Chapter 16 Β· Glossary

Hashing & Digital Signatures β€” Term Reference

Every term you need for hashing and digital signatures on the Security+ exam.

Hash Function
A mathematical function that takes an input of any size and produces a fixed-size output (the digest or hash). Properties: deterministic (same input = same output), one-way (cannot reverse), avalanche effect (tiny change = completely different hash), and collision-resistant (cannot find two inputs with same output).
Hash Digest
The fixed-size output produced by a hash function β€” also called a hash, message digest, or fingerprint. SHA-256 produces a 256-bit (64 hexadecimal character) digest. The digest uniquely represents the input for integrity verification purposes.
Avalanche Effect
A property of cryptographic hash functions where a tiny change in input (even a single bit flip) produces a completely different output hash β€” with roughly half of all output bits changing. Ensures that similar inputs do not produce similar hashes, making pattern analysis useless.
Collision
When two different inputs produce the same hash output. A collision-resistant hash function makes finding a collision computationally infeasible. MD5 is considered broken because practical collisions have been demonstrated β€” two different files can be crafted to share the same MD5 hash.
MD5 (Message Digest 5)
A widely used but now deprecated hash function producing a 128-bit digest. Practical collision attacks were demonstrated in 2004. MD5 should NOT be used for security-critical purposes (file verification, digital signatures, password hashing). Still sometimes used for non-security checksums where speed matters.
SHA-256
Part of the SHA-2 family. Produces a 256-bit (64 hex character) digest. No practical collisions have been found. The current standard for most security-critical hashing needs: file verification, digital signatures, certificate fingerprints, and TLS. Recommended for Security+ exam as the primary strong hash algorithm.
SHA-3
The third major version of the Secure Hash Algorithm standard. Uses a fundamentally different internal structure (Keccak sponge construction) from SHA-2. Not a replacement for SHA-2 (which remains secure) but an alternative with different mathematical foundations β€” useful if SHA-2 were ever found to be vulnerable.
Salt
A random value added to a password before hashing. Stored alongside the hash (not secret). Ensures that even identical passwords produce different hash values in the database. Defeats rainbow tables and precomputed hash attacks β€” an attacker must recompute hashes for each unique salt individually.
Rainbow Table
A precomputed table of hashes for common passwords and word combinations. Allows an attacker to quickly look up a stolen hash and find the corresponding password. Made ineffective by salting β€” each unique salt requires its own precomputed table, making the attack computationally impractical.
Digital Signature
A cryptographic mechanism that provides integrity, authentication, and non-repudiation. Created by hashing a document then encrypting the hash with the signer's private key. Verified using the signer's public key. Proves the document hasn't been modified and that it was signed by the private key holder.
Non-Repudiation
The inability to deny having performed an action. A digital signature provides non-repudiation: only the holder of the private key could have produced the signature. The signer cannot later claim they didn't sign the document. Legally significant β€” digital signatures are legally binding in many jurisdictions.
HMAC (Hash-based Message Authentication Code)
A mechanism that combines a hash function with a secret key to produce a message authentication code. Used to verify both data integrity and the authenticity of a message between parties sharing a secret key. Unlike digital signatures, HMAC uses symmetric key material β€” both parties must share the key.
Code Signing
Applying a digital signature to software (executables, drivers, scripts) by the publisher. When a user installs the software, the OS verifies the signature β€” confirming the code came from the claimed publisher and hasn't been modified since signing. Prevents malware from masquerading as legitimate software updates.
File Integrity Monitoring (FIM)
Continuously hashing critical system files and comparing to known-good baseline hashes. If a file changes (malware modification, unauthorized configuration change), the hash changes and an alert fires. Common on servers where configuration files and system binaries should never change unexpectedly.
Integrity (CIA Triad)
The assurance that data has not been altered in transit or storage without authorization. Hashing provides integrity verification: the hash of a file serves as its fingerprint. If the file changes, the hash changes. Comparing hashes before and after transmission detects unauthorized modification.
Key Stretching (Hashing Context)
Applying a hash function multiple times (or using specifically designed slow functions like bcrypt, PBKDF2, Argon2) to make password hashing computationally expensive. Legitimate logins take milliseconds. Brute-force attempts that try millions of passwords per second are slowed to thousands or fewer. Defends against offline password cracking attacks.