[RndTbl] Suggestion For Improvements To Cryptographic Hashing

Ihor Jakowec ijakowec at icloud.com
Tue Mar 14 14:53:06 CDT 2017 

 I hope this is readable, if not please notify me.
This article is also readable from google+ 
Keywords:  Ihor Jakowec  DEJA VU HASH Revised

Or, copy and paste, the below link...
https://drive.google.com/open?id=0BxLingfkcfkbQ3JwYUlZVVBGZGc


DEJA VU HASH


Abstract

Described here is a self modifying cryptographic hash, 
that changes with every login, and/or, after an arbitrary 
time interval. In addition to a password, the hash 
uses login statistics. A hacker would would have less 
time to crack a password, because the hash value could 
keep changing. Also, hacker would need login statistics.



TIME SENSITIVE CRYPTOGRAPHIC HASH

This method is used for remote logins from computers with 
an operating system containing log files that hold login 
data and network traffic data. This method is NOT for use 
by “dumb” terminals, or on guest computers where data is 
erased upon logout.

The input to the hash consists of some or all of the 
following:

1.)  Password.

2.)  Time delay, established by use either/or: 
         - the mode and variance of several ping attempts
         - a truncated value common to most ping trials
         - or the intersection algorithm. [1]

3.)  Login time.

4.)  Previous or, current login duration.

5.)  CPU serial number.

6.)  An array that is a histogram of values of the number 
of packets sent and received (the interval size is 
arbitrary)


[1]
_________________
 Wikipedia Contributors “Intersection Algorithm” 
“Wikipedia, The Free Encyclopedia” 
Wikipedia, The Free Encyclopedia
5 May 2014. Web. 5 May 2014. 

NOTE:

You could use NTP (Network Time Protocol), with 
peer-to-peer connectivity for both the login 
client and the server; to increase the resolution 
of the above items:  2, 3, and 4.

(Referring to item 4.) If the current login is used, 
the hash is performed at the end of the login.

A different hash value can be kept for each login 
from a different CPU. (This could be a weakness if 
many different CPU’s have been used, and infrequently 
at that.) Therefore, using item 5. should only be 
considered as an option, for those who want to 
restrict logins to a select few computers.

How these values are arranged as input to the hash 
is arbitrary. You could use sequential concatenation. 
Or, values can be hashed separately, then xored to 
the final hash value. Input values can also be bit 
shuffled. 

Modification: Item 6 could consist of a single array 
that is a histogram of differences: 

(number of data packets sent - number of data packets received)

The arbitrary time interval is:

login duration / inter login interval 


Both the server and the client would have records of items 
1 to 6 on their respective file systems. However, for 
concealment,  the way they are stored,  and used as input to
the hash can vary.


Since, this method results in a different hash for every 
login. A hacker’s cracking time would be limited to the 
time interval between successive logins




PSEUDO LOGIN

The concept here is to use pseudo logins. This is not a 
full login. Only the login state tables are synchronized 
and the password hash value is re-hashed. The login interval 
can be based on information known to both the client and 
the server. The average of the last five logins could be 
used, where a fraction, or multiple, of this average is used
as the pseudo login interval. Moreover, the pseudo login
interval can be vary. This interval can be made slightly
longer or shorter. This variation can be based on the
histogram of differences previously mentioned. The
histogram can be partitioned into percentiles, or an
arbitrary n-tile.  Lower than average values can be used
to shrink the pseudo login interval, while higher than
average values can be used to lengthen the interval. 

Optimally, the average of these intervals should be slightly 
shorter than the amount of time needed by the average hacker 
to crack a hash value.   Or, it could be left up to the system 
adminstrator to set the length of the pseudo login interval. 
This would depend on the need for security in juxtaposition 
to system load demands.




SALTING THE SALT

As an added security feature, each pseudo login hash can be 
salted with a random number. The same value that is used 
by the server and the remote login. The random number 
generator and the seed value used, would be common to the 
server and the login client. The type of random number 
generator used would be quasi-propriatary to the system 
being used. That is, each random value could be 
cryptographically hashed with a common seed value. The 
resulting hash value could be used with the hash value of 
the previous login or previous pseudo login hash value.



==================================================
DISCLAIMER
Any words not defined, in this collection of documents; 
use the definition given to them, by the O.E.D. and/or 
American Webster's dictionary. It is not my intention 
to use double entendre: either from English or in any 
other language, or from pop subculture (past or present).
Any words redefined by me, or phrases defined by me, are 
simply technical in nature. They are not intended to 
refer to any: 
group, institution, organization, person or persons. 
— No alternate meaning to any word or phrase is implied 
or intended.
— My intent is NOT to: 
slight, insult, affront, or offend.
Ihor Jakowec  Tuesday 14 December 2017
===================================================

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://muug.ca/pipermail/roundtable/attachments/20170314/fd50dd88/attachment-0001.html>

More information about the Roundtable mailing list