I want to meet this man. I feel like I could hear him talking from hours and not get bored.

....I honestly get the feeling that Dr. Pound is wildly more intelligent that we realize or he portrays and he always seems like he has to hold back just a bit so he doesn't inadvertently say too much. Like, there is a line that shouldn't be crossed with regard to explaining things and he is constantly dancing with that line and at times has to stop for a moment and think "Ok, right, where am I?....oh, right, ok we can go further" lol Anyone else get that?? Hes awesome man.

Dr. Pound! This guy could read me his shopping list and I would still watch it

This bloke is a well-rounded pundit of computer science--vision, cryptography, algorithms, all the good stuff.

Absolutely love these computerphile videos. To the team: please do not stop making more videos!

Please sent Mike £100

The encryption related Computerphile videos are some of my favorite.

make a 2 hour video with this guy, i could listen to him all day

HE'S BACK! ALL ABOARD THE TRAIN TO POUND TOWN...

This guy is my favorite!

This video seemed to end without much of a conclusion...

Great video. I love Mike Pound - he is my favorite person on computerphile

This guy is awesome. Make sure he keeps on making us videos!

I like the way how he comes to the topic, it's brilliant Mike!!!!

This is the most amazingly clear and concise explanation, thanks

Love this series, but could you please cover Elliptic curve Cryptography? I feel like this channel explains everything the best, so it would be much appreciated.

Someday you should do a video on AEAD, which is more modern than plain old Stream cipher.

I have an exam in computer security coming up soon. These videos are golden

Actual HMAC stuff starts at 4:00 Until then, he's pointing out flaws with substitution in a stream cipher.

I didn't even know HMACs existed until I came across them at work - it's good to know a bit more about them.

Dr. Mike is the best! And this totally reminds me of the Office, especially with the personal interviewing and the random zooms and close-ups 😂 I also love the washing machine animation!!

You're helping me so much studying for my Security+ exam!!!!

Well, do not forget AES CBC is weird, it’s a block cipher, though because of the XOR chaining you can also do this there

its said if you can explain something in simple words, you dont understand the concept. But you sir are just a marvel. Thanks alot.

Is it wrong to feel kinda in love with him? I might have completed my studies if he were my teacher.

Switching off is probably not what anyone has ever done that clicked on a Computerphile video, especially with Mike.😁

I feel like these videos always just scratch the surface and don't go in depth too often. I really would like to see some in depth content for the loyal subscribers!

The seccond method can actually be just as secure if it is guaranteed that none of the valid messages can be a simple concatenation of 2 or more other valid messages. The easiest way to guarantee it is just to always put a total message length block somewhere inside the protected message. This method is a little bit faster than the HMAC.

thanks a lot this helped me in studying hmac for my exams

I've really enjoyed these videos that are related to information and security! I was wondering though, could you guys could make some videos in the "Essentials" series that cover the basics of those topics?

just had an hmac nightmare, this came a bit too late

thank you for that brilliant video!

Mike is implicitly asking us to send him £100

Should have watched this video before my midterm...finally I feel like I know something. Thanks!

Something implicit in the video: the key in a SC is the same length than the message. Fantastic expl. The guy is a genius

could you hash the message and append the hash before encrypting it and then verifying i after decryption, or are there any security implications that make that a bad idea?

Well done ! really enjoyed your video.

these guys are legends

How are you able to explain topics so easily.Seriously, it seems like child's play when I understand things like this

Thanks. Studying for CISSP. I just subscribed!

I like the videos that Dr. Pound does on cryptography and cryptoanalytics, but it would be nice if he could get into more of how the math works behind the concepts. Not just describe the variables.

I have a big ask. It may take several videos but I should love to see a simple but complete differential cryptanalysis. And a set on linear cryptanalysis. We hear about it all the time but it means very little to most of us. There are many books on it but these are hard to follow, a video would be much easier and better. Thanks! If you do it I shall sent a much bigger 'thank you', capital letters and all!

I freaking love this dude. Why aint this guy my teacher.

Is this part of a series? He mentions the SHA video as if I'm supposed to have seen it before, but I can't find an official playlist with computer security related videos från computerphile.

what exactly stops us from doing h(m|k) as opposed to h(k|m)? we don't need to worry about resuming the internal state of the hash function because that would only allow us to append to the key, not the message

So, the outerpad and innerpad are just arbitrary constants that are used to derive the two separate keys which are then used to hash the message authentication code?

Great video! Can you also do one talking about HMAC-before-encrypt vs encrypt-before-HMAC? encrypt(message)|hmac(key,encrypt(message)) vs encrypt(message|hmac(key,message))

Something I didn't understand. Around 5:00, after introducing the first "naive" solution to the problem of tampering the stream cipher - i.e. computing a hash - Dr. Mike rejects this immediately because the middle-man can easily tamper the message and then compute a hash. what I don't understand is how can he compute the hash of the unencrypted message? All he has is the encrypted message, and if the hash is of the un-encrypted, how can he compute this?

You say hases aren't for disks, but I'm pretty sure full disk encryption needs to have something like that... I remember hmacs being mentioned in the WiiU external drive encryption scheme...

If we insert the hash (k1|m) at the start of message itself won't it also solve the problem? May be it s not efficient to prepend than append but i think it'l also solve the problem, but i would like to know your opinion

I was just writing in the middle of writing an RFC6238 TOTP in C++ (because I can't find any that compile in Code::Blocks to run in cmd.exe. Obviously over on Linux its all just works.)

need more !!!

5:13 But why don't we encrypt the checksum too? In other words be append hash of the message right *before* we do the encryption

Helps me study for CISSP, thanks!

I think in the video, we were shown this as a non-working solution: encrypt(message)|hash(encrypt(message)) Why couldn't you do this: encrypt(message|hash(message))

why not just append a salt and signature of the message+salt after that BEFORE applying the cipherstream? The attacker could change the message, but they're going to have a pretty hard time guessing what the salt is to compute the hash and even if they did they wouldn't be able to XOR it to the state the recipient expects.

Gotta love the paper he uses with the sprocket holes. Who does that ?!?! LoL

What about video encryption is this stream cypher?

06:33 would adding length of message (excluding added length) in message prevent append attack?

I like the void cube and ghost cube on the shelf. :D

The teaching is awesome and he explains greatly, but i can't help but to notice how every video seems like an episode from The Office

There is a guy named Please who pleases Mike. Anyways, what is special about CMAC and Poly1305?

I've seen SHA512 being used as a hash function. Does it have the same flaws as SHA256?

The captions on this aren''t great, any way for me to edit?

Thank you!

0:53 Left upper corner, that ghost cube :D

Someone just flipping bits like that doesn't have the old message or the new message to compute the hashes from. Plus the hash itself is likely to be encrypted. Here, it comes down to how much power you think the attacker has. If he can read all your messages and correctly guess all your keys, you're sunk anyway because he can do whatever he wants.

Why we just hash before encrypt all together message and hash? we could not compute a new hash for the changed message since we would need to know the encryption key

How do the sender and receiver get same key? Do they use key exchange protocols?

YAY he finally solved the ghost cube

*Sees doc pound* *EXTERMINES THAT LIKE BUTTON*

I've used you guys so often in my degree, can you guys start a Patreon so that myself and others can donate?

There's no video about the length extension attack yet if i see right :(

Did i miss something or he never mention how we gonna send the shared secret key to the other person ?

Why doesnt this work?: encrypt(message hash(message))

This guy couldn't look any more mischievous if he wore a black henchman's mask befitting a 70s' Batman episode.

Does anyone know, what's inner pad and outer pad which he mentions at 8:10?

Why not just append the key to the end of the message before taking the hash instead of prepending it to the beginning? Wouldn't that solve length-extension?

So I guess the length extension video never came out sed.

so why not just use digital signatures? when would we use HMAC as oppsed to using signtures?

From 6:10 to 6:42 I got completely lost. I didn't understand what you were talking about and also couldn't make out some words. Could somebody explain it to me or just point me to the video I missed to understand that?

Why not just do SHA2( msg | key ) and not SHA2( key | msg ) like this the malicious appends can only get SHA2( msg | key | malicious ) but the check will be made SHA2( msg | malicious | key) ?

Hash length extension attack video ?

Why do I get the feel that this guy was a car mechanic in a previous life?

Doc Pound is my jam

DONT QUIT THE VIDEO JUST YET 😂

Wait a sec? So a Block cipher changes multiple bits? so if I changed a single letter/bit, in the message that in turn makes the entire message of letters before and after get altered also??? I know of alot of coding systems but as far as I'm aware I think everything usually is 1 to 1, example if we used Enigma 1 letter in 1 letter out sorta like a substitution! If we Transposition it then the same amount of letters move around, If we playfair it then we still end up with same count of letters, in fact I can't think of any 1 situation where 1 plaintext letter is fully responsible for keeping the entire rest of the message mathematically in tact The only thing I can think of is... if you Take 8 Letters that are 8 Bits long in Ascii and Put the rows of numbers 1 by 1 under until you get like 8x8 thus 64 bits but instead grouping all the 1st bits and making an Ascii character out of then then all the 2nd bits until all 8 is done then substitute that maybe along with a 1 time pad, then I can see how maybe by chance changing 1 Ascii can sometimes Affect many characters, unless I'm not seeing something here? So example lets say A=001 B=010 C=100 R=111and our word was Cab then 100, 001, 010 if stacked could be 100, 001, 010 which doesn't change anything but lets try BAR, 010, 001, 111 we get now, 001, 101, 011 now this is kinda neat because we have new numbers which might be mapped to a question mark or something if this was 8 bit ascii but then math to it could change it yet again. I can't 100% see how a single change normally can affect the outcome of how a message works, but I can see in my example how sometimes hit or miss it can affect the entire message! I will have to look at block ciphers to maybe understand, but for most part from my experience the bulk of codes/encryption almost always is the Plain Text being heavily altered with some steps where if you isolated any letter usually, you get the plaintext of that specific letter! Equally speaking if deleting a letter anywhere or changing a letter anywhere also usually doesn't disturb a message most times in all of it's entirety. However what I can say is... if it is possible where 1 Letter is the only way to crack the code if unchanged and all characters have that exact same property and must be One! Then yes that would be 100% valuable and secure as you can just take that and put that through 1 to 1 ciphers knowing there was a step involved that binds all of them together as a whole as one unit.

The questions of the guy with the camera don't sound very clearly..

So... do you HMAC then encrypt or encrypt then HMAC? And for the love of Turing, please clean your screen. :)

What if instead of appending the key you prepend the key. It's secret so no one would know what the state would be after the key.

Whose videos are referenced in the bit about hamming distance at 8:50, Dave Brelson is the best I can make out...

CBC mode for block ciphers

I'm a newbie, is hmac reversible?

What software did you use to make this animation?

idk why but this reminds me of the office

You can see at 5:44 the spider bite in Tobey Maguire's hand

Great vid! But, those fingerprints on Mike's monitor are really upsetting :p

"We can actually change the amount get sent, which unfortunately is a purely hypothetical example, I don't actually get any money" 😂

It's David Brent!!!

Mike, could you please cover Qubes OS? :)