Build a Vernam Cipher

 DIY, Programming, Science  No Responses »
Feb 152012
 

The current issue of 2600: The Hacker Quarterly has an article on cryptography that outlines the use of the Vernam Cipher (aka One-time pad) to encrypt text by hand. What makes this technique interesting is its ease of implementation, but even more interesting than that is the fact that the Vernam Cipher is the only known method of encryption that is proven to be unbreakable when implemented/used correctly.

Sample One-Time Pad

So how does it work? In simple terms, each character from your text, known as plaintext, is encrypted by modular arithmetic with a character from a secret random key (or pad) of the same length as your plaintext. What results is a ciphertext. If the key is TRULY random and as large as the original text and has never been used then the ciphertext will be impossible to decrypt without knowing the key.

This got me to thinking — what would it take to create a web application to easily implement this encryption method for use on data that I wanted to store, let’s say, in my file based wiki!? Sure, there are numerous tools out there that one could leverage to encrypt text but this seemed like an interesting challenge and an excuse to learn a bit more about this cryptography method.

Before I proceed, let me just state that I am not a cryptographer and that the technique I devised for implementing my cipher is for informational purposes only!

The first step to encrypting our text is to convert our letters, and if we choose, our punctuation, to numbers so we can perform our modular arithmetic operations. The 2600 article described what is known as a straddling checkerboard which gives us numeric values for our non-number text characters while simultaneously introducing fractionation.

Example Straddling Checkerboard Grid

Using this particular implementation of the straddling checkerboard, Geek Tips would translate into 245527 18607. When encrypting by hand, it’s common to break the data up into smaller, easier to manage, groups. In this case we’ll use groups of five digits. Since our third group is less than five digits, we’ll fill in with zeros. Following this pattern, our string becomes, 24552 71860 70000, which is now ready for the next stage of the ciphering process which is to perform modular arithmetic with a key.

As I stated before, to implement this cipher properly, the key should be completely random and at least as long as our new string of numbers. For this example, let’s say our key is 20247 88641 30412. Now I subtract each digit in the key from each digit in the plaintext. If the result is less than zero, I add 10. For example, in the fifth column, I calculate 2 – 7, which results in -5. Because this is less than zero, I add 10 to get 5 as the final answer. In the first column, the result of 2 – 2 is 0, which is not less than zero, so I leave that as my final answer.

  24552 71860 70000 (plaintext)
- 20247 88641 30412 (key)
-------------------------
  04315 93229 40698 (encrypted)

Decrypting our string is as simple as reversing the modular arithmetic by adding the key to the encrypted string. This will reproduce our original plaintext string. To convert the string back to the original message we simply refer back to our straddling checkerboard grid to recompose the message – SIMPLE!!

The first thing I needed to do to move this project forward was write a simple form to gather my data:

<html>
<body>
<form action="process.php" method="post">
<p>Your message:<br /><textarea name="text" rows="40" cols="180" /></textarea></p>
<p>Decode: <input type="checkbox" name="decode" value="yes" /></p>
<p>Enter Key: <input type="password" value="" name="key" autocomplete="off" /></p>
<p><input type="submit" value="Encode/Decode" />&nbsp;&nbsp;&nbsp;<input type="reset" value="Reset" /></p>
</form>
</body>
</html>

With my form in place, now I could start developing the code to replicate the straddling checkerboard cipher that was described in the 2600 article. The resulting script was fully functional but WAY more complex than I wanted. As I thought about ways to simplify my code, I recalled that most programming languages have a number of built-in bitwise operators that I might be able to leverage to really simplify what I was trying to accomplish.

The operator that I narrowed in on is called XOR. It works by looking at two bit patterns of equal length and performs a logical exclusive OR operation on each pair of corresponding bits. The result in each position is 1 if only the first bit is 1 OR only the second bit is 1, but will be 0 if both are 0 or both are 1. This is equivalent to being 1 if the two bits are different, and 0 if they are the same.

Calculating an XOR result (2 ^ 7 = 5)

As this example shows, the 4, 2 and 1 columns have bits in the ON position. Since the 2 column bit is ON for both our numbers it becomes OFF, that leaves the 4 and 1 columns. When we add those together the resulting number is five. Since this XOR functionality is built-in to PHP the complexity of building this computational logic was removed thus allowing me to really simplify my code. Following are the results:

<?php

 $key = $_POST['key'];

 // Our plaintext/ciphertext
 if (strtolower($_POST['decode']) == "yes") {
   $text = base64_decode($_POST['text']);
 } else {
   $text = $_POST['text'];
 }
  
 // Iterate through each character
 for($i=0;$i<strlen($text);)
 {
     for($j=0;$j<strlen($key);$j++,$i++)
     {
         $outText .= $text{$i} ^ $key{$j};
     }
 }
 
 if (strtolower($_POST['decode']) == "yes") {
   echo "<p>Your message:<br /><textarea name=\"text\" rows=\"40\" cols=\"180\">"  . $outText  . "</textarea></p>";
 } else {
   echo "<p>Your encoded message:<br /><textarea name=\"text\" rows=\"40\" cols=\"180\">"  . base64_encode($outText)  . "</textarea></p>";
 }
 
 echo "<br /><br /><a href='https://www.example.com/form.html'>Return</a>";
 
?>

If the key provided matches the criteria outlined previously then the output from this script should be a true one-time pad. The reality, however is that it’s highly impractical to meet the one-time pad key criteria to make our ciphertext unbreakable. If you choose to use the same key for all of your enciphering (more practical) then the resulting ciphertext is, obviously, less secure. If your key is shorter than your plaintext, thus requiring the key to repeat then the resulting ciphertext is now encoded in what is known as a stream cipher.

