On Sunday 2007-04-08 at 23:43 -0700, David Brodbeck wrote:

> Ryouga Hibiki wrote:
> > PS: Unless you know that there's a way to change a package without
> > modifying the integrity of these (MD5SUM), is that possible?
> 
> I *think* it's been shown that it's possible to create two different
> files that have the same MD5 checksum.  

Curious!

I was thinking of that the other day while falling asleep. It is obviously 
possible: if it weren't, then we could use the checksum instead of the 
original file as a brutally effective compression technique. There will 
then be several (many?) files of the same size having the same checksum.

> Exploiting this would require
> creating a *meaningful* file with the same checksum as the original,
> though, which is much more difficult.

Not knowing the in-depth mathematical analysis of checksums, my educated 
guess is that a checksum protects against the chance corruption of a file 
in transmission, affecting one or many, but not all, of its bytes. It will 
not protect against the deliberate attempt to generate a file of the same 
size and checksum; but generating one such file that is a valid file of 
the same format I imagine could be a herculean task.


In the case of the SuSE iso images, the task would be terribly difficult: 
each rpm inside the iso also has checksums, plus a pgp signature.


-- 
Cheers,
       Carlos E. R.
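
The counting argument in this message, and the quoted distinction between any two colliding files and a file that matches one given original, shown as an added example (not part of the original message). MD5 is truncated to 16 bits here, an assumption made so both searches finish quickly; the function names and inputs are constructed for illustration.

```python
import hashlib
from itertools import count

BITS = 16  # demo width (assumption); real MD5 digests are 128 bits

def tiny_md5(data: bytes, bits: int = BITS) -> int:
    """Top `bits` bits of MD5(data): a deliberately small checksum."""
    return int.from_bytes(hashlib.md5(data).digest(), "big") >> (128 - bits)

def find_collision(bits: int = BITS):
    """Find ANY two distinct inputs sharing a checksum.

    Pigeonhole: only 2**bits checksums exist, so 2**bits + 1 distinct
    inputs must contain a repeat. The birthday effect makes the first
    repeat show up after roughly 2**(bits/2) inputs.
    """
    seen = {}
    for n in count():
        msg = b"constructed-input-%d" % n
        h = tiny_md5(msg, bits)
        if h in seen:
            return seen[h], msg, n + 1
        seen[h] = msg

def find_second_preimage(original: bytes, bits: int = BITS):
    """Find a different input matching the checksum of ONE given file.

    No birthday shortcut applies: each candidate matches with
    probability 2**-bits, so about 2**bits candidates are needed.
    """
    want = tiny_md5(original, bits)
    for n in count():
        msg = b"constructed-candidate-%d" % n
        if msg != original and tiny_md5(msg, bits) == want:
            return msg, n + 1

if __name__ == "__main__":
    a, b, tries = find_collision()
    print(f"collision after {tries} inputs: {a!r} / {b!r}")
    original = b"constructed stand-in for the original package"
    forged, tries = find_second_preimage(original)
    print(f"match for the given file after {tries} candidates: {forged!r}")
```

These counts are the generic costs for an ideal checksum of that width; they say nothing about weaknesses specific to MD5's design.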
