EP46 - AskDeveloper Podcast - Cryptography - Part 1 - Introduction and Hashing - a podcast by Mohamed Elsherif, Amr Eldib, Yasser Makram, Tamer Zaki & Ahmed Elmalt

from 2016-10-01T20:34:57

Information Security
1. Introduction
  - Security by obscurity
    - Steganography
      - Hiding data inside another form of data, like using unused bits in an image to hide a message
    - Cool, but not practical.
    - Disadvantages
      - Algorithm secrecy vs. key secrecy
  - Cryptography is everywhere, and yet if done right, you can barely see it.
  - Goals:
    - Confidentiality
      - Secrets stay secret.
    - Integrity
      - Data is not tampered with.
    - Non-Repudiation
      - No party can deny sending messages.
    - Authentication
      - Each party can ensure that the sender is who they expect.
  - Cryptography
    - Hashing
    - Encryption
    - Signing
    - Protocols
  - Random Number Generators
    - Extremely important; the strength of almost all encryption and hashing is affected by how random the random number generator is.
    - Don't use a simple random number generator; use a cryptographic random number generator with a sophisticated source of entropy.
    - Pseudorandom number generator
    - Dual_EC_DRBG random generator backdoor
2. Body
  - Hashing (One Way)
    - Properties
      - Fixed-length output no matter what size the input was
      - Very easy to compute the hash of a given message, but very hard to compute the corresponding input from a hash.
      - Mathematically infeasible to generate a message that has a given hash
      - Any modification to a message produces a completely different hash that has no relationship to the original message's hash.
      - It is mathematically infeasible to find two messages with the same hash (a hash collision).
    - Hashing Functions
      - Provide data integrity, but lack authentication
      - Examples
        - MD5
          - Considered insecure
        - Secure Hash family SHA-X: SHA-1, SHA-2 [SHA-256, SHA-512], SHA-3
          - SHA-1 is considered insecure.
          - SHA-1 and SHA-2 were designed by the NSA.
          - SHA-3 was not designed by the NSA; it was a competition winner.
      - Attacks
        - Brute force
          - CPUs are getting faster and cheaper every day.
          - GPUs are getting faster and cheaper every day.
          - Special hash-calculating hardware is becoming more available, especially with the Bitcoin push.
        - Rainbow table attacks
          - Pre-calculated tables where you can reverse-lookup a hash to a value
          - Try www.crackstation.net
    - Hash Message Authentication Codes (HMAC)
      - Adds authentication to integrity
      - Can be used with all previous algorithms: HMACMD5, HMACSHA1, HMAC256, etc.
    - Salted Hash
      - Adds a random salt to mitigate rainbow tables
      - Salts are unique per record, and not a secret.
    - Password Based Key Derivation Function (PBKDF2)
      - RSA Public Key Cryptographic Standard PKCS #5 Version 2.0
      - Internet Engineering Task Force RFC 2898 Specification
        - Adds a lot of iterations to slow it just enough to mitigate brute force (default 50,000 iterations)
        - Adds a random salt to mitigate rainbow tables
      - Disadvantage: it can be easily implemented in hardware, which makes it vulnerable to brute force even with a high number of iterations
    - Bcrypt
      - Password hashing function
      - State-of-the-art password hashing
    - Usages
      - Integrity Check
      - Password Storage

Our Facebook page
http://facebook.com/askdeveloper
On SoundCloud
http://soundcloud.com/askdeveloper
Please Like & Subscribe
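
Added example, not part of the episode notes: the Salted Hash and PBKDF2 items from the outline above, written in Python to show why a per-record salt defeats a precomputed table and how a stored record is verified. The record format, the 16-byte salt and the sample password are assumptions made for illustration; the 50,000 iteration count is the figure the notes quote.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 50_000  # figure quoted in the notes; an assumption here, not a tuned value
SALT_BYTES = 16      # assumed salt size for this example


def unsalted_digest(password):
    """Plain SHA-256: equal passwords give equal digests, so one
    precomputed (rainbow) table reverses every matching record."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return 'algorithm$iterations$salt$key' for storage. The salt comes
    from the OS CSPRNG, is unique per record, and is stored in the clear."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and iteration count, then compare
    in constant time. Malformed records are rejected instead of raising."""
    try:
        algorithm, iterations, salt_hex, key_hex = record.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                        salt, int(iterations))
    except (ValueError, OverflowError):
        return False
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample: two users who picked the same password.
    alice, bob = hash_password("hunter2"), hash_password("hunter2")
    print("unsalted digests equal:", unsalted_digest("hunter2") == unsalted_digest("hunter2"))
    print("salted records differ: ", alice != bob)
    print("correct password:      ", verify_password("hunter2", alice))
    print("wrong password:        ", verify_password("hunter3", alice))
```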
