Page 30«..1020..29303132..4050..»

Internet Security Administrator: Job Description and Requirements

Learn about the education and preparation needed to become a Internet security administrator. Get a quick view of the requirements as well as details about schooling, job duties and certification to find out if this is the career for you.

Internet security administrators are the security professionals who specialize in protecting businesses from cyber attacks on their computer systems from hackers and viruses. They will typically have a bachelor’s degree in information technology or computer science though their background in computer security is equally important. With businesses becoming more and more reliant on computer technology, the need for internet security administrators are on the rise with an expected growth rate of 18 percent for the next decade.

Internet security administrators are responsible for protecting computer systems against attack. Due to an increasing number of cyber attacks on computer systems, this industry has grown, and Internet security administrators are in higher demand. Although most security administrators hold bachelor’s degrees, in this field, a combination of professional experience, knowledge of internet and network systems, and industry certifications often outweigh formal education credentials.

Source: *U.S. Bureau of Labor Statistics

Find schools that offer these popular programs

More Programs

Internet security administrators are also known as computer security specialists, network security analysts or Internet security specialists. The security administrator handles all aspects of information security. They teach others about computer security, check for security violations, install protection software and take action against cyber attacks. In some cases, an Internet security administrator may provide evidence of a cyber attack to prosecute individuals for breaching security.

Security administrators are known for their communication skills, as well as their ability to detect and analyze problems. Once a problem is detected, Internet security administrators are expected to quickly and accurately find a solution.

Most Internet security administrators work full-time. They are sometimes asked to work on-call in case of an emergency. Since data security threats continue to be of concern, employment opportunities for information security analysts are expected to grow a faster-than-average 18% from 2014-2024, according to the U.S. Bureau of Labor Statistics (BLS). The BLS further states that most of these professionals made between $51,280 and $143,770 per year in 2015.

Usually Internet security administrator positions require a bachelor’s degree, but not necessarily in a related field. Common majors found in the field may include information technology, computer science and information systems. Although a bachelor’s degree is beneficial, some employers may not require one. Many employers may find work experience and certification sufficient for many entry-level positions.

Certification is viewed as an industry standard. Internet security administrators are expected to stay up-to-date with current technology, so continuing education is also important. Individuals can find certification and continuing education courses on a variety of topics including:

Internet security administrators are security professionals who specialize in providing companies guidance on their internal security procedures and detect any weaknesses in their computer network that make them vulnerable to cyber attacks. While there are degrees offered in information technology and information systems, interested individuals who can also pursue certifications that keep them up-to-date with current technology. This is a growing industry where those employed can earn a possible salary anywhere between $51,280 to $143,770 a year.

Read more here:
Internet Security Administrator: Job Description and Requirements

Read More..

Top 10 Cheap Antivirus and Internet Security Protection for …

written by: Donna Buenaventuraedited by: Aaron R.updated: 11/30/2010

An ideal antivirus and Internet security package should not only offer good protection against malware but should also meet your budget. Homes and offices often have more than one computers, so it’s a good idea to find the best cheap antivirus and Internet security programs available.

Never buy antivirus or Internet security programs that are too expensive, because there’s plenty of cheap antivirus and Internet security software to consider. Free security software is unbeatable, but some home or office users prefer using commercial Internet security solutions. That is because paid security software includes almost complete protection and maintenance tools.

Internet security suites do not only offer protection against viruses, Trojans, worms, adware, spyware, rootkit, potentially unwanted programs (PUPs) and other malware, but also provide two-way firewall protection, anti-spam, e-mail scanners and identity protection. Some security vendors also offers free online backup.

I’ve compared the prices of several antivirus and Internet security program of 2010 and 2011 below. Take a look at the list of cheap antivirus and Internet security to see your options.

Below are the top 5 inexpensive security software packages for 3 PCs that you should consider evaluating before purchasing. Read the reviews by Bright Hub writers to learn more about the product features.

