l i n u x - u s e r s - g r o u p - o f - d a v i s
L U G O D
 
Next Meeting:
May 20: Smart Static Sites with Hakyll 		Next Installfest:
Saturday, January 26th 		Latest News:
Mar. 22: Slides from "Making Predictions Using Linux and R" talk 		Page last updated:
2002 May 17 17:49

The following is an archive of a post made to our 'vox mailing list' by one of its subscribers.

 Report this post as spam:

(Enter your email address)
Re: [vox] MD5 Checksums and Public Downloading
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [vox] MD5 Checksums and Public Downloading

On Fri, 17 May 2002, Rick Moen wrote:

> Quoting Shwaine (shwaine@malevolence.com):
>
> > Not to throw oil on a budding flame, but isn't the core of the 
OpenPGP
> > signature (or any RSA digital signature for that matter) generating
> > a message digest (e.g. a hash like MD5, among others) of the data
> > and signing said hash output rather than the data itself?
>
> I look forward to seeing your performance and usability tests on 
660 MB
> files, and am willing to donate a few in the name of science.

Ah, so I see your plan is to throw around misdirections and strawmen 
rather than address the valid points which Micah and I have raised.
I bet you are a real joy around the office. No matter. Let us address 
your concerns as they are. If you use the MD5 checksum mode which 
is recommended as a hash alternative to SHA-1 in the OpenPGP specification,
the generation of the MD5 checksum will take a time comparable to 
generating the md5sum of the file from the command line. There will 
then be the added overhead of computing the signature of the checksum,
which would take as much time as computing the signature for any 
message, since the signature is always computed on the constant sized 
checksum. Overall, I'd be willing to bet that the majority of time 
is spent on computing the MD5 checksum since signing short messages 
with an OpenPGP compiliant program does not take an inordinant amount 
of time. Therefore, your concerns that signing the file would take 
longer than computing the md5sum seem rather moot when using MD5 
for the OpenPGP digest (if using SHA-1, the time of course may differ 
wildly).

Now, if you are so concerned about the times, why don't you try some 
side by side generations of signatures (using the MD5 digest not 
SHA-1) and md5sum time trials. I really have far more pressing things 
to do with my time, such as research.

Shwaine the Wandering Arch of Malevolence
--------------------------------------------------------------
http://www.malevolence.com              http://www.shwaine.com
telnet://shwaine.dyn.greystoneapts.com:3000






_______________________________________________
vox mailing list
vox@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox
LinkedIn
LUGOD Group on LinkedIn 		Sign up for LUGOD event announcements
Your email address: 		facebook
LUGOD Group on Facebook

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

 Sponsored in part by:
Sunset Systems
Who graciously hosts our website & mailing lists!