hash-examples: Difference between revisions

m (→‎Existing Practices: add Brad Fitzpatrick sentence & link)
m (Replace <entry-title> with {{DISPLAYTITLE:}})
 
(29 intermediate revisions by 9 users not shown)
Line 1: Line 1:
= Hash Examples =
{{DISPLAYTITLE:Hash examples}}
A microformat for MD5 and SHA-1 hashes.
 
Research of real world examples of cryptographic [[hash|hashes]] on the web, such as MD5 and SHA-1, towards the development of a microformat per the [[process]]:
* [[hash-examples]]
* [[hash-formats]]
* [[hash-brainstorming]]


== The Problem ==
Checksums (MD5 & SHA-1 hashes) are offered for files to prove they haven't been tampered with and to uniquely identify them. They are very useful, but they are not used as much as they could be. The current method involves a manual process of hashing the downloaded file (with programs that are not installed by default on all operating systems) and then comparing the value to the one listed. An easy and automatic way to use them would be preferrable to present methods.
== Participants ==
== Participants ==
* Ant Bryan
* Ant Bryan
* Charles Iliya Krempeaux
* [http://stoneship.org/ Denis Defreyne]
== Real-World Examples ==
== Real-World Examples ==
Currently, MD5 and SHA-1 checksums are either listed on a webpage or email (see Example #1) or stored in a separate file such as (filename.ext.md5 or filename.ext.sha1) (see Example #2). There is no standard or automatic way to use them. Verifying a file after you have the hash is not complex, but it is more than the average user is used to doing (see [http://www.openoffice.org/dev_docs/using_md5sums.html OpenOffice.org: Using MD5 sums]).
Currently, MD5 and SHA-1 checksums are either listed on a webpage or email (see Example #1) or stored in a separate file such as (filename.ext.md5 or filename.ext.sha1) (see Example #2). There is no standard or automatic way to use them. Verifying a file after you have the hash is not complex, but it is more than the average user is used to doing (see [http://www.openoffice.org/dev_docs/using_md5sums.html OpenOffice.org: Using MD5 sums]). MD5 checksums are 32 digit hexadecimal numbers, while SHA-1 checksums are 40, and SHA-256 checksums are 64.
 
== Who offers MD5/SHA-1 checksums with software ==
This is only a small sampling.
*[http://httpd.apache.org/ Apache HTTP Server] in .md5 file from web.
*[http://www.cisco.com/ Cisco] MD5 for versions of IOS from Software Center on Cisco website.
*[http://developer.apple.com/darwin/ Darwin] MD5 on web.
*[http://fedora.redhat.com/ Fedora Project] SHA-1 on web and SHA1SUM file on ftp.
*[http://www.freebsd.org/ FreeBSD] on web and in CHECKSUM.MD5 and CHECKSUM.SHA256 files.
*[http://gcc.gnu.org/ GCC] on ftp as md5.sum file.
*[http://www.gentoo.org/ Gentoo] as .md5 file on ftp.
*[http://www.gnome.org/ GNOME] as MD5SUMS-for-gz and MD5SUMS-for-bz2 files on ftp.
*[http://www.gnupg.org/ GnuPG] SHA-1 on web.
*[http://www.kde.org/ KDE] on web and on ftp as MD5SUMS file.
*[http://www.knoppix.org/ Knoppix] in .md5 and .sha1 file.
*[http://www.mysql.com/ MySQL] MD5 on web.
*[http://www.openoffice.org/ OpenOffice.org] MD5 on web.
*[http://www.openssh.com/ OpenSSH] SHA-1 in release announcement.
*[http://www.openssl.org/ OpenSSL] .md5 and .sha1 files linked to from web.
*[http://www.perl.org/ Perl] link to .md5 on web.
*[http://www.postgresql.org/ PostgreSQL] in a .md5 file.
*[http://www.python.org/ Python] MD5 on web
*[http://www.ubuntu.com/ Ubuntu] as MD5SUMS on ftp.
*[http://www.x.org/ X.org] md5sums file on ftp.
 
=== Example #1: [http://download.openoffice.org/2.0.1/md5sums.html OpenOffice.org MD5 sums] ===
=== Example #1: [http://download.openoffice.org/2.0.1/md5sums.html OpenOffice.org MD5 sums] ===
<pre>
<pre>
Line 36: Line 65:


== Existing Practices ==
== Existing Practices ==
As described above, I believe almost all solutions are manual (see [http://www.openoffice.org/dev_docs/using_md5sums.html OpenOffice.org: Using MD5 sums]), an 8 step process on Windows and 3 steps on Linux. [http://mdhashtool.mozdev.org/lfinfo.html Link Fingerprints] which are used by [http://mdhashtool.mozdev.org/index.html MD Hash Tool], a Firefox extension, is one exception. Here is a Link Fingerprint example:
As described above, I believe almost all solutions are manual (see [http://www.openoffice.org/dev_docs/using_md5sums.html OpenOffice.org: Using MD5 sums]), an 8 step process on Windows and 3 steps on Linux. [http://mdhashtool.mozdev.org/lfinfo.html Link Fingerprints] which are used by [http://mdhashtool.mozdev.org/index.html MD Hash Tool], a very old Firefox extension, is one exception. Here is a Link Fingerprint example:


<pre>
<pre>
Line 42: Line 71:
</pre>
</pre>
A Link Fingerprint begins with a traditional URL, then #!md5!, then the MD5 hash.
A Link Fingerprint begins with a traditional URL, then #!md5!, then the MD5 hash.
[http://www.metalinker.org Metalinks] are an XML file format (.metalink) that contain mirrors and checksum information for downloading files. They are used by download programs/managers and mainly open source projects. After a download finishes, the checksum is automatically verified.


Brad Fitzpatrick also [http://brad.livejournal.com/2162507.html suggested referring to "files/patches/changesets" by their unique digest.]
Brad Fitzpatrick also [http://brad.livejournal.com/2162507.html suggested referring to "files/patches/changesets" by their unique digest.]


== Proposal ==
Some HTTP server applications compute a hash over the response body to serve as an effective ETag.  The server must still compute the body but can benefit from reduced network utilization and reduced downstream cache thrashing.  Such applications must be willing to risk a hash collision, albeit scoped to a single URL.
A microformat for MD5 and SHA-1 hashes could make them more usable. Maybe [http://mdhashtool.mozdev.org/index.html MD Hash Tool], another extension, or download managers could be modified to use them automatically.
 
Including a hash in a URL can lead to great cacheability, since the TTL can likely be set to an infinite value.  Such URLs are often referred to as ''versioned URLs''.
 
== media:hash in Yahoo Media RSS Module ==
 
Yahoo's [http://search.yahoo.com/mrss Media RSS Module] adds <code><media:hash></code> to RSS feed enclosures, like this:
 
<code><pre><media:hash algo="md5">dfdec888b72151965a34b4b59031290a</media:hash></pre></code>
 
== Related Pages ==
* [[hash]]
* [[hash-examples]]
* [[hash-formats]]
* [[hash-brainstorming]]

Latest revision as of 16:23, 18 July 2020


Research of real world examples of cryptographic hashes on the web, such as MD5 and SHA-1, towards the development of a microformat per the process:

Participants

Real-World Examples

Currently, MD5 and SHA-1 checksums are either listed on a webpage or in an email (see Example #1) or stored in a separate file such as filename.ext.md5 or filename.ext.sha1 (see Example #2). There is no standard or automatic way to use them. Verifying a file after you have the hash is not complex, but it is more than the average user is used to doing (see OpenOffice.org: Using MD5 sums). MD5 checksums are 32-digit hexadecimal numbers, while SHA-1 checksums are 40 digits and SHA-256 checksums are 64.

Who offers MD5/SHA-1 checksums with software

This is only a small sampling.

Example #1: OpenOffice.org MD5 sums

English Application Binaries

e0d123e5f316bef78bfdf5a008837577  OOo_2.0.1_LinuxIntel_install.tar.gz
35d91262b3c3ec8841b54169588c97f7  OOo_2.0.1_LinuxIntel_install_wJRE.tar.gz
cc273fe9d442850fa18c31c88c823e07  OOo_2.0.1_SolarisSparc_install.tar.gz
ff6626c69507a6f511cc398998905670  OOo_2.0.1_SolarisSparc_install_wJRE.tar.gz
ce099d7e208dc921e259b48aadef36c1  OOo_2.0.1_Solarisx86_install.tar.gz
4fb319211b2e85cace04e8936100f024  OOo_2.0.1_Solarisx86_install_wJRE.tar.gz
66bd00e43ff8b932c14140472c4b8cc6  OOo_2.0.1_Win32Intel_install.exe
2d86c4246f3c0eb516628bf324d6b9a3  OOo_2.0.1_Win32Intel_install_wJRE.exe

Example #2: Knoppix MD5 and SHA-1 sums in separate files

KNOPPIX_V4.0.2CD-2005-09-23-EN.iso.md5:

1188f67d48c9f11afb8572977ef74c5e *KNOPPIX_V4.0.2CD-2005-09-23-EN.iso

KNOPPIX_V4.0.2CD-2005-09-23-EN.iso.sha1:

56857cfc709d3996f057252c16ec4656f5292802 *KNOPPIX_V4.0.2CD-2005-09-23-EN.iso

Note: This directory also contains filename.ext.md5.asc and filename.ext.sha1.asc files containing the same checksums and PGP signatures in one file.

Existing Practices

As described above, I believe almost all solutions are manual (see OpenOffice.org: Using MD5 sums), an 8-step process on Windows and 3 steps on Linux. Link Fingerprints, which are used by MD Hash Tool, a very old Firefox extension, are one exception. Here is a Link Fingerprint example:

http://example.org/OOo_2.0.1_LinuxIntel_install.tar.gz#!md5!e0d123e5f316bef78bfdf5a008837577

A Link Fingerprint begins with a traditional URL, then #!md5!, then the MD5 hash.
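
The two published forms shown above (a checksum-file line and a Link Fingerprint) can be parsed and checked mechanically. The following is an added example, not code from the wiki or from MD Hash Tool; the function names are hypothetical, and it assumes the `#!algo!hex` shape shown for md5 also applies to sha1 and sha256.

```python
import hashlib
import hmac
import re

# Hex digest lengths as stated on this page.
DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64}

# Link Fingerprint: URL, then "#!<algo>!", then the hex hash (page shows md5 only).
_FINGERPRINT = re.compile(r"^(?P<url>[^#]+)#!(?P<algo>[a-z0-9]+)!(?P<hex>[0-9a-fA-F]+)$")
# Checksum-file line: hex digest, a space, " " (text) or "*" (binary), then the name.
_SUMLINE = re.compile(r"^(?P<hex>[0-9a-fA-F]+) [ *](?P<name>.+)$")


def _check(algo, hexdigest):
    """Reject unknown algorithms and digests of the wrong length."""
    if DIGEST_LEN.get(algo) != len(hexdigest):
        raise ValueError(f"bad {algo!r} digest of length {len(hexdigest)}")
    return algo, hexdigest.lower()


def parse_link_fingerprint(link):
    """Return (url, algo, hexdigest) for a fingerprinted link."""
    m = _FINGERPRINT.match(link)
    if not m:
        raise ValueError("no link fingerprint present")
    algo, digest = _check(m["algo"], m["hex"])
    return m["url"], algo, digest


def parse_sum_line(line):
    """Return (filename, algo, hexdigest); the algorithm is inferred from length."""
    m = _SUMLINE.match(line.strip())
    if not m:
        raise ValueError("not a checksum line")
    by_len = {n: a for a, n in DIGEST_LEN.items()}
    algo = by_len.get(len(m["hex"]))
    if algo is None:
        raise ValueError("unrecognised digest length")
    return m["name"], algo, m["hex"].lower()


def verify(data, algo, expected_hex):
    """Hash the downloaded bytes and compare with the published digest."""
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, expected_hex)
```

A match only shows that the bytes agree with the published digest, so the digest must come from a source the attacker cannot also alter. MD5 and SHA-1 are no longer collision-resistant, so use the SHA-256 value where a site publishes one.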

Metalink is an XML file format (.metalink) that contains mirror and checksum information for downloading files. Metalinks are used by download programs/managers and mainly by open source projects. After a download finishes, the checksum is automatically verified.

Brad Fitzpatrick also suggested referring to "files/patches/changesets" by their unique digest.

Some HTTP server applications compute a hash over the response body to serve as an effective ETag. The server must still compute the body but can benefit from reduced network utilization and reduced downstream cache thrashing. Such applications must be willing to risk a hash collision, albeit scoped to a single URL.

Including a hash in a URL can lead to great cacheability, since the TTL can likely be set to an infinite value. Such URLs are often referred to as versioned URLs.

media:hash in Yahoo Media RSS Module

Yahoo's Media RSS Module adds <media:hash> to RSS feed enclosures, like this:

<media:hash algo="md5">dfdec888b72151965a34b4b59031290a</media:hash>

Related Pages