Path: nntp.eternal-september.org!news.eternal-september.org!eternal-september.org!.POSTED!not-for-mail
From: Rich <rich@example.invalid>
Newsgroups: sci.crypt
Subject: Re: AI's take on my cipher...
Date: Sun, 13 Jul 2025 14:22:36 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 83
Message-ID: <1050ffb$2q09e$2@dont-email.me>
References: <1049c0q$10d0c$1@dont-email.me> <104hp5s$363bm$1@dont-email.me> <e80d25a08cb77a726c77b8359c59833f871cfa1e@i2pn2.org> <104mgv5$cvfq$1@dont-email.me> <047c88f47daa342fbbf7aee669a3deb8896ce6af@i2pn2.org> <104mj60$dltj$1@dont-email.me> <4b6e233e7c3fb669fa324151f627c4addbfc9f70@i2pn2.org> <104r7eo$1i08p$1@dont-email.me> <95a6f265f6bdddcd037a7e48cf5258e77cec9b15@i2pn2.org> <104uecv$2ak1k$1@dont-email.me> <8e54a93978459bb7baa6896adc62508b9deb7d78@i2pn2.org> <104uqme$2cu71$1@dont-email.me>
Injection-Date: Sun, 13 Jul 2025 16:22:36 +0200 (CEST)
Injection-Info: dont-email.me; posting-host="98d3fbcbb0287bbd0d73a29a092f1053";
logging-data="2949422"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX184Q/15Xj2qD6d5rGTTc7dd"
User-Agent: tin/2.6.1-20211226 ("Convalmore") (Linux/5.15.139 (x86_64))
Cancel-Lock: sha1:MrZkWFdzKhVjjMMSle3ujylcPPM=

Chris M. Thomasson <chris.m.thomasson.1@gmail.com> wrote:
> On 7/12/2025 12:59 PM, Stefan Claas wrote:
>> Rich wrote:
>>> Stefan Claas <stefan@mailchuck.com> wrote:
>>>> Richard Heathfield wrote:
>>>>> On 10/07/2025 18:19, Stefan Claas wrote:
>>>>>> Chris M. Thomasson wrote:
>>>>>>> On 7/9/2025 12:53 PM, Stefan Claas wrote:
>>>>>>
>>>>>>>> How does it work if A encrypts on local host and B should
>>>>>>>> decrypt on his local host, with that given link from A
>>>>>>>
>>>>>>> Wrt the online version:
>>>>>>>
>>>>>>> A needs to send/give B the ciphertext somehow, email, snail
>>>>>>> mail, somehow, hand signals, etc... ;^) Then B, assuming that A
>>>>>>> and B have the same secret key, can use said ciphertext to
>>>>>>> decrypt it. So, if you notice the online program has a
>>>>>>> ciphertext only, without a link prefix. Say this example: I am
>>>>>>> encrypting the message on my local host using the default key:
>>>>>>
>>>>>> But how, for example, would you give me the secret key, from the
>>>>>> USA to Germany, without meeting in person?
>>>>>
>>>>> Diffie-Hellman can establish a secret key in public. Then
>>>>> authenticate over an encrypted channel.
>>>>
>>>> I know, but how do you protect the key on your online device against
>>>> Pegasus or FinSpy? For proper encryption two parties have to do it
>>>> offline, but GnuPG users could never learn it, because it was never
>>>> explained to them.
>>>
>>> Nor will anyone else who falls into the "average computer user
>>> category" and thinks the "I have nothing to hide" excuse is valid.
>>>
>>> You are not fighting "encryption" here, you are fighting the fact that
>>> few care enough and are motivated to learn. And that battle will not
>>> be won by better cryptography, nor by better user interfaces. The only
>>> way those folks will use "secure means" is if the secure means happens
>>> all automatically, by default, without their knowledge, for them.
>>
>> And you know very well that this will not happen, because companies are
>> not willing to defeat this known issue and only offline encryption and
>> decryption is the way to go, for secure communications.
>
> Think of an offline encrypt with say, my symmetric HMAC cipher thing.
> You save the ciphertext to a usb drive. Oh shit, say the offline
> computer is infected with a virus, and the USB is now highly suspect.

The reverse is the more likely issue. Bob receives an encrypted message
on his 'networked device'. Unbeknownst to him, Pegasus is also hiding
in the shadows on the device. He writes the message to a USB stick to
transfer to his air-gapped crypto-box. Pegasus adds an exploit to the
USB at the same time. He plugs the USB into his air-gapped computer
and the 'infection' from the USB now migrates into the air-gapped
computer. Bob is now owned.

The only way to avoid this is to never have any electronic signals
coupling between anything and the air-gapped computer. Which means the
airgap computer should really be given data via 'typing it in on a
keyboard' and data retrieved from it by "typing the encrypted data out
onto the 'networked computer'".

And, how accurate do you think the average person who wants to send
an encrypted message will be at typing this:

KqHtqbSca2hvI02pCMHtdKQLfHhW6OeN7iK1Fg45nMpoT+to8XpwpvARkW6UziY0iyZWUEgP/gol
gz5p3XpGCe0hZbYV2IYYLDvvRjGWj1k5IHkDX4WshBZvI5fhVssJOqVI3bzqdEW3XLD4NoGKVQg3
ZeNaSJs2hBySnkBoKGI=

That's 128 random bytes, base64 encoded. 128 bytes is right about the
original "tweet length" of tweets on shitter, so there is a severe
limit of the amount of information that can be transferred.

But imagine punching that into a keyboard on an air-gapped computer.
Do you think that by the time you get to the end, that you will have
typed every character 100% accurately? Because if you mistype even
one, the message will be corrupt and fail validation.

Or think the reverse, Alice encrypts a message for Bob, then she types
the above out in a tweet or email or even onto paper with an old school
typewriter. How likely is Alice to get every character 100% correct
(absent a lot of proofreading time on Alice's part).
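
The transcription problem described in the post above, as an added example that is not part of the original post or of any cipher discussed in the thread: a 128-byte message is base64-encoded to 172 characters, every single-character typo is checked against validation, and the chance of an error-free copy is estimated. The key, the payload, the HMAC-SHA256 tag layout and the per-character error rates are constructed assumptions.

```python
import base64
import hashlib
import hmac

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
KEY = b"constructed-demo-key"   # constructed sample key (assumption)
PAYLOAD = bytes(range(96))      # constructed stand-in for 96 ciphertext bytes
TAG_LEN = 32                    # HMAC-SHA256 tag: 96 + 32 = 128 bytes total

def seal(payload: bytes) -> str:
    """Append the tag and return the base64 text someone would have to type."""
    tag = hmac.new(KEY, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + tag).decode("ascii")

def validate(typed: str) -> bool:
    """Decode the typed text and check its tag in constant time."""
    try:
        raw = base64.b64decode(typed, validate=True)
    except ValueError:          # malformed base64 also counts as a failure
        return False
    if len(raw) <= TAG_LEN:
        return False
    expected = hmac.new(KEY, raw[:-TAG_LEN], hashlib.sha256).digest()
    return hmac.compare_digest(raw[-TAG_LEN:], expected)

def mistype(text: str, pos: int) -> str:
    """Swap one character for its neighbour in the base64 alphabet."""
    wrong = B64[(B64.index(text[pos]) + 1) % 64]
    return text[:pos] + wrong + text[pos + 1:]

def rejected_single_typos(text: str) -> int:
    """Count single-character typos that fail validation. The last 4-char
    group (padding and unused bits) is skipped to keep the sweep simple."""
    return sum(not validate(mistype(text, i)) for i in range(len(text) - 4))

def p_perfect(n_chars: int, per_char_error: float) -> float:
    """Chance of typing n_chars with no error, assuming independent slips."""
    return (1.0 - per_char_error) ** n_chars

SEALED = seal(PAYLOAD)

if __name__ == "__main__":
    print(len(SEALED), "characters to type")
    print("clean copy validates:", validate(SEALED))
    print("single typos rejected:", rejected_single_typos(SEALED), "of", len(SEALED) - 4)
    for rate in (0.001, 0.005, 0.01):   # assumed per-character error rates
        print(f"error rate {rate:.1%}: P(perfect) = {p_perfect(len(SEALED), rate):.3f}")
```
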