Some of the software available for download lists MD5 checksums.

I have no idea how to generate a checksum to compare with the one on
the download page. Do many people do this? I only find urls that
say how to do it in Unix.


Background:
My guess is that if one uses the right software on the downloaded
file, he should get the checksum, and then he'll know the file wasn't
virified or tampered in some other way to his detriment. The wikip
entry talks about transmission errors.

Either way, I don't know how to do it, or if I should bother. Do
many people do it?

mm wrote:
> Some of the software available for download lists MD5 checksums.
>
> I have no idea how to generate a checksum to compare with the one on
> the download page. Do many people do this? I only find urls that
> say how to do it in Unix.
>
>
> Background:
> My guess is that if one uses the right software on the downloaded
> file, he should get the checksum, and then he'll know the file wasn't
> virified or tampered in some other way to his detriment. The wikip
> entry talks about transmission errors.
>
> Either way, I don't know how to do it, or if I should bother. Do
> many people do it?

I do this all the time. I have a port of MD5SUM which I use
regularly, but I can't tell you exactly where I found it.
I've had it for a while.

Microsoft provides a tool, called FCIV. It computes both
MD5 (message digest 5) and SHA1. So you could get this one.

http://www.microsoft.com/downloads/e...displaylang=en

Of the two algorithms, I've heard that MD5 has been cracked. What
that means, is a hacker can change the contents of a download
file, preserve the file length, and have the MD5 sum work
out to the correct value. And thus, in the larger scheme of
things, an MD5 sum may not identify when a download has been
altered.

I don't know if the same is true of SHA1 or not. There are some
comments here about SHA1.

http://www.h-online.com/security/fea...ed-747181.html

A determined hacker, could probably alter a downloaded file,
and make those checks appear normal. So the technique is not
without its flaws.

Paul

On 18/01/2011 8:27 PM, Paul wrote:
> Of the two algorithms, I've heard that MD5 has been cracked. What
> that means, is a hacker can change the contents of a download
> file, preserve the file length, and have the MD5 sum work
> out to the correct value. And thus, in the larger scheme of
> things, an MD5 sum may not identify when a download has been
> altered.
>
> I don't know if the same is true of SHA1 or not. There are some
> comments here about SHA1.
>
> http://www.h-online.com/security/fea...ed-747181.html
>
> A determined hacker, could probably alter a downloaded file,
> and make those checks appear normal. So the technique is not
> without its flaws.

It wouldn't be likely to get an executable file to work if you changed
its contents and tried like crazy to make sure its hashes worked. You'd
have to change too many other bytes and that'll just kill the whole
thing. Doing the same thing to a data file might be more plausible, but
of course such a file can't be used as a payload to malware. Of more use
to spies than to hackers.

Yousuf Khan

"mm" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Some of the software available for download lists MD5 checksums.
>
> I have no idea how to generate a checksum to compare with the one on
> the download page. Do many people do this? I only find urls that
> say how to do it in Unix.
>
>
> Background:
> My guess is that if one uses the right software on the downloaded
> file, he should get the checksum, and then he'll know the file wasn't
> virified or tampered in some other way to his detriment. The wikip
> entry talks about transmission errors.
>
> Either way, I don't know how to do it, or if I should bother. Do
> many people do it?


I've used the Windows version of CRC32 Calculator for years to check the
CRC of downloads:
http://www34.brinkster.com/dizzyk/crc32.asp

For MD5 sums there is MD5 Checker:
http://download.cnet.com/MD5-Checker...-10410639.html

--
Glen Ventura
MS MVP Oct. 2002 - Sept. 2009
CompTIA A+
http://dts-l.net/

On Tue, 18 Jan 2011 23:33:45 -0500, "glee" <(E-Mail Removed)>
wrote:

>"mm" <(E-Mail Removed)> wrote in message
>news:(E-Mail Removed)...
>> Some of the software available for download lists MD5 checksums.
>>
>> I have no idea how to generate a checksum to compare with the one on
>> the download page. Do many people do this? I only find urls that
>> say how to do it in Unix.
>>
>>
>> Background:
>> My guess is that if one uses the right software on the downloaded
>> file, he should get the checksum, and then he'll know the file wasn't
>> virified or tampered in some other way to his detriment. The wikip
>> entry talks about transmission errors.
>>
>> Either way, I don't know how to do it, or if I should bother. Do
>> many people do it?
>
>
>I've used the Windows version of CRC32 Calculator for years to check the
>CRC of downloads:
>http://www34.brinkster.com/dizzyk/crc32.asp
>
>For MD5 sums there is MD5 Checker:
>http://download.cnet.com/MD5-Checker...-10410639.html

Wow. Two kinds. I'll read the urls and do the downloads. Thanks
all.