1/10/14

One time codes, ciphers and online security.

Modern computer systems rely on cryptography (ciphers) for security.

Information in transit is encrypted, or disguised, so it is harder for unwanted parties to eavesdrop on or alter it. If someone collects passwords, or even encrypted data, it can be used as a clue for later attacks.

But any cipher can be broken in a finite amount of time, sometimes more efficiently, sometimes less. At any rate, a stroke of 'luck' can result in uncovering the cryptographic key.

What about passwords or PINs? They are part of security as well. The problem is that with too simple a password, an account can be attacked with brute-force methods (trying all possible permutations of characters: letters, digits or others, sometimes combined with dictionary words and character sequences). With too 'clever' passwords, people tend to forget them and use aids such as stickers on monitors, and this opens an avenue for other kinds of attacks.

To rely only on cryptography and internet security measures is foolishness, for any account can be penetrated (hacked) and its information stolen.

Modern banks use one-time passwords to add extra security to users' accounts. It's simple: part of the cryptographic key is stored in the computer system, part of it is the password, and part of it is a one-time code*. In that case, even if everything online gets stolen, attackers still do not know the whole picture. They can attack the system by trying all possible combinations, but I bet that after 3 tries (more or less) someone raises a quiet alarm and the 'police' get called.

There are other possible security measures, but I think that real security should rely not only on information or a cipher, but also on something physical, such as a USB key, an authentication code generator (such as in online games), or a card with one-time codes, each used only once... perhaps with a few failing tries allowed, or something similar.
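As an added example (not code from the original post), here is a hypothetical verifier for the "card of one-time codes" scheme above: a server-side secret, a password, and a code that is accepted only once, with a quiet alarm after three failed tries. The server secret, the password, and the HMAC-based derivation of the printed codes are all my assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import struct


class OneTimeCodeVerifier:
    """Password + card of one-time codes; each code spends once; 3 failures raise an alarm."""
    MAX_FAILURES = 3      # "after 3 tries someone raises a quiet alarm"
    CARD_SIZE = 10        # number of codes printed on the card (constructed value)

    def __init__(self, password: str, server_secret: bytes):
        # Part 1 of the "key": a secret known only to the server (assumed, constructed).
        self._secret = server_secret
        # Part 2: the password, stored only as a salted PBKDF2 hash, never in clear.
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._hash_password(password, self._salt)
        # Part 3: the one-time codes; remember which slots have already been spent.
        self._used = set()
        self.failures = 0
        self.alarm = False

    @staticmethod
    def _hash_password(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def code_for(self, index: int) -> str:
        # Printed 6-digit code for card slot `index`, derived with HMAC-SHA256 from the secret.
        mac = hmac.new(self._secret, struct.pack(">I", index), hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

    def issue_card(self) -> list:
        # What the bank would print and hand to the customer once.
        return [self.code_for(i) for i in range(self.CARD_SIZE)]

    def verify(self, password: str, index: int, code: str) -> bool:
        if self.alarm:
            return False  # locked: nothing is accepted until a human looks at it
        pw_ok = hmac.compare_digest(self._hash_password(password, self._salt), self._pw_hash)
        code_ok = (0 <= index < self.CARD_SIZE and index not in self._used
                   and hmac.compare_digest(self.code_for(index), code))
        # Both factors are checked before answering, so a failure does not say which was wrong.
        if pw_ok and code_ok:
            self._used.add(index)     # spent: replaying this code later is refused
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            self.alarm = True         # the "quiet alarm"
        return False
```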

Summary: do not rely on online-only security. I would not rely on phone authenticators either, for they can be hacked. Any device can be if it's connected.

* For example: these short parts of the key are added to the ciphertext and transformed according to the data contained in the key, so we have the whole ciphertext. If we have the whole ciphertext, we can use the rest of the key (+ algorithm) to decrypt the rest of the ciphertext into plaintext. (Algorithm + key = full recipe to encrypt or decrypt. Knowing the algorithm, we can attack the key, but there is usually a trapdoor function.)
