Checksums and Hashes

I learned to appreciate the value of the Cyclic Redundancy Check (CRC) algorithm in my 8-bit, 300 baud file transferring days. If the CRC of the local file matched the CRC stored in the file (or on the server), I had a valid download. I also learned a little bit about the pigeonhole principle when I downloaded a file with a matching CRC that was corrupt! An 8-bit CRC only has 256 possible values, after all.

Checksums are somewhat analogous to filesystem “fingerprints” – no two should ever be alike, and any modification to the file should change the checksum. But checksums are unsuitable for any kind of security work:

CRCs cannot be safely relied upon to verify data integrity (that no changes whatsoever have occurred), since it’s extremely easy to intentionally change data without modifying its CRC.

That’s probably because CRC is a simple algorithm designed for speed – not security. As I discovered, a checksum is really just a specific kind of hash. Steve Friedl’s Illustrated Guide to Cryptographic Hashes is an excellent, highly visual introduction to the more general theory behind hashing. The .NET framework provides a few essential security-oriented hashing algorithms in the System.Security.Cryptography namespace:

  • MACTripleDes
  • MD5
  • SHA1
  • SHA256
  • SHA384
  • SHA512

As far as I can tell, there are only three hash algorithms represented here: Des, MD5, and SHA. SHA is available in a couple different sizes, and bigger is better: every extra bit doubles the number of possible hash values and thus reduces the pigeonhole effect. It also doubles the number of brute-force attempts one would theoretically need to make in an attack.
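To make the pigeonhole point concrete, here is an added Python example (not code from the original post or from .NET): it computes an 8-bit CRC over 257 constructed "files", which is one more than CRC-8 has possible values, so two of them are guaranteed to share a checksum, and shows that SHA-256 still tells the pair apart. The crc8 variant, the first_collision helper and the verify_download helper are my own assumptions for the demonstration.

```python
import hashlib
import hmac


def crc8(data: bytes, poly: int = 0x07) -> int:
    """Bit-serial CRC-8 (poly x^8+x^2+x+1, init 0, no reflection, no xorout).

    Assumed variant: the textbook CRC-8 whose check value for b"123456789"
    is 0xF4; chosen only to reproduce the 8-bit CRC the post describes.
    """
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def first_collision(messages, digest):
    """Return the first pair of distinct messages sharing a digest, else None."""
    seen = {}
    for m in messages:
        d = digest(m)
        if d in seen and seen[d] != m:
            return seen[d], m
        seen.setdefault(d, m)
    return None


def verify_download(data: bytes, expected_sha256_hex: str) -> bool:
    """Integrity check: constant-time comparison against the published digest."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256_hex)


# Constructed sample: 257 distinct "files", one more than an 8-bit CRC has
# possible values, so the pigeonhole principle guarantees a pair of CRC-8 twins.
SAMPLE_FILES = [b"file-%03d: hash browns" % i for i in range(257)]

CRC8_TWINS = first_collision(SAMPLE_FILES, crc8)          # always finds a pair
SHA256_TWINS = first_collision(SAMPLE_FILES, sha256_hex)  # None for these inputs

if __name__ == "__main__":
    a, b = CRC8_TWINS
    print(f"CRC-8 twins: {a!r} and {b!r} both -> {crc8(a):#04x}")
    print("b passes a's CRC-8:", crc8(b) == crc8(a),
          "| b passes a's SHA-256:", verify_download(b, sha256_hex(a)))
```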

However, if all you need to do is tell two things apart, you don’t need fancy security hashes. Just use the humble GetHashCode method:

Dim s As String = "Hash browns"
' Prints the Integer hash code .NET computes for this string
Console.WriteLine(s.GetHashCode())

I’m not clear exactly which algorithm was used to generate this hash, but I’m sure it’s at least as good as my CRC32 class.

I hear more hashing algorithms will be introduced with .NET 2.0. I’d like to see CRC32 in there at the very least. For an interactive demonstration of the 13 most popular hash algorithms, I recommend SlavaSoft’s HashCalc.

Written by Jeff Atwood
