A slightly longer series of “Keeping Your Secrets” articles will review practical examples in more detail and provide helpful tips and advice. They will also continue to promote the idea of making computer and crypto security simple to understand.

One-Way Hashing

A one-way hash, also known as a message digest or checksum, is an algorithm that creates an output of a fixed length that cannot be reversed. One-way hashes are used to validate files, generate digital certificates and play a major role in many validation schemes.

Take a look at this example. For ages, the Chinese have had a method of divination that relies on “Ba Zi” (eight characters), which uses the time, day, month and year of birth according to their calendar. For each variable, there are 60 possible combinations (roughly 6 bits). Because Chinese uses only two characters to represent each variable, you will always get eight characters. This is a 24-bit, one-way hash that is not secure.

This method is clearly not suitable for security purposes due to the high number of collisions.

Commonly used hashes include SHA-1 (the Secure Hash Algorithm, which uses 160 bits) and MD5 (Message Digest, which uses 128 bits). In August 2005, a team of cryptographers led by Xiaoyun Wang from Shandong University (China) presented a study that showed a way to find collisions more quickly than by brute force. These vulnerabilities can make digital certificate forgery a reality.

The implications for e-commerce can be far-reaching, not to mention the millions of websites that use MD5 to hash users’ passwords in their databases. A webmaster will tell you it is not an easy task to convert these sites to SHA-256 or SHA-512.

In a recent directive, NIST (National Institute of Standards & Technology, USA) advised U.S. government agencies to use SHA-256 or SHA-512 (256 and 512 bits respectively).

Biometrics

Biometric devices can recognize unique characteristics in a finger or eye, as well as the voice. Many believe that biometrics can provide greater security than other methods of authentication.

In March 2005 there was news about how a Malaysian car owner lost his Mercedes, and his index finger, to car thieves armed with machetes. Keyless ignition electronics can’t tell whether the finger is still part of the original person, or whether the finger, and by extension the whole body, is still alive.

Recent security breaches have raised concern about personal information stored on many financial sites. Identity theft is also more common when such crimes occur.

You can get a replacement card if you lose your card. Who can replace your fingerprints (digitally stored) or other biometric features?

Passwords

The majority of people use their own personal information to create random characters and numbers. This includes birthdays, family names, pet names, etc.

When asked to choose a six-digit Personal Identification Number for an ATM, many will select dates. This will reduce the possibilities by nine.

Random Numbers and Generators

The central theme of the crypto game is random numbers. Firstly, for a random number to be considered true, it must pass a statistical randomness test. Two suites considered de facto standards are the “diehard” suite developed by Prof. George Marsaglia of the State University of Florida and the “Statistical Test Suite” from NIST.

Secondly, the output of the RNG must be unpredictable, even if you know the exact algorithm or hardware used to produce the series as well as all previous bits.

Thirdly, even with the exact same input, it must be impossible to duplicate the RNG output.

Most random number generators use a computer algorithm (Yarrow, Tiny Egads or Mersenne Twister). They are called pseudo-random number generators (PRNGs) because they cannot produce truly random numbers.

A second approach is to use physical events as the seed, such as entropy created by keyboard and mouse activity, interrupts, white noise from speakers or microphones, and disk drive behaviour.

Some people might argue that detecting quantum behavior is the only way to achieve true random generation. The behavior of subatomic particles is random. Remember the electron cloud in high school physics?

One Time Pad

The simplest systems are often the most effective. The one-time pad (OTP) is a random series of bits that is the same length as the digital object being encrypted. To encrypt your data, you use a simple computer function, exclusive OR (XOR), to combine it with the pad. To decrypt a message, XOR the encrypted result with the same random bits.

The OTP must be discarded after use. The OTP and the digital object should have the exact same number of bits. The obvious issue with the OTP is synchronization between the receiver and sender.
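
An added example, not code from the original article: XOR encryption and decryption with a pad that can be taken only once, plus a check of what an eavesdropper learns if the same pad is used for a second message. The OneTimePad class, the function names and the sample messages are assumptions made for illustration.

```python
import secrets


def xor_bytes(data: bytes, pad: bytes) -> bytes:
    """XOR data with pad; an OTP requires both to be the same length."""
    if len(data) != len(pad):
        raise ValueError("pad and data must have the same number of bytes")
    return bytes(d ^ p for d, p in zip(data, pad))


class OneTimePad:
    """One pad of random bytes that can be taken exactly once (hypothetical helper)."""

    def __init__(self, length: int):
        # secrets draws from the OS CSPRNG; a PRNG such as Mersenne Twister
        # would make the pad predictable.
        self._pad = secrets.token_bytes(length)

    def take(self) -> bytes:
        if self._pad is None:
            raise RuntimeError("pad already used; it must be discarded")
        pad, self._pad = self._pad, None
        return pad


def reuse_leak(msg1: bytes, msg2: bytes, pad: bytes) -> bytes:
    """Return what an eavesdropper can compute when one pad encrypts two messages."""
    c1 = xor_bytes(msg1, pad)
    c2 = xor_bytes(msg2, pad)
    return xor_bytes(c1, c2)  # the pad cancels out: this equals msg1 XOR msg2


if __name__ == "__main__":
    message = b"PAY ALICE 100"             # constructed sample plaintext
    pad = OneTimePad(len(message)).take()  # shared with the receiver out of band
    ciphertext = xor_bytes(message, pad)   # encrypt
    assert xor_bytes(ciphertext, pad) == message  # decrypt with the same pad
    leak = reuse_leak(message, b"PAY BOB 90000", pad)
    print(leak.hex())  # leading zero bytes show where the two messages agree
```

The reuse check is why the pad is discarded: XORing two ciphertexts made with one pad removes the pad entirely and leaves the XOR of the two plaintexts.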