[Cryptography] Data Protection Against Quantum Computing Brute Force via Device ID

Sat Jun 9 06:38:27 EDT 2018

Hi Govind,

On Fri, Jun 8, 2018 at 10:08 PM, Govind Yadav <yadavgovind at hotmail.com>
wrote:

> You are absolutely right that the hackers can write their own code, crack
> private key via QC and decrypt the data and ignore Device ID
>
> The ultimate solution to this problem is that instead of application,
> embed Device ID technology directly into the encryption algorithm - there
> is no other way out. Then the Algo, along with usual crypto operations,
> will also check Device ID as described in the paper and stop the process if
> device is found to be rouge.
>

Like Natanael said earlier, the attacker can write code which works exactly
the same way the hardware would work. Hiding the algorithm in hardware
would be security by obscurity and it would be reversed eventually.

Take a look at TPM which is already available technology that can give you
a hash based on the hardware on the system. Any change in hardware will
generate a different hash value. This technology is used with whole drive
encryption like Bitlocker where the system decrypts itself without user
entering a key. Any modification in the hardware and the disk wont decrypt
without providing a backup recovery key. That means you cannot just remove
the hard drive and walk away from that system.

> And when we do that, it essentially means that we develop a new crypto!!
> Since we will modify RSA and ECC, let’s call them RSA+/ECC+ for now. The
> bad guys cannot bypass the Algo. Right? Applications vendors can then embed
> this crypto algo into their application instead of integrating directly
> with such a DeviceID.
>

Any algorithm you develop will be available with the attacker too. Special
algorithm is not how its done. Key management is what is tough thing to
achieve and you need to focus on that part most.

>   I agree this sounds over simplistic and honestly, at this stage I am
> not sure
>
> A) Exactly where in the encryption/decryption process should Device ID
> technique be embeded and
>
> B) Whether apart from the Algo itself, will we require a code snippet. If
> so, it will impact integration with applications.
>
> Clearly there is lot more to be done. But at a conceptual level, I think
> we have a soluiton. I will revert back with modified approach and concept
> document hopefully with some illustrations/diagrams.
>
>
>
> What was and still is fundamental, is to ensure that the Device ID
> technique is fool proof. I know few Device ID techniques which are prone to
> MITM or some form of Malware. Once we have a robust Device ID (which I
> think we have now), its half the battle won.
>

You are still not even near to a solution. But don't lose your motivation
and keep thinking!

Regards,

MemoryVandal
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20180609/736484b1/attachment.html>