Secure Software Publishing - Bulk Hash File Download Center

 

 

Introduction

Cisco continues to strengthen the security in and around its products, solutions, and services.

Cisco provides a Secure Hash Algorithm (SHA) 512-bit (SHA512) checksum to validate images downloaded from www.cisco.com.

This newer SHA512 hash value is generated for all software images, creating a unique output that is more secure than the MD5 algorithm.

Cisco is providing both the MD5 and SHA512 hashes for all the images made available to customers in a ".csv" file. The compressed .csv file is digitally signed with a Cisco private key. Cisco provides an X.509 certificate for the corresponding public key. This end-entity certificate is chained to the Cisco SubCA and Root certificates. The authenticity of the X.509 certificate chain is validated before the .csv file signature is verified.

Within the tar file that you can download below, you will find the compressed Bulk Hash File, the public key in X.509 certificate format, a signature file, a verification script and a README.

Downloads

The five files mentioned above are contained within the following tar file:

BulkHashFile

Last Update APR 30, 2017

Installation

  1. Download BulkHashFile.tar to your local server.
  2. Extract the tar file. [Command: "tar -xvf BulkHashFile.tar"]
  3. Refer to the README file for details about the tar file contents.
  4. Verify that the BulkHashFile is signed by Cisco Systems Inc, using the provided verification script and end-entity certificate. [Please refer to the README file for the exact usage of the verification script]
  5. After successful signature verification, decompress BulkHash.tar to generate the BulkHash.csv file. [Command: "tar -xvf BulkHash.tar"]
  6. You are now ready to use the Bulk Hash File to match the hash value of your downloaded software with the hash values in the Bulk Hash File.

What is SHA512?

SHA512 is part of the SHA family of cryptographic hash functions, which are part of the Secure Hash Standard (SHS) specification. SHA512 provides stronger cryptographic security than MD5.

The SHA512 checksum (512 bits) output is represented by 128 characters in hex format, while MD5 produces a 128-bit (16-byte) hash value, typically expressed in text format as a 32-digit hexadecimal number.

The following example provides a comparison of the output of an SHA512 checksum with an MD5 checksum for a Cisco ASA software image (asa941-smp-k8.bin).

SHA512 checksum
1b6d41e893868aab9e06e78a9902b925227c82d8e31978ff2c412c18ac99f49f70354715441385e0b96e4bd3e861d18fb30433d52e12b15b501fa790f36d0ea0

MD5 checksum
6ddc5129d43a22490a3c42d93f058ffe

How Can I Use It?

The SHA512 hash value of each file on Cisco.com is contained in the .csv file that you can download above. 

Generate a hash value for the Cisco downloaded images that you have in your network.

Make sure that there is an exact match between the hash values you have generated on your network images and a hash value in the .csv Bulk Hash file.   
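
The matching step above can be scripted. The following is an added example, not Cisco's verification script or code from this page: it hashes local images with SHA512 and looks each digest up in BulkHash.csv, which is assumed to have already passed the signature verification described under Installation. The function names, sample files and CSV columns are constructed; the real file's column layout is not assumed, so every field is scanned for a 128-character hex value.

```python
import csv
import hashlib
import os
import tempfile

HEX = set("0123456789abcdef")

def sha512_of(path, chunk_size=1 << 20):
    """Hash the file in chunks so large images need not fit in memory."""
    digest = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def load_sha512_index(csv_path):
    """Map each 128-hex-digit field to its CSV row (column layout not assumed)."""
    index = {}
    with open(csv_path, newline="") as f:
        for row in csv.reader(f):
            for field in row:
                value = field.strip().lower()  # tolerate upper-case hex and padding
                if len(value) == 128 and set(value) <= HEX:
                    index[value] = row
    return index

def check_images(paths, csv_path):
    """Return {path: matching CSV row, or None when there is no exact match}."""
    index = load_sha512_index(csv_path)
    return {p: index.get(sha512_of(p)) for p in paths}

def demo():
    """Constructed sample: one listed image and one altered copy of it."""
    with tempfile.TemporaryDirectory() as d:
        good, bad = os.path.join(d, "good.bin"), os.path.join(d, "altered.bin")
        with open(good, "wb") as f:
            f.write(b"constructed image contents")
        with open(bad, "wb") as f:
            f.write(b"constructed image contents, one byte changed")
        listing = os.path.join(d, "BulkHash.csv")
        with open(listing, "w", newline="") as f:
            # Constructed header and row; the real file's columns may differ.
            sha = hashlib.sha512(b"constructed image contents").hexdigest().upper()
            csv.writer(f).writerows([["name", "md5", "sha512"],
                                     ["good.bin", "(md5 omitted)", sha]])
        results = check_images([good, bad], listing)
        return {os.path.basename(p): row for p, row in results.items()}

if __name__ == "__main__":
    for name, row in demo().items():
        # A match proves the file equals *some* listed image: read the row's name too.
        print(name, "MATCH " + row[0] if row else "NO MATCH")
```

A match only shows that the file is identical to some image in the list, so compare the file name in the returned row with the image you intended to download.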

 

SHA512 Verification on *nix machines (Linux, FreeBSD, Mac OS X, etc.)

In the following example, the shasum tool is used to validate the software image that was downloaded from www.cisco.com.

bash-3.2$ shasum -a 512 asa933-smp-k8.bin
e2a8b6b47dc784c263c36758c788e0b8835b1c1caaf23747d21cea93875ce60cc0069f98c0c9a988e440e92bd2be9c1be85525c78a16047779abddfe89705e51 asa933-smp-k8.bin

SHA512 Verification on a System Running Microsoft Windows

SHA512 verification on a Windows PC can be a little tricky. The functionality to perform SHA512 was added as part of the Microsoft PowerShell utility in Version 4, which may not come preinstalled with the operating system. To install PowerShell 4.0, see How to install Windows PowerShell 4.0.

 

The SHA512 checksum verification is one of the many technologies and processes that allow the customer to validate the integrity of the product. The following white papers provide additional resources on how to perform device integrity checks in Cisco IOS and Cisco IOS XE devices.

Additional Resources:

For further questions or comments, send mail to: sw-verify-feedback@cisco.com

 

THIS FILE AND DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT OR TOOL IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.