Messages - lpwaterhouse

#1
You're thinking of Dual_EC_DRBG, which has nothing to do with AES. The NSA only reviewed and approved the AES candidate algorithms; they did not have a direct hand in them as they did with DES (where they secretly made it more secure) or Dual_EC_DRBG (deliberately sabotaged as part of "Bullrun").

As for 128 vs. 256, the one concern is that 256 seems to be slightly weaker (though FAR from broken) against related-key attacks, but given its much greater strength overall I'm not worried by that. Both options are sensible; I go with 256 if speed is not a major concern.

If I HAD to pick an alternative today I'd go for ChaCha20 (a stream cipher, so not fully comparable), Serpent or Twofish (in descending order of preference), but for the moment I trust AES. Much of that is of course personal preference and gut feeling, but I read the relevant papers too ;-)
#2
Hi,

I just discovered the YouTube channel and the OTP video drew me here. I'm a bit of a cryptology nerd and want to chime in on some of the commonly glossed-over details, misconceptions, etc. that are nonetheless surprisingly vital in keeping your communication secret, especially regarding the perfect secrecy of OTPs (which is _far_ more impractical than most people assume). Gil does mention all of the problems, but I think they bear pointing out even more explicitly:

While it is true that a properly generated one-time pad is information-theoretically perfectly secure, the devil is in the details of that "properly generated". The perfect security ONLY applies when a source of actual, physical randomness is used, with proper precautions to eliminate biases, etc. The problem is that it is very hard to be sure your source _is_ actually random (generally nuclear decay, thermal (Johnson-Nyquist) noise, avalanche diodes or the last bit of a microsecond time difference between keystrokes are usually considered "good, as far as we know"). If instead you use any kind of pseudo-random number generator [PRNG] (e.g. /dev/random, rand(), that Fourmilab site, etc.) then the security guarantees drop from "perfect" to that of an ordinary stream cipher (in fact "adding/XORing with an algorithmically generated key-stream" is a definition of stream cipher), subject to the quality of the PRNG, but always lower than "perfect". Some such PRNGs are "cryptographically secure" [CPRNG], meaning that while they aren't "perfect" we _currently_ know no way of breaking them. The majority of PRNGs, however, are utterly unsuitable for cryptographic purposes; they were designed for statistical properties instead.

So, if you truly want to approach the perfect security of the OTP you MUST use a hardware or "true" RNG [TRNG], and pay attention to whether the cryptographic community considers that particular design "good, as far as we know". Some possible options are http://moonbase.tictail.com/ or https://www.tindie.com/products/WaywardGeek/infinite-noise-true-random-number-generator/.

If you have no access to a TRNG (or you realize that "perfect" is the enemy of "good enough") then you are probably better off using an established cryptographic algorithm, because they a) are likely equal to or better than anything you can assemble with a PRNG, even if cryptographically secure, and b) don't share the major drawback of OTPs (or rather: pre-shared key-streams), namely having to _securely_ share a "pad" with the recipient ahead of time that is at least as long as all messages you ever intend to exchange concatenated (the only advantage of this over communicating securely directly is that it can be shared ahead of time, when circumstances can make it easier, e.g. face to face). There is a good reason even governments/spy agencies don't often use OTPs: exchanging and storing that much highly sensitive "pad" is truly difficult (and then you still have to be extremely careful in using it correctly, or you can easily make non-obvious mistakes that render your encryption surprisingly weak; read up on the "Venona project" for when that happened to the Soviet Union. For example: NEVER EVER repeat the pad! One repetition IS enough to break it, relatively easily even!)

So, what if you only need "good enough"? Meaning something that, according to current research (publicly available only, of course...) would either take longer than the expected lifetime of the universe to break, or something that only needs to be secure against non-government adversaries, like your neighbors?

Your best bet is well-established and internationally vetted systems, preferably using public-key algorithms (so you don't even have to exchange the key, which is relatively short compared to an OTP, securely), for example RSA with AES.

But those of course require computers and access to cryptographic software (something that many governments consider restricting from time to time...), so you want something that can either be programmed from memory or works without any computer at all, "in the field". I suggest having a look at these two options in particular:

- CipherSaber-2 (http://ciphersaber.gurus.org/) using RC4, an easily memorizable algorithm that most programmers can code in a few minutes, with practice. RC4 itself is considered insecure against determined and knowledgeable adversaries, though the modification in CipherSaber-_2_ is likely to alleviate that somewhat. In a SHTF (as opposed to an Orwellian) scenario I wouldn't hesitate to use it.

- Solitaire (https://www.schneier.com/academic/solitaire/), also known as "Pontifex" (in the "Cryptonomicon" Gil mentioned), which works without a computer, using an inconspicuous deck of playing cards. Not much research seems to have gone into the security of Solitaire (though its designer is a respected cryptographer), but its construction suggests it may be vulnerable to the same kind of attacks as RC4. Still: certainly good enough against your neighbors. Try it (the password is "GL", which is too short for real use, and I'm not using the optional keying step of setting the Jokers): "LEZVJ RUQLK BCTED"

And last, but not least: in case you want to learn some cryptanalysis and break some ciphers (including a few used by the US Army in WW2), have a look at https://www.mysterytwisterc3.org/en/. It can be quite eye-opening...

Regards,
Lawrence
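The pad-reuse point made in the post above ("one repetition IS enough"), as an added illustration that is not part of the original post: XORing two ciphertexts made with the same pad cancels the pad and leaves p1 XOR p2, so knowing or guessing one message reveals the other. The messages and pad are constructed for the demo.

```python
import os

def otp_xor(data: bytes, pad: bytes) -> bytes:
    # OTP encryption and decryption are the same operation: XOR with the pad.
    # The pad must be at least as long as the data, truly random, and used exactly once.
    if len(pad) < len(data):
        raise ValueError("pad shorter than message; an OTP needs one pad byte per message byte")
    return bytes(d ^ p for d, p in zip(data, pad))

def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    # Two ciphertexts under the SAME pad: c1 XOR c2 == p1 XOR p2, the pad cancels out.
    # An observer gets this with no key at all, which is why a pad must never be repeated.
    return bytes(a ^ b for a, b in zip(c1, c2))

def recover_other(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    # With one plaintext known or guessed, the other falls out of the leak directly.
    return otp_xor(reuse_leak(c1, c2), known_p1)

# Constructed sample messages of equal length (not from the post).
P1 = b"MEET AT THE OLD MILL AT NOON"
P2 = b"BRING THE DOCUMENTS WITH YOU"

def demo():
    # os.urandom is the OS CSPRNG, not a true RNG: fine for the demonstration, but the
    # post's point stands that only a TRNG pad gives information-theoretic security.
    pad = os.urandom(len(P1))
    c1 = otp_xor(P1, pad)
    c2 = otp_xor(P2, pad)          # the mistake: same pad used twice
    leaked = reuse_leak(c1, c2)
    return leaked == otp_xor(P1, P2), recover_other(c1, c2, P1) == P2
```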
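The Solitaire cipher from the post above, as an added implementation written here (not the post's or Schneier's own code), following Schneier's published description: a 54-card deck, joker moves, triple cut, count cut, and passphrase keying without the optional joker-setting step, which is exactly the setup the post says it used. `solve_challenge()` decrypts the post's sample ciphertext with its stated password "GL"; the function names are this example's own.

```python
JOKER_A, JOKER_B = 53, 54   # both jokers count as 53 when used as a number

def _move_down(deck, card, steps):
    # Move a joker down; the deck is circular, so from the bottom it goes just below the top card.
    for _ in range(steps):
        i = deck.index(card)
        if i == len(deck) - 1:
            deck.insert(1, deck.pop())
        else:
            deck[i], deck[i + 1] = deck[i + 1], deck[i]

def _round(deck):
    # Steps 1-4: joker A down one, joker B down two, triple cut, count cut on the bottom card.
    _move_down(deck, JOKER_A, 1)
    _move_down(deck, JOKER_B, 2)
    j1, j2 = sorted((deck.index(JOKER_A), deck.index(JOKER_B)))
    deck[:] = deck[j2 + 1:] + deck[j1:j2 + 1] + deck[:j1]
    c = min(deck[-1], 53)
    deck[:] = deck[c:-1] + deck[:c] + deck[-1:]

def keyed_deck(passphrase):
    # Passphrase keying: one round per letter, then a count cut by that letter's value (A=1..Z=26).
    deck = list(range(1, 55))  # clubs 1-13, diamonds, hearts, spades 40-52, joker A, joker B
    for ch in passphrase.upper():
        if ch.isalpha():
            _round(deck)
            c = ord(ch) - 64
            deck[:] = deck[c:-1] + deck[:c] + deck[-1:]
    return deck

def keystream(deck, n):
    deck = list(deck)
    out = []
    while len(out) < n:
        _round(deck)
        card = deck[min(deck[0], 53)]   # step 5: count down by the top card, take the next card
        if card not in (JOKER_A, JOKER_B):  # a joker yields no output; run the round again
            out.append(card)
    return out

def crypt(text, passphrase, decrypt=False):
    letters = [c for c in text.upper() if c.isalpha()]
    ks = keystream(keyed_deck(passphrase), len(letters))
    sign = -1 if decrypt else 1
    return "".join(chr((ord(p) - 65 + sign * k) % 26 + 65) for p, k in zip(letters, ks))

def solve_challenge():
    # The post's sample ciphertext and its stated password.
    return crypt("LEZVJ RUQLK BCTED", "GL", decrypt=True)
```

With an unkeyed deck the first outputs are 4 49 10 24 8 and fifteen "A"s encrypt to EXKYI ZSGEH UNTIQ, which is Schneier's published test vector.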