End-to-End Encryption: Hash, Passwords, and Security

Introduction

The rapid growth of the Internet, its availability, and the enormous opportunities it provides to the user have led to the emergence of entire industries in business, science, and education. However, at the same time, this development of capabilities and services brings several new challenges, the most serious of which is the confidentiality of information. Recently, various illegal actions that violate the safety of users, trade secrets, personal data on the network. For example, leaks from LinkedIn, Sony, and many others, have been keeping pace with the development of technology (Significant Cyber Incidents, n.d.). Often, the problem is indicated by the imperfection of the security system; in other cases, the hacking of the NSA or GCHQ encryption is highlighted (Herrera & Ali, 2018). Regardless of the reason, this issue requires detailed consideration and solution.

Password Hash Files

Information leaks are the illegal transfer of confidential information (materials necessary for various companies or the state, citizens’ data), intentional or accidental. Having access to logins and passwords and bank cards and accounts, attackers steal money from citizens, trade secrets, and corporate secrets (Wongwiwatchai, Pongkham & Sripanidkulchai, 2020). They are classified according to data leakage channels, and over the last time, more than 70% have fallen on the network (Brogada, Sison & Medina, 2019). Authentication and identification systems, cryptographic protection systems for disk data, information transmitted over networks, software solutions for managing encryption keys are used to protect the confidentiality.

Authentication and identification tools allow restricting access to network resources. The users are asked for some information known only to them, after which access is opened. The following actions are used to implement this opportunity: biometrics – physiological characteristics of people (fingerprints, an image of the eye’s iris); confidential information – passwords, keys, and many more (Iskhakov et al., 2017). As a result of encryption, each character of the protected information is converted. The essence of encryption is reduced to permutation of characters, substitution, analytical transformations, or gamming.

Cryptographic hash functions, as the most modern form of this technology, are an indispensable and ubiquitous tool used to perform various tasks, including authentication, data integrity checking, file protection, and even malware detection. Many hashing algorithms differ in cryptographic strength, complexity, bit depth, and other properties (Ntantogian, Malliaros & Xenakis, 2019). The most common function of a hash is to store and encrypt passwords on various sites, which has partly proven a relatively reliable and secure mechanism (Filippova, 2021). However, now more and more cases of sufficiently massive personal data leaks have begun to occur, which, from a legal point of view, violates the rights of users of specific resources (Sollars, 2019). Test attacks by NSA on user data provoke the work of security services, which constantly improve systems, adapting them all to new and new attacks. Ultimately, the question only arises about using and disposing of the relevant personal data that fell into the hands of those who encroached on security systems.

Practical Actions

There have been comparatively many important and significant information leaks and privacy frauds lately. However, several relatively simple tools do not exclude constant attentiveness and control over the actions of users on the Internet. First of all, this is a careful check of the privacy settings on each resource visited by the user. The more time a user spends on a given resource or site, the better it is worth studying the privacy policy, which may allow the transmission of their data with the users’ consent.

Web surveillance is one of the top privacy concerns for users. For example, users entering a site using a browser transmits much information about themselves to the site owner. As a result, contextual advertising is then formed, and marketing specialists can make a profile of each specific user (Zadereyko et al., 2021). It is necessary to deal with this problem with the help of a supporter of programs that protect the user’s visit to Internet resources from data collection. The issue is so severe that ITI has long advocated reform of surveillance legislation that will help restore public confidence and strengthen our ability to defend ourselves against economically harmful policies worldwide (ITIC – Surveillance Reform, n.d.). Nevertheless, a large share of the responsibility always lies with the user, who needs to follow specific rules so that he does not have to resort to the help of third-party programs.

Firstly, it is needed to carefully approach the issue of communicating phone numbers, email addresses, and other personal data. In total, this information can provide fraudsters with access to many resources, including financial ones, which can lead to irreparable losses. Secondly, users should use end-to-end encryption of personal information programs and use hash technology to store passwords (Bai et al., 2020). Finally, users should use rather complex passwords for authentication and registration on resources since simple passwords, or instead of their hash representation, have long been studied by fraudsters (Kamal, 2019). In the second part of this work, the algorithms for hashing passwords will be considered in more detail and the questions of why more complex passwords are more reliable.

