Doing a project to connect to a government service at the moment and it requires SHA 256 hashing.
Streamsec have all you could want (http://www.streamsec.com) and this is the library I am using. A free (and unsupported) alternative is DCPcrypt Cryptographic Component Library (http://www.cityinthesky.co.uk/cryptography.html). Any hash from SHA-2 is considered the best option.

cheers,
Jeremy

On Wed, Jan 28, 2009 at 2:03 PM, John Bird <johnkb...@paradise.net.nz> wrote:
> Looks like MD5 hashes are deprecated now....there have been security papers about possible generation of any MD5 hashed data using large computation.....(they used 200 networked PS3's if I recall) sometime around Xmas.
>
> It caused a bit of a scare in the browser communities (IE/Firefox etc) as some of the SSL certificate authorities such as Comodo or a subsidiary thereof rely on MD5, although most have now switched to using SHA hashes. The worry was that while some recognised certificate vendors were still using MD5 there was the possibility they could validate any site certificate even if they were using other hashes by supplying a valid MD5 verification I understand.
>
> see
>
> http://www.heise-online.co.uk/security/25C3-MD5-collisions-crack-CA-certificate--/news/112327
>
> "The infrastructure of Certification Authorities is meant to prevent this kind of attack, but despite warnings, some root CAs are still using MD5, leaving people potentially exposed to the possibility of forged certificates. The team found the following CAs still using MD5; RapidSSL, FreeSSL, TC TrustCenter AG, RSA Data Security, Thawte and verisign.co.jp. They collected 30,000 certificates and found 9,000 of them were signed with MD5 and of them, 97 per cent were issued by RapidSSL. Because of this and other attributes of RapidSSL's procedures, such as use of sequential serial numbers in issued certificates, the researchers examined RapidSSL's certificates in greater depth.
>
> By purchasing a certificate and then getting it reissued a number of times, data allowing prediction of the serial number was obtained, allowing the researchers to generate the certificate data to be signed over the course of just a few days. The predicted serial number was then passed to the Playstation 3 cluster which was asked to calculate both legitimate certificate data and bogus certificate data, which when MD5 hashed, would collide. When it came to the time the predicted serial number would be used by the CA, the researchers purchased a new legitimate certificate, hoping to get a certificate with the same serial number as they had predicted. It took four attempts to get the methodology to work and actually get a certificate with the same serial number, but the signature of the issued certificate was now valid on the bogus colliding certificate because of the MD5 collision."
>
> I understand RapidSSL hurriedly switched in January...
>
> I presume this means for Delphi it's a good idea to use something else.....what do others use?
>
> John
>
>> This popped up on DelphiFeeds.com today
>> http://delphi.about.com/od/objectpascalide/a/delphi-md5-hash.htm
>
> _______________________________________________
> NZ Borland Developers Group - Delphi mailing list
> Post: delphi@delphi.org.nz
> Admin: http://delphi.org.nz/mailman/listinfo/delphi
> Unsubscribe: send an email to delphi-requ...@delphi.org.nz with Subject: unsubscribe