Basics of Hashing and Cryptography

Next up, hashing. Let’s take a look at one-way hash functions. As the name suggests, one-way hash functions are a one-way function. They’re a mathematical function which cannot be reversed, and they’re usually used to either store passwords or create checksums over files.

They’re often used to store passwords, but they can also be used to create checksums over files, or other things.

There’s also not just one hash function, there are multiple hash functions with different strength. And there exists bad ones, like MD5, which is more or less cracked and broken, and better ones like SHA2 or SHA3. In theory, SHA3 would be better than SHA2, but it doesn’t have a large support right now from bigger companies and tools, so we’re stuck with SHA2, for the moment. A hash usually looks like some gibberish, and you cannot determine the out and input from the hash alone. If I have two completely different words, like “banana” and “test,” the hashes will also be completely different, except for the length, which will always be the same length.

In theory, if you change one or two bits of the input, the hash should be around 50% different than before. I say “in theory” because, in hashes like MD5, there are hash collisions, which means that two different words will create the same hash. You can think of hash functions. I always like to bring up the example of hash browns when talking about hash functions. If you have the same potato- the exact same potato, two times - and you make the exact same steps to prepare the hash browns, you will get two hash browns that are identical, or even the same.

If you use another potato that is completely different, and do the same steps, you will get completely different hash browns. Also, you cannot convert your hash browns back into regular potatoes. Let’s take a look at cryptography. Now, cryptography has three main goals

which make the acronym CIA: Confidentiality - Only for the right eyes. Integrity - The message I send is the same you will receive. No attacker has edited the message I sent you. Authenticity - If a message tells that I sent it, I should actually be the real sender of that message. Now, what does cryptography have to do with passwords? First and foremost, passwords are never encrypted, or never should be. Passwords are hashed. And hashes are not encryption because an encryption can usually be reversed, and a hash, not. But passwords are used for encryption. Like if you have a password-protected zip, it’s basically just an encrypted zip.

Password-based encryption will not be the topic of this course, but with the methods, and strategies, and tools from this course, you can also crack encryption, which is password-based. Something like a password-protected zip file can be cracked with the tools and methods learned in this course. Now, let’s do a quick recap. We took a look at entropy, which is a measure of information. The higher the entropy, the more secure the password. So, our goal is to make passwords that have a high entropy, so an attacker needs more time to crack it. We have taken a look at hashing and what hashes are - usually, a one-way function to scramble passwords and store them in a safe way.

Cryptography - cryptography should not be used to store passwords. You do not encrypt passwords and store them in databases. You hash them, store them in databases, and when a user tries to log in, you hash what he enters in the password box, and compare the two hashes. Encryption and decryption will not be the topic of this course. We will focus on passwords and how to exploit them, and how you can prevent that. And that’s it for this video. Thank you for watching. In the next one, we’ll be setting up the environment.