Invitation to Cybersecurity

7. The Bedrock of Cybersecurity: Cryptography

The birthday paradox math is the same math used for finding a hash collision. It can be quickly approximated by taking the square root of the number of buckets. This makes sense because the number of comparisons is squared:

$(n \times (n - 1)) / \simeq n^2$

For the birthday problem, taking the square root of the number of birthdays yields:

= 19.13

This is a close approximation to the actual answer of twenty-three. Now back to the original question: how many hashes would need to be generated to make finding a collision likely for a 256-bit hash function?

= $2^{128}$

$2^{128}$ may seem small, but it is actually an incomprehensibly huge number. It is not possible to create enough hashes to make a hash collision probable even if given all the computing power in the world and all the time remaining before the sun runs out of energy to do it.

Besides the brute-force attack, the other type of attack on hash functions is a cryptanalytic attack. Nothing about hash functions is secret. Their internal operations can be analyzed to dissect how they manipulate bits to produce hashes. If there is a flaw in the algorithm, then it may be possible to cleverly manufacture a collision. In other words, it is not necessary to produce countless hashes hoping to find a collision as in a brute-force attack. Input values can be chosen carefully to make collisions more likely.

Two famous hash functions have fallen to cryptanalytic attacks. MD5 (Message Digest 5) is a 128-bit hash function created in 1991. By 1996 a weakness was discovered in its design, so its continued use was discouraged. However, it is still a popular hash function in contexts where security is not critical (e.g., in capture-the-flag contests). SHA-1 (Secure Hash Algorithm 1) is a 160-bit hash function created in 1993, and flaws were also soon discovered in its design. In the 2000s experts recommended that its use be discontinued.
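The square-root estimate for brute-force collisions can be checked directly. The following is an added example, not code from the book: it computes the exact birthday answer and then runs a real collision search against SHA-256 truncated to a small number of bits. The function names and the input strings are constructed for illustration.

```python
import hashlib
import math


def people_for_even_odds(buckets: int) -> int:
    """Smallest number of random draws with >= 50% chance of a repeat (exact)."""
    p_all_distinct = 1.0
    draws = 0
    while p_all_distinct > 0.5:
        p_all_distinct *= (buckets - draws) / buckets
        draws += 1
    return draws


def truncated_sha256(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256, standing in for a small hash function."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)


def find_collision(bits: int):
    """Hash constructed inputs until two share a truncated digest.

    Returns (first_input, second_input, hashes_computed).
    """
    seen = {}  # truncated digest -> input that produced it
    counter = 0
    while True:
        msg = b"constructed-input-%d" % counter  # constructed sample input
        tag = truncated_sha256(msg, bits)
        counter += 1
        if tag in seen:
            return seen[tag], msg, counter
        seen[tag] = msg


if __name__ == "__main__":
    print("365 birthdays: exact", people_for_even_odds(365),
          "vs sqrt estimate %.2f" % math.sqrt(365))
    for bits in (16, 24, 32):
        a, b, tries = find_collision(bits)
        print(f"{bits}-bit hash: collision after {tries} hashes "
              f"(sqrt of buckets = {2 ** (bits // 2)})")
    print("256-bit hash: sqrt of buckets = 2^128 =", 2 ** 128)
```

Each extra bit of output multiplies the work by about the square root of two, which is why the search that finishes instantly at 32 bits is out of reach at 256.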
Google famously produced the first actual SHA-1 collision in 2017 in what they called the SHAttered attack.

7.3 Steganography

“A boat beneath a sunny sky / Lingering onward dreamily / In an evening of July — / Children three that nestle near, / Eager eye and willing ear…” - “A Boat Beneath a Sunny Sky” by Lewis Carroll

Cryptography is closely related to steganography. Steganography (sometimes abbreviated stego) comes from two Greek words meaning “covered writing.” It is the art and science of hiding information in plain sight. It can be a message within a message or an unexpected method of communication. The goal with steganography is for communicat-
