An Illustrated Guide to Cryptographic Hashes - danielrm26
http://unixwiz.net/techtips/iguide-crypto-hashes.html

======
aurelianito
The article claims that there are no known md5 collisions. This is plain
_false_. There are known collisions since 2004 and known _Windows executables_
with the same md5 hash since 2005.

The windows executables were constructed|discovered by a founder of the
company I work for. Here is the relevant link:
[http://corelabs.coresecurity.com/index.php?module=Wiki&a...](http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=project&name=%20MD5_collisions)

~~~
cstuder
The article reports about the collision paper from 2004:
[http://unixwiz.net/techtips/iguide-crypto-hashes.html#bignews](http://unixwiz.net/techtips/iguide-crypto-hashes.html#bignews)

And it seems to be written sometime in 2004, see the update and linked
blogposts at the end.

No need to yell.

~~~
aurelianito
So, we agree that it is at least dated and we should not follow their advice
as is. AFAIK sha256 is not broken yet, we can still use it.

~~~
tptacek
Neither is SHA1. And even MD5 still survives in HMAC-MD5.

~~~
aurelianito
SHA1 has been reduced to a theoretical attack of 2^51 steps
(<http://eprint.iacr.org/2008/469.pdf>) but no collision was found yet AFAIK.

If I were choosing a hash function I would choose SHA256 over SHA1 unless the
environment does not allow it.

~~~
tptacek
Nobody competent would disagree; SHA2 is better than SHA1, use SHA2.

But in the real world, these distinctions matter a lot. Protocols fielded
using SHA1 to glue together crypto primitives are unlikely to be broken soon
(often for the simple reason that they're used in hardened constructs like
HMAC). Again: I don't even think there's a tractable way to break an otherwise
sound protocol using HMAC-MD5 using MD5 flaws, today.

It all depends on the context. Bare MD5 is probably fine as a mixing function
for an RNG. It's probably (I haven't thought this through carefully) also fine
for a stretched password hash. But should MD5 be one of your go-to functions?
Of course not.

Should SHA-1? Well, let me put it to you this way: if you contracted my
company to assess your application and we found you using SHA-1 somewhere, we
by default would not be able to write you up for it. It wouldn't actually be a
vulnerability. (If you asked us specifically to review your crypto for best
practices compliance, we would of course recommend you change it).

------
feralchimp
From the title, I expected an illustrated comparison of different hash
algorithms. The linked article is more of an illustrated explanation of some
basic properties of hash operations, and how hashing differs from encryption.

~~~
henrikschroder
This article might be what you were looking for?

<http://home.comcast.net/~bretm/hash/>

I know I liked the visualization of avalanching behaviour.

------
aidenn0
It really amazes me how well md5 has stood up to preimage attacks. It's
obviously broken against collision attacks, but 2^123 is not that far from
the brute force of 2^128. It's almost 20 years old now, and has been under
intense scrutiny for much of that time due to its popularity. Way to go Ron
Rivest.
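The numbers traded in this thread (a 2^51 collision attack on SHA-1 versus a 2^123 preimage attack on MD5, against a 2^128 brute-force bound) rest on the distinction between collision resistance and preimage resistance: a generic birthday search finds a collision in about 2^(n/2) hash evaluations, while a generic preimage search needs about 2^n. The following script is an added example written for this thread, not code from the linked article or from any commenter. It truncates SHA-256 to a small number of bits (a constructed toy hash, assumed here purely for illustration) so both searches finish in seconds, and counts how many evaluations each one actually takes.

```python
"""Birthday (collision) search vs preimage search on a truncated hash.

Added example for this discussion; the truncated hash is a constructed toy,
not a recommendation. Truncating SHA-256 to `bits` bits gives a hash whose
generic attack costs are 2^(bits/2) for collisions and 2^bits for preimages,
the same shape as the 2^64 vs 2^128 figures for a full 128-bit hash like MD5.
"""
import hashlib
import math


def truncated_sha256(data: bytes, bits: int) -> int:
    """Toy n-bit hash: the top `bits` bits of SHA-256(data)."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def expected_birthday_work(bits: int) -> float:
    """Expected evaluations before the first collision, ~ sqrt(pi/2 * 2^bits)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def find_collision(bits: int, prefix: bytes = b"msg-"):
    """Birthday search: hash distinct messages until two share an output.

    Returns (m1, m2, hash_value, evaluations). Messages are deterministic
    (prefix + counter), so the result is reproducible.
    """
    seen = {}
    i = 0
    while True:
        m = prefix + str(i).encode()
        h = truncated_sha256(m, bits)
        if h in seen:
            return seen[h], m, h, i + 1
        seen[h] = m
        i += 1


def find_preimage(target: int, bits: int, prefix: bytes = b"pre-", limit=None):
    """Preimage search: find m with H(m) == target by trying messages in order.

    Expected cost is about 2^bits evaluations (there is no shortcut from
    storing earlier outputs, which is what makes the birthday search cheap).
    Returns (message, evaluations) or (None, evaluations) if `limit` is hit.
    """
    i = 0
    while limit is None or i < limit:
        m = prefix + str(i).encode()
        if truncated_sha256(m, bits) == target:
            return m, i + 1
        i += 1
    return None, i


def main():
    bits = 24
    m1, m2, h, n = find_collision(bits)
    print(f"{bits}-bit collision: {m1!r} and {m2!r} -> {h:#x} "
          f"after {n} evaluations (expected ~{expected_birthday_work(bits):.0f}, "
          f"brute-force preimage bound 2^{bits} = {2 ** bits})")

    pbits = 16
    target = truncated_sha256(b"hello", pbits)
    m, k = find_preimage(target, pbits)
    print(f"{pbits}-bit preimage of {target:#x}: {m!r} after {k} evaluations "
          f"(expected ~2^{pbits - 1} = {2 ** (pbits - 1)})")


if __name__ == "__main__":
    main()
```

Run as-is and the collision search on the 24-bit toy hash finishes after a few thousand evaluations, while the preimage search on an 8-bit-smaller hash still needs tens of thousands; scale both exponents up to 128 bits and you get the 2^64 versus 2^128 gap that the comments above are arguing about. The script deliberately uses the lookup-table birthday search rather than any structural weakness of a real hash, so it says nothing about the specific MD5 or SHA-1 cryptanalysis linked in the thread, only about the generic bounds those results are measured against.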

