
Content provided by Mohamed Elsherif. All podcast content, including episodes, graphics, and podcast descriptions, is uploaded and provided directly by Mohamed Elsherif or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here: https://th.player.fm/legal

EP46 - AskDeveloper Podcast - Cryptography - Part 1 - Introduction and Hashing

1:39:55
Manage episode 161857741 series 26781
Information Security

1. Introduction
   - Security by obscurity
     - Steganography
       - Hiding data inside another form of data, like using unused bits in an image to hide a message
     - Cool, but not practical.
     - Disadvantages
       - Algorithm secrecy vs. key secrecy
   - Cryptography is everywhere, and yet if done right, you can barely see it.
   - Goals:
     - Confidentiality: secrets stay secret.
     - Integrity: data is not tampered with.
     - Non-repudiation: no party can deny sending messages.
     - Authentication: each party can ensure that the sender is who they expect.
   - Cryptography
     - Hashing
     - Encryption
     - Signing
     - Protocols
   - Random number generators
     - Extremely important: almost all encryption/hashing strength is affected by how random the random number generator is.
     - Don't use a simple random number; use a cryptographic random number generator with a sophisticated source of entropy.
     - Pseudorandom number generator
     - Dual_EC_DRBG random generator backdoor

2. Body
   - Hashing (one way)
     - Properties
       - Fixed-length output no matter what size the input was.
       - Very easy to compute the hash of a given message, but very hard to compute the corresponding input from a hash.
       - Mathematically infeasible to generate a message that has a given hash.
       - Any modification to a message produces a completely different hash that has no relationship to the original message's hash.
       - It is mathematically infeasible to find two messages with the same hash (a hash collision).
     - Hashing functions
       - Provide data integrity, but lack authentication.
       - Examples
         - MD5: considered insecure.
         - Secure Hash family SHA-X: SHA-1, SHA-2 [SHA-256, SHA-512], SHA-3
           - SHA-1 is considered insecure.
           - SHA-1 and SHA-2 were designed by the NSA.
           - SHA-3 was not designed by the NSA; it was the winner of an open competition.
       - Attacks
         - Brute force
           - CPUs are getting faster and cheaper every day.
           - GPUs are getting faster and cheaper every day.
           - Special hash-calculating hardware is becoming more available, especially with the Bitcoin push.
         - Rainbow table attacks
           - Pre-calculated tables where you can reverse-lookup a hash to a value.
           - Try www.crackstation.net
     - Hash Message Authentication Codes (HMAC)
       - Adds authentication to integrity.
       - Can be used with all the previous algorithms: HMAC-MD5, HMAC-SHA1, HMAC-SHA256, etc.
     - Salted hash
       - Adds a random salt to mitigate rainbow tables.
       - Salts are unique per record, and not a secret.
     - Password-Based Key Derivation Function (PBKDF2)
       - RSA Public-Key Cryptography Standards, PKCS #5 Version 2.0
       - Internet Engineering Task Force RFC 2898 specification
         - Adds a lot of iterations to slow it down just enough to mitigate brute force (default 50,000 iterations).
         - Adds a random salt to mitigate rainbow tables.
       - Disadvantage: it can be easily implemented in hardware, which makes it vulnerable to brute force even with a high number of iterations.
     - Bcrypt
       - Password hashing function
       - State-of-the-art password hashing
     - Usages
       - Integrity check
       - Password storage

Our Facebook page: http://facebook.com/askdeveloper
On SoundCloud: http://soundcloud.com/askdeveloper
Please like & subscribe
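The hashing, HMAC, salted-hash and PBKDF2 points from the outline above, as an added example using only Python's standard library (this is not code from the podcast). The message, password and key values are constructed inputs; the 50,000-iteration count is the figure quoted in the show notes, and bcrypt is left out because it is not in the standard library.

```python
import hashlib
import hmac
import secrets

# Constructed sample inputs for the demo (not from the episode).
MESSAGE = b"transfer 100 to alice"
TAMPERED = b"transfer 900 to alice"      # one character changed
PASSWORD = b"correct horse battery staple"
PBKDF2_ITERATIONS = 50_000               # iteration count quoted in the show notes


def sha256_hex(data: bytes) -> str:
    """One-way hash: fixed 64-hex-character output whatever the input size."""
    return hashlib.sha256(data).hexdigest()


def avalanche_bits(a: bytes, b: bytes) -> int:
    """Number of bits that differ between SHA-256(a) and SHA-256(b); a tiny input
    change should flip roughly half of the 256 output bits."""
    da = int.from_bytes(hashlib.sha256(a).digest(), "big")
    db = int.from_bytes(hashlib.sha256(b).digest(), "big")
    return bin(da ^ db).count("1")


def hmac_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256: integrity plus authentication, since the tag needs the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def hmac_verify(key: bytes, data: bytes, tag: str) -> bool:
    # compare_digest avoids leaking the mismatch position through timing.
    return hmac.compare_digest(hmac_tag(key, data), tag)


def pbkdf2_record(password: bytes, salt: bytes = b""):
    """Salted, iterated password hash as stored per user: returns (salt, key).
    The salt is unique per record and not secret; it defeats rainbow tables."""
    if not salt:
        salt = secrets.token_bytes(16)   # cryptographic RNG, not random.random()
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS)
    return salt, dk


def pbkdf2_verify(password: bytes, salt: bytes, stored: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, dk = pbkdf2_record(password, salt)
    return hmac.compare_digest(dk, stored)


if __name__ == "__main__":
    salt, dk = pbkdf2_record(PASSWORD)
    print(salt.hex(), dk.hex(), pbkdf2_verify(PASSWORD, salt, dk))
```

Hashing the same password twice yields two different records because each call draws a fresh salt, which is exactly why a single precomputed rainbow table cannot cover a salted store.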