Thread: Which one? MD5? SHA-1?

  1. #1

    Which one? MD5? SHA-1?

    Hi All,
    I have an application which needs to store some information in a configuration file.
    We decided to encrypt the information with an algorithm that is commonly used across the company.
    I thought it would be best if we insert some kind of checksum validation so we can know if the file has been tampered with. When I started looking at this issue, I first thought of MD5. Then I read some more and found that some people say that collisions may happen with this algorithm, which makes it less secure. Then I turned to SHA-1, but again it looks like it may have flaws, since it is a variation of SHA.
    Any thoughts on the way we should handle this?

    Thanks and Cheers!!

  2. #2

  3. #3
    Thanks Helena!
    While peeking around, I found this interesting.
    I didn't know of many ways of doing this.
    Since I am most comfortable with C#, I will use the C# implementation found here, and currently attached to this post.

    Once again, thanks!

  4. #4
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401

    Re: Which one? MD5? SHA-1?

    What encryption algorithm are you using? It might already contain some sort of checksum validation..

    http://en.wikipedia.org/wiki/Digital_signature
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  5. #5
    Hi SirDice!

    Thank you for replying.
    Well, actually the algorithm is very old; it is a basic thing for scrambling things. In my opinion it is very weak. I believe former developers found it somewhere and implemented it because it was better than nothing, and mostly because Visual Basic code was available. It does not do any kind of validation. It just scrambles the information with a key.
    I proposed to change the algorithm but I found a huge amount of resistance, because it is implemented everywhere.
    Since my desire to improve security is not diminished, I thought of adding some kind of checksum to detect when "malintentioned users" are trying to use different configurations and see what works and what doesn't.

    Thanks, and cheers!

  6. #6
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    If you want to detect tampering, you don't want just a hash, you want a signature...
    (Unless you're storing the hash separately in a tripwire way...)


    Ammo
    Credit travels up, blame travels down -- The Boss

  7. #7
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    http://www.cryptography.com/cnews/hash.html

    Note that MD5-HMAC is somewhat unaffected by the vulnerability. Also, the hashing collisions have been discussed elsewhere here.

    Your best bet is a newer algorithm such as SHA-256.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  8. #8
    Hi Ammo!
    Thanks for replying.
    If you want to detect tampering, you don't want just a hash, you want a signature...
    (Unless you're storing the hash separately in a tripwire way...)
    I was thinking of storing the hash elsewhere. This configuration file will be generated by us, and we want to detect if someone is trying to change config files to elevate privileges or to access servers other than those we want them to access. If the application detects that someone tried to change the files, it will send a notification directly to us.
    To be honest, I didn't know that this was called 'tripwire'.

    Thanks!

  9. #9
    Hi Csch!
    Thanks for replying.
    Your best bet is a newer algorithm such as SHA-256.
    I went here and found some VB6 source code for SHA256. I converted it to VB.Net 2003, and attached it to this post.
    I double checked the final VB.Net app with this site.

    Looks like we'll be using SHA256 after all.

    Thanks heaps.

  10. #10
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    All,

    NIST has said that government agencies should no longer use MD5. While still a very valid method of proving the integrity of a file, it has been proven vulnerable to attack. Use it at your own risk.
    Antionline in a nutshell
    "You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"

    Trust your Technolust
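
The thread's three options (a hash stored with the file, a keyed HMAC, and a hash stored separately "tripwire" style) are contrasted in the Python sketch below. It is an added example, not code posted by anyone in this thread; the function names, the `#sha256=` / `#hmac-sha256=` trailer format, the sample config and the key are all assumptions made for illustration.

```python
import hashlib
import hmac

def seal_plain(config: bytes) -> bytes:
    """Append an unkeyed SHA-256 digest; anyone who edits the file can redo this."""
    return config + b"\n#sha256=" + hashlib.sha256(config).hexdigest().encode()

def verify_plain(sealed: bytes) -> bool:
    body, sep, tag = sealed.rpartition(b"\n#sha256=")
    expected = hashlib.sha256(body).hexdigest().encode()
    return bool(sep) and hmac.compare_digest(expected, tag)

def seal_hmac(config: bytes, key: bytes) -> bytes:
    """Append an HMAC-SHA256 tag; producing a valid tag requires the key."""
    tag = hmac.new(key, config, hashlib.sha256).hexdigest().encode()
    return config + b"\n#hmac-sha256=" + tag

def verify_hmac(sealed: bytes, key: bytes) -> bool:
    body, sep, tag = sealed.rpartition(b"\n#hmac-sha256=")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return bool(sep) and hmac.compare_digest(expected, tag)  # constant-time compare

def verify_detached(config: bytes, trusted_digest: str) -> bool:
    """Tripwire style: the digest lives where the file's editor cannot write."""
    return hmac.compare_digest(hashlib.sha256(config).hexdigest(), trusted_digest)

# Constructed sample data (not taken from the thread).
ORIGINAL = b"server=app01.example.internal\nrole=user\n"
TAMPERED = b"server=app01.example.internal\nrole=admin\n"
KEY = b"constructed-demo-key-not-for-production"

def demo() -> dict:
    trusted = hashlib.sha256(ORIGINAL).hexdigest()   # kept off the client machine
    sealed = seal_hmac(ORIGINAL, KEY)
    return {
        # The editor recomputes the unkeyed digest, so the change goes unnoticed.
        "plain_resealed_by_editor": verify_plain(seal_plain(TAMPERED)),
        "hmac_original": verify_hmac(sealed, KEY),
        # Body changed, old tag kept: rejected.
        "hmac_edited_body": verify_hmac(sealed.replace(b"role=user", b"role=admin"), KEY),
        # Body changed, tag recomputed without the real key: rejected.
        "hmac_resealed_wrong_key": verify_hmac(seal_hmac(TAMPERED, b"guess"), KEY),
        "detached_original": verify_detached(ORIGINAL, trusted),
        "detached_tampered": verify_detached(TAMPERED, trusted),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The HMAC only helps if the key is somewhere the person editing the file cannot read it; a key embedded in the client application can be extracted, in which case the detached digest or a signature verified with a public key is the stronger choice.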
