[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: POTP critques?

To: [email protected], [email protected]
Subject: Re: POTP critques?
From: [email protected] (Anonymous)
Date: Fri, 18 Oct 1996 22:35:10 +0200 (MET DST)
Organization: Replay and Company UnLimited
References: <[email protected]>
Sender: [email protected]
XComm: Replay may or may not approve of the content of this posting
XComm: Report misuse of this automated service to <[email protected]>

Peter Trei <[email protected]> wrote:

> An acquaintence of mine works at a firm with little cryptography
> experience. They are thinking of including cryptography in a 
> future product, and Elementrix's Power One Time Pad is a
> serious contestant.
> 
> I'm looking for independent critiques of the system, something
> better than 'it's not really a one-time pad.' Is the cryptosystem
> which is actually implemented worth a damn? Does their claim
> to have solved the key distribution problem hold water? I
> seem to remember something about them wanting to
> generate keys for you, and ship them to the customer. Is this
> correct?

Not quite.  What the program actually does is the first time you send a
message, it generates an initial key and sends the key - in plaintext -
to the recipient.  Then the first message is encrypted with this key.
So the system initially has absolutely no security at all.  

The second message sent is encrypted with a hash of the first message as
a key.  The third message is encrypted using a hash of the second message,
and so forth.  So each time you send a new message, you in effect send
a new key, encrypted with the old key.  Their theory is that if the
eavesdropper misses a message, then he loses the key, and can't decrypt
the messages anymore.

Of course, if the intended recipient loses a message then he loses the key
for subsequent messages too.  Thus we have a nice little denial-of-service
attack.  They prevent this via a "emeregency resynchronization" procedure
(which they seem quite proud of, and their web pages congratulate
themselves repeatedy on the purported cleverness of this).  Of course, this
"resnchronization" is based upon a pre-arranged key, which the eavesdropper
should already have, if he's been decrypting their mail.  Even better,
the attacker can synchronize with one or both parties, performing a
man-in-the-middle attack and/or spoofing them.

So basically the system will stand up to a passive sniffing attack only if
the eavesdropper is clumsy and loses messages, and doesn't stand up to a 
denial-of-service or man-in-the-middle attack at all.  And I haven't even
considered implementation bugs yet.

References:
- POTP critques?
  - From: "Peter Trei" <[email protected]>

Prev by Date: Re: Identity is Just Another Credential...
Next by Date: Re: POTP critques?
Prev by thread: POTP critques?
Next by thread: Re: POTP critques?
Index(es):
- Date
- Thread