
Section 2.5 Hashes

[Figure: flowchart, read left to right, in which a document labeled "Plain Text" passes through a "Hash Function" to produce "Hashed Text", a non-readable, fixed-size string also called a digest.]
Figure 2.5.1. Hashing Algorithm
A hashing algorithm is a one-way function that creates hashed text from plaintext. It is often used for data validation, as a relatively small hash digest or signature can demonstrate the integrity of a large block of data. Hashes can also be used so that sensitive information does not have to be stored in cleartext. By storing a hash of a password, you can check whether the correct password was entered without storing the password itself. In the case of a data breach, only the hashes are leaked, and the attacker does not have access to the passwords to try with other services.
Two main families of hash algorithms are used: MD5 and SHA. MD5 produces a 128-bit hash value and is still often used to verify data integrity. The algorithm is technically cryptographically broken, but you may still see it in use. The SHA family of algorithms consists of SHA-1, SHA-2, and SHA-3:
  • SHA-1: 160 bits, similar to MD5, designed by the NSA, no longer approved for cryptographic use
  • SHA-2: SHA-256 and SHA-512, very common with the number indicating the block size, designed by the NSA
  • SHA-3: non-NSA designed, not widely adopted, similar numbering scheme as SHA-2 (SHA3-256, etc.)
Dictionary-based attacks against password hashes are fairly common. Typically, software generates a hash for every word in the dictionary and compares that hash to what is stored on the compromised machine. One way to combat this is through salting, or adding random bits to each password. When salting, the random bits are stored with the hash. This forces a dictionary-based attack to actively generate the hashes based on what the salt is, as opposed to using a stored table (rainbow table) of all the possible hashes. It can make attacks go from instant to days or even years, depending on the complexity of the password.
An even better way of combating attacks against hashes is through a secret salt, or pepper. A pepper is a random value that is added to the password but not stored with the resulting hash. The random value can be stored in a separate medium such as a Hardware Security Module.
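The difference between an unsalted hash, a salted hash, and a salted hash with a pepper, as an added example that is not part of the original text. The word list and pepper are constructed sample values, the function names are hypothetical, and using PBKDF2-HMAC-SHA256 with an HMAC step for the pepper is this example's choice rather than something the section prescribes.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: a tiny word list and a randomly generated pepper.
WORDLIST = ["password", "letmein", "dragon", "hunter2"]
# Assumption: in production the pepper comes from an HSM or secret store, never the database.
PEPPER = secrets.token_bytes(32)

def unsalted_hash(password):
    """Single unsalted SHA-256: identical passwords always give identical hashes."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password, salt=None, pepper=None):
    """Return (salt, digest). The salt is stored beside the digest; the pepper is not."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    secret = password.encode()
    if pepper is not None:
        # Mix in the pepper as an HMAC key so the stored record alone cannot be tested.
        secret = hmac.new(pepper, secret, hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000)
    return salt, digest

def verify(password, salt, digest, pepper=None):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt, pepper)[1], digest)

def table_lookup(leaked_hex):
    """Precomputed-table check: works only because unsalted hashes are reusable."""
    table = {unsalted_hash(w): w for w in WORDLIST}
    return table.get(leaked_hex)

def guess_from_record(salt, digest, pepper=None):
    """With a salt, every guess must be re-hashed for this one record."""
    return next((w for w in WORDLIST if verify(w, salt, digest, pepper)), None)

if __name__ == "__main__":
    print("unsalted, table lookup:", table_lookup(unsalted_hash("hunter2")))
    salt, digest = hash_password("hunter2")
    print("salted, per-record guessing:", guess_from_record(salt, digest))
    salt, digest = hash_password("hunter2", pepper=PEPPER)
    print("salted + pepper, pepper not leaked:", guess_from_record(salt, digest))
```

The last case returns `None` even though the password is in the word list, because the stored salt and digest cannot be checked without the pepper.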