Created Tuesday 22 February 2022
(and back?)
(Incidentally)
Source Code -> Binary
DELIBERATELY
Encryption and Hashing.
Encryption - Hard to turn back
Hashing - *Impossible* to turn back, more later
(wrote a dumb book)
Yep, even given all the NSA stuff. You have to be super careful
(all breaking you see is usually "backdoors"
not fundamentals)
The basic tools for encryption are mostly available to all…
...even if the social factors, companies, corporations, and governments aren’t down.
(remember, you gotta have it on BOTH SIDES)
Caesar Cipher. (yes, this really used to fool people)
DWWDFN WKH HDVW ZLQJ RI WKH IRUW DW WKUHH RQ WKXUVGDB..
attack the east wing of the fort at three on thursday
What about hiding the message ITSELF?
Shave a guy's head ... and wait?
Hiding the fact that the message (or payload) exists at all
Examples:
- fake personal ad to say something else
- having a safe but hiding valuables in a shoebox
- weird bits in a jpg
Languages, dialects, patois'...
CULTURAL ENCRYPTION.
CULTURAL AUTONOMY.
(ever heard of “code switching?”)
Steganography v. Encryption
Useful, but imperfect, esp online
Bad, because: Robots and radio
Why YES, you can have a copy.
OF JUNK! TOO BAD YOU CANT READ IT!
(This is Encryption)
ALICE needs to send a verifiable message to BOB
but CAROL is trying to listen in.
“This is a conversation between A and B so you can C your way out!”
CLEARTEXT - (should be obvious)
CIPHER - The system of encryption
CIPHERTEXT - the (hopefully not-understandable) gibberish generated
KEY - the arbitrary decoding or encoding "key/password-ish thing" - sometimes not both.
Secret METHOD
vs
Public METHOD, secret KEY
Security through obscurity* is generally a bad idea:
*The STRICT definition, meaning
"Relying on secrecy in implementation or design,
NOT in the key"
"Any person can invent a security system so clever that she or he can't think of how to break it."
Schneier's Law
(you can generalize this to a lot of things; e.g. Open Source, Auditing, etc)
(Or better yet, do, and throw it out. You'll learn something)
The bookstore strategy
OR
The One-Time Pad
but what if you CAN'T meet each other...
What, even for a computer, is VERY FAST in one direction..
..and IMPOSSIBLY SLOW in the other?
(remembering,
all computers do is math?
24
4 * 6
2 * 2 * 2 *3?
PRIME
One Way Strategies.
Invents this. "Hey, this is pretty good privacy!"
"Cool idea, no cap. Also, when the FBI kicks down your door, holla"
Gotta sign checks and credit cards!
Encryption and digital signatures are two sides of the same coin.
You need digital signatures to send money, so we also have encryption. (mostly)
Because wait: If it's just me and you, its like we just met.
But if it's
Amazon ,Buyer and Card thief..?
and we want to keep this on going.
If ALL THE SIGNALS ARE IN THE AIR
and MY COMPUTER or PHONE HAS TO SEE ALL OF THEM
I invite you to my house,
where I have COMPLETE CONTROL of my router.
I get you to buy something from Amazon for the first time ever
HOW DO I NOT STEAL YOUR CREDIT CARD?
I'm watching LITERALLY ALL OF THE TRAFFIC?
(pretend that you can't "unmix" colors. Milkshake)
When you lose your password, what does the website do?
Make you change it?
Or
Send you a copy of it.
THEY SUCK AT SECURITY.
Because they don't actually know it.
...kinda.
One way to do this:
1) Get their password
2) Save it on your computer
3) Then, encrypt it for safety.
The actual password
or
simply:
Proof that they typed in the same thing both times?
Remember: “encrypting” something always yields:
GIBBERISH
“MyPassword123” > ab18db351a3ed3849cca9839d98381ee6392eeb391baa39d766290082812d9eceab
Remember: “encrypting” something always yields:
UNIQUE GIBBERISH
“MyPassword123” > ab18db351a3ed3849cca9839d98381ee6392eeb391baa39d766290082812d9eceab
means that
”DifferentPassword456” ≠ab18db351a3ed3849cca9839d98381ee6392eeb391baa39d766290082812d9eceab
just the gibberish!
NOT
“MyPassword123” = “MyPassword123”
“ab18db351a3ed3849cca9839d98381ee6392eeb391baa39d766290082812d9eceab”
=
“ab18db351a3ed3849cca9839d98381ee6392eeb391baa39d766290082812d9eceab”?
And “MyPassword123” IS NOT ON THE SERVER
“ab18db351a3ed3849cca9839d98381ee6392eeb391baa39d766290082812d9eceab”
=
“ab18db351a3ed3849cca9839d98381ee6392eeb391baa39d766290082812d9eceab”?
“ab18db351a3”= “ab18db351a3”*
As long as
we use ALL the data in the original to get this number
And it’s STILL mathematically unliklely that two different passwords will yield the same short gibberish, we’re good to go.
(not exactly this)
Presumption: The network (or person) is imperfect. The bytes we receive may not always be the exact ones that were sent.
Also: The network or verification is “slow”
We need a shorter, but verifiable, version of the data.
Error checking/Checksumming.
One tiny change in the original still means BIG changes in the gibberish.
(MD5, which is fast, but not super-secure) is good for this)
Error Checking/Checksums
Password “Storage”
Bitcoin/Cryptocurrencies
They don't store your password (your secret ingredient)
They just store the entire milkshake....and calculate/mix it every time.
(don't use MD5, use something deliberately slow, like bcrypt)
Consider your mom’s _______ recipe?
(milkshake?)
Even if you don’t know the ingredients..
… you know when it’s WRONG :)
Horrible – storing the password
Better but still bad – storing the password hashed
Decent – storing “userid+password” hashed
Best – storing “userid+password+salt” hashed
Login: jmarks
password: g00dpassword
(salt): b00gab00ga
jmarks+g00dpassword+b00gab00ga
==HASHED==>
02f39aae85ad73e162b446e918597e89