[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: new hashes (SHA512, SHA3) in apt metadata and .changes files?

On 05-08-13 02:16, Ben Hutchings wrote:
> On Sun, 2013-08-04 at 16:45 +0200, Wouter Verhelst wrote:
>> On 03-08-13 13:45, Ondřej Surý wrote:
>>> I think it's useless to upgrade to SHA512 (or SHA-3),
>> It's never useless to upgrade to a stronger hash.
>> The cost might outweight the benefit, yes. But that's a different matter.
> What makes you think these are stronger?

Simple mathematics.

To me, a "strong hash" is a hash for which collisions are unlikely.

A SHA512 hash is longer than a SHA1 hash. Therefore it has more bits.
Therefore it has more possible values, which decreases the likelihood
that two collections of bits will produce the same hash value by accident.

In addition, there are some concerns today about the strength of SHA1.
It's not yet broken, but it's not right to think of it as "fully safe"
anymore, either. Hashes don't get stronger over time; they get weaker.

Of course, the very fact that SHA512 produces a longer hash does mean
that there is a cost involved; and as said, that cost might outweigh the
benefits. But that doesn't make it "useless".

This end should point toward the ground if you want to go to space.

If it starts pointing toward space you are having a bad problem and you
will not go to space today.

  -- http://xkcd.com/1133/

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: