Schneier on Security

Clive Robinson • November 6, 2018 8:06 AM

@ Bruce,

Speaking of encryption layers, there is another one that although myself and @Nick P have talked about, does not come up very often. But is slowely getting interest in the academic community

It’s “geo-encryption” which uses not just location data but velocity and direction information as well.

I’ve talked about it on this blog also with respect to the “something you know” factor for multiple factor authentication.

This is a recent paper talking about geo-encryption for communications systems,

https://www.ijirset.com/upload/2018/february/83_Geo-Encryption.pdf

However they are actually quite a long way behind the curve on geo-encryption compared to non-academic fields of endevour, their idea was discussed to death amongst some oh a decade to a decade and a half ago.

Clive Robinson • November 6, 2018 12:02 PM

@ Me,

When the drive was to be disposed of, you deleted the old key and generated a new one. Blank drive within a second.

I do wish people would not say thst, because it’s compleatly untrue.

Erasing the encryption key does not erase the contents of the NAND Flash or other storage media the drive might use.

Because of “wear leveling” and often incorrect usage of crypto modes it becomes possible to recover some information iregardless of if you have the encryption key or not.

But there is also the question of “burn in” in both NAND and NOR Flash and other storage types. Nobody has yet come up with a definitive answer that says “burn in data recovery” is not possible.

It’s why when part of the UK Gov “contracted out” the design of an encrypted thumb drive they specifically excluded “key erasure” as a data delete method, and still required multiple “random over write” of all storage memory. Which as any hardware engineers reading along will know is not something you want to be doing if all you have is “backup battery” power to work with.

Oh one nice thing about “key erasure” is of you have central crypto-key managment. You can if you recover a drive get the data back because you centrally have the encryption key.

If your memory device has a GSM radio modual, then you can store the device key in core RAM using a RAM&Register protection scheme[1]. You put a PubKey pair in the device which enables you with care to securely transfer the data encryption key across the GSM network.

Thus it’s possible to design a hardware device that you can use where you can not reveal the password or encryption key because you genuinely don’t know them, and it takes atleast on third party to enable them. If the third party is outside the jurisdiction you are in it’s game over for law enforcment. Just in case you are worried abou the third party getting preasure put on them as @Nick P suggested having them in China would probably solve that. But to be a bit more certain I counterd with “multiparty key sharing” from several antogonistic jurisdictions, as it has the extra advantage that one or more of the third parties can lie and send a false or “duress” key share, and there is no way for any authority to know which third party or multiple third parties it was.

[1] If you design your RAM&Register protection scheme properly then you do not get “data burn in” and even if the device is captured an attacker can not recover the encryption key from examining the RAM contents. I’ve discussed how to do this before using “data shadows” with burn in protection being done from a time based interupt scheme. @RobertT also mentioned he had seen a system implemented in silicon that used a chaotic Lorenz attractor system to both hide the key and prevent data burn in. Have a read of,

https://www.schneier.com/blog/archives/2012/08/is_iphone_secur.html#c857693

And down that thread we talked about issues to do with encrypted storage in a consumer device (iPhone) and even over six years later it’s still highly relrvent today including this thread.

Clive Robinson • November 7, 2018 1:56 PM

@ Arclight,

Would this not require access to an encrypted or signed GPS datastream to prevent spoofing though?

As they say “And thereby hangs the rub”…

The US military have been trying to find a way to have “spoof-proof” GPS for years and they have not yet found a way that does not involve some kind of “secure device” that can not be accessed by anything other than a secure receiver in “classified crypto equipment”[1]. So never ever going to make it into the civilian or even other Government markets.

But there is if you take a carefull look in the paper I gave the link for, a glaring hole in their protocol. That is the authors have forgotten that you can not go faster than the speed of light thus distance equals “time shift”. Which means one of two things, either it’s vulnerable to a narrow range of “replay attacks” or the client system needs a time machine[2].

