A Short Note on Security, Privacy, and Encryption

Kankan Roy

copyright 1999-2009

A one-time random keypad (the one-time pad: a random key as long as the message, used once) is the best encryption system that can ever be devised. There are practical difficulties in constructing one. However, a simple scheme can be thought of.

1.       Two parties agree on the seeds for pseudo-random number generators that have no cycle, pass all tests of randomness and withstand all attacks. Alternatively, both possess an infinite (or very large) keypad of random numbers. Either way, no portion of the keypad may ever be used twice; a seeded generator also gives only computational rather than unconditional security.

2.       The one-time keypad is created from random numbers generated synchronously at both ends, and the randomized message is sent. That is, each character of the message is XORed with the next character from the (P)RNG, and the (P)RNGs used by the two parties run in tandem, producing exactly the same sequence of random numbers, so the receiver XORs with the same sequence to recover the message. We shall see later that there are other occasions when multiple PRNGs are required to run in tandem, namely for generating a Pass Token given a User ID and the time.

Initialization (S is a table of 2^N entries, K is the key, and all arithmetic on I, J and the table indices is taken modulo 2^N):

 i.      For I = 0 to 2^N -1 {S[I] = I;}

ii.      J = 0

Scrambling:

 i.      For I = 0 to 2^N -1 {J = J + S[I] + K[I mod key length]; Swap(S[I], S[J]);}

Generation Loop (with I and J reset to 0, then run once per output symbol; each output z is the keypad character XORed with the next message character):

 i.      I = I + 1; J = J + S[I]; Swap(S[I], S[J]); Output z = S[S[I] + S[J]]

      1. Kerberos is an authentication protocol. Its software is available free. An implementation consists of one or more Authentication Servers (AS) running on physically secured hosts. The AS maintains a database of principals (i.e. users and servers) and their secret keys.
      2. The authentication process proceeds as follows. The Client has a client key and the Server has a server key, both known to the AS.
      3. The Client sends a request to the AS asking for “credentials” for a given Server.
      4. The AS responds with these Credentials, encrypted in the Client’s key. The Credentials consist of a Ticket for the Server and a temporary key called the Session Key.
      5. The Client transmits the Ticket, which contains the Client’s identity and a copy of the Session Key, all encrypted in the Server’s key, to the Server. The Client now shares the Session Key with the Server. Only the authentic Server can decrypt the Ticket and retrieve the Session Key, and the Ticket gives the Server the Client's identity; the fact that the Client could present a valid Ticket authenticates the Client.

      1. Generate two random prime numbers P and Q.
      2. Let N = P x Q and R = (P-1) x (Q-1).
      3. Let E be such that R > E > 0 and GCD(R, E) = 1. It is not essential that E be prime, but it is computationally desirable that its binary representation has only a few (say 3) ones. Choosing E prime makes the GCD condition easy to check, since it then holds whenever E does not divide R.
      4. The Extended Euclidean Algorithm, given a >= b >= 0 with gcd(a, b) = d, finds x and y such that ax + by = d. With a = R, b = E and d = 1, we find x and y; D is y. If D < 0 then we take D = R + D. We thus get the key pair D and E.
      5. From the chosen E, D, N, P, Q, R and their relationship, for any given S < N, (S^E)^D [mod N] = S, since S^R [mod N] = 1 for P and Q prime (and S coprime to N). We throw away R, P and Q forever and retain N, E and D: N and E are given out as the public key, D is kept private.
      6. Select a random S as the symmetric key, raise it to the power E [mod N] to get T, and send T to anyone who has the corresponding D. It is easy for them to get back S from T: T^D [mod N] = S.
      7. Until a device or method exists that can factor N into P and Q, D cannot be guessed from N and E, or vice versa.
      8. An alternative to IPSEC is SSL/TLS. This is widely used in browser and server based computing, and increasingly for client-server systems. However, it is not packet oriented, and encryption and decryption do not happen at the physical machine boundary: they are the responsibility of the user's client or browser and of the Server, and are not applied to IP packets. Servers distribute an asymmetric Public Key to clients, which use it for the exchange of a symmetric key. Servers and clients need to acquire certificates and asymmetric keys from certificate issuing organizations, and it is the responsibility of the browser, client or server to manage these keys. It is implicit that the certificate issuer can be trusted to have verified the Server or Client; that the browser manages the keys well and they cannot be accessed by any spy program; that no dubious certificate issuer already exists in the client or server environment; and that the key generators are worthy of trust. Some spy software records all information input to or output from the browser and transmits it to an external agency, thus creating security holes.
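
The table-driven generator above (it is the RC4 key schedule and output loop when N = 8) combined with RSA steps 1-7, as an added Python example that is not part of this note: the pad key S is wrapped with the public pair (E, N), unwrapped with D, and then drives the generator whose output is XORed with the message. The primes, key and message used to exercise it are constructed toy values far too small for real use, and the keypad must never be reused under the same S.

```python
def keystream(key: bytes, n_bytes: int, N: int = 8) -> bytes:
    """The note's Initialization, Scrambling and Generation Loop. All index
    arithmetic is modulo 2^N; N = 8 gives one byte per step (RC4)."""
    M = 1 << N
    S = list(range(M))                     # Initialization: S[I] = I
    J = 0
    for I in range(M):                     # Scrambling
        J = (J + S[I] + key[I % len(key)]) % M
        S[I], S[J] = S[J], S[I]
    I = J = 0
    out = bytearray()
    for _ in range(n_bytes):               # Generation Loop
        I = (I + 1) % M
        J = (J + S[I]) % M
        S[I], S[J] = S[J], S[I]
        out.append(S[(S[I] + S[J]) % M])
    return bytes(out)

def xor_with_pad(data: bytes, key: bytes) -> bytes:
    """Item 2: XOR each byte with the generator; both ends run it in tandem,
    so applying the same key to the result recovers the message."""
    return bytes(b ^ z for b, z in zip(data, keystream(key, len(data))))

def egcd(a: int, b: int):
    """Extended Euclid: returns (d, x, y) with a*x + b*y = d = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    d, x, y = egcd(b, a % b)
    return d, y, x - (a // b) * y

def rsa_keys(P: int, Q: int, E: int):
    """Steps 2-5: N = P*Q, R = (P-1)*(Q-1); with a=R, b=E the y from
    egcd is D, and a negative D is shifted up by R. (E, N) is public, D is
    private; R, P, Q are discarded."""
    N, R = P * Q, (P - 1) * (Q - 1)
    d, _, D = egcd(R, E)
    if not (0 < E < R and d == 1):
        raise ValueError("need R > E > 0 and GCD(R, E) = 1")
    if D < 0:
        D += R
    return N, E, D

def rsa(x: int, k: int, N: int) -> int:
    """Step 6: T = rsa(S, E, N) wraps the pad key S; rsa(T, D, N) gives S
    back to the holder of D."""
    return pow(x, k, N)
```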

kankank@hotmail.com