1.4.5 Hashing, Salting & Signatures
Hashing is the use of a one-way mathematical algorithm to transform variable-length data into a unique, fixed-length string called a message digest.
Hashing Characteristics and Integrity Hashing is primarily used to ensure Integrity within the CIA triad. Unlike encryption, hashing is not intended to be reversed; you do not "decrypt" a hash back into plaintext. - Fixed-length output: Regardless of whether the input is a single word or a 10GB file, the resulting hash is always the same size (e.g., a 256-bit SHA-256 hash). - Deterministic: The same input will always produce the exact same hash value when using the same algorithm. - Avalanche Effect: A minor change in the input (even one bit) results in a drastically different hash output. - Collisions: A vulnerability where two different inputs happen to produce the same hash. Strong algorithms aim to be "collision-resistant."
Hashing Algorithms - MD5 (Message Digest 5): An older 128-bit algorithm now considered cryptographically broken due to collision vulnerabilities. - SHA (Secure Hash Algorithm): A family of hashes. SHA-1 (160-bit) is legacy and considered weak. SHA-2 (including SHA-256 and SHA-512) and SHA-3 are the current industry standards. - HMAC (Hash-based Message Authentication Code): Combines a hash function with a shared secret key. This provides both integrity and authenticity, proving that the message was sent by someone possessing that specific key.
Salting and Password Security While hashing provides confidentiality for passwords by not storing them in plaintext, attackers can use Rainbow Tables (precomputed lists of hashes) to crack them. - Salting: Adding a unique, random string of data to a password before hashing it. - Purpose: This ensures that two users with the same password (e.g., "P@ssword123") will have completely different stored hashes, effectively neutralizing rainbow table attacks.
Digital Signatures A digital signature uses hashing and asymmetric encryption to provide Integrity, Authentication, and Non-repudiation. - The Process: The sender hashes a document to create a digest, then encrypts that digest with their Private Key. - The Verification: The receiver decrypts the signature using the sender’s Public Key to reveal the hash. They then hash the document themselves; if the two hashes match, the document is authentic and unaltered.
Quick recall - Integrity: The primary goal of hashing; verifying data has not been changed. - One-way: Hashing cannot be reversed to discover the original data. - Collision: Two different inputs producing the same hash. - Salt: Random data added to passwords to prevent rainbow table attacks. - Non-repudiation: Provided by digital signatures; proof that the sender cannot deny sending the message.