Re: POTP critiques?
Peter Trei <[email protected]> wrote:
> An acquaintance of mine works at a firm with little cryptography
> experience. They are thinking of including cryptography in a
> future product, and Elementrix's Power One Time Pad is a
> serious contestant.
>
> I'm looking for independent critiques of the system, something
> better than 'it's not really a one-time pad.' Is the cryptosystem
> which is actually implemented worth a damn? Does their claim
> to have solved the key distribution problem hold water? I
> seem to remember something about them wanting to
> generate keys for you, and ship them to the customer. Is this
> correct?
Not quite. What the program actually does is the first time you send a
message, it generates an initial key and sends the key - in plaintext -
to the recipient. Then the first message is encrypted with this key.
So the system initially has absolutely no security at all.
The second message sent is encrypted with a hash of the first message as
a key. The third message is encrypted using a hash of the second message,
and so forth. So each time you send a new message, you in effect send
a new key, encrypted with the old key. Their theory is that if the
eavesdropper misses a message, then he loses the key, and can't decrypt
the messages anymore.
Of course, if the intended recipient loses a message then he loses the key
for subsequent messages too. Thus we have a nice little denial-of-service
attack. They prevent this via an "emergency resynchronization" procedure
(which they seem quite proud of, and their web pages congratulate
themselves repeatedly on the purported cleverness of this). Of course, this
"resynchronization" is based upon a pre-arranged key, which the eavesdropper
should already have, if he's been decrypting their mail. Even better,
the attacker can synchronize with one or both parties, performing a
man-in-the-middle attack and/or spoofing them.
So basically the system will stand up to a passive sniffing attack only if
the eavesdropper is clumsy and loses messages, and doesn't stand up to a
denial-of-service or man-in-the-middle attack at all. And I haven't even
considered implementation bugs yet.
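Added here as an illustration, not code from the post or from Elementrix: a Python model of the chaining the post describes (initial key sent in the clear, each later key a hash of the previous message). It assumes the hashed "message" is the plaintext and uses SHA-256 in counter mode as a stand-in for the undisclosed pad generator; running it shows that whoever saw the initial key follows the whole chain, and that one missed message desynchronises the legitimate recipient exactly as it does the eavesdropper.

```python
import hashlib

INITIAL_KEY = b"initial-key-sent-in-the-clear"  # constructed; stands in for the key POTP ships in plaintext


def keystream(key: bytes, length: int) -> bytes:
    """Expand a key into a pad with SHA-256 in counter mode (stand-in for POTP's undisclosed pad generator)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))


class Party:
    """Holds the current chain key; each processed message replaces it with a hash of that message."""

    def __init__(self, key: bytes):
        self.key = key

    def encrypt(self, plaintext: bytes) -> bytes:
        ciphertext = xor(plaintext, keystream(self.key, len(plaintext)))
        self.key = hashlib.sha256(plaintext).digest()  # assumption: the hashed "message" is the plaintext
        return ciphertext

    def decrypt(self, ciphertext: bytes) -> bytes:
        plaintext = xor(ciphertext, keystream(self.key, len(ciphertext)))
        self.key = hashlib.sha256(plaintext).digest()  # a wrong key here poisons every later key
        return plaintext


def run_chain(messages, recipient_misses=(), eavesdropper_misses=()):
    """Return (what the recipient recovers, what a passive eavesdropper recovers); None marks a missed message."""
    sender, recipient, eavesdropper = Party(INITIAL_KEY), Party(INITIAL_KEY), Party(INITIAL_KEY)
    got_recipient, got_eavesdropper = [], []
    for i, plaintext in enumerate(messages):
        ciphertext = sender.encrypt(plaintext)
        got_recipient.append(None if i in recipient_misses else recipient.decrypt(ciphertext))
        got_eavesdropper.append(None if i in eavesdropper_misses else eavesdropper.decrypt(ciphertext))
    return got_recipient, got_eavesdropper


if __name__ == "__main__":
    msgs = [b"first", b"second message", b"third"]
    print(run_chain(msgs))                         # both follow the whole chain from the plaintext key
    print(run_chain(msgs, recipient_misses={1}))   # recipient desynchronised: message 3 comes out as garbage
```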