How reliable is md5

Status
Not open for further replies.

chesss

Contributor
Does anyone know how reliable md5 is for checking the integrity of iso files?

Here is what Wikipedia has to say about it
In 2007 a group of researchers including Arjen Lenstra described how to create a pair of files that share the same MD5 checksum.[4] In an attack on MD5 published in December 2008, a group of researchers used this technique to fake SSL certificate validity.[5][6] US-CERT of the U. S. Department of Homeland Security said MD5 "should be considered cryptographically broken and unsuitable for further use,

So is it possible that the win7 RTM edition that I downloaded could be a modified version, even if the md5 matches up?
 
No, because as your wiki post indicates it was only a cert that was faked.

If they fake your iso it won't work :)
 
Yes you can but fooling the checksum to match involves modifying the ISO itself and will corrupt it. I'm assuming this would be the easiest way. What would the purpose be, to put some malware in, now you need to mask that somehow and then pack it up into an ISO which would pass the checksum, computationally much harder I think and lower probability.
 
Yes you can but fooling the checksum to match involves modifying the ISO itself and will corrupt it. I'm assuming this would be the easiest way. What would the purpose be, to put some malware in, now you need to mask that somehow and then pack it up into an ISO which would pass the checksum, computationally much harder I think and lower probability.

True,..

Creating a pair of files from scratch to match one MD5 will be one thing. Creating one file to match the MD5 of an existing file would be something else altogether.

So, there's a horribly low chance that for a given ISO with an MD5, another ISO can be crafted to match the same ISO without having the freedom to play with the original ISO.
 
Yes, but if the source he pulls the iso from does not offer SHA, it's not an option.

My guess is this is an open source ISO mirrored on many sites and md5 is the default method to test integrity.
 
Yes you can but fooling the checksum to match involves modifying the ISO itself and will corrupt it.
ok yes, that makes sense, thanks

My guess is this is an open source ISO mirrored on many sites and md5 is the default method to test integrity.
It's actually Windows 7 picked up from torrent. Since it was giving me problems I wondered if it could have been doctored...
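
An added example, not part of the thread: one way to check a downloaded image against every checksum its publisher lists (MD5, and SHA-256 where offered) in a single pass over the file. The function names and the three-byte stand-in file are assumptions made for illustration. A match only shows the file equals whatever the checksum list describes, so the list itself has to come from a source you trust.

```python
import hashlib
import hmac
import os
import tempfile


def file_digests(path, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Read the file once in chunks and return {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def verify_image(path, published):
    """Compare the file against published digests; return {algorithm: bool}."""
    actual = file_digests(path, tuple(published))
    return {
        name: hmac.compare_digest(actual[name], expected.strip().lower())
        for name, expected in published.items()
    }


def demo():
    """Constructed sample: a tiny stand-in file, not a real ISO."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.iso")
        with open(path, "wb") as fh:
            fh.write(b"abc")
        # Stands in for the checksum list a publisher would provide.
        published = file_digests(path)
        intact = verify_image(path, published)
        # Simulate a damaged or altered download by appending one byte.
        with open(path, "ab") as fh:
            fh.write(b"\x00")
        damaged = verify_image(path, published)
    return published, intact, damaged


if __name__ == "__main__":
    published, intact, damaged = demo()
    print("published:", published)
    print("intact copy:", intact)
    print("damaged copy:", damaged)
```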
 