Re. your point about security and burglary. An intruder could copy a one-time pad, but of course an intruder can also copy the private key to an RSA system as well. I'll admit that physical key control is easier with public key systems: one just keeps one's key disc in one's personal possession at all times, and keeps a couple of backup copies in the hands of close trusted friends or family who understand and will take equal precautions. One could also design physical storage media which are intrusion resistant in the sense of self-destructing if tampered with or fed the wrong password; these would work as well for OTP keys as for RSA keys. In some conceivable applications, physical security can be insured as a matter of the vital interests of the participants. Again, I'm by no means trying to suggest that OTPs be considered for particularly wide application. Rather, that OTPs and a range of other systems be designed, implemented, and made available so that potential users can make their own informed choices. -gg
Physical security is not a big issue for RSA (in the pgp implementation) because the secret key ring is itself encrypted. The problem is not so much physical-intrusion-to-get-the-key as it is physical intrusion aimed at modifying software. It would be easy to modify pgp so that the keys are logged, etc, in a way transparent to the user. This is why it is important to keep both the keys and the software that manipulates them off line. It is also important to keep the software from being tampered with. The best way to do this is to put the keys and the software on a hard disk, and put the hard disk in a computer, and carry the computer with you wherever you go. e
> Physical security is not a big issue for RSA (in the pgp implementation) because the secret key ring is itself encrypted. The problem is not so much physical-intrusion-to-get-the-key as it is physical intrusion aimed at modifying software.
To add my two cents, I once had some sensitive files stolen from me. The cracker had modified the crypt command to record passwords and current directory (since crypt only works on stdin and stdout). In a matter of a few days they had my crypt password and enough information from my files to raise some real hell. Note that they did not bother with breaking the crypt or guessing the password; they just rigged the system binaries. -Pete
PS: this happened a year ago, and last month a copy of the files appeared on some systems owned by the Bay Area Air Quality Management District in SF (baaqmd).
PPS: I *know* that crypt is insecure, but I had tarred/compressed it and des was not available on the systems I was working on.
> Again, I'm by no means trying to suggest that OTPs be considered for particularly wide application. Rather, that OTPs and a range of other systems be designed, implemented, and made available so that potential users can make their own informed choices.
One time pad systems are expensive enough and in uncommon enough use that I doubt they are going to get written as free software. I personally am not going to work on them, because I don't want to go buy the necessary hardware to generate and hold sufficient key material for a practical application. You also need hardware random number generators for a secure OTP system. Such boxes are not readily available, nor do they come cheap. While not obvious, making random bits is a very deep problem. See Knuth volume 2 for some insights. I suspect that this same argument holds for all the rest of the people in the group as well. I don't know of anybody who wants to implement this system for themselves, given the cost involved. Cryptography is all economics, and the economics here are that one time pad systems are expensive enough that the software that gets written for them will be for in-house use or will be commercial. In either case, someone is paying someone else for developing the software. It might be possible that there are enough people who do want this that there is some money for development. A perfectly possible outcome is the creation of a consortium to hire some implementers who would make some gnu-ware. Such an organization does not exist. Until it does, an off-the-shelf OTP system won't exist. Eric
Physical security for pgp is also necessary if you store your pass phrase in memory. As far as modification goes, detection is good enough, but you'd better make sure your program to detect modifications is not itself compromised! (Does anybody detect an imminent arms race here?) Eric Hollander is correct. Ideally, your keys and your encryption mechanism should be kept secure. At some point in the future, a small card which contains all of this will be standard equipment, as well as a port to plug it into. Eric
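The modification detection Eric Hughes mentions, as an added example that is not part of the thread: a manifest of known-good SHA-256 digests is taken while the binaries are clean, and a later check reports any file that has been altered or removed, which is how a rigged crypt or pgp binary of the kind Pete describes would show up. The file names and the tampering scenario are constructed for the demonstration; the manifest and the checker itself have to live on media the intruder cannot write (the thread's "keep it off line"), or the checker can be rigged to lie.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths):
    """Record digests while the files are known to be clean."""
    return {p: sha256_file(p) for p in paths}


def verify(manifest):
    """Return {path: 'modified' | 'missing'} for every entry that is not intact."""
    problems = {}
    for path, expected in manifest.items():
        if not os.path.exists(path):
            problems[path] = "missing"
        elif sha256_file(path) != expected:
            problems[path] = "modified"
    return problems


def demo():
    """Constructed scenario: two stand-in 'binaries', one tampered with and one
    removed after the manifest was taken. Returns problems keyed by basename."""
    d = tempfile.mkdtemp()
    crypt = os.path.join(d, "crypt")
    pgp = os.path.join(d, "pgp")
    for p in (crypt, pgp):
        with open(p, "wb") as f:
            f.write(b"#!/bin/sh\necho original " + os.path.basename(p).encode() + b"\n")
    manifest = build_manifest([crypt, pgp])
    with open(crypt, "ab") as f:      # simulated trojaning of crypt
        f.write(b"# tampered\n")
    os.remove(pgp)                    # simulated removal of pgp
    return {os.path.basename(k): v for k, v in verify(manifest).items()}


if __name__ == "__main__":
    print(demo())
```

A clean manifest yields an empty result from verify, so any non-empty result is a signal worth investigating before trusting the binaries with a key.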
participants (4)
- Eric Hollander
- Eric Hughes
- George A. Gleason
- Peter Shipley