The Archives

Security, Software, Technology
WinHasher 1.6
February 8th, 2010 (1 month ago) by Jeff | Permalink | Dump Core
Wow! A non-Twitter digest post! Amazing!

This is a quickie to let you guys now I’ve just released WinHasher 1.6. This is a minor release containing a few cosmetic and minor functional changes, so there’s no need to upgrade unless the features or bug fixes listed below seem worth the effort.
- Added a progress indication message for all the console applications. Previously, these programs simply went off into lala land when you kicked them off, kind of like the original GUI version did, giving you no indication how far along things have come. Now the program displays what it’s doing (“Computing SHA-1 of…”) and then a percentage complete as it works. Once complete, it displays the resulting hash as it did before. I thought about making the progress indicator “graphical” with little periods, hyphens, or equal signs, but the percentage was a lot easier to do (and I’m lazy).
- Added a “case kludge” for comparing computed hashes against reference hashes (i.e. digests copied from a website). Typically, most sites will display hashes as a lower-case hexadecimal string, which is why I made that the default. However, I and other users have run into occasions where a download site presents the hash as upper-case hexadecimal. Unfortunately, if you paste this value into the comparison field on either the main WinHasher form or the “Send To” result dialog, the comparison will fail simply because the case does not match, even if the actual hash values do. Technically, you can tweak the command line of the “Send To” shortcut or change the output type on the main form, but either can be a pain when you know what you expect to see. So I’ve added a little bit of code that looks at what the comparison expects (i.e. “I’m looking for a lower-case hex string”) and adjusts the case of the comparison field if necessary. This means lower-case hex and Bubble Babble comparisons are forced to lower-case, while upper-case hex is forced to upper-case, no matter what case the original pasted-in string was. In the case of Base64, which includes mixed case characters, the comparison string is compared unaltered. After any case adjustment, the hash comparison occurs as previously designed.
- Fixed a bug that wasn’t displaying the icon correctly within the application itself. Oopsy.
For those who don’t know, WinHasher is a cryptographic hash generator for Microsoft .NET. It is roughly analogous to digest programs on other platforms (such as “openssl dgst” from OpenSSL) but designed for Windows and other .NET platforms. It lets you verify the integrity of downloads and determine whether changes have been made to files. It does NOT guarantee the authenticity of a file; for that, use cryptographic signatures such those produced by PGP or GnuPG. It also lets you create hashes of arbitrary text, which is handy for generating strong “passwords”, although I’m working on a different project that will do a much better job of this particular task. [Looks around shifty-eyed.]
Software, Technology
WinHasher 1.5 Released
July 9th, 2009 (8 months ago) by Jeff | Permalink | Dump Core
Just posting a quick note to let you guys know I’ve bumped good ol’ WinHahser to version 1.5. This is both a bug and feature release, so both of you using it will probably want to upgrade. Here’s a quick list of the changes:
- Bug fix: When I wrote the hashing engine, I made sure to use a 64-bit integer when computing the total sum of the size of all files in a multi-file comparison. This allowed for a whopping total of 8.05EB (exabytes, or millions of gigabytes) of data to be compared. Unfortunately, I used the wrong data type when running this calculation on a single file, using a 32-bit integer instead. That put the cap on a single file at around 2GB, which can easily be exceeded by a decent-sized DVD ISO. The really embarrassing thing here is that .NET’s System.IO.FileStream object uses a 64-bit integer for its Length attribute, meaning this was totally my mistake, not Microsoft’s. The end result here is that WinHasher would crash on files larger than 2GB since it would end up trying to calculate its percent complete on an overflowed negative value. I’ve updated the code so that the single-file length calculations also use 64-bit integers and now I can finally validate that Fedora 11 DVD ISO download. Note that there’s still a hard cap at 8.05EB whether your hashing a single file or you sum up multiple files together. While it’s possible to bump this up to an unsigned 64-bit integer and go for even more ridiculous large numbers, I seriously doubt anyone is going to be running a SHA-1 hash that large any time soon.
- The “Send To” shortcuts call the GUI app via the command line to hash a file and throw the result up into a dialog box, making it convenient to right-click a file and quickly get a hash. Unfortunately, I was using a standard MessageBox object for this, meaning the hash was displayed in a read-only form that couldn’t be copied and pasted elsewhere to be compared. (It’s much easier to copy and paste two hashes into a text editor, for example, and visually scan the two lines for differences.) Well, I wasn’t the only one to find this annoying. WinHasher user Todd Henry had issues with this too and suggested that I either put the hash result in a text box that could be copied and pasted elsewhere, or add a box where an externally produced hash (say from a Web site) could be pasted into the dialog and have WinHasher compare them. Interestingly enough, I was already planning to make that change when he wrote me, and now it’s there. Once WinHasher is done, it will display a new result dialog with both a copyable hash result field and a new “compare to” field that will take an external hash string and tell you if it matches or not.
- The Hash Single File tab in the main GUI app also has a new “compare to” field that works in an identical fashion to the one in the result dialog described above. I didn’t see a need to add it to the Hash Text tab, and it would be redundant on the Compare Files tab.
- And in the completely useless trivia department, I’ve added hooks in to my Subversion clients to add the SVN revision number as the last part of the version number. This is more for my purposes than anything else, but now if you have a problem and can give me the full version number of the app, I know exactly what revision of the code you’re using.
I realized after I updated the files and the site that I forgot to make any changes to the documentation to reflect these updates. Oh, well. I don’t think they’re major enough to sweat over, so I’ll leave those alone for now and make sure they get updated by the next release.
Software, Technology
WinHasher 1.3
June 30th, 2008 (1 year, 8 months ago) by Jeff | Permalink | Dump Core
For both of you out there who care, WinHasher has now been bumped to version 1.3. The changes are very minor, so there’s no need to upgrade unless you find the following two new features useful:
- There’s now a drop-down box to choose between hexadecimal output and Base64 (RFC 2045, although without line wrapping). I personally like using Base64 because it’s more compact than hex and more “obscure-looking”; even non-coders are familiar with hex, seeing it in error messages all the time, but are less familiar with Base64, which looks more like “random noise”. The default output is still hex, so you only need to switch modes if you really find Base64 more useful.
- There’s now a tab in the GUI to hash arbitrary text. I added this feature because there was an extension to Firefox that I used all the time to do this—which I used frequently to generate “random-looking” passwords by hashing simpler plain text and using the hash as the “real” password—but the extension hasn’t been updated in forever and is no longer working in Firefox 3. So to keep myself from getting locked out of the accounts where I used hashed passwords, I threw this feature in WinHasher. The backbone was already there, so all that needed to be added was a GUI. There’s also an encoding drop-down box that lets you change the text encoding if you so desire/need. To be honest, I don’t think it’s really necessary because I think .NET uses Unicode internally all the time, but it does have a nice side-effect: if you enter text in one encoding and change the encoding setting to something radically different (say you enter Western European Windows text but change the encoding to IBM EBCDIC Japanese), you’ll end up with a very different hash than you would have had if you used the “right” encoding. This isn’t encryption by any means as it could be easily reverse engineered if you knew what encodings were used, but it does significantly scramble things to the point that it makes it much harder to figure out exactly what you did.
I had originally started adding support for HMAC signed hashes but have abandoned that for now. If there’s anyone out there who might actually find that useful, drop me a line and I’ll revisit the code to see what I might be able to add. Downloads can be found at the first link above.
Software, Technology
WinHasher 1.2
November 30th, 2007 (2 years, 3 months ago) by Jeff | Permalink | Dump Core

