Complete Guide to Hashing and Encryption: Using MD5, SHA256, and AES Correctly
Encoding (Updated May 25, 2026)
Hash vs. Encryption: The Key Difference
| | Hash | Encryption |
|---|---|---|
| Reversible | ❌ One-way | ✅ Decryptable |
| Purpose | Integrity checks, fingerprints | Confidential transmission |
| Key required | No | Yes |
| Examples | MD5, SHA256 | AES, RSA |
Common mistake: "MD5 encrypts passwords" — MD5 is a hash, not encryption, and is no longer secure.
Hash Algorithms
MD5
- Output: 128 bits (32 hex characters)
- Speed: Very fast
- Security: ❌ Collision-prone — not for security use
- Good for: Quick file integrity checks (non-security)
Use the MD5 tool to hash files or text.
SHA Family
| Algorithm | Output length | Security | Use |
|---|---|---|---|
| SHA-1 | 160 bits | ❌ Collision-prone | Legacy systems |
| SHA-256 | 256 bits | ✅ Secure | Recommended |
| SHA-512 | 512 bits | ✅ Secure | High-security needs |
Use the SHA256 tool to compute SHA-256 hashes.
HMAC
Hash + secret key = message authentication code. Verifies both integrity and origin:
HMAC-SHA256(message, secret_key) → authenticated hash
Use the HMAC tool to compute HMAC values.
Encryption Algorithms
AES (Symmetric)
Same key encrypts and decrypts:
| Mode | Characteristics | Recommendation |
|---|---|---|
| AES-128-CBC | Classic mode | General use |
| AES-256-GCM | Authenticated encryption | Recommended |
| AES-256-CTR | Stream-style | Large files |
Use the AES tool for AES encrypt/decrypt.
When to Use Hash vs. Encryption
- File download verification → SHA256 hash comparison
- Password storage → bcrypt/argon2 (not MD5!)
- API signatures → HMAC-SHA256
- Data in transit → AES-256-GCM encryption
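
The download-verification, API-signature and data-in-transit cases above, as an added example (not ToolsKu's code) that uses Node.js's built-in `crypto` module rather than the browser Web Crypto API. The function names, sample messages and the `iv || tag || ciphertext` layout are assumptions of this example; password storage is left out because bcrypt and argon2 are not in Node's standard library.

```javascript
// Added example: Node.js built-in crypto (this lookup works in CommonJS and ES modules).
const nodeCrypto = typeof require === 'function'
  ? require('node:crypto')
  : process.getBuiltinModule('node:crypto');

// Hash: one-way, no key. Anyone can recompute it, so it proves integrity only.
function sha256Hex(data) {
  return nodeCrypto.createHash('sha256').update(data).digest('hex');
}

// HMAC-SHA256: keyed, so a valid tag also proves the sender holds the secret.
function hmacSign(message, secretKey) {
  return nodeCrypto.createHmac('sha256', secretKey).update(message).digest();
}

// Verify in constant time; a plain === on hex strings leaks timing information.
function hmacVerify(message, tag, secretKey) {
  const expected = hmacSign(message, secretKey);
  return tag.length === expected.length && nodeCrypto.timingSafeEqual(tag, expected);
}

// AES-256-GCM: reversible with the key. A fresh 12-byte IV per message is
// mandatory; the output layout (iv || tag || ciphertext) is this example's choice.
function aesGcmEncrypt(plaintext, key) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

// Returns the plaintext, or throws if the key is wrong or any byte was altered.
function aesGcmDecrypt(blob, key) {
  const iv = blob.subarray(0, 12);
  const tag = blob.subarray(12, 28);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv, { authTagLength: 16 });
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]).toString('utf8');
}

// Constructed sample values. The key is generated at runtime, never hard-coded.
const demoKey = nodeCrypto.randomBytes(32);
const sealed = aesGcmEncrypt('constructed sample message', demoKey);
console.log(sha256Hex('hello'));
console.log(hmacVerify('amount=10', hmacSign('amount=10', demoKey), demoKey));
console.log(aesGcmDecrypt(sealed, demoKey));
```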
Common Misuse and Correct Practice
| Misuse | Problem | Correct approach |
|---|---|---|
| MD5 for passwords | Rainbow tables crack instantly | bcrypt/argon2 + salt |
| SHA256 for passwords | Too fast, easy to brute-force | Dedicated password hash functions |
| Hard-coded AES key | Source leak = key leak | Environment variables / KMS |
| ECB mode | Same plaintext → same ciphertext | Use CBC/GCM modes |
| Hash = encryption | Concept confusion | Use AES when decryption is needed |
ToolsKu Crypto Toolchain
All powered by the Web Crypto API, processed locally in your browser:
- MD5 — Quick fingerprint (non-security)
- SHA256 — Secure hashing
- HMAC — Message authentication
- AES — Symmetric encrypt/decrypt
- RSA — Asymmetric encrypt/decrypt
- SM2/SM3/SM4 — Chinese national crypto standards
Summary
Understanding the difference between hashing and encryption, and picking the right algorithm and mode, is a security fundamental. ToolsKu offers a full crypto toolchain that runs locally in the browser, ideal for development, debugging, and learning. For production, use audited cryptographic libraries.
#Hash #Encryption #MD5 #SHA256 #AES #Security