Integrity Verification

Download verification and validation tools. Free.

Integrity Verification Application (beta)

Integrity Verification (IV) is now available as an application that installs into Cisco Catalyst Center. The IV application verifies a device's integrity and then continues to monitor the device for any change in its integrity status. The IV application can monitor any device that Cisco Catalyst Center can manage.

The Integrity Verification application currently can verify and monitor the following categories for integrity:

  • Platform (SUDI and secure boot measurements)
  • Software
  • Hardware
  • Configuration

Note:

Not all devices are supported by Cisco Catalyst Center.
Not all devices support all features of the Integrity Verification Application.

Known Good Values (KGV)

Download KGV JSON

To establish a baseline of security integrity, Cisco devices must be verified as running authentic and valid software. Currently, Cisco devices in the field have no point of reference to determine whether the software they are running is authentic Cisco software. The Cisco IV application compares collected image integrity data against Known Good Values (KGV) for Cisco software.

Cisco produces and publishes a Known Good Value data file that contains KGVs for many of its products. The KGV file is in standard JSON format, is signed by Cisco, and is bundled with other files into a KGV Combo Bundle that can be retrieved from Cisco.

The contents of the KGV Combo Bundle can also be used by "home grown" or customer-developed scripts or applications: the KGVs are standard JSON objects and elements, so any software that can parse JSON data can consume them.

The current Cisco-produced KGV data file includes measurements for the following component categories:

  • Boot Integrity Visibility
  • Boot0 image measurements
  • Bootloader image measurements
  • Boot OS image measurements
  • Running image file measurements

Important:

Always verify the signature of the KGV data before using its contents to assign integrity to your network elements. If the signature on the KGV data cannot be verified, then the contents of the KGV data cannot be trusted.

Cisco's Integrity Verification application verifies the signature on the KGV data automatically, but any "home grown" or customized script must implement this step before using the KGV Combo Bundle data.

Bulk Hash File

Download Bulk Hash File

The Bulk Hash file provides a mechanism to re-verify images downloaded from the Cisco Software Downloads page.

Cisco now provides a 512-bit Secure Hash Algorithm (SHA512) checksum on the Cisco Software Downloads page for validating downloaded images.

This newer SHA512 hash value is generated for every software image, producing a unique digest that is far more resistant to collisions than the MD5 algorithm.

Cisco provides both the MD5 and SHA512 hashes for all images made available to customers in a ".csv" file. The compressed ".csv" file is digitally signed by Cisco, and Cisco provides an X.509 certificate for validating the contents of the Bulk Hash File. This end-entity certificate chains to the Cisco SubCA and Root certificates. The authenticity of the X.509 certificate chain is validated before the ".csv" file signature is verified.

Within the Bulk Hash File archive that you can download below, you will find:

  • Compressed Bulk Hash File
  • X.509 certificate
  • Signature file
  • Verification script
  • Readme

How Can I Use It?

The .csv file that you can download contains the SHA512 hash value of each file on Cisco.com.

Generate a hash value for each Cisco image that you have downloaded into your network.

Confirm that the hash value you generated for each network image exactly matches a hash value in the ".csv" Bulk Hash file.
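The matching step above, written out as an added Python example (not Cisco's own verification script). It assumes the Bulk Hash .csv has the columns `filename,md5,sha512` (the real layout is not shown on this page), uses constructed sample bytes rather than a real image, and assumes the signature on the compressed .csv has already been verified against the X.509 chain as described above.

```python
import csv
import hashlib
import io

# Constructed sample data (not a real Cisco image or Bulk Hash file). The
# "filename,md5,sha512" column layout is an assumption for this example.
SAMPLE_IMAGE = b"constructed sample image bytes, not a real Cisco image\n"
GOOD_MD5 = hashlib.md5(SAMPLE_IMAGE).hexdigest()
GOOD_SHA512 = hashlib.sha512(SAMPLE_IMAGE).hexdigest()
SAMPLE_BULK_HASH_CSV = (
    "filename,md5,sha512\n"
    f"sample-image-1.bin,{GOOD_MD5},{GOOD_SHA512}\n"
    f"sample-image-2.bin,{'0' * 32},{'f' * 128}\n"
)


def digests(fobj, chunk_size=1024 * 1024):
    """Stream a binary file object once and return (md5, sha512) hex digests."""
    md5, sha512 = hashlib.md5(), hashlib.sha512()
    for chunk in iter(lambda: fobj.read(chunk_size), b""):
        md5.update(chunk)
        sha512.update(chunk)
    return md5.hexdigest(), sha512.hexdigest()


def load_bulk_hashes(csv_text):
    """Index Bulk Hash rows by lower-cased SHA512 so lookups are exact matches."""
    return {row["sha512"].strip().lower(): row
            for row in csv.DictReader(io.StringIO(csv_text))}


def classify(md5, sha512, index):
    """Only an exact SHA512 match counts as 'verified'. A row that matches on
    MD5 alone is reported as 'md5-only': MD5 collisions are practical, so it is
    not evidence of integrity and deserves a closer look."""
    row = index.get(sha512)
    if row is not None:
        return "verified", row["filename"]
    for row in index.values():
        if row["md5"].strip().lower() == md5:
            return "md5-only", row["filename"]
    return "unknown", None


def verify_bytes(data, index):
    """Check an in-memory image (used here for the constructed sample)."""
    return classify(*digests(io.BytesIO(data)), index)


def verify_image(path, index):
    """Check an image file on disk, streamed so large images are not read whole."""
    with open(path, "rb") as f:
        return classify(*digests(f), index)
```

Run `verify_image("<downloaded image>", load_bulk_hashes(open("<bulk hash>.csv").read()))` over each image in your repository and treat anything other than `verified` as a failed check.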