Joined: 07 Dec 2003
Location: Overland Park, KS
|Posted: Mon Jan 05, 2004 8:54 pm Post subject: Secure Identifier Based Encrypted Password - SIBEP
I've posted an announcement of a new piece of software for password security in the forum thread referenced HERE.
I thought that covering the algorithms used better fit this forum. I hope that the readers find this interesting and that I get great questions and feedback as to the approach used. We have a patent pending on the SIBEP concept, but the algorithms are open for everyone to explore and use.
The explanation below is not fully complete, but I had to keep it to a length that was reasonable. I will answer any and all questions.
Any set of data which is required for access.
Password Protected Object
Referred to in the remainder of this document as: PPO
Anything that requires a password for access.
A step-by-step problem-solving procedure, especially an established, recursive computational procedure for solving a problem in a finite number of steps.
Any device capable of processing Algorithms, communicating with one or more types of PPO and having the ability to generate a SIBEP.
A person or device wishing granted access to a PPO.
User Selected Password
Referred to in the remainder of this document as: USP
A password selected by the user.
Referred to in the remainder of this document as: ID
Any set of data which can be used to identify a PPO.
Secure Identifier Based Encrypted Password
Referred to in the remainder of this document as: SIBEP
A password that is generated through the use of algorithms which combine an ID and a USP.
The ability to use any Computing Device that can communicate to the PPO.
The process is defined as a set of five actions that are executed in order. The first two steps are interchangeable, but both steps must take place in the beginning of the process as the ID and USP are dependencies to the Algorithms.
The Computing Device retrieves the ID from the PPO (Or User).
Any Algorithm can be used, as long as it combines a USP and an ID to construct a SIBEP that is formatted correctly for the PPO.
The Computing Device retrieves the USP from the user (Or Storage)
The Computing Device uses Algorithms to create a SIBEP.
The SIBEP is passed to the PPO as the password.
Access is granted to the user.
Portability is accomplished because the SIBEP is generated at the time of use. A SIBEP can be re-created on any Computing Device. This allows the use of multiple Computing Devices while maintaining complete access to any SIBEP protected PPO.
Note: Typical password authentication follows a three step process.
The Computing Device retrieves the USP from the user
SIBEP Algorithm for PassSafe (Simplified)
The USP is passed to the PPO as the password.
Access is granted to the user.
Get the one way MD5 Hash for the password.
md5("password") = 5F4DCC3B5AA765D61D8327DEB882CF99
Get the one way MD5 Hash for the lower case version of the host name.
md5("passsafe.com") = 33D3FC0867D534A3BB17A47567DAEBD0
Get the final one way MD5 Hash for the concatenated MD5 hashes.
md5("5F4DCC3B5AA765D61D8327DEB882CF9933D3FC0867D534A3BB17A47567DAEBD0") = 425E0A5B7085A674EFFBB4ED54EA41F1
PassSafe SIBEP Character Set (82 characters)
Example: 0 = "0", 10 = "a", 46 = "A", 81 = "9".
Use the remainder (modulo) when of each four byte value of the final MD5 Hash is divided by 82 as an offset into the "PassSafe SIBEP Character Set ".
If the first character is a number, then replace the character with the letter "A".
The first character is defined as:
4 Bytes From MD5 Hash = 425E
Remainder = 16
PassSafe Character = g (No replacement required)
The remaining characters are defined as:
The 8 character SIBEP using the outlined algorithm and SIBEP table for the password "password" on the "passsafe.com" web site = "grnIhX8Z".
The actual routines are a bit more complex, but generally this describes the process used. The SIBEP table used by passsafe uses a table of 1984 characters with 24 sets of 82 characters distributed evenly but not sequentially and extra numeric characters added to more evenly distribute the numerics with the upper and lower case characters. For each character in the output, I examine 16 bits of the resulting MD5 hash and use the remainder (modulo value) of that number divided by the number of entries in the table. The result is then used as an index into the table as originally outlined. This results in a character with an unknown original value as the same character can result from 24 different divisors because it exists at least that many times in the table, even more for numbers.
This assures that the multiple samples of the output must be gathered and it must be known that the user used the same password and a known domain to generate the SIBEP. Because the user can select to use the base, full or user defined domain input, the output becomes an indeterminate factor in reverse engineering the initial input. The formula is strictly one-way and can not be used for cryptography of information that needs to be decrypted, that was perfect for this application. Stronger encryption was available, but we feel comfortable that multiple layers of MD5 plus the modulo based table lookup, combined with the users ability to select infinite domain name inputs makes reverse engineering the process, even with the process well defined, as I have done here, reasonably impossible. If a government agency needed even stronger encryption, it could easily be added to the application.