Re: [cryptography] Unbreakable crypto?

2015-03-20 Thread Michael Kjörling
On 20 Mar 2015 15:11 -0400, from kevinsisco61...@gmail.com (Kevin):
> I was tempted by the promise of software to run a one-time pad on my
> machine.  I am a fool and I fall upon my own sword.

An unauthenticated one-time pad is trivial to implement; it's
literally a few lines of code in any reasonably modern language, and a
handful of lines of code in less modern ones.

The hard part, as has been pointed out in this thread, is to generate
and handle the _pad_.

-- 
Michael Kjörling • https://michael.kjorling.se • mich...@kjorling.se
OpenPGP B501AC6429EF4514 https://michael.kjorling.se/public-keys/pgp
 “People who think they know everything really annoy
 those of us who know we don’t.” (Bjarne Stroustrup)
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Unbreakable crypto?

2015-03-20 Thread Jeffrey Goldberg
On 2015-03-20, at 1:24 PM, stef wrote:
> On Fri, Mar 20, 2015 at 06:12:31PM +, Dave Howe wrote:
>> Or a reasonably clever and trolling satire on snakeoil products. :)
> 
> the less optimistic alternative is this being a well-crafted water-holing site
> targeted at the members of this mailing-list.

Hi Stef,

I believe I’ve also seen this raised on sci.crypt, which is
spectacularly easy to troll.

I really WANT to believe it is a deliberate troll-like thing. But
the sad fact of the matter is that a huge number of people who
learn a little about the OTP think that they can create unbreakable
crypto, and they end up

(1) Using a crappy PRNG.
(2) Seeding/keying their crappy PRNG badly.
(3) Failing to notice/address the malleability of these things.
(4) Reusing the key/pad.

So whether a troll or not, that is the kind of snake oil that people
sincerely produce.

I like using the OTP as an example of how brittle some schemes are. Doing
things “slightly” wrong can lead to dramatic reductions in security.

Cheers,

-j




Re: [cryptography] Unbreakable crypto?

2015-03-20 Thread Kevin

On 3/20/2015 2:50 PM, Dave Horsfall wrote:
> On Fri, 20 Mar 2015, stef wrote:
>
>>> Or a reasonably clever and trolling satire on snakeoil products. :)
>>
>> the less optimistic alternative is this being a well-crafted
>> water-holing site targeted at the members of this mailing-list.
>
> But wouldn't the members of this list be smart enough to not get taken in?
> Wouldn't they?
>
> I like the idea of it being a troll; it certainly explains a lot.

I was tempted by the promise of software to run a one-time pad on my 
machine.  I am a fool and I fall upon my own sword.



---
This email is free from viruses and malware because avast! Antivirus protection 
is active.
http://www.avast.com



Re: [cryptography] Unbreakable crypto?

2015-03-20 Thread Dave Horsfall
On Fri, 20 Mar 2015, stef wrote:

> > Or a reasonably clever and trolling satire on snakeoil products. :)
> 
> the less optimistic alternative is this being a well-crafted 
> water-holing site targeted at the members of this mailing-list.

But wouldn't the members of this list be smart enough to not get taken in?  
Wouldn't they?

I like the idea of it being a troll; it certainly explains a lot.

-- 
Dave Horsfall DTM (VK2KFU)   "Those who don't understand security will suffer."
http://www.horsfall.org/spam.html (and check the home page whilst you're there)


Re: [cryptography] Unbreakable crypto?

2015-03-20 Thread stef
On Fri, Mar 20, 2015 at 06:12:31PM +, Dave Howe wrote:
> Or a reasonably clever and trolling satire on snakeoil products. :)

the less optimistic alternative is this being a well-crafted water-holing site
targeted at the members of this mailing-list.

-- 
otr fp: https://www.ctrlc.hu/~stef/otr.txt


Re: [cryptography] Unbreakable crypto?

2015-03-20 Thread Dave Howe
On 20/03/2015 17:01, Kevin wrote:
> I am trying to contact the "company" and it is not easy.  They don't
> want people looking into them or the product they offer.  I guess it's
> fraud; I am disillusioned.  If you hold real still and listen, you can
> hear the sound of my bubble bursting.

Or a reasonably clever and trolling satire on snakeoil products. :)



Re: [cryptography] Unbreakable crypto?

2015-03-20 Thread Kevin

On 3/20/2015 12:06 PM, Tony Arcieri wrote:
> On Fri, Mar 20, 2015 at 4:02 AM, Enrique Soriano wrote:
>
>> These days we can buy 128GB pendrives (i.e. very long pads) for $35.
>>
>> This simple approach seems viable to me:
>>
>> https://www.codeandsec.com/Poor-Mans-Unbreakable-Encrypted-TCP-Tunnel
>
> Poorly implemented, one time pads are in fact quite dangerous:
>
> 1) Extremely great care must be taken to never reuse any portion of
> the pad. When reused, the attacker can easily obtain the XOR of the
> plaintexts encrypted with the reused portion of the pad
>
> 2) Without authentication (i.e. a MAC), one time pads are highly malleable
>
> The author of that software doesn't know the difference between a one
> time pad and a stream cipher. There's no practical reason to prefer a
> one time pad to a modern stream cipher like ChaCha20, which can be
> combined with the Poly1305 MAC to create an authenticated encryption
> scheme that isn't malleable like an unauthenticated one time pad.
>
> --
> Tony Arcieri

I am trying to contact the "company" and it is not easy.  They don't 
want people looking into them or the product they offer.  I guess it's 
fraud; I am disillusioned.  If you hold real still and listen, you can 
hear the sound of my bubble bursting.


Re: [cryptography] Unbreakable crypto?

2015-03-20 Thread Tony Arcieri
On Fri, Mar 20, 2015 at 4:02 AM, Enrique Soriano wrote:

> These days we can buy 128GB pendrives (i.e. very long pads) for $35.
>
> This simple approach seems viable to me:
>
> https://www.codeandsec.com/Poor-Mans-Unbreakable-Encrypted-TCP-Tunnel


Poorly implemented, one time pads are in fact quite dangerous:

1) Extremely great care must be taken to never reuse any portion of the
pad. When reused, the attacker can easily obtain the XOR of the plaintexts
encrypted with the reused portion of the pad
2) Without authentication (i.e. a MAC), one time pads are highly malleable

The author of that software doesn't know the difference between a one time
pad and a stream cipher. There's no practical reason to prefer a one time
pad to a modern stream cipher like ChaCha20, which can be combined with the
Poly1305 MAC to create an authenticated encryption scheme that isn't
malleable like an unauthenticated one time pad.

-- 
Tony Arcieri
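Tony's two warnings above, pad reuse and malleability, worked through as an added example. This is not code from any message in the thread or from the product under discussion; the two messages, the pad and the MAC key are constructed here for illustration, and the encrypt-then-MAC variant at the end assumes a MAC key shared out of band alongside the pad, which nothing in the thread describes.

```python
"""Two ways a carelessly used one-time pad fails: reusing pad bytes
(a "two-time pad") and the malleability of unauthenticated XOR.
Added example for this thread; nothing here is code from the product
discussed. Messages, pad and MAC key are constructed for illustration."""
import hashlib
import hmac
import secrets

# Constructed sample traffic: two equal-length messages that share structure.
P1 = b"PAY 0100 USD TO ALICE"
P2 = b"PAY 0250 USD TO BOBBY"
SAMPLE_PAD = secrets.token_bytes(64)   # a genuinely random pad, as an OTP requires
MAC_KEY = secrets.token_bytes(32)      # assumption: shared out of band like the pad


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings; this is the entire OTP 'algorithm'."""
    if len(a) != len(b):
        raise ValueError("pad and message must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(pad: bytes, plaintext: bytes) -> bytes:
    """Correct use consumes len(plaintext) pad bytes exactly once; decryption
    is the same operation. The caller is responsible for never reusing them."""
    return xor_bytes(pad[: len(plaintext)], plaintext)


def two_time_pad_leak(pad: bytes, p1: bytes, p2: bytes) -> bytes:
    """Encrypt two messages under the SAME pad bytes. An eavesdropper who XORs
    the two ciphertexts cancels the pad and is left with p1 XOR p2."""
    return xor_bytes(otp_encrypt(pad, p1), otp_encrypt(pad, p2))


def crib_drag(p1_xor_p2: bytes, crib: bytes) -> list:
    """Slide a guessed word (crib) along p1 XOR p2. Where the crib really sits
    in one message, XORing it back out reveals the other message's bytes at
    that position, so windows that decode to printable ASCII are candidates.
    Returns (offset, fragment) pairs; some are false positives a human weeds out."""
    hits = []
    for off in range(len(p1_xor_p2) - len(crib) + 1):
        frag = xor_bytes(p1_xor_p2[off: off + len(crib)], crib)
        if all(32 <= b < 127 for b in frag):
            hits.append((off, frag))
    return hits


def bitflip(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Malleability: knowing only that 'old' sits at 'offset' in the plaintext,
    XOR (old ^ new) into the ciphertext there. No pad knowledge is needed."""
    patched = bytearray(ciphertext)
    for i, d in enumerate(xor_bytes(old, new)):
        patched[offset + i] ^= d
    return bytes(patched)


def otp_encrypt_then_mac(pad: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with HMAC-SHA256 over the ciphertext, so any bit flip
    is detected before decryption. The MAC key must be independent of the pad."""
    c = otp_encrypt(pad, plaintext)
    return c + hmac.new(mac_key, c, hashlib.sha256).digest()


def otp_decrypt_verify(pad: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Check the tag in constant time; refuse to decrypt anything modified."""
    c, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, c, hashlib.sha256).digest()):
        raise ValueError("tag mismatch: ciphertext was modified in transit")
    return otp_encrypt(pad, c)


def tamper_is_detected(pad: bytes, mac_key: bytes, blob: bytes,
                       offset: int, old: bytes, new: bytes) -> bool:
    """Apply the same bit flip to an authenticated blob and report whether
    verification rejects it."""
    try:
        otp_decrypt_verify(pad, mac_key, bitflip(blob, offset, old, new))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    leak = two_time_pad_leak(SAMPLE_PAD, P1, P2)
    print("p1 XOR p2 leaked:", leak.hex())
    print("crib 'ALICE' hits:", crib_drag(leak, b"ALICE"))
    forged = bitflip(otp_encrypt(SAMPLE_PAD, P1), 5, b"1", b"9")
    print("forged decrypts to:", otp_encrypt(SAMPLE_PAD, forged))
    blob = otp_encrypt_then_mac(SAMPLE_PAD, MAC_KEY, P1)
    print("same flip against MAC'd blob detected:",
          tamper_is_detected(SAMPLE_PAD, MAC_KEY, blob, 5, b"1", b"9"))
```

The pad is drawn fresh on every run, and none of the results depend on it: `p1 XOR p2` is identical whatever pad was reused, crib-dragging "ALICE" across it yields "BOBBY" at offset 16 (plus false positives wherever the two messages coincide, where the crib simply comes back unchanged), and the single-byte flip turns a 100 into a 900 without the attacker ever seeing a pad byte. The HMAC tag is what a ChaCha20-Poly1305 construction supplies built in; bolting it onto an OTP by hand is possible, but it needs a second key shared exactly as carefully as the pad.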


Re: [cryptography] Unbreakable crypto?

2015-03-20 Thread Wim Remes
None of the clients they advertise actually exist ...

On Thu, Mar 19, 2015 at 8:33 PM, Kevin wrote:

> This software uses the one-time pad.  Have any of you seen this?
> http://www.unbreakable-crypto.com



-- 
Wim Remes
Security Aficionado


Re: [cryptography] Unbreakable crypto?

2015-03-20 Thread Enrique Soriano
>>Warning Sign #6: One-time pads.

These days we can buy 128GB pendrives (i.e. very long pads) for $35.

This simple approach seems viable to me:

https://www.codeandsec.com/Poor-Mans-Unbreakable-Encrypted-TCP-Tunnel

Regards,
q

On Fri, Mar 20, 2015 at 10:42 AM, Michael Kjörling wrote:
> On 19 Mar 2015 16:10 -0400, from kevinsisco61...@gmail.com (Kevin):
>> On 3/19/2015 4:00 PM, Ben Lincoln (F70C92E3 - Cryptography ML) wrote:
>>> There's no demo version available, but based on the screenshots and the
>>> information on the site, it looks like it's using a "one-time pad"
>>> generated using a PRNG or other sequence-generator seeded with a key
>>> generated by the application, and it's the key that's exchanged.
>>
>> I assume it uses your hardware to generate the random value.
>
> It doesn't matter how the PRNG works. If it's seeded by a key, and the
> pad is regenerable given the key (which it sounds like given the
> description), then it's not an OTP, and you get _at the very best_ 2^k
> bits security (where k is the number of entropy bits in the key)
> rather than a proper OTP's 2^n bits security (where n is the length of
> the message, in bits).
>
> The reason why an OTP is provably secure in theory (in the
> confidentiality sense of secure) is that the key _is_ as long as the
> message and completely random; thus you cannot tell whether a key you
> just tried is valid without already knowing the plaintext message, in
> which case there really is no point to the exercise to begin with.
>
> Combining a seeded PRNG with a simple operation on the PRNG output and
> the plaintext or ciphertext is how stream ciphers work.
>
> Now, something like a decent KDF feeding a key into AES running in
> counter mode to generate a ciphertext stream which is then used as a
> key for encryption in a stream cipher-like construct is _probably
> reasonably_ (_very heavy_ emphasis on "probably") secure, and not too
> dissimilar from what is hypothesized above. But at that point, you
> might just as well use the fairly well-proven AES directly; it will be
> marginally faster given identical hardware and otherwise identical
> software (since you avoid your extra algorithm, and AES is often
> hardware-accelerated on modern CPUs) and it will be at least equally
> secure (because the security of the ciphertext in the combined scheme
> will be totally dependent on the security of the stronger algorithm
> pass anyway -- see Kerckhoffs' principle -- and most people are
> unlikely to come up with something that is _more_ secure than AES
> against any type of attack, much less all types of attacks). And it
> absolutely is _not_ a one-time pad.
>
> --
> Michael Kjörling • https://michael.kjorling.se • mich...@kjorling.se
> OpenPGP B501AC6429EF4514 https://michael.kjorling.se/public-keys/pgp
>  “People who think they know everything really annoy
>  those of us who know we don’t.” (Bjarne Stroustrup)


Re: [cryptography] Unbreakable crypto?

2015-03-20 Thread Michael Kjörling
On 19 Mar 2015 16:10 -0400, from kevinsisco61...@gmail.com (Kevin):
> On 3/19/2015 4:00 PM, Ben Lincoln (F70C92E3 - Cryptography ML) wrote:
>> There's no demo version available, but based on the screenshots and the
>> information on the site, it looks like it's using a "one-time pad"
>> generated using a PRNG or other sequence-generator seeded with a key
>> generated by the application, and it's the key that's exchanged.
> 
> I assume it uses your hardware to generate the random value.

It doesn't matter how the PRNG works. If it's seeded by a key, and the
pad is regenerable given the key (which it sounds like given the
description), then it's not an OTP, and you get _at the very best_ 2^k
bits security (where k is the number of entropy bits in the key)
rather than a proper OTP's 2^n bits security (where n is the length of
the message, in bits).

The reason why an OTP is provably secure in theory (in the
confidentiality sense of secure) is that the key _is_ as long as the
message and completely random; thus you cannot tell whether a key you
just tried is valid without already knowing the plaintext message, in
which case there really is no point to the exercise to begin with.

Combining a seeded PRNG with a simple operation on the PRNG output and
the plaintext or ciphertext is how stream ciphers work.

Now, something like a decent KDF feeding a key into AES running in
counter mode to generate a ciphertext stream which is then used as a
key for encryption in a stream cipher-like construct is _probably
reasonably_ (_very heavy_ emphasis on "probably") secure, and not too
dissimilar from what is hypothesized above. But at that point, you
might just as well use the fairly well-proven AES directly; it will be
marginally faster given identical hardware and otherwise identical
software (since you avoid your extra algorithm, and AES is often
hardware-accelerated on modern CPUs) and it will be at least equally
secure (because the security of the ciphertext in the combined scheme
will be totally dependent on the security of the stronger algorithm
pass anyway -- see Kerckhoffs' principle -- and most people are
unlikely to come up with something that is _more_ secure than AES
against any type of attack, much less all types of attacks). And it
absolutely is _not_ a one-time pad.

-- 
Michael Kjörling • https://michael.kjorling.se • mich...@kjorling.se
OpenPGP B501AC6429EF4514 https://michael.kjorling.se/public-keys/pgp
 “People who think they know everything really annoy
 those of us who know we don’t.” (Bjarne Stroustrup)
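Michael's distinction between a pad regenerated from a seed and a real one-time pad, as an added example that is not taken from any message in the thread. The seed-to-pad generator is a stand-in assumed here (SHA-256 in counter mode; the thread does not say what the application actually uses), and the seed is kept to 16 bits so an exhaustive search finishes in well under a second. A product with a 128-bit key would not be searchable this way, but it would still be a stream cipher with 2^128 security, not the 2^n of an OTP.

```python
"""A 'pad' regenerated from a short seed is a stream cipher, not a one-time pad.
Brute-forcing it costs 2^k trials for a k-bit seed, however long the message.
Added example for this thread. The generator is a stand-in (SHA-256 in counter
mode), not the PRNG of any product discussed here, and the 16-bit seed is
deliberately tiny so the search finishes in well under a second."""
import hashlib

SEED_BITS = 16
# Constructed sample inputs (equal lengths, which xor_bytes enforces).
DEMO_SEED = 0xBEEF
MESSAGE = b"The pad is regenerated from a 16-bit seed."
OTHER_GUESS = b"Completely different text of equal length!"


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings via big integers (fast enough to loop)."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return (int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).to_bytes(len(a), "big")


def keystream(seed: int, nbytes: int) -> bytes:
    """'Pad' derived from a seed: hash(seed || counter) blocks, concatenated.
    Whoever knows the seed regenerates the whole pad, so the pad carries no
    more entropy than the seed does."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(seed.to_bytes(4, "big") + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:nbytes])


def fake_otp_encrypt(seed: int, plaintext: bytes) -> bytes:
    """What a seeded 'OTP' amounts to: XOR with a regenerable stream."""
    return xor_bytes(keystream(seed, len(plaintext)), plaintext)


def looks_like_text(candidate: bytes) -> bool:
    """Distinguisher the attacker uses to recognise a correct guess:
    printable ASCII plus whitespace. Any known structure would do."""
    return all(b in b"\t\r\n" or 32 <= b < 127 for b in candidate)


def brute_force_seed(ciphertext: bytes) -> list:
    """Try every seed and keep those that decrypt to plausible text.
    Work is 2^SEED_BITS regardless of ciphertext length: that is the 2^k
    bound, not the 2^n of a true OTP."""
    hits = []
    for seed in range(1 << SEED_BITS):
        pt = xor_bytes(keystream(seed, len(ciphertext)), ciphertext)
        if looks_like_text(pt):
            hits.append((seed, pt))
    return hits


def pad_consistent_with(ciphertext: bytes, guess: bytes) -> bytes:
    """Contrast with a real OTP: for ANY same-length plaintext there is a pad
    that maps it to the observed ciphertext, namely their XOR. An exhaustive
    search over pads returns every possible message and cannot pick one."""
    return xor_bytes(ciphertext, guess)


if __name__ == "__main__":
    c = fake_otp_encrypt(DEMO_SEED, MESSAGE)
    print("seeded 'pad' recovered:", brute_force_seed(c))
    pad = pad_consistent_with(c, OTHER_GUESS)
    print("a pad explaining the other guess fits the same ciphertext:",
          xor_bytes(pad, OTHER_GUESS) == c)
```

`brute_force_seed` comes back with exactly one (seed, plaintext) pair, and the loop would take the same 65536 steps for a 128 GB ciphertext as for a 42-byte one. `pad_consistent_with` is the other half of Michael's point: against a genuinely random pad the same exhaustive search produces a valid pad for every candidate plaintext, so the attacker learns nothing without already knowing the message.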