[cryptography] Unbreakable crypto?

Jeffrey Goldberg jeffrey at goldmark.org
Sun Mar 22 10:36:40 EDT 2015


On 21 Mar 2015, at 22:24, Lee wrote:

> On 3/21/15, Jeffrey Goldberg <jeffrey at goldmark.org> wrote:

>> (1) the file isn't secret
>
> But the fact that I'm using it as my one-time pad is.  Why isn't that
> good enough?

As others have already answered, your key is "knowledge of which
publicly available file to use as the pad". But for a OTP to have
the security that an OTP offers the key must be a long as the message
itself. Your key is much shorter.

Just as with using a PRNG to generate a pad, you are using a short
key to generate/identify a long pad. Your system can be no more
secure than the size of your key. (The size of what must be kept
secret.) Remember, you aren't keeping the file secret; you are keeping
the name of the file secret. So it is a short key.

>> (2) the file isn't random.
>
> Right.  An ISO file is a bad choice - too many zeros & machine code
> isn't very random.  But what about something like an MP3, OGV or some
> other compressed file?

Again, no. If you want the security properties offered by an OTP,
the pad/key must be truly random. So if you need a pad that is
a million bytes (eight million bits) long, then the particular pad
you use must be no more likely than any other string of eight millions
bits.

>> I'm sorry to pick on you, but you've illustrated a point I tried to make
>> earlier. The OTP is a simple idea that is remarkably easy for people to
>> misunderstand.
>
> It doesn't feel like you're picking on me - I appreciate the feedback :)

Great.

A point I've been making is that the OTP (and other systems) are brittle.
By this I mean that if you don't follow the rules to letter you can end
up with a system that is extremely weak. A small variation on the protocol
can lead to catastrophic results.

Any simulation of a OTP that isn't a OTP itself will not have the security
properties of an OTP. And any simulation that is not designed very carefully
will end up being far weaker than the actual cryptographic systems we have
today.

So remember, one of the requirements of a OTP is that the key itself (the
stuff that you need to keep secret) must be as long as the message. When I
say that the key must be kept secret, I mean the key/pad itself. Not the 
identity of the key/pad.

Another property is that the key/pad must be truly random. Appearing random
is not enough. It must truly be random.

And yet a third requirement is that the pad never be reused.

Break any of those rules, and you not only no longer have a OTP,
but you probably have something that is easily broken.

There are good crypto systems in use which generate pseudo-random
pads from keys that are 128 (or 256) bits in length. But these are
– at best – no better than the length of their keys.

Cheers,

-j
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2728 bytes
Desc: S/MIME digital signature
URL: <http://lists.randombit.net/pipermail/cryptography/attachments/20150322/0f6b7310/attachment.p7s>


More information about the cryptography mailing list