Password Hashes

[MrLinus]

It's not an encrypted result. An encrypted result would be a cipher text (the plaintext encrypted). It's a form of integrity check, if you will. Basically, verifies that the information hasn't changed and if it has, then the input is suspect. It's just a mathematical result of some data being put through an algorithm.

[AxessTerminated]

if its the mathematic result of terms going through an algorithm...then is it not the encryption result?

whether is LM, MD5, or SHA1...they all come out as (theoretically) one way encryption, correct?

the hashes are the result of the encryption algorithm..and in order to check the password, or the integrity of the file...information is encrypted and compared to the hash...if they differ, then the file's changed, or the password's wrong.

if im wrong with what i said above, please explain how, because this is how it works AFAIK

A_T

[sec_ware]

Hi

encryption and hashing

This is now a discussion about definitions.
So let me give you some definitions (based on my taste):

(two-way) encryption: 3DES,CAST5,AESxxx (="two-way" cipher)

first way - encryption: generates from plaintext a ciphertext
second way - decryption: generates from ciphertext a plaintext

Note: there is only one ciphertext for a given plaintext, and for
a given ciphertext, there is only one plaintext. ("well-defined cipher").


(one-way) hash (misleadingly often called one-way encryption): MD5, SHA1, SecWare1

the only way - "hashing": generates a "ciphertext"=hash from a "plaintext"

Note: there can be several "plaintexts" for one "ciphertext"=hash ("collisions"),
but there is only one "ciphertext"=hash for a given "plaintext".

Another note: CISSP's learn ( ) that hashing does not encrypt the message.
It creates a "fingerprint" to enable the testing of integrity. (Hm, I have just
realised that I am paraphrasing MsMittens. Sorry about that).


a very simple example of "hashing": SecWare1

"plaintext": myverylongtesttext

SecWare1 hashing - scheme:
- translate every letter into its ascii value
- add all these values. result: 1453
- take the sum of the digits, until a number between 0 and 9 is reached:

1+4+5+3 = 13 -> 1+3 = 4

the SecWare1 hash of "myverylongtesttext" = 4

collision:
the SecWare1 hash of "L " = in ascii 76. Sum: -> 7+6 = 13 -> 1+3 = 4

ergo: "myverylongtesttext" and "L" give the same hash-value. If a password-
verification is based on this hash, you could login with either
"myverylongtesttext" or "L".

Conclusion: This hash is very bad, but actually is used in a slightly modified
version (ISBN numbers of books. Some of you might have noted that I have
cheated here. ISBN is not actually a "one-way" hash, I think, because an attacker
can modify the message as well as the hash. But here I should stop, as it
goes too far).



Cheers

[Dia_Byte]

if the hashes are the results of the encryption algorithms, then how can we get the hashes of a password ???

[AxessTerminated]

to get the hash of a password, you pass it through the hashing algorithm. the result is the hash (usually unencryptable). when someone logs on to the system, whatever they type in is passed through the algorithm, and that result is compared with the original one.

A_T

[ikalo]

When I think about hash I often see it like kind of CRC, or ParityCheck with much larger numbers and math operations. Ofcourse it is very very very simplified view.