One-time pad overview

Are one-time pads a thing of the past? There has been quite a bit of discussion about that, and some security and cryptography experts argue that the one-time pad is no longer a system for today’s needs, that it is impractical and creates enormous key distribution problems. They say that current computer algorithms provide enough security and public key schemes solve the problem of key distribution. That’s all true. But there are some things they don’t tell you.

Let us first explain one-time encryption, and what this paper is about. One-time encryption, also called one-time pad encryption, is a most basic encryption algorithm where the readable data is combined with a truly random key of the same length as the data. The key should never be reused and should always be destroyed after use. The system was invented in 1917 and it is mathematically unbreakable. There is no way to crack it with current or future computer power, simply because it is mathematically impossible. The downside is that the rules of one-time use create a cumbersome key distribution with associated problems.

I must point out here that this paper is about modern one-time encryption applications, not the pencil-and-paper spy craft (although it is just as secure). Neither is this paper about small one-time passwords or one-time keys, which are only valid for a single encryption session by some crypto-algorithm under control of that key, and the paper is certainly not about the many snake-oil applications that pretend to be unbreakable because they claim to be using one-time encryption, while they actually are not. Remember: key as long as the data, truly random and used only once. There is no way around these three conditions without messing up the unbreakable part!

Many cryptologists believe that one-time encryption is something from the past. They claim that modern encryption algorithms offer secure communications and privacy, that the current key exchange schemes solve the complex key distribution and that there is no longer a need for one-time encryption. This paper explains why they are wrong (and why they don’t admit that).

2 Insecure Systems

For a start, there is the problem of implementing secure systems. A strong encryption algorithm is useless on a computer that contains viruses or spyware that captures your keystrokes or retrieves your data before it is encrypted.
Today, virtually all computers are vulnerable to attacks, and most computers are actually infected, especially those connected to an external network like the security nightmare called ‘the Internet’. The modern Personal Computer is a true TEMPEST disaster: everything leaks out, and anyone can get in. In fact, today, all our means of communication are completely digitalized and automated, but at the same time, we no longer have any control over these systems. We have no idea of what our own computer is doing, which processes are running in the background, or what plug-ins, add-ons and other unidentified software are downloaded automatically to “stay compatible”. A most dangerous evolution, which has gone way too far already.

There are very strong algorithms available, but we use completely insecure computers. Even firewalls of government agencies have proven to be vulnerable to attacks. In 99 percent of cases, intelligence agencies don’t have to break any encryption; they simply retrieve the information before it is encrypted. That is why the only truly secure encryption is performed by dedicated crypto devices or computers, well separated from the outside world. All network-connected computers are to be considered insecure. Cryptologists or software designers who claim that their software provides security and privacy on your personal computer really do not know what they are talking about, simply because they have no idea of all the things that are running on your computer. Actually, none of us has any idea.

Mathematical Security

What about mathematical security? There are two main types of encryption: symmetric and asymmetric. The traditional symmetric encryption uses the same key for both encrypting and decrypting (one-time pads are a type of symmetric encryption). This creates the problem of secure key exchange. Asymmetric public key encryption uses key pairs. Each pair consists of a public key to encrypt and a private key to decrypt.
You can distribute your public key openly, and everyone who wants to send you something can encrypt data with your public key, but only you can decrypt it with your private key. This is great. We no longer have to securely exchange secret keys.
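
The three conditions stated earlier (key as long as the data, truly random, used only once), expressed as code. This Python example is added here and is not from the paper; it assumes XOR as the combining operation (the text only says "combined") and uses the operating system's random generator as a stand-in for a true random source, and all names in it are hypothetical.

```python
import secrets


def xor(a: bytes, b: bytes) -> bytes:
    """Combine two equal-length byte strings (XOR is its own inverse)."""
    if len(a) != len(b):
        raise ValueError("operands must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


class OneTimePad:
    """One party's copy of the pad; hands out each key byte once only."""

    def __init__(self, key: bytes):
        self._pad = bytearray(key)
        self._pos = 0

    def remaining(self) -> int:
        return len(self._pad) - self._pos

    def apply(self, data: bytes) -> bytes:
        """Encrypt or decrypt `data` with the next unused key bytes."""
        n = len(data)
        # Condition 1: key as long as the data. Refuse instead of wrapping around.
        if n > self.remaining():
            raise ValueError("pad exhausted: not enough unused key material")
        out = xor(data, bytes(self._pad[self._pos:self._pos + n]))
        # Condition 3: used only once. Zero the consumed bytes and move on.
        self._pad[self._pos:self._pos + n] = bytes(n)
        self._pos += n
        return out


def generate_key(size: int) -> bytes:
    # Condition 2: truly random. Assumption: the OS CSPRNG stands in here for
    # the hardware random source a real pad generator would use.
    return secrets.token_bytes(size)


def reuse_leak(key: bytes, p1: bytes, p2: bytes) -> bytes:
    """What an eavesdropper holds if the same key bytes encrypt two messages."""
    c1, c2 = xor(p1, key), xor(p2, key)
    return xor(c1, c2)  # the key cancels out: this equals xor(p1, p2)
```

`reuse_leak` shows why the once-only rule cannot be relaxed: with a repeated key, the XOR of the two ciphertexts equals the XOR of the two plaintexts and contains no key at all.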
