Re: AI's take on my cipher...

On 7/13/2025 7:34 AM, Rich wrote:

Stefan Claas <stefan@mailchuck.com> wrote:

Chris M. Thomasson wrote:

Think of an offline encrypt with say, my symmetric HMAC cipher
thing.  You save the ciphertext to a usb drive.  Oh shit, say the
offline computer is infected with a virus, and the USB is now highly
suspect.  Sigh...  Alice gives the USB to Bob, key/viral exchange,
say a new key is encrypted in the ciphertext...  ;^).  Bob just
infected his computer with the virus before decrypt even occurs.
Now, if this is all offline, then the virus should not be able to
use the net to infect.  However, it might have a keylogger and alter
your encrypted messages right after you click encrypt or something?
So, you think you encrypt the message attack at dawn.  The keylogger
changes dawn to dusk -before- it gets passed into the cipher to do
its thing, so to speak...
>
So, offline encrypting Alice and Bob would need to be _sure_ that
their devices are _secure_, aka, no malware, ect...  and for this
aspect, no internet access, wifi, bluetooth, ect, signals,...  Its
in a, say a fractal cloak, so to speak.  Check this out:
fractenna.com.  They have them.

>
You see, this topic is always left out by security experts, when discussing
encryption.
>
For an initial set-up of an offline device it can be used once online and
to install the required programs.

 For a true 'ssecurity export' they will stop you right here and yell:
"insecure".  If you really want this offline device to be secure, you
must never, ever, use it 'online', even once.  Back in the days of the
early WinXP and it's security issues (esp. pre Service Pack 1) the tale
was that connecting an unpatched WinXP machine to the internet would
result in it being infected with something within a time range of
something like 30-90 seconds.

Oh shit. Yikes! What about older windows os's (even NT (client/server) iirc) that actually had a damn blank password for the Administrator account? I wrote a test program around 26 years ago back when I was creating specialized server software that would try to log onto computers using the Administrator account with no password. Just scanning ip ranges... Well, wow. Shit happens!
I was able to connect to many of them, and log in... Wow! Then it was simply a matter of putting some software that would get run on the next boot. A system service that setup a special proxy http server. Iirc, I could not run the program right off the bat. Did not explore RPC too much in that case. Oh that was bad of me, but also it was nasty for the Administrator account to have no damn password! Damn Microcrap!

So instead, this 'offline' machine must be assembled and delivered
ready to go -- with no usage 'online' ever.  Which now shifts your
concern to supply chain attacks instead of online attacks.  A NSA level
exploit inserted during the assembly line becomes your concern now.
 

Later you send/receive files with a 3,5 inch drive and disks.  Their
are so loud that you can here read/write access and only have 1.4 MB
storage capacity which you can easily inspect with a disk monitor.

 And, for the truly creative, the 3.5 inch disk could have a small
onboard hardware exploit that monitors the read/write patterns going
to/from the head and either extracts what it wants (keys) or makes
modifications to what it wants to change the messages.  This is still,
mostly, a supply chain attack variant, but even "use 3.5 inch disks" is
not a guarantee of security, for a truly determined attacker.
 

But you must hurry to get disks and a drive at Amazon, because when
stocks run out, I am not sure if they are re-filling.

 They won't be.  I doubt any manufacturer is making new 3.5 inch drive
hardware.  And while there might be a small market for the disks
themselves, this market will also dry up as the existing, unreplacable,
hardware fails from old age.