The top 5 cheap Internet security software for a single computer are provided by the following vendors:

Note that all of the above Internet security program provide good protection and have received certifications from several antivirus testing laboratories.

There’s also cheap antivirus programs to check out, if you prefer using standalone virus protection for Windows without limitations on functionality:

NOD32, Avira AntiVir, BitDefender, Norton Antivirus and Kaspersky often received a high or advanced rating in malware testing reports. Avast is a powerful antivirus and its’ boot-time scan is a plus when cleaning malware. Note only that Kaspersky antivirus is known to use a lot of memory during a scan. Norton Antivirus seldom provides false detection which is why it’s one of the favorites for home users.

Remember to check the product information at the vendors’ website for the latest information. Also, don’t forget that the price should not matter, if you want to secure important data and valuable information from hackers and malware.

Image credits: US Dollar symbol By Rugby471 (Own work)[see page for license], via Wikimedia Commons. Screenshots taken by the author.

Excerpt from:
Top 10 Cheap Antivirus and Internet Security Protection for …

Read More..

Best Antivirus Software, Internet Security & Malware Removal

Computer Virus, Malware, Spyware and Adware: Whats the Difference?

Viruses, spyware, and adware are all malware with distinct differences. All of them do damage to legitimate computer users but they fall into different categories depending on the intent of their attack.

Viruses are a bit of malicious code that is secretly included in an application you decide to download. It replicates itself to infect other computers. Eventually, the virus is activated for its purpose: deleting important files, corrupting information, or randomly shutting off your computer.

Spyware is malicious software that gets installed without the user even knowing about it. This is usually the most dangerous form of attack. It invades your internet security to find sensitive information from your computer and sell it for a price on the black market.

Adware, on the other hand, is a unique form of software specifically written to produce popup ads. The popups can start as the user uses a certain application, when they visit a particular website online, or simply as soon as they boot up their computer. The most deceptive form of adware shows a popup telling the user their computer is infected and that they need to install antivirus software.

Computers and the internet are now almost a necessity in every day life. We email and chat with friends and family far away. We watch our favorite shows or how to videos to troubleshoot a problem. A lot of us even bank or shop online.

Whenever youve connected to the internet, you are opening up your private information to the world. Once online, computer viruses and malware find ways to infect your computer without your knowledge. Antivirus software provides the best virus protection and will remove any malware found on your computer.

You might already know that Microsoft Windows includes a basic form of antivirus. If you have Microsoft Windows 7 or earlier, you can download Microsoft Security Essentials, which will provide some basic protection against viruses, spyware and other malicious software. Microsoft Security Essentials are upgraded and renamed to Windows Defender in Microsoft Windows 8 and later. For example, the standard antivirus for Windows 10 is Windows Defender.

The bottom line is that Microsoft Security Essentials and Windows Defender are free and does a reasonable job. But being free has limitations too. Support is limited (if any at all) and might not catch the very latest cyber threats. If the files on your computer are important (e.g. work documents, cherish family pictures, etc) we recommend that you pay for the best antivirus software. That way youll get the up-to-date protection to keep you safe.

Go here to see the original:
Best Antivirus Software, Internet Security & Malware Removal

Read More..

Download AVG Internet Security Unlimited –

AVG Internet SecurityUnlimited is an essential suite of security tools that builds upon the powerful AVG AntiVirus FREE. Not only can it detect and remove viruses on your PC, but it also provides protection for an unlimited amount of computers, tablets, and phones. In fact, one subscription covers every device in your family to keep you all protected, all the time.

The app is able to block infected links as you browse, checks files before you download them, and help you protect your personal data online and on your PC with an enhanced set of privacy features.

Key features include:

AVG Internet SecurityUnlimited now has a fresh, clean design with an intuitive feel to it. It comes with a solid firewall, which is not included in AVG AntiVirus FREE, a smart anti-phishing filter and a robust antivirus engine.

