Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Seduction of the One-Time Pad

Published byPreston Brown Modified over 6 years ago

Similar presentations

Presentation on theme: "The Seduction of the One-Time Pad"— Presentation transcript:

1 The Seduction of the One-Time Pad
Jon Callas 8 October 1998

2 The Situation The One-Time Pad (OTP) is the only provably secure form of encryption Cryptography, like life, is filled with uncertainties People want certainty, so they think that if they make their system more like an OTP, it will be more certain and more secure

3 The Seduction OTPs are hard OTPs attract cranks
In other fields, certainties attract cranks OTPs attract people who should know better

4 The Problem Making crypto like an OTP is like making an airplane like a bird Great idea Great metaphor Some people actually make it work In general, a bad idea

5 Overview What is an OTP? How do they work? Why don’t they work?
Pseudo-OTPs Snake Oil

6 What is an OTP? OTP takes a string of random numbers as long as the message Combines the random numbers with the message XOR, modular or rotational arithmetic good ways This produces cyphertext Because all random strings are equally likely, cryptanalysis is impossible

7 How it works Message: ATTACK Pad (key): 4 8 20 10 16 1
Cyphertext: EAMKSL But what if the pad was Message is FLBACK This is why it’s unbreakable

8 So Far, So Good But what longer messages? You need a longer pad
You need a lot of pad You need a pad for every person you want to talk to.

9 Dangers The pad must be cryptographically random This takes work
Cryptographic random numbers are not like other random numbers They must be conformists You must never reuse a pad You must never lose a pad

10 Is this Feasible? Suppose we pre-compute 1MB pads
Suppose you want enough pads for a 1000 person company That’s ~500K pads That’s 1/2 terabyte I’d like a laptop that big!

11 Is this Feasible? Suppose we don’t pre-compute pads
Pads must be distributed through a secure channel If you use a “secure network,” the security level of the pad is that of the network You lose provable security

12 Can These Flaws be Fixed?
Pseudo-OTP A PRNG replaces the RNG Pads don’t have to be stored Seed material is smaller than pads, easier to secure This isn’t an OTP It’s a stream cypher There is nothing wrong with a stream cypher It’s not an OTP

13 Snake Oil A term for medicine with over-broad claims
Real medicine comes with a list of caveats Snake oil may still cure some things It’s really an error in labeling

14 Cranks Over-label Vague claims Wear “persecution” as a badge
Galileo was persecuted I’m persecuted Therefore, I’m the next Galileo Ignore peer review, publication process Exception -- patents

15 Identifying Snake Oil No Papers No Algorithms No Publication
No Documentation Outrageous claims Thousand to Million bit keys Access to secret knowledge Etc.

16 Very Long Keys There are 2**85 nanoseconds until the sun goes nova
There are 2**170 atoms in Planet Earth If every atom on the planet tests a key per nanosecond, it will check 255 bits of key space when the sun goes nova

17 Coming Full Circle There’s no certainty in security
We settle for predictability Reasonably designed systems have predictable security parameters The reasonable design of 256-bit cyphers is a leap from the reasonable design of 128-bit systems There is no assurance that longer keys in known systems give more security

18 Questions?

Download ppt "The Seduction of the One-Time Pad"

Similar presentations

WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:

WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:
1 The Fortuna PRNG Niels Ferguson. 2 The problem We need to make “random” choices in cryptographic protocols. Computers are deterministic. Standard “random”

1 The Fortuna PRNG Niels Ferguson. 2 The problem We need to make “random” choices in cryptographic protocols. Computers are deterministic. Standard “random”
Foundations of Network and Computer Security J J ohn Black Lecture #34 Dec 5 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Foundations of Network and Computer Security J J ohn Black Lecture #34 Dec 5 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
Foundations of Network and Computer Security J J ohn Black Lecture #3 Aug 28 th 2009 CSCI 6268/TLEN 5550, Fall 2009.

Foundations of Network and Computer Security J J ohn Black Lecture #3 Aug 28 th 2009 CSCI 6268/TLEN 5550, Fall 2009.
Overview of Cryptography and Its Applications Dr. Monther Aldwairi New York Institute of Technology- Amman Campus INCS741: Cryptography.

Overview of Cryptography and Its Applications Dr. Monther Aldwairi New York Institute of Technology- Amman Campus INCS741: Cryptography.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
Computer Security CS 426 Lecture 3

Computer Security CS 426 Lecture 3
Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Practical Techniques for Searches on Encrypted Data Yongdae Kim Written by Song, Wagner, Perrig.

Practical Techniques for Searches on Encrypted Data Yongdae Kim Written by Song, Wagner, Perrig.
Dan Boneh Stream ciphers The One Time Pad Online Cryptography Course Dan Boneh.

Dan Boneh Stream ciphers The One Time Pad Online Cryptography Course Dan Boneh.
Tonga Institute of Higher Education Design and Analysis of Algorithms IT 254 Lecture 9: Cryptography.

Tonga Institute of Higher Education Design and Analysis of Algorithms IT 254 Lecture 9: Cryptography.
Crypto Bro Rigby. History

Crypto Bro Rigby. History
One-Time Pad Or Vernam Cipher Sayed Mahdi Mohammad Hasanzadeh Spring 2004.

One-Time Pad Or Vernam Cipher Sayed Mahdi Mohammad Hasanzadeh Spring 2004.
Giuseppe Bianchi Warm-up example 1 found on a real paper! Warm-up example 1 found on a real paper!

Giuseppe Bianchi Warm-up example 1 found on a real paper! Warm-up example 1 found on a real paper!
Introduction to Quantum Key Distribution

Introduction to Quantum Key Distribution
Attacks on PRNGs - By Nupura Neurgaonkar CS-265 (Prof. Mark Stamp)

Attacks on PRNGs - By Nupura Neurgaonkar CS-265 (Prof. Mark Stamp)
Lecture 2: Introduction to Cryptography

Lecture 2: Introduction to Cryptography
CS526Topic 2: Classical Cryptography1 Information Security CS 526 Topic 2 Cryptography: Terminology & Classic Ciphers.

CS526Topic 2: Classical Cryptography1 Information Security CS 526 Topic 2 Cryptography: Terminology & Classic Ciphers.
หัวข้อบรรยาย Stream cipher RC4 WEP (in)security LFSR CSS (in)security.

หัวข้อบรรยาย Stream cipher RC4 WEP (in)security LFSR CSS (in)security.
Lecture 3 Page 1 CS 236 Online Basic Encryption Methods Substitutions –Monoalphabetic –Polyalphabetic Permutations.

Lecture 3 Page 1 CS 236 Online Basic Encryption Methods Substitutions –Monoalphabetic –Polyalphabetic Permutations.

Similar presentations

Ads by Google