> MD5 *must* duplicate. It may never duplicate in practice; it may never
> duplicate over the life of a single project. But if you are designing
> aircraft software, you must be able to say 'we need to check every byte
> for changes'.
Well, its a little worse than that. From the PGP O'Reilley book:
"So why does MD5 seems so seecure? Because 128 bits allows you to have
2^128=340,282,366,920,938,463,374,607,431,768,211,456 different possible
MD5 codes. That is a number that is billions of times larger than the total
number
of documents that will ever be created by the human race for the next
thousands
of year."
So while it is possible that MD5 could give you an erroneous result, it is
statistically
so close to zero as to be almost impossible.
(You might checkout http://www.rsasecurity.com/rsalabs/faq/3-6-6.html (which
is cool
in that it has links to the actual papers in addition to being a high level
overview)) The PGP O'Reiley
book also has a pretty good high-level overview, but I would recommend Bruce
Scheiner's Applied
Cryptography, if anyone in the audience is interested in how they work and
how you use them.)
Of course, if you're just ultra-paranoid you could use SHA-1 as your digest
algorythm. It uses
160-bits and a better algorhythm.
Compare the above to a timestamp which can fail if:
1) The edits are within the granularity of the time stamp.
2) The sys-admin (or any bozo with sudo shell access) diddles the system
clock.
3) Daylight savings switchover (in most parts of the US).
4) Automatic NTP correction of the system time (pretty common in the Unix
server world).
(Under Windows 2000 it is possible for all the machines in a given
domain to periodically
sync their clocks with the PDC).
5) touch -r (although that's a bit of a pathological case)
6) Getting completely scrambled by a misbehaving samba servers. (Heh...no
flames
please. Just something I've seen happen.)
How often do these happen? I'd be willing to bet $50 that it is less often
than a 128bit or 160bit
digest routine duplicates. ;-)
Brian Huddleston
Huddleston Consulting
