Network Security - controls/examples for integrity

1. Hashes (SHA-family)

  • What: A hash function takes input data and produces a fixed-size output (digest). Even a tiny change in input completely changes the output.

  • Why for integrity: If the received hash of a file doesn’t match the expected hash, you know the file was altered.

  • Examples: SHA-256, SHA-3 (modern, secure); MD5 and SHA-1 are weak and deprecated.

  • Use case: Software download pages often publish a SHA-256 checksum for verification.

2. HMACs (Hash-based Message Authentication Codes)

  • What: A cryptographic hash combined with a secret key.

  • Why for integrity: Unlike plain hashes, an attacker cannot recompute a valid HMAC without the key — so it proves both integrity and authenticity.

  • Example: TLS uses HMACs to ensure messages haven’t been tampered with.

  • Use case: API request signing, secure communications.

3. Digital Signatures

  • What: A private key signs data; anyone with the public key can verify the signature.

  • Why for integrity: If the data changes, the signature no longer verifies. Also provides non-repudiation (the sender can’t deny signing).

  • Examples: Signed software updates, signed documents (PDF, emails).

  • Use case: Windows or Linux package managers (apt, yum) use digital signatures to verify authenticity of updates.

4. Checksums

  • What: A simple mathematical function applied to data to detect accidental errors.

  • Why for integrity: Can spot transmission/storage corruption, but not secure against intentional tampering.

  • Examples: CRC32, Adler-32.

  • Use case: TCP/UDP/IP packets include checksums to detect errors in transmission.

5. Code Signing

  • What: A specific application of digital signatures for software executables/libraries.

  • Why for integrity: Guarantees that the code hasn’t been modified since the developer signed it.

  • Examples: Microsoft Authenticode, Apple app signing, Android APK signing.

  • Use case: Prevents attackers from slipping malware into legitimate software packages.

6. Versioning

  • What: Keeping track of different versions of files/data.

  • Why for integrity: Lets you detect unauthorized changes by comparing versions and roll back if needed.

  • Examples: Git repositories, database snapshots.

  • Use case: Developers can see exactly who changed a line of code and when.

7. File System Immutability

  • What: Making files read-only or append-only at the system level.

  • Why for integrity: Prevents unauthorized modification or deletion.

  • Examples: Linux chattr +i or +a, WORM (Write Once Read Many) storage.

  • Use case: Protecting system logs so attackers can’t cover their tracks.

Together, these mechanisms cover different layers:

  • Simple error detection: Checksums.

  • Tamper-evident integrity: Hashes, versioning.

  • Cryptographic integrity + authenticity: HMACs, digital signatures, code signing.

  • Prevention of alteration: File system immutability.