What Is Cryptographic Hash? [a Beginner’s Guide]

Chances are, back in the day you and your friends made up a code to pass each other messages no one else could understand. At the very least you knew people like that.

Some guys like that took this game seriously and went on to turn it into a career. 

Others became magicians – the so-called mentalists. With the help of codes, they use their “mental powers” to guess cards, numbers, etc.

That simple child game became what’s known as encryption, hashing, and all other functions, which produce seemingly unreadable code from a given input. 

Today we’ll dive into the magical world of coding to see what a cryptographic hash is, its inner workings, and its applications.

So, without further ado, let’s jump right in.

What Is a Cryptographic Hash?

The cryptographic hash function is a type of hash function used for security purposes. It has several properties that distinguish it from the non-cryptographic one. Let’s break it down step-by-step.

What Is a Hash?

Hashing is the method used for compressing data.

Still, it’s not the typical compression everyone knows, like a .zip or .rar file.

Hashing creates a code for the data using a hash algorithm. The code represents a string of characters, which act as a “fingerprint” of that file. 

We all know fingerprints are small, but they contain a massive amount of data. You know, things like our names, faces, addresses, and other sensitive information. Hashing is similar – it takes an arbitrary-sized piece of data and turns it into a relatively small sequence of characters.

No matter the size of the input, you always get a fixed-length output when hashing.

Hash Function Examples

So here’s an example of how this happens. For this demonstration, we’ll use the 256-bit Secure Hashing Algorithm, known as SHA-256. It’s one of the most common hashing algorithms, and as it turns out - it’s also used by Bitcoin.

See, although the messages are of different lengths, they all get a 64-character hash. This is also known as a hash value or a digest.

You’ll get the same fixed-length outcome if you hash a book or even the content of an entire library. You can also do that with other kinds of data as well - videos, pictures, etc.

What’s great about hashes is, you’ll get an entirely different hash value even if you make the smallest of changes. It’s known as the avalanche effect. 

So if your girlfriend/boyfriend deletes all the pictures you have of your ex, for example, the hash of the folder will change. That way, you’ll know something’s wrong without checking each picture.

Let’s see one more example of how a hash function is useful in practice. For the next example, I hashed our “What Is a VPN?” article, and it looks like this:

Then I deleted a word from the article and hashed it again. Here’s the result:

The removal of a single word completely changed the hash values. This is especially helpful if you want to check if any alterations have been made to a file. 

It’s even more helpful when you are dealing with great amounts of information. For example, a cryptocurrency blockchain storing thousands of transactions daily. 

Now let’s dive deeper and see what cryptographic hash really means.

Cryptographic Hash Explained

When you need security and privacy, the cryptographic hash comes into play. The downside of cryptographic hashing is it’s usually slower than the other types of hashes. If you need to hash quickly and you don’t need high-level security - non-cryptographic hashing is better. For example - if you are creating an index of some non-sensitive data.

The main difference between non-cryptographic and cryptographic hashing is the latter is extremely difficult to break. Notice that it’s not impossible. Still, cryptographic hashing makes cracking a hash near-impossible.

For a hash function to be a cryptographic hash, it has to have several properties.

Cryptographic Hash Function Properties

If you want to use hashing for cryptographic purposes, there are several requirements the hash function has to meet to be considered secure. 

Property #1 – Speed

If you like fancy words – the cryptographic hash functions should be computationally efficient. That means the hashing function should be able to produce a hash in a fraction of a second.

Source

Property #2 – the Avalanche Effect

The avalanche effect means even a minor change in the message will result in a major change in the hash value.  

Using a lower-case “j” in the second message changes the hash code entirely.

This is a simple hash function example, but you get the idea. It’s very practical and can quickly show if any data has been altered. 

Property #3 – the Cryptographic Hash Function Should Be Deterministic

That means no matter how many times you use a hash function for the same input, you’ll always get the same output. This is obvious since if you got random hashes for the same message, the whole process would be meaningless. 

Property #4 – Pre-Image Resistance (One-Way Function)

This means that it’s really hard to get to the input via the output. 

In simple words, you can’t reverse the cryptographic hash function to get to the data. Still, this doesn’t mean it’s impossible to see the message. 

Here’s the deal.

There are two methods of finding the hashed message.

1. To compare the hash to an existing list of hashes, like this one: Dehash.me. Usually, cybercriminals have their own databases of translated (dehashed) messages. 
2. To execute a brute-force attack. 

To crack a hash with brute-force, you have to choose a message, hash it, and compare it to the hash you have. Best case scenario – you get it from the first try. Still, the chances of that happening are extremely small. 

Worst case scenario – you find it from your last try. That means you have to hash all possible messages and compare them to the one you have. The number is different, depending on the hash algorithm. 

