Seecrets on Security: A Gentle Introduction on Cryptography Part 2

A slightly longer series of “Keep Your Secrets” articles contains practical examples and helpful tips. They, of course, continue the topic of understanding cryptography and computer security.

Unilateral hash

The algorithm, also known as a one-way function, message digest, fingerprint, or control amount, creates fixed-length outputs that cannot be undone. Unilateral hashes provide control amounts for file verification, digital certificates, and play a central role in many authentication schemes.

Let’s look at this example. For centuries, the Chinese had a divination method based on Ba Ji (eight characters) using the time, day, month and year of birth according to their calendar. There are sixty possibilities (almost equal to 6 bits) for each of the four variables. Since the Chinese use two symbols for each variable, the result will always be eight characters. This is an example of an unsafe 24-bit one-way hash.

Obviously, this method of creating a one-way hash is unacceptable for security reasons because of the number of collisions (different inputs produce the same result).

The most commonly used hashes are SHA-1 (the safe hashing algorithm uses 160 bits) and MD5 (the message digest uses 128 bits). In August 2005, a team of cryptographers led by Xioyun Wang of Shandong University in China presented an article that found faster ways to detect collisions than using the usual brute force method. These exploits (vulnerabilities) can make the counterfeiting of digital certificates a reality.

The implications for e-commerce can be summarized, not to mention the millions of websites that have used MD5 to hash users’ passwords in their databases. Any webmaster can tell you that converting these sites to SHA-256 or SHA-512 will not be easy.

In a recent guide, the National Institute of Standards and Technology (NIST, USA) recommended that U.S. government agencies use SHA-256 or SHA-512 (256 and 512 bits, respectively) instead.


A biometric device is a device that can detect unique characteristics by finger, eye or voice. Many believe that biometrics should provide a higher level of security than other forms of authentication.

In March 2005, it was reported that the Malaysian owner had lost his Mercedes car and index finger in an attack by hijackers armed with machetes. Obviously, ignition electronics without a key cannot determine whether the finger is still part of the original body, and also whether the finger (and therefore the person) is alive or not.

Recent security breaches have raised concerns about the repositories of personal information stored on many financial websites. Therefore, when such violations occur, the number of identity thefts also increases.

If you lose your credit card, you can always cancel it and get a new one. If you lose your fingerprint (stored digitally) or other biometric identifiers, who can replace it?


Most people inevitably used materials that seemed familiar to them, such as birthdays, family names, pet names, etc., when asked to recall a random number or symbols.

For example, most people will choose the dates when they are asked to choose a six-digit number for their PIN (personal identification number). This reduces the number of possibilities by nine times.

Random numbers and generators

Random numbers are at the heart of cryptography. To be considered true random numbers, output data from random number generators (HFCs) must pass statistical randomity tests. The two sets, which are considered de facto standards, are an “unconed” set developed by Prof. George Marsaglia of Florida State University and a set of NIST statistical tests.

Secondly, the output of the PPP should be unpredictable, even with full knowledge of the algorithm or equipment producing the series, and all the previously created bits.

Third, the GST output cannot be cloned when rerun even with the same input.

The most common approach to random numbers is using an algorithm run by a computer program (Yarrow, Tiny, Egads, Mersenne Twister). Such algorithms cannot produce random numbers, hence their name – generators of pseudo-random numbers (PRNG).

Another approach is to use physical events such as entropy produced by keyboard, mouse, interruptions, white noise from microphones or speakers, and disk drive behavior as an initial value.

Some will say that real random generators are those that can detect quantum behavior in subatomic physics. This is because randomness is inherent in the behavior of subatomic particles – remember the electronic cloud from school physics.

Single ground

The most efficient system is often the simplest. A disposable buffer (OTP) is a sequence of random bits that are the length of which are equal to the length of a digital object to be encrypted. To encode, simply use a simple computer operation, excluding OR (XOR). To decode enough XOR result encoded with the same random bits.

The flip side of using OTP is that it needs to be thrown away after use. Second, a one-time password and a digital object should have the same number of bits. Finally, there is an obvious problem of OTP synchronization between the recipient and the sender.

Leave a Reply