Score:10

Are one time pads still used, perhaps for military or diplomatic purposes?


The ME-600 key generator was developed in the early 1990s for generating truly random one time key streams. That's not exactly World War 1 or 2. I don't know how long it was used, or whether it still is.

Now with quantum computing on the horizon, people are looking at post-quantum cryptography. We also don't yet know the cryptographic dangers of artificial intelligence. (See "Silicon Valley" comedy last episode, where their AI solves the discrete log problem. Tesla beware!) It seems that there is still a need for unbreakable information theoretic security for the most sensitive use cases.

Without doing a "Snowden" and revealing too much secret "stuff", can anyone answer authoritatively (i.e. perhaps by someone associated with the intelligence community)? Any super anonymous super-duper secret tips from Five Eyes contractors here would be welcome. Don't get into trouble though.

Timeline:

Thanks to kodlu, we're up to as recently as say 2018. Can anyone better this?

Score:9

I know for a fact that OTPs were used by diplomatic corps of a certain unnamed country as recently as under 5 years ago.

As for specific info on OTP use by US diplomatic corps, see the interesting Wikileaks cable below requesting Teletype based OTP comms support for the Pope during his visit to communist Poland during the Solidarity crackdown.

https://wikileaks.org/plusd/cables/1979WARSAW04761_e.html

(U) URGENT COMMUNICATIONS SUPPORT NEEDS AT KRAKOW DURING PAPAL VISIT
Date: 1979 May 11, 00:00 (Friday)
Original Classification: CONFIDENTIAL
Current Classification: UNCLASSIFIED

034505; (D) WARSAW 0942

  1. (C) SUMMARY: WE HAVE REEVALUATED OUR NEED FOR SECURE COMMUNICATIONS SUPPORT AT KRAKOW DURING THE PAPAL VISIT. OUR CONCLUSION IS THAT REF. A UNDERESTIMATES THE POSSIBLE NEED FOR FAST, SECURE COMMUNICATIONS DURING AN EVENT OF THIS MAGNITUDE IN POLAND AND OVERESTIMATES THE COST OF THE SORT OF "CAN-DO" PACKAGE OPERATION WE BELIEVE WOULD REPRESENT A WISE PRECAUTION IN THIS CASE. WE WILL REQUIRE TDY COMMUNICATIONS SUPPORT IN ANY EVENT; WE RECOMMEND SPENDING A LITTLE MORE TO BE PREPARED FOR ANY EVENTUALITY IN WHAT COULD BE A VERY VOLATILE POLITICAL SITUATION. END SUMMARY.
  2. (C) KRAKOW COMMUNICATIONS FACILITIES: CURRENT SECURE COMMUNICATIONS FACILITIES, AS DESCRIBED IN REF D, CONSIST OF A TELEX AND A ONE-TIME PAD, OPERATED BY WHICHEVER OFFICER (P.O., VICE CONSUL, OR BPAO) CAN BE SPARED FROM HIS PRIMARY DUTIES. IN AN EMERGENCY THE FASTEST WAY TO GET A MEDIUM-LENGTH, URGENT, CLASSIFIED MESSAGE FROM THE CONSULATE TO THE EMBASSY RIGHT NOW IS TO JUMP INTO A CAR AND DRIVE FOR FOUR TO FIVE HOURS. DURING THE PAPAL VISIT EVEN THIS MAY NOT BE POSSIBLE SINCE, WE UNDERSTAND, STRINGENT TRAFFIC CONTROLS WILL BE EXERCISED IN AND AROUND ALL LOCALITIES TO BE VISITED BY POPE. HE WILL BE IN THE KRAKOW AREA FOR FOUR DAYS (JUNE 7-10).

Another cable from the same era alludes to the use of OTP for emergency comms during a tropical storm, but also says OTP is the only means of secure comms since electronic comms are not functioning:

  1. AS RESULT OF CYCLONE, EMBASSY HAS BEEN UNABLE TO SEND OR RECEIVE TELEGRAMS SINCE NIGHT OF 22ND. NEW EMBASSY STANDBY GENERATOR STILL NOT CONNECTED DUE VARIOUS LOCAL INEFFICIENCY. PREVIOUSLY SCHEDULED COMMTECH TEAM ARRIVING JAN 2 FOR RADIO INSTALLATIONS. THEY PRESUMABLY WILL BE OF ASSISTANCE IN FINISHING GENERATOR INSTALLATION. SHOULD FURTHER PROBLEMS DEVELOPE ON RECENTLY RECOMMENCED CITY POWER, IT MAY BE NECESSARY TO USE ONE-TIME-PAD FOR ANY URGENT CLASSIFIED TRAFFIC.

I take that to mean that paper based OTPs may need to be used.

It is possible and even probable that the use of OTP continued long after 1979 by the US government.

Paul Uszak:
Is it possible to expand on para 1? E.g., was it for the security benefits, or was it just cheaper than some fancy AES/home-brew cipher + satellite system?
Oscar Smith:
OTP is basically impossible to mess up. Regular crypto works really well but is really easy to mess up horribly. If sending a trusted party with a 1TB hard drive of random noise is within your budget, it's pretty hard to beat in terms of security.
quarague:
@OscarSmith I feel OTPs are so simple and secure that I would have assumed it is the standard method of communication in most diplomacy/ embassy/ consulate situations. Handing each diplomat a USB stick with white noise before sending them abroad seems so simple I wouldn't know why you would not do that.
Vilx-:
To add to the above and emphasize the security aspect - AFAIK it's one of the few methods that are physically impossible to break. With AES/RSA/whatever you at least have the brute-force option of trying every key until you find the one that works. Sure, with current technologies it will take longer than the lifetime of the Sun (unless you get very, very lucky), but it's at least theoretically possible. With OTPs even that isn't possible. The cryptography itself is simply unbreakable without the key, period.
Paul Uszak:
@OscarSmith Is there not an issue with keeping both keystreams in sync though? I read that the ME-600 had _"a printer that stamps index numbers onto the tape."_.
SAI Peregrinus:
OTPs are easy to mess up catastrophically: if any portion of the pad is re-used, it loses all security for that portion. Synchronizing the keystreams is also always an issue, if the streams desync the message can't be decrypted and further messages can't be sent securely. That said, they're good for emergency communications, since those are likely starting at the beginning of the pad and reasonably short, negating most of the difficulty.
poncho:
@SAIPeregrinus: pad synchronization is easy (have the encryptor start each message saying where in the pad he is; this is essentially a counter mode IV). Of course, your 'reusing pad' issue is much harder to address...
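As an added illustration (not code from any commenter) of the two points raised above: each message carries the pad offset it starts at, so the sides never desynchronize, and both sides' bookkeeping refuses to touch a pad byte twice, because two ciphertexts sharing pad bytes XOR to the XOR of their plaintexts. The `OneTimePad` class and the demo pad are assumptions constructed for this example.

```python
import secrets
from typing import Tuple

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class OneTimePad:
    """Both parties hold an identical copy of `pad`. Every message carries the pad
    offset it starts at (the 'counter-mode IV' idea), so late or out-of-order
    delivery never desynchronizes the two sides, and each side's bookkeeping
    refuses to reuse a pad byte, since reuse collapses the secrecy."""

    def __init__(self, pad: bytes):
        self.pad = pad
        self.next_free = 0                    # sender: first byte not yet spent
        self.consumed = bytearray(len(pad))   # receiver: 1 = already used

    def encrypt(self, plaintext: bytes) -> Tuple[int, bytes]:
        start, end = self.next_free, self.next_free + len(plaintext)
        if end > len(self.pad):
            raise ValueError("pad exhausted: a fresh pad must be couriered")
        self.next_free = end                  # these bytes are spent for good
        return start, xor_bytes(plaintext, self.pad[start:end])

    def decrypt(self, start: int, ciphertext: bytes) -> bytes:
        end = start + len(ciphertext)
        if start < 0 or end > len(self.pad):
            raise ValueError("offset outside the pad")
        if any(self.consumed[start:end]):
            raise ValueError("pad segment already used: refusing to decrypt")
        self.consumed[start:end] = b"\x01" * (end - start)
        return xor_bytes(ciphertext, self.pad[start:end])

def pad_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """What an observer learns if two messages share pad bytes: c1 XOR c2 equals
    p1 XOR p2, the key having cancelled out. This is the failure warned about above."""
    return xor_bytes(c1, c2)

if __name__ == "__main__":
    pad = secrets.token_bytes(64)   # constructed demo pad; a real pad comes from a TRNG
    alice, bob = OneTimePad(pad), OneTimePad(pad)
    off1, c1 = alice.encrypt(b"hello")
    off2, c2 = alice.encrypt(b"world")
    print(bob.decrypt(off2, c2), bob.decrypt(off1, c1))   # arrival order is irrelevant
    try:
        bob.decrypt(off1, c1)
    except ValueError as e:
        print("rejected:", e)
```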
Score:0

I think OTP has perfect secrecy regarding what it could "leak" about the plaintext (except its length). OTP has many drawbacks if used solely as is, e.g., it is malleable, and any eavesdropping adversary can manage to falsify the encrypted content and thus change the underlying plaintext when decrypted.

That may not be a precise answer to your question, but I wanted to emphasize that the context (or even the protocol), under which an OTP is used, matters.

poncho:
Actually, adding integrity protection (to address malleability) to OTP is straightforward. I don't know if it is done in practice - however, I've never *seen* an OTP system in practice...
canary:
@poncho, yeah, maybe the use of some secure MAC would help mitigate this particular issue (maybe via some OTP-then-MAC). But from a "paranoid" perspective (where you decided to use OTP and seek perfect secrecy), it's hard to trust any additional not-perfect constructions (e.g., a MAC). For example, from that perspective, the parties could not trust that such a secure MAC would not leak absolutely anything about the message, thus making OTP's goal unachievable.
canary:
Maybe a One-Time MAC is what is needed in that case, but I think that would not be the end of the story :)
poncho:
Well, if you MAC the ciphertext, you're obviously not leaking anything that the attacker cannot see. In addition, there exist 'informationally secure' MACs (that is, MACs that are based on one-time keys and have provably small forgery probabilities assuming random keys); a Carter-Wegman type construction is one possible approach. As for trust, the parties already need to trust the one-time pad generator and the xor; it's not clear why that trust can't be extended to include the MAC.
canary:
Yes, the use of an OTM can be very adequate for that situation. The "trust" I talked about before is like seeking a construction based on provably perfect primitives, assuming the keys are generated via some trusted (maybe enforced by the parties themselves) truly random generators :). It's an interesting construction to analyze.
Paul Uszak:
@poncho Nowhere, anywhere, whatsoever on the [Museum](https://www.cryptomuseum.com/) have I seen **any** mention of integrity protection. I think the protection relies on principles of the Vienna Convention and diplomatic couriers. These days though we have QKDNs to avoid the hassle.
Paul Uszak:
Given that OTPs are best suited to textual information and not 8K UHD porn films, and that a TRNG is quite easily built with wood and nails, or just your PC, much message length leakage can be mitigated through simple padding to a fixed length. And hello there :-)
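An added worked example (not from any commenter, and not a description of any fielded system) of the encrypt-then-MAC construction discussed in the comments above: the ciphertext is tagged with a Carter-Wegman style one-time MAC whose key (r, s) is 16 further pad bytes spent on that one message, so a single flipped ciphertext bit, which would otherwise land silently in the plaintext, is rejected before any plaintext is released. The field prime, chunking and demo pad are assumptions chosen for this example.

```python
import hmac

P = 2**61 - 1   # Mersenne prime; the polynomial hash lives in GF(P)
CHUNK = 7       # 56-bit chunks are always below P
TAG_LEN = 8

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def poly_hash(r: int, data: bytes) -> int:
    """Universal hash: evaluate at random r the polynomial whose coefficients are the
    length and the data chunks (Horner form). Two distinct inputs agree on at most
    n+1 values of r, so collision probability is <= (n+1)/P."""
    h = len(data) % P
    for i in range(0, len(data), CHUNK):
        h = (h * r + int.from_bytes(data[i:i + CHUNK], "big")) % P
    return h

def one_time_mac(key: bytes, data: bytes) -> bytes:
    """Carter-Wegman one-time MAC: tag = hash_r(data) + s mod P, with (r, s) taken
    from 16 pad bytes used for this message only. The top 61 bits of each half give
    a near-uniform field element (only the value 2^61-1 wraps to 0)."""
    r = int.from_bytes(key[:8], "big") >> 3
    s = int.from_bytes(key[8:16], "big") >> 3
    return ((poly_hash(r, data) + s) % P).to_bytes(TAG_LEN, "big")

def seal(pad: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: XOR with the first n pad bytes, tag the ciphertext with the
    next 16. Tagging the ciphertext reveals nothing beyond what is on the wire."""
    n = len(plaintext)
    if len(pad) < n + 16:
        raise ValueError("pad too short for message plus one-time MAC key")
    ct = xor_bytes(plaintext, pad[:n])
    return ct + one_time_mac(pad[n:n + 16], ct)

def open_sealed(pad: bytes, sealed: bytes):
    """Verify before decrypting; any change to ciphertext or tag yields None."""
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    n = len(ct)
    if len(pad) < n + 16:
        return None
    if not hmac.compare_digest(tag, one_time_mac(pad[n:n + 16], ct)):
        return None                      # tampered or desynchronized: release nothing
    return xor_bytes(ct, pad[:n])

if __name__ == "__main__":
    pad = bytes((i * 73 + 5) % 256 for i in range(64))   # constructed demo pad, not random
    msg = seal(pad, b"GO NOW")
    flipped = bytes([msg[0] ^ 0x01]) + msg[1:]          # one bit changed in transit
    print(open_sealed(pad, msg), open_sealed(pad, flipped))   # b'GO NOW' None
    print(xor_bytes(flipped[:6], pad[:6]))   # without the MAC the flip lands in the plaintext
```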