We Keep Coding

Openssl Message Digest One-Way Brute-force attack

I am learning Cryptography and using OPENSSL to implement whatever I am learning. Recently, I found one of the assignment questions and am trying to solve it. I don't have problem understanding most of the questions but this one.
4 Task 2: One-Way Property versus Collision-Free Property
In this task, we will investigate the difference between two properties of common hash functions: one-way
property versus collision-free property. We will use the brute-force method to see how long it takes to break
each of these properties. Instead of using openssl’s command-line tools, you are required to write your
own C program to invoke the message digest functions in openssl’s crypto library. Docs can be found at
http://www.openssl.org/docs/crypto/EVP_DigestInit.html.
Laboratory for Computer Security Education, CMSC 414, Spring 2013
2
Since most of the hash functions are quite strong against the brute-force attack on those two properties,
it will take us years to break them using the brute-force method. To make the task feasible, in all of this
project we reduce the length of the hash value to 24 bits. We can use any one-way hash function, but we
only use the first 24 bits of the hash value.
Write a program that, given a 24-bit hash value, finds a matching text (only lower-case ASCII charac-
ters). Your program will have to repeatedly 1) generate a random text, 2) hash it, 3) compare lower 24 bits
to the input.
Your program (source must be called task2.c) will be called as follows:
./task2 <digest name> <hash value>
e.g, ./task2 sha256 2612c7. . . and your program must write the winning text to task2.out.
Please ensure the output is readable and writable, i.e.:
open("task2.out", O`enter code here` WRONLY | O CREAT, 0644);
We will verify with command line tools, e.g., openssl dgst -sha256 task2.out.
Question: How many texts did you have to hash to find a specific hash? (give average of three trials)
I am not able to understand how to start writing my program. Any inputs are greatly appreciated. As I am not solving it for a home work. I am looking for some pointers and not the code.

Well, reading the text to me its clear what is the task, and unclear which part you do not get. Where to start?
create a skeleton program like hello word
create a function that generates a random text
create a function that takes text and a hash-id, and uses openssl to hash it, returning the hash
create a function that extract the lower 24 bits of the hash
create function that takes the command line params and convert them to a 24-bit number that is the looked-for hash and the hash-id to drop at openssl (or exits with error indication)
run a loop that keeps feeding new random strings until the resulting hash matches the req and counts
write the winning text to file and the number to output
do all the remaining tasks from assignment...

The algorithm is well laid out by Balog Pal. Just to add a few things:
In one-way property, you are given a hash and you search for another text with the similar hash.
In collision-free property, you just need to find two texts with similar hashes. So you start by generating two texts and compare their corresponding hashes. If they are the same, you have found a collision. If not, you store the already generated hashes and then generate a new text, find its hash and Compare it with the stored hashes. if any stored hash matches with it, you have found a collision, else store it in the list of stored hashes. Repeat the cycle until you find a collision.
The python implementation of the same can be found at the below link. It includes minimum comments, so you have to figure out everything from the code. Once that is done, then try implementing it in C or java.
https://github.com/arafat1/One-Way-Property-versus-Collision-Free-Property/blob/master/HashProperty.py

Check a fingerprint in the database

I am saving the fingerprints in a field "blob", then wonder if the only way to compare these impressions is retrieving all prints saved in the database and then create a vector to check, using the function "identify_finger"? You can check directly from the database using a SELECT?
I'm working with libfprint. In this code the verification is done in a vector:
def test_identify():
cur = DB.cursor()
cur.execute('select id, fp from print')
id = []
gallary = []
for row in cur.fetchall():
data = pyfprint.pyf.fp_print_data_from_data(str(row['fp']))
gallary.append(pyfprint.Fprint(data_ptr = data))
id.append(row['id'])
n, fp, img = FingerDevice.identify_finger(gallary)

There are two fundamentally different ways to use a fingerprint database. One is to verify the identity of a person who is known through other means, and one is to search for a person whose identity is unknown.
A simple library such as libfprint is suitable for the first case only. Since you're using it to verify someone you can use their identity to look up a single row from the database. Perhaps you've scanned more than one finger, or perhaps you've stored multiple scans per finger, but it will still be a small number of database blobs returned.
A fingerprint search algorithm must be designed from the ground up to narrow the search space, to compare quickly, and to rank the results and deal with false positives. Just as a Google search may come up with pages totally unrelated to what you're looking for, so too will a fingerprint search. There are companies that devote their entire existence to solving this problem.

Another way would be to have a mysql plugin that knows how to work with fingerprint images and select based on what you are looking for.
I really doubt that there is such a thing.
You could also try to parallelize the fingerprint comparation, ie - calling:
FingerDevice.identify_finger(gallary)
in parallel, on different cores/machines

You can't check directly from the database using a SELECT because each scan is different and will produce different blobs. libfprint does the hard work of comparing different scans and judging if they are from the same person or not
What zinking and Tudor are saying, I think, is that if you understand how does that judgement process works (which is by the way, by minutiae comparison) you can develop a method of storing the relevant data for the process (the *minutiae, maybe?) in the database and then a method for fetching the relevant values -- maybe a kind of index or some type of extension to the database.
In other words, you would have to reimplement the libfprint algorithms in a more complex (and beautiful) way, instead of just accepting the libfprint method of comparing the scan with all stored fingerprint in a loop.
other solutions for speeding your program
use C:
I only know sufficient C to write kind of hello-world programs, but it was not hard to write code in pure C to use the fp_identify_finger_img function of libfprint and I can tell you it is much faster than pyfprint.identify_finger.
You can continue doing the enrollment part of the stuff in python. I do it.
use a time / location based SELECT:
If you know your users will scan their fingerprints with more probability at some time than other time, or at some place than other place (maybe arriving at work at some time and scanning their fingers, or leaving, or entering the building by one gate, or by other), you can collect data (at each scan) for measuring the probabilities and creating parallel tables to sort the users for their probability of arriving at each time and location.
We know that identify_finger tries to identify fingers in a loop with the fingerprint objects you provided in a list, so we can use that and give it the objects sorted in a way in which the more likely user for that time and that location will be the first in the list and so on.

What is cheaper: cast to int or Trim the strings in C++?

I am reading several files from linux /proc fs and I will have to insert those values in a database. I should be as optimal as possible. So what is cheaper:
i) to cast then to int, while I stored then in memory, for later cast to string again while I build my INSERT statement
ii) or keep them as string, just sanitizing the values (removing ':', spaces, etc...)
iii) What should I take in account to learn to make this decision?
I am already doing a split in the lines, because the order they came is not good enough for me.
Thanks,
Pedro
Edit - Clarification
Sorry guys, my scenario is the following: I am measuring cpu, memory, network, disk, etc... every 10 seconds. We are developing our database system, so I cannot count with anything more than just INSERT statements.
I got interested in this optimization because the frequency off parsing data. Its gonna be write once - there will be no updates over the data after it is written.

You seem to be performing some archiving activity [write-once, read-probably-atmost-once] (storing the DB for a later rare/non-frequent use), if not, you should put the optimization emphasize based on how the data will be read (not written).
If this is the archiving case, maybe inseting BLOBs (binary large objects, [or similar concepts]) into the DB will be more efficient.
Addition:
Apparently it will depend on how you will read the data. Are you just listing the data for browse purpose later on, or there will be more complex fetching queries based on the benchmark values.
For example if you are later performing something like: SELECT * from db.Log WHERE log.time > time1 and Max (Memory) < 5000 then it is best to keep each data in its original format (int in integer, string in String, etc) so that the main data processing is left to DB server.

Generate unique pin numbers (6 digits) using current time and username + password?

I need to use current time because later on, another program will need to know when I generated the pin and whats the username and password.
Summary:
Username + password + current time = pin [6 digits]
Reverse, generated pin, I need to know which particular, and check if its already pass 1 minute.
I am not asking for direct code, but I need to know the best, not say best, good way/algorithm for it. Thanks (btw, I am cpp beginner)
EDIT:
I am sorry for not making things clear. Actually, I dun need the OTP, after generated the pin, the other program will need to run like this: validate {username} {password} {pin}

999999 minutes, gives ~694 days, ~1.9 years. So if you used all the entropy available just for recording the current time, you'd cycle the value in less than 2 years.
And things will be much worse if you want to include the username and password, and avoid easy guessing.
With 6 decimal digits, you can store about 19 bits of data. So you'll have to make sure that you have strong anti-brute-force protection on your server end, otherwise it'll be trivial to try all possible combinations.
One-time passwords do not have internal decode-able structure, they are typically used in addition to a normal password to act as a second factor in authentication. Then can be based on the time as you are suggesting, but are not reversible - the other end also has the secret key, and can generate the possible list itself.
So, for example, as well as entering a username and (normal) password, the user enters the value from a token, which is generated as AES(secretkey, currentminute), and the server computes AES(secretkey, currentminute) and AES(secretkey, currentminute-1) etc, to compare the value against. It might also record which token matches, so that it records an estimate of the token's clock accuracy, which allows some drift of the token's clock, as long as it's used frequently enough. To work out how to best use the 19 bits you have in a 6-digit pin, you'll need someone who is a real cryptographer - as I would guess that taking a simple truncation might be in-secure.

Promoted my earlier comment to an answer, as an afterthought:
I'm pretty sure it is deceiving to call this 'otp'. OTP is purely random and secret.
What you describe is a simple hash.
You could
MD5(username+password_hash+(seconds_past_1970%60))
I'm sure besides using public key encryption instead of the password, this is more or less how RSA keys do it.
Edit Oh yes: it will be pretty trivial to generate 6 digits from the resulting hash :)

How can I obfuscate/de-obfuscate integer properties?

My users will in some cases be able to view a web version of a database table that stores data they've entered. For various reasons I need to include all the stored data, including a number of integer flags for each record that encapsulate adjacencies and so forth within the data (this is for speed and convenience at runtime). But rather than exposing them one-for-one in the webview, I'd like to have an obfuscated field that's just called "reserved" and contains a single unintelligible string representing those flags that I can easily encode and decode.
How can I do this efficiently in C++/Objective C?
Thanks!

Is it necessary that this field is exposed to the user visually, or just that it’s losslessly captured in the HTML content of the webview? If possible, can you include the flags as a hidden input element with each row, i.e., <input type=“hidden” …?

Why not convert each of the fields to hex, and append them as a string and save that value?
As long as you always append the strings in the same order, breaking them back apart and converting them back to numbers should be trivial.

Use symmetric encryption (example) to encode and decode the values. Of course, only you should know of the key.
Alternatively, Assymetric RSA is more powerfull encryption but is less efficient and is more complex to use.
Note: i am curios about the "various reasons" that require this design...

Multiply your flag integer by 7, add 3, and convert to base-36. To check if the resulting string is modified, convert back to base-2, and check if the result modulo 7 is still 3. If so, divide by 7 to get the flags. note that this is subject to replay attacks - users can copy any valid string in.

Just calculate a CRC-32 (or similar) and append it to your value. That will tell you, with a very high probability, if your value has been corrupted.