We have passed a brief introductory course, now we should talk in more details about what is encryption in General, let's delve into what is the hash itself, etc.
Hashing
Hashing is the transformation of an array of input data of arbitrary length into a (output) bit string of fixed length, performed by a certain algorithm. The function that implements the algorithm and performs the transformation is called a "hash function" or "convolution function". The source data is called an input array, a "key" or a "message." The result of the conversion (output) is called "hash", "hash code", "hash sum", "message summary".
Let's look at the image, see here:
1. Input
2. Algorithm or hashing function
3. The Resulting output is always a fixed size.
Hash function accepts input data of any size. It can be e-mail, file, word, in our case, the phrase "Hello", and the data is converted using the hash function in the following form
732b01dfbfc088bf6e958b0d2d6f1482a3c35c7437b798fdeb 6e7 7c78d84ccb1
For better assimilation and analysis of this material, let's move away from the dry text and make a visual demonstration
As we can see from the animated GIF above, our input is converted using a hashing algorithm, namely SHA-256, to a fixed-size output.
explanation: As we can see, when changing our input data by adding "=) " our output has a different form, as in the bit equivalent the multiplier has changed. Consequently, the value of the output itself has changed. When returning to the original input data, the value again gets the original form.
You can present this as an example: 1. "Hello" = 5
2. "Hello =)" = 7 3. "Hello" = 5
The hash algorithm itself is the second arbitrary multiplier, let it be 2, then:
1. 2*5=10
2. 2*7=14
3. 2*5=10
And with the hash, only the hashing algorithm has more complex mathematical operations than I gave before, if you need a specific conversion formula used in the algorithm, see Wikipedia.
An important feature of the hash function is that you cannot convert from the hash back to the original input. This is a one-way hash function and does not require keys.
For example, again look at our GIF, which I gave earlier
Hello > SHA-256 > 732b01dfbfc088bf6e958b0d2d6f1482a3c35c7437b798fdeb 6e7 7c78d84ccb1
As we can see, we only used the input data, without any keys, and then we got the resulting output, which always has fixed size depending on the type of function you are using.
This ensures integrity and allows you to detect unintended modifications. It doesn't provide privacy, authentication, it does not allow to determine the presence of intentional modification.
by the WAY: There are many examples of hash functions: MD2, MD4, MD5, HAVAL, SHA, SHA-1, SHA-256, SHA-384, SHA-512, Tiger and so on.
WHAT to USE: NOWADAYS, if you choose a cryptographic system, you should use SHA-256 and above, I mean SHA-384 and SHA-512 and so on.
To make it easier to deal with the material, let's move away from the dry text and simulate the situation
let's Say You were given the task to download the operating system Windows 7 Home Premium x64bit
We know that this operating system comes from the developer Microsoft, then we go to the search and make the following search query: site:microsoft.com Windows 7 Home Premium hash
Site operator: This operator limits the search to a specific domain or site. That is, if we make a request: site:microsoft.com Windows 7 Home Premium hash, the results will be obtained from pages containing the words "Windows", "7", "Home", "Premium" and "hash" on the site "microsoft.com" and not in other parts of the Internet.
This is also the key information to search for the shops using operators in search engines, learn more about how to search using operators in Google use this article - https://habrahabr.ru/sandbox/46956/ .
As we can see from the Gifs above, I easily found the hash amount of the operating system Windows 7 Home Premium 64bit on the official website of Microsoft
Here it is - SHA1 Hash value: 6C9058389C1E2E5122B7C933275F963EDF1C07B9
In General, I would recommend you to find the hash amount and search from 256 and above, but on the official site there was only this amount, so I'll take what we have
Next, we need to find a file that corresponds to the hash amount, for this we also use the Google search engine and operators, how to search using operators and what it is, the link above.
inurl:download "6C9058389C1E2E5122B7C933275F963EDF1C07B9"
After you download this file, you can use our hash amount to make sure that this file has not changed, i.e. it has integrity.
There are tools that you can download to do this. https://en.wikipedia.org/wiki/Compar..._verification_ software
One of these tools is the Quick Ha (https://quickhash- gui.org), and I will show you an example with it, how to verify the hash amount and verify the integrity of the information received.
