Skip to content

Instantly share code, notes, and snippets.

@jcasimir

jcasimir/hashing_exercises.markdown

Created September 13, 2018 16:08
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save jcasimir/1533189d8e90a9e3ceba33708d792090 to your computer and use it in GitHub Desktop.
Save jcasimir/1533189d8e90a9e3ceba33708d792090 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
hashing_exercises.markdown

Hashing in Practice

You can complete these exercises in JavaScript or Ruby.

We'll provide timing constraints on the board. If you're moving quickly and feeling confident, complete the Extension questions. But if you're not, make sure you complete all the non-Extension exercises first.

Hashing Fundamentals

You've done some hash building in the physical space. Let's practice doing it with the machine.

  1. What is the MD5 digest of the string "Hello, World!"
  2. What is the Sha256 digest of the same string?
  3. Repeat both MD5 hashing and Sha256 hashing by remove the exclamation mark in the input. What do you notice about the output?

Extension

Feeling good about hashing? Try answering these questions:

  1. Which algorithm (MD5 / Sha256) is faster? Can you prove it using a dataset of at least 100 inputs and calculating the percentage speed difference?
  2. Is the percentage difference consistent if you increase the size of each individual input data by 100 times?
  3. Is there a scenario where you'd want to intentionally choose a slower algorithm? Why?

Dumb Secrets

Hashing functions are one-way functions which is useful in security, but it's not fool-proof.

Say you hack into my application and are able to retrive all my users' hashed passwords. You find that the account with username boss@example.com has this hashed password:

3e40106b8f4332e18d76e94124d9c82a

Based on the length of the digest you guess it's an MD5. You know that some users, particularly bosses, are lazy and they do dumb things like re-use their 4-digit ATM pin for their password. But the application required a password of eight digits, so they might have repeated the pin.

  1. What's this user's password?
  2. Would the user have been "more secure" if they used eight letters rather than eight numbers?

Extension

A "rainbow table" makes this reverse engineering much faster.

  1. Can you generate a CSV file that has two columns: the first column contains all possible 8-digit codes following the 4+4 rule above, then the second column has the MD5 digest for that input.
  2. If you now have an MD5 digest for an input that is expected to follow the 4+4 rule, how long does it now take you to "crack" a password?
  3. Could you generate the same file for the all words of eight or more letters in the dictionary? (hint: you have a text file dictionary on your filesystem at /usr/share/dict/words)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment