Home > Posts > HowTo: Check MSDN Subscriber downloads for tampering via SHA-1 key

HowTo: Check MSDN Subscriber downloads for tampering via SHA-1 key

Supposing you have an MSDN Subscription, you could download say SQL Server 2012 Standard Edition (x86 and x64) – DVD (English) from the following URL:

http://msdn.microsoft.com/en-us/subscriptions/downloads/hh442898.aspx#FileId=48810

Suppose you do so and you keep that .ISO file (a CD/DVD image that you can burn to a disk using Windows 7 or Active@ ISO Burner tool, or mount as a virtual disk with Daemon Tools or unpack with WinRAR etc.).

Later on before installing it you’d like to know if it has been tampered in between by some virus, or if it was tampered by some man-in-the-middle attack during the download process.

Luckily, the MSDN subscriber downloads page is accessible without even signing in with your Microsoft account credentials and has a Details link for each download item that shows an SHA-1 hash key for the file (very handy if you don’t want to use the company’s credentials on a developer machine, but just want to copy-paste the SHA-1 key from there to check it against the file you have at hand).

Speaking of SHA-1, it would be nice if Microsoft also displayed an MD5 key there too for cross-checking both of them, or even a SHA-3 key in the future, that is supposed to be more (cryptographically) secure.

To check the file against the SHA-1 key, you can use the Microsoft File Checksum Integrity Verifier (FCIV) tool, a free command line utility that computes MD5 or SHA1 cryptographic hashes for files: http://www.microsoft.com/en-us/download/details.aspx?id=11533

FCIV installer just unpacks an fciv.exe and a ReadMe.txt file. The command-line parameters for fciv.exe are displayed if you run it from a command-line (cmd.exe or command.exe in XP) window:

//
// File Checksum Integrity Verifier version 2.05.
//
Missing flag: -xml

Usage:  fciv.exe [Commands] <Options>

Commands: ( Default -add )

        -add    <file | dir> : Compute hash and send to output (default screen).

                dir options:
                -r       : recursive.
                -type    : ex: -type *.exe.
                -exc file: list of directories that should not be computed.
                -wp      : Without full path name. ( Default store full path)
                -bp      : specify base path to remove from full path name

        -list            : List entries in the database.
        -v               : Verify hashes.
                         : Option: -bp basepath.

        -? -h -help      : Extended Help.

Options:
        -md5 | -sha1 | -both    : Specify hashtype, default md5.
        -xml db                 : Specify database format and name.

To display the MD5 hash of a file, type fciv.exe filename

Based on those, you can create an fciv.bat file, where you have something like the following:

c:\users\myself\desktop\admin\fciv.exe -both %*
@pause

This batch file (fciv.bat) runs fciv.exe (assuming it is at path c:\users\myself\desktop\admin above, change this appropriately), passing it –both parameter to generate both SHA-1 and MD5 keys (could have used –sha1 instead for more speed, since MSDN doesn’t give MD5 key for files).

It uses %* to pass all command-line parameters of the batch file to the executable fciv.exe file. This means you can then drag-drop any file onto the fciv.bat at Windows Explorer and it will run fciv.exe on it, telling it to generate both MD5 and SHA-1 keys (shown in a tabular form at the output).

Before exiting, the batch file executes pause (the @ prefix means to not display the command itself on the console – could have also used an @echo off command at the start of the batch file but want to show the fciv.exe command path being executed for troubleshooting) instead of closing the console window immediately as would happen if you drag-dropped a file on fciv.exe itself). Pressing space after you read the hash keys (can also copy-paste them from the console right-clicking it and selecting Mark command, then drag to select and press SPACE key to copy), will then close the console.

Do note that FCIV also can take other parameters, to add calculated keys to a simple XML file (serving as a database) which it can use later on to check multiple files for tampering when you tell it to.

Advertisements
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: