Password System Security And Cryptography Goals Computer Science Essay

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

The computer is a great device to show and install template such as images, biometric and any other materials that store in the computer database, either it is for normal usage to view the template or for privacy usage. For the template that want to be seen public, put them on the internet or in the normal folder. Important template should be protect and only authorize person can view and use the images. Administrators are able to protect a template to restrict editing, moving or viewing of that images or database, and remove such protection. Nowadays, the best ways to protect the template are by using Cryptography and Watermarking technique. This thesis will more detail on Cryptography side where the template security will be based on password enhancement to make only authorized person can view all the information's in the template.

All of business systems' users have confidential passwords. This does that mean the system and its contents are safe. Organizations that not guarantee the current security of their passwords are revealing themselves to deception and possible burden by failing to protect confidential information [3].

Modern years have seen a gush in the cleverness and number of hacker try to get unauthorized access to online proprietary corporate information and processes [3]. Moreover, a rising list of national, state and local laws and policies requires organizations to protect the confidentiality of client and employee data in their systems [3]. In response, system administrators had to enforce strict procedures leading the creation and intermittent appraisal of passwords, as well as the number of wrong try to enter a password the system will allow before it hinder the user out of the account [3]. Such conditions do improve security. But because fraudsters stand to grow, possibly significantly, they continue to work out creative and often very flourishing ways to crack, or decode, client and employee passwords [3]. To help the administrator defeat such attacks, this thesis under section 2.4 will briefly clarify hackers' various methods and demonstrates comprehensive countermeasures that can halt most, if not all, attempts to crack the passwords.

2.3 Cryptography

2.3.1 A little bit of history

Since the origin of history, fierce battles have been waged between code makers and code breakers. Prehistoric hieroglyphs, Egyptian hieroglyphs, druidic runes were communication tools reserved to certain high-castes in order to differentiate and protect their community. More intentionally, secret communications were key elements of how wars were won and lost, from the ancient Greece to the World War II and the famous German Enigma machine [8]. All this refers to the so-called conventional cryptography. From the middle of the last century, modern cryptography is more related to diplomacy, business, espionage and unfortunately terrorism with the recent use of steganography to set up 2001/9/11 terrorist attacks in the US [8]. Modern cryptography in IT began with IBM and Horst Feistel developments during the early seventies to finally build the US national standard Data Encryption System (DES) in 1977 [8]. Most current communication systems extensively use cryptography: banking networks, mobile telephony, satellite television, and internet.

2.3.2 Cryptography Goals Confidentiality

The very first and intuitive goal of cryptography is the protection of confidentiality; anyone intercepting an encrypted message must be unable to recover the original message, without having access to the ciphering key. This confidentiality feature is obtained with encryption/decryption schemes. Encryption, for instance, is a so-called primitive of cryptography, as example, one tool of the toolbox. Integrity

The second, out of the three most important features, is integrity. This ensures the receiver that the message is the original one and has not been modified by a malicious third-person. The integrity primitive is the so-called hash function [6]. Authentication

The third important one is authentication. This ensures the receiver that the message is really coming from the right sender, who couldn't be impersonated by a malicious third-person. The integrity primitives are the so-called Message Authentication Code (MAC) function or Digital Signature when using asymmetric primitives [6]. Identification

This notion is close to the previous one, here the goal being to directly authenticate our interlocutor and not a message. The person is generally authenticated with a secret that he or she possesses. This identification feature is based on the so-called Challenge-Response protocol [6]. Others

Several other cryptographic goals could be achieved with classical prehistoric depending on the application needs. Here is a non-comprehensive list: secrecy like at electronic voting, commitment like in online gaming, non-repudiation in financial transactions, randomness in online gaming, zero-knowledge like in online user authentication, and availability of services [6].

2.3.3 Science of Secret

Cryptography is the art and science of encryption. At least, that is how it started out. Nowadays it is much broader, covering authentication, digital signatures, and many more straightforward security functions. Cryptography is just a small part of much larger security system. Even though it is only a small part of the security system, it is a very significant part. Cryptography is the part that has to provide access to some people but not to others. This is very tricky. Most parts of the security system are like walls and fences in that they are designed to keep everybody out. In simple definition, Cryptography is the practice and study of hiding information. Modern cryptography intersects the disciplines of mathematics, computer science, and electrical engineering. Applications of cryptography include ATM cards, computer passwords, and electronic commerce [5].

