Usage Instructions & SHA Knowledge

What is SHA? How is it different from MD5?

  • Definition: SHA (Secure Hash Algorithm) is a family of cryptographic hash functions designed by the NSA.
  • One-way irreversible: Like MD5, SHA is a one-way hash algorithm (it extracts a fingerprint of the data), and it is not feasible to restore the original input from the hash value. Hashing is not encryption; asymmetric encryption refers to algorithms such as RSA, so do not confuse the two.
  • Comparison with MD5: The collision risk of MD5 has been proven (i.e., two different files can generate the same MD5 value), while the SHA family (especially SHA-256 and above) is much more secure than MD5. Therefore, SHA has completely replaced MD5 as the industry standard in digital signatures, SSL certificates, and blockchain.

SHA Family Version Evolution

  • SHA-1: Generates a 160-bit (40 hex characters) hash value. Google and others successfully attacked it in 2017 to produce collisions, so it is no longer secure and is not recommended for use in new security systems.
  • SHA-2 Family (including SHA-224, SHA-256, SHA-384, SHA-512): This is currently the most mainstream and widely used version. Among them:
    • SHA-256: Generates a 256-bit (64 hex characters) hash value. It is the basis of the Bitcoin mining algorithm and the first choice for most Web API signatures and password storage.
    • SHA-512: Generates a 512-bit (128 hex characters) hash value. It offers higher security and is suitable for financial or military-grade data verification with extremely high security requirements.
  • SHA-3: The latest hash standard. Its internal structure is completely different from SHA-1 / SHA-2 (it uses a sponge construction), and it mainly serves as a safeguard against unknown attacks on the SHA-2 algorithm that may appear in the future.

🔑 What is HMAC?

  • Definition: HMAC (Hash-based Message Authentication Code) is a key-based hash algorithm. It combines a hash algorithm (such as MD5 or SHA-256) with an additional secret key.
  • Function: A normal hash can only verify whether the data has been tampered with, while HMAC can not only verify data integrity but also verify the identity of the sender (because only the person with the key can generate the correct HMAC value).
  • Scenarios: Widely used in JWT (JSON Web Token) signature verification, WeChat Pay/Alipay API signatures, OAuth identity authentication, etc.

Application Scenarios

  • Password Storage: User passwords stored in website databases (usually salted and then hashed with SHA-256). Note that a single pass of a fast hash is cheap to brute-force; dedicated password-hashing functions such as bcrypt, scrypt, Argon2 or PBKDF2 are built for this purpose.
  • File Verification: After downloading large software (such as system images or game clients), verify the SHA-256 value to ensure the file has not been tampered with or had a Trojan implanted.
  • Digital Signature & Anti-tampering: When various open platform APIs communicate, a Secret Key is appended to the request parameters and the result is signed with SHA to prevent man-in-the-middle data tampering.
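
The HMAC section and the API anti-tampering scenario above, as an added example that is not code from this tool: a request is signed with HMAC-SHA256 and verified in constant time, next to an unkeyed SHA-256 digest that anyone who alters the request can recompute. The key, the parameter names, the `ts` timestamp field and the 300-second freshness window are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlencode

SECRET_KEY = b"constructed-demo-key"  # constructed sample key, not a real credential
MAX_SKEW = 300  # seconds a signed request stays valid (assumed policy)


def canonical(params: dict) -> bytes:
    """Serialize parameters in sorted order so both sides hash identical bytes."""
    return urlencode(sorted(params.items())).encode("utf-8")


def sign(params: dict, key: bytes = SECRET_KEY) -> str:
    """Return the hex HMAC-SHA256 tag over the canonical parameter string."""
    return hmac.new(key, canonical(params), hashlib.sha256).hexdigest()


def verify(params: dict, tag: str, now: int, key: bytes = SECRET_KEY) -> bool:
    """Accept only a fresh request whose tag matches, compared in constant time."""
    try:
        fresh = abs(now - int(params["ts"])) <= MAX_SKEW
    except (KeyError, ValueError):
        return False  # missing or malformed timestamp
    expected = sign(params, key).encode("ascii")
    return fresh and hmac.compare_digest(expected, tag.encode("utf-8"))


def plain_digest(params: dict) -> str:
    """Unkeyed SHA-256: whoever alters the parameters can recompute it."""
    return hashlib.sha256(canonical(params)).hexdigest()


if __name__ == "__main__":
    # Constructed sample request.
    request = {"amount": "100", "order_id": "A1001", "ts": "1700000000"}
    tag = sign(request)
    print("valid request:     ", verify(request, tag, now=1700000060))
    tampered = dict(request, amount="9999")
    print("tampered, old tag: ", verify(tampered, tag, now=1700000060))
    print("replayed too late: ", verify(request, tag, now=1700009999))
    forged = sign(tampered, b"attacker-guess")
    print("signed w/o the key:", verify(tampered, forged, now=1700000060))
```

Using the HMAC construction rather than hashing the parameters with the key simply appended also avoids the weaknesses of ad hoc keyed-hash schemes built on SHA-2.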