
Re: MD5 Collisions and Evidence Integrity

Subject: Re: MD5 Collisions and Evidence Integrity
Date: Sun, 28 Nov 2004 23:58:49 -0800 (PST)
When I look at this, I get totally different results. First, there
are several differences between the files (not just the one that
your cmp command shows). Second, the MD5s are not only different,
they don't match the calculation you provide....

You are correct that cmp isn't the best way to compare these files,
but even if you do count in all the differences, it is hard for
me to (at this point) see how this is really that bad.  Sure, the
files differ, but look how:

< 0000020: 3266 6361 6235 3837 3132 3436 3765 6162  2fcab58712467eab
0000020: 3266 6361 6235 3037 3132 3436 3765 6162  2fcab50712467eab

                           8 = 1000 binary
                           0 = 0000 binary

< 0000050: 3833 6534 3838 3833 3235 3731 3431 3561  83e488832571415a
0000050: 3833 6534 3838 3833 3235 6631 3431 3561  83e4888325f1415a

                                    37 = 0011 0111 binary
                                    66 = 0110 0110 binary

< 0000070: 6439 3164 6264 6632 3830 3337 3363 3562  d91dbdf280373c5b
0000070: 6439 3164 6264 3732 3830 3337 3363 3562  d91dbd7280373c5b

                          66 = 0110 0110 binary
                          37 = 0011 0111 binary

< 00000a0: 6464 3533 6532 6234 3837 6461 3033 6664  dd53e2b487da03fd
00000a0: 6464 3533 6532 3334 3837 6461 3033 6664  dd53e23487da03fd

                          62 = 0110 0010 binary
                          33 = 0011 0011 binary

< 00000d0: 6365 3534 6236 3730 3830 6138 3064 3165  ce54b67080a80d1e
00000d0: 6365 3534 6236 3730 3830 3238 3064 3165  ce54b67080280d1e

                                    61 = 0110 0001 binary
                                    32 = 0011 0010 binary

< 00000f0: 3936 6639 3635 3262 3666 6637 3261 3730  96f9652b6ff72a70
00000f0: 3936 6639 3635 6162 3666 6637 3261 3730  96f965ab6ff72a70

                          32 = 0011 0010 binary
                          61 = 0110 0001 binary

Total bytes in file:        128
Total bytes differing:        6

Total bits in file:        1024
Total bits differing:        18

(Unless I counted wrong, that is.)

These are 1024 bit binary files, too, not ASCII text.  It would be
really interesting to see someone show how two hard drive images (or
even hashed blocks within a hard drive partition) could be modified
such that they allow one to plant evidence that falsely proves that
the victim was killed by Col. Mustard in the Library with a
Candlestick, while having the same MD5 hashes for both that full
hard drive and each block.

By the way, you can always double-up hashes using the OpenSSL tools:

$ openssl dgst -md5 1.bin 2.bin
MD5(1.bin)= 79054025255fb1a26e4bc422aef54eb4
MD5(2.bin)= 79054025255fb1a26e4bc422aef54eb4
$ openssl dgst -sha1 1.bin 2.bin
SHA1(1.bin)= a34473cf767c6108a5751a20971f1fdfba97690a
SHA1(2.bin)= 4283dd2d70af1ad3c2d5fdc917330bf502035658
$ openssl dgst -ripemd160 1.bin 2.bin
RIPEMD160(1.bin)= 5b7e463089d2f19c823939f1b7ba17717d7e12cf
RIPEMD160(2.bin)= 87f5aecc2f01f1809cd55b7f4a81ced5e4a186e1

--
Dave Dittrich                           Information Assurance Researcher,
dittrich@u.washington.edu               The iSchool
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE97 0C57 0843 F3EB 49A1  0CD0 8E0C D0BE C838 CCB5
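
The cross-check described in the message above, as an added example that is not part of the original post: it parses `openssl dgst` output (the digest lines are copied from the message) and flags a file pair whose digests agree under one algorithm but not the others. The function names, the verdict labels and the use of SHA-256 in `multi_digest` are assumptions of this example.

```python
import hashlib
import re
from collections import defaultdict

# Digest lines copied from the openssl output in the message above.
OPENSSL_OUTPUT = """\
MD5(1.bin)= 79054025255fb1a26e4bc422aef54eb4
MD5(2.bin)= 79054025255fb1a26e4bc422aef54eb4
SHA1(1.bin)= a34473cf767c6108a5751a20971f1fdfba97690a
SHA1(2.bin)= 4283dd2d70af1ad3c2d5fdc917330bf502035658
RIPEMD160(1.bin)= 5b7e463089d2f19c823939f1b7ba17717d7e12cf
RIPEMD160(2.bin)= 87f5aecc2f01f1809cd55b7f4a81ced5e4a186e1
"""

# One line of `openssl dgst` output: ALGO(filename)= hexdigest
LINE = re.compile(r"^([A-Za-z0-9-]+)\((.+)\)= ([0-9a-f]+)$")


def parse_dgst(text):
    """Return {filename: {ALGORITHM: hexdigest}} from `openssl dgst` output."""
    table = defaultdict(dict)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            algo, name, digest = m.groups()
            table[name][algo.upper()] = digest
    return dict(table)


def compare(a, b):
    """Classify two digest sets over the algorithms they have in common."""
    common = sorted(set(a) & set(b))
    if not common:
        raise ValueError("no algorithm in common")
    same = [alg for alg in common if a[alg] == b[alg]]
    differ = [alg for alg in common if a[alg] != b[alg]]
    if not differ:
        verdict = "match"
    elif not same:
        verdict = "mismatch"
    else:
        # Agreement under some algorithms only: the inputs differ and the
        # agreeing algorithm(s) collided.
        verdict = "collision-suspect"
    return verdict, same, differ


def multi_digest(data, algorithms=("md5", "sha1", "sha256")):
    """Hash one buffer with several algorithms (sha256 is this example's choice)."""
    return {alg.upper(): hashlib.new(alg, data).hexdigest() for alg in algorithms}
```
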
