Re: [Cryptography] tamper-evident crypto? (was: BULLRUN)
I don't have any hard information or even any speculation about BULLRUN, but I have an observation and a question: Traditionally it has been very hard to exploit a break without giving away the fact that you've broken in. So there are two fairly impressive parts to the recent reports: (a) Breaking some modern, widely-used crypto, and (b) not getting caught for a rather long time. To say the same thing the other way, I was always amazed that the Nazis were unable to figure out that their crypto was broken during WWII. There were experiments they could have done, such as sending out a few U-boats under strict radio silence and comparing their longevity to others. So my question is: What would we have to do to produce /tamper-evident/ data security? As a preliminary outline of the sort of thing I'm talking about, you could send an encrypted message that says The people at 1313 Mockingbird Lane have an enormous kiddie porn studio in their basement. and then watch closely. See how long it takes until they get raided. Obviously I'm leaving out a lot of details here, but I hope the idea is clear: It's a type of honeypot, adapted to detecting whether the crypto is broken. Shouldn't something like this be part of the ongoing validation of any data security system? Also . on 09/05/2013 04:35 PM, Perry E. Metzger wrote: A d20 has a bit more than 4 bits of entropy. I can get 256 bits with 64 die rolls, or, if I have eight dice, 16 rolls of the group. You can get a lot more entropy than that from your sound card, a lot more conveniently. http://www.av8n.com/turbid/ If I mistype when entering the info, no harm is caused. I'm not so sure about that. Typos are not random, and history proves that seemingly minor mistakes can be exploited. The generator can be easily tested for correct behavior if it is simply a block cipher. I wouldn't have said that. As Dykstra was fond of saying: Testing can show the presence of bugs; testing can never show the absence of bugs. ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography
Re: [Cryptography] tamper-evident crypto? (was: BULLRUN)
On Thu, 05 Sep 2013 16:56:38 -0700 John Denker j...@av8n.com wrote: The generator can be easily tested for correct behavior if it is simply a block cipher. I wouldn't have said that. As Dykstra was fond of saying: Testing can show the presence of bugs; testing can never show the absence of bugs. The point is that a deterministic generator operating off of a seed can be validated -- you can assure yourself reasonably easily that the thing is indeed AES in counter mode. A hardware generator can have horrible flaws that are hard to detect without a lot of data from many devices. (The recent break of the Taiwanese national ID card system should be a lesson on that too.) I will remind everyone that the key generation ceremony for the Clipper devices used a deterministic generator for precisely this reason even given that the keys were being escrowed. See Dorothy Denning's old report on that for a reminder. Perry -- Perry E. Metzgerpe...@piermont.com ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography
Re: [Cryptography] tamper-evident crypto? (was: BULLRUN)
John Denker j...@av8n.com writes: To say the same thing the other way, I was always amazed that the Nazis were unable to figure out that their crypto was broken during WWII. There were experiments they could have done, such as sending out a few U-boats under strict radio silence and comparing their longevity to others. Cognitive dissonance. We have been..., sorry Ve haff been reassured zat our cipher is unbreakable, so it must be traitors, bad luck, technical issues, Peter. ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography
Re: [Cryptography] tamper-evident crypto? (was: BULLRUN)
Sent from my difference engine On Sep 5, 2013, at 9:22 PM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote: John Denker j...@av8n.com writes: To say the same thing the other way, I was always amazed that the Nazis were unable to figure out that their crypto was broken during WWII. There were experiments they could have done, such as sending out a few U-boats under strict radio silence and comparing their longevity to others. Cognitive dissonance. We have been..., sorry Ve haff been reassured zat our cipher is unbreakable, so it must be traitors, bad luck, technical issues, Not necessarily Anyone who raised a suspicion was risking their life. Peter. ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography
Re: [Cryptography] tamper-evident crypto? (was: BULLRUN)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 In message 52291a36.9070...@av8n.com, John Denker j...@av8n.com writes To say the same thing the other way, I was always amazed that the Nazis were unable to figure out that their crypto was broken during WWII. There were experiments they could have done, such as sending out a few U-boats under strict radio silence and comparing their longevity to others. In fact the Nazis did have many suspicions that Enigma was compromised, no more so (this from memory, the books with the fuller account are on a shelf several thousand miles away from my current desk) than in the Python incident where the Devonshire was sent to sink a German U-boat refuelling boat ... and the Dorsetshire turned up at the same place by chance and chipped in. The subsequent German inquiry (two enemy ships appearing over the horizon heading straight for your refuelling point in the middle of the empty South Atlantic is deeply worrying) relied upon them reading our North Atlantic convoy traffic (they were breaking Allied codes at that point in the war) where they found no evidence of Enigma acquired information being used to avoid U-boat movements. This was because their inquiry happened to coincide with a short period during which we were not reading their traffic! The inquiry concluded that Enigma was not broken (which was strictly correct at that moment) and it carried on being used. Such are the random chances, good and bad, which occur in the real world. Of course there were improvements made to Enigma throughout the war both to the hardware and also to operating procedures... it was harder to break in 1945 than 1939. So my question is: What would we have to do to produce /tamper-evident/ data security? As a preliminary outline of the sort of thing I'm talking about, you could send an encrypted message that says The people at 1313 Mockingbird Lane have an enormous kiddie porn studio in their basement. and then watch closely. See how long it takes until they get raided. you will have noted the requirement for some of the agencies who have been given NSA material (such as telco metadata) to recreate it for the benefit of their court cases ... so you'd probably fail to observe any background activity that tested whether this information was plausible or not (assuming that the NSA considered this issue important enough to pursue); and then some chance event would occur that caused someone from Law Enforcement (or even a furnace maintenance technician) to have to look in the basement. You'd be left saying this proves it and everyone else will be spending their time commenting on whether your particular style of tinfoil hat appeared sartorially suitable - -- richard Richard Clayton They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. Benjamin Franklin -BEGIN PGP SIGNATURE- Version: PGPsdk version 1.7.1 iQA/AwUBUik0UeINNVchEYfiEQIj1wCgjvXptGYkMdfKFI7pQfQuMUZJOAkAmwV2 UiNLZIncCKWCsUynA0p5y/Ws =fqW2 -END PGP SIGNATURE- ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography
Re: [Cryptography] tamper-evident crypto? (was: BULLRUN)
On Thu, Sep 5, 2013 at 9:18 PM, Peter Gutmann pgut...@cs.auckland.ac.nzwrote: To say the same thing the other way, I was always amazed that the Nazis were unable to figure out that their crypto was broken during WWII. There were experiments they could have done, such as sending out a few U-boats under strict radio silence and comparing their longevity to others. Cognitive dissonance. We have been..., sorry Ve haff been reassured zat our cipher is unbreakable, so it must be traitors, bad luck, technical issues, As I recall the history it was direction finding (HF-DF) that was causing specific U-boats to be lost. Crypto was more global---resulting in rerouting convoys, etc. See https://en.wikipedia.org/wiki/High-frequency_direction_finding. After late '42 or so, U-boat radio silence would have indicated that using the radios was a problem---even during the time that the Naval Enigma was not being broken. -- Chuck == Charles L. Jackson 301 656 8716desk phone 888 469 0805fax 301 775 1023mobile PO Box 221 Port Tobacco, MD 20677 ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography