Sunday, August 07, 2005

Is One-Time Pad encryption history?

I came across an article about One-Time Pads in Bruce Schneier's newsletter. He says that, although it is the only provably secure cryptosystem we know of, it has no future. He argues that One-Time Pads turn a message security problem into a just-as-difficult key distribution problem. This is correct, assuming we don't want to be occupied with running around with briefcases handcuffed to our wrists. And indeed, there is no need to go through all that trouble. We now have asymmetric public key algorithms, based on the difficulty of factoring the product of large primes. They securely protect the message key of the symmetric encryption that is used to encrypt the data.

But there's a problem. Although it has taken a lot of time, factoring numbers of limited size is possible and has already been done. Imagine what would happen if someone found a mathematical shortcut for the factoring problem, or a hardware solution that speeds up the process, as is expected from quantum computers. Imagine a world where asymmetric encryption no longer resists the mathematics, or where any symmetric cipher can be brute-forced within minutes.

One-Time Pads would be the only solution, although a very expensive one because of the key distribution problem. It's a bit like using Morse code on radio. Several armed forces abandoned Morse. Yes, it's stone-age technology, and one can say it's ridiculous in these high bit-rate days of data communication. And what do we see now... we are starting to teach Morse to Army signal operators again. When things go bad, Morse is the only system that gets across while all the others fail. So I think we should not be too quick to throw away solid systems like One-Time Pads.

More info on One-Time Pads can be found here.

9 comments:

Dirk said...

By the way, the TAN system, used in Europe to make secure banking transfers, is a solid and compact system on computer, based on one-time pad. Banks exchange large one-time pads of data, used to encrypt transfer details only once and never again. Absolutely safe system!

Matt Crypto said...

I don't suppose you know of a web page discussing the TAN system?

Dirk said...

Yep, here's a nice pdf on PIN/TAN

http://www.informatik.tu-darmstadt.de/ftp/pub/TI/reports/attack.pdf

Matt Crypto said...

Hmm...from the paper above, it would seem that PIN/TAN uses one-time passwords, an entirely different kettle of fish to a one-time pad!

Dirk said...

Once I have some spare time, I will check that paper myself. I got that one from Ulrich Kunitz' comment on Schneier's article. See the comments from readers at the bottom...

http://www.schneier.com/crypto-gram-0211.html#7

Matt Crypto said...

Yeah, it would seem that the actual encryption in this system is done by normal SSL/TLS. The PIN/TAN system is used to authenticate a customer to the bank. The customer has a list of TAN numbers, and for each action (like transferring money etc), he has to enter the next TAN on his list. Each TAN can be used only once, after that it gets rejected by the bank. One-time passwords are useful protection against key-loggers (imagine you're doing your online banking in a public Internet cafe...). If an attacker logs your keystrokes and gets a password, it's of no use to him because it can only be used once.

Dirk said...

So instead of using a public key algorithm to wrap the symmetric encryption key in, we use each time a unique (one-time) key, distributed beforehand... perfect security... as long as the encryption in which the key is used is also perfect, and that's where we come back to the article...

Dirk said...

Hey, I just got a mail from Frode Weierud, pointing me to a firm also providing OTKs, those One-Time Keys. Check out this one: http://www.mils.com/

Matt Crypto said...

With one-time passwords, the passwords aren't usually used for encryption, i.e., they're not used as keys. They are used to authenticate someone, just like a normal password at a login prompt. In PIN/TAN, the system uses public-key crypto to negotiate a shared symmetric key via SSL. The server is authenticated to the client using a public-key certificate. The client authenticates to the server using the one-time passwords.

Interesting link to the Mils site. I was astonished to see that they support the 5-channel paper tape as an output format for their RNG; I've just posted an entry about it on my blog.
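The distinction the comment thread settles on, a one-time pad (a key used once for encryption) versus a one-time password (a TAN consumed once for authentication), as an added example that is not part of the original post or of any bank's software. The TAN values and messages are constructed; the pad-reuse function shows why the "never again" part of the one-time pad matters.

```python
import secrets


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """One-time pad: XOR the message with a pad of at least the same length.
    The pad must be truly random and must never be used a second time."""
    if len(pad) < len(plaintext):
        raise ValueError("pad must be at least as long as the message")
    return bytes(p ^ k for p, k in zip(plaintext, pad))


otp_decrypt = otp_encrypt  # XOR is its own inverse, so the same operation decrypts


def pad_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """What an eavesdropper can compute if two messages share one pad:
    c1 XOR c2 == p1 XOR p2, because the pad cancels out. The pad itself stays
    secret, but the relation between the two plaintexts is exposed."""
    return bytes(a ^ b for a, b in zip(c1, c2))


class TanList:
    """One-time *password* list as described in the comments: the bank hands
    the customer a list of TANs, each authenticates one transaction and is
    rejected forever afterwards, so a logged keystroke cannot be replayed."""

    def __init__(self, tans):
        self._unused = set(tans)   # constructed sample TANs are passed in
        self._used = set()

    def authenticate(self, tan: str) -> bool:
        if tan in self._unused:
            self._unused.remove(tan)
            self._used.add(tan)
            return True
        return False               # unknown TAN, or one already consumed

    def remaining(self) -> int:
        return len(self._unused)


def fresh_pad(length: int) -> bytes:
    """A fresh, cryptographically random pad for one message of this length."""
    return secrets.token_bytes(length)


if __name__ == "__main__":
    msg = b"TRANSFER 100 EUR"
    pad = fresh_pad(len(msg))
    assert otp_decrypt(otp_encrypt(msg, pad), pad) == msg
    tans = TanList(["482913", "117204"])      # constructed TAN list
    print(tans.authenticate("482913"), tans.authenticate("482913"))
```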