Peter Trei <trei@process.com> wrote:
An acquaintence of mine works at a firm with little cryptography experience. They are thinking of including cryptography in a future product, and Elementrix's Power One Time Pad is a serious contestant.
I'm looking for independent critiques of the system, something better than 'it's not really a one-time pad.' Is the cryptosystem which is actually implemented worth a damn? Does their claim to have solved the key distribution problem hold water? I seem to remember something about them wanting to generate keys for you, and ship them to the customer. Is this correct?
Not quite. What the program actually does is the first time you send a message, it generates an initial key and sends the key - in plaintext - to the recipient. Then the first message is encrypted with this key. So the system initially has absolutely no security at all. The second message sent is encrypted with a hash of the first message as a key. The third message is encrypted using a hash of the second message, and so forth. So each time you send a new message, you in effect send a new key, encrypted with the old key. Their theory is that if the eavesdropper misses a message, then he loses the key, and can't decrypt the messages anymore. Of course, if the intended recipient loses a message then he loses the key for subsequent messages too. Thus we have a nice little denial-of-service attack. They prevent this via a "emeregency resynchronization" procedure (which they seem quite proud of, and their web pages congratulate themselves repeatedy on the purported cleverness of this). Of course, this "resnchronization" is based upon a pre-arranged key, which the eavesdropper should already have, if he's been decrypting their mail. Even better, the attacker can synchronize with one or both parties, performing a man-in-the-middle attack and/or spoofing them. So basically the system will stand up to a passive sniffing attack only if the eavesdropper is clumsy and loses messages, and doesn't stand up to a denial-of-service or man-in-the-middle attack at all. And I haven't even considered implementation bugs yet.