In the digital age, safeguarding sensitive information is super duper important. Two key techniques at the forefront of data security are hashing and encryption. While they both serve to protect data, their applications, especially in the context of password management, are distinct. Let’s see when each should be used and why.
Hashing
- Hashing is a process that takes an input (or ‘message’) and returns a fixed-size string of bytes. The output, typically a ‘hash value’ or ‘hash code’, is unique to the given input.
- Hashes are produced by a function called a hash function. This function is designed to be a one-way function, meaning that it is infeasible to reverse the process and retrieve the original input from the hash.
Key Characteristics:
- Uniqueness: Ideally, every different input should produce a unique hash. Even a small change in the input should result in a significantly different hash value.
- Fixed Length: Regardless of the size of the input data, the hash value is of a fixed length.
- Efficiency: Hashing is a fast process and produces the hash value in a relatively short amount of time.
- Irreversibility: It’s computationally infeasible to reverse a hash function to get back the original input data. MD5 example: d0cfaa355491aa642fb529c2e7d006b5
Common Uses:
- Password Storage: Storing the hash value of passwords instead of the actual passwords. Even if the hash is accessed by an unauthorized party, they cannot reverse it to find the original password.
- Data Integrity: Verifying the integrity of data. If the hash of the data matches the expected hash, the data is assumed to be intact and unaltered.
- Lookup Efficiency: Hash tables use hash functions to quickly locate a data record given its search key.
Encryption
- Encryption is the process of converting plain text into ciphertext, a form that cannot be easily understood by unauthorized people.
- Encryption uses an algorithm called a cipher and a key to transform the readable data into an unreadable format. The recipient can decrypt the data with the correct key.
Key Characteristics:
- Two-way Function: Unlike hashing, encryption is reversible. Using the correct key, the original data can be retrieved from the encrypted version.
- Key-Based: Encryption requires a key, which can be a string of characters, to encrypt and decrypt data. The security of encrypted data is largely dependent on the secrecy of the key.
- Variable Length: The length of the encrypted data is proportional to the length of the original data.
Types of Encryption:
- Symmetric Encryption: Uses the same key for both encryption and decryption. Faster but requires secure key management.
- Asymmetric Encryption: Uses a pair of keys – a public key for encryption and a private key for decryption. More secure but slower than symmetric encryption.
Common Uses:
- Secure Communication: Encrypting data being sent over networks to protect it from eavesdropping.
- Data Protection: Protecting sensitive data stored on devices or in the cloud, like user details, financial information, etc.
- Digital Signatures and Authentication: In asymmetric encryption, ensuring the authenticity of a sender and the integrity of the message.
Risks When Password Hashes are Cracked
Let’s see what could happen when passwords get leaked.
- Hash Cracking: The process of attempting to reverse a hash (i.e., discovering the original plaintext from the hashed output). While it’s generally infeasible to reverse a hash directly due to its one-way nature, attackers use alternative methods to ‘crack’ hashes.
Common Cracking Methods:
- Guess and Check: Choosing potential plaintexts (like common passwords), hashing them, and comparing the results with the stolen hash values.
- Rainbow Tables: Precomputed tables for reversing cryptographic hash functions, mainly for cracking password hashes.
- Brute Force Attacks: Systematically checking all possible plaintexts until the correct one is found.
- Dictionary Attacks: Using a list of common passwords or phrases (a dictionary) to generate hashes to match against stolen hashes.
Mitigation Strategies:
- Use of Strong, Unique Passwords: Encouraging users to create complex passwords that are hard to guess.
- Modern Hashing Algorithms: Employing algorithms resistant to these cracking techniques, like bcrypt, Argon2, etc.
- Regular Updates to Security Protocols: Keeping up with advancements in hash cracking methods and updating security measures accordingly.
Enhancing Password Storage
Salting:
- Definition: A ‘salt’ is a random string added to each password before it’s hashed.
- Purpose: Makes each hash unique even if two users have the same password, and prevents attackers from using precomputed hash tables (like rainbow tables).
- Implementation: A unique salt should be used for each user’s password. Salts are usually stored alongside the hash in the database.
Peppering:
- Definition: A ‘pepper’ is a secret value added to the hash process, similar to a salt but not stored in the database.
- Purpose: Adds an extra layer of security. Even if an attacker accesses the database, they cannot crack the hashes without the pepper.
- Implementation: The pepper is a secret key, typically applied as an additional cryptographic function over the hash.
Using Work Factors:
- Definition: A ‘work factor’ refers to the computational effort required to compute the hash, typically defined as the number of iterations of the hashing process.
- Purpose: Slows down the hash calculation, making brute force attacks more time-consuming and computationally expensive.
- Implementation: Should be carefully chosen to balance security needs with system performance. Needs regular adjustment to adapt to increasing computational capabilities.
.NET Example:
public class HashingExample
{
private const string Pepper = "MySaltNPeppa";
private static string GenerateSalt()
{
byte[] saltBytes = new byte[32];
using (var rng = RandomNumberGenerator.Create())
{
rng.GetBytes(saltBytes);
}
return Convert.ToBase64String(saltBytes);
}
private static string HashPassword(string password, string salt)
{
using (var sha256 = SHA256.Create())
{
var saltedPassword = password + salt;
byte[] saltedPasswordBytes = Encoding.UTF8.GetBytes(saltedPassword);
byte[] hashBytes = sha256.ComputeHash(saltedPasswordBytes);
return Convert.ToBase64String(hashBytes);
}
}
private static string ApplyPepper(string hashedPassword)
{
using (var sha256 = SHA256.Create())
{
var pepperedPassword = hashedPassword + Pepper;
byte[] pepperedPasswordBytes = Encoding.UTF8.GetBytes(pepperedPassword);
byte[] hashBytes = sha256.ComputeHash(pepperedPasswordBytes);
return Convert.ToBase64String(hashBytes);
}
}
public static User RegisterUser(string password)
{
string salt = GenerateSalt();
string saltedHashedPassword = HashPassword(password, salt);
return new User { Salt = salt, HashedPassword = saltedHashedPassword };
}
public static bool AuthenticateUser(string enteredPassword, User user)
{
string saltedHashedPassword = HashPassword(enteredPassword, user.Salt);
return saltedHashedPassword == user.HashedPassword;
}
public static void Example()
{
string password = "UserPassword123";
User newUser = RegisterUser(password);
bool isAuthenticated = AuthenticateUser("UserPassword123", newUser);
Console.WriteLine("User authenticated: " + isAuthenticated);
}
}
public class User
{
public string Salt { get; set; }
public string HashedPassword { get; set; }
}
Conclusion
In summary, while both hashing and encryption play pivotal roles in data security, hashing stands out for password protection due to its one-way nature. Employing modern algorithms and enhancing security with salting, peppering, and appropriate work factors is essential in safeguarding passwords. As digital threats evolve, so must our methods of protecting sensitive data.
Coding Bolt 
Leave a comment