Posted by the ManGeek

Monday, February 7th 2005 11:58 pm CST

To hash or not to hash. That is the question.

Is it nobler to hash even as experts debate the long-standing value. The raging debate comes as collisions are discovered in MD5, fueled by the later discovery of a method to create meaningful files that collide. [www.cits.rub.de]

For some time hashes served a number of different purposes; the two most common of which are:

• Confirming that one file or another are indeed identical files
• Validating passwords that are stored encrypted

Well for the most part you can kiss away any guarantees on the first item. As this issue expands and these techniques evolve, the simple message digest hash functions are become antiquated. This eliminates MD5 for use in forensic investigations and for validation software like host-based intrustion detection systems. In this regard, there is much sorrow amongst security practitioners.

However take heart in that password validation using message digests is still perfectly valid. That is of course so long as you sanitize the user input. (Secure applications should always do this no matter.) As of now the collision technique being used does not work if you're limited with an alpha-numeric string of say less than 20 characters. It's simply not possible to be guaranteed of any colisions. Additionally the applicable technique requires knowledge of both data sets that you want to have collide.

The end result? Some slings and arrows to suffer but the day of reckoning is not upon us. Just don't implement MD5 in applications where an attacker can know their source content and you'll disco for another decade or so. (Well at least a week. One has to love technology.)

Trackback URL: http://www.mangeek.com/blogc/4track.html

Comments (0)