Cyber Smarts Series: Integrity and Hashing

October 27, 2021

Previously in the Cyber Smarts Series, we detailed the first foundational principle of the information security triad, which is confidentiality and encryption. This month we focus on the second principle, integrity.

Merriam-Webster defines integrity as the condition of being unified, unimpaired, or sound in construction. A simplified information security definition (from the condition of being unimpaired) is the guarantee and evidence that information and information assets are exactly the same when transmitted, received, duplicated, or analyzed. The guarantee and evidence are commonly achieved using hashing, or a hash algorithm.

Hashing

While confidentiality (encryption) and integrity (hashing) may be used simultaneously, they serve different purposes and are not interdependent. You may recall that encryption is a method of encoding that uses a cipher, that anything encrypted can be decrypted, and that the encoding ensures confidentiality. Hashing works a bit differently. A hash algorithm returns a fixed-length value (a digest) that is unique to its input and cannot be reversed to recover that input. In simple terms, encryption is two-way (encode-decode) and hashing is one-way (encode only). The formulas are complex and may use the Fibonacci series and prime numbers. The following analogy is helpful for understanding the formulas.

Suppose that you are asked to determine whether a copy of a 300-page document is exactly the same as the original. You could conduct an exhaustive comparison of every page, which would be difficult, time-consuming, and prone to error. Or you could instead count the number of upper-case letter ‘A’s on each page. You would assign a three-digit value to each page using leading zeros, 001 to 300, followed by a three-digit value for the number of upper-case ‘A’s on that page: 000 for no upper-case ‘A’s, 010 for 10, and so on. That gives a six-digit sequence for each page. If the per-page sequences were then concatenated in page order, the resulting sequence would have 1,800 digits and might begin something like 001001002005003002.

If the 1,800-digit sequences of both documents (original and copy) were exactly equal, you could conclude with some certainty that the two documents were also identical. If the words on the pages were different or the pages were out of order, you could conclude that the documents were not exactly the same. That is how a hashing algorithm works, with one important difference: a real hash algorithm is designed so that each hash it produces is unique to its input. The analogy does not have that property; there are scenarios where the counting method would produce the same 1,800-digit sequence from documents that were slightly different. For example, swapping two pages that have the same number of upper-case ‘A’s would yield an identical result.

Note that the hash does not provide any information about the content of the document itself. A hash does not disclose the subject, content, author, or any other specifics. Equally important, a hash does not alter the original artifact. What a hash does tell you is whether two information artifacts are exactly identical.

Hashing Guarantees Integrity with Passwords

Hash algorithms are also used for securing passwords. Secure applications and operating systems will hash a user’s password on their local computer, encrypt the hash, transmit the encrypted hash to the server, decrypt the hash, and compare the hash to the hash that is stored within the server directory. Authentication is successful if the two hashes match. While this method is more secure than sending an encrypted password, it can be defeated with some sophisticated attacks. If two users have the same password, the hashes will be identical.

This weakness was addressed in the 1970s using a technique known as “salting.” With a salted hash, unique, randomized characters known only to the client and server computers are concatenated, or linked, to the end of a password before it is hashed. The number of characters (the amount of salt) increases the strength and security of stored passwords and is configured by server and application administrators.
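The following Python example is added here and is not part of the original article. It implements the page-counting analogy from the integrity section literally (three-digit page number plus three-digit count of upper-case ‘A’ per page), shows the collision the article describes when two pages with equal counts are swapped, and contrasts it with SHA-256, which detects the reorder; it then shows salting as described above, with a constructed password and random per-user salt appended before hashing. The three-page “documents” and the password are constructed sample inputs.

```python
import hashlib
import hmac
import secrets


def page_count_signature(pages):
    """The article's analogy: for each page, a 3-digit page number followed
    by a 3-digit count of upper-case 'A', concatenated in page order."""
    return "".join(f"{n:03d}{text.count('A'):03d}" for n, text in enumerate(pages, 1))


def sha256_hex(data: bytes) -> str:
    """A real one-way hash: always 64 hex digits, whatever the input size."""
    return hashlib.sha256(data).hexdigest()


# Constructed three-page "documents". Pages 1 and 3 each contain exactly one
# upper-case 'A', so swapping them leaves every per-page count unchanged.
ORIGINAL = ["A tale", "AAAAA!", "A map"]
SWAPPED = [ORIGINAL[2], ORIGINAL[1], ORIGINAL[0]]


def analogy_collides() -> bool:
    """True: the counting method cannot tell the reordered copy from the original."""
    return page_count_signature(ORIGINAL) == page_count_signature(SWAPPED)


def real_hash_detects_reorder() -> bool:
    """True: SHA-256 over the concatenated pages changes when pages are swapped."""
    return sha256_hex("".join(ORIGINAL).encode()) != sha256_hex("".join(SWAPPED).encode())


def salted_hash(password: str, salt: bytes) -> str:
    """Salt appended to the password before hashing, as the article describes.
    (Production password storage uses a slow KDF such as scrypt or Argon2.)"""
    return sha256_hex(password.encode() + salt)


def store(password: str):
    salt = secrets.token_bytes(16)  # random per-user salt, kept with the record
    return salt, salted_hash(password, salt)


def verify(password: str, salt: bytes, stored: str) -> bool:
    return hmac.compare_digest(salted_hash(password, salt), stored)


def same_password_different_hashes(password: str = "correct horse") -> bool:
    """Two users with the same password get different stored hashes, yet both verify."""
    s1, h1 = store(password)
    s2, h2 = store(password)
    return h1 != h2 and verify(password, s1, h1) and verify(password, s2, h2) and not verify("wrong", s1, h1)
```

Running `page_count_signature(ORIGINAL)` yields 001001002005003001 for both the original and the swapped copy, while the SHA-256 digests of the two differ.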
