Introduction

Hash functions and digital signatures are fundamental cryptographic tools that provide integrity and authentication. While encryption protects confidentiality, hash functions and digital signatures ensure that data has not been tampered with and verify the identity of the sender.

Cryptographic Hash Functions

A cryptographic hash function is a mathematical algorithm that maps data of arbitrary size to a fixed-size bit array (hash value or message digest).

Hash Function Properties:
  • One-way: Computationally infeasible to reverse
  • Deterministic: Same input always produces same output
  • Collision-resistant: Hard to find two inputs with same hash
  • Fixed output: Same length regardless of input size

How Hash Functions Work

Input: "Hello, World!"
Hash (SHA-256): dffd6021bb2bd5b0af676290809ec3a53191dd81c7f70a4b28688a362182986f

Input: "Hello, World" (no exclamation)
Hash (SHA-256): 0a0a78d12cc80922fb0e34e46c140b2c08e4c3d2b1c16b1a4a3c4d5e6f7a8b9

Hash Function Properties

  • Pre-image Resistance: Given a hash, cannot find original input
  • Second Pre-image Resistance: Given input, cannot find different input with same hash
  • Collision Resistance: Cannot find any two inputs with same hash
  • Avalanche Effect: Small input change causes large output change

Hash Algorithms

MD5 (Message Digest 5)

  • 128-bit hash output
  • Developed by Ronald Rivest in 1991
  • NOW CONSIDERED BROKEN - collisions have been demonstrated
  • Should not be used for security purposes

SHA-1 (Secure Hash Algorithm 1)

  • 160-bit hash output
  • Developed by NSA in 1993
  • DEPRECATED - collisions demonstrated in 2017
  • Still used in some legacy systems

SHA-2 Family

  • SHA-224, SHA-256, SHA-384, SHA-512
  • Different output sizes for different security needs
  • Currently secure - widely used
  • SHA-256 is the most common choice

SHA-3 (Keccak)

  • Selected as SHA-3 standard in 2012
  • Different design from SHA-2
  • Based on sponge construction
  • Not widely adopted yet

Algorithm   Output Size   Status
MD5         128 bits      Broken
SHA-1       160 bits      Deprecated
SHA-256     256 bits      Secure
SHA-512     512 bits      Secure

Message Authentication Codes

A Message Authentication Code (MAC) provides both integrity and authentication by using a shared secret key.

How MAC Works

  1. Alice and Bob share a secret key
  2. Alice computes MAC = Hash(Message + SecretKey)
  3. Alice sends Message and MAC to Bob
  4. Bob computes MAC' = Hash(Message + SecretKey)
  5. Bob compares MAC and MAC' - if equal, message is authentic

Limitation: MAC requires a shared secret key, so both parties must trust each other. It doesn't provide non-repudiation - both Alice and Bob can compute the same MAC.

HMAC (Keyed-Hash MAC)

HMAC is a specific construction for creating MACs using cryptographic hash functions:

HMAC(K, M) = H((K ⊕ opad) || H((K ⊕ ipad) || M))

Where:
- K = secret key
- M = message
- H = hash function (SHA-256 typically)
- ipad/opad = inner/outer padding

Digital Signatures

Digital signatures provide integrity, authentication, and non-repudiation. Unlike MACs, digital signatures use asymmetric cryptography, so only the signer can create signatures, but anyone can verify them.

How Digital Signatures Work

  1. Sender: Computes hash of message
  2. Sender: Signs hash with their private key
  3. Sender: Sends message + signature
  4. Receiver: Computes hash of received message
  5. Receiver: Verifies signature with sender's public key
  6. Verification: If signature matches hash, message is authentic

Digital Signature Process

Message → Hash → Sign (Private Key) → Signature

Common Digital Signature Algorithms

  • RSA: Most common, uses RSA algorithm for signing
  • DSA: Digital Signature Algorithm, US government standard
  • ECDSA: Elliptic Curve DSA, more efficient
  • EdDSA: Edwards-curve DSA, modern and fast

PKI & Digital Certificates

Public Key Infrastructure (PKI) is the framework that enables the use of public key cryptography at scale, providing a system for creating, managing, and verifying digital certificates.

Digital Certificates

A digital certificate binds a public key to an identity (person, organization, or website). It contains:

  • Subject's public key
  • Subject's identity information
  • Certificate validity period
  • Issuer's digital signature
  • Issuer's identity

Certificate Authorities (CA)

Trusted third parties that issue and verify certificates:

  • Root CAs: Top-level CAs that issue intermediate CA certificates
  • Intermediate CAs: CAs below root, issue end-entity certificates
  • End-Entity Certificates: Issued to individuals or organizations

Certificate Chain

Certificate Validation Chain

Root CA → Intermediate CA → End Entity

SSL/TLS Certificates

Used to secure web connections (HTTPS):

  • Domain Validation (DV): Only verifies domain ownership
  • Organization Validation (OV): Verifies organization identity
  • Extended Validation (EV): Most rigorous verification