What Is SHA and the Difference Between SHA-1, SHA-2 and SHA-256?

What is SHA?
SHA is the acronym for secure hash algorithm, which first came into being in 1993. Its hashing process, simply explained, is to take a text or a file of any length, run it through the function, and produce a string of incomprehensible characters of fixed bit length. The result is called a hash, a hash value or a digest.

SHA-1 and SHA-2 are two versions of hash algorithms developed and published by NIST and NSA. SHA-1 was once popular and globally used, but it is no longer approved because more than one person has managed to prove that it's flawed and vulnerable to attacks. Then SHA-2 was designed as the successor of SHA-1 and was published in 2001. SHA-224, SHA-256, SHA-384 and SHA-512 are the variants of SHA-2, and are collectively called SHA-2, among which SHA-256 is the most popular and the most used one.
The number in the name refers to the bit length of the resulting hash value. That is, the hash values for SHA-224, SHA-256, SHA-384, and SHA-512 would be 224 bits, 256 bits, 384 bits and 512 bits respectively. In practice, SHA-2, SHA-256 and SHA 256-bit refer to the same thing.

The Advantages and Characteristics of Cryptographic Hash Algorithms

There are two major characteristics of hash algorithms: Uniqueness and irreversibility. First, we'll explain what uniqueness means here. There are no two texts that can be used to produce the same hash.
Let's say, I send a "Good morning" to someone. The message is hashed with SHA-256 and becomes an unreadable string of characters shown below.

However, if I change the letters into all capital ones, the resulting hash would look like this.

In our example, even though "Good morning" and "GOOD MORNING" have the same meaning, their hashes are wildly different because the original texts are written differently. And you can see that these two hash values are actually of the same length.
Whether you hash one sentence or a whole book, as long as you're using the same function, their hash values' length will be the same! Isn't this amazing? Hash functions are designed this way to hide the actual length of the original text. What's more, it's much more efficient for computers to just compare hash values since the length is always fixed. If you want to know whether there's any difference between the first edition and the second edition of a book, computers will only need to compare their hash values to know instead of comparing the entire books.

Irreversibility means the hashing process is a one-way process. One has no way of knowing the original piece of data with the hash value alone. The process is not reversible. Thus the original data is kept secure. We'll get back to this in more detail later.

SHA-256 in Use

Now you know SHA-256 and understand how it works, let's move on to the next question. What is it used for in practice?
How exactly SHA-256 produces a hash is extremely complex. We are not going to do the math here, well because you may fall asleep before even finishing reading. (Below is a simplified illustration of the hashing process）Instead, we'll give some examples here to help you learn more about its practical use and how it helps protect your data. 

It is used to sign the digital certificate. The signed digital certificate will inform you and your users that the website hasn't been altered or modified in any way and that it has remained the same since the certificate was issued. If cyber attackers have made changes to the certificate, another hash value would be generated which is different from the original. Then the browser will be alarmed by the different hash and show an error warning. This is how SSL certificates can be used to ensure identity authentication and data integrity.

When we send and receive messages online, how can we be sure the message truly comes from the person we know? And how can we be sure the message hasn't been changed before it reached us? Remember the uniqueness of hash algorithms?
Any change to the original message would result in a completely different hash value. For example, your friend sends you an email inviting you to a meet & greet. Someone hacks into the email and changes the time and location of the event. Your computer receives the changed email and compares the hash value with the original one. You will immediately get a warning that the email may have been tampered with.

For websites that store your password on their servers, they don't just store your plaintext password. They'd run it through the hash function and store the hashed password. How do they know whether you've entered the correct password the next time? They hash the password entered this time and compare the two hash values. If the two values match, it means you've entered the right password. But as we mentioned before, it's a one–way process. You can't recover a password if you forgot it, since the server only stores the hashed data. You'll have to reset the password.
Now you may ask: Other people might set a password same as mine. Yes, passwords could be the same. This is why when using hash algorithms, some random characters are added to the original password before hashing. For instance, originally, you and Jason have the same password: Peace4me. The function will add random characters to it, and your password may become "Peace4me123456", and Jason's may be "Peace4me456789". In this way, different hash values can be generated and stored, and it also creates immense barriers to cybercriminals.

Is SHA-2 Secure Enough?

If two different inputs produce the same hash, it's called a collision. SHA-1 has been considered weak and got replaced because of this.
SHA-256 is one of the most widely used hash algorithms nowadays. Theoretically, SHA-256 may not be perfect, but practically, it is the perfect solution you can find. While SHA-2 has been in use since 2001, so far no one has made a successful brute-force attack against SHA-256. A plaintext using SHA-256 can have 2256 possible hashes. A hacker has to try that many combinations before getting to the right one, and that's like FOREVER (though not impossible)! It's basically beyond human power to try to crack it in a lifetime with current resources and technologies.

In a word, a collision is not impossible, but right now it's extremely difficult to do so. Therefore, at the moment SHA-2 is still relatively a secure and strong function. When SHA-2 hash functions have been proved less secure, they will be replaced by new ones.
If you run a website or your work involves cybersecurity in any way, it is of great significance for you to be aware of data protection and learn about hashing concepts. We hope this article can be of some help to you.