ENCRYPTION TECHNIQUES
AUGUST 2016
OVERVIEW
Hashing vs Encryption
Hashing
Ciphers
PKI
Signing
Performance
Hashing vs Encryption
Hashing is designed to be one way
Encryption is designed to be 2 way
Don't use a hash when you mean to encrypt
Don't encrypt when you should use a hash
Hashing
One way representation of data
Originally designed for indexing and storage
Applications include data integrity
Early hash algorithms are not designed for uniqueness – CRC-16, CRC-32
Mid strength hash algorithms are frequently broken – MD-2, MD-5
Hashing Best Practice
Don't discard CRC-32 if you need fast and light!
RIPEMD160 is minimum strength today
SHA256 is industrial strength
MD-5 and SHA-1 considered broken
Hashing Strength vs Speed
CRC-32 is VERY fast
MD-5, SHA-256 often implemented in hardware
RIPEMD algorithms good compromise between speed and space
No gain in seeding your hash!
Birthday Attacks
Effective against passwords stored in MD-5 or weaker algorithms
Early password storage included 64 and 32 bit hashes!
2 people in this room have the same birthday
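The birthday bound behind this slide, as an added example that is not part of the original deck: it computes the chance of a repeat and then finds a real collision in a short hash. The short hash is SHA-256 truncated to `bits` bits, an assumption standing in for the legacy 32-bit hashes the slide mentions; all inputs are constructed.

```python
import hashlib
import math


def birthday_probability(n: int, space: int) -> float:
    """Chance that n uniformly random values drawn from `space` contain a repeat."""
    if n > space:
        return 1.0
    # P(no repeat) = prod_{i<n} (1 - i/space); sum logs for numerical stability.
    log_no_repeat = sum(math.log1p(-i / space) for i in range(n))
    return 1.0 - math.exp(log_no_repeat)


def short_hash(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256, standing in for a legacy short hash (assumption)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)


def find_collision(bits: int, limit: int = 1_000_000):
    """Hash constructed inputs until two share a `bits`-bit hash.

    Returns (first_input, second_input, inputs_hashed), or None if `limit` is hit.
    """
    seen = {}
    for i in range(limit):
        candidate = f"constructed-input-{i}".encode()
        h = short_hash(candidate, bits)
        if h in seen:
            return seen[h], candidate, i + 1
        seen[h] = candidate
    return None


if __name__ == "__main__":
    print(f"23 people, 365 days: {birthday_probability(23, 365):.3f}")
    for bits in (16, 24, 32):
        a, b, tries = find_collision(bits)
        expected = math.sqrt(math.pi / 2 * 2 ** bits)  # mean inputs to first repeat
        print(f"{bits}-bit: {a!r} / {b!r} collide after {tries} inputs "
              f"(~{expected:.0f} expected, space is {2 ** bits})")
```

The number of inputs needed grows with the square root of the hash space, which is why a 32-bit hash collides after tens of thousands of inputs rather than billions.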
Shared Key Ciphers
Each side has a “secret” key
Decryption / Encryption uses the same key
Weakness is key storage
AES-256 is current best practice
Often implemented in hardware – use OpenSSL libraries for “helpers”
Asymmetric Ciphers
Public Key vs Private Key
Knowing the Public Key does not expose the Private Key
RSA keys, 2048 bit key length is industrial strength
Keys are longer than Shared Keys
Much slower
Use of Asymmetric Ciphers
Shared Key Exchange and Updates
Shared Key Storage (Encryption)
Shared Key Verification (Data Signing)
Recipient's Public Key used to Encrypt
Recipient's Private Key used to Decrypt
PKI and Certificate Signing
A “certificate” is just a signed public key
Public Key sent to a “trusted” authority
Public Key encrypted using the authority's Private Key
Encrypted and plain text Public Key revealed
Anyone can decrypt the encrypted key, thus verifying the plain text key
PKI Chains
Limited number of trusted authorities
Intermediate authorities signed by trusted authorities
Certificates signed by trusted authority or intermediate authority
Enables distributed but controlled key signing
Data Signing
Not all encryption is designed for security
Data signature is the reverse of data encryption (private key used to encrypt, public key can be used to verify)
HMAC
HMAC is a signature equivalent for shared key ciphers
As with all shared key ciphers, public key can be used to protect the HMAC key
HMAC is for verification only – HMAC verified data can be in plain text
No need to encrypt if you don't need to
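HMAC verification over plain-text data, as an added example that is not part of the original deck: the message travels readable with an HMAC-SHA256 tag appended, and the receiver rejects any change to the message or a wrong key. The function names, the "message then tag" layout and the sample message are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes for HMAC-SHA256


def seal(key: bytes, message: bytes) -> bytes:
    """Append an HMAC-SHA256 tag; the message itself stays in plain text."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Return the message if its tag verifies, otherwise raise ValueError."""
    if len(blob) < TAG_LEN:
        raise ValueError("blob is shorter than an HMAC-SHA256 tag")
    message, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    # compare_digest is constant time, so the check does not reveal
    # how many leading bytes of a forged tag were correct.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("HMAC verification failed")
    return message


def is_valid(key: bytes, blob: bytes) -> bool:
    """Boolean wrapper around open_sealed for callers that only need a verdict."""
    try:
        open_sealed(key, blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key = secrets.token_bytes(32)            # shared secret held by both sides
    blob = seal(key, b"amount=100;to=alice")  # constructed sample message
    print("on the wire:", blob[:-TAG_LEN], blob[-TAG_LEN:].hex())
    print("untouched  :", is_valid(key, blob))
    tampered = blob.replace(b"amount=100", b"amount=900", 1)
    print("tampered   :", is_valid(key, tampered))
    print("wrong key  :", is_valid(secrets.token_bytes(32), blob))
```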
Encryption Performance
Use the Known Algorithms. They are probably implemented in hardware.
Don't mess with the algorithms
Don't encrypt when you need to hash
Don't hash when you need to encrypt
bcrypt
Hashing algorithm based on an encryption algorithm.
Disadvantage: slow
Advantage: slow, can be made slower
Use only for small chunks of data (passwords)
