Learn about key stretching, hashing, digital signatures, code signing, random number generators, and perfect forward secrecy.
- [Instructor] Cryptographic techniques are used to increase the security of our networks. As a security professional, you're expected to understand key stretching, hashing, digital signatures, code signing, random number generation, and perfect forward secrecy. Key stretching is a technique that's used to mitigate a weaker key by increasing its effectiveness by increasing the time needed to crack it. With key stretching, the weaker key is run through an algorithm to create a longer and more secure key that's at least 128 bits long.
Many systems utilize key stretching to increase the security they provide, including Wi-Fi Protected Access and WPA2, Pretty Good Privacy or PGP, bcrypt, and many more. In network security, integrity is usually provided through the use of a hashing function. Hashing is a one-way cryptographic function which takes an input and produces a unique message digest. Because this is a one-way function, there is no way to determine the original message from the message digest or the hash.
The resulting message digest acts like a digital fingerprint for the original file. Another unique thing about a hash digest is that they are always the same length regardless of how long the input is. Whether I input a file containing one word or a file containing a million words, the output will always be the same length based on the hashing algorithm chosen. By far the most commonly used hash algorithm is an MD5 algorithm. The MD5 algorithm creates a 120 bit hash value that's unique to the input file.
Unfortunately because the hash value is only 128 bits long, it can only create a limited number of unique values and this can lead to two files having the same resulting hash digest. When this occurs, it's called a collision. Due to the limited number of unique hash values associated with MD5, a newer algorithm called the secure hash algorithm or SHA was created. SHA-1 for example creates a 160 bit hash digest, which significantly reduces the number of collisions that can occur.
SHA-2 is a family of hash functions with an even longer hash digest. This includes the SHA-224, SHA-256, SHA-348, and SHA-512 hash functions. Each version of SHA performs a different number of mathematical computations called a round to create their hash digest. In SHA-2, this can range anywhere from 64 to 80 rounds, but you don't have to memorize that number for each version of SHA for the exam. SHA-3 is the newest family of hash functions with hash digest ranging between 224 and 512 bits just like SHA-2.
The major increase in security though is that it uses 120 rounds of mathematical computations to create the message digest for each unique file by default. There are other types of hash functions available that you might come across in your daily work such as HAVAL or RIPEMD, but the two most common are definitely MD5 and the SHA family of hashes. We briefly spoke about collisions with hashes and while they're uncommon, they are something that we have to be concerned with. To prevent a collision from being used to spoof the identity of a file or message, many professionals have turned to digital signatures.
A digital signature is created by hashing a file and then taking the resulting hash digest and encrypting it with a private key. So if I was going to send an email to you and wanted to digitally sign it, I would run the email message through a hashing algorithm like SHA-1. Then I would take the resulting 160-bit unique hash value and encrypt it using my private key. When I send the email to you, the resulting encrypted hash is attached to prove its integrity and create non-repudiation.
When you receive that email, you're then going to decrypt the digital signature by using my public key, providing you with the original 160 bit hash digest. Your system would run my email through a SHA-1 algorithm and compare the message digest that your system calculates with the one that I sent as part of my digital signature. If they both match, then you can be assured that the email message was not modified in transit between my system and yours and this provides us with an integrity check. But since I encrypted my SHA-1 digest with my private key and only I have my private key, you can also be assured that I was the person who sent you that message.
This provides us with the non-repudiation of the email. The non-repudiation simply means that I can't say that I didn't send it because only I could have because I'm the only one who has my private key. For digital signatures to be utilized, you should either use the digital security algorithm, the Rivest-Shamir-Adleman cipher, the elliptic curve DSA, or SHA. The federal government actually created a digital signature standard called DSS, which relies upon the 160 bit message digest created by DSA.
Most commercial entities though rely on the RSA standard because it's faster and can be used for digital signatures, encryption, and key distribution. Digital signatures have expanded beyond just email too. Code signing relies upon the digital signature of a program file. For example, if you create a mobile application that you want to offer through the app store, your installer file must be code signed. Every developer must register with Apple or Google and they'll receive a private key. Just as in the email example provided earlier, the application file is hashed and the hash is encrypted using the developer's private key.
This is called code signing and ensures the installer hasn't been modified or corrupted since the developer published it to the app store. Another cryptographic function that's used heavily in computers and networking is random number generation. Computers actually cannot create purely random numbers though but they can simulate it using a pseudo random number generator. These numbers are used for a variety of purposes such as in game development or even in the security of some files. For example, you may wish to have the images uploaded by your users assigned a random file name made out of a series of numbers.
In truth though, the numbers are not purely random because computers create them based on mathematical functions. Or maybe you need to generate a unique session key to identify a user, and this would be an appropriate place to use a pseudo random number. Perfect forward secrecy is built around the concept of unique session keys. With perfect forward secrecy, even if a single key is compromised, the other session keys would remain protected as would the communications occurring within those sessions. With perfect forward secrecy, no single key can be used to derive any additional keys.
This is primarily used with VPNs as well as SSL and TLS tunnels which rely upon the concept of perfect forward secrecy to provide us security over the web.