While proprietary software can be more convenient and easy to use, opting for open source solutions is generally advisable from a security perspective. This is because the code in these programs can be independently checked to confirm that it has not been modified or compromised. However, you may still wonder how to know if the files you download from a website, for example, haven’t been altered by a third-party. The answer is cryptographic hashes or checksums, which are used to verify the files.
These are usually MD5 or SHA1, but in some cases there are stronger hashes available such as Sha2 or SHA3. While MD5 is the most popular form of hashing, it has been compromised and it is unreliable. A cryptographic hash is obtained from the contents of a file and it offers a unique fingerprint that changes if the file is changed. Even a small change in the file modifies the hash value. It should be noted that the contents of a file can’t be obtained from its hash value.
Why do you need to check the hash
Even a small change in a file will affect its hash value significantly. This is why when you check the hash value of a file and compare it with the value published by its developers, you will be able to find out if the file that you downloaded is the same file that the developers offer or if it has been tampered with. Reliable developers publish the cryptographic hash for their downloads. Hashes can also confirm that files are not corrupted. Hashing is used for a wide variety of cryptographic purposes including verification of keys during VPN handshakes.
How to check hash
In order to check the cryptographic hash integrity of a file, you need to take note of the hash number posted by the developer. Then you have to generate the value of the file you have and compare it with the developer’s information. If they are exactly the same, then you know that the file that you have is the one the developer originally released and it hasn’t been tampered with. If the data doesn’t match, the file has been corrupted or altered. MacOS and Linux come with hash functions included, but if you use Windows, you will need to get additional software.
Type “openssl md5” and press Enter. You can also type “openssl md5” and then drag and drop the target file into the Terminal window. Then you can press enter. You should now see the MD 5 hash value. You can replace md5 with the name of the hash function needed, for instance, openssl sh1.
You can type mdsum and press Enter. The MD5 hash value will be shown. In this case, you can also replace md5 with the kind of hash value that you need. Type man dgst into Terminal to see what hash functions are supported by your system.
You can use File Checksum Integrity Verifier (FCIV), a command line tool from Microsoft that can compute MD5 or SHA-1 cryptographic hash values.
- First open a command prompt and go to the location of the file.
- Type fciv.exe and press Enter.
- You will see the MD5 hash value.
- If you need to find the hash value for SH1, you can type fviv.exe -sha1
The most common Windows GUI hashing tool is HashTab. However, this is not an open source solution anymore. Still Windows users can download it for free. If you want an open source solution, you can opt for Fsum Frontend, which includes hash compare functions and support for over 90 hash algorithms.
Hash function vulnerabilities
One thing that you need to keep in mind is that the process of verifying the hash function of a file is not the strongest form of data integrity. This is because it doesn’t verify the origin of the file. If a hacker has altered the developer website as well to make sure that the hash value you get is the same as the file they have tampered, the hash function won’t prevent you from getting a file that has been compromised. Using Digital signatures is a more secure option.
It is also important to consider that hash functions can come with mathematical weaknesses. For instance, the web’s most commonly used algorithm is MD5, but it has a “collision in executables” vulnerability, meaning that it has been pretty much broken. This is why SSL certificates authorities, software companies and the majority of organizations focuses on security have stopped using it. SHA1 is stronger, but SHA2 and SHA3 are even better.
Verifying the cryptographic hash function of a file is a practical option to determine its integrity in a basic level. However, you need to keep in mind that it is not possible to use one-way hash functions to establish that the two hash values are equal, although they provide a a good way to be reassured of the accuracy of the data. Digital signatures are a solution that is more secure.