The NSA is taking a public shellacking online over its domestic communication monitoring systems that recently were revealed by leaker Edward Snowden.
The Internet furor over the NSA is somewhat ironic given that the NSA’s SHA-1 cryptographic algorithm is one of the things that make it possible to actually use the Internet in the first place.
Secure Hash Algorithm-1 was released by the NSA in 1995 after updating its antecedent, SHA-0. Basically, the algorithm takes a string of information and turns it into a 160-bit hash number.
So why does this matter?
Well, let’s say you have a Twitter password and it is “abc.” The SHA-1 algorithm takes the binary-coded form of those three ASCII letters [01100001 01100010 01100011] and outputs this hexadecimal string:
A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D
It’s very, very difficult to work backwards from the output to get the original input, “abc,” which is your password.
So, when Twitter saves your username and password onto its big file of everyone’s usernames and passwords, it’s your username and the SHA-1 hash of your real password that is actually listed.
When you log in, Twitter calculates the SHA-1 hash of the input password, compares it against the hash it has saved with your username, and lets you in if they match.
Why doesn’t Twitter just save your username and password in plain text? Well, if a hacker steals that file, all they have is a bunch of usernames and meaningless hashes. It’s not useful in the slightest. Plus, when trying a brute-force crack of a SHA-1 hashed password, the output hashes of, for example, “abc” and “abd” are completely different, so it takes a long time to crack them.
In fact, when you send an encrypted email or file, the same concept is used. Let’s say you want to send someone a file in which the ASCII string consists of 1,000,000 repetitions of “a.” The SHA-1 hash of this is:
34AA973C D4C4DAA4 F61EEB2B DBAD2731 6534016F
So, if I want to make sure you get the file uncorrupted and unedited, I send it to you with that hash. Your computer will verify that the SHA-1 hash of the file you received equals the SHA-1 hash I sent along, to make sure nobody messed with the file by, say, deleting one “a.”
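The two uses described above, as an added Python example that is not part of the original article: a login check against a stored hash and an integrity check on a received file, using the article's own inputs. It mirrors the scheme exactly as the article describes it (a bare SHA-1 of the password); the user name `alice`, the `STORE` dictionary and the function names are constructed for illustration.

```python
import hashlib
import hmac


def sha1_hex(data: bytes) -> str:
    """Return the 160-bit SHA-1 digest of data as 40 hex characters."""
    return hashlib.sha1(data).hexdigest()


def differing_bits(a: bytes, b: bytes) -> int:
    """Count the bit positions (out of 160) where the two SHA-1 digests differ."""
    da = int.from_bytes(hashlib.sha1(a).digest(), "big")
    db = int.from_bytes(hashlib.sha1(b).digest(), "big")
    return bin(da ^ db).count("1")


# Constructed credential file: username -> SHA-1 hash of the password.
# The password itself is never stored, only its hash.
STORE = {"alice": sha1_hex(b"abc")}


def login(username: str, password: str) -> bool:
    """Hash the submitted password and compare it with the stored hash."""
    stored = STORE.get(username)
    if stored is None:
        return False
    # compare_digest compares in constant time, so the check does not
    # reveal how many leading characters of the hash matched.
    return hmac.compare_digest(stored, sha1_hex(password.encode()))


def verify_file(data: bytes, expected_hex: str) -> bool:
    """Check received data against the hash that was sent alongside it."""
    expected = expected_hex.replace(" ", "").lower()
    return hmac.compare_digest(sha1_hex(data), expected)


if __name__ == "__main__":
    print("SHA-1('abc')      =", sha1_hex(b"abc"))
    print("login abc / abd   =", login("alice", "abc"), login("alice", "abd"))
    print("bits changed abc->abd:", differing_bits(b"abc", b"abd"), "of 160")

    sent_hash = "34AA973C D4C4DAA4 F61EEB2B DBAD2731 6534016F"
    original = b"a" * 1_000_000
    tampered = original[:-1]  # one "a" deleted in transit
    print("intact file ok    =", verify_file(original, sent_hash))
    print("tampered file ok  =", verify_file(tampered, sent_hash))
```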
So the whole reason we are able to have passwords on the Internet, or send encrypted files and emails to complain about NSA spying, is the NSA’s SHA-1 algorithm.