OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Matthew Pemble (mpemble@ISINTEGRATION.COM)
Date: Mon Mar 05 2001 - 14:40:03 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    As I read the paper, what we are talking about is a conventional
    One-Time-Pad solution, with an interesting key distribution method.

    As has already been stated, the basic encryption technology is not
    new (1917 according to Schneier App Crypto Section 1.5) and is
    provably secure even given unlimited computational power (let's not
    think about practical difficulties). However, we are not all
    currently using this old, provably secure technology: we are using
    DES, AES or even Public Key systems - why? Key exchange. OTP
    systems use one bit of key for every bit of data, therefore you have
    a huge distribution problem. Rabin is using open (broadcast)
    transmission, relying on the high data rate to make trying every key
    set impractical.

    Note the last: trivial (mathematically), not even difficult, but just
    hard engineering. In the event of infinite storage, to remember the
    key sequence, any particular message will be decodable - assume they
    have more power than you and that time is not of essence.

    There is, however, a more interesting theoretical problem: how do the
    sender and the receiver agree on the starting point of the key? Due
    to the data rate, you can't even use GPS (best timing available to
    most of us) to lock you clocks together and, anyway, you still have
    to agree a starting time. You could say something like "take the key
    starting after the first block A54FD17C after 12:01:00.0000000" but
    that is then, in practice, a key which you have to transmit securely.
     Anyone with that "key" can do the decryption.

    Therefore, although your actual encryption is secure, you have to use
    another method to ensure secure key exchange. That is your weakest
    link, therefore this is no solution. If you want to play similar
    games, write a random bit stream onto a DVD-RAM, make one copy and
    post it (DataPost in the UK, Fed-Ex or UPS outside) that to your
    correspondent. That way you each have a very lengthy OTP key, and
    unless your horrid organisation of choice can interfere with the
    mail, it is more secure than broadcast.

    Matthew Pemble, Principal Consultant, IS Integration,
    Preston Technology Management Centre, Marsh Lane, PRESTON,
    Lancashire, PR1 8UD

    Tel: +44 (0)1324 820690 Fax: +44 (0)1324 826034

    Head Office:
    Tel: +44 (0)1772 885850 Fax: +44 (0)1772 558881
    Mobile: +44 (0)7050 128620
    Mailto:mpemble@isintegration.com Web: http://www.isintegration.com

    This email and any files transmitted with it are confidential and
    intended
    solely for the use of the individual or entity to whom they are
    addressed.
    If you have received this email in error please notify your system
    manager
    or IS Integration Limited on +44 (0) 1772 885850

    Any Views expressed in this e-mail message are those of the
    individual
    sending the message, except where the sender specifically states them
    to be
    the views of IS Integration Limited.

    - -----Original Message-----
    From: CISSP Study Mailing List
    [mailto:CISSPSTUDY@SECURITYFOCUS.COM]On
    Behalf Of Robert G. Ferrell
    Sent: 27 February 2001 17:23
    To: CISSPSTUDY@SECURITYFOCUS.COM
    Subject: Re: This should start up a discussion....

    >The whole article looks to me more of using science fiction movies
    >slang.

    Imagine the potential for man-in-the-middle attacks, or the error
    correction
    algorithm necessary to keep two random bit streams synchronized.
    How do you verify data integrity? I don't think CRCs would suffice
    here.

    ;-)

    Cheers,

    RGF

    Robert G. Ferrell, CISSP
    Information Systems Security Officer
    National Business Center
    U. S. Dept. of the Interior
    Robert_G_Ferrell@nbc.gov
    ========================================
     Who goeth without humor goeth unarmed.
    ========================================

                 +--------------------------------------------+
                 | You have received this email because you |
                 | subscribed to the CISSPSTUDY mailing list. |
                 | -- To unsubscribe, send an email to -- |
                 | listserv@securityfocus.com |
                 | with a message body of: |
                 | UNSUBSCRIBE CISSPSTUDY |
                 +--------------------------------------------+

    -----BEGIN PGP SIGNATURE-----
    Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

    iQA/AwUBOqP5gWrvMjpl5yaUEQLsEQCg03NJ5lMQ9p4tPNxFjMBG4BC7I04An2wV
    Ie4vJ6QPhC4nbI+f1D5oe1eD
    =DDty
    -----END PGP SIGNATURE-----

                 +--------------------------------------------+
                 | You have received this email because you |
                 | subscribed to the CISSPSTUDY mailing list. |
                 | -- To unsubscribe, send an email to -- |
                 | listserv@securityfocus.com |
                 | with a message body of: |
                 | UNSUBSCRIBE CISSPSTUDY |
                 +--------------------------------------------+