CODEL: The Key To Digital Certainty

• 2: Home
• 3: News
• 4: People
• 5: Register
  • 5.1: Change Password
  • 5.2: Forgotten Password
• 9: Verify Item
• 10: Compliance
• 11: Applications
  • 11.1: Financial Services
  • 11.2: Webform Authentication
  • 11.3: Government
    • 11.3.1: National Identity Cards
  • 11.4: Legal
    • 11.4.1: Legal Copyright
    • 11.4.2: Anti-Counterfeiting Legal Action
  • 11.5: Software
  • 11.6: Music
  • 11.7: Pharmaceutical
  • 11.8: Supply Chain Visibility
    • 11.8.1: Validation Reference Length
  • 11.9: Anti-Counterfeiting
    • 11.9.1: Ticket Copying
    • 11.9.2: Retail Voucher
    • 11.9.3: VR Tests
  • 11.10: Digital Imaging
• 12: Products
  • 12.1: Codel Bible
  • 12.3: Codel Email
  • 12.4: Codel E-Wills
  • 12.5: Anti-Counterfeit Software
• 13: Partners
  • 13.1: List
  • 13.2: Partner Programme
  • 13.3: Marketing Materials
• 14: Technical
  • 14.1: Security
  • 14.2: Data Storage
  • 14.3: Glossary
  • 14.4: Hash & Hashing
    • 14.4.1: Hash Change
    • 14.4.2: Hash Table
    • 14.4.3: Master Document Hash
    • 14.4.4: Hash Publication in the Financial Times
    • 14.4.5: SHA 256 Hashing Algorithm
  • 14.5: Audit Trail Protection
    • 14.5.1: Local Data Audit Policy
• 16: Contact
• 18: White Papers

Validation Reference Length

Consider the problem if you were an attacker trying to brute force the content of one of the Codel Validation References.

If, for example, our VR simply consisted of a single uppercase letter then you'd only have to try out 26 possibilities before you'd be bound to find a match. That would take, even a novice, only a few minutes.

However, if we make it two letters, you'd have to try up to 26 x 26 (=676) variations before you could guarantee finding a match. That's going to take you a week or two unless you write a small computer program to do it for you, in which case it will be done in a fraction of second.

At five letters, your computer program has to make nearly 12 million attempts before a guaranteed match. Actually, it's a little bit easier than that. On average, you'd find a match about half way through the search, so a mere six million hash values will normally have to be created before you match just five randomly selected uppercase letters. That will take a good PC about an hour. The world's fast computers could do it in about a tenth of a second.

For every letter we add on, the calculation time will multiply by 26. So at six letters, the world's fastest computer could find a match in about 2.6 seconds.

Seven letters will take it a little over a minute. Eight takes half an hour. Nine requires 13 hours.  Ten needs a little over two weeks.  Eleven has the machine grinding away for a year.  Twelve characters requires 26 years ...

Now, you might think we'd feel reasonably secure at this point. It would, after all be much friendlier to use VRs only 15 characters long (including the three check digits).

However, to reduce the security risks of valid VRs being stolen from the manufacturer, once the VRs have been printed on labels (or whatever), we discard as much of the VR as we can, leaving only enough to ensure that we still have a unique reference when a consumer contacts us to register their purchase or to query something in relation to the product (dealt with in more detail here)

If what we leave behind is only six or seven characters long, (which might be enough for the uniqueness requirement), the potential hacker, if he has access to the world's fastest computer, and has access to the half of the VR we've kept, can find a hash match for the whole VR in about a minute.

We'd prefer that to be nearer the 26 years. So we actually use no less than 20 randomly selected characters, plus their five check digits, to create the VRs. We also allow the digits one to nine (so wherever we refer to multiplying by 26 above, make it 35).  Thus, when we throw away the last 15 characters (12 random, three check digits), the hacker's task is still at least a task requiring a few decades of computing - to find just ONE valid VR.

Which is why our VRs are 25 characters long and why we only store the hash values of the VRs on the Authentication Database.

Calculation of Check Digit

Reminder: This is what a valid VR looks like

R36IJ GLVNY IN215 ZRHQZ WL1IA

The check digits at the end of each group of five are calculated using "modulo arithmetic".

Add the ASCII values of the first four characters. Divide the result by 35 (the number of permitted characters) and convert the remainder back into one of the permitted characters.

Repeat that for the 10th character - except that the sum includes the first nine characters, so that the check digit is now confirming the validity not just of the second group of five characters, but the first two groups as well.

Repeat for the 15th, 20th and 25th characters.