Is one-time pad encryption vulnerable when near identical data is sent many times with different OTP?
$begingroup$
Let's assume a text file that grows at its very end but is otherwise not edited. We now have 100 transmissions of this, but OTP-encrypted (different OTP each time, of course). The first 50% of the original file are identical.
Of course nothing can be said about the other 50%. But can parts of the first 50%, which stay perfectly identical, be attacked?
(Please be light on the lingo and math, I'm a noob.)
Different scenario, same question: The text is edited in various places, but only individual sentences. This shifts the bytes around, but apart from that, most of it stays perfectly identical.
one-time-pad
asked 22 hours ago
Dreamspace PresidentDreamspace President
1507
New contributor
Dreamspace President is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$endgroup$
|
show 8 more comments
$begingroup$
Let's assume a text file that grows at its very end but is otherwise not edited. We now have 100 transmissions of this, but OTP-encrypted (different OTP each time, of course). The first 50% of the original file are identical.
Of course nothing can be said about the other 50%. But can parts of the first 50%, which stay perfectly identical, be attacked?
(Please be light on the lingo and math, I'm a noob.)
Different scenario, same question: The text is edited in various places, but only individual sentences. This shifts the bytes around, but apart from that, most of it stays perfectly identical.
one-time-pad
asked 22 hours ago
Dreamspace PresidentDreamspace President
1507
New contributor
Dreamspace President is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$endgroup$
1
$begingroup$
I was whimsically considering to make an OTP XOR tool to allow transport of my KeePass database to myself via email, utilizing java.security.SecureRandom.getInstanceStrong() (Windows 10). This spawned the question but I was also interested in general. (Side-note: The database is bigger than 1MB and 7z-compresses to more than its original size, so, due to its built-in encryption, it's already very noisy itself.)
$endgroup$
– Dreamspace President
21 hours ago
2
$begingroup$
Regarding your intended use, I'm pretty sure that what you get via java.security.SecureRandom wouldn't be a proper OTP. You're almost certainly better off in practice with a key file and perhaps something like a Yubikey to hold a portion of the passphrase (to make it harder to shoulder-surf you typing it in), than trying to cobble something together yourself. For one thing, you'll have the benefit of KeyPass at least trying to not leak intermediate data. Who is your adversary anyway, the Andromeda Empire?
$endgroup$
– a CVn
12 hours ago
1
$begingroup$
@DreamspacePresident your OTP File produced with SecureRandom would be a very bloated 160bit, a keyfile with 40 bytes is more than enough.
$endgroup$
– eckes
12 hours ago
2
$begingroup$
Depends on the SecureRandom config, java version and platform, but the commonly used Sha1PRNG of the JCL has not more state. Producing good randomness is hard, it is critical for OTP and it is even harder if you need to produce lots of it. (You would need to use the new DRBG with prediction resistance/reseeding)
$endgroup$
– eckes
11 hours ago
4
$begingroup$
@DreamspacePresident Whether it's 160 bits of state or some other number isn't really all that significant as long as it's not something really low. The main point, I think, is that using a random number generator (even a secure one) doesn't give you the perfect secrecy that a real OTP provides. If you're generating the key with an algorithm, then what you're really doing is pre-calculating part of a stream cipher that's exactly as secure as the random number generator it's based on.
$endgroup$
– Matthew Crumley
10 hours ago
|
show 8 more comments
$begingroup$
Let's assume a text file that grows at its very end but is otherwise not edited. We now have 100 transmissions of this, but OTP-encrypted (different OTP each time, of course). The first 50% of the original file are identical.
Of course nothing can be said about the other 50%. But can parts of the first 50%, which stay perfectly identical, be attacked?
(Please be light on the lingo and math, I'm a noob.)
Different scenario, same question: The text is edited in various places, but only individual sentences. This shifts the bytes around, but apart from that, most of it stays perfectly identical.
one-time-pad
asked 22 hours ago
Dreamspace PresidentDreamspace President
1507
New contributor
Dreamspace President is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$endgroup$
Let's assume a text file that grows at its very end but is otherwise not edited. We now have 100 transmissions of this, but OTP-encrypted (different OTP each time, of course). The first 50% of the original file are identical.
Of course nothing can be said about the other 50%. But can parts of the first 50%, which stay perfectly identical, be attacked?
(Please be light on the lingo and math, I'm a noob.)
Different scenario, same question: The text is edited in various places, but only individual sentences. This shifts the bytes around, but apart from that, most of it stays perfectly identical.
one-time-pad
one-time-pad
asked 22 hours ago
Dreamspace PresidentDreamspace President
1507
New contributor
Dreamspace President is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 22 hours ago
Dreamspace PresidentDreamspace President
1507
New contributor
Dreamspace President is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 22 hours ago
Dreamspace PresidentDreamspace President
1507
New contributor
Dreamspace President is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 22 hours ago
Dreamspace PresidentDreamspace President
1507
asked 22 hours ago
Dreamspace PresidentDreamspace President
1507
1507
New contributor
Dreamspace President is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
Dreamspace President is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Dreamspace President is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
1
$begingroup$
I was whimsically considering to make an OTP XOR tool to allow transport of my KeePass database to myself via email, utilizing java.security.SecureRandom.getInstanceStrong() (Windows 10). This spawned the question but I was also interested in general. (Side-note: The database is bigger than 1MB and 7z-compresses to more than its original size, so, due to its built-in encryption, it's already very noisy itself.)
$endgroup$
– Dreamspace President
21 hours ago
2
$begingroup$
Regarding your intended use, I'm pretty sure that what you get via java.security.SecureRandom wouldn't be a proper OTP. You're almost certainly better off in practice with a key file and perhaps something like a Yubikey to hold a portion of the passphrase (to make it harder to shoulder-surf you typing it in), than trying to cobble something together yourself. For one thing, you'll have the benefit of KeyPass at least trying to not leak intermediate data. Who is your adversary anyway, the Andromeda Empire?
$endgroup$
– a CVn
12 hours ago
1
$begingroup$
@DreamspacePresident your OTP File produced with SecureRandom would be a very bloated 160bit, a keyfile with 40 bytes is more than enough.
$endgroup$
– eckes
12 hours ago
2
$begingroup$
Depends on the SecureRandom config, java version and platform, but the commonly used Sha1PRNG of the JCL has not more state. Producing good randomness is hard, it is critical for OTP and it is even harder if you need to produce lots of it. (You would need to use the new DRBG with prediction resistance/reseeding)
$endgroup$
– eckes
11 hours ago
4
$begingroup$
@DreamspacePresident Whether it's 160 bits of state or some other number isn't really all that significant as long as it's not something really low. The main point, I think, is that using a random number generator (even a secure one) doesn't give you the perfect secrecy that a real OTP provides. If you're generating the key with an algorithm, then what you're really doing is pre-calculating part of a stream cipher that's exactly as secure as the random number generator it's based on.
$endgroup$
– Matthew Crumley
10 hours ago
|
show 8 more comments
1
$begingroup$
I was whimsically considering to make an OTP XOR tool to allow transport of my KeePass database to myself via email, utilizing java.security.SecureRandom.getInstanceStrong() (Windows 10). This spawned the question but I was also interested in general. (Side-note: The database is bigger than 1MB and 7z-compresses to more than its original size, so, due to its built-in encryption, it's already very noisy itself.)
$endgroup$
– Dreamspace President
21 hours ago
2
$begingroup$
Regarding your intended use, I'm pretty sure that what you get via java.security.SecureRandom wouldn't be a proper OTP. You're almost certainly better off in practice with a key file and perhaps something like a Yubikey to hold a portion of the passphrase (to make it harder to shoulder-surf you typing it in), than trying to cobble something together yourself. For one thing, you'll have the benefit of KeyPass at least trying to not leak intermediate data. Who is your adversary anyway, the Andromeda Empire?
$endgroup$
– a CVn
12 hours ago
1
$begingroup$
@DreamspacePresident your OTP File produced with SecureRandom would be a very bloated 160bit, a keyfile with 40 bytes is more than enough.
$endgroup$
– eckes
12 hours ago
2
$begingroup$
Depends on the SecureRandom config, java version and platform, but the commonly used Sha1PRNG of the JCL has not more state. Producing good randomness is hard, it is critical for OTP and it is even harder if you need to produce lots of it. (You would need to use the new DRBG with prediction resistance/reseeding)
$endgroup$
– eckes
11 hours ago
4
$begingroup$
@DreamspacePresident Whether it's 160 bits of state or some other number isn't really all that significant as long as it's not something really low. The main point, I think, is that using a random number generator (even a secure one) doesn't give you the perfect secrecy that a real OTP provides. If you're generating the key with an algorithm, then what you're really doing is pre-calculating part of a stream cipher that's exactly as secure as the random number generator it's based on.
$endgroup$
– Matthew Crumley
10 hours ago
1
1
$begingroup$
I was whimsically considering to make an OTP XOR tool to allow transport of my KeePass database to myself via email, utilizing java.security.SecureRandom.getInstanceStrong() (Windows 10). This spawned the question but I was also interested in general. (Side-note: The database is bigger than 1MB and 7z-compresses to more than its original size, so, due to its built-in encryption, it's already very noisy itself.)
$endgroup$
– Dreamspace President
21 hours ago
$begingroup$
I was whimsically considering to make an OTP XOR tool to allow transport of my KeePass database to myself via email, utilizing java.security.SecureRandom.getInstanceStrong() (Windows 10). This spawned the question but I was also interested in general. (Side-note: The database is bigger than 1MB and 7z-compresses to more than its original size, so, due to its built-in encryption, it's already very noisy itself.)
$endgroup$
– Dreamspace President
21 hours ago
2
2
$begingroup$
Regarding your intended use, I'm pretty sure that what you get via java.security.SecureRandom wouldn't be a proper OTP. You're almost certainly better off in practice with a key file and perhaps something like a Yubikey to hold a portion of the passphrase (to make it harder to shoulder-surf you typing it in), than trying to cobble something together yourself. For one thing, you'll have the benefit of KeyPass at least trying to not leak intermediate data. Who is your adversary anyway, the Andromeda Empire?
$endgroup$
– a CVn
12 hours ago
$begingroup$
Regarding your intended use, I'm pretty sure that what you get via java.security.SecureRandom wouldn't be a proper OTP. You're almost certainly better off in practice with a key file and perhaps something like a Yubikey to hold a portion of the passphrase (to make it harder to shoulder-surf you typing it in), than trying to cobble something together yourself. For one thing, you'll have the benefit of KeyPass at least trying to not leak intermediate data. Who is your adversary anyway, the Andromeda Empire?
$endgroup$
– a CVn
12 hours ago
1
1
$begingroup$
@DreamspacePresident your OTP File produced with SecureRandom would be a very bloated 160bit, a keyfile with 40 bytes is more than enough.
$endgroup$
– eckes
12 hours ago
$begingroup$
@DreamspacePresident your OTP File produced with SecureRandom would be a very bloated 160bit, a keyfile with 40 bytes is more than enough.
