
Php: Hash Algorithms


Php: Hash Algorithms 2006-11-13 00:11:42


PHP: MAIN

HASHING ALGORITHMS

god, wouldn't you just love to be able to throw around functions that would create unique hashed strings from any given hash key? well, this just so happens to be your lucky day. welcome to the exciting world of hashing algorithms. in this tutorial, you will find out the distinction of a number of hashing algorithms, and what sets them apart from one another.

QUESTION: How do I start encrypting strings?

mistake number one. hashing is NOT an encryption algorithm. the word "encryption", by its very nature, suggests that there is a method of decryption available. this is not the case with hashing algorithms. hashing algorithms are designed to be one-way, surjective functions that create a string based on a given key. so let's fix that...

QUESTION: How do I start hashing strings?

php offers many popular algorithms to hash strings by. the message-digest algorithms (4 and 5) are available (md4 and md5, respectively). md5 is the most popular hashing algorithm that php provides. others include the secure hashing algorithm (available as sha1), which is meant for hashing algorithms over an insecure connection, and others, depending on the php version. some versions of php support a dedicated hash engine (the hash engine comes standard as of PHP 5.1.2, or if installed as a module).

QUESTION: Didn't you forget CRC32?

NO! mistake number two. i'll take this time to point out that crc32 is NOT a hashing algorithm. it is a checksum, used to check for file integrity. crc (cyclical redundancy check) algorithms should NOT be used to protect data, because hash collisions are easier to find than with methods like md5 or sha1. (note that the md4 and sha1 algorithms have both been compromised, and are now considered less than secure. for most cases you will use it for, it is fine, but consider more advanced algorithms like sha2).

QUESTION: Why would I want to hash a string?

interesting question. hashing data provides a means of creating a data "fingerprint". the theory is that, other than rare cases, given hash algorithm f(x), and hash keys A and B, that f(A)!=f(B). this allows data to be stored as a hash (obfuscated), and that the only matching hash value would be the same key rehashed. this allows for security with stored information. for instance, if you are storing a database of usernames and passwords, if anyone gained access to your databases, the hash values would do very little good.

QUESTION: So that means that hash algorithms are invincible?

no. not at all. there are two common ways to crack a hash. the first is time consuming, and is known as brute-force. by trying every possible hash key through the hash algorithm, eventually a collision will be found. the other method is known as rainbow tables. this is a table of known hash key/value combinations. by searching the table for the given value, the key will be found as well. this requires a stored list of keys/values, but is relatively fast.

QUESTION: Are there ways to increase security?

several. firstly, multiple recursions of a hash help vastly. consider the difficulty in reversing 100 recursions of md5. since md5 returns a 32-digit hexadecimal string, each reversal would either take a list of every possible combination of 32 hexadecimal digits (~ 3.403 x 10^38 combinations), or a brute-force attack on each possibility (at 1000 checks per second, it would take about 10^28 years).

secondly, you can salt your hash. this includes adding seemingly random characters to the hash key to change the hash value. this prevents the use of rainbow tables, in many cases, and it increases the complexity of the hash. the salt can be of any length, but is usually either a static string, a piece of the given key, or, depending on the usage, a time-dependent string.

-------------------------------------------------------

any questions?


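The salting and repeated-hashing ideas from the post above, as an added example that is not part of the original post or written by its author. It goes beyond the text by using a random per-record salt and PBKDF2 (`hash_pbkdf2()`) for the repeated rounds; the function names and sample passwords are constructed, and PHP 7 or later is assumed for `random_bytes()`.

```php
<?php
// Added example, not from the original post. Function names and the sample
// passwords are constructed for illustration. Requires PHP 7+ (random_bytes).

// Unsalted digest: the same password always yields the same value, so a single
// precomputed table entry matches every account that uses it.
function unsalted_digest(string $password): string
{
    return hash('sha256', $password);
}

// Salted, iterated digest: a fresh random salt per record plus many rounds.
// PBKDF2 stands in here for the "multiple recursions" idea in the post.
function make_record(string $password, int $iterations = 100000): array
{
    $salt = bin2hex(random_bytes(16));
    return [
        'salt'       => $salt,
        'iterations' => $iterations,
        'digest'     => hash_pbkdf2('sha256', $password, $salt, $iterations),
    ];
}

// Recompute with the stored salt and iteration count, then compare in
// constant time so the comparison itself leaks nothing about the digest.
function verify_record(string $password, array $record): bool
{
    $candidate = hash_pbkdf2('sha256', $password, $record['salt'], $record['iterations']);
    return hash_equals($record['digest'], $candidate);
}

// Constructed sample data: two users who picked the same password.
$alice = make_record('correct horse');
$bob   = make_record('correct horse');

// Without a salt, both users share one digest.
var_dump(unsalted_digest('correct horse') === unsalted_digest('correct horse'));
// With per-record salts, the stored digests are compared across users.
var_dump($alice['digest'] === $bob['digest']);
// Verification against the stored record, right and wrong password.
var_dump(verify_record('correct horse', $alice));
var_dump(verify_record('wrong guess', $alice));
```

On PHP 5.5 and later, the built-in `password_hash()` and `password_verify()` handle salt generation, work factor and comparison in one call.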

Response to Php: Hash Algorithms 2006-11-13 01:13:56


Nice tutorial for encryption newbies, although it would have been better if you explained how the hash(), md5(), sha1() etc. functions work, and given examples.

Response to Php: Hash Algorithms 2006-11-13 12:04:30


At 11/13/06 01:13 AM, Jordan wrote: Nice tutorial for encryption newbies, although it would have been better if you explained how the hash(), md5(), sha1() etc. functions work, and given examples.

no, you have it backwards...

saying md5('bob') returns X (where X is the hash value) would have made it a decent tutorial for newbies. explaining the difference between the algorithms and how they can be enhanced or compromised makes it a better tutorial for the more intermediate users.



Response to Php: Hash Algorithms 2006-11-13 14:35:38


Very nice

Response to Php: Hash Algorithms 2006-11-13 18:32:49


This is a really good tutorial. I opened it thinking it would be showing how to hash, and I was pleased to read this.