Randomizing Cryptography – CompTIA Security+ SY0-501 – 6.1

We rely heavily on randomization when using cryptography. In this video, you’ll learn about the importance of randomization and how random information is used to provide data security.

<< Previous Video: Hashing and Digital Signatures Next: Weak Encryption >>


In an earlier video, I talked about encryption relying on randomisation. And here’s a good example. I’ve got a picture of this dog, and I’m going to encrypt this picture.

I’m going to use a block cipher mode called 128-bit ECB or electronic codebook. If I use this particular picture and that particular cipher, I end up with this result, which is an encrypted version of this dog. But because there is no randomisation, this particular cipher provides us with a little bit more than what we were expecting from something that might be encrypted.

One way to provide this randomization is through the use of a cryptographic nonce. A nonce is a number that is arbitrarily chosen. You use it one time, and then you don’t use it again. It comes from the term, for the nonce, which means for the time being.

This would be a random or a pseudo random number. It would be something that you probably would not reasonably guess to be added to this particular algorithm. Some people might even use a calendar, where the number is constantly incrementing.

A nonce might be commonly used during the log-in authentication process. The server might provide you with a nonce. You would calculate your password along with the nonce, and then send that entire hash back to the host. This use of a nonce during authentication means it can only be used during this particular authentication process. This would prevent a replay attack from occurring, because the first authentication was using one nonce, and any subsequent authentication request would be using a completely different nonce.

If we need to randomize an encryption scheme, we commonly use an initialization vector or an IV. This is a type of nonce that provides randomization for this encryption process. For example, we use this in encryption ciphers, it’s used in WEP encryption and older SSL implementations. And this particular block diagram is showing the original WEP encryption that uses an initialization vector at the beginning and adds the initialization vector to the beginning of the ciphertext at the end of the encryption process.

This is a block diagram of the WEP encryption process. You can see the use of an initialization vector at the beginning of the process. And you need that vector at the end, so the IV is also sent with the ciphertext to the recipient.

Another type of cryptographic randomisation is a Salt. This is a nonce that is used to randomize the hash that is created from a user’s password. Imagine if everyone in the organization used exactly the same password, all of the stored passwords would then be identical. And someone who is trying to perform a brute force against all of those passwords only needs to break one of those passwords to be able to gain access to all of the others.

Instead, we would Salt every user’s password. We would add some extra information to the password. And this information would be different for every user. That means once a hash is created, even if everyone is using exactly the same password, everyone’s stored hash is going to be very different. Now the bad guy will have to go through every individual users password to perform a brute force, instead of performing a single brute force for everyone.