DISQUS

Hello! Creeva's World 2.0 is using DISQUS, a powerful comment system, to manage its comments. Learn more.

Community Page

creeva.com/ Jump to website »

Subscribe
- New Comments
Community
Top Commenters
- creeva
  155 comments · 1 points
- Miragi
  21 comments · 1 points
- grin
  8 comments · 1 points
- Xie
  6 comments · 1 points
- thorswitch
  5 comments · 2 points
Popular Threads
- Michael Jackson Was My First Hero
  1 week ago · 1 comment
- I Need a Way To Consolidate File Shares - A DFS Replacement
  2 weeks ago · 2 comments
- Father’s Day For My Dad
  2 weeks ago · 1 comment
Recent Comments
- I am still strangely devastated by this. Like you allude to, I think that he was such a huge part of growing up.
  2 days ago by grin
  
  in Michael Jackson Was My First Hero
- Still haven't passed 20 =/
  1 week ago by grin
  
  in I Made It To Level 22 in WoW
- Thank you!!!!!!!!!!!!! As I have said before, you being the first meant that you were the experiment. Hopefully I learned from any mistakes. And so far you have survived and prospered in your life....
  1 week ago by Dad
  
  in Father’s Day For My Dad
- So far I have found @roddenberry, Rod the son of Eugene Roddenberry. @WilliamShatner and @ZacharyQuinto
  2 weeks ago by Zach Carter
  
  in Follow Star Trek Actors On Twitter
- For some reason the openafs client won't start - it's being back asswards. I think I'm going to end up combining two projects into one and seeing how it goes. I've been meaning to...
  2 weeks ago by creeva
  
  in I Need a Way To Consolidate File Shares - A DFS Replacement

Creeva's World 2.0

Jump to original thread »

Why I Hate MD5 or: How I Learned to Start Worrying and Hate the Misconceptions | Creeva's World 2.0

Started by creeva · 10 months ago

No excerpt available. Jump to website »

5 comments

fung-li
10 months ago

there is a difference between md5 and the common practice to use only the contents of a file as input. i guess this is because the tool md5sum takes a filename as argument, which is like a shortcut of "cat file | md5sum". you could echo the filename and its contents and pipe it into md5sum, you would have it.

so the better title would be "why i hate the practice of only using file-contents as input for md5 hashes and not taking the filename itself into account"

reply

creeva
10 months ago

Well there was alot of people ignorant like me - so i thought the misconception title was best. But yes i hate the fact it ignores the file name

reply

grin
6 months ago

It takes, say, 2 minutes to write a program which actually uses file metadata (name, creation and modification date, or even inode data [position on the disk]) for generating hashes, be it md5 (which in fact harder to spoof than you suggest) or some other algos (sha2 comes to mind). Takes half an hour if you want it a bit faster. :-)

But your problem is that you fail to know the goal of the method you use: it's for detecting changes in the files (or, actually, the falsification of the data) and not to have a hash unique to the (actually any random) file. Downloaders aren't intersted whether the file is called "kernel-latest.tar.bz2" or "linux-2.6.31rc2.tar.bz2" as long as it's the same.

Actual security tools (like tripwire, integrit, etc) use file metadata hashing as well, so they detect not just data or filename change, but moving the file or having it changed by any unknown means (which changes, say, inode numbers).

Use tools what they're for. Don't try to screw in a screw with a sledgehammer. ;-)

reply

creeva
6 months ago

btw the script I ended up writing with md5 did use some file metadata so yes you are write and it does take less then 2 minutes.

reply

creeva
6 months ago

I was just pointing out the fallacy where some people take with MD5 - I'm well aware these days not to trust it too much . It has it's flaws and I know it is difficult to spoof - but MD5 collisions caused the new SSL vulnerability issue because people put trust in it and didn't think md5 collisions would be an issue at. It was considered good enough - if you find something you consider a problem raise awareness - in security "good enough" is never good enough - the bad guys always work past it.

reply

Add New Comment

Returning? Login