Okay, so we just talked about a public key infrastructure and how that's really what gives us the assurance, in SSL or TLS, that we're talking to the legitimate banking service: we have their legitimate public key. It provided authenticity to the picture, but the problem with that is a PKI takes a lot of effort, a lot of time, and in some instances a lot of money to set up and maintain.
One of the things that we talk about is a hash, how that's different from a digital signature, and then a MAC in the middle. So let's go over here and talk about what we know about a hash.

If you'll remember, the hash was where we had "Hello" and the number 52 representing it. And again, this was just a very basic idea of what a hash does. But if you'll recall, two parties who want to guarantee integrity will agree on a hashing algorithm. I'll perform the algorithm on my end, I'll send you the message, and you perform the algorithm. If we get the same value, we can assume the message has not been modified, and that's true to a degree. But here's the problem with hashing. If someone had intercepted this message and had malicious intent and they wanted to modify it, they simply modify it and rehash the document. Why? Because there's nothing about a hash that gives me authenticity. There's nothing about a hash that says, "Oh, Kelly Handerhan produced that hash." A hash is just intended for integrity. So no authenticity, and any time you don't have authenticity, you're not going to get any real guarantee of integrity against malicious modification. So a hash is really only good for detecting accidental modification,
and usually when we talk about that, we're talking about corruption. Now, if you'll remember, we said we'd take that a step further: let the sender of the message encrypt that hash with the sender's private key, and then we get authenticity. And that's true; we get our digital signature over here. Because the digital signature adds authentication, and we already had integrity, well, now we also get non-repudiation. It protects against accidental or intentional changes, but it requires that we have an infrastructure to support it. And like I said, that's a lot of overhead. Maybe I've got 16 people in my company. I can't really justify setting up a public key infrastructure, but I need a little bit more than a hash, and I want to avoid the expense and effort of a PKI.
So what we have: we have a hash on one end of the spectrum, a digital signature on the other, and something called a MAC in the middle.

The big thing about a MAC (we're only going to talk about HMAC; MACs in general terms, and there's also something called a CBC-MAC, are beyond the scope of this test, so we'll talk about HMAC) is that it takes a message plus a symmetric key, a pre-agreed-upon symmetric key. Now, how did I get that key to the destination? I don't know. Maybe it's a derivative of a password you and I both know; maybe there's been some form of key exchange. However we distributed the key. So the MAC is the message, plus a symmetric key, plus a hashing algorithm. We take the message, we concatenate it with the key, we put it through a hashing algorithm, and what comes out is a message authentication code.

Why is that better than a hash? That symmetric key gives me a reasonable assurance of the source of the message. We've agreed on that symmetric key, which, like I said, very well may be based off a password, and you could only generate that symmetric key if you know the correct password. Only you know the password, so if you generated the right symmetric key, I think it's a reasonable assumption that the message comes from you. Plus, it goes through hashing, so I get the assumption that the message hasn't changed. That's pretty close to a digital signature, but it's not a digital signature. Why? Because you will never get true non-repudiation with symmetric cryptography. To get true non-repudiation, you need something bound to a single entity, and that's the private key. So this is pretty good, and it does protect me against accidental or intentional changes. Now, it isn't as good as a PKI digital signature, but it's certainly on this end of the spectrum.

Hashes: protection against accidental modification. MACs: against intentional or accidental modification. Digital signatures: the same. Well, the big difference is that the only one that gives me true non-repudiation is the digital signature.
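To make the three cases above concrete, here is an added example in Python (not from the lecture) using the standard library's hashlib and hmac; the message, the tampered text and the shared key are constructed values, and the "Kelly gets everything" contract change is the one discussed later in the talk:

```python
import hashlib
import hmac

# Constructed sample values for this example (hypothetical, not from the lecture).
MESSAGE = b"Split the profits of the organization 50/50"
TAMPERED = b"Kelly gets everything"
SHARED_KEY = b"pre-agreed symmetric key derived from a shared password"


def plain_hash(message: bytes) -> str:
    """Integrity only: anyone, including an interceptor, can recompute it."""
    return hashlib.sha256(message).hexdigest()


def verify_plain_hash(message: bytes, digest: str) -> bool:
    return hmac.compare_digest(plain_hash(message), digest)


def make_mac(message: bytes, key: bytes) -> str:
    """HMAC-SHA256: the tag depends on both the message and the shared key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_mac(message: bytes, tag: str, key: bytes) -> bool:
    return hmac.compare_digest(make_mac(message, key), tag)


def interceptor_rewrites_plain_hash() -> bool:
    """Sender hashes the message; an interceptor swaps the text and rehashes.
    Returns True when the receiver's integrity check still passes (it does)."""
    forged_digest = plain_hash(TAMPERED)  # no secret needed to recompute
    return verify_plain_hash(TAMPERED, forged_digest)


def interceptor_rewrites_mac(interceptor_key: bytes) -> bool:
    """Sender MACs with the shared key; the interceptor does not have it.
    Returns True only if a tag made with interceptor_key verifies under
    the real key, i.e. only if the interceptor actually knows the key."""
    forged_tag = make_mac(TAMPERED, interceptor_key)
    return verify_mac(TAMPERED, forged_tag, SHARED_KEY)


def receiver_can_forge() -> bool:
    """Why a MAC is not a digital signature: the receiver holds the same key,
    so the receiver can produce a valid tag too. No non-repudiation."""
    tag_from_receiver = make_mac(MESSAGE, SHARED_KEY)
    return verify_mac(MESSAGE, tag_from_receiver, SHARED_KEY)
```

Run the three functions in turn: the plain-hash check accepts the tampered contract, the HMAC check rejects it unless the interceptor has the shared key, and the receiver can mint a valid tag, which is exactly why only the private-key signature gives non-repudiation.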
Now, I wanted to get that idea out of the way because MACs, HMACs, digital signatures, all those ideas are important. I want to talk about a couple of other ideas with hashes as well, because hashes are one way. And remember, hashes are always one way. Well, you could really call them one-way encryption. Because of that one-way-ness, hashes are often used to store passwords, credit card information, personally identifiable information; the idea is that we can perform some math in such a way that it's very difficult to reverse.

So let's talk about password hashes, and there have been many different password hashes around. Like, if you use Windows, they used one called LAN Manager. This is a hashing algorithm within Windows that was atrocious early on. Then they had NTLM, then NTLM version 2. SHA-1 is used to protect passwords, but the problem with that is SHA-1 has been broken. Now, broken doesn't mean that we have to drop it right then and there and never use it again, because, you know, the bottom line is that anything that's encrypted or kept secret is just a matter of time and work factor. But once an algorithm gets broken, that's our signal that we'd better aggressively think about doing something different, which is why SHA-256 is out. That's kind of the successor to SHA-1. But anyway, the idea is that hashing algorithms get broken just like anything else. It's just a matter of time.
When we're looking to break a hashing algorithm, what we're really looking to do is cause a collision, and a collision is when two different pieces of text produce the same hash. You know, when a document changes, the hash should change. So let's say, for instance, you and I have a contract, and that contract says that we'll split the profits of our organization 50/50. All right, we both sign the document and hash it, so that we know it won't be changed. Well, if I get in there and I change the document to say "Kelly gets everything," the hash on the document had better change. If it doesn't change, we have no integrity. So different documents should always create different hashes.

Collisions are possible just because the math is such that eventually, if you try enough inputs, you will create a collision. So what we care about with our hashes is that we want them to be collision resistant. You don't really have collision-proof hashes, just like you don't have unbreakable encryption, but what we want is such a high work factor that it's not reasonable to expect somebody to cause a collision.
But let's say this. Let's say, for a password, that you entered the password "sunshine" and it produced a hash, J75. I don't know your password. You know what? I don't care about your password. What I want to do is let the software figure out something that will generate this hash. And if I can cause a collision, if I can use one of these applications to try letter combinations again and again and again and I stumble across some totally unrelated word or phrase that produces the same hash, I don't care that it isn't your password. I can now use this to reproduce the hash, and it's the hash that opens up the resources for me anyway.