Reputation: 3161

What's the difference between a CRC and a checksum?

Upvotes: 55

Answers (4)

Adam Katz

Reputation: 16118

Jeff Atwood (founder of Stack Overflow) wrote in his Checksums and Hashes blog post:

I learned to appreciate the value of the Cyclic Redundancy Check (CRC) algorithm in my 8-bit, 300 baud file transferring days. If the CRC of the local file matched the CRC stored in the file (or on the server), I had a valid download. I also learned a little bit about the pigeonhole principle when I downloaded a file with a matching CRC that was corrupt!

A checksum is an error detection scheme that typically refers to a cryptographic hash function, though it also includes CRCs. Here are three different types of checksums:

Cyclic Redundancy Checks like CRC-32 are fast but collision-prone. They are not robust to collision attacks; somebody could take a given CRC and easily create a second input that matches it.

Cryptographic hash functions like MD5 (weaker), SHA-1 (weak), and SHA-256 (strong) are specifically designed to be resistant to collision attacks. They are preferable to CRCs in every situation except speed. Use the strongest algorithm you can computationally afford.

Key derivation functions like PBKDF2 and Argon2 generate secret keys, though they are better known for hashing passwords. This takes advantage of KDF key stretching to make even shorter passwords more expensive to compute and therefore more robust to brute-force attacks.

See also this Crypto.SE question on CRC vs SHA1. Wikipedia has a hash function security summary page that discusses collision-proneness of various cryptographic hashes.

Upvotes: 9

Péter Török

Reputation: 116256

CRC (Cyclic Redundancy Check) is a type of checksum, specifically a position dependent checksum algorithm (among others, such as Fletcher's checksum, Adler-32). As their name suggest, these detect positional changes as well, which makes them more robust - thus more widely used - than other checksum methods.

Upvotes: 48