# are there any good cryptography books?

Discussion in 'privacy general' started by iceni60, May 30, 2006.

1. ### iceni60( ^o^)

Joined:
Jun 29, 2004
Posts:
5,116
can someone recommend a cryptography book? is it possible to have a good understanding of it without having a math(s) degree? i just want to learn the basics to start.

i was looking at those hashes in the other thread here, are they probably salted because they're all the same length?

and i listened to security now, Gibson said WEP used a good entropic algorithm, but it uses the first bytes it produces and that made it weak, is he talking about hashing chains there?

that's the kind of stuff i want to understand.

2. ### TNTRegistered Member

Joined:
Sep 4, 2005
Posts:
948
Same hashing algorithm gives the same length, no matter the input. md5 is always 16 bytes, sha-1 always 20, sha-256 always 32. Adding a "salt" is a way of preventing dictionary attacks; usually it's a fixed length random or pseudo-random string, and it IS known (usually, appended at the end of the hash, but can be stored somewhere else).

Suppose you have a list of sha-256 hashes corresponding to these passwords:

"hello" -> 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824

"hello88'@=^" -> 340070217986e415f6ab091e365090b36728f0ca58815471f5ab389734795e5288'@=^
"ciaoé\27)§" -> f6ff473c939f157d072a2e44d3cf44c4302aa73f000361d6170c2ce88bce393eé\27)§

In the first case, you can try to crack the whole list of hashes together: you compile a list of hashes corresponding to dictionary words, and you simply find the ones that match.

In the second example, you need to repeat the process 4 times, because each time you have to append the salt (the last 6 characters) to the dictionary words, then find the hashes that would correspond to the hash of dictionary words+salt. In case of 100 users, the process becomes 100 times longer.

Also notice that in the first example a user who knows his own password and can see the list of hashes automatically sees that there's another user with an identical password, because the hash is the same. In the second example he doesn't (of course, if either of them chose a good password, the chances that they chose the same would be VERY small).

No, it uses the rc4 stream cipher; for a stream cipher, the key has to be always different. If the key repeats, the security is broken. The weakness here is related to the initialization vector, which makes the key repeat over a "not so great" number of packets.

Last edited: May 30, 2006
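The keystream repetition described in the last paragraph of the post above, as an added example that is not part of the original thread. It is a simplified model of WEP (a 24-bit IV prepended to a shared secret as the RC4 key, no integrity checksum); the secret, IVs and packet contents are constructed sample values.

```python
import math

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4: key scheduling, then n bytes of keystream."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_style_encrypt(iv: bytes, secret: bytes, plaintext: bytes) -> bytes:
    """Per-packet RC4 key = 3-byte IV followed by the long-lived shared secret."""
    return xor(plaintext, rc4_keystream(iv + secret, len(plaintext)))

def packets_until_iv_repeat(iv_bits: int = 24, probability: float = 0.5) -> int:
    """Birthday estimate: random IVs drawn before a repeat is this likely."""
    return math.ceil(math.sqrt(2 * 2 ** iv_bits * math.log(1 / (1 - probability))))

# Constructed sample values, not taken from any real network.
SECRET = bytes.fromhex("0102030405")
P1, P2 = b"packet one: hello", b"packet two: world"

def ciphertext_xor(iv1: bytes, iv2: bytes) -> bytes:
    """XOR of the two ciphertexts, which is all an observer on the air sees."""
    return xor(wep_style_encrypt(iv1, SECRET, P1),
               wep_style_encrypt(iv2, SECRET, P2))

if __name__ == "__main__":
    same = ciphertext_xor(b"\x00\x00\x01", b"\x00\x00\x01")
    diff = ciphertext_xor(b"\x00\x00\x01", b"\x00\x00\x02")
    print("same IV, keystream cancels out:", same == xor(P1, P2))
    print("different IV, keystream cancels out:", diff == xor(P1, P2))
    print("packets for a 50% chance of a repeated IV:", packets_until_iv_repeat())
```

With a repeated IV the XOR of the two ciphertexts equals the XOR of the two plaintexts, so the key no longer protects either packet; a larger nonce space or a per-packet key derivation removes the repeat.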
3. ### herbalistGuest

Handbook of Applied Cryptography
Rick

4. ### iceni60( ^o^)

Joined:
Jun 29, 2004
Posts:
5,116
thanks, TNT. so salted hashes just have extra characters added to the end, they can even just be alphanumeric? the reason i asked was i've heard a few times that *nix systems use salted hashes, so then my Ubuntu login password must be my password + the salt which the system has added by itself?

hi, herbalist. thanks for the book. but, the thing is i have to go away for a week and i'll be stuck in a house by myself (and some animals i have to look after ) in the countryside with no internet access so i thought it might be a good idea to take a book, does anyone know a book i can get? i have bookmarked the link though.

5. ### LockBoxRegistered Member

Joined:
Nov 20, 2004
Posts:
2,275
Location:
Here, There and Everywhere
The Code Book by Simon Singh

This book gives a great history and basic overview that you will LOVE. I read it when it first came out several years ago, but it's still the best in its class.

Cryptography For Dummies

As far as the basics, this book is quite good. There are some errors in the book but they are not important in the overall understanding of the basics of encryption.

Reading Bruce Schneier can never hurt and reading his blog is a must-read for those wanting to understand encryption and data security.

6. ### iceni60( ^o^)

Joined:
Jun 29, 2004
Posts:
5,116
thanks, Gerard. i had The Code Book as a book to get. i'll order it tomorrow

when i search for it there are a few different versions
http://www.amazon.co.uk/exec/obidos...89975/sr=1-1/ref=sr_1_2_1/026-8696189-8443663

http://www.amazon.co.uk/exec/obidos...89975/sr=1-6/ref=sr_1_2_6/026-8696189-8443663

there are a few others too, this one seems to be the newest, but it says - "now re-issued for the young-adult market" what does that mean
http://www.amazon.co.uk/exec/obidos...89975/sr=1-2/ref=sr_1_2_2/026-8696189-8443663

i don't use amazon though maybe they're used books. if i just ask for the code book at my local book shop do you think i'll get the correct book?

7. ### TNTRegistered Member

Joined:
Sep 4, 2005
Posts:
948
Yes, they can be just alphanumeric, but obviously this reduces their entropy.

Personally, for the passwords in the databases I always use sha-256 hashes with 10 bytes salt (as a 20-chars long hex string), and the hash can be done from 1 to 10 times depending on external factors.

http://www.chedong.com/phpMan.php/man/crypt/3 I believe most Linux distros use the md5 by default (the "GNU EXTENSION" paragraph).
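The salted storage scheme discussed in TNT's two posts above (SHA-256 over password + salt, the salt kept in clear after the hash, a 10-byte salt written as 20 hex characters), as an added example that is not code from the thread. The function names, the account names and the passwords are constructed for illustration, and a single hash pass is assumed.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

DIGEST_HEX_LEN = 64   # SHA-256 as hex
SALT_HEX_LEN = 20     # 10 random bytes as a hex string, as in the post

def unsalted(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def make_record(password: str, salt: str = "") -> str:
    """Return sha256(password + salt) in hex with the salt appended in clear."""
    salt = salt or secrets.token_hex(SALT_HEX_LEN // 2)
    return unsalted(password + salt) + salt

def verify(password: str, record: str) -> bool:
    """Recompute with the salt read back from the record; constant-time compare."""
    salt = record[DIGEST_HEX_LEN:]
    return hmac.compare_digest(make_record(password, salt), record)

def shared_values(stored: dict) -> list:
    """Groups of users whose stored value is identical (visible password reuse)."""
    groups = defaultdict(list)
    for user, value in stored.items():
        groups[value].append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]

def audit_hash_count(wordlist_size: int, stored: dict, salted: bool) -> int:
    """Hash computations needed to test one wordlist against every stored value."""
    if not salted:
        return wordlist_size            # one table, looked up for every user
    salts = {value[DIGEST_HEX_LEN:] for value in stored.values()}
    return wordlist_size * len(salts)   # the list is re-hashed once per salt

# Constructed accounts: alice and bob picked the same password.
PASSWORDS = {"alice": "hello", "bob": "hello", "carol": "correct horse"}
PLAIN = {user: unsalted(pw) for user, pw in PASSWORDS.items()}
SALTED = {user: make_record(pw) for user, pw in PASSWORDS.items()}

if __name__ == "__main__":
    print("same value without salt:", shared_values(PLAIN))
    print("same value with salt:   ", shared_values(SALTED))
    print("hashes for a 1000-word check:",
          audit_hash_count(1000, PLAIN, False), "vs",
          audit_hash_count(1000, SALTED, True))
```

A single SHA-256 pass is fast to compute, so current practice for password storage is a dedicated slow function such as bcrypt, scrypt or Argon2, which keeps the per-user salt shown here.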

8. ### iceni60( ^o^)

Joined:
Jun 29, 2004
Posts:
5,116
thanks, TNT. i'm going to order the book later today. i want to really understand it all. atm i read something, pretty much understand it, then forget bits

i've learned loads from just browsing around the internet, but i'm going to see if reading books will give me a greater knowledge of various subjects.

9. ### iceni60( ^o^)

Joined:
Jun 29, 2004
Posts:
5,116
i got The Code Book and a Linux book too. i'm going away tomorrow, when i get back i think i might change my title to cryptography expert

10. ### TNTRegistered Member

Joined:
Sep 4, 2005
Posts:
948
Schneier's Applied Cryptography is quite old, but still useful. I wouldn't recommend it to start, but you should pick it up sometime.

Joined:
May 6, 2004
Posts:
351
12. ### iceni60( ^o^)

Joined:
Jun 29, 2004
Posts:
5,116
i just wanted something to read while i'm away for a week or so. but, i'll have a look at the links. i'm not going to Washington though, i'm not that keen lol.

i just had a look at some of the links and recommended reading and it looks good, i'll go through it when i get back, thanks.

13. ### iceni60( ^o^)

Joined:
Jun 29, 2004
Posts:
5,116
i might read it if i start to really like cryptography.