Which trust model in cryptography is the simplest

It enables us to verify a website via a digital certificate, to verify a passport using a digital signature, or to verify a bank card using a challenge-response mechanism.

With that in mind, how do we trust cryptography in the first place without a true understanding of what it is? Everything seems to rest on the trust of this one part of the technology stack. Well, there are various ways we ensure the trust is guaranteed in cryptographic operations. Among others:. There are many ways to secure cryptographic keys so that only valid users have access to the keys. Examples include secure storage on devices such as USB keys and smart cards.

Encryption and decryption What is cryptography? Cryptography is the science of using mathematics to encrypt and decrypt data.

Cryptography enables you to store sensitive information or transmit it across insecure networks like the Internet so that it cannot be read by anyone except the intended recipient. Strong cryptography "There are two kinds of cryptography in this world: cryptography that will stop your kid sister from reading your files, and cryptography that will stop major governments from reading your files.

This book is about the latter. How does cryptography work? A cryptographic algorithm, or cipher, is a mathematical function used in the encryption and decryption process. A cryptographic algorithm works in combination with a key — a word, number, or phrase — to encrypt the plaintext. The same plaintext encrypts to different ciphertext with different keys.

The security of encrypted data is entirely dependent on two things: the strength of the cryptographic algorithm and the secrecy of the key. Conventional cryptography In conventional cryptography, also called secret-key or symmetric-key encryption, one key is used both for encryption and decryption.

Figure is an illustration of the conventional encryption process. Conventional encryption Caesar's Cipher An extremely simple example of conventional cryptography is a substitution cipher.

A substitution cipher substitutes one piece of information for another. This is most frequently done by offsetting letters of the alphabet. In both cases, the algorithm is to offset the alphabet and the key is the number of characters to offset it. Key management and conventional encryption Conventional encryption has benefits. It is very fast. It is especially useful for encrypting data that is not going anywhere.

However, conventional encryption alone as a means for transmitting secure data can be quite expensive simply due to the difficulty of secure key distribution. Public key cryptography The problems of key distribution are solved by public key cryptography, the concept of which was introduced by Whitfield Diffie and Martin Hellman in There is now evidence that the British Secret Service invented it a few years before Diffie and Hellman, but kept it a military secret — and did nothing with it.

Public key encryption The primary benefit of public key cryptography is that it allows people who have no preexisting security arrangement to exchange messages securely. PGP is a hybrid cryptosystem. Data compression saves modem transmission time and disk space and, more importantly, strengthens cryptographic security.

Most cryptanalysis techniques exploit patterns found in the plaintext to crack the cipher. Compression reduces these patterns in the plaintext, thereby greatly enhancing resistance to cryptanalysis. Files that are too short to compress or which don't compress well aren't compressed. How PGP encryption works Decryption works in the reverse. How PGP decryption works The combination of the two encryption methods combines the convenience of public key encryption with the speed of conventional encryption.

Keys A key is a value that works with a cryptographic algorithm to produce a specific ciphertext. Keys are basically really, really, really big numbers. Key size is measured in bits; the number representing a bit key is darn huge.

In public key cryptography, the bigger the key, the more secure the ciphertext. Digital signatures Amajor benefit of public key cryptography is that it provides a method for employing digital signatures. Digital signatures enable the recipient of information to verify the authenticity of the information's origin, and also verify that the information is intact.

Thus, public key digital signatures provide authentication and data integrity. A digital signature also provides non-repudiation, which means that it prevents the sender from claiming that he or she did not actually send the information. These features are every bit as fundamental to cryptography as privacy, if not more. Simple digital signatures Hash functions The system described above has some problems. It is slow, and it produces an enormous volume of data — at least double the size of the original information.

An improvement on the above scheme is the addition of a one-way hash function in the process. A one-way hash function takes variable-length input — in this case, a message of any length, even thousands or millions of bits — and produces a fixed-length output; say, bits.

The hash function ensures that, if the information is changed in any way — even by just one bit — an entirely different output value is produced. Secure digital signatures Digital signatures play a major role in authenticating and validating other PGP users' keys.

Digital certificates One issue with public key cryptosystems is that users must be constantly vigilant to ensure that they are encrypting to the correct person's key. In an environment where it is safe to freely exchange keys via public servers, man-in-the-middle attacks are a potential threat. In this type of attack, someone posts a phony key with the name and user ID of the user's intended recipient. Data encrypted to — and intercepted by — the true owner of this bogus key is now in the wrong hands.

A digital certificate consists of three things: A public key. Certificate information. One or more digital signatures. The purpose of the digital signature on a certificate is to state that the certificate information has been attested to by some other person or entity.

The digital signature does not attest to the authenticity of the certificate as a whole; it vouches only that the signed identity information goes along with, or is bound to, the public key. Anatomy of a PGP certificate Certificate distribution Certificates are utilized when it's necessary to exchange public keys with someone else. For small groups of people who wish to communicate securely, it is easy to manually exchange diskettes or emails containing each owner's public key.

This is manual public key distribution, anditispracticalonlytoa certain point. Beyond that point, it is necessary to put systems into place that can provide the necessary security, storage, and exchange mechanisms so coworkers, business partners, or strangers could communicate if need be.

These can come in the form of storage-only repositories called Certificate Servers, or more structured systems that provide additional key management features and are called Public Key Infrastructures PKIs. Certificate formats A digital certificate is basically a collection of identifying information bound together with a public key and signed by a trusted third party to prove its authenticity. A digital certificate can be one of a number of different formats.

The certificate holder's information — this consists of "identity" information about the user, such as his or her name, user ID, photograph, and so on. The digital signature of the certificate owner — also called a self-signature, this is the signature using the corresponding private key of the public key associated with the certificate.

The preferred symmetric encryption algorithmfor the key — indicates the encryption algorithm to which the certificate owner prefers to have information encrypted. You might think of a PGP certificate as a public key with one or more labels tied to it see Figure On these 'labels' you'll find information identifying the owner of the key and a signature of the key's owner, which states that the key and the identification go together. This particular signature is called a self-signature; every PGP certificate contains a self-signature.

A PGP certificate X. The most current is version 3. The certificate holder's public key — the public key of the certificate holder, together with an algorithm identifier which specifies which cryptosystem the key belongs to and any associated key parameters. The serial number of the certificate — the entity application or person that created the certificate is responsible for assigning it a unique serial number to distinguish it from other certificates it issues.

This information is used in numerous ways; for example when a certificate is revoked, its serial number is placed in a Certificate Revocation List or CRL. The certificate holder's unique identifier — or DN — distinguished name. This name is intended to be unique across the Internet. The unique name of the certificate issuer — the unique name of the entity that signed the certificate. This is normally a CA. Using the certificate implies trusting the entity that signed this certificate.

Note that in some cases, such as root or top-level CA certificates, the issuer signs its own certificate. The digital signature of the issuer — the signature using the private key of the entity that issued the certificate. The signature algorithm identifier — identifies the algorithm used by the CA to sign the certificate. There are many differences between an X. You provide your public key, proof that you possess the corresponding private key, and some specific information about yourself.

You then digitally sign the information and send the whole package — the certificate request — to the CA. The CA then performs some due diligence in verifying that the information you provided is correct, and if so, generates the certificate and returns it. Validity and trust Every user in a public key system is vulnerable to mistaking a phony key certificate for a real one.

Validity is confidence that a public key certificate belongs to its purported owner. Validity is essential in a public key environment where you must constantly establish whether or not a particular certificate is authentic. Checking validity One way to establish validity is to go through some manual process. There are several ways to accomplish this. You could require your intended recipient to physically hand you a copy of his or her public key.

But this is often inconvenient and inefficient. Establishing trust You validate certificates. Improve this answer. It will be harder to get straight than randomness --and much, much harder to agree upon, especially by zero-trust purists.

Formal verification makes it even more powerful. Sign up or log in Sign up using Google. Sign up using Facebook. Sign up using Email and Password. Post as a guest Name. Email Required, but never shown.

The Overflow Blog. Does ES6 make JavaScript frameworks obsolete? Podcast Do polyglots have an edge when it comes to mastering programming Featured on Meta. Now live: A fully responsive profile. Related Hot Network Questions. Question feed. The harder problem is choosing one person say, you, the reader and then finding another person who has the same number of hairs on their head as you have on yours. This is somewhat similar to the Birthday Problem. Alas, researchers as far back as found that practical collision attacks could be launched on MD5, SHA-1, and other hash algorithms and, today, it is generally recognized that MD5 and SHA-1 are pretty much broken.

Readers interested in this problem should read the following:. For historical purposes, take a look at the situation with hash collisions, circa , in RFC In October , the SHA-1 Freestart Collision was announced; see a report by Bruce Schneier and the developers of the attack as well as the paper above by Stevens et al. See also the paper by Stevens et al.

Stevens, A. Lenstra, and B. Finally, note that certain extensions of hash functions are used for a variety of information security and digital forensics applications, such as:. So, why are there so many different types of cryptographic schemes?

Why can't we do everything we need with just one? The answer is that each scheme is optimized for some specific cryptographic application s. Hash functions, for example, are well-suited for ensuring data integrity because any change made to the contents of a message will result in the receiver calculating a different hash value than the one placed in the transmission by the sender.

Since it is highly unlikely that two different messages will yield the same hash value, data integrity is ensured to a high degree of confidence. Secret key cryptography, on the other hand, is ideally suited to encrypting messages, thus providing privacy and confidentiality. The sender can generate a session key on a per-message basis to encrypt the message; the receiver, of course, needs the same session key in order to decrypt the message.

Key exchange, of course, is a key application of public key cryptography no pun intended. Asymmetric schemes can also be used for non-repudiation and user authentication; if the receiver can obtain the session key encrypted with the sender's private key, then only this sender could have sent the message.

Public key cryptography could, theoretically, also be used to encrypt messages although this is rarely done because secret key cryptography values can generally be computed about times faster than public key cryptography values. Figure 4 puts all of this together and shows how a hybrid cryptographic scheme combines all of these functions to form a secure transmission comprising a digital signature and digital envelope.

In this example, the sender of the message is Alice and the receiver is Bob. A digital envelope comprises an encrypted message and an encrypted session key.

Alice uses secret key cryptography to encrypt her message using the session key , which she generates at random with each session. Alice then encrypts the session key using Bob's public key. The encrypted message and encrypted session key together form the digital envelope. Upon receipt, Bob recovers the session secret key using his private key and then decrypts the encrypted message.

The digital signature is formed in two steps. First, Alice computes the hash value of her message; next, she encrypts the hash value with her private key. Upon receipt of the digital signature, Bob recovers the hash value calculated by Alice by decrypting the digital signature with Alice's public key.

Bob can then apply the hash function to Alice's original message, which he has already decrypted see previous paragraph. If the resultant hash value is not the same as the value supplied by Alice, then Bob knows that the message has been altered; if the hash values are the same, Bob should believe that the message he received is identical to the one that Alice sent.

This scheme also provides nonrepudiation since it proves that Alice sent the message; if the hash value recovered by Bob using Alice's public key proves that the message has not been altered, then only Alice could have created the digital signature. Bob also has proof that he is the intended receiver; if he can correctly decrypt the message, then he must have correctly decrypted the session key meaning that his is the correct private key.

This diagram purposely suggests a cryptosystem where the session key is used for just a single session. Even if this session key is somehow broken, only this session will be compromised; the session key for the next session is not based upon the key for this session, just as this session's key was not dependent on the key from the previous session. This is known as Perfect Forward Secrecy ; you might lose one session key due to a compromise but you won't lose all of them.

In a article in the industry literature, a writer made the claim that bit keys did not provide as adequate protection for DES at that time as they did in because computers were times faster in than in Therefore, the writer went on, we needed 56,bit keys in instead of bit keys to provide adequate protection.

The conclusion was then drawn that because 56,bit keys are infeasible true , we should accept the fact that we have to live with weak cryptography false! The major error here is that the writer did not take into account that the number of possible key values double whenever a single bit is added to the key length; thus, a bit key has twice as many values as a bit key because 2 57 is two times 2 In fact, a bit key would have times more values than a bit key.

In cryptography, size does matter. The larger the key, the harder it is to crack a block of encrypted data. The reason that large keys offer more protection is almost obvious; computers have made it easier to attack ciphertext by using brute force methods rather than by attacking the mathematics which are generally well-known anyway. With a brute force attack, the attacker merely generates every possible key and applies it to the ciphertext. Any resulting plaintext that makes sense offers a candidate for a legitimate key.

Until the mids or so, brute force attacks were beyond the capabilities of computers that were within the budget of the attacker community.

By that time, however, significant compute power was typically available and accessible. General-purpose computers such as PCs were already being used for brute force attacks. Distributed attacks, harnessing the power of up to tens of thousands of powerful CPUs, are now commonly employed to try to brute-force crypto keys. This information was not merely academic; one of the basic tenets of any security system is to have an idea of what you are protecting and from whom are you protecting it!

The table clearly shows that a bit key was essentially worthless against even the most unsophisticated attacker. On the other hand, bit keys were fairly strong unless you might be subject to some pretty serious corporate or government espionage.

But note that even bit keys were clearly on the decline in their value and that the times in the table were worst cases. So, how big is big enough? DES, invented in , was still in use at the turn of the century, nearly 25 years later. If we take that to be a design criteria i. The DES proposal suggested bit keys; by , a bit key would have been required to offer equal protection and an bit key necessary by A or bit SKC key will probably suffice for some time because that length keeps us ahead of the brute force capabilities of the attackers.

Note that while a large key is good, a huge key may not always be better; for example, expanding PKC keys beyond the current or bit lengths doesn't add any necessary protection at this time. Weaknesses in cryptosystems are largely based upon key management rather than weak keys. Blaze, W. Diffie, R.

Rivest, B. Schneier, T. Shimomura, E. Thompson, and M. Wiener The most effective large-number factoring methods today use a mathematical Number Field Sieve to find a certain number of relationships and then uses a matrix operation to solve a linear equation to produce the two prime factors.

The sieve step actually involves a large number of operations that can be performed in parallel; solving the linear equation, however, requires a supercomputer. In early , Shamir of RSA fame described a new machine that could increase factorization speed by orders of magnitude. There still appear to be many engineering details that have to be worked out before such a machine could be built.

Furthermore, the hardware improves the sieve step only; the matrix operation is not optimized at all by this design and the complexity of this step grows rapidly with key length, both in terms of processing time and memory requirements.

Nevertheless, this plan conceptually puts bit keys within reach of being factored. It is also interesting to note that while cryptography is good and strong cryptography is better, long keys may disrupt the nature of the randomness of data files. Shamir and van Someren "Playing hide and seek with stored keys" have noted that a new generation of viruses can be written that will find files encrypted with long keys, making them easier to find by intruders and, therefore, more prone to attack.

Finally, U. Until the mids, export outside of North America of cryptographic products using keys greater than 40 bits in length was prohibited, which made those products essentially worthless in the marketplace, particularly for electronic commerce; today, crypto products are widely available on the Internet without restriction.

The U. Department of Commerce Bureau of Industry and Security maintains an Encryption FAQ web page with more information about the current state of encryption registration. Without meaning to editorialize too much in this tutorial, a bit of historical context might be helpful. In the mids, the U. Department of Commerce still classified cryptography as a munition and limited the export of any products that contained crypto. For that reason, browsers in the era, such as Internet Explorer and Netscape, had a domestic version with bit encryption downloadable only in the U.

Many cryptographers felt that the export limitations should be lifted because they only applied to U. Those restrictions were lifted by or , but there is still a prevailing attitude, apparently, that U. On a related topic, public key crypto schemes can be used for several purposes, including key exchange, digital signatures, authentication, and more.

The length of the secret keys exchanged via that system have to have at least the same level of attack resistance. Secure use of cryptography requires trust. While secret key cryptography can ensure message confidentiality and hash codes can ensure integrity, none of this works without trust. PKC solved the secret distribution problem, but how does Alice really know that Bob is who he says he is?

Just because Bob has a public and private key, and purports to be "Bob," how does Alice know that a malicious person Mallory is not pretending to be Bob? There are a number of trust models employed by various cryptographic schemes. This section will explore three of them:. Each of these trust models differs in complexity, general applicability, scope, and scalability. Pretty Good Privacy described more below in Section 5.

A PGP user maintains a local keyring of all their known and trusted public keys. The user makes their own determination about the trustworthiness of a key using what is called a "web of trust. This is a section of my keychain, so only includes public keys from individuals whom I know and, presumably, trust. Note that keys are associated with e-mail addresses rather than individual names.

In general, the PGP Web of trust works as follows. Suppose that Alice needs Bob's public key. Alice could just ask Bob for it directly via e-mail or download the public key from a PGP key server; this server might a well-known PGP key repository or a site that Bob maintains himself. In fact, Bob's public key might be stored or listed in many places.

Alice is prepared to believe that Bob's public key, as stored at these locations, is valid. Suppose Carol claims to hold Bob's public key and offers to give the key to Alice. How does Alice know that Carol's version of Bob's key is valid or if Carol is actually giving Alice a key that will allow Mallory access to messages?

The answer is, "It depends. And trust is not necessarily transitive; if Dave has a copy of Bob's key and Carol trusts Dave, it does not necessarily follow that Alice trusts Dave even if she does trust Carol. The point here is that who Alice trusts and how she makes that determination is strictly up to Alice. PGP makes no statement and has no protocol about how one user determines whether they trust another user or not.

In any case, encryption and signatures based on public keys can only be used when the appropriate public key is on the user's keyring. Kerberos is a commonly used authentication scheme on the Internet. Developed by MIT's Project Athena, Kerberos is named for the three-headed dog who, according to Greek mythology, guards the entrance of Hades rather than the exit, for some reason!

In this model, security and authentication will be based on secret key technology where every host on the network has its own secret key.

It would clearly be unmanageable if every host had to know the keys of all other hosts so a secure, trusted host somewhere on the network, known as a Key Distribution Center KDC , knows the keys for all of the hosts or at least some of the hosts within a portion of the network, called a realm. In this way, when a new node is brought online, only the KDC and the new node need to be configured with the node's key; keys can be distributed physically or by some other secure means.

While the details of their operation, functional capabilities, and message formats are different, the conceptual overview above pretty much holds for both. One primary difference is that Kerberos V4 uses only DES to generate keys and encrypt messages, while V5 allows other schemes to be employed although DES is still the most widely algorithm used.

Certificates and Certificate Authorities CA are necessary for widespread use of cryptography for e-commerce applications. While a combination of secret and public key cryptography can solve the business issues discussed above, crypto cannot alone address the trust issues that must exist between a customer and vendor in the very fluid, very dynamic e-commerce relationship.

How, for example, does one site obtain another party's public key? How does a recipient determine if a public key really belongs to the sender? How does the recipient know that the sender is using their public key for a legitimate purpose for which they are authorized? When does a public key expire? How can a key be revoked in case of compromise or loss? The basic concept of a certificate is one that is familiar to all of us. A driver's license, credit card, or SCUBA certification, for example, identify us to others, indicate something that we are authorized to do, have an expiration date, and identify the authority that granted the certificate.

As complicated as this may sound, it really isn't. Consider driver's licenses. I have one issued by the State of Florida. The license establishes my identity, indicates the type of vehicles that I can operate and the fact that I must wear corrective lenses while doing so, identifies the issuing authority, and notes that I am an organ donor. When I drive in other states, the other jurisdictions throughout the U.

