The recent explosive growth of PCs and Internet-based commerce
has significantly increased the need for a wide variety of
computer security mechanisms. This article, the second of a
three-part series, lays the underlying foundation in plain
language.
A slightly longer series of articles, "Keeping Your Secrets
Secret", will examine practical examples in greater detail and
provide useful tips and advice. Of course, these will continue
with the theme of making crypto and computer security easily
understood.
One-Way Hash
Also known as a one-way function, a message digest, a
fingerprint or a checksum, the algorithm creates a fixed-length
output that cannot be reversed. One-way hashes provide checksums
to validate files, create digital certificates and play a
central part in many authentication schemes.
Let us consider this example. For ages, the Chinese have had a
fortune-telling method that relies on "Ba Ji" (eight characters)
which uses the time, day, month and year of birth according to
their calendar. There are sixty possibilities (almost equal to 6
bits) for each of the four variables. Since the Chinese use two
characters for each variable, the result is always eight
characters. This is an example of a nonsecure 24-bit one-way
hash.
Obviously, this way of producing a one-way hash is not
acceptable for security purposes because of the huge number of
collisions (different inputs producing the same output).
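The collision problem described above can be seen directly. The following is an added example, not part of the original article: toy_hash24 is a constructed 24-bit hash (the first 3 bytes of SHA-256, an assumption standing in for any 24-bit digest), and find_collision and digest_bits are hypothetical helper names.

```python
import hashlib

def toy_hash24(data: bytes) -> bytes:
    # Constructed stand-in for a 24-bit digest: first 3 bytes of SHA-256.
    return hashlib.sha256(data).digest()[:3]

def find_collision(hash_fn, max_tries=1 << 20):
    """Birthday search: hash distinct messages until two share a digest."""
    seen = {}
    for i in range(max_tries):
        msg = b"message-%d" % i              # constructed sample inputs
        digest = hash_fn(msg)
        if digest in seen:
            return seen[digest], msg, i + 1  # two different inputs, same output
        seen[digest] = msg
    return None

def digest_bits(name: str, data: bytes) -> int:
    """Output length in bits; it does not depend on the input length."""
    return len(hashlib.new(name, data).digest()) * 8

if __name__ == "__main__":
    first, second, tries = find_collision(toy_hash24)
    print(f"24-bit collision after {tries} messages: {first!r} vs {second!r}")
    print("shared 24-bit digest:", toy_hash24(first).hex())
    # The full-length digests of the same two messages still differ.
    print(hashlib.sha256(first).hexdigest())
    print(hashlib.sha256(second).hexdigest())
    for name in ("md5", "sha1", "sha256", "sha512"):
        print(name, digest_bits(name, b"a"), digest_bits(name, b"a" * 10_000))
```

With only 24 bits of output, a collision is expected after a few thousand messages, which is why the digest length matters as much as the algorithm.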
The most commonly used hashes are SHA-1 (Secure Hash Algorithm,
160 bits) and MD5 (Message Digest, 128 bits). In August
2005, a team of cryptographers led by Xiaoyun Wang of Shandong
University, China, presented a paper that found faster ways of
finding collisions than the usual brute force method. These
exploits (vulnerabilities) may make digital certificate forgery
a reality.
The implications for e-commerce may be widespread, not to mention
the millions of websites which used MD5 to hash the users’
passwords in their databases. Any webmaster can tell you that
converting these sites to use SHA-256 or SHA-512 will not be a
trivial task.
In a recent directive, NIST (National Institute of Standards &
Technology, U.S.A.) has advised U.S. governmental agencies to
use SHA-256 or SHA-512 (256 and 512 bits respectively) instead.
Biometrics
A biometric device is one that can identify unique
characteristics from a finger, eye or voice. Many believe that
biometrics should provide a higher level of security than other
forms of authentication.
There was a news story in March 2005 about how a Malaysian owner
lost his Mercedes car and index finger to car thieves armed with
machetes. Obviously the keyless ignition electronics cannot
detect whether the finger is still part of the original body or
whether the finger (and by extension the person) is alive or not.
Recent security breaches have heightened concern over
depositories of personal information stored on many financial
sites. When such breaches occur, the incidence of identity
theft will rise as well.
If you lose your credit card, you can always void the card and
get a new one. When you lose your fingerprint (stored
digitally), or other biometric features, who can replace those?
Passwords
When asked to conjure a random number or characters, most people
inevitably use material that is familiar to them, like
birthdays, names of family members, pets’ names and so forth.
For example, most will choose dates when asked to choose a
six-digit number for their ATM Personal Identification Number
(PIN). Doing so will reduce the number of possibilities by nine
times.
Random Numbers and Generators
Random numbers are central to crypto. To qualify as true random
numbers, the output from random number generators (RNG) must
first pass statistical tests of randomness. Two suites considered
de facto standards are the "diehard" suite developed by Prof.
George Marsaglia of State University of Florida and the
"Statistical Test Suite" from NIST.
Second, the RNG’s output must be unpredictable even with
complete knowledge of the algorithm or hardware producing the
series and all the previous bits produced.
Third, the RNG’s output cannot be cloned in a repeat run even
with the same input.
The most common approach to producing random numbers is by using
an algorithm carried out by a computer program (Yarrow, Tiny,
Egads, Mersenne Twister). Such algorithms cannot produce true
random numbers, hence their name, pseudo-random number generators
(PRNG).
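The three requirements above can be checked against a PRNG. The following is an added example, not part of the original article: it implements the frequency (monobit) test from the NIST Statistical Test Suite and compares Python's Mersenne Twister with the operating system's generator. The seed 2005 and the helper names are assumptions made for illustration.

```python
import math
import random
import secrets

def monobit_p_value(bits):
    """NIST frequency (monobit) test; p >= 0.01 counts as passing."""
    n = len(bits)
    s = sum(1 if b else -1 for b in bits)        # +1 per one, -1 per zero
    return math.erfc(abs(s) / math.sqrt(n) / math.sqrt(2))

def mt_bits(seed, n):
    """n bits from the Mersenne Twister (Python's random module)."""
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(n)]

def os_bits(n):
    """n bits (n a multiple of 8) from the OS generator via secrets."""
    raw = secrets.token_bytes(n // 8)
    return [(byte >> i) & 1 for byte in raw for i in range(8)]

def is_reproducible(seed, n=256):
    """True when a repeat run with the same seed clones the output."""
    return mt_bits(seed, n) == mt_bits(seed, n)

if __name__ == "__main__":
    n = 10_000
    print("Mersenne Twister monobit p:", monobit_p_value(mt_bits(2005, n)))
    print("OS generator monobit p:   ", monobit_p_value(os_bits(n)))
    # A fully predictable pattern can still pass this statistical test,
    # so the first requirement alone is not enough.
    print("alternating 0101... p:    ", monobit_p_value([0, 1] * (n // 2)))
    # Same seed, same output: the PRNG fails the third requirement.
    print("MT cloned by same seed:   ", is_reproducible(2005))
```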
Another approach is to use physical events such as entropy
produced by the keyboard, mouse, interrupts, white noise from
microphones or speakers and disk drive behavior as the seed
(initial value).
Some may argue that true random generators are those that can
detect quantum behavior in subatomic physics. This is because
randomness is inherent in the behavior of subatomic particles -
remember the electron cloud from your high school physics.
One-time Pad
The most effective system is often the simplest. A one-time pad
(OTP) is a series of random bits that has the same length as the
digital object to be encrypted. To encrypt, just use a simple
computer operation, exclusive OR (XOR). To decrypt, simply XOR
the encrypted result with the same random bits.
The downside of using OTP is that once used, it must be
discarded. Second, the OTP and the digital object must have the
same number of bits. Lastly, there is the obvious problem of
synchronizing the OTP between the receiver and sender.
[Author’s note: The concluding Part 3 will focus on key
management and public key cryptography.]
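The XOR operation and the reason a used pad must be discarded are shown in the following added example, which is not part of the original article. The messages are constructed samples and the function names are hypothetical.

```python
import secrets

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; the OTP requires equal lengths."""
    if len(a) != len(b):
        raise ValueError("pad and message must have the same number of bits")
    return bytes(x ^ y for x, y in zip(a, b))

def new_pad(length: int) -> bytes:
    """Fresh random pad, as long as the message it will protect."""
    return secrets.token_bytes(length)

def encrypt(message: bytes, pad: bytes) -> bytes:
    return xor_bytes(message, pad)

def decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    # XOR with the same pad undoes the encryption.
    return xor_bytes(ciphertext, pad)

def reuse_leak(ciphertext1: bytes, ciphertext2: bytes) -> bytes:
    """With a reused pad, c1 XOR c2 == m1 XOR m2: the pad cancels out."""
    return xor_bytes(ciphertext1, ciphertext2)

if __name__ == "__main__":
    m1 = b"PAY ALICE 100"                    # constructed sample messages
    m2 = b"PAY CAROL 900"
    pad = new_pad(len(m1))
    c1 = encrypt(m1, pad)
    print("round trip ok:", decrypt(c1, pad) == m1)
    # Encrypting a second message with the same pad is the mistake.
    c2 = encrypt(m2, pad)
    leak = reuse_leak(c1, c2)
    # Zero bytes in the leak mark positions where both plaintexts agree.
    print("identical positions:", [i for i, b in enumerate(leak) if b == 0])
    print("leak equals m1 XOR m2:", leak == xor_bytes(m1, m2))
```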
"In God we trust, others use crypto."
© Copyright 2005, Stan Seecrets. All rights reserved.
About the author:
The author, Stan Seecrets, is a veteran software developer with
25+ years of experience. For more of his articles and website
promotion, visit http://www.seecrets.biz or http://www.rushprnews.com