Quoting the Scrambler website: "The drawback of the one-time cypher pad encryption method is that to encrypt a message without reusing the one-time cypher pad requires it to be 256 times the size of the message. Encrypting a one megabyte file without reusing the one-time cypher pad requires it to be 256 megabytes. While it is recommended that you do not reuse one-time cypher pads, Scrambler will do so."
The author doesn't understand how to construct one-time pads, and flouts the most important rule of using them. Avoid this software like the plague.

Cheers,
Michael

Seth David Schoen <[email protected]> wrote:
>Michael Hicks writes:
>
>> ok so I guess I just send u guys the links and u check out my software and
>> Vet it? This was made for people to be able to protect their privacy and the
>> NSA can't hack it No One can it's impossible. all the information is at
>> scrambler.webs.com
>
>It's true that no one can crack a one-time pad, which your software
>claims to implement. A one-time pad might be useful for some people,
>though it's possible that they shouldn't then use a computer to encrypt
>and decrypt, because using a computer introduces new vulnerabilities
>(like radiofrequency emanations and remote software exploits).
>
>There might still be cryptographic vulnerabilities in the random number
>generation that your software uses. There was recently a high-profile
>vulnerability in the random number generation provided by the Java
>implementation on Android, which allowed keys to be compromised. If
>there were a similar vulnerability in the Java implementations people
>use with your software, it might have similar consequences -- which
>might not be the fault of your software, but might still undermine its
>security.
>
>A one-time pad is probably not very useful to most people who need to
>communicate securely because they have to find a safe way, ahead of
>time, to distribute and store the key material with each potential
>party that they may communicate with. That's a pretty heavy burden,
>especially when people are meeting new contacts and wanting to
>communicate with those contacts (without having been able to arrange
>a prior physical key distribution).
>
>It also doesn't integrate easily with any form of communications
>other than exchanging files, although it would be possible to extend
>it to other things like e-mail or IM if you could manage the sequence
>numbers properly to avoid reusing key material (something our existing
>protocols don't really help with).
>
>If you read _Between Silk and Cyanide_, there's a good and interesting
>historical account of wartime military use of one-time pads. One of
>the messages seems to be that it was quite expensive and cumbersome,
>though perhaps well worth it for the particular application. It's hard
>to imagine many audiences prepared to actually bear these costs for
>many of their communications today. We already see people complaining
>about the effort and overhead of things like PGP merely because some
>aspects of the key management are made explicit to the user. For
>one-time pads _every_ aspect of key management is made explicit -- and
>manual, and requiring the exchange of physical objects!
>
>My intuition is that people who feel that one-time pads are necessary
>should probably learn to operate them by hand, the way the SOE agents
>in that book did.
>
>--
>Seth Schoen <[email protected]>
>Senior Staff Technologist https://www.eff.org/
>Electronic Frontier Foundation https://www.eff.org/join
>815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x107
>--
>Liberationtech is a public list whose archives are searchable on Google.
>Violations of list guidelines will get you moderated:
>https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe,
>change to digest, or change password by emailing moderator at
>[email protected].
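
An added example, not part of the original thread and not Scrambler's code: assuming a plain XOR pad, it shows why reuse breaks the scheme (the XOR of two ciphertexts made with the same pad bytes equals the XOR of the two plaintexts, with the pad cancelled out) and one way to track an offset so that pad bytes are never handed out twice. `OneTimePad`, `PadExhausted`, `xor` and `reuse_leak` are hypothetical names, and the messages are constructed samples.

```python
import secrets


class PadExhausted(Exception):
    """Raised instead of wrapping around and reusing pad bytes."""


def xor(a: bytes, b: bytes) -> bytes:
    # zip() stops at the shorter input, so the result has that length.
    return bytes(x ^ y for x, y in zip(a, b))


class OneTimePad:
    """XOR pad that hands out each key byte at most once (hypothetical helper)."""

    def __init__(self, pad: bytes):
        self._pad = pad
        self._offset = 0  # the "sequence number": index of the first unused byte

    def remaining(self) -> int:
        return len(self._pad) - self._offset

    def encrypt(self, plaintext: bytes):
        n = len(plaintext)
        if n > self.remaining():
            # Refuse rather than reuse: the pad must be at least as long as
            # all traffic it will ever protect.
            raise PadExhausted(f"need {n} bytes, only {self.remaining()} left")
        start = self._offset
        self._offset += n  # burn the key material before returning
        return start, xor(plaintext, self._pad[start:start + n])

    def decrypt(self, start: int, ciphertext: bytes) -> bytes:
        # The receiver needs the sender's offset to pick the same pad bytes.
        return xor(ciphertext, self._pad[start:start + len(ciphertext)])


def reuse_leak(pad: bytes, p1: bytes, p2: bytes) -> bytes:
    """Encrypt both messages with the SAME pad bytes; return c1 XOR c2."""
    c1 = xor(p1, pad[:len(p1)])
    c2 = xor(p2, pad[:len(p2)])
    return xor(c1, c2)  # equals p1 XOR p2 whatever the pad was


if __name__ == "__main__":
    pad = secrets.token_bytes(32)  # constructed sample pad
    leak = reuse_leak(pad, b"meet at noon", b"bring the map")
    print(leak == xor(b"meet at noon", b"bring the map"))
```
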
