
2.1   Random Number Generation

 

Sadly, there is no easy way to hook up our computer to sample earth vibrations or something similar. Research into the generation of random numbers using computers and software continues today. Almost every platform provides a cryptographically secure pseudo-random number generator, or CSPRNG for short. Kerckhoff's Principle [5] tells us that the secrecy must reside in the secret key, not in the algorithm. In essence, always assume that the cryptanalyst trying to break your ciphertext has obtained the complete details of the employed cipher.

Ciphertext is only as strong as the secret key used to lock the message. The key space relates to the number of possible key combinations that could be used by a given encryption algorithm. For example, a 40-bit key space means that there are 2^40 possible keys. Similarly, a 128-bit key space means that there are 2^128 possible key combinations. While the difference may seem minimal on the surface, increases in key space truly carry exponential differences. Modern supercomputers could use a brute force attack (try each key in sequence) to break a 40-bit key in well under a day; however, that same supercomputer could spend years and years attempting a brute force attack on a 128-bit key and not find the solution. By the time the key was found, presumably the value of the information encrypted would have become meaningless.

How long is the password that you used to log in to your computer this morning? A case-sensitive alphanumeric key space contains a mere 62 characters ([A...Z], [a...z], [0...9]). As an example, let's say that your password is 6 characters long, like SnOOpy. Without dropping into too much math theory, suffice to say that the total possible alphanumeric combinations are represented by 62*62*62*62*62*62, where each character could be any one of the available 62 characters. That's a mere 56,800,235,584 possible keys. On the surface, it appears to provide a great deal of security—56 billion possible keys. We live in a world where a dual-CPU machine running with a clock speed in excess of 3 GHz is readily available. That 6-character password has an effective bit size of 35 bits. Without any empirical data, let's assume that a machine like that just described is running Linux, and it could attempt 500,000 guesses per minute. The entire 6-byte alphanumeric key space could be searched in a brute force decryption attempt in less than 32 hours. Do you still think your 56 billion combinations represent a significant deterrent to someone who really wants to crack your password? I don't.

The fact is that the strength of a key is directly proportional to the size of the key and its randomness. Data that are going to be stored for extended periods of time (like data found inside of a database) should use a larger, more random key to help better protect the data from a brute force attack that might occur over a long period of time. So how do we generate such a strong secret key? Well, the JCA includes a SecureRandom engine explicitly for such purposes.
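
The key-space arithmetic above, followed by a first use of SecureRandom to produce a 128-bit key and a long random password, as an added example that is not code from the original chapter. The class name, the method names and the guess rate of one billion per second are assumptions of this example.

```java
import java.math.BigInteger;
import java.security.SecureRandom;

public class KeySpaceDemo {
    // Assumed attacker speed for this example only; not a figure from the text.
    static final BigInteger GUESSES_PER_SECOND = BigInteger.valueOf(1_000_000_000L);
    static final String ALPHANUMERIC =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

    // Number of distinct keys: alphabetSize^length.
    static BigInteger keySpace(int alphabetSize, int length) {
        return BigInteger.valueOf(alphabetSize).pow(length);
    }

    // Effective key size in bits: length * log2(alphabetSize).
    static double effectiveBits(int alphabetSize, int length) {
        return length * (Math.log(alphabetSize) / Math.log(2));
    }

    // Worst-case whole seconds needed to try every key at the assumed rate.
    static BigInteger secondsToExhaust(BigInteger keys) {
        return keys.divide(GUESSES_PER_SECOND);
    }

    // Each character is drawn uniformly; nextInt(bound) avoids modulo bias.
    static String randomPassword(SecureRandom rng, int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHANUMERIC.charAt(rng.nextInt(ALPHANUMERIC.length())));
        }
        return sb.toString();
    }

    static void report(String label, BigInteger keys, double bits) {
        System.out.printf("%-20s %40s keys  %6.1f bits  %s s to exhaust%n",
            label, keys, bits, secondsToExhaust(keys));
    }

    public static void main(String[] args) {
        report("6-char alphanumeric", keySpace(62, 6), effectiveBits(62, 6));
        report("40-bit key", BigInteger.TWO.pow(40), 40);
        report("128-bit key", BigInteger.TWO.pow(128), 128);

        SecureRandom rng = new SecureRandom();   // platform default CSPRNG
        byte[] key = new byte[16];               // 16 bytes = 128 bits
        rng.nextBytes(key);
        System.out.println("128-bit key (hex): " + new BigInteger(1, key).toString(16));
        System.out.println("22-char password (~131 bits): " + randomPassword(rng, 22));
    }
}
```

BigInteger.TWO requires Java 9 or later. A real application would hand the key bytes to the cipher rather than print them.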
