Re: Cryptographic protocols, again

On 13/06/09 2:11 PM, in article
4a340800$0$507$b45e6eb0@xxxxxxxxxxxxxxxxxxxxxxxxx, "tchow@xxxxxxxxxxxxx"
<tchow@xxxxxxxxxxxxx> wrote:

publicly reveal my secret key, and the thirty-six strings are publicly
decrypted (to prove that I really did encrypt all thirty-six dice rolls).
The (decrypted) chosen string is the dice roll.

It is hard for the website to cheat with the dice under such conditions.

It appears the basic solution your trying to resolve is that of a 3rd party
server manipulation of the rolls. Server picks from a random set of strings
that it has no knowledge about, and is only decipherable when the originator
publicizes a key.

You could use simple PKI on each roll (I am not suggesting this as an ideal
mechanism - its costly in resources, but servers as an example). Generate a
public private keypair. Encrypt the 36 strings with your own private key AND
your public key. Send the 36 encrypted strings out, have the server pick
from a random set of strings it has no knowledge about and then send that
choice out to all the clients (And all 36 encrypted strings) and then reveal
your private key. Your private key will the allow for your self encrypted
message to be unencrypted by everyone else. Start over with a new
public/private key pair and do again.

Cryptographically this would be sound, server would need inordinate amount
of time/resources to break the private key by itself.

The problem. Lets say you have someone like "Murat" who believes that the
GnuDung cheats (And has professed it for eons), yet has all the source code
at his fingertips and can't pin point anything. How do you convince them
that a cryptographic technique is sound, or can't be easily broken by a
server.

Its trying to convince the layman that this works. How would you go about
proving to Murat that the mathematics (which he likely won't comprehend)
actually work.

I use Murat as an example because he represents the people that likely will
never understand the math and will still draw their own naïve conclusions
even though reality says otherwise.

SSL works in a browser. Ask a normal user how it works (besides a little
icon appearing) and they likely don't have the faintest idea. Ask them why
they trust it, and they'll likely tell you they have to trust the software
(or not) that it "just" works.


.

Relevant Pages

  • Re: Cross platform password string encryption
    ... few people use Delphi or C# compared to C ... The consuming code doesn't use the library code in the right way. ... a raw key directly to the encrypt routine. ... The consuming code is trying to pass strings to the routines and ...
    (sci.crypt)
  • Re: One-Time Pads [was: Re: Help: Randomizing a List of Numbers]
    ... > never repeat the use of one of those strings then throw away the key. ... Checking my home machine, I see the following: ... if I were to use a one-time pad to encrypt traffic ... A CD a month, or even a CD a week, would not be a distribution nightmare. ...
    (sci.crypt)
  • Re: Newbie data size encryption questions
    ... amount of data that I can encrypt without the system being insecure? ... For example, if i wanted to encrypts strings of say 5 or 10 characters, ... bytes for AES] and other modes like CTR would need an IV. ...
    (sci.crypt)
  • Re: Linux System Users Login/Password?
    ... So far I've managed to pull all of the shadow password strings out and into a database, but is there any way of 'matching' the encrypted strings if you are given the plain text version, like with md5? ... PHP has a function named 'crypt' that will encrypt strings in the same way the password is encrypted into the password file. ... Do you really want to pull all the shadow entries into a database? ...
    (comp.lang.php)
  • Re: Storing connection strings
    ... An answer will depend heavily on who you are trying to protect it from, ... might also encrypt the key value. ... again perhaps encrypted and the keys protected by ACLs. ... Search for "COM+ Object Constructor Strings". ...
    (microsoft.public.vb.database)