On Wed, 16 Feb 2005, Dominique Devienne <[EMAIL PROTECTED]> wrote:

> But can the forged file with identical MD5 masquerade as the
> original file, i.e. still be a Zip file, or tar'd gzipped or bzipped
> file?

Yes. At least for ZIP it would be easy. Just add as much data as you need to external attributes - and unzip will talk about skipping unknown external attributes, which is quite common.

For MD5, that is. Creating collisions for SHA-1 still is a major task, that's why I've written that you should research on your own whether the algorithm meets your needs.

To answer Martijn, even though I'm no crypto expert, I think it would be very hard to forge SHA-1 and MD5 at the same time. Forging the MD5 and keeping the file size is possible IIRC.

If you use <checksum> to keep track of files that have changed (like the <modified> selector) or just want to verify the download over a secure link was OK, MD5 is still fine.

Stefan
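
An added example, not part of Stefan's message or of Ant: a Python check that lists ZIP extra fields with an unknown header ID or an unusual size, which is where padding of the kind described above would show up. It assumes the "external attributes" in the reply are ZIP extra fields; `KNOWN_IDS`, `MAX_FIELD_LEN` and the sample archive are constructed for illustration.

```python
import io
import struct
import zipfile

# Header IDs treated as expected (assumed allow-list, extend for your archives):
# 0x0001 Zip64, 0x000a NTFS, 0x5455 timestamp, 0x7875 Unix UID/GID, 0xcafe JAR
KNOWN_IDS = {0x0001, 0x000A, 0x5455, 0x7875, 0xCAFE}
MAX_FIELD_LEN = 64  # assumed threshold; ordinary extra fields are far smaller


def parse_extra(extra):
    """Split an extra-field blob into (header_id, payload) records."""
    records, pos = [], 0
    while pos + 4 <= len(extra):
        header_id, size = struct.unpack_from("<HH", extra, pos)
        payload = extra[pos + 4:pos + 4 + size]
        if len(payload) < size:
            raise ValueError("truncated extra field 0x%04x" % header_id)
        records.append((header_id, payload))
        pos += 4 + size
    if pos != len(extra):
        raise ValueError("trailing bytes after last extra field")
    return records


def suspicious_entries(zip_bytes):
    """Return (name, header_id, length, reason) for each field worth a look."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            for header_id, payload in parse_extra(info.extra):
                if header_id not in KNOWN_IDS:
                    reason = "unknown id"
                elif len(payload) > MAX_FIELD_LEN:
                    reason = "oversized"
                else:
                    continue
                findings.append((info.filename, header_id, len(payload), reason))
    return findings


def build_sample(extra=b""):
    """Constructed sample archive: one entry carrying the given extra field."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("build.xml")
        info.extra = extra
        zf.writestr(info, "<project/>")
    return buf.getvalue()
```

`zipfile` exposes the central-directory copy of the extra field, so local-header extras and bytes appended after the end-of-central-directory record need their own check.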