**More on crypto...**

E. More crypto-history

Okay, ciphers have evolved over the ages. A lot.
There were disc ciphers

that could rotate between alphabets, electrical ciphers that
looked like

typewriters but spat out ciphertext, and others. I have to skip
over a lot

of these for right now to get to other important stuff, but fear
not - I'll

cover more classical crypto stuff later on.

IV. HOW THEY DO IT TODAY (or "Bigger isn't better")

A. Keys are important still, but not the only thing.

Today's ultra-modern crypto stuff is still based around making
sure that the

ciphertext can only be decrypted with that one special key.
The keys you

see these days are made up of strings of numbers, characters
and stuff all

broken down into digital form of 1s and 0s. The more numbers
in the key, and

the more random the info that makes it, the "stronger"
the key is.

Important thing: Having a big ol' humongous strong key doesn't
necessarily

mean you have a strong cryptosystem. Having a nice secure algorithm
and a

tiny weak little key also doesn't guarantee you a strong cryptosystem.

Are you going "aroof" and scratching your head yet?

Look at it this way. A strong algorithm is like knowing
self-defense, and a

big key is like having big muscles. Having big muscles
doesn't mean you

know how to defend yourself. And knowing how to defend
yourself doesn't

mean you're strong enough to. If you have the ability,
then you use your

big muscles to get the job of defending yourself done, but neither
is any

good without the other.

***************************************************

Here's a good way to remember:

Big Manly Key + Weak Wimpy Algorithm = Weak System

Small Wimpy Key + Strong Manly Algorithm = Weak System

Big Manly Key + Strong Manly Algorithm = Strong System

Note: All apologies to the females in the audience, the word
"manly" just

had the vibe I was looking for. No offense intended
:)

***************************************************

Now I have to confuse you again, but all will be made clear.
The big key

and strong algorithm don't *guarantee* a strong system necessarily.
Why?

Well, it's always possible that YOU the user can mess everything
up and make

the whole dang thing insecure by trusting the wrong person with
your key,

not knowing who has access to your computer, setting crypto stuff
up wrong,

and just not being careful. Having big muscles and the
knowledge to defend

yourself won't make you safe if you happen to be drunk when attacked.

But back to the whole "big key" thing: it doesn't
really have anything to do

with the guts of the algorithm that encrypts and decrypts your
message. The

algorithm just uses the key to do the job. The reason everyone's
stuff

after being put through the same algorithm looks different is
because each

time, the same algorithm is put into motion, but using a different
key - one

from each person.

B. What's "brute forcing?"

Making sure your key is nice and big just makes it harder
to guess the key

if you were going down the list of all possible keys. This
is called a

"brute force" attack. This means that if you
have a six-digit number, you

could crack the key by starting guessing it at 000001 then 000002
then

000003 on the way to 999999 till you get the key.

A typical ATM pin number four digits long would be harder
to "brute force"

if it were ten numbers. The number of guesses you would have
to go through

to get the key increase hugely each time a number is added to
a key, and

your poor PC is worked overtime in the rush to figure out all
the possible

combinations.

~~~~~~~~~~~~~~~~~~~~~~~~ Head Exercise ~~~~~~~~~~~~~~~~~~~~~~~~

You can brute force a key of two digits in your head.
Get a friend to

think of a two-digit number, and not tell you. Easy to
guess, right? There

are only 99 numbers it could possibly be, so you count down the
list till

you guess the right one. Now tell your friend to add just
one more teensy

little digit, so they have a secret number with three digits.
Now there are

999 possible numbers it could be. See? 999 may only
have one more digit

than 99, but it's more than ten times bigger. It gets ten
times harder each

time you add a digit. You can still try to guess it, but
how high do you

feel like counting?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

With modern keys of 4096 bits, brute forcing takes dang
near forever and

there's just more intelligent ways of doing it. This is
why the brute force

method of cracking a large key is the very last resort of any
smart

cryptanalyst (those are the guys that crack the crypto stuff,
remember?).

And if a key can ever be brute forced, that means it's reeeeaaaaalllllly
weak.

Unfortunately some cryptosystem engineers haven't figured
out that a bigger

key isn't necessarily a better system.

For instance, the PCS phone carrier that I use advertised
the safety of

talking on their phones by saying that "Our phones are so
friggin' secure

that in order to break through their communications privacy you'd
have to

guess four trillion keys in less than a second! Hoo yah!
We're all that!"

They didn't use those actual words, but it was something like
that. Anyway,

you know by now that they were talking about a brute force attack.
The

problem is that they didn't really look at the rest of the actual

cryptosystem they used.

Then some really awesome hackers looked at the actual system
and process

they used to encrypt the communication (remember the "algorithm?")
and found

some mathematical flaws that would allow anyone with a little
ingenuity and

some common equipment to decrypt the phone call information.

Needless to say I made fun of my PCS people forEVER after
that.

More crypto--->>