Rich Freeman via plug on 25 Sep 2022 17:23:03 -0700



Re: [PLUG] free courses, systemd Win, hashquines


On Sun, Sep 25, 2022 at 8:11 PM Walt Mankowski via plug
<plug@lists.phillylinux.org> wrote:
>
> On Sun, Sep 25, 2022 at 06:08:11PM -0400, JP Vossen via plug wrote:
> > On 9/25/22 16:53, Walt Mankowski via plug wrote:
> > > > It was already installed for me on Debian-10, which is near EoL.  But holy cow the hashes are long!  I use `md5sum` to compare files a lot [1], in part because the hashes are short and don't make my eyes & brain bleed.
> > >
> > > That was my reaction too. You can make them shorter with the -l
> > > parameter, but who knows what that does to the robustness of the
> > > algorithm?
> >
> > Probably still better than MD5?  :-)  But...I can remember `md5sum`, not sure how long I'm going to remember `b2sum -l 48`.
>
> Same. For the files I'm running this on, there's basically no risk
> they might have been hacked.
>

I'd think that if you just truncated the hash to the same length as an
md5 hash then it should be no worse than md5 in terms of security.
I'd think it would keep any algorithmic strengths of the better
algorithm, but of course you'd be less resistant to brute force
attacks.

I realize you aren't really concerned with deliberate attacks, but it
never hurts to use the more secure algorithm.

So, on the topic of insecure hash algorithms, can anybody spot the
glaring problem with this:
$ git cat-file commit ec9a21e4f51de087744f2f5eb95a82cda673b07e
tree 0b6fab6bb7b543878e599ec60699fb005b434bbc
parent b95029fad9f1a593342cb2f52322a182c29259de
author Repository mirror & CI <repomirrorci@gentoo.org> 1664081214 +0000
committer Repository mirror & CI <repomirrorci@gentoo.org> 1664081214 +0000
gpgsig -----BEGIN PGP SIGNATURE-----

 iQEzBAABCAAdFiEE90jps8R+OTzCTI+vfCrAnNmPLt8FAmMv3T4ACgkQfCrAnNmP
 Lt99Xwf8DFCj4LNb5m2fJ9Didx7Yw3rYQxb655O7+/+OcdInU3rbqCywtZPv8Ij+
 8r57/l3ehnFct2Wut2jKokNXzvd+mDPbPVc4sZ6Y5cLxtvycIAD48jHcXSJoc7gk
 WYuoBP3o1Rdkfj1dM8wZ+jzvEbt8FKMXoXdvXurjoifL7QvlZUjaeOeHmecWswyD
 jP8bW409LeK0wxUf10XcyP7+ehMeCD0j8eGF/+NC3hx7QBY+VZO+CZ1V5YXQfF4k
 wU6e9vZEJSd47zeKiCn1SSJ4KAzcDvUmV1mqlZBxosZC/BKreJEgk8F0qOLxBlzg
 Zxnpw1CK7pYG64Easd0x63zIAIMeNg==
 =/8YU
 -----END PGP SIGNATURE-----

2022-09-25 04:46:54 UTC


-- 
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
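
Added example, not part of the original message or thread: a Python sketch of the digest-length trade-off discussed above, computing BLAKE2b at the lengths mentioned (48 and 128 bits, plus the 512-bit default) with the generic birthday and brute-force figures for each. The function names are made up for this example, the input is constructed, and the figures assume an ideal hash with no structural weakness.

```python
import hashlib
import math

def b2_hex(data: bytes, bits: int) -> str:
    """BLAKE2b digest with an output length of `bits` (the value `b2sum -l` takes)."""
    if bits % 8 or not 8 <= bits <= 512:
        raise ValueError("bits must be a multiple of 8 between 8 and 512")
    # digest_size is part of BLAKE2's parameter block, so a short digest is a
    # different value, not a prefix of the 512-bit one.
    return hashlib.blake2b(data, digest_size=bits // 8).hexdigest()

def accidental_collision_probability(n_files: int, bits: int) -> float:
    """Birthday approximation: chance that any two of n distinct files collide."""
    return -math.expm1(-n_files * (n_files - 1) / 2.0 ** (bits + 1))

def brute_force_work(bits: int) -> dict:
    """log2 of expected hash calls for generic attacks on an ideal hash."""
    return {"collision_log2": bits / 2, "second_preimage_log2": float(bits)}

def report(data: bytes, n_files: int = 1_000_000) -> list:
    """One row per digest length: (bits, hex digest, accident probability, work)."""
    rows = []
    for bits in (48, 128, 512):
        work = brute_force_work(bits)
        rows.append((bits, b2_hex(data, bits),
                     accidental_collision_probability(n_files, bits),
                     work["collision_log2"], work["second_preimage_log2"]))
    return rows

if __name__ == "__main__":
    sample = b"constructed sample file contents\n"  # constructed input
    for bits, digest, p, coll, pre in report(sample):
        print(f"-l {bits:<3} {digest[:32]:<32} p(accident, 1e6 files)={p:.3e} "
              f"collision~2^{coll:.0f} preimage~2^{pre:.0f}")
```

At 48 bits the chance of an accidental match among a million distinct files is already about 0.18%, and a deliberate collision costs on the order of 2^24 hash calls; at 128 bits the generic figures equal those of an ideal 128-bit hash.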