Hash algorithms in IT security
Download as PPTX, PDF1 like275 views
This document provides a comprehensive guide on hashes and salted hashes used in IT security, explaining their role in data encryption, integrity, and database efficiency. It highlights the characteristics of cryptographic hash functions, such as being one-way and unique, along with the processes involved in creating hashes like SHA-1 and MD5. Additionally, it discusses the concept of salted hashes to enhance security against brute force attacks by randomizing the hash generation.
Hash algorithms in IT security
- 1. Hashes A GUIDE TO HASHES (AND SALTED HASHES) IN IT SECURITY CLARE JOHNSON
- 2. What are hashes? Hashes are mathematical functions (or algorithms) that take a string of data of a variable length and turn it into a numeric string of fixed length Text input of variable length Numeric output of fixed length
- 3. Examples Any amount of data is converted to a fixed-length “fingerprint” Cannot be reversed Any change in the input results in a completely different hash. hash("hello") = 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824 hash("hbllo") = 58756879c05c68dfac9866712fad6a93f8146f337a69afe7dd238f3364946366 hash("waltz") = c0e81794384491161f1777c232bc6bd9ec38f616560b120fda8e90f383853542
- 4. Why use hashes? Hashes are used in databases to make it easier / faster to search for data We are interested in the hashes that are used for data encryption – this may be: To store sensitive data in encrypted format To ensure integrity of data
- 5. Important Properties A hash is unique, but always repeatable The word ‘cat’ will hash to something that no other word will hash to, but it will always hash to the same thing The function is one way If you are given the hash value for ‘cat’ you will never be able to reverse hash it back to the word ‘cat’. cat 9d989e8d27dc9e0ec3389fc855f142c3d40f0c50
- 6. Cryptographic Hash Functions Computationally infeasible to reverse SHA-1 Produces a string of 160 bits Specification finalised in 1995 MD5 Quicker to compute than SHA-1 Known to have been attacked
- 7. This is the process IN BRIEF for SHA-1 HOLD ON TO YOUR HATS…
- 8. Take your word and convert Original word Cat Convert to ASCII 99 97 116 Convert ASCII codes to binary 01100011 01100001 01110100 Join together and add a 1 to the end 0110001101100001011101001
- 9. Add a load of zeros… Your number divided by 512 must have a remainder of 448, so add as many zeros as necessary to get a remainder of 448 0110001101100001011101001 My message length is 25 (8 * 3 +1) 448 – 25 = 423 Therefore, add 423 zeros to my message, then it will be 448 digits long 448 / 512 is 0 remainder 448
- 10. More padding is added The length of the original message is added next, but it must equal 64 bits, so in our case, as the length was 25, I add the binary of 25 (00011001) preceded by 56 zeros (because 8 digits plus 56 digits = 64 digits) to the end of my message. Looks like this: 011000110110000101110100100000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000011001
- 11. Chunk and process Break the string into chunks of 512 (ours is already 512) Break the chunks into 16 x 32 bit words Extend each group of 16 words to 80 words via a looped algorithm 4 words selected XOR the words together eg a 1 and a zero becomes a 1 (1 + 0 = 1) a zero and a zero becomes a 0 (0 + 0 = 0) a 1 and a 1 becomes a 0 (1 + 1 = 0) a 0 and a 1 becomes a 1 (0 + 1 = 1)
- 12. Process further The new word is left rotated by 1 The first character is removed and added to the end of the word The word is added to the next vacant slot (ie on the first loop this will become word number 16) until there are 80 words in total A series of functions is carried out on each word, depending on the number of the word (eg words 0-19 use function 1) Words are ‘added’ together, and additional digits are truncated. Convert back to hex 9d989e8d27dc9e0ec3389fc855f142c3d40f0c50 Voila!
- 13. Overview Example for account registration 1. User creates an account 2. Password is hashed and stored (as a hash) in the database 3. When the user attempts to log in, the hash of the password they enter is checked against the hash of their real password 4. If the hashes match, the user is granted access. 5. Steps 3 and 4 repeat every time a user tries to log in.
- 14. Salted hashes Because hashing always generates the same code from a given word or phrase, it is possible to crack passwords by using brute force attacks using common passwords These attacks can be prevents by randomising hashing by adding or prepending a random string, called a salt, prior to hashing. Salts are stored in the user account database, along with the hash. This renders lookup tables, reverse lookups etc useless.
- 15. References The first website listed is the one mainly used in this presentation, where you can hash your own word and see the exact process in action http://www.metamorphosite.com/one-way-hash-encryption-sha1- data-software, accessed 8/10/15 https://crackstation.net/hashing-security.htm, accessed 12/10/15 http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf, accessed 14/10/15 (the official Federal Information Processing Standard) Images sourced from Google for educational purposes only
Editor's Notes
- #2: Please note that some of the steps in this walkthrough are deliberately vague – the aim of this presentation is to give an overview into the process, rather than to provide explicit instructions on how to process a hash algorithm. The presentation is aimed at Level 4 / Level 5 Foundation Degree students. References to websites consulted are provided at the end.