« Backto Blog Hashing Algorithms By Jscrambler | 8 min read Let's say you have an important file to send and you want to ensure it will get to the addressee without any changes, in one piece, You could use some trivial methods, like sending it multiple times, contact the addressee and verify the file, and so on... but there's a much better approach: using a hashing algorithm. Whatis a hash function? Hashing algorithms are functions that generate a fixed-length result (the hash, or hash value) from a given input. The hash value is a summary of the original data. For instance, think of a paper document that you keep crumpling to a point where you aren't even able to read its content anymore. It's almost (in theory) impossible to restore the original input without knowing what the starting data was. Projeto Co-inanciado por(Maisinfo) NORTE2020 85620 [iInputdata Hashingalgorithm 12345 Outputdata: We could discuss if it's a secure algorithm (spoiler alert — it isn't). Of course, every input number is individual (we'll talk more about this in the further sections), but it’s easy to guess how it works. This is a very simple example but it gives us an idea about what a hashing algorithm can look like. To learn more about hashes, check this very thorough Wikipedia page. Hashing Algorithm Explained Ahashing algorithm is a cryptographic hash function. It is a mathematical algorithm that maps data of arbitrary size to a hash of a fixed size. Ahash function algorithm is designed to be a one-way function, infeasible to invert. However, in recent years several hashing algorithms have been compromised. This happened to MDS, for example — a widely known hash function designed to be a cryptographic hash function, which is now so easy to reverse — that we could only use for verifying data against unintentional corruption. Ws easy to figure out what the ideal cryptographic hash function should be like: 1, It should be fast to compute the hash value for any kind of data; 2. Itshould be impossible to regenerate a message from its hash value (brute force attack as the only option); It should be infeasible to find two messages with the same hash (a collision); 4. Every change to a message, even the smallest one, should change the hash value. It should be completely different. It's called the avalanche effect rojo cosrarcadoporqssine) ~NORTE2O20 93670Even the smallest change (one letter) makes the whole hash different (SHA-1 example) What do we use it for? Cryptographic hash functions are widely used in IT. We can use them for digital signatures, message authentication codes (MACs), and other forms of authentication. We can also use them for indexing data in hash tables, for fingerprinting, identifying files, detecting duplicates or as checksums (we can detect if a sent file didn't suffer accidental or intentional data corruption). We can also use them for password storage. If you have a website, you most likely do not actually need to store the password of your users. You just need to check whether the user password and the password of any given attempt match, so hashes should work fine and give some additional protection to your users. Ifyou want to know more about hashing passwords and its security, see our previous article - How to Store Passwords Safely. After this section, well show you an example of the last feature. How do MACs work? + Message Authentication Code (MAC) Definition + Coursera * University of Massachusetts Digital signature + Digital Signature Definition + YouTube Video — Security + Digital Signatures rroeocosinmcsdoportss) NORTE2O20 (85520PROTECT YOUR JAVASCRIPT kU ee) Dees cage) REVERSE-ENGINEERING Hashing Algorithm Example So... how does it work? Let's get back to our hashing algorithm example. We're sending a file to our friend. Its a really important file and we want to ensure it has been received in one piece, That's when our hashing algorithm comes in. But first, let's think how our file transfer would look without it: 1 Step: Userssends.afileto Usera a Gan 7 ° 2,User2 receives the file There iso quick way to verifyifboth files areexactly thesame. =) thefile @ = =] thereceived file We can figure out some trivial ideas. You could, for instance, call User2 and you could check the file content together. But then what's the point in sending a file? Checksums are our godsend here. rjc Corrancadopordiesine) =NORTE2020 (85620 Ilwy =) tefie a> 2.Userarecevesthe lead usesthe same ashingalgothm Ahashof ashi thesentfle ‘algorten ( A) 2.Useracomparesboth hashes Ifthe arethesame the z°a & Hashot Hashof thesentfle thereceivedfle Before sending a file, User? uses a hashing algorithm to generate a checksum for a file, Then he/she sends it alongside the file itself. User2 receives both the file and the checksum. Now he/she can use the same hashing algorithm on the received file. What's the point? We already know that a hash is individual (so there can't be any other file with the same hash) and has to be always the same for an individual file. No matter how many times you use the hash algorithm, it will always give you the same result. So now, User2 can compare both hashes. If they're the same, it means it's generated from the same file. There is no way that any other file has the same hash and there is no chance for a hash to be different for the same file. This way, User2 can verify if the file isn’t in any way corrupted. Easy? Certainly. Alot of downloading services use checksums to validate the integrity of their files. Thanks to that, you can find out if your downloaded file isn't corrupted. Popular Hashing Algorithms MDS Ifyou ever learned any programming language and it was some time ago, you surely know this algorithm. It's one of the most widely known. This