Hashes Can Be Attacked. In Addition, Describe

¶ … hashes can be attacked. In addition, describe some scenarios where a hash has been used as part of an authentication scheme, and the validity of a particular authentication using that scheme have been challenged.

Hashes are one type of a variety of cryptographic methods of providing a one-way encoding of information. A hash value can only be recreated using the exact same information again. "The cryptographic value of the hash lies in the fact it is impossible to retrieve the original information from the hash itself." (Miseldine, 2004)

One of the most common and familiar forms of hashes is a password. But although passwords may have significance to the user, viewed from a computer's point-of-view, a hash is merely an unordered collection of values, each of which is identified by a unique key or combination of letters, values, and other symbols. Replicating these keys can only retrieve the value of the hash. By altering one's password, one can add to or delete from the collection of symbols used. The variety of symbols available to the user varies with the system and the nature of the derived hash, and the data structure with these properties is called a dictionary. This dictionary may be as wide and all encompassing as the dictionary itself, or even more so, if it is case-sensitive and uses many symbols and numbers and spaces as well as letters. (Menon-Sen, 2002)

Because the usual intent is that the hash can act as a signature for the original data, without revealing its contents it is important that the hash function is irreversible, in other words it cannot be changed during the authentication process or while a user is logging into a system. But randomness cannot have any place in a hash function. In other words, a hash function can and should completely deterministic. Given the exact same forms of input twice, in other words the hash function should always produce the same output. Even a single bit of information changed in the input should produce a different hash value. (Connected, 2004)

Thus, the hash value should be small enough to be manageable in further manipulations, yet large enough to prevent an attacker from randomly finding a block of data that produces the same hash, enabling even the most inexperienced attackers to access the passwords of authentic users. (Connected, 2004) Limiting the dictionary of the available codes, such as requiring users to use case sensitive passwords, passwords containing letters and numbers and punctuation, or simply to have longer strings of data in their passwords are all ways to enlarge the hash, without the has becoming too unmanageable.

Hash functions cannot be used directly for encryption, to protect a system as a whole but remain very useful for individual user authentication. "To authenticate the user, a password is requested, and the user's response is run through the hash function. If the resulting hash value is the same as the one stored, then the user must have supplied the correct password, and is authenticated. Since the hash function is irreversible, obtaining the hash values doesn't reveal the passwords to an attacker." (Connected, 2004)