[vox-tech] Which cipher to use?

Mark K. Kim vox-tech@lists.lugod.org
Wed, 5 Jun 2002 14:25:56 -0700 (PDT)


On Tue, 4 Jun 2002, Micah Cowan wrote:

> Bill Broadley writes:
>  > Xor is 100% secure if your key is as long as your data, otherwise known
>  > as the otp = one time pad.  If it's less, it is indeed rather easy to break.
>
> This is really picky of course, but the other criteria for "secure use
> of Xor", in addition to having a key at least as long as your data,
> is:
>
>   1. That it be a random sequence - *truly* random.  This rules out
>      using "passphrases" and the like.  *All* passphrases or passwords
>      are extremely insecure for Xor, regardless of length.
>
>   2. That it be used only one time, and then discarded - never to be
>      used again.
>
> The combination of those three requirements (counting yours), is what
> makes something a one-time pad, or "Vernam Cipher".  (I know you know
> this stuff, Bill - but I'm pointing it out for any who don't).
==8<--

One-time-pad (of which XOR is one method) is still not secure even if you
follow the "standard rules" (the ones Micah points out.)  One way the
message could be compromised is if the adversary messes up your
communication.  Example:

   1. I send the message "I'll meet you at 10 O'Clock", XORed.

   2. Adversary intercepts the message.  S/he has no clue what it says,
      but s/he knows it's about some meeting.  In a random spite,
      s/he changes a random character.

   3. The recipient receives the message "I'll meet you at 11 O'Clock".

The message has now been compromised even though the adversary did not
know what the original message was.  It took a little luck, but it's not a
bad chance, if all the adversary wants to do is confuse the recipient.  I
guess if the adversary could do the above, s/he could also simply not
forward the message until the recipient dies from old age, too.  But all
these issues are important concerns one should be aware of in security;
one can't blindly use a technique just because someone tells you it's
secure, but one also needs to be aware of all the issues.

BTW, to get around problems like this, you could include a checksum
(actually, better to compress the data, too, for other reasons), and send
messages at predetermined times to verify you're not losing messages...
but that brings other concerns like "what happens if you need to send
messages at random times?"

Anyway...

-Mark

--
Mark K. Kim
http://www.cbreak.org/
PGP key available upon request.
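The scenario in the post (a one-time pad is secret but malleable: XORing a difference into one ciphertext byte changes the decrypted character without the adversary knowing the pad) and the checksum fix the post mentions, as an added Python example that is not part of the original message. It models the "10" to "11" change explicitly rather than by luck, and it assumes a keyed HMAC-SHA256 tag under a separate key as the integrity check (the post only says "checksum"; an unkeyed checksum is itself XOR-linear and is the weaker choice, so the MAC is this example's assumption). The pad and the MAC key are generated here, not taken from the thread.

```python
import hmac
import hashlib
import os
from typing import Optional, Tuple

TAG_LEN = 32  # HMAC-SHA256 output size in bytes


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """One-time-pad encryption/decryption: XOR each data byte with the matching pad byte."""
    if len(key) < len(data):
        raise ValueError("one-time pad must be at least as long as the data")
    return bytes(d ^ k for d, k in zip(data, key))


def flip_character(ciphertext: bytes, index: int, old: str, new: str) -> bytes:
    """Model the tampering from the post without any knowledge of the pad.

    XOR is linear, so XORing (old ^ new) into ciphertext byte `index` turns a
    plaintext `old` at that position into `new` after the recipient decrypts.
    The adversary only has to guess the position and the character there.
    """
    out = bytearray(ciphertext)
    out[index] ^= ord(old) ^ ord(new)
    return bytes(out)


def tamper_demo() -> str:
    """Reproduce the scenario: '10' is sent, the recipient reads '11'."""
    msg = b"I'll meet you at 10 O'Clock"      # constructed sample message
    pad = os.urandom(len(msg))               # truly random, as long as the data, used once
    ct = xor_bytes(msg, pad)
    idx = msg.index(b"10") + 1               # position of the '0' in "10"
    tampered = flip_character(ct, idx, "0", "1")
    # The recipient decrypts correctly and sees a wrong but plausible message.
    return xor_bytes(tampered, pad).decode()  # -> "I'll meet you at 11 O'Clock"


def seal(msg: bytes, pad: bytes, mac_key: bytes) -> bytes:
    """Encrypt with the pad, then append an HMAC over the ciphertext (assumed integrity check)."""
    ct = xor_bytes(msg, pad)
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return ct + tag


def open_sealed(blob: bytes, pad: bytes, mac_key: bytes) -> Optional[bytes]:
    """Verify the tag before decrypting; return None if the ciphertext was altered in transit."""
    if len(blob) < TAG_LEN:
        return None
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    return xor_bytes(ct, pad)


def integrity_demo() -> Tuple[Optional[bytes], Optional[bytes]]:
    """Return (what the recipient accepts untouched, what is accepted after tampering)."""
    msg = b"I'll meet you at 10 O'Clock"
    pad = os.urandom(len(msg))
    mac_key = os.urandom(32)                 # separate key for the MAC, shared out of band
    blob = seal(msg, pad, mac_key)
    idx = msg.index(b"10") + 1
    tampered = flip_character(blob, idx, "0", "1")  # tag no longer matches the ciphertext
    return open_sealed(blob, pad, mac_key), open_sealed(tampered, pad, mac_key)


if __name__ == "__main__":
    print("without integrity check:", tamper_demo())
    accepted, rejected = integrity_demo()
    print("with HMAC, untouched:", accepted)
    print("with HMAC, tampered:", rejected)
```

The pad keeps the content secret, which is all the one-time pad promises; the tag is what lets the recipient notice that a byte changed. Dropped or delayed messages, the other concern raised in the post, are not caught by a per-message tag and still need sequence numbers or the scheduled sends the post describes.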