
The Manual One-Time Pad - transpute
http://users.telenet.be/d.rijmenants/en/otp.htm
======
sarciszewski
Though the article says "One-time pad is not a practical encryption system.
However, if properly used, it will be absolutely secure and unbreakable", I've
had to talk developers out of wanting to implement them in their protocols
before.

Quick public service announcement about cryptography.

It's true that, from an information theory perspective, OTPs are unbreakable
encryption.

However, unless you have a long history of cryptanalysis under your belt,
don't even think about implementing one in software. This is a common mistake
people make when they're first learning about cryptography.

Pitfalls:

1. You need to get two computers to have the same large chunk of random data
without anyone knowing it. This becomes a horrendous key management problem.

2. Even if you don't know the one-time pad, if you flip bits in transit, the
recipient will happily decrypt them. You can forge messages at will. OTP is
unauthenticated encryption.

If you think your application needs one-time pads, use elliptic curve Diffie-
Hellman key agreement and stream ciphers instead (and remember to authenticate
your ciphertext).

Better yet, hook into a library like libsodium to do this for you and don't
play with fire. (I know the sort of people who love one-time pads are unlikely
to ever listen to this particular advice, but they can't say I didn't warn
them.)
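Pitfall 2 above, worked through as an added example (editor's code, not from the original post or the linked article): a textbook XOR pad, a bit-flip forgery that rewrites a payment amount without ever seeing the pad, and the same forgery rejected once the ciphertext is authenticated. The payment message, the pad and the MAC key are constructed for the demo; the encrypt-then-MAC construction with HMAC-SHA256 from the standard library is this editor's illustration of "authenticate your ciphertext", not the libsodium construction the comment recommends.

```python
"""Why an unauthenticated one-time pad is malleable, and how a MAC fixes it.

Editor's added example; not code from the original post or the linked article.
The payment message, the pad and the MAC key are constructed for the demo.
"""
import hashlib
import hmac
import secrets

TAG_LEN = 32  # HMAC-SHA256 output size


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("xor_bytes needs equal-length inputs")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(pad: bytes, plaintext: bytes) -> bytes:
    """Textbook one-time pad: ciphertext = plaintext XOR pad.

    The pad must be truly random, at least as long as the message, and
    never reused; distributing it is the key-management problem in pitfall 1.
    """
    if len(pad) < len(plaintext):
        raise ValueError("pad is shorter than the message")
    return xor_bytes(plaintext, pad[:len(plaintext)])


otp_decrypt = otp_encrypt  # XOR is its own inverse


def forge(ciphertext: bytes, offset: int, known: bytes, desired: bytes) -> bytes:
    """Pitfall 2: rewrite a field without knowing the pad.

    If the attacker knows (or can guess) the plaintext bytes at `offset`, XORing
    (known XOR desired) into the ciphertext at that position makes the recipient
    decrypt `desired` there. Bytes outside the edited span are untouched.
    """
    if len(known) != len(desired) or offset + len(known) > len(ciphertext):
        raise ValueError("bad forgery span")
    delta = xor_bytes(known, desired)
    mask = bytes(offset) + delta + bytes(len(ciphertext) - offset - len(delta))
    return xor_bytes(ciphertext, mask)


def auth_encrypt(pad: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: append HMAC-SHA256(mac_key, ciphertext).

    Editor's illustration of "authenticate your ciphertext"; a real system
    would use an AEAD from a library such as libsodium instead.
    """
    ct = otp_encrypt(pad, plaintext)
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return ct + tag


def auth_decrypt(pad: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag (constant-time compare) before touching the ciphertext."""
    if len(blob) < TAG_LEN:
        raise ValueError("message too short to carry a tag")
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed; message rejected")
    return otp_decrypt(pad, ct)


def tamper_detected(pad: bytes, mac_key: bytes, blob: bytes) -> bool:
    """True if auth_decrypt rejects the blob."""
    try:
        auth_decrypt(pad, mac_key, blob)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Run the bit-flip forgery against both constructions and report the results."""
    message = b"PAY ALICE $0100"        # constructed sample; amount starts at byte 11
    pad = secrets.token_bytes(len(message))
    mac_key = secrets.token_bytes(32)   # independent of the pad

    # 1. Plain OTP: the attacker never sees the pad, yet changes the amount.
    ct = otp_encrypt(pad, message)
    forged = otp_decrypt(pad, forge(ct, 11, b"0100", b"9900"))

    # 2. Encrypt-then-MAC: the same edit is rejected before decryption.
    blob = auth_encrypt(pad, mac_key, message)
    rejected = tamper_detected(pad, mac_key, forge(blob, 11, b"0100", b"9900"))

    return {"forged": forged, "tamper_detected": rejected}


if __name__ == "__main__":
    result = demo()
    print("recipient of plain OTP decrypts:", result["forged"])
    print("forgery against encrypt-then-MAC detected:", result["tamper_detected"])
```

The forgery needs only a guess at the plaintext in the edited span (a fixed-format field such as an amount), which is why "nobody knows the pad" is no defence; the MAC key must be independent of the pad, and the tag is checked before any decryption so a tampered message never reaches application code.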

~~~
ekyepyaport
I agree, people shouldn't really try to enjoy their hobbies. They should just
do what everybody tells them.

Imagine if a bank were to accidentally mistake your OTP implementation as a
viable product. Oh, the humanity.

~~~
Karunamon
A bank? No. Some random person out there in an oppressive government?
Infinitely more likely.

Crypto is a bit of a special case in programming in that it's _ridiculously_
easy to do wrong, and failures could have catastrophic consequences on
people's real lives. If you want to play with it yourself, more power to ya,
but for the love of all things good in the world don't put it out there
without sufficient disclaimer that it's a hobby, untested project.

------
tptacek
If you use a computer program to generate random numbers for a "one-time pad",
you're not really using a "one-time pad"; you're using an ad hoc stream cipher
keyed by your RNG.

(Conventional stream ciphers are themselves the DRBG cores of RNGs.)

It's not that stream ciphers are bad --- but ad-hoc cryptography almost always
is. Just pick a well-implemented stream cipher, one that was designed to be a
stream cipher, and use that instead. One-time pads are almost useless in
practice.

------
mateus1
Lovely, I'm currently taking Stanford's Cryptography course on Coursera and
it's both entertaining and enlightening. I highly recommend it.
[https://class.coursera.org/crypto-015/](https://class.coursera.org/crypto-015/)

------
whistlerbrk
Sorry for any noise but: ||users.telenet.be^ is reported as 'Malware domains
(long-lived) • Malware domains' for me while using microblock.

