Question about SHA1 and MD5 Verifying

I've downloaded some files from the internet. I would like to learn how to check these two values with the one assigned to the files that have been downloaded. I've read that you need to check with a database of some sort but how and where do I find this database online.

Any suggestions would be appreciated.

 

First you will need the MD5/SHA1 hash value that the author of the file has posted. Then you compare that value with the value you calculate on your machine to see if they match. If they match, it means the file you downloaded is bit for bit the same file being hosted. If they don't match, something is wrong and you should not run the file. In order to verify the hash you will probably need some software, but that is outside the scope here. Here is a command line utility that will do it.

Please note, that while hash checking is useful, it should not be used to determine the authenticity of a file. It should only be used to make sure the file is not corrupted on transfer (integrity). It should not be used for security! If a hacker can break into a website, he can merely upload his own file and hash value.

The only way to ensure the integrity and authenticity of a file is for the author to digitally sign it (PGP/GPG). This way, even if his site is cracked and the file is replaced by a malicious one, it will be easy to detect by anyone who has his public key.

 

Thanks for the reply. How do I find the values that the author has posted ? Thats the part I'm having difficulty with. Can you give me step by steps on how I can digitally check the files I have downloaded ?

Thanks again
Victor

 

You can check the Bit9 FileAdvisor database.

I use HashTab for calculating hashes.

 

How do we securely obtain PGP keys? One could do real life key exchange (key singing parties) or verify over oob communication (phone). But who does?
The way it actually works is to host the code and the key on different servers, preferably https.

But this you can do with hash sums too, some projects have their own ftp/http file server and many mirrors. You get the file from a random mirror but you should always compare it with the main website.

I make use of the virustotal.com/search database. It not only guarantees to some extent that the file isn't infected by know malware but also that I haven't gotten a special booby trapped file but exactly the same as other users previously (or it wouldn't be in the data base). The comment section adds some levels of confidence.

Windows executables can be signed. If they are I carefully check what organisation the cert is for and who signed it. Most of them are signed by a handful of highly regarded CAs and therefore can be trusted to really come from whom it says on the tin.

Finally, I only execute code on the real system if it comes from a reputable developer (e.g. I check their contacts, twitter, wikipedia entry, check their site with urlvoid.com, google entries, check if there is a source code, what license and so on). If my paranoia can't be quietened sufficiently I simple don't run the code on the system. Instead I use a sandbox or throwaway VM.

Actually, I'm not doing all of that all the time . It's a bit too much work and in all the years I encountered two or three "suspicious" files. One was a fp, the other was a bad download the third I can't remember. But I hope I could show some ways how to verify where software is coming from and to make informed decisions.

All this mess is also one big, maybe the big reason I like Linux: Their repository system takes care of it all (almost, some surprises there as well that make you appreciate "Trust, but verify")

 

That's what you are looking for.
It will create an extra File Hashes tab in file->properties.
As soon as you click on the tab, hashes will be calculated and you can compare them with the hash that's displayed on the website by copy/pasting it.
(Right-click in the 'Hash Value' box to select other hashes).

It can be found on --http://www.implbits.com/Products/HashTab.aspx--

File hashes tab image; http://www.implbits.com/Portals/0/ht_small.png

 

Key signing parties and the like are used to build a web of trust, which is nice, but not necessary in this context. Of course, there is a possibility that a hacker can upload his own public key and masquerade as the developer, but that's why you check the signatures on the key. If there are a lot of sigs from reputable people you can be reasonably certain it is the right key (because people only sign keys when they meet the person in real life or have verified the key in some other way). Or you could e-mail the developer himself and ask him for the key's fingerprint and then compare. Another option is that the developer might buy a certificate from a CA, which takes care of the "trust" issue automatically.

The only 100% sure-fire way of being certain is to meet the developer in person and check his key's fingerprint. But, again, it's not necessary if one does a bit of research beforehand (asking other people if they have the same key as the one you have, etc.). If some rogue party was masquerading as the developer, he would find out about it pretty quickly and make it known. So, again, a little research is in order if you have doubts.

I agree. It's nice having a large repository of software to choose from that has already been checked, verified, and digitally signed. Does this make it failsafe? No. Someone could always send malicious code to the distro developers and they might be lazy and not check it, etc. But it does dramatically lessen the probability that one would download malicious software from the repos.

 

I use HashCalc for calculating hashes.