can someone recommend a cryptography book? is it possible to have a good understanding of it without having a math(s) degree? i just want to learn the basics to start.

i was looking at those hashes in the other thread here (http://www.wilderssecurity.com/showthread.php?t=133182), are they probably salted because they're all the same length?

and i listened to security now, Gibson said WEP used a good entropic algorithm, but it uses the first bytes it produces and that made it weak, is he talking about hashing chains there?

that's the kind of stuff i want to understand.

-{ Quote: "i was looking at those hashes in the other thread here (http://www.wilderssecurity.com/showthread.php?t=133182), are they probably salted because they're all the same length?" }-Same hashing algorithm gives the same length, no matter the input. md5 is always 16 bytes, sha-1 always 20, sha-256 always 32. Adding a "salt" is a way of preventing dictionary attacks; usually it's a fixed length random or pseudo-random string, and it IS known (usually, appended at the end of the hash, but can be stored somewhere else).

Suppose you have a list of sha-256 hashes corresponding to these passwords:

"password" -> 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
"hello" -> 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
"ciao" -> b133a0c0e9bee3be20163d2ad31d6248db292aa6dcb1ee087a2aa50e0fc75ae2
"password" -> 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8

"password$012xL" -> 0187a7835b3623ec116787fc5d7eecb04589375328ae58a04d00e1288057928f$012xL
"hello88'@=^" -> 340070217986e415f6ab091e365090b36728f0ca58815471f5ab389734795e5288'@=^
"ciaoé\27)§" -> f6ff473c939f157d072a2e44d3cf44c4302aa73f000361d6170c2ce88bce393eé\27)§
"password:Z9w?+" -> 77cfd81cf0e1dbc90fffdb293d56f68e40b70880a235cfc1b7239c899d34eea2:Z9w?+

In the first case, you can try to crack the whole list of hashes together: you compile a list of hashes corresponding to dictionary words, and you simply find the ones that match.

In the second example, you need to repeat the process 4 times, because each time you have to append the salt (the last 6 characters) to the dictionary words, then find the hashes that would correspond to the hash of dictionary words+salt. In case of 100 users, the process becomes 100 times longer.

Also notice that in the first example a user who knows his own password and can see the list of hashes automatically sees that there's another user with an identical password, because the hash is the same. In the second example he doesn't (of course, if either of them chose a good password, the chances that they chose the same would be VERY small). ;D

-{ Quote: "and i listened to security now, Gibson said WEP used a good entropic algorithm, but it uses the first bytes it produces and that made it weak, is he talking about hashing chains there?" }-No, it uses the rc4 stream cipher; for a stream cipher, the key has to be always different. If the key repeats, the security is broken. The weakness here is related to the initialization vector, which makes the key repeat over a "not so great" number of packets.

-{ Quote: "can someone recommend a cryptography book?" }-
Handbook of Applied Cryptography (http://www.cacr.math.uwaterloo.ca/hac/)
Not the easiest reading material but freely available to download.
Rick

thanks, TNT. so salted hashes just have extra charactors added to the end, they can even just be alphanumeric? the reason i asked was i've heard afew times that *nix systems use salted hashes, so then my Ubuntu login password must be my password + the salt which the system has added by itself?

hi, herbalist. thanks for the book. but, the thing is i have to go away for a week and i'll be stuck in a house by myself (and some animals i have to look after ;D ) in the countryside with no internet access :( so i thought it might be a good idea to take a book, does anyone know a book i can get? i have bookmarked the link though.

The Code Book by Simon Singh (http://www.amazon.com/gp/product/0385495323/qid=1149064809)

This books givves a great history and basic overview that you will LOVE. I read it when it first came out several years ago, but it's still the best in its class.

Cryptography For Dummies (http://www.amazon.com/gp/product/0764541889/qid=1149065184/)

As far as the basics, this book is quite good. There are some errors in the book but are not important in the overall understanding of the basics of encryption.

Raading Bruce Schneier (http://www.schneier.com/) can never hurt and reading his blog (http://www.schneier.com/blog/)is a must-read for those wanting to understand encryption and data security.

thanks, Gerard. i had The Code Book as a book to get. i'll order it tomorrow 8)

when i search for it there are afew different versions
http://www.amazon.co.uk/exec/obidos/ASIN/1857028899/qid=1149089975/sr=1-1/ref=sr_1_2_1/026-8696189-8443663

http://www.amazon.co.uk/exec/obidos/ASIN/0385900325/qid=1149089975/sr=1-6/ref=sr_1_2_6/026-8696189-8443663

there are afew others too >:( this one seems to be the newest, but it says - "now re-issued for the young-adult market" what does that mean ???
http://www.amazon.co.uk/exec/obidos/ASIN/000717604X/qid=1149089975/sr=1-2/ref=sr_1_2_2/026-8696189-8443663

i don't use amazon though maybe they're used books. if i just ask for the code book at my local book shop do you think i'll get the correct book?

-{ Quote: "thanks, TNT. so salted hashes just have extra charactors added to the end, they can even just be alphanumeric?" }-Yes, they can be just alphanumeric, but obviously this reduces their entropy.

Personally, for the passwords in the databases I always use sha-256 hashes with 10 bytes salt (as a 20-chars long hex string), and the hash can be done from 1 to 10 times depending on external factors.

-{ Quote: "the reason i asked was i've heard afew times that *nix systems use salted hashes, so then my Ubuntu login password must be my password + the salt which the system has added by itself?" }-http://www.chedong.com/phpMan.php/man/crypt/3 I believe most Linux distros use the md5 by default (the "GNU EXTENSION" paragraph).

thanks, TNT. i'm going to order the book later today. i want to really understand it all. atm i read something, pretty much understand it, then forget bits :-[

i've learned loads from just browsing around the internet, but i'm going to see if reading books will give me a greater knowledge of various subjects.

http://www.wilderssecurity.com/images/icons/icon3.gif
;D

i got The Code Book and a Linux book too. i'm going away tomorrow, when i get back i think i might change my title to cryptography expert :D

-{ Quote: "i got The Code Book and a Linux book too. i'm going away tomorrow, when i get back i think i might change my title to cryptography expert :D" }-Schneier's Applied Cryptography is quite old, but still useful. I wouldn't recommend it to start, but you should pick it up sometime.

Excuse me if it's already posted - didn't read the entire thread - but do you want a course in it?

http://www.cs.washington.edu/education/courses/csep590/06wi/
http://www.cs.washington.edu/education/courses/csep590/06wi/lectures/

-{ Quote: "Excuse me if it's already posted - didn't read the entire thread - but do you want a course in it?

http://www.cs.washington.edu/education/courses/csep590/06wi/
http://www.cs.washington.edu/education/courses/csep590/06wi/lectures/" }-
i just wanted something to read while i'm away for a week or so. but, i'll have alook at the links. i'm not going to Washington though, i'm not that keen lol.

i just had a look at some of the links and recommended reading and it looks good, i'll go through it when i get back, thanks.

-{ Quote: "Schneier's Applied Cryptography is quite old, but still useful. I wouldn't recommend it to start, but you should pick it up sometime." }-
i might read it if i start to really like cryptography.