“Product X”

 I recently heard about an authentication product, let’s call it “Product X”.   According to their website:

Product X . . . implements the equivalent of a “one-time pad” system – the most secure communication possible.

Product X uses applied physics to defeat all known Internet authentication threats.

Sounds good, maybe too good.  Can we trust it?

Cryptographic Snake Oil

Serge Hallyn introduced me to the term “cryptographic snake oil”, which is explained at http://www.interhack.net/people/cmcurtin/snake-oil-faq.html:

Good cryptography is an excellent and necessary tool for almost anyone. Many good cryptographic products are available commercially, as shareware, or free. However, there are also extremely bad cryptographic products which not only fail to provide security, but also contribute to the many misconceptions and misunderstandings surrounding cryptography and security.

 

Why “snake oil”? The term is used in many fields to denote something sold without consideration of its quality or its ability to fulfill its vendor’s claims. This term originally applied to elixirs sold in traveling medicine shows. The salesmen would claim their elixir would cure just about any ailment that a potential customer could have. Listening to the claims made by some crypto vendors, “snake oil” is a surprisingly apt name.

The snake-oil-faq is a fun website with a lot of information.  Regarding “one-time-pads” it says: 

A vendor might claim the system uses a one-time-pad (OTP), which is provably unbreakable.

 

Snake oil vendors will try to capitalize on the known strength of an OTP. But it is important to understand that any variation in the implementation means that it is not an OTP and has nowhere near the security of an OTP.

 What are One-time-pads, and why are they “unbreakable”?

 A One-time-pad is a key as long as the message.  Each byte of the OTP is generated with an unpredictable random process. 

 The sender and receiver each need a copy of the OTP and must insure no one else has a copy. The OTP should be physically exchanged, not transmitted.

 Each byte of the OTP is only used once – so there is no “statistical pattern” that an adversary could use to crack the message.  (More info is at: http://en.wikipedia.org/wiki/One-time_pad.)

The unbreakability of one-time-pads rests on three factors:

1. Every byte in the OTP is generated by a truly random (unpredictable) process.

2. Every byte in the OTP is used only once.

3. The sender and recipient insure that no one else could have a copy of the pad.

When these are true, the OTP is unbreakable – there is no vulnerability that can be exploited.

How Product X works (I think)

Note: This is not a comprehensive evaluation of “Product X”, but rather my personal quick comparison of the  information on their website to One-time-pads.  Their website does not have a complete technical description, so I’ve made some assumptions that could be inaccurate.

 If I understand correctly, “Product X” works like this:

 - “Product X” uses a USB device and some software to provide secure authentication (login) from the user’s client system to a remote server.

- The user supplies a User ID and a Password on the client system.

- The User ID is sent to the server software, which selects an “index” that is sent back to the client.

- The “index” and secure information in the USB device create a “one-time password”, claimed to be equivalent to a One-time-pad.

- The “one-time password” is used to securely transmit the User’s password to the server.

Is “Product X” the equivalent of a one-time-pad?

 Let’s look at the factors that make one-time-pads unbreakable:

1. Every byte in the OTP is unpredictable.

I will assume they got this right.   You can use random.org, or several other techniques.

2. Every byte in the OTP is used only once.

I don’t think this is the case.  I believe the “index” sent back from the server, works with the USB device to “randomly” select a pad.  If enough logins happen, eventually pads will get re-used.

The Snake Oil website says:

OTPs are seriously vulnerable if you ever reuse a pad. For instance, the NSA’s VENONA project [4], without the benefit of computer assistance, managed to decrypt a series of KGB messages encrypted with faulty pads. It doesn’t take much work to crack a reused pad.

How soon are pads reused?  The “Product X” website mentions “billions”, but doesn’t give specifics.

3. The sender and recipient insure that no one else could have a copy of the pad.

I don’t think this is the case.  I believe all users share the same set of pads (otherwise the remote server would need a huge amount of per-user data).

However, I believe the role of the USB Device is to scrambles the pad selection on a per-user basis.  I think security experts agree – a device like this (assuming well implemented) with a physically secure secret, provides significant security advantages.

So, the strength of “Product X” is based on:

- Could an adversary detect re-use of a pad?

- Could an adversary subvert the secret in the USB device?

This is the point of the “Snake Oil” FAQ.  The strength of “Product X” is based on its own implementation details – not the “unbreakable” strength of one-time-pads.

I hope users of “Product X” also understand that it  *ONLY* provides special security for the authentication step (the communication of the password).   It does not help with the rest of the communication between the client and the server.

Since One-time-pads are so dang secure, why aren’t they used for everything?

OTPs have two important limitations:

- They must not be reused, and need to have as many bytes as the messages they are encoding.  This is not practical if you’ve got gigabytes going back and forth every day.

- There must be some other secure mechanism to get the pad from one party to the other.  That’s hard to do if you’re communicating with someone you’ve never met before (common on the web).

The Snake Oil FAQ lists many other things to watch out for, such as:

• Secret Algorithms
• Revolutionary Breakthroughs
• Experienced Security Experts, Rave Reviews, and Other Useless Certificates

[1] Dan Geer, Measuring Security