SHA1 or MD5 for web applications - md5

A lot of people have recently started using SHA1 over MD5. I know that MD5 has its security flaws, but what other reasons are making SHA1 more popular lately?

SHA1 is also looking weak now. For new applications you might as well start with SHA-256.

Lower chance of collisions mostly. It's better in almost every way except backwards compatibility.

Related

Why don't we always use the best encryption technologies?

I'm currently exploring the safe aspects of Java. Of course, one of the first things I looked up was the whole decoding point.
Mentioned decryption technologies
After some time of studying I learned something about the following cryptography technologies:
MD5
SHA
PBKDF2WithHmacSHA1
Why am I asking this question?
I know that roughly speaking SHA1 is safer than MD5, with PBKDF2WithHmacSHA1 being the safest. But now I have to ask myself, why in some applications an encryption like MD5 or SHA1 is still used, whereas in this case PBKDF2WithHmacSHA1 is more secure? I am of course aware that the chance to take advantage of the best technology comes only in rare cases (reduction of brute force speed / risk of collision).
But in spite of everything the implementation time is a little bit longer and in return you get a more secure encryption.
My final question
In short, my question is why not all applications always use the best encryption technology, even if they don't necessarily need it? I mean the only drawback is that it takes a little bit longer to implement.
In addition
I don't think that the loss of speed is a reason, to not use the best encryption technologies.
The goal is to make the hash function slow enough to impede attacks, but still fast enough to not cause a noticeable delay for the user. From here
A couple of reasons come to my mind:
Lack of knowledge - one does not know enough about cryptography to write good code (should I choose PBKDF2WithHmacSHA1, PBKDF2WithHmacSHA512, bcrypt, Argon2?)
Legacy systems - hashed values can't be unhashed, thus hashed passwords can't be converted to new cryptography scheme
No library /available/supported/NIST compliant/ etc. by the operating system

Using PDDL or equivalent planning language/systems

I want to do some automatic story generation demonstration and the approach I am taking is using AI planning. I have been reading several relevant papers and have figured out that PDDL is perhaps the most widely used language to form the planning problem. I have been looking at the syntax and several example codes to learn how to use it.
The part where I am stuck is how to get the planner to work. I have found some popular planners (fast-forward, MBP, IPP) but am not able to make them work, even using the instructions from the sources themselves.
I am using Gnome Terminal on Ubuntu 13.04.
I am very new to planning and this may be a very naive question but I assure that I have been searching for more than 3-4 days without any luck. Also, suggestions on using some other planning system are welcome.
If you are using Linux then I strongly suggest to use Fast Downward (it has its own web page - just google it). First of all, it is currently one of the best-known planning systems in the AI planning community and, further, it is really easy to get it to run. Well, you still need half an hour or so, but there is an easy-to-follow step-by-step description telling you where to check out the code and which commands you need to run.
It has also implemented most of the known planning heuristics that are required to solve problems fast or even optimal (planning requires search and heuristics make the search "goal-oriented" rather than blind and, if the heuristic is admissible and/or monotone (depending on the kind of search algorithm that is chosen -- see fast forward and pddl: is the computed solution the best?), it guarantees to find optimal solutions).
Concerning literature, I suggest to read/skip through the following two journal articles:
Porteous, J.; Cavazza, M.; and Charles, F. 2010. Applying planning to interactive storytelling: Narrative control using state constraints. ACM Trans. Intell. Syst. Tech. 10:1-10:21.
http://dl.acm.org/citation.cfm?id=1869399
Patrik Haslum. "Narrative Planning: Compilations to Classical Planning". Journal of AI Research, vol. 44, p. 383-395, 2012
http://www.jair.org/papers/paper3602.html
Well, both MBP and IPP are really, really old systems. If you're just looking for a ready-made planner to use in an off-the-shelf manner, I'd suggest you to follow the pointers leading to the authors (and software) that took part in the last International Planning Competition (2011):
http://www.plg.inf.uc3m.es/ipc2011-deterministic/ParticipatingPlanners.html

What is the purpose of MD5 hashing if it can be easily cracked?

I understand that passwords should be encrypted in databases to protect them from hackers and people with bad intentions. But MD5 was renewed in 2005. Since then, hackers found the inverse hash function and a lot of websites can easily crack the MD5 hashed key, for example md5this.com, which was one of the first suggested on Google.
Shouldn't each web developer create their own hash functions so that the hackers can't retrieve the password if they get access to the database?
You shouldn't use MD5 hash for that reason anymore.
It provides some security just not enough to matter.
Each web developer should, but they don't have the time usually so sha1 usually does the trick...
Sha1 is susceptible to a brute force attack, but it would be very time consuming for most developers to come up with their own encryption pattern that isn't susceptible to brute force attacks.
Is SHA-1 secure for password storage?
If you feel like you have the algorithmic chops to create a workable hash function please do so. The best advice I've seen is to switch from MD5 to the latest SHA implementation, use a salt, and think about running several loops of encryption to force extra work on any crackers.
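The advice in this thread (a salt plus many iterations) and the legacy-system point raised in the earlier PBKDF2 thread, as an added Python example that is not from any of the posts: PBKDF2-HMAC-SHA256 with a per-password salt, and replacement of an unsalted MD5 record at the next successful login. The record layout, the iteration count and the function names are assumptions made for this sketch.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this sketch; tune per deployment

# Constructed legacy record in an assumed "md5$<hex>" layout (unsalted MD5).
LEGACY_SAMPLE = "md5$" + hashlib.md5(b"correct horse").hexdigest()


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing record: scheme$iterations$salt$digest."""
    salt = os.urandom(16)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Return (ok, record_to_store).

    A legacy MD5 record cannot be converted offline, so it is replaced on a
    successful login, the one moment the plaintext is available to re-hash.
    """
    scheme, _, rest = record.partition("$")
    if scheme == "md5":
        candidate = hashlib.md5(password.encode()).hexdigest()
        if hmac.compare_digest(candidate, rest):
            return True, hash_password(password)
        return False, record
    if scheme == "pbkdf2_sha256":
        iterations, salt_hex, digest_hex = rest.split("$")
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
        )
        ok = hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
        return ok, record
    return False, record  # unknown scheme: fail closed
```

The caller stores the returned record whenever it differs from the one it loaded.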

Middleware: Using C as the engine, Lua for Adapters...is this bad practice (Security risk)?

I am an integration consultant and tend to use C and Lua in my spare time, unfortunately it is not my day job ;-(
Anyway, I tend to believe that a mixture of C and Lua is perfect for many "product" developments. I currently have an "adapter engine" built in pure C, but would like to actually move the adapter code to Lua....
For example, coding an EMAIL adapter in Lua is far easier than in C...yet I like the "engine speed of C"....
But now there is the big question of security risk in that the user can potentially add whatever he or she wants to the Lua scripts in production.....obviously there we could CHMOD the files...but is that really secure?
Ideally I want the C / Lua combination here....but now do I literally embed the Lua code in the C application with a CHAR*....or do I issue a lua_dofile??
Thanks for the help
Lynton
First, one of the drawbacks to using C/Lua in production is it tends to be harder to find resources who can develop for these languages. C++ and JavaScript programmers are typically easier to find.
In terms of security, the key here is to use leading practices. Security is about risk reduction, there is no expectation one can achieve perfect security so you need to mitigate risk.
Here are my suggestions:
As with all middleware you need to use a hardened server. This is the first step, if the server is compromised using any platform you are in trouble. Middleware should NOT be in the DMZ.
You want to store the Lua code external to the compiled code (otherwise you lose the advantage of using Lua.) Make that storage as secure as you can. CHMOD is good, a secure DB server is better. The more secure the script store the more secure the system.
You can encrypt the Lua source - this is a trade off since it makes it a little harder to gain the advantage of easy updates and modification. You will probably need to implement decrypted script caching for performance.
Your security is as strong as your weakest link. If you provide a way to modify the Lua source via external access this will be an attack vector. Avoid this design if you can.
You should consider putting in change management checks. For example a separate place in the system where a checksum for each Lua file is stored. Then if an un-authorized change is made to a script you can abort functioning till the security breach is mitigated.
Other than the drawback I mentioned above, I don't think there is anything fundamentally flawed in your plan. If it can aid in making a good middleware system I would say go for it. Just mitigate the risk of your adapter scripts getting compromised as much as possible.
To expand on Donal's comment - given the popularity of node I would say that JavaScript is the leading practice in scripted middleware right now. If you can handle learning a new scripting language I would say it would be a good idea given the support, popularity, and tools available.
Your primary requirement in terms of security is to ensure that the server cannot evaluate anything sent by clients by any mechanism (not just direct evaluation, but also through supplying filenames). A lesser requirement is that they should also not have any mechanism to produce a message that allows other clients to evaluate unexpected things (i.e., avoid XSS trouble). If you can satisfy these requirements, you've got a safe server and the language(s) that it is written in won't matter; using multiple languages is in fact a good idea as it lets you leverage the best of each.
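The change-management check suggested above (a checksum for each Lua file, stored separately), as an added Python example that is not code from the thread; a C engine would apply the same logic before handing a script to Lua. The directory layout, file names and function names are assumptions, and the sample scripts are constructed.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(script_dir):
    """Run at release time; keep the result outside script_dir."""
    return {p.name: sha256_file(p) for p in sorted(script_dir.glob("*.lua"))}


def audit_scripts(script_dir, manifest):
    """Return findings; an empty list means every adapter may be loaded."""
    present = {p.name: p for p in script_dir.glob("*.lua")}
    findings = []
    for name, expected in manifest.items():
        if name not in present:
            findings.append(("missing", name))
        elif not hmac.compare_digest(sha256_file(present[name]), expected):
            findings.append(("modified", name))
    # A script nobody approved is as suspicious as a changed one.
    findings += [("unlisted", n) for n in sorted(set(present) - set(manifest))]
    return findings


def demo():
    """Constructed scenario: one adapter edited, one dropped in afterwards."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "email.lua").write_text("return { send = function() end }\n")
        (root / "ftp.lua").write_text("return {}\n")
        manifest = build_manifest(root)
        clean = audit_scripts(root, manifest)
        (root / "email.lua").write_text("return { send = nil }\n")
        (root / "extra.lua").write_text("return {}\n")
        return clean, audit_scripts(root, manifest)
```

To avoid a gap between check and use, the engine should load the same bytes it hashed rather than re-opening the file by name.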
It's also a good idea to use a carefully configured firewall, plenty of privilege restriction, some kind of DMZ proxy system to at least verify basic syntactic legality of messages, etc. These things are all just good practice. (Aim to configure things so the server can only just manage to do the service you want to provide.)
With sending email, there are a few other things to beware of. In particular, you do not want to be a conduit for spam, so you need to take care to ensure that arbitrary email headers cannot be constructed from client input and that the data formats you send out are non-executable (or that the data is constructed in a way that is non-evil). Rate limiting is also a good idea; unless your site is insanely popular, you shouldn't need to send more than a few messages a second across all clients. If you're ever sending only to a small set of addresses (e.g., to a fixed contact address) then you can relax these restrictions a bit (but still be careful of header injection). In all cases, route all email by a specialist email handling server instead of doing routing yourself as this avoids a whole lot of configuration difficulties.
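The header-injection and rate-limiting points above, as an added Python example that is not code from the thread: client input is confined to two validated headers and a plain-text body, and a single limiter is shared across all clients. The addresses, limits and names are assumptions.

```python
import re
import time
from collections import deque
from email.message import EmailMessage

CONTACT = "contact@example.com"            # assumed fixed recipient
SENDER = "noreply@example.com"             # assumed From address
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")  # CR, LF, NUL and other controls


def clean_header(value, max_len=200):
    """Reject any value that could start a new header line."""
    if len(value) > max_len or _CONTROL.search(value):
        raise ValueError("illegal characters or length in header value")
    return value.strip()


def build_message(reply_to, subject, body):
    """Client input reaches only Reply-To, Subject and the plain-text body."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = CONTACT            # never taken from the client
    msg["Reply-To"] = clean_header(reply_to)
    msg["Subject"] = clean_header(subject)
    msg.set_content(body)          # text/plain, nothing executable
    return msg


class RateLimiter:
    """Sliding window shared by all clients: max_events per window seconds."""

    def __init__(self, max_events, window):
        self.max_events, self.window = max_events, window
        self.sent = deque()

    def allow(self, now=None):
        now = time.monotonic() if now is None else now
        while self.sent and now - self.sent[0] >= self.window:
            self.sent.popleft()
        if len(self.sent) >= self.max_events:
            return False
        self.sent.append(now)
        return True
```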

Which has a better code base to learn from: nginx or lighttpd?

Primary goal is to learn from a popular web server codebase (implemented in C) with priority given to structure/design instead of neat tricks throughout the code.
I didn't include Apache since its code base is an order of magnitude larger than the two mentioned.
Nginx might just be the best straight-C code-base I have encountered. I have read large chunks of Apache, and I always came out feeling unclean, it is a monolithic mess.
You will not just learn about web-servers by exploring Nginx, but pretty much the best practises for writing networked software under Unix and straight-c, from code architecture to meta-programming techniques.
I have heard nothing but good things about Lighttpd, however it is limited in scope compared to Nginx; therefore I would invest time in nginx if I was you. Although lighttpd's limited scope might be beneficial to you, as a first target to study.
Neat tricks always happen in any codebase worth its salt, to be honest. Nevertheless, the answer you probably don't want to hear is that it would probably be good to study both so you can kind of learn through the intersection. The alternative might really leave you stuck in a box of the "lighttpd" way or the "nginx" way, etc.
I didn't include Apache since its code base is an order of magnitude larger than the two mentioned.
Actually Apache code is quite readable. It has large code base because it does lots of things. But it is well structured and quite easy to understand. You can also check APR library (Apache Portable Runtime) which has plethora of small things to learn from.
IMO if you want to learn programming, you should start with lower profile projects - and not HTTPd, but something simpler.
Both nginx and lighttpd (just like Apache) are production quality software, meaning a very steep learning curve. And the learning unfortunately often means digging archives to see why it is that way - that comes with age to any mature project.
If you are simply into C and learning design, you might want to check the FreeBSD or its derivatives. In my experience it is a better place for starting: there are lots of tools and libraries of all calibers there. And their TODO lists are never empty, which serves well as a guide to where to start.
