I want to meet this man. I feel like I could hear him talking from hours and not get bored.

....I honestly get the feeling that Dr. Pound is wildly more intelligent that we realize or he portrays and he always seems like he has to hold back just a bit so he doesn't inadvertently say too much. Like, there is a line that shouldn't be crossed with regard to explaining things and he is constantly dancing with that line and at times has to stop for a moment and think "Ok, right, where am I?....oh, right, ok we can go further" lol Anyone else get that?? Hes awesome man.

Dr. Pound! This guy could read me his shopping list and I would still watch it

Absolutely love these computerphile videos. To the team: please do not stop making more videos!

This bloke is a well-rounded pundit of computer science--vision, cryptography, algorithms, all the good stuff.

The encryption related Computerphile videos are some of my favorite.

Great video. I love Mike Pound - he is my favorite person on computerphile

HE'S BACK! ALL ABOARD THE TRAIN TO POUND TOWN...

This guy is my favorite!

make a 2 hour video with this guy, i could listen to him all day

Please sent Mike £100

Love this series, but could you please cover Elliptic curve Cryptography? I feel like this channel explains everything the best, so it would be much appreciated.

This video seemed to end without much of a conclusion...

Well, do not forget AES CBC is weird, it’s a block cipher, though because of the XOR chaining you can also do this there

just had an hmac nightmare, this came a bit too late

Switching off is probably not what anyone has ever done that clicked on a Computerphile video, especially with Mike.😁

Someday you should do a video on AEAD, which is more modern than plain old Stream cipher.

Mike is implicitly asking us to send him £100

I didn't even know HMACs existed until I came across them at work - it's good to know a bit more about them.

I like the way how he comes to the topic, it's brilliant Mike!!!!

The seccond method can actually be just as secure if it is guaranteed that none of the valid messages can be a simple concatenation of 2 or more other valid messages. The easiest way to guarantee it is just to always put a total message length block somewhere inside the protected message. This method is a little bit faster than the HMAC.

Something I didn't understand. Around 5:00, after introducing the first "naive" solution to the problem of tampering the stream cipher - i.e. computing a hash - Dr. Mike rejects this immediately because the middle-man can easily tamper the message and then compute a hash. what I don't understand is how can he compute the hash of the unencrypted message? All he has is the encrypted message, and if the hash is of the un-encrypted, how can he compute this?

This guy is awesome. Make sure he keeps on making us videos!

its said if you can explain something in simple words, you dont understand the concept. But you sir are just a marvel. Thanks alot.

I have an exam in computer security coming up soon. These videos are golden

Dr. Mike is the best! And this totally reminds me of the Office, especially with the personal interviewing and the random zooms and close-ups 😂 I also love the washing machine animation!!

5:13 But why don't we encrypt the checksum too? In other words be append hash of the message right *before* we do the encryption

Is it wrong to feel kinda in love with him? I might have completed my studies if he were my teacher.

This is the most amazingly clear and concise explanation, thanks

I feel like these videos always just scratch the surface and don't go in depth too often. I really would like to see some in depth content for the loyal subscribers!

these guys are legends

You're helping me so much studying for my Security+ exam!!!!

Hash length extension attack video ?

idk why but this reminds me of the office

How are you able to explain topics so easily.Seriously, it seems like child's play when I understand things like this

Should have watched this video before my midterm...finally I feel like I know something. Thanks!

0:53 Left upper corner, that ghost cube :D

Actual HMAC stuff starts at 4:00 Until then, he's pointing out flaws with substitution in a stream cipher.

I have a big ask. It may take several videos but I should love to see a simple but complete differential cryptanalysis. And a set on linear cryptanalysis. We hear about it all the time but it means very little to most of us. There are many books on it but these are hard to follow, a video would be much easier and better. Thanks! If you do it I shall sent a much bigger 'thank you', capital letters and all!

What about video encryption is this stream cypher?

I freaking love this dude. Why aint this guy my teacher.

I like the videos that Dr. Pound does on cryptography and cryptoanalytics, but it would be nice if he could get into more of how the math works behind the concepts. Not just describe the variables.

The captions on this aren''t great, any way for me to edit?

I think in the video, we were shown this as a non-working solution: encrypt(message)|hash(encrypt(message)) Why couldn't you do this: encrypt(message|hash(message))

From 6:10 to 6:42 I got completely lost. I didn't understand what you were talking about and also couldn't make out some words. Could somebody explain it to me or just point me to the video I missed to understand that?

06:33 would adding length of message (excluding added length) in message prevent append attack?

So I guess the length extension video never came out sed.

I like the void cube and ghost cube on the shelf. :D

Thanks. Studying for CISSP. I just subscribed!

Gotta love the paper he uses with the sprocket holes. Who does that ?!?! LoL

Well done ! really enjoyed your video.

I've really enjoyed these videos that are related to information and security! I was wondering though, could you guys could make some videos in the "Essentials" series that cover the basics of those topics?

Great video! Can you also do one talking about HMAC-before-encrypt vs encrypt-before-HMAC? encrypt(message)|hmac(key,encrypt(message)) vs encrypt(message|hmac(key,message))

thank you for that brilliant video!

DONT QUIT THE VIDEO JUST YET 😂

Why do I get the feel that this guy was a car mechanic in a previous life?

You can see at 5:44 the spider bite in Tobey Maguire's hand

Is this part of a series? He mentions the SHA video as if I'm supposed to have seen it before, but I can't find an official playlist with computer security related videos från computerphile.

Someone just flipping bits like that doesn't have the old message or the new message to compute the hashes from. Plus the hash itself is likely to be encrypted. Here, it comes down to how much power you think the attacker has. If he can read all your messages and correctly guess all your keys, you're sunk anyway because he can do whatever he wants.

thanks a lot this helped me in studying hmac for my exams

So, the outerpad and innerpad are just arbitrary constants that are used to derive the two separate keys which are then used to hash the message authentication code?

You say hases aren't for disks, but I'm pretty sure full disk encryption needs to have something like that... I remember hmacs being mentioned in the WiiU external drive encryption scheme...

Does anyone know, what's inner pad and outer pad which he mentions at 8:10?

Whose videos are referenced in the bit about hamming distance at 8:50, Dave Brelson is the best I can make out...

This guy couldn't look any more mischievous if he wore a black henchman's mask befitting a 70s' Batman episode.

There's no video about the length extension attack yet if i see right :(

I'm a newbie, is hmac reversible?

The questions of the guy with the camera don't sound very clearly..

what exactly stops us from doing h(m|k) as opposed to h(k|m)? we don't need to worry about resuming the internal state of the hash function because that would only allow us to append to the key, not the message

There is a guy named Please who pleases Mike. Anyways, what is special about CMAC and Poly1305?

Did i miss something or he never mention how we gonna send the shared secret key to the other person ?

I was just writing in the middle of writing an RFC6238 TOTP in C++ (because I can't find any that compile in Code::Blocks to run in cmd.exe. Obviously over on Linux its all just works.)

What software did you use to make this animation?

How do the sender and receiver get same key? Do they use key exchange protocols?

Wait a sec? So a Block cipher changes multiple bits? so if I changed a single letter/bit, in the message that in turn makes the entire message of letters before and after get altered also??? I know of alot of coding systems but as far as I'm aware I think everything usually is 1 to 1, example if we used Enigma 1 letter in 1 letter out sorta like a substitution! If we Transposition it then the same amount of letters move around, If we playfair it then we still end up with same count of letters, in fact I can't think of any 1 situation where 1 plaintext letter is fully responsible for keeping the entire rest of the message mathematically in tact The only thing I can think of is... if you Take 8 Letters that are 8 Bits long in Ascii and Put the rows of numbers 1 by 1 under until you get like 8x8 thus 64 bits but instead grouping all the 1st bits and making an Ascii character out of then then all the 2nd bits until all 8 is done then substitute that maybe along with a 1 time pad, then I can see how maybe by chance changing 1 Ascii can sometimes Affect many characters, unless I'm not seeing something here? So example lets say A=001 B=010 C=100 R=111and our word was Cab then 100, 001, 010 if stacked could be 100, 001, 010 which doesn't change anything but lets try BAR, 010, 001, 111 we get now, 001, 101, 011 now this is kinda neat because we have new numbers which might be mapped to a question mark or something if this was 8 bit ascii but then math to it could change it yet again. I can't 100% see how a single change normally can affect the outcome of how a message works, but I can see in my example how sometimes hit or miss it can affect the entire message! I will have to look at block ciphers to maybe understand, but for most part from my experience the bulk of codes/encryption almost always is the Plain Text being heavily altered with some steps where if you isolated any letter usually, you get the plaintext of that specific letter! Equally speaking if deleting a letter anywhere or changing a letter anywhere also usually doesn't disturb a message most times in all of it's entirety. However what I can say is... if it is possible where 1 Letter is the only way to crack the code if unchanged and all characters have that exact same property and must be One! Then yes that would be 100% valuable and secure as you can just take that and put that through 1 to 1 ciphers knowing there was a step involved that binds all of them together as a whole as one unit.

YAY he finally solved the ghost cube

So... do you HMAC then encrypt or encrypt then HMAC? And for the love of Turing, please clean your screen. :)

could you hash the message and append the hash before encrypting it and then verifying i after decryption, or are there any security implications that make that a bad idea?

Why we just hash before encrypt all together message and hash? we could not compute a new hash for the changed message since we would need to know the encryption key

The teaching is awesome and he explains greatly, but i can't help but to notice how every video seems like an episode from The Office

Thank you!

Psuedo?

I've seen SHA512 being used as a hash function. Does it have the same flaws as SHA256?

need more !!!

so why not just use digital signatures? when would we use HMAC as oppsed to using signtures?

"We can actually change the amount get sent, which unfortunately is a purely hypothetical example, I don't actually get any money" 😂

If I create a hash of the message and append that to the end of the message and stream cypher the whole bytes stream (message + hash) it will make things harder to change the message.

But how would you share the key in secure way?

is it just me or are they spelling "pseudo" as "psuedo"?

why not just append a salt and signature of the message+salt after that BEFORE applying the cipherstream? The attacker could change the message, but they're going to have a pretty hard time guessing what the salt is to compute the hash and even if they did they wouldn't be able to XOR it to the state the recipient expects.

Why doesnt this work?: encrypt(message hash(message))

CBC mode for block ciphers

I've used you guys so often in my degree, can you guys start a Patreon so that myself and others can donate?

Why not just append the key to the end of the message before taking the hash instead of prepending it to the beginning? Wouldn't that solve length-extension?

Doc Pound is my jam

If we insert the hash (k1|m) at the start of message itself won't it also solve the problem? May be it s not efficient to prepend than append but i think it'l also solve the problem, but i would like to know your opinion

Why not just do SHA2( msg | key ) and not SHA2( key | msg ) like this the malicious appends can only get SHA2( msg | key | malicious ) but the check will be made SHA2( msg | malicious | key) ?

It's David Brent!!!

What if instead of appending the key you prepend the key. It's secret so no one would know what the state would be after the key.

Helps me study for CISSP, thanks!