Whenever you use a file obtained from a public source or over a network, it's good practice to check the integrity of the file. This is especially useful when software is downloaded from public web sites. There are many hashing algorithms that can be used to check the integrity of files. Some of them are MD5, SHA, PGP etc.
MD5
Message Digest algorithm 5 (MD5) is a popular cryptographic hashing algorithm with a 128 bit encryption key. It produces a 32 bit hash value as output from an input file of any size. The use of this value is that if a file is tampered with after its MD5 hash was calculated, the change can be detected by using the MD5 sum calculated earlier.
There are many tools that can be used to generate and verify MD5 checksums. Most Linux distributions come with the md5sum command.
Create a file:
[safeer@LinuxBox ~]$ echo "Unchanged File" > inputfile.txt
Compute the MD5 checksum for this file and store it in a file:
[safeer@LinuxBox ~]$ md5sum inputfile.txt > inputfile.md5
[safeer@LinuxBox ~]$ cat inputfile.md5
7d26e15c0ab488afb85ff48ff9bfbf34 inputfile.txt
Now verify the integrity of the source file using the MD5 sum:
[safeer@LinuxBox ~]$ md5sum -c inputfile.md5
inputfile.txt: OK
The result of this test is OK since we haven't made any modification to the source file. Now we can test again after changing the source file:
[safeer@LinuxBox ~]$ echo "The file is modified" >> inputfile.txt
[safeer@LinuxBox ~]$ md5sum -c inputfile.md5
inputfile.txt: FAILED
md5sum: WARNING: 1 of 1 computed checksum did NOT match
This way we can verify whether a file has been tampered with or not. Many web sites provide the MD5 checksum of their software so that you can verify the integrity of the software after downloading.
Now we can have a look at a real scenario. I am going to download Apache HTTPD server from a mirror website. They have also provided the MD5 and PGP checksum of the software.
[safeer@LinuxBox ~]$ wget http://www.reverse.net/pub/apache/httpd/httpd-2.2.4.tar.gz
Now the MD5 file. This is a plain text file.
[safeer@LinuxBox ~]$ wget http://www.apache.org/dist/httpd/httpd-2.2.4.tar.gz.md5
Make sure that both the file to be checked and its md5sum file are in the same directory.
[safeer@LinuxBox ~]$ md5sum -c httpd-2.2.4.tar.gz.md5
httpd-2.2.4.tar.gz: OK
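This assures us that the httpd package we have downloaded is the original package that is provided by the web site. Note that the checksum file was fetched from www.apache.org rather than from the mirror, so a package modified on the mirror would not match it.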
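An added example, not from the original post: a shell helper (verify_md5 is a hypothetical name) that makes the same comparison as md5sum -c but takes the file and its checksum file as separate paths, so they need not share a directory, and returns an exit status a download script can act on. The sample file is constructed.

```shell
#!/bin/sh
# verify_md5 FILE SUMFILE  (hypothetical helper, not part of md5sum)
# Returns 0 = match, 1 = mismatch, 2 = missing or unparsable input.
verify_md5() {
    file=$1
    sumfile=$2
    [ -r "$file" ] && [ -r "$sumfile" ] || return 2
    base=$(basename "$file")
    # Find the entry for this file. Accepts "HASH  name", "HASH *name"
    # or a checksum file that holds only the bare hash.
    expected=$(awk -v name="$base" '
        { h = tolower($1); n = $2; sub(/^\*/, "", n); sub(/.*\//, "", n) }
        h ~ /^[0-9a-f]+$/ && length(h) == 32 && (NF == 1 || n == name) { print h; exit }
    ' "$sumfile")
    [ -n "$expected" ] || return 2
    # Reading from stdin keeps the file name out of md5sum's output.
    actual=$(md5sum < "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Replays the inputfile.txt test from above in a scratch directory.
demo() {
    dir=$(mktemp -d) || return 1
    echo "Unchanged File" > "$dir/inputfile.txt"      # constructed sample
    (cd "$dir" && md5sum inputfile.txt > inputfile.md5)
    verify_md5 "$dir/inputfile.txt" "$dir/inputfile.md5" && echo "inputfile.txt: OK"
    echo "The file is modified" >> "$dir/inputfile.txt"
    verify_md5 "$dir/inputfile.txt" "$dir/inputfile.md5" || echo "inputfile.txt: FAILED"
    rm -rf "$dir"
}
demo
```

In a script, test the status directly, for example `verify_md5 httpd-2.2.4.tar.gz sums/httpd-2.2.4.tar.gz.md5 || exit 1`, so that an unverified archive is never unpacked.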
Find out more from the md5sum man page:
# man md5sum