Free Republic
Browse · Search
General/Chat
Topics · Post Article

To: killermosquito
Oh, and you also have to keep in mind that there are several different hashes that might be used. Most folks use md5, but it's really not a good choice any more because it's been shown to be possible to force a hash collision. When they show you the hash, they should also tell you how it was calculated. The following shows the same file being tested using several different hashing techniques. Of these, the most secure hash is sha512, but really, anything over sha224 is good. (sha1 has similar known vulnerabilities to md5.)

 

$ for x in md5sum sha1sum sha224sum sha256sum sha384sum sha512sum; do $x linuxmint-17.3-kde-64bit.iso;done
9fae1a87bebe4b57f6a587272f0cee3d  linuxmint-17.3-kde-64bit.iso
d3e8f755df63801678af48bf0c2b716d7a066fdd  linuxmint-17.3-kde-64bit.iso
672792a81435ef77296fd403771f911df26d359e0020dd1e7fb9d204  linuxmint-17.3-kde-64bit.iso
aa33bf286e92556163c335b258fe5cbd9f65f4ab8490e277fed94cf20d3920e4  linuxmint-17.3-kde-64bit.iso
7ae57b2bfe931c56bb355fc0817717636edcdc08d009cb64497605a645ecc46725ab259928a2d91489278c15e212df3f  linuxmint-17.3-kde-64bit.iso
d3c8499c6d3ab6b852d2592ab13129c5289f812443c848ca3f9221a516778d46e85f8ca9c7ac08e1a08882d94e28e4d9558a255366560f75065247568b3f7977  linuxmint-17.3-kde-64bit.iso

 

22 posted on 02/26/2016 1:35:54 PM PST by zeugma (Lon Horiuchi is the true face of the feral government. Remember that. Always.)


To: zeugma
It's like two-factor authentication (not just like it) but sort of. You calculate the hash as you've indicated. The desired value is published elsewhere. You compare the value you got with the value that is expected. For example, if you go to http://lug.mtu.edu/fedora/linux/releases/23/Workstation/x86_64/iso/ you see the following entries:
Fedora-Live-Workstation-x86_64-23-10.iso           29-Oct-2015 21:42          1469054976
Fedora-Workstation-23-x86_64-CHECKSUM              30-Oct-2015 20:37                1156
Fedora-Workstation-netinst-x86_64-23.iso           30-Oct-2015 01:37           433061888
Two of these are giant files and one is a fairly small one. If you calculate the SHA256 hashes on the giant files they should match the values published in the tiny one.
# The image checksum(s) are generated with sha256sum.
SHA256 (Fedora-Workstation-netinst-x86_64-23.iso) = f38d1aca6211b6bbb2873a550f393d03866294e3e5094256feb4cd647c25a310

SHA256 (Fedora-Live-Workstation-x86_64-23-10.iso) = a91eca2492ac84909953ef27040f9b61d8525f7ec5e89f6430319f49f9f823fe
And the checksums are signed with a PGP signature. So if one wants to be super careful one can be. Full disclosure - I am not.
24 posted on 02/26/2016 2:14:59 PM PST by 2 Kool 2 Be 4-Gotten
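The comparison described in the post above (hash the downloaded file, then check it against the value published in the CHECKSUM file), as an added example that is not part of the original thread. The function names and the sample file in demo() are constructed for illustration, and the PGP signature on the CHECKSUM file is not checked by this code.

```python
import hashlib, hmac, re, tempfile
from pathlib import Path

# BSD-style tagged line, as in the CHECKSUM file quoted above: SHA256 (name.iso) = <hex digest>
TAGGED = re.compile(r"^(SHA(?:224|256|384|512)) \((.+)\) = ([0-9a-fA-F]+)$")

def parse_checksums(text):
    """Return {filename: (algorithm, hex digest)}. Comment lines, blank lines and PGP armor
    do not match and are skipped; the signature is NOT checked (separate `gpg --verify` step)."""
    entries = {}
    for line in text.splitlines():
        m = TAGGED.match(line.strip())
        if not m:
            continue
        algo, name, digest = m.group(1).lower(), m.group(2), m.group(3).lower()
        if len(digest) != hashlib.new(algo).digest_size * 2:
            raise ValueError(f"digest length does not fit {algo}: {name}")
        entries[name] = (algo, digest)
    return entries

def file_digest(path, algo, chunk=1 << 20):
    """Hash in 1 MiB chunks so a multi-gigabyte ISO never has to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify(checksum_file, directory="."):
    """Return {filename: 'OK' | 'MISMATCH' | 'MISSING'} for every listed file."""
    results = {}
    for name, (algo, expected) in parse_checksums(Path(checksum_file).read_text()).items():
        path = Path(directory) / Path(name).name  # ignore any directory part in the listing
        if not path.is_file():
            results[name] = "MISSING"
        else:
            ok = hmac.compare_digest(file_digest(path, algo), expected)
            results[name] = "OK" if ok else "MISMATCH"
    return results

def demo():
    """Constructed sample: a tiny stand-in 'ISO', its CHECKSUM file, then one changed byte."""
    with tempfile.TemporaryDirectory() as d:
        iso, sums = Path(d) / "sample.iso", Path(d) / "CHECKSUM"
        iso.write_bytes(b"constructed stand-in for an ISO image\n")
        good = hashlib.sha256(iso.read_bytes()).hexdigest()
        sums.write_text(f"# sample\nSHA256 (sample.iso) = {good}\nSHA256 (absent.iso) = {'0' * 64}\n")
        before = verify(sums, d)
        iso.write_bytes(b"Constructed stand-in for an ISO image\n")  # first byte altered
        return before, verify(sums, d)
```

A matching hash only shows the file agrees with the CHECKSUM file; whether the CHECKSUM file itself is genuine is what the PGP signature is for.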
