[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[ossec-list] Re: Hash algorithms
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: Hash algorithms
- From: "Daniel Cid" <daniel.cid@xxxxxxxxx>
- Date: Wed, 25 Jul 2007 22:39:12 -0300
- Dkim-signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=nklxFFxTtY5OLrJLOns3OVkZfR9rDVtGjjQLpoJJzJ/xrgSUSkDUCLq4FL2xMi5DJH1h/Tg+BI9VQciPPRQxtUQxL44stdtusa9Q7H2J0NXRUhgu3vwBnx4+kVdgU85iw9TSlaN1CI9KgtEeme6ecA1GiyWk5yBw6KdRB434dfg=
Hi Jonas,
Thanks for the information. I know about the attacks against MD5 and SHA-1, but
I don't think they are practical enough to make any difference for us.
In addition to
that, our integrity check uses both algorithms together, and there is no attack
available that can affect both at the same time.
That being said, I agree with you that we need to evaluate and think on a new
combination of algorithms to use. Tiger can be a good alternative, but
I don't know
if it received the same amount of public scrutiny as md5 and sha1....
If you can open a feature request in our bugzilla (
http://www.ossec.net/bugs/ ) we
can have a central place to discuss it for our next release.
Thanks!
--
Daniel B. Cid
dcid ( at ) ossec.net
On 7/25/07, Jonas <jonas.esp@xxxxxxxxxxxxxx> wrote:
>
> Using straight-up MD5 or SHA-1 is not recommended, even with a salt.
> Salt values mitigate one basic attack. Adaptive hashing mitigates a
> more important one.
>
> You must read
> http://home.gwu.edu/~khenry/CSci381/AlternativeHashFunctions.pdf
>
> As alternative I suggest *Tiger*. It's secure, and faster than SHA-1
> as you can check here:
> http://www.cryptopp.com/benchmarks.html
>
>
OSSEC home |
Main Index |
Thread Index
OSSEC project: www.ossec.net.
Mailling list information: http://www.ossec.net/en/mailing_lists.html.