
Re: BUG #4876: author of MD5 says it's seriously broken - hash collision resistance problems

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Jim Michaels <jmichae3(at)yahoo(dot)com>
Cc: pgsql-bugs(at)postgresql(dot)org
Subject: Re: BUG #4876: author of MD5 says it's seriously broken - hash collision resistance problems
Date: 2009-06-24 08:59:25
Message-ID: 4A41EAED.6040303@hagander.net
Lists: pgsql-bugs
Jim Michaels wrote:
> The following bug has been logged online:
> 
> Bug reference:      4876
> Logged by:          Jim Michaels
> Email address:      jmichae3(at)yahoo(dot)com
> PostgreSQL version: 8.3.7-1
> Operating system:   windows XP Pro SP3
> Description:        author of MD5 says it's seriously broken - hash
> collision resistance problems
> Details: 
> 
> If you are looking for hash collision protection, start looking at SHA-256
> or SHA-512.
> 
> "In any case, you may not want to be using md5 (at least for
> applications requiring collision-resistance), as it is
> seriously broken.  Use SHA-256 instead." - Ronald Rivest (author of MD5)

We are talking about two different uses here, I think.

Using MD5 for passwords doesn't, afaik, actually require
collision-resistance. It requires resistance against preimage attacks,
of which there are none for MD5. At least not yet.

The other use is for hashes in the application, for users of pgcrypto.
pgcrypto already provides SHA-256 and SHA-512 for this use.


> I was using MD5 in my zapdupes program and was told by the author of MD5,
> and switched to SHA-512, because of the size of the files I was dealing
> with.  Since you have BLOBs, I suggest you do the same.

There is no hashing of the BLOBs unless you build that into your
application, in which case it's your responsibility to use a secure
algorithm. PostgreSQL just stores it.


> this has implications for storing passwords as MD5 hashes.  My

That would be the only system use of MD5. What implications are those?

We might want to consider using a safer hash for the password storage at
some point, but from what I gather it's not really urgent for *that* use.

What would be more urgent is to provide a secure hashing *function* to
end users that doesn't rely on pgcrypto. But there is a solution for
this available today for those who need it - install pgcrypto.


> I have implemented SHA-512 as GPL'd code that you may use at 

PostgreSQL is a BSD project and we have no use for GPL code. We also
already have implementations of SHA256 and SHA512 that are BSD licensed
in our codebase.


> one possibility is that you could make the MD5 function actually return a
> SHA-512 hash.

That seems like a horrible idea.


-- 
 Magnus Hagander
 Self: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/
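As an added illustration of the two uses the reply distinguishes (this is example SQL written for this page, not code from the thread or from PostgreSQL itself): pgcrypto's digest() gives an application a SHA-256/SHA-512 content hash for data it stores, while crypt()/gen_salt() give it salted, deliberately slow password hashing. It assumes a modern PostgreSQL where pgcrypto is loaded with CREATE EXTENSION (on the 8.3 series in the thread, pgcrypto was installed from the contrib SQL script instead); the table, user name and password are constructed sample data.

```sql
-- Load pgcrypto; this is what makes digest(), crypt() and gen_salt() available.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- Use 1: a content hash for application data (a file, a bytea value, a BLOB
-- the application stores). This is where collision resistance matters, so use
-- SHA-256 or SHA-512 from pgcrypto rather than the built-in md5().
SELECT encode(digest('sample file contents'::bytea, 'sha256'), 'hex') AS sha256_hex,
       encode(digest('sample file contents'::bytea, 'sha512'), 'hex') AS sha512_hex;

-- Use 2: password storage. A password verifier needs preimage resistance plus
-- a per-user salt and a slow algorithm, not a bare digest of the password.
-- gen_salt('bf', 10) requests a bcrypt salt with a cost of 2^10 rounds.
CREATE TABLE app_user (
    username text PRIMARY KEY,
    pw_hash  text NOT NULL       -- constructed sample schema
);

INSERT INTO app_user (username, pw_hash)
VALUES ('alice', crypt('correct horse battery', gen_salt('bf', 10)));

-- Verification: crypt() re-hashes the candidate using the stored hash as the
-- salt, so the comparison succeeds only for the original password.
SELECT username
  FROM app_user
 WHERE username = 'alice'
   AND pw_hash = crypt('correct horse battery', pw_hash);   -- returns one row

SELECT username
  FROM app_user
 WHERE username = 'alice'
   AND pw_hash = crypt('wrong guess', pw_hash);             -- returns no rows
```

The stored value from crypt() embeds the algorithm, cost and salt, so the verification query needs no separate salt column, and the cost can be raised later for new rows without changing the query.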
