What is a hash anyway?
Without cryptography there would be no data protection and no privacy on the Internet. Bank accounts, emails, social media accounts – private data would be easy to hack without cryptography.
A computer basically does what you tell it to do, even if that is sometimes hard to believe. But sometimes we don’t want it to do something – for example, release sensitive data. This is where cryptography comes in, the science of encrypting information. The idea itself existed long before computers did. In ancient Egypt, for example, mythological-religious texts were encrypted by using special hieroglyphs to refer to deities, which only the clergy could read. Julius Caesar (100 BC to 44 BC) wrote encrypted messages to his generals by shifting the letters of the alphabet. This cipher became known as the Caesar cipher.
Computer-aided cryptography methods have played an important role since around 1970. Put simply, data is encrypted using an algorithm. Ideally, it cannot be decrypted without the appropriate authorization. As a developer, you don’t have to understand the complex mathematics behind it, but you should know concepts such as hashing, encryption and signing.
One of the most common cryptographic concepts is what is known as a hash. The word is of culinary origin and means something like “chop up and mix”, which describes quite well what a hash function does. An input of any length is passed to a hash function. The function then returns a value of fixed length, the so-called hash. The hash does not allow any conclusions to be drawn about the input. The same input always produces the same output. A hash must also be quick to calculate and unique, in the sense that two different inputs should not produce the same hash.
These are useful properties that enable developers, for example, to store data in hashed form without having to know its true value – for example when storing passwords in a database. Simply saving the passwords in plain text in the database would also be possible, but is not recommended. If attackers gain access to the database, they could easily read out and use the passwords stored there. If the data has been hashed, however, the hashes must be cracked first.
Developers can implement a hash function, for example, with Node Crypto, the crypto module of Node.js. All you need is Node.js and a JavaScript file in the code editor of your choice:
// Import createHash from the built-in crypto module
const { createHash } = require('crypto');

// Returns the SHA-256 hash of the input as a hexadecimal string
function hash(input) {
  return createHash('sha256').update(input).digest('hex');
}
First, the createHash function is imported from Node Crypto. Then a custom function is defined that takes a string as input and returns a hash string. In the example above, this function is called hash.
Next, the hash algorithm to be used must be specified. In the example this is SHA-256; alternatives would be Argon2 or MD5, for instance. The latter is considered obsolete, however, and the former is not available in Node Crypto.
Inside the hashing function createHash, update is called with the corresponding input value. digest defines the return of the hash, together with the format in which the hash should be returned. The example code uses the hexadecimal format ('hex'); another common option is base64.
This function can then be passed an input, in the example a password. A console.log() of hash1 then shows you the always identical string in hexadecimal format. It can look like this, for example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855.
let password = 't3n – digital pioneers';
const hash1 = hash(password);
console.log(hash1);
To compare two hashed password entries, a second hash – hash2 – is now created and compared with the first:
password = 't3n – digital news';
const hash2 = hash(password);
const match = hash1 === hash2;
// Double quotes here, because the apostrophe in "don't" would end a single-quoted string
console.log(match ? '😊 passwords match' : "🤨 passwords don't match");
If they match, a console.log() of hash2 would output the same long string. Since they do not match in the example, the output of console.log() in the code snippet would be 🤨 passwords don’t match.
These are the basics of how a hash works. Hashes are useful, but alone are not enough to securely store a password in a database. The problem lies in the property described above of always generating the same output with the same input.
The reason: if attackers have gained access to a database with hashed passwords, the probability is high that they will also find passwords such as password or 123456 in it. Attackers can then simply look up the resulting hashes – and they have cracked some of the passwords in the database.
Another cryptographic concept, the so-called salt, ensures more security for cryptographic hash functions.