As we can see, the hash amount of the downloaded file corresponds to the hash amount given to us from the official website of Microsoft.
I will also attach below information on other hash amounts of this file
MD5: DA319B5826162829C436306BEA7F0F
SHALL-1: 6C9058389C1E2E5122B7C933275F963EDF1C07B9
SHALL-256: C10A9DA74A34E3AB57446CDDD7A0F825D526DA78D9796D44 2DB5022C33E3CB7F
SHALL-512: E0CB678BF9577C70F33EDDC0221BC44ACD5ABD4938567B92D C31939B814E72D01FAC882870AB0834395F1A77C2CD5856FD8 8D2B05FBE1D1D9CCE9713C1D8AB73
You may notice, as these numbers increase in the hashing algorithm, the length of the hash becomes longer as it is the length in bits. SHA-1 is short, 256, 512, and MD5, which is weak and should not be used at all. So this is a way to confirm that the file you downloaded has kept its integrity.
Some of you will probably ask, "What if the file I'm going to download is already compromised?"For example, here we have a website (https://www.veracrypt.fr) software VeraCrypt (https://ru.wikipedia.org/wiki/VeraCrypt).
And I want to download VeraCrypt, the site has a hash amount of files encoded SHA-256 and SHA-512
SHA-256: 6cff2cce52eb97321b1696f82e9ccefa7c80328d91c49bf10b 49e3 897677896e VeraCrypt Setup 1.21.exe
SHA-512: 5c68a5a14fa22ee30eb51bc7d3fd35207f58eefb8da492f338 c6d
ac54f68133885c47fa2b172d7836142c75d838dac782b9b9fa ca4 06a2ffb8854cc7d93f8b359 VeraCrypt Setup 1.21.exe
However, there is one "BUT", if the website has been compromised, it means that the attackers could substitute this file for downloading and add something to it, a Trojan or something for surveillance, and they could also substitute the checksum.
So, it appears the hash means nothing, that is, it cannot detect the intentional modification of a file. And we need something else to make sure that this software really comes from the developer. That the site VeraCrypt is the official site of VeraCrypt, etc.
And here we come to the certificates, digital signatures and other tools, that are we going to parse, but for now, let's touch on a not unimportant essence of hashing.
I don't want to copy etc. it's important to see everything in colour and details
Now let's talk about Digital signatures
So let's go back again to our VeraCrypt, how to find out that the site is really official and the software comes from the developer.
a very Simple and tricky way to find out if it is an official website is to find the software in Wikipedia, and to follow the link to the official website of the software from there.
However, we can also click on the target lock and there see the certificate that was issued https://puu.sh/xQAFM/e687c816ce.png
A digital signature is a hash value. This is the result of a fixed-size hash function that is encrypted with the sender's private key in the purpose of creating a digital signature or signed message.
From a technical point of view, a digital signature is a mark, confirming the person, who signed the message. This is the issuance of a guarantee for the object that was signed with it.
For clarity, what is a digital signature open screenshot ( https://puu.sh/xQAFM/e687c816ce.png ) and look at the Signing
Signing: What you can see on the infographic above, but based on our file which we parse hash Algorithm > hash Value (6cff2cce52eb97321b1696f82e9ccefa7c80328d91c49bf10 b49e3 897677896e) > Private key (see Asymmetric encryption) =
Digital signature.
If the encryption object is signed with a digital signature, authentication is provided, because the object is encrypted with a private key, which can only be encrypted by the owner of this private key. This is authentication.
It makes it impossible to refuse authorship, because, as I said before, the private key of the sender was used. And it provides integrity as we hash.
Digital signature can be used, for example, in software. It can be used for the drivers inside of your operating system. It can be used for certificates, confirming that the signed objects come from the person specified in the certificate, and that the integrity of the data of these objects has been preserved, and that they haven't undergone any changes.
And how to make sure that the file really comes from the developer, in our case VeraCrypt, that is, in the case of fraud, etc. you could say with 100% certainty that I used your software, and it was signed by your digital signature.
https://puu.sh/xQB20/5166e3d0c8.gif - usually the certificate is checked automatically.
