Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
D
D
Dreamject2014-11-20 23:38:26
Information Security
Dreamject, 2014-11-20 23:38:26

How difficult is it to “hack” a correction (CoRreCtica)?

In general, he released a universal layout- not God knows what software, but I'm still developed. I would not want all sorts of smart-ass people to inject viruses or trojans into executable files, and then spread them on trackers, so I distribute them in iso-image and closed rar on my own. I thought about how to protect against changes, or rather how to detect changes quickly and easily. This means that storing md5 and sha1 side by side is boring, and it takes a long time to check (but there may be quick ways), and even collisions are selected for md5. In general, I came to such a “way out” - to store in the information about the release and in the file name information that allows identification. Everything will be based on the laconic, but unreliable CRC32, Supplemented with md5 & sha-1 - two characters from the first and second, and at the end completely crc32 (so that if the file name is cut off, everything will fit, at least partially).
As a result, we can google not only the full version of the program assembly - 2.7.37.2e.8FAC8664, but even just crc32.
I would like to know how difficult it is to modify a file and pick up a collision so that the file name remains unchanged?

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

3 answer(s)
Report
A
Andrew, 2014-11-21
@OLS

After about 2 ^ 15 options, the desired one will be found (a calculation is underway for a given CRC32, and it is very difficult to pick up a simultaneous collision of MD5 and SHA-1 - with such parameters it is much easier to search for them randomly before the first match)

Report
B
brutal_lobster, 2014-11-21
@brutal_lobster

Invest some money and use the digital signature :)
And so - you complicate the verification process too much. Normal practice is to publish md5/sha-1/sha-256 sums. It doesn't take long to check :)
Moreover, it makes no sense to store the checksum in the file itself or in the file name.
It doesn't cost anything for an " intruder " to change the file itself, and the name of the file, and specify the correct
checksum. is it easier to make repack toys?

Report
D
Dreamject, 2014-11-21
@Dreamject

brutal_lobster
They are quite long and, in general, not usable. CRC32+4 characters are easy to compare by eye or even remember - about 8+2+2 digits. And yes, the data for verification is stored not only in the file name, but also in the “program version”, that is, they are just in plain sight. If an attacker changes the file name, it's easy to see, or at least find with more certainty, where the incorrect file was.i-3.jpg

Similar questions
L
la02013-08-23 22:04:24
The restaurant copies cards and overwrites their data - where to go? 17Reply
M
mDOGx2013-08-29 08:58:13
Inexpensive video surveillance for the home: the choice of platform and implementation? 13Reply
C
Chvalov2016-02-13 01:36:32
Where to go to work in the field of IT security? 3Reply
R
r85qPZ1d3y2016-02-14 22:46:07
File control from unauthorized access in Windows, is it possible? 1Reply
K
kzmzhz2016-02-16 13:31:12
Do special characters increase password strength? 7Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question