Hash Function Cryptography
Hash functions, also called message digests, use a fixed length hash value to transform the data that makes it difficult for someone to decrypt or change the data without affecting the hash value, thus securing the data from intruders.
Hashing functions are one-way mathematical functions that are easy to compute but hard to reverse. A hash function
H( ), applied on input (x), and returns a fixed string, hs. Mathematically it is written as hs = H(x). A cryptographic hash function in general should have the following properties:
• Flexible input length (x)
• H(x) should be relatively easy to compute
• H(x) is one way function and cannot be reversible
• The output is of fixed length and does not depend on input length
Hashing is generally used in the following situations:
• Password management in case of PPP, CHAP, and Microsoft EAP. This method of cryptography is normally used in operating systems to protect passwords.
• Digital signatures and file integrity checkers to check the integrity of data.
Hashing functions are used to vouch for the integrity of the message by appending the message with the hash value. If the message is changed, the hash value when recomputed will not match the precomputed hash value. In order to avoid man-in-the middle attacks, it is ideal to send the hash value in a secure way to the intended party. Such secure transfer is possible using public key cryptography.
Further, hash value is used to store passwords of the operating systems like Microsoft Windows. Here, the original passwords are not stored; instead the SAM corresponding hash values are stored. These provide high security to the passwords, as hash value is not reversible to find out the original password. Only when the passwords are entered in the system will it compute the hash value and check with the hash value stored in the SAM.
“Salting” the password before hashing by either suffixing or prefixing it with a random string decreases the possibility of cracking the password.
Hashing is also used in some of the implementation of digital signatures which vouches for the integrity of the message sent. Hashing functions are also used in virus detection as well as intrusion detection.
Figure 10-8 illustrates how hashing ensures the integrity of the message that is sent.
Figure 8-8. Message Integrity Check through Hashing
MD5 (Message Digest Function 5), SHA1 (Secure Hash Algorithm 1), SHA2 (Secure Hash Algorithm 2), and SHA3 (Secure Hash Algorithm 3) are the popular hashing functions /algorithms. MD5 outputs are of 128 bits and are popularly used for storing of the passwords as well as to ensure file integrity. MD5 is prone for collision.
SHA algorithms again provide for one way hash. SHA1 provides for 160 bit output. SHA-224, SHA-256, SHA-384, and SHA-512 are known as SHA-2. SHA3 is the most advanced hashing function which was announced by NIST in 2012. SHA-3 has a unique structure known as sponge construction.
MAC (Message Authentication Code) is another popular hash function which is also known as a Keyed Hash Function.
A digital signature is like a handwritten signature but it is in the digital form for an electronic document. The document containing the digital signature is verified by the recipient using a hash function to check whether the message has been altered either intentionally or accidentally during the transmission. If the message is altered, the hash function returns a different result. Digital signature ensures authenticity and non-repudiation.
Here, usually the hash value is encrypted with the sender's private key. This provides for the authenticity.
When the receiver decrypts the private key using the sender's public key, he gets the hash value. He can check this hash value with the hash value generated using the hash algorithm from the message received. Alternatively, both the message and the appended hash value both can be encrypted with the sender's private key in a similar way as above. If both the hash value received and the hash value generated from the message received tally that means the integrity of the message is maintained. Because it has been signed by the sender's private key, the message sender is also authenticated. Another alternative is to encrypt the message and the hash value using the symmetric key shared between both the parties.