Hashing and Digital Signatures - CompTIA Security+ SY0-701 - 1.4
Summary
TLDRThis script delves into the world of cryptographic hashes, explaining their function as digital fingerprints for data integrity and verification. It contrasts hashing with encryption and illustrates the process using SHA256, highlighting the uniqueness of hashes even with minor text changes. The script warns against using MD5 due to collision issues and discusses practical applications like verifying downloads and securing passwords with salted hashes. It also explains digital signatures for authentication and non-repudiation, detailing the process from creation to verification.
Takeaways
- 🔒 A cryptographic hash is a unique string that represents data, akin to a digital fingerprint, and is used for data verification and integrity.
- 🔑 Hashing is not encryption; it's a one-way process from which the original data cannot be reconstructed.
- 🔄 The SHA256 algorithm is a common hashing method that produces a 64-character hexadecimal string from the input data.
- 📝 Even a minor change in the input text results in a significantly different output hash, highlighting the sensitivity of hashing algorithms.
- 🚫 Collisions, where different inputs produce the same hash, are undesirable and rare in secure hashing algorithms.
- ❌ MD5 is an example of an outdated hashing algorithm that has been compromised due to collision vulnerabilities.
- 📥 Hashes are used to verify the integrity of downloaded files by comparing them with the hashes provided by the source.
- 🔒 Storing passwords as hashes, with added salt, ensures they cannot be easily retrieved or cracked, enhancing security.
- 🔄 Salting hashes with unique random data per user prevents the use of rainbow tables for reverse-engineering hashes.
- 🖋️ Digital signatures use hashing and public/private key encryption to provide authentication, integrity, and non-repudiation.
- 🔏 The process of creating a digital signature involves hashing the message, encrypting the hash with a private key, and sending it along with the message for verification.
Q & A
What is a cryptographic hash used for?
-A cryptographic hash is used to represent data as a short string of text, often referred to as a message digest or fingerprint, to verify data integrity and authenticity without the need to store or transmit the original data.
How is a cryptographic hash different from encryption?
-Unlike encryption, which is reversible and can recreate the original data, a cryptographic hash is a one-way function that cannot be used to recreate the original data from the hash value.
What is the purpose of using a hash to verify a downloaded document?
-Hashes are used to ensure that the downloaded document matches the original one posted on a website, thus providing integrity and verifying that the document has not been altered.
What role do hashes play in the creation of digital signatures?
-Hashes are used in the process of creating digital signatures to ensure the integrity and authenticity of a message, as well as to provide non-repudiation, which means the sender cannot deny having sent the message.
What is the SHA256 hashing algorithm and what does it produce?
-The SHA256 hashing algorithm is a common cryptographic hash function that produces a 256-bit hash, represented as a 64-character hexadecimal string, from the input data.
Why is it significant that a small change in the input text results in a significantly different hash output?
-This characteristic, known as the avalanche effect, ensures the security of the hash function by making it infeasible for an attacker to find two different inputs that produce the same hash, a situation known as a collision.
What is a collision in the context of hashing algorithms?
-A collision occurs when two different inputs to a hashing algorithm produce the same hash output, which is undesirable as it compromises the uniqueness and security of the hash function.
Why is the MD5 hashing algorithm no longer recommended for use?
-The MD5 algorithm is no longer recommended due to the discovery of collision vulnerabilities in 1996, which makes it susceptible to attacks and not suitable for secure applications.
How are hashes used in the context of password storage?
-Hashes are used to store passwords securely by converting the plain text passwords into a hash value, which is then stored instead of the actual password. This ensures that even if the storage is compromised, the plain text passwords are not directly exposed.
What is a salt in the context of password hashing?
-A salt is a random piece of data added to the password before it is hashed. This ensures that even if two users have the same password, their hashes will be different due to the unique salt, making it more difficult for attackers to crack the passwords using pre-computed hash tables or rainbow tables.
How does the process of creating a digital signature ensure the integrity and authenticity of a message?
-The process of creating a digital signature involves hashing the original message and then encrypting the hash with the sender's private key. The recipient can then decrypt the signature with the sender's public key and compare the resulting hash with the hash of the received message to verify its integrity and authenticity.
Outlines
🔒 Understanding Cryptographic Hashes
This paragraph introduces the concept of cryptographic hashes, which are short strings of text used to represent data, akin to fingerprints. It clarifies that hashes are not encryption and cannot be used to recreate the original data. The paragraph discusses the practical applications of hashes, such as verifying document integrity and creating digital signatures for authentication, non-repudiation, and integrity. The SHA256 hashing algorithm is highlighted, which generates a 64-character hexadecimal hash from input data. The importance of unique hashes for different inputs and the rarity of hash collisions are emphasized, with a mention of the MD5 algorithm's vulnerability to collisions.
🛡️ Hashing in Security and Password Storage
The second paragraph delves into the use of hashing in security practices, particularly in password storage. It explains the process of creating a salted hash to prevent the use of rainbow tables for reverse-engineering passwords. The paragraph illustrates how adding a salt to a password results in a unique hash for each user, even if the same password is used, enhancing security against brute force attacks. It also touches on the concept of digital signatures, comparing them to traditional signatures for integrity, authentication, and non-repudiation. The process of creating a digital signature using a private key and verifying it with a public key is outlined, emphasizing its role in confirming the authenticity and integrity of a message.
🗒️ Digital Signatures and Verification Process
The final paragraph focuses on the verification process of digital signatures. It describes a scenario where Alice sends a message to Bob with a digital signature to ensure the message's integrity and origin. The paragraph details the steps involved in creating a digital signature, including hashing the plaintext and encrypting the hash with a private key. Upon receipt, Bob's email client verifies the signature using Alice's public key, confirming the message's authenticity and integrity. The process highlights the cryptographic mechanisms at work behind common digital signature functionalities in email systems and other applications.
Mindmap
Keywords
💡Cryptographic Hash
💡Message Digest
💡Digital Fingerprint
💡SHA256
💡Hash Collision
💡MD5
💡Digital Signature
💡Authentication
💡Non-repudiation
💡Salt
💡Rainbow Table
Highlights
A cryptographic hash is used to represent data as a short string of text, also known as a message digest or fingerprint.
Cryptographic hashes are not encryption and cannot be used to recreate the original data from the hash.
Hashes can verify the integrity of a document by comparing it to the original hash posted on a website.
Digital signatures use hashes for authentication, non-repudiation, and integrity.
SHA256 is a common hashing algorithm that produces a 64-character hexadecimal hash.
Even minor changes in the input text result in a significantly different hash output.
Hash collisions, where different inputs produce the same hash, are extremely rare and undesirable.
MD5 is an example of a hashing algorithm with known collision problems, and its use is not recommended.
Hashing is commonly used to verify the integrity of downloaded files by comparing hashes.
Storing passwords as hashes, rather than plain text or encrypted forms, enhances security.
Salted hashes add a random element to the hashing process, making brute force attacks more difficult.
Rainbow tables are a technique used to reverse engineer non-salted hashes, which can be thwarted by salting.
Digital signatures are created using a private key and verified with a public key, ensuring the integrity and authenticity of a message.
The process of creating a digital signature involves hashing the plaintext, encrypting the hash with a private key, and attaching it to the message.
Digital signatures provide non-repudiation by confirming the message's source and ensuring it was not altered during transmission.
Using digital signatures in email involves a simple interface, but relies on complex cryptographic processes.
The verification of a digital signature involves decrypting it with the sender's public key and comparing the resulting hash to the original message's hash.
Transcripts
A cryptographic hash is used to represent data
as a short string of text.
Sometimes you'll hear this referred to as a message
digest or a fingerprint.
Just like our fingerprints that can represent us,
a digital fingerprint can represent data
that is being stored elsewhere.
Keep in mind that this cryptographic hash is not
encryption.
You can't somehow recreate the data if the only thing you have
is the hash.
