Re: [cryptography] Unbreakable crypto?

2015-03-23 Thread Ryan Carboni
Based on the current randombit discussion of one-time pads...

Here's a question: given the surprising security of the PKZIP cipher...
which is essentially CRC, say you have a random 128-bit segment of a
compressed file xored with another 128-bit segment of another compressed
file.

How much information has leaked?
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Unbreakable crypto?

2015-03-22 Thread Jon Callas
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Here's an optimization:

* Assume you have a decent One Time Pad generator.

* Assume you have a secure pad delivery system.

* Assume it is reasonably low-latency and high-volume. Say somewhere between 
Usenet and the modern Internet.

Now then -- instead of sending the pads, send a message. It gets delivered with 
the same security as the pad, so it has identical security as using the OTP. 
Even better, you don't have to worry about insecurity of the OTP generator.

Jon


-BEGIN PGP SIGNATURE-
Version: PGP Universal 3.3.0 (Build 9060)
Charset: us-ascii

wsBVAwUBVQ8kVvD9H+HfsTZWAQglHAgApSI+gBHAzenSwtoE64g+TRb17tEbD3Vq
dSjtzFlp+j4k4DqoMTXCzmG0xmvVunZqsKFpxActAA6ztbN5gKX1xnOmFDH/dn8z
s5rw8RJNteIxRitTtb8+01yJiR4lzuJuQPcGX+ag6pF1GFOhNWf4sYLDVL0ya61u
wXe4Ykz1E+S2zPDmqAnTvJaBgc+wWvTSe2CT+6T7hOfFf0eCn/h21Js+8vFfdhiJ
K0aOzJH4aFdNuPGqKN48GKmFOvdnbrfZ0v9Y9zk1tnoM1YszX/HXXTxsOKSr4mzX
V3u52AH4viqrR0KbFQ/7aU7pR7lIQtML2fgoWDLQhnr3DJ7Vrn152w==
=1PVt
-END PGP SIGNATURE-
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Unbreakable crypto?

2015-03-22 Thread Jeffrey Goldberg

On 22 Mar 2015, at 9:48, Michael Kjörling wrote:

On 22 Mar 2015 09:36 -0500, from jeff...@goldmark.org (Jeffrey 
Goldberg):

There are good crypto systems in use which generate pseudo-random
pads from keys that are 128 (or 256) bits in length. But these are
– at best – no better than the length of their keys.


Which is, admittedly, _quite good enough_ for almost any _practical_
purpose that an individual is likely to face.


Oh, absolutely. I am perfectly happy with 128 bit keys.

Indeed, I'm very much on record in defending 128 bit keys in
the face of customer demand for 256 bits.

 
https://blog.agilebits.com/2013/03/09/guess-why-were-moving-to-256-bit-aes-keys/


I was just to distinguish between "perfect" secrecy and
everything else (without going into any discussion of asymptotic
security). I think that people who first learn about the OTP
are infatuated with perfect secrecy, and fail to what is really
involved.

Although I sympathize with Greg Rose's lament that we are beating
a long dead horse, I think that it is worthwhile to try to understand
why so many people seem to learn (something) about the OTP and then
badly reinvent stream ciphers. And I want to kill off the meme that
is popular in some circles that "the only unbreakable cipher is the
OTP".

And so I see it as a "teaching moment". Thus if I may repeat
what others have said, I too recommend Dan Bonah's on-line
Cryptography course to Lee and anyone else who doesn't immediately
see why we all so emphatically screamed "No" to these OTP modifications.

Cheers,

-j
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Unbreakable crypto?

2015-03-22 Thread Michael Kjörling
On 22 Mar 2015 10:50 -0400, from givo...@gmx.com (Givon Zirkind):
>>> I was tempted by the promise of software to run a one-time pad on my
>>> machine.  I am a fool and I fall upon my own sword.
>> 
>> An unauthenticated one-time pad is trivial to implement; it's
>> literally a few lines of code in any reasonably modern language, and a
>> handful of lines of code in less modern ones.
>> 
>> The hard part, as has been pointed out in this thread, is to generate
>> and handle the _pad_.
> 
> imho, this is not as difficult as you say.  using a time-date stamp
> as part of your seed.

Any pseudo-random number generator is going to, _at best_, be exactly
as secure as the entropy of the seed. And the entropy of a
date/time-stamp in most contexts is _incredibly_ low; I would expect a
few tens of bits at the very most even with a high-precision
timestamp. Remember that a timestamp of one second accuracy between
about 1902 and 2038 can be expressed as a single 32-bit integer value,
so for any semi-reasonable range, we'd be looking at an entropy of 30
bits or less. For something like "message was sent between 2011-01-01
and 2017-12-31" (seven full years' range) and one-second precision
that's approximately log(7×365×86400)/log(2) ≅ 27.7 bits of entropy,
assuming no other knowledge on part of the attacker.

The point I made Friday still stands:

# It doesn't matter how the PRNG works. If it's seeded by a key, and
# the pad is regenerable given the key (which it sounds like given the
# description), then it's not an OTP, and you get _at the very best_
# 2^k bits security (where k is the number of entropy bits in the key)
# rather than a proper OTP's 2^n bits security (where n is the length
# of the message, in bits).

There is a time and a place for a seedable CSPRNG together with an
operation to combine the CSPRNG output with the ciphertext or
plaintext. That construct is called a _stream cipher_; it is _not_
called a one-time pad.


