Saturday, June 22, 2013

Security+ Topic - Hashes

Creating a hash is like creating one of those math problems that not even the creator knows how it happened or how to get the same dang thing again. The algorithms used for the hashes are complex and continue to get more complex due to the increasing computer power available to crack weak hashes. In the simplest form, a hash is used to create a unique identifier for a piece of information. This could be to conceal the actual password or to verify a document has not been changed. It is more than just taking one character of a password or document and replacing it with another. These math equations are so complex that even if you were to change one letter of a word document the entire has would change. Ideally, every single hash should be 100% unique. In the real world though we have seen that the common MD5 has had duplicates discovered.


So why does the hashing algorithm really matter?


When it comes to the security of your systems, you want to have a strong password policy and keep your data out of the wrong hands. This is why the hashing algorithm is important. In the event that an exploit affects your systems and an attacker is able to get a copy of your password hashes you wouldn't want a weak algorithm. Imagine how easy someone would know all the passwords if you simply replace every A with a B and every B with a C. The one-way hash for passwords has to create make it so it would take an unreasonably long time to crack even if they tried every possible password.


There are more than just passwords to protect when it comes to a hashing algorithm. There is also data verification, message transmission on a network, and even the signing of documents. Imagine that you download a file and when you run it, your anti-virus comes up saying that the file is malicious and has gotten rid of it for you. You know that you downloaded it from a legitimate site and are really confused. One thing you can do is to check the hash posted on their website against a hash run on the file that you downloaded. If they match then it may be that the file is triggered as a false-positive by your anti-virus but if the hashes did not match then you know that you may have been a victim of a website compromise or man-in-the middle attack. That hash suddenly sounds important doesn't it?


Document signing is the one that gets most people confused. When working with securing data there needs to be a way that the receiver can verify the file they got is actually from the person who they are expecting it to be from. This is where digital signatures come into play. The recipient is able to verify your signature after they have decrypted the file and calculate their own digest. In this situation the encryption is asymmetric.


When it comes to picking a hashing algorithm, just make sure to try and pick the strongest one available for the systems you are using. As of this writing MD5 should start be phased out unless required by limitations and SHA-1 should be utilized where possible.


– Joe McShinsky