EP46 - AskDeveloper Podcast - Cryptography - Part 1 - Introduction and Hashing

AskDeveloper Podcast

Konten disediakan oleh Mohamed Elsherif. Semua konten podcast termasuk episode, grafik, dan deskripsi podcast diunggah dan disediakan langsung oleh Mohamed Elsherif atau mitra platform podcast mereka. Jika Anda yakin seseorang menggunakan karya berhak cipta Anda tanpa izin, Anda dapat mengikuti proses yang diuraikan di sini https://id.player.fm/legal.

7+ y ago 1:39:55

MP3•Beranda episode

Information Security 1. Introduction ? Security by obscurity § Steganography ? Hiding data inside another form of data, like using non-used bits in image to hide a message § Cool, but not practical. § Disadvantages ? Algorithm secrecy vs. key secrecy ? Cryptography is everywhere and yet if done right, you can barely see it. ? Goals: § Confidentiality ? Secrets stay secret. § Integrity ? Data is not tampered with. § Non-Repudiation ? No party can deny sending messages. § Authentication ? Each party can ensure that the sender is what they expect. ? Cryptography § Hashing § Encryption § Signing § Protocols ? Random Number Generators § Extremely important, almost all encryption/hashing strength is affected by how random the random number generator is. § Don't use simple random number, use a cryptographic random number generator with a sophisticated source of entropy. § Pseudorandom number generator § Dual_EC_DRBG random generator backdoor 2. Body ? Hashing (one Way) § Properties ? Fixed length output no matter what size the input was ? Very easy to compute the hash of a given message, however very hard to compute from a hash the corresponding input. ? Mathematically infeasible to generate a message that has a given hash ? Any modification to a message produces a completely different hash that has no relationship to the original message's hash. ? It is mathematically infeasible to find two messages with the same hash. Hash Collision § Hashing Functions ? Provides data integrity, however lacks authentication ? Examples ® MD5 ? Considered Insecure ® Secure Hash Family SHA-X, Sha-1, Sha-2 [Sha256, Sha512], Sha-3 ? Sha-1 is considered insecure. ? Sha-1, Sha-2 designed by NSA ? Sha-3 is not designed by NSA, Competition winner. ? Attacks ® Brute force ? CPU's are getting faster and cheaper every day. ? GPU's are getting faster and cheaper every day. ? Special Hash calculating hardware is becoming more available especially with the BitCoin push. ® Rainbow table attacks ? Pre-Calculated tables where you can reverse lookup a hash to a value ? Try www.crackstation.net § Hash Message Authentication Codes (HMAC) ? Adds authentication to integrity ? Can be used with all previous algorithms, HMACMD5, HMACShA1, HMAC256 … etc. § Salted Hash ? Adds random salt to mitigate rainbow table ? Salts are unique per record, and not a secret. § Password Based Key Derivation Function (PBKDF2) ? RSA Public Key Cryptographic Standard PKCS #5 Version 2.0 ? Internet Engineering Task Force RFC 2898 Specification ® Adds a lot of iterations to slow it just enough to mitigate brute force (default 50,000 iterations) ® Adds random salt to mitigate rainbow table ? Disadvantage: It can be easily implemented with hardware which makes it vulnerable to bruteforce even with high number of iterations § Bcrypt ? Password Hashing function ? State of the art password hashing § Usages ? Integrity Check Password Storage Our facebook Page http://facebook.com/askdeveloper On Sound Cloud http://soundcloud.com/askdeveloper Please Like & Subscribe

83 episode