
What is checksum verification?

What are checksums?

While surfing the internet, you may have encountered long strings of numbers and letters next to download links. They may have looked something like this: SHA-256 hash value: F68F966BB322A4245ACE6A35D58F8F2CD263F89EADD8B16F53ACDD868976252F

Checksums are values computed from data before and after it is transmitted or stored. Comparing the two values reveals whether the data was corrupted or altered in between.

Note: Checksum verification does not replace anti-virus programs, firewalls, regular updates and the other security safeguards on your device.

An example:
You transmit the number 34567. The digit sum of this number is 3+4+5+6+7=25. The number 25 can be used as a checksum for the number 34567.

Using the digit sum is one way to create a checksum, but its very simplicity has disadvantages in practice. Transposed digits, an easy mistake to make, go undetected: 3+6+7+4+5 (the number 36745) also produces 25. Worse, the checksum 25 is also produced when the data itself has been changed, which is exactly what the checksum is supposed to flag: the number 4579, for example, also has a digit sum of 25. When changed data still passes the checksum test, this is called a collision. A collision is exactly what an attacker wants to achieve: they try to manipulate the data so that its checksum is the same as that of the original data.

The easy method, using the digit sum as the checksum, therefore offers no protection against deliberate manipulation of the data, because it is trivial to construct a different input with the same checksum. To avoid this, simple checksum methods must be replaced by cryptographic hash algorithms, which are designed so that deliberately producing a collision is computationally infeasible.

Cryptography algorithms

Today's conventional methods, such as SHA-256 from the SHA-2 family, are cryptographic hash algorithms, so they produce cryptographic checksums (hash values). With this kind of checksum it is practically impossible for two non-identical files to have the same value, and, unlike the digit sum, the value cannot be predicted or steered by making small changes to the input. No algorithm is perfect, however. The older MD5 and SHA-1 methods were designed with the same goal, but practical attacks now exist that produce two different files with the same MD5 or SHA-1 value, so a match with one of these only tells you that the file was not corrupted by accident, not that nobody has deliberately substituted it. If there are several methods to choose from, preference should therefore be given to SHA-2 (SHA-256 or SHA-512). MD5 and SHA-1 should only be used if nothing else is offered.
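To make the collision argument above concrete, here is an added example in Python; it is not code from the original page. It implements the article's digit-sum checksum, shows that an attacker can construct a colliding input for any digit-sum value directly, without searching, and contrasts this with SHA-256 over the same inputs, including a sweep over all 100,000 five-digit strings. The function names digit_sum, forge_digit_sum_collision and colliding_count are my own; the sample values 34567, 36745 and 4579 are the article's.

```python
import hashlib

# Values from the article: the original number, its transposition, and a
# different number with the same digit sum.
ORIGINAL = "34567"
TRANSPOSED = "36745"
OTHER = "4579"

# Constructed candidate set: every five-digit string, 00000 .. 99999.
FIVE_DIGIT_STRINGS = [f"{i:05d}" for i in range(100_000)]


def digit_sum(data: str) -> int:
    """The article's toy checksum: the sum of the decimal digits."""
    return sum(int(ch) for ch in data)


def sha256_hex(data: str) -> str:
    """Cryptographic checksum of the same data, encoded as UTF-8 text."""
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def forge_digit_sum_collision(original: str) -> str:
    """Attacker's view of the digit sum: build a DIFFERENT string of the same
    length whose digit sum equals that of `original`, with no searching.
    Greedy: spend the target sum on 9s from the left, then the remainder,
    then pad with 0s. The only n-digit strings without a same-length
    collision are all-0s and all-9s (and single digits); those raise."""
    target = digit_sum(original)
    digits = []
    remaining = target
    for _ in range(len(original)):
        d = min(9, remaining)
        digits.append(str(d))
        remaining -= d
    forged = "".join(digits)
    if forged == original:
        # The greedy form is non-increasing; if it equals the original, move
        # one unit from the first digit to the last, which keeps the sum.
        first, last = int(forged[0]), int(forged[-1])
        if len(forged) < 2 or first == 0 or last == 9:
            raise ValueError("no same-length collision exists for this input")
        forged = str(first - 1) + forged[1:-1] + str(last + 1)
    return forged


def colliding_count(checksum_fn, candidates) -> int:
    """Number of candidates whose checksum is shared with at least one other
    candidate, i.e. how much of the input space collides under checksum_fn."""
    groups: dict = {}
    for c in candidates:
        groups.setdefault(checksum_fn(c), []).append(c)
    return sum(len(g) for g in groups.values() if len(g) > 1)


def demo() -> dict:
    forged = forge_digit_sum_collision(ORIGINAL)
    return {
        # All four pass the digit-sum check although three differ from the original.
        "digit_sum_collides": digit_sum(ORIGINAL) == digit_sum(TRANSPOSED)
        == digit_sum(OTHER) == digit_sum(forged),
        "forged": forged,
        # SHA-256 separates the transposition from the original.
        "sha256_collides": sha256_hex(ORIGINAL) == sha256_hex(TRANSPOSED),
        # Across all 100,000 five-digit strings: nearly every string shares
        # its digit sum with another (only 00000 and 99999 do not), while no
        # two share a SHA-256 value.
        "digit_sum_colliders": colliding_count(digit_sum, FIVE_DIGIT_STRINGS),
        "sha256_colliders": colliding_count(sha256_hex, FIVE_DIGIT_STRINGS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of forge_digit_sum_collision is that the attacker never has to search: the digit sum is so structured that a colliding input can be written down directly. For SHA-256 no such construction is known, and the sweep over all five-digit strings shows the other side of the same property: with a 256-bit cryptographic hash, accidental collisions among realistic numbers of inputs simply do not occur.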

The methods that are currently thought to be most secure are listed in the algorithm catalogue published by the Federal Network Agency.

Because digital information is always represented as numbers (sequences of zeros and ones), a (cryptographic) checksum can be computed for every digital file, whether it is an e-mail, an image or a video file.

What is the purpose of checksum verification?

On its journey across the internet, data can be intercepted or manipulated. There is also a risk of data being corrupted at random. To enable you to check whether a file has arrived in its original, unchanged state, the creator of the download file uses a special program to generate a checksum before the file is made available via the internet. This checksum is then published on the internet alongside the download link.

Using a checksum verification program, you then compute the checksum of the downloaded file yourself and compare it with the one provided by the creator. This is worth doing even if the file comes from a trusted source, because the transmission path is not under that source's control. If the two values match, you can be relatively sure that the file or app you have downloaded has not been modified in transit.

HOWEVER: Before you compare checksums, first check whether the file you want to download can be verified using a digital signature. A signature offers a higher security level than a checksum: a checksum that is published next to the download can be replaced together with the file by anyone who controls the download server or the connection, whereas a signature is tied to the creator's private key and can be checked against a public key obtained separately.

Examples of checksums in use

The AusweisApp page can be used as an example of checksums in use. The screenshot below shows the checksums for the AusweisApp.

[Screenshot: checksums for AusweisApp on Windows, showing the file name and the associated SHA-256 hash value]
Example of checksums being given on the BSI website. Outlined in red: name of the installation file for "AusweisApp2". Outlined in green: checksum generated with the SHA-256 hash method.

Another example is the free program "OpenOffice": on its download page, a link to the "MD5 checksums" is placed below the OpenOffice download link. This link opens a list of the checksums, created using the MD5 algorithm, for all OpenOffice versions (language, operating system etc.). Such an MD5 value will still reveal a transmission error, but MD5 no longer protects against a file that has been deliberately substituted.

[Screenshot: OpenOffice.org checksums, here using OpenOffice.org 3.3.0 as an example]
The checksums for a version of OpenOffice.org can be found by clicking the "MD5 checksums" link.

Not a cure-all solution

In principle, a checksum only tells you whether the data is identical to what the creator published: it verifies the integrity of the data, not the trustworthiness of the sender. So you can check that the data was not modified in transit, but if the file was already dangerous when it was published, checksum verification alone will not detect this. This is why it is so important to use a virus scanner and to keep your software and operating system up to date.

Programs for checksum verification

All programs and program extensions for checksum verification work based on the same principle: They determine the checksum from the downloaded file using the algorithm specified by the user (MD5, SHA etc.). The checksum can then be compared with the checksum specified on the download page.

The programs listed below can be used to generate and verify checksums. Visit en.wikipedia.org for a list of other programs that can be used to calculate hash values:

  • The program Jacksum either needs to be started in the computer's console (command prompt in Windows) or integrated into the file browser via script. The latest information on installation and use can be found on the Jacksum website.
  • The open-source software "FileVerifier++" can be installed on Microsoft Windows like any other program. To generate the checksums of specific files, you first need to select the relevant checksum method offered by the download source in the "Algorithms" menu. You can then import the files to be checked using the "Files" button. The "Hash" column displays the checksum. If you wish to copy the checksum (into a text editor, for example), then click on the list entry with your right mouse button and select "Export to Clipboard as Text".

What should I do if the checksums are different?

If the checksums differ in any way (a single differing character is enough; do not expect the difference to look like the examples above), then either the data was transmitted incorrectly, the data was modified on the way, accidentally or deliberately, or the published checksum is out of date because the file was legitimately updated without the checksum being refreshed.

If the checksums do not match, take the following steps:

  • Do not open the data under any circumstances; delete it immediately.
  • Notify the source from which you obtained the data that the checksums do not match; the error might have occurred at that end of the process.
  • Try to obtain the data from another source.
  • If there are no other sources, clear your browser's cache and download history and download the data again. The issue could have been caused by a transmission error.
  • If the checksum still does not match on your second attempt, do not make any further attempts to obtain the data from this source. You should also delete the downloaded data from your storage medium.
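The procedure under "Programs for checksum verification" and the mismatch steps just listed, worked through as an added Python example; this is not code from the BSI page or from either of the tools it names. It computes the file's hash in chunks, parses a checksum list in the "<hex>  <filename>" format written by sha256sum and md5sum, compares the values case-insensitively and in constant time with hmac.compare_digest, and on a mismatch deletes the file and refuses it, as the first step above demands. The file names, the installer bytes and the "published" list in demo() are constructed for the example.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # read large downloads in 1 MiB pieces


def file_digest(path: str, algorithm: str = "sha256") -> str:
    """Hex checksum of a file, using the algorithm named on the download page."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def bytes_digest(data: bytes, algorithm: str = "sha256") -> str:
    """Same as file_digest, for data already in memory."""
    return hashlib.new(algorithm, data).hexdigest()


def parse_checksum_list(text: str) -> dict:
    """Parse '<hex>  <filename>' lines (sha256sum/md5sum output) into
    {filename: lowercase hex}. A '*' before the name (binary mode) is
    stripped; blank lines, '#' comments and malformed lines are skipped."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # not a checksum line
        digest, name = parts
        expected[name.lstrip("*")] = digest.lower()
    return expected


def digest_matches(actual_hex: str, published_hex: str) -> bool:
    """Case-insensitive, constant-time comparison. Any difference at all,
    including a wrong length, is a mismatch."""
    return hmac.compare_digest(actual_hex.lower(), published_hex.strip().lower())


def verify_against_list(path: str, checksum_list: str, algorithm: str = "sha256") -> bool:
    """True only if the file's checksum equals the published one for its name."""
    expected = parse_checksum_list(checksum_list)
    name = os.path.basename(path)
    if name not in expected:
        raise ValueError(f"{name!r} is not listed in the published checksums")
    return digest_matches(file_digest(path, algorithm), expected[name])


def handle_download(path: str, checksum_list: str, algorithm: str = "sha256") -> bool:
    """Apply the first rule on a mismatch: do not open the file, delete it
    immediately. Returns whether the file was accepted."""
    if verify_against_list(path, checksum_list, algorithm):
        return True
    os.remove(path)
    return False


def demo() -> dict:
    """Constructed run: a fake installer with its 'published' checksum, then
    a copy with one byte changed. Names and contents are made up."""
    with tempfile.TemporaryDirectory() as d:
        payload = b"constructed installer contents\n" * 1000
        good = os.path.join(d, "example-installer.exe")
        bad = os.path.join(d, "example-installer-tampered.exe")
        with open(good, "wb") as f:
            f.write(payload)
        with open(bad, "wb") as f:
            f.write(payload[:-1] + b"!")  # a single changed byte
        # The list as the creator would publish it (upper-case hex, as on the
        # AusweisApp page), plus the genuine value under the tampered copy's
        # name so that the copy is checked against what it claims to be.
        published = (
            f"{bytes_digest(payload).upper()}  example-installer.exe\n"
            f"{bytes_digest(payload)} *example-installer-tampered.exe\n"
        )
        genuine_ok = handle_download(good, published)
        tampered_ok = handle_download(bad, published)
        return {
            "genuine_ok": genuine_ok,
            "tampered_ok": tampered_ok,
            "tampered_deleted": not os.path.exists(bad),
            "genuine_kept": os.path.exists(good),
        }


if __name__ == "__main__":
    print(demo())
```

Two details matter in practice: the published value is looked up by file name, so a file that is not in the list is rejected outright rather than silently passing, and the comparison normalises case and whitespace first, because download pages print hex in either case and a copy-and-paste often carries a trailing newline. The algorithm is a parameter because the downloader must use whatever the source published (MD5 for the OpenOffice list, SHA-256 for AusweisApp); a SHA-256 value can never match an MD5 list.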