Why do we need a hash value for file downloads?
When we download files from the Internet, we need some way of knowing that what we are downloading is an exact copy of what we are expecting to download. We want to know that it hasn’t been altered in any way. Viruses, Trojans and other nefarious payloads can be added to downloads without the author’s knowledge, or the file can be added to other download websites after it has been modified. A hash value allows us to confirm the file’s integrity by ensuring that it has not been modified.
A hash value is not a necessary precaution for all files. For example, when you download PCFerret from anywhere, you can be sure that it is the genuine article by checking the digital signature of the file. You can read more about digital signatures here. To check a downloaded file’s digital signature, right-click on the downloaded file, select Properties and view the Digital Signatures tab. The Name of signer should read “PCFerret”. If it doesn’t, then it isn’t from PCFerret and is not an exact copy of the original. The digital certificate should also be within its validity period.
How is a hash value created?
When a SHA-256 hash value is created, it is in the form of a 256-bit value which is usually expressed as a 64 digit hexadecimal number (see example below). When a SHA-256 hash value is used in order to verify that a file’s content has not been changed since the file’s value was initially calculated, the following procedure is typically followed.
- A program is used to read the file in question and create a SHA-256 hash value. No matter what program you use, the hash value will always be the same for a given file. Of course, I use PCFerret to generate mine
- The SHA-256 hash value is then published on the website next to the file’s download link
- The user downloading the file can then use a program to generate a SHA-256 hash value from the downloaded file. PCFerret can generate hash values.
- If the SHA-256 hash value of the file matches that of the value published on the file’s download website, then the contents have not been altered.
It is worth remembering that just because a SHA-256 hash value matches, it does not mean that the file is safe, it just means that it has not been modified since the original hash value was generated.
A SHA-256-bit hash value:
Another common hash algorithm you may encounter on websites offering file downloads is MD5. However, MD5 is now considered to be insecure and obsolete.
If a website containing downloads with published hash values is hacked, the hacker could not only change a file’s contents, but could also adjust the file’s hash value accordingly.
Here are two solutions that would help to circumvent this possibility. The first, is to have the hash value contained in a digitally signed file such as a DOCX or PDF file which the user can download separately, or it could be included with the downloaded file. One way to do this would be to include both the required download, and the file containing the hash value, in a ZIP file. That way, the recipient can verify that the document containing the hash value has not been modified, which guarantees the integrity of the generated hash value.
The second, and my preferred method, is to make the file to be downloaded a self-extracting file (EXE). This way, a digital code signing certificate can be added to the self-extracting EXE file, thus making a hash value unnecessary, and the validity of the files would be guaranteed. This method is used on PCFerret’s website.
The only drawback with these two methods is cost, as a document or code signing certificate would need to be purchased.
I recommend DigiCert for code signing certificates. There are companies who offer cheaper certificates but you do get what you pay for and DigiCert’s service is excellent, with quick delivery and first-class customer service.