$endgroup$
– eckes
12 hours ago
2
2
$begingroup$
Depends on the SecureRandom config, java version and platform, but the commonly used Sha1PRNG of the JCL has not more state. Producing good randomness is hard, it is critical for OTP and it is even harder if you need to produce lots of it. (You would need to use the new DRBG with prediction resistance/reseeding)
$endgroup$
– eckes
11 hours ago
$begingroup$
Depends on the SecureRandom config, java version and platform, but the commonly used Sha1PRNG of the JCL has not more state. Producing good randomness is hard, it is critical for OTP and it is even harder if you need to produce lots of it. (You would need to use the new DRBG with prediction resistance/reseeding)
$endgroup$
– eckes
11 hours ago
4
4
$begingroup$
@DreamspacePresident Whether it's 160 bits of state or some other number isn't really all that significant as long as it's not something really low. The main point, I think, is that using a random number generator (even a secure one) doesn't give you the perfect secrecy that a real OTP provides. If you're generating the key with an algorithm, then what you're really doing is pre-calculating part of a stream cipher that's exactly as secure as the random number generator it's based on.
$endgroup$
– Matthew Crumley
10 hours ago
$begingroup$
@DreamspacePresident Whether it's 160 bits of state or some other number isn't really all that significant as long as it's not something really low. The main point, I think, is that using a random number generator (even a secure one) doesn't give you the perfect secrecy that a real OTP provides. If you're generating the key with an algorithm, then what you're really doing is pre-calculating part of a stream cipher that's exactly as secure as the random number generator it's based on.
$endgroup$
– Matthew Crumley
10 hours ago
|
show 8 more comments
6 Answers
6
active
oldest
votes
$begingroup$
No, as long as each pad is completely random and independent, you can encrypt literally anything of the appropriate size (no larger than the pad) and retain information theoretic secure confidentiality. This attack is termed a known-plaintext attack, or KPA. The OTP encryption scheme is only vulnerable to this if you re-use padding material, which breaks the scheme. A proper OTP is not vulnerable to KPA.
answered 22 hours ago
forestforest
3,7361439
$endgroup$
2
$begingroup$
I don't see why this is a known plaintext attack. The attacker never has the plaintext, they just have multiple encrypted versions of it.
$endgroup$
– usul
15 hours ago
1
$begingroup$
@usul: You misread. Forest was pointing out the type of attack that would apply to the scenario - and why it would not work.
$endgroup$
– Dreamspace President
14 hours ago
3
$begingroup$
@DreamspacePresident, thanks for the response, unfortunately it doesn't address my question of why the known plaintext attack would apply to this scenario. In a known plaintext attack, the attacker knows the plaintext. This question asks, "But can parts of the first 50%, which stay perfectly identical, be attacked?" Under my reading, this means the attacker never sees any plaintexts, but only sees many different ciphertexts corresponding to the same plaintext.
$endgroup$
– usul
12 hours ago
1
$begingroup$
What is the difference between re-using padding material and half the data not changing? Is the attack based on using known padding material?
$endgroup$
– TKK
11 hours ago
$begingroup$
@usul "Under my reading, this means the attacker never sees any plaintexts, but only sees many different ciphertexts corresponding to the same plaintext." You responded to forest's text which hypothesizes this: "The OTP encryption scheme is only vulnerable to this if you re-use padding material, which breaks the scheme." In other words: If the same pad is used multiple times (Which is NOT my scenario. It's one he made up to point out a possible attack.), this can be combined with KPA (e.g. ` the `) to learn about the payload.
$endgroup$
– Dreamspace President
11 hours ago
|
show 1 more comment
$begingroup$
The short answer; No
As long as the key is not reused, OTP has perfect secrecy. Even at some point if the attacker knows the plaintext, he will get only a key that is used only once. A problem may occur if the generation algorithm is predictable that is the attacker may use the weakness in the generation algorithm to produce previous and next bits.
answered 22 hours ago
kelalakakelalaka
7,42022245
$endgroup$
add a comment |
$begingroup$
Why is OTP perfectly secure?
Let's assume you would like to encrypt a plaintext $m$ using OTP. In order to do that, you would need to pick $m$ from a possible message space of $M$ with a given length. $M$ hereby represents all possible messages of this length.
Further, you choose a key $k$ from the given keyspace $K$. Note that $K$ and $M$ have the same size. In order to encrypt this message, you calculate $c = m mathbin{oplus} k$ and send $c$ to the recipient. $k$ must be distributed out-of-band, which means it is known both to you and the recipient, but not the attacker.
An attacker would now intercept $c$ and attempts to recover $m$, by iterating through $K$ and attempt every possible $k$. What this means is that the attacker receives every possible $m$ in $M$, something they could have done anyways. They have no more information about your chosen $m$ than they did before.
What if we use the same $m$ multiple times?
To answer this question, let us create $c_1$ and $c_2$, this time with $m$, $k_1$ and $k_2$, such that $c_1 = m mathbin{oplus} k_1$ and $c_2 = m mathbin{oplus} k_2$.
If an attacker were to intercept $c_1$ and $c_2$, they could calculate the following:
$c_1 mathbin{oplus} c_2 = m mathbin{oplus} k_1 mathbin{oplus} m mathbin{oplus} k_2$
Since $m mathbin{oplus} m = 0$ and $x mathbin{oplus} 0 = x$, we can write the result as:
$c_1 mathbin{oplus} c_2 = k_1 mathbin{oplus} k_2$
This is not useful for the attacker, as $k_1$ and $k_2$ are randomly chosen and never reused.
Why is OTP not used everywhere then?
Even though this is a bit out-of-scope, it's a question that is often asked by beginning cryptographers when encountering a seemingly perfect encryption scheme. The problem is its usability.
Imagine you would like to encrypt a message and send it to me. How would you do that? I don't have your key, and if you want to negotiate an out-of-band key exchange (say, by meeting with me in person in a secure area), then you might as well tell me the message there (if the message is known at the time).
answered 17 hours ago
David StockingerDavid Stockinger
1887
$endgroup$
2
$begingroup$
"then you might as well tell me the message there"... assuming, of course, that the message to be communicated is known at the time. There are valid scenarios in which this is not the case, yet the security properties of OTP are desirable.
$endgroup$
– a CVn
14 hours ago
$begingroup$
There is a fourth section there: When is OTP used? - Not very often, it seems
$endgroup$
– Mindwin
14 hours ago
$begingroup$
related.
$endgroup$
– Mindwin
14 hours ago
$begingroup$
@aCVn Correct! Say, I command a submarine and you wish to send me commands as the time arrives. What OTP allows you to do to basically give me a set of messages to be received in the future. In my example, I assumed you wanted to send me a message now. I will update my answer to clarify this.
$endgroup$
– David Stockinger
12 hours ago
3
$begingroup$
"perfect secrecy" is not synonymous with "perfectly secure". OTP is still malleable and vulnerable to bit flipping attacks.
$endgroup$
– Ella Rose♦
12 hours ago
|
show 1 more comment
$begingroup$
You appear to be asking if comparative analysis could be employed between the different crypted iterations of the same text to decode it. Answer is "no": As long as the pads are produced using truly random data, the crypted text will never come out the sausage maker the same way twice. The only way comparative analysis could succeed is if keys were reused, which multiple posters to this thread already noted.
The pads must also be transmitted securely. If there is ever a period where they were not accounted for or not in a courier's control during distribution, they must be deemed to be compromised. If a courier is used for distribution, they themselves must also be absolutely trustworthy; a known quantity.
Lastly, if either the sending or receiving station are themselves compromised (those using OTPs), there's ways to tip off the opposite end of the channel of that fact who can then decide to either cease communications and leave you to your fate, or use the channel to distribute misinformation.
So if the following (4) strictures are observed, OTP are UNBREAKABLE:
- Never reuse keys
- Don't encrypt messages larger then the key
- Produce pads using random data
- Ensure pads cannot be compromised during distribution to the operators
-Terrence
answered 11 hours ago
F1LinuxF1Linux
213
New contributor
F1Linux is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$endgroup$
add a comment |
$begingroup$
Though the method is not vulnerable provide that the implementation is right. Of course the key is not reused. For extra entropy you can use a feedback mechanism in case the data is longer than the PAD.
answered 22 hours ago
Soumen MukherjeeSoumen Mukherjee
1094
New contributor
Soumen Mukherjee is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$endgroup$
1
$begingroup$
"you can use a feedback mechanism" - Could you please elaborate on the method e.g. via a link? My searches have not been fruitful.
$endgroup$
– Dreamspace President
21 hours ago
3
$begingroup$
A feedback mechanism is an inefficient home made crypto mode (and therefore not recommended) and it is no longer OTP with all its security guarantees.
$endgroup$
– eckes
17 hours ago
2
$begingroup$
Key stretching, by any name, cannot provide "extra entropy", regardless of whether the encryption algorithm is a one-time pad or something else. Key stretching can be used to turn a shorter key into a longer key, but as the longer key can be derived from the shorter key, the entropy of the longer key cannot be greater than that of the shorter key. The attacker can always choose to attack the smaller key space and execute the key stretching algorithm as part of the attack, if doing so is beneficial compared to attacking the larger key space without stretching each attempted key.
$endgroup$
– a CVn
12 hours ago
$begingroup$
@aCVn: Could not the low-entropy data "4000000" be used as a seed for a random generator that creates high entropy data? Or would you say that the entropy has not increased? - I get that it would be a predictable outcome, but still. If the last bits of a too short pad are used to create more pad data, and the attacker does not know of the seam point/data, they are not the wiser.
$endgroup$
– Dreamspace President
11 hours ago
1
$begingroup$
@DreamspacePresident No. Entropy (in the information theory sense) cannot ever increase except when one adds more unrelated data. A deterministic algorithm cannot turn low entropy data into higher entropy data. Keep in mind that entropy has virtually nothing to do with how random-looking some data is in some particular representation. Also read up on Kerckhoffs' principle; the Wikipedia article on it isn't bad if you want an easy start. This is going well beyond requests for clarification on specific posts, so for further questions on this, I encourage you to research and post new questions.
$endgroup$
– a CVn
9 hours ago
add a comment |
$begingroup$
Whether anything is "secure" depends upon the threat model. Simple forms of OTP are absolutely secure against eavesdropping attacks, but may be essentially worthless against known-plaintext spoofing attacks, since each piece of key needs to be used twice--once by the person encrypting the message, and once by the person decrypting it. Consequently, someone who has access to the plaintext and ciphertext forms of a message, as well as the communications channel used to transmit it, will be able to ascertain the key before it is used by the recipient.
If (for purposes of the example) a message was encrypted using a Caesar cipher OTP (add 0-25 to each letter of plaintext to get the ciphertext), someone who knew that a message was "ATTACK AT DAWN" and knew that the last four letters encrypted were "FRED" would be able to determine that the last four letters were shifted by 24, 9, 16, 10. If the person replaced the last four characters of the transmitted message with "ZXZD", the recipient would decode the resulting message as "ATTACK AT NOON".
Overcoming this problem in cases where bandwidth or timing restrictions would preclude the use of a Message Authentication Code (MAC) would require generating more key material, so that multiple possible keys could yield each (plaintext-ciphertext) combination. If message characters must be encrypted entirely independently (such that corruption of one character at the source would corrupt only one character decoded by the recipient), there would be no way to avoid granting an adversary the ability to corrupt any single character. If each character represents a one-of-C choice, however, adding additional key material, chosen from one of (C-1) possibilities, would suffice to prevent the adversary from having any control over which of the (C-1) alternative characters would be decoded. In cases where a transmission error would be allowed to cause more severe disruption of the received message, other forms of encryption and authentication would likely be more appropriate.
Note that depending upon the usage and threat model, the ability of an attacker to guarantee that a byte gets changed somehow may or may not be a meaningful weakness. It's important to note, however, that sometimes seemingly harmless weaknesses (e.g. the fact that Enigma could only map each letter to one of 25 others) may sometimes be exploitable in ways that may be hard to anticipate.
answered 15 hours ago
supercatsupercat
21914
$endgroup$
1
$begingroup$
This is only a problem with an unauthenticated OTP. Just because you're using a OTP doesn't mean it needs to be unauthenticated.
$endgroup$
– a CVn
14 hours ago
$begingroup$
@aCVn: It is certainly possible to supplement OTP with other means of authentication if one is aware of this vulnerability, but there are some problems. One advantage of schemes like OTP and CTR is that they can be used with minimal delay between the time the sender acquires the material to be sent and the recipient is able to act upon it. Nearly all forms of authentication would require that a message be composed into some sort of block, with each block having to be received in its entirety before the authenticity of any of it can be determined.
$endgroup$
– supercat
14 hours ago
$begingroup$
@aCVn: Expanding the size of the key material would make it possible to limit an attacker's ability to that of randomly disturbing all message content following a particular point, while still allowing a recipient who has heard N bytes sent over the communications medium to know that what was heard were either the first N characters of a legitimate message, or the first N-k bytes of the legitimate message followed by k characters over which neither the message originator nor the attacker had any meaningful control.
$endgroup$
– supercat
14 hours ago
$begingroup$
... if one is aware of this vulnerability ...If one is not aware of this vulnerability, then they should not be using homebrew cryptography. Trading security for questionable performance improvements is not a good decision. It becomes an acceptable decision iff it can be proven that those performance improvements are necessary and the the loss in security is negligible for the specific use case. This answer admits the proposed solution is not satisfactory while simultaneously rebelling against the correct solution of using a MAC.
$endgroup$
– Ella Rose♦
14 hours ago
1
$begingroup$
That's good to point out the problem, but it doesn't justify explicitly recommending against a MAC and recommending something else instead. IfOvercoming this problem would require generating more key materialsaidOvercoming this problem would require a MAC, then I would not have downvoted. But it doesn't, so I did.
$endgroup$
– Ella Rose♦
13 hours ago
|
show 4 more comments
Your Answer
StackExchange.ifUsing("editor", function () {
return StackExchange.using("mathjaxEditing", function () {
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
});
});
}, "mathjax-editing");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "281"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Dreamspace President is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f67137%2fis-one-time-pad-encryption-vulnerable-when-near-identical-data-is-sent-many-time%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
6 Answers
6
active
oldest
votes
6 Answers
6
active
oldest
votes
active
oldest
votes
active
oldest
votes
$begingroup$
No, as long as each pad is completely random and independent, you can encrypt literally anything of the appropriate size (no larger than the pad) and retain information theoretic secure confidentiality. This attack is termed a known-plaintext attack, or KPA. The OTP encryption scheme is only vulnerable to this if you re-use padding material, which breaks the scheme. A proper OTP is not vulnerable to KPA.
answered 22 hours ago
forestforest
3,7361439
$endgroup$
2
$begingroup$
I don't see why this is a known plaintext attack. The attacker never has the plaintext, they just have multiple encrypted versions of it.
$endgroup$
– usul
15 hours ago
1
$begingroup$
@usul: You misread. Forest was pointing out the type of attack that would apply to the scenario - and why it would not work.
$endgroup$
– Dreamspace President
14 hours ago
3
$begingroup$
@DreamspacePresident, thanks for the response, unfortunately it doesn't address my question of why the known plaintext attack would apply to this scenario. In a known plaintext attack, the attacker knows the plaintext. This question asks, "But can parts of the first 50%, which stay perfectly identical, be attacked?" Under my reading, this means the attacker never sees any plaintexts, but only sees many different ciphertexts corresponding to the same plaintext.
$endgroup$
– usul
12 hours ago
1
$begingroup$
What is the difference between re-using padding material and half the data not changing? Is the attack based on using known padding material?
$endgroup$
– TKK
11 hours ago
$begingroup$
@usul "Under my reading, this means the attacker never sees any plaintexts, but only sees many different ciphertexts corresponding to the same plaintext." You responded to forest's text which hypothesizes this: "The OTP encryption scheme is only vulnerable to this if you re-use padding material, which breaks the scheme." In other words: If the same pad is used multiple times (Which is NOT my scenario. It's one he made up to point out a possible attack.), this can be combined with KPA (e.g. ` the `) to learn about the payload.
$endgroup$
– Dreamspace President
11 hours ago
|
show 1 more comment
$begingroup$
No, as long as each pad is completely random and independent, you can encrypt literally anything of the appropriate size (no larger than the pad) and retain information theoretic secure confidentiality. This attack is termed a known-plaintext attack, or KPA. The OTP encryption scheme is only vulnerable to this if you re-use padding material, which breaks the scheme. A proper OTP is not vulnerable to KPA.
answered 22 hours ago
forestforest
3,7361439
$endgroup$
2
$begingroup$
I don't see why this is a known plaintext attack. The attacker never has the plaintext, they just have multiple encrypted versions of it.
$endgroup$
– usul
15 hours ago
1
$begingroup$
@usul: You misread. Forest was pointing out the type of attack that would apply to the scenario - and why it would not work.
$endgroup$
– Dreamspace President
14 hours ago
3
$begingroup$
@DreamspacePresident, thanks for the response, unfortunately it doesn't address my question of why the known plaintext attack would apply to this scenario. In a known plaintext attack, the attacker knows the plaintext. This question asks, "But can parts of the first 50%, which stay perfectly identical, be attacked?" Under my reading, this means the attacker never sees any plaintexts, but only sees many different ciphertexts corresponding to the same plaintext.
$endgroup$
– usul
12 hours ago
1
$begingroup$
What is the difference between re-using padding material and half the data not changing? Is the attack based on using known padding material?
$endgroup$
– TKK
11 hours ago
$begingroup$
@usul "Under my reading, this means the attacker never sees any plaintexts, but only sees many different ciphertexts corresponding to the same plaintext." You responded to forest's text which hypothesizes this: "The OTP encryption scheme is only vulnerable to this if you re-use padding material, which breaks the scheme." In other words: If the same pad is used multiple times (Which is NOT my scenario. It's one he made up to point out a possible attack.), this can be combined with KPA (e.g. ` the `) to learn about the payload.
$endgroup$
– Dreamspace President
11 hours ago
|
show 1 more comment
$begingroup$
No, as long as each pad is completely random and independent, you can encrypt literally anything of the appropriate size (no larger than the pad) and retain information theoretic secure confidentiality. This attack is termed a known-plaintext attack, or KPA. The OTP encryption scheme is only vulnerable to this if you re-use padding material, which breaks the scheme. A proper OTP is not vulnerable to KPA.
answered 22 hours ago
forestforest
3,7361439
$endgroup$
No, as long as each pad is completely random and independent, you can encrypt literally anything of the appropriate size (no larger than the pad) and retain information theoretic secure confidentiality. This attack is termed a known-plaintext attack, or KPA. The OTP encryption scheme is only vulnerable to this if you re-use padding material, which breaks the scheme. A proper OTP is not vulnerable to KPA.
answered 22 hours ago
forestforest
3,7361439
edited 22 hours ago
answered 22 hours ago
forestforest
3,7361439
answered 22 hours ago
forestforest
3,7361439
answered 22 hours ago
forestforest
3,7361439
3,7361439
2
$begingroup$
I don't see why this is a known plaintext attack. The attacker never has the plaintext, they just have multiple encrypted versions of it.
$endgroup$
– usul
15 hours ago
1
$begingroup$
@usul: You misread. Forest was pointing out the type of attack that would apply to the scenario - and why it would not work.
$endgroup$
– Dreamspace President
14 hours ago
3
$begingroup$
@DreamspacePresident, thanks for the response, unfortunately it doesn't address my question of why the known plaintext attack would apply to this scenario. In a known plaintext attack, the attacker knows the plaintext. This question asks, "But can parts of the first 50%, which stay perfectly identical, be attacked?" Under my reading, this means the attacker never sees any plaintexts, but only sees many different ciphertexts corresponding to the same plaintext.
$endgroup$
– usul
12 hours ago
1
$begingroup$
What is the difference between re-using padding material and half the data not changing? Is the attack based on using known padding material?
$endgroup$
– TKK
11 hours ago
$begingroup$
@usul "Under my reading, this means the attacker never sees any plaintexts, but only sees many different ciphertexts corresponding to the same plaintext." You responded to forest's text which hypothesizes this: "The OTP encryption scheme is only vulnerable to this if you re-use padding material, which breaks the scheme." In other words: If the same pad is used multiple times (Which is NOT my scenario. It's one he made up to point out a possible attack.), this can be combined with KPA (e.g. ` the `) to learn about the payload.
$endgroup$
– Dreamspace President
11 hours ago
|
show 1 more comment
2
$begingroup$
I don't see why this is a known plaintext attack. The attacker never has the plaintext, they just have multiple encrypted versions of it.
$endgroup$
– usul
15 hours ago
1
$begingroup$
@usul: You misread. Forest was pointing out the type of attack that would apply to the scenario - and why it would not work.
$endgroup$
– Dreamspace President
14 hours ago
3
$begingroup$
@DreamspacePresident, thanks for the response, unfortunately it doesn't address my question of why the known plaintext attack would apply to this scenario. In a known plaintext attack, the attacker knows the plaintext. This question asks, "But can parts of the first 50%, which stay perfectly identical, be attacked?" Under my reading, this means the attacker never sees any plaintexts, but only sees many different ciphertexts corresponding to the same plaintext.
$endgroup$
– usul
12 hours ago
1
$begingroup$
What is the difference between re-using padding material and half the data not changing? Is the attack based on using known padding material?
$endgroup$
– TKK
11 hours ago
$begingroup$
@usul "Under my reading, this means the attacker never sees any plaintexts, but only sees many different ciphertexts corresponding to the same plaintext." You responded to forest's text which hypothesizes this: "The OTP encryption scheme is only vulnerable to this if you re-use padding material, which breaks the scheme." In other words: If the same pad is used multiple times (Which is NOT my scenario. It's one he made up to point out a possible attack.), this can be combined with KPA (e.g. ` the `) to learn about the payload.
$endgroup$
– Dreamspace President
11 hours ago
2
2
$begingroup$
I don't see why this is a known plaintext attack. The attacker never has the plaintext, they just have multiple encrypted versions of it.
$endgroup$
– usul
15 hours ago
$begingroup$
I don't see why this is a known plaintext attack. The attacker never has the plaintext, they just have multiple encrypted versions of it.
$endgroup$
– usul
15 hours ago
1
1
$begingroup$
@usul: You misread. Forest was pointing out the type of attack that would apply to the scenario - and why it would not work.
$endgroup$
– Dreamspace President
14 hours ago
$begingroup$
@usul: You misread. Forest was pointing out the type of attack that would apply to the scenario - and why it would not work.
