A slightly longer series of articles, “Keeping Your Secrets Secret”, will examine practical examples in greater detail and provide useful tips and advice. The theme of making cryptography and computer security simple to understand will undoubtedly continue with these.
One-Way Hash
A one-way hash, also known as a one-way function, message digest, fingerprint, or checksum, is an algorithm that generates a fixed-length output that cannot be reversed. One-way hashes serve as checksums to validate files, are used to produce digital certificates, and are essential to many authentication schemes.
Consider this illustration. For ages, the Chinese have had a fortune-telling method that relies on “Ba Ji” (eight characters), which uses the time, day, month and year of birth according to their calendar. For each of the four variables there are sixty possible values, roughly six bits. The result is always eight characters because each variable requires two characters in Chinese writing. With four variables of roughly six bits each, this amounts to a 24-bit one-way hash, and it is not a secure one.
Because of the enormous number of collisions—different inputs producing the same output—this method of creating a one-way hash is obviously unacceptable for security reasons.
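How quickly collisions appear in a 24-bit output space can be measured directly. The following is an added example, not from the original article: SHA-256 truncated to three bytes stands in for any 24-bit hash, and `hash24` and `find_collision` are hypothetical names.

```python
import hashlib
from itertools import count

HASH_BITS = 24  # same size as the four six-bit "Ba Ji" variables combined


def hash24(data: bytes) -> int:
    """Stand-in 24-bit one-way hash: the first 3 bytes of SHA-256."""
    return int.from_bytes(hashlib.sha256(data).digest()[:HASH_BITS // 8], "big")


def find_collision(prefix: bytes = b"msg-"):
    """Hash distinct constructed inputs until two share a 24-bit output.

    Returns (input_a, input_b, shared_hash, attempts).
    """
    seen = {}  # hash value -> first input that produced it
    for attempts in count(1):
        candidate = prefix + str(attempts).encode()
        h = hash24(candidate)
        if h in seen:
            return seen[h], candidate, h, attempts
        seen[h] = candidate


if __name__ == "__main__":
    a, b, h, attempts = find_collision()
    print(f"{a!r} and {b!r} both hash to {h:06x} after {attempts} inputs")
    print(f"output space: {2 ** HASH_BITS} values")
```

A collision typically turns up after a few thousand inputs, far fewer than the 16,777,216 possible outputs, because the chance of any two inputs matching grows with the number of pairs tried.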
The most widely used hashes are SHA-1 (Secure Hash Algorithm, 160 bits) and MD5 (Message Digest, 128 bits). In August 2005, a team of cryptographers from Shandong University in China, led by Xiaoyun Wang, presented a paper that identified faster ways of finding collisions than the traditional brute force approach. These exploits (vulnerabilities) could make forging digital certificates commonplace.
The implications for e-commerce could be significant, not to mention the millions of websites that used MD5 to hash their users’ passwords in their databases. Any webmaster will be able to tell you that changing these websites to use SHA-256 or SHA-512 will not be an easy task.
In a recent directive, the National Institute of Standards and Technology (NIST), a U.S. government agency, advised that governmental organizations in the US should substitute SHA-256 or SHA-512 (256 or 512 bits, respectively).
Biometrics
A biometric device is one that can recognize distinctive traits from a finger, eye, or voice. Many people think that biometrics should offer a higher level of security than other types of authentication.
A Malaysian owner of a Mercedes lost both the vehicle and his index finger to car thieves wielding machetes, according to a news report from March 2005. Evidently, the keyless ignition electronics cannot detect whether the finger is still a part of the original body, or whether it (and subsequently the person) is alive or not.
Concern over the storage of personal data on numerous financial websites has increased in light of recent security breaches. The frequency of identity theft will therefore increase whenever such breaches occur.
You can always cancel your lost credit card and obtain a new one. Who can replace your lost digitally stored fingerprint or other biometric features?
Passwords
When asked to conjure up a random number or string of characters, most people inevitably use material they are familiar with, such as their birthdays, family members’ names, their pets’ names, and so on.
When given the option to select a six-digit number for their ATM Personal Identification Number (PIN), for instance, the majority will select dates. Doing so reduces the number of possibilities by nine times.
Random Numbers and Generators
Cryptography depends on random numbers. First, the output of a random number generator (RNG) must pass statistical tests of randomness in order to be considered true random numbers. Two suites considered de facto standards are the “diehard” suite developed by Prof. George Marsaglia of State University of Florida and the “Statistical Test Suite” from NIST.
Second, even with complete knowledge of the hardware or algorithm creating the series and all the previously produced bits, the RNG’s output must be unpredictable.
Third, even with the same input, a repeat run of the RNG cannot produce the same output.
The most popular method for generating random numbers is to use an algorithm that is carried out by a computer program (Yarrow, Tiny, Egads, Mersenne Twister). Such algorithms are called pseudo-random number generators (PRNG) because they are unable to generate truly random numbers.
Another strategy is to use physical events as the seed (initial value), such as the entropy generated by the keyboard, mouse, interrupts, white noise from microphones or speakers, and disk drive behavior.
One may contend that true random generators are those that can detect quantum behavior in subatomic physics. This is because subatomic particles behave randomly, as you may recall from your high school physics studies of the electron cloud.
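Passing a statistical test is only the first of the three requirements above, as this added example (not from the original article) shows. It implements the frequency (monobit) test from the NIST suite and applies it to constructed inputs and to Python's `random` module, which is a Mersenne Twister; the function names and the seed 2005 are assumptions made for illustration.

```python
import math
import random
import secrets


def bits_of(data: bytes):
    """Yield the bits of a byte string, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def monobit_p_value(data: bytes) -> float:
    """Frequency (monobit) test from the NIST Statistical Test Suite.

    Maps bits to +1/-1, sums them, and returns the p-value;
    the suite treats p < 0.01 as a failure.
    """
    n = len(data) * 8
    s = sum(1 if b else -1 for b in bits_of(data))
    return math.erfc(abs(s) / math.sqrt(n) / math.sqrt(2))


def mersenne_twister_bytes(seed: int, n: int) -> bytes:
    """Output of Python's `random` module (Mersenne Twister) for a seed."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


if __name__ == "__main__":
    alternating = b"\xaa" * 1024   # constructed: 1010..., fully predictable
    stuck = b"\x00" * 1024         # constructed: source stuck at zero
    print("alternating bits p =", monobit_p_value(alternating))  # passes
    print("all-zero bits    p =", monobit_p_value(stuck))        # fails
    first = mersenne_twister_bytes(2005, 1024)
    again = mersenne_twister_bytes(2005, 1024)
    print("Mersenne Twister p =", monobit_p_value(first))
    # Same seed, same output: the third requirement is not met.
    print("same seed repeats  :", first == again)
    # OS entropy source: two calls do not repeat.
    print("OS entropy repeats :", secrets.token_bytes(16) == secrets.token_bytes(16))
```

The alternating pattern scores a perfect p-value on this test while being trivially predictable, which is why the test suites run many different tests and why unpredictability and non-repeatability are separate requirements.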
One-time Pad
Often, the most straightforward system is the most efficient. A one-time pad (OTP) is a string of randomly generated bytes that is the same length as the digital object to be encrypted. To encrypt, combine the digital object with the pad using the exclusive OR (XOR) computer operation. To decrypt, simply XOR the encrypted result with the same random bits.
The first drawback of using an OTP is that it needs to be thrown away after use. Second, the OTP and the digital object must have an equal number of bits. Last but not least, there is the obvious issue of synchronizing the OTP between the sender and receiver.
[Note from the author: The final Part 3 will concentrate on public key cryptography and key management.]
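The XOR round trip, the equal-length requirement, and the reason the pad must be thrown away after one use are shown in this added example, which is not from the original article. The function names and the two sample messages are constructed for illustration.

```python
import secrets


def make_pad(length: int) -> bytes:
    """Generate a pad of `length` random bytes from the OS entropy source."""
    return secrets.token_bytes(length)


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """XOR data with the pad; the same call encrypts and decrypts."""
    if len(pad) != len(data):
        raise ValueError("pad must be exactly as long as the data")
    return bytes(d ^ p for d, p in zip(data, pad))


def reuse_leak(ct_a: bytes, ct_b: bytes) -> bytes:
    """XOR of two ciphertexts made with the same pad.

    The pad cancels out, leaving plaintext_a XOR plaintext_b,
    a value that contains no key material at all.
    """
    return bytes(a ^ b for a, b in zip(ct_a, ct_b))


if __name__ == "__main__":
    msg_a = b"TRANSFER 0100 USD"   # constructed sample messages, equal length
    msg_b = b"TRANSFER 9900 USD"
    pad = make_pad(len(msg_a))

    ct_a = otp_xor(msg_a, pad)
    print("round trip ok:", otp_xor(ct_a, pad) == msg_a)

    ct_b = otp_xor(msg_b, pad)     # the mistake: pad used a second time
    leak = reuse_leak(ct_a, ct_b)
    # Zero bytes mark positions where the two plaintexts are identical;
    # non-zero bytes reveal where, and by how much, they differ.
    print("differing positions:", [i for i, b in enumerate(leak) if b])
```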
“Other people use crypto, in God we trust.”