Re: Can somebody point me in the right direction?
- From: rossum <rossum48@xxxxxxxxxxxx>
- Date: Fri, 23 May 2008 15:31:19 +0100
On Fri, 23 May 2008 02:15:33 GMT, notreal@xxxxxxxxxxx wrote:
> I am very new to encryption and I was tasked to solve a seemingly common
> problem. I don't mind doing the research but I need at least some kind of
> direction in the beginning.
> My problem is very similar to validating serial keys on software packages.
> Here is what I need to accomplish:
> 1. I need to create a black box that is capable of generating a large number
> (let's say 1 million) of fixed 10 character length pseudo-random strings
> 2. I need a second black box that is capable of validating those strings that
> they were generated by black box one. I think this is pretty standard affair
> so far although I have no idea how this is accomplished.
> 3. Here is the twist: When validating a string I need more than just a
> passed/failed result. I need to be able to dig out a value between one and
> ten from the ten character string. So box number two would either say no,
> this was not generated by box number one or it would spit out a number that
> was embedded by box number one.
> 4. Obviously there should be no way of figuring out what number is embedded
> in the string or if it is valid or not without using box number two. A
> single person would have only access to a small set of the strings so I
> don't think this will be difficult to accomplish.
> 5. There should be little probability of entering a random character string
> that would yield a passing result.

Some comments:
The standard encryption, AES, works on 128 bit blocks, 16 bytes, so a
16 byte string would probably be easier.

You are probably better off thinking in terms of bytes rather than
characters as it is better to use the full 0 -> 255 range of values
allowed in a byte.

Who are you defending against? Do you want to stop Aunt Edna cracking
the system? Do you want to stop a small commercial rival, with
limited resources? Do you want to stop a large commercial rival with
many resources? Do you want to stop a three letter Government agency?
How much effort you put into your system is dependent on who you are
defending against.

If you use encryption you have a potential problem at the second black
box. The second black box needs a copy of the key to decrypt the
cyphertext. If the key is permanently stored then there is nothing to
stop an attacker opening up the box and extracting a copy of the key.

What is the time difference between box 1 encrypting the string and
box 2 decrypting it? If the two are done at the same time, then a
unique key can be generated just for the single transaction and the
key-storage problem disappears. If there is a gap of weeks or years
then key-storage at box 2 may become a problem.

You are trying to solve two problems, establishing validity and
transmitting a number. It might be easier to solve the two problems
separately rather than trying to do both together.

rossum
> For what little I know about encryption I came up with this scheme that is
> most likely totally flawed:
> Let's say I needed one hundred thousand strings for each digit between zero
> and nine so I would end up with one million ten character strings at the
> end.
> I figured I would pick a random range of sequential numbers for each one
> hundred thousand lot so let's say 0 would have a range of
> 2,005,000-2,105,000 and 1 would have 46,234,125,000-46,234,225,000 etc.
> Once I have a range of numbers then I would encrypt them with some kind of
> publicly available encryption algorithm using a fixed password. I can use
> leading zeros to try to help the encryption to come up with fixed length
> results. Is it possible to produce fixed length results or I would have to
> discard some of the resulting string? I don't know. If I do have to discard
> some results, I could extend the original range from 100,000 to 200,000 or
> more but I still would know what the last number in the range was when I
> have my 100,000 ten character strings.
> At the second black box I would simply decrypt a string with the same
> password and see if the result falls into any of the ten ranges that I
> originally set up. If the resulting number falls into one of the ranges then
> I would know which digit it was used for.
> I am a web designer not a mathematician. I am certain that this problem has
> been solved a long time ago and published somewhere. I would really
> appreciate if somebody could point me in the right direction of how to
> approach this problem if my thinking is flawed.
> Thank you,
> Yosh
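
One way to act on the reply's advice to treat validity and the embedded number as two separate problems, given as an added example that is not part of the original thread. HMAC-SHA256, the demo key values, the field sizes and the function names are assumptions chosen here; the 16-byte code length follows the reply's suggestion to work in bytes.

```python
import hashlib
import hmac
import secrets

# Constructed demo keys (assumption). Both boxes must hold them, which is
# the key-storage exposure at box 2 that the reply points out.
MAC_KEY = bytes(range(32))
MASK_KEY = bytes(range(32, 64))

NONCE_LEN, TAG_LEN = 7, 8  # 7-byte nonce + 1 masked byte + 8-byte tag = 16


def _prf(key: bytes, data: bytes) -> bytes:
    """Keyed pseudo-random function (HMAC-SHA256, an assumption of this example)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def generate_code(value: int) -> bytes:
    """Box 1: embed a value between 1 and 10 in a 16-byte code."""
    if not 1 <= value <= 10:
        raise ValueError("value must be between 1 and 10")
    nonce = secrets.token_bytes(NONCE_LEN)
    # Problem 2 (carry the number): hide it under a keyed mask tied to the nonce.
    masked = value ^ _prf(MASK_KEY, nonce)[0]
    body = nonce + bytes([masked])
    # Problem 1 (validity): truncated MAC over the nonce and the masked value.
    return body + _prf(MAC_KEY, body)[:TAG_LEN]


def validate_code(code: bytes):
    """Box 2: return the embedded value, or None if box 1 did not issue the code."""
    if len(code) != NONCE_LEN + 1 + TAG_LEN:
        return None
    body, tag = code[:-TAG_LEN], code[-TAG_LEN:]
    # Constant-time comparison; a random guess passes with probability 2**-64.
    if not hmac.compare_digest(tag, _prf(MAC_KEY, body)[:TAG_LEN]):
        return None
    value = body[-1] ^ _prf(MASK_KEY, body[:NONCE_LEN])[0]
    return value if 1 <= value <= 10 else None
```

The tag length sets the forgery probability from point 5 of the question, so shortening the code to fit a smaller format directly weakens that guarantee.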