Roger Needham and Mike Guy, two of the Titan developers, were discussing the problem one evening at a local pub. They discussed ways of protecting the passwords with secret codes of various kinds. They finally hit upon the idea of using a “one-way cipher” function. The cipher would take a password and transform it (“hash” it) into unreadable gibberish.

Today, we call such a function a one-way hash. This function had two essential properties:

1. Whenever it hashed a particular password, it yielded the same gibberish every time.

2. There was no practical way to analyze the gibberish and derive the password that produced it.

The technique worked as shown in FIGURE 6.6. In preparation, Needham and Guy applied the hash function to the readable, plain text passwords in the password file, replacing each one with its hashed version.

Whenever a user logged in, the system collected the password and applied the hash function. Then the password checking procedure compared the hashed password against the user’s hashed password stored in the password file.

Password hashing made the fifth attack vector, retrieve from offline, impractical, at least at first. In older versions of Unix, the password file itself was protected from writing, but allowed read access to all users. Unix relied on hashing to keep the passwords secret. Starting in the 1990s, however, improvements in password cracking strategies (see Section 6.4) placed hashed passwords at risk of disclosure.

Note that Figure 6.6 is different from earlier diagrams in this text. It is a procedure diagram. So far, the other diagrams illustrated processes, and we can call those process diagrams. Both diagrams may refer to data in RAM or in files.

In a process diagram, we show processes with ovals. The processes may all be running more or less simultaneously. Arrows show information flow between the processes.

In a procedure diagram, we show individual procedures with round-cornered rectangles. Each procedure represents a step in the larger procedure being illustrated. The procedures execute in a strict order, following the flow of data as shown by arrows.

Moreover, when we show a particular type of procedure, like a hash function, there are a specific number of inputs and outputs. Every typical implementation of a hash function has one input and one output.

Password hashing on modern systems protects from the following attack vectors:

• ■   Social engineering. In these attacks, someone tries to talk a system administrator into divulging a user’s password, often by posing as the user in question. Such attacks are impossible with hashed passwords. No one, including the administrator, can retrieve the password using only the hash.

• ■   Stolen authentication database. These are the same as classic attacks. Today, however the stakes are higher, because many users try to use the same password for many different purposes. Knowing the password for one system may help an attacker guess the right password for another system.

Modern computing systems still use passwords, but the environment is radically different from the earliest timesharing systems. Password files often reside on single-user systems as well as on personally managed websites and on larger-scale systems. Some systems hash their stored passwords, while others do not. Modern Unix-based and Windows-based systems hash their passwords. Some, but not all, web-based systems hash their passwords.

Ron Rivest, a professor at MIT and prolific cryptographer, produced a series of one-way hash functions in the early 1990s. He called these “message digest” functions because they took a message and computed a “digest” reflecting its contents. Rivest’s Message Digest 5, or MD5, was widely used to protect e-commerce messages between early desktop web browsers and secure web servers. MD5 distills the contents of such messages down to a 16-byte hash value.

Hash functions have evolved since the 1990s. Newer functions benefit from advances in cryptographic analysis and design. Older functions became obsolete as researchers found successful attacks against them. TABLE 6.3 illustrates the evolution of modern hash functions. The “common names” identify different hashing strategies. Each new strategy sought to address weaknesses of earlier designs.

TABLE 6.3 Cryptographic One-Way Hash Functions

Hash functions play such a fundamental cybersecurity role that the U.S. government has published a series of standards for them. These are called the Secure Hash Algorithms (SHA-x), where x represents the digest size in bits. The algorithms are published in the Federal Information Processing Standards 180 series, abbreviated FIPS-180. As shown in Table 6.3, we also use the SHA acronym to identify different hashing strategies. The SHA-2, SHA-1, and SHA (sometimes called SHA-0) strategies were developed by the NSA. SHA-3 was developed through an open competition managed by NIST.

The hash algorithms approved in the latest standard, FIPS 180-4, appear below. The official names reflect the digest size. If two numbers appear, as in 512/224, the second number is the digest size.

• ■   SHA-1 (still in the standard, but unsafe)

• ■   SHA-224 (uses SHA-2)

• ■   SHA-256 (uses SHA-2)

• ■   SHA-384 (uses SHA-3)

• ■   SHA-512 (uses SHA-3)

• ■   SHA-512/224 (uses SHA-3)

• ■   SHA-512/256 (uses SHA-3)

As of this date, SHA-1 still appears in the FIPS 180-4 standard. Since 2011, NIST has published recommendations that SHA-1 not be used in the future. It remains in use to support equipment that contains embedded data hashed using SHA-1. For example, older public-key certificates may legitimately contain SHA-1 hashes. Unfortunately, some vendors continued to use it in newer certificates and in other applications. Software vendors have tried to encourage transition to SHA-2 or SHA-3 hashes by indicating SHA-1 hashes as unsafe.

A hash function by itself protects passwords in an authentication database. We also can use the function as an especially sensitive error detection code. While checksums and CRCs work well for disk sectors or similarly sized blocks of data, a one-way hash can detect minor changes in enormous blocks of data, like programs downloaded from the internet. (See Section 5.4.1.)

When a software publisher posts a program to be downloaded, there are risks that the user won’t download the program correctly. In some cases, the program is damaged while being downloaded, and in other cases, a hacker might substitute a subverted version of the program for the legitimate one. To detect such failures, some publishers display the file’s correct hash value along with the link to download the file. A careful user can use the hash procedure to calculate the file’s hash and compare it with the publisher’s hash value. If they match, the user downloaded the file correctly.

However, the one-way hash isn’t always easy to use by itself. It’s not easy to compare hash values just by looking at them, and it’s easier to have the computer do the checking. To make this work, we use the hash as a cryptographic building block and combine it with other functions to achieve better protection. Although there are many cryptographic functions, we will see the building blocks used in effective security systems.

To work reliably as a building block, a modern hash function must meet stronger requirements and resist more sophisticated attacks. Today, we expect a one-way hash function to perform as follows:

• ■   If we change a document in any way, whether changing a single bit, a few bytes, or a large amount, the hash value will change in a large and unpredictable way.

• ■   If we make a document longer or shorter, the hash value will change in a large and unpredictable way.

• ■   If we have a hash value, we cannot construct a password or document that yields the same hash value.

• ■   If we have a document and its hash value, we cannot build a different document that yields the same hash value.

• ■   We cannot construct two different documents from scratch that both yield the same hash value.

A practical hash yields a unique hash value for every input. In reality this is theoretically impossible: If the hash values are only 20 bytes long and the files are 20,000 bytes long or longer, the hash values must collide once in a while. What makes hash functions work in practice is that there are far, far more hash values than there are documents. A 20-byte hash value represents a 160-bit binary number, and that number can cover a huge range of values:

It is possible through the workings of random chance that two different documents or passwords could yield the same hash value, but it’s very, very unlikely in practice. Software vendors made a special effort to abandon SHA-1 in 2017 after researchers at Google produced two different PDF documents that yielded the same SHA-1 hash value.