More on crypto...
E. More crypto-history
Okay, ciphers have evolved over the ages. A lot. There were disc ciphers that could rotate between alphabets, electrical ciphers that looked like typewriters but spat out ciphertext, and others. I have to skip over a lot of these for right now to get to other important stuff, but fear not - I'll cover more classical crypto stuff later on.
IV. HOW THEY DO IT TODAY (or "Bigger isn't better")
A. Keys are important still, but not the only thing.
Today's ultra-modern crypto stuff is still based around making sure that the ciphertext can only be decrypted with that one special key. The keys you see these days are made up of strings of numbers, characters and stuff all broken down into digital form of 1s and 0s. The more numbers in the key, and the more random the info that makes it, the "stronger" the key is.
Important thing: Having a big ol' humongous strong key doesn't mean you have a strong cryptosystem. Having a nice secure algorithm with a tiny weak little key also doesn't guarantee you a strong cryptosystem.
Are you going "aroof" and scratching your head yet?
Look at it this way. A strong algorithm is like knowing self-defense, and a big key is like having big muscles. Having big muscles doesn't mean you know how to defend yourself. And knowing how to defend yourself doesn't mean you're strong enough to. If you have the ability, then you use your big muscles to get the job of defending yourself done, but neither is good without the other.
Here's a good way to remember:
Big Manly Key + Weak Wimpy Algorithm = Weak System
Small Wimpy Key + Strong Manly Algorithm = Weak System
Big Manly Key + Strong Manly Algorithm = Strong System
Note: All apologies to the females in the audience, the word had the vibe I was looking for. No offense intended.
Now I have to confuse you again, but all will be made clear. The big key and strong algorithm don't *guarantee* a strong system necessarily. Well, it's always possible that YOU the user can mess everything up and make the whole dang thing insecure by trusting the wrong person with your key, not knowing who has access to your computer, setting crypto stuff up wrong, and just not being careful. Having big muscles and the knowledge to defend yourself won't make you safe if you happen to be drunk when attacked.
But back to the whole "big key" thing: it doesn't really have anything to do with the guts of the algorithm that encrypts and decrypts your data. The algorithm just uses the key to do the job. The reason everyone's data after being put through the same algorithm looks different is that each time, the same algorithm is put into motion, but using a different key - one from each person.
B. What's "brute forcing?"
Making sure your key is nice and big just makes it harder to guess the key if you were going down the list of all possible keys. This is called a "brute force" attack. This means that if you have a six-digit number, you could crack the key by starting guessing it at 000001 then 000002 and 000003 on the way to 999999 till you get the key.
A typical ATM PIN number four digits long would be harder to "brute force" if it were ten numbers. The number of guesses you would have to go through to get the key increases hugely each time a number is added to a key, and your poor PC is worked overtime in the rush to figure out all
~~~~~~~~~~~~~~~~~~~~~~~~ Head Exercise ~~~~~~~~~~~~~~~~~~~~~~~~
You can brute force a key of two digits in your head. Get a friend to think of a two-digit number, and not tell you. Easy to guess, right? There are only 99 numbers it could possibly be, so you count down the list until you guess the right one. Now tell your friend to add just one more teensy little digit, so they have a secret number with three digits. Now there are 999 possible numbers it could be. See? 999 may only have one more digit than 99, but it's more than ten times bigger. It gets ten times harder each time you add a digit. You can still try to guess it, but how high do you feel like counting?
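The Head Exercise as code, an added example that is not part of the original text: it counts up through every candidate (leading zeros included, so n digits give 10**n candidates) and reports how many guesses it took. The SHA-256 check is a stand-in for "did I guess right?", and the function names and the guessing rate are made up for illustration.

```python
import hashlib
from itertools import product

DIGITS = "0123456789"

def check_value(secret: str) -> str:
    # Stand-in for "did I guess right?": a SHA-256 fingerprint of the secret.
    return hashlib.sha256(secret.encode()).hexdigest()

def brute_force(target: str, length: int):
    """Count up from 00...0 to 99...9; return (secret, guesses_used)."""
    for guesses, combo in enumerate(product(DIGITS, repeat=length), start=1):
        guess = "".join(combo)
        if check_value(guess) == target:
            return guess, guesses
    return None, 10 ** length

def worst_case(length: int) -> int:
    # Guesses needed when the secret is the very last candidate tried.
    return brute_force(check_value("9" * length), length)[1]

def years_to_try_all(bits: int, guesses_per_second: int) -> int:
    # Whole years needed to walk an entire keyspace of 2**bits keys.
    # Integer math only, so it also works for very large keys.
    return 2 ** bits // guesses_per_second // (365 * 24 * 3600)

if __name__ == "__main__":
    for n in (2, 3, 4, 5):
        print(n, "digits -> worst case", worst_case(n), "guesses")
    # Constructed rate: a trillion guesses per second.
    rate = 10 ** 12
    print("128-bit key:", years_to_try_all(128, rate), "years")
    print("4096-bit key: a number of years with",
          len(str(years_to_try_all(4096, rate))), "digits")
```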
With modern keys of 4096 bits, brute forcing takes dang near forever and there are just more intelligent ways of doing it. This is why the brute force method of cracking a large key is the very last resort of any cryptanalyst (those are the guys that crack the crypto stuff). And if a key can ever be brute forced, that means it's reeeeaaaaalllllly
Unfortunately some cryptosystem engineers haven't figured out that a bigger key isn't necessarily a better system.
For instance, the PCS phone carrier that I use advertised the safety of talking on their phones by saying that "Our phones are so secure that in order to break through their communications privacy you'd have to guess four trillion keys in less than a second! Hoo yah! We're all that!" They didn't use those actual words, but it was something like that, and you know by now that they were talking about a brute force attack. The problem is that they didn't really look at the rest of the actual cryptosystem they used.
Then some really awesome hackers looked at the actual system they used to encrypt the communication (remember the "algorithm?") and found some mathematical flaws that would allow anyone with a little know-how and some common equipment to decrypt the phone call information. Needless to say I made fun of my PCS people forEVER after
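To see "Big Manly Key + Weak Wimpy Algorithm = Weak System" in action, here is an added example that is not part of the original text. The toy cipher is made up for this page (it is not the algorithm the PCS carrier used, which the text does not describe), and the sample message and all names are constructed for illustration.

```python
import secrets

KEY_BYTES = 4096 // 8  # a 4096-bit key, as big as the ones mentioned above

def toy_cipher(data: bytes, key: bytes) -> bytes:
    """Weak toy algorithm (constructed for this example): XOR every byte
    with the key, starting over at the front of the key when it runs out.
    Running it a second time with the same key decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_key(known_plaintext: bytes, ciphertext: bytes, key_len: int) -> bytes:
    """No guessing at all: plaintext XOR ciphertext hands the key back,
    because XOR undoes itself."""
    if len(known_plaintext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(p ^ c for p, c in zip(known_plaintext[:key_len], ciphertext))

def demo():
    key = secrets.token_bytes(KEY_BYTES)  # big, properly random key
    # Constructed sample message: a predictable header anyone could guess,
    # followed by the part that was supposed to stay private.
    header = b"HELLO THIS IS A STANDARD GREETING. " * 15  # 525 bytes
    private = b"the part nobody else should read"
    ciphertext = toy_cipher(header + private, key)

    # Someone who only knows the header and sees the ciphertext:
    found = recover_key(header, ciphertext, KEY_BYTES)
    leaked = toy_cipher(ciphertext, found)[len(header):]
    return found == key, leaked

if __name__ == "__main__":
    key_matches, leaked = demo()
    print("recovered the 4096-bit key without brute force:", key_matches)
    print("private part read back:", leaked)
```

Counting through 2**4096 keys never comes into it: the flaw is in how the algorithm uses the key, so the size of the key stops mattering.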