Linked by Thom Holwerda on Fri 21st Mar 2014 16:56 UTC
Internet & Networking

Microsoft has lost customers, including the government of Brazil.

IBM is spending more than a billion dollars to build data centers overseas to reassure foreign customers that their information is safe from prying eyes in the United States government.

And tech companies abroad, from Europe to South America, say they are gaining customers that are shunning United States providers, suspicious because of the revelations by Edward J. Snowden that tied these providers to the National Security Agency’s vast surveillance program.

Right. Because, as we all know, European governments did not fully comply with the US spying programs, nor have they similar programs of their own.

High time some smart company develops a very simple and straightforward 'personal cloud'; a simple, large box with loads of storage that you dump in the basement somewhere, with pre-configured email, internet storage, and so on. Also offer the ability to have multiple of these things tied to the same account for data duplication, so you can, say, dump one of them at a trusted friend's home. Make it platform-agnostic and encrypted, et voila.

Doesn't sound like something that's terribly hard to do.

Thread beginning with comment 585071
RE: Personal Cloud
by ricegf on Sat 22nd Mar 2014 13:13 UTC in reply to "Personal Cloud"
ricegf
Member since:
2007-04-25

A true one-time pad shouldn't be decipherable by anyone (I think?). Since you set up the server, and you access it remotely, you should be able to replicate the pad securely. Am I missing something?

Of course, if your OS was compromised and your one-time pad was on disk, you'd be compromised. But you could always keep the pad on a custom SD card that could only be read once (using some hacked firmware on the card itself).

Say, how paranoid do I need to be? I'm scaring me here... :-D

Reply Parent Score: 2

RE[2]: Personal Cloud
by Alfman on Sat 22nd Mar 2014 15:11 in reply to "RE: Personal Cloud"
Alfman Member since:
2011-01-28

ricegf,

A true one-time pad shouldn't be decipherable by anyone (I think?). Since you set up the server, and you access it remotely, you should be able to replicate the pad securely. Am I missing something?

A one-time pad works because the ciphertext could equal ANY plaintext in perfectly equal distribution, so probability attacks are impossible. The only indication the eavesdropper would have is message length (and that could be hidden by padding the message with random numbers). So you are correct that it's not decipherable. However, how do you transfer it securely? For every bit you'd want to transfer to a remote system, you'd consume a bit of your one-time pad. It's a catch-22. In practice what we can do is transfer the parameters to a pseudo-random number generator such that both sides can generate the same sequence of random numbers. These random numbers get used similarly to a one-time key; this is how streaming ciphers like RC4 work.

Unfortunately it's exactly this sort of "compression" that makes statistical analysis possible. The weakness with all symmetric ciphers is that the more they get used in between key updates, the stronger its fingerprint. An AES key is usually considered good for a couple hundred megabytes, maybe a gigabyte. Less is better, but that implies you need another mechanism on top of AES to exchange symmetric keys.

So in practice AES is used with an asymmetric algorithm, SSL servers for instance use RSA public key certificates. Unlike symmetric ciphers, RSA security is based on the mathematical difficulty of factoring primes. If you can solve this problem then you've broken the underpinnings of the remainder of the cryptographic toolchain.

Shor's algorithm exists to do just this, but it requires theoretical quantum computers to execute.
http://tph.tuwien.ac.at/~oemer/doc/quprog/node18.html

http://blog.kaspersky.com/quantum-computers-and-the-end-of-security...
By the way, good symmetric algorithms, e.g. AES, don’t have flaws allowing that kind of dramatic bruteforcing speedup. By existing estimates, bruteforcing 256-bit AES key on quantum computer is equal to bruteforcing 128-bit AES on a classic computer, so security levels remain very high.

Of course, if your OS was compromised and your one-time pad was on disk, you'd be compromised. But you could always keep the pad on a custom SD card that could only be read once (using some hacked firmware on the card itself).

Well, it seems like quantum mechanics offers an easier and more secure approach. Two quantum entangled atoms can output the same infinite random sequence at separate locations. This makes for an ideal source of randomness for a one-time pad. I've read that prototypes of this technology have had implementation flaws, but I don't know the details.

Reply Parent Score: 4

RE[3]: Personal Cloud
by ricegf on Sat 22nd Mar 2014 17:12 in reply to "RE[2]: Personal Cloud"
ricegf Member since:
2007-04-25

However how do you transfer it securely?

That was the point of my post. I must not have been clear (sorry).

* You set up the server.
* You use an offline computer to create the one-time pad and write the one-time pad to two one-time-read SD cards.
* You place one SD card in your server and the other in your wallet for use in connecting to your server.

This avoids the transfer problem entirely. It's a special case, of course, but it is the special case that we're discussing in this thread.

Does that clear up why a one-time pad works in this instance?

It seems like quantum mechanics offers an easier and more secure approach

More secure, yes, but easier?? Where do I buy a quantum server to put in my basement, and a quantum smartphone to carry around with me, pray tell?

Reply Parent Score: 2
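The two-card procedure ricegf describes, together with Alfman's earlier point that every byte sent consumes a byte of pad, worked through as an added example. This is my code, not anything posted by either commenter. The read-once cursor in `OneTimePad` is a software stand-in for the "one-time-read SD card" firmware they talk about (an assumption; a real card would have to enforce this in hardware), and the pad material comes from `os.urandom` by default, with a pluggable `rng` so the run is reproducible. The last function illustrates the flip side of Alfman's "compression" remark: if the same pad bytes are ever used twice, XORing the two ciphertexts cancels the pad and leaves the XOR of the two plaintexts, which is exactly the structure a statistical analysis feeds on.

```python
"""One-time pad with a consume-once cursor, shared between a 'server card' and a 'wallet card'."""
import os


class OneTimePad:
    """Pad material behind a read-once cursor: every byte is handed out at most once.

    Stand-in (assumption) for the read-once SD card from the thread; here it is
    enforced in software by never moving the cursor backwards.
    """

    def __init__(self, material: bytes):
        self._pad = bytes(material)
        self._offset = 0

    @property
    def remaining(self) -> int:
        """Bytes of pad not yet consumed."""
        return len(self._pad) - self._offset

    def take(self, n: int) -> bytes:
        """Hand out the next n unused pad bytes, or refuse if the pad is exhausted."""
        if n > self.remaining:
            raise ValueError(
                "pad exhausted: %d bytes requested, %d left" % (n, self.remaining)
            )
        chunk = self._pad[self._offset:self._offset + n]
        self._offset += n  # these bytes can never be read again
        return chunk


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(pad: OneTimePad, plaintext: bytes) -> bytes:
    """Consumes exactly len(plaintext) bytes of pad: the catch-22 from the thread."""
    return xor_bytes(plaintext, pad.take(len(plaintext)))


def decrypt(pad: OneTimePad, ciphertext: bytes) -> bytes:
    """Same operation as encrypt; the peer's cursor advances in lockstep."""
    return xor_bytes(ciphertext, pad.take(len(ciphertext)))


def make_pad_copies(length: int, rng=os.urandom):
    """Offline step: generate the pad once and write it to two 'cards'.

    Returns (server_card, wallet_card) holding identical material, each with
    its own read-once cursor. `rng` defaults to the OS CSPRNG.
    """
    material = rng(length)
    return OneTimePad(material), OneTimePad(material)


def run_session(pad_length: int = 64, rng=os.urandom,
                messages=(b"hello server", b"second message")):
    """Client encrypts with the wallet card, server decrypts with its card.

    Returns the recovered plaintexts and how much pad the wallet has left,
    so the cost of the pad per byte transferred is visible.
    """
    server_card, wallet_card = make_pad_copies(pad_length, rng)
    recovered = []
    for m in messages:
        c = encrypt(wallet_card, m)           # client side
        recovered.append(decrypt(server_card, c))  # server side, same cursor position
    return recovered, wallet_card.remaining


def pad_reuse_leak(pad_material: bytes, p1: bytes, p2: bytes) -> bool:
    """Why the cursor must never go backwards: reusing pad bytes for two
    messages lets an observer compute c1 XOR c2 == p1 XOR p2 without the pad."""
    c1 = xor_bytes(p1, pad_material)
    c2 = xor_bytes(p2, pad_material)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


if __name__ == "__main__":
    got, left = run_session()
    print(got, "pad bytes left:", left)
    try:
        run_session(pad_length=8)  # too small for the two constructed messages
    except ValueError as e:
        print("refused:", e)
```

Run it as-is and the second call is refused once the 8-byte pad is spent, which is the transfer problem in miniature: the pad has to be at least as long as everything you will ever send, and nothing about the cursor helps if the card can be cloned or rewound.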