Questions tagged [sha256]

SHA-256 is a hashing algorithm.

178 questions
91
votes
2 answers

What is the relationship between "SHA-2" and "SHA-256"

I'm confused on the difference between SHA-2 and SHA-256 and often hear them used interchangeably (which seems really wrong). I think SHA-2 a "family" of hash algorithms and SHA-256 a specific algorithm in that family. Is that correct? Can someone…
Mike B
  • 3,336
  • 4
  • 29
  • 39
69
votes
4 answers

What are requirements for HMAC secret key?

I'm creating HTTP REST service which will be available over tls only. For authentication purposes I plan to generate JWT token for every user using HMAC HS256. I need a secret key for HMAC. What are the requirements for secret key? Do I need a long…
ivstas
  • 793
  • 1
  • 6
  • 6
57
votes
5 answers

Is it secure to use MD5 to verify the integrity of small files (less than 15kb)?

I know that collision for MD5 has been documented since the 90s and that digital certificates based off of MD5 has been demonstrated to be completely compromised back in 2010 but how effective is MD5 in ensuring that small amounts of data have not…
thebunnyrules
  • 673
  • 1
  • 5
  • 10
34
votes
7 answers

How can crackers reconstruct 200k salted password hashes so fast?

I'm researching for a small talk about websecurity and I found one article about the formspring hack, which made me curious. They claim to have used SHA-256 + salt We were able to immediately fix the hole and upgraded our hashing mechanisms from…
33
votes
2 answers

SHA256 security: what does it mean that attacks have broken "46 of the 60 rounds of SHA256"?

Wikipedia reports Currently, the best public attacks break 46 of the 64 rounds of SHA-256 or 46 of the 80 rounds of SHA-512. What does this mean, and how safe is SHA-256 expected to be in the conceivable future? To a layperson, 46 out of 64 may…
Random Random
27
votes
7 answers

Is sha1sum still secure for downloadable software packages signature?

We use sha1sum to calculate SHA-1 hash value of our packages. Clarification about the usage: We distribute some software packages, and we want users to be able to check that what they downloaded is the correct package, down to the last bit. The…
Michael
  • 1,457
  • 1
  • 18
  • 36
25
votes
2 answers

Truncating the output of SHA256 to 128 bits

Suppose we need/prefer 128 bit hash output, for example to generate a 128 bit encryption key or, in other applications (e.g. file integrity verification), to consume less storage space. I don't know of any new/standard/unbroken 128 bit hash…
H M
  • 2,897
  • 6
  • 22
  • 21
25
votes
6 answers

Is a sha256 hash of a unix timestamp a strong password

I am setting up a postgres db that will never be used by humans. In fact, I really don't need to know it myself ever. I assumed that just using a 256bit(64 alphanumeric chars) hash of a unix timestamp IE: date +%s%3N | sha256sum A very important…
ThisGuyCantEven
  • 499
  • 4
  • 10
24
votes
3 answers

How secure are sha256 + salt hashes for password storage

I started reading about password hashing recently on multiple sites like this page on crackstation and others, and for what I have understood, I should avoid using hashing algorithms like md5 and sha1 for they are outdated and instead, I should use…
Yuran Pereira
  • 351
  • 1
  • 2
  • 7
24
votes
1 answer

What kind of hashing to use for storing REST API tokens in the database?

We have a REST API that communicates with a mobile front-end. After submitting a one time password, the backend will issue a token (random UUID v4 string) for the mobile app to use as authentication on subsequent requests. The server will store a…
maniciam
  • 343
  • 2
  • 4
23
votes
2 answers

Client-server encryption technique explanation (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 128 bit keys)

I opened a web page using https. When I looked at the page info provided by my browser (Firefox) I saw following: Connection encrypted: High-grade Encryption (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 128 bit keys). I got a question - what does this…
VL-80
  • 1,234
  • 1
  • 9
  • 17
23
votes
9 answers

Deprecation of SHA1 code signing certificates on Windows

EDIT (7/7/2016) - see addition at the end of post I have been keenly following the issues with regards to Microsoft deprecating the use of SHA1 code-signing certificates for Windows executables…
Kevin
  • 331
  • 1
  • 2
  • 7
20
votes
1 answer

John the ripper does not crack password

I'd like to attack a self-created sha256 hash with john --wordlist= So far I've done the following: $ echo 'testpassword' | sha256sum > mypassword removed the tail of the output with vim $ cat…
user430
  • 303
  • 1
  • 2
  • 5
17
votes
1 answer

Is the Litecoin Scrypt hashing technique a threat to hashed passwords?

The Bitcoin alternative, Litecoin uses a different algorithm to protect the block chain, namely Scrypt (not Sha256). Given that GPU accelerators exists, and ASICS are due to be released, does the widespread implementation of the Litecoin network…
makerofthings7
  • 50,090
  • 54
  • 250
  • 536
17
votes
1 answer

Manually walking through the signature validation of a certificate

Since I am not too familiar with the Web of Trust and Public Key-Infrastructure I decided to learn about it by following the signing chain of a X.509 certificate issued to CN=*wikipedia.org (Serial number:…
1
2 3
11 12