What are MD5Sum and SHA-1?

02 June, 2009
ISO images have become a de facto standard for sharing software over the web, and nowadays between peers. They are mostly used for packaged, licensed and genuine software such as operating systems and large development suites. Well-known examples include Ubuntu Linux images, Windows XP images and Visual Studio 2008 images. These images are in a compressed format with the additional feature that integrity and authenticity are maintained. That is the reason they cannot be edited even with software like WinRAR or Magic ISO Maker, although some recent software, such as the latest version of Magic ISO Maker (5.5.274), can edit them as well.

The case in question, though, is an ISO file that gets corrupted by an erroneous file transfer or download, or by a damaged file hosted on a server. If you burn and use that ISO, say to install an OS, you will have to repeat all the steps after getting a clean ISO. No software can come to your rescue in that case, since the data stream is corrupted and cannot be corrected. So how can you check that your ISO is clean, assuming it has come from an authentic source? MD5SUM and SHA-1 are the answer.

Sources like Microsoft, Ubuntu, Sun Microsystems and Google support MD5Sum and SHA-1 hash codes when they offer ISO images for public download. Check the image below. Note that md5sum is of no use if the intended ISO is user-made or has come from inauthentic sources.

Example of SHA-1 hash

The program md5sum is designed to verify data integrity using the MD5 (Message-Digest algorithm 5) 128-bit cryptographic hash. MD5 hashes used properly can confirm both file integrity and authenticity.

In terms of integrity, an MD5 hash comparison detects changes in files that would cause errors. The possibility of changes (errors) is proportional to the size of the file; the possibility of errors increases as the file becomes larger. It is a very good idea to run an MD5 hash comparison check when you have a file, like an operating system install CD, that has to be 100% correct.

In terms of security, cryptographic hashes such as MD5 allow for authentication of data obtained from insecure mirrors. The MD5 hash must be signed or come from a secure source (an HTTPS page) of an organization you trust.

While security flaws in the MD5 algorithm have been uncovered, MD5 hashes are still useful when you trust the organization that produces them. Moving to more secure hashes like SHA-256 and Whirlpool is under discussion.

MD5SUM and SHA-1 on Linux

Most Linux distributions come with the md5sum utility so installation is usually unnecessary. We are going to use the Ubuntu 8.10 LiveCD for the following example:

First go to the directory that contains the downloaded ISO file:
  • cd download_directory
Then run the following command from within the download directory:
  • md5sum ubuntu-8.10-i386.iso
    sha1sum ubuntu-8.10-i386.iso  (for SHA-1)
The md5sum command should print a single line after calculating the hash:
  • 24ea1163ea6c9f5dae77de8c49ee7c03 ubuntu-8.10-i386.iso
Compare the hash (the alphanumeric string on the left) that your machine calculated with the corresponding hash provided by the owner of the ISO (if you do not have it, Google it). When both hashes match exactly, the downloaded file is almost certainly intact. If the hashes do not match, there was a problem with either the download or the server. You should download the file again, either from the same mirror or from a different mirror if you suspect a server error. If you continuously receive an erroneous file from a server, please be kind and notify the webmaster of that mirror so they can investigate the issue.
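The compare step above can be scripted so that the match is not judged by eye. The following is an added example, not part of the original post: verify_hash is a hypothetical helper name, and the sample file is constructed from the well-known "abc" test vectors so the script runs without an ISO.

```shell
#!/bin/sh
# Added example: compare a file's digest with a published value.
# verify_hash is a hypothetical helper, not part of md5sum/sha1sum.
# Return status: 0 = match, 1 = mismatch, 2 = bad input.
verify_hash() {
    vh_file=$1
    # Publishers print digests in either case, and copy/paste often adds
    # whitespace, so normalise the expected value before comparing.
    vh_want=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')

    [ -f "$vh_file" ] || { echo "no such file: $vh_file" >&2; return 2; }

    # Reject anything that is not pure hexadecimal.
    case $vh_want in
        ''|*[!0-9a-f]*) echo "not a hex digest: $2" >&2; return 2 ;;
    esac

    # Digest length identifies the algorithm: MD5 = 32 hex chars, SHA-1 = 40.
    case ${#vh_want} in
        32) vh_tool=md5sum ;;
        40) vh_tool=sha1sum ;;
        *)  echo "unsupported digest length: ${#vh_want}" >&2; return 2 ;;
    esac

    # Both tools print "<digest>  <filename>"; keep the first field only.
    vh_got=$("$vh_tool" -- "$vh_file" | cut -d' ' -f1)

    if [ "$vh_got" = "$vh_want" ]; then
        echo "OK ($vh_tool): $vh_file"
        return 0
    fi
    echo "MISMATCH ($vh_tool): $vh_file" >&2
    echo "  expected $vh_want" >&2
    echo "  actual   $vh_got" >&2
    return 1
}

# Constructed sample: a 3-byte file containing "abc", checked against the
# standard MD5 and SHA-1 test-vector digests for that string.
sample=$(mktemp)
printf 'abc' > "$sample"
verify_hash "$sample" 900150983CD24FB0D6963F7D28E17F72 || true
verify_hash "$sample" a9993e364706816aba3e25717850c26c9cd0d89d || true
rm -f "$sample"
```

For the download in this walk-through the call would be verify_hash ubuntu-8.10-i386.iso 24ea1163ea6c9f5dae77de8c49ee7c03, which selects md5sum from the 32-character digest.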

MD5SUM and SHA-1 on Windows

Windows does not come with MD5Sum and SHA-1 utilities, but there are graphical tools such as the one used in the walk-through below:

  1. Download and run MD5 & SHA-1 Checksum Utility, a free and open source hash verification utility.
  2. Browse to the ISO file and the MD5 and SHA-1 hash will be generated.
  3. Copy the corresponding hash from the owner of the ISO into the 'Hash' text box.

    MD5 and SHA-1 checksum utility v1.1

  4. Click "Verify"
  5. A message box will say if the hashes are equal.