[ale] File Integrity Check
Holbrook, Paul
Paul.Holbrook at turner.com
Fri Aug 13 11:01:15 EDT 1999
More recent algorithms are referred to as "cryptographic" checksums (aka "message digests"), meaning that it is far harder to spoof them. The 'sum' algorithm is easy to spoof; once upon a time, I remember seeing a hacker tool that would jiggle the bytes in a file to match any given checksum. For that matter, the 'sum' command only computes a 16 bit checksum, which means that entirely different files could come up with the same 16 bit number just by chance.
The canonical cryptographic checksum algorithm is known as MD5. On my Redhat system, the 'md5sum' command implements this. Tripwire uses MD5.
Cryptographic algorithms have two useful properties:
- If files differ in any way, they will produce significantly different checksums. With a good algorithm, a single bit change should result in about half the bits in the checksum changing.
- The algorithm cannot be spoofed. With the 128 bit checksums from MD5, there are 1.7 x 10^38 different outputs, making it pretty difficult to twiddle the bits in a file and make it look like another file.
Of course, both of these are relative properties; even with MD5, it is possible for different files to come up with different checksums; it's just very unlikely. (And probably even less likely for them to be the same size.)
There are other algorithms for doing cryptographic checksums; the Secure Hash Algorithm (SHA) is endorsed by the US Government and produces 160 bit checksums. But MD5 is probably the way to go for anything you might want to use.
Paul Holbrook
paul.holbrook at cnn.com
>
> PS: Any of you math types are quite welcome to correct any
> misconceptions I may be propagating...
>
> Russell Enderby wrote:
> >
> > In pursuit of determining critical system files for modifications I was
> > thinking the checksum prog 'sum' would be sufficient. Understanding
> > that time, date, and file size can be modified under the ext2fs/ufs
> > directory table. Is it possible to also make the 'sum' checksum appear
> > to be correct?
> >
> > I was under the impression tripwire uses its own special checksum prog
> > to verify files, although would 'sum' be sufficient as well? If not,
> > does anyone know of a better, more thorough checksum app?
>
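A small integrity checker along the lines Paul describes (record an MD5 baseline, re-verify later), together with a measurement of the "one bit change flips about half the digest bits" property. This is an added example, not code from the original post or from Tripwire; the file names and contents it uses are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

def md5_file(path, chunk_size=65536):
    """Stream the file through MD5 (as md5sum does) so large files needn't fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(paths):
    """Record each file's digest; keep this table somewhere an intruder cannot rewrite it."""
    return {Path(p): md5_file(p) for p in paths}

def verify(baseline):
    """Recompute every digest and classify each file as 'ok', 'modified' or 'missing'."""
    report = {}
    for path, expected in baseline.items():
        if not path.exists():
            report[path] = "missing"
        elif md5_file(path) != expected:
            report[path] = "modified"
        else:
            report[path] = "ok"
    return report

def digest_bit_distance(data_a, data_b):
    """Count how many of MD5's 128 output bits differ between two inputs."""
    a = int.from_bytes(hashlib.md5(data_a).digest(), "big")
    b = int.from_bytes(hashlib.md5(data_b).digest(), "big")
    return bin(a ^ b).count("1")

def demo():
    """Constructed sample: two fake system files, then a one-bit edit and a deletion."""
    original = b"root:x:0:0:root:/root:/bin/bash\n"  # constructed, not a real file
    with tempfile.TemporaryDirectory() as tmp:
        passwd, shadow = Path(tmp, "passwd"), Path(tmp, "shadow")
        passwd.write_bytes(original)
        shadow.write_bytes(b"root:*:14000:0:99999:7:::\n")  # constructed
        baseline = build_baseline([passwd, shadow])
        clean = sorted(set(verify(baseline).values()))
        tampered = bytes([original[0] ^ 0x01]) + original[1:]  # flip a single bit
        passwd.write_bytes(tampered)
        shadow.unlink()
        after = verify(baseline)
        return (clean, after[passwd], after[shadow], digest_bit_distance(original, tampered))
```

The last value returned by `demo()` is the Hamming distance between the two digests; for a single-bit edit it lands near 64 of 128 bits, which is the avalanche behaviour the post describes.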