Validation Reference Length


Consider the problem from the point of view of an attacker trying to brute-force the content of one of the Codel Validation References (VRs).

 

If, for example, our VR simply consisted of a single uppercase letter, then you'd only have to try out 26 possibilities before you'd be bound to find a match. That would take even a novice only a few minutes.

 

However, if we make it 2 letters, you'd have to try up to 26 x 26 (= 676) variations before you could guarantee finding a match. That's going to take you a week or two unless you write a small computer program to do it for you, in which case it will be done in a fraction of a second.

 

At 5 letters, your computer program has to make nearly 12 million attempts before a guaranteed match. Actually, it's a little bit easier than that. On average, you'd find a match about halfway through the search, so a mere 6 million hash values will normally have to be created before you match just 5 randomly selected uppercase letters. That will take a good PC about an hour. The world's fastest computers could do it in about a tenth of a second.

 

For every letter we add on, the calculation time will multiply by 26. So at 6 letters, the world's fastest computer could find a match in about 2.6 seconds. 7 letters will take it a little over a minute. 8 takes half an hour. 9 requires 13 hours. 10 needs a little over 2 weeks. 11 has the machine grinding away for a year. 12 characters requires 26 years.

 

Now, you might think we'd feel reasonably secure at this point. It would, after all, be much friendlier to use VRs only 15 characters long (including the 3 check digits).

 

However, to reduce the security risks of valid VRs being stolen from the manufacturer, once the VRs have been printed on labels (or whatever), we discard as much of the VR as we can, leaving only enough to ensure that we still have a unique reference when a consumer contacts us to register their purchase or to query something in relation to the product (dealt with in more detail here).

 

If what we leave behind is only 6 or 7 characters long (which might be enough for the uniqueness requirement), the potential hacker, if he has access to the world's fastest computer and to the half of the VR we've kept, can find a hash match for the whole VR in about a minute.

 

We'd prefer that to be nearer the 26 years. So we actually use no fewer than 20 randomly selected characters, plus their 5 check digits, to create the VRs. We also allow the digits 1 to 9 (so wherever we refer to multiplying by 26 above, make it 35). Thus, when we throw away the last 15 characters (12 random, 3 check digits), the hacker's task is still at least a task requiring a few decades of computing - to find just ONE valid VR.

 

Which is why our VRs are 25 characters long and why we only store the hash values of the VRs on the Authentication Database.
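
The scheme described above, sketched as an added example (not Codel's own code): a 25-character VR is generated, only its first 10 characters and its hash are stored, and the search time for the 12 discarded random characters is estimated at the hash rate the page's own figures imply. The use of SHA-256, the layout of five groups of 4 random characters plus 1 check character, the check-character formula, the dict standing in for the Authentication Database and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ123456789"  # 26 letters + digits 1-9 = 35
GROUPS, BODY = 5, 4   # assumed layout: 5 groups of 4 random chars + 1 check char
KEPT = 10             # characters retained after the last 15 are discarded

def check_char(body):
    # Stand-in check character (assumption): position-weighted sum mod 35.
    total = sum((i + 1) * ALPHABET.index(c) for i, c in enumerate(body))
    return ALPHABET[total % len(ALPHABET)]

def new_vr():
    # 20 characters from a CSPRNG plus 5 derived check characters = 25.
    bodies = ["".join(secrets.choice(ALPHABET) for _ in range(BODY))
              for _ in range(GROUPS)]
    return "".join(b + check_char(b) for b in bodies)

def digest(vr):
    return hashlib.sha256(vr.encode()).hexdigest()  # hash choice is assumed

def enroll(vr, db):
    # The database holds the retained prefix and the hash, never the full VR.
    db[vr[:KEPT]] = digest(vr)
    return vr[:KEPT]

def verify(vr, db):
    # Look up by retained prefix, then compare hashes in constant time.
    stored = db.get(vr[:KEPT])
    return stored is not None and hmac.compare_digest(stored, digest(vr))

def years_to_search(alphabet_size, unknown_random, hashes_per_sec):
    # Average case: half the keyspace. Check characters are derived from the
    # random ones, so only the discarded random characters count.
    seconds = alphabet_size ** unknown_random / 2 / hashes_per_sec
    return seconds / (365.25 * 24 * 3600)

# Rate implied by the page: half of 26**5 hashes in about a tenth of a second.
PAGE_RATE = 26 ** 5 / 2 / 0.1

if __name__ == "__main__":
    db = {}
    vr = new_vr()
    print("kept:", enroll(vr, db), "valid:", verify(vr, db))
    print("26 symbols, 12 unknown: %.0f years" % years_to_search(26, 12, PAGE_RATE))
    print("35 symbols, 12 unknown: %.0f years" % years_to_search(35, 12, PAGE_RATE))
```

With 26 symbols the estimate reproduces the page's figure of roughly 26 years for 12 unknown characters; with the 35-symbol alphabet the same 12 characters take far longer.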