The document discusses the RSA algorithm for cryptography. It begins by explaining that RSA was created by Ron Rivest, Adi Shamir, and Leonard Adleman in 1977. It uses logarithmic functions to encrypt and decrypt data in a way that is difficult to break, even with powerful computers. RSA can encrypt generic data to enable secure sharing and can verify digital signatures. It works using a public key that encrypts data and a private key that decrypts it. The document then provides examples of how RSA encryption works step-by-step using prime numbers to generate keys. It discusses the security of RSA and how increasing the key size makes it more difficult to break through brute force attacks or factorization. Proper key management is
1. CRYPTOGRAPHY
RSA ALGORITHM
What Is RSA Algorithm in Cryptography?
A public-key signature algorithm called RSA was created by Ron Rivest, Adi Shamir, and
Leonard Adleman. The algorithm, which was first described in their 1977 publication, makes use of
logarithmic functions to maintain the working complicated enough to withstand brute force attacks
while being streamlined and quick after deployment. The graphic below demonstrates how it uses the
RSA approach to validate digital signatures.
Along with handling the verification of digital signatures, RSA can also encrypt and decrypt
generic data to enable secure data sharing. Along with handling the verification of digital signatures,
RSA can also encrypt and decrypt generic data to enable secure data sharing.
It uses the opposite key set while encrypting and decrypting generic data with RSA. In contrast
to signature verification, it encrypts data using the recipient's public key and decrypts it using the
recipient's private key. Therefore, in this situation, no keys need to be exchanged.
2. When it comes to RSA cryptography, there are two parts:
Key generation is the process of creating the keys that will be used to encrypt and decode the
data that will be transferred.
The function of encryption and decryption: The procedures to be followed when data needs
to be recovered after being scrambled.
Both the public and the private keys in RSA cryptography can be used to encrypt a
message. The key used to decrypt a message is the opposite of the key used to encrypt it. RSA's ability
to guarantee the secrecy, integrity, authenticity, and non-repudiation of electronic communications
and data storage is one of the reasons it has grown to be the most popular asymmetric algorithm.
RSA is used for encryption and digital signature capabilities in numerous protocols,
including Secure Shell (SSH), OpenPGP, S/MIME, and SSL/TLS. Additionally, it is used in software
programs. Browsers are a prime example of this since they frequently need to validate digital
signatures or create safe connections over unreliable networks like the internet. One of the most often
carried out operations in network-connected systems is the verification of an RSA signature.
Since it is challenging to factor huge integers that are the product of two large prime
numbers, RSA is secure. These two numbers multiply easily, but extracting the original prime
numbers from the sum, or factoring, is thought to be impractical due to the time required, even with
today's supercomputers.
The most challenging aspect of RSA cryptography is the algorithm used to generate public
and private keys. The Rabin-Miller primality test procedure yields two enormous prime numbers, p,
and q. Calculating a modulus, n, requires multiplying p and q. The connection between the public and
private keys is made possible by the usage of this number. The key length is the length of the key,
which is often given in bits.
The public key is made up of a public exponent, e, and a modulus, n, which is typically
chosen at 65537 because it is a manageable prime number. Given that everyone has access to the
public key, the e-figure doesn't have to be a prime number that was privately chosen.
The Extended Euclidean algorithm is used to calculate the multiplicative inverse about the
totient of the modulus n and the private exponent d, which make up the private key.
3. RSA algorithm is an asymmetric cryptography algorithm. Asymmetric actually means
that it works on two different keys i.e. Public Key and Private Key. As the name describes that the
Public Key is given to everyone and the Private key is kept private.
An example of asymmetric cryptography:
A client (for example browser) sends its public key to the server and requests some data.
The server encrypts the data using the client’s public key and sends the encrypted data.
The client receives this data and decrypts it.
Since this is asymmetric, nobody else except the browser can decrypt the data even if a
third party has the public key of the browser.
