JEFF HOWELL

Hash Functions Definition

A hash function is any function that can be used to map data of arbitrary size to data of fixed size. The values returned by a hash function are called hash values, hash codes, hash sums, or simply hashes. One use is a data structure called a hash table, widely used in computer software for rapid data lookup.
Encryption is ideally suited for ensuring the confidentiality of the data, but what about integrity? Scroll below for an example.

Major Considerations

A major factor to consider is how difficult it is to implement the package correctly. For cryptographic systems to be implemented correctly, programmers need to choose the right parameters and configurations, and balance these against performance to meet real-world needs. A mistake in any of these can render the whole effort meaningless, with catastrophic results. A recent example is Apple’s “goto” bug in 2014 (see Figure 1). A programmer mistakenly added one additional goto statement (likely through a copy/paste activity), which resulted in bypassing all certificate checks for TLS/SSL connections. Further, this error continued for over a year, during which millions if not billions of devices were vulnerable to Man-in-the-Middle (MITM) attacks.
Figure 1 – Apple “go-to” code

    if ((err = SSLHashSHA1.update(...)) != 0)
        goto fail;
        goto fail; /* BUG */
    if ((err = SSLHashSHA1.final(...)) != 0)
        goto fail;
    err = sslRawVerify(...);
    ...
    fail:
        ...
        return err;
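The control flow of Figure 1 as a compilable sketch, placed beside a braced version that tolerates the same duplicated line. This is an added example, not Apple's code: hash_update, hash_final and raw_verify are hypothetical stand-ins that only model success (0) or failure (non-zero).

```c
#include <stdio.h>

/* Hypothetical stand-ins for the hash and signature steps in Figure 1. */
static int hash_update(void) { return 0; }
static int hash_final(void)  { return 0; }
static int raw_verify(int signature_ok) { return signature_ok ? 0 : -1; }

/* Same shape as Figure 1. The duplicate goto is written at the level the
 * compiler parses it; in the original it was indented under the if. */
int verify_buggy(int signature_ok)
{
    int err;
    if ((err = hash_update()) != 0)
        goto fail;
    goto fail;                      /* BUG: always taken, with err == 0 */
    if ((err = hash_final()) != 0)
        goto fail;
    err = raw_verify(signature_ok); /* never reached */
fail:
    return err;
}

/* Braces on every branch: the same duplicated line stays inside its if. */
int verify_fixed(int signature_ok)
{
    int err;
    if ((err = hash_update()) != 0) {
        goto fail;
        goto fail;                  /* same duplicate, now harmless */
    }
    if ((err = hash_final()) != 0) {
        goto fail;
    }
    err = raw_verify(signature_ok);
fail:
    return err;
}

int main(void)
{
    printf("buggy, bad signature: err=%d\n", verify_buggy(0));
    printf("fixed, bad signature: err=%d\n", verify_fixed(0));
    return 0;
}
```

GCC's -Wmisleading-indentation (part of -Wall since GCC 6) warns on the original indentation of this pattern, and Clang's -Wunreachable-code reports the dead verification call.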

Does Encryption Support Data Integrity?

The simple answer is "no".  Encryption by itself will not ensure data integrity.  The example below will illustrate this.  To see how integrity of a message is maintained, see the Message Authentication Codes (MAC's) page on this website.

In this example, I converted the text “CSOL510” to binary and then XOR’d that binary into a cipher with a repeating key, using the binary equivalent of “A” (01000001). Assuming this is correct, the XOR’d cipher is below.

[Image: the binary of “CSOL510” XOR’d with the repeating key “A”]

I would argue that in this case, the plain text “CSOL510” is confidential until someone either cracks it or has the key “A” (in binary). However, there are no assurances the integrity of the message has not been compromised. In the example below, I changed one of the bits in the sixth word “1” to the binary equivalent of the number “3”.

[Image: the cipher with one bit changed]

It’s a long and drawn-out way to say that a single bit change in the encrypted message will compromise the integrity of the message without the receiver knowing it was compromised, yet it required the key to decrypt. Therefore, the confidentiality was maintained, but the integrity was not. As a result, a MAC is required to maintain the integrity of the message. If this were a real example, a student who thought she was registered for the course CSOL 510 may have received a confirmation that she is enrolled in CSOL 530.
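The XOR walk-through above, reproduced as an added example (not code from the original page). It assumes the key is the single byte 0x41 repeated over the message and that the changed bit is the one that separates “1” from “3”; the function names are chosen here for illustration.

```c
#include <stdio.h>
#include <string.h>

#define KEY 0x41  /* 'A' = 01000001, the repeating one-byte key from the text */

/* XOR every byte with KEY. The same call encrypts and decrypts. */
void xor_crypt(const unsigned char *in, unsigned char *out, size_t len)
{
    for (size_t i = 0; i < len; i++)
        out[i] = in[i] ^ KEY;
}

/* Print each byte as eight binary digits. */
void print_bits(const char *label, const unsigned char *buf, size_t len)
{
    printf("%-10s", label);
    for (size_t i = 0; i < len; i++) {
        for (int b = 7; b >= 0; b--)
            putchar(((buf[i] >> b) & 1) ? '1' : '0');
        putchar(' ');
    }
    putchar('\n');
}

/* Encrypt "CSOL510", flip one bit of the sixth ciphertext byte, decrypt.
 * Decryption has no failure path, so the altered text is simply returned. */
void receive_altered(char out[8])
{
    const unsigned char msg[] = "CSOL510";
    unsigned char ct[7], pt[7];

    xor_crypt(msg, ct, 7);
    print_bits("plain", msg, 7);
    print_bits("cipher", ct, 7);
    ct[5] ^= 0x02;   /* '1' (00110001) and '3' (00110011) differ in this bit */
    print_bits("altered", ct, 7);
    xor_crypt(ct, pt, 7);
    memcpy(out, pt, 7);
    out[7] = '\0';
}

int main(void)
{
    char received[8];
    receive_altered(received);
    printf("receiver decrypts: %s\n", received);
    return 0;
}
```

Nothing in the decryption step can signal the change, which is why a separate integrity check such as a MAC over the ciphertext is needed.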
Jeff Howell  -  San Carlos, CA  -  Privacy Statement - email Jeff