Three Letters Re: COMSEC: One Time Pad Generation

Sir:
I agree with the response posted, and your reply. While older versions of Perl used relatively poor pseudo-random number seeds, the original author’s use of a time (at runtime) index as a pseudo-random number (PRN) generator seed is a reasonably “secure” method of generating a series of PRNs. That was the first thing I looked for in his code, and such a method would be secure given the caveats you suggest. (That is, it won’t be up against true high-power cryptanalysis.) If applied with random letters instead of words as suggested (like a “real” one time pad), it would be a better implementation.

As a note, true hardware-based random number generators are available at much lower costs these days. That would dramatically improve the cryptographic security of a generated one time pad.

Thanks for the great blog. – Marc X.
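An added example, not code from this letter or from the original article (which used Perl): a Python illustration of the random-letter pad and the seeding question raised above. A pad drawn from a seeded PRNG is fully determined by its seed, so there are only as many possible pads as possible seeds; the check at the end measures that for a clock seed. All function names, the sample message and the seed value are constructed for illustration.

```python
import random
import secrets
import string

ALPHABET = string.ascii_uppercase


def pad_from_os_rng(n):
    """n pad letters from the OS CSPRNG (secrets.choice is unbiased)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(n))


def pad_from_time_seed(n, seed):
    """n pad letters from a PRNG seeded with a clock value."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(n))


def otp(text, pad, sign=+1):
    """Add (sign=+1, encrypt) or subtract (sign=-1, decrypt) pad letters mod 26."""
    if len(pad) < len(text):
        raise ValueError("pad shorter than message; pad letters must never be reused")
    return "".join(
        ALPHABET[(ALPHABET.index(t) + sign * ALPHABET.index(p)) % 26]
        for t, p in zip(text, pad)
    )


def seeds_matching(pad, start, end):
    """Clock values in [start, end) that regenerate `pad` exactly."""
    return [s for s in range(start, end) if pad_from_time_seed(len(pad), s) == pad]


if __name__ == "__main__":
    message = "MEETATDAWN"                 # constructed sample, letters only
    pad = pad_from_os_rng(len(message))    # one pad letter per message letter
    cipher = otp(message, pad)
    print(cipher, otp(cipher, pad, -1))

    seed = 1700000000                      # constructed clock value (epoch seconds)
    weak = pad_from_time_seed(20, seed)
    # Audit: an hour-wide window holds 3600 seeds, hence at most 3600 pads.
    print(seeds_matching(weak, seed - 1800, seed + 1800))
```

A hardware or operating-system random source, as the letter goes on to mention, has no short seed of this kind to enumerate.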

 

Good morning Mr. Rawles,  
Readers need to be very careful with encrypted communications. It is illegal for amateur radio operators to broadcast encrypted signals. This should be treated as other illegal activities that we would implement only during a true SHTF situation [where there is no longer a rule of law]. Anonymity in the mass of global communications will provide some protection but Ham operators should be extra vigilant as they are holding a Federal license and they should know better. – G.B.

 

James Wesley:
I am sure you realize this but the principal weakness of a one time pad does not lie in one’s ability to break it by brute force but rather by one’s ability to simply kick down your door and confiscate the pad. The police confiscated firearms during Katrina and could easily confiscate one time pads, computers, radio equipment, etc. as well.

A secure system requires that the key (one time pad or other) also be protected using something like a password-based encryption process, for example. Ultimately, the human is always the weak spot in any crypto system and is the weakness most often exploited by crackers. If your objective is to prevent local law enforcement or government from reading your messages you’re going to need to protect your keys/pads from searches and confiscations. – F.C.

 

JWR,
Thanks for posting my article. I wasn’t sure if it was a little too geeky for the blog, but with all the radio communications articles on the site, I felt that I’d be in good company.

I’ve just read Mike D.’s comments on my one time pad (OTP).  From what I see, I think all of his points are valid.  One of the biggest challenges in writing this was identifying what computer skill set to write to.  The Perl programmer in me wants to use all the latest modules, and make the code as cryptic as possible.  But developing code that way would greatly reduce the audience that could use it.  The reason that I chose to use a simpler method was to provide a solution that did not require a computer science degree to implement, or to ask the readers to trust me completely by writing far more complex code.

To me, this breaks down as follows:

  1. By using words and adding your own keywords instead of pages of letter/character generation, communications are kept short, reducing the probability of direction finding – it’s a tradeoff between air time and code complexity. Note that in a SHTF condition, a force-decode would require special hardware, software, and analysis. Code breaking teams would probably be prioritized on bigger fish.
  2. Using a dictionary as a base, then adding in your own terms, saves a lot of typing; and if you prefer your own word list, I tried to make the code clear where to reference your own source word list.
  3. A smaller code base also allows for ‘open’  and readable code.
  4. By keeping it simple we allow for a larger audience base to use the OTP,  while still needing significant computer resources to force-decode the content – classic 80/20 rule. 
  5. And last, I’ve learned to never let the perfect prevent the good from being implemented. Implement good first, then improve.  

Hopefully those that have a programming background are inspired to create their own version, and those that do not know programming are able to use this solution without too much trouble. – B.R.