Solved

Security Code Strength

Posted on 2004-04-02
Last Modified: 2008-02-01
I am currently working on a project that involves some security hardware.  Specifically an electronic door lock.  The lock requires the employee to enter a passcode.

This passcode is changed every minute, 24 hours a day, 7 days a week, etc. etc .... The employee carries a little device that calculates this passcode that's based strictly on the current time and date.

Now there are obviously better ways of doing this but there are hardware restrictions.  To make things even less secure the engineers made it 4 parts that are merely appended together to form the 12-digit passcode. The passcode will always be 12 digits and any part of that code that makes it less will have leading zeros added to it.

It was up to me to create a logical algorithm that would secure this vulnerable system.  So although any passcode based on a date and time is not secure, I think I did a pretty decent job of hiding it.

So my question is... can someone determine the method I used to encode the date and time given some examples? I figure if you guys can't figure it out then it's good enough for the application it will be applied to.  Good luck :)

on May 5, 2004 at 8:35 AM the passcode was 201200400175

on October 29, 2003 at 12:57 AM the passcode was 200323671653
0
Question by:aaronCS
16 Comments
 
LVL 12

Expert Comment

by:stefan73
Hi aaronCS,
For a real known-plaintext attack we need more pairs.

Cheers,
Stefan
0
 
LVL 12

Expert Comment

by:stefan73
BTW: This is not a cryptology forum. Consider going there.

But don't be sad when you have to trash your solution because someone broke it ;-)
0
 

Author Comment

by:aaronCS
How many more do you want to see? I can't make this too easy.
Realistically someone may only have a few pairs; if they were able to acquire more then they would already have access.
0
 
LVL 11

Expert Comment

by:lbertacco
Since anyone having a look at the device for a few minutes will see the code change, I think you should provide more pairs for a sequence of successive minutes.
0
 

Author Comment

by:aaronCS
You know this is a tough project since I am so limited.  It HAS to be 4 groups and it HAS to be based on the date and time.
It's not for Fort Knox so it doesn't have to be a hardcore code, I just didn't like the fact that it was SO easy to crack before.
0
 

Author Comment

by:aaronCS
That's a good point, lbertacco.  The device is controlled by a security guard so no one will have access to this device but him.  I didn't mention this before for simplicity's sake.  I want to assume that if it is possible for an unauthorized user to obtain 2 passcodes (minimum number required to solve an algo like this) would it be possible to crack the code.  So assume that the passcodes are very hard to obtain for anyone but the guard.
0
 
LVL 22

Expert Comment

by:grg99
Does the number 4638775 ring a bell?  That's the ratio of the date difference divided by the code difference.

0
 

Author Comment

by:aaronCS
Keep in mind that the passcode is split into 4 parts but your ratio is being applied to the entire date.
0
 
LVL 5

Expert Comment

by:info_expert
You should better look at the congruence theory in a discrete mathematics book. It is really possible to decrypt on the basis of date and time. But a lot of effort is required to develop such a program to decrypt. But the programs previously developed can tell the relation on the basis of supercomputency. Got?
0
 
LVL 7

Expert Comment

by:knightmad
Well, Experts-Exchange is a good place to discover that the crypt algo isn't as strong as we imagined. Take a look at this thread, that I posted and surprised me a lot to see how weak the algo I was using was:
http://www.experts-exchange.com/Miscellaneous/Puzzles_Riddles/Q_20710835.html

Anyway, you may consider the human factor when developing your algo. Unless you trust a lot (I mean, you trust more than in yourself) in every person that may have access to the device (and consequently the pairs), you should assume someone can have more than 2 pairs to test the strength of your code. What about 4 or more pairs? I would always work with the worst case possible, and 2 is not bad enough : )

Regards,
Fernando

P.S.   I am working to see if I can break the method
P.S.2 Do you work for the Men in Black?
0
 
LVL 22

Expert Comment

by:grg99
As a counter-example, look at how easily the VCR-Plus code was broken.  And that is a somewhat complex code, BUT it wasn't designed by crypto experts and there's lots of plaintext available :)

See:

www.tinaja.com/third/vcrplus.pdf

http://www.cs.princeton.edu/introcs/104crypto/

http://citeseer.ist.psu.edu/260048.html

0
 

Author Comment

by:aaronCS
Let's not look too much into the reasoning behind this code process.  As I mentioned there are limits to what the existing system can handle.
Please just give it a go and see what you can come up with in terms of a possible algo.
Thanks!
0
 

Author Comment

by:aaronCS
By using your favorite spreadsheet program, pen+paper, or computer, try to find how to split passcodes into 4 parts and how these 4 numbers have been calculated using date/time data.

Use simple math or bits operators... Don't try too complicated calculations. There is neither complex bit hashing (based on previous passcode) like real single-use token generator, nor checksum digits.

To those not familiar with English time notation, don't forget that "12:57 AM" means "0h57" (not "12h57"), and "10:37 PM" means "22h37" in 24-hour notation.
0
 
LVL 12

Expert Comment

by:stefan73
aaronCS,
The "devices" each employee carries are identical?

It would make them more secure if each of those devices was somehow different (i.e., the serial number is part of the key generation).

You could also disable one device in case of loss/theft.


Stefan
0
 
LVL 11

Accepted Solution

by:PennGwyn (earned 500 total points)
digits 1-4 = year + hour
digits 5-6 = day + year - 2009
digits 7-8 = minutes + month
digits 9-10 = day + hour + year - 2016
digits 11-12 = 110 - minutes

> on May 5, 2004 at 8:35 AM the passcode was 201200400175

2004 05 05 08 35 => 2012 00 40 01 75

> on October 29, 2003 at 12:57 AM the passcode was 200323671653

2003 10 29 00 57 => 2003 23 67 16 53

0
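The accepted answer's field layout next to the per-device keying stefan73 suggests, as an added example that is not code from this thread or from the lock itself. `clock_only_passcode` transcribes the answer's formula, so anyone who knows the time can compute it; `keyed_passcode`, its HMAC-SHA256 construction and the device secrets are assumptions made up for the comparison.

```python
import calendar
import hashlib
import hmac
from datetime import datetime, timedelta

def clock_only_passcode(t: datetime) -> str:
    """Layout from the accepted answer: every field is plain clock arithmetic."""
    fields = [
        (t.year + t.hour, 4),                  # digits 1-4
        (t.day + t.year - 2009, 2),            # digits 5-6
        (t.minute + t.month, 2),               # digits 7-8
        (t.day + t.hour + t.year - 2016, 2),   # digits 9-10
        (110 - t.minute, 2),                   # digits 11-12
    ]
    parts = []
    for value, width in fields:
        # The answer's fit is only known to hold for the two posted samples;
        # refuse inputs where a field would not fit its stated width.
        if not 0 <= value < 10 ** width:
            raise ValueError(f"field value {value} does not fit {width} digits")
        parts.append(f"{value:0{width}d}")
    return "".join(parts)

def keyed_passcode(secret: bytes, t: datetime, digits: int = 12) -> str:
    """Keyed alternative (assumed design): HMAC-SHA256 over the minute counter."""
    counter = calendar.timegm(t.timetuple()) // 60   # naive time treated as UTC
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    value = int.from_bytes(mac[:8], "big") % 10 ** digits
    return f"{value:0{digits}d}"

def digits_changed(a: str, b: str) -> int:
    """Number of digit positions that differ between two equal-length codes."""
    return sum(x != y for x, y in zip(a, b))

if __name__ == "__main__":
    t = datetime(2004, 5, 5, 8, 35)            # first sample from the question
    nxt = t + timedelta(minutes=1)
    print(clock_only_passcode(t), clock_only_passcode(nxt))
    print(digits_changed(clock_only_passcode(t), clock_only_passcode(nxt)))
    # Constructed secrets: one per device, so a lost device can be revoked.
    for secret in (b"constructed-device-A", b"constructed-device-B"):
        print(keyed_passcode(secret, t), keyed_passcode(secret, nxt))
```

At minute 0 the last field of the fitted formula is 110, which does not fit two digits, so a rule fitted to two samples reproduces those samples without necessarily being the device's complete rule.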
