Re: thoughts on one time pads

2006-02-08 Thread Travis H.
If anyone is interested in participating in the design of a system
that could be used for manual key distribution and/or OTP purposes,
email me.  I figure we can talk about our special cases off-list, and
maybe submit the final design to the list for people to take their
best crack at it.
--
Whosoever is delighted in solitude is either a wild beast or a god. --
http://www.lightconsulting.com/~travis/
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: CD shredders, was Re: thoughts on one time pads

2006-02-02 Thread Aram Perez

On Feb 1, 2006, at 3:50 AM, Travis H. wrote:


On 1/28/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

In our office, we have a shredder that happily
takes CDs and is designed to do so.  It is noisy
and cost $500.


Here's one for $40, although it doesn't appear to shred them so much
as make them pitted:

http://www.thinkgeek.com/gadgets/security/6d7f/


For a few more dollars, you can get one where the residue is powder:  
http://www.securityprousa.com/dodcddestroyer.html.





Re: CD shredders, was Re: thoughts on one time pads

2006-02-02 Thread James Deane

I have an Executive Machines EPS-1501X cross-cut
shredder (15 sheet, I think) which also shreds CDs. 
And it really shreds them, into about 1/4 x 1
strips.  It's no louder than any home/office other
shredder I've used, though it is louder when shredding
CDs.

Jim

--- Travis H. [EMAIL PROTECTED] wrote:

 On 1/28/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
  In our office, we have a shredder that happily
  takes CDs and is designed to do so.  It is noisy
  and cost $500.
 
 Here's one for $40, although it doesn't appear to shred them so much
 as make them pitted:
 
 http://www.thinkgeek.com/gadgets/security/6d7f/
 --
 The generation of random numbers is too important to be left to chance.
   -- Robert Coveyou --
 http://www.lightconsulting.com/~travis/
 GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
 

 


-- --- - --- --- 
James K. Deane 
Physicist and Geospatial Analyst
[EMAIL PROTECTED]
-- --- -  -- 



CD shredders, was Re: thoughts on one time pads

2006-02-01 Thread Travis H.
On 1/28/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 In our office, we have a shredder that happily
 takes CDs and is designed to do so.  It is noisy
 and cost $500.

Here's one for $40, although it doesn't appear to shred them so much
as make them pitted:

http://www.thinkgeek.com/gadgets/security/6d7f/
--
The generation of random numbers is too important to be left to chance.
  -- Robert Coveyou -- http://www.lightconsulting.com/~travis/
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B



Re: [EMAIL PROTECTED]: Re: thoughts on one time pads]

2006-01-31 Thread Dave Howe
Eugen Leitl wrote:
 Sudden thermal stress (liquid nitrogen, etc) might be good enough to
 delaminate, leaving clear disks behind.

Not sure what the data surface is made from but - surely a suitable organic
solvent could remove the paint into suspension leaving a clear plastic disc
and no trace of organized data?



Re: thoughts on one time pads

2006-01-31 Thread John Denker

Anne  Lynn Wheeler wrote:


is there any more reason to destroy a daily key after it has been used
than before it has been used?


That's quite an amusing turn of phrase.  There are two ways to
interpret it:

*) If taken literally, the idea of destroying a key _before_ it is
 used is truly an ingenious way to ensure security.  Alas there is
 some degradation of functionality, but isn't that always the case?
 Also the cost of key distribution goes way down once you decide you
 will only distribute already-destroyed keys.

*) Perhaps the intent was to speak about _protecting_ keys before and
 after use.  That's somewhat trickier to do securely, and is more
 dependent on the threat model ... but offers vastly greater functionality.

 -- The best way to _protect_ a key after it has been used is to destroy
  it.

 -- For keys that have not yet been used, a sufficient scheme (not the only
  scheme) for many purposes is to package the keys in a way that is
  tamper-resistant and verrry tamper-evident.

  The package must be tamper-evident in order to be secure. If there are
  signs of tampering, don't use the keys.

  The package must be at least somewhat tamper-resistant in order to
  protect the functionality against a too-easy DoS attack, i.e.
  superficial tampering.



one of the attacks on the stored-value gift cards has been to skim the
cards in the racks (before they've been activated) ... and check back
later to see which cards are gone.


That indicates a gross lack of tamper-evident packaging, as discussed
above.  The store should never have activated a card that came from a
package that had been tampered with.

Travis H. wrote:


What about degaussing?


That's even funnier.  Most CDs and DVDs are totally non-magnetic to begin
with.  Degaussing them is not going to have much effect.

There are, of course, NSA-approved degaussers for magnetic media, but
heretofore this thread hasn't been about magnetic media.



Re: thoughts on one time pads

2006-01-31 Thread Peter Fairbrother
Peter Gutmann wrote:

 Jonathan Thornburg [EMAIL PROTECTED] writes:
 
 Melting the CD should work... but in practice that takes a specialized oven
 (I seriously doubt my home oven gets hot enough), and is likely to produce
 toxic fumes, and leave behind a sticky mess (stuck to the surface of the
 specialized oven).
 
 For no adequately explored reason I've tried various ways of physically
 destroying CDs:

Does a microwave oven do anything? I've been reading too much Tom Clancy ...

It does get rid of the stuff on the top, leaving a surface that a bit of
sanding would make irretrievable, and some flakes that could be burned
maybe?



Another possibility might be to n-of-n [1] split the data up so you need to
have a whole disk rotation's worth in order to reconstruct any of it - that
might well make assured destruction a lot easier.

The repeatedly applied hammer would probably work well then, I doubt it's
that hard to destroy ~2^100 bits with a few blows to one track.

but the hot fiery furnace in the basement is probably still the best. :)







It used to be a fashion to have key signing parties when crypto people
gathered - and at several ones over the last few years I have seen CDs of
OTP data swapped instead. And DVDs are about the same price as CDs now.

I'm talking about the kind of careful people who get the message and do the
xor themselves, probably in shell script. No applications.

They can easily change to using symmetric keys to save OTP material (using
some of the otp for the symmetric key) when large files are sent - Here's
the porneo.mpg of Hillary Clinton [2], encrypted in AES with this key:
xxx...



Often doubly encrypted, typically using both Blowfish and AES with different
keys, in case one of those ciphers has been covertly broken.

Hey, why not? It costs nothing.


-- 
Peter Fairbrother



[1] the crypto variety of m-of-n splitting, but where m=n so you need all of
the pieces to reconstruct any of the whole - not the RAID variety of m-of-n
splitting, where you only need as much data as the original data.

[2] Anne Widdecombe?


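
Fairbrother's n-of-n idea, worked out as an added Python example (not code from the thread): each pad block is XOR-split into n shares, and share j of every block is stored in region j, where the n regions stand in for n physically separate areas of the disc. Reading any block then needs bytes from every region, so destroying one region destroys every block. The region model, the block size and the function names are assumptions for illustration.

```python
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def split_n_of_n(block: bytes, n: int) -> list:
    """XOR n-of-n splitting: n-1 uniformly random shares plus one share chosen
    so that all n XOR back to `block`.  Any n-1 shares are independent of the
    block, so once a single share is gone there is nothing left to recover."""
    if n < 2:
        raise ValueError("need at least two shares")
    shares = [os.urandom(len(block)) for _ in range(n - 1)]
    last = block
    for s in shares:
        last = xor_bytes(last, s)
    shares.append(last)
    return shares


def join_n_of_n(shares) -> bytes:
    if any(s is None for s in shares):
        raise ValueError("a share is missing; the block is unrecoverable")
    out = bytes(len(shares[0]))
    for s in shares:
        out = xor_bytes(out, s)
    return out


def disperse_pad(pad: bytes, n: int, block_size: int) -> list:
    """Lay the pad out as n regions (a hypothetical stand-in for n physically
    separate areas of the disc).  Pad block i puts its j-th share in region j,
    so reading any block needs bytes from every region."""
    if len(pad) % block_size:
        raise ValueError("pad length must be a multiple of block_size")
    regions = [bytearray() for _ in range(n)]
    for off in range(0, len(pad), block_size):
        for j, share in enumerate(split_n_of_n(pad[off:off + block_size], n)):
            regions[j] += share
    return [bytes(r) for r in regions]


def read_block(regions, i: int, block_size: int) -> bytes:
    lo, hi = i * block_size, (i + 1) * block_size
    return join_n_of_n([None if r is None else r[lo:hi] for r in regions])


def destroy_region(regions, j: int) -> list:
    """Model physical destruction of one region (one hammer blow, one track)."""
    return [None if k == j else r for k, r in enumerate(regions)]


def recoverable_dispersed(regions, n_blocks: int, block_size: int) -> int:
    count = 0
    for i in range(n_blocks):
        try:
            read_block(regions, i, block_size)
            count += 1
        except ValueError:
            pass
    return count


def recoverable_contiguous(pad_len: int, n: int, block_size: int, j: int) -> int:
    """Same damage against a plain contiguous layout: the pad occupies n equal
    regions in order, and only the blocks overlapping region j are lost."""
    region = pad_len // n
    lost_lo, lost_hi = j * region, (j + 1) * region
    count = 0
    for lo in range(0, pad_len, block_size):
        hi = lo + block_size
        if hi <= lost_lo or lo >= lost_hi:   # block lies entirely outside region j
            count += 1
    return count


if __name__ == "__main__":
    pad = os.urandom(32 * 8)                      # 8 blocks of 32 bytes
    regions = disperse_pad(pad, 4, 32)
    damaged = destroy_region(regions, 2)
    print("dispersed, one region destroyed:",
          recoverable_dispersed(damaged, 8, 32), "of 8 blocks readable")
    print("contiguous, one region destroyed:",
          recoverable_contiguous(len(pad), 4, 32, 2), "of 8 blocks readable")
```

The price is n times the storage and a read that touches every region, and the property cuts both ways: a scratch across one region makes the whole pad unusable for the legitimate parties too, which is the superficial-tampering DoS Denker mentions elsewhere in the thread.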


Re: thoughts on one time pads

2006-01-31 Thread Anne Lynn Wheeler
John Denker wrote:
 That indicates a gross lack of tamper-evident packaging, as discussed
 above.  The store should never have activated a card that came from a
 package that had been tampered with.

if you have seen many of the gift cards in racks at grocery stores ...
they can be skimmed w/o any tampering needed (many with no packaging at
all). it might be better that they were shipped in some sort of
packaging that would require tampering in order to skim.

i think that the conventional wisdom was that the cards were (nearly)
worthless until activated (and so why would anybody bother with a
worthless card).




Re: thoughts on one time pads

2006-01-31 Thread Anne Lynn Wheeler
John Denker wrote:
  -- The best way to _protect_ a key after it has been used is to destroy
   it.
 
  -- For keys that have not yet been used, a sufficient scheme (not the only
   scheme) for many purposes is to package the keys in a way that is
   tamper-resistant and verrry tamper-evident.

periodically there was some discussion about institutional-centric
tokens vis-a-vis person-centric tokens ... in one case specifically with
respect to being able to replace magstripe payment cards with tokens.

in the person-centric token scenario, the person can choose to have a
single token that they could use for all authentication purposes,
including all accounts (or choose how many tokens they want and which
purposes each token is used for).

at one point, there were counter arguments that a single card per
account (the current mechanism) was much preferred because of the
lost/stolen card problem. the problem is that the prevailing threat
model for lost/stolen cards is the purse or wallet containing all cards
(as opposed to individual cards).

the person-centric model at least would allow a person to replace all
cards subject to common threat model with a single token.

a major issue with cdrom one-time pads would be somebody skimming the
whole cdrom.

destroying keys as they are being used would appear to only be a
countermeasure to theft of the cdrom (in which case it is apparent that
unused pads are compromised and should be eliminated). however, skimming
the cdrom might not leave any trace that unused pads have been
compromised ... which turned out to be the issue in the gift card
skimming compromise.





Re: thoughts on one time pads

2006-01-31 Thread dan

In our office, we have a shredder that happily
takes CDs and is designed to do so.  It is noisy
and cost $500.

--dan




Re: thoughts on one time pads

2006-01-31 Thread John Denker

I forgot to mention in my previous message:

It is worth your time to read _Between Silk and Cyanide_.
That contains an example of somebody who thought really
hard about what his threat was, and came up with a system
to deal with the threat ... a system that ran counter to
the previous conventional wisdom.  It involved protecting
keys before use and destroying them after use.



RE: thoughts on one time pads

2006-01-31 Thread leichter_jerrold
[CD destruction] 
| You missed the old standby - the microwave oven.
| 
| The disk remains physically intact (at least after the
| 5 seconds or so I've tried), but a great deal of pretty
| arcing occurs in the conductive data layer. Where the
| arcs travel, the data layer is vapourized. 
| 
| The end result is an otherwise intact disk in which the
| data layer is broken up into small intact islands 
| surrounded by clear channels. It might be interesting
| to try a longer burn, in which case you might also
| want to put a glass of water in with the disk(s) to
| preserve the microwave's electronics.
| 
| This is probably less effective than the other methods
| you've described, but its very fast and leaves no noxious
| residues. It also uses a very commonly available tool.
As always, who are you defending against?  There are commercial CD shredders
whose effect - preserved islands with some destroyed material - is produced by
a much more prosaic approach:  The surface is covered with a grid of pits.
Only a small fraction of the surface is actually damaged, but no standard
device will have any chance of reading the disk.  I suppose specialized
hardware might do so, but even if it could, there's the question of the
encoding format.  CDs are written with error-correcting codes which can
recover from fairly significant damage - but if the damage exceeds their
correction capability, they provide no information about what was there to
begin with.

If you want to go further down the same route, grinding the whole surface of
the disk should work even better.

Of course, all this assumes that there's no way to polish or otherwise smooth
the protective plastic.  Polishing should work if the scratches aren't too
deep.  (The pits produced by the CD shredder I've seen look deep enough to
make this difficult, but that's tough to do over the whole surface.)

Probably the best approach would be better living through chemistry:  It
should be possible to dissolve or otherwise degrade the plastic, leaving the
internal metallic surface - very thin and delicate - easy to destroy.  One
would need to contact a chemist to determine the best way to do this.  (If
all else fails, sulfuric acid is likely pretty effective - if not something you
want to keep around.)

Realistically, especially given the error-correcting code issues, anything 
that breaks the CD into a large number of small pieces probably puts any 
recovery into the national lab range - if even they could do it.

-- Jerry




Re: thoughts on one time pads

2006-01-28 Thread Peter Gutmann
Jonathan Thornburg [EMAIL PROTECTED] writes:

Melting the CD should work... but in practice that takes a specialized oven
(I seriously doubt my home oven gets hot enough), and is likely to produce
toxic fumes, and leave behind a sticky mess (stuck to the surface of the
specialized oven).

For no adequately explored reason I've tried various ways of physically
destroying CDs:

- Hammer on hard surface: Leaves lots of little fragments, generally still stuck
  together by the protective coating.

- Roasting over an open fire: Produces a Salvador Dali effect until they catch
  fire, then huge amounts of toxic smoke (fulfilling our carbon tax quota
  was one comment) and equally toxic-looking residue.

- Propane torch: Melts them without producing combustion products.

- Skilsaw: Melts them together at the cutting point, rest undamaged.

- Axe: Like skilsaw but without the melting effect.

- Using the propane torch and hammer to try and drop-forge a crude double-
  density CD: Messy.

Peter.




Re: thoughts on one time pads

2006-01-28 Thread Travis H.
 There are various versions of getting rid of a disk file.
   2) Zeroizing the blocks in place (followed by deletion).  This
is vastly better, but still not entirely secure, because there
are typically stray remnants of the pattern sitting beside
the nominal track, and a sufficiently-determined adversary
may be able to recover them.

I've discussed this before, and if you go back and read Gutmann's new
web page about remanence he says he hasn't ever seen any evidence that
anyone can recover after a single overwrite with zeroes.  For some
reason discussion of this pushes Garfinkel's buttons.

I think this is a MFM image of what you're talking about:

http://www.veeco.com/nanotheatre/nano_view_detail.asp?ImageID=78

   4) Half-track trashing.  This requires wizardly disk hardware,
which shifts the head half a track either side of nominal,
and *then* writes random numbers.  I might be persuaded that
this really gets rid of strays.

Wow, very cool idea.  I bet that'd work to recover data in some cases too.

   5) Grinding the disk to dust.  AFAIK this is the only NSA-approved
method.  A suitable grinder costs about $1400.00.
 http://cdrominc.com/product/1104.asp

What about degaussing?

http://www.semshred.com/content606.html
http://www.datalinksales.com/degaussers/v85.htm
http://www.degaussers-erasers.com/

Ah I had a good link a while back but lost it due to file corruption. 
Seriously :)

One drawback with this is that you have to destroy a whole
disk at a time.  That's a problem, because if you have a
whole disk full of daily keys, you want to destroy each
day's key as soon as you are through using it.  There
are ways around this, such as reading the disk into volatile
RAM and then grinding the disk ... then you just have to make
sure the RAM is neither more volatile nor less volatile than
you wanted it to be.  That is, you use the disk for *distribution*
but not necessarily for intermediate-term storage.

I think one solution is that whenever the pad is on disk, it is
encrypted with a strong algorithm, and only decrypted as needed. 
Assuming you use an amenable algorithm, you can overwrite that portion
of the disk after use.  Not perfect security if the attacker gets
access to the overwritten data, but it degrades into an attack on the
conventional cipher.

I wonder how remanence in flash drives fares.
--
The generation of random numbers is too important to be left to chance.
  -- Robert Coveyou -- http://www.lightconsulting.com/~travis/
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B



Re: thoughts on one time pads

2006-01-28 Thread Dave Howe
John Denker wrote:
 Dave Howe wrote:
 
 Hmm. can you selectively blank areas of CD-RW?
 
 
 Sure, you can.  It isn't so much different from rewriting any
 other type of disk.
Yeah, I know. Just unsure how effective blanking is on cd-rw for (say) a pattern
that has been in residence for two years, but now must be unrecoverable.


 There are various versions of getting rid of a disk file.
  5) Grinding the disk to dust.  AFAIK this is the only NSA-approved
   method.  A suitable grinder costs about $1400.00.
http://cdrominc.com/product/1104.asp
for most, scratching off the carrier substrate is usually enough - I *might* be
persuaded some trace remains on the plastic disc afterwards, but I can't imagine
anyone recovering from a disk that had been
a) scraped clean then
b) thrown into a blast furnace containing liquid iron, or even a small home 
smelter.

However, I am more interested in methods to destroy just a single track at a
time, and I doubt you could deface the disk reliably *and* still retain read
ability on the remaining tracks.



RE: thoughts on one time pads

2006-01-28 Thread Trei, Peter
You missed the old standby - the microwave oven.

The disk remains physically intact (at least after the
5 seconds or so I've tried), but a great deal of pretty
arcing occurs in the conductive data layer. Where the
arcs travel, the data layer is vapourized. 

The end result is an otherwise intact disk in which the
data layer is broken up into small intact islands 
surrounded by clear channels. It might be interesting
to try a longer burn, in which case you might also
want to put a glass of water in with the disk(s) to
preserve the microwave's electronics.

This is probably less effective than the other methods
you've described, but its very fast and leaves no noxious
residues. It also uses a very commonly available tool.

Peter Trei

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Peter Gutmann
Sent: Saturday, January 28, 2006 2:25 AM
To: cryptography@metzdowd.com; [EMAIL PROTECTED]
Subject: Re: thoughts on one time pads

Jonathan Thornburg [EMAIL PROTECTED] writes:

Melting the CD should work... but in practice that takes a specialized oven
(I seriously doubt my home oven gets hot enough), and is likely to produce
toxic fumes, and leave behind a sticky mess (stuck to the surface of the
specialized oven).

For no adequately explored reason I've tried various ways of physically
destroying CDs:

- Hammer on hard surface: Leaves lots of little fragments, generally still stuck
  together by the protective coating.

- Roasting over an open fire: Produces a Salvador Dali effect until they catch
  fire, then huge amounts of toxic smoke (fulfilling our carbon tax quota
  was one comment) and equally toxic-looking residue.

- Propane torch: Melts them without producing combustion products.

- Skilsaw: Melts them together at the cutting point, rest undamaged.

- Axe: Like skilsaw but without the melting effect.

- Using the propane torch and hammer to try and drop-forge a crude double-
  density CD: Messy.

Peter.





Re: thoughts on one time pads

2006-01-27 Thread Adam Fields
On Thu, Jan 26, 2006 at 06:09:52PM -0800, bear wrote:
[...]
 Of course, the obvious application for this OTP material,
 other than text messaging itself, is to use it for key
 distribution.

Perhaps I missed something, but my impression was that the original
post asked about how a CD full of random data could be used as a key
distribution mechanism.

-- 
- Adam

** Expert Technical Project and Business Management
 System Performance Analysis and Architecture
** [ http://www.everylastounce.com ]

[ http://www.aquick.org/blog ]  Blog
[ http://www.adamfields.com/resume.html ].. Experience
[ http://www.flickr.com/photos/fields ] ... Photos
[ http://www.aquicki.com/wiki ].Wiki
[ http://del.icio.us/fields ] . Links






Re: thoughts on one time pads

2006-01-27 Thread Jonathan Thornburg

Two other problems with using a CD for OTP key material:

1. How to insure physical security for the N years between when you
exchange CDs and the use of a given chunk of keying material?  The
single CD system is brittle -- a single black-bag burglary to
copy the CD, and poof, the adversary has all your keys for the next
N years.

2. How to securely destroy it after use, to prevent retrospective
dumpster-diving?  Nothing short of physical destruction will stop a
determined adversary... and physical destruction is *hard*:

Smashing the CD with a hammer leaves individual fragments which can
still be read with a microscope.  (That would yield some key bits;
a serious adversary could drag these across archived encrypted-traffic
to find the position which decrypts to something that's statistically
plaintext.)

Melting the CD should work... but in practice that takes a specialized
oven (I seriously doubt my home oven gets hot enough), and is likely
to produce toxic fumes, and leave behind a sticky mess (stuck to the
surface of the specialized oven).

ciao,

--
-- Jonathan Thornburg [EMAIL PROTECTED]
   Max-Planck-Institut fuer Gravitationsphysik (Albert-Einstein-Institut),
   Golm, Germany, Old Europe http://www.aei.mpg.de/~jthorn/home.html
   Washing one's hands of the conflict between the powerful and the
powerless means to side with the powerful, not to be neutral.
  -- quote by Freire / poster by Oxfam


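
Thornburg's fragment attack, as an added Python example that is not part of the thread: a 16-byte run of pad bytes, assumed to have been read off a surviving shard at a position on the disc the attacker does not know, is dragged across an archived ciphertext, and every offset where the XOR yields text-like bytes is reported. The message, the pad (a deterministic hash-derived stand-in so the run is repeatable, not real pad material) and the shard are all constructed here.

```python
import hashlib

# Bytes we accept as "looks like text": printable ASCII plus tab, CR and LF.
PRINTABLE = set(range(0x20, 0x7f)) | {0x09, 0x0a, 0x0d}


def otp_xor(data: bytes, pad: bytes) -> bytes:
    if len(pad) < len(data):
        raise ValueError("not enough pad")
    return bytes(d ^ k for d, k in zip(data, pad))


def text_score(candidate: bytes) -> float:
    """Fraction of bytes that are text-like.  A crude stand-in for a real
    'is this statistically plaintext' test; adequate for ASCII messages."""
    return sum(b in PRINTABLE for b in candidate) / len(candidate)


def drag_fragment(fragment: bytes, ciphertext: bytes, threshold: float = 0.95) -> list:
    """Slide a recovered pad fragment across archived ciphertext and return
    (offset, candidate_plaintext, score) for every position where the XOR
    looks like text.  With a 16-byte fragment a wrong alignment passes the
    threshold with probability about (98/256)**16, so a hit is almost always
    the true alignment."""
    hits = []
    span = len(fragment)
    for off in range(len(ciphertext) - span + 1):
        cand = otp_xor(ciphertext[off:off + span], fragment)
        s = text_score(cand)
        if s >= threshold:
            hits.append((off, cand, s))
    return hits


def demo_pad(n: int, seed: bytes = b"demo-pad") -> bytes:
    """Deterministic stand-in for pad material so the example is repeatable.
    NOT suitable as a real pad: a one-time pad must be truly random."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


# Constructed traffic: one archived message encrypted under the pad.
MESSAGE = (b"Meet at the usual place at 0900 tomorrow. Bring the second set "
           b"of keys and the receipts from last month. Reply only on this channel.")
PAD = demo_pad(len(MESSAGE))
ARCHIVED_CIPHERTEXT = otp_xor(MESSAGE, PAD)

# Constructed "shard": 16 consecutive pad bytes read off a surviving fragment;
# where on the disc they came from is unknown to the attacker.
SHARD_OFFSET = 70
SHARD = PAD[SHARD_OFFSET:SHARD_OFFSET + 16]


def recover_from_shard(shard: bytes = SHARD,
                       ciphertext: bytes = ARCHIVED_CIPHERTEXT) -> list:
    return drag_fragment(shard, ciphertext)


if __name__ == "__main__":
    for off, cand, s in recover_from_shard():
        print(f"offset {off}: {cand!r} (score {s:.2f})")
```

The scoring is deliberately crude; against binary or compressed traffic you would replace `text_score` with a model of the expected plaintext. The point stands either way: every fragment of pad that survives is worth exactly as many plaintext bytes as its length, once aligned.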


Re: thoughts on one time pads

2006-01-27 Thread John Kelsey
From: Travis H. [EMAIL PROTECTED]
Sent: Jan 26, 2006 6:30 AM
To: cryptography@metzdowd.com
Subject: thoughts on one time pads

...
In this article, Bruce Schneier argues against the practicality of a
one-time pad:

http://www.schneier.com/crypto-gram-0210.html#7

I take issue with some of the assumptions raised there.

I think that's because you missed the point.  You're confusing manual
key distribution (which makes sense in some cases, but is unworkable
in others) with using a one-time pad (a specific method of encrypting
information that uses up key material very fast but has a security
proof).  

Manual key distribution means that I carry the key material to you by
hand.  This can be on a DVD or CD or tape or USB drive, or for that
matter on a piece of paper or punched card or cryptographic token.  

A one-time pad means that I take my key material, which must be
perfectly random for the proof to work, and XOR it with plaintext to
get ciphertext.  That can't possibly be cryptanalyzed, because there's
no information about the plaintext in the ciphertext, so long as the
key is unknown and random.  (Any plaintext could lead to any
ciphertext with equal probability.)   

...
For example, you may have occasional physical meetings with a good
friend, colleague, family member, or former co-worker.  Let's say you
see them once every few years, maybe at a conference or a wedding or a
funeral or some other occasion.  At such times, you could easily hand
them a CD-ROM or USB flash drive full of key material.  Then, you
could use that pad to encrypt messages to them until the next time you
meet.  Let's say you send them ten 1kB messages per year.  Then a $1
CD-ROM would hold enough data for 7 years of communication!  Heck,
I could put the software on the image and make a dozen to keep with
me, handing them out to new acquaintances as a sort of preemptive
secure channel.

You're talking about manual key distribution here.  This works the
same for both OTPs and conventional encryption.  The difference is
that managing the keys in a secure way is *much* easier when you're
doing conventional encryption.  The only advantage using a one-time
pad gives here is that you don't have to worry about cryptanalysis.

And one-time pad encryption can't be used with anything but manual key
distribution, or other methods that are at least as awkward (like
quantum key distribution).  You can't hand me a business card with
your PGP fingerprint on it and establish secure communications with me
using a one-time pad, but you can using PGP and conventional crypto.  

...
Excuse me?  This would in fact be a _perfect_ way to distribute key
material for _other_ cryptosystems, such as PGP, SSH, IPSec, openvpn,
gaim-encryption etc. etc.  You see, he's right in that the key
distribution problem is the hardest problem for most computer
cryptosystems.  So the OTP system I described here is the perfect
complement for those systems; it gives them a huge tug on their
bootstraps, gets them running on their own power.

But then you're not using an OTP anymore.  And there's no need for a
station wagon full of DVDs, you can use a piece of paper with a
32-digit hex string on it to exchange the AES key, ugly though that
is to type in.  In fact, there are some procedures people have worked
out to do this.  But it doesn't scale well.  

I'm not sure it is even limited to this use case.  For example, before
a ship sets out to sea, you could load it up with enough key material
to last a few millennia.  How much key material could a courier carry? 
I bet it's a lot.  As they say, never underestimate the bandwidth of
a station wagon full of tapes.  And don't embassies have diplomatic
pouches that get taken to them and such?

Yep.  You've got to store the key material safely in transit and at
the endpoints either way, though, and that's much easier for 256 bit
AES keys (which can be put inside an off-the-shelf tamper-resistant
token), and easier still for hashes of public keys (which only have to
arrive unchanged--it doesn't matter if the bad guys learn the
hashes).  

So my questions to you are:

1) Do you agree with my assessment?  If so, why has every crypto
expert I've seen poo-pooed the idea?

Not to put too fine a point on it, it's because he's right and you're
wrong.  

2) Assuming my use case, what kind of attacks should I worry about? 
For example, he might leave the CD sitting around somewhere before
putting it in his computer.  If it sits around on CD, physical access
to it would compromise past and future communications.  If he copies
it to flash or magnetic media, then destroys the CD, we can
incrementally destroy the pad as it is used, but we have to worry
about data remanence.

You have to worry about securing the key material from cradle to
grave, and operationally making sure you use the right key material
with the right person and never reuse it.  OTPs are terribly sensitive
to the randomness of your key material (if you screw up and use 
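
The two claims in the reply above (the ciphertext carries no information about the plaintext as long as the key is random and unknown, and reusing the key destroys that), as an added Python example that is not Kelsey's code: for a tiny message every possible key is enumerated and the ciphertext distribution is shown to be identical for different plaintexts; then the same key is used twice and one plaintext is recovered from the other without touching the key. The keys and messages are constructed.

```python
from collections import Counter


def otp_xor(data: bytes, key: bytes) -> bytes:
    if len(key) != len(data):
        raise ValueError("key must be exactly as long as the data")
    return bytes(d ^ k for d, k in zip(data, key))


def ciphertext_distribution(plaintext: bytes) -> Counter:
    """Enumerate every key of the right length (keep the plaintext tiny) and
    count how often each ciphertext occurs.  Under a uniformly random key every
    ciphertext occurs exactly once, whatever the plaintext was."""
    n = len(plaintext)
    if n > 2:
        raise ValueError("256**n keys to try; keep n <= 2 for the demo")
    counts = Counter()
    for k in range(256 ** n):
        key = k.to_bytes(n, "big")
        counts[otp_xor(plaintext, key)] += 1
    return counts


def same_distribution(p1: bytes, p2: bytes) -> bool:
    """The ciphertext distribution does not depend on the plaintext, so an
    observer of the ciphertext alone cannot tell p1 from p2."""
    return ciphertext_distribution(p1) == ciphertext_distribution(p2)


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """If one key encrypts two messages the key cancels out:
    c1 XOR c2 == p1 XOR p2.  No knowledge of the key is needed."""
    return otp_xor(c1, c2)


def recover_other(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """With one plaintext known or guessed, the other falls straight out."""
    return otp_xor(two_time_pad_leak(c1, c2), known_p1)


if __name__ == "__main__":
    print("uniform for b'A':", set(ciphertext_distribution(b"A").values()) == {1})
    print("same distribution for b'hi' and b'no':", same_distribution(b"hi", b"no"))
    key = bytes([0x13, 0x37, 0x42, 0xde, 0xad, 0xbe])          # constructed, reused by mistake
    c1, c2 = otp_xor(b"ATTACK", key), otp_xor(b"RETURN", key)
    print("recovered second message:", recover_other(c1, c2, b"ATTACK"))
```

The enumeration is the security proof made concrete; the reuse half is why "never reuse it" in the reply is not advice but a hard requirement.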

Re: thoughts on one time pads

2006-01-27 Thread Dave Howe
Jonathan Thornburg wrote:
 1. How to insure physical security for the N years between when you
 exchange CDs and the use of a given chunk of keying material?  The
 single CD system is brittle -- a single black-bag burglary to
 copy the CD, and poof, the adversary has all your keys for the next
 N years.
Hmm. can you selectively blank areas of CD-RW?



Re: thoughts on one time pads

2006-01-27 Thread John Denker

Dave Howe wrote:


Hmm. can you selectively blank areas of CD-RW?


Sure, you can.  It isn't so much different from rewriting any
other type of disk.

There are various versions of getting rid of a disk file.
 1) Deletion:  Throwing away the pointer and putting the blocks back
  on the free list.  This is well known to be grossly insecure.
 2) Zeroizing the blocks in place (followed by deletion).  This
  is vastly better, but still not entirely secure, because there
  are typically stray remnants of the pattern sitting beside
  the nominal track, and a sufficiently-determined adversary
  may be able to recover them.
 3) Trashing the blocks, i.e. overwriting them in place with
  crypto-grade random numbers (followed by optional zeroizing,
  followed by deletion).  This makes it harder for anyone to
  recover strays.
 4) Half-track trashing.  This requires wizardly disk hardware,
  which shifts the head half a track either side of nominal,
  and *then* writes random numbers.  I might be persuaded that
  this really gets rid of strays.
 5) Grinding the disk to dust.  AFAIK this is the only NSA-approved
  method.  A suitable grinder costs about $1400.00.
   http://cdrominc.com/product/1104.asp

  One drawback with this is that you have to destroy a whole
  disk at a time.  That's a problem, because if you have a
  whole disk full of daily keys, you want to destroy each
  day's key as soon as you are through using it.  There
  are ways around this, such as reading the disk into volatile
  RAM and then grinding the disk ... then you just have to make
  sure the RAM is neither more volatile nor less volatile than
  you wanted it to be.  That is, you use the disk for *distribution*
  but not necessarily for intermediate-term storage.


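
Denker's point that each day's key should be destroyed as soon as it has been used, as an added Python example (not code from the thread): a pad held in an ordinary file is consumed sequentially, and each used range is trashed in place by overwriting it with crypto-grade random bytes and then zeros, with an fsync after each pass (his method 3). The cursor is committed before the overwrite so that a crash can never hand the same bytes out twice. The raw file layout, the `.pos` cursor file and the class and function names are assumptions for illustration.

```python
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def write_pad_copy(path: str, data: bytes) -> None:
    """Write pad bytes for one party and reset that party's cursor to 0."""
    with open(path, "wb") as f:
        f.write(data)
    with open(path + ".pos", "w") as f:
        f.write("0")


def write_pad(path: str, n: int) -> bytes:
    """Create a fresh pad of n random bytes; return them so the other
    party's copy can be written with write_pad_copy()."""
    data = os.urandom(n)
    write_pad_copy(path, data)
    return data


def read_raw(path: str, off: int, n: int) -> bytes:
    """Look at what is physically in the file (for checking the trashing)."""
    with open(path, "rb") as f:
        f.seek(off)
        return f.read(n)


class PadFile:
    """Sequential consumer of a pad held in an ordinary file.  Assumed layout:
    the pad is raw bytes, and a side file `<path>.pos` holds the offset of the
    first unused byte."""

    def __init__(self, path: str):
        self.path = path
        self.pos_path = path + ".pos"

    def position(self) -> int:
        with open(self.pos_path) as f:
            return int(f.read().strip() or "0")

    def remaining(self) -> int:
        return os.path.getsize(self.path) - self.position()

    def _commit_position(self, pos: int) -> None:
        with open(self.pos_path, "w") as f:
            f.write(str(pos))
            f.flush()
            os.fsync(f.fileno())

    def take(self, n: int) -> bytes:
        """Hand out the next n pad bytes and trash them in place."""
        pos = self.position()
        with open(self.path, "r+b") as f:
            f.seek(pos)
            key = f.read(n)
            if len(key) < n:
                raise RuntimeError("pad exhausted; refusing to reuse material")
            self._commit_position(pos + n)        # consumed, even if we crash below
            for fill in (os.urandom(n), bytes(n)):  # random pass, then zero pass
                f.seek(pos)
                f.write(fill)
                f.flush()
                os.fsync(f.fileno())
        return key


def encrypt(pad: PadFile, message: bytes) -> bytes:
    return xor_bytes(message, pad.take(len(message)))


def decrypt(pad: PadFile, ciphertext: bytes) -> bytes:
    return xor_bytes(ciphertext, pad.take(len(ciphertext)))


if __name__ == "__main__":
    data = write_pad("otp_demo_alice.bin", 64)
    write_pad_copy("otp_demo_bob.bin", data)
    alice, bob = PadFile("otp_demo_alice.bin"), PadFile("otp_demo_bob.bin")
    ct = encrypt(alice, b"hello")
    print(decrypt(bob, ct), "first 5 bytes on Alice's disk now:", read_raw("otp_demo_alice.bin", 0, 5))
```

The overwrite only reaches the same physical location on media and filesystems that rewrite in place. Flash wear levelling, journaling or copy-on-write filesystems and CD-RW relocation can all leave the old bytes elsewhere, which is the remanence question raised further down the thread; treat this as the logical-deletion step that lets a single disk hold many days' keys, not as a substitute for destroying the carrier.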


Re: thoughts on one time pads

2006-01-27 Thread bear


On Thu, 26 Jan 2006, Adam Fields wrote:

On Thu, Jan 26, 2006 at 06:09:52PM -0800, bear wrote:
[...]
 Of course, the obvious application for this OTP material,
 other than text messaging itself, is to use it for key
 distribution.

Perhaps I missed something, but my impression was that the original
post asked about how a CD full of random data could be used as a key
distribution mechanism.

You did not miss anything; I confirmed the OP's supposition
explicitly, and I agree with it in principle.

Bear



Re: thoughts on one time pads

2006-01-27 Thread Anne Lynn Wheeler
John Denker wrote:
   One drawback with this is that you have to destroy a whole
   disk at a time.  That's a problem, because if you have a
   whole disk full of daily keys, you want to destroy each
   day's key as soon as you are through using it.  There
   are ways around this, such as reading the disk into volatile
   RAM and then grinding the disk ... then you just have to make
   sure the RAM is neither more volatile nor less volatile than
   you wanted it to be.  That is, you use the disk for *distribution*
   but not necessarily for intermediate-term storage.

is there any more reason to destroy a daily key after it has been used
than before it has been used?

one of the attacks on the stored-value gift cards has been to skim the
cards in the racks (before they've been activated) ... and check back
later to see which cards are gone.

i was standing at grocery store checkout last week ... apparently it was
the store manager ... one of the other employees came up with a gift
card that somebody had bought before xmas and gave as a present. they
had come back complaining that there was no money credited to the
account. it could have simply been a computer foul-up ... and then
again, it could have been somebody had skimmed the card, waited and then
drained the account.



Re: thoughts on one time pads

2006-01-26 Thread Thierry Moreau



Travis H. wrote:


In this article, Bruce Schneier argues against the practicality of a
one-time pad:

http://www.schneier.com/crypto-gram-0210.html#7

I take issue with some of the assumptions raised there.

[...] Then a $1
CD-ROM would hold enough data for 7 years of communication! [...]

So my questions to you are:

1) Do you agree with my assessment?  If so, why has every crypto
expert I've seen poo-pooed the idea?



You shift to the problem of filling CDs with pure random data. Which 
physical property do you want to sample and with which type of hardware 
do you expect to sample it and at which rate, and with which protection 
against eavesdropping during the sampling? At what cost? With what kind 
of design assurance that the pure random data is indeed pure and random?


Have fun.

--

- Thierry Moreau

CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada   H2M 2A1

Tel.: (514)385-5691
Fax:  (514)385-5900

web site: http://www.connotech.com
e-mail: [EMAIL PROTECTED]




Re: thoughts on one time pads

2006-01-26 Thread Jack Lloyd
On Thu, Jan 26, 2006 at 05:30:36AM -0600, Travis H. wrote:

[...]
 Excuse me?  This would in fact be a _perfect_ way to distribute key
 material for _other_ cryptosystems, such as PGP, SSH, IPSec, openvpn,
 gaim-encryption etc. etc.  You see, he's right in that the key
 distribution problem is the hardest problem for most computer
 cryptosystems.  So the OTP system I described here is the perfect
 complement for those systems; it gives them a huge tug on their
 bootstraps, gets them running on their own power.
[...]
 So my questions to you are:
 
 1) Do you agree with my assessment?  If so, why has every crypto
 expert I've seen poo-pooed the idea?

Your use case above suggests that you are still willing to trust conventional
ciphers to be secure, so, practically speaking, what is the difference between:

Key #1: 128 bits of one time pad
Key #2: AES_{masterkey}(counter++)

I'm not an expert, but the reason I'd call it a bad idea (versus just not
worth the effort, which is all the AES/OTP comparison is suggesting) is it
introduces a need for synchronization, and that can be a hard thing to do
between arbitrary parties on a network.

 2) Assuming my use case, what kind of attacks should I worry about? 
 For example, he might leave the CD sitting around somewhere before
 putting it in his computer.  If it sits around on CD, physical access
 to it would compromise past and future communications.  If he copies
 it to flash or magnetic media, then destroys the CD, we can
 incrementally destroy the pad as it is used, but we have to worry
 about data remanence.

I don't think attacks are the problem, so much as susceptibility to errors. To
even get started, you need a CD of truly random bits, which is fairly
non-trivial to do on many platforms (and it's difficult to test if your bits
are actually random or just look that way). More importantly, the key
management issues seem annoying and highly prone to catastrophic failure. For
example, I send you a message using the first N bits of the pad, my machine
crashes, I restore from backup (or a filesystem checkpoint), and then my index
into the pad is reset back to the start. Then I resend a second message using
the same pad bits. Problem.

I think your characterization of the possible attacks is pretty fair. But
compare the OTP failure mode "access to it would compromise past and future
communications", to the failure mode of, say, RSA authenticated DH key
exchange, which provides PFS and requires an active attack in order to attack
communications even after the key is compromised. Is OTP so much more secure
than a simple PK-based key exchange that it is worth even this single tradeoff
(not to mention the initial key exchange hassles and the need to store
megabytes of pad with anyone I might want to talk to)?

[...]
 4) For authentication, it is simple to get excellent results from an
 OTP.  You simply send n bytes of the OTP, which an attacker has a
 2^-8n chance in guessing.

That sounds prone to a man in the middle attack; what is to stop someone from
taking your authentication packet with the N bits of unguessable pad, cause
your connection to drop and then authenticating as you using the pad you sent
earlier?

You could probably do a challenge-response authentication based on pad bits
pretty easily, however, though doing it in a way that doesn't require a secure
hash might be a little trickier.

 How do we ensure message integrity?  Is it
 enough to include a checksum that is encrypted with the pad?  Does it
 depend on our method of encipherment?  Assuming the encipherment is
 XOR, is a CRC sufficient, or can one flip bits in the message and CRC
 field so as to cancel each other?

There are some attacks against WEP along those lines (they used RC4 to encrypt
the checksum, instead of a one time pad, but it would end up about the same, I
would think). Using HMAC keyed with pad bits seems a lot more sane to me...

 6) How should one detect and recover from lost, reordered, or partial 
 messages?

I think that the fact this question needs to be asked at all points to one of
the flaws of OTP from a practical standpoint.

-Jack
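To make Jack's integrity point concrete, here is an added example (not code from Jack's post or anywhere in the thread): because CRC32 is affine, an XOR-encrypted CRC field can be adjusted to match a change in the encrypted message without the pad, whereas an HMAC keyed from separate pad bytes rejects the same change. The message and pad values are constructed.

```python
"""Added example, not from the thread: an XORed CRC is no integrity check.

CRC32 is affine, so under an XOR pad a change to the ciphertext can be
matched by a compensating change to the encrypted CRC field without the
pad; an HMAC keyed from separate pad bytes has no such property.
"""
import hashlib
import hmac
import os
import zlib

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def seal_crc(pad: bytes, msg: bytes) -> bytes:
    """Weak design: XOR-encrypt msg || CRC32(msg) with the pad."""
    return xor_bytes(msg + zlib.crc32(msg).to_bytes(4, "big"), pad)

def open_crc(pad: bytes, ct: bytes):
    pt = xor_bytes(ct, pad)
    msg, tag = pt[:-4], pt[-4:]
    return msg if zlib.crc32(msg).to_bytes(4, "big") == tag else None

def tamper_crc_sealed(ct: bytes, diff: bytes) -> bytes:
    """Apply XOR difference `diff` to the encrypted message and fix the CRC field.
    Uses crc(m ^ d) == crc(m) ^ crc(d) ^ crc(zeros), so the pad is never needed."""
    fix = zlib.crc32(diff) ^ zlib.crc32(bytes(len(diff)))
    return xor_bytes(ct, diff + fix.to_bytes(4, "big"))

def seal_hmac(pad: bytes, msg: bytes) -> bytes:
    """Better design: encrypt with one pad slice, HMAC the ciphertext with another."""
    n = len(msg)
    ct = xor_bytes(msg, pad[:n])
    return ct + hmac.new(pad[n:n + 32], ct, hashlib.sha256).digest()

def open_hmac(pad: bytes, blob: bytes):
    ct, tag = blob[:-32], blob[-32:]
    n = len(ct)
    expect = hmac.new(pad[n:n + 32], ct, hashlib.sha256).digest()
    return xor_bytes(ct, pad[:n]) if hmac.compare_digest(expect, tag) else None

def demo():
    """Same bit flips against both designs: CRC accepts the altered text, HMAC rejects it."""
    msg, pad = b"PAY 0100 TO BOB", os.urandom(64)   # constructed sample message and pad
    diff = xor_bytes(msg, b"PAY 9100 TO BOB")
    weak = open_crc(pad, tamper_crc_sealed(seal_crc(pad, msg), diff))
    strong = open_hmac(pad, xor_bytes(seal_hmac(pad, msg), diff + bytes(32)))
    return weak, strong  # (b'PAY 9100 TO BOB', None)
```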



Re: thoughts on one time pads

2006-01-26 Thread Ralf Senderek
On Thu, 26 Jan 2006, Travis H. wrote:

 All I've got to say is, I'm on this like stink on doo-doo.  Being the
 thorough, methodical, paranoid person I am, I will be grateful for any
 pointers to prior work and thinking in this area. 

You may wish to look at:

Ueli M. Maurer: Conditionally-Perfect Secrecy and a Provably-Secure Randomized 
Cipher
in: Journal of Cryptography, vol 5, no. 1, pp. 53-66, 1992 (available online)

and

Ferguson, Schneier, Wagner: Security Weaknesses in Maurer-Like Randomized 
Stream Ciphers
published on Schneier's website

Regards
   Ralf Senderek


*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*
* Ralf Senderek  [EMAIL PROTECTED] http://senderek.com*  What is privacy  *
* Sandstr. 60   D-41849 Wassenberg  +49 2432-3960   *  without  *
* PGP: AB 2C 85 AB DB D3 10 E7  CD A4 F8 AC 52 FC A9 ED *Pure Crypto?   *
49466008763407508762442876812634724277805553224967086648493733366295231438448



Re: thoughts on one time pads

2006-01-26 Thread bear


On Thu, 26 Jan 2006, Travis H. wrote:

 For example, you may have occasional physical meetings with a good
 friend, colleague, family member, or former co-worker.  Let's say
 you see them once every few years, maybe at a conference or a
 wedding or a funeral or some other occasion.  At such times, you
 could easily hand them a CD-ROM or USB flash drive full of key
 material.  Then, you could use that pad to encrypt messages to them
 until the next time you meet.  Let's say you send them ten 1kB
 messages per year.  Then a $1 CD-ROM would hold enough data for
 7 years of communication!  Heck, I could put the software on the
 image and make a dozen to keep with me, handing them out to new
 acquaintances as a sort of preemptive secure channel.

It's far easier and less error-prone to hand them a CD-ROM
full of symmetric keys indexed by date.

The problem is that most people will not take the care needed
to properly use a one-time pad.  For text communications like
this forum, they're great, and a (relatively) small amount of
keying material, as you suggest, will last for many years.

But modern applications are concerned with communicating *DATA*,
not original text; someone on the system is going to want to
send their buddy a 30-minute video of the professor explaining
a sticky point to the class, and where is your keying material
going then?  He wants to be ignorant of the details of the
cryptosystem; he just hits "secure send" and waits for magic
to happen.  Or if not a 30-minute video, then the last six
months of account records for the west coast division of the
company, or a nicely formatted document in a word processor
format that uses up a megabyte or two per page, or ...
whatever.  The OTP is nice for just plain text, but the more
bits a format consumes, the less useful it becomes.  And
fewer and fewer people even understand how much or how
little bandwidth something is; they think in terms of human
bandwidth, the number of seconds or minutes of attention
required to read or listen to or watch something.

An OTP, as far as I'm concerned, makes a really good system,
but you have to respect its limits.  One of those limits is
a low-bandwidth medium like text-only messages, and in the
modern world that qualifies as specialized.

Given a low-bandwidth medium, and indexing keying material
into daily chunks to prevent a system failure from resulting
in pad reuse, you get 600 MB on a CD-ROM.  Say you want a
century of secure communications, so you divide it into 8-
kilobyte chunks -- each day you can send 8 kilobytes and
he can send 8 kilobytes.  (Note that DVD-ROMs are better).

That gives you a little over 100 years (read, all you're likely
to need, barring catastrophic medical advances,) of a very
secure low-bandwidth channel.

Of course, the obvious application for this OTP material,
other than text messaging itself, is to use it for key
distribution.

Bear
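As an added illustration of bear's date-indexed layout (not code from bear's post or anywhere in the thread), the following assumes a 600 MB pad handed over on 2006-01-26 and derives each day's chunk offset from the calendar date rather than a stored counter, so a restore from backup cannot rewind the index into used pad; the in-memory wipe follows Denker's read-into-RAM suggestion and is best-effort only.

```python
"""Added example, not from the thread: a date-indexed pad layout.

Follows bear's sketch: a 600 MB CD divided into daily chunks of 8 KB per
direction, where the offset comes from the calendar date, not a stored
counter, so a backup restore cannot hand out already-used bytes.  The
hand-over date and the pad contents below are constructed.
"""
from datetime import date

CD_BYTES = 600 * 1024 * 1024
DAY_BYTES = 8 * 1024          # what each side may send per day
EPOCH = date(2006, 1, 26)     # day the disc was handed over (assumed)

def lifetime_years() -> float:
    """Days of pad on the disc, two directions per day, expressed in years."""
    return CD_BYTES // (2 * DAY_BYTES) / 365.25

def chunk_offset(day: date, direction: int) -> int:
    """Byte offset of `day`'s chunk; direction 0 = A->B, 1 = B->A.
    Each party encrypts only with its own half, so the two sides never
    collide even if both send on the same day."""
    if direction not in (0, 1):
        raise ValueError("direction must be 0 or 1")
    n = (day - EPOCH).days
    if n < 0 or n >= CD_BYTES // (2 * DAY_BYTES):
        raise ValueError("date outside the pad's lifetime")
    return (2 * n + direction) * DAY_BYTES

class DailyPad:
    """Working copy of the pad held in RAM (Denker's suggestion) that hands
    out at most one chunk per (day, direction) and overwrites it afterwards.
    The overwrite is best-effort: Python cannot guarantee no other copies."""
    def __init__(self, pad: bytearray):
        self.pad = pad
        self.used = set()

    def take(self, day: date, direction: int, n: int) -> bytes:
        if n > DAY_BYTES:
            raise ValueError("message exceeds the daily allotment")
        key = (day, direction)
        if key in self.used:
            raise RuntimeError("chunk already consumed; never reuse pad")
        off = chunk_offset(day, direction)
        out = bytes(self.pad[off:off + n])
        self.pad[off:off + DAY_BYTES] = bytes(DAY_BYTES)  # wipe the whole day's chunk
        self.used.add(key)
        return out
```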


Bruce acknowledges this by saying "[t]he exceptions to this are
generally in specialized situations where simple key management is a
solvable problem and the security requirement is timeshifting."  He
then dismisses it by saying "[o]ne-time pads are useless for all but
very specialized applications, primarily historical and non-computer."

Excuse me?  This would in fact be a _perfect_ way to distribute key
material for _other_ cryptosystems, such as PGP, SSH, IPSec, openvpn,
gaim-encryption etc. etc.  You see, he's right in that the key
distribution problem is the hardest problem for most computer
cryptosystems.  So the OTP system I described here is the perfect
complement for those systems; it gives them a huge tug on their
bootstraps, gets them running on their own power.

I'm not sure it is even limited to this use case.  For example, before
a ship sets out to sea, you could load it up with enough key material
to last a few millennia.  How much key material could a courier carry?
I bet it's a lot.  As they say, never underestimate the bandwidth of
a station wagon full of tapes.  And don't embassies have diplomatic
pouches that get taken to them and such?

So my questions to you are:

1) Do you agree with my assessment?  If so, why has every crypto
expert I've seen poo-pooed the idea?

2) Assuming my use case, what kind of attacks should I worry about?
For example, he might leave the CD sitting around somewhere before
putting it in his computer.  If it sits around on CD, physical access
to it would compromise past and future communications.  If he copies
it to flash or magnetic media, then destroys the CD, we can
incrementally destroy the pad as it is used, but we have to worry
about data remanence.

3) How should one combine OTP with another conventional encryption
method, so that if the pad is copied, we still have conventional
cipher protection?  In this manner, one could use the same system for
different use cases; one could, for example, mail the pad, or leave it
with a third party for the recipient