Hashing of usernames in syslog

Forrest J. Cavalier III mibsoft at epix.net
Mon Sep 30 13:25:39 UTC 2002


> Your advice is fine.  It just seems superstitious.  

Perhaps you are confusing "superstitious" and "cautious."

Superstition: A belief or practice, resulting from ignorance, fear of 
the unknown, trust in magic or chance, or a false conception of 
causation.  (Webster's Ninth New Collegiate Dictionary)

So I wouldn't say I was superstitious, instead "cautious" about security
algorithms, where it is easy for non-experts like me to make 
assumptions which are not true.

> I want to see papers
> which point out vulnerabilities in MD5. 

Seems like you didn't even try to look.  The google.com search terms
you want are
  md5 Hans Dobbertin

You could have arrived at that yourself by searching
  md5 broken

(You seem to know more about encryption and security than
I do, so I'd be interested in knowing what you thought
of the paper.)

> I also want to see proof that an
> input to MD5 with symmetry doesn't make things worse.
> 

That is a good point.  I have no proof.  The avoidance of
("secret" "phrase") and ("phrase" "secret") is my own non-expert
conclusion from reading Dobbertin.   Use two secrets then.

Or better yet, find an expert for advice.

Thanks for the comments!
Forrest



More information about the inn-workers mailing list