I wouldn’t necessarily use the results of this script for anything of significant value but it was nonetheless and interesting exercise for gaining a deeper understanding of ciphers and how they can be implemented for obfuscation purposes in ones own solutions.

Until next time – GEEK OUT!

~GT~

   

 Posted by James L at 8:19 pm

Arduino & The Internet of Things

 DIY, Home Automation, Mac, Programming, Science, Technology  No Responses »
Apr 292011
 

If you tinker with technology then chances are you already know what the “Internet of Things” is all about. If you don’t know, then my question to you is, where have you been!?

For those of you not in the know, here’s a quick primer.

“The Internet of Things is a network of Internet-enabled objects, together with web services that interact with these objects. Underlying the Internet of Things are technologies such as RFID (radio frequency identification), sensors, and smartphones.”[1] 

One way that folks put this concept into practice is the set up their “things” so they, like their owners, can update their status.  I like to think of it as Twitter for my stuff.  One site that gives your devices a place to update their status information is called Pachube (pronounced “PATCH-bay” [2]).  I’ve been using Pachube for a couple of years to report health data from my servers but I’ve been wanting to experiment with building a microcontroller based stand-alone device that could use sensors to gather environmental data and then report that data to Pachube without the need for a computer.

A microcontroller (in this context) is a pre-built device consisting of circuitry on a single printed circuit board (PCB) such as microprocessor, I/O circuits, clock generator, RAM, stored program memory, etc. The idea behind the microcontroller is that it is immediately available and useful to an application developer, without needing to spend time and effort in developing the controller board itself [3].

In the case of an Arduino, however, the idea is to make it easy to prototype solutions by building your own circuits and devices and proving them before committing your device to a PCB of it’s own or going into large-scale production

There are lots of microcontrollers on the market such as the Arduino, BASIC Stamp and others. I’ve been reading about the Open-Source Arduino Platfrom for a long time and had been looking for an excuse to buy one and expirament. To get my feet wet, I decided to buy the latest Arduino board, some photocells, a nice selection of resistors, and a simple breadboard.

Building The Circuit

When I received the parts, my first task was to build a very simple circuit. Since a photocell is basically a resistor, the easiest way to get a measurement was to connect one end to 5V and the other to a pull-down resistor to ground. Now all I had to do was make a connection from analog input to the point between the fixed pull-down resistor and the photocell.

Now we have a complete circuit and should be able to build a simple sketch (firmware program) to read the data and pump it to our serial port.

  Ldr

Writing The Sketch

In Arduino parlance, a sketch refers to the program that is written and uploaded to the ATMega chip (aka the firmware) that tells the Arduino what to do.

The easiest way to get up and going is to download the Arduino IDE from the Arduino website.  The IDE makes it easy to compile and upload our code and at this point, easy is what we want.

int ldrPin = 0;
void setup() {
Serial.begin(9600);
}
void loop () {
Serial.println(analogRead(ldrPin)/204.8);
delay(1500);
}

Our sketch is very simple.  We start by defining the location of our photocell which in this case is Pin 0. We then open the serial port at 9600 baud and then start a perpetual loop that reads the voltage from the photocell, waits 1500 milliseconds (1.5 seconds) and then sends the result to the serial port.

When we read the analog port the value that is returned is a value between 0, representing zero volts, and 1024, representing five volts. I could easily use that number but I want to convert the number to actual voltage which I do by dividing the value returned by the analogRead function by 204.8.

Reading and Posting

As I stated in my opening, the goal with the Arduino is to have a stand-alone device that can post data to Pachube (or anywhere for that matter) independently.  Since we’re just experimenting with the fundamentals, in this instance, we’ll leave our Arduino connected to the computer to read the data and then post it.

On my Mac I opened a Terminal session and navigated to /dev to look for the device name of the Arduino.  In my case it’s cu.usbmodem621. To validate that we’re getting data, I opened a read-only connection to see what I would get (be sure to close the Arduino IDE first).

cat /dev/cu.usbmodem621

If you receive a value on a new line every 1.5 seconds then everything is functioning correctly.  Since I’ve been using Pachube for a while, I already have my API Key which is necessary to programmatically update the Pachube feed.  If you don’t have an account already, go to pachube.com, set one up and grab your API Key.

Now that we know our device name, know that we’re getting data and have our Pachube API Key, we can now write our script.

You can use any scripting language to accomplish the task of reading serial data from the Arduino and then making the necessary calls to post the data.  My preference is PHP, so that’s what I’ll use here.

