
Strong Encryption


88 replies to this topic

#1 jamesadrian

jamesadrian

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:19 PM

Posted 17 April 2016 - 08:07 PM

Mod Edit:  Merged with dupe topic in different forum - Hamluis.

 

Claude Shannon proved that any encryption algorithm possessing these characteristics is absolutely secure:

1. The encryption keys must be random numbers of uniform distribution.

2. The keys must be shared in absolute secrecy by the sender and receiver.

3. Any key encrypting a message must be at least as long as that message.

4. Any key used to encrypt a message must not be reused.

I get this from "Claude Elwood Shannon - Collected Papers" edited by N. J. A. Sloane and Aaron D. Wyner.

Because storage media has become so very dense, over the last several decades it has become very convenient to use such algorithms.

I am surprised that so many Internet articles recommend against it.

Small businesses trying to bring innovations to the market suffer hacking by organizations that can afford a room full of large servers.  Is this good for the economy?

I would rather send an armored car full of memory devices to each of my partners than get innovations stolen.

I appreciate the need to keep such algorithms out of the hands of criminals.  If we need to register users of strong encryption, I would go along with that.  The government can investigate me all it wants.  I am willing to share encrypted messages with U. S. citizens only.

Can anybody think of a system that the government would like?

 

Keep in mind that patent laws have been changed to award patents to those who are first to patent, not those who have witnessed proof that they were the first to conceive of the invention.  This makes hacking very profitable.  The hacking organization patents any concept that they can find and they can afford to keep small businesses in court forever on the remainder.

Thank you for your help.

Jim Adrian


Edited by hamluis, 29 April 2016 - 10:28 AM.
Moved from 'Mac OS' to 'General chat'



 


#2 jamesadrian


Posted 22 April 2016 - 05:23 PM

There have been no replies.

 

Does anybody have an opinion about using encryption such as the one-time pad?  Is it still available?

 

Thank you for your help.

 

By the way, why is my picture square at the top and correct in proportions in my post?

 

Jim Adrian



#3 jamesadrian


Posted 23 April 2016 - 05:17 PM

I appeal to the moderator to make a comment.

 

 

Jim Adrian



#4 ScathEnfys

ScathEnfys

    Bleeping Butterfly


  • Members
  • 1,375 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Deep in the Surface Web
  • Local time:09:19 PM

Posted 28 April 2016 - 11:13 PM

It's just hard to implement. Let's go through each point to explain why:
 

The encryption keys must be random numbers of uniform distribution.

This is the worst problem. It's not easy to generate a truly random key of significant length. The only way to generate truly random data is through user input, i.e., ask the user to smash the keyboard for 10 minutes. Most users aren't willing to go through this.
 

The keys must be shared in absolute secrecy by the sender and receiver.

This is almost impossible in today's world. The only way to do this is to physically meet the person and give them the key, and even that can be observed by surveillance equipment.
 

Any key encrypting a message must be at least as long as that message.

This is simple for small messages, but the problems with large key sizes grow exponentially. A key that encrypts a 100GB backup must be 100GB or more? I think you see the issue here.
 

Any key used to encrypt a message must not be reused.

This is actually the easiest problem to deal with, but complicates the other problems, especially if a message must be read more than once.

EDIT:
TL;DR: Humans are too lazy

Edited by ScathEnfys, 28 April 2016 - 11:14 PM.

Proud system builder, modder, and watercooler.

GitHub | SoundCloud | Keybase

#5 Agouti

Agouti

  • Members
  • 1,548 posts
  • OFFLINE
  •  
  • Local time:09:19 PM

Posted 29 April 2016 - 07:34 AM

The OP already has a thread on this topic here.



#6 jamesadrian


Posted 29 April 2016 - 07:46 AM

The other post was apparently misplaced and has had no responses by others.  There is a response here that starts the discussion.

 

Jim Adrian



#7 Agouti


Posted 29 April 2016 - 07:51 AM

There might be a reason why you got no responses on the other thread.  For me at least, I don't understand the purpose of your thread.  Nevertheless, starting a duplicate thread on the same topic is not how things are done around here.



#8 ScathEnfys


Posted 29 April 2016 - 10:01 AM

There might be a reason why you got no responses on the other thread.  For me at least, I don't understand the purpose of your thread.  Nevertheless, starting a duplicate thread on the same topic is not how things are done around here.


Nor is complaining to the OP TBH... Both of you should be reporting posts that are misplaced/break forum rules with the 'report' button in the bottom right corner of the post.

#9 Agouti


Posted 29 April 2016 - 10:07 AM

Will do and reported.



#10 jamesadrian


Posted 29 April 2016 - 07:53 PM

May we discuss the subject here?

 

Jim Adrian



#11 ScathEnfys


Posted 29 April 2016 - 10:35 PM

May we discuss the subject here?
 
Jim Adrian

Considering that the mod merged the topic rather than locking or deleting it, I would say yes.

#12 jamesadrian


Posted 30 April 2016 - 09:43 PM

ScathEnfys,

 

Your objections are traditional.

 

Let me describe my values on this subject.

 

I am glad to spend $50.00 per month sending media containing random numbers to my communication partners.  I recommend it.  I also recommend calling the FBI and telling them what I am doing, who I am, who my communication partners are, and promising them that I will keep the plain text for their examination.

 

What is absolutely critical is this:  No person or organization other than the American government may anonymously learn the content of my chemical and computing trade secrets, and my research in progress.

 

On the subject of the inconvenience to the general market, I realize that few are willing to go to great lengths to protect their communication.  For them, a lesser level of security may be appropriate.  I do not recommend algorithms that use number theory insights, reused keys, or rely on mere complexity.  I recommend using the one-time pad with something less than truly random numbers generated by hardware random number generators.

 

First, I would point out that the art of making pseudo random numbers has advanced considerably.  This makes the transformation of a billion truly random numbers to another billion pseudo random numbers by means of employing only ten million additional random numbers such that the use of the transformed numbers presents a greater challenge to statisticians than any existing convenient algorithm.

 

This means that pads can be extended to last much longer than would otherwise be the case.  I don't care about this because I can afford the $50.00 dollars per month, but it might be of interest to some.

 

The key here is that some data MUST be protected FOREVER, and email must be used to keep up with the speed of business.  Why do you think that embassies and military organizations use it?

 

I hope American citizens preserve the right to use the strongest possible encryption and use it with appropriate sensitivity to the problem of criminality and terrorism.

 

I also hope that you understand this: I don't get what I need from any other type of encryption.

 

Thank you for your input.

 

 

Jim Adrian


Edited by jamesadrian, 30 April 2016 - 10:12 PM.


#13 ScathEnfys


Posted 30 April 2016 - 11:07 PM

If you want your data in transit to be completely unintelligible to an observer, and cost is no object, then you should seriously look into Quantum Cryptography (Link points to the Wikipedia page, but that is of course only a start). A few companies already use this for extremely sensitive intra- and inter-office communications.

For what it's worth, I agree with your stance on encryption. I simply pointed out issues of getting it 'to the masses' as it were for the sake of discussion - it's definitely something you needed to consider. I disagree with your point about informing the government, but that is a political view and not appropriate for this topic (or for that matter anywhere on this forum outside the Speak Easy).

#14 jamesadrian


Posted 01 May 2016 - 08:31 PM

ScathEnfys,

 

Thank you for your observations and the link.

 

For those who insist on the convenience of communicating keys more conveniently at some additional risk but without much cost, I want to point out that changing and expanding the pad monthly by sending a small amount of data by postal mail or over the phone can achieve more security than is realized by existing convenient algorithms.

 

Consider a letter that asks the project team to modify and expand the existing pad by using program 257 from a shared library of programs, or by using the following shared functions:  18, 93, 86, and 71 in that order.

 

A string of arguments in a letter to be used by a function or program is very hard to deduce in this context.

 

Unlike encryption software that gets popular and is the same for many users, this approach would surely cause all communicating groups to use different programs and functions - of which there are at least millions.  The number of unique combinations of functions is very large.

 

A relatively simple thing like using half of the pad to permute the other half or interleave the pad makes things very difficult for any statistician.  Imagine the difficulty of contending with the uncertainty created by more complex ideas like the one stated above.

 

I would like to see this done very widely.  I would like to discuss such software designs with anyone interested.

 

Jim Adrian

 

http://www.futurebeacon.com/jamesadrian.htm


Edited by jamesadrian, 01 May 2016 - 08:34 PM.


#15 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,685 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:19 AM

Posted 02 May 2016 - 03:15 PM

What you describe is the OTP encryption: One Time Pad.

The problem is key management.

 

 

I appreciate the need to keep such algorithms out of the hands of criminals.

 

No, the algorithms must not be secret. That is one of Kerckhoffs' laws.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
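
An added example, not written by any poster in this thread: a minimal sketch of the key management the one-time pad needs, enforcing conditions 3 and 4 from the first post with a "spent" offset on each party's copy of the pad, and showing why reused key bytes cancel out of two ciphertexts. The class and function names are hypothetical, the messages are constructed sample data, and `secrets.token_bytes` (an OS CSPRNG) is an assumed stand-in for the truly random source condition 1 requires.

```python
import secrets

class PadError(Exception):
    """Pad exhausted, or a request would reuse spent key bytes."""

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class OneTimePad:
    """One party's copy of the shared pad plus a 'spent up to here' offset."""

    def __init__(self, pad: bytes):
        self._pad, self._offset = pad, 0

    def remaining(self) -> int:
        return len(self._pad) - self._offset

    def _take(self, start: int, n: int) -> bytes:
        if start < self._offset:          # condition 4: never reuse key bytes
            raise PadError("offset already spent")
        if start + n > len(self._pad):    # condition 3: key >= message length
            raise PadError("not enough pad left")
        self._offset = start + n          # mark the bytes as spent
        return self._pad[start:start + n]

    def encrypt(self, plaintext: bytes) -> tuple[int, bytes]:
        start = self._offset              # the offset travels with the ciphertext
        return start, xor(plaintext, self._take(start, len(plaintext)))

    def decrypt(self, start: int, ciphertext: bytes) -> bytes:
        return xor(ciphertext, self._take(start, len(ciphertext)))

def two_time_pad_leak(m1: bytes, m2: bytes, key: bytes) -> bool:
    """With a reused key, c1 XOR c2 equals m1 XOR m2: the key cancels out."""
    return xor(xor(m1, key), xor(m2, key)) == xor(m1, m2)

def demo():
    # Constructed sample data; the CSPRNG is an assumption standing in for
    # a hardware random source.
    pad = secrets.token_bytes(64)
    sender, receiver = OneTimePad(pad), OneTimePad(pad)
    m1, m2 = b"formula A: 40% X", b"formula B: 15% Y"
    (s1, c1), (s2, c2) = sender.encrypt(m1), sender.encrypt(m2)
    round_trip = receiver.decrypt(s1, c1) == m1 and receiver.decrypt(s2, c2) == m2
    return round_trip, two_time_pad_leak(m1, m2, pad[:16]), sender.remaining()

if __name__ == "__main__":
    print(demo())
```

The offset bookkeeping is the part that has to stay synchronized and tamper-free on both ends for the lifetime of the pad, which is where the operational cost of the scheme sits.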




