1

MD5 hashes are now considered broken, because collisions might happen. Is this a problem for HTTP digest authentication?

4

2 Answers

3

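MD5 is known to be vulnerable to collision attacks. HTTP Digest does not require collision resistance from the hash function. It uses the hash to verify that both parties come up with the same secret plaintext, without exposing it in transit.

If in doubt, just add HTTPS :-)

answered 2011-07-03T10:51:18.197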
1

MD5 hashes are now considered broken, because collision might happen

Wrong.

The probability of accidental collisions was known when md5 was written. What has changed is that techniques are now available to reduce the amount of effort required to generate a specific hash.

If HTTP digest auth is currently adequate for your purposes then continue to use it; there are other far more serious / exploitable vulnerabilities in digest authentication.

This is all described on Wikipedia

answered 2011-07-05T11:58:43.187