MD5 Checksums
April 5, 2007 · by Scott Fradkin
I recall a few weeks ago, one of my wife’s brothers was visiting and installing a piece of software on her computer. I casually mentioned as he was downloading that he should grab the MD5 checksum so that he could compare it against the downloaded file. He said that he didn’t even know what that was.
Verifying a checksum is a fairly important step in validating that a file that you have downloaded is definitely the file you expect it to be.
Here’s how it works:
- The person publishing a file for download uses an MD5 utility to generate an MD5 hash of that file.
- The file and the text of the hash are put onto a server for download.
- The downloader downloads the file to his or her computer.
- The downloader uses an MD5 utility to generate an MD5 hash of the downloaded file.
- The downloader compares his or her result to the posted MD5 hash. If the two are the same, the file is legitimate. If the hashes differ, the downloader should not open the file.
Of course, this does mean that there has to be a certain level of trust between the downloader and the website from which the file is downloaded. If someone can replace both the file and its posted checksum, a tampered file carrying a virus or worm will still look legitimate.
On a Linux system the utility md5sum is usually installed by default. For Windows systems there are various third-party utilities that can be downloaded to calculate hashes. One is called digestIT and can be found at http://www.kennethballard.com/modules/xproject/index.php?op=viewSummary&pid=2. The md5sum command line utility has a Windows version which can be found at one of a number of links listed on OpenOffice.org’s website http://www.openoffice.org/dev_docs/using_md5sums.html.
The output of an MD5 hash is a 32-byte hexadecimal string (32 hex digits), which can be a little tough to inspect by eye, but the Windows programs usually do the comparison for you. Some websites have started using SHA1 hashes (which produce 40-byte hexadecimal strings, 40 hex digits) instead, since SHA1 is more secure and harder to find hash collisions for. Many of the Windows programs will also perform hashing with this and other algorithms. On Linux, the OpenSSL program can calculate many different hashes.
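The five verification steps listed above, together with the digest sizes just mentioned, carried through as an added example in Python using the standard library's hashlib. This is not code from the post or from any of the utilities it names; the file contents, the file name and the "tampered" replacement are constructed for illustration, and the checksum line format is the `<hex>  <filename>` layout that md5sum prints.

```python
import hashlib
import hmac
import os
import tempfile

# Digest sizes in hex digits: MD5 prints 32, SHA-1 prints 40 (SHA-256 added for comparison).
HEX_DIGEST_LENGTH = {"md5": 32, "sha1": 40, "sha256": 64}


def hash_file(path, algorithm="md5", chunk_size=64 * 1024):
    """Hash a file in chunks so a large download never has to fit in memory.

    Returns the lowercase hex digest, the same string md5sum/sha1sum print.
    """
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def publish_checksum_line(path, algorithm="md5"):
    """Publisher side (steps 1 and 2): the line an md5sum-style tool would post."""
    return "%s  %s" % (hash_file(path, algorithm), os.path.basename(path))


def parse_checksum_line(line):
    """Downloader side: parse '<hex>  <filename>' as written by md5sum/sha1sum.

    A leading '*' on the filename marks binary mode and is stripped.
    """
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        raise ValueError("malformed checksum line: %r" % line)
    digest, name = parts
    return digest.lower(), name.lstrip("*")


def verify_download(path, published_digest, algorithm="md5"):
    """Downloader side (steps 4 and 5): True only if the digests match.

    A digest of the wrong length is rejected before hashing, so a truncated
    or mangled checksum string can never be mistaken for a match.
    """
    expected = published_digest.strip().lower()
    if len(expected) != HEX_DIGEST_LENGTH[algorithm]:
        return False
    actual = hash_file(path, algorithm)
    # compare_digest does not stop at the first differing character
    return hmac.compare_digest(actual, expected)


def demo():
    """Constructed walk-through: publish, download, verify, then detect a swapped file."""
    fd, path = tempfile.mkstemp(prefix="download-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(b"abc")  # constructed contents standing in for the real download
        posted = publish_checksum_line(path, "md5")
        digest, _name = parse_checksum_line(posted)
        result = {
            "md5": digest,
            "sha1": hash_file(path, "sha1"),
            "verified": verify_download(path, digest, "md5"),
            "truncated_digest_rejected": not verify_download(path, digest[:-1], "md5"),
        }
        # Simulate the file being replaced on the server after the hash was posted.
        with open(path, "ab") as f:
            f.write(b"\x00")
        result["tampered_detected"] = not verify_download(path, digest, "md5")
        return result
    finally:
        os.remove(path)


if __name__ == "__main__":
    for key, value in demo().items():
        print("%s: %s" % (key, value))
```

Running the script shows the 32-digit MD5 and 40-digit SHA-1 of the constructed file, a successful verification, and a failed one once the file changes. To check a real download, pass its path and the hash copied from the website to `verify_download`, or feed the whole posted line through `parse_checksum_line` first.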
The actual algorithms aren’t too complex, but the discussion takes up a fair amount of space. I may post about those at a later time.
I’d encourage everyone to use the checksums when they are available. Even if you’re downloading from a trustworthy website, you never know if the files have been surreptitiously replaced. It’s a good security habit to get into.
Filed in: Team Member Blog