HTTP Digest Authentication MD5 Collision
MD5 hashes are now considered broken, because collision might happen. Is this problematic for HTTP digest authentication?
MD5 is known to be vulnerable to collision attacks. HTTP Digest does not require collision resistance from the hash function. It uses the hash to verify that both parties possess the same secret plaintext without exposing it en route.
If in doubt, just add HTTPS :-)
"MD5 hashes are now considered broken, because collision might happen"
Wrong.
The probability of accidental collisions was known when MD5 was written. What has changed is that techniques are now available to reduce the amount of effort required to generate a specific hash.
If HTTP digest auth is currently adequate for your purposes then continue to use it; there are other far more serious / exploitable vulnerabilities in digest authentication.
This is all described on Wikipedia.
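The challenge-response computation that the first answer refers to, shown as an added example that is not part of the original thread. It follows the RFC 2617 `qop=auth` formula and uses that RFC's sample values (section 3.5); the helper names and the `DigestVerifier` class are hypothetical.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def ha1(username, realm, password):
    # The only place the password enters; a server can store this value instead.
    return md5_hex(f"{username}:{realm}:{password}")

def digest_response(ha1_hex, method, h):
    # RFC 2617 request-digest for qop=auth: the secret is mixed with the
    # server nonce, client nonce, nonce count and the request line.
    ha2 = md5_hex(f"{method}:{h['uri']}")
    return md5_hex(f"{ha1_hex}:{h['nonce']}:{h['nc']}:{h['cnonce']}:{h['qop']}:{ha2}")

# Sample values from RFC 2617 section 3.5 (not from this page).
REALM = "testrealm@host.com"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"

def client_header(username, password):
    # What travels on the wire: every field is visible, the password is not.
    h = {"username": username, "realm": REALM, "uri": "/dir/index.html",
         "nonce": NONCE, "nc": "00000001", "cnonce": "0a4f113b", "qop": "auth"}
    h["response"] = digest_response(ha1(username, REALM, password), "GET", h)
    return h

class DigestVerifier:
    """Server side (hypothetical): holds HA1 per user and tracks nonce counts."""
    def __init__(self, ha1_by_user, issued_nonces):
        self.ha1_by_user = ha1_by_user
        self.last_nc = {n: 0 for n in issued_nonces}  # nonce -> highest nc accepted

    def verify(self, method, h):
        stored = self.ha1_by_user.get(h["username"])
        if stored is None or h["nonce"] not in self.last_nc:
            return False  # unknown user, or a nonce this server never issued
        expected = digest_response(stored, method, h)
        if not hmac.compare_digest(expected, h["response"]):
            return False  # sender does not hold the same secret
        nc = int(h["nc"], 16)
        if nc <= self.last_nc[h["nonce"]]:
            return False  # replay of an already used nonce count
        self.last_nc[h["nonce"]] = nc
        return True
```

The server recomputes the response from its own copy of HA1 and compares; it never needs two different inputs with the same hash to be hard to find, only that the response cannot be produced without the secret.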