Crypto Basics 1
Base64 Encoding
Basically it goes through all the bytes and transforms each set of 6 bits into a readable byte (8 bits). The result is that the size of the encoded bytes is increased with about 33%.
1 | Hello ==> SGVsbG8= |
Basic Authentication
Basic authentication is sometimes used by web applications. This uses base64 encoding. Therefore, it is important to at least use Transport Layer Security (TLS or more commonly known as https) to protect others from reading the username password that is sent to the server.
HTML encoding
HTML encoding is used a lot when sending form data and request parameters to the server. Since spaces are not allowed in a URL, this is then replaced by %20.
UUEncode
The Unix-2-Unix encoding has been used to send email attachments.
XOR encoding
Sometimes encoding is used as a first and simple obfuscation technique for storing passwords. IBM WebSphere Application Server e.g. uses a specific implementation of XOR encoding to store passwords in configuration files. IBM recommends to protect access to these files and to replace the default XOR encoding by your own custom encryption. However when these recommendations are not followed, these defaults can become a vulnerability.
XOR运算有一个很奇妙的特点:如果对一个值连续做两次 XOR,会返回这个值本身。
原始信息是message,密钥是key,第一次 XOR 会得到加密文本cipherText。对方拿到以后,再用key做一次 XOR 运算,就会还原得到message。
战后,美国数学家香农(Claude Shannon)将他的研究成果公开发表,证明了只要满足两个条件,XOR 加密是无法破解的。
key的长度大于等于message
key必须是一次性的,且每次都要随机产生
理由很简单,如果每次的key都是随机的,那么产生的CipherText具有所有可能的值,而且是均匀分布,无法从CipherText看出message的任何特征。也就是说,它具有最大的"信息熵",因此完全不可能破解。这被称为 XOR 的"完美保密性"(perfect secrecy)。
满足上面两个条件的key,叫做 one-time pad(缩写为OTP),意思是"一次性密码本",因为以前这样的key都是印刷成密码本,每次使用的时候,必须从其中挑选。
相对于其他的简易加密算法,XOR算法的优点如下。
(1)算法简单,对于高级语言很容易能实现。
(2)速度快,可以在任何时候、任何地方使用。
(3)对任何字符都是有效的,不像有些简易加密算法,只对西文字符有效,对中文加密后再解密无法还原为原来的字符。
通过密码编码可以阻止偶然查看服务器配置和属性文件中的密码。
缺省情况下,使用各种 WebSphere® Application Server ASCII 配置文件中的简单屏蔽算法自动对密码进行编码。 此外,您可以手动对 Java™ 客户机和 WebSphere Application Server的管理命令所使用的属性文件中的密码进行编码。
缺省编码算法称为 XOR。 备用 OS400 编码算法可与仅利用本机验证列表 (*VLDL) 对象的 WebSphere Application Server for IBM® i 配合使用。 对于 OS400 算法,密码以加密形式存储在验证列表中。 配置文件中包含已存储的密码的索引,但不包含已屏蔽的密码的索引,与 XOR 算法的情形相同。
经过编码的密码使用以下语法:
其中 {algorithm} 是一个标记,它指定用来对密码进行编码的算法,算法包括 XOR 或 OS400。 encoded_password 变量是密码的编码值。 当服务器或客户机需要对密码解码时,它就会使用该标记来确定使用哪种算法,然后使用该算法来对经过编码的密码进行解码。
Java 客户机使用 sas.client.props 文件中的密码,该文件位于 profile_root/properties 目录中。
要将密码编码用于 Java 客户机,必须使用 PropFilePasswordEncoder 工具在 sas.client.props 文件中手动编码密码。
WebSphere Application Server 的管理命令将 soap.client.props 文件 (也位于 profile_root/properties 目录中) 中的密码用于 SOAP 连接。 某些管理命令 (可选) 将 profile_root/properties 中的 sas.client.props 文件中的密码用于远程方法调用 (RMI) 连接。 要将密码编码与管理命令配合使用,必须使用 PropFilePasswordEncoder 工具手动对 soap.client.props 和 sas.client.props 文件中的密码进行编码。
WebSphere {xor} password在线解密:
WebSphere {xor} password decoder and encoder (strelitzia.net)
Plain Hashing
Hashing is a type of cryptography which is mostly used to detect if the original data has been changed. A hash is generated from the original data. It is based on irreversible cryptographic techniques. If the original data is changed by even one byte, the resulting hash is also different.
So in a way it looks like a secure technique. However, it is NOT and even NEVER a good solution when using it for passwords. The problem here is that you can generate passwords from dictionaries and calculate all kinds of variants from these passwords. For each password you can calculate a hash. This can all be stored in large databases. So whenever you find a hash that could be a password, you just look up the hash in the database and find out the password.
Some hashing algorithms should no longer be used: MD5, SHA-1 For these hashes it is possible to change the payload in such a way that it still results in the same hash. This takes a lot of computing power, but is still a feasible option.
Salted Hashes
Plain passwords should obviously not be stored in a database. And the same goes for plain hashes. The OWASP Password Storage Cheat Sheet explains what should be used when password related information needs to be stored securely.
在线解密:
Symmetric encryption
Symmetric encryption is based on a shared secret that is used for both encryption as well as decryption. Both parties involved in exchanging secrets therefore share the same key.
Example protocols are:
AES
3DES
Asymmetric encryption
Asymmetric encryption is based on mathematical principles that consist of a key pair. The two keys are usually called a private key and a public key. The private key needs to be protected very well and is only known to one party. All others can freely use the public key. Something encrypted with the private key can be decrypted by all that have the public key, and something encrypted with the public key can only be decrypted with the private key.
Example protocols are:
RSA
DSA
HTTPS uses both symmetric and asymmetric keys
Here is a short description of what happens if you open your browser and go to an https site.
Your browser connects to the server and gets the webserver certificate
Your browser checks if it trusts the certificate issuer by checking if the issuer certificate is in its trust store. This trust store is managed by operating system and browser updates. And on some corporate networks it is managed by the company. From the certificate the browser obtains the public key.
The browser now generates random bytes to be used to generate a symmetric key and encrypts this with the public key of the server. So only the server can decrypt it.
At the end of this process both the browser and the webserver will use the exchanged symmetric key (in the asymmetric key exchange process) to encrypt and decrypt messages that are sent back and forth between the browser and the webserver.
Symmetric keys are used because they can be used more safely for large amounts of data.
wechat
alipay