#!/usr/bin/php -q
<?php
$handle = fopen("/dev/cu.usbmodem621","r");
$str_ldr = fgets($handle);
sleep(5);
$mintime = time();
do{
$str_ldr = fgets($handle);
$str_ldr = trim( preg_replace( '/s+/', ' ', $str_ldr ) );
if( time()> $mintime+60) {
echo $str_ldr . "n";
echo exec("curl --request PUT --header "X-PachubeApiKey: 11112222333344445555566666777778888899999" --data "$str_ldr" "http://www.pachube.com/api/00000.csv" --silent");
$mintime = time();
}
}while(1);
fclose($handle);
?>;

First thing we do is open a connection to the Arduino and read in some data and then wait for 5 seconds. You may have noticed that the first line of data you get from the device after you open a fresh connection is not always clean. Using this method allows the connection to “settle” before we start grabbing data to post.

Next we start an infinite loop to grab a line of data, strip the CRLF, call out to cURL to post our data, wait 60 seconds and then do it all over again.

The image below shows a Pachube 24h graph.

Pachube Graph

Conclusion

I was surprised how easy it was to prototype with the Arduino and to have a working solution up and running with so little effort. My next goal will be to add new sensors to extend my home automation system (track real-time electricity, gas and water usage) and then add an Ethernet Shield to remove the need for a computer to post my data.

Until next time – GEEK OUT!!

~GT~

   

 Posted by James L at 4:20 pm

Yahoo Small Business — Bad Experience!

 Science  No Responses »
Jun 282007
 

Whew, what a day. I called Yahoo (case 5607533) this afternoon to get an authorization code to transfer a domain that I registered with them on April 1, 2006 to a new registrar. When I registered the domain, I registered it for two years and I also purchased a years worth of hosting services which I let expire in April of this year.

An agent named Anthony answered right away and asked what he could do for me. I explained that I wanted to transfer a domain and he proceeded to ask me a series of questions to verify who I was (yay Yahoo – I appreciated this) and then gave me an authorization code to initiate the domain move to my new registrar. So far, so good!

I’ve learned enough through the years to never let a person who is helping you on the phone go until you’ve verified the information they give you is good information. Keeping the person on the phone isn’t always practical, but in this case it was, so I tried to initiate the transfer and immediately received an email telling me the transfer failed due to an invalid authorization code. I explained what had just occurred to Anthony and he told me that the code was valid and that I would need to call MelbourneIT if I was having problems because Yahoo was just a reseller and because I was no longer being serviced at Yahoo since I let my hosting service expire earlier in the year.

Well, I don’t do so good with passing the buck, so I started digging in. First of all, whether Yahoo is the reseller or not, isn’t my problem, I registered the domain with them and telling me, sorry, it isn’t our problem is grossly inappropriate! To make matters worse, MelbourneIT is in, you guessed it, Melbourne Australia, so telling me that I need to call them means I need to make an overseas call on my own dime.

By now I’m getting frustrated and Anthony had one mission and that was to get rid of me, but I wasn’t having any of that. I suggested he contact his second or third level support team again to see if we had the wrong code or to let me speak to a supervisor. All he could say was, “there’s nothing else we can do for you, you have the authorization code”. I made it clear that I wasn’t going anywhere and that he might as well get his supervisor. To appease me he put me on hold and then came back saying that his supervisor suggested I go to inww.com (an alias for the same MelbourneIT site) and initiate the transfer from there. What Anthony didn’t know was that I was on the MelbourneIT site while I was on hold and was reading their pages about site transfers (which were all about inbound transfers by the way) and found nothing that indicated I could initiate the transfer from their site. I told Anthony that I thought this was a good –get rid of me tactic– but it wasn’t going to work because I had already been reading about transfers on the MelbourneIT site. He suggested I login with my Yahoo credentials, which –of course– failed and as you might have guessed, Anthony was again, at a loss. In a moment of desperation he said, “the only other suggestion I have is to release your account which will transfer control over to MelbourneIT and you can then transfer the account anywhere you want”. Now we’re talking, this would get Yahoo out of the picture and should get me to a place where I could initiate the transfer myself; so I agreed and within seconds, received an email from MelbourneIT telling me the account had been released to my control and that I would be responsible for the domain’s management via the MelbourneIT web site.

Now don’t get me wrong, I think Anthony was doing his level best, and I don’t blame him for this experience. That said, there was a break-down somewhere. Perhaps in the agent training or maybe it was with Anthony himself, I don’t know, but I should have never been told to go somewhere else. The key to excellent customer service is to own the customer’s problem, not pass them around and especially to a company in another country!

In the end, I had to call MelbourneIT where, after holding for about eight minutes, I spoke to a chap named Adam who was very helpful and who helped me resolve the problem within two or three minutes (total call duration 9:55).

So what’s the moral of this story? Well, you draw your own conclusion, but for me, I’m done with Yahoo and as far as I’m concerned, they owe me for a ten minute overseas call to Australia.

Now that I have that off my chest, I feel much better :)

~GT~

 Posted by James L2 at 9:45 pm
© 2012 Geek-Tips Suffusion theme by Sayontan Sinha