• RSS
  • Twitter
  • FaceBook

Security Forums

Log in

FAQ | Search | Usergroups | Profile | Register | RSS | Posting Guidelines | Recent Posts

Secure Identifier Based Encrypted Password - SIBEP

Users browsing this topic:0 Security Fans, 0 Stealth Security Fans
Registered Security Fans: None
Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> Cryptographic Theory and Cryptanalysis - Internal and Transmission Security

View previous topic :: View next topic  
Author Message
MikeReedKS
Just Arrived
Just Arrived


Joined: 07 Dec 2003
Posts: 0
Location: Overland Park, KS

Offline

PostPosted: Mon Jan 05, 2004 8:54 pm    Post subject: Secure Identifier Based Encrypted Password - SIBEP Reply with quote

I've posted an announcement of a new piece of software for password security in the forum thread referenced HERE.

I thought that covering the algorithms used better fit this forum. I hope that the readers find this interesting and that I get great questions and feedback as to the approach used. We have a patent pending on the SIBEP concept, but the algorithms are open for everyone to explore and use.

The explanation below is not fully complete, but I had to keep it to a length that was reasonable. I will answer any and all questions.

Definitions
Password
Any set of data which is required for access.

Password Protected Object
Referred to in the remainder of this document as: PPO
Anything that requires a password for access.

Algorithms
A step-by-step problem-solving procedure, especially an established, recursive computational procedure for solving a problem in a finite number of steps.

Computing Device
Any device capable of processing Algorithms, communicating with one or more types of PPO and having the ability to generate a SIBEP.

User
A person or device wishing granted access to a PPO.

User Selected Password
Referred to in the remainder of this document as: USP
A password selected by the user.

Identifier
Referred to in the remainder of this document as: ID
Any set of data which can be used to identify a PPO.

Secure Identifier Based Encrypted Password
Referred to in the remainder of this document as: SIBEP
A password that is generated through the use of algorithms which combine an ID and a USP.

Portability
The ability to use any Computing Device that can communicate to the PPO.

Process Description
The process is defined as a set of five actions that are executed in order. The first two steps are interchangeable, but both steps must take place in the beginning of the process as the ID and USP are dependencies to the Algorithms.
    The Computing Device retrieves the ID from the PPO (Or User).
    The Computing Device retrieves the USP from the user (Or Storage)
    The Computing Device uses Algorithms to create a SIBEP.
    The SIBEP is passed to the PPO as the password.
    Access is granted to the user.
Any Algorithm can be used, as long as it combines a USP and an ID to construct a SIBEP that is formatted correctly for the PPO.

Portability is accomplished because the SIBEP is generated at the time of use. A SIBEP can be re-created on any Computing Device. This allows the use of multiple Computing Devices while maintaining complete access to any SIBEP protected PPO.

Note: Typical password authentication follows a three step process.
    The Computing Device retrieves the USP from the user
    The USP is passed to the PPO as the password.
    Access is granted to the user.
SIBEP Algorithm for PassSafe (Simplified)

Get the one way MD5 Hash for the password.
md5("password") = 5F4DCC3B5AA765D61D8327DEB882CF99

Get the one way MD5 Hash for the lower case version of the host name.
md5("passsafe.com") = 33D3FC0867D534A3BB17A47567DAEBD0

Get the final one way MD5 Hash for the concatenated MD5 hashes.
md5("5F4DCC3B5AA765D61D8327DEB882CF9933D3FC0867D534A3BB17A47567DAEBD0") = 425E0A5B7085A674EFFBB4ED54EA41F1

PassSafe SIBEP Character Set (82 characters)
"0123456789abcdefghijklmnopqrstuvwxyz0123456789
ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789".
Example: 0 = "0", 10 = "a", 46 = "A", 81 = "9".

Use the remainder (modulo) when of each four byte value of the final MD5 Hash is divided by 82 as an offset into the "PassSafe SIBEP Character Set ".

If the first character is a number, then replace the character with the letter "A".

The first character is defined as:

4 Bytes From MD5 Hash = 425E
Remainder = 16
PassSafe Character = g (No replacement required)

The remaining characters are defined as:

0A5B
27
r

7085
23
n

A674
54
I

EFFB
17
h

B4ED
69
X

54EA
8
8

41F1
71
Z

The 8 character SIBEP using the outlined algorithm and SIBEP table for the password "password" on the "passsafe.com" web site = "grnIhX8Z".

The actual routines are a bit more complex, but generally this describes the process used. The SIBEP table used by passsafe uses a table of 1984 characters with 24 sets of 82 characters distributed evenly but not sequentially and extra numeric characters added to more evenly distribute the numerics with the upper and lower case characters. For each character in the output, I examine 16 bits of the resulting MD5 hash and use the remainder (modulo value) of that number divided by the number of entries in the table. The result is then used as an index into the table as originally outlined. This results in a character with an unknown original value as the same character can result from 24 different divisors because it exists at least that many times in the table, even more for numbers.

This assures that the multiple samples of the output must be gathered and it must be known that the user used the same password and a known domain to generate the SIBEP. Because the user can select to use the base, full or user defined domain input, the output becomes an indeterminate factor in reverse engineering the initial input. The formula is strictly one-way and can not be used for cryptography of information that needs to be decrypted, that was perfect for this application. Stronger encryption was available, but we feel comfortable that multiple layers of MD5 plus the modulo based table lookup, combined with the users ability to select infinite domain name inputs makes reverse engineering the process, even with the process well defined, as I have done here, reasonably impossible. If a government agency needed even stronger encryption, it could easily be added to the application.
Back to top
View user's profile Send private message Visit poster's website
Display posts from previous:   

Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> Cryptographic Theory and Cryptanalysis - Internal and Transmission Security All times are GMT + 2 Hours
Page 1 of 1


 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

Community Area

Log in | Register