Humans are not good at memorizing complex things, such as long strings of randomly looking letters and numbers. That is why we are using passwords containing known words or numbers. Some of us use password volts which securely stores our password for us. Those password volts are most likely using some kind of cryptography to seal the data and if they don’t, don’t use them.

This article does not explore every subject to the full extent, there are many caveats to each described way of securing the data or application access. Nevertheless, it shows the most important aspects of security trends.

Let’s talk about password security first. Until we use a password that is extremely complex and is only in our head it is not secure enough to guarantee safety. And even then it might not be the best way to secure your data or access your accounts. The reason is that it is still easier to brute force the password than the cryptographic key. Have I been pwned allows you to validate your password on the list of leaked passwords. Be careful, the safest way to check your password exists in the repository is not by typing it on the web page, even if you trust the guy owning that web page. To do it securely you need a terminal and follow the instructions below.

To validate your password hash it with sha1sum like so: echo -n password1 | shasum. Next, curl it to the REST API like so: curl https://api.pwnedpasswords.com/range/e38ad | tr A-Z a-z > psswd.txt where e38ad is the first 5 hash chars of your hashed password. All suffixes of existing hashes will be saved to the psswd.txt file. Grep the file content over the suffix part of your hash (all chars from 6 char included to the end of a hash) like so: cat psswd.txt | grep 214943daad1d64c102faec29de4afe9da3d. This should produce the output. If it looks like this 214943daad1d64c102faec29de4afe9da3d:3264863 it means a password was exposed :n times. In the case of password: “paswword1” it was exposed 3264863 times.

The Have I Been Pwned version 7 arrived in November 2020 bringing the total passwords to over 613M. That is just overwhelming.

Ok. What about password volts?

Volts secure all your passwords with a single password or a single key. For example, the ASE can secure your passwords locally by encrypting them. For symmetrical encryption the AES is a global security standard. The National Institute of Standards and Technology selected three “flavours” of AES: 128-bit, 192-bit, and 256-bit. Each type uses 128-bit blocks. The difference lies in the length of the key. As the longest, the 256-bit key provides the strongest level of encryption. With a 256-bit key, a hacker would need to try 2256 different combinations to ensure the right one is included. This number is astronomically large, landing at 78 digits in total. It is exponentially greater than the number of atoms in the observable universe. Understandably, the US government requires 128- or 256-bit encryption for sensitive data.

Three AES varieties are also distinguished by the number of rounds of encryption. AES 128 uses 10 rounds, AES 192 uses 12 rounds, and AES 256 uses 14 rounds. The more rounds, the more complex the encryption, making AES 256 the most secure AES implementation. It should be noted that with a longer key and more rounds come higher performance requirements. AES 256 uses 40% more system resources than AES 192, and is, therefore, best suited to high-sensitivity environments where security is more important than speed. AES 256 is virtually impenetrable using brute-force methods. While a 56-bit DES key can be cracked in less than a day, AES would take billions of years to break when current computing technology is used. Hackers would be foolish to attempt this type of attack. This makes your passwords securely stored but will not help transmit them to the access point. The problem with passwords is that it is sent as a part of the message to gain access to the service. The great majority of the traffic is encrypted and this secures the password and you always have to check if the connection is secured properly with the strongest encryption standard there is. To achieve safe data transmission modern mechanisms use a composite approach where a symmetric encryption key is transmitted over transmission encrypted by the asymmetric encryption data having two keys. Symmetric encryption is just way faster and mother CPUs have dedicated circuits to do just AES encryption and decryption making it extremely fast.

What is asymmetric encryption?

The AES allows for safe data encryption using a single key for encryption and decryption. This is extremely powerful but will not help in transmitting passwords. We require a safe connection that will allow for that encryption first. Asymmetric encryption allows the transmission of data when both parties of the transmission know each other public keys. The public key can be publicly known not causing any security vulnerability to the data transmission. The public key allows in this case only for data encryption. To decrypt the data the private key is used. The private key is known only to the party that shared its public key so only for the data receiver. Anyone listening to the transmitted will not be able to read the data. We can safely transmit passwords to access points validating our identity. But the access points see our password and store its hash representation to validate the identity. This weakens security. In today’s complex system, most data are encrypted to the proxy or load balancer that will pass the traffic to the microservices. Not all the data are encrypted between microservices, but it is becoming a standard nowadays to take care of proper encryption everywhere. This may slow down the traffic, but we prefer to pay performance price over data security. Nevertheless, your password is not a black box all the time. It sometimes travels through the system or application as plain text.

The other side of the stick of asymmetric encryption is that it not only allows for secure data transfer by encrypting the data. It also allows for validation of who issued the data. It is done via a handshake process. First, you, the one that wants access to the service, ask for the data from the server. The server sends you some random data that he keeps in cache memory for a short time. This is the first two parts of the handshake. The next part is to sign the given data with your private key and send your public address, signature, and data digest to the server. The server validates the data digest and a signature, if it is valid for a given public address, then your public address identifies you uniquely and you can access the service. Some session mechanism is used to keep the connection valid, for example, a JWT token. What is important is that it is a much safer way of proving identity for a few reasons. First data can be transmitted over an insecure network without making the whole process insecure. If your public address is stolen it will not allow the thief to sign any data, as the only way to sign data is by the private key. Handshake is unique per validation as long as the server uses a secure way of randomizing the data provided in the first step. Data then are unique per handshake and the same are signature and digest.

Is asymmetric signature secure?

In theory, asymmetric key encryption algorithms are unbreakable in finite time. In practice, it depends on the implementation. Some languages are paying more attention and effort to provide secure algorithms, for example, Golang. The whole cryptographic package is open source sponsored by Google and part of the standard library. The packages are tested against an enormous amount of vectors. The other languages got a bad reputation, for example, Psychic Signatures in Java allowed for an easy breaking identification process while using an asymmetric key signature algorithm. All security depends on the standards that the given technology provides. To picture the shadow algorithm implementation is casting over the security, let’s look at the problem of a buggy example implementation of RSA algorithms. The modulus part of the RSA algorithm is generated from two very large prime numbers p and q. If those prime numbers are picked at random then there is a possibility that they may differ within the lower 64 bytes to be vulnerable. If they are not farther apart than 64 lower bytes or the key is small enough to allow for that to happen, then RSA can be broken in less than a second. Look here to see the algorithm: CrackRSA.

Security is often taken for granted by companies, developers and clients. But the truth is that proper security takes effort and expertise. Sometimes such trivial things as picking the proper programming language can make a difference. In today’s data transmission and internet access, our data are securely encrypted by encryption algorithms following the highest standards. Without these encryption standards and algorithms, passwords will guarantee no security. I believe that wallets that allow for cryptographic signature validation with asymmetric keys are the future of securing the APIS and other internet services.