From: Harvey Newstrom (mail@HarveyNewstrom.com)
Date: Thu Sep 20 2001 - 17:55:44 MDT
Louis Newstrom wrote,
> From: "Ken Clements" <Ken@Innovation-On-Demand.com>
> > It is now possible for someone to carry around a chip with
> > enough pre-recorded random bits in it to last longer than
> anyone can type.
>
> I wish the bad guys WOULD do something this simple. We would
> easily be able
> to recover the chips from dead bodies and have a copy of the master code.
Actually, SecureID has a pretty good solution to this.
They have a device that generates random numbers for one-time keys. Instead
of using a list, they actually use public/private key encryption with a
clock to generate a random generated time-of-day message. It is encrypted
with the senders' private key and the recipients' public key so that only
the recipient can verify it, and they can verify that the sender was
correct.
They also have a good physical security mechanism whereby the card is almost
impossible to open without destroying the data. It is metal so it cannot be
x-rayed. It has a battery that requires all parts to be in position to
maintain the charge to hold the memory active. As soon as any piece is
moved slightly in relation to any other piece, the memory instantly lose
power and the data is lost. It is so sensitive inside that any cutting,
x-raying, drilling and the like disrupts the circuit. They might even have
vibration protections. These cards have been compromised at great expense
to demonstrate that it is possible, but it is unlikely.
Also, the encryption requires a user's memorized password plus the card's
random number generator. They would have to get the password out of the
person and get the card. Killing the person first wouldn't help. They also
have panic codes, whereby the person can lie about their own password which
will cause the device to stop functioning. There is no way to know whether
the password is correct or will permanently destroy the device ahead of
time.
> Very rarely. If the NSA are watching a known terrorist, and he
> transmits a
> picture of a puppy-dog, do you really think they won't know there is a
> message?
Actually, there have been drug cases where the dealers used "untraceable"
e-mail to make deals. The prosecutors didn't have to trace the e-mail, they
just noted that every few days an untraceable message was sent, and within
an hour each time a drug deal occurred. This was statistically good enough
for them to show a cause-and-effect relationship without having to bother to
actually look at the email or prove where it went.
> I think you added the "alone" part. Harvey was saying that steganography
> does not add anything to encryption. You might as well send
> encrypted text.
> He was saying that embedding it in a picture buys you nothing.
Actually, it does buys you "obscurity". "Security by obscurity" is not bad.
It just is temporary. It works fine while no one is suspicious or
investigating. As soon as someone blabs, or someone starts investigating,
then they quickly find these things.
It is fun to try to dream up these methods. Everybody wants to be a hacker
and be able to get away with something. Security research has been trying
to dream up these solutions for decades, and then spent decades cracking
them. It is very unlikely that someone on this list will dream up an
uncrackable scheme in a few days when security experts have failed to do so
in the history of security. As with any technical field, like AI,
nanotechnology, cryonics, life-extension, space travel, stock-market
investing, quantum physics, it always looks easier at first glance. The
more you get into the technical details, the more complicated it becomes.
-- Harvey Newstrom <http://HarveyNewstrom.com> <http://Newstaff.com>
This archive was generated by hypermail 2.1.5 : Sat Nov 02 2002 - 08:10:52 MST