08 March 2024
Cryptographic Hash Functions
Cryptographic hash functions have many uses in computing
Lucian Suta
#cryptography #security

Definition

Hash functions map an input of any size to a fixed-size value called a hash or digest that acts as a fingerprint for the input value.

  • Input can be of any size
  • Output has a small fixed size
  • They are one-way functions: given an output, it is hard to find an input that produces it.
  • Given the same input, they always produce the same output (deterministic).

Use Cases

Cryptographic hash functions are hash functions that satisfy stricter requirements, which enable them to withstand attacks. They are useful for:

  • Handling sensitive data
    Hash functions can be used to store password fingerprints that can be used for authenticating users without having to store the actual passwords.
    Note that for storing passwords we use modified algorithms that make the computation slower and use salt values to protect against certain types of attacks (such as dictionary attacks).
  • Integrity checking
    You can compute the hash of some data at different points in time to make sure it does not change.
  • Detecting duplicated data
    A photo management application might use hashes to detect whether two photos (with possibly different names) are the same. Comparing hashes is much less resource-intensive than comparing the actual photos.
  • Anonymization of data
    If you need to log sensitive data from an application, you might want to take the extra step of hashing the data first. You will be able to find where the same hash value appears in the logs and, if you have access to the original data, you can compute its hash and look for it. But someone taking a look at the logs will not be able to extract sensitive information from them.
    If you need to remove data associated with a user for GDPR reasons, you can use hashes to "remove" some data that cannot be removed from the database without affecting the integrity of the database.

Example

You might want to use hashes to make sure a piece of software you are downloading has not been tampered with.

Let's look at the AWS EKS kubectl CLI which can be downloaded from here.

First we download the software

curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.29.0/2024-01-04/bin/darwin/amd64/kubectl

Then, we download the hash made available by the publisher of the software

curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.29.0/2024-01-04/bin/darwin/amd64/kubectl.sha256

The downloaded hash should look like this

08198f2e1c425a7aa4f6c8a9f19772afeaf87d6f84c8f3e8ae7dfbb28291b341

Then, we compute the hash of the software locally using the same algorithm that the publisher used, SHA-256 in this case. You can use a tool such as OpenSSL, as in the following example.

openssl dgst -sha256 kubectl

If the downloaded hash and the locally computed hash match, then we can safely assume that the software has not been tampered with.
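
The manual comparison above can be scripted so that a mismatch, or a checksum file that is not a hash at all, stops the install. This is an added example, not part of the original article or of any AWS tooling; the function names sha256_of and verify_sha256 are made up for illustration, and the demo runs on constructed files standing in for kubectl and kubectl.sha256.

```shell
# Print the lowercase hex SHA-256 of a file, using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 -r "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE CHECKSUM_FILE
# Returns 0 on match, 1 on mismatch, 2 if an input is missing or malformed.
verify_sha256() {
    file=$1
    sumfile=$2
    [ -f "$file" ] && [ -f "$sumfile" ] || return 2
    # Accept "<hex>" or "<hex>  <filename>"; keep the first field, lowercased.
    expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile")
    # Refuse anything that is not 64 hex characters (e.g. a saved HTML error page).
    case $expected in
        *[!0-9a-f]*|'') return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2
    actual=$(sha256_of "$file")
    [ -n "$actual" ] || return 2
    [ "$actual" = "$expected" ]
}

# Demo on constructed data (stand-ins for kubectl and kubectl.sha256).
demo=$(mktemp -d)
printf 'constructed release binary\n' > "$demo/kubectl"
sha256_of "$demo/kubectl" > "$demo/kubectl.sha256"
verify_sha256 "$demo/kubectl" "$demo/kubectl.sha256" && echo "match"
printf 'extra bytes\n' >> "$demo/kubectl"   # simulate a change after publishing
verify_sha256 "$demo/kubectl" "$demo/kubectl.sha256" || echo "MISMATCH: do not run this file"
rm -rf "$demo"
```

Against the real download the call would be verify_sha256 kubectl kubectl.sha256, run before the binary is made executable. The check is only as trustworthy as the channel the checksum came from, so fetch it over HTTPS from the publisher as the article does.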

Example

When including resources such as CSS and script files in an HTML page, you have the option of specifying an integrity value: a hash of the file to be included.

<link
    href="https://cdn.jsdelivr.net/npm/[email protected]/dist/css/bootstrap.min.css"
    rel="stylesheet"
    integrity="sha384-QWTKZyjpPEjISv5WaRU9OFeRpok6YctnYmDr5pNlyT2bRjXh0JMhjY6hW+ALEwIH"
    crossorigin="anonymous"
>
<script
    src="https://cdn.jsdelivr.net/npm/[email protected]/dist/js/bootstrap.bundle.min.js"
    integrity="sha384-YvpcrYf0tY3lHB60NNkmXc5s9fDVZLESaAA55NDzOxhy9GkcIdslK1eN7N6jIeHz"
    crossorigin="anonymous"
></script>

When the browser downloads the file, it automatically computes a hash value using the same algorithm and compares the two values. If they do not match, it means that someone has tampered with the file, and the browser refuses to load it.

https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

Example

Advanced Intrusion Detection Environment (AIDE) is an open-source intrusion detection tool that maintains a database of hashes of files and directories to figure out if any of them have been tampered with.

https://www.redhat.com/sysadmin/linux-security-aide

Copyright © 2024 Defsense