The great thing about AVG Internet SecurityUnlimited is that whenever the suite encounters an unknown threat, AVG then quickly analyze it, creates a cure and then pushes it out to millions of users, so everyone is better protected. All security updates are automatically pushed to you, along with any new features, to always keep you as up-to-date as possible.

AVG Internet SecurityUnlimited is able to be installed on every computer you have, in order to protect the whole family at no extra cost. The app also includes advanced AVG AntiVirus PRO app that can protect unlimited Android phones and tablets as well.

Overall, AVG Internet SecurityUnlimited has a low impact on system resources, is intuitive to use and has a simplified design. This coupled with free online support, and a robust cloud-based threat detection method, makes AVG Internet SecurityUnlimited a superb security suite to have installed on your home system(s).

Read the original post:
Download AVG Internet Security Unlimited –

Read More..

Norton Internet Security –

Norton Security represents Symantec’s next step in terms of PC safety and malware prevention.It is a different product than Norton Internet Security, as Norton Security offers multi-device protection and secure backup features. For those unfamiliarized with Norton, the software utility is designed to prevent, identify and remove files infected with viruses, Trojans, worms, rootkits and other kinds of malicious traces, in addition to some safety measures concerning online navigation.

Setting up Security should be a fast and painless task to any user, since the tool is not flexible when it comes to handpicking the components; everything is installed by default.

Sharing its look with Norton AntiVirus, Security’s interface is mostly user-friendly, although some of its options could have been better put together. Most security modules can be activated and deactivated with one click, as well as configured in detailed by advanced users. Terminology could be an issue in some cases, since Norton adopts unique names to describe proprietary technologies.

Settings may be customized in detail for Norton Security by defining the scanning scope, such as compressed files, rootkits and stealth items, network drives, heuristics protection, low-risk threats, tracking cookies, scan scheduler, file and virus signature exclusions, and so on.

The real-time protection module has all components turned on by default. Norton is able to prevent spyware from infiltrating into the system while keeping an eye out for suspicious removable media devices and network locations. It can also scan Windows autostart entries at every boot sequence and hide notifications to let users carry on with normal PC activity without any intrusions.

All traffic between the computer and other systems can be temporarily blocked, while intrusion signatures can be customized to give passes to any items. The application monitors incoming and outgoing messages in email clients, and also features a personal firewall for network traffic, apps with tailored Internet access rules, and so on.

Online navigation is ensured by Norton, since it oversees web addresses and notifies users on malware-infected or suspicious links. It also keeps track of downloaded files and includes an identity safe to hold all confidential data in one place (e.g. autofill forms, credit card info). What’s more, users are protected from phishing websites whose purpose is to steal transactional data.

Thanks to the cloud technology used, Norton Security finishes scan jobs faster than many other av products. It is mostly successful concerning identified and removed malware files, and regularly receives virus definition updates. CPU and RAM consumption is generally low. Although less experienced users are likely to get lost in translation when trying to figure our each features, advanced ones will probably find Norton Security worthwhile.

Originally posted here:
Norton Internet Security –

Read More..

Internet Security – Cisco

The unprecedented connectivity of the Internet age has led to enormous social and economic benefits, but has also introduced numerous new challenges. In a fully connected world, Internet security threats continue to evolve, keeping ahead of the most advanced defenses.


Network-based security threats have led to widespread identity theft and financial fraud. Spam, viruses, and spyware cause significant problems for consumers and businesses. A security breach may irreparably damage a company’s brand or reputation. In the United States, Internet security issues threaten to slow the national adoption of electronic medical records. In the European Union, consumer confidence regarding Internet security and data protection is a barrier to the more rapid expansion of e-commerce across member state borders.

Todays information attacks are a profitable business enterprise and are often controlled by organized crime syndicates. A growing number of sophisticated cybercrime business models, including the emergence of criminal enterprises, are built around selling tools and services for launching network attacks, rather than simply selling information gained from attacks.

Internet security technology continues to advance, changing from passive, point product-based to active, end-to-end approaches to recognition, containment, and quarantine. In addition, Internet Service Providers (ISPs) are competing on security and consumer ISPs offer Internet security as part of their service.

Policy makers around the world are focused on the state of the information infrastructure. Policy makers want to ensure that users of networks employ the best technology and process practices to make networks as secure as possible. Governments and businesses continually update their strategies to prevent attacks, and public-private partnerships have been formed to develop voluntary, market-based approaches to security.

Ciscos Position

Cisco believes that governments can help decrease Internet security threats by:

Cisco does not believe that governments should regulate security. In general, regulation:

For more information please visit: Security

See the article here:
Internet Security – Cisco

Read More..

Doug H. – Boston Cloud Computing Meetup (Boston, MA) | Meetup

Today’s corporate officers and IT technologists are literally deluged with marketing hype over cloud, and the economic advantages of migrating business and IT functions and applications to the cloud.

We have seen corporate giants like NetFlix and Sabre (global reservation system used by major airline carriers) experience cloud-based system outages, causing customer delays and significantly impacting business not just in the US, but impacted globally in the case of Sabre.

There are hundreds of cloud providers to choose from in the market today. Not all are enterprise ready, despite their claims. And let’s face it, many have paid or biased positioning in leading independent studies released by highly respected IT research companies.

How does a CIO or CTO, and today’s CEO, tasked to identify the essential drivers of a business, navigate? Leading independent think tanks (Gartner, Aberdeen, IDC, etc) are not fully equipped to provide battle-tested and deep thorough analysis regarding the critical issues of cloud security, network throughput, reliability and ROI when it comes to enterprise grade customers. Researchers can only convey what they read and disseminate their opinions, not facts. Gartner (NYSE:IT) even has in its disclaimer that all analysis is “opinion and not based on facts.”

It’s time that we get real answers and share actual experiences from companies who are using enterprise grade cloud and from true technologists that has the experience and credentials to provide an unbiased roadmap.

GOAL: We create leaner, more efficient companies that is secure, reliable and has the ROI to start training our current employees, and bringing jobs back to the US workforce.

Continue reading here:
Doug H. – Boston Cloud Computing Meetup (Boston, MA) | Meetup

Read More..

Cloud computing at Ifes, IFs, and hospitals | RNP

In the second session on cloud computing of the III RNP Forum, representatives from hospitals and Federal Institutes of Higher Education (Institutos Federais de Ensino Superior – IFES) and of Education, Science and Technology (IFs) spoke about what they expect from cloud computing resources.

The Federal University of Rio de Janeiro (UFRJ) Professor and Superintendent of Information Technology and Communication Gabriel Pereira da Silva expressed the universities desire. We want a cloud that will solve all our problems, where we can put all our systems.

One of the cloud applications that UFRJ offers to its community is the OJS, the electronic journal service provider, to meet the search area. For Gabriel, the Capes (Coordination of Improvement of Higher Education Personnel) Journals Portal is an important element for the community, but forgets the national production of increasingly electronic research and journals. Therefore, we offer the OJS, he said.

Carlos Thiago Garantizado, from the Federal Institute of Amazonas (IFAM), showed the IFs perspective in deploying services and cloud applications. We work with infrastructure, platform, and service. The biggest challenge is to provide security. Not only to provide it, but to transmit this security to the user, he affirmed.

When submitting a SWOT matrix of cloud deployment in IFs, he highlighted as a help for the institutes integration, the Federate Academic Community (CAFe) service and the technical expertise of the teams.

Moderated by Adenilson Raniery Pontes, from the Par Museum Emilio Goeldi (MPEG), the panel also included the participation of Marco Antonio Gutierrez, who heads the Computer Service and the Medical Informatics Laboratory of the Heart Institute (Instituto do Corao – Incor).

Gutierrez noted that health information systems must be made available very quickly. According to him, the hospital area, open cloud solutions cannot be used. We need to ensure the information confidentiality and secrecy.

