DEV Community

Cover image for You Wouldn't Base64 a Password! Cryptography Terms and Concepts for Developers

You Wouldn't Base64 a Password! Cryptography Terms and Concepts for Developers

Scott Arciszewski on December 13, 2016

Originally published at: You Wouldn't Base64 a Password! on the Paragon Initiative Enterprises blog There's a ton of bad programming and securit...
Collapse
 
qm3ster profile image
Mihail Malo

Given a public key, it is almost impossible to figure out what the private key is.
Given a private key, you can near-instantly calculate the related public key.

Is this really so?
I thought the two were essentially two sides of the same coin, and we just arbitrarily choose one to be the private key and hide it and publish the remaining one.

Collapse
 
paragoniescott profile image
Scott Arciszewski

I thought the two were essentially two sides of the same coin, and we just arbitrarily choose one to be the private key and hide it and publish the remaining one

Nope! See also: 3v4l.org/ZJNVT

Collapse
 
qm3ster profile image
Mihail Malo

We have to go more public!

array(5) {
  ["secret key"]=>
  string(64) "2337c49553ee014b5deeb0506015dde1256236468aa83e2a0014eaa3178aba82"
  ["public key"]=>
  string(64) "a393199a4e8333d558d0832909d7bb3966280f0e0139f718fb903f2bd032362d"
  ["public key from secret key"]=>
  string(64) "a393199a4e8333d558d0832909d7bb3966280f0e0139f718fb903f2bd032362d"
  ["super public key from public key"]=>
  string(64) "63079d6d457e7ef05e31a65c7b08a3fff2971b9e2943954565725b69f0754627"
  ["super super public key from super public key"]=>
  string(64) "ec3f52bde73b8026c0bb00ccc0a936529e617b9b3233ec0e02d95d3f5c1fe344"
}
Collapse
 
ericlaw profile image
Eric Lawrence

This looks great, thanks for sharing.

you cannot easily go from the hash output to the original message.

I feel like that one requires an asterisk, e.g. (* unless you happen to have a large table mapping original messages to hash values. Use salts to combat rainbow tables).

Collapse
 
cagatayy profile image
cagatay-y

(If the file and hash are on separate servers, the situation is a little different, but the improvement is not significant enough to warrant eschewing a better solution.)

Is it still useless if the file is served over an insecure connection (like a HTTP mirror) and hash is accessed over an HTTPS connection?

Collapse
 
qm3ster profile image
Mihail Malo

Would you say chocolatey's hash verification is not a waste of time, since it stores the hashes in the repository, far from where a compromise of the application developer's site could reach?

Collapse
 
codebeautify profile image
Code Beautify • Edited

In case someone needs a online base64 decoder: codebeautify.net/base64/decode

Collapse
 
toastal profile image
toastal

I prefer rot26 encryption to base64 though.

Collapse
 
raevilman profile image
RD

Awesome. Thanks.

Collapse
 
vekzdran profile image
Vedran Mandić

Thank you so much for this excellent and important article and its topic.

Collapse
 
monoblaine profile image
Serhan Apaydın

Bonus: You wouldn't tell your fianceé that you work for the CIA.

Collapse
 
jamesmalvi profile image
Jaimie Malvi

This tool may help to decode the base64 codebeautify.org/base64-decode

Collapse
 
drrial profile image
d3rrila

"[...]ret key can reverse; requires one key.[...]"

You have "key" highlighted instead of "one"

Collapse
 
ben profile image
Ben Halpern

Thanks for a wonderful read, Scott 👌