> the real difficulty is in the length of the key.  rounding & other
> calculations errors will quickly interfere.
> but, for up to 500 characters, the length of the avg email, imho,
> you can produce a non-reusable pad

1. Do you have any data to suggest that the average length of an
email, even if we play nice by excluding headers and quoted material,
is 500 characters or less? My experience points toward it being
significantly higher.

2. How do you propose to get the pad to the recipient?

3. How do you propose the recipient should securely store the pad
until it is used?

4. How do you guarantee that no part of the pad is ever reused for a
different message?

-- 
Michael Kjörling • https://michael.kjorling.se • mich...@kjorling.se
OpenPGP B501AC6429EF4514 https://michael.kjorling.se/public-keys/pgp
 “People who think they know everything really annoy
 those of us who know we don’t.” (Bjarne Stroustrup)
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Unbreakable crypto?

2015-03-22 Thread Greg Rose
If we haven't argued it enough by now, he'll never get it. Either way I would 
ask people to stop this discussion before I have to unsubscribe from yet 
another once-useful discussion list.

Greg.

Phone:  +1 619 890 8236 
GPG/PGP:  1081A37C  232B EC8F 44C6 C853 D68F  E107 E6BF CD2F 1081 A37C

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Unbreakable crypto?

2015-03-22 Thread Givon Zirkind

agreed.

On 3/21/2015 5:18 PM, John Levine wrote:

Would a commonly available large binary file make a good one-time pad?
Something like ubuntu-14.10-desktop-amd64.iso12 maybe..

Unlkely for two reasons.  One is that the point of a one-time pad is
that only the sender and recipient are supposed to have a copy.  The
other is that something like a Linux distribution has extremely
obvious regularities, so it wouldn't be hard for a cryptographer
to figure out what it was.

The way you make a one time pad is to take a source of actual (not
pseudo) randomness and record a lot of it in a form that is relatively
easy to distribute securely, like a DVD-ROM.

R's,
John
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Unbreakable crypto?

2015-03-22 Thread Givon Zirkind

On 3/20/2015 6:56 PM, Michael Kjörling wrote:

On 20 Mar 2015 15:11 -0400, from kevinsisco61...@gmail.com (Kevin):

I was tempted by the promise of software to run a one-time pad on my
machine.  I am a fool and I fall upon my own sword.

An unauthenticated one-time pad is trivial to implement; it's
literally a few lines of code in any reasonably modern language, and a
handful of lines of code in less modern ones.

The hard part, as has been pointed out in this thread, is to generate
and handle the _pad_.

imho, this is not as difficult as you say.  using a time-date stamp as 
part of your seed.
the real difficulty is in the length of the key.  rounding & other 
calculations errors will quickly interfere.
but, for up to 500 characters, the length of the avg email, imho, you 
can produce a non-reusable pad

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Unbreakable crypto?

2015-03-22 Thread Michael Kjörling
On 22 Mar 2015 09:36 -0500, from jeff...@goldmark.org (Jeffrey Goldberg):
> There are good crypto systems in use which generate pseudo-random
> pads from keys that are 128 (or 256) bits in length. But these are
> – at best – no better than the length of their keys.

Which is, admittedly, _quite good enough_ for almost any _practical_
purpose that an individual is likely to face.

Nobody (to within experimental error) is going to successfully brute
force your truly-random AES-256 key that was used to protect the 10
MiB archive containing your Evil Overlord Plans for World Domination.
But it's a _lot_ easier to keep secret a 32-byte key than a 10 MiB
pad, and it is a lot easier to generate 256 truly-random bits than ~80
_million_ truly-random bits. If they want access to the data, they are
going to do it differently. Compare https://xkcd.com/538/

-- 
Michael Kjörling • https://michael.kjorling.se • mich...@kjorling.se
OpenPGP B501AC6429EF4514 https://michael.kjorling.se/public-keys/pgp
 “People who think they know everything really annoy
 those of us who know we don’t.” (Bjarne Stroustrup)
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Unbreakable crypto?

2015-03-22 Thread Jeffrey Goldberg
On 21 Mar 2015, at 22:24, Lee wrote:

> On 3/21/15, Jeffrey Goldberg  wrote:

>> (1) the file isn't secret
>
> But the fact that I'm using it as my one-time pad is.  Why isn't that
> good enough?

As others have already answered, your key is "knowledge of which
publicly available file to use as the pad". But for a OTP to have
the security that an OTP offers the key must be a long as the message
itself. Your key is much shorter.

Just as with using a PRNG to generate a pad, you are using a short
key to generate/identify a long pad. Your system can be no more
secure than the size of your key. (The size of what must be kept
secret.) Remember, you aren't keeping the file secret; you are keeping
the name of the file secret. So it is a short key.

>> (2) the file isn't random.
>
> Right.  An ISO file is a bad choice - too many zeros & machine code
> isn't very random.  But what about something like an MP3, OGV or some
> other compressed file?

Again, no. If you want the security properties offered by an OTP,
the pad/key must be truly random. So if you need a pad that is
a million bytes (eight million bits) long, then the particular pad
you use must be no more likely than any other string of eight millions
bits.

>> I'm sorry to pick on you, but you've illustrated a point I tried to make
>> earlier. The OTP is a simple idea that is remarkably easy for people to
>> misunderstand.
>
> It doesn't feel like you're picking on me - I appreciate the feedback :)

Great.

