Slide 1: 1-way String Encryption
Rainbows (a.k.a. Spectrums)
Public/Private Key Encryption
HTTPS Encryption

Slide 2: String Encryption
You have an account on Facebook, LinkedIn, YouTube, etc.
Your login: costanza@seinfeld.com
Your password is: bosco
If this data was stored in a database, it might look like:
Slide 3: String Encryption
The problem is that if any employee at Facebook, or someone who hacks into the server, got a dump of this data, they would have <userid, password> pairs of millions of people. People typically use their email address as their userid and also do not have a different password for every website they have an account on (banks, stores, StubHub, Facebook, LinkedIn, Google).
Slide 4: String Encryption - Algorithm
Simple Encryption Algorithm:
For each letter in the word, change it to the next letter in the alphabet (z -> a)
Example 1) unencrypted password = "abc", encrypted password = "bcd"
Example 2) unencrypted password = "bosco", encrypted password = "cptdp"
Slide 5: Database with Encrypted Passwords
Now the database would look like:
Slide 6: Encryption Algorithm's Rainbow
Suppose you don't know what the encryption algorithm does but you have access to a function that can encrypt words.
encrypt("bosco") -> "cptdp"
You could compute the encrypted word for every possible unencrypted word.
This computation is sometimes called the Rainbow or Spectrum of the Encryption Algorithm.
Slide 7: Rainbow
Write a program that creates every string of 1 to 8 characters of the alphabet (not numbers or any other character), then inputs them into the encryption algorithm and records the <unencrypted, encrypted> pairs in a massive table.
Slide 8: Time to calculate the Rainbow
For our example where only 8 alphabetic characters can be used, there are over 217 trillion combinations of possible inputs that we would have to encrypt to calculate the Rainbow.
Slide 9: Algorithm for generating Rainbow
The rainbow generating algorithm looks like:
    for every word in (a .. zzzzzzzz)
        encryptedWord = EncryptionAlgorithm(word)
        writeToRainbow(word, encryptedWord)
Slide 10: Time and Space for Rainbow
Suppose you have the latest processor, 10 gigahertz (approx. 10 billion instructions/second), and you have 217 trillion instructions to do. How long would it take?
217 trillion / 10 billion = 21,700 seconds = 6 hours *** Of course months would be more realistic.
Each <word, encryptedWord> pair is 16 characters and there are 217 trillion of them, so
[(217 trillion) * 16] / 1 Gigabyte = 3 Terabytes
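As an added example (not code from the slides), here are slides 4, 6, 9 and 10 in Python: the next-letter "encryption", the loop that tabulates every word with its encrypted form, a reverse lookup against that table, and the keyspace and storage arithmetic. The block only builds the table for words of up to 3 letters so it runs in a moment; for words of up to 8 letters the same function counts 217,180,147,158 entries, which at 16 bytes each comes to roughly 3.5 terabytes, in line with the slide's storage figure.

```python
import itertools
import string

ALPHABET = string.ascii_lowercase


def encrypt_shift(word, shift=1):
    """The slides' toy 'encryption': move every letter `shift` places along the alphabet, wrapping z -> a."""
    return "".join(ALPHABET[(ALPHABET.index(c) + shift) % 26] for c in word)


def keyspace_size(max_len, alphabet_size=26):
    """Number of words of length 1..max_len over the alphabet: 26 + 26^2 + ... + 26^max_len."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def build_rainbow(max_len, encrypt=encrypt_shift):
    """Slide 9's loop: encrypt every word of length 1..max_len and record the <word, encryptedWord> pairs.

    The table is keyed by the encrypted form because that is the direction it is used in:
    given a leaked encrypted value, find the word that produced it.
    """
    table = {}
    for n in range(1, max_len + 1):
        for letters in itertools.product(ALPHABET, repeat=n):
            word = "".join(letters)
            table[encrypt(word)] = word
    return table


def lookup(table, encrypted):
    """Reverse lookup: the unencrypted word for an encrypted value, or None if it is not in the table."""
    return table.get(encrypted)


def rainbow_storage_bytes(max_len, bytes_per_pair=16):
    """Slide 10's space estimate: one 16-character pair per word in the keyspace."""
    return keyspace_size(max_len) * bytes_per_pair


def rainbow_seconds(max_len, instructions_per_second=10_000_000_000):
    """Slide 10's time estimate, assuming one instruction per word on a 10 GHz processor."""
    return keyspace_size(max_len) / instructions_per_second


if __name__ == "__main__":
    table = build_rainbow(3)
    print("encrypt('bosco') ->", encrypt_shift("bosco"))
    print("lookup('dbu') ->", lookup(table, "dbu"))
    print("words of length 1..8:", keyspace_size(8))
    print("table size at 16 bytes/pair: %.2f TB" % (rainbow_storage_bytes(8) / 1e12))
    print("time at 10 GHz: %.0f seconds" % rainbow_seconds(8))
```

The table for 3-letter words has 18,278 entries and is built instantly; the point of the slide is that the same loop scales by a factor of 26 per extra letter, which is why precomputing once and reusing the table is attractive to anyone holding a dump of unsalted values.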
Slide 11: Key (a.k.a. Salt) Encryption
The user provides an unencrypted password.
The website provides a salt (some word).
Example) password = "bosco", salt = "12345"
Encrypt("bosco", "12345") = "cqvgt"
This requires 2 things to encrypt a password:
The password (only known to the user)
The salt (only known to the website)
A hacker would have to compute the algorithm's rainbow for every possible salt.
Slide 12: 3 Encryption algorithms in PHP
MD5
SHA-1
CRYPT(password, salt)
Slide 13: LinkedIn (2012 unsalted SHA-1)
In 2012, hackers (not known if it was an inside job) got into the database of LinkedIn and dumped the password table, which contained 6.5 million encrypted passwords.
Inputting these encrypted passwords into a table generated from an unsalted SHA-1 rainbow showed English-like words being produced as unencrypted passwords.
http://techcrunch.com/2012/06/06/6-5-million-linkedin-passwords-reportedly-leaked-linkedin-is-looking-into-it/
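Slides 11 to 13 together make one point: an unsalted hash can be looked up in a precomputed table, a salted one cannot. The added example below (written for this page, not the slides' PHP code) shows both sides in Python. The unsalted side uses SHA-1 exactly as the LinkedIn slide describes; the salted side uses PBKDF2-HMAC-SHA256 with a random per-user salt, which is this example's choice of salted one-way function and not the CRYPT() call named on slide 12. The word list is a constructed sample.

```python
import hashlib
import hmac
import secrets

# Constructed sample of "likely passwords" standing in for a real rainbow/dictionary table.
COMMON_WORDS = ["bosco", "password", "linkedin", "cat", "letmein"]


def sha1_unsalted(password):
    """Slide 13 style: SHA-1 over the bare password, so every user who picks the word gets the same digest."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_unsalted_rainbow(words):
    """Precomputed <digest, word> table: computed once, reusable against any unsalted SHA-1 dump."""
    return {sha1_unsalted(w): w for w in words}


def hash_salted(password, salt=None, iterations=100_000):
    """Slide 11's idea with a real primitive: a random per-user salt is mixed into the one-way function.

    Returns (salt_hex, digest_hex); both are stored next to the user record. The salt is not secret in
    practice, but because it differs per user, a table precomputed for one salt is useless for another.
    (PBKDF2-HMAC-SHA256 is an assumption of this example, not an algorithm from the slides.)
    """
    if salt is None:
        salt = secrets.token_hex(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt), iterations)
    return salt, digest.hex()


def verify_salted(password, salt, stored_hex, iterations=100_000):
    """Re-derive the digest with the stored salt and compare in constant time."""
    _, candidate = hash_salted(password, salt, iterations)
    return hmac.compare_digest(candidate, stored_hex)


def demo():
    """Unsalted: the dump value is found in the table. Salted: two users with the same password
    get different stored values, and only the stored salt lets the site verify a login."""
    rainbow = build_unsalted_rainbow(COMMON_WORDS)
    leaked = sha1_unsalted("bosco")      # what an unsalted password table contains
    recovered = rainbow.get(leaked)      # table lookup succeeds: "bosco"
    salt_a, hash_a = hash_salted("bosco")
    salt_b, hash_b = hash_salted("bosco")
    return recovered, hash_a != hash_b, verify_salted("bosco", salt_a, hash_a)


if __name__ == "__main__":
    print(demo())
```

The slide's cost argument follows directly: with a 16-byte random salt the attacker cannot build one table in advance, and has to redo the work per user after the dump, which is exactly the "rainbow for every possible salt" the slide describes.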
Slide 14: 2 Way (encryption/decryption)
This simple algorithm of adding 1 to each letter value is decryptable. That is, if you know the encryption algorithm, since it is reversible, you know how to decrypt an encrypted word. It would be better if the encryption was one way.
Slide 15: 1 way Encryption
Simple but bad example)
Algorithm) take the numerical value of all input letters, multiply them together and store the result.
Password = "cat": encrypted password = 3*1*20 = 60
What's the encrypted password for "feb"? = 6*5*2 = 60 also
Even if you know the algorithm, you could decrypt 60 -> "cat" or 60 -> "feb", so the original cannot be recovered uniquely.
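To make the slide's "bad" concrete, this added example (not part of the original deck) implements the letter-product function and then counts how many 3-letter words collide on the value 60. Not being reversible is necessary for a one-way function, but it is not sufficient: a function this collision-prone would accept any of the colliding words at login, which is the practical harm of a weak one-way function.

```python
import itertools
import string


def letter_value(c):
    """a=1, b=2, ..., z=26, as used on the slide."""
    return string.ascii_lowercase.index(c) + 1


def product_hash(word):
    """Slide 15's 'simple but bad' one-way function: multiply the letter values together."""
    result = 1
    for c in word:
        result *= letter_value(c)
    return result


def preimages(value, length):
    """Every word of the given length whose product_hash equals `value` (brute force over the alphabet).

    Each returned word would be accepted as the password if the site stored only the product.
    """
    return [
        "".join(letters)
        for letters in itertools.product(string.ascii_lowercase, repeat=length)
        if product_hash("".join(letters)) == value
    ]


if __name__ == "__main__":
    print("cat ->", product_hash("cat"), " feb ->", product_hash("feb"))
    hits = preimages(60, 3)
    print(len(hits), "three-letter words hash to 60, e.g.", hits[:8])
```

The count is exact: 60 = 2^2 * 3 * 5, and every ordered way of spreading those factors over three letters no larger than z (26) gives a colliding word.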
Slide 16: Public-Private Key Encryption
An encryption/decryption public algorithm such that all encrypted messages sent to you can only be decrypted by you.
You ask the public algorithm for a public key and a private key. You know your public and private key values.
You publish your public key to anyone who wants to send an encrypted message to you.
They encrypt a message using the public algorithm and your public key.
You receive the message and decrypt it using your private key.
Slide 17: Public-Private Key Example
You request a public key and private key and you get
Public key: "+60+20" and Private key: "-C"
You publish your public key "+60+20" on your website.
Someone wants to send you "bosco" encrypted so only you can see it:
They: Encrypt("bosco", "+60+20") = "ervfr"
You: Decrypt("ervfr", "-C") = "bosco"
Encryption: (+60/+20) = +3, so increment all letters by 3
Decryption: -C = -3, so decrement all letters by 3
There is a mathematical correlation between the public key and private key.
Public key: "+30-3" and Private key: "+J" would be a valid combination for this encryption/decryption algorithm.
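The slide's key pairs work as a shift cipher: the public key is a quotient giving the encryption shift, the private key is a signed letter giving the shift that undoes it. The added example below (written for this page, not the slides' own code) implements that reading in Python, reproduces both key pairs from the slide, and adds one function the slide does not have, derive_private_key_from_public, to show the caveat an educator should attach: in this toy the private key is trivially computable from the public key, whereas in real public-key systems such as RSA that step is computationally infeasible. The key string format (two sign-prefixed integers; a sign and one letter) is assumed from the slide's examples.

```python
import string

ALPHABET = string.ascii_lowercase


def shift_text(text, shift):
    """Shift each lowercase letter `shift` places (negative goes backwards), wrapping around; other characters pass through."""
    return "".join(ALPHABET[(ALPHABET.index(c) + shift) % 26] if c in ALPHABET else c for c in text)


def parse_public_key(key):
    """Public key "+60+20" means +60 / +20 = +3, the encryption shift (format assumed from the slide)."""
    split_at = max(key.rfind("+"), key.rfind("-"))      # start of the second signed integer
    numerator, denominator = int(key[:split_at]), int(key[split_at:])
    if numerator % denominator != 0:
        raise ValueError("public key does not describe a whole-number shift")
    return numerator // denominator


def parse_private_key(key):
    """Private key "-C" means minus the alphabet position of C (3); "+J" means +10. This is the decryption shift."""
    sign = -1 if key[0] == "-" else 1
    return sign * (ALPHABET.index(key[1].lower()) + 1)


def encrypt(message, public_key):
    return shift_text(message, parse_public_key(public_key))


def decrypt(ciphertext, private_key):
    return shift_text(ciphertext, parse_private_key(private_key))


def keys_match(public_key, private_key):
    """The slide's 'mathematical correlation': the encryption and decryption shifts must cancel."""
    return (parse_public_key(public_key) + parse_private_key(private_key)) % 26 == 0


def derive_private_key_from_public(public_key):
    """Why this is only a classroom toy: anyone who sees the public key can write down the private key."""
    shift = -parse_public_key(public_key)
    if shift % 26 == 0:
        raise ValueError("a zero shift has no letter form")
    return ("+" if shift > 0 else "-") + ALPHABET[abs(shift) - 1].upper()


if __name__ == "__main__":
    print(encrypt("bosco", "+60+20"), decrypt("ervfr", "-C"))
    print(keys_match("+60+20", "-C"), keys_match("+30-3", "+J"))
    print(derive_private_key_from_public("+60+20"), derive_private_key_from_public("+30-3"))
```

With "+30-3" the encryption shift is -10, so "bosco" becomes "reise" and "+J" (+10) brings it back; the second key pair on the slide checks out for the same reason as the first.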
Slide 18: HTTP (HyperText Transfer Protocol)
When you go to a website using the URL HTTP://www.somewebsite.com, communication is not encrypted. If a form asks you for email and password and you fill it in and hit enter, a message something like the one below will be sent along all connections from you to the website server (e.g. the coffee shop wifi you are connected to), and anyone dumping data will be able to read it.
To: www.somewebsite.com
From: IP address: 123.45.67.890 port: 3000
Message: email(george@seinfeld.com) password(bosco)
Slide 19: HTTPS (a.k.a. Secure HTTP)
When you go to a website using the URL HTTPS://www.somesecurewebsite.com, communication is encrypted.
If a form asks you for email and password and you fill it in and hit enter, a message something like the one below is sent.
Using public key/private key encryption, the server sends your web browser its public key and encryption algorithm (you don't even realize it); your messages are encrypted with it and sent back to the server, where the server decrypts them with the server's private key.
To: www.somesecurewebsite.com
From: IP address: 123.45.67.890 port: 3000
Message: fnbjm(hfpshf#tfjogfme.dpn) qbttxpse(cptdp)
Slide 20: SSL (Secure Socket Layer)
SSL is the predecessor to TLS (Transport Layer Security).
Certificate Authorities (CA's) issue public/private …