Tuesday, September 1, 2015

The XORcist (aka Get Rid of Bad Encryption)

   I remember when the movie version of the Exorcist came out.  I was in high school and it was probably the scariest, most graphic movie released by that time.  Parents didn't want their kids to see it.  There were all kinds of media discussions about the potential detrimental effects to roller-skating Linda Blair, who played the possessed Regan.  It was a freaky movie, at least for its day, though it was way surpassed in gore by the slasher movies of the 80s.

   I recently read the book (well, you know... audiobook!).  It's well written and I recommend it.  But it is graphic, and there's plenty that wasn't in the movie.

   Easily as scary is the way many systems and sites handle encryption!  For those who don't get the title... XOR is a basic mathematical function that all computers can do easily and quickly.  It's critical for computer operations, and is used in some encryption operations, but is not really a strong encryption method by itself.  If you want to learn more about XOR, look here or here.

   I've covered problems with passwords many times here.  One of the problems that has allowed password breaches to work is poor encryption of the password file.  XOR is not a strong encryption method!

   So what does this all mean?  I have two messages... one for programmers and one for everyone else.

   Programmers.  Don't invent your own encryption.  There are fantastic, freely available encryption routines out there that you can use in your code.  Or, your organization may already have standard encryption methods you can use.  Bottom line is that 2000 years of mathematics has led us to some pretty solid encryption algorithms.  Use them!  Friends don't let friends use bad encryption!  Here are some great references.

   Everyone else.  Password storage should use something we call a "one-way hash".  Not a tasty dish, but a method of scrambling data so that the original can't be recovered from the result.  That means that no one should be able to tell you your password!  So, if you call customer support or the help desk because you forgot your password, and they can tell you your actual password... run!
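To make both points concrete (XOR is reversible, so it is not a way to store passwords; a standard salted one-way hash is), here is an added example that is not from the original post. It contrasts a repeating-key XOR "password store" with PBKDF2-HMAC-SHA256 from Python's standard library. The key, the passwords and the iteration count are constructed values for illustration, and the function names are my own.

```python
import hashlib
import hmac
import os
from typing import Optional

# --- The weak approach the post warns about (constructed illustration) ---

def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR.  Applying it twice with the same key returns the
    original bytes, so whatever it produces can always be turned back into
    the password.  That is the opposite of "one-way"."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xor_store(password: str, key: bytes) -> bytes:
    """What a "home-made" password file entry looks like under XOR."""
    return xor_with_key(password.encode("utf-8"), key)


def xor_reveal(stored: bytes, key: bytes) -> str:
    """Anyone holding the key and the file can read every password back.
    This is exactly what lets a help desk "tell you your password"."""
    return xor_with_key(stored, key).decode("utf-8")


# --- The standard approach: a salted, deliberately slow one-way hash ---

ITERATIONS = 600_000  # constructed default; tune to your hardware budget


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> dict:
    """Produce a storable record.  A fresh random salt per user means two
    people with the same password get different records, and the work
    factor (iterations) slows down offline guessing."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.
    Note there is no function here that returns the password: it cannot
    be recovered from the record, only checked against a candidate."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    key = b"s3cret"  # constructed
    entry = xor_store("hunter2", key)  # constructed password
    print("XOR entry:", entry.hex())
    print("XOR reversed:", xor_reveal(entry, key))  # the password, in the clear

    rec = hash_password("hunter2")
    print("PBKDF2 record:", rec["hash"].hex())
    print("verify correct:", verify_password("hunter2", rec))
    print("verify wrong:  ", verify_password("hunter3", rec))
```

The two things to notice when running it: the XOR entry turns straight back into the password with the same key, and under XOR two users with the same password get identical entries in the file. The PBKDF2 record can only be checked, never reversed, and a second call for the same password yields a different record because of the salt.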

   Can you think of any examples of bad encryption?  Do you know of any websites that can show you a forgotten password?
