Re: [cryptography] Unbreakable crypto?

2015-03-22 Thread Jeffrey Goldberg
On 21 Mar 2015, at 22:24, Lee wrote:

 On 3/21/15, Jeffrey Goldberg jeff...@goldmark.org wrote:

 (1) the file isn't secret

 But the fact that I'm using it as my one-time pad is.  Why isn't that
 good enough?

As others have already answered, your key is knowledge of which
publicly available file to use as the pad. But for a OTP to have
the security that an OTP offers the key must be as long as the message
itself. Your key is much shorter.

Just as with using a PRNG to generate a pad, you are using a short
key to generate/identify a long pad. Your system can be no more
secure than the size of your key. (The size of what must be kept
secret.) Remember, you aren't keeping the file secret; you are keeping
the name of the file secret. So it is a short key.

 (2) the file isn't random.

 Right.  An ISO file is a bad choice - too many zeros & machine code
 isn't very random.  But what about something like an MP3, OGV or some
 other compressed file?

Again, no. If you want the security properties offered by an OTP,
the pad/key must be truly random. So if you need a pad that is
a million bytes (eight million bits) long, then the particular pad
you use must be no more likely than any other string of eight million
bits.

 I'm sorry to pick on you, but you've illustrated a point I tried to make
 earlier. The OTP is a simple idea that is remarkably easy for people to
 misunderstand.

 It doesn't feel like you're picking on me - I appreciate the feedback :)

Great.

A point I've been making is that the OTP (and other systems) are brittle.
By this I mean that if you don't follow the rules to the letter you can end
up with a system that is extremely weak. A small variation on the protocol
can lead to catastrophic results.

Any simulation of an OTP that isn't an OTP itself will not have the security
properties of an OTP. And any simulation that is not designed very carefully
will end up being far weaker than the actual cryptographic systems we have
today.

So remember, one of the requirements of an OTP is that the key itself (the
stuff that you need to keep secret) must be as long as the message. When I
say that the key must be kept secret, I mean the key/pad itself. Not the 
identity of the key/pad.

Another property is that the key/pad must be truly random. Appearing random
is not enough. It must truly be random.

And yet a third requirement is that the pad never be reused.

Break any of those rules, and you not only no longer have an OTP,
but you probably have something that is easily broken.

There are good crypto systems in use which generate pseudo-random
pads from keys that are 128 (or 256) bits in length. But these are
– at best – no better than the length of their keys.

Cheers,

-j

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Unbreakable crypto?

2015-03-22 Thread Michael Kjörling
On 21 Mar 2015 21:17 -0700, from sch...@eff.org (Seth David Schoen):
 *True random pad*: Attacker doesn't know whether pad k₁ is actually more
 likely than pad k₂, if (c ⊕ k₁) and (c ⊕ k₂) both appear to be equally
 plausible plaintexts.
 
 *Choosing a meaningful file but keeping secret which one you used*: An
 attacker who tries your file f₁ as the pad notices that both (c ⊕ f₁)
 and f₁ itself appear meaningful, so it's more likely that f₁ is
 correct compared to some other f₂ which is not meaningful.

This also goes hand in hand with the difference between a true OTP and
a stream cipher secured by a key of length less than the length of the
message to be encrypted. In that sense, "which file was used as the
pad?" corresponds to "what was the encryption key fed into the
cipher?".

-- 
Michael Kjörling • https://michael.kjorling.se • mich...@kjorling.se
OpenPGP B501AC6429EF4514 https://michael.kjorling.se/public-keys/pgp
 “People who think they know everything really annoy
 those of us who know we don’t.” (Bjarne Stroustrup)


Re: [cryptography] Unbreakable crypto?

2015-03-22 Thread Givon Zirkind

agreed.

On 3/21/2015 5:18 PM, John Levine wrote:

Would a commonly available large binary file make a good one-time pad?
Something like ubuntu-14.10-desktop-amd64.iso12 maybe..

Unlikely for two reasons.  One is that the point of a one-time pad is
that only the sender and recipient are supposed to have a copy.  The
other is that something like a Linux distribution has extremely
obvious regularities, so it wouldn't be hard for a cryptographer
to figure out what it was.

The way you make a one time pad is to take a source of actual (not
pseudo) randomness and record a lot of it in a form that is relatively
easy to distribute securely, like a DVD-ROM.

R's,
John


Re: [cryptography] Unbreakable crypto?

2015-03-22 Thread Michael Kjörling
On 22 Mar 2015 09:36 -0500, from jeff...@goldmark.org (Jeffrey Goldberg):
 There are good crypto systems in use which generate pseudo-random
 pads from keys that are 128 (or 256) bits in length. But these are
 – at best – no better than the length of their keys.

Which is, admittedly, _quite good enough_ for almost any _practical_
purpose that an individual is likely to face.

Nobody (to within experimental error) is going to successfully brute
force your truly-random AES-256 key that was used to protect the 10
MiB archive containing your Evil Overlord Plans for World Domination.
But it's a _lot_ easier to keep secret a 32-byte key than a 10 MiB
pad, and it is a lot easier to generate 256 truly-random bits than ~80
_million_ truly-random bits. If they want access to the data, they are
going to do it differently. Compare https://xkcd.com/538/

-- 
Michael Kjörling • https://michael.kjorling.se • mich...@kjorling.se
OpenPGP B501AC6429EF4514 https://michael.kjorling.se/public-keys/pgp
 “People who think they know everything really annoy
 those of us who know we don’t.” (Bjarne Stroustrup)


Re: [cryptography] Unbreakable crypto?

2015-03-22 Thread Michael Kjörling
On 22 Mar 2015 10:50 -0400, from givo...@gmx.com (Givon Zirkind):
 I was tempted by the promise of software to run a one-time pad on my
 machine.  I am a fool and I fall upon my own sword.
 
 An unauthenticated one-time pad is trivial to implement; it's
 literally a few lines of code in any reasonably modern language, and a
 handful of lines of code in less modern ones.
 
 The hard part, as has been pointed out in this thread, is to generate
 and handle the _pad_.
 
 imho, this is not as difficult as you say.  using a time-date stamp
 as part of your seed.

Any pseudo-random number generator is going to, _at best_, be exactly
as secure as the entropy of the seed. And the entropy of a
date/time-stamp in most contexts is _incredibly_ low; I would expect a
few tens of bits at the very most even with a high-precision
timestamp. Remember that a timestamp of one second accuracy between
about 1902 and 2038 can be expressed as a single 32-bit integer value,
so for any semi-reasonable range, we'd be looking at an entropy of 30
bits or less. For something like "message was sent between 2011-01-01
and 2017-12-31" (seven full years' range) and one-second precision
that's approximately log(7×365×86400)/log(2) ≅ 27.7 bits of entropy,
assuming no other knowledge on part of the attacker.

The point I made Friday still stands:

# It doesn't matter how the PRNG works. If it's seeded by a key, and
# the pad is regenerable given the key (which it sounds like given the
# description), then it's not an OTP, and you get _at the very best_
# 2^k bits security (where k is the number of entropy bits in the key)
# rather than a proper OTP's 2^n bits security (where n is the length
# of the message, in bits).

There is a time and a place for a seedable CSPRNG together with an
operation to combine the CSPRNG output with the ciphertext or
plaintext. That construct is called a _stream cipher_; it is _not_
called a one-time pad.


 the real difficulty is in the length of the key.  rounding & other
 calculation errors will quickly interfere.
 but, for up to 500 characters, the length of the avg email, imho,
 you can produce a non-reusable pad

1. Do you have any data to suggest that the average length of an
email, even if we play nice by excluding headers and quoted material,
is 500 characters or less? My experience points toward it being
significantly higher.

2. How do you propose to get the pad to the recipient?

3. How do you propose the recipient should securely store the pad
until it is used?

4. How do you guarantee that no part of the pad is ever reused for a
different message?

-- 
Michael Kjörling • https://michael.kjorling.se • mich...@kjorling.se
OpenPGP B501AC6429EF4514 https://michael.kjorling.se/public-keys/pgp
 “People who think they know everything really annoy
 those of us who know we don’t.” (Bjarne Stroustrup)


Re: [cryptography] Unbreakable crypto?

2015-03-22 Thread Greg Rose
If we haven't argued it enough by now, he'll never get it. Either way I would 
ask people to stop this discussion before I have to unsubscribe from yet 
another once-useful discussion list.

Greg.

Phone:  +1 619 890 8236 
GPG/PGP:  1081A37C  232B EC8F 44C6 C853 D68F  E107 E6BF CD2F 1081 A37C



Re: [cryptography] Unbreakable crypto?

2015-03-22 Thread Jon Callas

Here's an optimization:

* Assume you have a decent One Time Pad generator.

* Assume you have a secure pad delivery system.

* Assume it is reasonably low-latency and high-volume. Say somewhere between 
Usenet and the modern Internet.

Now then -- instead of sending the pads, send a message. It gets delivered with 
the same security as the pad, so it has identical security as using the OTP. 
Even better, you don't have to worry about insecurity of the OTP generator.

Jon




Re: [cryptography] Unbreakable crypto?

2015-03-22 Thread Jeffrey Goldberg

On 22 Mar 2015, at 9:48, Michael Kjörling wrote:

On 22 Mar 2015 09:36 -0500, from jeff...@goldmark.org (Jeffrey 
Goldberg):

There are good crypto systems in use which generate pseudo-random
pads from keys that are 128 (or 256) bits in length. But these are
– at best – no better than the length of their keys.


Which is, admittedly, _quite good enough_ for almost any _practical_
purpose that an individual is likely to face.


Oh, absolutely. I am perfectly happy with 128 bit keys.

Indeed, I'm very much on record in defending 128 bit keys in
the face of customer demand for 256 bits.

 
https://blog.agilebits.com/2013/03/09/guess-why-were-moving-to-256-bit-aes-keys/


I was just trying to distinguish between perfect secrecy and
everything else (without going into any discussion of asymptotic
security). I think that people who first learn about the OTP
are infatuated with perfect secrecy, and fail to see what is really
involved.

Although I sympathize with Greg Rose's lament that we are beating
a long dead horse, I think that it is worthwhile to try to understand
why so many people seem to learn (something) about the OTP and then
badly reinvent stream ciphers. And I want to kill off the meme that
is popular in some circles that the only unbreakable cipher is the
OTP.

And so I see it as a teaching moment. Thus if I may repeat
what others have said, I too recommend Dan Boneh's on-line
Cryptography course to Lee and anyone else who doesn't immediately
see why we all so emphatically screamed "No" to these OTP modifications.

Cheers,

-j


Re: [cryptography] Unbreakable crypto?

2015-03-22 Thread Enrique Soriano


 Right.  An ISO file is a bad choice - too many zeros & machine code
 isn't very random.  But what about something like an MP3, OGV or some
 other compressed file?


No!

The requirements for the Vernam cipher are very simple:

- the pad must be random
- the pad must not be reused
- the pad must be secret (it's the key!)

These formats (e.g. mp3) have headers, etc.

http://mpgedit.org/mpgedit/mpeg_format/mpeghdr.htm

Anyway, the data is not random, so it should not be used as a one-time-pad.

Regards.
q


Re: [cryptography] Unbreakable crypto?

2015-03-22 Thread mtm
whos to say?
we're jus trapt on erf together.
On Mar 21, 2015 11:37 PM, Seth David Schoen sch...@eff.org wrote:

 Lee writes:

  On 3/21/15, Jeffrey Goldberg jeff...@goldmark.org wrote:
   [Apologies for quoting badly]
  
   No!  A thousand times no.
  
   (1) the file isn't secret
 
  But the fact that I'm using it as my one-time pad is.  Why isn't that
  good enough?

 If an attacker has access to the same web sites and databases that you
 do, the attacker could just try all of them & the files in them.  There
 shouldn't be more than 2⁵⁰ publicly-accessible files out there, right?

 Or maybe each file in a copy of the Internet Archive, say.  One of them
 is actually going to be that ISO file!

 There are other conceptual problems that are much worse than this
 practical problem.  The biggest conceptual problem is that, for the
 one-time pad setting that has been mathematically proven secure, the
 shortest description of the pad you are using should normally be the pad
 itself.  If there is a shorter description, the attacker first of all has
 a smaller work factor (set of things to try), but what's really _much much
 much_ worse conceptually, the attacker has a probability of being able
 to usefully distinguish one possible decryption as more likely than others.

 In the ideal one-time pad, there is no basis on which an attacker (even
 an attacker with completely unbounded resources) can usefully say that
 one proposed decryption is more likely to be right than another, at
 least compared to the attacker's prior beliefs about what the plaintext
 was likely to be.  But if there is a meaningfully shorter description of
 what you used as the pad, then an attacker with vast resources who
 correctly guesses what that was will know that it's likely to be right,
 which is a kind of success that the attacker couldn't have achieved with
 a truly random pad.

 *True random pad*: Attacker doesn't know whether pad k₁ is actually more
 likely than pad k₂, if (c ⊕ k₁) and (c ⊕ k₂) both appear to be equally
 plausible plaintexts.

 *Choosing a meaningful file but keeping secret which one you used*: An
 attacker who tries your file f₁ as the pad notices that both (c ⊕ f₁)
 and f₁ itself appear meaningful, so it's more likely that f₁ is
 correct compared to some other f₂ which is not meaningful.


 This is the great thing about the classical one-time pad: the attacker
 _literally doesn't know when the attack was successful_, a fact which
 has nothing to do with how powerful the attacker is (how many keys the
 attacker is able to try guessing).  In the classical one-time pad with
 a true random pad, even an attacker who can try _every single_ pad
 literally doesn't have any evidence which could reveal which one was
 right, or which could reveal any new fact or property about the
 plaintext.  Relaxing the randomness assumption, in turn, undermines this
 conclusion because the attacker can now have some conceivable indication
 about being on the right track (even if that's merely statistical),
 which could simply never happen with a true random pad.

 --
 Seth Schoen  sch...@eff.org
 Senior Staff Technologist   https://www.eff.org/
 Electronic Frontier Foundation  https://www.eff.org/join
 815 Eddy Street, San Francisco, CA  94109   +1 415 436 9333 x107


Re: [cryptography] Unbreakable crypto?

2015-03-21 Thread Dave Horsfall
On Sat, 21 Mar 2015, Lee wrote:

 Would a commonly available large binary file make a good one-time pad? 
 Something like ubuntu-14.10-desktop-amd64.iso12 maybe..

Well, you can't use that one now...

-- 
Dave Horsfall DTM (VK2KFU)   Those who don't understand security will suffer.
http://www.horsfall.org/spam.html (and check the home page whilst you're there)


Re: [cryptography] Unbreakable crypto?

2015-03-21 Thread Lee
On 3/20/15, Michael Kjörling mich...@kjorling.se wrote:
 On 20 Mar 2015 15:11 -0400, from kevinsisco61...@gmail.com (Kevin):
 I was tempted by the promise of software to run a one-time pad on my
 machine.  I am a fool and I fall upon my own sword.

 An unauthenticated one-time pad is trivial to implement; it's
 literally a few lines of code in any reasonably modern language, and a
 handful of lines of code in less modern ones.

 The hard part, as has been pointed out in this thread, is to generate
 and handle the _pad_.

Would a commonly available large binary file make a good one-time pad?
Something like ubuntu-14.10-desktop-amd64.iso12 maybe..

Regards,
Lee


Re: [cryptography] Unbreakable crypto?

2015-03-21 Thread Jeffrey Goldberg
[Apologies for quoting badly]

No!  A thousand times no. 

(1) the file isn't secret
(2) the file isn't random. 

I'm sorry to pick on you, but you've illustrated a point I tried to make 
earlier. The OTP is a simple idea that is remarkably easy for people to 
misunderstand. 



Sent from my iPhone

 On Mar 21, 2015, at 3:13 PM, Lee ler...@gmail.com wrote:
 
 On 3/20/15, Michael Kjörling mich...@kjorling.se wrote:
 On 20 Mar 2015 15:11 -0400, from kevinsisco61...@gmail.com (Kevin):
 I was tempted by the promise of software to run a one-time pad on my
 machine.  I am a fool and I fall upon my own sword.
 
 An unauthenticated one-time pad is trivial to implement; it's
 literally a few lines of code in any reasonably modern language, and a
 handful of lines of code in less modern ones.
 
 The hard part, as has been pointed out in this thread, is to generate
 and handle the _pad_.
 
 Would a commonly available large binary file make a good one-time pad?
 Something like ubuntu-14.10-desktop-amd64.iso12 maybe..
 
 Regards,
 Lee


Re: [cryptography] Unbreakable crypto?

2015-03-21 Thread John Levine
Would a commonly available large binary file make a good one-time pad?
Something like ubuntu-14.10-desktop-amd64.iso12 maybe..

Unlikely for two reasons.  One is that the point of a one-time pad is
that only the sender and recipient are supposed to have a copy.  The
other is that something like a Linux distribution has extremely
obvious regularities, so it wouldn't be hard for a cryptographer
to figure out what it was.

The way you make a one time pad is to take a source of actual (not
pseudo) randomness and record a lot of it in a form that is relatively
easy to distribute securely, like a DVD-ROM.

R's,
John


Re: [cryptography] Unbreakable crypto?

2015-03-21 Thread James A. Donald

On 2015-03-22 10:34, James A. Donald wrote:

On 2015-03-22 06:13, Lee wrote:

Would a commonly available large binary file make a good one-time pad?
Something like ubuntu-14.10-desktop-amd64.iso12 maybe..


I wrote:

Before you asked the question, probably would have made a good one time
pad.

Not any more.


Of course, it was never really a one time pad, merely security by 
obscurity - which is quite good, until it is quite bad.




Re: [cryptography] Unbreakable crypto?

2015-03-21 Thread Lee
On 3/21/15, Jeffrey Goldberg jeff...@goldmark.org wrote:
 [Apologies for quoting badly]

 No!  A thousand times no.

 (1) the file isn't secret

But the fact that I'm using it as my one-time pad is.  Why isn't that
good enough?

 (2) the file isn't random.

Right.  An ISO file is a bad choice - too many zeros & machine code
isn't very random.  But what about something like an MP3, OGV or some
other compressed file?

 I'm sorry to pick on you, but you've illustrated a point I tried to make
 earlier. The OTP is a simple idea that is remarkably easy for people to
 misunderstand.

It doesn't feel like you're picking on me - I appreciate the feedback :)

Best Regards,
Lee



 On Mar 21, 2015, at 3:13 PM, Lee ler...@gmail.com wrote:

 On 3/20/15, Michael Kjörling mich...@kjorling.se wrote:
 On 20 Mar 2015 15:11 -0400, from kevinsisco61...@gmail.com (Kevin):
 I was tempted by the promise of software to run a one-time pad on my
 machine.  I am a fool and I fall upon my own sword.

 An unauthenticated one-time pad is trivial to implement; it's
 literally a few lines of code in any reasonably modern language, and a
 handful of lines of code in less modern ones.

 The hard part, as has been pointed out in this thread, is to generate
 and handle the _pad_.

 Would a commonly available large binary file make a good one-time pad?
 Something like ubuntu-14.10-desktop-amd64.iso12 maybe..

 Regards,
 Lee


Re: [cryptography] Unbreakable crypto?

2015-03-21 Thread Lee
On 3/21/15, James A. Donald jam...@echeque.com wrote:
 On 2015-03-22 10:34, James A. Donald wrote:
 On 2015-03-22 06:13, Lee wrote:
 Would a commonly available large binary file make a good one-time pad?
 Something like ubuntu-14.10-desktop-amd64.iso12 maybe..

 I wrote:
 Before you asked the question, probably would have made a good one time
 pad.

 Not any more.

 Of course, it was never really a one time pad, merely security by
 obscurity - which is quite good, until it is quite bad.

How is a one time pad not security by obscurity?   As soon as the
opponent gets a copy it's game over.

Lee


Re: [cryptography] Unbreakable crypto?

2015-03-21 Thread Aaron Turner
On Sat, Mar 21, 2015 at 8:37 PM, Lee ler...@gmail.com wrote:
 On 3/21/15, James A. Donald jam...@echeque.com wrote:
 On 2015-03-22 10:34, James A. Donald wrote:
 On 2015-03-22 06:13, Lee wrote:
 Would a commonly available large binary file make a good one-time pad?
 Something like ubuntu-14.10-desktop-amd64.iso12 maybe..

 I wrote:
 Before you asked the question, probably would have made a good one time
 pad.

 Not any more.

 Of course, it was never really a one time pad, merely security by
 obscurity - which is quite good, until it is quite bad.

 How is a one time pad not security by obscurity?   As soon as the
 opponent gets a copy it's game over.

So you're looking for a crypto system which is secure against an
attacker having a copy of the key?


Re: [cryptography] Unbreakable crypto?

2015-03-21 Thread Seth David Schoen
Lee writes:

 On 3/21/15, Jeffrey Goldberg jeff...@goldmark.org wrote:
  [Apologies for quoting badly]
 
  No!  A thousand times no.
 
  (1) the file isn't secret
 
 But the fact that I'm using it as my one-time pad is.  Why isn't that
 good enough?

If an attacker has access to the same web sites and databases that you
do, the attacker could just try all of them & the files in them.  There
shouldn't be more than 2⁵⁰ publicly-accessible files out there, right?

Or maybe each file in a copy of the Internet Archive, say.  One of them
is actually going to be that ISO file!

There are other conceptual problems that are much worse than this
practical problem.  The biggest conceptual problem is that, for the
one-time pad setting that has been mathematically proven secure, the
shortest description of the pad you are using should normally be the pad
itself.  If there is a shorter description, the attacker first of all has
a smaller work factor (set of things to try), but what's really _much much
much_ worse conceptually, the attacker has a probability of being able
to usefully distinguish one possible decryption as more likely than others.

In the ideal one-time pad, there is no basis on which an attacker (even
an attacker with completely unbounded resources) can usefully say that
one proposed decryption is more likely to be right than another, at
least compared to the attacker's prior beliefs about what the plaintext
was likely to be.  But if there is a meaningfully shorter description of
what you used as the pad, then an attacker with vast resources who
correctly guesses what that was will know that it's likely to be right,
which is a kind of success that the attacker couldn't have achieved with
a truly random pad.

*True random pad*: Attacker doesn't know whether pad k₁ is actually more
likely than pad k₂, if (c ⊕ k₁) and (c ⊕ k₂) both appear to be equally
plausible plaintexts.

*Choosing a meaningful file but keeping secret which one you used*: An
attacker who tries your file f₁ as the pad notices that both (c ⊕ f₁)
and f₁ itself appear meaningful, so it's more likely that f₁ is
correct compared to some other f₂ which is not meaningful.


This is the great thing about the classical one-time pad: the attacker
_literally doesn't know when the attack was successful_, a fact which
has nothing to do with how powerful the attacker is (how many keys the
attacker is able to try guessing).  In the classical one-time pad with
a true random pad, even an attacker who can try _every single_ pad
literally doesn't have any evidence which could reveal which one was
right, or which could reveal any new fact or property about the
plaintext.  Relaxing the randomness assumption, in turn, undermines this
conclusion because the attacker can now have some conceivable indication
about being on the right track (even if that's merely statistical),
which could simply never happen with a true random pad.

-- 
Seth Schoen  sch...@eff.org
Senior Staff Technologist   https://www.eff.org/
Electronic Frontier Foundation  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109   +1 415 436 9333 x107
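The properties argued in this thread (a uniform pad makes every same-length plaintext equally plausible; a pad taken from a meaningful file gives itself away, as Seth describes; a pad regenerable from a short key is bounded by the key's entropy, as Michael's timestamp estimate shows; and reuse cancels the pad out), worked through in an added example that is not code from any of the posts or from any list member; the messages, the "meaningful file" bytes and the fixed "random" pad are constructed:

```python
"""Added, self-contained illustration of one-time-pad properties.
All sample inputs below are constructed for this example."""
import math
import re


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """The 'few lines of code' unauthenticated OTP: byte-wise XOR with the pad.
    Encryption and decryption are the same operation."""
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the message")
    return bytes(a ^ b for a, b in zip(data, pad))


def pad_for_candidate(ciphertext: bytes, candidate: bytes) -> bytes:
    """Perfect secrecy, constructively: for ANY candidate plaintext m' of the
    right length there is a pad k' = c XOR m' that decrypts c to m'. When the
    real pad is uniform, k' is exactly as probable as the real pad, so the
    ciphertext gives an attacker no reason to prefer one plaintext over another."""
    if len(candidate) != len(ciphertext):
        raise ValueError("candidate plaintext must match ciphertext length")
    return otp_xor(ciphertext, candidate)


def looks_meaningful(data: bytes) -> bool:
    """Deliberately crude plausibility test: every byte is printable ASCII.
    Any test at all is enough to make the point in the next function."""
    return re.fullmatch(rb"[ -~\t\r\n]*", data) is not None


def pad_candidate_is_distinguishable(ciphertext: bytes, candidate_pad: bytes) -> bool:
    """Seth Schoen's point: a pad taken from a meaningful file gives itself
    away, because BOTH the candidate pad and c XOR pad look meaningful.
    A uniform random pad essentially never passes the first test, so the
    attacker gains no evidence even when trying the correct pad."""
    plaintext = otp_xor(ciphertext, candidate_pad)
    return looks_meaningful(candidate_pad) and looks_meaningful(plaintext)


def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Why a pad must never be reused: under the same pad, c1 XOR c2 equals
    m1 XOR m2. The pad cancels out, and the two ciphertexts alone reveal the
    relationship between the two plaintexts."""
    return otp_xor(c1, c2)


def timestamp_seed_entropy_bits(first_second: int, last_second: int) -> float:
    """Michael Kjörling's estimate: a PRNG seeded with a one-second timestamp
    has at most log2(number of possible seconds) bits of entropy."""
    return math.log2(last_second - first_second + 1)


def effective_security_bits(message_bits: int, key_entropy_bits: float) -> float:
    """A pad regenerable from a key is a stream cipher, not an OTP: the
    attacker's work is at best 2^k, never the OTP's 2^n, so min(k, n) bits."""
    return min(float(message_bits), key_entropy_bits)


# Constructed sample data (not from the thread).
M1 = b"ATTACK AT DAWN"
M2 = b"RETREAT TONITE"          # same length as M1: 14 bytes
RANDOM_PAD = bytes([0x8f, 0x03, 0xe2, 0x41, 0x9c, 0x17, 0xff,
                    0x6a, 0x00, 0xb3, 0x5d, 0xc8, 0x2e, 0x71])
FILE_PAD = b"la la la song "    # 14 bytes of a 'meaningful' public file

if __name__ == "__main__":
    c = otp_xor(M1, RANDOM_PAD)
    print("round trip ok:", otp_xor(c, RANDOM_PAD) == M1)
    # Every same-length plaintext has a pad that 'explains' the ciphertext.
    alt_pad = pad_for_candidate(c, M2)
    print("c decrypts to M2 under alt pad:", otp_xor(c, alt_pad) == M2)
    print("random pad distinguishable:", pad_candidate_is_distinguishable(c, RANDOM_PAD))
    cf = otp_xor(M1, FILE_PAD)
    print("file pad distinguishable:", pad_candidate_is_distinguishable(cf, FILE_PAD))
    print("reuse leaks m1^m2:", reuse_leak(c, otp_xor(M2, RANDOM_PAD)) == otp_xor(M1, M2))
    k = timestamp_seed_entropy_bits(0, 7 * 365 * 86400 - 1)
    print("timestamp seed entropy bits: %.1f" % k)
    print("effective bits for a 112-bit message:", effective_security_bits(8 * len(M1), k))
```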


Re: [cryptography] Unbreakable crypto?

2015-03-20 Thread Enrique Soriano
Warning Sign #6: One-time pads.

These days we can buy 128GB pendrives (i.e. very long pads) for $35.

This simple approach seems viable to me:

https://www.codeandsec.com/Poor-Mans-Unbreakable-Encrypted-TCP-Tunnel

Regards,
q

On Fri, Mar 20, 2015 at 10:42 AM, Michael Kjörling mich...@kjorling.se wrote:
 On 19 Mar 2015 16:10 -0400, from kevinsisco61...@gmail.com (Kevin):
 On 3/19/2015 4:00 PM, Ben Lincoln (F70C92E3 - Cryptography ML) wrote:
 There's no demo version available, but based on the screenshots and the
 information on the site, it looks like it's using a one-time pad
 generated using a PRNG or other sequence-generator seeded with a key
 generated by the application, and it's the key that's exchanged.

 I assume it uses your hardware to generate the random value.

 It doesn't matter how the PRNG works. If it's seeded by a key, and the
 pad is regenerable given the key (which it sounds like given the
 description), then it's not an OTP, and you get _at the very best_ 2^k
 bits security (where k is the number of entropy bits in the key)
 rather than a proper OTP's 2^n bits security (where n is the length of
 the message, in bits).

 The reason why an OTP is provably secure in theory (in the
 confidentiality sense of secure) is that the key _is_ as long as the
 message and completely random; thus you cannot tell whether a key you
 just tried is valid without already knowing the plaintext message, in
 which case there really is no point to the exercise to begin with.

 Combining a seeded PRNG with a simple operation on the PRNG output and
 the plaintext or ciphertext is how stream ciphers work.

 Now, something like a decent KDF feeding a key into AES running in
 counter mode to generate a ciphertext stream which is then used as a
 key for encryption in a stream cipher-like construct is _probably
 reasonably_ (_very heavy_ emphasis on probably) secure, and not too
 dissimilar from what is hypothesized above. But at that point, you
 might just as well use the fairly well-proven AES directly; it will be
 marginally faster given identical hardware and otherwise identical
 software (since you avoid your extra algorithm, and AES is often
 hardware-accelerated on modern CPUs) and it will be at least equally
 secure (because the security of the ciphertext in the combined scheme
 will be totally dependent on the security of the stronger algorithm
 pass anyway -- see Kerckhoffs' principle -- and most people are
 unlikely to come up with something that is _more_ secure than AES
 against any type of attack, much less all types of attacks). And it
 absolutely is _not_ a one-time pad.

 --
 Michael Kjörling • https://michael.kjorling.se • mich...@kjorling.se
 OpenPGP B501AC6429EF4514 https://michael.kjorling.se/public-keys/pgp
  “People who think they know everything really annoy
  those of us who know we don’t.” (Bjarne Stroustrup)


Re: [cryptography] Unbreakable crypto?

2015-03-20 Thread Wim Remes
none of the clients they advertise actually exist ...

On Thu, Mar 19, 2015 at 8:33 PM, Kevin kevinsisco61...@gmail.com wrote:

 This software uses the one-time pad.  Have any of you seen this?
 http://www.unbreakable-crypto.com






-- 
Wim Remes
Security Afficionado


Re: [cryptography] Unbreakable crypto?

2015-03-20 Thread Michael Kjörling
On 20 Mar 2015 15:11 -0400, from kevinsisco61...@gmail.com (Kevin):
 I was tempted by the promise of software to run a one-time pad on my
 machine.  I am a fool and I fall upon my own sword.

An unauthenticated one-time pad is trivial to implement; it's
literally a few lines of code in any reasonably modern language, and a
handful of lines of code in less modern ones.

The hard part, as has been pointed out in this thread, is to generate
and handle the _pad_.

-- 
Michael Kjörling • https://michael.kjorling.se • mich...@kjorling.se
OpenPGP B501AC6429EF4514 https://michael.kjorling.se/public-keys/pgp
 “People who think they know everything really annoy
 those of us who know we don’t.” (Bjarne Stroustrup)


Re: [cryptography] Unbreakable crypto?

2015-03-20 Thread Dave Horsfall
On Fri, 20 Mar 2015, stef wrote:

  Or a reasonably clever and trolling satire on snakeoil products. :)
 
 the less optimistic alternative is this being a well-crafted 
 water-holing site targeted at the members of this mailing-list.

But wouldn't the members of this list be smart enough to not get taken in?  
Wouldn't they?

I like the idea of it being a troll; it certainly explains a lot.

-- 
Dave Horsfall DTM (VK2KFU)   Those who don't understand security will suffer.
http://www.horsfall.org/spam.html (and check the home page whilst you're there)


Re: [cryptography] Unbreakable crypto?

2015-03-20 Thread stef
On Fri, Mar 20, 2015 at 06:12:31PM +, Dave Howe wrote:
 Or a reasonably clever and trolling satire on snakeoil products. :)

the less optimistic alternative is this being a well-crafted water-holing site
targeted at the members of this mailing-list.

-- 
otr fp: https://www.ctrlc.hu/~stef/otr.txt


Re: [cryptography] Unbreakable crypto?

2015-03-20 Thread Kevin

On 3/20/2015 2:50 PM, Dave Horsfall wrote:
 On Fri, 20 Mar 2015, stef wrote:
 
   Or a reasonably clever and trolling satire on snakeoil products. :)
  
  the less optimistic alternative is this being a well-crafted
  water-holing site targeted at the members of this mailing-list.
 
 But wouldn't the members of this list be smart enough to not get taken in?
 Wouldn't they?
 
 I like the idea of it being a troll; it certainly explains a lot.

I was tempted by the promise of software to run a one-time pad on my 
machine.  I am a fool and I fall upon my own sword.





Re: [cryptography] Unbreakable crypto?

2015-03-20 Thread Dave Howe
On 20/03/2015 17:01, Kevin wrote:
 I am trying to contact the company and it is not easy.  They don't
 want people looking into them or the product they offer.  I guess it's
 fraud; I am disillusioned.  If you hold real still and listen, you can
 hear the sound of my bubble bursting.

Or a reasonably clever and trolling satire on snakeoil products. :)



Re: [cryptography] Unbreakable crypto?

2015-03-20 Thread Tony Arcieri
On Fri, Mar 20, 2015 at 4:02 AM, Enrique Soriano esori...@lsub.org wrote:

 These days we can buy 128GB pendrives (i.e. very long pads) for $35.

 This simple approach seems viable to me:

 https://www.codeandsec.com/Poor-Mans-Unbreakable-Encrypted-TCP-Tunnel


Poorly implemented, one time pads are in fact quite dangerous:

1) Extremely great care must be taken to never reuse any portion of the
pad. When reused, the attacker can easily obtain the XOR of the plaintexts
encrypted with the reused portion of the pad
2) Without authentication (i.e. a MAC), one time pads are highly malleable

The author of that software doesn't know the difference between a one time
pad and a stream cipher. There's no practical reason to prefer a one time
pad to a modern stream cipher like ChaCha20, which can be combined with the
Poly1305 MAC to create an authenticated encryption scheme that isn't
malleable like an unauthenticated one time pad.

-- 
Tony Arcieri
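Both failure modes above, as an added example (not code from the list or from the tunnel project linked): reusing a pad segment hands an observer m1 XOR m2 with the pad cancelled out, and a bit flip in an unauthenticated OTP ciphertext lands on exactly the same plaintext bit, whereas an encrypt-then-MAC tag (HMAC-SHA256 here, assumed in place of the Poly1305 MAC Tony mentions) rejects the flipped ciphertext. The `PAY $100` messages and the 64-byte pad are constructed for the demonstration.

```python
import hashlib
import hmac
import os

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))

def otp_encrypt(pad: bytes, msg: bytes) -> bytes:
    """Unauthenticated OTP: ciphertext = msg XOR pad. Decryption is the same operation."""
    assert len(pad) >= len(msg), "the pad must be at least as long as the message"
    return xor_bytes(msg, pad[:len(msg)])

def two_time_pad_leak(pad: bytes, m1: bytes, m2: bytes) -> bytes:
    """Point 1: two messages under the SAME pad segment. XORing the ciphertexts
    cancels the pad, so anyone holding both learns m1 XOR m2 without the pad."""
    c1, c2 = otp_encrypt(pad, m1), otp_encrypt(pad, m2)
    return xor_bytes(c1, c2)  # equal to xor_bytes(m1, m2)

def malleate(pad: bytes, msg: bytes, delta: bytes) -> bytes:
    """Point 2: without a MAC, flipping ciphertext bits flips exactly the same
    plaintext bits. Returns what the recipient decrypts after the flip."""
    tampered = xor_bytes(otp_encrypt(pad, msg), delta)
    return otp_encrypt(pad, tampered)  # == msg XOR delta, accepted silently

TAG_LEN = 32  # HMAC-SHA256 output size

def otp_encrypt_then_mac(pad: bytes, mac_key: bytes, msg: bytes) -> bytes:
    """Encrypt-then-MAC with HMAC-SHA256 (assumed here in place of Poly1305).
    Integrity becomes computational rather than unconditional, but flips are detected."""
    c = otp_encrypt(pad, msg)
    return c + hmac.new(mac_key, c, hashlib.sha256).digest()

def otp_verify_then_decrypt(pad: bytes, mac_key: bytes, blob: bytes):
    """Verify the tag in constant time before decrypting; None means tampered."""
    c, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, c, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return otp_encrypt(pad, c)

if __name__ == "__main__":
    pad, mac_key = os.urandom(64), os.urandom(32)  # pad from the OS CSPRNG, used once
    print(malleate(pad, b"PAY $100", bytes([0, 0, 0, 0, 0, 0x08, 0, 0])))  # b'PAY $900'
    blob = otp_encrypt_then_mac(pad, mac_key, b"PAY $100")
    print(otp_verify_then_decrypt(pad, mac_key, blob))  # b'PAY $100'
```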


Re: [cryptography] Unbreakable crypto?

2015-03-20 Thread Kevin

On 3/20/2015 12:06 PM, Tony Arcieri wrote:
 On Fri, Mar 20, 2015 at 4:02 AM, Enrique Soriano esori...@lsub.org wrote:
 
  These days we can buy 128GB pendrives (i.e. very long pads) for $35.
 
  This simple approach seems viable to me:
 
  https://www.codeandsec.com/Poor-Mans-Unbreakable-Encrypted-TCP-Tunnel
 
 Poorly implemented, one time pads are in fact quite dangerous:
 
 1) Extremely great care must be taken to never reuse any portion of
 the pad. When reused, the attacker can easily obtain the XOR of the
 plaintexts encrypted with the reused portion of the pad
 
 2) Without authentication (i.e. a MAC), one time pads are highly malleable
 
 The author of that software doesn't know the difference between a one
 time pad and a stream cipher. There's no practical reason to prefer a
 one time pad to a modern stream cipher like ChaCha20, which can be
 combined with the Poly1305 MAC to create an authenticated encryption
 scheme that isn't malleable like an unauthenticated one time pad.
 
 --
 Tony Arcieri
I am trying to contact the company and it is not easy.  They don't 
want people looking into them or the product they offer.  I guess it's 
fraud; I am disillusioned.  If you hold real still and listen, you can 
hear the sound of my bubble bursting.






Re: [cryptography] Unbreakable crypto?

2015-03-20 Thread Jeffrey Goldberg
On 2015-03-20, at 1:24 PM, stef s...@ctrlc.hu wrote:
 On Fri, Mar 20, 2015 at 06:12:31PM +, Dave Howe wrote:
 Or a reasonably clever and trolling satire on snakeoil products. :)
 
 the less optimistic alternative is this being a well-crafted water-holing site
 targeted at the members of this mailing-list.

Hi Stef,

I believe I’ve also seen this raised on sci.crypt, which is
spectacularly easy to troll.

I really WANT to believe it is a deliberate troll-like thing. But
the sad fact of the matter is that a huge number of people who
learn a little about the OTP think that they can create unbreakable
crypto, and they end up

(1) Using a crappy PRNG.
(2) Seeding/keying their crappy PRNG badly.
(3) Failing to notice/address the malleability of these things.
(4) Reusing the key/pad.

So whether a troll or not, that is the kind of snake oil that people
sincerely produce.

I like using the OTP as an example of how brittle some schemes are. Doing
things “slightly” wrong can lead to dramatic reductions in security.

Cheers,

-j




Re: [cryptography] Unbreakable crypto?

2015-03-20 Thread Michael Kjörling
On 19 Mar 2015 16:10 -0400, from kevinsisco61...@gmail.com (Kevin):
 On 3/19/2015 4:00 PM, Ben Lincoln (F70C92E3 - Cryptography ML) wrote:
 There's no demo version available, but based on the screenshots and the
 information on the site, it looks like it's using a one-time pad
 generated using a PRNG or other sequence-generator seeded with a key
 generated by the application, and it's the key that's exchanged.
 
 I assume it uses your hardware to generate the random value.

It doesn't matter how the PRNG works. If it's seeded by a key, and the
pad is regenerable given the key (which it sounds like given the
description), then it's not an OTP, and you get _at the very best_ 2^k
bits security (where k is the number of entropy bits in the key)
rather than a proper OTP's 2^n bits security (where n is the length of
the message, in bits).

The reason why a OTP is provably secure in theory (in the
confidentiality sense of secure) is that the key _is_ as long as the
message and completely random; thus you cannot tell whether a key you
just tried is valid without already knowing the plaintext message, in
which case there really is no point to the exercise to begin with.

Combining a seeded PRNG with a simple operation on the PRNG output and
the plaintext or ciphertext is how stream ciphers work.

Now, something like a decent KDF feeding a key into AES running in
counter mode to generate a ciphertext stream which is then used as a
key for encryption in a stream cipher-like construct is _probably
reasonably_ (_very heavy_ emphasis on probably) secure, and not too
dissimilar from what is hypothesized above. But at that point, you
might just as well use the fairly well-proven AES directly; it will be
marginally faster given identical hardware and otherwise identical
software (since you avoid your extra algorithm, and AES is often
hardware-accelerated on modern CPUs) and it will be at least equally
secure (because the security of the ciphertext in the combined scheme
will be totally dependent on the security of the stronger algorithm
pass anyway -- see Kerckhoffs' principle -- and most people are
unlikely to come up with something that is _more_ secure than AES
against any type of attack, much less all types of attacks). And it
absolutely is _not_ a one-time pad.

-- 
Michael Kjörling • https://michael.kjorling.se • mich...@kjorling.se
OpenPGP B501AC6429EF4514 https://michael.kjorling.se/public-keys/pgp
 “People who think they know everything really annoy
 those of us who know we don’t.” (Bjarne Stroustrup)
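The 2^k versus 2^n point made above, as an added example not from the list: for a 2-byte ciphertext a real OTP leaves every one of the 2^16 possible plaintexts equally consistent with it, while a pad regenerated from an 8-bit seed leaves at most 2^8 candidates, so the ciphertext alone rules almost everything out. The seed-to-pad construction (`toy_pad_from_seed`, SHA-256 over seed and counter) is a hypothetical stand-in for whatever PRNG the product uses; the plaintext `hi` and seed 200 are constructed.

```python
import hashlib
from itertools import product

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def otp_candidate_plaintexts(ciphertext: bytes) -> set:
    """Real OTP: the pad is n uniformly random bits (n = 8 * len), so every
    n-bit string is an equally plausible plaintext. Enumerates all 2^n of them;
    keep the ciphertext to a couple of bytes, the set grows as 2^n."""
    return {bytes(p) for p in product(range(256), repeat=len(ciphertext))}

def toy_pad_from_seed(seed: int, length: int) -> bytes:
    """Hypothetical 'virtual OTP' (constructed for this example): the pad is
    regenerated from a short seed by hashing (seed, counter). Any deterministic
    PRNG or KDF in its place has the same property: the pad is a function of the seed."""
    out, counter = b"", 0
    while len(out) < length:
        block = seed.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]

def seeded_candidate_plaintexts(ciphertext: bytes, seed_bits: int) -> set:
    """Seeded scheme: only 2^k pads can ever exist (k = seed entropy bits), so
    at most 2^k plaintexts are consistent with a ciphertext of ANY length.
    That is the 2^k bound above, versus 2^n for the real thing."""
    n = len(ciphertext)
    return {xor_bytes(ciphertext, toy_pad_from_seed(s, n)) for s in range(1 << seed_bits)}

if __name__ == "__main__":
    ct = xor_bytes(b"hi", toy_pad_from_seed(200, 2))   # constructed: 2-byte message, 8-bit seed
    print(len(otp_candidate_plaintexts(ct)))           # 65536: every 2-byte plaintext fits
    print(len(seeded_candidate_plaintexts(ct, 8)))     # at most 256: only the seeds' pads fit
```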


Re: [cryptography] Unbreakable crypto?

2015-03-19 Thread Dave Horsfall
On Thu, 19 Mar 2015, Kevin wrote:

 This software uses the one-time pad.  Have any of you seen this?
 http://www.unbreakable-crypto.com

Hilarious; a secure system marketed for fundamentally insecure 
computers...

-- 
Dave Horsfall DTM (VK2KFU)   Those who don't understand security will suffer.
http://www.horsfall.org/spam.html (and check the home page whilst you're there)


[cryptography] Unbreakable crypto?

2015-03-19 Thread Kevin

This software uses the one-time pad.  Have any of you seen this?
http://www.unbreakable-crypto.com




Re: [cryptography] Unbreakable crypto?

2015-03-19 Thread Warren Kumari
https://www.schneier.com/crypto-gram/archives/1999/0215.html
Warning Sign #6: One-time pads.


http://en.wikipedia.org/wiki/Snake_oil_%28cryptography%29

etc etc etc.

On Thu, Mar 19, 2015 at 2:33 PM, Kevin kevinsisco61...@gmail.com wrote:
 This software uses the one-time pad.  Have any of you seen this?
 http://www.unbreakable-crypto.com





-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf


Re: [cryptography] Unbreakable crypto?

2015-03-19 Thread stef
On Thu, Mar 19, 2015 at 03:33:25PM -0400, Kevin wrote:
 This software uses the one-time pad.  Have any of you seen this?
 http://www.unbreakable-crypto.com

i wonder if the eff is aware that they are referenced in the footer.
i'd categorise this as brilliant satire.

-- 
otr fp: https://www.ctrlc.hu/~stef/otr.txt


Re: [cryptography] Unbreakable crypto?

2015-03-19 Thread Ben Lincoln (F70C92E3 - Cryptography ML)
On Thu, March 19, 2015 12:33 pm, Kevin wrote:
 This software uses the one-time pad.  Have any of you seen this?
 http://www.unbreakable-crypto.com

There's no demo version available, but based on the screenshots and the
information on the site, it looks like it's using a one-time pad
generated using a PRNG or other sequence-generator seeded with a key
generated by the application, and it's the key that's exchanged.

They call this a Virtual OTP Cascade, but I believe it would be more
correct to call it a proprietary stream-cipher implementation with a
silly name attached.

I'd also be curious if anyone else has used it so they can verify that it
works this way.



Re: [cryptography] Unbreakable crypto?

2015-03-19 Thread Kevin

On 3/19/2015 4:00 PM, Ben Lincoln (F70C92E3 - Cryptography ML) wrote:
 On Thu, March 19, 2015 12:33 pm, Kevin wrote:
 
  This software uses the one-time pad.  Have any of you seen this?
  http://www.unbreakable-crypto.com
 
 There's no demo version available, but based on the screenshots and the
 information on the site, it looks like it's using a one-time pad
 generated using a PRNG or other sequence-generator seeded with a key
 generated by the application, and it's the key that's exchanged.
 
 They call this a Virtual OTP Cascade, but I believe it would be more
 correct to call it a proprietary stream-cipher implementation with a
 silly name attached.
 
 I'd also be curious if anyone else has used it so they can verify that it
 works this way.


I assume it uses your hardware to generate the random value.

