fyp1 presentation

A Study of Salting Method for Image Protection AHMAD FAEEZ LUKMAN 51262111325 Bachelor of Engineering Technology in Data Communications Advisor : Miss Siti Hajar Ab Aziz (SHAA)

Upload: faeezfez

Post on 01-Sep-2014


Page 1: FYP1 Presentation

A Study of Salting Method for Image Protection

AHMAD FAEEZ LUKMAN

51262111325

Bachelor of Engineering Technology in Data Communications

Advisor : Miss Siti Hajar Ab Aziz (SHAA)

Page 2: FYP1 Presentation

#Introduction

Password Protection - to ensure sensitive information is protected at all times from any kinds of attacks and breaches.

Other than passwords, other important data that needs to be protected over the internet are templates. This includes any images and biometrics (fingerprints, face, iris, voice).

Cryptography – a science of converting a plain text from a readable state into secret coding by using certain algorithms.

Page 3: FYP1 Presentation

Hash Functions - most common algorithms used to encrypt passwords.

- A fixed-length hash value is computed based on the plaintext, and the process is a one-way function.

Salt - covers up weaknesses produced by the hashes.

- Consists of random bits that are added on to the original plaintext, making it long enough before being converted into a hash.

Page 4: FYP1 Presentation

#Literature Review

In the journal article Biometric Template Security (January 2008), authors Anil K. Jain, Karthik Nandakumar and Abhishek Nagar state that images or templates will be protected on both the encryption and decryption sides based on key matching and the correct filename, and that the security of the salting technique actually rests on the confidentiality of the password.

The author of the website Martijn’s C# Programming Blog, in a post titled Creating Salted Hash Passwords in C#, mentions that the salting technique requires hackers to re-calculate the dictionary for each user password, thus greatly increasing the attack time.

Page 5: FYP1 Presentation

#Problem Statement

Images that are not securely kept in a server’s database can easily be captured by hackers and are subject to manipulation.

Images are usually encrypted with unsalted passwords, which are highly vulnerable to a hacker’s attack (recent event – LinkedIn website hacked).

This project aims to implement the salting method in passwords that secure images kept in a database.

Page 6: FYP1 Presentation

#Methodology

Flowchart: START → RESEARCH AND LEARNING PROCESS → CREATING SALT AND HASH ALGORITHMS → IMPLEMENTATION OF ALGORITHMS IN MATLAB GUI → IS ENCRYPTION AND DECRYPTION SUCCESSFUL? (YES / NO) → PERFORMANCE EVALUATION : PERFORM A DEMO ATTACK → IS ATTACK SUCCESSFUL? (YES / NO) → PRODUCING FINAL REPORT → END

Page 7: FYP1 Presentation

1. User uploads image and “locks” image with password

2. Salt is applied on password by the server

3. Password+Salt converted into hash value

4. Hash value stored in server database

5. User inserts password to login

6. Password inserted is salted and hashed again, and compared with stored hash value

7. User can login and retrieve image

Password : "hello"

"hello" + "QxLUF1bgIAdeQX"

hash("hello" + "QxLUF1bgIAdeQX") = 9e209040c863f84a31e719795b2577523954739fe5ed3b58a75cff2127075ed1

Page 8: FYP1 Presentation

Expected Result :

Encryption : User inserts image and sets plain password

Decryption : User types in password, and the image inserted earlier should be displayed

Attack : Attack should not be successful to gain password hashes from database

| Password | Salt | Hash (Password+Salt) |
|---|---|---|
| hello | (none) | 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824 |
| hello | QxLUF1bgIAdeQX | 9e209040c863f84a31e719795b2577523954739fe5ed3b58a75cff2127075ed1 |
| hello | bv5PehSMfV11Cd | d1d3ec2e6f20fd420d50e2642992841d8338a314b8ea157c9e18477aaef226ab |
| hello | YYLmfY6IehjZMQ | a49670c3c18b9e079b9cfaf51634f563dc8ae3070db2c4a8544305df1b60f007 |

Example of salting and hashing
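The register/login flow from the methodology slide and the effect shown in the table above, as an added Python example that is not part of the original slides: the same password stored with a per-user random salt no longer matches a precomputed table of unsalted hashes. SHA-256 is an assumption (the unsalted row of the table equals SHA-256 of "hello"); the function names, user names and word list are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: SHA-256 over password+salt. Production systems would use a slow
# KDF (e.g. hashlib.pbkdf2_hmac) instead of one fast hash.
def salted_hash(password: str, salt: str) -> str:
    return hashlib.sha256((password + salt).encode("utf-8")).hexdigest()

def register(db: dict, user: str, password: str) -> None:
    """Server side: pick a fresh random salt, store salt and hash only."""
    salt = secrets.token_urlsafe(12)
    db[user] = {"salt": salt, "hash": salted_hash(password, salt)}

def verify(db: dict, user: str, attempt: str) -> bool:
    """Login: re-salt and re-hash the attempt, compare in constant time."""
    record = db.get(user)
    if record is None:
        return False
    return hmac.compare_digest(salted_hash(attempt, record["salt"]), record["hash"])

def build_lookup_table(wordlist):
    """Precomputed table of unsalted hashes, hash -> password."""
    return {salted_hash(word, ""): word for word in wordlist}

def lookup_hits(table, stored_hashes):
    """Passwords recovered by a plain table lookup of stored hashes."""
    return [table[h] for h in stored_hashes if h in table]

def demo() -> dict:
    users = ("alice", "bob")                      # constructed sample users
    table = build_lookup_table(["123456", "password", "hello"])  # constructed
    unsalted_db = {u: salted_hash("hello", "") for u in users}
    salted_db: dict = {}
    for u in users:
        register(salted_db, u, "hello")
    salted_hashes = [r["hash"] for r in salted_db.values()]
    return {
        "unsalted_hits": lookup_hits(table, unsalted_db.values()),
        "salted_hits": lookup_hits(table, salted_hashes),
        "salted_hashes_differ": len(set(salted_hashes)) == len(users),
        "login_ok": verify(salted_db, "alice", "hello"),
        "login_wrong_password": verify(salted_db, "alice", "Hello"),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```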

Page 9: FYP1 Presentation

#Gantt Chart

Page 10: FYP1 Presentation

Week columns: Wk 1-2, Wk2-7, Wk8, Wk9, Wk10, Wk11-13, Wk14, Wk15-20, Wk21-23, Wk24-26, Wk27-31, Wk32-36, Wk37, Wk38-39, Wk40

Activities:

Identifying topic of research

Gathering resources

Change of project title

Identifying new project / research

Preparation for proposal

Presentation Week

Proposal Submission

Extended Research

Install / Learn Matlab GUI

Developing Salt / Hash Algorithms

Implementation and troubleshoot

Perform attack and troubleshoot

Report Submission

Page 11: FYP1 Presentation

#Conclusion

At this stage, I have learned through research and findings that using the salting method on a password can add an extra layer of security to the password and everything connected to it (images, personal information, sensitive information, etc.).

The salting method is not 100% safe or uncrackable, but the hacker will for sure need much more time and cost to brute-force every single password in a database one by one, instead of pre-building a lookup table beforehand.

The next part of the project will be further research, learning and implementing image protection using the salting method in MATLAB GUI, along with a demo password attack. The user-friendly GUI should enable users to enter a password to protect an image, and later enter the same password to retrieve the image.

Page 12: FYP1 Presentation

#Reference

1. Jain, A. K., Nandakumar, K., & Nagar, A. (2008). Biometric Template Security. EURASIP Journal on Advances in Signal Processing, Special Issue on Biometrics.

2. Ke, Y., Sukthankar, R., & Huston, L. (2003). Efficient Near-duplicate Detection and Sub-image Retrieval. Intel.

3. Creating Salted Hash Password in C#. (2008, December). Retrieved from http://www.dijksterhuis.org/creating-salted-hash-values-in-c/

4. Kessler, G. C. (2012, July 17). An Overview of Cryptography. Retrieved from http://www.garykessler.net/library/crypto.html#hash

5. Ferguson, N. & Schneier, B. (2003). Practical Cryptography. Wiley Publishing Inc.

6. Ullrich, J. (2011, June 28). Hashing Passwords. Retrieved from http://www.dshield.org/diary.html?storyid=11110

7. Creating Salted Hash Passwords in C#. (2008, December 9). Retrieved from http://www.dijksterhuis.org/creating-salted-hash-values-in-c/

Page 13: FYP1 Presentation

Thank You.