[messaging] Fwd: WaveCrypt

Mihai Ionut c.ionutmihai1 at gmail.com
Thu Apr 14 02:23:03 PDT 2016

[image: --]

Chelalau Ionut Mihai
[image: https://]about.me/c.ionutmihai1

---------- Forwarded message ----------
From: Mihai Ionut <c.ionutmihai1 at gmail.com>
Date: Thu, Apr 14, 2016 at 12:21 PM
Subject: Re: [messaging] WaveCrypt
To: Joseph Gentle <me at josephg.com>

​Thanks for feedback.

I really enjoyed that 1992 sneakers video, not only because it showed a
very simple "fix" but it gave me a nostalgia feeling. You know, nowadays
when we are learning computer science they tend to forget a lot of details.
Because the time is short they have to compress the learning materials so
that they can give us "the important stuff". By doing so however they
deprive us, the young generation, from knowing the basics. They don't
longer "waste" time with teaching the early programming languages, those
things are just specified on the last page of the manual with the smallest
font available.

There's another aspect to this. While I was working on WaveCrypt I've read
books not only about cryptography or sound design and audio synthesizers
but also about assembly language and how the nowadays audio formats came to
be (wav, mp3 etc). So, when we take a look at our entire computer science
history and the various difficulties we've had in the past it's impossible
not to have a beautiful thought in my mind... : why can't I simply create
my own audio format? Why can't I simply design my own primitive operating
system on that custom printed circuit board? Why can't I create an special
error-correcting code (a special version of Hamming) so that the audio
input I record would be able to verify it's source, without compromising
its integrity?

I will really work on this in the summer. I've found online some retro
radio kits and it would be a lot of fun in trying to encrypt using sounds
from that.  It gives me that warm lovely feeling when I'm trying to create
something new.

When you think about it it's also my responsibility. I didn't deserve any
of this - the internet, my laptop or all the information I could have never
afforded with my modest financial status. So, I have to give something back.


On Thu, Apr 14, 2016 at 6:34 AM, Joseph Gentle <me at josephg.com> wrote:

> Yeah this goes back to the old 'three types of crypto tokens':
> - What you know (a password)
> - What you have (an rsa token, or a phone with google authenticator)
> - What you are (fingerprint, retina scan)
> Any new crypto system essentially boils down to some combination of
> those things. If you're using a CD, you've invented a new kind of
> crypto token (what you have). If you're remembering which youtube
> video is your key, you're using a (pretty weak) password (what you
> know). Still very cool though, if you can play it and have an embedded
> device hear the recording. It'd also be very cool to have a little
> crypto token that plays what sounds like static, and then have your
> computer / phone / whatever unlock when it hears the 'right'
> static-sounding audio clip.
> The cool thing about audio (for me) would be doing voice
> fingerprinting. "My name is my passport. Verify me"
> https://www.youtube.com/watch?v=-zVgWpVXb64
> On Thu, Apr 14, 2016 at 11:11 AM, Justin King-Lacroix
> <justin.king-lacroix at cs.ox.ac.uk> wrote:
> >
> > On 10 April 2016 at 10:27, Mihai Ionut <c.ionutmihai1 at gmail.com> wrote:
> >>
> >> Hi, I am a 21 years old software engineer from Bucharest, Romania
> >> passionate about programming, robotics, cryptography and Artificial
> >> intelligence.
> >> For the past two months I've worked on a new encryption application
> based
> >> on sounds. It allows users to encrypt their files (AES) using an audio
> >> input.
> >
> >
> > There's a lot of coolness in this idea. You might want to read up on the
> use
> > of sound card inputs as sources of entropy for random number generators.
> >
> >>
> >> The users have three options : they can generate their own  WaveKey,
> they
> >> can use an exiting audio file (your favorite song from 1990's stored on
> a
> >> CD) or to use an online audio source - now I'm only focused on YouTube.
> You
> >> simply visit an YouTube video, select the time sequence, generate you
> >> WaveKey and encrypt your file. After that the key self-destructs.
> >
> >
> > While the idea isn't a bad one in principle, it means you now need to
> treat
> > the relevant YouTube link / song name with the same care as a
> cryptographic
> > key.
> > Also, YouTube knows your key.
> >
> >>
> >> Of course I've taken into account the obvious attacks - like the ones
> >> regarding recording when the users create their WaveKeys (I've worked
> on a
> >> custom printed circuit board with an integrated microphone and a small
> >> storage USB drive) or, in the case of the YouTube source your search
> history
> >> (We have Sandboxie and I'm pretty sure I can strike a deal with them).
> >
> >
> > What you haven't considered is that everyone on the network who can
> observe
> > your YouTube search history now potentially knows your key. Sandboxie
> only
> > prevents your browser from keeping its history on your hard disk; any
> traces
> > you leave on the network -- such as in YouTube's access logs (you weren't
> > logged in as yourself when you viewed it, right?) -- are, by nature, not
> > eraseable in this fashion.
> >
> > On the flip side, generating your own WaveKey also seems problematic: on
> the
> > one hand, you want to filter as much noise as possible out of the audio
> > coming into your application, so the key generation is repeatable ie you
> can
> > sing the same song into the same mic again on a different day and decrypt
> > your files. On the other, you're throwing away a lot of entropy that way,
> > potentially making it easier to just brute-force the key.
> >
> > If you solve this problem using a USB drive (or similar) connected to a
> > microphone to store the 'authoritative' copy of the recording, and reuse
> > that, we're now back to the usual key-management problem, only your key
> is
> > an unwieldy sound recording.
> >
> >
> > This idea is cool. However, I believe these issues need to be fixed or
> > mitigated before it can be put to practical use.
> >
> > </$0.02>
> >
> > J
> >
> >
> > _______________________________________________
> > Messaging mailing list
> > Messaging at moderncrypto.org
> > https://moderncrypto.org/mailman/listinfo/messaging
> >
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20160414/af6a37c9/attachment.html>

More information about the Messaging mailing list