[vox-tech] Which cipher to use?

Micah Cowan vox-tech@lists.lugod.org
Wed, 5 Jun 2002 19:18:31 -0700


Mark K. Kim writes:
 > On Tue, 4 Jun 2002, Micah Cowan wrote:
 > 
 > > Bill Broadley writes:
 > >  > Xor is 100% secure if your key is as long as your data, otherwise known
 > >  > as the otp = one time pad.  If it's less, it is indeed rather easy to break.
 > >
 > > This is really picky of course, but the other criteria for "secure use
 > > of Xor", in addition to having a key at least as long as your data,
 > > is:
 > >
 > >   1. That it be a random sequence - *truly* random.  This rules out
 > >      using "passphrases" and the like.  *All* passphrases or passwords
 > >      are extremely insecure for Xor, regardless of length.
 > >
 > >   2. That it be used only one time, and then discarded - never to be
 > >      used again.
 > >
 > > The combination of those three requirements (counting yours), is what
 > > makes something a one-time pad, or "Vernam Cipher".  (I know you know
 > > this stuff, Bill - but I'm pointing it out for any who don't).
 > ==8<--
 > 
 > One-time-pad (of which XOR is one method) is still not secure even if you
 > follow the "standard rules" (the ones Micah points out.)

Good point about XOR being one method - the "canonical" method is to
rotate the letters by the value, not XOR it. But either way, the
probability distributions work out the same.

 > One way the
 > message could be compromised is if the adversary messes up your
 > communication.  Example:
 > 
 >    1. I send the message "I'll meet you at 10 O'Clock", XORed.
 > 
 >    2. Adversary intercepts the message.  S/he has no clue what it says,
 >       but s/he knows it's about some meeting.  In a random spite,
 >       s/he changes a random character.
 > 
 >    3. The recipient receives the message "I'll meet you at 11 O'Clock".
 > 
 > The message has now been compromised even though the adversary did not
 > know what the original message was.  It took a little luck, but it's not a
 > bad chance, if all the adversary wants to do is confuse the recipient.

More luck than I'm willing to worry about, frankly. The chances of
choosing the right spot to change (1 out of 17), *and* the right value
to change it to (9 out of 256) to affect it in a way that is
meaningful are pretty slim. The odds are *much* greater that the
message will just be garbled slightly.

 > I guess if the adversary could do the above, s/he could also simply not
 > forward the message until the recipient dies from old age, too.  But all
 > these issues are important concerns one should be aware of in security;
 > one can't blindly use a technique just because someone tells you it's
 > secure, but one also needs to be aware of all the issues.

This still makes OTP by far the most secure encryption mechanism, bar
none. However, complications arise because it's also damned
inconvenient for most situations. You can't use it to encrypt internet
communications, for instance, unless you physically transport the key
to the other site in advance, or use some other means of
communications that is already secured.

Also, the fact that once you've used up the key, it's done. And you
have to ensure that both parties are very good at destroying the keys,
unless you don't care what happens to the message once it's been
received (which is a possibility). All in all, OTP isn't much more
convenient than just driving over to the recipient's house and
delivering it in person.

Which is why it's almost never used - security is always a balance
between practical usability and ultimate security. After all,
security's no problem if you're enclosed in a shielded room, with no
connectivity, and you're the only one there. But that makes it kinda
difficult to communicate.

But anyway, in general, I agree with you - there's no perfect solution
for every situation. Everything's a trade-off: finding the right one
is always important.

Micah
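The tampering scenario from Mark's post, as an added example (not code from anyone in this thread): a XOR pad hides the message but gives the recipient no way to notice a changed ciphertext byte, and an integrity tag over the ciphertext (HMAC here, an addition not discussed in the thread) is what catches it. The pad and MAC key in `demo` are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

MESSAGE = b"I'll meet you at 10 O'Clock"   # the thread's example message


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    # Vernam/XOR pad: the key must be truly random, at least as long as the
    # message, and never reused (the three requirements from the thread).
    if len(key) < len(plaintext):
        raise ValueError("pad must be at least as long as the message")
    return bytes(p ^ k for p, k in zip(plaintext, key))


otp_decrypt = otp_encrypt  # XOR is its own inverse


def tamper(ciphertext: bytes, position: int, new_byte: int) -> bytes:
    # The adversary's "random spite": overwrite one ciphertext byte.
    modified = bytearray(ciphertext)
    modified[position] = new_byte
    return bytes(modified)


def mac_tag(mac_key: bytes, ciphertext: bytes) -> bytes:
    # Encrypt-then-MAC integrity tag; HMAC-SHA256 is the mitigation added here.
    return hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def receive(ciphertext: bytes, tag: bytes, pad: bytes, mac_key: bytes):
    # Authenticated recipient: returns the plaintext, or None if the tag fails.
    if not hmac.compare_digest(mac_tag(mac_key, ciphertext), tag):
        return None
    return otp_decrypt(ciphertext, pad)


def demo(position: int, new_byte: int, pad=None, mac_key=None) -> dict:
    # Runs the scenario; pad/mac_key default to fresh random values (constructed).
    pad = secrets.token_bytes(len(MESSAGE)) if pad is None else pad
    mac_key = secrets.token_bytes(32) if mac_key is None else mac_key
    ct = otp_encrypt(MESSAGE, pad)
    tag = mac_tag(mac_key, ct)
    bad_ct = tamper(ct, position, new_byte)
    unauthenticated = otp_decrypt(bad_ct, pad)          # decrypts without complaint
    authenticated = receive(bad_ct, tag, pad, mac_key)  # None: change detected
    changed = [i for i, (a, b) in enumerate(zip(MESSAGE, unauthenticated)) if a != b]
    return {"unauthenticated": unauthenticated, "authenticated": authenticated,
            "changed_positions": changed}


if __name__ == "__main__":
    print(demo(position=18, new_byte=0))  # position 18 is the "0" in "10"
```

With a random pad the unauthenticated recipient sees the one altered byte land on the changed position only; the rest of the message is untouched, which is exactly why the tampering is not noticed without a tag.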