Hashing and Digital Signatures - SY0-601 CompTIA Security+ : 2.8
Summary
TLDRThe video explains how hashing algorithms convert any input—like files or passwords—into a fixed-size, unique string called a hash, which acts like a digital fingerprint. Hashing is a one-way process, meaning the original data cannot be reconstructed from the hash. It's used for secure password storage, data integrity verification, and digital signatures. Collisions, where two different inputs generate the same hash, are rare but problematic. Salting, which adds randomization to passwords, makes them more secure. The video also covers how digital signatures verify message authenticity and integrity using hashing and encryption.
Takeaways
- 🔐 A hash is a unique string generated from any type of input (document, audio, video, etc.), acting like a fingerprint for the data.
- 🛑 A hash is a one-way function, meaning you cannot recreate the original file from the hash.
- 🔑 Hashing is commonly used for securely storing passwords by converting them into a hash, preventing access to the original password.
- 🔍 Hashing ensures data integrity by verifying that two copies of the same file have identical hashes.
- 🧾 Digital signatures use hashing in combination with encryption to authenticate data sources and confirm integrity.
- 🚫 Collisions, where different inputs create the same hash, are rare but occurred with the MD5 algorithm, making it less reliable.
- 🧂 Adding a 'salt' (a random value) to a hash prevents attackers from using precomputed 'rainbow tables' to crack passwords.
- ⚡ Even a small change in the input will result in a completely different hash, showcasing the sensitivity of hashing algorithms.
- 🗝️ Digital signatures involve encrypting a hash with a private key, and recipients verify the signature using the sender's public key.
- 🛠️ Hashing algorithms like SHA256 create fixed-length outputs, regardless of the input size, providing consistency for verification.
Q & A
What is a hash, and what is its primary purpose?
-A hash is a function that converts any input, such as a document, audio, video, or file of any size, into a unique string of text called a message digest. Its primary purpose is to create a fixed-size representation (or fingerprint) of the data, ensuring data integrity and secure storage of sensitive information like passwords.
Why is hashing considered a one-way process?
-Hashing is considered a one-way process because once data is converted into a hash, it's impossible to reverse-engineer the original data from the hash. This property makes hashing ideal for securely storing passwords and ensuring data integrity.
How is hashing used to store passwords securely?
-When a password is hashed, the original password is transformed into a fixed-size hash value. This hash is stored instead of the plain text password. When a user logs in, the system hashes the input password and compares it to the stored hash. If they match, access is granted. This prevents storing passwords in plain text and protects against unauthorized access.
What is the purpose of adding 'salt' to a hash, and how does it improve security?
-Adding 'salt' to a hash involves introducing a random value to each password before hashing it. This ensures that even if two users have the same password, their stored hash values will be different. This process prevents attackers from using precomputed hash values, known as rainbow tables, to crack passwords.
What is a hash collision, and why is it problematic?
-A hash collision occurs when two different inputs produce the same hash value. This is problematic because it undermines the uniqueness of the hash function, potentially allowing malicious data to be validated as authentic or causing confusion in data integrity checks.
Why is the MD5 hashing algorithm no longer recommended for use?
-The MD5 hashing algorithm is no longer recommended because it is vulnerable to hash collisions. In 1996, it was discovered that MD5 could generate the same hash for different inputs, which compromises its security and integrity.
How does hashing ensure the integrity of a file during transfer?
-To ensure file integrity during transfer, a hash of the original file is created before the transfer. After the file is received, the same hashing algorithm is applied to the transferred file. If the resulting hash matches the original hash, the file has not been altered during transfer.
What role does hashing play in digital signatures?
-In digital signatures, hashing is used to create a unique hash of a document. This hash is then encrypted with the sender's private key to create the digital signature. The recipient can decrypt the signature with the sender's public key and compare the resulting hash with the hash of the received document to verify the authenticity and integrity of the message.
What is the difference between a public key and a private key in digital signatures?
-A private key is used by the sender to sign a document, creating a digital signature, while a public key is used by the recipient to verify the signature. The private key is kept secret and known only to the sender, while the public key is shared openly.
How does a digital signature verify the sender's identity and message integrity?
