What does SHA1 and SHA256 do?

Dec 13, 2023

1. Hashing

Hashing is a mathematical technique used in Computer Science to convert input data of any size into a fixed-size string of characters (hash-code).

They are used in: SSL Certs, SSH, Crypto,…

There are differences between Hashing and Encryption:

Hashing vs Encryption

2. SHA

Abbreviation of Secure Hash Algorithm, is a family of cryptographic hash functions that were developed and published as standards by U.S. federal government.

SHA can protect data that is only accessible to hackers by Brute force.

A small change in the input data will produce a significantly different hash code value.

3. SHA-1/SHA-256

Both are part of the SHA family.

  • SHA-1:

    • 160-bit hash value - 40-digit hexadecimal
    • Less usage, sometime produce “collision”

  • SHA-256:

    • 256-bit hash value - 64-digit hexadecimal
    • Part of SHA-2 family
    • Stronger security than SHA-1, widely-used nowadays.

Example: “Hello, World”

  • SHA-1: 0a0a9f2a6772942557ab5355d76af442f8f65e01
  • SHA-256: dffd6021bb2bd5b0af676290809ec3a53191dd81c7f70a4b28688a362182986f

4. In Action

4.1. SSL Certificates

SSL Certs are used to authenticate the identity of a website and establish an encrypted connection between Server and Client.

SHA in SSL Certs

4.2. Github SSH keys

Don’t mistake that the key we input to SSH keys of Github is a hashing. It’s actually a pair of public/private key generated by cryptographic algorithms like RSA, DSA,… The private key is kept secret on your local, while the public key can be shared.

But the fingerprint which is used to identify an SSH public key is generated by applying a cryptographic hash function (SHA1/SHA256) to the public key. That’s why we see it something like SHA256:z7Mpj5nUSEOahlKJY1Om/yKuhr66LfrBMtNpVzf+SAQ in the Github interface.

Github uses this fingerprint to compare with the fingerprint from our SSH client (also a generated fingerprint from public key) before process to the next authentication with public key and private key. This happens when we do something like git pull, git push,…

Sometime you will see the passphrase, it’s an additional layer of security used to protect our private key. The passphrase encrypts the private key itself, making it more secure.

4.3. Android App with Firebase

In Android, SHA certificate fingerprints are used to uniquely identify the app’s signing certificate. Ensure that the requests coming from our app is not an imposter (authenticity & integrity). It is generated by using the keystore file that we use to sign our app. For debug builds, Android Studio usually uses the default debug keystore.

Firebase requires SHA fingerprint to ensure the request coming from our app is authentic for services like: Firebase Authentication, Google Sign-In, in-app purchase.

Android app relies on SHA certs while iOS app using provisioning profiles and certificates from Apple.

Refs:

https://certera.com/blog/sha1-vs-sha2-vs-sha256-vs-sha512-hash-algorithms-know-the-difference