517.3 Hashing and digital signatures

Overview

In this topic, we explore two powerful tools for verifying the integrity and authenticity of data: hashing and digital signatures. Hashing is used to detect whether data has been altered, while digital signatures confirm the identity of the sender. These concepts are used in web development to protect files, verify messages, and ensure trust in secure communication.

Targets

In this topic, students learn to:

• Define hashing and explain its role in ensuring data integrity

• Describe how hash functions produce fixed-length values from data

• Explain how digital signatures are created and verified

• Recognise how hashing and signatures are used in HTTPS and software security

• Identify common use cases for hashing in web applications

Syllabus references

What is hashing?

Hashing is the process of converting data into a unique fixed-length value called a hash or digest. Even a slight change in the input produces an entirely different hash.

Hashing is used to:

• Check whether data has been changed (data integrity)

• Store passwords in a secure way

• Identify duplicate files or messages

Properties of a good hash function

• Deterministic – the same input always produces the same hash

• Irreversible – it’s nearly impossible to reverse a hash back to the original data

• Collision-resistant – it’s doubtful that two different inputs produce the same hash

Common hash algorithms

• SHA-256 – used in HTTPS certificates and blockchain

• MD5 – faster but outdated due to known vulnerabilities

• SHA-1 – deprecated due to collision risks

What is a digital signature?

A digital signature confirms that:

• The data has not been altered

• The data came from a trusted sender

Digital signatures are created using asymmetric encryption:

1. The sender generates a hash of the data

2. They encrypt the hash using their private key

3. The recipient decrypts the signature using the public key

4. If the hash matches, the data is verified

Digital signatures are based on the Public Key Infrastructure. By this mechanism, two keys are generated: a Public Key and a Private Key. The signer keeps the private key, and it should be kept securely. On the other hand, the receiver must have the public key to decrypt the message.

Use cases in web development

• HTTPS certificates include digital signatures to verify website identity

• Software downloads often include a hash value to check integrity

• Signed tokens (e.g. JWTs) use digital signatures to verify content and expiry time

Summary

Hashing and digital signatures are essential tools in secure web systems. Hashing ensures that data has not been altered, while digital signatures confirm that the data comes from a verified source. Together, they help protect communication, software, and user data across the web.