What is MD5 and SHA?

Discussion in 'other firewalls' started by chaos16, Apr 9, 2007.

Thread Status:
Not open for further replies.
  1. chaos16

    chaos16 Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    1,004
    I was just wondering what MD5, SHA-1, SHA-2 is?

    I have read it in wikipedia but don't fully understand it.

    What is it that software firewalls use? Do they have to use it? Or does it give better protection?

    I am just curious what it is. Can someone explain it to me in a simple way please :)


    And wondering what is the best and latest version of the hash functions?
     
  2. lu_chin

    lu_chin Registered Member

    Joined:
    Oct 27, 2005
    Posts:
    294
    Re: What is MD5 and SHA?

    They are different hashing algorithms. I tend to think of them as methods to generate unique signatures for files. For example, an anti-malware program may use such methods to detect if a file has been tampered with or for speeding up on-demand scanning (by scanning only changed files). MD5 is faster but it had been compromised so SHA is more secure.
     
  3. light50

    light50 Registered Member

    Joined:
    Feb 23, 2006
    Posts:
    30
    Re: What is MD5 and SHA?

    In simple terms, md5/sha1 reads the file and depending on its code it calculates a number given to the file, which will be used to identify the file. If that particular file is changed, then when it calculates the number it won't be the same anymore. That number is called "hash".

    Firewalls, or mostly HIPS, calculate each file the first time it's launched, considering that your PC is clean, and store it. If the next time it is launched the calculated hash is different from the one stored in the database, then it informs you that the file has changed. This is important because with a hash you can make sure that the files are legit and not fake.

    I think that md5 hash could be faked, while sha1 can not, but I might be wrong on that one
     
  4. herbalist

    herbalist Guest

    Re: What is MD5 and SHA?

    Firewalls use MD5 and SHA-1 signatures to verify that the process involved is actually what it claims to be, that it hasn't been modified or altered. The firewall records the signature of the executable when the rule is made. Whenever that executable tries to communicate, its signature is checked against the original. If it's changed, the user is notified. It was a standard trick with malware in earlier times, to name the malware file after a legit Windows file, or actually replace one, and bypass firewalls that didn't check the file's integrity. HIPS use such signatures the same way.

    You can get a better idea of how and why this works by picking up one of the freely available MD5 checkers. They work on all kinds of files, not just executables.

    For easy manual checking, I use MD5cksum104. Just unzip it and put a shortcut to the executable in the "SendTo" folder. You can get a better idea how a small change in a file changes the whole signature. Choose any text file and check its MD5 signature. Then add a single period or comma anywhere in that file and check it again.

    It is possible to construct a file to have the same MD5 signature as another and defeat MD5 signature checking. That said, this isn't something that's usually done with malware. It's not something that's easy to do. MD5 signatures are generally sufficient for checking application integrity. SHA-1 is more secure, but IMO this factor alone isn't sufficient reason to choose one firewall over another.
    Rick
     
    Last edited by a moderator: Apr 9, 2007
  5. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Re: What is MD5 and SHA?

    The wiki is your friend.... see MD5 and SHA

    Blue
     
  6. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Re: What is MD5 and SHA?

    Hi,

    Those are mathematical algorithms.

    What they do is this:
    They calculate a so called checksum for a certain file.

    The purpose is to make sure that a file has not been changed.
    The name or the date or the size of a file is not enough to make sure that a file has not been changed.
    So that is why those checksum algorithms were made.

    There are a lot of different checksum algorithms.
    Some are old, some not so old.
    To name only a few:
    CRC32, MD2, MD5, SHA1, HAVAL, RIPEMD, TIGER, etc etc

    All checksum algorithms try to give a unique checksum to a file.
    Which means that no two different files have the same checksum.
    Such an occasion is called a collision.
    That is not an easy task. That is something for the mathematicians and crypto-experts among us.

    Do you have to worry about it?
    No, unless you are very, very, very into this topic.
    In general:
    The stronger the algorithm, the better.

    What do checksum algorithms in firewalls do:
    They calculate the checksum (using a certain algorithm) of a file.
    Later on they calculate it again, and check whether those two checksums are the same.
    Why is this important:
    Let us say that you allowed your browser to go through your firewall to the internet, and your browser is Internet Explorer for example.
    But now suddenly some malware on your system was able to change Internet Explorer's file without changing its name.
    So Internet Explorer's file was changed, but its name was not changed.
    If your firewall was looking only at its name, it would say: OK, let it go to the internet.
    If your firewall does also check the checksum of the Internet Explorer file, there would be a big chance that it would discover that it was suddenly changed. And that is exactly the purpose of firewalls using checksum algorithms.

    Of course there is much more to say about this, but I hope that this might help a little bit.
     
  7. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Re: What is MD5 and SHA?

    OK, here you go (quotes from postings by me 5 years ago)

    It's exactly about that "storing".

    How safe is a checksum stored?

    Let’s say program P uses a checksum algorithm (like CRC32 or MD5) to check whether files have been changed.
    Let’s say you want file F to be checked.
    The first time you run program P on file F there will be a checksum C generated.
    Then, after a while, you will check whether file F is changed.
    So you run a second time program P on file F;
    the algorithm used in program P makes a new checksum – let’s say C2 - ;
    the checksums C and C2 are compared;
    and then program P tells you whether file F has been changed or not, depending on whether C and C2 are the same or not.

    So far so good, but the only way program P can perform this is that it must compare these two checksums C and C2. That means that after the generation of the first checksum C it must store it somewhere….

    Now I have a malicious program M (like some kind of a Trojan).
    Malicious program M looks specifically for file F and wants to replace it with malicious file MF.
    And malicious program M is made in such a way that it already knows that changes in file F are being checked with program P. So it brings together with malicious file MF its checksum MC.
    The only thing that malicious program M now has to do is to replace file F with file MF and replace checksum C with checksum MC.
    And there is no way that program P ever can tell you that file F is changed…

    Conclusion: the security that program P with its checksum algorithm can give you depends heavily on how safely it stores checksums!
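
Added example (not part of any post in this thread): a sketch of the record-then-compare check described in posts 6 and 7, showing the checksum swap from post 7 going unnoticed with an unprotected store and being detected when the store is sealed with an HMAC. The class names, the in-memory store, the use of SHA-256, and the assumption that the HMAC key is kept where the malicious program cannot read it are all illustrative assumptions.

```python
import hashlib
import hmac
import json

def file_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class PlainStore:
    """Program P keeping its checksums in a store any process can rewrite."""
    def __init__(self):
        self.db = {}  # file name -> hex digest recorded on first run
    def record(self, name, data):
        self.db[name] = file_hash(data)
    def unchanged(self, name, data):
        return hmac.compare_digest(self.db[name], file_hash(data))

class SealedStore(PlainStore):
    """Same store, sealed with an HMAC under a key (assumed out of M's reach)."""
    def __init__(self, key: bytes):
        super().__init__()
        self.key = key
        self.seal = self._mac()
    def _mac(self):
        blob = json.dumps(self.db, sort_keys=True).encode()
        return hmac.new(self.key, blob, hashlib.sha256).hexdigest()
    def record(self, name, data):
        super().record(name, data)
        self.seal = self._mac()  # re-seal after every legitimate update
    def unchanged(self, name, data):
        if not hmac.compare_digest(self.seal, self._mac()):
            return False  # the checksum store itself was modified
        return super().unchanged(name, data)

def simulate(store):
    """Constructed scenario from post 7: F is replaced by MF and C by MC."""
    f, mf = b"original program bytes", b"replacement program bytes"
    store.record("F", f)
    ok_before = store.unchanged("F", f)
    # M writes MC straight into the store, bypassing record() and the key.
    store.db["F"] = file_hash(mf)
    return ok_before, store.unchanged("F", mf)

if __name__ == "__main__":
    print("plain :", simulate(PlainStore()))            # swap goes unnoticed
    print("sealed:", simulate(SealedStore(b"k" * 32)))  # swap is detected
```
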
     
  8. herbalist

    herbalist Guest

    Re: What is MD5 and SHA?

    Partly true. Storing the signatures in a file is better than registry storage, and yes, one algorithm is stronger than the other. That said, if we're dealing with signatures stored by a HIPS or a firewall with a HIPS component, any malicious process trying to alter those sigs would be intercepted in the first place.
     
  9. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Re: What is MD5 and SHA?

    Things have changed since 5 years ago ;)
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Re: What is MD5 and SHA?

    Is there a free utility to check SHA hash?
     
  11. light50

    light50 Registered Member

    Joined:
    Feb 23, 2006
    Posts:
    30
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Re: What is MD5 and SHA?

    Thanks but I was asking for one that some people are using/ have used themselves indeed.
     
  13. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Re: What is MD5 and SHA?

    Hi,

    There are lots of free tools.
    Examples:

    Karen's Hasher
    http://www.karenware.com/powertools/pthasher.asp
    I have this one installed.

    HashTab
    http://www.beeblebrox.org/hashtab/
    I don't have it installed, but I know that there are folks who are using it.

    I myself use almost always the not-free CryptoSuite (see dedicated forum here at the Wilders-board).

    See also for example:
    http://www.dslreports.com/forum/remark,17010220
     
  14. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London