[DUG] Sending a file and verifying the data

Jeremy North jeremy.north at gmail.com
Wed Jan 28 16:08:38 NZDT 2009 

Doing a project to connect to a government service at the moment and
it requires SHA 256 hashing.

Streamsec have all you could want (http://www.streamsec.com) and this
is the library I am using. A free (and unsupported) alternative is
DCPcrypt Cryptographic Component Library.
(http://www.cityinthesky.co.uk/cryptography.html).

Any hash from SHA-2 is considered the best option.

cheers,
Jeremy

On Wed, Jan 28, 2009 at 2:03 PM, John Bird <johnkbird at paradise.net.nz> wrote:
> Looks like MD5 hashes are deprecated now....there has been security papers
> about possible generation of any MD5 hashed data using large
> computation.....(they used 200 networked PS3's if I recall) sometime around
> Xmas.
>
> It caused a bit of a scare in the browser communities (IE/Firefox etc) as
> some of the SSL certificate authorities such as Comodo or a subsidiary
> thereof rely on MD5, although most have now switched to using SHA hashes.
> The worry was that while some recognised certificate vendors were still
> using MD5 there was the posssibility they could validate any site
> certificate even if they were using other hashes by supplying a valid MD5
> verifification I understand.
>
> see
>
> http://www.heise-online.co.uk/security/25C3-MD5-collisions-crack-CA-certificate--/news/112327
>
>
> "The infrastructure of Certification Authorities is meant to prevent this
> kind of attack, but despite warnings, some root CAs are still using MD5,
> leaving people potentially exposed to the possibility of forged
> certificates. The team found the following CAs still using MD5; RapidSSL,
> FreeSSL, TC TrustCenter AG, RSA Data Security, Thawte and verisign.co.jp.
> They collected 30,000 certificates and found 9,000 of them were signed with
> MD5 and of them, 97 per cent were issued by RapidSSL. Because of this and
> other attributes of RapidSSL's procedures, such as use of sequential serial
> numbers in issued certificates, the researchers examined RapidSSL's
> certificates in greater depth.
>
> By purchasing a certificate and then getting it reissued a number of times,
> data allowing prediction of the serial number was obtained, allowing the
> researchers to generate the certificate data to be signed over the course of
> just a few days. The predicted serial number was then passed to the
> Playstation 3 cluster which was asked to calculate both legitimate
> certificate data and bogus certificate data, which when MD5 hashed, would
> collide. When it came to the time the predicted serial number would be used
> by the CA, the researchers purchased a new legitimate certificate, hoping to
> get a certificate with the same serial number as they had predicted. It took
> four attempts to get the methodology to work and actually get a certificate
> with the same serial number, but the signature of the issued certificate was
> now valid on the bogus colliding certificate because of the MD5 collision."
>
> I understand RapidSSL hurriedly switched in January...
>
> I presume this means for Delphi its a good idea to use something
> else.....what do others use?
>
> John
>
>> This popped up on DelphiFeeds.com today
>> http://delphi.about.com/od/objectpascalide/a/delphi-md5-hash.htm
>>
>
> _______________________________________________
> NZ Borland Developers Group - Delphi mailing list
> Post: delphi at delphi.org.nz
> Admin: http://delphi.org.nz/mailman/listinfo/delphi
> Unsubscribe: send an email to delphi-request at delphi.org.nz with Subject: unsubscribe
>

More information about the Delphi mailing list