What is Hashing? Hashing Algorithms, Salting, and Digital Signatures

Hashing is a one-way cryptographic function that produces a fixed-size output (hash) from any input. Unlike encryption, hashing cannot be reversed — it's used for integrity verification, password storage, and digital signatures.

What is Hashing?

Hashing is a cryptographic process that takes input data of any size and produces a fixed-length output called a hash, message digest, or fingerprint. The same input always produces the same hash, but even a tiny change in input produces a completely different hash.

Key properties: deterministic (same input = same output), one-way (cannot reverse a hash to get the original input), fixed output size (SHA-256 always produces 256 bits), and collision-resistant (extremely hard to find two inputs with the same hash).

Hashing is NOT encryption. Encryption is reversible (ciphertext can be decrypted). Hashing is one-way — there is no decryption. Encryption protects confidentiality; hashing protects integrity.

  • Hash: fixed-size fingerprint of any input data
  • One-way function — cannot be reversed (unlike encryption)
  • Deterministic — same input always produces the same hash
  • Avalanche effect — changing one bit of input flips ~50% of output bits
  • Hashing verifies integrity; encryption protects confidentiality

Common Hashing Algorithms

SHA (Secure Hash Algorithm) family — the most widely used. SHA-1 produces 160-bit hashes (deprecated due to collision attacks). SHA-2 includes SHA-224, SHA-256, SHA-384, and SHA-512 — SHA-256 is the current standard. SHA-3 is the newest NIST-standardized family (not just SHA-2 with longer output — different design).

MD5 (Message Digest 5) — produces 128-bit hashes. MD5 is cryptographically broken and should not be used for security. Collisions can be generated in seconds. However, it's still used for non-security checksums (file integrity verification against accidental corruption, where no attacker is assumed).

RIPEMD — less common, based on MD4 design. RIPEMD-160 produces 160-bit hashes.

For the Security+ exam, know that SHA-256 and SHA-3 are current standards, while SHA-1 and MD5 are deprecated for security use.

  • SHA-256: current gold standard — 256-bit output, widely used in TLS and digital signatures
  • SHA-1: 160-bit output — deprecated (SHA-1 collision attacks demonstrated in 2017)
  • MD5: 128-bit output — broken, trivial collisions, do not use for security
  • SHA-3: newest standard — different design from SHA-2, equally secure
  • Larger hash = more collision resistance (but slower)
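The properties listed above (fixed output size, determinism, the avalanche effect) and the output lengths of the algorithms just compared can all be checked directly with Python's standard library. The following is an added example, not code from the original page; the sample message and the single-bit tamper are constructed for the demonstration. md5 and sha1 appear only so their shorter digests can be measured against the others.

```python
import hashlib

# Constructed sample data (not from the original page).
ORIGINAL = b"Transfer 100.00 to account 12345"
# Flip the lowest bit of the first byte: exactly one bit of difference in the input.
TAMPERED = bytes([ORIGINAL[0] ^ 0x01]) + ORIGINAL[1:]

# Algorithms compared on the page. md5 and sha1 are included only to show their
# shorter output; they are not suitable for security use.
ALGORITHMS = ("md5", "sha1", "sha256", "sha3_256", "sha512")


def digest_bits(name: str, data: bytes) -> int:
    """Digest length in bits: fixed per algorithm, whatever the input size."""
    return hashlib.new(name, data).digest_size * 8


def is_deterministic(name: str, data: bytes) -> bool:
    """The same input hashed twice gives the same digest."""
    return hashlib.new(name, data).digest() == hashlib.new(name, data).digest()


def differing_bits(name: str, a: bytes, b: bytes) -> int:
    """Count output bits that differ between the digests of a and b (avalanche effect)."""
    da = int.from_bytes(hashlib.new(name, a).digest(), "big")
    db = int.from_bytes(hashlib.new(name, b).digest(), "big")
    return bin(da ^ db).count("1")


def avalanche_ratio(name: str, a: bytes, b: bytes) -> float:
    """Fraction of output bits flipped; about 0.5 for a well-behaved hash."""
    return differing_bits(name, a, b) / digest_bits(name, a)


def verify_checksum(name: str, data: bytes, expected_hex: str) -> bool:
    """Integrity check: recompute the digest and compare with a published value."""
    return hashlib.new(name, data).hexdigest() == expected_hex


if __name__ == "__main__":
    for alg in ALGORITHMS:
        print(f"{alg:9} {digest_bits(alg, ORIGINAL):4} bits  "
              f"{avalanche_ratio(alg, ORIGINAL, TAMPERED):.0%} of output bits "
              "flipped by a one-bit input change")
    published = hashlib.sha256(ORIGINAL).hexdigest()
    print("checksum ok on original:", verify_checksum("sha256", ORIGINAL, published))
    print("checksum ok on tampered:", verify_checksum("sha256", TAMPERED, published))
```

Running it prints one line per algorithm showing the fixed digest size and a flip ratio close to 50%, then shows the checksum passing on the original bytes and failing on the one-bit-altered copy. Note that digest_bits depends only on the algorithm, never on the input length, which is the "fixed output size" property.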

Salting and Password Storage

Passwords should never be stored as plaintext or as simple hashes. A salt is a random value added to each password before hashing. Even if two users have the same password, they get different hashes (because the salts differ).

Salting prevents rainbow table attacks (precomputed hash-to-password lookup tables) and identical-password detection: an attacker holding the database cannot tell which users share a password.

Modern password hashing uses slow, resource-intensive algorithms designed specifically for passwords: bcrypt (adaptive, includes salt), Argon2 (winner of the Password Hashing Competition), and PBKDF2 (iterates the hash function many times).

  • Salt: unique random value per user, added before hashing
  • Prevents rainbow table attacks — attacker must brute-force each password individually
  • bcrypt, Argon2, and PBKDF2 are designed for password hashing
  • Key stretching: algorithms are intentionally slow to resist brute force
  • Never use plain SHA or MD5 for password storage — always use a dedicated password hash
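The salting and key-stretching rules above, put into working code. This is an added example, not code from the original page; it uses PBKDF2-HMAC-SHA256 from Python's standard library because bcrypt and Argon2 need third-party packages. The 600,000 default iteration count is an assumption taken from current OWASP password-storage guidance, and the stored record format (algorithm$iterations$salt$hash) is a constructed convention for this example.

```python
import hashlib
import hmac
import secrets

# Work-factor parameters (assumption: current OWASP guidance for PBKDF2-HMAC-SHA256).
ITERATIONS = 600_000
SALT_BYTES = 16
HASH_NAME = "sha256"


def plain_sha256(password: str) -> str:
    """What NOT to do: a fast, unsalted hash. Identical passwords give identical
    output, which is exactly what a rainbow table is built to look up."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_<hash>$<iterations>$<salt_hex>$<hash_hex>.

    A fresh random salt is drawn per call, so hashing the same password twice
    yields two different records. The salt and iteration count are stored in
    the clear; only the password must stay secret.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations_str, salt_hex, hash_hex = record.split("$")
        if not algo.startswith("pbkdf2_"):
            return False
        hash_name = algo[len("pbkdf2_"):]
        iterations = int(iterations_str)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed record
    dk = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt,
                             iterations, dklen=len(expected))
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed demo password
    print("unsalted, same twice:", plain_sha256(pw) == plain_sha256(pw))
    rec_alice, rec_bob = hash_password(pw), hash_password(pw)
    print("salted, same password, different records:", rec_alice != rec_bob)
    print("alice verifies:", verify_password(pw, rec_alice))
    print("wrong password:", verify_password("Correct horse battery staple", rec_alice))
```

Two users with the same password end up with different stored records, so an attacker who dumps the table cannot see that they match, and each record has to be attacked separately at the full iteration cost. Storing the iteration count in the record lets you raise the work factor later and re-hash users on their next login.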

Digital Signatures and HMAC

A digital signature provides authenticity (proves who created the message), integrity (proves the message wasn't altered), and non-repudiation (the signer cannot deny signing).

Digital signatures work by: (1) hashing the message to create a digest, (2) encrypting the digest with the sender's private key (asymmetric encryption), and (3) having the recipient decrypt the signature with the sender's public key and compare the result to a hash they compute over the received message.

HMAC (Hash-based Message Authentication Code) — uses a shared secret key combined with a hash function. HMAC verifies both integrity and authenticity using symmetric cryptography. HMAC-SHA256 is commonly used in API authentication.

For the Security+ exam, understand that digital signatures use asymmetric encryption (private key to sign, public key to verify) and provide non-repudiation, while HMAC uses symmetric keys and does not provide non-repudiation.

  • Digital signature: hash + asymmetric encryption = integrity, authenticity, non-repudiation
  • Sign with private key, verify with public key
  • HMAC: hash + shared secret key = integrity and authenticity (no non-repudiation)
  • Code signing uses digital signatures to verify software publisher identity
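The HMAC-SHA256 API-authentication use mentioned above, shown end to end with Python's standard library. This is an added example, not code from the original page or from any particular API; the shared secret, request fields, and the canonical string format are constructed for the demonstration. A digital signature would replace the shared secret with the sender's private key (which needs an asymmetric library outside the standard library), and that is exactly what adds non-repudiation: here the server holds the same key as the client, so it could have produced any tag it verifies.

```python
import hashlib
import hmac

# Constructed shared secret (not from the original page). In practice this is
# provisioned per client and stored as a secret on both sides.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"
MAX_SKEW_SECONDS = 300  # replay window (assumption for this example)


def canonical_request(method: str, path: str, timestamp: int, body: bytes) -> bytes:
    """Fixed serialization so client and server tag exactly the same bytes.
    The body is hashed first so the signed string stays small for large payloads."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{body_hash}".encode("utf-8")


def sign_request(secret: bytes, method: str, path: str, timestamp: int, body: bytes) -> str:
    """Client side: HMAC-SHA256 over the canonical request, sent as a hex tag."""
    return hmac.new(secret, canonical_request(method, path, timestamp, body),
                    hashlib.sha256).hexdigest()


def verify_request(secret: bytes, method: str, path: str, timestamp: int,
                   body: bytes, tag_hex: str, now: int,
                   max_skew: int = MAX_SKEW_SECONDS) -> bool:
    """Server side: reject stale timestamps, recompute the tag, compare in constant time.

    Any change to method, path, timestamp or body changes the tag (integrity);
    only a holder of the secret can produce a valid tag (authenticity)."""
    if abs(now - timestamp) > max_skew:
        return False  # outside the replay window
    expected = sign_request(secret, method, path, timestamp, body)
    return hmac.compare_digest(expected, tag_hex)


if __name__ == "__main__":
    ts = 1_700_000_000  # constructed Unix timestamp
    body = b'{"amount": 100, "to": "acct-12345"}'
    tag = sign_request(SHARED_SECRET, "POST", "/v1/transfer", ts, body)
    print("tag:", tag)
    print("genuine request:", verify_request(SHARED_SECRET, "POST", "/v1/transfer", ts, body, tag, now=ts + 5))
    print("body tampered:  ", verify_request(SHARED_SECRET, "POST", "/v1/transfer", ts, b'{"amount": 999}', tag, now=ts + 5))
    print("wrong secret:   ", verify_request(b"guess", "POST", "/v1/transfer", ts, body, tag, now=ts + 5))
    print("replayed later: ", verify_request(SHARED_SECRET, "POST", "/v1/transfer", ts, body, tag, now=ts + 3600))
```

The timestamp is part of the signed string so a captured request cannot simply be resent after the window closes, and hmac.compare_digest is used rather than == so the comparison time does not reveal how many leading characters of a forged tag were correct.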

Exam Tip

Know the difference: encryption (reversible, confidentiality) vs hashing (one-way, integrity). SHA-256 is the current standard; MD5 and SHA-1 are broken. Salts prevent rainbow tables. Digital signatures provide non-repudiation.