More amateur cryptography

2007-02-02

in Geek stuff, Internet matters, Security

One of the oldest problems in cryptography is key management. The simplest kind of cryptographic arrangement is based on a single key used by however many parties both for encryption and decryption. This carries two big risks, however. In the first place, you need a secure mechanism for key distribution. Secondly, it is generally impossible to revoke a key, either for one individual or for everyone. Because of these limitations, public key cryptography (which utilizes key pairs) has proved a more appropriate mechanism in many applications.

Once in a while, now, you read about ‘unbreakable’ cryptography based on quantum mechanics. The quantum phenomena employed are actually used for key generation, not for the actual business of encrypting and decrypting messages. Like the use of a one-time pad, the symmetric keys produced by this system hold out the promise of powerful encryption. Of course, such systems remain vulnerable both to other kinds of cryptographic attacks, particularly the ‘side channel’ attacks that have so often been the basis for successful code-breaking. Recent examples include the cracking of the encryption on DVDs, as well as Blu-Ray and HD-DVDs.

An example of a side-channel attack is trawling through RAM and virtual memory to try and find the password to some encrypted system. When you login to a website using secure socket layering (SSL), the data sent over the network is encrypted. That said, the program with which you access the site may well take the string of text that constitutes your password and then dump it into RAM and/or the swap space on your hard disk somewhere. Skimming through memory for password-like strings is much less resource intensive than simply trying every possible password. Programs like Forensic Toolkit by AccessData make this process easy. People who use the same string in multiple applications (any of which could storing passwords insecurely) are even more vulnerable.

As in a large number of other security related areas, people using Apple computers have a slight advantage. While not on by default. if you go into the security menu in the system preferences, you can turn on “Use secure virtual memory.” This encrypts the contents of your swap space, to help protect against the kind of attack described above.

The real lesson of all of this is that total information security can never be achieved. One just needs to strike a balance between the sensitivity of the data, the probability of it coming under examination, and the level of effort that would be required to overcome whatever security is in place.

PS. My PGP public key is available online, for anyone who wants to send me coded messages. Free copies of the encryption software Pretty Good Privacy (PGP) can also be easily downloaded.

Report a typo or inaccuracy

{ 3 comments… read them below or add one }

Anonymous February 2, 2007 at 2:43 pm

Before trying fancy hacks, one might consider the password recovery service for morons.

Milan February 2, 2007 at 3:08 pm

Some related things I wrote about while avoiding different academic work:

GMail security hole – on a bug that made it possible for other sites to access your contact list

American midterm elections today – on electoral security in the United States

Protecting your computer – general tips for normal users

On electronic voting

Basic problems with biometric security

Major vulnerability of mechanical locks – on key bumping

Something to try over the weekend: cryptography by hand

On password security

My standard source of information on all things related to computer security is Bruce Schneier’s blog.

R.K. February 3, 2007 at 12:18 am

Someone so security inclined should probably read:

How to Cheat at Everything: A Con Man Reveals the Secrets of the Esoteric Trade of Cheating, Scams and Hustles

by Simon Lovell

They have the paperback for $13 on Amazon.

Leave a Comment

You can use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Previous post:

Next post: