thoughts on one time pads

Travis H. solinym at gmail.com
Sat Jan 28 11:32:05 EST 2006


> There are various versions of getting rid of a disk file.
>   2) Zeroizing the blocks in place (followed by deletion).  This
>    is vastly better, but still not entirely secure, because there
>    are typically stray remnants of the pattern sitting "beside"
>    the nominal track, and a sufficiently-determined adversary
>    may be able to recover them.

I've discussed this before, and if you go back and read Gutmann's new
web page about remanence he says he hasn't ever seen any evidence that
anyone can recover after a single overwrite with zeroes.  For some
reason discussion of this pushes Garfinkel's buttons.

I think this is a MFM image of what you're talking about:

http://www.veeco.com/nanotheatre/nano_view_detail.asp?ImageID=78

>   4) Half-track trashing.  This requires wizardly disk hardware,
>    which shifts the head half a track either side of nominal,
>    and *then* writes random numbers.  I might be persuaded that
>    this really gets rid of strays.

Wow, very cool idea.  I bet that'd work to recover data in some cases too.

>   5) Grinding the disk to dust.  AFAIK this is the only NSA-approved
>    method.  A suitable grinder costs about $1400.00.
>     http://cdrominc.com/product/1104.asp

What about degaussing?

http://www.semshred.com/content606.html
http://www.datalinksales.com/degaussers/v85.htm
http://www.degaussers-erasers.com/

Ah, I had a good link a while back but lost it due to file corruption.
Seriously :)

>    One drawback with this is that you have to destroy a whole
>    disk at a time.  That's a problem, because if you have a
>    whole disk full of daily keys, you want to destroy each
>    day's key as soon as you are through using it.  There
>    are ways around this, such as reading the disk into volatile
>    RAM and then grinding the disk ... then you just have to make
>    sure the RAM is neither more volatile nor less volatile than
>    you wanted it to be.  That is, you use the disk for *distribution*
>    but not necessarily for intermediate-term storage.

I think one solution is that whenever the pad is on disk, it is
encrypted with a strong algorithm, and only decrypted as needed. 
Assuming you use an amenable algorithm, you can overwrite that portion
of the disk after use.  Not perfect security if the attacker gets
access to the overwritten data, but it degrades into an attack on the
conventional cipher.

I wonder how remanence in flash drives fares.
--
"The generation of random numbers is too important to be left to chance."
  -- Robert Coveyou -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
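
The scheme proposed above (pad kept on disk only under a conventional
cipher, each chunk decrypted just before use, then that chunk's on-disk
region overwritten) as an added worked example; this is not code from the
original post or its author.  The "disk" is a bytearray, and the
conventional cipher is a stand-in built from HMAC-SHA256 in counter mode so
the example runs with the standard library alone; a real deployment would
use AES-GCM or similar.  The chunk size, the on-disk record layout
(nonce || encrypted chunk), the key-derivation label and the names
EncryptedPadStore, consume, otp and demo are all assumptions made for this
example.

```python
"""Encrypted-at-rest one-time pad store (added example, not the post's code)."""
import hashlib
import hmac
import secrets

CHUNK = 32               # bytes of pad per "daily key" (assumed size)
NONCE = 16
RECORD = NONCE + CHUNK   # on-disk record: nonce || encrypted chunk


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR-mode keystream from HMAC-SHA256: a stand-in for a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def _chunk_key(master: bytes, index: int) -> bytes:
    """Per-chunk key derived from the master key that lives only in RAM."""
    return hmac.new(master, b"otp-chunk" + index.to_bytes(8, "big"), hashlib.sha256).digest()


class EncryptedPadStore:
    """Keeps the pad on 'disk' (a bytearray) encrypted; master key stays in memory."""

    def __init__(self, pad: bytes, master: bytes):
        if len(pad) % CHUNK:
            raise ValueError("pad length must be a multiple of CHUNK")
        self.master = master
        self.disk = bytearray()
        self.used = set()
        for i in range(len(pad) // CHUNK):
            nonce = secrets.token_bytes(NONCE)
            chunk = pad[i * CHUNK:(i + 1) * CHUNK]
            self.disk += nonce + xor_bytes(chunk, _keystream(_chunk_key(master, i), nonce, CHUNK))

    def record(self, index: int) -> bytes:
        """Raw on-disk bytes of chunk `index` (what a forensic image would see)."""
        return bytes(self.disk[index * RECORD:(index + 1) * RECORD])

    def consume(self, index: int) -> bytes:
        """Decrypt chunk `index`, then overwrite its on-disk record with zeros."""
        rec = self.record(index)
        # A zeroized record is the persistent "already used" marker; the in-memory
        # set only catches reuse within one process lifetime.
        if index in self.used or rec == bytes(RECORD):
            raise RuntimeError(f"pad chunk {index} already used; never reuse a pad")
        nonce, ct = rec[:NONCE], rec[NONCE:]
        chunk = xor_bytes(ct, _keystream(_chunk_key(self.master, index), nonce, CHUNK))
        self.disk[index * RECORD:(index + 1) * RECORD] = bytes(RECORD)  # zeroize in place
        self.used.add(index)
        return chunk


def otp(message: bytes, pad_chunk: bytes) -> bytes:
    """One-time-pad encrypt/decrypt: plain XOR against unused pad bytes."""
    if len(message) > len(pad_chunk):
        raise ValueError("message longer than pad chunk")
    return xor_bytes(message, pad_chunk)


def demo():
    pad = secrets.token_bytes(4 * CHUNK)          # shared in advance (constructed)
    alice = EncryptedPadStore(pad, secrets.token_bytes(32))
    bob = EncryptedPadStore(pad, secrets.token_bytes(32))
    remnant = alice.record(0)                     # forensic image taken before use

    msg = b"meet at dawn"                         # constructed sample message
    ct = otp(msg, alice.consume(0))
    pt = otp(ct, bob.consume(0))

    wiped = alice.record(0) == bytes(RECORD)      # record 0 is now all zeros
    try:
        alice.consume(0)
        reuse_refused = False
    except RuntimeError:
        reuse_refused = True

    # The pre-wipe remnant is only as good as the conventional cipher: without
    # the master key a guessed key yields noise, not the pad chunk.
    nonce, enc = remnant[:NONCE], remnant[NONCE:]
    wrong = xor_bytes(enc, _keystream(_chunk_key(secrets.token_bytes(32), 0), nonce, CHUNK))
    remnant_safe = wrong != pad[:CHUNK]
    return pt, wiped, reuse_refused, remnant_safe


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would add: the decrypted chunk and the master
key are ordinary Python bytes objects, so this does nothing about the
plaintext copies left in process memory (the RAM-volatility problem raised
in the quoted text), and the zeroize step here writes to a bytearray, not
through a filesystem, so it says nothing about journaling, copy-on-write or
wear-levelled flash placing the old record somewhere else.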

---------------------------------------------------------------------
The Cryptography Mailing List