Tuesday, December 11, 2012

Introducing the Crypto Module

Introduction

With the release of Real Studio 2012r2, we can take the wraps off our new Crypto module. This module provides access to the additional hashing algorithms SHA-1, SHA-256, and SHA-512, as well as the keyed hash construction HMAC and the password-based key derivation function PBKDF2.

The language reference for the Crypto module is available at http://docs.realsoftware.com/index.php/Crypto, but I'll give you an overview of everything it does right here.

Simple Hashing

The Crypto.Hash function provides the simplest form of hashing. You pass in a MemoryBlock and any of the Crypto.Algorithm values, and get back the binary hash. For users familiar with our MD5 function, Crypto.Hash("password", Crypto.Algorithm.MD5) and MD5("password") return identical results.

There are also convenience functions Crypto.MD5, Crypto.SHA1, Crypto.SHA256, and Crypto.SHA512, if you don't need the flexibility the Crypto.Hash function provides.

Hash-Based Message Authentication Code (HMAC)

Crypto.HMAC works much like Crypto.Hash, except that it requires one additional parameter: a key. HMAC is a keyed construction: it wraps the hash so that the result depends on the key in a way that cannot be forged or extended without knowing it. A plain H(key + message) does not guarantee that; with MD5, SHA-1 or SHA-256 a length-extension attack lets an attacker append data to the message and produce a valid hash without ever learning the key. A very common use of HMAC in password storage is to treat the per-user "salt" as the key. Rather than simply applying the salt to the beginning or end of the password before sending it to MD5, you pass the salt as the key and the password as the message.

For example, this code:

Const Password = "password"
Const Key = "key"

Dim PlainHash As String = EncodeHex(Crypto.Hash(Key + Password,Crypto.Algorithm.MD5))
Dim HMACHash As String = EncodeHex(Crypto.HMAC(Key,Password,Crypto.Algorithm.MD5))

Results in

PlainHash = 084201E2889684A768A54EA3B0E05D6D
HMACHash = A95669C550C0C9CC91EF29A91873CA4F

To a human, those results appear very similar, and to a brute-force attacker they cost about the same: each is one or two MD5 computations, so a guessed password can be checked against either at roughly the same rate (compare the timings below). What HMAC buys you is the keyed construction itself. When the key is a secret rather than a stored salt, the result is a genuine message authentication code, which a plain prefix hash built on MD5 or SHA-1 is not.
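The construction behind Crypto.HMAC, written out from its definition so you can see what the key actually does. This is an added Python example, not Real Studio code or part of the original post: the Crypto.HMAC(key, data, algorithm) call corresponds to hmac.new here, and the "PlainHash" of the post corresponds to prefix_hash. The key and password values are the post's constants; the RFC 2104 ipad/opad constants and the block-size handling are the standard ones.

```python
"""HMAC built from its RFC 2104 definition, next to the prefix hash it replaces.
Added example (Python), not Real Studio code."""
import hashlib
import hmac


def hmac_from_definition(key: bytes, message: bytes, hash_name: str = "md5") -> bytes:
    """HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m)).

    K' is the key padded with zero bytes to the hash's block size; a key
    longer than one block is first replaced by its own hash.
    """
    block_size = hashlib.new(hash_name).block_size  # 64 for MD5/SHA-1/SHA-256, 128 for SHA-512
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    padded = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in padded)
    opad = bytes(b ^ 0x5C for b in padded)
    inner = hashlib.new(hash_name, ipad + message).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def prefix_hash(key: bytes, message: bytes, hash_name: str = "md5") -> bytes:
    """The post's PlainHash: H(key || message). For MD5, SHA-1 and SHA-256 this
    shape is length-extendable, which is the problem HMAC was designed to fix."""
    return hashlib.new(hash_name, key + message).digest()


def library_hmac(key: bytes, message: bytes, hash_name: str = "md5") -> bytes:
    """The same computation via the standard library (the analogue of Crypto.HMAC)."""
    return hmac.new(key, message, hash_name).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes, hash_name: str = "md5") -> bool:
    """Check a received HMAC. compare_digest takes the same time regardless of
    where the first differing byte is; a plain == would leak that via timing."""
    return hmac.compare_digest(library_hmac(key, message, hash_name), tag)


if __name__ == "__main__":
    key, password = b"key", b"password"  # the post's constants
    print("PlainHash =", prefix_hash(key, password).hex().upper())
    print("HMACHash  =", library_hmac(key, password).hex().upper())
    assert hmac_from_definition(key, password) == library_hmac(key, password)
```

The hand-written version exists only to make the two nested hashes visible; in real code use the library call, and always compare tags with a constant-time comparison rather than string equality.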

Password-Based Key Derivation Function 2 (PBKDF2)

Building upon HMAC, PBKDF2 is more secure still, simply because it is much slower; in fact, it is as slow as you want it to be. The Crypto.PBKDF2 function adds two parameters: Iterations and Length. Iterations is the number of times the function loops over the HMAC, so the greater the iterations, the slower the function. Length is the number of bytes of output you want; requesting more bytes than the underlying hash produces costs another full round of Iterations for each extra block.

Following up on the earlier example, we can run the same values through PBKDF2 at 1,000 iterations and retrieve a 16 byte hash. MD5 is kept here to match the earlier example; for new code, pass one of the SHA-2 values of Crypto.Algorithm instead:

Dim PBKDF2Hash As String = EncodeHex(Crypto.PBKDF2(Key,Password,1000,16,Crypto.Algorithm.MD5))

Produces the hash 1C0792068A80FD07931CD4A86C001D27

Now here's the beauty of PBKDF2. On my machine, the plain MD5 hash took 0.02ms. The HMAC-MD5 hash took 0.03ms. The PBKDF2-MD5 took 1.22ms. This means my computer could brute force the HMAC-MD5 at a rate of about 30,000 hashes per second, but the PBKDF2 at only about 1,000 hashes per second. Every computer is different, of course, and an attacker's cracking code will run far faster than this on either. But the ratio is what matters: being 30 times slower per guess is still quite valuable, and since PBKDF2 performs one HMAC per iteration, optimized code sees a slowdown closer to the iteration count itself (the 30x measured here includes per-call overhead that dominates the tiny HMAC-MD5 timing). 1,000 iterations is a low starting point; choose the largest Iterations value whose delay is acceptable at login, and store the count alongside the salt so you can raise it later.
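What the Iterations and Length parameters do inside PBKDF2, and the store/verify flow a login system builds around it, including the random salt a comment below asks for. This is an added Python example, not Real Studio code or part of the original post: pbkdf2 here is the RFC 2898 loop written out (Crypto.PBKDF2 takes the salt first, then the data, then iterations, length and algorithm), hash_password/verify_password use the standard library's pbkdf2_hmac with SHA-256, and the "pbkdf2_sha256$iterations$salt$hash" storage format and the 100,000 default are choices of this example, not anything the post specifies.

```python
"""PBKDF2 from its definition, plus salted password storage and verification.
Added example (Python), not Real Studio code."""
import hashlib
import hmac
import os
import time


def pbkdf2(password: bytes, salt: bytes, iterations: int, dk_len: int, hash_name: str = "sha256") -> bytes:
    """PBKDF2 (RFC 2898 section 5.2) with HMAC-<hash_name> as the PRF.

    Output block i is T_i = U_1 xor U_2 xor ... xor U_c, where
        U_1 = PRF(password, salt || INT_32BE(i)) and U_j = PRF(password, U_{j-1}),
    so `iterations` (c) is exactly the number of HMAC calls per block: the inner
    loop below is the knob that makes the function as slow as you want.
    """
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    out = bytearray()
    block_index = 1
    while len(out) < dk_len:  # every extra block costs a full c iterations
        u = hmac.new(password, salt + block_index.to_bytes(4, "big"), hash_name).digest()
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hash_name).digest()
            for k, byte in enumerate(u):
                t[k] ^= byte
        out += t
        block_index += 1
    return bytes(out[:dk_len])


def matches_stdlib(password: bytes, salt: bytes, iterations: int, dk_len: int, hash_name: str = "sha256") -> bool:
    """Cross-check the hand-written loop against hashlib.pbkdf2_hmac."""
    return pbkdf2(password, salt, iterations, dk_len, hash_name) == hashlib.pbkdf2_hmac(
        hash_name, password, salt, iterations, dk_len)


def hash_password(password: str, iterations: int = 100_000, salt_len: int = 16) -> str:
    """Hash for storage: a fresh random salt per user, with the iteration count
    and salt kept next to the hash so both can be read back at verify time.
    The storage format is this example's own choice."""
    salt = os.urandom(salt_len)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, 32)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), dk.hex())


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored parameters and compare in constant time."""
    try:
        scheme, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations), 32)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def calibrate_iterations(target_seconds: float = 0.25, probe: int = 10_000) -> int:
    """Estimate the iteration count that makes one derivation take about
    target_seconds on this machine, by timing a probe run; PBKDF2 cost is
    linear in the iteration count."""
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"password", b"0123456789abcdef", probe, 32)
    elapsed = max(time.perf_counter() - t0, 1e-6)
    return max(probe, int(probe * target_seconds / elapsed))


if __name__ == "__main__":
    stored = hash_password("password")
    print(stored)
    print("verify ok:", verify_password("password", stored))
    print("iterations for ~250 ms on this machine:", calibrate_iterations())
```

Keeping the iteration count in the stored string is what lets you raise it later without invalidating existing accounts: verify with the old count, then re-hash with the new one on a successful login.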

6 comments:

Andrew said...

Wouldn't HMAC-MD5 be only 30 times slower than PBKDF2 rather than 30,000?

Thom McGrath said...

Haha, you're right Andrew. That's why I'm an engineer and not a tech writer! I've updated the article.

Gerard said...

Which option would you recommend for reversible encryption.

Thom McGrath said...

Gerard, our Crypto module does not currently provide any reversible encryption routines.

For reversible encryption, I would use AES128 or AES256. You can use the OpenSSL command line tools to do this on Mac and Linux; they're installed by default. If you need Windows support, there are third party plugins.

Mike Faulkner said...

Gerard, you can use our FREE Blowfish encryption module (includes all source code) which is located at:

www.skydancerstudios.com

Feel free to use it for any project!

- Mike

Chris said...

A random salt generator would be nice. Simply pass the required length. It would be simple to generate with the current random class I know but maybe I am lazy...