A Study of Salting Method for Image Protection
AHMAD FAEEZ LUKMAN 51262111325
Bachelor of Engineering Technology in Data Communications
Advisor: Miss Siti Hajar Ab Aziz (SHAA)
#Introduction
Password Protection - to ensure sensitive information is protected at all times from any kind of attack or breach.
Other than passwords, other important data that needs to be protected over the internet are templates. This includes any images and biometrics (fingerprints, face, iris, voice).
Cryptography - the science of converting plain text from a readable state into secret code by using certain algorithms.
Hash Functions - the most common algorithms used to encrypt passwords.
 - A fixed-length hash value is computed from the plaintext, and the process is a one-way function.
Salt - covers up weaknesses produced by the hashes.
 - Consists of random bits that are added on to the original plaintext, making it long enough before being converted into a hash.
#Literature Review
In the journal article Biometric Template Security (January 2008), Anil K. Jain, Karthik Nandakumar and Abhishek Nagar state that images or templates are protected on both the encryption and decryption sides, based on key matching and the correct filename, and that the security of the salting technique rests on the confidentiality of the password.
The author of the website Martijn's C# Programming Blog, in a post titled Creating Salted Hash Passwords in C#, mentions that the salting technique requires hackers to re-calculate the dictionary for each user password, thus greatly increasing the attack time.
#Problem Statement
Images that are not securely kept in a server's database can easily be captured by hackers and are subject to manipulation.
Images are usually encrypted with unsalted passwords, which are highly vulnerable to a hacker's attack (recent event: LinkedIn website hacked).
This project aims to implement the salting method in the passwords that secure images kept in a database.
#Methodology
Flowchart:
1. START
2. RESEARCH AND LEARNING PROCESS
3. CREATING SALT AND HASH ALGORITHMS
4. IMPLEMENTATION OF ALGORITHMS IN MATLAB GUI
5. IS ENCRYPTION AND DECRYPTION SUCCESSFUL? (NO: loop back; YES: continue)
6. PERFORMANCE EVALUATION: PERFORM A DEMO ATTACK
7. IS ATTACK SUCCESSFUL? (YES: loop back; NO: continue)
8. PRODUCING FINAL REPORT
9. END
Image protection flow (diagram):
Storing an image:
1. User uploads image and password (Password: "hello").
2. Salt is applied on the password.
3. Password+Salt is converted into a hash value: hash("hello" + "QxLUF1bgIAdeQX") = 9e209040c863f84a31e719795b2577523954739fe5ed3b58a75cff2127075ed1
4. Image is "lock"ed by the server with password "hello" + "QxLUF1bgIAdeQX".
5. Hash value is stored in the server database.
Retrieving an image:
1. User inserts password to login and retrieve image.
2. Password inserted is "hello"; it is salted and hashed again, and compared with the stored hash value.
3. User can login.
Expected Result:
Encryption: User inserts image and sets plain password.
Decryption: User types in password, and the image inserted earlier should be displayed.
Attack: Attack should not be successful in gaining password hashes from the database.

Example of salting and hashing
Password  Salt            Hash (Password+Salt)
hello     (none)          2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
hello     QxLUF1bgIAdeQX  9e209040c863f84a31e719795b2577523954739fe5ed3b58a75cff2127075ed1
hello     bv5PehSMfV11Cd  d1d3ec2e6f20fd420d50e2642992841d8338a314b8ea157c9e18477aaef226ab
hello     YYLmfY6IehjZMQ  a49670c3c18b9e079b9cfaf51634f563dc8ae3070db2c4a8544305df1b60f007
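The login flow and the dictionary argument from the literature review, as an added Python example that is not part of the original slides. SHA-256 is an assumption (the slides do not name the hash function, though the unsalted "hello" row matches it), and the user names, wordlist and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def hash_password(password: str, salt: str = "") -> str:
    """hash(password + salt) as on the slide; SHA-256 is an assumption."""
    return hashlib.sha256((password + salt).encode("utf-8")).hexdigest()

def register(password: str) -> dict:
    """Build the record the server stores: a fresh random salt plus the hash."""
    salt = secrets.token_urlsafe(12)  # 16 characters, unique per user
    return {"salt": salt, "hash": hash_password(password, salt)}

def verify(record: dict, attempt: str) -> bool:
    """Re-salt and re-hash the attempt, then compare in constant time."""
    return hmac.compare_digest(hash_password(attempt, record["salt"]), record["hash"])

def lookup_attack(stored_hashes: dict, wordlist: list) -> dict:
    """Audit check: which stored hashes fall to ONE precomputed unsalted table?"""
    table = {hash_password(word): word for word in wordlist}
    return {user: table[h] for user, h in stored_hashes.items() if h in table}

def per_user_guesses(records: dict, wordlist: list) -> int:
    """Hash computations needed once salts force a separate pass per user."""
    guesses = 0
    for record in records.values():
        for word in wordlist:
            guesses += 1
            if verify(record, word):
                break
    return guesses

# Constructed sample data: three users, two sharing the password "hello".
WORDLIST = ["123456", "password", "hello", "letmein"]
PASSWORDS = {"alice": "hello", "bob": "hello", "carol": "letmein"}
UNSALTED = {u: hash_password(p) for u, p in PASSWORDS.items()}
SALTED = {u: register(p) for u, p in PASSWORDS.items()}

if __name__ == "__main__":
    print("unsalted, found by one table:", lookup_attack(UNSALTED, WORDLIST))
    print("salted, found by same table: ",
          lookup_attack({u: r["hash"] for u, r in SALTED.items()}, WORDLIST))
    print("same password, distinct hashes:",
          SALTED["alice"]["hash"] != SALTED["bob"]["hash"])
    print("per-user guesses with salts:", per_user_guesses(SALTED, WORDLIST))
```

A single SHA-256 call is used only to mirror the table above; a deployed system would use a deliberately slow password hash such as PBKDF2 (`hashlib.pbkdf2_hmac`) so that each per-user guess is also expensive.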
#Conclusion
At this stage, I have learned through research and findings that implementing the salting method in a password can add an extra layer of security to the password and everything connected to it (images, personal information, sensitive information, etc.).
The salting method is not 100% safe and is not uncrackable, but the hacker will certainly need much more time and cost to brute-force every single password in a database one by one, instead of building a lookup table beforehand.
The next part of the project will be further research, learning and implementing image protection using the salting method in a MATLAB GUI, along with a demo password attack. The user-friendly GUI should enable users to enter a password to protect an image, and later enter the same password to retrieve the image.
#Reference
1. Jain, A. K., Nandakumar, K., & Nagar, A. (2008). EURASIP Journal on Advances in Signal Processing, Special Issue on Biometrics: Biometric Template Security.
2. Ke, Y., Sukthankar, R., Huston, L. (2003). Efficient Near-duplicate Detection and Sub-image Retrieval. Intel.
3. Creating Salted Hash Password in C#. (2008, December). Retrieved from http://www.dijksterhuis.org/creating-salted-hash-values-in-c/
4. Kessler, G. C. (2012, July 17). An Overview of Cryptography. Retrieved from http://www.garykessler.net/library/crypto.html#hash
5. Ferguson, N. & Schneier, B. (2003). Practical Cryptography. Wiley Publishing Inc.
6. Ullrich, J. (2011, June 28). Hashing Passwords. Retrieved from http://www.dshield.org/diary.html?storyid=11110
7. Creating Salted Hash Passwords in C#. (2008, December 9). Retrieved from http://www.dijksterhuis.org/creating-salted-hash-values-in-c/