
Is md5 checksum that reliable ?

Pats:
Lately I read somewhere about preimage and collision attacks and reliability of md5 checksum. Would appreciate different opinions. I had referred the following link:
 ... https://security.stackexchange.com/questions/186657/is-it-secure-to-use-md5-to-verify-the-integrity-of-small-files-less-than-15kb

Rich:
Hi Pats
Since this thread is the result of a checksum mis-match while downloading an extension I will address that aspect of it. From the
thread where the checksum mis-match was brought up I stated:

--- Quote from: Rich on July 27, 2018, 09:29:38 PM ---Hi Pats

--- Quote from: Pats on July 27, 2018, 08:51:24 PM --- ... do you think that md5 mis-match may be real culprit in the OPs problem ? .... Just curious , if md5 checksum is that reliable . ...
--- End quote ---
Well yes, the mis-match is the source original problem. I feel for confirming that extensions are downloaded correctly it
is reliable enough. If the downloaded extension gets corrupted, it will get flagged. If the downloaded md5 file gets
corrupted, it will get flagged. If only one of the two files gets updated in the repo, as was the case here, it will get flagged.
--- End quote ---

From a security point of view, if you are downloading  FILE  and  FILE.md5.txt  from the same source, choice of checksum
algorithm is irrelevant. If someone can replace  FILE  with a malicious version they can replace the checksum file too.
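
Added example, not part of Rich's post or of Tiny Core's own code: a Python sketch of an md5sum-style check run over constructed data, covering the three cases the post says get flagged and the same-source replacement that does not. The file name, the contents and the digest obtained from a separate source are assumptions made for illustration.

```python
import hashlib

def digest(data: bytes, algo: str) -> str:
    return hashlib.new(algo, data).hexdigest()

def checksum_file(name: str, data: bytes, algo: str = "md5") -> str:
    """Contents of a checksum file in the md5sum style: '<hex digest>  <name>'."""
    return f"{digest(data, algo)}  {name}\n"

def verify(data: bytes, checksum_txt: str, algo: str = "md5") -> bool:
    """The decision an md5sum-style check makes: computed digest == listed digest."""
    fields = checksum_txt.split()
    return bool(fields) and digest(data, algo) == fields[0].lower()

# Constructed sample data standing in for an extension in a repo.
NAME = "example.tcz"
ORIGINAL = b"constructed extension contents, version 1\n"
UPDATED = b"constructed extension contents, version 2\n"
REPLACED = b"constructed contents swapped in by whoever controls the source\n"

def run_cases() -> dict:
    md5_txt = checksum_file(NAME, ORIGINAL)
    results = {
        "intact download": verify(ORIGINAL, md5_txt),
        "file cut short": verify(ORIGINAL[:-10], md5_txt),
        "checksum file cut short": verify(ORIGINAL, md5_txt[:16]),
        "only the file updated in repo": verify(UPDATED, md5_txt),
    }
    # Same source serves both files: the check passes whatever the algorithm.
    for algo in ("md5", "sha256"):
        same_source_txt = checksum_file(NAME, REPLACED, algo)
        results[f"both replaced ({algo})"] = verify(REPLACED, same_source_txt, algo)
    # Assumption: a digest of the original recorded via a separate, trusted channel.
    separate_txt = checksum_file(NAME, ORIGINAL, "sha256")
    results["both replaced, digest from separate source"] = verify(
        REPLACED, separate_txt, "sha256")
    return results

if __name__ == "__main__":
    for case, ok in run_cases().items():
        print(f"{'OK    ' if ok else 'FAILED'}  {case}")
```

Only the last case catches the replacement, and it does so because the reference digest came from somewhere the replaced files did not.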

Pats:
Hi Rich , thanks for explanation !
Brought the discussion point here from ...*Re: md5sum: WARNING: 1 of 1 computed checksums did NOT match* thread ... : ...

--- Quote --- Last post by Rich on Today at 10:25:29 PM » Hi Pats
The md5 file is not required for the extension to run. The md5 file is however also used to check whether an extension
in the repo has been updated.
--- End quote ---

..Correct ! Except for Kernel compiling / Update and security related downloads like iptables etc , I myself very rarely use md5 checks .

--- Quote --- Last post by Rich : ... If someone can replace FILE with a malicious version they can replace the checksum file too.
--- End quote ---

Though possible , but such replacements are not of any worth to the imposter ! So not practical , I guess .
 That means , if someone wants to be damn sure about a downloaded file integrity , better options may be SHA-1 and above versions of  (Digest::SHA1) or some utility like HashCheck.

 By the way , I found following articles interesting :
1)  http://raymond.cc/blog/ask-raymond-how-to-decrypt-md5-hashed-strings/
 2) https://www.perlmonks.org/?node_id=386246

bmarkus:
md5 with the tcz extensions has nothing to do with security which is a complex issue. It is to check integrity and detect file corruption. Considering networking protocols, reliability of storage systems, probability of file corruption is extremely low. File corruption in TC environment is in most cases caused by interrupted transfer e.g. due to lack of free storage or networking issue. In such case md5 is perfect, sha1 wouldn't bring any benefit.

vinceASPECT:
Hello.

Uh the md5 cs is referring to a file's integrity against an identical file of integrity. With that in mind, when dealing with transmissions
and so forth and protocols those a bit/ per bit streams and collisions will be in that domain. Collisions wouldn't implicitly refer to
the integrity a bit stream (as a packet of a file header)
That sort of networking issue concerns hardware parity.

Thx

V