Cryptology prior to the modern age was almost the same with encryption, the conversion of information from a readable state to unreadable. The sender retained the ability to decrypt the information and therefore avoid unwanted persons being able to read or view it [5]. The primary objective of cryptography is to enable two people, to communicate over an insecure channel in such a way that an adversary cannot understand what is being said. Cryptography is historically used in military and diplomatic communications, and more recently, few tens of years, has found application in Information Technology security. Applications in IT security include communication encryption, digital signature, and user/device authentication.

2.3.4 Basic Primitives of Cryptography Encryption/Decryption Functions

Encryption is the process of transforming clear information (referred to as Plaintext, Message or original template) to unreadable information (referred to as Cipher text or Cryptogram), except for who's having the special knowledge (referred to as the Key).

Figure 2.1: The Shannon encryption model

Figure 2.1 illustrates the symmetric encryption/decryption system referred to as the Shannon model, whereas Figure 2.2 depicts the asymmetric encryption/decryption system, where the sender uses the receiver's public key to encrypt while the receiver uses his own private key to decrypt.

Figure 2.2: The asymmetric encryption model

The existence of systems dedicated to predetermined data likes file encryption referred to as block ciphers and systems dedicated to on-the-fly encryption likes voice in mobile telephony referred to as stream ciphers. Some well known solutions, and very much used in IT, are DES and AES for symmetric cryptography and RSA for asymmetric cryptography. Hash Functions

Hashing is the process of transforming and reducing clear information, the message, to a very short data representative of the message, generally 128, 160 or 256 bits. Hashing is a one-way function and permanent because one can't retrieve the message from its hash value and is ideally collision-free, in other words, two different messages can't have the same hash value. Basically, hashing is a lossy compression function.

Figure 2.3: The integrity channel

Some well known solutions, and very much used in IT, are MD5 and SHA-1. The hash is used to ensure the message reliability, since the couple (message and hash value) can't be fake, in theory. Beyond cryptography, hashing is a classical technique to index data in arrays and is widely used in large database management systems. The password can act likes a message and it is good to hash, becoming password hashed. Table below shown the list of some algorithm that is often used in cryptography:


Output size (bits)

Internal state size

Block size

Length size

Word size











































Table 1: Cryptographic Hash Function Algorithms

2.4 Salting Method on Template Protection

Salt is a random string that is concatenated with passwords before being operated on by the hash function. The salt key is then stored in the user database. Salting key makes dictionary attacks practically impossible, as an attacker would have to figure out the hashes for all possible salt values. In findings, the template protection methods can be classified into two categories namely, feature transformation approach and cryptosystem (helper data method). Salting falls under the feature transformation approach as categorized in Figure 2.4. Apart from salting, none of the other template protection schemes require any secret information (such as a key) that must be securely stored or presented during matching.

Figure 2.4: Categorization of template protection schemes.

To make the salting method more clearly, Figure 2.5 will demonstrate how the salting apply along the template encryption and decryption. For the template image, fingerprint image was used because it is a good example to protect the identification privacy.

Figure 2.5: Authentication mechanism when the template is protected using a salting approach.

In the feature transform method, a transformation function (F) is applied to the image template (T) and only the transformed template (F (T; K)) is stored in the database as shown in figure 2.4 above. The parameters of the salting function are typically derived from a random key (K) or password [2]. The same transformation function is applied to query features (Q) and the transformed query (F (Q; K)) is directly matched against the transformed template (F (T; K)) [2]. In salting, F is invertible, that is, if an adversary gains access to the key and the transformed template, the user can recover the original image template (or a close approximation of it) [2]. Hence, the security of the salting technique is actually on the confidentiality of the key or password.

Salting and stretching

Based on the findings, to squeeze the most security out of a limited-entropy password or passphrase, two techniques can be used that are salting and stretching [1]. The first is to add a salt. This is simply a random number that is stored alongside the data that was encrypted with the password. The recommended number of bit is 256-bit salt [1]. The next step is to stretch the password. Stretching is essentially a very long computation. Let p be the password and s be the salt. Using any cryptographically strong hash function h, then compute

K will be the key to actually encrypt the data. The parameter "r" is the number of iterations in the computation, and should be as large as practical [1]. In normal use, the stretching computation has to be done every time a password used. This is at a point in time where the user has just entered a password. It has probably taken several seconds to enter the password, so using 200ms for password processing is quite acceptable. The rule to choose r such that computing K from (s,p) takes 200-1000ms on the user's equipment. Computers get faster over time, so r should be increasing over time as well [1].

