Is Bcrypt a hashing algorithm or is my study material wrong?

It's not a good question. You're not wrong to call bcrypt a ‘hashing algorithm’, but they're not wrong that it is qualitatively different from the others—although it is curious that they single out bcrypt and not HMAC too. We can group them into three categories:

  • bcrypt is meant to be a password hash, also known as a password-based key derivation function, whose purpose is to be expensive to compute so that even if it doesn't take many trials on average for an adversary to guess what the input was, there's a high cost to testing each guess. Other examples include PBKDF2, scrypt, and Argon2, and Balloon hash.

  • MD5, RIPEMD, and SHA are meant to be collision-resistant hashes, whose purpose is to make it hard to find distinct messages that have the same hash. As it happens, MD5, RIPEMD, SHA-0, and SHA-1 (though not SHA-2 or SHA-3) are all broken—collisions have been reported for all of them. They're also designed to be preimage-resistant, so that it is hard to find a message having a prescribed hash, and second-preimage-resistant, so that it is hard to find a second message having the same hash as a prescribed message; none of them have had these properties broken. Other examples—which, unlike MD5, RIPEMD, and SHA-0/SHA-1, are unbroken to this day—include BLAKE2b and SHAKE128.

  • HMAC is a technique for constructing pseudorandom function families (PRFs) or message authentication codes (MACs) out of certain hash functions like SHA-256; sometimes HMAC is loosely called a ‘keyed hash’, but that doesn't really make it clear what the security goal is, which is unforgeability as a MAC or pseudorandomness as a PRF: if the key is chosen uniformly at random, an adversary who doesn't know the key can't guess the MAC for any message, and can't distinguish the hash of any message from a uniform random bit string.

The word ‘hash’ alone in cryptography just means a function that scrambles its input, or the scrambled output. There are other kinds of hash functions: the FNV-1 string hash function, sometimes used in hash tables; universal hash families like Poly1305, with guaranteed bounds on collision probabilities, sometimes used to make extremely cheap message authentication codes with high security; key derivation functions like HKDF, used to turn high-entropy but nonuniform bit strings like Diffie–Hellman shared secrets into uniform random bit strings; etc. It's not wrong to call any of these ‘hashes’, but it may be helpful to use more specific terminology like collision-resistant hash or pseudorandom function family or universal hash family.


Strangely enough, two of those things are not like the others, but apparently it only marked one of them as wrong.

All of the options above are arguably hash functions, in that they all take some input message and produce a "digest" or "hash": a fixed-length set of high-entropy bits that is deterministic on its inputs but is not reversible. There are differences in both inputs and usage between them, though.

MD5, RIPEMD, and SHA (now usually called SHA1) are all very much the same class of function, taking just one input (an arbitrary message) and quickly producing the digest of that message (which, at least in theory, possesses collision and pre-image resistance). Their particular characteristics (both mechanically, such as length of digest, and practically, such as security) vary, but at a high level they are interchangeable.

Bcrypt takes two additional parameters: a salt, and a cost/work factor. Additionally, it is intended for hashing only short strings (passwords or similar), and constrains the input length to 72 useful bytes. It produces output like a standard hash function, but (possibly much) more slowly.

HMAC is a construction that requires an externally-defined hash function. As a function, HMAC requires inputs of a message, a salt, and a hash function to use. Unlike bcrypt, it does not introduce any constraints on the input message - in this way, it is more like the other three - but unlike all four of the others it does not actually specify an algorithm for computing a digest, delegating that operation to the specified hash function.

In summary, you could make a case for any of the following answers:

  • All five are hash functions, because they take a message and produce a one-way, fixed-length, deterministic, high-entropy digest.
  • Bcrypt is the only one that's not a hash function, because it cannot operate on arbitrary-length messages.
  • HMAC is the only one that's not a hash function, because it doesn't define a procedure for computing a digest.
  • Only MD5, RIPEMD, and SHA are true hash functions.

Evidently, your study material takes the second view. I personally lean more toward the third or fourth view. HMAC-SHA-256 is a hash function (that differs from the "pure" ones by requiring a key), but HMAC by itself isn't a hash function. It would be like saying "obtain flour, salt, water, and a person who knows how to make tortillas; give the flour, water, and salt to the person; tell the person to produce a tortilla" is a tortilla recipe.


One can find many "certification" questions that are less than ideal trying to exploit nuances of wording to test understanding of the topic, but failing to have any real meaning in a practical sense. While you may validly be able to argue the point in the reality of the real world, it really doesn't matter in the face of what the certification test is trying to assess.

Coming from my network background, I could easily find many examples around "classful" networking. This is part of the reason certification questions are generally off topic on the Network Engineering stack. It seems pointless to answer why Test X indicates that 10.250.0.0/255.255.0.0 is not a valid network (answer - a "Class A" network has a mask of 255.0.0.0) when it really has no bearing on running a network in today's world.

Also not sure why the popular answers are fixated on "hashing functions". The certification question asks, "Which of the following are hashing algorithms?" (emphasis mine). There is no mention of hashing functions.

So, of the five provided, four can be considered algorithms in their own right, whether they have their own hashing functions built into them. On the other hand, bcrypt (while a function) uses an algorithm based on blowfish, it is not an algorithm unto itself.

It may be a stupid distinction, but again it is a certification question.

Tags:

Hash

Bcrypt

Related

How do we cross-verify if the device is doing exactly what it is supposed to do? If you revoke a certificate authority's certificate, do all of the certificates it issued become invalid as well? Does code obfuscation give any measurable security benefit? How does a CDN actually prevent DDoS attacks, when an origin server accepts direct connections? If we should encrypt the message rather than the method of transfer, why do we care about wifi security? Is this just security theatre? Is it safe to pay bills over satellite internet? Why are KDFs slow? Is using a KDF more secure than using the original secret? Is storing files under a web server root unsafe if it is handled by PHP and blocked by the web server site configuration file? SSH from a shared workplace computer How can I verify my browser/OS's top level certificate? Should I be able to see patterns in a HS256 encoded JWT? Why do many websites hide input when entering an OTP?

Recent Posts