# Security concepts used in web development

## one-way hash functions (e.g. SHA-1, MD5)

https://en.wikipedia.org/wiki/Cryptographic_hash_function

- takes arbitrary data and returns fixed size string
- cannot determine original input from the hash output (this is different from encryption)
- every input has a different hash output
- can determine if 2 inputs are the same without knowing what they are
- used for checksums, storing passwords
- SHA-1 is used by SSL, SSH, PGP, git, and mercurial
- yes, truncating a hash is generally OK. see http://crypto.stackexchange.com/questions/9435/is-truncating-a-sha512-hash-to-the-first-160-bits-as-secure-as-using-sha1

## symmetric key encryption (e.g. AES, Blowfish, bcrypt, skip32)

- data is encrypted then decrypted (different than one-way hash functions)
- encryption and decryption is done using the same key (different from encoding where there is no key)
- i.e. cipher

## public key cryptography (e.g. SSL, SSH)

- uses one private key and one public key
- the public key is used for encryption and the private key is used for decryption
- uses asymmetric key algorithms

## message authentication code (e.g. HMAC)

- assures integrity (message has not changed) and authenticity (affirms message's origin)
- uses a single key to generate and verify MAC values (unlike one-way hash functions which do not use a key)
- different than a digital signature which uses 2 keys (asymmetric encryption)
- HMAC uses a one-way hash function
- example uses: tokens for email unsubscribe or account activation links. see https://pythonhosted.org/itsdangerous/#example-use-cases

## base64 encoding

- used to allow transmitting of binary data as text over a network
- does encode and decode (not a one-way function)
- does not use a key so anyone can decode it (different from encryption which uses at least one key)
- can be used for obfuscation, but not for encryption

http://stackoverflow.com/questions/201479/what-is-the-use-of-base-64-encoding
http://en.wikipedia.org/wiki/Base64

## bcrypt

http://en.wikipedia.org/wiki/Bcrypt

- used for passwords
- slow to prevent brute-force attacks
- based on Blowfish cipher
- Blowfish is a symmetric block cipher, but it seems bcrypt acts more like a one-way hashing function like SHA-1. not sure I understand this.
  - "bcrypt is an adaptive password hashing algorithm which uses the Blowfish keying schedule, not a symmetric encryption algorithm." -- codahale.com/how-to-safely-store-a-password
  - "then uses this state to perform a block encryption using part of the key, and uses the result of that encryption (really, a hashing)" -- Wikipedia
  - "Derive an encryption key from the password using the salt and cost factor." -- http://stackoverflow.com/questions/6832445/how-can-bcrypt-have-built-in-salts
- Usually the cost, salt, and cipher text are concatenated and stored in the database in a single field. -- http://stackoverflow.com/questions/6832445/how-can-bcrypt-have-built-in-salts

## skip32

- cipher based on Skipjack

## keyczar

- toolkit that supports several cryptography functions: HMAC using SHA1 (signing), AES (symmetric key encryption), DSA and RSA (asymmetric key encryption)

https://code.google.com/p/keyczar/wiki/Algorithms

## AES

http://en.wikipedia.org/wiki/Advanced_Encryption_Standard

- a symmetric-key algorithm
- based on the Rijndael cipher
- it supersedes DES

## PGP/GPG

- supports encryption and signing
- uses symmetric key and public key cryptography
- GPG uses a variety of algorithms (from http://en.wikipedia.org/wiki/GNU_Privacy_Guard#Process):
  - Symmetric encryption: IDEA, CAST5, Camellia, Triple DES, AES, Blowfish, and Twofish
  - Asymmetric-key encryption: ElGamal and RSA
  - One-way hashes: RIPEMD-160, MD5, SHA-1, SHA-2, and Tiger
  - Digital signatures: DSA and RSA
- used for encrypting and signing email and other things
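
The HMAC use case noted above (tokens for email unsubscribe or account activation links), worked through with the Python standard library. This is an added example, not code from the original notes or from itsdangerous; the key, the function names, the `payload.mac` token layout and the sample addresses are assumptions made for illustration. It also shows the base64 point: the payload is readable by anyone, and only the MAC requires the key.

```python
import base64
import hashlib
import hmac

# Constructed demo key (assumption); a real key is random and stays on the server.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def b64_encode(data: bytes) -> str:
    """URL-safe base64 without padding: an encoding, not encryption."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64_decode(text: str) -> bytes:
    """Restore the stripped padding and decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def compute_mac(payload: bytes, purpose: str, key: bytes) -> bytes:
    # The purpose is part of the MAC input, so a token issued for
    # "unsubscribe" does not verify as an "activate" token.
    return hmac.new(key, purpose.encode() + b"\x00" + payload, hashlib.sha256).digest()


def make_token(email: str, purpose: str, key: bytes = SECRET_KEY) -> str:
    """Build 'base64(email).base64(HMAC)' for embedding in a link."""
    payload = email.encode("utf-8")
    return b64_encode(payload) + "." + b64_encode(compute_mac(payload, purpose, key))


def verify_token(token: str, purpose: str, key: bytes = SECRET_KEY):
    """Return the email if the MAC is valid for this purpose, else None."""
    try:
        payload_b64, mac_b64 = token.split(".")
        payload, sent_mac = b64_decode(payload_b64), b64_decode(mac_b64)
    except ValueError:  # wrong number of parts, or invalid base64
        return None
    # compare_digest runs in constant time, so response timing does not
    # reveal how many leading bytes of a guessed MAC were correct.
    if not hmac.compare_digest(sent_mac, compute_mac(payload, purpose, key)):
        return None
    return payload.decode("utf-8", errors="replace")


if __name__ == "__main__":
    token = make_token("alice@example.com", "unsubscribe")  # constructed address
    print(token, verify_token(token, "unsubscribe"))
```
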