-A digital signature verifies the sender's identity and message integrity by using the sender's private key to encrypt a hash of the message. The recipient decrypts the signature using the sender's public key and compares the hash with a newly generated hash of the message. If they match, it confirms the sender's identity and that the message has not been altered.
Outlines
🔒 Understanding Hash Functions and Their Role
A hash function converts any type of input, whether a document, video, or other file, into a unique string of text called a 'message digest' or fingerprint. This one-way process means it's impossible to recreate the original data from the hash. Hashes are commonly used for storing passwords securely since it's difficult to derive the original password from the hash. They also help verify file integrity, ensuring that files copied or transferred are exact replicas by comparing their hashes. Hashing is often used with encryption to create digital signatures, enhancing data authenticity and integrity. If two inputs produce the same hash, it's called a 'collision,' which indicates a flaw in the algorithm.
🔑 Hashing Passwords: Salt and Rainbow Tables
When storing passwords, hashing with added 'salt' is used to avoid identical hashes for users with the same password. Salt adds randomization to the hash, ensuring that even identical passwords result in different hashes. This extra step prevents attackers from using rainbow tables—precomputed tables of hash values—to crack passwords. Although brute force attacks can still be used, adding salt significantly increases the time required for such attacks. By using a salt for each password, identical passwords appear as different hashes, making it harder for attackers to exploit identical passwords across accounts.
📜 How Digital Signatures Ensure Authenticity
Digital signatures use hashing and encryption to confirm the authenticity of a message. For example, Alice sends a message to Bob saying 'You're hired, Bob,' and wants to prove its authenticity. She first hashes the message, then encrypts the hash using her private key, creating a digital signature. This signature is attached to the plain message and sent to Bob. To verify the signature, Bob uses Alice's public key to decrypt the signature and retrieves the hash. He then compares it with the hash he computes from the received message. If both hashes match, Bob knows the message is authentic and unaltered.
🔏 Verifying Integrity with Hashing
When Bob receives the digitally signed message, 'You're hired, Bob,' he needs to verify its integrity. First, he decrypts the digital signature using Alice's public key, retrieving the original hash that Alice created. Next, he performs the same hashing algorithm on the plain text message and compares both hashes. If the hashes are identical, it confirms that the message is legitimate, from Alice, and has not been altered during transmission. This process ensures both the authenticity of the sender and the integrity of the message.
Mindmap
Keywords
💡Hash
💡Message Digest
💡Collision
💡SHA256
💡Password Hashing
💡Salt
💡Digital Signature
💡Public Key
💡Integrity
💡Non-repudiation
Highlights
A hash creates a unique string from any input, such as documents, audio, video, or small files.
Hashes are often referred to as message digests or fingerprints, which uniquely represent data.
A hash is a one-way function, meaning it cannot be reversed to retrieve the original data.
Hashes provide a secure method for storing passwords since the original password can't be retrieved from the hash.
Hashes can ensure file integrity by comparing the hash of a copied file to the original.
Digital signatures combine hashing and encryption to verify the source, integrity, and authenticity of a message.
Hashes are unique for a specific input, and different inputs should never generate the same hash.
A 'collision' occurs when two different inputs create the same hash, a problem identified with the MD5 algorithm.
The MD5 algorithm had a collision issue discovered in 1996, making it less reliable for modern hashing.
When downloading a file, users can compare the provided hash with the hash of their downloaded file to verify its authenticity.
Salting adds random data to hashes, ensuring even identical passwords generate different hashes.
Rainbow tables are precomputed hash values, but salting renders them ineffective due to added randomization.
Digital signatures allow for authentication by verifying that a message truly came from the claimed sender.
A private key is used to create a digital signature, while a public key verifies it, ensuring that only the owner could have sent the message.
The process of verifying a digital signature involves comparing the hash of the plain text message with the decrypted signature hash to ensure integrity.
Transcripts
A hash is designed to take any type of input,
whether that's a document, some audio, a video file, a very
large file, or a very small file and create
a very specific unique string of text that's
associated with that file.
This is sometimes referred to as a message digest,
and you can think of it as a fingerprint.
If you take a fingerprint and look at it,
we know where that fingerprint came from.
