[Cryptography] One-time pads in modern crypto software?
Kent Borg
kentborg at borg.org
Thu Feb 18 15:00:18 EST 2021
On 2/14/21 1:28 AM, John Gilmore wrote:
>
> I continue to be surprised that nobody has put support for one-time pads
> into TLS. For the small subset of people who want higher reliability
> security, it would be straightforward to run standard protocols for web
> and email and DNS and such, but with OTP keying rather than depending on
> possibly breakable mathematics or quantum theory.
One-time pads have a really nice simplicity about their security. Simple
is good.
But OTP key management is still hard. Something tells me back in the
days of one-keys being on a "pad" of paper the hard part wasn't compact
storage, but all the other issues surrounding it:
- Generating random key material.
- Transporting it in secrecy.
- Maintaining secrecy at it's destination.
- Securely destroying used key material.
- Not accidentally reusing key material.
The OTP core might be simple, but the whole system surrounding it in any
real deployment is *not* and in that complexity will lie security holes.
All of that complicated stuff has to be done right or the simple
provable security of OTP is out the window
Move to now, and the availability of dense flash storage…doesn't solve
those problems. Automating the solution to some of those problems by
doing something called "programming" it might help, assuming the
programming is done correctly. Can we assume that? No. Which means the
simple provable security is out the window.
Moving OTP into the modern world seems to be trying to solve one of the
smaller problems out there. We see security holes all the time, I worry
about information security a lot, but I don't worry that AES-256 is
weak. Who has the time? There are too many other holes in our systems to
worry about first, well before we should get around to worrying about
the security of a well chosen, well designed cipher. Modern ciphers are
good, there are real options to choose from. Even old DES, which has
been long known to be something to avoid, has held up well: slap it in
in a triple mode and we still get over a hundred bits of symmetric
strength, don't we? Current block ciphers learned from DES' design, it
seems the least of our worries.
I'm sure swapping in a one-time-pad could be done, but I don't see that
it would be worth it, nor would be a net security win. I would advise
"financial traders, diplomats, spooks or black marketeers" to avoid such
an innovation and stick with more tested systems and implementations.
-kb
P.S. If I were a crook seriously worried about cipher strength I would
do something manual, disciplined, and unorthodox. Maybe superencrypt
with an unrelated key, through an unrelated cipher, from an independent
implementation. (Do respected stream ciphers still exist?) Even if my
concatenation offered no theoretical benefit (simple concatenating of
DES doesn't, that's why triple DES is so strange), it couldn't hurt, and
it might have a practical advantage: Some imagined NSA bulk, class break
of AES-256 wouldn't work against this without a tailored effort.
But the real benefit of the extra manual encryption would be to protect
against some security hole in the first program that has nothing to do
with whether AES-256 has any flaws.
Crucial is:
1. manual concatenation, of
2. an unrelated implementation, of
3. a different cipher, with
4. an unrelated key.
More information about the cryptography
mailing list