Date: Thu, 24 Jul 2003 00:30:30 -0700
From: Robin H.Johnson
To: Fred Van Andel
Cc: gentoo-dev@gentoo.org
Subject: Re: [gentoo-dev] (crazy?) proposal to reduce load and disk on mirrors
Message-ID: <20030724073030.GD770@cherenkov.orbis-terrarum.net>
In-Reply-To: <200307222342.26941.fava@gentoo.org>
References: <20030723194823.GJ9959@mail.lieber.org> <3F1F8C28.7050807@ifi.uio.no>
 <20030724015453.5079e993.rbilbao@inzignia.cl> <200307222342.26941.fava@gentoo.org>

On Tue, Jul 22, 2003 at 11:42:26PM -0700, Fred Van Andel wrote:
> As for the security of MD5, there is no published instance of anyone
> finding 2 different datasets that produce an identical hash value. MD5
> is a 128 bit hash algorithm so in theory it would be required to
> calculate approximately 1.2 * sqrt(2^128) different hashes in order to
> have a 50% chance of a single collision. That would require > 350
> billion gigabytes just to store the hashes. I believe MD5 to be secure
> enough for this application.

I'd be VERY careful with this.
http://www.rsasecurity.com/rsalabs/faq/3-6-6.html

I've seen much more recent research into it myself, along with a way of
making it SIGNIFICANTLY more difficult to break.

Namely, store the correct filesize along with the MD5 sum in a
verifiable fashion.

Having a file containing a list of tarballs and their sizes, then
providing a GPG signature for that file solves the issue to a level
such that even all the computers in the world in 10 years could not beat
it [famous last words, after seeing the crypto-attack on RSA keys using
a massive NFS setup].

-- 
Robin Hugh Johnson
E-Mail     : robbat2@orbis-terrarum.net
Home Page  : http://www.orbis-terrarum.net/?l=people.robbat2
ICQ#       : 30269588 or 41961639
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85
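
The size-plus-digest check described in the message above, as an added example that is not part of the original post or of any Gentoo tool. The manifest line format `MD5 <hexdigest> <filename> <size>`, the function names and the sample data are assumptions; the GPG signature on the manifest file is assumed to have been verified beforehand (for example with `gpg --verify`), which is not shown.

```python
import hashlib
import hmac
import os
import tempfile

def parse_manifest(text):
    """Parse lines of the assumed form: MD5 <hexdigest> <filename> <size>."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 4 or fields[0] != "MD5" or not fields[3].isdigit():
            raise ValueError(f"malformed manifest line {lineno}")
        _, digest, name, size = fields
        entries[name] = (digest.lower(), int(size))
    return entries

def verify(path, entries):
    """Return 'ok', 'unlisted', 'size-mismatch' or 'digest-mismatch'."""
    entry = entries.get(os.path.basename(path))
    if entry is None:
        return "unlisted"
    digest, size = entry
    # Cheap check first: a file of the wrong length is rejected unhashed.
    if os.path.getsize(path) != size:
        return "size-mismatch"
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return "ok" if hmac.compare_digest(h.hexdigest(), digest) else "digest-mismatch"

def demo():
    """Constructed sample data: one good tarball, one truncated, one altered."""
    good = b"constructed tarball contents\n"
    manifest = f"MD5 {hashlib.md5(good).hexdigest()} pkg-1.0.tar.gz {len(good)}\n"
    entries = parse_manifest(manifest)
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "pkg-1.0.tar.gz")
        for label, data in (("good", good), ("truncated", good[:-1]), ("altered", good[:-2] + b"X\n")):
            with open(path, "wb") as f:
                f.write(data)
            results[label] = verify(path, entries)
    return results

if __name__ == "__main__":
    print(demo())
```
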