How Does It Work: Automated Pass Phrase
4.5.15 Automated Pass Phrase:
Your automated pass phrase can be published because it is designed to be too hard to guess, and only three attempts are granted before random attacks are blacklisted. This published set of algorithms does not define all details, but rather defines the type of algorithms deployed from time to time. In practice, these pass phrase generation algorithms continually evolve to ensure that members of a department who collude and share their pass phrases are not able to deduce other pass phrases.
Encryption means obfuscation, so a criminal cannot deduce the real pass phrase when given an encoded pass phrase, or vice versa. Multiple layers of encryption will increase sign-in times by a few milliseconds but exceed criminal decode computing capabilities. The more obtuse and surreptitious the algorithms, the more expensive it will be to try to crack the pass phrase. The criminal will only get three attempts before the user profile is blacklisted, and that includes guessing many other factors as well as the pass phrase.
Business Requirement:
Pass phrase encryption is very different from shared message encryption, where identity must be established and the encryption must be reversible using RSA-like logic. Pass phrase encryption transforms a pass phrase into a repeatable hash string that has no duplicates, but the formula does not need to be reversible. Pass phrases are less than 64 characters, so fingerprinting transformations will not help in an attack. Pass phrases are more than 64 characters, so cyclic rainbow tables will not help in an attack.
Methodology:
(1) Automatically generate a pass phrase of 12 to 20 characters.
(2) Discard any pass phrase that does not have at least 2 upper case, 2 lower case, 2 numbers and 2 symbols.
(3) Encrypt the pass phrase using a salted transform key of at least 64 characters as a fixed-length long number.
(4) Encrypt the fixed-length long number using the RSA algorithm with 2 keys that are never disclosed; modulo arithmetic is not reversible.
(5) Encrypt the RSA remainder using a salted transform into a fixed-length binary string.
(6) Store the binary string in the database as the pass phrase.
(7) Email a link to the generated pass phrase to the authenticated user with a duration of, say, one hour.
(8) No person other than the authenticated user will know the generated pass phrase.
Sign In:
(1) Verify many authentication parameters, including the user handle and email, to identify one unique person.
(2) Encrypt the entered pass phrase using the encryption function identified above to create a binary string.
(3) Compare the binary string entered with the binary string stored; only a perfect match is accepted.
Risk:
(1) A criminal may gain access to the stored pass phrase data.
(2) It is not practical to reverse engineer the stored binary strings back to a pass phrase.
(3) A criminal is obliged to revert to guessing the pass phrase, but they only get three attempts to guess 12 to 20 secure characters between certain times of the day on certain days of the week using certain networks in a specified country.
Forgotten:
(1) When a user forgets their pass phrase, a new pass phrase must be generated and emailed to the user.
(2) No history of old pass phrases is stored, but complex automatic generation techniques mean that every generated pass phrase will be unique.
Background:
All formal encryption methods such as MD5, SHA, AES and RSA have been cracked because criminals can devote thousands of man-hours to building a solution. TIES chooses to deploy many layers of encryption so the result of any layer is a meaningless string that does not give the criminal any idea whether they have a solution or not. TIES chooses to deploy different encryption transforms for different parts of a pass phrase and to deploy binary arithmetic that may not be based on 8-bit bytes. Because TIES does not need to share a public key with anybody and does not need to authenticate another person's key, everything is retained internally for both encode and decode.
One Way Arithmetic:
Modulo arithmetic is all about calculating a remainder: if you know the remainder, you do not know what original numbers were used in the algorithm. Discrete logarithms are at the heart of the RSA encryption mechanism. It has been said that the NSA are building bespoke quantum computers to resolve RSA encryption problems. The history of all encryption methods is that they are eventually cracked.
The TIES solution is to nest multiple layers of different encryption methods on top of one another. When the attacker does not know what encryption methods are deployed and how many layers of encryption are used, it may be too expensive or too time consuming to decode.
TIES chooses to use base 63 numbers simply because it adds an extra layer of complexity that will slow the criminal down. While most encryption methods use 8-bit byte characters or decimal numbers, TIES chooses complex numbers to variable bases.
Four Levels:
Quite different types of algorithms are deployed to match the role of the user. The normal-user set of algorithms is defined in this paper. Managers have an extra component that is unique by department. Providers have different components that are not known to others.
Set of Algorithms:
When the pass phrase generation function is used, the actual algorithm used is based on the tenth of a second, so algorithms identified as "0" to "9" may be used. The day-of-week and week-of-year are also used to identify different algorithms. These identifiers are known as "salt and pepper" within the encoded pass phrase.
Providers' Non-Printable Codes:
Gamma as Γ Delta as Δ Xi as Ξ Sigma as Σ Phi as Φ Psi as Ψ Omega as Ω Mu as Μ Dagger as † Double Dagger as ‡ Ligature as Œ AE as Æ Trademark as ™ Copyright as © Registered as ® Spade as ♠ Club as ♣ Heart as ♥ Diamond as ♦ Paragraph as ¶ Section as § InvQuestion as ¿ Integral as ∫ Cap as ∩ Cup as ∪ Infinity as ∞ SquareRoot as √ Sum as ∑ PlusMinus as ± Not as ¬ Cent as ¢ Pound as £ Yen as ¥ Euro as € Quarter as ¼ Half as ½ ThreeQuarters as ¾ Squared as ² Cubed as ³
ASCII Code Data Entry:
Hold the ALT key down and press 3 digits on the number pad to represent the ASCII code:
Monthly Change:
Manually entered 8 character pass phrases must match the rule of containing 2 upper case letters, 2 lower case letters, 2 digits and 2 symbols, where all the letters are unique, the numbers are unique and the symbols are unique. This manually entered pass phrase must be changed every 42 days because it may be manually used by other applications that are vulnerable. A manually entered pass phrase must not be reused, because it may be disclosed by another application that used the same password.
If a manually entered pass phrase is forgotten, an automatically assigned 14 character pass phrase will be generated and sent via an email link that is enabled for only one hour. The user may retain that automatic pass phrase for at least three years, or may manually enter their own 8 character pass phrase that must be changed every 42 days.
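The two acceptance rules on this page, Methodology step (2) for generated pass phrases (12 to 20 characters, at least 2 of each class) and the Monthly Change rule for manually entered ones (exactly 8 characters, 2 of each class, no repeats within a class), written out as one validator. This is an added example, not TIES code; it assumes that any printable character that is not a letter or digit counts as a symbol, and that letter uniqueness is checked case-insensitively.

```python
import string

UPPER, LOWER, DIGIT = (set(string.ascii_uppercase),
                       set(string.ascii_lowercase), set(string.digits))

def _classes(phrase):
    """Split a phrase into (upper, lower, digit, symbol) lists; None if a
    control character is present. Any other printable character is a symbol."""
    up, lo, dg, sy = [], [], [], []
    for ch in phrase:
        if ch in UPPER:
            up.append(ch)
        elif ch in LOWER:
            lo.append(ch)
        elif ch in DIGIT:
            dg.append(ch)
        elif ch.isprintable():
            sy.append(ch)
        else:
            return None
    return up, lo, dg, sy

def check_generated(phrase):
    """Methodology step (2): 12 to 20 characters with at least two upper case,
    two lower case, two digits and two symbols. Returns the list of violations."""
    errors = []
    if not 12 <= len(phrase) <= 20:
        errors.append("length must be 12 to 20 characters")
    parts = _classes(phrase)
    if parts is None:
        return errors + ["non-printable character present"]
    for name, chars in zip(("upper", "lower", "digit", "symbol"), parts):
        if len(chars) < 2:
            errors.append(f"need at least 2 {name} characters")
    return errors

def check_manual(phrase):
    """Monthly Change rule: exactly 8 characters, two of each class, and no
    repeated letter (case-folded, an assumption), digit or symbol."""
    errors = []
    if len(phrase) != 8:
        errors.append("length must be exactly 8 characters")
    parts = _classes(phrase)
    if parts is None:
        return errors + ["non-printable character present"]
    up, lo, dg, sy = parts
    for name, chars in zip(("upper", "lower", "digit", "symbol"), parts):
        if len(chars) != 2:
            errors.append(f"need exactly 2 {name} characters")
    letters = [c.lower() for c in up + lo]
    for name, chars in (("letters", letters), ("digits", dg), ("symbols", sy)):
        if len(set(chars)) != len(chars):
            errors.append(f"{name} must be unique")
    return errors
```

An empty list means the phrase is accepted; the Methodology's "discard" step is simply `if check_generated(candidate): generate again`.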
Components: (5)
A pass phrase may be generated using:
(a) part of a 1st name
(b) part of a 2nd name
(c) 1st symbol from set-cs
(d) 2nd symbol from set-ds
(e) part of phone number
The person's role, department, timezone and title may be used as additional components.
Name Component: (12)
(a) Two to five characters of a name may be extracted.
(b) Extract may begin at the front or back or center of the name.
(c) One, two or three characters will be upper case; others will be lower case.
Number Component:
(a) Two to five digits of a (phone) number may be extracted.
(b) Extract may begin at the front or back or center of the number.
Case Generation: (25)
All characters are lower case, except those identified by position to be upper case. This rule is applied depending on component length as:
1, 2, 3, 4.
1-2, 1-3, 1-4, 1-5; 2-3, 2-4, 2-5; 3-4, 3-5; 4-5.
1-2-3, 1-2-4, 1-2-5, 1-3-4, 1-3-5, 1-4-5; 2-3-4, 2-3-5, 2-4-5; 3-4-5.
Symbol Component: (17)
(c) 1st symbol is from the (7) lower-case set-cs.
(d) 2nd symbol is from the (7) lower-case set-cs and the (10) lower-case set-ds.
(cs) Space as space Divide as / Minus as - Plus as + Period as . SemiColon as ; Equals as =
(ds) Exclamation as ! PerCent as % RoundBraceLeft as ( RoundBraceRight as ) CurlyBraceLeft as { CurlyBraceRight as } Underscore as _ Tilde as ~ At as @ Colon as :
Data Algorithm:
(a1) Number of characters extracted from 1st name.
(a2) Extract from front, back or center of 1st name.
(a3) Upper case 1st name character positions.
(b1) Number of characters extracted from 2nd name.
(b2) Extract from front, back or center of 2nd name.
(b3) Upper case 2nd name character positions.
(c) Select symbol from lower case set.
(d) Select symbol from lower and upper case set.
(e1) Number of digits extracted from number.
(e2) Extract from front, back or center of number.
(x) Pass phrase is a string of components in order defined by an algorithm.
Order of Components: (10+)
Five (or more) components may be ordered as defined by:
ACEDB, BCEDA, AECDB, BECDA, ACDEB, BCDEA, ABCDE, BACDE, ABCED, BACED...
Character Substitution:
A as 4, B as 8, I as 1, O as 0, E as 3, S as 5, G as 9, Z as 2.
This rule is applied when consecutive letters exist.
Excluded Symbols:
For CSV extract reasons: Comma, Apostrophe and Quotation are not used.
For international keyboard reasons: Pound as £ Dollar as $ Euro as € Hash as #
For HTML reasons: Less as < Greater as > Asterisk as *
For HTML reasons: Square-Brace-Left as [ Square-Brace-Right as ]
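The Components, Name Component, Number Component, Case Generation, Symbol Component, Data Algorithm, Order of Components and Character Substitution rules above, assembled into one generator so the interaction of the rules can be seen on a concrete profile. This is an added example, not TIES code; the parameter dictionary keyed by the page's a1..e2 and x labels, the constructed sample profile, and the reading of "consecutive letters" as a run of two or more adjacent letters are assumptions.

```python
import itertools
import re

SET_CS = " /-+.;="                 # (cs) the 7 lower-case symbols
SET_DS = "!%(){}_~@:"              # (ds) the 10 upper-case symbols
SUBST = str.maketrans("ABIOESGZ", "48103592")  # A as 4, B as 8, I as 1, ...

def extract(text, count, where):
    """Take `count` (2-5) characters from the front, back or center of text."""
    if not 2 <= count <= 5 or count > len(text):
        raise ValueError("extract length must be 2-5 and fit the source")
    start = {"front": 0, "back": len(text) - count,
             "center": (len(text) - count) // 2}[where]
    return text[start:start + count]

def case_patterns(length):
    """Case Generation: every 1-, 2- or 3-position upper-case pattern
    for a component of `length` characters (25 patterns for length 5)."""
    positions = range(1, length + 1)
    return [p for n in (1, 2, 3) for p in itertools.combinations(positions, n)]

def apply_case(text, pattern):
    """Lower-case everything except the 1-based positions in `pattern`."""
    return "".join(c.upper() if i in pattern else c.lower()
                   for i, c in enumerate(text, start=1))

def substitute(text):
    """Character Substitution on each run of two or more adjacent letters
    (this page's "consecutive letters", as read here); single letters stay."""
    return re.sub(r"[A-Za-z]{2,}", lambda m: m.group().translate(SUBST), text)

def build(profile, p):
    """Assemble components A-E from the Data Algorithm choices in `p`
    (a1..e2 as named on this page) and order them by p["x"], e.g. "ACEDB"."""
    comp = {
        "A": apply_case(extract(profile["first"], p["a1"], p["a2"]), p["a3"]),
        "B": apply_case(extract(profile["second"], p["b1"], p["b2"]), p["b3"]),
        "C": SET_CS[p["c"]],
        "D": (SET_CS + SET_DS)[p["d"]],
        "E": extract(profile["phone"], p["e1"], p["e2"]),
    }
    return substitute("".join(comp[k] for k in p["x"]))

# Constructed sample profile and algorithm choices (not real data).
SAMPLE = {"first": "Margaret", "second": "Thompson", "phone": "01632960123"}
CHOICES = {"a1": 4, "a2": "front", "a3": (1, 3), "b1": 3, "b2": "back",
           "b3": (2,), "c": 2, "d": 9, "e1": 4, "e2": "center", "x": "ACEDB"}
```

With the sample choices `build(SAMPLE, CHOICES)` yields a 13-character phrase whose "O" in the second-name part has become "0" under the substitution rule, which is also why the excluded-symbol list matters: `SET_CS` and `SET_DS` contain none of the CSV, keyboard or HTML characters listed above.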
Encryption:
NIST encryption standards designed by the NSA cannot be trusted in the same way as open standards or in-house standards. Pass phrases are encrypted using salted offset substitution methods to create a 63 digit fixed-length string. The 63 digit string does not imply pass phrase length and is further encrypted and scrambled using open standards for hashing. The third level of encryption is a lookup method that creates 7-bit bytes to represent every 2 digits. This binary field value is not printable, not searchable and cannot be changed using normal database methods.
Attempts to decode the result will be hard to verify, as the result of any decode level is just a scrambled string. Even if the criminal has access to all encrypted pass phrases, the decode of any pass phrase cannot be cracked by brute force computing, as various hashing methods are deployed with multiple levels of decode needed. Critical providers' pass phrases are further encrypted using UTF-8 Greek and mathematical (2 and 3 byte) symbols that do not exist on a keyboard.
Each character in the pass phrase is transformed using a unique offset, so the same character will not produce the same result.