Threats to Information Security and What the Hash you could do about it

http://www.mfbzone.com/img/my%20pages/information.png

What are Hash Functions?

A cryptographic hash functions is a mathematical formula that helps you convert a given value to another value that is of a fixed length and is irreversible. The result is much smaller than that of the original input to the function and are comparatively faster (unlike in using cipher techniques). A good hash function will never result give the same result for two distinct inputs; even if a bit is changed the whole hash value changes (avalanche effect). I mentioned that hash functions are faster compared to ciphers. But they shouldn't be able to compute too quickly either, which may result in the function being labeled as brittle. These attributes of hash functions allows them to be used in multitude of real-world use cases like,
  • Integrity protection in messages and software 
  • Hashing the certificate in HTTPS
  • Digital signature
  • Creating database indexes
https://cdn.auth0.com/blog/hashing-one-way-road-to-security/hash-flow.png

Types of Hash Functions

There are several types of hash functions available for each of the scenarios mentioned above and some, designed with different concepts and goals in mind. There are 2 main families of hash functions Cryptographic and Non-cryptographic.
Cryptographic hash functions have several properties including but not limited to,
  1. Deterministic - same input outputs same digest
  2. Quick - quick to calculate
  3. One-way function - cannot "de-hash" and retrieve the input
  4. Avalanche effect - even a small change results in complete change to the digest
  5. Collision resistant - two different inputs cannot yield the same output
  6. Pre-image attack resistant - should resist attack attacks in its pre-image
Contrarily, non-cryptographic hash functions trades-off security features to an extend in exchange for improvements in performance. Non-cryptos try to only avoid collisions for "non-malicious" inputs.
  • Cryptographic
    • Keyed
      • Requires the digest as well as a key for calculating the result
      • HMAC, One-key MAC, BLAKE2
    • Unkeyed
      • Requires to produce only the hashed value/digest
      • MD5, SHA256
    • Checksum
      • Detecting errors that might have been introduced in data exchange.
      • Sum, Mod-10
    • Cyclic Redundancy Checks 
      • Error-detecting code used in identify changes to raw data. Similar to checksum.
      • CRC-16, CRC-32
  • Non-Cryptographic
      • Pearson, Java hashCode, MurmurHash 

Breaking Hash

As I've previously mentioned, a good cryptographic hash function should not yield the same output for two distinct inputs. If a hash function produces the same value for different inputs a.k.a "Hash Collision", the function is not longer "secure" and will be demoted from being a cryptographic hash function to non-cryptographic hash function.

Why does this happen?

The reason is the pigeon-hole principle, which is a mathematical principle that states that when n number of items is put into m containers where n > m, it is unavoidable that at least one container must contain more than one item. In the information security world, cryptographic hash functions can produce only a certain set of values based on the number of bits it can output, which might result in two inputs ending up with the same output. For example, SHA1 can produce only outputs of length 160 bits and MD5 with only 128 bits. These two hash functions are now considered "broken" because they are proven to produce the same output for distinct inputs in at least one case.
https://steemitimages.com/DQmevFVotrr7YHgr6XCwPFy1h7NxE69VmtktMAhKRFSovD5/image.png
http://shattered.io/static/infographic-small.png
Shattered.io has conducted experiments, broken SHA1. In their site, it is shown that two distinct PDF files (one with a blue background and the other with red) have produced the same sum. Even though this act has demoted it from being cryptographically secure, that does not mean all your implementations using SHA1 are broken. This simply means that it could very rarely be used to send something malicious but the probability is like a scenario where a 2 people in Colombo might have the same hair count. Nothing serious, but better to be cautious and switch to the SHA2 family (SHA256, SHA512). But the "broken functions" still maybe used in cases like file authenticity verification, or file transmissions.

http://shattered.io/static/shattered.png

Ways of Breaking a Hash Function

Cryptographers have come up with three different kinds of possible attacks on hash functions. 
  1. Collision attack - finding two different inputs B1 and B2 where hash(B1) = hash(B2)
  2. Pre-image attack - given a digest H, find any value V where H = hash(V)
  3. Second pre-image attack - given one input B1, find any other value B2 where hash(B1) = hash(B2)
To overcome your security concerns of someone breaking the hash functions you're currently using, always opt-in for newer revised cryptographic hash functions that are resistant to the above mentioned three attacks; using newer hash functions like SHA3, BLAKE, Skein, and etc.

The aforementioned attacks can be seen as ways of cracking hash functions. But malicious entities in most cases would want to crack passwords where one could opt for using,
  • Rainbow tables - using pre-computed tables for reversing the values of the input for a hash function by using more space for storing the table
  • Brute-force attacks - calculate hashes for all possible inputs in real-time by using more computational power
which is a classic example of the space-time trade-off. The simplest precaution that can be taken overcome these attacks is to use "Salted Hashing", which I have mentioned in my previous post. If the salt is long and random enough, your hashing is strong.

Comments

Post a Comment

Popular posts from this blog

Robotic Process Automation a.k.a RPA

Image
Robotic Process Automation also known as RPA in the community is a new Technology on the rise, which uses so called "Bots" to get mundane (or sometimes heavy logical) tasks done, (with) or without any Human Intervention.  Many industry giants are on the verge of breakthrough and some have already achieved the targeted technology namely Accello (by Virtusa Polaris), Blue Prism and Accenture. Software Robots  A software 'robot' is a software application that replicates the actions of a human being interacting with the user interface of a computer system. For example, the execution of data entry into a SAP system - or indeed a full end-to-end business process - would be a typical activity for a software robot. The software robot operates on the  user interface  (UI) in the same way that a human would; this is a significant departure from traditional forms of IT integration which have historically been based on  Application Programming Interfaces  (
Read more

What the Hash. A Simple Guide to Hashing

Image
What is Hashing Hashing, plainly put is using hardcore mathematics to increase security on some "message". Hashing is a procedure that takes a variable length value as input and spits out a fixed length hashed value as output, also known as a hash, digest or thumbprint depending on the scenario the hashing is used in. This procedure is irreversible in a more general sense, but we can use some special procedures to understand the input value (more on that later). And most importantly, no two different inputs can produce the same output. The image below gives you a quick look at what I just blabbered. Why Hashing Now let's look at a practical example. Imagine a user registration and login scenario.  User enters his/her new credentials and clicks register which posts this username and password to the server. Server grabs the password and sends it through a hash function ( SHA256 in this case) and gets the hashed password in return. Server then stores th
Read more