thoughts on one time pads

Anne & Lynn Wheeler lynn at
Sat Jan 28 17:50:16 EST 2006

John Denker wrote:
>  -- The best way to _protect_ a key after it has been used is to destroy
>   it.
>  -- For keys that have yet to be used, a sufficient scheme (not the only
>   scheme) for many purposes is to package the keys in a way that is
>   tamper-resistant and verrry tamper-evident.

periodically there was some discussion about institutional-centric
tokens vis-a-vis person-centric tokens ... in one case specifically with
respect to being able to replace magstripe payment cards with tokens.

in the person-centric token scenario, the person can choose to have a
single token that they could use for all authentication purposes,
including all accounts (or choose how many tokens they want and which
purposes each token is used for).

at one point, there were counter arguments that a single card per
account (the current mechanism) was much preferred because of the
lost/stolen card problem. the problem is that the prevailing threat
model for lost/stolen cards is the purse or wallet containing all cards
(as opposed to individual cards).

the person-centric model at least would allow a person to replace all
cards subject to a common threat model with a single token.

a major issue with cdrom one-time pads would be somebody skimming the
whole cdrom.

destroying keys as they are being used would appear to only be a
countermeasure to theft of the cdrom (in which case it is apparent that
unused pads are compromised and should be eliminated). however, skimming
the cdrom might not leave any trace that unused pads have been
compromised ... which turned out to be the issue in the gift card
skimming compromise.