At the end of his speech, the officer explained the economic constraints of healthcare industry regarding cloud computing. The investment in technology within hospitals is still seen as a cost and not as an investment. Therefore, we cannot evolve into private cloud solutions due to financial issues, he stated.

Read the original here:
Cloud computing at Ifes, IFs, and hospitals | RNP

Read More..

MobileCoin: A New Cryptocurrency From Signal Creator Moxie …

In the early bitcoin years, proponents promised that you would soon be able to pay for anything and everything with cryptocurrency. Order pizza! Buy Etsy trinkets! Use a bitcoin ATM! While PayPal had existed for more than a decade, frictionless, social payment platforms like Venmo were just first taking off, and cryptocurrency seemed like a legitimate way for digital transactions to evolve.

It didn’t happen. Cryptocurrency remains confusing and challenging for the average person to acquire and manage, much less sell. And the protocols that underlie bitcoin and other mainstream cryptocurrencies like ethereum suffer significant scalability and transaction bottleneck issues. Visa currently processes about 3,674 transactions per second; the best bitcoin network might be able to process seven per second.

But now the creator of the dead simple end-to-end encrypted messaging app Signal, Moxie Marlinspike, is on a mission to overcome those limitations, and to create a streamlined digital currency that’s private, easy-to-use, and allows for quick transactions from any device. And while it may feel like the last thing the world needs is yet another cryptocurrency, Marlinspike’s track record with Signaland the organization behind it, Open Whisper Systemsmakes this a project worth watching.

The currency Marlinspike has been working on as technical advisor for the last four months, alongside technologist Joshua Goldbard, is MobileCoin. The two based it on the open-source Stellar Consensus Protocols platform, an alternative payment network that underlies systems like an inter-bank payment network run by IBM in the South Pacific, and the low-fee international money transfer service Tempo in Europe.

‘Usability is the biggest challenge with cryptocurrency today.’

Signal Creator Moxie Marlinspike

The Stellar blockchain is also generally regarded as being faster and more efficient than its predecessors; On Wednesday, the mobile messaging service Kik announced that it will move its Kin cryptocurrency platform from Ethereum to Stellar. “We’ve been using Ethereum to date, and to be honest I call it the dial-up era of blockchain,” CEO Ted Livingston said.

MobileCoin wants to leverage an extensive architecture to add simplicity to real privacy protections and resilience against attacks. The ultimate goal: To make MobileCoin as intuitive as any other payment system.

That vision mirrors the animating purpose of Signal, which was developed to make robust end-to-end encrypted communication as easy and straightforward as less secure options, a simple experience that belies the complex cryptographic communication protocols that enable it.

“I think usability is the biggest challenge with cryptocurrency today,” says Marlinspike. “The innovations I want to see are ones that make cryptocurrency deployable in normal environments, without sacrificing the properties that distinguish cryptocurrency from existing payment mechanisms.”

Usability efforts for older generation cryptocurrency protocols, like bitcoin, have largely been left to services like Coinbase, which centralize everything from currency exchange to your wallet, key management, and processing transactions. These platforms make actually using cryptocurrency more realistic for the average person, but they also consolidate mechanisms that are meant to be kept separate in the private and decentralized concept of cryptocurrency. They generally detail extensive privacy and security protections, but they do require users to trust both their intentions and implementation.

By contrast, the idea of MobileCoin is to build a system that hides everything from everyone, leaving fewer (or theoretically no) opportunities for abuse.

Ideally, there would be a way to fix the structural problems of existing cryptocurrencies, rather than creating another new offering. But Marlinspike and Goldbard concluded that the only way to orient a cryptocurrency around user needs was to start from scratch, and architect everything with that “target user experience” in mind.

To that end, MobileCoin delegates all the complicated and processing-intensive work of participating in a blockchain ledger and validating transactions to nodesservers with constant connectivity that store and work on a fully updated copy of a currency’s blockchain. The nodes can then provide software services to users, like apps that seamlessly integrate easy and quick MobileCoin transactions. The nodes also handle key management for users, so the publicand particularly the privatenumeric sequences that encrypt each person’s transactions are stored and used by the node. But crucially MobileCoin is designed so the node operators can never directly access users’ private keys.

