Can you cite the sources, please
Posted Dec 17, 2007 22:40 UTC (Mon) by khim
In reply to: SquirrelMail 1.4.13 released - older versions compromised
Parent article: SquirrelMail 1.4.13 released - older versions compromised
The purpose of a cryptographic hash is that you can make reasonable declarations about the qualities of the algorithm without reference or qualification to the structure or content of the input.
Sorry, but this is a piece of bullshit. The main purpose of a cryptographic hash is to guarantee immutability of signed data in most cases (including the distribution case). It's called second preimage resistance. And both MD5 and SHA1 are not broken in the sense that a second preimage attack is implementable.
What is the hoopla all about then? MD5 and SHA1 were found not to be collision resistant. Yes, there exist applications where this is a requirement. For example, you cannot use it to prove that you've sent file A and not file B. But signing of tarballs is not such an application: if an attacker can alter the original tarball on the ftp site before it's signed, you have a much bigger problem than just problems with collisions.
While it becomes easier and easier to find collisions, a preimage attack is still quite hard (a preimage attack is not just "slightly harder" than a collision attack - it's "billions of billions of times harder" than a collision attack initially and thus still far from being cracked). Of course now is not the time to be complacent (I'm pretty sure the next stage will be a preimage attack), but from a practical viewpoint MD5 is still not broken...
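Added example, not part of khim's comment or the article: the distinction the comment draws between collision resistance and second preimage resistance, measured on a toy hash. It assumes SHA-256 truncated to 16 bits as a stand-in for an ideal n-bit hash, with constructed message strings; for such a hash a collision costs about 2^(n/2) evaluations and a second preimage about 2^n.

```python
import hashlib
from itertools import count

BITS = 16  # toy digest size (assumption), small enough that both searches finish quickly


def toy_hash(msg: bytes, bits: int = BITS) -> int:
    """First `bits` bits (at most 32) of SHA-256, standing in for an ideal n-bit hash."""
    digest = hashlib.sha256(msg).digest()
    return int.from_bytes(digest[:4], "big") >> (32 - bits)


def find_collision(bits: int = BITS):
    """Collision search: the searcher chooses BOTH messages, so any repeated
    digest among the candidates counts (birthday bound, about 2^(bits/2))."""
    seen = {}
    for tries in count(1):
        msg = b"collide-%d" % tries  # constructed candidate messages
        h = toy_hash(msg, bits)
        if h in seen:
            return seen[h], msg, tries
        seen[h] = msg


def find_second_preimage(target: bytes, bits: int = BITS):
    """Second preimage search: one message is FIXED (the already signed
    tarball), so a candidate must hit that one digest (about 2^bits)."""
    want = toy_hash(target, bits)
    for tries in count(1):
        msg = b"forged-%d" % tries  # constructed candidate messages
        if msg != target and toy_hash(msg, bits) == want:
            return msg, tries


if __name__ == "__main__":
    a, b, c_tries = find_collision()
    target = b"release tarball bytes (constructed sample)"
    forged, p_tries = find_second_preimage(target)
    print(f"collision:       {c_tries} hashes, expected about 2^{BITS // 2}")
    print(f"second preimage: {p_tries} hashes, expected about 2^{BITS}")
```

Each extra digest bit doubles the second preimage cost but multiplies the collision cost only by the square root of two, so the gap between the two searches widens as the digest grows.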