For the sake of example, let’s use SHA-256. In that case, you’d have to find 2²⁵⁶ -1 hash values first. Safe to say it can’t be done in several lifetimes and leave it at that. 

Now.

The pre-image resistance property of the cryptographic hash plays a significant role in the hashing vs. encryption debate. 

See – you can decrypt an encrypted message, but you can’t do the same for a cryptographic hash.

You can think of the hash as a smoothie. You can’t extract the message out of a hash the same way you can’t extract the banana and the milk out of a smoothie. 

Encryption, on the other hand, is more like a safe. It protects your valuables, but there’s always a key that opens it. 

Property #5 – Collision Resistance

That means that two different messages shouldn’t be able to produce the same hash value. From a mathematical standpoint, this is impossible anyway.

You already know hash values have a fixed length. That means there are limited output combinations. The inputs, on the other hand, are an infinite number. So, in theory, there’s a chance that two different messages could produce the same hashes.

Still, the hash function in cryptography makes the odds of a hash collision practically negligible.

Look.

All of these properties ensure the security and usability of a cryptographic hash. So it’s time to meet the different cryptographic hash functions.

Common Hashing Algorithms

There are different classes (families) of hash algorithms. The core difference between them is the hash value each one produces and its security properties.

Here are the most commonly used ones:

Message Digest Algorithm (MD)

MD5 was the hash function of choice for many companies, but was broken in 2004. A hash algorithm is considered broken when there has been a successful collision or pre-image attack against it. Still, many websites continue to use the MD5 hashing function for file verification. 

For example, when you download a file, you can compare its hash to the one on the site to make sure no one has tampered with it.

The MD family consists of MD2, MD3, MD4, MD5 (all of these are broken), and MD6 (which isn’t that popular.)

Here’s the hash function example of MD5.

MD5 produces a 128-bit hash value with 32 characters length. 

Because of its flaws, the Message Digest algorithm is no longer considered as a cryptographic hash function.

Secure Hashing Algorithm (SHA)

The largest family of cryptographic hash functions consists of four classes:

• SHA-0
• SHA-1
• SHA-2
• SHA-3

SHA-0 had many flaws and didn’t become widely used. SHA-1 tried to fix them, but got broken in 2005. 

SHA-2 and its subclasses are commonly used today until SHA-3 proves itself as an even more secure function.

The SHA-2 family consists of four members – SHA-224, SHA-256, SHA-384, and SHA-512, which differ in the number of bits of their hash values. So far, there hasn’t been a successful attack on the SHA-2 cryptographic hash algorithm. 

Here are some hash functions examples using the SHA-2 class.

RACE Integrity Primitives Evaluation Message Digest (RIPEMD)

Initially, RIPEMD was created for a European Union project called RIPE. There are five hash functions in the RIPEMD family.

• RIPEMD
• RIPEMD-128
• RIPEMD-160
• RIPEMD-256
• RIPEMD-320

In 2004 there was a collision in the original RIPEMD hash function. That’s why it’s no longer in use. Currently, RIPEMD-160 is the most common. Here’s how it looks:

Whirlpool

This cryptographic hash function name has nothing to do with the home appliances’ manufacturer. The Whirlpool galaxy-inspired the name of the algorithm.

What’s interesting about the Whirlpool hashing algorithm is that one of its creators is Vincent Rijmen, the co-creator of AES, Advanced Encryption Standard.

Whirlpool is a 512-bit hash function, and its digest represents a string with 128 characters.

This is an example of the cryptographic hash function.

These are the most common hashing algorithms today. 

So, now that you know the basics of hashing, let’s see its applications in real-life.

Hashing in Cryptocurrencies

We’ve already explained what Bitcoin is and how the blockchain works, so we’ll go straight ahead to hashing. 

The cryptographic hash function is essential to cryptocurrencies since it guarantees one of the blockchain’s most important features – immutability. 

Since cryptocurrency blockchains deal with large numbers of transactions, they use hashing. This is a far more practical and secure approach than to keep every record of every single transaction in the ledger.

In Bitcoin’s case, the miners run a series of SHA-256 functions to create the hash of a block. Then the latter receives a timestamp. Once the nodes reach consensus, the block is added to the blockchain. Not only does the block have its own hash, but it also contains the hash of the previous one, thus chaining all of them together. 

Because of the avalanche effect, any attempts of tampering with a block are not possible. In case someone tries to change a transaction in a block, they have to alter every consecutive one as well. Such an operation would require so much computing power and time, that it’s practically impossible. 

That makes hashing a crucial feature in the blockchain’s security. 

Now.

Different cryptocurrencies use different hashing algorithms in their blockchain.

