
Cryptography

Cryptography Defined

  • Cryptography ("hidden secret" in Greek) is the practice and study of techniques for secure communication in the presence of third parties (called adversaries: malicious entities). It is about constructing and analyzing protocols or algorithms that overcome the influence of adversaries.
  • It is used to secure Web applications in:
    • Authentication:
      • Securing user credential data by encrypting the data stored in the database and the SQL connection that leads to the data store.
      • Securing the transfer (e.g., SSL) of user credential data through the communication channel.
    • Non-repudiation: Preserving proof that the request was sent from the originating system through encrypted digital signatures.
    • Privacy: Keeping data confidential.
    • Integrity: Ensuring that data is not changed during transmission or storage.

Encryption and Decryption

  • Encryption is the process of converting a string of characters into another string of characters through the use of a cryptographic algorithm combined with a key, so that the original string of characters cannot be recovered by inspection alone.
  • Decryption is to make the encrypted characters readable again.
  • The strength of the encryption is determined by the key size.
    • Common key sizes include 64 bit (8 bytes), 128 bit (16 bytes), 192 bit (24 bytes), 256 bit (32 bytes) and 512 bit (64 bytes).
    • The larger the key, the stronger the encryption.
  • To break encrypted characters without stealing the key, an attacker must use a brute-force program to test every possible key. Breaking a key is not easy: for example, a 64-bit key has 72,057,594,037,927,936 possible combinations (2^56, because 8 of the 64 bits are reserved for parity).
  • Key Management refers to the secure administration of keys to provide them to users where and when they are required.
  • Cryptography Approaches:  
    • Symmetric Encryption
      • Both the encrypting side (encryptor) and the decrypting side (decryptor) use, and have access to, the same key.
      • Requires a very high level of trust between the two sides sharing the key.
      • Extremely fast and well suited for encrypting large streams of data.
      • Raises the inevitable concern of how to securely transfer the key to the decryptor.
      • Read more about Symmetric key algorithms
    • Asymmetric Encryption
      • Uses two different keys: a public key for encryption and a private key for decryption.
      • This approach is used by SSL to secure HTTP transmissions.
      • Used for small amounts of data, because it is relatively slow due to the extra computation.
      • More secure than symmetric encryption.
      • Read more about Asymmetric key algorithms
  • Demo 1

Secure Socket Layer (SSL)

  • Steps:
    1. A browser sends an HTTPS request to a web server; the web server sends back an SSL certificate.
    2. The browser checks the certificate to make sure that the web server can be trusted.
      1. Trustworthiness check: The certificate was issued by a trustworthy certification agency (i.e. it carries a valid digital signature).
      2. Validity check: The certificate has not expired, and has not been declared invalid by the certification agency before the end of its validity period.
      3. IP check: The web server address stated in the certificate agrees with the address entered into the browser address field.
    3. If the web server can be trusted, the browser sends a message to the server and the web server sends back a digitally signed acknowledgement to start an SSL-encrypted session.
    4. Encrypted data is shared between the browser and the web server.
  • Watch this YouTube on How SSL Works

Hashing

  • Hashing is a cryptographic function used to provide a secure fingerprint of data.
  • A hash value is produced by applying a mathematical algorithm such as Message Digest algorithm 5 (MD5) or the Secure Hash Algorithm (SHA) to the data, yielding a fixed-length checksum.
  • A hash value is
    • fixed-length - always the same length regardless of the input's size (variable-length input to fixed-length output).
    • deterministic - always the same for any given input.
    • irreversible - almost impossible to reverse (there is no "de-hash").
    • unique - two different inputs will never produce the same value.
  • However, according to CrackStation, approximately 40% of the hashes could be cracked by a service like CrackStation within the first day after someone gets hold of your database:
"Say you have a database of 1 Million hashes. You want to perform a dictionary attack on every hash, but you don't want to do 1 million dictionary attacks. What you do is hash every word in your dictionary, and store the word:hash pair in a lookup table. Next, you go through all the hashes you want to crack and see if the hash exists in the lookup table. If it does, you've just found the password. In this case the lookup table method is MUCH faster than doing 1 million dictionary attacks. You only have to hash each word in your wordlist once, then perform 1 million lookups (which are VERY fast). These lookup table databases DO exist!"
  • It is better to choose a secure hash algorithm and then add a salt value, a string of random characters combined with the password, to make the hashed value harder to crack.
  • The process for storing the password is as follows:
    1. Generate a long random salt.
    2. Compute the salted hash value by a strong hash algorithm like SHA256.
    3. Save both the hash and salt in the database.
  • To validate a password:
    1. Get the hash and salt for that user from the database.
    2. Compute the salted hash value of the password entered by the user, using the stored salt.
    3. Compare the value from step 1 with the value from step 2.
  • Demo 2
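The store-and-validate process above, worked through in Python as an added example (not the course's Demo 2): a dict stands in for the database table, the salt is 16 random bytes, and the hash is SHA-256 over salt + password exactly as the steps describe. It also shows why the salt defeats the CrackStation lookup table: two users with the same password get different stored hashes.

```python
import hashlib
import hmac
import secrets


def generate_salt(num_bytes: int = 16) -> str:
    """Step 1: a long random salt (16 bytes = 128 bits), hex-encoded for storage."""
    return secrets.token_hex(num_bytes)


def salted_hash(password: str, salt: str) -> str:
    """Step 2: SHA-256 over salt + password, as the page's process describes."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def store_password(db: dict, username: str, password: str) -> None:
    """Step 3: save both the hash and the salt (the dict stands in for a database)."""
    salt = generate_salt()
    db[username] = {"salt": salt, "hash": salted_hash(password, salt)}


def verify_password(db: dict, username: str, attempt: str) -> bool:
    """Validation: fetch hash + salt, re-hash the attempt with that salt, compare."""
    record = db.get(username)
    if record is None:
        return False
    # Constant-time comparison so response timing does not leak how many
    # leading characters of the stored hash matched.
    return hmac.compare_digest(record["hash"], salted_hash(attempt, record["salt"]))


def demo() -> dict:
    """Constructed sample users; returns the checks so they can be asserted."""
    db = {}
    store_password(db, "alice", "correct horse")
    store_password(db, "bob", "correct horse")  # same password, different salt
    unsalted = hashlib.sha256(b"correct horse").hexdigest()
    return {
        "alice_ok": verify_password(db, "alice", "correct horse"),
        "alice_wrong": verify_password(db, "alice", "Correct horse"),
        "unknown_user": verify_password(db, "carol", "correct horse"),
        # Without a salt both users would store the identical value `unsalted`,
        # so one lookup-table hit would reveal both passwords at once.
        "salted_hashes_differ": db["alice"]["hash"] != db["bob"]["hash"],
        "unsalted_hashes_equal": unsalted == hashlib.sha256(b"correct horse").hexdigest(),
    }


if __name__ == "__main__":
    print(demo())
```

Production systems use a deliberately slow key-stretching function (e.g. PBKDF2, which Python exposes as hashlib.pbkdf2_hmac) in place of a single SHA-256 round, so that each guess costs the attacker far more than one hash.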

Hashing vs. Encryption

  • Encryption is two way; Hashing is one way.
  • Hashing is used for faster retrieval of data from databases.