Passwords and Encryption - From Classical to Quantum

in steemstem •  11 months ago
Recently, Twitter asked its users to change their passwords as an extra precaution. Not because there was a breach into their database but because they found a bug. The passwords were stored as plain-text in the database as a result of a bug, which is a very naive and insecure way of storing.

For those who don't know, Cryptography is the study and procedure of the techniques used to establish a secure communication between two parties by hiding the data from third party.
Passwords are kind of an applicaiton of Cryptography to secure sensitive data and information.
I won't dig deeper into the definition and introduction, let's come to the point.

How passwords are stored then?

When you sign up for a website, your password is stored in its database. What could be the possible way of storing passwords of all the users?
One way is to store, just the plain-text, like this:

UsernamesPasswords
Aliceabcd123
Bobspookyspy

If a hacker gets hold of this database, then all the passwords are compromised too.
That's why we always use hash tables for storing passwords.

What are Hash tables?

Hash tables are a data structure widely used in computer programming.
There are hash functions which are applied on the usernames or on the passwords to convert them into another set of characters which are completely non-decipherable for hackers.

Now let's store Alice and Bob's password using a hash function.

Hash function: I am taking the ASCII value of each character in the password and multiplying it with the position of that character and then adding all the values. Then take modulo of the result with any random prime number, let's say 89.

abcd123 = (97x1)+(98x2)+(99x3)+(100x4)+ (49x5)+(50x6)+(51x7)

= 1892 mod 89
= 23.

Similary for other password:

spookyspy = (115x1)+(112x2)+(111x3)+ (111x4)+(107x5)+(121x6)+(115x7)+(112x8)+(121x9)

= 5167 mod 89
= 5.

Now the passwords are hashed and can be stored like this:

UsernamesPasswords
Alice23
Bob5

If a hacker gets hold of this database and he knows the hash function, he still won't be able to find the actual password because hashing works one way only. Hacker can see the password 23 and 5 and if he applies hash function to these then he will get an entirely different result.

How the actual user gets his password verified, when he tries to login?
Alice will enter abcd123 and database has stored 23 for her. But they don't match.
What happens here is that, every attempted password along with the username "Alice" is hashed first with the above used hashed function and if the result matches the password(which is already hashed with the same hash function) stored in database, then only the user is allowed to login.

There is one other way; We can hash usernames with the same hashed function and get different indices for every user to store their password.

Alice = (65x1)+(108x2)+(105X3)+(99x4)+(101x5)
= 1497 mod 89
= 73
Bob = (66x1)+(111x2)+(98x3)
= 582 mod 89
= 48

UsernamesPasswords
0
1
..
48spookyspy
..
73abcd123

If a hacker get holds of this type of database then he won't know who is 48 and who is 73. Knowing hash function won't help much until he also knows which username's password he wants.
To make it more secure, passwords should be hashed too like discussed before this.

Every secure internet service or website save your passwords with this technique.

But hackers are also in the game with us. They use rainbow tables (precomputed tables to reverse the hash funcitons) to crack the passwords. Acutually rainbow tables were contructed by the companies as a backdoor, in case of forgotten passwords or other emergencies.

To resolve this issue we add salt to the hash. Salt is any random set of characters attached to the hashed password to make it more secure. Till now rainbow tables can't decipher the Salts because they are already taking too much storage and adding Salts would increase the combinations exponentially again.

By now, you must have realised that we are just making it diffiult for the hackers to crack the passwords, we are not making it impossible.
Brute Force can still be used for cracking, that is checking every possible combination of the password in rainbow tables. Addition of Salts have fetched us some time till Quantum Computers are in function. Because Salts too merely increase the possibilities as mentioned, which are hard to compute for classical computers. When Quantum Computers will actually come, then it will be a matter of seconds to break codes.
Till then you can have a good nights sleep.


Encryption

Apart from securing our personal data, we want secure communication as well. An encrypted communication, to be more precise. I have discussed below the types:

  1. Assymetric
  2. Symmetric

Assymetric Encryption:

Assymetric Encryption which involves with public and privat keys can be best explained by this famous padlock analogy:

Alice and Bob, both have padlocks and their keys. Alice wants to send a message to Bob. She will ask for Bob's padlock. On the way, the unlocked padlock could be locked by anyone but it doesn't matter. When the unlocked padlock reaches Alice, she locks the message with Bob's padlock and send him back. Now own the way, nobody can unlock that padlock because only Bob has its key. When Bob will get the message, securely locked with his padlock then he can open it with his key.

Public key was the padlock and private key was the key itself. Both are linked to each other. If one get holds of a public key, he has to derive private key as well to unveil the message.

RSA algorithm is used to implement such procedure.

Symmetric Encryption:

The simplest explanation would be; when both the parties have the same key to encrypt or decrypt messages.
It is faster than Assymetric Encryption but it has a drawback; the distribution of the key. Unless both parties have met in person and decided upon a shared key. Otherwise, to send the key on internet would again make it vulnerable to hackers.

AES algorithm is used to implement it.


Let's take an example of Whatsapp which is said to use both techniques taking benefit from the speciality of both.

Alice and Bob are in modern world now. Alice wants to send a message to Bob on whatsapp.
Now according to ethics, as a one-to-one conversation, there shouldn't be any third person reading that message. Not even the Whatsapp company. Doesn't matter, what is the nature of that message, nobody wants their personal chats to be read by anyone.
A session should be established first. For that Alice will request the server, for Bob' public keys which she will get on the insecure channel. But that doesn't matter, alone public key won't do good to anybody.
Now that she has his public key and hers too, she will now generate a private message key using those keys and send it back to Bob encrypted with his public key.
Both have safely got a private message key via Assymetric Encryption.
Now they can send messages to each other encrypted with the same private message key.
This is symmetric encryption now in work which is faster as well.

How to check the connection is secure on Whatsapp?

The above mentioned proceudre was a behind the scene process.
To make sure, Alice and Bob has secure channel for conversation, they can check their mobile phones too.
In the chat window with Bob , Alice opens the option panel at the top right corner and clicks "view contact".
There she taps, "Encryption" and can see a 60-digit long number and a QR code.
She can send Bob that number and if it matches the number written at Bob's end on the similar window then that means they have a secure connection.
Or if they are sitting together, either can scan the QR code of the other and if it shows the Green Tick that means the connection is secure or encrypted.


Hole in Whatsapp Group Chat Security

I am sure, you know how the Whatsapp group chat feature works. When a group member adds or removes members, everyone gets notified. But the drawback is that this modification in group chat is not end-to-end encrypted (only users can read messages, not even server). If a whatsapp server gets compromised, hacker can easily add himself in the group and forge messages and modifications in the group.
The researchers have proposed a solution to that problem. That the power of adding and removing members should soley remain with the admin, not even to the whatsapp server. The hacker would need to get verified by the group admin to invade, which would be impossible then.
But Whatsapp hasn't resolved this issue still.

Is there any threat to Current Encryption Techniques?

Algorithms like AES (Advanced Encryption Standard) ) and RSA are used to generate keys for current encryption methods. These keys are way to large to be guessed by today's computers.
Yeah, I'm talking the same thing again. Quantum Computers will be able to guess the correct keys in just seconds.
Again the whole Crypto world would collapse.

No secure passwords and no secure means of communication, in short, no privacy.


Quantum Cryptography

Quantum Computing has given us enough tough time before actually coming into our lives. But it also provides us a solution to our issues.

Let's beat Quantum attacks with Quantum Mechanics ;-)

Yeah, I am talking about Quantum Cryptography.

If Maths is decipherable then Physics can't be. ;-)

Quantum Key Distribution helps to create a key using the principles of quantum mechanics. This has already been explained by some great contributors, I am giving a simplified version of the picture for who haven't read it before.

  • Alice sends photons to Bob through a light source.
  • Single photon can be represented by a qubit.
  • She has four sets of polarizers i.e, Horizontal or Vertical and Diagonal.
    Horizontal H is assigned value 0.
    Vertical V is assigneld value 1.
    Diagonal DL at 45o left is 0.
    Diagonal DR at 45o right is 1.
  • On the other end, Bob has two beam spiltters (horizontal or vertical and diagonal) and two photon detectors.

  • If horizontally polarized photon is sent by Alice, passes through Horizontal beams splitter, it remains horizontal. Same happens with others.

  • Now Bob will randomly choose beam splitter for each photon and will later tell Alice, in which order he used the splitters.

  • Alice will then tell him which photons he guessed correctly.

  • The correct photons which are represnting a number, will now be the encryption key.

AliceH , 0DL, 0DR, 1V, 1
BobHVDRDL
Bob's Measurement0010
Key0-1-

Hackers interference would be easily detected in this phenomenon, because qubits will change, when hackers will try to measure the values. But in an experiment, hackers have managed to eavesdrop with minimum turbulance in qubits which wasn't detected easily.
That issue was resolved too by using the concepts of quantum entanglement. (I will explain it another post soon.)

Another limitation was the constraint on distance. This technique couldn't work at larger distances.
But a recent breakthrough related to the discovery of space photons has solved this issue too. The idea behind is that secure keys can now be generated using photons, between users thousands of miles apart with the help of satellites.

I am stopping here now because this will generate another discussion and we have already discussed too many concepts in this post.

Enjoy a world of privacy ;-)


We have talked about Quantum Encryption, What about Quantum Passwords?

References and Further Reading
1. Whatsapp Security White paper
2. Cryptography in Banking Industry White Paper
3. End-to-End Security of Group Chats
4. Quantum Computing taking over Today's Encryption
5. Space Photons for Quantum Cryptography
6. Hash Tables and Passwords

Note: I have left some questions and details unanswered on purpose in the end, that to be discussed in next post.


Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!
Sort Order:  

I want to point out how important it is to have unique passwords. Sure something like qwerty or 12345 or simple words are easy to remember but they are also easier to crack with the use of rainbow tables. Even with the use of salts that danger cannot be eliminated completely. It really depends where salt algorithm splits your password.

