Time
10 hours 28 minutes
Difficulty
Advanced
CEU/CPE
15

Video Description

This lesson covers hashing; specifically:

  • Hash functions
  • Passwords, credit cards, PII
  • Digital forensics
  • Malware analysis and virus protection
  • Hash collisions
  • MAC
  • HMAC

It is important to remember that a hash on its own is about integrity only: it has no key, so it provides no authenticity, and an attacker who alters a message can simply recompute the hash. An unkeyed hash therefore detects accidental changes (corruption) but not deliberate ones. A MAC adds a shared symmetric key, which lets the receiver detect both accidental and intentional changes, and only a digital signature, backed by a private key and a PKI, adds true non-repudiation.
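To make that distinction concrete, the following is an added Python example (not code from the lesson): the same forged document passes an unkeyed SHA-256 check as soon as the attacker recomputes the hash, but fails HMAC-SHA256 verification because the attacker does not hold the shared key. The MAC key is derived from a shared password with PBKDF2, one of the ways the lesson says a MAC key might be obtained; the two messages, the password "sunshine", the salt and the attacker's guessed password are all constructed for this example.

```python
import hashlib
import hmac

# Constructed sample messages for the example (not from the lesson's slides).
ORIGINAL = b"We split the profits of the organization 50/50."
FORGED = b"Kelly gets everything."


def derive_key(password: bytes, salt: bytes, iterations: int = 200_000) -> bytes:
    """Derive a symmetric MAC key from a password both parties know
    (PBKDF2-HMAC-SHA256). The salt is assumed to be shared with the
    message; it does not need to be secret, the password does."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def plain_hash(message: bytes) -> str:
    """Unkeyed SHA-256. Anyone, including an attacker, can recompute this."""
    return hashlib.sha256(message).hexdigest()


def mac_tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA256 over the message. HMAC is a nested construction,
    not a bare SHA-256 of key||message, so it is not open to
    length-extension forgery the way a naive concatenation would be."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_plain_hash(message: bytes, tag: str) -> bool:
    return hmac.compare_digest(plain_hash(message), tag)


def verify_mac(key: bytes, message: bytes, tag: str) -> bool:
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(mac_tag(key, message), tag)


def tamper_scenario(key: bytes) -> dict:
    """The sender transmits ORIGINAL with both a plain hash and an HMAC.
    An attacker who can rewrite the message in transit swaps in FORGED
    and recomputes whatever tag they are able to."""
    sent_hash = plain_hash(ORIGINAL)
    sent_mac = mac_tag(key, ORIGINAL)

    # Attacker rewrites the body and recomputes the unkeyed hash: trivial.
    attacker_hash = plain_hash(FORGED)
    # Attacker does not hold the key; the best they can do is tag the
    # forgery under a guessed password (constructed guess for the example).
    attacker_mac = mac_tag(derive_key(b"password123", b"demo-salt"), FORGED)

    return {
        # Receiver checking only the hash: forgery is accepted.
        "hash_accepts_forgery": verify_plain_hash(FORGED, attacker_hash),
        # Receiver checking the MAC: genuine message accepted ...
        "mac_accepts_original": verify_mac(key, ORIGINAL, sent_mac),
        # ... forgery under a wrong key rejected ...
        "mac_accepts_forgery": verify_mac(key, FORGED, attacker_mac),
        # ... and a modified body under the old, valid tag rejected too.
        "mac_accepts_forged_body_with_old_tag": verify_mac(key, FORGED, sent_mac),
    }


if __name__ == "__main__":
    shared_key = derive_key(b"sunshine", b"demo-salt")
    for check, outcome in tamper_scenario(shared_key).items():
        print(f"{check}: {outcome}")
```

The unused `sent_hash` shows the point of the lesson: the receiver never needs to consult it, because the attacker's recomputed hash is just as valid. The MAC only detects tampering as long as the key stays secret; if the attacker learns the password, they can produce a valid tag, and because both parties hold the same key, neither can prove to a third party which of them produced a given tag, which is why a MAC never gives non-repudiation.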

Video Transcription

00:04
Okay, so we just talked about a public key and how that's really what gives us the assurance in SSL or TLS that we're talking to the legitimate banking service: we have their legitimate public key. It provided authenticity to the picture,
00:22
but the problem with that is a PKI takes a lot of effort, a lot of time, and in some instances a lot of money
00:30
to set up and maintain.
00:32
So
00:34
one of the things that we talk about is a hash and how that's different from a digital signature, and then a MAC in the middle. So let's go over here and talk about what we know about a hash.
00:46
If you'll remember, the hash was where we had
00:49
"Hello" and the number 52 representing it. And again, this was just a very basic idea of what a hash does. But if you'll recall, two parties who want to guarantee integrity will agree upon an algorithm. You'll perform
01:04
the algorithm on your end, I'll perform the algorithm on my end. I'll send you the message, you perform the algorithm.
01:10
If we get the same value, we can assume the message hasn't been modified,
01:14
and that's true to a degree. But here's the problem with hashing.
01:18
If someone had intercepted this message and had malicious intent and they wanted to modify it,
01:26
they simply rehash the document, just like I did,
01:30
because there's nothing about a hash that gives me authenticity.
01:34
There's nothing about a hash that says, "Oh, Kelly Handerhan produced that hash at this time."
01:40
A hash is just integrity.
01:42
So no authenticity. And any time
01:47
you don't have authenticity, you're not gonna get
01:49
any meaningful guarantee
01:53
that it's legitimate. So what a hash is really only good for is detecting accidental changes.
02:01
And usually when we talk about that, we're talking about corruption. Now, if you'll remember, we said we'll take that a step further.
02:09
Let the sender of the message encrypt that hash with the sender's private key.
02:16
And then we get authenticity, and that's true. We get our digital signature over here. And because the digital signature adds authentication,
02:25
we already had integrity.
02:29
Well, now it's true non-repudiation, and it protects
02:34
against accidental or intentional changes.
02:38
And that's great.
02:40
But a
02:42
digital signature
02:44
requires
02:46
that we have an infrastructure to support
02:47
PKI.
02:50
And like I said, that's a lot of overhead. Maybe I've got 16 people in my company. I can't really justify setting up a public key infrastructure,
02:59
but I need a little bit more than a hash,
03:01
but I want to avoid the expense and effort of PKI.
03:06
So what we have: we have a hash on one end of the spectrum, a digital signature on the other,
03:10
and something called a MAC
03:14
in the middle.
03:15
The big thing about MACs: we're only gonna talk about HMAC.
03:21
MACs exist in general terms. There's also something called a CBC-MAC. It's beyond the scope of this test; we'll just talk about HMAC.
03:29
But what a Mac does
03:31
is it takes a message plus a symmetric key,
03:37
a pre-agreed-upon symmetric key.
03:39
Now, how did I get that key to the destination? I don't know.
03:44
Maybe it's a derivative of a password you and I both know,
03:47
maybe there's been some form of key exchange. Whatever, we distributed the key. So the message plus a symmetric
03:57
key, plus a hashing algorithm.
04:00
So we take the message, we concatenate it with the key.
04:04
We put it through a hashing algorithm,
04:08
and what comes out is a message authentication code.
04:14
Why is that better than a hash? That symmetric key gives me a reasonable assurance of the source of the message. You and I have agreed on that symmetric key, which, like I said, very well may be based off a password, and you could only generate that symmetric key if you know the correct password.
04:31
Only you know the password. If you generated the right symmetric key, I think it's a reasonable assumption the message comes from you.
04:39
Because it goes through hashing as well, I get the assurance that the message hasn't changed.
04:45
That's pretty close to a digital signature, but it's not a digital signature. Why?
04:50
Because you will never get true non-repudiation with symmetric cryptography.
04:56
To get true non-repudiation,
04:58
you need something bound to a single entity,
05:02
and that's the private key,
05:05
so this is pretty good.
05:06
And it does protect me against accidental or intentional changes. Now, it isn't as good as a PKI digital signature, but it's certainly on this end of the spectrum.
05:18
So we said hashes
05:21
protect against accidental modification,
05:25
MACs against intentional or accidental, and digital signatures the same as well. The big difference is the only one that gives me true non-repudiation is digital signatures.
05:39
Now, I wanted to get that idea out of the way because MACs, HMACs, digital signatures, all those ideas are important. I'll talk about a couple of other ideas with hashes as well, because hashes are one-way. And remember, hashes are always one-way.
05:59
Well, you'll really hear them called one-way encryption. Because of the one-wayness, hashes are often used to store passwords, credit card information, personally identifiable information. The idea is that we can perform some math in such a way that it's very difficult to reverse.
06:17
So we all know about password hashes,
06:20
and there have been many different password hashes around. Like, Microsoft used one called LAN Manager. This is a hashing algorithm within Windows that was atrocious early on. Then they had NTLM, and NTLM version 2. SHA-1 is used to protect passwords. The problem with that is SHA-1 has been broken.
06:41
"It's broken" doesn't mean that we have to drop it right then and there and never use it again, because usually, you know, the bottom line is anything that's encrypted will be broken; it's just a matter of time and work factor.
06:56
But once an algorithm does get broken,
06:59
that's our signal that we'd better aggressively think about doing something different, which is why SHA-256 is out.
07:06
That's kind of the successor to SHA-1. But anyway, the idea is hashing algorithms get broken just like anything else.
07:15
It's just a matter of time
07:17
When we're looking to break,
07:19
when I want to break a hashing algorithm, what we're really looking to do is to cause a collision,
07:27
and a collision is when two
07:30
different pieces of text
07:31
produce the same hash.
07:33
We've created
07:38
two pieces of text. You know, when a document changes, the hash should change.
07:45
So if we have that happen, let's say, for instance, you and I have a contract. And that contract says that we'll split the profits of our organization 50/50.
07:56
All right, we both sign the document and hash it so that we know if it's been changed.
08:00
Well, if I get in there and I change the document to say Kelly gets everything,
08:05
the hash on the document better shape.
08:07
If it doesn't change, we have no integrity.
08:11
So different documents should always create different hashes.
08:15
But again,
08:16
collisions are possible just because of math: eventually, if you try enough, you will create a collision.
08:24
So we say about our hashes, we want our hashes to be collision resistant.
08:30
You don't really have collision-proof hashes, just like you don't have unbreakable encryption. What we want is to be at such a high work factor that it's not reasonable to expect somebody to cause a collision.
08:45
But let's say this. Let's say for a password, let's say that you entered the password "sunshine"
08:52
and it produced a hash, J75.
08:56
I don't know your password.
09:01
You know what? I don't care about your password.
09:03
What I want to do is figure out something that will generate this hash.
09:09
And if I can cause a collision, if I can use one of these applications to try letter combinations again and again and again, and I stumble across
09:22
some totally unrelated word or phrase that produces
09:30
the same hash,
09:31
I don't care that I can't see your password. I can now use this
09:37
to breach the hash, and it's the hash that opens up the resources for me anyway.

Instructed By

Kelly Handerhan
Senior Instructor