I just can’t leave well enough alone. I’ve been mildly annoyed with the “hash in progress” and progress dialogs in WinHasher 1.1. The original idea was to use System.ComponentModel.BackgroundWorker to easily multi-thread very large hashes (say of CD or DVD ISOs or uncompressed video files). This had two benefits: (1) it allows the user to cancel a hash in progress and (2) gives us an opportunity to update the GUI while the hashing takes place in the background, meaning we can inform the user of the progress. Unfortunately, I couldn’t find a method right away to determine the progress of an individual hash. System.Security.Cryptography.HashAlgorithm.ComputeHash() by default takes a byte array or file stream and chugs the whole thing at once, spitting out the hash as a result. There’s no way with this method to determine how far along you are.

However, if you look at the guts of ComputeHash(), you’ll find it reads in chunks of bytes into a buffer, then calls two methods: TransformBlock() for every chunk but the last, and TransformFinalBlock() to hash the last chunk and finalize the hash. The result can then be obtained from the HashAlgorithm.Hash property. If we bypass the convenience of the single ComputeHash() method call, you can read chunks of bytes from the buffer, feed it to the Transform...() methods, and keep track of how many bytes have been read so far. Since we already know how big the file is from the start (System.IO.FileStream.Length), it’s trivial to calculate a percentage complete. Want the progress of a multi-file comparison? Sum the lengths of all files in the batch, then keep track of the total number of bytes hashed along the way.

I’ve bumped WinHasher to version 1.2. It should be available on the official site by tomorrow morning.
Software, Technology
WinHasher 1.1
November 9th, 2007 (2 years, 4 months ago) by Jeff | Permalink | Dump Core

I was downloading Fedora 8 yesterday with every intention of (eventually) upgrading Demeter, our Linux box, currently running Fedora Core 5. I say “eventually” because finding time to back everything up, install the new OS, restore all the files and third-party apps, and then spend hours debugging what went wrong is the hardest part of the whole process.

Anyhoo, I thought I’d put good ol’ WinHasher to use to verify the SHA-1 hash and make sure the download was successful. That was, after all, the primary reason I wrote the thing. But then I noticed something incredibly annoying. The DVD ISO for Fedora 8 weighs in at around 3.18GB. WinHasher has no problems hashing such a file as it hashes the file stream as it reads it, so it can hash any file of arbitrary size. But while it’s doing so, there’s absolutely no feedback to the user. In fact, if you use the right-click “Send To” shortcut, unless you go into the Windows Task Manager and check the process list, you won’t even know the thing is running. It seems to go off into la-la land until mysteriously, a minute or two later, it comes back with a mysterious pop-up box with a cryptographic hash in it.

