I downloaded the two files (they were identical size) and ran md5 and it was the same! Just to make sure, I ran sha1 and sha256 also, and the shasums were different.
What surprises me is that the OP is surprised. There is no such thing as a 100% secure checksum/crypto system. What's important now anyways is that the developers of said tools have already caught wind of this and are working on the fix.
It is important to note that the hash value shared by the two different files is a result of the collision construction process. We cannot target a given hash value, and produce a (meaningful) input bit string hashing to that given value.
Though interesting from a theoretical crypto standpoint, it doesn't look to be any threat to md5sums as used for verifying a downloaded file hasn't been tampered with. They need to modify both files before they can engineer a collision. If they could achieve a collision by only modifying one of the files, then that would be far more worrying.
Still, it was an interesting read. Thanks for posting.
If you have a file with 1000 bytes, and there are 8 bits in each byte, there could be 2^8000 (so much that my calculator app fails) different combinations.
And an md5 sum consists of 128 bits, and has 2^128 (340282366920938463463374607431768211456) different possibilities. Not even close to the 1KB file.
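The counting argument and the "both files versus one fixed file" distinction from the posts above, as an added example that is not part of the original thread: it truncates MD5 to 16 bits (an assumption, so both searches finish quickly) and counts the tries each search needs. The inputs `file-N`, `forged-N` and `published-release.iso` are constructed sample values.

```python
import hashlib
from itertools import count

BITS = 16  # assumption: toy digest = first 16 bits of MD5, so searches finish fast

def tiny_md5(data: bytes, bits: int = BITS) -> int:
    """Return the first `bits` bits of MD5(data) as an integer."""
    return int.from_bytes(hashlib.md5(data).digest(), "big") >> (128 - bits)

def find_collision(bits: int = BITS):
    """Both inputs are free to choose: expect roughly 2**(bits/2) tries."""
    seen = {}
    for i in count():
        msg = b"file-%d" % i          # constructed sample inputs
        digest = tiny_md5(msg, bits)
        if digest in seen:
            return seen[digest], msg, i + 1
        seen[digest] = msg

def find_second_preimage(target: bytes, bits: int = BITS):
    """One input is fixed (the published file): expect roughly 2**bits tries."""
    want = tiny_md5(target, bits)
    for i in count():
        msg = b"forged-%d" % i        # constructed sample inputs
        if msg != target and tiny_md5(msg, bits) == want:
            return msg, i + 1

if __name__ == "__main__":
    a, b, n_coll = find_collision()
    print(f"collision after {n_coll} tries: {a!r} / {b!r}")
    # A second, independent digest tells the colliding pair apart.
    print("sha256 equal?", hashlib.sha256(a).digest() == hashlib.sha256(b).digest())
    forged, n_pre = find_second_preimage(b"published-release.iso")
    print(f"second preimage after {n_pre} tries: {forged!r}")
```

With the full 128-bit digest the same generic searches would need on the order of 2^64 and 2^128 tries; this sketch shows only the generic gap between the two problems, not the structural shortcuts the later posts mention.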
The MD (Message Digest) family of hash functions has been proved to be weak (theoretically speaking) to cryptanalytic attacks;
Several papers pertaining to its weakness have been published by RSA, and by Bruce Schneier himself...
The weaknesses are deemed theoretical because, despite the fact that one does not need a brute force attack to find a collision, several properties of the algorithm of hash can be exploited to find a collision, this requires nonetheless a huge amount of processing...
What surprises me is that the OP is surprised. There is no such thing as a 100% secure checksum/crypto system. What's important now anyways is that the developers of said tools have already caught wind of this and are working on the fix.
What surprises me is that you are surprised that the OP is surprised.
What doesn't surprise me is what surprises you that you were surprised that the OP was surprised about being surprised about that.
What halfheartedly surprises me is that you aren't surprised that I was surprised that I was surprised that the OP was surprised about being surprised about that.
What halfheartedly surprises me is that you aren't surprised that I was surprised that I was surprised that the OP was surprised about being surprised about that.
Surprising, isn't it?
What halfheartedly surprises me is that you aren't surprised POW( that I was surprised , N ) that the OP was surprised about being surprised about that