A cryptographic hash function is an algorithm which can be executed on data, like a file or a password, to create a value called a checksum. A hash function takes an input, or message, and returns a fixed-size string of bytes. Any data can be hashed, regardless of its size, type or length, and the hash that any data generates using a given hashing algorithm is always of the same length.
A hash also acts as a one-way function, which means that one can put data into a hashing algorithm and receive back a unique string, but a person who comes across a new hash cannot decipher the input data that was used to produce it.
Cryptographic hash functions are designed so that the checksums they create cannot be reversed back to the original texts. Many things that are secured on the web rely on this, from the HTTPS protocol to payments made on internet platforms and passwords.
Various classes of hash functions exist, including Secure Hashing Algorithm (SHA-1, SHA-2 and SHA-3), RACE Integrity Primitives Evaluation Message Digest (RIPEMD), bcrypt, Message Digest Algorithm 5 (MD5) and BLAKE2. Each of these classes may include different algorithms. For instance, SHA-2 is a family of hash functions that contains SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256.
SHA-256 (part of SHA-2) is probably one of the most popular of all cryptographic hash functions because it’s widely used in securing blockchain networks, particularly the Bitcoin protocol. One of the latest secure hash algorithms, SHA-3, is now being developed for protecting embedded hardware like IoT devices.
Not All Algorithms Are Fool-Proof
One of the most important properties that cryptographic hash functions must possess is collision resistance, which means that it must be virtually impossible to find two different inputs that produce the same output. But if someone finds the same hash for two different values, that is a collision, and it indicates a broken hash function with a vulnerability.
And that’s precisely what happened with the SHA-1 cryptographic hash algorithm, which is now considered insecure after researchers produced the world’s first known collision against it. Recently, the already-dead SHA-1 horse got hammered again as a different team of researchers unveiled a new attack that’s significantly more powerful.
While we know SHA-1 is pretty much useless, the concerning thing in terms of web security is that SHA-1 remains the default hash function for certifying PGP keys in one of the legacy version branches of GnuPG, which is the open-source software for encrypting email and images. And multiple non-Web applications that depend on HTTPS encryption still accept SHA-1 certificates. SHA-1 is also still permitted for in-protocol signatures in the Transport Layer Security and Secure Shell protocols.
Everyday Web Security Examples For Cryptographic Hash Functions
The primary use of a cryptographic hash function is to check the authenticity of data. Two files can be considered identical only if the checksums produced from each of them, using the same cryptographic hash function, are equal, which has a great use case in the data security of files.
For example, say you want a software file from your favourite web service but, for some reason, you download it from another website where it is also hosted. You can still make sure the file is the genuine one provided by the main site by using a checksum calculator to compute its checksum with a particular cryptographic hash. Then compare it to the checksum on the main website: if the checksums are identical, this ensures the file is not malicious and is safe to use.
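The download check described above can be scripted. This is an added example, not code from the original article; it assumes the main site publishes its checksum as a `sha256sum`-style line, and the file name and contents are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile

def file_digest(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large downloads need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_checksum_line(line):
    """Parse one 'HEX  filename' line, the layout written by sha256sum."""
    digest, _, name = line.strip().partition(" ")
    name = name.lstrip(" *")  # '*' marks binary mode in sha256sum output
    if len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
        raise ValueError("not a SHA-256 hex digest")
    return digest.lower(), name

def verify_download(path, published_line):
    """True only if the local file hashes to the value the main site published."""
    expected, name = parse_checksum_line(published_line)
    if os.path.basename(path) != name:
        raise ValueError("checksum line is for a different file")
    return hmac.compare_digest(file_digest(path), expected)

def demo():
    """Constructed sample: a file that matches, then the same file altered by one byte."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "installer.bin")
        with open(path, "wb") as f:
            f.write(b"constructed sample installer contents\n")
        published = f"{file_digest(path)}  installer.bin"  # stands in for the main site's line
        ok_before = verify_download(path, published)
        with open(path, "ab") as f:
            f.write(b"\x00")  # simulate a modified mirror copy
        ok_after = verify_download(path, published)
    return ok_before, ok_after

if __name__ == "__main__":
    print(demo())
```

The comparison is only as trustworthy as the place the published checksum came from, so it should be read from the main site itself rather than from the mirror that served the file.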
An average user encounters cryptographic hashing regularly, particularly in the realm of passwords. For example, when you sign up for an email address and password, your email provider never saves the password but instead runs the password through a hashing algorithm and stores the hash of your password.
So, each time you try to log in to your email, the email service hashes the password that is entered and then matches this hash against the hash stored in the database earlier. You are logged in only when the two hashes are the same, which ensures that hackers and the service provider itself cannot read your encrypted mails, unless you are duped into giving up your password in a phishing attack.
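The sign-up and login flow above, as an added example that is not from the original article and goes beyond it: instead of a single hash pass it stores a per-user random salt and a deliberately slow derivation (PBKDF2-HMAC-SHA256), with a plain unsalted hash shown for contrast. The record layout and function names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # work factor; raising it makes every guess slower

def unsalted_sha256(password):
    """Weak form, for contrast: identical passwords give identical stored values."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def hash_password(password, iterations=ITERATIONS):
    """Sign-up: store scheme, work factor, salt and derived key, never the password."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password, record):
    """Login: re-derive with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, dk_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, int(iterations)
        )
    except ValueError:  # malformed or truncated record
        return False
    return hmac.compare_digest(candidate, expected)

if __name__ == "__main__":
    # Constructed sample: two users who happen to choose the same password.
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    print(alice != bob)                                              # salts differ
    print(verify_password("correct horse battery staple", alice))    # right password
    print(verify_password("Correct horse battery staple", alice))    # wrong password
```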
Another use case is how a VPN service, like Proton VPN, uses a hash function like HMAC SHA-384 for message authentication between users’ devices and its VPN servers. This authenticates the traffic received on a device as coming from the original servers and makes sure it has not been tampered with or spoofed along the way by a third party.
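How an HMAC SHA-384 tag lets a receiver reject altered traffic, as an added example that is not from the original article. The frame layout (8-byte sequence number, payload, 48-byte tag) and the names are assumptions for illustration, not Proton VPN's or any VPN protocol's wire format, and the key is assumed to be already shared by both ends.

```python
import hashlib
import hmac
import secrets
import struct

TAG_LEN = hashlib.sha384().digest_size  # 48 bytes
SEQ_LEN = 8

def seal(key, seq, payload):
    """Sender: prepend a sequence number and append the tag over both."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha384).digest()
    return header + payload + tag

class Receiver:
    """Receiver: check the tag first, then refuse old sequence numbers."""

    def __init__(self, key):
        self.key = key
        self.last_seq = -1

    def receive(self, frame):
        if len(frame) < SEQ_LEN + TAG_LEN:
            raise ValueError("frame too short")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha384).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            raise ValueError("bad tag: altered in transit or wrong key")
        (seq,) = struct.unpack(">Q", body[:SEQ_LEN])
        if seq <= self.last_seq:
            raise ValueError("replayed or reordered frame")
        self.last_seq = seq
        return body[SEQ_LEN:]

if __name__ == "__main__":
    key = secrets.token_bytes(48)           # constructed shared key
    rx = Receiver(key)
    frame = seal(key, 1, b"constructed payload")
    print(rx.receive(frame))                # accepted
    altered = bytearray(seal(key, 2, b"constructed payload"))
    altered[SEQ_LEN] ^= 0x01                # flip one payload bit
    try:
        rx.receive(bytes(altered))
    except ValueError as err:
        print(err)                          # rejected before the payload is used
```

The tag proves the frame was produced by a holder of the shared key and was not changed; it does not hide the payload, which is the job of encryption.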
Vishal Chawla is a senior tech journalist at Analytics India Magazine (AIM) and writes on the latest in the world of analytics, AI and other emerging technologies. Previously, he worked as a senior correspondent for IDG CIO and ComputerWorld. Reach out to Vishal on Twitter @_vishalchawla