
August 21, 2004

Comments

Steve Foerster

::G, someone did devise a system of random bits burned onto a CD-ROM. It was called FolderSafe, and was used as a means of encrypting files on a specified directory on one's hard drive. The idea was that without the key CD, the data in the secured directory on the hard drive would be invulnerable. Unfortunately, the company did not survive the dot-com collapse.

Shannon Clark

A few challenges occur to me:

1. How do you, the user, know the state of the system you are connecting to (or trying to) i.e. say I am on an only semi-reliable connection (WIFI for example) and try to connect to a website - it is not at all unlikely that at some point my connection will fail, leaving me uncertain as to the state of the password for that site - i.e. is it still the last "one-time" code that I tried to use (but did not succeed) or is it now the next one.

2. Memory. Specifically the user's - passwords are difficult to remember, but grow easier over time as you use the same password frequently, this system would require you to recall a CHANGING piece of key data over time - so memory aids would not work, thus many more people would have to write it down.

3. If centralized what do I do if I am connecting to MULTIPLE sites during a given session (say via different browser windows)? Which password(s) do I use? What if I am not using the same browser but am using multiple browsers on my computer?

What if I am using multiple computers at the same time? It implies, I think, that I have to recall a precise order of connection to each site - rendering automated tools to recall passwords difficult at best.

I think it is a bit of overkill for the vast majority of websites that require passwords. Personally I recommend people use a two-tiered approach to passwords:

For the first tier, "less important" sites (such as most websites that do not contain/impact financial or medical data, the NY Times website being a clear example) use a password that is unique to that site, but easily remembered by you - and regenerated if you forget it (i.e. use an internal system to generate the password that you can run again in the future and get the same result - something like "take the first letter of the site name and repeat it 5 times adding a number that is the number of characters in the domain name" - i.e. something that you can use to generate a 6-8 character password (where you are limited to that, with a variation where you are not so limited)).

Second - "secure" passwords - these are for your email, for your brokerage accounts, for your health data etc. Use a password that is either completely random - but such that you can memorize it, or use a password that is a mnemonic but unique to that site (the first letters of the first lyric of a song you like for example). Such passwords generally should contain numbers and generally some mixed-case as well.

That's basically what I do - sure it is not fully secure, but it is capable of working with the limitations of my own memory. (note - I use a very different algorithm for my passwords - just made that one up on the spot).

Shannon

Nova Spivack

Yes I suppose you are right there is a potential risk of a man-in-the-middle attack on the system. That's why I proposed the random-number approach at the end of the post, but even that is still vulnerable to some degree. Still, you have to admit this system would be *a lot* better than the current way of doing passwords on the Web! It's a tradeoff ultimately. A true one-time pad is too cumbersome because the user has to always have the pad with them. The method I was proposing is "halfway" because there is a way for the user to remember how to generate new passwords, but without extensive cryptanalysis an attacker would have a hard time making use of one or even just a few intercepted passwords (since they can only be used once and the pattern for generating them is effectively almost random, using the random key approach). Of course if someone was able to intercept a sequence of such "random" passwords even that could be easily cracked. So I wouldn't advocate this for extremely sensitive data protection, etc. -- for that I would propose quantum crypto such as what MagiQ is making -- it not only tells you if someone tried to intercept a key, but it also requires nearly infinite computing power to crack!

::G

Very dangerous proposition. The whole point of one-time pads is that there's no possible correlation between previous messages and current messages. The method of using a single key to generate subkeys can always be broken through cryptanalysis, and has no relation to one-time pads (OTPs). Further, the suggestion of using a website to disseminate the subkeys is highly insecure, particularly susceptible to man-in-the-middle attacks that could be used to collect enough data to extrapolate the master key.

Disclaimer: I'm not a crypto professional, but I have studied the subject enough to know basic security issues when I see them. Well, if reading Schneier and the occasional paper counts as studying, that is.

It would be safer to just burn random bits onto pairs of DVD-Rs and give the other half -- in person, not via mail!! -- to the party you want to communicate with. OTPs are the only truly secure and unbreakable form of encryption. Of course there are other issues if someone breaks into your house and swipes your encryption DVDs....

Sorry to be a downer. However, the wireless power thread is interesting, especially to a Tesla fan.

::G

Bill

SecurID is a great example. Something you know plus something you have which changes every minute. The need for centralized administration is reduced to the local level.


http://www.rsasecurity.com/products/securid/

Nova

Thanks carolyn!

Nova

Nova

Thanks Tim, interesting link!!!

Nova

carolyn

as well as SecurID, SofToken...

Tim Keller

Nova, it's a good idea but it's been done already, several years ago, for Unix at least. There are 2 versions, called S/KEY & OPIE. Here's a good intro page on it: http://www.eda.org/pub/tools/skey_info.html

Tim
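
Added example (not part of any comment above, and not the S/KEY or OPIE code): a Lamport-style hash chain, the construction S/KEY is built on, showing how the connection-drop question and the replay concern raised in this thread are handled by having the server send the sequence number with each prompt and advance its state only on success. SHA-256, the names `H`, `Server`, `respond` and `demo`, and the sample seed and passphrase are assumptions for illustration.

```python
import hashlib

def H(data: bytes, times: int = 1) -> bytes:
    """Iterate SHA-256 (assumption: stands in for S/KEY's own hash step)."""
    for _ in range(times):
        data = hashlib.sha256(data).digest()
    return data

class Server:
    """Keeps only the last accepted password and its sequence number."""
    def __init__(self, seed: str, top_of_chain: bytes, count: int):
        self.seed, self.stored, self.seq = seed, top_of_chain, count

    def challenge(self):
        # Sent with every login prompt, so the user never has to remember
        # which password is "next" after a dropped connection.
        return self.seq - 1, self.seed

    def verify(self, otp: bytes) -> bool:
        # seq <= 1 means the chain is used up and the user must re-enroll.
        if self.seq <= 1 or H(otp) != self.stored:
            return False                      # state unchanged on failure
        self.stored, self.seq = otp, self.seq - 1
        return True

def respond(passphrase: str, challenge) -> bytes:
    """Client side: hash seed+passphrase as many times as the server asks."""
    n, seed = challenge
    return H((seed + passphrase).encode(), n)

def demo():
    # Constructed sample values, not taken from the page.
    secret, seed, count = "constructed passphrase", "ke1234", 100
    server = Server(seed, H((seed + secret).encode(), count), count)
    c1 = server.challenge()
    lost = respond(secret, c1)        # sent, but the connection drops
    c2 = server.challenge()           # retry: same challenge as before
    accepted = server.verify(respond(secret, c2))
    replayed = server.verify(lost)    # a captured copy of the used value
    return c1 == c2, accepted, replayed, server.challenge()[0]

if __name__ == "__main__":
    print(demo())
```

The server never stores the passphrase, and a value seen on the wire only reveals passwords that have already been used, because each accepted password is the hash preimage of the one before it.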
