Re: [cryptography] Underhanded Crypto Contest - All Entries Published
I skimmed a few of those and noticed two submissions for signature issues: RyanCastellucci, and AleksanderEssex. Is it normal for people to find issues with the signing/verification process or is this just coincidence? On Sat, Mar 21, 2015 at 5:44 PM, Adam Caudill a...@adamcaudill.com wrote: FYI - All of the entries received for the Underhanded Crypto Contest have now been published. See here for the list and downloads: https://underhandedcrypto.com/2015/03/21/all-underhanded-crypto-entries/ --Adam Caudill http://adamcaudill.com ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Unbreakable crypto?
On 21 Mar 2015, at 22:24, Lee wrote: On 3/21/15, Jeffrey Goldberg jeff...@goldmark.org wrote: (1) the file isn't secret But the fact that I'm using it as my one-time pad is. Why isn't that good enough? As others have already answered, your key is knowledge of which publicly available file to use as the pad. But for a OTP to have the security that an OTP offers the key must be a long as the message itself. Your key is much shorter. Just as with using a PRNG to generate a pad, you are using a short key to generate/identify a long pad. Your system can be no more secure than the size of your key. (The size of what must be kept secret.) Remember, you aren't keeping the file secret; you are keeping the name of the file secret. So it is a short key. (2) the file isn't random. Right. An ISO file is a bad choice - too many zeros machine code isn't very random. But what about something like an MP3, OGV or some other compressed file? Again, no. If you want the security properties offered by an OTP, the pad/key must be truly random. So if you need a pad that is a million bytes (eight million bits) long, then the particular pad you use must be no more likely than any other string of eight millions bits. I'm sorry to pick on you, but you've illustrated a point I tried to make earlier. The OTP is a simple idea that is remarkably easy for people to misunderstand. It doesn't feel like you're picking on me - I appreciate the feedback :) Great. A point I've been making is that the OTP (and other systems) are brittle. By this I mean that if you don't follow the rules to letter you can end up with a system that is extremely weak. A small variation on the protocol can lead to catastrophic results. Any simulation of a OTP that isn't a OTP itself will not have the security properties of an OTP. And any simulation that is not designed very carefully will end up being far weaker than the actual cryptographic systems we have today. So remember, one of the requirements of a OTP is that the key itself (the stuff that you need to keep secret) must be as long as the message. When I say that the key must be kept secret, I mean the key/pad itself. Not the identity of the key/pad. Another property is that the key/pad must be truly random. Appearing random is not enough. It must truly be random. And yet a third requirement is that the pad never be reused. Break any of those rules, and you not only no longer have a OTP, but you probably have something that is easily broken. There are good crypto systems in use which generate pseudo-random pads from keys that are 128 (or 256) bits in length. But these are – at best – no better than the length of their keys. Cheers, -j smime.p7s Description: S/MIME digital signature ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Unbreakable crypto?
On 21 Mar 2015 21:17 -0700, from sch...@eff.org (Seth David Schoen): *True random pad*: Attacker doesn't know whether pad k₁ is actually more likely than pad k₂, if (c ⊕ k₁) and (c ⊕ k₂) both appear to be equally plausible plaintexts. *Choosing a meaningful file but keeping secret which one you used*: An attacker who tries your file f₁ as the pad notices that both (c ⊕ f₁) and f₁ itself appear meaningful, so it's more likely that f₁ is correct compared to some other f₂ which is not meaningful. This also goes hand in hand with the difference between a true OTP and a stream cipher secured by a key of length less than the length of the message to be encrypted. In that sense, which file was used as the pad? corresponds to what was the encryption key fed into the cipher?. -- Michael Kjörling • https://michael.kjorling.se • mich...@kjorling.se OpenPGP B501AC6429EF4514 https://michael.kjorling.se/public-keys/pgp “People who think they know everything really annoy those of us who know we don’t.” (Bjarne Stroustrup) ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Unbreakable crypto?
agreed. On 3/21/2015 5:18 PM, John Levine wrote: Would a commonly available large binary file make a good one-time pad? Something like ubuntu-14.10-desktop-amd64.iso12 maybe.. Unlkely for two reasons. One is that the point of a one-time pad is that only the sender and recipient are supposed to have a copy. The other is that something like a Linux distribution has extremely obvious regularities, so it wouldn't be hard for a cryptographer to figure out what it was. The way you make a one time pad is to take a source of actual (not pseudo) randomness and record a lot of it in a form that is relatively easy to distribute securely, like a DVD-ROM. R's, John ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Unbreakable crypto?
On 22 Mar 2015 09:36 -0500, from jeff...@goldmark.org (Jeffrey Goldberg): There are good crypto systems in use which generate pseudo-random pads from keys that are 128 (or 256) bits in length. But these are – at best – no better than the length of their keys. Which is, admittedly, _quite good enough_ for almost any _practical_ purpose that an individual is likely to face. Nobody (to within experimental error) is going to successfully brute force your truly-random AES-256 key that was used to protect the 10 MiB archive containing your Evil Overlord Plans for World Domination. But it's a _lot_ easier to keep secret a 32-byte key than a 10 MiB pad, and it is a lot easier to generate 256 truly-random bits than ~80 _million_ truly-random bits. If they want access to the data, they are going to do it differently. Compare https://xkcd.com/538/ -- Michael Kjörling • https://michael.kjorling.se • mich...@kjorling.se OpenPGP B501AC6429EF4514 https://michael.kjorling.se/public-keys/pgp “People who think they know everything really annoy those of us who know we don’t.” (Bjarne Stroustrup) ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Unbreakable crypto?
On 22 Mar 2015 10:50 -0400, from givo...@gmx.com (Givon Zirkind): I was tempted by the promise of software to run a one-time pad on my machine. I am a fool and I fall upon my own sword. An unauthenticated one-time pad is trivial to implement; it's literally a few lines of code in any reasonably modern language, and a handful of lines of code in less modern ones. The hard part, as has been pointed out in this thread, is to generate and handle the _pad_. imho, this is not as difficult as you say. using a time-date stamp as part of your seed. Any pseudo-random number generator is going to, _at best_, be exactly as secure as the entropy of the seed. And the entropy of a date/time-stamp in most contexts is _incredibly_ low; I would expect a few tens of bits at the very most even with a high-precision timestamp. Remember that a timestamp of one second accuracy between about 1902 and 2038 can be expressed as a single 32-bit integer value, so for any semi-reasonable range, we'd be looking at an entropy of 30 bits or less. For something like message was sent between 2011-01-01 and 2017-12-31 (seven full years' range) and one-second precision that's approximately log(7×365×86400)/log(2) ≅ 27.7 bits of entropy, assuming no other knowledge on part of the attacker. The point I made Friday still stands: # It doesn't matter how the PRNG works. If it's seeded by a key, and # the pad is regenerable given the key (which it sounds like given the # description), then it's not an OTP, and you get _at the very best_ # 2^k bits security (where k is the number of entropy bits in the key) # rather than a proper OTP's 2^n bits security (where n is the length # of the message, in bits). There is a time and a place for a seedable CSPRNG together with an operation to combine the CSPRNG output with the ciphertext or plaintext. That construct is called a _stream cipher_; it is _not_ called a one-time pad. the real difficulty is in the length of the key. rounding other calculations errors will quickly interfere. but, for up to 500 characters, the length of the avg email, imho, you can produce a non-reusable pad 1. Do you have any data to suggest that the average length of an email, even if we play nice by excluding headers and quoted material, is 500 characters or less? My experience points toward it being significantly higher. 2. How do you propose to get the pad to the recipient? 3. How do you propose the recipient should securely store the pad until it is used? 4. How do you guarantee that no part of the pad is ever reused for a different message? -- Michael Kjörling • https://michael.kjorling.se • mich...@kjorling.se OpenPGP B501AC6429EF4514 https://michael.kjorling.se/public-keys/pgp “People who think they know everything really annoy those of us who know we don’t.” (Bjarne Stroustrup) ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Unbreakable crypto?
If we haven't argued it enough by now, he'll never get it. Either way I would ask people to stop this discussion before I have to unsubscribe from yet another once-useful discussion list. Greg. Phone: +1 619 890 8236 GPG/PGP: 1081A37C 232B EC8F 44C6 C853 D68F E107 E6BF CD2F 1081 A37C ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Unbreakable crypto?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Here's an optimization: * Assume you have a decent One Time Pad generator. * Assume you have a secure pad delivery system. * Assume it is reasonably low-latency and high-volume. Say somewhere between Usenet and the modern Internet. Now then -- instead of sending the pads, send a message. It gets delivered with the same security as the pad, so it has identical security as using the OTP. Even better, you don't have to worry about insecurity of the OTP generator. Jon -BEGIN PGP SIGNATURE- Version: PGP Universal 3.3.0 (Build 9060) Charset: us-ascii wsBVAwUBVQ8kVvD9H+HfsTZWAQglHAgApSI+gBHAzenSwtoE64g+TRb17tEbD3Vq dSjtzFlp+j4k4DqoMTXCzmG0xmvVunZqsKFpxActAA6ztbN5gKX1xnOmFDH/dn8z s5rw8RJNteIxRitTtb8+01yJiR4lzuJuQPcGX+ag6pF1GFOhNWf4sYLDVL0ya61u wXe4Ykz1E+S2zPDmqAnTvJaBgc+wWvTSe2CT+6T7hOfFf0eCn/h21Js+8vFfdhiJ K0aOzJH4aFdNuPGqKN48GKmFOvdnbrfZ0v9Y9zk1tnoM1YszX/HXXTxsOKSr4mzX V3u52AH4viqrR0KbFQ/7aU7pR7lIQtML2fgoWDLQhnr3DJ7Vrn152w== =1PVt -END PGP SIGNATURE- ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Unbreakable crypto?
On 22 Mar 2015, at 9:48, Michael Kjörling wrote: On 22 Mar 2015 09:36 -0500, from jeff...@goldmark.org (Jeffrey Goldberg): There are good crypto systems in use which generate pseudo-random pads from keys that are 128 (or 256) bits in length. But these are – at best – no better than the length of their keys. Which is, admittedly, _quite good enough_ for almost any _practical_ purpose that an individual is likely to face. Oh, absolutely. I am perfectly happy with 128 bit keys. Indeed, I'm very much on record in defending 128 bit keys in the face of customer demand for 256 bits. https://blog.agilebits.com/2013/03/09/guess-why-were-moving-to-256-bit-aes-keys/ I was just to distinguish between perfect secrecy and everything else (without going into any discussion of asymptotic security). I think that people who first learn about the OTP are infatuated with perfect secrecy, and fail to what is really involved. Although I sympathize with Greg Rose's lament that we are beating a long dead horse, I think that it is worthwhile to try to understand why so many people seem to learn (something) about the OTP and then badly reinvent stream ciphers. And I want to kill off the meme that is popular in some circles that the only unbreakable cipher is the OTP. And so I see it as a teaching moment. Thus if I may repeat what others have said, I too recommend Dan Bonah's on-line Cryptography course to Lee and anyone else who doesn't immediately see why we all so emphatically screamed No to these OTP modifications. Cheers, -j ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Unbreakable crypto?
Right. An ISO file is a bad choice - too many zeros machine code isn't very random. But what about something like an MP3, OGV or some other compressed file? No! The requirements for the Vernam cipher are very simple: - the pad must be random - the pad must not be reused - the pad must be secret (it's the key!) These formats (e.g. mp3) have headers, etc. http://mpgedit.org/mpgedit/mpeg_format/mpeghdr.htm Anyway, the data is not random, so it should not be used as a one-time-pad. Regards. q ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Unbreakable crypto?
whos to say? we're jus trapt on erf together. On Mar 21, 2015 11:37 PM, Seth David Schoen sch...@eff.org wrote: Lee writes: On 3/21/15, Jeffrey Goldberg jeff...@goldmark.org wrote: [Apologies for quoting badly] No! A thousand times no. (1) the file isn't secret But the fact that I'm using it as my one-time pad is. Why isn't that good enough? If an attacker has access to the same web sites and databases that you do, the attacker could just try all of them the files in them. There shouldn't be more than 2⁵⁰ publicly-accessible files out there, right? Or maybe each file in a copy of the Internet Archive, say. One of them is actually going to be that ISO file! There are other conceptual problems that are much worse than this practical problem. The biggest conceptual problem is that, for the one-time pad setting that has been mathematically proven secure, the shortest description of the pad you are using should normally be the pad itself. If there is a shorter description, the attacker first of all has a smaller work factor (set of things to try), but what's really _much much much_ worse conceptually, the attacker has a probability of being able to usefully distinguish one possible decryption as more likely than others. In the ideal one-time pad, there is no basis on which an attacker (even an attacker with completely unbounded resources) can usefully say that one proposed decryption is more likely to be right than another, at least compared to the attacker's prior beliefs about what the plaintext was likely to be. But if there is a meaningfully shorter description of what you used as the pad, then an attacker with vast resources who correctly guesses what that was will know that it's likely to be right, which is a kind of success that the attacker couldn't have achieved with a truly random pad. *True random pad*: Attacker doesn't know whether pad k₁ is actually more likely than pad k₂, if (c ⊕ k₁) and (c ⊕ k₂) both appear to be equally plausible plaintexts. *Choosing a meaningful file but keeping secret which one you used*: An attacker who tries your file f₁ as the pad notices that both (c ⊕ f₁) and f₁ itself appear meaningful, so it's more likely that f₁ is correct compared to some other f₂ which is not meaningful. This is the great thing about the classical one-time pad: the attacker _literally doesn't know when the attack was successful_, a fact which has nothing to do with how powerful the attacker is (how many keys the attacker is able to try guessing). In the classical one-time pad with a true random pad, even an attacker who can try _every single_ pad literally doesn't have any evidence which could reveal which one was right, or which could reveal any new fact or property about the plaintext. Relaxing the randomness assumption, in turn, undermines this conclusion because the attacker can now have some conceivable indication about being on the right track (even if that's merely statistical), which could simply never happen with a true random pad. -- Seth Schoen sch...@eff.org Senior Staff Technologist https://www.eff.org/ Electronic Frontier Foundation https://www.eff.org/join 815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x107 ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography