- old school security

On 26 Apr 2007 at 10:40, der Mouse wrote: Not that long ago, I was asked to defend a scheme of convolved checksums and hashes that I used to protect a rather long data file which would be used in legal actions. This was not a case of detecting errors; it was also a case of detecting attempts at intentional manipulation. It was amazing to hear the "experts" proclaim that if just discarded the more involved (and harder to manipulate) scheme with a single SHA or MD5 hash, the file would be virtually bullet proof from any attempts at manipulation and be much simpler to work with. My response was that while such hashes do a good job of enabling one to detect simple errors, we were dealing with a horse of different color. My data file had no length or content that could be known in advance. Simply adding an extra record or two to make the hash "come out right" would be all that was required. Convolved hashes, while not bulletproof, are considerably more difficult to manipulate, particularly if one doesn't know where to begin looking for them and what they are within the file. But it was surprising to witness the pronoucement by people who had set themselves up as "experts" made me very cynical about what it took to be an expert. I later witnessed this when I was called on to serve as editor on a technical book. The author was pretty much dumb as a stump--he made extensive use of others' contributions and thereby gained a reputation as an expert himself. Cheers, Chuck