What are the differences between "md5sum" and "sha256sum"?

Why do we need two tools for verifying an ISO? Are there any specific things to consider between them?


Short answer: For verifying ISOs, there is no practical difference, use whichever you want, as long as you trust the source providing the sums. MD5 is/used to be the standard, but the computing world is moving towards adopting SHA since it is newer and "better" for the future; hence, SHA sums are often provided as an alternative.

  • md5sum and sha256sum are programs which implement the MD5 and SHA-256 hash algorithms respectively
  • In general, a hash algorithm takes an input of any (arbitrary) length and runs mathematical computations on it to produce a relatively small, fixed-length output, called a "hash" (or "sum")
  • Verifying data integrity (e.g. ISOs) is only one of the many uses for hashes
  • The primary difference between the older MD5 and the newer SHA-256 hashes is that MD5 produces a 128-bit output while SHA-256 produces a 256-bit output
  • For verifying data (ISOs) to work, the hash of the data must effectively be unique, so that no other data produces the same MD5 sum or SHA-256 sum.
    • In theory, this is possible, i.e. two sets of input data produce the same output hash, called a "collision".
    • The chance of such collisions is lower with SHA-256 compared to MD5 because its 256-bit hash is double the size of MD5's 128-bit hash.
    • In practice, the chance of a collision when verifying ISOs, even with MD5, is zero given the 100+ MB size of ISOs.
  • Still, since the computing world is moving towards SHA because it is a newer and "better" hash for the future, ISO checksums are often provided in multiple formats.

From the How To SHA256 SUM page:

The program sha256sum is designed to verify data integrity using the SHA-256 (SHA-2 family with a digest length of 256 bits). SHA-256 hashes used properly can confirm both file integrity and authenticity. SHA-256 serves a similar purpose to a prior algorithm recommended by Ubuntu, MD5, but is less vulnerable to attack. In terms of security, cryptographic hashes such as SHA-256 allow for authentication of data obtained from insecure mirrors.

From the How to MD5SUM page:

The program md5sum is designed to verify data integrity using the MD5 (Message-Digest algorithm 5) 128-bit cryptographic hash. MD5 hashes used properly can confirm both file integrity and authenticity. The MD5 hash must be signed or come from a secure source (an HTTPS page) of an organization you trust. While security flaws in the MD5 algorithm have been uncovered, MD5 hashes are still useful when you trust the organization that produces them.

Basically, it is a measure of security concern. If you are using unofficial mirrors for downloading the ISOs, then probably both can be used to ensure the integrity of the file.
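
As an added example (not part of either answer above): a shell function that checks a downloaded file against a published checksum list and picks md5sum or sha256sum from the digest length, 32 hex characters for MD5's 128 bits and 64 for SHA-256's 256 bits. The name verify_sum, its exit codes and the sample file are constructed for illustration.

```shell
#!/bin/sh
# verify_sum FILE SUMSFILE   (hypothetical helper, not a standard tool)
# Returns: 0 = digest matches, 1 = mismatch,
#          2 = file not listed, 3 = unrecognised digest length.
verify_sum() {
    file=$1
    sums=$2
    name=$(basename "$file")

    # Checksum lists use "<hex>  <name>" (text) or "<hex> *<name>" (binary),
    # so the name always starts two characters after the digest.
    expected=$(awk -v n="$name" \
        'substr($0, length($1) + 3) == n { print tolower($1); exit }' "$sums")
    [ -n "$expected" ] || return 2

    # Choose the tool from the digest length in the published list.
    case ${#expected} in
        32) tool=md5sum ;;      # MD5: 128 bits
        64) tool=sha256sum ;;   # SHA-256: 256 bits
        *)  return 3 ;;
    esac

    actual=$("$tool" "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Constructed sample data: a small stand-in "ISO" and two checksum lists.
tmp=$(mktemp -d)
printf 'constructed sample image\n' > "$tmp/sample.iso"
(cd "$tmp" && md5sum sample.iso > MD5SUMS && sha256sum sample.iso > SHA256SUMS)

for list in MD5SUMS SHA256SUMS; do
    if verify_sum "$tmp/sample.iso" "$tmp/$list"; then
        echo "$list: OK"
    else
        echo "$list: FAILED (status $?)"
    fi
done
```

A match only shows the file agrees with the list; as the quoted pages say, the list itself must come from a source you trust.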