[Tutor] My Python project - an update

Michael Sparks ms at cerenity.org
Wed Mar 28 13:12:45 CEST 2007


On Wednesday 28 March 2007 10:50, Rohan Deshpande wrote:
> Out of curiousity, why md5?  Hasn't it been cracked already?  Would sha1 or
> 2sum be a better alternative?  I'm a newbie to this so it's just a
> question.

People have indeed shown vulnerabilities in MD5 for this sort of purpose. 
Specifically this includes modification of existing data on a system in a 
manner that preserves the MD5 with a crafted modification text (ie actual 
deliberate change, rather than random text that happens to match).

SHA1 is generally considered a better approach at the moment as a result. This 
isn't to say that MD5 is hideously crippled - for most purposes its still 
very good, but in this particular context it makes less sense. Especially 
given that once this sort of vulnerability is shown first to be possible, 
then demonstrated with a specific attack associated with a repeatable method, 
after that things generally get worse not better.


Michael


More information about the Tutor mailing list