Since its humble beginnings, cybersecurity has been tasked with beating the collective genius of individuals whose sole purpose is to break things.
Mar 04 2021 | ArticleThe biggest dilemma they faced was securing information without compromising its accessibility. The solution was something that humanity has been using since the Classic era: Cryptography.
A cryptographic system’s basic concept is to encode a message or data to make the information fully confidential so that an unknown party cannot derive its meaning.
We can see how cryptography has evolved recently by looking at password security. The most common way to store a password is called *hashing; it’s a technique where passwords stored in the plaintext are replaced with a random hash.
While the solution offers much better security than your standard plaintext password, it’s far from flawless, as it’s still vulnerable to something known as “Rainbow Table,” which is a precomputed table for reversing cryptographic hash functions (a cracking method) for obtaining the Key Derivation Function (or KDF).
It requires minimal computing power instead of other more intense methods such as Brute force or Dictionary attack.
These tables operate by taking the existing hashes and comparing them to known results from a table with over 800,000 billion hashes. A technique known as “Salting” was developed to prevent this from happening.
Example:
Password: professionaltools
Salt: eg!7(
Append: professionaltoolseg!7(
Hash: 90af412e929f7d62859d8b3aa8d5480e
Salt are random short sets of characters appended at the end of the string before the hashing process. An advantage of Salt is that users are entirely unaware of the process occurring behind the scene.
However, there is a disadvantage; most Salts are stored in plaintext beside the username, so while it’s very effective at preventing a Rainbow Table hack, it's rather useless against Brute force Dictionary attacks.
Example:
Password: professionaltools
Pepper: E
Append: professionaltoolsE
Hash: -something random-
Pepper is a short string or single character appended at the end of a password. It sounds a lot like Salt, doesn't it? But the devil is in the details; in this case, the user won’t be aware of this either, but the difference is that Pepper won’t be stored in plain text. Instead, the application database will try to match all possible peppers until it finds a hash match.
This vital extra step on the database means that attackers willing to Brute force their way to hack passwords will need at least 50 times more computing power than they did before. Unfortunately, this also comes with a disadvantage; the extra computing effort will also be applied to the application hashing the password every time a legit user logs in.
Salt and Pepper protect users when storing private passwords, but despite this, they are still unable to avert a brute force attack, even when combined. A brute force attack essentially uses a tremendous amount of computing power to cross-check numerous combinations of either password or hash keys to identify a working object.
There’s no current viable way in the cybersecurity world to avoid this. It is a fundamental problem of the limited (yet almost endless) combinations of 0 and 1 a computer can create.
Colin Percival developed a method in 2012 for Tarsnap that comes close to averting these kinds of attacks. The technique is called Scrypt.
According to Colin Percival in Stronger Key Derivation via Sequential Memory-Hard Functions (2009):
Scrypt “presents a family of key derivation functions which, under the random oracle model of cryptographic hash functions, are provably sequential memory-hard, and a variation which appears to be marginally stronger at the expense of lacking provable strength.”
Remember how Salt and Pepper used a single algorithm to hash the previous examples? This method uses not one but four various functions to maximize the required amount of work any custom hardware would need to brute force any given password. It gets exponentially worse for every added character.
The method makes any kind of brute force attack virtually impossible for anyone without a billion dollars in pocket change.
Every modern web service storing confidential information about its users is highly likely to accommodate any derivation from the Salt and Pepper techniques.
Giant corporate operations, such as Amazon, are one of the most significant users of Scrypt technology. Interestingly, web services are only the tip of the iceberg since a lot of Scrypt users are not applying it to protect passwords, but something much more valuable: digital and crypto currency.
Bitcoin uses a hashing method known as SHA-256, which is the most popular form of cryptocurrency encryption. It creates a lot of scarcity and rewards custom hardware and global financial operations. More and more crypto operations are now opting to use the Scrypt technique.
Scrypt-protected cryptocurrency is increasing and emerging daily. Some of the biggest contenders are currently Litecoin, grossly valued at $8,905,628,035, and Dogecoin sitting at a comfortable $3,463,801,312 market cap.
One of the reasons these Blockchain projects use Scrypt instead of SHA-256 is to level the playing field. Everything happens in memory with Scrypt. The advantage that custom hardware offers is greatly diminished, meaning that global operations are less likely to overshadow enthusiasts trying to get into mining either as a business or as a hobby.
If you are a cybersecurity enthusiast or a CTO looking to improve your platform’s security, keep in mind that every method comes with its advantages and disadvantages.
While Scrypt can give you the best protection, it consumes a lot more computing power than its alternatives - according to Scrypt is Maximally Memory-Hard paper.
“Memory-hard functions (MHFs) are hash algorithms whose evaluation cost is dominated by memory cost. As memory, unlike computation, costs about the same across different platforms, MHFs cannot be evaluated at a significantly lower cost on dedicated hardware like ASICs. MHFs have found widespread applications including password hashing, key derivation, and proofs-of-work.”
-Jo¨el Alwen , Binyi Chen , Krzysztof Pietrzak , Leonid Reyzin , and Stefano Tessaro
Scrypt’s application to cryptocurrency is excellent because most of the computing is done on the end-user side. However, when used for web services, you will have to compensate for computing costs using your resources.
It’s essential to keep this in mind when choosing a hashing method, as brute force attacks are already expensive when applying Salt and Pepper. Although the costs might be enough to dissuade a few, it has not succeeded in averting the most giant corporations.
The struggle with cryptography appears to be a technological one. The application of cryptography to modern cryptocurrencies has revealed a few issues.
During the 2012 - 2013 Bitcoin (SHA-256) boom, big investors decided to run the Bitcoin mining operation facilities. The change in management drove away enthusiasts and small rig owners and pushed the currency directly into the hands of corporate users who had a limitless supply of custom mining hardware.
As a result, alternative coins (or altcoins) such as Litecoin with more convenient hashing methods like Scrypt became a safe haven for people who believed that the cryptocurrency’s identity as a decentralized digital currency has been compromised.
As technology evolves, so do its implications, and with developments like electronic voting gaining more traction, the need for an even playing field is becoming crucial.
Perhaps an even more comprehensive solution awaits in the near future, possibly rendering useless some of the finest modern hardware whose only purpose is to crack SHA-256 keys.