Re: Erasing an OTP file on a SD card.
From: Cesar Bremer Pinheiro (cesarbremer_at_raseac.com.br)
Date: 07/30/04
- Previous message: Bob Silverman: "Re: encryption with pi"
- In reply to: Liwp: "Re: Erasing an OTP file on a SD card."
- Next in thread: Liwp: "Re: Erasing an OTP file on a SD card."
- Reply: Liwp: "Re: Erasing an OTP file on a SD card."
Date: 30 Jul 2004 14:36:52 -0700
Liwp <liwp@nospam.invalid> wrote in message news:<3a7jsmgcc7.fsf@birtwistle.cl.cam.ac.uk>...
> cesarbremer@raseac.com.br (Cesar Bremer Pinheiro) writes:
>
> > I don't feel well with OTP, and because of that I built a system where
> > AES is the main protection, and OTP will not make the AES weaker.
>
> Remind me how exactly do you get the keys for the AES encryption?
The keys are collected when the user writes randomly over the handheld
screen; the system gets the points and does a SHA-256 over the points
collected.
> You didn't want to do DH... And I remember you saying that you update the
> session key by hashing it with SHA-256 which provides no forward secrecy
> as has been mentioned here more than once already.
The problem of storing a symmetric key is the same as storing a
private key.
You need authentication.
If you don't have a secure way to protect the authentication process,
you don't have security.
I see the use of your own memory (if you have a good one) or a
tamper-resistant device to store your keys as good ways to guarantee
better authentication.
Without authentication we can't go ahead with security.
We have a lot of attacks here: your SDCard can be stolen or read,
the attacker can get your phone, and worse, if the attacker could
change your hardware, then you lose all your security.
If I have my symmetric keys inside a tamper-resistant device I can
get more guarantee of authentication and more protection. If you have
your private key inside your tamper-resistant device, you will have
a better guarantee of authentication and security, but if you lose your
authentication, your forward secrecy will not help.
And without good hardware to protect the authentication process . . . .
Cesar.
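
An added example, not part of the original post: a Python sketch of the scheme as the thread describes it, with a key taken as SHA-256 over the collected stylus points and a session key updated by hashing it with SHA-256. The point encoding, the function names and the sample points are assumptions; it shows that one captured key in the chain yields every later key with no other secret, while earlier keys stay out of reach only if they were erased.

```python
import hashlib
import struct

def key_from_points(points):
    """SHA-256 over the collected (x, y) stylus points -> 32-byte AES-256 key.
    The big-endian 16-bit packing is an assumption; the post gives no encoding."""
    h = hashlib.sha256()
    for x, y in points:
        h.update(struct.pack(">HH", x, y))
    return h.digest()

def next_key(key):
    """Session-key update as described in the thread: hash the current key."""
    return hashlib.sha256(key).digest()

def chain(key, n):
    """Return the n keys that follow `key` in the hash chain."""
    out = []
    for _ in range(n):
        key = next_key(key)
        out.append(key)
    return out

def demo():
    # Constructed sample input: a short scribble on a 240x320 screen.
    points = [(12, 200), (57, 31), (199, 144), (3, 310), (120, 77), (88, 9)]
    k0 = key_from_points(points)
    sessions = chain(k0, 5)  # k1..k5, computed identically by both parties

    # Whoever copies k2 (for example from storage that was not wiped) needs
    # nothing else to follow along: later keys are a public function of k2.
    captured = sessions[1]
    recomputed = chain(captured, 3)
    later_keys_exposed = recomputed == sessions[2:5]

    # Going backwards means inverting SHA-256, so k1 is protected only if
    # the device really erased it after the update.
    earlier_key_derivable = sessions[0] in recomputed
    return later_keys_exposed, earlier_key_derivable

if __name__ == "__main__":
    print(demo())
```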