
One-Time Pad From Caltech Offers Uncrackable Cryptography

timothy posted about a year ago | from the unless-you-crack-the-glass dept.

Encryption 192

zrbyte writes "One-time pads are the holy grail of cryptography — they are impossible to crack, even in principle. However, the ability to copy electronic code makes one-time pads vulnerable to hackers. Now engineers at the California Institute of Technology in Pasadena have found a way around this to create a system of cryptography that is invulnerable to electronic attack. Their solution is based on a special kind of one-time pad that generates a random key through the complexity of its physical structure, namely shining a light through a diffusive glass plate."


192 comments

Not too long until an iceberg attack is revealed (-1)

Anonymous Coward | about a year ago | (#43801823)

Not too long until an iceberg attack is revealed. While it may be damn hard, if there is a way for the intended recipient to read the message there will be a way for an unintended recipient to as well.

Re:Not too long until an iceberg attack is reveale (5, Informative)

Sockatume (732728) | about a year ago | (#43801881)

That's not the case with a properly used one-time pad. Normally you break a cipher by finding correlations due to the repeated use of a finite encryption key on different parts of a comprehensible plaintext. If either the message is random, or the encryption key is random and nonrepeating, then the message cannot be deciphered.

Unless you steal the pad, or force the user to repeat it.
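The two properties this comment relies on, as an added Python example that is not part of the thread and not the Caltech authors' code: with a uniformly random pad used once, any same-length plaintext is equally consistent with the ciphertext (there is nothing to correlate), whereas reusing one pad for two messages cancels the pad out and leaves an observer with the XOR of the two plaintexts. The sample messages are constructed.

```python
import os


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """XOR data against a pad at least as long as it; the same call encrypts and decrypts."""
    if len(pad) < len(data):
        raise ValueError("pad shorter than message: a pad is consumed, never stretched or repeated")
    return bytes(d ^ p for d, p in zip(data, pad))


def pad_that_explains(ciphertext: bytes, candidate_plaintext: bytes) -> bytes:
    """The pad value that would turn candidate_plaintext into ciphertext. For a uniformly random,
    single-use pad every candidate of the right length has exactly one such pad, all equally
    likely, so the ciphertext alone says nothing about which plaintext was sent."""
    return otp_xor(ciphertext, candidate_plaintext)


def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """If one pad encrypts two messages, c1 XOR c2 == p1 XOR p2: the pad cancels out and the
    observer holds the relationship between the two plaintexts (zero bytes where they agree)."""
    return otp_xor(c1, c2)


def zero_positions(leaked: bytes) -> list:
    """Positions an observer can mark as 'same byte in both messages' from the leak alone."""
    return [i for i, b in enumerate(leaked) if b == 0]


def demo() -> dict:
    # Constructed sample messages of equal length; the pad is fresh randomness.
    p1, p2 = b"MEET AT NOON", b"MEET AT DUSK"
    pad = os.urandom(len(p1))
    c1 = otp_xor(p1, pad)
    # Some other pad under which the very same ciphertext reads as a different message.
    alternative = pad_that_explains(c1, b"WAIT AT HOME")
    # The mistake: the same pad applied to a second message.
    c2 = otp_xor(p2, pad)
    leak = reuse_leak(c1, c2)
    return {
        "roundtrip": otp_xor(c1, pad),
        "alternative_reads_as": otp_xor(c1, alternative),
        "leak": leak,
        "positions_known_equal": zero_positions(leak),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The leak is the whole "iceberg": nothing about the pad is recovered, yet the eight leading zero bytes tell an observer that both messages start with the same eight characters, and any guess at one message immediately yields the other.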

Re:Not too long until an iceberg attack is reveale (5, Insightful)

Joce640k (829181) | about a year ago | (#43801929)

Nope. The OTP is truly unbreakable.

The only problem with it is that you need to secretly transmit the pad to the recipient. How do you do that? With a one-time-pad...?

Re:Not too long until an iceberg attack is reveale (1)

barlevg (2111272) | about a year ago | (#43802109)

The key here is that the OTP is a physical object (actually, TWO physical objects) that is not easily replicated (since it's surface imperfections that give rise to the randomness in the pad). So Eve would have to be in possession of Bob's pad at the time Alice was transmitting the message in order to decipher the message. If I'm understanding this correctly.

Re:Not too long until an iceberg attack is reveale (2)

Joce640k (829181) | about a year ago | (#43802173)

If you can meet up to exchange a piece of glass you can also exchange USB drives (or whatever) full of random numbers. It's just as secure as this method.

The innovation here is that nobody can make a copy of the piece of glass.

Or is it...? If Bob can create a OTP using the glass then so can Eve. All she does is sneak into his hotel room when he's asleep, generate his pad using his crystal and make a copy of it.

I fail to see how this is more secure than simply exchanging USB keys.

Re:Not too long until an iceberg attack is reveale (-1)

Anonymous Coward | about a year ago | (#43802313)

I fail to see how this is more secure than simply exchanging USB keys.

Well, you seem to be quite experienced when it comes to failing... Add reading comprehension to the list.

Re:Not too long until an iceberg attack is reveale (3, Funny)

JaredOfEuropa (526365) | about a year ago | (#43802509)

All she does is sneak into his hotel room when he's asleep, generate his pad using his crystal and make a copy of it.

Sounds like a metaphor for something kinky...

Re:Not too long until an iceberg attack is reveale (1)

Immerman (2627577) | about a year ago | (#43802809)

Not really - a USB drive is laughably easy to duplicate - that's kind of its purpose. Exactly duplicating (or even just characterizing) microscopic surface imperfections on a piece of glass on the other hand likely requires specialized hardware that a spy can't easily carry in a suitcase. At least assuming that a smooth protective layer is bonded over it to prevent mold creation (say glass with a much different refractive index).

So basically you're adding physical-key security to your OTP, which drastically strengthens the only major weaknesses of the technique.

Re:Not too long until an iceberg attack is reveale (5, Insightful)

smallfries (601545) | about a year ago | (#43802265)

The real key here is that there is no advantage to the device at all.

In the cryptographic protocol that the authors (all physicists) believe to be novel, but which every cryptographer is aware of:
1. The authors have a perfectly secure channel (separate from the one established in the protocol).
2. They exchange as much information over that channel as the device stores.
3. The later established channel can only use that number of bits.

For real excitement they xor together their OTPs. Sorry guys but this is called a pre-shared key and the crypto world is quite aware of it. Good luck with the window dressing getting you past the PC of a physics venue.

Re:Not too long until an iceberg attack is reveale (2)

barlevg (2111272) | about a year ago | (#43802407)

The breakthrough is the KIND of OTP that they're using: glass plates that, they believe, cannot be (easily?) duplicated, unlike a digital OTP would be.

Re:Not too long until an iceberg attack is reveale (0)

Anonymous Coward | about a year ago | (#43802775)

See Wikipedia for the generic concept behind this "breakthrough": PUF [wikipedia.org].

Re:Not too long until an iceberg attack is reveale (2)

david_thornley (598059) | about a year ago | (#43802797)

If the OTPs are in fact uncopyable, the authors don't need a perfectly secure channel. Alice sends plates to Bob. Eve intercepts the crate, and then what? If she can't copy the plates, she can either divert them or break them (in which case all we need is an authenticated, not secure, channel for Bob to report nondelivery), or let them proceed to Bob. If Bob doesn't report that he has the plates, then Alice sends another batch of plates until Bob reports that he has them. If Alice and Bob need to talk more than the shipped plates allow, Alice can ship more at any time. Eve can, if sufficiently diligent and successful, remove Alice and Bob's ability to communicate, but cannot intercept any message.

Of course, if it's possible to make a copy of a plate, it's no better than trying to securely send thumb drives.

Re:Not too long until an iceberg attack is reveale (4, Interesting)

K. S. Kyosuke (729550) | about a year ago | (#43802943)

What about a MITM attack? Doesn't Bob need to verify that the plates are actually the ones that Alice manufactured? You don't need to copy the plates to barge into the channel.

Re:Not too long until an iceberg attack is reveale (0)

Anonymous Coward | about a year ago | (#43802587)

The problem here is the OTP is not one-time.

Re:Not too long until an iceberg attack is reveale (1)

Big Hairy Ian (1155547) | about a year ago | (#43802633)

Oh, that's easy: just make sure the person you want to talk secretly to is called Eve!

Problem solved :)

Impossible? (2, Insightful)

Sockatume (732728) | about a year ago | (#43801825)

Couldn't you just steal the plate?

Re:Impossible? (4, Informative)

barlevg (2111272) | about a year ago | (#43801831)

That's generally the only way to crack a true one-time pad: steal the pad.

Re:Impossible? (1)

Sockatume (732728) | about a year ago | (#43801845)

Yeah, that's supposed to be what this problem solves, though, if I'm reading it right. Haven't they just taken a step back to having a physical OTP on your desk/in your shoe?

Re:Impossible? (4, Informative)

barlevg (2111272) | about a year ago | (#43801865)

Right: it sounds like it's TWO MATCHED OTPs (or, rather, one-time slabs), so Eve would need both Alice's slab AND Bob's slab to crack the communication. And if Alice and Bob are both in physical possession of the slabs, then Eve is better off using $5 cryptography [xkcd.com] to get at the message. The issue, of course, is that one-time pads aren't exactly practical, because, by definition, they're one-use-and-then-destroy. If you use an OTP more than once, it becomes vulnerable to cracking.

Re:Impossible? (0)

Anonymous Coward | about a year ago | (#43801873)

That's $5 cryptanalysis you insensitive clod!

Re:Impossible? (4, Informative)

L4t3r4lu5 (1216702) | about a year ago | (#43801887)

Eve is better off using $5 cryptography to get at the message.

Rubber Hose Cryptanalysis [wikipedia.org] Just FYI.

Re:Impossible? (4, Informative)

slim (1652) | about a year ago | (#43802421)

No, the two devices don't match. Each device contains a different several GB of random numbers (or I suppose, random transformations), encapsulated in the structure of the glass.

The two owners meet, and using both their devices, produce a "combined key". The combined key can be stored in a public repository. The shared OTP can be extracted from the combined key using either device.

The two parties exchange confidential data encrypted with bytes from the OTP until the OTP is all consumed. Then they must meet up again to create a new OTP.

There's nothing novel about the cryptography. What might be novel is the physical properties of the device used to allow someone to carry their personal list of random numbers around.

Re:Impossible? (5, Informative)

Hans Adler (2446464) | about a year ago | (#43801871)

Who would have thought that the f... article addresses this devilishly ingenious workaround?

"And even if Eve steals the glass, they estimate that it would take her at least 24 hours to extract any relevant information about its structure.

This extraction can only be done by passing light through the glass at a rate that is limited by the amount of heat this creates (since any heating changes the microstructure of the material). And the time this takes should give the owners enough time to realise what has happened and take the necessary mitigating actions."

Re:Impossible? (1)

Sockatume (732728) | about a year ago | (#43801905)

Right, it's difficult, not impossible. You need a sufficiently large time window to steal both pads and duplicate them.

Re:Impossible? (1)

bugnuts (94678) | about a year ago | (#43802139)

Just one of them is sufficient.

At least it's not the size of a manuscript anymore, so you don't need a guy with a handcuffed briefcase on one hand and a SMG on the other.

Re:Impossible? (1)

Anonymous Coward | about a year ago | (#43802161)

Sarah Michelle Gellar?

Re:Impossible? (1)

Sockatume (732728) | about a year ago | (#43802743)

If I'm reading it right (which is a shaky assumption) one pad is sufficient to decipher messages sent to that recipient, but both would be necessary to read messages going both ways.

Re:Impossible? (5, Funny)

rherbert (565206) | about a year ago | (#43801941)

What if you drop the glass plate? You're sure to crack it then.

Re:Impossible? (1)

Corbets (169101) | about a year ago | (#43802113)

That said, I think this light-based encryption solution is brilliant in the lab.

Re:Impossible? (1)

Sockatume (732728) | about a year ago | (#43802141)

I suppose my error here is letting the title's "uncrackable cryptography" override the summary's "invulnerable to electronic attack", which is absolutely true.

Moon Runes (5, Funny)

codemaster2b (901536) | about a year ago | (#43801847)

So, the message can only be read by the light of a moon the same shape and season that the message was written on?

Certs are complicated enough (1)

Anonymous Coward | about a year ago | (#43801849)

You try explaining to my computer illiterate relatives that they need to buy these special glass plates for their computer to communicate with the bank.

Re:Certs are complicated enough (1)

slim (1652) | about a year ago | (#43802071)

Just embed the glass in a credit card sized gizmo, and put a reader in laptops.

Obligatory XKCD (1)

stewsters (1406737) | about a year ago | (#43801851)

Re:Obligatory XKCD (0)

Anonymous Coward | about a year ago | (#43801923)

Not applicable. One time pads are used for encrypting transmissions, not storage. If you transmit the key before the message, you can make sure that the key is not compromised and only then encrypt and send your message. The person or system transporting the key can not reveal the message and the person or system transporting the encrypted message can not reveal the message because the key is transmitted separately.

Re:Obligatory XKCD (0)

Anonymous Coward | about a year ago | (#43801993)

Yeah, but they can throw a black bag over your head and take your glass plate. Once it works they no longer need you alive.

Re:Obligatory XKCD (1)

andy.ruddock (821066) | about a year ago | (#43802579)

If you transmit the key before the message, you can make sure that the key is not compromised and only then encrypt and send your message.

How do you make sure that the key is not compromised?

Re:Obligatory XKCD (1)

Immerman (2627577) | about a year ago | (#43802893)

Test it every 23 hours - supposedly it takes at least 24 hours with specialized equipment to duplicate the glass key without damaging it.

Re:Obligatory XKCD (3, Funny)

smallfries (601545) | about a year ago | (#43802281)

This [xkcd.com] seems a little bit more appropriate.

Re:Obligatory XKCD (1)

NatasRevol (731260) | about a year ago | (#43802449)

I think you guys broke xkcd.com

Fundamental problem (0)

Anonymous Coward | about a year ago | (#43801867)

If you know the clear text and the cypher text, you know the key and can reuse it. No system where the machine handling the clear text and the cypher text can be compromised is guaranteed to be secure, no matter how fancy your one time pad construction is.

Re:Fundamental problem (1)

barlevg (2111272) | about a year ago | (#43801875)

That's where the "one-time" part of the "one-time pad" comes in: you're only supposed to use an OTP cypher once before destroying it.

Physical vulnerability (3, Funny)

Anonymous Coward | about a year ago | (#43801879)

Uncrackable glass plates? Forget cryptography, you should get into the windshield business!

Shades of WarGames... (1)

Zelig (73519) | about a year ago | (#43801883)

SIR! TURN YOUR KEY!

Got it backwards (4, Insightful)

Monty845 (739787) | about a year ago | (#43801939)

A one time pad is impossible to crack in theory, but may be crackable if the method for generating the pad is flawed. Creating true randomness is a tricky proposition, and I don't see why it's safe to believe that "shining a light through a diffusive glass plate" will generate true randomness.

Re:Got it backwards (3, Informative)

Anonymous Coward | about a year ago | (#43801997)

On a photon-by-photon basis, refraction, diffraction, and anything less than total reflection are all quantum mechanical processes. It doesn't get more random than that. Sending photons through a partially transparent mirror has been a standard trick for generating random bits quantum mechanically for at least a decade that I know of. It sounds like this is the same principle.

Re:Got it backwards (2)

ledow (319597) | about a year ago | (#43802043)

But to be a useful one-time pad, don't you have to be able to repeat the results to decode the message?

Re:Got it backwards (2)

Corbets (169101) | about a year ago | (#43802119)

But to be a useful one-time pad, don't you have to be able to repeat the results to decode the message?

No. You have to distribute matched pads - one to the encoder, one to the decoder.

Thus, if someone gets his or her hands on a copy of the pad, decryption is trivial.

Re:Got it backwards (1)

ledow (319597) | about a year ago | (#43802317)

So at what point aren't "matched pads" repeats of the original pads, or devices which would repeat the results of the original pad?

This is my point - these pads aren't "random", because if they were they'd perform differently in two different devices. In which case, their results are surely trivially capturable and, thus, reproducible if you digitally capture the performance of a single example?

It's the old "if you can read it, so can anyone else with the same equipment, and so can you 'fake' it with sufficient knowhow" DRM problem.

Re:Got it backwards (1)

slim (1652) | about a year ago | (#43802755)

On some device when the two glass owners meet:

pad = generateRandomBytes(many GB)
combinedKey = encodeToCombinedKey(pad, glass1, glass2)
publishToInternet(combinedKey) // shared key i

Later, to send a message:

chunkOfPad = decryptSharedKey("http://repository/combinedKeyId", glassAlice)
cipherText = xor(plaintext,chunkOfPad)

To decode:

chunkOfPad = decryptSharedKey("http://repository/combinedKeyId", glassBob)
plaintext = xor(ciphertext,chunkOfPad)

There may be some novelty in the way the combinedKey is constructed (probably not).
The main novelty is in the properties of the glass (hence this being in an optics journal, not a cryptography journal).
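The protocol sketched in the pseudocode above, as an added Python model that is not part of the thread and not the Caltech authors' code. Assumptions of the model: each glass token is simulated by a secret seed fed through SHA-256 (standing in for the speckle readout fixed by the glass microstructure), the combined key is the fresh pad masked separately by each token's response so that either token unmasks it, and each endpoint hands out pad bytes strictly in order and overwrites them once used, so the "finished" state and refusal of reuse described later in the thread are explicit.

```python
import os
import hashlib


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("xor operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


class GlassToken:
    """Stand-in for one glass token. Assumption of this model: the physical device answers an
    illumination 'challenge' with a readout fixed by its microstructure. Here a secret seed plus
    SHA-256 plays that role; the seed is never exposed, only responses are."""

    def __init__(self) -> None:
        self._secret = os.urandom(32)

    def respond(self, challenge: bytes, n: int) -> bytes:
        out = bytearray()
        i = 0
        while len(out) < n:
            out += hashlib.sha256(self._secret + challenge + i.to_bytes(4, "big")).digest()
            i += 1
        return bytes(out[:n])


def make_combined_key(token_a: GlassToken, token_b: GlassToken, n: int) -> dict:
    """Done once with both tokens in the room. A fresh random pad is masked by each token's
    response; either owner can unmask it later, and the combined key is safe to publish."""
    challenge = os.urandom(16)
    pad = os.urandom(n)
    return {"challenge": challenge,
            "for_a": xor(pad, token_a.respond(challenge, n)),
            "for_b": xor(pad, token_b.respond(challenge, n))}


def extract_pad(combined: dict, token: GlassToken, side: str) -> bytearray:
    """Recover the pad from the public combined key with one token (side is 'for_a' or 'for_b')."""
    masked = combined[side]
    return bytearray(xor(masked, token.respond(combined["challenge"], len(masked))))


class PadEndpoint:
    """One direction of traffic for one party. Pad bytes are handed out strictly in order and
    overwritten after use, so no byte of pad is ever applied to two messages."""

    def __init__(self, pad: bytearray) -> None:
        self._pad = pad
        self.cursor = 0

    def _consume(self, offset: int, n: int) -> bytes:
        if offset != self.cursor:
            raise ValueError("pad offset mismatch: reuse or out-of-order use refused")
        if offset + n > len(self._pad):
            raise RuntimeError("pad exhausted: the owners must meet and build a new combined key")
        chunk = bytes(self._pad[offset:offset + n])
        self._pad[offset:offset + n] = bytes(n)  # best-effort wipe; Python gives no guarantee about copies
        self.cursor += n
        return chunk

    def send(self, plaintext: bytes) -> tuple:
        offset = self.cursor
        return offset, xor(plaintext, self._consume(offset, len(plaintext)))

    def receive(self, offset: int, ciphertext: bytes) -> bytes:
        return xor(ciphertext, self._consume(offset, len(ciphertext)))


def demo() -> tuple:
    alice_glass, bob_glass, eve_glass = GlassToken(), GlassToken(), GlassToken()
    combined = make_combined_key(alice_glass, bob_glass, n=64)  # published afterwards
    alice = PadEndpoint(extract_pad(combined, alice_glass, "for_a"))
    bob = PadEndpoint(extract_pad(combined, bob_glass, "for_b"))
    offset, ct = alice.send(b"meet at noon")
    # Eve holds the public combined key but a different token, so her 'pad' is unrelated noise.
    eve_pad = extract_pad(combined, eve_glass, "for_a")
    eve_view = xor(ct, bytes(eve_pad[offset:offset + len(ct)]))
    return bob.receive(offset, ct), eve_view


if __name__ == "__main__":
    print(demo())
```

Traffic in the other direction needs its own combined key and pad, which is why one token is enough to read what is sent to its owner but both are needed to read both directions; and the overwrite in `_consume` is the same discipline the later "delete and override each block as soon as it has been used" comment asks for, with the caveat that a high-level runtime cannot promise no other copy of the bytes exists.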

Re:Got it backwards (1)

jittles (1613415) | about a year ago | (#43802133)

But to be a useful one-time pad, don't you have to be able to repeat the results to decode the message?

No. With a proper random pad generation algorithm, you could never ever reproduce the exact same pad in two places, or at two separate times. You generate the pad once and use some other method (such as couriers) to deliver the pads to the people that need them. You also need a way to guarantee that the courier did not tamper with, sell, or copy the original pad. If you transmit via internet, you would use some previously arranged cryptographic exchange.

Re:Got it backwards (0)

Anonymous Coward | about a year ago | (#43802127)

Do they change the glass plate after every use?

Re:Got it backwards (1)

slim (1652) | about a year ago | (#43802837)

Do they change the glass plate after every use?

No, but once you've used a chunk of randomness, you don't reuse it, and eventually the glass plate is "finished".

TFA:

... it ought to be possible to generate a terabit of randomness from a single cubic millimetre of diffusing glass with higher-resolution equipment.

And even though this can only be used once, the slabs can be easily reset by heating the glass to change its microstructure at which point Alice and Bob must meet again to create a new set of combined keys.

Re:Got it backwards (1)

slim (1652) | about a year ago | (#43802157)

I don't think this is about quantum phenomena. The glass has a randomised construction, but it needs to be a repeatable source of randomisation.

The process seems to be: Both parties meet, and feed some random data into a process which uses both their glasses and produces a few GB of "combined key". Alice's glass and Bob's glass are different. But either can be used to extract the OTP from the "shared key".

Re:Got it backwards (1)

hcs_$reboot (1536101) | about a year ago | (#43802203)

This reminds me of an old Office file where the MS copyright text was encrypted thanks to a simple XOR value (a few bytes). (There is also that funny story at the time of a Linux tool that only needed the `-d` option to decipher a whole XLS, without providing any password...). Anyway, what was said at the time: while XOR encryption seems very weak, if the key itself is as long as the text to be encrypted, and if the key is based on reliable random values (and the key is kept secret), it is indeed a very strong encryption.

Re:Got it backwards (1)

JustinOpinion (1246824) | about a year ago | (#43802233)

This work seems to be based on this high-profile paper from 2002:
Ravikanth Pappu, Ben Recht, Jason Taylor, Neil Gershenfeld Physical One-Way Functions [sciencemag.org] Science 2002, 297 (5589), 2026-2030, doi: 10.1126/science.1074376 [doi.org]

Abstract: Modern cryptographic practice rests on the use of one-way functions, which are easy to evaluate but difficult to invert. Unfortunately, commonly used one-way functions are either based on unproven conjectures or have known vulnerabilities. We show that instead of relying on number theory, the mesoscopic physics of coherent transport through a disordered medium can be used to allocate and authenticate unique identifiers by physically reducing the medium's microstructure to a fixed-length string of binary digits. These physical one-way functions are inexpensive to fabricate, prohibitively difficult to duplicate, admit no compact mathematical representation, and are intrinsically tamper-resistant. We provide an authentication protocol based on the enormous address space that is a principal characteristic of physical one-way functions.

Basically, they create a slab of epoxy with a bunch of glass micro-spheres randomly distributed within it. When you shine light through it, the multiple refractions/scattering events lead to a complicated path for the various light beams, which interfere to generate a complicated light-speckle pattern on the other side. This multiple-scattering process is of course deterministic, but in practice it is so complicated that it is not feasible to reverse-engineer the internal structure of such a material. (In fact, the method exploits coherent scattering, and because the light-detector can only measure the amplitude (and not the phase) of the scattered light, the problem is formally 'ill-posed': there is no way to invert the coherent scattering data to obtain the material structure. Instead such problems can only be approximately solved with iterative processes; this can be made arbitrarily difficult by increasing the number of scattering entities (glass beads in this case)...) This is analogous to mathematical one-way functions: in principle you can crack them, but it takes an infeasible amount of time.

Ultimately the 'randomness' (uniqueness of a slab) comes from the initial preparation of the slab: you're basically 'freezing in' the random Brownian motion of the micro-particles. Thermal noise is a pretty robust source of randomness.

These slabs are neat in the sense that you can use them to generate multiple pads. A different illumination condition (incident angle, or light pattern) generates a new one-time-pad (see the paper for a discussion of 'how different' the illumination condition needs to be in order to yield an uncorrelated/unique one-time-pad), so one idea is for people to carry a single physical token and use it to generate different OTPs for different communications channels they care about.

These schemes are not without their downsides, of course, but it's a neat idea to use a physical structure (rather than mathematical function) to generate pseudo-random numbers. (These slabs don't require a battery to maintain their state; one could imagine secure ways of generating two identical slabs at fabrication time, and then giving them to the two parties; etc.)
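The authentication use of a physical one-way function that the quoted abstract describes, as an added Python model that is not part of the thread and not the Pappu et al. code. Assumptions of the model: the slab's microstructure is a secret seed, the "fixed-length string of binary digits" is SHA-256 of seed and challenge with a few bits flipped per readout to mimic measurement noise, and the verifier accepts a readout that lies within a Hamming-distance threshold of the response recorded at enrolment, spending each challenge once so that an observed response cannot be replayed.

```python
import hashlib
import secrets


def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("hamming operands must have equal length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


class NoisySlab:
    """Simulated physical one-way function. Assumption of this model: the slab's fixed
    microstructure is a secret seed and the speckle reduced to a bit string is SHA-256 of
    seed and challenge, with a few bits flipped per readout to mimic measurement noise."""

    def __init__(self, noise_bits: int = 3) -> None:
        self._secret = secrets.token_bytes(32)
        self._noise_bits = noise_bits

    def respond(self, challenge: bytes) -> bytes:
        bits = bytearray(hashlib.sha256(self._secret + challenge).digest())  # 256-bit identifier
        for _ in range(self._noise_bits):
            flip = secrets.randbelow(256)
            bits[flip // 8] ^= 1 << (flip % 8)
        return bytes(bits)


class Verifier:
    """Holds challenge-response pairs recorded while the genuine slab was present and spends
    each challenge once, so a response captured in transit cannot be replayed later."""

    def __init__(self, threshold_bits: int = 16) -> None:
        self._crps = {}
        self.threshold_bits = threshold_bits

    def enroll(self, slab: NoisySlab, count: int) -> None:
        for _ in range(count):
            challenge = secrets.token_bytes(16)
            self._crps[challenge] = slab.respond(challenge)

    def challenges_left(self) -> int:
        return len(self._crps)

    def authenticate(self, slab: NoisySlab) -> bool:
        if not self._crps:
            raise RuntimeError("no unused challenges left: re-enrol with the genuine slab present")
        challenge, expected = self._crps.popitem()
        # Two noisy readouts of the same slab differ by at most 2 * noise_bits; a different
        # slab's response is an unrelated 256-bit string, typically about 128 bits away.
        return hamming(slab.respond(challenge), expected) <= self.threshold_bits


def demo() -> dict:
    genuine, impostor = NoisySlab(), NoisySlab()
    verifier = Verifier()
    verifier.enroll(genuine, count=3)
    return {"genuine": verifier.authenticate(genuine),
            "impostor": verifier.authenticate(impostor),
            "left": verifier.challenges_left()}


if __name__ == "__main__":
    print(demo())
```

The threshold is the design knob: it must sit well above the noise of two honest readouts and well below the distance an unrelated slab produces, and the finite stock of recorded challenges is what limits how many authentications the enrolment buys before the two parties have to meet again.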

Random is hard. (2)

DarthVain (724186) | about a year ago | (#43802389)

I can't remember which book it was, maybe Cryptonomicon, but more likely The Ultra Secret, but it had some interesting stories about both the allies and axis having a hard time at this.

They used various ideas to try and "make" randomness into their one time pads. However all of these things had to be done by a person, as this was more or less before the advent of computers (well just before anyway). One such method had to do with using a deck of cards. However crackers were able to even find patterns among the people using (aka their tendencies in drawing cards or other such devices), so occasionally personnel would have to be "shuffled" themselves to different areas.

If you think about it, a computer is generating it from an algorithm, which may be complex, but is essentially a set of rules that can be determined. I have heard of some that try to utilize some sort of seemingly random event that is naturally occurring. However even these can be modeled over time.

The key really is to make it difficult enough so that the code breaker cannot really use the information obtained effectively. Unfortunately usually this involves additional overhead on the part of the cryptography as well, which of course reduces its usefulness as well.

Which is exactly why the allies took such great pains to prevent the axis from finding out that their unbeatable code had been broken. As it was they got complacent and lazy, and had they known, they would have changed their codes, and the allies would have to start all over again.

Re:Random is hard. (4, Interesting)

thoromyr (673646) | about a year ago | (#43802615)

I have heard of some that try to utilize some sort of seemingly random event that is naturally occurring. However even these can be modeled over time.

A good post, but I'm not sure you understand hardware based random number generation. At least one way to do it is have a small amount of radioactive material. Although it decays predictably in the long term (half life) it is random in the short term. By measuring the radioactive decay truly random numbers can be obtained.

Can you model this? Sure, but your model will either be a software based random number generator or it will be a hardware token. In either case it will *not* be the item in question at the time in question and will not allow you to determine what numbers were generated.

No system is foolproof, but all the interesting cracks in cryptography that I'm aware of come through side channels or demonstration that a method was not truly random. Human card shuffling is certainly not random -- not only is the process controlled by the shuffler, but there are distinct non-random patterns to it that allow stage magicians to take a stacked deck that is shuffled and still produce the desired result.

I think my favorite side channel attack was picking up the attenuated signal from the unencrypted side of a cryptography machine -- the British didn't have to crack the encryption used by the French embassy, they just read the plain text!

OTP are sexy and cool because they provide unbreakable encryption. As long as they are generated correctly (truly random) and distributed without tampering or exposure. The first is hard enough, but distribution on any scale means that not all of them will be free of tampering and exposure.

Re:Got it backwards (1)

Impy the Impiuos Imp (442658) | about a year ago | (#43802729)

Creating true randomness is a tricky proposition, and I don't see why its safe to believe that "shining a light through a diffusive glass plate" will generate true randomness.

They claim it passes statistical analysis tests for true randomness.

I would imagine such tests would also be useful to SETI to detect data transmission distinguishable from random noise. In this way, no decoding is needed to tell if there is information there. A concerted effort could bury non-random bits here and there, one out of millions, and get away with it, but not a general encrypted blob, much less just encoded data nobody is trying to hide.

In any case, it's 10gb, enough for a lifetime of text messages (the complete works of Shakespeare, IIRC, on Project Gutenberg, is only ~80 meg.)

Which then suggests the need for a metric -- how long should they trust a provably secure mechanism against standard spy techniques? Even both ends being locked in silos might not warrant a 10 year lifespan, much less security-through-obscurity of a field agent. Hell, just transmitting large blocks of 100% mathematically random data is a red flag. "One-time pad in use! Something very interesting going on here!"

Leaving traces (0)

Anonymous Coward | about a year ago | (#43801969)

Paper pads had the same problems that computers do today, that aren't so trivially dispensed with using the premise "when used correctly."

It's nearly impossible to "use correctly" a one-time pad on any computer or other electronic device. The moment you put the key into RAM, or worse, FLASH, you are leaving remnants that can allow the key to be recovered. It's a relatively complex process to recover old, erased data from memory, but it is done, every day.

You would need to create your ciphered data, then completely destroy the PC or electronic device used to create it, in order to have a perfectly unbreakable message.

Re:Leaving traces (1)

h4rr4r (612664) | about a year ago | (#43802089)

You cannot recover old data from memory. Hard disk maybe, but RAM is volatile. Turn off the machine and within seconds it will be gone.

Recovering data from a hard disk can also be made impossible. Simply encrypt the entire device. Without the key no recovery can occur.

Re:Leaving traces (1)

50000BTU_barbecue (588132) | about a year ago | (#43802147)

I thought so too.

http://en.wikipedia.org/wiki/Cold_boot_attack [wikipedia.org]

Back in the day on my VIC-20, I could see that data stayed for a few seconds but that was probably 6T SRAM with humongous feature sizes.

Re:Leaving traces (0)

Anonymous Coward | about a year ago | (#43802491)

Delete and override each block (e.g. 512 bytes) of the OTP as soon as it has been used for decryption. Any cold boot attack which could restore partially used and hence not yet deleted keys would also reveal the decrypted message as it also would be still in memory.

Re:Leaving traces (1)

weilawei (897823) | about a year ago | (#43802225)

Clearly, you've never used a can of compressed air held upside down and sprayed on the RAM to cool it down. Why, that might even allow someone to mount an attack [wikipedia.org]! Don't spout off BS when you're several years behind the news...

Re:Leaving traces (0)

Anonymous Coward | about a year ago | (#43802257)

Abstract: Contrary to popular assumption, DRAMs used in most modern computers retain their contents for seconds to minutes after power is lost, even at operating temperatures and even if removed from a motherboard. Although DRAMs become less reliable when they are not refreshed, they are not immediately erased, and their contents persist sufficiently for malicious (or forensic) acquisition of usable full-system memory images. We show that this phenomenon limits the ability of an operating system to protect cryptographic key material from an attacker with physical access. We use cold reboots to mount attacks on popular disk encryption systems — BitLocker, FileVault, dm-crypt, and TrueCrypt — using no special devices or materials. We experimentally characterize the extent and predictability of memory remanence and report that remanence times can be increased dramatically with simple techniques. We offer new algorithms for finding cryptographic keys in memory images and for correcting errors caused by bit decay. Though we discuss several strategies for partially mitigating these risks, we know of no simple remedy that would eliminate them.

Source: https://citp.princeton.edu/research/memory/ [princeton.edu]

There are some very illustrative videos there to show just what is possible. Enough to know that hard drive encryption is no cryptographic silver bullet.

Re:Leaving traces (1)

Anonymous Coward | about a year ago | (#43802363)

Like most concepts in security, once you have physical access, all bets are off on keeping your information secure. The point of this technology is to protect the data while in transit to the recipient.

Grammar Police Alert (0)

mamer-retrogamer (556651) | about a year ago | (#43801975)

way round

So just how round are these one time pads? Way round.

Is it new? (3, Interesting)

140Mandak262Jamuna (970587) | about a year ago | (#43801985)

I thought there was a similar technique used in WWII for communication between Churchill and FDR. Identical pairs of phonograph records were kept on both sides. Both sides would play a pair simultaneously, or as nearly as they could. Then technicians would use electronic delay and tune it so that they both are synchronized. Then add voice communication to the recorded sounds and transmit. On the receiving side they subtract the phonograph record sound and get the voice alone back. Each pair of phonograph records would be a one time pad. The encryption and decryption was analog, not digital. But apart from that, adding a "noise" as encryption and subtracting identical noise for decryption would be very similar to what the article is describing.

Was it really used? Or am I hazily recalling some spy novel stuff from Irwin Wallace or Alistair MacLean and mistaking it for real history?

Re:Is it new? (1)

barlevg (2111272) | about a year ago | (#43802065)

Looks like it was called POTUS-PRIME [cromwell-intl.com] , but I haven't yet found any more information than what's on that page.

Re:Is it new? (1)

bill_mcgonigle (4333) | about a year ago | (#43802361)

POTUS-PRIME

Great, now I have to imagine Roosevelt with Peter Cullen's voice saying, "Allied Forces, roll out."

Re:Is it new? (1)

140Mandak262Jamuna (970587) | about a year ago | (#43802069)

It was real [wikipedia.org] , my memory has not been addled. Not yet.

Re:Is it new? (1)

mbone (558574) | about a year ago | (#43802083)

That is indeed how the WWII "scrambler" phones worked, but that was not viewed as nearly as secure as a one time pad (required for all messages dealing with Enigma decrypts) and the Germans did decode at least some scrambler phone communications.

The cryptographic trouble is that the inherent correlations of the human voice are still present, just overlaid by noise, and you can use that knowledge to extract the signal (the voice) from the noise. It did prevent idle eavesdropping, which I think was more the point.

Re:Is it new? (1)

140Mandak262Jamuna (970587) | about a year ago | (#43802129)

Yes, plain scrambler was insecure. I just read the wiki about the project. They did a lot more than simply adding noise. They did some pulse code modulation, frequency shifting etc.

Re:Is it new? (1)

slim (1652) | about a year ago | (#43802107)

There's nothing new about one-time pads, and your story is plausible (I think I've heard it before).

OTPs have definitely been used in real spycraft. People were literally issued with a book of random numbers, to be very closely guarded.

What's new here is the way of storing OTPs so that they can't unobtrusively be copied.

Re:Is it new? (2)

140Mandak262Jamuna (970587) | about a year ago | (#43802179)

In what way is guarding a block of glass different from guarding a telephone book? The easiest one time pads are to get two copies of the same yellow pages. The caller specifies a page number. The receiver turns to that page. Ignore all the letters, collect all the phone numbers and write them down in sequence. You've got a one time pad.

Re:Is it new? (1)

slim (1652) | about a year ago | (#43802545)

In what way is guarding a block of glass different from guarding a telephone book?

You can trivially borrow a telephone book, copy what you need, then return it without the owner noticing.

TFA:

And even if Eve steals the glass, they estimate that it would take her at least 24 hours to extract any relevant information about its structure.

This extraction can only be done by passing light through the glass at a rate that is limited by the amount of heat this creates (since any heating changes the microstructure of the material). And the time this takes should give the owners enough time to realise what has happened and take the necessary mitigating actions.

... and their abstract...

Benefits of volumetric physical storage over electronic memory include the inability to probe, duplicate or selectively reset any random bits without fundamentally altering the entire key space

The easiest one time pads are to get two copies of the same yellow pages. The caller specifies a page number. The receiver turns to that page. Ignore all the letters, collect all the phone numbers and write them down in sequence. You've got a one time pad.

"Easiest", but not unbreakably secure in the manner of a truly random OTP.

Re:Is it new? (1)

thoromyr (673646) | about a year ago | (#43802649)

Easy does not mean secure. First hint: your phone numbers do not represent a random distribution of numbers. Better than nothing? Sure. Would it prevent me from cracking the encrypted message? Yes, but I'm not a cryptographer. The lack of any meaningful randomness would permit analysis and cracking.

Re:Is it new? (3, Informative)

JaredOfEuropa (526365) | about a year ago | (#43802657)

Those numbers aren't truly random and cryptanalysis can be applied to them. Especially if the attacker knows you're using the Yellow Pages (security through obscurity).

Re:Is it new? (1)

AvitarX (172628) | about a year ago | (#43802275)

It sampled every 20 milliseconds, and sent that as a number. I think you could call it digital.

Re:Is it new? (0)

Anonymous Coward | about a year ago | (#43802417)

Real or not, such a system is described in Cryptonomicon.

Expansion/Contraction (0)

Anonymous Coward | about a year ago | (#43802059)

Hope they keep this glass plate at a constant temperature, lest it shrink/grow changing your OTP key.

"New Cryptography" - I don't think so. (2)

bradgoodman (964302) | about a year ago | (#43802123)

One time pads are uncrackable only if the pad is truly random and perfectly secret. Everyone has known this for years. All they have done here is create a new way to generate random numbers. Any new way of generating random numbers would/could be equally applied to OTP crypto.

Nothing is impossible to crack... (0)

Anonymous Coward | about a year ago | (#43802165)

... brute force still works (but, of course, it could take a lot of time...)

Re:Nothing is impossible to crack... (3, Informative)

slim (1652) | about a year ago | (#43802269)

No, against a one-time pad, brute force won't work, because the key is never re-used, so you've no basis to know that any output from your decryption is more valid than any other.

The first 1024 bytes of Hamlet, XOR'd with 1024 truly random bytes, is indistinguishable from random bytes.

XOR that with the same bytes again, and you get 1024 bytes of Hamlet back.
XOR it with most random streams of bytes, and you'll get something that looks equally random.
XOR it with a particular different list of bytes, and you get 1024 bytes of Moby Dick.
XOR it with another list of bytes, and you get a version of Hamlet in which "Bernardo" is replaced with "Slashdot".

... and as an attacker, you've no way of knowing which one of those, if any, was the original plaintext.
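The key-ambiguity argument made above, as an added Python example that is not part of the post: for a ciphertext made with a one-time pad, every same-length candidate plaintext has exactly one key that produces it, so trying keys cannot single out the real one. The Hamlet and Moby Dick lines are constructed stand-ins for the excerpts in the comment.

```python
import os

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings: this one operation is both OTP encryption and decryption."""
    if len(a) != len(b):
        raise ValueError("a one-time pad key must be exactly as long as the data it covers")
    return bytes(x ^ y for x, y in zip(a, b))

def key_that_decrypts_to(ciphertext: bytes, candidate: bytes) -> bytes:
    """Return the one key under which `ciphertext` decrypts to `candidate`.

    Every candidate of the right length has such a key, and all of them are equally
    consistent with the ciphertext, so an attacker cannot tell which one was used.
    """
    return xor_bytes(ciphertext, candidate)

def differing_positions(a: bytes, b: bytes) -> list:
    """Indices at which two equal-length byte strings differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

# Constructed sample texts standing in for the comment's Hamlet and Moby Dick excerpts;
# both are space-padded to a common length so one key covers either.
N = 64
HAMLET = b"Who's there? Nay, answer me: stand, and unfold yourself.".ljust(N)
MOBY_DICK = b"Call me Ishmael. Some years ago, never mind how long...".ljust(N)
HAMLET_EDITED = HAMLET.replace(b"Nay", b"Yes")   # same text with one word swapped

KEY = os.urandom(N)                    # the real pad: truly random, used once
CIPHERTEXT = xor_bytes(HAMLET, KEY)

if __name__ == "__main__":
    print(xor_bytes(CIPHERTEXT, KEY))                                         # Hamlet back
    print(xor_bytes(CIPHERTEXT, key_that_decrypts_to(CIPHERTEXT, MOBY_DICK)))  # Moby Dick instead
    # The key that yields the edited Hamlet differs from the real key only where the texts differ.
    edited_key = key_that_decrypts_to(CIPHERTEXT, HAMLET_EDITED)
    print(differing_positions(KEY, edited_key) == differing_positions(HAMLET, HAMLET_EDITED))
```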

Re:Nothing is impossible to crack... (0)

Anonymous Coward | about a year ago | (#43802397)

That may not be the kind of brute force that the other AC had in mind.

Re:Nothing is impossible to crack... (0)

Anonymous Coward | about a year ago | (#43802507)

Maybe I'm missing something, but does an OTP key have an infinite length? I don't think so. If the key has a fixed length, you would have to use it multiple times to encode a long message, so in one case you get the full Hamlet, in another case you get 1024 bytes of Moby Dick and then garbage.

Am I wrong?

Re:Nothing is impossible to crack... (3, Interesting)

slim (1652) | about a year ago | (#43802617)

You are wrong.

The "one time" in "one time pad" means you never use a piece of key twice. The OTP needs to be as long (or longer than) the plaintext, and when you've used up your OTP, you need to get together and share a new one.

You can make an OTP last longer by compressing before encrypting, or by using OTP encryption to exchange temporary keys, to be used with other encryption methods.

Clearly you *could* re-use your OTP, perhaps starting from the beginning when you run out of bytes. But each time you do that you weaken your security.

Re:Nothing is impossible to crack... (1)

damnbunni (1215350) | about a year ago | (#43802335)

Actually no, brute force specifically doesn't work against OTP cryptography.

That's kind of the whole point of OTP.

At most you can determine the maximum length of the message. However, if you determine it's an eight word message there is absolutely no way to determine WHAT those eight words are without the key.

You also can't determine if the message is really eight words, or if it's five words banana popsicle meow.

Even theoretically infinite computing power will not suffice to crack a one time pad if it's used properly.

Re:Nothing is impossible to crack... (0)

Anonymous Coward | about a year ago | (#43802627)

OTP is even immune against brute-force.

Brute-forcing works only when you can detect a successful decryption. Your chances of finding "ATTACK AT DAWN" are exactly the same as "ATTACK AT DUSK" or any other meaningful message, and you can't decide which one is the original message.

I wonder... (0)

Anonymous Coward | about a year ago | (#43802315)

why they wouldn't use existing technologies (light-sensitive polymer inks, for instance) to make pairs of OTPs which both:
a) Have to be registered at a central authority to "recognize" the other station, and,
b) Destroy themselves as they're read, prohibiting copying.

Alice and Bob both grab a disk at CIA headquarters, Bob is sent to the American Embassy in Elbonia, and registers his OTP from that location with the State Department. Then, it's locked to that terminal, with his credentials, and the OTP wipes itself out as he goes...

Mallory would have to copy the OTP pad before first use, break into the VPN, and use Bob's credentials to send a forged message. Other than an over-the-shoulder camera or TEMPEST interception, I'm not sure how she could get snoop copies, other than HUMINT.

The question is (1)

nickol (208154) | about a year ago | (#43802349)

The question is: how soon will this diffusive glass become a forbidden substance?

nothing new (1)

stenvar (2789879) | about a year ago | (#43802481)

Random physical structures have been used for this purpose for decades.

Re:nothing new (1)

nsaspook (20301) | about a year ago | (#43802783)

Random physical structures have been used for this purpose for decades.

Yes, using PUF devices for OTP, challenge/response and key generation is old tech.

All you really need is a large SRAM structure to generate unique random bits for each device. A simple microcontroller with a large SRAM block works nicely.
http://trudevice.com/Workshop/program/13%20M.%20Platonov%20TRUDEVICE_2013.pdf [trudevice.com]

Re:nothing new (1)

SuiteSisterMary (123932) | about a year ago | (#43802865)

One of my personal favourites was one that took digital pictures of four different colored lava-lamps and used that to generate the random stream.

Completely impractical, i.e. worthless (2)

gweihir (88907) | about a year ago | (#43802559)

A secure one-time pad with classical means is easy to do. You just need to secure the system where the pad is applied adequately. You need to do the same thing with this hype-device. Hence it has zero advantages over other implementations of the one-time pad, but a lot of drawbacks.

I would suggest that these people are not stupid and know of the severe drawbacks. I would also suggest they are just completely unethical lying scum and grant or investment money is the only thing counts for them.

Variations on this are the only way. (1)

Karmashock (2415832) | about a year ago | (#43802805)

All top secret information should flow through one time pad systems.

Look at it this way. What does disk space cost these days? Imagine getting a 30 gigabyte one time pad file on its own little SSD drive. How much data could be passed back and forth as theoretically unbreakable encryption? At the very least 30 gigabytes of data. In practice, probably at least a magnitude beyond that.

Re:Variations on this are the only way. (1)

mbone (558574) | about a year ago | (#43802889)

All top secret information should flow through one time pad systems.

Look at it this way. What does disk space cost these days? Imagine getting a 30 gigabyte one time pad file on its own little SSD drive. How much data could be passed back and forth as theoretically unbreakable encryption? At the very least 30 gigabytes of data. In practice, probably at least a magnitude beyond that.

No, at most 30 gigabytes. The next byte you send will start to reveal previous traffic.

Be wary (2)

mbone (558574) | about a year ago | (#43802869)

Three things are required for a one time pad - that the key be shared, random and non-repeated. A one time pad is very much breakable if the key is not both random and non-repeated, and the biggest problem with its use can be the sharing of the keys.

The Soviet "Venona" traffic was decoded because they reused pads (keys), rendering the message decryption straightforward, and also revealing the keys. The revealed keys were found to have some further weaknesses, as they were made manually (apparently by secretaries told to type randomly on their typewriters). These weaknesses included an avoidance of repeated characters, a tendency to alternate hands (a character on the left side of the keyboard would be likely to be followed by one on the right), and (IIRC) a preference for character pairs and triplets that didn't require too much stretching of the hands. (On the top line of a QWERTY keyboard, this means that, say, an initial "q" would be unlikely to be followed by another "q", that it would be likely to be followed by a letter in the "u - p" range, and that the third character would be more likely to be a q, w or e than an r, t or y.)

Now, officially, that amount of manual non-randomness wasn't enough to break further Soviet one time pad encryptions, but I suspect that they were. I have also heard rumors that later use of random keys generated by electronic circuits had problems, as the physical limitations of the electronic circuitry imposed a low-pass filtering that made these keys, again, not totally random. Note that true randomness is what is needed here - common digital pseudorandom techniques, such as hashing with SHA-1, may help to obscure weaknesses, but they will not make a non-random key random.

In this case, I would worry very much about

- whether the physical technique produces a truly random key, and
- how to satisfy myself that today's random key is totally independent of every previous key. If this is, say, dependent on where the laser is pointing in the glass, how far apart does each pointing need to be to make sure that the results are independent, and can I securely verify that today's direction is sufficiently different from every previous time, and
- as the technique is passing an initial sequence of bits through the randomizer glass, how random does the initial sequence need to be? What weaknesses are imposed by non-randomness in that initial sequence?

I could easily see this technique being secure in theory but massively broken in practice by some weakness in how the glass is made or handled or in the initial keys.

Note, by the way, that the two parties must physically get together to generate the key, so in a sense this is really a secure key storage device. Once they use up their stored keys, they have to meet again to be able to send more messages, which of course is the real problem with one time keys (and why, for example, the Soviets reused some of the Venona keys).

And, finally, this technique might make a cool way of doing truly secure hashing.

True Randomness is Possible... (1)

BoRegardless (721219) | about a year ago | (#43802925)

When you get loaded.
