Validating file authenticity — how?

Modern cryptography forms the backbone of our Internet. Without cryptography algorithms, many functions and conveniences such as Internet banking, online shopping and secured messaging would not be possible. Hence in today’s article, we’ll be focusing on hash functions.

Before we continue, what exactly is hashing?

Hashing is not Encryption!

Hashing is a one-way function (i.e. non-reversible) that takes in a string of any length as input and outputs a short fixed-length hash. This resulting hash, also referred to as checksum or message digest, is commonly used as a form of digital signature and users may use it to check the authenticity of the file(s) received.

Whenever a file/message is transferred over the Internet, the receiver can perform the hash function locally and compare against the publicised checksum to ensure that a file is unchanged. SHA-256 is widely adopted by the industry.

Using the Notepad++’s download page as an example, we can see they’ve conveniently provided both the GPG signature and the SHA-256 file hashes for us to validate both integrity and authenticity of the installation files.

Screenshot taken from https://notepad-plus-plus.org/downloads/v8.4.5/
How SHA256 hash looks like

Why do we need file hash?

In today’s landscape, we receive patches and hot-fixes from vendors frequently. Hence, validating file hashes is (and should be!) a common practice. Especially for on-premise setup, we don’t have the luxury of a cloud service provider helping to validate the integrity of these patches. This step is essential in protecting our organisation’s IT supply chain since we certainly do not want to install the wrong patch or worse, a malicious patch onto our systems.

Should I use an online or free file hash checker?

A quick search for an online free hash checker yields many results, and we can see they’re widely available, both online and as executables. However we do not recommend using them! Like all free online tools, we have no visibility on what these platforms do with the files/messages we uploaded. Similarly for executables, we don’t know what may reside in the source code of these softwares. Sometimes installing additional software is simply not allowed in our environment.

Repeat after us: “If something is free, you’re the product.”. 😏

As mentioned above, the authenticity of a received file can be checked by comparing the hash against the publicised checksum. But how do we exactly do so?

How to calculate file hash on Windows?

Windows comes preinstalled with an integrated file hash checker. The get-filehash PowerShell function is easy to use and doesn’t require any installations. It also supports different algorithms such as SHA1, SHA256, SHA384, SHA512, MD5. For full documentation you may refer to this page.

Example of using get-filehash

Another way is through the usage of 7-zip. If you already have 7-zip installed on your host, you can simply just right click on the file and select the hashing algorithm. A window will pop up showing the calculated checksum.

Example of getting checksum using 7-Zip

How to calculate file hash on Linux distributions?

Most Linux distributions come with the sha256sum utility. Simply use the command to generate SHA-256 checksum for the file:

sha256sum FILE_PATH

For the full documentation please refer to this page.

Hashing is a fundamental tool in computer security. One of the ways antivirus and anti-malware quickly detect known malicious files is through the use of file signatures. Other than being used for validating file integrity, hashing is also used in decentralised technology such as blockchain. Hashing’s irreversible and quick-to-compute characteristics allow the network to prevent fraudulent transactions and/or double spending.

If you have any tips that you like to share with us, do leave them in the comments section below. Till then, stay safe and keep learning!

🧙🏼‍♀ Team Merlin 💛
Application security is not any individual’s problem but a shared responsibility.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Team Merlin

Team Merlin

Software | Security | Quality enthusiasts doing the right things