Let the Devil Wear Black - Memoirs of an analyst

James F. Linden - Writer ...


Resources - Hidden Trapdoor

How to hide a trapdoor password in a program.

Chapter 7

A great deal of Sturges Nother's apparent psychic abilities that manifested themselves in the computer report were focused on the Sale Order Processing System (SOPS). All of that fell apart after the InComp 'factual' computer report was produced, when I was asked by Tod Bexley for the SOPS' password.

So, how did we get there?

When I asked Deryck if I could write the program, I gave him the original specification which included band member and customer records as well as enquiries, actual bookings and invoices. He specified in return that the data in it should be secured by encrypting it.

As well as an encryption algorithm — a piece of code that encrypted or decrypted the data you fed it — that was specific to the program, I also wrote a trapdoor algorithm.

In real life, a 'trapdoor' is something that you fall through but can't get back out of, so in computer terms, a trapdoor algorithm is a bit of program code that you send some data to, such as a password, and what you get back is special in that you cannot use it to work out what was originally sent in. In today's cryptographic vocabulary this is called a one-way function or a cryptographic hash; the phrase 'trapdoor function' now usually means something different, a one-way function that can be reversed by whoever holds a secret, which is the idea behind public-key cryptography. The word is used here in the author's original sense.

One thing that I discovered was that when I ran the algorithms in the programming environment, I got different results from when I ran them in a compiled (completed) program — this was because the programming environment and the compiled program used slightly different bits of pre-assembled programming code from the code library. This gave me an idea.

A 'back-door' is a way of gaining access to a program without having to go in through the front — ie, you could get a particular status by typing in the back-door password at the right time — a bit like a landlord's master key. This is something that programmers do all of the time during development, as it lets them get to the parts of the program that they are editing quickly, thus saving their client some money. A back door that stays in the delivered program is also a master key for anyone else who learns the password, which is why how that password is stored matters.

So, I wrote and compiled a program that took my intended back-door password, put it through my trapdoor algorithm and then printed it on the screen. I then took that program output — a series of letters and numbers called a 'string' — and sliced it up into short pieces, storing it all over the program so that anybody who looked at the code would not see anything that looked like a trapdoor string that they could then stick back together again and perform a brute-force attack on — at the best of times, other people's programs look like spaghetti so it would never have been easy anyway.

A 'brute-force attack' is where you try every combination — a bit like trying to break into somebody's front door by taking along every key that could exist and trying them all out, one-by-one. With a brute-force attack on a recovered trapdoor string, you try out every combination of letters, numbers and everything else, putting them, one at a time, through the trapdoor algorithm and comparing the output string with the one you have recovered — when they are the same, you have cracked the password. How long that takes depends on the length and variety of the password and on how fast the trapdoor algorithm runs: a short password of letters and digits falls to a modern computer in seconds, and an attacker will try a dictionary of common passwords before trying everything. In contrast, a 'cryptographic attack' is like picking the lock — if you know how to pick it, it is quicker.

When the SOPS program ran, it reassembled the trapdoor string. When you typed in your password, it put it through the trapdoor code and if the string matched the back-door string, you got in. In that way, the program never needed to know what the back-door password was because it compared the processed string and not the password string in the clear.

A modern example of a trapdoor algorithm is the MD5 hash. You can make an MD5 hash from the command line — either by typing in text or by getting it to read a file. MD5 is fine for showing what a one-way function does, but it is no longer recommended for anything security-sensitive: collisions (two different inputs with the same hash) have been practical since 2004, and because it is fast an attacker can try enormous numbers of guesses per second. Passwords today are stored with a salted, deliberately slow hash such as bcrypt, scrypt or Argon2.

Here we have a file called z.txt which contains the text 'hello world' followed by a newline (cat shows the line ending; md5sum hashes that newline byte along with the rest of the file, so hashing the bare text 'hello world' gives a different result):

>cat z.txt
hello world
>md5sum z.txt
6f5902ac237024bdd0c176cb93063dc4  z.txt

So, you can see that the trapdoor output string has a fixed length (MD5 always gives 32 hexadecimal digits, whatever the size of the input) and bears no visible relation to the text. You cannot run the algorithm backwards to get the text from the string, so trying to do that is a waste of time; what an attacker can do is guess inputs and hash each one, and an input as short and common as 'hello world' would be guessed almost at once, which is why the password behind a trapdoor string needs to be long and unguessable. You can take such a string and cut it up so that you might have 'bdd0' somewhere and '63d' somewhere else and so on, re-assembling it when you need it.
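The scheme described above (hash the back-door password once, scatter the digest through the program, reassemble and compare at run time, and the brute-force attack on a recovered string), worked through as an added example. This is not the SOPS code or anything from the book: the back-door password 'abc' is a constructed choice whose MD5 digest is the RFC 1321 test vector, the dictionary keys standing in for literals scattered through a program are invented, and MD5 is used only because it is the page's own example of a trapdoor algorithm.

```python
"""Hidden trapdoor back door, as the page describes it: hash the back-door
password once, scatter the digest through the program as short literals,
reassemble it at run time and compare hash with hash.  Added example, not
the SOPS code; MD5 is used because it is the page's own example."""
import hashlib
import hmac
import itertools
import string
from typing import List, Optional


def trapdoor(text: str) -> str:
    """The page's 'trapdoor algorithm': a one-way hash, here MD5 (32 hex digits)."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def make_pieces(password: str, piece_len: int = 4) -> List[str]:
    """Offline step (the author's first program): hash the back-door password
    and cut the digest into short pieces to be pasted into the source."""
    digest = trapdoor(password)
    return [digest[i:i + piece_len] for i in range(0, len(digest), piece_len)]


# Constructed: md5("abc") is the RFC 1321 test vector
# 900150983cd24fb0d6963f7d28e17f72, cut into 4-character pieces.  In a real
# program each literal would sit in an unrelated part of the code; a dict with
# innocuous-looking (invented) keys and a separate order tuple stands in for
# that here.
_SCATTERED = {
    "rate": "9001", "crc": "7f72", "k7": "3cd2", "hdr": "28e1",
    "eol": "5098", "cfg": "3f7d", "ver": "4fb0", "tmp": "d696",
}
_ORDER = ("rate", "eol", "k7", "ver", "tmp", "cfg", "hdr", "crc")


def reassemble() -> str:
    """Run-time step: put the pieces back together in the right order."""
    return "".join(_SCATTERED[key] for key in _ORDER)


def check_password(entered: str) -> bool:
    """Run-time check: hash what was typed and compare digest with digest.
    The password itself never appears in the program.  compare_digest keeps
    the comparison constant-time so mismatches leak nothing through timing."""
    return hmac.compare_digest(trapdoor(entered), reassemble())


def brute_force(digest: str, alphabet: str = string.ascii_lowercase,
                max_len: int = 3) -> Optional[str]:
    """The brute-force attack the page describes, run against a recovered
    trapdoor string: every candidate goes through the trapdoor until the
    output matches.  26 + 26**2 + 26**3 = 18,278 tries for this alphabet."""
    for length in range(1, max_len + 1):
        for candidate in itertools.product(alphabet, repeat=length):
            guess = "".join(candidate)
            if trapdoor(guess) == digest:
                return guess
    return None


# The page's md5sum example: the file holds 'hello world' plus the newline
# that cat displays, and md5sum hashes that newline too.
PAGE_DIGEST = "6f5902ac237024bdd0c176cb93063dc4"


def newline_matters() -> bool:
    """True when the page's digest is reproduced only with the newline."""
    return (trapdoor("hello world\n") == PAGE_DIGEST
            and trapdoor("hello world") != PAGE_DIGEST)


if __name__ == "__main__":
    print("pieces for the source:", make_pieces("abc"))
    print("reassembled:", reassemble())
    print("check 'abc':", check_password("abc"), " check 'abd':", check_password("abd"))
    print("brute force recovers:", brute_force(reassemble()))
    print("trailing newline matters:", newline_matters())
```

Two things the code makes visible that the prose does not. First, scattering the digest only hides it from someone reading the source; once the pieces are found and reassembled, the three-letter password falls to the brute-force loop in a fraction of a second, so the real strength of the scheme lies in the password being long and unguessable. Second, the newline check shows why a hash computed over a file and a hash computed over typed text can disagree by a single invisible byte, a frequent source of confusion when comparing md5sum output with a program's own result.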

So, it is fairly easy to do and it made a fool out of Roland Bosworth and more, much more, as you read on...


Copyright © 2012-2014 James F Linden. All Rights Reserved.