If you’re planning on taking the Security+ exam, you should have a good understanding of hashing and how a hash process provides integrity for messages.
For example, can you answer this question?
Q. A security technician runs an automated script every night designed to detect changes in files. Of the following choices, what are the most likely protocols used in this script?
A. PGP and MD5
B. ECC and HMAC
C. AES and Twofish
D. MD5 and HMAC
More, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation is available at the end of this post.
Understanding Hashing with Messages
Hashing provides integrity for messages. It provides assurance to someone receiving a message that the message has not been modified. Imagine that Lisa is sending a message to Bart, as shown in the following figure. The message is “The price is $75.” This message is not secret, so there is no need to encrypt it. However, we do want to provide integrity, so this explanation is focused only on hashing.
Simplified hash process
An application on Lisa’s computer calculates the MD5 hash as D9B93C99B62646ABD06C887039053F56. In the figure, I’ve shortened the full hash down to just the first five characters of “D9B93.” Lisa then sends both the message and the hash to Bart.
In this example, something modified the message before it reaches Bart. When Bart receives the message and the original hash, the message is now “The price is .75.” Note that the message is modified in transit, but the hash is not modified.
A program on Bart’s computer calculates the MD5 hash on the received message as 564294439E1617F5628A3E3EB75643FE. It then compares the received hash with the calculated hash:
- Hash created on Lisa’s computer, and received by Bart’s computer:
D9B93C99B62646ABD06C887039053F56 - Hash created on Bart’s computer:
564294439E1617F5628A3E3EB75643FE
Clearly, the hashes are different, so you know the message lost integrity. The program on Bart’s computer would report the discrepancy. Bart doesn’t know what caused the problem. It could have been a malicious attacker changing the message, or it could have been a technical problem. However, Bart does know the received message isn’t the same as the sent message and he shouldn’t trust it.
Understanding Hashing and HMAC
You might have noticed a problem in the explanation of the hashed message. If an attacker can change the message, why can’t the attacker change the hash, too? In other words, if hacker Harry changed the message to “The price is .75,” he could also calculate the hash on the modified message and replace the original hash with the modified hash. Here’s the result:
- Hash created on Lisa’s computer:
D9B93C99B62646ABD06C887039053F56 - Modified hash inserted by attacker after modifying the message:
564294439E1617F5628A3E3EB75643FE - Hash created for modified message on Bart’s computer:
564294439E1617F5628A3E3EB75643FE
The calculated hash on the modified message would be the same as the received hash. This erroneously indicates that the message maintained integrity. HMAC helps solve this problem.
With HMAC, both Lisa and Bart’s computers would know the same secret key and use it to create an HMAC-MD5 hash instead of just an MD5 hash. The following figure shows the result.
Using HMAC
Lisa is still sending the same message. The MD5 hash is D9B93C99B62646ABD06C887039053F56. However, after applying the HMAC secret key, the HMAC-MD5 hash is 733C70A54A13744D5C2C9C4BA3B15034. For brevity, I shortened this to only the first five characters (733C7) in the figure.
An attacker can modify the message in transit just as before. However, the attacker doesn’t know the secret key, so he can’t calculate the HMAC hash.
Bart’s computer calculates the HMAC-MD5 hash on the received message using the shared secret key. It then compares the calculated hash with the hash received from Lisa:
- HMAC-MD5 hash created on Lisa’s computer:
733C70A54A13744D5C2C9C4BA3B15034 - HMAC-MD5 hash created on Bart’s computer:
1B4FF0F6C04434BF97F1E3DDD4B6C137
Again, you can see that the hashes are different and the message has lost integrity. If the messages weren’t modified, the HMAC-MD5 hash would be the same.
Q. A security technician runs an automated script every night designed to detect changes in files. Of the following choices, what are the most likely protocols used in this script?
A. PGP and MD5
B. ECC and HMAC
C. AES and Twofish
D. MD5 and HMAC
Answer is D. Hashing algorithms can detect changes in files (or verify the files have not lost integrity) and Message Digest 5 (MD5) and Hash-based Message Authentication Code (HMAC) are both hashing algorithms.
Pretty Good Privacy (PGP) is a method used to secure email communication.
Elliptic curve cryptography (ECC), Advanced Encryption Standard (AES), and TwoFish are all encryption algorithms.
For more information on hashing, check out these blog posts.
- Core cryptography concepts
Provides an overview of hashing, encryption, and digital signatures - Common hashing algorithms
Explains how MD5 and SHA provide integrity - Hashing concepts
Shows how hashing can verify file integrity - Creating and comparing hashes
Shows how to use md5sum to create and compare file hashes - Password attacks
Discusses online and offline password attacks against hashed passwords