One-way encryption: Difference between revisions

Revision as of 13:13, 22 February 2021

Main Article

Discussion

Related Articles ^[?]

Bibliography ^[?]

External Links ^[?]

Citable Version ^[?]

This editable Main Article is under development and subject to a disclaimer.

[edit intro]

For more information, see: cryptography.

Storing a new password

Authenticating via an existing password

When passwords are stored on a computer, it is essential that they be kept secret. To do so, programmers apply one-way encryption to a password before storing it on disk. When a user later enters their password to authenticate with the site, the plain-text password typed by the user gets re-hashed and then compared to the stored, encrypted string.

The password is always scrambled via a hash digest function, where the result for every string is always a fixed-size, large integer. An example of a hash digest is SHA-1, which dates from 1994; the SHA-1 algorithm takes a string as input and always outputs a 160-bit number (20 bytes of storage). Because 48 decimal digits would be required to express this number, but it is usually displayed to humans as a 28-character, base-64 encoded string. Here are some examples:

Hello World   z7R8yBtZz0+eqead7UEYzPvVFjw=
VB            L1SHP0uzuGbMUpT4z0zlAdEzfPE=
vb            eOcnhoZRmuoC/Ed5iRrW7IxlCDw=
Vb            e3PaiF6tMmhPGUfGg1nrfdV3I+I=
vB            gzt6my3YIrzJiTiucvqBTgM6LtM=

In the examples above, even very similar strings produce quite different hash digests; the resultant hash string does not give any hint about the length of source string, or its starting character, or anything else about it. SHA-1 is useful because it produces collision-free results. Below is C# (v2.0) code for producing an SHA-1 hash digest from a string:

Byte[] bytSource; // byte array for plain text string Byte[] bytHash; // byte array for cipher string
System.Text.UnicodeEncoding uEncode = new System.Text.UnicodeEncoding();
System.Security.Cryptography.SHA1CryptoServiceProvider sha1 = new System.Security.Cryptography.SHA1CryptoServiceProvider();
// fill byte array with Unicode chars from plain text source string bytSource = uEncode.GetBytes(strSource);
// encrypt the source byte array into the result array bytHash = sha1.ComputeHash(bytSource);
// return a displayable base64-encoded string return Convert.ToBase64String(bytHash);

Because hash digests are unique signatures, they can be used to verify that a file has not changed. The hash digest of a file can be taken before transmitting it and appended to the file transmission, and the receiving computer can also hash the file, compare its computed hash with the transmitted hash, and if they are identical, presume that the file was not corrupted by noise or tampering on the transmission channel.

Use of one-way encryption for password storage and authentication

When implementing password security, it is best to use a tried and true software library which has already been developed and debugged, because the process of handling passwords is a little more complicated than merely creating a hash digest of a password. It turns out, that to minimize the likelihood of a dictionary attack on a password, it is necessary to salt the password by either prepending or appending a unique, randomly created string to it before it hashing and storage (new password) or hashing and comparison (existing password). There is a very good tutorial on salting passwords in the OAuth blog ("Adding Salt to Hashing: A Better Way to Store Passwords"^[1]).

Use of one-way encryption for verification of file integrity

References

↑ OAuth blog: Adding Salt to Hashing: A Better Way to Store Passwords, last access 10/8/2020

[1] OAuth blog: Adding Salt to Hashing: A Better Way to Store Passwords, last access 10/8/2020

[1]

@@ Line 3: / Line 3: @@
 {{Image|Password_creation.jpg|right|450px|Storing a new password}}
 {{Image|password_authentication.jpg|right|450px|Authenticating via an existing password}}
-When passwords are stored on a computer, it is essential that they be kept secret.  To do so, programmers apply '''one-way encryption''' to a password before storing it on disk. When a user later enters their password to authenticate with the site, the entered password gets re-hashed and then compared to the stored, encrypted string.  It is not quite this simple, but that is the basic framework of what happens.
+When passwords are stored on a computer, it is essential that they be kept secret.  To do so, programmers apply '''one-way encryption''' to a password before storing it on disk. When a user later enters their password to authenticate with the site, the plain-text password typed by the user gets re-hashed and then compared to the stored, encrypted string.
-The password gets encrypted via a [[Hash digest|Hash digest]], where the result of "hashing" any string is always a fixed-size number (which can also be written as a large string of characters).  An example of a hash digest is SHA-1, which dates from 1994.  The SHA-1 [[Algorithm|Algorithm]] takes a string as input and always outputs a 160-bit number (20 bytes of storage).  48 decimal digits would be required to express this number, but it is usually displayed to humans as a 28-character, [[Base-64 encoded string|Base-64 encoded string]].  Here are some examples:
+The password is always scrambled via a [[Hash digest|hash digest]] function, where the result for every string is always a fixed-size, large integer.   An example of a hash digest is SHA-1, which dates from 1994; the SHA-1 [[Algorithm|algorithm]] takes a string as input and always outputs a 160-bit number (20 bytes of storage).  Because 48 decimal digits would be required to express this number, but it is usually displayed to humans as a 28-character, [[Base-64 encoded string|base-64 encoded string]].  Here are some examples:
   Hello World   z7R8yBtZz0+eqead7UEYzPvVFjw=
@@ Line 13: / Line 13: @@
   vB            gzt6my3YIrzJiTiucvqBTgM6LtM=
-In the examples above, note that even very similar strings have quite different hash digests; the hash doesn’t tell us the length of source string, or its starting character, or anything else about it.  SHA-1 is useful because it produces collision-free results.  Below is C# (v2.0) code for producing an SHA-1 hash digest from a string:
+In the examples above, even very similar strings produce quite different hash digests; the resultant hash string does not give any hint about the length of source string, or its starting character, or anything else about it.  SHA-1 is useful because it produces collision-free results.  Below is C# (v2.0) code for producing an SHA-1 hash digest from a string:
+<blockquote>
   Byte[] bytSource; // byte array for plain text string
   Byte[] bytHash;   // byte array for cipher string
@@ Line 31: / Line 32: @@
   // return a displayable base64-encoded string
   return Convert.ToBase64String(bytHash);
+</blockquote>
-Hash digests are unique signatures and can be used to verify that a file has not changed.  For example, the hash digest of an XML file can be sent (along with the XML file) to verify that the file wasn’t corrupted during transmission.
+Because hash digests are unique signatures, they can be used to verify that a file has not changed.  The hash digest of a file can be taken before transmitting it and appended to the file transmission, and the receiving computer can also hash the file, compare its computed hash with the transmitted hash, and if they are identical, presume that the file was not corrupted by noise or tampering on the transmission channel.
 ==Use of one-way encryption for password storage and authentication==

One-way encryption: Difference between revisions

Revision as of 13:13, 22 February 2021

Use of one-way encryption for password storage and authentication

Use of one-way encryption for verification of file integrity

References

Navigation menu

Search