$endgroup$
– Dreamspace President
14 hours ago
3
3
$begingroup$
@DreamspacePresident, thanks for the response, unfortunately it doesn't address my question of why the known plaintext attack would apply to this scenario. In a known plaintext attack, the attacker knows the plaintext. This question asks, "But can parts of the first 50%, which stay perfectly identical, be attacked?" Under my reading, this means the attacker never sees any plaintexts, but only sees many different ciphertexts corresponding to the same plaintext.
$endgroup$
– usul
12 hours ago
$begingroup$
@DreamspacePresident, thanks for the response, unfortunately it doesn't address my question of why the known plaintext attack would apply to this scenario. In a known plaintext attack, the attacker knows the plaintext. This question asks, "But can parts of the first 50%, which stay perfectly identical, be attacked?" Under my reading, this means the attacker never sees any plaintexts, but only sees many different ciphertexts corresponding to the same plaintext.
$endgroup$
– usul
12 hours ago
1
1
$begingroup$
What is the difference between re-using padding material and half the data not changing? Is the attack based on using known padding material?
$endgroup$
– TKK
11 hours ago
$begingroup$
What is the difference between re-using padding material and half the data not changing? Is the attack based on using known padding material?
$endgroup$
– TKK
11 hours ago
$begingroup$
@usul "Under my reading, this means the attacker never sees any plaintexts, but only sees many different ciphertexts corresponding to the same plaintext." You responded to forest's text which hypothesizes this: "The OTP encryption scheme is only vulnerable to this if you re-use padding material, which breaks the scheme." In other words: If the same pad is used multiple times (Which is NOT my scenario. It's one he made up to point out a possible attack.), this can be combined with KPA (e.g. ` the `) to learn about the payload.
$endgroup$
– Dreamspace President
11 hours ago
$begingroup$
@usul "Under my reading, this means the attacker never sees any plaintexts, but only sees many different ciphertexts corresponding to the same plaintext." You responded to forest's text which hypothesizes this: "The OTP encryption scheme is only vulnerable to this if you re-use padding material, which breaks the scheme." In other words: If the same pad is used multiple times (Which is NOT my scenario. It's one he made up to point out a possible attack.), this can be combined with KPA (e.g. ` the `) to learn about the payload.
$endgroup$
– Dreamspace President
11 hours ago
|
show 1 more comment
$begingroup$
The short answer; No
As long as the key is not reused, OTP has perfect secrecy. Even at some point if the attacker knows the plaintext, he will get only a key that is used only once. A problem may occur if the generation algorithm is predictable that is the attacker may use the weakness in the generation algorithm to produce previous and next bits.
answered 22 hours ago
kelalakakelalaka
7,42022245
$endgroup$
add a comment |
$begingroup$
The short answer; No
As long as the key is not reused, OTP has perfect secrecy. Even at some point if the attacker knows the plaintext, he will get only a key that is used only once. A problem may occur if the generation algorithm is predictable that is the attacker may use the weakness in the generation algorithm to produce previous and next bits.
answered 22 hours ago
kelalakakelalaka
7,42022245
$endgroup$
add a comment |
$begingroup$
The short answer; No
As long as the key is not reused, OTP has perfect secrecy. Even at some point if the attacker knows the plaintext, he will get only a key that is used only once. A problem may occur if the generation algorithm is predictable that is the attacker may use the weakness in the generation algorithm to produce previous and next bits.
answered 22 hours ago
kelalakakelalaka
7,42022245
$endgroup$
The short answer; No
As long as the key is not reused, OTP has perfect secrecy. Even at some point if the attacker knows the plaintext, he will get only a key that is used only once. A problem may occur if the generation algorithm is predictable that is the attacker may use the weakness in the generation algorithm to produce previous and next bits.
answered 22 hours ago
kelalakakelalaka
7,42022245
edited 12 hours ago
answered 22 hours ago
kelalakakelalaka
7,42022245
answered 22 hours ago
kelalakakelalaka
7,42022245
answered 22 hours ago
kelalakakelalaka
7,42022245
7,42022245
add a comment |
add a comment |
$begingroup$
Why is OTP perfectly secure?
Let's assume you would like to encrypt a plaintext $m$ using OTP. In order to do that, you would need to pick $m$ from a possible message space of $M$ with a given length. $M$ hereby represents all possible messages of this length.
Further, you choose a key $k$ from the given keyspace $K$. Note that $K$ and $M$ have the same size. In order to encrypt this message, you calculate $c = m mathbin{oplus} k$ and send $c$ to the recipient. $k$ must be distributed out-of-band, which means it is known both to you and the recipient, but not the attacker.
An attacker would now intercept $c$ and attempts to recover $m$, by iterating through $K$ and attempt every possible $k$. What this means is that the attacker receives every possible $m$ in $M$, something they could have done anyways. They have no more information about your chosen $m$ than they did before.
What if we use the same $m$ multiple times?
To answer this question, let us create $c_1$ and $c_2$, this time with $m$, $k_1$ and $k_2$, such that $c_1 = m mathbin{oplus} k_1$ and $c_2 = m mathbin{oplus} k_2$.
If an attacker were to intercept $c_1$ and $c_2$, they could calculate the following:
$c_1 mathbin{oplus} c_2 = m mathbin{oplus} k_1 mathbin{oplus} m mathbin{oplus} k_2$
Since $m mathbin{oplus} m = 0$ and $x mathbin{oplus} 0 = x$, we can write the result as:
$c_1 mathbin{oplus} c_2 = k_1 mathbin{oplus} k_2$
This is not useful for the attacker, as $k_1$ and $k_2$ are randomly chosen and never reused.
Why is OTP not used everywhere then?
Even though this is a bit out-of-scope, it's a question that is often asked by beginning cryptographers when encountering a seemingly perfect encryption scheme. The problem is its usability.
Imagine you would like to encrypt a message and send it to me. How would you do that? I don't have your key, and if you want to negotiate an out-of-band key exchange (say, by meeting with me in person in a secure area), then you might as well tell me the message there (if the message is known at the time).
answered 17 hours ago
David StockingerDavid Stockinger
1887
$endgroup$
2
$begingroup$
"then you might as well tell me the message there"... assuming, of course, that the message to be communicated is known at the time. There are valid scenarios in which this is not the case, yet the security properties of OTP are desirable.
$endgroup$
– a CVn
14 hours ago
$begingroup$
There is a fourth section there: When is OTP used? - Not very often, it seems
$endgroup$
– Mindwin
14 hours ago
$begingroup$
related.
$endgroup$
– Mindwin
14 hours ago
$begingroup$
@aCVn Correct! Say, I command a submarine and you wish to send me commands as the time arrives. What OTP allows you to do to basically give me a set of messages to be received in the future. In my example, I assumed you wanted to send me a message now. I will update my answer to clarify this.
$endgroup$
– David Stockinger
12 hours ago
3
$begingroup$
"perfect secrecy" is not synonymous with "perfectly secure". OTP is still malleable and vulnerable to bit flipping attacks.
$endgroup$
– Ella Rose♦
12 hours ago
|
show 1 more comment
$begingroup$
Why is OTP perfectly secure?
Let's assume you would like to encrypt a plaintext $m$ using OTP. In order to do that, you would need to pick $m$ from a possible message space of $M$ with a given length. $M$ hereby represents all possible messages of this length.
Further, you choose a key $k$ from the given keyspace $K$. Note that $K$ and $M$ have the same size. In order to encrypt this message, you calculate $c = m mathbin{oplus} k$ and send $c$ to the recipient. $k$ must be distributed out-of-band, which means it is known both to you and the recipient, but not the attacker.
An attacker would now intercept $c$ and attempts to recover $m$, by iterating through $K$ and attempt every possible $k$. What this means is that the attacker receives every possible $m$ in $M$, something they could have done anyways. They have no more information about your chosen $m$ than they did before.
What if we use the same $m$ multiple times?
To answer this question, let us create $c_1$ and $c_2$, this time with $m$, $k_1$ and $k_2$, such that $c_1 = m mathbin{oplus} k_1$ and $c_2 = m mathbin{oplus} k_2$.
If an attacker were to intercept $c_1$ and $c_2$, they could calculate the following:
$c_1 mathbin{oplus} c_2 = m mathbin{oplus} k_1 mathbin{oplus} m mathbin{oplus} k_2$
Since $m mathbin{oplus} m = 0$ and $x mathbin{oplus} 0 = x$, we can write the result as:
$c_1 mathbin{oplus} c_2 = k_1 mathbin{oplus} k_2$
This is not useful for the attacker, as $k_1$ and $k_2$ are randomly chosen and never reused.
Why is OTP not used everywhere then?
Even though this is a bit out-of-scope, it's a question that is often asked by beginning cryptographers when encountering a seemingly perfect encryption scheme. The problem is its usability.
Imagine you would like to encrypt a message and send it to me. How would you do that? I don't have your key, and if you want to negotiate an out-of-band key exchange (say, by meeting with me in person in a secure area), then you might as well tell me the message there (if the message is known at the time).
answered 17 hours ago
David StockingerDavid Stockinger
1887
$endgroup$
2
$begingroup$
"then you might as well tell me the message there"... assuming, of course, that the message to be communicated is known at the time. There are valid scenarios in which this is not the case, yet the security properties of OTP are desirable.
$endgroup$
– a CVn
14 hours ago
$begingroup$
There is a fourth section there: When is OTP used? - Not very often, it seems
$endgroup$
– Mindwin
14 hours ago
$begingroup$
related.
$endgroup$
– Mindwin
14 hours ago
$begingroup$
@aCVn Correct! Say, I command a submarine and you wish to send me commands as the time arrives. What OTP allows you to do to basically give me a set of messages to be received in the future. In my example, I assumed you wanted to send me a message now. I will update my answer to clarify this.
$endgroup$
– David Stockinger
12 hours ago
3
$begingroup$
"perfect secrecy" is not synonymous with "perfectly secure". OTP is still malleable and vulnerable to bit flipping attacks.
$endgroup$
– Ella Rose♦
12 hours ago
|
show 1 more comment
$begingroup$
Why is OTP perfectly secure?
Let's assume you would like to encrypt a plaintext $m$ using OTP. In order to do that, you would need to pick $m$ from a possible message space of $M$ with a given length. $M$ hereby represents all possible messages of this length.
Further, you choose a key $k$ from the given keyspace $K$. Note that $K$ and $M$ have the same size. In order to encrypt this message, you calculate $c = m mathbin{oplus} k$ and send $c$ to the recipient. $k$ must be distributed out-of-band, which means it is known both to you and the recipient, but not the attacker.
An attacker would now intercept $c$ and attempts to recover $m$, by iterating through $K$ and attempt every possible $k$. What this means is that the attacker receives every possible $m$ in $M$, something they could have done anyways. They have no more information about your chosen $m$ than they did before.
What if we use the same $m$ multiple times?
To answer this question, let us create $c_1$ and $c_2$, this time with $m$, $k_1$ and $k_2$, such that $c_1 = m mathbin{oplus} k_1$ and $c_2 = m mathbin{oplus} k_2$.
If an attacker were to intercept $c_1$ and $c_2$, they could calculate the following:
$c_1 mathbin{oplus} c_2 = m mathbin{oplus} k_1 mathbin{oplus} m mathbin{oplus} k_2$
Since $m mathbin{oplus} m = 0$ and $x mathbin{oplus} 0 = x$, we can write the result as:
$c_1 mathbin{oplus} c_2 = k_1 mathbin{oplus} k_2$
This is not useful for the attacker, as $k_1$ and $k_2$ are randomly chosen and never reused.
Why is OTP not used everywhere then?
Even though this is a bit out-of-scope, it's a question that is often asked by beginning cryptographers when encountering a seemingly perfect encryption scheme. The problem is its usability.
Imagine you would like to encrypt a message and send it to me. How would you do that? I don't have your key, and if you want to negotiate an out-of-band key exchange (say, by meeting with me in person in a secure area), then you might as well tell me the message there (if the message is known at the time).
answered 17 hours ago
David StockingerDavid Stockinger
1887
$endgroup$
Why is OTP perfectly secure?
Let's assume you would like to encrypt a plaintext $m$ using OTP. In order to do that, you would need to pick $m$ from a possible message space of $M$ with a given length. $M$ hereby represents all possible messages of this length.
Further, you choose a key $k$ from the given keyspace $K$. Note that $K$ and $M$ have the same size. In order to encrypt this message, you calculate $c = m mathbin{oplus} k$ and send $c$ to the recipient. $k$ must be distributed out-of-band, which means it is known both to you and the recipient, but not the attacker.
An attacker would now intercept $c$ and attempts to recover $m$, by iterating through $K$ and attempt every possible $k$. What this means is that the attacker receives every possible $m$ in $M$, something they could have done anyways. They have no more information about your chosen $m$ than they did before.
What if we use the same $m$ multiple times?
To answer this question, let us create $c_1$ and $c_2$, this time with $m$, $k_1$ and $k_2$, such that $c_1 = m mathbin{oplus} k_1$ and $c_2 = m mathbin{oplus} k_2$.
If an attacker were to intercept $c_1$ and $c_2$, they could calculate the following:
$c_1 mathbin{oplus} c_2 = m mathbin{oplus} k_1 mathbin{oplus} m mathbin{oplus} k_2$
Since $m mathbin{oplus} m = 0$ and $x mathbin{oplus} 0 = x$, we can write the result as:
$c_1 mathbin{oplus} c_2 = k_1 mathbin{oplus} k_2$
This is not useful for the attacker, as $k_1$ and $k_2$ are randomly chosen and never reused.
Why is OTP not used everywhere then?
Even though this is a bit out-of-scope, it's a question that is often asked by beginning cryptographers when encountering a seemingly perfect encryption scheme. The problem is its usability.
Imagine you would like to encrypt a message and send it to me. How would you do that? I don't have your key, and if you want to negotiate an out-of-band key exchange (say, by meeting with me in person in a secure area), then you might as well tell me the message there (if the message is known at the time).
answered 17 hours ago
David StockingerDavid Stockinger
1887
edited 12 hours ago
answered 17 hours ago
David StockingerDavid Stockinger
1887
answered 17 hours ago
David StockingerDavid Stockinger
1887
answered 17 hours ago
David StockingerDavid Stockinger
1887
1887
2
$begingroup$
"then you might as well tell me the message there"... assuming, of course, that the message to be communicated is known at the time. There are valid scenarios in which this is not the case, yet the security properties of OTP are desirable.
$endgroup$
– a CVn
14 hours ago
$begingroup$
There is a fourth section there: When is OTP used? - Not very often, it seems
$endgroup$
– Mindwin
14 hours ago
$begingroup$
related.
$endgroup$
– Mindwin
14 hours ago
$begingroup$
@aCVn Correct! Say, I command a submarine and you wish to send me commands as the time arrives. What OTP allows you to do to basically give me a set of messages to be received in the future. In my example, I assumed you wanted to send me a message now. I will update my answer to clarify this.
$endgroup$
– David Stockinger
12 hours ago
3
$begingroup$
"perfect secrecy" is not synonymous with "perfectly secure". OTP is still malleable and vulnerable to bit flipping attacks.
$endgroup$
– Ella Rose♦
12 hours ago
|
show 1 more comment
2
$begingroup$
"then you might as well tell me the message there"... assuming, of course, that the message to be communicated is known at the time. There are valid scenarios in which this is not the case, yet the security properties of OTP are desirable.
$endgroup$
– a CVn
14 hours ago
$begingroup$
There is a fourth section there: When is OTP used? - Not very often, it seems
$endgroup$
– Mindwin
14 hours ago
$begingroup$
related.
$endgroup$
– Mindwin
14 hours ago
$begingroup$
@aCVn Correct! Say, I command a submarine and you wish to send me commands as the time arrives. What OTP allows you to do to basically give me a set of messages to be received in the future. In my example, I assumed you wanted to send me a message now. I will update my answer to clarify this.
$endgroup$
– David Stockinger
12 hours ago
3
$begingroup$
"perfect secrecy" is not synonymous with "perfectly secure". OTP is still malleable and vulnerable to bit flipping attacks.
$endgroup$
– Ella Rose♦
12 hours ago
2
2
$begingroup$
"then you might as well tell me the message there"... assuming, of course, that the message to be communicated is known at the time. There are valid scenarios in which this is not the case, yet the security properties of OTP are desirable.
$endgroup$
– a CVn
14 hours ago
$begingroup$
"then you might as well tell me the message there"... assuming, of course, that the message to be communicated is known at the time. There are valid scenarios in which this is not the case, yet the security properties of OTP are desirable.
$endgroup$
– a CVn
14 hours ago
$begingroup$
There is a fourth section there: When is OTP used? - Not very often, it seems
$endgroup$
– Mindwin
14 hours ago
$begingroup$
There is a fourth section there: When is OTP used? - Not very often, it seems
$endgroup$
– Mindwin
14 hours ago
$begingroup$
related.
$endgroup$
– Mindwin
14 hours ago
$begingroup$
related.
$endgroup$
– Mindwin
14 hours ago
$begingroup$
@aCVn Correct! Say, I command a submarine and you wish to send me commands as the time arrives. What OTP allows you to do to basically give me a set of messages to be received in the future. In my example, I assumed you wanted to send me a message now. I will update my answer to clarify this.
$endgroup$
– David Stockinger
12 hours ago
$begingroup$
@aCVn Correct! Say, I command a submarine and you wish to send me commands as the time arrives. What OTP allows you to do to basically give me a set of messages to be received in the future. In my example, I assumed you wanted to send me a message now. I will update my answer to clarify this.
$endgroup$
– David Stockinger
12 hours ago
3
3
$begingroup$
"perfect secrecy" is not synonymous with "perfectly secure". OTP is still malleable and vulnerable to bit flipping attacks.
$endgroup$
– Ella Rose♦
12 hours ago
$begingroup$
"perfect secrecy" is not synonymous with "perfectly secure". OTP is still malleable and vulnerable to bit flipping attacks.
$endgroup$
– Ella Rose♦
12 hours ago
|
show 1 more comment
$begingroup$
You appear to be asking if comparative analysis could be employed between the different crypted iterations of the same text to decode it. Answer is "no": As long as the pads are produced using truly random data, the crypted text will never come out the sausage maker the same way twice. The only way comparative analysis could succeed is if keys were reused, which multiple posters to this thread already noted.
The pads must also be transmitted securely. If there is ever a period where they were not accounted for or not in a courier's control during distribution, they must be deemed to be compromised. If a courier is used for distribution, they themselves must also be absolutely trustworthy; a known quantity.
Lastly, if either the sending or receiving station are themselves compromised (those using OTPs), there's ways to tip off the opposite end of the channel of that fact who can then decide to either cease communications and leave you to your fate, or use the channel to distribute misinformation.
So if the following (4) strictures are observed, OTP are UNBREAKABLE:
- Never reuse keys
- Don't encrypt messages larger then the key
- Produce pads using random data
- Ensure pads cannot be compromised during distribution to the operators
-Terrence
answered 11 hours ago
F1LinuxF1Linux
213
New contributor
F1Linux is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$endgroup$
add a comment |
$begingroup$
You appear to be asking if comparative analysis could be employed between the different crypted iterations of the same text to decode it. Answer is "no": As long as the pads are produced using truly random data, the crypted text will never come out the sausage maker the same way twice. The only way comparative analysis could succeed is if keys were reused, which multiple posters to this thread already noted.
The pads must also be transmitted securely. If there is ever a period where they were not accounted for or not in a courier's control during distribution, they must be deemed to be compromised. If a courier is used for distribution, they themselves must also be absolutely trustworthy; a known quantity.
Lastly, if either the sending or receiving station are themselves compromised (those using OTPs), there's ways to tip off the opposite end of the channel of that fact who can then decide to either cease communications and leave you to your fate, or use the channel to distribute misinformation.
So if the following (4) strictures are observed, OTP are UNBREAKABLE:
- Never reuse keys
- Don't encrypt messages larger then the key
- Produce pads using random data
- Ensure pads cannot be compromised during distribution to the operators
-Terrence
answered 11 hours ago
F1LinuxF1Linux
213
New contributor
F1Linux is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$endgroup$
add a comment |
$begingroup$
You appear to be asking if comparative analysis could be employed between the different crypted iterations of the same text to decode it. Answer is "no": As long as the pads are produced using truly random data, the crypted text will never come out the sausage maker the same way twice. The only way comparative analysis could succeed is if keys were reused, which multiple posters to this thread already noted.
The pads must also be transmitted securely. If there is ever a period where they were not accounted for or not in a courier's control during distribution, they must be deemed to be compromised. If a courier is used for distribution, they themselves must also be absolutely trustworthy; a known quantity.
Lastly, if either the sending or receiving station are themselves compromised (those using OTPs), there's ways to tip off the opposite end of the channel of that fact who can then decide to either cease communications and leave you to your fate, or use the channel to distribute misinformation.
So if the following (4) strictures are observed, OTP are UNBREAKABLE:
- Never reuse keys
- Don't encrypt messages larger then the key
- Produce pads using random data
- Ensure pads cannot be compromised during distribution to the operators
-Terrence
answered 11 hours ago
F1LinuxF1Linux
213
New contributor
F1Linux is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$endgroup$
You appear to be asking if comparative analysis could be employed between the different crypted iterations of the same text to decode it. Answer is "no": As long as the pads are produced using truly random data, the crypted text will never come out the sausage maker the same way twice. The only way comparative analysis could succeed is if keys were reused, which multiple posters to this thread already noted.
The pads must also be transmitted securely. If there is ever a period where they were not accounted for or not in a courier's control during distribution, they must be deemed to be compromised. If a courier is used for distribution, they themselves must also be absolutely trustworthy; a known quantity.
Lastly, if either the sending or receiving station are themselves compromised (those using OTPs), there's ways to tip off the opposite end of the channel of that fact who can then decide to either cease communications and leave you to your fate, or use the channel to distribute misinformation.
So if the following (4) strictures are observed, OTP are UNBREAKABLE:
- Never reuse keys
- Don't encrypt messages larger then the key
- Produce pads using random data
- Ensure pads cannot be compromised during distribution to the operators
-Terrence
answered 11 hours ago
F1LinuxF1Linux
213
New contributor
F1Linux is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited 11 hours ago
answered 11 hours ago
F1LinuxF1Linux
213
New contributor
F1Linux is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered 11 hours ago
F1LinuxF1Linux
213
answered 11 hours ago
F1LinuxF1Linux
213
213
New contributor
F1Linux is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
F1Linux is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
F1Linux is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
add a comment |
$begingroup$
Though the method is not vulnerable provide that the implementation is right. Of course the key is not reused. For extra entropy you can use a feedback mechanism in case the data is longer than the PAD.
answered 22 hours ago
Soumen MukherjeeSoumen Mukherjee
1094
New contributor
Soumen Mukherjee is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$endgroup$
1
$begingroup$
"you can use a feedback mechanism" - Could you please elaborate on the method e.g. via a link? My searches have not been fruitful.
