If we look at a hashing algorithm such as MD5, which is 128-bits, it’s role and purpose is to take any data you wish, and turn it INTO 128-bits. Now if you imagine I have a manual of 800 pages and I was to run it through the MD5 algorithm, the output would be 128-bits…. that’s 128 1′s and 0′s… how is it possible to turn 128 1′s and 0′s back into a 800 page manual? 128-bits might be big enough to indicate to us what language the book was written in, but what font type? Font size? Where is the page numbering? Are there pictures? Etc…

So if it’s impossible to reverse something that has been hashed, what is it used for? The simple answer is Integrity. Integrity is there for us to prove that the data has not been tampered with, or changed in any way, and to proof it came from the correct person.

As an example, If I was to send you an e-mail that said, “please pay John Doe $100″, and John Doe was to intercept that e-mail and changed it to say “please pay John Doe $1000″ I would not be too happy when my account was debited with the wrong amount. So what if instead of just sending you a clear message, I was to take the original data “please pay John Doe $100″ and then I was to take a secret word that only you and I knew about like “secretpassword” and hashed both values together. This would result in a 128-bit hash value (Result1), that I would then attach to the original message “please pay John Doe $100″

When you receive the e-mail it will have the original message “please pay John Doe $100″ and it will have ‘Result1′. You will take the original message, and take the password that only you and I know about “secretpassword” and hash them together. You would end up with a result (Result2). If ‘Result1′ is equal to ‘Result2′ then the message is correct and has not been tampered with. If the two input fields “please pay John Doe $100″ and “secretpassword” are used on both sides, the result has to be the same…. If the result is not the same, the two inputs used on my side are not the same as the two input fields on your side. Assuming we both have used the same password, then the only that could have changed is the message, proving the message has been tampered with, and we can throw it away.

Hashing is also used extensively in passwords for authentication. When I log onto my computer in the morning, I type my username “user” and I type my password “password”. My computer sends my username to my Domain Controller in clear text (no encryption or hashing), and sends the HASH of my password not the actual password! My Domain Controller knows what my password is supposed to be, so it checks my user account in its database, retrieves what my password should be, then it hashes my password that it retrieved from its database and compares that with what I sent it. If the two results are the same, I typed my password in correctly, if they are different, I got my password wrong. This is really good from a security point of view, as if someone was to ‘listen in’ on my conversation to try receive my password as it’s sent to the Domain Controller, all they would get is the Hash value, and not my password.

Note: When computers hash passwords they also include extra information in the equation such as the session number, which prevents the Hash from been re-played by someone else.

Related posts:

1. How encryption works
2. Decrypting Type 7 Passwords (enable password)
3. Configuring SSH (Secure Shell) on a Cisco device

When I moved into my house, my bathroom door didn’t have a key. The previous owners of the house didn’t know what key was needed for that door as they never had one either.

I went down to my local hardware store and spoke to them about my problem, and after paying a deposit for a whole set of keys, I was on my way back home.

The key set they gave me was for the Y-standard (each key starts with Y, i.e. Y1, Y2, Y3 etc), and there were just over a hundred of these keys. So there I was, in my bathroom trying every key in the bunch starting at Y1 all the way through to the end. Now if it had been my lucky day, I would have tried Y1 and had success. Worst case scenario it would have been the very last key, which I think was Y115. Now with only about 115 keys to try, it really isn’t the end of the world, and I did manage to find the right one after some time.

The point to my scenario, is that no-one had to explain to me how to use a key, or how to unlock a door. That’s not a big secret to anyone. The big secret is, which key opens the door.

Similarly with encryption, the algorithm that is used to encrypt and decrypt data is freely available on the internet, if you were to do a couple searches you will find the equation used in particular formula – much like different doors have different types of locks.

The big difference between my bathroom door, and computer encryption, is the amount of keys in the bunch.

If we were to assume that there was such a thing as 3-bit encryption, then the possible keys would be

000

001

010

011

100

101

110

111

Giving us 8 possible keys to try (2 to the power of 3). Needless to say, with only 8 keys this would take no time at all to find the right one to “open our door”

Encryption technologies therefore use a much larger structure, and hence have a lot more keys that one would have to try to break into an encrypted document.

40-bit encryption (2 to the power of 40) gives us a total of 1,099,511,627,776 – That’s over a TRILLION possibilities, and it’s a good thing that my bathroom door didn’t have that many keys I had to try! But just how good is that? Considering that in human terms a trillion of anything is amazing. Computers however are able to do millions and billions of things per second. My computer for example, is able to test just over 10 million keys per second, which makes a trillion not that far out of reach. Based on that, it would take my machine 1.2 Days to crack a 40-bit encryption standard.

So how good is 56-bit encryption then?

56-bit will give us a total of 72,057,594,037,927,936 (72 Quadrillion keys!!!) I can’t even comprehend that amount of anything. But yet again, just how good is that really. Well based on my computer been able to do just over 10 million keys per second, it would take my computer 228 YEARS!!!! The beautiful thing about binary, is that for every bit larger the encryption key is, the amount of keys DOUBLES in size. So 57-bit would take me 456 Years, 58-bit would take me 912 Years etc.

The good news is, that encryption standards today usually work on

56-bit                             72,057,594,037,927,936         (228 years for my computer to decrypt)

64-bit                    18,446,744,073,709,551,616         (58,494 Years)

128-bit                  ???

1024-bit                ???

2048-bit                ???

Related posts:

1. Hashing, What is it and how does it work?
2. Configuring SSH (Secure Shell) on a Cisco device
3. Decrypting Type 7 Passwords (enable password)