Sunday, December 16, 2012

XORing is not encryption


Sometimes people use the XOR operator to encrypt their data and think it is secure. The way it works is that if you have a key K and a message M, the encrypted text will be
Enc = M (XOR) K
As long as the adversary doesn't know the key, he can't decrypt the original message. XOR is also sometimes used because it is very fast to compute. Everything is fine up to this point; the problem arises from the way it is used.
XOR truth table

INPUT     OUTPUT
A   B     A XOR B
0   0     0
0   1     1
1   0     1
1   1     0

The thing to remember here is that the key used to encrypt a message should never be reused. Let me show you why.
Let's assume you encrypted messages m1 and m2 using the same key.
Enc1 = m1 (XOR) K
Enc2 = m2 (XOR) K

Now an attacker can take the XOR of these two encrypted messages:
Enc3 = Enc1 (XOR) Enc2 = m1 (XOR) K (XOR) m2 (XOR) K
     = m1 (XOR) m2
Since K (XOR) K = 0, the key is no longer in the picture, and the attacker can easily learn the message.

Hence, this should never be used. This type of encryption is also called a one-time pad for the same reason: the key should be used only once.
It can also cause problems when the key generator used to generate the encryption key is not a random key generator, or when the next key can be predicted from the previous keys.
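
The derivation above, carried through in code. This is an added example, not code from the original post; the sample messages and the function names (xor_bytes, encrypt, combine, demo) are constructed for illustration. It shows the key cancelling when it is reused, and what is left when each message gets its own random key.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(message: bytes, key: bytes) -> bytes:
    """Enc = M (XOR) K, with a key as long as the message."""
    return xor_bytes(message, key)


def combine(enc1: bytes, enc2: bytes) -> bytes:
    """Enc3 = Enc1 (XOR) Enc2, computed from the ciphertexts alone."""
    return xor_bytes(enc1, enc2)


def demo() -> dict:
    # Constructed sample messages of equal length.
    m1 = b"transfer 100 to alice"
    m2 = b"transfer 999 to mally"

    # Case 1: the same key K is reused for both messages.
    k = secrets.token_bytes(len(m1))
    enc3 = combine(encrypt(m1, k), encrypt(m2, k))
    key_cancelled = enc3 == xor_bytes(m1, m2)   # K has dropped out
    m2_from_m1 = xor_bytes(enc3, m1)            # knowing m1 reveals m2

    # Case 2: a fresh random key per message (used only once).
    k1 = secrets.token_bytes(len(m1))
    k2 = secrets.token_bytes(len(m2))
    enc3_fresh = combine(encrypt(m1, k1), encrypt(m2, k2))
    # m1 (XOR) m2 is still masked by the unknown K1 (XOR) K2.
    residue = xor_bytes(enc3_fresh, xor_bytes(m1, m2))

    return {
        "key_cancelled": key_cancelled,
        "m2_recovered": m2_from_m1 == m2,
        "fresh_keys_still_masked": residue == xor_bytes(k1, k2),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The keys here come from Python's secrets module, which draws from the operating system's CSPRNG; a predictable generator would undo the second case just as key reuse undoes the first.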

Friday, August 31, 2012

Zarro Boogs

If you are using Bugzilla to track bugs, and if somehow God is so kind to you that you have zero bugs on your plate, then you will see the message "Zarro Boogs found".

At first I thought there was a mistake (a bug in Bugzilla :-)) here, but soon I found out that it's intentional! And this is what I found :D

From Wikipedia:
"It is intended as a buggy statement itself (a misspelling of "zero bugs"), implying that even when no bugs have been identified, software is still likely to contain bugs that haven't yet been identified"

Terry Weissman (an early Bugzilla developer) says:
" when Netscape released version 4.0 of its browser, we had a release party. Naturally, there had been a big push to try and fix every known bug before the release. Naturally, that hadn't actually happened. (This is not unique to Netscape or to 4.0; the same thing has happened with every software project I've ever seen.) Anyway, at the release party, T-shirts were handed out that said something like "Netscape 4.0: Zarro Boogs". Just like the software, the T-shirt had no known bugs. Uh-huh. So, when you query for a list of bugs, and it gets no results, you can think of this as a friendly reminder. Of *course* there are bugs matching your query, they just aren't in the bugsystem yet...
--Terry Weissman"