Password Hashes

Printable View

February 24th, 2005, 04:20 PM
Dia_Byte

Password Hashes

Hi guyz

i have a question,
what are password hashes ?

i always here about those as well as hash tables, i asked about it in www.programmingforums.org but i did'nt really understand !
February 24th, 2005, 04:27 PM
MrLinus

A password hash is the result of the password being passed through an algorithm. It's not the encrypted password but rather a result of it.

e.g.,

In a simplistic view, if my password is 6 and the algorithm is "adding two numbers" with a key of 7 then the hash is 13. And as long as I put in 6 the resultant should always be 13. It is the hash that gets compared (say in the /etc/shadow file).

Now, to avoid getting the same hash if people use the same password we add what is often referred to as a "salt", a piece of unique data. Say, the day, month and year an account was created. So, if we took today's date (24022005) and used it in the algorithm then the hash would be:

Quote:

(6 + 24022005) + 7 = 24022018

If another user is using 6 as their password but their account was created on 24022004 their hash would be: 24022017.

Keep in mind this is a very simplistic view. The salt needs to be more unique than this as many accounts could be created on the same day so you could go as far as to have user name, time, random key generations, etc.

Hope that helps.
February 24th, 2005, 04:27 PM
Black Cluster

Quote:

Hashes are a cryptographic method of providing a one-way encoding of information which yields a hash value of the original value. This hash value can only be recreated using the exact same information again, and it is impossible to retrieve the original information from the hash. The strength of the hash algorithm lies in these facts.

This makes hashes perfect for encoding passwords for storage, as to check a password, the hashes are calculated and compared, rather than the plain password.
February 24th, 2005, 04:36 PM
Dia_Byte

i'm starting to get the issue, thanx guys

but what do you mean MsMittens : adding "adding two numbers" with a key of 7 ???
February 24th, 2005, 04:40 PM
MrLinus

Quote:

but what do you mean MsMittens : adding "adding two numbers" with a key of 7 ???

It's just a simplistic example. The algorithms used are usually a lot more complicated. For the purposes of a simple example I said the algorithm was to add to numbers together (one is the key and one is the data/password).
February 24th, 2005, 04:44 PM
guardian alpha

For a easy-to-understand version of password hashes and how they are used, look into:

http://www.nmrc.org/pub/faq/hackfaq/hackfaq-04.html
February 24th, 2005, 04:45 PM
Dia_Byte

oh ok thanx, things cleared !
February 24th, 2005, 05:10 PM
AxessTerminated

Hashing Unleashed

Think of it this way:
You encrypt the password "enter". The encrypted result is "a5jjdkei9kd(". Note, that was completely random. Now, that encypted result is the hash....it cannot be unencrypted, or so the theory goes.
When you try to log on to a system, it encrypts what you give as a password, and compares that hash to the hash stored on the system. If they're the same, you're all set.
Now, what's hard about hashing algorithms is something called collisions. Collisions happen when two different passwords create the same algorithm, this is a major vulnerability.

Hope this helped.

A_T
February 24th, 2005, 05:43 PM
zencoder

I'm a pundit because I say I am!

OK, lemme weigh in on this.

Dia_Byte, in a simplistic view you can equate the word 'alrogithm' with 'equation', or even more simplistically, 'process'.

MsMittens was saying the algorithm is "take their password and add the value 7". Or algabraiclly:
X + 7 = HASH

There's much more to hashing and one-way hashes, but it sounds like you're on track.
February 27th, 2005, 05:33 PM
Dia_Byte

OK then the hash is the encrypted result ?

like : "enter" -> a5jjdkei9kd(
February 27th, 2005, 06:11 PM
MrLinus

It's not an encrypted result. An encrypted result would be a cipher text (the plaintext encrypted). It's a form of integrity check, if you will. Basically, verifies that the information hasn't changed and if it has, then the input is suspect. It's just a mathematical result of some data being put through an algorithm.
February 28th, 2005, 04:45 AM
AxessTerminated

if its the mathematic result of terms going through an algorithm...then is it not the encryption result?

whether is LM, MD5, or SHA1...they all come out as (theoretically) one way encryption, correct?

the hashes are the result of the encryption algorithm..and in order to check the password, or the integrity of the file...information is encrypted and compared to the hash...if they differ, then the file's changed, or the password's wrong.

if im wrong with what i said above, please explain how, because this is how it works AFAIK

A_T
February 28th, 2005, 05:08 AM
sec_ware

Hi

encryption and hashing

This is now a discussion about definitions.
So let me give you some definitions (based on my taste):

(two-way) encryption: 3DES,CAST5,AESxxx (="two-way" cipher)

first way - encryption: generates from plaintext a ciphertext
second way - decryption: generates from ciphertext a plaintext

Note: there is only one ciphertext for a given plaintext, and for
a given ciphertext, there is only one plaintext. ("well-defined cipher").

(one-way) hash (misleadingly often called one-way encryption): MD5, SHA1, SecWare1 :D

the only way - "hashing": generates a "ciphertext"=hash from a "plaintext"

Note: there can be several "plaintexts" for one "ciphertext"=hash ("collisions"),
but there is only one "ciphertext"=hash for a given "plaintext".

Another note: CISSP's learn ( :) ) that hashing does not encrypt the message.
It creates a "fingerprint" to enable the testing of integrity. (Hm, I have just
realised that I am paraphrasing MsMittens. Sorry about that).

a very simple example of "hashing": SecWare1

"plaintext": myverylongtesttext

SecWare1 hashing - scheme:
- translate every letter into its ascii value
- add all these values. result: 1453
- take the sum of the digits, until a number between 0 and 9 is reached:

1+4+5+3 = 13 -> 1+3 = 4

the SecWare1 hash of "myverylongtesttext" = 4

collision:
the SecWare1 hash of "L " = in ascii 76. Sum: -> 7+6 = 13 -> 1+3 = 4

ergo: "myverylongtesttext" and "L" give the same hash-value. If a password-
verification is based on this hash, you could login with either
"myverylongtesttext" or "L".

Conclusion: This hash is very bad, but actually is used in a slightly modified
version (ISBN numbers of books. Some of you might have noted that I have
cheated here. ISBN is not actually a "one-way" hash, I think, because an attacker
can modify the message as well as the hash. But here I should stop, as it
goes too far).

:D

Cheers
February 28th, 2005, 03:11 PM
Dia_Byte

if the hashes are the results of the encryption algorithms, then how can we get the hashes of a password ???
February 28th, 2005, 05:10 PM
AxessTerminated

to get the hash of a password, you pass it through the hashing algorithm. the result is the hash (usually unencryptable). when someone logs on to the system, whatever they type in is passed through the algorithm, and that result is compared with the original one.

A_T
March 1st, 2005, 04:35 PM
ikalo

When I think about hash I often see it like kind of CRC, or ParityCheck with much larger numbers and math operations. Ofcourse it is very very very simplified view.