Bitcoin, for example, uses SHA-256 for its proof-of-work. Yet, Bitcoin uses two hashing algorithms to generate a public address (key) – SHA-256 and RIPEMD-160. This was done by Satoshi Nakamoto to provide better protection for public keys and to decrease the odds of a collision.

Ethereum, on the other hand, uses the Keccak-256 hash algorithm, which is the foundation of SHA-3.

By the time of writing, there hasn’t been a successful attack on any of these algorithms.

Even if you aren’t into the cryptocurrency market, you still make use of hashing functions every day. 

How’s that?

Hash Functions in Password Storage

There are four main techniques companies use to store our passwords – in plain text, with encryption, and with a hash function. The last method is a combination of two or more of these techniques.

Let’s see what the differences are.

Storing Passwords in Plain Text – a Big No-No

Storing passwords in plain text is, well… exactly what it sounds like.

Like this:

Username: John Smith

Password: johnsmith93

The company’s database contains the same information – user: John Smith, pass: johnsmith93.

This should be avoided if companies value their clients’ privacy. (Hopefully, someone from Facebook will read this.)

The downside of this method is obvious – if cybercriminals infiltrate the company’s database, they can see all usernames and passwords.

Storing Passwords Using Encryption

Encryption is a better way of securing passwords. It transforms your password into an unreadable sequence of numbers and letters. 

Here’s how it works:

Username: John Smith

Password: johnsmith93

When the company uses encryption to protect your password, the database entry looks like this:

Username: John Smith

Password: I8Zdy1QBthsk2ie1HHsl+66bf20fDDcdCtXURqa07iQ=

If a cybercriminal obtains this password, it’s useless - they can’t use it to break into the account. Still, it can, theoretically, be decrypted. 

In case a malicious actor obtains your encrypted password, they can decrypt it using various tools. Still, it takes more time and requires greater computing skills than just obtaining a plain text password.

Fortunately, there are encryption algorithms that are powerful enough to be a safe method of protecting passwords.

Storing Passwords via a Hashing Algorithm

Hash and encryption are often mistaken for the same thing and interchangeably used. Yet, there’s a crucial difference between them.

The hash function, like encryption, also transforms your password into an unreadable sequence of numbers and letters. The crucial difference is it works only one way. Unlike decryption, you can’t reverse the process of hashing. 

With that being said, if a cybercriminal obtains the hash of your password, usually they can’t do anything with it. 

There are many hash functions available, but let’s use SHA-256 for our example.

Username: John Smith

Password (hashed): e7c95991f28e529b4d3b37611e5f3b6a6a43600ce148af0c42d3d38c06365af5

Now. 

Although the hash can’t be reversed to its original text, there are large lists of messages and their hashes. Unfortunately, malicious actors can still hack your password if they get its hash value. Thankfully, if you use a strong password, the chances of that happening are incredibly small. We’ll use a different example in this case.

Hash Functions Examples in Password Storage

Let’s say your password is 123456. (Don’t ever use that one, create a strong password instead.)

Here’s its hash if we use the SHA-256 hashing algorithm:

8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92

Unfortunately, this hash configures in a list of dehashed messages.

The problem with that is even bigger because many people use the same password. So if a database is hacked and cybercriminals find the hash of a password they can use it for every user that uses the same password. Not to mention that many people use the same password for different accounts, which will get them out of the frying pan and into the fire.

Still, you can do several things to prevent this from happening.

First and foremost, use a strong password and create different passwords for different accounts.

The other thing you can do is to add “salt” to the hash. A salted hash adds additional value to your password and produces a different password hash for each input. 

For example, every user who uses the password 123456 and “salts” it will get a different hash.

Each example is a salted hash of 123456.

$2y$10$pIxpMnhlQmt1t.EUYK1G/eHkb7Roo/XhPybKyFZSAqk/50BW10a8.

$2y$10$sCLqOpeA4R.St/8IaUWF9.m01MM4YbY.qTwbCY3.K5z.cd5lwxL6W

So, what’s the best way a company can protect your password?

It’s a combination of all techniques mentioned above – like Dropbox does, for example.

Source: Dropbox

So that’s how you deal with hashing every day, without even realizing it.

Wrap Up

To summarize – hashing has many benefits. 

You can hash any type of data – be it for indexing, or for checking for alterations. This makes hashing useful for contracts, downloads, password storage, etc. 

Cryptocurrencies evolve as well. Not just the ones we have now, but new players are warming up to join the fun. Even Facebook will release Libra, so we are bound to make use of hashing even more. 

Maybe Facebook will pave the way for other big companies to release their own cryptocurrencies - and why not new hashing mechanisms? Only time will tell. 

See you next time!