one-way (Hash)
- Only encryption is possible, not decryption.
- Hashing always returns a fixed-length hash value for variable-length data.
- Hashing always returns the same output for the same input.
=> It causes rainbow attack. - The hash algorithm is designed to retrieve datas quickly.
=> It causes brute-force attack.
MD5
- Message Digest Algorithm 5
- This is an algorithm producing a 128-bit hash value.
- Currently, This is not encouraged for sucurity.
- It can still be used as a checksum to verify data integrity.
SHA
- Secure Hash Algorithm
- SHA-0 was quickly replaced to SHA-1 due to security problem.
- SHA-1's hash collision was revealed by Google and CWI in 2017.
- Currently, SHA-2 and SHA-3 is recommended to be used.
| Algorithm | hashvalue size | collision | use cases |
|---|---|---|---|
| SHA-0 | 160 bits | o | x |
| SHA-1 | 160 bits | o | git, file verification |
| SHA-2 SHA-3 | 224 256 384 512 bits | - | blockchain, SSL certificate, user info |
one-way (Hash) + salting + key stretching
bycrypt
- It's a password hashing function based on Blowfish cipher.
- It's internally generates a random salt while encoding passwords and store that salt along with the encrypted password.
PBKDF2
Password Encryption Algorithm
SHA-2 is vulnerable to brute-force attack because the operation speed using GPU is very fast.
bcrpyt
PBKDF2
two-way
symmetric
DES
- Data Encryption Standard
- symmetric block cipher
- DES has been withdrawn as a standard by NIST
- It's insecure due to the short 56-bit key size.
- It's not recommended to use.
AES
- Advanced Encryption Standard
- symmetric block cipher
- It's takes plain text in blocks of 128 bits(16 bytes) and converts them to ciphertext using keys of 128, 192, and 256 bits.
Comparison of AES and DES
| . | AES | DES |
|---|---|---|
| key length | 56 bits | 128/192/256 bits |
| block size | 64 bits | 128 bits |
| known attacks | No known attack | Brute-force, Linear crypt- analysis |
| security | insecure | secure |
| brute force | 2^55 | 2^127 (in 128 bits) |
asymmetric
RSA
Cryptographic attacks
Brute Force attack
- This is a hacking technique used to find out the credentials such as a password by trying out every possible combinations of credentials.
- The time taken increases exponentially as the length and complexity of the password.
Dictionary attack
- This makes a dictionary with usable patterns such as frequently used characters or words with specific meaning or target's informations.
Rainbow Table attack
- This is a precomputed table(digest list) for caching the output of cryptographic hash functions.
(Hash function always returns the same output from the same input.)
Note that
👉 Regulations
👉 Terms
digest means hash value
salt is a random data that is used as an additional input to a one-way hash function.
salting makes rainbow table meaningless using salt.
key strectching is used to make a relatively insecure value, such as password more secure against a brute force attack by increasing the time it takes. (This is to repeat creating a digest using the created digest.)
👉 ETC
scrypt, HMAC, argon2
practice
MD5
It can check whether the file is corrupted or not with the original file and the hash value.
import (
"crypto/sha256"
"encoding/hex"
)
import "crypto/md5
f, err := os.Open("/Users/gom/image.png")
if err != nil {
log.Fatal(err)
}
defer f.Close()
h := md5.New()
if _, err := io.Copy(h, f); err != nil {
log.Fatal(err)
}
fmt.Printf("%w\n", h.Sum(nil))=> d11d54a4dd7328dd37eb21f8985ca9c7
SHA
SHA2 "crypto/sha256" | "crypto/sha512"
hash algorithms as defined in FIPS 180-4.
SHA3 "golang.org/x/crypto/sha3"
hash algorithms as defined by FIPS-202.
import (
"crypto/rand"
"crypto/sha256"
"crypto/sha512"
"encoding/hex"
"encoding/base64"
)
// 1
f, err := os.Open("/Users/gom/image.png")
if err != nil {
log.Fatal(err)
}
defer f.Close()
h := sha256.New()
if _, err := io.Copy(h, f); err != nil {
log.Fatal(err)
}
fmt.Printf("%x\n", h.Sum(nil))
// 2
hh := sha256.New()
hh.Write([]byte("abcd1234!@#$"))
hashValue := hex.EncodeToString(h.Sum(nil))
fmt.Println(hashValue)
// 3
salt := make([]byte, 16)
_, err := rand.Read(salt)
if err != nil {
log.Fatal(err)
}
hhh := sha512.New()
hhh.Write(append([]byte("abcd1234!!"), salt...))
r := base64.URLEncoding.EncodeToString(hhh.Sum(nil))
fmt.Println(r)bcrypt
import (
"golang.org/x/crypto/bcrypt"
)
// hash password
password := "abcd1234!!"
bytes, err := bcrypt.GenerateFromPassword([]byte(password), 10)
// check password
err := bcrypt.CompareHashAndPassword([]byte(bytes), []byte(password))refrence
Regulations
https://www.pipc.go.kr/np/cop/bbs/selectBoardArticle.do?bbsId=BS217&mCode=D010030000&nttId=7041#LINK
https://blog.naver.com/16954/222681910557
Library
https://pkg.go.dev/crypto/md5
https://pkg.go.dev/crypto/sha256
https://pkg.go.dev/crypto/sha512
https://pkg.go.dev/golang.org/x/crypto/sha3
https://github.com/golang/crypto
https://pkg.go.dev/golang.org/x/crypto/bcrypt
