No announcement yet.


  • Filter
  • Time
  • Show
Clear All
new posts

  • HashFile

    I have a little app which I have been considering adding to the PB downloads section.

    It is no great shakes but has a few extra features than are found in similar applications. However, similar applications are thin on the ground.

    It is basically a wrapper for MD5, SHA1, SHA256 and Whirlpool. MD5 and SHA1 implement the API and SHA256 and Whirlpool implement Greg Turgeon's code. A subset of Don Dickinson's is also used. Both authors are credited within the application and the Properties sheet and I have assumed that they both will allow use of their efforts. If not please shout.

    The first three algorithms also have a HMAC facility. Unfortunately, I have not been able to obtain test vectors for HMAC-Whirlpool so it is not available by default. The HMAC key may be either a text string or a hex string and a built in hex string generator is provided via Greg's RandBytes code. I'd cut you in on a slice Greg but a percentage of nothing doesn't add up to much nowadays.

    The 'extra features' include saving the hash values to file and subsequent reading in addition to reading and writing to the screen.

    There is also a 'Straight comparison' for local files and this was recently overhauled to take into account the recent thread on large files although I settled on my own version.

    I wonder if some of you could spare 10 or 15 minutes to give it a work out.

    There is a small ReadMe.html file included in the zip which is only 86.1KB.

    If you would let me have an email address I'll send the zip.

    Actually, not just a work out - general feedback would be more than welcome - the UI may not go down well - it is not menu driven and is as spartan as I can make it - I've opted for a 'most everything is in front of you' approach.

    Thanks in advance.

  • #2
    Hi David ,

    I just implemented HMAC-MD5, HMAC-SHA1, HMAC-SHA256 and HMAC-SHA512 in my HIME library (V2.04 , to be released within a few months time).
    I suppose you used the same test vectors as I did (the ones from NIST for SHAxxx and RFC2202 ?) so the results should be okay .

    If you like, I could give it a test run to compare results for some awkward length (very long / very short) keys for example .
    Or if you send me some data/key combinations I can send you the HMAC results of my application.

    (support at devotechs dot com)

    Kind regards
    Last edited by Eddy Van Esch; 20 Nov 2007, 02:41 AM.


    • #3
      Hi Eddy

      Yes, I have used the same test vectors but also used those at Nessie for a bigger workout. is winging its way to you.



      • #4
        Got it, David. Thanks !

        Kind regards


        • #5
          Uses for this application?

          Or is this one of those cases where if I don't 'get it' from the above description, I don't need it?
          Michael Mattias
          Tal Systems (retired)
          Port Washington WI USA
          [email protected]


          • #6
            In reading from the screen mode we can check the integrity of a file against its hash value. publishes a MD5 checksum with its downloads. 2.3.1 RC1 is currently available with a MD5 checksum of 652ABB724BC0A1033E95530A8E21FB00. The download is 107.14MB. Linux distributions are large, perhaps 700MB, and they tend to come with hash values.

            After downloading it is a simple matter to navigate to the file, calculate its MD5 hash value and compare that with the above checksum. If they match then we can be confident that the download was successful. MD5 has 2^128 possible values so the chance of a collision, that is a false positive, is small.

            Some years ago I bought a defragmenter which misbehaved. The author suggested I repeat the download as he had not seen the problems I was having. The second download was fine. Since then the author has published a checksum with his downloads.

            In writing to the screen mode we can generate our own checksums and publish them on our websites or include with email attachments. We could have archive files which are not local but their checksums could be. I may have a file which I suspect may be corrupt. If you have the same file we can compare their respective hash values without the files moving.

            Hash values can be determined for any type of file, exe, jpg, pdf and whatever.

            With HashFile the hash values can be saved to file very easily and subsequently read.

            With HMAC we can include a secret key, either in the form of a password/phrase or hex string, which is effectively absorbed within the hash. That plus the resulting hash will allow a recipient, who has been given the secret key, to authenticate a file as well as check its integrity. The recipient, of course, needs a utility like HashFile. Well, thats easily solved - you just give them a copy.

            With HashFile we have SHA1, SHA256 and Whirlpool in addition to MD5. I favour SHA256 which is effectively a squaring of MD5's strength.

            On my machine I can calculate a SHA256 hash value of a 100MB file in 1.7 seconds so we are not talking about a time consuming exercise.

            Whether you would have a use for HashFile or its like, Michael, I have no idea. I can see some people using it now and again, as I do, and others may use it quite a lot.


            • #7
              Some websites show a message digest or hash value (often MD5) next to a downloadable file.
              After you have downloaded the file, you can calculate the hash value of the file yourself with Davids program and compare it with the value shown on the website.
              If these 2 values match, you know that the file on your harddisk was not tampered with or did not have any transmission errors.

              That's just one use.

              (Looks like David was posting at the same time ..)

              Kind regards


              • #8
                HashFile hasn't found its way into PB downloads yet, they are obviously busy right now.

                In the meantime I have decided to drop a link here.

                I have implemented some code by José Roca allowing the html Read Me file to be displayed by selecting an entry in the System Menu.

                Greg's RandBytes has been replaced by the Windows API equivalent. Greg's SHA256 and Whirlpool code is still there. The SHA256 code is very fast and on the heels of the MS MD5.

                I doubt that I will do any more work on this project unless someone spots a bug.

                I am now looking at D-HMAC [Dynamic HMAC] and a paper published in 2006. I am not aware of any code for it yet and have got the OK from one of the authors to write here about it. It will find its way into the Source Code Forum when I get time, unless someone beats me to it.

                For those of you who kindly looked at V 1.0 for me you may want to download this latest version, V 1.08, which has some security features with regard the HMAC shared key. I got slated by some friends for not having a minimize button - I may have taken minimalism too far.



                • #9
                  finger trouble


                  • #10
                    Originally posted by Michael Mattias View Post
                    Uses for this application?
                    checking that file you just sent via command line FTP arrived in one piece?