Re: Erasing an OTP file on a SD card.

From: Giorgio (giorgio_at_bignami.zzn.com)
Date: 07/29/04


Date: 29 Jul 2004 02:17:46 -0700

cesarbremer@raseac.com.br (Cesar Bremer Pinheiro) wrote in message news:<4c3656f.0407281116.1de1b935@posting.google.com>...
> We have clients that don't want to rely only on Rijndael for their
> protection. I will ask you, why not allow our clients to have OTP
> security?
...
> Security has a price, we have clients asking for OTP.
You must consider that in the real world you are using cryptosystems and that
algorithms are only a single element of them; the whole system is as weak
as the weakest element.
With OTP, you can be sure that the algorithm is provably unbreakable,
but since the exchange of a pad as big as the message is required, all
the other steps of the system become more difficult to keep secure
than when you are using other systems. That doesn't mean that security
of the whole system is not a problem for the implementation of other
ciphers, it only means that OTP must manage bigger problems.
As Bruce Schneier says in Crypto-Gram, it's worthless to make any
element of the system overkill if there are simpler solutions for
the attacker; it would be like sticking a 50 ft pole into a
palisade wall when all the other poles are shorter and weaker: the attacker
will simply sidestep and avoid the strongest pole.
With many good cryptosystems you can calculate what work would be
needed to break them (or the best known way); with OTP you exchange this
problem for: how strong is the pad exchange system? Can I
realistically calculate whether it's higher or lower than the difficulty of
breaking other cryptosystems? Can I calculate how difficult it is to
overcome guards or reverse engineer hardcoded protections? How much
does it cost? Can I prove that it will be reasonably secure under any
circumstances, or in the vast majority of cases?
I think it's very difficult to calculate and prove the security of
such a system; the system will be as secure as you can make sure
(in the real world, at the cost that you can afford) to keep the pad
secure. The whole system would never be practically as unbreakable as the
algorithm, so the customer will never have the theoretical OTP security,
but only the security of the weakest element of the practical
OTP implementation.
The customers should really be warned about it: they are, however, using
an OTP implementation, which has weaker steps than the unbreakable OTP
algorithm, and that means that it's as strong as the weakest element.

> I don't know your technical
> background, but implementing OTP is a very easy task.
> And about our OTP implementation: you will be able to test it in an
> easy way, you will have the opportunity to change the OTP file and
> hear the sound.
It's very easy to make a routine that XORs sources of data... but one
must come from a real RNG, and the RNG device should be tested to
be working properly within the given parameters (not by testing the
output, since if the output is really random it can be anything). Moreover,
you must be sure that the RNG is based on a truly non-deterministic
dynamic, and you should be able to test that it has not been tampered with by an
attacker before you use it. (It's part of the holistic security needed
in a real OTP implementation.)

> We erase all used data after each session, in both handhelds, and our
> OTP routine checks if we are reading null data.
As said, secure deletion is quite difficult; there are physical means
to recover old states of many kinds of memory. Also this element of
the implementation, if difficult, is not impossible. You should know
well how the device works at a very low level and keep your secure
deletion routine updated with advances in data recovery.
As said, the cost of the overkill security of the algorithm
element of the system, in the case of OTP, reflects very badly on the
other elements, which may become potentially weaker (and certainly are
more unpredictable) than the security provided by other cryptosystems.
I hope to have been useful in the thread.
 Giogio
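
An added illustration, not part of the post above or of the product discussed in the thread: a Python sketch of the "erase used data after each session" routine with its null-data check, showing why the XOR is the easy part. The names `take_pad`, `otp_xor`, `PadReused` and `demo` are hypothetical, `os.urandom` stands in for the pad source, and the overwrite is only logical, so on an SD card it does not answer the recovery problem raised in the post.

```python
import os
import tempfile

class PadReused(Exception):
    """Raised when the requested pad span has already been erased."""

def take_pad(path, offset, n):
    """Return n pad bytes at offset, zeroing them in the file before returning."""
    with open(path, "r+b") as f:
        f.seek(offset)
        chunk = f.read(n)
        if len(chunk) < n:
            raise ValueError("pad exhausted: message longer than remaining pad")
        # Null-data check: an all-zero span is treated as already consumed.
        # A genuinely random span is all-zero with probability 2**(-8*n).
        if n and not any(chunk):
            raise PadReused("pad span at offset %d already erased" % offset)
        f.seek(offset)
        f.write(bytes(n))
        f.flush()
        # Logical overwrite only: a flash controller may remap the write and
        # leave the old cells intact, so this is not physical erasure.
        os.fsync(f.fileno())
    return chunk

def otp_xor(data, path, offset):
    """Encrypt or decrypt data with a pad span that is consumed on use."""
    pad = take_pad(path, offset, len(data))
    return bytes(x ^ k for x, k in zip(data, pad))

def demo():
    """Constructed sample: identical pad files stand in for the two handhelds."""
    pad, msg = os.urandom(64), b"constructed test message"
    with tempfile.TemporaryDirectory() as d:
        a, b = os.path.join(d, "pad_a"), os.path.join(d, "pad_b")
        for p in (a, b):
            with open(p, "wb") as f:
                f.write(pad)
        ct = otp_xor(msg, a, 0)          # sender consumes its copy
        pt = otp_xor(ct, b, 0)           # receiver consumes its copy
        try:
            otp_xor(msg, a, 0)           # second use of the same span must fail
            reused_rejected = False
        except PadReused:
            reused_rejected = True
        with open(a, "rb") as f:
            erased = f.read(len(msg)) == bytes(len(msg))
    return pt == msg, reused_rejected, erased
```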


