将SHA256散列截断为128位可以吗? [英] Is it okay to truncate a SHA256 hash to 128 bits?
问题描述
基本上我想用它来唯一地标识文件系统中的文件,有一天包含万亿个文件。我知道生日问题,一个128位散列应该在万亿个文件中产生一个万亿分之一的概率,这样就会有两个具有相同散列的不同文件。我可以忍受这些可能性。
我无法忍受的是,如果有人可以轻松,有意地插入一个具有相同散列和相同开始字符的新文件的文件。我相信在MD5和SHA1这是可能的。
是的,这将工作。从理论上讲,最好将两个半部分异或,但即使是截断的SHA256也要比MD5更强。尽管如此,您仍然应该考虑128位散列值而不是256位散列值。
在这种情况下,我特别推荐使用HASH + uniquifier进行存储和引用uniquifier是你之前用这个哈希看到的不同文件的数量。这样,如果有人试图存储未来发现的SHA256碰撞矢量,你就不会完全失败。
MD5 and SHA-1 hashes have weaknesses against collision attacks. SHA256 does not but it outputs 256 bits. Can I safely take the first or last 128 bits and use that as the hash? I know it will be weaker (because it has less bits) but otherwise will it work?
Basically I want to use this to uniquely identify files in a file system that might one day contain a trillion files. I'm aware of the birthday problem and a 128 bit hash should yield about a 1 in a trillion chance on a trillion files that there would be two different files with the same hash. I can live with those odds.
What I can't live with is if somebody could easily, deliberately, insert a new file with the same hash and the same beginning characters of the file. I believe in MD5 and SHA1 this is possible.
Yeah that will work. Theoretically it's better to XOR the two halves together but even truncated SHA256 is stronger than MD5. You should still consider the result a 128 bit hash rather than a 256 bit hash though.
My particular recommendation in this particular case is to store and reference using HASH + uniquifier where uniquifier is the count of how many distinct files you've seen with this hash before. This way you don't absolutely fall down flat if somebody tries to store future discovered collision vectors for SHA256.
这篇关于将SHA256散列截断为128位可以吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
