Cryptography fascinates the inner thief in almost everyone, from children who have tried to steal a cookie while their mothers were not looking, to professionals attempting to steal secrets. This interview question is a good one to discuss for a 45 minute hour to determine if a candidate understands the basic principles of cryptography as opposed to security.
[Note for the reader: We do not intend to have many specialty questions in this series. Given the number of jobs in IT that relate somehow to “security,” it seemed wise to present one question about the computer science flip-side, which is cryptography. ]
Syferlock, Inc. makes a software product that provides additional security for authentication by conventional passwords. If you have pondered the security risks of passwords stored in the browser, or the possibility that someone watches over your shoulder as you type in your PIN at the magic money machines, then you have considered how easy it is to lose the level of protection afforded by basic passwords.
Syferlock’s product shows a substitution pad as a method for scrambling your PIN. Consider Pad #1. Suppose your PIN is that most famous of all taxicab numbers, and that your substitution rule is to choose the number from the 12 o’clock position of each number on the PIN pad. In that case, you would type in 5204. We will call 5204 the encrypted password, and your undisclosed password the plaintext password.
The substitution numbers, i.e., the red and blue numbers, are generated with a good, long period pseudo-random number generator. The each pad you see will undoubtedly be different from its predecessor, so if a thief observes you type in 5204, the thief would not be able to use it on the next pad to be shown because the pad will have changed. The fact that the encrypted password changes prevents loss of the plain text password by this method of observation.
In fact, 5204 corresponds to a few other numbers and rules:
- 7390 using numbers from the top left corner.
- *245 using numbers from the bottom right corner.
- 2960 using numbers from the bottom center.
- …and so on.
Consider Pad #2. On Pad #2, the taxicab number will be encoded as 4459. Assume that you can record the PIN pad patterns and the keys typed in by the user, much as was done by the “Coreflood” botnet.
- Suppose you are doing a little “social engineering,” and you intend to hack the PINs of ten people who work on math and statistics problems for Nate Silver. What ten four digit PINs would you try first, and why?
- What is the essential premise (and caution) behind one-time-pad cryptography?
- Does the grid’s generation with a high-quality pseudo-random number generator have any effect on the security of this system? Or stated differently, does “knowing” the next pad or the next 100 pads effect the systems crack-ability? If so, how?
- Explain the essential method of determining the plaintext password using the above described observational methods.
- In the United States, PINs are usually four digits long. In Europe, they are six digits long. Does password length alter difficulty of determining the plaintext password using the type of observational analysis described in this scenario?
- Suppose the user can change the orientation of the substitution rule with each digit rather than being locked to a single substitution rule for all four or six digits. For example, “north” for the first and last digits, and “northeast” for the second digit, and “south” for the third digit. Setting aside the complexities for the user of remembering separate rules for each digit, what effect would this extra degree of freedom have on the system?