We know there's only one thing that
can be associated with that fingerprint
and that no other person has that particular fingerprint.
Just like you're not able to recreate an entire person based
on their fingerprint, you can't recreate an entire file
based on the hash.
This hash is a one-way trip.
Once we take the hashing algorithm
and apply it to some data, that hash
provides us with some output that does not
allow us to go the other direction
and somehow recreate the data based on that hash.
Because of that, it's a perfect solution for storing passwords.
We can take a password, which really no one should
have access to, create a hash of that password,
and then refer to the hash every time we want to authenticate.
This allows us to store the password securely.
And if somebody did gain access to those hashed passwords,
they wouldn't have any idea what the original password was.
We can often use hashing to provide integrity.
So we can take a hash of a file, we
can copy that file somewhere else,
we can perform that same hashing algorithm,
and then compare the hash that we got on both ends.
If the hashes are identical, then the file that we copied
is exactly the same file as the original.
We also use hashing in combination with encryption
to create digital signatures.
That provides authentication, which tells us
where this data came from, non-repudiation,
which means we can tie it back to a specific person,
and of course, the integrity feature is still
part of that hashing algorithm.
One unique aspect of a hash is that there is always
a unique hash for a particular kind of input.
You will never have two different kinds of input
create the same hashing value.
If you do find that two different inputs are creating
the same hash in the output, then you've found a collision,
and this is something you would not
want to have with a hashing algorithm.
Let's have a look at some hashes.
We'll perform a SHA256 hash, which
is a 256-bit hashing algorithm.
It outputs the equivalent of 64 hexadecimal characters.
And we'll take a single sentence.
My name is Professor Messer with a period at the end.
If we hash that single sentence, we get this entire value
as the SHA256 hash.
Let's create a hash of a similar input.
We'll have an input of My name is
Professor Messer with an exclamation mark
at the end of it.
You'll notice that the hashing value of this second input
is very different than the hashing value we
had on the original input.
In fact, almost every single character of that hash
is a different value even though the input
for each of those hashing algorithms
only was changed by one single character.
This is a good example of the differences
that you'll see in a hashing output
when using two different kinds of input.
We mentioned earlier that the only time
we should see an identical hashing value
is if the input values were identical.
With a hash, we're taking an input
of any size, any type of file, and we're creating a fixed size
string from that that we're calling a message digest,
a checksum, or a fingerprint.
Each one of these hash values should be unique
if it is a unique type of input, and we should never
have a hash appear that's identical to another
if there are different inputs involved.
There have been cases, however, where a hashing algorithm did
create the same hash for different types of input.
This occurred with the MD5 algorithm.
They found this collision problem in 1996.
This is one type of input that was used for MD5,
and here's the second input.
You'll notice that these inputs are almost the same,
but all of the characters marked in red
are the differences between these two different inputs.
If we hash the first input and hash the second input,
we should get two different hash values.
But with MD5, we got exactly the same hash value,
and that is a collision, and it's
another reason why we usually don't use MD5
to be able to perform a hash.
We mentioned earlier that it's very common
to use hashing to verify the integrity of information.
For example, you may go out to an internet website
and download a file, and along with the file name
at that site, it may provide you with a list of hashes
associated with these files.
This means that you could download the file
from their website and perform the same hashing algorithm
to the file that you've downloaded.
If you then compare the hash that you created with the hash
on the website and those two hashes are identical,
then you have an exact duplicate of the file that was originally
posted on that site.
And as we mentioned earlier, it's
very common to use hashing when storing passwords.
Instead of storing your password in plain text,
we store your password as a hash,
and we can create and compare that hash
every time someone logs in.
Storing passwords is an interesting use case
for hashing.
It could be that you have hundreds of thousands
of user accounts on a website, and statistically, it
could be that multiple users happen to be
using the exact same password.
If you're storing those hashes in a file,
you could see that there are multiple users that are using
exactly the same password.
We don't know what that password is,
but we do know if we perform a brute force on that hash
and we're able to determine what that password is, then
that same password will work for every single one
of those identical hashes.
To be able to avoid this, we want to add some randomization
to these hashes.
