-
January 25th, 2006, 02:52 PM
#1
Member
Which one? MD5? SHA-1?
Hi All,
I have an application which needs to store some information in a configuration file.
We decided to encrypt the information with an algorithm that is commonly used across the company.
I thought it would be best if we insert some kind of checksum validation so we can know if the file has been tampered. When I started looking at this issue, first I thought of MD5. Then I read some more and I found that some people say that collisions may happen with this algorithm, which make it less secure. Then I turned to SHA-1, but again looks like it may have flaws, since it is a variation of SHA.
Any thoughts on the way we should handle this?
Thanks and Cheers!!
-
January 25th, 2006, 04:27 PM
#2
Junior Member
MD5 is broken.
SHA1 is not bad
TTH is just sweet
Tiger/160 should do nicely imho
http://en.wikipedia.org/wiki/Tiger_%28hash%29
-
January 25th, 2006, 04:55 PM
#3
Member
Thanks Helena!
While peeking around, I found this interesting.
I didn't know of many ways of doing this.
Since I am most confortable with C#, I will use the C# implementation found here, and currently attached to this post.
Once again, thanks!
-
January 25th, 2006, 05:02 PM
#4
Re: Which one? MD5? SHA-1?
What encryption algorithm are you using? It might already contain some sort of checksum validation..
http://en.wikipedia.org/wiki/Digital_signature
Oliver's Law:
Experience is something you don't get until just after you need it.
-
January 25th, 2006, 05:26 PM
#5
Member
Hi SirDice!
Thank you for replying.
Well, actually the algorithm is very old, it is a basic thing for scrambling things. To my opinion it is very weak. I believe former developers found it somewhere and implemented because it was better than nothing. And mostly because Visual Basic code was available It does not do any kind of validation. Just scrambles the information with a key.
I proposed to change the algorithm but I found a huge amount of resistance, because it is implemented everywhere.
Since my desire of improving security is not diminished, I thought of adding some kind of checksum to detect when "malintentioned users" are trying to use different configurations and see what works and what doesnt.
Thanks, and cheers!
-
January 26th, 2006, 12:18 AM
#6
If you want to detect tempering, you don't want just a hash, you want a signature...
(Unless you're sotreing the hash seperately in a tripwire way...)
Ammo
Credit travels up, blame travels down -- The Boss
-
January 26th, 2006, 03:44 AM
#7
http://www.cryptography.com/cnews/hash.html
Note that MD5-HMAC is somewhat unaffected by the vulnerability. Also, the hashing collisions have been discussed elsewhere here.
Your best bet is a newer algorithm such as SHA-256.
Chris Shepherd
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
\"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?\" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?
-
January 26th, 2006, 07:09 PM
#8
Member
Hi Ammo!
Thanks for replying.
If you want to detect tempering, you don't want just a hash, you want a signature...
(Unless you're sotreing the hash seperately in a tripwire way...)
I was thinking in storing the hash elsewhere. This configuration file will be generated by us, and we want to detect if someone is trying to change config files to elevate privileges or to access servers other than we want them to access. If the application detects that someone tried to change the files, it will send a notification directly to us.
To be honest, I didn't know that this was called 'tripwire'
Thanks!
-
January 26th, 2006, 08:07 PM
#9
Member
Hi Csch!
Thanks for replying
Your best bet is a newer algorithm such as SHA-256.
I went here and found some VB6 source code for SHA256. I converted it to VB.Net 2003, and attached it to this post.
I double checked the final VB.Net app with this site.
Looks like we'll be using SHA256 after all
Thanks heaps.
-
January 27th, 2006, 04:56 PM
#10
All,
NIST has said that government agencies should no longer use MD5. While still a very valid method of proving the integrity of a file, it has been proven vulnerable to attack. Use it at your own risk.
Antionline in a nutshell
\"You\'re putting the fate of the world in the hands of a bunch of idiots I wouldn\'t trust with a potato gun\"
Trust your Technolust
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|