Fog Creek Software
Discussion Board




CRC calculation when using FTP


I'm uploading & downloading EDI files (Flat Text files)
that contain Purchase Order, Quotes, Sales Orders,
Picking Note.

So it's quite sensitive information.

We currently transfer these documents automatically to various trading partners via FTP.

I would like to add a security layer to check that
the data has not been altered during the transfer.

I thought of maybe using WinZip to ZIP a bunch of text files, since a ZIP file has got CRC built in.

What are my other alternatives?

EagleSoft
Sunday, June 13, 2004

If you have the possibility of using SFTP (part of SSH 2), I'd use that. I use it to connect to work. It has the bonus of being secure. If you're talking about something you're writing yourself: CRC libraries are not hard to find (look for CRC 32).

And BTW, usually FTP (even IP, or your physical ISP connection) itself uses CRC or other error detection mechanisms. But you can never be sure enough ;-)

Good luck.

Janonymous
Sunday, June 13, 2004

Many open source projects validate mirrored source archives using MD5 and/or GPG/PGP signatures.  Some info from the apache project:

http://httpd.apache.org/download.cgi#verify
http://httpd.apache.org/dev/verification.html

Using GPG/PGP properly can help verify the source of the file and that it wasn't compromised in transit.  A CRC by itself could have been recalculated.

Doug
Sunday, June 13, 2004

what's the problem you're trying to solve? a crc (or better yet hash (e.g. md5) or signature (e.g. w/gpg)) is only good if you know that it also hasn't been altered.

is a secure connection (e.g. ftp over VPN, sftp (or whatever the mechanism is someone mentioned above with ssh), https) good enough? if not, why not? do you have additional problems today which aren't being addressed (data isn't being modified but is being copied by an adversary)?

mb
Sunday, June 13, 2004
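
Added example, not part of any post in this thread: a small Python simulation of the point made in the two replies above, that a check value sent alongside the file only helps if it cannot itself be replaced. HMAC-SHA256 with a pre-shared key stands in here for the GPG signature mentioned above; the sample records, the key and all function names are constructed for illustration.

```python
import hashlib
import hmac
import zlib

# Constructed sample records standing in for an EDI flat file.
ORIGINAL = b"PO|10045|WIDGET|QTY=100|PRICE=2.50\n"
ALTERED = b"PO|10045|WIDGET|QTY=900|PRICE=2.50\n"
# Assumption: this key was exchanged with the trading partner out of band.
SHARED_KEY = b"constructed-demo-key"


def crc_tag(data: bytes) -> str:
    """Unkeyed CRC-32, the check a ZIP entry carries."""
    return format(zlib.crc32(data) & 0xFFFFFFFF, "08x")


def md5_tag(data: bytes) -> str:
    """Unkeyed MD5 digest, as in a sidecar checksum file."""
    return hashlib.md5(data).hexdigest()


def hmac_tag(data: bytes, key: bytes = SHARED_KEY) -> str:
    """Keyed HMAC-SHA256 tag; computing it requires the shared key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def transfer(tag_fn, mode: str = "clean") -> bool:
    """Send ORIGINAL plus its tag over one channel; return True if accepted.

    mode "corrupted": the data is damaged, the tag arrives untouched.
    mode "modified": whoever changed the data also replaced the tag,
    using only what they can compute (they do not hold SHARED_KEY).
    """
    data, tag = ORIGINAL, tag_fn(ORIGINAL)
    if mode in ("corrupted", "modified"):
        data = ALTERED
    if mode == "modified":
        if tag_fn is hmac_tag:
            tag = hmac_tag(data, b"not-the-real-key")
        else:
            tag = tag_fn(data)
    # Receiver recomputes the tag over what arrived and compares.
    return hmac.compare_digest(tag_fn(data), tag)


if __name__ == "__main__":
    for fn in (crc_tag, md5_tag, hmac_tag):
        for mode in ("clean", "corrupted", "modified"):
            print(f"{fn.__name__:9} {mode:10} accepted={transfer(fn, mode)}")
```

All three tags catch accidental corruption; only the keyed tag still rejects the file when the tag travels over the same channel and is replaced along with the data.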

Don't trust TCP's 16 bit checksum (which is all you get when using FTP). Implement something on your own using MD5.

TJ Haeser
Sunday, June 13, 2004

+1 for securing the link instead.

SFTP (FTP over SSH), FTPS (FTP over SSL), HTTPS (you're downloading... what do you need FTP for?), using a VPN, etc., should all provide comfort that the content wasn't changed in transit.

Brad Wilson (dotnetguy.techieswithcats.com)
Monday, June 14, 2004
