On 2015-06-30, Steven D'Aprano <st...@pearwood.info> wrote:

> I don't think there has been much research into keeping at least *some*
> security even when keys have been compromised, apart from as it relates to
> two-factor authentication.

That's because "the key" is all the secret part. If an attacker knows the algorithm, and the key, and the ciphertext, then *by definition* all is lost. If you mean keeping the algorithm secret too then that's just considered bad crypto.

> In the past, and still today among people who don't understand Kerckhoffs'
> principle, people have tried to keep the cipher secret and not have a key
> at all. E.g. atbash, or caesar cipher, which once upon a time were cutting
> edge ciphers, as laughably insecure as they are today. If the method was
> compromised, all was lost.

Caesar cipher has a key. It's just very small, so is easy to guess.

> Today, if the key is compromised, all is lost. Is it possible that there are
> ciphers that are resistant to discovery of the key? Obviously if you know
> the key you can read encrypted messages, that's what the key is for, but
> there are scenarios where you would want security to degrade gracefully
> instead of in a brittle all-or-nothing manner:
>
> - even if the attacker can read my messages, he cannot tamper with
> them or write new ones as me.

I suppose that could be achieved by having separate encryption and signing keys, but you could do the same but better by encrypting with multiple algorithms. It's not an unstudied area: https://en.wikipedia.org/wiki/Multiple_encryption

-- 
https://mail.python.org/mailman/listinfo/python-list
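The "separate encryption and signing keys" idea from the reply above, as an added example that is not part of the thread: encrypt-then-MAC with two independent keys, so that losing the encryption key costs confidentiality but not integrity, compared with a single shared key where losing it costs both. The HMAC-SHA256 counter-mode keystream is a constructed stand-in for a real stream cipher (it only exists so the example runs with the standard library), and the keys and messages are constructed values.

```python
import hmac
import hashlib
import os

NONCE_LEN, TAG_LEN = 16, 32
# Constructed demo keys: two independent keys versus one key used for both jobs.
ENC_KEY, MAC_KEY = bytes(range(32)), bytes(range(32, 64))
SHARED_KEY = bytes(range(64, 96))

def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, key))

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in stream cipher: HMAC-SHA256 in counter mode (illustration only).
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def _tag(mac_key: bytes, nonce: bytes, ct: bytes) -> bytes:
    return hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: the tag covers nonce and ciphertext under a separate key.
    nonce = os.urandom(NONCE_LEN)
    ct = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    return nonce + ct + _tag(mac_key, nonce, ct)

def open_(enc_key: bytes, mac_key: bytes, msg: bytes):
    # Receiver side: reject on a bad tag (None), decrypt only after it verifies.
    nonce, ct, tag = msg[:NONCE_LEN], msg[NONCE_LEN:-TAG_LEN], msg[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(mac_key, nonce, ct)):
        return None
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))

def read_with_enc_key(enc_key: bytes, msg: bytes) -> bytes:
    # With the encryption key alone the message is readable: confidentiality is gone.
    nonce, ct = msg[:NONCE_LEN], msg[NONCE_LEN:-TAG_LEN]
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))

def tamper(enc_key: bytes, msg: bytes, new_plaintext: bytes, mac_key=None) -> bytes:
    # Replace the body under the same nonce. Without mac_key the only option is
    # to keep the old tag, which no longer matches the new ciphertext.
    nonce, old_tag = msg[:NONCE_LEN], msg[-TAG_LEN:]
    ct = _xor(new_plaintext, _keystream(enc_key, nonce, len(new_plaintext)))
    return nonce + ct + (_tag(mac_key, nonce, ct) if mac_key else old_tag)

def demo() -> dict:
    msg = seal(ENC_KEY, MAC_KEY, b"pay alice 10")
    msg1 = seal(SHARED_KEY, SHARED_KEY, b"pay alice 10")
    return {"readable": read_with_enc_key(ENC_KEY, msg),
            "forgery_rejected": open_(ENC_KEY, MAC_KEY, tamper(ENC_KEY, msg, b"pay mallory 99")) is None,
            "single_key_forgery_accepted": open_(SHARED_KEY, SHARED_KEY,
                tamper(SHARED_KEY, msg1, b"pay mallory 99", SHARED_KEY))}
```

Multiple encryption with independent keys degrades in the same graceful way for confidentiality: one lost key strips one layer, not the whole cascade.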