Logo

Navigation
 

How to use Hashes to Ensure Integrity

By | on November 30, 2011 |
Networking

Introduction

Hashes are excellent within the field of cryptography. The hashes can be thought of as a type of transformation which captures input, and sends back a string which is fixed in size. This string is referred to as being the hash value.

Hash functions are directly connected to this property, and they will be used for a number of computational reasons, most notably cryptography. This hash value can be thought of as the precise symbolization of the message or document which is long, and from which it is derived.

The message digest could be thought of as a type of digital fingerprint, one which represents the bigger document. The cryptographic hash functions will be utilized to carry out integrity checks for the messages, and they will also carry out integrity checks for the digital signatures.

This is of great use in numerous security applications, which range from message integrity to authentication. The hash function will capture a string, no matter what its length, and this string will be taken in as input. It will then create a string with a specific length for the output.

This is referred to as being the message digest, or the digital fingerprint. The hash value, which is also known as a digest, can be thought of as a signature for a data stream which symbolizes the content.

A good analogy which can be used to described the hash function is comparing it to the seals which are tamper evident, which are commonly found with physical software packages.

For most standards and applications, the two hash functions which are most commonly accepted is the SHA-1 and MD5. Back in 2005, a number of security flaws were found in both of these algorithms.

Hash Basics

By 2007, the NIST presented a contest which would be used to invent a hash function which would be called SHA-3, and which would be susceptible to the FIPS standard. However, generally speaking, the hash function must behave like a function which is random, but it must still be deterministic, and should be computable in an efficient manner.

The hash will be considered vulnerable if it meets certain criteria. One of this criteria involves finding a message which matchs a digest which is given. Another criteria which designates a hash as being vulnerable is when collisions are found within two different messages that use the identical message digest.

If an attacker can use any of this criteria, they can utilize them as a substitute for authorized messages. Theoretically, it should not even be possible to find two messages that have digests which are identical, or even close in identity, and you would not want the attacker to be able to figure out anything useful from the message via its digest.

At the same time, if the attacker gets just a small bit of information, the digest can allow the attacker to notice the message if it should appear a second time. There are also a number of properties which are closely related to hash functions.

The hash function should be preimage resistant, second preimage resistant, and have weak collision resistance. It should be notoriously difficult to find two messages which are different with a hash that is collision resistant. However, there are many hash functions which are susceptible to what is called length extension attacks.

Even the most popular hash functions can be vulnerable to this. With the length extension attack, provided h(m) and len(m), but without m, by picking the suitable m, it is possible for an attacker to calculate h (m II m’) where II will define concatenation.

Potential Applications for Hash Functions

There are a number of potential applications where hash functions can be used. One good example is the verification for message integrity. It is important to determine whether or not modifications have been made to a specific file or message, and this can be accomplished with hash functions via the comparison of message digests which were calculated before and after transmission, as well as many other events.

The message digest can also be used to identify a file in a reliable manner. It can also identify systems for source code management, which includes Monotone along with Mercurial.

Hash functions are also useful for password verification. Passwords will typically not be stored within cleartext, and the reasons for this should be obvious. However, they will generally be stored within digest form. For authenticating the user, the password which is presented by the user can be hashed, and then compared with the stored hash.

This is typically referred to as being "one way encryption." Many digital signature algorithms will define that only the message digest be signed, rather than the whole message. Hash functions will also typically be used for pseudorandom bits. The top message digest algorithms that are used today include RIPEMD-160, MD5, and SHA-1.

Methods for Hardening Your Operating System

Many people choose to harden their OS so that they can maintain much higher levels of security. The first step in hardening your OS is to become familiar with the security policies which are related to it.

Whether you are working with Windows, Linux, or Solaris, each OS will have security policies which are distinct from others. At the same time, there are also many things that they all have in common. One of the most important steps in hardening your OS is to develop a strong password policy.

Most of the security which is related to your OS will be heavily dependent on the passwords you choose. To gain an understanding of how to use passwords properly, it is first important to understand the password requirements which are necessary for most operating systems.

Many operating systems, particularly Windows, will not store passwords in clear text. Instead, the passwords will be stored through the use of two distinct password representations, which are referred to as being hashes. This is done to ensure backwards compatibility.

One hash which is common with Windows is the LMHash. Also known as the Lan Manager hash, it is not really a hash, and is computed in a distinct way. The Lan Manager will be computed by converting the lower case characters for the passwords into upper case, padding the password with the NULL characters that are precisely 14 characters in length, and breaking the password into two pieces which are comprised of seven characters. It will use the pieces separately as DES keys to encrypt certain keys. Additionally, it will concatenate the twin ciper texts within the 128-bit string, and will store the results.

Role of Hashes in OS Hardening

Because of the algorithm which is utilized to create the LMHash, this hash is pretty easy to crack. Even if the password should be more than eight characters in length, it can simply be attacked in two pieces which are distinct. In addition to this, the whole lower cased part of the character set can be disregarded.

This basically means that many password crack tools can begin by simply cracking the LMHashes, and after this, they can alter the alpha characters within the password that has been cracked to create the passwords which are case sensitive.

If you are trying to login to your OS locally or remotely, you may need to use the password which is case preserved. Another type of hash which can be used for further hardening the OS is the NTHash. Known as the Unicode hash, it provides support for the whole Unicode character group.

The NTHash can be calibrated by using the plaintext password and creating the MD4 hash from it. Once this is done, the MD4 hash will be stored. The NTHash is much better than the LMHash because it can resist brute force attacks to a much higher degree.

If anyone should try to use a brute force attack on an OS that makes use of NTHash, it will take a much longer period of time for the attack to be successful, especially when compared to using such an attack on the LMHash. After the hash, the next important step in hardening your OS is to understand what comprises a good password.

There are a number of guidelines that exist for creating a good password, and understanding these will allow you to make your OS much more resistant to attacks and unauthorized attempts to access it.

What Comprises a Good Password?

The typical password should always be longer than seven characters. If it is not, the second portion of the LMHash will be an encryption which makes use of the NULL password. The password should also be comprised of 3 elements that come from the four primary character sets, and these are the Lowercase characters, the Uppercase characters, Non-alpha numeric characters, and Numbers. It is also important to keep in mind that passwords should never use any part of the username, and they should not be comprised of common words.

With most operating systems, the complexity of the password will be determined by the password filter. This filter can be extended to form a complete group policy. It is also possible for the administrator to customize the requirements for the password complexity, and this can be accomplished via the customized password filter.

For instance, this filter could act to enforce the fact that the name of a company or organization never be used in the password. Password filters play an important role in hardening operating systems, but the policies an organization follows is a very important part of computer/network security.

« « Data Protection Protocols
Importance of Goal Setting » »

Author Description

Chandra Vennapoosa

Chandra Vennapoosa, B.S Arch Graduate, Managing Director - Exforsys Inc, Founder of exforsys.com and geekinterview.com. Chandra's mission is "to provide quality career coaching and interview advice for aspiring candidates". She is an avid writer and is also very passionate to help others become professional freelancers. In addition to several online trainings, she has authored the popular book "How to Become a Successful Freelancer"

Exforsys e-Newsletter

ebook
 
© 2024. All Rights Reserved.IT Training and Consulting