‘If you cant look at the ledger, how can you cheat it?’

Joshua Goldbard, MobileCoin

This is where the special features of MobileCoin come in. The currency is designed to utilize an Intel processor component known as Software Guard Extensions, or a “secure enclave.” SGX is a sequestered portion of a processor that runs code like any other, but the software inside it can’t be accessed or changed by a device’s broader operating system. Computers can still check that an enclave is running the right software to validate it before connecting, but neither MobileCoin users nor node administrators can decrypt and view the enclave.

For MobileCoin, the enclaves in all of the nodes of the network hide the currency’s indelible ledger from view. Users’ private keys are stored and shielded in the enclave, too.

“If you put the cryptocurrency inside of the secure enclave, then people can run the nodes without seeing whats happening inside them,” Goldbard says. “If you cant look at the ledger, how can you cheat it?”

Marlinspike first experimented with SGX for Signal as a workaround so users can find people they know on Signal through their address books without exposing all of that data.

Secure enclaves create some technical challenges, because they have limited processing capacity. But MobileCoin is designed with efficiency in mind. The system does as much data processing as possible outside the enclave, and only uses SGX for sensitive computing that needs to be shielded. And not needing to trust the nodesbecause sensitive data isn’t exposed on themmeans that more can happen off of a user’s device without sacrificing privacy, making transactions quick and easy on mobile devices.

“MobileCoin is designed to be deployable in normal resource-constrained environments like mobile devices, and to deliver a simple user experience along with privacy and security,” Marlinspike says. “The design gives you the benefits of server assistance without the downsides of having to trust a server to act appropriately and not be hacked.

The platform has other protections layered with SGX as well. Even if someone compromised a MobileCoin enclave and could view the transaction ledger, one-time addresses and special one-time signatures for each transaction would still prevent an attacker from being able to trace and link events. And a privacy bonus of the Stellar Consensus Protocol is that the nodes don’t need to store a full transaction history in the blockchain; they can discard most data after each payment is completed. These components make MobileCoin more resistant to surveillance, whether it’s coming from a government or a criminal who wants to track and extort users.

There are lots of potential applications for MobileCoin, but Goldbard and Marlinspike envision it first as an integration in chat apps like Signal or WhatsApp. Here’s how it would work in practice: To start using MobileCoin, you would generate a public and private key, and a recovery PIN. Then you would set up your account with an app that incorporates MobileCoin. The app would validate the software running in its service’s node, establish an encrypted communication channel to the enclave, and then send your keys and the short, easy-to-remember recovery PIN that you’ll use to access your MobileCoinlike a smartphone lock passcode.

To send MobileCoin to your friend Brian within a service that both of you use, your app would look up his public key, generate a one-time key and signature to use for the transaction, and send the transaction to the app’s MobileCoin node. The node would sync and validate the transaction, update the ledger, and check the one-time key and signature to prevent spoofed double-spending. At this point Brian’s MobileCoin node would take over, receiving and validating the transaction and communicating with Brian’s app to generate the one-time private key that will allow Brian to receive the payment. And then Brian gets a notification that you paid him. The messaging app (or whatever service you’re both using) doubles as a wallet for each of you.

It’s a complicated process to wade through. The point of MobileCoin, though, is that you and Brian don’t have to worry about any of it. The complicated parts all take place in the background.

The MobileCoin site, where developers looking to adopt the cryptocurrency will ultimately be able to access the software development kit, currently houses a white paper describing how MobileCoin works in more detail. But Goldbard says that the currency is still six months to a year from release, while he and Marlinspike refine the platform to eliminate potential problems, like the possibility that secure enclaves can inadvertently leak data.

