[REQ] Sha-1 support

[icfu]

Well, CRC is completely unsecure anyway, MD5 is proven to be unsecure since August 2004, see url=http://eprint.iacr.org/2004/199.pdf, so it's getting time to include "at least" Sha-1 support.

Icfu

[Sheepdog]

Hi icfu,

your link is broken. And what do you mean CRC and MD5 is unsecure? Du you mean onecould (easily) change the file and still get the same CRC and/or MD5 checksum?

And what is Sha-1? A link would be great

sheepdog

[icfu]

Always the same forum bug, comma and dot directly behind a link is included in the link. I have removed it, thx...

Du you mean onecould (easily) change the file and still get the same CRC and/or MD5 checksum?

Yep. With MD5 it's not as easy as for CRC, though. Anyway, it's possisble so you can't trust it, never.

Information about SHA from the world's best WIKI project:
http://en.wikipedia.org/wiki/SHA-1
http://de.wikipedia.org/wiki/SHA-1

Icfu

[Sheepdog]

Thanks for the links.

Anyway, it's possisble so you can't trust it, never.

But it's not probable by chance. So for detecting transfer errors it's still usable I think.



sheepdog

[icfu]

But it's not probable by chance. So for detecting transfer errors it's still usable I think.

For detecting transfer errors even CRC is enough.

The chance that a download is corrupted by accident and the resulting file has the same hash is extremely unlikely.

Icfu

[norfie]

Always the same forum bug, comma and dot directly behind a link is included in the link.

It's not a bug - I suppose only (white) spaces delimit a link and normal text (because a regular link could contain a comma and other characters). Alternativ you could use the "[url]" tag.

[JackFoo]

MD5 is insecure in cryptographic applications, there is no reason not to use MD5 for file checksums. Check on the inet, there are several CRC32 making programs that create files matching a given sum, that can't be said for MD5 (and for a good reason) even with MD5's weakness I can't see a time when such a program will exist for it (maybe in 20 years?). That aside you can try my sha256h tool, it can be used within TC. (sha256 is sha1 with 256bits output)

http://ghisler.ch/board/viewtopic.php?t=1261

Cheers.

[icfu]

It's not a bug - I suppose only (white) spaces delimit a link and normal text (because a regular link could contain a comma and other characters).

URLs do neither contain dots nor commas at the end so to include them in URL is a forum bug. There are enough phpBB forums out there with correct URL handling. I suppose it's just a missing update.

Alternativ you could use the "[url]" tag.

That's exactly the only way to fix it and as you can see it was already done.

@JackFoo:
I am using dsSHA from http://members.ozemail.com.au/~nulifetv/freezip/freeware/. It's only 7kb GUI app and fits my needs, simple Drag&Drop. Anyway, thx for your app, good to have a command line app, too.

Icfu

[ghisler(Author)]

2icfu
Is there any standard for SHA checksums similar to the md5 checksums? If yes,
- what is the file layout?
- what file name and extension are used?

TC already includes SHA1 functions for secure ftp logins (not encrypted, only secure password), so it wouldn't be too difficult to add SHA1 support.

[JackFoo]

A small correction, SHA-1 is a different function and isn't the same as SHA256 or otherwise known as SHA-2 with 256bit output (SHA-1 outputs 160 bits), IIRC SHA-2 was created by NIST to strengthen SHA-1. FTP logins as Christian pointed use SHA-1, mainly because the RFCs are outdated and no-one cares to change the protocols and due to the fact that stronger function isn't needed.

Christian:
There are no standards for SHA (1 nor 2) checksum file formats, some programs support SHA checksum but there is no defined format, some use the simple [hash filename] format others [hash ?hashtype*filename] and I would guess there are many others... there is definitely no file extension defined.

That said I don't even know if there is any application (non-cryptographic) that uses SHA for file checksums.

Cheers.

[Maxwish]

Well, after Christian implements it there will!
Will be an interesting test case to see what influence TC can have ....

BTW:
here's an example (googled)
http://www.gnupg.org/(en)/download/integrity_check.html#sha1sum

here's how MS uses it:
http://support.microsoft.com/?kbid=841290

stores it in XML

Code: Select all

<?xml version="1.0" encoding="utf-8"?>
<FCIV>
	<FILE_ENTRY><name>readme.txt</name><SHA1>L+OY8evO0WYIc2JiYkG5Xv6qtAc=</SHA1></FILE_ENTRY></FCIV>

[icfu]

what is the file layout?

Files should have a simple structure so no XML please.
First link of Maxwish shows the best solution:

checksum pathtofile

Checksum first because this makes the file look structured and ordered.

what file name and extension are used

filename.sha

or

filename.sha1
filename.sha256
etc...

They are all unused so no collisions expected.

Icfu

[norfie]

Checksum 0.2b

Checksum 0.2b

Provides MD5 and SHA1 checksum generator/checker from within Total Commander packer interface. It is able to generate ".md5" and ".sha" list files acceptable by GNU respectively md5sum and sha1sum utilities. There is also
'virtual' browser for these list files. You can "enter" into listing as it were archive, test it and use Lister to see original/computed MD5/SHA1 checksums ...

[Hacker]

http://www.schneier.com/blog/archives/2005/02/sha1_broken.html

Roman

[icfu]

Oh Jesus, these are the same scientists that already had broken MD5, see my first link to the PDF, is this their hobby or what?

Ok, Sha-1 is dead, thanks Hacker.

Icfu