Solved

Security Code Strength

Posted on 2004-04-02
Last Modified: 2008-02-01
I am currently working on a project that involves some security hardware.  Specifically an electronic door lock.  The lock requires the employee to enter a passcode.

This passcode is changed every minute, 24 hours a day, 7 days a week, etc. etc .... The employee carries a little device that calculates this passcode that's based strictly on the current time and date.

Now there are obviously better ways of doing this but there are hardware restrictions.  To make things even less secure the engineers made it 4 parts that are merely appended together to form the 12-digit passcode. The passcode will always be 12 digits and any part of that code that makes it less will have leading zeros added to it.

It was up to me to create a logical algorithm that would secure this vulnerable system.  So although any passcode based on a date and time is not secure I think I did a pretty decent job of hiding it.

So my question is... can someone determine the method I used to encode the date and time given some examples? I figure if you guys can't figure it out then it's good enough for the application it will be applied to.  Good luck :)

on May 5, 2004 at 8:35 AM the passcode was 201200400175

on October 29, 2003 at 12:57 AM the passcode was 200323671653
Question by:aaronCS
16 Comments
 
LVL 12

Expert Comment

by:stefan73
ID: 10741849
Hi aaronCS,
For a real known-plaintext attack we need more pairs.

Cheers,
Stefan
0
 
LVL 12

Expert Comment

by:stefan73
ID: 10741857
BTW: This is not a cryptology forum. Consider going there.

But don't be sad when you have to trash your solution because someone broke it ;-)
0
 

Author Comment

by:aaronCS
ID: 10741871
How many more do you want to see? I can't make this too easy.
Realistically someone may only have a few pairs, if they were able to acquire more then they would already have access.
0
 
LVL 11

Expert Comment

by:lbertacco
ID: 10741887
Since anyone having a look at the device for a few minutes will see the code change, I think you should provide more pairs for a sequence of successive minutes.
0
 

Author Comment

by:aaronCS
ID: 10741902
You know this is a tough project since I am so limited.  It HAS to be 4 groups and it HAS to be based on the date and time.
It's not for Fort Knox so it doesn't have to be a hardcore code, I just didn't like the fact that it was SO easy to crack before.
0
 

Author Comment

by:aaronCS
ID: 10741991
That's a good point, lbertacco.  The device is controlled by a security guard so no one will have access to this device but him.  I didn't mention this before for simplicity's sake.  I want to assume that if it is possible for an unauthorized user to obtain 2 passcodes (minimum number required to solve an algo like this) would it be possible to crack the code.  So assume that the passcodes are very hard to obtain for anyone but the guard.
0
 
LVL 22

Expert Comment

by:grg99
ID: 10742104
Does the number 4638775 ring a bell? That's the ratio of the date difference divided by the code difference.

0
 

Author Comment

by:aaronCS
ID: 10742301
Keep in mind that the passcode is split into 4 parts but your ratio is being applied to the entire date.
0
 
LVL 5

Expert Comment

by:info_expert
ID: 10742767
You should better look at the congruence theory in a discrete mathematics book. It is really possible to decrypt on the basis of date and time. But a lot of effort is required to develop such a program to decrypt. But the programs previously developed can tell the relation on the basis of supercomputency. Got?
0
 
LVL 7

Expert Comment

by:knightmad
ID: 10744174
Well, Experts-Exchange is a good place to discover that the crypt algo isn't as strong as we imagined. Take a look at this thread, that I posted and surprised me a lot to see how weak the algo I was using was:
http://www.experts-exchange.com/Miscellaneous/Puzzles_Riddles/Q_20710835.html

Anyway, you may consider human factor when developing your algo. Unless you trust a lot (I mean, you trust more than in yourself) in every person that may have access to the device (and consequently the pairs), you should assume someone can have more than 2 pairs to test the strength of your code. What about 4 or more pairs? I would always work with the worst case possible, and 2 is not bad enough : )

Regards,
Fernando

P.S.   I am working to see if I can break the method
P.S.2 Do you work for the Men in Black?
0
 
LVL 22

Expert Comment

by:grg99
ID: 10744918
As a counter-example, look at how easily the VCR-Plus code was broken.  And that is a somewhat complex code, BUT it wasn't designed by crypto experts and there's lots of plaintext available :)

See:

www.tinaja.com/third/vcrplus.pdf

http://www.cs.princeton.edu/introcs/104crypto/

http://citeseer.ist.psu.edu/260048.html

0
 

Author Comment

by:aaronCS
ID: 10745314
Let's not look too much into the reasoning behind this code process.  As I mentioned there are limits to what the existing system can handle.
Please just give it a go and see what you can come up with in terms of a possible algo.
Thanks!
0
 

Author Comment

by:aaronCS
ID: 10745888
By using your favorite spreadsheet program, pen+paper, or computer, try to find how to split passcodes into 4 parts and how these 4 numbers have been calculated using date/time data.

Use simple math or bit operators... Don't try too complicated calculations. There is neither complex bit hashing (based on previous passcode) like real single-use token generator, nor checksum digits.

To those not familiar with English time notation, don't forget that "12:57 AM" means "0h57" (not "12h57"), and "10:37 PM" means "22h37" in 24-hour notation.
0
 
LVL 12

Expert Comment

by:stefan73
ID: 10755646
aaronCS,
The "devices" each employee carries are identical?

It would make them more secure if each of those devices was somehow different (i.e., the serial number is part of the key generation).

You could also disable one device in case of loss/theft.


Stefan
0
 
LVL 11

Accepted Solution

by:
PennGwyn earned 500 total points
ID: 10779364
digits 1-4 = year + hour
digits 5-6 = day + year - 2009
digits 7-8 = minutes + month
digits 9-10 = day + hour + year - 2016
digits 11-12 = 110 - minutes

> on May 5, 2004 at 8:35 AM the passcode was 201200400175

2004 05 05 08 35 => 2012 00 40 01 75

> on October 29, 2003 at 12:57 AM the passcode was 200323671653

2003 10 29 00 57 => 2003 23 67 16 53

0
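The formula from the accepted answer, checked against both passcodes in the question and set beside a keyed per-device code of the kind stefan73 suggests, as an added example that is not code from any poster. The HMAC construction, the device keys and the out-of-range check are assumptions made for illustration; the thread only gives the two samples and the arithmetic.

```python
import hashlib
import hmac
from datetime import datetime, timezone

def _field(value, width):
    # Zero-pad one group. The thread does not say what the lock does when a
    # group falls outside its width, so this example refuses instead of guessing.
    if not 0 <= value < 10 ** width:
        raise ValueError(f"group value {value} does not fit {width} digits")
    return str(value).zfill(width)

def unkeyed_code(t):
    """Accepted answer's formula: plain arithmetic on the time fields, no secret."""
    return (_field(t.year + t.hour, 4)
            + _field(t.day + t.year - 2009, 2)
            + _field(t.minute + t.month, 2)
            + _field(t.day + t.hour + t.year - 2016, 2)
            + _field(110 - t.minute, 2))

def keyed_code(device_key, t):
    """Assumed alternative: HMAC-SHA256 over the minute counter with a per-device key."""
    minute = int(t.replace(tzinfo=timezone.utc).timestamp()) // 60
    digest = hmac.new(device_key, minute.to_bytes(8, "big"), hashlib.sha256).digest()
    # Reduce 64 bits of the MAC to the lock's 12-digit format.
    return _field(int.from_bytes(digest[:8], "big") % 10 ** 12, 12)

# The two (time, passcode) pairs quoted in the question.
SAMPLES = [
    (datetime(2004, 5, 5, 8, 35), "201200400175"),
    (datetime(2003, 10, 29, 0, 57), "200323671653"),
]

def check_samples():
    # True when the accepted formula reproduces every quoted passcode.
    return all(unkeyed_code(t) == code for t, code in SAMPLES)

if __name__ == "__main__":
    print("formula reproduces both samples:", check_samples())
    key_a, key_b = b"constructed-key-device-A", b"constructed-key-device-B"
    for t, _ in SAMPLES:
        print(t, unkeyed_code(t), keyed_code(key_a, t), keyed_code(key_b, t))
```

With the unkeyed formula every device shows the same digits and the time alone determines them; with a per-device key, the digits differ per device and one lost device can be revoked without changing the others.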
