What is SHA-256 Hashing?
SHA-256 is the cryptographic algorithm that generates the tamper-proof fingerprint at the core of every AI Verified business passport.
Definition
SHA-256 is a cryptographic hash function in the SHA-2 family, standardised by the United States National Institute of Standards and Technology (NIST) in FIPS Publication 180-4. It takes any input — a word, a document, a database record, or an entire file — and produces a fixed-length 256-bit output, represented as a 64-character hexadecimal string. This output is called the hash, the digest, or the fingerprint of the input.
The defining characteristic of SHA-256 is that it is deterministic and one-way. Deterministic means the same input always produces the same output: if you hash the string "Acme Ltd, registration number 2024/001234/07, South Africa" today and again in ten years, you will get exactly the same 64-character string. One-way means the process cannot be reversed: given the hash, it is computationally infeasible to reconstruct the original input. These two properties together make SHA-256 the foundation of digital signatures, blockchain technology, certificate authorities, and — in the context of aiverified.io — tamper-proof business identity records.
SHA-256 was designed to replace the earlier SHA-1 algorithm, which was found to have theoretical weaknesses in 2005 and practical collision vulnerabilities by 2017. SHA-256 has no known practical weaknesses and is currently recommended by NIST, the European Union Agency for Cybersecurity (ENISA), and every major standards body for use in security-critical applications.
How SHA-256 hashing works
SHA-256 processes its input through a series of mathematical operations that are easy to compute in one direction and practically impossible to reverse. The algorithm begins by padding the input to a specific length, then breaking it into 512-bit blocks. Each block is processed through 64 rounds of a compression function that combines the block data with eight 32-bit state variables using bitwise operations, modular addition, and logical functions. The final state after processing all blocks is the 256-bit hash.
The most important property for understanding why SHA-256 is useful for business identity is the avalanche effect. Consider a concrete example: the string Acme Ltd, 2024/001234/07, ZA produces the hash a3f2c1.... Change a single character — replace the comma with a full stop — and the result is 7d9e4b.... The two hashes share almost no digits. There is no partial match, no gradual change. The entire output is different. This means that any attempt to alter a business's verified identity record — changing the legal name, the registration number, or the country — produces a completely different hash that does not match the published value, making the alteration immediately detectable.
The three-step verification process that AI Verified uses illustrates this in practice. In step one, the business submits its identity details through the claim form. The system constructs a canonical JSON-LD document from the submitted data, sorting all keys alphabetically to ensure that the same data always produces the same document regardless of the order in which fields were entered. In step two, this canonical document is processed through SHA-256 to produce a 64-character forensic hash. This hash is the business's permanent identifier — it is published at aiverified.io/v/{hash}/ and embedded in the JSON-LD structured data served on the passport page. In step three, any AI system, search engine, or human can independently verify the record by taking the canonical document from the passport page, running it through SHA-256, and confirming that the result matches the published hash. If it matches, the record is authentic. If it does not match, the record has been altered.
This independent verifiability is what distinguishes SHA-256-anchored identity from self-reported business directories. A business cannot claim a different legal name or registration number without producing a different hash. The hash is the proof.
Why SHA-256 matters for business identity
The rise of AI answer engines has created a new category of risk for businesses: identity fraud and hallucination. When an AI system is asked about a business, it retrieves information from its training data and from structured sources it can access in real time. If the business's identity information is not cryptographically anchored, there is no way for the AI to distinguish between the authentic record and a fraudulent or hallucinated one. SHA-256 solves this by creating a mathematical proof of identity that is independent of any single platform or database.
The practical consequence for businesses is significant. An AI agent making a purchasing decision, a search engine deciding whether to display a business in a local pack, or an autonomous system verifying a supplier's credentials all need to answer the same question: is this the real business, and has the information been altered? Without a cryptographic anchor, the answer is always uncertain. With a SHA-256 hash published at a permanent URL, the answer is verifiable in milliseconds.
| Without SHA-256 | With SHA-256 |
|---|---|
| Identity can be altered without detection | Any alteration produces a different hash — immediately detectable |
| AI systems cannot verify the record is authentic | Any AI system can independently verify the record in milliseconds |
| No permanent identifier — business name can be duplicated | 64-character forensic hash is globally unique to this exact record |
| Verification requires human lookup in government registry | Verification is automated via public API — no human required |
| Identity record can be disputed or impersonated | Cryptographic proof is independent of any single authority |
AI Verified handles this automatically. Every verified passport includes a SHA-256 forensic hash generated from your canonical identity document — no developer, no cryptography knowledge required. Get your free passport →
Why most businesses cannot implement SHA-256 themselves
The first and most significant barrier is canonical JSON serialisation precision. SHA-256 is deterministic — the same input always produces the same output — but this only works if the input is identical every time. A JSON document with keys in a different order, extra whitespace, or different Unicode normalisation will produce a completely different hash. Implementing canonical serialisation correctly requires understanding JSON-LD compaction algorithms, Unicode normalisation forms, and deterministic key ordering. A single invisible character difference — a non-breaking space, a different line ending, a byte-order mark — will produce a hash that does not match the published value. Most developers who attempt this get it wrong on the first attempt, and the errors are extremely difficult to debug.