That means there are still plenty of questions to be answered, including one big one: whether MobileCoin will be able to cut through all the noise and hype of the cryptocurrency community to actually be adopted by mainstream apps that could put it in everyone’s hands. Currencies, after all, need a critical mass of people to not just be able to use them, but to agree on their worth.

And though speculation has driven bitcoin to all-time-high valuations, most cryptocurrencies don’t end up capturing much value, languishing instead in far-flung corners of the internet. Here again, though, MobileCoin’s creators hope to emulate Signal. End-to-end encryption was once a fringe feature; then WhatsApp gave it to a billion people at once using the Signal Protocol.

“Nobody actually transacts in cryptocurrency,” Goldbard says. “So making something that people can actually use is our first goal. And then we want to find additional ways that people can implement it over time. But initially all we want is to make it so people can actually complete transactions.”

If it works, the project will give hope to people who once believed cryptocurrency could truly replace cash in modern societyeven if you’re only buying a pizza.

See original here:
MobileCoin: A New Cryptocurrency From Signal Creator Moxie …

Read More..

security – Fundamental difference between Hashing and …

Well, you could look it up in Wikipedia… But since you want an explanation, I’ll do my best here:

They provide a mapping between an arbitrary length input, and a (usually) fixed length (or smaller length) output. It can be anything from a simple crc32, to a full blown cryptographic hash function such as MD5 or SHA1/2/256/512. The point is that there’s a one-way mapping going on. It’s always a many:1 mapping (meaning there will always be collisions) since every function produces a smaller output than it’s capable of inputting (If you feed every possible 1mb file into MD5, you’ll get a ton of collisions).

The reason they are hard (or impossible in practicality) to reverse is because of how they work internally. Most cryptographic hash functions iterate over the input set many times to produce the output. So if we look at each fixed length chunk of input (which is algorithm dependent), the hash function will call that the current state. It will then iterate over the state and change it to a new one and use that as feedback into itself (MD5 does this 64 times for each 512bit chunk of data). It then somehow combines the resultant states from all these iterations back together to form the resultant hash.

Now, if you wanted to decode the hash, you’d first need to figure out how to split the given hash into its iterated states (1 possibility for inputs smaller than the size of a chunk of data, many for larger inputs). Then you’d need to reverse the iteration for each state. Now, to explain why this is VERY hard, imagine trying to deduce a and b from the following formula: 10 = a + b. There are 10 positive combinations of a and b that can work. Now loop over that a bunch of times: tmp = a + b; a = b; b = tmp. For 64 iterations, you’d have over 10^64 possibilities to try. And that’s just a simple addition where some state is preserved from iteration to iteration. Real hash functions do a lot more than 1 operation (MD5 does about 15 operations on 4 state variables). And since the next iteration depends on the state of the previous and the previous is destroyed in creating the current state, it’s all but impossible to determine the input state that led to a given output state (for each iteration no less). Combine that, with the large number of possibilities involved, and decoding even an MD5 will take a near infinite (but not infinite) amount of resources. So many resources that it’s actually significantly cheaper to brute-force the hash if you have an idea of the size of the input (for smaller inputs) than it is to even try to decode the hash.

They provide a 1:1 mapping between an arbitrary length input and output. And they are always reversible. The important thing to note is that it’s reversible using some method. And it’s always 1:1 for a given key. Now, there are multiple input:key pairs that might generate the same output (in fact there usually are, depending on the encryption function). Good encrypted data is indistinguishable from random noise. This is different from a good hash output which is always of a consistent format.

Use a hash function when you want to compare a value but can’t store the plain representation (for any number of reasons). Passwords should fit this use-case very well since you don’t want to store them plain-text for security reasons (and shouldn’t). But what if you wanted to check a filesystem for pirated music files? It would be impractical to store 3 mb per music file. So instead, take the hash of the file, and store that (md5 would store 16 bytes instead of 3mb). That way, you just hash each file and compare to the stored database of hashes (This doesn’t work as well in practice because of re-encoding, changing file headers, etc, but it’s an example use-case).

