Hash Algorithms Explained: MD5, SHA-1, SHA-256 Principles and Applications

Hash Algorithms Explained: MD5, SHA-1, SHA-256 Principles and Applications

Hash algorithms are methods that convert data of any length into fixed-length hash values. They are widely used in cryptography, data integrity verification, data indexing and other fields. This article explains common hash algorithms, their characteristics and applications.

1. Hash Algorithm Principles

The core idea of a hash algorithm is to convert input data of any length into a fixed-length output through a series of complex mathematical transformations. This process is one-way, meaning the original input cannot be derived from the hash value. Hash algorithms are designed to ensure that even a tiny change in the input data results in a huge difference in the output hash value (avalanche effect).

Mathematical Foundation

Hash algorithms are usually based on compression functions and iterative structures. The compression function compresses fixed-length input into shorter output, and then iteratively compresses input of any length step by step. Common structures include the Merkle-Damgård construction and the sponge construction. These structures ensure the security and efficiency of the algorithm.

2. Hash Algorithm Properties

  • Deterministic: Same input always produces same output
  • One-way: Cannot derive original input from hash value
  • Avalanche effect: Small input changes cause large output changes
  • Fixed length: Output length is fixed regardless of input size
  • Collision resistance: Hard to find two different inputs producing same hash

8. Hash Algorithm Application Comparison

Algorithm Output Length Security Recommended Use
MD5 128 位 (32 字符) Compromised Non-security scenarios, checksums
SHA-1 160 位 (40 字符) Compromised Compatibility scenarios
SHA-256 256 位 (64 字符) Secure Security scenarios, data signing
SHA-512 512 位 (128 字符) Secure High security requirements

4. Hash Calculation in JavaScript

4.1 Using Web Crypto API

async function sha256(message) {
  const msgBuffer = new TextEncoder().encode(message);
  const hashBuffer = await crypto.subtle.digest('SHA-256', msgBuffer);
  const hashArray = Array.from(new Uint8Array(hashBuffer));
  const hashHex = hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
  return hashHex;
}

const result = await sha256('Hello, World!');
// dffd6021bb2bd5b0af676290809ec3a53191dd81c7f70a4b28688a362182986f

4.2 MD5 Calculation

Web Crypto API does not support MD5, needs third-party library:

// 使用 crypto-js 库
const MD5 = require('crypto-js/md5');
const result = MD5('Hello, World!').toString();
// 65a8e27d8879283831b664bd8b7f0ad4

5. Common Application Scenarios

5.1 Password Storage

When storing passwords, use salted hashes:

async function hashPassword(password, salt) {
  const salted = password + salt;
  return sha256(salted);
}

const salt = crypto.randomUUID();
const hashedPassword = await hashPassword('myPassword123', salt);

// 存储: { password: hashedPassword, salt: salt }

5.2 Data Integrity Verification

Verify integrity when downloading files:

async function verifyFile(file, expectedHash) {
  const arrayBuffer = await file.arrayBuffer();
  const hashBuffer = await crypto.subtle.digest('SHA-256', arrayBuffer);
  const actualHash = Array.from(new Uint8Array(hashBuffer))
    .map(b => b.toString(16).padStart(2, '0')).join('');
  return actualHash === expectedHash;
}

5.3 Data Deduplication

Quickly determine if data is duplicate using hash values:

const seenHashes = new Set();

function addUniqueData(data) {
  const hash = sha256(JSON.stringify(data));
  if (!seenHashes.has(hash)) {
    seenHashes.add(hash);
    // 保存数据
  }
}

6. Security Considerations

  • Do not use MD5 or SHA-1 for password storage
  • Use salted hashes for sensitive data storage
  • Consider dedicated password hashing algorithms like Argon2, bcrypt
  • Regularly update hash algorithms

7. Advanced Techniques

7.1 HMAC Message Authentication Code

HMAC is a keyed hash algorithm for verifying data integrity and authenticity:

async function hmacSHA256(message, secret) {
  const encoder = new TextEncoder();
  const keyMaterial = await crypto.subtle.importKey(
    'raw',
    encoder.encode(secret),
    { name: 'HMAC', hash: 'SHA-256' },
    false,
    ['sign']
  );
  const signature = await crypto.subtle.sign('HMAC', keyMaterial, encoder.encode(message));
  return Array.from(new Uint8Array(signature))
    .map(b => b.toString(16).padStart(2, '0')).join('');
}

// 使用
const secret = 'my-secret-key';
const signature = await hmacSHA256('Hello, World!', secret);
console.log(signature);

7.2 Salted Hash Best Practices

Secure password hashing requires random salt and appropriate iteration count:

async function hashPassword(password) {
  // 生成随机盐
  const salt = crypto.getRandomValues(new Uint8Array(16));
  
  // 使用 PBKDF2 进行密钥派生
  const encoder = new TextEncoder();
  const keyMaterial = await crypto.subtle.importKey(
    'raw',
    encoder.encode(password),
    { name: 'PBKDF2' },
    false,
    ['deriveBits']
  );
  
  const derivedKey = await crypto.subtle.deriveBits(
    {
      name: 'PBKDF2',
      salt: salt,
      iterations: 100000,
      hash: 'SHA-256'
    },
    keyMaterial,
    256
  );
  
  const hash = Array.from(new Uint8Array(derivedKey))
    .map(b => b.toString(16).padStart(2, '0')).join('');
  
  return {
    salt: Array.from(salt).map(b => b.toString(16).padStart(2, '0')).join(''),
    hash: hash,
    iterations: 100000
  };
}

7.3 Constant Time Comparison

Secure comparison to prevent timing attacks:

function constantTimeCompare(a, b) {
  if (a.length !== b.length) return false;
  
  let result = 0;
  for (let i = 0; i < a.length; i++) {
    result |= a.charCodeAt(i) ^ b.charCodeAt(i);
  }
  return result === 0;
}

// 使用
const storedHash = 'abc123...';
const inputHash = 'abc123...';
const isValid = constantTimeCompare(storedHash, inputHash);

7.4 Common Issues and Debugging

Issue Cause Solution
Case Inconsistency Hash values have both uppercase and lowercase representations Convert to lowercase or uppercase before comparison
Encoding Issue Different encoding produces different hashes Use UTF-8 encoding consistently
Salt Management Forgot to store salt value, unable to verify Store salt together with hash
Output Length Inconsistency Missing leading zeros in hex encoding Use padStart(2, '0') to pad

8. Hash Algorithm Application Comparison

Choose the right hash algorithm:

Scenario Recommended Algorithm Reason
密码存储 Argon2 / bcrypt Resistant to brute-force, configurable cost
数据完整性 SHA-256 Secure and performant
文件校验 SHA-256 / SHA-512 High security requirements
缓存键 MD5 Non-security scenario, performance first
数据签名 HMAC-SHA256 Keyed authentication

9. Using Tudousi Tools for Hash

Tudousi Tools provides multiple hash algorithm calculation features:

  • Supports MD5, SHA-1, SHA-256, SHA-512 and other algorithms
  • Supports text and file hash calculation
  • Real-time calculation, no server upload needed
  • Supports batch processing

Use SHA Hash Tool Now

Use MD5 Hash Tool Now

10. Summary

Hash algorithms are the foundation of modern security systems. Understanding the characteristics and applicable scenarios of various algorithms helps you make correct technical choices. Tudousi Tools' hash calculation feature helps you quickly verify data integrity.