[liberationtech] OneTime 2.0 (beta): one-time pad system.

Andy Isaacson adi at hexapodia.org
Thu Aug 1 07:37:59 PDT 2013


On Wed, Jul 31, 2013 at 12:08:32PM -0500, Karl Fogel wrote:
> interests of code simplicity, I didn't implement that, as I didn't see a
> practical attack here.  I still don't, but am definitely open to being
> corrected about that!  It's just hard for me to see an attack that
> doesn't rely on having the plaintext already :-).

It's much worse than you seem to realize.

Your implementation is completely vulnerable to a known plaintext
attack.

If the plaintext is known, the attacker can substitute an arbitrary
alternative plaintext of their choosing, as long as the substitute is
shorter than the victim message.

If a prefix of the plaintext is known, the attacker can certainly modify
the prefix, and can almost certainly push the decompression engine into
a null state to throw away the following data or cause it to display as
garbage.

"Hi Andy, How is your day going? ... long message about legal stuff"

"Hi Karl, your message about the drugs came through ok, but there was
some odd garbage at the end... huh, must be nothing."

If a non-prefix subset of the plaintext is known, with a good guess as
to its position, I am pretty sure the attacker can replace that portion
of the plaintext.

Since a OTP depends critically on never using the same pad to encrypt
multiple plaintexts, it conversely also depends on the same pad only
decrypting a single ciphertext.  If a onetime implementation implements
a decryption oracle, an attacker can almost certainly leverage multiple
decryption attempts with timing or error discrimination to break the pad
entirely.  Cf. problem 12 in the Matasano crypto challenges.

> Please don't worry if I don't respond for several weeks.  I'll be on
> vacation with no Internet, starting tonight.

No worries, have a good vacation, and thank you very much for having the
courage and fortitude to publish onetime!  I think the current
implementation is deeply flawed but I'm extremely pleased that we have
an implementation to argue about. :)  "code talks, BS walks."

-andy
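The malleability Andy describes, and the integrity check that catches it, as an added example in Python (not OneTime's code and not from anyone in the thread). Assumptions, all mine: the attacker knows only a plaintext prefix and never the pad, the authentication key is a 32-byte slice of the pad following the message bytes, the MAC is HMAC-SHA256, and the messages and pad are constructed for the demo.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets

MAC_KEY_LEN = 32  # pad bytes consumed per message for the MAC key (assumption)


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """XOR data with the leading pad bytes; encryption and decryption are the same op."""
    if len(pad) < len(data):
        raise ValueError("pad too short")
    return bytes(d ^ p for d, p in zip(data, pad))


def tamper_with_known_prefix(ct: bytes, known: bytes, chosen: bytes) -> bytes:
    """The failure mode from the mail: knowing plaintext prefix `known`, XOR
    (known ^ chosen) into the ciphertext and the receiver decrypts `chosen`.
    The pad is never learned; only the plaintext difference matters."""
    if len(chosen) > len(known):
        raise ValueError("substitute must not be longer than the known prefix")
    delta = bytes(k ^ c for k, c in zip(known, chosen))
    return bytes(c ^ d for c, d in zip(ct, delta)) + ct[len(delta):]


def seal(plaintext: bytes, pad: bytes) -> tuple[bytes, bytes]:
    """Encrypt with pad[:n], then authenticate the ciphertext with HMAC keyed
    by the next MAC_KEY_LEN pad bytes, so each message burns n + 32 pad bytes."""
    ct = otp_xor(plaintext, pad)
    key = pad[len(ct):len(ct) + MAC_KEY_LEN]
    if len(key) < MAC_KEY_LEN:
        raise ValueError("pad too short for MAC key")
    return ct, hmac.new(key, ct, hashlib.sha256).digest()


def open_sealed(ct: bytes, tag: bytes, pad: bytes) -> bytes | None:
    """Verify before decrypting; None means the ciphertext was altered."""
    key = pad[len(ct):len(ct) + MAC_KEY_LEN]
    expected = hmac.new(key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return otp_xor(ct, pad)


if __name__ == "__main__":
    pad = secrets.token_bytes(128)  # stand-in for a shared pad file (constructed)
    ct, tag = seal(b"Hi Andy, How is your day going?", pad)
    forged = tamper_with_known_prefix(ct, b"Hi Andy,", b"Hi Karl,")
    print(otp_xor(forged, pad))           # unauthenticated: b'Hi Karl, How is your day going?'
    print(open_sealed(forged, tag, pad))  # with the tag checked: None
```

HMAC gives computational rather than information-theoretic integrity; a one-time (polynomial) MAC keyed from the pad would keep the unconditional guarantee, at the cost of more pad per message.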
