Hashing Algorithms
Ensuring Data Integrity and Authentication
From MD5 to SHA-3 and Beyond
What is a Hash Function?
Definition: A mathematical function that transforms input data of any size into a fixed-size string of characters, which appears as a seemingly random sequence.
Key Purpose:
- Data integrity verification
- Digital fingerprinting
- Password storage
- Digital signatures
Essential Properties
- Deterministic: Same input = same output
- Fixed Output: Always same length regardless of input
- Fast Computation: Quick to calculate
- Pre-image Resistance: Hard to reverse
- Collision Resistance: Hard to find duplicates
- Avalanche Effect: Small change = big difference
Avalanche Effect Example
Input 1: "Hello"
SHA-256: 2cf24dba4f21d4288094e6606c5be39418
9c5f85c70c6c0b8e11b0c93628e2e48c
Input 2: "Hello!"
SHA-256: 334d016f755cd6dc58c53a86e183882f8
ec14f4e7d47a66e4c8f33f53dbefc1
One character change → Completely different hash!
SHA-256: 2cf24dba4f21d4288094e6606c5be39418
9c5f85c70c6c0b8e11b0c93628e2e48c
Input 2: "Hello!"
SHA-256: 334d016f755cd6dc58c53a86e183882f8
ec14f4e7d47a66e4c8f33f53dbefc1
One character change → Completely different hash!
MD5 (Message Digest 5)
- Output Length: 128 bits (32 hex characters)
- Block Size: 512 bits
- Designed: 1991 by Ronald Rivest
- Status: Cryptographically broken
Security Issue: Vulnerable to collision attacks. Not recommended for security-critical applications.
MD5 Example
Input: "abc"
Step 1: Padding
Binary: 01100001 01100010 01100011 1000...
Step 2: Process in 512-bit blocks
Through 4 rounds of 16 operations each
Output:
900150983cd24fb0d6963f7d28e17f72
Step 1: Padding
Binary: 01100001 01100010 01100011 1000...
Step 2: Process in 512-bit blocks
Through 4 rounds of 16 operations each
Output:
900150983cd24fb0d6963f7d28e17f72
SHA (Secure Hash Algorithm) Family
SHA-1:
- 160-bit output, deprecated since 2017
SHA-2 Family:
- SHA-224, SHA-256, SHA-384, SHA-512
- Currently recommended standard
SHA-3:
- Latest standard (2015)
- Different construction (Keccak)
SHA-256 Algorithm
- Output Length: 256 bits (64 hex characters)
- Block Size: 512 bits
- Rounds: 64 operations per block
- Security: Currently considered secure
Example:
Input: "Hello World"
SHA-256: a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e
Input: "Hello World"
SHA-256: a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e
Applications of Hash Functions
- Data Integrity: File verification, checksums
- Password Storage: Store hash instead of password
- Digital Signatures: Hash then sign for efficiency
- Blockchain: Bitcoin uses SHA-256
- Data Structures: Hash tables, databases
- Forensics: Evidence integrity verification
Data Integrity Verification
Scenario: File Download Verification
1. Website provides file + hash
2. User downloads file
3. User calculates hash of downloaded file
4. Compare hashes
5. If match → file is intact
6. If different → file corrupted/tampered
1. Website provides file + hash
2. User downloads file
3. User calculates hash of downloaded file
4. Compare hashes
5. If match → file is intact
6. If different → file corrupted/tampered
Password Storage
Never store passwords in plain text!
Process:
1. User creates password: "mypassword123"
2. System adds salt: "mypassword123" + "randomsalt"
3. Hash the combination
4. Store: hash + salt
Login verification:
1. User enters password
2. Add stored salt
3. Hash combination
4. Compare with stored hash
1. User creates password: "mypassword123"
2. System adds salt: "mypassword123" + "randomsalt"
3. Hash the combination
4. Store: hash + salt
Login verification:
1. User enters password
2. Add stored salt
3. Hash combination
4. Compare with stored hash
Salt in Password Hashing
Salt: Random data added to password before hashing
Why Use Salt?
- Prevent Rainbow Tables: Pre-computed hash lookups
- Unique Hashes: Same password ≠ same hash
- Slow Attacks: Force attackers to crack individually
Without salt: hash("password") = 5e884898da...
With salt: hash("password" + "a1b2c3") = 9f8e7d6c5b...
With salt: hash("password" + "a1b2c3") = 9f8e7d6c5b...
Message Authentication Codes (MAC)
HMAC: Hash-based Message Authentication Code
Formula:
HMAC(K, M) = H((K ⊕ opad) || H((K ⊕ ipad) || M))
Where:
• K = secret key
• M = message
• H = hash function
• opad, ipad = constants
HMAC(K, M) = H((K ⊕ opad) || H((K ⊕ ipad) || M))
Where:
• K = secret key
• M = message
• H = hash function
• opad, ipad = constants
Purpose: Verify both integrity and authenticity
Hashing in Blockchain
- Block Hashing: Each block has unique hash
- Chain Linking: Each block references previous hash
- Proof of Work: Mining finds specific hash patterns
- Merkle Trees: Efficient transaction verification
Bitcoin Example:
Block hash must start with specific number of zeros
Miners adjust "nonce" until hash meets criteria
Current difficulty: ~19 leading zeros!
Block hash must start with specific number of zeros
Miners adjust "nonce" until hash meets criteria
Current difficulty: ~19 leading zeros!
Hash Collisions
Collision: When two different inputs produce the same hash
Types of Attacks:
- Birthday Attack: Find any collision
- Pre-image Attack: Find input for given hash
- Second Pre-image: Find different input with same hash
MD5 Collision Example:
Two different files can have identical MD5 hashes
This breaks integrity guarantees!
Two different files can have identical MD5 hashes
This breaks integrity guarantees!
Modern Recommendations
For General Use:
- SHA-256: Most widely supported
- SHA-3: Latest standard, different design
For Passwords:
- bcrypt: Adaptive cost function
- Argon2: Winner of password hashing competition
- PBKDF2: Key derivation function
Performance vs Security
| Algorithm | Output Size | Speed | Security |
|---|---|---|---|
| MD5 | 128 bits | Very Fast | Broken |
| SHA-1 | 160 bits | Fast | Deprecated |
| SHA-256 | 256 bits | Moderate | Strong |
| SHA-3 | Variable | Moderate | Strong |
Future of Hash Functions
- Quantum Computing: Grover's algorithm reduces security
- Post-Quantum Hashing: New algorithms needed
- Hardware Acceleration: GPU/ASIC attacks on passwords
- IoT Constraints: Lightweight hash functions
Quantum Impact: Effectively halves hash security
SHA-256 provides ~128-bit quantum security
SHA-256 provides ~128-bit quantum security
Hash Function Best Practices
- Use Modern Algorithms: SHA-256 or SHA-3
- Always Use Salt: For password hashing
- Choose Right Tool: Different purposes need different functions
- Keep Updated: Monitor security advisories
- Consider Performance: Balance security and speed
Try It Yourself
Calculate SHA-256 for:
1. Your name
2. Your name + "1"
3. Compare the results
Tools:
• Online calculators
• Command line: echo "text" | sha256sum
• Programming libraries
1. Your name
2. Your name + "1"
3. Compare the results
Tools:
• Online calculators
• Command line: echo "text" | sha256sum
• Programming libraries
Key Takeaways
- Hash functions create fixed-size digital fingerprints
- Essential for data integrity and authentication
- MD5 and SHA-1 are no longer secure
- SHA-256 and SHA-3 are current standards
- Always use salt for password hashing
- Choose the right hash function for your needs
Remember: A small change in input creates a completely different hash