ant-dev mailing list archives

From Martijn Kruithof ...@kruithof.xs4all.nl>
Subject Re: cvs commit: ant/docs/manual/CoreTasks checksum.html
Date Wed, 16 Feb 2005 19:10:09 GMT
Dominique Devienne wrote:

>>From: Stefan Bodewig [mailto:bodewig@apache.org]
>>
>>On Wed, 16 Feb 2005, Dominique Devienne <DDevienne@lgc.com> wrote:
>>
>>>You mean that the MD5 and SHA-1 digests computed by the JDK-provided
>>>libraries didn't generate the canonical values of these digests?
>>>
>>No, broken as in "successfully attacked".
>>
>>It is possible to create a file that matches the checksum you've
>>created, but is different from the original without using a
>>brute-force algorithm.
>>
>>The way to attack MD5 turns out to be rather easy while the way to do
>>it for SHA-1 still involves using a lot of CPU cycles.
>
>But can the forged file with identical MD5 masquerade as the original
>file, i.e. still be a Zip file, or tar'd gzipped or bzipped file?
>
>Sure, what you describe sounds bad, but I'm trying to figure out
>(without too much research of my own ;-) if it's a real problem in
>practice. --DD
>
Would it be feasible to publish, instead of just the SHA-1, all of the 
SHA-1, MD5 and the size of the file?

Is modifying a file while fulfilling all of the following conditions:
- the file format valid
- the size the same
- the SHA-1 the same
- the MD5 the same
- the working of ant not obviously broken
practically possible?

And would it be worth the while to spend that much effort on forging it 
on the ant distribution (in the release timeframe)?

It seems to me the vulnerability of the ant project is not in the 
hashes. (so maybe provide more hashes + size)

Martijn
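
The check proposed in this message (size, MD5 and SHA-1 all verified together), sketched as an added example that is not part of the original post or of Ant's own code. The names `fingerprint`, `verify`, `verify_bytes` and `PUBLISHED` are hypothetical, and the three-byte "release" is a constructed sample.

```python
import hashlib
import hmac
import io

def fingerprint(stream, chunk_size=64 * 1024):
    """Read the stream once and return its size, MD5 and SHA-1."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        size += len(chunk)
        md5.update(chunk)
        sha1.update(chunk)
    return {"size": size, "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def verify(stream, published):
    """Return the published fields the stream fails to match.

    Every field must match; a field missing from `published` counts as a
    failure, so dropping a value from the manifest cannot weaken the check.
    """
    actual = fingerprint(stream)
    failed = []
    for field in ("size", "md5", "sha1"):
        want = str(published.get(field)).lower()
        got = str(actual[field])
        if not hmac.compare_digest(want.encode(), got.encode()):
            failed.append(field)
    return failed

def verify_bytes(data, published):
    """Convenience wrapper for in-memory data."""
    return verify(io.BytesIO(data), published)

# Constructed sample: the "release" is the three bytes b"abc".
PUBLISHED = {
    "size": 3,
    "md5": "900150983cd24fb0d6963f7d28e17f72",
    "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d",
}

if __name__ == "__main__":
    print(verify_bytes(b"abc", PUBLISHED))   # genuine download
    print(verify_bytes(b"abd", PUBLISHED))   # same size, altered content
    print(verify_bytes(b"abcd", PUBLISHED))  # altered size and content
```

The published values only help if they reach the user over a channel separate from the download itself; a manifest served next to a replaced file can be replaced with it.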


