compare-by-hash (was Re: sharing /etc/passwd)
Jason Stone
freebsd-security at dfmm.org
Tue Sep 28 13:09:37 PDT 2004
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> One thing to keep in mind is that the collision-resistance of SHA-1 is
> an unproven conjecture.
sure, I was going to mention that - indeed, md4 is the algorithm used in
rsync, and it _has_ been shown to be less collision-resistant than the
full 128-bits would imply.
which means that instead of finding only one collision in the entire
lifetime of the universe, you'll find four.
it doesn't change the fact that the probability of your computer catching
fire and killing you, in an absolutely real and literal sense, is many
millions of times higher, and that the time you spend worrying about this
would be much, much better spent backing up your data offsite and wearing
kevlar pants.
also, excellent point someone made about passwords already using md5 in
freebsd - this means that there are already an infinite number of
passwords that will let someone into your box as root, right now, this
very instant. so using rsync, you're hardly worse off....
-Jason
--------------------------------------------------------------------------
Freud himself was a bit of a cold fish, and one cannot avoid the suspicion
that he was insufficiently fondled when he was an infant.
-- Ashley Montagu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg
iD8DBQFBWcUBswXMWWtptckRAi3rAJ4tyujyV0XyT7nC2VpdntVA5KjIbwCdHkpZ
OSGmWnJPtrb4DLrwNz0HaEA=
=UZOZ
-----END PGP SIGNATURE-----
More information about the freebsd-security
mailing list