[liberationtech] Privus?

Seth David Schoen schoen at eff.org
Fri Feb 28 10:08:56 PST 2014


Hisham writes:

> Hello LibTech crowd,
> 
> Sorry if this has been discussed here before but is anybody here familiar
> with a software called Privus?
> https://www.kickstarter.com/projects/857935876/175768761?token=bbfb88ac
> 
> Its developers promote it as an encryption service that "offers absolutely
> unbreakable security".
> It uses OTP encryption technology, that developers claim is harder to break
> than PGP.

OTPs can be absolutely unbreakable, but you have to generate the pads in
an absolutely random manner, distribute them over an absolutely secure
channel, store them with an absolutely secure storage method, and then
only use each one once.

Governments have, from World War II to today, tried to actually follow
these rules (with physical distribution of key material).  It's been
expensive and cumbersome because each pair of potential communicating
parties needs to have -- in advance! -- as much key material as the total
amount of communication that they may ever do.  They can't send any
more new key material electronically (unless they want to burn some
other existing key material); effectively, it's subject to a
conservation law.

Tools that claim to use an OTP that don't involve physical key material
distribution (like, meet the person in person and give them a key that
they have to keep physically secure, and make sure that the key is as
long as all the messages that you may exchange before you next see them
again) are doing it wrong.

A lot of people hear about the use of XOR in OTPs and think of some way
to create the pad based on a smaller amount of information that can be
exchanged in another way.  If you do this, the pad is actually a stream
cipher and the absolute security guarantees are lost.  (The goal of a
stream cipher is to make an encryption keystream from a short key in such
a way that someone who doesn't know the key can't determine the
keystream, nor detect any regularities in it.  The keystream plays the
role of a one-time pad key, but it is not truly random because it's
produced by a deterministic means.)  There are many stream ciphers out
there, and some of them are thought to offer good security, but none is
provably unbreakable and some have been broken in practice.

-- 
Seth Schoen  <schoen at eff.org>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x107
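
The distinction drawn in the message above, between a truly random pad and a pad expanded from a smaller secret, shown as an added example (not part of the original post and not Privus code). The `expand_seed` construction, the 2-byte seed and the sample messages are assumptions constructed for illustration.

```python
import hashlib
import secrets

MESSAGE = b"MEET AT NOON MON"   # constructed sample plaintext
DECOY = b"MEET AT FIVE TUE"     # constructed, same length, different meaning

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def expand_seed(seed: bytes, n: int) -> bytes:
    """Hypothetical 'pad from a short secret': SHA-256 in counter mode.
    Deterministic, so the output is a stream-cipher keystream, not a pad."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def pad_explaining(ciphertext: bytes, candidate: bytes) -> bytes:
    """True OTP: every same-length candidate has exactly one pad that
    maps it to this ciphertext, so the ciphertext rules nothing out."""
    return xor(ciphertext, candidate)

def seeds_explaining(ciphertext: bytes, candidate: bytes, seed_len: int = 2):
    """Seed-derived pad: list the seeds whose keystream maps candidate to
    ciphertext. Only 256**seed_len keystreams exist at all."""
    needed = xor(ciphertext, candidate)
    return [s for s in range(256 ** seed_len)
            if expand_seed(s.to_bytes(seed_len, "big"), len(needed)) == needed]

if __name__ == "__main__":
    # Case 1: pad drawn at random, as long as the message, used once.
    otp_ct = xor(MESSAGE, secrets.token_bytes(len(MESSAGE)))
    for guess in (MESSAGE, DECOY):
        pad = pad_explaining(otp_ct, guess)
        print("OTP   ", guess, "consistent via pad", pad.hex())

    # Case 2: pad expanded from a 2-byte seed (tiny on purpose so the
    # enumeration finishes quickly; a longer seed is still finite).
    seed = secrets.token_bytes(2)
    weak_ct = xor(MESSAGE, expand_seed(seed, len(MESSAGE)))
    for guess in (MESSAGE, DECOY):
        print("seeded", guess, "consistent seeds:", seeds_explaining(weak_ct, guess))
```

With a realistic key length the enumeration is infeasible rather than impossible, which is computational security and not the information-theoretic guarantee of a one-time pad.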


