Symmetric Cryptography, Asymmetric Cryptography and PKI (LEVEL : Beginner) -PART-3

In this article we will discuss in detail the vulnerabilities of symmetric cryptography.

MITM Attack:

To understand the Man in the middle attack, let’s repeat the scenario where User1 & User2 wants to start encrypted conversation, let’s consider UserX sitting in between User1 & User2, UserX will be able to capture all the communication between User1 and User2. As UserX sitting in the middle, he will be able to capture the secret key being shared between user1 & user2. After key is shared both the parties will start communication in encrypted mode without knowing that the userX is capturing their communication & as userX as already captured a secret key UserX is able to decrypt all the content transferred between User1 & User2.

Brute Force Attack:

    

            Consider a scenario of the combination lock with two decimal digits, each has possibility of 0 to 9. If I want to open the lock without knowing the correct code, I may try all possible combination until I found the correct one; In this case of two digits combination lock, it may have maximum 100 possibilities (00 to 99). I may try all possibilities & get the correct combination code.

In Case attacker has capture ciphered data encrypted with 56bit DES algorithm, but don’t have secret key to decrypt it. What attacker can do is try all different possible keys. 56 bit key size may have 2⁵⁶ possibilities; Attacker may try all the possible key combination systematically until found the correct one. As key size increases, more key combination have to check by the attacker, which takes more time to crack the key. Please look at the following table of key length v/s brute force combinations from wikipedia.

Symmetric key length vs brute force combinations
Keysize in bits	Permutations	Brute force time for a device checking 256 permutations per second
8	28	0 milliseconds
40	240	0.015 milliseconds
56	256	1 second
64	264	4 minutes 16 seconds
128	2128	149,745,258,842,898 years
256	2256	50,955,671,114,250,100,000,000,000,000,000,000,000,000,000,000,000,000 years

Symmetric Cryptography, Asymmetric Cryptography and PKI (LEVEL : Beginner) - PART-2

 Symmetric cryptography:

Only one key is being used for encryption& decryption in symmetric cryptosystem,

The key which is used to encrypt some content, same key must be used to decrypt the encrypted content.

Let’s discuss a scenario where User1 wants to have confidential conversation with User2 using symmetric encryption. The encrypted conversation can only be started between them only if both the user has same symmetric key. In this case User1 has to generate and share the key with the User2. After sharing the key, User1 encrypts message & send it to user2, user2 decrypts the message to read it using the shared key. 

As encrypted conversation can only start after key is shared. But Key sharing itself takes place in unencrypted form. User1 has to share the key with User2 in unencrypted form, and there is a possibility of compromising the secret key during transition at the time of sharing.

Advantages:

·         Less Process consuming

Disadvantages:

·         Problem with key sharing

·         Vulnerable to MITM attack.

·         Vulnerable to Brute force attack.

Symmetric Cryptography, Asymmetric Cryptography and PKI (LEVEL : Beginner) - PART-1

In cryptography, beginners may have lot of confusion & questions like.

1)      What is Symmetric & Asymmetric cryptography?

2)      What Algorithm can be used with Symmetric & Asymmetric cryptography?

3)      What are the vulnerabilities?

4)      Is Asymmetric Cryptography & PKI same?

5)      Why we need PKI, when we have Asymmetric cryptography?  

And many more.

In next few articles, we’ll discuss followings in detail

·         Symmetric cryptography

·         Vulnerabilities in Symmetric cryptography

·         Asymmetric cryptography

·         Vulnerabilities in Asymmetric cryptography

·         How PKI overcomes issues with Asymmetric Cryptography

Application Security: Level - Basic, Secure the password being stored in Database (PART-2)

In this post we'll discuss, how to use hashing technique to secure password.

As I explained in my last post, Hashing is also known as a one way hash OR Message Digest. Hashing is the one way process which generate fixed length representation of the supplied content, if content is changed the hash will be changed. As it is one way process, hash can be generated from the content but the original content cannot be retrieved back from the hash.

1.      How to generate hash using Java?

                    

With the use of MessageDigest class from java.security package, hash can be generated. Please refer the following sample code.

MessageDigest md = MessageDigest.getInstance("SHA1");

md.update(password.getBytes());

byte[] passHash = md.digest();

Now let’s understand the above sample code in detail

MessageDigest md = MessageDigest.getInstance("SHA1");

Is to create instance of the MessageDigest, by using static getInstance() function.

The supplied value ‘SHA1’ is the algorithm using which the MessageDigest will generate hash.  The other algorithms are MD5, SHA-256 etc, which can be used instead of ‘SHA1’

md.update(password.getBytes());

The update function of the MessageDigest, is used to feed the content as byte array, on which hash to be generated. Here we have content in string form which is converted to byte array and supplied to the update function.

byte[] passHash = md.digest();

After adding content to the MessageDigest using update function, Hash can be generate by calling digest() function.  It returns a hash in form of byte array.

2.      As hash is generated as byte array, do I need to modify my database to store hash instead of password?

There is no need to modify database structure at all, generally password is being stored into the database as string (varchar or char datatype). We may convert the hash generated as a byte array to the string by using base64 encoding

Please refer following sample code.

String password = "secret_word";

MessageDigest md = MessageDigest.getInstance("SHA1");

md.update(password.getBytes());

byte[] passHash = md.digest();

String passHashStr = new BASE64Encoder().encode(passHash);

//passHashStr to store in to the database.

The Hash converted to String can be stored in to the database without changing existing database table structure.

3.      If it is one way hash, how will I get original password back to compare with password supplied by user while login?

You don’t need to retrieve original password, it’s not even possible. Using same algorithm Hash can be generated on the password entered by user. And the hash can be used to compare with hash retrieved from database.

//Login information supplied by user

            String userName = request.getParameter("UserName");

            String password = request.getParameter("Password");

           

            //Generate hash on password supplied by user.

            MessageDigest md = MessageDigest.getInstance("SHA1");

            md.update(password.getBytes());

            byte[] passHash = md.digest();

            String passHashStr = new BASE64Encoder().encode(passHash);

           

            //Retrieve password hash stored from database

            String passHashFromDB = getPasswordFromDatabase(userName);

           

            //Compare password hash from DB to hash generated on password entered by user.

            if(passHashStr.equals(passHashFromDB))

            {

                //Login successfull.

                goToHomePage();

            }

            else

            {

                //Login failed

                goToErrorPage();

            }

Application Security: Level - Basic, Secure the password being stored in Database (PART-1)

There are few common questions comes to the mind, while adding authentication feature to the application.

1.      Our Database server is secure, what is the harm if I store password in plain text?

There are many reasons why you should not store password in plain text,

If your application is not serving valuable / confidential / sensitive information, you may choose to take a risk to store password in plain text. But what, if your application is serving valuable information like banking & finance, confidential information like tender related documents etc., you would not like any unauthorised person to view/update/delete such valuable data.

Even if you feel your database server is secure OR it’s not directly connected to Internet, OR it’s protected by firewall. Still there are many ways to hack the information, which we are not going to discuss here.

It’s very easy for database administrator to easily access username/password information stored in plain text format from the database and may start misusing it.

2.      How to secure a password being stored in database table?

Hashing and Encryption are the useful techniques to secure the password being stored in to the database.

Hashing – is also known as a one way hash OR Message Digest. Hashing is the one way process which generate fixed length representation of the supplied content, if content is changed the hash will be changed. As it is one way process, hash can be generated from the content but the original content cannot be retrieved back from the hash.   

Encryption – is process to convert the original content to the unreadable form, this process is reversible & the reverse process is known as decryption.

I would strongly recommend using one way hash to secure the password storage, until and unless you have a specific requirement to retrieve the original password back from encrypted password.

In next post we’ll have detailed discussion about how to implement one way hashing technique in the application to secure the password being stored in the database. I‘ll also post some sample java code to generate one way hash.