Oddly this “distance equals time shift” problem crops up all over the place not just with physicists and their “time cone” diagrams. Whilst it can not be fixed engineers can occasionaly find work arounds but at some other expense (needlessly wide bandwidth had less filter time delays and faster rise times for instance). However protocol designers rarely if ever consider it except when they start getting involved with high frequency trading… Where they can and will pay unimaginable amounts of money to tunnel through mountains to shave a few mS (~1nS per foot saved) off of communications paths. Pay millions to rent fields to stop competitors putting up radio towers and all sorts of other things, some of which like bribery are either illegal or highly questionable.

The classic one that is comming home to roost with protocol designers is “distributed database updates”. That is if your database is on three widely spaced nodes how do you deal with the update deadlock. That is node A makes a change and sends it off to node B which sends it off to node C. Provided neither node B or C update the same record in a time period less than the total propergation time it’s not an issue. If however they do you get an issue of which update takes priority. Thus the first thought solition is you use time stamps and decide on those. Only it is difficult to hold all nodes to the same time unless you use atomic clocks which need continuous adjustment for “relativistic issues”[3] for people moving at different speeds, which happens if your buildings are at different lattitudes… Having solved that you have potentially cured the “two change” issue, but not if three or more nodes make changes… But there is still a hidden issue which is “what did you make changes to” that is the nodes update at different times as it propergates across the network thus they are in effect “out of step” as it happens, any additional update during that time therefore could be on old/out of date data. People then stat thinking about “record locking” but that has other issues as NFS admins can tell war stories about. Put simply no network is reliable in it’s entirety at all times, if you issue a lock it may not happen at all nodes, another node might lock the same record before your lock gets there, a node might go down and hold a lock in some way etc etc etc. Thus simple protocols become nightmares with distributed scale. Oh and as far as we can tell there is no effective solution only partial solutions that all have issues…

And yup I have not just war stories but scars from such protocol developments.

[1] I’m not saying there is not a way to do it, especially when the US Mil also have other motives such as keeping tech out of non aligned nations hands. But I’ve not yet seen any tech that convinces me it is possible.

[2] Yes I talk of the NSA and other Gov entities building “time machines” by “collect it all” but to be secure this needs to “see into the future” not “relive the past” (which historians do all the time 😉

[3] Thankfully the 1PPS GPS signal and phase locked carrier frewuency and chip rate clock can save a great deal of expense and difficulties because the USAF in Colorado Springs does all of the corrections for you. But the “Commercial Off The Shelf” (COTS) price of equipment to do this is still eye wateringly expensive…

Clive Robinson • November 7, 2018 11:56 PM

@ carrots,

However, write a 128..256 bit password on a piece of flash paper: Data destruction at the speed you can light a match!

Yes, if you can first find a piece of flash paper large enough for 256 bits of “entropy” 😉

Then there are the issues of, if the flash paper does burn entirely to smoke, what do you get “data destruction” of? In reality “only of that copy” of the “password”, but not of anything else. Because that’s all the same as it was before you put a lit match to that piece of flash paper.

What else might or might not happen as a side effect, depends very much on the technical system being used by the user(s) and the OpSec they employ in it’s use.

So if there is a “password” backup in an envelope in the office fire safe…

Yes I’m belabouring the point, but it’s a point that unsuprisingly many people sometimes have trouble getting to grips with. Whilst jargon and similar might help speed up the communications of those who correctly understand not just the jargon but the full context in which it’s being used, it just confuses the heck out of people who don’t.

Which is a point not lost on George Orwell long befor he wrote 1984 back in 1948.

We often see the confusion with “security by obscurity”[1] it’s a “term of art” that you can not get understanding of by looking the individual words up in a dictionary.

A more technical example can be seen with programers and the use of “nonce” or even “random” which is why,

Four is a random number.

Is an “in joke”. The same as the,

Why did the cat slide off of the roof?

Is to some physicists and, the punch line of

“Oh plus a constant”

Is to some mathematicians.

I’m mindful that the readership of this blog has very varied depth and breadth, and try to address it which has had the side effects of making me look pedantic to some but bringing understanding to others (“You can’t win em all” 😉

[1] If anyone has a “one sentance explanation” that precisely and unequivocally explains “security by obscurity” to a non expert, I would not be the only one who would be greatfull of it. The Wikipedia attempt of,

In security engineering, security through obscurity (or security by obscurity) is the reliance on the secrecy of the design or implementation as the main method of providing security for a system or component of a system.

Which whilst getting close “Does not cut the mustard” with “non experts”, who will have unanswered questions from it. Due to the use of other “terms of art” and an assumption.

Clive Robinson • November 8, 2018 1:54 PM

@ Anura,

A 20-word diceware passphrase has over 256 bits of entropy.

Only if the dictionary is 7132 words or longer. Which is larger than the average persons vocabulary.

But that is beside the point I was joking about. Flash Paper is most frequently used by magicians and is usually the size of a small “hand rolling paper”.

The reason is some magicians make their own they take a packet of Rizzler papers (or what ever the local equivalent is). Lay them out and brush them down with a nitrate or permaganate solution.

The reason that they make Flash Paper that way, is that when it burns it generates enough thermal lift to float up by it’s self. What the audiance sees is what looks like a flame with a life of it’s own. You can make them coloured by adding other chemicals.

Any way unless you have teensy-weeny hand writting you would not get 26 words –from a 1024 size dictionary– on such a small piece of paper.

Clive Robinson • November 8, 2018 10:38 PM

@ Anura,

then twenty words on flash paper is probably not that big of a deal

Just how tiny is your hand writing?

Or are your cigarette “hand rolling papers” the size of Havana cigars where you come from 😉

I know the Russian’s used special printing techniques and very soluble inks to put their Spy “one time pads” on flash paper a couple of sizes bigger than cigarette papers. But if you get to see one in a Museum they are usually mounted under a large magnifying glass, otherwise you just can not read them.

Clive Robinson • November 9, 2018 7:17 PM

@ Erik, Ethan,

Apple decided to stop trusting drive-based encryption and started moving those functions into a coprocessor (“T2” chip) that they designed themselves

Apparently the T2 chip now on new hardware also stops “Linux” being put on Apple hardware hard drives. Which might upset Linus, apparently he’s been a fan of Apple hardware for a while.

https://www.forbes.com/sites/jasonevangelho/2018/11/06/booting-linux-is-impossible-on-new-apple-hardware/

Clive Robinson • November 12, 2018 2:02 AM

@ Derek,

Does this also mean that you could make it look like the drive supports encryption when it doesn’t. So bitlocker would just do nothing if enabled later?

Yup, that’s more or less the case.

Think of it this way, bitlocker can not reach through the drive electronics to the raw data in the Flash in a reliable way. Because it has to go through the drive electronics and there is no way to tell if those electronics are being honest or not.

But even if it could get honest access how could bitlocker tell the quality of the encryption? It would need to know not just the key, it would need to know the algorithm the drive used and mode it is used in.

Now consider you are a malicious actor you could get at the Flash storage in the drive electronics. It would not be difficult to come up with an algorithm that would sector by sector disable the encryption, so after a while the drive would be compleatly decrypted but you would not have seen a performance hit or much increased power drain… Oh and Flash does not clank or click like a mechanical system, so you would not get an audible clue the drive had changed behaviour either…

It’s one of the reasons I said at the top of the comments above,

The underlying problem is such that to be secure you need to have different encrption schemes at,

And went on to list the layers you need to address.

Clive Robinson • November 13, 2018 10:37 PM

@ echo,

Shorthand and other alternative writing systems may provide a form of compression.

Without redundancy there can be no entropy…

Many shorthands actually take up more page space due to trying to harness the fluidity of longhand, and still having “pot hooks” that are accurately recognisable some time later. As the article notes most are just a short term at best aide-memoire to go from dictation to typed letter. I’ve known a couple of 80-100 wpm typists, who can type as fast as most people can dictate whilst thinking about what they are saying. Oh and a couple of military telegraphists who could out type the old mechanical teletypes –KSR/ASR machines– that were supposedly good for ~90wpm.

