AskDeveloper Podcast #46: Cryptography Basics – Introduction & Hashing Explained 🔐
Kick off your cryptography journey with this episode covering fundamental concepts like security by obscurity, steganography, and the essentials of hashing. Perfect for beginners in information security!
Mohamed Elsherif
5.9K views • Oct 1, 2016
About this video
http://www.askdeveloper.com/2017/01/cryptography.html
Information Security
1. Introduction
○ Security by obscurity
§ Steganography
□ Hiding data inside another form of data, like using non-used bits in image to hide a message
§ Cool, but not practical.
§ Disadvantages
◊ Algorithm secrecy vs. key secrecy
○ Cryptography is everywhere and yet if done right, you can barely see it.
○ Goals:
§ Confidentiality
□ Secrets stay secret.
§ Integrity
□ Data is not tampered with.
§ Non-Repudiation
□ No party can deny sending messages.
§ Authentication
□ Each party can ensure that the sender is what they expect.
○ Cryptography
§ Hashing
§ Encryption
§ Signing
§ Protocols
○ Random Number Generators
§ Extremely important, almost all encryption/hashing strength is affected by how random the random number generator is.
§ Don't use simple random number, use a cryptographic random number generator with a sophisticated source of entropy.
§ Pseudorandom number generator
§ Dual_EC_DRBG random generator backdoor
2. Body
○ Hashing (one Way)
§ Properties
□ Fixed length output no matter what size the input was
□ Very easy to compute the hash of a given message, however very hard to compute from a hash the corresponding input.
□ Mathematically infeasible to generate a message that has a given hash
□ Any modification to a message produces a completely different hash that has no relationship to the original message's hash.
□ It is mathematically infeasible to find two messages with the same hash. Hash Collision
§ Hashing Functions
□ Provides data integrity, however lacks authentication
□ Examples
® MD5
◊ Considered Insecure
® Secure Hash Family SHA-X, Sha-1, Sha-2 [Sha256, Sha512], Sha-3
◊ Sha-1 is considered insecure.
◊ Sha-1, Sha-2 designed by NSA
◊ Sha-3 is not designed by NSA, Competition winner.
□ Attacks
® Brute force
◊ CPU's are getting faster and cheaper every day.
◊ GPU's are getting faster and cheaper every day.
◊ Special Hash calculating hardware is becoming more available especially with the BitCoin push.
® Rainbow table attacks
◊ Pre-Calculated tables where you can reverse lookup a hash to a value
◊ Try www.crackstation.net
§ Hash Message Authentication Codes (HMAC)
□ Adds authentication to integrity
□ Can be used with all previous algorithms, HMACMD5, HMACShA1, HMAC256 … etc.
§ Salted Hash
□ Adds random salt to mitigate rainbow table
□ Salts are unique per record, and not a secret.
§ Password Based Key Derivation Function (PBKDF2)
□ RSA Public Key Cryptographic Standard PKCS #5 Version 2.0
□ Internet Engineering Task Force RFC 2898 Specification
® Adds a lot of iterations to slow it just enough to mitigate brute force (default 50,000 iterations)
® Adds random salt to mitigate rainbow table
□ Disadvantage: It can be easily implemented with hardware which makes it vulnerable to bruteforce even with high number of iterations
§ Bcrypt
□ Password Hashing function
□ State of the art password hashing
§ Usages
□ Integrity Check
Password Storage
Our facebook Page
http://facebook.com/askdeveloper
On Sound Cloud
http://soundcloud.com/askdeveloper
Please Like & Subscribe
Information Security
1. Introduction
○ Security by obscurity
§ Steganography
□ Hiding data inside another form of data, like using non-used bits in image to hide a message
§ Cool, but not practical.
§ Disadvantages
◊ Algorithm secrecy vs. key secrecy
○ Cryptography is everywhere and yet if done right, you can barely see it.
○ Goals:
§ Confidentiality
□ Secrets stay secret.
§ Integrity
□ Data is not tampered with.
§ Non-Repudiation
□ No party can deny sending messages.
§ Authentication
□ Each party can ensure that the sender is what they expect.
○ Cryptography
§ Hashing
§ Encryption
§ Signing
§ Protocols
○ Random Number Generators
§ Extremely important, almost all encryption/hashing strength is affected by how random the random number generator is.
§ Don't use simple random number, use a cryptographic random number generator with a sophisticated source of entropy.
§ Pseudorandom number generator
§ Dual_EC_DRBG random generator backdoor
2. Body
○ Hashing (one Way)
§ Properties
□ Fixed length output no matter what size the input was
□ Very easy to compute the hash of a given message, however very hard to compute from a hash the corresponding input.
□ Mathematically infeasible to generate a message that has a given hash
□ Any modification to a message produces a completely different hash that has no relationship to the original message's hash.
□ It is mathematically infeasible to find two messages with the same hash. Hash Collision
§ Hashing Functions
□ Provides data integrity, however lacks authentication
□ Examples
® MD5
◊ Considered Insecure
® Secure Hash Family SHA-X, Sha-1, Sha-2 [Sha256, Sha512], Sha-3
◊ Sha-1 is considered insecure.
◊ Sha-1, Sha-2 designed by NSA
◊ Sha-3 is not designed by NSA, Competition winner.
□ Attacks
® Brute force
◊ CPU's are getting faster and cheaper every day.
◊ GPU's are getting faster and cheaper every day.
◊ Special Hash calculating hardware is becoming more available especially with the BitCoin push.
® Rainbow table attacks
◊ Pre-Calculated tables where you can reverse lookup a hash to a value
◊ Try www.crackstation.net
§ Hash Message Authentication Codes (HMAC)
□ Adds authentication to integrity
□ Can be used with all previous algorithms, HMACMD5, HMACShA1, HMAC256 … etc.
§ Salted Hash
□ Adds random salt to mitigate rainbow table
□ Salts are unique per record, and not a secret.
§ Password Based Key Derivation Function (PBKDF2)
□ RSA Public Key Cryptographic Standard PKCS #5 Version 2.0
□ Internet Engineering Task Force RFC 2898 Specification
® Adds a lot of iterations to slow it just enough to mitigate brute force (default 50,000 iterations)
® Adds random salt to mitigate rainbow table
□ Disadvantage: It can be easily implemented with hardware which makes it vulnerable to bruteforce even with high number of iterations
§ Bcrypt
□ Password Hashing function
□ State of the art password hashing
§ Usages
□ Integrity Check
Password Storage
Our facebook Page
http://facebook.com/askdeveloper
On Sound Cloud
http://soundcloud.com/askdeveloper
Please Like & Subscribe
Tags and Topics
Browse our collection to discover more content in these categories.
Video Information
Views
5.9K
Likes
237
Duration
01:40:46
Published
Oct 1, 2016
User Reviews
4.6
(1) Related Trending Topics
LIVE TRENDSRelated trending topics. Click any trend to explore more videos.
Trending Now