Understanding more about hashing

Written on 11 February 2015, 11:21pm

Tagged with: , ,

Brute force vs dictionary attack vs rainbow tables

Brute force: least efficient, tries all the possible values.
Dictionary attack: tries a predefined list of values
Rainbow tables: contain pre-computed hashed values. If a single salt per db is used, then the pre-computed hashed values have to be updated (to include the salt). If a single salt per password is used, then the pre-computed hashed values have to be updated for each password.
More here.
Note: rainbow table can only be used if the hashed values are available.

Hashing properties

1. Collision resistance: it should not be realistically possible to find two messages giving the same hash
2. Pre-image resistance: given the hash, it should not be realistically possible to obtain the message (we ask an adversary, given only H(m), to find m or some m′ such that H(m′) = H(m) )
3. Second pre-image resistance: given both the hash and the message, it should not be realistically possible to obtain another message with the same hash.
More here and here

Hashing is not compression (you can’t go back to the original string)
Hashing is not encryption (for encryption you need a key)

What are you hashing

– not sensible data: use MD5/SHA family of hashing functions
– sensible data (like passwords): PBKDF2 (*), bcrypt or scrypt

Key derivation

This is about transforming a password into a key that can be used for encryption. Think about encrypting a file with a password.

The output of a password hashing function is acceptable as a symmetric key, after possible truncation to the required size.
LastPass utilizes the PBKDF2 function implemented with SHA-256 to turn your master password into your encryption key.
LastPass user manual

(*) PBKDF2 is in fact a Key derivation function, not a hashing function.

Digital certificates

Written on 9 February 2015, 09:33pm

Tagged with: , ,

A digital certificate binds an individual’s identity to its public key; it proves the ownership of a public key. Digital certificates are like passports, and they are a fundamental part of the PKI (Publick Key Infrastructure).

Class of certificates (this might differ according to the issuer):
class 1: individual (email + domain verification)
class 2: software developer (physical ID verification)
class 3: company (face to face verification)

Creation, storage and distribution of digital certificate
CA – Certificate Authority – issues and verifies the digital certificates
RA – Registration Authority – verifies the identity of users requesting a digital certificate

The RA verifies the identity of the certificate requestor on behalf of the CA.
The CA generates the certificate using information forwarded by RA

Root certificate
All web browsers come with an extensive built-in list of trusted root certificates.
certificate root

X.509 is a standard – for the structure of the digital certificate

Types of certificates
A certificate provider can opt to issue three types of certificates, each requiring its own degree of vetting rigor. In order of increasing rigor (and naturally, cost) they are:
– Domain Validation
– Organization Validation and
– Extended Validation ->Activates the green address bar 🙂


ExtendedSSL is an Extended Validation Certificate, the highest class of SSL available today.

ExtendedSSL activates the green address bar and displays your organization name in the browser interface. These prominent security indicators increase user trust in your website and increase its credibility, leading to more sales conversions.
From €679/year

Digital certificates can also be used for client authentication.
client authentication
You can install a certificate in the browser and authenticate with it on certain websites. However, it is your responsibility that no one else gets physical access to your workstation (3rd law of security).
More about this

Encryption algorithms

Written on 9 February 2015, 05:36pm

Tagged with: ,

A quick note about the 2 types of encryption algorithms:

1. Symmetric encryption

Oldest, fastest and more common
Key management is critical
– Best encoding algorithms: the ones that are public
Public algorithm, private key. “Good security systems rely on the private key for security, not on the algorithm itself”

Suppose you installed the biggest, strongest, most secure lock in the world on your front door, but you put the key under the front door mat. It wouldn’t really matter how strong the lock is, would it?
10 Immutable Laws of Security

2. Asymmetric encryption (Public key cryptography)

– uses both public and private keys
– the key management is part of the algorithm
– it’s slower than the symmetric encryption
– it can be used for both encryption and digital signature (digital signatures: hashing + asymmetric encryption)
– relies on digital certificates