rethinking MD5

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
User avatar
Vegan
Forum Regular
Posts: 574
Joined: Fri Sep 05, 2008 3:34 pm
Location: Victoria, BC
Contact:

rethinking MD5

Post by Vegan »

I use the PHP MD5 to to generate an etag so that some dumb search engine can figure it out whether my page has been edited or not

reading some IT news, said the MD5 was rather weak and was being used to hack Windows update.

So does PHP support SHA or other hashes so I can look at new options?
Hardcore Games™ Legendary is the Only Way to Play™
My site is powered by LAMP
User avatar
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: rethinking MD5

Post by Celauran »

Vegan wrote:reading some IT news, said the MD5 was rather weak
Weak how? Weak at what? It's worthless for storing password hashes, for instance, but is still widely used to verify the integrity of downloads, for instance. PHP does indeed support a number of hashing algorithms, but I'm not convinced a change is required.
User avatar
Vegan
Forum Regular
Posts: 574
Joined: Fri Sep 05, 2008 3:34 pm
Location: Victoria, BC
Contact:

Re: rethinking MD5

Post by Vegan »

I am simply wanting to see if other options are available, when I see security bulletins I like to make sure nothing is left unchecked
Hardcore Games™ Legendary is the Only Way to Play™
My site is powered by LAMP
User avatar
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: rethinking MD5

Post by requinix »

MD5 isn't good for cryptography but you're not using cryptography.

What you're using MD5 for is perfectly fine. The only way it could be abused is if someone uploaded content, to the same URL, that had an identical MD5 hash, and identical after accounting for whatever factors you've configured for your ETag, and putting aside that you would have much larger problems all they would do is affect when the browser requests fresh content.
User avatar
Vegan
Forum Regular
Posts: 574
Joined: Fri Sep 05, 2008 3:34 pm
Location: Victoria, BC
Contact:

Re: rethinking MD5

Post by Vegan »

I switched MD5 to SHA1 mainly to modernize the code
are there other choices that are can be substituted

Code: Select all

<?php header("ETag: " . sha1(date("YmdHis", getlastmod()))); ?>
Hardcore Games™ Legendary is the Only Way to Play™
My site is powered by LAMP
User avatar
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: rethinking MD5

Post by Celauran »

Yes, see the list of hashing algorithms I posted above. I still maintain that md5 is perfectly suited for this task as creating digests of data is precisely what it was designed to do.
Post Reply