>Or your enemy has to penetrate your site or your correspondent's site, >and copy five CD-ROMs instead of one. Yes - but that should be *HARD* to do... In a reasonably secure setup, any of these things are *HARD* (to use your word). But there's no such thing as absolute security; at best, you can balance relative risks. >CD-ROMs have one advantage: there's a lot of data. But that's not >all good, because you *really* want to destroy any keying material >you've ever used. Yes - but it is a writable CD rom - Write over the data when it's used. Have you overwritten it beyond recovery by sophisticated agents? What if the CD-ROM is compromised before you us it? >I've heard People Who Know say that in the spook and government world, >one-time pads are falling out of favor --- because their practical >security isn't as good as a really high quality conventional cipher >with a dynamically-negotiated session key. I repeat: *practical* >security; your enemy isn't going to hit you or bribe you with a copy >of Shannon's theorems. Ok but one time pads DONE RIGHT (an d that's the optimum term - are VERY STRONG Again -- there's no such thing as ``right''. There is only relative risk. Bob Morris Sr. once observed that the real lesson of ABSCAM was not that politicians are bribable -- we all knew that -- but that he could afford one. And if a U.S. Senator costs $50K, what does the janitor cost? Look at the Walker family spy ring -- not that they sold out for money, but just how little money they cost! You're talking about your home machine? Sure -- how resistant is your house to a black-bag job pulled off by professionals? With one-time pads on CD-ROM, they only have to win once to capture your future traffic for a very long time to come. With something like a STU-III, there's *nothing* that can be captured that will give that sort of information. The risk there is cryptanalysis of the underlying system -- but maybe NSA knows enough about cryptosystems that they think that that risk is very low -- lower, at any rate, than the risks of one-time pads. Remember that the goal is not fancy cryptography. The goal is information security; crypto is just one tool to help achieve that. Your enemy isn't going to be sporting and attack where your defenses are. The proper response to a strong security barrier is not to go through it, but to go around it. Let me suggest that folks read @inproceedings{crypt-fail, title = {Why Cryptosystems Fail}, author = {Ross Anderson, Proc. 1st ACM Conference on Computer and Communications booktitle = {Proceedings of the First ACM Conference on Computer and Communications Security}, month = {November}, year = 1993, pages = {215--227} } It's an extremely important paper. I'll quote the beginning of Section 4: As we have seen, security equipment designers and government evaluators have both concentrated on technical weaknesses, such as poor encryption algorithms and operating systems which could be vulnerable to trojan horse attacks. Banking systems do indeed have their share of such loopholes, but they do not seem to have contributed in any significant way to the crime figures. The attacks which actually happened were made possible because the banks did not use the available products properly; due to lack of expertise, they made basic errors in system design, application programming and administration. In short, the threat model was completely wrong. How could this have happened? --Steve Bellovin