Prev: Cipher challenge
Next: Rolex Oyster Perpetual Cosmograph Daytona Mens Watch 116523-WDO Collection
From: Guy Macon on 13 Nov 2008 05:37 David Eather wrote: >So, 24hrs for everyone you intend to communicate with (using Brian's >suggestion for more efficient OTP use). Plus the time for all the >couriers etc. With the OTP split into many shares there is also the >growing risk that one of the shares will not be delivered, making the >OTP useless. > >That all seems a lot of work and risk, compared to exchanging a public >key and using a symmetric cipher. It certainly does. Good thing I have been saying that claims of insecurity and inconvenience in distributing a large OTP key rather than a small shared secret cipher key are overblown, and not saying that shared secret ciphers are in some way better than public key ciphers. If I ever find the fellow who believes the latter, I will be sure to send him to you. :) -- Guy Macon <http://www.GuyMacon.com/>
From: Guy Macon on 13 Nov 2008 05:38 Unruh wrote: > >Guy Macon <http://www.GuyMacon.com/> writes: > >>As for the "far more secure", Given the basic scheme of sending >>multiple OTP keys and XORing them at the end, sending at least >>one of the keys using public key encryption would make the key >>distribution mechanism at least as secure as simply using public >>key encryption would be, and certainly would make the chances of >>an attacker getting that key far lower that the one in a million >>used in the above calculation. > >Sure. It would make the total probability essentially the chance >of breaking the public key cypher. So why not send the message >that way? You appear to have missed the point of what I wrote. Nowhere did I say that the method described is better than just using PGP. My claim was narrow and specific: claims of insecurity and inconvenience in distributing a large OTP key rather than a small shared secret cipher key are overblown. I wrote that the task of distributing a 128 bit AES key pretty much has the same degree of security and convenience that sending an 8 gigabyte OTP key has. I stand by that statement. Unruh wrote: > >Guy Macon <http://www.GuyMacon.com/> writes: > >>Unruh wrote: >> >>>He then argues that the probability of anyone getting all 6 is low and you >>>are OK. But the probability of someone getting all 6 is surely far far >>>greater than the probability of someone guessing a private key for a >>>symmetric cypher, or getting say an AES key via exhaustive search. > >>Hmmm. Is it really? > >>Let's assume a 1 in a million chance of getting each key. That's >>6 times 20 bits, or 120 bits. Not too far from the AES-128 keysize. >>Even if we assume a one in 16,384 chance for each, the more-secure >>9-key scheme that I discussed in the same post would be 9 times 14 >>bits -- 126 bits. > >This reminds me of the Drake equation. Multiply a bunch of totally unknown >probabilities together and then declare the answer as cast in stone and >correct.("I have no idea what the probability of life arising on a planet >the same temperature distance from a star as the earth is, so because I >have no idea, that probability must be about 1/2--- OOOh look how probably >life on other planets is ") You are confusing things that have totally unknown probabilities with things where we can set a lower and upper bound on the odds. >I would estimate the probability of getting each key for a >determined attacker as 1/10 not 1/1000000. What does that >do to your estimate? It calls into question your estimating ability. Consider: I send key 1 through a library computer using PGP encrypted email. I send key 2 through a computer at an Internet cafe. This time I use stego to hide it in a series of porns that I put up in a binaries Usenet newsgroup. I send key 3 through my home computer using TOR, and I run a TOR node from my house. I send key 4 by US mail by walking it into a post office 20 miles from where I live and sending it to PO box at at the destination city. It is a USB thumb drive that I concealed inside a RC race car toy. For the odds of interception to be 1 in 10, someone would have to intercept 10% of all US mail and tear apart every toy they find. Key 5 goes by FedEx from another nearby city to a private "mailboxes R us" box and the key is hidden in the slack space of a laptop computer. For the odds of interception to be 1 in 10, someone would have to intercept 10% of all FedEx shipments *and* figure out that the data is there. Key 6 goes by UPS, to general pickup at a UPS store in the destination city and is in the unused portions of some DVDs with family photos on them. Key 7 goes by a courier service on a DVD labeled "Patent Infringement lawsuit data" My brother hand-delivers key 8, which I put inside a cake. Key 9 is delivered by one of my employees embedded in a prototype. For the odds of interception to be 1 in 10, someone would have to open 10% of all US mail, FedEx, and UPS shipments, have a 10% chance of compromising a courier service employee, my employee and my brother, be able to intercept 10% of all PGP emails and TOR connections, and watch 10% of all Internet cafes in Los Angeles 24/7 to catch me going in to one. Or maybe all Starbucks Wi-Fi points -- I might use one of those. And even if the attacker did achieve a 1 in 10 chance for each key, he has a one in a million chance of getting all nine. Far easier to simply grab me off the street and beat my secrets out of me. -- Guy Macon <http://www.GuyMacon.com/>
