2.4.5. Hashing, Salting, and Digital Signatures
š” First Principle: Hashing, salting, and digital signatures work together for integrity and authentication. Hashing creates fingerprints, salting prevents precomputed attacks, and digital signatures combine hashing with asymmetric cryptography to prove both integrity and authorship.
Hashing produces a fixed-length digest from any input. SHA-256 produces 256 bits whether the input is a byte or a gigabyte. Key properties: deterministic (same input = same hash), one-way (can't reverse it), collision-resistant (different inputs shouldn't produce the same hash). MD5 (128-bit) and SHA-1 (160-bit) are considered broken for security purposes ā collisions have been demonstrated. SHA-256 and SHA-3 are current standards.
HMAC (Hash-based Message Authentication Code) combines a hash function with a secret key to provide both integrity and authentication. Unlike a plain hash (which anyone can compute), HMAC requires the shared secret ā so only parties with the key can generate or verify the code. Used in TLS, IPSec, and API authentication.
Salting adds a unique random value to each input before hashing. Two users with password "P@ssw0rd" get different hashes because each has a unique salt. This defeats rainbow table attacks and forces per-hash brute-force.
Digital signatures provide non-repudiation: the sender hashes the message, encrypts the hash with their private key. The recipient decrypts with the sender's public key and compares hashes. Match = authentic and unaltered.
Key stretching strengthens weak passwords by running them through a hash function thousands of times. PBKDF2 and bcrypt are common algorithms. Each guess requires the same intensive computation, making brute-force much slower.
Blockchain uses hashing to create an immutable chain ā each block contains a hash of the previous block, so changing any record invalidates all subsequent hashes. An open public ledger extends this to public verification.
ā ļø Exam Trap: Salting prevents rainbow tables. Key stretching slows brute-force. They solve different problems. Good password storage uses both.
