|
| home | background | contact | studies | lyrics | security | links | SEARCH: |
|
Disclaimer: This page is out-of-date and kept for nostalgic reasons. Links, images and other resources are not maintained. Go to up-to-date site.
Up to overview | Previous: One-way hash functions | Next: Secure passwords
Let's suppose that you have just downloaded a piece of software from the Internet. Are you sure that this software is genuine? If that is so, everything is fine. Install it and have fun!
Apart from intuition, there exists another way to ensure that data hasn't been compromised. The author of the data can publish the fingerprint which identifies the data (file). The fingerprint is really a one-way hash value; other common synonyms are checksum and message digest. Popular programs in this category are md5sum or cksum; both comes with the GNU Textutils package. By doing the same calculation on your received data file, you can verify that it is (in all likelihood) the same file.
A cracker can not alter the data file, without being detected by the fingerprint check. So, s/he must also change the published message digest, for instance, by gaining write access to the official Internet page where it is presented.
That's obvious a weakness. Of couse, for popular software, the fingerprint ought to be available from a large number of sites, and the cracker would have a hard time altering all of them. Still, you would like to be sure that the fingerprint indeed originated from the real author of the data file. PGP, Pretty Good Privacy offers a solution to this problem.
Naturally, you can use message digests in other circumstances; monitoring (unauthorized) changes of files on your own filesystem. Just create a text file containing a list of files along with their fingerprints and save it on a secure place; good storage locations are removable media (floppy disks, flash cards, CD-ROM etc.)
Up to overview | Previous: One-way hash functions | Next: Secure passwords