SHA256 Checksums Verify Firmware Supply Chain Security Integrity

JULY 6, 2012
Using Cryptographic Hashes to verify file download integrity

NOTE: Don’t use MD5 (see below)

The SHA hash functions are a set of cryptographic hash functions designed by the National Security Agency (NSA) and published by the NIST as a U.S. Federal Information Processing Standard (see: SHA stands for Secure Hash Algorithm.

Vendors provide a sha-1 or better sha-256 hash for software downloads. This enables you to verify that your downloaded files are unaltered from the original.


To confirm file integrity, use a software tool on your computer to calculate your own hash for files downloaded from the vendor’s web site.

NOTE: It’s important that the checksums you are comparing to are publicly available and visible on the vendors website without having to go through a paywall or logging in to see.  This will help ensure against tampering by unauthorized people and make the work of applying the patch easier to validate along the entire supply chain. How often do we have a patch downloaded by one person from the vendor, sent to a consultant on site to download to the server, tested by someone else, then actually applied to the production system?  Each of these steps in the supply chain should include checking the integrity of the file being applied against a known good checksum.

If your calculated hash matches the message digest we provide, you are assured that the file was downloaded intact.

Tools are available for Windows and Linux and Mac. Most UNIX installations provide a built-in command for these hashes. You may need a newer linux kernel to calculate the checksums for larger files.

The Microsoft File Checksum Integrity Verifier (FCIV) can be used on Windows based products to verify sha-1 values. See for details on FCIV.

Mac OS X: How to Verify a SHA-1 Digest

Instructions on checking an sha-1 checksum on a Mac:
In Finder, browse to /Applications/Utilities.
Double-click on the Terminal icon. A Terminal window will appear.
In the Terminal window, type: “openssl sha1 ” (sha1 followed by a space).
Drag the downloaded file from the Finder into the Terminal window.
Click in the Terminal window, press the Return key, and compare the checksum displayed to the screen to the one on the vendor’s download page.

UPDATE: you can now also run “shasum -a 256” from the latest mac OS X command line.

From TechNet

Windows Server 2008 R2 Standard, Enterprise, Datacenter, and Web (x64) – DVD (English)
File Name: en_windows_server_2008_r2_standard_enterprise_datacenter_web_x64_dvd_x15-50365.iso
Size: 2,858 (MB)
Date Published (UTC): 8/31/2009 10:22:24 AM
Last Updated (UTC): 1/11/2010 4:31:40 PM
SHA1: A548D6743129F2A02C907D2758773A1F6BB1BCD7
 ISO/CRC: 8F94460B

About MD5

MD5 was designed by Ron Rivest in 1991 to replace an earlier hash function, MD4. In 1996, a flaw was found with the design of MD5. While it was not a clearly fatal weakness, cryptographers began recommending the use of other algorithms, such as SHA-1 (which has since been found also to be vulnerable). In 2004, more serious flaws were discovered, making further use of the algorithm for security purposes questionable; specifically, a group of researchers described how to create a pair of files that share the same MD5 checksum. Further advances were made in breaking MD5 in 2005, 2006, and 2007. In an attack on MD5 published in December 2008, a group of researchers used this technique to fake SSL certificate validity.

US-CERT says MD5 “should be considered cryptographically broken and unsuitable for further use,”and most U.S. government applications now require the SHA-2 family of hash functions.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s