Show posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - Xcott

1
Hi,

I disagree about AES:  the algorithm is actually very transparent and straightforward.  It wasn't designed by the NSA either, nor altered to introduce any weakness.

Also, for a one-time pad you can't send someone the key file encrypted using PGP. If you did that it would no longer be a one-time pad, or to be more specific it would no longer satisfy perfect secrecy.  It would instead be a theoretically breakable cipher with the same weakness as PGP.  For a one-time pad you must transfer the pad material over a channel guaranteed to be secure, no extra encryption allowed.

If I needed a pencil-and-paper cipher I probably wouldn't use a one-time pad, because while the algorithm is super-simple, the key management is horribly complicated, and the one-time pad provides terrible security if anyone is slightly bad at key discipline.  It's an example of a cipher that goes from perfect to awful with just a tiny addition of reality.
2
Hello all,

I teach cryptography at my university and my research area is information security, and I read this thread with great interest.

It is true that a one-time-pad, correctly used, is absolutely theoretically unbreakable.  It's also simple enough to perform by hand (no computers,) and you don't need to trust in the security of some algorithm or hardness of some unsolved problem.

On the other hand, you may notice that barely anyone uses it, despite its simplicity and perfect security, and despite it being well-known for about a century.  That's because of its one unavoidable logistical weakness:  the sender and receiver both need a copy of the key pad in advance, the pad must be at least as long as the message, and each bit of the pad must only ever be used once.

Taken together, that means that you need to make a giant wodge of random key data for all the potential traffic between you and the receiver, and you need to somehow get a copy of that key data to the receiver by a secure channel.  This raises an obvious half-joking question:  if I had a secure channel to hand off a huge amount of key data to the other guy, why not just use that opportunity to hand over the message?  The answer is that you may be able to give someone a DVD of key data today, and not be able to meet with them later, but the point is that we have a pretty onerous key requirement.

That also introduces a serious vulnerability due to the need for intense key discipline.  For example, consider someone who runs out of key symbols and decides to re-use an older part of the pad.  It's very easy for an adversary to catch this, and pull out the transmitted message, by comparing all the sent messages.  The USA actually used this trick to crack Soviet one-time-pad traffic (see the Venona Project for more information.)

In contrast, any other symmetric cipher (like AES) requires a short key that you can simply memorize if you are good at memorizing things.  An AES key is 128 bits; if you can memorize a passphrase of eight dictionary words, you can memorize an AES key, and you don't need to carry any volume of stuff that could present a liability.  Moreover, modern cryptography uses tricks to generate one-time secret keys on the fly, so that nobody needs to memorize any shared secrets at all.  However, none of those tricks can be used with a one-time pad, because of its very stringent key requirements.

Scott K2CAJ