There are many basic cryptography concepts are there like Hashing, Encryption (Symmetric & Asymmetric) and Certificates. In this post, will see about Hashing.
Hashing
Generally hashing means, converting the plain text into irrelevant String which wont be in readable mode.
One of its feature is, whatever the plain text’s length, but the Hash Value for that will be in Fixed length. And the term converting the arbitrary length (plaintext) into the fixed length is known as Digest and the Hash Value is denoted as Digest value. On change of single character in plain text, then whole hash value will get changed.
Main difference between the Hashing and the Encryption is, If a plain text is encrypted, it can be decrypted but in Hashing once a plain text is digested, we cant convert the digested value into plaintext. Only on comparison, we can verify the digested value, so that Hashing is known as One way Encryption.
For Example, assume a User’s password is stored in the DB in Hashed format. So, on next time, if the same user tries to login, then system needs to Hash the entered password and need to compare it with the DB value respectively, based on that it can be authenticated.
Note, some disadvantages are there in this Hashing like, assume if two users are having the same password, then its Hash value will be same which will be a cake for Hackers. There are multiple ways where hackers can get it, some are Rainbow table – where billons of Hash code combination available, by using this, hackers can easily identify the plain text, Bruteforce attack – where trying every possible characters combinations and many more.
To overcome this, we can use the salt, pepper, etc concepts.
Salt :
Assume, a password is “dhoni”, before hashing and storing it in database, add some random letters “th@1A” with that password like “dhonith@1A” and hash it and store it in DB. Along with this, store the random letters (th@1A) also in DB in separate column.
So whenever user tries to login, they will enter “dhoni” only, then before checking we need to append its random letters and hash it and compare it, this Random letters are known as Salt. Like this for each user we need to store their Salt in DB. Storing the Salt in DB is some what a loop hole but its a additional security layer which will take more time to hackers to crack.
Pepper :
Instead of appending multiple letters like salt, if we add single alphabet like “dhoniM”, then we don’t need to store that in any separate column. On each time user tries to login, system needs to append and try all the alphabets and if matches then authenticate.
Note:
MD5-128 algorithm has been cracked, so avoid using this.
There are many Hashing Algorithms are there like MD5, SHA etc which will hash the plain text very fast, with this we can specify the bits range like 128, 256 etc. There are other algorithms like bcrypt, scrypt etc which will be intentionally slow, so that it will drastically reduce the attacks. With these, along with the plain text we need to mention the salt key and cost value. Here Cost value is the number like 10 or 20 like that, where hashing will happen that much of time repeatedly which will be more secured.
In practical, most of the company will Digest the password along with the salt and cost value and on top of that encryption will be done, so that it will be more secured.