When I leave the U. When I am in Aruba, Australia, Canada, Israel, and many other countries, they will accept not the Florida license, per se, but any license issued in the U. This analogy represents the certificate trust chain, where even certificates carry certificates. For purposes of electronic transactions, certificates are digital documents. The specific functions of the certificate include:. A sample abbreviated certificate is shown in Figure 7.

While this is a certificate issued by VeriSign, many root-level certificates can be found shipped with browsers. When the browser makes a connection to a secure Web site, the Web server sends its public key certificate to the browser. The browser then checks the certificate's signature against the public key that it has stored; if there is a match, the certificate is taken as valid and the Web site verified by this certificate is considered to be "trusted.

Most certificates today comply with X. Certificate authorities are the repositories for public keys and can be any agency that issues certificates. When a sender needs an intended receiver's public key, the sender must get that key from the receiver's CA.

That scheme is straight-forward if the sender and receiver have certificates issued by the same CA. If not, how does the sender know to trust the foreign CA? One industry wag has noted, about trust: "You are either born with it or have it granted upon you. CAs, in turn, form trust relationships with other CAs. Thus, if a user queries a foreign CA for information, the user may ask to see a list of CAs that establish a "chain of trust" back to the user.

One major feature to look for in a CA is their identification policies and procedures. When a user generates a key pair and forwards the public key to a CA, the CA has to check the sender's identification and takes any steps necessary to assure itself that the request is really coming from the advertised sender.

Different CAs have different identification policies and will, therefore, be trusted differently by other CAs. Verification of identity is just one of many issues that are part of a CA's Certification Practice Statement CPS and policies; other issues include how the CA protects the public keys in its care, how lost or compromised keys are revoked, and how the CA protects its own private keys. As a final note, CAs are not immune to attack and certificates themselves are able to be counterfeited.

Problems have continued over the years; good write-ups on this can be found at " Another Certification Authority Breached the 12th! The paragraphs above describe three very different trust models. It is hard to say that any one is better than the others; it depends upon your application. One of the biggest and fastest growing applications of cryptography today, though, is electronic commerce e-commerce , a term that itself begs for a formal definition.

PGP's web of trust is easy to maintain and very much based on the reality of users as people. The model, however, is limited; just how many public keys can a single user reliably store and maintain? And what if you are using the "wrong" computer when you want to send a message and can't access your keyring? How easy it is to revoke a key if it is compromised? PGP may also not scale well to an e-commerce scenario of secure communication between total strangers on short-notice.

Kerberos overcomes many of the problems of PGP's web of trust, in that it is scalable and its scope can be very large. In the early days of the Internet, every host had to maintain a list of every other host; the Domain Name System DNS introduced the idea of a distributed database for this purpose and the DNS is one of the key reasons that the Internet has grown as it has. While certificates and the benefits of a PKI are most often associated with electronic commerce, the applications for PKI are much broader and include secure electronic mail, payments and electronic checks, Electronic Data Interchange EDI , secure transfer of Domain Name System DNS and routing information, electronic forms, and digitally signed documents.

A single "global PKI" is still many years away, that is the ultimate goal of today's work as international electronic commerce changes the way in which we do business in a similar way in which the Internet has changed the way in which we communicate. The paragraphs above have provided an overview of the different types of cryptographic algorithms, as well as some examples of some available protocols and schemes.

The paragraphs below will show several real cryptographic applications that many of us employ knowingly or not everyday for password protection and private communication. Some of the schemes described below never were widely deployed but are still historically interesting, thus remain included here. But passwords are not typically kept on a host or server in plaintext, but are generally encrypted using some sort of hash scheme.

Note that each password is stored as a byte string. The first two characters are actually a salt , randomness added to each password so that if two users have the same password, they will still be encrypted differently; the salt, in fact, provides a means so that a single password might have different encryptions.

