密碼學雜湊演算法詳解：從 MD5 到 Argon2Cryptographic Hash Algorithms Explained: From MD5 to Argon2

什麼是雜湊演算法？What is a Hash Algorithm?

雜湊演算法（Hash Algorithm）是一種將任意長度的輸入資料轉換為固定長度輸出的數學函數。這個輸出被稱為「雜湊值」（Hash Value）或「摘要」（Digest）。A Hash Algorithm is a mathematical function that converts input data of arbitrary length into a fixed-length output. This output is called a "hash value" or "digest".

雜湊函數的三大特性Three Key Properties of Hash Functions

1. 單向性（One-way）：從輸入計算雜湊值很容易，但從雜湊值反推原始輸入在計算上不可行。One-way: It's easy to compute the hash from input, but computationally infeasible to reverse-engineer the original input from the hash.
2. 確定性（Deterministic）：相同的輸入永遠產生相同的雜湊值。Deterministic: The same input always produces the same hash value.
3. 雪崩效應（Avalanche Effect）：輸入的微小變化會導致雜湊值產生巨大差異。Avalanche Effect: Small changes in input cause dramatically different hash values.

輸入 1: "password"Input 1: "password"
SHA-256: 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8

輸入 2: "Password"（只改一個字母大小寫）Input 2: "Password" (only one letter changed to uppercase)
SHA-256: e7cf3ef4f17c3999a94f2c6f612e8a888e5b1026878e4e19398b23bd38ec221a

結果：完全不同的雜湊值Result: Completely different hash values

雜湊 vs 加密：核心差異Hash vs Encryption: Key Differences

許多人混淆雜湊和加密，但它們的目的和特性完全不同：Many people confuse hashing and encryption, but their purposes and characteristics are completely different:

主流雜湊演算法介紹Popular Hash Algorithms

1. MD5（Message-Digest Algorithm 5）

• 輸出長度：128 位元（32 個十六進制字元）Output Length: 128 bits (32 hexadecimal characters)
• 發布年份：1991 年Released: 1991
• 安全狀態：❌ 已破解，不建議用於安全目的Security Status: ❌ Broken, not recommended for security purposes
• 應用場景：檔案完整性檢查（非安全要求）Use Cases: File integrity checks (non-security)

2. SHA-1（Secure Hash Algorithm 1）SHA-1 (Secure Hash Algorithm 1)

• 輸出長度：160 位元（40 個十六進制字元）Output Length: 160 bits (40 hexadecimal characters)
• 發布年份：1995 年Released: 1995
• 安全狀態：❌ 已棄用（2017年實現首次碰撞）Security Status: ❌ Deprecated (first collision achieved in 2017)
• 應用場景：Git 版本控制（歷史原因）Use Cases: Git version control (legacy reasons)

3. SHA-256（SHA-2 家族） (SHA-2 Family)

• 輸出長度：256 位元（64 個十六進制字元）Output Length: 256 bits (64 hexadecimal characters)
• 發布年份：2001 年Released: 2001
• 安全狀態：✅ 目前安全，廣泛使用Security Status: ✅ Currently secure, widely used
• 應用場景：SSL/TLS 憑證、區塊鏈、數位簽章Use Cases: SSL/TLS certificates, blockchain, digital signatures

範例：
輸入: "hello"Example:
Input: "hello"
SHA-256: 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824

4. SHA-512（SHA-2 家族） (SHA-2 Family)

• 輸出長度：512 位元（128 個十六進制字元）Output Length: 512 bits (128 hexadecimal characters)
• 安全狀態：✅ 目前安全，比 SHA-256 更強Security Status: ✅ Currently secure, stronger than SHA-256
• 應用場景：高安全需求的應用Use Cases: High-security applications

5. bcrypt

• 類型：密碼雜湊專用函數Type: Password hashing function
• 發布年份：1999 年Released: 1999
• 核心特性：內建加鹽、可調整計算成本Key Features: Built-in salting, adjustable computation cost
• 安全狀態：✅ 專為密碼設計，高度安全Security Status: ✅ Designed for passwords, highly secure
• 應用場景：使用者密碼儲存Use Cases: User password storage

bcrypt 雜湊範例：bcrypt Hash Example:
$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy
│  │  │                  鹽值（22字元）    │ 雜湊值（31字元）
│  │  └─ 成本因子（工作因子）= 10 → 2^10 次迭代
│  └─ bcrypt 版本
└─ 演算法識別碼│  │  │                  Salt (22 chars)    │ Hash (31 chars)
│  │  └─ Cost Factor (Work Factor) = 10 → 2^10 iterations
│  └─ bcrypt version
└─ Algorithm identifier

6. Argon2

• 類型：現代密碼雜湊函數Type: Modern password hashing function
• 發布年份：2015 年（密碼雜湊競賽冠軍）Released: 2015 (Password Hashing Competition winner)
• 核心特性：記憶體困難、抗 ASIC 攻擊Key Features: Memory-hard, ASIC-resistant
• 安全狀態：✅ 目前最先進的密碼雜湊演算法Security Status: ✅ Most advanced password hashing algorithm
• 應用場景：新專案的密碼儲存首選Use Cases: First choice for new projects' password storage

演算法選擇指南Algorithm Selection Guide

實際應用場景Real-World Applications

1. 密碼儲存1. Password Storage

這是雜湊最常見的應用。系統不應儲存明文密碼，而是儲存密碼的雜湊值：This is the most common application of hashing. Systems should never store plain-text passwords, but rather store password hashes:

使用者註冊:
  1. 使用者輸入密碼: "MyP@ssw0rd"
  2. 系統加鹽並雜湊: bcrypt("MyP@ssw0rd" + salt)
  3. 儲存雜湊值到資料庫

使用者登入:
  1. 使用者輸入密碼: "MyP@ssw0rd"
  2. 從資料庫取得儲存的雜湊值
  3. 使用相同方法雜湊輸入密碼
  4. 比較兩個雜湊值是否一致User Registration:
  1. User enters password: "MyP@ssw0rd"
  2. System salts and hashes: bcrypt("MyP@ssw0rd" + salt)
  3. Store hash value in database

User Login:
  1. User enters password: "MyP@ssw0rd"
  2. Retrieve stored hash from database
  3. Hash input password using same method
  4. Compare if both hash values match

2. 資料完整性驗證2. Data Integrity Verification

確保檔案或資料在傳輸過程中未被竄改：Ensure files or data haven't been tampered with during transmission:

檔案下載驗證:
  官方網站提供: ubuntu-20.04.iso (SHA-256: a1b2c3d4...)
  下載後計算: sha256sum ubuntu-20.04.iso
  比對雜湊值 → 確認檔案完整File Download Verification:
  Official website provides: ubuntu-20.04.iso (SHA-256: a1b2c3d4...)
  Calculate after download: sha256sum ubuntu-20.04.iso
  Compare hash values → Confirm file integrity

3. 數位簽章3. Digital Signatures

結合雜湊和非對稱加密，驗證文件來源和完整性：Combining hashing with asymmetric encryption to verify document origin and integrity:

簽署流程:
  1. 計算文件雜湊值: SHA-256(document)
  2. 使用私鑰加密雜湊值: RSA_encrypt(hash, private_key)
  3. 附加簽章到文件

驗證流程:
  1. 使用公鑰解密簽章: RSA_decrypt(signature, public_key)
  2. 計算文件雜湊值: SHA-256(document)
  3. 比對兩個雜湊值Signing Process:
  1. Calculate document hash: SHA-256(document)
  2. Encrypt hash with private key: RSA_encrypt(hash, private_key)
  3. Attach signature to document

Verification Process:
  1. Decrypt signature with public key: RSA_decrypt(signature, public_key)
  2. Calculate document hash: SHA-256(document)
  3. Compare the two hash values

4. HMAC（Hash-based Message Authentication Code）4. HMAC (Hash-based Message Authentication Code)

結合雜湊和密鑰，用於訊息認證：Combining hashing with a secret key for message authentication:

API 請求簽署:
  1. 準備請求資料: {"user_id": 123, "action": "transfer"}
  2. 計算 HMAC: HMAC-SHA-256(data, secret_key)
  3. 附加 HMAC 到請求標頭
  4. 伺服器驗證 HMAC 確認請求未被竄改API Request Signing:
  1. Prepare request data: {"user_id": 123, "action": "transfer"}
  2. Calculate HMAC: HMAC-SHA-256(data, secret_key)
  3. Attach HMAC to request header
  4. Server verifies HMAC to confirm request wasn't tampered

安全性威脅與防禦Security Threats and Defense

1. 碰撞攻擊（Collision Attack）1. Collision Attack

找到兩個不同的輸入產生相同的雜湊值。MD5 和 SHA-1 已被證明存在實用的碰撞攻擊。Finding two different inputs that produce the same hash value. MD5 and SHA-1 have been proven to have practical collision attacks.

2. 彩虹表攻擊（Rainbow Table Attack）2. Rainbow Table Attack

預先計算大量密碼的雜湊值並建立查詢表，快速破解未加鹽的密碼雜湊。Pre-computing hash values for many passwords and building lookup tables to quickly crack unsalted password hashes.

彩虹表範例:
password     → 5f4dcc3b5aa765d61d8327deb882cf99 (MD5)
123456       → e10adc3949ba59abbe56e057f20f883e (MD5)
qwerty       → d8578edf8458ce06fbc5bb76a58c5ca4 (MD5)

攻擊者只需查表即可反查密碼Rainbow Table Example:
password     → 5f4dcc3b5aa765d61d8327deb882cf99 (MD5)
123456       → e10adc3949ba59abbe56e057f20f883e (MD5)
qwerty       → d8578edf8458ce06fbc5bb76a58c5ca4 (MD5)

Attackers can simply look up the password in the table

3. 暴力破解（Brute Force Attack）3. Brute Force Attack

系統化地嘗試所有可能的密碼組合。現代 GPU 可以每秒嘗試數十億次 MD5/SHA 雜湊。Systematically trying all possible password combinations. Modern GPUs can attempt billions of MD5/SHA hashes per second.

加鹽技術深入解析Deep Dive into Salting

不加鹽（危險）:
使用者 A 密碼: "password" → Hash: 5f4dcc3b...
使用者 B 密碼: "password" → Hash: 5f4dcc3b...（相同！）
→ 攻擊者破解一個，所有相同密碼都被破解

加鹽（安全）:
使用者 A:
  密碼: "password"
  鹽值: "a8b3c2d1"
  雜湊: bcrypt("password" + "a8b3c2d1") → $2a$10$a8b3c2d1...

使用者 B:
  密碼: "password"
  鹽值: "x9y7z5w3"
  雜湊: bcrypt("password" + "x9y7z5w3") → $2a$10$x9y7z5w3...

→ 即使密碼相同，雜湊值完全不同Without Salt (Dangerous):
User A password: "password" → Hash: 5f4dcc3b...
User B password: "password" → Hash: 5f4dcc3b... (same!)
→ Attacker cracks one, all identical passwords are compromised

With Salt (Secure):
User A:
  Password: "password"
  Salt: "a8b3c2d1"
  Hash: bcrypt("password" + "a8b3c2d1") → $2a$10$a8b3c2d1...

User B:
  Password: "password"
  Salt: "x9y7z5w3"
  Hash: bcrypt("password" + "x9y7z5w3") → $2a$10$x9y7z5w3...

→ Even with same password, hash values are completely different

程式實作範例Code Examples

JavaScript（Node.js）實作JavaScript (Node.js) Implementation

// 使用內建 crypto 模組// Using built-in crypto module
const crypto = require('crypto');

// 1. SHA-256 雜湊Hash
function sha256Hash(input) {
    return crypto.createHash('sha256')
                 .update(input)
                 .digest('hex');
}

console.log(sha256Hash('password'));
// 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8

// 2. HMAC-SHA-256
function hmacSha256(message, secret) {
    return crypto.createHmac('sha256', secret)
                 .update(message)
                 .digest('hex');
}

const signature = hmacSha256('API request data', 'my-secret-key');
console.log(signature);

// 3. bcrypt 密碼雜湊（需安裝 bcrypt 套件）password hashing (requires bcrypt package)
const bcrypt = require('bcrypt');

async function hashPassword(password) {
    const saltRounds = 10;  // 成本因子，越高越安全但越慢Cost factor, higher = more secure but slower
    const hash = await bcrypt.hash(password, saltRounds);
    return hash;
}

async function verifyPassword(password, hash) {
    const match = await bcrypt.compare(password, hash);
    return match;
}

// 使用範例Usage example
(async () => {
    const password = 'MySecurePassword123';
    const hash = await hashPassword(password);
    console.log('雜湊值:Hash:', hash);

    const isValid = await verifyPassword('MySecurePassword123', hash);
    console.log('密碼正確:Password valid:', isValid);  // true

    const isInvalid = await verifyPassword('WrongPassword', hash);
    console.log('錯誤密碼:Wrong password:', isInvalid);  // false
})();

Python 實作Python Implementation

# 使用內建 hashlib 模組# Using built-in hashlib module
import hashlib
import hmac

# 1. SHA-256 雜湊Hash
def sha256_hash(input_string):
    return hashlib.sha256(input_string.encode()).hexdigest()

print(sha256_hash('password'))
# 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8

# 2. HMAC-SHA-256
def hmac_sha256(message, secret):
    return hmac.new(
        secret.encode(),
        message.encode(),
        hashlib.sha256
    ).hexdigest()

signature = hmac_sha256('API request data', 'my-secret-key')
print(signature)

# 3. bcrypt 密碼雜湊（需安裝 bcrypt 套件）password hashing (requires bcrypt package)
import bcrypt

def hash_password(password):
    # 生成鹽值並雜湊# Generate salt and hash
    salt = bcrypt.gensalt(rounds=10)  # rounds = 成本因子cost factor
    hashed = bcrypt.hashpw(password.encode(), salt)
    return hashed.decode()

def verify_password(password, hashed):
    return bcrypt.checkpw(password.encode(), hashed.encode())

# 使用範例# Usage example
password = 'MySecurePassword123'
hashed = hash_password(password)
print(f'雜湊值Hash: {hashed}')

is_valid = verify_password('MySecurePassword123', hashed)
print(f'密碼正確Password valid: {is_valid}')  # True

is_invalid = verify_password('WrongPassword', hashed)
print(f'錯誤密碼Wrong password: {is_invalid}')  # False

PHP 實作PHP Implementation

<?php
// 1. SHA-256 雜湊Hash
function sha256Hash($input) {
    return hash('sha256', $input);
}

echo sha256Hash('password');
// 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8

// 2. HMAC-SHA-256
function hmacSha256($message, $secret) {
    return hash_hmac('sha256', $message, $secret);
}

$signature = hmacSha256('API request data', 'my-secret-key');
echo $signature;

// 3. bcrypt 密碼雜湊（PHP 5.5+ 內建）password hashing (PHP 5.5+ built-in)
function hashPassword($password) {
    // PASSWORD_BCRYPT 使用 bcrypt 演算法uses bcrypt algorithm
    // cost 參數控制計算成本（預設 10）parameter controls computation cost (default 10)
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
}

function verifyPassword($password, $hash) {
    return password_verify($password, $hash);
}

// 使用範例// Usage example
$password = 'MySecurePassword123';
$hash = hashPassword($password);
echo "雜湊值Hash: $hash\n";

$isValid = verifyPassword('MySecurePassword123', $hash);
echo "密碼正確Password valid: " . ($isValid ? 'true' : 'false') . "\n";  // true

$isInvalid = verifyPassword('WrongPassword', $hash);
echo "錯誤密碼Wrong password: " . ($isInvalid ? 'true' : 'false') . "\n";  // false
?>

密碼儲存最佳實踐Password Storage Best Practices

✅ 應該做的事✅ Do's

1. 使用專用密碼雜湊函數：選擇 Argon2、bcrypt 或 scrypt，而非通用雜湊函數。Use dedicated password hashing functions: Choose Argon2, bcrypt, or scrypt instead of general-purpose hash functions.
2. 自動加鹽：現代密碼雜湊函數內建隨機鹽值生成。Automatic salting: Modern password hashing functions have built-in random salt generation.
3. 調整成本因子：根據硬體性能調整，目標是雜湊時間約 250-500 毫秒。Adjust cost factor: Tune based on hardware performance, targeting hash time of about 250-500 milliseconds.
4. 定期更新演算法：隨著硬體進步，提高成本因子或遷移到更強演算法。Regularly update algorithms: As hardware advances, increase cost factors or migrate to stronger algorithms.
5. 使用驗證函數：使用 bcrypt.compare() 而非手動比對雜湊值。Use verification functions: Use bcrypt.compare() instead of manually comparing hash values.

❌ 不應該做的事❌ Don'ts

1. 不要用快速雜湊：MD5、SHA-256 太快，容易被暴力破解。Don't use fast hashes: MD5 and SHA-256 are too fast, making them vulnerable to brute force attacks.
2. 不要自己實作加密：使用經過充分測試的函式庫。Don't implement your own crypto: Use well-tested libraries.
3. 不要儲存明文密碼：即使是臨時測試環境也不行。Don't store plain-text passwords: Not even in temporary testing environments.
4. 不要用固定鹽值：每個密碼都應該有唯一的隨機鹽值。Don't use fixed salts: Each password should have a unique random salt.
5. 不要限制密碼長度：不要將密碼截斷到特定長度。Don't limit password length: Don't truncate passwords to a specific length.

成本因子調整指南Cost Factor Tuning Guide

bcrypt 成本因子影響:
Rounds = 10 → 2^10 = 1,024 次迭代 → ~50ms
Rounds = 12 → 2^12 = 4,096 次迭代 → ~200ms（建議）
Rounds = 14 → 2^14 = 16,384 次迭代 → ~800ms

選擇原則:
- 使用者登入可接受的延遲（建議 < 1 秒）
- 定期評估硬體進步並提高成本因子
- 平衡安全性與使用者體驗bcrypt Cost Factor Impact:
Rounds = 10 → 2^10 = 1,024 iterations → ~50ms
Rounds = 12 → 2^12 = 4,096 iterations → ~200ms (recommended)
Rounds = 14 → 2^14 = 16,384 iterations → ~800ms

Selection Principles:
- Acceptable delay for user login (recommended < 1 second)
- Regularly evaluate hardware advances and increase cost factor
- Balance security and user experience

完整密碼處理流程Complete Password Handling Process

使用者註冊:
  1. 驗證密碼強度（長度、複雜度）
  2. 使用 bcrypt/Argon2 雜湊密碼
  3. 儲存雜湊值到資料庫
  4. 記錄使用的演算法和成本因子

使用者登入:
  1. 接收使用者輸入
  2. 從資料庫查詢雜湊值
  3. 使用相同演算法驗證
  4. 如果成功且演算法過舊，重新雜湊並更新
  5. 實施登入嘗試次數限制

密碼重設:
  1. 生成隨機 token（使用安全隨機函數）
  2. 雜湊 token 並設定過期時間
  3. 發送 token 到使用者信箱
  4. 驗證 token 並允許設定新密碼
  5. 使雜湊後的新密碼，使所有舊 session 失效User Registration:
  1. Validate password strength (length, complexity)
  2. Hash password using bcrypt/Argon2
  3. Store hash value in database
  4. Record the algorithm and cost factor used

User Login:
  1. Receive user input
  2. Query hash value from database
  3. Verify using the same algorithm
  4. If successful and algorithm is outdated, rehash and update
  5. Implement login attempt rate limiting

Password Reset:
  1. Generate random token (using secure random function)
  2. Hash token and set expiration time
  3. Send token to user's email
  4. Verify token and allow setting new password
  5. Hash new password, invalidate all old sessions

結論與建議Conclusion and Recommendations

雜湊演算法是現代資訊安全的基石。正確選擇和使用雜湊演算法，能有效保護使用者資料和系統安全。Hash algorithms are the cornerstone of modern information security. Choosing and using hash algorithms correctly can effectively protect user data and system security.