Home page logo

basics logo Security Basics mailing list archives

Re: One-Time Pad software?
From: profeten <profeten () gmail com>
Date: Fri, 02 Feb 2007 20:11:00 +0100

FocusHacks wrote:
> I am looking for software implementations of one-time pad encryption.
> Ideally, these would be cross platform, and command line open-source
> would be even better.

I have only found pseudo-one-time-pad software (like otp4u: http://it.geocities.com/teutoburgo/java/otp4u.html) which compromises the perfect secrecy property by making the key exchange more practical. However, writing such a tool yourself ought to be trivial.

FocusHacks wrote:
Optionally, it would be nice if it had the ability to use multiple "pages" (blocks, files, whatever) of a pad when the file in question is larger than one piece of the pad. For instance, if your "pad" consisisted of many 20k binary files full of pseudo-random data, and you wished to encrypt a 3 megabyte file, it would use as many sequential pad files as needed, as opposed to "looping" one of the
pad files to meet the demand.

Any reasonable implementation of a one-time pad crypto would enforce
this "optional" feature, i.e. NEVER use the same pad twice (especially
not within the same cryptogram!). After all, there is a reason why it's
called a ONE-TIME pad. Reusing the key pads (or "looping" them) breaks
the crypto and makes crypto analysis a breeze.

For example, an analyst could generate a 20K (or whatever he suspect the
size of the reused key pad to be) repetition of a single sequence of
letters likely to be in the plain-text, like the english (if english
plain-text is suspected) word "that", i.e. "thatthatthatthat...". This
is the currently guessed plain-text. Then he could used the guessed
plain-text and the first 20K of the known cryptogram to generate the
currently guessed key. Then he decrypts the rest of the crypto-text (which he assumes have been encrypted with the same key as the first 20K block the key was generated from) with this guessed key, which probably will generate a lot of rubbish as plain-text, but there might be some readable sequences here and there. These are then assumed to coincide with some of the correctly guessed "that":s in the guessed plain-text and correct parts of the guessed key.

This is then reapeated three more times so "that" has taken every
possible position in the first 20K of the cryptogram by displacing it
one character to the right each time, i.e. using the following guessed
plain-texts: "_thatthat...", "__thatthat..." and "___thatthat...". Of
course, this will generate some false positives when the guessed keys
seem to decrypt into some readable sequences but only does so by chance.
However, if reapeted with more common words (like "was", "and", "you"
etc), and if the readable sequences gained by using the guessed keys are
expanded through analysis of their context (e.g. if the guessed key
generates "g2DryptogaI4lAv" from some part of the cryptogram he can
guess that the real plain-text is "g2cryptogramlAv" or "g2cryptographyv"
etc) such faults will be detected as well as more parts of the real key
and real plain-text are being approximated.

Never reuse your one time pads!

PS. There are algorithms that reuse the key pads by mixing them with the
crytptext in arcane ways and still retaining strong protection against
the above described crypto analysis. However, these algoritms does not
keep the rather nice perfect secrecy property of properly used one-time
pads. One might just as well use AES, twofish, RSA or any other decent
crypto instead.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]