cryptoanarchy.wiki

Arise, you have nothing to lose but your barbed wire fences!

1995-11-08 - Re: using pgp to make an otp

Header Data

From: Bill Stewart <stewarts@ix.netcom.com>
To: cypherpunks@toad.com
Message Hash: b383220f4e2a2ef255e7aeb79d091ac59b767ccc0c770b84a6f70b1bfc712da5
Message ID: <199511080454.UAA08618@ix.ix.netcom.com>
Reply To: N/A
UTC Datetime: 1995-11-08 05:07:01 UTC
Raw Date: Wed, 8 Nov 1995 13:07:01 +0800

Raw message

From: Bill Stewart <stewarts@ix.netcom.com>
Date: Wed, 8 Nov 1995 13:07:01 +0800
To: cypherpunks@toad.com
Subject: Re: using pgp to make an otp
Message-ID: <199511080454.UAA08618@ix.ix.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


At 11:31 PM 11/6/95 EST, Derek Atkins <warlord@MIT.EDU> wrote:
>> 	PGP output is not random enough to be used for a one time pad.
>> The security of a OTP is *entirely* based on the quality of the random
>> numbers; they should come from some strong generator.  Building good
>> one time pads is tough, and usually not worth the effort.
>
>No, however the output of "pgp +makerandom=XXX filename.dat" _IS_
>random enough for an OTP.  The problem then becomes distributing this
>data.

amp had written:
| my point here is that _if_ pgp output is random enough, i wouldn't need
| hardware. even i, with my extremely limited programming skills could create
| a .cmd file or program that could be used as input for a stream cypher.

The output of PGP should be random enough for your application,
as long as you don't think you're getting a cryptographically-correct OTP
out of the deal.  PGP uses its randpool stuff in its random number generation,
so there are likely to be at least 24 bytes of real randomness kept around, 
maybe more depending on the size of your randpool, but the rest of
your security comes from algorithm quality and is theoretically crackable
like any pseudo-random sequence (albeit requiring exponentially-large
crackwork.)
It's using IDEA in a feedback mode, so it's better than just repeated MD5s.

The output of PGP +makerandom probably is secure enough for most applications,
depending on how many bits you're using, what you're doing with it,
and how paranoid you need to be.  Check out the code to be sure.
You may have special applications such as amp's stream cypher
for which it's more convenient to XOR the makerandom instead of using PGP,
but watch out for attacks like known-plaintext, which can really bite you
in secure-voice systems where there's a lot of near-silence.
Careless protocol work can spoil really decent random numbers....
#---
#                                       Thanks;  Bill
# Bill Stewart, Freelance Information Architect, stewarts@ix.netcom.com
# Phone +1-510-247-0664 Pager/Voicemail 1-408-787-1281
#---

Thread