Viewing a single comment thread. View all comments

PieMastaSam t1_iwlldwd wrote

Why couldn't someone simply run an encryption algorithm in reverse to crack a hash (I'm not sure if I am asking this correctly lol)? I'm thinking of something like AES. Also, if it is possible can someone explain AES in a eli5 manner.

3

physicswizard t1_iwlyj3k wrote

Hash functions are designed to be easy to perform, but difficult to undo, and multiple inputs could map to the same output. As an analogy, think about adding two numbers. It is simple to say 2+3=5, but if I gave you the number 5 and asked which two numbers I added together to get that, there are multiple answers. Now imagine the operation is even more complicated than addition, involving bit shifts, elliptic curves, etc.

16

calcopiritus t1_iwnxzeb wrote

While you have received many answers on the AES thing, I've only seen one on the hash question.

Hashes are not difficult to reverse, they are impossible. That is because you lose information when performing a hash.

It's easy to see if we use the modulus operator (%). It's just the remainder you get after a division. So 1%3 = 1, 2%3 = 2, 3%3 = 0, then 4%3 = 1 again.

So if I tell you to solve x%3=1, you can't know what X is. It might be 1 or 4 or 7...

If I hash my password "1234" and it becomes "hfiek", you have no way to obtain "1234" back, because there is an infinite amount of passwords whose hash is "hfiek".

6

Treacherous_Peach t1_iwp3pwy wrote

Wouldn't any solution be sufficient? Don't most places use the same hashing algorithms? So who cares if you got a different password from the real one, it will probably still work on other sites too?

5

calcopiritus t1_iwp4k5e wrote

To "break" a hash yes, any solution is sufficient. However, getting 1 of those solutions is still really hard. In this case the total amount of "hashes" is 3: either 0, 1 or 2. Real hashing algorithms have many more possible hashes.

It won't necessarily work in other sites for 2 reasons.

  1. "1234" and "7463" might generate the same hash using algorithm X, but it probably won't using algorithm Y. If 2 sites use different algorithms, you have to know the actual password. EDIT: I just saw you mentioned this, but it's still interesting to point out.

  2. Just hashing a password is bad practice for exactly this reason, so the recommended technique is doing hash+salt. That means every site generates a random "salt" for every user, and adds it to the password before hashing. So the password for site X is actually "1234jdyendi" while in site Y is "1234udnfki". Although you type the same password in both sites, it's actually a different one from an attacker POV, you need to know "1234", any other solution won't work for both sites.

3

Stevetrov t1_iwmsua6 wrote

I will describe streaming encryption with AES because that's easiest. To be clear AES is not a secure hash function, it's a symmetrical encryption algorithm.

Just think of aes as a black box that does the following

  • takes a key (128, 192, 256 bits long) basically a huge massive number. There are so many possible keys that all the computers in the world wouldn't be enough to try them all ... not even close.
  • from this key the box outputs a key stream of one's and zeros that is different for each key.
  • the key stream that comes out of the box appears completely random, has no structure and doesn't repeat.
  • two key streams of two related keys are not related.

To encrypt your data, XOR* each bit of the data with each bit of the key steam. The the result is your encrypted data.

To decrypt the data you do exactly the same you did to encrypt, use the same key and your original data is recovered.

*XOR (exclusive OR) takes two binary inputs and returns 1 if the two inputs are different, it returns 0 if they are the same.

2