Site home page
Get alerts when Linktionary is updated
Book updates and addendums
Get info about the Encyclopedia of Networking and Telecommunicatons, 3rd edition (2001)
Download the electronic version of the Encyclopedia of Networking, 2nd edition (1996). It's free!
Contribute to this site
Electronic licensing info
Note: Many topics at this site are reduced versions of the text in "The Encyclopedia of Networking and Telecommunications." Search results will not be as extensive as a search of the book's CD-ROM.
A hash function is a form of encryption that takes some plaintext input and transforms it into a fixed-length encrypted output called the message digest. The digest is a fixed-size set of bits that serves as a unique "digital fingerprint" for the original message. If the original message is altered and hashed again, it will produce a different signature. Thus, hash functions can be used to detect altered and forged documents. They provide message integrity, assuring recipients that the contents of a message have not been altered or corrupted.
Hash functions are one-way, meaning that it is easy to compute the message digest but very difficult to revert the message digest back to the original plaintext (e.g., imagine trying to put a smashed pumpkin back to exactly the way it was). Hash function features are listed here:
Hash functions may be used with or without a key. If a key is used, both symmetric (single secret key) and asymmetric keys (public/private key pairs) may be used. The two primary algorithms are listed next and the RFCs listed later provide more information on the protocols. Also see the list of Web sites on the related entries page.
Keyed MD5 is a technique for using MD-5. Basically, a sender appends a randomly generated key to the end of a message, and then hashes the message and key combination to create a message digest. Next, the key is removed from the message and encrypted with the sender's private key. The message, message digest, and encrypted key are sent to the recipient, who opens the key with the sender's public key (thus validating that the message is actually from the sender). The recipient then appends the key to the message and runs the same hash as the sender. The message digest should match the message digest sent with the message.
The result of a hash function that combines a message with a key is called a message authentication code, or MAC. A MAC is a "fingerprint" or "message digest" of the input in combination with a key available to parties in the message exchange.
Hash functions are used in authentication routines such as CHAP (Challenge Handshake Authentication Protocol). Both the client and server share a secret-the password used by the client, which has been previously exchanged but is never sent over the wire. When the client establishes a link to the server, the server sends a unique "challenge" value (sometimes called a nonce) to the client. The client combines his or her password with the challenge and then runs them through the hash function. The result is sent back to the server, which runs the same process and compares its results with those received from the client. If they compare, the client is considered authentic. Note that the actual password is never sent, only a hash of the challenge and password combination.
HMAC (Hashed Message Authentication Code) is a core protocol that is considered essential for security on the Internet along with IPSec, according to RFC 2316 (Report of the IAB, April 1998). It is not a hash function, but a mechanism for message authentication that uses either MD5 or SHA-1 hash functions in combination with a shared secret key (as opposed to a public/private key pair). Basically, a message is combined with a key and run through the hash function. The result is then combined with the key and run through the hash function again. This 128-bit result is truncated to 96 bits and becomes the MAC.
According to RFC 2104 (HMAC: Keyed-Hashing for Message Authentication, February 1997), HMAC should be used in preference to older techniques, notably keyed hash functions. Keyed hashes based on MD-5 are especially to be avoided, given the hints of weakness in MD-5. HMAC is the preferred shared-secret authentication technique, and it should be used with SHA-1. It can be used to authenticate any arbitrary message and is suitable for logins.
The following RFCs provide important additional information about the hash functions used in the Internet environment. These RFCs are located on the CD-ROM.
Copyright (c) 2001 Tom Sheldon and Big Sur Multimedia.