Hashing – CompTIA Security+ SY0-401: 6.1

Hashing functions can provide us with some interesting ways of validating data. In this video, you’ll learn the fundamentals of hashing and I’ll demonstrate how you can validate a downloaded file by calculating a hash.

<< Previous Video: Non-RepudiationNext: Key Escrow >>


A cryptographic hash is a way to take some existing data– it might be a file. It might be a picture. It might be an email that you’ve created. And it’s a way that you can create a message digest from it, which is really just a short string of text. If you were to look at a cryptographic hash– and we’ll look at some in just a bit– you’ll see there’s just a bunch of letters and numbers put together, usually represented in a hexadecimal form.

Now what’s nice about this is if you were to have a file and create a cryptographic hash from it, you could send that file to someone else. And you could say here’s the cryptographic hash I created on my side. You do the same thing. And they’ll take the file, create a hash from that file. If the hashes match up, then you know the file is exactly the same on both sides.

One very important characteristic of these hashes is that it’s a one-way trip. I could not look at the hash, and somehow figure out what the original text was. That’s a very important consideration with hashes. Because very often, we use these to take passwords and hash the password, and we store the password as the hash. We’re not actually storing your actual password in plain text. This makes your storage of the password that much more secure. Because if somebody got their hands on this list of passwords or hashed passwords, they would have no idea what your original password was. That’s an extremely important aspect of what we do with hashes.

But we can also use hashes for other things. For instance, they could be a digital signature. We know that if we were to take a file and create a cryptographic hash from it, we can give that file to someone else, have them also look at that hash, and make sure that what they’ve received is authentic, that nobody changed this file somewhere along the line. And they know that it came from you because you’re matching up the keys that you’re using to create that hash with– some very nice capabilities there. That means you don’t have to encrypt the entire file that you’re sending. You can simply send it along in plain text, but still be assured that nobody changed that file somewhere in between.

Let’s take an example of this. I’m on the GnuPG webpage. This is the open source version of PGP– an absolutely free version. It’s called GNU Privacy Guard. And I’ve downloaded a file. You can see in this download section that they have a number of files here. And along with the files, they have put the shaw one checksum for this. This is the hash of that particular file.

And I’ve downloaded this one right here– this GNU PG 1.4.11 tar gz, which is supposed to have this checksum. So let’s see if it does. I’m going to flip over to my terminal screen, which is right here. Let’s move it up so we can see all these things at the same time. Move this down.

Here’s the file that I’ve downloaded right here. Let’s see if that’s what’s really there. Yes that is. That’s the GNU PG 1.4.11 tar gz that’s on my hard drive. And I’m going to check it with that shaw one checksum, using open SSL. And I’m just going to specify as a parameter shaw one, and then the name of the file. And open SSL will perform this shaw one checksum for me and create this hash from the file.

And ideally, that hash should match exactly what’s on the website. And if you compare those two, you can see they are exactly the same. We have mathematically gone through that file, created a hash of it, and now we can be assured that the file that is on my hard drive right here matches the file that was put out there on the web server originally.