CompTIA Security+ SY0-601 – 2.9 Basics of cryptographic concepts Part 5
March 27, 2023

12. Key stretching

In this video, we’re going to be talking about key stretching. Now, key stretching is something you do when you may be using an algorithm, a cryptographic algorithm, where the key by itself is not long enough. In other words, if you guys remember when I explained to you guys why key size matters, right? The bigger the key size, the more key space. But if you have a very small key size algorithm, especially to store passwords, this becomes an issue because then they’ll be able to brute force it and defeat your encryption. So key stretching, what it does is that it will allow you to encrypt data and then encrypt it again, and then encrypt it again, and then encrypt it again in order to increase the strength of it and make it harder for a brute force attack to work.

So, for example, let’s say you take a password. If you remember, passwords are hashed. So if you take a password and you hash it, and then you take that hash and you hash it again, and then you take that hash and you hash it again and you keep doing this, it basically makes it harder for you to decrypt the data, or harder to decrypt the hash, I should say. So one famous tool to do this is Bcrypt. Now I’m going to show you guys Bcrypt here. There are a bunch of Bcrypt tools online, and the rounds are them rehashing it over and over and over. So take a look at this here. I’m going to use this one. So I just Googled “bcrypt online.” And the second one here, browser lingering. com. And I’m just going to put in, let’s say you have a password, so that’s my password, not too complex. You guys can see that. Notice how it says rounds? So basically it’s going to hash it and rehash it and rehash it and rehash it over and over and over. And we’re going to say encrypt that.

And you’ll notice that it generated a hash. Now basically, what this is is that it hashed it, then rehashed it, then rehashed it, then rehashed it. Why are we doing this? Well, once again, you’re doing this so that you’re stretching out the key. You’re making it more difficult for a brute force attack to work. Interesting tool. I want you guys to check out this tool here, Bcrypt. And if you’re ever in a position where you realize that the hashing algorithm for a password or an encryption isn’t strong enough, consider key stretching.

13. Salting

In this video, I’m going to be talking about password salting. A cryptographic salt is basically a set of random characters added to the end of a password before the operating system hashes it and stores it. You do this to increase the complexity of the hash that’s being stored. This helps to defeat things like brute force attacks, rainbow table attacks, and dictionary attacks. So let me explain how this works to you once again. Remember, passwords are hashed, right? So just a quick reminder. Let’s say here I have password generator net, and I’m looking at an MD5 hash.

If I go to CrackStation, which cracks passwords, and I give it this hash and I say, okay, let’s crack this. Traffic lights. Here we go. Traffic lights. You see how easily it cracked it? So right now, I have an unsalted password. But what if I add a salt? Now, remember, a salt is just a random set of characters added to your password before it’s hashed. So I have a website here, so I Googled “password hash salt generator.” All right? And then I found this site here, loreem ipsum co UK. And there are a bunch of these sites here that you can use. Just Google “password salt generator” or “hash salt generator.” There are a bunch of them. I just like this one here because this one gives a lot of different hashes. So you notice it puts up this optional salt.

So I’m going to go in there and I’m going to say, you know what? My password is just “password.” So, password. And I’m going to say, hey, can you generate a hash for me with the salt? So it did. So we’re doing an MD5. So this is my password. And what they did is they added this random set, the salt, to it and then they hashed it. So they’re saying that your new one is this. This would be the new hash. And I’ll tell you, I’ll show you how they got it. Basically, this is the salt.

If I take this and I copy it and I add it to my password here. So this is the salt as well. Now, the new hash with this additional salt is 95f1. We’ll just use the last four. Where is it? 95f1. So yes, all they did was they basically took this and they added it here, just like I did here. So salts are generally some kind of random digits added in to the password before it’s hashed. Now, being that this is my brand new hash, if I give this to CrackStation, it can’t crack it, because now it’s a really complex password. Mountains or hills. Okay, mountains or hills, and it can’t do it now.
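The two ideas from sections 12 and 13, salting and key stretching, as an added Python example (not code from the course or from any of the web tools shown). The lookup table, salt values and round counts are constructed for illustration; the unsalted MD5 of “password” is the real digest 5f4dcc3b5aa765d61d8327deb882cf99.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a rainbow/lookup table such as CrackStation's:
# unsalted MD5 digest -> plaintext, for a few common passwords.
PRECOMPUTED = {hashlib.md5(p.encode()).hexdigest(): p
               for p in ["password", "123456", "letmein"]}


def lookup(digest_hex: str):
    """Return the plaintext if the digest is in the precomputed table, else None."""
    return PRECOMPUTED.get(digest_hex)


def salted_md5(password: str, salt: bytes) -> str:
    """The construction the video shows: salt appended to the password, then MD5."""
    return hashlib.md5(password.encode() + salt).hexdigest()


def stretch(password: str, salt: bytes, rounds: int) -> str:
    """Naive key stretching: hash once, then re-hash the output (rounds - 1) times.
    Bcrypt is built more carefully than this, but the idea is the same."""
    digest = hashlib.sha256(salt + password.encode()).digest()
    for _ in range(rounds - 1):
        digest = hashlib.sha256(digest).digest()
    return digest.hex()


def pbkdf2(password: str, salt: bytes, rounds: int) -> str:
    """Standard-library salted, stretched hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def store(password: str, rounds: int = 100_000):
    """What a server keeps per user: a fresh random salt, the round count, the hash."""
    salt = os.urandom(16)
    return (salt, rounds, pbkdf2(password, salt, rounds))


def verify(password: str, record) -> bool:
    """Re-derive with the stored salt and rounds; constant-time compare."""
    salt, rounds, stored = record
    return hmac.compare_digest(pbkdf2(password, salt, rounds), stored)


if __name__ == "__main__":
    print(lookup(hashlib.md5(b"password").hexdigest()))  # table hit: 'password'
    print(lookup(salted_md5("password", b"x7Q!")))       # None: salted digest not in table
    rec = store("password")
    print(verify("password", rec), verify("passw0rd", rec))  # True False
```

Each extra round multiplies the attacker's cost per guess; the random salt makes a precomputed table useless because every user's hash must be attacked separately.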