Cryptography

Cryptography has been here since we are, we have to remember that to break a cryptography system was the objective of the first computers but also that cryptography and security are always related on iT or other for example:
Every poker player should learn a bit about cryptography. Because, in a way, playing poker is actually a form of cryptography. Let me explain.
Cryptography is the science of encoding information. Typically encryption is used to encode communications between two parties so that a third party is unable to understand it. For millennia, people have been trying to encrypt their communications—and the field of cryptography has become increasingly important over the years.
All of the innovation in cryptography is designed to address one problem. There is an inherent tradeoff between ease-of-use of a cryptographic method and its security.
Interestingly, if you are interested only in security—making sure that no one can possibly break your code—and not at all in ease-of-use, then the solution to perfect encryption is trivially simple. You can use a method called a one time pad.
Let’s say we have a message written in English that is 140 characters long. We want to encode this message so that only its intended recipient can read it. Before we send the message, we generate a list of 140 random numbers from 0 to 26. Maybe we have a computer generate this list. We write the random numbers down on a piece of paper and hand it to our intended recipient.
Then we compose the message. And for every character in our message, we add the corresponding number to it—adding meaning that we go that many letters forward in the alphabet to get the new letter. So if our letter is E, and the random number is 3, then in our encrypted message we use H, because H is three letters after E.
As a matter of details, let’s say the space character comes after Z, and if our number requires us to go beyond space, we wrap around to A and start from there.
So here’s how it works in practice. I generate a random list of 140 numbers, write them on a piece of paper, and give them to my friend. He then flies anywhere in the world. At some later time, I compose a 140 character message I’d like him to read. I transform each character in my message according to the numbers in our agreed upon code. Then I send my encoded message in any format I like—perhaps a publicly-readable place like Twitter. My friend then receives the garbled message, subtracts the appropriate number from each character, and reads what I have to say.
This, believe it or not, is perfect encryption. There is no way for a third party to make heads or tails of this message. This is because every single piece of the message is randomized independently. There is no pattern between any of the 140 characters in my message, because each is transformed by an independently generated random number.
Now let’s say I have another message to send to my friend, but he is still halfway across the world. I have no way to get him a new piece of paper with new random numbers, so I just use the ones we already have agreed upon to encode the new message.
Uh oh. The encryption is no longer perfect. Why? Because now there is a pattern. Anyone watching the garbled messages on Twitter could assume that the same transformation applied to message A was also applied to message B. And from this assumption, the person might be able to discern a bit of a pattern and figure things out from there.
To understand this, assume we got really lazy, and started sending hundreds of messages to each other on Twitter, all encoded with this same 140 random numbers. Now the sorts of patterns you might see are fairly obvious. Maybe the first letter is Q in a lot of the message. Perhaps you could assume this Q is a substitute for the letter A—so maybe that first random number is 16. Does this guess of 16 make sense for other messages where the first letter isn’t Q? Is the letter I also common, which would correspond to T? And so forth.
This is the tradeoff. If you use the random numbers once, it’s perfect security. But if you get lazy—that is you want ease-of-use—then it becomes possible to find patterns in the information and crack the code entirely.
There is history of militaries using one time pads to encode communications. They would distribute paper books of randomly generated codes, and every time a message was sent, the recipient would tear out a sheet of code from the book, use it to decrypt the communique, and then use that code sheet later as toilet paper.
In any case, the entire field of cryptography is devoted to devising algorithms that allow you to reuse codes (ease-of-use) while also making the encoded messages contain as little decipherable information as possible (security).

Comentarios

Publicar un comentario

Entradas más populares de este blog

Best Practices for DDoS

I found this  doc ument from Google that explains the best practices to this cases. GCP load balancing solution has DDoS mitigations built-in lowering the attack surface: configure ingress firewall rules (like iptables) network load balancing has port filtering. Any port that is not loadbalanced is dropped by GCP highly scaling frontend infrastructure HTTP/HTTPS loadbalancing can absorb and protect from IP spoofing and large SYN flood attacks. it has also fair-share allocation built-in  And Google Cloud Platform provides a number of features to defend against DDoS attacks. You can use these in conjunction with the above mentioned best practices and other measures tailored to your requirements to make your GCP deployment resilient to DDoS attacks. 
Leer más

Ethical issues security professionals

Physicians, attorneys and other professionals whose job duties affect others' lives usually receive, as part of their formal training, courses that address ethical issues common to their professions. IT security personnel often have access to confidential data and knowledge about individuals' and companies' networks and systems that give them a great deal of power. That power can be abused, either deliberately or inadvertently. But there are no standardized training requirements for hanging out your shingle as an IT security consultant or in-house security specialist. Associations and organizations for IT pros are beginning to address the ethical side of the job, but again, there is no requirement for IT security personnel to belong to those organizations. Why are ethical guidelines needed? The education and training of IT professionals, including security specialists, usually focuses on technical knowledge and skills. You learn how to perform tasks, but with little
Leer más

Operating System Security

Dentro de los principales sistemas operativos MacOS es de los más importantes, el día de ayer se descubrió una vulnerabilidad que permitía que un usuario invitado tuviera privilegios de administrador con un simple cambio en el nombre del usuario y varios enters, Pueden ver el descubrimiento original aquí Lo más interesante de esto es que 19 horas más tarde Apple ya tenia disponible en su centro de descargas una actualización al sistema operativo que solucionaba el problema. No existe sistema perfecto pero la velocidad de reacción y el compromiso de los creadores a mantenerlo seguro, confiable y funcional es lo que hace que sus usuarios permanezcan ahí.
Leer más