
"power one time pad"




I'd be interested in reactions to the article in Network World, 10/16/95
issue, page 53.  It describes a supposed cryptosystem that sounds bogus, but
I can't make up my mind about how much is the system and how much is
the confusion of the author.

Among other things, it says that POTP "doesn't use an encryption algorithm;
instead it synchronizes random processes on two computers as they
communicate".  (I wonder if the author understands that that's just another
way to describe encryption algorithms...)  The other claim is that it
eliminates the need to manage keys.  "... there is no need for central
servers where PGP keys ... are kept".

This seems like a strange claim because of course PGP doesn't require
central servers, but more importantly, you can't do authentication without
at least one piece of keying data being established out of band.  That
could be a certification authority public key, but you need something
to get started.

Supposedly this thing was shown at Interop.  Did anyone see it, and does
the product make sense even if the article didn't?

(One thing that disturbs me about the product name is the use of the
phrase "one time pad".  Since the "random" processes are presumably
not random but rather pseudo-random, there is no one time pad involved
at all, but rather a plain old stream cypher of some sort, which may or
may not be secure in practice but cannot have the "secure from first
principles" property that a real one time pad has.)

     paul
     ([email protected])
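
Added example, not part of the original message and not POTP's design (which the message does not describe): a toy model of two "synchronized pseudo-random processes", showing that the shared seed acts as a key and that only seed-many plaintexts are consistent with a ciphertext, whereas a true one time pad is consistent with every plaintext of that length. The 16-bit seed, the SHA-256 counter-mode generator and the sample messages are all constructed assumptions.

```python
import hashlib

SEED_BITS = 16  # constructed toy size, small enough to enumerate every seed


def keystream(seed: int, n: int) -> bytes:
    """Deterministic 'random process': SHA-256 in counter mode over the seed."""
    out, counter = b"", 0
    while len(out) < n:
        block = seed.to_bytes(4, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def consistent_plaintexts_prng(ciphertext: bytes) -> set:
    """Every plaintext some seed could explain: at most 2**SEED_BITS of them."""
    n = len(ciphertext)
    return {xor(ciphertext, keystream(s, n)) for s in range(2 ** SEED_BITS)}


def otp_key_for(ciphertext: bytes, candidate: bytes) -> bytes:
    """With a true one time pad, ANY same-length candidate has a matching pad."""
    return xor(ciphertext, candidate)


if __name__ == "__main__":
    msg = b"MEET AT NOON"   # constructed sample plaintext
    shared_seed = 0xBEEF    # must reach both ends out of band: this IS the key
    ct = xor(msg, keystream(shared_seed, len(msg)))

    # Both ends stay "synchronized" only because they hold the same seed.
    print("same seed :", xor(ct, keystream(shared_seed, len(ct))))
    print("other seed:", xor(ct, keystream(shared_seed ^ 1, len(ct))))

    # Pseudo-random keystream: the ciphertext rules out almost all plaintexts.
    candidates = consistent_plaintexts_prng(ct)
    print("plaintexts consistent with ct:", len(candidates), "of", 256 ** len(ct))
    print("alternative still possible?  :", b"MEET AT DUSK" in candidates)

    # True one time pad: a pad exists for every alternative, so nothing is ruled out.
    pad = otp_key_for(ct, b"MEET AT DUSK")
    print("OTP pad explaining alternative:", xor(ct, pad))
```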