At 10:52 PM 10/17/2002 -0700, Morlock Elloi wrote:
I have a working OTP system on $40 64 Mb USB flash disk on my keychain.
Cute. Is it available?
$39 + tax in Fry's.
I don't mean the disk - there are lots of those. I mean your software. Also, can your tool use floppies instead of USB keys? There are problems with KGB-quality attackers recovering overwritten data which are probably much more serious for disks than flash rom, but they're nearly universal and good shredders work well on them.
How do you prevent other applications from reading the file off your USB disk, either while your application is using it or some other time?
I don't care. No one knows about it enough to set a trap in a random PC (and if They do we're in deep shit anyway.) This is the reason for not releasing the (trivial) program. Write your own and let it be your group key ... say, 40-bits worth?
USB key disks look like an obvious target for eavesdropping in general. (They're also the best medium for re-inventing the floppy-disk virus :-)
Since you say that "Used bits are securely deleted", does your application distinguish between using the pad to encrypt and using the pad to decrypt (which are basically the same thing, except for destroying the key bits the second time)?
You destroy bits *every* time. The routine that reads bits overwrites them. Messages are fixed size, index into OTP file is a part of the message, each user gets starting offset assigned to avoid synching problems.
You need to use each bit twice - once to encrypt, and once to decrypt. Destroying them after the first use is a bad idea....
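The scheme described in the thread (fixed-size messages, the pad index carried in each message, a per-user starting offset, and a read routine that overwrites what it reads), as an added example that is not part of the original messages or of the unreleased program. It assumes each party holds its own copy of the pad file, so each copy's bytes are read once and then overwritten; `MSG_SIZE`, the 8-byte offset header, the length byte, the file names and all function names are assumptions.

```python
import os, pathlib, struct, tempfile

MSG_SIZE = 32                  # fixed message slot in bytes (assumed value)
HDR = struct.Struct(">Q")      # pad offset, sent in clear with each message

def take_pad(path, offset, n=MSG_SIZE):
    """Return n pad bytes at offset and overwrite them in this copy."""
    with open(path, "r+b", buffering=0) as f:
        f.seek(offset)
        pad = f.read(n)
        if len(pad) != n:
            raise ValueError("pad exhausted")
        if not any(pad):
            raise ValueError("pad bytes at this offset already consumed")
        f.seek(offset)
        f.write(bytes(n))      # logical overwrite; the medium may still hold old data
        os.fsync(f.fileno())
    return pad

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(path, offset, msg):
    """Encrypt with the sender's copy; returns (wire message, next offset)."""
    if len(msg) >= MSG_SIZE:
        raise ValueError("message too long for fixed slot")
    slot = bytes([len(msg)]) + msg.ljust(MSG_SIZE - 1, b"\0")
    return HDR.pack(offset) + xor(slot, take_pad(path, offset)), offset + MSG_SIZE

def decrypt(path, wire):  # receiver's copy: the same offsets are consumed there
    (offset,) = HDR.unpack_from(wire)
    slot = xor(wire[HDR.size:], take_pad(path, offset))
    return slot[1:1 + slot[0]]

def demo():
    d = pathlib.Path(tempfile.mkdtemp())
    a, b = d / "alice.pad", d / "bob.pad"
    pad = os.urandom(4 * MSG_SIZE)                 # constructed sample pad
    for p in (a, b):
        p.write_bytes(pad)                         # both parties start with the same pad
    wire, nxt = encrypt(a, 0, b"meet at noon")     # Alice's region starts at 0
    first = decrypt(b, wire)
    wire2, _ = encrypt(b, 2 * MSG_SIZE, b"ok")     # Bob's region starts halfway in
    reply = decrypt(a, wire2)
    try:
        decrypt(b, wire)                           # same message again: pad is gone
        replay = "accepted"
    except ValueError:
        replay = "rejected"
    return first, nxt, reply, replay
```

The offset header is not authenticated in this sketch, so a receiver would also want to reject offsets outside the sender's assigned region, since any accepted offset consumes pad.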