Bad programmer! Bad!

Well, this annoyed me enough to fix it, so I’ve tweaked it now so it actually runs multi-threaded. This is ridiculously easy to do when you use the System.ComponentModel.BackgroundWorker object in .NET. You just create the object, create a few event handlers for it, and tell it to go do its thing. The hardest part is if you want it to report its progress; then you have to tweak your working code to generate a percentage complete so it has something to display. I learned this trick when I was working on Mandelbrot Madness! 2.0; I have no idea why it never occurred to me to incorporate it here. The annoying part about this addition, though, is that there’s no way to report on the progress of an individual hash. System.Security.Cryptography.HashAlgorithm doesn’t provide a way for you to know how far it’s gone, so there’s nothing to feed to BackgroundWorker.ReportProgress(). The comparison feature does, however, let you know how many of the files have been processed so far in the batch.

So if you’re one of the few brave souls who downloaded WinHasher 1.0, please grab 1.1 at the official site. It officially goes up tomorrow (a delay caused by Keenspot’s parsing to insert the advertising codes). If you haven’t already downloaded it, why not give it a try?
Software, Technology
WinHasher 1.0 and Mandelbrot Madness! 2.0
September 26th, 2007 (2 years, 5 months ago) by Jeff | Permalink | Dump Core

I’m not sure if anyone cares, but I’ve been doing a tiny bit of dabbling in releasing Open Source software lately. Since I don’t particularly care to announce them on the GPF News (it isn’t, after all, GPF news), I’ll announce them here. For those of you who might complain that working on these has taken precious time away from the comic, fret not. The tiny bit of time I’ve been able to squeeze in here and there to work on these have been during periods when working on the comic would be impossible, so there’s no way for there to be any conflict.

The first one I’ll announce is the most recent. WinHasher is a Microsoft .NET Framework 2.0 application for generating cryptographic hashes of files. It is both a Windows GUI applet and a console (command line) program, and it operates in two possible modes. The first mode generates the hash of a single file, which you can then use to verify a download or check to see if a file has been tampered with. The second mode takes the hashes of multiple files and compares them; in this way, you can see if two or more files have the same binary contents regardless of their names, locations, and time stamps. The Windows app supports drag-and-drop functionality, and the installer lets you also build shortcuts in your Windows Explorer “Send To” context menu so you can just right-click a file and get its hash.

So why did I build this? Well, the full details are on the site, but the quick version is that I’ve grown tired of not being able to validate the hashes of downloaded files because Windows doesn’t have a built-in hashing program. Linux and the other free UNIX clones have OpenSSL; heck, even Mac OS has OpenSSL under the hood. Not Windows… of course. So instead of downloading a file on a Windows machine, copying it to the Linux box, validating the hash, and moving it back (or worse, just not even validating the hash at all and taking my chances), I hacked together this little program. Then I thought it might be useful enough to share, so I did. If you find it useful, please let me know.

For the really technically inclined out there, most of the hashes are built-in to .NET 2.0, so this was obscenely easy to implement. In fact, 2.0 has an abstract hash algorithm class (System.Security.Cryptography.HashAlgorithm) that all of the built-in hashes implement. The two non-standard hashes, Whirlpool and Tiger, were taken from the Legion of the Bouncy Castle Crypto API, which is actually .NET 1.1 based. I (rather crudely) ported these classes to be subclasses of HashAlgorithm, so they can technically be used as a drop-in replacement of any .NET 2.0 hash. I plan to add additional hashes over time, provided that (a) the original source code is free and (b) I can port it to be a HashAlgorithm subclass.

The second program to mention is actually a bit of an oldie now. (I actually released it back in June.) The Windows version of Mandelbrot Madness! is back, also in a .NET 2.0 edition. I wrote the original in Visual C++ 4.x, but have long since lost the source code. Then the Java version came into being and rapidly surpassed the Windows version, leaving it to suffer from bit rot. Both eventually languished as I lost time to work on them. Well, in December of 2005, I released the not-quite-complete-but-close-enough 4.0 version of Mandelbrot Madness JAVA!, declaring it abandoned. It always bugged me that I never went back and revisited the Visual C++ code, but without the source I was stuck.

Well, to make a long story short, my new job had me learning a new programming language: C#. That had me programing Web sites, but I knew you could also do Windows GUI apps in it as well. So somewhere down the line I got a wild hair and started the agonizing work of porting the Java code from the last version of MMJ! to C#. Actually, Java and C# are similar enough that the porting work wasn’t all that hard. Not only is MM! 2.0 now pretty much identical in functionality to MMJ! 4.0, but I introduced a number of new features that I hope to eventually port back to the Java version. While I still prefer the platform independence of Java, I’ll readily admit that the .NET version is a lot faster on Windows. I think that anyone on that platform that has actually bothered to play with the Java version (both of you) should make the switch. Anyone still using the decrepit old 1.0 version of Win32 MM! should enter the 21st century and upgrade too.

Both programs have been released under version 2 of the GPL (haven’t had time to really review version 3 yet), so the sources are also available. If you have any suggested changes, feel free to pass them along and I might incorporate them into the official builds (giving you credit, of course).