Carlos E. R. wrote:
The Sunday 2007-04-08 at 23:43 -0700, David Brodbeck wrote:
Ryouga Hibiki wrote:
PS: Unless you know that there's a way to change a package without modifying the integrity of these (MD5SUM), is that possible?
I *think* it's been shown that it's possible to create two different files that have the same MD5 checksum.
Curious!
I was thinking of that the other day while falling asleep. It is obviously possible: if it weren't, then we could use the checksum instead of the original file as a brutally effective compression technique. There will be then several (many?) files of the same size having the same checksum.
Exploiting this would require creating a *meaningful* file with the same checksum as the original, though, which is much more difficult.
Not knowing the in-depth mathematical analysis of checksums, my educated guess is that a checksum protects against the chance corruption of a file in transmission, affecting one or many, but not all, of its bytes. It will not protect against the deliberate attempt to generate a file of the same size and checksum; but generating one such file that is a valid file of the same format I imagine could be a herculean task.
In the case of the SuSE iso images, the task would be terribly difficult: each rpm inside the iso has also checksums, plus a pgp signature.
Bear in mind an md5sum is only 128 bits. It is impossible for there to be only one file that results in that sum, given that a file can be any size, with any value in each of the bytes. However, it's virtually impossible to change a file so that it has the same md5sum and is still sensible in the intended application. A small change in the original file makes a big change in the md5sum.
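
The two properties discussed in this thread, as an added example that is not part of any poster's message: collisions must exist once the digest is shorter than the input (shown here on MD5 truncated to 24 bits, an assumption chosen so the search finishes in a moment), and a one-bit change in the input changes about half of the 128 digest bits. The message strings are constructed sample data.

```python
import hashlib

TRUNC_BYTES = 3  # assumption for the demo: keep only 24 of MD5's 128 bits


def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def find_truncated_collision(trunc_bytes: int = TRUNC_BYTES):
    """Hash distinct inputs until two share the same truncated digest.

    With a t-bit tag the pigeonhole principle guarantees a repeat within
    2**t + 1 inputs; the birthday effect makes it happen after roughly
    2**(t/2) inputs on average.
    """
    seen = {}  # truncated digest -> first message that produced it
    counter = 0
    while True:
        msg = b"constructed-sample-%d" % counter
        tag = md5(msg)[:trunc_bytes]
        if tag in seen:
            return seen[tag], msg, counter + 1
        seen[tag] = msg
        counter += 1


def bit_distance(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equal-length digests differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(data: bytes) -> int:
    """Flip the lowest bit of the first byte and compare full MD5 digests."""
    flipped = bytes([data[0] ^ 0x01]) + data[1:]
    return bit_distance(md5(data), md5(flipped))


if __name__ == "__main__":
    a, b, tries = find_truncated_collision()
    print("inputs hashed before a 24-bit repeat:", tries)
    print(a, md5(a).hex())
    print(b, md5(b).hex())
    print("full 128-bit digests differ in", bit_distance(md5(a), md5(b)), "bits")
    print("one flipped input bit changes",
          avalanche(b"constructed package payload"), "of 128 digest bits")
```

The two colliding inputs are arbitrary counter strings, not a chosen "meaningful" file, and they agree only on the 24-bit tag; a signature over a stronger hash, as with the signed rpms mentioned above, is what addresses deliberate substitution.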