password encryption seminar presentation

8/8/2019 Password Encryption Seminar Presentation

http://slidepdf.com/reader/full/password-encryption-seminar-presentation 1/21

PASSWORD ENCRYPTION

SUBMITTED BY:

SHOBHIT GHAI

CSE 2

0461502707



TOPICS COVERED

INTRODUCTION

STORAGE TECHNIQUE

PLAIN TEXT

BRUTE FORCE AND DICTIONARY ATTACK

HASH FUNCTION

MD5 (MESSAGE DIGEST)

SHA (SECURED HASH ALGO)

SELF MADE ALGO

TRICK TO FIND HOW SECURE IS ANY SITE



Introduction

A password is a secret word or string of characters that is used for

authentication, to prove identity or gain access to a resource (example: an

access code is a type of password). The password should be kept secret fromthose not allowed access.

Despite the name, there is no need for passwords to be actual words; indeed

passwords which are not actual words may be harder to guess, a desirable

property. Some passwords are formed from multiple words and may more

accurately be called a passphrase.

The term passcode is sometimes used when the secret information is purely

numeric, such as the personal identification number (PIN) commonly used for

ATM access.



STORAGE TECHNIQUES

Some computer systems store user passwords as cleartext. If an attacker gains

access to such an internal password store, all passwords²and so all user

accounts²will be compromised. More secure systems store each password in a cryptographically protected

form, so access to the actual password will still be difficult for a snooper who

gains internal access to the system.

A common approach stores only a "hashed" form of the plaintext password.

When a user types in a password on such a system, the password handling

software runs through a cryptographic hash algorithm, and if the hash value

generated from the user's entry matches the hash stored in the password

database, the user is permitted access.

PLAIN TEXT

HASH ALGORITHMS

SELF MADE ALGORITHMS



PLAIN TEXT

The simplest approach to manage user names and passwords is

to store everything in plaintext (no encryption or scrambling) in a

file or database. The result would be something like this:

Username Password

Manpreet qwertyuiop

khushagra changpang

Nitish nitish123



ADVANTAGE:

Authenticating (checking that the username and password pair matches thepair in the table) is very simple ± just compare the strings.

Forgotten passwords can be retrieved ± the password is easily accessible,given the user name.

DISADVANTAGE: First, anyone with access to the file gains immediate access to all passwords!

An employee with legitimate access to the file might print the file or email outthe information, and Voila! all the passwords are compromised.

The second problem is that during the authentication exchange, the passwordis visible on the network. Unless secure communication is used throughout, thepassword can be seen while traveling on the network.

Highly prone to brute force and dictionary attack.



Brute Force And Dictionary attack

BRUTE FORCE:

It involves systematically checking all possible combination of

alphabets until the correct password is found. In the worst case, thiswould involve traversing the entire search space.

In the case of an offline attack where the attacker has access to the

encrypted material, he can try alphabets and numerical combinations

at his leisure until the code is broken.

DICTIONARY ATTACK:

It involve successively trying all those words from the words dictionary

that have more chances of being chosen as a password.

This type of attack also involve gathering of important information

related to the victim.



Hash Algorithms

A cryptogr aphic hash function is a deterministic

procedure that takes anarbitrary block of data andreturns a fixed-size bit string,the (cryptogr aphic) hash value, such that an accidentalor intentional change to thedata will change the hash

value. The data to be encodedis often called the "message",and the hash value issometimes called the messagedigest or simply digest.



A hash function must be able to process an arbitrary-length message

into a fixed-length output. This can be achieved by breaking the input

up into a series of equal-sized blocks, and operating on them insequence using a one-way compression function. The compression

function can either be specially designed for hashing or be built from a

block cipher.

The ideal cryptographic hash function has four main or significantproperties:

it is easy to compute the hash value for any given message,

it is infeasible to find a message that has a given hash,

it is infeasible to modify a message without changing its hash,

it is infeasible to find two different messages with the same hash.



Properties:

Preimage resistance

± Given a hash h it should be hard to find any message m such that

h=hash(m) . This concept is related to that of one-way function.Functions that lack this property are vulnerable to preimageattacks.

S econd preimage resistance

± Given an input m1 it should be hard to find its another modifiedinput m2 ² where m1!=m2 ² such that hash(m1) = hash(m2) .This property is sometimes referred to as w eak collision

resistance, and functions that lack this property are vulnerable tosecond preimage attacks.

C ollision resistance

± It should be hard to find two different messages m1 and m2 suchthat hash(m1)=hash(m2) . Such a pair is called a cryptographichash collision, a property which is sometimes referred to as strong collision resistance.



MD5 ALGORITHM

The main MD5(message digest 5)

algorithm oper ates on a 128-bit state,

divided into four 32-bit words,

denoted A, B, C and D. These areinitialized to certain fixed constants.



var int h0 var int h1

var int h2

var int h3

//Initialize hash value for this chunk:

var int a := h0 var int b := h1

var int c := h2 var int d := h3

//Main loop:

for i from 0 to 63 if 0 i 15 then

f := (b and c) or ((not b) and d)

g := i

else if 16 i 31 f := (d and b) or ((not d) and c) g := (5×i + 1) mod 16

else if 32 i 47

f := b xor c xor d g := (3×i + 5) mod 16

else if 48 i 63

f := c xor (b or (not d))

g := (7×i) mod 16

temp := d

d := c

c := b b := b + leftrotate((a + f + g)

a := temp

//Add this chunk's hash to result so f ar: h0 := h0 + a

h1 := h1 + b

h2 := h2 + c

h3 := h3 + d

var int digest := h0 append h1 append h2 append h3 //(expressed as little-endian)



MD5 Examples:

The 128-bit (16-byte) MD5 hashes (also ter med message digests) are typically

represented as a sequence of 32 hexadecimal digits.

