Subject: Checksum for packages
To: None <>
From: Dominik Rothert <>
List: tech-pkg
Date: 12/20/2000 13:14:13
According to a text in CryptoBytes (Vol 2 No 2, Summer 1996), 
MD5 is not the best solution for confirming the retrieved distfiles
match the original files. I suppose to use SHA1 instead of MD5,
since this algorithm seems to be more secure for a longer period
of time. By the way, OpenBSD people decided to use SHA1, too.

Dobbertin wrote:

| Conclusions
| The presented attack does not yet threaten practical applications of
| MD5, but it comes rather close. In view of the flexibility of the
| new analytic techniques it would be unwise to assume that the attack
| could not be improved. Ron Rivest [16] commented on the status of
| MD4, after two-round attacks had been found, that it is at the
| edge in terms of risking suc-cessful cryptanalytic attack. Today
| this assessment characterizes the status of MD5. Therefore we
| suggest that in the future MD5 should no longer be implemented in
| applications like signature schemes, where a collision-resistant
| hash function is required. According to our present knowledge,
| the best recommendations for alternatives to MD5 are SHA-1 and
| RIPEMD-160. If essentially weaker cryptographic properties than
| collision-resistance suffice then the use of MD5 might still be
| secure. MD5 can still be used as a one-way function. The HMAC due to
| Bellare, Canetti, and Krawczyk [3, 4] is not touched by the recent
| analytic progress. Future research should analyse hash functions
| with respect to properties like pseudo-random behaviour, which are
| required in message authentication constructions.

Why are we still using MD5? 


/*  Dominik Rothert         |   *
 *  A S T O R I T           |  *
 *  Hohenzollernring 52     |       fon +49-221-251440  *
 *  50672 Cologne, Germany  |       fax +49-221-251443  */:wq!