[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: checking system integrity

On Sun, Feb 11, 2001 at 10:09:42AM +1100, Brian May wrote:
 
> Also, I have heard there are algorithms that allow you to create a file
> with the same md5sum, but different length[1].
> 
> Hence, it is not good enough just testing the md5sum, you need to
> check the file size too.
> 
> Note:
> [1] anyone got any good references for this?

Erm, no.  But I thought that the weakness in md5 was not the general
ability to find a file with the same hash, but the ability to find
collisions in the hash function (pairs of files with matching hashes).
Once that has been done, however, it seems unlikely that the algorithm
will remain secure in the future.

Perhaps you would be better off using SHA-1, which is regarded as a
more secure alternative.  IIRC, there is a patent on SHA-1 which allows
for its use in, eg, free software (somebody correct me if this is
wrong?)

-- 
Peter Eckersley                         http://www.cs.mu.oz.au/~pde 
(pde@cs.mu.oz.au)              TLI:  http://www.computerbank.org.au
<~~~~.sig temporarily conservative pending divine intervention~~~~>
GPG fingerprint: 30BF 6A78 2013 DCFA 5985  E255 9D31 4A9A 7574 65BC
Reply to: