100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
Python

Hashing and Digital Signatures

Understand one-way cryptographic hashing and how digital signatures use hashing plus private keys to prove integrity and authenticity.

Cryptography FundamentalsIntermediate10 min readJul 8, 2026
Analogies

Introduction

While encryption protects confidentiality, cryptographic hashing and digital signatures address a different concern: proving that data has not been altered and, in the case of signatures, proving who created it. These techniques are essential for software distribution, secure communications, and legal-grade authenticity guarantees.

🏏

Cricket analogy: While encryption is like disguising a team's game plan so opponents can't read it, hashing and digital signatures are like a match referee certifying that a scorecard hasn't been altered and confirming which official actually signed off on the result.

Explanation

A cryptographic hash function takes an input of any size and produces a fixed-size output called a digest or hash. Crucially, a hash function is one-way: it is computationally infeasible to reconstruct the original input from its digest, which is why hashing is not the same as encryption and is never used to hide data for later recovery. A good cryptographic hash function is also collision-resistant, meaning it is extremely difficult to find two different inputs that produce the same digest. Hashing alone provides integrity checking: if even one bit of a file changes, its hash changes completely. However, hashing alone cannot prove who produced the data, because anyone can compute a hash. Digital signatures solve this by combining hashing with asymmetric cryptography. To sign a message, the sender first hashes it, then encrypts that hash with their own private key, producing the signature. Anyone can verify the signature using the sender's public key: they decrypt the signature to recover the original hash, independently hash the message themselves, and compare the two. If they match, the message has not been altered (integrity) and could only have been signed by the holder of the private key (authenticity and non-repudiation, since the sender cannot plausibly deny having signed it).

🏏

Cricket analogy: A ball-by-ball highlight reel condensed into a fixed-length match summary is like a hash digest — you can't reconstruct the full match from the summary, and two genuinely different matches shouldn't produce the same summary, which is why a single altered delivery changes the whole summary.

Example

python
import hashlib
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.hazmat.primitives import hashes

message = b"Contract v2: deliver 500 units by March 1"

# Step 1: hash the message (integrity)
digest = hashlib.sha256(message).hexdigest()
print("SHA-256 digest:", digest)

# Step 2: sign the hash with a private key (authenticity + non-repudiation)
private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
public_key = private_key.public_key()

signature = private_key.sign(
    message,
    padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH),
    hashes.SHA256()
)

# Step 3: verify using the sender's public key
try:
    public_key.verify(signature, message, padding.PSS(
        mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH), hashes.SHA256())
    print("Signature valid: message is authentic and unaltered")
except Exception:
    print("Signature invalid: message was tampered with or key mismatch")

Analysis

The SHA-256 digest alone tells us whether the message content matches an expected hash, but it does not tell us who created it, since hashing requires no secret. The signature step adds the private key, so only the actual key holder could have produced a valid signature over that specific hash. Verification with the public key confirms both facts at once: the message matches what was signed (integrity) and it was signed by someone possessing the private key (authenticity). If even a single character of the message changes, verification fails, because the recomputed hash will no longer match.

🏏

Cricket analogy: A scorecard's checksum alone confirms the numbers match what was recorded but not which official recorded them, since anyone can compute a checksum; adding the official scorer's personal seal, verifiable by their known signature stamp, proves both that it's unaltered and who certified it.

Key Takeaways

  • A cryptographic hash is one-way and collision-resistant, not reversible or encrypted.
  • Hashing alone provides integrity but not authenticity.
  • A digital signature = hash the message, then encrypt the hash with the signer's private key.
  • Signature verification uses the signer's public key and provides integrity, authenticity, and non-repudiation.

Practice what you learned

Was this page helpful?

Topics covered

#Python#CyberSecurityFundamentalsStudyNotes#CyberSecurity#HashingAndDigitalSignatures#Hashing#Digital#Signatures#Explanation#StudyNotes#SkillVeris