checksums and hash numbers

mm

Some of the software available for download lists MD5 checksums.

I have no idea how to generate a checksum to compare with the one on
the download page. Do many people do this? I only find urls that
say how to do it in Unix.


Background:
My guess is that if one uses the right software on the downloaded
file, he should get the checksum, and then he'll know the file wasn't
virified or tampered in some other way to his detriment. The wikip
entry talks about transmission errors.

Either way, I don't know how to do it, or if I should bother. Do
many people do it?
 
Paul

mm said:
Some of the software available for download lists MD5 checksums.

I have no idea how to generate a checksum to compare with the one on
the download page. Do many people do this? I only find urls that
say how to do it in Unix.


Background:
My guess is that if one uses the right software on the downloaded
file, he should get the checksum, and then he'll know the file wasn't
virified or tampered in some other way to his detriment. The wikip
entry talks about transmission errors.

Either way, I don't know how to do it, or if I should bother. Do
many people do it?

I do this all the time. I have a port of MD5SUM which I use
regularly, but I can't tell you exactly where I found it.
I've had it for a while.

Microsoft provides a tool, called FCIV. It computes both
MD5 (message digest 5) and SHA1. So you could get this one.

http://www.microsoft.com/downloads/...58-31B7-47E2-A663-7365C1686C08&displaylang=en

Of the two algorithms, I've heard that MD5 has been cracked. What
that means is a hacker can change the contents of a download
file, preserve the file length, and have the MD5 sum work
out to the correct value. And thus, in the larger scheme of
things, an MD5 sum may not identify when a download has been
altered.

I don't know if the same is true of SHA1 or not. There are some
comments here about SHA1.

http://www.h-online.com/security/features/Hash-cracked-747181.html

A determined hacker could probably alter a downloaded file,
and make those checks appear normal. So the technique is not
without its flaws.

Paul
 
Yousuf Khan

Paul said:
Of the two algorithms, I've heard that MD5 has been cracked. What
that means is a hacker can change the contents of a download
file, preserve the file length, and have the MD5 sum work
out to the correct value. And thus, in the larger scheme of
things, an MD5 sum may not identify when a download has been
altered.

I don't know if the same is true of SHA1 or not. There are some
comments here about SHA1.

http://www.h-online.com/security/features/Hash-cracked-747181.html

A determined hacker could probably alter a downloaded file,
and make those checks appear normal. So the technique is not
without its flaws.

It wouldn't be likely to get an executable file to work if you changed
its contents and tried like crazy to make sure its hashes worked. You'd
have to change too many other bytes and that'll just kill the whole
thing. Doing the same thing to a data file might be more plausible, but
of course such a file can't be used as a payload to malware. Of more use
to spies than to hackers.

Yousuf Khan
 
glee

mm said:
Some of the software available for download lists MD5 checksums.

I have no idea how to generate a checksum to compare with the one on
the download page. Do many people do this? I only find urls that
say how to do it in Unix.


Background:
My guess is that if one uses the right software on the downloaded
file, he should get the checksum, and then he'll know the file wasn't
virified or tampered in some other way to his detriment. The wikip
entry talks about transmission errors.

Either way, I don't know how to do it, or if I should bother. Do
many people do it?


I've used the Windows version of CRC32 Calculator for years to check the
CRC of downloads:
http://www34.brinkster.com/dizzyk/crc32.asp

For MD5 sums there is MD5 Checker:
http://download.cnet.com/MD5-Checker/3000-2092_4-10410639.html
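
The check the thread asks about, as an added example that is not from any of the posters or the tools they link: a Python script (Python is an assumption; it runs on Windows as well as Unix) that reads a downloaded file once, computes the CRC32, MD5 and SHA1 values mentioned above, and compares the right one against the value copied from the download page. The function names are hypothetical, and the algorithm is inferred from the length of the published hex value.

```python
import hashlib
import hmac
import zlib

# Hex-digest length -> algorithm, for the three checksum types named in the thread.
ALGO_BY_HEX_LEN = {8: "crc32", 32: "md5", 40: "sha1"}


def file_digests(path, chunk_size=1 << 20):
    """Read the file once, in chunks, and return CRC32, MD5 and SHA1 as lowercase hex."""
    crc = 0
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            crc = zlib.crc32(chunk, crc)
            md5.update(chunk)
            sha1.update(chunk)
    return {"crc32": f"{crc & 0xFFFFFFFF:08x}",
            "md5": md5.hexdigest(),
            "sha1": sha1.hexdigest()}


def parse_published(text):
    """Accept a bare hex value or an md5sum-style line ('<hex>  name' or '<hex> *name')."""
    value = (text.split() or [""])[0].lower()
    if len(value) not in ALGO_BY_HEX_LEN or any(c not in "0123456789abcdef" for c in value):
        raise ValueError(f"not a CRC32, MD5 or SHA1 hex value: {text!r}")
    return ALGO_BY_HEX_LEN[len(value)], value


def verify_download(path, published):
    """Return (algorithm, matches) for a file against the value shown on the download page."""
    algo, expected = parse_published(published)
    actual = file_digests(path)[algo]
    return algo, hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: verify_download.py <file> <published-checksum>")
    algo, ok = verify_download(sys.argv[1], sys.argv[2])
    print(f"{algo}: {'MATCH' if ok else 'MISMATCH - do not run this file'}")
    sys.exit(0 if ok else 1)
```

A match shows only that the file is identical to the one the published value was computed from; it says nothing if the page listing the value was itself altered.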
 