HASH

A HASH algorithm transforms an input of arbitrary length into an output of fixed length. The output is called the HASH value. This transformation is a compression mapping: the space of hash values is usually much smaller than the space of input values, and different inputs may hash to the same output, so the unique input value cannot be determined from the hash value. In simple terms, a message of any length is compressed into a message digest of a fixed length.

  • Hashes have the following characteristics:

    • Algorithm in public
    • Running the same data gives the same result
    • Operating on different data with, for example, MD5, the result is by default 128 bits, i.e. 32 characters (hexadecimal)
    • It cannot be reversed
    • It produces a digest of the information, used to identify data
  • Examples of HASH Algorithms

    • MD5 128 bits, 32 hexadecimal characters
    • SHA1 160 bits, 40 hexadecimal characters
    • SHA256 256 bits, 64 hexadecimal characters
  • Starting with iOS 13.0, Apple recommends abandoning MD5 in favor of SHA256 or a more secure algorithm.

  • Examples of symmetric encryption algorithms

    • DES: rarely used, low strength.
    • 3DES: encrypts the original data three times with three secret keys; it is meaningless.
    • AES: Advanced Encryption Standard, widely used, for example by Apple Keychain Access, the NSA, etc.
  • HASH Algorithm Usage

    • Encryption of the user password
    • Search engine
    • Copyright
    • Digital signatures
  • Encryption of the user password

    • When a user registers, the server directly stores the HASH value of the password
    • When a user logs in, the password is passed to the server in HASH form
    • Because the HASH value of the same object is always the same, and there are now large HASH databases holding trillions of petabytes of entries, the original value can be looked up from its HASH.
    • Multiply nested HASHes or added salt can also be answered by collision queries against large databases (nesting can be collided recursively, and the salt can leak)
  • A more secure HMAC encryption scheme

    • The encryption is done with a secret key and the hash is done twice. In actual development, the secret key comes from the server.
    • The key is generated by the server for the account during registration and sent to the client.
    • The key can be used to implement a device lock. If the local device does not have the key, it asks the server for the key, and the server decides whether to deliver it. If the device lock is enabled, the operation must be performed on the original device.
  • Note that the value produced by the HMAC encryption scheme can still be intercepted in network transmission, so it is still insecure.

  • Safer options:

    • When a user logs in, the HMAC-encrypted password is concatenated with a timestamp (to minute precision) and encrypted again with MD5. When the server receives the request, it retrieves the user's HASH password from the database, concatenates the server timestamp and applies MD5 once. If the server's result does not match the client's, the server steps the timestamp back one minute and matches again, allowing login if that succeeds.
    • In this case, the user's HASH password is valid for at most 1 minute and 59 seconds, which prevents the hidden dangers caused by network interception.
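The time-windowed login check described above, as an added example that is not code from the original page. It uses SHA-256 where the page says MD5; the function names are hypothetical and the key, password and clock values are constructed.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

def stored_credential(server_key: bytes, password: str) -> str:
    """Value the server keeps at registration: HMAC of the password."""
    return hmac.new(server_key, password.encode(), hashlib.sha256).hexdigest()

def minute_stamp(now: datetime) -> str:
    """Timestamp truncated to the minute, e.g. 202401011200."""
    return now.strftime("%Y%m%d%H%M")

def login_token(credential: str, now: datetime) -> str:
    """What travels over the network: hash of credential + minute stamp."""
    return hashlib.sha256((credential + minute_stamp(now)).encode()).hexdigest()

def server_accepts(credential: str, token: str, server_now: datetime) -> bool:
    """Try the server's current minute, then the previous minute."""
    for offset in (0, 1):
        expected = login_token(credential, server_now - timedelta(minutes=offset))
        if hmac.compare_digest(expected, token):  # constant-time comparison
            return True
    return False

# Constructed sample values (not from the page)
SERVER_KEY = b"constructed-per-account-key"
CREDENTIAL = stored_credential(SERVER_KEY, "correct horse")
T0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)

def demo() -> dict:
    token = login_token(CREDENTIAL, T0)  # client logs in at 12:00:00
    guess = login_token(stored_credential(SERVER_KEY, "guess"), T0)
    return {
        "same_minute": server_accepts(CREDENTIAL, token, T0 + timedelta(seconds=30)),
        "after_1m59s": server_accepts(CREDENTIAL, token, T0 + timedelta(seconds=119)),
        "after_2m00s": server_accepts(CREDENTIAL, token, T0 + timedelta(seconds=120)),
        "wrong_password": server_accepts(CREDENTIAL, guess, T0),
    }

if __name__ == "__main__":
    print(demo())
```

A captured token is still accepted until the window closes, so the scheme shortens the replay window rather than removing it.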
  • Search engine

    • A search engine splits the search query into words and adds up the HASH of every word, so the result is the same in any word order.
  • Copyright

    • For cloud disk applications, when data is uploaded its HASH value can be compared with the HASH values of the cloud resources, followed by a series of further checks (because the cloud resources are huge and HASH values can collide, that is, the data is different but the HASH value is the same), such as comparing N bytes at the front, middle and end of the file binary. If these match, the data is identified as the same data and is transferred within seconds (by referencing the shared resource).
    • When the user uploads a resource, the HASH value of the original file can be used to verify ownership.
    • The HASH value is computed over the binary data of the file; changing the file name has no effect on the HASH value.
    • Compressing a file changes its HASH value, because the binary of the file has changed; copying a file does not change its HASH.
  • Digital signatures

    • The HASH value of the original data is encrypted with RSA, and the encrypted HASH value is passed to the server along with the original data.
    • After receiving the data, the server decrypts the HASH value with RSA. If the decrypted HASH value matches the HASH value of the data passed by the client, the original data is untampered; otherwise the original data has been tampered with and the server needs to refuse to respond.
    • This RSA-encrypted HASH value is the digital signature.
  • Symmetric Encryption (traditional Encryption)

  • Application mode

    • ECB (Electronic Code Book): electronic codebook mode; each block of data is encrypted independently.
      • The most basic encryption mode: the same plaintext is always encrypted into the same ciphertext, there is no initialization vector, it is vulnerable to codebook replay attacks, and it is generally rarely used.
    • CBC (Cipher Block Chaining): cipher block chaining mode; it uses a secret key and an initialization vector to encrypt data.
      • Before encryption, each plaintext block is XORed with the preceding ciphertext block. Therefore, as long as different initialization vectors are chosen, the same plaintext produces different ciphertext after encryption. This is currently the most widely used encryption mode. CBC-encrypted ciphertext is context-dependent. Plaintext errors are not propagated to subsequent packets, but if one packet is lost, all subsequent packets are invalidated (synchronization errors).
      • CBC thereby ensures the integrity of the ciphertext. If data is lost or tampered with during transmission, subsequent data cannot be decrypted.
  • Trying out encryption in the terminal
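The difference between the two modes above, as an added example that is not from the original page. Python's standard library has no DES, so a toy 4-round Feistel cipher with the same 8-byte block size stands in for it; the cipher, key, plaintext and second IV are constructed for illustration, and the cipher is not secure.

```python
import hashlib
import hmac

BLOCK = 8  # bytes per block, the DES block size

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_block(key, block):
    """Toy 4-round Feistel cipher standing in for DES; NOT secure."""
    left, right = block[:4], block[4:]
    for i in range(4):
        mask = hmac.new(key, bytes([i]) + right, hashlib.sha256).digest()[:4]
        left, right = right, xor(left, mask)
    return left + right

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, plaintext):  # every block encrypted independently, no IV
    return b"".join(encrypt_block(key, b) for b in blocks(plaintext))

def cbc_encrypt(key, iv, plaintext):  # XOR with previous ciphertext block first
    out, prev = [], iv
    for b in blocks(plaintext):
        prev = encrypt_block(key, xor(b, prev))
        out.append(prev)
    return b"".join(out)

def repeated_blocks(ciphertext):  # ciphertext blocks duplicating an earlier one
    return len(blocks(ciphertext)) - len(set(blocks(ciphertext)))

KEY = b"constructed-demo-key"              # constructed sample key
PLAINTEXT = b"PAY 100$" * 3                # constructed: three identical blocks
IV_A = bytes.fromhex("0102030405060708")   # IV used in the page's openssl command
IV_B = bytes.fromhex("0807060504030201")   # constructed second IV

def compare():
    cbc_a = cbc_encrypt(KEY, IV_A, PLAINTEXT)
    cbc_b = cbc_encrypt(KEY, IV_B, PLAINTEXT)
    return {
        "ecb_repeated_blocks": repeated_blocks(ecb_encrypt(KEY, PLAINTEXT)),
        "cbc_repeated_blocks": repeated_blocks(cbc_a),
        "cbc_changes_with_iv": cbc_a != cbc_b,
    }

if __name__ == "__main__":
    print(compare())
```

Under ECB the three identical plaintext blocks are visible as identical ciphertext blocks, while CBC hides the repetition and gives a different ciphertext for each IV.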

    • openssl enc -des-ecb -K 123 -nosalt -in before.txt -out after.bin: DES encryption, ECB mode, key 123, no salt
    • openssl enc -des-cbc -iv 0102030405060708 -K 123 -nosalt -in before.txt -out after.bin: DES encryption, CBC mode, key 123, initialization vector 0102030405060708, no salt
    • Add the -d parameter to decrypt
  • Symmetric encryption in iOS

    • #import <CommonCrypto/CommonCrypto.h>: the library that handles encryption and decryption in iOS
    • CCCrypt: the function used for encryption and decryption in iOS, declared as follows:
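```objc
CCCryptorStatus CCCrypt(
    CCOperation op,           // kCCEncrypt or kCCDecrypt
    CCAlgorithm alg,          // e.g. kCCAlgorithmAES, kCCAlgorithmDES
    CCOptions options,        // e.g. kCCOptionPKCS7Padding, kCCOptionECBMode
    const void *key,          // secret key bytes
    size_t keyLength,         // key length in bytes
    const void *iv,           // initialization vector (optional; unused in ECB mode)
    const void *dataIn,       // input buffer
    size_t dataInLength,      // input length in bytes
    void *dataOut,            // output buffer
    size_t dataOutAvailable,  // size of the output buffer in bytes
    size_t *dataOutMoved)     // receives the number of bytes written
    API_AVAILABLE(macos(10.4), ios(2.0));
```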

Using the preceding encryption methods directly in service development is not secure. After a jailbreak, breakpoint debugging is possible: the CCCrypt function can be hooked directly and its parameters read straight from the registers to obtain the plaintext data.