Actually, because the two algorithms are related, using both at once yields only as much security as the more secure of the two: Breaking SHA1 and MD5 together is not much more difficult than breaking SHA1 alone. Better security is achieved by using a better hash algorithm, such as SHA256.
-Nick Johnson

On Tue, Oct 27, 2009 at 12:35 PM, Roy Smith <[email protected]> wrote:

> If you're paranoid, how about a concatenation of the SHA and MD5 sums.
>
> On Tue, Oct 27, 2009 at 12:30 PM, Martin Trummer <[email protected]> wrote:
>
>> On Oct 27, 10:53 am, "Nick Johnson (Google)" <[email protected]> wrote:
>> > Collision attacks on MD5 have been found, yes. But a collision attack
>> > requires the attacker to specify both strings, and currently at least,
>> > requires them to be at least 128 bytes long, and makes no guarantee about
>> > human readability. A preimage attack, which would find a plaintext that
>> > hashes to the same value as a given hash, has not been found - and in any
>> > case, the plaintext would not be the same as the input one.
>>
>> ah, ok - Seems I haven't fully understood the articles I've read.
>> I was not aware that the collisions only happen for input that
>> is >= 128 bytes.
>> So: I agree that using an MD5 hash in this case is sufficiently
>> random.
>>
>> but since I'm quite paranoid, I won't use it :)
>> although I am well aware that any app. I wrote and will write has a
>> lot of other far more serious security related problems than this
>> one :)
>>
>> On Oct 27, 12:09 pm, Tim Hoffman <[email protected]> wrote:
>> > Because the problem comes down to defining a unique id, using one of
>> > the various UUID methods will work (and most then use something
>> > unique like an email address, random seed, and time). Anything that
>> > requires incrementing a counter to provide a unique id will then
>> > require sharding counters
>> > if you are creating them rapidly.
>> hmm.. I'm talking about unique long keys that the datastore assigns
>> when an entity is created:
>> e.g. see IdGeneratorStrategy.IDENTITY in http://tinyurl.com/yg99p35
>> so creating a unique id is not a problem (at least not for me, but
>> for the datastore)

--
Nick Johnson, Developer Programs Engineer, App Engine
Google Ireland Ltd. :: Registered in Dublin, Ireland, Registration Number: 368047
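
The reply at the top of this message says that concatenating SHA1 and MD5 adds little over SHA1 alone. As an added illustration (not code from the thread), the sketch below runs Joux's multicollision argument, which covers any two iterated hashes and so goes beyond the SHA1/MD5 case, on two constructed 24-bit toy hashes. The names compress, toy_hash, block_collision and joux_collision, the tags A and B, and the 24-bit size are assumptions of the example.

```python
import hashlib
from itertools import product

# Constructed toy setting: 24-bit state, 4-byte blocks, no padding (assumptions).
def compress(tag: bytes, state: int, block: bytes) -> int:
    """Toy compression function: SHA-256 truncated to 24 bits, keyed by tag."""
    d = hashlib.sha256(tag + state.to_bytes(3, "big") + block).digest()
    return int.from_bytes(d[:3], "big")

def toy_hash(tag: bytes, blocks) -> int:
    """Iterated (Merkle-Damgard style) hash: chain compress() over the blocks."""
    state = 0
    for b in blocks:
        state = compress(tag, state, b)
    return state

def block_collision(tag: bytes, state: int):
    """Birthday search for two distinct blocks that collide from `state`."""
    seen, i = {}, 0
    while True:
        b = i.to_bytes(4, "big")
        out = compress(tag, state, b)
        if out in seen:
            return seen[out], b, out
        seen[out] = b
        i += 1

def joux_collision(k: int = 15):
    """Return (m1, m2, work): m1 != m2 colliding under both H1 (tag A) and H2 (tag B)."""
    pairs, state, work = [], 0, 0
    for _ in range(k):  # k chained collisions give 2**k messages equal under H1
        b0, b1, state = block_collision(b"A", state)
        pairs.append((b0, b1))
        work += int.from_bytes(b1, "big") + 1  # compress() calls spent on this step
    seen = {}
    for choice in product((0, 1), repeat=k):  # birthday search in H2 over that set
        msg = tuple(p[c] for p, c in zip(pairs, choice))
        h2 = toy_hash(b"B", msg)
        work += k
        if h2 in seen:
            return seen[h2], msg, work
        seen[h2] = msg
    return None

if __name__ == "__main__":
    m1, m2, work = joux_collision()
    print("collision in H1||H2 after", work, "compress calls; generic bound ~", 2**24)
```

The concatenation has 48 output bits, so a generic birthday search would need about 2**24 hash evaluations; the chained search needs only k cheap 24-bit collisions plus one more 24-bit birthday search, which is why a single hash with a longer output (SHA256 in the reply) is the better choice.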
