# Cryptography> FSA March 25, 2017Foundational ideas in Cryptography____##

1. # Cryptography
2. > FSA March 25, 2017
3.  
4. Foundational ideas in Cryptography
5.  
6. ____
7. ## Crypto
8. * Cryptography: code-making / secret keeping
9. * Cryptanalysis: code-breaking / secret revealing
10.  
11. Cryptography is the masonry of software security. It is not the same AS software security.
12.  
13. #### Randomness
14. * not 'predictable/patterned'
15. * uniformly distributed output
16. * next is unrelated to previous
17. * next is unrelated to previous previous
18.  
19. **Random Number Generator**
20. * We need random numbers for some algos, including quicksort
21. * Avoiding deadlocks and 'starvation' in parallel programming
22. * simulations/games
23.  
24. Don't be fooled by a seeming non-random pattern in a string of iterations.
25.  
26. Random Number Generators:
27. * quantum mechanics
28. * thermal noise
29. * 10th char of most recent tweet?
30. * randomness is `subjective` in some way, because we may be able to increase the information that we have to predict something
31.  
32. Pseudo-Random Number Generators:
33. * Not truly random, but easier to work with
34. * Easier and deterministic (repeatable)
35. * 'die hard' tests – a suite of tests that look at the quality of a pseudo-random number generator
36. * PRNG is less crypto-secure than a CSPRNG
37.  
38. > PRNGS use a seed and typically input one iteration's seed as the seed of the next iteration. Check out Mersenne twister and middle squares method.
39.  
40. **CSPRNG**
41. Pass statistical tests.
42. Satisfies the 'next-bit test'
43. Withstands 'state compromise extensions'
44.  
45. #### Hashing
46. Takes some input string ('message') and outputs a string ('digest').
47. The same message is always going to get the same output. Digest is usually a fixed size.
48. The hashing algorithm is *irreversible*.
49.  
50. > Collisions are a problem (remember our hash table workshop?)
51.  
52. Irreversibility is less strange than it seems. What if I tell you a sum is 15? What were my inputs? You don't know.
53.  
54. * '+' <-- addition
55. * sha1
56. * md5
57. * neurons
58.  
59. Possible collisions are infinite.
60.  
61. **Why do we hash?**
62.  
63. Identity:
64. * Useful for identifying something quickly (think hash table)
65. * bloom filter
66. * git commit ids
67. * equality testing
68.  
69. > Storing hashed passwords in your database protects somewhat from compromise. You can hash the password and see if it matches the hash in the DB, without knowing the user's password.
70.  
71. Cryptography:
72. * password verification
73. * integrity verification
74. * some PRNGs
75. * proof of work (in cryptography)
76.  
77. **How**
78.  
79. 1. pad – we make sure it is of a certain size (our target size)
80. 2. partition – split the string into chunks of our target size
81. 3. combine – smoosh all of our chunks into a
82.  
83. AKA Merkle-Damgard construction
84.  
85. **For example: Simple Hash**
86. 1. pad string to at least twice the desired length
87. 2. partition into chunks of desired length
88. 3. combine (reduce) this partitions using XOR
89.  
90. #### XOR
91. ```
92. XOR TRUTH TABLE
93. ______
94. 00 | 0
95. 01 | 1
96. 10 | 1
97. 11 | 0
98. ```
99. XOR produces an evenly distributed output.
100.  
101. #### Cryptographic Hashing
102. 1. Pre-image resistance: a hacker can't find collision given hash result
103. – What if I can create something that produces the same results?
104.  
105. 2. Second pre-image resistance: a hacker can't find collision given input message
106. – If you know a file that was used to produce a hash, then you can't come up with another string of text that will produce the same hash.
107. I receive a hashed output. Someone in the middle comes up with a different file that has the same hashed output. This is bad!
108.  
109. 3. Collision resistance: a hacker can't find some arbitrary collision
110. – Impossible to find some arbitrary collision. I can't figure out two messages in general that hash to the same output.
111.  
112. > When people say an algo is 'collision resistant', they usually mean all three.
113.  
114. #### HMAC
115. Hash-message authentication code
116.  
117. key + message => digest
118. key is a secret
119.  
120. Scenario:
121. 1. When I buy something I'm asked to make a secret
122. 2. Secret hashed together with purchase
123. 3. Creates an HMAC which you can verify again using the 'receipt' (purchase) and the secret
124.  
125. Can be used to confirm message receipt without exposing identity or message.
126.  
127. #### PBKDF2
128. > Password based key derivation function!
129.  
130. We use this on passwords. It repeatedly calls a hashing algorithm on 'salted' text.
131.  
132. My password `cats`, adds some secret salt to the front, `jazz82cats` (an HMAC). The salted password is hashed repeatedly and stored in the database.
133.  
134. 1. Why should we hash passwords before storing in our DB?
135. Avoid having them easily stolen.
136.  
137. 2. Why salt?
138. Common passwords could be guessed via collisions by testing a large quantity of passwords. Helps us avoid rainbow table hacks – because the hacker also needs the salt.
139.  
140. 3. Why repeatedly hash?
141. Slows down algorithms. It slows us down a bit, sure. But for a hacker we significantly slow their brute force attacks by increasing the how many times they have to hash every possible password.
142.  
143.  
144. #### Encryption
145. TBD
146.  
147.  
148. #### Asymmetric-key (RSA)
149. TBD