Security Code Strength

I am currently working on a project that involves some security hardware.  Specifically an electronic door lock.  The lock requires the employee to enter a passcode.

This passcode is changed every minute, 24 hours a day, 7 days a week, etc. etc .... The employee carries a little device that calculates this passcode that's based strictly on the current time and date.

Now there are obviously better ways of doing this but there are hardware restrictions.  To make things even less secure the engineers made it 4 parts that are merely appended together to form the 12-digit passcode. The passcode will always be 12 digits and any part of that code that makes it less will have leading zeros added to it.

It was up to me to create a logical algorithm that would secure this vulnerable system.  So although any passcode based on a date and time is not secure I think I did a pretty decent job of hiding it.

So my question is... can someone determine the method I used to encode the date and time given some examples? I figure if you guys can't figure it out then it's good enough for the application it will be applied to.  Good luck :)

on May 5, 2004 at 8:35 AM the passcode was 201200400175

on October 29, 2003 at 12:57 AM the passcode was 200323671653

Hi aaronCS,
For a real known-plaintext attack we need more pairs.

BTW: This is not a cryptology forum. Consider going there.

But don't be sad when you have to trash your solution because someone broke it ;-)
aaronCS (Author) commented:
How many more do you want to see? I can't make this too easy.
Realistically someone may only have a few pairs; if they were able to acquire more then they would already have access.

Since anyone having a look at the device for a few minutes will see the code change, I think you should provide more pairs for a sequence of successive minutes.
aaronCS (Author) commented:
You know this is a tough project since I am so limited.  It HAS to be 4 groups and it HAS to be based on the date and time.
It's not for Fort Knox so it doesn't have to be a hardcore code, I just didn't like the fact that it was SO easy to crack before.
aaronCS (Author) commented:
That's a good point, lbertacco.  The device is controlled by a security guard so no one will have access to this device but him.  I didn't mention this before for simplicity's sake.  I want to assume that if it is possible for an unauthorized user to obtain 2 passcodes (minimum number required to solve an algo like this) would it be possible to crack the code.  So assume that the passcodes are very hard to obtain for anyone but the guard.
Does the number 4638775 ring a bell?   That's the ratio of the date difference divided by the code difference.

aaronCS (Author) commented:
Keep in mind that the passcode is split into 4 parts but your ratio is being applied to the entire date.
You should better look at the congruence theory in a discrete mathematics book. It is really possible to decrypt on the basis of date and time. But a lot of effort is required to develop such a program to decrypt. But the programs previously developed can tell the relation on the basis of supercomputency. Got?
Well, Experts-Exchange is a good place to discover that the crypt algo isn't as strong as we imagined. Take a look at this thread that I posted; it surprised me a lot to see how weak the algo I was using was:

Anyway, you may consider human factor when developing your algo. Unless you trust a lot (I mean, you trust more than in yourself) in every person that may have access to the device (and consequently the pairs), you should assume someone can have more than 2 pairs to test the strength of your code. What about 4 or more pairs? I would always work with the worst case possible, and 2 is not bad enough : )


P.S.   I am working to see if I can break the method
P.S.2 Do you work for the Men in Black?
As a counter-example, look at how easily the VCR-Plus code was broken.  And that is a somewhat complex code, BUT it wasn't designed by crypto experts and there's lots of plaintext available :)


aaronCS (Author) commented:
Let's not look too much into the reasoning behind this code process.  As I mentioned there are limits to what the existing system can handle.
Please just give it a go and see what you can come up with in terms of a possible algo.
aaronCS (Author) commented:
By using your favorite spreadsheet program, pen+paper, or computer, try to find how to split passcodes into 4 parts and how these 4 numbers have been calculated using date/time data.

Use simple math or bit operators... Don't try too complicated calculations. There is neither complex bit hashing (based on previous passcode) like real single-use token generator, nor checksum digits.

To those not familiar with English time notation, don't forget that "12:57 AM" means "0h57" (not "12h57"), and "10:37 PM" means "22h37" in 24-hour notation.
The "devices" each employee carries are identical?

It would make them more secure if each of those devices was somehow different (i.e., the serial number is part of the key generation).

You could also disable one device in case of loss/theft.
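The per-device idea in the post above, sketched as an added example that is not part of the original thread: each device derives its own key from its serial number, and the lock skips revoked serials. The HMAC construction, the master secret, the serial numbers and the assumption that the hardware can compute HMAC-SHA256 are all illustrative choices, not anything the thread specifies.

```python
import hashlib
import hmac
import struct
from datetime import datetime, timezone

MASTER_SECRET = b"constructed-demo-secret"    # placeholder, provisioned at enrolment
ENROLLED = {"SN-0001", "SN-0002", "SN-0003"}  # hypothetical device serial numbers
REVOKED = {"SN-0002"}                         # e.g. a device reported lost

def device_key(serial: str) -> bytes:
    """Per-device key: the serial number is an input to key generation."""
    return hmac.new(MASTER_SECRET, serial.encode(), hashlib.sha256).digest()

def passcode(serial: str, when: datetime) -> str:
    """12-digit code for the minute containing `when`, keyed to one device."""
    minute_counter = int(when.timestamp()) // 60
    mac = hmac.new(device_key(serial), struct.pack(">Q", minute_counter),
                   hashlib.sha256).digest()
    # Truncate the MAC to 12 decimal digits, keeping leading zeros.
    return f"{int.from_bytes(mac[:8], 'big') % 10**12:012d}"

def lock_accepts(code: str, when: datetime) -> bool:
    """Lock side: accept only the current code of an enrolled, non-revoked device."""
    ok = False
    for serial in sorted(ENROLLED - REVOKED):
        # compare_digest avoids leaking how many leading digits matched
        ok |= hmac.compare_digest(passcode(serial, when), code)
    return ok

if __name__ == "__main__":
    now = datetime(2004, 5, 5, 8, 35, tzinfo=timezone.utc)
    for sn in sorted(ENROLLED):
        code = passcode(sn, now)
        print(sn, code, "accepted" if lock_accepts(code, now) else "rejected")
```

Without the key, observed date/passcode pairs from one device give no arithmetic relation to solve for, and revoking one serial leaves the other devices working.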

digits 1-4 = year + hour
digits 5-6 = day + year - 2009
digits 7-8 = minutes + month
digits 9-10 = day + hour + year - 2016
digits 11-12 = 110 - minutes

> on May 5, 2004 at 8:35 AM the passcode was 201200400175

2004 05 05 08 35 => 2012 00 40 01 75

> on October 29, 2003 at 12:57 AM the passcode was 200323671653

2003 10 29 00 57 => 2003 23 67 16 53
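The formula in the answer above, written out as an added example (not code from the thread) that checks it against both posted pairs and then inverts it. The range check is an addition here: the formula is only known to fit the two posted samples, and some inputs do not fit the fixed 12-digit layout.

```python
from datetime import datetime

def encode(dt: datetime) -> str:
    """The five fields from the answer, zero-padded and appended."""
    parts = [
        (dt.year + dt.hour, 4),                      # digits 1-4
        (dt.day + dt.year - 2009, 2),                # digits 5-6
        (dt.minute + dt.month, 2),                   # digits 7-8
        (dt.day + dt.hour + dt.year - 2016, 2),      # digits 9-10
        (110 - dt.minute, 2),                        # digits 11-12
    ]
    for value, width in parts:
        # A negative or too-wide field cannot be written in its slot.
        if not 0 <= value < 10 ** width:
            raise ValueError(f"field value {value} does not fit {width} digits")
    return "".join(f"{v:0{w}d}" for v, w in parts)

def decode(code: str) -> datetime:
    """Invert the arithmetic: the passcode alone gives back the date and time."""
    a, b, c, d, e = (int(code[i:j]) for i, j in
                     ((0, 4), (4, 6), (6, 8), (8, 10), (10, 12)))
    minute = 110 - e
    month = c - minute
    hour = d - b + 7          # (day+hour+year-2016) - (day+year-2009) = hour - 7
    year = a - hour
    day = b - year + 2009
    return datetime(year, month, day, hour, minute)

if __name__ == "__main__":
    # The two pairs posted in the question.
    samples = {
        datetime(2004, 5, 5, 8, 35): "201200400175",
        datetime(2003, 10, 29, 0, 57): "200323671653",
    }
    for when, code in samples.items():
        print(when, encode(when) == code, decode(code) == when)
```

Every field is a sum of date parts and a constant, so nothing secret is mixed in: the code carries the full timestamp and `decode` recovers it with subtraction alone.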
