CSP-CERT® Resources:
Integrity Check – Importance of Knowing a File Hash

by Nathu Nandwani
posted November 2018


Integrity is one part of the CIA triad (this does not refer to a government agency). CIA stands for Confidentiality, Integrity, and Availability. These three concepts are the building blocks of security, and according to TechTarget, integrity involves the preservation of the trustworthiness of data over its life cycle. Put simply, data has integrity only if it was not tampered with while it was stored or in transit.

In technical terms, integrity in the digital world can be monitored with the help of a cryptographic concept called hashing. Hashing is the process of converting an input into a string of fixed length, determined by the algorithm used, that is effectively unique to that input. As an analogy, a piece of data's hash is something like a person's fingerprint. A fingerprint is basically unique to each person, although the chance of two different people having the same fingerprint is still debated, and hashes share this characteristic: two different inputs producing the same hash is called a "collision".

Today, hashing algorithms such as MD5, SHA-1, SHA-2, and many more are used to label data uniquely. For example, using the online MD5 generator at https://passwordsgenerator.net/md5-hash-generator/, typing in the string “CSPCERT” produces "1A7370FEA8FEBDAF8C8EDC8E637EE0F3" as its MD5 hash. Changing even one letter in that string, such as making one of them lowercase, changes the resulting MD5 hash.

When it comes to files or programs, a published hash lets downloaders check a file's integrity. An example of this is when a user downloads CCleaner:


Notice that the official download page lists an item named "MD5 Checksum" with the value "9A7ADBAE0D95D0D1FEB9904F3BCEDABB". After downloading ccsetup549.exe, the MD5 hash can be confirmed locally using the "md5sum" tool from BackTrack or Kali:


A matching hash confirms that the file is indeed the one hosted on CCleaner's official download page. If the official download page of CCleaner has not been compromised or hacked in any way, we can say that it is safe to install this CCleaner version. If the application has been infected with malicious code, its hash will not match the one on the official download page. To demonstrate this, suppose we change even just one byte of the executable file with a hex editor:


The MD5 hash of the modified file is now different:


Typically, it takes less than 1 KB to host a backdoor in any application, and because CCleaner’s installer is around 17 MB, a 1 KB change in file size is almost negligible! It is therefore important to compare the file hash with the one stated on the official download page, especially if the file was downloaded from an unknown source or even copied from a friend's hard drive, because we don’t want any compromise to happen.
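
The check described above, written out as an added example (it is not part of the original article): a Python equivalent of the md5sum comparison that normalises the published checksum before comparing, followed by a one-byte, same-size modification of a constructed sample file. The file names and sample bytes are assumptions made for the demonstration, and the algorithm parameter accepts SHA-2 names such as "sha256" as well as "md5".

```python
import hashlib
import hmac
import os
import tempfile


def file_digest(path, algorithm="md5", chunk_size=1 << 20):
    """Hash a file in chunks so a large installer is never loaded whole."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file(path, published, algorithm="md5"):
    """Return (matches, actual_digest) for a file and a published checksum."""
    # Download pages often list the value in upper case; md5sum prints lower
    # case. Normalise case and whitespace before comparing.
    expected = "".join(published.split()).lower()
    if len(expected) != hashlib.new(algorithm).digest_size * 2:
        raise ValueError(f"not a {algorithm} checksum: {published!r}")
    actual = file_digest(path, algorithm)
    return hmac.compare_digest(actual, expected), actual


def demo():
    """Constructed stand-in for an installer: change one byte, keep the size."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "setup-original.bin")  # hypothetical name
        tampered = os.path.join(d, "setup-tampered.bin")  # hypothetical name
        data = bytes(range(256)) * 4096                   # 1 MiB of sample bytes
        with open(original, "wb") as f:
            f.write(data)
        published = file_digest(original).upper()         # as a download page lists it
        patched = bytearray(data)
        patched[0x1234] ^= 0x01                           # the hex-editor edit
        with open(tampered, "wb") as f:
            f.write(patched)
        same_size = os.path.getsize(original) == os.path.getsize(tampered)
        ok_original, _ = verify_file(original, published)
        ok_tampered, tampered_md5 = verify_file(tampered, published)
        return same_size, ok_original, ok_tampered, published, tampered_md5


if __name__ == "__main__":
    same_size, ok_original, ok_tampered, published, tampered_md5 = demo()
    print("same size:", same_size, "| original matches:", ok_original)
    print("tampered matches:", ok_tampered, "| tampered MD5:", tampered_md5.upper())
```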