If the password is: “Critical”

Critical: express criticism or disapproval

Express: convey a thought or feeling in words or by gestures and conduct

Convey: transport or carry to a place

So, assuming you and I have the same dictionary, I can prove that I know the password “Critical” by telling you the hash “Transport”.

For example, if we do a simple hash algorithm which assigns all the letters of a password to a number and adds all those numbers together, we get a number from which it is impossible to retrieve the original password (unless it was something simple or very repetitive). While that protects the original password, it has a weakness because many other passwords could produce the same number (collisions); “password” and “drowssap” would produce the same number, as would “ssawprod” and many others.

So the true objective of the math for a one-way hash is to generate a unique value and reduce (or eliminate) the potential of collisions.

With encryption, imagine that you have to have a way to reverse that algorithm to recover the original password. A good hash algorithm resists this recovery; this is where encryption comes in. There is a conversion (like password to number), but there is also a reverse (like recover the password from the number).

Yes, you do not need to decode a one-way function. But I gave this example to build up to the discussion of public key encryption, so I wanted an example where you can decode. But you are right.

NO, one way encryption should NOT have a way to decode it!!

Typical example:

Alice needs to verify her password on Bob’s system. Alice does not want to transmit the password in the clear and Bob does not want to store the password in the clear.

Alice uses a ONE-WAY encryption (‘hash’) to transform her password to a ‘hash’. Bob has a hash of Alice’s password stored on his system, created using the same ‘hashing’ algorithm as Alice. Bob can compare the 2 hashes to determine if the password is correct. No need to be able to DECODE the hash back to the password, that would be bad.

You can easily avert both the given attack and reverse lookup by either omitting digits or adding random ones (salt).
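
The letter-sum collisions and the salted hash comparison discussed in the comments above, as an added example that is not code from any of the commenters. It assumes the letter-to-number mapping is the character code, that Bob derives the hash on his side, and that PBKDF2-HMAC-SHA256 is the salted one-way function; the candidate list is constructed.

```python
import hashlib
import hmac
import os

# Constructed sample guesses; "qassworc" is not an anagram of "password".
CANDIDATES = ["drowssap", "ssawprod", "passwore", "qassworc", "Critical"]

def letter_sum(password: str) -> int:
    """Toy hash from the thread: map each letter to a number (assumed: ord) and add."""
    return sum(ord(c) for c in password)

def colliding(target: str, candidates: list[str]) -> list[str]:
    """Candidates that differ from target yet produce the same letter-sum."""
    want = letter_sum(target)
    return [c for c in candidates if c != target and letter_sum(c) == want]

def enroll(password: str, iterations: int = 100_000) -> tuple[bytes, int, bytes]:
    """Record Bob stores: random per-user salt, work factor, derived hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def verify(password: str, record: tuple[bytes, int, bytes]) -> bool:
    """Recompute with the stored salt and compare in constant time; nothing is decoded."""
    salt, iterations, stored = record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(digest, stored)

if __name__ == "__main__":
    print("letter-sum of 'password':", letter_sum("password"))
    print("accepted by the toy hash:", colliding("password", CANDIDATES))
    record = enroll("password")
    for guess in ["password"] + CANDIDATES:
        print(f"{guess!r:12} salted verify -> {verify(guess, record)}")
    # Same password enrolled twice: different salts, so a reverse-lookup
    # table built for one stored hash does not match the other.
    print("same stored hash twice:", enroll("password")[2] == enroll("password")[2])
```
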