Re: What is md5sum?

From: Bill Unruh (unruh_at_string.physics.ubc.ca)
Date: 06/28/04 

Date: Mon, 28 Jun 2004 21:36:33 +0000 (UTC)

Carlos Moreno <moreno_at_mochima_dot_com@xx.xxx> writes:

]Bill Unruh wrote:

]> ]>> ]and compare it to the one that came with the file. If they don't
]> ]>> ]match, something is wrong.
]>
]> There is nothing wrong with this statement. If they do not match, there is
]> something wrong.

]Yes, of course. I did not deny this part. Notice, however, that
]this was stated by Alan Connor, and not by Variant. Variant's
]statement was false.

]Notice also that I stated that my objections were in "pedantic"
]mode. But still, it terrifies me to see a statement that is
]false going by without any objections. If the statement had
]been accompanied by a "in practical terms", or a "almost
]certainly", or something like that, I wouldn't have objected.

Sorry, it is not "false". The user wants to know something about the md5sum
which he is using to verify the files he is downloading. My statement is
that if the md5 sums agree then his file is correct. I stand by that
statement.
Is there a possibilitity that the file actually does differ? Of course.
There could be a trojan planted in his md5sum which always reports the md5
sum of the particular file that he has downloaded as some given value, no
matter what was downloaded.
There could be a misreading of the output of md5sum so that the person
thought the sums were the same but they were really different. The CIA
could be sending out mindrays to alter his perception so that he never
actually ran md5sums but only thought he did. And finally, he could have
discovered a case where the md5sums of the two files were the same even
though the files differ. Of these the last one has by far the smallest
probability. Do I specify any of those other ways that the files could
differ even though the md5 sums are reported to be the same? No. Simply
because their probability is so small, not because they are logically
impossible.

I and I am sure you would be willing to bet at a million to one odds, that
a file downloaded from the net which had the same md5sum as the original
was the same bit by bit as the original.
Sometimes Pedantic is misleading.

Now, if you want me to say that there may be more than one file with the
same md5sum (Note that any particular file has a unique md5 sum associated
with it) that is true. But also completely irrelevant to the questioner's
question.

]> They sure are. The probability that a cosmic ray caused your computer to
]> miscalculate the md5sum is astronomically more probable than if a file has
]> the same md5sum, it has been changed.
]> If the md5sum is the same, the file has not been changed.

]I'm not sure what would terrify me more; the fact that you
]had not known that your statement is false, or the fact that
]you, *perfectly understanding* everything about hashes and
]MD5, you still insist on writing and fiercely defending that
]statement, which IS INCORRECT.

I know hashes very well and I know how md5 behaves very well as well.
Please do not be so easily terrified.

]> ]> Almost EVERYTHING that has been said, from Variant's reply to yours,
]> ]> is incorrect (although yes, in practical terms, probabilistically
]> ]> speaking, it is correct), and no-one has pointed it out.
]>
]> Who cares. The OP wanted to know what the md5sum command was all about. We
]> told him.

]Agreed. But in doing so, you volunteered some extra information
]which is incorrect (it is "correct" in practical terms, but
]still)

Lets see, it is incorrect but correct. Hmm.
 I certainly did not see the OP asking a theoretical question about the
details of hashes. I heard him asking about the use of the program md5sum.

]> ]> An MD5 code IS NOT unique to a file's content. A file that has,
]>
]> Of course not. So what?

]So what? That makes the statement is INCORRECT. That's what.

So what? There are many many many things which could be argued to make that
statement incorrect, of which your argument is the very least of my
worries.

]> IF you ever find a pair of files which have the same MD5 sum and the files
]> are different, then you will be very very famous, and maybe even rich. But
]> buy lottery tickets if you want to be famous and rich. You will have a much
]> higher chance.
]Another "pedantic mode" note: Alan said that. Actually,

I will accept that correction.

]Variant said that (just changing the phrasing) in addition to
]saying that the MD5 is unique to a file. That IS INCORRECT.

