{
    "slug": "hash_functions_deep",
    "term": "Cryptographic Hash Functions",
    "category": "cryptography",
    "difficulty": "intermediate",
    "short": "One-way functions producing a fixed-length digest — SHA-256, SHA-3, and BLAKE3 are secure for data integrity; MD5 and SHA-1 are broken and must not be used for security.",
    "long": "Cryptographic hash functions must be: deterministic (same input = same output), fast to compute, pre-image resistant (cannot reverse), second pre-image resistant (cannot find collision for a given input), and collision resistant (cannot find any two inputs with the same hash). SHA-256/SHA-512 (SHA-2 family): widely deployed, no known practical attacks. SHA-3 (Keccak): different construction, quantum-resistant design. BLAKE3: fast, secure, modern. MD5 and SHA-1: broken collision resistance — do not use for security. In PHP: hash('sha256', $data), hash('sha3-256', $data).",
    "aliases": [
        "SHA-256",
        "SHA-3",
        "BLAKE3",
        "MD5",
        "SHA-1",
        "cryptographic hash"
    ],
    "tags": [
        "cryptography",
        "security",
        "php"
    ],
    "misconception": "SHA-256 is suitable for password hashing — SHA-256 is fast (billions of operations per second on a GPU), making it unusable for passwords; use bcrypt or Argon2id instead.",
    "why_it_matters": "Using MD5 or SHA-1 for data integrity checks opens the door to collision attacks where two different inputs produce the same hash — file signature forgery and certificate attacks both exploit this.",
    "common_mistakes": [
        "MD5 for file integrity checksums — collisions have been demonstrated; use SHA-256.",
        "SHA-256 for password hashing — fast algorithm; use password_hash() with Argon2id.",
        "Not using HMAC for message authentication — a bare hash can be length-extended; use hash_hmac().",
        "Comparing hashes with == instead of hash_equals() — timing attack vulnerability."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "key_derivation_functions",
        "weak_password_hash",
        "hmac",
        "digital_signatures"
    ],
    "prerequisites": [
        "cryptographic_hash",
        "hmac",
        "hashing_algorithms_deep"
    ],
    "refs": [
        "https://www.php.net/manual/en/function.hash.php"
    ],
    "bad_code": "// MD5 for integrity — broken:\n$checksum = md5_file($uploadedFile); // Collisions possible\n\n// SHA-256 for password — wrong tool:\n$hash = hash('sha256', $password); // Fast = GPU crackable\n\n// Timing-vulnerable comparison:\nif ($computed === $provided) { /* vulnerable to timing attack */ }",
    "good_code": "// SHA-256 for file integrity:\n$checksum = hash_file('sha256', $uploadedFile); // Secure for integrity\n\n// Argon2id for passwords:\n$hash = password_hash($password, PASSWORD_ARGON2ID);\n\n// HMAC for message authentication:\n$mac = hash_hmac('sha256', $message, $secretKey);\n\n// Constant-time comparison:\nif (hash_equals($expected, $computed)) { /* safe */ }",
    "quick_fix": "Choose the right hash for the use case: SHA-256 for data integrity checksums, HMAC-SHA-256 for authentication tags, Argon2id for passwords — never MD5 or SHA1 for any security use",
    "severity": "high",
    "effort": "medium",
    "created": "2026-03-16",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/hash_functions_deep",
        "html_url": "https://codeclaritylab.com/glossary/hash_functions_deep",
        "json_url": "https://codeclaritylab.com/glossary/hash_functions_deep.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Cryptographic Hash Functions](https://codeclaritylab.com/glossary/hash_functions_deep) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/hash_functions_deep"
            }
        }
    }
}