SHA-1 Hash Collisions in a nutshell

Virssagòn

[image: Collision-illustrated_0.png]

This thread gives more insight into the purpose of hashing algorithms in security. How does a website store your password, and is that safe? We attempt to express in layman's terms what everything does and means.


What is "Hashing"?

In layman's terms, a hashing function is an algorithm that takes an input value and produces an (ideally unique) output value: a hash. This hash can be used for many different things, e.g. creating a unique index in a list for every value, making it easier to retrieve values from that list. Another use for hashing algorithms is security: when you register an account on a website, the website (hopefully) never stores your password anywhere, so the site itself does not (and should never) know what password you use. Instead, the site gives your password as the input to a hashing algorithm and stores the produced hash in its database. Whenever a user enters a password to log in, the website hashes the input again, compares that hash to the value stored in the database, and then decides whether or not to let the user access the account.



Hash Collisions

An attentive reader might already have figured out that when hashing functions are used for security purposes, every produced hash should be unique. If a hashing function produces the same output for two different inputs, a so-called hash collision occurs. When attackers attempt to gain access to an account, or to falsify a document, they generally try to produce their own input that generates the same hash the legitimate input would produce. To avoid this, new hashing algorithms are continuously being developed and older, weakened ones are deprecated. One such deprecated algorithm is MD5: serious weaknesses were discovered in it and exploited to create hash collisions in a matter of minutes.



SHAttered

One of the most prevalent hash functions still in use is called SHA-1. This algorithm was believed to be resistant to all hash collision attacks until recently. A team at Google Labs published a blog post about how they exploited a specific weakness in the SHA-1 algorithm to create collisions much faster than previous techniques could. In this situation, "faster" is a relative term: it still took the high-performance computer that Google used a year to create a collision on a single document. Simultaneously with their blog post, Google brought a website to life to detect whether the "SHAttered" method they developed was used to create a collision.
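To make the idea of a collision and its cost concrete, here is an added example (not code from the original post, and unrelated to the SHAttered PDFs, which cannot be reproduced here). It searches for two different inputs whose SHA-1 digests agree on only their first few bits; truncating the digest is what makes the search finish in milliseconds. The point of the exercise is the work factor: a generic birthday search against an n-bit digest needs roughly 2^(n/2) attempts, so a full 160-bit SHA-1 collision would need about 2^80 attempts by this route, and the full digests of the two inputs found here still differ. The function names and the `b"demo"` seed are constructed for this example.

```python
import hashlib
import math


def truncated_sha1(data: bytes, bits: int) -> int:
    """Return the first `bits` bits of SHA-1(data) as an integer.

    Truncation exists only to make a collision reachable in a demo;
    it says nothing about SHA-1's real 160-bit output.
    """
    digest = hashlib.sha1(data).digest()
    return int.from_bytes(digest, "big") >> (160 - bits)


def expected_attempts(bits: int) -> float:
    """Birthday-bound estimate: about sqrt(pi/2 * 2^bits) random inputs
    are needed before two of them share a `bits`-bit digest."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def find_collision(bits: int, seed: bytes = b"demo") -> tuple[bytes, bytes, int]:
    """Find two distinct inputs with the same truncated SHA-1.

    Inputs are a constructed, deterministic counter so the result is
    reproducible. Returns (input_a, input_b, attempts_used).
    """
    seen: dict[int, bytes] = {}
    i = 0
    while True:
        msg = seed + b":" + str(i).encode()
        h = truncated_sha1(msg, bits)
        if h in seen and seen[h] != msg:
            return seen[h], msg, i + 1
        seen[h] = msg
        i += 1


def full_sha1_match(a: bytes, b: bytes) -> bool:
    """True only if the complete 160-bit digests are identical."""
    return hashlib.sha1(a).digest() == hashlib.sha1(b).digest()


if __name__ == "__main__":
    for bits in (16, 24, 32):
        a, b, attempts = find_collision(bits)
        print(f"{bits}-bit prefix collision after {attempts} attempts "
              f"(expected ~{expected_attempts(bits):.0f}): {a!r} vs {b!r}, "
              f"full SHA-1 equal: {full_sha1_match(a, b)}")
    print(f"a full 160-bit collision by this method: ~{expected_attempts(160):.3g} attempts")
```

Running the script shows the attempt count roughly doubling for every four extra bits of digest, which is why shrinking the work from 2^80 down to something a large computer could finish in about a year, as the SHAttered team did, required a weakness in SHA-1 itself rather than more brute force.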



Consequences

This discovered vulnerability sounds much worse than it actually is. In fact, SHA-1 had already been considered deprecated for multiple years, and web developers were already moving to the newer alternative, SHA-256, the same one the research team at Google suggests. The long time it takes for the SHAttered method to break the algorithm makes it currently not viable for regular attackers to use on a large scale, and there already exists a reliable option to test whether the SHAttered method was used to create a collision, making it easy for software developers to check for it and patch their software accordingly. This does not mean web developers shouldn't take this threat seriously: new developments could mean more and faster ways to break the SHA-1 algorithm, and those new methods could be much harder to detect. In the end, for the regular user these recent developments will be barely noticeable, but for developers it means that updating their systems to more secure standards becomes a pressing matter, maybe not in the coming weeks, but certainly in the coming months or years.
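As an added example (not code from the original post), the following Python sketch shows the register-and-verify flow described in the "What is Hashing" section together with the migration this section calls for. It goes beyond the post's plain "hash the password" description in two ways a developer would want: each password gets its own random salt and is hashed with PBKDF2-HMAC-SHA256 (a slow, SHA-256 based construction from Python's standard `hashlib`) rather than a single fast hash, and a user whose record still holds an old unsalted SHA-1 hash is upgraded transparently on the next successful login. The in-memory `USERS` dictionary, the `store_legacy_sha1` helper and the iteration count are constructed for the demo; the comparison uses `hmac.compare_digest` so that a wrong password takes the same time to reject as a nearly right one.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed in-memory "database": username -> record dict.
USERS: dict = {}

# Work factor for the demo; production deployments use a higher count.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Build a storage record: algorithm tag, random salt, derived key."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"alg": "pbkdf2-sha256", "salt": salt, "iterations": ITERATIONS, "hash": digest}


def register(username: str, password: str) -> None:
    """The site never keeps the password itself, only the record."""
    USERS[username] = hash_password(password)


def store_legacy_sha1(username: str, password: str) -> None:
    """Simulate a record left behind by an old system: unsalted SHA-1."""
    USERS[username] = {"alg": "sha1", "hash": hashlib.sha1(password.encode()).digest()}


def verify(username: str, password: str) -> bool:
    """Hash the login attempt and compare it with the stored record."""
    record = USERS.get(username)
    if record is None:
        return False
    if record["alg"] == "sha1":
        # Legacy path: check the old hash, then rewrite the record with the
        # stronger scheme while the plaintext is briefly available.
        ok = hmac.compare_digest(hashlib.sha1(password.encode()).digest(), record["hash"])
        if ok:
            USERS[username] = hash_password(password)
        return ok
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def user_algorithm(username: str) -> Optional[str]:
    """Report which scheme protects a user's record (None if unknown user)."""
    record = USERS.get(username)
    return record["alg"] if record else None


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print("alice ok:", verify("alice", "correct horse battery staple"))
    print("alice wrong:", verify("alice", "Tr0ub4dor&3"))
    store_legacy_sha1("bob", "hunter2")
    print("bob before login:", user_algorithm("bob"))
    print("bob login:", verify("bob", "hunter2"))
    print("bob after login:", user_algorithm("bob"))
```

Tagging every record with its algorithm is what makes the migration possible: a nightly job can count how many `sha1` records remain, and the site can later refuse logins on records that were never upgraded instead of keeping the weak path alive indefinitely.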
