[6633] in cryptography@c2.net mail archive


More comments on Arcot's "software smart cards"

daemon@ATHENA.MIT.EDU (Peter Gutmann)
Sun Feb 20 15:40:10 2000

From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: cryptography@c2.net, cypherpunks@cyberpass.net
Reply-To: pgut001@cs.auckland.ac.nz
X-Charge-To: pgut001
Date: Sat, 19 Feb 2000 05:58:55 (NZDT)
Message-ID: <95089313502099@kahu.cs.auckland.ac.nz>

Arcot's "software smart cards" have been discussed in the past on these lists,
however the discussion predates the publication of their paper "Software smart
cards via cryptographic camouflage" at the IEEE Symposium on Security and
Privacy halfway through last year
(http://www.itd.nrl.navy.mil/ITD/5540/ieee/SP99-Program.html), so I thought I'd
give a quick summary for future reference.

What's been pointed out before is that they encrypt a private key without
putting in any known structure, and use decoy keys so an attacker never knows
when they've got the right one.  This introduces a few extra requirements:

- The public key has to be kept secret (!!).  I've just checked Arcot's web 
  site, this is obviously some new use of the term "public key" with which I
  wasn't previously familiar.
- You can never encrypt recognisable plaintext (ie you can't use something like
  PKCS #1 padding or OAEP, which ignores the fact that there are very good
  security reasons why these types of padding are used).
- You can never sign recognisable data (same comment as above).
- You have to encrypt the signature.

This thing has so many holes in it (both practical and security problems) that
it's going to be unworkable outside of a few special-case situations, in which
case you may as well just use a MAC with a shared secret key or some other 
conventional solution.  Based on Arcot's claims, this is still a public-key 
scheme though because you can just #define ARCOT_PUBLIC_KEY SECRET_KEY :-).

People have referred to it as snake oil, which, strictly speaking, it isn't -
if you redefine reality to be the way you want it to be, you can provide any
kind of security you like.  "Assume a perfectly spherical elephant of 
negligible mass and volume..."

Peter.
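
The first requirement in the list above, worked through as an added example (not part of the original post and not Arcot's code): a toy camouflage in which every PIN decrypts the stored blob to a plausible private exponent, and the candidates become testable offline as soon as the public key (n, e) is known. The key, PIN, salt, XOR keystream and the names mask, camouflage and uncover are all constructed for illustration and simplify the scheme in the paper.

```python
import hashlib

# Constructed toy RSA key from two known Mersenne primes (far too small for real use).
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent; always odd
BITS = N.bit_length() - 1              # D >> 1 fits in this many bits
PINS = [f"{i:04d}" for i in range(10_000)]


def mask(pin: str) -> int:
    """PIN-derived keystream (toy derivation; the salt is a constructed value)."""
    digest = hashlib.sha256(b"constructed-salt:" + pin.encode()).digest()
    return int.from_bytes(digest, "big") >> (256 - BITS)


def camouflage(d: int, pin: str) -> int:
    """Encrypt d with no header, padding or checksum; the fixed low bit is dropped."""
    return (d >> 1) ^ mask(pin)


def uncover(blob: int, pin: str) -> int:
    """Any PIN yields an odd integer of the right size: the true key or a decoy."""
    return ((blob ^ mask(pin)) << 1) | 1


def pins_matching_public_key(blob: int, n: int, e: int, probe: int = 7) -> list:
    """With (n, e) known, a round trip on a probe value tests each candidate offline."""
    c = pow(probe, e, n)
    return [pin for pin in PINS if pow(c, uncover(blob, pin), n) == probe]


if __name__ == "__main__":
    blob = camouflage(D, "4821")                       # constructed PIN
    decoys = {uncover(blob, pin) for pin in PINS}
    print("distinct plausible candidates without the public key:", len(decoys))
    print("PINs surviving once (n, e) is known:", pins_matching_public_key(blob, N, E))
```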


