Re: thoughts on one time pads
On Thu, 26 Jan 2006, Travis H. wrote:

> For example, you may have occasional physical meetings with a good
> friend, colleague, family member, or former co-worker. Let's say
> you see them once every few years, maybe at a conference or a
> wedding or a funeral or some other occasion. At such times, you
> could easily hand them a CD-ROM or USB flash drive full of key
> material. Then, you could use that pad to encrypt messages to them
> until the next time you meet. Let's say you send them ten 1kB
> messages per year. Then a $1 CD-ROM would hold enough data for
> 7 years of communication! Heck, I could put the software on the
> image and make a dozen to keep with me, handing them out to new
> acquaintances as a sort of preemptive secure channel.

It's far easier and less error-prone to hand them a CD-ROM full of
symmetric keys indexed by date.

The problem is that most people will not take the care needed to
properly use a one-time pad. For text communications like this forum,
they're great, and a (relatively) small amount of keying material, as
you suggest, will last for many years. But modern applications are
concerned with communicating *DATA*, not original text; someone on the
system is going to want to send their buddy a 30-minute video of the
professor explaining a sticky point to the class, and where is your
keying material going then? He wants to be ignorant of the details of
the cryptosystem; he just hits "secure send" and waits for magic to
happen. Or if not a 30-minute video, then the last six months of
account records for the west coast division of the company, or a
nicely formatted document in a word processor format that uses up a
megabyte or two per page, or ... whatever. The OTP is nice for just
plain text, but the more bits a format consumes, the less useful it
becomes.

And fewer and fewer people even understand how much or how little
bandwidth something is; they think in terms of "human bandwidth", the
number of seconds or minutes of attention required to read or listen
to or watch something.

An OTP, as far as I'm concerned, makes a really good system, but you
have to respect its limits. One of those limits is a low-bandwidth
medium like text-only messages, and in the modern world that qualifies
as "specialized."

Given a low-bandwidth medium, and indexing keying material into daily
chunks to prevent a system failure from resulting in pad reuse, you
get 600 MB on a CD-ROM. Say you want a century of secure
communications, so you divide it into 8-kilobyte chunks -- each day
you can send 8 kilobytes and he can send 8 kilobytes. (Note that
DVD-ROMs are better). That gives you a little over 100 years (read,
"all you're likely to need, barring catastrophic medical advances,")
of a very secure low-bandwidth channel.

Of course, the obvious application for this OTP material, other than
text messaging itself, is to use it for key distribution.

Bear

> Bruce acknowledges this by saying "[t]he exceptions to this are
> generally in specialized situations where simple key management is a
> solvable problem and the security requirement is timeshifting." He
> then dismisses it by saying "[o]ne-time pads are useless for all but
> very specialized applications, primarily historical and non-computer."
>
> Excuse me? This would in fact be a _perfect_ way to distribute key
> material for _other_ cryptosystems, such as PGP, SSH, IPSec, openvpn,
> gaim-encryption etc. etc. You see, he's right in that the key
> distribution problem is the hardest problem for most computer
> cryptosystems. So the OTP system I described here is the perfect
> complement for those systems; it gives them a huge tug on their
> bootstraps, gets them running on their own power.
>
> I'm not sure it is even limited to this use case. For example, before
> a ship sets out to sea, you could load it up with enough key material
> to last a few millennia. How much key material could a courier carry?
> I bet it's a lot. As they say, "never underestimate the bandwidth of
> a station wagon full of tapes". And don't embassies have diplomatic
> pouches that get taken to them and such?
>
> So my questions to you are:
>
> 1) Do you agree with my assessment? If so, why has every crypto
> expert I've seen poo-pooed the idea?
>
> 2) Assuming my use case, what kind of attacks should I worry about?
> For example, he might leave the CD sitting around somewhere before
> putting it in his computer. If it sits around on CD, physical access
> to it would compromise past and future communications. If he copies
> it to flash or magnetic media, then destroys the CD, we can
> incrementally destroy the pad as it is used, but we have to worry
> about data remanence.
>
> 3) How should one combine OTP with another conventional encryption
> method, so that if the pad is copied, we still have conventional
> cipher protection? In this manner, one could use the same system for
> different use cases; one could, for example,
Re: A glimpse of SIGINT 20 years ago...
Perry E. Metzger wrote:

> This is a couple of weeks old, but it appears that, by accident, a lot
> of information on the targets and methods being used for
> US/Australian/NZ SIGINT about 20 years ago has come to light as the
> result of the release of a late New Zealand Prime Minister's papers.
>
> http://www.stuff.co.nz/stuff/print/0,1478,3540743a6005,00.html
>
> Among other things:
>
> The report lists the Tangimoana station's targets in 1985-86 as
> "French South Pacific civil, naval and military; French Antarctic
> civil; Vietnamese diplomatic; North Korean diplomatic; Egyptian
> diplomatic; Soviet merchant and scientific research shipping; Soviet
> Antarctic civil. Soviet fisheries; Argentine naval; Non-Soviet
> Antarctic civil; East German diplomatic; Japanese diplomatic;
> Philippine diplomatic; South African Armed Forces; Laotian diplomatic
> (and) UN diplomatic."
>
> The station intercepted 165,174 messages from these targets, "an
> increase of approximately 37,000 on the 84/85 figure. Reporting on the
> Soviet target increased by 20% on the previous year".

recent posting and glimpse of public key crypto 20 years ago
http://www.garlic.com/~lynn/2006.html#30

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: thoughts on one time pads
On Thu, 26 Jan 2006, Travis H. wrote:

> All I've got to say is, I'm on this like stink on doo-doo. Being the
> thorough, methodical, paranoid person I am, I will be grateful for any
> pointers to prior work and thinking in this area.

You may wish to look at:

Ueli M. Maurer: Conditionally-Perfect Secrecy and a Provably-Secure
Randomized Cipher
in: Journal of Cryptography, vol 5, no. 1, pp. 53-66, 1992 (available online)

and

Ferguson, Schneier, Wagner: Security Weaknesses in Maurer-Like
Randomized Stream Ciphers
published on Schneier's website

Regards
Ralf Senderek

*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*
* Ralf Senderek <[EMAIL PROTECTED]>  http://senderek.com   * What is privacy *
* Sandstr. 60 D-41849 Wassenberg  +49 2432-3960            * without         *
* PGP: AB 2C 85 AB DB D3 10 E7 CD A4 F8 AC 52 FC A9 ED     * Pure Crypto?    *
49466008763407508762442876812634724277805553224967086648493733366295231438448
Re: thoughts on one time pads
On Thu, Jan 26, 2006 at 05:30:36AM -0600, Travis H. wrote:
[...]
> Excuse me? This would in fact be a _perfect_ way to distribute key
> material for _other_ cryptosystems, such as PGP, SSH, IPSec, openvpn,
> gaim-encryption etc. etc. You see, he's right in that the key
> distribution problem is the hardest problem for most computer
> cryptosystems. So the OTP system I described here is the perfect
> complement for those systems; it gives them a huge tug on their
> bootstraps, gets them running on their own power.
[...]
> So my questions to you are:
>
> 1) Do you agree with my assessment? If so, why has every crypto
> expert I've seen poo-pooed the idea?

Your use case above suggests that you are still willing to trust
conventional ciphers to be secure, so, practically speaking, what is
the difference between:

Key #1: 128 bits of one time pad
Key #2: AES_{masterkey}(counter++)

I'm not an "expert", but the reason I'd call it a bad idea (versus just
not worth the effort, which is all the AES/OTP comparison is
suggesting) is it introduces a need for synchronization, and that can
be a hard thing to do between arbitrary parties on a network.

> 2) Assuming my use case, what kind of attacks should I worry about?
> For example, he might leave the CD sitting around somewhere before
> putting it in his computer. If it sits around on CD, physical access
> to it would compromise past and future communications. If he copies
> it to flash or magnetic media, then destroys the CD, we can
> incrementally destroy the pad as it is used, but we have to worry
> about data remanence.

I don't think attacks are the problem, so much as susceptibility to
errors. To even get started, you need a CD of truly random bits, which
is fairly non-trivial to do on many platforms (and it's difficult to
test if your bits are actually random or just look that way). More
importantly, the key management issues seem annoying and highly prone
to catastrophic failure.

For example, I send you a message using the first N bits of the pad,
my machine crashes, I restore from backup (or a filesystem checkpoint),
and then my index into the pad is reset back to the start. Then I
resend a second message using the same pad bits. Problem.

I think your characterization of the possible attacks is pretty fair.
But compare the OTP failure mode "access to it would compromise past
and future communications", to the failure mode of, say, RSA
authenticated DH key exchange, which provides PFS and requires an
active attack in order to attack communications even after the key is
compromised. Is OTP so much more secure than a simple PK-based key
exchange that it is worth even this single tradeoff (not to mention
the initial key exchange hassles and the need to store megabytes of
pad with anyone I might want to talk to)?

[...]
> 4) For authentication, it is simple to get excellent results from an
> OTP. You simply send n bytes of the OTP, which an attacker has a
> 2^-8n chance in guessing.

That sounds prone to a man in the middle attack; what is to stop
someone from taking your authentication packet with the N bits of
unguessable pad, cause your connection to drop and then authenticating
as you using the pad you sent earlier? You could probably do a
challenge-response authentication based on pad bits pretty easily,
however, though doing it in a way that doesn't require a secure hash
might be a little trickier.

> How do we ensure message integrity? Is it
> enough to include a checksum that is encrypted with the pad? Does it
> depend on our method of encipherment? Assuming the encipherment is
> XOR, is a CRC sufficient, or can one flip bits in the message and CRC
> field so as to cancel each other?

There are some attacks against WEP along those lines (they used RC4 to
encrypt the checksum, instead of a one time pad, but it would end up
about the same, I would think). Using HMAC keyed with pad bits seems a
lot more sane to me...

> 6) How should one detect and recover from lost, reordered, or partial
> messages?

I think that this question needs to be asked at all points to one of
the flaws of OTP from a practical standpoint.

-Jack
A glimpse of SIGINT 20 years ago...
This is a couple of weeks old, but it appears that, by accident, a lot
of information on the targets and methods being used for
US/Australian/NZ SIGINT about 20 years ago has come to light as the
result of the release of a late New Zealand Prime Minister's papers.

http://www.stuff.co.nz/stuff/print/0,1478,3540743a6005,00.html

Among other things:

The report lists the Tangimoana station's targets in 1985-86 as
"French South Pacific civil, naval and military; French Antarctic
civil; Vietnamese diplomatic; North Korean diplomatic; Egyptian
diplomatic; Soviet merchant and scientific research shipping; Soviet
Antarctic civil. Soviet fisheries; Argentine naval; Non-Soviet
Antarctic civil; East German diplomatic; Japanese diplomatic;
Philippine diplomatic; South African Armed Forces; Laotian diplomatic
(and) UN diplomatic."

The station intercepted 165,174 messages from these targets, "an
increase of approximately 37,000 on the 84/85 figure. Reporting on the
Soviet target increased by 20% on the previous year".

Hat tip to Bruce Schneier's blog for reminding me about it.

--
Perry E. Metzger [EMAIL PROTECTED]
Re: thoughts on one time pads
Travis H. wrote:

> In this article, Bruce Schneier argues against the practicality of a
> one-time pad:
> http://www.schneier.com/crypto-gram-0210.html#7
>
> I take issue with some of the assumptions raised there.
[...]
> Then a $1 CD-ROM would hold enough data for 7 years of communication!
[...]
> So my questions to you are:
>
> 1) Do you agree with my assessment? If so, why has every crypto
> expert I've seen poo-pooed the idea?

You shift to the problem of filling CDs with pure random data. Which
physical property do you want to sample and with which type of
hardware do you expect to sample it and at which rate, and with which
protection against eavesdropping during the sampling? At what cost?
With what kind of design assurance that the pure random data is indeed
pure and random?

Have fun.

--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada H2M 2A1
Tel.: (514)385-5691
Fax: (514)385-5900
web site: http://www.connotech.com
e-mail: [EMAIL PROTECTED]
RE: a crypto wiki
There's also a crypto portal in Wikipedia itself:
http://en.wikipedia.org/wiki/Portal:Cryptography

FWIW, I'd rather see energy focused on the Wikipedia version, which
more people are likely to use.

William

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Travis H.
> Sent: Thursday, January 26, 2006 12:02 PM
> To: cryptography@metzdowd.com
> Subject: a crypto wiki
>
> http://www.cryptodox.com/Main_Page
>
> --
> "The generation of random numbers is too important to be left
> to chance."
>   -- Robert Coveyou
> -><- http://www.lightconsulting.com/~travis/
> GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
a crypto wiki
http://www.cryptodox.com/Main_Page

--
"The generation of random numbers is too important to be left
to chance."
  -- Robert Coveyou
-><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
thoughts on one time pads
In this article, Bruce Schneier argues against the practicality of a
one-time pad:
http://www.schneier.com/crypto-gram-0210.html#7

I take issue with some of the assumptions raised there.

For example, you may have occasional physical meetings with a good
friend, colleague, family member, or former co-worker. Let's say you
see them once every few years, maybe at a conference or a wedding or a
funeral or some other occasion. At such times, you could easily hand
them a CD-ROM or USB flash drive full of key material. Then, you could
use that pad to encrypt messages to them until the next time you meet.
Let's say you send them ten 1kB messages per year. Then a $1 CD-ROM
would hold enough data for 7 years of communication! Heck, I could put
the software on the image and make a dozen to keep with me, handing
them out to new acquaintances as a sort of preemptive secure channel.

Bruce acknowledges this by saying "[t]he exceptions to this are
generally in specialized situations where simple key management is a
solvable problem and the security requirement is timeshifting." He
then dismisses it by saying "[o]ne-time pads are useless for all but
very specialized applications, primarily historical and non-computer."

Excuse me? This would in fact be a _perfect_ way to distribute key
material for _other_ cryptosystems, such as PGP, SSH, IPSec, openvpn,
gaim-encryption etc. etc. You see, he's right in that the key
distribution problem is the hardest problem for most computer
cryptosystems. So the OTP system I described here is the perfect
complement for those systems; it gives them a huge tug on their
bootstraps, gets them running on their own power.

I'm not sure it is even limited to this use case. For example, before
a ship sets out to sea, you could load it up with enough key material
to last a few millennia. How much key material could a courier carry?
I bet it's a lot. As they say, "never underestimate the bandwidth of a
station wagon full of tapes". And don't embassies have diplomatic
pouches that get taken to them and such?

So my questions to you are:

1) Do you agree with my assessment? If so, why has every crypto expert
I've seen poo-pooed the idea?

2) Assuming my use case, what kind of attacks should I worry about?
For example, he might leave the CD sitting around somewhere before
putting it in his computer. If it sits around on CD, physical access
to it would compromise past and future communications. If he copies it
to flash or magnetic media, then destroys the CD, we can incrementally
destroy the pad as it is used, but we have to worry about data
remanence.

3) How should one combine OTP with another conventional encryption
method, so that if the pad is copied, we still have conventional
cipher protection? In this manner, one could use the same system for
different use cases; one could, for example, mail the pad, or leave it
with a third party for the recipient to pick up, and you
opportunistically theoretical security if the opponent doesn't get it,
and you get empirical (conventional) security if they do.

4) For authentication, it is simple to get excellent results from an
OTP. You simply send n bytes of the OTP, which an attacker has a 2^-8n
chance in guessing. How do we ensure message integrity? Is it enough
to include a checksum that is encrypted with the pad? Does it depend
on our method of encipherment? Assuming the encipherment is XOR, is a
CRC sufficient, or can one flip bits in the message and CRC field so
as to cancel each other? If so, how should we compute a MIC? Just
SHA-1, and include that right after the plaintext (that is, we encrypt
the MIC so as to not reveal a preimage if SHA-1 is found to be
invertible)?

5) How should one decouple message lengths from plaintext lengths?

6) How should one detect and recover from lost, reordered, or partial
messages?

All I've got to say is, I'm on this like stink on doo-doo. Being the
thorough, methodical, paranoid person I am, I will be grateful for any
pointers to prior work and thinking in this area. I recall Jim Choate
from the Austin cypherpunks saying he was working on a OTP system, but
never heard any more about it (let's not discuss him though please,
this thread is about one time pads).

--
"The generation of random numbers is too important to be left
to chance."
  -- Robert R. Coveyou
-><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
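Travis's question 4 (is a CRC encrypted under the pad enough, or can bits in the message and CRC field be flipped to cancel each other?) and Jack's reply (WEP had exactly that problem; HMAC keyed with pad bits is saner) can both be checked with a few lines of Python. The block below is an added example, not code from the thread or from any poster: it implements the two candidate MICs side by side and runs the check a practitioner would run before choosing one. CRC32 is affine over XOR, so the change a given bit pattern causes in a message's CRC does not depend on the message, and the pad-encrypted CRC accepts the altered text; HMAC-SHA256 under a one-time key taken from a separate run of pad bytes rejects it. The pad, the messages and the bit pattern are constructed here; the slicing of pad bytes into an XOR key and a MAC key is this example's own convention.

```python
import hashlib
import hmac
import os
import zlib


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- Scheme A: message || CRC32(message), the whole thing XORed with pad bytes ---

def seal_with_crc(pad: bytes, msg: bytes) -> bytes:
    tag = zlib.crc32(msg).to_bytes(4, "big")
    return xor_bytes(msg + tag, pad)


def open_with_crc(pad: bytes, ct: bytes):
    """Return the message if its CRC checks out, else None."""
    pt = xor_bytes(ct, pad)
    msg, tag = pt[:-4], pt[-4:]
    return msg if zlib.crc32(msg).to_bytes(4, "big") == tag else None


# --- Scheme B: XOR the message with pad bytes, then HMAC-SHA256 the ciphertext
#     under the next 32 pad bytes, used once as a MAC key (Jack's suggestion) ---

MAC_KEY_LEN = 32


def seal_with_hmac(pad: bytes, msg: bytes) -> bytes:
    n = len(msg)
    enc_key, mac_key = pad[:n], pad[n:n + MAC_KEY_LEN]
    ct = xor_bytes(msg, enc_key)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def open_with_hmac(pad: bytes, blob: bytes):
    """Return the message if the tag verifies, else None (checked before decrypting)."""
    ct, tag = blob[:-32], blob[-32:]
    n = len(ct)
    enc_key, mac_key = pad[:n], pad[n:n + MAC_KEY_LEN]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return xor_bytes(ct, enc_key)


def crc_delta(delta: bytes) -> bytes:
    """CRC32 is affine over XOR: crc(m ^ d) == crc(m) ^ crc(d) ^ crc(zeros(len(d))).

    So the change that XORing `delta` into a message makes to its CRC is fixed by
    `delta` alone; that is the property that lets the two fields cancel each other.
    """
    return (zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))).to_bytes(4, "big")


def demo() -> dict:
    msg, altered = b"send 1000", b"send 9000"   # constructed plaintext and altered text
    delta = xor_bytes(msg, altered)            # bit pattern turning one into the other
    pad = os.urandom(64)                       # constructed pad, long enough for both schemes

    # Scheme A: the same bit pattern applied to the ciphertext, with the matching
    # pattern on the CRC field, still passes the CRC check after decryption.
    ct = seal_with_crc(pad, msg)
    modified_ct = xor_bytes(ct, delta + crc_delta(delta))
    crc_result = open_with_crc(pad, modified_ct)

    # Scheme B: the same bit pattern on the ciphertext no longer matches the tag.
    blob = seal_with_hmac(pad, msg)
    modified_blob = xor_bytes(blob, delta + bytes(len(blob) - len(delta)))
    hmac_result = open_with_hmac(pad, modified_blob)

    return {
        "crc_roundtrip": open_with_crc(pad, ct) == msg,
        "crc_accepts_modified": crc_result == altered,
        "hmac_roundtrip": open_with_hmac(pad, blob) == msg,
        "hmac_rejects_modified": hmac_result is None,
    }


if __name__ == "__main__":
    print(demo())
```

Scheme B verifies the tag before touching the ciphertext and uses a constant-time comparison; the MAC key comes from pad bytes that are never reused as XOR key, so the pad budget per message grows by 32 bytes. Neither scheme hides message length (Travis's question 5) or handles loss and reordering (question 6).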
Re: Kama Sutra Spoofs Digital Certificates
Peter Gutmann wrote:
> Anne & Lynn Wheeler <[EMAIL PROTECTED]> writes:
>
>> The Kama Sutra worm can fool Windows into accepting a malicious ActiveX
>> control by spoofing a digital signature, a security company said Tuesday.
>
> If you track down the original Fortinet advisory you'll see that the
> InformationWeek text is slightly misleading, all it does is set the
> "this control is all right" flags in the registry to make Windows think
> it's passed a signature check at some point in the past.

Sounds like a "pseudo-Cache" attack then - is that not valid as a
"spoof" though? There was an embedded SSL Cache attack a few years
back, and that was considered a man-in-the-middle spoof attack. Is
there a specific definition to that?

> Peter.

--
Best Regards,
Lance James
Secure Science Corporation
www.securescience.net
Author of 'Phishing Exposed'
http://www.securescience.net/amazon/