# Re: Differences between Fingerprint, MessageDigest and Hash-Value of a document?

From: David W. Hodgins (dhodgin1661_at_nomail.afraid.org)
Date: 07/07/05

```Date: Wed, 06 Jul 2005 19:45:16 -0400

```

On Wed, 06 Jul 2005 08:03:22 -0400, Marcus Mackler <mmecky@yahoo.com> wrote:

> When I read some tutorials and articles about the topic it seems to me that these three
> expressions are often mixed resp. used synonymously.
> Or are there any differences in the meaning ?

I'm no expert, but here's my 2¢ worth...

Fingerprint - anything shorter than a copy of the document, that can be used to verify
that the document has not been altered. With pgp, the standard use of a fingerprint,
is to verify that the key is the correct one. For example, I could read the fingerprint
of my key to you, over the phone, so that you could verify you have a real copy of my
public key. Being much shorter, it would be much easier to read the fingerprint, rather
then all of the digits in the key itself.

Hash-value - The result of using a hash algorithm to process a value, or set of values.

A hash algorithm is any mathamatical formula used to translate one value, or set of
values to another. Most hash values are used to produce a smaller number of possible
values. For example, lets say you have a database, where you want to be able to
directly access records based on a 20 character name. Even if you limit the accecpted
characters to uppercase letters and spaces, that would be 2 to the power of 27 possible
values, or 134,217,728 records. You know you won't have every possible name in the
database. In order to save space, you need some method, to translate the names that
are used, into a record number. That's where the hash algorithm comes in. With pgp,
the two choices of hash algorithms used are MD5 (Message Digest 5), and SHA1 (Secure
Hash Algorithm 1). Both formulas are used to convert unknown length documents into
128-bit numbers. Both are one way hashes, meaning it's impossible to determine the
correct document contents, from just the hash value.

For pgp, one major concern is, given a document and it's hash value, how hard is it
to produce another document, that will produce the same hash value, and still appear
to be a valid document. I'll leave it to the experts to explain how hard it is.

For details on MD5 see http://www.faqs.org/rfcs/rfc1321.html
For SHA-1 see http://www.itl.nist.gov/fipspubs/fip180-1.htm

Regards, Dave Hodgins

```--
Change nomail.afraid.org to rogers.com to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
```