Revisiting the One-Time Pad
A decidedly Low-Tech Solution to a High Tech Problem
Pretend with me: You are in a foreign country known for its ability to hack your emails. But there is some very sensitive information that you must get to your comrades back home. Do you you text the info to your friends? No- We know that the Government can crack phones. Do you email? Probably not directly, for the same reason. What about apps like Wickr, which send encrypted messages which disappear after a while? We know that disappearing encrypted messages can actually be retrieved, and through brute force methods, can be broken eventually, especially if the company is helping the Government do its work.
So what do you do? Well- I suggest you consider using the One Time Pad. This method of encryption, if used correctly, requires only a little bit of premeditation, no computers (though computers makes its use easier), and just a little time. And the encryption becomes virtually impossible to crack. Its a surprisingly simple encryption method to make your most important tweets to your friends absolutely secure.
“How,” you say? Well — the method is actually rather simple. The Encoder and the Decoder both have the same code book and a several sets of randomly generated 2 digit numbers. The numbers are the key that either locks the code you put in when you change letters into numbers using the codebook, or unlocks it so you can refer to the numbers in the code book and find out what your partner is up to.
First, you need to know how to operate the code correctly.
Some ground rules for the One Time Pad
- You and your partner must have the same code book to turn letters and words into two digit numbers, and then back again. The codebook is useless, however without the keys.
- You must have a randomly generated string of keys, and you may only use that string exactly one time, before it must be destroyed (Hence the name, One Time Pad). You can create your set with 140 roles of a 100 sided die, or you can use a site like Random.org, which claims to approach true randomness by utilizing atmospheric noise, a pattern which never repeats itself. I am not a scientific wizard, so I don’t know how they do it, but the claim is that it is a random number generator which does not rely on a computer algorithm, (which can be cracked), and that randomness is really what you need. Your keys usually come in a book, and you sequentially use the key and then tear the page off and destroy it. But once the key has been used, it can never be used anymore, so the spies would generate these keys and print them in a small, palm-sized book on tissue-thin paper.
- If you MUST re-transmit the message, you must use a new key. No problem though since you already destroyed the one the first one was encoded with. But if you use the same key, spies have a way of noting patterns in numbers, and will very soon break your code, as they did with the Russian OTP in East Germany when it was discovered that Soviet agents were getting sloppy and reusing their keys. New key, every time, no exceptions.
- Let me reiterate: You may use each key one and only one time. The encoder must destroy his or her key immediately after encoding, and before transmitting the message, the decoder must destroy his or her copy of the key immediately upon decoding the message. This must happen without exception. Users of the OTP have done crazy stuff to destroy their keys, like burn it or burn it then mix the ashes into your coffee and drink it, or something like this.
- You must have a fundamental understanding of the method.
One-Time Pad: The Method
Once you understand the very simple rules to correctly use OTP, you may begin:
- The encoder chooses a key and begins to write down the message, in regular alphanumeric format. He writes one letter at a time, with all punctuation, if the code book allows for that. He may or may not include spaces, again, depending on the code book. My own OTP code book takes this a step further by having all letters, digits, and then some commonly used words and phrases, which themselves only have a single number associated with them. For example 72 may equal “Stopped for lunch”. This way you can pack even more info in the code. The key must be communicated to the recipent before he can begin decoding the message.
- Each letter, (and punctuation and space and, if allowed, common word or phrase) is coded based on the code book. If, in the codebook A=12, every time, I see an “A” in my message, I will write “12” underneath it. I will come up with a code that looks something like this, when all is said and done:
The 00’s are “no character”, and they mean this spot contains no information. There are also “Stop” codes in here. One stop is a “period”, two stops is the end of the message.
4. Your message should not be over 140 “entries” (think “characters”) long, but for shorter messages, your keys will work out just fine. Once you have changed your plaintext to two digit numbers, you simply put the two digit numbers of the key directly below it. The Key looks like this:
12 35 8 54 55 87 83 19 17 19 96 64 22 24 25 44 83 73 69 9 14 17 11 89 78 45 10 10 20 5 81 32 87 85 6 25 63 79 5 …
Again, remember, this is a 140 number long randomly generated string, and is only to be used one time.
