[Cryptography] Data Protection Against Quantum Computing Brute Force via Device ID

Govind Yadav yadavgovind at hotmail.com
Fri Jun 8 12:38:07 EDT 2018


Hello Memory Vandal,



Greetings!!



Thank you for taking the time to read the paper and providing your valuable feedback, which brings to the forefront a point which was low on the radar all this while.



You are absolutely right that the hackers can write their own code, crack the private key via QC, decrypt the data and ignore Device ID.

The ultimate solution to this problem is that instead of the application, embed Device ID technology directly into the encryption algorithm - there is no other way out. Then the Algo, along with the usual crypto operations, will also check Device ID as described in the paper and stop the process if the device is found to be rogue.



And when we do that, it essentially means that we develop a new crypto!! Since we will modify RSA and ECC, let's call them RSA+/ECC+ for now. The bad guys cannot bypass the Algo. Right? Application vendors can then embed this crypto algo into their application instead of integrating directly with such a Device ID.



I agree this sounds oversimplistic and honestly, at this stage I am not sure

A) Exactly where in the encryption/decryption process the Device ID technique should be embedded and

B) Whether, apart from the Algo itself, we will require a code snippet. If so, it will impact integration with applications.

Clearly there is a lot more to be done. But at a conceptual level, I think we have a solution. I will revert back with a modified approach and concept document, hopefully with some illustrations/diagrams.



What was and still is fundamental is to ensure that the Device ID technique is foolproof. I know a few Device ID techniques which are prone to MITM or some form of malware. Once we have a robust Device ID (which I think we have now), it's half the battle won.



Have a nice weekend all!!



Regards

Govind

________________________________
From: Memory Vandal <memvandal at gmail.com>
Sent: Thursday, June 7, 2018 6:45 AM
To: Govind Yadav
Cc: cryptography at metzdowd.com; Natasha Aidinyantz
Subject: Re: [Cryptography] Data Protection Against Quantum Computing Brute Force via Device ID

Hi Govind,

Your paper is not clearly describing the Device ID technology that you propose.

From what it looks from the description, the Device ID is used only for authentication and it's not really used to encrypt the actual data. This is considering the fact the Device ID is getting added to the digital certificate and can be read by anyone since it's in plain text.

You seem to make the assumption that an adversary who has access to quantum computing will use only the official software application (e.g. text editor with embedded support for Device ID) and that the software will deny access to data even with the correct private key that has been cracked.

Have you considered that the adversary will use its own code to crack the keys and also to decrypt the data and totally ignore the Device ID?

Regards,

MemoryVandal
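
The objection in the quoted message, shown as an added example that is not code from either poster or from the paper: a device check enforced by an application sits outside the private-key operation, so the same key decrypts without it. It assumes toy textbook RSA with tiny constructed primes, a constructed certificate dictionary, and hypothetical names (`app_decrypt`, `raw_decrypt`, `DEV-1234`).

```python
# Toy textbook RSA with tiny constructed primes; for illustration only, not secure.
P, Q, E = 61, 53, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent

# Constructed certificate: the device ID is a plaintext field beside the public key.
CERT = {"subject": "alice", "public_key": (N, E), "device_id": "DEV-1234"}


class DeviceMismatch(Exception):
    pass


def encrypt(message, public_key):
    # Byte-wise textbook RSA: every byte value is below N, so each round-trips.
    n, e = public_key
    return [pow(b, e, n) for b in message]


def raw_decrypt(ciphertext, d, n):
    """The RSA private-key operation; it takes no device ID input at all."""
    return bytes(pow(c, d, n) for c in ciphertext)


def app_decrypt(ciphertext, d, cert, local_device_id):
    """Hypothetical 'official application': checks the device, then decrypts."""
    if local_device_id != cert["device_id"]:
        raise DeviceMismatch("device not registered in certificate")
    return raw_decrypt(ciphertext, d, cert["public_key"][0])


def demo():
    ct = encrypt(b"secret", CERT["public_key"])
    try:
        app_decrypt(ct, D, CERT, "DEV-9999")  # wrong device: application refuses
        blocked = False
    except DeviceMismatch:
        blocked = True
    # Same key and ciphertext, with no application in the path.
    recovered = raw_decrypt(ct, D, N)
    return blocked, recovered


if __name__ == "__main__":
    print(demo())
```

The check protects data only against parties who run the checking code; whoever holds the private exponent needs nothing from the certificate's device field.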