SHA-1 Checksum verify?

亡梦爱人 submitted on 2019-12-12 02:50:29

Question


I was downloading from the Download Android Studio and SDK Tools page. It listed an SHA-1 Checksum whose value was f9b59d72413649d31e633207e31f456443e7ea0b.

My questions are:

1) What is the use of it?

2) How to test and verify it on Windows and Linux?

Can I also make a SHA-1 checksum of any file?


Answer 1:


1) What is the use of it?

In essence, hashing is a one-way (irreversible) process that takes some input data and produces a string - typically in hexadecimal - of a fixed length that uniquely* identifies that particular input data. This is very useful and has many applications but in your case, it's used to verify the integrity of files. A website uploads the hash of a file for the world to see and when the file is downloaded on your computer, you check whether or not the hash you calculate locally matches the hash displayed on the website. If they match, the file is intact but if they don't, the file on your computer is not identical to the file on the server - most likely because it was damaged/altered in transit.

2) How to test and verify it on Windows and Linux?

At least on *nix systems, there are several ways of comparing hashes. Nothing is stopping you from manually checking every character of two hashes for equality - this is often fast when you simply want to check a single file. Anyway, most of the hashing programs have a -c option for this purpose that will output "OK" in case of a match. To manually input the hash and file and pipe both to sha1sum for comparison, do this:

$ echo "672d844c60553f9b3db9844dc29ddf49bc426f45" /bin/echo | sha1sum -c -
/bin/echo: OK

To calculate the hash and make a file (echo.sha1) containing the hash and file path + file name:

# calculate hash and write it along with the file path + file name to a file
$ sha1sum /bin/echo > echo.sha1

# see the contents of the file
$ cat echo.sha1 
672d844c60553f9b3db9844dc29ddf49bc426f45  /bin/echo

# do the comparison
$ sha1sum -c echo.sha1 
/bin/echo: OK

Microsoft apparently provides The File Checksum Integrity Verifier for the same purpose. I'm on Linux and haven't tested it but the description says:

"The File Checksum Integrity Verifier (FCIV) is a command-prompt utility that computes and verifies cryptographic hash values of files. FCIV can compute MD5 or SHA-1 cryptographic hash values. These values can be displayed on the screen or saved in an XML file database for later use and verification."

I disagree with Microsoft's use of the phrase "cryptographic hash" in this context; maybe the program is outdated. Anyway, for the record, MD5 and SHA1 are not cryptographically secure hashing algorithms. They are, however, perfectly fine for doing quick file integrity checks.

Can I also make a SHA-1 checksum of any file?

You can indeed. In fact, there's no way of verifying file integrity without calculating the hash on your computer - it's part of the process. To get the sha1 sum of a file on Linux/Unix (in this case the "echo" binary again), you can simply do:

$ sha1sum /bin/echo
672d844c60553f9b3db9844dc29ddf49bc426f45  /bin/echo

There are other SHA hash lengths:

$ sha512sum /bin/echo 
1f481804f114677efbfc1438b04e88af5be8507e098792b714939fcd346b7477fdb4ae0c53fd48e96d1031fc8d6e3d8c8d4c4c80e121f5c5a39d18c912b33a11  /bin/echo

MD5 was used for the same purpose for a long time and sometimes still is (but, again, don't use MD5 or SHA1 for cryptography):

$ md5sum /bin/echo 
482a44200637097351e30c80b1155c27  /bin/echo

As you can see below, it works for strings as well. The -n option after echo strips out the newline character that would otherwise be part of the string and result in a wrong hash.

$ echo -n "some_string" | sha256sum
539a374ff43dce2e894fd4061aa545e6f7f5972d40ee9a1676901fb92125ffee  

If you run a server and want to do password logins, you typically don't store the actual passwords but, instead, you store a hash of the passwords. In this case, add a salt to the password before hashing and use the currently recommended hashing algorithm - bcrypt is a good choice in 2016.

I could go on and on about checksums vs. cryptographic hashing vs. encryption, rainbow tables, hash collisions, etc. but that's beyond the scope of your question.

* "(...) that uniquely identifies (...)" is an over-statement. Here's why. Nothing in this world is perfect - except one-time pads :)
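The verification workflow the answer describes, as an added example that is not part of the original answer: it computes SHA-1 digests of files and strings, checks a file against a published digest, writes a checksum file in the exact format `sha1sum -c` reads (digest, two spaces, filename), and shows what a mismatch looks like. The "hello world" file is a constructed stand-in for the downloaded installer, and the "published" digest is simply the digest of that constructed content; `sha1_cmd`, `sha1_of`, `sha1_of_string`, `verify_sha1`, `write_checksum_file` and `verify_checksum_file` are names chosen here. The script uses coreutils `sha1sum` when present and falls back to Perl's `shasum -a 1` (macOS/BSD).

```shell
#!/bin/sh
# Added example: SHA-1 download verification on Linux/Unix.
# Not code from the original answer; helper names are our own.

# Pick whichever SHA-1 tool the system has: coreutils sha1sum, or shasum -a 1.
sha1_cmd() {
    if command -v sha1sum >/dev/null 2>&1; then echo "sha1sum"; else echo "shasum -a 1"; fi
}

# Hex digest of a file (first field of "digest  filename").
sha1_of() {
    $(sha1_cmd) "$1" | cut -d' ' -f1
}

# Hex digest of a string. printf '%s' adds no trailing newline; `echo` would,
# and that single byte changes the digest (the answer's -n remark).
sha1_of_string() {
    printf '%s' "$1" | $(sha1_cmd) | cut -d' ' -f1
}

# Compare a published digest with the file's actual digest. Hex is case-
# insensitive, so normalise first. Returns 0 on match, 1 on mismatch.
verify_sha1() {
    vs_file="$1"
    vs_published="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
    vs_actual="$(sha1_of "$vs_file")"
    if [ "$vs_actual" = "$vs_published" ]; then
        echo "$vs_file: OK"
        return 0
    fi
    echo "$vs_file: FAILED (expected $vs_published, got $vs_actual)"
    return 1
}

# Write "<digest>  <filename>" (two spaces) so that `sha1sum -c` accepts it.
write_checksum_file() {
    printf '%s  %s\n' "$(sha1_of "$1")" "$1" > "$2"
}

# Run the tool's own -c mode over a checksum file.
verify_checksum_file() {
    $(sha1_cmd) -c "$1"
}

# --- demo on constructed data ---------------------------------------------
demo_dir="$(mktemp -d)"
printf 'hello world\n' > "$demo_dir/download.bin"      # stand-in for the download
published=22596363b3de40b06f981fb85d82312e8c0ed511       # digest of that content

verify_sha1 "$demo_dir/download.bin" "$published"        # download.bin: OK

write_checksum_file "$demo_dir/download.bin" "$demo_dir/download.sha1"
cat "$demo_dir/download.sha1"
verify_checksum_file "$demo_dir/download.sha1"           # download.bin: OK

# One extra byte is enough for the check to fail.
printf 'hello world!\n' > "$demo_dir/tampered.bin"
verify_sha1 "$demo_dir/tampered.bin" "$published" || echo "mismatch detected"

# Same string, with and without the newline `echo` would append.
echo "no newline:   $(sha1_of_string 'hello world')"
echo "with newline: $(sha1_of_string 'hello world
')"
```

On Windows the same computation is `certutil -hashfile download.bin SHA1` at a command prompt or `Get-FileHash -Algorithm SHA1 download.bin` in PowerShell; compare the printed digest with the published one. Two caveats a practitioner should keep in mind: a digest only proves the file matches what the publisher posted, so it must come from a page you trust (fetched over HTTPS from the vendor, not from the same mirror that served the file), and practical SHA-1 collisions have existed since 2017, so an attacker who controls both the file and the published digest can defeat SHA-1; prefer the SHA-256 value whenever the download page offers one.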


Source: https://stackoverflow.com/questions/36444317/sha-1-checksum-verify
