Welcome to European Tribune. It's gone a bit quiet around here these days, but it's still going.
Display:
Some of the most widely used encryption methods might be broken within a couple of years:

Math Advances Raise the Prospect of an Internet Security Crisis | MIT Technology Review

Alex Stamos, chief technology officer of the online security company Artemis, led a presentation describing how he and three other security researchers studied recent publications from the insular world of academic cryptopgraphy research, which covers trends in attacking common encryption schemes.

"Our conclusion is there is a small but definite chance that RSA and classic Diffie-Hellman will not be usable for encryption purposes in four to five years," said Stamos, referring to the two most commonly used encryption methods.

RSA and Diffie-Hellman encryption are both underpinned by a mathematical challenge known as the discrete logarithm problem. That problem is computationally difficult to solve, ensuring that encrypted data can only be decoded quickly with knowledge of the secret key used to encode it in the first place. Breaking RSA or Diffie-Hellman encryption today requires using vast computing resources for significant periods of time.

However, it is possible that algorithms able to solve the discrete logarithm problem quickly could exist. "We rely on that efficient algorithm not being found," said Jarved Samuel, a cryptographer who works for security consultancy ISEC Partners and presented alongside Stamos. "If it is found the cryptosystem is broken."

The next cryptography frontier is supposed to be  elliptic curve cryptography (ECC). The kicker?

Math Advances Raise the Prospect of an Internet Security Crisis | MIT Technology Review

The U.S. National Security Agency has for years recommended ECC as the most reliable cryptographic protection available. In 2005 the agency released a toolkit called SuiteB featuring encryption algorithms to be used to protect government information. SuiteB makes use of ECC and eschews RSA and Diffie-Hellman. A classified encryption toolkit, SuiteA, is used internally by the NSA and is also believed to be based on ECC.
by Bernard on Fri Aug 16th, 2013 at 03:25:06 PM EST
Been thinking about this, and I am coming to the conclusion that the difficulties of one time pads are bloody well overstated.

Who here has a USBdongle from their bank? A code card? Some physical item supposed to help with the security of your ebanking needs? That item might as well be a read-once memory stick. Heck, if I am reading traffic use right, you could encode your world of warcraft account in this way with approximately the same amount of hassle as is currently expended protecting those accounts. Except this would be guaranteed to actually work against all hacking strategies short of "Break into your place, steal your hardware".

by Thomas on Fri Aug 16th, 2013 at 03:58:13 PM EST
[ Parent ]
Three requirements for One Time Pads are:

  1.  Truly Random Key
  2.  Key as long as the message
  3.  Key is never used again

Assuming the three part computer system I described above (for operational security) the only problem is the first.  Turns out it's only possible to derive an algorithm capable of computing a pseudo-random number, at some point every algorithm cycles back to the beginning. Thus, any practical implementation is not mathematically 'complete' but it doesn't really matter.  Practical systems use a pseudo-random seed value - say the current barometric pressure divided by the current temperature times the second through ninth numbers in the mantissa of the current time - fed into a Good Enough pseudo-random number generator for the key.  

She believed in nothing; only her skepticism kept her from being an atheist. -- Jean-Paul Sartre
by ATinNM on Sat Aug 17th, 2013 at 11:27:16 AM EST
[ Parent ]
No. So much no.
by Colman (colman at eurotrib.com) on Sat Aug 17th, 2013 at 02:53:37 PM EST
[ Parent ]
... take an Geiger counter. point it at a rock.  Pseudo-random number generators are for people scared of soldering wire.
by Thomas on Sat Aug 17th, 2013 at 03:00:31 PM EST
[ Parent ]
If the NSA cracks that, they deserve a nobel for proving the simulation hypothesis.
by Thomas on Sat Aug 17th, 2013 at 03:02:27 PM EST
[ Parent ]
but the problem is even then key delivery isn't trivial. you may have generated the perfect random key, but yoy still have to get it to both ends of the chain, without it being intercepted

Any idiot can face a crisis - it's day to day living that wears you out.
by ceebs (ceebs (at) eurotrib (dot) com) on Sat Aug 17th, 2013 at 09:20:30 PM EST
[ Parent ]
That's where covert and indirect methods are so useful.

