Question about SHA1 and MD5 Verifying

Discussion in 'other security issues & news' started by victor43, Feb 27, 2011.

Thread Status:
Not open for further replies.
  1. victor43

    victor43 Registered Member

    Joined:
    Nov 4, 2009
    Posts:
    32
    I've downloaded some files from the internet. I would like to learn how to check these two values against the ones assigned to the files that have been downloaded. I've read that you need to check with a database of some sort, but how and where do I find this database online?

    Any suggestions would be appreciated.
     
  2. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    First you will need the MD5/SHA1 hash value that the author of the file has posted. Then you compare that value with the value you calculate on your machine to see if they match. If they match, it means the file you downloaded is bit for bit the same file being hosted. If they don't match, something is wrong and you should not run the file. In order to verify the hash you will probably need some software, but that is outside the scope here. Here is a command line utility that will do it.

    Please note that while hash checking is useful, it should not be used to determine the authenticity of a file. It should only be used to make sure the file is not corrupted on transfer (integrity). It should not be used for security! If a hacker can break into a website, he can merely upload his own file and hash value.

    The only way to ensure the integrity and authenticity of a file is for the author to digitally sign it (PGP/GPG). This way, even if his site is cracked and the file is replaced by a malicious one, it will be easy to detect by anyone who has his public key.
     
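    The compare-what-you-compute-against-what-was-published step described above, as an added example that is not from anyone in this thread. It assumes the checksum list uses the common md5sum/sha1sum manifest layout (`<hex digest>  <filename>`), picks the algorithm from the digest length, compares in constant time, and reports a tampered or missing file as a failure; every file and digest it uses is constructed in a temporary directory.

```python
import hashlib
import hmac
import os
import tempfile

# Hex digest length -> hashlib algorithm name (MD5, SHA-1, SHA-256).
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

def file_digest(path, algo, chunk_size=1 << 16):
    """Hash a file in chunks so a large download need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_manifest(text):
    """Parse '<hex>  <filename>' lines; a leading '*' marks binary mode."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if name:
            entries[name] = digest.lower()
    return entries

def verify(path, published_hex):
    """Return (ok, computed_hex); unknown digest length -> ValueError."""
    published_hex = published_hex.strip().lower()
    if len(published_hex) not in ALGO_BY_HEX_LEN:
        raise ValueError("unrecognised digest length %d" % len(published_hex))
    computed = file_digest(path, ALGO_BY_HEX_LEN[len(published_hex)])
    # Constant-time comparison is the idiomatic way to compare digests.
    return hmac.compare_digest(computed, published_hex), computed

def verify_manifest(directory, manifest_text):
    """Check every file the manifest names; a missing file counts as a failure."""
    results = {}
    for name, digest in parse_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        results[name] = os.path.exists(path) and verify(path, digest)[0]
    return results

def demo():
    """Constructed sample: two intact files, one altered byte, one missing file."""
    manifest = ("# constructed checksum list (hypothetical project)\n"
                "5d41402abc4b2a76b9719d911017c592  tool.exe\n"
                "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d *readme.txt\n"
                "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d  tampered.bin\n"
                "5d41402abc4b2a76b9719d911017c592  missing.zip\n")
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("tool.exe", b"hello"), ("readme.txt", b"hello"),
                           ("tampered.bin", b"hellp")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return verify_manifest(d, manifest)
```

    A mismatch only tells you the bytes differ from what the publisher listed; as the post above notes, a hash hosted beside the download cannot by itself establish who published it.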
  3. victor43

    victor43 Registered Member

    Joined:
    Nov 4, 2009
    Posts:
    32
    Thanks for the reply. How do I find the values that the author has posted? That's the part I'm having difficulty with. Can you give me step-by-step instructions on how I can digitally check the files I have downloaded?

    Thanks again
    Victor
     
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You can check the Bit9 FileAdvisor database.

    I use HashTab for calculating hashes.
     
  5. katio

    katio Guest

    How do we securely obtain PGP keys? One could do real-life key exchange (key signing parties) or verify over out-of-band communication (phone). But who does?
    The way it actually works is to host the code and the key on different servers, preferably https.

    But you can do this with hash sums too; some projects have their own ftp/http file server and many mirrors. You get the file from a random mirror, but you should always compare it with the main website.

    I make use of the virustotal.com/search database. It not only guarantees to some extent that the file isn't infected by known malware but also that I haven't gotten a specially booby-trapped file but exactly the same one as other users previously (or it wouldn't be in the database). The comment section adds some level of confidence.

    Windows executables can be signed. If they are I carefully check what organisation the cert is for and who signed it. Most of them are signed by a handful of highly regarded CAs and therefore can be trusted to really come from whom it says on the tin.

    Finally, I only execute code on the real system if it comes from a reputable developer (e.g. I check their contacts, twitter, wikipedia entry, check their site with urlvoid.com, google entries, check if there is source code, what license and so on). If my paranoia can't be quietened sufficiently I simply don't run the code on the system. Instead I use a sandbox or throwaway VM.

    Actually, I'm not doing all of that all the time ;). It's a bit too much work, and in all the years I encountered two or three "suspicious" files. One was a false positive, the other was a bad download, the third I can't remember. But I hope I could show some ways to verify where software is coming from and to make informed decisions.

    All this mess is also one big, maybe the big, reason I like Linux: its repository system takes care of it all (almost; there are some surprises there as well that make you appreciate "Trust, but verify").
     
  6. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    That's what you are looking for.
    It will create an extra File Hashes tab in file->properties.
    As soon as you click on the tab, hashes will be calculated and you can compare them with the hash that's displayed on the website by copy/pasting it.
    (Right-click in the 'Hash Value' box to select other hashes).

    It can be found at http://www.implbits.com/Products/HashTab.aspx

    File Hashes tab image: http://www.implbits.com/Portals/0/ht_small.png
     
    Last edited: Feb 28, 2011
  7. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Key signing parties and the like are used to build a web of trust, which is nice, but not necessary in this context. Of course, there is a possibility that a hacker can upload his own public key and masquerade as the developer, but that's why you check the signatures on the key. If there are a lot of sigs from reputable people you can be reasonably certain it is the right key (because people only sign keys when they meet the person in real life or have verified the key in some other way). Or you could e-mail the developer himself and ask him for the key's fingerprint and then compare. Another option is that the developer might buy a certificate from a CA, which takes care of the "trust" issue automatically.

    The only 100% sure-fire way of being certain is to meet the developer in person and check his key's fingerprint. But, again, it's not necessary if one does a bit of research beforehand (asking other people if they have the same key as the one you have, etc.). If some rogue party was masquerading as the developer, he would find out about it pretty quickly and make it known. So, again, a little research is in order if you have doubts.

    I agree. It's nice having a large repository of software to choose from that has already been checked, verified, and digitally signed. Does this make it failsafe? No. Someone could always send malicious code to the distro developers and they might be lazy and not check it, etc. But it does dramatically lessen the probability that one would download malicious software from the repos.
     
  8. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    I use HashCalc for calculating hashes.
     