In an earlier video, I
talked about encryption
relying on randomization.
And here's a good example.
I've got a picture
of this dog, and I'm
going to encrypt this picture.
I'm going to use a block
cipher mode called 128-bit ECB
or electronic codebook.
If I use this particular picture
and that particular cipher,
I end up with this result,
which is an encrypted version
of this dog.
But because there
is no randomization,
this particular cipher provides
us with a little bit more
than what we were
expecting from something
that might be encrypted.
One way to provide
this randomization
is through the use of
a cryptographic nonce.
A nonce is a number that
is arbitrarily chosen.
You use it one time, and
then you don't use it again.
It comes from the
term "for the nonce,"
which means "for the time being."
This would be a random or
a pseudo-random number.
It would be something that you
probably would not reasonably
guess to be added to this
particular algorithm.
Some people might even use a
calendar, where the number is
constantly incrementing.
A nonce might be commonly
used during the log-in
authentication process.
The server might provide
you with a nonce.
You would calculate a hash of your
password along with the nonce,
and then send that entire
hash back to the host.
This use of a nonce
during authentication
means it can only be used during
this particular authentication
process.
This would prevent a replay
attack from occurring,
because the first authentication
was using one nonce,
and any subsequent
authentication request
would be using a
completely different nonce.
If we need to randomize
an encryption scheme,
we commonly use an
initialization vector or an IV.
This is a type of nonce
that provides randomization
for this encryption process.
For example, we use this
in encryption ciphers.
It's used in WEP encryption
and older SSL implementations.
And this particular
block diagram
is showing the
original WEP encryption
that uses an initialization
vector at the beginning
and adds the
initialization vector
to the beginning of the
ciphertext at the end
of the encryption process.
This is a block diagram of
the WEP encryption process.
You can see the use of
an initialization vector
at the beginning of the process.
And you need that
vector at the end,
so the IV is also sent with the
ciphertext to the recipient.
Another type of
cryptographic randomization
is a salt. This
is a nonce that is
used to randomize
the hash that is
created from a user's password.
Imagine if everyone
in the organization
used exactly the same password,
all of the stored passwords
would then be identical.
And someone who is trying
to perform a brute force
against all of
those passwords only
needs to break one
of those passwords
to be able to gain access
to all of the others.
Instead, we would salt
every user's password.
We would add some extra
information to the password.
And this information would
be different for every user.
That means once a hash is
created, even if everyone
is using exactly
the same password,
everyone's stored hash is
going to be very different.
Now the bad guy will have to go
through every individual user's
password to perform a
brute force, instead
of performing a single
brute force for everyone.
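
The salting described above, as an added example that is not part of the original video: three accounts share one password, stored once without a salt and once with a random per-user salt. The choice of PBKDF2-HMAC-SHA256, the iteration count, the account names and the password are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor for this example


def unsalted_hash(password: str) -> str:
    """The case the transcript warns about: same password, same stored value."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_password(password: str) -> tuple[bytes, bytes]:
    """Return (salt, hash). The salt is random per user and stored beside the hash."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with this user's own salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def build_tables(users: list[str], password: str):
    """Constructed scenario: every user in the organization picks the same password."""
    unsalted = {u: unsalted_hash(password) for u in users}
    salted = {u: store_password(password) for u in users}
    return unsalted, salted


if __name__ == "__main__":
    users = ["alice", "bob", "carol"]  # constructed sample accounts
    unsalted, salted = build_tables(users, "Winter2024!")
    # Without a salt, one cracked hash reveals every account's password.
    print("distinct unsalted hashes:", len(set(unsalted.values())))
    # With a salt, each stored hash must be attacked separately.
    print("distinct salted hashes:  ", len({h for _, h in salted.values()}))
    salt, stored = salted["alice"]
    print("correct password verifies:", verify_password("Winter2024!", salt, stored))
    print("wrong password verifies:  ", verify_password("winter2024!", salt, stored))
```

The salt is not a secret. It is stored with the hash so the server can repeat the calculation at log-in.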
