

Ask HN: Paired USB keys for 100% unbreakable encryption? - heeton

Just a thought:

* 2 USB keys that share a securely generated amount of random data.

* Share one with somebody you'd like to communicate with.

* The two keys can encrypt/decrypt messages to each other using that random data as a one-time-pad. http://en.wikipedia.org/wiki/One-time_pad

* You can then transmit messages across the net in plaintext. You can even tell your partner which part of the pad you are using.

Technically, one-time-pads are impossible to crack. You'd only have to watch out for observation attacks and that sort of thing (perhaps the keys could be bootable for extra security?).

The keys would only work for a certain amount of time before needing to be "paired" again; their pad data would eventually run out. But with modern keys holding many GB of data, this would take a while.

Obviously this is only for the super-paranoid (or the geeks) who want to chat 100% securely among friends. But hey, 6 months ago only the super-paranoid were using encryption at all and look where we are now.
======
tptacek
No professional or academic cryptographer in the world does this. Consider
asking yourself why. It isn't because they haven't heard of a one-time pad.

When Schneier wrote about one-time pads in Applied Cryptography, he wasn't
doing it to establish the high water mark for best possible crypto; he was
doing it to illustrate some of the theory that underpins modern ciphers.
Unfortunately, a whole generation of amateur cryptographers took a different
message away: "forget about modern block ciphers, let's just use one-time
pads".

Encrypt your content with AES-128 with a random (from /dev/random) key; write
the key down as 32 hexadecimal digits. Nobody is going to break it, ever.

~~~
Tomte
_Encrypt your content with AES-128 with a random (from /dev/random) key; write
the key down as 32 hexadecimal digits. Nobody is going to break it, ever._

Don't you advocate the use of urandom, or is there a subtlety I haven't got
yet?

Over the last days I've been looking into the whole "never use urandom for
crypto" meme that permeates practically every Linux and general tech message
board (and that I had believed for years).

And I've come away with the conclusion that not trusting AES (or another
modern block cipher) to be "good enough" for the CSPRNG, but using the output
for... AES (or another modern block cipher) is quite comical.

~~~
tptacek
Random, urandom, same thing. That meme is ridiculous.

------
TheLoneWolfling
You can do this already - just take two flash drives and mirror the same
random data to each one. Just make sure you never use the same part of the
random data twice.

Of course, I have to ask: why bother? If you're giving them a flash drive
anyways, just exchange public keys. Also safer, as if someone loses/etc. a
public key it's no big deal whereas if someone loses the OTP then all of the
data you sent is trivially decryptable.

~~~
heeton
Yeah, techies can do it but it's not simple/easy to use. I couldn't give my
mother a key to use.

I suppose something about the pure security of a OTP is enticing. Public keys
can be broken, it's just not feasible at the moment. I don't know enough here,
but it seems like past data sent via public key will eventually be trivial to
decrypt?

Losing a OTP is equivalent to losing a private key, not much changes there. I
suppose if your partner was "coerced" then a OTP exposes both sides of the
transaction, whereas knowing their private key would only help decrypt your
messages to them.

------
zxcvgm
That kinda sounds like iTwin [http://www.itwin.com/](http://www.itwin.com/)

It comes in a pair with 2 USB ends and can be mated together to share a key.

~~~
heeton
Yep :) Spot on, need to buy one of those. Good to know someone is doing this!

------
DanBC
OTPs feel nice because "UNBREAKABLE!!". But there are severe problems.

1) The pad needs to be random. It must only be used once. It must be larger
than the plain text you want to send.

2) You have to be able to transmit the pad somehow. If you can transmit the
pad, why don't you just transmit the message, or transmit keys?

People do sell OTP technology. It's up to you to decide if it's snake oil or
not. ([http://www.mils.com/en/products/unified-communication/#2](http://www.mils.com/en/products/unified-communication/#2))
([http://cipher-text.blogspot.co.uk/2005/08/one-time-pads-on-paper-tape-in-2005.html](http://cipher-text.blogspot.co.uk/2005/08/one-time-pads-on-paper-tape-in-2005.html))

> _First, they were founded in 1946, and have been doing one-time pads ever
> since. Second, they seem to be pitching their products at governments.
> Third, amongst other things, their random number generator can output to
> a...wait for it...5-channel paper tape puncher (pictured above left)._

> _5-channel paper tape -- as in, pretty much the same one-time pad
> implementation Gilbert Vernam patented in 1919. I'm flabbergasted. Who's
> still using this stuff? I reckon you'd need a little over 4 meters for each
> kilobyte of information you encrypt._

------
fernly
I don't understand "You can then transmit messages... in plaintext." A message
composed of SERHYTVXA etc is obviously encrypted.

But another question: by how much is the system weakened if the pad data is
nonrandom? Because I was thinking how much simpler the key exchange would be,
if instead of sharing pad-texts, you only shared links to texts that were
available on the internet -- both parties to use as a pad the text of a
particular Google Book, or Internet Encyclopedia of Philosophy article. [edit
below]

Another option would be share only a "persistent identifier" to be used with
[0].

[0]
[http://www.random.org/integers/?mode=advanced](http://www.random.org/integers/?mode=advanced)

[edit] clearly you would not want to access the pad at any time near to
transmitting a message encoded with that pad! You would download the pad data
at some other time, preferably with another ID.

~~~
Ellipsis753
If the pad data can be worked out or is known then the "encryption" is
useless. If you use something like a book and the book used is unknown then it
could still be found if someone can work out part of your message though guess
work. "They sent a 5 letter word, I'm guessing it was "hello" therefore the
first part of the book they used must be........". If you send the pad across
the internet at all it could be recorded at many points along the way. While
it still might not be cracked you'd certainly do better using proper
encryption.
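An added example, not code from anyone in this thread, showing in Python what TheLoneWolfling's "never use the same part of the random data twice" and Ellipsis753's guess-the-plaintext attack look like in practice: a pad drawn from the OS CSPRNG, one sending region per direction with a cursor so no byte is ever reused, and the two-time-pad recovery that works the moment a segment is reused. The 64-byte pad, the role split and the messages are constructed for the demo.

```python
import os
from typing import Tuple


def make_pad(n_bytes: int) -> bytes:
    """The 'securely generated random data' both keys would carry, straight
    from the OS CSPRNG. A book, a web page or a seeded PRNG does not qualify."""
    return os.urandom(n_bytes)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


class PadKey:
    """One party's copy of the shared pad plus the bookkeeping that makes it
    'one-time'. Each direction owns half of the pad (role 0 sends from the
    lower half, role 1 from the upper half) so the two sides never collide,
    and a cursor records how much of the sending region has been burned."""

    def __init__(self, pad: bytes, role: int):
        half = len(pad) // 2
        self.pad = pad
        self.lo, self.hi = (0, half) if role == 0 else (half, len(pad))
        self.cursor = self.lo

    def remaining(self) -> int:
        return self.hi - self.cursor

    def encrypt(self, plaintext: bytes) -> Tuple[int, bytes]:
        """Return (offset, ciphertext). The offset can go over the wire in the
        clear, as the post suggests: it names which pad bytes were used,
        nothing more."""
        if len(plaintext) > self.remaining():
            raise ValueError("pad exhausted: the keys need to be re-paired")
        offset = self.cursor
        segment = self.pad[offset:offset + len(plaintext)]
        self.cursor += len(plaintext)          # burn the segment for good
        return offset, xor_bytes(plaintext, segment)

    def decrypt(self, offset: int, ciphertext: bytes) -> bytes:
        segment = self.pad[offset:offset + len(ciphertext)]
        if len(segment) != len(ciphertext):
            raise ValueError("ciphertext runs past the end of the pad")
        return xor_bytes(ciphertext, segment)


def two_time_pad_break(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Ellipsis753's attack. If two messages were XORed with the same pad bytes,
    c1 ^ c2 == p1 ^ p2 because the pad cancels, so a guessed or known p1 hands
    over p2 directly: no pad, no key, no brute force."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)


if __name__ == "__main__":
    # Constructed demo: one 64-byte pad mirrored onto "both keys".
    pad = make_pad(64)
    alice, bob = PadKey(pad, role=0), PadKey(pad, role=1)

    off, ct = alice.encrypt(b"meet at the bridge at 9")
    print(off, ct.hex())
    print(bob.decrypt(off, ct))

    # The mistake: one pad segment used for two messages.
    seg = pad[:16]
    p1, p2 = b"the password is ", b"budget approved "
    c1, c2 = xor_bytes(p1, seg), xor_bytes(p2, seg)
    print(two_time_pad_break(c1, c2, known_p1=p1))   # -> b"budget approved "
```

The cursor is the whole difference between a one-time pad and a broken one: the encryption itself is a single XOR, and everything hard about the scheme is in generating, distributing, storing and burning the pad.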

------
vmarsy
In theory yes, but if you're super-paranoid good luck to find "a securely
generated amount of random data."

~~~
heeton
Seeding a PRNG with user entry? Thermal noise from a component in the key?

~~~
tptacek
Congratulations, you just reinvented the "stream cipher".
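An added illustration of tptacek's point, not code from the thread: swap the random pad for bytes expanded from a short seed and the same XOR is a stream cipher, whose only secret is the seed. The HMAC-SHA256-over-a-counter keystream here is an assumption chosen so the block runs on the standard library; a real deployment would use an established cipher such as ChaCha20 or AES-CTR. The seed, nonce and messages are constructed for the demo.

```python
import hashlib
import hmac
import struct


def keystream(seed: bytes, nonce: bytes, n_bytes: int) -> bytes:
    """Expand a 32-byte seed into n_bytes of 'pad': HMAC-SHA256 over an
    incrementing counter (assumed construction, for illustration only).
    Anyone holding the seed regenerates the same bytes, which is the point:
    there is no pad to ship, only a seed to share."""
    out = bytearray()
    counter = 0
    while len(out) < n_bytes:
        block = nonce + struct.pack(">Q", counter)
        out += hmac.new(seed, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n_bytes])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(seed: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Identical to the one-time-pad XOR, with a generated pad instead of a
    stored one. The (seed, nonce) pair plays the role of the pad offset and
    must never be reused, for exactly the two-time-pad reason."""
    return xor_bytes(plaintext, keystream(seed, nonce, len(plaintext)))


def decrypt(seed: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    return xor_bytes(ciphertext, keystream(seed, nonce, len(ciphertext)))


if __name__ == "__main__":
    seed = bytes(range(32))        # constructed; use os.urandom(32) for real
    nonce = b"\x00" * 12
    ct = encrypt(seed, nonce, b"attack at dawn")
    print(ct.hex())
    print(decrypt(seed, nonce, ct))
```

Once the pad is a function of a seed, the "gigabytes of random data on the USB key" buy nothing over the 32-byte seed, and the scheme is as strong as the keystream generator, which is what a modern cipher is in the first place.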

