Re: AI's take on my cipher...

Chris M. Thomasson <chris.m.thomasson.1@gmail.com> wrote:

On 7/12/2025 12:59 PM, Stefan Claas wrote:

Rich wrote:

Stefan Claas <stefan@mailchuck.com> wrote:

Richard Heathfield wrote:

On 10/07/2025 18:19, Stefan Claas wrote:

Chris M. Thomasson wrote:

On 7/9/2025 12:53 PM, Stefan Claas wrote:

>

How does it work if A encrypts on local host and B should
decrypt on his local host, with that given link from A

>
Wrt the online version:
>
A needs to send/give B the ciphertext somehow, email, snail
mail, somehow, hand signals, ect...  ;^) Then B, assuming that A
and B have the same secret key, can use said ciphertext to
decrypt it.  So, if you notice the online program has a
ciphertext only, without a link prefix.  Say this example: I am
encrypting the message on my local host using the default key:

>
But how, for example, would you give me the secret key, from the
USA to Germany, without meeting in person?

>
Diffie-Hellman can establish a secret key in public.  Then
authenticate over an encrypted channel.

>
I know, but how do you protect the key on your online device against
Pegasus or FinSpy?  For proper encryption two parties have to do it
offline, but GnuPG users could never learn it, because it was never
explained to them.

>
Nor will anyone else who falls into the "average computer user
category" and thinks the "I have nothing to hide" excuse is valid.
>
You are not fighting "encryption" here, you are fighting the fact that
few care enough and are motivated to learn.  And that battle will not
be won by better cryptography, nor by better user interfaces.  The only
way those folks will use "secure means" is if the secure means happens
all automatically, by default, without their knowledge, for them.

 
And you know very well that this will not happen, because companies are
not willing to defeat this known issue and only offline encryption and
decryption is the way to go, for secure communications.

 
Think of an offline encrypt with say, my symmetric HMAC cipher thing.
You save the ciphertext to a usb drive. Oh shit, say the offline
computer is infected with a virus, and the USB is now highly suspect.

The reverse is the more likely issue.  Bob receives encrypted message
on his 'networked device'.  Unbeknownst to him, Pegasus is also hiding
in the shadows on the device.  He writes the message to a USB stick to
transfer to his air-gapped crypto-box.  Pegasus adds an exploit to the
USB at the same time.  He plugs the USB into his air-gapped computer
and the 'infection' from the USB now migrates into the air-gapped
computer.  Bob is now owned.

The only way to avoid this is to never have any electronic signals
coupling between anything and the air-gapped computer.  Which means the
airgap computer should really be given data via 'typing it in on a
keyboard' and data retreived from it by "typing the encrypted data out
onto the 'networked computer'.

And, how accurately do you think the average person who wants to send
an encrypted message will be at typing this:

KqHtqbSca2hvI02pCMHtdKQLfHhW6OeN7iK1Fg45nMpoT+to8XpwpvARkW6UziY0iyZWUEgP/gol
gz5p3XpGCe0hZbYV2IYYLDvvRjGWj1k5IHkDX4WshBZvI5fhVssJOqVI3bzqdEW3XLD4NoGKVQg3
ZeNaSJs2hBySnkBoKGI=

That's 128 random bytes, base64 encoded.  128 bytes is right about the
original "tweet length" of tweets on shitter, so there is a severe
limit of the amount of information that can be transferred.

But imagine punching that into a keyboard on an air-gapped computer. 
Do you think that by the time you get to the end, that you will have
typed every character 100% accurately?  Because if you mistype even
one, the message will be corrupt and fail validation.

Or think the reverse, Alice encrypts a message for Bob, then she types
the above out in a tweet or email or even onto paper with an old school
typewriter.  How likely is Alice to get every character 100% correct
(absent a lot of proofreading time on Alice's part).