On 2021-12-28 13:06, Snail Mail Blob wrote:
> On 12/21/21 9:24 AM, Stefan Claas wrote:
>> On Tuesday, December 21, 2021 at 4:11:50 PM UTC+1, Richard Heathfield wrote:
>>> On 21/12/2021 14:53, Stefan Claas wrote:
>>
>>>> What do you think about this proposal?
>>
>>> "Against all odds, over a noisy telephone line, tapped by the tax
>>> authorities and the secret police, Alice will happily attempt, with
>>> someone she doesn't trust, whom she can't hear clearly, and who is
>>> probably someone else, to fiddle her tax return and to organise a
>>> coup d'état, while at the same time minimising the cost of the phone
>>> call." - John Gordon
>>
>> Since Alice knows her friend Maria they can of course use the noiseless
>> postal system. :-) But it may not be so reliable in the United States, as
>> it occurred to me in the past, and I then had to send an expensive
>> registered letter again.
>
> The postal mails between two P.O. boxes are usually more secure than any
> encrypted channel where PKI is involved. The likelihood of any spy or
> spook tapping your particular first class letter for eavesdropping is
> statistically close to zero. There are strong penal laws in most
> countries that dissuade that sort of activity. It occasionally happens,
> but the volume of mails is so vast that it is the needle in a haystack
> problem for Alice.
>
The security comes not from the postal system, but from the physical
security of the tamper evident packaging. The tamper evidence, if done
correctly ensures that any key that has been accessed via (legal or
otherwise) mail intercept will be rejected by Bob as if it never arrived.
If the tamper evidence is done such that even reading the contents
will be detected, the method can be used to distribute actual OTP keys,
otherwise it is limited to public signature keys, such as those using
XMSS or its generic non-NSA equivalent with a strong enough hash algorithm.
> If one uses an inner envelope that is tamper evident then one won't end
> up using a compromised key if the letter is tampered with by state agents.
>
> I had this happen once with an encrypted USB flash drive many years ago
> when USB media was a brand new thing and thus was treated suspiciously
> as if it were a cloak and dagger device. Someone at the post office
> opened the envelope, and upon realizing it was a tamper evident setup
> they just kept the flash drive and sent the envelope along empty. They
> tore gashes in the outer envelope to make it look like accidental
> damage. Always encrypt removable media! And send microSD cards instead
> of thumb drives.
If the keys are short enough, physically scan-friendly paper formats
such as QR codes or OCR-B text can do the job without leaving
anything other than normal-looking letters in the envelopes. Add
something in the outer envelope which makes the presence of the inner
envelope non-suspect, like "Here's the letters for you that arrived at
your hotel after you left". Also make the inner tamper evidence
sufficiently subtle that an experienced Eve won't find it.
The hard part is to arrange the secret tamper detection protocol before
the exchange over the untrusted postal courier, because if Eve knows, she
can completely fake it by creating a new pair of nested envelopes
matching the protocol.
>
> Sending an initial session key via the post office to negotiate a later
> key exchange is almost as secure as exchanging keys in the pub.
>
> What does it cost, like a dollar or two to send an international letter?
> A tamper-proof inner envelope will cost less than a dollar.
>
Unless you are mailing from China or any other historically poor
country, the price has gone up in recent years, but still affordable
for the task.
> You can use tape and super glue on a regular envelope to convert it to
> tamper-evident.
>
> Draw smiley faces all over the envelope, smear some superglue streaks on
> the envelope, cover that over by sealing the key inside with packing
> tape, then lay several courses of tape on it and rub on the super glue
> across the tape. Then glue that inner envelope into the outer envelope,
> making it impossible to open without destroying both envelopes.
>
> It will take about five minutes. Not a big time investment. It is
> impossible to steam off and remove the tape without visibly damaging the
> envelopes and smiley faces.
>
> If you are really paranoid, use a piece of thin, rough felt, or
> styrofoam packing felt, for the inner envelope. The felt will get torn
> to shreds by any manipulation of the covering tape.
>
These methods don't provide an unknown-to-Eve indication that this
wasn't an envelope made by Eve after intercepting the original.
One method could be to transmit, in an authenticated plaintext
transmission after the envelope is expected to have arrived, a set of
locations on the inner envelope where the seemingly or actually
random details occur. Bob can then hold the received envelope until
receiving the authentic details from Alice, then check as he opens
the envelopes.
If the envelopes match the authentic checks, Bob can send Alice an
initial confirmation message using one part of the sealed key material,
thus allowing Alice to know which (if any) keys reached Bob securely.
> The nice thing about this kind of key exchange is that once you have the
> mailed key, using it you can start off with a cascade of symmetric
> ciphers over a big blob file and exchange a whole basket of new
> symmetric keys and pads over any channel before using any asymmetric
> ciphers at all.
>
Indeed, a read-evident seal can distribute an initial OTP key for
later key exchange. The hard part is to safely expand a short OTP into
a set of agreed-upon secure secret keys for much larger messages.
The obvious way would be to OTP-transmit a random symmetric key for a strong
algorithm, which is then used to encrypt further random symmetric keys.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.
https://www.wisemo.com
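The bootstrap Jakob describes above (a short mailed OTP transmits one strong symmetric key, which then encrypts further random keys) together with Bob's confirmation from one part of the sealed material, as an added Python example that is not part of this thread. The split of the mailed bytes into pad, MAC and confirmation parts, the HMAC-based keystream standing in for a real cipher, and the message labels are my own assumptions.

```python
import hmac, hashlib

# Constructed demo value standing in for the 96 random bytes Alice sealed in the
# tamper-evident inner envelope (real use: os.urandom(96), printed as a QR code).
MAILED = bytes(range(96))

def split_mailed(material):
    """Three single-use parts: OTP pad for one 32-byte key, MAC key, confirmation key."""
    return material[:32], material[32:64], material[64:96]

def bob_confirm(material):
    """Bob's confirmation once the envelope passed the tamper checks; it uses only
    the confirmation part, so Alice learns this key material arrived intact."""
    return hmac.new(split_mailed(material)[2], b"envelope-received", hashlib.sha256).hexdigest()

def alice_send_key(material, strong_key):
    """OTP-encrypt a fresh 32-byte strong key with the pad part, then MAC it
    with the MAC part (encrypt-then-MAC; the pad is consumed exactly once)."""
    pad, mac_key, _ = split_mailed(material)
    ct = bytes(a ^ b for a, b in zip(strong_key, pad))
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def bob_recv_key(material, message):
    """Return the strong key, or None if the transmission fails authentication."""
    pad, mac_key, _ = split_mailed(material)
    ct, tag = message[:32], message[32:]
    if not hmac.compare_digest(hmac.new(mac_key, ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, pad))

def _keystream(strong_key, nonce, length):
    """HMAC-SHA256 counter-mode keystream (stand-in for a real cipher like AES-CTR)."""
    blocks = (hmac.new(strong_key, b"ks" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def wrap_keys(strong_key, new_keys, nonce):
    """Encrypt a batch of further random keys under the strong key (nonce must be
    fresh per batch, e.g. os.urandom(16)); output is nonce || ciphertext || tag."""
    blob = b"".join(new_keys)
    ct = bytes(a ^ b for a, b in zip(blob, _keystream(strong_key, nonce, len(blob))))
    return nonce + ct + hmac.new(strong_key, b"wrap" + nonce + ct, hashlib.sha256).digest()

def unwrap_keys(strong_key, package, key_len=32):
    """Verify and decrypt; returns the list of keys, or None if the package was altered."""
    nonce, ct, tag = package[:16], package[16:-32], package[-32:]
    if not hmac.compare_digest(hmac.new(strong_key, b"wrap" + nonce + ct, hashlib.sha256).digest(), tag):
        return None
    blob = bytes(a ^ b for a, b in zip(ct, _keystream(strong_key, nonce, len(ct))))
    return [blob[i:i + key_len] for i in range(0, len(blob), key_len)]
```

Only the first 32 pad bytes are ever XORed with secret data, so the one-time property holds; every later key travels under the strong key, not under the mailed pad.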