This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
Robust and fast security is a basic tenant for secure computer transactions. Hashing algorithms has been poor-man of the community, with their security receiving less attention than standard encryption algorithms. However, most amateur computer programmers completely overlook encryption and hashing while storing passwords via their software/application. Even if they apply them, they don't apply them properly. In this paper, we look at the various ways the hashing algorithms and encryption methods are used together in order to achieve better security but we wonder, how these things may backfire if they are not properly implemented.
II. WHAT IS ENCRYPTION
According to the formal definition, Encryption is a process of converting information into unreadable form so that it can't be accessed by any unauthorized person. To get back the original information, things need to be decrypted back to their original state.
III. HOW ENCRYPTION WORKS
Encryption of data depends on the type of algorithm used. There are thousands of algorithms out there, and discussing all of them is not the scope of this paper. However, we can see how a general encryption algorithm is supposed to work.
Well, an encryption algorithm is a kind of mathematical formula. You give an input to the formula and the formula gives you an output. So in our case, your data will be the Input to the encryption and whatever unreadable form you will get is the output of the Encryption algorithm.
But an encryption algorithm is not supposed to produce a same output of a same data for everyone, whoever uses the algorithm. Even if the data is same, it must produce different versions of encrypted data for different users.
Let us take an example, say I want to encrypt my name 'ABC' so that no one will be able to figure out what it means.
So, I give ABC as an input to the algorithm and in return I get something like say 456. At the same time, someone with the same name 'ABC' uses the same algorithm to encrypt his/her name and get the same output as 456. Now if that person gets his/her hands on my encrypted data, he/she can easily figure out that it means 'ABC'. We can see that the whole reason for encryption fails here.
IV. HOW ENCRYPTION PRODUCES DIFFERENT OUTPUT
To overcome the above mentioned problem, people came up with a method, so that the algorithm will produce a different output each and every time.
Let us have a look at that method. The idea was to use a secret key along with the algorithm. The secret key was supposed to decide the output of the encryption algorithm.
If we get back to our example, we can now use a secret key to encrypt our name with it and since secret key vary from person to person, the encryption algorithm will produce different versions of the same data. So, it will be the secret key that will decide how the data is encrypted and not the data itself. Sounds secure! Well, we will figure out later.
V. HOW TO GET BACK THE ENCRYPTED DATA
Well, if we convert our data into unreadable form, then there should be a way through which we must be able to get it back. This is the beauty of Encryption, that one can get their data back. This method is known as DECRYPTION. It is analogous to the Inverse function in mathematics. From the output, one can get back the Input.
Decryption is like tracking back the encryption algorithm to get back the input. But similar to encryption, the path is traced back according to the secret key.
To put things simply, if one uses a different secret key for the encrypted data to decrypt it, he/she will end up getting a different version of decrypted data and that data will be completely different from the actual one.
VI. WHAT IS HASHING
From the above discussion, we have got a fair idea of what we mean by encryption, how data is encrypted and how decryption works to return back the original data.
Now, what is Hashing, what it needs to do with security and how it is actually related to encryption.
One can put things as, Hashing is one way encryption. What it means is that we can get our data back when we encrypt them but we can't get back our original data if we hash them.
VII. HOW HASHING WORKS
Well, Hashing proceed the same way as that of encryption but differs from it, how the end result is presented.
The end result is usually results in a loss of actual data. Simply put, Hashing creates a corrupted version of encrypted data so that it can't be decrypted even using a secret key.
VIII. PRACTICAL APPLICATION OF HASHING AND ENCRYPTION
One may think that where we can we actually apply the concept of Hashing and Encryption.
Let us have a look at that. Today, Internet is an integral part of our life. We store tremendous amount of data online be it mails, accounts, bank details and what not. In order to stay assured that your data is not compromised, software engineers use the concept of Hashing and Encryption to protect our data from unauthorized access.
IX. HOW HASHING SAVES OUR DATA
We know that, Hashing is a one way function, once we input something, there is zero possibility to get back the original data.
To store data online, we create an account by providing a username along with a password.
Earlier systems used to store the user's password in a database as it is and when the user used to login, its password was compared to the original password to authenticate it.
However, we can see that there is a chance that our data can be accessed by anyone who has the access to the database. This was a serious thing to concern. This thing is brilliantly handled by Hashing today.
Our password is hashed by the respective system and stored in a database. Since Hashing is irreversible, no one can get back our original password even if they have the access to our database. So the next time someone logs in, they enter their password, their password is hashed again and compared to the previously stored hashed password.
We can see the benefit of it. Your original password is never stored by the system and it neglects the chance of data compromise to maximum extent.
X. HOW ENCRYPTION SAVES OUR DATA
We have seen that, since our password is just compared, we really don't need to worry about whether we can extract back our password or not. However, we do need to worry about our data which we store online. Because there should be some way to get back our data. Valuable data can't be hashed because hashing will render them unusable. To overcome the problem, large number of Encryption algorithms has been written and implemented. But we know that, Encryption does need to have a secret key that will decide their output.
During earlier implementations of encryption, Software programmers tend to use a specific secret key for their software for all their encryption needs.
Simply put, the secret key was predefined in the software itself and depending upon that secret key all the data were encrypted accordingly.
XI. FLAWS IN THE ENCRYPTION TECHNIQUE
Well, hashing is fine with the passwords, we can rest assured that our password is safe and no one can really access our password. But as we can see, encryption is depending upon the secret keys pre-configured by the software engineers. If the secret key is compromised by any means, it may lead to exposure of large number of valuable data to unauthorized access.
XII. A WAY TO BETTER ENCRYPTION
With this paper, we want to show that, even though the Encryption is a noble concept but unless and until things are properly implemented, things may go wrong and sometime even may lead to backfire.
So the solution we have come up with for the above mentioned problem is to combine the technique of Hashing and Encryption to store data more securely. We will see how.
Instead of pre-configuring the secret key in encryption algorithm, the better way would be to derive that key each during the configuration of one account and generate that key each time dynamically to decrypt data. Let us see how we can achieve this.
A data can be hashed for any number of times and each time hashing algorithm generates a different output for that iteration. Our method suggests that, passwords must be hashed multiple times and a particular iteration of the hash has to be stored in the database and for some other iteration the hash needs to be stored temporarily. If we combine the two hashes, it will lead to creation of a new hash and that hash can be used as a secret key for the data encryption needs. One can use any function to combine the two hashes but it is suggested that if the function is irreversible, its better. So, the next time, someone logs in, the password is hashed for different iterations. For a particular iteration, it is compared to authenticate the user and the other iteration is stored temporarily. Now again the hashes are combined, and the secret key is generated dynamically to be used for the decryption of the data. We can see that, everything is dynamic here and no one really have the access to our data other than only us.