in Resources

Secure Hashing with Python‘s hashlib

Hey there! Hashing is a fascinating concept in cryptography that you as a programmer should absolutely understand.

In this comprehensive guide, I‘ll be sharing my insider knowledge to help you master cryptographic hashing and implement it easily in Python.

Here‘s what I‘ll cover:

  • What is hashing and why should you care about it
  • The 7 key properties of secure hash functions
  • How hashlib makes hashing simple in Python
  • Cool statistics on hash algorithms
  • Real-world examples like securing passwords
  • My thoughts on the role of hashing in blockchain
  • Common errors to avoid when using hashlib

So if you want to truly grok hashing and use Python to compute ultra-secure hashes, you‘re in the right place. Let‘s get started!

What is Cryptographic Hashing?

A hash function takes an input of any size like a file or string. It then generates a fixed size output called a hash value or message digest.

Here‘s a simple analogy. Imagine you have a long essay. The hashing algorithm would take this essay and give back a short, fixed length summary.

But there‘s a catch. This summary should be unique so that if even one word of the essay changes, the summary will be totally different!

This leads us to the key properties that make cryptographic hash functions secure:

Deterministic

Same input = same hash. Your essay will always have the exact same summary.

Quick to calculate

The hashing algorithm can rapidly generate the hash/summary. No matter if your essay is 100 words or 10,000 words.

Preimage resistance

From just the summary, it‘s impossible to reconstruct your full essay. The hashing function only goes one way.

Collision resistance

It‘s really tough to find two different essays that‘ll generate the same summary or hash value.

Avalanche effect

A tiny change in the essay causes drastic changes to the hash summary.

These properties enable some brilliant use cases for hashing that we‘ll discuss soon. But first, how is hashing different from encryption?

Hashing vs Encryption

Here are the key differences:

  • Hashing is one-way only. Encryption lets you go both ways – encrypt and decrypt a message.
  • Hashes are fixed length. The same hashing algorithm will always output a summary of say 256-bits. Encryption outputs vary in length.
  • Hashing is fast. Encryption/decryption takes longer with algorithms like AES.

So in summary, think of hashing as a quick way to fingerprint data. While encryption is used to securely exchange messages.

Why Does Hashing Matter?

Here are some scenarios where hashing shines:

  • Verify file integrity – When you download an ISO or software package, you can check it against a trusted hash to ensure it wasn‘t tampered with.

  • Store passwords – Storing passwords as hashes rather than plain text is far more secure.

  • Blockchain – Hashing is at the heart of Bitcoin and other cryptocurrencies. It lets you chain blocks of transactions securely.

  • Deduplication – Identical files will have the same hash. So you can avoid storing duplicate copies.

  • Commitment schemes – Prove you know some info without revealing the actual info using hashing.

And plenty more applications like digital signatures, challenge-response authentication and data fingerprinting.

That‘s why cryptographic hash functions play a fundamental role in securing all data in transit and at rest.

Now let‘s go deeper into the exact properties you want in acryptographically-secure hash algorithm.

7 Key Properties of Secure Hash Functions

For a hash algorithm like SHA-256 to be trusted for security applications, it should satisfy these properties:

1. Deterministic

Same message => Same hash

This means if you hash "Hello World" 100 times with SHA-256, you‘ll always get the same 256-bit hash.

A non-deterministic function would give different outputs each time. That destroys any value for security.

2. Quick computation

FAST. Even for large amounts of data.

SHA-256 can hash data at around 63 GB/s on a standard PC. In comparison, symmetric ciphers like AES-256 operate at about 1 GB/s.

This speed makes hashing indispensable when you need to verify large files or datasets.

3. Preimage resistance

Infeasible to go from hash => original message

If you‘re given the hash "A665A45920422F9D417E4867EFDC4FB8A04A1F3FFF1FA07E998E86F7F7A27AE3", there‘s no way to find the original message.

This irreversibility is critical. Otherwise, hashing would expose your data rather than protect it!

4. Collision resistance

Hard to find two inputs with the = hash

Let‘s say you have a malicious actor Eve who knows Alice‘s password hashes. Eve can‘t find another valid password that hashes to the same value as Alice‘s real passwords.

This collision resistance protects against compromise even if the adversary has the hashes.

5. Avalanche effect

A tiny change in input => Big change in hash

Change a single bit in the input message and ~50% of the hash bits flip on average. This amplifies collision resistance.

For example, SHA-256("Hello") => ab530a…
SHA-256("helLo") => e0ec6f…

You can see the hash completely changes from that one bit flip.

6. Puzzle friendly

The hash function shouldn‘t have shortcuts via ASICs or GPUs. This keeps mining decentralized.

For example, Bitcoin originally used SHA-256 which is now dominated by specialized ASICs. Newer coins are shifting to ASIC-resistant algorithms.

7. Pseudorandomness

Output appears random

The output should have high entropy and pass statistical randomness tests. This prevents leaking info via patterns.

Compare a simple vs secure hash:

Insecure: 
hash("Hello") = H3

Secure:  
SHA-256("Hello") = ab530a13e659409ad3e35a146db9dad6522beca8ecb7e1f0dd447d90eb94e1ef

These 7 properties ensure hashes like SHA-256 or Keccak (SHA-3) can keep our data secure.

Next, let‘s look at some cool statistics on the popular hash algorithms.

