Re: File Integrity Check

["Geva Patz" <geva () planet co za>]

> CRC is a Cyclic Redundancy Check.  It's a polynomial, calculating a *very*
> unique value based on content.  Much more effective than a MD5 or any
other
> checksum.

Much more effective in X/Y/Zmodem communications, yes, where it's a lot
quicker to calculate than an MD5 checksum, a lot shorter (usually a max of
32 bits rather than 128), and gives you limited error correction, too (i.e.
it doesn't just indicate that there has been an error in transmission, but
in some cases allows the erroneous bit(s) to be reconstructed without a
retransmission).

These properties, which make CRCs wonderfully suited to communications uses,
are precisely what makes them near useless for security purposes. It's
trivial to pad a file with a byte or four to generate any desired CRC. You
can use the known properties of the checksum polynomial to calculate the
values you need, or if you aren't up to that, a brain-dead brute-force
search of the 32-bit space can be completed in a resonable time (bearing in
mind that there are some very fast CRC calculation routines out there). MD5
has so far proved resistant to mathematical analysis to reverse-calculate
values from checksums, and brute-forcing the value space just isn't
practical.


-- Geva