Firewall Wizards mailing list archives

RE: File Integrity Check


From: "Choi, Byoung" <bchoi () visa com>
Date: Sat, 14 Aug 1999 15:22:37 -0700

uhhh.... the "simple checksum" is CRC, isn't it?

doesn't bsd checksum utility generate MD5 instead?

b-

----------
From:         Bill_Royds () pch gc ca[SMTP:Bill_Royds () pch gc ca]
Reply To:     Bill_Royds () pch gc ca
Sent:         Saturday, August 14, 1999 7:10 AM
To:   Marcus J. Ranum
Cc:   Russell Enderby; firewall-wizards () nfr net
Subject:      Re: File Integrity Check

What is the opinion of the BSD cksum command for generating hashes for
files?
It calculates a CRC for the file rather than a simple checksum but is less
computationally expensive than MD5.
I compromised on this during backups to avoid the MD5 overhead (and extra
downtime) but with some hope that it is harder to fake than the sum
checksum.



Please respond to "Marcus J. Ranum" <mjr () nfr net>

To:   Russell Enderby <Russell.Enderby () arris-i com>,
firewall-wizards () nfr net
cc:    (bcc: Bill Royds/HullOttawa/PCH/CA)
Subject:  Re: File Integrity Check




In pursuit of determining critical system files for modifications I was
thinking the checksum prog 'sum' would be sufficient.  Understanding
that time, date, and file size can be modified under the ext2fs/ufs
directory table.  Is it possible to also make the 'sum' checksum appear
to be correct?

Yes, the "sum" checksum is not particularly resistant to deliberate
faking. It's an example of a normal checksum - resistant to accidental
changes but not deliberate tampering.

I was under the impression tripwire uses its own special checksum prog
to verify files, although would 'sum' be sufficient as well?  If not
does anyone know of better more thorough checksum app?

Tripwire's probably the thing to use. It uses a mix of cryptographic
checksums including the de facto standard(s) SHA1 and MD5. That type
of checksumming algorithm is designed to be resistant to deliberate
manipulation, and uses a much larger checksum output. It'd require
extreme devotion and sophistication to defeat the checksum algorithms
(i.e.: a national intelligence agency). That's not likely, since
there are easier parts of the system to defeat.

In short, I'd suggest using tripwire. If that's not an option for
whatever reason, you can also use PGP to generate high quality
checksums of files.

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
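
Added example, not part of the thread or written by any of its posters: a baseline check that records both the 16-bit BSD `sum` value and a cryptographic digest, showing a changed file that still passes the `sum` comparison but fails the digest comparison. SHA-256 stands in here for the MD5/SHA1 digests named in the thread; the file contents, function names and seed are constructed for illustration.

```python
import hashlib
import random

def bsd_sum(data: bytes, state: int = 0) -> int:
    """16-bit BSD `sum`: rotate the running value right one bit, add the byte."""
    for byte in data:
        state = (state >> 1) | ((state & 1) << 15)
        state = (state + byte) & 0xFFFF
    return state

def record(data: bytes) -> dict:
    """Baseline entry holding both a 16-bit checksum and a SHA-256 digest."""
    return {"sum": bsd_sum(data), "sha256": hashlib.sha256(data).hexdigest()}

def verify(data: bytes, baseline: dict) -> dict:
    """Per-algorithm result: True means the file looks unchanged to that check."""
    current = record(data)
    return {name: current[name] == baseline[name] for name in baseline}

def same_sum_variant(changed: bytes, target: int, tries: int = 2_000_000) -> bytes:
    """Append 16 filler bytes until the 16-bit checksum equals `target`.

    Only 65,536 outputs exist, so a match turns up after about that many tries.
    """
    rng = random.Random(1999)           # fixed seed (assumption) for a repeatable run
    prefix_state = bsd_sum(changed)     # checksum state after the changed content
    for _ in range(tries):
        filler = rng.getrandbits(128).to_bytes(16, "big")
        if bsd_sum(filler, prefix_state) == target:
            return changed + filler
    raise RuntimeError("no match found within the try limit")

# Constructed sample contents, not taken from any real system.
ORIGINAL = b"version=1.0\nmode=strict\nlog_level=info\n"
CHANGED = ORIGINAL.replace(b"mode=strict", b"mode=relaxed")

def demo() -> dict:
    """Record a baseline, then verify a changed file whose `sum` still matches."""
    baseline = record(ORIGINAL)
    variant = same_sum_variant(CHANGED, baseline["sum"])
    return verify(variant, baseline)

if __name__ == "__main__":
    print(demo())
```

A baseline kept only as `sum` output reports this file as unchanged; the digest column is what flags it.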