Hash Algorithm Stats and Comparison

Here‘s a quick overview of hash algorithm speeds, digest sizes, and other stats:

Algorithm Speed on Core i7 Digest Size Status
MD5 900 MB/s 128-bit Insecure – don‘t use!
SHA-1 500 MB/s 160-bit Vulnerable – don‘t use!
SHA-256 190 MB/s 256-bit Secure
SHA-512 75 MB/s 512-bit Secure
BLAKE2b 450 MB/s 512-bit Secure
SHA-3 85 MB/s 256-bit Secure

You can see MD5 and SHA-1 are compromised and should never be used for secure hashing.

SHA-256 offers the best balance of speed and security with a 256-bit output. SHA-512 is more conservative but slower.

And the newer SHA-3 Keccak and BLAKE2b also seem solid. Personally, I recommend SHA-256 for most purposes.

Now let‘s discuss how to easily compute hashes in Python using the hashlib module.

Hashing in Python with hashlib

The hashlib module in Python provides an easy interface to compute different hash functions like SHA-256.

Here is a simple example to hash a string:

import hashlib

msg = "Hello World"
msg_bytes = msg.encode(‘utf-8‘)  

sha256_hash = hashlib.sha256(msg_bytes)
md5_hash = hashlib.md5(msg_bytes)

print(sha256_hash.hexdigest())
print(md5_hash.hexdigest())

This shows how similar the API is for different algorithms – md5, sha256, sha512 etc.

You can also feed the data incrementally with the update() method:

hash = hashlib.sha256()
hash.update(b‘Hel‘)
hash.update(b‘lo Wo‘)
hash.update(b‘rld!‘)

print(hash.hexdigest())

The hashlib module is great because it provides an easy interface and optimizes in the backend for fast performance.

Under the hood, it actually uses the OpenSSL library hash implementations. This is good because OpenSSL hashes are widely-used and tested.

There are also no dependencies – hashlib works fast out of the box with the standard Python install.

Next, let‘s go through some practical examples of hashing.

Hashing Passwords Securely

Storing user passwords as plain text is dangerous. Hashing them is far more secure: 

import hashlib
import secrets 

password = "hunter2"
salt = secrets.token_bytes(32) 

salted_password = password.encode(‘utf-8‘) + salt
sha256 = hashlib.sha256(salted_password)
password_hash = sha256.hexdigest()

# Optionally iterate hashing to strengthen it
for i in range(100000):
   sha256 = hashlib.sha256(password_hash.encode(‘utf-8‘) + salt)
   password_hash = sha256.hexdigest()

print(password_hash)

Here‘s what this code does:

  1. Generates 32 random bytes as a salt
  2. Appends the salt to the encoded password
  3. Hashes the salted password with SHA-256
  4. Iterates the hashing 100,000 times to make brute forcing harder

Even if your database is compromised, the hashes are still secure against offline cracking attempts.

You can also go further with password hashing schemes like Argon2, scrypt or bcrypt. But this snippet gives a good template to follow.

Verifying File Integrity

Here‘s an example of securely checking a file‘s contents haven‘t changed:

import hashlib

filename = ‘data.bin‘

# Compute original hash
with open(filename, ‘rb‘) as f:
    data = f.read()
    file_hash = hashlib.sha256(data).hexdigest()

# Verify hash matches  
with open(filename, ‘rb‘) as f:
    data = f.read() 
    computed_hash = hashlib.sha256(data).hexdigest()

print(computed_hash == file_hash)

Any changes to the file will drastically change the SHA-256 hash. So you can use this to verify integrity.

Large software packages like Linux ISOs commonly provide published hashes to check against before installing.

My Thoughts on Hashing in Blockchain

Hashing is the backbone of blockchain security guarantees. But overreliance on simplistic hashes also leads to vulnerabilities. Let me explain…

In Bitcoin, the header of each block is hashed using SHA-256. Miners try to find a nonce value that results in a valid hash under the target difficulty. This Proof-of-Work secures the blockchain.

However, simple hashing alone is not enough. Bitcoin has suffered issues like transaction malleability where transactions get mutated but still have the same hash.

That‘s why modern blockchains use approaches like Merkle trees and authenticated data structures above the base hash layer. For example, Ethereum uses Patricia tries to prevent malleability attacks.

Overall, hashing gives crucial security properties to blockchains. But you need mechanisms like Merkle trees and digital signatures at other layers to plug potential holes.

Common Errors to Avoid with hashlib

Here are some gotchas to watch out for when using Python‘s hashlib:

  • Forgetting to encode strings to bytes before hashing

  • Using insecure algorithms like MD5 or SHA-1

  • Not using a random salt when hashing passwords

  • Assuming hashes are reversible back to the original data

  • Thinking hashes prevent malleability or provide authentication

  • Assuming a single hash iteration is sufficient for passwords

The key is to combine hashing with other mechanisms like salts, digital signatures, and extra iterations in order to achieve full security.

Conclusion

I hope this guide helped boost your understanding of cryptographic hashing and how to use it properly.

Here are the key points we covered:

  • Hashing generates fixed length outputs from any data input
  • Properties like determinism, preimage resistance enable security
  • Python‘s hashlib module lets you easily compute hashes
  • Use cases include verifying integrity, securing passwords, blockchain etc.
  • Combine hashing with other techniques to avoid potential malleability issues

Now go forth and build more secure systems with the power of cryptographic hashing!

Let me know if you have any other questions. I‘m always happy to chat more about this fascinating topic.

Happy hashing!

AlexisKestler

Written by Alexis Kestler

A female web designer and programmer - Now is a 36-year IT professional with over 15 years of experience living in NorCal. I enjoy keeping my feet wet in the world of technology through reading, working, and researching topics that pique my interest.