Security by Hashing

A cryptographic hash function is a particular operation that converts an arbitrary array of data into a fixed-length string of letters and numbers, and this length will remain unchanged, regardless of input data. A hash function can be cryptographically vital only if the main requirements are met. They include resistance to the recovery of hashed data and resistance to collisions, that is, the formation of two identical hash values ​​from two different data arrays. Interestingly, none of the existing algorithms formally falls under these requirements since finding the value inverse to the hash is only a matter of computing power. This type of password storage is more secure since both the resource itself and crackers cannot see the password in its pure form to repeat the user authentication effortlessly; as a result, the security increases.

Hash functions have some properties that directly and indirectly determine their level of security and reliability. The first property is determinism, which means that no matter how many times a particular input is parsed through a hash function, the result will always be the same. Determinism is essential for hashes and one bit that changes in the input to create an entirely different hash. The problem with hashing algorithms is the inevitability of collisions (Hatzivasilis, 2017). That is, the fact that hashes are a fixed-length string means that other possible inputs will result in the same hash for every possible input.

The second property is fast computation, so the hash function must be able to return a hash input quickly. If the process is not fast enough, the system will not be effective. Finally, another property stands out: the complexity of the reverse computation. The complexity of the reverse calculation means that given H (A), it is impossible to determine A, where A is the input data, and H (A) is the hash (Hatzivasilis, 2017). Although it is possible to determine the original data from the hash, the complexity of the reverse calculation should be maximized.

Attacks

Cyber ​​attacks can affect the information space of a computer, which contains information, stores materials of a physical or virtual device. The attack usually affects a storage medium specially designed to store, process, and transmit the user’s personal information (Carter & Johnson, 2020). Users with simple and short passwords are the main targets of brute-force attackers, or in other words, brute-force attacks. This rather simple hacking method often brings results and theoretically allows you to get a password for an account on any service or portal if it is not sufficiently secure (Llewellyn-Jones & Rymer, 2017). The simpler the password, the faster the attack will reach its target. To brute-force passwords, special software is used, which is either created by the cybercriminals themselves, or borrowed by them from their colleagues. Previously compromised computers and servers are often used as capacities.

A client-side attack is based on interaction with a network user or computer that the attackers want to hack. Hackers try to force the user to enter their details on a fake or phishing site. All available methods are used: malicious links, documents, applications, and much more. Even an experienced user cannot always distinguish a phishing site from the original – the copies are pretty believable, and given the rhythm of life, it is tough to notice a minor typo in the site address (Bošnjak, Sreš & Brumen, 2018). Dictionary attacks are carried out on the assumption that most passwords consist of whole words, dates, and numbers taken from a dictionary. Dictionary attack tools require an input vocabulary list. Knowing the password hashing algorithm, it is possible to “guess the password” based on the data from the dictionaries (Hitaj et al., 2019). Other types of hacker attacks on passwords are more indirect.

Another group includes DoS attacks that disable various systems; social engineering, when fraudsters achieve the result using psychological methods, not technological ones; finally, “man in the middle” or complete control of communication in confidential correspondence (Haber, 2020). It is also possible to access the password using these attacks, but there are no direct attacks on the hash.

Salt

The prevalence of simple passwords poses a threat to overall security, since once a hacked hashing algorithm for such a password opens access to all users using it. A hash without salt is very easy to write to a rainbow table. Rainbow tables are a trade-off technique between lookup time and memory usage. They are similar to lookup tables, except they sacrifice the speed of breaking hash codes to make lookup tables smaller. Crackers store many short passwords, along with their hash equivalents, in special forms of information. There are so-called rainbow tables that store these values.

Therefore, salt in this context means an extra string of characters added to or otherwise modifies the hash: for each site, the salt is unique (Jeong, Woo & Cha, 2019). Salt is a tool for protecting and verifying the correctness of each password, therefore, it is usually stored along with the hash. Quite simple algorithms using a random variable to edit the initial hash can protect users and the server from guessing the password through rainbow tables. As a result, the hacker cannot do anything due to the complicated algorithm. Moreover, it is recommended to use a different salt for each password, which almost completely reduces the possibility of such an attack (Farshim & Tessaro, 2021). However, there are times when salt cannot help.