RSA algorithm uses the following procedure to generate public and private keys:
o Select two large prime numbers, p and q.
o Multiply these numbers to find n = p x q, where n is called the modulus for encryption and
decryption.
o Choose a number e less than n, such that n is relatively prime to (p - 1) x (q -1). It means that e and (p
- 1) x (q - 1) have no common factor except 1. Choose "e" such that 1<e < φ (n), e is prime to φ (n),
gcd (e,d(n)) =1
o If n = p x q, then the public key is <e, n>. A plaintext message m is encrypted using public key <e,
n>. To find ciphertext from the plain text following formula is used to get ciphertext C.
C=me
modn
4. o Here, m must be less than n. A larger message (>n) is treated as a concatenation of messages, each of
which is encrypted separately.
o To determine the private key, we use the following formula to calculate the d such that:
De mod{(p-1)x(q-1)}=1
Or
De mod φ (n) = 1
o The private key is <d, n>. A ciphertext message c is decrypted using private key <d, n>. To calculate
plain text m from the ciphertext c following formula is used to get plain text m.
m = cd mod n
Let's take some example of RSA encryption algorithm:
Example 1:
This example shows how we can encrypt plaintext 9 using the RSA public-key encryption algorithm.
This example uses prime numbers 7 and 11 to generate the public and private keys.
Explanation:
Step 1: Select two large prime numbers, p, and q.
p = 7
q = 11
Step 2: Multiply these numbers to find n = p x q, where n is called the modulus for encryption and
decryption.
First, we calculate
n = p x q
n = 7 x 11
n = 77
Step 3: Choose a number e less that n, such that n is relatively prime to (p - 1) x (q -1). It means
that e and (p - 1) x (q - 1) have no common factor except 1. Choose "e" such that 1<e < φ (n), e is
prime to φ (n), gcd (e, d (n)) =1.
5. Second, we calculate
φ (n) = (p - 1) x (q-1)
φ (n) = (7 - 1) x (11 - 1)
φ (n) = 6 x 10
φ (n) = 60
Let us now choose relative prime e of 60 as 7.
Thus the public key is <e, n> = (7, 77)
Step 4: A plaintext message m is encrypted using public key <e, n>. To find ciphertext from the plain
text following formula is used to get ciphertext C.
To find ciphertext from the plain text following formula is used to get ciphertext C.
C = me mod n
C = 97
mod 77
C = 37
Step 5: The private key is <d, n>. To determine the private key, we use the following formula d such
that:
De mod {(p - 1) x (q - 1)} = 1
7d mod 60 = 1, which gives d = 43
The private key is <d, n> = (43, 77)
Step 6: A ciphertext message c is decrypted using private key <d, n>. To calculate plain text m from
the ciphertext c following formula is used to get plain text m.
m = cd mod n
m = 3743
mod 77
m = 9
In this example, Plain text = 9 and the ciphertext = 37
6. Example 2:
A RSA cryptosystem uses two prime numbers 3 and 13 to generate the public key= 3 and the private
key = 7. What is the value of cipher text for a plain text?
Explanation:
Step 1: In the first step, select two large prime numbers, p and q.
p = 3
q = 13
Step 2: Multiply these numbers to find n = p x q, where n is called the modulus for encryption and
decryption.
First, we calculate
n = p x q
n = 3 x 13
n = 39
Step 3: If n = p x q, then the public key is <e, n>. A plaintext message m is encrypted using public
key <e, n>. Thus the public key is <e, n> = (3, 39).
To find ciphertext from the plain text following formula is used to get ciphertext C.
C = me mod n
C = 53
mod 39
C = 125 mod 39
C = 8
Hence, the ciphertext generated from plain text, C = 8.
7. SECURITY OF RSA:
These are explained as following below
1. Plain text attacks:
It is classified into 3 subcategories:-
Short message attack:
In this we assume that attacker knows some blocks of plain text and tries to decode cipher
text with the help of that. So, to prevent this pad the plain text before encrypting.
Cycling attack:
In this attack, the attacker thinks that the cipher text has been generated by using some
permutation. He uses all possible permutations of plain text to decipher the cipher text by
‘cycling’ the permutations.
