• The Embedded Code

Friday, August 26, 2011

Introduction

Passwords and such small bits and pieces of information are generally stored in eeproms in digital systems. While developing such a system the general methodology is that the user is made to enter a predefined length of characters which is encrypted using an algorithm and a key. This encrypted password is then stored into the eeprom or similar memory.

The alternative approach is to use a hash function. The hash function converts the large data into a small datum and this value is called a hash value. Cryptographic hash has certain properties. The ideal cryptographic hash function has four main or significant properties:

• it is easy (but not necessarily quick) to compute the hash value for any given message

• it is infeasible to generate a message that has a given hash

• it is infeasible to modify a message without changing the hash

• it is infeasible to find two different messages with the same hash

A very popular example is the MD5 or Message Digest 5 hash. These are commonly used to verify the integrity of messages and even files.

I personally deal with devices that are used in “less threatening” environments. The users of some of my products don’t have access to such information nor programming knowledge of how to read or write data to an eeprom. So my approach to saving passwords is simpler and less expensive in terms of costs.

Modular Sum

A less popular variant of the checksums is the modular sum. The method is to add all the "words" as unsigned binary numbers, discarding any overflow bits, and append the two's complement of the total as the checksum. To validate a message, the receiver adds all the words in the same manner, including the checksum; if the result is not a word full of zeros, an error must have occurred. This variant too detects any single-bit error, but the probability that a two-bit error will go undetected is a little less than 1/n.

Implementation

The basic method would be to generate the modular sum for the characters and then write the characters along with the modular sum to the eeprom. Since the modular sum methodology is simple it will be easy to hack but a better bet than no checksum since the hacker may simply remove the eeprom and replace it with an eeprom with simple ascii characters all over the memory. The function can be modified with the following suggestions:

1. Add a predefined number to the modular sum, so that the validated checksum is non zero.

2. Have a predefined buffer of characters that can be added for stuffing. E.g. A total of 16 characters may be available. If the entered password length is say 14 then the stuffed characters may be “OK” else if the length is 13 then the stuffed characters may be “why” etc. Hence a lookup table for stuffing words may be generated.

3. Use different memory locations for the characters difficult to implement but more difficult to hack.

My methodology is to use a variation of the above function to create a modular sum and then store the relevant information on the eeprom. The general example is given below in C.

Functions for Generating and checking the Modular Sum

char ModSum(char *ArrayPtr, unsigned char ArraySize){
unsigned char i;
char Sum=0x00;

for (i= 0; i<ArraySize; i++)
Sum = Sum + *(ArrayPtr+i);

return Sum;
}
char GenModSum(char *ArrayPtr, unsigned char ArraySize){
char Sum=0x00;
Sum = ModSum(ArrayPtr, ArraySize -1);

Sum = ~Sum;
Sum = Sum + 1;

*(ArrayPtr+ArraySize-1) = Sum;
return 0;
}
int main(int argc, char *argv[])
{
#define SIZE 5
char a[SIZE], sum, toc;
char *ptr;
ptr = &a;

a = 0xff;
a = 0xff;
a = 0xff;
a = 0xff;
// Generate the Sum
GenModSum(ptr, SIZE);
// Check the modular Sum
if(ModSum(ptr, SIZE)==0)
printf("\nOK\n");
else
printf("\nNot OK\n");

system("PAUSE");
return 0;
}

I tested the above code in Dev C++ as a proof of concept but please feel free to use this code in your project under the terms and conditions of the creative commons license and if it was useful then leave a comment below.