With the increasing incidence of identity theft, credit card fraud and social engineering attacks, the digital world is facing challenges in the years ahead. Obviously, cryptography, a young science, will play a prominent role in protecting digital assets. This article tries to explain the basics of cryptography (encryption) using plain language.
Let us take the example of scrambling an egg. First, crack the shell, pour the contents into a bowl and beat the contents vigorously until you achieve the needed result - well, a scrambled egg. This action of mixing the molecules of the egg is encryption. Since the molecules are mixed up, we say the egg has achieved a higher state of entropy (state of randomness). To return the scrambled egg to its original form (including uncracking the shell) is decryption. Impossible?
However, if we replace the word “egg” with “number” and “molecules” with “digits”, it is POSSIBLE. This, my friend, is the exciting world of cryptography (crypto for short). It is a new field dominated by talented mathematicians who use vocabulary like "non-linear polynomial relations", "overdefined systems of multivariate polynomial equations", "Galois fields", and so forth. These cryptographers use language that mere mortals like us cannot pretend to understand.
In the computer, everything stored is a number. Your MP3 file is a number. Your text message is a number. Your address book is a longer number. The number 65 represents the character "A", 97 the small "a", and so on.
Humans recognize numbers written with the digits from 0 to 9, whereas the computer can only recognize 0 or 1. This is the binary system, which uses bits instead of digits. To convert bits to digits, simply multiply the number of bits by 0.3 to get a good estimate. For example, if you had 256 bits of Indonesian Rupiah (one of the lowest currency denominations in the world), Bill Gates' wealth in comparison would be microscopic.
The hexadecimal (base 16) system uses the ten digits from 0 to 9, plus the six extra symbols from A to F. This set has sixteen different “digits”, hence the hexadecimal name. This notation is useful for computer workers to peek into the "real contents" stored by the computer. Alternatively, treat these different number systems as currencies, be it Euro, Swiss Franc, British Pound and the like. Just like an object can be priced with different values using these currencies, a number can also be "priced" in these different number systems as well.
(To digress a bit, have you ever wondered why you had to study prime numbers in school? I am sure most mathematics teachers do not know this answer. Answer: a subbranch called public-key cryptography, which uses prime numbers, especially for encrypting e-mails. Over there, they are talking of even bigger numbers like 2048, 4096, 8192 bits.)
When we want to encrypt something, we need to use a cipher. A cipher is just an algorithm, similar to a recipe for baking a cake. It has precise, unambiguous steps. To carry out the encryption process, you need a key (some call it a passphrase). Good practice in cryptography requires that the key used by a cipher be of high entropy to be effective.
Data Encryption Standard (DES), introduced as a standard in the late 1970's, was the most commonly used cipher in the 1980's and early 1990's. It uses a 56-bit key. It was broken in the late 1990's in 56 hours, using specialized computers costing about US$250,000. With today's (2005) hardware, it is possible to crack within a day.
Subsequently, Triple-DES superseded DES as the logical way to preserve compatibility with earlier investments by big corporations (mainly banks). It uses two 56-bit keys in three steps:
1. Encrypt with Key 1.
2. Decrypt with Key 2.
3. Encrypt with Key 1.
The effective key length used is only 112 bits (equivalent to 34 digits). The key is any number between 0 and 5192296858534827628530496329220095. Some modify the last step to use a Key 3, making it more effective with 168-bit keys.
Advanced Encryption Standard (AES) was adopted as a standard by the National Institute of Standards & Technology, U.S.A. (NIST) in 2001. AES is based on the Rijndael (pronounced "rhine-doll") cipher developed by two Belgian cryptographers, Victor Rijmen and Joan Daemen. Typically, AES uses 256-bits (equivalent to 78 digits) for its keys. The key is any number between 0 and 15792089237316195423570985008687907853269984665640564039457584007913129639935. This number is the same as the estimated number of atoms in the universe.
The National Security Agency (NSA) approved AES in June 2003 for protecting top-level secrets within US governmental agencies (of course, subject to their approval of the implementation methods). They are reputedly the ones that can eavesdrop on all telephone conversations going on around the world. Besides, this organization is recognized to be the largest employer of mathematicians in the world and may be the largest buyer of computer hardware in the world. The NSA probably has cryptographic expertise many years ahead of the public and can undoubtedly break many of the systems used in practice. For reasons of national security, almost all information about the NSA - even its budget - is classified.
A brute force attack basically tries all possible combinations in an attempt to decrypt encrypted material.
A dictionary attack usually targets text-based passphrases (passwords) by trying commonly used passwords. The total number of commonly used passwords is surprisingly small, in computer terms.
An adversary is somebody, be it an individual, company, business rival, enemy, traitor or governmental agency, who would probably gain by having access to your encrypted secrets. A determined adversary is one with more "brains" and resources. The best form of security is to have zero adversaries (practically impossible to achieve); the next best is to have zero determined adversaries!
A keylogger is a software program or hardware device that captures all keystrokes typed. This is by far the most effective mechanism to crack password-based implementations of cryptosystems. Software keylogger programs are more common because they are small, work in stealth mode and are easily downloaded from the internet. Advanced keyloggers have the ability to run silently on a target machine and remotely deliver the recorded information to the user who introduced this covert monitoring session. Keystroke monitoring, like everything else created by man, can be either useful or harmful, depending on the monitor's intents. The confidential information which passes through the keyboard and reaches the computer includes all passwords, usernames, identification data, credit card details, and confidential documents (as they are typed).
For the last definition, we will use an example. Let's say you have your house equipped with the latest locks, no master keys and no locksmith can tamper with them. Your doors and windows are unbreakable. How then does an adversary get into your house without using a bulldozer to break your front door? Answer: the roof - by removing a few tiles, the adversary can get into your house. This is an exploit (weakness point). Every system, organization, individual has exploits.
See, it is not that difficult after all. If you can understand the material presented in this article, congratulations - you have become crypto-literate (less than 1% of all current computer users). If you do not believe me, try using some of this newfound knowledge on your banker friends or computer professionals.
Stan Seecrets' Postulate: “The sum total of all human knowledge is a prime number.”
Corollary: “The sum total of all human wisdom is not a prime number.”
A slightly longer series of articles "Keeping Your Secrets Secret" will examine practical examples in greater detail and provide useful tips and advice. Of course, these will continue with the theme of making crypto and computer security easily understood.
One-Way Hash
Also known as a one-way function, a message digest, a fingerprint or a checksum, the algorithm creates a fixed-length output that cannot be reversed. One-way hashes provide checksums to validate files, create digital certificates and play a central part in many authentication schemes.
Let us consider this example. For ages, the Chinese have had a fortune-telling method that relies on "Ba Ji" (eight characters), which uses the time, day, month and year of birth according to their calendar. There are sixty possibilities (almost equal to 6 bits) for each of the four variables. Since the Chinese use two characters for each variable, the result is always eight characters. This is an example of a nonsecure 24-bit one-way hash.
Obviously, this way of producing a one-way hash is not acceptable for security purposes because of the huge number of collisions (different inputs producing the same output).
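Added example (not part of the original article): why a 24-bit output gives so many collisions. It assumes a stand-in 24-bit hash, the first 3 bytes of SHA-256, under the hypothetical name toy_hash24, and hashes constructed inputs until two of them share a digest; the same search run against full SHA-256 finds nothing.

```python
import hashlib


def toy_hash24(data: bytes) -> bytes:
    """Insecure 24-bit digest: first 3 bytes of SHA-256 (illustration only)."""
    return hashlib.sha256(data).digest()[:3]


def full_sha256(data: bytes) -> bytes:
    """Full 256-bit digest, for comparison."""
    return hashlib.sha256(data).digest()


def find_collision(hash_fn, limit=1_000_000):
    """Hash distinct constructed inputs until two share a digest.

    Returns (first_input, second_input, attempts), or None if no
    collision shows up within `limit` inputs.
    """
    seen = {}  # digest -> first input that produced it
    for i in range(limit):
        msg = f"constructed-input-{i}".encode()
        digest = hash_fn(msg)
        if digest in seen:
            return seen[digest], msg, i + 1
        seen[digest] = msg
    return None


if __name__ == "__main__":
    a, b, attempts = find_collision(toy_hash24)
    # With only 2**24 possible outputs, a collision is expected after
    # roughly 2**12 (a few thousand) inputs.
    print(f"24-bit collision after {attempts} inputs: {a!r} and {b!r}")
    print("full SHA-256, 20000 inputs:", find_collision(full_sha256, 20_000))
```

The number of inputs needed grows with the square root of the number of possible outputs, which is why the output length of a hash matters so much.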
The most commonly used hashes are SHA-1 (Secure Hash Algorithm, which uses 160 bits) and MD5 (Message Digest, which uses 128 bits). In August 2005, a team of cryptographers led by Xiaoyun Wang of Shandong University, China, presented a paper that found faster ways of finding collisions than the usual brute force method. These exploits (vulnerabilities) may make digital certificate forgery a reality.
The implications for e-commerce may be widespread, not to mention the millions of websites which use MD5 to hash the users' passwords in their databases. Any webmaster can tell you that converting these sites to use SHA-256 or SHA-512 will not be a trivial task.
In a recent directive, NIST (National Institute of Standards & Technology, U.S.A.) has advised U.S. governmental agencies to use SHA-256 or SHA-512 (256 and 512 bits respectively) instead.
Biometrics
A biometric device is one that can identify unique characteristics from a finger, eye or voice. Many believe that biometrics should provide a higher level of security than other forms of authentication.
There was a news story in March 2005 of how a Malaysian owner lost his Mercedes car and index finger to car thieves armed with machetes. Obviously the keyless ignition electronics cannot detect whether the finger is still part of the original body, nor whether the finger (and by extension the person) is alive or not.
Recent security breaches have heightened concern over depositories of personal information stored on many financial sites. When such breaches occur, the incidence of identity theft will rise as well.
If you lose your credit card, you can always void the card and get a new one. When you lose your fingerprint (stored digitally), or other biometric features, who can replace those?
Passwords
When asked to conjure a random number or characters, most people inevitably use material that is familiar to them, like birthdays, names of family members, pets' names and so forth.
For example, most will choose dates when asked to choose a six-digit number for their ATM Personal Identification Number (PIN). Doing so will reduce the number of possibilities by nine times.
Random Numbers and Generators
Random numbers are central to crypto. To qualify as true random numbers, the output from random number generators (RNG) must pass statistical tests of randomness. Two suites considered as de facto standards are the "diehard" suite developed by Prof. George Marsaglia of State University of Florida and "Statistical Test Suite" from NIST.
Second, the RNG's output must be unpredictable even with complete knowledge of the algorithm or hardware producing the series and all the previous bits produced.
Third, the RNG's output cannot be cloned in a repeat run even with the same input.
The most common approach to producing random numbers is to use an algorithm carried out by a computer program (Yarrow, Tiny, Egads, Mersenne Twister). Such algorithms cannot produce random numbers, hence their name, pseudo-random number generators (PRNG).
Another approach is to use physical events such as entropy produced by the keyboard, mouse, interrupts, white noise from microphones or speakers and disk drive behavior as the seed (initial value).
Some may argue that true random generators are those that can detect quantum behavior in subatomic physics. This is because randomness is inherent in the behavior of subatomic particles - remember the electron cloud from your high school physics.
One-time Pad
The most effective system is often the simplest. A one-time pad (OTP) is a series of random bits that has the same length as the digital object to be encrypted. To encrypt, just use a simple computer operation, exclusive OR (XOR). To decrypt, simply XOR the encrypted result with the same random bits.
The downside of using OTP is that once used, it must be discarded. Second, the OTP and the digital object must have the same number of bits. Lastly, there is the obvious problem of synchronizing the OTP between the receiver and sender.
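Added example (not part of the original article): the XOR encryption and decryption described above, with the three constraints made explicit. The class and function names and the sample messages are constructed for illustration; the pad comes from the operating system's random source.

```python
import secrets


class OneTimePad:
    """Random pad that hands out every byte at most once."""

    def __init__(self, pad: bytes):
        self._pad = pad
        self._used = 0  # offset of the first unused pad byte

    def take(self, n: int) -> bytes:
        # The pad must cover the message bit for bit; never stretch or rewind it.
        if n > len(self._pad) - self._used:
            raise ValueError("pad exhausted")
        chunk = self._pad[self._used:self._used + n]
        self._used += n  # consumed bytes are discarded for good
        return chunk


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("operands must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def pad_reuse_leak(m1: bytes, m2: bytes, pad: bytes) -> bytes:
    """Encrypt two messages with the SAME pad bytes and XOR the ciphertexts."""
    c1, c2 = xor_bytes(m1, pad), xor_bytes(m2, pad)
    return xor_bytes(c1, c2)  # the pad cancels out: this is m1 XOR m2


def demo():
    m1 = b"wire 100 to acct"  # constructed sample messages, 16 bytes each
    m2 = b"wire 900 to acct"
    pad = secrets.token_bytes(len(m1) + len(m2))  # OS random source, not a PRNG
    # Sender and receiver hold identical copies and consume them in step.
    sender, receiver = OneTimePad(pad), OneTimePad(pad)
    c1 = xor_bytes(m1, sender.take(len(m1)))
    c2 = xor_bytes(m2, sender.take(len(m2)))
    p1 = xor_bytes(c1, receiver.take(len(c1)))
    p2 = xor_bytes(c2, receiver.take(len(c2)))
    return p1, p2, pad_reuse_leak(m1, m2, pad[:len(m1)])


if __name__ == "__main__":
    print(demo())
```

The third value returned by demo() shows why a used pad must be discarded: with reused pad bytes, the two ciphertexts XOR to the XOR of the two messages, so the single differing digit is visible without the pad.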
[Author's note: The concluding Part 3 will focus on key management and public key cryptography.]