Unconcealed Message attack:
Sometimes it happens that plain text is same as cipher text after encryption. So it must be
checked or it will be of no use as the attacker will see right through it.
8. 2. Chosen cipher attack:
In this attacker is able to find out plain text based on cipher text using the Extended
Euclidean Algorithm.
3. Factorization attack:
If the attacker is able to know P and Q using N, then he can find out value of private key.
This fails when N contains at least 300 longer digits in decimal terms, attacker will not able to find
it. Hence this is infeasible for larger numbers.
4. Attacks on Encryption key:
If we take smaller value of E in RSA this may occur so to avoid this take value of E =
2^16+1 (at least).
5. Attacks on Decryption key:
Revealed decryption exponent attack:
If attacker somehow guess decryption key D, not only the cipher text generated by
encryption the plain text with corresponding encryption key is in danger, but even future
messages are also in danger. So, it is advised to take fresh values of two prime numbers (i.e.: P
and Q), N and E.
Low decryption exponent attack:
If we take smaller value of D in RSA this may occur so to avoid this take value of D =
2^16+1(at least).
Four possible approaches to attacking the RSA algorithm are
Brute force: This involves trying all possible private keys.
Mathematicalattacks:Thereareseveralapproaches,allequivalentineffortto
factoring the product of two primes.
Timingattacks:Thesedependontherunningtimeofthedecryptionalgorithm.
Chosen ciphertext attacks: This type of attack exploits properties of the RSA algorithm.
The defense against the brute-force approach is the same for RSA as for other
cryptosystems, namely, to use a large key space. Thus, the larger the number of
bits in d, the better. However, because the calculations involved, both in key generation and inen
cryption/decryption, are complex, the larger the size of the key, the slower thesystem will run.
9. KEY MANAGEMENT:
Cryptographic keys are a vital part of any security system. They do everything from
data encryption and decryption to user authentication. The compromise of any cryptographic key
could lead to the collapse of an organization’s entire security infrastructure, allowing the attacker to
decrypt sensitive data, authenticate themselves as privileged users, or give themselves access to other
sources of classified information. Luckily, proper management of keys and their related components
can ensure the safety of confidential information. Key Management is the process of putting certain
standards in place to ensure the security of cryptographic keys in an organization. Key Management
deal with the creation, exchange, storage, deletion, and refreshing of keys. They also deal with the
members access of the keys.
Why is Key Management Important ?
Key management forms the basis of all data security. Data is encrypted and decrypted via
the use of encryption keys, which means the loss or compromise of any encryption key would
invalidate the data security measures put into place. Keys also ensure the safe transmission of data
across an Internet connection. With authentication methods, like code signing, attackers could
pretend to be a trusted service like Microsoft, while giving victim’s computers malware, if they steal
a poorly protected key. Keys provide compliance with certain standards and regulations to ensure
companies are using best practices when protecting cryptographic keys. Well protected keys are only
accessible by users who need them.
Types of Keys:
There are two types of cryptographic keys, symmetric and asymmetric keys. Symmetric
keys deal with data-at-rest, which is data stored in a static location, such as a database. Symmetric
key encryption uses the same key for both encryption and decryption. Using data in a database as an
example, while the data is stored in the database, it is encrypted with the symmetric key. Once an
authorized user attempts to access the data, the information is decrypted with the same symmetric
key and made accessible to the user. The other type of cryptographic key is an asymmetric key.
10. Encryption using asymmetric keys is a little more complicated than symmetric key
encryption. Instead of using the same key for both encryption and decryption, two separate keys called
a public and private key, are used for the encryption and decryption of data. These keys are created
as a pair, so that they relate to each other. The public key of a pair of asymmetric keys is mainly used
to encrypt data. This key can be shared with anyone since it encrypts, not decrypts, data. The private
key is used for the decryption of data encrypted by its public key counterpart, so it must stay secure.
Asymmetric keys focus on encrypting data-in-motion. Data-in-motion is data sent across a
network connection, whether it be a public or private connection. When transporting sensitive data,
most encryption processes use both symmetric and asymmetric keys to encrypt data.
The data is first encrypted-at-rest by a symmetric encryption key.
The symmetric key is now encrypted by the public key of the person who the data is being
sent to. That encrypted symmetric key and the ciphertext are sent to the recipient of the data.
Once the ciphertext and key reach the recipient, the symmetric key is decrypted by that user’s
private key, and the ciphertext is decrypted.
11. Key management follows a lifecycle of operations which are needed to ensure the key is
created, stored, used, and rotated securely. Most cryptographic keys follow a lifecycle which involves
key
Generation
Distribution
Use
Storage
Rotation
Backup/Recovery
Revocation
Destruction
The generation of a key is the first step in ensuring that key is secure. If the key in question
is generated with a weak encryption algorithm, then any attacker could easily discover the value of
the encryption key. Also, if the key is generated in an insecure location, the key could be
compromised as soon as it is created, resulting in a key that cannot be safely used for encryption. Key
generators, AES encryption algorithms, or random number generators tend to be used for secure key
generation.
The next step of the key lifecycle is ensuring the safe distribution of the keys. Keys should
be distributed to the required user via a secure TLS or SSL connection, to maintain the security of the
keys being distributed. If an insecure connection is used to distribute the cryptographic keys, then the
security of any data encrypted by these keys is in question, as an attacker could execute a man-in-the-
middle attack and steal the keys.
After distribution of the key, it is used for cryptographic operations. As previously noted,
the key should only be used by authorized users, to make certain the key is not misused, copied, etc.
When the key is used to encrypt data, it must then be stored for later decryption. The most secure
method is via a Hardware Security Module (HSM) or CloudHSM. If an HSM is not used, then the
keys can either be securely stored on the client’s side, or, if the keys are used on the Cloud, then the
Cloud Service Provider’s Key Management Service can be used.
12. First the data is decrypted by the old key or key pair and then encrypted by the new key or
key pair. Rotation is necessary because the longer a key is in rotation, the more chance there is for
someone to steal or find out the key. Rotation of keys can happen before the cryptoperiod expires in
cases where the key is suspected to be compromised.
Two other ways of dealing with a compromised key are revoking or destroying the key in
question. Revoking a key means the key can no longer be used to encrypt or decrypt data, even if its
cryptoperiod is still valid. Destroying a key, whether that is due to compromise or due to it no longer
being used, deletes the key permanently from any key manager database or other storage method.
This makes it impossible to recreate the key, unless a backup image is used. NIST standards require
that deactivated keys be kept in an archive, to allow for reconstruction of the keys if data encrypted
in the past must now be decrypted by that key or key pair.
13. SECURE HASH ALGORITHM
Secure Hash Algorithms, also known as SHA, are a family of cryptographic functions
designed to keep data secured. It works by transforming the data using a hash function: an algorithm
that consists of bitwise operations, modular additions, and compression functions. The hash function
then produces a fixed-size string that looks nothing like the original. These algorithms are designed
to be one-way functions, meaning that once they’re transformed into their respective hash values, it’s
virtually impossible to transform them back into the original data. A few algorithms of interest are
SHA-1, SHA-2, and SHA-3, each of which was successively designed with increasingly stronger
encryption in response to hacker attacks. SHA-0, for instance, is now obsolete due to the widely
exposed vulnerabilities.
A common application of SHA is to encrypting passwords, as the server side only needs
to keep track of a specific user’s hash value, rather than the actual password. This is helpful in case
an attacker hacks the database, as they will only find the hashed functions and not the actual
passwords, so if they were to input the hashed value as a password, the hash function will convert it
into another string and subsequently deny access. Additionally, SHAs exhibit the avalanche effect,
where the modification of very few letters being encrypted causes a big change in output; or
conversely, drastically different strings produce similar hash values. This effect causes hash values
to not give any information regarding the input string, such as its original length. In addition, SHAs
are also used to detect the tampering of data by attackers, where if a text file is slightly changed and
barely noticeable, the modified file’s hash value will be different than the original file’s hash value,
and the tampering will be rather noticeable.
SHA Characteristics
One-way Function
Alice and Bob are pen pals who share their thoughts via mail. When Alice visited Bob, she
gave him a phone book of her city. In order to keep their messages safe from intruders, Alice tells
Bob that she will encrypt the message. She tells Bob that he will find a bunch of numbers on every
letter, and each sequence of numbers represents a phone number. Bob’s job is to find the phone
number in the book and write down the first letter of the person’s last name. With this function, Bob
is to decrypt the entire message.
14. To decrypt the message, Bob has to read the entire phone book to find all the numbers on the
letter, whereas Alice can quickly find the letters and their respective phone numbers in order to encrypt
her message. For this reason, before Bob is able to decrypt the message by hand, Alice can re-hash the
message and keep the data secure. This makes Alice’s algorithm a one-way function.
The second safety characteristic is called second pre-image resistance, granted by SHA when
a message is known, m1, yet it’s hard to find another message, m2, that hashes to the same value: Hm1
=Hm2. Without this characteristic, two different passwords would yield the same hash value, deeming
the original password unnecessary in order to access secured data.
The last safety characteristic is collision resistance, which is provided by algorithms that make
it extremely hard for an attacker to find two completely different messages that hash to the same hash
value: Hm1=Hm2. In order to provide this characteristic, there must be a similar number of possible
inputs to possible outputs, as more inputs than outputs, by the pigeonhole principle, will definitively
incur potential collisions.
For this reason, collision resistance is necessary, as it implies that finding two inputs that hash
to the same hash value is extremely difficult. Without collision resistance, digital signatures can be
compromised as finding two messages that produce the same hash value may make users believe two
documents were signed by two different people when one person was able to produce a different
document with the same hash value.
Recent cryptographic functions have stronger security characteristics to block off recently
developed techniques such as length extension attacks, where given a hash value, hash(m), and the
length of the original message, m, an attacker can find a message, ’m’, and calculate the hash value of
the concatenation of the original message and the new message: hash (m∣∣m’).
As a general guideline, a hash function should be as seemingly random as possible while still
being deterministic and fast to compute.
15. SHA-1:
Secure Hash Algorithm 1, or SHA-1, was developed in 1993 by the U.S. government's
standards agency National Institute of Standards and Technology (NIST). It is widely used in security
applications and protocols, including TLS, SSL, PGP, SSH, IPsec, and S/MIME.
SHA-1 works by feeding a message as a bit string of length less than 264264 bits, and
producing a 160-bit hash value known as a message digest. Note that the message below is represented
in hexadecimal notation for compactness.
There are two methods to encrypt messages using SHA-1. Although one of the methods saves
the processing of sixty-four 32-bit words, it is more complex and time-consuming to execute, so the
simple method is shown in the example below. At the end of the execution, the algorithm outputs blocks
of 16 words, where each word is made up of 16 bits, for a total of 256 bits.
Albeit SHA-1 is still widely used, cryptanalysts in 2005 were able to find vulnerabilities on this
algorithm that detrimentally compromised its security. These vulnerabilities came in the form of an
algorithm that speedily finds collisions with different inputs, meaning that two distinct inputs map to
the same digest .
As of 2010, many organizations have recommended its replacement by SHA-2 or SHA-3.
Companies like Microsoft, Google, or Mozilla have announced that their browsers will stop accepting
SHA-1 encryption certificates by 2017.
EXAMPLE:
Below program shows the implementation of SHA-1 hash in Java
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
public class GFG {
public static String encryptThisString(String input)
{
try {
16. // getInstance() method is called with algorithm SHA-1
MessageDigest md = MessageDigest.getInstance("SHA-1");
// digest() method is called
// to calculate message digest of the input string
// returned as array of byte
byte[] messageDigest = md.digest(input.getBytes());
// Convert byte array into signum representation
BigInteger no = new BigInteger(1, messageDigest);
// Convert message digest into hex value
String hashtext = no.toString(16);
// Add preceding 0s to make it 32 bit
while (hashtext.length() < 32) {
hashtext = "0" + hashtext;
}
// return the HashText
return hashtext;
}
// For specifying wrong message digest algorithms
catch (NoSuchAlgorithmException e) {
throw new RuntimeException(e);
}
}
// Driver code
public static void main(String args[]) throws
NoSuchAlgorithmException
{
System.out.println("HashCode Generated by SHA-1 for: ");
String s1 = "GeeksForGeeks";
System.out.println("n" + s1 + " : " + encryptThisString(s1));
String s2 = "hello world";
System.out.println("n" + s2 + " : " + encryptThisString(s2));
}
}
17. SHA-2:
Due to the exposed vulnerabilities of SHA-1, cryptographers modified the algorithm to produce
SHA-2, which consists of not one but two hash functions known as SHA-256 and SHA-512, using 32- and
64-bit words, respectively. There are additional truncated versions of these hash functions, known as SHA-
224, SHA-384, SHA-512/224, and SHA-512/256, which can be used for either part of the algorithm.
SHA-1 and SHA-2 differ in several ways; mainly, SHA-2 produces 224- or 256-sized digests,
whereas SHA-1 produces a 160-bit digest; SHA-2 can also have block sizes that contain 1024 bits, or 512
bits, like SHA-1.
Brute force attacks on SHA-2 are not as effective as they are against SHA-1. A brute force search
for finding a message that corresponds to a given digest of length L using brute force would
require 2L evaluations, which makes SHA-2 a lot safer against these kinds of attacks.
Features of Hash Functions:
The typical features of hash functions are
Fixed Length Output (Hash Value)
Hash function coverts data of arbitrary length to a fixed length. This process is often referred to
as hashing the data.
In general, the hash is much smaller than the input data, hence hash functions are sometimes
called compression functions.
Since a hash is a smaller representation of a larger data, it is also referred to as a digest.
Hash function with n bit output is referred to as an n-bit hash function. Popular hash functions
generate values between 160 and 512 bits.
Efficiency of Operation
Generally for any hash function h with input x, computation of h(x) is a fast operation.
Computationally hash functions are much faster than a symmetric encryption.
18. MD5 ALGORITHM
MD5 is a cryptographic hash function algorithm that takes the message as input of any
length and changes it into a fixed-length message of 16 bytes. MD5 algorithm stands for
the message-digest algorithm. MD5 was developed as an improvement of MD4, with advanced
security purposes. The output of MD5 (Digest size) is always 128 bits. MD5 was developed in 1991
by Ronald Rivest.
Use Of MD5 Algorithm:
It is used for file authentication.
In a web application, it is used for security purposes. e.g. Secure password of users etc.
Using this algorithm, We can store our password in 128 bits format.
Working of the MD5 Algorithm:
MD5 algorithm follows the following steps
1. Append Padding Bits: In the first step, we add padding bits in the original message in such a
way that the total length of the message is 64 bits less than the exact multiple of 512.
Suppose we are given a message of 1000 bits. Now we have to add padding bits to the original
message. Here we will add 472 padding bits to the original message. After adding the padding bits
the size of the original message/output of the first step will be 1472 i.e. 64 bits less than an exact
multiple of 512 (i.e. 512*3 = 1536).
Length(original message + padding bits) = 512 * i – 64 where i = 1,2,3 . . .
19. 2. Append Length Bits: In this step, we add the length bit in the output of the first step in such a
way that the total number of the bits is the perfect multiple of 512. Simply, here we add the 64-bit
as a length bit in the output of the first step.
i.e. output of first step = 512 * n – 64
length bits = 64.
After adding both we will get 512 * n i.e. the exact multiple of 512.
3. Initialize MD buffer: Here, we use the 4 buffers i.e. J, K, L, and M. The size of each buffer is
32 bits.
J = 0x67425301
K = 0xEDFCBA45
L = 0x98CBADFE
M = 0x13DCE476
4. Process Each 512-bit Block: This is the most important step of the MD5 algorithm. Here, a total
of 64 operations are performed in 4 rounds. In the 1st round, 16 operations will be performed, 2nd
round 16 operations will be performed, 3rd round 16 operations will be performed, and in the 4th
round, 16 operations will be performed. We apply a different function on each round i.e. for the 1st
round we apply the F function, for the 2nd G function, 3rd for the H function, and 4th for the I
function.
