tags:

views:

600

answers:

6
+15  Q: 

What is the best nuclear missile crypto system?

You are on a submarine and there is an encrypted message that you want to read. Two people must use their keys at the same time in order to obtain the plain text. What is best cryptographic primitive to use? Are the following two implementations suitable?

plain_text=decrypt(Key1 XOR key2,ciper_text,IV)

plain_text=decrypt(Key1,decrypt(key2,ciper_text,IV2),IV1)

(Assume AES256-CMAC if it matters to you.)

+1  A: 

XOR'ing the keys, while the simplist method, may not be the best. I don't think the resulting key would be random enough - if someone with key 1 was able to get their hands on the resulting key they may be able to derive key 2.

To throw further complexity into the mix, perhaps some kind of one-time pad would be a good plan. It's probably not a good idea to re-use keys for this kind of system :)

Here's an example of when reusing keys caused problems:

http://en.wikipedia.org/wiki/Venona_project

UPDATE

I've just blown the dust off my copy of Bruce Schneier's excellent Applied Cryptography, and taken a look at section 3.6 Secret Splitting. It's a different scenario, but he suggests that simply XOR'ing keys with a message is secure:

Here’s a protocol in which Trent can split a message between Alice and Bob:

(1) Trent generates a random-bit string, R, the same length as the message, M.

(2) Trent XORs M with R to generate S.

M ⊕ R = S

(3) Trent gives R to Alice and S to Bob.

Note he says nothing of whether this might be suitable for a guarding a missile launch system ;)

Cocowalla  2010-05-05 09:11:49
Yeah references are nice.
Rook  2010-05-05 09:15:04
There should be no correlation between `key1` and `key2` in *either* method - for example, both of them could simply be generated from a secure source of real random bits. This is true in either case.
caf  2010-05-05 09:49:48
@caf what I mean is that (even with both keys being completely random) if one person has one of the keys, and the resulting XOR'd key, if may be possible for then to determine the other key - or have I still got it wrong?
Cocowalla  2010-05-05 09:55:07
If a person has one subkey and the resulting key then they can *definitely* determine the other subkey. However since they already have the resulting key, this doesn't buy them anything.
caf  2010-05-05 10:14:47
@caf that's a fair point :D
Cocowalla  2010-05-05 10:15:39
Regarding Bruce's example: If R is *sufficiently* random, you are in effect using a One-time pad. Then, if either R or M is secret, it is *impossible* to get the other-half. Without the other half, it is impossible to get S. Reference: http://en.wikipedia.org/wiki/One-time_pad
Jacco  2010-05-05 11:13:19
@Jacco - It doesnt have to be an OTP to be 'sufficiently random'. It just means there shouldnt be a way to determine M from R
PaulG  2010-05-05 12:29:17
@PaulG correct. but, for it to be a One-Time Pad, it does have to be sufficiently random. If R (in the example) is truly random, the OTP is unbreakable. One-Time Pads are known to be used extensively by secret-services and military-intelligence around the world.
Jacco  2010-05-05 14:34:20
Oh I think I see what you are saying now, but I would avoid mentioning OTP's here. A OTP is (by definition) for use once only. This method of combining keys doesnt automatically make it a OTP, and infact if multiple messages use that key combination it is by definition *NOT* a OTP. Further, it could be confusing because a typical OTP could be as simple as XORing an encrypted message against a key of the same length. What we are discussing here is XORing *keys*.
PaulG  2010-05-05 15:07:28
I see your point. But: since the question is about a "nuclear missile crypto system", OTP is the very likely candidate for keeping the key secret. Each of the 2 people responsible holds 1 part of the XOR-ed key. combined, they have the key needed to access the system. Since this is 'nuclear missile system' level of security, all keys are for single use only.
Jacco  2010-05-05 16:46:25
A: 

With this, I don't see how you could implement the requirement that any two people of sufficient rank - together - will be able to read the message...

Other than that: depending on the underlying encryption algorithm, having one half the XOR'ed key may allow one to derive parts of the complete key, significantly weakening the protection.

Then again, IANAC :)

Thorarin  2010-05-05 09:27:23
Having one half of the XORd key gives you no information about the other half of the key, and subsequently no information about the complete key. See my answer.
PaulG  2010-05-05 13:10:44
+1  A: 

The second option:

plain_text=decrypt(Key1,decrypt(key2,ciper_text,IV2),IV1)

doesn't follow the requirement that both parties must use their keys at the same time. Key2 must be used before Key1, but once that happens, the first party (the possessor of Key1) can wait to decipher until a time of her choosing, leaving the second party out of the loop. This may or may not be a problem for the application.

As Cocowalla's Schneier quote suggests, XOR works, unless one of the parties can get the combined key (the decryptor may be able to keep this secret) and the other key has other uses. If the keys aren't statistically independent, the speed of XOR means the key combination step is vulnerable to guided brute-forcing (decrypt is still a bottleneck). If the keys are independent, then there's no need to figure out either partial key, nor does knowing one partial key help figure out the combined key, so a brute-force attack may as well target the combined key and ignore the parts. As caf mentions, figuring the other partial key is moot because it requires the combined key; also, you can only fire the nukes once. If one key is only used in combination with the other key (and we don't reuse passwords for different systems, right?), XOR is safe.

There are a couple of cryptographic systems that allow k-out-of-n keys to decrypt a message when used simultaneously, but I can't remember the term for them off the top of my head, and my copy of Applied Cryptography isn't at hand.

Edit: thanks to Cocowalla, the name of the scheme is "(m,n) threshold scheme". For a visual example, read "Visual Cryptography and Bit-Plane Complexity Segmentation" by Daniel Stoleru, published in Dr. Dobbs. Visual cryptography was created by Naor and Shamir, and presented at EUROCRYPT '94 (according to Doug Stinson).

Wikipedia lists still more examples of k-out-of-n secret sharing: using n points, where the secret is an k-1 degree polynomial; using k k-hyperplanes, where the secret is the point of intersection.

outis  2010-05-05 12:28:49
'Speed of XOR makes brute forcing more viable'. How so? You'll still be brute forcing every single possible combination of bits.
PaulG  2010-05-05 12:42:46
I think the term you are looking for is (m,n) _threshold scheme_ (i have access to my copy of Applied Cryptography ;) )
Cocowalla  2010-05-05 12:51:01
@PaulG: `decrypt` is still a potential bottleneck, but not key combination (hence "more viable" rather than "viable"). I should put the bit about independent/dependent keys back in. @Cocowalla: that sounds like the one. Does AC have the example using overlaid images that look like static?
outis  2010-05-05 21:35:52
+5  A: 

By XORing the keys you're guaranteeing that every single bit in Key1 can potentially be modified by every single bit in Key2 (and vice-versa). It means that the holder of Key1 has no way of calculating either Key2 or the result of XORing Key1/Key2.

Another way of stating this is that the holder of Key1 would have to brute force every single possible combination of bits to exhaust the available keyspace. The fact that he already holds one of the keys doesnt help him at all.

There are other ways of combining two keys together, but a simple XOR is all that is required when the keys are the same length.

PaulG  2010-05-05 12:48:11
It might be obvious, but it's maybe worth saying that both keys must be the same length :)
Cocowalla  2010-05-05 12:51:49
Agreed, the keys would be the same length.
Rook  2010-05-05 19:53:31
+15  A: 

XORing two randomly generated keys together to obtain the final secret is certainly secure. The general form of this is known as 'secret sharing', and there are secure algorithms that allow you to generate 'm of n' schemes, where you generate n shares, and any m are sufficient to deduce the original key.

The best known scheme is Shamir's Secret Sharing, and involves generating a random m-1 degree polynomial with the key as the constant, then sampling it at n locations, and giving those to the individuals as key shares.

Nick Johnson  2010-05-05 15:33:06
Sometimes referred to as the 'k of n' problem (look at the terms in Shamir's algorithm and I bet you can guess why)
Jason  2010-05-05 20:20:57
Great answer! This is exactly what I was looking for.
Rook  2010-05-05 22:55:48
+1  A: 

Before thinking about solutions, you probably want to think about the requirements. In the given scenario, where you have two persons that are both needed to decrypt the message it is reasonable to require that

  • each person never sees the key of the other person.

After all you want to avoid that one person just chooses a random ciphertext, pretends that this just came in, sees the key of the other person, and then notices that the ciphertext must have been a hoax. This requirement makes the decryption with option 1 difficult. Since you are using a MAC you probably also want that

  • both persons are convinced that the decrypted message is legitimate.

This seems to rule out option 2. After all how can the holder of Key2 know that the holder of Key1 decrypted correctlty and did not just replace the legitimate plaintext with one of his choosing.

I must admit that I don't know a good solution for the scenario that you describe. A potential scheme might look like this: The ciphertext is tuple c1, c2, d1, d2, where

c1 = EncryptAndMAC(Key1, Share1)

d1 = MAC(Key2, hash(Share1))

c2 = EncryptAndMAC(Key2, Share2)

d2 = MAC(Key1, Share2)

message = Share1 XOR Share2

Now both keys are needed to find the message, both parties can decrypt their shares independently without having to share their keys, and both parties can verify that the other party decrypted correctly. Of course, this is an ad-hoc protocol, so it is likely that I missed something.

Accipitridae  2010-05-06 06:58:08

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security