Skip to main content

Alice and Bob go hashing

Alice wants to share some files with Bob over a public medium. Alice's computer is presumed 'secure'

she can easily generate a nice long 'passprase' by generating a cryptographic hash of the plaintext (say sha256sum) and use this as a key for a symmetrical crypt

ie

alice$> echo "hello world" > plaintext # generate sample input file
alice$> sha256sum plaintext # a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447

and then crypt the file


alice$> openssl aes-256-cbc -in plaintext -out ciphertext
enter aes-256-cbc encryption password: [SHA256SUM GENERATED ABOVE]
Verifying - enter aes-256-cbc encryption password: [ditto]
alice$> ls -l plaintext ciphertext
-rw-rw-r--. 1 alice alice 32 Nov  7 16:01 ciphertext
-rw-rw-r--. 1 alice alice 12 Nov  7 16:00 plaintext


Alice can then send the symmetric key to Bob via their normal secure channel (assumed to be working)
and bob can decrypt with

bob$> openssl aes-256-cbc -d -in ciphertext 
enter aes-256-cbc decryption password: [SHA SUM]
hello world


So - is using a hash function a Bad Idea? 
The method is predictable -- yes but Mallory would need to know the plaintext (in which case, game over) to generate quickly, or would need to bruteforce ($time++)


Discussions / comments welcome

Comments

Popular posts from this blog

Growatt inverter monitoring with Raspberry Pi

At home we have a small (2.5KW - 10*250w panels) PV system to try and offset our daytime electricity usage. This is connected to a 'Growatt' inverter that handily has both RS485 (wierd 2 pin plugs) and RS232 (9 pin D connector buried under a screwplate) outputs.

With the firmware on ours (installed Sept 2013) it supports modbus-rtu over serial 9600 8N1.

I had done some initial digging and experimentation (as announced on Whirlpool) but never really got sensible values out.When my guruplug (via a long USB to serial adaptor) finally died and I shelved the whole thing. With the completion of the structured wiring though I finally got round to reconnecting it and starting again.

Small D9 Gender changer, + cisco console cable (all hail fleabay) gives a nice neat look on the outside, and in the garage I have another console cable plugged into the relevant patch outlet and a cheap usb-serial adaptor in a Raspberry Pi (which also has a GPS module connected, acting as a PPS NTP master)

Publishing DHT22 data via MQTT with an ESP8266

Some time ago I picked up a couple of ESP-01 modules with the intention of using them as wireless temperature/humidity sensors coupled with a DHT22.

Initial investigations took place at the Perth Artifactory "Arduino-U" evenings - I managed to put on a nodemcu lua firmware and found a few (varying) dht22 libraries. however I couldn't ever manage to get it to consistently publish the information to my message broker - it'd do one or two and then lock up. I dug it out again recently and decided to have another go - especially as Pete Scargill seemed to be having success with them (running native C).

So trying to 'revert' to a newer espressif release turned out to be non-trivial - installing the relevant toolchain needs multiple bits. I gave up and noticed that there was a newer (0.9.6-dev_20150704) nodemcu release, so I gave that a try.

First discovery - There's native support for the dht sensors in the firmware, so to get the current values all you need is…

Pretty Colours via MQTT

What does a geek do when they have some spare RGB LED strip (addressable WS2812B) and some cheap nasty LED devices? LED transplant time...

So, first to go was the LED glass prism stand received as a christmas present - out went the potted pcb with three fading LEDs, and in went a single piece of RGB strip fixed in place with a hot glue gun.
wire comes out the bottom and goes to a nanode.
So far so good, but I don't just want fixed or fading colours so time to revisit an IoT idea: Cheerlights

The cheerlights API defines 10 colors that can be set, but I want the possibility of sending any RGB value, so I created @FakeCheerlights as an MQTT series of topics on the test.mosquitto.org broker

fakecheerlights/rgb
fakecheerlights/colour
fakecheerlights/raw

which contain the hex RGB value, the identified colour name and the raw tweet.

A separate script (running on the NAS) uses the twitter API via tweepy to follow the twitter stream search for 'cheerlights' and 'fakecheerlights…