[vox-tech] Which cipher to use?

Micah Cowan vox-tech@lists.lugod.org
Tue, 4 Jun 2002 23:26:42 -0700


Bill Broadley writes:
 > On Tue, Jun 04, 2002 at 09:39:32PM -0700, Micah Cowan wrote:
 > > This is really picky of course, but the other criteria for "secure use
 > > of Xor", in addition to having a key at least as long as your data,
 > > is:
 > > 
 > >   1. That it be a random sequence - *truly* random.  This rules out
 > >      using "passphrases" and the like.  *All* passphrases or passwords
 > >      are extremely insecure for Xor, regardless of length.
 > 
 > Correct, a passphrase would violate the xor sequence longer than the data
 > rule.  Passing PID or time as a seed to random would also be a very
 > bad idea.   Md5 checksums of random noise (transistors, radio reception
 > of static, radioactive decay etc) are the level of randomness that is
 > ideal.

Right.  But even if it didn't violate the "key must be longer than the
data" rule, it's still too insecure - for instance, if someone wrote a
50-page essay to encrypt a 25-page something-or-other.

The strength of the Vernam cipher is that, because it is *truly*
random, the probability that the encrypted message is one thing is
exactly the same as every other thing (of the same length). With other
encryption schemes, the probability is typically much less evenly
spread, often you can prove that it could *not* be certain things.

However, if you don't use a random source, then you can have a lot of
problems. If an attacker can guess at words that might appear in the
key (say, "significance"), he can try XOR-ing that key against the
text at various places, until he finds a spot where intelligible data
seems to result. There's no way to prove mathematically that you've
recovered a portion of text, but it is much easier to find several
possible candidates, and rule out candidates which are decidedly
unlikely. Especially in situations where, e.g., you know that both the
key and the message are textual data.
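As an added illustration of the two points above (example code, not from the original thread): a textual key, even one longer than the message, yields intelligible output at the crib's true offset, while a random key as long as the message makes any same-length plaintext exactly as consistent with the ciphertext. All strings below are constructed sample data.

```python
import os
import string

# Printable ASCII minus vertical tab and form feed: our stand-in for "intelligible data".
PRINTABLE = set(string.printable.encode()) - {0x0B, 0x0C}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against key; the key repeats if it is shorter than the data."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def crib_drag(ciphertext: bytes, crib: bytes) -> list[tuple[int, bytes]]:
    """Slide a guessed key word along the ciphertext and keep each offset where
    XOR-ing it in yields printable text: the check the mail describes."""
    hits = []
    for off in range(len(ciphertext) - len(crib) + 1):
        chunk = xor_bytes(ciphertext[off:off + len(crib)], crib)
        if all(c in PRINTABLE for c in chunk):
            hits.append((off, chunk))
    return hits


def key_explaining(ciphertext: bytes, candidate: bytes) -> bytes:
    """For a true one-time pad every same-length candidate plaintext is consistent
    with the ciphertext: the key that would produce it is simply their XOR."""
    if len(ciphertext) != len(candidate):
        raise ValueError("candidate must match ciphertext length")
    return xor_bytes(ciphertext, candidate)


# Constructed sample data; none of these texts come from the original thread.
MESSAGE = b"meet me at the dock at noon"
DECOY = b"nothing to see here move on"  # same length as MESSAGE
ESSAY_KEY = b"the significance of this essay is that it is long and textual"
CRIB = b"significance"  # a word the analyst guesses appears in the key


def passphrase_demo() -> bytes:
    """Key longer than the data, but textual: the crib's true offset exposes plaintext."""
    ct = xor_bytes(MESSAGE, ESSAY_KEY)
    return dict(crib_drag(ct, CRIB)).get(ESSAY_KEY.index(CRIB), b"")


def otp_demo() -> bool:
    """Random key as long as the data: a decoy plaintext is exactly as plausible."""
    key = os.urandom(len(MESSAGE))
    ct = xor_bytes(MESSAGE, key)
    return xor_bytes(DECOY, key_explaining(ct, DECOY)) == ct
```

`crib_drag` may also report false positives at other offsets; the point is that the true offset is always among them, and with textual data the false ones are cheap to rule out.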

 > If anyone claims it's so secure that they are going to run a cracking
 > contest beware, for more info:
 > http://www.counterpane.com/crypto-gram-9812.html#contests 

AFAIK, they haven't even done that. Actually, cracking contests are a
great way to find out if your algorithm is as good as you think it is;
but using successful contests as a means of *proving* that an
algorithm is secure is faulty (as the URL you pointed out says).

 > > Now, having said that, I'll protect my butt by pointing out that their
 > > technology *could* still be unbreakable, but not for the reasons they
 > > claim.  They don't seem to have published their algorithms; their
 > 
 > Another large warning sign, see the above url.

I agree. But it is unfortunately commonplace. Still, I would never
trust my data to an algorithm I can't touch, see, taste, hear and
smell :)

There are many graveyards of those foolish enough to claim to have
discovered an "unbreakable" encryption mechanism. There are many more
graveyards of people who think they've discovered something new, when
it is actually some variant of XOR, the *least* secure of encryption
algorithms (when it's not a one-time pad).

I don't want to give people here the impression I'm some sort of
expert on cryptography, considering how much I've been running my
mouth on the subject - I have never really done anything interesting
in the field, don't spend time analysing algorithms, etc. - any
information I have is based on readily available stuff I've read (I
highly recommend Bruce Schneier's "Applied Cryptography", BTW). So I
could never tell anybody if some new algorithm seems to be secure -
but I sure can pick off some of the stragglers and figure out that
they're *not* secure.

 > > "Technical White Paper" (http://www.prescient.net/pdf/e2Sec.pdf)
 > > claims that the keys generated are undeterministic; but I'm rather
 > > skeptical as to how they could be generated, and understood by another
 > > host across the 'Net, if they were not undeterministic - unless of
 > > course their server simply sends the key across the 'Net in the clear
 > > ;) I'm not a cryptanalyst, and even if I were, I couldn't debunk their
 > 
 > Sounds just like another crappy system with good PR.

I'm inclined to agree. :)

Micah