In article , no-sales-spam@bassburglaralarms (Robert L Bass) writes: | > Ideally the system should use a zero | > knowledge proof... | | I don't get your meaning. Please elaborate.
In the abstract, a zero knowledge proof allows you to prove that you know a secret without disclosing that secret or even any (much) information that would allow someone else to appear to know the secret. There are various well-understood ways to accomplish this. It really doesn't matter which one you use (well, as long as it isn't one that has been shown to be flawed). Google the term if you want the underlying details of some of the algorithms.
| > Rolling codes are a clever hack to get | > some security in a one-way environment, but | > there is really no need to resort to them here. | | They add another layer in front of the would-be | hacker.
A zero knowledge proof provides a superset of their functionality.
| > | True but it's actually simpler than that. Since | > | the range is limited, any received transmission | > | of the same protocol could be treated as an | > | attempt. | >
| > This still leaves you open to denial of service | > attacks. Not a big problem now, you may say | > (as likely thought the developers of tcp/ip about | > SYN floods), but why set yourself up for trouble | > if you don't have to?... | | Agreed. There's always a compromise between | security and convenience.
There is no need to compromise in this case.
| The safer we make the | system from hacking the easier it becomes for | someone to hassle us.
No, a properly implemented zero knowledge proof system makes it both harder to hack the system and harder to hassle us. Again, this technology is well understood and used--at least where the purveyors consider real security important. As an example, the smart cards used to authorize satellite television decoder boxes have used a zero knowledge proof handshake since their inception. (In case you are concerned about computing power, available RFID cpus these days are more powerful than smart cards were back then.)
Now of course, the same companies (more or less) that recognize the critical need to prevent satellite signal piracy with appropriate crypto will tell you that residential alarm/access control can get by with the simplest fixed code systems. You can decide for yourself whether they have consumers' best interests at heart.
Dan Lanciani ddl@danlan.*com