On Wed, 4 Apr 2018 10:54:04 +1000, Andrew Rowley <[email protected]> wrote:
>On 4/04/2018 10:29 AM, Paul Gilmartin wrote:
>> So is a signature any more secure than an independently verifiable checksum,
>> or just more practical?
>If you get the checksum via a reliable channel I think it is as secure.
>The digital signature allows the checksum to be included with the file,
>and verified using pre-arranged public keys. So you only need the public
>keys rather than a means to get a verifiable checksum for each package
>(really the signature + public keys are the means to verify the checksum).

Of course, you want a checksum method that is strong enough that an attacker can't create a modified file that will have the same checksum. SHA-1 is no longer strong enough to guarantee that, from what I've read. SHA-2 should be strong enough.

--
Walt
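Added example, not part of the original messages: a Python sketch of the point made in this thread, comparing a checksum shipped with the file, a checksum obtained separately, and a signature checked against a pre-arranged public key. The key is a constructed toy (textbook RSA over two Mersenne primes, no padding) chosen only to keep the code standard-library-only, and the function names and package layout are assumptions.

```python
import hashlib

# Constructed toy key: textbook RSA over two Mersenne primes, no padding.
# Trivially factorable; it only keeps the example standard-library-only.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                  # public key, arranged in advance
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, held by the publisher


def digest(data: bytes) -> int:
    """SHA-256 of the file as an integer (always smaller than N here)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def publish(data: bytes) -> dict:
    """Publisher side: bundle the file with its checksum and a signature."""
    return {
        "file": data,
        "sha256": hashlib.sha256(data).hexdigest(),
        "sig": pow(digest(data), D, N),
    }


def checksum_ok(pkg: dict, trusted_hex: str = None) -> bool:
    """Compare the file with a checksum: the bundled one by default, or one
    obtained over a separate reliable channel when trusted_hex is given."""
    expected = trusted_hex if trusted_hex is not None else pkg["sha256"]
    return hashlib.sha256(pkg["file"]).hexdigest() == expected


def signature_ok(pkg: dict, n: int = N, e: int = E) -> bool:
    """Verify the bundled signature using only the pre-arranged public key."""
    return pow(pkg["sig"], e, n) == digest(pkg["file"])


def tamper(pkg: dict, new_data: bytes) -> dict:
    """Model a modification in transit: file replaced, bundled checksum
    refreshed. Without D no matching signature can be made, so it is kept."""
    return {**pkg, "file": new_data,
            "sha256": hashlib.sha256(new_data).hexdigest()}


if __name__ == "__main__":
    original = publish(b"constructed package contents v1.0\n")
    modified = tamper(original, b"constructed package contents (altered)\n")
    for name, pkg in (("original", original), ("modified", modified)):
        print(name,
              "| bundled checksum:", checksum_ok(pkg),
              "| separate checksum:", checksum_ok(pkg, original["sha256"]),
              "| signature:", signature_ok(pkg))
```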
