Cool thing: That was an actual true story. The algorithm is called CMEA,
and it is used in an awful lot of PCS phones that communicate using a
certain kind of behavior (or "protocol"). Check out the hack at:
http://www.counterpane.com/cmea.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
***************************************************
Other note: The president of Counterpane Systems that published the hack is
Bruce Schneier and you're going to be hearing his name a lot. He wrote the
ultimately vital cryptography book "Applied Cryptography." If you're really
into cryptography you probably already have it, but I'll get into that later.
***************************************************
So remember. A stupid cryptosystem that happens to use a key seven
gazillion digits long is still a stupid cryptosystem. You might as well
just write the message on a dang postcard in large letters and attach a big
neon sign to it that reads "Private but unprotected data! Don't read!
Please! You might have to take all my money! Aaaaaa!"
C. What is "public key" supposed to mean?
Easy. You know how the ciphers we've been talking about have a secret key
that both encrypts AND decrypts the message? Public key systems have two
different keys that each will do one of those things.
?
Okay okay, hold on. First let's have a little "Words You Need To Know"
update: A cryptosystem that uses the same key to encrypt and decrypt the
data is called a "symmetrical cipher." The reason for that should be
obvious: because the whole process thing is the same on either end, only
reversed like a mirror image. That's why they use the word "symmetry." And
you can guess what they call a system that has a different key for each
purpose ... yeah, an "asymmetrical cipher" (Asymmetrical just means "not
symmetrical")
Other more ordinary words for these systems are "private key" or "secret
key" crypto for symmetrical, and "public key" for asymmetrical.
Okay, you got the terms lah dee dah yeehaw let's get on with it.
The problem started when people got sick of having to go through the hassle
of getting the great and powerful secret key back and forth between the
senders and receivers and all that stuff. I mean, how many ways can you get
a secret key to someone without an eavesdropper snatching it en route? Not
many.
So some guy at Bell Labs came up with the genius idea of a system that
would generate two numbers based on a certain kind of mathematical problem.
When one of the numbers was used to encrypt data, only the other number
generated with it would decrypt it. Woa! It was expanded upon by some
cryptographers in Britan, and then some guys at Stanford came up with an
even better idea (not even knowing about the previous work!). I'll tell you
about those people in a sec.
So you would generate the two numbers you'd use as keys (called a key
pair). Give everybody in the universe one of the keys, and keep the other
one on a floppy disc in your ventilation duct or your underwear drawer or
somewhere else really private. Anyone who encrypted a message to you with
the key that you gave them would be making a ciphertext that nothing in the
world could decrypt except the key you have hidden between your undies and
your socks.
Nowadays there are a few different systems that use this clever little
scheme hiding in your underwear. You can imagine how popular it is, no need
to sneak around slipping floppies under doors and all that irritating cloak
and dagger stuff. You download and install the software, generate the keys,
and start emailing people your public key. If somebody encrypts something
with your public key, only your private key can decrypt it.
When you want to email someone an encrypted message, you get their public
key. If you encrypt a message with somebody else's public key, only their
private key can decrypt it. Reeeeeeaaaallll simple.
Little secret: about fourteen years before these guys invented this system,
the US government was talking to military cryptodudes and the NSA about this
same problem but with nuclear missile signaling systems. They wanted some
way of getting encrypted messages to the missile's computers in a way that
wouldn't give anybody else the chance to get the key. So the NSA is saying
that they had public key stuff a while back. Here's some of the NSA info
and also information on the web about the Bell Labs papers and British
discoveries about Public Key crypto way back in like 1970:
http://www.cesg.gov.uk/ellisint.htm
http://jya.com/nsam-160.htm.
D. What's a Diffie-Hellman and who's RSA?
Check it out, those are just different kinds of systems and keys.
Diffie-Hellman keys are generated using a specific method for public key
crypto, and RSA keys are generated using a completely different method for
public key crypto. The basic public key thing is the same, but the two
systems come up with the keys in a different way and go about the crypto
thing using different algorithms.
Whitfield Diffie, Ralph Merkle and Martin Hellman independently thought up a
great way of generating a key pair in 1976 using a really tripped out math
problem called the "discrete logarithm" problem. I ain't even going near
explaining that, it's gonna hafta wait.
Then the next year, some more brainiacs named Ron Rivest, Adi Shamir and
Leonard Adleman invented the RSA scheme that essentially does the same job
but based on a different mathematical problem called the "Integer
Factorization Problem." Again, not touchin' it with a ten-foot pole. I'll
go into it later. Much later.
So keys created using Diffie, Merkle and Hellman's method are still called
"Diffie-Hellmans." In fact, the newer ones are getting more popular because
they can be used for digital signatures and everything. RSA still does all
this stuff too and also is a big huge company.
Funny thing: The early public key discoveries made at Bell Labs and in
Britain's crypto unit from 1970 through 1974 used these SAME math problems.
Then the others came up with them later on out of nowhere without even
seeing the older work. Freaky huh?
_______________________________________________________________________
Where are those back issues of GTMHHs and Happy Hacker Digests? Check out the
official Happy Hacker Web page at http://www.happyhacker.org.
We are against computer crime. We support good, old-fashioned hacking of the
kind that led to the creation of the Internet and a new era of freedom of
information. So don't email us about any crimes you have committed! And
don't expect us to come to your rescue if you crash 100 million computers
with some new Java virus you just unleashed.
Copyright 1998 Tim "No Sinister Nickname" Skorick <tskorick@hotmail.com>. You
may forward, print out or post this GUIDE TO (mostly) HARMLESS HACKING on your
Web site as long as you leave this notice at the end.
