Yeah this goes back to the old 'three types of crypto tokens': - What you know (a password) - What you have (an rsa token, or a phone with google authenticator) - What you are (fingerprint, retina scan)
Any new crypto system essentially boils down to some combination of those things. If you're using a CD, you've invented a new kind of crypto token (what you have). If you're remembering which youtube video is your key, you're using a (pretty weak) password (what you know). Still very cool though, if you can play it and have an embedded device hear the recording. It'd also be very cool to have a little crypto token that plays what sounds like static, and then have your computer / phone / whatever unlock when it hears the 'right' static-sounding audio clip. The cool thing about audio (for me) would be doing voice fingerprinting. "My name is my passport. Verify me" https://www.youtube.com/watch?v=-zVgWpVXb64 On Thu, Apr 14, 2016 at 11:11 AM, Justin King-Lacroix <[email protected]> wrote: > > On 10 April 2016 at 10:27, Mihai Ionut <[email protected]> wrote: >> >> Hi, I am a 21 years old software engineer from Bucharest, Romania >> passionate about programming, robotics, cryptography and Artificial >> intelligence. >> For the past two months I've worked on a new encryption application based >> on sounds. It allows users to encrypt their files (AES) using an audio >> input. > > > There's a lot of coolness in this idea. You might want to read up on the use > of sound card inputs as sources of entropy for random number generators. > >> >> The users have three options : they can generate their own WaveKey, they >> can use an exiting audio file (your favorite song from 1990's stored on a >> CD) or to use an online audio source - now I'm only focused on YouTube. You >> simply visit an YouTube video, select the time sequence, generate you >> WaveKey and encrypt your file. After that the key self-destructs. > > > While the idea isn't a bad one in principle, it means you now need to treat > the relevant YouTube link / song name with the same care as a cryptographic > key. > Also, YouTube knows your key. > >> >> Of course I've taken into account the obvious attacks - like the ones >> regarding recording when the users create their WaveKeys (I've worked on a >> custom printed circuit board with an integrated microphone and a small >> storage USB drive) or, in the case of the YouTube source your search history >> (We have Sandboxie and I'm pretty sure I can strike a deal with them). > > > What you haven't considered is that everyone on the network who can observe > your YouTube search history now potentially knows your key. Sandboxie only > prevents your browser from keeping its history on your hard disk; any traces > you leave on the network -- such as in YouTube's access logs (you weren't > logged in as yourself when you viewed it, right?) -- are, by nature, not > eraseable in this fashion. > > On the flip side, generating your own WaveKey also seems problematic: on the > one hand, you want to filter as much noise as possible out of the audio > coming into your application, so the key generation is repeatable ie you can > sing the same song into the same mic again on a different day and decrypt > your files. On the other, you're throwing away a lot of entropy that way, > potentially making it easier to just brute-force the key. > > If you solve this problem using a USB drive (or similar) connected to a > microphone to store the 'authoritative' copy of the recording, and reuse > that, we're now back to the usual key-management problem, only your key is > an unwieldy sound recording. > > > This idea is cool. However, I believe these issues need to be fixed or > mitigated before it can be put to practical use. > > </$0.02> > > J > > > _______________________________________________ > Messaging mailing list > [email protected] > https://moderncrypto.org/mailman/listinfo/messaging > _______________________________________________ Messaging mailing list [email protected] https://moderncrypto.org/mailman/listinfo/messaging
