The Crypto Revolution has started and many people are buying, selling, trading, and hodling cryptocurrencies. Most people find security in exchanges, phone app wallets, and crypto banks. Other people find security in managing their own crypto by installing desktop/laptop clients or running their own cold storage solutions.
The Crypto Revolution has also brought a wave of con artists, scammers, and hackers. These baddies are constantly finding new ways to get your money and coins. They can alter websites, run massive, successful phishing attacks, and/or inject viruses into software packages, all aimed at gaining access to your computer and your data.
If you are one of the few who prefer to manage your coins via a desktop client on your own computer, well, first, congratulations, you are smart! But more importantly, how can you be sure the desktop client or coin management tool you are about to download has not been compromised?
The solution?
Trust, but Verify.
SHA256 Explained
So what the heck is SHA? Here is the boring definition:
(Secure Hash Algorithm) A family of popular one-way hash algorithms used to create digital signatures. The 160-bit SHA was developed by the National Institute of Standards & Technology (NIST) in 1993, and SHA-1 was the first revision in 1994. SHA-1 is similar to the MD4 and MD5 algorithms developed by Rivest, but is slightly slower and more secure. See MD5. SHA-2 and SHA-3: Released in 2001, the stronger SHA-2 version superseded SHA-1. Because computers are increasingly more powerful, the stronger algorithm is encouraged by certificate authorities (CAs) to prevent an attacker from impersonating a CA. SHA-256 and SHA-512 are SHA-2 algorithms using hash lengths of 256 and 512 bits respectively, and SHA-224 and SHA-384 are truncated versions.
Ok, what the heck is SHA?
Simply speaking, SHA is a method that allows you to create a unique signature (more precisely, a hash or digest) from a digital asset. This signature is based on the exact digital content of the asset, so any change to that content produces a different signature.
This is what a SHA-256 signature looks like:
185379f203feca19eac1d6c1f96f82d391f6ffbabf9b1a7cd013b3b0888ad450
So how or when do I use it?
Let’s say a friend of yours is sending you a file over the internet. He or she can simply send the file over email, Dropbox, or other means. No problem. Most likely you would not bother to verify the authenticity of this file because it is coming from a trusted source.
But let’s say you do want to verify the authenticity of the file your friend is sending. In this case, you can ask your friend to simply run the file through a SHA calculator and get the unique signature. When your friend sends you the file over the internet, he or she can then text you or email you the signature. To verify the authenticity, you simply run the file through a SHA calculator yourself and compare the signature you get to the signature sent by your friend.
This sounds like a lot of work, but not really. Here are the steps:
Sender: Run the file to be sent through a SHA calculator.
Sender: Send the file and the SHA signature separately.
Receiver: Run the file through a SHA calculator and compare the signatures.
If the file your friend is sending got corrupted or intentionally modified in transit, then the signature you generate from it will be completely different from the one provided by your friend.
In the Crypto World, there are many examples of projects releasing their latest and greatest clients and providing a SHA signature along with the download. Here is one example of NEO doing just that.
Keep Your Coins SAFE
In my opinion, every download should be accompanied by a SHA signature. It’s a super simple way of providing a layer of trust and verification that protects both the owner and the user. Unfortunately, this is not always the case.
I must admit I have not always followed this cardinal rule and have downloaded files without much verification. But on some occasions, I have gone to the extreme of asking the file owners for the SHA signatures. Some are kind enough to provide them, but most won’t.
Now that you understand the power of SHA, let’s go through some quick examples of how it works, how to verify, and where you can find SHA generators.
SHA Generators
You can find many SHA calculators or generators online. These are super simple to use because you can simply drag and drop a file or some text and generate the unique signature. Here are some I trust:
Now, if you don’t trust online generators, you could get one from your trusted App Store.
Finally, the best solution is to use the SHA generator built into your computer. Yes, there is a SHA generator in every computer, if you know where to look.
SHA-256 on OS X
Generate
On Apple Systems, simply open Terminal and use the following command to generate a signature of a file on your hard drive:
shasum -a 256 REPLACE THIS TEXT WITH FILE LOCATION
On Windows, Open Command Prompt and use:
CertUtil -hashfile <path to file> SHA256
A SHA256 signature looks something like this:
185379f203feca19eac1d6c1f96f82d391f6ffbabf9b1a7cd013b3b0888ad450
Verify
To verify, you could check character by character or, if you are a Mac user, you can use the following command:
shasum -a 256 -c <<<'PASTE SIGNATURE HERE *PASTE FILE LOCATION'
Here is an example of how it would look:
shasum -a 256 -c <<<'185379f203feca19eac1d6c1f96f82d391f6ffbabf9b1a7cd013b3b0888ad450 */Users/myusername/Desktop/DSCF2022.jpg'
Notice how I kept the <<<, the ' and the *.
If the above is run properly and the file has not been compromised, it will return a simple OK.
If the file has been compromised and the signature does not match, the command will return: shasum: WARNING: 1 computed checksum did NOT match
Here is an example in Terminal. Notice how the checksum fails when I modified the signature.
Here is a tip: on Mac systems, to get the file location, simply find the file you are running through SHA and copy it. Go to Terminal and paste. This will paste the exact location.
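Here is the sender/receiver procedure from earlier and the shasum -c check above worked through end to end, as an added example that is not part of the original post: a small POSIX shell script that computes the SHA-256 of a file and checks it against a published digest, using whichever of sha256sum, shasum, or openssl the machine happens to have. The file names, the sample contents, and the "tampered" copy are constructed for the demo; the expected digest is the well-known SHA-256 of the three bytes "abc".

```shell
#!/bin/sh
# Added example (not from the original post): generate a SHA-256 digest of a
# file and verify it against a digest published separately by the sender.
# Assumes at least one of sha256sum, shasum or openssl is installed.

# Print the lowercase hex SHA-256 digest of the file named in $1,
# using whichever hashing tool this machine provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | cut -d' ' -f1
  else
    # openssl prints "SHA256(file)= <hex>" (or "SHA2-256(file)= <hex>" in 3.x)
    openssl dgst -sha256 "$1" | sed 's/^.*= //'
  fi
}

# Compare the digest of file $1 with the expected digest $2 (case-insensitive).
# Returns 0 and prints "<file>: OK" when they match, returns 1 otherwise.
verify_sha256() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    echo "$file: OK"
    return 0
  else
    echo "$file: FAILED (expected $expected, got $actual)"
    return 1
  fi
}

# Demo with constructed files: a "download" that matches the published digest,
# then the same file altered in transit by a single byte.
demo() {
  tmp=$(mktemp -d)
  printf 'abc' > "$tmp/client.bin"   # constructed sample download
  # Known SHA-256 of the bytes "abc" (the digest the sender would publish).
  good=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
  verify_sha256 "$tmp/client.bin" "$good"
  printf 'abd' > "$tmp/client.bin"   # tampered copy
  verify_sha256 "$tmp/client.bin" "$good" || echo "tampered copy rejected"
  rm -rf "$tmp"
}

demo
```

Two things worth noting when adapting it: the <<< syntax in the shasum -c command above is a bash/zsh feature, which is why the script passes the digest in a plain variable so it also runs under /bin/sh; and a matching digest only proves that the file you hold is the one the publisher hashed, so the digest must come to you over a channel the person who could swap the download cannot also alter, exactly as the "send the file and the signature separately" step says.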
Voila!
Now you know how to generate and verify SHA Signatures!
Be Safe Out There!
And,
Thanks For Reading!
DanielRe
👨💻👍
XRP: rsXdvxi7w95EvxhS52gw4p12QSwqWBTWZ6
BTC: 38iAyqxbTQ4TrMxY1BXMtYJPCtN8w9iPJv
BCH: qprdpgvcnqrzpv6s5aml6hfk7px8h0nf8glpvzm9zm