A point I've been making is that the OTP (and other systems) are brittle.
By this I mean that if you don't follow the rules to letter you can end
up with a system that is extremely weak. A small variation on the protocol
can lead to catastrophic results.

Any simulation of a OTP that isn't a OTP itself will not have the security
properties of an OTP. And any simulation that is not designed very carefully
will end up being far weaker than the actual cryptographic systems we have
today.

So remember, one of the requirements of a OTP is that the key itself (the
stuff that you need to keep secret) must be as long as the message. When I
say that the key must be kept secret, I mean the key/pad itself. Not the 
identity of the key/pad.

Another property is that the key/pad must be truly random. Appearing random
is not enough. It must truly be random.

And yet a third requirement is that the pad never be reused.

Break any of those rules, and you not only no longer have a OTP,
but you probably have something that is easily broken.

There are good crypto systems in use which generate pseudo-random
pads from keys that are 128 (or 256) bits in length. But these are
– at best – no better than the length of their keys.

Cheers,

-j

smime.p7s
Description: S/MIME digital signature
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Unbreakable crypto?

2015-03-22 Thread Michael Kjörling
On 21 Mar 2015 21:17 -0700, from sch...@eff.org (Seth David Schoen):
> *True random pad*: Attacker doesn't know whether pad k₁ is actually more
> likely than pad k₂, if (c ⊕ k₁) and (c ⊕ k₂) both appear to be equally
> plausible plaintexts.
> 
> *Choosing a meaningful file but keeping secret which one you used*: An
> attacker who tries your file f₁ as the pad notices that both (c ⊕ f₁)
> and f₁ itself appear "meaningful", so it's more likely that f₁ is
> correct compared to some other f₂ which is not "meaningful".

This also goes hand in hand with the difference between a true OTP and
a stream cipher secured by a key of length less than the length of the
message to be encrypted. In that sense, "which file was used as the
pad?" corresponds to "what was the encryption key fed into the
cipher?".

-- 
Michael Kjörling • https://michael.kjorling.se • mich...@kjorling.se
OpenPGP B501AC6429EF4514 https://michael.kjorling.se/public-keys/pgp
 “People who think they know everything really annoy
 those of us who know we don’t.” (Bjarne Stroustrup)
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Unbreakable crypto?

2015-03-22 Thread Enrique Soriano
>
>
> Right.  An ISO file is a bad choice - too many zeros & machine code
> isn't very random.  But what about something like an MP3, OGV or some
> other compressed file?
>
>
No!

The requirements for the Vernam cipher are very simple:

- the pad must be random
- the pad must not be reused
- the pad must be secret (it's the key!)

These formats (e.g. mp3) have headers, etc.

http://mpgedit.org/mpgedit/mpeg_format/mpeghdr.htm

Anyway, the data is not random, so it should not be used as a one-time-pad.

Regards.
q
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Unbreakable crypto?

2015-03-22 Thread mtm
whos to say?
we're jus trapt on erf together.
On Mar 21, 2015 11:37 PM, "Seth David Schoen"  wrote:

> Lee writes:
>
> > On 3/21/15, Jeffrey Goldberg  wrote:
> > > [Apologies for quoting badly]
> > >
> > > No!  A thousand times no.
> > >
> > > (1) the file isn't secret
> >
> > But the fact that I'm using it as my one-time pad is.  Why isn't that
> > good enough?
>
> If an attacker has access to the same web sites and databases that you
> do, the attacker could just try all of them the files in them.  There
> shouldn't be more than 2⁵⁰ publicly-accessible files out there, right?
>
> Or maybe each file in a copy of the Internet Archive, say.  One of them
> is actually going to be that ISO file!
>
> There are other conceptual problems that are much worse than this
> practical problem.  The biggest conceptual problem is that, for the
> one-time pad setting that has been mathematically proven secure, the
> shortest description of the pad you are using should normally be the pad
> itself.  If there is a shorter description, the attacker first of all has
> a smaller work factor (set of things to try), but what's really _much much
> much_ worse conceptually, the attacker has a probability of being able
> to usefully distinguish one possible decryption as more likely than others.
>
> In the ideal one-time pad, there is no basis on which an attacker (even
> an attacker with completely unbounded resources) can usefully say that
> one proposed decryption is more likely to be right than another, at
> least compared to the attacker's prior beliefs about what the plaintext
> was likely to be.  But if there is a meaningfully shorter description of
> what you used as the pad, then an attacker with vast resources who
> correctly guesses what that was will know that it's likely to be right,
> which is a kind of success that the attacker couldn't have achieved with
> a truly random pad.
>
> *True random pad*: Attacker doesn't know whether pad k₁ is actually more
> likely than pad k₂, if (c ⊕ k₁) and (c ⊕ k₂) both appear to be equally
> plausible plaintexts.
>
> *Choosing a meaningful file but keeping secret which one you used*: An
> attacker who tries your file f₁ as the pad notices that both (c ⊕ f₁)
> and f₁ itself appear "meaningful", so it's more likely that f₁ is
> correct compared to some other f₂ which is not "meaningful".
>
>
> This is the great thing about the classical one-time pad: the attacker
> _literally doesn't know when the attack was successful_, a fact which
> has nothing to do with how powerful the attacker is (how many keys the
> attacker is able to try guessing).  In the classical one-time pad with
> a true random pad, even an attacker who can try _every single_ pad
> literally doesn't have any evidence which could reveal which one was
> right, or which could reveal any new fact or property about the
> plaintext.  Relaxing the randomness assumption, in turn, undermines this
> conclusion because the attacker can now have some conceivable indication
> about "being on the right track" (even if that's merely statistical),
> which could simply never happen with a true random pad.
>
> --
> Seth Schoen  
> Senior Staff Technologist   https://www.eff.org/
> Electronic Frontier Foundation  https://www.eff.org/join
> 815 Eddy Street, San Francisco, CA  94109   +1 415 436 9333 x107
> ___
> cryptography mailing list
> cryptography@randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography
>
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Unbreakable crypto?

