hashing - dwilson2547/wiki_demo GitHub Wiki
Hashing is a fundamental concept in computer science and cryptography. It transforms input data (of any size) into a fixed-size string of characters, which is typically a hash value or digest. Let’s explore hashing in detail:
- 1. What is Hashing?
- 2. Key Properties of Hashing
- 3. Common Hashing Algorithms
- 4. How Hashing Works
- 5. Use Cases of Hashing
- 6. Hashing vs. Encryption
- 7. Security Considerations
- 8. Example: Password Hashing with Salt
- 9. Common Misconceptions
Hashing is a one-way function that:
- Takes an input (e.g., a password, file, or message).
- Produces a fixed-length output (the hash).
- Is deterministic: The same input always produces the same hash.
- Is irreversible: You cannot reverse-engineer the input from the hash.
| Property | Description |
|---|---|
| Deterministic | Same input → same hash. |
| Fixed-Length Output | Regardless of input size, the hash is always the same length (e.g., 256 bits for SHA-256). |
| Irreversible | No practical way to reverse the hash to get the original input. |
| Collision-Resistant | Hard to find two different inputs that produce the same hash. |
| Avalanche Effect | A tiny change in input drastically changes the hash. |
| Algorithm | Output Length | Use Case |
|---|---|---|
| MD5 | 128 bits | Legacy (insecure for cryptography). |
| SHA-1 | 160 bits | Legacy (vulnerable to collisions). |
| SHA-256 | 256 bits | Secure (used in Bitcoin, TLS, etc.). |
| SHA-3 | Variable (e.g., 224, 256, 384, 512 bits) | Modern alternative to SHA-2. |
| bcrypt | Variable (adaptive) | Password hashing (slow by design). |
| Argon2 | Variable | Winner of the Password Hashing Competition (PHC). |
- Input:
"hello" - Output (SHA-256):
2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824 - Even a small change (e.g.,
"Hello") produces a completely different hash:64ec88ca00b268e5ba1a35678a1b5316d212f4f366b2477232534a8aeca37f3c
- Never store plaintext passwords!
- Instead, store the hash of the password.
- When a user logs in, hash their input and compare it to the stored hash.
- Example:
- User’s password:
"mypassword" - Stored hash:
bcrypt("mypassword") → "$2a$10$N9qo8uLOickgx2ZMRZoMy..."
- User’s password:
- Verify that data hasn’t been tampered with.
- Example: Download a file and check its hash against the published hash.
- Combine hashing with encryption to verify authenticity.
- Example: Sign a message with a private key and verify with a public key.
- Each block contains the hash of the previous block, ensuring immutability.
| Feature | Hashing | Encryption |
|---|---|---|
| Purpose | Integrity, fingerprinting. | Confidentiality. |
| Reversible | No. | Yes (with a key). |
| Use Case | Passwords, checksums. | Secure communication. |
- Rainbow Tables: Precomputed tables for reversing hashes. Mitigate with salting (adding random data to input).
- Brute Force Attacks: Use slow hashing algorithms (e.g., bcrypt, Argon2) for passwords.
- Collision Attacks: Use modern algorithms (e.g., SHA-256, SHA-3) to avoid collisions.
- User creates a password:
"mypassword". - System generates a random salt:
"a1b2c3". - Combine password + salt:
"mypassworda1b2c3". - Hash the result with bcrypt:
bcrypt("mypassworda1b2c3") → "$2a$10$N9qo8uLOickgx2ZMRZoMy..." - Store both the salt and hash in the database.
- Hashing ≠ Encryption: Hashing is one-way; encryption is two-way.
- Not All Hashes Are Secure: MD5 and SHA-1 are broken for cryptographic use.
- Salting Alone Isn’t Enough: Use slow hashing algorithms for passwords.
Would you like to explore a specific hashing algorithm, real-world implementation, or how hashing fits into modern security practices?