ant-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dominique Devienne" <>
Subject RE: cvs commit: ant/docs/manual/CoreTasks checksum.html
Date Wed, 16 Feb 2005 16:28:36 GMT
> From: Stefan Bodewig []
> On Wed, 16 Feb 2005, Dominique Devienne <> wrote:
> > You mean that the MD5 and SHA-1 digests computed by the JDK-provided
> > libraries didn't generate the canonical values of these digests?
> No, broken as in "sucessfully attacked".
> It is possible to create a file that matches the checksum you've
> created, but is different from the original without using a
> brute-force algorithm.
> The way to attack MD5 turns out to be rather easy while the way to do
> it for SHA-1 still involves using a lot of CPU cycles.

But can the forged file with identical MD5 masquerade as the original
file, i.e. still be a Zip file, or tar'd gzipped or bzipped file?

Sure, what you describe sounds bad, but I'm trying to figure out
(without too much research of my own ;-) if it's a real problem in
practice. --DD

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message