On 2015-08-07 15:54:26 +0200, Antonio Diaz Diaz wrote:
> I have no experience at all rigging tarballs, but it took me just
> minutes to obtain two xz compressed tarballs with very different
> contents that match in size and sum(1). I did it just with an
> editor, ddrescue and data from /dev/urandom, by brute force, without
> any knowledge about the algorithm of sum. And I did it not once, but
> twice.

sum(1) just gives a 16-bit checksum! So, it suffices to generate
N*65536 random compressed tarballs to get around N collisions with a
given file. Then the only problem is to get the right size, but if one
has random input, it is (almost) not compressible, so that one will
get "almost" the same size for each tarball. By controlling how
compression is done to reach the right size, this should even be
easier.

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
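
The 16-bit argument above, as an added example that is not part of the original message: two different inputs of equal size pass a size-plus-sum(1) comparison after roughly 65536 random draws, while SHA-256 still tells them apart. It assumes the BSD rotating algorithm (the default of GNU `sum`); the function names, the 16-byte blobs and the seed are constructed for illustration.

```python
import hashlib
import random

def bsd_sum(data: bytes) -> int:
    """16-bit rotating checksum (BSD algorithm, assumed here for sum(1))."""
    checksum = 0
    for byte in data:
        # Rotate the 16-bit accumulator right by one bit, then add the byte.
        checksum = (checksum >> 1) | ((checksum & 1) << 15)
        checksum = (checksum + byte) & 0xFFFF
    return checksum

def find_same_sum(target: bytes, rng: random.Random, max_trials: int = 2_000_000):
    """Draw random blobs of len(target) until one shares target's checksum.

    Returns (blob, trials). With only 65536 possible checksum values, a
    match is expected after about 65536 draws.
    """
    want = bsd_sum(target)
    size = len(target)
    for trials in range(1, max_trials + 1):
        blob = rng.getrandbits(size * 8).to_bytes(size, "big")
        if blob != target and bsd_sum(blob) == want:
            return blob, trials
    raise RuntimeError("no match within max_trials")

def integrity_report(a: bytes, b: bytes) -> dict:
    """Compare two inputs the weak way (size + sum) and with SHA-256."""
    return {
        "same_size": len(a) == len(b),
        "same_sum": bsd_sum(a) == bsd_sum(b),
        "same_sha256": hashlib.sha256(a).digest() == hashlib.sha256(b).digest(),
    }

if __name__ == "__main__":
    rng = random.Random(2015)  # constructed seed, for repeatable output
    # Constructed stand-in for the published file's contents.
    target = rng.getrandbits(128).to_bytes(16, "big")
    other, trials = find_same_sum(target, rng)
    print(f"matching size and sum after {trials} draws (about 65536 expected)")
    print(integrity_report(target, other))
```

A verification step that compares only size and sum(1) reports these two inputs as identical; comparing a cryptographic digest such as SHA-256 does not.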