hash algorithm used to be widely used and is still one of the most widely known hashing algorithms But despite initially being designed to be used as a cryptographic algorithm function, itis no longer rrojeo cosirancatopormissino) NORTE2020 (83620 IWhen MDS is used to hash passwords directly, there is an even easier way to break it... Google. By typing the hash in the search box, there's a good chance you'll receive its before-state within milliseconds! Now let's look at this example: oe Y id togin emit password [i Edt $8 Copy © Dolote 1) Tester itsiustancthoremail@mai com| edbbs2F7es3876e28907600 1250834 [PEt F8Copy © Doloto 2 Testo tector@mailcom | bssooarose81360772e6484600483076 TL A Edt FCopy @Delote 3) Tester testes@mail com -485034f488720bd5°35c 10206505267 [ED gF Edt B2Copy @ Delete 4) Admin testerasminG@mailcom | 2e968bOBAGeadeOtedeTONN5674NR28 You could think you are secure if your passwords are stored as MDS hashes, but if somebody gets access to your database, he/she can just type the hash to Google and get its real value! The CMU Software Engineering Institute considers MDS essentially “cryptographically broken and unsuitable for further use". It was accepted for many years, but it’s now mainly used for verifying data against unintentional corruption. ‘SHA-family Secure Hash Algorithm is a cryptographic hash function designed by the United States’ NSA. SHA-O (published in 1993) has been compromised many years ago. SHA-1 (1995) produces a 160-bit (20-byte) hash value. It's typically rendered as a 40 digits long hexadecimal number. It has been compromised in 2008 as theoretical collisions were discovered, but its real “death” occurred in 2010 when many organizations started to recommend its replacement. The big three - Microsoft, Google, and Mozilla — have stopped accepting SHA-1 SSL certificates in 2017 on their browsers, after multiple successful attacks. SHA-1 was built on principles similar to those used in the design of the MD4 and MDS, It has a more conservative approach, though, Learn more about the imperfect SHA-1 here. Safer, for now, is SHA-2. SHA-2 includes several important changes. Its family has six hash functions with digests: SHA-224, SHA-256 or 512 bits: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256, There are numerous reasons why you should move to SHA-2 if you haven't yet. We also find some useful resources that can help you with this move, ‘As a bottom line, SHA-2 is a lot more complicated and is still considered safe. However, SHA-2 shares the same structure and mathematical operations as its predecessor (SHA-1) — so it's likely that it will be compromised in the near future. As so, a new option for the future is SHA-3. vrje cosirancato permissive) NORTE2O20 (85620 ML.algorithm. It was released by NIST on August 5, 2015. One of SHA-3's requirements was to be resilient to potential attacks that could compromise SHA-2. Keccak is significantly faster than SHA-2 (from 25% to 80%, depending on implementation). It uses the sponge construction. The data is first “absorbed! into the "sponge" and the result is “squeezed” out. While absorbing, message blocks are XORed into a subset of the state. Then it's transformed as one element. While squeezing, output blocks are read from this element, but alternated with state transformations, Akey aspect of SHA-3 is that it was designed to easily replace SHA-2 in applications that currently use that variant. As so, the transition from SHA-2 to SHA-3 should be analyzed in regards to the required security level and the overhead (refactoring/testing) — that greatly depend on the application's structure and architecture, SHA.3's authors have proposed additional features like an authenticated encryption system and a tree hashing scheme, but they aren't standardized yet, Still, it's the safest hashing algorithm for now. Ith a CT ase ol ree eats Ae OED Useful links Cryptographic Hash Function — Wikipedia Page © Which hashing algorithm is best for uniqueness and speed? + Princeton Lecture — Hashing Algorithms + How does a hashing algorithm work? * Hashing Algorithms and Security — Computerphile — YouTube Video * Secure Hash Algorithm — YouTube Video + Current Recommendations for Key Length Conclusion Hashing algorithms can be pretty useful. However, IT is a really fast-changing industry and this entropy also extends to hashing algorithms. MDS, once considered really safe, now it's completely compromised. Then there was SHA-1, which is now unsafe. The same thing will surely happen to the widely used SHA-2 someday. wiosornissini) NORTE2020 (83520Abig part of good security standards if you're developing web applications is ensuring that attackers can't reverse engineer or tamper with your JavaScript code. Start your free Jscrambler trial and secure your code in 2 minutes! hms, JavaScript, Web Secu gorithms, Hashing A Jscrambler The leader in client-side Web security, With Jscrambler, JavaScript applications become self-defensive and capable of detecting and blocking client-side attacks like Magecart. Must read next nto ware @ Framework Deep dive into MITRE ATT&CK Framework By Adhyayan Panwar | 6 min rea After introducing MITRE ATTACK In a previous post, in this post, well take a look at every aspect of MITRE ATT&CK in detail eae na) Nee Corer REL PCI DSS Compliance Projo Co-inanciado por(Maisinfo) NORTE2020 85620 [i; payment card data, The newest version of PCI DSS contains requirements aimed at preventing attacks THANKS! You've successfully subscribed to our newsletter. Keep an eye out for your inbox on Tuesdays. Aout Us Contact Us Careers Blog Press Events Help Center Privacy & Security Changelog Copyright© scrambler 2022 Al RightsReserved rose Cosinacatoportssin) ~NORTE2020 93520