MD5 IS unique to a file. A file has one and only one md5sum.
That is a possible interpretation of the words "unique to a file"
You object to the other interpretation that there is only one file with a
given md5sum. I agree. But that is not the question. The question is
"If I download a file and I find that the md5sum is the same, is the file
the same". The answer is yes.

]code not being unique is ridiculously low). Still, I stand
]by my complaint that, why oh-why, if you do know this about
]MD5 and hashes in general, wouldn't you simply add the "in
]practical terms", to make the statement correct, instead of
]stating something that IS NOT CORRECT ?

Because making such a statement carries with it the implication that that
statement is relevant to the question being asked. It is not. It is not "in
practical terms". It is "In all cases being discussed."

]> I and I am sure he stands by that. And I still stand by If the sums
]> are the same then the files are the same. It is up to you to demonstrate me
]> wrong by showing me two downloads of the same file, with the same md5sum
]> which are different.

]Oh MY GOD?!!! I can not believe such level of stubbornness!!!

Hmm. Self analysis is not a strong point at your end I see.

]No, I do not have to demonstrate anything! I do not have to
]find a counter-example. The statement is so trivially proven
]wrong!! You even ACCEPTED my proof that the statement is
]wrong! How can you possibly re-state it, defend it, and
]say that I have to demonstrate the opposite with a counter-
]example?!! OH MY GOOOOOOODDDDDD!!!!!!!!!!

The statement is not wrong. If the sums of a file downloaded from the net
is the same as the one attached to the file, then the files are the same.
Could that statement be wrong? Again, in thousands of ways, none of which
have anything to do with the properties of hashes.

Now if you were using a 1 bit hash (parity bit) I certainly would not make
the statement. But md5 is a 128 bit hash, and at that point I will again
make the statement with great confidence.
If the file you download from the net has the same md5sum as the original,
then your file is the same.

]> A simplified description
] ^^^^^^^^^^^^^^^^^^^^^^^^^^

Except it does not even have the advantage that it is even close to right.

]> of what the system does is that it stores the MD5
]> ]> of the password you chose, and not the password itself. Thus,

It does not store the md5 of the password you choose. This is just wrong.

]>
]> Since you want to be pedantic, the MD5 password scheme does not opperate
]> this way.

]I know. See, that's why I bothered to add the "a simplified
]description" of what it does. What I explained summarizes the

It is not simplified. It is wrong. It stores a very slow hash, of unknown
cryptographic strength, of the password and the salt.

]essence and the purpose of using MD5 for passwords (I omited
]the salt part as well), exactly as saying "in practical terms,
]the MD5 is unique to a file and can be used to verify that a
]file has not been modified" explains the essence and purpose
]of the md5sum command (or more in general, the use of MAC's).

Relevant Pages

  • Re: What is md5sum?
    ... been accompanied by a "in practical terms", ... > the same md5sum, it has been changed. ... statement, which IS INCORRECT. ... then the MD5 must be the same (which is equivalent to saying ...
    (comp.os.linux.setup)
  • Re: What is md5sum?
    ... ]>]> When you say that md5sum does not identify a files contents uniquely. ... ]> IF md5 were shown to be cryptographically weak, I would change my answer, ... IF such a thing were to occur (Ie a weakness in MD5) I would advise people ... ]is wrong -- adding that in practical terms, ...
    (comp.os.linux.setup)
  • Re: What is md5sum?
    ... ]>>]When you download a file with an md5sum available, ... if the sums are different you do not know how the files differ. ... ]> An MD5 code IS NOT unique to a file's content. ...
    (comp.os.linux.setup)
  • Re: What is md5sum?
    ... > IF md5 were shown to be cryptographically weak, I would change my answer, ... So, even putting aside the cryptographic weakness possibility, ... is wrong -- adding that in practical terms, ... true (also adding that when using the md5sum command, ...
    (comp.os.linux.setup)
  • Re: What does it mean to check the MD5SUM?
    ... and it compares the md5 checksum of the images. ... have a good downloaded iso set. ... you will need to download a md5sum program. ...
    (comp.os.linux.misc)