Subject: Re: Checksum for packages
To: Bill Sommerfeld <>
From: Al Snell <>
List: tech-pkg
Date: 12/21/2000 18:07:47
On Thu, 21 Dec 2000, Bill Sommerfeld wrote:

> cryptographic engineering (as opposed to cryptography) involves making
> very conservative assumptions about the underlying cryptographic
> primitives, and taking the "hunches" and such of the Real
> Cryptographers(tm) very seriously.  Those cryptographers are saying
> "sha1 is most likely stronger than md5"...

Yup. There's a principle in crypto, though, that in many cases you can
take two algorithms A and B and combine them in such a way that the
resulting algorithm is at least as weak as the weaker of A and B, and very
probably stronger.

Eg, if you take an MD5 *and* and SHA1 and concatenate them. Even if both
are broken, finding a way of changing the file that breaks *both* of them
will be at least as tricky as finding a change that slips by each of them
in turn...


                               Alaric B. Snell
   Any sufficiently advanced technology can be emulated in software