Unit 3: Cryptography 3.1 Cryptography Hashing Demo

>> Let's take a look at some of the concepts we just learned about regarding hashing.

I went to an online hash calculator website.

There are a bunch of them.

This one happens to be my favorite.

And I'm going to enter into the hashing algorithm the string bob.

I'm going to click the hash button and scroll on down to see all of the message digests that were simultaneously calculated.

As we discussed, the longer the output, the more secure the hashing algorithm.

So, I'm going to grab the SHA-256 output for the bob plain text password.

Not a very good password that was selected by some user.

I'm going to paste that resulting hash inside of my text editor.

Now what I'm going to do is I'm going to go to a website and copy a bunch of text.

I'm going to get all of this text.

I'm going to copy it.

And I'm going to enter all of that text into the same hashing algorithm.

We're going to hash that entire article.

We're going to once again grab our SHA-256 message digest and we're going to paste it right below the hash of bob.

As you can see, even though the first input was significantly shorter than the second input, the size of the message digests, the output of the hashing algorithm, is exactly the same.

Let's go back to our hashing input.

And instead of bob in all lower-case letters, I'm going to capitalize the first letter.

I'm going to run that plain text, also a bad choice for a password, through the hashing algorithms and I'm going to grab the SHA-256 hash once again.

Let's see how it compares to the original bob.

The first row contains the hash of the original bob.

And now the second row contains the hash of the bob where I upper case the first character.

As you can see, I changed the lower-case b to an upper-case B, and the resulting hashes are radically different.

As another practice example I'm at the Kali Linux download page.

In a future course we're going to be using this Linux distribution.

I want to download the Kali 64-bit ISO.

The developers have listed the hash generated with SHA-256.

In fact, I've already downloaded this file and uploaded it to another online hash calculator.

As you can see, the calculated hash matches the hash that the Kali developers have published on their site.

I now know that no bits have been changed, either accidentally or maliciously, in transit to my machine.

When the publisher site uses SSL/TLS, this reduces the likelihood of a man-in-the-middle attack that modifies the file while in transit.

I also want to make sure that nobody's changed or replaced the file underneath the hood to give me something else.

However, if a hacker switched the file, he'd certainly be smart enough to change the listed hash as well.

So, if you download the file from the same source as the published hash, then the hash can't really prove that the file hasn't been changed or replaced.

If you get the hash from a reputable source like the publisher's website, www.kali.org in this case, then you can download the actual file from anywhere.

For example, by using a torrent link.

The direct ISO download here leads to a different server.

The hash is stored on www.kali.org, while the file itself is stored on cdimage.kali.org.

Now the hacker would have to hack into multiple locations.

One to change the file, and another to change the listed hash.

While there are no guarantees that just didn't happen, it's less likely.

What would be even better is storing the file on a completely different domain.

Still, the servers could have been hacked, and there exists the possibility of a DNS cache poisoning attack.

(Reposter's note: the point of a DNS poisoning attack here is that the hash is what proves the software you downloaded is clean; with this attack the user never receives the real hash but the attacker's forged one, misleading them into believing the downloaded software is legitimate.)

Where, for example, www.kali.org leads to a rogue site.

The ultimate level of integrity would be downloading a hash that's signed.

Which means the hash is encrypted with the private key of the publisher.

You'd decrypt the signed hash with the public key of the publisher.

Then you'd hash the file.

And compare the decrypted hash with the computed hash.

If the two match, you've got the original file.

If they don't match, the file has been changed or replaced.

如果它们不匹配,则文件已被更改或替换。
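The two procedures the lecture walks through, checking a download against a published hash and checking a signed hash, as an added Go example that is not part of the original lecture or of any Kali tooling. It uses Go's standard library only; the "ISO" and "article" contents are constructed stand-ins, the publisher's key pair is generated in-process for the demo, and Ed25519 is assumed as the signature scheme (the lecture does not name one). The `VerifyPublishedHash` check mirrors the online-calculator comparison; `SignDigest` and `VerifySignedDigest` mirror the publisher and downloader sides of the signed-hash step.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// Sha256Hex returns the SHA-256 digest of data as lowercase hex, the same
// form an online hash calculator or the sha256sum utility prints.
func Sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// VerifyPublishedHash recomputes the digest of a downloaded file and compares
// it with the hash the publisher listed. Whitespace and letter case in the
// copied value are normalised, and the comparison is constant-time (it also
// returns false when the lengths differ).
func VerifyPublishedHash(file []byte, publishedHex string) bool {
	got := Sha256Hex(file)
	want := strings.ToLower(strings.TrimSpace(publishedHex))
	return subtle.ConstantTimeCompare([]byte(got), []byte(want)) == 1
}

// NewPublisherKeys generates a fresh Ed25519 key pair standing in for the
// publisher's signing key. Constructed for this example: a real publisher
// keeps a long-lived key and distributes the public half out of band.
func NewPublisherKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignDigest is the publisher's side of the lecture's "signed hash": hash the
// file, then sign the digest with the private key. Ed25519 is an assumption
// of this example, not the scheme any particular publisher uses.
func SignDigest(priv ed25519.PrivateKey, file []byte) []byte {
	digest := sha256.Sum256(file)
	return ed25519.Sign(priv, digest[:])
}

// VerifySignedDigest is the downloader's side: hash the file actually
// received and check the signature over that digest with the public key.
// A changed file changes the digest, and a forged hash cannot carry a valid
// signature without the private key, so a download page that swaps both the
// file and the listed hash is still caught.
func VerifySignedDigest(pub ed25519.PublicKey, file, sig []byte) bool {
	digest := sha256.Sum256(file)
	return ed25519.Verify(pub, digest[:], sig)
}

func main() {
	// Constructed inputs: the lecture's short password and a long "article".
	short := []byte("bob")
	article := []byte(strings.Repeat("Some text copied from a long web article. ", 100))

	// Fixed-length output: both digests are 64 hex characters (32 bytes).
	fmt.Printf("bob:     %s (%d hex chars)\n", Sha256Hex(short), len(Sha256Hex(short)))
	fmt.Printf("article: %s (%d hex chars)\n", Sha256Hex(article), len(Sha256Hex(article)))

	// Avalanche effect: capitalising one letter gives an unrelated digest.
	fmt.Printf("Bob:     %s\n", Sha256Hex([]byte("Bob")))

	// Checking a download against a published hash. The "published" value is
	// computed here from the same constructed bytes a publisher would hash.
	iso := []byte("constructed stand-in for an ISO image")
	tampered := []byte("tampered stand-in for an ISO image")
	published := Sha256Hex(iso)
	fmt.Println("published hash matches download:", VerifyPublishedHash(iso, published))
	fmt.Println("published hash matches tampered download:", VerifyPublishedHash(tampered, published))

	// Signed hash: only the holder of the private key can produce a signature
	// that verifies, so a swapped file fails the check even if the attacker
	// also swapped the listed hash.
	pub, priv := NewPublisherKeys()
	sig := SignDigest(priv, iso)
	fmt.Println("signature verifies for original file:", VerifySignedDigest(pub, iso, sig))
	fmt.Println("signature verifies for tampered file:", VerifySignedDigest(pub, tampered, sig))
}
```

Run with `go run` and the output shows the three lecture points in order: the two digests are the same length regardless of input size, "bob" and "Bob" hash to unrelated values, and the tampered file fails both the published-hash check and the signature check. Verifying the signature over the digest rather than trusting a hash fetched from the same page is what removes the "hacker changes both the file and the listed hash" case; it still depends on the downloader having the publisher's genuine public key.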

Reposted from: https://www.cnblogs.com/sec875/articles/10321324.html