Secure Identifier Based Encrypted Password - SIBEP

Networking/Security Forums -> Cryptographic Theory and Cryptanalysis - Internal and Transmission Security

Author: MikeReedKSLocation: Overland Park, KS PostPosted: Mon Jan 05, 2004 8:54 pm    Post subject: Secure Identifier Based Encrypted Password - SIBEP
    ----
I've posted an announcement of a new piece of software for password security in the forum thread referenced HERE.

I thought that covering the algorithms used better fit this forum. I hope that the readers find this interesting and that I get great questions and feedback as to the approach used. We have a patent pending on the SIBEP concept, but the algorithms are open for everyone to explore and use.

The explanation below is not fully complete, but I had to keep it to a length that was reasonable. I will answer any and all questions.

Definitions
Password
Any set of data which is required for access.

Password Protected Object
Referred to in the remainder of this document as: PPO
Anything that requires a password for access.

Algorithms
A step-by-step problem-solving procedure, especially an established, recursive computational procedure for solving a problem in a finite number of steps.

Computing Device
Any device capable of processing Algorithms, communicating with one or more types of PPO and having the ability to generate a SIBEP.

User
A person or device wishing granted access to a PPO.

User Selected Password
Referred to in the remainder of this document as: USP
A password selected by the user.

Identifier
Referred to in the remainder of this document as: ID
Any set of data which can be used to identify a PPO.

Secure Identifier Based Encrypted Password
Referred to in the remainder of this document as: SIBEP
A password that is generated through the use of algorithms which combine an ID and a USP.

Portability
The ability to use any Computing Device that can communicate to the PPO.

Process Description
The process is defined as a set of five actions that are executed in order. The first two steps are interchangeable, but both steps must take place in the beginning of the process as the ID and USP are dependencies to the Algorithms.
Any Algorithm can be used, as long as it combines a USP and an ID to construct a SIBEP that is formatted correctly for the PPO.

Portability is accomplished because the SIBEP is generated at the time of use. A SIBEP can be re-created on any Computing Device. This allows the use of multiple Computing Devices while maintaining complete access to any SIBEP protected PPO.

Note: Typical password authentication follows a three step process.
SIBEP Algorithm for PassSafe (Simplified)

Get the one way MD5 Hash for the password.
md5("password") = 5F4DCC3B5AA765D61D8327DEB882CF99

Get the one way MD5 Hash for the lower case version of the host name.
md5("passsafe.com") = 33D3FC0867D534A3BB17A47567DAEBD0

Get the final one way MD5 Hash for the concatenated MD5 hashes.
md5("5F4DCC3B5AA765D61D8327DEB882CF9933D3FC0867D534A3BB17A47567DAEBD0") = 425E0A5B7085A674EFFBB4ED54EA41F1

PassSafe SIBEP Character Set (82 characters)
"0123456789abcdefghijklmnopqrstuvwxyz0123456789
ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789".
Example: 0 = "0", 10 = "a", 46 = "A", 81 = "9".

Use the remainder (modulo) when of each four byte value of the final MD5 Hash is divided by 82 as an offset into the "PassSafe SIBEP Character Set ".

If the first character is a number, then replace the character with the letter "A".

The first character is defined as:

4 Bytes From MD5 Hash = 425E
Remainder = 16
PassSafe Character = g (No replacement required)

The remaining characters are defined as:

0A5B
27
r

7085
23
n

A674
54
I

EFFB
17
h

B4ED
69
X

54EA
8
8

41F1
71
Z

The 8 character SIBEP using the outlined algorithm and SIBEP table for the password "password" on the "passsafe.com" web site = "grnIhX8Z".

The actual routines are a bit more complex, but generally this describes the process used. The SIBEP table used by passsafe uses a table of 1984 characters with 24 sets of 82 characters distributed evenly but not sequentially and extra numeric characters added to more evenly distribute the numerics with the upper and lower case characters. For each character in the output, I examine 16 bits of the resulting MD5 hash and use the remainder (modulo value) of that number divided by the number of entries in the table. The result is then used as an index into the table as originally outlined. This results in a character with an unknown original value as the same character can result from 24 different divisors because it exists at least that many times in the table, even more for numbers.

This assures that the multiple samples of the output must be gathered and it must be known that the user used the same password and a known domain to generate the SIBEP. Because the user can select to use the base, full or user defined domain input, the output becomes an indeterminate factor in reverse engineering the initial input. The formula is strictly one-way and can not be used for cryptography of information that needs to be decrypted, that was perfect for this application. Stronger encryption was available, but we feel comfortable that multiple layers of MD5 plus the modulo based table lookup, combined with the users ability to select infinite domain name inputs makes reverse engineering the process, even with the process well defined, as I have done here, reasonably impossible. If a government agency needed even stronger encryption, it could easily be added to the application.



Networking/Security Forums -> Cryptographic Theory and Cryptanalysis - Internal and Transmission Security


output generated using printer-friendly topic mod, All times are GMT + 2 Hours

Page 1 of 1

Powered by phpBB 2.0.x © 2001 phpBB Group