eli5: Lots of websites will have a file hash you can use to verify file integrity; computationally speaking how is this created? Do you really need to inspect every character or just make sure the first and last few are correct? For well known programs should you verify the hash with a third party?


6 Answers

Anonymous 0 Comments

The hash is computed by consuming every byte of the file and feeding it into a hashing algorithm. These are a special sort of function called a one-way function. They give you a certain output for a given input. If you feed the same data in, you’ll get the same result. But you can’t deduce the input from the output, and good hashing algorithms also generate vastly different outputs for even slight changes to the input.

With that information, it is considered a shortcut to only compare a few characters in the beginning and end. But, for better security, the full hash should be compared. For every major OS, there are tools that can generate the hashes using various different algorithms for a given file and then compare that to a given hash.

The problem with hashes is that they don’t include identity. They can only convey integrity in the sense that the transmission didn’t cause any corruption and that what the source of the hash says is the hash. But you can’t be sure the website or transmission of the hash itself isn’t compromised.

That’s why some sources also provide PGP signatures. They’re based on a public key scheme, where you could also verify that the signature was created by the entity holding the private key and that the file wasn’t altered. Yet, if the private key were to be compromised, you could still forge a valid signature. It all depends on what you trust and how high of a level of security is desired.

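Added example, not part of the original answer: a Python sketch of what the answer describes, streaming every byte of a file through SHA-256, comparing the complete digest, and contrasting that with the first-and-last-characters shortcut. The function names, the sample data and the `LOOKALIKE` string are constructed for illustration.

```python
import hashlib
import hmac
import io

def sha256_stream(stream, chunk_size=65536):
    """Feed every byte of the stream through SHA-256, one chunk at a time."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()

def verify(stream, published_hex):
    """Compare the complete digest with the published one."""
    expected = published_hex.strip().lower()
    return hmac.compare_digest(sha256_stream(stream), expected)

def differing_bits(hex_a, hex_b):
    """Count how many of the 256 digest bits differ."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")

def ends_only_match(hex_a, hex_b, n=4):
    """The shortcut: look only at the first and last n hex characters."""
    return hex_a[:n] == hex_b[:n] and hex_a[-n:] == hex_b[-n:]

# Constructed sample data: a stand-in "download" and a copy with a single
# byte changed in the middle, where an ends-only look at the file would miss it.
ORIGINAL = b"installer-v1 " * 10000
TAMPERED = bytearray(ORIGINAL)
TAMPERED[len(TAMPERED) // 2] ^= 0x01
TAMPERED = bytes(TAMPERED)

# Stands in for the hash published on the download page.
PUBLISHED = sha256_stream(io.BytesIO(ORIGINAL))

# Constructed digest-shaped string (not the hash of any real file) that
# shares only its first and last 4 characters with PUBLISHED.
LOOKALIKE = PUBLISHED[:4] + "0" * 56 + PUBLISHED[-4:]

if __name__ == "__main__":
    tampered_hex = sha256_stream(io.BytesIO(TAMPERED))
    print("original verifies:", verify(io.BytesIO(ORIGINAL), PUBLISHED))
    print("tampered verifies:", verify(io.BytesIO(TAMPERED), PUBLISHED))
    print("digest bits changed by one flipped byte:",
          differing_bits(PUBLISHED, tampered_hex))
    print("shortcut accepts lookalike:", ends_only_match(PUBLISHED, LOOKALIKE))
    print("full compare accepts lookalike:",
          hmac.compare_digest(PUBLISHED, LOOKALIKE))
```
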