SECURITY
1) On the appearance of randomness
Rubberhose places extreme demands on random number generators and
ciphers. It is not enough for a generated stream to be merely
irreversible. There must be no computationally feasible way to
detect ANY (statistically significant) correlation between values
in the stream.

1.1) hash streams

As an example of a pseudo-random number stream that does not meet
these expectations, consider a stream generated by a
theoretically provably secure hash cipher, seeded with a true random
number, where successive elements are generated by:

    s_n = h(s_{n-1})

This stream can be trivially shown to be the product of a
particular hash cipher by performing the above calculation on the
suspected stream, and comparing s_n.

As an example of a stream that is acceptable, given a strong hash
cipher, consider:

    e_1 = h(true_random())
    e_n = h(e_{n-1})        where e is kept as private state
    s_n = h(e_n)
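
The check described in 1.1, as an added Python example (not part of the original document or the Rubberhose code), with SHA-256 standing in for h and a constructed seed standing in for true_random(). It assumes distinct "state"/"out" prefixes for the two uses of h in the private-state stream, because with one unprefixed h for both, s_n = h(e_n) is exactly e_{n+1} and the same check still succeeds; all function names are hypothetical.

```python
import hashlib
import os

def h(data: bytes) -> bytes:
    """SHA-256 stands in for the page's hash h (assumption)."""
    return hashlib.sha256(data).digest()

def chained_stream(seed: bytes, n: int) -> list[bytes]:
    """Rejected stream: s_n = h(s_{n-1}); each output is the next input."""
    out = [h(seed)]
    while len(out) < n:
        out.append(h(out[-1]))
    return out

def same_hash_private_stream(seed: bytes, n: int) -> list[bytes]:
    """e_n = h(e_{n-1}), s_n = h(e_n) with one unprefixed h for both steps."""
    out, e = [], h(seed)
    for _ in range(n):
        out.append(h(e))   # s_n = h(e_n), which is also e_{n+1}
        e = h(e)
    return out

def separated_private_stream(seed: bytes, n: int) -> list[bytes]:
    """Same structure, but state update and output use distinct prefixes
    (assumption added for this example), so no output is a hash input."""
    out, e = [], h(b"state" + seed)
    for _ in range(n):
        out.append(h(b"out" + e))
        e = h(b"state" + e)
    return out

def chain_links(blocks: list[bytes]) -> int:
    """Distinguisher: count adjacent blocks where h(block) == next block."""
    return sum(h(a) == b for a, b in zip(blocks, blocks[1:]))

if __name__ == "__main__":
    seed = b"constructed seed, stands in for true_random()"
    for name, blocks in [
        ("chained", chained_stream(seed, 64)),
        ("same-hash private state", same_hash_private_stream(seed, 64)),
        ("separated private state", separated_private_stream(seed, 64)),
        ("os.urandom control", [os.urandom(32) for _ in range(64)]),
    ]:
        print(f"{name:26s} links={chain_links(blocks)} of 63")
```
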

1.2) symmetric ciphers

When non-random data is encrypted with a theoretically perfect symmetric
cipher the result can, depending on mode, be trivially detected as the
result of a suspected cipher rather than a stochastic process.

1.2.1) ECB

In ECB, non-randomness can be detected simply by looking for identical
ciphertext blocks with a prevalence greater than the normal variation of
the birthday paradox would otherwise lead one to expect.

1.2.2) CBC

In a worst case scenario, uniform plaintext is being encrypted
(e.g. all zeros), where

    E is a family of encryption functions
    E_k is an individual within that family

then

    c_n = E_k(c_{n-1}) of c_n bits

where

    c_n is a ciphertext block

    if c_n is l bits wide, then E_k(c_n) is a transform

        l -> l'

Since only c_{n-1} is variable, it fully predicts the output
of E_k.

If ever a ciphertext block appears more than once, there is a
cycle. Assuming an E_k that rarely produces cycles, this will occur on
average in 2^(l/2) blocks. Detection of the cycle shows that the
stream is not truly random, provided such detection is likely to be
more frequent than chance. It is possible that cycles will occur much
sooner. For example, in some block ciphers, encrypting twice is the
same as decrypting once. For such ciphers, the amount of repeating
plaintext required to set off a cycle can be as low as three blocks.

1.3) Proof of the resistance of certain ciphers and ciphertexts

Non-lossy n->n bit ciphers are completely resistant to random/non-random
discrimination when the plaintext is truly random:

    There exists a function f (encryption), which when applied to a
    truly random sequence of bits of length n,
    produces another sequence of length n, i.e.

        c = f(p) where len(c) <=> len(p) <=> n

    There also exists an inverse function f'
    (decryption), such that

        p = f'(c)

    Suppose c can be shown to be the result of some
    unspecified non-stochastic process. This fact can be
    expressed in no less than one bit of information,
    which must come at the expense of other information
    already in c. However, as p is incompressible and
    fully recoverable from c via f', this is impossible.

2) On the application of symmetry
The fundamental basis under which rubberhose aspects are kept deniable
is the application of symmetry `that which I do to myself is
indistinguishable from that which you do to me'. The application of
this principle is likewise symmetric `that which I do to you is
indistinguishable from that which you do to yourself'. It is
impossible to overestimate the importance of this principle. It is the
essence of rubberhose deniability. All other conclusions flow from it.