A hash is a function that takes a variable-length string (message) and compresses and transforms it into a fixed-length value. Important facts about hashes are:
- Hashes ensure the data integrity of files and messages in transit.
- Hashes do not ensure confidentiality (in other words, hashes are not used to encrypt data).
- A hash is a one-way function. You cannot reproduce the message by running it back through the hash (or a different hash).
- The hash value (output) is also referred to as a message digest or digital fingerprint.
- The sender and the receiver use the same hashing algorithm on the original data. If the hashes match, then the data can be assumed to be unmodified.
The larger the message digest, the more secure the hash. The predominate hashing algorithms in use today are:
- MD-5 developed by RSA (Rivest-Shamir-Adleman). MD-5 generates a message digest of 128 bits.
- SHA-1 developed by NIST and NSA. SHA-1 generates a message digest of 160 bits.
- RIPEMD developed by the COSIC research group. RIPEMD generates a message digest of 128, 160, 256, or 320 bits.
Hashing is often used for the following:
|File integrity||Hashes are often used to prove the integrity of downloaded files. After a file is downloaded, the recipient creates a hash of the file. If the recipient's hash matches the hash of the original file you know that:
|Secure logon credential exchange||Hashes can be used to secure logon credentials during the exchange. The password is used as the key to perform a hash on a challenge text value, and only the hashed value is passed and not the password. The receiving host uses the same method to compare the hashes to verify the identity of the user. Examples of protocols that use this method are:
Be aware of the following regarding hashes:
- Strong hash outputs should contain a large number of bits. This makes the duplication of the hash value by an attacker more difficult.
- Hashes should be produced from the entire message, not just a portion of the message.
- Good hashing algorithms have high amplification, also known as the avalanche effect. This means that a small change in the message results in a big change in the hashed value.
- Collision is the term used to describe a situation in which two different messages produce the same hash value. This is an indication that a stronger hashing algorithm should be used.
- Collision resistance is the term used to describe a hash algorithm's ability to avoid the same output from two guessed inputs.
- A birthday attack is a brute force attack in which the attacker hashes messages until one with the same hash is found. This type of attack is based on the statistic that there is more than a 50% chance that two out of 23 people in a room will have the same birthday. To match a selected day, 253 people would need to be in the room.