WOTD: SHA-512 (Secure Hash Algorithm)
Sorry… This is going to be a long post since there’s so much information to cover… I apologize and thank you for your attention in advance…
I was reading a post by security software maker Sophos about a company that checks to see whether your online account details have been compromised; that company suggested using a “SHA-512 hash” when submitting your user id or email for the check. The Sophos post commented that average computer users don’t understand what a “SHA-512 hash” is… Curious, I went to google “SHA-512 hash” to find out what exactly it is, because after all, I am no average computer user!
Secure Hash Algorithm
A little online search will tell you SHA-512 is part of the Secure Hash Algorithm. According to Wikipedia, the Secure Hash Algorithm is one of a number of cryptographic hash functions published by the National Institute of Standards and Technology as a U.S. Federal Information Processing Standard. There are currently 4 generations/types of SHA standards:
- SHA-0: A retronym applied to the original version of the 160-bit hash function published in 1993 under the name “SHA”. It was withdrawn shortly after publication due to an undisclosed “significant flaw” and replaced by the slightly revised version SHA-1.
- SHA-1: A 160-bit hash function which resembles the earlier MD5 algorithm. This was designed by the National Security Agency (NSA) to be part of the Digital Signature Algorithm.
- SHA-2: A family of two similar hash functions, with different block sizes, known as SHA-256 and SHA-512. They differ in the word size; SHA-256 uses 32-byte (256 bits) words where SHA-512 uses 64-byte (512 bits) words. There are also truncated versions of each standardized, known as SHA-224 and SHA-384. These were also designed by the NSA.
- SHA-3: A proposed hash function standard still in development. This is being chosen in a public review process from non-government designers. An ongoing NIST hash function competition is scheduled to end with the selection of a winning function, which will be given the name SHA-3 in 2012.
SHA-512 is part of the SHA-2 cryptographic hash function set, a novel hash function computed with 64-bit words (512 bits). There are also SHA-224, SHA-256 and SHA-384, named after their digest lengths (in bits). Go to this Wiki page to learn more about SHA-2, its function sets and standards.
Using SHA-512 Hash
In other words, a SHA-512 hash (and SHA-2 in general) is used to encrypt (scramble) digital information. While it might sound hard-core geek, average computer users CAN put it to work too. In fact, if you use any TLS or SSL protocols, you are already using a SHA-2 hash function of sorts.
SHA hashing functions are found in many modern programming languages, such as Java, Python, PHP, and Perl.
There are also online tools (hash converters) that allow you to generate SHA-512 hashes on demand:
- SHA-512 Hash Text Tool by Chilkat Software (works only in Internet Explorer)
- Online Convert.com – SHA-512 Hash Converter
I played with the Online-Convert.com tool a little bit, converting the following famous opening line into a SHA-512 hash:
To be, or not to be: that is the question…
And the resulting hash is:
(without secret key):
(with a secret key):
Adding a secret key during conversion (i.e. creating a Hash-based Message Authentication Code variant) strengthens the security of the hash; by adding a secret key, you are creating a more complex message, which makes it harder to decipher the hash.
Hashes are commonly used for storing passwords. Before a password is saved in a user info table, it is scrambled into a hash, so even if someone broke into the table and got hold of the password, it would be more difficult for that person to find out what the password really is.
Hashes can be used for verifying both the data integrity and the authenticity of a message. Many online software distributors now include the hash of the downloadable software. After you download the software, you can use a checksum utility such as this or OS X’s built-in function to scramble your downloaded file, and verify the result against the hash provided by the software distributors. If the checksums don’t match, then the integrity of the software has likely been compromised.
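The three uses described above (a plain SHA-512 digest, a keyed HMAC variant, and checking a download against a published hash) look like this in Python's standard library. This is an added example, not code from the post or the tools it mentions; the key, file name and file contents are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile

# The line hashed in the post, as UTF-8 bytes (hash functions work on bytes).
MESSAGE = "To be, or not to be: that is the question…".encode("utf-8")


def sha512_hex(data: bytes) -> str:
    """Plain SHA-512: unkeyed, so anyone can compute it for any input."""
    return hashlib.sha512(data).hexdigest()


def hmac_sha512_hex(key: bytes, data: bytes) -> str:
    """Keyed variant (HMAC-SHA-512): only holders of the key can produce or check it."""
    return hmac.new(key, data, hashlib.sha512).hexdigest()


def file_sha512(path: str, chunk_size: int = 65536) -> str:
    """Hash a file in chunks so large downloads do not have to fit in memory."""
    digest = hashlib.sha512()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path: str, published_hex: str) -> bool:
    """Compare the computed digest with the distributor's published value."""
    return hmac.compare_digest(file_sha512(path), published_hex.strip().lower())


def demo() -> tuple:
    """Constructed sample file: verify it, change one byte, verify again."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "download.bin")  # hypothetical file name
        with open(path, "wb") as handle:
            handle.write(b"constructed sample payload\n" * 1000)
        published = file_sha512(path)  # stands in for the value on the vendor's page
        intact = verify_download(path, published)
        with open(path, "ab") as handle:
            handle.write(b"\x00")  # simulate corruption or tampering
        modified = verify_download(path, published)
    return intact, modified


if __name__ == "__main__":
    print("SHA-512:     ", sha512_hex(MESSAGE))
    print("HMAC-SHA-512:", hmac_sha512_hex(b"constructed-demo-key", MESSAGE))
    print("intact, modified ->", demo())
```

A published checksum is only as trustworthy as the channel it was fetched over; if the download page itself can be altered, the hash shown on it can be altered too.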
“What About Decryption?” You Might Ask…
You might wonder, and I know I did, if I use any of the readily available online hash converters, wouldn’t others be able to easily decode my hashed message? Wondering about that, I did a little experiment:
1) First I searched for some online decoders;
Since I couldn’t find a SHA-512 hash decoder, I settled for a few SHA-1 decoders…
2) Using Online-Convert.com’s SHA-1 hash converter, I got the hash for “To be, or not to be: that’s is the questions…”;
3) Taking the SHA-1 hash, I went over to one of the online decoders to see if they would return the original message…
And the answer is NO.
4) Then I went to another online decoder (stringfunction.com) to try…
And the result was the same. However, I noticed stringfunction.com also has an online SHA-1 encoder. So I encoded my Shakespeare message again using stringfunction.com’s encoder. The result? The returned hash is THE SAME as the one from Online-Convert.com! And now, see what happened when I decoded the hash again?
My conclusion is…
While hash decoders are readily available, these decoders rely on hash databases to match the input hash to the converted message. If your message/hash pair is not in the databases, the online decoders can’t decode the message. This is clearly illustrated in the different decoding results from stringfunction.com’s decoder, before and after I encoded the message using the site’s encoder.
There are hash databases that are commonly available; this is especially the case with MD5 (another popular encryption algorithm). Vulnerabilities to different types of cryptanalytic attack are also found in some encryption algorithms. Here is a comparison of the different types of encryption algorithms.
As it turns out, any good cryptographic hash algorithm should include a one-way function of sorts. This means that while it would be easy to scramble any message into a fixed-length hash, it would be very difficult, if not impossible, to decode the hash to figure out the original message.
There have been cases of an encryption algorithm being broken (such as the case of MD5 in an attack to break SSL in 2008… Read more); SHA-2 (especially SHA-512) seems to be the best encryption algorithm at the moment. But no doubt that will change as hackers are constantly trying to figure out how to break the code. That’s why SHA-3 — the next generation of SHA algorithm — is in development right now, and it will be revealed as soon as 2012.
Meanwhile, here are some tips to add extra security to your hash encryption:
- Use secret keys (or better yet, SALT values) to create an HMAC variant and make the hash harder to decrypt.
- Hash your message at least twice to make it harder to decipher.
- Require the message to have lowercase and uppercase characters, special characters and numbers.
- Use multiple hash algorithms to hash your data multiple times.
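The decoder experiment and the salt tip above, put together as an added Python example (not code from the post or from the sites it mentions). `LookupDecoder` is a hypothetical stand-in for a database-backed "decoder", and `ITERATIONS` is an assumed work factor; the salted part uses the standard library's PBKDF2-HMAC-SHA-512, which combines a per-password random salt with many hash iterations.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; tune it for your own hardware


class LookupDecoder:
    """Hypothetical 'hash decoder': nothing but a digest -> text table."""

    def __init__(self):
        self.table = {}

    def encode(self, text: str) -> str:
        digest = hashlib.sha1(text.encode("utf-8")).hexdigest()
        self.table[digest] = text  # the site remembers every pair it has produced
        return digest

    def decode(self, digest: str):
        return self.table.get(digest)  # None when the pair was never stored


def experiment():
    """Replay the post's steps: decode, encode on the same site, decode again."""
    site = LookupDecoder()
    message = "To be, or not to be: that is the question"  # constructed input
    elsewhere = hashlib.sha1(message.encode("utf-8")).hexdigest()  # made on another site
    before = site.decode(elsewhere)
    same_hash = site.encode(message) == elsewhere  # SHA-1 is deterministic
    after = site.decode(elsewhere)
    return before, same_hash, after


def store_password(password: str):
    """Return (salt, derived_key); a fresh random salt makes every record unique."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    key = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(key, expected)


def same_password_two_records(password: str):
    """Two users with the same password get different stored values."""
    (salt_a, key_a), (salt_b, key_b) = store_password(password), store_password(password)
    return key_a != key_b, verify_password(password, salt_a, key_a)


if __name__ == "__main__":
    print(experiment())
    print(same_password_two_records("constructed-demo-password"))
```

Because the stored value depends on a random salt, a table of precomputed digests has no entry to match it against, which is the property the unsalted hash in the experiment lacked.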
So there you have it… Tons and tons of information on secure hash algorithm. What started as a look into SHA-512 turned into my head-dive into the world of cryptographic hash functions. I hope you have found the information useful. Since I’m a relative newbie in the realm of (hard-core) cyber security, I have much to learn… Please feel free to add your thoughts and/or any pointers.
And if you know of any good books or suggested reading on the subject of cryptography, cryptographic hash functions and the like, I would love to know about them… So fire away! Thank you in advance!
(Added 6/8/2012) MD5 password scrambler ‘no longer safe’