One-time pad: Difference between revisions

From Citizendium
Jump to navigation Jump to search
imported>Sandy Harris
imported>Howard C. Berkowitz
(snapshot save)
Line 1: Line 1:
{{subpages}}
{{subpages}}


A '''one-time pad''' (often abbreviated OTP) is a [[cipher]] system in which the [[key (cryptology)|key]], i.e. the secret used to encrypt and decrypt messages, is a long sequence of random values, each one of which is only ever used ''once'', and only to encrypt ''one'' particular letter or word.
A '''one-time pad''' (often abbreviated OTP) is a [[cipher]] system in which the [[key (cryptology)|key]], i.e. the secret used to encrypt and decrypt messages, is a long sequence of random values, each one of which is only ever used ''once'', and only to encrypt ''one'' particular letter or word. In practice, this means that the volume of key must be equal to that of all traffic to be sent or received, which make its use logistically impractical.
 
It is the only cipher that is provably unbreakable, if the adversary does not have a copy of the key. <ref name=ShannonSec>{{citation
| title = Communication Theory of Secrecy Systems
| first = Claude E. | last = Shannon
| url = http://netlab.cs.ucla.edu/wiki/files/shannon1949.pdf}}</ref>


The name is derived from the first [[cryptosystem]]s which used this approach, code systems which used pads containing pages of printed [[random number]]s used as [[additive]]s; each page was used only once, after which it was discarded.
The name is derived from the first [[cryptosystem]]s which used this approach, code systems which used pads containing pages of printed [[random number]]s used as [[additive]]s; each page was used only once, after which it was discarded.


==Technical details==
==Implementation==


More technically, it is a cipher in which the key is:
It is a cipher in which the key is:


* at least as long as the total set of messages to be enciphered
* at least as long as the total set of messages to be enciphered
Line 13: Line 18:
* never re-used
* never re-used


Given those three conditions, it can easily be proved that the cipher is perfectly secure, in the sense that an attacker with intercepted message in hand has no better chance of guessing the message than an attacker who has not intercepted the message and only knows the message length. No such proof exists for any other cipher.
Given those three conditions, it can proven that the cipher is perfectly secure, in the sense that an attacker with intercepted message in hand has no better chance of guessing the message than an attacker who has not intercepted the message and only knows the message length. No such proof exists for any other cipher.


There are, however, several problems with this perfect cipher.
While cryptographic security is established, one-time pads tend to be usable, for practical and technical reason, in only small niches of encryption.  


First, it is impractical for applications involving appreciable amounts of traffic. Due to the sheer size of the keys, key management is at best difficult, often completely impossible. While it would be useless for the headquarters of an army, it has been entirely practical for espionage traffic that is of small volume.
First, it is impractical for applications involving appreciable amounts of traffic. There must be as much key as there is traffic, which may be practical for high-security applications if the key can be stored on high-density computer-readable media. While it would be useless for the headquarters of an army, it has been entirely practical for espionage traffic that is of small volume.<ref name=Kahn>{{citation
 
| first = David | last = Kahn
Second, it is dependent on having truly random keys, which must be generated from nonmathematical methods. With modern instruments and equipment, a truly random one-time pad can be generated with a combination of measurement of a random physical phenomenon (e.g., thermal noise or radioactive disintegrations), which is then captured by a computer and put into hugh-density storage.  
| title = The Codebreakers: the story of secret writing
 
| date = second edition, 1996
In the past, one-time pads were generated by typists who were told to type randomly, but, in practice, had patterns. Limited to manual methods, a not-unreasonable way is to put numbered balls in a bowl, having a blindfolded person take it out, the number recorded, the ball returned to the bowl, and the bowl shaken thorougly before taking the next ball.
| publisher = Scribners}} p.663-666 </ref>  Another example where it was a practical solution was for the original implementation of MOLINK, the "hotline" between Washington and Moscow, which was encrypted with a commercial machine that originally used one-time paper tapes. The two sides generate tapes for their direction of transmission. One-time pad was attractive because it gave total security, but was implemented with a commercial device rather than forcing either side to reveal their sensitive high-security encryption methods. Since the traffic was limited, and between two fixed locations, key volume was not overwhelming.<ref name=NYT1988-09-18>{{citation
| title =  Moscow's Still Holding
| journal = New York Times
| first = Webster | last = Stone
| date = September 18, 1988
| url =http://query.nytimes.com/gst/fullpage.html?res=940DEFDC1339F93BA2575AC0A96E948260&sec=&spon=&pagewanted=all}}</ref><ref>Kahn, pp. 715-716</ref>


Small changes which violate the conditions listed above do not just weaken the cipher a little. Quite often they destroy its security completely.
Small changes which violate the conditions listed above do not just weaken the cipher a little. Quite often they destroy its security completely.


* Re-using the pad weakens the cipher to the point where it can be broken with pencil and paper. With a computer, the attack is trivially easy. In a famous example called [[Venona]], the [[NSA]] broke Soviet diplomatic ciphers which had been misused this way.
* Re-using the pad weakens the cipher to the point where it can be broken with pencil and paper. With a computer, the attack is trivially easy. The U.S. [[National Security Agency]] broke Soviet diplomatic ciphers which had been reused; see [[VENONA]]<ref name=NSA-Venona>{{citation
| url = http://www.nsa.gov/venona/
| author = National Security Agency
| title = VENONA}}</ref> .
* Using anything less than truly random numbers completely invalidates the security proof.
* Using anything less than truly random numbers completely invalidates the security proof.
* In particular, using computer-generated pseudo-random numbers may give an extremely weak cipher. It might also produce a good [[stream cipher]], if the pseudo-random generator is both well-designed and properly seeded.
* In particular, using computer-generated pseudo-random numbers may give an extremely weak cipher. It might also produce a good [[stream cipher]], if the pseudo-random generator is both well-designed and properly seeded.
If an adversary can obtain a one-time pad, he can send deceptive messages, although there are usually additional security measures, such as bluff checks, in espionage traffic. The pads themselves are shipped by trusted couriers or other secure means. Paper pads are printed on water-soluble and edible paper, or "flash" paper which will burn with the slightest spark, so they can easily be destroyed.
If he can copy it and return it without detection, he can read future messages.  Paper pads were usually bound in a manner that broke a seal when turning to a new page.


Finally, even if the system is implemented and used correctly, it is highly vulnerable to a substitution attack. If an attacker knows some [[plaintext]] and has an intercepted message, he can discover the pad. This does not matter if the attacker is just a passive eavesdropper. It gives him no plaintext he didn't already know and we don't care that he learns a pad which we will never re-use. However, an active attacker who knows the plaintext can recover the pad, then use it to encode whatever he chooses. If he can get his version delivered instead of yours, this may be a disaster. If you send "attack at dawn", the delivered message can be anything the same length -- perhaps "retreat to east" or "shoot generals". An active attacker with only a reasonable guess at the plaintext can try the same attack. If the guess is correct, this works and the attacker's bogus message is delivered. If the guess is wrong, a garbled message is delivered.
Finally, even if the system is implemented and used correctly, it is highly vulnerable to a substitution attack. If an attacker knows some [[plaintext]] and has an intercepted message, he can discover the pad. This does not matter if the attacker is just a passive eavesdropper. It gives him no plaintext he didn't already know and we don't care that he learns a pad which we will never re-use. However, an active attacker who knows the plaintext can recover the pad, then use it to encode whatever he chooses. If he can get his version delivered instead of yours, this may be a disaster. If you send "attack at dawn", the delivered message can be anything the same length -- perhaps "retreat to east" or "shoot generals". An active attacker with only a reasonable guess at the plaintext can try the same attack. If the guess is correct, this works and the attacker's bogus message is delivered. If the guess is wrong, a garbled message is delivered.
==One-time pad generation==


In general then, despite its theoretical perfection, the one-time-pad has very limited practical application.
{{quotation|Choosing random quantities to foil a resourceful and motivated adversary is surprisingly difficult.|IETF Best Current Practice 106<ref name=RFC4086>{{citation
| id = RFC 4086; IETF Best Current Practice 106
| title = Randomness Requirements for Security
| first1 = D. 3rd | last1 = Eastlake | first2 = J. |last2 = Schiller | first3 = S. | last3 = Crocker
| date = June 2005
| url = http://www.ietf.org/rfc/rfc4086.txt}}</ref>}}
The content of a one-time pad must be truly random. This immediately rules out a function such as UNIX/LINUX <code>random()</code>, which is a pseudo-random number generator. Pseudo-random means that the function will always produce the same output when initialized with the same value which is useful in certain software testing; see [[Computer simulation#Pitfalls in computer simulation|pitfalls in computer simulation]].


== Bogus one-time pads==
Effective one-time encryption depends on having truly random keys, which must be generated from nonmathematical methods. With modern instruments and equipment, a truly random one-time pad ''may'' be generated with a combination of measurement of a random physical phenomenon (e.g., thermal noise or radioactive disintegrations), which is then captured by a computer and put into high-density storage. An expert in the physical phenomenon being measured. The measurement may be self-similar in a way that can be exploited statistically; see [[Fractal]] for a specific type of self-similarity.


Marketing claims about the "unbreakable" security of various products which somewhat resemble one-time pads are common; such claims are one of the surest signs of [[Cryptographic snake oil]]. Anyone who talks about "generating" a "one-time pad" using some algorithm does not have a one-time pad, but a stream cipher. If he or she does not even know that, it is quite unlikely to be a good stream cipher. Most systems marketed with such claims are worthless.
Different applications, both cryptographic and noncryptographic, may need more or less strict random numbers.  


==External links==
In the past, one-time pads were generated by typists who were told to type randomly, but, in practice, had patterns. Limited to manual methods, a not-unreasonable way is to put numbered balls in a bowl, having a blindfolded person take it out, the number recorded, the ball returned to the bowl, and the bowl shaken thorougly before taking the next ball.
== Bogus one-time pads==


There is a useful [http://www.ranum.com/security/computer_security/papers/otp-faq/ one time pad FAQ] available.
Marketing claims about the "unbreakable" security of various products which somewhat resemble one-time pads are common; such claims are one of the surest signs of [[Cryptographic snake oil]]. Anyone who talks about "generating" a "one-time pad" using some algorithm does not have a one-time pad, but a stream cipher. If he or she does not even know that, it is quite unlikely to be a good stream cipher. Most systems marketed with such claims are worthless..
==References==
{{reflist|2}}

Revision as of 11:37, 3 August 2008

This article is developed but not approved.
Main Article
Discussion
Related Articles  [?]
Bibliography  [?]
External Links  [?]
Citable Version  [?]
 
This editable, developed Main Article is subject to a disclaimer.

A one-time pad (often abbreviated OTP) is a cipher system in which the key, i.e. the secret used to encrypt and decrypt messages, is a long sequence of random values, each one of which is only ever used once, and only to encrypt one particular letter or word. In practice, this means that the volume of key must be equal to that of all traffic to be sent or received, which make its use logistically impractical.

It is the only cipher that is provably unbreakable, if the adversary does not have a copy of the key. [1]

The name is derived from the first cryptosystems which used this approach, code systems which used pads containing pages of printed random numbers used as additives; each page was used only once, after which it was discarded.

Implementation

It is a cipher in which the key is:

  • at least as long as the total set of messages to be enciphered
  • absolutely random
  • never re-used

Given those three conditions, it can proven that the cipher is perfectly secure, in the sense that an attacker with intercepted message in hand has no better chance of guessing the message than an attacker who has not intercepted the message and only knows the message length. No such proof exists for any other cipher.

While cryptographic security is established, one-time pads tend to be usable, for practical and technical reason, in only small niches of encryption.

First, it is impractical for applications involving appreciable amounts of traffic. There must be as much key as there is traffic, which may be practical for high-security applications if the key can be stored on high-density computer-readable media. While it would be useless for the headquarters of an army, it has been entirely practical for espionage traffic that is of small volume.[2] Another example where it was a practical solution was for the original implementation of MOLINK, the "hotline" between Washington and Moscow, which was encrypted with a commercial machine that originally used one-time paper tapes. The two sides generate tapes for their direction of transmission. One-time pad was attractive because it gave total security, but was implemented with a commercial device rather than forcing either side to reveal their sensitive high-security encryption methods. Since the traffic was limited, and between two fixed locations, key volume was not overwhelming.[3][4]

Small changes which violate the conditions listed above do not just weaken the cipher a little. Quite often they destroy its security completely.

