Is it safe to "share" a private key's MD5 fingerprint?


Hi all,

I have a repo that is currently private, but may eventually be public. In the CircleCI config, I have a snippet which adds a private SSH key via the add_ssh_keys item, e.g.:

  - add_ssh_keys:
        - "00:11:22:33:44:55:66:77:88:99:00:11:22:33:44:55"

I was wondering whether it’s safe to have the fingerprint publicly accessible, given its a private key, and uses MD5 for its hash. My assumption is yes, it’s safe, but want to confirm, before heading down an alternate route.



Probably not. MD5 is a very fast hashing algorithm, and many millions of brute-force attempts can be guessed per second these days (with just one CPU). Due to hashing collisions, there are probably several keys that resolve to the same hash, but perhaps there would be a small enough number that they could be tried one by one.

If you have a need to share a hash, can you use something stronger (e.g. Bcrypt)?