Subject: OTPs: clarification
From: "Marcus J. Ranum" <mjr@iwi.com>
Organization: Information Warehouse! Inc, Baltimore, MD
Date: Sun, 5 Nov 1995 16:37:00 -0500 (EST)
To: firewalls@greatcircle.com
Coredump: Infocalypse Now!!!
Phone: 410-889-8569
Reply-to: mjr@iwi.com
Url: http://iwi.com/mjr/mjr-top.html (mjr's web page)

mdr@vodka.sse.att.com writes:
>That leads one to try to implement something else and claim that it's an
>OTP. One such method would be to use a Random Number Generator in

This is called an "autokey cipher" and is not terribly
secure. When I talked to the folks from Elementrix I found that
they *are* aware of the distinction and are aware of the fact
that they have abused the terminology. Their claim is that their
system has the *properties* of an OTP. Which I find quite interesting,
since the main interesting property of an OTP is that it is
absolutely unbreakable if used properly.

>This is *NOT* a true OTP.

Correct, it is not. Elementrix is also aware of this.
When I spoke with the guy who developed the scheme in question
it is clear that he is aware of the distinction. :) A lot of
cryptographers have jumped all over them (rightly) for abusing
a trade term for marketing purposes.

>The real problem of course is finding a source of random data that is
>available to *both* parties.

By the *definition* of randomness, this is impossible.
Note that the guys at Elementrix are aware of this
impossibility, too. :) They claim to have a way around it. I
do not believe they do - unless they've got a selective
repeal of laws of nature, or are not using true randomness.
Be that as it may: avoid misusing terms of the trade.
There is no such thing as random data available to both parties
without a communication channel someplace in the system to
convey it. Unless you accept action at a distance. In which
case you still only have one source of randomness. :)

>> Synchronization is a piece of cake. Since the pad is secure,
>> you simply call the other party on the phone and say "offset 129198L"
>> and crank away.
>
>I caveated that with:
> Giving away the offset is inconsequential for a true OTP, but
> for an algorithmically generated OTP it makes cryptanalysis
> much easier.

Please do not abuse terms of the trade. THERE IS NO SUCH
THING AS AN ALGORITHMICALLY GENERATED OTP. You know that. I know
that. If you keep abusing the terminology, other people who do not
will keep getting confused.

>If the OTP has been "generated" then synchronization is a pain because

THERE IS NO SUCH THING AS A "GENERATED" OTP. You know that.
I know that. If you keep abusing the terminology, other people who
do not will keep getting confused.

>I'm trying to say that the devil is in the details, is their
>implementation of an OTP really an OTP, or just another cypher?

It's not an OTP. They have said as much in the past.
They're willing to describe their technique under
NDA and I'm probably going to meet with them sometime in the
next few weeks and find out what's up. It's not an OTP; it
sounds like they've come up with what they (rightly or wrongly)
feel is an extremely clever wrinkle on some kind of generalized
autokey cipher. They've explained it to a number of folks who
are involved with cryptography but none who I know have great
credentials as a cryptographer. So it remains to be seen. I'd
be *impressed* if Whit Diffie or Ron Rivest said it was good.
I'm less impressed that Winn Schwartau has said it was good. :)

mjr.
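An added illustration of the distinction the post insists on, not code from the message or from Elementrix: a true pad is as long as the message and drawn from an unpredictable source, so a ciphertext is consistent with every plaintext of that length, whereas a keystream expanded from a short seed is only as secret as the seed, and a few known plaintext bytes pin it down. The toy LCG, the 16-bit seed and the sample message are all constructed for this example.

```python
import secrets

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# --- A true OTP: pad as long as the message, from an unpredictable source,
# used exactly once. Nothing "generates" it from a shorter secret.
def otp_encrypt(msg: bytes) -> tuple[bytes, bytes]:
    pad = secrets.token_bytes(len(msg))
    return pad, xor_bytes(msg, pad)

# The defining property: for ANY candidate plaintext of the same length there
# is a pad that explains the ciphertext, so the ciphertext reveals nothing.
def pad_explaining(ct: bytes, candidate: bytes) -> bytes:
    return xor_bytes(ct, candidate)  # a pad that decrypts ct to `candidate`

# --- A "generated OTP": an XOR stream cipher whose keystream is expanded from
# a short seed. Constructed toy LCG for illustration, not any vendor's design.
def toy_keystream(seed: int, n: int) -> bytes:
    x, out = seed, bytearray()
    for _ in range(n):
        x = (1103515245 * x + 12345) & 0xFFFFFFFF
        out.append((x >> 16) & 0xFF)
    return bytes(out)

def generated_encrypt(msg: bytes, seed: int) -> bytes:
    return xor_bytes(msg, toy_keystream(seed, len(msg)))

# The OTP property is gone: with a 16-bit seed only a handful of seeds are
# consistent with a ciphertext once a few plaintext bytes are known, and the
# secrecy of everything else is bounded by the seed, not the message length.
def consistent_seeds(ct: bytes, known_prefix: bytes) -> list[int]:
    target = xor_bytes(ct[:len(known_prefix)], known_prefix)
    return [s for s in range(1 << 16)
            if toy_keystream(s, len(known_prefix)) == target]

if __name__ == "__main__":
    msg = b"ATTACK AT DAWN"                      # constructed sample message
    pad, ct = otp_encrypt(msg)
    decoy = pad_explaining(ct, b"ATTACK AT DUSK")
    print("same OTP ciphertext also 'decrypts' to:", xor_bytes(ct, decoy))
    ct2 = generated_encrypt(msg, 0x1234)
    print("seeds consistent with 4 known bytes:", consistent_seeds(ct2, b"ATTA"))
```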