Cisco continues to strengthen the security in and around its products, solutions, and services. This week Cisco began providing a Secure Hash Algorithm 512-bit (SHA512) checksum to validate images downloaded from www.cisco.com. Cisco already provided a Message Digest 5 (MD5) checksum as the hash of the software, but the newer SHA512 hash value is now generated for all software images, creating a unique output that is more secure than the MD5 algorithm.

What is SHA512?

SHA512 is part of the SHA family of cryptographic hash functions, which are specified in the Secure Hash Standard (SHS). SHA512 provides stronger cryptographic security than MD5.

The SHA512 checksum (512 bits) output is represented by 128 characters in hex format, while MD5 produces a 128-bit (16-byte) hash value, typically expressed in text format as a 32-digit hexadecimal number.

The following example provides a comparison of the output of an SHA512 checksum with an MD5 checksum for a Cisco ASA software image (asa941-smp-k8.bin).

SHA512 checksum

MD5 checksum

How Can I Use It?

The SHA512 value is available during the download process and can be used by customers for software image validation. The following is an example of the new SHA512 checksum of a Cisco ASA Software image.


SHA512 Verification on *nix machines (Linux, FreeBSD, Mac OS X, etc.)

In the following example, the shasum tool is used to validate the software image that was downloaded from www.cisco.com.

bash-3.2$ shasum -a 512 asa933-smp-k8.bin
92bd2be9c1be85525c78a16047779abddfe89705e51 asa933-smp-k8.bin

In the previous example, the SHA512 checksum matches the one displayed in the Cisco Software Download site.
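The comparison described above can be scripted so that it does not depend on reading two 128-character strings by eye. The following is an added example, not part of the original post or Cisco tooling; the function names and exit codes are this example's own choices, and it assumes either sha512sum or shasum is installed.

```shell
#!/bin/sh
# Added example: check a downloaded image against the SHA512 value
# published on the download page. Names and exit codes are assumptions.

# sha512_of FILE -> prints the 128-character lowercase hex digest.
# The file is read from stdin so odd file names cannot alter the output.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum < "$1" | cut -d' ' -f1
    else
        shasum -a 512 < "$1" | cut -d' ' -f1
    fi
}

# verify_sha512 FILE EXPECTED
#   returns 0 = match, 1 = mismatch, 2 = unusable input
verify_sha512() {
    file=$1
    # The published digest may be shown in upper case; normalise it first.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    [ -r "$file" ] || { echo "cannot read: $file" >&2; return 2; }

    # A SHA512 digest is exactly 128 hex characters. Rejecting anything
    # else catches a truncated copy/paste or a 32-character MD5 value
    # pasted by mistake, instead of reporting a misleading mismatch.
    if [ "${#expected}" -ne 128 ]; then
        echo "expected value is ${#expected} characters, need 128" >&2
        return 2
    fi
    case $expected in
        *[!0-9a-f]*) echo "expected value is not hex" >&2; return 2 ;;
    esac

    actual=$(sha512_of "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Command-line use: sh verify.sh IMAGE PUBLISHED_SHA512
if [ "$#" -eq 2 ]; then
    verify_sha512 "$1" "$2"
fi
```

Copy the expected value from the Cisco Software Download page over HTTPS rather than from the same location as the image, so that a tampered image cannot bring its own matching checksum.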

SHA512 Verification on a System Running Microsoft Windows

SHA512 verification on a Windows PC can be a little tricky. The functionality to perform SHA512 was added as part of the Microsoft PowerShell utility in Version 4, which may not come preinstalled with the operating system. To install PowerShell 4.0, see How to install Windows PowerShell 4.0. The following is an example of how to perform a SHA512 verification on a Windows machine using PowerShell:

SHA512 Verification on Windows

SHA512 Verification on Cisco ASA

The Cisco ASA also supports SHA512 checksum validation with the verify /sha-512 command, as demonstrated in the following example.

omar-asa# verify /sha-512 disk0:/asa941-smp-k8.bin
verify /SHA-512 (disk0:/asa941-smp-k8.bin) = 1b6d41e893868aab9e06e78a9902b925227c82d8e31978ff2c412c18ac99f49f70354715441385

In the previous example, the software image asa941-smp-k8.bin is verified.

The SHA512 checksum verification is one of the many technologies and processes that allow the customer to validate the integrity of the product. The following white papers provide additional resources on how to perform device integrity checks in Cisco IOS and Cisco IOS XE devices.

Additional Resources:


Omar Santos

Distinguished Engineer

Cisco Product Security Incident Response Team (PSIRT) Security Research and Operations