Practical Application of Cryptographic Checksums
Checksum Formation with Free Software under MS-Windows, Unix/BSD,
GNU/Linux and MacOS X, with a Step-by-Step Introduction
to Signing and Encrypting E-mails and Files with OpenPGP

Peter Jockisch, Freiburg i. Br.

The PDF file contains all references of the original HTML version, hyperlinks are framed in color, visible in the browser or with a separate PDF viewer; when hovering with the mouse pointer, the address is displayed, by clicking on it the web page opens in the browser. There are no color frames when printing. Article excerpt:

1.1 Introduction

Computer files can be manipulated in many ways un­no­ticed. Cryptographic checksums, hash values, serve to protect your data: By forming an electronic fingerprint of a file, an always constant numerical value is created. If this value deviates at a later point in time, there is dam­age or manipulation. With a single mouse click, the in­teg­rity of a file can be checked at any time.

Cryptographic checksums form the basis for cryp­to­graph­ic signing and encryption, for website- and e-mail cer­tifi­cates, for the qualified electronic signature, and for the technical understanding of revision-proof e-mail archiving, to which all merchants are legally obliged.

This introduction presents two free graphical programs for checksum generation, CyoHash and Jacksum, for file man­ag­er operation.

Console-based programs are also described, they are avail­able across operating system platforms and are pre-installed on MS-Windows 10 as well as most Unix/BSD and GNU/Linux systems (see 2.3 for instructions). This means that no programs need to be in­stalled at all, the ex­ist­ing operating system resources are sufficient to cal­cu­late checksums.

1.2 Functional Principle
1.2.1 Electronic Fingerprints

Humans are complex creatures. In order to identify them quickly and easily, fingerprints are often created. Com­put­er files can be identified according to the same prin­ci­ple: by generating an “electronic fingerprint”, the so-called cryptographic checksum, an always constant num­ber.

By means of standardized procedures, a fast integrity and authenticity check of files of any kind can be carried out.

Human fingerprints are created with stamp pads, elec­tron­ic fingerprints with a checksum program.

Click on image to enlarge.

Fig.1: Proof of authenticity for human and computer files

1.2.2 Quality Criteria

We consider cryptographic checksums. They are based on hash functions, which provide hash values as a result for any file. This value is also called hash code.

A file, as well as identical copies of it, always has the same hash checksum. However, if only a single bit or char­ac­ter changes due to damage or manipulation, a com­plete­ly different hash code should be created.

A hash-function-checksum-procedure should therefore al­ways return different values for different computer files. Depending on the method used, the calculated check­sum always has the same length. Therefore, of course, only a limited number of numbers can be depicted: There are practically an infinite number of com­put­er files, so that it is impossible to assign a different value to each of these files with a number of fixed length.

From a security point of view, there are various attack scenarios, including forgery of documents. An attacker

would like to create a fake version of a given original file, for example a business order, with a manipulated, in­creased order quantity that has the same hash value check­sum. After making the changes to the document, he then tries to obtain a file version with a cryptographic check­sum identical to that of the original file by trial and error, perhaps by inserting invisible control characters. Such an attack, of course, uses supporting computer pro­grams.

If an attacker actually succeeds in creating a second file (at a reasonable cost in terms of time) containing the de­sired manipulations and which has the same cryp­to­graph­ic checksum of the original file, the hash function pro­cedure in question is “broken”. Once such a weakness becomes known, it should no longer be used. Due to con­tinu­ous research work, weaknesses are detected a long time in advance.

Click on image to enlarge.

Fig.2: Checksum collision

If there were a computer with infinite computational pow­er, theoretically any method could be broken by sim­ply trying out all the possibilities (brute force attack). In practice, such an approach is not considered practicable in the majority of cases, since the necessary cal­cu­la­tions are almost never feasible in a reasonable time.

Most hash functions have had a limited lifetime and have been replaced by successor functions for security

reasons. Computer generations with higher computing pow­er contribute to shortening the service life. In addition to computational force-based attacks, however, there are also attacks with a different orientation, and it can never be ruled out that mathematical creativity can be used to launch practicable attacks today.

In the background a huge army of mathematicians works and researches, especially for intelligence services. Not all scientific findings are published.

1.2.3 Prevailing Standards in the West and Russia

Until 2016, the Western IT infrastructure was pre­domi­nant­ly based on the SHA-1 al­go­rithm (Secure Hash Al­go­rithm 1). Since 2017, this algorithm has been re­gard­ed as finally broken, and the computing time required to corrupt it has fallen dras­ti­cal­ly. Experts now recommend the SHA-2 variants SHA256, SHA384, or SHA512.

The recommended successor algorithm to SHA-2, SHA-3[1], has been officially established since 2012.

In Russia and many other CIS states, GOST R 34.11-94 resp. GOST 34.311-95 were the previous hash standards in authorities and various economic sectors. [2] As with SHA-1, structural weaknesses were also found in this stand­ard.

1.3 Do Technologies exist that are blocked to the Public?
1.3.1 Obsolete Computer Systems

All computational power-related statements in this intro­duc­tion refer to publicly available computer systems and research work released to the general public. The use of the latest, most advanced computer technology is prob­ably currently still reserved for intelligence services in or­der to guarantee them a computing power advantage for an effective leveraging of established encryption tech­nol­ogy.

The widely approved encryption procedures may not be readily breakable for lower levels of government. How­ever, at the top of the hierarchy, at the intelligence level, there should be unrestricted access to the latest com­put­er technology. In addition, all data transferred via the Inter­net will probably be archived for automatic evalu­ation. Under this aspect, the resilience of files sent over the Internet that have been encrypted using publicly stand­ard­ized technology is put into perspective.

For a long time there have been considerations that cer­tain cryptographic algorithms raised to official standards

might have inherent mathematical weaknesses which are only known to the experts of the intelligence services. A pos­sibly existing influence of the secret services on the design of security products (software and possibly hard­ware backdoor problems, open questions about stand­ards, etc.) is the subject of numerous articles on computer security, for example in “Did NSA Put a Secret Backdoor in New Encryption Standard?”. Several renowned com­pa­nies have already directly or indirectly confirmed that they cooperate with intelligence services in their product de­vel­op­ment. One of the official reasons for this was the in­ten­tion to optimize the technical safety of company products. It remains to be seen how much pressure was exerted on “co­opera­tion”.

Corrupted electronics, known or unknown “advanced” hard­ware architectures with factory-built “remote main­te­nance” functions, possibly even with a wireless system built into the processor, represent the other side of the prob­lem.

1.4 Application examples: Business world, Internet, Archiving

Continue in the PDF document, the HTML version is no longer maintained due to time constraints.

Copyright 2008–2024 by Peter Jockisch,

All listed brand names, trademarks and work titles are the property of their respective owners.
For this translated article version DeepL ( was used extensively.

Imprint •  Privacy Statement •  Biographical Notes