I need to generate a checksum over a dictionary. Keys and Values.

Is there any simple way to accomplish this in an iterative way?

foreach(var item in dic.Keys) checksum += checksum(dic[item]) + checksum(item);

In this case, keys and values could be converted to strings, concatenated and then a single checksum applied over these, but is there a better way?

Ideally MD5 but other options could work. Using this to validate data that is passed over a couple of storage methods. The checksum is then encrypted along with some other information (using AES) so I am not horribly worried about an ideal, unbreakable checksum.

A: 

Answered my own question I think....

GetHashCode() on each item. Add them in an unchecked {} environment. Too simple.

Andrew Robinson
You do realize basically you're expecting addresses in memory to match between signer and verifier, right?
Remus Rusanu
It depends on how strong you want the checksum to be. If you want a cryptographically strong checksum then this will not work, since GetHashCode() is *not* cryptographically strong, so MD5 or SHA1 or whatever *of GetHashCode()* won't be strong, either. If you just want a checksum for hashing purposes then, of course, that's exactly what GetHashCode() is for.
Evgeny
+3  A: 

Generating a signature is pretty much the same process all over: create an MD5 hash object, then you digest all the bytes of interest, then you extract the hash value. The important thing is that you and the verifier agree on the bytes to hash and on the order they are hashed.

In C# you can achieve this by calling HashAlgorithm.TransformBlock repeatedly, and then finally calling HashAlgorithm.TransformFinalBlock. This is automated by using a CryptoStream with a HashTransform (MD5 implements ICryptoTransform) and then simply writing your dictionary into the crypto stream.

As a side note, countless protocols and crypto schemes that digest a hash and encrypt it were humiliated in the wild. I would suggest taking the beaten path and using well established industry standards:

  • Use a HMAC, see HMACMD5
  • Use an RSA signature (i.e. private key encryption of an MD5 hash), and save yourself from all key provisioning and master secret exchange problems, see RSACryptoServiceProvider.SignHash
Remus Rusanu
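
An added example, not part of the original answer: one way to make signer and verifier agree on the bytes and their order, using TransformBlock/TransformFinalBlock on an HMAC. It assumes a string-to-string dictionary with non-null values and a modern .NET runtime, and uses HMACSHA256 in place of HMACMD5 (same base-class API); the class name, the length-prefixed encoding and the demo key are choices made for this sketch.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class DictionaryMac
{
    // Feed one field as a 4-byte little-endian length followed by its UTF-8 bytes,
    // so ("ab", "c") and ("a", "bc") cannot produce the same byte stream.
    static void Feed(HashAlgorithm h, string s)
    {
        byte[] data = Encoding.UTF8.GetBytes(s);
        byte[] len = BitConverter.GetBytes(data.Length);
        if (!BitConverter.IsLittleEndian) Array.Reverse(len);
        h.TransformBlock(len, 0, len.Length, null, 0);
        h.TransformBlock(data, 0, data.Length, null, 0);
    }

    public static byte[] Compute(IDictionary<string, string> dic, byte[] key)
    {
        using var hmac = new HMACSHA256(key);
        // Dictionary enumeration order is unspecified, so fix the order:
        // an ordinal sort of the keys is culture-independent on both sides.
        foreach (string k in dic.Keys.OrderBy(x => x, StringComparer.Ordinal))
        {
            Feed(hmac, k);
            Feed(hmac, dic[k]);
        }
        hmac.TransformFinalBlock(Array.Empty<byte>(), 0, 0);
        return hmac.Hash;
    }

    // Constant-time comparison so verification does not leak how many bytes matched.
    public static bool Verify(IDictionary<string, string> dic, byte[] key, byte[] tag) =>
        CryptographicOperations.FixedTimeEquals(Compute(dic, key), tag);

    static void Main()
    {
        byte[] key = Encoding.UTF8.GetBytes("constructed-demo-key"); // constructed sample key
        var a = new Dictionary<string, string> { ["user"] = "alice", ["role"] = "admin" };
        var b = new Dictionary<string, string> { ["role"] = "admin", ["user"] = "alice" };
        byte[] tag = Compute(a, key);
        Console.WriteLine(Verify(b, key, tag)); // same content, different insertion order
        b["role"] = "guest";
        Console.WriteLine(Verify(b, key, tag)); // tampered value
    }
}
```

Summing per-item hashes, by contrast, is order-independent only because addition commutes, and it lets items cancel or be swapped between keys and values without changing the total.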
A: 

You should not be writing any new code relying on MD5. It's deprecated, and for some extremely solid reasons. You should look at SHA-256, or at the very least SHA-1, instead.

And you should take Remus' advice. Cryptography + hashes = digital signatures. Pull something down off a shelf (just not XML-Security, please!), learn it, use it, and get on to other interesting parts of your project.

Jason
It's not unheard of with cryptographic hashes to make a hash of hashes in order to get a single item that stands in for a group of items. You should know however that you're basically doubling down on the strength of the hash. The attacker now has two chances to fiddle with your tamper detection.
Jason