SHA Algorithm in Cryptography: The Secret Behind Secure Data Encryption

DATE: August 23, 2023


What Is SHA? What Is SHA Used for?

Secure Hash Algorithm (SHA) is a cryptographic hash function that is widely used in digital security applications to ensure data integrity and authenticity. It generates a unique fixed-size output, also known as a hash value or message digest, for given input data, which can be used to verify the integrity of the data and detect any unauthorized modifications or tampering attempts. SHA is commonly used in digital signatures, message authentication codes, and password storage mechanisms, among other applications.

Introduction to SHA

Secure Hash Algorithm is a family of cryptographic hashing algorithms. As described in RFC 3174, given an input message of arbitrary length, the algorithm generates a 160-bit hash digest, also called the message digest, which is typically displayed as a 40-digit hexadecimal number.

Secure Hash Algorithms are used in many cryptographic applications and protocols. The principles underlying the Secure Hash Algorithms are similar to those used by Ronald Rivest when designing MD4.

Different SHA Forms

The most commonly used SHA forms are SHA-1, SHA-2, and SHA-3. These forms work in different ways internally, generate hash values of different sizes, and offer varying levels of security. As the digital landscape continues to evolve and threats to data security become increasingly sophisticated, it is important to understand the differences between these SHA forms and their respective strengths and weaknesses.

SHA-0

In 1993, the NSA worked with NIST to develop a secure hashing algorithm now known as SHA-0 for the secure hashing standard. However, the NSA soon withdrew this version, citing a bug they discovered that was never disclosed. The agency then replaced it with a revised version published in 1995 in FIPS PUB 180-1.

This version is what is now called SHA-1. Later, at the 1998 CRYPTO conference, two French researchers presented an attack on the SHA-0 algorithm that did not work on the SHA-1 algorithm. This may have been the bug discovered by the NSA.

SHA-1

SHA-1 implements a hash function based on the idea of a compression function. The inputs to the compression function are a 512-bit message block and the output for the previous message block. The output is the hash value of all blocks up to that point. In other words, the hash value after block M(i) is h(i) = f(M(i), h(i-1)). The hash value of the entire message is the output of the last block.

SHA-1 is the most common of the entire SHA family and is used in a variety of widely used cryptographic applications and algorithms. However, Google has long expressed its distrust of SHA-1, especially its use for signing TLS certificates. Back in 2014, shortly after the publication of Marc Stevens’ work, the Chrome development team announced that they were phasing out SHA-1.

SHA-2

Secure Hash Algorithm Version 2 (SHA-2) is a family of cryptographic algorithms (one-way hash functions) that includes the SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/256 and SHA-512/224 algorithms.

Hash functions are designed to create “fingerprints” or “digests” of messages of arbitrary length. They are used in various applications or components related to information security.

SHA-2 hash functions were developed by the US National Security Agency and published by the National Institute of Standards and Technology in the Federal Information Processing Standard FIPS PUB 180-2 in August 2002.

In March 2012, the latest revision, FIPS PUB 180-4, was released, which added the SHA-512/256 and SHA-512/224 functions based on SHA-512.

SHA-3

SHA-3 (Keccak) is a variable-length hashing algorithm developed by a group of authors led by Joan Daemen, co-author of Rijndael, author of MMB, SHARK, Noekeon, SQUARE, and BaseKing ciphers.

On October 2, 2012, Keccak became the winner of the US National Institute of Standards and Technology Cryptographic Algorithm Contest. On August 5, 2015, the algorithm was approved and published as the FIPS 202 standard. In a software implementation, the authors claim 12.5 cycles per byte when executed on a PC with an Intel Core 2 processor. However, in hardware implementations, Keccak turned out to be much faster than all other finalists.

The SHA-3 hash generation flow is built on the principle of a cryptographic sponge. This structure of cryptographic algorithms was proposed earlier by the authors of the Keccak algorithm.

SHA Characteristics

SHA-1 works according to the following parameters:

  • Hash code length: 160 bits
  • length of the processed blocks: 512 bits
  • number of algorithm steps: 80 (4 rounds of 20 steps each)
  • maximum length of hashed data: 2^64 – 1

 

The SHA-256 algorithm has the following characteristics:

  • block size: 64 bytes
  • maximum allowable message length: 33 bytes
  • hash digest size: 32 bytes (256 bits)
  • standard word size: 4 bytes
  • internal state size: 32 bytes
  • number of iterations in one loop: 64
  • throughput: approximately 140 Mbps

 

SHA-3 is organized on the principle of a cryptographic sponge, which is its main distinguishing feature.

In cryptography, a sponge function is an iterative construct for creating a function with arbitrary-length input and arbitrary-length output based on a transformation f.

The sponge has an internal state S with data of a fixed size b (bits). The state is divided into 2 parts: the first, S1, of size r, and the second, S2, of size c. The value of r is called the bit rate, and the value of c is called the capacity; b=r+c.

In the initialization phase, a data block of size b is filled with zeros, and the input data M is divided into blocks of size r. Further work on the sponge is carried out in 2 stages:

In the “absorption” phase, the XOR operation of the next block of the original message with the first part of the state S1 of size r (bits) is performed, and the remaining part of the S2 state of capacity c remains unaffected. The result is placed in S1, and then the state S is processed by the function f, a multi-round keyless pseudo-random permutation, and this is repeated until the blocks of the original message are exhausted.

In the “squeezing” phase, the state S is fed to the function f, after which part S1 is fed to the output. These actions are repeated until a sequence of the desired length (for example, the hash value length) is obtained.

The last c bits of the state depend only indirectly on the input blocks and are not output during the squeezing phase.

What SHA Is Used for and Why

Hash functions are used in version control systems, electronic signature systems, secure authenticators and also for building authentication codes.

SHA-1 is the most common of the entire SHA family and is used in a variety of widely used cryptographic applications and algorithms.

SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/256, and SHA-512/224 are permitted by US law for use in certain government applications, including use within other cryptographic algorithms and protocols, to protect information that is not classified. The standard also allows private and commercial organizations to use SHA-2.

SHA-2 hash functions are used for data integrity checks and in various cryptographic schemes. The SHA-2 family of hash functions is not as widely used as MD5 and SHA-1, despite the shortcomings found in the latter.

Studies have shown that SHA-2 algorithms work 2-3 times slower than other popular hash algorithms such as MD5, SHA-1, Tiger, and RIPEMD-160.

SHA-3/Keccak is one of the most secure and efficient hashing algorithms. Some argue that it will not be possible to hack it in the next 20-30 years. Development in the world of quantum computing may shorten this time frame, but for now, this algorithm is still one of the best hashing algorithms that mankind has.

SHA algorithms are widely used in blockchain. SHA-256 is one of the first and most prominently used hashing algorithms in the Bitcoin blockchain. The hashing engine is used in various stages in a blockchain:

Consensus mechanism: Miners calculate the hash of new blocks to be created.

Chains of blocks: Each block in the ledger contains a SHA-256 hash referring to the preceding block in the chain.

Digital signatures: Transactions are digitally signed to maintain integrity, the transaction is hashed using SHA-256, and then it is encrypted with the sender’s private key to generate a signature.

Differences Between a Secure Hash and an HMAC

Hash-based message authentication code (HMAC) is one of the mechanisms for checking the integrity of information to ensure that data transmitted or stored in an untrusted environment has not been modified by unauthorized persons. The HMAC mechanism uses a message authentication code (MAC) and is described in RFC 2104 and in the standards of the ANSI, IETF, ISO, and NIST organizations.

MAC is a standard that describes how to exchange data and how to check the integrity of transmitted data using secret-key cryptography. Two clients using a MAC typically share a secret. HMAC is an add-on over MAC: a mechanism for exchanging data using a secret key (as in MAC) and hash functions.

The resulting secure authentication code allows you to verify that the data has not been changed in any way since it was created, transmitted, or stored by a trusted source. For this kind of verification, it is necessary, for example, that two parties that trust each other agree in advance on the use of a secret key that is known only to them.

This guarantees the authenticity of the source and the message. The disadvantage of this approach in comparison with SHA is obvious – there must be two parties that trust each other. However, at the same time, without knowing the secret key, it is impossible to fake HMAC, while anyone can get the hash value from the original data if they know the hashing algorithm used and have such data.
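The difference between a bare hash and an HMAC, shown as an added example that is not code from the original article. `hmac_sha256` follows the RFC 2104 construction over SHA-256; the key, messages and function names are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 64  # SHA-256 block size in bytes

def hmac_sha256(key, msg):
    """RFC 2104: H((K xor opad) || H((K xor ipad) || msg))."""
    if len(key) > BLOCK:                    # long keys are hashed first
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK, b"\x00")         # short keys are zero-padded
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + msg).digest()
    return hashlib.sha256(opad + inner).digest()

def verify_plain(msg, digest):
    """Integrity check with a bare hash: no secret is involved."""
    return hmac.compare_digest(hashlib.sha256(msg).digest(), digest)

def verify_hmac(key, msg, tag):
    """Integrity and origin check: only holders of key can produce tag."""
    return hmac.compare_digest(hmac_sha256(key, msg), tag)

# Constructed sample data
KEY = b"constructed-shared-secret"
ORIGINAL = b"amount=100;to=alice"
MODIFIED = b"amount=900;to=alice"

def demo():
    # A bare digest travels with the data, so whoever changes the data can
    # recompute the digest and the receiver's check still passes.
    recomputed = hashlib.sha256(MODIFIED).digest()
    # An HMAC tag cannot be recomputed without KEY: the old tag no longer
    # matches, and a tag made with a different key is rejected.
    tag = hmac_sha256(KEY, ORIGINAL)
    other_key_tag = hmac_sha256(b"not-the-shared-secret", MODIFIED)
    return {
        "plain_accepts_modified": verify_plain(MODIFIED, recomputed),
        "hmac_accepts_original": verify_hmac(KEY, ORIGINAL, tag),
        "hmac_accepts_old_tag": verify_hmac(KEY, MODIFIED, tag),
        "hmac_accepts_other_key": verify_hmac(KEY, MODIFIED, other_key_tag),
    }

if __name__ == "__main__":
    print(demo())
```

In production code the standard library's `hmac.new(key, msg, hashlib.sha256)` does the same computation; the tag comparison should always go through `hmac.compare_digest` so that it runs in constant time.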

What’s the Most Secure Hashing Algorithm?

With growing computational resources, hash algorithms with smaller hash lengths like SHA-1 and MD5 become more vulnerable to brute-force attacks. The goal of a brute-force attack is not to decrypt the hash but to hash thousands of words until one produces the same hash value. It can be used to crack hashed passwords by finding an input with the same hash value.

Of the entire SHA family, Keccak’s SHA-3 function is the most secure to date. The Keccak family of hash functions has been subjected to intense cryptanalysis since its submission to the SHA-3 competition in 2008.

The Keccak algorithm had the most productive hardware implementation among the finalists of the SHA-3 competition, and it also used an uncommon construction, the sponge function. Thus, attacks based on SHA-2 will not work. Another significant advantage of SHA-3 is its ability to be implemented on miniature embedded devices, such as a USB flash drive.

Conclusion

SHA is a cryptographic hash function used to ensure data integrity and authenticity. Its unique fixed-size output, or hash value, is widely used in digital security applications such as digital signatures, message authentication codes, and password storage mechanisms, to protect against unauthorized modifications or tampering attempts. Helenix develops cryptographic solutions for a wide variety of organizational needs, which you can learn more about in our Custom Development section.

FAQ

The SHA-256 algorithm is widely used for secure data transmission, digital signatures, and password authentication. It generates a unique 256-bit hash value for given input data, which can be used to verify the integrity of the data and protect against unauthorized modifications or tampering attempts.

SHA-1 and SHA-256 are cryptographic hash functions that generate a unique fixed-size output for given input data. SHA-256 is a stronger and more secure version than SHA-1.

SHA-256 is a specific form of the Secure Hash Algorithm, while SHA refers to the family of hash functions that include SHA-1, SHA-2, and SHA-3.

Yes, SHA-512 is more secure than SHA-256. It generates a longer hash value and uses more rounds of computation, providing a higher level of security. However, it may be slower and require more resources to compute.