  • Re-using the pad weakens the cipher to the point where it can be broken with pencil and paper. With a computer, the attack is trivially easy. The U.S. National Security Agency broke Soviet diplomatic ciphers which had been reused; see VENONA[5] .
  • Using anything less than truly random numbers completely invalidates the security proof.
  • In particular, using computer-generated pseudo-random numbers may give an extremely weak cipher. It might also produce a good stream cipher, if the pseudo-random generator is both well-designed and properly seeded.

If an adversary can obtain a one-time pad, he can send deceptive messages, although there are usually additional security measures, such as bluff checks, in espionage traffic. The pads themselves are shipped by trusted couriers or other secure means. Paper pads are printed on water-soluble and edible paper, or "flash" paper which will burn with the slightest spark, so they can easily be destroyed.

If he can copy it and return it without detection, he can read future messages. Paper pads were usually bound in a manner that broke a seal when turning to a new page.

Finally, even if the system is implemented and used correctly, it is highly vulnerable to a substitution attack. If an attacker knows some plaintext and has an intercepted message, he can discover the pad. This does not matter if the attacker is just a passive eavesdropper. It gives him no plaintext he didn't already know and we don't care that he learns a pad which we will never re-use. However, an active attacker who knows the plaintext can recover the pad, then use it to encode whatever he chooses. If he can get his version delivered instead of yours, this may be a disaster. If you send "attack at dawn", the delivered message can be anything the same length -- perhaps "retreat to east" or "shoot generals". An active attacker with only a reasonable guess at the plaintext can try the same attack. If the guess is correct, this works and the attacker's bogus message is delivered. If the guess is wrong, a garbled message is delivered.

One-time pad generation

Choosing random quantities to foil a resourceful and motivated adversary is surprisingly difficult. — IETF Best Current Practice 106[6]

The content of a one-time pad must be truly random. This immediately rules out a function such as UNIX/LINUX random(), which is a pseudo-random number generator. Pseudo-random means that the function will always produce the same output when initialized with the same value which is useful in certain software testing; see pitfalls in computer simulation.

Effective one-time encryption depends on having truly random keys, which must be generated from nonmathematical methods. With modern instruments and equipment, a truly random one-time pad may be generated with a combination of measurement of a random physical phenomenon (e.g., thermal noise or radioactive disintegrations), which is then captured by a computer and put into high-density storage. An expert in the physical phenomenon being measured. The measurement may be self-similar in a way that can be exploited statistically; see Fractal for a specific type of self-similarity.

Different applications, both cryptographic and noncryptographic, may need more or less strict random numbers.

In the past, one-time pads were generated by typists who were told to type randomly, but, in practice, had patterns. Limited to manual methods, a not-unreasonable way is to put numbered balls in a bowl, having a blindfolded person take it out, the number recorded, the ball returned to the bowl, and the bowl shaken thorougly before taking the next ball.

Bogus one-time pads

Marketing claims about the "unbreakable" security of various products which somewhat resemble one-time pads are common; such claims are one of the surest signs of Cryptographic snake oil. Anyone who talks about "generating" a "one-time pad" using some algorithm does not have a one-time pad, but a stream cipher. If he or she does not even know that, it is quite unlikely to be a good stream cipher. Most systems marketed with such claims are worthless..

References

  1. Shannon, Claude E., Communication Theory of Secrecy Systems
  2. Kahn, David (second edition, 1996), The Codebreakers: the story of secret writing, Scribners p.663-666
  3. Stone, Webster (September 18, 1988), "Moscow's Still Holding", New York Times
  4. Kahn, pp. 715-716
  5. National Security Agency, VENONA
  6. Eastlake, D. 3rd; J. Schiller & S. Crocker (June 2005), Randomness Requirements for Security, RFC 4086; IETF Best Current Practice 106