15/01/2023
Wandee's Blog
The never-ending trouble with passwords.
Keeping a Secret - Don't tell anybody!
Before we explain how the application works, let's first make a bold statement. This application requires only one password, it can be any data (a word, an image, etc.), and it never has to be saved or stored anywhere. Remembering it is the only requirement, and that should not be too difficult, since even the easy passwords that online services and current password managers prohibit (ABCDEF, 123456, or 😉 Wandee, an emoji plus your first name) will do just fine. If we can't remember passwords like these, it is time to look for medical help, because we might have a serious health problem.
Let's start with the setup of the accounts. We assume there are about 10 accounts and that each account needs its own set, because we have to share a password (secret) with each online service provider.
1. We enter the online provider: J.P. Morgan
2. We enter the password: PASSWORD
On the web page we show two tables (Link), and there we restricted both input fields to 16 hexadecimal characters (8 ASCII characters). The application itself permits an input length of 128 ASCII characters (256 hexadecimal characters). Working in hexadecimal or binary opens the door to every other data format, so our password can be anything we want it to be: an image, text, etc. One thing we have to keep in mind is that the Internet has turned into a bonanza for the entities and people who believe privacy shouldn't exist. Their motto is: store now, decrypt later. So the exchange of the secret has to take place offline. An ordinary letter, or handing over the secret in person, is still the best way to do it. Banks still send card PIN codes by letter, and it may take two or three days before you can use the card. That is safer than the Internet and improves the chances that there is still money in the account when you finally use the card and access the account with your PIN.
Password Manager - Authentication - OTP Encryption

| Hexadecimal | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | A | B | C | D | E | F |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Online Account | J | . | P | . | M | O | R | G | A | N | 1 | | | | | |
| Master Password | P | A | S | S | W | O | R | D | | | | | | | | |
| Hex Code 1 | 5 | 2 | 2 | E | E | 2 | D | 4 | D | 2 | 5 | 2 | 5 | 0 | E | 2 |
| Hex Code 2 | 3 | 5 | F | 2 | 4 | F | 5 | 3 | 0 | 5 | 5 | 1 | 5 | 5 | 4 | 5 |
| Shared = Secret | 8 | 7 | 1 | 0 | 2 | 1 | 2 | 7 | D | 7 | A | 3 | A | 5 | 2 | 7 |
Would there be a problem if someone who wasn't authorized somehow got hold of this string? Not immediately, but not very long thereafter. With the speed of commercially available systems an adversary can run through all 16^16 possible 16-character hexadecimal strings in record time, and one of those combinations is J.P. MOR for the first string and PASSWORD for the second, because we limited the fields to 16 hexadecimal characters. Worse, the account name is hardly a secret: the string is just the digit-by-digit sum Z = X + Y of Hex Code 1 and Hex Code 2 (modulo 16), so anyone who can compute Hex Code 1 the way the application does gets Hex Code 2 by subtraction, without searching at all. "Shared secret" does not mean we share this string with the second party during setup. It is only a secret for us: a single string that holds both input fields in one set of characters. We will store that string, but not in that sequence. We know the password and can remember it with ease. So we take a code (four digits from our birthday, such as 2508) and alter the shared secret by shifting the string by those values. The mode is the same as on the page with the linked tables: the characters at the front move to the end of the string. That shifted string is what we save, and it is the only record left on our system.
Reversing the process is simple: load the string into the field and enter the four-digit code. Now we enter the password, which generates its hex code, and the rest is simple algebra, X + Y = Z. What, then, do we share with the other party? Of course we share a password, but encrypted and not as meaningful text. This is the shared secret between the online service provider, family members, friends and us. That password needs to be exchanged in a secure way, which the Internet certainly is not.
Login & Authentication:
Let's go through the login: we have selected the correct website, filled in the required fields and are now asked for our password. For this to work in OTP mode, sender and recipient both have to use the application. The first item we enter is a random authentication code, just 5 hexadecimal characters that spring to mind. This code is transmitted and, on both ends, creates a shift code by mapping it against the encrypted shared password. The mapping is straightforward: the first character, 3, is mapped against the value string, giving us 2, and the next four characters are mapped the same way. On both ends the encrypted password string is shifted into a temporary string (the shift mode is always the same: the characters cut off at the front are moved, in reversed order, to the end of the string). The sender's last task is to enter a second random number of 6 digits, which together with the temporary secret string creates an OTP cipher that is transmitted to the recipient. Verification and authentication happen there, and login is granted or denied based on the result.
Password Manager - LOGIN - OTP Encryption | User = Password Creation