Re: thoughts on one time pads
John Denker wrote:
> One drawback with this is that you have to destroy a whole
> disk at a time. That's a problem, because if you have a
> whole disk full of daily keys, you want to destroy each
> day's key as soon as you are through using it. There
> are ways around this, such as reading the disk into volatile
> RAM and then grinding the disk ... then you just have to make
> sure the RAM is neither more volatile nor less volatile than
> you wanted it to be. That is, you use the disk for *distribution*
> but not necessarily for intermediate-term storage.

is there any more reason to destroy a daily key after it has been used than before it has been used?

one of the attacks on the stored-value gift cards has been to skim the cards in the racks (before they've been activated) ... and check back later to see which cards are gone.

i was standing at grocery store checkout last week ... apparently it was the store manager ... one of the other employees came up with a gift card that somebody had bought before xmas and gave as a present. they had come back complaining that there was no money credited to the account. it could have simply been a computer foul-up ... and then again, it could have been somebody had skimmed the card, waited and then drained the account.

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: thoughts on one time pads
On Thu, 26 Jan 2006, Adam Fields wrote:
> On Thu, Jan 26, 2006 at 06:09:52PM -0800, bear wrote:
> [...]
>> Of course, the obvious application for this OTP material,
>> other than text messaging itself, is to use it for key
>> distribution.
>
> Perhaps I missed something, but my impression was that the original
> post asked about how a CD full of random data could be used as a key
> distribution mechanism.

You did not miss anything; I confirmed the OP's supposition explicitly, and I agree with it in principle.

Bear
Re: thoughts on one time pads
Dave Howe wrote:
> Hmm. can you selectively blank areas of CD-RW?

Sure, you can. It isn't so much different from rewriting any other type of disk.

There are various versions of getting rid of a disk file.

1) Deletion: Throwing away the pointer and putting the blocks back on the free list. This is well known to be grossly insecure.

2) Zeroizing the blocks in place (followed by deletion). This is vastly better, but still not entirely secure, because there are typically stray remnants of the pattern sitting "beside" the nominal track, and a sufficiently-determined adversary may be able to recover them.

3) Trashing the blocks, i.e. overwriting them in place with crypto-grade random numbers (followed by optional zeroizing, followed by deletion). This makes it harder for anyone to recover strays.

4) Half-track trashing. This requires wizardly disk hardware, which shifts the head half a track either side of nominal, and *then* writes random numbers. I might be persuaded that this really gets rid of strays.

5) Grinding the disk to dust. AFAIK this is the only NSA-approved method. A suitable grinder costs about $1400.00.
http://cdrominc.com/product/1104.asp

One drawback with this is that you have to destroy a whole disk at a time. That's a problem, because if you have a whole disk full of daily keys, you want to destroy each day's key as soon as you are through using it. There are ways around this, such as reading the disk into volatile RAM and then grinding the disk ... then you just have to make sure the RAM is neither more volatile nor less volatile than you wanted it to be. That is, you use the disk for *distribution* but not necessarily for intermediate-term storage.
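As an added illustration of option 3 above (this is example code written for this page, not anything John Denker or the list posted), the following consumes a pad file chunk by chunk and trashes each chunk in place the moment it is handed out: a crypto-grade random overwrite, then a zeroizing pass, then deletion once the pad is exhausted. The file layout (a `pad.bin` plus a `.cursor` side file recording how much has been consumed) and every name in it are assumptions of the example.

```python
import os
import tempfile


class PadFile:
    """Consume an on-disk pad chunk by chunk, trashing each chunk in place as
    soon as it has been handed out. The pad path and the .cursor side file are
    assumptions for this example, not a layout the thread specifies."""

    def __init__(self, path: str):
        self.path = path
        self.cursor_path = path + ".cursor"
        self.offset = self._read_cursor()

    def _read_cursor(self) -> int:
        try:
            with open(self.cursor_path) as f:
                return int(f.read().strip() or 0)
        except FileNotFoundError:
            return 0

    def _write_cursor(self) -> None:
        # Write-then-rename so the cursor file is never left half written.
        tmp = self.cursor_path + ".tmp"
        with open(tmp, "w") as f:
            f.write(str(self.offset))
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self.cursor_path)

    def remaining(self) -> int:
        return os.path.getsize(self.path) - self.offset

    def _overwrite(self, f, start: int, data: bytes) -> None:
        f.seek(start)
        f.write(data)
        f.flush()
        os.fsync(f.fileno())   # cursor only advances after this has returned

    def take(self, n: int) -> bytes:
        if n > self.remaining():
            raise ValueError("pad exhausted; refusing to hand out used material")
        with open(self.path, "r+b") as f:
            f.seek(self.offset)
            chunk = f.read(n)
            # Option 3: overwrite the consumed region with crypto-grade random bytes ...
            self._overwrite(f, self.offset, os.urandom(n))
            # ... followed by the optional zeroizing pass (option 2).
            self._overwrite(f, self.offset, bytes(n))
        self.offset += n
        self._write_cursor()
        return chunk

    def destroy(self) -> None:
        """Trash whatever is left, then delete (options 3, 2, then 1)."""
        self.take(self.remaining())
        os.remove(self.path)
        os.remove(self.cursor_path)


def demo(pad_bytes: bytes, chunk: int) -> dict:
    """Run the life cycle on a constructed pad in a temp directory and report
    what a reader can check: chunks come out in order, the region behind the
    cursor is zero on disk, and a fresh PadFile object resumes at the cursor."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "pad.bin")
        with open(path, "wb") as f:
            f.write(pad_bytes)          # constructed pad material for the demo
        pad = PadFile(path)
        first = pad.take(chunk)
        with open(path, "rb") as f:
            on_disk = f.read()
        resumed = PadFile(path)         # simulates a restart; reads the cursor file
        resumed_offset = resumed.offset
        second = resumed.take(chunk)
        leftover = resumed.remaining()
        resumed.destroy()
        return {
            "first": first,
            "second": second,
            "first_region_zeroed": on_disk[:chunk] == bytes(chunk),
            "rest_intact": on_disk[chunk:] == pad_bytes[chunk:],
            "resumed_offset": resumed_offset,
            "leftover": leftover,
            "files_gone": not os.path.exists(path),
        }
```

The ordering matters: the cursor is advanced only after the overwrite has been fsync'd, so a crash cannot leave a consumed-but-intact chunk behind the cursor. The caveat the thread itself raises still applies: a file-level overwrite only reaches the physical sectors the file system and device happen to map it to, so on journaling or copy-on-write file systems, flash with wear levelling, or a CD-RW's own defect remapping the old bytes may survive exactly as the "strays" of options 2 and 3 do.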
Re: thoughts on one time pads
Jonathan Thornburg wrote:
> 1. How to insure physical security for the N years between when you
> exchange CDs and the use of a given chunk of keying material? The
> "single CD" system is "brittle" -- a single black-bag burglary to
> copy the CD, and poof, the adversary has all your keys for the next
> N years.

Hmm. can you selectively blank areas of CD-RW?
Re: thoughts on one time pads
> I think that's because you missed the point. You're confusing manual
> key distribution (which makes sense in some cases, but is unworkable
> in others) with using a one-time pad (a specific method of encrypting
> information that uses up key material very fast but has a security
> proof).

Actually, you're right, I was sort of conflating two ideas, since the system I described is useful both for distributing key material and for use as an OTP. Specifically, we can either encrypt text messages using the pad, or use a portion of the "pad" as a key for something else. And if we're really paranoid, we can encrypt a de novo key using OTP, which has the property that the attacker must have that portion of the pad *and* the transmission containing the OTP-encrypted new key to derive the new key; merely having the pad doesn't buy you anything.

> Yep. You've got to store the key material safely in transit and at
> the endpoints either way, though, and that's much easier for 256 bit
> AES keys (which can be put inside an off-the-shelf tamper-resistant
> token), and easier still for hashes of public keys (which only have to
> arrive unchanged--it doesn't matter if the bad guys learn the
> hashes).

Yes, but not without cost. Those rest on more and more assumptions. In theory, it rests on only one assumption; unpredictability of the pad. In practice it's unbreakable even if your RNG is badly broken (for example, a bunch of typists asked to type random five-digit groups).

> There are provably secure authentication schemes that use much less
> key material per message. Google for universal hashing and IBC Hash,
> and for provably secure authentication schemes. I seem to recall that
> Stinson has a really nice survey of this either webbed or in his
> book. (Anyone else remember?)

I have his book, I'll check both. I seem to remember him discussing authentication a lot in the book.

--
"The generation of random numbers is too important to be left to chance."
  -- Robert Coveyou -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
Re: thoughts on one time pads
> From: "Travis H." <[EMAIL PROTECTED]>
> Sent: Jan 26, 2006 6:30 AM
> To: cryptography@metzdowd.com
> Subject: thoughts on one time pads

...

> In this article, Bruce Schneier argues against the practicality of a
> one-time pad:
>
> http://www.schneier.com/crypto-gram-0210.html#7
>
> I take issue with some of the assumptions raised there.

I think that's because you missed the point. You're confusing manual key distribution (which makes sense in some cases, but is unworkable in others) with using a one-time pad (a specific method of encrypting information that uses up key material very fast but has a security proof).

Manual key distribution means that I carry the key material to you by hand. This can be on a DVD or CD or tape or USB drive, or for that matter on a piece of paper or punched card or cryptographic token.

A one-time pad means that I take my key material, which must be perfectly random for the proof to work, and XOR it with plaintext to get ciphertext. That can't possibly be cryptanalyzed, because there's no information about the plaintext in the ciphertext, so long as the key is unknown and random. (Any plaintext could lead to any ciphertext with equal probability.)

...

> For example, you may have occasional physical meetings with a good
> friend, colleague, family member, or former co-worker. Let's say you
> see them once every few years, maybe at a conference or a wedding or a
> funeral or some other occasion. At such times, you could easily hand
> them a CD-ROM or USB flash drive full of key material. Then, you
> could use that pad to encrypt messages to them until the next time you
> meet. Let's say you send them ten 1kB messages per year. Then a $1
> CD-ROM would hold enough data for 7 years of communication! Heck,
> I could put the software on the image and make a dozen to keep with
> me, handing them out to new acquaintances as a sort of preemptive
> secure channel.

You're talking about manual key distribution here. This works the same for both OTPs and conventional encryption. The difference is that managing the keys in a secure way is *much* easier when you're doing conventional encryption. The only advantage using a one-time pad gives here is that you don't have to worry about cryptanalysis. And one-time pad encryption can't be used with anything but manual key distribution, or other methods that are at least as awkward (like quantum key distribution). You can't hand me a business card with your PGP fingerprint on it and establish secure communications with me using a one-time pad, but you can using PGP and conventional crypto.

...

> Excuse me? This would in fact be a _perfect_ way to distribute key
> material for _other_ cryptosystems, such as PGP, SSH, IPSec, openvpn,
> gaim-encryption etc. etc. You see, he's right in that the key
> distribution problem is the hardest problem for most computer
> cryptosystems. So the OTP system I described here is the perfect
> complement for those systems; it gives them a huge tug on their
> bootstraps, gets them running on their own power.

But then you're not using an OTP anymore. And there's no need for a station wagon full of DVDs, you can use a piece of paper with a 32-digit hex string on it to exchange the AES key, ugly though that is to type in. In fact, there are some procedures people have worked out to do this. But it doesn't scale well.

> I'm not sure it is even limited to this use case. For example, before
> a ship sets out to sea, you could load it up with enough key material
> to last a few millennia. How much key material could a courier carry?
> I bet it's a lot. As they say, "never underestimate the bandwidth of
> a station wagon full of tapes". And don't embassies have diplomatic
> pouches that get taken to them and such?

Yep. You've got to store the key material safely in transit and at the endpoints either way, though, and that's much easier for 256 bit AES keys (which can be put inside an off-the-shelf tamper-resistant token), and easier still for hashes of public keys (which only have to arrive unchanged--it doesn't matter if the bad guys learn the hashes).

> So my questions to you are:
>
> 1) Do you agree with my assessment? If so, why has every crypto
> expert I've seen pooh-poohed the idea?

Not to put too fine a point on it, it's because he's right and you're wrong.

> 2) Assuming my use case, what kind of attacks should I worry about?
> For example, he might leave the CD sitting around somewhere before
> putting it in his computer. If it sits around on CD, physical access
> to it would compromise past and future communications. If he copies
> it to flash or magnetic media, then destroys the CD, we can
> incrementally destroy the pad as it is used, but we have to worry
> about data remanence.

You have to worry about securing the key material from cradle to grave, and operationally making sure you use the right key material with the right person and never reuse it. OTPs are terribly sensitive to the randomne
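The two uses of pad material the thread discusses, encrypting a message directly by XOR as John Kelsey describes, and Travis H.'s variant of sending a freshly generated conventional key under the pad, are shown below in an added example written for this page (not code from either poster). Each party holds a `Pad` object that hands out every byte exactly once, zeroizes it in memory as it goes, and refuses any message whose offset does not match its own cursor, which is the "never reuse it" rule enforced mechanically. `perfect_secrecy_holds` brute-forces Kelsey's parenthetical claim on a small message space. The class and function names, and the use of HMAC-SHA256 as the "something else" the fresh key is used for, are assumptions of the example.

```python
import os
import hmac
import hashlib


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length strings; the whole cipher is this line."""
    if len(a) != len(b):
        raise ValueError("OTP needs exactly as many key bytes as plaintext bytes")
    return bytes(x ^ y for x, y in zip(a, b))


class Pad:
    """One party's copy of the shared pad. Every byte is handed out at most
    once and zeroized in memory as it is consumed; a cursor keeps both ends
    in step."""

    def __init__(self, material: bytes):
        self._m = bytearray(material)
        self.pos = 0

    def take(self, offset: int, n: int) -> bytes:
        # Refuse to go backwards (reuse) or to skip ahead (desync / lost message).
        if offset != self.pos:
            raise ValueError(f"pad cursor {self.pos} != message offset {offset}")
        if offset + n > len(self._m):
            raise ValueError("pad exhausted; refusing to reuse key material")
        chunk = bytes(self._m[offset:offset + n])
        self._m[offset:offset + n] = bytes(n)      # zeroize consumed bytes
        self.pos += n
        return chunk


def otp_encrypt(pad: Pad, plaintext: bytes):
    """Returns (offset, ciphertext). The offset travels in the clear; it tells
    the receiver which pad bytes to use and says nothing about their values."""
    offset = pad.pos
    return offset, xor_bytes(plaintext, pad.take(offset, len(plaintext)))


def otp_decrypt(pad: Pad, offset: int, ciphertext: bytes) -> bytes:
    return xor_bytes(ciphertext, pad.take(offset, len(ciphertext)))


def send_fresh_key(pad: Pad, nbytes: int = 32):
    """Generate a brand-new key and send it under the pad. Knowing the pad
    segment alone, or the transmission alone, does not reveal the key."""
    new_key = os.urandom(nbytes)
    return new_key, otp_encrypt(pad, new_key)


def receive_fresh_key(pad: Pad, offset: int, ciphertext: bytes) -> bytes:
    return otp_decrypt(pad, offset, ciphertext)


def perfect_secrecy_holds(nbits: int) -> bool:
    """Brute-force check for nbits-bit messages: every (plaintext, ciphertext)
    pair has exactly one key, so any ciphertext is consistent with every
    plaintext with equal probability."""
    space = range(1 << nbits)
    for p in space:
        for c in space:
            if sum(1 for k in space if p ^ k == c) != 1:
                return False
    return True


def demo() -> dict:
    """Both parties start from the same (constructed) pad material; one text
    message goes under the pad, then a fresh key, which both sides then use
    with a conventional MAC."""
    shared = os.urandom(64)          # constructed stand-in for the CD contents
    alice, bob = Pad(shared), Pad(shared)
    off, ct = otp_encrypt(alice, b"meet at noon")
    pt = otp_decrypt(bob, off, ct)
    k_sent, (koff, kct) = send_fresh_key(alice)
    k_recv = receive_fresh_key(bob, koff, kct)
    tag_a = hmac.new(k_sent, b"hello", hashlib.sha256).digest()
    tag_b = hmac.new(k_recv, b"hello", hashlib.sha256).digest()
    return {
        "roundtrip": pt,
        "keys_match": k_sent == k_recv,
        "tag_ok": hmac.compare_digest(tag_a, tag_b),
        "pos": alice.pos,
    }
```

The offset check is what turns "never reuse it" from an operational rule into something the code refuses to do: a replayed or out-of-order message raises instead of silently XORing a second plaintext against bytes already spent. It does not help with the problems the thread goes on to discuss, namely keeping the shared material secret from cradle to grave and making sure the bytes came from a genuinely random source.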
Re: thoughts on one time pads
Two other problems with using a CD for OTP key material:

1. How to insure physical security for the N years between when you exchange CDs and the use of a given chunk of keying material? The "single CD" system is "brittle" -- a single black-bag burglary to copy the CD, and poof, the adversary has all your keys for the next N years.

2. How to securely destroy it after use, to prevent retrospective dumpster-diving? Nothing short of physical destruction will stop a determined adversary... and physical destruction is *hard*: Smashing the CD with a hammer leaves individual fragments which can still be read with a microscope. (That would yield "some" key bits; a serious adversary could "drag" these across archived encrypted traffic to find the position which decrypts to something that's statistically plaintext.) Melting the CD should work... but in practice that takes a specialized "oven" (I seriously doubt my home oven gets hot enough), and is likely to produce toxic fumes, and leave behind a sticky mess (stuck to the surface of the specialized oven).

ciao,

--
-- Jonathan Thornburg <[EMAIL PROTECTED]>
   Max-Planck-Institut fuer Gravitationsphysik (Albert-Einstein-Institut),
   Golm, Germany, "Old Europe"     http://www.aei.mpg.de/~jthorn/home.html
   "Washing one's hands of the conflict between the powerful
    and the powerless means to side with the powerful,
    not to be neutral."
                                      -- quote by Freire / poster by Oxfam
Re: thoughts on one time pads
On Thu, Jan 26, 2006 at 06:09:52PM -0800, bear wrote:
[...]
> Of course, the obvious application for this OTP material,
> other than text messaging itself, is to use it for key
> distribution.

Perhaps I missed something, but my impression was that the original post asked about how a CD full of random data could be used as a key distribution mechanism.

--
                - Adam

** Expert Technical Project and Business Management
   System Performance Analysis and Architecture
** [ http://www.everylastounce.com ]

[ http://www.aquick.org/blog ] ............ Blog
[ http://www.adamfields.com/resume.html ].. Experience
[ http://www.flickr.com/photos/fields ] ... Photos
[ http://www.aquicki.com/wiki ] .......... Wiki
[ http://del.icio.us/fields ] ............ Links