Chapter 10 Flashcards
Hashing
You can verify integrity with hashing. Hashing is a mathematical algorithm performed on data such as a file or message to produce a fixed-length hexadecimal string of characters called a hash. The hash is used to verify that data is not modified, tampered with, or corrupted. In other words, you can verify the data has maintained integrity.
Hashing verifies integrity for data such as email, downloaded files, and files stored on a disk. A hash is a hexadecimal number created with a hashing algorithm.
Hash Versus Checksum
Hashes and checksums are similar, but there are some differences. In general, hashes are much longer numbers and used in strong cryptographic implementations. A checksum is typically a small piece of data, sometimes only 1 or 2 bits, and is used to quickly verify the integrity of data.
Checksums are not intended to be cryptographically secure. Instead, they give a quick indication when data integrity has been lost.
MD5
Message Digest 5 (MD5) is a common hashing algorithm that produces a 128-bit hash value. Hashes are commonly shown in hexadecimal format instead of a stream of 1s and 0s. For example, an MD5 hash is displayed as 32 hexadecimal characters instead of 128 bits. Hexadecimal characters are composed of 4 bits and use the numbers 0 through 9 and the characters a through f.
MD5 has been in use since 1992. Experts discovered significant vulnerabilities in MD5 in 2004 and later years. As the processing power of computers increased, it became easier and easier to exploit these vulnerabilities. Security experts now consider MD5 cracked and discourage its use as a cryptographic hash.
However, it is still sometimes used to verify the integrity of files as a quick checksum. This includes email, files stored on disks, files downloaded from the Internet, executable files, and more.
Secure Hash Algorithms
Secure Hash Algorithms (SHA) are a group of hashing algorithms with variations grouped into four standards (SHA-0, SHA-1, SHA-2, and SHA-3):
- SHA-0 is flawed and not used.
- SHA-1 is an updated version that creates 160-bit hashes. It is similar to the MD5 algorithm. Weaknesses were discovered and it is no longer approved for most cryptographic uses.
- SHA-2 improved SHA-1 to overcome potential weaknesses. It includes four versions. SHA-256 creates 256-bit hashes and SHA-512 creates 512-bit hashes. SHA-224 (224-bit hashes) and SHA-384 (384-bit hashes) create truncated versions of SHA-256 and SHA-512, respectively.
- SHA-3 (previously known as Keccak) is an alternative to SHA-2. The U.S. National Security Agency (NSA) created SHA-1 and SHA-2. SHA-3 was created outside of the NSA and was selected in a non-NSA public competition. It can create hashes of the same size as SHA-2 (224 bits, 256 bits, 384 bits, and 512 bits).
HMAC
Another method used to provide integrity is a Hash-based Message Authentication Code (HMAC). An HMAC is a fixed-length string of bits similar to other hashing algorithms such as MD5 and SHA-256 (known as HMAC-MD5 and HMAC-SHA256, respectively). However, HMAC also uses a shared secret integrity key to add some randomness to the result, and only the sender and receiver know the secret key.
HMAC-MD5 is secure if the secret key is long enough.
Internet Protocol security (IPsec) and Transport Layer Security (TLS) often use a version of HMAC such as HMAC-MD5 and HMAC-SHA256.
Remember This! Hashing is a one-way function that creates an alphanumeric string of characters. You cannot reverse the hash to re-create the original file. Passwords are often stored as hashes instead of storing the actual password. Additionally, applications often salt passwords with extra characters before hashing them.
Hashing Files
Like a program .exe file.
Hashing Messages
Hashing provides integrity for messages.
If you can recognize the hashing algorithms such as MD5, SHA, and HMAC, it will help you answer some exam questions. For example, if a question asks what you would use to encrypt data and it lists three hashing algorithms, you can quickly eliminate them because hashing algorithms don’t encrypt data.
Understanding Hash Collisions
A hash collision occurs when the hashing algorithm creates the same hash from different inputs. This is not desirable.
MD5 is highly susceptible to hash collision attacks, which is why it is no longer recommended as a cryptographic hash.
Understanding Password Attacks
Online password attacks. ncrack is a free tool that can be used to run online brute force password attacks.
Offline password attacks. Offline password attacks attempt to discover passwords from a captured database or captured packet scan.
Event ID 4625 indicating failed logon attempts
Remember This! Online attacks guess the password of an online system. Offline attacks guess the password stored within a downloaded file, such as a database. Logs will show a large volume of failed logon attempts as Event ID 4625 and/or several accounts being locked out as Event ID 4740.
Spraying attacks attempt to avoid account lockout policies, but logs will still show a large volume of failed logon attempts, with a time lapse between each entry.
Dictionary Attack
A dictionary attack is one of the original password attacks. It uses a dictionary of words and attempts every word in the dictionary to see if it works. A dictionary in this context is simply a list of words and character combinations.
Brute Force Attacks
A brute force attack attempts to guess all possible character combinations.
Password Spraying Attack
Because a spraying attack loops through a long list of accounts, it takes a while before it hits the same account twice.
However, you’ll still see Event ID 4625 indicating failed logon attempts.
