Thursday, 22 June 2017

Hardware OTP Tokens

Swami Gulagulaananda said:
"Security by obscurity is an interesting notion - for we all fear what we don't understand"

A long time ago, I saw a friend of mine holding a small hand-held device. It hand a single button and a small screen. I asked him what it was. "Oh, I have an account with HSBC Bank. This is an OTP generator, it is for additional security", he replied. "How does it work?", I asked him. "I don't know man, they ask me to enter it while signing in. I press the button, some number comes up and I enter it", he replied

I tried it. Each time I pressed the button, a seemingly random number appeared on the screen. However, once a number appeared, it didn't change and remained on the screen. It didn't change even if I pressed it. It would remain for some time, perhaps a minute and then disappear. I pressed the button again and another number would appear.

This was pretty interesting. But I soon forgot about it. A few years later, I was signing up on some MongoDB website which required two-factor authentication. It required me to use an authenticator app - Google Authenticator (Although I distinctly remember using Microsoft Authenticator as I had a Windows phone). This also worked in a very similar manner. Apparently these new passwords are used to prevent problems due to key-loggers and man-in-the-middle attacks.

It turns out that both require some kind of registration with the server - A one time registration. Subsequently, there is no connection between the server and the device (app can be run without internet connection, and the small HSBC device is not a 'smart' device)

So now the question is - How does this work? The real thing probably works using either Time Based One time password algorithm or HMAC based one time password algorithm described here. But I was thinking if I could come up with a relatively simple mechanism.

I remembered Pseudo Random Numbers. The reason pseudo random numbers are "Pseudo" is because they are not really random numbers. In fact, these random numbers have a seed. A seed is a number that we provide to the PRN generator in the beginning. Subsequently, the function returns some numbers. The beauty is that this is repeatable. It means, if I started with a seed 10 and generated 5 random numbers and told you that my seed was 10, and you generated 5 random numbers using that seed, the 5 numbers that you have are exactly the 5 numbers that I have.

Here's a sample Python program for you to try out. Try running this in different terminals.
>>> import random
>>> random.seed(5)
>>> random.random()
>>> random.random()
Now obviously the question is - How do these PRN generator functions work? One of the ways could be to use a standard function like Sine or Log. For example, sin(x) will always be the same for the same value of x. So the seed is the first value of x. Each time you call the function, it will give you sin(x) and increment x. This is, of course, just an example.

So, now, these HSBC tokens have the 'x' value burned into it. The HSBC tokens also have a unique identifier. The security servers know the mapping between identifier and the seed value burned into it. Therefore, the two independent devices are capable of producing the same output. When you register the device, the server associates the token against you. Now, when you press the button, it probably uses the current time along with the seed (say concatenates or adds) and passes it into the function. It may use time till the minute level. Now whatever value is generated is typed by you. When you submit, the server looks at who submitted the value, gets the seed against him and the current time, and passes it into the same function - The result should be the same value if everything is okay. Otherwise there is something wrong...

Note that I have not used any fancy algorithms here - Do you think this is vulnerable? What problems do you see with this approach? Let me know in the comments.

Sunday, 27 November 2016

Marking Territory

Swami Gulagulaananda said:
Vasudhaiva Kutumbakam"

Planet Earth is considered to be a unique planet - It is the only known planet that harbours life. The Earth has been around for a long time, a few billion years (or a few thousand if you are a devout christian) and is filled with resources such as water, trees, fossil fuel, gemstones, wildlife and more.

Let's look at the planet Earth from the point of animals, say ants. Ants are remarkable insects that live in colonies and have divided their tasks among themselves - Some are workers, some are cleaners while some others are soldiers. They divide labour, just like humans; they communicate among themselves like humans; and they are territorial, just like humans. They decide what their territories are, and aggressively defend it. Any perceived threat will result in a swarm of ants working like a well oiled machine with their mandibles pulling at the enemy from various angles. I saw a video of an ant colony dismembering a scorpion.

Ants are not the only animal group that is territorial - Dogs, wolves, tigers and a host of other animals are territorial as well. I guess we can safely assume that being territorial is a deep rooted primal quality.

The planet Earth does not belong to anyone - So, everything on the planet belongs to everyone. And yet, the reality is not so. I cannot go and see the Great Barrier Reef or Mount Fuji without taking permission from some people. Does that seem fair? Do these places belong to some people? Why? Is it because they were born in that area? And if you look at Australia, it was a pristine country with a few Aborigines which was taken over by some Europeans quite recently. And now they don't let others come in. Is that fair?

We simply accept these things as they are. We were born in a country and we become citizens of that country. Many of us aggressively support that country, defend it and even die for it. Some of the disillusioned ones leave their country for others. We have seen this all.

We like some countries and we don't like some countries. A majority of Indians and Pakistanis don't like each other, Israel and Palestine, China and a bunch of countries fight for land and water. Many people who were born in that country are told as children that they have to be enemies with the other country because they own part of their territory or intend steal part of what belongs to them.

All this seems perfectly natural to us and we consider it as part of our geopolitical reality.

But do you see how similar religion is to this? People are born into it - and children are raised being taught certain things. They support it aggressively, defend it and some even die for it. And many atheists nuts are no different from religious nuts.

