Re: Secure Data & Communication Project
From: Matt Mahoney (matmahoney_at_yahoo.com)
Date: 06/20/05
- Next message: Matt Mahoney: "Re: How do you Decrypt a RAR file using known-plaintext attack ??"
- Previous message: joe: "M100 crypto device?"
- In reply to:(deleted message) Italy Anonymous Remailer: "Re: Secure Data & Communication Project"
- Next in thread: Yoy G0: "Re: Secure Data & Communication Project"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 19 Jun 2005 15:38:00 -0700
Italy Anonymous Remailer wrote:
> One Time Pad will be one of the functions, e.g. one of the options,
> not the only one. The user shall be able to use whatever crypto
> he/she needs in any given situation. One Time Pad will not be
> implemented in the way you are suggesting here. It will be
> implemented as it should, for example:
>
> create two copies of One Time Pad keys, and the parties will
> initially exchange them face to face, or via trusted third party via
> secure channels, in phisical world. Each time any portion of the key
> material is used, the program will delete that portion from the
> storage. The key material might be saved on a, let's say, USB memory
> stick, or something of that kind, encrypted during transport and
> between uses. Otherwise no portion of the key material will be sent
> via insecure channels before the initial use.
>
> When the key material is used up, the parties shall repeat the
> procedure. Alternatively, just before the key material is being used
> up, instructions can be exchanged between the parties encrypted with
> some of the remaining One Time Pad key material, which could
> establish a procedure between the parties for generating a pool of
> new key material with some generator with the same true random seed
> for both, e.g. a portion of the remaining key material. This new
> pools could be the new pad.
That is not one time pad. Not that it can't be done securely, but you
don't have the theoretical secrecy against an attacker with unlimited
computing power that OTP offers. With unlimited power the attacker can
try all possible seeds (since there are only a finite number of them)
and find the one that decrypts to something sensible. All the wrong
decryptions will look like random data. With OTP all plaintexts are
equally likely, including all the sensible ones, so there is no way to
tell which one is correct. OTP will require a hardware random number
generator for every bit of the keystream.
The scheme you describe could just as well be done with AES in CTR
mode, and all you need to do is exchange keys, not the whole keystream.
Whichever way you do it, you still need to provide authenication,
because an OTP encrypted message can still be easily tampered with by
flipping bits.
-- Matt Mahoney
- Next message: Matt Mahoney: "Re: How do you Decrypt a RAR file using known-plaintext attack ??"
- Previous message: joe: "M100 crypto device?"
- In reply to:(deleted message) Italy Anonymous Remailer: "Re: Secure Data & Communication Project"
- Next in thread: Yoy G0: "Re: Secure Data & Communication Project"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
