More on crypto...

E.  More crypto-history

Okay, ciphers have evolved over the ages.  A lot.  There were disc ciphers
that could rotate between alphabets, electrical ciphers that looked like
typewriters but spat out ciphertext, and others. I have to skip over a lot
of these for right now to get to other important stuff, but fear not - I'll
cover more classical crypto stuff later on.
 

IV. HOW THEY DO IT TODAY (or "Bigger isn't better")

A. Keys are important still, but not the only thing.

Today's ultra-modern crypto stuff is still based around making sure that the
ciphertext can only be decrypted with that one special key.  The keys you
see these days are made up of strings of numbers, characters and stuff all
broken down into digital form of 1s and 0s. The more numbers in the key, and
the more random the info that makes it, the "stronger" the key is.

Important thing: Having a big ol' humongous strong key doesn't necessarily
mean you have a strong cryptosystem. Having a nice secure algorithm and a
tiny weak little key also doesn't guarantee you a strong cryptosystem.

Are you going "aroof" and scratching your head yet?

Look at it this way.  A strong algorithm is like knowing self-defense, and a
big key is like having big muscles.  Having big muscles doesn't mean you
know how to defend yourself.  And knowing how to defend yourself doesn't
mean you're strong enough to.  If you have the ability, then you use your
big muscles to get the job of defending yourself done, but neither is any
good without the other.

***************************************************
Here's a good way to remember:

Big Manly Key + Weak Wimpy Algorithm  = Weak System
Small Wimpy Key  + Strong Manly Algorithm = Weak System
Big Manly Key + Strong Manly Algorithm  = Strong System

Note: All apologies to the females in the audience, the word "manly" just
had the vibe I was looking for.  No offense intended  :)
***************************************************

Now I have to confuse you again, but all will be made clear.  The big key
and strong algorithm don't *guarantee* a strong system necessarily.  Why?
Well, it's always possible that YOU the user can mess everything up and make
the whole dang thing insecure by trusting the wrong person with your key,
not knowing who has access to your computer, setting crypto stuff up wrong,
and just not being careful.  Having big muscles and the knowledge to defend
yourself won't make you safe if you happen to be drunk when attacked.

But back to the whole "big key" thing: it doesn't really have anything to do
with the guts of the algorithm that encrypts and decrypts your message.  The
algorithm just uses the key to do the job.  The reason everyone's stuff looks
different after being put through the same algorithm is that each time the
same algorithm is put into motion, it uses a different key - one from each
person.
 

B. What's "brute forcing?"
 
 Making sure your key is nice and big just makes it harder to guess the key
if you were going down the list of all possible keys.  This is called a
"brute force" attack.  This means that if you have a six-digit number, you
could crack the key by starting your guesses at 000001 then 000002 then
000003 on the way to 999999 till you get the key.
 
 A typical four-digit ATM PIN would be harder to "brute force" if it were
ten digits long. The number of guesses you would have to go through to get
the key increases hugely each time a digit is added to a key, and your poor
PC is worked overtime in the rush to figure out all the possible
combinations.
 
 ~~~~~~~~~~~~~~~~~~~~~~~~ Head Exercise ~~~~~~~~~~~~~~~~~~~~~~~~
 You can brute force a key of two digits in your head.  Get a friend to
think of a two-digit number, and not tell you.  Easy to guess, right?  There
are only 99 numbers it could possibly be, so you count down the list till
you guess the right one.  Now tell your friend to add just one more teensy
little digit, so they have a secret number with three digits.  Now there are
999 possible numbers it could be.  See?  999 may only have one more digit
than 99, but it's more than ten times bigger.  It gets ten times harder each
time you add a digit.  You can still try to guess it, but how high do you
feel like counting?
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 With modern keys of 4096 bits, brute forcing takes dang near forever and
there are just more intelligent ways of doing it.  This is why the brute
force method of cracking a large key is the very last resort of any smart
cryptanalyst (those are the guys that crack the crypto stuff, remember?).
And if a key can ever be brute forced, that means it's reeeeaaaaalllllly weak.
 
 Unfortunately some cryptosystem engineers haven't figured out that a bigger
key isn't necessarily a better system.
 
 For instance, the PCS phone carrier that I use advertised the safety of
talking on their phones by saying that "Our phones are so friggin' secure
that in order to break through their communications privacy you'd have to
guess four trillion keys in less than a second!  Hoo yah!  We're all that!"
They didn't use those actual words, but it was something like that.  Anyway,
you know by now that they were talking about a brute force attack.  The
problem is that they didn't really look at the rest of the actual
cryptosystem they used.
 
 Then some really awesome hackers looked at the actual system and process
they used to encrypt the communication (remember the "algorithm?") and found
some mathematical flaws that would allow anyone with a little ingenuity and
some common equipment to decrypt the phone call information.
 
 Needless to say I made fun of my PCS people forEVER after that.  
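
The points from sections A and B, worked through as an added example (this is not code from the original guide, and the toy cipher is not the PCS system mentioned above). It compares brute-force cost for PINs and a 128-bit key, then shows a weak algorithm giving up that same 128-bit key with no guessing at all. The function names, the sample message and the guess rate of 10^12 per second are assumptions made for illustration.

```python
import secrets

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def keyspace(symbols: int, length: int) -> int:
    """Number of possible keys: 10 symbols per PIN digit, 2 per bit."""
    return symbols ** length

def brute_force_years(total_keys: int, guesses_per_second: float) -> float:
    """Worst-case time to try every key at a fixed guess rate."""
    return total_keys / guesses_per_second / SECONDS_PER_YEAR

def xor_cipher(data: bytes, key: bytes) -> bytes:
    """Toy weak algorithm: XOR each byte with the key, repeating the key.
    Running it again with the same key decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_key(ciphertext: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """The flaw: ciphertext XOR plaintext = key, so anyone who knows the
    first key_len plaintext bytes gets the whole key without guessing."""
    if len(known_prefix) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_prefix[:key_len]))

def demo() -> dict:
    key = secrets.token_bytes(16)                    # big random 128-bit key
    header = b"Subject: meeting"                     # constructed, predictable 16-byte header
    message = header + b"\nThe vault code is 4821."  # constructed sample message
    ciphertext = xor_cipher(message, key)
    recovered = recover_key(ciphertext, header, len(key))
    return {
        # How many times more guesses a 10-digit PIN needs than a 4-digit one.
        "pin10_vs_pin4": keyspace(10, 10) // keyspace(10, 4),
        # Brute forcing the 128-bit key at an assumed 10^12 guesses per second.
        "years_128bit": brute_force_years(keyspace(2, 128), 1e12),
        # The weak algorithm makes that key size irrelevant.
        "key_recovered": recovered == key,
        "plaintext": xor_cipher(ciphertext, recovered),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The key here is big and random, yet the system is weak: the strength a brute-force estimate promises only holds if the algorithm has no shortcut like this one.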


 © 2013 Happy Hacker All rights reserved.