Introduction
One time pads are the only encryption system that has been proven to be theoretically unbreakable. That said, one time pads suffer from two main flaws:
One time pads can be quite attractive for encrypting small amounts of data, for example to exchange passwords over an insecure channel, when other more sophisticated methods are not available. For an early version of my PictaTrove web server I implemented a one time pad system to protect passwords that were entered through the remote administration interface. The one time pad system is comprised of three main components:
Key Generation Utility
Of these three pieces the only one that is questionable in a cryptographic sense is the key generation utility. Here is how I have approached the problem of producing a "random" set of keys for the pad:
The key weakness of this is that the process is completely deterministic. If you know:
then the program would always produce exactly the same one time pad file. However, the exact time of running is not known (though it could be reduced to a range of times based on the timestamp of the otp.txt file), the directory that was used as a source of files is not known, and the random text is not known, so even if an attacker can gain access to the computer where the pad was generated it would take a lot of effort to create a duplicate pad. In fact, it would be vastly simpler to just look for the otp.txt file and make a copy. Once you consider this, it becomes apparent that any theoretical weakness in the way that the pad file is created is far less significant than the risk of the pad file being discovered and copied.

The Python program to make a one time pad is here: makeotp.py.

Client Side Javascript
To make use of this to protect some data that you enter on a web form you would arrange for the user to have two text entry fields, one to enter the data and a second to enter a key from his copy of the one time pad. When the server generates the HTML for the form it will include the line number of the key that the user should use from the one time pad. The user can then do a simple copy/paste operation to place the 64 hex characters that make up the key into the form. Note: this limits the amount of data that can be encrypted at once to 32 bytes, though you could always enter more keys to encrypt more data if needed.

You then set up the page so that when the user hits the submit button a fragment of Javascript runs in the browser to read the key value, use it to encrypt the data and send the result to the server. This one-time-pad-example.html page is an example of the HTML and Javascript for such a form. It is public domain so use it if you want. In it I unpack the hex key to binary, combine it with the password to be protected and then re-encode back to hex to send the result to the server (along with a user name that is not protected).
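
The client-side step described above and its server-side inverse, as an added example that is not the page's one-time-pad-example.html or makeotp.py. It assumes the key and data are combined by byte-wise XOR; the zero padding, the reuse check and every function name are assumptions made for this sketch.

```javascript
// Added example. Assumptions: "combine" means byte-wise XOR; all names are
// hypothetical; SAMPLE_PAD is constructed and NOT random (a real pad must be).
const KEY_BYTES = 32; // one pad line = 64 hex characters
const SAMPLE_PAD = [
  "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",
  "ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100",
];

function hexToBytes(hex) {
  if (!/^[0-9a-fA-F]{64}$/.test(hex)) throw new Error("expected 64 hex characters");
  return Uint8Array.from(hex.match(/../g), (h) => parseInt(h, 16));
}

function bytesToHex(bytes) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Browser side: zero-pad the data to the full 32 bytes so the ciphertext
// length does not reveal the password length, then XOR with the pad key.
function encryptField(password, keyHex) {
  const key = hexToBytes(keyHex.trim()); // tolerate copy/paste whitespace
  const data = new TextEncoder().encode(password);
  if (data.length > KEY_BYTES) throw new Error("one key protects at most 32 bytes");
  if (data.includes(0)) throw new Error("NUL is reserved as padding");
  const block = new Uint8Array(KEY_BYTES); // zero-filled
  block.set(data);
  return bytesToHex(block.map((b, i) => b ^ key[i]));
}

// Server side: use the line number the server put in the form, refuse a line
// that was already consumed, then XOR again and strip the zero padding.
function decryptField(cipherHex, lineNo, pad, usedLines) {
  if (!Number.isInteger(lineNo) || lineNo < 0 || lineNo >= pad.length) {
    throw new Error("unknown pad line");
  }
  if (usedLines.has(lineNo)) throw new Error("pad line already used");
  usedLines.add(lineNo); // burn the key even if decoding fails later
  const key = hexToBytes(pad[lineNo]);
  const block = hexToBytes(cipherHex).map((b, i) => b ^ key[i]);
  const end = block.indexOf(0);
  return new TextDecoder().decode(block.subarray(0, end < 0 ? KEY_BYTES : end));
}
```

XOR with a pad key gives confidentiality only: anyone able to modify the request can flip chosen bits of the recovered value, so the server should still treat the decrypted field as untrusted input.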