MD5("The quick brown fox jumps over the lazy dog") =

9e107d9d372bb6826bd81d3542a419d6

Even a small change in the message will (with over whelming probability) result in a

mostly different hash, due to the avalanche effect

MD5("The quick brown fox jumps over the lazy dog.") =

e4d909c290d0fb1ca068ff addf22cbd0

The hash of the zero-length string is:

MD5("") = d41d8cd98f 00b204e9800998ecf8427e



FLAWS:

MD5 has been employed in a wide variety of security applications, and is also

commonly used to check the integrity of files. However, it has been shown that MD5

is not collision resistant as such, MD5 is not suitable for applications like SSL

certificates or digital signatures that rely on this property.

In 1996, a flaw was found with the design of MD5. While it was not a clearly f atal

weakness, cryptogr apher s began recommending the use of other algorithms, such

as SHA. In 2004, more serious flaws were discovered, making further use of the

algorithm for security pur poses questionable; specifically, a group of researcher s

described how to create a pair of files that share the same MD5 checksum .Further

advances were made in breaking MD5 in 2005, 2006, and 2007. In an attack on MD5published in December 2008, a group of researcher s used this technique to f ake SSL

certificate validity. US-CERT of the U. S. Department of Homeland Security said MD5

"should be considered cryptogr aphically broken and unsuitable for further use´



SHA-1 ALGORITHM

SHA-1 is a cryptogr aphic hash function designed by the NationalSecurity Agency (NSA) and publishedby the NIST as a U.S. Feder alInfor mation Processing Standard.SHA stands for Secure Hash Algorithm. The three SHA algorithms are structured differently and aredistinguished as SH A-0 , SH A-1, andSH A-2 . SHA-1 is very similar to SHA0,but corrects an error in the originalSHA hash specification that led tosignificant weaknesses. The SHA-0 algorithm was not adopted by manyapplications. SHA-2 on the other handsignificantly differ s from the SHA-1hash function.

SHA-1 is the most widely used of theexisting SHA hash functions, and is employed in sever al widely-usedsecurity applications and protocols.



Initialize hash value for this chunk:

a = h0

b = h1c = h2

d = h3e = h4

Main loop:

for i from 0 to 79if 0 i 19 then

f = (b and c) or ((not b) and d)k = 0x5A827999

else if 20 i 39f = b xor c xor d

k = 0x6ED9EBA1else if 40 i 59

f = (b and c) or (b and d) or (c and d)k = 0x8F1BBCDC

else if 60 i 79f = b xor c xor d

k = 0xCA62C1D6

temp = (a leftrotate 5) + f + e + ke = d

d = cc = b leftrotate 30

b = aa = temp

Add this chunk's hash to result so f ar:h0 = h0 + ah1 = h1 + b

h2 = h2 + c

h3 = h3 + d

h4 = h4 + e

Produce the final hash value (big-endian):digest = hash = h0 append h1 append h2 append h3 append h4



SHA 1 Examples:

SHA1("The quick brown fox jumps over the lazy dog") =

2fd4e1c6 7a2d28fc ed849ee1 bb76e739 1b93eb12

Even a small change in the message will, with overwhelming

probability, result in a completely different hash due to the avalanche

effect. For example, changing dog to cog produces a hash with

different values for 81 of the 160 bits:

SHA1("The quick brown fox jumps over the lazy cog") =

de9f2c7f d25e1b3a fad3e85a 0bd17d9b 100db4b3



Advantage:

Preimage attacks and collision attacks are not found in SHA. SHA is irrever sible i.e password can not be gener ated from the digest stored in

database. The digest produced by SHA is longer in length than the digest gener ated by MD5.

Widely used in secured application like SSL, SSH, IPsec, PGP etc.

Flaws:In 2005, security flaws were identified in SHA-1, namely that a mathematicalweakness might exist, indicating that a stronger hash function would be desir able.

Although no successful attacks have yet been reported on the SHA-2 variants, theyare algorithmically similar to SHA-1 and so efforts are under way to develop improved alternatives. A new hash standard, SHA-3, is currently under development ² an ongoing NIST hash function competition is scheduled to end with the selection of a winning function in 2012.



SELF MADE ALGO

Certain organizations are implementing self made algorithms for encrypting the passwords andother important documents in their database.

The main benefit of encrypting by self made algo is that even if hacker s succeed in finding flaws and vulner ability in other well known algorithms like md5 or SHA even then the data within theorganization will be safe as it was encrypted by other algorithms.

Lets take an example of this:

Suppose the password is shobhit

Now take ASCII value of individual alphabets of the password

s = 115 , h= 104, o= 111, b= 98, h= 104, i= 105, t= 116

Number of alphabets are 7

(115+104+111+98+104+105+116)/7 = 107.57142857142857142857142857143

Now this figure (digest) will be stored in the database along with the username, every time user enter

the password during login this whole procedure will be used for calculating the digest, the digestcalculated will be compared with the digest already stored in the database and if it matches thenthe user will be authorized to login.

THIS PROCEDURE WAS JUST TO EXPLAIN THE WORKING OF SELF MADE ALGO, PRACTICALLY THEALGO IS MUCHMORE COMPLEX THAN THIS.



T H ANK YOU

password encryption seminar presentation

Documents