Official WinHasher Site: http://www.gpf-comics.com/dl/winhasher/
Last Updated June 8, 2009
From Wikipedia:
In cryptography, a cryptographic hash function is a transformation that takes an input and returns a fixed-size string, which is called the hash value. Hash functions with this property are used for a variety of computational purposes, including cryptography. The hash value is a concise representation of the longer message or document from which it was computed. The message digest is a sort of "digital fingerprint" of the larger document. Cryptographic hash functions are used to do message integrity checks and digital signatures in various information security applications, such as authentication and message integrity.
A hash function takes a long string (or "message") of any length as input and produces a fixed length string as output, sometimes termed a message digest or a digital fingerprint. A hash function (also called a "digest" or a "checksum") is a kind of "signature" for a stream of data that represents the contents. One analogy that explains the role of the hash function would be the "tamper-evident" seals used on a software package.
In various standards and applications, the two most-commonly used hash functions are MD5 and SHA-1.
For more information, look up "cryptographic hash function" on Wikipedia.
As described in the synopsis above, one of the primary uses of cryptographic hashes is to verify and validate computer software or digital files. It is common practice among many developers, especially in the Open Source community, to provide a hash of a file next to its download link. Once the user has downloaded the file, they can generate a hash using the same hashing algorithm on their own machine and compare this computed hash to the hash listed on the originating site. If the two hashes match, the user can then safely assume that (1) the downloaded file arrived intact and uncorrupted and (2) it has not been tampered with since the original hash displayed on the site was posted.
However, security experts will wisely caution that this does NOT guarantee that the downloaded file is completely safe. A hacker or malicious system administrator could have easily modified the file after the developer posted it, recomputed the hash, and placed the modified file and hash in the original's place. It also does not guarantee that the file is free from viruses, trojans, or other malware that have infected the file before the hash was computed. Therefore, cryptographic hashes should be just one in a series of checks a user should perform before deciding that a file downloaded from the Internet is safe to use.
Cryptographic hashing is readily available on many computer operating systems. It often comes built-in to the OS or as a (relatively) standard optional package. Mac OS, Linux, Free/OpenBSD, and many other OSes include OpenSSL as either a pre-installed or easily installable optional component. OpenSSL includes several command-line components for generating cryptographic hashes and there are a number of graphical user interface (GUI) applications that allow point-and-click access to its capabilities.
Not so with Microsoft Windows. Windows does not include any built-in utilities for cryptographic hashes, and installing and using OpenSSL on Windows is not a trivial matter. The typical Windows user of today is much less familiar with the Windows Console (i.e. command line) let alone compiling software from source. And while cryptographic hashes are pretty much standard in programming libraries such as the Microsoft .NET Framework, the user is required to write and compile their own applications to use them.
This "hashing divide" has annoyed me for some time. While I consider myself to be an operating system agnostic and find myself equally home on both Windows and Linux, there are many times I've downloaded Windows-only software but didn't have the capability to verify the file's hash. Either I've been unable to install and run OpenSSL on a given machine, or I haven't had the time or access to a Linux box to copy the file over, generate the hash, and verify it before install. So I wanted to create a quick, simple, easy-to-use Windows app so I could get the hash of a file without waiting or moving it around. I also thought it would be a nice idea to be able to quickly compare the hashes of multiple files without having to generate each one and manually check every hexadecimal digit, so I added that functionality too. After writing the program, I thought it might be useful to others, so I decided to share.
WinHasher supports the following cryptographic hashes, which are made available by default through the Microsoft .NET Framework either as pure managed classes or interfaces to the unmanaged Microsoft CryptoAPI:
hash and md5 applications will display a warning whenever MD5 is the selected hash.
In addition, the following hashing algorithms have been added, either from freely available sources or completely written from scratch by myself:
It is my eventual goal to include other cryptographic hashes into this application, either by including code from freely available sources or by writing the algorithms myself.
The output of a cryptographic hash is raw binary data. However, it is usually represented by one of several output formats that encode raw binary data with easily identifiable text. WinHasher currently supports the following output formats:
Please read the WinHasher license for complete licensing information. WinHasher is released under the GNU General Public License version 2, which outlines information concerning its use, redistribution, and warranties. Please read this license fully before using this application.
It should be noted that cryptographic hashes and digests do NOT guarantee authenticity or ownership of digital files. Hashes and digests should NOT be confused with digital signatures, which verify both file integrity and the authenticity of the file's creator. Hashes and digests ONLY guarantee that the file has not been altered or corrupted in transit, and it is trivial for a hacker to alter both a file and the displayed hash if a remote site is hacked. If both integrity and authenticity are required, please use an application such as PGP or GnuPG to create and/or verify digital signatures.
After releasing WinHasher, it came to my attention that there already exists a separate WinHasher application that performs a similar function. This application is unrelated to the other application by the same name and was independently developed. I make no claims of trademark on the name "WinHasher" and from my understanding, neither has the other application's developer. Since my application came second, I will happily defer and rename my WinHasher if the other developer asserts ownership of the name. However, since names can mean a great deal in today's world of search engines, I will continue to use the name unless explicitly asked to change it by the other application's developer. You can find the other WinHasher by searching for "WinHasher" at Google and going to any of the shareware/freeware download sites listed. My WinHasher is currently only available at GPF-Comics.Com.
The primary system requirement for WinHasher is the Microsoft .NET 2.0 Framework. This is a special series of common libraries that specially-built applications can call upon to provide standard Windows functionality. (Hard-core developers will recognize this is a gross oversimplification, but that should suffice for most people.) As such, WinHasher will not work unless .NET 2.0 is installed. .NET itself has its own system requirements that must be met in order for it to be usable, but if your system meets these requirements running WinHasher will be no problem.
To download the Microsoft .NET 2.0 Framework or obtain more information about it, click here. It should also be available through Windows Update or Microsoft Update on most versions of Windows newer than Windows 98SE. Note that .NET 3.0 or higher is NOT an "upgrade" from 2.0; it is a separate framework, designed to be installed alongside 2.0. So if you have .NET 1.1, 3.0, or any other version of the framework installed, you still must install .NET 2.0 for WinHasher to work.
Beyond .NET's own requirements, WinHasher doesn't require much. However, since cryptographic hashes are very CPU intensive to produce, it should be pointed out that WinHasher will perform better with more RAM and CPU horsepower available. Therefore, the faster your CPU is and the greater amount of free RAM available, the faster WinHasher will work. This is especially true for multi-file comparisons of very large files.
Installing WinHasher should be a breeze, thanks to InnoSetup. Simply download and run the installer program, just like you would for virtually any Windows application. However, the setup program includes a number of options that can get confusing, so let's talk a little about each one.
After choosing the install location, you will be presented with a series of installable "components." There are three main components: the WinHasher Windows application, the WinHasher console (command-line) application, and the HTML help files. Since this help file pertains to the console application, we will ignore the Windows application option for now. Installing the HTML help installs this file and the necessary shortcuts to access it.
When you install the console version of WinHasher, the installer will run a little helper application that will add the path to the console programs to your system's PATH environment variable. That way you will be able to access WinHasher from any directory on your system. WinHasher tries to play nice and appends its path to the end of the PATH so it shouldn't interfere with other programs. Note, however, that if your PATH is ridiculously long it could cause problems and Windows won't be able to find the programs. If you decide to uninstall WinHasher, it will also clean up after itself and remove its path from the PATH. (I hate it when other programs don't do this.) Note that on Windows 98 and ME, changing the PATH requires a reboot to take effect; on NT-derived systems (including 2000, XP, and Vista) you must close all open console windows and restart them before the PATH change takes effect.
One of the beauties about using the .NET Framework to develop WinHasher is that it's technically not restricted to Microsoft Windows. Anyone can (in theory) develop their own .NET framework based on Microsoft's specifications to run on any platform, and thus run any .NET application built for that framework. Mono is one such project which runs .NET client and server applications on Linux, Solaris, Mac OS X, Windows, and Unix. However, at the time of this writing, Mono mostly supports .NET 1.1 and only partially supports .NET 2.0. MoMA reports that WinHasher should work with Mono 1.2.5 (or higher, I assume). However, I do not plan to officially offer support for non-Windows use of WinHasher. Personally, I think there are much better tools already available for other OSes, and you'd be better off using those instead. Still, if you're a glutton for punishment, feel free to give it a try.
Currently, WinHasher requires installation on the target machine. However, all the installer really does is set up WinHasher in a predictable (yet user-customizable) location and optionally creates "Send to" shortcuts and adds the install path to the Windows PATH. In theory, WinHasher should be able to be used in a "portable" fashion which does not require installation. In order to use WinHasher as a portable app, you will need to install it on one machine and copy the WinHasherCore.dll library and any of the executables you wish to carry. The DLL must be in the same location as the executables, as it contains the core hashing engine for all the programs. You can then run the WinHasher executables anywhere you wish.
There are, however, a few caveats to point out with using WinHasher in a portable manner:
HKCU\Software\GPF Comics\WinHasher. Note that the registry keys are only created by the GUI application in GUI mode and not by the console apps.
hash program
The primary console program for WinHasher is hash. Run without any arguments, hash will display a somewhat standard usage statement:
    C:\Program Files\WinHasher>hash
    WinHasher v. 1.4.0.0
    Copyright 2009, Jeffrey T. Darlington. All rights reserved.
    http://www.gpf-comics.com/dl/winhasher/
    Usage: hash [-md5|-sha1|-sha256|-sha384|-sha512|-ripemd160|-whirlpool|
           -tiger] [-base64|-hexcaps|-bubbab] filename1 [filename2 ...]
    WinHasher is a command-line cryptographic hash generator for files. It runs in one of two modes: single file hashing and multi-file comparison.
    In single file mode, WinHasher computes the cryptographic hash of the given file and prints it to the screen. With no command-line switches, it computes the SHA-1 hash and displays it in hexadecimal format. Various switches allow you to change to other hashing algorithms, such as MD5, the SHA family, RIPEMD-160, Whirlpool, and Tiger. The "-base64" switch causes WinHasher to output hashes in MIME Base64 (RFC 2045) format rather than hexadecimal, "-hexcaps" outputs hexadecimal with all capital letters, and "-bubbab" uses Bubble Babble encoding.
    In multi-file comparison mode, WinHasher computes the specified hash for each file given and compares the results. If the hash of every file matches, then all files in the batch are declared to be the same. If one or more hashes do not match the others, a warning will be displayed indicating as such. In this way, you can determine whether two or more files share the same contents despite file name, path, and modification time differences.
hash expects at least one command-line argument: a file to compute a hash for. If you supply a file name as an argument, hash will by default compute the SHA-1 hash of the file and return a hexadecimal representation of it:
    C:\Program Files\WinHasher>hash C:\some\path\to\somefile.jpg
    SHA-1: e14e93cce06ab2ebd5852bc4d83e75148a2676cd
Note that this default behavior has changed from previous versions of hash! Versions prior to 1.4 displayed the MD5 hash of the file and did not include the small hash name header. If you are using hash as part of a script, please update your code to take these changes into account.
If the file's path contains spaces, you must include the entire path in double quotes:
    C:\Program Files\WinHasher>hash "C:\This path has spaces\somefile.jpg"
    SHA-1: e14e93cce06ab2ebd5852bc4d83e75148a2676cd
If you specify multiple files on the command-line, hash enters comparison mode. The hash (SHA-1 by default) for each file is computed individually, then all the hashes are compared. If the hashes of every file specified are equal, then all the files are said to match:
    C:\Program Files\WinHasher>hash file1.jpg file2.jpg
    Congratulations! All 2 files match!
However, if at least one file in the batch does not match the others, then the entire batch fails the test. So it's an all-or-nothing comparison:
    C:\Program Files\WinHasher>hash file1.jpg file2.doc
    WARNING! One or more of these 2 files do not match!
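An added Python sketch (not WinHasher's own code) of the all-or-nothing comparison described above, extended to report which files share a digest and to check one file against a published hash given in hex or Base64. The function names are assumptions made for this example.

```python
import base64
import hashlib
import hmac
from collections import defaultdict


def file_digest(path, algorithm="sha1", chunk_size=1 << 20):
    """Hash a file in chunks so large files never sit in memory whole."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.digest()


def compare_files(paths, algorithm="sha1"):
    """Return (all_match, groups); groups maps hex digest -> list of paths.

    all_match is True only when every file produced the same digest, which
    is the all-or-nothing result; groups shows which file is the odd one out.
    """
    groups = defaultdict(list)
    for path in paths:
        groups[file_digest(path, algorithm).hex()].append(path)
    return len(groups) == 1, dict(groups)


def parse_published(text, algorithm="sha1"):
    """Decode a published hash written as hex (either case) or Base64."""
    size = hashlib.new(algorithm).digest_size
    text = text.strip()
    if len(text) == 2 * size:
        try:
            return bytes.fromhex(text)
        except ValueError:
            pass  # right length for hex but not hex digits; try Base64
    try:
        raw = base64.b64decode(text, validate=True)
    except ValueError:
        raise ValueError("not a hex or Base64 digest") from None
    if len(raw) != size:
        raise ValueError("digest length does not fit " + algorithm)
    return raw


def verify_download(path, published, algorithm="sha1"):
    """True only if the file's digest equals the published one.

    Both sides are compared as raw bytes, so letter case and the choice of
    text encoding cannot cause a false mismatch.
    """
    expected = parse_published(published, algorithm)
    return hmac.compare_digest(file_digest(path, algorithm), expected)
```

A True result only says the bytes match the published value; it carries the same limits the introduction describes when the published hash itself cannot be trusted.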
To change which hashing algorithm to use, supply the appropriate algorithm switch as the first command-line argument. So for SHA-256:
    C:\Program Files\WinHasher>hash -sha256 somefile.jpg
    SHA-256: ed25e7af09323d82af975641cbcd291368e50f173fd191e7760d05244aada29f
The algorithm switch consists of a hyphen (not a slash, which is the standard Windows command-line switch prefix, because it's always my hope to support other platforms) followed by the algorithm name in all lower case. Any punctuation (like the hyphens for the SHA family) is dropped. If you're ever in doubt on what a switch for a particular algorithm is, just run hash with no arguments to get the usage text. The algorithm switches will be listed and should be pretty easy to figure out.
To generate hash output in MIME Base64 rather than hexadecimal, include the -base64 switch. The following produces the SHA-1 hash of a file in Base64 format:
    C:\Program Files\WinHasher>hash -base64 somefile.jpg
    SHA-1: 4U6TzOBqsuvVhSvE2D51FIomds0=
The Base64 switch can be combined with any hash algorithm switch. The order of the two switches is unimportant, but all switches must come before the list of files to hash. For example:
    C:\Program Files\WinHasher>hash -sha256 -base64 somefile.jpg
    SHA-256: zIdgsm9nv4AoeEwZ+hMyL5h+JuiOGRr3v6siCXIogKc=
hash -sha256 -base64 is equivalent to hash -base64 -sha256. While you can specify the Base64 switch on multi-file comparisons, it is silently ignored. It doesn't really matter whether the comparisons are made on strings of hexadecimal characters or strings of Base64 characters, just that the two strings either match or not.
In the same fashion, you can use the -bubbab switch to put the output in Bubble Babble format:
    C:\Program Files\WinHasher>hash -bubbab somefile.jpg
    SHA-1: xumeg-vugos-sumok-pesiv-roham-hupus-gukef-vityc-gadad-kytas-texox
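The output switches only change how the same raw digest bytes are written down. The following added Python example (not WinHasher's code; the names render and bubble_babble are assumptions) takes the SHA-1 value from the console examples above and reproduces the hexadecimal, Base64 and Bubble Babble strings shown on this page.

```python
import base64

VOWELS = "aeiouy"
CONSONANTS = "bcdfghklmnprstvzx"


def bubble_babble(data: bytes) -> str:
    """Bubble Babble encoding: pronounceable five-letter groups plus a
    running checksum (seed) that makes typos in a read-aloud hash detectable."""
    seed = 1
    out = ["x"]
    rounds = len(data) // 2 + 1
    for i in range(rounds):
        last = i + 1 == rounds
        if last and len(data) % 2 == 0:
            # Even-length input: the final group carries only the checksum.
            out += [VOWELS[seed % 6], "x", VOWELS[seed // 6]]
            break
        b1 = data[2 * i]
        out += [
            VOWELS[((b1 >> 6) + seed) % 6],
            CONSONANTS[(b1 >> 2) & 15],
            VOWELS[((b1 & 3) + seed // 6) % 6],
        ]
        if not last:
            b2 = data[2 * i + 1]
            out += [CONSONANTS[b2 >> 4], "-", CONSONANTS[b2 & 15]]
            seed = (seed * 5 + b1 * 7 + b2) % 36
    out.append("x")
    return "".join(out)


def render(digest: bytes, fmt: str = "hex") -> str:
    """Write raw digest bytes in one of the output formats named on this page."""
    if fmt == "hex":
        return digest.hex()
    if fmt == "hexcaps":
        return digest.hex().upper()
    if fmt == "base64":
        return base64.b64encode(digest).decode("ascii")
    if fmt == "bubbab":
        return bubble_babble(digest)
    raise ValueError("unknown output format: " + fmt)


# SHA-1 value printed in this page's console examples.
PAGE_SHA1_HEX = "e14e93cce06ab2ebd5852bc4d83e75148a2676cd"

if __name__ == "__main__":
    raw = bytes.fromhex(PAGE_SHA1_HEX)
    for fmt in ("hex", "hexcaps", "base64", "bubbab"):
        print(f"{fmt:8} {render(raw, fmt)}")
```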
If the first argument is not a recognized switch (say, you made a typo and typed hash -sha258), an error message is displayed and the algorithm defaults to MD5, hexadecimal output. Then the first argument is treated as a file name, which may or may not be what you wanted. (In this example, "-sha258" is not likely to be a valid file name.)
The algorithm switch can, of course, be combined with multiple file arguments to do a comparison using that particular hash. For example, to compare three files using RIPEMD-160:
    C:\Program Files\WinHasher>hash -ripemd160 file1.jpg file2.jpg file3.jpg
md5 and sha1
Because MD5 and SHA-1 are so prevalent on the Internet, as a convenience, I've also included two alternate programs, md5 and sha1, that perform just these hashes. md5 is equivalent to running hash -md5, while sha1 is equivalent to hash -sha1. Neither of these programs will accept the algorithm switches as the first argument. They will, however, accept the -base64 and -bubbab switches, but only if they come first before the file list.
Creating these extra programs is a bit redundant, but Windows does not have a mechanism for aliases or symbolic links. If there is enough demand, I can create other "convenience" programs for the other algorithms. However, I also believe in the concept of less is more, so I will only go that route if there are enough requests.
This document is © Copyright 2009, Jeffrey T. Darlington. It and the software it describes are released under the GNU General Public License, Version 2.