$endgroup$
– Dreamspace President
21 hours ago
3
$begingroup$
A feedback mechanism is an inefficient home made crypto mode (and therefore not recommended) and it is no longer OTP with all its security guarantees.
$endgroup$
– eckes
17 hours ago
2
$begingroup$
Key stretching, by any name, cannot provide "extra entropy", regardless of whether the encryption algorithm is a one-time pad or something else. Key stretching can be used to turn a shorter key into a longer key, but as the longer key can be derived from the shorter key, the entropy of the longer key cannot be greater than that of the shorter key. The attacker can always choose to attack the smaller key space and execute the key stretching algorithm as part of the attack, if doing so is beneficial compared to attacking the larger key space without stretching each attempted key.
$endgroup$
– a CVn
12 hours ago
$begingroup$
@aCVn: Could not the low-entropy data "4000000" be used as a seed for a random generator that creates high entropy data? Or would you say that the entropy has not increased? - I get that it would be a predictable outcome, but still. If the last bits of a too short pad are used to create more pad data, and the attacker does not know of the seam point/data, they are not the wiser.
$endgroup$
– Dreamspace President
11 hours ago
1
$begingroup$
@DreamspacePresident No. Entropy (in the information theory sense) cannot ever increase except when one adds more unrelated data. A deterministic algorithm cannot turn low entropy data into higher entropy data. Keep in mind that entropy has virtually nothing to do with how random-looking some data is in some particular representation. Also read up on Kerckhoffs' principle; the Wikipedia article on it isn't bad if you want an easy start. This is going well beyond requests for clarification on specific posts, so for further questions on this, I encourage you to research and post new questions.
$endgroup$
– a CVn
9 hours ago
add a comment |
$begingroup$
Though the method is not vulnerable provide that the implementation is right. Of course the key is not reused. For extra entropy you can use a feedback mechanism in case the data is longer than the PAD.
answered 22 hours ago
Soumen MukherjeeSoumen Mukherjee
1094
New contributor
Soumen Mukherjee is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$endgroup$
1
$begingroup$
"you can use a feedback mechanism" - Could you please elaborate on the method e.g. via a link? My searches have not been fruitful.
$endgroup$
– Dreamspace President
21 hours ago
3
$begingroup$
A feedback mechanism is an inefficient home made crypto mode (and therefore not recommended) and it is no longer OTP with all its security guarantees.
$endgroup$
– eckes
17 hours ago
2
$begingroup$
Key stretching, by any name, cannot provide "extra entropy", regardless of whether the encryption algorithm is a one-time pad or something else. Key stretching can be used to turn a shorter key into a longer key, but as the longer key can be derived from the shorter key, the entropy of the longer key cannot be greater than that of the shorter key. The attacker can always choose to attack the smaller key space and execute the key stretching algorithm as part of the attack, if doing so is beneficial compared to attacking the larger key space without stretching each attempted key.
$endgroup$
– a CVn
12 hours ago
$begingroup$
@aCVn: Could not the low-entropy data "4000000" be used as a seed for a random generator that creates high entropy data? Or would you say that the entropy has not increased? - I get that it would be a predictable outcome, but still. If the last bits of a too short pad are used to create more pad data, and the attacker does not know of the seam point/data, they are not the wiser.
$endgroup$
– Dreamspace President
11 hours ago
1
$begingroup$
@DreamspacePresident No. Entropy (in the information theory sense) cannot ever increase except when one adds more unrelated data. A deterministic algorithm cannot turn low entropy data into higher entropy data. Keep in mind that entropy has virtually nothing to do with how random-looking some data is in some particular representation. Also read up on Kerckhoffs' principle; the Wikipedia article on it isn't bad if you want an easy start. This is going well beyond requests for clarification on specific posts, so for further questions on this, I encourage you to research and post new questions.
$endgroup$
– a CVn
9 hours ago
add a comment |
$begingroup$
Though the method is not vulnerable provide that the implementation is right. Of course the key is not reused. For extra entropy you can use a feedback mechanism in case the data is longer than the PAD.
answered 22 hours ago
Soumen MukherjeeSoumen Mukherjee
1094
New contributor
Soumen Mukherjee is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$endgroup$
Though the method is not vulnerable provide that the implementation is right. Of course the key is not reused. For extra entropy you can use a feedback mechanism in case the data is longer than the PAD.
answered 22 hours ago
Soumen MukherjeeSoumen Mukherjee
1094
New contributor
Soumen Mukherjee is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited 21 hours ago
answered 22 hours ago
Soumen MukherjeeSoumen Mukherjee
1094
New contributor
Soumen Mukherjee is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered 22 hours ago
Soumen MukherjeeSoumen Mukherjee
1094
answered 22 hours ago
Soumen MukherjeeSoumen Mukherjee
1094
1094
New contributor
Soumen Mukherjee is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
Soumen Mukherjee is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Soumen Mukherjee is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
1
$begingroup$
"you can use a feedback mechanism" - Could you please elaborate on the method e.g. via a link? My searches have not been fruitful.
$endgroup$
– Dreamspace President
21 hours ago
3
$begingroup$
A feedback mechanism is an inefficient home made crypto mode (and therefore not recommended) and it is no longer OTP with all its security guarantees.
$endgroup$
– eckes
17 hours ago
2
$begingroup$
Key stretching, by any name, cannot provide "extra entropy", regardless of whether the encryption algorithm is a one-time pad or something else. Key stretching can be used to turn a shorter key into a longer key, but as the longer key can be derived from the shorter key, the entropy of the longer key cannot be greater than that of the shorter key. The attacker can always choose to attack the smaller key space and execute the key stretching algorithm as part of the attack, if doing so is beneficial compared to attacking the larger key space without stretching each attempted key.
$endgroup$
– a CVn
12 hours ago
$begingroup$
@aCVn: Could not the low-entropy data "4000000" be used as a seed for a random generator that creates high entropy data? Or would you say that the entropy has not increased? - I get that it would be a predictable outcome, but still. If the last bits of a too short pad are used to create more pad data, and the attacker does not know of the seam point/data, they are not the wiser.
$endgroup$
– Dreamspace President
11 hours ago
1
$begingroup$
@DreamspacePresident No. Entropy (in the information theory sense) cannot ever increase except when one adds more unrelated data. A deterministic algorithm cannot turn low entropy data into higher entropy data. Keep in mind that entropy has virtually nothing to do with how random-looking some data is in some particular representation. Also read up on Kerckhoffs' principle; the Wikipedia article on it isn't bad if you want an easy start. This is going well beyond requests for clarification on specific posts, so for further questions on this, I encourage you to research and post new questions.
$endgroup$
– a CVn
9 hours ago
add a comment |
1
$begingroup$
"you can use a feedback mechanism" - Could you please elaborate on the method e.g. via a link? My searches have not been fruitful.
$endgroup$
– Dreamspace President
21 hours ago
3
$begingroup$
A feedback mechanism is an inefficient home made crypto mode (and therefore not recommended) and it is no longer OTP with all its security guarantees.
$endgroup$
– eckes
17 hours ago
2
$begingroup$
Key stretching, by any name, cannot provide "extra entropy", regardless of whether the encryption algorithm is a one-time pad or something else. Key stretching can be used to turn a shorter key into a longer key, but as the longer key can be derived from the shorter key, the entropy of the longer key cannot be greater than that of the shorter key. The attacker can always choose to attack the smaller key space and execute the key stretching algorithm as part of the attack, if doing so is beneficial compared to attacking the larger key space without stretching each attempted key.
$endgroup$
– a CVn
12 hours ago
$begingroup$
@aCVn: Could not the low-entropy data "4000000" be used as a seed for a random generator that creates high entropy data? Or would you say that the entropy has not increased? - I get that it would be a predictable outcome, but still. If the last bits of a too short pad are used to create more pad data, and the attacker does not know of the seam point/data, they are not the wiser.
$endgroup$
– Dreamspace President
11 hours ago
1
$begingroup$
@DreamspacePresident No. Entropy (in the information theory sense) cannot ever increase except when one adds more unrelated data. A deterministic algorithm cannot turn low entropy data into higher entropy data. Keep in mind that entropy has virtually nothing to do with how random-looking some data is in some particular representation. Also read up on Kerckhoffs' principle; the Wikipedia article on it isn't bad if you want an easy start. This is going well beyond requests for clarification on specific posts, so for further questions on this, I encourage you to research and post new questions.
$endgroup$
– a CVn
9 hours ago
1
1
$begingroup$
"you can use a feedback mechanism" - Could you please elaborate on the method e.g. via a link? My searches have not been fruitful.
$endgroup$
– Dreamspace President
21 hours ago
$begingroup$
"you can use a feedback mechanism" - Could you please elaborate on the method e.g. via a link? My searches have not been fruitful.
$endgroup$
– Dreamspace President
21 hours ago
3
3
$begingroup$
A feedback mechanism is an inefficient home made crypto mode (and therefore not recommended) and it is no longer OTP with all its security guarantees.
$endgroup$
– eckes
17 hours ago
$begingroup$
A feedback mechanism is an inefficient home made crypto mode (and therefore not recommended) and it is no longer OTP with all its security guarantees.
$endgroup$
– eckes
17 hours ago
2
2
$begingroup$
Key stretching, by any name, cannot provide "extra entropy", regardless of whether the encryption algorithm is a one-time pad or something else. Key stretching can be used to turn a shorter key into a longer key, but as the longer key can be derived from the shorter key, the entropy of the longer key cannot be greater than that of the shorter key. The attacker can always choose to attack the smaller key space and execute the key stretching algorithm as part of the attack, if doing so is beneficial compared to attacking the larger key space without stretching each attempted key.
$endgroup$
– a CVn
12 hours ago
$begingroup$
Key stretching, by any name, cannot provide "extra entropy", regardless of whether the encryption algorithm is a one-time pad or something else. Key stretching can be used to turn a shorter key into a longer key, but as the longer key can be derived from the shorter key, the entropy of the longer key cannot be greater than that of the shorter key. The attacker can always choose to attack the smaller key space and execute the key stretching algorithm as part of the attack, if doing so is beneficial compared to attacking the larger key space without stretching each attempted key.
$endgroup$
– a CVn
12 hours ago
$begingroup$
@aCVn: Could not the low-entropy data "4000000" be used as a seed for a random generator that creates high entropy data? Or would you say that the entropy has not increased? - I get that it would be a predictable outcome, but still. If the last bits of a too short pad are used to create more pad data, and the attacker does not know of the seam point/data, they are not the wiser.
$endgroup$
– Dreamspace President
11 hours ago
$begingroup$
@aCVn: Could not the low-entropy data "4000000" be used as a seed for a random generator that creates high entropy data? Or would you say that the entropy has not increased? - I get that it would be a predictable outcome, but still. If the last bits of a too short pad are used to create more pad data, and the attacker does not know of the seam point/data, they are not the wiser.
