CipherSaber - help spread strong crypto!
Posted 27 Apr 2000 at 11:19 UTC by cdegroot
What sort of idea would you get when you browse 99 Bottles of Beer on the
Wall and The CipherSaber Home Page in short succession? Of course, the idea to
collect CipherSaber implementations and see whether it is possible to
collect a couple of hundred implementations of this useful little crypto
program - so write your CipherSaber implementation and submit it
to the CipherSaberList.
In fact, there are two lists: one with computer programs, which I think
will be interesting to most of us. The second one I hope will be even
more important, because it's a list of CipherSaber algorithm
descriptions in natural languages, which hopefully serves to
spread the algorithm even to the backwoods of the Amazonas ;-), and
furthermore to ridicule anti-crypto measures all over the world, of
course.
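For readers who want to take up the call for implementations, here is an added example (not code from the original post, the CipherSaber home page or the CipherSaberList) of the published CipherSaber construction: RC4 keyed with the user key followed by a fresh 10-byte IV, with the IV sent in the clear ahead of the ciphertext. The `rounds` parameter covers the CipherSaber-2 variant, which repeats the RC4 key-mixing loop several times; the key and message below are constructed samples. RC4's known keystream biases are why the thread treats this as a teaching tool rather than a cipher for current use.

```python
import os

IV_LEN = 10  # CipherSaber fixes the IV at 10 bytes


def rc4_key_schedule(key: bytes, rounds: int = 1) -> list:
    """RC4 key-scheduling algorithm (KSA).

    CipherSaber-1 runs the mixing loop once; CipherSaber-2 repeats it
    `rounds` times to make weak-key attacks on RC4's schedule harder.
    """
    if not key:
        raise ValueError("key must not be empty")
    s = list(range(256))
    j = 0
    for _ in range(rounds):
        for i in range(256):
            j = (j + s[i] + key[i % len(key)]) & 0xFF
            s[i], s[j] = s[j], s[i]
    return s


def rc4_xor(s: list, data: bytes) -> bytes:
    """RC4 pseudo-random generation (PRGA), XORed over `data`.

    Works on a copy of the state table so the caller may reuse it.
    """
    s = s[:]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def ciphersaber_encrypt(key: bytes, plaintext: bytes,
                        rounds: int = 1, iv: bytes = None) -> bytes:
    """Encrypt: random 10-byte IV, RC4 keyed with key||IV, output IV||ciphertext."""
    if iv is None:
        # The IV must be fresh for every message: repeating a key||IV pair
        # repeats the keystream, and XORing two such messages cancels it.
        iv = os.urandom(IV_LEN)
    if len(iv) != IV_LEN:
        raise ValueError("IV must be exactly 10 bytes")
    state = rc4_key_schedule(key + iv, rounds)
    return iv + rc4_xor(state, plaintext)


def ciphersaber_decrypt(key: bytes, message: bytes, rounds: int = 1) -> bytes:
    """Decrypt: split off the leading IV, rebuild the same keystream, XOR."""
    if len(message) < IV_LEN:
        raise ValueError("message shorter than the 10-byte IV")
    iv, body = message[:IV_LEN], message[IV_LEN:]
    state = rc4_key_schedule(key + iv, rounds)
    return rc4_xor(state, body)


if __name__ == "__main__":
    key = b"correct horse battery staple"  # constructed sample key
    msg = b"99 bottles of beer on the wall"  # constructed sample message
    ct = ciphersaber_encrypt(key, msg)
    assert ciphersaber_decrypt(key, ct) == msg
    print(ct.hex())
```

The RC4 core can be checked against the standard published vector (key `Key`, plaintext `Plaintext`, ciphertext `BBF316E8D940AF0AD3`), and an implementation submitted to the list should interoperate with any other CipherSaber-1 program given the same key and IV.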

Oh great, now we're seeing diary entries encrypted with CS.

Does anyone know of actual uses of CipherSaber where you're not posting
the key in the clear? I'd imagine not many, as you have all the
classical problems of managing keys in a symmetric environment.
Since I had seen CS (and being a bit frustrated with the needless
complexity of PGP), I had been toying with a similar thing for public
keys. But it's a hell of a lot harder to do good primality testing and
so on than implement RC4.
Anyway, I'm glad this thing is out there, if for no other reason than as
a teaching tool and to make a political statement.

I want to do a CipherSaber implementation in PocketC for the Palm.
There's way too little crypto stuff for this device, which is a pity
because it has a lot of potential...
Yes, symmetric key algorithms have their problems, but for personal use
(protect yourself against snooping spooks) that's no problem; for
communication use, something like a book-based key exchange would be
good enough for most people. Correction: make that a web-based key
exchange:
Alice and Bob agree on a number of websites (encrypted with CipherSaber
on their respective Palms), one for each day. When Alice wants to send
Bob a message, she goes to an Internet cafe for anonymous surfing, opens
the day's web site, and selects 10 words. She uses the ten words as the
key, and sends the encrypted message with the offsets of the 10 words to
Bob.
Advantage over the book-based algorithm is that it is a bit harder for
the spooks than going through your library...

On 28 Apr 2000, cdegroot wrote:
Alice and Bob agree on a number of
websites [...]
Advantage over the book-based algorithm is that it is a bit harder
for the spooks than going through your library...
Right, but the web is very vulnerable to a man-in-the-middle attack.
Imagine that Mr BadGuy has access to a proxy that Alice or Bob is using,
or has access to some routers in the network, close to the sender or
receiver: he can then see the list of pages that you are visiting. Even
if he does not know exactly what you are extracting from the page (10
words), he can get a finite list of words or numbers and use various
combinations of these for a brute-force attack. By monitoring the sites
that Alice or Bob is visiting every day, Mr BadGuy can try to guess how
the key is built.
If a pseudo-random key has to be generated, then it is better to use
several sources of entropy coming from different channels in order to
reduce the risks that Mr BadGuy can have some knowledge of all
channels. So the web-based method is good, but it should only be one
part of the key generation. The other parts of the key could be
generated from a book or file that is available to Alice and Bob, from
some words taken from a daily newspaper (assuming that both of them can
get it), from the timestamp of the message (if it is not changed during
the transmission), from the color of the tie worn by [insert name of TV
star here] on that day, and so on... Note that most of these sources of
pseudo-random data have a resolution of one day and may not be suitable
if you intend to send more than one message per day.
If you are communicating frequently with another person, then each
message could include a part of the key to be used for the next
message. Not the whole key because a spook who manages to decrypt one
message could then get all the others, but one or two letters of the key
should be enough (the other parts would be derived from another channel
as explained above). But this only works if you exchange messages
frequently, so that you can remember the new part of the key without
having to write it down or to keep a decrypted copy of the last
message.
By the way, it is usually a good idea to compress the message before
encrypting it, because it makes the brute-force attacks a bit harder.
If you select a compression method that does not insert a well-known
header in the compressed stream, then the attacker will need some
additional operations in order to be able to check if the correct key
was found or not. A good candidate for that may be zlib, which is free,
although you may have to XOR the first two bytes with some predefined
number if you really want to obfuscate the contents even more.

<blatant self-promotion>
crypted 99 bottles beer on the wall
</blatant self-promotion>
I wrote that quite some time ago, seems somewhat apropos to post it
here. This is not related to CipherSaber though, which seems quite
interesting.