Sunday, December 1, 2013

How to Check SHA1, SHA256 and SHA512 Hashes on Linux

How do you know for sure that the 4 GB file you just downloaded has been transferred without error? One way is to use a hash algorithm that produces a “fingerprint” or a “message digest” of the downloaded file. Like human fingerprints, the resulting character string is meant to be unique and only that file can produce that fingerprint. Sites offering large downloads, say a Linux distribution like Fedora, will also publish a list of the hashes for the files. All you need to do is check the hash of the file you have against the published hash and if they are the same, then the file has been downloaded correctly.
In the past, the preferred hashing algorithm was MD5 and although it is still widely used (for example the Ubuntu project still provides MD5 hashes), it is slowly being replaced by the SHA family of hashes. The problem with MD5 is that it is possible to create multiple files with the same fingerprint. In one famous case among cryptographers, a security researchers said he knew who would win the presidential election and he had created a file with the result in it and issued the MD5 hash. He would release his file after the election and prove his prediction was right. In fact, what he had done was create several files with all the possible winners and manipulated the files in such a way that they all had the same MD5 fingerprint!
There are several different Secure Hash Algorithms (SHA) including SHA1, SHA256 and SHA512. Technically SHA256 and SHA512 both use the same algorithm, but process the data in different sized chunks – SHA256 uses 32 bit blocks and SHA512 64 bit blocks.
SHA1 is similar to MD5 and like MD5, there are some concerns about the uniqueness of the resulting hashes and it is no longer approved for many cryptographic uses since 2010. However if you find a site which publishes SHA1 hashes, you can check them like this:
sha1sum Fedora-19-i386-netinst.iso
The output will look like this:
b24e9b7bd49168839fd056bbd0ac8f2aec6b68b9  Fedora-19-i386-netinst.iso
SHA256 hashes are generated in the same way:
sha256 Fedora-19-i386-netinst.iso
And the output is similar, except note that the fingerprint string is much longer:
2b16f5826a810bb8c17aa2c2e0f70c4895ee4b89f7d59bb8bf39b07600d6357c  Fedora-19-i386-netinst.iso
And likewise for SHA512:
sha512sum Fedora-19-i386-netinst.iso
The resulting fingerprint is even longer:
9eb35d03cc289aa5d5a29cfc9080c3152a3da1b91a2b12d352b16a3d817a7479b9d1be3c7ecf011abf6a01f3122c66892f96a2c213756df786117412d8df99b3  Fedora-19-i386-netinst.iso
Rather just publish the fingerprint string in isolation, some sites offer a checksum file which contains all the hash information in a machine readable form that the various sha commands can use to automatically verify files. A checksum file for the net install 32 bit Intel version of Fedora 19 might look like this:
2b16f5826a810bb8c17aa2c2e0f70c4895ee4b89f7d59bb8bf39b07600d6357c *Fedora-19-i386-netinst.iso
To check this use the “-c” parameter like this:
sha256sum -c Fedora-19-i386-CHECKSUM
Where Fedora-19-i386-CHECKSUM is the name of the file containing the fingerprint information as shown above.
If the fingerprints match, then the output will look like this:
Fedora-19-i386-netinst.iso: OK
If there is an error in the downloaded file, the output will be:
Fedora-19-i386-netinst.iso: FAILED
sha256sum: WARNING: 1 computed checksum did NOT match
Your Linux distribution likely also contains the sha224 and sha384 commands. These two hash algorithms are truncated versions of SHA256 and SHA512. They can be used in exactly the same way as the sha256 and sha512 commands. Try producing hashes uses them and notice the differences in the output.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.