Is a SHA checksum enough to verify integrity and authenticity?

This is a broader question but here a concret example:

From https://www.apache.org/info/verification.html :

File hashes are used to check that a file has been downloaded correctly. They do not provide any guarantees as to the authenticity of the file.

I don’t understand this part: They do not provide any guarantees as to the authenticity of the file.

The checksum used is from a trusted HTTPS source (Eg: https://downloads.apache.org/tomcat/tomcat-8/v8.5.56/bin/apache-tomcat-8.5.56.zip.sha512).

How a file can not be authentic if it match a checksum from a HTTPS trusted source?

Or do I miss something and I still need to validate with a GPG key?

How to numerically verify that principal value?

Mathematica finds

Integrate[Exp[I*s]/(1 + s/(s^2 - 1)^2), {s, -Infinity, Infinity}, PrincipalValue -> True] // ToRadicals (*A huge closed-form expression which is omitted here.*) N[%] (*-1.414 + 0.192275 I*) 

The use of the principal value is grounded by the plots

Plot[{Cos[s]/(1 + s/(s^2 - 1)^2),Sin[s]/(1 + s/(s^2 - 1)^2)},{s,-5,5},WorkingPrecision->30,PlotPoints -> 50] 

enter image description here

It’s clear that the integrand has its real singularities at the real roots of the denominator, so

sol = Reduce[1 + s/(s^2 - 1)^2 == 0, s, Reals] // ToRadicals;  sol[[1]][[2]] (*-(1/(2 Sqrt[3/(4 + (155/2 - (3 Sqrt[849])/2)^(1/3) + (1/2 (155 + 3 Sqrt[849]))^(1/3))]))  -  1/2 Sqrt[8/3 - 1/3 (155/2 - (3 Sqrt[849])/2)^(1/3) -  1/3 (1/2 (155 + 3 Sqrt[849]))^(1/3) +     2 Sqrt[3/( 4 + (155/2 - (3 Sqrt[849])/2)^(1/3) + (1/2 (155 + 3 Sqrt[849]))^(  1/3))]]*)  N[%] (*-1.49022*)  sol[[2]][[2]] (*-(1/(2 Sqrt[3/(4 + (155/2 - (3 Sqrt[849])/2)^(1/3) + (1/2 (155 + 3 Sqrt[849]))^(1/3))])) +  1/2 Sqrt[8/3 - 1/3 (155/2 - (3 Sqrt[849])/2)^(1/3) -   1/3 (1/2 (155 + 3 Sqrt[849]))^(1/3) + 2 Sqrt[3/( 4 + (155/2 - (3 Sqrt[849])/2)^(1/3)+(1/2 (155 + 3 Sqrt[849]))^( 1/3))]]*) 

However, I have doubts concerning the obtained principal value because the integrand asymptotically equals $ \exp(is)$ as $ s\to \infty$ and $ s\to -\infty$ and $ $ PV\int_{-\infty}^\infty \exp(is)\,ds $ $ does not exist.

In view of it I try to verify it numerically through

NIntegrate[Exp[I*s]/(1+s/(s^2-1)^2),{s,-Infinity, -(1/(2 Sqrt[3/(4+(155/2-(3 Sqrt[849])/2)^(1/3)+(1/2 (155+3 Sqrt[849]))^(1/3))]))- 1/2 Sqrt[8/3-1/3 (155/2-(3 Sqrt[849])/2)^(1/3)-1/3 (1/2 (155+3 Sqrt[849]))^(1/3)+ 2 Sqrt[3/(4+(155/2-(3 Sqrt[849])/2)^(1/3)+(1/2 (155+3 Sqrt[849]))^(1/3))]], -(1/(2 Sqrt[3/(4+(155/2-(3 Sqrt[849])/2)^(1/3)+(1/2 (155+3 Sqrt[849]))^(1/3))]))+ 1/2 Sqrt[8/3-1/3 (155/2-(3 Sqrt[849])/2)^(1/3)-1/3 (1/2 (155+3 Sqrt[849]))^(1/3)+ 2 Sqrt[3/(4+(155/2-(3 Sqrt[849])/2)^(1/3)+(1/2 (155+3 Sqrt[849]))^(1/3))]],Infinity}, Method->"PrincipalValue",AccuracyGoal->3,PrecisionGoal->3,WorkingPrecision->50] 

