Hashing and Digital Signatures - SY0-601 CompTIA Security+ : 2.8

00:02

A hash is designed to take any type of input,

00:04

whether that's a document, some audio, a video file, a very

00:09

large file, or a very small file and create

00:12

a very specific unique string of text that's

00:15

associated with that file.

00:17

This is sometimes referred to as a message digest,

00:20

and you can think of it as a fingerprint.

00:22

If you take a fingerprint and look at it,

00:25

we know where that fingerprint came from.

00:27

We know there's only one thing that

00:29

can be associated with that fingerprint

00:31

and that no other person has that particular fingerprint.

00:34

Just like you're not able to recreate an entire person based

00:38

on their fingerprint, you can't recreate an entire file

00:41

based on the hash.

00:43

This hash is a one-way trip.

00:45

Once we take the hashing algorithm

00:47

and apply it to some data, that hash

00:49

provides us with some output that does not

00:52

allow us to go the other direction

00:54

and somehow recreate the data based on that hash.

00:57

Because of that, it's a perfect solution for storing passwords.

01:01

We can take a password, which really no one should

01:03

have access to, create a hash of that password,

01:07

and then refer to the hash every time we want to authenticate.

01:11

This allows us to store the password securely.

01:13

And if somebody did gain access to those hashed passwords,

01:17

they wouldn't have any idea what the original password was.

01:21

We can often use hashing to provide integrity.

01:23

So we can take a hash of a file, we

01:25

can copy that file somewhere else,

01:27

we can perform that same hashing algorithm,

01:30

and then compare the hash that we got on both ends.

01:33

If the hashes are identical, then the file that we copied

01:35

is exactly the same file as the original.

01:38

We also use hashing in combination with encryption

01:42

to create digital signatures.

01:43

That provides authentication, which tells us

01:46

where this data came from, non-repudiation,

01:49

which means we can tie it back to a specific person,

01:52

and of course, the integrity feature is still

01:54

part of that hashing algorithm.

01:57

One unique aspect of a hash is that there is always

02:00

a unique hash for a particular kind of input.

02:03

You will never have two different kinds of input

02:06

create the same hashing value.

02:08

If you do find that two different inputs are creating

02:11

the same hash in the output, then you've found a collision,

02:14

and this is something you would not

02:16

want to have with a hashing algorithm.

02:19

Let's have a look at some hashes.

02:20

We'll perform a SHA256 hash, which

02:23

is a 256-bit hashing algorithm.

02:26

It outputs the equivalent of 64 hexadecimal characters.

02:30

And we'll take a single sentence.

02:32

My name is Professor Messer with a period at the end.

02:35

If we hash that single sentence, we get this entire value

02:39

as the SHA256 hash.

02:42

Let's create a hash of a similar input.

02:44

We'll have an input of My name is

02:46

Professor Messer with an exclamation mark

02:48

at the end of it.

02:50

You'll notice that the hashing value of this second input

02:53

is very different than the hashing value we

02:55

had on the original input.

02:57

In fact, almost every single character of that hash

03:00

is a different value even though the input

03:03

for each of those hashing algorithms

03:05

only was changed by one single character.

03:08

This is a good example of the differences

03:10

that you'll see in a hashing output

03:12

when using two different kinds of input.

03:15

We mentioned earlier that the only time

03:17

we should see an identical hashing value

03:20

is if the input values were identical.

03:22

With a hash, we're taking an input

03:24

of any size, any type of file, and we're creating a fixed size

03:28

string from that that we're calling a message digest,

03:31

a checksum, or a fingerprint.

03:33

Each one of these hash values should be unique

03:36

if it is a unique type of input, and we should never

03:38

have a hash appear that's identical to another

03:41

if there are different inputs involved.

03:43

There have been cases, however, where a hashing algorithm did

03:47

create the same hash for different types of input.

03:50

This occurred with the MD5 algorithm.

03:53

They found this collision problem in 1996.

03:56

This is one type of input that was used for MD5,

04:00

and here's the second input.

04:02

You'll notice that these inputs are almost the same,

04:04

but all of the characters marked in red

04:07

are the differences between these two different inputs.

04:10

If we hash the first input and hash the second input,

04:13

we should get two different hash values.

04:15

But with MD5, we got exactly the same hash value,

04:20

and that is a collision, and it's

04:21

another reason why we usually don't use MD5

04:25

to be able to perform a hash.

04:28

We mentioned earlier that it's very common

04:30

to use hashing to verify the integrity of information.

04:34

For example, you may go out to an internet website

04:36

and download a file, and along with the file name

04:39

at that site, it may provide you with a list of hashes

04:43

associated with these files.

04:44

This means that you could download the file

04:46

from their website and perform the same hashing algorithm

04:50

to the file that you've downloaded.

04:51

If you then compare the hash that you created with the hash

04:54

on the website and those two hashes are identical,

04:57

then you have an exact duplicate of the file that was originally

05:00

posted on that site.

05:02

And as we mentioned earlier, it's

05:03

very common to use hashing when storing passwords.

05:06

Instead of storing your password in plain text,

05:09

we store your password as a hash,

05:11

and we can create and compare that hash

05:13

every time someone logs in.

05:16

Storing passwords is an interesting use case

05:18

for hashing.