You can hide information in anything - Tweets, Amazon feedback, EBay bids, blog comments, lolcat pics, videos, porn, banner ads, the time a given IP address reloads a web page.

Etc.

You don't even have to use steganography. Like email, it just happens to be convenient.

As long as you can agree a code, you can exchange your key using pretty much any traffic on the Internet.

by ThatBritGuy (thatbritguy (at) googlemail.com) on Sat Aug 17th, 2013 at 10:18:32 PM EST
[ Parent ]
For any common purpose key delivery is trivial. This is the electronic era - there is no reason not to make the pad very large, and at some point in time you are very, very likely to have met anyone you wish to communicate securely with in meat-space. Ebanking? pick it up when you set up your account. Corporate networks? HR can hand it over when you are hired/promoted. It isnt like you have to constantly get new keys! A single memory stick pair will cover all your traffic needs for life.. or at least until you forget to take it out of your pockets before washing.
by Thomas on Sun Aug 18th, 2013 at 07:02:57 AM EST
[ Parent ]
Sending a key over the net would be very stupid, however. The entire point is that you do not let anyone see the key twice. Which means delivery has to be physical.
by Thomas on Sun Aug 18th, 2013 at 07:04:47 AM EST
[ Parent ]
Fine, but if I deal with people all over the world, do I have to visit all of them? am I going to end up with a memory stick from every one? I'm sure it would fail on Practicality

Any idiot can face a crisis - it's day to day living that wears you out.
by ceebs (ceebs (at) eurotrib (dot) com) on Mon Aug 19th, 2013 at 07:57:50 AM EST
[ Parent ]
oh, that is easy, also. Oldest known security trick will work for this.
Take USB stick. Mold a clay figure or tablet around it. Sunbake it. -it does not have to be a pretty figurine - in fact, it kind of helps if it is not, harder to copy.  Mail it. Email a photo. Have the recipient compare before smashing. But yhea, you will need a pad for everyone you want secure communications with.
by Thomas on Mon Aug 19th, 2013 at 02:19:38 PM EST
[ Parent ]
Point of this isnt that a clay figurine could not be duplicated. The point is that it would take long enough to do so with sufficient accuracy that the recipient should notice the delay.
by Thomas on Mon Aug 19th, 2013 at 02:22:35 PM EST
[ Parent ]
I know you live in Denmark, so I am forced to assume that it has been a while since you last sent anything in the mail...

- Jake

Friends come and go. Enemies accumulate.

by JakeS (JangoSierra 'at' gmail 'dot' com) on Mon Aug 19th, 2013 at 04:28:33 PM EST
[ Parent ]
Take USB stick. Mold a clay figure or tablet around it. Sunbake it.

This assumes that no packages are X-rayed. But a hollow metal object with an opening that looks like a mold mark might work. Insert data stick, fill remainder of cavity with a metal filled clay, solder the opening shut, grind and polish that surface and glue felt over it as a base. Just don't use a falcon.

A cast or formed metal brass or pewter decorative paper weight would do fine -- unless the authorities became suspicious of the sender or recipient, as acoustic or even more sophisticated inspection might be used. A Dremel tool would suffice to open the base in the appropriate place. If one desired to reuse the object just have a back piece that is soldered around the entire bottom edge. But this is getting to be non trivial.  

"It is not necessary to have hope in order to persevere."

by ARGeezer (ARGeezer a in a circle eurotrib daught com) on Mon Aug 19th, 2013 at 05:51:20 PM EST
[ Parent ]
perhaps deep down it's a government scheme to get people using the post again to drive the price up for privatisation

Any idiot can face a crisis - it's day to day living that wears you out.
by ceebs (ceebs (at) eurotrib (dot) com) on Mon Aug 19th, 2013 at 07:12:47 PM EST
[ Parent ]
The other two are also trivial - Again, assuming you do not have a strange hardon for securely encrypted video chat or life logging, a read-once memory stick covering decades of use would cost pocket change.

.. If you insist on securely locked down lifelogs (.. and the police and security might have good uses for that) it is still trivial, only now you have to actually get new keys once a month or so.

by Thomas on Sat Aug 17th, 2013 at 03:07:34 PM EST
[ Parent ]

Display:

Top Diaries

Occasional Series