Thursday 10 August 2006

Encryption: Hashing

A Hash is a signature for a piece of data. It is always the same size regardless of the size of the source data. Hashing is a one-way process: the Hash cannot be converted back to the data that was the source of the Hash. Some common types of Hashing Algorithms are MD4, MD5 and SHA-0.

The smallest change to a piece of source data can produce an entirely different Hash. Hashes are used in a number of ways; the two most popular uses are Passwords and File Verification.

Passwords
If we store passwords as clear text, it would be possible for a hacker to view and read the passwords. If, however, a Hash is stored instead, an attacker can view but not read the passwords. This means he cannot tell from the Hash which password generated it. When a legitimate user attempts to log in, their password is run through the same Hashing Algorithm and the output from this operation is compared to the Hash value stored in the password file. If the Hash values match then access is granted; if not, an incorrect password was input and access is denied.

File Verification
If you download some software from a website, you cannot be sure that what you received is what the author intended you to receive. One way to ensure that you have an original, unchanged copy of the software is to compare the Hash value of the software with the published Hash value for that particular download. If these differ, then your software is different to the version you were intended to receive.
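The check described above, as an added example that is not part of the original post: it hashes a file in chunks and compares the result with a published value, then shows a copy with a single bit flipped failing the check. SHA-256 is this example's choice of algorithm (the post does not name one for downloads), and the file contents and function names are constructed for illustration.

```python
import hashlib
import os
import tempfile

CHUNK_SIZE = 64 * 1024  # read in blocks so a large download is never held in memory


def file_digest(path, algorithm="sha256"):
    """Return the hex digest of the file at `path`, read chunk by chunk."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, published_hex, algorithm="sha256"):
    """Return True only if the file's digest equals the published one."""
    expected = published_hex.strip().lower()
    # A published value of the wrong length usually means the wrong algorithm
    # or a truncated copy/paste, so fail loudly instead of reporting a mismatch.
    if len(expected) != hashlib.new(algorithm).digest_size * 2:
        raise ValueError("published hash has the wrong length for " + algorithm)
    return file_digest(path, algorithm) == expected


def demo():
    """Constructed sample: an 'original' file and a copy with one bit flipped."""
    original = b"installer contents, constructed sample data\n" * 1000
    tampered = bytearray(original)
    tampered[500] ^= 0x01  # the smallest possible change to the source data
    published = hashlib.sha256(original).hexdigest()  # what the author would publish
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("original", original), ("tampered", bytes(tampered))):
            path = os.path.join(d, name + ".bin")
            with open(path, "wb") as f:
                f.write(data)
            results[name] = (verify_download(path, published), file_digest(path))
    return published, results


if __name__ == "__main__":
    published, results = demo()
    print("published:", published)
    for name, (ok, digest) in results.items():
        print(name, "OK" if ok else "MISMATCH", digest)
```

The check is only as trustworthy as the place the published Hash came from: if it sits on the same server as the download, whoever can replace the file can replace the Hash as well.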

An interesting article is this one by Bruce Schneier in which he discusses the weaknesses of MD5 and SHA, the two most common forms of Hashing.

“You go through life, you try to be nice to people, you struggle to resist the urge to punch ’em in the face, and for what? So some pimply little puke can treat you like dirt because you’re not on the team. Well, I’m better than dirt. Well, most kinds of dirt. I mean not that fancy store bought dirt. That stuff’s loaded with nutrients. I… I can’t compete with that stuff.” - Moe Szyslak
