8/8/2019 Password Encryption Seminar Presentation
http://slidepdf.com/reader/full/password-encryption-seminar-presentation 1/21
PASSWORD ENCRYPTION
SUBMITTED BY:
SHOBHIT GHAI
CSE 2
0461502707
TOPICS COVERED
INTRODUCTION
STORAGE TECHNIQUE
PLAIN TEXT
BRUTE FORCE AND DICTIONARY ATTACK
HASH FUNCTION
MD5 (MESSAGE DIGEST)
SHA (SECURED HASH ALGO)
SELF MADE ALGO
TRICK TO FIND HOW SECURE IS ANY SITE
Introduction
A password is a secret word or string of characters that is used for
authentication, to prove identity or gain access to a resource (for example, an
access code is a type of password). The password should be kept secret from those not allowed access.
Despite the name, there is no need for passwords to be actual words; indeed,
passwords which are not actual words may be harder to guess, a desirable
property. Some passwords are formed from multiple words and may more
accurately be called a passphrase.
The term passcode is sometimes used when the secret information is purely
numeric, such as the personal identification number (PIN) commonly used for
ATM access.
STORAGE TECHNIQUES
Some computer systems store user passwords as cleartext. If an attacker gains
access to such an internal password store, all passwords, and so all user
accounts, will be compromised. More secure systems store each password in a cryptographically protected
form, so obtaining the actual password remains difficult for a snooper who
gains internal access to the system.
A common approach stores only a "hashed" form of the plaintext password.
When a user types in a password on such a system, the password-handling
software runs it through a cryptographic hash algorithm, and if the hash value
generated from the user's entry matches the hash stored in the password
database, the user is permitted access.
PLAIN TEXT
HASH ALGORITHMS
SELF MADE ALGORITHMS
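As an added example (not part of the seminar deck), the hashed-storage approach described above in Python: the deck's three plaintext rows are turned into salted PBKDF2-HMAC-SHA256 records, and login recomputes the hash from the stored salt and compares it in constant time. The iteration count, the record format, the function names and the user table are assumptions made for this illustration, not a description of any real system.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample credentials: the same three rows the deck's plaintext table uses.
PLAINTEXT_TABLE = {
    "Manpreet": "qwertyuiop",
    "khushagra": "changpang",
    "Nitish": "nitish123",
}

# Hypothetical work factor for this example; a real deployment should follow current
# guidance on PBKDF2 iteration counts or use a memory-hard KDF such as scrypt or Argon2.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iters>$<salt hex>$<hash hex>'."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per record, so equal passwords hash differently
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the hash from the stored salt and parameters; compare in constant time."""
    algorithm, iterations, salt_hex, hash_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(hash_hex))


def build_hashed_store(plaintext_table: dict) -> dict:
    """Convert a plaintext username -> password table into username -> hashed record."""
    return {user: hash_password(pw) for user, pw in plaintext_table.items()}


def authenticate(store: dict, username: str, candidate: str) -> bool:
    """Login check against the hashed store; unknown users fail without revealing why."""
    record = store.get(username)
    if record is None:
        # Do a dummy hash so response time does not reveal whether the username exists.
        hash_password(candidate, salt=bytes(16))
        return False
    return verify_password(record, candidate)


if __name__ == "__main__":
    store = build_hashed_store(PLAINTEXT_TABLE)
    for user, record in store.items():
        print(f"{user}: {record[:48]}...")
    print(authenticate(store, "Nitish", "nitish123"))   # True
    print(authenticate(store, "Nitish", "nitish124"))   # False
    print(authenticate(store, "nobody", "anything"))    # False
```

The record stores its own algorithm name, iteration count and salt, so the work factor can be raised later without invalidating existing rows, and a leaked table no longer yields the passwords directly; the "forgotten password can be retrieved" advantage of the plaintext table is deliberately given up.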
PLAIN TEXT
The simplest approach to manage user names and passwords is
to store everything in plaintext (no encryption or scrambling) in a
file or database. The result would be something like this:
Username Password
Manpreet qwertyuiop
khushagra changpang
Nitish nitish123
ADVANTAGE:
Authenticating (checking that the username and password pair matches the pair in the table) is very simple: just compare the strings.
Forgotten passwords can be retrieved: the password is easily accessible, given the user name.
DISADVANTAGE:
First, anyone with access to the file gains immediate access to all passwords!
An employee with legitimate access to the file might print the file or email out the information, and voila! all the passwords are compromised.
The second problem is that during the authentication exchange, the password is visible on the network. Unless secure communication is used throughout, the password can be seen while traveling on the network.
Highly prone to brute force and dictionary attacks.
Brute Force And Dictionary Attack
BRUTE FORCE:
It involves systematically checking all possible combinations of
letters until the correct password is found. In the worst case, this would involve traversing the entire search space.
In the case of an offline attack, where the attacker has access to the
encrypted material, he can try letter and number combinations
at his leisure until the code is broken.
DICTIONARY ATTACK:
It involves successively trying all those words from a word dictionary
that have a higher chance of being chosen as a password.
This type of attack also involves gathering important information
related to the victim.
Hash Algorithms
A cryptographic hash function is a deterministic
procedure that takes an arbitrary block of data and returns a fixed-size bit string, the (cryptographic) hash value, such that an accidental or intentional change to the data will change the hash
value. The data to be encoded is often called the "message", and the hash value is sometimes called the message digest or simply digest.
A hash function must be able to process an arbitrary-length message
into a fixed-length output. This can be achieved by breaking the input
up into a series of equal-sized blocks and operating on them in sequence using a one-way compression function. The compression
function can either be specially designed for hashing or be built from a
block cipher.
The ideal cryptographic hash function has four main or significant properties:
it is easy to compute the hash value for any given message,
it is infeasible to find a message that has a given hash,
it is infeasible to modify a message without changing its hash,
it is infeasible to find two different messages with the same hash.
Properties:
Preimage resistance
- Given a hash h it should be hard to find any message m such that
h = hash(m). This concept is related to that of a one-way function. Functions that lack this property are vulnerable to preimage attacks.
Second preimage resistance
- Given an input m1 it should be hard to find another input m2 (where m1 != m2) such that hash(m1) = hash(m2). This property is sometimes referred to as weak collision
resistance, and functions that lack this property are vulnerable to second preimage attacks.
Collision resistance
- It should be hard to find two different messages m1 and m2 such that hash(m1) = hash(m2). Such a pair is called a cryptographic hash collision, and this property is sometimes referred to as strong collision resistance.
MD5 ALGORITHM
The main MD5 (Message Digest 5)
algorithm operates on a 128-bit state,
divided into four 32-bit words,
denoted A, B, C and D. These are initialized to certain fixed constants.
//All variables are unsigned 32-bit and wrap modulo 2^32 when calculating.
//State words, initialized to the fixed constants of the MD5 specification:
var int h0
var int h1
var int h2
var int h3
//s[0..63] (per-step shift amounts) and K[0..63] (per-step constants) are fixed tables from the specification.
//The padded message is processed in 512-bit chunks; M[0..15] are the 16 little-endian 32-bit words of the current chunk.
//For each 512-bit chunk of the padded message:
//Initialize hash value for this chunk:
var int a := h0
var int b := h1
var int c := h2
var int d := h3
//Main loop:
for i from 0 to 63
    if 0 <= i <= 15 then
        f := (b and c) or ((not b) and d)
        g := i
    else if 16 <= i <= 31
        f := (d and b) or ((not d) and c)
        g := (5×i + 1) mod 16
    else if 32 <= i <= 47
        f := b xor c xor d
        g := (3×i + 5) mod 16
    else if 48 <= i <= 63
        f := c xor (b or (not d))
        g := (7×i) mod 16
    temp := d
    d := c
    c := b
    b := b + leftrotate((a + f + K[i] + M[g]), s[i])
    a := temp
//Add this chunk's hash to result so far:
h0 := h0 + a
h1 := h1 + b
h2 := h2 + c
h3 := h3 + d
var int digest := h0 append h1 append h2 append h3 //(expressed as little-endian)
MD5 Examples:
The 128-bit (16-byte) MD5 hashes (also termed message digests) are typically
represented as a sequence of 32 hexadecimal digits.
MD5("The quick brown fox jumps over the lazy dog") =
9e107d9d372bb6826bd81d3542a419d6
Even a small change in the message will (with overwhelming probability) result in a
mostly different hash, due to the avalanche effect:
MD5("The quick brown fox jumps over the lazy dog.") =
e4d909c290d0fb1ca068ffaddf22cbd0
The hash of the zero-length string is:
MD5("") = d41d8cd98f00b204e9800998ecf8427e
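To make the pseudocode and the example digests above concrete, here is a from-scratch MD5 in Python. This is an added example, not code from the seminar deck. It fills in the parts the slides leave implicit: the padding rule, the per-step shift table s[i], the sine-derived constants K[i], and the little-endian handling of both the message words and the final digest. The function names are mine; the matches_stdlib helper cross-checks the result against hashlib.

```python
import hashlib
import math
import struct

MASK = 0xFFFFFFFF

# Per-step shift amounts and additive constants as defined in the MD5 specification (RFC 1321).
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
K = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK for i in range(64)]


def leftrotate(x: int, c: int) -> int:
    """Rotate a 32-bit word left by c bits."""
    return ((x << c) | (x >> (32 - c))) & MASK


def md5(message: bytes) -> str:
    """Return the MD5 digest of `message` as 32 hex digits."""
    # Initial state A, B, C, D (the "fixed constants" the slides mention).
    h0, h1, h2, h3 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476

    # Padding: one 0x80 byte, zeros up to 56 bytes mod 64, then the original
    # length in bits as a 64-bit little-endian integer.
    bit_len = (len(message) * 8) & 0xFFFFFFFFFFFFFFFF
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    padded += struct.pack("<Q", bit_len)

    for start in range(0, len(padded), 64):
        M = struct.unpack("<16I", padded[start:start + 64])  # 16 little-endian words
        a, b, c, d = h0, h1, h2, h3
        for i in range(64):
            if i < 16:
                f = (b & c) | (~b & d)
                g = i
            elif i < 32:
                f = (d & b) | (~d & c)
                g = (5 * i + 1) % 16
            elif i < 48:
                f = b ^ c ^ d
                g = (3 * i + 5) % 16
            else:
                f = c ^ (b | (~d & MASK))
                g = (7 * i) % 16
            f = (f + a + K[i] + M[g]) & MASK
            # temp := d; d := c; c := b; b := b + leftrotate(f, s[i]); a := temp
            a, d, c, b = d, c, b, (b + leftrotate(f, S[i])) & MASK
        h0, h1, h2, h3 = ((h0 + a) & MASK, (h1 + b) & MASK,
                          (h2 + c) & MASK, (h3 + d) & MASK)

    # The digest is A, B, C, D serialised little-endian.
    return struct.pack("<4I", h0, h1, h2, h3).hex()


def matches_stdlib(message: bytes) -> bool:
    """Cross-check this implementation against hashlib's MD5 for the same input."""
    return md5(message) == hashlib.md5(message).hexdigest()


if __name__ == "__main__":
    for text in (b"The quick brown fox jumps over the lazy dog",
                 b"The quick brown fox jumps over the lazy dog.", b""):
        print(f'MD5({text!r}) = {md5(text)}  stdlib agrees: {matches_stdlib(text)}')
```

Running it reproduces the three digests listed on the slide; note that this is an educational implementation for checking the pseudocode, and that, as the next slide explains, MD5 itself is no longer suitable where collision resistance matters.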
FLAWS:
MD5 has been employed in a wide variety of security applications, and is also
commonly used to check the integrity of files. However, it has been shown that MD5
is not collision resistant; as such, MD5 is not suitable for applications like SSL
certificates or digital signatures that rely on this property.
In 1996, a flaw was found in the design of MD5. While it was not a clearly fatal
weakness, cryptographers began recommending the use of other algorithms, such
as SHA. In 2004, more serious flaws were discovered, making further use of the
algorithm for security purposes questionable; specifically, a group of researchers
described how to create a pair of files that share the same MD5 checksum. Further
advances were made in breaking MD5 in 2005, 2006, and 2007. In an attack on MD5 published in December 2008, a group of researchers used this technique to fake SSL
certificate validity. US-CERT of the U.S. Department of Homeland Security said MD5
"should be considered cryptographically broken and unsuitable for further use".
SHA-1 ALGORITHM
SHA-1 is a cryptographic hash function designed by the National Security Agency (NSA) and published by NIST as a U.S. Federal Information Processing Standard. SHA stands for Secure Hash Algorithm. The three SHA algorithms are structured differently and are distinguished as SHA-0, SHA-1, and SHA-2. SHA-1 is very similar to SHA-0, but corrects an error in the original SHA hash specification that led to significant weaknesses. The SHA-0 algorithm was not adopted by many applications. SHA-2, on the other hand, differs significantly from the SHA-1 hash function.
SHA-1 is the most widely used of the existing SHA hash functions, and is employed in several widely-used security applications and protocols.
All variables are unsigned 32-bit and wrap modulo 2^32 when calculating.
For each 512-bit chunk of the padded message: w[0..15] are the chunk's 16 big-endian 32-bit words, extended to w[0..79] by
w[i] = (w[i-3] xor w[i-8] xor w[i-14] xor w[i-16]) leftrotate 1
Initialize hash value for this chunk:
a = h0
b = h1
c = h2
d = h3
e = h4
Main loop:
for i from 0 to 79
    if 0 <= i <= 19 then
        f = (b and c) or ((not b) and d)
        k = 0x5A827999
    else if 20 <= i <= 39
        f = b xor c xor d
        k = 0x6ED9EBA1
    else if 40 <= i <= 59
        f = (b and c) or (b and d) or (c and d)
        k = 0x8F1BBCDC
    else if 60 <= i <= 79
        f = b xor c xor d
        k = 0xCA62C1D6
    temp = (a leftrotate 5) + f + e + k + w[i]
    e = d
    d = c
    c = b leftrotate 30
    b = a
    a = temp
Add this chunk's hash to result so far:
h0 = h0 + a
h1 = h1 + b
h2 = h2 + c
h3 = h3 + d
h4 = h4 + e
Produce the final hash value (big-endian):
digest = hash = h0 append h1 append h2 append h3 append h4
SHA 1 Examples:
SHA1("The quick brown fox jumps over the lazy dog") =
2fd4e1c6 7a2d28fc ed849ee1 bb76e739 1b93eb12
Even a small change in the message will, with overwhelming
probability, result in a completely different hash due to the avalanche
effect. For example, changing dog to cog produces a hash with
different values for 81 of the 160 bits:
SHA1("The quick brown fox jumps over the lazy cog") =
de9f2c7f d25e1b3a fad3e85a 0bd17d9b 100db4b3
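An added example (not from the deck) that implements the SHA-1 pseudocode above in Python, including the message schedule w[0..79] and the big-endian padding that distinguish it from MD5, plus a helper that counts how many of the 160 digest bits differ between two hashes, so the avalanche behaviour described on this slide can be measured directly. The function names are mine; matches_stdlib cross-checks against hashlib.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF


def rotl(x: int, n: int) -> int:
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK


def sha1(message: bytes) -> str:
    """Return the SHA-1 digest of `message` as 40 hex digits."""
    h0, h1, h2, h3, h4 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0

    # Padding: 0x80, zeros to 56 bytes mod 64, then the bit length as 64-bit big-endian.
    bit_len = (len(message) * 8) & 0xFFFFFFFFFFFFFFFF
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    padded += struct.pack(">Q", bit_len)

    for start in range(0, len(padded), 64):
        # Message schedule: 16 big-endian words extended to 80.
        w = list(struct.unpack(">16I", padded[start:start + 64]))
        for i in range(16, 80):
            w.append(rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))

        a, b, c, d, e = h0, h1, h2, h3, h4
        for i in range(80):
            if i < 20:
                f = (b & c) | (~b & d)
                k = 0x5A827999
            elif i < 40:
                f = b ^ c ^ d
                k = 0x6ED9EBA1
            elif i < 60:
                f = (b & c) | (b & d) | (c & d)
                k = 0x8F1BBCDC
            else:
                f = b ^ c ^ d
                k = 0xCA62C1D6
            temp = (rotl(a, 5) + f + e + k + w[i]) & MASK
            # e = d; d = c; c = b leftrotate 30; b = a; a = temp
            a, b, c, d, e = temp, a, rotl(b, 30), c, d
        h0, h1, h2, h3, h4 = ((h0 + a) & MASK, (h1 + b) & MASK, (h2 + c) & MASK,
                              (h3 + d) & MASK, (h4 + e) & MASK)

    # Final value is h0..h4 serialised big-endian.
    return struct.pack(">5I", h0, h1, h2, h3, h4).hex()


def bits_changed(hex_a: str, hex_b: str) -> int:
    """Hamming distance between two hex-encoded digests of equal length."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def matches_stdlib(message: bytes) -> bool:
    """Cross-check this implementation against hashlib's SHA-1."""
    return sha1(message) == hashlib.sha1(message).hexdigest()


if __name__ == "__main__":
    dog = sha1(b"The quick brown fox jumps over the lazy dog")
    cog = sha1(b"The quick brown fox jumps over the lazy cog")
    print(dog)
    print(cog)
    print("bits that differ:", bits_changed(dog, cog), "of 160")
```

The dog/cog pair from the slide reproduces the two digests shown; the bit count printed by bits_changed is the concrete measurement behind the "completely different hash" statement, and a good hash should change roughly half of the bits for any single-character edit.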
Advantage:
Preimage attacks and collision attacks have not been found for SHA. SHA is irreversible, i.e. the password cannot be generated from the digest stored in the
database. The digest produced by SHA is longer than the digest generated by MD5.
Widely used in secured applications like SSL, SSH, IPsec, PGP etc.
Flaws:
In 2005, security flaws were identified in SHA-1, namely that a mathematical weakness might exist, indicating that a stronger hash function would be desirable.
Although no successful attacks have yet been reported on the SHA-2 variants, they are algorithmically similar to SHA-1 and so efforts are under way to develop improved alternatives. A new hash standard, SHA-3, is currently under development; an ongoing NIST hash function competition is scheduled to end with the selection of a winning function in 2012.
SELF MADE ALGO
Certain organizations are implementing self-made algorithms for encrypting the passwords and other important documents in their database.
The main benefit of encrypting with a self-made algorithm is that even if hackers succeed in finding flaws and vulnerabilities in other well-known algorithms like MD5 or SHA, the data within the organization will still be safe, as it was encrypted by a different algorithm.
Let's take an example of this:
Suppose the password is shobhit
Now take the ASCII value of each letter of the password:
s = 115, h = 104, o = 111, b = 98, h = 104, i = 105, t = 116
The number of letters is 7
(115+104+111+98+104+105+116)/7 = 107.57142857142857142857142857143
Now this figure (digest) will be stored in the database along with the username. Every time the user enters
the password during login, this whole procedure will be used to calculate the digest; the digest calculated will be compared with the digest already stored in the database, and if it matches then the user will be authorized to log in.
THIS PROCEDURE WAS JUST TO EXPLAIN THE WORKING OF A SELF MADE ALGO; PRACTICALLY THE ALGO IS MUCH MORE COMPLEX THAN THIS.
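To check the deck's illustrative average-of-ASCII digest against the hash properties defined earlier (second preimage and collision resistance, and the avalanche effect), here is an added Python example that is not part of the deck. It implements the toy digest exactly as described, shows other strings that yield the same digest as shobhit (its reverse, a rotation, and the password written twice), and compares how far a one-letter change moves the toy digest versus SHA-256. The function names and the SHA-256 comparison are my additions.

```python
import hashlib


def ascii_average_digest(password: str) -> float:
    """The deck's worked 'self made' digest: the mean ASCII code of the characters."""
    return sum(ord(ch) for ch in password) / len(password)


def find_collisions(password: str) -> list:
    """Distinct strings the toy digest cannot tell apart from `password`.

    Any reordering keeps the same character sum and length, and repeating the
    password scales sum and length together, so all of these collide.
    """
    candidates = [
        password[::-1],               # reversed
        password[1:] + password[:1],  # rotated by one position
        password * 2,                 # written twice
    ]
    target = ascii_average_digest(password)
    return [c for c in candidates
            if c != password and ascii_average_digest(c) == target]


def avalanche_check(password: str, variant: str) -> dict:
    """How much does each digest move when one character changes?"""
    toy_delta = abs(ascii_average_digest(password) - ascii_average_digest(variant))
    h1 = int(hashlib.sha256(password.encode("utf-8")).hexdigest(), 16)
    h2 = int(hashlib.sha256(variant.encode("utf-8")).hexdigest(), 16)
    return {
        "toy_digest_delta": toy_delta,                  # tiny, predictable shift
        "sha256_bits_changed": bin(h1 ^ h2).count("1"),  # roughly half of 256 bits
    }


if __name__ == "__main__":
    pw = "shobhit"
    print("toy digest of", pw, "=", ascii_average_digest(pw))
    print("strings with the same toy digest:", find_collisions(pw))
    print(avalanche_check(pw, "shobhiu"))  # constructed one-letter variant
```

Every entry returned by find_collisions would log in as shobhit under the scheme as described, which is exactly the second-preimage weakness the "Properties" slide defines; the avalanche figures show why a digest that changes by 1/7 for a one-letter edit leaks information that a cryptographic hash does not. This is what the "much more complex" caveat has to overcome, and it is the reason an unreviewed in-house algorithm is usually a weaker choice than a well-studied standard one.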