Cryptographic Hash Algorithms
Cryptographic Hash Algorithms are one-way algorithms which are used when data does not need to be decrypted. Because there will be no decryption, there is no need for a key. The common expression for the application of the algorithm is the verb “to hash”. (As in, “I am going to hash this string.”) The results of these one-way algorithms are commonly called “hashes”. (As in “I stored the hash in the database.”)
A cipher text which cannot be decrypted might not seem useful, but it is useful because of a simple principle:
Same input + same algorithm = same output
This concept allows us to compare two output strings (hashes) in order to know whether the inputs match. Hash algorithms are especially useful for ensuring data integrity (checksums) and for secure password storage.
There are many hash algorithms but four stand out as popular choices.
CRC32 (“Cyclic Redundancy Check”) returns a 32-bit integer hash. It can be computed very quickly, which makes it useful for data error detection and correction, especially during transfer. It is widely used in communication software. If the data sent does not match the expected CRC32 hash, the software asks for the data to be resent.
MD5 is a popular hash function. (“MD” = “Message Digest”). It returns a 128-bit hexadecimal string which is 32 characters long. It was popular for secure encryption from 1991 to 2004, but since a number of weaknesses were discovered it has been used mostly for data integrity.
SHA-1 is a hash function designed by the N.S.A. (“SHA” = “Secure Hash Algorithm”). It returns a 160-bit hexadecimal string which is 40 characters long. It was published by NIST in 1995 (FIPS PUB 180-1) and was widely used in place of MD5 until the late 2000s. Practical collision attacks (such as the 2017 SHAttered attack) have since broken SHA-1, and NIST formally retired SHA-1 in December 2022 with all federal use to be phased out by December 31, 2030. New code should use a SHA-2 variant (e.g. SHA-256) or SHA-3 instead.
bcrypt is a hash algorithm which is based on the Blowfish Symmetric-Key Algorithm. Unlike Blowfish, bcrypt is a one-way hash and offers no decryption. It returns a 184-bit base-64 encoded string which is 31 characters long (but it also prepends information to the encrypted string, making it 60 characters total). It has been used for secure password storage since it was created in 1999. bcrypt is the default hash algorithm on many Unix and Linux operating systems. While bcrypt is still considered safe with a sufficient work factor (10 or more) and is acceptable for password hashing, the current OWASP Password Storage Cheat Sheet recommends Argon2id as the first choice for new applications, with scrypt and PBKDF2 as alternatives.
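The "same input + same algorithm = same output" principle in runnable form, as an added example that is not part of the original page: Python's standard library hashes one input with CRC32, MD5, SHA-1 and SHA-256, verifies a SHA-256 checksum, and stores a password with a random salt. PBKDF2-HMAC-SHA256 stands in for bcrypt or Argon2id because it ships with Python; the function names, the 600,000 iteration count, the 16-byte salt and the sample inputs are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import zlib

def digests(data: bytes) -> dict:
    """Hex digests of the same input under the algorithms discussed above."""
    return {
        "crc32": format(zlib.crc32(data) & 0xFFFFFFFF, "08x"),  # 32 bits, error detection
        "md5": hashlib.md5(data).hexdigest(),        # 128 bits -> 32 hex characters
        "sha1": hashlib.sha1(data).hexdigest(),      # 160 bits -> 40 hex characters
        "sha256": hashlib.sha256(data).hexdigest(),  # 256 bits -> 64 hex characters (SHA-2)
    }

def verify_checksum(data: bytes, expected_sha256_hex: str) -> bool:
    """Integrity check: recompute the hash and compare it in constant time."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256_hex.lower())

# Assumption: PBKDF2 is used only because it is in the standard library;
# the iteration count is an assumed work factor, not a value from the page.
PBKDF2_ITERATIONS = 600_000

def hash_password(password: str, salt: bytes = None) -> tuple:
    """Return (salt, hash). A fresh random salt makes equal passwords store differently."""
    salt = salt if salt is not None else os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, derived

def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Same password + same stored salt + same algorithm = same output."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)

if __name__ == "__main__":
    message = b"constructed sample payload"  # constructed sample input
    for name, value in digests(message).items():
        print(f"{name:7} {len(value):3} hex chars  {value}")
    published = hashlib.sha256(message).hexdigest()
    print("intact:  ", verify_checksum(message, published))
    print("tampered:", verify_checksum(message + b"!", published))
    salt, stored = hash_password("correct horse")  # constructed sample password
    print("right password:", verify_password("correct horse", salt, stored))
    print("wrong password:", verify_password("Correct horse", salt, stored))
```

The salt is stored next to the hash; it is not secret, it only ensures that two users with the same password do not end up with the same stored value.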
More on Cryptographic Hash Algorithms when used for: