EC-Council CEH 312-50 v10 – Cryptography Part 2

1. Hashing, Hash Collisions, Common Hash Algorithms

The next thing we want to discuss is the hash. A hash is simply a function that is primarily used to generate fixed-length output data that can act as a shortened reference to the original data; it is a fingerprint of the original data, if you will. This is useful when the original data is too cumbersome to use in its entirety. One practical use is a data structure called a hash table, where data is stored associatively. Searching a list linearly by a person’s name becomes cumbersome as the length of the list increases, but the hashed value can be used to store a reference to the original data and retrieve it in constant time, barring any collision.

Another use is in cryptography, the science of encoding and safeguarding data. It’s easy to generate a hash value from the input data and easy to verify that the data matches the hash, but hard to fake a hash value to hide malicious data. This is the principle behind PGP’s data validation; PGP stands for Pretty Good Privacy and was created by Phil Zimmermann around 1996. Hash functions are also frequently used to accelerate table lookups or data comparisons, such as finding items in a database, detecting duplicated or similar records in a large file, and finding similar stretches in DNA sequences.

A hash function must be deterministic: when it’s invoked twice on identical data, for example two strings containing exactly the same characters, it should produce the same value. This is crucial to the correctness of virtually all algorithms based on hashing. So the key takeaways here are that a hash is simply a process to create a unique string of characters from any source, which could be a password, an executable, whatever. It’s also very important to understand that the output is of a fixed length defined by the algorithm, and that the output changes completely if the source changes. It’s used primarily for data integrity and secure password authentication. The hash value cannot be reverse engineered; it’s known as a one-way algorithm.

So if you think about it, it would be impossible to reverse engineer this hash value back into the source we put in, although we might guess what the source happens to be, and if that guess comes up with the same hash value, that’s what the source was. This is the concept of cracking passwords. In reality, we don’t crack passwords, we guess passwords: we guess what the password might be, run it through the hash algorithm, and come up with a hash value. If it matches what’s stored in the registry, hey, you guessed the right password, come on in.

Let’s take a couple of moments and demonstrate these hash values. So I’m going to go into my online lab and open up my XP attacker, which I happen to know has MD5 Hash, a little utility to create hashes. Let’s go ahead and just create a text document, and we’ll call this password.txt. Great. I’m going to open that up and put in what some individuals say is the most popular password in the world. I have no idea if this is right. M-O-N-K-E-Y. Monkey, one, two, three. Okay, fine. So I’m going to go ahead and save this, get out of this, and drag this in.

And you notice it’s calculated the hash. I’m going to open this back up, and I want you to understand that Notepad is what’s called a disconnected application: if I save it and drag this file in here, it’d be the same thing as if I closed it and dragged the file in here. So I want you to notice right here that this file’s hash ends in 1269E. I’m going to drag this in, and again the value ends in 1269E. Now I’m going to go over here and put in just one space, save the file, and drag this back over again. I want you to notice real quick, and I’ll zoom in on this just a little bit, that the password hash has completely changed. Every one of those characters has changed, not just the last couple of them; but if the last few characters match, you can pretty well be assured the whole thing is going to match. Now I’m going to go ahead and take that space out again and make it monkey123 again, and we’ll see if it comes back to the same password hash.

And you see it does: 1269E. So the password hash is simply a way of taking a fixed-length hash, because it’s always this fixed number of characters; it’s never any more. No matter what I put in here, I could put in an entire hard drive, I could put in an application. Let’s say, for example, here’s my Nmap setup. I’m going to drag it over here. You notice it’s taking a little bit longer to calculate the hash, but this is what you would typically see on a website. You may see a SHA-1 hash, which is a stronger hash, or an MD5 hash. MD5 has actually been broken, but a lot of people still use it because it’s very fast.

They’ll typically authenticate the original file with SHA-1, and after the original file is authenticated, they use MD5 because it’s simply faster. Again, the key takeaways here are that the hash cannot be reverse engineered into plain text; it’s a one-way hash. I can’t take this hash and recreate the source from it, although I could guess what the source happens to be, run it through the hash engine, and if it shows up right here, hey, I guessed right. The output changes completely if the source changes, and the output is of a fixed length defined by the algorithm. Now, I never seem to get through a lecture without somebody in the class raising their hand and saying, well, that’s not quite right, that an input will always produce the same hash. Just the law of averages tells you that it is possible for two distinctly different inputs to produce the same hash. When you think about it, that’s a possibility because we’re hashing a tremendous amount of data and only representing that data by a fixed string of characters. Hash functions are not typically invertible, meaning that it is not possible to reconstruct the input. It is common that several values hash to the same value, a condition called a hash collision.

Since collisions cause confusion of objects, which makes exact hash-based algorithms slower, hash functions are designed to minimize the probability of collisions. For cryptographic uses, hash functions are engineered in such a way that it’s impossible to reconstruct any input from the hash value alone without expending great amounts of computing time. This is the reason it’s also called a one-way function. Hash functions are related to, and often confused with, checksums, check digits, fingerprints, randomization functions, error-correcting codes, and ciphers. Although these concepts overlap to some extent, each has its own uses and requirements and is designed and optimized differently.

The HashKeeper database maintained by the American National Drug Intelligence Center, for instance, is more aptly described as a catalog of file fingerprints than of hash values. Let’s real quickly discuss some of the common hash algorithms you’ll typically see. You’ll see them referred to as MD, and MD stands for Message Digest. MD4 has already been cracked. MD5 has already been cracked. SHA-1 is said to have been cracked; it uses 160 bits and was used as an industry standard and in Xbox copy protection. But look at SHA-2. SHA-2 is what we’re typically using for our certificates today. Keep in mind that every additional bit doubles the number of possible values, so going from 224 bits to 225 doubles the amount, and all the way up to 256 bits we’re going up by a huge factor. SHA-2 is incredibly strong, although it can be a little bit slow.
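As an added example (not from the lecture or the MD5 Hash utility it uses), the properties demonstrated above with Python’s standard library: fixed-length output for MD5, SHA-1 and SHA-256 regardless of input size, the complete change of the digest when a single space is appended to monkey123, password “cracking” as guessing candidates against a stored digest, and why collisions are unavoidable once the output space is small enough. The password and candidate list are constructed sample values.

```python
import hashlib
import hmac
from typing import Iterable, Optional, Tuple

# Constructed sample input, matching the lecture's demo password.
PASSWORD = b"monkey123"

def digest_hex(algorithm: str, data: bytes) -> str:
    """Hex digest of data under the named hashlib algorithm (md5, sha1, sha256, ...)."""
    return hashlib.new(algorithm, data).hexdigest()

def digest_lengths(data: bytes) -> dict:
    """Output length in hex characters per algorithm; fixed regardless of input size."""
    return {alg: len(digest_hex(alg, data)) for alg in ("md5", "sha1", "sha256")}

def changed_hex_chars(algorithm: str, a: bytes, b: bytes) -> int:
    """Count digest positions that differ between two inputs (the avalanche effect)."""
    return sum(1 for x, y in zip(digest_hex(algorithm, a), digest_hex(algorithm, b)) if x != y)

def guess_password(algorithm: str, stored_hex: str, candidates: Iterable[str]) -> Optional[str]:
    """'Cracking' as the lecture describes it: hash each guess and compare it with the
    stored digest. Nothing is inverted; a fast hash like MD5 simply makes guessing cheap."""
    for candidate in candidates:
        if hmac.compare_digest(digest_hex(algorithm, candidate.encode()), stored_hex):
            return candidate
    return None

def find_truncated_collision(algorithm: str, hex_chars: int) -> Tuple[int, int]:
    """Why collisions are inevitable: shrink the output space to the first hex_chars of the
    digest and hash counters until two different inputs share that prefix."""
    seen = {}
    n = 0
    while True:
        prefix = digest_hex(algorithm, str(n).encode())[:hex_chars]
        if prefix in seen:
            return seen[prefix], n
        seen[prefix] = n
        n += 1

if __name__ == "__main__":
    with_space = PASSWORD + b" "  # the single space added in the Notepad demo
    print(digest_lengths(PASSWORD), digest_lengths(b"x" * 1_000_000))
    print(digest_hex("md5", PASSWORD))
    print(digest_hex("md5", with_space))
    print(changed_hex_chars("md5", PASSWORD, with_space), "of 32 hex characters changed")
    print(guess_password("md5", digest_hex("md5", PASSWORD), ["password", "123456", "monkey123"]))
    print(find_truncated_collision("md5", 3))
```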

2. Ransomware

I tell you, this one here probably needs a whole lecture on its own. It’s something called ransomware, and you may even be familiar with it. If you are, you’re probably kind of angry at it as well. What happens is you accept some kind of malware; remember we talked about those key generators for files? That is a common ploy for infecting you with ransomware. What it actually does is go out and look for something you have a lot of personal time invested in, things like games, online games such as Call of Duty, World of Warcraft, DayZ, Minecraft, Fallout, Diablo, as well as configuration files for Steam, which of course is an online gaming platform.

It looks for files related to tax returns and personal finance, like Intuit’s Quicken software, and maybe iTunes files. It can also now extend its reach into devices and drives connected by any means, and it will encrypt the files out on those as well: USB drives, network file shares, cloud storage folders, and other connected storage devices. What about your Dropbox or Google Drive? Basically, it encrypts your files, and in order to get them back you must pay a ransom.

Now, the ransom you have to pay is generally in Bitcoin, and they give you the address for payment; you can see I’ve kind of blurred that right here. You can also make payment with PayPal My Cash cards, which are $500 apiece, so your total payment would be $1,000 for two PayPal cash cards. It’s even gotten worse, and this really makes you think about the ethics of these people.

There was an article in one of the security magazines where the ransomware people had sent a very popular cryptographer an email that said: can you help us with our ransomware? We are not able to decrypt files for individuals on certain occasions. If you can help us fix this ransomware, we would then be able to decrypt everyone’s files when they pay us.

So basically, you may or may not get your files back, even if you do pay them. Now, I would think the most disturbing thing of all that’s happened recently is the concept of giving them two other people they can collect ransom from, and in return they will decrypt your files for free. Can you imagine giving them access to, let’s say, your boss’s email, or to somebody else you don’t like? It just makes your skin crawl, doesn’t it?

3. IPsec and SSH

The next thing we want to talk about is IPsec, which stands for Internet Protocol Security. It’s a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between the agents at the beginning of the session and for negotiating the cryptographic keys to be used during the session. IPsec can be used to protect data flows between a pair of hosts (host to host), between a pair of security gateways (network to network), or between a security gateway and a host (network to host).

IPsec is an end-to-end security scheme operating in the Internet layer of the Internet Protocol Suite, while some other Internet security systems in widespread use, such as Transport Layer Security (TLS), which we commonly think of as SSL, and Secure Shell (SSH), operate in the upper layers of the TCP/IP model. Hence, IPsec protects any application traffic across an IP network; applications do not need to be specifically designed to use IPsec. Without IPsec, the use of TLS/SSL must be designed into an application to protect the application’s protocol. IPsec has two modes of operation: it can be implemented in a host-to-host transport mode as well as in a network tunnel mode.

In transport mode, only the payload of the IP packet is usually encrypted and/or authenticated. The routing is intact, since the IP header is neither modified nor encrypted. However, when the Authentication Header (AH) is used, the IP addresses cannot be translated, as this will invalidate the hash value. The transport and application layers are always secured by a hash, so they cannot be modified in any way, for example by translating the port number.

A means to encapsulate IPsec messages for NAT traversal has been defined by the RFC documents describing the NAT-T mechanism. Then we have tunnel mode. In tunnel mode, the entire IP packet is encrypted and/or authenticated. It is then encapsulated into a new IP packet with a new IP header. Tunnel mode is used to create virtual private networks; we typically think of tunnel mode as a VPN, used for network-to-network communication (between routers, to link two sites), host-to-network communication (in other words, remote user access), and host-to-host communication. Tunnel mode supports NAT traversal. Lastly, let’s talk about Secure Shell, or SSH.
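Before moving on to SSH, an added example (not from the lecture) modelling the two points just made: with AH in transport mode the integrity value covers the IP addresses, so a NAT rewrite of the source address breaks verification, whereas in ESP tunnel mode the protected unit is the encapsulated inner packet and the outer header can be rewritten. This is a simplified model using HMAC-SHA256 over a toy packet structure, not the real IPsec wire format; the addresses and the shared key are constructed, and ESP’s encryption of the payload is omitted.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

# Constructed shared key for the security association (demo only, not a real SA key).
SA_KEY = b"constructed-demo-sa-key"

@dataclass(frozen=True)
class Packet:
    src: str        # IP source address
    dst: str        # IP destination address
    payload: bytes  # everything after the IP header
    icv: bytes      # integrity check value (HMAC-SHA256 in this model)

def _addresses(p: Packet) -> bytes:
    """The immutable header fields this toy model covers: both IP addresses."""
    return f"{p.src}->{p.dst}".encode()

def _mac(data: bytes) -> bytes:
    return hmac.new(SA_KEY, data, hashlib.sha256).digest()

def ah_transport(src: str, dst: str, payload: bytes) -> Packet:
    """Transport mode with AH: the ICV covers the IP addresses plus the payload,
    and the original header stays in place."""
    return Packet(src, dst, payload, _mac(f"{src}->{dst}".encode() + payload))

def verify_ah_transport(p: Packet) -> bool:
    return hmac.compare_digest(_mac(_addresses(p) + p.payload), p.icv)

def esp_tunnel(gw_src: str, gw_dst: str, inner: Packet) -> Packet:
    """Tunnel mode with ESP: the whole inner packet (header and all) becomes the payload
    of a new packet with a new outer header. The ICV covers that encapsulated payload,
    not the outer header, which is what lets NAT-T work for ESP."""
    body = _addresses(inner) + inner.payload
    return Packet(gw_src, gw_dst, body, _mac(body))

def verify_esp_tunnel(p: Packet) -> bool:
    return hmac.compare_digest(_mac(p.payload), p.icv)

def nat_rewrite_source(p: Packet, public_src: str) -> Packet:
    """What a NAT device does to an outbound packet: rewrite the outer source address."""
    return replace(p, src=public_src)

if __name__ == "__main__":
    # Constructed addresses: a private host behind a NAT talking to a remote peer.
    host, peer, nat_public = "10.0.0.5", "203.0.113.7", "198.51.100.1"
    ah = ah_transport(host, peer, b"GET / HTTP/1.1")
    print("AH transport before NAT:", verify_ah_transport(ah))
    print("AH transport after NAT: ", verify_ah_transport(nat_rewrite_source(ah, nat_public)))
    inner = Packet(host, peer, b"GET / HTTP/1.1", b"")  # plain inner packet, no ICV yet
    tun = esp_tunnel(host, peer, inner)
    print("ESP tunnel after NAT:   ", verify_esp_tunnel(nat_rewrite_source(tun, nat_public)))
```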

It’s a cryptographic network protocol for securing data communication, remote command-line login, remote command execution, and other secure network services between two networked computers. It connects, via a secure channel over an insecure network, a server and a client running SSH server and SSH client programs, respectively. The protocol specification distinguishes between two major versions, referred to as SSH-1 and SSH-2.

The best-known application is for access to shell accounts on Unix-like operating systems, but it can also be used in similar fashion for accounts on Windows. It was designed as a replacement for Telnet, which sends its password in the clear, and other insecure remote shell protocols such as the Berkeley rsh and rexec protocols, which send information, notably passwords, in plain text, rendering them susceptible to interception and disclosure using packet analysis. The encryption used by SSH is intended to provide confidentiality and integrity of data over an unsecured network such as the Internet.

4. PKI Applications, Quantum Crypto and VeraCrypt

To round out the home stretch of our cryptography section, let’s talk a little bit about PKI-enabled applications. Millions of people are using PKI without ever realizing it. Every time anyone uses an HTTPS-secured web server connection, they’re using a PKI server identity certificate in the SSL handshake. The purpose of this is so the server can assert its identity to the client in a verifiable manner. For example, it’s important for Amazon customers to be sure it is really an Amazon server they are accessing before supplying their credit card number for an online purchase. Mail servers commonly use SSL, and virtually any socket-based client-server application can use SSL for greater security: both encryption and increased assurance that the server is who it claims to be.

VPN appliances can also use PKI server identity certificates to verify themselves to VPN clients. So we can use PKI for authentication and authorization of web applications, electronic document and form signing, authentication for VPNs, S/MIME email signing and encryption, and email list servers, just to name a few. Now, this lecture wouldn’t be complete unless we talked, just briefly, about quantum cryptography. Quantum cryptography describes the use of quantum mechanical effects, in particular quantum communication and quantum computation, to perform cryptographic tasks or to break cryptographic systems.

Well-known examples of quantum cryptography are the use of quantum communication to exchange a key securely (in other words, quantum key distribution) and the hypothetical use of quantum computers that would allow the breaking of various popular public-key encryption and signature schemes, for example RSA and ElGamal.

The advantage of quantum cryptography lies in the fact that it allows the completion of various tasks that are proven or conjectured to be impossible using only classical (in other words, non-quantum) communication. For example, quantum mechanics guarantees that measuring quantum data disturbs that data; this can be easily used to detect eavesdropping in quantum key distribution. And lastly, let’s not forget about our laptop and portable encryption. As a matter of fact, it’s not a bad idea to go ahead and encrypt our desktops as well.

The most popular versions of this would include items like VeraCrypt. The question often comes up: I forgot my password; is there any way, in other words a backdoor, to recover the files from my VeraCrypt volume? The VeraCrypt FAQ answers: we have not implemented any kind of backdoor in VeraCrypt and will never implement any backdoor or deliberate weakness, even if asked to do so by any government agency, because it would defeat the purpose of the software. VeraCrypt does not allow decryption of data without knowing the correct password or key.

We cannot recover your data because we don’t know the password that you chose or the key generated when using VeraCrypt. If you follow the security requirements listed in the documentation, then to the best of our knowledge the only way to recover your files is to crack the password or the key, which, however, could take thousands or millions of years, depending on the length and quality of the password or keyfiles, on the software and hardware performance, on the algorithms, and on other factors. If you find this hard to believe, consider the fact that even the FBI was not able to decrypt a VeraCrypt volume after a year of trying.
