ant-dev mailing list archives

From "Dominique Devienne" <DDevie...@lgc.com>
Subject RE: cvs commit: ant/docs/manual/CoreTasks checksum.html
Date Wed, 16 Feb 2005 16:28:36 GMT
> From: Stefan Bodewig [mailto:bodewig@apache.org]
> 
> On Wed, 16 Feb 2005, Dominique Devienne <DDevienne@lgc.com> wrote:
> 
> > You mean that the MD5 and SHA-1 digests computed by the JDK-provided
> > libraries didn't generate the canonical values of these digests?
> 
> No, broken as in "successfully attacked".
> 
> It is possible to create a file that matches the checksum you've
> created, but is different from the original without using a
> brute-force algorithm.
> 
> The way to attack MD5 turns out to be rather easy while the way to do
> it for SHA-1 still involves using a lot of CPU cycles.

But can the forged file with identical MD5 masquerade as the original
file, i.e. still be a Zip file, or tar'd gzipped or bzipped file?

Sure, what you describe sounds bad, but I'm trying to figure out
(without too much research of my own ;-) if it's a real problem in
practice. --DD
