Security is Relative, not Absolute

Many security products promise the moon and stars with ridiculous statements such as “stop hackers” and “100% safe”–which are misleading at best and dirty lies at worst. No one likes to be uncomfortable about security, but the truth is very uncomfy indeed:  there is no such thing as absolute security in information security, especially on the leakiest of untight and unwieldy ships, the U.S.S. Internet.

Kleptography is the new reality, and kleptotrojans in random number generators/compilers/key generators are a lethal threat.  What is kleptography you ask?  Kleptography is using encryption to steal everything on your computer without your knowing.

Getting on the internet means being open to the delivery of kleptographic tools.  Almost as bad, we now have the internet of things (IoT), another series of threats.  What is the solution?  For the information that you want to keep private, you must go off-line.  If your life depends on it, air gapping is the only solution.  If you are using a computer, as you probably are at this moment, everything on that computer is up for grabs.  That is fine, as long as you know it and you don’t mind that what is on there can be lifted very easily.

But there is strong security and near-absolute security for all levels of information.  We can have a high expectation of privacy, anonymity, or both, with good products and best practices.

Using a product such as Protonmail for your email provider is an instance of employing strong security to ensure privacy.  Encrypting a file off-line with a symmetric cipher such as CAMELLIA256 and hashing it with SHA512, and sending that over Protonmail would be even better.  Using a one-time pad, encrypting it with an appropriate public key or a symmetric cipher, and sending that over an end-to-end encrypted provider like Protonmail is near-absolute security (NAS).  NAS is as good as it gets. Done properly, such a message will remain unter vier Augen, and will have never really existed once the key to the one-time pad is destroyed.

That said, one must be careful to be aware and to follow the laws that apply to cryptography in your area.  For example, in Thailand it is illegal to destroy keys.  In Thailand, you can use symmetric keys, but you must keep a copy because that is the law.  Find out what the laws are for cryptography in your jurisdiction.

Advertisements

Can One Use Numbers as a One-Time-Pad Key? (a question at Cryptography Stack Exchange)

Yes, you can use numbers as a one-time-pad key. In fact, the CIA used to do it all the time, as did many.

When you use numbers the plaintext becomes letters by referring to a conversion table such as the venerable “Tapir” used by the STASI.

enter image description here

Here the addition will be modulo 10. Vernam Cipher, or the one-time pad (OTP), can also be done modulo 2:

SENDING


message: 0 0 1 0 1 1 0 1 0 1 1 1 … pad: 1 0 0 1 1 1 0 0 1 0 1 1 … XOR ————————— cipher: 1 0 1 1 0 0 0 1 1 1 0 0 …

RECEIVING


cipher: 1 0 1 1 0 0 0 1 1 1 0 0 … pad: 1 0 0 1 1 1 0 0 1 0 1 1 … XOR ————————— message: 0 0 1 0 1 1 0 1 0 1 1 1 …

Or it can be done modulo 26 (with English letters, for example):

Plaintext: DARLING THE NIST CURVES HAVE BEEN COMPROMISED AND MY RANDOM NUMBER GENERATOR HAS A KLEPTOGRAPHIC BACKDOOR I FEEL SAD

Key: NLQVT ZBOFW MFAVS RJMDE PGNEX GGQMU VOFNE PBWXT ICDWK VEEYL EGVWS ZRDKD IDJGO HWKFF MBEGA KEUNQ BEYDO


Ciphertext: QLHGB MHHMA ZNSOU LAHHW WGIIY KKDOI HDWBQ XTAAT VFPUB VRHMX RAHXW QXHXH ZDCUF OWCFP XFTZO QVUCX JGZDQ MUYBN VQUZE RBR

Here is one example of what a CIA one-time-pad key looked like during the Cold War:

enter image description here

Create a free website or blog at WordPress.com.

Up ↑