TRUSTLEAP® The Need For Certainty

Mathematically-Proven Unbreakable Security

www.trustleap.com

This document is intended to help people understand the TrustLeap technology. A cryptographic oracle is available under a proper NDA to selected partners, as is further information regarding the internals of TWD Industries AG's technology. With the oracle, users choose and submit the plaintext (a classic English book in ASCII and a sentence that they type), an encryption key, and the standard encryption algorithm to secure, such as AES or RC4. They get back the ciphertext with the sentence injected at a random position, which they must guess to demonstrate that their plaintext attack is successful.

TrustLeap 2 | Copyright © 2013, TWD Industries AG. All rights reserved.

I. Definition, Promotion, Reality

The Oxford Dictionary

Encryption: to convert (information or data) into a code, especially to prevent unauthorized access.

Origin: 1950s (in the US), from English 'in' and Greek kruptos 'hidden'.

Promotion

“no one ever lost money to an attack on a properly designed [standard] cryptosystem” – Peter Gutmann

Reality

2007 – RC4 / WEP 802.11 wireless standard

Used to Steal 45 Million Credit-Card Numbers

Legal Costs: $40,900,000

Reality

2010 – A5-1 / GSM Phones wireless standard

Spy, Trace and Impersonate Billions of Mobile Phone Users.

– Karsten Nohl

Reality

2011 – GPRS / Web - Mail wireless standard

Spy, Trace and Impersonate Billions of Mobile Phone Users.

– Karsten Nohl

Reality

2013 – 3DES / SIM Card Javacard standard

Steal data, Spy, Trace and Impersonate Billions of Mobile Phone Users.

– Karsten Nohl

Reality

2013 – Design of $1.5 trillion F-35 Stolen From ...Pentagon

Reality

2013 – 96-bit secret key RFID car transponder

Steal VW, Audi, Bentley, Lamborghini & Porsche cars as Megamos Crypto is broken.

– Flavio Garcia

Reality

2013 – Switzerland e-VOTE Forgery

They have known since 2002 what they do wrong... but 2012 audits still certify a flawed system.

– advtools.com

Reality

Standard Encryption Is Broken, Routinely.

But Experts Keep Saying:

“It's Very Safe”

Promotion

“Cryptosystem failure is orders of magnitude below any other risk.” – Peter Gutmann

Reality

2012 – X.509 Certificates

“the has been signed by forged PKI certificates to appear as if it was produced by... Microsoft.”

Reality

The FLAME Malware

Active Since Year 2000 (!)

Exploiting Hashing Collisions

Breaking “Trusted” PKI Standard

Promotion

“SSL Authenticate-then-encrypt is Provably-Secure.” – Hugo Krawczyk

Reality

SSL & TLS standards

2011 “BEAST exploits CBC IVs”

2012 “CRIME exploits compression”

2013 “LUCKY13 exploits decryption”

Promotion

“AES 256-bit Is Safe Even For TOP-SECRET Information.” – U.S. Government

Reality

2011 - AES standard

“AES Broken 5x Faster Than By Brute Force; Cause: Small Key Space.” – Andrey Bogdanov

Reality

2012 - AES standard

“OpenSSL Uses AES Tables For Speed, Leaking Many Key Bits” – Fraunhofer Research

Promotion

“It Would Take Millions Of Years To Break Standard Encryption.”

Reality

2012 – RSA SecurID

“It Takes 13 Minutes To Extract A Secret Key From AES-based RSA SecurID 800 Dongles” – INRIA

II. Discussion

The Myth of “Strong” Security

There Is No Such Thing As:

● “Strong Authentication”

● “Strong Encryption”

● “Strong Security”

> Crypto Is Either SAFE or UNSAFE.

Why Standards Fail?

Encryption Keys Are Generated By:

● PSEUDO-RANDOM Number Generators

● OSes Do It Wrong (a recurring issue)

● Developers Told To Trust OSes or CPUs.

> Crypto Keys Are Known In Advance.

Why Standards Fail?

File Formats & Network Protocols Use:

● “Magic Words” In File Headers, Protocols (“PDF%”, “%PNG”, “HTTP/1.1”, etc.)

● Padding (often NULL bytes)

> Leading To Known Plaintext Attacks.

Why Standards Fail?

AES(input, key) < 2^256 (AES < Key Space)

AES(iv, key) = System of Equations

AES(i_n, key) = AES(AES(i_(n-1), key), key)

2 AES BLOCKS ENOUGH TO FIND KEY

> ARITHMETIC, NOT “RANDOM” data.

Why Standards Fail?

Design: Standards Are Trying To Hide The Wood With A Single Tree:

YOUR DEAR “Safe” KEY DATA

Claude Shannon's “Information Theory” Defined The Rules In The 1940s:

[Figure: a field of binary digits with the captions “I CAN SEE YOU!” and “YOUR DEAR “Safe” KEY DATA”]

What's The Problem?

The “Information Theory” Says “Either Perfect Secrecy OR Convenience”:

True Random Encryption Keys Applied On Data Larger Than The Key Leak Key Patterns That Can Be Spotted & Used To Recover The “Secret” Key.

Solutions?

1. Use The One-Time Pad; Keys Must Be:
(a) Random & Unique,
(b) As Long As Data,
(c) Safely Exchanged Before Encryption.

Provably Safe If Safe Random Source & Key Exchange & No Key Reuse: Not Convenient.
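The one-time pad rules above, and the earlier point that known “magic words” lead to known-plaintext attacks, can be seen together in a short added example. It is not TrustLeap code: the class, the function names and the two sample messages are constructed for illustration, and the OS CSPRNG stands in for a true random source.

```python
import secrets

def xor(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))

class OneTimePad:
    """Hypothetical helper that enforces rules (a) and (b) for one message."""

    def __init__(self, length: int):
        # Assumption: the OS CSPRNG stands in for a true random source.
        self._key = secrets.token_bytes(length)
        self._used = False

    def encrypt(self, plaintext: bytes) -> bytes:
        if self._used:
            raise ValueError("rule (a): this pad was already used once")
        if len(plaintext) != len(self._key):
            raise ValueError("rule (b): the key must be as long as the data")
        self._used = True
        return xor(plaintext, self._key)

    def decrypt(self, ciphertext: bytes) -> bytes:
        # Rule (c) is assumed: the receiver got the key safely beforehand.
        return xor(ciphertext, self._key)

def leaked_by_reuse(c1: bytes, c2: bytes, known_header: bytes) -> bytes:
    """Bytes of message 2 exposed when one key encrypted both messages
    and message 1 begins with a known header ("magic word")."""
    n = len(known_header)
    key_bytes = xor(c1[:n], known_header)  # known plaintext gives key bytes
    return xor(c2[:n], key_bytes)          # the same key bytes open message 2

# Constructed sample messages of equal length (17 bytes each).
MSG1 = b"HTTP/1.1 200 OK\r\n"
MSG2 = b"wire 500 to acct9"

def reuse_demo() -> bytes:
    """Encrypt both samples under ONE key (the mistake) and show the leak."""
    key = secrets.token_bytes(len(MSG1))
    return leaked_by_reuse(xor(MSG1, key), xor(MSG2, key), b"HTTP/1.1")

if __name__ == "__main__":
    pad = OneTimePad(len(MSG1))
    assert pad.decrypt(pad.encrypt(MSG1)) == MSG1
    print(reuse_demo())
```

The leak does not depend on the key value: any reused pad gives the same result, which is why the class refuses a second `encrypt` call.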

Solutions?

2. Use A Very Strictly Defined Grammar
(a) Does Not Suit All Uses
(b) Requires High Crypto Skills
(c) Any Usage Error Implies Failure.

Can Be Made Provably Safe If Properly Done & Used, But Not General-Purpose.

Solutions?

3. Use Provably-Safe Mathematical Rules To Remove All Exploitable Key Leaks From Encryption Standard Ciphertexts (Making AES And Others Provably Safe).

Provably SAFE & CONVENIENT. Getting The Best Of Both Worlds!

III. The Solution

TrustLeap

Game-Changing:

- Delivers Provably-Safe Certainty
- Reduces Surface Of Vulnerability

Secure By-Design

HOW:

Mathematically-Proven: Its Design Does Not Expose Leaked Key Patterns In Encrypted Data.

Secure Forever

WHY:

Without Correlations To Spot In Encrypted Data There Is Nothing To Target & Break.

Ubiquity

WHERE:

A Low Overhead Makes It Suitable For All Uses (Servers, Phones, Embedded).

Convenient

WHY:

Security Becomes Independent From Chosen Key Length And Involved Encryption Algorithm.

Desirable Side Effects

WHERE:

By Restricting Access To Known Users It Excludes All External Threats, Reducing The Surface Of Vulnerability.

IV. Adoption

Political Obstacles?

Consensus Easy To Obtain:

● Plug & Play, Securing AES, DES...

● Visible Indisputable Benefits

● 70-Year-Old Established Theory

● Affordable Licensing Terms

V. Frequently Asked Questions

Quantum Computers

Quantum Computers (used by the NSA since 1990) instantly find the results of algorithms without having to run them. This is the death of security based on computational hardness. Only Mathematically-Proven TrustLeap Encryption can resist Quantum Computers (as there is nothing left to exploit) and can be said to be “provably unbreakable”.

Quantum Encryption

Quantum Encryption is based on PHYSICS rather than MATHS. Its security depends on the lack of KNOWN Principles of PHYSICS able to break it. This “security” will NEVER BE PROVEN: we learn more about PHYSICS every day. So, unlike Mathematically-Proven TrustLeap, Quantum Encryption can never be said to be “provably unbreakable”.

Intrusion Detection Systems

Application Firewalls and other security filters attempt to block abusers. They can only block AFTER an attack is detected, and their detection rules are updated AFTER a new attack signature is built and broadcast. With TRUSTLEAP, only authenticated users can interact with your server applications: you know whom to block, and where to find offenders.

VI. Conclusions

Unbreakable Security

● Future-Proof (i.e. QUANTUM Computers)

● Mathematically Proven (Can Be Trusted By All)

● Independent From Computing Power Used To Break It

● No More Need To Enlarge Encryption Keys

● No More Need To Change Encryption Algorithms

● Also Unbreakable Two & Three-Factor Authentication

● No Central Key Repository Needed (But Can Be Used)

● Mobiles / Embedded: Very Low CPU / RAM Overhead

The Value Of Trust Applications

● Corporate Asset Protection (Patents, Talks, Databases)

● Public Asset Protection (e-Votes, Medical Records, Legal)

● International Negotiations (United Nations, Contracts)

● Transaction / Archiving Certifications (Indisputable)

● Defense (Impenetrable Communications, Drones, etc.)

● Chips Would Be Ideally Used (Tampering, I.P. Protection)

● Legitimacy to Impose A Licensing Monopoly (Exclusivity)

Trust Starts With Identity

● Email (Data Protection, Negotiations, Board Talks)

● Routers / Firewalls (How Safe Are Barriers If Broken?)

● Transactions (Trading, Contracts, Non-Repudiation)

● Storage (Confidentiality, Tamper-Proof, Full-Control)

● Defence (Remote Presence / Control, Chain Of Orders)

● I.P. Rights (What Is A Proof Worth If It Can Be Spoofed?)

● Legal (Customers / Lawyers / Regulators Security Chain)

Availability: TrustLeap Multipass

VII. Questions? …

TrustLeap is the Security Division of TWD Industries AG, a Swiss Company.

twd-industries.com

Contact TrustLeap [email protected]


TrustLeap

Worldwide Corporate HQ

TrustLeap Paradiesli 17 CH-8842 Unteriberg SZ Switzerland

Phone +41 (0)55 414 20 93 Fax +41 (0)55 414 20 67

Email [email protected]

www.trustleap.com

About TrustLeap

TrustLeap, the security division of TWD Industries AG, protects digital assets with cryptanalytically unbreakable technology (safe against unlimited computing power: it is proven mathematically that no key leaks can be exploited). The TrustLeap secure platform leverages enterprise, cloud, networking, digital media and financial services in global strategic markets.

TrustLeap lets partners and users form dynamic ecosystems where duly accredited strangers can safely trust each other. Establishing widespread trust enables organizations to secure their infrastructure, raise the value of their offers and safely market their digital assets.