2015-03-21 Thread Seth David Schoen
Lee writes:

> On 3/21/15, Jeffrey Goldberg  wrote:
> > [Apologies for quoting badly]
> >
> > No!  A thousand times no.
> >
> > (1) the file isn't secret
> 
> But the fact that I'm using it as my one-time pad is.  Why isn't that
> good enough?

If an attacker has access to the same web sites and databases that you
do, the attacker could just try all of them the files in them.  There
shouldn't be more than 2⁵⁰ publicly-accessible files out there, right?

Or maybe each file in a copy of the Internet Archive, say.  One of them
is actually going to be that ISO file!

There are other conceptual problems that are much worse than this
practical problem.  The biggest conceptual problem is that, for the
one-time pad setting that has been mathematically proven secure, the
shortest description of the pad you are using should normally be the pad
itself.  If there is a shorter description, the attacker first of all has
a smaller work factor (set of things to try), but what's really _much much
much_ worse conceptually, the attacker has a probability of being able
to usefully distinguish one possible decryption as more likely than others.

In the ideal one-time pad, there is no basis on which an attacker (even
an attacker with completely unbounded resources) can usefully say that
one proposed decryption is more likely to be right than another, at
least compared to the attacker's prior beliefs about what the plaintext
was likely to be.  But if there is a meaningfully shorter description of
what you used as the pad, then an attacker with vast resources who
correctly guesses what that was will know that it's likely to be right,
which is a kind of success that the attacker couldn't have achieved with
a truly random pad.

*True random pad*: Attacker doesn't know whether pad k₁ is actually more
likely than pad k₂, if (c ⊕ k₁) and (c ⊕ k₂) both appear to be equally
plausible plaintexts.

*Choosing a meaningful file but keeping secret which one you used*: An
attacker who tries your file f₁ as the pad notices that both (c ⊕ f₁)
and f₁ itself appear "meaningful", so it's more likely that f₁ is
correct compared to some other f₂ which is not "meaningful".


This is the great thing about the classical one-time pad: the attacker
_literally doesn't know when the attack was successful_, a fact which
has nothing to do with how powerful the attacker is (how many keys the
attacker is able to try guessing).  In the classical one-time pad with
a true random pad, even an attacker who can try _every single_ pad
literally doesn't have any evidence which could reveal which one was
right, or which could reveal any new fact or property about the
plaintext.  Relaxing the randomness assumption, in turn, undermines this
conclusion because the attacker can now have some conceivable indication
about "being on the right track" (even if that's merely statistical),
which could simply never happen with a true random pad.

-- 
Seth Schoen  
Senior Staff Technologist   https://www.eff.org/
Electronic Frontier Foundation  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109   +1 415 436 9333 x107
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Unbreakable crypto?

2015-03-21 Thread Aaron Turner
On Sat, Mar 21, 2015 at 8:37 PM, Lee  wrote:
> On 3/21/15, James A. Donald  wrote:
>> On 2015-03-22 10:34, James A. Donald wrote:
>>> On 2015-03-22 06:13, Lee wrote:
 Would a commonly available large binary file make a good one-time pad?
 Something like ubuntu-14.10-desktop-amd64.iso12 maybe..
>>
>> I wrote:
>>> Before you asked the question, probably would have made a good one time
>>> pad.
>>>
>>> Not any more.
>>
>> Of course, it was never really a one time pad, merely security by
>> obscurity - which is quite good, until it is quite bad.
>
> How is a one time pad not security by obscurity?   As soon as the
> opponent gets a copy it's game over.

So you're looking for a crypto system which is secure against an
attacker having a copy of the key?
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Unbreakable crypto?

2015-03-21 Thread Lee
On 3/21/15, James A. Donald  wrote:
> On 2015-03-22 10:34, James A. Donald wrote:
>> On 2015-03-22 06:13, Lee wrote:
>>> Would a commonly available large binary file make a good one-time pad?
>>> Something like ubuntu-14.10-desktop-amd64.iso12 maybe..
>
> I wrote:
>> Before you asked the question, probably would have made a good one time
>> pad.
>>
>> Not any more.
>
> Of course, it was never really a one time pad, merely security by
> obscurity - which is quite good, until it is quite bad.

How is a one time pad not security by obscurity?   As soon as the
opponent gets a copy it's game over.

Lee
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Unbreakable crypto?

2015-03-21 Thread Lee
On 3/21/15, Jeffrey Goldberg  wrote:
> [Apologies for quoting badly]
>
> No!  A thousand times no.
>
> (1) the file isn't secret

But the fact that I'm using it as my one-time pad is.  Why isn't that
good enough?

> (2) the file isn't random.

Right.  An ISO file is a bad choice - too many zeros & machine code
isn't very random.  But what about something like an MP3, OGV or some
other compressed file?

