CompTIA Security+ SY0-601 – 2.9 Basics of cryptographic concepts Part 5
March 27, 2023

12. Key stretching

In this video, we’re going to be talking about key stretching. Key stretching is something you do when the secret feeding a cryptographic algorithm is not strong enough on its own. If you remember when I explained why key size matters: the bigger the key, the bigger the key space. A human-chosen password has far less entropy than a random key of the same length, so if you store passwords with a plain, fast hash, an attacker can brute force or dictionary attack them and defeat your protection. Key stretching takes that weak input and runs it through the hash (or cipher) over and over, thousands of times or more, so that every guess the attacker makes costs that many operations. It does not make the password itself longer; it makes each guess slower, which is what makes a brute force attack impractical.

So, for example, take a password. Remember, passwords are hashed. If you hash the password, then hash that hash, then hash that again, and keep doing this, every guess an attacker makes has to repeat the same chain of hashes, so brute forcing the hash becomes much slower. (You never “decrypt” a hash; the attacker’s only option is to guess inputs and hash them, and that is exactly the work that stretching multiplies.) One famous tool that does this is bcrypt. I’m going to show you bcrypt here. There are a bunch of bcrypt generators online, and they let you choose the number of rounds of rehashing. Take a look at this one. I just Googled “bcrypt online”, and the second result here is browserling.com. I’m going to put in a password, say “password”, nothing too complex; you can see it. Notice the field that says “rounds”? That is bcrypt’s cost factor: the tool is going to hash, and rehash, and rehash over and over (a cost of 10 means 2^10 = 1,024 iterations of bcrypt’s inner loop). Then we click the button the site labels “encrypt”, although what it actually does is hash.

And you’ll notice it generated a hash. What happened is that it hashed the password, then rehashed it, then rehashed it again, once per round. Why do we do this? Once again, you’re doing this to stretch the key: a single guess now costs the attacker the full number of rounds, so a brute force attack takes proportionally longer. Notice also that the bcrypt output carries its own version, cost and salt in front of the hash, so you can raise the cost later as hardware gets faster and still verify old hashes. Interesting tool; I want you to check out bcrypt. And if you’re ever in a position where you realize the hashing algorithm protecting a password, or a key derived from one, isn’t strong enough, consider key stretching: bcrypt, PBKDF2, scrypt or Argon2 rather than a plain fast hash like MD5 or SHA-256.
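The iteration the lecture describes, as an added example that is not part of the original lesson or of the bcrypt tool shown. The bcrypt demo stretches with a Blowfish-based loop; this example uses PBKDF2 over HMAC-SHA256 (RFC 8018) instead, so the chaining is visible in plain Python, and cross-checks the hand-written loop against the standard library. The password, salt and iteration counts are constructed sample values.

```python
"""Key stretching: iterate the hash so that each password guess costs many
hash computations. Added example using PBKDF2-HMAC-SHA256 rather than bcrypt."""
import hashlib
import hmac
import time


def naive_stretch(password: bytes, salt: bytes, rounds: int) -> bytes:
    """Exactly the lecture's intuition: hash, then hash the hash, `rounds` times."""
    digest = salt + password
    for _ in range(rounds):
        digest = hashlib.sha256(digest).digest()
    return digest


def pbkdf2_hmac_sha256(password: bytes, salt: bytes, iterations: int, dklen: int = 32) -> bytes:
    """PBKDF2 written out so the chaining is visible.

    For each output block i:  U_1 = HMAC(P, S || INT(i)),  U_j = HMAC(P, U_{j-1}),
    T_i = U_1 xor U_2 xor ... xor U_c.  Every guess has to redo all c HMACs.
    """
    hlen = hashlib.sha256().digest_size
    out = bytearray()
    for i in range(1, -(-dklen // hlen) + 1):  # ceil(dklen / hlen) blocks
        u = hmac.new(password, salt + i.to_bytes(4, "big"), hashlib.sha256).digest()
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha256).digest()
            for k in range(hlen):
                t[k] ^= u[k]
        out += t
    return bytes(out[:dklen])


def matches_stdlib(password: bytes, salt: bytes, iterations: int, dklen: int = 32) -> bool:
    """Cross-check the hand-written loop against hashlib's C implementation."""
    return pbkdf2_hmac_sha256(password, salt, iterations, dklen) == hashlib.pbkdf2_hmac(
        "sha256", password, salt, iterations, dklen
    )


def seconds_per_guess(iterations: int, password: bytes = b"password", salt: bytes = b"NaCl") -> float:
    """Cost of one guess for an attacker (and of one login for you) at this iteration count.
    Sample password and salt are constructed values."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    for its in (1, 1_000, 100_000, 600_000):
        print(f"{its:>8} iterations: {seconds_per_guess(its) * 1000:8.2f} ms per guess")
```

Run it and the per-guess time grows linearly with the iteration count; pick the largest count your login latency budget tolerates, and store it next to the hash so you can raise it later, which is what the bcrypt cost field in the demo is for.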

13. Salting

In this video, I’m going to be talking about password salting. A cryptographic salt is a set of random characters combined with a password (typically prepended or appended to it) before the operating system or application hashes it and stores it. You do this so that the same password never produces the same stored hash twice, which defeats rainbow tables and other precomputed lookup tables and forces an attacker to crack every hash separately instead of all at once. Let me explain how this works. Remember, passwords are hashed. As a quick reminder, I have password generator net open here, and I’m looking at an MD5 hash.

So let’s say your password is password. That means the operating system stores this hash in its password file. When you log in and type password, it hashes what you typed, and if that matches what’s stored, it logs you in. Now, what if you have a terrible password, like the word password I have here? To make the stored value unpredictable, I can add a cryptographic salt. Again, a salt is just a random set of characters combined with the actual password before it’s hashed, and the operating system then stores that hash. I’ll show you something. Watch this.

If I go to CrackStation, which cracks hashes, give it this hash and say, okay, let’s crack this. Traffic lights, here we go. You see how easily it cracked it? Right now I have an unsalted password. But what if I add a salt? Remember, a salt is just a random set of characters added to your password before it’s hashed. So I Googled “password hash salt generator” and found this site here, lorem ipsum co UK. There are a bunch of these sites; just Google “password salt generator” or “hash salt generator”. I like this one because it gives a lot of different hashes. You’ll notice it has a field for an optional salt.

So I’m going to go in there and say my password is just password. And I ask it to generate a hash for me with the salt. So it did; we’re doing MD5. This is my password, and what it did is add the random salt to it and then hash the result. So this would be the new hash. And I’ll show you how they got it. Basically, this is the salt.

If I take this salt, copy it, and add it to my password here, then the new hash with the salt added ends in 95f1 (we’ll just compare the last four characters). Where is it? 95f1. So yes, all they did was take the salt and add it to the password, just like I did. Salts are generally random characters combined with the password before it’s hashed. Now, if I give this brand new salted hash to CrackStation, it can’t crack it, because the hash no longer matches any entry in its precomputed table. Mountains or hills, okay, mountains or hills, and it can’t do it now. Note that the password itself did not get stronger: an attacker who has both the salt and the hash can still run a dictionary attack against this one hash. What the salt stops is looking up a hash that somebody has already computed.

So we defeated this one by using a salt. This is the optional salt that we added. So password salting is just a set of random characters added to the password before it’s hashed. Now, the way it’s stored in the operating system is like this. You don’t need to remember the salt. The operating system remembers the salt, not you. And not just the operating system, but the application: this is mostly used in applications, so the app stores the salt, not you. So when I come to my computer and type in my password, all I do is type password. The computer adds the stored salt to it, hashes it again, and compares the result to the stored hash. So if anybody ever steals the hash, maybe because it’s going around the network in clear text, or because they break into the application and dump all the hashes, they’ll be cracking a value that isn’t simply my password. This MD5 hash here is not the hash of my password alone; it’s the hash of salt plus password. Now you’re going to laugh when I tell you this: the cryptographic salt is generally stored right alongside the password hash, in the same record. That’s not the laughing part; that’s just how these systems are built, and it is fine, because the salt is not a secret. It only has to be random and unique per password.

Then there is something called a pepper. Salt and pepper, that’s the funny part. The salt is stored with the password hash. The pepper is the same idea, an extra value mixed into the password before hashing, except the pepper is a secret stored somewhere else: in another system, in application configuration, or in a hardware security module, never in the same database as the hashes. So the pepper is stored separately from the password hashes, while the salt is stored with them; an attacker who dumps only the database gets the salts but not the pepper, and cannot crack those hashes without it. Okay? So remember, for your exam: salting makes every stored hash unique, which defeats rainbow tables and the lookup tables you saw, and forces the attacker to brute force or dictionary attack each hash individually instead of all at once. Salting alone does not slow down a single guess; for that you combine it with key stretching.
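The storage scheme just described, as an added example that is not part of the original lesson and does not reproduce any of the websites used in the demo. A small constructed wordlist stands in for a cracking service’s precomputed table; the record format `<salt hex>$<hash hex>`, the use of SHA-256 for the salted hash and of HMAC keyed with the pepper are this example’s own choices, and `server-side-secret` is a made-up pepper.

```python
"""Salted (and peppered) password storage next to the unsalted lookup it defeats.
Added example; the table below is a constructed stand-in for CrackStation."""
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for a precomputed lookup / rainbow table: the attacker has
# already hashed a wordlist of common passwords and simply looks a hash up.
WORDLIST = ["password", "123456", "qwerty", "letmein", "Password1"]
LOOKUP_TABLE = {hashlib.md5(w.encode()).hexdigest(): w for w in WORDLIST}


def md5_unsalted(password: str) -> str:
    """What the lecture's first demo does: hash the bare password."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_salted(password: str, salt: bytes) -> str:
    """What the salt generator site does: salt || password, then MD5."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def lookup(hex_digest: str) -> Optional[str]:
    """Instant 'crack' by table lookup; None when the hash is not in the table."""
    return LOOKUP_TABLE.get(hex_digest)


def make_record(password: str, salt: Optional[bytes] = None, pepper: bytes = b"") -> str:
    """Build the stored credential: '<salt hex>$<hash hex>'.

    The salt is random per user and kept in the record (it is not a secret).
    The pepper, when used, is a site-wide secret kept outside the database; it is
    mixed in as an HMAC key so the hash cannot be recomputed without it.
    """
    if salt is None:
        salt = os.urandom(16)
    material = salt + password.encode()
    if pepper:
        digest = hmac.new(pepper, material, hashlib.sha256).digest()
    else:
        digest = hashlib.sha256(material).digest()
    return f"{salt.hex()}${digest.hex()}"


def verify(record: str, password: str, pepper: bytes = b"") -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    salt_hex, stored_hex = record.split("$", 1)
    candidate = make_record(password, bytes.fromhex(salt_hex), pepper)
    return hmac.compare_digest(candidate.split("$", 1)[1], stored_hex)


def same_password_distinct_records(password: str) -> bool:
    """Two users with the same password get different stored hashes."""
    return make_record(password) != make_record(password)


if __name__ == "__main__":
    h = md5_unsalted("password")
    print("unsalted MD5:", h, "-> table says:", lookup(h))
    s = md5_salted("password", b"NaCl")  # constructed salt
    print("salted MD5:  ", s, "-> table says:", lookup(s))
    rec = make_record("password", pepper=b"server-side-secret")  # made-up pepper
    print("stored record:", rec)
    print("login ok:", verify(rec, "password", b"server-side-secret"))
    print("login without pepper:", verify(rec, "password"))
```

The last line of output is the pepper’s whole point: a copy of the database alone, salts included, is not enough to recompute or verify anything. In production the SHA-256 call in `make_record` would be a stretched hash (bcrypt, PBKDF2, scrypt or Argon2) so that the per-hash dictionary attack the salt does not prevent is slow as well.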

14. Quantum

In this video, I’m going to be talking about quantum cryptography. Before we get started: the next wave of computing will be quantum computing. Quantum computing is the next generation beyond our old style of computer, and I say old because the basic architecture of the PC we know today was invented roughly 80 years ago, in the 1940s, and has not fundamentally changed since. The new generation of computers that may arrive in ten or twenty years is the quantum computer, built on what are known as qubits. What I want to talk about in this video is how this relates to cryptography. For certain problems a quantum computer will be a whole lot faster than the computing power we have today, and that means a problem for encryption.

Now remember, the security of encryption depends on how slow it is for a computer to brute force the key, trying every possible key until one works. If you remember my AES video on symmetric encryption, I showed you that a 128-bit key is effectively impossible to brute force with classical computers. Now comes quantum computing, which drastically raises the computing power available for some problems. Quantum computing can speed up key search so much that a 128-bit key becomes about as hard to crack as a 64-bit key is today.

Now, there are some issues here that we need to talk about. First, symmetric encryption. In symmetric encryption we have AES-128 and AES-256. Let me say this without making it too complex: if a large quantum computer does exist (and remember, in today’s world these are not commercialized machines; much of this is still theory and they’re still figuring out how to build one), it is theorized that a 128-bit key would become crackable with roughly the effort of a 64-bit key. This comes from Grover’s algorithm, which searches a key space in about the square root of the classical number of steps, so it effectively cuts the key size in half. That is why AES-256 is taught to still be secure against a quantum computer: the key is so large that even cut in half to an effective 128 bits, it is still considered very secure. The real problem comes in key distribution. If you remember, RSA is one of the most famous key distribution algorithms, and quantum computing does have the ability to crack RSA. RSA’s security rests on the difficulty of factoring a number that is the product of two large primes, and Shor’s algorithm lets a quantum computer factor such numbers efficiently, so a sufficiently large quantum computer would break RSA (and, for the same reason, Diffie-Hellman and elliptic-curve key exchange, which rest on the related discrete logarithm problem). This is where quantum key distribution (QKD) comes in: exchanging symmetric keys over a link that relies on the physics of quantum mechanics rather than on a hard math problem, so that any eavesdropper disturbs the exchange and is detected. QKD is quantum communication, not quantum computing.

That’s a whole other topic for another class, and it is in the future, not current. But just remember, a quantum computer could crack this. So this brings us to post-quantum cryptography. Post-quantum cryptography means new encryption and key exchange algorithms that run on today’s ordinary computers but are built on math problems that a quantum computer is not known to solve efficiently, so they can replace RSA and Diffie-Hellman before large quantum computers arrive; that’s a lesson for a whole other class and year as we get there. But just remember, for your exam: know what quantum computing is, know that future quantum computers will be a whole lot faster at certain problems and may be able to crack the current public-key encryption we have now, and know the two responses. Quantum cryptography (quantum key distribution) uses quantum communication to exchange keys, and post-quantum cryptography uses new classical algorithms designed to resist quantum attack.
