1

Microsoft has stopped offering the Windows images for download. It is now only possible to get the image if one has a key of a retail version of the corresponding OS. The question is now, whether the images that fly around the internet, are safe to use. It is enough to compare the SHA1 of the .iso-files with the one provided by Microsoft? Is it easily possible to create a collision while simultaneously introducing malware or other unwanted "objects" into the .iso file? The .iso files are all smaller than 5GB.

HerpDerpington
  • 225
  • 2
  • 8
  • 2
    Where are you getting the hashes of the genuine ISOs from if Microsoft don't offer genuine ISOs any more? – Graham Hill Jul 16 '15 at 12:37
  • Funnily enough, you can still find the "Details" of the file (including the hashes) on the MSDN subscriptions downloads page... – HerpDerpington Jul 16 '15 at 12:40
  • @GrahamHill See for example https://msdn.microsoft.com/en-us/subscriptions/downloads/#searchTerm=Windows%207&ProductFamilyId=0&Languages=en&Architectures=x86&ProductFamilyIds=350&FileExtensions=.iso&PageSize=10&PageIndex=0&FileId=0 – HerpDerpington Jul 16 '15 at 14:13

2 Answers2

6

For a malicious attacker who tries to alter an ISO file while keeping its hash value identical to the hash value of the "genuine" file, the problem is known as a second preimage attack. No such attack is known for SHA-1 right now; if somebody wanted to compute such a second preimage, he would have to pay a cost of about 2160 hash function computations, which is way beyond that which is technologically feasible (by some billions of billions of...). Therefore, yeah, as long as the hash matches, the ISO file is "safe" (where "safe" means "identical to what Microsoft wants it to be"), regardless of how you obtained it.

Actually this is true even if MD5 is used as hash function. Second preimages are a lot harder to compute than collisions (one can say that second preimages are like collisions where one half of it is fixed).

All of this assumes, of course, that you can find the genuine hash values as computed by Microsoft themselves (i.e. you found them on a Microsoft Web page and this specific browsing was done over SSL). As @Graham hints at, normally, when you can get the hash value from Microsoft, you can also download the ISO from Microsoft, possibly from the very same page, which makes the point a bit moot.

Community
  • 1
Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
  • Yes, but the images are only available for subscribers... – HerpDerpington Jul 16 '15 at 12:43
  • 2
    @user1574054 ISO images found on msdn.microsoft.com are for development and are safe. ISO images found on licensing.microsoft.com are for production and are safe. Both are downloaded over HTTPS. – makerofthings7 Jul 20 '15 at 14:25
1

They are feasibly safe in the sense that in order to compute 2^160 hash computations which is technologically infeasible.

And you don't need to worry about downloading a .iso of Windows while you can create a .iso from install.esd files from someones' Genuine windows copy (if you are a little bit paranoid).

mud1t
  • 102
  • 4