Hash Algorithms
| Many people confuse hashing with encryption. Hashing is in no way connected to encryption. Hashes produce a "fingerprint" of some data by taking the data and running in through an algorithm. The same data always produces the same value. If even one bit in the data changes, the fingerprint is different. In this way, we can get a large amount of data and, using a small fingerprint , make sure our data has not been altered . Two main hash algorithms in production today are MD5 and SHA-1. Hash algorithms help us with integrity, making sure data has not been modified in transit. We check it by hashing our data and appending the hash value to the data as we send it across the network to our peer. Our peer receives two values, separates them, runs the data through the same hash algorithm, and compares the hash result to the one received. If they match, our peer can be certain that the data was not modified in transit. If they do not match, the data (or hash) has been modified, which means they will disregard the data received. MD5The MD5 algorithm, described in RFC 1321, was invented by Ron Rivest of RSA Security. This algorithm takes as input a message of arbitrary length and produces as output a 128-bit fingerprint or message digest of the input. A 128-bit algorithm means that there are approximately 2^128 possible values for any single message. The possibility of creating a message to match a particular hash value is so minute, we might as well say there is a 0% possibility. For example, if we have a 64-byte Ethernet frame and run it through the MD5 algorithm, we receive as output a 128-bit value. If we run the same frame through the algorithm again, we receive the exact same 128-bit value. But if someone modifies a single bit, and the hash algorithm computes a 128-bit value, it will be completely different from the original hash. If we have a frame that is 1500 bytes in length and run it through the MD5 algorithm, we receive as output a 128-bit value. No matter what size of data we put through the algorithm, we always receive as output a 128-bit value. SHA-1The MD5 algorithm proved to have some weaknesses in certain situations; collisions "making a well-known value match a particular hash-out value" were confirmed. Knowing there were possible weaknesses in the algorithm, another more secure algorithm was needed. The SHA-1 is defined in RFC 3174. SHA-1 has as output a 160-bit value, as opposed to MD5's 128-bit value. The number of possible values is much larger, which increases the strength of the data's integrity. SHA-1 also has additional security measures built into the algorithm, such as an additional round to further hash the value. For example, if we have a 64-byte Ethernet frame and run it through the SHA-1 algorithm, we receive as output a 160-bit value. If we run the same frame through the algorithm again, we receive the exact same 160-bit value. But if someone modifies a single bit, and the hash algorithm computes a 160-bit value, it will be completely different from the original hash. HMACsMessage-digest algorithms have a drawback. Suppose a cracker (man-in-the-middle) intercepts the message, which contains the data and the hash value. He can create a new message, calculate the correct hash value, append that hash value to the data, and send it to the destination. The destination will separate the data from the hash, run the data through the hash value, and compare the result with the received hash. Because they would match, the receiver would think the data is valid and accept it as being sent from its peer. To address this type of attack, a shared secret key, known only between the two peers, is also inserted into the hash algorithm. In this way, the process uses a random value (the key), unknown to anyone else, to make sure that the man-in-the-middle attack cannot be successful. We are in effect authenticating our messages; mechanisms that provide such integrity checks based on a secret key are usually called message authentication codes (MACs). When using MACs with hash algorithms, we call this feature Hash Message Authentication Codes, or HMACs. To create the hash, the data along with the shared secret key is inserted into the hash algorithm to obtain the output message digest, which is appended to the data and sent to the peer. Even if the data and hash algorithms are modified in transit, the receiver using its shared secret value will calculate a different hash and silently discard the received packet. Under certain circumstances, the MD5 algorithm was shown to be susceptible to certain types of attack. This additional MAC function added to the algorithm was shown to mitigate the problem. When using the function, MD5 is called HMAC-MD5, and SHA-1 is called HMAC-SHA-1 when using this function.
|
