Currently I'm working on implementing a seed/key algorithm to limit access to a tool for authorized users. My understanding of the algorithm is that its strength is derived from the seed itself. However the majority of articles say "The basic idea is that the server provides a seed -- a short string of byte values -- and the client is required to transform that seed into a key using a secret algorithm." If the algorithm's security is based on the seed, why is it "a short string of byte values" instead of the longest possible string of byte values?
Asked
Active
Viewed 2,327 times
1 Answers
1
"Short" and "long" are relative terms. If I secretly make 128 coin flips and write down the results, that sounds like a lot of coin flips, doesn't it? There's $2^{128} > 10^{38}$ combinations I could get, a number bigger than 1 with 38 zeroes after it, so you have no hope of guessing what results I got.
Yet that unguessable result fits in $128 รท 8 = 16$ bytes, which almost everybody would call short byte string. That is, it's short if you're trying to store it in a computer, but impossibly long if it was picked at random and you're a bad guy trying to guess it.
Modern symmetric cryptographic algorithms come in 128-bit and 256-bit strength, whose keys fit in 16 and 32 bytes respectively, and there's no need for their keys to be any longer. Many public key algorithms do use longer keys (for technical reasons) but even there we're talking about kilobytes at most for popular ones.
Luis Casillas
- 14,703
- 2
- 33
- 53