SaltyCrane Blog — Notes on JavaScript and web development

Security concepts used in web development

one-way hash functions (e.g. SHA-1, MD5)
  - takes arbitrary data and returns a fixed-size string
  - cannot determine original input from the hash output (this is different from encryption)
  - different inputs should give different hash outputs (collisions exist in principle, but should be infeasible to find)
  - can determine if 2 inputs are the same without knowing what they are
  - used for checksums, storing passwords
  - SHA-1 is used by SSL, SSH, PGP, git, and mercurial
  - yes truncating a hash is generally OK. see

symmetric key encryption (e.g. AES, Blowfish, bcrypt, skip32)
  - data is encrypted then decrypted (different than one-way hash functions)
  - encryption and decryption are done using the same key (different from encoding where there is no key)
  - i.e. cipher

public key cryptography (e.g. SSL, SSH)
  - uses one private key and one public key
  - the public key is used for encryption and the private key is used for decryption
  - uses asymmetric key algorithms

message authentication code (e.g. HMAC)
  - assures integrity (message has not changed) and authenticity (affirms message's origin)
  - uses a single key to generate and verify MAC values (unlike one-way hash functions which do not use a key)
  - different than a digital signature which uses 2 keys (asymmetric encryption)
  - HMAC uses a one-way hash function
  - example uses: tokens for email unsubscribe or account activation links. see
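
An added example (not from the original post) of the unsubscribe/activation-link use: an HMAC-SHA256 token that binds the action, an expiry time and the email address, verified with a constant-time compare. The key, function names and the `action|expires|email` payload layout are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

# Constructed demo key; assumption: a real app loads a random secret from server-side config.
SECRET_KEY = b"constructed-demo-key"


def _b64(data: bytes) -> str:
    # URL-safe base64 without padding, so the token fits in a link.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(email: str, action: str, expires: int, key: bytes = SECRET_KEY) -> str:
    # The MAC covers action, expiry and email, so none of them can be altered
    # and an unsubscribe token cannot be replayed as an activation token.
    # Assumption: action names never contain "|" (the email may).
    payload = f"{action}|{expires}|{email}".encode("utf-8")
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def verify_token(token: str, action: str, now: int, key: bytes = SECRET_KEY):
    """Return the email if the token is authentic, unexpired and for `action`; else None."""
    try:
        payload_b64, mac_b64 = token.split(".")
        payload, mac = _unb64(payload_b64), _unb64(mac_b64)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison; check the MAC before trusting anything in the payload.
    if not hmac.compare_digest(mac, expected):
        return None
    tok_action, expires, email = payload.decode("utf-8").split("|", 2)
    if tok_action != action or int(expires) < now:
        return None
    return email
```

The payload is only base64-encoded, not encrypted, so anyone holding the link can read the email address in it; the HMAC only prevents changing it.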

base64 encoding
  - used to allow transmitting of binary data as text over a network
  - does encode and decode (not a one-way function)
  - does not use a key so anyone can decode it (different from encryption which uses at least one key)
  - can be used for obfuscation, but not for encryption

bcrypt
  - used for passwords
  - slow to prevent brute-force attacks
  - based on Blowfish cipher
  - Blowfish is a symmetric block cipher, but it seems bcrypt acts more like a one-way hashing function like SHA-1. not sure I understand this.
    "bcrypt is an adaptive password hashing algorithm which uses the Blowfish keying schedule, not a symmetric encryption algorithm." --
    "then uses this state to perform a block encryption using part of the key, and uses the result of that encryption (really, a hashing)" -- Wikipedia
    "Derive an encryption key from the password using the salt and cost factor." --
  - Usually the cost, salt, and cipher text are concatenated and stored in the database in a single field. --

skip32
  - cipher based on Skipjack

  - toolkit that supports several cryptography functions:
    HMAC using SHA1 (signing), AES (symmetric key encryption), DSA and RSA (asymmetric key encryption)

AES
  - a symmetric-key algorithm
  - based on the Rijndael cipher
  - it supersedes DES

GPG
  - supports encryption and signing
  - uses symmetric key and public key cryptography
  - GPG uses a variety of algorithms:
      - Symmetric encryption: IDEA, CAST5, Camellia, Triple DES, AES, Blowfish, and Twofish.
      - Asymmetric-key encryption: ElGamal and RSA
      - One-way hashes: RIPEMD-160, MD5, SHA-1, SHA-2, and Tiger
      - Digital signatures: DSA and RSA
  - used for encrypting and signing email and other things