The remaining 11 bytes are the password hash, calculated using DES. This fact, coupled with the weak encryption of the passwords, resulted in the development of the shadow password system where passwords are kept in a separate, non-world-readable file used in conjunction with the normal password file.

In the NT case, all passwords are hashed using the MD4 algorithm, resulting in a bit byte hash value they are then obscured using an undocumented mathematical transformation that was a secret until distributed on the Internet. The password password , for example, might be stored as the hash value in hexadecimal b22d73c34bd4aa79c8b09f Passwords are not saved in plaintext on computer systems precisely so they cannot be easily compromised.

For similar reasons, we don't want passwords sent in plaintext across a network. But for remote logon applications, how does a client system identify itself or a user to the server? One mechanism, of course, is to send the password as a hash value and that, indeed, may be done. A weakness of that approach, however, is that an intruder can grab the password off of the network and use an off-line attack such as a dictionary attack where an attacker takes every known word and encrypts it with the network's encryption algorithm, hoping eventually to find a match with a purloined password hash.

In some situations, an attacker only has to copy the hashed password value and use it later on to gain unauthorized entry without ever learning the actual password.

An even stronger authentication method uses the password to modify a shared secret between the client and server, but never allows the password in any form to go across the network.

As suggested above, Windows NT passwords are stored in a security file on a server as a byte hash value. When a user logs on to a server from a remote workstation, the user is identified by the username, sent across the network in plaintext no worries here; it's not a secret anyway! The server then generates a bit random number and sends it to the client also in plaintext.

This number is the challenge. Recall that DES employs a bit key, acts on a bit block of data, and produces a bit output. In this case, the bit data block is the random number. The client actually uses three different DES keys to encrypt the random number, producing three different bit outputs.

The first key is the first seven bytes 56 bits of the password's hash value, the second key is the next seven bytes in the password's hash, and the third key is the remaining two bytes of the password's hash concatenated with five zero-filled bytes.

So, for the example above, the three DES keys would be b22d73c34 , bd4aa79c8b0 , and 9f Each key is applied to the random number resulting in three bit outputs, which comprise the response. Thus, the server's 8-byte challenge yields a byte response from the client and this is all that would be seen on the network. The server, for its part, does the same calculation to ensure that the values match. There is, however, a significant weakness to this system. Specifically, the response is generated in such a way as to effectively reduce byte hash to three smaller hashes, of length seven, seven, and two, respectively.

Thus, a password cracker has to break at most a 7-byte hash. One Windows NT vulnerability test program that I used in the past reported passwords that were "too short," defined as "less than 8 characters. This was, in fact, not the case at all; all the software really had to do was to look at the last eight bytes of the Windows NT LanMan hash to see that the password was seven or fewer characters.

Consider the following example, showing the LanMan hash of two different short passwords take a close look at the last 8 bytes :. MS-CHAP assumes that it is working with hashed values of the password as the key to encrypting the challenge. Diffie and Hellman introduced the concept of public key cryptography. The mathematical "trick" of Diffie-Hellman key exchange is that it is relatively easy to compute exponents compared to computing discrete logarithms.

Diffie-Hellman works like this. Alice and Bob start by agreeing on a large prime number, N. There is actually another constraint on G, namely that it must be primitive with respect to N. As an example, 2 is not primitive to 7 because the set of powers of 2 from 1 to 6, mod 7 i. The definition of primitive introduced a new term to some readers, namely mod. The phrase x mod y and read as written! Read more about the modulo function in the appendix.

Anyway, either Alice or Bob selects N and G; they then tell the other party what the values are. Alice and Bob then work independently Figure 9 :. Perhaps a small example will help here. In this example, then, Alice and Bob will both find the secret key 1 which is, indeed, 3 6 mod 7 i. A short digression on modulo arithmetic. This can be confirmed, of course, by noting that:. Diffie-Hellman can also be used to allow key sharing amongst multiple users.

Note again that the Diffie-Hellman algorithm is used to generate secret keys, not to encrypt and decrypt messages.