The SHA_V program (listed on this NIST site ) is a software program which contains a FIPS 180-3 validated algorithm for (SHA-1) use.

There are two situations which voting officials are concerned with when trying validate the software installed on the voting machines.

• The first is validating the initial installation
• The second is validating the software on voting day

The Maresware Hash and Hashcmp programs can help you with both situations.

DAY 1, Initial Installed Software

Quite simply, you have an installed set of software, lets call it day 1 software. This software is what was initially installed by the vendor. You need to get a fingerprint of the installed software at day 1. The hash program will perform this task. It will generate a hash for the files which the vendor has installed, and your auditors are comfortable that the software is what you purchased. Now you have a data file which contains the original hashes of these installed programs. Save it somewhere safe.

When you get upgrades, or new installs of software, you run the hash program against the newly installed software. This gets you a "now" listing of hashes. With the hashcmp program, it is easy to compare the day 1, and the now listings to see which files have been changed. Any changes that are not expected may have to be investigated. That completes the day 1, and the now verification.

The process:
1. Hash the original installation.
2. Hash the current installation.
3. Compare the two outputs, and see which files have changed.

Voting Day

The next, and more complicated process is to validate the software on the day of voting. Since the software, and computers may be susceptable to tampering while they are in storage, you want to verify the software on the day of voting. Both, before and after voting hours.

This process is similar to the original verification. Because we have the original data hashes stored and available, this is what you do on voting day.

• Hash the voting machines before the day begins.
• Compare the hashes on each machines with the original day 1 refernce
• Any anomolies need to be examined.

Maresware's Hashing programs are designed to calculate the MD5 hash values of source files. (They can also calculate the SHA1 (160Bit) , and SHA2 (256, 384, 512 BIT) values.) The data that the Maresware hash program works on is the contents of a source file. The hash values and other information about the source file are placed (by default) to the screen. All Maresware programs are command line driven for easy use and customization of their operation. This means command line options can be easily modified and the data produced by the Hash program will be placed in a text output file; that output file can be further processed or printed. Forensic examiners and others who must determine or record the authenticity of a source file find the hash program very useful. A simple procedure to determine a source file's authenticity would be:

The SHA_V contains a FIPS 180-3 validated SHA-1 algorithm.

1. Calculate the original hash "fingerprint" of the source file, and record it in an output file.
2. At a later time, hash the same "source" file again and record the information in a second output file.
3. Compare the records (lines) of the original hash output file with those of the current hash output file.

If the hashes of the source files match, the files are identical and unchanged. If the hash values are not identical, the contents of the source file have been altered. Here are sample output records (rows) from the hash program. Headings, and some format modifications were done to facilitate display here. The hash command line to generate a default output file would be:

C:\hash -p c:\ -o output.txt 
  Filename                 MD5 Hash (fingerprint)         Size   Date       Time 
C:\FOLDER\source1.ext     893C5990B1029171F8FDB262AF5ABDD0  5741 2003/01/28 08:22:36 
C:\FOLDER\source2.ext     893C5990C1023171F8123262AF5ABDD0  9941 2003/01/22 08:24:36  
C:\FOLDER\source3.ext     893C5990B102917EFDCDB262AF5ABDD0  1234 2003/03/28 08:22:36 
C:\FOLDER\source4.ext     893ABCD0C1023171F8123262AF5ABDD0  5678 2003/02/28 08:24:36  

Step 3 of the hashing procedure requires the comparison of the original hash value with a current hash value of the specific file. Hashcmp is specially designed to compare the output files produced by the Hash program. Hashcmp will very quickly compare the two output files (an initial, and a current one) created by the Hash program. It then displays information on source files whose hashes do not match. The information that is displayed is the appropriate record or line in the hash output files relating to the original source file(s) whose hashes do not match. In tests on a 2.8 GHz. CPU, with a reasonably fast hard drive, Hashcmp can compare two files containing upwards of 30,000 records each in under 10 seconds.

The procedure of comparing a reference, or original, hash value of a source file and a current hash value of a source file has many uses. One interesting application lately brought to our attention, is its use by university library archivists to ensure that the copies of documents they are maintaining have not been altered or tampered with.

Some states have already begun using Maresware Hash and Hashcmp programs to assist in validating the voting machine software. The process of calculating the hash, and then comparing hash values with standards or originals is a good starting point to help convince persons that the software has not been tampered with.

The following are sources of technical documents with information relating to the MD5 or SHA hashing algorithm: