Slashdot Mirror


Israeli Firm Claims Unbreakable Encryption

Several readers have pointed to an Israeli company's claim of achieving unbreakable encryption. The linked article reports this claim uncritically. Do you think there's such a thing as unbreakable encryption? This isn't the first time someone's made this claim, or second, or third ...

9 of 631 comments

  1. Snake oil by Scarblac · · Score: 4, Insightful

    From the article:
    "Most of the encryption community called our product snake oil," says Backal. "Everyone competed to throw stones at us and didn't bother trying to understand the product."

    So, 1) They have an unbelievable claim (unbreakable encryption) and 2) the extremely knowledgeable encryption community, who have much experience with breaking encryption, has seen their product and calls it snake oil.

    It is snake oil. Move along.

    --
    I believe posters are recognized by their sig. So I made one.
  2. PRACTICALLY unbreakable by Anonymous Coward · · Score: 4, Insightful

    Their glick is using a 1MB long key (4000 times longer than current encryption methods). They say it's going to be the strongest in the next 5-6 years.

    The title "unbreakable" was created by the journalist (and it appears to have worked, they got a story in slashdot).

  3. Re:One Time Pad by jtdubs · · Score: 5, Insightful

    One time pads are not uncrackable by definition. They have two weak points.

    1) The generation of the pads.

    One time pads are as crackable as your method for generating the pads. If your pad is TRULY random then it can't be cracked via statistics and probability. You must also be sure that no one else saw the pads or had access to the same entropy pool you used to generate the pads.

    2) The distribution of the pads.

    Both parties need a copy of the pad for it to work. How do the parties get the pads? Is this process secure? If not, then the quality of the pad is moot.

    Justin Dubs

  4. Re:Exceptionally random cipher text by jtdubs · · Score: 4, Insightful

    By using a non-software-based, outside source of entropy. Send up a weather balloon connected to your serial/parallel port. Retrieve real-time data, discard a few of the most significant figures, and use the rest.

    In other words, there are many ways.

    Justin Dubs

  5. The telltale signs of snakeoil encryption by philipsblows · · Score: 5, Insightful

    From the press release or whatever that is:

    Meganet Corporation's founder, Saul Backal, claims that its solution can put an end to these problems. Meganet offers a patented non-linear data mapping technology[1], called VME (Virtual Matrix Encryption)[2], that creates exceptionally random cipher text[3] and combines it with a one million-bit key[4], which is unheard of in today's data security markets. Competing solutions offer a maximum of 256 bits[5].
    "There is nothing stronger in existence,"[6] says 38-year-old Backal, a dual Israeli-U.S. citizen[7] who was a tank commander in the IDF in the Lebanon war[8]. "All other encryption methods have been compromised in the last five to six years."[9]
    • [1] A cool, wordy name for this new, fantastic technology
    • [2] An even cooler, trademark-able acronym
    • [3] Hand waving
    • [4] An excessively-large encryption key, to impress us
    • [5] A dig on current encryption key size, since smaller keys == less encrypted...
    • [6] Outlandish claim
    • [7] Mysterious lineage of the founder. Hmmmmm.
    • [8] Tank commanders. Does anyone understand encryption better than these guys?
    • [9] Article claims this one has been in development for 11+ years... see how long it takes to cryptanalyze having appeared on slashdot!

    Even though this is probably bogus, the prize for breaking it looks interesting

    In an attempt to prove VME's strength, Meganet began offering prizes such as a Ferrari or $1m. to anyone who could break into a VME-protected file. So far, two million people have attempted to crack the code, but none have managed.
  6. Re:256 Bits? I think not. by MortimerK · · Score: 4, Insightful
    Seriously, though. Who uses a 256 bit key anymore? AFAIK, the suggested key size is at least 1024 bits.

    You're ignoring the distinction between symmetric and asymmetric cryptography.

    Symmetric cryptography uses only one key for encryption and decryption. For such a key, 256 bits is quite secure.

    Asymmetric cryptography uses a public key for encryption and a different, private key for decryption. If using the RSA algorithm then yes, anything less than 1024 is insecure. (Elliptic Curve Cryptography is also asymmetric but is still strong at less than 1024 bits.)

    Meganet's algorithm is symmetric.

  7. Re:One Time Pad by God!+Awful+2 · · Score: 4, Insightful

    Whoever modded this up as anything but funny is an idiot. Of course distinguishing the correct answer from random text is part and parcel of cracking the code.

    I bet when this guy takes a multiple choice exam, he just fills in *all* the boxes, and then claims that he got every answer right.

    -a

  8. Broken Scheme: Reuse of a One Time Pad by Burstwave · · Score: 4, Insightful

    This crypto scheme is weak and can be rapidly broken by a brute force approach. It requires a common private key sequence that is shared among multiple users of the software; each user uses this common key to encrypt messages along the matrix. Matrix values are shared amongst all users with a common "serial number prefix." The encrypted "message" that is created is not actually the message; it is a bit sequence that points at positions within the matrix. The software locates each bit position to give a readout of the character at that step. Although the matrix undergoes convolutions as decryption occurs, supposedly making it more "uncrackable," ultimately the reduction of this method requires re-use of a one-time pad (the "virtual matrix"). Reuse of a one-time pad turns an unbreakable encoding into something insecure and breakable. That is ultimately the largest weakness of this algorithm.

    Here's the telling bit in the patent scheme (US 6,219,421):
    "A message may be secured in accordance with various options specifying an intended audience, including "global," "specific" and "private" options. "Global" allows anyone having a copy of the data security software to decrypt the message providing that person has the correct keys and is able to supply parameters matching those with which the message was secured. "Group" allows the possibility of successful decryption by any of a number of users within a group identified by its members having copies of the software program with a common prefix. "specific" allows only a user having a particular numbered copy of the software program to decrypt. Finally, "private" allows decryption only by the same software copy used to secure the message originally. Without the correct keys and parameters, it is impossible for the message to be unlocked. The present invention further enhances security by allowing definition of a date range where the data can be decrypted correctly, hence preventing lengthy efforts to break the code by brute computational force."

  9. This used to be called Power One Time Pad by Zeinfeld · · Score: 4, Insightful
    This scheme looks very similar to a scheme that Ron Rivest sent to me called Power One Time pad about eight years ago.

    Ron had had a fax from the inventors claiming that the scheme had been endorsed by several well known names in the crypto world who I won't mention for reasons that will become apparent including one of my colleagues on a Web standards board.

    There wasn't enough information in the press release to determine whether the scheme was bogus so I did the obvious thing and called up one of the people who was alleged to endorse it. Turned out that he did nothing of the sort, he thought it was snake oil but had been asked a different question, who should he talk to to get it adopted as a standard. The snake oil peddlers had then approached Ron saying that 'S. recommended that he talk to them', clearly implying that S. recommended the scheme.

    This matrix scheme looks very much like Power One Time Pad, it has the same million bit key. According to the patent application the scheme appears to be a variant of the Playfair cipher which was cracked in WWI.

    The competition means absolutely nothing. Any scheme can be made uncrackable if it uses a key length that is greater or equal to the amount of data encrypted. The point is that such schemes are almost completely useless.

    The claimed $1 million prize is not convincing; experience has shown that companies that make such offers rarely pay them out even if the scheme is broken. In short the actual value of the prize is:

    Amount x Probability of Payment x Probability of cracking - cost of time.

    The challenge is in any case over. I can't find out how long the challenge was offered for.

    As I said before, I can set the rules for a competition so that the competition is unwinnable even though the cipher is broken.

    For example consider creating a cipher using the declaration of independence which for the sake of argument we will consider to be perfectly random (it is not). The cipher consists of choosing a random starting point in the declaration and then XORing the plaintext with the declaration to create the ciphertext. I can generate one unbreakable ciphertext simply by making the plaintext shorter than the declaration.

    I note that the current challenge text is distributed in a 53Kb Zip file, that would be 424,000 bits or so, considerably less than the alleged million bit key. Give me a few hundred Mb of ciphertext however and we might have a contest.

    The weird thing is the claim to have a contract with the department of Labor to supply an encryption scheme that is not endorsed by NIST. That would appear to breach several procurement guidelines. Also I can't find any record of any contract of that type on the Department of Labor site.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
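
The following is an added example, not part of any comment above: a Python sketch of the point made in comments 8 and 9, that a pad used once on a message no longer than the pad is consistent with every candidate plaintext, while the same pad segment used twice leaks the XOR of the two plaintexts. The toy cipher, function names and sample messages are constructed for illustration and are not Meganet's VME.

```python
import secrets

def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(pad: bytes, offset: int, plaintext: bytes) -> bytes:
    """Toy pad cipher: XOR the plaintext with pad bytes starting at offset."""
    if offset + len(plaintext) > len(pad):
        raise ValueError("plaintext runs past the end of the pad")
    return xor(plaintext, pad[offset:offset + len(plaintext)])

def key_explaining(ciphertext: bytes, candidate: bytes) -> bytes:
    """Pad segment under which ciphertext would decrypt to candidate.

    One exists for every same-length candidate, so a single short
    ciphertext cannot confirm any guess (the unwinnable contest).
    """
    return xor(ciphertext, candidate)

def recover_second(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Pad reused at the same offset: c1 ^ c2 == p1 ^ p2, so knowing
    (or correctly guessing) p1 yields p2 without ever seeing the pad."""
    return xor(xor(c1, c2), known_p1)

# Constructed sample data: one shared random pad, two users, same offset.
PAD = secrets.token_bytes(64)
P1 = b"MEET AT THE NORTH GATE 0600"
P2 = b"WIRE FUNDS TO ACCOUNT 77141"
C1 = encrypt(PAD, 8, P1)
C2 = encrypt(PAD, 8, P2)

if __name__ == "__main__":
    # Single use: a decoy plaintext fits C1 just as well as the real one.
    decoy = b"NOTHING TO REPORT TODAY ..."
    print(xor(C1, key_explaining(C1, decoy)))
    # Reuse: the pad cancels out of the two ciphertexts entirely.
    print(xor(C1, C2) == xor(P1, P2))
    print(recover_second(C1, C2, P1))
```

The design consequence is that a pad-style scheme is only as strong as its guarantee that no pad segment is ever applied to more than one message, which a key shared across many copies of the software cannot provide.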