Skip site navigation (1) Skip section navigation (2)

Re: [GENERAL] SHA1 on postgres 8.3

From: Peter Eisentraut <peter_e(at)gmx(dot)net>
To: pgsql-hackers(at)postgresql(dot)org
Cc: sanjay sharma <sanksh(at)hotmail(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Greg Sabino Mullane <greg(at)turnstep(dot)com>
Subject: Re: [GENERAL] SHA1 on postgres 8.3
Date: 2008-04-02 17:28:16
Message-ID: 200804021928.16879.peter_e@gmx.net (view raw or flat)
Thread:
Lists: pgsql-generalpgsql-hackers
Am Mittwoch, 2. April 2008 schrieb sanjay sharma:
> md5 is not being recommended anywhere because it contains hash collision.
> Therefore either it should be replaced with SHA1 or any other good hash
> algorithm or taken out of core completely. md5 in core is worthless now.I
> am not using it in my application. I am using SHA1 in client/web tier for
> password hashing. 
> Would replacing md5 with SHA1 in core involve much work?

The vulnerabilities that exist for MD5 and SHA1 involve finding two random 
input strings that create the same hash values.  This is possible for MD5 
*and* SHA1 now, so asking for SHA1 to replace MD5 is completely pointless.  
What is not possible with either MD5 or SHA1 is finding an input string that 
creates the same hash value as a given input string (except by googling, but 
that affects all algorithms).  So using MD5 for encrypting passwords or 
digesting known data values or tarballs can be considered secure at the 
moment.

If you are dealing with certificate infrastructures, where the hash collision 
vulnerability described above might be relevant, you are certainly going to 
use some library such as openssl, and those have already moved away from 
using MD5 and SHA1 anyway.

In response to

pgsql-hackers by date

Next:From: Alvaro HerreraDate: 2008-04-02 17:51:57
Subject: Re: US VISA CISP PCI comp. needs SHA1
Previous:From: Matthew WetmoreDate: 2008-04-02 17:24:02
Subject: US VISA CISP PCI comp. needs SHA1

pgsql-general by date

Next:From: Ian SillitoeDate: 2008-04-02 17:32:56
Subject: Re: (FAQ?) JOIN condition - 'WHERE NULL = NULL'
Previous:From: Ian SillitoeDate: 2008-04-02 17:25:00
Subject: Re: (FAQ?) JOIN condition - 'WHERE NULL = NULL'

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group