In cryptography, the one-time pad (OTP) is an encryption technique that cannot be cracked, but requires the use of a pre-shared key that is the same size as, or longer than, the message being sent. In this technique, a plaintext is paired with a random secret key (also referred to as a one-time pad). Then, each bit or character of the plaintext is encrypted by combining it with the corresponding bit or character from the pad using modular addition. If the key is truly random, at least as long as the plaintext, never reused in whole or in part, and kept completely secret, then the resulting ciphertext will be impossible to decrypt or break. It has also been proven that any cipher with the perfect secrecy property must use keys with effectively the same requirements as OTP keys. Digital versions of one-time pad ciphers have been used by nations for critical diplomatic and military communication, but the problems of secure key distribution have made them impractical for most applications.
First described by Frank Miller in 1882, the one-time pad was re-invented in 1917. On July 22, 1919, U.S. Patent 1,310,719 was issued to Gilbert S. Vernam for the XOR operation used for the encryption of a one-time pad. Derived from his Vernam cipher, the system was a cipher that combined a message with a key read from a punched tape. In its original form, Vernam's system was vulnerable because the key tape was a loop, which was reused whenever the loop made a full cycle. One-time use came later, when Joseph Mauborgne recognized that if the key tape were totally random, then cryptanalysis would be impossible.
The "pad" part of the name comes from early implementations where the key material was distributed as a pad of paper, so that the top sheet could be easily torn off and destroyed after use. For ease of concealment, the pad was sometimes reduced to such a small size that a powerful magnifying glass was required to use it. The KGB used pads of such size that they could fit in the palm of a hand, or in a walnut shell. To increase security, one-time pads were sometimes printed onto sheets of highly flammable nitrocellulose, so that they could easily be burned after use.
There is some ambiguity to the term because some sources use the terms "Vernam cipher" and "one-time pad" synonymously, while others refer to any additive stream cipher as a "Vernam cipher", including those based on a cryptographically secure pseudorandom number generator (CSPRNG).
History
Frank Miller in 1882 was the first to describe the one-time pad system for securing telegraphy.
The next one-time pad system was electrical. In 1917, Gilbert Vernam (of AT&T Corporation) invented and later patented in 1919 (U.S. Patent 1,310,719) a cipher based on teleprinter technology. Each character in a message was electrically combined with a character on a punched paper tape key. Joseph Mauborgne (then a captain in the U.S. Army and later chief of the Signal Corps) recognized that the character sequence on the key tape could be completely random and that, if so, cryptanalysis would be more difficult. Together they invented the first one-time tape system.
The next development was the paper pad system. Diplomats had long used codes and ciphers for confidentiality and to minimize telegraph costs. For the codes, words and phrases were converted to groups of numbers (typically 4 or 5 digits) using a dictionary-like codebook. For added security, secret numbers could be combined with (usually by modular addition) each code group before transmission, with the secret numbers being changed periodically (this was called superencryption). In the early 1920s, three German cryptographers (Werner Kunze, Rudolf Schauffler and Erich Langlotz), who were involved in breaking such systems, realized that they could never be broken if a separate randomly chosen additive number was used for every code group. They had duplicate paper pads printed with lines of random number groups. Each page had a serial number and eight lines. Each line had six 5-digit numbers. A page would be used as a work sheet to encode a message and then destroyed. The serial number of the page would be sent with the encoded message. The recipient would reverse the procedure and then destroy his copy of the page. The German foreign office put this system into operation by 1923.
A separate notion was the use of a one-time pad of letters to encode plaintext directly, as in the example below. Leo Marks describes inventing such a system for the British Special Operations Executive during World War II, though he suspected at the time that it was already known in the highly compartmentalized world of cryptography, as for instance at Bletchley Park.
The final discovery was made by information theorist Claude Shannon in the 1940s, who recognized and proved the theoretical significance of the one-time pad system. Shannon delivered his results in a classified report in 1945 and published them openly in 1949. At the same time, Soviet information theorist Vladimir Kotelnikov had independently proved the absolute security of the one-time pad; his results were delivered in 1941 in a report that apparently remains classified.
Example
Suppose Alice wishes to send the message "HELLO" to Bob. Assume two pads of paper containing identical random sequences of letters were somehow previously produced and securely issued to both. Alice chooses the appropriate unused page from the pad. The way to do this is normally arranged in advance, as for instance 'use the 12th sheet on 1 May', or 'use the next available sheet for the next message'.
The material on the selected sheet is the key for this message. Each letter from the pad will be combined in a predetermined way with one letter of the message. (It is common, but not required, to assign each letter a numerical value, e.g., "A" is 0, "B" is 1, and so on.)
In this example, the technique is to combine the key and the message using modular addition. The numerical values of the corresponding message and key letters are added together, modulo 26. So, if the key material begins with "XMCKL" and the message is "HELLO", then the encoding would be done as follows:
        H      E      L      L      O    message
   7 (H)  4 (E) 11 (L) 11 (L) 14 (O)    message
+ 23 (X) 12 (M)  2 (C) 10 (K) 11 (L)    key
= 30     16     13     21     25        message + key
=  4 (E) 16 (Q) 13 (N) 21 (V) 25 (Z)    (message + key) mod 26
        E      Q      N      V      Z    -> ciphertext
If a number is larger than 25, then the remainder after subtraction of 26 is taken, in modular arithmetic fashion. This simply means that if the computation "goes past" Z, the sequence starts again at A.
The ciphertext to be sent to Bob is thus "EQNVZ". Bob uses the matching key page and the same process, but in reverse, to obtain the plaintext. Here the key is subtracted from the ciphertext, again using modular arithmetic:
        E      Q      N      V      Z    ciphertext
   4 (E) 16 (Q) 13 (N) 21 (V) 25 (Z)    ciphertext
- 23 (X) 12 (M)  2 (C) 10 (K) 11 (L)    key
= -19     4     11     11     14        ciphertext - key
=  7 (H)  4 (E) 11 (L) 11 (L) 14 (O)    (ciphertext - key) mod 26
        H      E      L      L      O    -> message
Similar to the above, if a number is negative, then 26 is added to make the number zero or higher.
Thus Bob recovers Alice's plaintext, the message "HELLO". Both Alice and Bob destroy the key sheet immediately after use, thus preventing reuse and an attack against the cipher. The KGB often issued its agents one-time pads printed on tiny sheets of "flash paper", paper chemically converted to nitrocellulose, which burns almost instantly and leaves no ash.
The classical one-time pad of espionage used actual pads of minuscule, easily concealed paper, a sharp pencil, and some mental arithmetic. The method can now be implemented as a software program, using data files as input (plaintext), output (ciphertext) and key material (the required random sequence). The XOR operation is often used to combine the plaintext and the key elements, and is especially attractive on computers since it is usually a native machine instruction and therefore very fast. However, it is difficult to ensure that the key material is actually random, is used only once, never becomes known to the opposition, and is completely destroyed after use. The auxiliary parts of a software one-time pad implementation present real challenges: secure handling and transmission of the plaintext, truly random keys, and one-time-only use of the key.
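The software form of the pad described in the paragraph above, as an added example written for this edit (Python; it is not code from the original article or from any named implementation). The XOR combination is the article's; the PadStore class, its method names, the in-memory bytearray standing in for a pad file, and the cursor-based "consume once, then wipe" bookkeeping are this example's own design choices. Key bytes come from secrets.token_bytes, the OS CSPRNG, which is the correct library call but still not the true random source the article requires.

```python
# Added example: byte-oriented one-time pad with XOR and one-time-use accounting.
# PadStore, take(), encrypt()/decrypt() and the cursor protocol are assumptions of
# this example, not part of the article or of any real product.

import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings (the native-instruction combiner)."""
    return bytes(x ^ y for x, y in zip(a, b))


class PadStore:
    """A shared pad plus a cursor. Both parties hold an identical copy and must
    consume it in the same order; the offset travels with the ciphertext in clear."""

    def __init__(self, pad: bytes):
        self._pad = bytearray(pad)   # mutable so consumed bytes can be overwritten
        self._used = 0               # everything below this offset is gone for good

    @classmethod
    def generate(cls, length: int) -> "PadStore":
        # OS CSPRNG output; a real pad wants a physical entropy source (see True randomness).
        return cls(secrets.token_bytes(length))

    def remaining(self) -> int:
        return len(self._pad) - self._used

    def take(self, offset: int, n: int) -> bytes:
        """Hand out n key bytes at `offset` and destroy them. Any offset that overlaps
        already-consumed material is refused: that refusal *is* the one-time rule."""
        if offset < self._used:
            raise ValueError("pad reuse refused: offset already consumed")
        if offset + n > len(self._pad):
            raise ValueError("pad exhausted: a fresh pad is needed, never a reused one")
        chunk = bytes(self._pad[offset:offset + n])
        self._pad[offset:offset + n] = b"\x00" * n   # best-effort wipe (see data remanence)
        self._used = offset + n
        return chunk

    def encrypt(self, plaintext: bytes) -> tuple:
        """Returns (offset, ciphertext); the offset tells the receiver which key bytes to use."""
        offset = self._used
        return offset, xor_bytes(plaintext, self.take(offset, len(plaintext)))

    def decrypt(self, offset: int, ciphertext: bytes) -> bytes:
        return xor_bytes(ciphertext, self.take(offset, len(ciphertext)))


def demo() -> bool:
    """Two parties share one pad; the second attempt to use the same key bytes fails."""
    pad = secrets.token_bytes(64)
    alice, bob = PadStore(pad), PadStore(pad)      # identical copies issued in advance
    off, ct = alice.encrypt(b"attack at dawn")
    ok = bob.decrypt(off, ct) == b"attack at dawn"
    try:
        bob.decrypt(off, ct)                       # same offset again: must be refused
        return False
    except ValueError:
        return ok


if __name__ == "__main__":
    print("one-time rule enforced:", demo())
```

Because Bob's copy is wiped on decryption as well, a lost or corrupted ciphertext cannot be decrypted a second time; that is the trade-off behind "one-time-only use of the key", and it is why the plaintext itself has to be handled securely on both ends. Overwriting a Python bytearray is only a gesture at destruction: the returned chunk and any copies the interpreter made are still in memory, which is the software echo of the burn-after-use paper pad.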
Attempt at cryptanalysis
To continue the example from above, suppose Eve intercepts Alice's ciphertext: "EQNVZ". If Eve had infinite time, she would find that the key "XMCKL" would produce the plaintext "HELLO", but she would also find that the key "TQURI" would produce the plaintext "LATER", an equally plausible message:
   4 (E) 16 (Q) 13 (N) 21 (V) 25 (Z)    ciphertext
- 19 (T) 16 (Q) 20 (U) 17 (R)  8 (I)    possible key
= -15     0     -7      4     17        ciphertext - key
= 11 (L)  0 (A) 19 (T)  4 (E) 17 (R)    (ciphertext - key) mod 26
In fact, it is possible to "decrypt" out of the ciphertext any message whatsoever with the same number of characters, simply by using a different key, and there is no information in the ciphertext that will allow Eve to choose among the various possible readings of the ciphertext.
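The Example section and Eve's key search above, as an added example written for this edit (Python; not code from the original article or any named implementation). The A=0 ... Z=25 mapping and the mod-26 addition are the article's; the function names, the refusal of a key shorter than the message, and the use of the secrets module for fresh key letters are this example's own choices. key_for() is Eve's computation: the key that turns the intercepted "EQNVZ" into any chosen five-letter plaintext, which is why she cannot pick one.

```python
# Added example: letter-based one-time pad (mod 26) and the "every plaintext
# has a key" computation from the cryptanalysis section. Names are this example's own.

import secrets
import string

ALPHABET = string.ascii_uppercase   # A=0, B=1, ..., Z=25 as in the article


def _check(text: str, key: str) -> None:
    # A pad shorter than the message cannot be used. A longer pad is fine, but the
    # unused remainder must never be recycled for a later message.
    if len(key) < len(text):
        raise ValueError("key material shorter than message: refusing to proceed")
    if any(ch not in ALPHABET for ch in text + key):
        raise ValueError("only A-Z are handled in this letter pad")


def otp_encrypt(plaintext: str, key: str) -> str:
    """Ciphertext letter = (message + key) mod 26, letter by letter."""
    _check(plaintext, key)
    return "".join(
        ALPHABET[(ALPHABET.index(m) + ALPHABET.index(k)) % 26]
        for m, k in zip(plaintext, key)
    )


def otp_decrypt(ciphertext: str, key: str) -> str:
    """Message letter = (ciphertext - key) mod 26; Python's % already adds 26 to negatives."""
    _check(ciphertext, key)
    return "".join(
        ALPHABET[(ALPHABET.index(c) - ALPHABET.index(k)) % 26]
        for c, k in zip(ciphertext, key)
    )


def key_for(ciphertext: str, wanted_plaintext: str) -> str:
    """Eve's step: the unique key under which `ciphertext` reads as `wanted_plaintext`.
    Since key = (c - m) mod 26, this is just decryption with the roles swapped.
    One such key exists for *every* candidate, so the ciphertext alone says nothing."""
    if len(ciphertext) != len(wanted_plaintext):
        raise ValueError("candidate plaintext must match the ciphertext length")
    return otp_decrypt(ciphertext, wanted_plaintext)


def fresh_key(length: int) -> str:
    """Key letters from the OS CSPRNG; a real pad needs a true random source."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    c = otp_encrypt("HELLO", "XMCKL")
    print(c)                          # EQNVZ
    print(otp_decrypt(c, "XMCKL"))    # HELLO
    print(key_for(c, "LATER"))        # TQURI
    print(key_for(c, "WORLD"))        # another equally valid key
```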
Perfect secrecy
One-time pads are "information-theoretically secure" in that the encrypted message (i.e., the ciphertext) provides no information about the original message to a cryptanalyst (except the maximum possible length of the message). This is a very strong notion of security first developed during World War II by Claude Shannon and proved, mathematically, to be true for the one-time pad by Shannon at about the same time. His result was published in the Bell System Technical Journal in 1949. Properly used, one-time pads are secure in this sense even against adversaries with infinite computational power.
Claude Shannon proved, using information theory considerations, that the one-time pad has a property he termed perfect secrecy; that is, the ciphertext C gives absolutely no additional information about the plaintext. This is because, given a truly random key that is used only once, a ciphertext can be translated into any plaintext of the same length, and all are equally likely. Thus, the a priori probability of a plaintext message M is the same as the a posteriori probability of a plaintext message M given the corresponding ciphertext. Mathematically, this is expressed as H(M) = H(M | C), where H(M) is the entropy of the plaintext and H(M | C) is the conditional entropy of the plaintext given the ciphertext C. This implies that for every message M and corresponding ciphertext C, there must be at least one key K that binds them. In other words, if you need to be able to go from any plaintext in the message space M to any cipher in the cipher space C (encryption) and from any cipher in the cipher space C to any plaintext in the message space M (decryption), you need at least as many keys as there are possible messages (and all keys must be used with equal probability to ensure perfect secrecy).
Conventional symmetric encryption algorithms use complex patterns of substitution and transposition. For the best of these currently in use, it is not known whether there can be a cryptanalytic procedure that can reverse (or, usefully, partially reverse) these transformations without knowing the key used during encryption. Asymmetric encryption algorithms depend on mathematical problems that are thought to be difficult to solve, such as integer factorization and discrete logarithms. However, there is no proof that these problems are hard, and a mathematical breakthrough could make existing systems vulnerable to attack.
Given perfect secrecy, in contrast to conventional symmetric encryption, the OTP is immune even to brute-force attacks. Trying all keys simply yields all plaintexts, all equally likely to be the actual plaintext. Even with known plaintext, such as part of the message being known, brute-force attacks cannot be used, since an attacker is unable to gain any information about the parts of the key needed to decrypt the rest of the message. The parts that are known will reveal only the parts of the key corresponding to them, and they correspond on a strictly one-to-one basis; no part of the key is dependent on any other part.
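The argument above, carried through for the mod-26 scheme of the Example section, added here as a worked derivation that is not part of the original article. Take a message of n letters, and let the key K be uniform over the 26^n possible key strings and independent of M. For any fixed plaintext m and ciphertext c,

    Pr[C = c | M = m] = Pr[K = (c - m) mod 26] = 1 / 26^n,

which does not depend on m. Summing over all messages,

    Pr[C = c] = sum over m of Pr[M = m] * Pr[C = c | M = m] = 1 / 26^n,

so by Bayes' rule

    Pr[M = m | C = c] = Pr[M = m] * Pr[C = c | M = m] / Pr[C = c] = Pr[M = m].

The a posteriori distribution of M equals the a priori one, which is exactly H(M) = H(M | C). The counting requirement follows from the same table: for a fixed c, each of the 26^n plaintexts must be reachable through some key, so there must be at least as many keys as plaintexts; the one-time pad meets this bound with equality, using one key string per possible message.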
Problems
Despite Shannon's proof of its security, the one-time pad has serious drawbacks in practice because it requires:
- Truly random (as opposed to pseudorandom) one-time pad values, which is a non-trivial requirement. See pseudorandom number generator.
- Secure generation and exchange of the one-time pad values, which must be at least as long as the message. (The security of the one-time pad is only as secure as the security of the one-time pad exchange.)
- Careful treatment to make sure that it continues to remain secret, and is disposed of correctly, preventing any reuse in whole or in part, hence "one time". See data remanence for a discussion of the difficulties in completely erasing computer media.
One-time pads solve few current practical problems in cryptography. High-quality ciphers are widely available and their security is not considered a major worry at present. Such ciphers are almost always easier to employ than one-time pads; the amount of key material that must be properly generated and securely distributed is far smaller, and public-key cryptography overcomes this problem.
Key distribution
Because the pad, like all shared secrets, must be passed and kept secure, and the pad has to be at least as long as the message, there is often no point in using one-time padding, as one can simply send the plaintext instead of the pad (both can be the same size and both have to be sent securely). However, once a very long pad has been securely sent (e.g., a computer disk full of random data), it can be used for numerous future messages, until the sum of their sizes equals the size of the pad. Quantum key distribution also proposes a solution to this problem.
Distributing very long one-time pad keys is inconvenient and usually poses a significant security risk. The pad is essentially the encryption key, but unlike keys for modern ciphers, it must be extremely long and is far too difficult for humans to remember. Storage media such as thumb drives, DVD-Rs or personal digital audio players can be used to carry a very large one-time pad from place to place in a non-suspicious way, but even so the need to transport the pad physically is a burden compared to the key negotiation protocols of a modern public-key cryptosystem, and such media cannot reliably be erased securely by any means short of physical destruction (e.g., incineration). A 4.7 GB DVD-R full of one-time pad data, if shredded into particles 1 mm² in size, leaves over 4 megabits of (admittedly hard to recover, but not impossibly so) data on each particle. In addition, the risk of compromise during transit (for example, a pickpocket swiping, copying and replacing the pad) is likely to be much greater in practice than the likelihood of compromise for a cipher such as AES. Finally, the effort needed to manage one-time pad key material scales very badly for large networks of communicants; the number of pads required goes up as the square of the number of users freely exchanging messages. For communication between only two persons, or a star network topology, this is less of a problem.
The key material must be securely disposed of after use, to ensure the key material is never reused and to protect the messages sent. Because the key material must be transported from one endpoint to another, and persist until the message is sent or received, it can be more vulnerable to forensic recovery than the transient plaintext it protects (see data remanence).
Authentication
As traditionally used, one-time pads provide no message authentication, the lack of which can pose a security threat in real-world systems. For example, an attacker who knows that the message contains "meet jane and me tomorrow at three thirty pm" can derive the corresponding codes of the pad directly from the two known elements (the encrypted text and the known plaintext). The attacker can then replace that text by any other text of exactly the same length, such as "three thirty meeting is cancelled, stay home". The attacker's knowledge of the one-time pad is limited to this byte length, which must be maintained for any other content of the message to remain valid. This is a little different from malleability, where it is not necessarily taken that the plaintext is known. See also stream cipher attack.
Standard techniques to prevent this, such as the use of a message authentication code, can be used along with a one-time pad system to prevent such attacks, as can classical methods such as variable-length padding and Russian copulation, but they all lack the perfect security the OTP itself has. Universal hashing provides a way to authenticate messages up to an arbitrary security bound (i.e., for any p > 0, a large enough hash ensures that even a computationally unbounded attacker's probability of successful forgery is less than p), but this uses additional random data from the pad, and removes the possibility of implementing the system without a computer.
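The known-plaintext substitution from the Authentication section, and the universal-hash remedy, as one added example written for this edit (Python; not code from the original article or from any named implementation). forge() is the attacker's step: with the plaintext known, XORing the ciphertext with (old XOR new) makes it decrypt to the replacement under the same pad. The MAC is a Wegman-Carter construction chosen for this example: a polynomial hash over the prime field 2^61 - 1 with 7-byte blocks, keyed by 16 fresh pad bytes per message; the field, block size, key layout and the two messages are this example's own choices.

```python
# Added example: bit-flip forgery against an unauthenticated pad, and a one-time
# MAC from a universal hash keyed by extra pad material. Constants and names are
# this example's assumptions, not anything specified by the article.

import secrets

P = (1 << 61) - 1   # Mersenne prime; 7-byte (56-bit) blocks are always below it
BLOCK = 7


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def forge(ciphertext: bytes, known_plaintext: bytes, new_plaintext: bytes) -> bytes:
    """Eve knows p, so c XOR p XOR p' decrypts to p' under the same pad bytes.
    She learns nothing about pad bytes outside this span, and needs nothing."""
    if len(known_plaintext) != len(new_plaintext):
        raise ValueError("replacement must keep exactly the same length")
    return xor_bytes(ciphertext, xor_bytes(known_plaintext, new_plaintext))


def poly_hash(r: int, msg: bytes) -> int:
    """h_r(m) = m_0 r^L + m_1 r^(L-1) + ... + len(m) (mod P), Horner form, over
    7-byte blocks with a trailing length block. Two distinct messages collide only
    when r is a root of a nonzero polynomial of degree <= L+1: probability <= (L+1)/P."""
    blocks = [int.from_bytes(msg[i:i + BLOCK], "big") for i in range(0, len(msg), BLOCK)]
    blocks.append(len(msg))
    acc = 0
    for b in blocks:
        acc = (acc * r + b) % P
    return acc


def mac_keys(pad: bytes) -> tuple:
    """Consume 16 fresh pad bytes: 8 for the hash key r, 8 for the mask s. In the
    classic Wegman-Carter scheme r may be kept across messages if s is fresh each
    time; here both are taken fresh. r == 0 would be a weak key (probability 2^-61)."""
    r = int.from_bytes(pad[:8], "big") % P
    s = int.from_bytes(pad[8:16], "big") % P
    return r, s


def tag(ciphertext: bytes, r: int, s: int) -> int:
    # One-time MAC over the ciphertext: (h_r(c) + s) mod P. The mask s hides h_r(c),
    # so an unbounded attacker still forges with probability at most (L+1)/P.
    return (poly_hash(r, ciphertext) + s) % P


def verify(ciphertext: bytes, t: int, r: int, s: int) -> bool:
    return tag(ciphertext, r, s) == t


def scenario() -> dict:
    """The article's two 44-byte messages: the forgery decrypts cleanly but fails the MAC."""
    p = b"meet jane and me tomorrow at three thirty pm"
    p2 = b"three thirty meeting is cancelled, stay home"
    pad = secrets.token_bytes(len(p) + 16)          # message bytes + MAC key bytes
    c = xor_bytes(p, pad[:len(p)])
    r, s = mac_keys(pad[len(p):])
    t = tag(c, r, s)
    c_forged = forge(c, p, p2)
    return {
        "forged_decrypts_to": xor_bytes(c_forged, pad[:len(p)]),   # what Bob would read
        "original_verifies": verify(c, t, r, s),
        "forged_verifies": verify(c_forged, t, r, s),
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(k, v)
```

The MAC spends 16 pad bytes per message on top of the message length, which is the "additional random data from the pad" the text mentions; like the encryption bytes, they must never be reused. The tag is taken over the ciphertext rather than the plaintext so the receiver can reject a forgery before decrypting anything.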
True randomness
High-quality random numbers are difficult to generate. The random number generation functions in most programming language libraries are not suitable for cryptographic use. Even those generators that are suitable for normal cryptographic use, including /dev/random and many hardware random number generators, may make some use of cryptographic functions whose security has not been proven. An example of how true randomness can be achieved is by measuring radioactive emissions.
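What goes wrong when a library PRNG stands in for a pad, as an added example written for this edit (Python; not code from the original article or any named implementation). The "pad" is produced by Python's random module (a Mersenne Twister) from a seed drawn from a deliberately small space, a constructed worst case and not a claim about any real system. An attacker who knows the generator and a fixed message header brute-forces the seed and reads the whole message; strong_pad() shows the correct library call, secrets.token_bytes, which is OS CSPRNG output and still not the true randomness the text asks for. Message text, header and seed range are this example's inventions.

```python
# Added example: a "pad" from a seeded library PRNG is a key of a few bits, not a pad.
# The seed space, message and header are constructed for this example.

import random
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def weak_pad(seed: int, length: int) -> bytes:
    """Pad bytes from a seeded Mersenne Twister: entirely determined by the seed."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


def strong_pad(length: int) -> bytes:
    """OS CSPRNG output: the right library call, though still not a physical entropy source."""
    return secrets.token_bytes(length)


def recover_seed(ciphertext: bytes, known_prefix: bytes, max_seed: int):
    """Brute-force the seed: the correct one turns the ciphertext prefix into the known
    header. An 8-byte header keeps accidental matches at roughly max_seed / 2^64."""
    n = len(known_prefix)
    for seed in range(max_seed):
        if xor_bytes(ciphertext[:n], weak_pad(seed, n)) == known_prefix:
            return seed
    return None


def demo(seed: int = 12345) -> bytes:
    """Encrypt with the weak pad, then recover the entire message from the header alone."""
    plaintext = b"MSG 0042: rendezvous postponed"
    ct = xor_bytes(plaintext, weak_pad(seed, len(plaintext)))
    found = recover_seed(ct, b"MSG 0042", 1 << 14)   # header format assumed known to Eve
    if found is None:
        return b""
    return xor_bytes(ct, weak_pad(found, len(ct)))   # not just the header: everything


if __name__ == "__main__":
    print(demo())                  # the whole plaintext, from a known 8-byte header
    print(len(strong_pad(32)))     # 32 bytes with no seed to search for
```

The seed search is the crudest attack; the Mersenne Twister is also fully recoverable from 624 consecutive 32-bit outputs with no search at all, so a larger seed would not rescue this design. The contrast with the "perfect secrecy" argument is the point: a seeded generator has far fewer possible keys than possible messages, so the counting requirement fails and the ciphertext does carry information about the plaintext.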
In particular, one-time use is absolutely necessary. If a one-time pad is used just twice, simple mathematical operations can reduce it to a running key cipher. If both plaintexts are in a natural language (e.g., English or Russian) then, even though both are secret, each stands a very high chance of being recovered by heuristic cryptanalysis, with possibly a few ambiguities. Of course the longer message can only be broken for the portion that overlaps the shorter message, plus perhaps a little more by completing a word or phrase. The most famous exploitation of this vulnerability occurred with the Venona project.
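The "used just twice" failure above, as an added example written for this edit (Python; not code from the original article or any named implementation). XORing two ciphertexts made with the same pad cancels the pad and leaves the XOR of the two plaintexts; sliding a guessed word (a crib) along that residue exposes the other plaintext wherever the guess lands correctly, which is the running-key attack the text refers to. The two messages, the crib "midnight", and the letters-and-spaces plausibility heuristic are this example's constructions.

```python
# Added example: two-time pad. Messages, crib and the text heuristic are constructed here.

import secrets

PLAUSIBLE = set(b"abcdefghijklmnopqrstuvwxyz ")   # what the sample plaintexts are made of


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def two_time_residue(c1: bytes, c2: bytes) -> bytes:
    """c1 XOR c2 == p1 XOR p2 when both used the same pad: the key cancels out,
    and only the overlapping length remains attackable."""
    n = min(len(c1), len(c2))
    return xor_bytes(c1[:n], c2[:n])


def looks_like_text(chunk: bytes) -> bool:
    """Stand-in for the 'heuristic cryptanalysis' of the text: letters and spaces only."""
    return all(b in PLAUSIBLE for b in chunk)


def crib_drag(residue: bytes, crib: bytes) -> list:
    """Try the crib at every offset; where it is right, residue XOR crib is a readable
    fragment of the *other* message. Returns (offset, fragment) candidates."""
    hits = []
    for i in range(len(residue) - len(crib) + 1):
        candidate = xor_bytes(residue[i:i + len(crib)], crib)
        if looks_like_text(candidate):
            hits.append((i, candidate))
    return hits


def demo() -> dict:
    p1 = b"the package arrives at midnight"
    p2 = b"meet the courier at the old pier"
    pad = secrets.token_bytes(max(len(p1), len(p2)))
    c1 = xor_bytes(p1, pad)   # pad used once ...
    c2 = xor_bytes(p2, pad)   # ... and again: the mistake
    residue = two_time_residue(c1, c2)
    hits = crib_drag(residue, b"midnight")
    # At the correct offset (23 here) the fragment of p2 appears, and the pad bytes
    # for that span follow at once: pad[i:j] = c1[i:j] XOR crib.
    pad_segment = xor_bytes(c1[23:31], b"midnight")
    return {"residue": residue, "hits": hits, "pad_segment_ok": pad_segment == pad[23:31]}


if __name__ == "__main__":
    for offset, fragment in demo()["hits"]:
        print(offset, fragment)
```

Each confirmed fragment widens the known text on one side, which is then dragged back across the residue to extend the other side; that alternation is how a two-time pad unravels word by word, limited to the overlap of the two messages, exactly as the text describes.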
Uses
Applicability
Despite its problems, the one-time pad retains some practical interest. In some hypothetical espionage situations, the one-time pad might be useful because it can be computed by hand with only pencil and paper. Indeed, nearly all other high-quality ciphers are entirely impractical without computers. Spies can receive their pads in person from their "handlers". In the modern world, however, computers (such as those embedded in personal electronic devices like mobile phones) are so ubiquitous that possessing a computer suitable for performing conventional encryption (for example, a phone that can run concealed cryptographic software) will usually not attract suspicion.
- The one-time pad is the optimum cryptosystem with theoretically perfect secrecy.
- The one-time pad is one of the most practical methods of encryption where one or both parties must do all the work by hand, without the aid of a computer. This made it important in the pre-computer era, and it could conceivably still be useful in situations where possession of a computer is illegal or incriminating, or where trustworthy computers are not available.
- One-time pads are practical in situations where two parties in a secure environment must be able to depart from one another and communicate from two separate secure environments with perfect secrecy.
- The one-time pad can be used in superencryption.
- The algorithm most commonly associated with quantum key distribution is the one-time pad.
- The one-time pad is mimicked by stream ciphers.
- The one-time pad can be part of an introduction to cryptography.
Historical uses
One-time pads have been used in special circumstances since the early 1900s. In 1923, it was employed for diplomatic communications by the German diplomatic establishment. The Weimar Republic Diplomatic Service began using the method in about 1920. The breaking of poor Soviet cryptography by the British, with messages made public for political reasons in two instances in the 1920s (the ARCOS case), appears to have induced the Soviet Union to adopt one-time pads for some purposes by around 1930. KGB spies are also known to have used pencil and paper one-time pads more recently. Examples include Colonel Rudolf Abel, who was arrested and convicted in New York City in the 1950s, and the 'Krogers' (i.e., Morris and Lona Cohen), who were arrested and convicted of espionage in the United Kingdom in the early 1960s. Both were found with physical one-time pads in their possession.
A number of nations have used one-time pad systems for their sensitive traffic. Leo Marks reports that the British Special Operations Executive used one-time pads in World War II to encode traffic between its offices. One-time pads for use with its overseas agents were introduced late in the war. A few British one-time tape cipher machines include the Rockex and Noreen. The German Stasi Sprach machine was also capable of using one-time tape, which East Germany, Russia, and even Cuba used to send encrypted messages to their agents.
The World War II voice scrambler SIGSALY was also a form of one-time system. It added noise to the signal at one end and removed it at the other end. The noise was distributed to the channel ends in the form of large shellac records that were manufactured in unique pairs. There were both starting synchronization and longer-term phase drift problems that arose and were solved before the system could be used.
The hotline between Moscow and Washington D.C., established in 1963 after the Cuban missile crisis, used teleprinters protected by a commercial one-time tape system. Each country prepared the keying tapes used to encode its messages and delivered them via its embassy in the other country. A unique advantage of the OTP in this case was that neither country had to reveal more sensitive encryption methods to the other.
U.S. Army Special Forces used one-time pads in Vietnam. By using Morse code with one-time pads and continuous-wave radio transmission (the carrier for Morse code), they achieved both secrecy and reliable communications.
During the 1983 invasion of Grenada, U.S. forces found a supply of pairs of one-time pad books in a Cuban warehouse.
Starting in 1988, the African National Congress (ANC) used disk-based one-time pads as part of a secure communication system between ANC leaders outside South Africa and in-country operatives as part of Operation Vula, a successful effort to build a resistance network inside South Africa. Random numbers on the disk were erased after use. A Belgian airline stewardess acted as courier to bring in the pad disks. A regular resupply of new disks was needed, as they were used up fairly quickly. One problem with the system was that it could not be used for secure data storage. Later, Vula added a stream cipher keyed by book codes to solve this problem.
A related notion is the one-time code: a signal, used only once, e.g., "Alpha" for "mission completed", "Bravo" for "mission failed" or even "Torch" for "Allied invasion of French North Africa", cannot be "decrypted" in any reasonable sense of the word. Understanding the message will require additional information, often 'depth' of repetition, or some traffic analysis. However, such strategies (though often used by real operatives, and by baseball coaches) are not a cryptographic one-time pad in any significant sense.
NSA
At least into the 1970s, the U.S. National Security Agency (NSA) produced a variety of manual one-time pads, both general purpose and specialized, with 86,000 one-time pads produced in fiscal year 1972. Special-purpose pads were produced for what NSA called "pro forma" systems, where "the basic framework, form or format of every message text is identical or nearly so; the same kind of information, message after message, is to be presented in the same order, and only specific values, like numbers, change with each message." Examples included a nuclear launch message and radio direction-finding reports (COMUS).
General-purpose pads were produced in several formats: a simple list of random letters (DIANA) or just numbers (CALYPSO), tiny pads for covert agents (MICKEY MOUSE), and pads designed for more rapid encoding of short messages, at the cost of lower density. One example, ORION, had 50 rows of plaintext alphabets on one side and the corresponding random ciphertext letters on the other side. By placing a sheet on top of a piece of carbon paper with the carbon face up, one could circle one letter in each row on one side and the corresponding letter on the other side would be circled by the carbon paper. Thus one ORION sheet could quickly encode or decode a message up to 50 characters long. Production of ORION pads required printing both sides in exact registration, a difficult process, so NSA switched to another pad format, MEDEA, with 25 rows of paired alphabets and random characters. (See Commons:Category:NSA one-time pads for illustrations.)
The NSA also built automated systems for the "centralized headquarters of CIA and Special Forces units so that they can efficiently process the many separate one-time pad messages to and from individual pad holders in the field."
During World War II and into the 1950s, the U.S. made extensive use of one-time tape systems. In addition to providing confidentiality, circuits secured by one-time tape ran continually, even when there was no traffic, thus protecting against traffic analysis. In 1955, NSA produced some 1,660,000 rolls of one-time tape. Each roll was 8 inches in diameter, contained 100,000 characters, lasted 166 minutes and cost $4.55 to produce. By 1972, only 55,000 rolls were produced, as one-time tapes were replaced by rotor machines such as SIGTOT, and later by electronic devices based on shift registers. The NSA describes one-time tape systems like 5-UCO and SIGTOT as being used for intelligence traffic until the introduction of the electronic cipher machine KW-26 in 1957.
Exploits
While one-time pads provide perfect secrecy if generated and used properly, small mistakes can lead to successful cryptanalysis:
- In 1944-1945, the U.S. Army's Signals Intelligence Service was able to solve a one-time pad system used by the German Foreign Office for its high-level traffic, codenamed GEE. GEE was insecure because the pads were not sufficiently random; the machine used to generate the pads produced predictable output.
- In 1945, the U.S. discovered that Canberra-Moscow messages were being encrypted first using a codebook and then using a one-time pad. However, the one-time pad used was the same one used by Moscow for Washington, D.C.-Moscow messages. Combined with the fact that some of the Canberra-Moscow messages included known British government documents, this allowed some of the encrypted messages to be broken.
- One-time pads were employed by Soviet espionage agencies for covert communications with agents and agent controllers. Analysis has shown that these pads were generated by typists using actual typewriters. This method is of course not truly random, as it makes certain convenient key sequences more likely than others, yet it proved to be generally effective: while a person will not produce truly random sequences, they equally do not follow the kind of structured mathematical rules that a machine would, and each person generates keys in a different way, making attacking any message challenging. Without copies of the key material used, only some defect in the generation method or reuse of keys offered much hope of cryptanalysis. Beginning in the late 1940s, U.S. and U.K. intelligence agencies were able to break some of the Soviet one-time pad traffic to Moscow during World War II as a result of errors made in generating and distributing the key material. One suggestion is that Moscow Centre personnel were somewhat rushed by the presence of German troops just outside Moscow in late 1941 and early 1942, and they produced more than one copy of the same key material during that period. This decades-long effort was finally codenamed VENONA (BRIDE had been an earlier name); it produced a considerable amount of information, including more than a little about some of the Soviet atomic spies. Even so, only a small percentage of the intercepted messages were either fully or partially decrypted (a few thousand out of several hundred thousand).
- The one-time tape systems used by the U.S. employed electromechanical mixers to combine bits from the message and the one-time tape. These mixers radiated considerable electromagnetic energy that could be picked up by an adversary at some distance from the encryption equipment. This effect, first noticed by Bell Labs during World War II, could allow interception and recovery of the plaintext of messages being transmitted, a vulnerability code-named Tempest.
External links
- Detailed description and history of the one-time pad, with examples and images, on Cipher Machines and Cryptology
- FreeS/WAN glossary entry with discussion of OTP weaknesses
Source of the article: Wikipedia