On Wed, 2004-01-21 at 19:44, Trevor Lauder wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Curtis Sloan said:
> > On Wed, 2004-01-21 at 11:43, Jason Louie wrote:
> > The answer lies in the way the MD5 algorithm works. It produces a
> > unique 128-bit checksum for any given arrangement of bytes.
> >
>
> Not to throw another variable into the mix, but it is possible to have 2
> completely different files with the same MD5 checksum. The algorithm
> creates enough different checksums to make this improbable but it is still
> a possibility. That is why md5 has never been sufficient evidence that
> files are the exact same, which is why they also use gpg/pgp to verify
> files.

Actually, GPG/PGP signing is used to verify that the source of the
files/MD5 checksums are 'trustworthy' (i.e. that a hacker didn't breach a
server, replace the files and create new checksums to go with the trojaned
files). The premise of 'signing' a file is that the asymmetric public key
cryptography is at least as hard as MD5 to crack, and as such 'verifies'
that the MD5 checksum provided is the one hashed out by the author of the
file. So, in essence, it verifies the verifier. :-P It's one level deeper
in the security scheme.

> The chances of this happening are extremely small though.

That's true. :-)

From the RFC (link below):

    [The MD5 algorithm] takes as input a message of arbitrary length and
    produces as output a 128-bit "fingerprint" or "message digest" of the
    input. It is conjectured that it is computationally infeasible to
    produce two messages having the same message digest, or to produce any
    message having a given prespecified target message digest. The MD5
    algorithm is intended for digital signature applications, where a
    large file must be "compressed" in a secure manner before being
    encrypted with a private (secret) key under a public-key cryptosystem
    such as RSA.

The key words here are "computationally infeasible", as opposed to
mathematically infeasible. Basically, the MD5 algorithm has the potential
to be reversed, but our current computers are not up to the task (yet).

For more on MD5, see http://www.faqs.org/rfcs/rfc1321.html

Curtis

>
> Cheers,
>
> Trevor
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.3 (GNU/Linux)
>
> iD8DBQFADzj7BsV2IjgYy+cRAnYFAKDRF58Grrgi3bZenaHyCoyYpkykWQCeOZOB
> eq4SBnm6o1Rx8eNJmXwx2/U=
> =8KKw
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> clug-talk mailing list
> [EMAIL PROTECTED]
> http://clug.ca/mailman/listinfo/clug-talk_clug.ca
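
Added example, not part of the original messages: the thread's distinction between "computationally infeasible" and mathematically impossible, shown by keeping only the first few bits of an MD5 digest so that a generic birthday search for two inputs with the same truncated digest finishes quickly. The function names and input strings are constructed for illustration; the same generic search over all 128 bits would need on the order of 2^64 hash computations.

```python
import hashlib
from itertools import count


def truncated_md5(data: bytes, bits: int) -> int:
    """Return the leading `bits` bits of the MD5 digest as an integer."""
    full = int.from_bytes(hashlib.md5(data).digest(), "big")
    return full >> (128 - bits)


def find_collision(bits: int, prefix: bytes = b"constructed-input-"):
    """Birthday search over distinct messages prefix+0, prefix+1, ...

    Stops at the first pair whose truncated digests match and returns
    (first_message, second_message, number_of_messages_hashed).
    With only 2**bits possible values, a match is guaranteed within
    2**bits + 1 messages (pigeonhole) and expected after roughly
    2**(bits / 2) messages (birthday bound).
    """
    seen = {}  # truncated digest -> first message that produced it
    for i in count():
        msg = prefix + str(i).encode()
        tag = truncated_md5(msg, bits)
        if tag in seen:
            return seen[tag], msg, i + 1
        seen[tag] = msg


if __name__ == "__main__":
    for bits in (16, 24, 32):
        a, b, tries = find_collision(bits)
        print(f"{bits:2d}-bit digest: {a!r} and {b!r} collide "
              f"after {tries} hashes (2^{bits // 2} = {2 ** (bits // 2)})")
        # The two inputs differ, and so do their full 128-bit digests.
        print("    full MD5:", hashlib.md5(a).hexdigest(),
              hashlib.md5(b).hexdigest())
```

Each extra bit of digest multiplies the expected work by about 1.41, which is why a digest check alone says nothing about who produced the checksum and the signature is layered on top.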

