## Understanding more about hashing

Written on **11 February 2015, 11:21pm **

## Brute force vs dictionary attack vs rainbow tables

**Brute force**: least efficient, tries all the possible values.

**Dictionary attack**: tries a predefined list of values

**Rainbow tables**: contain pre-computed hashed values. If a single salt per db is used, then the pre-computed hashed values have to be updated (to include the salt). If a single salt per password is used, then the pre-computed hashed values have to be updated for each password.

More here.

**Note**: rainbow table can only be used if the hashed values are available.

## Hashing properties

**1. Collision resistance:** it should not be realistically possible to find two messages giving the same hash

**2. Pre-image resistance:** given the hash, it should not be realistically possible to obtain the message (*we ask an adversary, given only H(m), to find m or some m′ such that H(m′) = H(m)* )

**3. Second pre-image resistance:** given both the hash and the message, it should not be realistically possible to obtain another message with the same hash.

More here and here

**Remember:**

Hashing is **not compression** (you can’t go back to the original string)

Hashing is **not encryption** (for encryption you need a key)

## What are you hashing

– not sensible data: use MD5/SHA family of hashing functions

– sensible data (like passwords): PBKDF2 (*), bcrypt or scrypt

## Key derivation

This is about transforming a password into a key that can be used for encryption. Think about encrypting a file with a password.

The output of a password hashing function is acceptable as a symmetric key, after possible truncation to the required size.

– link

LastPass utilizes the PBKDF2 function implemented with SHA-256 to turn your master password into your encryption key.

– LastPass user manual

(*) PBKDF2 is in fact a Key derivation function, not a hashing function.

*Written by*
**Dorin Moise**
(Published articles: 229)

- Likes (
*0*) -
Share
- Comments (0)