Open in app

Sign in

Write

Sign in

Does hashing ensure Authentication and Integrity?

Nuwan Tissera
4 min readMay 9, 2020

--

Hashing is simply transforming plain text for a fixed-sized output (message digest) using a hash function. This process is irreversible.

Normally it’s hard to find two inputs that produce the same output. (We cannot say no).

So we have to make sure we are not using outdated/weak (MD5, SHA-1) hashing algorithms, which have hash collisions (Producing the same identical hash for different inputs).

So let’s see how hashing ensures authentication and integrity.

Password Hashing

Normally passwords are hashed during registration and hash is kept in the database.

So when a user tries to logging, it hashes the input password using the same hash function and matches the password in the database. So if these two are identical, the user is successfully authenticated.

So during this process password is protected and it prevents unauthorized modification since its hash. This ensures integrity. But still, have some drawbacks. So let’s discuss them.

Example

Think about a database administrator who has access to this database. That person can see all the hashed passwords here.

So think about an instance where he found that the hashed password of his own account is similar to another account…

User Table

So he can simply log using his own password to that one's account. So to overcome this drawback, we need to use Salting hashes.

During registration of a user, it generates a random salt(random value) for a user. Then this salt value is concatenated with the password.

The password with salt is hashed and stored in the database. (i.e: the salt value should be larger, unique and randomly generated)

User registration process: Salting Hashes

So when the user tries to log in, it uses the stored salt value as follows.

Using Stored Salts

Enhance Integrity of data in Hashing

We can use some other techniques to enhance the integrity of data in hashing.

Key stretching

This is iterating the hashing function by taking output as the input in the next iteration. So when the user has used a short password, it reduces the risk of getting cracked by Dictionary and Brute Force Attacks.

Key Stretching

We need to think about the Pros and Cons of every this key stretching. We have to have a good idea of no of iterations(n) in this process.

Otherwise, it will become a DDoS attack on the server when more users are authenticating at the same time. So we need to keep ‘n’ at a good level considering the computational capacity of the server.

One of the popular key stretching algorithms are PBKDF2 and bcrypt. So don’t reimplement, just reuse. ( By the way, it's not good to make hash algorithms of your own).

So in a nutshell...

Although we are using hashing algorithms to protect sensitive data like passwords without being cracked by attackers, It’s not happening as we wish.

Attackers use several techniques like Lookup tables, Reverse Lookup tables, Rainbow Tables, Dictionary and Brute Force Attacks(with the aid of high-end GPU) to crack hashed passwords.

So developers have to ensure the authenticity and integrity of the system using technologies like salted hashing, key stretching that makes the attack more expensive.

Possible Attacks

Dictionary and Brute Force Attacks

The simplest way to crack. Dictionary contains a huge amount of passwords that are likely to used by people.

Brute Force Attack
Dictionary Attack

Lookup tables

These tables contain pre-computed hashes for the passwords in the dictionary.

Rainbow Tables

This lists all possible permutations of hashes generated from a hashing algorithm. These are available online :-).

Passwords that use MD5 and SHA1 algorithms (with Max 8bit) are completely vulnerable to crack using rainbow tables.

Rainbow table analyzing a password

Collision Attack

This is an attempt to find 2 string which produces the same hash. Hashing algorithms like MD5 and SHA-1 have been stated as weak hashes due to this collision attacks. SHA-2 (and SHA-3) is regarded as collision-resistant nowadays.

  • ** The SHA-2 family consists of six hash functions with digests (hash values) that are 224, 256, 384 or 512 bits: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256.(Wikipedia)**
  • Good hashing algorithm should be Pre-Image Resistance, second Pre-Image Resistance, and Collision Resistance.
  • If a hash function is collision-resistant then it is second pre-image resistant.

As I explained, there are many possible attacks. So make sure you are not using outdated/weak hashing algorithms and use techniques like salted hashing, key stretching if possible.

Thank you !!

Hashing
Integrity

--

--

Nuwan Tissera
Nuwan Tissera

Written by Nuwan Tissera

48 Followers
400 Following

Software Engineer WSO2 | Msc in CSE UoM | Blogger

No responses yet

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams