Solved

Verifying the TrueCrypt hashes

Posted on 2016-10-06
Last Modified: 2016-10-08
We read a TrueCrypt link about verifying the TrueCrypt v7.1a file hashes to make sure that we downloaded the correct or legit version of the apps. The link states, and this is the purpose of our question, that “Many sites attempt to assert the authenticity of the files they offer by posting their cryptographic hash values”. We’ve read the link and the reference links within it, but can’t quite grasp the process of verifying the TrueCrypt hash. So, as always, turning to EE: how do we do this process of “verifying”?
Question by:rayluvs
LVL 65

Expert Comment

by:btan
ID: 41832189
It is just saying that as long as the downloaded package's hashes match the hashes listed on the trusted site below, then the files are indeed as-is and not malicious. There are sites that spoof the actual package, and it may be malicious when downloaded.
https://defuse.ca/truecrypt-7.1a-hashes.htm

You can easily use a hash calculator to compute the hash and compare it against the trusted list. The hash can be either SHA256 or SHA1. I suggest you stick with using SHA256 in your hash calculator to compute and check the hash strings. See the tool:
http://www.mcafee.com/sg/downloads/free-tools/hash-calculator.aspx

Also, you can have the exe, or the hash of the exe or package, uploaded to VirusTotal to check whether any AV reports that its scan has once detected it as malicious. See the past scan below:
https://www.virustotal.com/en/file/e95eca399dfe95500c4de569efc4cc77b75e2b66a864d467df37733ec06a0ff2/analysis/1431421999/
0
 

Author Comment

by:rayluvs
ID: 41832305
Ok, will check your links.
0
 

Author Comment

by:rayluvs
ID: 41832546
We downloaded and installed the calculator, but how can we use it? I created a fiddler folder, but what's next?
0
 
LVL 65

Expert Comment

by:btan
ID: 41832821
The next thing is to use a tool to compute the hash. But it looks like, to make it easier for you, you can consider uploading the file online or using another tool to specify the file destination. See:

http://hash.online-convert.com/sha256-generator
https://sourceforge.net/projects/quickhash/

Once this is all right, you also need some PGP tool to verify TC's .sig file or, for Windows, verify its digital signature. See:

https://www.truecrypt71a.com/documentation/miscellaneous/digital-signatures/

https://gpgtools.tenderapp.com/discussions/problems/10359-truecrypt-pgp-key-verification#comment_28129801
0
 

Author Comment

by:rayluvs
ID: 41832856
Don't understand. You gave us a link to view the TrueCrypt hash, which we assume will be used with the link to download a calculator, which created a fiddler folder, but what do we have to do? We went through your last links and can't relate them to the previous links. Are we to use the results of the previous links with the latest links?
0
 
LVL 65

Expert Comment

by:btan
ID: 41832958
You download the Truecrypt file.

As the fiddler plugin hash calculator does not allow a file (only a string) to be hashed, it will not be used in your case.

You then need to download quickhash or just use the online hash.convert to upload the file to generate SHA256.

You can then compare the generated SHA256 string with the stated hash string on defuse.ca. If the strings match, it means the package has not been tampered with or corrupted.

You can then proceed to verify the .sig, which I shared below:
https://www.truecrypt71a.com/documentation/miscellaneous/digital-signatures/

Hope this helps.
0
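
The compute-and-compare step described in the comment above, as an added example that is not part of the original thread. It assumes the trusted list is saved locally in `sha256sum` layout (hash, whitespace, file name) and that the list was obtained from a source trusted independently of the download site; the file name and contents in `demo()` are constructed.

```python
import hashlib
import os
import re
import tempfile

# Assumed list layout (sha256sum style): "<64 hex digits>  <file name>".
# File names may contain spaces, as installer names often do.
ENTRY = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+?)\s*$")

def parse_hash_list(text):
    """Return {file name: lowercase SHA-256 hex} from a published list."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            table[m.group(2)] = m.group(1).lower()
    return table

def sha256_file(path, chunk=1 << 20):
    """Hash in 1 MiB chunks so a large installer never sits in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify(path, trusted):
    """Return 'match', 'MISMATCH' or 'not listed' for one download."""
    expected = trusted.get(os.path.basename(path))
    if expected is None:
        return "not listed"  # no published hash: nothing was verified
    return "match" if sha256_file(path) == expected else "MISMATCH"

def demo():
    """Constructed sample: a stand-in file and a list built from it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "Sample Setup 1.0.exe")  # hypothetical name
        with open(path, "wb") as f:
            f.write(b"constructed installer bytes")
        trusted = parse_hash_list(sha256_file(path).upper() + "  Sample Setup 1.0.exe\n")
        intact = verify(path, trusted)
        with open(path, "ab") as f:  # one extra byte: tampering or corruption
            f.write(b"\x00")
        altered = verify(path, trusted)
        unlisted = verify(os.path.join(d, "other.exe"), trusted)
        return intact, altered, unlisted

if __name__ == "__main__":
    print(demo())
```

A "not listed" result means no comparison took place, so it should be treated the same as a mismatch until a published hash for that exact file name is found.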
 

Author Comment

by:rayluvs
ID: 41833002
When you say "just use the online hash.convert to upload the file to generate SHA256", you mean the link you have previously (http://hash.online-convert.com/sha256-generator)?
0
 
LVL 65

Expert Comment

by:btan
ID: 41833094
Yes, pl. Pardon me.
0
 

Author Comment

by:rayluvs
ID: 41833680
Thanx. Lastly, when you say "You can then proceed to verify the .sig which I shared in below", where do we find the .sig?
0
 
LVL 65

Expert Comment

by:btan
ID: 41833991
Pls see https://github.com/DrWhax/truecrypt-archive which also has even earlier versions as well.
0
 

Author Comment

by:rayluvs
ID: 41834336
Checked it, but where does it say how to verify the .sig? (Tell us where to look; we can't locate it.)
0
 
LVL 65

Expert Comment

by:btan
ID: 41834586
There is mention on how to verify the signature - see
How to Verify X.509 Signatures
How to Verify PGP Signatures

https://www.truecrypt71a.com/documentation/miscellaneous/digital-signatures/
0
 

Author Comment

by:rayluvs
ID: 41834666
There is a lot to read there (sorry, we are in a bit of an emergency), but do you know the exact steps?
(If you its ok we find a way)
0
 
LVL 65

Accepted Solution

by:
btan earned 2000 total points
ID: 41834680
Since it is urgent, suggest we check the below.

1. Check X.509 signatures which are currently available only for the TrueCrypt self-extracting installation packages for Windows.

2. Download the TrueCrypt self-extracting installation package (‘TrueCrypt Setup.exe’)

3. On the EXE file, click right mouse button and select ‘Properties’ from the context menu.

4. In the Properties dialog window, select the ‘Digital Signatures’ tab.

5. On the ‘Digital Signatures’ tab, in the ‘Signature list’, double click the line saying “TrueCrypt Foundation”.

6. The ‘Digital Signature Details’ dialog window should appear now.

> If you see the following sentence at the top of the dialog window, then the integrity and authenticity of the package have been successfully verified: “This digital signature is OK.”

> If you do not see the above sentence, the file is very likely corrupted.

Note: On some obsolete versions of Windows, some of the necessary certificates are missing, which causes the signature verification to fail.
0
 

Author Comment

by:rayluvs
ID: 41834758
Thanx
0
