Re: crypto camouflage in software
"paul a. bauerschmidt" <[EMAIL PROTECTED]> writes: > neat question: > > http://www.arcot.com/arcot_ieee.pdf > > a method of protecting private keys using camouflage, in software, to > prevent dictionary attacks. > > one password will decrypt correctly, many other passwords will produce > alternate, valid-looking keys to fool an attacker. > > is this an example of security through obscurity (a thought which many > frown upon, it seems)? > > > please feel free to mail me personally if you want to shred/shed light. > > .paul bauerschmidt The trade off here is that if the attacker can get it wrong 1/n times, so can the user (from miss-keying (i.e typing mistakes)). Depending on the application, a low n might be disastrous. -- Stefan Kahrs in [Kah96] discusses the notion of completeness--programs which never go wrong can be type-checked--which complements Milner's notion of soundness--type-checked programs never go wrong [Mil78].
Re: crypto camouflage in software
>"paul a. bauerschmidt" wrote: >> one password will decrypt correctly, many other passwords will produce >> alternate, valid-looking keys to fool an attacker. >> >> is this an example of security through obscurity (a thought which many >> frown upon, it seems)? At 05:12 PM 10/8/99 -0700, Ed Gerck wrote: > >No, it is IMO a valid example of security through ambiguity. One time pads rely on the same general idea taken to its extreme: any decryption is as plausible as any other. I've always thought this is the essence of a good password encryption scheme: try to eliminate the internal cues that indicate whether the result is valid or not. That way the attacker can only verify a decryption by using it in a genuine authentication transaction. If the decryption is wrong, the attempt gets logged, leaving a trace of the attempt. Rick. [EMAIL PROTECTED] "Internet Cryptography" at http://www.visi.com/crypto/
Re: crypto camouflage in software
"paul a. bauerschmidt" wrote: > neat question: > > http://www.arcot.com/arcot_ieee.pdf > > a method of protecting private keys using camouflage, in software, to > prevent dictionary attacks. > > one password will decrypt correctly, many other passwords will produce > alternate, valid-looking keys to fool an attacker. > > is this an example of security through obscurity (a thought which many > frown upon, it seems)? No, it is IMO a valid example of security through ambiguity. Side-tracking attackers is a useful method employed for example in a more direct form in the UNIX crypt salt method -- which also reduces the efficiency of dictionary attacks. Cheers, Ed Gerck
crypto camouflage in software
neat question: http://www.arcot.com/arcot_ieee.pdf a method of protecting private keys using camouflage, in software, to prevent dictionary attacks. one password will decrypt correctly, many other passwords will produce alternate, valid-looking keys to fool an attacker. is this an example of security through obscurity (a thought which many frown upon, it seems)? please feel free to mail me personally if you want to shred/shed light. .paul bauerschmidt