Tim Callan's SSL Blog
SearchSecurity - VeriSign addresses MD5 flaws
Wiki - MD5
MD5 considered harmful today
The truth about the new attack on MD5 signatures
I guess for development purposes, it's ok for using MD5 based finger print/digital signature. We should now avoid using MD5 to perform critical application level hashing to prevent potential security issues. SHA-1 apparently is a better choice now even though it is theoretically vulnerable to the same issue albeit requires more significant processing power to do the trick.
Note that iKeyMan GUI, runmqckm (MQ 6.0) and Java keytool program uses MD5 as default signing algorithm.
For Java keytool, you can use the -sigalg SHA1withRSA option to override the default.
For strmqikm and runmqckm (MQ 7.0 uses sha1 by default, check here ), you can use GSKCapiCmd instead because it allows the specification of -sigalg sha1 to use SHA-1 algorithm
There's another way I found from the comments:
Option B is to acquire any IBM Java 6 JRE, add the IBMCMSKS provider to
java.security, and use the bundled ikeycmd or your /bin/gsk7cmd with
JAVA_HOME pointing at the new JRE -- sig_alg will be accepted there as well.
--
Eric Covener
Posts
you have a nice site. thanks for sharing this site. you can download lots of ebook from here
ReplyDeletehttp://feboook.blogspot.com
hi
ReplyDeleteIts really interesting to know about Using SHA-1 as message digest algorithm instead of MD5.you guess for development purposes, it's ok for using MD5 based finger print/digital signature. you should now avoid using MD5 to perform critical application level hashing to prevent potential security issues.Thanks for sharing such an informtion rich blog.
ReplyDeletedigital signature certificate