Hashing and Digital Signatures - CompTIA Security+ SY0-701 - 1.4

00:01

A cryptographic hash is used to represent data

00:04

as a short string of text.

00:06

Sometimes you'll hear this referred to as a message

00:09

digest or a fingerprint.

00:11

Just like our fingerprints that can represent us,

00:14

a digital fingerprint can represent data

00:17

that is being stored elsewhere.

00:18

Keep in mind that this cryptographic hash is not

00:21

encryption.

00:22

You can't somehow recreate the data if the only thing you have

00:26

is the hash.

00:27

For the same reason, you can't recreate a person when all you

00:30

have is their fingerprint.

00:32

In practical terms, we can use these hashes

00:34

to verify that a document that we've downloaded

00:37

matches the original document that was posted on a website.

00:41

This provides us with integrity.

00:43

We can also use these hashes during the process of creating

00:46

a digital signature.

00:47

And these digital signatures are used for authentication,

00:50

non-repudiation, and integrity.

00:53

Let's create some hashes.

00:55

We're going to use a very common hashing algorithm

00:57

called the SHA256 hashing algorithm.

01:00

This will produce 256 bits of information

01:03

that we will represent as 64 hexadecimal characters.

01:07

So let's create a hash from a very simple text string.

01:10

This text string says, "My name is Professor Messer."

01:13

And there's a period at the end of that sentence.

01:15

If we were to put this into an application

01:17

to create a SHA256 hash from that sentence,

01:20

we would get this long string of characters

01:23

that you see right here.

01:24

Let's now make one change to this sentence.

01:27

This now says, "My name is Professor Messer."

01:29

But instead of it ending in a period,

01:31

it's now ending in an exclamation mark.

01:33

So there's really only one character that's been changed.

01:36

This is a very common characteristic of hashing,

01:39

where you make one minor change to the input text.

01:42

And the output hash is very different from each other.

01:46

One of the things we'd like to avoid when creating a hash

01:48

is to make sure the hashes are very different for all types

01:52

of input.

01:53

In practical use, we should never run into a situation

01:56

where this hash is duplicated.

01:57

If we're putting different inputs

01:59

into the hashing algorithm, we should

02:01

expect to see different outputs as well.

02:04

If, for some reason, we do have different inputs

02:07

and those inputs create exactly the same hashing value,

02:11

then we've created a collision.

02:13

In practical use, you're probably

02:14

never going to run into one of these collisions.

02:16

And your hashing algorithm should

02:18

be created so that collisions are

02:20

an extremely rare occurrence.

02:22

Unfortunately, there have been hashing algorithms,

02:24

through the years, that did have problems with collisions.

02:27

One good example of this is the hashing algorithm MD5.

02:31

This collision problem was found in 1996.

02:34

And because of that, we highly recommend

02:36

that you use a different hashing algorithm than MD5.

02:40

Here's how this MD5 collision works.

02:42

Here, we have a string of input.

02:44

This is text that we're going to put into a hashing algorithm.

02:48

And we're going to take another string of text that's

02:50

almost the same.

02:51

You can see these almost match up.

02:53

But every place there is a red character

02:56

means there's a slight difference between each

02:59

of these inputs.

03:00

But if we take both of those inputs

03:02

and put them into the MD5 algorithm,

03:05

we get exactly the same hash.

03:07

This is a collision.

03:08

And this is the reason we no longer recommend using

03:11

MD5 as a hashing algorithm.

03:14

We use hashing for many different purposes.

03:16

And you might run into hashing multiple times

03:19

through a normal workday.

03:20

For example, you may need to verify

03:22

that a file that you've downloaded

03:24

matches the file that happens to be posted on a website.

03:27

You'll often see this on sites where

03:29

you're downloading very important files like a Linux

03:32

distribution.

03:33

And you can see that each distribution

03:34

has been associated with a particular hash.

03:37

This means that you can download the ISO file,

03:39

run the same hashing algorithm on the file you downloaded,

03:43

and compare it to the hash that's posted on the website.

03:46

If your hash matches the one that's on the website,

03:48

then you've downloaded the same file that exists on that site.

03:52

Another common use of hashing is to store passwords.

03:56

Ideally, we would never store someone's password

03:58

in plain text.

03:59

And we would not encrypt passwords,

04:01

because then, someone could potentially decrypt and gain

04:04

access to your passwords.

04:05

Instead, we provide a hash for all of the passwords

04:09

that someone stores.

04:10

In reality, it's a hash plus a little extra information called

04:14

a salted hash.

04:15

This way, we're able to store everyone's password

04:17

as a hash, which means we have no idea what

04:20

the actual password might be.

04:22

During the login process, the password you input

04:25

is changed to a hash, compared to the one that's

04:28

stored on the server.

04:29

And if they match, you've gained access to that system.

04:33

I mentioned earlier that when we're storing passwords,

04:35

we might want to add some additional information to make

04:38

it more difficult to brute force.

04:40

We refer to this extra information as assault.

04:43

This is random information that we

04:45

add during the hashing process to modify or randomize

04:48

the resulting hash.

04:50

Every user gets a different random salt

04:52

to go along with their password, which means if everyone's

04:55

using the same password, we'll still

04:57

see very different hashes stored for every single user.

05:01

There's a technique for reverse engineering

05:03

hashes called a rainbow table.

05:05

This is a pre-compiled set of every possible input

05:09

and the series of hashes associated with those inputs.

05:13

This makes it very easy for someone

05:15

to get a non-salted hash and very quickly

05:17

be able to determine what the original password might be.

05:20

But if you're adding a random salt to everyone's password,

05:23

these rainbow tables will no longer work.

05:26

This would certainly slow things down

05:28

for an attacker that's trying to find everyone's password

05:31

by performing a brute force.

05:33

A rainbow table can find this information

05:35

in a matter of seconds.

05:36

But brute forcing can take days, weeks, or even longer

05:39

to find someone's password.

05:41

Let's take some user passwords.

05:43

We'll add some salt to each password.

05:45

And let's see what the resulting hash looks like.

05:48

Let's take the password of "dragon."

05:50

And if we're not using any salting,

05:51

this is the hash that results from that password of dragon.

05:55

But now, let's add some additional random text

05:58

onto this password of dragon.

05:59

And as we add the different randomization

06:02

for each one of these, you can see

06:04

that we have a very different hash that we're storing.

06:07

If someone was to gain access to our hashed database,

06:10

they would think that there were five different passwords being

06:13

used, when in reality, there's a single password

06:16

with a number of different salts added to that password.

06:20

Hashes are also used during the process of creating

06:23

a digital signature.

06:24

A digital signature is very similar to a signature

06:27

you might use on any other document.

06:29

But this one is a digital version

06:31

of the signature that proves that the message that you

06:34

received was not somehow changed during the process of sending

06:37

that message to you.

06:38

From that perspective, digital signatures provide integrity.

06:42

The digital signature will also help you prove

06:44

the source of the message.

06:46

This provides authentication.

06:48

And if others want to prove that the message really

06:50

was sent by the person who says they sent it,

06:53

we can confirm that with the digital signature.

06:55

That's also referred to as non-repudiation.

06:58

The process for creating a digital signature

07:01

is almost the opposite as encrypting data.

07:04

For digital signature, the person signing the document

07:07

will use their private key to create the digital signature.

07:11

When that signature is sent to another party,

07:13

they're able to confirm that private key was

07:16

used by verifying it with the public key for that user.

07:20

If we receive a digital signature

07:22

and go through the verification process

07:24

and find that the public key of the sender

07:26

is not able to verify the digital signature,

07:29

then something in that document has changed.

07:32

And we can no longer trust the information

07:34

that we've received.

07:35

If you're using a digital signature process built

07:38

into your email system, or you're using a third party

07:41

utility to provide digital signatures,

07:43

then it's as simple as clicking a button or checkbox

07:46

to include a digital signature with the information

07:49

that you're sending.

07:50

But behind the scenes, there's a great deal of cryptography

07:52

that's going on.

07:53

Let's step through the process of creating a digital signature

07:57

so that you can see what happens when you select that checkbox.

08:01

We'll start with Alice, who would

08:02

like to send a message to Bob that says, "You're hired, Bob."

08:05

We refer to this original message as the plaintext.

08:08

Alice is going to click that check box that tells her email

08:11

program to include a digital signature

08:13

with this email message.

08:15

Behind the scenes, the email client

08:16

is going to look at the plain text of, "You're hired, Bob,"

08:19

and send it through a hashing algorithm

08:22

to create a hash of that plaintext.

08:24

The email application is then going

08:26

to encrypt the hash that's been created

08:29

with Alice's private key.

08:31

And since Alice is the only one that has her private key,

08:35

she's the only one that could have created

08:37

this final digital signature.

08:39

Just like a digital signature is a bit of information

08:42

you add to the end of a document,

08:44

we can do exactly the same thing with this email.

08:47

So, "You're hired, Bob," is still

08:49

sent through the network in plaintext.

08:51

We're not doing any type of encryption

08:53

in this specific example.

08:55

But we do include the digital signature, usually

08:58

as an attachment or at the end of the email.

09:01

Bob now checks his email.

09:03

And he's got a message from Alice

09:04

that has a message that says, "You're hired, Bob,"

09:06

and it includes that same digital signature.

09:09

Now, Bob wants to really verify that the message he received

09:13

is really the message that was originally sent.

09:16

And he wants to confirm that it really came from Alice.

09:19

The first thing he's going to do is load that message

09:21

into his email client.

09:23

And generally, the email client will

09:25

recognize there's a digital signature

09:27

and will perform a verification and tell Bob

09:29

that this is either verified or not verified.

09:32

Behind the scenes, what's really happening

09:34

is that the email client is looking

09:36

at the digital signature.

09:37

And it decrypts that digital signature

09:40

using Alice's public key.

09:42

Remember that the keys are mathematically related.

09:45

So if you encrypt with one key, you can decrypt with the other.

09:48

The result of this decryption ends up

09:50

being a hash of the original plain text.

09:53

Now we simply perform the same hash

09:56

that was done originally to the plaintext

09:58

to see what the results are.

10:00

And if both of those hashes match,

10:02

then we know that the digital signature verifies,

10:05

and that not only is the document exactly what

10:08

was originally sent, but we can confirm

10:10

that it really came from Alice.