From: Unruh on 13 Nov 2008 09:37 Guy Macon <http://www.GuyMacon.com/> writes: >Unruh wrote: >> >>Guy Macon <http://www.GuyMacon.com/> writes: >> >>>As for the "far more secure", Given the basic scheme of sending >>>multiple OTP keys and XORing them at the end, sending at least >>>one of the keys using public key encryption would make the key >>>distribution mechanism at least as secure as simply using public >>>key encryption would be, and certainly would make the chances of >>>an attacker getting that key far lower that the one in a million >>>used in the above calculation. >> >>Sure. It would make the total probability essentially the chance >>of breaking the public key cypher. So why not send the message >>that way? >You appear to have missed the point of what I wrote. Nowhere >did I say that the method described is better than just using >PGP. My claim was narrow and specific: claims of insecurity >and inconvenience in distributing a large OTP key rather than >a small shared secret cipher key are overblown. I wrote that the >task of distributing a 128 bit AES key pretty much has the same >degree of security and convenience that sending an 8 gigabyte >OTP key has. I stand by that statement. Except that one only ever has to do it once, not suddenly have to do it again because the 8GB is used up-- at a most critical juncture. And no matter what you say, 128 bits is easier to distribute than is 8GB. It can be snuck in in places where 8GB would stick out. (It is like saying that mosquito is as easy or hard to ship as an elephant-- on one level of abstraction, yes, in reality, no) Eg, say you are a movie distributor sending the latest Bond film to all the movie theatres. Are you seriously advocating OTP as just as easy and secure and AES for getting the film to the theatres ( Here you are in the 100GB realm--for each film you send!) >Unruh wrote: >> >>Guy Macon <http://www.GuyMacon.com/> writes: >> >>>Unruh wrote: >>> >>>>He then argues that the probability of anyone getting all 6 is low and you >>>>are OK. But the probability of someone getting all 6 is surely far far >>>>greater than the probability of someone guessing a private key for a >>>>symmetric cypher, or getting say an AES key via exhaustive search. >> >>>Hmmm. Is it really? >> >>>Let's assume a 1 in a million chance of getting each key. That's >>>6 times 20 bits, or 120 bits. Not too far from the AES-128 keysize. >>>Even if we assume a one in 16,384 chance for each, the more-secure >>>9-key scheme that I discussed in the same post would be 9 times 14 >>>bits -- 126 bits. >> >>This reminds me of the Drake equation. Multiply a bunch of totally unknown >>probabilities together and then declare the answer as cast in stone and >>correct.("I have no idea what the probability of life arising on a planet >>the same temperature distance from a star as the earth is, so because I >>have no idea, that probability must be about 1/2--- OOOh look how probably >>life on other planets is ") >You are confusing things that have totally unknown probabilities >with things where we can set a lower and upper bound on the odds. >>I would estimate the probability of getting each key for a >>determined attacker as 1/10 not 1/1000000. What does that >>do to your estimate? >It calls into question your estimating ability. Consider: >I send key 1 through a library computer using PGP >encrypted email. >I send key 2 through a computer at an Internet cafe. >This time I use stego to hide it in a series of porns >that I put up in a binaries Usenet newsgroup. >I send key 3 through my home computer using TOR, and I >run a TOR node from my house. >I send key 4 by US mail by walking it into a post office >20 miles from where I live and sending it to PO box at >at the destination city. It is a USB thumb drive that >I concealed inside a RC race car toy. For the odds of >interception to be 1 in 10, someone would have to intercept >10% of all US mail and tear apart every toy they find. >Key 5 goes by FedEx from another nearby city to a private >"mailboxes R us" box and the key is hidden in the slack >space of a laptop computer. For the odds of interception >to be 1 in 10, someone would have to intercept 10% of all >FedEx shipments *and* figure out that the data is there. >Key 6 goes by UPS, to general pickup at a UPS store in >the destination city and is in the unused portions >of some DVDs with family photos on them. >Key 7 goes by a courier service on a DVD labeled "Patent >Infringement lawsuit data" >My brother hand-delivers key 8, which I put inside a cake. >Key 9 is delivered by one of my employees embedded in a >prototype. >For the odds of interception to be 1 in 10, someone would >have to open 10% of all US mail, FedEx, and UPS shipments, >have a 10% chance of compromising a courier service employee, >my employee and my brother, be able to intercept 10% of all >PGP emails and TOR connections, and watch 10% of all Internet >cafes in Los Angeles 24/7 to catch me going in to one. Or maybe >all Starbucks Wi-Fi points -- I might use one of those. >And even if the attacker did achieve a 1 in 10 chance for >each key, he has a one in a million chance of getting all nine. >Far easier to simply grab me off the street and beat my >secrets out of me. >-- >Guy Macon ><http://www.GuyMacon.com/>
From: Guy Macon on 13 Nov 2008 12:37 Unruh wrote: > >Guy Macon <http://www.GuyMacon.com/> writes: > >>The task of distributing a 128 bit AES key pretty much has >>the same degree of security and convenience that sending an >>8 gigabyte OTP key has. > >Except that one only ever has to do it once, not suddenly have to do it >again because the 8GB is used up -- at a most critical juncture. I don't know about you, but I personally am able to count up how much of a key has been used so I don't "suddenly have to do it again." >And no matter what you say, 128 bits is easier to distribute than is 8GB. The difference is slight in today's world. >It can be snuck in in places where 8GB would stick out. That's security by obscurity. Security comes from the attacker not having the key, not from the attacker having the key and not knowing what he has. >(It is like saying that mosquito is as easy or hard to ship as >an elephant -- on one level of abstraction, yes, in reality, no) If the only available boxes are big enough to hold an elephant and both weigh the same, then yes, a mosquito *is* as easy or hard to ship as an elephant. The smallest physical data storage device in common use is the Micro-SD card, and it is *exactly* as hard to distribute by mail or courier when it has 8GB of data in it as it is when it has 128 bits of data in it. Sending an 8GB file over a fast connection is slightly more difficult/inconvenient than sending a 128 bit file, but both are far easier than hiring the courier or even mailing the box is. >Eg, say you are a movie distributor sending the latest Bond film >to all the movie theatres. Are you seriously advocating OTP as >just as easy and secure and AES for getting the film to the >theatres ( Here you are in the 100GB realm--for each film you send!) My assertion was clearly written: | My claim was narrow and specific: claims of insecurity and | inconvenience in distributing a large OTP key rather than a | small shared secret cipher key are overblown. I wrote that | the task of distributing a 128 bit AES key pretty much has | the same degree of security and convenience that sending an | 8 gigabyte OTP key has. I stand by that statement. If you wish me to answer a different question such as "does the task of distributing 128 bit AES keys have pretty much the same degree of security and convenience that sending thousands of different OTP keys each containing 100s of GBs?" I can answer that as well, but it is a different question. For film distribution, the task of distributing 128-bit AES keys is reasonably close to having the same degree of security and convenience that sending OTP keys has. The two aren't as close as is the case with far smaller datasets, but they are still reasonably close. A high-end digital projector costs around $70,000, and is very likely to become obsolete in a few years. It costs around $1,000 to create a single film print for the existing optical projectors. The studios are currently giving away the projectors and charging a virtual print fee of $800 per digital print to cover the cost of the projector, Internet connection, etc. Needless to say, they are very interested in making it so that it only shows on that projector and does not end up unencrypted on The Pirate Bay. Given the above economics, the cost of shipping a 128-bit AES key embedded in the electronics of each projector isn't all that much more difficult than shipping an OTP key big enough to handle ten years worth of films embedded in the electronics of each projector. It might even be a selling point that such a large chunk of data is harder for the pirates to steal. I stand by my assertion that claims of insecurity and inconvenience associated with distributing a large OTP key rather than a small shared secret cipher key are overblown. -- Guy Macon <http://www.GuyMacon.com/>
From: Kristian Gj�steen on 13 Nov 2008 14:11
Guy Macon <http://www.GuyMacon.com/> wrote: >Given the above economics, the cost of shipping a 128-bit AES >key embedded in the electronics of each projector isn't all >that much more difficult than shipping an OTP key big enough >to handle ten years worth of films embedded in the electronics >of each projector. I mean, wow! Care to show your work? On might also ask how you intend to keep all those gigabytes secure inside the box? Compared to that 128-bit thingy... >I stand by my assertion that claims of insecurity and >inconvenience associated with distributing a large OTP key >rather than a small shared secret cipher key are overblown. Yeah, yeah. I know which problem I'd rather face... -- Kristian Gj�steen |