We perform OR, AND, XOR, and NOT (basically these are logic gates) for calculating functions.
We use 3 buffers for each function i.e. K, L, M.
F(K,L,M) = (K AND L) OR (NOT K AND M)
G(K,L,M) = (K AND L) OR (L AND NOT M)
H(K,L,M) = K XOR L XOR M
I(K,L,M) = L XOR (K OR NOT M)
20. After applying the function now we perform an operation on each block. For performing
operations we need
add modulo 232
M[i] – 32 bit message.
K[i] – 32-bit constant.
<<<n – Left shift by n bits.
Now take input as initialize MD buffer i.e. J, K, L, M. Output of K will be fed in L, L will
be fed into M, and M will be fed into J. After doing this now we perform some operations to find
the output for J.
In the first step, Outputs of K, L, and M are taken and then the function F is applied to
them. We will add modulo 232
bits for the output of this with J.
In the second step, we add the M[i] bit message with the output of the first step.
Then add 32 bits constant i.e. K[i] to the output of the second step.
At last, we do left shift operation by n (can be any value of n) and addition modulo by 232
.
After all steps, the result of J will be fed into K. Now same steps will be used for all functions G, H,
and I. After performing all 64 operations we will get our message digest.
Output:
After all, rounds have been performed, the buffer J, K, L, and M contains the MD5 output starting
with the lower bit J and ending with Higher bits M.
Code:
# importing the required libraries
import hashlib
inputstring = "This is a message sent by a computer user."
# encoding the message using the library function
output = hashlib.md5(inputstring.encode())
# printing the hash function
print("Hash of the input string:")
print(output.hexdigest())
21. Output:
Hash of the input string:
922547e866c89b8f677312df0ccec8ee
Application Of MD5 Algorithm:
We use message digest to verify the integrity of files/ authenticates files.
MD5 was used for data security and encryption.
It is used to Digest the message of any size and also used for Password verification.
For Game Boards and Graphics.
Advantages of MD5 Algorithm:
MD5 is faster and simple to understand.
MD5 algorithm generates a strong password in 16 bytes format. All developers like web
developers etc use the MD5 algorithm to secure the password of users.
To integrate the MD5 algorithm, relatively low memory is necessary.
It is very easy and faster to generate a digest message of the original message.
Disadvantages of MD5 Algorithm:
MD5 generates the same hash function for different inputs.
MD5 provides poor security over SHA1.
MD5 has been considered an insecure algorithm. So now we are using SHA256 instead of
MD5
MD5 is neither a symmetric nor asymmetric algorithm.
22. WEB SECURITY
Web Security is very important nowadays. Websites are always prone to security
threats/risks. Web Security deals with the security of data over the internet/network or web or while
it is being transferred to the internet. For e.g. when you are transferring data between client and
server and you have to protect that data that security of data is your web security.
Hacking a Website may result in the theft of Important Customer Data, it may be the credit
card information or the login details of a customer or it can be the destruction of one’s business and
propagation of illegal content to the users while somebody hacks your website they can either steal
the important information of the customers or they can even propagate the illegal content to your
users through your website so, therefore, security considerations are needed in the context of web
security.
Security Threats:
A Threat is nothing but a possible event that can damage and harm an information system.
Security Threat is defined as a risk that which, can potentially harm Computer systems &
organizations. Whenever an Individual or an Organization creates a website, they are vulnerable to
security attacks.
Security attacks are mainly aimed at stealing altering or destroying a piece of personal and
confidential information, stealing the hard drive space, and illegally accessing passwords. So
whenever the website you created is vulnerable to security attacks then the attacks are going to steal
your data alter your data destroy your personal information see your confidential information and
also it accessing your password.
