We will be taken through the two equivalent hashing processes that simulate a secured text document transmission, one using the SHA-1 hashing algorithm and another using the MD5 hashing algorithm. Hashes are cryptographic algorithms that manipulate data and produce fixed-length digests regardless of the amount of data used to create them. Despite small minor changes of the input data, hashing algorithm’s outputs changes significantly, which is an indication of the complexity of the algorithms mathematical computational formulas. This paper will study the outputs of encrypted and decrypted text documents against the two various hashing algorithms SHA-1 and MD5. A password will be created during the encryption phase, which essentially functions as a secured key used to unlock the file for the intended recipient. The quality and usefulness of the SHA-1 and MD5 algorithms are widely debated and both arguments will be discussed here.

Hashing of a text document

First we need to create a document that contains some content. I used the README file produced after I downloaded the Quick Hash software program. I downloaded Quick Hash using the Chrome browser, which saved the file to my hard drive. After installing the Quick Hash software, the program immediately launched and I was greeted with the main window. I dragged the README file into the main window of Quick Hash and instantaneously was greeted with a “Hashing Complete!” notification, which is SHA-1. By Simply checking the MD5 Hashing Algorithm button in Quick Hash, the program re-hashed the file in an instant. I actually toggled back and forth between selecting the MD5 and SHA-1 radial button and noticed the Quick Hash program recomputed each algorithm in real-time. In doing this, I was able to notice that the MD5 algorithm has a slightly shorter Hash value length compared to the SHA-1. In addition, as stated before, the length of the test file does not determine the length of the hash value as the length of the hash value for each corresponding algorithms is predetermined by the algorithm itself and cannot be modified in any way. The difference in algorithm architecture plays a role in the resulting outputs. SHA-1 has a larger state than MD5: 160 vs. 128 bits. SHA-1 has more rounds than MD5: 80 vs. 64.

File Encryption

AEScrypt. I downloaded file encryption software called AEScrypt from www.aescrypt.com and installed it to the hard drive. After the installation, AEScrypt became a selectable option on the right-click button using the mouse. After right clicking on the file, I was presented with a box to enter a password. After entering the password a new encrypted README file was placed on the desktop with a lock icon on top with the words “AES”. I compared both the SHA-1 and MD5 hash values of the encrypted and original files, which resulted in a mismatch. This is the resultant of the original file being modified during the encryption process. It should be noted that the hash values of the encrypted file should match at both the transmitters and receivers ends just as the original file’s hash should match at both ends as well.

HxD Hex Editor. In this next step we will examine the contents of the encrypted file using a program called “HxD”, which I was able to download from Here. HxD is a Hex Editor, which can read files whether encrypted or not, in raw form. I opened the encrypted README file using HxD and was able to see the file was created with AEScrypt in a Windows GUI with the AES encryption algorithm. The rest of the contents of the file were unreadable as it was encrypted. I also opened the original file using the HxD editor and was able to read the file in clear text. This proved that the AEScrypt software effectively encrypted the file with a resulting hash value different from that of the original file. I repeated this procedure using both the SHA-1 and MD5 algorithms and noticed the differences in sizes of hash values. As stated earlier, the SHA-1 hash yielded a longer hash value than the MD5.

Decryption. To decrypt the file, I had two options. I could either double click the encrypted README file or right-click on the file and select “Decrypt” from the dropdown. After entering the password, I was presented with an error saying that the file already exists. This is because I’m acting as the sender and receiver on the same computer that I’m performing this procedure. After renaming the original file, I was able to decrypt the encrypted file to the desktop after entering the correct password and unlocking the file. I was able to compare the SHA-1 and MD5 hash values with a match for both algorithms. The matching hash values indicate that the received file is an exact unmodified match of the original sent file.

Conclusions and Final Arguments

There are arguments on both sides for and against the use of the SHA-1 and MD5 as hashing algorithms. Although hashing algorithms were designed to ensure integrity of information transmission, there are said drawbacks to their design. One of the drawbacks to said hashing security mechanisms is Brute Force attacks or dictionary attacks, which uses a list of known words that are potential candidates for a password. Brute force attacks generally require a huge amount of CPU or GPU processing power and patience, as these particular types of attacks usually require days, weeks, or years to perform to achieve positive results. The amount of time required to crack passwords depends on the complexity of the passwords used.

A general rule of thumb is, “NO EMAIL IS 100% SECURE!” In the end it boils down to doing something instead of doing nothing. Personally, I found this experiment to be rather easy and fully comprehensible. I do believe that the average user could apply these security principles to their daily routines with a little practice. The average user will most likely know nothing about how to hash and encrypt a file but would be able to perform these actions after a few hours of practice. It’s always best to observe any and all security precautions when transmitting critical private sensitive data across public networks.

Citations:

sharpooth. (2010, 6 10). Algorithm Complexity & Security: MD5 or SHA1? Retrieved 4 19, 2015, from stackoverflow.com: http://stackoverflow.com/questions/2948156/algorithm-complexity-security-md5-or-sha1

Tasker, B. (2013, 6 7). Why You Shouldn’t be using SHA1 or MD5 to Store Passwords. Retrieved 4 18, 2015, from BENTASKER.CO.UK: https://www.bentasker.co.uk/blog/security/201-why-you-should-be-asking-how-your-passwords-are-stored

Trivedi, Y. (2011, 7 1). HTG Explains: What Are MD5 & SHA-1 Hashes and How Do I Check Them? Retrieved 4 19, 2015, from How To Geek: http://www.howtogeek.com/67241/htg-explains-what-are-md5-sha-1-hashes-and-how-do-i-check-them/