In part 1 of this series discussing hashing, we explored how to run hashing commands from the command-line in Linux, OSX, and Windows 10. Part 2 took a more global overview of hashing and its uses. In this, part 3, we'll look at one more way to produce a hash via the command-line in most variations of opensource *nix using the OpenSSL toolkit. As stated before, cryptographic hashing helps to assure file and data integrity by providing a one-way data-map of the data being hashed. The hashing algorithm provides a string of characters that represents the data being hashed, and will change if the data being hashed is modified in anyway whether intentional or unintentional. Before we move on to the exercise, here's a quick overview of a weakness of this cryptographic function known as a “collision.” If you're familiar with hashing, you have noticed that the output is simply a string of characters, the length of which is determined by the hashing function that's chosen. If an attacker can find a piece of data that results in the same hash string being produced as that of the data being protected, a collision has taken place. For instance, if I hash a file and the output of the hash process is “jsbfsj”, a collision takes place if a completely different file is hashed and also outputs the string “jsbfsj”. In the case of a password hash, an attacker may not need to know my password if they have the ability to produce the same hash. In other words, if my password is “dog” and the password hash = “kjhll”, and then an attacker discovers that “this isdiff3r3nt” also produces the password hash = “kjhll”, either “dog” or “this isdiff3r3nt” would suffice to compromise my account. When increased processing power and/or weak algorithms begin to increase the likelihood of being able to produce a collision, it's time to begin using a stronger hashing algorithm. Let's move on to hashing using OpenSSL. In part 2 we saw that another name for a hash was digest. It's important to recognize the various names. Why? Because if you were to look at the man page for OpenSSL (man OpenSSL), you would see the following text listed “Calculation of Message Digests”. Further, the command to conduct hashing in the OpenSSL toolkit is “dgst” (OpenSSL is so large that “OpenSSL” is the application part of the command-line string, you also need to provide a “standard command”). Let's see this happen. Using the test file from Part 1 (or any file that you want to use), open up a command terminal and get a md5 hash using the md5sum program (on linux):
pig-pig:tmp$ md5sum test_file.txt
MD5 (test_file.txt) = f0eac7ea373ec547cc3dee88a3c50a3a
Now, let's use OpenSSL to get a md5 hash of the same file:
pig-pig:tmp$ openssl dgst -md5 test_file.txt
MD5(test_file.txt)= f0eac7ea373ec547cc3dee88a3c50a3a
Notice that we used 2 different programs to provide the hashes, but the hash-strings (digests) are the same. They should be. And just for clarification, the md5sum program belongs to the coreutils package on my Debian system, while the OpenSSL program belongs to the OpenSSL package. In summary, hashing has many uses in basic computer operations. Most of the time these operations are performed without user intervention. But, when needed, a user can start a terminal window and perform a manual hash. You should get friendly with the man pages on these commands. With the exception of OpenSSL , the commands have only a few switches, and most importantly, you need to know which hashes your system supports. OpenSSL is a whole different ball of fun. I plan on visiting this suite of tools soon.