> I'm sorry to pick on you, but you've illustrated a point I tried to make
> earlier. The OTP is a simple idea that is remarkably easy for people to
> misunderstand.

It doesn't feel like you're picking on me - I appreciate the feedback :)

Best Regards,
Lee


>
>> On Mar 21, 2015, at 3:13 PM, Lee  wrote:
>>
>>> On 3/20/15, Michael Kjörling  wrote:
>>> On 20 Mar 2015 15:11 -0400, from kevinsisco61...@gmail.com (Kevin):
 I was tempted by the promise of software to run a one-time pad on my
 machine.  I am a fool and I fall upon my own sword.
>>>
>>> An unauthenticated one-time pad is trivial to implement; it's
>>> literally a few lines of code in any reasonably modern language, and a
>>> handful of lines of code in less modern ones.
>>>
>>> The hard part, as has been pointed out in this thread, is to generate
>>> and handle the _pad_.
>>
>> Would a commonly available large binary file make a good one-time pad?
>> Something like ubuntu-14.10-desktop-amd64.iso12 maybe..
>>
>> Regards,
>> Lee
>> ___
>> cryptography mailing list
>> cryptography@randombit.net
>> http://lists.randombit.net/mailman/listinfo/cryptography
>
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Unbreakable crypto?

2015-03-21 Thread James A. Donald

On 2015-03-22 06:13, Lee wrote:

Would a commonly available large binary file make a good one-time pad?
Something like ubuntu-14.10-desktop-amd64.iso12 maybe..


Before you asked the question, probably would have made a good one time pad.

Not any more.


___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Unbreakable crypto?

2015-03-21 Thread James A. Donald

On 2015-03-22 10:34, James A. Donald wrote:

On 2015-03-22 06:13, Lee wrote:

Would a commonly available large binary file make a good one-time pad?
Something like ubuntu-14.10-desktop-amd64.iso12 maybe..


I wrote:

Before you asked the question, probably would have made a good one time
pad.

Not any more.


Of course, it was never really a one time pad, merely security by 
obscurity - which is quite good, until it is quite bad.


___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Unbreakable crypto?

2015-03-21 Thread John Levine
>Would a commonly available large binary file make a good one-time pad?
>Something like ubuntu-14.10-desktop-amd64.iso12 maybe..

Unlkely for two reasons.  One is that the point of a one-time pad is
that only the sender and recipient are supposed to have a copy.  The
other is that something like a Linux distribution has extremely
obvious regularities, so it wouldn't be hard for a cryptographer
to figure out what it was.

The way you make a one time pad is to take a source of actual (not
pseudo) randomness and record a lot of it in a form that is relatively
easy to distribute securely, like a DVD-ROM.

R's,
John
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Unbreakable crypto?

2015-03-21 Thread Jeffrey Goldberg
[Apologies for quoting badly]

No!  A thousand times no. 

(1) the file isn't secret
(2) the file isn't random. 

I'm sorry to pick on you, but you've illustrated a point I tried to make 
earlier. The OTP is a simple idea that is remarkably easy for people to 
misunderstand. 



Sent from my iPhone

> On Mar 21, 2015, at 3:13 PM, Lee  wrote:
> 
>> On 3/20/15, Michael Kjörling  wrote:
>> On 20 Mar 2015 15:11 -0400, from kevinsisco61...@gmail.com (Kevin):
>>> I was tempted by the promise of software to run a one-time pad on my
>>> machine.  I am a fool and I fall upon my own sword.
>> 
>> An unauthenticated one-time pad is trivial to implement; it's
>> literally a few lines of code in any reasonably modern language, and a
>> handful of lines of code in less modern ones.
>> 
>> The hard part, as has been pointed out in this thread, is to generate
>> and handle the _pad_.
> 
> Would a commonly available large binary file make a good one-time pad?
> Something like ubuntu-14.10-desktop-amd64.iso12 maybe..
> 
> Regards,
> Lee
> ___
> cryptography mailing list
> cryptography@randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography


smime.p7s
Description: S/MIME cryptographic signature
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Unbreakable crypto?

2015-03-21 Thread Dave Horsfall
On Sat, 21 Mar 2015, Lee wrote:

> Would a commonly available large binary file make a good one-time pad? 
> Something like ubuntu-14.10-desktop-amd64.iso12 maybe..

Well, you can't use that one now...

-- 
Dave Horsfall DTM (VK2KFU)   "Those who don't understand security will suffer."
http://www.horsfall.org/spam.html (and check the home page whilst you're there)
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Unbreakable crypto?

2015-03-21 Thread Lee
On 3/20/15, Michael Kjörling  wrote:
> On 20 Mar 2015 15:11 -0400, from kevinsisco61...@gmail.com (Kevin):
>> I was tempted by the promise of software to run a one-time pad on my
>> machine.  I am a fool and I fall upon my own sword.
>
> An unauthenticated one-time pad is trivial to implement; it's
> literally a few lines of code in any reasonably modern language, and a
> handful of lines of code in less modern ones.
>
> The hard part, as has been pointed out in this thread, is to generate
> and handle the _pad_.

Would a commonly available large binary file make a good one-time pad?
Something like ubuntu-14.10-desktop-amd64.iso12 maybe..

Regards,
Lee
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Unbreakable crypto?

2015-03-20 Thread Michael Kjörling
On 20 Mar 2015 15:11 -0400, from kevinsisco61...@gmail.com (Kevin):
> I was tempted by the promise of software to run a one-time pad on my
> machine.  I am a fool and I fall upon my own sword.

An unauthenticated one-time pad is trivial to implement; it's
literally a few lines of code in any reasonably modern language, and a
handful of lines of code in less modern ones.

The hard part, as has been pointed out in this thread, is to generate
and handle the _pad_.

-- 
Michael Kjörling • https://michael.kjorling.se • mich...@kjorling.se
OpenPGP B501AC6429EF4514 https://michael.kjorling.se/public-keys/pgp
 “People who think they know everything really annoy
 those of us who know we don’t.” (Bjarne Stroustrup)
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Unbreakable crypto?

2015-03-20 Thread Jeffrey Goldberg
On 2015-03-20, at 1:24 PM, stef  wrote:
> On Fri, Mar 20, 2015 at 06:12:31PM +, Dave Howe wrote:
>> Or a reasonably clever and trolling satire on snakeoil products. :)
> 
> the less optimistic alternative is this being a well-crafted water-holing site
> targeted at the members of this mailing-list.

Szia Stef,

I believe I’ve also seen this raised on sci.crypt, which is
spectacularly easy to troll.

I really WANT to believe it is a deliberate troll-like thing. But
the sad fact of the matter is that a huge number of people who
learn a little about the OTP think that they can create unbreakable
crypto, and they end up

(1) Using a crappy PRNG.
(2) Seeding/keying their crappy PRNG badly.
(3) Failing to notice/address the malleability of these things.
(4) Reusing the key/pad.

So whether a troll or not, that is the kind of snake oil that people
sincerely produce.

I like using the OTP as an example of how brittle some schemes are. Doing
things “slightly” wrong can lead to dramatic reductions in security.

Cheers,

-j


___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Unbreakable crypto?

2015-03-20 Thread Kevin

On 3/20/2015 2:50 PM, Dave Horsfall wrote:

On Fri, 20 Mar 2015, stef wrote:


Or a reasonably clever and trolling satire on snakeoil products. :)

the less optimistic alternative is this being a well-crafted
water-holing site targeted at the members of this mailing-list.

But wouldn't the members of this list be smart enough to not get taken in?
Wouldn't they?

I like the idea of it being a troll; it certainly explains a lot.

I was tempted by the promise of software to run a one-time pad on my 
machine.  I am a fool and I fall upon my own sword.



---
This email is free from viruses and malware because avast! Antivirus protection 
is active.
http://www.avast.com

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Unbreakable crypto?

2015-03-20 Thread Dave Horsfall
On Fri, 20 Mar 2015, stef wrote:

> > Or a reasonably clever and trolling satire on snakeoil products. :)
> 
> the less optimistic alternative is this being a well-crafted 
> water-holing site targeted at the members of this mailing-list.

But wouldn't the members of this list be smart enough to not get taken in?  
Wouldn't they?

I like the idea of it being a troll; it certainly explains a lot.

-- 
Dave Horsfall DTM (VK2KFU)   "Those who don't understand security will suffer."
http://www.horsfall.org/spam.html (and check the home page whilst you're there)
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Unbreakable crypto?

2015-03-20 Thread stef
On Fri, Mar 20, 2015 at 06:12:31PM +, Dave Howe wrote:
> Or a reasonably clever and trolling satire on snakeoil products. :)

the less optimistic alternative is this being a well-crafted water-holing site
targeted at the members of this mailing-list.

-- 
otr fp: https://www.ctrlc.hu/~stef/otr.txt
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Unbreakable crypto?

2015-03-20 Thread Dave Howe
On 20/03/2015 17:01, Kevin wrote:
> I am trying to contact the "company" and it is not easy.  They don't
> want people looking into them or the product they offer.  I guess it's
> fraud; I am disillusioned.  If you hold real still and listen, you can
> here the sound of my bubble bursting.

Or a reasonably clever and trolling satire on snakeoil products. :)

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Unbreakable crypto?

2015-03-20 Thread Kevin

On 3/20/2015 12:06 PM, Tony Arcieri wrote:
On Fri, Mar 20, 2015 at 4:02 AM, Enrique Soriano > wrote:


These days we can buy 128GB pendrives (i.e. very long pads) for $35.

This simple approach seems viable to me:

https://www.codeandsec.com/Poor-Mans-Unbreakable-Encrypted-TCP-Tunnel


Poorly implemented, one time pads are in fact quite dangerous:

1) Extremely great care must be taken to never reuse any portion of 
the pad. When reused, the attacker can easily obtain the XOR of the 
plaintexts encrypted with the reused portion of the pad

2) Without authentication (i.e. a MAC), one time pads are highly malleable

The author of that software doesn't know the difference between a one 
time pad and a stream cipher. There's no practical reason to prefer a 
one time pad to a modern stream cipher like ChaCha20, which can be 
combined with the Poly1305 MAC to create an authenticated encryption 
scheme that isn't malleable like an unauthenticated one time pad.


--
Tony Arcieri


___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
I am trying to contact the "company" and it is not easy.  They don't 
want people looking into them or the product they offer.  I guess it's 
fraud; I am disillusioned.  If you hold real still and listen, you can 
here the sound of my bubble bursting.




---
This email is free from viruses and malware because avast! Antivirus protection 
is active.
http://www.avast.com
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Unbreakable crypto?

2015-03-20 Thread Tony Arcieri
On Fri, Mar 20, 2015 at 4:02 AM, Enrique Soriano  wrote:

> These days we can buy 128GB pendrives (i.e. very long pads) for $35.
>
> This simple approach seems viable to me:
>
> https://www.codeandsec.com/Poor-Mans-Unbreakable-Encrypted-TCP-Tunnel


Poorly implemented, one time pads are in fact quite dangerous:

1) Extremely great care must be taken to never reuse any portion of the
pad. When reused, the attacker can easily obtain the XOR of the plaintexts
encrypted with the reused portion of the pad
2) Without authentication (i.e. a MAC), one time pads are highly malleable

The author of that software doesn't know the difference between a one time
pad and a stream cipher. There's no practical reason to prefer a one time
pad to a modern stream cipher like ChaCha20, which can be combined with the
Poly1305 MAC to create an authenticated encryption scheme that isn't
malleable like an unauthenticated one time pad.

-- 
Tony Arcieri
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Unbreakable crypto?

2015-03-20 Thread Wim Remes
none of the clients they advertise actually exist ...

On Thu, Mar 19, 2015 at 8:33 PM, Kevin  wrote:

> This software uses the one-time pad.  Have any of you seen this?
> http://www.unbreakable-crypto.com
>
>
> ---
> This email is free from viruses and malware because avast! Antivirus
> protection is active.
> http://www.avast.com
>
> ___
> cryptography mailing list
> cryptography@randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography
>



-- 
Wim Remes
Security Afficionado
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Unbreakable crypto?

2015-03-20 Thread Enrique Soriano
>>Warning Sign #6: One-time pads.

These days we can buy 128GB pendrives (i.e. very long pads) for $35.

This simple approach seems viable to me:

https://www.codeandsec.com/Poor-Mans-Unbreakable-Encrypted-TCP-Tunnel

Regards,
q

On Fri, Mar 20, 2015 at 10:42 AM, Michael Kjörling  wrote:
> On 19 Mar 2015 16:10 -0400, from kevinsisco61...@gmail.com (Kevin):
>> On 3/19/2015 4:00 PM, Ben Lincoln (F70C92E3 - Cryptography ML) wrote:
>>> There's no demo version available, but based on the screenshots and the
>>> information on the site, it looks like it's using a "one-time pad"
>>> generated using a PRNG or other sequence-generator seeded with a key
>>> generated by the application, and it's the key that's exchanged.
>>
>> I assume it uses your hardware to generate the random value.
>
> It doesn't matter how the PRNG works. If it's seeded by a key, and the
> pad is regenerable given the key (which it sounds like given the
> description), then it's not an OTP, and you get _at the very best_ 2^k
> bits security (where k is the number of entropy bits in the key)
> rather than a proper OTP's 2^n bits security (where n is the length of
> the message, in bits).
>
> The reason why a OTP is provably secure in theory (in the
> confidentiality sense of secure) is that the key _is_ as long as the
> message and completely random; thus you cannot tell whether a key you
> just tried is valid without already knowing the plaintext message, in
> which case there really is no point to the exercise to begin with.
>
> Combining a seeded PRNG with a simple operation on the PRNG output and
> the plaintext or ciphertext is how stream ciphers work.
>
> Now, something like a decent KDF feeding a key into AES running in
> counter mode to generate a ciphertext stream which is then used as a
> key for encryption in a stream cipher-like construct is _probably
> reasonably_ (_very heavy_ emphasis on "probably") secure, and not too
> dissimilar from what is hypothesized above. But at that point, you
> might just as well use the fairly well-proven AES directly; it will be
> marginally faster given identical hardware and otherwise identical
> software (since you avoid your extra algorithm, and AES is often
> hardware-accellerated on modern CPUs) and it will be at least equally
> secure (because the security of the ciphertext in the combined scheme
> will be totally dependent on the security of the stronger algorithm
> pass anyway -- see Kerckhoffs' principle -- and most people are
> unlikely to come up with something that is _more_ secure than AES
> against any type of attack, much less all types of attacks). And it
> absolutely is _not_ a one-time pad.
>
> --
> Michael Kjörling • https://michael.kjorling.se • mich...@kjorling.se
> OpenPGP B501AC6429EF4514 https://michael.kjorling.se/public-keys/pgp
>  “People who think they know everything really annoy
>  those of us who know we don’t.” (Bjarne Stroustrup)
> ___
> cryptography mailing list
> cryptography@randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Unbreakable crypto?

2015-03-20 Thread Michael Kjörling
On 19 Mar 2015 16:10 -0400, from kevinsisco61...@gmail.com (Kevin):
> On 3/19/2015 4:00 PM, Ben Lincoln (F70C92E3 - Cryptography ML) wrote:
>> There's no demo version available, but based on the screenshots and the
>> information on the site, it looks like it's using a "one-time pad"
>> generated using a PRNG or other sequence-generator seeded with a key
>> generated by the application, and it's the key that's exchanged.
> 
> I assume it uses your hardware to generate the random value.

It doesn't matter how the PRNG works. If it's seeded by a key, and the
pad is regenerable given the key (which it sounds like given the
description), then it's not an OTP, and you get _at the very best_ 2^k
bits security (where k is the number of entropy bits in the key)
rather than a proper OTP's 2^n bits security (where n is the length of
the message, in bits).

