Archived

This topic is now archived and is closed to further replies.

Message digesting - storing the fingerprint

This topic is 5174 days old which is more than the 365 day threshold we allow for new replies. Please post a new topic.

If you intended to correct an error in the post then please contact us.

Recommended Posts

I''m trying to implement some kind of message digesting for a data file in my program, in order to make sure that it hasn''t been modified. However, I''m not sure whether I fully understand the way it ought to be done. My current understanding is that you-
  • Digest the contents of the message you want to write to the file, creating a fingerprint
  • Store this fingerprint in a file (either the data file or a separate one)
  • Read in the message the next time the program runs, and digest it again, obtaining the "new" fingerprint
  • Read in the old fingerprint which was stored to the file
  • Compare the two fingerprints - if they''re the same, there''s an extremely good chance the file hasn''t been modified
Now, if that is indeed correct, then I am a little puzzled about the fingerprint. Basically, if the fingerprint is stored in a file, then couldn''t someone
  • Modify the file
  • Feed in this modified file into a program that generates a new fingerprint - this assumes he knows what algorithm I used to digest it (which will probably be MD5, and that''s a fairly standard algorithm)
  • Change the fingerprint I''ve stored in a file to this new fingerprint, thereby fooling the program into thinking nothing has been modified
I haven''t been able to see a way around this. I''ve tried searching for tutorials on making sure data hasn''t been modified, but they seem to be focussed more on data transmission via the internet, and stuff like public-key cryptography (which I don''t think is applicable for a stand-alone application - but let me know if that''s wrong too). I would be grateful if someone could point out a flaw in my understanding, or give me some advice as to how I would get around this.

Share this post


Link to post
Share on other sites
quote:
Original post by DarkAvenger
I''m trying to implement some kind of message digesting for a data file in my program, in order to make sure that it hasn''t been modified. However, I''m not sure whether I fully understand the way it ought to be done. My current understanding is that you-


  • Digest the contents of the message you want to write to the file, creating a fingerprint

  • Store this fingerprint in a file (either the data file or a separate one)

  • Read in the message the next time the program runs, and digest it again, obtaining the "new" fingerprint

  • Read in the old fingerprint which was stored to the file

  • Compare the two fingerprints - if they''re the same, there''s an extremely good chance the file hasn''t been modified






Absolute right

quote:


Now, if that is indeed correct, then I am a little puzzled about the fingerprint. Basically, if the fingerprint is stored in a file, then couldn''t someone


  • Modify the file

  • Feed in this modified file into a program that generates a new fingerprint - this assumes he knows what algorithm I used to digest it (which will probably be MD5, and that''s a fairly standard algorithm)

  • Change the fingerprint I''ve stored in a file to this new fingerprint, thereby fooling the program into thinking nothing has been modified



I haven''t been able to see a way around this. I''ve tried searching for tutorials on making sure data hasn''t been modified, but they seem to be focussed more on data transmission via the internet, and stuff like public-key cryptography (which I don''t think is applicable for a stand-alone application - but let me know if that''s wrong too).

I would be grateful if someone could point out a flaw in my understanding, or give me some advice as to how I would get around this.


If you are doing this for some sort of security, storing the fingerprint along with the data probably isn''t the most secure solution eh?
Having said that, the person would have to know what and where the fingerprint is. At first glance in a binary file I think it would be pretty hard to identify which 16-bytes are an MD5 signature!

You have many other options as to where to store the fingerprint - you have to choose the one that best suits you. You can further secure yourself by performing a hash _and_ a CRC-32 style checksum and storing both in different places. But again you will have the problem that if somebody finds where you''re storing them they could change them also.

These are problems that have always faced software licensing and such things, which is why software always manages to be hacked. The best solution is to do what Microsoft do with XP products, which is why it''s so unpopular!





"Absorb what is useful, reject what is useless, and add what is specifically your own." - Lee Jun Fan

Share this post


Link to post
Share on other sites
quote:
Original post by JY
You can further secure yourself by performing a hash _and_ a CRC-32 style checksum and storing both in different places.


That''s a good idea. I think I might do that.

quote:

But again you will have the problem that if somebody finds where you''re storing them they could change them also.


I guess there''s only so much you can do to make the program secure, but still, it''s a good idea.

Thanks !

Share this post


Link to post
Share on other sites
quote:
Original post by DarkAvenger


Now, if that is indeed correct, then I am a little puzzled about the fingerprint. Basically, if the fingerprint is stored in a file, then couldn''t someone


  • Modify the file

  • Feed in this modified file into a program that generates a new fingerprint - this assumes he knows what algorithm I used to digest it (which will probably be MD5, and that''s a fairly standard algorithm)

  • Change the fingerprint I''ve stored in a file to this new fingerprint, thereby fooling the program into thinking nothing has been modified



I haven''t been able to see a way around this. I''ve tried searching for tutorials on making sure data hasn''t been modified, but they seem to be focussed more on data transmission via the internet, and stuff like public-key cryptography (which I don''t think is applicable for a stand-alone application - but let me know if that''s wrong too).

I would be grateful if someone could point out a flaw in my understanding, or give me some advice as to how I would get around this.




You could always encrypt the finger print.

Share this post


Link to post
Share on other sites