More on Hashing Functions - Security Series #4.2.1

Ben asked me a question this morning in the comments section of my last post. I started to answer and realized the answer was getting WAY too long (and wide) for the comments section, so I am making a follow up post.

Ben Asked "Just so I am clear on Hashing, it is possible for two strings to result in the same hash value, right?"

Thanks for the question, Ben. I probably should have explained that better.

Yes, it is possible for two input values to have the same hash value, but depending on the hash function you use it becomes less and less likely, to the point of being nearly impossible.

Two input values having the same hash value within a hash function is called a collision. Some hash functions have stronger "collision resistance" than others.

I showed the example of the MD5 hashing of the phrases "Jason", "Model-Glue", and "SR-71 Blackbird".


Well, here are those same values hashed with SHA-256.


And here they are hashed with SHA-512.


The SHA-512 hash probably won't even fit properly on this page.

So you can see that the chance of a collision becomes much smaller.

If we were to pass an infinite number of strings of a length greater than the fixed length of the hash, it is assured we would find a collision. But if you limit the length of your users' passwords to 25 characters, and have a UUID salt of 35 characters, then that 60-character string should never yield a collision in the 128-character hash resulting from SHA-512.
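To make the two points above concrete (output length grows with the algorithm, and collisions are a matter of how many outputs exist), here is an added example that is not code from the original post. It hashes the three phrases from the post with MD5, SHA-256 and SHA-512, reports the hex length each one occupies (the size a database column would need, which Ben asks about), and then deliberately truncates SHA-256 to a small number of bits, a constructed toy hash, to show how quickly a collision turns up when the output space is small and how the expected effort grows by roughly 2^(bits/2).

```python
import hashlib
from itertools import count

# The three phrases used in the post.
PHRASES = ["Jason", "Model-Glue", "SR-71 Blackbird"]
ALGORITHMS = ["md5", "sha256", "sha512"]


def digest_table(phrases=PHRASES, algorithms=ALGORITHMS):
    """Return {algorithm: {phrase: hex digest}} for every phrase/algorithm pair."""
    return {alg: {p: hashlib.new(alg, p.encode("utf-8")).hexdigest() for p in phrases}
            for alg in algorithms}


def hex_length(algorithm):
    """Number of hex characters a digest of this algorithm occupies
    (MD5 -> 32, SHA-256 -> 64, SHA-512 -> 128)."""
    return hashlib.new(algorithm).digest_size * 2


def truncated_hash(data, bits):
    """Constructed toy hash: SHA-256 cut down to its first `bits` bits, so the
    output space is small enough that a collision can be found on a laptop."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def find_collision(bits):
    """Feed distinct inputs to the toy hash until two share an output.
    Returns (input_a, input_b, tries). By the birthday bound, tries is
    usually near 2 ** (bits / 2); the pigeonhole principle caps it at 2**bits + 1."""
    seen = {}
    for i in count():
        msg = f"msg-{i}".encode("utf-8")
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg


def birthday_bound(bits):
    """Approximate number of random inputs for a 50% chance of a collision."""
    return 2 ** (bits / 2)


if __name__ == "__main__":
    for alg, rows in digest_table().items():
        print(f"{alg} ({hex_length(alg)} hex chars)")
        for phrase, hx in rows.items():
            print(f"  {phrase!r:20} {hx}")
    for bits in (16, 24):
        a, b, tries = find_collision(bits)
        print(f"{bits}-bit truncation: {a!r} and {b!r} collide after {tries} tries "
              f"(birthday estimate ~{birthday_bound(bits):.0f})")
```

The two colliding inputs still have different full SHA-256 digests; only the shortened output collides, which is exactly why a longer digest makes collisions so much rarer.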


I forgot to link to the previous post. Here it is.

I really need to get SES URLs ;)

# Posted By Jason Dean | 5/19/08 9:23 AM

I must say Jason, I'm loving this security series. I've used some of these concepts before, but without really understanding the reasoning behind each.

You've succinctly explained these concepts in a way that I can easily grasp and (hopefully) will be able to implement just as easily in my own apps.

Looking forward to the rest of the series!

# Posted By Pete Capra | 5/19/08 5:52 PM


Hey, thanks! That really means a lot. I've not been blogging for very long, and it is really nice to read feedback like that. I've been getting so few comments that I sometimes wonder if people were reading.

Again, thanks. I enjoy doing this, and it encourages me to hone my skills, so I plan on continuing. I just hope I can keep up the pace.

# Posted By Jason Dean | 5/19/08 8:24 PM


Looks good. When you mentioned "collision", this is what was meant. I also didn't realize that different hashing functions resulted in different length strings. I had just always assumed that it came back with a 32 character string. This is really good to know (especially when you are designing your database schema to hold hashed values).

Thanks for clearing it up. I agree with Pete - the security series is most helpful!

# Posted By Ben Nadel | 5/20/08 1:20 PM


Thanks. I'm glad I was able to make it clear. I realized after your question that I did not really explain those topics very well. It's such a big subject. I probably could have made 2 more posts out of it. And maybe someday I will :)

# Posted By Jason Dean | 5/20/08 1:30 PM