Verify SHA256 hashes verbally

This article describes how to verify SHA256 hashes verbally more easily using sha2wordlist.

Background

If you work with security you may have encountered situations where you wanted to verify a hash “out of band”. This can be done in many ways: a secured secondary chat channel, or an HTTPS-enabled website. But sometimes it is done verbally, over the phone or in front of an audience.

I'm pretty fascinated with the security model used to secure the private keys used to sign the root zone in DNS. They meet four times a year for a carefully scripted ceremony where they take out smart cards, HSMs and so on from safes locked in cages. During these ceremonies there are several situations where hashes need to be verified by the participants. It would be pretty hard to do this directly using the actual hash, consisting of 64 random hex digits.

PGP word list

One solution to this problem (and the one that is used in the DNSSEC ceremonies) is to convert the hash into a list of words in a predictable way. When I found this out I got really interested and I tried to find a good description of this on the web. First I found out about the PGP word list, which is basically a smart way to turn data into words. The words in these word lists are chosen for their phonetic distinctiveness, which gives less room for error. You can read more about the history of this system on Wikipedia.

sha2wordlist

Then I tried to find a small program that did this conversion, but without any luck. So if you know of something like this, please tell me. But what I did find was a small program, sha2wordlist, that does exactly what I want. It takes data on stdin and outputs the SHA256 hash and the PGP words. This program is written by Jakob Schlyter, who is an OpenSSH developer and co-author of many (according to me) important RFCs. He is also one of the co-authors of the original practice statement for the “Root Zone KSK Operator”.

Verify SHA256 hashes

One example run could look like this:

# echo smallamountofdata | sha2wordlist
SHA-256:    a42e35de45646a86c665b081212384a67de2083c0427afd47948daa619a69055
PGP Words:  regain coherence chopper telephone crusade getaway Geiger letterhead southward glossary ruffled inventive blackjack cannonball mural paragon klaxon tomorrow aimless crossover adrift celebrate rocker souvenir jawbone dictator surmount paragon bedlamp paragon peachy equipment

FreeBSD Ports

I couldn’t find any packaged programs like sha2wordlist, or a packaged version of sha2wordlist itself for that matter. So I decided to make my own port of it and contribute it to FreeBSD. It is now available to install using ports/security/sha2wordlist. Binary packages will be available soon.