which results in the error message

NIntegrate::ncvb: NIntegrate failed to converge to prescribed accuracy after 9 recursive bisections in s near {s} = {3.7749613270651398879039428756113970426387939277790*10^28}. NIntegrate obtained 8.8211977939280824575415993952100374290963331174834*10^47 I and 9.1940327832901306869987159913883594088789773626283`50.*^47 for the integral and error estimates.

and

 (*-2.6098684408162971553635553440779848277629513026488*10^49 +   8.8211977939280824575415993952100374290963331174789*10^47 I*) 

Constructive suggestions are welcome.

Can you verify a word’s position in an enumeration faster than performing the enumeration?

Pt 1. Given as input the tuple: (word, natural number)–does there exist a verifier, that runs faster than a fixed enumerator, that can accept if the word is in the position of the natural number in the enumeration by the fixed enumerator, and reject if it is not?

I suspect the answer is no. In that case…

Pt 2. Is there a way to get around this by adding a “tagging” function to the enumerator so that a verifier can be given something like (word#tag, natural number) so that it almost immediately knows, from the tag, if the word is in the position of the natural number (do there exist such ‘modified languages’) AND IT CAN’T BE FOOLED! Of course you can stick a natural number onto a word, but how can you do this so the verifier can BE SURE you aren’t lying…? Trying to figure out a way to tag the words (or generate a description for the words in a language (modify the language being enumerated/the enumerator)) so that stuck on to the words enumerated is the positions their the enumeration, and this information is reliable and can be verified quickly.

Any ideas? 🙂

Must a decision problem in $NP$ have a complement in $Co-NP$, if I can verify the solutions to in polynomial-time?

Goldbach’s Conjecture says every even integer $ >$ $ 2$ can be expressed as the sum of two primes.

Let’s say $ N$ is our input and its $ 10$ . Which is an integer > 2 and is not odd.

Algorithm

1.Create list of numbers from $ 1,to~N$

2.Use prime-testing algorithm for creating a second list of prime numbers

3.Use my 2_sum solver that allows you to use primes twice that sum up to $ N$

for j in range(list-of-primes)):   if N-(list-of-primes[j]) in list-of-primes:    print('yes')    break 

4.Verify solution efficently

if AKS-primality(N-(list-of-primes[j])):     if AKS-primality(list-of-primes[j]):         print('Solution is correct') 

5.Output

yes 7 + 3 Solution is correct 

Question

If the conjecture is true, then the answer will always be Yes. Does that mean it can’t be in $ Co-NP$ because the answer is always Yes?

How do I verify a signature using DSA and my own “y” value in Python?

I have to verify a signature using DSA FIPS 186-2 (I know it is not used anymore, but I need to make it work for a legacy system). My problem is I have the “y” DSA value, but I cannot work out how I can feed that into the Python code to create my own public key from the “y” value and then apply the verify.

For example below is what I have, but instead of generating a NEW key, I need to use my existing value?

from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives import hashes from cryptography.hazmat.primitives.asymmetric import dsa from cryptography.exceptions import InvalidSignature  private_key = dsa.generate_private_key(      key_size=1024,      backend=default_backend() ) data = b"this is some data I'd like to sign" signature = private_key.sign(      data,      hashes.SHA1() )  public_key = private_key.public_key()  try:     public_key.verify(              signature,              data,              hashes.SHA1()) except InvalidSignature:     print ("Invalid") 

How could I verify that a contract was actually sent to me from the client as soon as the contract is received?

If I want to store electronic contracts for clients over a long period of time. I need to make sure that those files are not readable by anyone other than the client until the client retrieves them at a later time. But, I do need to be able to verify that a contract was actually sent to me from the client as soon as the contract is received. How could this be done? what would the client do, and what algorithms would they use? What would I do, and what algorithms would I use?

