Re: Back Doors
From: CF (none_at_nowhere.not)
Date: 12/26/03
- Next message: John Savard: "Re: A Paranoid Encryption Mode"
- Previous message: Roger Schlafly: "Crypto Mini-FAQ"
- In reply to: mike3: "Re: Back Doors"
- Next in thread: Bryan Olson: "Re: Back Doors"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 26 Dec 2003 02:40:53 GMT
"mike3" <mike4ty4@yahoo.com> wrote in message
news:1d54b7e4.0312211943.8eb983d@posting.google.com...
> "CryptWolf" <RWilliams01nospam@no.spam.sceinet.no.spam.com> wrote in
message news:<d95fdc915bf9777ecd86061f7da3ca87@news.teranews.com>...
> > "mike3" <mike4ty4@yahoo.com> wrote in message
> > >news:1d54b7e4.0312192340.3f693332@posting.google.com...
> > > Hi.
> > >
> > > How can one implement "back doors" in an encryption algorithm that
> > > would allow someone to decode all messages encrypted with it provided
> > > they know some secret "magic" formula? Is this a very diffcult problem
> > > or an easy one?
> >
> > Design into the system a master key. Every file is then readable using
> > the master key or the user key. Note that this is an obvious solution.
> > It is generally easiest to implemented using a public key system so
> > that security is not compromised if carefully designed. No private keys
> > need to be embedded. This would be typical in a corporate environment
> > where management might want a way to recover anything the
> > employees might encrypt. The weakness is the master private key
> > becomes the prime target. Otherwise well known algorithms may be
> > used and a very secure system can be designed.
> >
> > If you assume the enemy knows everything about the system,
> > hidden key, key leaking or key weakening schemes fail instantly.
> > All just forms of obscurity.
> >
> > Hard or easy depends on what you actually have to work with.
> > Note that it doesn't prevent someone from downloading an
> > alternative without a back door.
> >
> > CryptWolf
>
> Here's the "conventional" method of applying a public key algorithm:
>
> Encryption:
>
> 1. Make a random symmetric key.
> 2. Encrypt that with public key.
> 3. Use random key to encrypt main message with fast symmetric algorithm.
> 4. Send encrypted random key and encrypted message together.
>
> Decryption:
>
> 1. Decrypt random symmetric key with private key.
> 2. Use recovered key to decrypt main message.
>
> Would this work as a good back door?:
>
> Encryption:
>
> 1. Make a random symmetric key.
> 2. Encrypt that with public key.
> 3. Encrypt a second copy with the "master" hardwired internal public key.
> 4. Use random key to encrypt main message with fast symmetric algorithm.
> 5. Send both copies of encrypted random key and encrypted message
together.
>
> Decryption (with recipient's private key)
>
> 1. Decrypt user key-encryped symmetric key with recipient's private key.
> 2. Use recovered key to decrypt main message.
>
> Decryption (with master private key)
>
> 1. Decrypt master key-encryped symmetric key with recipient's private key.
> 2. Use recovered key to decrypt main message.
>
> Would that make a good back door (as long as it is not mentioned)?
Hi mike3,
First off:
1. Encrypt message with public key.
2. Decrypt message with private key. Private key works.
3. Try decrypting message with all other possible keys. If any other key
decrypts message, you know there is a backdoor.
Thus if a master key exists, it can be proven. Just a note in case you're
paranoid and want to take the time and resources to ease your mind.
If your "magic formula" is something other than a master key, your algorithm
or source code may look fishy. Even if your algorithm is complex enough to
fool the worlds smartest, there are still potential problems. Lets take a
look at what this might look like, with no "master key" backdoors.
Let F() be your encryption algorithm.
Let P be your plaintext.
Let k be your public key.
Let Ck be your cyphertext encrypted with key k
Let F(P,k) denote the application of F() on P with k.
F(P,k)=Ck
Let G() be your decryption algorithm.
Le r be your private key.
Let G(Ck,r) denote the application of G() on Ck with r.
G(Ck,r)=P
Then let M() be your "magic function" such that:
M(Ck,k)=P
All you need to do make sure that:
G(Ck,r)=M(Ck,k)
Since, presumably, you already know k and have intercepted Ck, you're all
set.
-KryptoPhalkon
It feels great to post again, after all these years. : )
- Next message: John Savard: "Re: A Paranoid Encryption Mode"
- Previous message: Roger Schlafly: "Crypto Mini-FAQ"
- In reply to: mike3: "Re: Back Doors"
- Next in thread: Bryan Olson: "Re: Back Doors"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
