Forwarding Address: OS X

Monday, March 03, 2003

Usually I wouldn't deign to slam someone else's software publicly but in the case of Perfect Encryption 1.0 I think a load of debunking is in order. I'm going to give the developer the benefit of the doubt and just assume they've just skipped Crypto 101 rather than assume they're trying to con people purposely.

Prism Research is offering, for $20 US, "a suite of tools designed around the first algorithm to exceed the security of the One-Time Pad". Bollocks. Do not download this software. Do not use this software. I happily admit I haven't bothered to do so - testing the strength of crypto software simply by using it is akin to trying to test the structural integrity of a bridge by walking across it a couple of times.

Instead I'll dissect their claims one-by-one and offer counterpoints to support my disagreement with their claims.

1. Before they provide the algorithm you must pay for their software.
That's the hallmark of a scam to me. They claim to do this to abide by US export regulations but that's crap. If that were the case then no public crypto research would be underway. A simple submission to the Department of Commerce will get them all the permission for export they need within one to four months.

They also don't mention whether, in buying the software and thus receiving the algo, the owner is then prohibited from distributing the algo, but I suspect once they think of that they'll prohibit it. In a nutshell folks: never, ever, trust proprietary crypto algorithms. They're dangerous and I'd happily bet hard cash that they're fundamentally flawed.

2. More secure than a one-time pad.
A one-time pad (OTP) is the only cryptographic implementation that can be proven to be 100% secure. When generated properly an OTP is a perfect scheme. Don't believe me? Good. I direct you to page 15 of "Applied Cryptography" by Bruce Schneier: "Believe it or not there is a perfect encryption scheme. It's called a one-time pad". But hey, Bruce could be wrong so as further proof I direct you to pages 192-193 of "Handbook of Applied Cryptography" by Alfred Menezes et al: "If the keystream of digits are generated independently and randomly, the Vernam cipher is called a one-time pad, and is unconditionally secure".

Prism's misunderstanding of the principles of a one-time pad seems to stem from a misunderstanding of how a one-time pad is used. On their site they present the steps for use of a one-time pad: take your plaintext, mash it with your key, create the ciphertext. Want to read it? Take the ciphertext, mash it with the key, get your plaintext back. Done. Prism suggests that: "It basically says, if an adversary has both the plaintext and the ciphertext, he will know what the key is" and yes, that's absolutely true. But even that's not important. What Prism seems to be misunderstanding in this is that it's called a one-time pad for a reason: you only use a particular key once and then toss it.

In the case they cite above your adversary now knows everything: plaintext, ciphertext, key. So? You want to send another message you use a new key. That they have the old one gives them absolutely no help in deciphering the new one. They're back to square one. This is fundamental to the use of the one-time pad: never, ever use the same key twice. If knowing the key to one message helps in deciphering the key to another then your pad is fundamentally flawed. If your adversary has your pad of keys you don't have a cryptographic issue, you have a human resources issue.
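To make the two points above concrete, here is an added Python illustration (not code from the original post or from Prism): a byte-wise one-time pad where knowing one message's plaintext and ciphertext hands over that key, a ciphertext fits any other plaintext of the same length just as well, and the only real break comes from using the pad twice. The sample messages are constructed.

```python
import secrets


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """XOR each plaintext byte with the matching pad byte; decryption is the
    same operation because (p ^ k) ^ k == p."""
    if len(key) < len(plaintext):
        raise ValueError("pad must be at least as long as the message")
    return bytes(p ^ k for p, k in zip(plaintext, key))


otp_decrypt = otp_encrypt  # the same XOR recovers the plaintext


def recover_key(plaintext: bytes, ciphertext: bytes) -> bytes:
    """Known plaintext: holding p and c gives k = p ^ c, the observation Prism
    quotes. Harmless when k is used once. It also means any candidate plaintext
    of the same length is 'explained' by some key, so c alone says nothing."""
    return bytes(p ^ c for p, c in zip(plaintext, ciphertext))


def reused_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """If one pad encrypts two messages, c1 ^ c2 == p1 ^ p2: the pad cancels
    out and the key is never needed. This is why the pad is one-time."""
    return bytes(a ^ b for a, b in zip(c1, c2))


def demo() -> dict:
    msg1, msg2 = b"attack at dawn", b"retreat at six"   # constructed samples
    key1, key2 = secrets.token_bytes(14), secrets.token_bytes(14)
    c1 = otp_encrypt(msg1, key1)
    c2 = otp_encrypt(msg2, key2)                       # fresh pad: correct use
    return {
        # the adversary with msg1 and c1 learns key1 exactly...
        "known_plaintext_gives_key": recover_key(msg1, c1) == key1,
        # ...but key1 is useless against a message sent under key2
        "old_key_opens_new_msg": otp_decrypt(c2, key1) == msg2,
        # c1 is equally consistent with a completely different plaintext
        "c1_fits_other_text": otp_decrypt(c1, recover_key(msg2, c1)) == msg2,
        # the real failure: reuse key1 and the two plaintexts XOR through
        "reuse_leaks_p1_xor_p2": reused_pad_leak(c1, otp_encrypt(msg2, key1))
        == bytes(a ^ b for a, b in zip(msg1, msg2)),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```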

3. I have to quote this one verbatim: "the algorithm eliminates the one-time nature of the OTP. Therefore, the only possible way to crack a cipher that uses the MTP is to physically steal the key".
Those two statements make absolutely no sense together; one cannot beget the other. The one-time nature of the one-time pad is what makes it a perfect system. And theft of the key is actually the only valid attack against a one-time pad system (assuming one-time use of the keys); every other cryptographic system to date (that I'm aware of) has had at least one proposed theoretical attack levied against it, and most have had real-world practical attacks levied against them. I really doubt that Prism's system is any better.

4. Produce a 32 MB key file
My initial reaction to this was WTF? If there's one thing you take from this about cryptographic keys it should be this: size doesn't matter, much. Any algo that makes claims to its security based solely on key size should be discounted. Strength through size is a function of the algorithm used; size alone does not and cannot guarantee strength. Without knowing the algorithm it's impossible to know how the key size relates in Prism's case but know this: a key that's 32 megs is likely just a major waste of drive space.

5. Shred files 55 times
A number of fine Mac apps have provided this feature in the past. I don't have a problem with this from a cryptographic perspective, but that they've included this functionality without understanding the basics of everything else worries me. I wouldn't trust these folks within 20 feet of my computer, much less with something so fundamentally sensitive as doing multiple-sector wipes of my hard drive. Do you still feel confident trusting this software with the deletion of your critical files?

I think I've gone on longer than I intended to for this. I'm using Prism as a bit of a whipping boy to get a point across, a point that may best be summed up in the words of Bruce Schneier:

"Anyone who creates his or her own cryptographic primitive is either a genius or a fool. Given the genius/fool ratio for our species, the odds aren't very good." - Bruce Schneier

I invite the folks at Prism to rebut all my claims and evidence at their leisure. I'll happily post verbatim any response they'd care to make. I also invite them to send me their algorithm so I can pass it along to smarter folks than I for some independent analysis. And if they're worried about being busted by the Feds for public disclosure I'll happily take the heat and post it for them on mine own website, free of charge.