Hash Function Properties
1. Deterministic
The same input always produces the same output hash. Hash("hello") = 2cf24dba... every single time, on any machine, with any implementation. This is what makes hash comparison reliable.
2. One-Way (Pre-image Resistant)
Given a hash, you cannot work backward to find the original input. There is no "unhash" operation. The only way to find an input that produces a given hash is to try inputs until one matches β which is computationally infeasible for a strong hash.
3. Avalanche Effect
Changing a single bit of input completely changes the output β roughly half of all output bits flip. Hash("hello") and Hash("Hello") (just capital H) produce completely different digests with no resemblance. Small changes are magnified into completely different fingerprints.
4. Collision-Resistant
Computationally infeasible to find two different inputs that produce the same hash. The SHA-256 output space has 2^256 possible values β finding a collision by chance or computation is astronomically unlikely. MD5 lost this property β practical collisions exist.
Hash Algorithms: Comparison
| Algorithm | Output Size | Status | Use Today? |
|---|---|---|---|
| MD5 | 128 bits (32 hex chars) | BROKEN β collisions found (2004) | No β not for security. Sometimes for non-security checksums only. |
| SHA-1 | 160 bits (40 hex chars) | DEPRECATED β collision demonstrated (2017 SHAttered attack) | No β browsers and CAs stopped accepting SHA-1 certificates. |
| SHA-256 | 256 bits (64 hex chars) | Secure | Yes β primary standard for most security uses. |
| SHA-384 | 384 bits (96 hex chars) | Secure | Yes β used where extra margin desired. |
| SHA-512 | 512 bits (128 hex chars) | Secure | Yes β high-security applications. |
| SHA-3 | Variable (224β512 bits) | Secure (different design) | Yes β alternative to SHA-2 with different internal structure. |
Password Hashing: Without and With Salt
| Scenario | Without Salt | With Salt |
|---|---|---|
| User A password: "pass123" | Hash("pass123") = abc123 | Hash("pass123" + saltA) = x7q2ab |
| User B password: "pass123" | Hash("pass123") = abc123 (SAME) | Hash("pass123" + saltB) = p9r3kl (DIFFERENT) |
| Rainbow table attack | Look up abc123 β "pass123" instantly | Must generate rainbow table for every unique salt β infeasible |
| Database breach impact | All users with same password exposed simultaneously | Each user must be cracked individually with their salt |
Digital Signature Process
Alice computes SHA-256 of the document. This produces a unique 256-bit digest that represents this exact version of the document.
Alice encrypts the hash using her own private key. This creates the digital signature. Only Alice can do this β she is the only one with her private key.
Bob receives both the original document and Alice's digital signature attached to it.
Bob uses Alice's public key (which is publicly available) to decrypt the signature. This reveals the hash Alice computed in Step 1.
Bob independently computes SHA-256 of the received document.
If Alice's hash (decrypted from signature) = Bob's computed hash β document is authentic and unmodified. If they differ β document was changed or signature is forged.
What Digital Signatures Prove
| Property | What It Means | How the Signature Provides It |
|---|---|---|
| Integrity | The document hasn't been modified | Any change to the document changes the hash β the hash comparison fails |
| Authentication | The document came from who it claims | Only the holder of Alice's private key could have created a signature that Alice's public key can verify |
| Non-Repudiation | The signer cannot deny having signed | The private key is uniquely Alice's β mathematical proof that she signed it, not forgeable without her key |
Hashing vs. Encryption vs. Digital Signatures
| Property | Hashing | Encryption | Digital Signature |
|---|---|---|---|
| Reversible? | No (one-way) | Yes (with key) | Hash portion: No. Signature: Yes (verify with public key) |
| Keys required? | None | Symmetric key OR public/private key pair | Private key to sign; public key to verify |
| Provides confidentiality? | No | Yes | No |
| Provides integrity? | Yes (comparison) | No (just confidentiality) | Yes |
| Provides authentication? | No | No (alone) | Yes |
| Provides non-repudiation? | No | No | Yes |