Domain: cryptosmith.com
Stories and comments across the archive that link to cryptosmith.com.
Comments · 8
-
Re:No surprise there
If you only have two messages you can only get K^A K^B and A^B. This doesn't directly give you the key.
However as A^B is just a plaintext encoded plaintext, decyphering both plaintexts is relatively easy. Where relatively here means infinitely easier than provable impossibility.
Ridiculously easy if A and B were black and white images. See http://www.cryptosmith.com/archives/70
Getting the key is then trivial. -
OTP Security
One-time pad's are secure if the key is used only once (hence the name, one-time pad). The key needs to be as long as the original message, which makes this method unpractical in most real-life situations. If you use a smaller key than your plaintext, your encrypted message is compromised. If you re-use the key, then all your encrypted messages are compromised.
There's a very nice visual representation of this property here:
http://www.cryptosmith.com/archives/70
I like this example as it provides a visual representation of the leak. If you encrypt two different images with the same key using OTP and if you have access to both encrypted images, then you can XOR the encrypted images together to get information from the original images. It's surprising how much information is actually leaked when you re-use a key in OTP.
In the case of WWII pigeons, if anyone re-used an OTP key and an attacker captured two pigeons carrying messages encrypted with the same key, these messages would all be compromised.
-
Re:Duh?
I didn't say it was wrong, however, there are 3 flaws with the advice to write down your password:
1. It based upon the premise that many/most systems are implemented using the currently in-vogue policies of complex, hard to remember passwords, and that you should/must use different passwords for each system. Both Schneier and the MS researcher (Jesper Johansson) whose comments at a conference inspired Schneier's blog post mention those limitations as the basis for writing them down.
2. Both of those posts are very light on the topic of actually securing the written down passwords. Something which some other security experts have stressed, but which is frequently overlooked.
3. People who do write down their passwords are not good at securing them.
Unless you give complete instructions, including tips on protecting the written down password, then writing down passwords is not materially more secure than choosing easy to guess passwords. A far better recommendation is to use a password manager such as 1Password, KeePass or LastPass with a long, but easy for THAT user to remember pass-phrase.
TL;DR: Writing down passwords is a recommendation about how to cope in a world of bad password policies, and it's an incomplete recommendation because users will leave their written passwords in easily found locations. A far better recommendation is to use a password manager such as 1Password, KeePass or LastPass with a long, but easy for THAT user to remember pass-phrase. Long term, we need sane password/pass-phrase policies.
-
Re:Duh?
I didn't say it was wrong, however, there are 3 flaws with the advice to write down your password:
1. It based upon the premise that many/most systems are implemented using the currently in-vogue policies of complex, hard to remember passwords, and that you should/must use different passwords for each system. Both Schneier and the MS researcher (Jesper Johansson) whose comments at a conference inspired Schneier's blog post mention those limitations as the basis for writing them down.
2. Both of those posts are very light on the topic of actually securing the written down passwords. Something which some other security experts have stressed, but which is frequently overlooked.
3. People who do write down their passwords are not good at securing them.
Unless you give complete instructions, including tips on protecting the written down password, then writing down passwords is not materially more secure than choosing easy to guess passwords. A far better recommendation is to use a password manager such as 1Password, KeePass or LastPass with a long, but easy for THAT user to remember pass-phrase.
TL;DR: Writing down passwords is a recommendation about how to cope in a world of bad password policies, and it's an incomplete recommendation because users will leave their written passwords in easily found locations. A far better recommendation is to use a password manager such as 1Password, KeePass or LastPass with a long, but easy for THAT user to remember pass-phrase. Long term, we need sane password/pass-phrase policies.
-
Re:Duh?
I didn't say it was wrong, however, there are 3 flaws with the advice to write down your password:
1. It based upon the premise that many/most systems are implemented using the currently in-vogue policies of complex, hard to remember passwords, and that you should/must use different passwords for each system. Both Schneier and the MS researcher (Jesper Johansson) whose comments at a conference inspired Schneier's blog post mention those limitations as the basis for writing them down.
2. Both of those posts are very light on the topic of actually securing the written down passwords. Something which some other security experts have stressed, but which is frequently overlooked.
3. People who do write down their passwords are not good at securing them.
Unless you give complete instructions, including tips on protecting the written down password, then writing down passwords is not materially more secure than choosing easy to guess passwords. A far better recommendation is to use a password manager such as 1Password, KeePass or LastPass with a long, but easy for THAT user to remember pass-phrase.
TL;DR: Writing down passwords is a recommendation about how to cope in a world of bad password policies, and it's an incomplete recommendation because users will leave their written passwords in easily found locations. A far better recommendation is to use a password manager such as 1Password, KeePass or LastPass with a long, but easy for THAT user to remember pass-phrase. Long term, we need sane password/pass-phrase policies.
-
Re:The cycle to hell.Some great material on that subject: Center for password sanity.
...a few years back, I came to realize just how crazy password management has become. The rule comes down to this:
The password must be impossible to remember and never written down. -
Re:Error in summary
Is that you, Mordac?
-
Re:Rotate your keys
Change [your keys] periodically.
That could be dangerous advise. What kind of attack scenario are you protecting yourself against by changing keys periodically?