Re: thoughts on one time pads

2006-02-08 Thread Travis H.
If anyone is interested in participating in the design of a system
that could be used for manual key distribution and/or OTP purposes,
email me.  I figure we can talk about our special cases off-list, and
maybe submit the final design to the list for people to take their
best crack at it.
--
"Whosoever is delighted in solitude is either a wild beast or a god." -><-
http://www.lightconsulting.com/~travis/
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: CD shredders, was Re: thoughts on one time pads

2006-02-02 Thread James Deane

I have an Executive Machines EPS-1501X cross-cut
shredder (15 sheet, I think) which also shreds CDs. 
And it really shreds them, into about 1/4" x 1"
strips.  It's no louder than any other home/office
shredder I've used, though it is louder when shredding
CDs.

Jim

--- "Travis H." <[EMAIL PROTECTED]> wrote:

> On 1/28/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > In our office, we have a shredder that happily
> > takes CDs and is designed to do so.  It is noisy
> > and cost >$500.
> 
> Here's one for $40, although it doesn't appear to
> "shred" them so much
> as make them pitted:
> 
> http://www.thinkgeek.com/gadgets/security/6d7f/
> --
> "The generation of random numbers is too important
> to be left to chance."
>   -- Robert Coveyou -><-
> http://www.lightconsulting.com/~travis/
> GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9
> 204A 94C2 641B
> 


-- --- - --- --- 
James K. Deane 
Physicist and Geospatial Analyst
[EMAIL PROTECTED]
-- --- -  -- 



Re: CD shredders, was Re: thoughts on one time pads

2006-02-02 Thread Dave Korn
Travis H. wrote:
> On 1/28/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>> In our office, we have a shredder that happily
>> takes CDs and is designed to do so.  It is noisy
>> and cost >$500.
>
> Here's one for $40, although it doesn't appear to "shred" them so much
> as make them pitted:
>
> http://www.thinkgeek.com/gadgets/security/6d7f/

  The review doesn't exactly inspire confidence.  They say the disk is 
"pitted"?  Isn't that just another way of saying that the machine does only 
minor surface damage to the protective plastic coating, and doesn't harm the 
fine metallic layer in the center of the disc where the actual information 
is?  And in that case, shouldn't you be able to recover the data with one of 
those cheap CD-polish-and-repair kits?

  I can't see the point of paying for a machine that damages the disk _less_ 
than you could do by snapping it in half with your bare hands.  That seems 
to me to be a very major false economy: a shredder that doesn't shred is 
just /not/ an improvement on one that does, no matter *how* much cheaper it 
is.


cheers,
  DaveK
-- 
Can't think of a witty .sigline today 






Re: CD shredders, was Re: thoughts on one time pads

2006-02-02 Thread Aram Perez

On Feb 1, 2006, at 3:50 AM, Travis H. wrote:

> On 1/28/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
>> In our office, we have a shredder that happily
>> takes CDs and is designed to do so.  It is noisy
>> and cost >$500.
>
> Here's one for $40, although it doesn't appear to "shred" them so much
> as make them pitted:
>
> http://www.thinkgeek.com/gadgets/security/6d7f/


For a few more dollars, you can get one where the residue is powder:  
.





Re: CD shredders, was Re: thoughts on one time pads

2006-02-02 Thread Jack Lloyd
On Wed, Feb 01, 2006 at 05:50:24AM -0600, Travis H. wrote:
> On 1/28/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > In our office, we have a shredder that happily
> > takes CDs and is designed to do so.  It is noisy
> > and cost >$500.
> 
> Here's one for $40, although it doesn't appear to "shred" them so much
> as make them pitted:
> 
> http://www.thinkgeek.com/gadgets/security/6d7f/

If you packaged up your OTP material into blocks using an all-or-nothing
transform you could probably be certain that this would suffice, as long as the
blocks you used were large enough that it was at least statistically probable
that 'enough' bits of each block were destroyed or made unreadable. I believe
specifically you'd want to make sure that 2^n is an infeasible amount of work,
where n is the minimum number of bits that will be lost from any block by the
destruction process. This seems to generalize nicely, for example if an entire
CD's worth of material was processed as a single block under an all-or-nothing
transform, just snapping the disk in half might suffice to prevent any
(computationally feasible) data recovery [though it would be quite annoying in
practice, since you'd have to process the entire disk to read even a single bit
from it]

-Jack



Re: CD shredders, was Re: thoughts on one time pads

2006-02-02 Thread Steven M. Bellovin
>> In our office, we have a shredder that happily
>> takes CDs and is designed to do so.  It is noisy
>> and cost >$500.
>
>Here's one for $40, although it doesn't appear to "shred" them so much
>as make them pitted:
>
>http://www.thinkgeek.com/gadgets/security/6d7f/


Again -- what is the assurance level that they do a good enough job, 
and against what enemy?

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb





CD shredders, was Re: thoughts on one time pads

2006-02-01 Thread Travis H.
On 1/28/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> In our office, we have a shredder that happily
> takes CDs and is designed to do so.  It is noisy
> and cost >$500.

Here's one for $40, although it doesn't appear to "shred" them so much
as make them pitted:

http://www.thinkgeek.com/gadgets/security/6d7f/
--
"The generation of random numbers is too important to be left to chance."
  -- Robert Coveyou -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B



Re: thoughts on one time pads

2006-01-31 Thread Anne & Lynn Wheeler
John Denker wrote:
> I forgot to mention in my previous message:
> 
> It is worth your time to read _Between Silk and Cyanide_.
> That contains an example of somebody who thought really
> hard about what his threat was, and came up with a system
> to deal with the threat ... a system that ran counter to
> the previous conventional wisdom.  It involved protecting
> keys before use and destroying them after use.

an open question is whether preventing anybody from accessing the cd
for skimming is also sufficient for preventing anybody from accessing
the cd for theft. this has some analogy to tamper-evident vis-a-vis
tamper-proof. obviously theft leaves more tell-tale trails (aka
tamper-evident). then do any countermeasures for skimming
(tamper-proof) have to be more stringent than countermeasures for
theft (tamper-evident). destroying the used keys is countermeasure for
all kinds of access of the used keys. however destroying used keys still
leaves vulnerability of skimming the unused keys (on the same cd). if
the countermeasures for skimming the unused keys (tamper-proof) is
sufficiently high ... then that may also be adequate for all kinds of
access to the used keys on the same cd.

but as mentioned ... there are also the people of the school of thought
that more security is always better.



Re: thoughts on one time pads

2006-01-31 Thread Anne & Lynn Wheeler
John Denker wrote:
> It is worth your time to read _Between Silk and Cyanide_.
> That contains an example of somebody who thought really
> hard about what his threat was, and came up with a system
> to deal with the threat ... a system that ran counter to
> the previous conventional wisdom.  It involved protecting
> keys before use and destroying them after use.

if you have scores or hundreds of one-time pads (or any other static
secrets) on a cd  and the vulnerability is skimming ... then if the
already used pads are destroyed as countermeasure to skimming ... the
unused pads that are also on the same cd are also vulnerable to the same
skimming. say the cd was skimmed before any pads were used ... then
there hasn't yet been any destroyed pads. supposedly if you provide
protection sufficient for the unused pads ... then that should be
protection for the used pads also (although there always is the school
of thought that more security is always better).

destroying just the one time pads on a cd is countermeasure to theft ...
since the theft of the cd hopefully prevents the unused pads from being
used (at least by you), there potentially is vulnerability that the
thief might be able to use the unused pads in some sort of attack.

the issue is that having both used and unused pads on the same CD
creates a potential common vulnerability of everything on the same CD
(which are in different states). once all pads have been used ... then
the whole CD represents a common vulnerability state ... and the whole
CD can either be destroyed.



RE: thoughts on one time pads

2006-01-31 Thread leichter_jerrold
[CD destruction] 
| You missed the old standby - the microwave oven.
| 
| The disk remains physically intact (at least after the
| 5 seconds or so I've tried), but a great deal of pretty
| arcing occurs in the conductive data layer. Where the
| arcs travel, the data layer is vapourized. 
| 
| The end result is an otherwise intact disk in which the
| data layer is broken up into small intact islands 
| surrounded by clear channels. It might be interesting
| to try a longer burn, in which case you might also
| want to put a glass of water in with the disk(s) to
| preserve the microwave's electronics.
| 
| This is probably less effective than the other methods
| you've described, but its very fast and leaves no noxious
| residues. It also uses a very commonly available tool.
As always, who are you defending against?  There are commercial "CD
shredders" whose effect - preserved islands with some destroyed material - is
produced by a much more prosaic approach:  The surface is covered with a grid
of pits.  Only a small fraction of the surface is actually damaged, but no
standard device will have any chance of reading the disk.  I suppose
specialized hardware might do so, but even if it could, there's the question
of the encoding format.  CDs are written with error-correcting codes which can
recover from fairly significant damage - but if the damage exceeds their
correction capability, they provide no information about what was there to
begin with.

If you want to go further down the same route, grinding the whole surface of
the disk should work even better.

Of course, all this assumes that there's no way to polish or otherwise smooth
the protective plastic.  Polishing should work if the scratches aren't too
deep.  (The pits produced by the "CD shredder" I've seen look deep enough to
make this difficult, but that's tough to do over the whole surface.)

Probably the best approach would be "better living through chemistry":  It
should be possible to dissolve or otherwise degrade the plastic, leaving the
internal metallic surface - very thin and delicate - easy to destroy.  One
would need to contact a chemist to determine the best way to do this.  (If
all else fails, sulfuric acid is likely pretty effective - if not something
you want to keep around.)

Realistically, especially given the error-correcting code issues, anything 
that breaks the CD into a large number of small pieces probably puts any 
recovery into the "national lab" range - if even they could do it.

-- Jerry




Re: thoughts on one time pads

2006-01-31 Thread John Denker

I forgot to mention in my previous message:

It is worth your time to read _Between Silk and Cyanide_.
That contains an example of somebody who thought really
hard about what his threat was, and came up with a system
to deal with the threat ... a system that ran counter to
the previous conventional wisdom.  It involved protecting
keys before use and destroying them after use.



Re: thoughts on one time pads

2006-01-31 Thread dan

In our office, we have a shredder that happily
takes CDs and is designed to do so.  It is noisy
and cost >$500.

--dan




Re: thoughts on one time pads

2006-01-31 Thread Anne & Lynn Wheeler
John Denker wrote:
>  -- The best way to _protect_ a key after it has been used is to destroy
>   it.
> 
>  -- For keys that have yet to be used, a sufficient scheme (not the only
>   scheme) for many purposes is to package the keys in a way that is
>   tamper-resistant and verrry tamper-evident.

periodically there was some discussion about institutional-centric
tokens vis-a-vis person-centric tokens ... in one case specifically with
respect to being able to replace magstripe payment cards with tokens.

in the person-centric token scenario, the person can choose to have a
single token that they could use for all authentication purposes,
including all accounts (or choose how many tokens they want and which
purposes each token is used for).

at one point, there were counter arguments that a single card per
account (the current mechanism) was much preferred because of the
lost/stolen card problem. the problem is that the prevailing threat
model for lost/stolen cards is the purse or wallet containing all cards
(as opposed to individual cards).

the person-centric model at least would allow a person to replace all
cards subject to common threat model with a single token.

a major issue with cdrom one-time pads would be somebody skimming the
whole cdrom.

destroying keys as they are being used would appear to only be a
countermeasure to theft of the cdrom (in which case it is apparent that
unused pads are compromised and should be eliminated). however, skimming
the cdrom might not leave any trace that unused pads have been
compromised ... which turned out to be the issue in the gift card
skimming compromise.





Re: thoughts on one time pads

2006-01-31 Thread Anne & Lynn Wheeler
John Denker wrote:
> That indicates a gross lack of tamper-evident packaging, as discussed
> above.  The store should never have activated a card that came from a
> package that had been tampered with.

if you have seen many of the gift cards in racks at grocery stores ...
they can be skimmed w/o any tampering needed (many with no packaging at
all). it might be better that they were shipped in some sort of
packaging that would require tampering in order to skim.

i think that the conventional wisdom was that the cards were (nearly)
worthless until activated (and so why would anybody bother with a
worthless card).




Re: thoughts on one time pads

2006-01-31 Thread Peter Fairbrother
Peter Gutmann wrote:

> Jonathan Thornburg <[EMAIL PROTECTED]> writes:
> 
>> Melting the CD should work... but in practice that takes a specialized "oven"
>> (I seriously doubt my home oven gets hot enough), and is likely to produce
>> toxic fumes, and leave behind a sticky mess (stuck to the surface of the
>> specialized oven).
> 
> For no adequately explored reason I've tried various ways of physically
> destroying CDs:

Does a microwave oven do anything? I've been reading too much Tom Clancy ...

It does get rid of the stuff on the top, leaving a surface that a bit of
sanding would make irretrievable, and some flakes that could be burned
maybe?



Another possibility might be to n-of-n [1] split the data up so you need to
have a whole disk rotation's worth in order to reconstruct any of it - that
might well make assured destruction a lot easier.

The repeatedly applied hammer would probably work well then, I doubt it's
that hard to destroy ~2^100 bits with a few blows to one track.

but the hot fiery furnace in the basement is probably still the best. :)







It used to be a fashion to have key signing parties when crypto people
gathered - and at several ones over the last few years I have seen CDs of
OTP data swapped instead. And DVDs are about the same price as CDs now.

I'm talking about the kind of careful people who get the message and do the
xor themselves, probably in shell script. No "applications".

They can easily change to using symmetric keys to save OTP material (using
some of the otp for the symmetric key) when large files are sent - "Here's
the porneo.mpg of Hillary Clinton [2], encrypted in AES with this key:
xxx..."



Often doubly encrypted, typically using both Blowfish and AES with different
keys, in case one of those ciphers has been covertly broken.

Hey, why not? It costs nothing.


-- 
Peter Fairbrother



[1] the crypto variety of m-of-n splitting, but where m=n so you need all of
the pieces to reconstruct any of the whole - not the RAID variety of m-of-n
splitting, where you only need as much data as the original data.

[2] Anne Widdecombe?


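Jack Lloyd's suggestion above (package the OTP material under an all-or-nothing transform so that losing a modest number of bits from any block destroys the whole block) and Peter Fairbrother's n-of-n split are the same idea. What follows is an added example written for this page, not code from either post: Rivest's package transform in Python. HMAC-SHA256 stands in for the block cipher in Rivest's description (an assumption of this example), and the public constant K0, the 32-byte block width and the function names are choices made here. It demonstrates the property both posters rely on: damage to any single stored block, however slight, leaves every message block unrecoverable.

```python
"""Rivest-style package transform (an all-or-nothing transform, AONT).

Added example, not code from the thread. HMAC-SHA256 is used as the
fixed-width pseudorandom function in place of the block cipher in Rivest's
description (assumption); K0 and the 32-byte block size are choices made
for this example.
"""
import hashlib
import hmac
import secrets

BLOCK = 32                        # one HMAC-SHA256 output; every block is this wide
K0 = b"aont-public-constant-K0"   # fixed *public* key for the outer PRF (constructed)


def prf(key: bytes, data: bytes) -> bytes:
    """Fixed-width PRF; HMAC-SHA256 stands in for a block cipher here."""
    return hmac.new(key, data, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def package(blocks):
    """Forward transform: s message blocks -> s+1 stored blocks.

    m'_i     = m_i XOR PRF(K', i)                       (K' fresh and random)
    m'_{s+1} = K' XOR (XOR over i of PRF(K0, m'_i || i))
    K' cannot be recomputed without *every* stored block, so one missing or
    damaged stored block leaves all message blocks unreadable.
    """
    if any(len(m) != BLOCK for m in blocks):
        raise ValueError("every block must be exactly %d bytes" % BLOCK)
    k_prime = secrets.token_bytes(BLOCK)
    stored = [xor(m, prf(k_prime, i.to_bytes(4, "big")))
              for i, m in enumerate(blocks)]
    tail = k_prime
    for i, mp in enumerate(stored):
        tail = xor(tail, prf(K0, mp + i.to_bytes(4, "big")))
    return stored + [tail]


def unpackage(stored):
    """Inverse transform: recompute K' from all stored blocks, then unmask."""
    *body, tail = stored
    k_prime = tail
    for i, mp in enumerate(body):
        k_prime = xor(k_prime, prf(K0, mp + i.to_bytes(4, "big")))
    return [xor(mp, prf(k_prime, i.to_bytes(4, "big")))
            for i, mp in enumerate(body)]


def surviving_blocks(blocks, damaged_index, lost_bits):
    """Package, flip `lost_bits` bits of one stored block (modelling the part
    of a disc the destruction process made unreadable), unpackage, and count
    how many original blocks come back intact. With an AONT this is 0 for any
    lost_bits > 0, whichever stored block was hit (the tail included)."""
    stored = package(blocks)
    hit = bytearray(stored[damaged_index])
    for b in range(min(lost_bits, BLOCK * 8)):
        hit[b // 8] ^= 1 << (b % 8)
    stored[damaged_index] = bytes(hit)
    recovered = unpackage(stored)
    return sum(1 for r, m in zip(recovered, blocks) if r == m)


if __name__ == "__main__":
    # Constructed sample "pad": four 32-byte blocks.
    pad = [bytes([b]) * BLOCK for b in range(4)]
    assert unpackage(package(pad)) == pad
    print("intact after 1 lost bit in block 2:", surviving_blocks(pad, 2, 1))
    print("intact after 1 lost bit in the tail:", surviving_blocks(pad, 4, 1))
```

surviving_blocks models the destruction Jack describes: whichever stored block loses bits, and however few, the recomputed K' is wrong and nothing comes back. Someone holding all but n bits of one stored block can do no better than guess the missing n bits and run unpackage once per guess, which is where the 2^n work bound in Jack's post comes from. Treating the whole disc as one package gives the strongest form of this, at the cost he notes: every read requires the entire disc.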


Re: thoughts on one time pads

2006-01-31 Thread John Denker

Anne & Lynn Wheeler wrote:

> is there any more reason to destroy a daily key after it has been used
> than before it has been used?


That's quite an amusing turn of phrase.  There are two ways to
interpret it:

*) If taken literally, the idea of destroying a key _before_ it is
 used is truly an ingenious way to ensure security.  Alas there is
 some degradation of functionality, but isn't that always the case?
 Also the cost of key distribution goes way down once you decide you
 will only distribute already-destroyed keys.

*) Perhaps the intent was to speak about _protecting_ keys before and
 after use.  That's somewhat trickier to do securely, and is more
 dependent on the threat model ... but offers vastly greater functionality.

 -- The best way to _protect_ a key after it has been used is to destroy
  it.

 -- For keys that have yet to be used, a sufficient scheme (not the only
  scheme) for many purposes is to package the keys in a way that is
  tamper-resistant and verrry tamper-evident.

  The package must be tamper-evident in order to be secure. If there are
  signs of tampering, don't use the keys.

  The package must be at least somewhat tamper-resistant in order to
  protect the functionality against a too-easy DoS attack, i.e.
  superficial tampering.



> one of the attacks on the stored-value gift cards has been to skim the
> cards in the racks (before they've been activated) ... and check back
> later to see which cards are gone.


That indicates a gross lack of tamper-evident packaging, as discussed
above.  The store should never have activated a card that came from a
package that had been tampered with.

Travis H. wrote:

> What about degaussing?


That's even funnier.  Most CDs and DVDs are totally non-magnetic to begin
with.  Degaussing them is not going to have much effect.

There are, of course, NSA-approved degaussers for magnetic media, but
heretofore this thread hasn't been about magnetic media.



Re: [EMAIL PROTECTED]: Re: thoughts on one time pads]

2006-01-31 Thread Dave Howe
Eugen Leitl wrote:
> Sudden thermal stress (liquid nitrogen, etc) might be good enough to
> delaminate, leaving clear disks behind.

Not sure what the data surface is made from but - surely a suitable organic
solvent could remove the "paint" into suspension leaving a clear plastic disc
and no trace of organized data?



Re: thoughts on one time pads

2006-01-31 Thread Dave Howe
Peter Gutmann wrote:
> For no adequately explored reason I've tried various ways of physically
> destroying CDs:
> 
> - Hammer on hard surface: Leaves lots of little fragments, generally still stuck
>   together by the protective coating.
> 
> - Roasting over an open fire: Produces a Salvador Dali effect until they catch
>   fire, then huge amounts of toxic smoke ("fulfilling our carbon tax quota"
>   was one comment) and equally toxic-looking residue.
> 
> - Propane torch: Melts them without producing combustion products.
> 
> - Skilsaw: Melts them together at the cutting point, rest undamaged.
> 
> - Axe: Like skilsaw but without the melting effect.
> 
> - Using the propane torch and hammer to try and drop-forge a crude double-
>   density CD: Messy.
you tried just scraping the data carrier paint off with a knife?



Re: thoughts on one time pads

2006-01-31 Thread Dave Howe
Anne & Lynn Wheeler wrote:
> is there any more reason to destroy a daily key after it has been used
> than before it has been used?

  Yeah. tbh for good security, you should move your OTP keys into a secure
storage device (assuming you have one more secure than the cd-r) as soon as
possible then destroy the entire disk. I can envisage a tamper-proof storage
device that accepts an upload of raw key data, and stores 1gb of it in battery
backed dynamic ram, which will blank reasonably effectively if the power is 
removed.
  But for most people, I imagine a CD-R is probably much, much easier to arrange
physical security for than any other storage they may have access to, and both
cheaper and easier to destroy after one use (easiest way to ensure data can't be
retrieved) than say a USB storage dongle.



Re: thoughts on one time pads

2006-01-28 Thread Steven M. Bellovin
How high-assurance are these CD destruction methods?  I don't recall 
seeing any articles on CD data recovery under normal conditions, let 
alone these.  As always, it depends on your threat model.  (Aside: to 
me, the only reason for using one-time pads is because you don't trust 
conventional encryption algorithms.  Given that AES is rated for top 
secret traffic by NSA, I will assert that any enemy who has a chance of 
attacking it can devote considerable resources to data recovery from 
smashed CDs.)

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb





RE: thoughts on one time pads

2006-01-28 Thread Trei, Peter
You missed the old standby - the microwave oven.

The disk remains physically intact (at least after the
5 seconds or so I've tried), but a great deal of pretty
arcing occurs in the conductive data layer. Where the
arcs travel, the data layer is vapourized. 

The end result is an otherwise intact disk in which the
data layer is broken up into small intact islands 
surrounded by clear channels. It might be interesting
to try a longer burn, in which case you might also
want to put a glass of water in with the disk(s) to
preserve the microwave's electronics.

This is probably less effective than the other methods
you've described, but its very fast and leaves no noxious
residues. It also uses a very commonly available tool.

Peter Trei

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Peter Gutmann
Sent: Saturday, January 28, 2006 2:25 AM
To: cryptography@metzdowd.com; [EMAIL PROTECTED]
Subject: Re: thoughts on one time pads

Jonathan Thornburg <[EMAIL PROTECTED]> writes:

>Melting the CD should work... but in practice that takes a specialized "oven"
>(I seriously doubt my home oven gets hot enough), and is likely to
>produce toxic fumes, and leave behind a sticky mess (stuck to the
>surface of the specialized oven).

For no adequately explored reason I've tried various ways of physically
destroying CDs:

- Hammer on hard surface: Leaves lots of little fragments, generally
  still stuck together by the protective coating.

- Roasting over an open fire: Produces a Salvador Dali effect until they
  catch fire, then huge amounts of toxic smoke ("fulfilling our carbon tax
  quota" was one comment) and equally toxic-looking residue.

- Propane torch: Melts them without producing combustion products.

- Skilsaw: Melts them together at the cutting point, rest undamaged.

- Axe: Like skilsaw but without the melting effect.

- Using the propane torch and hammer to try and drop-forge a crude
  double-density CD: Messy.

Peter.




Re: thoughts on one time pads

2006-01-28 Thread Dave Howe
John Denker wrote:
> Dave Howe wrote:
> 
>> Hmm. can you selectively blank areas of CD-RW?
> 
> 
> Sure, you can.  It isn't so much different from rewriting any
> other type of disk.
Yeah, I know. Just unsure how effective blanking is on cd-rw for (say) a pattern
that has been in residence for two years, but now must be unrecoverable.


> There are various versions of getting rid of a disk file.
>  5) Grinding the disk to dust.  AFAIK this is the only NSA-approved
>   method.  A suitable grinder costs about $1400.00.
>http://cdrominc.com/product/1104.asp
for most, scratching off the carrier substrate is usually enough - I *might* be
persuaded some trace remains on the plastic disc afterwards, but I can't imagine
anyone recovering from a disk that had been
a) scraped clean then
b) thrown into a blast furnace containing liquid iron, or even a small home 
smelter.

However, I am more interested in methods to destroy just a single track at a
time, and I doubt you could deface the disk reliably *and* still retain read
ability on the remaining tracks.



Re: thoughts on one time pads

2006-01-28 Thread Travis H.
> There are various versions of getting rid of a disk file.
>   2) Zeroizing the blocks in place (followed by deletion).  This
>is vastly better, but still not entirely secure, because there
>are typically stray remnants of the pattern sitting "beside"
>the nominal track, and a sufficiently-determined adversary
>may be able to recover them.

I've discussed this before, and if you go back and read Gutmann's new
web page about remanence he says he hasn't ever seen any evidence that
anyone can recover after a single overwrite with zeroes.  For some
reason discussion of this pushes Garfinkel's buttons.

I think this is a MFM image of what you're talking about:

http://www.veeco.com/nanotheatre/nano_view_detail.asp?ImageID=78

>   4) Half-track trashing.  This requires wizardly disk hardware,
>which shifts the head half a track either side of nominal,
>and *then* writes random numbers.  I might be persuaded that
>this really gets rid of strays.

Wow, very cool idea.  I bet that'd work to recover data in some cases too.

>   5) Grinding the disk to dust.  AFAIK this is the only NSA-approved
>method.  A suitable grinder costs about $1400.00.
> http://cdrominc.com/product/1104.asp

What about degaussing?

http://www.semshred.com/content606.html
http://www.datalinksales.com/degaussers/v85.htm
http://www.degaussers-erasers.com/

Ah I had a good link a while back but lost it due to file corruption. 
Seriously :)

>One drawback with this is that you have to destroy a whole
>disk at a time.  That's a problem, because if you have a
>whole disk full of daily keys, you want to destroy each
>day's key as soon as you are through using it.  There
>are ways around this, such as reading the disk into volatile
>RAM and then grinding the disk ... then you just have to make
>sure the RAM is neither more volatile nor less volatile than
>you wanted it to be.  That is, you use the disk for *distribution*
>but not necessarily for intermediate-term storage.

I think one solution is that whenever the pad is on disk, it is
encrypted with a strong algorithm, and only decrypted as needed. 
Assuming you use an amenable algorithm, you can overwrite that portion
of the disk after use.  Not perfect security if the attacker gets
access to the overwritten data, but it degrades into an attack on the
conventional cipher.

I wonder how remanence in flash drives fares.
--
"The generation of random numbers is too important to be left to chance."
  -- Robert Coveyou -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B

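The scheme Travis sketches above (pad encrypted at rest, a portion decrypted only when needed, that portion of the disk overwritten after use) can be modelled in a few dozen lines. This is an added example for this page, not code from the thread: HMAC-SHA256 run in counter mode stands in for the "strong algorithm" (a real store would use AES or another block cipher), and the chunk size, the key-derivation label and the PadStore/otp_xor names are choices made here.

```python
"""One-time pad kept encrypted at rest, decrypted per chunk, overwritten once used.

Added example modelling the design Travis H. proposes; not code from the
thread. HMAC-SHA256 in counter mode stands in for a real cipher (assumption).
"""
import hashlib
import hmac
import secrets

CHUNK = 64  # bytes of pad handed out per use (constructed size)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter mode: stand-in for a block cipher's keystream."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class PadStore:
    """Holds OTP material as per-chunk ciphertexts; each chunk can be taken once."""

    def __init__(self, pad: bytes, master_key: bytes):
        if len(pad) % CHUNK:
            raise ValueError("pad length must be a multiple of CHUNK")
        self.master_key = master_key
        # Each chunk is encrypted under its own derived key, so releasing or
        # wiping one chunk says nothing about the others.
        self.cipher_chunks = [
            bytearray(xor(pad[i:i + CHUNK],
                          keystream(self._chunk_key(i // CHUNK), CHUNK)))
            for i in range(0, len(pad), CHUNK)
        ]

    def _chunk_key(self, index: int) -> bytes:
        label = b"otp-chunk" + index.to_bytes(4, "big")   # constructed label
        return hmac.new(self.master_key, label, hashlib.sha256).digest()

    def consume(self, index: int) -> bytes:
        """Decrypt chunk `index`, overwrite its stored ciphertext in place, and
        mark it used. Whatever remnant is later recovered from the overwritten
        region is ciphertext, so recovering the pad from it means attacking the
        cipher, which is the degradation Travis accepts."""
        stored = self.cipher_chunks[index]
        if stored is None:
            raise ValueError("chunk %d already used" % index)
        pad = xor(bytes(stored), keystream(self._chunk_key(index), CHUNK))
        stored[:] = secrets.token_bytes(CHUNK)   # overwrite before handing out
        self.cipher_chunks[index] = None
        return pad

    def unused(self) -> int:
        return sum(1 for c in self.cipher_chunks if c is not None)


def otp_xor(store: PadStore, index: int, data: bytes) -> bytes:
    """Encrypt or decrypt `data` with chunk `index`; the chunk is spent either way."""
    if len(data) > CHUNK:
        raise ValueError("message longer than one pad chunk")
    return xor(data, store.consume(index)[:len(data)])


if __name__ == "__main__":
    # Constructed shared material: both ends hold the same pad and master key.
    pad = secrets.token_bytes(4 * CHUNK)
    master = secrets.token_bytes(32)
    alice, bob = PadStore(pad, master), PadStore(pad, master)
    ct = otp_xor(alice, 0, b"meet at noon")
    print(otp_xor(bob, 0, ct), alice.unused(), bob.unused())
```

Both ends only need the same pad and the same master key to agree on every chunk key, and the overwrite in consume happens before the plaintext pad leaves the store. What the model does not address is where the master key lives, and a chunk decrypted into RAM inherits the volatility question John Denker raises in the quoted text: the disk has become a distribution medium, and the store's memory is now what has to be trusted.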


Re: thoughts on one time pads

2006-01-28 Thread Peter Gutmann
Jonathan Thornburg <[EMAIL PROTECTED]> writes:

>Melting the CD should work... but in practice that takes a specialized "oven"
>(I seriously doubt my home oven gets hot enough), and is likely to produce
>toxic fumes, and leave behind a sticky mess (stuck to the surface of the
>specialized oven).

For no adequately explored reason I've tried various ways of physically
destroying CDs:

- Hammer on hard surface: Leaves lots of little fragments, generally still stuck
  together by the protective coating.

- Roasting over an open fire: Produces a Salvador Dali effect until they catch
  fire, then huge amounts of toxic smoke ("fulfilling our carbon tax quota"
  was one comment) and equally toxic-looking residue.

- Propane torch: Melts them without producing combustion products.

- Skilsaw: Melts them together at the cutting point, rest undamaged.

- Axe: Like skilsaw but without the melting effect.

- Using the propane torch and hammer to try and drop-forge a crude double-
  density CD: Messy.

Peter.




Re: thoughts on one time pads

2006-01-27 Thread Anne & Lynn Wheeler
John Denker wrote:
>   One drawback with this is that you have to destroy a whole
>   disk at a time.  That's a problem, because if you have a
>   whole disk full of daily keys, you want to destroy each
>   day's key as soon as you are through using it.  There
>   are ways around this, such as reading the disk into volatile
>   RAM and then grinding the disk ... then you just have to make
>   sure the RAM is neither more volatile nor less volatile than
>   you wanted it to be.  That is, you use the disk for *distribution*
>   but not necessarily for intermediate-term storage.

is there any more reason to destroy a daily key after it has been used
than before it has been used?

one of the attacks on the stored-value gift cards has been to skim the
cards in the racks (before they've been activated) ... and check back
later to see which cards are gone.

i was standing at grocery store checkout last week ... apparently it was
the store manager ... one of the other employees came up with a gift
card that somebody had bought before xmas and gave as a present. they
had come back complaining that there was no money credited to the
account. it could have simply been an computer foul-up ... and then
again, it could have been somebody had skimmed the card, waited and then
drained the account.


Re: thoughts on one time pads

2006-01-27 Thread bear


On Thu, 26 Jan 2006, Adam Fields wrote:

>On Thu, Jan 26, 2006 at 06:09:52PM -0800, bear wrote:
>[...]
>> Of course, the obvious application for this OTP material,
>> other than text messaging itself, is to use it for key
>> distribution.
>
>Perhaps I missed something, but my impression was that the original
>post asked about how a CD full of random data could be used as a key
>distribution mechanism.

You did not miss anything; I confirmed the OP's supposition
explicitly, and I agree with it in principle.

Bear


Re: thoughts on one time pads

2006-01-27 Thread John Denker

Dave Howe wrote:

> Hmm. can you selectively blank areas of CD-RW?

Sure, you can.  It isn't so much different from rewriting any
other type of disk.

There are various versions of getting rid of a disk file.
 1) Deletion:  Throwing away the pointer and putting the blocks back
  on the free list.  This is well known to be grossly insecure.
 2) Zeroizing the blocks in place (followed by deletion).  This
  is vastly better, but still not entirely secure, because there
  are typically stray remnants of the pattern sitting "beside"
  the nominal track, and a sufficiently-determined adversary
  may be able to recover them.
 3) Trashing the blocks, i.e. overwriting them in place with
  crypto-grade random numbers (followed by optional zeroizing,
  followed by deletion).  This makes it harder for anyone to
  recover strays.
 4) Half-track trashing.  This requires wizardly disk hardware,
  which shifts the head half a track either side of nominal,
  and *then* writes random numbers.  I might be persuaded that
  this really gets rid of strays.
 5) Grinding the disk to dust.  AFAIK this is the only NSA-approved
  method.  A suitable grinder costs about $1400.00.
   http://cdrominc.com/product/1104.asp

  One drawback with this is that you have to destroy a whole
  disk at a time.  That's a problem, because if you have a
  whole disk full of daily keys, you want to destroy each
  day's key as soon as you are through using it.  There
  are ways around this, such as reading the disk into volatile
  RAM and then grinding the disk ... then you just have to make
  sure the RAM is neither more volatile nor less volatile than
  you wanted it to be.  That is, you use the disk for *distribution*
  but not necessarily for intermediate-term storage.



Re: thoughts on one time pads

2006-01-27 Thread Dave Howe
Jonathan Thornburg wrote:
> 1. How to insure physical security for the N years between when you
> exchange CDs and the use of a given chunk of keying material?  The
> "single CD" system is "brittle" -- a single black-bag burglary to
> copy the CD, and poof, the adversary has all your keys for the next
> N years.
Hmm. can you selectively blank areas of CD-RW?


Re: thoughts on one time pads

2006-01-27 Thread Travis H.
> I think that's because you missed the point.  You're confusing manual
> key distribution (which makes sense in some cases, but is unworkable
> in others) with using a one-time pad (a specific method of encrypting
> information that uses up key material very fast but has a security
> proof).

Actually, you're right, I was sort of conflating two ideas, since the
system I described is useful both for distributing key material and
for use as a OTP.

Specifically, we can either encrypt text messages using the pad, or
use a portion of the "pad" as a key for something else.  And if we're
really paranoid, we can encrypt a de novo key using OTP, which has the
property that the attacker must have that portion of the pad *and* the
transmission containing the OTP-encrypted new key to derive the new
key; merely having the pad doesn't buy you anything.

> Yep.  You've got to store the key material safely in transit and at
> the endpoints either way, though, and that's much easier for 256 bit
> AES keys (which can be put inside an off-the-shelf tamper-resistant
> token), and easier still for hashes of public keys (which only have to
> arrive unchanged--it doesn't matter if the bad guys learn the
> hashes).

Yes, but not without cost.  Those rest on more and more assumptions.

In theory, it rests on only one assumption; unpredictability of the
pad.  In practice it's unbreakable even if your RNG is badly broken
(for example, a bunch of typists asked to type random five-digit
groups).

> There are provably secure authentication schemes that use much less
> key material per message.  Google for universal hashing and IBC Hash,
> and for provably secure authentication schemes.  I seem to recall that
> Stinson has a really nice survey of this either webbed or in his
> book.  (Anyone else remember?)

I have his book, I'll check both.  I seem to remember him discussing
authentication a lot in the book.
--
"The generation of random numbers is too important to be left to chance."
  -- Robert Coveyou -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B


Re: thoughts on one time pads

2006-01-27 Thread John Kelsey
>From: "Travis H." <[EMAIL PROTECTED]>
>Sent: Jan 26, 2006 6:30 AM
>To: cryptography@metzdowd.com
>Subject: thoughts on one time pads

...
>In this article, Bruce Schneier argues against the practicality of a
>one-time pad:
>
>http://www.schneier.com/crypto-gram-0210.html#7
>
>I take issue with some of the assumptions raised there.

I think that's because you missed the point.  You're confusing manual
key distribution (which makes sense in some cases, but is unworkable
in others) with using a one-time pad (a specific method of encrypting
information that uses up key material very fast but has a security
proof).  

Manual key distribution means that I carry the key material to you by
hand.  This can be on a DVD or CD or tape or USB drive, or for that
matter on a piece of paper or punched card or cryptographic token.  

A one-time pad means that I take my key material, which must be
perfectly random for the proof to work, and XOR it with plaintext to
get ciphertext.  That can't possibly be cryptanalyzed, because there's
no information about the plaintext in the ciphertext, so long as the
key is unknown and random.  (Any plaintext could lead to any
ciphertext with equal probability.)   

...
>For example, you may have occasional physical meetings with a good
>friend, colleague, family member, or former co-worker.  Let's say you
>see them once every few years, maybe at a conference or a wedding or a
>funeral or some other occasion.  At such times, you could easily hand
>them a CD-ROM or USB flash drive full of key material.  Then, you
>could use that pad to encrypt messages to them until the next time you
>meet.  Let's say you send them ten 1kB messages per year.  Then a $1
>CD-ROM would hold enough data for 7 years of communication!  Heck,
>I could put the software on the image and make a dozen to keep with
>me, handing them out to new acquaintances as a sort of preemptive
>secure channel.

You're talking about manual key distribution here.  This works the
same for both OTPs and conventional encryption.  The difference is
that managing the keys in a secure way is *much* easier when you're
doing conventional encryption.  The only advantage using a one-time
pad gives here is that you don't have to worry about cryptanalysis.

And one-time pad encryption can't be used with anything but manual key
distribution, or other methods that are at least as awkward (like
quantum key distribution).  You can't hand me a business card with
your PGP fingerprint on it and establish secure communications with me
using a one-time pad, but you can using PGP and conventional crypto.  

...
>Excuse me?  This would in fact be a _perfect_ way to distribute key
>material for _other_ cryptosystems, such as PGP, SSH, IPSec, openvpn,
>gaim-encryption etc. etc.  You see, he's right in that the key
>distribution problem is the hardest problem for most computer
>cryptosystems.  So the OTP system I described here is the perfect
>complement for those systems; it gives them a huge tug on their
>bootstraps, gets them running on their own power.

But then you're not using an OTP anymore.  And there's no need for a
station wagon full of DVDs, you can use a piece of paper with a
32-digit hex string on it to exchange the AES key, ugly though that
is to type in.  In fact, there are some procedures people have worked
out to do this.  But it doesn't scale well.  

>I'm not sure it is even limited to this use case.  For example, before
>a ship sets out to sea, you could load it up with enough key material
>to last a few millennia.  How much key material could a courier carry?
>I bet it's a lot.  As they say, "never underestimate the bandwidth of
>a station wagon full of tapes".  And don't embassies have diplomatic
>pouches that get taken to them and such?

Yep.  You've got to store the key material safely in transit and at
the endpoints either way, though, and that's much easier for 256 bit
AES keys (which can be put inside an off-the-shelf tamper-resistant
token), and easier still for hashes of public keys (which only have to
arrive unchanged--it doesn't matter if the bad guys learn the
hashes).  

>So my questions to you are:
>
>1) Do you agree with my assessment?  If so, why has every crypto
>expert I've seen poo-pooed the idea?

Not to put too fine a point on it, it's because he's right and you're
wrong.  

>2) Assuming my use case, what kind of attacks should I worry about? 
>For example, he might leave the CD sitting around somewhere before
>putting it in his computer.  If it sits around on CD, physical access
>to it would compromise past and future communications.  If he copies
>it to flash or magnetic media, then destroys the CD, we can
>incrementally destroy the pad as it is used, but we have to worry
>about data remanence.

You have to worry about securing the key material from cradle to
grave, and operationally making sure you use the right key material
with the right person and never reuse it.  OTPs are terribly sensitive
to the randomne

Re: thoughts on one time pads

2006-01-27 Thread Jonathan Thornburg

Two other problems with using a CD for OTP key material:

1. How to insure physical security for the N years between when you
exchange CDs and the use of a given chunk of keying material?  The
"single CD" system is "brittle" -- a single black-bag burglary to
copy the CD, and poof, the adversary has all your keys for the next
N years.

2. How to securely destroy it after use, to prevent retrospective
dumpster-diving?  Nothing short of physical destruction will stop a
determined adversary... and physical destruction is *hard*:

Smashing the CD with a hammer leaves individual fragments which can
still be read with a microscope.  (That would yield "some" key bits;
a serious adversary could "drag" these across archived encrypted-traffic
to find the position which decrypts to something that's statistically
plaintext.)

Melting the CD should work... but in practice that takes a specialized
"oven" (I seriously doubt my home oven gets hot enough), and is likely
to produce toxic fumes, and leave behind a sticky mess (stuck to the
surface of the specialized oven).

ciao,

--
-- Jonathan Thornburg <[EMAIL PROTECTED]>
   Max-Planck-Institut fuer Gravitationsphysik (Albert-Einstein-Institut),
   Golm, Germany, "Old Europe" http://www.aei.mpg.de/~jthorn/home.html
   "Washing one's hands of the conflict between the powerful and the
powerless means to side with the powerful, not to be neutral."
  -- quote by Freire / poster by Oxfam



Re: thoughts on one time pads

2006-01-27 Thread Adam Fields
On Thu, Jan 26, 2006 at 06:09:52PM -0800, bear wrote:
[...]
> Of course, the obvious application for this OTP material,
> other than text messaging itself, is to use it for key
> distribution.

Perhaps I missed something, but my impression was that the original
post asked about how a CD full of random data could be used as a key
distribution mechanism.

-- 
- Adam

** Expert Technical Project and Business Management
 System Performance Analysis and Architecture
** [ http://www.everylastounce.com ]

[ http://www.aquick.org/blog ]  Blog
[ http://www.adamfields.com/resume.html ].. Experience
[ http://www.flickr.com/photos/fields ] ... Photos
[ http://www.aquicki.com/wiki ].Wiki
[ http://del.icio.us/fields ] . Links


Re: thoughts on one time pads

2006-01-26 Thread bear


On Thu, 26 Jan 2006, Travis H. wrote:

> For example, you may have occasional physical meetings with a good
> friend, colleague, family member, or former co-worker.  Let's say
> you see them once every few years, maybe at a conference or a
> wedding or a funeral or some other occasion.  At such times, you
> could easily hand them a CD-ROM or USB flash drive full of key
> material.  Then, you could use that pad to encrypt messages to them
> until the next time you meet.  Let's say you send them ten 1kB
> messages per year.  Then a $1 CD-ROM would hold enough data for
> 7 years of communication!  Heck, I could put the software on the
> image and make a dozen to keep with me, handing them out to new
> acquaintances as a sort of preemptive secure channel.

It's far easier and less error-prone to hand them a CD-ROM
full of symmetric keys indexed by date.

The problem is that most people will not take the care needed
to properly use a one-time pad.  For text communications like
this forum, they're great, and a (relatively) small amount of
keying material, as you suggest, will last for many years.

But modern applications are concerned with communicating *DATA*,
not original text; someone on the system is going to want to
send their buddy a 30-minute video of the professor explaining
a sticky point to the class, and where is your keying material
going then?  He wants to be ignorant of the details of the
cryptosystem; he just hits "secure send" and waits for magic
to happen.  Or if not a 30-minute video, then the last six
months of account records for the west coast division of the
company, or a nicely formatted document in a word processor
format that uses up a megabyte or two per page, or ...
whatever.  The OTP is nice for just plain text, but the more
bits a format consumes, the less useful it becomes.  And
fewer and fewer people even understand how much or how
little bandwidth something is; they think in terms of "human
bandwidth", the number of seconds or minutes of attention
required to read or listen to or watch something.

An OTP, as far as I'm concerned, makes a really good system,
but you have to respect its limits.  One of those limits is
a low-bandwidth medium like text-only messages, and in the
modern world that qualifies as "specialized."

Given a low-bandwidth medium, and indexing keying material
into daily chunks to prevent a system failure from resulting
in pad reuse, you get 600 MB on a CD-ROM.  Say you want a
century of secure communications, so you divide it into 8-
kilobyte chunks -- each day you can send 8 kilobytes and
he can send 8 kilobytes.  (Note that DVD-ROMs are better).

That gives you a little over 100 years (read, "all you're likely
to need, barring catastrophic medical advances,") of a very
secure low-bandwidth channel.

Of course, the obvious application for this OTP material,
other than text messaging itself, is to use it for key
distribution.

Bear

>Bruce acknowledges this by saying "[t]he exceptions to this are
>generally in specialized situations where simple key management is a
>solvable problem and the security requirement is timeshifting."  He
>then dismisses it by saying "[o]ne-time pads are useless for all but
>very specialized applications, primarily historical and non-computer."
>
>Excuse me?  This would in fact be a _perfect_ way to distribute key
>material for _other_ cryptosystems, such as PGP, SSH, IPSec, openvpn,
>gaim-encryption etc. etc.  You see, he's right in that the key
>distribution problem is the hardest problem for most computer
>cryptosystems.  So the OTP system I described here is the perfect
>complement for those systems; it gives them a huge tug on their
>bootstraps, gets them running on their own power.
>
>I'm not sure it is even limited to this use case.  For example, before
>a ship sets out to sea, you could load it up with enough key material
>to last a few millennia.  How much key material could a courier carry?
>I bet it's a lot.  As they say, "never underestimate the bandwidth of
>a station wagon full of tapes".  And don't embassies have diplomatic
>pouches that get taken to them and such?
>
>So my questions to you are:
>
>1) Do you agree with my assessment?  If so, why has every crypto
>expert I've seen poo-pooed the idea?
>
>2) Assuming my use case, what kind of attacks should I worry about?
>For example, he might leave the CD sitting around somewhere before
>putting it in his computer.  If it sits around on CD, physical access
>to it would compromise past and future communications.  If he copies
>it to flash or magnetic media, then destroys the CD, we can
>incrementally destroy the pad as it is used, but we have to worry
>about data remanence.
>
>3) How should one combine OTP with another conventional encryption
>method, so that if the pad is copied, we still have conventional
>cipher protection?  In this manner, one could use the same system for
>different use cases; one could, for example, 
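
Bear's arithmetic (600 MB, 8 kilobytes per direction per day) and his
point about indexing the pad into daily chunks so that a system failure
cannot cause reuse, worked through as an added Python example; this is
not code from the thread. The pad filler, the epoch date and the
zero-after-use bookkeeping are constructed assumptions for illustration.

```python
import datetime

CD_BYTES = 600 * 1024 * 1024   # the 600 MB CD-ROM from the post
CHUNK_BYTES = 8 * 1024         # 8 kilobytes per direction per day
EPOCH = datetime.date(2006, 1, 26)  # assumed day the CDs were exchanged


def days_of_pad(pad_bytes=CD_BYTES, chunk_bytes=CHUNK_BYTES, directions=2):
    """Days the pad lasts when each party gets one chunk per day."""
    return pad_bytes // (chunk_bytes * directions)


def years_of_pad(pad_bytes=CD_BYTES, chunk_bytes=CHUNK_BYTES, directions=2):
    return days_of_pad(pad_bytes, chunk_bytes, directions) / 365.25


def date_plus(n, base=EPOCH):
    return base + datetime.timedelta(days=n)


def make_demo_pad(days, chunk_bytes=CHUNK_BYTES):
    """Constructed, deterministic filler with no zero bytes. A stand-in
    for the demo only; a real pad must come from a true random source."""
    return bytearray((i % 255) + 1 for i in range(days * 2 * chunk_bytes))


class DatedPad:
    """Pad material indexed by calendar day and direction (0: A->B, 1: B->A).

    The chunk offset is a function of the date, not of a running counter,
    so a counter rewound by a backup restore cannot point at another day's
    material. Within a chunk, bytes are zeroed as they are consumed and the
    consumed prefix is rediscovered by counting leading zero bytes, so the
    bookkeeping lives in the pad itself. A genuinely random zero byte at
    the front of the unused region is skipped as if consumed: that wastes
    a byte but never reuses one.
    """

    def __init__(self, pad, epoch=EPOCH, chunk_bytes=CHUNK_BYTES):
        self.pad = pad
        self.epoch = epoch
        self.chunk = chunk_bytes
        self.days = len(pad) // (2 * chunk_bytes)

    def _offset(self, day, direction):
        n = (day - self.epoch).days
        if not 0 <= n < self.days:
            raise ValueError("date outside the pad's coverage")
        if direction not in (0, 1):
            raise ValueError("direction must be 0 or 1")
        return (2 * n + direction) * self.chunk

    def take(self, day, direction, length):
        """Return `length` fresh key bytes for (day, direction), then destroy them."""
        off = self._offset(day, direction)
        chunk = self.pad[off:off + self.chunk]
        used = 0
        while used < self.chunk and chunk[used] == 0:
            used += 1
        if used + length > self.chunk:
            raise ValueError("not enough unused pad left in this day's chunk")
        start = off + used
        key = bytes(self.pad[start:start + length])
        self.pad[start:start + length] = bytes(length)  # incremental destruction
        return key


def xor(a, b):
    """One-time-pad encryption and decryption are the same XOR."""
    return bytes(x ^ y for x, y in zip(a, b))


if __name__ == "__main__":
    print(days_of_pad(), "days, about", round(years_of_pad(), 1), "years")
    pad = DatedPad(make_demo_pad(3, 16), chunk_bytes=16)
    k = pad.take(date_plus(1), 0, 5)
    print(xor(xor(b"hello", k), k))  # round trip through the pad
```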

Re: thoughts on one time pads

2006-01-26 Thread Ralf Senderek
On Thu, 26 Jan 2006, Travis H. wrote:

> All I've got to say is, I'm on this like stink on doo-doo.  Being the
> thorough, methodical, paranoid person I am, I will be grateful for any
> pointers to prior work and thinking in this area. 

You may wish to look at:

Ueli M. Maurer: Conditionally-Perfect Secrecy and a Provably-Secure Randomized Cipher
in: Journal of Cryptography, vol 5, no. 1, pp. 53-66, 1992 (available online)

and

Ferguson, Schneier, Wagner: Security Weaknesses in Maurer-Like Randomized 
Stream Ciphers
published on Schneier's website

Regards
   Ralf Senderek


*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*
* Ralf Senderek  <[EMAIL PROTECTED]> http://senderek.com*  What is privacy  *
* Sandstr. 60   D-41849 Wassenberg  +49 2432-3960   *  without  *
* PGP: AB 2C 85 AB DB D3 10 E7  CD A4 F8 AC 52 FC A9 ED *Pure Crypto?   *
49466008763407508762442876812634724277805553224967086648493733366295231438448


Re: thoughts on one time pads

2006-01-26 Thread Jack Lloyd
On Thu, Jan 26, 2006 at 05:30:36AM -0600, Travis H. wrote:

[...]
> Excuse me?  This would in fact be a _perfect_ way to distribute key
> material for _other_ cryptosystems, such as PGP, SSH, IPSec, openvpn,
> gaim-encryption etc. etc.  You see, he's right in that the key
> distribution problem is the hardest problem for most computer
> cryptosystems.  So the OTP system I described here is the perfect
> complement for those systems; it gives them a huge tug on their
> bootstraps, gets them running on their own power.
[...]
> So my questions to you are:
> 
> 1) Do you agree with my assessment?  If so, why has every crypto
> expert I've seen poo-pooed the idea?

Your use case above suggests that you are still willing to trust conventional
ciphers to be secure, so, practically speaking, what is the difference between:

Key #1: 128 bits of one time pad
Key #2: AES_{masterkey}(counter++)

I'm not an "expert", but the reason I'd call it a bad idea (versus just not
worth the effort, which is all the AES/OTP comparison is suggesting) is it
introduces a need for synchronization, and that can be a hard thing to do
between arbitrary parties on a network.

> 2) Assuming my use case, what kind of attacks should I worry about? 
> For example, he might leave the CD sitting around somewhere before
> putting it in his computer.  If it sits around on CD, physical access
> to it would compromise past and future communications.  If he copies
> it to flash or magnetic media, then destroys the CD, we can
> incrementally destroy the pad as it is used, but we have to worry
> about data remanence.

I don't think attacks are the problem, so much as susceptibility to errors. To
even get started, you need a CD of truly random bits, which is fairly
non-trivial to do on many platforms (and it's difficult to test if your bits
are actually random or just look that way). More importantly, the key
management issues seem annoying and highly prone to catastrophic failure. For
example, I send you a message using the first N bits of the pad, my machine
crashes, I restore from backup (or a filesystem checkpoint), and then my index
into the pad is reset back to the start. Then I resend a second message using
the same pad bits. Problem.

I think your characterization of the possible attacks is pretty fair. But
compare the OTP failure mode "access to it would compromise past and future
communications", to the failure mode of, say, RSA authenticated DH key
exchange, which provides PFS and requires an active attack in order to attack
communications even after the key is compromised. Is OTP so much more secure
than a simple PK-based key exchange that it is worth even this single tradeoff
(not to mention the initial key exchange hassles and the need to store
megabytes of pad with anyone I might want to talk to)?

[...]
> 4) For authentication, it is simple to get excellent results from an
> OTP.  You simply send n bytes of the OTP, which an attacker has a
> 2^-8n chance in guessing.

That sounds prone to a man in the middle attack; what is to stop someone from
taking your authentication packet with the N bits of unguessable pad, cause
your connection to drop and then authenticating as you using the pad you sent
earlier?

You could probably do a challenge-response authentication based on pad bits
pretty easily, however, though doing it in a way that doesn't require a secure
hash might be a little trickier.

> How do we ensure message integrity?  Is it
> enough to include a checksum that is encrypted with the pad?  Does it
> depend on our method of encipherment?  Assuming the encipherment is
> XOR, is a CRC sufficient, or can one flip bits in the message and CRC
> field so as to cancel each other?

There are some attacks against WEP along those lines (they used RC4 to encrypt
the checksum, instead of a one time pad, but it would end up about the same, I
would think). Using HMAC keyed with pad bits seems a lot more sane to me...

> 6) How should one detect and recover from lost, reordered, or partial 
> messages?

I think that this question needs to be asked at all points to one of the flaws
of OTP from a practical standpoint.

-Jack
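
The integrity question above (is a CRC encrypted with the pad enough, or can
bits in the message and CRC field be flipped to cancel each other?) and the
HMAC-keyed-with-pad-bits alternative, as an added Python example; this is
not code from the thread. The demo pad, the messages and the 32-byte MAC
key slice are constructed assumptions.

```python
import hashlib
import hmac
import zlib

# Constructed, deterministic stand-in for pad bytes (a real pad must be random).
DEMO_PAD = bytes((i * 37 + 11) % 256 for i in range(96))
MAC_KEY_LEN = 32


def xor(a, b):
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def crc(m):
    return zlib.crc32(m).to_bytes(4, "big")


# Scheme A: message || CRC32, the whole thing XORed with the pad.
def seal_crc(pad, msg):
    body = msg + crc(msg)
    return xor(body, pad[:len(body)])


def open_crc(pad, ct):
    body = xor(ct, pad[:len(ct)])
    msg, tag = body[:-4], body[-4:]
    return msg, hmac.compare_digest(crc(msg), tag)


def flip_under_crc(ct, delta):
    """Why Scheme A gives no integrity: CRC32 is affine over XOR, so
    crc(m ^ d) == crc(m) ^ crc(d) ^ crc(0...0) for equal lengths. Anyone
    who can guess a plaintext difference `delta` can correct the four
    checksum bytes blind, without the pad (the WEP flaw the post mentions)."""
    tag_delta = xor(crc(delta), crc(bytes(len(delta))))
    return xor(ct, delta + tag_delta)


# Scheme B: XOR the message with pad bytes, then HMAC the ciphertext with a
# separate, never-reused slice of pad bytes as the key. Integrity now rests
# on HMAC-SHA256 rather than being information-theoretic, but a blind
# bit-flip is detected.
def seal_hmac(pad, msg):
    n = len(msg)
    ct = xor(msg, pad[:n])
    mac_key = pad[n:n + MAC_KEY_LEN]
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def open_hmac(pad, blob):
    ct, tag = blob[:-32], blob[-32:]
    n = len(ct)
    mac_key = pad[n:n + MAC_KEY_LEN]
    ok = hmac.compare_digest(hmac.new(mac_key, ct, hashlib.sha256).digest(), tag)
    return xor(ct, pad[:n]), ok


if __name__ == "__main__":
    msg, other = b"meet at noon", b"meet at dusk"
    forged = flip_under_crc(seal_crc(DEMO_PAD, msg), xor(msg, other))
    print("CRC scheme accepts forgery:", open_crc(DEMO_PAD, forged))
    blob = seal_hmac(DEMO_PAD, msg)
    tampered = xor(blob[:len(msg)], xor(msg, other)) + blob[len(msg):]
    print("HMAC scheme accepts forgery:", open_hmac(DEMO_PAD, tampered)[1])
```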


Re: thoughts on one time pads

2006-01-26 Thread Thierry Moreau

Travis H. wrote:

> In this article, Bruce Schneier argues against the practicality of a
> one-time pad:
>
> http://www.schneier.com/crypto-gram-0210.html#7
>
> I take issue with some of the assumptions raised there.
>
> [...] Then a $1
> CD-ROM would hold enough data for 7 years of communication! [...]
>
> So my questions to you are:
>
> 1) Do you agree with my assessment?  If so, why has every crypto
> expert I've seen poo-pooed the idea?

You shift to the problem of filling CDs with pure random data. Which
physical property do you want to sample and with which type of hardware
do you expect to sample it and at which rate, and with which protection
against eavesdropping during the sampling? At what cost? With what kind
of design assurance that the pure random data is indeed pure and random?

Have fun.

--

- Thierry Moreau

CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada   H2M 2A1

Tel.: (514)385-5691
Fax:  (514)385-5900

web site: http://www.connotech.com
e-mail: [EMAIL PROTECTED]
