From: schaen@mitre.org (Sam Schaen)
Subject: Re: POTP

At 12:53 PM 10/16/95, Bill Neugent wrote:
>Today's Network World has an article (pg 53) on Power One-Time Pad (POTP),
>a new security offering from Elementrix Ltd that purports to achieve
>encryption without key management via the synchronization of random
>processes on communicating computers (presumably something like SecurID).
>Applied towards encryption, it sounds a bit like snake oil to me. Does
>anyone know more about this thingie?
>
>Bill

I saw them at Networld+Interop in Atlanta. The firm is HQ'd in Israel with
an office in NY, I think. They were loath to discuss anything about the
internals (saying it was proprietary). They have not addressed the key
management problem at all - you currently need a secure out-of-band
exchange with each correspondent.

-Sam


From: mckenney@smiley.mitre.org (Brian W. McKenney)
Subject: Re: POTP

Bill,

I have been in touch with Elementrix (actually a distributor). G025 has
plans to look at two POTP products under tech ops. We are interested in the
POTP secure communications driver for Windows and the POTP Personal
Firewall.

The benefit of a one-time pad is that it does not require the repeated use
of the same key (there is no permanent key, keys are random, and no key is
repeated). Elementrix is a legitimate company and their introduction of
products that employ one time pads caught my attention. Expect to hear more
about POTP products.

The POTP Secure Mail product has a list price of $245.00. They also provide
a POTP Secure FTP server for UNIX systems and for Windows NT and Windows 95.

Note: Elementrix is a subsidiary of Elron Electronic Industries Ltd, based
in Haifa, Israel. Elron is Israel's leading high technology holding company.

-Brian

>Today's Network World has an article (pg 53) on Power One-Time Pad (POTP),
>a new security offering from Elementrix Ltd that purports to achieve
>encryption without key management via the synchronization of random
>processes on communicating computers (presumably something like SecurID).
>Applied towards encryption, it sounds a bit like snake oil to me. Does
>anyone know more about this thingie?
>
>Bill


From: wneugent@smiley.mitre.org (Bill Neugent)
Subject: Re: POTP

Folks,

FYI, Here are some thoughts from Jason Smith on POTP. Thanx, Jason.

Bill

>Date: Mon, 16 Oct 95 13:19:41 EDT
>Mime-Version: 1.0
>To: wneugent@smiley (Bill Neugent)
>From: jason@smiley.mitre.org (Jason Smith)
>Subject: Re: FWD: Revolutionary Encryption Product Praised by Kahn and Schwart
>
>Bill,
>
>Kevin Jones sent me the following message about the product. I responded
>with my $0.02 worth. I am forwarding the slightly edited dialog. First
>comes my response to the product, then the article info. Keep in mind I'm
>just a newbie, but I see little new here except for the synchronized rng.
>The entire crypto strength is based on this rng being unbreakable,
>otherwise the whole thing falls apart. Note that the first message
>initializes the rng, so first communication is vulnerable. Future
>communications can be secured, but only by resuming the rng started
>earlier. Could be a maintenance nightmare. Feel free to edit and
>re-distribute as needed.
>
>-- Jason Smith
>
>
>>>Kevin,
>>>
>>>I see a couple of problems with this...first of all the initial connection
>>>between parties establishes the initialization vector that secures all
>>>future communications. any hacker listening on the first communication can
>>>align his own box and read all future traffic. second, if i communicate
>>>with 1,000 sites, i need to retain 1,000 init vectors. if i establish a
>>>new vector each transaction i am defeating the mechanism, so i must retain
>>>this info. Conversely, if i am a server who supports 20,000 connections a
>>>day, that's a hell of a lot of vectors to maintain. thirdly, anyone who
>>>says "I don't see how the keys could be predictable" shouldn't be trusted.
>>>The keys can not be entirely random or the boxes could not generate
>>>identical keys simultaneously. This means that the strength of the keys
>>>relies on the randomness of the initial message. One time pads are
>>>informationally secure (perfect security). They rely on completely random
>>>keys that are as long as the message itself. The claim that the product is
>>>perfectly secure is false. One time pads are completely secure, but only if
>>>the keys are perfectly random, not if they rely on pseudo random numbers.
>>>Then they are only as strong as the random numbers themselves. they have
>>>introduced new components into an old system without re-evaluating the
>>>overall security. they brush aside claims of attacks against the random
>>>number generators, yet this is likely to be the weak point in the system.
>
>--------------------------------------
>
>>>>>Subject: Revolutionary Encryption Product Praised by Kahn and Schwart
>>>>>
>>>>>
>>>>>---------- Forwarded message ----------
>>>>>Date: Mon, 2 Oct 1995 21:51:00 -0400 (EDT)
>>>>>From: Joseph T. Lisi
>>>>>Subject: Revolutionary Encryption Product Praised by Kahn and Schwartau
>>>>>
>>>>>Vic;
>>>>>
>>>>>I thought you would be interested. I wonder how long it will take before
>>>>>somebody gets into it? I know nothing more about the product than what I
>>>>>see in the article. Pay particular note to ownership/affiliation of the
>>>>>company!
>>>>>
>>>>>Regards,
>>>>>Joe
>>>>>
>>>>>ELEMENTRIX ANNOUNCES REVOLUTIONARY ENCRYPTION
>>>>>
>>>>>PR Newswire
>>>>>
>>>>>POTP Secure Mail, Secure FTP Avoid Limitations of Existing Systems
>>>>>
>>>>> NEW YORK, Sept. 29 /PRNewswire/ -- Elementrix Technologies, Inc. has
>>>>>announced a security technology for digital communications based on the
>>>>>only encryption method which is considered unbreakable. The method, POTP
>>>>>(Power One Time Pad) eliminates the weaknesses that allow break-ins to
>>>>>existing systems.
>>>>>
>>>>> Two products which feature this technology, POTP Secure Mail and POTP
>>>>>Secure FTP were voted the leading security products in the Best of the Show
>>>>>awards announced at the Networld + Interop Show in Atlanta this week. The
>>>>>technology is expected to be a boon to both corporate and individual users
>>>>>of the Internet and a major step forward for electronic commerce.
>>>>>
>>>>> The products are an automatic implementation of One Time Pad (OTP), the
>>>>>only encryption which is considered unbreakable. Prior to the invention of
>>>>>POTP, OTP was used only in extreme situations where cost and logistical
>>>>>constraints were not determining factors. Now POTP(TM) makes this legendary
>>>>>encryption readily available as a commercial software package.
>>>>>
>>>>> As with OTP, POTP creates keys that are as long as the messages they
>>>>>encrypt, and are used only once. But unlike OTP, which requires extensive
>>>>>key distribution and management, POTP(TM) creates real time: random keys
>>>>>are created automatically during the communication process. Therefore,
>>>>>users can instantly send private and sensitive e-mail over the Internet or
>>>>>other open systems with 'point and click security.'
>>>>>
>>>>> "Elementrix has found a logical way to generate non-algorithmic,
>>>>>dynamically changing keys at two separate sites without transmitting them
>>>>>on the line and without using parallel lines," said Dr. David Kahn, the
>>>>>country's leading historian of cryptography and the current visiting
>>>>>historian at the National Security Agency.
>>>>>
>>>>> "Elementrix is well within its rights to call this technology Power One
>>>>>Time Pad. I see no way of reconstructing the encryption key," he said at
>>>>>the press conference announcing the products.
>>>>>
>>>>> "POTP represents a paradigm shift in encryption," said Winn Schwartau,
>>>>>an internationally recognized expert on electronic security who also spoke
>>>>>at the press conference. "The fundamental technology is entirely different
>>>>>from any existing encryption scheme. This is the first system I've ever
>>>>>seen that can make the entire Internet secure for non-expert users."
>>>>>
>>>>> Schwartau also noted the importance of the system for corporate users
>>>>>based on its advantages in the area of key management.
>>>>>
>>>>> "The problem with systems that depend on passwords for security is that
>>>>>the infrastructure required to manage and distribute them is cumbersome,
>>>>>especially in large organizations," he said. "POTP eliminates the need for
>>>>>this infrastructure."
>>>>>
>>>>> POTP(TM) technology can be used to encrypt any digital communication.
>>>>>This can include data communications, secure telephones, wireless,
>>>>>satellite, cable TV and virtually any method of modern, digital
>>>>>communications. All POTP(TM) products are automatic and transparent to the
>>>>>user.
>>>>>
>>>>> The system addresses a paradox in encryption: "If the keys are truly
>>>>>unpredictable then there should be no way for one party to automatically
>>>>>re-create the same keys that are being used by the other," said Isaac
>>>>>Rubinstein, executive vice president of Elementrix Technologies Inc.
>>>>>
>>>>> "However, POTP's dynamically changing random keys are created by a
>>>>>patent pending method during the communication process itself," he said.
>>>>>"After the POTP(TM) between the two parties has been initialized -- only
>>>>>the very first time they communicate -- a One Time Pad process is executed
>>>>>continuously."
>>>>>
>>>>> POTP(TM) is patent pending. This unique method is fully disclosed on an
>>>>>individual basis only, through a non-disclosure agreement. A select group
>>>>>of encryption and security experts, including Kahn and Schwartau, have
>>>>>been fully briefed and have endorsed the new technology.
>>>>>
>>>>> POTP(TM) Secure Mail carries a very low overhead of less than 1.2%.
>>>>>Encryption and decryption are very fast and have virtually no effect on
>>>>>software performance. The system requires an IBM or compatible computer
>>>>>with a 386 or higher CPU and 4MB of RAM; a modem or network card; and any
>>>>>TCP/IP stack for Microsoft Windows. The software is Windows 3.1 and
>>>>>Windows 95 compatible.
>>>>>
>>>>> Professional Encryption/Personal Privacy
>>>>>
>>>>> In the e-mail package, the entire message including attachments is
>>>>>encrypted in real time as it leaves the PC. Messages remain totally private
>>>>>while stored on the mail server, handled by an Internet provider, and/or
>>>>>sent over communication lines. Messages are sent in standard e-mail format
>>>>>with no need for a special mail server. Any standard SMTP/POP3 mail server
>>>>>will handle the messages.
>>>>>
>>>>> There is no need for any manual key distribution or management: no
>>>>>public and private keys; no master and session keys. Messages remain
>>>>>private and cannot be read by anyone, even system administrators.
>>>>>
>>>>> The manufacturer's suggested list price for the single user is $245. A
>>>>>special price of $198 will be available during the product introduction.
>>>>>
>>>>> Elementrix Technologies
>>>>>
>>>>> Elementrix Technologies Inc., based in New York City, is a subsidiary
>>>>>of Elementrix Technologies Ltd., based in Haifa, Israel. The parent company
>>>>>is a subsidiary of Elron Electronic Industries Ltd., Israel's leading
>>>>>advanced technology holding company. Elementrix was founded in January
>>>>>1994 in order to develop commercial applications for its POTP(TM)
>>>>>encryption and other security products.
>>>>>
>>>>> -0- 9/29/95
>>>>>
>>>>> /CONTACT: Michael Meric, Fusion TMA, 212-977-4600, fax: 212-265-9684,
>>>>>e-mail: mmeric@elementrix.co.il, or Maia Aron, VP Marketing, Elementrix,
>>>>>212-888-8879, fax: 212-935-3882, e-mail: maia@elementrix.co.il/
>>>>>
>>>>>CO: Elementrix Technologies Inc. ST: New York IN: CPR SU: PDT
>
>---------------------------------------------------
>Jason S. Smith
>
>jason@smiley.mitre.org | The MITRE Corporation
>Phone: (703) 883 - 6219 | 7525 Colshire Dr.
>FAX: (703) 883 - 1397 | McLean, VA 22102
>
>Fear of women is the basis of good health
> -- Spanish Proverb
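Jason's critique in the forwarded message comes down to one reduction: if two endpoints must produce identical "random" keys from a state set up by their first exchange, the keystream is a deterministic function of that state, so the scheme is a keystream cipher whose security is the secrecy of the initial state plus the strength of the generator, not a one-time pad, and each endpoint must also keep that state per correspondent. The toy below is an added example for this thread, not Elementrix's undisclosed method and not code from anyone on the list; the SHA-256 counter keystream, the `Party` class and the names are constructed assumptions chosen only to make the three points (both ends agree; whoever holds the initial state agrees too; one record per peer) concrete and checkable.

```python
"""Toy model of the reduction described in the thread: a keystream derived
from a shared initial state is reproducible by anyone who holds that state.
Constructed example; the construction is an assumption, not the product's."""
import hashlib
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Vernam step shared by a true OTP and the toy keystream cipher."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def synced_keystream(seed: bytes, msg_no: int, length: int) -> bytes:
    """Deterministic keystream: SHA-256(seed || msg_no || block), concatenated.
    Both ends derive the same bytes from the same seed and message counter,
    which is exactly why it is not a one-time pad: the 'key' is computable."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(
            seed + msg_no.to_bytes(8, "big") + block.to_bytes(8, "big")
        ).digest()
        block += 1
    return bytes(out[:length])


def true_otp_encrypt(plaintext: bytes) -> tuple[bytes, bytes]:
    """Genuine OTP: a fresh, unpredictable key as long as the message.
    Nothing derives it; it still has to reach the recipient out of band."""
    key = os.urandom(len(plaintext))
    return key, xor_bytes(key, plaintext)


class Party:
    """Endpoint holding one (seed, message counter) record per correspondent,
    the per-peer state behind the 1,000-site / 20,000-connection remark."""

    def __init__(self) -> None:
        self.peers: dict[str, list] = {}

    def initialize(self, peer: str, seed: bytes) -> None:
        # Stands in for the first exchange that seeds both ends.
        self.peers[peer] = [seed, 0]

    def _next_key(self, peer: str, length: int) -> bytes:
        seed, n = self.peers[peer]
        self.peers[peer][1] = n + 1
        return synced_keystream(seed, n, length)

    def encrypt(self, peer: str, plaintext: bytes) -> bytes:
        return xor_bytes(self._next_key(peer, len(plaintext)), plaintext)

    def decrypt(self, peer: str, ciphertext: bytes) -> bytes:
        return xor_bytes(self._next_key(peer, len(ciphertext)), ciphertext)


def demo() -> dict:
    alice, bob = Party(), Party()
    seed = os.urandom(32)  # the initializing state; in this toy it is shared in the clear
    alice.initialize("bob", seed)
    bob.initialize("alice", seed)

    msgs = [b"first message", b"second message, later"]  # constructed sample traffic
    cts = [alice.encrypt("bob", m) for m in msgs]
    bob_reads = [bob.decrypt("alice", c) for c in cts]

    # A third endpoint that holds the same initial state and counts messages
    # ends up with Bob's state; this is the property the thread warns about.
    holder = Party()
    holder.initialize("alice", seed)
    holder_reads = [holder.decrypt("alice", c) for c in cts]

    # True OTP for comparison: the key is independent of anything transmitted.
    key, ct = true_otp_encrypt(msgs[0])
    otp_roundtrip = xor_bytes(key, ct)

    # State burden: one record per correspondent, retained between sessions.
    server = Party()
    for i in range(20000):
        server.initialize(f"client{i}", os.urandom(32))

    return {
        "bob_reads_all": bob_reads == msgs,
        "state_holder_reads_all": holder_reads == msgs,
        "otp_roundtrip_ok": otp_roundtrip == msgs[0],
        "server_records": len(server.peers),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The defender's reading of the result: `bob_reads_all` and `state_holder_reads_all` are the same boolean because Bob and the state holder run the same computation, so the confidentiality of every later message rests entirely on how the initial state was established and on the generator, and the 20,000-record server shows the key-management problem has been relocated into per-peer synchronized state rather than removed.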