Few Things About Cryptographic Tools and Hashes

Encryption techniques are used mainly to protect data from unauthorized access. There are many algorithms available and we have discussed the most commonly used ones. There are a few tools available in a Linux environment for performing encryption and decryption. Sometimes we use encryption algorithm hashes for verifying data integrity. This section will introduce a few commonly used cryptographic tools and a general set of algorithms that these tools can handle.

Let us see how to use tools such as crypt, gpg,base64,md5sum,sha1sum,and openssl
  • The crypt command is a simple and relatively insecure cryptographic utility that takes a file from stdin and a passphrase as input and output encrypted data into stdout
(and, hence, we use redirection for the input and output files):
$ crypt <input_file >output_file
Enter passphrase:
It will interactively ask for a passphrase. We can also provide a passphrase through
command-line arguments:
$ crypt PASSPHRASE <input_file >encrypted_file
In order to decrypt the file, use:

$ crypt PASSPHRASE -d <encrypted_file >output_file

 

  • gpg (GNU privacy guard) is a widely used tool for protecting files with encryption that ensures that data is not read until it reaches its intended destination. Here we discuss how to encrypt and decrypt a file.
In order to encrypt a file with gpg use:
$ gpg -c filename
This command reads the passphrase interactively and generates
filename.gpg. In order to decrypt a gpg file use:
$ gpg filename.gpg
This command reads a passphrase and decrypts the file.
  • Base64 is a group of similar encoding schemes that represents binary data in an ASCII string format by translating it into a radix-64 representation. The base64 command can be used to encode and decode the Base64 string. In order to encode a binary file into the Base64 format, use :
                         $ base64 filename > outputfile
                            Or:
                          $ cat file | base64 > outputfile
It can read from stdin.Decode Base64 data as follows:
$ base64 -d file > outputfile
Or:
$ cat base64_file | base64 -d > outputfile
md5sum and SHA-1 are unidirectional hash algorithms, which cannot be reversed to form the original data. These are usually used to verify the integrity of data or for generating a unique key from a given data:
$ md5sum file
8503063d5488c3080d4800ff50850dc9 file
$ sha1sum file
1ba02b66e2e557fede8f61b7df282cd0a27b816b file
These types of hashes are commonly used for storing passwords. Passwords are stored as their hashes and when a user wants to authenticate, the password is read and converted to the hash. Then, this hash is compared to the one that is stored already. If they are the same, the password is authenticated and access is provided, otherwise it is denied. Storing plain text password strings is risky and poses a security risk.
  • Shadow-like hash (salted hash)
         Let us see how to generate a shadow-like salted hash for passwords. The user passwords in Linux are              stored as their hashes in the /etc/shadow file. A typical line in /etc/shadow will look like this:
         test:$6$fG4eWdUi$ohTKOlEUzNk77.4S8MrYe07NTRV4M3LrJnZP9p.qc1bR5c.
         EcOruzPXfEu1uloBFUa18ENRH7F70zhodas3cR.:14790:0:99999:7:::
$6$fG4eWdUi$ohTKOlEUzNk77.4S8MrYe07NTRV4M3LrJnZP9p.qc1bR5c.
EcOruzPXfEu1uloBFUa18ENRH7F70zhodas3cR is the shadow hash corresponding to its password.
In some situations, we may need to write critical administration scripts that may need
to edit passwords or add users manually using a shell script. In that case we have to
generate a shadow password string and write a similar line as the preceding one to
the shadow file. Let’s see how to generate a shadow password using
openssl
.
Shadow passwords are usually salted passwords. SALT is an extra string used to
obfuscate and make the encryption stronger. The salt consists of random bits that
are used as one of the inputs to a key derivation function that generates the salted
hash for the password
$ opensslpasswd -1 -salt SALT_STRING PASSWORD
$1$SALT_STRING$323VkWkSLHuhbt1zkSsUG.
Replace SALT_STRING with a random string and PASSWORD with the password you want to use.

Back to top button
Close