For example, the security is not increased if the server or the site misuses the salt. Short salt and its reuse, coupled with the combination of functions of encryption methods, do not lead to the desired results and only slightly slow down the activities of fraudsters (Khowfa & Silasai, 2019). In this regard, the salt must be used uniquely for a different resource and each password, user. To generate the salt, a cryptographically secure pseudo-random number and symbol generator should be used. One of the main challenges for the future development of hashing is to find a balance between slow performance to protect against attacks and performance for user comfort.

Conclusion

In comparison with simple ones, more complex passwords have a hash, as a rule, not entered in rainbow tables. As a consequence, the presence of such passwords excludes the possibility of a particular group of attacks. The use of salt leaves almost no chance of breaking such a password at all. As a result, the joint efforts of the user and the developer on the resource side can provide a sufficiently high level of security and privacy on the network.

Reference List

Bai, W., et al. (2020) “Improving non-experts’ understanding of end-to-end encryption: an exploratory study” in 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW) (pp. 210-219). IEEE.

Bošnjak, L., Sreš, J., & Brumen, B. (2018) “Brute-force and dictionary attack on hashed real-world passwords”, in 2018 41st international convention on information and communication technology, electronics and microelectronics (mipro) (pp. 1161-1166). IEEE.

Brogada, M. A. D., Sison, A. M., & Medina, R. P. (2019) “Cryptanalysis on the Head and Tail Technique for Hashing Passwords” in 2019 IEEE 7th Conference on Systems, Process and Control (ICSPC) (pp. 137-142). IEEE.

Carter, A. D., & Johnson, R. A. (2020) “Slow Hashing Speed as a Protection for Weak Passwords”, International Journal of Advanced Engineering and Science, 9(1), pp. 1-8.

Farshim, P., & Tessaro, S. (2021) “Password Hashing and Preprocessing”, in Annual International Conference on the Theory and Applications of Cryptographic Techniques (pp. 64-91). Springer, Cham.

Filippova, A. (2021) “Current security issues in the information society” in SHS Web of Conferences (Vol. 109, p. 01014). EDP Sciences.

Haber, M. J. (2020) “Attack Vectors” in Privileged Attack Vectors (pp. 65-85). Apress, Berkeley, CA.

Hatzivasilis, G. (2017) “Password-hashing status”, Cryptography, 1(2), pp. 1-10.

Herrera, J., & Ali, M. L. (2018) “Concerns and Security for Hashing Passwords” in 2018 9th IEEE Annual Ubiquitous Computing, Electronics & Mobile Communication Conference (UEMCON) (pp. 861-865). IEEE.

Hitaj, B., et al. (2019) “Passgan: A deep learning approach for password guessing” in International Conference on Applied Cryptography and Network Security (pp. 217-237). Springer, Cham.

Iskhakov, A., et al. (2017) “Increase in security of authentication services through additional identification using optimal feature space” in Proceedings of the IV International research conference “Information technologies in Science, Management, Social sphere and Medicine”(ITSMSSM) (pp. 443-446).

(n.d.)

Jeong, J., Woo, D., & Cha, Y. (2019) “Enhancement of website password security by using access log-based salt”, in 2019 International Conference on Systems of Collaboration Big Data, Internet of Things & Security (SysCoBIoTS) (pp. 1-3). IEEE.

Kamal, P. (2019) “Security of Password Hashing in Cloud”, Journal of Information Security, 10(02), pp. 44-45.

Khowfa, W., & Silasai, O. (2019) “The Efficiency of using Salt Against Password Attacking”, Journal of Southern Technology, 12(1), pp. 217-227.

Llewellyn-Jones, D., & Rymer, G. (2017) “Cracking pwdhash: A bruteforce attack on client-side password hashing” in Proceedings of the 11th International Conference on Passwords (Passwords). Springer-Verlag, Cham, Switzerland.

Ntantogian, C., Malliaros, S., & Xenakis, C. (2019) “Evaluation of password hashing schemes in open source web platforms”, Computers & Security, 84, pp. 206-224.

(n.d.)

Sollars, M. (2019) “IoT security: could careless talk cost livelihoods?”, Computer Fraud & Security, 2019(5), pp. 12-15.

Wongwiwatchai, N., Pongkham, P., & Sripanidkulchai, K. (2020) “Comprehensive detection of vulnerable personal information leaks in android applications” in IEEE INFOCOM 2020-IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS) (pp. 121-126). IEEE.