05:19

It could be that you have hundreds of thousands

05:22

of user accounts on a website, and statistically, it

05:25

could be that multiple users happen to be

05:28

using the exact same password.

05:30

If you're storing those hashes in a file,

05:33

you could see that there are multiple users that are using

05:36

exactly the same password.

05:38

We don't know what that password is,

05:39

but we do know if we perform a brute force on that hash

05:43

and we're able to determine what that password is, then

05:46

that same password will work for every single one

05:49

of those identical hashes.

05:51

To be able to avoid this, we want to add some randomization

05:54

to these hashes.

05:55

We call this random value salt, and it

05:57

allows us to add some randomization

06:00

during the hashing process so that if even everyone was using

06:04

the same password, every single one of the stored hashes

06:07

would be very different.

06:08

Each user might be using the same password,

06:11

but each one of those passwords would

06:13

have a different random salt associated with it

06:16

and therefore, a different hash would be stored.

06:19

This means that if we had already created some rainbow

06:21

tables based on these hashes, and rainbow tables are

06:24

pre-computed hash values, we would not

06:27

be able to use those rainbow tables

06:29

because this extra randomization of salt

06:32

has been added to every single one of those hashes.

06:35

If an attacker understands the process that's

06:37

used to add the salt, then they could still

06:39

go through a brute force process to try

06:42

to determine what that password is,

06:44

but that is a much longer process to go through

06:46

than looking up information in a rainbow table,

06:49

and the goal here is to slow down the attacker

06:51

as much as possible.

06:53

Let's take a scenario where everyone

06:55

is using exactly the same password,

06:58

but we're going to store that password information along

07:01

with a salted hash.

07:03

Let's take our password.

07:04

In this case, we'll use the password of dragon,

07:07

and the hash for dragon looks like this.

07:09

Let's say that everyone is using the password of dragon,

07:13

but for each account, we're going

07:15

to add an extra piece of salt to that, which of course is going

07:19

to give us a different hash in every single one

07:21

of those scenarios.

07:23

So if an attacker was able to get a copy of our hash file,

07:26

they would see what they thought were five different passwords.

07:30

In reality, it's the same password

07:33

with the salt added for that randomization.

07:37

Another useful function of hashing

07:39

can be found with digital signatures.

07:41

Digital signatures allow us to send information

07:44

to another party and have that person confirm

07:46

that what they received is exactly the information

07:49

that we originally sent.

07:51

These digital signatures proved the source of the message

07:54

and where this came from.

07:56

We can verify that the digital signature isn't fake,

07:59

it hasn't been modified, and it really

08:01

came from that original person.

08:03

And because the digital signature

08:04

was made with the private key from the original user,

08:08

we know that this document could not

08:09

have come from someone else.

08:11

Because the digital signature is created with the private key,

08:15

it's verified with the public key.

08:17

If I was to sign a document with my private key

08:20

and send it to you, you would use

08:22

my public key, which of course is available to everyone,

08:25

to verify the contents of that message.

08:28

This also confirms that it came from me

08:31

because the only person who could have digitally signed

08:33

this is the person with the private key,

08:35

and I'm the only one who has my private key.

08:39

Let's look at how a digital signature is created.

08:42

We'll take a scenario where Alice is hiring Bob,

08:44

and she wants to send Bob a message that

08:46

says, you're hired, Bob.

08:48

But she wants to make sure that Bob

08:50

is able to verify that this message is legitimate

08:53

and that it really came from Alice.

08:55

Alice is going to perform a hashing algorithm

08:57

on this entire plain text message, and out of that,

09:01

we'll get a hash of the plain text.

09:03

The person receiving this message

09:05

could look at the hash to at least verify

09:07

the integrity of the message, but we

09:09

don't want somebody modifying anything in the middle

09:12

of the conversation.

09:13

So the next step is for Alice to encrypt that hash that she

09:17

created with her private key.

09:19

And of course, the only person with Alice's private key

09:22

is Alice.

09:23

The results of that are what we call a digital signature.

09:27

And we can attach that digital signature

09:29

to the original plain text and send that entire message

09:33

to the recipient.

09:35

On the other side, we have Bob, who has received this message

09:38

from Alice.

09:38

The message says, you're hired, Bob.

09:40

And of course, we didn't encrypt the message.

09:42

We simply created a digital signature

09:44

and attached that signature to the message.

09:46

And of course, you can see at the bottom,

09:48

there's our digital signature.

09:50

To be able to verify this digital signature,

09:53

Bob is going to reverse the process that Alice created.

09:56

So the first thing he'll do is use Alice's public key

09:59

to decrypt the digital signature that she sent,

10:02

which of course is simply an encrypted version of the hash.

10:05

After that decryption has been performed,

10:08

Bob is left with the hash of the plain text.

10:11

Now he wants to perform exactly the same hashing function

10:14

that Alice originally did, so he'll

10:17

take that plain text of you're hired, Bob,

10:19

run it through the same hashing algorithm

10:21

that Alice did to see if he can get a hash of that plain text,

10:26

and then compare those hashes to make sure

10:28

that they are the same.

10:30

And if those hashes match, then he

10:31

knows that this message is legitimate.

10:34

It really did come from Alice, and nothing

10:37

has been changed with that message

10:38

while this message was being sent to Bob.