I enjoyed your post. You explained it in easy to understand way :)

·

In my opinion, uniqueness of password doesn't matter much. It's the length that matters.
We use brute force to crack passwords i.e, checking all the possible combinations.
So if a password is long then it will take longer to crack it because the combinations which need to be applied will also increase.
Short password, doesn't matter how unique, will give less combinations to check, means less time to crack.
And about the salt part, I think one has to know exactly what the salt is to know where the split begins. Algorithm would be generic for all kind of salts. Right?

Thanks for stopping by.

So this is what goes on when we sign up in various websites...

It is fascinating to learn of the roles of quantum cryptography and entanglement in ensuring maximum security of passwords and cryptographic alphanumerics (keys).

This quite a good reference material for research purposes.

Regards

@eurogee of @euronation community & a member of @steemstem community

·

I am glad that you learn something from this article.

Hi @event-horizon!

Your post was upvoted by utopian.io in cooperation with steemstem - supporting knowledge, innovation and technological advancement on the Steem Blockchain.

Contribute to Open Source with utopian.io

Learn how to contribute on our website and join the new open source economy.

Want to chat? Join the Utopian Community on Discord https://discord.gg/h52nFrV

·

Thank you for the vote.

This is actually interesting to read. You broke down every bit of the course that anyone will understand. It is fascinating to see how things work "behind the scene".

Great work!

·

Thanks, I am happy that you like it.

·
·

It is quite fascinating that these all the activities that go on behind the scenes when we log into websites and social media accounts.

Quick question, is it wise to make use of one password recurrently for different platforms, like

Alice - abcd123

For Facebook, Instagram and Gmail

·

Ofcourse not. Although It's easier to remember but different passwords are better, hard to recall ofcourse but if someone is trying to hack your accounts, he/she just needs one password and tada.

Edited to add: longer passwords like you stated may stand a chance, if someone is not persistent to hack it.

·
·

Alright.

Thanks for the feedback, and again, this is a wonderful post!

This is actually interesting to read. You broke down every bit of the course that anyone will understand. It is fascinating to see how things work "behind the scene".

Great work!

So this is what goes on when we sign up in various websites...

It is fascinating to learn of the roles of quantum cryptography and entanglement in ensuring maximum security of passwords and cryptographic alphanumerics (keys).

This quite a good reference material for research purposes.

Regards

@eurogee of @euronation community & a member of @steemstem community

Congratulations @event-horizon! You have completed some achievement on Steemit and have been rewarded with new badge(s) :

Award for the number of upvotes
Award for the number of upvotes received

Click on any badge to view your Board of Honor.
For more information about SteemitBoard, click here

If you no longer want to receive notifications, reply to this comment with the word STOP

Do not miss the last announcement from @steemitboard!

Do you like SteemitBoard's project? Vote for its witness and get one more award!

Congratulations @event-horizon! You have completed some achievement on Steemit and have been rewarded with new badge(s) :

Award for the number of upvotes

Click on the badge to view your Board of Honor.
If you no longer want to receive notifications, reply to this comment with the word STOP

Do not miss the last post from @steemitboard!


Participate in the SteemitBoard World Cup Contest!
Collect World Cup badges and win free SBD
Support the Gold Sponsors of the contest: @good-karma and @lukestokes


Do you like SteemitBoard's project? Then Vote for its witness and get one more award!

Congratulations @event-horizon! You have completed some achievement on Steemit and have been rewarded with new badge(s) :

Award for the number of upvotes

Click on the badge to view your Board of Honor.
If you no longer want to receive notifications, reply to this comment with the word STOP

Do not miss the last post from @steemitboard!


Participate in the SteemitBoard World Cup Contest!
Collect World Cup badges and win free SBD
Support the Gold Sponsors of the contest: @good-karma and @lukestokes


Do you like SteemitBoard's project? Then Vote for its witness and get one more award!

Congratulations @event-horizon! You have completed the following achievement on Steemit and have been rewarded with new badge(s) :

Award for the number of upvotes

Click on the badge to view your Board of Honor.
If you no longer want to receive notifications, reply to this comment with the word STOP

Do not miss the last post from @steemitboard:
SteemitBoard World Cup Contest - The semi-finals are coming. Be ready!


Participate in the SteemitBoard World Cup Contest!
Collect World Cup badges and win free SBD
Support the Gold Sponsors of the contest: @good-karma and @lukestokes


Do you like SteemitBoard's project? Then Vote for its witness and get one more award!

Congratulations @event-horizon! You have completed the following achievement on Steemit and have been rewarded with new badge(s) :

Award for the number of upvotes

Click on the badge to view your Board of Honor.
If you no longer want to receive notifications, reply to this comment with the word STOP

Do you like SteemitBoard's project? Then Vote for its witness and get one more award!

Congratulations @event-horizon! You received a personal award!

Happy Birthday! - You are on the Steem blockchain for 1 year!

Click here to view your Board

Support SteemitBoard's project! Vote for its witness and get one more award!