LinuxQuestions.org > Linux - Security > Cryptography, Algorithm and SHA-256 (https://www.linuxquestions.org/questions/linux-security-4/cryptography-algorithm-and-sha-256-a-4175428329/)

 Ztcoracat 09-21-2012 01:37 AM

Cryptography, Algorithm and SHA-256

Hi:

I went to Wikipedia to learn about cryptography, algorithm and hash functions.
http://en.wikipedia.org/wiki/Cryptography
http://en.wikipedia.org/wiki/SHA-2
http://en.wikipedia.org/wiki/Algorithm

I get that cryptography is the practice and study of techniques for secure communication in the presence of 3rd parties. Before reading about algorithms (expressed and well-defined instructions for calculating a function (computation) that, when executed, pass through a number of successive states producing output), I was unaware of how this worked.

In the future I would want to protect the confidentiality between a client and myself-

But how exactly would I do that with SHA-256?

Does SHA-256 prevent preimage attacks on hash functions?

 Snark1994 09-21-2012 09:28 AM

Perhaps have a look at http://www.openssl.org/ which implements the algorithms for you (with security, it's normally better to use an established implementation).

As far as I can understand http://en.wikipedia.org/wiki/Sha-256...and_validation, the attacks are not yet practical, but might allow the development of more efficient attacks - so the recommendation is to use a different hash in security-conscious applications.

Hope this helps,

 NyteOwl 09-21-2012 02:44 PM

SHA-256 is what is known as a hash function. It is used to create a theoretically unique encrypted value from some input. As hash functions are trapdoor or one-way functions, they are not "decryptable". You use them, for example, for hiding the value of a password/passphrase or key.

An encryption algorithm serves as a two-way function to enable both the encryption and decryption of information. This can be used to store information from others as well as securing communications from third parties.

As indicated, SHA-256 is currently secure. How far into the future it may remain so no one can say. Efficient and currently secure encryption algorithms include AES, Twofish, Blowfish, Serpent as well as some others.

If you are looking to ensure that documents have not been tampered with you can sign them, generate a hash of the document that the other party can verify to detect tampering. If you want to hide the contents altogether then you need to encrypt the document (with or without signing) using something like GPG (GnuPG).
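The post above contrasts one-way hashing with two-way encryption and suggests hashing a document so the other party can detect tampering. The following is an added example (not code from the thread or from any of the projects it mentions) showing that in practice, and adding the caveat a practitioner would want: a bare SHA-256 digest only catches accidental change, because whoever can replace the document can recompute the hash too; detecting deliberate tampering needs either a shared secret (HMAC, shown here) or a signature (GPG, as the post says). It also answers the original "preimage" question by brute-forcing a preimage of a digest truncated to a handful of bits, which shows how the work doubles per bit; at 256 bits it is out of reach. The document bytes, the shared key and the attacker's substitution are all constructed for the example.

```python
"""Hash-based integrity checks (added example, not from the original thread)."""
import hashlib
import hmac

# Constructed sample document; not a real file from the thread.
DOCUMENT = b"Invoice 2012-09: pay 1,000 EUR to account 123456 by Oct 1.\n"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of data (what `sha256sum` prints)."""
    return hashlib.sha256(data).hexdigest()


def digest_matches(data: bytes, expected_hex: str) -> bool:
    """Recompute and compare in constant time (no early-exit timing leak)."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Hamming distance between two equal-length hex digests (avalanche check)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed digest: only holders of `key` can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def tag_matches(key: bytes, data: bytes, tag_hex: str) -> bool:
    return hmac.compare_digest(hmac_tag(key, data), tag_hex)


def attacker_swaps_document(data: bytes):
    """Model an attacker who controls the channel: they alter the document
    AND publish a fresh, correct SHA-256 of the altered copy. A recipient
    checking only the bare hash sees nothing wrong."""
    forged = data.replace(b"123456", b"999999")  # constructed substitution
    return forged, sha256_hex(forged)


def brute_force_preimage(target_hex: str, bits: int, limit: int = 1 << 24):
    """Find any input whose SHA-256 agrees with `target_hex` in its first
    `bits` bits. Returns (preimage, attempts) or (None, limit). The expected
    work is about 2**bits tries, so each extra bit doubles the cost; the
    full 256-bit digest is far beyond any feasible search."""
    target = int(target_hex, 16) >> (256 - bits)
    for i in range(limit):
        cand = i.to_bytes(8, "big")
        h = int.from_bytes(hashlib.sha256(cand).digest(), "big") >> (256 - bits)
        if h == target:
            return cand, i + 1
    return None, limit


def demo() -> None:
    published = sha256_hex(DOCUMENT)
    tampered = DOCUMENT.replace(b"1,000", b"9,000")
    print("bare hash catches an edit:", not digest_matches(tampered, published))
    print("bits changed by a one-byte edit:",
          differing_bits(published, sha256_hex(tampered)), "of 256")

    forged, forged_hex = attacker_swaps_document(DOCUMENT)
    print("bare hash fooled by attacker who re-hashes:",
          digest_matches(forged, forged_hex))

    key = b"constructed-shared-secret"  # would be agreed out of band
    tag = hmac_tag(key, DOCUMENT)
    print("HMAC rejects the forgery:", not tag_matches(key, forged, tag))

    for bits in (8, 12, 16):
        _, attempts = brute_force_preimage(published, bits)
        print(f"{bits}-bit partial preimage found after {attempts} tries")


if __name__ == "__main__":
    demo()
```

The HMAC step stands in for the "sign them" part of the post: with GPG the equivalent is a detached signature made with the sender's private key, which has the same property that a third party cannot regenerate it after altering the file.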

 Ztcoracat 09-21-2012 11:00 PM

Quote:
 Originally Posted by Snark1994 (Post 4785844) Perhaps have a look at http://www.openssl.org/ which implements the algorithms for you (with security, it's normally better to use an established implementation). As far as I can understand http://en.wikipedia.org/wiki/Sha-256...and_validation, the attacks are not yet practical, but might allow the development of more efficient attacks - so the recommendation is to use a different hash in security-conscious applications. Hope this helps,
Thanks for the links. I read those 2 pages and I observed the 5 examples of the hash values of empty strings.
I was able to tell where they were different and where they were similar. However, I'm thinking to read and research more. I have a better understanding.

Thanks again.

 Ztcoracat 09-21-2012 11:23 PM

Night Owl:

You said; " An encryption algorithm serves as a two-way function to enable both the encryption and decryption of information"

As soon as I read that I remembered; approx. 4 years ago a friend discovered that a keylogger program was on my computer. Someone was tracking everything I was doing. I put that computer in the trash. I was not aware that I could have gone to court for that. Had I known then what I know now I don't think I would have tossed that tower-

Anyway, you said that SHA-256 is secure and AES, Twofish, Blowfish and Serpent are available.
I found TrueCrypt and Blowfish:
http://www.schneier.com/blowfish.html
http://www.truecrypt.org/docs/?s=twofish

I'm a little concerned about the bug the documentation speaks of-
NOTE: There is a bug in some source code implementations of Blowfish. Here are the details. The reference implementation does not have this bug.

Do these applications have to come from source and be compiled in order for me to have them on my system?

 Snark1994 09-22-2012 05:04 PM

Quote:
 Originally Posted by Ztcoracat (Post 4786345) As soon as I read that I remembered; approx. 4 years ago a friend discovered that a keylogger program was on my computer. Someone was tracking everything I was doing. I put that computer in the trash. I was not aware that I could have gone to court for that. Had I known then what I know now I don't think I would have tossed that tower-
Hm? I don't see the relevance, I don't see why you couldn't have saved the computer, and I don't see how you could have gone to court...

Truecrypt is hard drive encryption, not an encryption library, I believe...

Quote:
 Do these applications have to come from source and be compiled in order for me to have them on my system?
I'm not sure I understand your question... Everything you have on your computer will have been compiled at some point (alright, pedants, not interpreted scripts, but the point stands) by someone. Are you asking "Does this bug affect the implementation of blowfish on my system?"? If so, it will depend where you got it from. Are you asking "How can I install a library that implements blowfish?"? If so, I've already linked to OpenSSL, which implements blowfish.

 Ztcoracat 09-23-2012 01:13 PM

I went back to http://www.openssl.org/source/ and looked at all of the filenames.

So I put my focus on the latest and newest .tar.gz (just as an example)
May 10 17:20:24 2012 openssl-1.0.1c.tar.gz (MD5) (SHA1) (PGP sign) [LATEST]

I only need one of those right? (on that page)
How can I tell which (tar.gz) for my system (Debian)?

 Snark1994 09-24-2012 07:49 AM

It's source code, so any of them. There's probably a README which will tell you how to compile it, or you can just grab the relevant source code (look at the license to check that your usage is allowed first)
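The exchange above is about picking the openssl-1.0.1c.tar.gz source archive, which the download page lists next to an MD5, a SHA-1 and a PGP signature. Before compiling anything from source, the step a practitioner adds is to check the downloaded bytes against those published values. The following is an added example (not OpenSSL's own tooling and not code from the thread) that does the checksum part: it parses a sums file in the `<hexdigest>  <filename>` format that md5sum/sha1sum/sha256sum produce and reports OK / FAILED / MISSING per file, the way `sha256sum -c` does. The file contents and the sums text are constructed inline so it runs offline; the real tarball would be streamed from disk through the same chunked hashing. The checksum proves the download matches what the site published; only the PGP signature, verified with gpg (not shown here), proves who published it, and of the three, prefer a SHA-256 sum over MD5 or SHA-1 where the site offers one.

```python
"""Verify downloaded files against a published checksum list
(added example, not code from the original thread or from OpenSSL)."""
import hashlib
import hmac
from typing import Dict, Optional

# Constructed stand-ins for downloaded files; not the real OpenSSL tarball.
DOWNLOADS: Dict[str, bytes] = {
    "openssl-1.0.1c.tar.gz": b"\x1f\x8b" + b"pretend this is the tarball " * 100,
    "README": b"How to build: ./config && make && make test\n",
}

# Digest length in hex characters -> algorithm, for sums files with no header.
_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def file_digest(data: bytes, algo: str, chunk: int = 1 << 16) -> str:
    """Hash `data` in chunks, as you would stream a large file from disk."""
    h = hashlib.new(algo)
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()


def algo_for_digest(hexdigest: str) -> str:
    """Infer the algorithm from the digest length (md5sum/sha*sum conventions)."""
    try:
        return _ALGO_BY_LEN[len(hexdigest)]
    except KeyError:
        raise ValueError(f"unrecognised digest length {len(hexdigest)}") from None


def parse_sums(text: str) -> Dict[str, str]:
    """Parse `<hex>  <name>` lines into {name: hex}; blank and '#' lines ignored."""
    sums: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hexdigest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # `sha256sum -b` marks binary mode with '*'
        if not name or any(c not in "0123456789abcdefABCDEF" for c in hexdigest):
            raise ValueError(f"malformed checksum line: {line!r}")
        sums[name] = hexdigest.lower()
    return sums


def make_sums(files: Dict[str, bytes], algo: str) -> str:
    """Produce the sums text a site would publish (used here for the demo)."""
    return "".join(f"{file_digest(data, algo)}  {name}\n" for name, data in files.items())


def verify_downloads(sums_text: str, files: Dict[str, bytes],
                     algo: Optional[str] = None) -> Dict[str, str]:
    """Return {name: 'OK' | 'FAILED' | 'MISSING'}. If `algo` is None the
    algorithm is inferred from each digest's length."""
    results: Dict[str, str] = {}
    for name, expected in parse_sums(sums_text).items():
        if name not in files:
            results[name] = "MISSING"
            continue
        actual = file_digest(files[name], algo or algo_for_digest(expected))
        results[name] = "OK" if hmac.compare_digest(actual, expected) else "FAILED"
    return results


def demo() -> None:
    sums = make_sums(DOWNLOADS, "sha256")
    print(sums, end="")
    print("clean download:", verify_downloads(sums, DOWNLOADS))
    corrupted = dict(DOWNLOADS)
    corrupted["openssl-1.0.1c.tar.gz"] += b"\x00"  # one extra byte, e.g. a truncated/altered download
    print("altered tarball:", verify_downloads(sums, corrupted))


if __name__ == "__main__":
    demo()
```

A FAILED result means the archive is not what the site published and must not be built; a MISSING result usually means the sums file covers more files than you downloaded, which is harmless.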

 sundialsvcs 09-24-2012 08:18 AM

I suggest that you simply save yourself a massive amount of time by using an existing, all-inclusive security tool such as:
• SSL/TLS
• GPG
• OpenVPN
• Standard e-mail S/MIME encryption

The reason why I say this is that ... the crypto algorithm, whatever it is, is only a small and almost-irrelevant part of the story. It's almost never the thing that anyone tries to break. The weak link in the chain is always key-management, and the people who are using it. Even if you succeed in implementing it all correctly ... you have just "done a thing already done."

You very much want to employ something that is as absolutely standard, as absolutely and completely "what everyone else is using for the same purpose," as you can. In this way, you push the responsibility for cryptographic security to people whose work is trusted around the world "and deservedly so." You also maximize the ease with which the recipient of your information can decipher it ... probably without needing to be explicitly aware that it is enciphered. As the SSL/TLS protocols now do for any "https" web-page or frame that you may ever use. (There is, BTW, a lot more to even that protocol than most sites make use of.) As S/MIME can do for e-mail.

Don't overlook VPN. Secure the tunnel strongly, using digital certificates per recipient site, and push any-old-thing through that tunnel. You know who you're talking to, you know the traffic is arriving as-tendered, and you know that it's secure.

 Ztcoracat 09-24-2012 08:43 PM

There should be a Read Me file like you said to help me.
I've never done this (compiled) before so I hope it's clear.

I won't overlook VPN, GPG or S/MIME.
Or how to obtain one for each recipient as you've mentioned.

Thank You

 sundialsvcs 09-25-2012 03:02 PM

Digital certificates are quite an easy idea, actually ... and you don't have to pay for them.

Without going into all the gory details, let me just say: "they are 'a badge,' and they've got the company's logo printed on them."

When you hire-on with a company of any size, they issue you a badge which you have to "swipe" or "wave" to get through most doors. That badge is issued to you by the security department, and it is issued specifically to you. You can't forge the badge, duplicate it, or change its assigned access-privileges. If you quit or get fired or die or get laid-off, your badge becomes useless even if you keep it. If you lose it, you call the security department and within two minutes that badge (wherever it now is) just turned into a useless bookmark ... and if in the meantime anyone just used that badge to get inside the building, they know.

Sometimes, to get through a really secure door, you must combine "what you have" with "what you know." You must swipe your badge then enter a secret code. The badge without the code is useless, as is the code without the badge.

What you never see in an office-building is someone standing next to a door saying, "Say the magic-word, please ..." You'd probably have slammed the book shut on Harry Potter if one of the kids had had a dictionary shoved into their hands and they started reading it page-by-page at one of the secret-passages that led into the various houses, but this is literally what a password is susceptible to. A badge never is. Either you've got one or you don't, and you can't fake it. Either the badge is acceptable to whoever's on the other side of that door, or it's not.

 Ztcoracat 09-26-2012 01:42 AM

Sundialsvcs: