are there any good cryptography books?

Discussion in 'privacy general' started by iceni60, May 30, 2006.

Thread Status:
Not open for further replies.
  1. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    can someone recommend a cryptography book? is it possible to have a good understanding of it without having a math(s) degree? i just want to learn the basics to start.

    i was looking at those hashes in the other thread here, are they probably salted because they're all the same length?

    and i listened to security now, Gibson said WEP used a good entropic algorithm, but it uses the first bytes it produces and that made it weak, is he talking about hashing chains there?

    that's the kind of stuff i want to understand.
     
  2. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Same hashing algorithm gives the same length, no matter the input. md5 is always 16 bytes, sha-1 always 20, sha-256 always 32. Adding a "salt" is a way of preventing dictionary attacks; usually it's a fixed length random or pseudo-random string, and it IS known (usually, appended at the end of the hash, but can be stored somewhere else).

    Suppose you have a list of sha-256 hashes corresponding to these passwords:

    "password" -> 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
    "hello" -> 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
    "ciao" -> b133a0c0e9bee3be20163d2ad31d6248db292aa6dcb1ee087a2aa50e0fc75ae2
    "password" -> 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8

    "password$012xL" -> 0187a7835b3623ec116787fc5d7eecb04589375328ae58a04d00e1288057928f$012xL
    "hello88'@=^" -> 340070217986e415f6ab091e365090b36728f0ca58815471f5ab389734795e5288'@=^
    "ciaoé\27)§" -> f6ff473c939f157d072a2e44d3cf44c4302aa73f000361d6170c2ce88bce393eé\27)§
    "password:Z9w?+" -> 77cfd81cf0e1dbc90fffdb293d56f68e40b70880a235cfc1b7239c899d34eea2:Z9w?+

    In the first case, you can try to crack the whole list of hashes together: you compile a list of hashes corresponding to dictionary words, and you simply find the ones that match.

    In the second example, you need to repeat the process 4 times, because each time you have to append the salt (the last 6 characters) to the dictionary words, then find the hashes that would correspond to the hash of dictionary words+salt. In case of 100 users, the process becomes 100 times longer.

    Also notice that in the first example a user who knows his own password and can see the list of hashes automatically sees that there's another user with an identical password, because the hash is the same. In the second example he doesn't (of course, if either of them chose a good password, the chances that they chose the same would be VERY small). :D

    No, it uses the rc4 stream cipher; for a stream cipher, the key has to be always different. If the key repeats, the security is broken. The weakness here is related to the initialization vector, which makes the key repeat over a "not so great" number of packets.
     
    Last edited: May 30, 2006
  3. herbalist

    herbalist Guest

    Handbook of Applied Cryptography
    Not the easiest reading material but freely available to download.
    Rick
     
  4. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    thanks, TNT. so salted hashes just have extra charactors added to the end, they can even just be alphanumeric? the reason i asked was i've heard afew times that *nix systems use salted hashes, so then my Ubuntu login password must be my password + the salt which the system has added by itself?

    hi, herbalist. thanks for the book. but, the thing is i have to go away for a week and i'll be stuck in a house by myself (and some animals i have to look after :D ) in the countryside with no internet access :( so i thought it might be a good idea to take a book, does anyone know a book i can get? i have bookmarked the link though.
     
  5. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    The Code Book by Simon Singh

    This books givves a great history and basic overview that you will LOVE. I read it when it first came out several years ago, but it's still the best in its class.

    Cryptography For Dummies


    As far as the basics, this book is quite good. There are some errors in the book but are not important in the overall understanding of the basics of encryption.

    Raading Bruce Schneier can never hurt and reading his blog is a must-read for those wanting to understand encryption and data security.
     
  6. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    thanks, Gerard. i had The Code Book as a book to get. i'll order it tomorrow :cool:

    when i search for it there are afew different versions
    http://www.amazon.co.uk/exec/obidos...89975/sr=1-1/ref=sr_1_2_1/026-8696189-8443663

    http://www.amazon.co.uk/exec/obidos...89975/sr=1-6/ref=sr_1_2_6/026-8696189-8443663

    there are afew others too :mad: this one seems to be the newest, but it says - "now re-issued for the young-adult market" what does that mean o_O
    http://www.amazon.co.uk/exec/obidos...89975/sr=1-2/ref=sr_1_2_2/026-8696189-8443663

    i don't use amazon though maybe they're used books. if i just ask for the code book at my local book shop do you think i'll get the correct book?
     
  7. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Yes, they can be just alphanumeric, but obviously this reduces their entropy.

    Personally, for the passwords in the databases I always use sha-256 hashes with 10 bytes salt (as a 20-chars long hex string), and the hash can be done from 1 to 10 times depending on external factors.

    http://www.chedong.com/phpMan.php/man/crypt/3 I believe most Linux distros use the md5 by default (the "GNU EXTENSION" paragraph).
     
  8. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    thanks, TNT. i'm going to order the book later today. i want to really understand it all. atm i read something, pretty much understand it, then forget bits :oops:

    i've learned loads from just browsing around the internet, but i'm going to see if reading books will give me a greater knowledge of various subjects.

    [​IMG]
    :D
     
  9. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    i got The Code Book and a Linux book too. i'm going away tomorrow, when i get back i think i might change my title to cryptography expert :D
     
  10. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Schneier's Applied Cryptography is quite old, but still useful. I wouldn't recommend it to start, but you should pick it up sometime.
     
  11. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
  12. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    i just wanted something to read while i'm away for a week or so. but, i'll have alook at the links. i'm not going to Washington though, i'm not that keen lol.

    i just had a look at some of the links and recommended reading and it looks good, i'll go through it when i get back, thanks.
     
  13. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    i might read it if i start to really like cryptography.
     
Loading...
Thread Status:
Not open for further replies.