What are the implications of Shannon’s work on security?
Claude E. Shannon is referred to as the founder of information theory, a scientist responsible for classical information theory. Shannon’s paper focuses on communication referencing PCM (pulse code modulation) and PPM (pulse position modulation). In the paper, Shannon explores topics which we are all familiar with today, topics such as bandwidth and SNR (signal-to-noise ratio).
When people think about digital security in today’s world they then to think about internet security, internet security is really about the protocols, operating systems, and applications which make up the internet. As I looked at Fig. 1 – Schematic diagram of a general communication system (Shannon, 2001, p. 4), I couldn’t help but think about TCP/IP and a simple topological representation as [HOST] <-> [ROUTER] <-> [ROUTER] <-> [HOST].
All the constructs that Shannon discusses in his 1948 paper, like source and destination (host), the transmitter (router, switch, etc…), and channel (wireless TDMA, CDMA, GSM, 802.11, etc…) all still exist and continue to evolve. Shannon talks about the messages having meaning and being correlated to some system (Shannon, 2001, p. 1), TCP/IP are the protocols that run the internet, moving information using packets. These packets are given meaning using IP (Internet Protocol) header information which contains detail about the source and destination, and a TCP (Transmission Control Protocol) header which includes information that allows data to be segmented, delivered out-of-order and reassembled. This TCP/IP header information is what allows the payload (the actual data we care about) to move between source and destination.
We can surmise that Shannon’s work had a significant impact on the TCP/IP protocols that interconnect us all today. When Bob Kahn and Vint Cert wrote the paper “A Protocol for Packet Network Intercommunication” (Cerf & Kahn, 1974) in 1974, defining the protocols that would become the platform from which the internet would blossom their concepts for a packet communication network were likely rooted in the work of Shannon.
In 1945 Shannon wrote a paper entitled “A Mathematical Theory of Cryptography.” (Shannon, 1945). This paper pre-dates “A mathematical theory of communication” by four years, the cryptography paper was initially a classified document, downgraded three years later, an abridged version was published and followed by the publication of the full article after being declassified twelve years later. Shannon’s paper on cryptography introduces an unbreakable a key-based encryption scheme known as “The Vernam Cipher”. Key-based encryption (“plaintext + key = ciphertext ⇒ ciphertext + key = plaintext”) is widely used today to encrypt and decrypt data at the source and destination, ensuring it’s confidentiality and integrity while in-flight on public networks like the internet. Cryptography is pervasive, from simple applications like MD5 hashing binaries to guarantee their integrity, to PGP public and private key encryption to SSL encryption (What is SSL, TLS and HTTPS?, n.d.). With 3.9 billion (Internet Users, n.d.) people on the internet and pervasive use of SSL and HTTPS, it’s fair to say that > 50% of the world population has benefited from Shannon’s work on communications and security.
Cerf, V., & Kahn, R. (1974). A protocol for packet network intercommunication. IEEE Transactions on Communications, 22(5), 637-648. doi:10.1109/TCOM.1974.1092259
Collins, G. P. (2002, October 14). Claude E. Shannon: Founder of Information Theory. Retrieved May 02, 2018, from https://www.scientificamerican.com/article/claude-e-shannon-founder/
Internet Users. (n.d.). Retrieved May 2, 2018, from http://www.internetlivestats.com/internet-users/
PGP, Public and Private Keys, and How PGP Encryption Works. (n.d.). Retrieved May 02, 2018, from http://accc.uic.edu/service/pgp/how-encryption-works
Shannon, C. (2001). A mathematical theory of communication. ACM SIGMOBILE Mobile Computing and Communications Review, 5(1), 3-55. doi:10.1145/584091.584093
Shannon, C. E. (1945). A Mathematical Theory of Cryptography – Case 20878. Alcatel-Lucent. Retrieved from https://www.iacr.org/museum/shannon/shannon45.pdf
The Vernam Cipher. (n.d.). Retrieved May 02, 2018, from http://www.cryptomuseum.com/crypto/vernam.htm
What is SSL, TLS and HTTPS? (n.d.). Retrieved May 02, 2018, from https://www.websecurity.symantec.com/security-topics/what-is-ssl-tls-https
Discussion Response 1
The computational power of RISC based processors like GPUs, TPUs, FPGAs and other ASICs being applied to password cracking has changed the game. Massive hacks and the dictionaries of passwords which have been aggregated and shared all over the internet as a result (e.g., https://wiki.skullsecurity.org/Passwords) along with available and accessible computational power to conduct brute-force attacks has made even strong passwords vulnerable. A 12 character alphanumeric with special characters password is not as hard to crack as many people think (http://www.netmux.com/blog/cracking-12-character-above-passwords). Provision a boatload of GPU capacity from AWS for a week and you would be surprised by the number of hashes per second you can churn out.
Then there is the application of deep learning to hacking. Projects like deephack (https://www.youtube.com/watch?v=Ybyg8WL0F4o) are starting to apply algorithmic thinking and build neural networks to hack systems.
Here is a little demo I put in this weeks assignment, where I used hashcat (https://hashcat.net/hashcat/) to crack five MD5 hashed passwords: https://asciinema.org/a/R4XnaVL0hKPLLrdF04NGQaO0p
Depending on your perspective I may seem like the only crazy person with a 6 x GPU machine. My wife would live if I only hade a single 6 x GPU rig, but the rig I used for the password crack is one of my four GPU rigs. The applicability of GPUs to cryptocurrency mining and machine learning have lots of people with lots of GPU power available either on their rigs or in the cloud.
I ran the password crack demo in the video above on my latest build which I am doing burn-in on in my home office before being added to the farm: https://photos.app.goo.gl/dKKWgB2pENIbTIm33
The interesting part about building GPU rigs for machine learning, mining, password cracking, etc… requires some caution because they pull a lot of power, the components get hot, and many of them are sourced by people like me direct from low-cost component manufacturers. Without exercising caution, you can have a meltdown aka a fire.
Strong passwords are good, but I would highly encourage the use of multi-factor authentication.
Discussion Response 2
Ahhhhh… Analog, my younger years as a phone phreak with my TRS-80 and acoustic coupler were the best. 🙂 Long live John Draper aka Cap’n Crunch.
The blue box and black box were a thing of beauty, enable by the simplicity of the analog system. Let’s face it if you were online in the early 80s and knew how to build a black box you built one because who could afford all those local exchange costs, let alone long distance costs. Then you had the device (don’t remember what it was called but I remember building it and putting inline between the modem and the wall jack) which ran the analog line through a potentiometer, some resistors and capacitors to clean up the line for you 110 baud acoustic coupler to give you a little more bandwidth, the good old days.
To this day I am still a loyal subscriber to 2600 Magazine and lister of Offf The Hook, I’ve even hit some clandestine 2600 meetups in faraway lands, that’s a treat.
If you are into some leisure (true story) reading about this era I suggest a book called “Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker”.
And of course, you have to get yourself a “Free Kevin” t-shirt. 🙂
Terminology Module Assignment