Hash functions are an important and ubiquitous cryptography building block. They are relatively simple to understand and to use.

Most cryptographic hash functions are designed to take a string of any length as input and produce a fixed-length hash value. Therefore they are used to assure integrity and Authentication.

Below you see examples of the outcoming hash applied to the same text with two different hash functions.

SHA1("The quick brown fox jumps over the lazy dog")
gives: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
SHA224("The quick brown fox jumps over the lazy dog")
gives: 730e109bd7a8a32b1cb9d9a09aa2325d2430587ddbc0c38bad911525

Ideal Cryptographic hash function

None of the existing cryptographic functions are ideal, but they must be very close to it. The main quality criteria of every cryptographic hash function is how close/far to the ideal one they are. The ideal cryptographic hash function has four properties:

  • it is quick to compute the hash value for any given message.
  • it is infeasible to generate a message from its hash value.
  • it is infeasible to modify a message without changing the hash value.
  • it is infeasible to find two different messages with the same hash value.

Usage of hash functions

And because of that cryptographic hash functions are used for:

  • Verifying the integrity of files or messages (MAC)
  • Password protection and verification (with care)
  • Can also be used in the generation of pseudorandom bits, or to derive new keys or passwords from a single, secure key or password.
  • Widely used as a file or Object identifier in e.g. Git, Mercurial, and some p2p-file-sharing networks.

General purpose Hash functions

List of some well know and historical Hash functions:

  • MD4(128)
  • MD5(128)
  • SHA-1(160)
  • SHA-2 (224, 256)
  • SHA-3 (224, 256, 384, 512)

SHA2 is state of the art and is recommended function to be used in e.g. X.509 Certificates. And SHA3 is built for the future and very new and is not broadly supported at the moment.

MD4, MD5, SHA1 Are not recommended for usage anymore.

Java Example of the SHA-256 hash

To give you a more practical impression of the usage, below you’ll find a java example making SHA-256 hash out of password string.

package org.holbreich.crypto.examle.hash;
import java.security.MessageDigest;

public class SHA2HashingExample 
    public static void main(String[] args)throws Exception
    	String testText = "MyTestText";
    	//Possible SHA-256, SHA-384, and SHA-512
    	//See http://docs.oracle.com/javase/1.5.0/docs/guide/security/CryptoSpec.html#AppA
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte mdByteData[] = md.digest();

The result is stored in byte array mdByteData You can find the complete source on Github

Hash and Passwords

In the early days (and unfortunately still now), general purpose hash functions are widely used for password hashing. The problem with them is that they are too “too fast” on modern hardware. This makes them weak against brute-force attacks. Read Our passwords hashing has no clothes from Troy Hunt for more details about it. And just don’t use general-purpose hashing algorithms for password hashing, instead use one of the listed below.

Hash functions designed for password protection

  • PBKDF2
  • bcrypt, scrypt
  • ==Argon2== - PHC winner