What the article does show however is the level of redundancy in written english. It’s lack of precision, is actually one of it’s strengths, it’s lack of rigidity allows for creativity. Which in turn encorages inovation, thus progress.

It’s actually quite surprising just how much our “mother tongue” effects our outlook on life.

Clive Robinson • November 14, 2018 3:53 PM

@ echo,

<

blockquote>Did you just drive a coach over me and mansplain me?

<

blockquote>

Err not intentionally.

The “Without redundancy there can be no entropy…” is one of those jokes like “4 is a random number”, only it’s ment to be said in a neutral but monotonic voice like a “Vulcan pronouncement” or the “Their can be only one” of the highlander movies.

As for “out typing” and old mechanical teleprinter it’s one of lifes “ouch moments” as the clutch grinds and graunches and wise telemechs vanish as if by magic to some place unknown. Because adjusting that mechanism is to be blunt a right royal pain, if you follow the “official method”…

But those with grey hair know to have a pack of hand rolling cigarette papers in their tool kit, as the very much unoficial method which uses them can be way easier and many times faster.

Which brings us back to “just what can you get on a Rizzler” cigarette paper where space is somewhat short in both directions.

Thus I’m still doubtful that an ordinary mortal using ordinary pens etc will get a 256bit AES key to fit when hand written no matter how you encode it.

You could have 256 binary symbols such as a short and long vertical line, but how do you tell them apart after a long run of either. You could use 64 hex chars which you could get on but you need spaces to group them otherwise your chance of getting the sequence write is low. However each extra bit width you use doubles up the number of symbols which obviously reduces not just legability but increases potential errors so you need extra symbols for error correction, which in turn need their own error correction of a different form. So just the humidity from your hand or in your wallet will cause the ink etc to smudge reducing legability thus needing more error correction etc.

There are so many “hidden gotchas” in covert communications systems especialy of the degrading store and forward variety that has a deadmans / antiduress fast destruction features, it’s still a quite wide area of research.

There are some horror stories of the “blew up in my face” variety. There are stories of the use of cellulose papers washed in oxidizing chemicals to give high flamability and inks that are very soluble that were independently developed. But… when mixed together the ink is a catalyst to the fuel (cellulose) and oxidizer mix that makes it unstable with time.

A similar but more famous example is “exploding billiard balls”. Nitro cellulose or celluloid was the wonder plastic of it’s time and used in just about everything from shirt buttons through handles for knives and forks through piano keys and billiard balls. It turns out that nitro cellulose is a fuel oxidizer mix that over time will degrade and become a vibration sensitive explosive… The speed of the degradation is in part the general environment but also mechanical shock. Thus the billiard balls would eventually explode in blazing balls of fire.

Now any competent chemist on being told what was in the ink and paper would have warned about the danger. But as we know when secrecy is involved information gets compartmentalized, and the left hand does not see what the right does and vice verser. The result was store rooms of code books suffering what was thought to be very clever arson attacks… Because being “secret” the investigators were also kept in the dark…

The world of secrecy is full of similar left not knowing right stories…

Clive Robinson • November 17, 2018 2:02 AM

@ echo,

In effect what you write is an “all or nothing” “limited retry” password. Type it in wrong and it’s very quickly “game over”. Which even with a pristine copy is quite likely to happen, which is why I wince when I see things like,

I did not apply an error checking scheme.

It’s unfortunatly a common failing in security systems where you are expected to type in what appears to human eyes a long random string.

Which is odd because it’s long been known with hand written letters that things get mistaken…

B – 8, C – 0, D – 0, E – F,3, F – E,7, b – 6, 1 – i,I,l, 2 – 7, 3 – 8, 5 – s,S,…

Are just a few of very many errors people make when reading hand written text.

Likewise it’s also been known for a long time that hings get worse if they are not “grid aligned” and “grouped”.

