Re: AI's take on my cipher...

Stefan Claas <stefan@mailchuck.com> wrote:

Chris M. Thomasson wrote:

Think of an offline encrypt with say, my symmetric HMAC cipher
thing.  You save the ciphertext to a usb drive.  Oh shit, say the
offline computer is infected with a virus, and the USB is now highly
suspect.  Sigh...  Alice gives the USB to Bob, key/viral exchange,
say a new key is encrypted in the ciphertext...  ;^).  Bob just
infected his computer with the virus before decrypt even occurs. 
Now, if this is all offline, then the virus should not be able to
use the net to infect.  However, it might have a keylogger and alter
your encrypted messages right after you click encrypt or something? 
So, you think you encrypt the message attack at dawn.  The keylogger
changes dawn to dusk -before- it gets passed into the cipher to do
its thing, so to speak...
 
So, offline encrypting Alice and Bob would need to be _sure_ that
their devices are _secure_, aka, no malware, ect...  and for this
aspect, no internet access, wifi, bluetooth, ect, signals,...  Its
in a, say a fractal cloak, so to speak.  Check this out:
fractenna.com.  They have them.

 
You see, this topic is always left out by security experts, when discussing
encryption.
 
For an initial set-up of an offline device it can be used once online and
to install the required programs.

For a true 'ssecurity export' they will stop you right here and yell:
"insecure".  If you really want this offline device to be secure, you
must never, ever, use it 'online', even once.  Back in the days of the
early WinXP and it's security issues (esp. pre Service Pack 1) the tale
was that connecting an unpatched WinXP machine to the internet would
result in it being infected with something within a time range of
something like 30-90 seconds.

So instead, this 'offline' machine must be assembled and delivered
ready to go -- with no usage 'online' ever.  Which now shifts your
concern to supply chain attacks instead of online attacks.  A NSA level
exploit inserted during the assembly line becomes your concern now.

Later you send/receive files with a 3,5 inch drive and disks.  Their
are so loud that you can here read/write access and only have 1.4 MB
storage capacity which you can easily inspect with a disk monitor.

And, for the truly creative, the 3.5 inch disk could have a small
onboard hardware exploit that monitors the read/write patterns going
to/from the head and either extracts what it wants (keys) or makes
modifications to what it wants to change the messages.  This is still,
mostly, a supply chain attack variant, but even "use 3.5 inch disks" is
not a guarantee of security, for a truly determined attacker.

But you must hurry to get disks and a drive at Amazon, because when
stocks run out, I am not sure if they are re-filling.

They won't be.  I doubt any manufacturer is making new 3.5 inch drive
hardware.  And while there might be a small market for the disks
themselves, this market will also dry up as the existing, unreplacable,
hardware fails from old age.