RE: using pgp to make an otp

-- [ From: amp * EMC.Ver #2.3 ] --
> While in theory the output of PGP would be ``random'' enough for a one-time pad, you need to take into account that there is ``header'' information in a PGP message. This info in the first several bytes indicates which key was used, how big the message is, whether the receiving PGP should save the decrypted file, etc. This part is not very random at all.
i understand the non-random portions of the pgp output, which is why i specified in my original message that the 1st 20 or so lines would find their way to the bit bucket.
> The weakness in this method is that the ``key'' to the OTP is composed of the PGP encryption key and the plaintext used to generate the pad. Both would have to be fairly well protected to prevent a bad guy from either a) generating his own copy of the OTP by obtaining the key and plaintext or b) forcing you to use a known OTP by munging your copy of the key or plaintext.
i'm confused here. how would the 'key' to the otp be related to my pgp encryption key? if i strip off all the identifying information that pgp uses to recognise how to decrypt a message, and destroy the 'clean' copy of the file(s) that eventually became part of my otp, how could the resulting output be tied to my key? if it could, then pgp is less secure than i give it credit for being. if your objection is based on the fact that my public key is a known entity, this can easily be bypassed by creating a brand new key from a freshly unzipped copy of pgp. use that key to create the otp, then destroy the key(s) used to create it.
> This technique does have its uses. For instance, if you use DES you can ``seed'' it with a value, then by re-encrypting the output of DES repeatedly you can generate an essentially random sequence of values. This can be used as an OTP for a stream cypher.
isn't this essentially what i'm doing? if it is necessary, i can do this...(assuming a virgin key)
1. create a cyphertext of a file.
2. strip the identifying lines.
3. create a new cyphertext from the resulting file.
4. repeat until paranoia level < comfort zone.
my point here is that _if_ pgp output is random enough, i wouldn't need hardware. even i, with my extremely limited programming skills could create a .cmd file or program that could be used as input for a stream cypher. imo, for crypto to be useful, it has to be easy. i'm trying to find a way to do this that can be implemented anywhere.

amp wrote:
| my point here is that _if_ pgp output is random enough, i wouldn't need
| hardware. even i, with my extremely limited programming skills could create
| a .cmd file or program that could be used as input for a stream cypher.

PGP output is not random enough to be used for a one time pad. The security of an OTP is *entirely* based on the quality of the random numbers; they should come from some strong generator. Building good one time pads is tough, and usually not worth the effort.

Adam
--
"It is seldom that liberty of any kind is lost all at once." -Hume
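To make the objection concrete, here is an added example (not code from any poster in this thread) that models amp's strip-and-re-encrypt procedure as a deterministic keystream, using SHA-256 as an assumed stand-in for PGP or DES so it runs without a cipher library. It shows that the resulting "pad" is fully determined by the key and the seed file, so the construction is a stream cipher keyed by those two secrets rather than a one-time pad, whereas pad bytes drawn from an entropy source cannot be regenerated by anyone.

```python
import hashlib
import os


def derived_pad(key: bytes, seed_file: bytes, length: int) -> bytes:
    """Keystream from 'encrypt under key, strip header, re-encrypt, repeat'.

    SHA-256 over (key || previous block) is an assumed stand-in for the
    cipher; the point is only that the output depends on nothing but
    (key, seed_file), so anyone holding both reproduces it exactly.
    """
    pad = b""
    block = seed_file
    while len(pad) < length:
        block = hashlib.sha256(key + block).digest()  # "re-encrypt" last output
        pad += block
    return pad[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(pad: bytes, msg: bytes) -> bytes:
    if len(pad) < len(msg):
        raise ValueError("pad must be at least as long as the message")
    return xor_bytes(msg, pad)


def true_otp_pad(length: int) -> bytes:
    # A genuine pad is fresh entropy: there is no key from which to rebuild it.
    return os.urandom(length)


def demo() -> tuple:
    key = b"constructed-key"                      # constructed sample secret
    seed = b"constructed seed file contents"      # constructed sample file
    msg = b"attack at dawn"                       # constructed sample message
    ct = encrypt(derived_pad(key, seed, len(msg)), msg)
    # Objection (a): whoever obtains key + seed regenerates the pad and reads ct.
    recovered = xor_bytes(ct, derived_pad(key, seed, len(ct)))
    # Objection (b): a substituted seed gives a pad the substituter already knows.
    tampered = b"tampered seed"
    ct2 = encrypt(derived_pad(key, tampered, len(msg)), msg)
    recovered2 = xor_bytes(ct2, derived_pad(key, tampered, len(ct2)))
    # A real OTP offers no such shortcut: independent draws do not coincide.
    p1, p2 = true_otp_pad(32), true_otp_pad(32)
    return recovered == msg, recovered2 == msg, p1 != p2
```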

> PGP output is not random enough to be used for a one time pad. The security of an OTP is *entirely* based on the quality of the random numbers; they should come from some strong generator. Building good one time pads is tough, and usually not worth the effort.
No, however the output of "pgp +makerandom=XXX filename.dat" _IS_ random enough for an OTP. The problem then becomes distributing this data.

-derek
participants (3): Adam Shostack, amp, Derek Atkins