How about WWW one time pad servers? You browse to your favorite OTP server, which has a random number generator running in the background. You tell it to give you a block of X bytes, and mail it to persons 1, 2, 3, ... N. These people then use this OTP for encrypting a document. It wouldn't be illegal because you aren't encoding any data and distributing it.. You're generating raw data. You wouldn't have to distribute any crypto software, you just xor your data file with the number of bytes that you were sent in the mail from the OTP server.. Enough of these things would be REALLY tough to monitor.. Plus, you could connect 8 different times and just pick one of the sets.. Or you could just use a portion of the set that you and the receiving party agreed upon. Or, instead of using email, you could have a application/x-otp browser that would collect the OTP that the server sent out to you over HTTP. (this would be really hard to differentiate from other data if the server was doing other things at the same time). Thoughts? Doug Hughes Engineering Network Services doug@eng.auburn.edu Auburn University
Doug Hughes writes:
How about WWW one time pad servers? You browse to your favorite OTP server, which has a random number generator running in the background. You tell it to give you a block of X bytes, and mail it to persons 1, 2, 3, ... N.
Do I get you wrong, or are you proposing the mailing of one time pads in the clear?
Enough of these things would be REALLY tough to monitor...
The NSA is willing to monitor virtually all international telecommunications traffic and try to figure out whats interesting. I doubt this poses much of a challenge to them. Not to mention the fact that it probably wouldn't pose much of a challenge to *me* given a set of wiretaps and I have virtually no resources... Perry
Perry Metzger writes:
Doug Hughes writes:
How about WWW one time pad servers? You browse to your favorite OTP server, which has a random number generator running in the background. You tell it to give you a block of X bytes, and mail it to persons 1, 2, 3, ... N.
Do I get you wrong, or are you proposing the mailing of one time pads in the clear?
Not necessarily. It could be sent any number of different ways. Heck, you could mail (email, US, fedex) a bunch of passphrases or whatever to a site (as an extreme example) to xor with the random number string. They send you the product, you xor with your passphrases in the appropriate order, and you have the true random number string. Of course the feds could just get a court order and snarf all your passphrases or keys if it was in this country. People would probably be better off using a server in another country and having the pad sent to them encrypted or hashed in some fashion.
Enough of these things would be REALLY tough to monitor...
The NSA is willing to monitor virtually all international telecommunications traffic and try to figure out whats interesting. I doubt this poses much of a challenge to them. Not to mention the fact that it probably wouldn't pose much of a challenge to *me* given a set of wiretaps and I have virtually no resources...
What if we just call them random number servers? Does that make them uninteresting? What if there are dozens or hundreds of them receiving thousands or 10's of thousands of connections a day? (Of course this couldn't happen overnight. :) ) After all, there are plenty of good purposes to which you can put a random number, but a OTP is probably suspicious enough to warrant scrutiny. Maybe it's all too much work for too little value. All you need is one byte or int, or whatever to xor with the RN before it's send to you over the length of the int. Securely getting these bytes/keys to the server might be tricky. Maybe it's impossible. US Mail is still guaranteed to be private.. (don't everybody laugh at once. ;) ) Okay, assuming that the OTP idea just won't fly, is a general purpose random number generating web site, or internet service of interest? It could be a useful thing for a seed for individuals who want to do their own OTP-ing. (Hey stan, I'll get us both an RN from the server on the net, XOR each byte with 0x3e and will use that as an OTP for a secret message). For frequent use it might be a huge bust because you'd need a secure channel to get a secure channel. -- ____________________________________________________________________________ Doug Hughes Engineering Network Services System/Net Admin Auburn University doug@eng.auburn.edu "Real programmers use cat > file.as"
participants (2)
-
Doug Hughes -
Perry E. Metzger