## Presentation on theme: "1-way String Encryption"— Presentation transcript

### Slide 1: 1-way String Encryption

- Rainbows (a.k.a. Spectrums)
- Public Private Key Encryption
- HTTPS Encryption

### Slide 2: String Encryption

You have an account on facebook, LinkedIn, YouTube etc.

Your login: costanza@seinfeld.com
Your password is: bosco

If this data was stored in a database, it might look like:

### Slide 3: String Encryption

The problem is that if any employee at Facebook, or someone who hacks into the server, got a dump of this data, they would have <userid, password> pairs for millions of people. People typically use their email address as their userid and also do not have a different password for every website they have an account on (banks, stores, stubhub, facebook, linkedIn, Google).

### Slide 4: String Encryption - Algorithm

Simple Encryption Algorithm: for each letter in the word, change it to the next letter in the alphabet (z wraps around to a).

Example 1) unencrypted password = “abc”, encrypted password = “bcd”

Example 2) unencrypted password = “bosco”, encrypted password = “cptdp”

### Slide 5: Database with Encrypted passwords

Now the database would look like:

### Slide 6: Encryption Algorithm’s Rainbow

Suppose you don’t know what the encryption algorithm does, but you have access to a function that can encrypt words:

encrypt(“bosco”) = “cptdp”

You could compute the encrypted word for every possible unencrypted word. This computation is sometimes called the Rainbow or Spectrum of the Encryption Algorithm.

### Slide 7: Rainbow

Write a program that creates every string of 1 to 8 characters of the alphabet (not numbers or any other character), then inputs them into the encryption algorithm and records the <unencrypted, encrypted> pairs in a massive table.

### Slide 8: Time to calculate the Rainbow

For our example, where only 8 alphabetic characters can be used, there are over 217 Trillion combinations of possible inputs that we would have to encrypt to calculate the Rainbow.

### Slide 9: Algorithm for generating Rainbow

The Rainbow generating algorithm looks like:

```
for every word in (a .. zzzzzzzz)
    encryptedWord = EncryptionAlgorithm(word)
    writeToRainbow(word, encryptedWord)
```

### Slide 10: Time and Space for Rainbow

Suppose you have the latest processor, 10 gigahertz (approx. 10 billion instructions/second), and you have 217 trillion instructions to do. How long would it take?

217 trillion / 10 billion = 21,700 seconds = 6 hours *** Of course months would be more realistic.

Each <word, EncryptedWord> pair is 16 characters and there are 217 trillion of them, so

[(217 trillion) * 16] / 1 Gigabyte = 3 Terabytes

### Slide 11: Key (a.k.a. Salt) Encryption

The user provides an unencrypted password. The website provides a salt (some word).

Example) password = “bosco”, salt = “12345”

Encrypt(“bosco”, “12345”) = “cqvgt”

This requires 2 things to encrypt a password:

- The password (only known to the user)
- The salt (only known to the website)

A hacker would have to compute the algorithm’s rainbow for every possible salt.
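The shift algorithm from slides 4 to 9 and the salted variant from slide 11, as an added Python example (not code from the presentation). The rainbow is built for strings of up to 3 letters instead of 8 so it runs in a moment, and the per-position salt rule is my reading of the slide's single worked example Encrypt(“bosco”, “12345”) = “cqvgt”, which the slides never spell out.

```python
import itertools
import string

ALPHABET = string.ascii_lowercase


def shift_encrypt(word: str, shift: int = 1) -> str:
    """Slide 4's algorithm: move every letter forward by `shift`, z wrapping to a."""
    return "".join(ALPHABET[(ALPHABET.index(ch) + shift) % 26] for ch in word)


def salted_encrypt(word: str, salt: str) -> str:
    """Slide 11's salted variant as inferred from Encrypt("bosco", "12345") = "cqvgt":
    letter i is shifted by digit i of the salt (assumption; the slide states no rule)."""
    return "".join(shift_encrypt(ch, int(digit)) for ch, digit in zip(word, salt))


def build_rainbow(encrypt, max_len: int) -> dict:
    """Slides 7 to 9: enumerate every alphabetic string of length 1..max_len, encrypt
    it, and record <encrypted, unencrypted> so a stored value can be looked up in reverse."""
    rainbow = {}
    for length in range(1, max_len + 1):
        for letters in itertools.product(ALPHABET, repeat=length):
            word = "".join(letters)
            rainbow[encrypt(word)] = word
    return rainbow


def lookup(rainbow: dict, stored: str):
    """Whoever holds the dumped table needs one dictionary lookup per stored value."""
    return rainbow.get(stored)


if __name__ == "__main__":
    rainbow = build_rainbow(shift_encrypt, 3)          # 26 + 26**2 + 26**3 entries
    unsalted = shift_encrypt("cat")                    # what the slide 5 database stores
    salted = salted_encrypt("cat", "123")              # what it stores with a site salt
    print(len(rainbow), lookup(rainbow, unsalted))     # 18278 cat
    # The unsalted rainbow still answers for the salted value, but with the wrong word:
    # the table only works for the one algorithm (and salt) it was generated for.
    print(lookup(rainbow, salted))                     # cbv (not "cat")
```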

### Slide 12: 3 Encryption algorithms in PHP

- MD5
- SHA-1
- CRYPT(password, salt)

### Slide 13: LinkedIn (2012 unsalted SHA-1)

In 2012, hackers (not known if it was an inside job) got into the database of LinkedIn and dumped the password table, which contained 6.5 million encrypted passwords.

Inputting these encrypted passwords into a SHA-1 unsalted rainbow-generated table showed English-like words being produced as unencrypted passwords.

http://techcrunch.com/2012/06/06/6-5-million-linkedin-passwords-reportedly-leaked-linkedin-is-looking-into-it/

### Slide 14: 2 Way (encryption/decryption)

This simple algorithm of adding 1 to each letter value is decryptable. That is, if you know the encryption algorithm, since it is reversible, you know how to decrypt an encrypted word. It would be better if the encryption was one way.

### Slide 15: 1 way Encryption

Simple but bad Example)

Algorithm) take the numerical value of all inputs, multiply them together and store the result.

Password = “cat”: encrypted password = 3*1*20 = 60

What’s the encrypted password for “feb”? = 6*5*2 = 60 also.

Even if you know the algorithm, you could not decrypt 60 back to “cat”.
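The multiply-the-letters function from this slide, as an added Python example (not from the presentation), with an enumeration of every 3-letter word that collides with “cat”. Each collision would be accepted as the password by a site that stores only the product, which is what makes this one-way function bad.

```python
import itertools
import string


def letter_value(ch: str) -> int:
    """a=1, b=2, ..., z=26: the numbering the slide uses (c=3, a=1, t=20)."""
    return string.ascii_lowercase.index(ch) + 1


def product_hash(word: str) -> int:
    """Slide 15's one-way function: multiply the letter values together."""
    result = 1
    for ch in word:
        result *= letter_value(ch)
    return result


def collisions(target: int, length: int) -> list:
    """Every lowercase word of the given length whose product_hash equals target.
    The site cannot tell any of them apart from the real password."""
    return ["".join(w) for w in itertools.product(string.ascii_lowercase, repeat=length)
            if product_hash("".join(w)) == target]


if __name__ == "__main__":
    stored = product_hash("cat")                 # 3 * 1 * 20 = 60, what the site stores
    same = collisions(stored, 3)
    print(stored, len(same))                     # 60 45
    print("feb" in same, same[:8])               # True, with "feb" among the 45
```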

### Slide 16: Public-Private Key Encryption

An Encryption/Decryption public algorithm such that all encrypted messages sent to you can only be decrypted by you.

You ask the public algorithm for a public key and a private key. You know your public and private key values.

You publish your public key to anyone who wants to send an encrypted message to you.

They encrypt a message using the public algorithm and your public key.

You receive the message and decrypt it using your private key.

### Slide 17: Public-Private Key Example

You request a public key and private key and you get Public key: “+60+20” and Private key: “-C”. You publish your public key “+60+20” on your website.

Someone wants to send you “bosco” encrypted so only you can see it:

They: Encrypt(“bosco”, “+60+20”) = “ervfr”.

You: Decrypt(“ervfr”, “-C”) = “bosco”.

Encryption: (+60/+20) = +3, so increment all letters by +3.

Decryption: –C = -3, so decrement letters by 3.

There is a mathematical correlation between the public key and private key. Public key: “+30-3” and Private Key: “+J” would be a valid combination for this encryption/decryption algorithm.
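The toy key pair from this slide, as an added Python example (not from the presentation): the public key's two numbers are divided to get the encryption shift, and the private key's letter position gives the decryption shift, as the slide describes for “+60+20” / “-C” and “+30-3” / “+J”. How the key strings are parsed is my reading of those two examples.

```python
import re
import string

ALPHABET = string.ascii_lowercase


def shift(word: str, amount: int) -> str:
    """Move every letter by `amount` positions, wrapping around the alphabet."""
    return "".join(ALPHABET[(ALPHABET.index(ch) + amount) % 26] for ch in word)


def public_shift(public_key: str) -> int:
    """Slide 17: a public key like "+60+20" means shift by 60 / 20 = +3.
    Assumption: the two signed numbers divide exactly, as in both slide examples."""
    numerator, denominator = (int(n) for n in re.findall(r"[+-]\d+", public_key))
    return numerator // denominator


def private_shift(private_key: str) -> int:
    """A private key like "-C" is a sign and a letter: C is the 3rd letter, so -3."""
    sign = -1 if private_key[0] == "-" else 1
    return sign * (string.ascii_uppercase.index(private_key[1]) + 1)


def encrypt(message: str, public_key: str) -> str:
    return shift(message, public_shift(public_key))


def decrypt(ciphertext: str, private_key: str) -> str:
    return shift(ciphertext, private_shift(private_key))


def is_valid_pair(public_key: str, private_key: str) -> bool:
    """The slide's 'mathematical correlation': the two shifts must cancel mod 26.
    In this toy the private shift is just the negated public shift, so anyone holding
    the public key can derive the private key; a real public-key system is built so
    that this derivation is infeasible."""
    return (public_shift(public_key) + private_shift(private_key)) % 26 == 0


if __name__ == "__main__":
    print(encrypt("bosco", "+60+20"))                # ervfr
    print(decrypt("ervfr", "-C"))                    # bosco
    print(is_valid_pair("+30-3", "+J"))              # True
    print(is_valid_pair("+60+20", "+J"))             # False
```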

### Slide 18: HTTP: HyperText Transfer Protocol

When you go to a website using the URL HTTP://www.somewebsite.com, communication is not encrypted. If a form asked you for email and password and you fill it in and hit enter, a message something like the one below will be sent along all connections from you to the website server (i.e. the coffee shop wifi you are connected to), and anyone dumping data will be able to read it.

```
To: www.somewebsite.com
From: IP address: 123.45.67.890 port: 3000
Message: email(george@seinfeld.com) password(bosco)
```

### Slide 19: HTTPS (a.k.a. Secure HTTP)

When you go to a website using the URL HTTPS://www.somesecurewebsite.com, communication is encrypted. If a form asked you for email and password and you fill it in and hit enter, a message something like the one below is sent.

Using public key / private key encryption, the server sends your web browser its public key and encryption algorithm (you don’t even realize it); your messages are encrypted with it and sent back to the server, where the server decrypts them with the server’s private key.

```
To: www.somesecurewebsite.com
From: IP address: 123.45.67.890 port: 3000
Message: fnbjm(hfpshf#tfjogfme.dpn) qbttxpse(cptdp)
```

### Slide 20: SSL (Secure Socket Layer)

SSL is the predecessor to TLS (Transport Layer Security).

Certificate Authorities (CA’s) issue public/private …