Information Security
1. Introduction
○ Security by obscurity
§ Steganography
□ Hiding data inside another form of data, such as using unused bits in an image to hide a message
§ Cool, but not practical.
§ Disadvantages
◊ Algorithm secrecy vs. key secrecy
○ Cryptography is everywhere, and yet, if done right, you can barely see it.
○ Goals:
§ Confidentiality
□ Secrets stay secret.
§ Integrity
□ Data is not tampered with.
§ Non-Repudiation
□ No party can deny sending messages.
§ Authentication
□ Each party can ensure that the sender is who they expect.
○ Cryptography
§ Hashing
§ Encryption
§ Signing
§ Protocols
○ Random Number Generators
§ Extremely important: almost all encryption/hashing strength is affected by how random the random number generator is.
§ Don't use a simple random number generator; use a cryptographic random number generator with a sophisticated source of entropy.
§ Pseudorandom number generator
§ Dual_EC_DRBG random generator backdoor
2. Body
○ Hashing (One-Way)
§ Properties
□ Fixed length output no matter what size the input was
□ Very easy to compute the hash of a given message, but very hard to compute the corresponding input from a hash.
□ Mathematically infeasible to generate a message that has a given hash
□ Any modification to a message produces a completely different hash that has no relationship to the original message's hash.
□ It is mathematically infeasible to find two messages with the same hash (a hash collision).
§ Hashing Functions
□ Provides data integrity, however lacks authentication
□ Examples
® MD5
◊ Considered Insecure
® Secure Hash family (SHA-x): SHA-1, SHA-2 [SHA-256, SHA-512], SHA-3
◊ SHA-1 is considered insecure.
◊ SHA-1 and SHA-2 were designed by the NSA.
◊ SHA-3 was not designed by the NSA; it is a competition winner.
□ Attacks
® Brute force
◊ CPUs are getting faster and cheaper every day.
◊ GPUs are getting faster and cheaper every day.
◊ Special hash-calculating hardware is becoming more available, especially with the Bitcoin push.
® Rainbow table attacks
◊ Pre-calculated tables in which you can look up a hash to recover the value that produced it
◊ Try www.crackstation.net
§ Hash-based Message Authentication Codes (HMAC)
□ Adds authentication to integrity
□ Can be used with all of the previous algorithms: HMACMD5, HMACSHA1, HMACSHA256, etc.
§ Salted Hash
□ Adds a random salt to mitigate rainbow table attacks
□ Salts are unique per record, and not a secret.
§ Password Based Key Derivation Function (PBKDF2)
□ RSA Public-Key Cryptography Standards, PKCS #5 Version 2.0
□ Internet Engineering Task Force RFC 2898 Specification
® Adds a lot of iterations to slow it down just enough to mitigate brute force (default 50,000 iterations)
® Adds a random salt to mitigate rainbow table attacks
□ Disadvantage: It can be easily implemented in hardware, which makes it vulnerable to brute force even with a high number of iterations
§ Bcrypt
□ Password Hashing function
□ State of the art password hashing
§ Usages
□ Integrity Check
□ Password Storage
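
Added example (not part of the original notes): password storage with a per-record salt and PBKDF2, next to a plain unsalted hash for contrast. The record format and the function names are assumptions made for this sketch; the iteration count is the 50,000 figure quoted above.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 50_000        # figure quoted in the notes; raise it as hardware allows
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"   # hypothetical label for this example's record format


def unsalted_sha256(password: str) -> str:
    """Weak form: same password always gives the same hash, so a
    pre-calculated (rainbow) table can reverse it with one lookup."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a record 'scheme$iterations$salt_hex$hash_hex'."""
    # The salt comes from a cryptographic RNG, is unique per record,
    # and is stored in the clear next to the hash (it is not a secret).
    salt = secrets.token_bytes(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare."""
    try:
        scheme, iterations, salt_hex, hash_hex = record.split("$")
        if scheme != SCHEME:
            return False   # unknown scheme: reject rather than guess
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        derived = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, int(iterations)
        )
    except ValueError:
        return False       # malformed record
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(derived, expected)


if __name__ == "__main__":
    pw = "correct horse battery staple"   # constructed sample password
    print(unsalted_sha256(pw) == unsalted_sha256(pw))   # identical hashes
    a, b = hash_password(pw), hash_password(pw)
    print(a != b, verify_password(pw, a), verify_password(pw, b))
```

Storing the iteration count inside each record lets the count be raised later without invalidating existing records.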