[Cryptography] One-time pads in modern crypto software?

[Phillip Hallam-Baker]

On Wed, Feb 17, 2021 at 1:03 AM John Gilmore <gnu at toad.com> wrote:

> Phillip Hallam-Baker <phill at hallambaker.com> wrote:
> > TLS would seem like a poor choice, a messaging layer approach like S/MIME
> > would be a better fit.
>
> My guess is that about 10,000 times as many emails get encrypted via
> TLS, as via S/MIME.  Just counting the mail flowing between Gmail and
> Outlook!  And TLS secures many more things besides email -- not just the
> web, not just email, but DNS, WebRTC audio and video, etc.
>

But what you are proposing is an end to end security solution.

OTP security between Alice and Bob: Good

OTP from Alice to Alice's MSP then plaintext, then OTP from Alice's MSP to
Bob's MSP then plaintext, then OTP from Bob's MSP to Bob: I really fail to
see the point.

If you want to establish TLS between Alice and Bob, you have disrupted the
model far more than switching to SMIME would.

Sure, most people don't want S/MIME because of the faff. But OTP is going
to be vastly more faff than S/MIME or OpenPGP today.

It's certainly not standardized in draft or issued RFCs.  Want to help?
>

I am currently trying to finish 15 internet drafts specifying a Threshold
Key Infrastructure to make using OpenPGP and S/MIME as easy as using
regular SMTP email.





> > The big problem technically would be conserving your supply of one time
> > material. You have to exchange that out of band if there is going to be
> > security.
>
> Let's not be stuck in 1990s thinking.  Moving terabits from one place to
> another is not as big a problem as it used to be.


It is not just moving it, you have to be able to generate it. And you have
to be absolutely sure you never use the same material twice and the other
end of the communication knows where you are in the transmission.

I agree the storage is no longer such an issue. Though migrating my NAS
from its 6TB disks to a set of 16TB disks it turning into a two week job.
and I only had 26TB of data.

The bottom line is Alice has to really, really wanna talk to Bob securely
for this to make sense. And I am having a hard time seeing how I can fit it
into any model for Data At Rest security. OTP is really about the channel.

> > For most of us, 'one time pad' is a sure fire sign of
> > crypto snakeoil.
>
> Y'mean we would actually have to examine products to see if they were
> secure?  Rather than come to a snap judgment based on their name?  ;-/
>

Examine products to see if they are secure before relying on them? Sure.

Examine products to determine that they are not yet more snake oil before
discarding them? I have other priorities.

The best reason I can see for doing this would actually be to demonstrate
just how limiting a genuine OTP scheme would be.

There is good reason OTP is pretty much limited to diplomatic traffic.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.metzdowd.com/pipermail/cryptography/attachments/20210218/bad21d04/attachment.htm>