
I’m not going to evaluate if MD5 is safe for “tcpauth” even if I were competent enough to do so.

If confidentiality isn’t a factor (since any hash function that is fast enough to brute force isn’t going to be particularly secure) and if integrity cannot be compromised through collisions, then the hash function is safe for this use case.

Why use MD5? It’s relatively easy to implement securely, there are a lot of safe implementations, and it’s fast.

This is why CRC32 is still used today also.



No, "why use MD5" is because MD5 is the only one supported by kernels. And it has to be supported by kernels in order to allow any realistic use of a BGP daemon.

I thought this should be clear from the fact that it protects against RST packets. Nothing on an application layer can do that.

I wish I could edit that comment because while I expected people to go "oh, I didn't know TCP had that!", multiple commenters seem not to have read past "MD5" and assumed that this is pure application-level.
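What the kernel actually hashes when TCP-MD5 (RFC 2385) is enabled on a socket, reimplemented in user space as an added example; this is not code from any commenter or from any kernel, and the addresses, ports, payload and key are constructed sample values. The digest covers the IPv4 pseudo-header, the 20-byte TCP header with the checksum forced to zero and options excluded, the payload, and the shared key, in that order; the RST protection the comment refers to falls out of that directly, since a spoofed RST with the right 4-tuple and sequence number still carries no valid digest.

```python
"""RFC 2385 TCP MD5 signature option, user-space reimplementation (added example)."""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass, replace
from typing import Optional

TCP_PROTO = 6
TCP_FLAG_RST = 0x04
TCP_FLAG_ACK = 0x10
TCP_OPT_NOP = 1
TCP_OPT_MD5SIG = 19          # option kind assigned by RFC 2385
TCP_OPT_MD5SIG_LEN = 18      # kind + length + 16-byte digest
MAX_KEY_LEN = 80             # Linux TCP_MD5SIG_MAXKEYLEN; RFC 2385 itself sets no cap


@dataclass
class Segment:
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    window: int = 65535
    payload: bytes = b""
    options: bytes = b""     # as carried on the wire, already padded to 4 bytes

    def tcp_length(self) -> int:
        return 20 + len(self.options) + len(self.payload)


def pseudo_header(seg: Segment) -> bytes:
    """IPv4 pseudo-header: src, dst, zero byte, protocol, TCP segment length."""
    return (ipaddress.IPv4Address(seg.src_ip).packed
            + ipaddress.IPv4Address(seg.dst_ip).packed
            + struct.pack("!BBH", 0, TCP_PROTO, seg.tcp_length()))


def fixed_header(seg: Segment) -> bytes:
    """The 20-byte TCP header as hashed: real data offset, checksum and urgent pointer 0."""
    if len(seg.options) % 4:
        raise ValueError("options must be padded to a 32-bit boundary")
    data_offset = (20 + len(seg.options)) // 4
    offset_and_flags = (data_offset << 12) | (seg.flags & 0x1FF)
    return struct.pack("!HHIIHHHH", seg.sport, seg.dport, seg.seq, seg.ack,
                       offset_and_flags, seg.window, 0, 0)


def md5_signature(seg: Segment, key: bytes) -> bytes:
    if not 1 <= len(key) <= MAX_KEY_LEN:
        raise ValueError("key must be 1..80 bytes")
    h = hashlib.md5()
    h.update(pseudo_header(seg))
    h.update(fixed_header(seg))
    h.update(seg.payload)
    h.update(key)
    return h.digest()


def sign(seg: Segment, key: bytes) -> Segment:
    """Return a copy carrying the MD5 option (kind 19) plus two NOPs of padding."""
    placeholder = (bytes([TCP_OPT_MD5SIG, TCP_OPT_MD5SIG_LEN]) + bytes(16)
                   + bytes([TCP_OPT_NOP, TCP_OPT_NOP]))
    signed = replace(seg, options=placeholder)
    digest = md5_signature(signed, key)   # options are excluded from the hash
    signed.options = placeholder[:2] + digest + placeholder[18:]
    return signed


def extract_signature(options: bytes) -> Optional[bytes]:
    """Walk the TCP option list and return the 16-byte digest, if present."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # end of option list
            return None
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            return None                    # truncated or malformed option
        length = options[i + 1]
        if kind == TCP_OPT_MD5SIG and length == TCP_OPT_MD5SIG_LEN:
            return options[i + 2:i + 18]
        i += length
    return None


def verify(seg: Segment, key: bytes) -> bool:
    """Receiver side with the key configured: drop unless the digest matches."""
    sig = extract_signature(seg.options)
    if sig is None or len(sig) != 16:
        return False
    return hmac.compare_digest(sig, md5_signature(seg, key))


def forge_rst(seg: Segment) -> Segment:
    """An off-path attacker's RST: right 4-tuple and sequence number, no key."""
    return replace(seg, flags=TCP_FLAG_RST, payload=b"")


def demo() -> dict:
    key = b"example-bgp-secret"                           # constructed shared secret
    keepalive = b"\xff" * 16 + b"\x00\x13\x04"            # constructed BGP KEEPALIVE
    seg = Segment("192.0.2.1", "192.0.2.2", 179, 40001, seq=1000, ack=2000,
                  flags=TCP_FLAG_ACK, payload=keepalive)
    signed = sign(seg, key)
    return {
        "valid": verify(signed, key),
        "wrong_key": verify(signed, b"guess"),
        "forged_rst": verify(forge_rst(signed), key),
        "unsigned": verify(seg, key),
    }


if __name__ == "__main__":
    print(demo())
```

On a real Linux host none of this runs in user space: the application sets the key per peer with `setsockopt(fd, IPPROTO_TCP, TCP_MD5SIG, ...)` and the kernel signs outgoing segments and silently drops incoming ones whose digest does not verify, which is why a BGP daemon cannot get this protection from the application layer alone.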


CRC32 is used for its error detection properties which exceed those of a cryptographic hash of the same length (and, to boot, it's cheaper, too).

There's no reason to choose MD5 over SHA-1. It's less secure and slower, and there are plenty of free implementations of SHA-1.

Ideally you'd use SHA-256, because of (smaller) security concerns with SHA-1, but it is a small touch slower than MD5.


MD5 is quite a bit faster on my machine.

  % for i in md5 sha1 sha256 sha512; do echo -n "$i: ";  time ${i}sum test.bin > /dev/null ; done 
  md5: ${i}sum test.bin > /dev/null  1.37s user 0.13s system 99% cpu 1.501 total
  sha1: ${i}sum test.bin > /dev/null  1.84s user 0.12s system 99% cpu 1.952 total
  sha256: ${i}sum test.bin > /dev/null  4.43s user 0.16s system 99% cpu 4.593 total
  sha512: ${i}sum test.bin > /dev/null  2.69s user 0.12s system 99% cpu 2.810 total
Surprisingly, SHA256 is much slower than SHA512 here.


OK, I measured a dozen machines, and I found a very mixed picture using 'openssl speed'.

- Lots of modern x86 machines with SHA-NI that were typically 50-300% faster than MD5

- Older Intel machines, where SHA1 was generally slightly faster, with one or two exceptions where the reverse was true.

- ARM machines with good SIMD/NEON where the NEON implementation of SHA1 was 30-40% faster than MD5.

- Embedded ARM machines with bad SIMD/NEON where it was pretty much a tie.

- A few ARM machines-- most notably Broadcom chipsets in the Raspberry Pi, where MD5 wins by a large margin.

- Embedded MIPS 24k, where MD5 won by 33%.

Then I found http://bench.cr.yp.to/results-hash.html , which bears out what I'd measured.

In any case, I don't think "speed" is any reason to select MD5, unless maybe if you're on MIPS 24k.
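A reproducible version of the measurement in the two comments above, added here as an example and not a script from any commenter. Python's hashlib is backed by the OpenSSL build the interpreter was linked against, so for md5/sha1/sha256/sha512 it exercises the same code paths as `openssl speed`, SHA-NI and NEON included. Two buffer sizes are timed because TCP-MD5 hashes one segment at a time: a small segment is dominated by per-call overhead, while the large buffer shows the per-byte cost the `*sum` loop was measuring. The sizes and the time budget per run are arbitrary choices.

```python
"""Hash throughput per algorithm and buffer size (added example)."""
import hashlib
import os
import time

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")
SIZES = (64, 1 << 20)          # a small TCP segment vs. a 1 MiB buffer


def throughput_mib_s(name: str, size: int, budget_s: float = 0.05) -> float:
    """Hash fresh random data of `size` bytes repeatedly for `budget_s` seconds."""
    data = os.urandom(size)
    calls = 0
    start = time.perf_counter()
    deadline = start + budget_s
    while time.perf_counter() < deadline:
        hashlib.new(name, data).digest()
        calls += 1
    elapsed = time.perf_counter() - start
    return calls * size / elapsed / (1 << 20)


def benchmark(algorithms=ALGORITHMS, sizes=SIZES) -> dict:
    """Return {algorithm: {size: MiB/s}} so the numbers can be compared or asserted on."""
    return {name: {size: throughput_mib_s(name, size) for size in sizes}
            for name in algorithms}


def fastest(results: dict, size: int) -> str:
    """Name of the algorithm with the highest throughput at a given buffer size."""
    return max(results, key=lambda name: results[name][size])


if __name__ == "__main__":
    results = benchmark()
    for name, by_size in results.items():
        cells = "  ".join(f"{size:>8}B: {mibs:8.1f} MiB/s" for size, mibs in by_size.items())
        print(f"{name:<7} {cells}")
    print("fastest at 1 MiB:", fastest(results, 1 << 20))
```

For a cross-check against OpenSSL directly, `openssl speed -evp md5` and `openssl speed -evp sha256` report the same kind of per-block-size throughput table, and `openssl speed -evp sha256` will show the SHA-NI path when the CPU has it.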


It's not about speed. It's about kernel support. And RFC2385 has kernel support and TCP-AO does not. See other comments.


>Surprisingly, SHA256 is much slower than SHA512 here.

SHA512 is expected to be faster than SHA256 on modern 64 bit architectures due to fewer rounds per byte.


Thanks. Shows how much I know! At least I am kind of handy with the shell...


> There's no reason to choose MD5 over SHA-1

What TCP stacks support TCP-AO? They do support TCP-MD5. That's why.



