ARCHIVED from builddistributedsystem.com on 2026-04-28 — URL: https://builddistributedsystem.com/tracks/securitor/tasks/task-24-2-3-hash-functions
TASK

Implementation

Cryptographic hash functions map any input to a fixed-size digest. SHA-256 is fast and great for integrity checks, but too fast for passwords. Bcrypt is deliberately slow with a configurable work factor, making brute-force password cracking impractical.

Implement a node that handles hashing and password operations:

// SHA-256 hash for integrity verification
{ "type": "hash", "msg_id": 1,
  "data": "Hello World", "algorithm": "sha256" }
-> { "type": "hashed", "in_reply_to": 1,
    "hash": "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e" }

// Verify data integrity
{ "type": "verify_integrity", "msg_id": 2,
  "data": "Hello World",
  "expected_hash": "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e" }
-> { "type": "integrity_verified", "in_reply_to": 2, "valid": true }

// Hash a password with bcrypt (includes random salt)
{ "type": "hash_password", "msg_id": 3,
  "password": "user_password_123", "algorithm": "bcrypt" }
-> { "type": "password_hashed", "in_reply_to": 3,
    "hash": "$2b$10$..." }

// Verify password against stored bcrypt hash
{ "type": "verify_password", "msg_id": 4,
  "password": "user_password_123",
  "hash": "$2b$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy" }
-> { "type": "password_verified", "in_reply_to": 4, "valid": true }

Sample Test Cases

Calculate SHA-256 hashTimeout: 5000ms
Input
{
  "src": "client",
  "dest": "hash",
  "body": {
    "type": "hash",
    "msg_id": 1,
    "data": "Hello World",
    "algorithm": "sha256"
  }
}
Expected Output
{"type": "hashed", "in_reply_to": 1, "hash": "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e"}
Verify data integrityTimeout: 5000ms
Input
{
  "src": "client",
  "dest": "hash",
  "body": {
    "type": "verify_integrity",
    "msg_id": 1,
    "data": "Hello World",
    "expected_hash": "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e"
  }
}
Expected Output
{"type": "integrity_verified", "in_reply_to": 1, "valid": true}

Hints

Hint 1
SHA-256 always produces the same 64-character hex output for the same input
Hint 2
verify_integrity: hash the data and compare to expected_hash
Hint 3
Never use SHA-256 for passwords — use bcrypt, scrypt, or Argon2
Hint 4
bcrypt includes a random salt and work factor automatically in the hash string
Hint 5
verify_password: use bcrypt.compare() — do not hash manually and compare

Resources

Password Hashing
OWASP password storage cheat sheet: bcrypt, scrypt, Argon2
Password Hashing Competition
Password Hashing Competition (Argon2)
OVERVIEW

Theoretical Hub

Concept overview coming soon

Key Concepts

SHA-256bcrypthash integritypassword hashingsaltwork factor
main.py
python
Implement Cryptographic Hash Functions - The Securitor | Build Distributed Systems