
The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] Which cipher to use?

On Tue, 4 Jun 2002, Micah Cowan wrote:

> Bill Broadley writes:
>  > Xor is 100% secure if your key is as long as your data, otherwise known
>  > as the otp = one time pad.  If it's less, it is indeed rather easy to break.
>
> This is really picky of course, but the other criteria for "secure use
> of Xor", in addition to having a key at least as long as your data,
> is:
>
>   1. That it be a random sequence - *truly* random.  This rules out
>      using "passphrases" and the like.  *All* passphrases or passwords
>      are extremely insecure for Xor, regardless of length.
>
>   2. That it be used only one time, and then discarded - never to be
>      used again.
>
> The combination of those three requirements (counting yours), is what
> makes something a one-time pad, or "Vernam Cipher".  (I know you know
> this stuff, Bill - but I'm pointing it out for any who don't).
==8<--

One-time-pad (of which XOR is one method) is still not secure even if you
follow the "standard rules" (the ones Micah points out.)  One way the
message could be compromised is if the adversary messes up your
communication.  Example:

   1. I send the message "I'll meet you at 10 O'Clock", XORed.

   2. Adversary intercepts the message.  S/he has no clue what it says,
      but s/he knows it's about some meeting.  In a random spite,
      s/he changes a random character.

   3. The recipient receives the message "I'll meet you at 11 O'Clock".

The message has now been compromised even though the adversary did not
know what the original message was.  It took a little luck, but it's not a
bad chance, if all the adversary wants to do is confuse the recipient.  I
guess if the adversary could do the above, s/he could also simply not
forward the message until the recipient dies from old age, too.  But all
these issues are important concerns one should be aware of in security;
one can't blindly use a technique just because someone tells you it's
secure, but one also needs to be aware of all the issues.

BTW, to get around problems like this, you could include a checksum
(actually, better to compress the data, too, for other reasons), and send
messages at predetermined times to verify you're not losing messages...
but that brings other concerns like "what happens if you need to send
messages at random times?"

Anyway...

-Mark

--
Mark K. Kim
http://www.cbreak.org/
PGP key available upon request.

_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
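The scenario Mark describes, worked through as an added example (this is not code from the original post or from the list): a one-time-pad XOR layer, an adversary who changes one ciphertext byte without knowing the key, and a recipient who either has no integrity check or verifies a keyed tag over the ciphertext. The message text is taken from the post; the pad, the shared authentication key and the tampering position are constructed at run time, and the use of HMAC-SHA256 as the "checksum" is this example's choice, not the author's.

```python
import hashlib
import hmac
import secrets


def otp_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with a pad that is at least as long as it."""
    if len(key) < len(plaintext):
        raise ValueError("one-time pad must be at least as long as the message")
    return bytes(k ^ p for k, p in zip(key, plaintext))


# XOR is its own inverse, so decryption is the same operation.
otp_decrypt = otp_encrypt


def tamper_random_byte(ciphertext: bytes) -> tuple[bytes, int]:
    """Model of the adversary in the post: change one ciphertext byte at
    random, knowing nothing about the pad or the plaintext."""
    index = secrets.randbelow(len(ciphertext))
    delta = 1 + secrets.randbelow(255)  # any non-zero change to that byte
    edited = bytearray(ciphertext)
    edited[index] ^= delta
    return bytes(edited), index


def mac_tag(mac_key: bytes, ciphertext: bytes) -> bytes:
    """Keyed integrity tag over the ciphertext (HMAC-SHA256, example choice)."""
    return hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def mac_verify(mac_key: bytes, ciphertext: bytes, tag: bytes) -> bool:
    """Constant-time comparison so the check itself leaks nothing."""
    return hmac.compare_digest(mac_tag(mac_key, ciphertext), tag)


def run_scenario(message: bytes) -> dict:
    """Encrypt, alter one byte in transit, and report what the recipient
    sees with and without an integrity check."""
    pad = secrets.token_bytes(len(message))  # fresh, random, used once (constructed)
    mac_key = secrets.token_bytes(32)        # pre-shared authentication key (constructed)

    ciphertext = otp_encrypt(pad, message)
    tag = mac_tag(mac_key, ciphertext)

    tampered, index = tamper_random_byte(ciphertext)
    received_plain = otp_decrypt(pad, tampered)

    # With XOR alone, a one-byte change in the ciphertext becomes a one-byte
    # change in exactly the same position of the plaintext; nothing else moves.
    changed_positions = [
        i for i, (a, b) in enumerate(zip(message, received_plain)) if a != b
    ]

    return {
        "round_trip_ok": otp_decrypt(pad, ciphertext) == message,
        "tampered_index": index,
        "changed_positions": changed_positions,
        "accepted_without_mac": True,  # the XOR layer has no way to reject it
        "accepted_with_mac": mac_verify(mac_key, tampered, tag),
        "genuine_accepted_with_mac": mac_verify(mac_key, ciphertext, tag),
    }


if __name__ == "__main__":
    for name, value in run_scenario(b"I'll meet you at 10 O'Clock").items():
        print(f"{name}: {value}")
```

The point the output makes is that the pad gives confidentiality but no integrity: the altered byte decrypts to a different character in the same position and the recipient has no way to tell. A keyed tag over the ciphertext rejects the altered message while still accepting the genuine one. The key used for the tag has to be pre-shared, like the pad, and it is a stronger choice than the plain checksum Mark mentions: a linear checksum such as a CRC carried inside the XOR layer can be adjusted consistently with the altered bytes, whereas a keyed MAC cannot be recomputed without the key.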


