Many of us have heard of cryptography before, whether from implementing auth in Ruby on Rails, watching The Imitation Game, or hearing about cryptocurrency, but I wanted to dive a little deeper into what it is and how it works. I’ll begin with an overview of cryptography, and then look more closely at Bcrypt and how it uses different aspects of cryptography.
Historically, cryptography (literally “secret writing”) has been used for thousands of years to encrypt secret messages, whether conspirators are readying a coup, or Alan Turing is attempting to break the Enigma encryption during WWII. Now, it is one of the most common forms of computer security, with millions of secure transmissions occurring each day. Cryptography is used to keep banking transactions, health data, and cryptocurrency legitimate and safe.
For most of history, cryptography consisted of encrypting messages with a substitution, permutation, or columnar transposition cipher. Essentially these ciphers transposed one letter into another letter, and you needed a key to encrypt and decrypt. This worked very well until cryptographers and mathematicians became increasingly adept and could begin to decrypt these messages using statistics, based on the frequency of letters. The next step up in complexity was the German Enigma cipher, which used much more complex mechanisms to encrypt messages, including dynamic keys. It took much more effort to discover the key for this!
With the introduction of computers and computer science, these basic encryption techniques became incredibly simple to decrypt. There was a need for something more powerful...
Hashing is best described as a method of one-way encryption. Plaintext goes in, and a hash comes out. You cannot go back from a one-way hash without the original string. Complex mathematical functions ensure this stays true.
Bcrypt is a “slow” hashing algorithm used within Ruby on Rails to securely encrypt data. If our passwords were stored within the database in plaintext, then anybody would be able to see our passwords if the database were compromised. This is why passwords and other sensitive data must be encrypted before entering the database. Bcrypt uses a one-way function to encrypt your data, so with an input of “flatiron”, Bcrypt generates a complex output as the result. It is much easier to go in this one direction than the reverse, since it is a one-way function. These get pretty complex, so I will add some resources below to dive a little deeper. Below, I will go into some of the logic behind Bcrypt and its benefits over other hashing algorithms. I hope to give some insight into why Bcrypt works as it does.
Traditional hashing algorithms such as SHA1 or MD5 initially look like Bcrypt, but are far different. They take a string, such as the one above, and output the same hash for the same string every time. Although the output looks complex, hackers can use a method called the dictionary attack or rainbow table: run these hashing methods over a list of the most commonly used passwords, compile each password along with its hash, and match that list of hashes against the compromised list. A nefarious actor can then work backwards to determine the passwords. A popular website for this is Hashkiller.io. For example, try to crack this MD5 hash: 48bb6e862e54f2a795ffc4e541caed4d
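The following is an added example, not code from the original post. It shows why a deterministic, unsalted hash is exposed to one precomputed table, and why a per-user salt (explained further down) removes that exposure. The accounts, wordlist and helper names are constructed for illustration, and MD5 with an appended salt is only a stand-in to isolate the effect of the salt; it is still a fast hash and not how Bcrypt works internally.

```ruby
require "digest"
require "securerandom"

# Constructed sample data: three accounts, two of which share a password.
ACCOUNTS = {
  "alice" => "flatiron",
  "bob"   => "flatiron",
  "carol" => "correct-horse-battery-staple-42"
}.freeze

# Constructed wordlist standing in for a list of commonly used passwords.
WORDLIST = %w[password 123456 flatiron qwerty].freeze

# Precompute digest => word once. The same table works against every
# database that stores plain, unsalted MD5.
def build_table(words)
  words.to_h { |w| [Digest::MD5.hexdigest(w), w] }
end

# Unsalted storage: user => MD5(password).
def store_unsalted(accounts)
  accounts.transform_values { |pw| Digest::MD5.hexdigest(pw) }
end

# Salted storage: user => [salt, MD5(password + salt)], fresh salt per user.
def store_salted(accounts)
  accounts.transform_values do |pw|
    salt = SecureRandom.hex(16)
    [salt, Digest::MD5.hexdigest(pw + salt)]
  end
end

# Names of users whose stored digest appears in the precomputed table.
def exposed_users(digests, table)
  digests.select { |_user, digest| table.key?(digest) }.keys
end

TABLE          = build_table(WORDLIST)
UNSALTED       = store_unsalted(ACCOUNTS)
SALTED         = store_salted(ACCOUNTS)
SALTED_DIGESTS = SALTED.transform_values(&:last)

puts "unsalted, found in table: #{exposed_users(UNSALTED, TABLE).inspect}"
puts "salted, found in table:   #{exposed_users(SALTED_DIGESTS, TABLE).inspect}"
puts "same password, same digest (unsalted): #{UNSALTED['alice'] == UNSALTED['bob']}"
puts "same password, same digest (salted):   #{SALTED_DIGESTS['alice'] == SALTED_DIGESTS['bob']}"
```

With unsalted storage, both accounts using “flatiron” share one digest and fall to a single lookup; with a salt per user, the precomputed table matches nothing and identical passwords no longer look identical.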
Notice below how when we run multiple iterations of Bcrypt for the same string, a different hash is generated each time.
Bcrypt and other complex hashes use a method to add a “salt” to the data you want to encrypt. A salt is a short, random assortment of characters appended to the end of your input so that when run through the hashing algorithm, you receive a different output every time. This renders the rainbow tables and dictionary attacks useless. This salt is unknown to the user, but if we wanted to, we could view the salt generated with the code below:
Try plugging this in the rainbow table! $2a$12$wyVKnRdbLIRsqaDGHpPgXuNarmEf4BgSrQQOx/LKfnC7rWzk5RU0e
One final point about Bcrypt compared to other hashing algorithms is that it is a “slow” hashing method. Essentially, it takes more time to brute force the password with a slow hashing algorithm than a fast one. To the user, it may take 100 milliseconds to log in (slow) instead of 0.1 ms (fast), but it might take a hacker 3000 days instead of 3 days to brute force the hashing method, and require much more computing power. This makes brute forcing unreasonable in most cases.
There is a side case against Bcrypt, and that is using an FPGA to access the passwords. If you would like to read further into this, please read here.
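The Bcrypt string shown above carries both the salt and the “slowness” setting in plain sight, which is how a stored hash can be verified later. This added example (not part of the original post, and not the bcrypt gem's API) splits that string into its fields; `parse_bcrypt` and `work_ratio` are hypothetical helper names.

```ruby
# Layout of a bcrypt hash string:
#   $<version>$<cost>$<22-char salt><31-char digest>
BCRYPT_FORMAT =
  %r{\A\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})\z}

# Hypothetical helper: split a bcrypt hash string into its parts.
def parse_bcrypt(hash)
  m = BCRYPT_FORMAT.match(hash)
  raise ArgumentError, "not a bcrypt hash string" unless m

  cost = m[2].to_i
  raise ArgumentError, "cost must be between 4 and 31" unless (4..31).cover?(cost)

  {
    version: m[1],
    cost: cost,
    rounds: 2**cost, # key-setup iterations; each +1 in cost doubles the work
    salt: m[3],      # 128-bit salt in bcrypt's own base64 alphabet
    digest: m[4]     # 184-bit hash output
  }
end

# How many times more work one guess costs at new_cost than at old_cost.
def work_ratio(old_cost, new_cost)
  2**(new_cost - old_cost)
end

# The hash string quoted on this page.
PAGE_HASH = '$2a$12$wyVKnRdbLIRsqaDGHpPgXuNarmEf4BgSrQQOx/LKfnC7rWzk5RU0e'

parts = parse_bcrypt(PAGE_HASH)
puts "version: #{parts[:version]}"
puts "cost:    #{parts[:cost]} (#{parts[:rounds]} rounds)"
puts "salt:    #{parts[:salt]}"
puts "digest:  #{parts[:digest]}"
puts "cost 12 vs cost 10: #{work_ratio(10, 12)}x work per guess"
```

Because the salt and cost are stored with the digest, the server needs no separate salt column, and raising the cost for new hashes does not invalidate old ones.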
Other Hashing Algorithms / Cryptocurrencies
Some other hashing algorithms include SHA1, SHA256, SHA512 and SCRYPT. The SHA algorithms are fast hashes, which are bad for passwords, as hackers can brute force these much quicker than the slow SCRYPT and BCRYPT.
Cryptocurrencies use hashing to secure their transactions. The most popular cryptocurrency, Bitcoin, uses SHA-256 (Secure Hash Algorithm 256) hashing to compute and verify transactions. The biggest reasons for this are that SHA-256 has a quick computation time, and it is incredibly “one way”. Sure, you could use brute force to determine the inputted value, but you are looking at 2²⁵⁶ different computations! Even if you crack the code halfway through, you’re still looking at 2²⁵⁵ combinations. I will dive deeper into cryptocurrency hashing in a later blog; it’s something I have always wanted to explore.
What is the difference between bcrypt and SHA256?
TL;DR; SHA1, SHA256, and SHA512 are all fast hashes and are bad for passwords. SCRYPT and BCRYPT are both a slow hash…
Bcrypt password cracking extremely slow? Not if you are using hundreds of FPGAs!
Building custom FPGA-based hardware to crack bcrypt passwords.