What is Checksum?

A checksum, in simple terms, is a string of numbers derived from a file (software, a movie, an image, a document, or anything else) using a checksum algorithm. The same file always produces the same string on any device, and even the smallest change to the file produces a different checksum. Two different files “ideally” can’t have the same checksum, just as two people can’t have the same fingerprint.

These strings of numbers are used to check the integrity of a file to make sure that it has not been corrupted or tampered with in any way. To sum it up, a file produces a unique string of numbers, which is like its fingerprint. If you know the checksum of the original file then you could compare your file with the original one to verify if it has been corrupted, either unintentionally or intentionally by some malicious actor, in any manner.

Example:

A text file containing “apple” and a text file containing “aapple” would have completely distinct checksums even though they differ by only one letter.

An Illustration showing different files yielding different checksums

Different types of algorithms

There are many checksum algorithms, but the main ones are the Secure Hash Algorithm (SHA) family, which includes SHA1 and SHA256, and the Message Digest 5 algorithm (MD5). Currently, MD5 and SHA1 are not widely used for verification because researchers have found “collisions” in these algorithms, i.e. two different files with the same checksum were discovered. Even though the probability of that happening is low, a well-funded organization with malicious intent might be able to reproduce the results.

Therefore, wherever possible, SHA256 should be the preferred algorithm for verification.

When to verify checksum?

Ideally, you should verify a checksum whenever one is available: when downloading programs, movies, books, or anything else, if the developer/creator has made a checksum available, verify it.

What is integrity?

Integrity means that the downloaded file is the same as the original file. If the file is exactly the same, its integrity is not compromised. Integrity is a subset of authenticity.

What is authenticity?

Authenticity includes checking the integrity of the file along with verifying the source of the information. If both the integrity of the file and its source are verified, then we can say that the file is authentic.

Do checksums check for integrity or authenticity?

Checksums check the integrity of a file but are not a reliable way to check for authenticity. To check authenticity, GPG verification is recommended along with checksum verification.

Example: Let’s say a popular software website was hacked, and the hacker swapped the program hosted on the site with their bad program and also swapped the published checksum to match the malicious file. In this case, the checksum of the file you download will match the one shown on the site, so the integrity check passes, but the program will not be considered authentic because it does not come from the source that you expect.

Therefore, if you want to check the authenticity of a program, you should take extra steps like GPG verification.
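The scenarios described above can be replayed in a few lines of Python. This is an added example, not code from the original article; the file names and contents are constructed samples, and `sha256_file`, `verify`, `write` and `demo` are names chosen here for illustration.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so a large disk image never sits in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify(path, published_hex):
    """True when the file's SHA256 equals the published checksum."""
    expected = published_hex.strip().lower()  # tolerate case and stray whitespace
    return hmac.compare_digest(sha256_file(path), expected)


def write(directory, name, data):
    """Create a constructed sample file and return its path."""
    path = os.path.join(directory, name)
    with open(path, "wb") as f:
        f.write(data)
    return path


def demo():
    """Replay the article's scenarios on constructed sample files."""
    with tempfile.TemporaryDirectory() as d:
        original = write(d, "original.bin", b"apple")
        published = sha256_file(original)  # checksum the developer posts

        altered = write(d, "altered.bin", b"aapple")  # one extra letter
        # Compromised site: both the file and the posted checksum are replaced.
        replaced = write(d, "replaced.bin", b"constructed replacement program")
        swapped = sha256_file(replaced)

        return {
            "intact_download": verify(original, published),
            "one_letter_change": verify(altered, published),
            "swapped_file_and_checksum": verify(replaced, swapped),
            "swapped_file_original_checksum": verify(replaced, published),
        }


if __name__ == "__main__":
    for scenario, passed in demo().items():
        print(f"{scenario}: {'match' if passed else 'MISMATCH'}")
```

The `swapped_file_and_checksum` case reports a match, which is why a checksum fetched from the same place as the file confirms integrity only and says nothing about the source.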

How to Check a File Checksum in Linux

You just downloaded the latest version of your favorite distribution’s disk image and you are all ready to flash it to your USB drive and experience the latest and greatest. Sounds great, right? Before you press the install button, though, there is an important verification step that helps to check the integrity of your file: verifying the checksum.
