What Are SHA-256 Hash Values, Relating To File Downloads?

Posted 54 years ago by

SHA-256 is one of a set of cryptographic hash functions designed by the NSA. The SHA-256 algorithm is often used to produce a hash value (see below) in order to confirm a file’s integrity.

 

Why do we need a hash value for file downloads?

When we download files from the Internet, we need some way of knowing that what we are downloading is an exact copy of what we are expecting to download. We want to know that it hasn’t been altered in any way. Viruses, Trojans, and other nefarious payloads can be added to downloads without the author’s knowledge, or the file can be added to other download websites after it has been modified. A hash value allows us to confirm the file’s integrity by ensuring that it has not been modified.

A hash value is not a necessary precaution for all files. For example, when you download PCFerret Pro from anywhere, you can be sure that it is the genuine article by checking the digital signature of the file. You can read more about digital signatures here. To check a downloaded file’s digital signature, right-click on the downloaded file, select Properties, and view the Digital Signatures tab. The Name of signer should read “PCFerret Technology Solutions”. If it doesn’t, then it isn’t from PCF Technology Solutions and is not an exact copy of the original.

 

How is a hash value created?

When a SHA-256 hash value is created, it is in the form of a 256-bit value which is usually expressed as a 64-digit hexadecimal number (see example below). When a SHA-256 hash value is used in order to verify that a file’s content has not been changed since the file’s value was initially calculated, the following procedure is typically followed.

  • A program is used to read the file in question and create a SHA-256 hash value. No matter what program you use, the hash value will always be the same for a given file. Of course, I use PCFerret Pro to generate mine

  • The SHA-256 hash value is then published on the website next to the file’s download link

  • The user downloading the file can then use a program to generate a SHA-256 hash value from the downloaded file. If the SHA-256 hash value of the file matches that of the value published on the file’s download website, then the contents have not been altered.

It is worth remembering that just because a SHA-256 hash value matches, it does not mean that the file is safe, it just means that it has not been modified since the original hash value was generated.

 

Example

A SHA-256-bit hash value:

f478aee77925004290f017b27eb18fec86936fb96bcaffbf7bc4ae0e9f1cfbe3

 

Note

Another common hash algorithm you may encounter on websites offering file downloads is MD5. However, MD5 is now considered to be insecure and obsolete.

 

Hacking Considerations

If a website containing downloads with published hash values is hacked, the hacker could not only change a file’s contents but could also adjust the file’s hash value accordingly.

Here are two solutions that would help to circumvent this possibility. The first is to have the hash value contained in a digitally signed file such as a DOCX or PDF file which the user can download separately, or it could be included with the downloaded file. One way to do this would be to include both the required download and the file containing the hash value, in a ZIP file. That way, the recipient can verify that the document containing the hash value has not been modified, which guarantees the integrity of the generated hash value.

The second, and my preferred method, is to make the file to be downloaded a self-extracting file (EXE). This way, a digital code signing certificate can be added to the self-extracting EXE file, thus making a hash value unnecessary, and the validity of the files would be guaranteed. This method is used on PCFerret Pro’s download page.

The only drawback with these two methods is cost, as a document or code signing certificate would need to be purchased.

I recommend DigiCert for code signing certificates. There are companies who offer cheaper certificates but you do get what you pay for and DigiCert’s service is excellent, with quick delivery and first-class customer service.

 

*PCFerret Pro is a freely available Windows application, which was written by me. It is free for both personal and business use. There are no ads on nuisance screens. No unwanted software is installed. The software is digitally signed.

Disclosure: I receive no financial benefits from any third-party company, mentioned in this article.