In need of an EllipticCurve example (jdk1.5)

Chris Uppal

Oliver said:
The problem with the above is that you now have to trust FedEx (which
implies trusting everybody that FedEx trusts; e.g. each individual courier,
and trusting that the couriers won't ask their friends to make a delivery
for them or otherwise that those friends are trustworthy, etc.)

You can reduce the chances of interception, in theory at least, by handing over
the first CD of one-time-pads when you meet in person at the start of the
association. Thereafter, as long as both parties keep their current CDs safe
(which you have to assume anyway), the next CD can be sent quite openly if what
it contains is not the next batch of OTPs but the XOR of the next batch with
the previous batch. The receiver can then recover the new batch by undoing the
XOR, but nobody else can.

That is using an OTP twice, which is normally a complete sin, but in this case,
the second time it is being used to encrypt /random/ unknown data, so there
cannot, by definition, be any increased risk. (Always assuming complete
randomness).

In practice, I doubt if this would work. It would mean that any successful
penetration (a physical break-in or whatever) would open up all subsequent
communication too -- a highly undesirable situation. Using unrelated OTPs does
not have that disadvantage, even though the risk to any /single/ pad may be
much higher.

-- chris
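The chained-pad scheme Chris outlines, and his own objection to it, as an added example (not code from anyone in the thread). Pad sizes are toy values and the pads come from the OS CSPRNG rather than a hardware source; both are assumptions for the sake of running it offline.

```python
import secrets
from typing import List, Tuple

PAD_LEN = 32  # bytes per batch in this toy; a real "CD" would hold hundreds of megabytes


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("pads must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def make_pad(n: int = PAD_LEN) -> bytes:
    """A fresh pad batch from the OS CSPRNG (stand-in for the hardware source a real OTP needs)."""
    return secrets.token_bytes(n)


def wrap_next_pad(prev_pad: bytes, next_pad: bytes) -> bytes:
    """What goes on the openly shipped CD: the new batch XORed with the batch both sides
    already hold. Because next_pad is uniformly random, so is the shipped value, and it
    is useless to anyone who does not hold prev_pad."""
    return xor_bytes(next_pad, prev_pad)


def unwrap_next_pad(prev_pad: bytes, shipped: bytes) -> bytes:
    """Receiver undoes the XOR with the batch it already holds."""
    return xor_bytes(shipped, prev_pad)


def run_chain(rounds: int) -> Tuple[List[bytes], List[bytes], List[bytes]]:
    """Simulate one in-person handover followed by `rounds` open shipments.
    Returns (sender's pads, receiver's pads, what the courier carried)."""
    first = make_pad()
    sender = [first]
    receiver = [first]  # handed over face to face
    shipments = []
    for _ in range(rounds):
        nxt = make_pad()
        shipped = wrap_next_pad(sender[-1], nxt)
        shipments.append(shipped)  # assume every shipment is copied by an eavesdropper
        sender.append(nxt)
        receiver.append(unwrap_next_pad(receiver[-1], shipped))
    return sender, receiver, shipments


def pads_lost_after_break_in(stolen_pad: bytes, stolen_index: int,
                             shipments: List[bytes]) -> List[bytes]:
    """Chris's objection: an attacker who steals pad number `stolen_index` and has
    recorded every shipment walks the chain forward and obtains that pad and every
    later one. With independent pads, only the stolen batch would be lost."""
    pads = [stolen_pad]
    for shipped in shipments[stolen_index:]:
        pads.append(unwrap_next_pad(pads[-1], shipped))
    return pads


if __name__ == "__main__":
    s, r, ships = run_chain(4)
    print("receiver holds the same pads as sender:", s == r)
    stolen = pads_lost_after_break_in(s[1], 1, ships)
    print("pads exposed by stealing pad 1:", len(stolen), "of", len(s))
```

The shipments themselves never reveal a pad; what the example makes concrete is that a single physical compromise plus a recording of the courier traffic exposes every later batch, which is exactly why Chris calls the scheme impractical.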
 
Roedy Green

I say use an aggregate of tried and true RSA with a "supposedly"

All of those algorithms are based on assumption some calculation is
difficult. That is just an assumption. Whereas with one-time-pad,
anyone who takes time to understand it can see for themselves why it
is uncrackable, not just difficult, IMPOSSIBLE to crack.

Given that, with a bit of software ingenuity, one time pads are only a
bit more inconvenient than mathematical ciphers, and if you are up
against people smarter than you, you are nuts to take the risk of
using a mathematical cipher your enemies might be able to break.
..
Say for example you used Diffie Hellman to negotiate a secret key.
Your opponents could be in the middle, intercepting your exchanges and
forging them.

The other thing recommending one-time pads is that that is what the Soviet
diplomats use. They have access to the best mathematicians on the
planet. They are a very cautious bunch, and that is what they decided
to do.
 
Roedy Green

But even if you assume FedEx is trustworthy,

You don't have to trust Fedex at all. What you have to trust is that
you can wrap a package in such a way that you can detect if it has
been opened.

You don't even have to do that. You just need to know that the
probability of the package being intercepted is less than some bound
b.

They can only hurt you if they intercept ALL your packages undetected.

It is the inverse of my floppy disk scheme for recovery from scratches
and thumbprints that Norton Backup used. If a sector is lost from a
mutually protective set, you can recreate it by xoring the remaining
ones. However, if any of the remaining ones is also missing, you
can't.
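Both halves of Roedy's point, as an added example (not code from the thread): split a pad across several couriers so an interceptor must capture every package, and the inverse floppy-style scheme where one parity sector lets a single lost sector be rebuilt but two losses are fatal. Sector contents and sizes are constructed for the example.

```python
import secrets
from typing import List, Optional


def xor_bytes(*parts: bytes) -> bytes:
    """XOR any number of equal-length byte strings together."""
    n = len(parts[0])
    if any(len(p) != n for p in parts):
        raise ValueError("all parts must be the same length")
    out = bytearray(n)
    for p in parts:
        for i, b in enumerate(p):
            out[i] ^= b
    return bytes(out)


def split_for_couriers(pad: bytes, couriers: int) -> List[bytes]:
    """Give each courier one share: couriers-1 shares are fresh random bytes, the last
    is chosen so all shares XOR back to the pad. Any proper subset of the shares is
    uniform noise, so an interceptor who misses even one package learns nothing."""
    if couriers < 2:
        raise ValueError("need at least two couriers")
    shares = [secrets.token_bytes(len(pad)) for _ in range(couriers - 1)]
    shares.append(xor_bytes(pad, *shares))
    return shares


def reassemble(shares: List[bytes]) -> bytes:
    """The recipient XORs every package together to get the pad back."""
    return xor_bytes(*shares)


def add_parity(sectors: List[bytes]) -> List[bytes]:
    """The floppy-disk direction: append one parity sector (XOR of the rest) so that
    any single lost sector in the set can be rebuilt from the others."""
    return sectors + [xor_bytes(*sectors)]


def can_recover(protected: List[Optional[bytes]]) -> bool:
    """Recovery needs exactly one gap; two or more missing sectors and the set is lost."""
    return sum(1 for s in protected if s is None) == 1


def recover_lost(protected: List[Optional[bytes]]) -> List[bytes]:
    """Rebuild the single missing (None) sector by XORing all the surviving ones."""
    if not can_recover(protected):
        raise ValueError("need exactly one missing sector to recover")
    missing = protected.index(None)
    present = [s for s in protected if s is not None]
    restored = list(protected)
    restored[missing] = xor_bytes(*present)
    return restored


if __name__ == "__main__":
    pad = secrets.token_bytes(16)
    shares = split_for_couriers(pad, 3)
    print("all three packages reassemble the pad:", reassemble(shares) == pad)
    print("two packages alone give the pad:", reassemble(shares[:2]) == pad)
    protected = add_parity([b"sector-1", b"sector-2", b"sector-3"])
    protected[1] = None
    print("rebuilt:", recover_lost(protected)[1])
```

The two constructions are the same XOR relation read in opposite directions: in the courier split the full set is required and any subset is worthless; in the parity set any n-1 of the n pieces suffice, which is exactly why it protects against loss rather than against interception.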
 
James McGill

I'd say it's an addition of a secret, rather than a replacement. The one
time pad is still present.

Yes, and it's in the hands of an untrusted party, albeit without their
knowledge. Still, the identity of that party needs to be protected just
as much as the intended recipient of the key.
 
Roedy Green

I'd say it's an addition of a secret, rather than a replacement. The one
time pad is still present.

Remember the children's story of the man who captured a leprechaun. He
forced the leprechaun to reveal the location of his gold stash. He
tied a sash around the tree and somehow terrorised the leprechaun into
promising not to remove the sash. The next day the man returned to
claim his gold and discovered every tree had a similar sash.

I suggest overwhelming the resources of your opponents trying to
intercept your CD keys with similar tactics.
 
Roedy Green

the next CD can be sent quite openly if what
it contains is not the next batch of OTPs but the XOR of the next batch with
the previous batch. The receiver can then recover the new batch by undoing the
XOR, but nobody else can.

That however might be tantamount to using an XOR key more than once, a
big no no. The whole scheme depends on never reusing a key in any way.

the value of the key is that it is not correlated in any way to anything
else. To maintain its theoretical uncrackability you must be
impeccable about maintaining that property.
 
Roedy Green

All pretty much tried and
trusted low-tech, compared to systems requiring computers and a lot of
processing power - but limited to not too long messages.

but with computers and DVDs to distribute keys, you can jabber away
for a VERY long time. You would only get in trouble sending
voice, video or images. You need one key DVD per data DVD worth of
information, not that stiff a penalty for uncrackable encryption.
 
Eric Sosman

Roedy Green wrote On 03/03/06 15:22,:
[...]
The other thing recommending one-time pads is that what the Soviet
diplomats use.. They have access to the best mathematicians on the
planet. They are a very cautious bunch, and that it what they decided
to do.

Look up "Venona," and then contemplate the use
this very cautious bunch made of one-time pads, and
what grief came of it.
 
Roedy Green

One-time pads work well for communicating with spies, because usually
when you first hire a spy, you can arrange for a physical meeting, and
directly hand her the one time pad.

If you are doing something that would attract the interest of those
with the financial resources to break ordinary codes, presumably you
have substantial resources yourself.

For example, if you are in the diplomatic service, there are
diplomatic couriers and diplomatic pouches. If you are a drug dealer
you can hire non-descript people to deliver things for you. If you are
a US government department, you have the immense borrowing power of
the state to buy you whatever you want.

If you are a terrorist, you likely have a deep distrust of the
Internet and computers, given they are such black boxes capable of
hiding all manner of spyware. You still might use isolated computers
to exchange CDs and key CDs, never using the networks at all.

If you are a pornographer specialising in illegal materials, if all your
videos look like Baghdad in a sandstorm, how are they to prosecute
you?

The floppy and the fax are credited with bringing greater civil
freedom to the Soviet Union. Today it could be the CD and one-time pads.
 
Mark Thornton

Roedy said:
All of those algorithms are based on assumption some calculation is
difficult. That is just an assumption. Whereas with one-time-pad,
anyone who takes time to understand it can see for themselves why it
is uncrackable, not just difficult IMPOSSIBLE to crack.

Given that, with a bit of software ingenuity, one time pads are only a
bit more inconvenient than mathematical ciphers, and if you are up
against people smarter than you, you are nuts to take the risk of
using a mathematical cipher your enemies might be able to break.

One time pads have one big problem, which is distributing the pads. This is
what limits the security of your transmissions.

Mark Thornton
 
Roedy Green

And if
the key pad is out of your hands, how do you know when you're
transmitting the message, that someone hasn't intercepted the key?

You would load up your hard disk with keys and as you use them erase
them by writing over them several times.

Software has to be responsible for non-reuse of keys.

If I were trying to entrap terrorists, one technique I could use is
to create one-time-pad software with a tiny bug, so that every once in a
while it would "accidentally" reuse a key, say after a Windows crash,
then put it out as shareware with source inviting people to see for
themselves it contained no spyware.
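A pad consumer that makes the software, not the operator, responsible for non-reuse, as an added example (not code from the thread). The file layout is this example's own invention: an 8-byte header holding the offset of the next unused key byte, followed by the pad. The offset is committed and fsynced before the key bytes are read, so the crash Roedy describes can only lose key material, never hand the same bytes out twice; consumed bytes are then overwritten in place.

```python
import os
import secrets
import tempfile
from typing import Dict

HEADER = 8  # big-endian offset of the next unused key byte (layout assumed for this example)


class PadFile:
    """Hands out key bytes from a pad file strictly once and scrubs them as it goes."""

    def __init__(self, path: str):
        self.path = path

    @classmethod
    def create(cls, path: str, pad: bytes) -> "PadFile":
        with open(path, "wb") as f:
            f.write((0).to_bytes(HEADER, "big"))
            f.write(pad)
            f.flush()
            os.fsync(f.fileno())
        return cls(path)

    def _offset(self) -> int:
        with open(self.path, "rb") as f:
            return int.from_bytes(f.read(HEADER), "big")

    def remaining(self) -> int:
        return os.path.getsize(self.path) - HEADER - self._offset()

    def take(self, n: int) -> bytes:
        """Return n never-used key bytes, or raise if the pad is exhausted."""
        off = self._offset()
        if n > self.remaining():
            raise RuntimeError("pad exhausted; refusing to reuse key material")
        with open(self.path, "r+b") as f:
            # 1. Commit the advance first. A crash between here and the return
            #    discards these bytes instead of handing them out a second time.
            f.seek(0)
            f.write((off + n).to_bytes(HEADER, "big"))
            f.flush()
            os.fsync(f.fileno())
            # 2. Read the key bytes.
            f.seek(HEADER + off)
            key = f.read(n)
            # 3. Overwrite them in place: a random pass, then zeros, synced each time.
            for fill in (secrets.token_bytes(n), b"\x00" * n):
                f.seek(HEADER + off)
                f.write(fill)
                f.flush()
                os.fsync(f.fileno())
        return key


def encrypt(pad: PadFile, plaintext: bytes) -> bytes:
    """OTP encryption; every call consumes fresh pad bytes by construction."""
    key = pad.take(len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, key))


def demo() -> Dict[str, object]:
    """Exercise a constructed 1024-byte pad in a temp directory and report the results."""
    path = os.path.join(tempfile.mkdtemp(), "pad.bin")
    pad = PadFile.create(path, bytes(range(256)) * 4)  # constructed, NOT random: for checking
    first = pad.take(10)
    second = pad.take(10)
    ciphertext = encrypt(pad, b"attack at dawn")
    with open(path, "rb") as f:
        on_disk = f.read()
    try:
        pad.take(2000)
        exhausted_refused = False
    except RuntimeError:
        exhausted_refused = True
    return {
        "first": first,
        "second": second,
        "ciphertext": ciphertext,
        "scrubbed": on_disk[HEADER:HEADER + 34],
        "remaining": pad.remaining(),
        "exhausted_refused": exhausted_refused,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The ordering is the whole point: advance-then-use fails safe, use-then-advance is precisely the "tiny bug" that would make a pad reusable after a crash.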
 
James McGill

No... I mean, someone has gotten the key from your agent, and is
reading your messages but not letting you know....
 
Chris Uppal

Roedy said:
That however might be tantamount to using an XOR key more than once, a
big no no. The whole scheme depends on never reusing a key in any way.

the value of the key is that it not correlated in any way to anything
else. To maintain its theoretical uncrackability you must be
impeccable about maintaining that property.

Why don't you /read/ posts before answering them ? The scheme I
outlined (impractical though it undoubtedly is) does not in any way
suffer from the problem of using OTPs more than once.

Indeed, one could use any single OTP as many times as one wanted
providing that the plaintext was in every case purely random and not
in any way correlated with any other plaintext pushed through that OTP.

-- chris
 
Roedy Green

Look up "Venona," and then contemplate the use
this very cautious bunch made of one-time pads, and
what grief came of it.


I did not find anything relevant.

However I do recall the soviets foolishly kept old keys lying around
on paper in a warehouse where eventually the Americans got hold of
them.
 
Roedy Green

No... I mean, someone has gotten the key from your agent, and is
reading your messages but not letting you know....

That's a problem with any encryption scheme. You have to trust anyone
with access to the key not to hand it out. If they have access to the
key, chances are they also have access to the original materials or
the computer used to encrypt them. The cat is out of the bag in any
case.
 
Eric Sosman

Roedy Green wrote On 03/03/06 17:47,:
I did not find anything relevant.

204,000 hits on Google may, in truth, be a little
too much to wade through ;-) One of them, though, is
both easy to find and informative:

http://en.wikipedia.org/wiki/Venona

The gist is that the Soviets re-used some pages of
their one-time pads -- not the entire pads, just a page
here and there -- and once the other side's spooks caught
on they were able to decode parts of both encoded streams.
So much for the uncrackability of the one-time pad.

Of course, the Soviets misused their pads; had they
not re-used pages the cryptanalysis would not have worked.
But the Soviets must certainly have been aware that the
abuse struck at the very core of the method's security,
so the obvious question is: Why did bright people do such
a stupid thing? Nobody in the Kremlin seems likely to tell
us, so all we have is speculation. To me, it seems most
likely that they re-used their pad pages out of desperation:
They simply didn't have enough random numbers for the amount
of traffic they wanted to encrypt. And that, of course, is
a problem with one-time pads: Making and distributing them
can become a logistical challenge too great even for the
NKVD.

However I do recall the soviets foolishly kept old keys lying around
on paper in a warehouse where eventually the Americans got hold of
them.

Hadn't heard that one before -- but then, I'm just
another non-expert on these matters.

An acquaintance of mine once worked in the computer
operations of a spook shop, managing the distribution lists
for various kinds of classified material: Major X gets to
read Reports A and B, Colonel Y gets to see B and C, but
X can't read C and Y can't read A -- that sort of thing.
Years afterward, he said he thought the easiest way to beat
the Soviets would have been to add the Kremlin to *every*
distribution list and drown them in the traffic volume.

I doubt he suggested this to his superiors ...
 
Bent C Dalager

The gist is that the Soviets re-used some pages of
their one-time pads -- not the entire pads, just a page
here and there -- and once the other side's spooks caught
on they were able to decode parts of both encoded streams.
So much for the uncrackability of the one-time pad.

This isn't one-time pad. If anything, it is two-time pad :)

Any cryptosystem is trivially cracked if the people who "use" it
choose to ignore it and invent their own ad hoc system instead.

Of course, the Soviets misused their pads; had they
not re-used pages the cryptanalysis would not have worked.
But the Soviets must certainly have been aware that the
abuse struck at the very core of the method's security,
so the obvious question is: Why did bright people do such
a stupid thing? Nobody in the Kremlin seems likely to tell
us, so all we have is speculation. To me, it seems most
likely that they re-used their pad pages out of desperation:
They simply didn't have enough random numbers for the amount
of traffic they wanted to encrypt. And that, of course, is
a problem with one-time pads: Making and distributing them
can become a logistical challenge too great even for the
NKVD.

Their mistake, then, was to not have a fallback mechanism.

Of course, for all we know, their fallback mechanism might have been
"reuse an old key originally used for a low-sensitivity message"
thereby introducing the possibility of both messages being
compromised, but possibly being a better alternative than transmitting
the new message in clear. You sacrifice an older, presumably outdated,
message in return for some level of protection on a new, more
important, message.

If so, then their crypto scheme would actually be "one-time pad with
occasional fallback to two-time pad". Which is still better than
transmitting in clear.

Cheers
Bent D
 
Oliver Wong

Bent C Dalager said:
You sacrifice an older, presumably outdated,
message in return for some level of protection on a new, more
important, message.

The problem with one-time pads is that when you re-use them, you're not
only sacrificing the security of the old message, but of the new message as
well!
If so, then their crypto scheme would actually be "one-time pad with
occasional fallback to two-time pad". Which is still better than
transmitting in clear.

Transmitting in the clear may be better in some cases. I believe there's
a famous quote in the cryptanalyst circles that goes something like
(paraphrased): The only thing worse than no security is a false sense of
security.

- Oliver
 
Oliver Wong

James McGill said:
Yes, and it's in the hands of an untrusted party, albeit without their
knowledge. Still, the identity of that party needs to be protected just
as much as the intended recipient of the key.

Oh, okay, I understand what you're saying now. There was a
misunderstanding between us:

You send everybody a different random garble of data (of which you keep
a copy yourself). You throw away the random data sent to the innocent
people, but keep the one sent to your target.

So no one else has the one-time-pad that your recipient has (or rather
there's a tiny chance that they do, but that's coincidental, rather than
part of the plan).

- Oliver
 
