Introduction to Cryptography

Posted January 4, 2009 at 1:20 pm in Encryption

One of the most fascinating areas of information and network security, in my opinion, is the area of cryptography.  In truth, many aspects of cryptography still baffle me, but it is also the one area that really piques my interest.  I recall my first steps into the cryptographic realm and wondered how anyone was able to comprehend it all.  At the time, my mathematical foundation was weak, so understanding the ideas presented to me was confusing.  Much of cryptography, from a mathematical perspective, has its roots in number theory, which is the branch of pure mathematics concerned with the properties of numbers in general (integers in particular).  To be more precise, the sub-field of computational number theory, which is the study of algorithms relevant in number theory, specifically fast algorithms for prime testing (3, 5, 7, etc.) and integer factorization, is where cryptography resides in the mathematical world.

So, what is cryptography and why should anyone care about it?  Cryptography is the art of transforming a message into an intermediate form that contains the same information as the original message but is hidden or secret to anyone who does not know how to reverse the transformation.  In layman’s terms, it is the science of writing in secret code.  Before I supply an example, let me use and clarify the proper terminology for this meaning.  A message exists in plain text, which means anyone who understands the language the message was written in is able to understand it.  This is how all messages exist prior to the cryptographic process taking place.  The information is always used and understood in plain text form by one or more persons.  Once a message has undergone the cryptographic process of transforming it from a plain text message into a secret message, it is called a cipher text.  Let’s review this quickly.  A message existing in plain text undergoes a cryptographic process and becomes cipher text.


Basic Cryptanalysis

Posted September 15, 2008 at 6:42 pm in Encryption, Programming

My example is very basic and is intended more as an interesting method to begin the complicated and often impossible task of deciphering encrypted messages/codes.

The following C++ program accepts character input from the keyboard or via file redirection. It will count each character instance and report the number of times each character was used.

Why would anyone want to do this? Depending on the method the original message was encoded with, it may help to determine which characters in the ciphertext represent specific characters in the plaintext. Certain letters and combinations of letters are used much more frequently than others in the English language. The top twenty most used words in English are: “the of to in and a for was is that on at he with by be it an as his”. The most used letters in the English language, in descending order, are: “e t a o i n s r h l d c u m f p g w y b v k x j q z”. The letter frequency of the first letter of a word in descending order is “t o a w b c d s f m r h i y e g l n o u j k”, the second letter’s frequency in a word is “h o e i a u n r t” and the third letter’s frequency is “e s a r n i”.

By using this program to compute these letter frequencies and comparing them to known lists as presented above, we can gain some insight into the message and possibly crack the code if the code is encoded poorly (simple substitution cipher).

The program has a few limitations: it treats characters as case-insensitive, but can easily be modified to treat them as case-sensitive, and it only works with English alphabetic characters (a-Z). Support for non-standard characters (#, !, etc.) could be added just as easily.
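A frequency counter along the lines described above, written here as an added example; it is not the author's original program. The function names are assumptions of this example, and `guessPlaintext` goes one step beyond counting by mapping ranked ciphertext letters onto the English frequency order quoted in the post.

```cpp
#include <algorithm>
#include <array>
#include <cctype>
#include <iostream>
#include <iterator>
#include <string>

// English letters, most to least frequent, as listed in the post.
const std::string kEnglishOrder = "etaoinsrhldcumfpgwybvkxjqz";

// Count a-z case-insensitively; every other character is ignored.
std::array<int, 26> countLetters(const std::string& text) {
    std::array<int, 26> counts{};
    for (unsigned char ch : text)
        if (std::isalpha(ch)) ++counts[std::tolower(ch) - 'a'];
    return counts;
}

// Letters that occur at least once, most frequent first (ties stay alphabetical).
std::string rankLetters(const std::array<int, 26>& counts) {
    std::string ranked;
    for (int i = 0; i < 26; ++i)
        if (counts[i] > 0) ranked += static_cast<char>('a' + i);
    std::stable_sort(ranked.begin(), ranked.end(),
        [&](char a, char b) { return counts[a - 'a'] > counts[b - 'a']; });
    return ranked;
}

// First-pass guess for a simple substitution cipher: the i-th most common
// ciphertext letter becomes the i-th most common English letter (lowercase).
std::string guessPlaintext(const std::string& cipher) {
    const std::string ranked = rankLetters(countLetters(cipher));
    std::string out = cipher;
    for (char& ch : out) {
        const unsigned char u = static_cast<unsigned char>(ch);
        if (std::isalpha(u))
            ch = kEnglishOrder[ranked.find(static_cast<char>(std::tolower(u)))];
    }
    return out;
}

int main() {
    // Read keyboard input or a redirected file; fall back to a constructed sample.
    std::string text((std::istreambuf_iterator<char>(std::cin)), std::istreambuf_iterator<char>());
    if (text.empty()) text = "Wkh txlfn eurzq ira mxpsv ryhu wkh odcb grj";
    const auto counts = countLetters(text);
    for (char c : rankLetters(counts))
        std::cout << c << ": " << counts[c - 'a'] << '\n';
    std::cout << "guess: " << guessPlaintext(text) << '\n';
}
```

On short ciphertexts the guess is usually wrong for most letters; the counts are a starting point for manual swaps, not a decryption.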

The code:


Trusted Computer System Evaluation Criteria

Posted September 1, 2008 at 8:51 pm in General

The Trusted Computer System Evaluation Criteria, known as the Orange Book and part of the DoD’s Rainbow Series, was used to evaluate, classify and select computer systems being considered for the processing, storage and retrieval of sensitive or classified information. It has been superseded by the Common Criteria.

It outlines the following objectives:

  • Policy
  • Accountability
  • Assurance
  • Documentation

Policy defines the Mandatory Security Policy and the Discretionary Security Policy. Accountability defines identification, authentication, and auditing. Assurance defines Operational, Life-Cycle, and Continuous Protection Assurance. Documentation defines Security Features User’s Guide, Trusted Facility Manual, Test Documentation and Design Documentation.

The Orange Book defines four divisions of security: A, B, C, and D with A having the highest level of security. Each division may contain sub-divisions, such as B1, B2, and B3.

  • A – Verified Protection
    1. A1 – Verified Design
  • B – Mandatory Protection
    1. B1 – Labeled Security Protection
    2. B2 – Structured Protection
    3. B3 – Security Domains
  • C – Discretionary Protection
    1. C1 – Discretionary Security Protection
    2. C2 – Controlled Access Protection
  • D – Minimal Protection
