Re: [cryptography] Unbreakable crypto?
Warning Sign #6: One-time pads.

These days we can buy 128GB pendrives (i.e. very long pads) for $35. This simple approach seems viable to me: https://www.codeandsec.com/Poor-Mans-Unbreakable-Encrypted-TCP-Tunnel

Regards,
q

On Fri, Mar 20, 2015 at 10:42 AM, Michael Kjörling mich...@kjorling.se wrote:

> On 19 Mar 2015 16:10 -0400, from kevinsisco61...@gmail.com (Kevin):
>
>> On 3/19/2015 4:00 PM, Ben Lincoln (F70C92E3 - Cryptography ML) wrote:
>>
>>> There's no demo version available, but based on the screenshots and the information on the site, it looks like it's using a one-time pad generated using a PRNG or other sequence-generator seeded with a key generated by the application, and it's the key that's exchanged.
>>
>> I assume it uses your hardware to generate the random value.
>
> It doesn't matter how the PRNG works. If it's seeded by a key, and the pad is regenerable given the key (which it sounds like given the description), then it's not an OTP, and you get _at the very best_ 2^k bits security (where k is the number of entropy bits in the key) rather than a proper OTP's 2^n bits security (where n is the length of the message, in bits).
>
> The reason why an OTP is provably secure in theory (in the confidentiality sense of secure) is that the key _is_ as long as the message and completely random; thus you cannot tell whether a key you just tried is valid without already knowing the plaintext message, in which case there really is no point to the exercise to begin with.
>
> Combining a seeded PRNG with a simple operation on the PRNG output and the plaintext or ciphertext is how stream ciphers work.
>
> Now, something like a decent KDF feeding a key into AES running in counter mode to generate a ciphertext stream which is then used as a key for encryption in a stream cipher-like construct is _probably reasonably_ (_very heavy_ emphasis on probably) secure, and not too dissimilar from what is hypothesized above.
>
> But at that point, you might just as well use the fairly well-proven AES directly; it will be marginally faster given identical hardware and otherwise identical software (since you avoid your extra algorithm, and AES is often hardware-accelerated on modern CPUs) and it will be at least equally secure (because the security of the ciphertext in the combined scheme will be totally dependent on the security of the stronger algorithm pass anyway -- see Kerckhoffs' principle -- and most people are unlikely to come up with something that is _more_ secure than AES against any type of attack, much less all types of attacks).
>
> And it absolutely is _not_ a one-time pad.
>
> -- 
> Michael Kjörling • https://michael.kjorling.se • mich...@kjorling.se
> OpenPGP B501AC6429EF4514 https://michael.kjorling.se/public-keys/pgp
> “People who think they know everything really annoy those of us who know we don’t.” (Bjarne Stroustrup)

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Unbreakable crypto?
none of the clients they advertise actually exist ...

On Thu, Mar 19, 2015 at 8:33 PM, Kevin kevinsisco61...@gmail.com wrote:

> This software uses the one-time pad. Have any of you seen this?
> http://www.unbreakable-crypto.com
>
> ---
> This email is free from viruses and malware because avast! Antivirus protection is active. http://www.avast.com

-- 
Wim Remes
Security Aficionado
Re: [cryptography] Unbreakable crypto?
On 20 Mar 2015 15:11 -0400, from kevinsisco61...@gmail.com (Kevin):

> I was tempted by the promise of software to run a one-time pad on my machine. I am a fool and I fall upon my own sword.

An unauthenticated one-time pad is trivial to implement; it's literally a few lines of code in any reasonably modern language, and a handful of lines of code in less modern ones. The hard part, as has been pointed out in this thread, is to generate and handle the _pad_.

-- 
Michael Kjörling • https://michael.kjorling.se • mich...@kjorling.se
OpenPGP B501AC6429EF4514 https://michael.kjorling.se/public-keys/pgp
“People who think they know everything really annoy those of us who know we don’t.” (Bjarne Stroustrup)
Re: [cryptography] Unbreakable crypto?
On Fri, 20 Mar 2015, stef wrote:

>> Or a reasonably clever and trolling satire on snakeoil products. :)
>
> the less optimistic alternative is this being a well-crafted water-holing site targeted at the members of this mailing-list.

But wouldn't the members of this list be smart enough to not get taken in? Wouldn't they?

I like the idea of it being a troll; it certainly explains a lot.

-- 
Dave Horsfall DTM (VK2KFU)
Those who don't understand security will suffer.
http://www.horsfall.org/spam.html (and check the home page whilst you're there)
Re: [cryptography] Unbreakable crypto?
On Fri, Mar 20, 2015 at 06:12:31PM +, Dave Howe wrote:

> Or a reasonably clever and trolling satire on snakeoil products. :)

the less optimistic alternative is this being a well-crafted water-holing site targeted at the members of this mailing-list.

-- 
otr fp: https://www.ctrlc.hu/~stef/otr.txt
Re: [cryptography] Unbreakable crypto?
On 3/20/2015 2:50 PM, Dave Horsfall wrote:

> On Fri, 20 Mar 2015, stef wrote:
>
>>> Or a reasonably clever and trolling satire on snakeoil products. :)
>>
>> the less optimistic alternative is this being a well-crafted water-holing site targeted at the members of this mailing-list.
>
> But wouldn't the members of this list be smart enough to not get taken in? Wouldn't they?
>
> I like the idea of it being a troll; it certainly explains a lot.

I was tempted by the promise of software to run a one-time pad on my machine. I am a fool and I fall upon my own sword.
Re: [cryptography] Unbreakable crypto?
On 20/03/2015 17:01, Kevin wrote:

> I am trying to contact the company and it is not easy. They don't want people looking into them or the product they offer. I guess it's fraud; I am disillusioned. If you hold real still and listen, you can hear the sound of my bubble bursting.

Or a reasonably clever and trolling satire on snakeoil products. :)
Re: [cryptography] Unbreakable crypto?
On Fri, Mar 20, 2015 at 4:02 AM, Enrique Soriano esori...@lsub.org wrote:

> These days we can buy 128GB pendrives (i.e. very long pads) for $35. This simple approach seems viable to me: https://www.codeandsec.com/Poor-Mans-Unbreakable-Encrypted-TCP-Tunnel

Poorly implemented, one time pads are in fact quite dangerous:

1) Extremely great care must be taken to never reuse any portion of the pad. When reused, the attacker can easily obtain the XOR of the plaintexts encrypted with the reused portion of the pad
2) Without authentication (i.e. a MAC), one time pads are highly malleable

The author of that software doesn't know the difference between a one time pad and a stream cipher. There's no practical reason to prefer a one time pad to a modern stream cipher like ChaCha20, which can be combined with the Poly1305 MAC to create an authenticated encryption scheme that isn't malleable like an unauthenticated one time pad.

-- 
Tony Arcieri
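The two failure modes Tony lists, shown in code. This is an added example, not code from the thread or from the linked tunnel software: a plain XOR pad, a check that reusing the pad hands an observer p1 XOR p2, a check that a flipped ciphertext bit decrypts to a flipped plaintext bit with nothing to notice it, and a tag that refuses tampered ciphertext. The helper names are the example's own, and HMAC-SHA256 stands in for the Poly1305 MAC the message recommends because it is in the Python standard library.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32  # HMAC-SHA256 output length


def xor_bytes(a: bytes, b: bytes) -> bytes:
    # Pad and message must be the same length; a shorter pad would force reuse.
    if len(a) != len(b):
        raise ValueError("pad/message length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def new_pad(n: int) -> bytes:
    # A genuine pad: fresh OS randomness, used exactly once, then discarded.
    return secrets.token_bytes(n)


def reuse_leaks_plaintext_xor(p1: bytes, p2: bytes) -> bool:
    # Failure 1: the same pad covers two messages, so whoever sees both
    # ciphertexts obtains p1 XOR p2 without ever learning the pad.
    pad = new_pad(len(p1))
    c1, c2 = xor_bytes(pad, p1), xor_bytes(pad, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


def flip_goes_unnoticed(p: bytes, index: int, mask: int) -> bool:
    # Failure 2 (malleability): flipping ciphertext bits flips the same
    # plaintext bits, and bare XOR gives the receiver no way to detect it.
    pad = new_pad(len(p))
    c = bytearray(xor_bytes(pad, p))
    c[index] ^= mask
    expected = p[:index] + bytes([p[index] ^ mask]) + p[index + 1:]
    return xor_bytes(pad, bytes(c)) == expected


def seal(mac_key: bytes, pad: bytes, p: bytes) -> bytes:
    # Pad XOR plus a MAC over the ciphertext (encrypt-then-MAC).
    c = xor_bytes(pad, p)
    return c + hmac.new(mac_key, c, hashlib.sha256).digest()


def open_sealed(mac_key: bytes, pad: bytes, sealed: bytes):
    # Verify the tag in constant time before touching the ciphertext;
    # return None rather than a decrypted (possibly modified) message.
    c, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, c, hashlib.sha256).digest(), tag):
        return None
    return xor_bytes(pad, c)
```

The last two functions are the fix for failure 2 only; nothing in a MAC rescues a reused pad, which is why pad bookkeeping, not the XOR, is the hard part.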
Re: [cryptography] Unbreakable crypto?
On 3/20/2015 12:06 PM, Tony Arcieri wrote:

> On Fri, Mar 20, 2015 at 4:02 AM, Enrique Soriano esori...@lsub.org wrote:
>
>> These days we can buy 128GB pendrives (i.e. very long pads) for $35. This simple approach seems viable to me: https://www.codeandsec.com/Poor-Mans-Unbreakable-Encrypted-TCP-Tunnel
>
> Poorly implemented, one time pads are in fact quite dangerous:
>
> 1) Extremely great care must be taken to never reuse any portion of the pad. When reused, the attacker can easily obtain the XOR of the plaintexts encrypted with the reused portion of the pad
> 2) Without authentication (i.e. a MAC), one time pads are highly malleable
>
> The author of that software doesn't know the difference between a one time pad and a stream cipher. There's no practical reason to prefer a one time pad to a modern stream cipher like ChaCha20, which can be combined with the Poly1305 MAC to create an authenticated encryption scheme that isn't malleable like an unauthenticated one time pad.
>
> -- 
> Tony Arcieri

I am trying to contact the company and it is not easy. They don't want people looking into them or the product they offer. I guess it's fraud; I am disillusioned. If you hold real still and listen, you can hear the sound of my bubble bursting.
Re: [cryptography] Unbreakable crypto?
On 2015-03-20, at 1:24 PM, stef s...@ctrlc.hu wrote:

> On Fri, Mar 20, 2015 at 06:12:31PM +, Dave Howe wrote:
>
>> Or a reasonably clever and trolling satire on snakeoil products. :)
>
> the less optimistic alternative is this being a well-crafted water-holing site targeted at the members of this mailing-list.

Szia Stef,

I believe I’ve also seen this raised on sci.crypt, which is spectacularly easy to troll. I really WANT to believe it is a deliberate troll-like thing. But the sad fact of the matter is that a huge number of people who learn a little about the OTP think that they can create unbreakable crypto, and they end up

(1) Using a crappy PRNG.
(2) Seeding/keying their crappy PRNG badly.
(3) Failing to notice/address the malleability of these things.
(4) Reusing the key/pad.

So whether a troll or not, that is the kind of snake oil that people sincerely produce. I like using the OTP as an example of how brittle some schemes are. Doing things “slightly” wrong can lead to dramatic reductions in security.

Cheers,

-j
Re: [cryptography] Unbreakable crypto?
On 19 Mar 2015 16:10 -0400, from kevinsisco61...@gmail.com (Kevin):

> On 3/19/2015 4:00 PM, Ben Lincoln (F70C92E3 - Cryptography ML) wrote:
>
>> There's no demo version available, but based on the screenshots and the information on the site, it looks like it's using a one-time pad generated using a PRNG or other sequence-generator seeded with a key generated by the application, and it's the key that's exchanged.
>
> I assume it uses your hardware to generate the random value.

It doesn't matter how the PRNG works. If it's seeded by a key, and the pad is regenerable given the key (which it sounds like given the description), then it's not an OTP, and you get _at the very best_ 2^k bits security (where k is the number of entropy bits in the key) rather than a proper OTP's 2^n bits security (where n is the length of the message, in bits).

The reason why an OTP is provably secure in theory (in the confidentiality sense of secure) is that the key _is_ as long as the message and completely random; thus you cannot tell whether a key you just tried is valid without already knowing the plaintext message, in which case there really is no point to the exercise to begin with.

Combining a seeded PRNG with a simple operation on the PRNG output and the plaintext or ciphertext is how stream ciphers work.

Now, something like a decent KDF feeding a key into AES running in counter mode to generate a ciphertext stream which is then used as a key for encryption in a stream cipher-like construct is _probably reasonably_ (_very heavy_ emphasis on probably) secure, and not too dissimilar from what is hypothesized above.

But at that point, you might just as well use the fairly well-proven AES directly; it will be marginally faster given identical hardware and otherwise identical software (since you avoid your extra algorithm, and AES is often hardware-accelerated on modern CPUs) and it will be at least equally secure (because the security of the ciphertext in the combined scheme will be totally dependent on the security of the stronger algorithm pass anyway -- see Kerckhoffs' principle -- and most people are unlikely to come up with something that is _more_ secure than AES against any type of attack, much less all types of attacks).

And it absolutely is _not_ a one-time pad.

-- 
Michael Kjörling • https://michael.kjorling.se • mich...@kjorling.se
OpenPGP B501AC6429EF4514 https://michael.kjorling.se/public-keys/pgp
“People who think they know everything really annoy those of us who know we don’t.” (Bjarne Stroustrup)