$endgroup$
– Dreamspace President
11 hours ago
1
1
$begingroup$
@DreamspacePresident No. Entropy (in the information theory sense) cannot ever increase except when one adds more unrelated data. A deterministic algorithm cannot turn low entropy data into higher entropy data. Keep in mind that entropy has virtually nothing to do with how random-looking some data is in some particular representation. Also read up on Kerckhoffs' principle; the Wikipedia article on it isn't bad if you want an easy start. This is going well beyond requests for clarification on specific posts, so for further questions on this, I encourage you to research and post new questions.
$endgroup$
– a CVn
9 hours ago
$begingroup$
@DreamspacePresident No. Entropy (in the information theory sense) cannot ever increase except when one adds more unrelated data. A deterministic algorithm cannot turn low entropy data into higher entropy data. Keep in mind that entropy has virtually nothing to do with how random-looking some data is in some particular representation. Also read up on Kerckhoffs' principle; the Wikipedia article on it isn't bad if you want an easy start. This is going well beyond requests for clarification on specific posts, so for further questions on this, I encourage you to research and post new questions.
$endgroup$
– a CVn
9 hours ago
add a comment |
$begingroup$
Whether anything is "secure" depends upon the threat model. Simple forms of OTP are absolutely secure against eavesdropping attacks, but may be essentially worthless against known-plaintext spoofing attacks, since each piece of key needs to be used twice--once by the person encrypting the message, and once by the person decrypting it. Consequently, someone who has access to the plaintext and ciphertext forms of a message, as well as the communications channel used to transmit it, will be able to ascertain the key before it is used by the recipient.
If (for purposes of the example) a message was encrypted using a Caesar cipher OTP (add 0-25 to each letter of plaintext to get the ciphertext), someone who knew that a message was "ATTACK AT DAWN" and knew that the last four letters encrypted were "FRED" would be able to determine that the last four letters were shifted by 24, 9, 16, 10. If the person replaced the last four characters of the transmitted message with "ZXZD", the recipient would decode the resulting message as "ATTACK AT NOON".
Overcoming this problem in cases where bandwidth or timing restrictions would preclude the use of a Message Authentication Code (MAC) would require generating more key material, so that multiple possible keys could yield each (plaintext-ciphertext) combination. If message characters must be encrypted entirely independently (such that corruption of one character at the source would corrupt only one character decoded by the recipient), there would be no way to avoid granting an adversary the ability to corrupt any single character. If each character represents a one-of-C choice, however, adding additional key material, chosen from one of (C-1) possibilities, would suffice to prevent the adversary from having any control over which of the (C-1) alternative characters would be decoded. In cases where a transmission error would be allowed to cause more severe disruption of the received message, other forms of encryption and authentication would likely be more appropriate.
Note that depending upon the usage and threat model, the ability of an attacker to guarantee that a byte gets changed somehow may or may not be a meaningful weakness. It's important to note, however, that sometimes seemingly harmless weaknesses (e.g. the fact that Enigma could only map each letter to one of 25 others) may sometimes be exploitable in ways that may be hard to anticipate.
answered 15 hours ago
supercatsupercat
21914
$endgroup$
1
$begingroup$
This is only a problem with an unauthenticated OTP. Just because you're using a OTP doesn't mean it needs to be unauthenticated.
$endgroup$
– a CVn
14 hours ago
$begingroup$
@aCVn: It is certainly possible to supplement OTP with other means of authentication if one is aware of this vulnerability, but there are some problems. One advantage of schemes like OTP and CTR is that they can be used with minimal delay between the time the sender acquires the material to be sent and the recipient is able to act upon it. Nearly all forms of authentication would require that a message be composed into some sort of block, with each block having to be received in its entirety before the authenticity of any of it can be determined.
$endgroup$
– supercat
14 hours ago
$begingroup$
@aCVn: Expanding the size of the key material would make it possible to limit an attacker's ability to that of randomly disturbing all message content following a particular point, while still allowing a recipient who has heard N bytes sent over the communications medium to know that what was heard were either the first N characters of a legitimate message, or the first N-k bytes of the legitimate message followed by k characters over which neither the message originator nor the attacker had any meaningful control.
$endgroup$
– supercat
14 hours ago
$begingroup$
... if one is aware of this vulnerability ...If one is not aware of this vulnerability, then they should not be using homebrew cryptography. Trading security for questionable performance improvements is not a good decision. It becomes an acceptable decision iff it can be proven that those performance improvements are necessary and the the loss in security is negligible for the specific use case. This answer admits the proposed solution is not satisfactory while simultaneously rebelling against the correct solution of using a MAC.
$endgroup$
– Ella Rose♦
14 hours ago
1
$begingroup$
That's good to point out the problem, but it doesn't justify explicitly recommending against a MAC and recommending something else instead. IfOvercoming this problem would require generating more key materialsaidOvercoming this problem would require a MAC, then I would not have downvoted. But it doesn't, so I did.
$endgroup$
– Ella Rose♦
13 hours ago
|
show 4 more comments
$begingroup$
Whether anything is "secure" depends upon the threat model. Simple forms of OTP are absolutely secure against eavesdropping attacks, but may be essentially worthless against known-plaintext spoofing attacks, since each piece of key needs to be used twice--once by the person encrypting the message, and once by the person decrypting it. Consequently, someone who has access to the plaintext and ciphertext forms of a message, as well as the communications channel used to transmit it, will be able to ascertain the key before it is used by the recipient.
If (for purposes of the example) a message was encrypted using a Caesar cipher OTP (add 0-25 to each letter of plaintext to get the ciphertext), someone who knew that a message was "ATTACK AT DAWN" and knew that the last four letters encrypted were "FRED" would be able to determine that the last four letters were shifted by 24, 9, 16, 10. If the person replaced the last four characters of the transmitted message with "ZXZD", the recipient would decode the resulting message as "ATTACK AT NOON".
Overcoming this problem in cases where bandwidth or timing restrictions would preclude the use of a Message Authentication Code (MAC) would require generating more key material, so that multiple possible keys could yield each (plaintext-ciphertext) combination. If message characters must be encrypted entirely independently (such that corruption of one character at the source would corrupt only one character decoded by the recipient), there would be no way to avoid granting an adversary the ability to corrupt any single character. If each character represents a one-of-C choice, however, adding additional key material, chosen from one of (C-1) possibilities, would suffice to prevent the adversary from having any control over which of the (C-1) alternative characters would be decoded. In cases where a transmission error would be allowed to cause more severe disruption of the received message, other forms of encryption and authentication would likely be more appropriate.
Note that depending upon the usage and threat model, the ability of an attacker to guarantee that a byte gets changed somehow may or may not be a meaningful weakness. It's important to note, however, that sometimes seemingly harmless weaknesses (e.g. the fact that Enigma could only map each letter to one of 25 others) may sometimes be exploitable in ways that may be hard to anticipate.
answered 15 hours ago
supercatsupercat
21914
$endgroup$
1
$begingroup$
This is only a problem with an unauthenticated OTP. Just because you're using a OTP doesn't mean it needs to be unauthenticated.
$endgroup$
– a CVn
14 hours ago
$begingroup$
@aCVn: It is certainly possible to supplement OTP with other means of authentication if one is aware of this vulnerability, but there are some problems. One advantage of schemes like OTP and CTR is that they can be used with minimal delay between the time the sender acquires the material to be sent and the recipient is able to act upon it. Nearly all forms of authentication would require that a message be composed into some sort of block, with each block having to be received in its entirety before the authenticity of any of it can be determined.
$endgroup$
– supercat
14 hours ago
$begingroup$
@aCVn: Expanding the size of the key material would make it possible to limit an attacker's ability to that of randomly disturbing all message content following a particular point, while still allowing a recipient who has heard N bytes sent over the communications medium to know that what was heard were either the first N characters of a legitimate message, or the first N-k bytes of the legitimate message followed by k characters over which neither the message originator nor the attacker had any meaningful control.
$endgroup$
– supercat
14 hours ago
$begingroup$
... if one is aware of this vulnerability ...If one is not aware of this vulnerability, then they should not be using homebrew cryptography. Trading security for questionable performance improvements is not a good decision. It becomes an acceptable decision iff it can be proven that those performance improvements are necessary and the the loss in security is negligible for the specific use case. This answer admits the proposed solution is not satisfactory while simultaneously rebelling against the correct solution of using a MAC.
$endgroup$
– Ella Rose♦
14 hours ago
1
$begingroup$
That's good to point out the problem, but it doesn't justify explicitly recommending against a MAC and recommending something else instead. IfOvercoming this problem would require generating more key materialsaidOvercoming this problem would require a MAC, then I would not have downvoted. But it doesn't, so I did.
$endgroup$
– Ella Rose♦
13 hours ago
|
show 4 more comments
$begingroup$
Whether anything is "secure" depends upon the threat model. Simple forms of OTP are absolutely secure against eavesdropping attacks, but may be essentially worthless against known-plaintext spoofing attacks, since each piece of key needs to be used twice--once by the person encrypting the message, and once by the person decrypting it. Consequently, someone who has access to the plaintext and ciphertext forms of a message, as well as the communications channel used to transmit it, will be able to ascertain the key before it is used by the recipient.
If (for purposes of the example) a message was encrypted using a Caesar cipher OTP (add 0-25 to each letter of plaintext to get the ciphertext), someone who knew that a message was "ATTACK AT DAWN" and knew that the last four letters encrypted were "FRED" would be able to determine that the last four letters were shifted by 24, 9, 16, 10. If the person replaced the last four characters of the transmitted message with "ZXZD", the recipient would decode the resulting message as "ATTACK AT NOON".
Overcoming this problem in cases where bandwidth or timing restrictions would preclude the use of a Message Authentication Code (MAC) would require generating more key material, so that multiple possible keys could yield each (plaintext-ciphertext) combination. If message characters must be encrypted entirely independently (such that corruption of one character at the source would corrupt only one character decoded by the recipient), there would be no way to avoid granting an adversary the ability to corrupt any single character. If each character represents a one-of-C choice, however, adding additional key material, chosen from one of (C-1) possibilities, would suffice to prevent the adversary from having any control over which of the (C-1) alternative characters would be decoded. In cases where a transmission error would be allowed to cause more severe disruption of the received message, other forms of encryption and authentication would likely be more appropriate.
Note that depending upon the usage and threat model, the ability of an attacker to guarantee that a byte gets changed somehow may or may not be a meaningful weakness. It's important to note, however, that sometimes seemingly harmless weaknesses (e.g. the fact that Enigma could only map each letter to one of 25 others) may sometimes be exploitable in ways that may be hard to anticipate.
answered 15 hours ago
supercatsupercat
21914
$endgroup$
Whether anything is "secure" depends upon the threat model. Simple forms of OTP are absolutely secure against eavesdropping attacks, but may be essentially worthless against known-plaintext spoofing attacks, since each piece of key needs to be used twice--once by the person encrypting the message, and once by the person decrypting it. Consequently, someone who has access to the plaintext and ciphertext forms of a message, as well as the communications channel used to transmit it, will be able to ascertain the key before it is used by the recipient.
