[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Snake Oil FAQ 0.4 [comments appreciated]

At 10:06 PM 9/16/96 -0400, The Deviant <[email protected]> wrote:

>Not to mention, the basic flaw of OTP.. if you have the only copy of the
>key, and the key is non-repetitive, how do you send the key to another
>person without being just as insecure as not encrypting it in the first
>place... almost any OTP claims are gonna be snake oil.

The way you send OTPs to people securely is to use couriers with
briefcases handcuffed to their arms, or whatever level of physical
security you need.  The kinds of things software packages can help with are
providing a friendly user interface for getting the next N bits
out of the pad and trashing them after use, keeping track of where
you were in the pad, handling the different pads you use to communicate with
different people, driving the robot arm that drops the tape into the
shredder, etc.  Slightly less trustably, they can be used to help
generate a pad by crunching down the data from your hardware random
number generators, and perhaps emailing Geiger Counter data to the
Safety Department after rounding to the nearest order of magnitude.

Somebody else wrote:
>> I would also suggest that the generation of OTP 'pads' for users is
>> *highly* questionable. Who else is getting a copy of them, assuming they're
>> even valid?
        Definitely - that concept loses big time.

#			Thanks;  Bill
# Bill Stewart, +1-415-442-2215 [email protected]
# <A HREF="http://idiom.com/~wcs"> 	
# You can get PGP software outside the US at ftp.ox.ac.uk/pub/crypto