Creating a hash is like creating one of those math problems that
not even the creator knows how it happened or how to get the same
dang thing again. The algorithms used for the hashes are complex and
continue to get more complex due to the increasing computer power
available to crack weak hashes. In the simplest form, a hash is used
to create a unique identifier for a piece of information. This could
be to conceal the actual password or to verify a document has not
been changed. It is more than just taking one character of a
password or document and replacing it with another. These math
equations are so complex that even if you were to change one letter
of a word document the entire has would change. Ideally, every
single hash should be 100% unique. In the real world though we have
seen that the common MD5 has had duplicates discovered.
So why does the hashing algorithm really matter?
When it comes to the security of your systems, you want to have a
strong password policy and keep your data out of the wrong hands.
This is why the hashing algorithm is important. In the event that an
exploit affects your systems and an attacker is able to get a copy of
your password hashes you wouldn't want a weak algorithm. Imagine how
easy someone would know all the passwords if you simply replace every
A with a B and every B with a C. The one-way hash for passwords has
to create make it so it would take an unreasonably long time to crack
even if they tried every possible password.
There are more than just passwords to protect when it comes to a
hashing algorithm. There is also data verification, message
transmission on a network, and even the signing of documents.
Imagine that you download a file and when you run it, your anti-virus
comes up saying that the file is malicious and has gotten rid of it
for you. You know that you downloaded it from a legitimate site and
are really confused. One thing you can do is to check the hash
posted on their website against a hash run on the file that you
downloaded. If they match then it may be that the file is triggered
as a false-positive by your anti-virus but if the hashes did not
match then you know that you may have been a victim of a website
compromise or man-in-the middle attack. That hash suddenly sounds
important doesn't it?
Document signing is the one that gets most people confused. When
working with securing data there needs to be a way that the receiver
can verify the file they got is actually from the person who they are
expecting it to be from. This is where digital signatures come into
play. The recipient is able to verify your signature after they have
decrypted the file and calculate their own digest. In this situation
the encryption is asymmetric.
When it comes to picking a hashing algorithm, just make sure to
try and pick the strongest one available for the systems you are
using. As of this writing MD5 should start be phased out unless
required by limitations and SHA-1 should be utilized where possible.
– Joe McShinsky
Saturday, June 22, 2013
Subscribe to:
Posts (Atom)