Maybe I was a bit too harsh. Sorry about that. But I'm going to stick to my guns and maintain that Crypt::OTP is deeply flawed. It solves the easy problem (xoring the pad into the message), but provides no help at all on the difficult problem (key management). If a one-time pad is going to be secure, it is absolutely critical that no part of the pad ever be reused to encrypt a second message. Recovering plaintexts encrypted with the same key is easy for a cryptanalyst (try it sometime, it's kind of fun). It would be useful if Crypt::OTP would help remember which parts of the pad have already been used, but it doesn't. Even if I remember which parts I've used, there's no way to tell Crypt::OTP to seek to the unused parts. I have to extract the unused portion into a temp file, then pass that to Crypt::OTP, and wipe it afterwards. I also need to make sure there are enough bytes left in the pad to encrypt the message, or Crypt::OTP will happily recycle key bytes. It's a lot of work to use this module securely.

To make matters worse, none of this is explained in the module documentation. And there's some rather bad advice in there to boot. You suggest that the pad file be a "semi-random text file." Wrong -- in order to be secure, a one-time pad must be completely random. Any patterns in the pad provide a handhold for the cryptanalyst. Also, a lot of people are going to interpret "text file" to mean "a file of English text." You reinforce that idea by showing an English phrase as the key in your less secure example. However, recovering an English text message encrypted with an English text running key is an easy problem for someone who knows what they're doing. So maybe you really do know your stuff, but you sure didn't show it in Crypt::OTP.

In reply to Re: Re: Re: Web Cryptomatic by no_slogan
in thread Web Cryptomatic by oakbox

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.