Cisco continues to strengthen the security in and around its products, solutions, and services.
A newer SHA512 hash value is now generated for all software images, creating a unique output that is more secure than that of the MD5 algorithm.
Cisco is providing both the MD5 and SHA512 hashes for all the images made available to customers in a ".csv" file. The compressed .csv file is digitally signed with a Cisco private key. Cisco provides an X.509 certificate for the corresponding public key. This end-entity certificate is chained to the Cisco SubCA and Root certificates. The authenticity of the X.509 certificate chain is validated before the .csv file signature is verified.
Within the tar file that you can download below, you will find the compressed Bulk Hash File, the Public Key in X.509 certificate format, signature file, verification script and a README.
The five files mentioned above are contained within the following tar file:
Last Update JAN 31, 2017
SHA512 is part of the SHA family of cryptographic hash functions, which are part of the Secure Hash Standard (SHS) specification. SHA512 provides stronger cryptographic security than MD5.
The SHA512 checksum (512 bits) output is represented by 128 characters in hex format, while MD5 produces a 128-bit (16-byte) hash value, typically expressed in text format as a 32-digit hexadecimal number.
The following example provides a comparison of the output of an SHA512 checksum with an MD5 checksum for a Cisco ASA software image (asa941-smp-k8.bin).
The SHA512 hash value of each file on Cisco.com is contained in the .csv file that you can download above.
Generate a hash value for the Cisco downloaded images that you have in your network.
Make sure that there is an exact match between the hash values you have generated on your network images and a hash value in the .csv Bulk Hash file.
bash-3.2$ shasum -a 512 asa933-smp-k8.bin
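The steps above (hash the local image, then look for an exact match in the Bulk Hash file), as an added Python example; it is not the verification script shipped in the Cisco tar file. The .csv column layout is not described on this page, so the code matches against every 128-hex-digit field in each row; the function names and sample data are constructed, and the .csv is assumed to have already passed signature verification.

```python
import csv
import hashlib
import tempfile
from pathlib import Path

def sha512_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large image never has to fit in memory."""
    digest = hashlib.sha512()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def load_published_hashes(csv_path):
    """Map every 128-hex-digit field in the CSV to the row it came from."""
    published = {}
    with open(csv_path, newline="") as fh:
        for row in csv.reader(fh):
            for field in row:
                value = field.strip().lower()  # compare case-insensitively
                if len(value) == 128 and all(c in "0123456789abcdef" for c in value):
                    published[value] = [f.strip() for f in row]
    return published

def check_image(image_path, published):
    """Return 'match', 'name-mismatch' or 'no-match' for one local image."""
    row = published.get(sha512_of(image_path))
    if row is None:
        return "no-match"  # modified, corrupted, or not listed in this file
    # A hit under another file name means published bytes that were renamed locally.
    return "match" if Path(image_path).name in row else "name-mismatch"

def demo():
    """Constructed sample data; not real Cisco images, names or hashes."""
    a, b = b"A" * 4096, b"B" * 4096
    on_disk = {"image-a.bin": a, "image-b.bin": b + b"!", "renamed.bin": a}
    with tempfile.TemporaryDirectory() as tmp:
        csv_path = Path(tmp) / "hashes.csv"
        with open(csv_path, "w", newline="") as fh:  # assumed columns: name, MD5, SHA512
            csv.writer(fh).writerows(
                [n, "0" * 32, hashlib.sha512(d).hexdigest().upper()]
                for n, d in (("image-a.bin", a), ("image-b.bin", b)))
        published = load_published_hashes(csv_path)
        results = {}
        for name, data in on_disk.items():
            (Path(tmp) / name).write_bytes(data)
            results[name] = check_image(Path(tmp) / name, published)
    return results
```

A "name-mismatch" result is worth investigating rather than ignoring: the bytes are a published image, but not the one the local file name claims, so the device may not be running the release you expect.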
SHA512 verification on a Windows PC can be a little tricky. The functionality to perform SHA512 was added as part of the Microsoft PowerShell utility in Version 4, which may not come preinstalled with the operating system. To install PowerShell 4.0, see How to install Windows PowerShell 4.0.
The SHA512 checksum verification is one of the many technologies and processes that allow the customer to validate the integrity of the product. The following white papers provide additional resources on how to perform device integrity checks in Cisco IOS and Cisco IOS XE devices.
For further questions or comments, send mail to: firstname.lastname@example.org
THIS FILE AND DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT OR TOOL IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.