l i n u x - u s e r s - g r o u p - o f - d a v i s
Next Meeting:
July 7: Social gathering
Next Installfest:
Latest News:
Jun. 14: June LUGOD meeting cancelled
Page last updated:
2002 May 17 15:34

The following is an archive of a post made to our 'vox mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
Re: [vox] MD5 Checksums and Public Downloading
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [vox] MD5 Checksums and Public Downloading

On Thu, 16 May 2002, Rick Moen wrote:
> 2.  PGP/GnuPG isn't designed for signing of large files.  I'm not even
> sure what happens if you try that.  I'm not sure it hashes the entire
> file.  MD5 was designed to do exactly all of that, and is fast 
for what
> it does.

Not to throw oil on a budding flame, but isn't the core of the OpenPGP 
signature (or any RSA digital signature for that matter) generating 
a message digest (e.g. a hash like MD5, among others) of the data 
and signing said hash output rather than the data itself? RFC 2440 
(OpenPGP) says multiple times (sections 2.2 and 5.2.4) that the signature 
is computed over the hash output. It would seem then that the length 
of the data would be irrelevant then. 

To qualify my statement above about "any RSA digital signature", 
in Matt Bishop's ECS253 class last year, there was a specific example 
in the working draft of his book which showed why signing the actual 
data with an RSA based signature is a "bad thing" (basically allows 
a bad guy to fake a signature from you after having you sign a few 
selected messages) and hashing the data first avoids this problem.
The reference given for that section of Bishop's book was Bruce 
Schneier's book "Applied Cryptography", second edition. 

Shwaine the Wandering Arch of Malevolence
http://www.malevolence.com              http://www.shwaine.com

vox mailing list

LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
Sunset Systems
Who graciously hosts our website & mailing lists!