Hash Generator

Hash function properties — what makes a good hash

A cryptographic hash function must satisfy four essential properties to be considered secure.

Deterministic: the same input always produces the same output. This is essential for the verification use case — if hashes were random, you couldn't confirm a file hadn't changed.

Pre-image resistance: given a hash output, it must be computationally infeasible to find any input that produces that hash. This is what makes hashes one-way — you cannot reverse a SHA-256 hash to find the original data.

Second pre-image resistance: given an input and its hash, it must be computationally infeasible to find a different input with the same hash. This prevents an attacker from substituting a malicious file that has the same hash as a trusted file.

Collision resistance: it must be computationally infeasible to find any two different inputs that produce the same hash. This is a stronger property than second pre-image resistance — it requires that no collision can be found at all, not just that a specific input can't be matched.

MD5 and SHA-1 have been broken for collision resistance: researchers can produce collisions on consumer hardware. They remain useful for checksums where collision attacks are not a concern (detecting accidental corruption), but must not be used for security purposes.

Practical uses for file hashing

Hashing a file produces a unique fingerprint that enables several practical applications.

Download integrity verification: open-source projects and software vendors publish SHA-256 hashes alongside downloads. After downloading, you hash the file and compare the result to the published hash. If they match, the file was not corrupted in transit and has not been tampered with. If they differ, discard the download and try again.

Deduplication: storage systems use hashing to identify duplicate files. If two files have the same SHA-256 hash, they are (with overwhelming statistical certainty) identical, and only one copy needs to be stored. Git uses SHA-1 hashing to identify objects (commits, trees, blobs) and detect duplicates.

Change detection: monitoring systems hash configuration files or critical system files periodically. Any change to a file produces a different hash, triggering an alert. This is the principle behind file integrity monitoring tools (Tripwire, OSSEC, AIDE) used in security operations.

Content-addressed storage: instead of naming files by path, systems like IPFS, Git objects, and many caches identify content by its hash. This makes content immutable and enables efficient caching and sharing — if you request a hash you already have, you don't need to fetch it again.

HMAC authentication — how it works and where it's used

HMAC (Hash-based Message Authentication Code) combines a hash function with a secret key to produce a code that authenticates both the content and the sender. Unlike a plain hash, which anyone can compute, an HMAC can only be computed by someone who knows the secret key.

The HMAC formula: HMAC(K, M) = H((K ⊕ opad) || H((K ⊕ ipad) || M)), where H is the hash function, K is the key, M is the message, opad and ipad are fixed padding constants. This double-hash structure provides protection against length extension attacks that affect plain hash authentication.

Real-world uses: AWS API request signing uses HMAC-SHA256 to authenticate every API call — the signature in the Authorization header is an HMAC of the canonical request string with your AWS secret key. Webhook providers (Stripe, GitHub, Twilio) include an HMAC signature in webhook request headers so recipients can verify the request came from the legitimate source. JWT tokens using HS256 use HMAC-SHA256 to sign the header and payload.

HMAC is not encryption — it does not hide the message content. It only proves authenticity and integrity. For confidentiality, combine HMAC with encryption (or use an authenticated encryption mode like AES-GCM that provides both simultaneously).