On Thu, Jul 05, 2007 at 03:42:42PM -0700, Jason Chu wrote:
> We are at an inroads in hashing algorithm theory. All the current hashing algorithms have flaws. It's also likely that any new hash algorithms will have flaws as well.
Maybe the information I had is already outdated, since all this stuff moves pretty quickly :)
What are the flaws of all the SHA-224/256/384/512 hashes? See this for example: http://en.wikipedia.org/wiki/SHA-1#SHA_sizes
Or are these the new algorithms? They could indeed have flaws as well, but still stay more secure than the current ones, even after flaws are found.
> If we just trusted md5s or sha1s, then it would be less secure and more complicated, but because we look at both md5s and sha1s *together* things improve.
I'm not convinced that
1) md5 or sha1 alone aren't secure enough (for our use case)
2) combining md5 and sha1 is better than e.g. SHA-256
> An analogy: think of two sheets with holes in them. You can look through each sheet and see the light on the other side, but if you lay the two sheets on top of each other, a lot less light is visible. Because we're considering both hashing algorithms, they cover some of each other's failings.
In that case, you move both holes so that they match (with padding) :) But yes, that's still the general case, not the pacman one.
> I'm all for making less complication though... maybe a more abstract hash API?
If we need to keep several hashing algorithms, I think this would be great.
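To illustrate the "more abstract hash API" idea discussed above, here is an added example (written for this page, not code from pacman or from anyone on the thread): a verifier that checks a package against every digest recorded for it, so a mismatch in any one algorithm rejects the package, and a new algorithm such as SHA-256 is added by extending one tuple. The function names, the policy and the sample package are all made up for the example.

```python
import hashlib
import hmac

# Algorithms the (hypothetical) package tool is willing to check.
# Adding SHA-256 alongside md5/sha1 is a one-line change here.
SUPPORTED = ("md5", "sha1", "sha256")


def compute_digests(data: bytes, algos=SUPPORTED) -> dict:
    """Return {algorithm: hex digest} for every requested algorithm."""
    return {a: hashlib.new(a, data).hexdigest() for a in algos}


def verify_package(data: bytes, expected: dict) -> tuple:
    """Check `data` against every digest listed in `expected`.

    Policy (the "two sheets" idea): the package passes only if *all*
    listed digests match and at least one digest is listed.
    Returns (ok, failures), where failures names each algorithm that
    mismatched or is not supported by this tool.
    """
    if not expected:
        return False, ["no digests supplied"]
    failures = []
    for algo, want in expected.items():
        if algo not in SUPPORTED:
            failures.append(f"{algo}: unsupported")
            continue
        got = hashlib.new(algo, data).hexdigest()
        # compare_digest avoids leaking where the strings differ; digests
        # are public, but it is the right habit for any verifier.
        if not hmac.compare_digest(got, want.lower()):
            failures.append(f"{algo}: mismatch")
    return (not failures), failures


# Constructed sample: a tiny fake package file and its recorded digests
# (md5 and sha1 only, mirroring the thread's current setup).
PKG = b"pkgname=example\npkgver=1.0\n"
RECORDED = compute_digests(PKG, ("md5", "sha1"))

if __name__ == "__main__":
    print(verify_package(PKG, RECORDED))
    print(verify_package(PKG + b"tampered", RECORDED))
```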