Hands on cryptography

I’ve looked over 2 articles written by George Tokas in the bcb journal at his request. Even though I don’t exactly know what he wanted me to see, I did come up with something to “say”.

There is no perfect practical cryptographic scheme. And there is only one in theory: the one in which your encryption key is the same size as the to be encrypted data AND you don’t use that key ever again (aka [URL=http://en.wikipedia.org/wiki/One-time_pad]One Time Pad[/url]).

So no matter what crypting algorithm you use, no matter what methods you use to “strengthen” it, it can be cracked.
Take for example the strong point of the RSA algorithms or any other algorithms that are using huge prime numbers.
There is no publicly known method today to find out the 2 prime numbers used given their product. (p=a*b, a and b primes). But we know from math that if you know that p is the product of 2 prime numbers, there will be exactly (no less, no more, but exactly) 2 prime numbers that will give you p. So you can *calculate* a and b given p. The only problem is that there is no fast enough algorithm for that YET known to the public. But if some math genius finds that method tomorrow, everything based on primes will go up in smoke. And that includes your on-line banking.
Same goes for any kind of math-based cryptographic scheme that uses something “very hard” to calculate. Basically, the generalization is an isomorph function that has a very hard to calculate inverse. So it’s just a matter of time until somebody figures out how to calculate it fast enough (or the hardware gets fast enough). Then what? You run to the bank to get your savings out? You go running into your anti-atomic bomb shelter because .. oops, somebody was faster?

If I were to protect some very sensitive data, I will definitely not use something available out of the box on the market by itself. Nor will I come up with something myself since that can be even worse than the first case. But instead I would use several totally different products from the market.
Basically, every algorithm has some weak points through which information “perspires”. So a very good encryption scheme/algorithm is:
– use f1..fx crypting functions
– use p1..px different passwords
– choosing x is part of the “password”
– choosing the order of the f’s is also part of the “password”
– choosing the order of the p’s is another part of the “password”
– knowing which f’s to use, yes, is yet another part of the password.
so the final password will be formed by:
– number of f’s
– which f’s
– which p’s
– the order of the f’s
– the order of the p’s
(and we can add some more stuff)

I can think of a a method to calculate the above information based on a very long key (we can set a minimum of say 128 characters). And after the algorithm is done, I choose my password (a paragraph from the bible or some other book, etc). Every f will perspire some information that an experienced crypt-analyst can use to crack the function and/or get some information about the crypted data.
Imagine this as a very dens textile material. You take one sheet. You put water in it and it holds the water but it starts dripping pretty fast and after a while there is no more water left. That is ONE f.
Now take 10 sheets of dense textile. Put water. The speed of the water dripping away will be much slower. If you choose the textile right and the number of layers, you might have the luck of getting on drip of water per hour.

The problem with using one algorithm is that if you know what to expect, you can crack the encryption and finally find the password and that’s done. Worse case scenario is brute force. I know the encrypted data contains text, right? well, I keep trying passwords until I can find some readable text and then I validate the whole data. Sure, it can take a year with todays hardware, but if I have the money to use 100.000. super computers, it might only take a few days.

So the real question is: [color=red:46b455ffb0]how much TIME and MONEY is the cracker willing to invest in order to get your sensitive information?[/color:46b455ffb0]

THAT is how you choose your cryptographic scheme. The time and money needed to crack something can be estimated with a pretty good percentage, so instead of wasting your time to find the perfect cryptographic function, ask yourself the question in red.
Is your sensitive information only about personal photos with your naked girlfriend? If so, you can use the simplest method of scrambling some or all bytes in the data, shifting, etc. a very simple, high-school level “cryptography”. Your mates will not be able to crack it because they lack the knowledge and whoever has the knowledge is not interested in those pictures 😉

well … that’s what I wanted to say about cryptography 🙂

Related posts

Leave a Reply

This blog is kept spam free by WP-SpamFree.