Letter Re: COMSEC: One Time Pad Generation

Hey Jim:
I am a little concerned about yesterday evening’s post by B.R. regarding the generation of one-time pads. It claims to generate a “pad” using a random selection of dictionary words. A properly generated one-time pad requires a truly random selection of letters; it is only as strong as the source of entropy. Using a dictionary of English language words, acronyms, etc. does not seem to be very wise. Additionally, while I am not terribly familiar with Perl, I know that a lot of languages have built-in “random” functions that are not as random as one might hope for; having a computer generate a truly random number is more difficult than an amateur might expect. I may be way off base on this, having only a few moments to glance at the code and description, but a simpler and safer solution would be to generate a truly random number, modulo 26, correspond it to a letter, and write that letter to the “pad”. The use of the dictionary is unnecessary; all you need — and all you want — are truly random letters.

Best, – Mike D.

JWR Replies: You are correct that most “random number generators” are actually just pseudo-random number generators. However, the computing power required to break such a system will not be available to looters or even local governments in the disaster situations that we’ve been discussing in SurvivalBlog. Yes, they can be broken by the NSA and their phalanxes of supercomputers. But for our purposes, book codes or locally-generated one-time pads will suffice. My concern is that my readers might try to rely on obsolete encryption methods such as Four-square and Playfair substitution ciphers, which are easily broken, even without computing power. Substitution ciphers are just one notch above transmitting “in the clear”. Don’t make that mistake!
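
The approach suggested in the letter (a random number, modulo 26, mapped to a letter and written to the pad), as an added example that is not part of the original letter, the reply, or B.R.'s script. It assumes the operating system's CSPRNG (Python's `secrets` module) as the entropy source and discards bytes that would bias the modulo-26 step; all function names are illustrative.

```python
import secrets

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
# 256 is not a multiple of 26, so a plain byte % 26 would favour A-V.
# Discard bytes >= 234 (9 * 26) so every letter is equally likely.
LIMIT = 256 - (256 % 26)


def random_letters(count, rand_bytes=secrets.token_bytes):
    """Return `count` uniform letters; rand_bytes(n) is assumed to be the OS CSPRNG."""
    out = []
    while len(out) < count:
        for b in rand_bytes(count - len(out)):
            if b < LIMIT:  # rejection sampling removes the modulo bias
                out.append(ALPHABET[b % 26])
    return "".join(out)


def format_pad(letters, group=5, per_line=5):
    """Lay the pad out in five-letter groups for hand use."""
    groups = [letters[i:i + group] for i in range(0, len(letters), group)]
    rows = [groups[i:i + per_line] for i in range(0, len(groups), per_line)]
    return "\n".join(" ".join(row) for row in rows)


def _combine(text, pad, sign):
    text = [c for c in text.upper() if c in ALPHABET]
    pad = [c for c in pad.upper() if c in ALPHABET]
    if len(pad) < len(text):
        raise ValueError("pad shorter than message; pad letters must never be reused")
    return "".join(
        ALPHABET[(ALPHABET.index(t) + sign * ALPHABET.index(k)) % 26]
        for t, k in zip(text, pad)
    )


def encrypt(plaintext, pad):
    return _combine(plaintext, pad, +1)


def decrypt(ciphertext, pad):
    return _combine(ciphertext, pad, -1)


if __name__ == "__main__":
    pad = random_letters(50)
    print(format_pad(pad))
    message = "MEET AT DAWN"  # constructed sample message
    sent = encrypt(message, pad)
    print(sent, "->", decrypt(sent, pad))
```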