This article briefly explains the motivations behind SHA256. If you just want to know how to check the SHA256 hash of the official Nxt client, skip straight to How do I find the SHA256 hash of a file?.
What is SHA256?
SHA256 is a hash function. That means it's a specific formula for turning a piece of digital data like a paragraph of text or a file, into a line of characters called a hash of the data. For example, this sentence
The quick brown fox jumps over the lazy dog.
has the following SHA256 hash
The SHA256 hash is always exactly 64 characters long, regardless of how large the original data is. Each character is either a digit or a letter from A to F, and represents 4 bits of information. So the entire hash represents 64 x 4 = 256 bits of information, which is where the 256 in SHA256 comes from.
Here the data is shorter than the hash, but usually the file or data will be much larger.
Why should I care about the SHA256 hash?
It's extremely unlikely that two different files have the same SHA256 hash, as there are over 1077 (that's 1 followed by 77 zeroes) possible hashes. It's designed to be extremely difficult to reverse; to date no one has found a way to make two different files with the same, or even mostly similar hash. And small changes in the original data almost always result in large changes to the SHA256 hash.
The hash lets you quickly check if two files are identical. Instead of comparing the entire contents of both files, you can just compare their hashes.
This gives a quick way to check that a file hasn't been corrupted or tampered with. The process usually goes like this:
- Author of the file uploads the file and announces its SHA256 hash.
- ???? (The file may get uploaded to other places. Some of these uploads may get corrupted. And sometimes bad people insert viruses/malware into the file before uploading.)
- User downloads the file from somewhere.
- User finds the SHA256 hash of the file and compares it with the hash announced by the author.
- If they are the same, the user can be certain they've got the right file. If they are different, the user knows they've got a bad file and should re-download it, possibly from a different source.
Think of the hash as a short characterization of a large file.
How do I find the SHA256 hash of a file?
An easy way is to use an online hash calculator like online-convert.com. Upload your file using the "Browse" button, then click "Convert File". After a short while, the site will tell you the file's hash. If you do not want to use an "online" tool for checking an SHA256 hash, there are also free SHA256 calculators that you can run "offline for Windows and MacOS at Hashtab
It's a good idea to check the hash of sensitive files like the Nxt client before using them. These are the sort of files a malicious attacker would try to tamper with in order to gain control of your Nxt account and/or personal information.
After downloading the .zip file from https://bitbucket.org/JeanLucPicard/nxt/downloads/nxt-client-1.10.3.zip containing the official client, find it's SHA256 hash using the instructions above. If you see
then you're safe and you can go ahead with the installation.
Does SHA256 have other uses?
Yes! In Nxt, your private key is calculated from your passphrase by taking the SHA256 hash of your passphrase, and then changing a few bits. Your (unencoded) account number is also the SHA256 hash of your public key. SHA256 is also used to generate the 'signing keys' used in each transaction.
Some proof-of-work currencies like Bitcoin use the difficulty of finding similar SHA256 hashes as the 'work' it requires.
Are there other hash functions?
One other hash function you may have heard of is md5. Like SHA256, md5 produces a line of characters (but one that's half the length of SHA256). That still gives a huge number of possible hashes. So md5 is still useful in checking for unintended errors during downloads, and it's still widely used.
But unlike SHA256, md5 is not secure. People know clever ways to reverse it, it's feasible to make two different files that have the same md5 hash. So you shouldn't rely on md5 to confirm that a file hasn't been deliberately tampered with.