Zadereyko, A., et al. (2021) “Development of an Algorithm to Protect User Communication Devices Against Data Leaks”, Eastern-European Journal of Enterprise Technologies, 1(2), pp. 109-110.

Encryption Techniques for Protecting Big Data

Introduction

Encryption helps encode information into specific symbols that protect data from viruses and hacks. This technique is commonly used in the IT and engineering spheres when professionals need to secure big data and transfer it to the customer. There are two types of encoding which are called symmetric and asymmetric, and they are used in diverse cases like data integrity, authentication, privacy (Kaur & Kumar, 2020). Data protection is considered one of the most important aspects while coding. Consequently, this essay will compare two types of encryption techniques and evaluate their importance in protecting big data.

Encryption Techniques and Their Importance

Symmetrical encryptions have special algorithms which encrypt and decrypt information. There is only one key called a secret key, and it converts data into code that is not understandable for anyone. Once the encoded message is received by those who need it, parallel algorithms transform the code into the original form. The information can be accessed using a specific password available for those who work with the code. This password is generated by the systems, including random numbers and letters. Every sphere that requires information encryption and password generation has unique algorithms not available for those who do not work in a particular area. According to Kaur and Kumar (2020), there are two types of symmetrical encryption called ‘block algorithms’ and ‘stream algorithms.’ Blocks transform information into chunks of electronic data, and streams store data in a structured sequence.

Asymmetrical encryption has approximately the same functions as symmetrical techniques, using two separate cryptographic keys. These keys are commonly known as ‘public key’ and ‘private key,’ and they have diverse responsibilities (Kaur & Kumar, 2020). The public key is often used for encryption, and the private key is famous for the decryption process, and this type of information can be accessed only with the use of a specific password. Both keys are mathematically connected, and their parallel generation helps secure the encryption process.

Both techniques are used to secure data and ensure a safe transfer of information. The keys used in the process allow developers and customers to have protected access to specific data that other people should not reveal. Asymmetric and symmetric techniques are usually used by banks where all transactions should secure and transferred in the particular code to decrease the risk of stolen money or hacked accounts. Software developers can decide which type of encryption process they like most and what can be more helpful. For more easy projects symmetric technique can be used as it requires less time to be generated. At the same time, more complicated schemes require professionals to use asymmetrical methods.

Nevertheless, it is important to understand the most visible differences between these two types of encryption methods. For instance, the text is shorter in the symmetrical method, and the generation of codes does not take much time. However, asymmetrical encryption requires developers to encode more information and make it more complicated. Moreover, the asymmetrical type is more secure than symmetrical and used in serious areas. The symmetrical technique is easy to use because the encryption and decryption are conducted using one specific key, while asymmetrical requires developers to combine private and public keys. Nonetheless, symmetrical encryption is an old version of encoding, and asymmetrical, in this case, is considered to be more reliable.

Symmetrical encryption is more suitable for big data as it does not require long messages, and long messages can be encoded quicker. Big data includes many complicated information pieces that constantly renew and should be protected. Consequently, the symmetrical technique uses an easy method that allows developers to preserve data efficiently. The asymmetrical technique is rarely used in massive encryption processes as it increases the length of the cryptogram, which is not beneficial in the encoding process. The price, in this case, rises significantly, and the demand for this method decreases. Moreover, the symmetrical method uses less power and may provide encryption and decryption simultaneously. The hybrid technique can also be useful in data protection, but it isn’t very easy, and software developers should have experience in combining different techniques. Nevertheless, the hybrid method helps control encryption during the session, and when it finishes, the developer can save changes or leave them unsaved. ‘Session key’ is generated for the single access and is not saved in the system. These methods help ensure data security and test different changes that might affect big data.

Conclusion

In conclusion, encryption helps to protect different types of data, and diverse techniques give developers the chance to test or adjust changes to specific information. Symmetrical and asymmetrical encryption techniques are the key aspect of the concept, and they allow IT professionals to work with different amounts of data. By understanding the key similarities and differences, encoders are able to use both techniques in the right way. Each method has advantages and disadvantages, and if people understand how to decrease the negative effects caused by these techniques, the data encryption process can become more reliable and secure.

Reference

Kaur, M., and Kumar, V. (2020). A comprehensive review on image encryption techniques. Achieves of Computational Methods in Engineering, 27, 15-43.