On Wed, Jul 31, 2013 at 12:08:32PM -0500, Karl Fogel wrote:

> interests of code simplicity, I didn't implement that, as I didn't see a
> practical attack here. I still don't, but am definitely open to being
> corrected about that! It's just hard for me to see an attack that
> doesn't rely on having the plaintext already :-).
It's much worse than you seem to realize. Your implementation is completely vulnerable to a known plaintext attack.

If the plaintext is known, the attacker can substitute an arbitrary alternative plaintext of their choosing, as long as the substitute is shorter than the victim message.

If a prefix of the plaintext is known, the attacker can certainly modify the prefix, and can almost certainly push the decompression engine into a null state to throw away the following data or cause it to display as garbage.

"Hi Andy, How is your day going? ... long message about legal stuff"

"Hi Karl, your message about the drugs came through ok, but there was some odd garbage at the end... huh, must be nothing."

If a non-prefix subset of the plaintext is known, with a good guess as to its position, I am pretty sure the attacker can replace that portion of the plaintext.

Since an OTP depends critically on never using the same pad to encrypt multiple plaintexts, it conversely also depends on the same pad only decrypting a single ciphertext. If a onetime implementation implements a decryption oracle, an attacker can almost certainly leverage multiple decryption attempts with timing or error discrimination to break the pad entirely. Cf. problem 12 in the Matasano crypto challenges.

> Please don't worry if I don't respond for several weeks. I'll be on
> vacation with no Internet, starting tonight.

No worries, have a good vacation, and thank you very much for having the courage and fortitude to publish onetime! I think the current implementation is deeply flawed, but I'm extremely pleased that we have an implementation to argue about. :)

"code talks, BS walks."

-andy

--
Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at [email protected] or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
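The known-prefix substitution Andy describes, and the check that stops it, as an added example that is not part of the thread or of the onetime program: a plain XOR pad is malleable byte for byte, so XORing (known plaintext XOR replacement) into the ciphertext makes the recipient decrypt the replacement; appending a MAC over the ciphertext (encrypt-then-MAC) lets the recipient reject the altered message before decrypting it. The pad, the MAC key, the HMAC-SHA256 choice and the sample message are constructed for the example; HMAC gives only computational (not information-theoretic) authenticity, and a real pad must be truly random and never reused.

```python
import hashlib
import hmac

# Constructed sample values for this example only: a real pad must be truly
# random and never reused, and the MAC key would normally be cut from the pad.
PAD = hashlib.sha512(b"constructed example pad, not random").digest()  # 64 bytes
MAC_KEY = hashlib.sha256(b"constructed example mac key").digest()      # 32 bytes
TAG_LEN = 32

def otp_xor(data: bytes, pad: bytes) -> bytes:
    """One-time pad: XOR with the pad. The same call encrypts and decrypts."""
    if len(pad) < len(data):
        raise ValueError("pad shorter than data")
    return bytes(d ^ p for d, p in zip(data, pad))

def substitute_known_prefix(ciphertext: bytes, known_prefix: bytes,
                            replacement: bytes) -> bytes:
    """The malleability described in the message: anyone who knows a prefix of
    the plaintext XORs (known XOR replacement) into the ciphertext, and the
    pad holder then decrypts the replacement. The pad is never learned and
    the bytes after the prefix are left untouched."""
    if len(replacement) > len(known_prefix):
        raise ValueError("replacement must fit inside the known prefix")
    n = len(replacement)
    delta = otp_xor(known_prefix[:n], replacement)
    return otp_xor(ciphertext[:n], delta) + ciphertext[n:]

def seal(plaintext: bytes, pad: bytes, mac_key: bytes) -> bytes:
    """Encrypt, then append an HMAC over the ciphertext (encrypt-then-MAC)."""
    ct = otp_xor(plaintext, pad)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def open_sealed(blob: bytes, pad: bytes, mac_key: bytes):
    """Verify the tag before touching the pad; return None if the ciphertext
    was altered, so a tampered message is rejected, not decrypted."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return otp_xor(ct, pad)

if __name__ == "__main__":
    msg = b"Hi Andy, How is your day going?"
    ct = otp_xor(msg, PAD)
    forged = substitute_known_prefix(ct, b"Hi Andy,", b"Hi Karl,")
    print(otp_xor(forged, PAD))                 # b'Hi Karl, How is your day going?'
    sealed = seal(msg, PAD, MAC_KEY)
    tampered = substitute_known_prefix(sealed, b"Hi Andy,", b"Hi Karl,")
    print(open_sealed(tampered, PAD, MAC_KEY))  # None: the tag no longer matches
```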
