Is it safe to rename file.gpg to `md5sum file`?

sben1783 sben1783 at yahoo.de
Tue Dec 4 21:03:51 CET 2012


 On Tue, 4 Dec 2012 14:40:22 +0200, "yyy" <yyy at yyy.id.lv> wrote:
>> There isn't enough entropy in a filename for an MD5 checksum to give
>> much in the way of secrecy.
>>
>
> It seems that MD5 checksum is computed from file contents, not name.

 Yes, I meant to use the MD5 checksum of the original file, not its
 original name. I'm still interested whether this would be "insecure"?

 I found a discussion on this list in 2011, where user atom wrote:

> just make sure you're hashing the file-NAME, not its contents.
> of course, if you don't lose your db, then there's nothing wrong
> with hashing the contents, or even a counter or random string.
> hashing the file-NAME is just an idea that makes recovery of the db
> possible if you know the format and range of the file-names (and any
> secret that may be used). the real trick is to just do something
> secure and consistent... sha1 does the job.

 (http://www.mail-archive.com/gnupg-users@gnupg.org/msg15110.html)

 He states it's not a problem to hash the file's contents, but it seems
 to be thought of no different than "counter and random string" - these
 are completely different things IMHO.

 And, by the way, how could the hash of a filename be used to
 reconstruct the filename (as atom says "... makes recovery of the db
 possible ...")? There is no such thing as inverse-md5sum, is there?
 You'd still need "brute force" to find the original name?

 Thanks
 Ben
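
The recovery idea quoted from atom above, and the content-hash naming the thread asks about, as an added example that is not code from either poster. The file-name pattern, the secret, and the use of HMAC-SHA1 for "any secret that may be used" are assumptions; all sample data is constructed.

```python
import hashlib
import hmac

def stored_name(filename: str, secret: bytes) -> str:
    """Opaque on-disk name: keyed SHA-1 of the original file NAME (HMAC is an assumption)."""
    return hmac.new(secret, filename.encode("utf-8"), hashlib.sha1).hexdigest() + ".gpg"

def rebuild_index(stored, candidates, secret):
    """Recover {stored name: original name} after losing the mapping db.

    Nothing is inverted: every candidate name in the known format and range
    is hashed forward and compared. Stored names with no matching candidate
    are returned separately so they are not silently dropped.
    """
    table = {stored_name(c, secret): c for c in candidates}
    found = {s: table[s] for s in stored if s in table}
    missing = sorted(s for s in stored if s not in table)
    return found, missing

def content_name(plaintext: bytes) -> str:
    """The scheme asked about in the thread: name = MD5 of the original file's contents."""
    return hashlib.md5(plaintext).hexdigest() + ".gpg"

def confirms_guess(stored: str, guessed_plaintext: bytes) -> bool:
    """An unkeyed content hash lets anyone holding a candidate plaintext test it
    against the stored name without the decryption key."""
    return hmac.compare_digest(stored, content_name(guessed_plaintext))

# Constructed sample data: names follow a known pattern scan-0001.pdf .. scan-9999.pdf
SECRET = b"constructed-example-secret"
CANDIDATES = [f"scan-{n:04d}.pdf" for n in range(1, 10000)]
ON_DISK = [
    stored_name("scan-0042.pdf", SECRET),
    stored_name("scan-9001.pdf", SECRET),
    stored_name("notes.txt", SECRET),  # outside the known pattern: not recoverable
]

if __name__ == "__main__":
    found, missing = rebuild_index(ON_DISK, CANDIDATES, SECRET)
    for opaque, original in found.items():
        print(opaque, "->", original)
    print("unrecovered:", missing)
    leaked = content_name(b"constructed known document\n")
    print("guess confirmed:", confirms_guess(leaked, b"constructed known document\n"))
```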



