Security

Prakash Dwivedi
Ranch Hand

Joined: Sep 28, 2002
Posts: 452
This was asked in an interview(Infosys)
I have to send a package (it could be anything, from classified documents to genetically good bananas) from one place to another through conventional mail. How should I send it so that it remains secure? (It is assumed that if something is locked then it is secure.)
But keep in mind: how will you send the keys if it is locked?
thanx
[ June 25, 2003: Message edited by: Prakash Dwivedi ]

Prakash Dwivedi (SCJP2, SCWCD, SCBCD)
"Failure is not when you fall down, Its only when you don't get up again"
Jason Menard
Sheriff

Joined: Nov 09, 2000
Posts: 6450
Double wrap it and tape all seams with packing tape. While it doesn't prevent somebody from gaining access to the material (if you wanted that, you would have sent by courier not conventional mail), you will know if the package has been tampered with.
Mark Herschberg
Sheriff

Joined: Dec 04, 2000
Posts: 6037
As Jason points out, you need to define what "secure" means. In security we don't say something is secure or not secure. Rather, we define a threat model and describe whether the target is vulnerable to a particular form of attack. Some examples...
- Must we prevent access to the contents at all costs?
- Is it ok simply to know the contents have been compromised?
- Is it ok for the contents to be seen, but not taken? (Define "seen")
- Do the contents need to be protected from damage?

--Mark
Prakash Dwivedi
Ranch Hand

Joined: Sep 28, 2002
Posts: 452
What security means here is that it cannot be opened (a person can open a double-wrapped package and wrap it again).
As I said earlier, anything that is locked is assumed to be secure.
A courier won't increase the security (as the person carrying it can open it anyway).
We have to design a security model so that nobody can even view the content.
I hope I am clearer now.
thanx
Jason Menard
Sheriff

Joined: Nov 09, 2000
Posts: 6450
what security means here is that it can not be opened (person can open a double wrapped package, and wrap it again).
As is said earlier anything that is locked is assumed to be secure.

That is a faulty assumption. Realistically anyway, the safest assumption is that anything sent via regular mail, where you or trusted persons lose physical control of the package, is in no way secure, locked or otherwise. In the US for example, the US postal system will open any package it feels needs to be examined.
courier wont increase the security( as a person carrying it can anyway open it)
Couriers, if you hire the right one that is, are generally considered "trusted" sources. Their livelihood depends on protecting your package and a reputation of reliable service. They will not risk that just to take a look at what you are sending. If your package is extremely sensitive, you might want to hire a courier service along these lines: Secure Transport International, Inc, Specialized Guard Service, or any one of a number of similar companies.
The bottom line is that once a document or package leaves your immediate physical control, there is some amount of risk to be assumed. What you have to decide is how much risk you are willing to take, and choose your mode of transport appropriately.
[ June 25, 2003: Message edited by: Jason Menard ]
Eric Pascarello
author
Rancher

Joined: Nov 08, 2001
Posts: 15376
Pack a 300lb guy named Brutus with it.
Michael Morris
Ranch Hand

Joined: Jan 30, 2002
Posts: 3451
A few questions:
1. What is the time frame?
2. Can the key be sent under separate package?
3. Is pre/post communication allowed with the recipient?


Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius - and a lot of courage - to move in the opposite direction. - Ernst F. Schumacher
Jignesh Malavia
Author
Ranch Hand

Joined: May 18, 2001
Posts: 81
An older and probably original version that I had heard was something like this.
A few decades back, Nikolai lived in Moscow and his girlfriend Natalia lived in St Petersburg. The postal system at the time was highly corrupt in Russia. If anything was sent by mail in a container that could be opened easily, it was stolen regardless of its worth. However, because the volume of postal traffic was very high, the postal workers did not bother opening anything that was locked properly, say, using a simple aluminium box or any other metal box with a lock on it.
Nikolai wanted to send a diamond ring to Natalia but he was worried about it being stolen, and neither Nikolai nor Natalia could travel to the other's city. Finally they both discussed it over the telephone and came up with a plan to send it safely via the postal system. How did Nikolai manage to send the ring to Natalia without it being stolen?
And yes, those numbered locks that you can rotate and create different combinations with were not available at that time.
My apologies to any Russian postal workers over here :-) but the original puzzle that I had read was something like the above, except that the names of the people were different, which I forgot.
Michael,
Q1. What is the time frame?
A. For sending the package? No limit.
Q2. Can the key be sent under separate package?
A. Yes.
Q3. Is pre/post communication allowed with the recipient?
A. Yes.
Michael Morris
Ranch Hand

Joined: Jan 30, 2002
Posts: 3451
If those are the parameters, my first thought would be this scenario:
1. Tell the recipient, I'm sending the key, and to call me when she receives it.
2. For verification place a message in the package with the key and when the recipient calls, ask that the message be read back.
3. Send the package.
Jim Yingst
Wanderer
Sheriff

Joined: Jan 30, 2000
Posts: 18671
Insert Gollum, who wants to acquire the ring, and has landed himself a job with the Russian postal service:
1.5. Gollum intercepts mail and makes a copy of the key, then sends the original on its way.
4. Gollum uses copy of key to open box and steal ring.

[ June 25, 2003: Message edited by: Jim Yingst ]

"I'm not back." - Bill Harding, Twister
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

It's inefficient, but use the physical description of (was it) Diffie-Hellman for sharing secure data without sharing keys (at all)
Put the item in a box and lock it.
Post the item.
Person 2 gets the package, puts their own lock on the box as well then sends it back.
You get the box, remove your lock, then post it back to the second person.
It costs three times the postage and takes three times as long, and I expect they'd be genetically bad bananas by then.
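The two-lock exchange David describes is the physical picture of what is usually called Shamir's three-pass protocol: it needs a "padlock" that commutes, so that A can remove its lock from under B's. The following Python simulation is an added example, not code from any poster in this thread; it uses modular exponentiation as the padlock, with the prime `P`, the message encoding and all function names being this example's own choices.

```python
import secrets
from math import gcd

# Public modulus for the padlocks: the Mersenne prime 2**127 - 1 (a constructed
# choice for this example; it may be known to everyone, Gollum included).
P = 2**127 - 1


def make_padlock():
    """Return (k, k_inv): a private exponent and its inverse modulo P-1.
    Raising a value to k snaps the padlock on; raising to k_inv takes it off."""
    while True:
        k = secrets.randbelow(P - 3) + 2          # 2 <= k <= P-2
        if gcd(k, P - 1) == 1:                    # needed for the inverse to exist
            return k, pow(k, -1, P - 1)


def lock(value, k):
    return pow(value, k, P)


def unlock(value, k_inv):
    # Fermat: value**(P-1) == 1 (mod P), so (value**k)**k_inv == value
    # whenever k * k_inv == 1 (mod P-1).
    return pow(value, k_inv, P)


def encode(text):
    """Message bytes -> integer in (0, P)."""
    n = int.from_bytes(text.encode(), "big")
    assert 0 < n < P, "message must fit below the modulus"
    return n


def decode(n, length):
    return n.to_bytes(length, "big").decode()


def three_pass(message):
    """David's exchange: A locks, B adds a lock, A removes its lock, B removes its lock.
    Returns (the three values the post office carried, what B finally recovers)."""
    a, a_inv = make_padlock()   # A's padlock and key; the key never leaves A
    b, b_inv = make_padlock()   # B's padlock and key; the key never leaves B
    pass1 = lock(message, a)          # 1. A locks the box and posts it
    pass2 = lock(pass1, b)            # 2. B adds its own lock and posts it back
    pass3 = unlock(pass2, a_inv)      # 3. A removes its lock (B's stays on) and posts it
    recovered = unlock(pass3, b_inv)  # 4. B removes its lock and has the message
    return [pass1, pass2, pass3], recovered


def locks_commute(value):
    """The property the whole scheme depends on: lock order does not matter."""
    a, _ = make_padlock()
    b, _ = make_padlock()
    return lock(lock(value, a), b) == lock(lock(value, b), a)


if __name__ == "__main__":
    text = "diamond ring"                     # constructed sample message
    in_transit, out = three_pass(encode(text))
    print("post office saw:", [hex(v)[:18] + "..." for v in in_transit])
    print("B recovered:", decode(out, len(text.encode())))
```

Neither key is ever posted, which is the point of the scheme, and the three values in transit are all different from the message. The choice of padlock matters more than the analogy suggests: a commutative "lock" is not automatically a safe one (a plain XOR mask commutes, but an observer holding all three passes can combine them to recover the message), which is why this example locks by exponentiation modulo a large prime. Authenticating who put which lock on the box is a separate problem that the protocol itself does not solve.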
Michael Morris
Ranch Hand

Joined: Jan 30, 2002
Posts: 3451
Originally posted by Jim Yingst:
Insert Gollum, who wants to acquire the ring, and has landed himself a job with the Russian postal service:
1.5. Gollum intercepts mail and makes a copy of the key, then sends the original on its way.
4. Gollum uses copy of key to open box and steal ring.

[ June 25, 2003: Message edited by: Jim Yingst ]

There are only levels of security. Anyone that tells you they have a 100% secure system (umm, like Oracle did a couple of years back?) is delusional and you shouldn't trust their product. Security is just like trying to commit the perfect crime. There will always be some little (or big) thing that you don't consider and there is always someone with a little more experience and knowledge that can fit the puzzle together.
Jim Yingst
Wanderer
Sheriff

Joined: Jan 30, 2000
Posts: 18671
True. I'm assuming though that while cracking the lock itself is either beyond Gollum's capabilities, or at least beyond the threshold of what we need to worry about - as per the original problem, "It is assumed if something is locked than it is secure)." But making a copy of a key is significantly easier than cracking a lock; I can go to Ace Hardware and have it done for a buck in a couple minutes. However there's an alternate solution that does not have this relative weakness.
Michael Morris
Ranch Hand

Joined: Jan 30, 2002
Posts: 3451
Originally posted by Jim Yingst:
True. I'm assuming though that while cracking the lock itself is either beyond Gollum's capabilities, or at least beyond the threshold of what we need to worry about - as per the original problem, "It is assumed if something is locked than it is secure)." But making a copy of a key is significantly easier than cracking a lock; I can go to Ace Hardware and have it done for a buck in a couple minutes. However there's an alternate solution that does not have this relative weakness.

You always challenge me when it's my bedtime. I'll sleep on it and see what else I can come up with. David's solution is better, I hadn't really thought of being able to put two locks on the box.
Jim Yingst
Wanderer
Sheriff

Joined: Jan 30, 2000
Posts: 18671
Dang, I overlooked David's post entirely; sorry. (I saw a response from M^2 to my post; didn't look further back for other stuff.) Yes, that's a good solution. There is at least one more, which is a bit more efficient in terms of time and money - though it may require an additional assumption or two about the relative difficulty of certain activities.
Of course, Gollum could just steal the whole box. Let's assume though that there is paperwork which tracks who last had custody of the box, but not necessarily its contents - and that this means the risk of detection and punishment is great enough to prevent Gollum from just stealing the whole box.
Timothy Chen Allen
Ranch Hand

Joined: Mar 16, 2003
Posts: 161
Originally posted by David O'Meara:
It's inefficient, but use the physical description of (was it) Diffie-Hellman for sharing secure data without sharing keys (at all)
Put the item in a box and lock it.
Post the item.
Person 2 gets the package, puts their own lock on the box as well then sends it back.
You get the box, remove your lock, then post it back to the second person.
It costs three times the postage and takes three times as long, and I expect they'd be genetically bad bananas by then.


That was what I was trying to think of! I was walking home last night, thinking, "I remember vaguely something about using a second lock". My neighbors thought I was odd because I was holding my lunchbox up, whooshing it from one hand to the other, and making lock-being-locked sounds.
Thank you, that would have been my answer if I had a better memory, was smarter, and generally was better in every possible respect.


Timothy Chen Allen
Learn Spanish in Washington, DC
Anupam Sinha
Ranch Hand

Joined: Apr 13, 2003
Posts: 1088
Hi
I really liked the two locks solution, but how is that any more efficient than Michael Morris's solution? First the person who is sending the package (call him A) says to the recipient (call him B): when you receive the package you will have a number; add 612 (or for that matter any number) and tell me the number. If the result is what's expected then send the key, else don't send it. In case of the double lock, why can't someone from the postal dept. put on the second lock and send the package back? For this reason I think that Michael Morris's solution is the most efficient solution.
[ June 26, 2003: Message edited by: Anupam Sinha ]
Andy Bowes
Ranch Hand

Joined: Jan 14, 2003
Posts: 171
David's answer to the question is probably the best answer out there.
This solution of adding 2 locks to the parcel is my favourite description of how public/private key encryption works. The answer provided by David is basically a description of the technology underlying communications via HTTPS/SSL which is probably why you were asked the question in an interview.


Andy Bowes
SCJP, SCWCD
I like deadlines, I love the whooshing noise they make as they go flying past - Douglas Adams
Anupam Sinha
Ranch Hand

Joined: Apr 13, 2003
Posts: 1088
Hi Andy
For telecomm. it may work, but I still doubt it: why can't the same (as in my previous post) be done to the data being sent over the network? That is, why cannot someone intercept the data, encrypt the encrypted data, then send it back to A and receive the data back without A's encryption?
[ June 26, 2003: Message edited by: Anupam Sinha ]
Jim Yingst
Wanderer
Sheriff

Joined: Jan 30, 2000
Posts: 18671
I really liked the two locks solutions but how is that anyway efficient than Michael Morris's solution.
I wouldn't call it more efficient as it requires more postage and time - but it's more secure.
First the person who is sending the package(call him A) says to the recipient(call him B) that when you recieve the package you will have a number and add 612(or for that matter any number) and tell me the no. if the result is what's expected then send the key else don't send it.
This made no sense at all to me until I realized you are actually describing a new solution which is effectively reversing the two steps of Michael's solution. (I had thought you were adding on to either Michael or Dave's solution, and couldn't understand how that would work.) Yes, this works - except that the number trick needs modification. I assume you're trying to block the following scenario:
1. A puts ring in box, locks it, and mails it to B.
2. Gollum intercepts and substitutes another box with another lock (saving the key to this), sends that to B while retaining the original locked box.
3. B receives box, calls A, says "send key".
4. A sends key.
5. Gollum intercepts key, opens box with ring, and can also now substitute the key to the fake box, sending that on to B.
6. B receives key which opens the fake box, finds it is empty, and is mystified.
The business about "you will have a number and add 612(or for that matter any number) and tell me the no" sounds like a modification to step 3 to detect the substitution. Unfortunately it won't necessarily work - if the number was outside the box, then Gollum was able to read it, and can put the same number on the duplicate package. (If the number was inside the locked box, then B couldn't have read it during step 3 anyway.) This assumes Gollum is smart enough to try to duplicate the original package as accurately as possible - but frankly, taking a piece of paper with the number on it and putting it with the new package is pretty simple. Alternately, maybe the number should be written on the box in A's distinctive handwriting. This works if B is able to recognize A's handwriting more reliably than Gollum can forge it.
My own solution for authentication would be for A to purchase a lock with an engraved serial number on it, and note the serial number. This should not be alterable by Gollum, at least no more easily than he could have just broken open the lock in the first place (which we are to assume he cannot do).
There's one other solution I know which is approximately equal in efficiency and security to this one, and has the minor advantage that it can be repeated for future exchanges without needing to buy a new lock each time. (Gollum could have made a copy of the key when it was sent - too late to open the box with the ring, but he could use the key if you ever send a parcel with that lock again.)
----
In case of double lock why can't someone from the postal dept. put on the second lock and send the package back.
So insert a check: when A gets the package back in the mail with two locks on it, call B to verify that B did in fact see the package and put a lock on it. B says, what package? And they notify the post office that they have evidence of mail tampering, which may lead to Gollum's capture. Unfortunately A must now get a pair of boltcutters or something to remove Gollum's lock, but once this is done A and B can try again. The ring is still safe, and Gollum has put himself at risk of capture.
Jason Menard
Sheriff

Joined: Nov 09, 2000
Posts: 6450
I still prefer the option of hiring a team of armed escorts with military and/or police training to deliver the package.
Barring that though, the two lock solution seems to be about the best. With a solution like "add the number 612", the receiver must be made aware of this number, and transmitting that number to the receiver is also a security risk.
Anupam Sinha
Ranch Hand

Joined: Apr 13, 2003
Posts: 1088
Hi Jim
The business about "you will have a number and add 612(or for that matter any number) and tell me the no" sounds like a modification to step 3 to detect the substitution. Unfortunately it won't necessarily work - if the number was outside the box, then Gollum was able to read it, and can put the same number on the duplicate package.

I didn't think about that.
But in your solution about two locks
So insert a check: when A gets the package back in the mail with two locks on it, call B to verify that B did in fact see the package and put a lock on it.

But consider this: A sends a package, Gollum sees the package, keeps the package with him and sends a similar package to B. Now when B resends the same package back to A with 2 locks, Gollum sends the original package back to A (that contains the ring) with another lock of his; then A unlocks his lock and sends the package back to B. Now Gollum has the ring. Then Gollum opens his lock on the similar package he sent to B. So now B is mystified as the box is empty.
But here I think there is a catch: how would Gollum know that the package that should be returned to A should be the original package, not the similar one? Well, there may be two reasons: he thinks about why two locks have been used and discovers why they are being used, or this may have happened before with someone or himself and he may now have learnt from that experience.
Michael Morris
Ranch Hand

Joined: Jan 30, 2002
Posts: 3451
Would everyone stop obsessing with trying to create the perfect security paradigm. It is impossible to prevent all man-in-the-middle attacks, period. My solution used an authentication technique where the user must have something and know something. The user knows my phone number and to call me. How would the Gollum know that? The user has the message that presumably only I know. The Gollum would also have that but wouldn't know what to do with it. He could however, as Jim pointed out, copy the key. But in an unsafe environment, how many locked packages will be coming down the pike? Would it be worth his while to copy all of them and try each on each locked package?
Jim Yingst
Wanderer
Sheriff

Joined: Jan 30, 2000
Posts: 18671
Hey, this is Gollum - he's been to Mordor and back (and later back to Mordor again) in pursuit of this ring. Infiltrating the Russian post office and obsessively scrutinizing all mail to or from A or B is no big deal to him.
More seriously, there are two possible ways I see that this could be a credible threat. One, Gollum may be specifically targeting A and B and reading all their mail, and doing whatever he can to screw with them. Or two, Gollum may just unscrupulously scan mails that come through - and then one day he finds one that has a key. Hmmm, intriguing. What does it open? Let's write down the sender and receiver's address, and make a copy of the key, and see if we can find a use for it. Maybe it's someone's house key. Send the original on its way to avoid getting in trouble. Then a few days later, another package comes from A to B, and it's a big locked box, and at this point there's a decent chance Gollum might now try the key to see if it opens the box.
But in an unsafe environment, how many locked packages will be coming down the pike? Would it be worth his while to copy all of them and and try each on each locked package?
True. If this sort of protocol becomes common, there will be a lot of keys and packages going through the mail, and it's probably not worth Gollum's time to mess with them all. Unless he's specifically targeting A and B. Or unless maybe he can somehow automate the process of scanning for keys in the mail, copying them, and then looking for packages with corresponding addresses which might then be unlocked...
OK, I admit I've been stacking the deck with a lot of these assumptions. As did Jignesh. The form of the problem that we've been guiding it to is very much a mirror for real-world cryptography issues. Replace the postal system with the internet, and Gollum with an unscrupulous hub admin who's running some scripts to scan for various types of encrypted data, and also for things that look like keys, in hopes of finding a pair that match up. How do two people exchange a message with sensitive info (the ring) without it being decrypted (unlocked)? The solutions to the Gollum problem then mirror various protocols using public-key encryption.
So yes, the stated problem is rather contrived, but there is a use for it in the real world.
The other solution I was thinking of is: instead of A sending B the key, have B buy a lock:
1. B buys a lock (with key), records the serial number and sends the lock to A in the mail.
2. Gollum sees the lock in the mail, but can't make a copy of the lock, and can't substitute a different lock because the serial number would be different.
3. A receives the lock, and confers with B to verify the serial number is correct. (Gollum might even hear this conversation, but so what?)
4. A sends the locked box with ring to B. Gollum can't do anything at this point.
5. B now has the ring, and if desired, can send the lock back to A (or even C) for future exchanges, because only B has ever had access to the key to that lock.
Here with dual-key encryption, the lock is analogous to the public key. You can pass it around in public, and people can't do anything with it other than lock something with it. Once they do that, only you can unlock it. The key retained by B is analogous to the private key - it can unlock anything that was locked with the public key, and you never need to (or want to) let anyone else get ahold of it. The business with checking serial numbers is analogous to using digital signatures to verify the identity of a sender, so that when someone says hey, this is my public key, send me a message, you know that it's really their key, not some replacement.
[Anupam Sinha]: But consider this A sends a package Gollum sees the package keeps the package with him and sends a similar package to B. Now when B resends the same package back to A with 2 locks Gollum sends the orignal package back to A(that contains the ring) with his another lock then A unlocks his lock and sends the package back to B. Now Gollum has the ring. Then Gollum opens his lock from the similar package he sent to B. So now B is mystified as the box is empty.
Good point. Here again it's necessary to insert some sort of check to ensure that the locks are valid, not substitutions. So we again need to rely on something like lock serial numbers for validation.
[ June 26, 2003: Message edited by: Jim Yingst ]
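Jim's "B mails the lock, keeps the key, and reads the serial number over the phone" scheme is public-key encryption plus an out-of-band check of the key's fingerprint. The Python below is an added example illustrating that mapping; it is not code from anyone in this thread. The toy RSA primes (far too small for real use), the SHA-256-based "serial number", and all function names are this example's own assumptions; real systems get the same assurance from certificates or signed keys rather than a phone call.

```python
import hashlib

# Toy RSA parameters: constructed primes far too small for real use, chosen
# only so the arithmetic is visible. E is the usual public exponent.
B_PRIMES = (1000000007, 998244353)
GOLLUM_PRIMES = (999999937, 1000000009)
E = 65537


def make_lock_and_key(p, q):
    """Return (public lock, private key). B mails the lock out and keeps the key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)           # requires gcd(E, phi) == 1, true for these primes
    return (n, E), (n, d)


def serial_number(public_lock):
    """The 'engraved serial' of a lock: a fingerprint of the public key.
    B reads this to A over the phone; Gollum may overhear it but cannot change it."""
    n, e = public_lock
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()[:16]


def lock_with(public_lock, message_int):
    """Anyone can snap B's lock shut (encrypt with the public key)."""
    n, e = public_lock
    assert 0 <= message_int < n, "message must fit below the modulus"
    return pow(message_int, e, n)


def unlock_with(private_key, box):
    """Only the holder of the key opens it (decrypt with the private key)."""
    n, d = private_key
    return pow(box, d, n)


def send_ring(lock_from_mail, serial_from_phone, message_int):
    """A's side of steps 3-4: verify the lock's serial before using it.
    Returns the locked box, or None if the lock in the mail is not B's."""
    if serial_number(lock_from_mail) != serial_from_phone:
        return None               # substituted lock: do not lock the ring with it
    return lock_with(lock_from_mail, message_int)


if __name__ == "__main__":
    b_lock, b_key = make_lock_and_key(*B_PRIMES)
    phone_serial = serial_number(b_lock)                   # step 3's phone call
    ring = int.from_bytes(b"ring", "big")                  # constructed payload

    # Honest delivery: the lock A receives is the one B mailed.
    box = send_ring(b_lock, phone_serial, ring)
    print("B opens box:", unlock_with(b_key, box).to_bytes(4, "big"))

    # Substitution (step 2's threat): a lock Gollum holds the key to.
    g_lock, _ = make_lock_and_key(*GOLLUM_PRIMES)
    print("A accepts Gollum's lock?", send_ring(g_lock, phone_serial, ring) is not None)
```

The serial check is what turns "a lock arrived in the mail" into "B's lock arrived in the mail": overhearing the phone call gives Gollum nothing he can use, because the fingerprint is derived from the lock itself and a substituted lock fingerprints differently. The private key `d` is never sent, so the same lock can be reused for later exchanges, as Jim's step 5 describes. Keep the toy arithmetic toy: textbook RSA without padding on a twelve-digit-prime modulus is for illustration only.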
Anupam Sinha
Ranch Hand

Joined: Apr 13, 2003
Posts: 1088
Hi Jim
But B now has to buy a lock that can be locked without a key but requires a key to open it. Well, on a serious note, I liked that discussion on public keys. Can you tell me more about it or send me a link where I can learn more about it?
Jim Yingst
Wanderer
Sheriff

Joined: Jan 30, 2000
Posts: 18671
Well, here are some Google hits that look promising:
[link]
[link]
[link]
[link]
[link]
To really get into this subject, Bruce Schneier's Applied Cryptography is highly recommended.
Anupam Sinha
Ranch Hand

Joined: Apr 13, 2003
Posts: 1088
Thanks Jim for the links and the info.
[ June 27, 2003: Message edited by: Anupam Sinha ]