Pass the Hash Attacks
In a pass the hash attack, the attacker discovers the hash of the user’s password and then uses it to log on to the system as the user. Any authentication protocol that passes the hash over the network in an unencrypted format is susceptible to this attack. It has been widely associated with Microsoft LAN Manager (LM) and NT LAN Manager (NTLM), two older security protocols used to authenticate Microsoft clients. However, this attack has enjoyed success against other protocols, such as Kerberos.
Remember This! Passwords are typically stored as hashes. A pass the hash attack attempts to use an intercepted hash to access an account. These attacks can be detected in Event ID 4624 with a Logon Process of NTLMSSP and/or an Authentication Package of NTLM.
Birthday Attack
Birthday attacks on hashes are thwarted by increasing the number of bits used in the hash to increase the number of possible hashes. For example, the MD5 algorithm uses 128 bits and is susceptible to birthday attacks. SHA-3 can use as many as 512 bits and is not susceptible to birthday attacks.
Remember This! Birthday attacks exploit collisions in hashing algorithms. A hash collision occurs when the hashing algorithm creates the same hash from different passwords. Salting adds random text to passwords before hashing them and thwarts many password attacks, including rainbow table attacks.
Rainbow Table Attacks
Rainbow table attacks are a type of attack that attempts to discover the password from the hash. A rainbow table is a huge database of possible passwords with the precomputed hashes for each.
Rainbow table attacks are often performed offline on stolen or compromised databases. In a rainbow table attack, the application simply compares the hash of each password in the database against hashes stored in the rainbow table.
Salting Passwords
Salting passwords is a common method of preventing rainbow table attacks, along with other password attacks such as brute force and dictionary attacks. A salt is a set of random data such as two additional characters. Password salting adds these additional characters to a password before hashing it. These additional characters add complexity to the password, and result in a different hash than the system would create using only the original password. This causes password attacks that compare hashes with a rainbow table to fail.
Key Stretching
Key stretching is an advanced technique used to increase the strength of stored passwords. Instead of just adding a salt to the password before hashing it, key stretching applies a cryptographic stretching algorithm to the salted password. The benefit of key stretching is that it consumes more time and computing resources, frustrating attackers who are trying to guess passwords.
Remember This! Bcrypt, PBKDF2, and Argon2 are key stretching techniques that help prevent brute force and rainbow table attacks. They salt the password with additional bits and then send the result through a cryptographic algorithm.
Remember This! Encryption provides confidentiality and helps ensure that data is viewable only by authorized users. This applies to any data at rest (such as data stored in a database) or data in transit being sent over a network.
Providing Confidentiality with Encryption
Encryption provides confidentiality and prevents unauthorized disclosure of data. Plaintext is human-readable data. An encryption algorithm scrambles the data, creating ciphertext, which is unreadable. Attackers can’t read encrypted traffic sent over a network or encrypted data stored on a system. In contrast, if data is sent in cleartext, an attacker can capture and read the data using a protocol analyzer.
Data at rest
Data at rest refers to any data stored on media and it’s common to encrypt sensitive data. For example, it’s possible to encrypt individual fields in a database (such as the fields holding customer credit card data), individual files, folders, or a full disk.
Data in transit or data in motion
Data in transit or data in motion refers to any data sent over a network and it’s common to encrypt sensitive data in transit. For example, e-commerce websites commonly use Hypertext Transfer Protocol Secure (HTTPS) sessions to encrypt transactions that include credit card data. If attackers intercept the transmissions, they only see ciphertext.
Data in use
Data in use refers to data being used by a computer. Because the computer needs to process the data, it is not encrypted while in use. If the data is encrypted, an application will decrypt it and store it in memory while in use. If the application changes the data, it will encrypt it again before saving it.
Symmetric Encryption
Symmetric encryption uses the same key to encrypt and decrypt data. In other words, if you encrypt data with a key of three, you decrypt it with the same key of three. Symmetric encryption is also called secret-key encryption or session-key encryption.
Remember This! Symmetric encryption uses the same key to encrypt and decrypt data. For example, when transmitting encrypted data, symmetric encryption algorithms use the same key to encrypt and decrypt data at both ends of the transmission media.
Block Versus Stream Ciphers
Stream ciphers encrypt data a single bit, or a single byte, at a time in a stream. Block ciphers encrypt data in a specific-sized block such as 64-bit or 128-bit blocks. Stream ciphers are more efficient than block ciphers when encrypting data in a continuous stream.
Common Symmetric Algorithms
- AES: The Advanced Encryption Standard (AES) is a strong symmetric block cipher that encrypts data in 128-bit blocks.
- 3DES: Although 3DES is a strong algorithm, it isn’t used as often as AES today. AES is much less resource intensive.
Remember This! AES is a strong symmetric block cipher that encrypts data in 128-bit blocks. AES uses 128-bit, 192-bit, or 256-bit keys. 3DES is a block cipher that encrypts data in 64-bit blocks. 3DES was originally designed as a replacement for DES, but NIST selected AES as the current standard. However, 3DES is still used in some applications, such as when legacy hardware doesn’t support AES.