This article is only for review after class. Thank you, Hank.

Overview of HASH

A hash function uses a hash algorithm to transform an input of arbitrary length into an output of fixed length; the output is the hash value. This transformation is a compression mapping: the space of hash values is usually much smaller than the space of inputs, and different inputs may hash to the same output, so it is impossible to determine a unique input from a hash value. Simply put, it is a function that compresses a message of any length into a message digest of fixed length.

The characteristics of the HASH

  • The algorithm is public
  • The same data always produces the same result
  • Different data produces results of the same fixed length; MD5, for example, yields 128 bits, written as 32 hexadecimal characters
  • It cannot be reversed
  • The result is a message digest, an information “fingerprint”, used to identify data

The purpose of the HASH

  • Encryption of user passwords
  • Search engines
  • Copyright
  • Digital signatures

Password encryption

Passwords must never be stored in clear text. Therefore, the user password is encrypted using a HASH algorithm.

  • Use MD5 directly (not secure)
  • MD5 with salt (not secure if the salt is cracked by brute force)
  • HMAC encryption scheme (recommended)
  • Add your own encryption logic (recommended)

HMAC encryption scheme

  1. HMAC encryption
  2. The data is encrypted with one secret key and hashed twice
  3. The secret key comes from the server
  4. After an account is sent, the server generates a key (secret key) and saves the account together with its corresponding key. The client uses the key to encrypt the plaintext password (giving the HMAC password) and sends it to the server to be saved
  5. With an existing key, the account authenticates to the server using the key, the HMAC password, the server timestamp, and the account
  • Because of the timestamp restriction, a cracked value leaves only 1-2 minutes in which to attempt a login
  • Cracking a key puts only a single account at risk; a leaked key affects only one user
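One way to read the scheme above, as an added example that is not the article's own code. It assumes HMAC-SHA256, a key passed as a text string, and a login token computed as HMAC(key, HMAC password + server minute) that the server accepts for the current and the previous minute; function names and sample values are constructed.

```sh
#!/bin/sh
# Added example. Assumptions: HMAC-SHA256, key passed as a text string,
# server time counted in whole minutes. All sample values are constructed.

# hmac_hex KEY MESSAGE -> hex HMAC of MESSAGE under KEY
hmac_hex() {
  printf '%s' "$2" | openssl dgst -sha256 -hmac "$1" | awk '{print $NF}'
}

# Client, registration: the value the server stores instead of the password.
hmac_password() {            # KEY PASSWORD
  hmac_hex "$1" "$2"
}

# Client, login: bind the stored value to the server's current minute.
login_token() {              # KEY HMAC_PASSWORD MINUTE
  hmac_hex "$1" "$2$3"
}

# Server, login: recompute the token for the current and the previous minute.
# Returns 0 on a match, 1 otherwise. (A production server would compare in
# constant time; a shell string test does not.)
verify_login() {             # KEY STORED_HMAC_PASSWORD TOKEN NOW_MINUTE
  for m in "$4" "$(( $4 - 1 ))"; do
    if [ "$(login_token "$1" "$2" "$m")" = "$3" ]; then return 0; fi
  done
  return 1
}

demo() {
  key=$(openssl rand -hex 16)                      # per-account key, server side
  stored=$(hmac_password "$key" 'correct horse')   # saved with the account
  now=$(( $(date +%s) / 60 ))
  token=$(login_token "$key" "$stored" "$now")
  verify_login "$key" "$stored" "$token" "$now" && echo "fresh token: accepted"
  verify_login "$key" "$stored" "$token" "$(( now + 2 ))" \
    || echo "same token two minutes later: rejected"
}
demo
```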



A digital signature

A signature marks something as yours: when you sign a check, it is yours. A digital signature is likewise a way of identifying digital information. It consists of signing plus verification, to prevent tampering.

The previous chapter covered RSA encryption, public key, private key, and asymmetric encryption.

In a digital signature, the private key is not used to sign the plaintext itself. Using RSA encryption alone is not enough for our needs: as mentioned earlier, RSA is only good for encrypting small amounts of data. Therefore, a HASH algorithm is used to verify data integrity, and the RSA encryption algorithm is used to protect the HASH value.

The client sends the original data together with the hash value of the data, encrypted by RSA. The server decrypts the RSA-encrypted data to obtain the hash value of the original data. Then the server runs the same hash algorithm over the original data and compares the hash value it obtains with the decrypted hash value. If the two are the same, the data is valid. If they differ, or if the RSA data cannot be decrypted, the data has been tampered with.

Therefore, we say that the RSA-encrypted Hash value of the original data is the digital signature of the original data. In other words, it is asymmetric encryption applied to the Hash value of the original data.
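The sign-and-verify flow described above, run with the openssl command line as an added example (not the article's own code). It assumes SHA-256 and a 2048-bit RSA key; file names and message text are constructed.

```sh
#!/bin/sh
# Added example: file names and message text are constructed for the demo.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Key pair: the signer keeps priv.pem, the verifier only needs pub.pem.
make_keys() {
  openssl genrsa -out "$work/priv.pem" 2048 2>/dev/null
  openssl rsa -in "$work/priv.pem" -pubout -out "$work/pub.pem" 2>/dev/null
}

# sign FILE SIG: hash FILE, then apply the RSA private key to the 32-byte hash.
sign() {
  openssl dgst -sha256 -binary "$1" > "$work/digest.bin"
  openssl pkeyutl -sign -inkey "$work/priv.pem" -in "$work/digest.bin" -out "$2"
}

# verify FILE SIG: recover the hash from SIG with the public key and compare
# it with a fresh hash of FILE. Returns 0 only when both steps succeed.
verify() {
  openssl pkeyutl -verifyrecover -pubin -inkey "$work/pub.pem" \
      -in "$2" -out "$work/recovered.bin" 2>/dev/null || return 1
  openssl dgst -sha256 -binary "$1" | cmp -s - "$work/recovered.bin"
}

demo() {
  make_keys
  printf 'transfer 100 to account 42' > "$work/msg.txt"
  sign "$work/msg.txt" "$work/msg.sig"
  verify "$work/msg.txt" "$work/msg.sig" && echo "original data: valid"
  printf 'transfer 900 to account 42' > "$work/msg.txt"   # changed in transit
  verify "$work/msg.txt" "$work/msg.sig" || echo "modified data: rejected"
  head -c 256 /dev/zero > "$work/bad.sig"                 # not made with priv.pem
  verify "$work/msg.txt" "$work/bad.sig" || echo "undecryptable signature: rejected"
}
demo
```

Everyday tooling usually performs both steps at once with `openssl dgst -sha256 -sign`, which also wraps the hash in a DigestInfo structure before the RSA operation.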



Symmetric encryption

Symmetric encryption: the plaintext is encrypted with the key to obtain the ciphertext, and the ciphertext is decrypted with the key to obtain the plaintext.

Common algorithms

  • DES: Data Encryption Standard (used sparingly because it is not strong enough)
  • 3DES: uses three keys to encrypt the same data three times, with enhanced strength (over at birth)
  • AES: Advanced Encryption Standard (used by Keychain Access)

Application mode

  • ECB (Electronic Code Book): electronic codebook mode. Each block of data is encrypted independently.

This is the most basic encryption mode, encryption as commonly understood: the same plaintext is always encrypted into the same ciphertext, and there is no initialization vector. It is vulnerable to codebook replay attacks and is rarely used in general.

  • CBC (Cipher Block Chaining): cipher block chaining mode. Encryption is performed using a key and an initialization vector (IV).

Each plaintext block is XORed with the previous ciphertext block before being encrypted. Therefore, the same plaintext is encrypted into different ciphertext as long as a different initialization vector is selected. This is the most widely used mode. CBC ciphertext is context-dependent; plaintext errors are not passed on to subsequent blocks, but if one block is lost, all subsequent blocks are invalidated (synchronization error).

CBC effectively ensures the integrity of ciphertext. If a data block is lost or changed during transmission, subsequent data cannot be decrypted.

Incidentally, CBC is used all the time as a protection against eavesdropping.
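The difference between the two modes can be seen directly with openssl. This is an added example, not the article's own code: the key and first IV are the values from the terminal commands below, written out zero-padded to 16 bytes, while the second IV and the plaintext are constructed.

```sh
#!/bin/sh
# Added example. KEY and IV1 are the article's -K 616263 and
# -iv 0102030405060708 written out zero-padded to 16 bytes; IV2 and the
# plaintext are constructed.
KEY=61626300000000000000000000000000
IV1=01020304050607080000000000000000
IV2=a0a1a2a3a4a5a6a7a8a9aaabacadaeaf
BLOCK='AMOUNT=000100.00'        # exactly 16 bytes = one AES block
PT="$BLOCK$BLOCK"               # the same block twice

# -v stops od from collapsing repeated lines, which ECB output would trigger
to_hex() { od -An -v -tx1 | tr -d ' \n'; }

ecb_hex() {                     # PLAINTEXT -> ciphertext hex
  printf '%s' "$1" | openssl enc -aes-128-ecb -K "$KEY" -nosalt | to_hex
}
cbc_hex() {                     # IV PLAINTEXT -> ciphertext hex
  printf '%s' "$2" | openssl enc -aes-128-cbc -iv "$1" -K "$KEY" -nosalt | to_hex
}
# block N HEX -> the Nth 16-byte ciphertext block (32 hex digits), 1-based
block() {
  printf '%s' "$2" | cut -c"$(( ($1 - 1) * 32 + 1 ))-$(( $1 * 32 ))"
}

demo() {
  e=$(ecb_hex "$PT"); c1=$(cbc_hex "$IV1" "$PT"); c2=$(cbc_hex "$IV2" "$PT")
  echo "ECB  block1=$(block 1 "$e")"
  echo "ECB  block2=$(block 2 "$e")   <- identical: repetition is visible"
  echo "CBC1 block1=$(block 1 "$c1")"
  echo "CBC1 block2=$(block 2 "$c1")   <- chained, so different"
  echo "CBC2 block1=$(block 1 "$c2")   <- new IV, new ciphertext"
}
demo
```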



Terminal command

Encryption, AES(ECB) encrypts the “hello” string

$ echo -n hello | openssl enc -aes-128-ecb -K 616263 -nosalt | base64

Decryption, AES(ECB) decryption

$ echo -n d1QG4T2tivoi0Kiu3NEmZQ== | base64 -D | openssl enc -aes-128-ecb -K 616263 -nosalt -d

Encryption, AES(CBC) encrypts the “hello” string

$ echo -n hello | openssl enc -aes-128-cbc -iv 0102030405060708 -K 616263 -nosalt | base64

Decryption, AES(CBC) decryption

$ echo -n u3W/N816uzFpcg6pZ+KBDG== | base64 -D | openssl enc -aes-128-cbc -iv 0102030405060708 -K 616263 -nosalt -d