6

I am always on the lookout for privacy-enhancing technologies. I stumbled upon the service from unseen.is. I had a look at their site (specifically here) and even though I lack knowledge there are a few early warning signs:

a former security contractor told us "if it's publicly available, it's cracked"

I think this is untrue?

extremely strong but not widely available encryption

I thought extremely strong = widely used/available?

We use only super strong NTRU encryption for public key exchange that is believed to be resistant to even quantum computing attacks

Quantum computing doesn't even exist in any (realistically) applicable way, so I think this is a bold statement?

I contacted the service asking about their encryption algorithm, how they exchange keys, if they have cryptographers on their team and got this response:

For the chat we use NTRU for the key and xAES for the message, 4096 bit key. For email we are using PGP at the moment 2048 bit or 4096 bit. The email will get upgraded to the same encryption as the chat at some point. Probably this summer.

I also found out that NTRU is in fact a known standard and has a Wikipedia article, although I am suspicious of the concept.

Simply put, my question is this: would this service and their claims fall under "have no clue", or is it my lack of knowledge and could this be a very decent, functional service?


Update: the website's FAQ (or this recent archive) states about xAES (an AES replacement with 4096-bit key) something that seems falsifiable:

we add an advanced symmetrical encryption which is very easy to use with keys 16x longer than those found in AEA256, an industry standard. According to our engineers, this will take 23840 times longer to crack than aes256, which is commonly known as "military grade" encryption.

Asked by user3244085; question edited by fgrieu
  • "super strong" might be bold, but the rest of that particular statement isn't. $;$ –  Mar 01 '14 at 08:13
  • Could you be more specific why it isn't? Considering the fact that quantum computing vs. encryption is merely theoretic at this point as far as I know – user3244085 Mar 01 '14 at 08:28
  • They are offering encryption for somewhat general use, and transcripts can be archived with the hope of later acquiring a quantum computer to break the key exchanges. – Mar 01 '14 at 08:38
  • An archive of the website shows an aspect (now gone) of the early intentions: " For those desiring more security, we offer a Premium service which will feature One Time Pad. This classic encryption doesn't use repetitive math formulas and the key is the same length (or longer) than the message. [..] because it uses a different technique to hide your message, it's very powerful and considered immune to cryptanalysis even today. We're making it even simpler to use this powerful way to encrypt your messages. " – fgrieu Mar 01 '14 at 09:29
  • (4) Quoting our FAQ: "Cryptography Stack Exchange is for asking questions about the mathematics and properties of cryptographic systems, their analysis ("cryptanalysis") and subsidiary topics that generally make up cryptology, such as random number generation." The present question is more about reading between the lines of commercial (rather than mathematical) text, trying to spot something that obviously does not hold water. I consider the question off-topic until it points at a falsifiable claim. – fgrieu Mar 01 '14 at 10:06
  • @fgrieu Considering the CipherCloud question was well-accepted, I think this one should be too. The nuance between this and CipherCloud is that the former asks "is this snake oil?" and the latter "how do they do that?". Maybe take this to Meta? – rath Mar 01 '14 at 12:44
  • @rath: CipherCloud pretended to achieve some goals that classic crypto does not achieve, making these claims falsifiable to some degree. Here, I see (pun intended) on the website, or question, no claimed achievement that's out of reach of standard crypto; no description of the AES-256 replacement with 4096-bit key (thus we can't reason about if it is good or bad); no clue about which variant of NTRU is used, with what parameters, in what protocol (I do see a non-disastrous rationale for NTRU, involving resistance to Quantum Computers and speed of user-side private-key generation). – fgrieu Mar 01 '14 at 13:26
  • But the claims that "public crypto is always bad, we have super secure not-so-public crypto", "4096 bit key (because longer is better)", "resistance against quantum computing"? And how is the discussion on "is it snake oil or not" not about cryptography? I admit there may be limited math involved, but it does discuss "properties of cryptographic systems" and I think such questions and their answers are needed on the web to provide information on encryption. – user3244085 Mar 01 '14 at 22:12
  • @user3244085: Your "public crypto is always bad" and "longer is better" seem to use quotes around paraphrase put without some slightly redeeming context. Perhaps "if it's publicly available, it's cracked" was referring to an implementation on a platform unable to resist key leakage, and if it's used in the sense of as soon as the code. Saying "believed to be resistant to even quantum computing attacks" may be useless, but is not snake oil. It would be fine to discuss if the 4096-bit key xAES is ridiculous or fair, if you (or someone else) could describe it, say by reverse-engineering. – fgrieu Mar 02 '14 at 00:26
  • @user3244085: ah, and since you point an answer to a question about long keys (that I also answered): using a 4096-bit RSA key is fine practice (for a long term key or/and to damp down paranoia); using a 4096-bit (key? block? do we even know?) for a symmetric block cipher is pointless (as far as we know), but could be harmless. – fgrieu Mar 02 '14 at 00:43
  • (1) @fgrieu I am aware of the fact that you answered the question; it is the reason I linked to it: to demonstrate the fact that my question was relevant as you answered a similar question, although I see how that question had information which made it more relevant than this one. But well, I do feel my question is answered, but marking an answer will be difficult as no one got past a comment. First negative question on Stack Exchange, yay. – user3244085 Mar 02 '14 at 06:08
  • Add facts to the question (like the NTRU variant and parameters, what TRNG is used for user and session key generation, the working of the mysterious xAES, the protocols..) and you'll get up-votes. Or just point at any falsifiable and outrageously wrong statement on the website, and I'll answer. Scoop, I've just found such a statement, I'll add it in the question! – fgrieu Mar 02 '14 at 12:46
  • (1) This is about marketing claims regarding cryptography, rather than about cryptography itself. As such this question is off-topic here, but would be on-topic on [security.se] as it touches on choosing a method to achieve a security objective. As it happens, this question has already been asked there: A service that claims beyond army level encryption – Gilles 'SO- stop being evil' Mar 02 '14 at 21:09
  • (1) Re "I thought extremely strong = widely used/available?", it's not that simple. If something is patented, or slow, or hasn't received a lot of analysis, or isn't significantly better than current practice, it might not be popular, even if it's good. – Matt Nordhoff Mar 03 '14 at 03:51
  • (1) And RC4 is very widely used but (academically at least) is broken – Cryptographeur Mar 04 '14 at 11:36

2 Answers

12

I'll comment only on the statement referring to an AES-256 replacement with a 4096-bit key:

According to our engineers, this will take 23840 times longer to crack than aes256

Bob writing that is not able to correctly transcribe even the numbers that engineer Alice allegedly spelled: most likely, $23840$ is intended to be $2^{3840}$, which is the ratio $2^{4096}/2^{256}$ of the number of 4096-bit keys to that of 256-bit keys. For reasons that I'll detail, that ratio of number of keys is irrelevant. Bob is incompetent at crypto, or totally gullible, or dishonest (I mean or as inclusive, not xor). And if anyone left Alice with the impression that $2^{3840}$ was a meaningful number, Alice is incompetent or dishonest, and that does not spell well for the system or code Alice designed or wrote.

Thus at least one holds: The FAQ's author is dishonest; it is dangerous to trust the engineer cited by the FAQ as advisor.


AES-256 is a symmetric cipher with a huge 256-bit key. Remember the tale of the man who asked the sultan as reward for his good services 1 grain of rice on the first square of a checkerboard, 2 on the second, 4 on the third.. and got impaled for having asked $2^{64}-1$ grains of rice, which is orders of magnitude more than the worldwide yearly rice production nowadays? Well, 256-bit instead of 64-bit is like this man asking for a checkerboard with 256 squares instead of 64. 64 bits of key was considered quite safe against key enumeration in 1970, and the reasonable optimists about the power of Moore's law agree that 1 year does not quite give 1 bit when it comes to brute force, and that whatever exponential trend there has been has already started to slow. Meaning 128-bit is still safe from key enumeration for the next two decades, and 256-bit is safe from key enumeration for whatever matters to man (the latter is even with quantum computers running full gear). Increasing key size to 4096-bit serves no purpose towards the threat of key enumeration, and it is pointless to consider the ratio $2^{4096}/2^{256}$ of keys for whatever security consideration or practical purpose.

Increasing the key size of a block cipher could conceivably serve some other purpose (like making side-channel attacks harder, although the opposite could also occur). But if that was the intent, the extra protection obtained (if any) would not be anywhere near $2^{3840}$, or quantifiable to 4-digit precision (if we trust $23840$).

Fact is, past a certain key size, the time (as in the quoted statement) or effort it takes to recover a key does not depend so much on the key size (at least, not as $2^\text{size}$), but on how the key is generated in the first place, and how well it is protected from later leakage. Over that limit (much less than 128-bit nowadays), a bad RNG, careless storage, a buffer overflow, another side-channel (timing, power consumed..), a fault-injection attack, you name it, are more likely threats to a key's confidentiality than key enumeration is.

fgrieu
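A worked cost model for the key-enumeration argument in the answer above, as an added example (this is not code from the answer, from unseen.is, or from any cryptographic library). It assumes a constructed adversary rate of 2**60 key trials per second, a 365.25-day year, a rounded universe age of 13.8 billion years, and the idealised Grover model in which a quantum adversary halves the exponent; the key sizes in the table are the ones the thread discusses. It also shows what the FAQ's "23840" becomes when read as $2^{3840}$.

```python
from typing import Dict

SECONDS_PER_YEAR = 31_557_600           # 365.25 days
UNIVERSE_AGE_YEARS = 13_800_000_000     # ~13.8 billion years, rounded

# Constructed assumption for the model: an adversary who tests 2**60 keys
# per second (about a billion machines each trying a billion keys per second).
ASSUMED_RATE = 2 ** 60


def effective_bits(key_bits: int, quantum: bool = False) -> int:
    """Exponent of the exhaustive-search work factor.

    Against a quantum adversary the idealised Grover model halves the
    exponent, so a 256-bit key still leaves 2**128 work."""
    return key_bits // 2 if quantum else key_bits


def enumeration_seconds(key_bits: int, rate: int = ASSUMED_RATE, quantum: bool = False) -> int:
    """Seconds to try every key at `rate` keys per second.

    Exact integer arithmetic on purpose: 2.0 ** 4096 overflows a float,
    so the 4096-bit row would otherwise raise OverflowError."""
    return 2 ** effective_bits(key_bits, quantum) // rate


def enumeration_years(key_bits: int, rate: int = ASSUMED_RATE, quantum: bool = False) -> int:
    """Whole years needed to enumerate the key space."""
    return enumeration_seconds(key_bits, rate, quantum) // SECONDS_PER_YEAR


def exceeds_universe_age(key_bits: int, rate: int = ASSUMED_RATE, quantum: bool = False) -> bool:
    """True once enumeration is out of reach by any physical measure."""
    return enumeration_years(key_bits, rate, quantum) > UNIVERSE_AGE_YEARS


def key_count_ratio_bits(bigger_bits: int, smaller_bits: int) -> int:
    """log2 of (number of bigger keys / number of smaller keys): 4096 vs 256 -> 3840."""
    return bigger_bits - smaller_bits


def decimal_digits(n: int) -> int:
    """How many decimal digits a ratio like 2**3840 actually has."""
    return len(str(n))


def approx_pow10(n: int) -> str:
    """Order-of-magnitude label that never converts the big int to a float."""
    return "0" if n == 0 else f"~10^{len(str(n)) - 1}"


def cost_table(sizes=(64, 80, 128, 256, 4096)) -> Dict[int, Dict[str, object]]:
    """Years to enumerate each key size, classically and under Grover."""
    return {
        bits: {
            "classical_years": enumeration_years(bits),
            "grover_years": enumeration_years(bits, quantum=True),
            "beyond_reach": exceeds_universe_age(bits, quantum=True),
        }
        for bits in sizes
    }


if __name__ == "__main__":
    for bits, row in cost_table().items():
        print(f"{bits:>5}-bit key: {approx_pow10(row['classical_years'])} classical years, "
              f"{approx_pow10(row['grover_years'])} Grover years, "
              f"beyond reach even for Grover: {row['beyond_reach']}")
    ratio = 2 ** key_count_ratio_bits(4096, 256)
    print(f"2**3840 has {decimal_digits(ratio)} decimal digits; the FAQ's 23840 has 4")
```

The table makes the answer's point concrete: at this rate 64-bit keys fall in seconds, 128-bit keys are already past the age of the universe classically but not under Grover, and 256-bit keys are beyond reach either way, so the extra $2^{3840}$ factor for a 4096-bit key changes nothing that an attacker would rationally try.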
  • Are there even any publicly-available and cryptanalyzed symmetric ciphers that can accept key sizes up to 4096 bits? – Stephen Touset Mar 03 '14 at 07:24
  • (1) @Stephen Touset: I can't point to any publication about a symmetric cipher with a 4096-bit key. However for many ciphers (AES, DES..) it is standard practice to consider separately key expansion (generating subkeys independent of plaintext); and the rest, which is in some attacks modeled as a random key as wide as the subkeys are. So arguably, that variant of AES-256 (with 1920-bit key) is somewhat studied. yAES defined as AES with 31 rounds and no key expansion would be a 4096-bit cipher, at least as strong in a random-key setup as AES-256 is (but horribly vulnerable to related-key attacks). – fgrieu Mar 03 '14 at 13:47
  • (2) That's a great take on it; I'd wager that's likely not what they're doing, but it's interesting to consider an AES variant where key expansion is skipped and a random key of appropriate size is used instead. – Stephen Touset Mar 03 '14 at 18:46
  • Maybe the FAQ has been written by somebody from the marketing department. In many cases, they are incompetent at crypto and dishonest (just half kidding). Anyway, I hope they'll come up with a more reviewable description of their 4096-bit symmetric crypto. The widest symmetric crypto I've used has been 2048 bits and even it had issues with related keys (RC4). – user4982 Mar 04 '14 at 15:15
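The comments above separate AES's key expansion from its round function and count the subkey material a round count consumes (15 round keys of 128 bits for AES-256's 14 rounds, 32 round keys for a 31-round variant). The following is an added example, written for this page and not code from unseen.is, from fgrieu, or from any library: a pure-Python AES whose round keys are a parameter, so the same round function runs either with the FIPS-197 key schedule (checked against the FIPS-197 Appendix C test vectors) or with (Nr+1)*128 bits of directly supplied subkeys. The S-box is derived from the GF(2^8) inverse and affine map rather than pasted as a table. The name `subkeyed_aes_encrypt` and the `round_key_bits` helper are this example's own; nothing here claims to be what "xAES" is.

```python
from typing import List


def _gmul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _make_sbox() -> List[int]:
    """Derive the AES S-box: multiplicative inverse, then the affine transform."""
    sbox = []
    for x in range(256):
        inv = 0 if x == 0 else next(y for y in range(1, 256) if _gmul(x, y) == 1)
        s, t = inv, inv
        for _ in range(4):                      # s = inv ^ rotl1 ^ rotl2 ^ rotl3 ^ rotl4
            t = ((t << 1) | (t >> 7)) & 0xFF
            s ^= t
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _make_sbox()


def expand_key(key: bytes) -> List[bytes]:
    """FIPS-197 key schedule: Nr+1 round keys of 16 bytes from a 128/192/256-bit key."""
    nk = len(key) // 4
    assert nk in (4, 6, 8), "AES keys are 128, 192 or 256 bits"
    nr = nk + 6
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 1
    for i in range(nk, 4 * (nr + 1)):
        t = list(w[i - 1])
        if i % nk == 0:                          # RotWord, SubWord, Rcon
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _gmul(rcon, 2)
        elif nk > 6 and i % nk == 4:             # extra SubWord for AES-256
            t = [SBOX[b] for b in t]
        w.append([w[i - nk][j] ^ t[j] for j in range(4)])
    return [bytes(sum(w[4 * r:4 * r + 4], [])) for r in range(nr + 1)]


def _mix_columns(s: List[int]) -> List[int]:
    """MixColumns on a column-major 16-byte state."""
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [_gmul(a0, 2) ^ _gmul(a1, 3) ^ a2 ^ a3,
                a0 ^ _gmul(a1, 2) ^ _gmul(a2, 3) ^ a3,
                a0 ^ a1 ^ _gmul(a2, 2) ^ _gmul(a3, 3),
                _gmul(a0, 3) ^ a1 ^ a2 ^ _gmul(a3, 2)]
    return out


def encrypt_with_round_keys(block: bytes, round_keys: List[bytes]) -> bytes:
    """The AES round function driven by an explicit list of 16-byte round keys.

    Nr = len(round_keys) - 1; the last round skips MixColumns as in FIPS-197."""
    assert len(block) == 16 and len(round_keys) >= 2
    assert all(len(k) == 16 for k in round_keys)
    nr = len(round_keys) - 1
    s = [b ^ k for b, k in zip(block, round_keys[0])]
    for r in range(1, nr + 1):
        s = [SBOX[b] for b in s]                                            # SubBytes
        s = [s[i % 4 + 4 * ((i // 4 + i % 4) % 4)] for i in range(16)]      # ShiftRows
        if r != nr:
            s = _mix_columns(s)                                             # MixColumns
        s = [b ^ k for b, k in zip(s, round_keys[r])]                       # AddRoundKey
    return bytes(s)


def aes_encrypt(block: bytes, key: bytes) -> bytes:
    """Standard AES: key expansion, then the rounds."""
    return encrypt_with_round_keys(block, expand_key(key))


def subkeyed_aes_encrypt(block: bytes, subkeys: bytes) -> bytes:
    """AES with the key schedule removed: `subkeys` is (Nr+1)*16 bytes used as-is.

    4096 bits of subkeys give 32 round keys, i.e. 31 rounds. With no schedule,
    any structure between round keys (related-key issues) is the caller's problem."""
    assert len(subkeys) % 16 == 0 and len(subkeys) >= 32
    return encrypt_with_round_keys(block, [subkeys[i:i + 16] for i in range(0, len(subkeys), 16)])


def round_key_bits(rounds: int) -> int:
    """Subkey material an Nr-round AES consumes: (Nr+1) * 128 bits."""
    return (rounds + 1) * 128


if __name__ == "__main__":
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")     # FIPS-197 C.1 plaintext
    print(aes_encrypt(pt, bytes(range(16))).hex())            # 69c4e0d86a7b0430d8cdb78070b4c55a
    print(round_key_bits(14), round_key_bits(31))             # 1920 4096
    print(subkeyed_aes_encrypt(pt, bytes(512)).hex())         # 31 rounds, all-zero subkeys
```

The point of the split is the one the comments make: "4096-bit key" only means something once you say where the bits go. Feeding `expand_key` output into `subkeyed_aes_encrypt` reproduces standard AES exactly, while feeding 512 arbitrary bytes gives a 31-round cipher whose key-space size says nothing about how those bytes were generated or whether they are related to each other.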
4

The claims made are pretty much all nonsense or do not represent an accurate understanding of the state of the art. I'm not going to go into a point-by-point response; suffice it to say that I would not trust any advice or representations they may make about what is or isn't secure. Their system might be fine, or it might not be, but their public statements do not give grounds for confidence.

So, yes, their claims fall under "have no clue". Whether it is a decent, functional service, I can't say. It could be... but my a posteriori estimate of the probability of that has gone down, after reading their public statements.

D.W.