Security concepts used in web development
one-way hash functions (e.g. SHA-1, md5)
https://en.wikipedia.org/wiki/Cryptographic_hash_function
- takes arbitrary data and returns fixed size string
- cannot determine original input from the hash output (this is different from encryption)
- every input has a different hash output
- can determine if 2 inputs are the same without knowing what they are
- used for checksums, storing passwords
- SHA-1 is used by SSL, SSH, PGP, git, and mercurial
- yes, truncating a hash is generally OK. See http://crypto.stackexchange.com/questions/9435/is-truncating-a-sha512-hash-to-the-first-160-bits-as-secure-as-using-sha1
symmetric key encryption (e.g. AES, Blowfish, bcrypt, skip32)
- data is encrypted then decrypted (different than one-way hash functions)
- encryption and decryption are done using the same key (different from encoding where there is no key)
- i.e. cipher
public key cryptography (e.g. SSL, SSH)
- uses one private key and one public key
- the public key is used for encryption and the private key is used for decryption
- uses asymmetric key algorithms
message authentication code (e.g. HMAC)
- assures integrity (message has not changed) and authenticity (affirms message's origin)
- uses a single key to generate and verify MAC values (unlike one-way hash functions which do not use a key)
- different than a digital signature which uses 2 keys (asymmetric encryption)
- HMAC uses a one-way hash function
- example uses: tokens for email unsubscribe or account activation links. see https://pythonhosted.org/itsdangerous/#example-use-cases
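An added example (not from the original notes and not itsdangerous's own code) of the unsubscribe-link use case above: the email is base64-encoded so it fits in a URL, and an HMAC tag over it lets the server detect tampering. It uses HMAC-SHA256 from the Python standard library; the key, the addresses and the function names are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Assumption: a secret known only to the server (constructed demo value).
SECRET_KEY = b"constructed-demo-key-not-for-production"


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the token fits in a link."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    """Reverse of _b64: restore the padding, then decode. No key involved."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(email: str, key: bytes = SECRET_KEY) -> str:
    """Return '<base64 payload>.<base64 HMAC-SHA256 tag>'."""
    payload = email.encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_token(token: str, key: bytes = SECRET_KEY):
    """Return the email if the tag matches the payload, otherwise None."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = _unb64(payload_b64)
        tag = _unb64(tag_b64)
    except ValueError:
        # Wrong number of parts or malformed base64
        # (binascii.Error is a subclass of ValueError).
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # compare_digest runs in constant time, so the comparison does not
    # leak how many leading bytes of a guessed tag were correct.
    if not hmac.compare_digest(tag, expected):
        return None
    return payload.decode("utf-8")
```

The payload half of the token is only encoded, so anyone holding the link can read the address; the tag provides integrity and authenticity, not confidentiality.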
base64 encoding
- used to allow transmitting of binary data as text over a network
- does encode and decode (not a one-way function)
- does not use a key so anyone can decode it (different from encryption which uses at least one key)
- can be used for obfuscation, but not for encryption
http://stackoverflow.com/questions/201479/what-is-the-use-of-base-64-encoding
http://en.wikipedia.org/wiki/Base64
bcrypt
http://en.wikipedia.org/wiki/Bcrypt
- used for passwords
- slow to prevent brute-force attacks
- based on Blowfish cipher
- Blowfish is a symmetric block cipher, but it seems bcrypt acts more like a one-way hashing function like SHA-1. not sure I understand this.
"bcrypt is an adaptive password hashing algorithm which uses the Blowfish keying schedule, not a symmetric encryption algorithm." -- codahale.com/how-to-safely-store-a-password
"then uses this state to perform a block encryption using part of the key, and uses the result of that encryption (really, a hashing)" -- Wikipedia
"Derive an encryption key from the password using the salt and cost factor." -- http://stackoverflow.com/questions/6832445/how-can-bcrypt-have-built-in-salts
- Usually the cost, salt, and cipher text are concatenated and stored in the database in a single field. -- http://stackoverflow.com/questions/6832445/how-can-bcrypt-have-built-in-salts
skip32
- cipher based on Skipjack
keyczar
- toolkit that supports several cryptography functions:
HMAC using SHA1 (signing), AES (symmetric key encryption), DSA and RSA (asymmetric key encryption)
https://code.google.com/p/keyczar/wiki/Algorithms
AES
- http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
- a symmetric-key algorithm
- based on the Rijndael cipher
- it supersedes DES
PGP/GPG
- supports encryption and signing
- uses symmetric key and public key cryptography
- GPG uses a variety of algorithms:
  - Symmetric encryption: IDEA, CAST5, Camellia, Triple DES, AES, Blowfish, and Twofish.
  - Asymmetric-key encryption: ElGamal and RSA
  - One-way hashes: RIPEMD-160, MD5, SHA-1, SHA-2, and Tiger
  - Digital signatures: DSA and RSA
(from http://en.wikipedia.org/wiki/GNU_Privacy_Guard#Process)
- used for encrypting and signing email and other things