We download and install software and software updates regularly. How do we know these applications are safe? Should we trust the download, or should we be a little more careful about what we install on our computers. When it comes to voting systems, how do you know that the software installed by the manufacturer or someone else on your team is the certified version? When you’re buying a used car, do you trust the used-car salesperson, or do you have a trusted mechanic inspect the car before you decide to buy? Most of us would opt for the trusted mechanic.
Where is that “trusted mechanic” when it comes to software installation or file downloads? The answer is hash validation. A hash value is a digital fingerprint (a checksum) created by performing a mathematical operation (a hash function) on the data comprising a computer program or other digital file.
Any change in just one byte of the data comprising the computer program or digital file will change the hash value. The hash value is, therefore, a unique fingerprint for any program or digital file.
Ensuring a program or digital file has not been tampered with or just corrupted when downloaded or installed becomes a relatively simple matter of calculating the hash value and comparing it to the hash checksum provided by the developer or an independent lab. This is especially critical for voting systems. If they are not the same, the program has been changed in some way. This change is not always malicious but is a reason to proceed with caution.
Remember that hash checks are useful for ensuring the integrity of programs and files, but do not provide any type of authentication. In other words, the file you have may match the source but says nothing about the legitimacy of the source. When relying on hash values for validation, it is critical that it comes from a trusted source.
How do I validate a hash value?
It is important that the tool you use to validate a digital hash is from an independent, and preferably, open source. You will use the tool to convert the file into a hash value which you can then manually compare with the hash value from a trusted source. This is like balancing your checkbook, for those who still do this– you keep a record of transactions that you can compare against your bank statement to identify any errors. If the amount you show in your check register does not match your bank statement, you would know there is an issue to be addressed.
The mathematical process that creates the hash will create a string of letters and numbers that represent the file and is a standard length, regardless of the size of the file itself. You take the string produced by the third-party tool and compare them with what your trusted source says they should be. If they match, you’re good to go! If they don’t, there is an issue, and the file should be redownloaded or obtained directly from a trusted source. If your hash does not match the source’s hash, do not install the software!
If you are ready to start verifying the hash value of programs or files, here is a link to six free, open source hash checkers for Windows, Linux, and macOS.