
Encryption provides confidentiality: information is unreadable to anyone without knowledge of the key. Hashing provides integrity: verify the integrity.

Presentation transcript:


2
- Encryption provides confidentiality
  - Information is unreadable to anyone without knowledge of the key
- Hashing provides integrity
  - Verify the integrity of a message
  - What is received is the same as what was sent
  - Also useful in providing authentication
  - Can verify a message without knowledge of the original message

Cryptographic Hashing


4
- Based on cryptographic methods
- Takes an arbitrary-size input
  - Called the message
- Returns a fixed-size output
  - Called the message digest or hash value
- Change to the data will change the hash value
  - Accidental or intentional


6
1. Easy to compute the hash of a message
   - Not necessarily quick
2. Infeasible to generate a message that has a given hash
3. Infeasible to modify a message without changing the hash
4. Infeasible to find two different messages with the same hash
   - Meaningful message even more difficult

7
- Message Digest Algorithm
  - MD4
  - MD5
- Secure Hash Algorithm
  - SHA-1
  - SHA-256
  - SHA-512
- RACE Integrity Primitives Evaluation Message Digest (RIPEMD)
  - RIPEMD-160

8
- Hashing can be used for password checking
  1. User creates an account or changes password
     - Server hashes the password and stores the hash
  2. User attempts to log on to the system
     - User enters username/password
     - Password is hashed and sent to server
  3. Hash is compared to the stored hash
     - Reasonable assurance the correct password was used if hashes match
- Server does not need to store user passwords "in the clear"
  - Hash can be used to verify password
  - Can't reverse hashes to discover passwords

9
Flowchart: Start -> Take User Password -> Convert Password to MD5 Hash -> Database

10
Flowchart: Start -> Take User Password -> Convert Password to MD5 Hash -> Compare MD5 with the stored MD5 -> Create User Session


12
- Given a small pool of possible inputs, it is easy to find the original message
  - Try every possible input and compare to the hash value
- Solution: employ a salt
  - Random sequence of bits concatenated with the hash function input (message)
  - Attacker must try every combination of message+salt against the hash
  - Sufficiently large salt makes this infeasible
- Salt must be known by both parties
  - Verifying a message hash without the salt will (most likely) fail

13
- Number of passwords of length n is k^n
  - k = # of possible characters used in the password
  - Lowercase only = 26^n
  - Lowercase and uppercase = 52^n
  - Lowercase, uppercase, and digits = 62^n
- n is the more important factor
  - Adding a salt to a password effectively increases n

14
- Password guessing
  - Most people don't choose creative passwords
  - Relatively small pool of likely passwords
- Dictionary attacks
  - Try every password in a list
- Brute force
  - Try every password of length 1, then 2, then 3, …
- What if hashing is used?
  - Easily guessed passwords still vulnerable
  - "Stronger" passwords harder to guess
- Rainbow tables
  - Pre-compiled list of passwords and their hash values
  - Can be searched quickly
  - Employing a salt makes rainbow tables ineffective
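Salted storage and verification as described on slides 12 and 14, as an added example that is not part of the original presentation. It assumes PBKDF2-HMAC-SHA256 from Python's standard library in place of the bare MD5 in the slides' flowcharts; the function names, iteration count and sample password are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumed work factor for this example
SALT_BYTES = 16        # assumed salt size: 128 random bits per account


def unsalted_md5(password: str) -> str:
    """The scheme in the slides' flowcharts: a bare MD5 of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def derive(password: str, salt: bytes, iterations: int) -> bytes:
    """Hash password and salt together (PBKDF2 is this example's choice)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def create_record(password: str) -> dict:
    """Account creation: pick a fresh random salt, store salt and hash."""
    salt = os.urandom(SALT_BYTES)
    return {"salt": salt, "iterations": ITERATIONS,
            "hash": derive(password, salt, ITERATIONS)}


def verify(password: str, record: dict) -> bool:
    """Log-on: recompute with the stored salt, compare in constant time."""
    candidate = derive(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def demo() -> dict:
    # Constructed sample data: two users who chose the same password.
    alice = create_record("letmein")
    bob = create_record("letmein")
    return {
        # Without a salt, equal passwords give equal hashes, so one
        # precomputed table entry matches every account using that password.
        "md5_identical": unsalted_md5("letmein") == unsalted_md5("letmein"),
        # With per-account salts the stored hashes differ.
        "salted_identical": alice["hash"] == bob["hash"],
        "correct_password": verify("letmein", alice),
        "wrong_password": verify("letmein1", alice),
        # Right password, wrong salt: verification fails (slide 12).
        "wrong_salt": hmac.compare_digest(
            derive("letmein", bob["salt"], ITERATIONS), alice["hash"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
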

15
- Authenticate using more than one means
  - Something you know
    - Login/Password
  - Something you have
    - Smart card (with PKI certificates)
    - One-time password token
  - Something you are
    - Biometrics
      - Fingerprints
      - Retinal scans
      - Hand geometry
      - Facial recognition
      - Etc.

16
- The Advanced Encryption Standard (AES) is a symmetric key algorithm.
  - Numerous variants and key lengths.
  - Used to encrypt Top Secret information
  - Basis for many modern VPNs
- AES utilizes a large hexadecimal key, which is hard to remember
  - We can combine hashing of a password with AES to allow us to use easy-to-remember passphrases.

Digital Cryptography

