In cryptography, hash functions are referred to as cryptographic hash functions. They provide the ability to generate a unique fixed-length value from a set of data, which is difficult to reconstruct without using an identical value as the hash function's input. They are not reversible but one-way only: you put in information and get out a random-looking fixed-length string. A good example is the passwords we use on computers. These are not stored as we know them, or at least they shouldn't be; rather, a cryptographic hash is computed on them and the hash value is stored. This allows us to store our passwords on systems without a system owner knowing what they are. Cryptographic hashes also allow us to provide some level of assurance in cryptographic communications, that is, the ability to verify that a message is unchanged and authentic. For example, an encrypted block of data can be hashed and the hash compared to demonstrate the message is intact as sent (integrity) and is authentic (authenticity). A more formal definition according to the National Institute of Standards and Technology describes them as "...functions that compute a fixed-length message digest from arbitrary length messages are widely used for many purposes in information security" (National Institute of Standards and Technology (NIST), 2012). The values returned by a hash function are typically referred to as hash values, hash codes, digests, or simply hashes.
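As an added illustration (not from the original essay), the following Python shows the fixed-length, one-way property and a credential store that keeps only a salted digest instead of the password; the per-user salt, the PBKDF2 iteration count and the hypothetical `users` table are assumptions not discussed above.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # assumed work factor; the essay does not specify one


def sha256_hex(data: bytes) -> str:
    """Whatever the input length, SHA-256 returns a fixed 32-byte (64 hex char) digest."""
    return hashlib.sha256(data).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Derive a digest from the password and a per-user random salt.

    Only (salt, digest) is stored; the password itself never is. PBKDF2 is an
    iterated, HMAC-based construction over SHA-256 (an assumed choice here).
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


# Constructed example store: username -> (salt, digest). No plaintext is kept.
users = {
    name: hash_password(pw)
    for name, pw in [("alice", "correct horse"), ("bob", "correct horse")]
}


def login(name: str, password: str) -> bool:
    """Return True only if the supplied password reproduces the stored digest."""
    if name not in users:
        return False
    salt, digest = users[name]
    return verify_password(password, salt, digest)
```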
The utility of cryptographic hash functions comes into play when they are used to produce a value that uniquely identifies information. To accomplish this, hash functions must be collision-resistant, meaning it is difficult to find two different inputs that produce the same hash value. Typically collision resistance is achieved by creating large hash values, for example 40-bit values as opposed to eight-bit digests. These functions are further divided into categories including cryptographic hash functions and "provably secure" hash functions. The latter are the most secure but are often slow to compute, and so see limited use. Some cryptographic hashes have been found to be no longer secure because they are no longer sufficiently collision resistant, either due to errors in the hashing algorithms or improvements in the computing power available to generate a duplicate hash.
Some of these no-longer-secure algorithms include the Message Digest algorithms MD2 and MD5 and the Secure Hash Algorithm SHA-1. These produce output values of 40 bits or lower. Researchers have been able to create collisions, making them less viable for security purposes such as hashing passwords and storing them. Ramirez writes that "As you probably know, MD5 has been compromised almost 20 years ago. So, nowadays it is actually possible to artificially produce MD5 collisions. All you need is time, hardware and the proper software" (Ramirez, 2015). So while it is true that these less secure algorithms can have collisions, it is still quite an intensive process to generate one, which means we should move to other, more secure algorithms.
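Added example (not from the essay) showing why digest size drives collision resistance: SHA-256 is truncated to a chosen number of leading bits, a device the essay does not use, and a birthday-style search over constructed messages finds a collision at 16 bits in roughly the square-root number of trials, while the full 256-bit digest yields none.

```python
import hashlib
import math
from typing import Optional


def truncated_digest(data: bytes, bits: int) -> int:
    """SHA-256 of data, keeping only the leading `bits` bits (bits=256 is the full digest)."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def find_collision(bits: int, limit: int) -> Optional[tuple]:
    """Hash constructed messages until two distinct inputs share a truncated digest.

    Returns (msg_a, msg_b, trials) or None if no collision appears within `limit`.
    Every message is distinct, so any repeated digest is a genuine collision.
    """
    seen: dict = {}
    for i in range(limit):
        msg = f"constructed-message-{i}".encode()
        d = truncated_digest(msg, bits)
        if d in seen:
            return seen[d], msg, i + 1
        seen[d] = msg
    return None


def birthday_bound(bits: int) -> float:
    """Expected number of random inputs before the first collision in a `bits`-bit digest.

    Grows as 2**(bits/2): doubling the digest size squares the attacker's work.
    """
    return math.sqrt(math.pi / 2 * 2 ** bits)
```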
Message Authentication Codes (MACs) are used to authenticate a message. They combine a cryptographic hash function with a secret cryptographic key, and are checked to ensure that a message has not been altered while in transit. There are numerous MAC algorithms, but the one most often used by security systems today is HMAC (keyed-hash or hash-based message authentication code), which is "used in many systems, including some popular Internet protocols (SSL, IPsec, SSH)" (Kowalczyk, n.d.).
By combining the properties of hashes and message authentication codes with block ciphers, we have the ability to begin constructing what is known as a secure channel. However, a secure channel requires a secret that is used to encrypt the data, used in the MAC, and ideally changed often to prevent attackers from learning what information is exchanged. This means sharing secrets, or keys, efficiently. Kohno, Ferguson, and Schneier write that the solution to a secure channel requires "three components: message numbering, authentication, and encryption" (Kohno, Ferguson, & Schneier, Chapter 7 Abstract). However, the implementation of secure channels remains one of the more challenging aspects developers face today. Failure to properly implement these three components has resulted in many broken cryptographic systems built from strong cryptographic mechanisms. Nevertheless, secure channels are used every day by Microsoft Windows servers and clients, web browsers, email clients, and VPN systems, to name a few, so their value is undeniable.
References
- Kohno, T., Ferguson, N., & Schneier, B. (2010). Cryptography engineering: Design principles and practical applications. Indianapolis, IN: Wiley Pub.
- Kowalczyk, C. (n.d.). Message authentication code (MAC). Retrieved June 28, 2019, from http://www.crypto-it.net/eng/theory/mac.html
- Ramirez, G. (2015, July 28). MD5: The broken algorithm. Retrieved June 28, 2019, from https://blog.avira.com/md5-the-broken-algorithm/
- National Institute of Standards and Technology (NIST). (2012, August). SP 800-107 Rev. 1 Recommendation for Applications Using Approved Hash Algorithms. Retrieved June 30, 2019, from https://csrc.nist.gov/publications/detail/sp/800-107/rev-1/final