A cryptographic hash function is a technique that takes a set of text and reduces it down to a fixed length of data. This small fixed set of numbers is called the digest, or hash value. The hash function that reduces the message to a digest is wholly rooted in mathematics. In fact, there is an entire field of mathematics devoted to understanding how to make good hash functions.
A key thing to remember is that the message can be any length but the cryptographic hash function will always return a fixed length of data as the digest. for example, the message could be 11 characters or perhaps 121 characters in length, but the hash function would return, in both cases, a digest of 30 characters. The digest will be different for each message, but a good cryptographic hash function always returns the same length of characters.
If two different messages return the same digest, then the cryptographic function is deemed to be bad.
A respectable system, such as your online credit card account, should never store your password in their database. Your credit card company may use a cryptographic hash function on your password, and store only the digest. This way, if their database is hacked, then the hacker will not see your password. Rather they will see the cryptographic hash.
Further, a respectable cryptosystem will never send you your password, because they don’t have it. They only have the hash, and you can not derive a cryptographic hash function. They only work one way. That is why good systems send you a reset link when you lose your password. (Hint: You may want to avoid websites that send you your actual password when you lose it, rather than a reset link).
Sha-1 is a well-known cryptographic hashing function. It’s not perfect, but suitable for basic hashing needs.
Digital Signatures Provide Message Integrity
You can use a cryptographic hash function on digital signatures to verify the integrity of the message. That is, you can verify the message actually came from the person you think it did.
While hashing passwords has integrity in verifying identification of the user, think of a digital signature as having integrity in verifyying indentification of a message sender. For example, your doctor writing a prescription by email. It allows you to print the email to take to your pharmacy. The integrity of the digital signature should verify that it actually came from your doctor; and that the prescription was not modified in transit over the internet.
A Simple Example of Digital Signature Integrity
- The sender and receiver are the only two people who know a secret.
- The sender writes a message and adds on the secret. A cryptographic hash function is used to form a digest of the message+secret.
- The message+digest is sent. (Remember the digest is a hash of the message+secret).
- The receiver takes the message+digest, removes the digest, and adds the secret. Now the receiver has the message+secret, and keeps the digest for comparison.
- The receiver runs the same cryptographic hash function on message+secret, which returns a digest.
- The receiver now compares this digest with the original digest it removed from the message+digest transmission.
- If it’s a match then the integrity of the digital signature is verified. Of course, this only works if the secret it not compromised.
The integrity only works if the sender and receiver can keep a secret!
While the secret key technique is valid, it’s not practical for the internet because there is not a secure way to distribute keys. The internet is an insecure medium. This fact underscores the challenge of internet security.