Hashing and Digital Signatures

Cryptographic Hash Overview

A cryptographic hash represents data as a short string of text.
- Sometimes referred to as a message digest or fingerprint.
- Analogous to human fingerprints that uniquely identify individuals.
A cryptographic hash is not encryption.
- You cannot recreate the original data from the hash, similar to how you cannot recreate a person from their fingerprint.

Used to verify that downloaded documents match original documents posted online, ensuring integrity.
Used in creating digital signatures, which provide:
- Authentication: proving the sender's identity.
- Integrity: ensuring the data hasn’t changed.
- Non-repudiation: preventing the sender from denying the transmission of the data.

SHA256 Hashing Algorithm: Produces 256 bits of information represented as 64 hexadecimal characters.
- Example input string: "My name is Professor Messer."
- Changing the end punctuation to an exclamation mark significantly alters the output hash, demonstrating hash sensitivity to input changes.

Minor changes in input yield vastly different hashes, ensuring the uniqueness of the output.
Ideal hashing algorithms should produce different outputs for different inputs and avoid hash duplication.
Hash collisions occur when different inputs produce the same hash value, which should be rare.
- Example: Collisions were discovered in the MD5 algorithm in 1996, leading to its deprecation in favor of more secure algorithms.

Two similar input strings can produce the same MD5 hash, demonstrating a collision.
- Understanding collisions aids in recognizing the shortcomings of certain hashing algorithms.

File Verification: Hashing allows users to verify downloaded files against published hashes on websites, particularly for important file distributions (e.g., Linux ISOs).
Password Storage: Hashes are fundamental in securely storing passwords.
- Instead of plain text or encryption, passwords should be hashed to prevent unauthorized access.
- Use of salted hashes adds randomness, enhancing password security by modifying each password’s hash uniquely.

A salt is random data added during the hashing process to ensure unique hashes, even for identical passwords.
Salts prevent attackers from using precomputed rainbow tables (precompiled sets of inputs and hashes) to easily crack hashes.
- When salts are employed, the effectiveness of rainbow table attacks diminishes, ensuring higher security against brute force attacks.

Example password: "dragon"
- Without salt: generates a specific hash.
- With unique salts added: results in different hashes for the same password, complicating an attacker's ability to determine the original password.

Digital signatures confirm that a message remains unchanged during transmission, aiding in the processes of integrity and authentication.
- Closely related to standard signatures in physical documents.
Non-repudiation: Digital signatures help prove the origin of a message.

The sender (e.g., Alice) prepares the plaintext message (e.g., "You're hired, Bob").
The email client invokes a hashing algorithm on the plaintext to derive a hash.
The hash is encrypted using the sender’s private key, creating the digital signature.
The plaintext message is sent with the attached digital signature (no encryption of the message itself).
The receiver (e.g., Bob) attempts to verify the signature by:
- Decrypting the digital signature with Alice’s public key.
- Comparing this decrypted hash with a new hash generated from the received plaintext.
If both hashes match, the identity of the sender is verified, and the message integrity is intact.

Understanding cryptographic hashes, their purposes, and the significance of methods like salting and digital signatures is crucial in enhancing data security in digital communications and data storage.