Cryptography
Cryptography Defined
- Cryptography
("hidden
secret"
in Greek) is the practice and study of techniques for secure
communication in the
presence of third parties (called adversaries,
a malicious entity). It is about constructing and analyzing protocols
or algorithms
that overcome
the influence of adversaries.
- It is used to secure Web application in:
- Authentication:
- Securing user credential data by encrypting the data
stored
in
the database and the SQL connection that leads to the data store.
- Securing the transfer (e.g., SSL) of user credential
data
through th ecommunication channel.
- Non-repudiation:
Preserving proof
that the request was sent from the originating system through encrypted
digital signatures .
- Privacy:
Keeping data
confidential.
- Integrity:
Ensuring
that data is not changed during transmission or storage.
Encryption and Decryption
- Encryption
is the
process
of converting a string of characters into another
string of
characters through the use of a cryptography algorithm combined
with a key, so that by
examination,
the original string of characters cannot be deciphered.
- Decryption
is to
make the encrypted characters
readable again.
- The strength of the encryption is determined by
the key size .
- Common key sizes include 64
bit (8 bytes), 128 bit (16 bytes), 192 bit (24 bytes), 256 bit (32
bytes) and 512 bit (64 bytes).
- The larger the key, the stronger the
encryption.
- To hack encrypted characters, unless the key is stolen, the
hackers must use brute
force
program to test every single possible key
combination. Hacking a key is not easy, because, for example, for a
64-bit key, there are 72,057,594,037,927,936 possible combinations
(2^56 -
8 bits are held for parity).
- Key Management refers to the secure
administration of keys
to provide them to users where and when they are required.
- Cryptography Approaches:
- Symmetric Encryption
- Both the encrypting side (encryptor) and the decrypting
side
(decryptor) use and have access to the same key.
- Have to have a very high level of trust
of sharing the key
between the two sides.
- Are extremely fast and well suited for
encrypting large
streams of data.
- Inevitable concern with how to securely transfer the
key
to
the decryptor.
- Read more about Symmetric
key algorithms
- Asymmetric Encryption
- Use two different keys: a public key for encryption and
a
private key for decryption.
- This approach is used by SSL to secure HTTP
transmissions.
- Used for small amount of data, because it is relatively
slow due to more computation.
- More secure than symmetric encryption.
- Read more about Asymmetric
key algorithms
- Demo 1
Secure Socket Layer (SSL)
- Steps:
- A browser sends a https
request to a web server; the web server sends back a SSL certificate.
- The browser checks the certificate to make sure that the
web server can be trusted.
- Trustworthiness
check: The certificate was issued by a trustworthy certification agency
(i.e. was provided with a valid digital
signature).
- Validity
check: The certificate has not expired, or been declared invalid by the
certification agency before expiry of its validity period.
- IP
check: The web server address stated in the certificate agrees
with the address entered into the browser address field.
- If the web server can be trusted, the browser sends a
message to the server and the web server sends back a digitally signed
acknowledgement to start an SSL
encrypted session.
- Encrypted data is shared between the browser and the web
server
- Watch this YouTube on How SSL Works
Hashing
- Hashing
is a
cryptographic function used to provide a secure fingerprint of
data.
- A hash value is derived from a mathematical algorithm such
as Message Digest
algorithm 5 (MD5), Secure
Hash Algorithm (SHA), and so
on, to a fixed-length checksum.
- A hash value is
- fix-lengthed
- always
be the same length for any given input of different size (variable
length to fixed length).
- deterministic
- will
always be the same for any given input.
- irreverrsible
- is almost
impossible to reverse (no "de-hash").
- unique
- will never
have another same values.
- However, according to CrackStation, there
might approximately be 40% of the hashes that can be cracked
by a service like CrackStation
in the first day that someone gets a hold of your database:
"Say you have a database of 1 Million
hashes. You want to perform a dictionary attack on every hash, but you
don't want to do 1 million dictionary attacks. What you do is hash
every word in your dictionary, and store the word:hash pair in a lookup
table. Next, you go through all the hashes you want to crack and see if
the hash exists in the lookup table. If it does, you've just found the
password. In this case the lookup table method is MUCH faster than
doing 1 million dictionary attacks. You only have to hash each word in
your wordlist once, then perform 1 million lookups (which are VERY
fast). These lookup table databases DO exist!"
- It is better to choose a secure hash algorithm and
then add a salt value which is a
string of random characters used to the hashed value harder to crack.
- The process for storing the password is as follows:
- Generate a long random salt.
- Compute the
salted hash value by a strong hash
algorithm like SHA256.
- Save both the hash and salt in the database.
- To validate a password:
- Get the hash and salt for that user
from the database.
- Compute the salted hash value of the password entered by
the user.
- Compare 1 and 2.
- Demo 2
Hashing vs. Encryption
- Encryption is two way; Hashing is one way.
- Hashing is used for faster retrieval of data from databases.