We call this random value salt, and it
allows us to add some randomization
during the hashing process so that if even everyone was using
the same password, every single one of the stored hashes
would be very different.
Each user might be using the same password,
but each one of those passwords would
have a different random salt associated with it
and therefore, a different hash would be stored.
This means that if we had already created some rainbow
tables based on these hashes, and rainbow tables are
pre-computed hash values, we would not
be able to use those rainbow tables
because this extra randomization of salt
has been added to every single one of those hashes.
If an attacker understands the process that's
used to add the salt, then they could still
go through a brute force process to try
to determine what that password is,
but that is a much longer process to go through
than looking up information in a rainbow table,
and the goal here is to slow down the attacker
as much as possible.
Let's take a scenario where everyone
is using exactly the same password,
but we're going to store that password information along
with a salted hash.
Let's take our password.
In this case, we'll use the password of dragon,
and the hash for dragon looks like this.
Let's say that everyone is using the password of dragon,
but for each account, we're going
to add an extra piece of salt to that, which of course is going
to give us a different hash in every single one
of those scenarios.
So if an attacker was able to get a copy of our hash file,
they would see what they thought were five different passwords.
In reality, it's the same password
with the salt added for that randomization.
Another useful function of hashing
can be found with digital signatures.
Digital signatures allow us to send information
to another party and have that person confirm
that what they received is exactly the information
that we originally sent.
These digital signatures proved the source of the message
and where this came from.
We can verify that the digital signature isn't fake,
it hasn't been modified, and it really
came from that original person.
And because the digital signature
was made with the private key from the original user,
we know that this document could not
have come from someone else.
Because the digital signature is created with the private key,
it's verified with the public key.
If I was to sign a document with my private key
and send it to you, you would use
my public key, which of course is available to everyone,
to verify the contents of that message.
This also confirms that it came from me
because the only person who could have digitally signed
this is the person with the private key,
and I'm the only one who has my private key.
Let's look at how a digital signature is created.
We'll take a scenario where Alice is hiring Bob,
and she wants to send Bob a message that
says, you're hired, Bob.
But she wants to make sure that Bob
is able to verify that this message is legitimate
and that it really came from Alice.
Alice is going to perform a hashing algorithm
on this entire plain text message, and out of that,
we'll get a hash of the plain text.
The person receiving this message
could look at the hash to at least verify
the integrity of the message, but we
don't want somebody modifying anything in the middle
of the conversation.
So the next step is for Alice to encrypt that hash that she
created with her private key.
And of course, the only person with Alice's private key
is Alice.
The results of that are what we call a digital signature.
And we can attach that digital signature
to the original plain text and send that entire message
to the recipient.
On the other side, we have Bob, who has received this message
from Alice.
The message says, you're hired, Bob.
And of course, we didn't encrypt the message.
We simply created a digital signature
and attached that signature to the message.
And of course, you can see at the bottom,
there's our digital signature.
To be able to verify this digital signature,
Bob is going to reverse the process that Alice created.
So the first thing he'll do is use Alice's public key
to decrypt the digital signature that she sent,
which of course is simply an encrypted version of the hash.
After that decryption has been performed,
Bob is left with the hash of the plain text.
Now he wants to perform exactly the same hashing function
that Alice originally did, so he'll
take that plain text of you're hired, Bob,
run it through the same hashing algorithm
that Alice did to see if he can get a hash of that plain text,
and then compare those hashes to make sure
that they are the same.
And if those hashes match, then he
knows that this message is legitimate.
It really did come from Alice, and nothing
has been changed with that message
while this message was being sent to Bob.
Посмотреть больше похожих видео
One Way Hash Explained
What Is Hashing? | What Is Hashing With Example | Hashing Explained Simply | Simplilearn
SHA 256 | SHA 256 Algorithm Explanation | How SHA 256 Algorithm Works | Cryptography | Simplilearn
MD5 Algorithm | What Is MD5 Algorithm? | MD5 Algorithm Explained | Network Security | Simplilearn
Blockchain Hashing Explained! (You NEED to understand this)
Hashing and Digital Signatures - CompTIA Security+ SY0-701 - 1.4
5.0 / 5 (0 votes)