[Cryptography] OTP USB TLA
John Gilmore
gnu at toad.com
Tue Sep 9 04:11:48 EDT 2025
I had an idea a few years ago that with the ubiquity of high bandwidth
USB interfaces and large flash chips, someone could build a small USB
device that would cache paired True random numbers when physically
plugged into a second such device. The two plugged-together devices
(when also plugged into power) would fill their memories with identical
true random numbers. When you unplugged them and took them to two
different places, you'd have gigabytes or a few terabytes of paired
high quality random numbers, in a tiny, innocuous form factor.

The USB interface from the device to the randomness user (host computer)
would never hand out a particular set of random bits more than once, and
would securely erase them from its memory as soon as they were handed
over the interface. So seizing an already-used device would not expose
past traffic.

So far this isn't rocket science, but it has a few problems:

* How do you best avoid an attacker depleting all your randomness by
having malware just suck bits out until there aren't any more? Such
an attack at either end of a comms link would disable the encryption,
a denial-of-service attack.

* How does the host computer authenticate that it's really talking to
your RNG device? Someone like Q could build a lookalike USB thing
that an Evil Maid could swap for yours. It would suck all the secret
bits out of your true USB device when the Maid plugged yours into it;
would also make a copy of that bit stream somewhere else (like on an
ordinary USB stick) for the Evil Maid's employer; and would store the
extracted bit stream inside itself so the Evil device could pretend to
be your device the next time you plugged it in. Its delivered bits
would match the bits at the other end of your comms link, but they
would have been secretly copied for the attacker's use.

John
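As an added illustration (not code from the post or from any real device), a Python model of the paired pad's consume-once and erase-on-handout behaviour, with an assumed per-request quota as one response to the depletion problem. It models one direction of traffic only and says nothing about the device-authentication problem.

```python
import os


class PairedPad:
    """Model of one of the two paired USB pad devices sketched in the post."""

    def __init__(self, pad: bytes, max_per_request: int) -> None:
        self.pad = bytearray(pad)               # mutable so used bytes can be wiped
        self.cursor = 0                         # offset of the next unused byte
        self.max_per_request = max_per_request  # assumed throttle against depletion

    def remaining(self) -> int:
        return len(self.pad) - self.cursor

    def take(self, n: int) -> bytes:
        """Hand out n fresh pad bytes, then zero them inside the device."""
        if n > self.max_per_request:
            raise ValueError("request exceeds per-call quota")
        if n > self.remaining():
            raise RuntimeError("pad exhausted")
        chunk = bytes(self.pad[self.cursor:self.cursor + n])
        self.pad[self.cursor:self.cursor + n] = bytes(n)  # erase the handed-out range
        self.cursor += n
        return chunk

    def seal(self, plaintext: bytes) -> tuple[int, bytes]:
        """XOR plaintext with fresh pad; return the pad offset used and the ciphertext."""
        start = self.cursor
        key = self.take(len(plaintext))
        return start, bytes(p ^ k for p, k in zip(plaintext, key))

    def open(self, start: int, ciphertext: bytes) -> bytes:
        """Peer side: refuse if the two pads have drifted, else XOR with the same range."""
        if start != self.cursor:
            raise RuntimeError("pad offsets out of sync")
        key = self.take(len(ciphertext))
        return bytes(c ^ k for c, k in zip(ciphertext, key))


def make_pair(size: int, max_per_request: int) -> tuple[PairedPad, PairedPad]:
    """Stand-in for the plug-together fill step: both devices get identical bytes."""
    shared = os.urandom(size)
    return PairedPad(shared, max_per_request), PairedPad(shared, max_per_request)


def demo() -> tuple[bytes, bool, int]:
    alice, bob = make_pair(64, 32)
    start, ct = alice.seal(b"meet at noon")       # constructed sample message
    pt = bob.open(start, ct)
    wiped = alice.pad[:len(ct)] == bytes(len(ct))  # used range is now all zeros
    return pt, wiped, alice.remaining()
```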