[erlang-questions] wow: MD5 broken

Richard Kelsall <>
Sat Dec 1 14:17:19 CET 2007


Toby Thain wrote:
> On 1-Dec-07, at 9:42 AM, Joe Armstrong wrote:
> 
>> MD5 is really broken - gulp see
...
>> I wonder how many millions of programs have now become insecure?
> 
> The paper concludes,
> "MD5 should no longer be used as a hash function for software  
> integrity or code signing purposes."
> ...but isn't a good workaround just to use more than one hash, e.g.  
> MD5+SHA1?

No. Use a better algorithm like SHA-256 or SHA-512. There are plenty
of other good hash algorithms. Pick one from the table here that says
"No" in the collisions column rather than creating your own:

http://en.wikipedia.org/wiki/Cryptographic_hash_function


Richard.
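
Added example, not part of the original message or of any project mentioned in the thread: an integrity check that follows the advice above by accepting only SHA-256/SHA-512 pins and refusing MD5 or SHA-1 pins outright. The "algorithm:hexdigest" pin format, the function names and the sample data are assumptions made for this illustration.

```python
import hashlib
import hmac
import io

# Example policy (an assumption of this sketch): digests with published
# collision attacks are refused, not combined with one another.
REJECTED = {"md5", "sha1"}
ACCEPTED = {"sha256", "sha512"}


def stream_digest(stream, algorithm, chunk_size=65536):
    """Hash a binary stream in chunks so large artifacts need not fit in memory."""
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_artifact(stream, pinned):
    """Check a stream against a pinned 'algorithm:hexdigest' string.

    Returns (ok, reason) so a caller can log why a pin was refused.
    """
    algorithm, sep, expected = pinned.partition(":")
    algorithm = algorithm.lower()
    if not sep or not expected:
        return False, "malformed pin"
    if algorithm in REJECTED:
        # Refuse before hashing: a matching MD5 or SHA-1 proves too little.
        return False, "collision-prone algorithm: " + algorithm
    if algorithm not in ACCEPTED:
        return False, "unknown algorithm: " + algorithm
    actual = stream_digest(stream, algorithm)
    # compare_digest avoids leaking the mismatch position through timing.
    if not hmac.compare_digest(actual.encode(), expected.lower().encode()):
        return False, "digest mismatch"
    return True, "ok"


# Constructed sample data, not taken from the thread.
SAMPLE = b"-module(hello).\n-export([world/0]).\nworld() -> ok.\n"
GOOD_PIN = "sha256:" + hashlib.sha256(SAMPLE).hexdigest()
MD5_PIN = "md5:" + "0" * 32  # placeholder digest; refused before any hashing

if __name__ == "__main__":
    for pin in (GOOD_PIN, MD5_PIN, "sha256:" + "0" * 64):
        print(pin.split(":")[0], verify_artifact(io.BytesIO(SAMPLE), pin))
```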


