[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: worldwide announce: New OTP Mail/FTP apps





>> One initial connection is all that is needed to have a secure
>> connection for the lifetime of the two communicating parties. This
>> initial connection can be accomplished via any number of ways. It
>> does involve an initial one time only shared secret. This is much
>> different than the many shared secrets and key management issues of
>> private and public key systems.  For the initial connection you can
>> stick the machines back to back if you are really worried about
>> security. This initial transaction serves as a seed for subsequent
>> transactions. All subsequent transactions depend on preceding
>> transactions. A degree of randomness comes from the randomness of
>> the messages. Each next word in the message is random.
>
>I'm a little new to this, but I thought the whole idea behind keys was
>not having to whisper "secrets" to someone on the other side of a
>crowded mall. Most people don't have the luxary of connecting their
>computers back to back with someone on the other side of the world
>just to ensure a secure communications path. Ther would have to be
>some mechnisms to ensure that secure delivery of your "secret", and
>that brings us back to key management, so the whole thing is rather
>self defeating.
>
>Christopher
>
>
>

Remember, that's only one of the options for the truly paranoid. If you want,
you can just use their (for now secret) keying implementation on the floppy
disk for the first exchange.
 I feel a little uncomfortable with this at the moment (as I'm sure do most
of the other readers). The algorithm, once revealed should be a very interesting
read.
 However, this does not bring us back to key management in the sense of
traditional public or private cryptosystems. Since the entire communication
hinges on the first successful exchange, this is the exchange where they
key is most critical. I believe they have an option for entering a secret
key (initialization vector it seems) as well. So, presumable you could call
somebody on the phone, or send them a PGP message, or whatever, to exchange
this initial key. 
 It still seems to me that once this initial communication is out of the way,
that the product will work fairly well. I see it as an excellent way, in
our situation, to provide remote professors and students secure communication
paths to our network in the future (hinging on the development of some kind
of telnet client).  I rather think that the whole public/private key
thing is self-defeating... computers get more powerful, key gets hacked...
key size increases.. etc.. etc.. This sounds like a novel alternative. People
interested in non-disclosure analsysis may wish to contact the company.

Elementrix: 212-888-8879, 850 Third Avenue NY, NY 10022 (North America
office)

I'm not sure what, if any, real cryptanalysis has been done on this. David
Kahn himself admitted he wasn't an expert cryptanalyst. I don't know if anybody
has done any in depth review or subjected it to differential cryptanalysis
of any kind.

 It seems to be a OTP/stream cipher of some kind.. subsequent number depending
on previous numbers. I don't know if its possible to prove that the sequence
will never repeat, having not seen the algorithm. But if it did not, it would
seem to be strong enough. Too many questions, too few answers.

--
____________________________________________________________________________
Doug Hughes					Engineering Network Services
System/Net Admin  				Auburn University
			[email protected]
	Apple T-shirt on Win95 - "Been there, done that"