Re: a way pseudo random numbers can be used in cryptography




wallbangicus wrote:
> I've recently made a program on a TI-83+ that takes a password and
> multiplies it together, i.e. if the pass was HAT, then H=8, A=1 and T=20, so
> HAT = 8*1*20 = 160. This number is then used as a random seed.

Well, the first problem is multiple passwords all create the same seed,
and it's very easy to find them. For instance, HAT, HTA, AHT, ATH, TAH,
THA all produce the same seed, and thus the same key. That is a big
weakness. Also, using such small numbers is bad because an attacker can
just make guesses. It's easy to write a program to count to 160. A good
exercise might be to find out, given 8 character passwords, what the
highest number he has to count to is.


> The binary data (actually a picture on the calculator due to its
> limitations) is then changed using an XOR on the random number and the
> original data. The random number goes through some changes so it's
> either a 0 or a 1, but that's irrelevant. If the data is decrypted with
> the wrong seed (password in this case) the data will be totally
> illegible, but if 160 is used again as the random seed, the original
> data will be back to normal.


So basically you have data XOR seed, right? I'm not sure what you mean
by the random number going through changes. If it's irrelevant, then it
contributes nothing to security. If you are doing it for some security
reason, then it is very relevant. But I'll assume whatever change it
goes through is known (like, take the seed and multiply it by 2, or
something).

Another good exercise would be to try and find a way to attack your
cipher.

So let's say seed = 160. I'm going to use this algorithm to send a
letter to Alice (Alice is a name cryptographers like to use to denote a
person using cryptography).

So here it is:

Dear Alice,

......my letter goes here....

Sincerely,
Matt

The attacker knows this is a letter going to Alice. He also gets to
intercept the encrypted message.

Can you see any way to break it? I can give a hint if you need.

> I'm relatively new to cryptography, so if
> this has already been discussed, discovered, or is pointless, I
> apologize.

Yep, this is probably the first cipher everyone "invents." It's a good
learning exercise in that when you realize how it's broken, you see
that while something might "seem" good, it really isn't.

My advice is to pick up a book like Applied Cryptography and start
reading. Don't design ciphers because unless you know the attacks that
have been developed over the last 30 years, you can't know how to
design something secure against them. You can't design a door lock
without studying how lock picking works, can you?

-Matt
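The seed derivation and XOR step described in this thread, as an added Python example (not wallbangicus's calculator program and not Matt's code), used to check the two weaknesses Matt points out: passwords that collide on the same seed, and the small range of seeds. The generator is a constructed stand-in, since the post does not say which random number routine the calculator uses; the collision check also goes beyond anagrams to show that any two letter sets with the same product (e.g. B*D and H*A) share a seed.

```python
from itertools import product
from math import prod
from string import ascii_uppercase


def password_seed(password):
    """Seed exactly as the post describes: A=1 ... Z=26, letters multiplied together."""
    return prod(ord(c) - ord("A") + 1 for c in password.upper())


def keystream_bits(seed, n):
    """Constructed stand-in for the calculator's generator (the post does not name it):
    a 31-bit LCG seeded with the password seed, each output reduced to one bit."""
    state = seed
    bits = []
    for _ in range(n):
        state = (1103515245 * state + 12345) % 2 ** 31
        bits.append((state >> 16) & 1)
    return bits


def xor_with_seed(bits, seed):
    """The cipher itself: data XOR keystream. Applying it twice with the same seed
    restores the data, which is also why any password with the same seed decrypts."""
    return [d ^ k for d, k in zip(bits, keystream_bits(seed, len(bits)))]


def seed_space(length):
    """Return (number of passwords, number of distinct seeds) for a given length by
    enumerating every all-letter password. The distinct-seed count is the effective
    keyspace; the gap comes from anagrams and from equal products like B*D = H*A."""
    seeds = {password_seed("".join(p)) for p in product(ascii_uppercase, repeat=length)}
    return 26 ** length, len(seeds)


def highest_seed(length):
    """Matt's exercise: the largest seed an all-letter password of this length can
    produce (all Z's), i.e. the furthest an attacker counting upward must go."""
    return 26 ** length


if __name__ == "__main__":
    # Constructed sample "picture": 16 bits of data.
    data = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1]
    ct = xor_with_seed(data, password_seed("HAT"))
    print("HAT seed:", password_seed("HAT"))  # 160
    print("decrypts with TAH:", xor_with_seed(ct, password_seed("TAH")) == data)  # True
    print("3-letter passwords vs distinct seeds:", seed_space(3))
    print("highest 8-letter seed:", highest_seed(8))  # 208827064576
```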



