worldwide announce: New OTP Mail/FTP apps
A company in Israel named Elementrix has just announce at Interop an entirely new paradigm in secure transactions. They have a secure one time pad that allows people to exchange mail and ftp files back in forth in complete security without the worries of key management or storage or secure random number generation or synchronization. In the words of Winn Schwartau: "This really fucks with your brain" Both he and David Kahn have gotten information out of non-disclosure, as well as several other un-named experts in cryptography about the nature of this new development. They were astounded and have provided assurances as to its authenticity and ability to work as advertised. So far they have no released the complete protocol, but plan to do so as soon as the Patent issues pending in several countries have been resolved. The protocol will be completely published and subject to scrutiny by everybody. To me it looks like it would be trivial for them to integrate it into any and all kinds of browsers, clients and applications. Of course, I do not have a complete knowledge of the entire protocol, but the brief overview was simple enough to understand in concept. If it can work in FTP, it can surely work in telnet as well, it's just a different front end over a TCP/IP connection. I realize that there will be those out there on this list who will immediately dismiss this as a hoax, as would have I had I not seen it operate with my own eyes, and sat through the conference. It was a case of serendipity for me, showing up at the booth and getting an invite to the press conference on the one day I decided to attend Networld/Interop. It works something like this: (I may not have it completely right, but this is what I understood of the broken English of the man without the microphone) A third party generates random numbers, or one of the two communicating parties. The numbers do not have to be secret. There is also a published table of mappings.. Something like, a number, and an operation.. 1 -> add 23 2 -> add 21 3 -> add 40 4 -> add 57 90 -> sub 23 One initial connection is all that is needed to have a secure connection for the lifetime of the two communicating parties. This initial connection can be accomplished via any number of ways. It does involve an initial one time only shared secret. This is much different than the many shared secrets and key management issues of private and public key systems. For the initial connection you can stick the machines back to back if you are really worried about security. This initial transaction serves as a seed for subsequent transactions. All subsequent transactions depend on preceding transactions. A degree of randomness comes from the randomness of the messages. Each next word in the message is random. (the argument goes like this: If you already know what the next word in the message is, there is no point in sending the message in the first place, because you know what all the words in the message are.) This imparts some degree of randomness, as no two beings will have an entire conversation over their lives the same as their conversation with anybody else: similar arguments can be applied to file transfers. After the initial exchange every message sent subsequently gets randomized from the previous randomness of the messages plus something in the table. If somebody else makes an exact copy of your machine, and sends a message as you, then you can no longer send messages to the other party as you are out of sync, and an Intruder alert is flagged if you do try to send a message. Then you and the foreign party can resynchronize. This new state is the basis for new messages. Argument: "That's fine, but how to I communicate securely with someone over the Internet with email that I'm not able to setup a secure channel with." Apparently each distribution disk is encoded with a unique ID and some kind of unique (and as yet undisclosed table and algorithm). This table allows the two parties to somehow setup a secure session and send mail. This does not solve authentication problems. If somebody steals your disk and sends mail to someone, they can appear to be you (or anybody). However, the minute you try to send mail to that same person, there is state on the remote machine with the imposter that you do not possess that flags an intruder problem, and new negotiations can begin. However, snoopers of the original message will still be unable to decode the one time pad. Winn Schwartau and Dr. David Karn have both signed non-disclosure and both made announcements to the affect that it does work as advertised. Also, it is not strictly random numbers in the traditional sense. It relies on the fact that the message is composed of a random series of words to create the one time pad. However, the one time pad does not repeat itself due to the continuing diversity of subsequent messages. They have reviewed the math and the algorithms and stated that it's a completely new way to think about cryptography, and the math is valid. Usability: point and click.. Click on the little lock button and the message is encrypted on the fly. The mail browser decrypts the message on the fly. After it is decrypted it is stored on the hard drive in plain text. (As it would have to be, unless you encrypt it with some conventional secret-key algorithm like DES or IDEA). This is fine as they say you have to have some degree of physical security anyway, and this is only to protect you on the networks in between the two machines. I'm inclined to agree. Notes: It's fast!! I'm just telling you what I heard. I have no idea how or what is stored as state information if anything. (part of the currently undisclosed algorithm). I was very skeptical at first, but have affected cautious optimism at this point. (until it is published). I just have a couple things to add. If it's true and works as advertised, we're in for a real treat, and the NSA and FBI are going to be really upset. :) Those drug smugglers and kiddie porn pushers are going to be immune to network wire taps. Next step: illegal algorithms, illegal XOR. ;)
Doug Hughes <Doug.Hughes@Eng.Auburn.EDU> writes: you are really worried about security. This initial transaction serves as a seed for subsequent transactions. All subsequent transactions depend on preceding transactions. A degree of randomness comes from the randomness of the messages. Each next word in the message is random.
After the initial exchange every message sent subsequently gets randomized from the previous randomness of the messages plus something in the table.
OK, you expected this, but here goes anyway. This isn't a one time pad because the "randomness" isn't really random -- it depends on a bunch of plaintext. Technically from your description this looks like a plaintext autokey system. A true OTP requires honest to goodness physically random key material for the pad. It may be quite strong, but it just doesn't fit the definition. Sigh. People keep throwing OTP around because it's the only known perfect system -- until we get quantum crypto, I suppose -- but few companies actually want to go to the trouble to implement the real thing. And with good reason -- it's a nuisance to do secure exchanges on the keying material. Jim Gillogly Sterday, 8 Winterfilth S.R. 1995, 01:41
One initial connection is all that is needed to have a secure connection for the lifetime of the two communicating parties. This initial connection can be accomplished via any number of ways. It does involve an initial one time only shared secret. This is much different than the many shared secrets and key management issues of private and public key systems. For the initial connection you can stick the machines back to back if you are really worried about security. This initial transaction serves as a seed for subsequent transactions. All subsequent transactions depend on preceding transactions. A degree of randomness comes from the randomness of the messages. Each next word in the message is random.
I'm a little new to this, but I thought the whole idea behind keys was not having to whisper "secrets" to someone on the other side of a crowded mall. Most people don't have the luxary of connecting their computers back to back with someone on the other side of the world just to ensure a secure communications path. Ther would have to be some mechnisms to ensure that secure delivery of your "secret", and that brings us back to key management, so the whole thing is rather self defeating. Christopher
One initial connection is all that is needed to have a secure connection for the lifetime of the two communicating parties. This initial connection can be accomplished via any number of ways. It does involve an initial one time only shared secret. This is much different than the many shared secrets and key management issues of private and public key systems. For the initial connection you can stick the machines back to back if you are really worried about security. This initial transaction serves as a seed for subsequent transactions. All subsequent transactions depend on preceding transactions. A degree of randomness comes from the randomness of the messages. Each next word in the message is random.
I'm a little new to this, but I thought the whole idea behind keys was not having to whisper "secrets" to someone on the other side of a crowded mall. Most people don't have the luxary of connecting their computers back to back with someone on the other side of the world just to ensure a secure communications path. Ther would have to be some mechnisms to ensure that secure delivery of your "secret", and that brings us back to key management, so the whole thing is rather self defeating.
Christopher
Remember, that's only one of the options for the truly paranoid. If you want, you can just use their (for now secret) keying implementation on the floppy disk for the first exchange. I feel a little uncomfortable with this at the moment (as I'm sure do most of the other readers). The algorithm, once revealed should be a very interesting read. However, this does not bring us back to key management in the sense of traditional public or private cryptosystems. Since the entire communication hinges on the first successful exchange, this is the exchange where they key is most critical. I believe they have an option for entering a secret key (initialization vector it seems) as well. So, presumable you could call somebody on the phone, or send them a PGP message, or whatever, to exchange this initial key. It still seems to me that once this initial communication is out of the way, that the product will work fairly well. I see it as an excellent way, in our situation, to provide remote professors and students secure communication paths to our network in the future (hinging on the development of some kind of telnet client). I rather think that the whole public/private key thing is self-defeating... computers get more powerful, key gets hacked... key size increases.. etc.. etc.. This sounds like a novel alternative. People interested in non-disclosure analsysis may wish to contact the company. Elementrix: 212-888-8879, 850 Third Avenue NY, NY 10022 (North America office) I'm not sure what, if any, real cryptanalysis has been done on this. David Kahn himself admitted he wasn't an expert cryptanalyst. I don't know if anybody has done any in depth review or subjected it to differential cryptanalysis of any kind. It seems to be a OTP/stream cipher of some kind.. subsequent number depending on previous numbers. I don't know if its possible to prove that the sequence will never repeat, having not seen the algorithm. But if it did not, it would seem to be strong enough. Too many questions, too few answers. -- ____________________________________________________________________________ Doug Hughes Engineering Network Services System/Net Admin Auburn University doug@eng.auburn.edu Apple T-shirt on Win95 - "Been there, done that"
Doug Hughes <Doug.Hughes@Eng.Auburn.EDU> writes: It seems to be a OTP/stream cipher of some kind.. subsequent number depending on previous numbers. I don't know if its possible to prove that the sequence will never repeat, having not seen the algorithm. But if it did not, it would seem to be strong enough. Too many questions, too few answers.
It does seem to be a stream cipher of some kind. Subsequent numbers depending on previous numbers means that it's an autokey cipher. That most assuredly does <not> make it a one time pad, no matter whether it ever repeats or not (which it presumably wouldn't). Here's an easy way to demonstrate that the strength of this system is less than a one time pad. Let's give the attacker all the breaks: he knows the initial secret key, he has watched the key exchange from both sides by monitoring all keystrokes, and has access to all the keying information and plaintext and ciphertext that has happened from day 0 until now, day 30, but none of the plaintext or other keying information thereafter. Case one: the system you're flogging. He can keep reading the mail. Case two: a true one time pad. He immediately loses touch with the system as soon as they go to the first unknown byte of the one time pad. I sympathize with their desire to call it a one time pad, since that has obvious marketing cachet. But it isn't -- can't they simply say they think it's a nice strong cipher? Jim Gillogly Sterday, 8 Winterfilth S.R. 1995, 22:21
participants (3)
-
Christopher J. Shaulis -
Doug Hughes -
Jim Gillogly