7 Cryptography Concepts EVERY Developer Should Know
Cryptography is scary. In this tutorial, we get hands-on with Node.js to learn how common crypto concepts work, like hashing, encryption, signing, and more fireship.io/lessons/node-cryp...
🔗 Resources
Full Tutorial fireship.io/lessons/node-cryp...
Source Code github.com/fireship-io/node-c...
Node Crypto nodejs.org/api/crypto.html
📚 Chapters
00:00 What is Cryptography
00:52 Brief History of Cryptography
01:41 1. Hash
04:07 2. Salt
05:47 3. HMAC
06:35 4. Symmetric Encryption.
08:19 5. Keypairs
09:29 6. Asymmetric Encryption
10:22 7. Signing
11:31 Hacking Challenge
🔥 Get More Content - Upgrade to PRO
Upgrade to Fireship PRO at fireship.io/pro
Use code lORhwXd2 for 25% off your first payment.
🎨 My Editor Settings
- Atom One Dark
- vscode-icons
- Fira Code Font
🔖 Topics Covered
- Cryptography for Developers Basics
- Crypto algorithms: SHA, MD5, argon2, scrypt
- How password salt works
- Encryption vs Signing
- Difference between Asymmetric vs Symmetric Encryption
- How hacking works and hacks are prevented
I really appreciate that you came back on your past mistake of using md5
This makes me happy, even if my original comment on the matter got deleted lol
and he has used it for the hacking challenge, very clever..no one thought that you'll use md5 again after correcting the past video mistake 😂😂
Whoops
I was thinking "dude... MD5 was unsafe when I was in senior high 15 years ago..." 🤣 Good thing he owned up to his mistake 👍
@@yassin_eldeebHe did that to give the proof that md5 is outdated
9:44 Actually, HTTPS uses asymmetric encryption to establish the identity of the parties and to exchange a symmetric key. Then symmetric encryption is used since it's faster
u right
I'm always doing that with my networking code, but I still don't understanding signing. So I simply require the client to give a shared password to the server to confirm its identity. If password is wrong for whatever reason or isn't provided in time, the thread simply raises an error and the client is kicked out from accessing the server in any way.
Came here to say this. It's just used for the handshake.
@@FinlayDaG33k so that means TLS uses asymmetric encryption, right?
@@gravy1770 asymmetric to establish the shared secret before swapping to symmetric.
So whose password are we collectively brute-forcing for you in the challenge? :D
😂😂😂 Good question 😂😂😂
Hahaha
loool 🤣🤣
It's probably the lifetime account password, if you crack it is yours
😂😂😂 I did not see it that way at first but you make a lot of sense
How to create a great KZhead channel? Step 1: automatically know what the viewers want in the next video Step 2: squeeze the complex content in shortest possible duration Step 3: throw in some smooth humour without changing the tone Step 4: throw in some cool animations Step 5: use dark background 💯% perfection!
This comment need to be pinned
PX ODLT HXDABNUO 9 Let's see if you guys can decrypt this message.
@@eliasziad7864 rickroll would have been funnier
@@shokifrend77 First tell me what the message said?
Can't get more accurate ♥️
Once you deep dive into cryptography you find that, even the strongest encryption algorithm in the world is weak if the user input is weak. The best course of action is to have an input that does not come from the user (I mean a generated password like a sha-512 hash). Ideally that entry is stored on the client device.
Garbage in... Garbage out
Definitely, only randomly generated or diceware are acceptable
yep
thats why 8 charcter is a standard
I started using password manager and updated most passwords to unrememberable computer generated ones.
Jeff wants to crack his girlfriend's password and put it as a challenge on his youtube channel. Well played bro!
I think he's married
@Daniel Vilela, 😂
@@ayushverma5151 wife then it is
10 hours of this topic at uni and I understood things about 80% of the way. I'm confident that if I watched this I would've been at 100% in 12 minutes.
Hi how's the journey so far? Where can I get the 10 hrs lesson?
@@cybermoneyxchange3230 at uni
@@berb_yt This is what I'm experiencing right now :>
They teach most things so slow that it becomes impossible to understand
I always hate these comments tbh. It's just not possible a general, brief overview to give you more than 10hrs of uni classes. Idk if you were sleeping or drunk in class, but even though this video is great, it's simply not able to cover that much info in 12min. Hope you've learned how to pay attention.
I’m currently taking intro to security and this is exactly what we are learning. Thank you for explaining it so succinctly and with amazing visuals and code
Thanks for making theses videos. You're creating a mind map for developers to get a grasp of the vast technology landscape - props to you, your content is truly unique and high quality too.
Another important feature of hash algos is that similar inputs yield very different outputs, that way, you cannot guess that your getting close.
Awesome sum up of crypto concepts for developers in under 12 minutes, really to the point, impressive
The quality of this video is literally perfect...
loved every minute,
Every fireship's videos are perfect haha
@02:08 you said that the hash is unique , given that the result has a fixed length you can't map infinite strings to a fixed length string without loosing unicity
Good point, "unique as possible" would have been a better phrasing.
Its unique for all practical purposes for the modern cyphers uses today. Afaik for SHA256 no one has ever been able to find a collision. That being said you are correct in that any hash by definition cannot be injective.
@@yakov9ify Yes , by definition hash functions have low probability of collision. And like you said they are surjective functions
Well yes, that is what is called collision. But the idea of a hash is also that collision is hard to find (with a systematical method other than sheer brute force). Different input can be mapped to the same output. However, even the slightest change in the input (say, a bit flip) will change the output significantly. This, makes finding two input with the same output quite hard.
There's also the matter of that text converted to bytes which is then hashed, it's unlikely if there is a collision that the input can actually be created from the bytes from text, so there's some accidental security there. However random bytes which are hashed lack this "feature". If there is a collision with text inputs it's also likely that the password used is weaker than the other input that returns the same hash, so there's no downside.
I think this the first KZhead video where I actually set playback time to value lower than 1
I really love every single video you post, they're so useful but this one... Wow! Thanks for sharing your knowledge 🤙🏼
Perfect! the video is upto the point - explaining all the concepts needed for a newbie to dive-in!
The quality of content and the presentation of it keeps getting better with each video. I cannot be any more thankful to you than I already am for putting this out for free. I've learnt tons from this channel.
I second that!
@ around 02:12 argon2 is listed as a hashing algorithm. It's more accurate to refer to it as PBKDF (Password Based Key Derivation Function), especially since you stated that hashing algorithms need to be fast to compute. Argon2 doesn't fit that description. It's acceptably fast to compute (It's orders of magnitude slower than say sha256) and that's by design, so that it becomes unfeasible to brute force them. It's also designed to account for increases in computational power over the years as you can make it harder to compute by increasing the amount of memory used to generate the derivative.
i’ve noticed this in my api. I use 512kb of memory to hash and store user passwords but 128kb for api keys. it takes the server about 1.5 seconds to hash using 512kb which isn’t unreasonably slow but compared to sha256 or bcrypt, it’s like a snail. verifying api keys on each request with just a hash is also somewhat computationally intensive so that’s why i dropped the api key memory to 128kb. somewhat decent security balanced with speed. besides, i’d rather have my limited permission based api key brute forced than my password
Great job on this video. Really awesome. I love the challenge at the end. Great content! Thank you for sharing.
You make hard concepts very easy. Thank you for the great contents.
Always makes my day when Fireship uploads. Keep up the amazing work, I learned so much from your channel and website. :)
I love your videos! You have perfect graphics and damn I love that upload schedule.
Nice video, it covers a lot of really important topics in a easy to understand way
I just started learning this and now you made a video about it You have the best timing
I'm subscribed to a f*ck ton of coding channels but this one is by far my favorite! So straight-forward and highly informative with a visual to complement it! I love how you explain a concept and then will proceed on with various examples as well as implementations. Keep it up bro!
Very good channel with to the point content, spiced up humor! Thanx!
It would be cool if you could create more videos like this to explain more every concept.. awesome work!
Great start. I'd also add that the Public/Private Certificate is actually used to negotiate a random symmetric key which is used once the channel is opened. Why? Public/Private encryption is SLOW. This would be a great segway into Diffie-Hellman key exchange.
Assembly in 100 seconds
You maniac
If he did a risc based architecture like ARM it might be doable
Assembly in 100 hours
Talking about assembly in a whole I mean all architectures including x86 and risc
that would be fun tbh
Amazing that timing attacks and initial vectors are explained!
Top tier content. This channel is what I am going to tell people to refer to for any web related knowledge.
This is one of your best videos, hands down. Thanks for sharing Jeff!
A whole semester saved by this man, thank you brother
Thank you for the great tutorial. I like this hands-on approach!
my god. that was the best Cryptography video I've ever watched 🔥
Exactly what I needed to get started with a user account system for my website. Thanks lots!
For school or just knowing the basic, that ok, but you should not implementing your own authentication system in a real product
watched a couple of videos... top notch on pacing and editing! (and humor).
dude you are awesome, I read a book called Mastering bitcoin and I understood most of this but you just killed it in this short video as always. 🙌🏽
You made JS look like a pancake! I wish I could get a good JS course from instructors like you.
I've used hash but not salt. Thanks for bringing this to me Jeff
use salt & pepper
I hope you didn't do this in production dawg 😯
Thanks a lot, this is very useful! Please keep going! :)
The red light green light scene was subtle and terrific. Video taught me a lot as well as per usual.
Great vid, on RSA don't forget that it is getting really slow with increasing key size. This is why many providers are switching to elliptic curve cryptography ^^ That is way faster and needs smaller keys.
Also it's often implemented poorly when it comes to the generation of the required primes which leads to many public keys sharing prime-compartments
@@tobiasaddicks9695 exactly, but id say is a good video for beginners
Ohh never heard about this. I'm still use RSA 1024bit keys. Not that anyone would care to hack me so I'll just keep using it for now.
(Sorry for necroposting) I didn't want to go into details in my comment above, but there are multiple reasons why RSA isn't great nowadays. To make a short list: 1. You need quadratically increasing key size instead of linear increasing key size to get the same amount of security bits because of the reliance on prime numbers (AKA keys can get really big really fast and this will only get worse). 2. Key generation include a "brute-force" step, which makes key generate really slow. This is especially problematic for key exchanges, as this is a pattern seen in the wild. Apart from that, pretty much every operations is slower with RSA then with Elliptic Curves. 3. The way key generation work, your whole security model relies on the fact that your key is "probably" prime... 4. RSA design makes it a good target for timing attacks, depending on the implementation (this is also a reason why AES is slowly getting phased out in favor of chacha20) 5. RSA is badly broken with quantum computers because of Shor's algorithm. The danger with quantum computers isn't that they're so fast they could bruteforce any cryptographic primitives that classic computer can compute, it's more that quantum computers gets access to new quantum algorithms that can solve some previously "unsolvable" mathematical problem with way more ease then classical computers, so not all primitives are affected the same way.
Quantum computers that can run Shor’s algorithm are vapourware, and destined to remain that way indefinitely.
You've summarised entire Internet Security lessons in 11:54 minutes of video. It's incredible 💪
The mailbox analogy for public/private key is quite brilliant! Good job
Finaly a video in which the half is not clickbaity claims and explaining what the Byte is ❤ Thank you 🙂
how do you do those animations at the beginning of every video? it looks so awesome, this is killing me for the last few months
Check out his second channel 'Jeff Delaney' he provides some good insight over there!
Awesome to include HMAC and what it's used for. Unfortunately, it could be made more clear what the actual difference between hash and hmac is, as it is a common mistake to use hashes where hmacs should be used.
what are the different use cases for a hash vs hmac?
@@kylector The use case for regular hash functions is to provide data integrity. If even one bit changes in the data, then when you run it through the hash, it would be very obvious the data was altered. The use case for hmac is to provide data integrity but also to provide authentication; AKA verifying the data was sent from the right person. This is because only the person with the correct password can produce the hash of the message they sent you.
Just thinking about cryptography 1 hr ago . This guy is a magician . First I share fireships video than I start watching it
I've been a developer 20 years and never seen this topic explained so simply. Even I learned something.
My diploma project is to make hash function for cryptography I took the 256 hash and 512 hash and my collage accepted it ,it was just hashing the hash function again
On a side note, the salt works because it makes those rainbow tables useless. It also forces you to make a new table for every user since they all have their own salt. However, storing the salt like that is also not ideal because it makes it easier to use when generating your own tables. So when computing catches up you're more vulnerable in case of a data leak. Best is to also store those salts securely using for example a private key that rotates (updates). Although almost none of us need that level of security it's still fun to think about.
If a hacker just splits the hash like he did in the code. Isnt that the same as having no salt at all?
@@flodderr yep seems like it.
Joining them with “:” it’s like hinting it a la captain obvious 5:44
You are so smart...knowing every aspect of this industry Respect bro
This helped me a lot when building my own secure signup/signin functionality :) also came in handy when generatinh hash for account activation emails
I believe browsers do not encrypt using the certs public key, and then the server decrypts. The TLS protocol let's browsers and web servers establish a symmetric key which is used to encrypt and decrypt traffic.
"Angular is the best" - Jeff (2nd November 2021)
Thank you for the great content! 🙏
Great content 👌 keep up the good work 👏
You just summarized my 3 month university course into 12 min 😂😂😂. I completely love your videos ❤️
hackers would watch this in reverse
Great content, keep up the great work. Nobody Boo this man!!
very helpful to undersand basic crypto concets in short time.
7:45 AES: Advanced Encryptation Standard: many hashes for the same text. 8:30 Public Key Cryptosystem: public key and private key. 9:30 Asymetrics encryptation: https; RSA + SHA.
One great book about cryptography and steganography (similar techniques to the bald guy moment) is "The Code Book" by Simon Lehna Singh. Highly recommend it as it explains the evolution of this "math thing" from the beginning to our days in a very intuitive and easy-to-understand way.
Nice and concise 😊 Thanks
This couldn't have come to me at a better time. Thanks!
Haha, that challenge was fast Edit: Also, adding to the awesome video, cryptography, no matter how strong the math behind it is, if badly implemented will still be vulnerable.
How did you solve it?
@@soumyajitdey5720 check the hash type and then use a well known weakness for those hash. It is quite trivial and it shows the point of salting. Spoiler warning!!! . . . . . . . . . . . It is MD5 without a salt and then you just use a lookup table.
@@YandiBanyu great! Was thinking along the same lines but you were quicker 😂 Good job! 👏
@@soumyajitdey5720 I didn't get the challenge either lol. Watched the vid 6 minute after release and the challenge were already solved.
Hmmm, That was a lot to "digest"
Thanks for putting this up.
I needed this video thank you!
So early that it's still 360p
I like how no one in the comments mentioned the "the british are coming!" Reference haha
Pretty sure if he had put “Let’s go Brandon” there would’ve been some response
the timing safe equals was a nice touch
always have very little understanding the pub and priv key pairs until now. thank you for the mail box analogy. it helps clearing the concept cloud...
While I find all Fireship channel's videos useful, this one was especially helpful to me as it allowed me to finally dissolve my chronic confusions about Crypto concepts and gain nice clarity. I found your use of simple yet concrete hands-on examples, your logically moving from one concept to the other (while comparing and contrasting each), and your use of memorable analogies very helpful. Thanks for the good work. God bless.
I'm so early that the video is in 360p edit: superhacker
Sa.e
If you store the salt appended to the password like that in the database. And said database gets hacked. Isnt it then super easy for the hacker to do the same split on the colon and run the password hash against the rainbow table again?
The salt is appended, but then gets mixed together with the password during the hash, so in the final result hash it's all jumbled together. There's no easy way to split it out.
@@chrissdehaan yea but then he appends the salt to the hashed password and pushes that to the DB. So a hacker has the salt anyway if he sees a colon in the value
@@flodderr It's not quite in that order. It doesn't go: 1) Hash 2) Append salt It does go: 1) Append salt 2) Hash The salt is appended to the password first, then that whole string is hashed next. That means the salt mixed around through the whole result, and can't be seen or split out easily.
@@chrissdehaan I understand what you're saying but look at his code again. On the 2nd line of the signup function he does exactly what you say. But then on line 4 of that function he makes a user variable to push to the DB that exists of again the salt + the hash of salt with password. Im confused why he does it like that
By far my fav channel on KZhead 😍
We want more of such challenges!
You know you're among the first viewers when you have to watch it in 360p lol 😂
Nice vid 🔥 But I can’t get one thing. Why did you use fixed separator (:) for storing hash and salt? Isn’t it oblivious for the attacker which part is what. Mb better option will be to use fixed length?
Sure it is oblivious. But to generate the resulting hash, you need to add the salt. This means that a password if hashed (say "abc") will be the result of "abc"+salt. Now if each user has unique salt, it means lookup table attack is pointless and the hacker need to attack each hash independently.
@@YandiBanyu and i believed all the time, we should not save Salt in the DB. Just have it in the Application Ram. So if the Database lost. the Salt is independent..
@@mikelinsi Well, the problem with that is, if you have an upgrade to your application, those salt are lost. Remember, to check the password you need the salt and then hash them then compare the result. Without salt, you cannot check the user anymore. Also, you should use different salt for each user.
It was used as an example. One should use fixed size salts for the reason you showed.
It's just a technical detail. If the salt and password lengths are constant, a separator wouldn't be needed. Or they could even be stored in different columns. Doesn't really matter. Also, if using a single field that combines the salt and the hash, trying to depending on an attacker not knowing where in the field the divide is would be a type of security-by-obscurity, which doesn't work anyway, so you might as well put the separator there, for your own convenience.
I am so happy to see this video after the great API video that had the big MD5 problem ;)
thanks. this really helped me understand
I have a midterm for my IT Security class literally tomorrow, this video came out at the perfect time and was a great little review for me. How does Fireship always know exactly what I want when I want it?
Jeff is a friend of Zucc so he has all of our data and runs a simulation of all of our brains in virtual machines and can thus determine exactly what video everyone wants at any given time.
4:53 for the people confused on this (including past me), scrypt is not just a function for salting hashes, it also takes longer to compute (which it does by basically running SHA a bunch of times). It still only takes a few hundred milliseconds, so it can still be used, but it makes brute force attacks significantly harder.
Um that was a whole month of reading articles on cryptography and you summarised that in 10 mins :_) appreciate your skill
3:30 thanks for mentioning argon2 - didn't know about this 5:30 timingSafeEqual to prevent timing attack - wow, i had thoughts about that (timing attack) but didn't know it was a real thing
2:13 -ish. Is "a hash of a hash" more secure than just a simple single "hash"? secret --> hash_1 --> hash_2 is hash_2 more secure than hash_1 ?
Yes. For example, I saw a PHP password algorithm using MD5, which sounds bad. But it iterates the hash 8000 times, which is good. Not suitable for cryptographic message hashes, but good for password hashes.
Hello, I'm new to Biticon trade and l've been making huge losses but recently i see a lot of people earning from it. Please can someone tell me what to do?
@Kelvin Well, you are saying the fact. I invested $4,000 with Mrs Annabelle Hartfield , and earned $12,000 in 7 working days.
In Bitcoin investment, determination to take risk is one of the major factor required because it takes a brave heart to make money this days.
Being a newbie in Bitcoin investment and trading is very discouraging but since I met Mrs Annabelle Hartfield , she has really been careful in handling my investment.
Many people are afraid to be invest because of the Scammers in the business
Yes there are scammers in the business just like it's in every other business but there are also legit brokers out there for investors and Mrs Annabelle Hartfield is one of the real and legit brokers out there.
Very enlightening, I will sub to your channel and look to see if you have a video on packeting data.
*The Perfect Video That Gives An Abstract & Well Defined Summary About Cryptography, Another Thing I Like About The Videos You Make Is That You Don't Waste Any Time On Unnecessary Details & Make Quality Content*
It‘s easier to understand the concept of public key, when it is represented with a padlock symbol, rather than a key. The private key then unlocks the closed padlock.
You forget main technology of widely used by both government agents and theirs not so legal opponents for decryption. Thermorectal cryptanalysis is very effective, fast, eco-friendly (because it uses really energy efficient hardware, 50 watt decription device is powerful than enough for most situations) and required relatively low qualification for operators.
What are u talking about? Xd
Haha thermorectal, all your secrets belong to us 😂
oh wow! Thank you so much for this!
Hi! This is. so cool! How would it be if you guys made a playlist called "Every dev should know"??
Laravel in 100 seconds
I'm actually tired of worrying about stocks...it's driving me nuts these days,I think crypto investment is far better than stock..
Stocks are good but crypto is more profitable
I'm new to forex trade and I have been making huge losses but recently see a lot of people earning from it.can someone please tell me what I'm doing wrong
@@evelynhannah3147 All you need now is a professional broker else you gonna continue blowing of your account
Mr Dennis services is working for me at the moment and am making good profits from forex and crypto trading.
@@jeremysanchez5545 Same here, it’s four months now I started investing with him and it's been good experience
This is great. Good explanation.
Great video! You are the best!
A video on making a portfolio website pls. 😭
Maybe search first next time? kzhead.info/sun/hJt6f9qPp3uMe40/bejne.html