Schneier on Security
A blog covering security and security technology.
March 30, 2011
How Peer Review Doesn't Work
In this amusing story of a terrorist plotter using pencil-and-paper cryptography instead of actually secure cryptography, there's this great paragraph:
Despite urging by the Yemen-based al Qaida leader Anwar Al Anlaki, Karim also rejected the use of a sophisticated code program called "Mujhaddin Secrets", which implements all the AES candidate cyphers, "because 'kaffirs', or non-believers, know about it so it must be less secure".
Posted on March 30, 2011 at 7:14 AM
Shades of Hitler rejecting Einstein's "Jew physics"....
Maybe they thought that using a Caesar cipher is a form of security since law enforcement wouldn't suspect something so primitive :).
"because 'kaffirs', or non- believers, know about it so it must be less secure"
Just another case of "not invented here" syndrome?
That said I have low confidence in many AES implementations when used in "online" systems due to time side channels and other EmSec / ComSec issues.
And to avoid the usual complaint by "online" I mean systems that use the crypto whilst connected to an unsecure network or communications device not anything else...
So I have no qualms about "AES" itself and few when the system used is "Offline" and "Stand Alone" ie not connected at any time to a network or communications device, I do however have a few qualms when the same system goes "online" (well quite a few qualms actually all to do with malware ;).
Mind you what does it say about the organisation that took this man on as an "IT worker"?
Or is his real role in "IT" lower than say a data entry clerk?
I look forward to the Defence Experts article when it comes out (he's actually a very good writer and an "inventor" of security devices in his own right that the UK Gov decided to nick)
"organization lacks policies and clear procedures."
"Organizations decentralized C&C means lack of quality control and organizational authority."
They need an IG.
Now we know! The NSA is really just leaking all the cyphers to Satan, and letting HIM do the cryptanalysis.
One of the claimed advantages of OTP is that it can be implemented by pencil and paper.
Excellent. Stay stupid^H^H^H^H^H^H^H true to your own encryption beliefs, guys. Please.
I should also point out that the article I linked above is pen & paper crypto ...
Religion trumping science to religion's detriment! Christopher Hitchens must be happy (for another example).
Ironically, the group that publishes Mujahideen Secrets issued a warning two weeks ago against downloading untrusted copies of the software.
From the press release: "We warn our brothers from downloading any copy of Mujahideen Secrets © version 2.0 form [sic] any untrustworthy source." Links to apparently trustworthy terrorist sites are helpfully included, along with the very very secure password to the file.
Also, it's apparently copyrighted, so please don't infringe. When did we go to sleep and wake up in a Monty Python skit?
Another example of an extremist in intent and thought processes. I have thought for years that someone that is extremist will show it in their thought processes. The shoe bomber, etc. I also lump that same principle for nutty global warmists. (the truly crazy one)
These brainiacs could have used their own scheme (pun) along with truecrypt. Apparently, that thought never occurred to them. The shoe bomber could have brought a zippo.
It's a good thing the nuts are incompetent so often. However, we are still subjected to groping at airports. I actually embarrassed one and got a laugh from the line and them. Told 'em I'd been married for decades, and retired military...go for it. Everybody chuckled.
sense of humor goes a long way in this world. ;)
Next thing someone's going to suggest some sort of cypher using a deck of cards and a Solitaire-like game.
Well, he can't use any Intel Core CPUs anyway because they're designed in Haifa, Israel :p
Why did the underpants bomber fly to Detroit?
Because it was the cheapest fare.
Honestly. Terrorists who maintain their copyright and work on a budget are THE most dangerous people in the world? Something isn't right there.
On an unrelated note, what do people think about scrypt? A google search of scrypt site:schneier.com returns 0 hits, and it doesn't even yet have its own wikipedia page. Since there are apparently two unrelated projects of the same name, I'm talking about this one:
Their ignorance is our bliss.
It's as I've repeatedly said: the only reason the US is still standing is that ninety five percent of terrorists are incompetent idiots. (Including myself back when...)
Speaking of handwritten ciphertexts...
Just found this via Google News:
Apparently the FBI needs our help. Bruce's Kibitzers to the rescue! Haha
@michel I had forgotten that, that's funny. I wonder if they put any "micro" imprinting on the chips. Maybe a menorah. That would make it even funnier. Actually, I seem to remember someone coming up with an OTP using a deck of cards....I wonder if an irrational number would be better for them to use???
How does the alphabet length affect a substitution cypher?
The idea was originally invented by the classical Greeks with a 24 letter alphabet, used by the Romans with a 21/23 letter alphabet.
Presumably the people involved here used the 28 character Arabic alphabet..
Presumably a longer alphabet would make decryption harder, however, letter frequency distribution in plain text is more important than alphabet length.
The linked article, as of this writing, has 5,900 comments. If I were the FBI, I'd be checking the comments threads related to the articles about the stories to see what strange posters show up.
"using pencil-and-paper cryptography instead of actually secure cryptography"
So a well crafted and properly used one time pad system done on paper is not secure? Inconvenient to set up in many ways, yes, but I thought they worked well.
O/T on this thread, but pertinent to other discussions here, was an article linked at the page linked to in "story",
"The first person jailed under draconian UK police powers that Ministers said were vital to battle terrorism and serious crime has been identified by The Register as a schizophrenic science hobbyist with no previous criminal record.
"His crime was a persistent refusal to give counter-terrorism police the keys to decrypt his computer files.
"The 33-year-old man, originally from London, is currently held at a secure mental health unit after being sectioned while serving his sentence at Winchester Prison."
It seems he's a model rocketry fan. The rest is interesting/scary. But the world is now a little safer from terrorism ...
I think the point that makes PnP crypto insecure is that you can scan it into a computer and brute-force pretty much anything you could implement via PnP.
The word idiot comes to mind. It's the result either of a deluded psyche, or the only encryption technique he actually understood. It would seem that both paranoia and incompetence are characteristics found in many wannabe terrorists. And with quite some other folks, I might add, where the former is often a side-effect of the latter.
One-time-pads done with pencil and paper are as unconditionally secure as any other one-time-pad implementation - provided you can secure your key material and properly destroy your plaintexts/intermediates!
Same goes for other ciphers. You could do AES with pencil and paper, you'd just need a lot of pencil and paper (and a very large shredder and incinerator afterward...)
Impressively stupid. We wrote a small program in my university crypto course more than 20 years ago, that could break the Vigenère cipher automatically (you add a password and the text), so that we would really understand that these things are anything but secure today. Caesar ciphers are just plain obvious.
Also impressively stupid that it seems to have taken 9 months to break this.
This text ROT-13 encrypted twice for higher security!
Gweihir: You made a grave mistake... Everyone knows that ROT-13 is only secure if it's used in the Triple-ROT13 system :-P
"How does the alphabet length affect a subsitution cypher?"
The simple answer is it's very dependent on many other things.
Thus you need to first consider the cipher "block size" or alphabet size in more general terms (ie not in substitution / code book modes).
For instance in a stream cipher it is effectively bit by bit encryption therefore the alphabet size is 2 (0,1). However used properly stream ciphers can be very strong (the OTP is effectively a stream cipher with a user selected alphabet size) That is the strength comes not from the alphabet but from the stream generator producing an unknown binary alphabet for each bit.
Then consider a large code book where messages are enciphered not on individual input alphabet characters but on collections of characters that go to form largish blocks. An example would be using AES 256 in Code Book mode with the input alphabet being Baudot (32bit) 51 characters per block.
Further then consider how you actually break a simple substitution cipher, you do it by frequency counts of individual chars in the cipher text or bigrams (2 chars) trigrams (3 chars) etc and compare to the frequency table of the assumed input language and alphabet.
If you break the frequency count correlation between the input alphabet and cipher text alphabet you make the job considerably more difficult.
Shannon and others before him recognised this but Shannon actually gave a mathematical way to measure the "redundancy" in ciphertext alphabets and gave a new meaning to the word "entropy" and produced a measure for a given alphabet and language called the "unicity" distance. Thus any message below this length (about 26 chars in English slightly less in a single case alphabet) is in theory not uniquely decodable from the cipher text. If I remember correctly the unicity distance for DES in ordinary Code Book was just over two blocks...
So one way to make a substitution cipher less amenable to the standard attack methods is to somehow break up the statistics of the individual chars and their relationships when in pairs triples etc.
There are a couple of ways to do this the first is to simply transpose the input message in blocks greater than the language unicity distance in a method that uses a uniformly increasing stepped size (that is similar to selecting the wire order on a rotor wheel). There are known fairly easy pencil and paper ways to do this based on "code words" (look up WWII "poem codes" to see how it was done for double transposition).
The second thing that can be done is to change the frequency appearance of plain text chars to "flatten the statistics". Again there are fairly easy ways to do this with pencil and paper (see the "straddling checkerboard" in for instance the Foote version of the Russian "nihilist code").
Variations of these were used in what was considered to be a very strong pencil and paper cipher in the 1950's one such version was the VIC Cipher which also included a lagged Fibonacci generator for generating an addition key stream. It remained unbroken even to the NSA until its basic structure was revealed by a defector.
Thus it becomes clear that as Shannon noted a repeated application of transposition then substitution could produce a very strong cipher system (which is still what most block ciphers actually do).
But the required "complexity" of the system is very much dependent on how much traffic is to be sent.
The usual way to attack unknown substitution or transposition ciphers is by the "in-depth method" where messages assumed encoded under the same or related keys are stacked up and subjected to various analytical techniques to reveal any latent structure and statistics and by repeated application unroll the layers one by one like peeling an onion with only your bare hands.
So the less traffic sent in the system and under any one key the better...
Finally one weak system in many ciphers is "standard openings" and "standard closings" a simple way to hide these is to use "Russian Coupling" where you split the cipher text up into blocks and transpose them such that the message beginning and ending is somewhere in the middle.
So yes it is possible to make semi-secure pencil and paper ciphers, but usually they suffer from the human ability to make unintentional mistakes, so the systems are in general weak to allow for human failings...
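As an added worked example (not code from the post or from any commenter) of the frequency-count attack described in the comment above, and of the kind of automatic breaker Gweihir mentions earlier in the thread: the chi-squared scorer, the approximate English letter-frequency table, the constructed sample message and the assumed redundancy figure of log2(26) - 1.5 bits per character are all mine, introduced here only to make the method concrete. The code recovers a Caesar shift by comparing each candidate decryption's letter counts against English, and then evaluates Shannon's unicity distance H(K)/D for the Caesar and general simple-substitution key spaces.

```python
"""Frequency-count attack on a Caesar cipher, plus Shannon's unicity distance.

Added example, not code from the blog post or any commenter. The letter
frequencies are approximate published values for English; the redundancy
figure D = log2(26) - 1.5 bits per character assumes about 1.5 bits of
entropy per letter of English text, an assumption used only to make the
unicity calculation concrete. The sample message is constructed.
"""
import math
from collections import Counter
from typing import Tuple

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Approximate relative frequency (percent) of each letter in English text.
ENGLISH_FREQ = {
    "A": 8.17, "B": 1.49, "C": 2.78, "D": 4.25, "E": 12.70, "F": 2.23,
    "G": 2.02, "H": 6.09, "I": 6.97, "J": 0.15, "K": 0.77, "L": 4.03,
    "M": 2.41, "N": 6.75, "O": 7.51, "P": 1.93, "Q": 0.10, "R": 5.99,
    "S": 6.33, "T": 9.06, "U": 2.76, "V": 0.98, "W": 2.36, "X": 0.15,
    "Y": 1.97, "Z": 0.07,
}


def caesar_shift(text: str, shift: int) -> str:
    """Shift each letter by `shift` places (mod 26); other characters pass through."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def chi_squared(text: str) -> float:
    """Distance between the letter counts of `text` and the English table:
    sum over letters of (observed - expected)^2 / expected. Lower means
    more English-like. This is the 'frequency count compared to the
    frequency table of the assumed input language' done numerically."""
    letters = [c for c in text.upper() if c in ALPHABET]
    n = len(letters)
    if n == 0:
        return math.inf
    counts = Counter(letters)
    score = 0.0
    for ch in ALPHABET:
        expected = ENGLISH_FREQ[ch] / 100.0 * n
        score += (counts[ch] - expected) ** 2 / expected
    return score


def break_caesar(ciphertext: str) -> Tuple[int, str]:
    """Try all 26 keys; the trial decryption that looks most like English
    (lowest chi-squared) identifies the key."""
    key = min(range(26), key=lambda k: chi_squared(caesar_shift(ciphertext, -k)))
    return key, caesar_shift(ciphertext, -key)


def unicity_distance(key_entropy_bits: float, redundancy_bits_per_char: float) -> float:
    """Shannon's unicity distance U = H(K) / D: the ciphertext length beyond
    which, under the random-cipher model, only one key is expected to give
    meaningful plaintext. Shorter messages may have several valid solutions."""
    return key_entropy_bits / redundancy_bits_per_char


# Assumed redundancy of English written in a 26-letter alphabet (bits/char).
ENGLISH_REDUNDANCY = math.log2(26) - 1.5

# Key-space entropy of the two substitution ciphers discussed in the thread.
CAESAR_KEY_BITS = math.log2(26)                        # 26 possible shifts
SUBSTITUTION_KEY_BITS = math.log2(math.factorial(26))  # 26! permutations

# Constructed sample plaintext (not from the article).
SAMPLE_PLAINTEXT = ("ATTACK AT DAWN. THE SUPPLY CONVOY WILL LEAVE THE DEPOT AT FIRST "
                    "LIGHT AND TAKE THE COAST ROAD TOWARDS THE HARBOUR. SEND WORD "
                    "WHEN THE BRIDGE IS CLEAR.")

if __name__ == "__main__":
    ciphertext = caesar_shift(SAMPLE_PLAINTEXT, 7)
    key, plaintext = break_caesar(ciphertext)
    print(f"recovered key {key}: {plaintext}")
    print(f"unicity distance, Caesar: "
          f"{unicity_distance(CAESAR_KEY_BITS, ENGLISH_REDUNDANCY):.1f} chars")
    print(f"unicity distance, simple substitution: "
          f"{unicity_distance(SUBSTITUTION_KEY_BITS, ENGLISH_REDUNDANCY):.1f} chars")
```

The unicity distance is an information-theoretic bound, not a work estimate: it says how much ciphertext is needed before a unique solution exists, not how hard it is to find. With the figures assumed above it comes to about 1.5 characters for Caesar and about 28 for a general monoalphabetic substitution, which is the "about 26 chars" the comment quotes. The chi-squared scorer is the mechanical form of the frequency count; it needs a few dozen letters to be reliable, which is exactly why the comment's advice to keep traffic under any one key short matters for these ciphers.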
I would have encrypted it using 6ROT13 because that is twice as secure as Triple-ROT13. ;-)
On PnP one-time pads: these are not generally secure unless you take care to generate your one-time pad randomly. Using the text of a book at a certain page, for example, is insecure, and creating a one-time pad by "picking letters that seem random" isn't much better. And of course many people who would think to use dice or coins would fail to ensure an even distribution, which wouldn't be that good either (simply adding the result of five dice to select each letter in the OTP - surprisingly many people don't see the problem with that).
No, wait, did he really use an Excel spreadsheet to implement simple substitution, then superenciphered the resulting ciphertext with his simple substitution system? Please tell me that's not what he did. Oh, and my earlier post in this thread was supposed to be in the FBI appeal thread. OOPS.
As for paper and pencil one time padding, I know someone out there has released an alphabet die, so the biggest problem with OTP generation now is sourcing, and disposing of, the carbon paper you'd need to create the two sheets without using a copier.
"dzwe" , I really shouldn't travel to the library to many times,the inks running low
@ Robert in San Diego,
"I know someone out there has released an alphabet die, so the biggest problem with OTP generation now is sourcing, and disposing of, the carbon paper you'd need to create the two sheets without using a copier."
An "alphabet die" I'd like one as a "desk toy", but you don't need it.
All you really need to generate a rough and ready OTP is two dice of the same size but different colours (or two dice of the same colour but ink in the spots on one) and a simple six by six grid.
You can make either a "letter" or "number" OTP with the grid.
For a "letter OTP" you fill the alphabet in five letters at a time in the grid rows (ie in the 1 to 5 columns and leave the sixth blank) in the first five rows. In the sixth row you put the Z in the sixth column.
To use first decide which die is for the columns and which for the rows (and stick with it for the entire time you make the OTP).
For each letter throw both dice and look up the intersect square, if it contains a letter write it down, if it's blank (and it should be on average for 10 in 36 throws) just throw both dice again until you get a valid letter.
For a "Number OTP" just put 1-5 in the odd rows, and 6-0 in the even rows giving you thirty filled spaces and six blank spaces.
Providing you are only making a small amount of KeyMat two dice are ok.
You will also find it's a lot quicker if you can use a 1lb (454g) glass "jam jar" or other transparent container with a lid put both dice inside. Then shake it sufficiently hard with your non-writing hand so the dice hit the lid and bottom three or four times and let them fall to the bottom. With a little practice you can get one letter or number every 4 or 5 seconds and can keep it up at that rate to write down a thousand letter pad on A4 paper (ie ten 5 letter groups every third line).
I do it slightly differently, I use a very old PC and a dot matrix printer and two part stationery, I wrote a small program years ago in Apple Pascal (later converted to Turbo Pascal then Turbo C) where you just type in the letters or numbers one by one and it prints them out in a nice format (ie six five letter groups in three line boxes fifteen rows to a page with a serial number at the top etc) on two part fan fold stationery that is also punched for putting in a ring bound folder.
Surprisingly you can turn out about 15 pages an hour and a couple of days' work gives me a couple of hundred pages which is all the out station emergency KeyMat I need for a year or so these days.
Importantly the printer "ribbon" goes back in the safe with the disk, jar and folder of printed fanfold or it goes out the back to the BBQ pit where it gets reduced to less than ashes.
One important thing to note with OTPs in use, you need a piece of glass slightly bigger than your "pad sheet" to write on otherwise you could leave a tell-tale impression (why do you think all 'signals' officers/ yeomen / assorted REMFs have glass tops to their tables, it's not there just to hold down the photos or standing orders ;)
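The two-dice grid procedure in the comment above, together with the earlier warning about adding up five dice, as an added example: this is not the commenter's own Pascal/C program (which is not on the page) and not anyone else's code from the thread. Physical dice are stood in for by Python's secrets.SystemRandom so the code runs offline; that is a convenience, not a claim that a CSPRNG replaces a true random source. The grid layouts follow the comment; the function names, the "strike out the sixes" residue helper for the three-dice sets described in a later comment, the mod-26 letter OTP combiner and the constructed sample message are my additions. The five-dice-sum table is computed exactly over all 7776 outcomes.

```python
"""Two-dice one-time-pad generation as described in the thread, simulated.

Added example, not the commenters' own program or data. secrets.SystemRandom
stands in for physical dice so the code runs offline; it is a CSPRNG, not a
hardware source, and is used only to exercise the grid-and-rejection
procedure. five_dice_letter_counts() shows exactly why summing five dice
and reducing mod 26 gives a biased pad.
"""
from collections import Counter
from itertools import product
from secrets import SystemRandom
from typing import Callable, Dict, Tuple

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
Grid = Dict[Tuple[int, int], str]   # (row die, column die) -> symbol
_rng = SystemRandom()


def build_letter_grid() -> Grid:
    """Rows 1-5: five letters each in columns 1-5, column 6 blank.
    Row 6: only Z, in column 6. 26 filled cells, 10 blanks."""
    grid: Grid = {}
    for row in range(1, 6):
        for col in range(1, 6):
            grid[(row, col)] = ALPHABET[(row - 1) * 5 + (col - 1)]
    grid[(6, 6)] = "Z"
    return grid


def build_number_grid() -> Grid:
    """Odd rows hold 1-5, even rows hold 6-0, column 6 blank: 30 filled
    cells, each digit appearing three times, so digits are equally likely."""
    grid: Grid = {}
    for row in range(1, 7):
        digits = "12345" if row % 2 else "67890"
        for col in range(1, 6):
            grid[(row, col)] = digits[col - 1]
    return grid


def fair_roll_pair() -> Tuple[int, int]:
    """Simulated (row die, column die) throw; assumption: fair dice."""
    return _rng.randint(1, 6), _rng.randint(1, 6)


def draw_symbol(grid: Grid, roll_pair: Callable[[], Tuple[int, int]]) -> str:
    """Rejection sampling: throw both dice, keep the symbol in the cell they
    point at, re-throw on a blank. Each filled cell has probability exactly
    1/36 per throw, so accepted symbols are uniform over the filled cells."""
    while True:
        cell = roll_pair()
        if cell in grid:
            return grid[cell]


def generate_pad(grid: Grid, length: int,
                 roll_pair: Callable[[], Tuple[int, int]] = fair_roll_pair) -> str:
    return "".join(draw_symbol(grid, roll_pair) for _ in range(length))


def three_dice_residue(rolls: Tuple[int, int, int]) -> int:
    """The 'strike out the sixes' trick from a later comment: one die value
    from three dice via the sum mod 6, with 0 read as 6. Summing several
    dice flattens any single die's bias."""
    residue = sum(rolls) % 6
    return 6 if residue == 0 else residue


def five_dice_letter_counts() -> Counter:
    """Exact counts of (d1+...+d5) mod 26 over all 6**5 throws, i.e. the
    letter distribution of the 'add five dice' pad the thread warns about."""
    return Counter(sum(c) % 26 for c in product(range(1, 7), repeat=5))


def otp_combine(text: str, pad: str, decrypt: bool = False) -> str:
    """Letter one-time pad: add (encrypt) or subtract (decrypt) pad letters
    mod 26. Refuses a pad shorter than the message rather than wrapping,
    since reusing key material is what breaks an OTP."""
    if len(pad) < len(text):
        raise ValueError("pad too short: never reuse key material")
    sign = -1 if decrypt else 1
    return "".join(ALPHABET[(ALPHABET.index(ch) + sign * ALPHABET.index(k)) % 26]
                   for ch, k in zip(text, pad))


if __name__ == "__main__":
    pad = generate_pad(build_letter_grid(), 1000)
    tally = Counter(pad)   # the running frequency count the commenter keeps as a check
    print("least / most common pad letters:", tally.most_common()[-1], tally.most_common(1)[0])
    msg = "ATTACKATDAWN"   # constructed sample message
    ct = otp_combine(msg, pad)
    print(msg, "->", ct, "->", otp_combine(ct, pad, decrypt=True))
    bias = five_dice_letter_counts()
    print("five-dice letter counts range from", min(bias.values()),
          "to", max(bias.values()), "out of 7776")
```

Rejection is the whole point of the grid: a throw that lands on a blank cell is thrown away, not folded onto some letter, so every accepted symbol is uniform over the 26 filled cells (10 of 36 throws are rejected for letters, 6 of 36 for digits). By contrast five_dice_letter_counts() shows that summing five dice and reducing mod 26 piles the pad onto the letters near the middle of the sum range: the most likely letter comes up 780 times in 7776 throws and the least likely once. A pad with that skew leaks plaintext statistics, which is the failure the earlier comment about five dice points at.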
Yet the US uses the TSA to defend itself against them.
US - the best idiocy money can buy
@Clive: Just to be clear, I assume you still generate the letters or numbers with the dice, since generating them with the computer would mean using the random number generator seed as a key.
Do you worry about the dice being imbalanced? Have you tested these particular dice (I notice you store the jar, presumably with the dice in it, in the safe)?
Have you considered moving to polyhedral dice? Some of those operations might be easier with ten- or twenty-sided dice.
@ David Thornley,
"Just to be clear, I assume you still generate the letters or numbers with the dice..."
Yes, the comp program is just for "pretty printing" (and displaying a running count/frequency graph as a confidence assurance).
However... I did some time ago look at using a "card shuffling" algorithm similar to ARC4 that continuously evolves a pool of pseudo-randomness and every so often the output of a low frequency true random generator would add jitter to the card shuffling algorithm to "spread the love" of the entropy across the evolving pool.
It turns out that if you keep the sampling rate from the pool to less than half the array size multiplied by the average frequency of the TRNG its statistics are very similar to that you would expect from another TRNG...
Aside from all the philosophical questions over what is and is not a random sequence, you have to ask yourself 'if it looks like a duck quacks like a duck do I really need to treat it like a goose?'
So yes I have considered rewriting it to do this...
Beside a few "quantum gismos" (mixing a microwave noise source with a very delayed version of itself) to get wide band "base band" noise for random bits, we really do not have good "fast TRNGs".
And the price of these quantum gismos was/is extraordinarily high when compared to say a 'reverse biased diode junction' or even high level AWGN 'excess thermal noise' source....
"Do you worry about the dice being imbalanced? Have you tested these particular dice?"
Yes and Yes.
As I said the method I mentioned is for "Rough and ready" low volume small size OTPs, where the inherent bias of a pair of reasonably priced dice will be too small to measure.
However my jam jar actually has six dice in it with two sets of three dice, one set with black spots and the other with white spots and I take the residue mod six of both sets when using them (which I can do almost at a glance by "striking out" sixes).
Prior to inclusion in a set, each die had a 240 (40 from each face) roll plot done and I started with ten of each die type. The dice in each set were selected to give the best balance based on their plots.
However I'm still cautious hence the running count tally in the software.
"Have you considered moving to polyhedral dice? Some of thos operations might be easier with ten- or twenty-sided dice"
I actually had a pair of twenty sided dice made for those doing mathematics, they were expensive and showed measurable (with a micrometer) asymmetric offset and hence bias (I have the workshop tools required for cutting, grinding, flanging and measuring X-band and above waveguide).
You can actually get packs of tested and approved "Casino Die" for quite reasonable sums (I used to be a member of a "small club" and they quite happily sold me a fresh sealed box of them). However I prefer the mass produced half inch cube die with rounded corners you can buy these in bulk for next to nothing (ie 10-20 cents each).
A little knowledge is a dangerous thing. Especially in domains like cryptography, where concepts are not so immediate to grasp.
I contribute to an Open Source PGP-related project, for which I also do user support on a forum and mailing list.
I remember a user saying that he was not going to use PGP but a symmetric cypher instead. The reason? "In asymmetric cryptography, you have to disclose part of your key to others (your public key), while in symmetric cryptography you keep the key all for yourself. Hence symmetric crypto is obviously safer than asymmetric crypto."
Another user complained about the hassle of keeping a secret key AND remembering a password, and proposed that keyservers should also store private keys...