Reputation: 1373
Signature/Hash Choice for File Integrity Verification
For a file repository, I need to select a hashing algorithm that will reasonably ensure the integrity of files.
I need an algorithm that anyone (with a bit of effort) would be able to easily use to verify the integrity given the hash. In short, the file may be transferred to the user, along with a hash, and they must be able to verify that the hash comes from the file.
My first choice would be MD5 because there seems to be widely available utilities to verify MD5 hashes, but I'm concerned with the MD5 algorithm being cryptographically broken (ref Wikipedia/US-CERT: http://en.wikipedia.org/wiki/MD5)
My second choice would be a SHA-2 algorithm, but I'm concerned about availability of utilities that could easily verify the hash. Most examples I've found show program code to evaluate a hash, but I've found few, if any, utilities that are pre-built (asking users to build their own utility is beyond the 'easily' scope)
What other options are available for generating and evaluating a file hash, or are these two the options that are best?
Upvotes: 1
Views: 1717
Answers (3)
Reputation: 1852
sha256sum, a program a part of the coreutils package on linux will generate checksums for the listed files. The format of the checksum output is the same as that of the md5sum program (but using SHA-256 hashing instead of MD5 of course), which has been widely used for years. You didn't list any target platforms but a quick googling shows there are Windows ports of the command line program.
If you need to generate large numbers of checksums you can use md5deep, which includes support for other hashes as well, including SHA-256. http://md5deep.sourceforge.net/
I haven't tried this but from the screenshots it looks pretty neat integrating into OSX and Windows Explorer: http://implbits.com/HashTab.aspx
Upvotes: 0
Reputation: 54801
Provide both/multiple, and let the user decide which they verify against. Or if they are really cautious, they can verify against both/all.
Have seen download sites use this approach. One site recommended the most secure, but offered others like md5 as fallback. It also provided links to tools. Can't remember specific site I'm afraid.
Upvotes: 2
Reputation: 4296
Since you've been able to find a few file-checkers, why not link to them as a recommendation? That way your users have at least one tool they can use. They don't need several dozen different filechecking utilities, they need just one which works for the algo you chose to use.
Tools you could link to: Windows: http://securityxploded.com/download-hash-verifier.php Mac OS X: http://www.macupdate.com/app/mac/31781/checksum
Upvotes: 0
Related Questions
- SHA-256 or MD5 for file integrity
- Confirming file content against hash
- Hashes of various types of files
- How should I compute files hash(md5 & SHA1) in C#
- Signing a hash value instead of a file
- A suitable hash function to detect data corruption / check for data integrity?
- File integrity check
- To check if two image files are same..Checksum or Hash?
- Which hash to use for file uniqueness in Java
- Is using 2 different hash functions a good way to check for file integrity?