In one of my softwares i have to prove that the xml output given is authentic.
So i simply take secret known by my counterpart and me, add it to the xml string and use a md5 to sign the xml stuff. No more.
It is possible to create "doppelganger" blocks in documents or binaries that don’t change the md5 of it. So my opponent simply takes my xml, changes the main information and still has the proof that i am the one to blame.
So good bye md5, it was a nice time we had, but somehow my life went further and you don’t fit in any more. Just a short time-out. Let’s see us two as – eh – friends. No, the other hash (sha1, that is) i am living with now has nothing to do with it. It’s just the feeling that i can’t trust you anymore.
PS: PHP supports sha1 since 4.3, MySQL does not until now, but that should be easy (hartmut? weigon? ulf? anyone? ;-)