Path: csiph.com!x330-a1.tempe.blueboxinc.net!usenet.pasdenom.info!gegeweb.org!de-l.enfer-du-nord.net!feeder1.enfer-du-nord.net!cs.uu.nl!news.stack.nl!newsfeed.xs4all.nl!newsfeed5.news.xs4all.nl!xs4all!post.news.xs4all.nl!not-for-mail Return-Path: X-Original-To: python-list@python.org Delivered-To: python-list@mail.python.org X-Spam-Status: OK 0.016 X-Spam-Evidence: '*H*': 0.97; '*S*': 0.00; 'commonly': 0.09; 'received:80.91': 0.09; 'received:80.91.229': 0.09; 'received:80.91.229.12': 0.09; 'received:gmane.org': 0.09; 'received:list': 0.09; 'received:lo.gmane.org': 0.09; 'referenced': 0.09; 'algorithm': 0.13; 'cache,': 0.16; 'caches': 0.16; 'from:addr:behnel.de': 0.16; 'from:addr:stefan_ml': 0.16; 'from:name:stefan behnel': 0.16; 'robust.': 0.16; 'advance': 0.17; 'input': 0.21; '(or': 0.22; 'header:In-Reply-To:1': 0.22; 'stefan': 0.24; 'bit': 0.28; 'url:wiki': 0.29; 'calculated': 0.30; 'hash': 0.30; 'chris': 0.30; 'quite': 0.31; "i've": 0.31; 'point,': 0.32; "isn't": 0.32; 'header:User-Agent:1': 0.33; 'to:addr:python-list': 0.33; 'there': 0.33; 'received:84': 0.34; 'rather': 0.34; 'algorithms': 0.34; 'function.': 0.34; 'header:X -Complaints-To:1': 0.34; 'something': 0.35; 'things': 0.35; 'however,': 0.35; 'file': 0.35; 'data.': 0.36; 'example,': 0.36; 'depend': 0.36; 'received:org': 0.37; 'some': 0.38; 'should': 0.38; 'e.g.': 0.38; 'url:en': 0.39; 'url:org': 0.39; 'being': 0.39; 'files': 0.39; 'subject:: ': 0.39; 'to:addr:python.org': 0.40; 'more': 0.61; 'course,': 0.61; 'subject': 0.62; 'choice.': 0.64; 'stability': 0.67; 'storage': 0.68; 'presents': 0.71; 'proclaimed': 0.84; 'attacks': 0.93; 'complexity': 0.93 X-Injected-Via-Gmane: http://gmane.org/ To: python-list@python.org From: Stefan Behnel Subject: Re: Hash stability Date: Sun, 15 Jan 2012 18:20:02 +0100 References: <4f1107b7$0$29988$c3e8da3$5496439d@news.astraweb.com> <4F1205A7.70303@modelnine.org> <4F12BC8A.9040205@modelnine.org> <4F12F9D8.5080904@modelnine.org> Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Gmane-NNTP-Posting-Host: dslb-084-056-000-204.pools.arcor-ip.net User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:9.0) Gecko/20111220 Thunderbird/9.0 In-Reply-To: X-BeenThere: python-list@python.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: General discussion list for the Python programming language List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Newsgroups: comp.lang.python Message-ID: Lines: 22 NNTP-Posting-Host: 2001:888:2000:d::a6 X-Trace: 1326648019 news.xs4all.nl 6876 [2001:888:2000:d::a6]:36309 X-Complaints-To: abuse@xs4all.nl Xref: x330-a1.tempe.blueboxinc.net comp.lang.python:19013 Chris Angelico, 15.01.2012 17:13: > Of course, it's still dodgy to depend on the stability of something > that isn't proclaimed stable, and would be far better to use some > other hashing algorithm (MD5 or SHA for uberreliability). I've seen things like MD5 or SHA* being used quite commonly for file caches (or file storage in general, e.g. for related files referenced in a text document). Given that these algorithms are right there in the stdlib, I find them a rather obvious choice. However, note that they may also be subject to complexity attacks at some point, although likely requiring substantially more input data. In the specific case of a cache, an attacker may only need an arbitrary set of colliding hashes. Those can be calculated in advance for a given hash function. For example, Wikipedia currently presents MD5 with a collision complexity of ~2^20, that sounds a bit weak. Something like SHA256 should be substantially more robust. https://en.wikipedia.org/wiki/Cryptographic_hash_function#Cryptographic_hash_algorithms Stefan