PASSWORD AND FILE SYSTEM SECURITY FOR

OPERATING SYSTEMS
 CONTENTS

● Introduction
● What is Encryption?
● Why use Encryption?
● Where is Encryption used?
● Which methods UNIX and LINUX use for
Encryption of password and data?
 CONTENTS

● What is MD5?
● What is SHA?
● Comparison of all algorithms
 INTRODUCTION

● Operating systems need security for storing

saved user passwords and securing the user
files on the disk.

● Encryption of the user data stored on disk is

divided into data encryption and system
encryption.
 WHAT IS ENCRYPTION?

● Encryption is the process of encoding

messages or information in such a way that
only authorized parties can read it.

● An encryption scheme usually uses a pseudo-

random encryption key generated by an
algorithm
 KINDS OF ENCRYPTION

1. Symmetric key encryption

The encryption and decryption keys are the same.
Communicating parties must have the same key before they
can achieve secret communication.

2. Public key encryption

The encryption key is published for anyone to use and
encrypt messages.
Only the receiving party has access to the decryption key that
enables messages to be read.
 WHY USE ENCRYPTION?
● The files only become available to the operating system and
applications in readable form while the system is running and
unlocked by a trusted user.
● An unauthorized person looking at the disk contents directly, will
only find garbled random-looking data instead of the actual files.
● This can prevent unauthorized viewing of the data when the
computer or hard-disk is:
– Located in a place to which non-trusted people might gain
access while you're away
– Lost or stolen, as with laptops, net-books or external storage
devices
– In the repair shop
– Discarded after its end-of-life
 WARNING!

● Disk encryption does not protect your data from

all threats.
● You will still be vulnerable to :
– Attackers who can break into your system over the
Internet
– Attackers who are able to gain physical access to
the computer
– A government entity, like NSA
● Disk encryption also won't protect you against
someone simply wiping your disk.
 DATA ENCRYPTION

● Defined as encrypting only the user's data itself

(often located within the /home directory)
● Data encryption is the simplest and least
intrusive use of disk encryption, but has some
significant drawbacks.
● Mere data encryption will leave you vulnerable
to offline system tampering attacks.
 SYSTEM ENCRYPTION

● Defined as the encryption of the operating system

and user data.
● Benefits:
– Prevents unauthorized physical access to OS.
– Prevents unauthorized physical access to private data
● Disadvantage:
– Unlocking of the encrypted parts of the disk can no
longer happen during or after user login; it must now
happen at boot time
 WHERE IS ENCRYPTION USED?

● Used for:
– Military data security
– Government file security
– Protecting files and data on storage like USBs
– Protecting data in transit
 ENCRYPTION IN UNIX AND LINUX

● The encryption method used in Linux

distributions like Debian depend on the ID
specified in $id$salt$encrypted

ID Method
1 MD5

2a Blowfish

5 SHA-256

6 SHA-512
 CRYPTOGRAPHY

● Cryptography (or cryptology, from Greek

kryptós meaning "hidden or secret", is the
practice and study of techniques for secure
communication in the presence of third parties
(called adversaries).
● Applications of cryptography include ATM
cards, computer passwords, and electronic
commerce.
 CRYPTOGRAPHIC HASH FUNCTION

● A cryptographic hash function is a hash function which

is considered practically impossible to invert, that is, to
recreate the input data from its hash value alone.
● The ideal cryptographic hash function has four main
properties:
– Easy to compute the hash value for any given message
– Infeasible to generate a message that has a given hash
– Infeasible to modify a message without changing the hash
– Infeasible to find two different messages with the same
hash.
 MD5

● MD5 stands for Message Digest algorithm 5

● Invented by Ronald Rivest in 1991
● The idea behind this algorithm is to take up a
random data (text or binary) as an input and
generate a fixed size “hash value” as the output.
● The input data can be of any size or length, but
the output “hash value” size is always fixed.
MD5 EXAMPLE
WORKING OF MD5
 DECLINE OF MD5

● In 1996 a flaw was found in the design of MD5

● Cryptographers began recommending the use of
other algorithms, such as SHA-1
● In 2004 it was shown that MD5 is not collision
resistant.
● MD5 is not suitable for applications like SSL
certificates or digital signatures
● In 2004 more serious flaws were discovered in
MD5
 THE END OF MD5

● A 2013 attack by Xie Tao, Fanbao Liu, and

Dengguo Feng breaks MD5 collision resistance
in 218 time. This attack runs in less than a
second on a regular computer.
 THE END OF MD5

CMU(Carnegie Mellon University) Software

Engineering Institute now says that MD5
"should be considered cryptographically
broken and unsuitable for further use"
 SHA

● SHA stands for Secure Hash Algorithm

● It is a hash algorithm used by certification
authorities to sign certificates and CRL
(certificates revocation list)
● Introduced in 1993 by NSA with SHA0
● It is used to generate unique hash values from
files
 TYPES OF SHA

1. SHA-0:
Published in 1993 under the name "SHA".
Was withdrawn shortly after publication due to an
undisclosed "significant flaw" and replaced by the slightly
revised version SHA-1.

2. SHA-1:
Resembles the older MD5 algorithm.
Designed by the National Security Agency (NSA) to be
part of the Digital Signature Algorithm.
Standard is no longer approved for most cryptographic
uses after 2010.
 TYPES OF SHA

3. SHA-2:
1.A family of two similar hash functions, with different block
sizes, known as SHA-256 and SHA-512. These were
also designed by the NSA.
1.4. SHA-3:
1.Formerly called Keccak
2.Chosen in 2012 after a public competition among non-
NSA designers.
3.Supports the same hash lengths as SHA-2
4.Internal structure differs significantly from the rest of the
SHA family.
 WHY 3 VERSIONS OF SHA?
• For any cryptographic solution, SHA must evolve
along with our computers' calculation capacities
• If not, an SHA encryption will be faster to crack on a
faster processor
• SHA versions get out-dated & are discarded when
enough of vulnerabilities or collisions are found in
them
 SHA - 256
• One of the successor hash functions to SHA-1
• Member of the SHA-2 family
• One of the strongest hash functions available
• 512-bit message block and a 256-bit intermediate
hash value
• Gives an output of 256 bits
WORKING OF SHA 256
 SHA - 512
• Also a member of the SHA-2 family
• 1024-bit message block and a 512-bit intermediate
hash value
• Gives an output of 512 bits
• Much faster than SHA - 256
 SHA EXAMPLE

The SHA – 256 hash of 'a' is:

ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb

The SHA – 256 hash of 'a.' is:

5ab640fad553cbf927dc96b8e7878a9844b2fa79b7a4f5c515e186970ec53027

Whereas, the SHA – 512 hash of 'a' is:

1f40fc92da241694750979ee6cf582f2d5d7d28e18335de05abc54d0560e0f530286
0c652bf08d560252aa5e74210546f369fbbbce8c12cfc7957b2652fe9a75
 APPLICATIONS OF SHA

● SHA-256 is used to authenticate Debian

GNU/Linux software packages and in the DKIM
message signing standard
● SHA-512 is part of a system to authenticate
archival video from the International Criminal
Tribunal of the Rwandan genocide
● Unix and Linux vendors are moving to using 256-
and 512-bit SHA-2 for secure password hashing
 APPLICATIONS OF SHA

● Required by law for use in certain U.S.

Government applications for the protection of
sensitive unclassified information
● "Federal agencies should stop using SHA-1
for...applications that require collision
resistance as soon as practical, and must use
the SHA-2 family of hash functions for these
applications after 2010"
 COMPARISON OF ALGORITHMS
● Algorith ● Output ● Internal ● Block ● Max ● Round ● Operatio ● Securit ● Perfor
m size state size messa s ns y (bits) manc
(bits) size (bits) ge size e
(bits) (bits) (MB/s
)
● MD5 ● 128 ● 128 ● 512 ● 264 − 1 ● 64 ● add mod ● < 64 ● 335
(Refere ● (4 x 32) 232, and, ● (collisi
nce) or, xor, ons
rot found)
● SHA- ● 256 ● 256 ● 512 ● 264 − 1 ● 64 ● add mod ● 128 ● 139
256 ● (8 x 32) 232, and,
or, xor,
shr, rot
● SHA - ● 512 ● 512 ● 1024 ● 2128 − 1 ● 80 ● add mod ● 256 ● 154
512 ● (8 x 64) 264, and,
or, xor,
shr, rot