The salt stops the attacker from taking advantage of an economy scale when the user is attacking a large number of passwords simultaneously. Suppose there are million users in the system, and each user stores an encrypted file that contains his/her keys. Each file encrypted with the user's stretched password. If the security creator did not use a salt, then the attacker can attack as follows: guess a password p, compute the stretched key K, and try to decrypt each of the key files using K. The stretch function only needs to be computed once for every password, and the resulting stretched key can be used in an attempt to decrypt each of the files.

This is no longer possible when the security creator add the salt to the stretching function. All the salts are random values, so each user will use a different salt value. The attacker now has to compute the stretching function once for each password/file combination, rather than once for each password. This is a lot more work for the attacker, and it comes at a very small price for the users of the system.

2.5 Salting Hashed Password

Authentication is the important matters when the template was protect by the password. Before go more deeply on salting method that is known as the best way to strengthen the password, let's focus on some definition related to this field. For the normal login system, users have to insert their username and password to login the system. Actually the password entered by the user is known as clear text password. This clear text is the unencrypted characters create by the user itself. Hashing is a process that follows a mathematical formula to convert a user's password or clear text into an encrypted alphanumeric value. Despite its harder-to-crack encryption, hashing has security weaknesses. Salt is a symbolic term for a random array of characters that will be attached to a password to strengthen it against hackers. Salt also can be concatenated with the hash becoming salted hashing. Salted hashing is a technique to make passwords harder to crack. It consists of adding a salt value to a password, and then hashing it.

Stored passwords for logins should be hashed and salted. Hashing is a one way mechanism to produce approximately unique value based on the given input [4]. This is useful since the authorized user can store the hash and validate the password whenever needed without storing the actual password [4]. The same input will always produce the same hashed value which is useful for validating password logins but it is also difficult since people could determine that user "A" password must be the same as user "B" password since they have the same hashed value [4]. This can be taken to an extreme where roll up the matching hashes across thousands of passwords and can therefore use a common password list to start identifying passwords - think someone looking at system user table with thousands of records looking for hashed passwords with the same value [4]. The solution is salting which means adding a known random value to each password before hashing it - this makes all the hashed values unique and prevents cross-referencing or dictionary attacks [4]. For the better understanding about clear text, hashing, and salted hash, one example scenario on banking database system was listed:

Let say in one system database has a password table listing each user's identification and password that is located in electronic database, when a user attempts to log in; the system evaluates the username and password filled by the user with the values in the password table. If both of the particular match, the system declares the user [3].

User Name

Clear-Text Password





Ng Lee Liang
















Table 2: Password Table

The risk intrinsic to this password database is that it could be informal cooperated. For example, a hacker might get illegal remote access to it or it could be purposely revealed to a stranger by, perhaps, a resign system administrator [3]. For better illustration about this, assume that AIA Bank necessitates its employees to use passwords that contain of at least six numbers and lowercase or uppercase letters. The bank preserves these passwords in a password table. Table 3 explains the three major password formats available to system administrator, and specifies the comparative risk associated with each technique [3].

Password Format

Risk Exposure

Clear Text Password / Plain Password


Basic Hash Encryption


Salted Hash Encryption


Table 3: Password Format Risk Exposure

Clear-text passwords as in Table 2 shows; this unencrypted format of password or known as clear text password exposes the system passwords to everyone who views the password table [3]. System administrators be supposed to make sure their staffs realize the danger and imprudent of storing passwords in clear text format [3]. Basic hash encryption engages encrypting passwords before storing them in a password table. One familiar method involves the mathematical hashing formula usage, which change a user's password into an encrypted alphanumeric value [3]. Table 4 below illustrates the process of hashing. Assume AIA Bank employee David chooses password "Batman". As an example, the hashing process converts "Batman" into "68tzq9p".