Top Web Security Threats :
Web security threats are constantly emerging and evolving, but many threats consistently appear at
the top of the list of web security threats. These include:
Cross-site scripting (XSS)
SQL Injection
Phishing
Ransomware
Code Injection
Viruses and worms
Spyware
Denial of Service
23. Security Consideration:
Updated Software: You need to always update your software. Hackers may be aware of
vulnerabilities in certain software, which are sometimes caused by bugs and can be used to damage
your computer system and steal personal data. Older versions of software can become a gateway for
hackers to enter your network. Software makers soon become aware of these vulnerabilities and will
fix vulnerable or exposed areas. That’s why It is mandatory to keep your software updated, It plays
an important role in keeping your personal data secure.
Beware of SQL Injection: SQL Injection is an attempt to manipulate your data or your database
by inserting a rough code into your query. For e.g. somebody can send a query to your website and
this query can be a rough code while it gets executed it can be used to manipulate your database
such as change tables, modify or delete data or it can retrieve important information also so, one
should be aware of the SQL injection attack.
Cross-Site Scripting (XSS): XSS allows the attackers to insert client-side script into web pages.
E.g. Submission of forms. It is a term used to describe a class of attacks that allow an attacker to
inject client-side scripts into other users’ browsers through a website. As the injected code enters
the browser from the site, the code is reliable and can do things like sending the user’s site
authorization cookie to the attacker.
Error Messages: You need to be very careful about error messages which are generated to give the
information to the users while users access the website and some error messages are generated due
to one or another reason and you should be very careful while providing the information to the users.
For e.g. login attempt – If the user fails to login the error message should not let the user know
which field is incorrect: Username or Password.
24. Data Validation: Data validation is the proper testing of any input supplied by the user or
application. It prevents improperly created data from entering the information system. Validation of
data should be performed on both server-side and client-side. If we perform data validation on both
sides that will give us the authentication. Data validation should occur when data is received from
an outside party, especially if the data is from untrusted sources.
Password: Password provides the first line of defense against unauthorized access to your device
and personal information. It is necessary to use a strong password. Hackers in many cases use
sophisticated software that uses brute force to crack passwords. Passwords must be complex to
protect against brute force. It is good to enforce password requirements such as a minimum of eight
characters long must including uppercase letters, lowercase letters, special characters, and numerals.
Secure socket Layer (SSL/TLS):
• Used to authenticate servers
– Uses certificates, “root” CAs
• Can authenticate clients
• Inclusive security protocol
• Security at the socket layer
– Transport Layer Security (TLS)
– Provides
• authentication
• confidentiality
• integrity
25. SSL Handshake
(1) Client Hello (algorithms,…)
(2) Server Hello (alg. selection, …)
(3) Server Certificate
(4) ClientKeyRequest
(5) ChangeCipherSuite
(6) ChangeCipherSuite
(7) Finished
(8) Finished
Simplified Protocol Detail
Participants: Alice/A (client) and Bob/B (server)
Crypto Elements : Random R, Certificate C, k+
i Public Key (of i)
Crypto Functions : Hash function H(x), Encryption E(k, d), Decryption D(k, d),
Keyed MAC HMAC(k, d)
1. Alice → Bob RA
2. Bob → Alice RB, CB
Alice pick pre-master secret S
Alice calculate master secret K = H(S, RA, RB)
3. Alice → Bob E(k+B, S), HMAC(K,! CLNT! + [#1, #2])
Bob recover pre-master secret S = D(k−B , E(k+B, S))
Bob calculate master secret K = H(S, RA, RB)
4. Bob → Alice HMAC(K,! SRV R! + [#1, #2])
26. Advantages:
Confidential session
Server authentication*
GUI clues for users
Built into every browser
Protocol has heavily analyzed
Disadvantages:
Users don’t check certificates (don’t know meaning)
Too easy to obtain certificates
Too many roots in the browsers
Some settings are terrible
ssl v2 is on, totally insecure cipher suites included
Reality of SSL:
SSL is here to stay no matter what credit card over SSL connection is probably safer than
credit card to waiter biggest hurdles:
– performance
– user education (check those certificates)
– too many trusted sites (edit your browser prefs)
– misconfiguration (turn off bad ciphersuites)
– can be used for many non-web applications
Now used for more than https, base for many distributed applications, etc.