Re: How does Nginx look-up cached resource?

Maxim Dounin
September 05, 2015 09:58PM
Hello!

On Sat, Sep 05, 2015 at 12:20:06AM +0300, Gena Makhomed wrote:

> On 04.09.2015 22:43, Maxim Dounin wrote:
>
> >>>For sure this is something that can be done. The question remains
> >>>though: how often collisions are observed in practice, does it make
> >>>sense to do anything additional to protect from collisions and
> >>>spend resources on it? Even considering only md5, without the
> >>>crc32 check, no practical cases were reported so far.
> >>
> >>What?
> >>That SHOULD be done! Once is already too much!
> >
> >None has happened yet. And likely won't ever happen, as md5 is a
> >good hash function 128 bits wide, and it took many years to find
> >even a single collision of md5. And even if it'll happen, we have
> >crc32 check in place to protect us.
>
> "and it took many years to find even a single collision of md5"
>
> This is not true:
>
> The security of the MD5 hash function is severely compromised.
> A collision attack exists that can find collisions within seconds
> on a computer with a 2.6 GHz Pentium 4 processor (complexity of 2**24.1)
> - https://en.wikipedia.org/wiki/MD5#Security

I said "took", not "takes now". The MD5 hash function was
introduced in 1991, and the first collision was found in 2004.

Also, it's important to understand that, while collision attacks
now exist, it doesn't really make MD5 bad for various
non-security uses.

[...]

> Variable-length hash function SHAKE128 from SHA-3 standard,
> for message M and output length 128 bit - SHAKE128(M, 128)
> has high collision resistance; its security is 64 bits.
>
> Also, using SHA-3 SHAKE128 instead of MD5 will be good
> for marketing purposes and for nginx compliance with
> any existing security standards and recommendations,
> which forbid or do not recommend any usage of MD5.
>
> Theoretically, it is a possible situation that some
> potential customers of NGINX Plus can't use NGINX Plus
> because NGINX Plus internally uses MD5, which is broken.

We can't really avoid using MD5 anyway, as we support some
things that require md5 (like $apr1$ passwords).

Also, in this particular case keeping keys 128 bits wide isn't
really required, and we can switch to any other function if
needed. And, while SHA-3 is certainly interesting, I would rather
prefer something more common. But I don't really think the cache key
hash needs to be changed.

--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
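
The message above describes two layers: a 128-bit MD5 of the cache key, with a CRC32 check behind it. The sketch below is an added illustration of that layering, not nginx source and not code from the thread; `KeyedCache`, `md5_8bit` and the sample keys are constructed, and the slot hash is cut to 8 bits only so that a collision can be found by counting.

```python
import hashlib
import zlib


class KeyedCache:
    """Toy cache: slot chosen by a hash of the key, CRC32 of the key kept with the body."""

    def __init__(self, slot_hash):
        self.slot_hash = slot_hash   # bytes -> bytes, picks the slot
        self.slots = {}              # slot id -> (crc32 of full key, body)
        self.collisions = 0          # lookups rejected by the CRC32 check

    def store(self, key, body):
        self.slots[self.slot_hash(key)] = (zlib.crc32(key), body)

    def lookup(self, key):
        entry = self.slots.get(self.slot_hash(key))
        if entry is None:
            return None              # plain miss: nothing stored in this slot
        stored_crc, body = entry
        if stored_crc != zlib.crc32(key):
            self.collisions += 1     # same slot, different key: treat as a miss
            return None
        return body


def md5_full(key):
    return hashlib.md5(key).digest()        # 128-bit slot id


def md5_8bit(key):
    return hashlib.md5(key).digest()[:1]    # deliberately weak: 256 slots


def find_colliding_keys(slot_hash, prefix=b"/constructed/path/"):
    """Count upwards until two constructed keys land in the same slot."""
    seen = {}
    i = 0
    while True:
        key = prefix + str(i).encode()
        slot = slot_hash(key)
        if slot in seen:
            return seen[slot], key
        seen[slot] = key
        i += 1


def demo(slot_hash):
    a, b = find_colliding_keys(md5_8bit)
    cache = KeyedCache(slot_hash)
    cache.store(a, b"body for a")
    return cache.lookup(a), cache.lookup(b), cache.collisions
```

CRC32 is an error-detection code, so the second check in this sketch covers accidental slot collisions; it is not built to resist keys chosen to match.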