On 21 Mar 2015, at 22:24, Lee wrote:

> On 3/21/15, Jeffrey Goldberg <jeff...@goldmark.org> wrote:
>> (1) the file isn't secret
>
> But the fact that I'm using it as my one-time pad is. Why isn't that
> good enough?

As others have already answered, your key is "knowledge of which publicly available file to use as the pad". But for an OTP to have the security that an OTP offers, the key must be as long as the message itself. Your key is much shorter.

Just as with using a PRNG to generate a pad, you are using a short key to generate/identify a long pad. Your system can be no more secure than the size of your key. (The size of what must be kept secret.) Remember, you aren't keeping the file secret; you are keeping the name of the file secret. So it is a short key.

>> (2) the file isn't random.
>
> Right. An ISO file is a bad choice - too many zeros & machine code
> isn't very random. But what about something like an MP3, OGV or some
> other compressed file?

Again, no. If you want the security properties offered by an OTP, the pad/key must be truly random. So if you need a pad that is a million bytes (eight million bits) long, then the particular pad you use must be no more likely than any other string of eight million bits.

>> I'm sorry to pick on you, but you've illustrated a point I tried to make
>> earlier. The OTP is a simple idea that is remarkably easy for people to
>> misunderstand.
>
> It doesn't feel like you're picking on me - I appreciate the feedback :)

Great. A point I've been making is that the OTP (and other systems) are brittle. By this I mean that if you don't follow the rules to the letter you can end up with a system that is extremely weak. A small variation on the protocol can lead to catastrophic results.

Any simulation of an OTP that isn't an OTP itself will not have the security properties of an OTP. And any simulation that is not designed very carefully will end up being far weaker than the actual cryptographic systems we have today.

So remember, one of the requirements of an OTP is that the key itself (the stuff that you need to keep secret) must be as long as the message. When I say that the key must be kept secret, I mean the key/pad itself. Not the identity of the key/pad.

Another property is that the key/pad must be truly random. Appearing random is not enough. It must truly be random.

And yet a third requirement is that the pad never be reused.

Break any of those rules, and you not only no longer have an OTP, but you probably have something that is easily broken.

There are good crypto systems in use which generate pseudo-random pads from keys that are 128 (or 256) bits in length. But these are – at best – no better than the length of their keys.

Cheers,

-j
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
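
Added example, not part of the original message: a Python sketch of the point that when the pad is a publicly available file, the only secret is which file, so the key is log2(N) bits for N candidate files, whereas a truly random pad leaves every same-length plaintext equally possible. The catalogue, the file names and the `public_file` stand-in (deterministic SHA-256 output in place of real file contents) are constructed for illustration.

```python
import hashlib
import math
import os

def xor(data: bytes, pad: bytes) -> bytes:
    """XOR data with the first len(data) bytes of pad."""
    if len(pad) < len(data):
        raise ValueError("pad shorter than message")
    return bytes(d ^ p for d, p in zip(data, pad))

def public_file(name: str, size: int = 64) -> bytes:
    """Constructed stand-in for a public file: anyone who knows the
    name can regenerate exactly the same bytes."""
    out, counter = b"", 0
    while len(out) < size:
        out += hashlib.sha256(f"{name}:{counter}".encode()).digest()
        counter += 1
    return out[:size]

# Constructed catalogue of files the correspondents could have chosen from.
CATALOGUE = [f"track{i:04d}.mp3" for i in range(4096)]

def effective_key_bits(catalogue) -> float:
    """The secret is only the choice of file: log2(N) bits of key."""
    return math.log2(len(catalogue))

def consistent_files(ciphertext: bytes, catalogue) -> list:
    """Names whose bytes turn the ciphertext into printable ASCII."""
    hits = []
    for name in catalogue:
        guess = xor(ciphertext, public_file(name))
        if all(32 <= b < 127 for b in guess):
            hits.append(name)
    return hits

def pad_explaining(ciphertext: bytes, plaintext: bytes) -> bytes:
    """With a truly random pad, every same-length plaintext has some pad
    that explains the ciphertext, so the ciphertext rules nothing out."""
    return xor(ciphertext, plaintext)

MESSAGE = b"meet at the usual place at nine"   # constructed sample message
FILE_CT = xor(MESSAGE, public_file("track1234.mp3"))  # "file as pad"
OTP_CT = xor(MESSAGE, os.urandom(len(MESSAGE)))       # real one-time pad

if __name__ == "__main__":
    print("effective key bits:", effective_key_bits(CATALOGUE))
    print("files consistent with ciphertext:", consistent_files(FILE_CT, CATALOGUE))
```
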