A cryptology tip for those upset about cyber-security.

B.H.

Aug 1, 2022, 12:45:06 PM

https://news.yahoo.com/thousands-lives-depend-transplant-network-121902476.html

If you have your own server, you don't need to use public key cryptology algorithms based on factorization or the discrete logarithm problem. You can simply use one-time pad and private-key cryptography and randomly generate new one-time-pad private keys every so often, perhaps every time a user logs in. If the private keys are stored and re-created--using a carefully concealed and complicated seed for the random number generator that is never known to the public--on what you might term a "minimal output server"--you could have the server send only one bit at a time, as in "true" for access granted or "false" for access denied--you could simply have login attempts sent to the "partly offline" server, verified there, and you could have the results transmitted back to the main server to either grant or deny access.

The purpose of public-key crypto is to have a system that everyone knows that supposedly, though not really, no one can decrypt, so that you can essentially have a "mail slot" system...someone can send you a message, encrypting it with your publicly known public key, and no one but you, with your private key, can decrypt it. Some hash functions for passwords use similar technology, but that is not secure; DLP-type and RSA cryptosystems can all be broken in PTIME.

I have a better version of provably secure public-key crypto, but I'm not publishing it. We were taught about one-time pad in the CS department's crypto class that I started but later withdrew from. In general, there is no reason not to just use "frequently updated one-time pad" to secure passwords.

Other cyber attacks, AFAIK, typically involve using something along the lines of a SQL injection attack, where non-comprehensively-written code is exploited by providing inputs that aren't properly taken care of. There are good books on PHP security, I think--I haven't read the book I bought but it looks good--and probably for other languages, too. In general, if your programmers are aware of what the software will be used for, they can make sure to deal with special cases with if statements and the like to address "wild inputs" that may be from malicious actors. AFAIK, as a non-expert who hasn't really studied it, it's a failure to address certain (often tedious/boring) special cases in the source code.

-Philip White (philip...@yahoo.com)
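
An added example, not part of the original post: a sketch of a verifier that exposes a single boolean per login attempt, as the "minimal output server" above describes, and that binds the login name as a query parameter so that unexpected input is treated as data. It assumes a salted PBKDF2 hash in place of the post's one-time-pad scheme; the table layout, iteration count and function names are hypothetical.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000  # constructed value for this demo


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password (assumed storage scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Dummy record so an unknown user costs the same work as a known one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _derive("placeholder", _DUMMY_SALT)


def make_store() -> sqlite3.Connection:
    """In-memory credential store standing in for the verifier's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, hash BLOB)")
    return db


def enroll(db: sqlite3.Connection, name: str, password: str) -> None:
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               (name, salt, _derive(password, salt)))


def verify(db: sqlite3.Connection, name, password) -> bool:
    """The only interface the verifier exposes: one bit per attempt."""
    if not isinstance(name, str) or not isinstance(password, str):
        return False
    # Placeholder binding: the name is passed as data, never spliced into SQL.
    row = db.execute("SELECT salt, hash FROM users WHERE name = ?",
                     (name,)).fetchone()
    salt, stored = row if row else (_DUMMY_SALT, _DUMMY_HASH)
    # Constant-time comparison; no detail about why a login failed is returned.
    matches = hmac.compare_digest(_derive(password, salt), stored)
    return matches and row is not None
```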