However, the question is - Is it really wrong? Why is it that we feel religious fundamentalism wrong but we find territorial “fundamentalism” natural? So unless we all truly believe that the whole world should be utopic where we believe in Upanishadic quote “Vasudhaiva Kutumbakam” (The world is one family), blaming only religion for problems is silly

Higher Dimensions

Swami Gulagulaananda said:
"That we cannot sense certain things due to a limitation of our body does not imply the absence of what we cannot sense"

I was watching some interesting videos on YouTube the other day, and I stumbled upon String Theory. Matter, as we know, is made up of tiny particles called atoms. Atoms are made up of protons, neutrons and electrons. We learn about this in school And often, we hear about other sub-atomic particles like mesons, bosons etc. It turns out that protons and neutrons themselves are made up of quarks... And quarks are made up, according to String Theory, of extremely tiny particles called Strings.

From what I gathered, everything in eventually made up of tiny strings, and the different behavioural characteristics are due to varying frequencies of the strings. While this theory is still under development, it made me wonder if a string could be the same as the Brahman (https://en.wikipedia.org/wiki/Brahman).

But let us not introduce religion into this. Continuing with his explanation, Brian Greene goes on to explain about higher dimensions, saying that they are working with 11 dimensions - 10 dimensions + time.

Now all of us understand up to three dimensions really well - a line exists in a single dimension, a triangle exists in a plane or two dimensions and a cube in three dimensions. Our world is in three dimensions. But they are talking about dimensions above this which we find impossible to visualise, primarily because of our inability to fit it with things that we see around. When we talk about something with three dimensions, I can understand it because our world is 3D. A 2D diagram on a page is easy to grasp too. But what is a 4D diagram?

A 2D triangle has each side made up of a line which is 1D. A cube is a 3D diagram which has each face made up of squares which are 2D. Therefore, should a 4D diagram have each face that should be made up of 3D diagrams? We cannot imagine it...

Our eyes have rods and cones to detect the intensity and colour of objects around us. The world looks vibrant with colours. But other animals such as dogs and bulls don’t perceive the world in the same way as we do. They lack certain the colour detecting capabilities that we take for granted. So the same object is seen differently by them - perhaps less vibrant and more dull and boring.

But remember, they are looking at the same objects as we are. The same objects are seen differently by them - less colourful. Butterflies on the other hand can sense light in the ultraviolet range of the spectrum which is completely invisible to us. This means that the butterfly sees a far more vibrant and iridescent world. The mantis shrimp is remarkable in that way - Compared to the three types of colour receptive cones of humans (five of certain butterflies), the eyes of the mantis shrimp carry 16 types of colour receptive cones. Meaning, it is seeing a different world than you and I.

What if things that we see and feel are not really what they are? What if, we are like the residents of Flatland who live in a two dimensional world? Or like the ant that traversed the mobius strip? What if there are things beyond this and that we are simply unable to perceive them due to some constraints? Are there creatures living in a different dimension like some characters from the Bartimaeus Trilogy? Are THEY “ghosts”? :P

That we cannot sense certain things due to a limitation of our body does not imply the absence of what we cannot sense

Interesting Content
Watch Visualising Eleven Dimensions

Wednesday, 23 December 2015

Of traffic, teams and companies

Swami Gulagulaananda said:
"The grand unification theory is nought but analogies connecting seemingly unrelated things"

When you drive through Bangalore traffic, more often than not, you are not driving... You are probably waiting at traffic junctions or trying to wiggle through evanescent worm holes.

The strange fact about driving is that it becomes automatic after some time - You don't even pay attention while changing gears or switching between the accelerator and the brake. And since that frees up your mind, it tends to wander into the realm of contemplation...

As I watched vehicles around me, I drew some parallels that I wanted to list out in this post.

1) Among motorbikes, cars and buses, bikes are the fastest when it comes to rate of picking up speed or accelerating while buses are the slowest. However, once all vehicles start accelerating, bikes soon get left behind as cars and buses zoom past them. Companies are also of these types small caps (start-ups), mid caps and large caps. While start-ups can grow very quickly, larger companies with their higher muscle power - both in terms of finance and man-power can quickly outpace smaller companies

2) Bikes cannot sustain long distance like cars and buses. While on a long distance drive, riding a motorcycle is least comfortable of the three and can make you sore. The fuel capacity also is quite limited and needs constant refuelling to reach your destination. Cars and buses are much more comfortable and needs lesser refuelling. Companies are also similar in terms of funding.

3) Bikes are more agile, then comes cars and finally buses. This is something that you have definitely noticed in traffic. You can quickly manoeuvre a bike and ride through that narrow space between a car and a bus. Cars are much less easy to manoeuvre while buses simply cannot move. Companies are also similar with start-ups being significantly more agile with less bureaucracy and fewer meetings before decisions are arrived at and plans are put into action. Large companies are behemoths that take forever to make even the smallest change in course.

4) Bikes are more unstable and can severely injure the rider in an accident when compared to cars and buses. Start-ups can vanish overnight unlike larger companies

5) When a bike goes down, very few people die unlike in cars and buses. Just like how many people lose their jobs when larger companies go down unlike start-ups.

6) If a bus crashes into a bike...

7) There are bike clubs. I have not heard of bus clubs... There are also biker chicks ;-)

8) Riding bikes are definitely more thrilling than a bus ride. Enough said.




Friday, 13 November 2015

Knight's Tour

Swami Gulagulaananda said:
"The dark knight can never be blocked... nor can the white knight"

The Knight's Tour is a mathematical puzzle which I had played on a Windows Phone game called Doors. I didn't know it was called Knight's Tour till I watched this Numberphile video. I had some time to spare and wrote a simple version of it that you can test out below.

The objective of the game is to make sure that every square of the board has been occupied by your knight once. Click on any valid square to make your move

Programmers: Do you think you can write a program to find solutions?


Knight's Tour

Move the knight and cover every single square without repeating a square