After we watch the gif, open the screenshot https://puu.sh/xQB5Y/c840f4670d.png
What we see here. Certificate issued: to-IDRIX SARL, to - GlobalSign. So, GlobalSign is the company whose private key was used to digitally sign this program. GlobalSign reports: "This software is legitimate and has not been modified." It says here: "the Certificate is intended to certify that the software comes from a software developer, the software is protected from modification after its release." To find out if it's a valid digital signature or not, we need to reverse the original process.
so we open again our screenshot https://puu.sh/xQAFM/e687c816ce.png
Check: What you can see on the infographic above but based on our file that we are parsing
Signed message > Public key ( this is a file in format .asc usually has the following form - https://www.idrix.fr/VeraCrypt/VeraC...public_key.asc, the private key also looks the same ) =hash Value, that is what you should get 6cff2cce52eb97321b1696f82e9ccefa7c808d91c49bf10b49 e389 7677896e
After that, this hash value will need to be checked with the specified hash, open the file with the program QuickHash, run our file and in the algorithm that it is presented to us, everything must match, if it does not match the file itself is changed, and there may be a Trojan, or something to wiretap us, or something bad
SHA-256: 6cff2cce52eb97321b1696f82e9ccefa7c80328d91c49bf10b 49e3 897677896e VeraCrypt Setup 1.21.exe
I checked the received hash ( https://puu.sh/xQBAz/8905455dd7.png ) and as we can see in the screenshot, they are identical, the files are legitimate and correspond to the digital signature of the developer and this file exactly from him.
And this software will infect your computer with WannaCry or any other bad virus, it will be guilty.
For example, this is how you, as a child, would deny that fact, that you ate all of the but your mother pokes you in the face with evidence, such as video and says, I have it all recorded, look here. And no matter how hard you try, that's what digital signature does.
Read a few times, if you do not understand, and try to understand this point, it is really important
And what we saw directly in this screenshot https://puu.sh/xQAFM/e687c816ce.png
This is what Windows verifies, the certificate of authenticity, that such certificate is really registered with a such number.
Let me draw an analogy to understand what Windows does, when it writes these lines https://puu.sh/xQBLa/604166ab6c.png in the certificate
You come to the Bank with fake money, and they check the money through special devices, and then BAM and the paint washes off, or they do not Shine through the watermarks and you are told that your bills do not match, and they are fake, as well as Windows.
So if someone else rewrote all of the data in the certificate and made a copy of the certificate for signing, with such data it would not correspond,
it is a complex topic, but actually I think it is clear.
And if the verification fails, you usually see a warning ( https://puu.sh/xQC61/ef80678f6b.png )
This means that any file that does not have a digital signature or Windows ( remember the Bank employee ) does not trust this digital signature ( and in the case of an employee of the Bank, he does not trust in your bill ), you can check the way I described above ( and the Bank employee well, there too, can check on your machine or there applying solutions ).
In Linux, this is simple, because you just do not install proprietary SOFTWARE as all SOFTWARE is usually put from official repositories.
You can take as homework to study etc.
Write yourself.
Let's go through this material again, because I am sure that for some of you it may seem quite difficult to understand.
So, the value of the hash (the program itself, if the dude himself drove it through QuciHash), which was encrypted using the private key (his private key, his personal fingerprint, so to speak on the network) of the sender or software release. It's a digital signature.
This ensures authentication, non-repudiation and integrity. But if you encrypt anything and in addition you would provide it with a digital signature, you will be able to achieve privacy together with authentication, repudiation and integrity.
Digital signatures certify that a program or anything else is received from a particular person or publisher, and they protect the software or messages from being modified after they have been published or sent.
I think we have now dealt with digital signatures. Let's now move on to End-to-End encryption (E2EE).
End-to-end encryption is that the data is encrypted by the sender and decrypted only by the recipient. If you want to avoid tracking, mass surveillance, hackers and so on, then you need this kind of encryption of transmitted data.
Examples of end-to-end encryption technology are things like PGP, S/MIME, OTR, which stands for "off the record" (Rus. not for writing), ZRTP, which stands for Z in the RTP Protocol, and SSL and TLS implemented correctly, all of which can be used as end-to-end encryption.
Companies that develop software, that uses end-to- end encryption and zero-knowledge systems cannot disclose the details of data exchange to your enemies, even under duress, even if they wanted to. This is the advantage of end-to- end zero-knowledge encryption.
End-to-end encryption provides protection in the process of data transmission, but it is obvious that it can not protect the data after it is received. Next, you need another protection mechanism. Use end-to-end encryption wherever possible.
the Use of secure HTTPS on all websites is becoming increasingly necessary, regardless to the types of data transmitted.
Let me show you what END-TO-END encryption is on the example of websites.
Is a digital certificate, the same as a digital signature, there are a number of differences, there are certification authorities and etc., you usually are not faced with that, not going to talk about this now, anyone interested can surf in Google "Centers of certification of keys and HTTPS and Digital certificates" a Green padlock in the URL or HTTPS means that your Internet provider or, say, the government, they can only track the target domain. What's the meaning of that?
let's Say there is an attacker between us and Google in the same way as in the case of sending a message in the infographic above. He won't be able to know exactly what I was looking for, because it's end-to-end ( or end-to-end ) encryption between my browser and the server.
Let's look at a visual example, and see what the provider can learn about us
First, we will use the example of non-encrypted connection using HTTP connection.
HTTP, HyperText Transfer Protocol - a widespread data transfer Protocol, originally designed for the transfer of hypertext documents ( that is, when you click on a word in the article to go to another web page ).
By default, HTTP uses TCP port 80.
For the screenshots below, I will use the WireShark network traffic analysis program.
For the experiment I took a site based on HTTP Protocol uznayvse.ru after I click on the link, the request from the site will be displayed in the program window WireShark, under the number 1, but let's immediately analyze what is responsible for each window of the program for better assimilation of the material.
1. This area is called Packet List -you can see in it, with which server the data is exchanged, the Protocol that is used and General information about the frames.
2. The next area is called Packet Details - it displays the details of the packages that have been selected in the Packet List.
3. And the last area is called Packet bit - it displays the 16th display of this package, also displays the offset in the form of Asuka, and also if we right-click on this area, we can see how it would look like in bits.
Here's what happens, when you click on a link, all traffic data is immediately filtered.
Let's look at the resulting packages, read more and find out clearly about the surveillance, analysis and etc.
1. Forwarded packets by our filter
2. Target domain, that is, the main page of the site is after slash "/"
3. User agent, browser settings, operating system version and other parameters..
4. Referer - indicates from which page we went to this page since we went from a secure page, there were many packages with redirects in the end, if we came from the same page it referred to ourselves, if I, for example, moved from the main page of the site to this then in the referral would be the main page of the site. ( see the screenshot below with an explanation to fully understand the meaning ).
5. Cookies, or session ) Here is your password sailed ) you Can go under your session logged in and fumble ) from the logged-in user that is you
by the WAY: If you think that this is the maximum of what this software is able to do, I am afraid to upset you, this is only the tip of the iceberg
6. Well, this is the final page where we are by the WAY: If you think that this is the maximum of what this software is able to do, I am afraid to upset you, this is only the tip of the iceberg in Order for you to have no doubts after reading, I decided to analyze these items by going from one page of the website to another and as we can see:
1. Refer - indicates the previous page that we parsed, we came to this page from it
2. What page are we on now?
As we can see, by itself, the HTTP Protocol does not involve the use of encryption, to transfer information.
However, for HTTP, there is a common extension that implements the packaging of transmitted data into the SSL or TLS cryptographic Protocol.
the Name of this extension is HTTPS (HyperText Transfer Protocol Secure). For HTTPS connections, TCP port 443 is typically used. HTTPS is widely used to protect information from eavesdropping, and generally provides protection against man-in-the-middle attacks - in the event that a certificate is validated on the client, and the private key of the certificate has not been compromised, the user has not confirmed the use of an unsigned certificate, and the user's computer has not implemented certificates of the attacker's certificate authority.
1. Google is using the secure HTTPS Protocol 2. Request packet data via a secure Protocol HTTPS
3. As we can see in the details of the package we have only Encrypted Application Data: 0000000000000016eec0818f25b5eb9bd4690883155a74b6.. .
No other information that is contained on the web page or where the person - we don't have
4. Since we have under the number 2-and the IP- address from which packets are exchanged with the server, we can see what kind of IP-address is there, and based on the data, we can conclude that the person is on the landing page of Google.
In fact, the use of HTTPS is secure and as I said earlier that: Companies that develop software that uses end-to-end encryption and zero-knowledge systems cannot disclose the details of data exchange to your enemies, even under duress, even if they wanted to. This is the advantage of end-to-end zero-knowledge encryption.
SSLStrip - https removal.
But also based on this, there are attacks on the removal of SSL, let's quickly analyze what it is?
Any attacker who can be located between the source and destination of traffic, in our case, the COMPUTER and the SERVER, this attacker can make an attack of the form "Man in the middle" ( Rus. "Man in the middle" ). One such attack, which requires very little skill and resources, is called SSL stripping ( Rus. "Removing SSL" ). The attacker acts as a proxy here and substitutes encrypted HTTPS connections for HTTP connections.
Let's open the screenshot and see what it is https://puu.sh/xQFWy/edbaf90d7a.png
1. As we can see we have sent the request with http
2. It passes through the SSLStrip and does not change, just goes on
3. The server sees that you came over in a insecure Protocol, without encryption and changes it to secure using encryption that is, https ( that is, 301 or 302 redirect is performed - this is configured on the server )
4. SSLStrip sees that the server has sent you a request in HTTPS ( see point 3 ) and automatically changes it to insecure that is on HTTP thereby removing TLS encryption
SSLStrip here, pretends to be the proxies and responds from the web server, simulating your browser, and sends you back the HTTP version of the site. The server will never notice the difference.
Because the server thinks that you are communicating over a secure https Protocol, because it does not see that an attacker ( SSLStrip ) has changed your Protocol to an insecure one
And what you will see - it will be almost indistinguishable from the original site. Let me show you what a website should look like.
https://puu.sh/xQHeu/014bf0515b.png
1. We see a secure version, that is, with end-to-end encryption
2. I have now done HTTPS-stripping ( removing SSL - SSLStrip ). And this is how the version of the site looks like after the attack.
As you can see, the difference, is that you no longer have HTTPS and most people will not notice the difference. And like I said, the server will never notice that something is wrong because it communicates with a proxy that behaves exactly like you would.
I advise you to read it with color
https://youtu.be/0wpxrPD90a4 - 1 Part of MITM. How is the MITM attack.
https://youtu.be/quZjKlrmCvQ -
Part 2 MITM.
Network attack methods MITM in parts, write down your Homework also view, etc.
You can delve more deeply into this issue What can I say as an EPILOGUE.
I believe that we have a lot of disassembled encryption, the only thing that I did not have time to disassemble, I wrote above ,that we did not say this option with PGP, OTR, ZRTP, OMAXA, such protocols, about them you can read in Google or learn from me, I will give information if you need it.
Well, with PPP and OTR I think everything is clear
ZRTP is voice communication,and Omaha is a new type of encryption from the OTP series, only with their buns from offline messengers, encryption of chats, conferences, etc.
Encryption is a fantastic tool for privacy, security and anonymity, it is a tool that really works and attackers ( hackers ) will try to avoid it.
In simple words.. No fool would make a direct attack on encryption.
Remember the case of Ross Ulbricht the Creator of the "silk road" he got on captcha. That is, a simple little thing, because people forget about the most important thing, namely the simplest things.. The basics so to speak.
That is, no one will ever brute your passwords, it is much easier to install you a Keylogger on your system, or send you a link to a site with an infected JS script and make an attack, or a PDF file, etc.
But as I said encryption, no one will ever want to break. Attackers will simply try to circumvent the encryption. You should keep that in mind.
Security is a so-called the weak link phenomenon . It is as strong as the weakest link in the chain. Strong encryption is often a strong link.
We, human beings are usually the weak link. As they say my Tongue is my enemy.
