1-way String Encryption Rainbows (a.k.a. Spectrums) Public Private Key Encryption HTTPS Encryption
String Encryption You have an account on facebook, LinkedIn, YouTube etc. Your login: Your password is : bosco If this data was stored in a database, it might look like:
String Encryption The problem is if any employee at Facebook or someone who hacks into the server, got a dump of this data, they would have pairs of millions of people. People typically user their address as their userid and also do not have a many different passwords for every website they have an account on (banks, stores, stubhub, facebook, linkedIn, Google)
String Encryption - Algorithm Simple Encryption Algorithm - For each letter in the word - Change it to the next letter in the alphabet (z a) Example 1) unencrypted password = “abc” encrypted password = “bcd” Example 2) unencrypted password = “bosco” encrypted password = “cptdp”
Database with Encrypted passwords Now the database would look like
Encryption Algorithm’s Rainbow Suppose you don’t know what the encryption algorithm does but you have access to a function that can encrypt words. encrypt(“bosco”) “cptdp” You could compute the encrypted word for every possible unencrypted word. This computation is sometimes called the Rainbow or Spectrum of the Encryption Algorithm.
Rainbow Write a program that creates every string from 1 to 8 character of the alphabet (not numbers or any other character), then inputs them into the encryption algorithm and record the pairs in a massive table
Time to calculate the Rainbow For our example where only 8 alphabetic characters can be used, there are over 217 Trillion combinations of possible inputs that we would have to encrypt to calculate the Rainbow
Algorithm for generating Rainbow Rainbow generating algorithm looks like for every word in (a zzzzzzzz) encryptedWord = EncryptionAlgorithm(word) writeToRainbow (word, encryptedWord)
Time and Space for Rainbow Suppose you have the latest processor 10 gigahertz (approx. 10 billion instructions/second) and you have 217 trillion instructions to do, how long would it take? 217 trillion/10 billion = 21,700 seconds = 6 hours ***Of course months would be more realistic Each pair is 16 characters and there are 217 trillion of them so [(217 trillion) * 16]/1 Gigabyte = 3 Terrabytes
Key (a.k.a Salt) Encryption The User provided an unencrypted password The website provides a salt (some word) Example ) password = “bosco” salt = “12345” Encrypt (“bosco”,”12345”) = “cqvgt” This required 2 things to encrypt a password: 1) The password (only known to the user) 2) The salt (only known to the website) A hacker would have to compute the algorithm rainbow for every salt possible
3 Encryption algorithms in PHP MD5 SHA-1 CRYPT(password, salt)
LinkedIn (2012 unsalted SHA-1) In 2012, hackers (not known if it was an inside job) go into the database of LinkedIn and dumped the password table which contained 6.5 encrypted passwords. Inputting these encrypted passwords into a SHA-1 unsalted rainbow generated table, showed English-like words being produced as unencrypted passwords.
2 Way (encryption/decryption) This simple algorithm of adding 1 letter value is decryptable. That is, if you know the encryption algorithm, since it is reversible, you know how to decrypt and encrypted word. It would be better if the encryption was one way.
1 way Encryption Simple but bad Example) Algorithm) take numerical value of all inputs and multiply them together and store the result Password = “cat” encrypted password = 3*1*20 = 60 What’s the encrypted password for “feb” ? = 6*5*2 = 60 also Even if you know the algorithm you could decrypt 60 “cat”
Public-Private Key Encryption A Encryption/Decryption public algorithm that all encrypted messages sent to you can only be decrypted by you. You ask the public algorithm for a public key and a private key You know your public and private key values. You publish your public key to anyone who wants to send an encrypted message to you. They encrypt a message using the public algorithm and your public key. You receive the message and decrypt it using you private key.
Public-Private Key Example You request a public key and private key and you get Public key: “+60+20” and Private key “-C” You publish your public key: “+60+20” on you website Someone wants to send you “bosco” encrypted so only you can see: They: Encrypt(“bosco”,“+60+20” ) = “ervfr”. You: Decrypt(“ervfr”, “-C”) = “bosco” Encryption: (+60/+20) = +3 so increment all letters by +3 Decryption –C = -3 so decrement letters by 3 There is a mathematical correlation between the public key and private key Public key: “+30-3” and Private Key: “+J” would be a valid combination for this encryption/decryption algorithm
HTTP: HyperText Transfer Protocol When you go to a website using the URL Communication is not encrypted. If a form asked you for and password and you fill it in and hit enter, a message something like will be sent along all connections from you to the website server (i.e. the coffee shop wifi you are connected) and anyone dumping data will be able to read it. To: From: IP address: port:3000 Message: password(bosco)
HTTPS: (a.k.a. Secure HTTP) When you go to a website using the URL Communication is encrypted. If a form asked you for and password and you fill it in and hit enter, a message something like Using public key private key encryption, the server sends your web browser it’s public key and encryption algorithm (you don’t even realize it) and your messages are encrypted with it and sent back to the server where the server decrypts it with the servers private key. To: From: IP address: port:3000 Message: fnbjm(hfpshf#tfjogfme.dpn) qbttxpse(cptdp)
SSL (Secure Socket Layer) SSL is the predecessor to TLS (Transport Layer Security) Certificate Authorities (CA’s) issue public/private …