Hand Ciphers

Recondite49

With worries about famous encryption programs like Truecrypt being compromised and rumours of hardware keylogging being commonplace, I was wondering if anyone had given any thoughts to good old fashioned hand ciphers?

I think most security inclined people dismiss them out of hand (no pun intended) as a modern computer could crack most conventional ciphers like Caesar or Vignere in a matter of seconds.

Having said that there are some pen and paper methods which could be used to protect your messages.

A one time pad cipher would offer perfect security provided you kept your pad of random numbers safe and the numbers were truly random (Bruce Schneier invented one called the Pontifex Cipher for those that are interested).

Another favourite of mine is a book cipher, which simply represents words or letters in any given piece of text. One famous one which supposedly reveals the location of buried treasure is the 'Beale Cipher', one of the papers for which uses the US Constitution as a key text.

While this wouldn't necessarily be PRISM proof, it would be proof against hardware and software keyloggers, so any thoughts people? Pointlessly paranoid or sensible step?

Khannie

OTP doesn't guarantee integrity. Just saying.

Recondite49

Khannie wrote: »

OTP doesn't guarantee integrity. Just saying.

Well it provides perfect theoretical security, however in practice it can be compromised if anyone gets their hand on the code book. They can have their uses though - The Red Phone between Washington and Moscow uses one as naturally the pad can be kept safe in the respective Presidents' offices!

The usual warnings as well that the numbers must be truly random and that each sequence is only used once then destroyed securely. However provided these stipulations are met it's mathematically possible to prove that the cipher cannot be broken.

Anonamoose

Truecrypt broken.... May switch to windows 8 now......OUCH

Recondite49

Anonamoose wrote: »

Truecrypt broken.... May switch to windows 8 now......OUCH

Don't forget to use Bitlocker :-p

Anonamoose

Recondite49 wrote: »

Don't forget to use Bitlocker :-p

It's yer only man....

Khannie

Recondite49 wrote: »

Well it provides perfect theoretical security, however in practice it can be compromised if anyone gets their hand on the code book. They can have their uses though - The Red Phone between Washington and Moscow uses one as naturally the pad can be kept safe in the respective Presidents' offices!

The usual warnings as well that the numbers must be truly random and that each sequence is only used once then destroyed securely. However provided these stipulations are met it's mathematically possible to prove that the cipher cannot be broken.

They can't be broken, but they can be tampered with. I can't remember the details, but OTP on its own does not guarantee message integrity.

Recondite49

Khannie wrote: »

They can't be broken, but they can be tampered with. I can't remember the details, but OTP on its own does not guarantee message integrity.

Hi Khannie,

Well as I said, the data you use has to be truly random (think background radiation, white noise etc.), each pad has only to be used once and of course you need to keep the pad safe from prying eyes.

Provided these conditions are met, the pad offers perfect secrecy in theory, there's even a mathematical proof of it which I found on Google but sadly I can't post links yet!

Why doesn't everyone use OTP's to protect their data then? Well firstly to be truly secure you can't send the pad over the wire so you'd have to meet with your correspondents regularly and exchange pads - for an organisation like the military who share thousands of messages a day with thousands of people this is a logistical nightmare.

The other reasons are due to the stipulations I outlined above.

Ensuring the numbers are random can be difficult (in the novel Cryptonomicon a OTP is broken as the method used is to ask old ladies to draw bingo balls from a basket while blindfolded. Inevitably some ladies get bored and stop looking away when removing the numbered balls, which means the pad started following a predictable pattern).

Even if you did slap the old ladies on the wrist and force them to wear blindfolds, others might not have the resources of Mi6 to hire an army of elderly minions to generate random numbers in this way, which means these days they might use a less secure method like relying on a software random number generator which will use repeated and predictable patterns. (Incidentally I'm engaged in a pet project at present to build a hardware Random Number Generator, still grappling with the soldering iron, watch this space..!)

Keeping the code book safe can also be difficult. If it's on board a submarine it's one thing but if you're an agent in foreign territory it can prove problematic. During the Cold War one OTP was discovered inside a hollowed out nickel, such were the lengths gone to by the Russians to keep them safe. In practice however the OTP was broken due to defecting agents explaining how it worked and also recovering the pads from captured enemy spies, whereas less theoretically secure ciphers like the VIC cipher weren't broken through Cryptanalysis.

Compare and contrast with ciphers like the AES Cipher which while not theoretically secure, in practical terms it would usually take so long to crack encrypted data, it's not really worth it through cryptanalysis alone.

Of course you can combine the two, I was just wondering about people's thoughts on whether this was needlessly paranoid or impractical.

Recondite49

Update : It seems the powers that be have now allowed me to post links:

Mathematical proof of the perfect security afforded by OTP provided above stipulations are met (security of pads, truly random data which is never reused) available here:

http://squall.cs.ntou.edu.tw/CryptoIntro/97SpringFC1/FC02_PerfectSecurity.pdf

What I find reassuring about this is that there is a way to make sure that even a Quantum Computer couldn't decode your traffic via analysis alone. Of course if your adversary is a domestic intelligence agency they may simply arrest you and bludgeon you with a baton until you reveal where the pad is (see Lead Pipe Cryptanalysis), so perfection is relative. :-D

Blowfish

Recondite49 wrote: »

Update : It seems the powers that be have now allowed me to post links:

Mathematical proof of the perfect security afforded by OTP provided above stipulations are met (security of pads, truly random data which is never reused) available here:

http://squall.cs.ntou.edu.tw/CryptoIntro/97SpringFC1/FC02_PerfectSecurity.pdf

What I find reassuring about this is that there is a way to make sure that even a Quantum Computer couldn't decode your traffic via analysis alone. Of course if your adversary is a domestic intelligence agency they may simply arrest you and bludgeon you with a baton until you reveal where the pad is (see Lead Pipe Cryptanalysis), so perfection is relative. :-D

OTP provide perfect secrecy sure, but on their own don't have any guarantees of integrity. i.e. if someone intercepts the OTP message and knows roughly what the message is about, they can flip a few bits in it and forward to the intended recipient. When decrypting, the OTP 'algorithm' has no way of knowing that the message has changed.

Khannie

Recondite49 wrote: »

Provided these conditions are met, the pad offers perfect secrecy in theory, there's even a mathematical proof of it which I found on Google but sadly I can't post links yet!

Perfect secrecy, yes, but not message integrity. So you can screw with someone's intercepted message and they'd never know it.

edit: Oh, blowfish just said that.

Recondite49

Khannie wrote: »

Perfect secrecy, yes, but not message integrity. So you can screw with someone's intercepted message and they'd never know it.

edit: Oh, blowfish just said that.

Hi Khannie,

Well it's certainly possible to change some digits around so the resulting output is gibberish. You could even go one further and intercept the message altogether so it never reaches its intended recipient.

Of course this is no more true for the OTP than it is for any other Cipher.

Fortunately gpg provides us with a neat solution to verify the integrity of a message by signing it with your private key.

Of course a third party could still change around the bits in the message but you'd then have a way of knowing that it had been tampered with. This would have the added advantage of making sure that the pad itself hasn't been intercepted by an adversary.

So - OTP message signed by gpg - best way forward?

Recondite49

Blowfish wrote: »

OTP provide perfect secrecy sure, but on their own don't have any guarantees of integrity. i.e. if someone intercepts the OTP message and knows roughly what the message is about, they can flip a few bits in it and forward to the intended recipient. When decrypting, the OTP 'algorithm' has no way of knowing that the message has changed.

Hi Blowfish,

Thanks for your thoughts. Are you sure though that the recepient would know the message hadn't been tampered with, even if you didn't sign it with gpg as I suggested below?

Let's say you combined the numerical equivalent of the letter 'e' (5) with a random number 7. The resulting output would be 12. You could of course then change that number 12 to 17, so that the letter 'e' read instead as 'j', however surely this would be fairly noticeable upon decryption?

Also if you're in possession of the only copy of the encrypted message wouldn't it be easier just to destroy the whole thing rather than scramble a few digits here and there?

Khannie

Ah, now signed is different to a pure OTP. GPG does provide message integrity. You're not going to GPG sign something by hand though.

Recondite49

Khannie wrote: »

Ah, now signed is different to a pure OTP. GPG does provide message integrity. You're not going to GPG sign something by hand though.

Interesting thoughts!

The way I had envisioned doing this was preparing the OTP offline by hand but then typing into a machine and sending over the internet, possibly combined with gpg. As you know the best form of security is layered.

Having said this, I don't think we need to be overly concerned if someone wanted to write their OTP on the back of a postcard instead.

Firstly as we discussed already, the OTP is no more susceptible to this than any other form of communication and while it's true it may be possible to mess around with the digits, it would be far easier for an adversary simply to shred the postcard or keep the whole thing to themselves if they simply wanted to obfuscate your comms.

It's true that if a portion of the message were known then it would be possible so substitute a different message of the same length.

All the threat models I've seen for the OTP involve knowing the plain text of the message (or a part of it) in the first place. This would mean that the pad itself had been compromised - a general idea of what the message is about or who it's from would not do, an adversary would need to know exactly where the message was encoded and the exact plain text in order to change it in a way which is useful to them.

I'm sure you'll agree under these circumstances, establishing the provenance of a message would be something of a moot point! Also this would only be possible to do for any given particular message - the adversary would need to know the plain text of each message sent with each stream of random numbers in order to forge messages.

Having said this I was wondering if there's a way to do this by hand and also ensure the integrity of the message?

Of course you could write down the Message Authentication Code, hash or similar of a message by hand prepared using an offline computer and mail this but it could be a touch laborious... Similarly you could prepare the message on a machine with an air gap and send a burned CD or similar to your intended recipient.

The nature of the OTP is such that you could safely repeat the message multiple times, provided you kept using truly random numbers. As long as your adversary didn't know the exact length of the message, their chances of distorting it beyond recognition or altering key parts would be reduced proportionately provided you used a different pad for the repeated message.

(Numbers stations used by intelligence agencies repeat the sequences automatically so spies in enemy territory can double check that they've written down the ciphertext correctly before decryption as many times as they wish. Tuning in to a dedicated SW radio frequency also helps ensure the provenance of the message, we should be so lucky!).

Although this wouldn't be secure as some form of MAC or check sum it would be possible to include a previously agreed codeword or answer to a security challenge question within the message too. Of course if the sender's pad has been compromised they might be compelled to hand this over too.

Recondite49

My august co-worker has also pointed out that if the OTP is written on a post card, wouldn't the recipient recognise that it wasn't your writing if some or all of it was substituted?

Having said this I've heard of handwriting experts used by the government (the French Police put this to good effect in 'Day of the Jackal' to lure in the OAS' hired muscle Kowalski).

Probably the most practical methods would be to send the message several times using different pads on different days. Of course this would have to mean time is on your side, plus if the entire OTP was seized then it wouldn't be much good to you as subsequent messages could be encoded using the random numbers.

Of course the security of the OTP itself is dependent on the stipulations outlined above, including keeping the pad safe, so as long as these are met, the integrity of the message will not be altered in a meaningful way by definition unless the digits are obfuscated through human error or non malicious interference such as a poor radio signal.

BoB_BoT

Anonamoose wrote: »

Truecrypt broken.... May switch to windows 8 now......OUCH

Truecrypt isn't broken, it's just discontinued. Might be worth reading this https://www.grc.com/misc/truecrypt/truecrypt.htm

Recondite49

BoB_BoT wrote: »

Truecrypt isn't broken, it's just discontinued. Might be worth reading this https://www.grc.com/misc/truecrypt/truecrypt.htm

Hi Bob,

Thanks for your post - interesting reading. I agree with the notion that although the developers might be done with Truecrypt, the rest of us aren't.

I don't suppose you saw my separate post about the program tc-play? It runs from Linux command line. Not as visually appealing as Truecrypt but it has all the functionality (multiple ciphers, hidden volumes) without any of the worrying licensing issues.

The only thing it can't do is encrypt your whole OS but I'd say that anyone who takes their security seriously would be using a non Windows machine anyway.

Khannie

Recondite49 wrote: »

anyone who takes their security seriously would be using a non Windows machine anyway.

Yeps.