I assume that yours is not a 'philosophical' but rather a mathematical or engineering endeavour? The Ellis doc at www.cesg.gov.uk/ellisint.htm gives some of the background to non-secret cryptography - key management. I confess that I find the idea of information protection using PKE illogical and even with a highspeed encryption engine in hardware the practicalities of syncronisation, error correction, etc for streaming data seem doubtful. For key or seed distribution and authentication the value of PKE is well established. If you have a quantum engine available streaming would certainly be possible using PKE but rather a waste of a good engine.:-)
Firstly keep the number to a minimum - for minimum password length of 8 characters 8 passwords is about the maximum users can cope with using this system. Users are required to think of a quotation, poem, a passage from a play, etc. which they ALREADY remember. Security administrators produce a card for each 'work-group', one per user. The card has the letters of the alphabet printed in any order, even random, in one column or line and a random selection of keyboard characters in a parallel line or column. Cards are replaced at 6 month intervals with a new combination of characters. The user simply spells out the remembered 'key' to themselves, one letter at a time, with the card to hand, looks at the alphabetic column/line and selects the corresponding code character for entry. When the card is kept 'private' this method of remembering passwords is far more resistant to cryptographic techniques than the machine on which it is being used. The habit of some users sticking the card on their VDU/terminal - "in case I loose it" should be discouraged - this makes the system vulnerable to cryptographic techniques. Loosing a card is no big deal anyway, as co-workers in the same 'group' have an identical card which may be borrowed to log in. Lost cards should of course initiate the replacement of all cards for the 'work-group'.
Quite! There are no 'secure systems' in the public domain, the best we can aspire to are 'Trusted systems'. 'System'is the operative word - everything and everyone involved in the handling, processing, transmission and storage of information is/are part of the system. A failure in any one part renders every other precaution useless. I would suggest that the question to be asked first is who wants to access personal medical records and how valuable such information would be to them? If someone had a life insurance policy for $10x10^6 and a 'pre-existing' condition, I would suggest that it would be in someones interest to discover a pre-existing condition which may not have been disclosed. The financial rewards would warrant the effort and cost. Legislation is also part of the 'system'; without any personal data privacy legislation US citizens are somewhat vulnerable. Good advice from NSA at NIST is helpful.
Slashdot Mirror
I assume that yours is not a 'philosophical' but rather a mathematical or engineering endeavour? The Ellis doc at www.cesg.gov.uk/ellisint.htm gives some of the background to non-secret cryptography - key management. I confess that I find the idea of information protection using PKE illogical and even with a highspeed encryption engine in hardware the practicalities of syncronisation, error correction, etc for streaming data seem doubtful. For key or seed distribution and authentication the value of PKE is well established. If you have a quantum engine available streaming would certainly be possible using PKE but rather a waste of a good engine.:-)
Firstly keep the number to a minimum - for minimum password length of 8 characters 8 passwords is about the maximum users can cope with using this system. Users are required to think of a quotation, poem, a passage from a play, etc. which they ALREADY remember. Security administrators produce a card for each 'work-group', one per user. The card has the letters of the alphabet printed in any order, even random, in one column or line and a random selection of keyboard characters in a parallel line or column. Cards are replaced at 6 month intervals with a new combination of characters. The user simply spells out the remembered 'key' to themselves, one letter at a time, with the card to hand, looks at the alphabetic column/line and selects the corresponding code character for entry. When the card is kept 'private' this method of remembering passwords is far more resistant to cryptographic techniques than the machine on which it is being used. The habit of some users sticking the card on their VDU/terminal - "in case I loose it" should be discouraged - this makes the system vulnerable to cryptographic techniques. Loosing a card is no big deal anyway, as co-workers in the same 'group' have an identical card which may be borrowed to log in. Lost cards should of course initiate the replacement of all cards for the 'work-group'.
Quite! There are no 'secure systems' in the public domain, the best we can aspire to are 'Trusted systems'. 'System'is the operative word - everything and everyone involved in the handling, processing, transmission and storage of information is/are part of the system. A failure in any one part renders every other precaution useless. I would suggest that the question to be asked first is who wants to access personal medical records and how valuable such information would be to them? If someone had a life insurance policy for $10x10^6 and a 'pre-existing' condition, I would suggest that it would be in someones interest to discover a pre-existing condition which may not have been disclosed. The financial rewards would warrant the effort and cost. Legislation is also part of the 'system'; without any personal data privacy legislation US citizens are somewhat vulnerable. Good advice from NSA at NIST is helpful.