encryption with python
James Stroud
jstroud at mbi.ucla.edu
Wed Sep 7 18:52:19 EDT 2005
Also, I should note that the sha function will, to the limits of anyone's
ability to analyze it, decouple the information from the hash. So, to be
careful, you should keep the algorithm to generate the IDs secret. The
advantage of creating an ID from info in this way is that the ID is ("should
be") unique and unchanging. The disadvantage is that you have to keep the
algorithm secret. Because by knowing it, people could generate IDs from
birthdays with only 10**10 calculations (possible 9 digit SS numbers) and
match them to the IDs. All they need to do this is to ask someone what their
birthday is and try SS#s until they get the corresponding ID.
You could keep the algorithm encrypted and decrypt it temporarily to generate
a new ID. Or, you could memorize it and type it in at the beginning of the
semester and generate the IDs for that semester. You might also have to do
this if you loose the IDs somehow.
But beware of the "rubber hose cryptanalyitic attack". This is where an
adversary beats you with a rubber hose then asks you for the ID generation
algorithm (or key to the encrypted version). They then check your algorithm
against a known birthday-SS#-ID triplet. If you lied, they repeat until they
verify your algorithm. This has historically been a very successful attack.
James
--
James Stroud
UCLA-DOE Institute for Genomics and Proteomics
Box 951570
Los Angeles, CA 90095
http://www.jamesstroud.com/
More information about the Python-list
mailing list