"Frank Ellermann" commented:
AFAIK SHA-1 is not really better than MD5, it's only longer.
And SHA-256 is again longer. I watch the "hash WG" hoping
for better ideas. At the moment I often see discussions in
the rough direction of "let's take SHA-256 and truncate it".
I understand MD5 has been shown to have serious flaws,
cryptographically speaking. I've seen a quote from its author, Ron Rivest (URL
below), advising people not to use it any more.
There has recently been published a paper suggesting that SHA-1 also,
theoretically, has a similar collision susceptibility. The same article says
that NIST have declared that they are generating a plan to phase out SHA-1 in
favour of SHA-256 over the next few years because of this risk.
http://www.networkmagazine.com/shared/article/showArticle.jhtml?articleId=47903171
The 'truncation' ideas are to get the (hoped-for) collision-free properties of
SHA-256 yet still fit in the same 20 bytes as SHA-1 - but I'm sure you know all
this.
BTW, (& slightly OT), the performance of Sun's Java 1.5 implementation of
digests on my 4 GHz Athlon with 256Kbyte message size is:
                Throughput (Mbytes/sec)
    MD5         28,9
    SHA-1       19,2
    SHA-256     13,3
    SHA-512      8,5
Anyone know how these rates relate to the arrival rate of mail messages on a
large production server? I'm curious as to the impact of schemes like DK & SES
which sometimes form / check digests of almost everything. Maybe off-list
responses would be fair to SPF.
Chris Haynes
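An added example, not from either poster, of how the throughput figures above can be reproduced with Java's MessageDigest on a 256 KiB message, together with the "SHA-256 truncated to 20 bytes" construction the thread mentions; the iteration count, warm-up count and random input are constructed here.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Random;

/** Digest throughput benchmark on a 256 KiB message, plus a 20-byte SHA-256 truncation. */
public class DigestThroughput {

    static final int MESSAGE_SIZE = 256 * 1024; // 256 KiB, the message size used in the post
    static final int ITERATIONS = 200;          // constructed; raise for steadier numbers

    /** Hashes the same message `iterations` times and returns Mbytes/sec (10^6 bytes per second). */
    static double megabytesPerSecond(String algorithm, byte[] message, int iterations)
            throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        for (int i = 0; i < 10; i++) {
            md.digest(message);                 // warm the JIT before timing (constructed count)
        }
        long start = System.nanoTime();
        for (int i = 0; i < iterations; i++) {
            md.update(message);
            md.digest();                        // digest() also resets the state for the next round
        }
        double seconds = (System.nanoTime() - start) / 1e9;
        return ((double) message.length * iterations) / 1e6 / seconds;
    }

    /**
     * "Take SHA-256 and truncate it" to the 20-byte width of SHA-1.
     * Caveat: a 160-bit output caps generic (birthday) collision resistance at about 2^80
     * work, whatever the strength of the underlying function.
     */
    static byte[] truncatedSha256(byte[] message) throws NoSuchAlgorithmException {
        byte[] full = MessageDigest.getInstance("SHA-256").digest(message);
        return Arrays.copyOf(full, 20);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        byte[] message = new byte[MESSAGE_SIZE];
        new Random(42).nextBytes(message);      // constructed input; fixed seed for repeatability
        for (String alg : new String[] {"MD5", "SHA-1", "SHA-256", "SHA-512"}) {
            System.out.printf("%-8s %6.1f Mbytes/sec%n",
                    alg, megabytesPerSecond(alg, message, ITERATIONS));
        }
        System.out.println("SHA-1 digest length: "
                + MessageDigest.getInstance("SHA-1").getDigestLength()
                + " bytes, truncated SHA-256 length: " + truncatedSha256(message).length + " bytes");
    }
}
```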