Is it safe to rename file.gpg to `md5sum file`?
sben1783
sben1783 at yahoo.de
Tue Dec 4 21:03:51 CET 2012
On Tue, 4 Dec 2012 14:40:22 +0200, "yyy" <yyy at yyy.id.lv> wrote:
>> There isn't enough entropy in a filename for an MD5 checksum to give
>> much in the way of secrecy.
>>
>
> It seems that MD5 checksum is computed from file contents, not name.
Yes, I meant to use the MD5 checksum of the original file, not its
original name. I'm still interested whether this would be "insecure"?
I found a discussion on this list in 2011, where user atom wrote:
> just make sure you're hashing the file-NAME, not it's contents.
> of course, if you don't lose your db, then there's nothing wrong
> with hashing the contents, or even a counter or random string.
> hashing
> the file-NAME is just an idea that makes recovery of the db possible
> if
> you know the format and range of the file-names (and any secret that
> may be used). the real trick is to just do something secure and
> consistent... sha1 does the job.
(http://www.mail-archive.com/gnupg-users@gnupg.org/msg15110.html)
He states it's not a problem to hash the files contents, but it seems
to be thought of no different than "counter and random string" - this
are completely different things IMHO.
And, by the way, how could the hash of a filename be used to
reconstruct
the filename (as atom says "... makes recovery of the db possible ...")
There is no such thing as inverse-md5sum, is there? You'd still need
"brute force" to find the original name?
Thanks
Ben
More information about the Gnupg-users
mailing list