Australian Gov't Offers $560k Cryptographic Protocol For Free
mask.of.sanity writes "Australia's national welfare agency will release its 'unbreakable' AU$560,000 smart card identification protocol for free. The government agency wants other departments and commercial businesses to adopt the Protocol for Lightweight Authentication of ID (PLAID), which withstood three years of design and testing by Australian and American security agencies. The agency has one of Australia's most advanced physical and logical converged security systems: staff can access doors and computers with a single centrally-managed identity card, and user identities can be automatically updated as employees leave, are recruited or move to new departments. PLAID, which will be available soon, is to be used in the agency's incoming fleet of contact-less smartcards that are currently under trial by staff. It will replace existing identity cards that operate on PKI encryption."
Surprisingly sedate acronym (Score:4, Insightful)
Re: (Score:2)
Why? We aren't talking about something like disk encryption where the government might supposedly want to have a secret backdoor they could use to snoop on your data.* We're talking about smart cards that are going to be used by the government itself to provide security to that government's own premises. What motive would they have for concealing problems?
Even supposing they found cryptographic we
So when it gets replaced (Score:5, Funny)
A little more info (Score:5, Informative)
Re:A little more info (Score:5, Informative)
The protocol looks unremarkable. They pass some entropy and IDs back and forth, using conventional standards based encryption and hash algorithms.
Their problem is keeping the cards secure and they state clearly that they are using commercially available smart cards.
There are secrets in the cards, an RSA private key and an AES master key. The bigger problem is keeping these secrets in the cards and distributing the keys to cards. The PLAID protocol has no bearing on these matters.
Re:A little more info (Score:5, Informative)
There are secrets in the cards, an RSA private key and an AES master key. The bigger problem is keeping these secrets in the cards and distributing the keys to cards. The PLAID protocol has no bearing on these matters.
Which is fine, because those problems are easily solved.
Commercially-available smart cards provide a rather high degree of security. Extracting keys from them isn't impossible (nothing is), but it is very difficult and expensive. I design high security systems for a living, and we have no concerns about the security of the cards themselves, because experience shows it's just not an issue.
What we do focus on is the security of the issuance process, because that's where those keys get injected. That problem is also solvable, mainly by performing the key injection in secure facilities using highly secure devices (FIPS 140-2 level 4 certified hardware security modules). It's expensive and complex (from a management and process perspective, not a technical perspective), but a high degree of security is achievable.
The protocol looks unremarkable. They pass some entropy and IDs back and forth, using conventional standards based encryption and hash algorithms.
It is unremarkable, which is one of its most significant strengths. It's just a lighter-weight approach to the problem, one that can be implemented efficiently on current-generation hardware. Previously, PK authentication on smart cards was considered too slow to use for physical access control and other applications where sub-second authentication was required. Faster smart cards coupled with a lightweight authentication protocol mean that PK authentication can be completed reliably in as little as 200 ms. That's fast enough to use it for transit applications.
Re: (Score:2)
Yes.
Re: (Score:3, Insightful)
If it's so unremarkable, what makes it worth half a million Australian dollars, then? Unremarkable patent, perhaps?
How do you define the "worth" of a protocol?
Secure protocols are hard to design because there are a lot of subtle errors that can be made. It takes a lot of work by a lot of smart people to make sure that none have been -- and it's even harder if the protocol breaks new ground.
I suspect that the half-million figure is an estimate of how much has been put into the design and verification of the protocol. That's a goodly amount of work. Had the protocol been extremely novel, verifying it to the world's
Re: (Score:2)
> Their problem is keeping the cards secure and they state clearly that they are using commercially available smart cards.
The other problem is the use of an RFID interface. Unless you have a metal wallet, your card would be vulnerable to third party use as long as they can get close enough to your wallet. The normal readers can only bridge a few centimeters, but there is no reason why with proper signal amplification it should not work over a meter or more. Suddenly new attack scenarios become feasible t
Re: (Score:2)
You missed the bit about it performing strong mutual authentication. What third party attacks are you concerned about?
Re: (Score:3, Informative)
Not to mention the "new attack scenarios" do not include simple copying of the card UUID, so radio-based attacks would need to be interactive:
1. Attacker camps out at door with radio equipment
2. Attacker
Re:A little more info (Score:5, Interesting)
The protocol looks unremarkable. They pass some entropy and IDs back and forth, using conventional standards based encryption and hash algorithms.
That's a good thing.
Their problem is keeping the cards secure and they state clearly that they are using commercially available smart cards.
Which is also a good thing, as long as these cards have been analyzed well. I would be worried if they were using cards with "military grade" security meaning that they were only analyzed by few, without any standardized security level like FIPS or CC.
There are secrets in the cards, an RSA private key and an AES master key. The bigger problem is keeping these secrets in the cards and distributing the keys to cards. The PLAID protocol has no bearing on these matters.
Sorry, but you are wrong on both matters.
The RSA private key and AES master keys are not on the card. It contains the RSA public key and the AES derived key (one that is specific to the card).
There are many interesting things about this protocol. Let's have a list so I can get a few mod points on this old discussion:
Ok, for some disadvantages
All in all, this protocol is very interesting for mutual authentication. I'll have to look into it further (e.g. how much the private key needs to stay private).
It is the fastest protocol (Score:3, Funny)
While some crypto protocols are capable of ludicrous speed, this protocol can go plaid.
PLACID (Score:5, Funny)
That's a much better acronym than the originally proposed Protocol for Automated National Identification and Control.
Re:PLACID (Score:5, Funny)
That's a much better acronym than the originally proposed Protocol for Automated National Identification and Control.
Or the lesser known Protocol for Enhanced Network and Internet Security.
Re:PLACID (Score:4, Funny)
Nobody Asked Me Before Labeling the Authentication!
Yeah Right... (Score:5, Insightful)
Re:Yeah Right... (Score:4, Informative)
Given Australian government's views on privacy, I wonder when the back door will be discouvered? Or is looking for it agianst the law?
Look at the protocol. It's so simple that there's virtually no way for a back door to exist.
Implementations can have back doors, of course, but that's a separate issue.
Re: (Score:2)
In this particular case the risk of a backdoor is going to be in the hardware. That is, the smartcard itself. You can't easily look in there and see what's going on.
Their specification indicates they are using Java Cards and most if not all Java Cards do in fact have a backdoor if you know the keys. Often these keys are embedded in the card's firmware and can't be changed. They are designed to allow easy mass production and personalization and are generally only available to the manufacturer (or I assum
Re:Yeah Right... (Score:4, Interesting)
Well, these are off-the-shelf cards, so if there are back doors, they're already there. That has nothing to do with this protocol.
Also, it's not really accurate to say that Javacards have a "back door if you know the keys". They're delivered from the manufacturer with an initial key set, which is generally swapped out for new, randomly-generated keys by the card issuer. The card issuer knows those keys and can use them to install and remove applets and what not. The card issuer is the true owner of the card, and has complete control over it, because they know the keys. That's not so much a "back door" as the reality that the card holder is generally not the one that owns the card.
Re: (Score:3, Informative)
I wasn't talking about the issuer keys. There are more keys that let you in to other levels of the card hardware. This is not generally publicized and the only reason I know about it is because of how long I have been working in this field. Now this may not be true of all Java Cards but it is for every one I have seen.
Well, I've been working with smart cards in general for over 12 years, and with Javacards ever since they've existed, including having done some work on the JCOP operating system (IBM's implementation of Javacard, now owned by NXP), and I've NEVER heard of keys at a lower level than the CardManager keys.
Which specific cards have you seen this to be true of? And how did you find out? It's certainly not in the documentation of the cards from Gemalto, Oberthur, G&D or NXP.
Re: (Score:2)
I wounder when you'll discouver you doun't need to insert extra "u"'s after every "o".
Mmmh (Score:5, Insightful)
"Here, have my lock and key. Nobody will be able to get into your home. Except, maybe, me :-)"
Re: (Score:3, Insightful)
They aren't giving away the lock and key. They are giving away a design for locks and keys.
You are correct (Score:2)
It was a very short comment. The idea is, that before anyone would like to use it the crypto-community should have a long and hard look at it.
Re: (Score:3, Insightful)
From the summary:
which withstood three years of design and testing by Australian and American security agencies.
I took that to mean the crypto-community had a long hard look at it.
What unbreakable? Fah! (Score:3, Funny)
Oh... they use two crypto algorithms (Score:2)
... that must mean it's secure {\sarcasm}
FTFA: Centrelink documents reported the hackers cannot break the PLAID protocol because it uses two cryptographic algorithms in its scrambling process in rapid succession - typically less than a quarter of a second - whereas other systems use a single algorithm.
contactless smart cards are the way to go (Score:3, Interesting)
Imagine government IDs had contactless smart cards with certificates on them keyed to an ID database managed by the government (for revocation purposes and identity information). Now imagine contactless smart card readers were standard equipment in PCs.
You would just need one card in your wallet to log you in to any computer or web site, make purchases, board planes or trains... anything! No more wasted effort on having a hundred weak authentication cards and passwords. You have one strong authentication method that can't be forged, or at least not without fantastically more effort than forging a check or credit card.
Enormous economic and security benefit.
Re: (Score:3, Interesting)
You would just need one card in your wallet to log you in to any computer or web site, make purchases, board planes or trains... anything! No more wasted effort on having a hundred weak authentication cards and passwords. You have one strong authentication method that can't be forged, or at least not without fantastically more effort than forging a check or credit card.
Enormous economic and security benefit.
Until you lose your wallet and the person who finds it has complete control to ruin every aspect of your life connected to said card... ...
Re:contactless smart cards are the way to go (Score:5, Interesting)
Until you lose your wallet and the person who finds it has complete control to ruin every aspect of your life connected to said card... ...
Yes, because clearly they would have no system to revoke lost cards.
Re: (Score:2, Funny)
"To revoke privileges to your lost card, please validate your identity by presenting your smart card"
Re: (Score:3, Interesting)
yes because the govt. has shown such wisdom in the past by making it easy to replace social security numbers
Re: (Score:2)
They have also never put a stop to it after the practice began
I don't believe that! (Score:2)
The government never issued SSN with the intent of being a universal identifier.
Really? What would be the problem with that? Isn't that exactly what it's for?
Also, there's nothing wrong, from a security standpoint, with issuing universal identifiers.
For instance, on most online sites I have the "universal" identifier "jonaskoelker". No one seems to want to "steal" it from me, so in that sense it's universal (I can get it when-/whereever I want).
The problem is that in most real-life security protocols, the conceptual "login form" has only a field for the username, and no password; or
That's the wrong complaint about SSNs (Score:2)
[discussing key revocation] yes because the govt. has shown such wisdom in the past by making it easy to replace social security numbers
The real failure is not the lack of revocation of SSNs.
Consider this hypothetical security protocol for proving that you are who you claim: you tell them a name, an address and an SSN. The verifier looks up in the person database under your SSN and checks that your claimed name and address matches what the database says.
You have to revoke your SSN after every single use, because otherwise the verifier can "prove" they're you.
The real failure is in the "proving-I'm-me" protocol: it works by you revealing yo
Re: (Score:2)
Depends on how fast you can get it revoked...So several hours go by while your bank account is drained and your personal information stolen. Oh, and he's already halfway around the world.
And this is any different than if someone steals your wallet today, how?
Re: (Score:2)
That's why we should embed them into peoples arms and if they start cutting those off, use their forehead!
I read about this in some old archaic book somewhere.
Re: (Score:2)
1) PKI systems have revocation, so you're wrong.
2) A good PKI system would have an online photo database, so you're wrong unless the guy looked like you and you have not had your card revoked
Re:contactless smart cards are the way to go (Score:4, Interesting)
Enormous economic and security benefit.
Yes, for just $429.95 I will sell you a very nice mask and a programmable contactless identity chip. Enormous economic benefit to me, enormous security benefit to you. Well, it will benefit you in bypassing security, and framing someone for a crime anyway.
You still need at minimum two-factor authentication to be secure, so you're still going to need a PIN for non-trivial uses. However, even non-trivial uses could be enough to get you into plenty of trouble.
It's not hard to consolidate multiple usernames and passwords down to a single username and password. This is done for users through any number of freely available schemes. This is preferable to concentrating them down to a single system which, when corrupted (not "if") will permit virtually unlimited abuse. I do not believe that you are so helpless that you need government to assist you with password management. Therefore I submit that you are trolling. You could call it sarcasm if you had left any clues in your comment. Perhaps you used > rather than & someplace?
Re: (Score:2)
Yes, for just $429.95 I will sell you a very nice mask and a programmable contactless identity chip
That's rather expensive. Programmable contactless chips are available in engineering quantities for less than $10 and large quantities for less than $2.
And what good does it do to have a chip? To fake someone's identity, what you need is their KEY so you can put it in a chip.
Re: (Score:2)
what if the host where i log in is compromised? Even if it could not do Man in the middle attack because the session is secured from the smart card to the destination, it could intercept and pilot mouse and keyboard events and screen display so your bank withdrawal becomes 100$ to you and 900$ to the hacker.
The trust put in the system and its centralized nature would turn any security breach into a nightmare.
Besides, how much you trust your government with access to all your money and movement and online ac
Re: (Score:2)
I am referring to a strong authentication system. The government would have no control over bank accounts or anything like that. It would simply enable me to prove to my bank that I am me.
None of the security issues you attempt to describe are unique to smartcard-based authentication systems.
Why a single card? (Score:2)
Consolidating this to a single card would be utterly retarded, as it provides both the issuer (the government) and entities that you do business with far more information about you than they need to know, and it greatly increases the consequences when a card is compromised.
On the other hand, having a standard authentication mechanism which was integrated into most computers would be very useful. Then when my bank issued me a pin-and-chip credit card, I would know that it worked with my computer as well as a
Re: (Score:2)
No, you're wrong. It would provide only identity/authentication information. No more.
Re: (Score:2)
It would provide only identity/authentication information.
I don't think you realize how much information that is.
Each transaction would authenticate me as Citizen X, rather than as card holder Y. Today all my purchases are made with a single use card number and shipped to a PO Box. If the authorities want to track me down using that, they can get a warrant and get the info from my credit company or the postal box company, but people I ordered from don't know or care who I am.
The government would also have a record of everyone who checked the public key repository.
Bad idea to combine ID with payment (Score:2)
It is better to have at least two types of cards. One for official ID - which should rarely leave my sight.
And one for payment, which I could pass to someone else for a short time.
So if something happens to the payment card or cert (damaged or lost), I can apply for another payment card.
While waiting for a new payment card to be issued, I can still prove I am me, with my ID card.
Putting that all on one card makes that hard.
Currently, I take out my ID card from
Surviving design... (Score:3, Funny)
Anything that withstands three years of attempted government design must be robust indeed.
PLAID 6 Protocol (Score:4, Informative)
- Note - Neither SHA256 nor ECC are used at this time because production cards are either not obtainable from all vendors nor do they achieve the required performance, (in spite of theoretical advantage of ECC)
- Note - RSA 1984 is a trade off between performance and security, and ensuring the transaction fits in one APDU command.
* Fast & simple - less than 1/2 second (400ms) and the Java Card - applet is extremely small (about 4 Kb)
* Not clone-able, re-playable or subject to privacy or identity leakage
* Same protocol can be used for PACS/LACS & contact/contactless
* PIN can be verified when card-not-present by comparing PIN hash
- Saves user having to hold contactless card to reader during typical PKI session
* Mutual authentication Protocol
* Algorithms used are commercially available on virtually all modern smartcards including Java Card, MULTOS, most SIMs and many proprietary cards
* Algorithms and their selected key lengths have been tested on production cards and devices to ensure speeds are real, not theoretical
* No IP issues - IP was developed solely by the Australian Government by its agency, Centrelink, and will be openly and freely licensed
* Designed to be used either stand-alone or as a bootstrap into other specifications like Australian IMAGE, US PIV, ICAO Passports etc.
* Supports multiple concurrent specs dependent on device request to card
- i.e. Card could supply Wiegand number or CHUID or Centrelink CSIC or Passport MRZ etc etc dependent on use case
* Supports multiple (256) key sets dependent on device request to card
- i.e. there might be a "perimeter key set" and a "high security key set" and a "LACS key set" and an "administrative key set" etc etc and the terminal device only requests the one it requires, reducing the possibility of compromise of the others.
- The key sets can be rolled, by loading spare unused key sets (up to 255) in case of compromise (memory is the limitation)
* Optionally provides session keys for higher level specs
* Protocol can be registered and implemented under ISO/IEC 24727-3 and 6, and either used under ISO/IEC 24727 or implemented separately
However:
Slightly slower than existing physical access Tag and proprietary solutions (by 0.2 to 0.3 seconds)
- Keys MUST be distributed & managed
* Vendors need to build key management for PLAID into existing or new key management systems. (Centrelink vendor is doing this for LACS)
* PACS using older Wiegand technologies need secure SAM devices in the readers
* Newer PACS can utilise back end HSM devices/SAMs on the network or in distribution frames
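To make the shape of the protocol summarised above concrete (RSA phase first, then a phase keyed by a card-specific derived key, selected per key set), here is a structural model written for this discussion. It is an added example, not Centrelink's code and not the PLAID applet: the message layout, the `Card`/`Terminal` names and the key-set numbering are this example's own choices. Two stand-ins are assumed because the Python standard library has no AES and no prime generator: the RSA factors are Mersenne primes (cryptographically weak special form, used only so the key pair can be built without a primality test), and HMAC-SHA256 replaces AES for key derivation and the response/session values. What it shows is the point made in the earlier "Re:A little more info" reply: the card carries only the terminal's public key and its own derived keys, the masters and the RSA private key stay on the terminal side, and a stale IA response is rejected by the terminal nonce check.

```python
# Added example: structural model of a PLAID-style two-phase mutual authentication with
# per-card key diversification and per-use key sets. Not Centrelink's code; layout and
# names are this example's own assumptions.
import hashlib
import hmac
import secrets

# Terminal-side IA key pair. Mersenne-prime factors need no primality test in pure Python;
# that special form is an assumption of this example only and is unsafe for real use.
_P, _Q = (1 << 521) - 1, (1 << 607) - 1
RSA_N, RSA_E = _P * _Q, 65537
_RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))    # stays in the terminal/SAM, never on the card

MSG_LEN = 1 + 16 + 16 + 16   # key set id, diversification data, card nonce, terminal nonce


def derive_card_key(master: bytes, div_data: bytes) -> bytes:
    """Card-specific key for one key set. The card is issued this value only; the master
    never leaves the HSM/SAM. HMAC-SHA256 stands in for the AES-based derivation."""
    return hmac.new(master, b"PLAID-FA" + div_data, hashlib.sha256).digest()


def _mac(key: bytes, label: bytes, rnd_c: bytes, rnd_t: bytes) -> bytes:
    return hmac.new(key, label + rnd_c + rnd_t, hashlib.sha256).digest()


class Card:
    """Holds the terminal's public key (RSA_N, RSA_E) and one derived key per key set."""

    def __init__(self, div_data: bytes, keyset_keys: dict):
        self.div, self.keys, self._pending = div_data, keyset_keys, None

    def initial_authenticate(self, keyset_id: int, rnd_t: bytes) -> int:
        if keyset_id not in self.keys:
            raise ValueError("card has no such key set")
        rnd_c = secrets.token_bytes(16)
        self._pending = (keyset_id, rnd_c, rnd_t)
        plain = bytes([keyset_id]) + self.div + rnd_c + rnd_t
        return pow(int.from_bytes(plain, "big"), RSA_E, RSA_N)   # readable by the terminal only

    def final_authenticate(self, tag: bytes) -> bytes:
        keyset_id, rnd_c, rnd_t = self._pending
        self._pending = None
        key = self.keys[keyset_id]
        if not hmac.compare_digest(tag, _mac(key, b"term", rnd_c, rnd_t)):
            raise ValueError("terminal failed to prove knowledge of the derived key")
        return _mac(key, b"sess", rnd_c, rnd_t)      # optional session key for higher layers


class Terminal:
    """Holds the IA private key and the per-key-set masters (inside a SAM/HSM in practice)."""

    def __init__(self, masters: dict):
        self.masters, self._rnd_t = masters, None

    def start(self, keyset_id: int):
        self._rnd_t = secrets.token_bytes(16)
        return keyset_id, self._rnd_t

    def respond(self, keyset_id: int, ia_cipher: int):
        plain = pow(ia_cipher, _RSA_D, RSA_N).to_bytes(MSG_LEN, "big")
        ks, div, rnd_c, rnd_t = plain[0], plain[1:17], plain[17:33], plain[33:49]
        if ks != keyset_id or rnd_t != self._rnd_t:
            raise ValueError("stale or mismatched IA response")   # replay or wrong key set
        key = derive_card_key(self.masters[keyset_id], div)      # only this card's key is derived
        return _mac(key, b"term", rnd_c, rnd_t), _mac(key, b"sess", rnd_c, rnd_t)


def issue_card(masters: dict, div_data: bytes) -> Card:
    """Issuance: derive one key per key set and load only the derived values onto the card."""
    return Card(div_data, {ks: derive_card_key(m, div_data) for ks, m in masters.items()})


def run_auth(terminal: Terminal, card: Card, keyset_id: int) -> bool:
    """Full exchange; True when both sides end up with the same session key."""
    ks, rnd_t = terminal.start(keyset_id)
    tag, sess_t = terminal.respond(ks, card.initial_authenticate(ks, rnd_t))
    return card.final_authenticate(tag) == sess_t


def replay_rejected(terminal: Terminal, card: Card, keyset_id: int) -> bool:
    """Capture one IA response and replay it into a later transaction."""
    ks, rnd_t = terminal.start(keyset_id)
    captured = card.initial_authenticate(ks, rnd_t)
    terminal.start(keyset_id)                 # fresh terminal nonce for the next transaction
    try:
        terminal.respond(ks, captured)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    masters = {1: secrets.token_bytes(32), 2: secrets.token_bytes(32)}   # e.g. perimeter, high security
    term, card = Terminal(masters), issue_card(masters, secrets.token_bytes(16))
    print("mutual auth:", run_auth(term, card, 1), "replay rejected:", replay_rejected(term, card, 2))
```

A card issued under a different master (another agency's key set, say) fails at `final_authenticate`, because the terminal's derived key no longer matches the one loaded at issuance; and extracting one card's keys yields only that card's derived values for the key sets it was issued with, never the masters, which is the property the thread was arguing about.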
Withstood? (Score:2)
Withstood three years of design? What the blazes does that mean?
Boss 0: Here is all the material we have on the PLACID system. I want you to design it.
Agent X: Right away, Boss!
Agent X: Sorry Boss. Me and my team have been trying for three years. PLACID simply withstands all attempts at being designed.
Boss 0: I was afraid of that. We'll have to release it to
FYI: For the smart card unaware (Score:2)
Stories like this frequently conflate the smart card goings-on with the system functions.
In this case, the newsy bit about the smart card is they apparently have a new protocol for authenticating from the smart card. For those that don't know, there are many kinds of smart cards including ones that have an operating system on-board. Their protocol is probably employed on top of the smart card OS. Yes, you too can write your own authentication protocol and use it on a smart card.
The backend system appears
Spaceballs (Score:3, Funny)
Worthy of trust? (Score:2)
It seems like the NSA and other intelligence agencies around the world have a real trust problem.
On the one hand, they make some of their living out of breaking codes. And worse, as we saw with the NSA illegal wiretapping, they're not necessarily acting in legal ways or in the interests of the general public.
So for that reason, we citizens have a good reason to distrust anything they say, especially large wooden statues of horses.
On the other hand, the NSA et al also have a desire (we believe) to help the
Getting PLAID (Score:3, Funny)
Good for them (Score:2)
Sigh... I give it 6 months once its in the open (Score:2)
The problem is some people LIVE for challenges like this and it's an encryption method based off of other encryption methods. That means there is only 1 piece of the puzzle to figure out.
My concern is that they (the government) suddenly say that all ID's must be tied to this and like several posts above... now someone who knows how to crack this and tag a specific person now has access to everything about them. Banking, health records etc...
Re: (Score:2)
First of all, it's a protocol, not an encryption method. The protocol is based on RSA and AES. If those are "broken" we have bigger problems to worry about as all internet encryption is based on these protocols.
I'm not saying it is safe, but saying it will be broken because somebody will break the "encryption method" because it is out there, well, that's not in line with the current state of crypto-analysis.
Ludicrous (Score:2)
They've gone to plaid!
Doesn't jibe (Score:2)
Why don't I think the US or Aussie government (especially the Aussies, given their recent track record on civil liberties and disregarding privacy concerns of their citizens) would give away an "unbreakable" form of crypto?
My feeling is that they must have a backdoor into this, and that makes me suspicious.
It seems to me it might be more like "Here, use this, this is great encryption, nobody can crack it." Well, it may be unbreakable - but what if they have a master key or something?
Re: (Score:2)
First of all, this is a protocol using normal cryptographic primitives. They can't have a master key to this protocol. Normally you have back doors or master keys for devices not for protocols.
Second of all, this is mainly about authentication of their own terminals, so yes, I would suppose they have the master key. In their scheme, it's called "Master ISK key" (probably master inspection system key).
Third of all, they don't need to give away an unbreakable form of crypto, since none of the current, widely
6 Months (Score:2)
Now that it has hit Slashdot I give it 6 months before it's blown apart. Nothing pisses a geek off more than being told "It Can't Be Done"
There are very angry cave dwellers that since seeing this have now vowed to make it their EPIC QUEST to crack this thing open. Do not underestimate the power of the geek!
POWER OF THE GEEK COMPELLS YOU!
POWER OF THE GEEK COMPELLS YOU!
THE SPIRIT OF THE WOZ COMPELLS YOU!
POWER OF THE GEEK COMPELLS YOU!
POWER OF THE GEEK COMPELLS YOU!
THE SPIRIT OF THE TORVALD COMMANDS YOU!
POWER O
Unbreakable? (Score:2)
Should they really be calling it unbreakable? Isn't that essentially the same as asking to have it broken so some hacker can make a name for himself? Any good social-engineer could crack this thing in a few days flat, I'm sure. As /. posters love pointing out, even if the system were perfect its users ain't.
I laugh ... (Score:5, Insightful)
The claim is usually an open invitation to reduce the "unbreakable" object to ashes.
Re: (Score:2)
The claim is usually an open invitation to reduce the "unbreakable" object to ashes.
Unbreakable, not unburnable...
Inflammable Means Flammable? What A Country!
Here's the relevant snippet from TFA [computerworld.com.au]:
Oracle Breakable After All (Score:2)
... when an organization claims that they're going to provide something that's unbreakable [securityfocus.com]
So I guess [slashdot.org] neither Oracle nor Slashdot moderation is unbreakable.
Re:I laugh ... (Score:5, Interesting)
This allows one to completely securely transmit up to n bits of data from a source stream, and because the source and destination can pick new X and Y values with every transmission, and unencrypted data is never found on any transmitted data stream. The likelihood of breaking it is genuinely 1 in 2^n and can only be broken by brute force attack. Factoring methods will not break the encryption because what would normally be associated as a public/private key pair (X,Y) in some other encryption protocols is never shared with the other party.
Re:I laugh ... (Score:5, Informative)
That looks familiar but I can't remember the name, what scheme is it?
That's not strictly true. Although the discrete log problem is hard it is still a computational assumption. Proving that 2^n is a lower bound would be a significant achievement. This scheme is only "unbreakable" in the sense that RSA is - breaking it requires solving a problem that we suspect, but are unable to prove, is very hard.
Re: (Score:2)
Unless I am mistaken...
Computational Workload (Score:2)
Re: (Score:3, Informative)
I'm not really sure what you mean. Assuming that A and B are roughly the same size, A, B and SQRT(c) will all have about n/2 bits. But I don't see the connection to discrete logs. The scheme assumes that the attacker can't compute Xd,Xs,Yd,Ys. If the attacker observes the D transmitted in steps 5,6 and 7 then he can attempt to invert the exponentiation revealing Xd and Ys.
My head is a bit too hungover to follow through the implications, but Xs is the multiplicative inverse of Ys and so should be unique and
Re: (Score:3, Insightful)
3.The source and destination then compute Ys and Yd, respectively, such that their own X*Y is congruent to 1 mod (A*B). They do not share this information.
Should that be 1 mod ((A-1)*(B-1))?
I'm not that convinced that relying on the discrete logarithm problem (at the cost of 4x as much network communication) rather than directly on the factoring problem (like more commonly discussed PK based systems) has any additional security : aren't the 2 problems of identical complexity?
Re: (Score:2)
oops - I should have read more closely...
because the source and destination can pick new X and Y values with every transmission
I see now that _that_ is what you gain for the additional bandwidth cost
Re: (Score:2)
This is the RSA algorithm. It hasn't been broken in the last 30 years by the smartest people. Either that, or the govt.(NSA) knows how to break it and is keeping it under wraps.
The algorithm in mark-t's post is not the one described on http://en.wikipedia.org/wiki/RSA [wikipedia.org] : I read it as a variant that (using the wikipedia page's notation) is making {p,q} public instead of {n,e}, with a corresponding adjustment to the messages that need to be exchanged.
this relies on the discrete logarithm of (d6=d5^Ys mod C) being difficult to solve from step-6 (with d6,d5 and C being known to an eavesdropper : Ys being what you need to figure out to break the encryption) - compared to the wikipedia a
Re: (Score:2)
Meh.... unbreakable encryption is easy, or so close to it that the difference is largely irrelevant:
...
4. The source takes n bits from the data, D, and applies the following transform: D = D ^ Xs mod C. This data is transmitted.
5. The destination then applies the transform D = D ^ Xd mod C and transmits that back to the source.
6. The source applies the transform D = D ^ Ys mod C and transmits that to the destination
7. The destination finally applies D = D ^ Yd mod C, and in this final transform retrieves the unencrypted data.
Tripling the bandwidth requirements doesn't seem like a very efficient solution.
Unbreakable encryption is pointless if it isn't practical.
Re: (Score:2)
Encryption we don't know how to break is easy. There's no proof that we won't come up with a way to break it.
Decryption (at least of known plaintext, and it's frequently not difficult to get some) is a problem in NP, since we can verify that a key is correct very efficiently. Theoretically, ciphers could be found to be NP-hard, although I haven't heard of any proofs.
However, we've never been able to prove that NP problems cannot be solved efficiently. The smart money seems to be that there's no way,
Parent is fail! Don't take crypto advice on /. (Score:4, Interesting)
Meh.... unbreakable encryption is easy, or so close to it that the difference is largely irrelevant: [protocol] [...]
Well, this will have to be performed over a channel which solves almost all the important cryptographic problems.
If not, consider this scenario:
Alice wants to send something to Bob. Both know A, B and C (why not p, q and n?). She sends out D^Xs. She receives D' from someone. She sends out D'^Ys.
Consider Bob: he receives E from someone, sends out E^Xd. Then he receives E' from someone and computes E'^Yd.
There is no guarantee and no way to check whether "someone" is the person you think you're talking to; they might appear to be Bob in Alice's eyes and vice versa while in reality they're Doctor Evil.
There's also no way to be sure that the message(s) you receive from the network have any particular relation to what you sent out. Doctor Evil could, for instance, multiply the data by 2 without anyone noticing.
Besides, doing modular exponentiation is slow like molasses. You really do not want to do that for every chunk of data; you'd much rather use those kinds of operations to agree on a (secret) key for a symmetric cipher (say, AES) and then encrypt the data using the symmetric cipher.
I hope to god no one implements this.
Factoring methods will not break the encryption because what would normally be associated as a public/private key pair (X,Y) in some other encryption protocols is never shared with the other party.
And that is why all you can know is that you sent an encrypted message to someone: there's nothing distinguishing your intended receiver from anyone else. The sender/receiver has no shared secret knowledge, nor any private/public asymmetric knowledge, so anyone can do the same computations as either intended party in this protocol.
Similar to optimization, there are two rules for cryptography:
If you're curious about my background, I'm a crypto phd student (that I am, even if you're not curious). I want to stress: I'm not trying to make an argument from authority.
I'm also not trying to make crypto an exclusive thing; I welcome anyone to educate themselves on the matters of cryptography. It's just that this shit is hard, and if you don't know your shit, your own designs are extremely likely to be insecure.
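The objection above is easy to check by running the scheme. The following is an added example, written for this thread and not from any of the posters: it implements steps 4 to 7 exactly as quoted (source applies Xs, destination applies Xd, source removes with Ys, destination removes with Yd), with X*Y congruent to 1 modulo (A-1)*(B-1) as corrected earlier in the thread, then replays the two attacks the reply describes. Assumptions: A and B are two small published primes (the 10,000th and 100,000th) so the runs are instant, the data D is smaller than C and coprime to it, and the tampering is an exponentiation rather than the "multiply by 2" mentioned, because an exponent gives Bob a predictable wrong value (D^k) instead of garbage, which makes the missing integrity check easier to see.

```python
# Added example, not from the original posters: the four-step exponentiation scheme quoted
# in this thread, run honestly and then against a man-in-the-middle. Assumptions: small
# published primes A, B; X*Y = 1 mod (A-1)(B-1); data D < C and coprime to C.
import math
import secrets

A, B = 104729, 1299709          # the 10,000th and 100,000th primes (assumption: toy size)
C = A * B
PHI = (A - 1) * (B - 1)


def keypair() -> tuple:
    """Pick X coprime to PHI and Y = X^-1 mod PHI, so (D^X)^Y = D mod C for D coprime to C."""
    while True:
        x = secrets.randbelow(PHI - 2) + 2
        if math.gcd(x, PHI) == 1:
            return x, pow(x, -1, PHI)


def exchange(d: int, source: tuple, destination: tuple, tamper=None) -> int:
    """Steps 4..7 of the quoted scheme. `tamper`, if given, is applied to the value on the
    wire after step 5: what an attacker sitting between the two parties can do."""
    xs, ys = source
    xd, yd = destination
    m1 = pow(d, xs, C)           # step 4: source -> destination
    m2 = pow(m1, xd, C)          # step 5: destination -> source
    if tamper is not None:
        m2 = tamper(m2)
    m3 = pow(m2, ys, C)          # step 6: source -> destination
    return pow(m3, yd, C)        # step 7: destination recovers what it believes is d


def honest_run(d: int) -> int:
    """No attacker: destination recovers d because all four exponents commute and cancel."""
    return exchange(d, keypair(), keypair())


def malleability_attack(d: int, k: int) -> int:
    """Mallory raises the intercepted value to a power k of her choosing. Since every step is
    an exponentiation, the exponents still commute and Bob ends up with d^k mod C; nothing in
    the protocol lets either side notice."""
    return exchange(d, keypair(), keypair(), tamper=lambda m: pow(m, k, C))


def impersonation_attack(d: int) -> int:
    """Mallory answers Alice in Bob's place. She needs no secret of Bob's, only a (X, Y) pair
    of her own, so she reads d in full while Alice believes she talked to Bob."""
    mallory = keypair()
    return exchange(d, keypair(), mallory)


if __name__ == "__main__":
    d = 123456789
    print("honest:", honest_run(d) == d)
    print("tampered to d^3:", malleability_attack(d, 3) == pow(d, 3, C))
    print("Mallory read d:", impersonation_attack(d) == d)
```

The impersonation run is, on purpose, indistinguishable in code from the honest run: that is the reply's point that nothing in the exchange ties the far end to any particular party. The malleability run shows the second point, that a value modified in transit still "decrypts" cleanly.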
Re:I laugh ... (Score:4, Interesting)
... when an organization claims that they're going to provide something that's unbreakable [securityfocus.com] The claim is usually an open invitation to reduce the "unbreakable" object to ashes.
This one has already been under discussion and review by the cryptologic community for several years now. It has received a lot of attention by the top academic cryptographers, as well as by government organizations like the NSA.
Never say never, and I'm sure the "unbreakable" word came from management or from news agencies, not the authors of the protocol, but I'll be very surprised if this is broken.
Re: (Score:2, Interesting)
I guess it's perfectly OK. It withstood 3 years of in-agency cracking. Now they want to see whether it will survive in the wild. What better method than to claim it is unbreakable? If it has vulnerabilities known to modern cryptanalysis, all the tech news will laugh and point at them - quite an easy event to spot. Some people are not afraid to be laughed at if they get what they need...
Re: (Score:2)
Consider the source. You've got a manager telling you it's unbreakable. Perhaps his cryptographers said to him "it's a good protocol, fixes the weakness in this previous protocol, and FOR ALL YOU KNOW it's unbreakable." They maybe didn't say those capitalized words out loud, because they figured their boss wouldn't know the difference anyway. But they forgot their boss might blab it on to someone else that way.
My point is this is the kind of phrasing that comes out of the mouths of higher-ups who don
Re: (Score:2)
Strong security requires a lot of processing power. If this secure card can not support a lot of MIPS security is weak. That may just be fine if the secrets one is trying to hide are low value. Otherwise, it ain't good enough.
No, security would be strong and the card would be slow. The reason for this is that the key sizes and algorithms seem to be part of the protocol. But these kind of cards all use cryptographic co-processors (AES accelerators and Montgomery multipliers for RSA), so MIPS don't have anything to do with it.