| Gregory P. Smith | 7208af4 | 2005-08-22 18:31:41 +0000 | [diff] [blame] | 1 | \section{\module{hashlib} --- |
| 2 | Secure hashes and message digests} |
| 3 | |
| 4 | \declaremodule{builtin}{hashlib} |
| 5 | \modulesynopsis{Secure hash and message digest algorithms.} |
| 6 | \moduleauthor{Gregory P. Smith}{greg@users.sourceforge.net} |
| 7 | \sectionauthor{Gregory P. Smith}{greg@users.sourceforge.net} |
| 8 | |
| 9 | \versionadded{2.5} |
| 10 | |
| 11 | \index{message digest, MD5} |
| 12 | \index{secure hash algorithm, SHA1, SHA224, SHA256, SHA384, SHA512} |
| 13 | |
| 14 | This module implements a common interface to many different secure hash and |
| 15 | message digest algorithms. Included are the FIPS secure hash algorithms SHA1, |
| 16 | SHA224, SHA256, SHA384, and SHA512 (defined in FIPS 180-2) as well as RSA's MD5 |
| 17 | algorithm (defined in Internet \rfc{1321}). |
| Georg Brandl | caa94bd | 2006-01-23 22:00:17 +0000 | [diff] [blame] | 18 | The terms secure hash and message digest are interchangeable. Older |
| Gregory P. Smith | 7208af4 | 2005-08-22 18:31:41 +0000 | [diff] [blame] | 19 | algorithms were called message digests. The modern term is secure hash. |
| 20 | |
| 21 | \warning{Some algorithms have known hash collision weaknesses, see the FAQ at the end.} |
| 22 | |
| 23 | There is one constructor method named for each type of \dfn{hash}. All return |
| 24 | a hash object with the same simple interface. |
| 25 | For example: use \function{sha1()} to create a SHA1 hash object. |
| 26 | You can now feed this object with arbitrary strings using the \method{update()} |
| 27 | method. At any point you can ask it for the \dfn{digest} of the concatenation |
| 28 | of the strings fed to it so far using the \method{digest()} or |
| 29 | \method{hexdigest()} methods. |
| 30 | |
| 31 | Constructors for hash algorithms that are always present in this module are |
| 32 | \function{md5()}, \function{sha1()}, \function{sha224()}, \function{sha256()}, |
| 33 | \function{sha384()}, and \function{sha512()}. Additional algorithms may also |
| Thomas Wouters | 49fd7fa | 2006-04-21 10:40:58 +0000 | [diff] [blame] | 34 | be available depending upon the OpenSSL library that Python uses on your platform. |
| Gregory P. Smith | 7208af4 | 2005-08-22 18:31:41 +0000 | [diff] [blame] | 35 | \index{OpenSSL} |
| 36 | |
| 37 | For example, to obtain the digest of the string \code{'Nobody inspects |
| 38 | the spammish repetition'}: |
| 39 | |
| 40 | \begin{verbatim} |
| 41 | >>> import hashlib |
| 42 | >>> m = hashlib.md5() |
| 43 | >>> m.update("Nobody inspects") |
| 44 | >>> m.update(" the spammish repetition") |
| 45 | >>> m.digest() |
| 46 | '\xbbd\x9c\x83\xdd\x1e\xa5\xc9\xd9\xde\xc9\xa1\x8d\xf0\xff\xe9' |
| 47 | \end{verbatim} |
| 48 | |
| 49 | More condensed: |
| 50 | |
| 51 | \begin{verbatim} |
| 52 | >>> hashlib.sha224("Nobody inspects the spammish repetition").hexdigest() |
| 53 | 'a4337bc45a8fc544c03f52dc550cd6e1e87021bc896588bd79e901e2' |
| 54 | \end{verbatim} |
| 55 | |
| 56 | A generic \function{new()} constructor that takes the string name of the |
| 57 | desired algorithm as its first parameter also exists to allow access to the |
| 58 | above listed hashes as well as any other algorithms that your OpenSSL library |
| 59 | may offer. The named constructors are much faster than \function{new()} and |
| 60 | should be preferred. |
| 61 | |
| 62 | Using \function{new()} with an algorithm provided by OpenSSL: |
| 63 | |
| 64 | \begin{verbatim} |
| 65 | >>> h = hashlib.new('ripemd160') |
| 66 | >>> h.update("Nobody inspects the spammish repetition") |
| 67 | >>> h.hexdigest() |
| 68 | 'cc4a5ce1b3df48aec5d22d1f16b894a0b894eccc' |
| 69 | \end{verbatim} |
| 70 | |
| 71 | The following values are provided as constant attributes of the hash objects |
| 72 | returned by the constructors: |
| 73 | |
| 74 | \begin{datadesc}{digest_size} |
| 75 | The size of the resulting digest in bytes. |
| 76 | \end{datadesc} |
| 77 | |
| 78 | A hash object has the following methods: |
| 79 | |
| 80 | \begin{methoddesc}[hash]{update}{arg} |
| 81 | Update the hash object with the string \var{arg}. Repeated calls are |
| 82 | equivalent to a single call with the concatenation of all the |
| 83 | arguments: \code{m.update(a); m.update(b)} is equivalent to |
| 84 | \code{m.update(a+b)}. |
| 85 | \end{methoddesc} |
| 86 | |
| 87 | \begin{methoddesc}[hash]{digest}{} |
| 88 | Return the digest of the strings passed to the \method{update()} |
| Thomas Wouters | 89f507f | 2006-12-13 04:49:30 +0000 | [diff] [blame] | 89 | method so far. This is a string of \member{digest_size} bytes which may |
| 90 | contain non-\ASCII{} characters, including null bytes. |
| Gregory P. Smith | 7208af4 | 2005-08-22 18:31:41 +0000 | [diff] [blame] | 91 | \end{methoddesc} |
| 92 | |
| 93 | \begin{methoddesc}[hash]{hexdigest}{} |
| 94 | Like \method{digest()} except the digest is returned as a string of |
| 95 | double length, containing only hexadecimal digits. This may |
| 96 | be used to exchange the value safely in email or other non-binary |
| 97 | environments. |
| 98 | \end{methoddesc} |
| 99 | |
| 100 | \begin{methoddesc}[hash]{copy}{} |
| 101 | Return a copy (``clone'') of the hash object. This can be used to |
| 102 | efficiently compute the digests of strings that share a common initial |
| 103 | substring. |
| 104 | \end{methoddesc} |
| 105 | |
| 106 | \begin{seealso} |
| 107 | \seemodule{hmac}{A module to generate message authentication codes using hashes.} |
| 108 | \seemodule{base64}{Another way to encode binary hashes for non-binary environments.} |
| 109 | \seeurl{http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf} |
| 110 | {The FIPS 180-2 publication on Secure Hash Algorithms.} |
| 111 | \seeurl{http://www.cryptography.com/cnews/hash.html} |
| 112 | {Hash Collision FAQ with information on which algorithms have known issues and |
| 113 | what that means regarding their use.} |
| 114 | \end{seealso} |