Adding MD5CryptoServiceProvider hash to an XMLSerializer.Serialize

Guest

How can I add an MD5 hash to XMLSerializer.Serialize without corrupting the
content of the file, and then how can I read it back to verify it is correct?

I'd like to code up something (see below) that looks like this, but I'm not
sure this is the correct approach to the problem. Once I add the signature, the
file won't test the same way again. I know I could add it to the bottom of
the file, but then everyone would have to know my algorithm for correct
computation. It seems to me there should be a standard way to do this.

Example (ignore coding errors, I'm after the logic)

XmlSerializer xs = new XmlSerializer(class types);
FileStream fs = new FileStream(Create, Write, None);

xs.Serialize (fs, class types)

AddMD5(fs); <-- How to implement?

function AddMD5( FileStream )
{
    MD5CryptoServiceProvider md5 = new MD5CryptoServiceProvider();
    using (FileStream fs = new FileStream( fs ))
        hash = md5.ComputeHash(fs);

    -->> Add hash to filestream
}

function VerifyMD5 ( FileStream )
{
    // nothing will match, without custom algorithm
}

Any help would be appreciated.

Jim
I'm not even sure this is the correct approach to this problem.
 
rossum

1. MD5 is not recommended for new applications; SHA-256 is more secure.

2. The hash is a fixed length, so you can create a new file with the
hash at the front:

Create:
    make Serialize file
    calculate hash
    write hash to new file
    append Serialize file to hash file

Verify:
    open hash file
    read fixed length hash
    copy remainder to temporary file or memory
    calculate hash of temporary file
    if hashes match then
        deserialize temporary file
    else
        delete temporary file
        flag error
    endif

Depending on how secure you want to be, you may need to use
hash(hash(Serialized)) to avoid length extension attacks.

rossum
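
The create/verify steps outlined in the reply above, as an added C# example that is not code from the thread or its posters, using SHA-256 as the reply suggests and keeping the payload in memory rather than a temporary file. It assumes .NET 5 or later; the `Order` type, the `HashedXmlFile` class and the `order.hxml` file name are made up for illustration.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Xml.Serialization;

public class Order { public int Id; public string Item; }  // constructed sample type

// File layout: [32-byte SHA-256 of payload][payload = serialized XML].
// An unkeyed hash detects accidental change; it does not authenticate the sender.
public static class HashedXmlFile
{
    const int HashLen = 32;  // SHA-256 digest size in bytes

    // Create: serialize, hash the serialized bytes, write hash followed by payload.
    public static void Save<T>(string path, T value)
    {
        using var ms = new MemoryStream();
        new XmlSerializer(typeof(T)).Serialize(ms, value);
        byte[] payload = ms.ToArray();
        byte[] hash = SHA256.HashData(payload);
        using var fs = new FileStream(path, FileMode.Create, FileAccess.Write, FileShare.None);
        fs.Write(hash, 0, hash.Length);
        fs.Write(payload, 0, payload.Length);
    }

    // Verify: read the fixed-length hash, re-hash the remainder, deserialize only on a match.
    public static T Load<T>(string path)
    {
        byte[] all = File.ReadAllBytes(path);
        if (all.Length < HashLen) throw new InvalidDataException("File is shorter than the hash prefix.");
        byte[] stored = all.Take(HashLen).ToArray();
        byte[] payload = all.Skip(HashLen).ToArray();
        if (!SHA256.HashData(payload).SequenceEqual(stored))
            throw new InvalidDataException("Hash mismatch: payload is not what was written.");
        using var ms = new MemoryStream(payload);
        return (T)new XmlSerializer(typeof(T)).Deserialize(ms);
    }
}

public static class Program
{
    public static void Main()
    {
        string path = Path.Combine(Path.GetTempPath(), "order.hxml");
        HashedXmlFile.Save(path, new Order { Id = 7, Item = "widget" });
        Console.WriteLine(HashedXmlFile.Load<Order>(path).Item);
        byte[] bytes = File.ReadAllBytes(path);
        bytes[bytes.Length - 1] ^= 0x01;  // simulate a byte damaged in transfer
        File.WriteAllBytes(path, bytes);
        try { HashedXmlFile.Load<Order>(path); }
        catch (InvalidDataException e) { Console.WriteLine(e.Message); }
    }
}
```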
 
Guest

Hi Rossum,

Thanks for the response. This didn't quite answer my question. I should
have stated a few requirements up front: I'm not after security, but rather I
just want to be sure the file I "just" transferred looks the same as the file
I'm holding.

Second, I don't want to implement a custom solution. I could have added the
hash at the end of the file and read all the lines before.

The approach I would like to take looks a lot like the way a SOAP message
is signed, but I want it to be file based.

Any help?
 
