
Hashing

Hashing is not encryption
Hash functions are one-way: you cannot reverse a hash to get the original input. They provide integrity verification, not confidentiality, and they play a critical role in password storage, data integrity, and digital signatures.

Core Properties

  • Deterministic - Same input always produces same output
  • Fast Computation - Easy to compute hash for any input
  • Preimage Resistance - Given hash, infeasible to find input
  • Second Preimage Resistance - Given input, infeasible to find different input with same hash
  • Collision Resistance - Infeasible to find any two inputs with same hash

Common Hash Functions

MD5 - Broken. 128-bit output. Collision attacks practical since 2004. Never use for security purposes (still fine for non-security checksums).

SHA-1 - Deprecated. 160-bit output. SHAttered attack (2017) demonstrated a practical collision. NIST deprecated for all cryptographic use.

SHA-2 - Current standard. SHA-256 (256-bit) and SHA-512 (512-bit) are recommended. Used in TLS, SSH, digital signatures, blockchain.

SHA-3 - Modern alternative. Based on Keccak sponge construction. Not yet as widely adopted as SHA-2.

BLAKE2/BLAKE3 - Fast hash functions. BLAKE3 is extremely fast (faster than SHA-2, MD5). Used in modern applications (not yet standard).

Password Hashing

Passwords require special hash functions designed to be slow and resource-intensive

  • bcrypt - Built-in salt, cost factor adjustable (standard choice)
  • scrypt - Memory-hard (resists ASIC/GPU attacks)
  • argon2 - Modern winner of Password Hashing Competition (2015)
  • PBKDF2 - NIST standard (older, weaker against GPU)

Why Password Hashing is Different

Regular hashes are designed to be fast
Password hashes must be slow to resist brute force attacks

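import hashlib
import bcrypt  # third-party package (pip install bcrypt)

password = b"example-password"

# Wrong: fast hashes for passwords
digest = hashlib.sha256(password).hexdigest()  # Can try billions/sec

# Right: slow password hashes
hashed = bcrypt.hashpw(password, bcrypt.gensalt(rounds=12))  # ~10 hashes/sec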

Rainbow Tables

Precomputed hash-to-plaintext mappings
Salt defeats rainbow tables by making each password's hash unique

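import hashlib, os
# With salt
salt = os.urandom(16)  # random per-user salt, stored alongside the hash
digest = hashlib.sha256(salt + password).hexdigest()  # Different hash per user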

HMAC (Hash-based Message Authentication Code)

Keyed hash function for message authentication

HMAC-SHA256(key, message) = SHA256((key XOR opad) || SHA256((key XOR ipad) || message))

Used in: JWT signing, API authentication, TLS record verification

Common Attacks

  • Collision Attack - Find two inputs with same hash (MD5, SHA-1)
  • Length Extension - Given H(M), compute H(M || padding || extra) without knowing M (SHA-256 vulnerable, SHA-3 not)
  • Birthday Attack - Find any collision in 2^(n/2) operations (faster than brute force)
  • Dictionary Attack - Try common passwords against hashes