1 / 18

The Seduction of the One-Time Pad

The Seduction of the One-Time Pad. Jon Callas 8 October 1998. The Situation. The One-Time Pad (OTP) is the only provably secure form of encryption Cryptography, like life, is filled with uncertainties

ida
Download Presentation

The Seduction of the One-Time Pad

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. The Seduction of the One-Time Pad Jon Callas 8 October 1998

  2. The Situation • The One-Time Pad (OTP) is the only provably secure form of encryption • Cryptography, like life, is filled with uncertainties • People want certainty, so they think that if they make their system more like an OTP, it will be more certain and more secure

  3. The Seduction • OTPs are hard • OTPs attract cranks • In other fields, certainties attract cranks • OTPs attract people who should know better

  4. The Problem • Making crypto like an OTP is like making an airplane like a bird • Great idea • Great metaphor • Some people actually make it work • In general, a bad idea

  5. Overview • What is an OTP? • How do they work? • Why don’t they work? • Pseudo-OTPs • Snake Oil

  6. What is an OTP? • OTP takes a string of random numbers as long as the message • Combines the random numbers with the message • XOR, modular or rotational arithmetic good ways • This produces cyphertext • Because all random strings are equally likely, cryptanalysis is impossible

  7. How it works • Message: ATTACK • Pad (key): 4 8 20 10 16 1 • Cyphertext: EAMKSL • But what if the pad was 25 15 11 10 16 1 • Message is FLBACK • This is why it’s unbreakable

  8. So Far, So Good • But what longer messages? • You need a longer pad • You need a lot of pad • You need a pad for every person you want to talk to.

  9. Dangers • The pad must be cryptographically random • This takes work • Cryptographic random numbers are not like other random numbers • They must be conformists • You must never reuse a pad • http://www.nsa.gov:8080/docs/venona/venona.html • You must never lose a pad

  10. Is this Feasible? • Suppose we pre-compute 1MB pads • Suppose you want enough pads for a 1000 person company • That’s ~500K pads • That’s 1/2 terabyte • I’d like a laptop that big!

  11. Is this Feasible? • Suppose we don’t pre-compute pads • Pads must be distributed through a secure channel • If you use a “secure network,” the security level of the pad is that of the network • You lose provable security

  12. Can These Flaws be Fixed? • Pseudo-OTP • A PRNG replaces the RNG • Pads don’t have to be stored • Seed material is smaller than pads, easier to secure • This isn’t an OTP • It’s a stream cypher • There is nothing wrong with a stream cypher • It’s not an OTP

  13. Snake Oil • A term for medicine with over-broad claims • Real medicine comes with a list of caveats • Snake oil may still cure some things • It’s really an error in labeling

  14. Cranks • Over-label • Vague claims • Wear “persecution” as a badge • Galileo was persecuted • I’m persecuted • Therefore, I’m the next Galileo • Ignore peer review, publication process • Exception -- patents

  15. Identifying Snake Oil • No Papers • No Algorithms • No Publication • No Documentation • Outrageous claims • Thousand to Million bit keys • Access to secret knowledge • Etc.

  16. Very Long Keys • There are 2**85 nanoseconds until the sun goes nova • There are 2**170 atoms in Planet Earth • If every atom on the planet tests a key per nanosecond, it will check 255 bits of key space when the sun goes nova

  17. Coming Full Circle • There’s no certainty in security • We settle for predictability • Reasonably designed systems have predictable security parameters • The reasonable design of 256-bit cyphers is a leap from the reasonable design of 128-bit systems • There is no assurance that longer keys in known systems give more security

  18. Questions?

More Related