My blog has moved and can now be found at

No action is needed on your part if you are already subscribed to this blog via e-mail or its syndication feed.

Wednesday, September 15, 2004
« Courtesy & Professionalism.... | Main | BizTalk Question RE: WSE adapter and X.5... »

In the latest issue of Crypto-Gram, Bruce Schneier provides a "Cryptanalysis of MD5 and SHA" which looks at the weakness in the MD5 and SHA functions that were announced at the CRYPTO Conference recently. Some highlights:

"...  Today, the most popular hash function is SHA-1, with MD5 still being used in older applications. "

"..  To a user of cryptographic systems -- as I assume most readers are -- this news is important, but not particularly worrisome. MD5 and SHA aren't suddenly insecure."

"It's time for us all to migrate away from SHA-1."

"Luckily, there are alternatives. The National Institute of Standards and Technology already has standards for longer -- and harder to break -- hash functions: SHA-224, SHA-256, SHA-384, and SHA-512. They're already government standards, and can already be used."

.NET Provides out of the box support for MD5, SHA-1, SHA-256, SHA-384 and SHA-512 hashing algorithms. 

A major use of hash functions in a web based application is to store a password as a hash, or even better as a salted hash.  A frequently used helper function that is used by many to implement this functionality is the very appropriately named HashPasswordForStoringInConfigFile method of FormsAuthentication.  Presently, the only hash algorithms that are supported by this method are MD5 and SHA-1.  I REALLY would like to see this support extended to SHA-256.


Tags:: Security
9/15/2004 11:57 PM Eastern Daylight Time  |  Comments [0]  |  Disclaimer  |  Permalink   
Comments are closed.