User's Password: "Batman"

Hashing Function (encryption only; no decryption)

Hashed Value: "68tzq9p"

Table 4: Basic process of hashing

By using hash encryption, only the user knows his or her password. The system administrator will recognize only the hashed value of the user's password. And if a hacker someway were to find out that hashed value, the hacker would not be able to "reverse-compute" the password [3]. If users fail to remember his or her password, they can ask for a temporary password, which the system administrator can send to the e-mail address specified in the user's system profile. To secure against exploitation of the temporary password by an unauthorized person, the system should need the user to answer a previously agreed-upon question. For example, after the user entering the temporary password, the system might ask him to give his or her mother's maiden name [3]. At this point, the system also should require the user to choose a new permanent password. Although basic hash encryption makes passwords difficult to crack, it is not a thoughtful challenge for many hackers [3]. That's because basic hashed values can be at risk to hacker attacks utilizing rainbow tables, which are lists of the predetermined hashed values of thousands of words that employees may have preferred as passwords [3].

If a hacker gained a duplicate of the password table as shown in table 5, the hacker could make a comparison with a rainbow table, searching for matches.

Table 5: Hashed password vulnerable to rainbow tables

The bank's password table as in Table 5 contains an imaginary hashed value of all passwords in the clear text table in Table 1. In Table 5 also has a sample of rainbow table. A hacker would make a comparison between these two tables, seeking for matches. If a match is recognized, the hacker could assume the employee's password. In this case, the hacker would notice that "68tzq9p" is the hashed value of David's password, "Batman". To make substances worse, the hacker also would notice that Ng Lee Liang's and William's hashed password values are "68tzq9p" too, meaning their clear-text password also "Batman". Prepared with that information, the hacker would simply be able to access into David's, Ng Lee Liang's, and William's accounts.

Because of the hacker can easily guest the hash and the initial password, the hash encryption should be salted. Salted Hash encryption involves the use of randomization known as a salt string. A salt string is a random range of characters created and then concatenate to a user's password before hashing it [3]. This extra step; adding salt will exponentially raises the difficulty of cracking the password [3]. Without salted hashing, there's a good chance one of the hacker's rainbow tables will have a match for the password the hacker is trying to figure out [3]. But when the password enclose salt, which the rainbow table probably will not contain the probability of a match reduce, and the hacker is likely to be slowed down and confused [3]. Once a hacker recognizes the system uses salted hashing, the hacker most likely will move on, searching for a system with not protected by salt [3]. Table 6 illustrates the use of salt in hashing system.

Table 6: Salted Hash - The Best Defense

From Table 6, AIA Bank employee David uses "Batman" as his password. When he entering the password, the system will generate a random string, for example "dbm675", and concatenate it to the beginning of her password, which will become "dbm675Batman". Then the system will hash that salted password, converting it to "Jirhmj9uq8q0uuq" and record the salted hashed character in the password table, as shown in Table 6. Although David, Ng Lee Liang, and William have the same clear-text password; "Batman", each of them has a different salted hashed pattern of that password.

2.6 Software Implementation

The software that has been used in this project is MATLAB 7.10.0 (R2010a). MATLAB (matrix laboratory) is a numerical computing environment and fourth-generation programming language [10]. Developed by Math Works, MATLAB allows matrix manipulations, plotting of functions and data, implementation of algorithms, creation of user interfaces, and interfacing with programs written in other languages, including C, C++, and FORTRAN [10]. Although MATLAB is intended primarily for numerical computing, an optional toolbox uses the MuPAD symbolic engine, allowing access to symbolic computing capabilities. An additional package, Simulink, adds graphical multi-domain simulation and Model-Based Design for dynamic and embedded systems [10].

Figure 2.6: MATLAB Software

The MATLAB language supports the vector and matrix functions that are primary to engineering and scientific problems [9]. It enables quick development and implementation. With the MATLAB language, user can code and develop algorithms simply than with conventional languages because low-level administrative tasks do not need to perform, such as declaring variables, allocating memory and specifying data types [9]. In many cases, MATLAB abolish the need for 'for' loops. As a result, one line of MATLAB code can often replace numerous lines of C or C++ code [9]. At the same time, MATLAB provides all the features of an established programming language, including data structures, arithmetic operators, flow control, data types, debugging features, and object-oriented programming (OOP) [9].

By using MATLAB, user is able to utilize the interactive tool GUIDE (Graphical User Interface Development Environment) to layout, design, and edit user interfaces. GUIDE lets the user include the push buttons, list boxes, radio buttons, pull-down menus, and sliders, as well as MATLAB plots and ActiveX controls. Otherwise, user can create GUIs programmatically using MATLAB functions [9].

Figure 2.7: MATLAB GUIDE tool window