Re: BUG #4876: author of MD5 says it's seriously broken - hash collision resistance problems

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Jim Michaels <jmichae3(at)yahoo(dot)com>
Cc: pgsql-bugs(at)postgresql(dot)org
Subject: Re: BUG #4876: author of MD5 says it's seriously broken - hash collision resistance problems
Date: 2009-06-24 08:59:25
Message-ID: 4A41EAED.6040303@hagander.net
Lists: pgsql-bugs

Jim Michaels wrote:
> The following bug has been logged online:
>
> Bug reference: 4876
> Logged by: Jim Michaels
> Email address: jmichae3(at)yahoo(dot)com
> PostgreSQL version: 8.3.7-1
> Operating system: windows XP Pro SP3
> Description: author of MD5 says it's seriously broken - hash
> collision resistance problems
> Details:
>
> If you are looking for hash collision protection, start looking at SHA-256
> or SHA-512.
>
> "In any case, you may not want to be using md5 (at least for
> applications requiring collision-resistance), as it is
> seriously broken. Use SHA-256 instead." - Ronald Rivest (author of MD5)

We are talking about two different uses here, I think.

Using MD5 for passwords doesn't, afaik, actually require
collision resistance. It requires resistance against preimage attacks,
of which there are none for MD5. At least not yet.

The other use is for hashes in the application, for users of pgcrypto.
pgcrypto already provides SHA-256 and SHA-512 for this use.

> I was using MD5 in my zapdupes program and was told by the author of MD5,
> and switched to SHA-512, because of the size of the files I was dealing
> with. Since you have BLOBs, I suggest you do the same.

There is no hashing of the BLOBs unless you build that into your
application, in which case it's your responsibility to use a secure
algorithm. PostgreSQL just stores it.

> this has implications for storing passwords as MD5 hashes. My

That would be the only system use of MD5. What implications are those?

We might want to consider using a safer hash for the password storage at
some point, but from what I gather it's not really urgent for *that* use.

What would be more urgent is to provide a secure hashing *function* to
end users that doesn't rely on pgcrypto. But there is a solution for
this available today for those who need it - install pgcrypto.

> I have implemented SHA-512 as GPL'd code that you may use at

PostgreSQL is a BSD project and we have no use for GPL code. We also
already have implementations of SHA-256 and SHA-512 that are BSD licensed
in our codebase.

> one possibility is that you could make the MD5 function actually return a
> SHA-512 hash.

That seems like a horrible idea.

--
Magnus Hagander
Self: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
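The distinction Magnus draws (collision resistance versus preimage resistance) can be made concrete. The following is an added example written for this page; it is not part of the thread and not PostgreSQL's own code. It assumes a Python 3 interpreter with the standard `hashlib`. The two 128-byte messages are the published Wang et al. (2004) MD5 collision pair, reproduced here as constructed reference data; `pg_md5_password` reproduces the layout of the stored form of PostgreSQL's md5 password scheme (the string `md5` followed by the hex MD5 of password concatenated with the role name), and the usernames, passwords and wordlist are constructed for the example. The first part shows that a collision exists and that, because MD5 is a Merkle-Damgard construction, the pair extends to two different files with one digest (the deduplication and BLOB-integrity case Jim raises). The second part shows that turning a stored password hash back into a password is a preimage search, for which the collision pair gives no shortcut: the attacker still has to guess.

```python
import hashlib
from typing import Iterable, List, Optional

# Constructed reference data: the two-block MD5 collision published by
# Wang et al. in 2004 (widely reproduced). The messages differ in six
# bytes yet hash to the same MD5 digest.
COLLISION_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
COLLISION_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def is_collision(a: bytes, b: bytes) -> bool:
    """True when two *different* inputs share one MD5 digest."""
    return a != b and md5_hex(a) == md5_hex(b)


def differing_offsets(a: bytes, b: bytes) -> List[int]:
    """Byte positions at which the two messages differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def collision_survives_suffix(a: bytes, b: bytes, suffix: bytes) -> bool:
    """MD5 chains compression over 64-byte blocks. Once two block-aligned
    prefixes reach the same internal state, any common suffix keeps them
    colliding, so one collision pair yields two different *files* with the
    same MD5. This is the file-dedup / BLOB-checksum failure mode."""
    return md5_hex(a + suffix) == md5_hex(b + suffix)


def pg_md5_password(password: str, username: str) -> str:
    """Layout of the stored form of PostgreSQL's md5 password scheme:
    'md5' + hex(md5(password || username)); the role name acts as salt."""
    return "md5" + md5_hex(password.encode("utf-8") + username.encode("utf-8"))


def recover_password(stored: str, username: str,
                     candidates: Iterable[str]) -> Optional[str]:
    """Preimage search against a stored hash. The collision pair above is
    useless here: the attacker needs an input that maps to a *given* digest,
    and the only generic lever is guessing (i.e. weak passwords)."""
    for pw in candidates:
        if pg_md5_password(pw, username) == stored:
            return pw
    return None


if __name__ == "__main__":
    # Part 1: collision resistance is broken.
    print("collision:", is_collision(COLLISION_A, COLLISION_B))      # True
    print("digest:", md5_hex(COLLISION_A))   # 79054025255fb1a26e4bc422aef54eb4
    print("differing bytes:", differing_offsets(COLLISION_A, COLLISION_B))
    print("same MD5 after common suffix:",
          collision_survives_suffix(COLLISION_A, COLLISION_B, b"trailing data"))

    # Part 2: preimage resistance is what password storage relies on.
    stored = pg_md5_password("hunter2", "alice")          # constructed user
    wordlist = ["password", "letmein", "hunter2"]         # constructed guesses
    print("stored:", stored)
    print("recovered by guessing:", recover_password(stored, "alice", wordlist))
    print("same guess, other role:", recover_password(stored, "bob", wordlist))
```

The takeaway matches the reply: the collision pair shows MD5 is unfit wherever an attacker can choose both inputs (two files that must not share a checksum), while a stored password hash only falls to guessing, which is bounded by password strength and the cost of the hash, not by the collision attack.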
