What is Hashing? Hashing Algorithms, Salting, and Digital Signatures
Hashing is a one-way cryptographic function that produces a fixed-size output (hash) from any input. Unlike encryption, hashing cannot be reversed — it's used for integrity verification, password storage, and digital signatures.
What is Hashing?
Hashing is a cryptographic process that takes input data of any size and produces a fixed-length output called a hash, message digest, or fingerprint. The same input always produces the same hash, but even a tiny change in input produces a completely different hash.
Key properties: deterministic (same input = same output), one-way (cannot reverse a hash to get the original input), fixed output size (SHA-256 always produces 256 bits), and collision-resistant (extremely hard to find two inputs with the same hash).
Hashing is NOT encryption. Encryption is reversible (ciphertext can be decrypted). Hashing is one-way — there is no decryption. Encryption protects confidentiality; hashing protects integrity.
- Hash: fixed-size fingerprint of any input data
- One-way function — cannot be reversed (unlike encryption)
- Deterministic — same input always produces the same hash
- Avalanche effect — changing one bit of input flips ~50% of output bits
- Hashing verifies integrity; encryption protects confidentiality
Common Hashing Algorithms
SHA (Secure Hash Algorithm) family — the most widely used. SHA-1 produces 160-bit hashes (deprecated due to collision attacks). SHA-2 includes SHA-224, SHA-256, SHA-384, and SHA-512 — SHA-256 is the current standard. SHA-3 is the newest NIST-standardized family (not just SHA-2 with longer output — different design).
MD5 (Message Digest 5) — produces 128-bit hashes. MD5 is cryptographically broken and should not be used for security. Collisions can be generated in seconds. However, it's still used for non-security checksums (file integrity verification).
RIPEMD — less common, based on MD4 design. RIPEMD-160 produces 160-bit hashes.
For the Security+ exam, know that SHA-256 and SHA-3 are current standards, SHA-1 and MD5 are deprecated for security use.
- SHA-256: current gold standard — 256-bit output, widely used in TLS and digital signatures
- SHA-1: 160-bit output — deprecated (SHA-1 collision attacks demonstrated in 2017)
- MD5: 128-bit output — broken, trivial collisions, do not use for security
- SHA-3: newest standard — different design from SHA-2, equally secure
- Larger hash = more collision resistance (but slower)
Salting and Password Storage
Passwords should never be stored as plaintext or as simple hashes. A salt is a random value added to each password before hashing. Even if two users have the same password, they get different hashes (because the salts differ).
Salting prevents: rainbow table attacks (precomputed hash-to-password lookup tables), and identical password detection (you can't tell which users share passwords).
Modern password hashing uses slow, resource-intensive algorithms designed specifically for passwords: bcrypt (adaptive, includes salt), Argon2 (winner of the Password Hashing Competition), and PBKDF2 (iterates the hash function many times).
- Salt: unique random value per user, added before hashing
- Prevents rainbow table attacks — attacker must brute-force each password individually
- bcrypt, Argon2, and PBKDF2 are designed for password hashing
- Key stretching: algorithms are intentionally slow to resist brute force
- Never use plain SHA or MD5 for password storage — always use a dedicated password hash
Digital Signatures and HMAC
A digital signature provides authenticity (proves who created the message), integrity (proves the message wasn't altered), and non-repudiation (the signer cannot deny signing).
Digital signatures work by: (1) hashing the message to create a digest, (2) encrypting the digest with the sender's private key (asymmetric encryption), (3) the recipient decrypts the signature with the sender's public key and compares the hash.
HMAC (Hash-based Message Authentication Code) — uses a shared secret key combined with a hash function. HMAC verifies both integrity and authenticity using symmetric cryptography. HMAC-SHA256 is commonly used in API authentication.
For the Security+ exam, understand that digital signatures use asymmetric encryption (private key to sign, public key to verify) and provide non-repudiation, while HMAC uses symmetric keys and does not provide non-repudiation.
- Digital signature: hash + asymmetric encryption = integrity, authenticity, non-repudiation
- Sign with private key, verify with public key
- HMAC: hash + shared secret key = integrity and authenticity (no non-repudiation)
- Code signing uses digital signatures to verify software publisher identity
Exam Tip
Know the difference: encryption (reversible, confidentiality) vs hashing (one-way, integrity). SHA-256 is the current standard; MD5 and SHA-1 are broken. Salts prevent rainbow tables. Digital signatures provide non-repudiation.