Grid alignment in a mechanically typed font is usually something like a quater of a letter width block after a letter and between a quater and a half a letter hight block below a letter. With hand written letters a similar or greater spacing is usual for legability.

Grouping is used to make random memorable over a short run. There is a saying about human short term memory “five plus or minus two” which says basically the minimum we can remember is three random letters and if they were the start or end of a group. Which is why the accepted intetnational standard for “codes” is “upper case letters in groups of five letters with a single space between groups” and has been for considerably more than a century, and why the “word” of “words per minute” is “five letter average”.

With regards,

Slightly better compression could be achieved with base 36 which would save five character spaces.

Whilst 36^50 is greater than 16^64 / 2^256 you end up with a leading / terminating encoding issue as the difference is around 5.6 times larger. Humans tend not to be good with such ambiguity, especially when writing software to match it.

So what you do write should be “armoured” in some way. For very limited error detection and correction you look for one bit extra for every bit length doubling of data. So 256 bits of data would need an extra 8bits of error check as a minimum to detect / correct just one error, which is nowhere near good enough. In communications “in noisy environments” the likes of “Forward Error Correction” often send twice as many “check bits” as there are “information bits” of data. Importantly the error correction needs to be distributed across the entire information block. But in the case of writting on paper errors tend to group in two dimensions that is if you smudge a letter the eight surrounding it in the 3×3 grid are also likely to be effected thus your error correction should also be two dimensional in effect.

These are practical considerations that would be needed to make a system workable in practice over a period of time.

But sticking with HEX alphabet and 64 letters you are looking at four rows of sixteen letters. So with a 6×8 font size you would be looking at 126×44 grid area with around an 8 size boarder for 142×60 total coverage.

A Rizzler blue is 70mm x 35mm (2.76×1.38in) giving a basic point size of ~0.5mm which would need quite a sharp HB pencil, held upright when using… 0.5mm is usually considered the minimum width lead or nib size in technical drawing propelling pencils and ink pens. Having spent over half of my professional career using them I know why I tend to write in block caps in 10×15 points of 0.5mm as the minimum to be legible over time.

Clive Robinson • November 17, 2018 10:16 PM

@ echo,

Oh for God’s sake stop changing the goal posts.

Read the last paragraph, and it is not my intention to move goal posts, that is others intent.

What has happened is I made an informal comment and joke (search for havana) about “twenty words on flash paper”[1]. Others have decided to disagree and moved the goal posts and in a way that made it such that only a formal response should be given.

Thus rather than letting it drop they’ve forced me to become more formal and “show my workings” which also highlights the difference between a one off experiment and an effective system.

This is because it’s become a matter of “public record” with my name attached to it, and I’m not keen on boomerangs.

As you are aware I’ve been subject to attack by others using what are anonymous handles who have tried to be “jacks”. It’s something our host has also suffered from on several occasions and still does. Similar behaviour has forced a significant number of the more technically minded contributors off of this site. Some have gone to other sites, some have ceased commenting anywhere thus are now a lost resource to the community.

Like FOSS coders technically minded contributors to this and other sites do so out of a sense of “giving to the community” from their own experience and free time. They don’t have to do so, it’s not a requirment. Many can not contribute because of wide spread “commercial indenture” which means there are only a few at liberty to comment. Thus people should ask what the gains and losses would be if those few who can contribute stoped?

[1] For a wordlist where 256bits is covered by just twenty words the average word length especially if originally designed to make memorable paraphrases –ie lack connectives and other short words– would weigh in around 8-9 letters. Thus needing 19 spaces and 160-180 letters. Thus would be getting on for three times the length of a hex string[2]. If you think you can get close to 200 chars on a 70x35mm cigarette rolling paper with an HB pencil and have it remain legible and error free for daily usage etc over a month or so, then good luck, you’ll need it.

[2] You chose to try using HEX and yes you can get it on but at what reliability? I’ve simply pointed out that as a string of chars it’s impractical to use and will need error correction of some type, pointing out that the most suitable which is FEC will bring you back to just under 200 chars before formatting for readability.