Hashing

Hashing [email protected] @mikedance


What is a hash?

– Wikipedia

A hash function is used to map digital data of an arbitrary size to digital data of a fixed size, with slight differences in input data producing very big differences in output data.

In other words…

A hash function provides a concise fingerprint for data that is easily verified and makes it easy to spot if the data has been tampered with.

What are the properties of a good hash function?

Arbitrary Input Length

Ideally, we should be able to hash anything we want: an email, document, movie, etc.

Fixed Output Length

The output of the hash function should be small so it is efficient to send, and differences can be easily detected.

One Way Function

You should not be able to determine the hash input from the output.

The Avalanche Effect

A small change to the input should have a large effect on the output, to make tampering easy to detect.

password vs Password

Simply uppercasing the P in password results in a completely different hash.

Collision Resistance

Finding two inputs that generate the same hash output should be computationally impractical.

Real World Applications

• Password Storage And Verification

• Source Code/Software Verification

Password Storage And Verification

Instead of storing your actual password, websites will store the hash of your password.

Why?

How many of you use the same password for multiple websites?

It prevents system administrators and hackers from being able to view your password if they gain access to the database.

Passwords are stored in plaintext

The hashed version of the password is stored

Source Code/Software Verification

Using hashes and public key cryptography (digital signatures), we can quickly verify that source code and software have not been tampered with.

Original

Original Hash

Backdoor

Backdoor Hash

The original and backdoor hashes are completely different!

Git

Git is the most popular version control software used to track source code changes throughout a project.

A Git source code repository computes hashes of each file, directory structure, and commit details to ensure source code integrity.

Hash

Bitcoin Armory

Bitcoin technology allows a person to hold their entire life savings in software.

With this in mind, the ability to verify that software we download hasn’t been tampered with becomes critically important.

File

This is the file we want to verify. It could be an email, software, document, movie, etc.

Signed Hash File

Contains the signed message and the message signature that will be verified against the software vendor's signing key. In this example, the message contains the hash of the file we want to verify, and the filename.

Message

Hash

Filename

Digital Signature

Signing Key

Contains the software vendor's public key, used to verify that the signed message is authentic and has not been tampered with.

This can be downloaded from the software vendor's website, or from a centralised key server.

Verifying Software

1. Verify the signed hash file is authentic

Command

Good Signature

2. Verify the file's hash matches the hash in the signed hash file.

Signed File

Hash

File Hash

The signed file hash and our file hash match!
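
Step 2 as an added example (not part of the original slides): it looks up the file's entry in the hash file, hashes the downloaded file, and fails closed on a mismatch or a missing entry. SHA-256, the `sha256sum`-style `<hex digest>  <filename>` line format and all names are assumptions, and step 1 (for example `gpg --verify` on the signed hash file) must already have reported a good signature.

```python
import hashlib
import hmac
import os
import tempfile

HEX = set("0123456789abcdef")

def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large installers need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def expected_hash(manifest_text, filename):
    """Return the digest listed for `filename`, or None if it is not listed."""
    for line in manifest_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1].strip().lstrip("*")
        # Skip signature armor and header lines: only 64 hex chars count.
        if len(digest) == 64 and set(digest) <= HEX and name == filename:
            return digest
    return None

def verify_file(path, manifest_text):
    """True only if the file is listed and its SHA-256 matches the entry."""
    want = expected_hash(manifest_text, os.path.basename(path))
    if want is None:
        return False  # unlisted file: fail closed
    return hmac.compare_digest(sha256_file(path), want)

def demo():
    """Constructed sample: an 'original' installer, then a tampered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "installer.bin")
        with open(path, "wb") as fh:
            fh.write(b"original installer bytes\n")
        manifest = sha256_file(path) + "  installer.bin\n"
        ok_original = verify_file(path, manifest)
        with open(path, "ab") as fh:
            fh.write(b"\x00")  # one extra byte stands in for a backdoor
        ok_tampered = verify_file(path, manifest)
    return ok_original, ok_tampered

if __name__ == "__main__":
    print(demo())
```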

Questions?

Further Reading

• Hash function wikipedia definition

• http://en.wikipedia.org/wiki/Hash_function

• GPG-Verifying Armory Installers

• https://bitcoinarmory.com/download/

• Brainwallet

• http://brainwallet.org