If (for purposes of the example) a message was encrypted using a Caesar cipher OTP (add 0-25 to each letter of plaintext to get the ciphertext), someone who knew that a message was "ATTACK AT DAWN" and knew that the last four letters encrypted were "FRED" would be able to determine that the last four letters were shifted by 24, 9, 16, 10. If the person replaced the last four characters of the transmitted message with "ZXZD", the recipient would decode the resulting message as "ATTACK AT NOON".
Overcoming this problem in cases where bandwidth or timing restrictions would preclude the use of a Message Authentication Code (MAC) would require generating more key material, so that multiple possible keys could yield each (plaintext-ciphertext) combination. If message characters must be encrypted entirely independently (such that corruption of one character at the source would corrupt only one character decoded by the recipient), there would be no way to avoid granting an adversary the ability to corrupt any single character. If each character represents a one-of-C choice, however, adding additional key material, chosen from one of (C-1) possibilities, would suffice to prevent the adversary from having any control over which of the (C-1) alternative characters would be decoded. In cases where a transmission error would be allowed to cause more severe disruption of the received message, other forms of encryption and authentication would likely be more appropriate.
Note that depending upon the usage and threat model, the ability of an attacker to guarantee that a byte gets changed somehow may or may not be a meaningful weakness. It's important to note, however, that sometimes seemingly harmless weaknesses (e.g. the fact that Enigma could only map each letter to one of 25 others) may sometimes be exploitable in ways that may be hard to anticipate.
answered 15 hours ago
supercatsupercat
21914
edited 8 hours ago
answered 15 hours ago
supercatsupercat
21914
answered 15 hours ago
supercatsupercat
21914
answered 15 hours ago
supercatsupercat
21914
21914
1
$begingroup$
This is only a problem with an unauthenticated OTP. Just because you're using a OTP doesn't mean it needs to be unauthenticated.
$endgroup$
– a CVn
14 hours ago
$begingroup$
@aCVn: It is certainly possible to supplement OTP with other means of authentication if one is aware of this vulnerability, but there are some problems. One advantage of schemes like OTP and CTR is that they can be used with minimal delay between the time the sender acquires the material to be sent and the recipient is able to act upon it. Nearly all forms of authentication would require that a message be composed into some sort of block, with each block having to be received in its entirety before the authenticity of any of it can be determined.
$endgroup$
– supercat
14 hours ago
$begingroup$
@aCVn: Expanding the size of the key material would make it possible to limit an attacker's ability to that of randomly disturbing all message content following a particular point, while still allowing a recipient who has heard N bytes sent over the communications medium to know that what was heard were either the first N characters of a legitimate message, or the first N-k bytes of the legitimate message followed by k characters over which neither the message originator nor the attacker had any meaningful control.
$endgroup$
– supercat
14 hours ago
$begingroup$
... if one is aware of this vulnerability ...If one is not aware of this vulnerability, then they should not be using homebrew cryptography. Trading security for questionable performance improvements is not a good decision. It becomes an acceptable decision iff it can be proven that those performance improvements are necessary and the the loss in security is negligible for the specific use case. This answer admits the proposed solution is not satisfactory while simultaneously rebelling against the correct solution of using a MAC.
$endgroup$
– Ella Rose♦
14 hours ago
1
$begingroup$
That's good to point out the problem, but it doesn't justify explicitly recommending against a MAC and recommending something else instead. IfOvercoming this problem would require generating more key materialsaidOvercoming this problem would require a MAC, then I would not have downvoted. But it doesn't, so I did.
$endgroup$
– Ella Rose♦
13 hours ago
|
show 4 more comments
1
$begingroup$
This is only a problem with an unauthenticated OTP. Just because you're using a OTP doesn't mean it needs to be unauthenticated.
$endgroup$
– a CVn
14 hours ago
$begingroup$
@aCVn: It is certainly possible to supplement OTP with other means of authentication if one is aware of this vulnerability, but there are some problems. One advantage of schemes like OTP and CTR is that they can be used with minimal delay between the time the sender acquires the material to be sent and the recipient is able to act upon it. Nearly all forms of authentication would require that a message be composed into some sort of block, with each block having to be received in its entirety before the authenticity of any of it can be determined.
$endgroup$
– supercat
14 hours ago
$begingroup$
@aCVn: Expanding the size of the key material would make it possible to limit an attacker's ability to that of randomly disturbing all message content following a particular point, while still allowing a recipient who has heard N bytes sent over the communications medium to know that what was heard were either the first N characters of a legitimate message, or the first N-k bytes of the legitimate message followed by k characters over which neither the message originator nor the attacker had any meaningful control.
$endgroup$
– supercat
14 hours ago
$begingroup$
... if one is aware of this vulnerability ...If one is not aware of this vulnerability, then they should not be using homebrew cryptography. Trading security for questionable performance improvements is not a good decision. It becomes an acceptable decision iff it can be proven that those performance improvements are necessary and the the loss in security is negligible for the specific use case. This answer admits the proposed solution is not satisfactory while simultaneously rebelling against the correct solution of using a MAC.
$endgroup$
– Ella Rose♦
14 hours ago
1
$begingroup$
That's good to point out the problem, but it doesn't justify explicitly recommending against a MAC and recommending something else instead. IfOvercoming this problem would require generating more key materialsaidOvercoming this problem would require a MAC, then I would not have downvoted. But it doesn't, so I did.
$endgroup$
– Ella Rose♦
13 hours ago
1
1
$begingroup$
This is only a problem with an unauthenticated OTP. Just because you're using a OTP doesn't mean it needs to be unauthenticated.
$endgroup$
– a CVn
14 hours ago
$begingroup$
This is only a problem with an unauthenticated OTP. Just because you're using a OTP doesn't mean it needs to be unauthenticated.
$endgroup$
– a CVn
14 hours ago
$begingroup$
@aCVn: It is certainly possible to supplement OTP with other means of authentication if one is aware of this vulnerability, but there are some problems. One advantage of schemes like OTP and CTR is that they can be used with minimal delay between the time the sender acquires the material to be sent and the recipient is able to act upon it. Nearly all forms of authentication would require that a message be composed into some sort of block, with each block having to be received in its entirety before the authenticity of any of it can be determined.
$endgroup$
– supercat
14 hours ago
$begingroup$
@aCVn: It is certainly possible to supplement OTP with other means of authentication if one is aware of this vulnerability, but there are some problems. One advantage of schemes like OTP and CTR is that they can be used with minimal delay between the time the sender acquires the material to be sent and the recipient is able to act upon it. Nearly all forms of authentication would require that a message be composed into some sort of block, with each block having to be received in its entirety before the authenticity of any of it can be determined.
$endgroup$
– supercat
14 hours ago
$begingroup$
@aCVn: Expanding the size of the key material would make it possible to limit an attacker's ability to that of randomly disturbing all message content following a particular point, while still allowing a recipient who has heard N bytes sent over the communications medium to know that what was heard were either the first N characters of a legitimate message, or the first N-k bytes of the legitimate message followed by k characters over which neither the message originator nor the attacker had any meaningful control.
$endgroup$
– supercat
14 hours ago
$begingroup$
@aCVn: Expanding the size of the key material would make it possible to limit an attacker's ability to that of randomly disturbing all message content following a particular point, while still allowing a recipient who has heard N bytes sent over the communications medium to know that what was heard were either the first N characters of a legitimate message, or the first N-k bytes of the legitimate message followed by k characters over which neither the message originator nor the attacker had any meaningful control.
$endgroup$
– supercat
14 hours ago
$begingroup$
... if one is aware of this vulnerability ... If one is not aware of this vulnerability, then they should not be using homebrew cryptography. Trading security for questionable performance improvements is not a good decision. It becomes an acceptable decision iff it can be proven that those performance improvements are necessary and the the loss in security is negligible for the specific use case. This answer admits the proposed solution is not satisfactory while simultaneously rebelling against the correct solution of using a MAC.$endgroup$
– Ella Rose♦
14 hours ago
$begingroup$
... if one is aware of this vulnerability ... If one is not aware of this vulnerability, then they should not be using homebrew cryptography. Trading security for questionable performance improvements is not a good decision. It becomes an acceptable decision iff it can be proven that those performance improvements are necessary and the the loss in security is negligible for the specific use case. This answer admits the proposed solution is not satisfactory while simultaneously rebelling against the correct solution of using a MAC.$endgroup$
– Ella Rose♦
14 hours ago
1
1
$begingroup$
That's good to point out the problem, but it doesn't justify explicitly recommending against a MAC and recommending something else instead. If
Overcoming this problem would require generating more key material said Overcoming this problem would require a MAC, then I would not have downvoted. But it doesn't, so I did.$endgroup$
– Ella Rose♦
13 hours ago
$begingroup$
That's good to point out the problem, but it doesn't justify explicitly recommending against a MAC and recommending something else instead. If
Overcoming this problem would require generating more key material said Overcoming this problem would require a MAC, then I would not have downvoted. But it doesn't, so I did.$endgroup$
– Ella Rose♦
13 hours ago
|
show 4 more comments
Dreamspace President is a new contributor. Be nice, and check out our Code of Conduct.
Dreamspace President is a new contributor. Be nice, and check out our Code of Conduct.
Dreamspace President is a new contributor. Be nice, and check out our Code of Conduct.
Dreamspace President is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Cryptography Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
Use MathJax to format equations. MathJax reference.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f67137%2fis-one-time-pad-encryption-vulnerable-when-near-identical-data-is-sent-many-time%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
1
$begingroup$
I was whimsically considering to make an OTP XOR tool to allow transport of my KeePass database to myself via email, utilizing java.security.SecureRandom.getInstanceStrong() (Windows 10). This spawned the question but I was also interested in general. (Side-note: The database is bigger than 1MB and 7z-compresses to more than its original size, so, due to its built-in encryption, it's already very noisy itself.)
$endgroup$
– Dreamspace President
21 hours ago
2
$begingroup$
Regarding your intended use, I'm pretty sure that what you get via java.security.SecureRandom wouldn't be a proper OTP. You're almost certainly better off in practice with a key file and perhaps something like a Yubikey to hold a portion of the passphrase (to make it harder to shoulder-surf you typing it in), than trying to cobble something together yourself. For one thing, you'll have the benefit of KeyPass at least trying to not leak intermediate data. Who is your adversary anyway, the Andromeda Empire?
$endgroup$
– a CVn
12 hours ago
1
$begingroup$
@DreamspacePresident your OTP File produced with SecureRandom would be a very bloated 160bit, a keyfile with 40 bytes is more than enough.
$endgroup$
– eckes
12 hours ago
2
$begingroup$
Depends on the SecureRandom config, java version and platform, but the commonly used Sha1PRNG of the JCL has not more state. Producing good randomness is hard, it is critical for OTP and it is even harder if you need to produce lots of it. (You would need to use the new DRBG with prediction resistance/reseeding)
$endgroup$
– eckes
11 hours ago
4
$begingroup$
@DreamspacePresident Whether it's 160 bits of state or some other number isn't really all that significant as long as it's not something really low. The main point, I think, is that using a random number generator (even a secure one) doesn't give you the perfect secrecy that a real OTP provides. If you're generating the key with an algorithm, then what you're really doing is pre-calculating part of a stream cipher that's exactly as secure as the random number generator it's based on.
$endgroup$
– Matthew Crumley
10 hours ago