An introduction to the SHA Hashing Algorithm. The origins of SHA are explained, along with the family taxonomy of SHA message digest functions. We also cover their uses in cryptography. http://boblandstrom.com
2. Data Protection in the Data Center
Why are we bothering with cryptography when talking about data centers?
If we believe that the data center is a treasure chest for our business’ most important
assets, then we have to realize the importance and the role of cryptography for:
a) Maintaining the integrity of data
b) Protecting data privacy, especially with new regulatory constraints
- In Motion, In Use, and At Rest
3. Hashing Algorithms and Cryptography
Hashing algorithms (or hashing functions) are not technically encryption algorithms
at all.
They are though, an essential component in cryptography along with symmetric
encryption and asymmetric encryption algorithms.
Hashing algorithms are also known as a Message Digests.
4. Message Digest: Data Fingerprint
Message-Digest algorithms are mathematical functions that transform a data string
of arbitrary length into a new string of data of fixed length (In this case, there are
options for the length of the digest, but it’s always fixed for each algorithm).
The output of the algorithm can be thought of as a “fingerprint” of the input data.
That is, it is a unique representation of the input data.
Important Points:
1) It should be impossible to have two different versions of the input data that
returns the same output data.
2) It cannot be reversed! It should be impossible to produce the input value even if
you know the output value. It’s a one-way function!
5. The Secure Hash Algorithm (SHA)
The SHA hashing algorithm is actually a family of algorithms: SHA-0, SHA-1, SHA-2, SHA-3.
Created through the US Government’s “Capstone” project, driven by NIST and the NSA.
SHA-0 was quickly withdrawn after release and replaced by SHA-1
SHA-1 produces a 160-bit hash value.
In 2015, SHA-1 was revealed to be vulnerable to collisions at a cost of only $75-120K
using EC2 nodes, putting it within reach of criminal syndicates.
6. SHA-2
The US Government recommends SHA-2 as a replacement for SHA-1.
SHA-2 is a family of hash functions in its own way !
Message Digest lengths of 224, 256, 384, and 512 bits are available.
7. How does it work then?
SHA works like all hashing functions work, by applying a compression function to
the input data.
SHA works in block mode, first separating the data into words, and then grouping
the words into blocks. The words are 32-bit strings converted to hexadecimal,
grouped together as 16 words to make up a 512-bit block. The message can be
padded with zeros and an integer describing the original message length is
appended.
Once formatted for processing, the actual hash is generated. The 512-bit blocks
are taken in order, processing them algorithmically through a series of buffers.
After done for all blocks, the entire message is now represented by the fixed
length string of the hash.
8. Of course- SHA-3
And if you’re wondering, of course there is also a SHA-3.
NIST created a competition in 2006 to create a new hashing function standard.
This was not to replace SHA-2, but as an alternative and dissimilar cryptographic
hashing function.
SHA-3 has been an official NIST hashing standard since 2015. A notable
“dissimilarity” with SHA-3 is its use of a sponge function, which is unlike earlier
SHA algorithms.
9. Which SHA should I use?
So when do you use which SHA algorithm? Well the Federal Information Processing
Standard (FIPS) recommends the following. Use SHA-1, SHA-224, and SHA-256 for
messages less than 264 bits in length. SHA-384 and SHA-512 are recommended for
messages less than 2128 bits in length.
The value of digital fingerprints is straightforward, and there are many choices of
hashing algorithms to use. When applying a hashing algorithm, one may encounter
tradeoffs such as collision resistance and also processing speed.
10. Hashing Algorithm Speed Comparison
Hashing algorithms consume data processing resources of one form or another.
This chart comes from Javamex showing the differences in processing time for the
various hashing algorithms.
11. Applications of SHA Hashing Algorithms
Applications for SHA-1 and SHA-2 are many for demonstrating message integrity,
including password storage, file verification, and digital signatures. They are used
in common Internet applications such as TLS and SSL, PGP, SSH, S/MIME and IPsec.
SHA-2 is widely used for authentication of software packages and digital media.
SHA-256 and SHA-512 have been proposed for use in DNSSEC and also for Unix and
Linux password hashing. SHA-256 is used for Bitcoin transaction verification.