An intro to Cryptography + Bcrypt

Many of us have heard of cryptography before, whether you have been implementing Auth within Ruby on Rails, watched the Imitation Game, or heard about cryptocurrency, but I wanted to dive a little deeper about what it is, and how it works. I’ll begin with an overview of cryptography, and then dive a little deeper into Bcrypt and how it utilizes different aspects of cryptography.

Historically, cryptography (literally “secret writing”) has been used for thousands of years to encrypt secret messages, whether conspirators are readying a coup, or Alan Turing is attempting to break the Enigma encryption during WWII. Now, it is one of the most common forms of computer security, with millions of secure transmissions occurring each day. Cryptography is used to keep banking transactions, health data, and cryptocurrency legitimate and safe.

Encryption

With the introduction of computers and computer science, these basic encryption techniques became incredibly simple to decrypt. There was a need for something more powerful….

Hashing

Bcrypt

Traditional hashing algorithms such as SHA1 or MD5 initially look like Bcrypt, but are far different. They will intake a string, such as above, and output the same hash for the same string. Although this looks complex, hackers can use a method called the dictionary attack or rainbow table to run these encryption methods, compile a list of the most commonly used passwords along with their hash, and match their list of hashes with the compromised list. A nefarious actor can then work backwards to determine the passwords. A popular website for this is Hashkiller.io. For example, try to crack this MD5 hash: 48bb6e862e54f2a795ffc4e541caed4d

Notice below how when we run multiple iterations of Bcrypt for the same string, a different hash is generated each time.

Bcrypt and other complex hashes use a method to add a “salt” to the data you want to encrypt. A salt is a short, random assortment of characters appended to the end of your input so that when run through the hashing algorithm, you receive a different output every time. This renders the rainbow tables and dictionary attacks useless. This salt is unknown by the user, but if we wanted to, we are able to view the salt generated with the code below:

Try plugging this in the rainbow table! $2a$12$wyVKnRdbLIRsqaDGHpPgXuNarmEf4BgSrQQOx/LKfnC7rWzk5RU0e

One final point about Bcrypt compared to other hashing algorithms is that it is a “slow” hashing method. Essentially it takes more time to brute force the password with a slow hashing algorithm than a fast one. To the user, it may take 100 milliseconds to login (slow) instead of 0.1 ms (fast), but it might take a hacker 3000 days instead of 3 days to brute force the hashing method, and require much more computing power. This makes it unreasonable in most cases.

There is a side case against Bcrypt, and that is using a FPGA to access the passwords. If you would like to read further into this, please read here.

Photo by Bermix Studio on Unsplash

Other Hashing Algorithms/ Cryptocurrencies

Cryptocurrencies use hashing to secure their transactions. The most popular cryptocurrency, Bitcoin, uses SHA-256 (Secure Hashing Algorithm 256) hashing to compute and verify transactions. The biggest reasons for this are that SHA-256 has a quick computation time, and it is incredibly “one way”. Sure, you could use brute force to determine the inputted value, but you are looking at 2²⁵⁶ different computations! Even if you crack the code halfway through, you’re still looking at 2²⁵⁵ combinations. I will dive deeper into cryptocurrency hashing in a later blog, it’s something I have always wanted to explore.