Page 114 - DCAP309_INFORMATION_SECURITY_AND_PRIVACY

Information Security and Privacy




television. Cryptography is closely related to the theory and practice of using passwords, and modern systems often use strong cryptographic transforms together with physical properties of individuals and shared secrets to provide highly reliable authentication of identity. Choosing good passwords falls into the field called key selection. In a very real sense, a password can be thought of as a key to a cryptosystem that permits encryption and decryption of everything the password grants access to. Password systems have in fact been implemented in just this manner in some commercial products.

The selection of keys has historically been a cause of cryptosystem failure. Although we know that H(K) is maximized when the key is chosen with equal probability from every possible value (i.e. at random), in practice people choose keys so that they are easy to remember, and therefore not at random. This is most dramatically demonstrated by the poor choices people make for passwords.

On many systems, passwords are stored in encrypted form with read access available to all, so that programs wishing to check passwords need not be run by privileged users. A side benefit is that the plaintext passwords do not appear anywhere in the system, so an inadvertent leak of information does not compromise system-wide protection.

A typical algorithm for transforming any string into an encrypted password is designed so that it takes 10 or more msec per transformation to encode a string. By simple calculation, if only capital letters were allowed in a password, it would take 0.26 seconds to check all the one-letter passwords, 6.76 seconds to check all the two-letter passwords, 4570 seconds for the four-letter passwords, and by the time we got to eight-letter passwords it would take about 2×10^9 seconds (24169 days, over 66 years).

For passwords allowing lower-case letters, numbers, and special symbols, this goes up significantly. Studies over the years have consistently indicated that key selection by those without knowledge of protection is very poor. In a recent study, 21% of the users on a computer system had 1-character passwords, up to 85% had passwords of half the maximum allowable length, and 92% had passwords of 4 characters or fewer. These results are quite typical, and clearly show that 92% of all passwords could be guessed on a typical system in just over an hour.





Notes: Numerous suggestions for obtaining truly random, uniformly distributed numbers include the use of the low-order bits of Geiger counter counts, the time between keystrokes at a keyboard, the low-order bits of the amount of light in a room as measured by a light-sensitive diode, noisy diode output, the last digit of the first phone number on a given page of a telephone book, and digits of transcendental numbers like Pi.

8.2.6 Credentialing Systems

A credential is typically a document that introduces one party to another by referencing a commonly known trusted party.


Example: When credit is applied for, references are typically requested. The credit of the references is checked and they are contacted to determine the creditworthiness of the applicant. Credit cards are often used to credential an individual to obtain further credit cards. A driver's license is a form of credential, as is a passport.






          108                               LOVELY PROFESSIONAL UNIVERSITY