SHA-1 Checksum verify?


Question

I was downloading Android Studio and SDK Tools. A SHA-1 checksum was listed there, with the value f9b59d72413649d31e633207e31f456443e7ea0b.

My questions are:

1) What is the use of it?

2) How to test and verify it on Windows and Linux?

Can I also make SHA-1 Checksum of any file?

Recommended answer

1) What is the use of it?

In essence, hashing is a one-way (irreversible) process that takes some input data and produces a string - typically in hexadecimal - of a fixed length that uniquely* identifies that particular input data. This is very useful and has many applications but in your case, it's used to verify the integrity of files. A website uploads the hash of a file for the world to see and when the file is downloaded on your computer, you check whether or not the hash you calculate locally matches the hash displayed on the website. If they match, the file is intact but if they don't, the file on your computer is not identical to the file on the server - most likely because it was damaged/altered in transit.

2) How to test and verify it on Windows and Linux?

At least on *nix systems, there are several ways of comparing hashes. Nothing is stopping you from manually checking every character of two hashes for equality - this is often fast when you simply want to check a single file. Anyway, most of the hashing programs have a -c option for this purpose that will output "OK" in case of a match. To manually input the hash and file and pipe both to sha1sum for comparison, do this:

$ echo "672d844c60553f9b3db9844dc29ddf49bc426f45" /bin/echo | sha1sum -c -
/bin/echo: OK

To calculate the hash and make a file (echo.sha1) containing the hash and file path + file name:

# calculate hash and write it along with the file path + file name to a file
$ sha1sum /bin/echo > echo.sha1

# see the contents of the file
$ cat echo.sha1 
672d844c60553f9b3db9844dc29ddf49bc426f45  /bin/echo

# do the comparison
$ sha1sum -c echo.sha1 
/bin/echo: OK

Microsoft apparently provides The File Checksum Integrity Verifier for the same purpose. I'm on Linux and haven't tested it but the description says:

"The File Checksum Integrity Verifier (FCIV) is a command-prompt utility that computes and verifies cryptographic hash values of files. FCIV can compute MD5 or SHA-1 cryptographic hash values. These values can be displayed on the screen or saved in an XML file database for later use and verification."

I disagree with Microsoft's use of the phrase "cryptographic hash" in this context; maybe the program is outdated. Anyway, for the record, MD5 and SHA1 are not cryptographically secure hashing algorithms. They are, however, perfectly fine for doing quick file integrity checks.

Can I also make SHA-1 Checksum of any file?

You can indeed. In fact, there's no way of verifying file integrity without calculating the hash on your computer - it's part of the process. To get the sha1 sum of a file on Linux/Unix (in this case the "echo" binary again), you can simply do:

$ sha1sum /bin/echo
672d844c60553f9b3db9844dc29ddf49bc426f45  /bin/echo

There are other SHA hash lengths:

$ sha512sum /bin/echo 
1f481804f114677efbfc1438b04e88af5be8507e098792b714939fcd346b7477fdb4ae0c53fd48e96d1031fc8d6e3d8c8d4c4c80e121f5c5a39d18c912b33a11  /bin/echo

MD5 was used for the same purpose for a long time and sometimes still is (but, again, don't use MD5 or SHA1 for cryptography):

$ md5sum /bin/echo 
482a44200637097351e30c80b1155c27  /bin/echo

As you can see below, it works for strings as well. The -n option after echo strips out the newline character that would otherwise be part of the string and result in a wrong hash.

$ echo -n "some_string" | sha256sum
539a374ff43dce2e894fd4061aa545e6f7f5972d40ee9a1676901fb92125ffee  

If you run a server and want to do password logins, you typically don't store the actual passwords but, instead, you store a hash of the passwords. In this case, add a salt to the password before hashing and use the currently recommended hashing algorithm - bcrypt is a good choice in 2016.

I could go on and on about checksums vs. cryptographic hashing vs. encryption, rainbow tables, hash collisions, etc. but that's beyond the scope of your question.

  • "(...) that uniquely identifies (...)" is an over-statement. Here's why. Nothing in this world is perfect - except one-time pads :)
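
The verification steps from the answer above, wrapped into a reusable shell function; this is an added example, not part of the original answer. The function name verify_checksum and the sample file are assumptions, and it goes beyond SHA-1 by choosing md5sum, sha1sum, sha256sum or sha512sum from the length of the published digest.

```shell
#!/bin/sh
# Added example: check a download against a published checksum.
# verify_checksum is a hypothetical helper name, not a coreutils command.
# Returns 0 on match, 1 on mismatch, 2 on unusable input.
verify_checksum() {
    file=$1
    # Normalise the published value: strip whitespace, lower-case the hex.
    want=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')

    # Reject anything that is not purely hexadecimal.
    case $want in
        ''|*[!0-9a-f]*) echo "not a hex digest: $2" >&2; return 2 ;;
    esac

    # Choose the tool from the digest length in hex characters.
    case ${#want} in
        32)  tool=md5sum ;;
        40)  tool=sha1sum ;;
        64)  tool=sha256sum ;;
        128) tool=sha512sum ;;
        *)   echo "unexpected digest length: ${#want}" >&2; return 2 ;;
    esac

    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }

    # Hash via stdin so the output is "<hash>  -", then keep the hash only.
    got=$("$tool" < "$file" | cut -d ' ' -f 1)

    if [ "$got" = "$want" ]; then
        echo "$file: OK ($tool)"
        return 0
    fi
    echo "$file: FAILED ($tool): expected $want, got $got" >&2
    return 1
}

# Constructed demo: "abc" is the standard SHA-1 test vector; the published
# value is deliberately upper-case and space-grouped, as some sites print it.
# printf is used so no trailing newline ends up in the hashed data.
demo=$(mktemp)
printf 'abc' > "$demo"
verify_checksum "$demo" "A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D"
rm -f "$demo"
```

On Windows, `certutil -hashfile <file> SHA1` or PowerShell's `Get-FileHash -Algorithm SHA1 <file>` prints the digest to compare against the published value.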
