MD5 Algorithm Introduction:
MD5's full name is Message-Digest Algorithm 5. The algorithm processes information of arbitrary length bit by bit and produces a binary value 128 bits long (32 hexadecimal characters), called a "fingerprint" (or "message digest"). The likelihood that different files will produce the same message digest is very, very small.
The message digest algorithm MD5 is a hash function widely used in the field of computer security. It is often used to verify the integrity of files transferred over a network and to prevent files from being tampered with. It is a complex mathematical algorithm that yields a 128-bit value: no matter how big the source file is, its value is 128 bits, and if the file changes even a little, the MD5 value will be very different.
On Linux or UNIX, md5sum is the tool used to calculate and verify file digests. In general, md5sum is already present after Linux is installed and can be run directly from a command-line terminal.
Command format:
Calculate the checksum of a file:
md5sum File > File.md5
When we download a file from the Internet (an RPM package, an ISO file, or a source code package) and want to determine whether it has been modified, we can put the downloaded file File and its digest file File.md5 in the same directory (for an RPM or source package, the corresponding digest file is available from the official web site) and run the command below. (Note: -c validates the existing file against the previously generated MD5 value.)
md5sum -c File.md5
Then, if the validation succeeds, md5sum reports the file as correct (in an English locale the output is "File: OK").
Application Examples:
Generally, when we suspect that a system has been tampered with or intruded upon, we look through the logs for information. Skilled intruders, however, will generally clear the logs of their intrusion. What can we do then? Think about what an intruder must do: they will certainly modify some of the system's key files and programs and then use them to execute their own programs. So we can check whether our key programs and files have been modified to determine whether there has been an intrusion.
How do we do that? We can compute the MD5 values of the system's key files and programs and back them up to another, secure computer. When we suspect an intrusion, we compute the MD5 values of these key files and programs again, save them to another file, and then compare the two files. Any differences give us some clues. (This can be implemented with a script.)
The following are important files:
/etc/passwd
/etc/shadow
/etc/group
/usr/bin/passwd
/sbin/portmap
/bin/login
/bin/ls
/bin/ps
/usr/bin/top
Note: files with the same content have the same MD5 value. If you copy a file and then compute the MD5 of the copy, the value is the same as for the original, even though the file name differs, because the content is the same.
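The baseline-and-compare check described above, as an added example that is not part of the original article. The function names snapshot and changed_files and the KEY_FILES variable are assumptions, and the demo uses constructed files in a temporary directory instead of the real system paths.

```shell
#!/bin/sh
# Baseline-and-compare integrity check with md5sum (added example).
# KEY_FILES defaults to the article's list; paths must not contain spaces.
KEY_FILES="${KEY_FILES:-/etc/passwd /etc/shadow /etc/group /usr/bin/passwd /sbin/portmap /bin/login /bin/ls /bin/ps /usr/bin/top}"

# snapshot OUT: write one "digest  path" line per key file. Unreadable or
# absent files are recorded as MISSING so that a deleted file also shows up.
snapshot() {
    : > "$1"
    for f in $KEY_FILES; do
        if [ -r "$f" ]; then
            md5sum "$f" >> "$1"
        else
            printf 'MISSING  %s\n' "$f" >> "$1"
        fi
    done
}

# changed_files BASELINE: take a fresh snapshot and print every path whose
# line differs from the baseline (modified, removed, or newly appeared).
changed_files() {
    now=$(mktemp) || return 2
    snapshot "$now"
    # Lines that occur in only one of the two snapshots mark a difference.
    sort "$1" "$now" | uniq -u | awk '{print $2}' | sort -u
    rm -f "$now"
}

# demo: constructed sample files stand in for the real system files.
demo() {
    dir=$(mktemp -d) || return 2
    printf 'root:x:0:0::/root:/bin/sh\n' > "$dir/passwd"
    printf 'echo original\n' > "$dir/ls"
    KEY_FILES="$dir/passwd $dir/ls"
    snapshot "$dir/baseline.md5"         # in practice, copy this to another host
    printf 'echo modified\n' > "$dir/ls" # simulate a changed program
    changed_files "$dir/baseline.md5"    # prints only the path of the changed file
    rm -rf "$dir"
}

demo
```

On a real system, run snapshot as root (/etc/shadow is not world-readable) and keep the baseline file on another, secure computer, as described above.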