Avatar

Cisco continues to strengthen the security in and around its products, solutions, and services. This week Cisco began providing a Secure Hash Algorithm (SHA) 512 bits (SHA512) checksum to validate downloaded images on www.cisco.com. Cisco already provided a Message Digest 5 (MD5) checksum as the secured hash of the software but the newer SHA512 hash value is now generated on all software images, creating a unique output that is more secure than the MD5 algorithm.

What is SHA512?

SHA512 is part of the SHA family of cryptographic hash functions, which are part of the Secure Hash Standard (SHS) specification. SHA512 provides a more adequate cryptographically secure functionality than MD5.

The SHA512 checksum (512 bits) output is represented by 128 characters in hex format, while MD5 produces a 128-bit (16-byte) hash value, typically expressed in text format as a 32-digit hexadecimal number.

The following example provides a comparison of the output of an SHA512 checksum with an MD5 checksum for a Cisco ASA software image (asa941-smp-k8.bin).

SHA512 checksum
1b6d41e893868aab9e06e78a9902b925227c82d8e31978ff2c412c18ac99f49f7035471544
1385e0b96e4bd3e861d18fb30433d52e12b15b501fa790f36d0ea0

MD5 checksum
6ddc5129d43a22490a3c42d93f058ffe

How Can I Use It?

The SHA512 value is available during the download process and can be used by customers for software image validation. The following is an example of the new SHA512 checksum of a Cisco ASA Software image.

SHA512 CHECKSUM CISCO ASA SOFTWARE EXAMPLE
SHA512 CHECKSUM CISCO ASA SOFTWARE EXAMPLE

SHA512 Verification on *nix machines (Linux, FreeBSD, MAC OSX, etc.)

In the following example, the shasum tool is used to validate the software image that was downloaded from www.cisco.com.

bash-3.2$ shasum -a 512 asa933-smp-k8.bin
e2a8b6b47dc784c263c36758c788e0b8835b1c1caaf23747d21cea93875ce60cc0069f98c0c9a988e440e
92bd2be9c1be85525c78a16047779abddfe89705e51 asa933-smp-k8.bin

In the previous example, the SHA512 checksum matches the one displayed in the Cisco Software Download site.

SHA512 Verification on a System Running Microsoft Windows

SHA512 verification on a Windows PC can be a little tricky. The functionality to perform SHA512 was added as part of the Microsoft PowerShell utility in Version 4, which may not come preinstalled with the operating system. To install PowerShell 4.0, see How to install Windows PowerShell 4.0. The following is an example of how to perform a SHA512 verification on a Windows machine using PowerShell:

SHA512 Verification on Windows
SHA512 Verification on Windows

SHA512 Verification on Cisco ASA

The Cisco ASA also supports SHA512 checksum validation with the verify /sha-512 command, as demonstrated in the following example.

omar-asa# verify /sha-512 disk0:/asa941-smp-k8.bin
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Done!
verify /SHA-512 (disk0:/asa941-smp-k8.bin) = 1b6d41e893868aab9e06e78a9902b925227c82d8e31978ff2c412c18ac99f49f70354715441385
e0b96e4bd3e861d18fb30433d52e12b15b501fa790f36d0ea0
omar-asa#

In the previous example, the software image  asa941-smp-k8.bin is verified.

The SHA512 checksum verification is one of the many technologies and processes that allow the customer to validate the integrity of the product. The following white papers provide additional resources on how to perform device integrity checks in Cisco IOS and Cisco IOS XE devices.

Additional Resources: