A slightly longer series of “Keeping Your Secrets” articles will review practical examples in more detail and provide helpful tips and advice. Of course, they will continue with the theme of making crypto and computer security easy to understand.

One-Way Hash

Also known as a one-way function, a message digest, a fingerprint or a checksum, a one-way hash algorithm takes input of any length and produces a fixed-length output from which the input cannot be recovered. One-way hashes provide checksums to validate files, are used to create digital certificates and play a key part in many validation schemes.

Let us consider this example. For ages, the Chinese have had a method of divination that relies on “Ba Ji” (eight characters) which uses the time, day, month and year of birth according to their calendar. There are sixty possibilities (roughly equal to 6 bits) for each of the four variables. Since Chinese uses two characters for each variable, the result is always eight characters. This is an example of an insecure 24-bit one-way hash.

Obviously, this method of producing a one-way hash is not acceptable for security purposes due to the large number of collisions (different inputs producing the same output).

The most commonly used hashes are SHA-1 (Secure Hash Algorithm, 160-bit output) and MD5 (Message Digest, 128-bit output). In August 2005, a team of cryptographers led by Xiaoyun Wang of Shandong University, China, presented a paper showing a faster way of finding collisions than the standard brute-force method. Such collision attacks can make the forgery of digital certificates a reality.
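To make the collision problem concrete, here is an added Python example (not code from the original article). It stands in for the 24-bit "Ba Ji" hash with a constructed toy digest, the first three bytes of SHA-256, and runs a birthday search over counter-derived inputs until two different inputs share the same 24-bit digest; a collision typically appears after roughly the square root of 2^24, about 4,096 inputs, whereas the full 256-bit digests of the same two inputs still differ.

```python
import hashlib
from typing import Dict, Tuple

# Constructed toy "24-bit hash": the first 3 bytes of SHA-256.  It stands in
# for any short digest (like the 24-bit "Ba Ji" example) and is for
# illustration only; it is not a real algorithm.
def toy_hash_24(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()[:3]


def full_hash(data: bytes) -> str:
    """A real fixed-length digest: SHA-256 always yields 32 bytes (64 hex chars)."""
    return hashlib.sha256(data).hexdigest()


def find_collision(max_trials: int = 1 << 24) -> Tuple[bytes, bytes, int]:
    """Birthday search: hash counter-derived inputs until two share a 24-bit digest.

    Returns (input_a, input_b, trials).  With a 24-bit output space the expected
    number of trials is about sqrt(2^24) = 4096, far below the 2^24 a brute-force
    preimage search would need.
    """
    seen: Dict[bytes, bytes] = {}
    for i in range(max_trials):
        msg = f"msg-{i}".encode()          # constructed, deterministic inputs
        digest = toy_hash_24(msg)
        if digest in seen and seen[digest] != msg:
            return seen[digest], msg, i + 1
        seen[digest] = msg
    raise RuntimeError("no collision within trial budget")


if __name__ == "__main__":
    a, b, trials = find_collision()
    print(f"24-bit collision after {trials} trials: {a!r} and {b!r}")
    print(f"  toy digest : {toy_hash_24(a).hex()} == {toy_hash_24(b).hex()}")
    print(f"  full SHA-256 still differs: {full_hash(a) != full_hash(b)}")
```

The same search against the full 256-bit digest would need on the order of 2^128 inputs, which is why digest length (and the absence of shortcuts like the one Wang's team found) matters.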

The implications for e-commerce are far-reaching, not to mention the millions of websites that use MD5 to hash users' passwords in their databases. Any webmaster can tell you that converting these sites to SHA-256 or SHA-512 is not a small task.
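One reason the conversion is painful is that a site only ever holds the hash, never the password, so records cannot be rehashed in bulk. The added Python example below (not code from the article) shows the usual way out: verify against whichever scheme the stored record names, and replace a legacy MD5 record with a new one at the moment of a successful login, when the plaintext is briefly available. The record formats (`md5$...` and `pbkdf2_sha256$rounds$salt$hash`) are my own constructed conventions; the upgraded scheme uses PBKDF2 over SHA-256 with a per-user random salt rather than a bare SHA-256, since a plain unsalted digest, whatever its length, is still a poor password store.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


def hash_password_md5_legacy(password: str) -> str:
    """Legacy record as found in many old databases: unsalted MD5 (insecure)."""
    return "md5$" + hashlib.md5(password.encode()).hexdigest()


def hash_password_sha256(password: str, salt: Optional[bytes] = None,
                         rounds: int = 200_000) -> str:
    """New record: PBKDF2-HMAC-SHA256 with a 16-byte random salt.

    The salt makes identical passwords hash differently; the round count slows
    down offline guessing.  Constructed format: pbkdf2_sha256$rounds$salt$hash.
    """
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Check a password against either record format using a constant-time compare."""
    scheme, *fields = stored.split("$")
    if scheme == "md5":
        expected = hashlib.md5(password.encode()).hexdigest()
        return hmac.compare_digest(expected, fields[0])
    if scheme == "pbkdf2_sha256":
        rounds, salt_hex, dk_hex = fields
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
        return hmac.compare_digest(dk.hex(), dk_hex)
    raise ValueError(f"unknown password scheme {scheme!r}")


def login_and_upgrade(password: str, stored: str) -> Tuple[bool, str]:
    """Verify the login; on success, migrate a legacy MD5 record to the new scheme.

    Returns (ok, record_to_store).  The record only changes when the password
    was correct, so a wrong guess can never overwrite a user's credential.
    """
    if not verify_password(password, stored):
        return False, stored
    if stored.startswith("md5$"):
        return True, hash_password_sha256(password)
    return True, stored


if __name__ == "__main__":
    legacy = hash_password_md5_legacy("correct horse")   # constructed sample
    ok, upgraded = login_and_upgrade("correct horse", legacy)
    print(ok, legacy)
    print(ok, upgraded)
```

Accounts that never log in keep their MD5 record indefinitely, so a real migration also needs a deadline after which remaining legacy records are invalidated and those users must reset their password.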

In a recent directive, NIST (National Institute of Standards & Technology, USA) advised U.S. government agencies to use SHA-256 or SHA-512 (256 and 512 bits respectively).

Biometrics

A biometric device is one that can identify unique characteristics from a finger, eye or voice. Many believe that biometrics should provide a higher level of security than other means of authentication.

There was news in March 2005 of a Malaysian owner who lost his Mercedes to car thieves armed with machetes. Clearly, keyless-ignition electronics cannot determine whether the finger presented is still part of its owner's body, or whether the owner (and by extension the finger) is alive or not.

Recent security breaches have raised concern over the stores of personal information held on many financial sites. When such violations occur, the incidence of identity theft will also increase.

If you lose your credit card, you can always void the card and get a new one. When you lose your fingerprint (digitally stored), or other biometric feature, who can replace them?

Passwords

When asked to create random numbers or characters, most people inevitably use materials familiar to them such as birthdays, names of family members, names of pets and so on.

For example, most will pick dates when asked to select a six-digit number for their ATM Personal Identification Number (PIN). Doing so reduces the number of possibilities by nine times.

Random Numbers and Generators

Random numbers are central to cryptography. First, to qualify as truly random, the output from a random number generator (RNG) must pass statistical randomness tests. Two suites considered de facto standards are the “diehard” suite developed by Prof. George Marsaglia of the State University of Florida and the “Statistical Test Suite” from NIST.

Second, the output of the RNG should be unpredictable even with complete knowledge of the algorithm or hardware that makes the series and all previous pieces produced.

Third, the RNG output cannot be reproduced by running the generator again, even with the same input.

The most common approach to making random numbers is to use an algorithm executed by a computer program (Yarrow, Tiny, Egads, Mersenne Twister). Such algorithms cannot generate truly random numbers, hence their name: pseudo-random number generators (PRNG).

Another approach is to use physical events as the seed (initial value): entropy gathered from keyboard and mouse timing, hardware interrupts, white noise from microphones or speakers, and disk-drive behavior.

Some might argue that the only true random generators are those that measure quantum behavior in subatomic physics, because randomness is inherent in the behavior of subatomic particles – remember the electron cloud from your high-school physics.
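The three requirements above can be checked in code. The following is an added Python example, not part of the original article: it implements the frequency (monobit) test from the NIST Statistical Test Suite, shows that a seeded PRNG (Python's Mersenne Twister) reproduces its whole output from the seed alone, which is exactly what the second and third requirements forbid, and draws unpredictable bytes from the operating system's entropy pool instead. The constructed byte patterns used as sample inputs are mine.

```python
import math
import random
import secrets
from typing import List, Sequence


def bits_of(data: bytes) -> List[int]:
    """Expand bytes into a list of 0/1 bits, most significant bit first."""
    return [(byte >> k) & 1 for byte in data for k in range(7, -1, -1)]


def monobit_p_value(bits: Sequence[int]) -> float:
    """NIST SP 800-22 frequency (monobit) test.

    Ones count as +1 and zeros as -1; a random sequence has a partial sum close
    to zero.  Returns a p-value; NIST treats p < 0.01 as a failure.
    """
    n = len(bits)
    s_n = sum(1 if b else -1 for b in bits)
    s_obs = abs(s_n) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))


def prng_sequence(seed: int, count: int) -> List[int]:
    """Mersenne Twister output for a given seed: the same seed always yields
    the same 'random' numbers, so the series can be cloned by anyone who
    learns (or guesses) the seed."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(count)]


def csprng_bytes(n: int) -> bytes:
    """Bytes from the OS entropy pool (fed by interrupt and device timing on
    most systems); suitable for keys, unlike random.Random."""
    return secrets.token_bytes(n)


if __name__ == "__main__":
    # Constructed samples: an all-zero stream and a perfectly alternating one.
    print("all zeros p =", monobit_p_value(bits_of(b"\x00" * 128)))   # fails
    print("0x55 bytes p =", monobit_p_value(bits_of(b"\x55" * 128)))  # balanced
    print("OS entropy p =", monobit_p_value(bits_of(csprng_bytes(1024))))
    print("same seed, same output:",
          prng_sequence(42, 5) == prng_sequence(42, 5))
```

Passing the monobit test is necessary but not sufficient: the alternating 0x55 pattern passes it perfectly yet is completely predictable, which is why the suites bundle many tests and why unpredictability is listed as a separate requirement.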

One-Time Pad

The most effective system is often the simplest. A one-time pad (OTP) is a series of random bits of the same length as the digital object to be encrypted. To encrypt, use only a simple computer operation, exclusive OR (XOR). To decrypt, just XOR the encrypted result with the same random bits.

The downside of an OTP is that once used, the pad must be discarded and never reused. Second, the pad and the digital object must have the same number of bits. Finally, there is the obvious problem of keeping the pads synchronized between sender and receiver.
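The whole scheme, including the two constraints just named, fits in a few lines. This is an added Python example, not code from the article: the pad comes from the OS entropy pool, encryption and decryption are the same XOR, a pad of the wrong length is rejected outright, and the last function shows why a pad must be discarded after one use: XOR-ing two ciphertexts made with the same pad cancels the pad and leaves the XOR of the two plaintexts, so the pad no longer hides anything about how the messages relate. The sample messages are constructed.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings; refuse anything else.

    Enforcing equal length is the OTP's second constraint: a pad shorter than
    the message would have to be stretched or reused, which breaks the scheme.
    """
    if len(a) != len(b):
        raise ValueError("one-time pad must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def make_pad(length: int) -> bytes:
    """Fresh random pad from the OS entropy source, one per message."""
    return secrets.token_bytes(length)


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    return xor_bytes(plaintext, pad)


def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    # Decryption is the same operation: (m XOR k) XOR k == m.
    return xor_bytes(ciphertext, pad)


def pad_reuse_residue(c1: bytes, c2: bytes) -> bytes:
    """What a pad reused across two messages leaks to an observer.

    c1 XOR c2 == (m1 XOR k) XOR (m2 XOR k) == m1 XOR m2: the pad cancels out,
    so this is the check that justifies the 'use once, then discard' rule.
    """
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    message = b"meet at noon"          # constructed sample
    pad = make_pad(len(message))
    ciphertext = otp_encrypt(message, pad)
    print("ciphertext:", ciphertext.hex())
    print("recovered :", otp_decrypt(ciphertext, pad))

    other = b"cancel that!"            # same length, same (reused) pad
    residue = pad_reuse_residue(ciphertext, otp_encrypt(other, pad))
    print("reuse residue equals m1 XOR m2:", residue == xor_bytes(message, other))
```

The synchronization problem is what remains: both sides must hold the same pad and agree on which bytes of it have already been consumed, which in practice means pre-shared pads and strict bookkeeping.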