Openssl cms verify signature with timestamp and crl

I’ve used openssl cms to sign the data and generate the detached signature. As per my requirements I need to timestamp the signature as well, so that if the certificate expired, verification of signature can be done. Generated timestamp is also in detached format. I’ve also generate the CRL after revoking the certificate.

NOTE: For testing purpose I’ve created my own CA authority using openssl

For signing data:

openssl cms -sign -binary -in test_data.tgz -md5 sha256 -signer my-cert.pem -inkey my-cert.key -out test_data.cms -outform DER

For timestamping signature: (Used freetsa.org as a TSA authority)

openssl ts -query -data test_data.cms -no_nonce -sha256 -cert -out test_data.tsq curl -H "Content-Type: application/timestamp-query" --data-binary '@test_data.tsq' https://freetsa.org/tsr > test_data.tsr

Now for the verification part as per my understanding from RFC3161 (https://tools.ietf.org/html/rfc3161#page-20) following procedure can be used to verify the authenticity of the digital signature.

  1. Verify timestamp token:

    openssl ts -verify -in test_date.tsr -queryfile date_tsr.tsq -CAfile cacert.pem -untrusted tsa.crt

    openssl ts -verify -data test_data.cms -in test_data.tsr -CAfile cacert.pem -untrusted tsa.crt

  2. Fetch the timestamp:

    openssl ts -reply -in test_date.tsr -text

    Time stamp: Apr 24 13:09:25 2020 GMT (Example)

  3. Convert timestamp to Unix epoch time:

    date -d “Apr 24 13:09:25 2020 GMT” +%s

    1587733765

  4. Verify the signature againt timestamp and the certificates via openssl cms

    openssl cms -verify -binary -verify -in test_data.cms -content test_data -CAfile ca-chain.cer -inform DER -out /tmp/tmp.data -attime 1587733765

Everything works until crl (Certificate revocation list) comes into the picture. What I know is that If the certificate (my-cert.pem in this case) has been revoked and if the “Invalidity Date” is after the timestamp date, the signature should still be valid. But with openssl cms -verify its not working as expected or it is not supported.

  1. Revoke certificate:

    openssl ca -config openssl.conf -revoke my-cert.pem -crl_reason key -crl_reason keyCompromise -crl_compromise 20200422140925Z

    Compromise date is after timestamp date.

  2. Verify the signature with crl and timestamp

    openssl cms -verify -binary -verify -in test_data.cms -content test_data -CAfile ca-chain.cer -inform DER -out /tmp/tmp.data -attime 1587733765 -crl_check

    output: CRL is not yet valid

I think openssl is comparing the “Last Update” date of CRL instead of “Invalidity date” with the date mentioned in -attime argument, i.e. 1587733765 dues to which it shows “CRL is not yet valid”.

  1. Removing “-attime”

    openssl cms -verify -binary -verify -in test_data.cms -content test_data -CAfile ca-chain.cer -inform DER -out /tmp/tmp.data -crl_check

    Output: Certificate revoked

So how do I verify the signature with CRL and timestamp in openssl cms? The only way I see is to fetch the “Invalidity Date” manually from CRL and compare with timestamp and act accordingly.

Using Expand, Guess, Verify to solve the following recurrence relation

Hello and thanks to those who bothered reading! I am trying to solve the following recurrence relation, $ S(n) = S(n-1) + (2n-1)$ , with the following base case: $ S(1) = 1$ .

I already used the Solution Formula and got the closed form solution $ 1^n + n^2 – 1$ , but for the expansion part I am having trouble with the $ g(n)$ term. Perhaps even my solution formula answer is wrong. Any help is appreciated and I am more than willing to further explain the problem! The Solution Formula is $ S(n) = c^{n-1} S(1) + \sum_{i=2}^n (c^{n-i} g(i))$ and $ g(n) = 2n-1$ . $ c$ is the constant in front of the $ S(n)$ term, which in this case is $ 1$ .