Use a hash function when you’re checking validity of input data. That’s what they are designed for. If you have 2 pieces of input, and want to check to see if they are the same, run both through a hash function. The probability of a collision is astronomically low for small input sizes (assuming a good hash function). That’s why it’s recommended for passwords. For passwords up to 32 characters, md5 has 4 times the output space. SHA1 has 6 times the output space (approximately). SHA512 has about 16 times the output space. You don’t really care what the password was, you care if it’s the same as the one that was stored. That’s why you should use hashes for passwords.

Use encryption whenever you need to get the input data back out. Notice the word need. If you’re storing credit card numbers, you need to get them back out at some point, but don’t want to store them plain text. So instead, store the encrypted version and keep the key as safe as possible.

Hash functions are also great for signing data. For example, if you’re using HMAC, you sign a piece of data by taking a hash of the data concatenated with a known but not transmitted value (a secret value). So, you send the plain-text and the HMAC hash. Then, the receiver simply hashes the submitted data with the known value and checks to see if it matches the transmitted HMAC. If it’s the same, you know it wasn’t tampered with by a party without the secret value. This is commonly used in secure cookie systems by HTTP frameworks, as well as in message transmission of data over HTTP where you want some assurance of integrity in the data.

A key feature of cryptographic hash functions is that they should be very fast to create, and very difficult/slow to reverse (so much so that it’s practically impossible). This poses a problem with passwords. If you store sha512(password), you’re not doing a thing to guard against rainbow tables or brute force attacks. Remember, the hash function was designed for speed. So it’s trivial for an attacker to just run a dictionary through the hash function and test each result.

Adding a salt helps matters since it adds a bit of unknown data to the hash. So instead of finding anything that matches md5(foo), they need to find something that when added to the known salt produces md5(foo.salt) (which is very much harder to do). But it still doesn’t solve the speed problem since if they know the salt it’s just a matter of running the dictionary through.

So, there are ways of dealing with this. One popular method is called key strengthening (or key stretching). Basically, you iterate over a hash many times (thousands usually). This does two things. First, it slows down the runtime of the hashing algorithm significantly. Second, if implemented right (passing the input and salt back in on each iteration) actually increases the entropy (available space) for the output, reducing the chances of collisions. A trivial implementation is:

There are other, more standard implementations such as PBKDF2, BCrypt. But this technique is used by quite a few security related systems (such as PGP, WPA, Apache and OpenSSL).

The bottom line, hash(password) is not good enough. hash(password + salt) is better, but still not good enough… Use a stretched hash mechanism to produce your password hashes…

Do not under any circumstances feed the output of one hash directly back into the hash function:

The reason for this has to do with collisions. Remember that all hash functions have collisions because the possible output space (the number of possible outputs) is smaller than then input space. To see why, let’s look at what happens. To preface this, let’s make the assumption that there’s a 0.001% chance of collision from sha1() (it’s much lower in reality, but for demonstration purposes).

Now, hash1 has a probability of collision of 0.001%. But when we do the next hash2 = sha1(hash1);, all collisions of hash1 automatically become collisions of hash2. So now, we have hash1’s rate at 0.001%, and the 2nd sha1() call adds to that. So now, hash2 has a probability of collision of 0.002%. That’s twice as many chances! Each iteration will add another 0.001% chance of collision to the result. So, with 1000 iterations, the chance of collision jumped from a trivial 0.001% to 1%. Now, the degradation is linear, and the real probabilities are far smaller, but the effect is the same (an estimation of the chance of a single collision with md5 is about 1/(2128) or 1/(3×1038). While that seems small, thanks to the birthday attack it’s not really as small as it seems).

Instead, by re-appending the salt and password each time, you’re re-introducing data back into the hash function. So any collisions of any particular round are no longer collisions of the next round. So:

Has the same chance of collision as the native sha512 function. Which is what you want. Use that instead.

View post:
security – Fundamental difference between Hashing and …

Read More..