“How do you go from a naturally random source to digital?”

pretty much the same way you measure anything in nature…

“And if your “source sample of randomness” is compromised?”

compromised how? compromised in the sense that other people have access to it? you’re in worse shape if other people have access to the sample than if they have access to the source, generally, but obviously neither are ideal and physical access controls are needed to prevent this kind of thing from occurring…

“In the end encryption != security”

of course not… encryption is just a logical access control… logical access controls without physical access controls (ie. keeping the secret, encrypted or not, out of the enemy’s hands) are clearly not secure enough on their own (at least not when you’re talking about the kinds of secrets the government or military keeps)…

brute force is still not the weak point of the logical access control for modern ciphers, though… i’m not disagreeing with your conclusion, just one step of how you got there…

In the end encryption != security, and is not a durable safeguard for ITAR-controlled information. This is important because companies have been planning and adopting risk mitigation strategies around laptop encryption as their savior. Might work for SOX, but not ITAR.

??? you don’t have to create a prng that does that… you sample a truely random source at a time when it’s convenient and record the sampled data for use at some other time when it’s convenient to use it… there’s no need to reproduce the randomness itself…

“Under the ITAR, encrypting sensitive, controlled information is not enough for compliance”

indeed, but not because of susceptibility to brute force cracking… rather, because the enemy almost certainly has ways of extracting the data that are easier than computational brute force… logical access controls don’t count for much without physical access controls…

Anyways, this topic of discussion isn’t so much related to my blog post. Under the ITAR, encrypting sensitive, controlled information is not enough for compliance. Ahh! the c-word! If a foreign national is given access to encrypted ITAR-controlled information without a license, an export has been committed illegaly. No ifs, ands, or buts!

otp (one time pad) is uncrackable if used properly (ie. the ‘one time’ in one time pad is very, very important)…

“Every crypto algorithm that I know of has been cracked, or would just take a long time to crack given the computing power an attacker is likely to have.”

if by long time you mean the age of the universe then sure… brute forcing a 256 bit key is theoretically possible but practically infeasible…

@landon lewis:
“Random can not be recreated.”

no but it can be sampled from natural systems known to behave in a random way, then recorded and shared between 2 parties for use as key material…

“There are many cases where OTP’s are reused which makes them perfectly breakable.”

but they were only breakable because they were misused (reused)…

“Afterall as you said the purpose is to create something strong enough to out live the lifetime of the data’s usefulness…”

and barring cryptographic breakthroughs that render aes (for example) broken, a secret encrypted with aes using a 256 bit key should out live not only it’s usefulness but everyone alive today as well…

of course cryptographic breakthroughs are a possibility too, but that’s unrelated to brute force attacks that would require ‘enough computing power and time’…

??, no - there are definitely cryptosystems for which cracking is impossible (ex. otp) and many more for which it’s infeasible well beyond the lifetime of the data’s usefulness…

however, in the context of government or military secrets, rubber-hose cryptography is definitely something that needs to be considered and encrypting data certainly doesn’t do anything in itself to diminish that threat…