Perry Metzger writes:
Doug Hughes writes:
How about WWW one time pad servers? You browse to your favorite OTP server, which has a random number generator running in the background. You tell it to give you a block of X bytes, and mail it to persons 1, 2, 3, ... N.
Do I get you wrong, or are you proposing the mailing of one time pads in the clear?
Not necessarily. It could be sent any number of different ways. Heck, you could mail (email, US, fedex) a bunch of passphrases or whatever to a site (as an extreme example) to xor with the random number string. They send you the product, you xor with your passphrases in the appropriate order, and you have the true random number string. Of course the feds could just get a court order and snarf all your passphrases or keys if it was in this country. People would probably be better off using a server in another country and having the pad sent to them encrypted or hashed in some fashion.
Enough of these things would be REALLY tough to monitor...
The NSA is willing to monitor virtually all international telecommunications traffic and try to figure out whats interesting. I doubt this poses much of a challenge to them. Not to mention the fact that it probably wouldn't pose much of a challenge to *me* given a set of wiretaps and I have virtually no resources...
What if we just call them random number servers? Does that make them uninteresting? What if there are dozens or hundreds of them receiving thousands or 10's of thousands of connections a day? (Of course this couldn't happen overnight. :) ) After all, there are plenty of good purposes to which you can put a random number, but a OTP is probably suspicious enough to warrant scrutiny. Maybe it's all too much work for too little value. All you need is one byte or int, or whatever to xor with the RN before it's send to you over the length of the int. Securely getting these bytes/keys to the server might be tricky. Maybe it's impossible. US Mail is still guaranteed to be private.. (don't everybody laugh at once. ;) ) Okay, assuming that the OTP idea just won't fly, is a general purpose random number generating web site, or internet service of interest? It could be a useful thing for a seed for individuals who want to do their own OTP-ing. (Hey stan, I'll get us both an RN from the server on the net, XOR each byte with 0x3e and will use that as an OTP for a secret message). For frequent use it might be a huge bust because you'd need a secure channel to get a secure channel. -- ____________________________________________________________________________ Doug Hughes Engineering Network Services System/Net Admin Auburn University doug@eng.auburn.edu "Real programmers use cat > file.as"