The second barrier is the need for a trusted publication URL. A SHA-256 hash is only useful as a verification mechanism if it is published at a permanent, publicly accessible URL that AI systems and crawlers can reach. Generating a hash locally and storing it in a database solves nothing — there is no way for an external system to verify it. The hash must be served at a canonical URL with the correct JSON-LD context, the correct content type, and the correct HTTP headers. Setting up this infrastructure requires a server, a domain, SSL, and the technical knowledge to serve JSON-LD correctly.
The third barrier is the absence of a registry anchor. Even if a business generates a correct SHA-256 hash and publishes it at a permanent URL, the hash is only as trustworthy as the publication. Without a third-party registry that has independently verified the business's legal registration and anchored the hash to a confirmed identity, the hash is self-reported. An AI system has no way to distinguish between a legitimate business that has correctly implemented SHA-256 and a fraudulent actor who has done the same. The registry anchor — the independent verification step — is what transforms a cryptographic fingerprint into a trust signal.
How aiverified.io provides SHA-256 business identity
Every AI Verified passport is built around a SHA-256 forensic hash generated from a canonical identity document. When a business submits its details through the claim form, the system constructs a JSON-LD document using the Schema.org Organisation type with the business's legal name, registration number, country of incorporation, and website domain as the primary fields. The keys are sorted alphabetically and the document is serialised using a deterministic algorithm that produces identical output regardless of the order in which fields were submitted. This canonical document is then processed through SHA-256 to produce the forensic hash.
The hash is published at aiverified.io/v/{hash}/ as a human-readable passport page, at aiverified.io/v/{hash}.json as a machine-readable JSON-LD document, and at aiverified.io/api/verify?hash={hash} as a REST API endpoint. All three representations are served with the correct content types and HTTP headers. The JSON-LD document is served in the <head> tag of the passport page, making it readable by AI crawlers that do not execute JavaScript — the most important detail for AI system compatibility.
For Silver, Gold, and Platinum tier passports, the hash is additionally anchored to a verified legal registration. A member of the aiverified.io team reviews the business's government registration certificate and confirms that the legal name and registration number in the canonical document match the official record. This verification step transforms the hash from a self-reported fingerprint into a third-party verified identity anchor. The verification status is recorded in the JSON-LD document as a hasCredential property linking to the passport, and the verification timestamp is included as a dateModified property so AI systems can assess the recency of the verification.
The result is a business identity record that any AI system, search engine, or autonomous agent can verify independently, in milliseconds, without human intervention, and without trusting any single authority. The mathematics of SHA-256 are the authority.
Frequently asked questions
What makes SHA-256 tamper-proof?
SHA-256 is tamper-proof because of a property called the avalanche effect: if you change even a single character in the input — one letter, one space, one punctuation mark — the resulting hash changes completely and unpredictably. There is no gradual change. A document that differs by one character produces a hash that shares almost no digits with the original. This means any attempt to alter a verified record is immediately detectable by recomputing the hash and comparing it to the published value. The mathematics guarantee this property — it is not a policy or a promise, it is a mathematical certainty.
Can SHA-256 be reversed?
No. SHA-256 is a one-way function, which means it is computationally infeasible to work backwards from the hash to the original input. This property is called preimage resistance. The only way to find an input that produces a given hash is to try every possible input — a process that would take longer than the age of the universe even with the most powerful computers available. This is why SHA-256 is trusted for securing financial transactions, digital signatures, and identity records. The one-way property is not a limitation — it is the feature. You can verify a record without being able to reconstruct it from the hash alone.
How does AI Verified use SHA-256?
AI Verified uses SHA-256 to generate a unique forensic hash for every business passport. When a business submits its identity details, the system constructs a canonical JSON-LD document from the data, sorts all keys alphabetically to ensure deterministic ordering, and runs the result through SHA-256. The resulting 64-character hexadecimal string becomes the business's permanent identifier. The hash is published at aiverified.io/v/{hash}/ and embedded in the JSON-LD structured data served on every passport page, making it independently verifiable by any AI system or human. The hash is also used as the primary key in the AI Verified registry and as the identifier in the knowledge graph entry.
What is the difference between SHA-256 and a password hash?
SHA-256 is a general-purpose cryptographic hash function designed for speed and determinism — the same input always produces the same output, and the computation is fast. Password hashing algorithms like bcrypt, scrypt, and Argon2 are intentionally slow and include a random salt to prevent precomputation attacks. For business identity verification, speed and determinism are desirable properties: you want to be able to recompute the hash quickly to verify a record. For passwords, you want the opposite — slow computation makes brute-force attacks impractical. AI Verified uses SHA-256 for identity fingerprinting, not for password storage. Passwords in the aiverified.io system are hashed using bcrypt.
How do I verify a SHA-256 hash myself?
You can verify any AI Verified passport hash using standard command-line tools available on every operating system. Retrieve the canonical JSON-LD document from the passport's .json URL, save it to a file, and run sha256sum filename.json on Linux or Mac, or Get-FileHash filename.json -Algorithm SHA256 on Windows. The output should match the hash shown in the passport URL and in the JSON-LD identifier property. If it matches, the record is authentic and unaltered. If it does not match, the record has been modified since the hash was generated. You can also use the AI Verified API at aiverified.io/api/verify?hash={hash} to verify programmatically without downloading the document.
Sources and further reading
- FIPS 180-4: Secure Hash Standard — National Institute of Standards and Technology (NIST)
- SHA-2 — Wikipedia
- JSON-LD 1.1 Specification — W3C
- Organization — Schema.org — Schema.org