Cool! It's back!

Spy/Counterspy was, last I saw it, run out of a Canadian site but mysteriously shut down. A lot of the info was basic stuff you could find in a Tom Clancy novel but there was some very very clever stuff. My personal favorite was this one – how to broadcast to cells. Brilliant.

Use of a one-time pad

How to use a dead-letter box

I'm gonna have to mirror this one on my drive in case it goes Tango Uniform again.

8 thoughts on “

  1. Provided that an eavesdropper cannot get access to either the sender’s or receiver’s key, the one-time pad method is 100% secure. No FBI cryptanalyst will ever crack it. No Cray supercomputer running the NSA’s cracker software will ever break it. Period.

    Well, THAT is amusing. This guy knows sweet dick about crypto.

    The point of a one-time pad is not that it “cannot” be broken. It most certainly can.

    The point of a one-time pad is that once you have broken it, it doesn’t help you break subsequent messages encrypted with their own one-time pads.

    A simple example: If I encode a message using the old standard A=1, B=2, C=3, and so on, and I encode a second message using ROT-13 (A=N, B=O, C=P, &c.), you can figure out what either of those messages means. But determining that message #1 is a number for letter substitution does not tell you anything about how to break message #2. You have to go through the process of figuring it out starting from square 1. This is the power of one-time pads, not the mythical “unbreakable” properties of only using a code once.

    One-time pads are not “100% secure.” They just aim to make decryption so effort intensive as to render it pointless (i.e., by the time you break it, it is too late or the resources required to break each message individually cost more than the intelligence gained is worth).

  2. In fairness, I should add that one-time pads have been shown mathematically to be “theoretically unbreakable.” And subsequently, they have been broken.

  3. Did you notice that there’s a note on one of the pages saying that this is essentially a “mirror” site run off what appears to be an old archive? The real site is still down.

  4. paging systems & one-time pads

    The vast majority of commercial paging companies do not use over the air voice paging anymore. You can, however, put together a pager intercept station to decode the POCSAG and Flex data modes currently used in digital paging systems and do the same thing.

    The strength of a one-time pad is that the key is a randomly generated non-repeating data stream that is not reused. Once you use a sheet off a pad, you are supposed to destroy it. The major problems that lie with this method are keeping both parties well-supplied with pads, the chances that the pad might be discovered, and the generation of an adequately random key string. Back when the Soviet Union was going down the drain, the availability of fresh one time pads became an issue, and they were forced to reuse them. Big comsec error.

    The implementation described in that “one time pad” article is not a one time pad. A substitution cipher perhaps, but not a one time pad.

    “Spies and agents, on the other hand, cannot afford to carry incriminating evidence like bulky code-books, so they use instead the simplified conversion method shown below and spell out every word in full.”

    Actually, the Soviets issued their agents one-time pads that were about the size of a matchbook, and were supposedly able to be easily hidden. They were not “bulky code books”, just a small pad with random number strings in very small print on them.

  5. Well, a properly executed one-time pad isn’t breakable.

    If you create a one-time pad (either digital or the old-fashioned letter cypher kind described in this article) that is truly random, and it’s used exactly once for a single message, then the resulting message cannot be decrypted without having the accompanying pad, for the simple reason that there’s no way to tell whether you’re right or not. Every message decrypts to every possible plaintext depending on what key you’re using, and if the key is truly random there’s no way to show that any decryption is right, or even more likely to be right than any other.

    However, the phrases “properly executed” and “truly random” are the big issues in the above description. One-time pads have been cracked on several occasions, and the method is always either a backchannel (i.e. they intercept the pad, or find notes or pen impressions, or analyze the handwriting, etc.) or a flaw in the randomness of the pad. For instance, in the linked article, he mentions “Now you’re ready to create a key. First, write down a series of random alphabet characters, such as HLMSEZRBHPSJOTDW.”

    No. Create your key that way and you’re screwed; humans are terrible at generating random data on purpose. The pad you generate won’t be truly random, and a skilled cryptanalyst can crack it, particularly if they have a lot of cyphertext or multiple messages to work with. Computers are pretty awful at it, too — people have tried to use pseudorandom number generators (what most people call “random” number generators) for cryptography on many occasions and it fails horribly (I’m no cryptanalyst and I could write a program to crack a one-time pad using a known PRNG to generate randomness.) There are cryptographic random number generators you can use, but even those must be seeded with an initial pool of random data, and the size of that seed essentially forms a key that can be brute-forced (though that key may be incredibly large, and thus uncrackable with today’s technology, there’s a big difference between “incredibly large” and “truly unbreakable.”) In theory you could search the entire keyspace of a CRNG and more than likely only one key would produce intelligible plaintext, thus defeating the one-time pad advantage of “every cyphertext can decrypt to every plaintext.”

    Truth is, cryptography — one-time pad or no — usually makes decryption so effort-intensive as to render it pointless… because people make stupid mistakes that give away the message without decryption being required. Why crack someone’s encrypted email when it’s in a deleted file trace on their computer? Just steal the hard disk.
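
The properties argued over in comments 4 and 5 can be checked directly. The Python below is an added example, not part of the original post or its comments; it uses the letter-based (mod 26) pad, and the function names, sample messages and the 16-bit seed are constructed for illustration. It shows that a pad exists for every guessed plaintext, that a reused pad cancels out of two ciphertexts, and that a pad drawn from a small-seed PRNG is only as strong as the seed.

```python
import random
import secrets
import string

A = string.ascii_uppercase

def shift(text, key, sign):
    """Add (sign=+1) or subtract (sign=-1) key letters from text letters, mod 26."""
    if len(key) < len(text):
        raise ValueError("pad must be at least as long as the message")
    return "".join(A[(A.index(t) + sign * A.index(k)) % 26] for t, k in zip(text, key))

def encrypt(plaintext, pad):
    return shift(plaintext, pad, +1)

def decrypt(ciphertext, pad):
    return shift(ciphertext, pad, -1)

def random_pad(n):
    """Pad drawn from the OS CSPRNG; meant to be used once and destroyed."""
    return "".join(secrets.choice(A) for _ in range(n))

def pad_explaining(ciphertext, guess):
    """The pad under which `ciphertext` decrypts to `guess`; one exists for every guess."""
    return shift(ciphertext, guess, -1)

def reuse_leak(c1, c2):
    """c1 - c2 for two messages under the same pad: the pad cancels, leaving p1 - p2."""
    return shift(c1, c2, -1)

def prng_pad(seed, n):
    """Weak pad: non-cryptographic PRNG output from a small seed (constructed case)."""
    rng = random.Random(seed)
    return "".join(rng.choice(A) for _ in range(n))

def seeds_consistent_with(ciphertext, known_prefix):
    """Seeds (16-bit space) whose pad turns the ciphertext start into a known prefix."""
    n = len(known_prefix)
    return [s for s in range(2**16)
            if decrypt(ciphertext[:n], prng_pad(s, n)) == known_prefix]

if __name__ == "__main__":
    p1, p2 = "MEETATDAWN", "HOLDATNOON"      # constructed sample messages
    pad = random_pad(len(p1))
    c1, c2 = encrypt(p1, pad), encrypt(p2, pad)  # second use of the pad is the error
    print("alternate pad decrypts to:", decrypt(c1, pad_explaining(c1, "ABORTABORT")))
    print("pad-free difference matches:", reuse_leak(c1, c2) == shift(p1, p2, -1))
    weak = encrypt(p1, prng_pad(4242, len(p1)))
    print("seeds matching known prefix:", seeds_consistent_with(weak, p1[:8]))
```

With `random_pad` the only search space is the pad itself, which is as large as the message space; with `prng_pad` it shrinks to the seed space, which is the distinction comment 5 draws.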
