pure transit server

Jeffrey M. Vinocur jeff at litech.org
Fri Mar 2 04:40:24 UTC 2001

[ This is long and mostly quoted, feel free to skip unless you're
  interested in hash functions ]

On 1 Mar 2001, Russ Allbery wrote:

> I can't picture an attack based on hash collisions that couldn't be
> performed equally well by just injecting new messages with the same
> message ID as the messages one wants to play games with, so no, I don't
> think so.  Unless I'm missing something.

So...this same topic is being discussed in comp.lang.functional at the
moment (apparently OCaml uses hashes to do something like prevent code
from different versions of the compiler from being linked against each
other).  I don't know any more about hashes than the next guy, but this
discussion has been informative.  This guy Lon Willett who seems to know
what he's talking about[1] thinks they're being silly to use MD5.

For what it's worth.

In <m3y9upxx29.fsf_-_ at emile.sse.ie>:

| What on earth is the point of using MD5 here?  [...]
| A lot of work goes into making cryptographic hashes have certain
| properties that are nice for cryptography.  They are almost always a
| poor choice for anything else, and using them tends to be misleading
| (people tend to think things like "it uses a strong crypto function,
| so it must be unforgeable").  A nice ordinary CRC and/or magic numbers
| sound like what is really wanted.

And in <m3vgptxp97.fsf at emile.sse.ie>:

|My point is that MD5 is no better than using a CRC for this.  It is
| probably even quite a bit worse.  CRCs and other checksums/hash-
| functions tend to be faster, more flexible, and have nicely provable
| properties.  And in the absence of deliberately malicious behaviour,
| the "chance" of a collision is equally small, assuming that you choose
| your function so that it generates an adequate number of bits
| ("chance" in quotes because there is a whole philosophical sidetrack
| here that people tend to get worked up about).

I get the impression the same concerns apply to the situation for INN...

[1] http://www.bluetail.com/wiki/showPage?node=LonWillett

Jeffrey M. Vinocur
jeff at litech.org

More information about the inn-workers mailing list