11/27/2007

Cryptonotes

Some interesting things I've learned from my Cryptography class:

  • PGP, or "Pretty Good Privacy", is a lot better than "Pretty Good" - it's extremely good. The inventor named it "pretty good" because he didn't want to oversell it. (Which is humble and all, but IMO, that's been a barrier for people to use it.) It's open, free, and good, so you should get it. (1) (2) (3) (4)
  • The basis of all communication security as we know it comes down to two darn hard math problems: discrete logarithms, and factoring the products of large primes. Has anyone solved them without brute force? Not that we know of, but, well ... if you solved one, would you tell anyone? :)
  • Authentication (proving who you are) can be based on three things: what you know (passwords), what you have (keys, smart cards, etc.), or what you are (fingerprints, retinal scans, etc.). Using two of these at once is called Second Factor authentication, and it's creepy and cool. (5)
  • If your wireless network uses WEP, it can be broken into in a few hours ... not because it uses poor encryption (RC4 is quite strong (6)) but because it's a poorly implemented protocol. Use WPA2 instead. (7)

Footnotes:

1) Incidentally, over a year ago, I posted this entry about PGP, along with my public key block.

2) In that post, I said, "in 10 years time, a brute-force approach to our currently encrypted stuff will be trivial". That's not exactly true; as it turns out, advances in computer power favor the cryptographer (secret-writer), not the cryptanalyst (secret-cracker). Makes sense, if you think about it ... by simply adding one bit, I make it twice as hard to crack my code using brute force. Throw on an extra 64 bits, and the brute force problem is now 18,446,744,073,709,551,616 times harder. Get my drift? So as computers get faster, we can add bits much faster than crackers can brute-force them.

3) Also incidentally, I happen to know the CEO of PGP Corporation, Dunk. He used to be the CEO at another company I worked at. At that time, I asked him to give me leeway to rewrite the entire ASP application stack of the company in .NET, a job that would have taken 6 people 8 months to do. He said no ... and that company still has the same exact code base, 5 years later, and is NOW starting to rewrite the application stack in .NET. Ahem ... I TOLD YOU SO.

4) Ze Frank (no, he's not back, he's just keeping us company during the writers' strike) posted a funny show today about the NSA and privacy.

5) Remind me to tell you about my idea for a smell-based authentication device. I may be sitting on a million dollar idea here.

6) And elegant, too. RC4 is implementable in just a few lines of code.

7) Or just set up VPN tunneling into a trusted network. VPN tunneling uses IPsec, which is mind-numbingly boring but also important. Like many things in life. In a nutshell, what it does is hide all your packets inside other packets, so nobody knows who they are, or what they were doing. Kind of like druids.
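
Footnote 6 says RC4 fits in a few lines, and the WEP bullet says the weakness is in the protocol rather than the cipher. The Python below is an added example, not code from the original post: textbook RC4, plus a check that two packets encrypted under the same IV and shared secret XOR to the XOR of their plaintexts, which is the situation WEP's 24-bit IV makes likely. The secret, IVs and packet contents are constructed, and WEP's integrity checksum is left out.

```python
"""Added example: textbook RC4 and a WEP-style keystream-reuse check."""

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return the first n bytes of RC4 keystream for `key`."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1 to 256 bytes")
    # Key-scheduling algorithm: shuffle the identity permutation under the key.
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation: keep swapping, emit one byte per step.
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: both are XOR with the keystream."""
    return xor(data, rc4_keystream(key, len(data)))

def wep_style_encrypt(iv: bytes, secret: bytes, packet: bytes) -> bytes:
    """Per-packet RC4 key = 3-byte IV || shared secret, as in WEP (checksum omitted)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return rc4(iv + secret, packet)

def reuse_leaks_xor(iv_a: bytes, iv_b: bytes, secret: bytes, p1: bytes, p2: bytes) -> bool:
    """True if XOR of the two ciphertexts equals XOR of the two plaintexts."""
    c1 = wep_style_encrypt(iv_a, secret, p1)
    c2 = wep_style_encrypt(iv_b, secret, p2)
    return xor(c1, c2) == xor(p1, p2)

if __name__ == "__main__":
    # Widely published RC4 test vector: key "Key", plaintext "Plaintext".
    print(rc4(b"Key", b"Plaintext").hex())
    # Constructed sample data: 40-bit secret and two same-length packets.
    secret, p1, p2 = bytes([1, 2, 3, 4, 5]), b"constructed packet A", b"constructed packet B"
    print(reuse_leaks_xor(b"\x00\x00\x01", b"\x00\x00\x01", secret, p1, p2))  # same IV
    print(reuse_leaks_xor(b"\x00\x00\x01", b"\x00\x00\x02", secret, p1, p2))  # fresh IV
```

The cipher is the same in both calls; only the IV handling differs, which is why the fix is a better protocol (WPA2) rather than a longer key.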