John Kaster

Behind the Screen

MD5 hash on CodeCentral downloads


All internal stored downloads in CodeCentral now have an MD5 hash value, so you can use that value to validate your download.

In the Details section of the download, you’ll see something like this:

Updated on Tue, 25 Sep 2007 13:26:55 GMT
Originally uploaded on Tue, 25 Sep 2007 07:51:10 GMT
MD5 Hash: 7ACEF4E7E2A223B59F92070039FD1947

If you don’t already have an MD5 utility, you should be able to use this CodeCentral Delphi download to compute the hash of your file and compare it against that value.

This request was made long ago on our newsgroups. I’m glad to finally mark this one “Done”.
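One way to script the check described above, as an added example that is not from the original post or from CodeCentral: it reads the "MD5 Hash:" line from pasted Details text, hashes the downloaded file in chunks, and compares the two. The function names and sample file contents are assumptions. SHA-256 is computed in the same pass, since an MD5 match shows the transfer is intact but, as the comments below note, MD5 collisions are practical.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Matches the "MD5 Hash:" line as shown in the Details section quoted above.
_DETAILS_MD5 = re.compile(r"^\s*MD5 Hash:\s*([0-9A-Fa-f]{32})\s*$", re.MULTILINE)


def published_md5(details_text):
    """Extract the published MD5 from pasted Details text; None if absent or malformed."""
    m = _DETAILS_MD5.search(details_text)
    return m.group(1).lower() if m else None


def file_digests(path, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Hash the file once, in chunks, with every requested algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_download(path, details_text):
    """Return (ok, digests); ok is False if no valid hash was published or it differs."""
    expected = published_md5(details_text)
    digests = file_digests(path)
    ok = expected is not None and hmac.compare_digest(digests["md5"], expected)
    return ok, digests


def demo():
    # Constructed sample: stand-in files and a Details block in the page's format.
    details = (
        "Updated on Tue, 25 Sep 2007 13:26:55 GMT\n"
        "MD5 Hash: 5EB63BBBE01EEED093CB22BB8F5ACDC3\n"
    )
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp, "download.zip")
        good.write_bytes(b"hello world")
        bad = Path(tmp, "truncated.zip")
        bad.write_bytes(b"hello worl")  # simulates an incomplete transfer
        return verify_download(good, details)[0], verify_download(bad, details)[0]


if __name__ == "__main__":
    print(demo())
```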


Written by John Kaster

May 4, 2009 at 2:50 pm

Posted in Delphi, EDN

5 Responses


  1. Given that MD5 is broken, maybe consider SHA instead or in addition? There are numerous examples of different PDFs with the same MD5 about.

    jorge almeida

    May 5, 2009 at 5:18 am

  2. LOL. I was wondering how long it would take for someone to ask for SHA1 instead. Not long, evidently! Fortunately Dean’s utility supports SHA1 as well. We’ll get around to using SHA1 instead, but that’s not a priority right now.

    John Kaster

    May 5, 2009 at 8:06 am

  3. SHA-1 is also not recommended for much longer because SHA-1 is also broken (http://www.schneier.com/blog/archives/2005/02/sha1_broken.html and http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html). Security is a moving target. Might as well be proactive and make it SHA-2 or something that hasn’t yet been broken.

    MD5 has been broken since 2004. There are many practical exploits against it. One not too long ago where two SSL certs had the same MD5 hash (http://www.win.tue.nl/hashclash/rogue-ca/), and hence were functionally equivalent. The old maxim “Once significant weaknesses against a cryptographic primitive have been exposed it should be no longer used” comes to mind.

    jorge almeida

    May 5, 2009 at 11:11 am

  4. SHA-1 is not recommended for much longer because SHA-1 was also broken 4 years ago (http://www.schneier.com/blog/archives/2005/02/sha1_broken.html and http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html). Security is a moving target. Might as well be proactive and make it SHA-2 or something that hasn’t yet been broken.

    MD5 has been broken since 2004. There are many practical exploits against it. One not too long ago where two SSL certs had the same MD5 hash (http://www.win.tue.nl/hashclash/rogue-ca/), and hence were functionally equivalent. The old maxim “Once significant weaknesses against a cryptographic primitive have been exposed it should be no longer used” comes to mind.

    jorge almeida

    May 5, 2009 at 11:59 am

  5. Jorge, we generate these values only as a reference for our users. I don’t think SHA-2 is that widely adopted yet.

    John Kaster

    October 21, 2009 at 2:25 pm

