When you download a file or make one available for others, the integrity of the file is just as important as anything in it -- both to guard against tampering and to ensure that files aren't corrupted during downloads or from being transported on bad media. Such things are rare, but they do happen, and they contribute in their own small way to what might be the only available copy of something becoming unusable. If you've ever downloaded something on a high-speed connection, burned it to CD for later use and then found out the burned copy was corrupt, you'll have experienced this firsthand.
What can be done to defend against this sort of problem? Many archives or self-extraction mechanisms have their own file verification systems, but there's something else you can do above relying on such things alone: Create an MD5 hash for the file.
The MD5 algorithm, created by Ron Rivest, is a way to "sign" a file to verify its contents mathematically. The hash consists of a 128-bit (16-byte) checksum -- also known as a "digest" -- that is generated cryptographically by using the contents of the file. No two files ever generate the same hash, and it's virtually impossible to craft a file that will have a given checksum ahead of time. This makes it enormously useful for verifying a patch or file archive: If you publish the file along with an MD5 checksum, then the end user or administrator can use a third-party tool to ensure that the file matches the hash.
One very simple implementation of an MD5 hash tool is DiamondCS MD5 from Diamond Computer Systems Pty. Ltd. It's a freeware app that runs in Windows and can generate an MD5 hash for any given file or even a piece of text. The resulting hash can be copied out (it's plain text) and provided either in a text file with the file itself or in a separate accompanying note. If either the hash or the file is damaged, they will not match, and you'll know something went wrong.
MD5 hashes are also used in many other contexts. Cryptography packages for e-mail allow you to sign an e-mail with both an MD5 hash and a cryptographic certificate. Doing so verifies that the contents did indeed come from the person in question. Likewise, a binary attachment in an e-mail can accompany an MD5 hash in the body of the e-mail.
About the author: Serdar Yegulalp is editor of the Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!
This was first published in October 2005