[algorithm/md5]: what is the detailed verification process in file sharing?

I read the wiki page for "Cryptographic Hash Function" today, and I learned that MD5 is used for file verification.

There is something I can't figure out; here it is.

Suppose I want to download a file (.exe, .iso, whatever) from a website.

1. Does the server first transfer the MD5 code of the file to me? If so, how do I store the MD5 code? Store the code in a file?

2. When the download is done, how do I start the verification process? Am I supposed to do the verification manually, or does the downloader (be it a Chrome explorer download tool) do the verification automatically?

3. If the file I'm downloading is intercepted by some hacker on the internet, will the hacker know what the file is? And how do I prevent the interception?

Thank you.


Further to previous answers, the purpose of the MD5 published on download websites has nothing to do with crackers (man-in-the-middle attacks). It's just to make sure you downloaded it correctly. If some bits were corrupted for whatever reason, the software mightn't run. Security is much more complicated to set up than one little hash, but luckily your browser knows how to deal with that: whenever you connect over TLS (SSL, https) it will set up a secure connection. Just by watching how much data is sent, even though he can't see what the data is, an attacker may be able to guess which file you're downloading.

  1. MD5 checking is entirely manual. You download it or copy and paste it yourself.
  2. Every operating system should come with an md5 program; Windows is probably the only one that doesn't. Google for one if you have the misfortune of needing to.
  3. With md5 alone, he certainly can see what the file is. The only way to prevent the interception is to use encryption, which most sites provide using https URLs.

Edit: What is an MD5? It's just the value of a little calculation done with all the parts of the file. You send the file, and do the calculation yourself using the md5 program, and check that you get the same value as is listed on the website. The calculation is clever, and if one or more bits of the file are corrupted, the calculated MD5 value will change, so you know that the download didn't work and you need to download again.


The file and the MD5 hash of the file are transferred separately. You are expected to calculate the MD5 hash of the file for yourself and compare it with the downloaded version. If they match then the files are the same. Think of MD5 as a more elaborate version of a checksum.

If you want to prevent interception then you need to encrypt the file, which is a separate question. If you want to ensure the file is truly the original and you haven't been fooled by a false copy, with a false MD5 hash, then look at HMAC.


There are probably browser plugins that will let you do hash-verification automatically. I haven't researched any previously.

A website will usually provide a hash, in hex format, next to the download link.

Once you have downloaded the file, you 'feed' it to a tool which will calculate the hash of the file. Almost all programming languages have the ability to do this, and there are many googleable tools to do so.

If the hash that you generated yourself matches the one shown on the website you know that the file is not corrupt / is the correct one.

MD5 is the most common hash function used to do hash verification. Using it for security purposes is no longer advised, but it is perfectly fine for verifying that a file's contents are correct (in 'casual' circumstances).

Digital signing is also used to ensure a file is correct and was generated by a known person/authority/site.
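
The manual check the answers above describe (hash the downloaded file yourself, then compare with the hex value published next to the link), as an added Python example that is not part of the original answers. The function names and the sample payload are constructed for illustration; the check detects corruption only and says nothing about who published the value.

```python
import hashlib
import hmac
import os
import tempfile

HEX = set("0123456789abcdef")

def file_digest(path, algorithm="md5", chunk_size=1 << 16):
    """Hash a file in chunks so a large .iso never has to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_published(text):
    """Accept a bare hex digest or an md5sum-style line '<hex>  <filename>'."""
    parts = text.split()
    if not parts or not set(parts[0].lower()) <= HEX:
        raise ValueError("published value is not a hex digest")
    return parts[0].lower()  # sites often publish upper-case hex

def verify_download(path, published, algorithm="md5"):
    """True if the file on disk hashes to the published value."""
    expected = parse_published(published)
    if len(expected) != hashlib.new(algorithm).digest_size * 2:
        raise ValueError("digest length does not match " + algorithm)
    return hmac.compare_digest(file_digest(path, algorithm), expected)

def demo():
    """Constructed sample: an intact copy and a copy with one flipped bit."""
    original = b"constructed sample payload\n" * 1000
    published = hashlib.md5(original).hexdigest().upper() + "  sample.iso"
    corrupted = bytearray(original)
    corrupted[500] ^= 0x01  # a single corrupted bit changes the digest
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("intact", original), ("corrupted", bytes(corrupted))):
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(data)
            results[name] = verify_download(path, published)
    return results

if __name__ == "__main__":
    print(demo())
```

Passing `algorithm="sha256"` checks a SHA-256 value the same way when a site publishes one.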
