•  21-09-2022
  •  | 
  •  

Question

for my employer I have to present customers of a web-app with checksums for certain files they download.

I'd like to present the user with the hash their client tools are also likely to generate, hence I have been comparing online hashing tools. My question is regarding their form of hashing, since they differ, strangely enough.

After a quick search I tested with 5:

  1. http://www.convertstring.com/Hash/SHA256
  2. http://www.freeformatter.com/sha256-generator.html#ad-output
  3. http://online-encoder.com/sha256-encoder-decoder.html
  4. http://www.xorbin.com/tools/sha256-hash-calculator
  5. http://www.everpassword.com/sha-256-generator

Entering the value 'test' (without 'enter' after it) all 5 give me the same SHA256 result. However, and here begins the peculiar thing, when I enter the value 'test[enter]test' (so two lines) online tool 1, 2 and 3 give me the same SHA256 hash, and site 4 and 5 give me a different one (so 1, 2 and 3 are equal, and 4 and 5 are equal). This most likely has to do with the way the tool, or underlying code handles \r\n, or at least I think so.

Coincidentally, site 1, 2 and 3 present me with the same hash as my C# code does:

    var sha256Now = ComputeHash(Encoding.UTF8.GetBytes("test\r\ntest"), new SHA256CryptoServiceProvider());

    private static string ComputeHash(byte[] inputBytes, HashAlgorithm algorithm)
    {
        var hashedBytes = algorithm.ComputeHash(inputBytes);
        return BitConverter.ToString(hashedBytes);
    }

The question is: which sites are 'right'?

Is there any way to know if a hash is compliant with the standard?

UPDATE1: Changed the encoding to UTF8. This has no influence on the output hash being created though. Thx @Hans. (because my Encoding.Default is probably Encoding.UTF8)

UPDATE2: Maybe I should expand the question a bit, since it may have been under-explained, sorry. I guess what I am asking is more of a usability question than a technical one; Should I offer all the hashes with different line endings? Or should I stick to one? The client will probably call my company afraid that their file was changed somehow if they have a different way of calculating the hash. How is this usually solved?

Was it helpful?

Solution

All those sites return valid values.

Sites 4 and 5 use \n as line break.

EDIT

I see you edited your question to add Encoding.Default.GetBytes in the code example.

This is interesting, because you see there is some string to byte array conversion to run before computing the hash. Line breaking (\n or \r\n) as well as text encoding are both ways to interpret your string to get different bytes values.

Once you have the same bytes as input, all hash results will be identical.

EDIT 2:

If you're dealing with bytes directly, then just compute the hash with those bytes. Don't try to provide different hash values; a hash must only return one value. If your clients have a different hash value than yours, then they are doing it wrong.

That being said, I'm pretty sure it won't ever happen because there isn't any way to misinterpret a byte array.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top