The reason why a OTP is provably secure in theory (in the
confidentiality sense of secure) is that the key _is_ as long as the
message and completely random; thus you cannot tell whether a key you
just tried is valid without already knowing the plaintext message, in
which case there really is no point to the exercise to begin with.

Combining a seeded PRNG with a simple operation on the PRNG output and
the plaintext or ciphertext is how stream ciphers work.

Now, something like a decent KDF feeding a key into AES running in
counter mode to generate a ciphertext stream which is then used as a
key for encryption in a stream cipher-like construct is _probably
reasonably_ (_very heavy_ emphasis on "probably") secure, and not too
dissimilar from what is hypothesized above. But at that point, you
might just as well use the fairly well-proven AES directly; it will be
marginally faster given identical hardware and otherwise identical
software (since you avoid your extra algorithm, and AES is often
hardware-accellerated on modern CPUs) and it will be at least equally
secure (because the security of the ciphertext in the combined scheme
will be totally dependent on the security of the stronger algorithm
pass anyway -- see Kerckhoffs' principle -- and most people are
unlikely to come up with something that is _more_ secure than AES
against any type of attack, much less all types of attacks). And it
absolutely is _not_ a one-time pad.

-- 
Michael Kjörling • https://michael.kjorling.se • mich...@kjorling.se
OpenPGP B501AC6429EF4514 https://michael.kjorling.se/public-keys/pgp
 “People who think they know everything really annoy
 those of us who know we don’t.” (Bjarne Stroustrup)
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Unbreakable crypto?

2015-03-19 Thread Dave Horsfall
On Thu, 19 Mar 2015, Kevin wrote:

> This software uses the one-time pad.  Have any of you seen this?
> http://www.unbreakable-crypto.com

Hilarious; a secure system marketed for fundamentally insecure 
computers...

-- 
Dave Horsfall DTM (VK2KFU)   "Those who don't understand security will suffer."
http://www.horsfall.org/spam.html (and check the home page whilst you're there)
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Unbreakable crypto?

2015-03-19 Thread Kevin

On 3/19/2015 4:00 PM, Ben Lincoln (F70C92E3 - Cryptography ML) wrote:

On Thu, March 19, 2015 12:33 pm, Kevin wrote:

This software uses the one-time pad.  Have any of you seen this?
http://www.unbreakable-crypto.com

There's no demo version available, but based on the screenshots and the
information on the site, it looks like it's using a "one-time pad"
generated using a PRNG or other sequence-generator seeded with a key
generated by the application, and it's the key that's exchanged.

They call this a "Virtual OTP Cascade", but I believe it would be more
correct to call it "a proprietary stream-cipher implementation with a
silly name attached".

I'd also be curious if anyone else has used it so they can verify that it
works this way.

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

I assume it uses your hardware to generate the random value.


---
This email is free from viruses and malware because avast! Antivirus protection 
is active.
http://www.avast.com

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Unbreakable crypto?

2015-03-19 Thread Kevin

On 3/19/2015 4:03 PM, stef wrote:

On Thu, Mar 19, 2015 at 03:33:25PM -0400, Kevin wrote:

This software uses the one-time pad.  Have any of you seen this?
http://www.unbreakable-crypto.com

i wonder if the eff is aware that they are referenced in the footer.
i'd categorise this as brilliant satire.


The whole thing could be bull but on the other hand it could be legit.


---
This email is free from viruses and malware because avast! Antivirus protection 
is active.
http://www.avast.com

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Unbreakable crypto?

2015-03-19 Thread Ben Lincoln (F70C92E3 - Cryptography ML)
On Thu, March 19, 2015 12:33 pm, Kevin wrote:
> This software uses the one-time pad.  Have any of you seen this?
> http://www.unbreakable-crypto.com

There's no demo version available, but based on the screenshots and the
information on the site, it looks like it's using a "one-time pad"
generated using a PRNG or other sequence-generator seeded with a key
generated by the application, and it's the key that's exchanged.

They call this a "Virtual OTP Cascade", but I believe it would be more
correct to call it "a proprietary stream-cipher implementation with a
silly name attached".

I'd also be curious if anyone else has used it so they can verify that it
works this way.

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Unbreakable crypto?

2015-03-19 Thread stef
On Thu, Mar 19, 2015 at 03:33:25PM -0400, Kevin wrote:
> This software uses the one-time pad.  Have any of you seen this?
> http://www.unbreakable-crypto.com

i wonder if the eff is aware that they are referenced in the footer.
i'd categorise this as brilliant satire.

-- 
otr fp: https://www.ctrlc.hu/~stef/otr.txt
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Unbreakable crypto?

2015-03-19 Thread Warren Kumari
https://www.schneier.com/crypto-gram/archives/1999/0215.html
Warning Sign #6: One-time pads.


http://en.wikipedia.org/wiki/Snake_oil_%28cryptography%29

etc etc etc.

On Thu, Mar 19, 2015 at 2:33 PM, Kevin  wrote:
> This software uses the one-time pad.  Have any of you seen this?
> http://www.unbreakable-crypto.com
>
>
> ---
> This email is free from viruses and malware because avast! Antivirus
> protection is active.
> http://www.avast.com
>
> ___
> cryptography mailing list
> cryptography@randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


[cryptography] Unbreakable crypto?

2015-03-19 Thread Kevin

This software uses the one-time pad.  Have any of you seen this?
http://www.unbreakable-crypto.com


---
This email is free from viruses and malware because avast! Antivirus protection 
is active.
http://www.avast.com

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography