Hashing

Home

Store

My Account

Forums

Support/Contact

Beta

About

(empty)

Secure Licensing API

Two Factor Authentication

More Products

The Company

Training

Secret Server

Overview

Gimmes

Secret Server - Team Blog

Why does Secret Server take so long to start up? (5/18/2008)

One of the things that we did notice with Secret Server is that it does take what seems to be a long time for Secret Server to start up for the first time. This started happening in Secret Server 4.0. More >>

Secret Server on the Treo 700 (4/19/2008)

More >>

Secret Server at FOSE 2008 (4/3/2008)

More >>

Giving Secret View a System Font (3/27/2008)

One of the questions that I sometimes get from customers is, "I want the information on the Secret View page to display in a system font" The reason for this is it makes it easier to distinguish between O's and zeros; More >>

Article - Hashing

Kevin Jones
Senior .Net Developer
Thycotic Software Ltd.

Hashing is a cryptographic function that takes a set of data as input and produces a “thumbprint” of this data, which is called a digest. This thumbprint cannot be reversed back into its original form, making hashing ideal for storing passwords to ensure they cannot be stolen.

When hashing data, its output is determined by the algorithm, or mathematical formula used to produce the hash. The most common hashing algorithm is Secure Hash Algorithm version 1, commonly known as SHA-1. SHA-1 produces a 160 bit digest. Regardless of how much data it uses as input, its digest size is consistently 160-bits.

A hash algorithm has many requirements, the first being that it produces a digest that is unique to the best of its ability. The second is where similar inputs do not produce and output result that is similar, commonly called the cascade effect. The cascade effect is defined as a single change to the input will result in a completely different hash. For example ⁱ, if we had the input:

Input: “bells”

Output: “205 93, 0, 158, 133, 9, 66, 132, 42, 23, 220, 107, 20, 29, 195, 98, 20, 113, 141, 53, 167”

Input: “sells”

Output: “210, 70, 165, 34, 215, 255, 59, 171, 109, 224, 81, 222, 157, 134, 128, 180, 244, 213, 218, 69”

As this example demonstrates, two inputs that are similar produce outputs that are not similar in any place.

What are the risks of hashing?

As will all hashing algorithms, hashing is all based on mathematical improbability. Since the input of a hash is unlimited in length and combinations, but the output is a fixed size, at some point two unique inputs will produce identical outputs. This is called a hash collision. SHA-1 is known to have hash collisions when you exceed 2⁶³ calculations.

Addressing SHA-1’s Limitations

The limitations and security issues related to SHA-1 have been addressed by a new set of hashing algorithms called SHA-2. SHA-2 includes hashing algorithms that have larger digests, ranging from 224-bits to 512-bits. Collisions have not yet been produced using any of the SHA-2 algorithms. The strongest of the SHA-2 algorithms is SHA-512. This produces a 512-bit digest which is roughly three times larger than that of SHA-1. SHA-512’s improvements go beyond producing a larger digest. Its algorithm uses more complex operations compared to SHA-1, making the algorithm by itself stronger. Using the previous two examples, these are the results using the SHA-512 algorithm ⁱⁱ:

Input: “bells”

Output: “198, 149, 12, 252, 60, 139, 107, 189, 9, 122, 170, 59, 222, 62, 177, 155, 67, 88, 72, 160, 88, 249, 74, 129, 241, 135, 7, 95, 186, 48, 92, 15, 209, 165, 31, 88, 198, 119, 204, 168, 177, 65, 199, 155, 221, 145, 61, 225, 170, 224, 148, 152, 20, 252, 92, 120, 141, 104, 58, 61, 38, 58, 177, 165”

Input: “sells”

Output: “59, 48, 192, 46, 249, 253, 191, 142, 121, 26, 208, 96, 17, 216, 165, 11, 249, 179, 68, 20, 249, 89, 124, 244, 224, 241, 191, 209, 248, 125, 135, 84, 19, 242, 184, 157, 157, 91, 214, 177, 12, 120, 201, 118, 6, 59, 249, 130, 252, 37, 25, 82, 12, 108, 8, 160, 76, 52, 37, 31, 125, 92, 33, 183”

SHA-512 in the .NET Framework

The Microsoft .NET Framework includes all of the necessary classes to hash data. All of the hash algorithms can be found in the System.Security.Cryptography namespace. The class SHA512Managed is the class used to produce a 512 bit digest. Here is a snippet that will hash an input string and return a hexadecimal string:

C#:

VB.NET:

Both of which result in the following output if the input is “hello”:

5165D592A6AFE59F80D07436E35BD513B35542991640A16C1ADFA499C5A8CE
3A370ACDD4DC787D04350473BEA71EA8345748578FC63AC91F8F95B6C14B93

Why Secret Server Uses SHA-512

Secret Server uses SHA-512 because Secret Server is designed to be as secure as possible. SHA-512 is the government standard for hashing, and to better protect data and to reduce all chances of Secret Server being compromised.

ⁱ This example assumes SHA-1 and Unicode encoded text.

ⁱⁱ This example uses the SHA-512 algorithm and Unicode encoded text.

Available on PDF