Bitcoin Forum
Topic: Keyless encryption and passwordless authentication (Read 2840 times)
Voland.V (OP)
May 02, 2020, 06:05:10 PM
 #61

The point of authentication without a password is not that you can't use your password, but that your password can't be used by anyone other than yourself, except the account owner.
With regular password authentication, when your password has fallen into the hands of a fraudster, you are lost. And it's good if you find out about it.
With passwordless authentication, if someone steals your password, they can't use it! And moreover, such an attempt will surely become known to you (if there is such a service).
In passwordless authentication, a fraudster needs to steal not only your password, but your entire device. And the loss of the device - a normal person will notice immediately. But the loss of the password - will not notice, because this information.
Fraudsters take advantage of the fact that you know nothing, that they have the password. If you knew that, you would take urgent action.
For this reason, passwordless authentication will make the fraudster's life as difficult as it can even be done. 
Voland.V (OP)
June 07, 2020, 09:30:15 AM
Merited by vapourminer (1)
 #62

Today hackers don't crack, they don't look for hard decisions, they just log in with a password. This phrase, which is often repeated by cybersecurity experts, describes a real pattern: most hackings are due to stealing passwords, not malware. That's it, it turned out to be just...
This is a direct consequence of outdated key and/or password authentication technologies that are based on unique client identifiers fixed on the server, including biometric constant identifiers.
So what is the point of existing complex cryptographic solutions, even of new post-quantum cryptography, if the key or password basis of these technologies is always attacked? This is an old rudimentary loophole for swindlers, which is never closed at the fundamental level of protection systems functioning. 
The conclusion is unequivocal. What can work reliably for one well-organized, attentive and accurate person does not work very well, or rather does not work properly at all, for an average user. Even worse, it works for large groups of people connected by the same security system, where a single member's vulnerability compromises the entire security system. This is the case when a correct, reliable, good theory of protection does not go well with modern practice, with the observed pattern of cybercrime, with the realities of our lives. 
Voland.V (OP)
August 08, 2020, 01:50:42 PM
 #63

Keyless encryption technology, in essence, has a strict and clear theoretical rationale.
So... Any key system (for simplicity let's talk about symmetric encryption systems) uses the key to select one encryption scheme from a variety of possible ones. One key is one scheme. The same public message is the same cipher code. This is exactly the point that has been changed in the keyless encryption model.
Specifically, that's it.
You select the size of the message to be encrypted in one encryption scheme, one of many possible in the system. For example, the message size is 256 bits. A priori, this is the message size that you would not fear even a brute force attack, even a quantum computer. This is a known fact, so we chose the size of the first message that was encrypted with the first encryption scheme.
Next. The second message is encrypted with a new encryption scheme that is unknown to the outside observer. And so on. Each new message... is encrypted with a completely new encryption scheme.
What does an external observer need to know in order to calculate a new encryption scheme following the previous one?
In addition to the key that was used to encrypt the first 256-bit message, he needs to know all the public texts of all messages up to the last one, to have all the ciphers of all messages without a single error (even a 1-bit error is not allowed), to know the exact sequence of all messages and their cipher codes and much more.
Look at the differences. In a key system, you don't need to know anything but the key.
Isn't this a fundamentally different solution to key information security problems? Doesn't it have some fundamental theoretical contradictions or obstacles?
It's an interesting discussion on this subject.
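The chaining described in the post above (each 256-bit packet handled under a scheme that depends on a starting secret and on every earlier plaintext and ciphertext) can be sketched with standard primitives. This is an added example, not the poster's KE technology, which the thread does not specify; the HMAC-SHA256 ratchet, the names `TranscriptRatchet`, `send_all` and `receive_all`, and the sample seed and packets are assumptions constructed for illustration, not a vetted cipher.

```python
import hashlib
import hmac

BLOCK = 32  # 256-bit packets, the size used in the post


def _derive(state: bytes, label: bytes) -> bytes:
    """HMAC-SHA256 keyed by the current state."""
    return hmac.new(state, label, hashlib.sha256).digest()


class TranscriptRatchet:
    """Toy construction: each packet gets a fresh pad chosen by the seed
    and by every earlier plaintext and ciphertext, in order."""

    def __init__(self, seed: bytes):
        self.state = hashlib.sha256(b"init" + seed).digest()

    def _process(self, data: bytes, encrypting: bool) -> bytes:
        if len(data) != BLOCK:
            raise ValueError("packet must be exactly 256 bits")
        pad = _derive(self.state, b"pad")
        out = bytes(a ^ b for a, b in zip(data, pad))
        plaintext, ciphertext = (data, out) if encrypting else (out, data)
        # Ratchet: the next state absorbs this packet's plaintext and ciphertext.
        self.state = _derive(self.state, b"next" + plaintext + ciphertext)
        return out

    def encrypt(self, plaintext: bytes) -> bytes:
        return self._process(plaintext, True)

    def decrypt(self, ciphertext: bytes) -> bytes:
        return self._process(ciphertext, False)


def send_all(seed: bytes, packets: list) -> list:
    ratchet = TranscriptRatchet(seed)
    return [ratchet.encrypt(p) for p in packets]


def receive_all(seed: bytes, ciphertexts: list) -> list:
    ratchet = TranscriptRatchet(seed)
    return [ratchet.decrypt(c) for c in ciphertexts]


# Constructed sample data: the same 256-bit packet sent three times.
SEED = b"constructed-shared-seed"
PACKETS = [b"A" * BLOCK] * 3

if __name__ == "__main__":
    wire = send_all(SEED, PACKETS)
    print("distinct ciphertexts:", len(set(wire)) == 3)
    print("receiver in sync:", receive_all(SEED, wire) == PACKETS)
    flipped = [bytes([wire[0][0] ^ 1]) + wire[0][1:]] + wire[1:]
    print("later packets survive a 1-bit error:", receive_all(SEED, flipped)[1:] == PACKETS[1:])
```

In this sketch the receiver needs only the seed and the ciphertexts in exact order, so the seed has to be protected exactly as a key would be, and a single flipped bit desynchronises every later packet until both sides re-establish state.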
Voland.V (OP)
August 13, 2020, 06:43:58 AM
 #64

All modern cryptography is built on the same principle: the encryption scheme is defined by the key. And even if the cryptography itself is "conditionally reliable" or absolutely reliable (Vernam's ciphers), the fact of having a key will always be a natural vulnerability, which will be actively exploited by fraudsters in the first place. It is this vulnerability factor that instantly, irrevocably, completely levels out and weakens to zero any most reliable cryptographic system. Moreover, it has fatal consequences if the fact of compromising key information remains a mystery to the attacker. For this reason, all new post-quantum encryption systems, any key encryption technology, all the latest security systems of tomorrow will be no exception.
Any security system, a security protocol based on cryptography with a mandatory key function, will be attacked first, through the encryption keys, through its weakest point.
Voland.V (OP)
August 14, 2020, 06:29:29 AM
 #65

Is this method so safe? For some reason, I'm not sure.
--------------------------
In a keyless system that does not have a key, but has a continuously changing set of encryption schemes, it is necessary to perform exactly the same task for absolutely every data packet with a volume of 256 bits.
Why?
Because for any and every 256-bit message, one unique encryption scheme is used (in fact, this is a unique set of encryption schemes and rules).

Consider attack resistance.
First. If the message contains only 10 data packets of 256 bits each, this is 10 times 2256 bits of information, then a brute force attack will have to be carried out absolutely on each data packet.
Mathematically, this means that with respect to the key encryption model, the task becomes more complicated as many times as there are data packets (256 bits each) a message contains.
Second. In contrast to the key encryption model, in a keyless system, the hypothetical positive result of a successful brute-force attack of any number of data packets (256 bits each) does not help to solve the problem of decrypting other data packets that make up this message.
Third. Thus, a rough search will have to be done for each data packet from the available set. If G is the minimum number of data packets, adding up which it is possible to unambiguously understand the open message, then the exhaustive search problem will look like this: it will be necessary to check 2 to the power (G * 256) options. The possibility of attacking such numbers needs no comment, it is utopia by definition for any high technological level of attackers.
 Fourth. Any model of keyless encryption, technologically, must have the function of "encryption of silence", which simulates the exchange of cipher codes of open messages in this closed communication channel. If this function is there, therefore, you can use it as many times as necessary. This means that the number of packets that must be simultaneously decoded to understand an open message can be any large, regardless of the minimum size of the open message itself. How to solve the problem of breaking a cipher with such an additional condition? I can not imagine.
Voland.V (OP)
December 11, 2020, 09:26:52 PM
 #66

Technological part.
Steamless symmetric encryption technology is based on the method of very fast change of encryption schemes, which are determined only in very short moments and are absolutely unpredictable for an external observer-analyst. The lack of the ability to attack the person in the middle (MITM) prevents key or password information from being compromised by users.
To fully implement the principle of fast change of encryption schemes, a vector-geometric encoding technology was developed based on fast and continuous change of virtual geometric space in a continuum with virtual internal time.
Such cipher code is reasonably resistant to cryptanalysis, brute force attack, especially given the rapid emergence of quantum computers. The keyless cipher code is absolutely resistant to Chosen-plaintext attack (CPA) attacks based on comparing the selected open text with the cipher code, without the possibility of violating the integrity of the open message, hidden modification, even at the level of one bit of information, and special (attack), and "noise" origin.
Instant and continuous verification of any volume of transmitted (or received) information.
  A channel watcher has no possibility to know:
 1) who transmitted (or received from whom) the information;
 2) how much information is transmitted and/or received at all or per session;
 3) whether there was any information exchange between users at all;
 4) all pauses of the "silence" moments of the interlocutors, of any duration, are filled with fake data, which are encoded in the same way as an open message.
gmaxwell
December 11, 2020, 10:55:13 PM
 #67

Gibberish thread. I wonder what scam it's peddling on the backend?
Voland.V (OP)
December 11, 2020, 11:21:44 PM
 #68

Quote from gmaxwell: Gibberish thread. I wonder what scam it's peddling on the backend?
It's the scam of the century. It's happening now. It's called encrypt your secrets with good cryptography, and we'll just steal your key. So statistics show that whoever has a key to keep for a long time is a profane.
Today we are all profane.
And for us, for the profane, there is gibberish, like security in cyberspace, which does not yet exist.
And then there's gibberish for those who look at things superficially.
Everyone has a choice.
The con is where one writes for the sake of writing and being a legendary and untalented writer on the forum.
And if there is a desire to think freely, to think, for the sake of interest and not just to write, then I will write the following for those.
The key is what opens the lock. If the lock is not changed for a long time, the key can be picked. Therefore, if the lock is not changed for a long time, the key should be as sophisticated as possible. If you change the lock sometimes, there will be less time to pick the key. And if the lock is changed very often, the complexity of the key will cease to matter and there will be no time to pick the key. And if you change it even more often... then you can refuse the pair lock-key at all, it is enough to change, to know the direction of opening of this door. For example, the door to yourself is "1", the door from yourself - "0". Imagine that we need to guess 256 openings and never make a mistake. We can only try once, there is no time for a second attempt. The gambler will say - you can try. The analyst will say - there is no point in trying, it is the same as guessing a key that is 256 bits long. It is not possible to guess, because this problem cannot be solved, even by a complete search, in polynomial time, not only with modern computing power, even those that can be predicted in the future. And in our example, there is no time at all, let us say conventionally, one second and only one attempt. These explanations are given to understand the level of complexity of the problem, and hence the reliability of encryption in such a concept.
Voland.V (OP)
December 26, 2020, 07:08:44 AM
 #69

Quote from gmaxwell: Gibberish thread. I wonder what scam it's peddling on the backend?
Yeah, that's a lot of gibberish... The old concept keeps crumbling like sand...
Here's a recent gibberish: Developers of popular Android apps forgot to fix a dangerous vulnerability...
This year, Oversecured security researchers discovered a serious vulnerability (CVE-2020-8913) in the Play Core library, which allowed malware installed on users' devices to inject rogue code into other apps and steal sensitive data such as passwords, photos, 2FA codes and more.  Nothing about the topic of password-based security - doesn't that help your thinking go into a groove?
According to a scan conducted by Check Point, six months after the Play Core update was released, 13% of all apps on the Google Play Store were still using the library, and only 5% were using the updated (secure) version. Among the apps with the highest number of users who failed to update the library, Check Point identified:
- Microsoft Edge, Grindr, OKCupid, Cisco Teams, Viber and Booking.com.

You don't happen to have products from these companies. I mean on the devices you use when you work with cryptocurrency?
Voland.V (OP)
January 06, 2021, 12:33:04 PM
 #70

Is this method so safe? For some reason, I'm not sure.
--------------
Information security systems are based on rules, technologies, security protocols, and cryptography. The core of information security systems is cryptography. All modern symmetric cryptography is built on the same principle: the encryption scheme is determined by the key. And even if the cryptography itself is "conditionally secure" or absolutely secure (absolutely strong Vernam ciphers), the fact of having a key will always be a natural vulnerability in any security system. First of all, attacks will be aimed at keys (passwords), the "human factor" will be exploited most successfully.
It is this factor that instantly and irrevocably weakens to zero any most secure cryptographic system and consequently the security system in general. There will be fatal consequences if the fact of compromising key or password information remains a secret to the attacker for a long time. The same danger will be acute for any new cryptography that will exist in the era of quantum computers, for any newest cyber defense system of tomorrow.
Voland.V (OP)
September 17, 2021, 02:09:14 PM
 #71

Passwordless authentication?
Okay, so what do you think would be used instead of a password?
Fingerprint?
Face lock?
Voice recognition?
The authenticator by Google?
----
Except the last one, I do believe each and every one of them comes with a fault. Come on, one can actually do something to a person to connect with the device... Unfortunately, us traders hold most in our mobile phones, and I do think not just passwords, but everything at once; all the things that I listed are not enough too. You can never be more secure.
=================
The fact is that the issues of encryption of information are more or less well resolved.
Few people want to use uncertified encryption technologies (such as ours, KE), but the issue of passwordless
authentication is well unsolved.

It is especially relevant for banks, for their security systems.

The problem of phishing in the usual password authentication is not very well solved,
e.g. by increasing authentication factors (biometrics, SMS, temporary
valid codes, etc.), two- and even three-factor authentication systems.
All these technologies are only modification of authentication by stable factors,
assigned to this or that client.

No really working password-free authentication.
And yet, billions have already been invested in this topic by the world's leading corporations.

Therefore, it is necessary to clearly define what to call what.
Let's make such a definition:

If in this closed channel of communication (SCC) is observed:
- a rapidly changing, strictly deterministic, known only to the members of that VCS - digital factor for authentication;
- any and each authentication factor is used only once;
- any and each authentication factor is not generated in advance, is not transmitted through third-party channels (local), and does not require storage;
- authentication occurs continuously, does not stop the whole communication session, a priori for each data packet, in both directions;
- any and every authentication factor is not derived from any other authentication factor or from any set of them;
- the fast changeability of any authentication factor is in no way related to physical time and has no stable generation function;
- generation of any authentication factors does not require the user to create, store, use any password information,   
then such method of authentication, within the framework of this technology, will be called password-free authentication.