5. The method is then additive. You add the number of your message to the number of the string directly below it. So, in our example, the code we have above becomes:
17 13 12 35 15 72 58 96 11 49 44 20 75 64 02 29 39 48 94 74 80 36 29 18 20 98 80 57 11 38 48 05 81 32 87 85 06 25 63 79 05 84 32 11 09 42 03 56 15 99 02 39 29 03 71 94 14 88 67 75 04 43 43 42 13 23 54 33 80 77 52 96 53 94 29 20 20 05 03 21 63 83 79 28 72 65 82 49 33 44 45 81 …
6. Some quick transformation into a five digit number to make it a bit more difficult to read yields this spiffy little design, which the encoder then keys in, and does the reverse process, except using the same key as you have but subtracting that key from the coded message to produce the original alphanumeric message:
17131 23515 72589 61149 44207 56402 29394 89474 80362 91820 98805 71138 48058 13287 85062 56379 05843 21109 42035 61599 02392 90371 94148 86775 04434 34213 23543 38077 52965 39429 20200 50321 63837 92872 65824 93344 4581…
To even the untrained eye, this is a random string of numbers. To the trained eye, who knows exactly what this is, these numbers are absolutely useless without the same exact key that the encoder used to encode. They would have no idea which of 100 randomly selected numbers to subtract from each of these two digit numbers, in each character, to reproduce the message. With 100 choices each on each of the 140 characters, there would be so much noise in the result, that nobody could ever be sure that what they got was in any way the correct message. With randomly generated strings of numbers, it becomes theoretically impossible to break this code.
And it can be done with simple math. You add two numbers together to get the encoded character. When the sum of two 2-digit numbers goes over 100, you simply start over from 00. The decoder will then use the same number to subtract from each encoded character, and if it is negative, the encoder simply counts down from 99 and continues on their merry way. But again, without the correct number from the key, the result of the decoding produces random characters, and at best the decoder will reproduce part of the key which wasn’t used in the encoding without knowing it.
OTP as Operational Security
I have read that, unless you are an actual spy, working for the Government, if you need to send your messages via OTP, you probably shouldn’t be sending the message. But I don’t necessarily agree with this. OTP can be useful in a lot of scenarios some of us will find ourselves in. For example:
- If we are journalists covering internal struggle in a lawless country.
- If we are a dissident who is organizing tactical plans to win the revolution.
- If we are in a secret society and need to change a meeting time.
- If we are poor people with no access to modern encrypted communications technology, and have no reason to trust it even if we do have access.
- If we are a citizen seeking to protect our rights to be secure in our persons and papers from a Government that is overly aggressive with its domestic spying programs, and shows no desire to adhere to the rule of law.
- If we are a consumer concerned about data mining operations of companies, who use keywords in our flirtation with our friends to sell us stuff we don’t need and which is probably bad for us.
And so forth — you get the picture.
This is one thing our government doesn’t seem to understand: You don’t have to be engaged in criminal behavior to want to have a private conversation. Sure- criminals do like to have private conversations with one another, and there is a small chance that they would be smart enough to actually use OTP instead of announcing who they are, who they know, and where they will be committing a crime over a burner phone which the cops ALWAYS mysteriously seem to crack with remarkable ease. That is possible.
But most citizens who have their metadata routinely collected and stored are not criminals. We have the right to be free from government intrusion into our personal lives. Now that tech companies has joined in the government’s effort to spy on us, nobody is safe, unless they switch off their computers, randomly generate some numbers and talk in code. If you generate a OTP message like the one I previewed above, you can feel free to announce the numbers over a loud speaker. Nobody but your intended audience will be able to do anything with those numbers.
Think if how frustrating it would be to call someone whose phone is tapped and simply say: “Seventeen Thousand, One Hundred Thirty One, Twenty three thousand five hundred fifteen, Seventy Two Thousand Five Hundred Eighty Nine…” Within minutes, the decoder would have the message, (much faster, I must say, than the US mail, but only slightly slower than email), you would both destroy the keys, and then the cops can raid the place all they like. They won’t find anything of any use to them to figure out what you all were talking about.
Yes- We have the right to communicate with one another without the expectation that some spook in a closet somewhere is listening to us. When we don’t need it, OTP can actually be kind of fun to send codes to your friends and fellow members of the Secret Army — which does not exist — but when you DO need it, it could be the difference of life and death for you, your contacts, and your loved ones at the hands of a government that has been eavesdropping on your conversations and doesn’t happen to appreciate the contents of your messages.
Using OTP is a cake walk, it is 100 percent secure if you follow the simple rules for use — most importantly, only use each key once and only once — and it can really help you get your message out of a tight spot. Since it prevents governments from listening to you, I would advise every freedom loving human across the globe to look into OTP. There are no back doors, there are no passwords to be stolen, there are no hacks like there are even with 256-bit encryption, which relies on a “random” algorithm generated by a computer, and therefore, subject to brute force attacks which will become even easier as our computing power continues to exponentially increase. The only way to get access to the information is to have the key, and if you destroy the key when you have used it once, there is no way to get access to the key.
If nothing else, please don’t believe that anything you do or say over digital media is in any way secure. As the #WannaCry ransomware attack demonstrates full well, technology companies build backdoors into their programs all the time, and most of them have given the keys to those backdoors to the Government so the Government can create hacks to your computer, all in the name of security and crime fighting. There is no reason you have to tolerate that. Under no circumstances should we, as citizens have to put up with the Government looking over our shoulder and listening in on everything we write or say. Under no circumstances should we put up with hackers breaking into our storage and seeing what is on there by using our encrypted but obviously crackable passwords.
OTP is one good, and very simple way, and extremely secure to stop them. And its low tech — that is always a plus.