LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 09-21-2012, 01:37 AM   #1
Ztcoracat
Cryptography, Algorithm and SHA-256


Hi:

I went to Wikipedia to learn about cryptography, algorithm and hash functions.
http://en.wikipedia.org/wiki/Cryptography
http://en.wikipedia.org/wiki/SHA-2
http://en.wikipedia.org/wiki/Algorithm

I get that cryptography is the practice and study of techniques for secure communication in the presence of third parties. Before reading about algorithms (expressed and well-defined instructions for calculating a function, a computation which, when executed, passes through a number of successive states producing output) I was unaware of how this worked.

In the future I would want to protect the confidentiality between a client and myself.

But how exactly would I do that with SHA-256?

Does SHA-256 prevent preimage attacks on hash functions?
 
Old 09-21-2012, 09:28 AM   #2
Snark1994
Perhaps have a look at http://www.openssl.org/ which implements the algorithms for you (with security, it's normally better to use an established implementation).

As far as I can understand http://en.wikipedia.org/wiki/Sha-256...and_validation, the attacks are not yet practical, but might allow the development of more efficient attacks - so the recommendation is to use a different hash in security-conscious applications.

Hope this helps,
 
Old 09-21-2012, 02:44 PM   #3
NyteOwl
SHA-256 is what is known as a hash function. It is used to create a theoretically unique encrypted value from some input. As hash functions are trapdoor or one-way functions, they are not "decryptable". You use them, for example, for hiding the value of a password/passphrase or key.

An encryption algorithm serves as a two-way function to enable both the encryption and decryption of information. This can be used to store information from others as well as securing communications from third parties.

As indicated, SHA-256 is currently secure. How far into the future it may remain so no one can say. Efficient and currently secure encryption algorithms include AES, Twofish, Blowfish, Serpent as well as some others.

If you are looking to ensure that documents have not been tampered with you can sign them, generate a hash of the document that the other party can verify to detect tampering. If you want to hide the contents altogether then you need to encrypt the document (with or without signing) using something like GPG (GnuPG).
 
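Added example (not from the thread and not anyone's posted code): the distinction NyteOwl draws above, in runnable Python standard library code. It shows what a bare SHA-256 digest does give you (a fixed, deterministic fingerprint that changes completely when one byte of the input changes), what it does not (an attacker who can replace the document can replace an unkeyed digest just as easily, and a 4-digit PIN is recovered by trying every PIN, preimage resistance or not), and two keyed variants: HMAC-SHA-256, which stands in here for the signature NyteOwl mentions (GPG does the same job with public keys), and salted PBKDF2 for storing a password. The document bytes, the PIN, the key and the iteration count are constructed for the demo.

```python
"""Hash, keyed hash and password hash side by side.

Added example: everything is Python standard library (hashlib, hmac, os).
The sample document, PIN, key and PBKDF2_ITERATIONS are constructed for the
demo, not values from the thread.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 100_000  # demo value; tune to your hardware budget


def sha256_hex(data: bytes) -> str:
    """Plain SHA-256 digest, hex encoded: deterministic and one-way, but keyless."""
    return hashlib.sha256(data).hexdigest()


def bits_changed(digest_a: str, digest_b: str) -> int:
    """Hamming distance between two hex digests (the avalanche effect)."""
    return bin(int(digest_a, 16) ^ int(digest_b, 16)).count("1")


def tamper_check(document: bytes, published_digest: str) -> bool:
    """Integrity only: catches a changed document *if* the digest itself came
    over a channel the attacker could not alter. Comparison is constant-time."""
    return hmac.compare_digest(sha256_hex(document), published_digest)


def mac_tag(key: bytes, document: bytes) -> str:
    """HMAC-SHA-256: a digest an attacker cannot recompute without the key.
    Stands in for a signature here; GPG achieves this with a public/private pair."""
    return hmac.new(key, document, hashlib.sha256).hexdigest()


def mac_check(key: bytes, document: bytes, tag: str) -> bool:
    return hmac.compare_digest(mac_tag(key, document), tag)


def brute_force_pin(digest_hex: str, digits: int = 4) -> Optional[str]:
    """Preimage search over a tiny input space. No shortcut against SHA-256 is
    known, but nothing stops an attacker from simply trying every 4-digit PIN."""
    for n in range(10 ** digits):
        guess = f"{n:0{digits}d}".encode()
        if sha256_hex(guess) == digest_hex:
            return guess.decode()
    return None


def hash_password(password: bytes, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Password storage the slow, salted way: PBKDF2-HMAC-SHA-256. Each guess
    now costs PBKDF2_ITERATIONS hash calls instead of one, and the random salt
    stops one precomputed table from covering every user at once."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS)


def verify_password(password: bytes, salt: bytes, stored: bytes) -> bool:
    derived = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(derived, stored)


if __name__ == "__main__":
    doc = b"Invoice 1042: pay 1,000 EUR to account X"  # constructed sample
    forged = doc.replace(b"1,000", b"9,000")
    print("digest(doc)    ", sha256_hex(doc))
    print("digest(forged) ", sha256_hex(forged),
          "bits changed:", bits_changed(sha256_hex(doc), sha256_hex(forged)))
    # Whoever replaces the document can replace an unkeyed digest too:
    print("unkeyed check, forged doc + forged digest:", tamper_check(forged, sha256_hex(forged)))
    key = os.urandom(32)
    tag = mac_tag(key, doc)
    print("keyed check, forged doc + genuine tag:   ", mac_check(key, forged, tag))
    print("PIN recovered from bare SHA-256:", brute_force_pin(sha256_hex(b"4271")))
    salt, stored = hash_password(b"4271")
    print("PBKDF2 verify:", verify_password(b"4271", salt, stored))
```

The two empty-string digests the OP compared on Wikipedia come out of sha256_hex(b"") here, and the rest of the block is the answer to the first question in the thread: SHA-256 on its own gives integrity, not confidentiality, and only when the digest travels separately from the data or is bound to a key.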
Old 09-21-2012, 11:00 PM   #4
Ztcoracat
Quote:
Originally Posted by Snark1994 View Post
Perhaps have a look at http://www.openssl.org/ which implements the algorithms for you (with security, it's normally better to use an established implementation).

As far as I can understand http://en.wikipedia.org/wiki/Sha-256...and_validation, the attacks are not yet practical, but might allow the development of more efficient attacks - so the recommendation is to use a different hash in security-conscious applications.

Hope this helps,
Thanks for the links. I read those 2 pages and I observed the 5 examples of the hash values of empty strings.
I was able to tell where they were different and where they were similar. However, I'm thinking to read and research more. I have a better understanding.

Thanks again.
 
Old 09-21-2012, 11:23 PM   #5
Ztcoracat
Night Owl:

You said; " An encryption algorithm serves as a two-way function to enable both the encryption and decryption of information"

As soon as I read that I remembered: approx. 4 years ago a friend discovered that a keylogger program was on my computer. Someone was tracking everything I was doing. I put that computer in the trash. I was not aware that I could have gone to court for that. Had I known then what I know now I don't think I would have tossed that tower.

Anyway, you said that SHA-256 is secure and AES, Twofish, Blowfish and Serpent are available.
I found TrueCrypt and Blowfish:
http://www.schneier.com/blowfish.html
http://www.truecrypt.org/docs/?s=twofish

I'm a little concerned about the bug the documentation speaks of:
NOTE: There is a bug in some source code implementations of Blowfish. Here are the details. The reference implementation does not have this bug.

Do these applications have to come from source and be compiled in order for me to have them on my system?
 
Old 09-22-2012, 05:04 PM   #6
Snark1994
Quote:
Originally Posted by Ztcoracat View Post
As soon as I read that I remembered: approx. 4 years ago a friend discovered that a keylogger program was on my computer. Someone was tracking everything I was doing. I put that computer in the trash. I was not aware that I could have gone to court for that. Had I known then what I know now I don't think I would have tossed that tower.
Hm? I don't see the relevance, I don't see why you couldn't have saved the computer, and I don't see how you could have gone to court...

Truecrypt is hard drive encryption, not an encryption library, I believe...

Quote:
Do these applications have to come from source and be compliled in order for me to have them on my system?
I'm not sure I understand your question... Everything you have on your computer will have been compiled at some point (alright, pedants, not interpreted scripts, but the point stands) by someone. Are you asking "Does this bug affect the implementation of blowfish on my system?"? If so, it will depend where you got it from. Are you asking "How can I install a library that implements blowfish?"? If so, I've already linked to OpenSSL, which implements blowfish.
 
Old 09-23-2012, 01:13 PM   #7
Ztcoracat
I went back to http://www.openssl.org/source/ and looked at all of the filenames.


There is an overwhelming amount of distribution tarballs on this page.
So I put my focus on the latest and newest .tar.gz (just as an example)
May 10 17:20:24 2012 openssl-1.0.1c.tar.gz (MD5) (SHA1) (PGP sign) [LATEST]

I only need one of those right? (on that page)
How can I tell which (tar.gz) for my system (Debian)?
 
Old 09-24-2012, 07:49 AM   #8
Snark1994
It's source code, so any of them. There's probably a README which will tell you how to compile it, or you can just grab the relevant source code (look at the license to check that your usage is allowed first).
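Added example (not from the thread and not OpenSSL project code): the download listing quoted two posts up offers an (MD5), (SHA1) and (PGP sign) next to each tarball, and this is what checking one of those digest lines looks like, done the way `sha256sum -c` does it. Assumptions: the digest line uses the GNU coreutils layout "<hexdigest>  <filename>" (two spaces, or " *" for binary mode); the algorithm is inferred from the digest length; the tarball bytes in demo() are made up, only the filename comes from the thread. The WEAK- prefix flags MD5 and SHA-1 lines because those functions no longer resist collisions; and whichever digest you use, it only proves the bytes match what the same web page published, so a compromised mirror can rewrite both. The PGP signature, checked against a key you obtained separately, is what ties the tarball to the OpenSSL developers.

```python
"""Check a downloaded file against a published digest line (sha256sum -c style).

Added example: Python standard library only. The checksum-line format is
assumed to be GNU coreutils style; the sample tarball in demo() is constructed.
"""
import hashlib
import hmac
import os
import tempfile
from typing import Optional, Tuple

# Hex digest length -> algorithm. MD5 and SHA-1 still appear on download
# pages but no longer offer collision resistance.
ALGORITHMS_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
WEAK_ALGORITHMS = {"md5", "sha1"}


def file_digest(path: str, algorithm: str, chunk_size: int = 1 << 16) -> str:
    """Hash a file in chunks so a large tarball is never read into RAM at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (algorithm, hexdigest, filename), or None for a malformed line."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        return None
    digest, name = parts[0].lower(), parts[1].lstrip("*")
    algorithm = ALGORITHMS_BY_LENGTH.get(len(digest))
    if algorithm is None or any(c not in "0123456789abcdef" for c in digest):
        return None
    return algorithm, digest, name


def verify_download(directory: str, checksum_line: str) -> str:
    """'OK', 'FAILED', 'MISSING' or 'MALFORMED', with a WEAK- prefix when the
    published digest is MD5 or SHA-1."""
    parsed = parse_checksum_line(checksum_line)
    if parsed is None:
        return "MALFORMED"
    algorithm, expected, name = parsed
    # basename(): never let a digest file steer us outside the download directory
    path = os.path.join(directory, os.path.basename(name))
    if not os.path.isfile(path):
        return "MISSING"
    actual = file_digest(path, algorithm)
    status = "OK" if hmac.compare_digest(actual, expected) else "FAILED"
    return f"WEAK-{status}" if algorithm in WEAK_ALGORITHMS else status


def demo() -> Tuple[str, str, str]:
    """Constructed scenario: intact download, tampered download, MD5-only line."""
    with tempfile.TemporaryDirectory() as tmp:
        name = "openssl-1.0.1c.tar.gz"  # filename from the thread; contents are fake
        path = os.path.join(tmp, name)
        with open(path, "wb") as fh:
            fh.write(b"\x1f\x8b" + b"not really a tarball" * 1000)
        line = f"{file_digest(path, 'sha256')}  {name}"  # what the site would publish
        good = verify_download(tmp, line)
        with open(path, "ab") as fh:  # an attacker (or a bad mirror) changes one byte
            fh.write(b"\x00")
        bad = verify_download(tmp, line)
        weak = verify_download(tmp, f"{file_digest(path, 'md5')}  {name}")
        return good, bad, weak


if __name__ == "__main__":
    print(demo())
```

On Debian the same check is one command, `sha256sum -c openssl-1.0.1c.tar.gz.sha256`, and `gpg --verify openssl-1.0.1c.tar.gz.asc openssl-1.0.1c.tar.gz` covers the signature; the block above is only there to show what those commands are actually deciding.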
 
Old 09-24-2012, 08:18 AM   #9
sundialsvcs
I suggest that you simply save yourself a massive amount of time by using an existing, all-inclusive security tool such as:
  • SSL/TLS
  • GPG
  • OpenVPN
  • Standard e-mail S/MIME encryption

The reason why I say this is that ... the crypto algorithm, whatever it is, is only a small and almost-irrelevant part of the story. It's almost never the thing that anyone tries to break. The weak link in the chain is always key-management, and the people who are using it. Even if you succeed in implementing it all correctly ... you have just "done a thing already done."

You very much want to employ something that is as absolutely standard, as absolutely and completely "what everyone else is using for the same purpose," as you can. In this way, you push the responsibility for cryptographic security to people whose work is trusted around the world "and deservedly so." You also maximize the ease with which the recipient of your information can decipher it ... probably without needing to be explicitly aware that it is enciphered. As the SSL/TLS protocols now do for any "https" web-page or frame that you may ever use. (There is, BTW, a lot more to even that protocol than most sites make use of.) As S/MIME can do for e-mail.

Don't overlook VPN. Secure the tunnel strongly, using digital certificates per recipient site, and push any-old-thing through that tunnel. You know who you're talking to, you know the traffic is arriving as-tendered, and you know that it's secure.

Last edited by sundialsvcs; 09-25-2012 at 02:57 PM.
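Added example (not from the thread): the first item in sundialsvcs' list, TLS, done the way the post recommends, by handing the whole job to the library and touching as little of it as possible. It puts the setting people reach for when a certificate error gets in the way (verification off) next to the one that actually delivers "you know who you're talking to": the platform CA store or your own private CA, hostname checking, and a TLS 1.2 floor. Assumptions: Python 3.7 or newer; connect_and_report() needs network access and is only called from the __main__ block, and the host name there is a placeholder, not anything the thread recommends connecting to.

```python
"""Weak versus verifying TLS client configuration.

Added example: Python standard library `ssl` and `socket` only. The host in
the __main__ block is an assumption; any HTTPS server will do.
"""
import socket
import ssl
from typing import Dict, Optional


def weak_client_context() -> ssl.SSLContext:
    """Accepts any certificate from anyone. The tunnel is still encrypted, but
    an on-path attacker can terminate it themselves, so it proves nothing
    about who is at the other end."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode may be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """The library default plus an explicit protocol floor. cafile=None uses
    the system CA store; pass your own CA bundle for a private, per-site PKI
    of the kind a VPN deployment uses."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_summary(ctx: ssl.SSLContext) -> Dict[str, object]:
    """The three settings that decide whether the peer is authenticated."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def connect_and_report(host: str, ctx: ssl.SSLContext, port: int = 443) -> Dict[str, object]:
    """Handshake and report who we actually talked to. With the weak context
    getpeercert() comes back empty because nothing was verified."""
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert() or {}
            subject = dict(pair[0] for pair in cert.get("subject", ()))
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "subject_cn": subject.get("commonName"),
                "not_after": cert.get("notAfter"),
            }


if __name__ == "__main__":
    host = "www.openssl.org"  # assumption: placeholder HTTPS host
    print("hardened:", context_summary(hardened_client_context()))
    print("weak:    ", context_summary(weak_client_context()))
    try:
        print(connect_and_report(host, hardened_client_context()))
    except ssl.SSLCertVerificationError as exc:
        # A self-signed or mis-issued certificate lands here; the weak context
        # would have silently accepted it.
        print("refused:", exc.verify_message)
```

The hardened context is three lines, which is the post's point: the cryptography is already done for you, and the part that is yours to get right is which CA you trust and which name you insist on seeing in the certificate.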
 
Old 09-24-2012, 08:43 PM   #10
Ztcoracat
There should be a Read Me file like you said to help me.
I've never done this (compiled) before so I hope it's clear.

I won't overlook VPN, GPG or S/MIME.
I will have to study, read and learn more about 'using digital certificates'; I don't know much about them.
Or how to obtain one for each recipient as you've mentioned.

Thank You
 
Old 09-25-2012, 03:02 PM   #11
sundialsvcs
Digital certificates are quite an easy idea, actually ... and you don't have to pay for them.

Without going into all the gory details, let me just say: "they are 'a badge,' and they've got the company's logo printed on them."

When you hire-on with a company of any size, they issue you a badge which you have to "swipe" or "wave" to get through most doors. That badge is issued to you by the security department, and it is issued specifically to you. You can't forge the badge, duplicate it, or change its assigned access-privileges. If you quit or get fired or die or get laid-off, your badge becomes useless even if you keep it. If you lose it, you call the security department and within two minutes that badge (wherever it now is) just turned into a useless bookmark ... and if in the meantime anyone just used that badge to get inside the building, they know.

Sometimes, to get through a really secure door, you must combine "what you have" with "what you know." You must swipe your badge then enter a secret code. The badge without the code is useless, as is the code without the badge.

What you never see in an office-building is someone standing next to a door saying, "Say the magic-word, please ..." You'd probably have slammed the book shut on Harry Potter if one of the kids had had a dictionary shoved into their hands and they started reading it page-by-page at one of the secret-passages that led into the various houses, but this is literally what a password is susceptible to. A badge never is. Either you've got one or you don't, and you can't fake it. Either the badge is acceptable to whoever's on the other side of that door, or it's not.

Last edited by sundialsvcs; 09-26-2012 at 01:36 PM.
 
Old 09-26-2012, 01:42 AM   #12
Ztcoracat
Sundialsvcs:

You have been very helpful!

Thank You
 
Old 09-26-2012, 01:29 PM   #13
sundialsvcs
You're welcome.
 
  