For the same reason, you can't recreate a person when all you
have is their fingerprint.
In practical terms, we can use these hashes
to verify that a document that we've downloaded
matches the original document that was posted on a website.
This provides us with integrity.
We can also use these hashes during the process of creating
a digital signature.
And these digital signatures are used for authentication,
non-repudiation, and integrity.
Let's create some hashes.
We're going to use a very common hashing algorithm
called the SHA256 hashing algorithm.
This will produce 256 bits of information
that we will represent as 64 hexadecimal characters.
So let's create a hash from a very simple text string.
This text string says, "My name is Professor Messer."
And there's a period at the end of that sentence.
If we were to put this into an application
to create a SHA256 hash from that sentence,
we would get this long string of characters
that you see right here.
Let's now make one change to this sentence.
This now says, "My name is Professor Messer."
But instead of it ending in a period,
it's now ending in an exclamation mark.
So there's really only one character that's been changed.
This is a very common characteristic of hashing,
where you make one minor change to the input text.
And the output hash is very different from each other.
One of the things we'd like to avoid when creating a hash
is to make sure the hashes are very different for all types
of input.
In practical use, we should never run into a situation
where this hash is duplicated.
If we're putting different inputs
into the hashing algorithm, we should
expect to see different outputs as well.
If, for some reason, we do have different inputs
and those inputs create exactly the same hashing value,
then we've created a collision.
In practical use, you're probably
never going to run into one of these collisions.
And your hashing algorithm should
be created so that collisions are
an extremely rare occurrence.
Unfortunately, there have been hashing algorithms,
through the years, that did have problems with collisions.
One good example of this is the hashing algorithm MD5.
This collision problem was found in 1996.
And because of that, we highly recommend
that you use a different hashing algorithm than MD5.
Here's how this MD5 collision works.
Here, we have a string of input.
This is text that we're going to put into a hashing algorithm.
And we're going to take another string of text that's
almost the same.
You can see these almost match up.
But every place there is a red character
means there's a slight difference between each
of these inputs.
But if we take both of those inputs
and put them into the MD5 algorithm,
we get exactly the same hash.
This is a collision.
And this is the reason we no longer recommend using
MD5 as a hashing algorithm.
We use hashing for many different purposes.
And you might run into hashing multiple times
through a normal workday.
For example, you may need to verify
that a file that you've downloaded
matches the file that happens to be posted on a website.
You'll often see this on sites where
you're downloading very important files like a Linux
distribution.
And you can see that each distribution
has been associated with a particular hash.
This means that you can download the ISO file,
run the same hashing algorithm on the file you downloaded,
and compare it to the hash that's posted on the website.
If your hash matches the one that's on the website,
then you've downloaded the same file that exists on that site.
Another common use of hashing is to store passwords.
Ideally, we would never store someone's password
in plain text.
And we would not encrypt passwords,
because then, someone could potentially decrypt and gain
access to your passwords.
Instead, we provide a hash for all of the passwords
that someone stores.
In reality, it's a hash plus a little extra information called
a salted hash.
This way, we're able to store everyone's password
as a hash, which means we have no idea what
the actual password might be.
During the login process, the password you input
is changed to a hash, compared to the one that's
stored on the server.
And if they match, you've gained access to that system.
I mentioned earlier that when we're storing passwords,
we might want to add some additional information to make
it more difficult to brute force.
We refer to this extra information as assault.
This is random information that we
add during the hashing process to modify or randomize
the resulting hash.
Every user gets a different random salt
to go along with their password, which means if everyone's
using the same password, we'll still
see very different hashes stored for every single user.
There's a technique for reverse engineering
hashes called a rainbow table.
This is a pre-compiled set of every possible input
and the series of hashes associated with those inputs.
This makes it very easy for someone
to get a non-salted hash and very quickly
be able to determine what the original password might be.
But if you're adding a random salt to everyone's password,
these rainbow tables will no longer work.
This would certainly slow things down
for an attacker that's trying to find everyone's password
by performing a brute force.
A rainbow table can find this information
in a matter of seconds.
But brute forcing can take days, weeks, or even longer
to find someone's password.
Let's take some user passwords.
We'll add some salt to each password.
And let's see what the resulting hash looks like.
Let's take the password of "dragon."
And if we're not using any salting,
this is the hash that results from that password of dragon.
But now, let's add some additional random text
onto this password of dragon.
And as we add the different randomization
for each one of these, you can see
that we have a very different hash that we're storing.
If someone was to gain access to our hashed database,
they would think that there were five different passwords being
used, when in reality, there's a single password
with a number of different salts added to that password.
Hashes are also used during the process of creating
a digital signature.
A digital signature is very similar to a signature
you might use on any other document.
But this one is a digital version
of the signature that proves that the message that you
received was not somehow changed during the process of sending
that message to you.
From that perspective, digital signatures provide integrity.
The digital signature will also help you prove
the source of the message.
This provides authentication.
And if others want to prove that the message really
was sent by the person who says they sent it,
we can confirm that with the digital signature.
That's also referred to as non-repudiation.
The process for creating a digital signature
is almost the opposite as encrypting data.
For digital signature, the person signing the document
will use their private key to create the digital signature.
When that signature is sent to another party,
they're able to confirm that private key was
used by verifying it with the public key for that user.
If we receive a digital signature
and go through the verification process
and find that the public key of the sender
is not able to verify the digital signature,
then something in that document has changed.
And we can no longer trust the information
that we've received.
If you're using a digital signature process built
into your email system, or you're using a third party
utility to provide digital signatures,
then it's as simple as clicking a button or checkbox
to include a digital signature with the information
that you're sending.
But behind the scenes, there's a great deal of cryptography
that's going on.
Let's step through the process of creating a digital signature
so that you can see what happens when you select that checkbox.
We'll start with Alice, who would
like to send a message to Bob that says, "You're hired, Bob."
We refer to this original message as the plaintext.
Alice is going to click that check box that tells her email
program to include a digital signature
with this email message.
Behind the scenes, the email client
is going to look at the plain text of, "You're hired, Bob,"
and send it through a hashing algorithm
to create a hash of that plaintext.
The email application is then going
to encrypt the hash that's been created
with Alice's private key.
And since Alice is the only one that has her private key,
she's the only one that could have created
this final digital signature.
Just like a digital signature is a bit of information
you add to the end of a document,
we can do exactly the same thing with this email.
So, "You're hired, Bob," is still
sent through the network in plaintext.
We're not doing any type of encryption
in this specific example.
But we do include the digital signature, usually
as an attachment or at the end of the email.
Bob now checks his email.
And he's got a message from Alice
that has a message that says, "You're hired, Bob,"
and it includes that same digital signature.
Now, Bob wants to really verify that the message he received
is really the message that was originally sent.
And he wants to confirm that it really came from Alice.
The first thing he's going to do is load that message
into his email client.
And generally, the email client will
recognize there's a digital signature
and will perform a verification and tell Bob
that this is either verified or not verified.
Behind the scenes, what's really happening
is that the email client is looking
at the digital signature.
And it decrypts that digital signature
using Alice's public key.
Remember that the keys are mathematically related.
So if you encrypt with one key, you can decrypt with the other.
The result of this decryption ends up
being a hash of the original plain text.
Now we simply perform the same hash
that was done originally to the plaintext
to see what the results are.
And if both of those hashes match,
then we know that the digital signature verifies,
and that not only is the document exactly what
was originally sent, but we can confirm
that it really came from Alice.
関連動画をさらに表示
Non-repudiation - CompTIA Security+ SY0-701 - 1.2
One Way Hash Explained
Hashing and Digital Signatures - SY0-601 CompTIA Security+ : 2.8
#34 Spring Security | Bcrypt Password Encoder
How to use CrypTool for creating the digital signature for documents
CompTIA Security+ SY0-701 Course - 1.4 Use Appropriate Cryptographic Solutions - PART B
5.0 / 5 (0 votes)