One Time Pad encryption

One Time Pad encryption
Complete privacy for your
sensitive information
One Time Pad encryption
One Time Pad encryption is a very simple, yet completely unbreakable cipher
method. It has been used for decades
in mils cipher systems for encrypting
our customers’ sensitive data.
Complete privacy for your
sensitive information
Over the years, we have perfected the implementation of
One Time Pad encryption into our products. Today, high
levels of automation, high capacity storage media, continuous key protection, and huge One Time Pads provide
our customers with outstanding communication security
without sacrificing convenience. This document will help
you understand how One Time Pad can ensure complete
privacy for your sensitive information.
Characteristics of the
One Time Pad
encryption method
The One Time Pad encryption method is a binary additive stream cipher,
where a stream of truly random keys
is generated and then combined with
the plain text for encryption or with
the cipher text for decryption by an
Exclusive OR (XOR) addition.
It is possible to prove that a stream
cipher encryption scheme is unbreakable if the following preconditions are
met:
Plain text
Cipher text
0 1 1 0 1 000 1 0 1 1 0 1 1
1 1 000 1 1 0
One Time Pad
Exclusive OR
function
1 0 1 0 1 1 1 0 1 0 1 00 1 1
A
The key must be as long as the plain text.
B
The key must be truly random.
C
The key must only be used once.
The One Time Pad implementation in mils products fulfills all these requirements.
Therefore, it provides absolute protection for your sensitive information.
Why is One Time Pad encryption
unbreakable?
The simple explanation
Cipher text
KNQX L Z RV
Key 1
Z CVP Q I T A
Y E S , C OM E
Plain text 1 (meaningful)
Key 2
HSUX Z R AV
CPQX A T I F
Plain text 2 (meaningless)
Key 3
E T DYHCN X
HZAUHP S E
Plain text 3 (meaningless)
Key 4
L F ZRX I B H
S T AY O F F
Plain text 4 (meaningful)
Exclusive OR
function
The brute force attack
Attackers must try every possible key
With One Time Pad encryption, the key used for encoding the message is completely random and is as long as
the message itself. That is why the only possible attack to
such a cipher is a brute force attack. Brute force attacks
use exhaustive trial and error methods in order to find the
key that has been used for encrypting the plain text. This
means that every possible combination of key bits must be
used to decrypt the cipher text. The correct key would be
the one that produces a meaningful plain text.
Since all One Time Pad keys are equally likely and come
from an unpredictable number generator proven to be random, the attacker has to test all possible key strings.
Unlimited computing power is useless
Let’s assume an eavesdropper has intercepted a One Time
Pad encrypted message and that he has unlimited computing power and time. For example, typical e-mail messages
are at least 200 bytes long, requiring the testing of 1,600
bits. Even if the eavesdropper is both willing and able to do
this, the following paragraph will describe why unlimited
computational power will not compromise the system.
Impossible to guess the right plain text
If he used every possible key string to decrypt the cipher
text, all potential plain text strings with the same length as
the original plain text would appear. As illustrated above,
most of these potential plain text strings would make no
sense; however, every meaningful string the same length
as the original plain text would also appear as a potential
plain text string.
Without knowing the applied OTP, the eavesdropper has
no way of finding out which meaningful string is the original plain text. Thus, trying all possible keys does not help
the attacker at all, because all possible plain texts are
equally likely decryptions of the cipher text.
Why is One Time Pad encryption
unbreakable?
The mathematical proof
DEFINITION
A number generator is called a True Random Number Generator or fulfills the true random propany generated key sequence
for all
satisfies
erty if for all
(1)
THEOREM: Unconditional security of One Time Pad
For a cipher system with a true random number generator, the One Time Pad cipher is
perfectly secret.
PROOF
. Let
denote the plain
First, we determine the length of the plain text by
text and
the One Time Pad generated by the true random number generator. The
resulting cipher text
is calculated by
, i.e.
for all
(2)
.
A system is called perfectly secret or unconditionally secure if for all
for all
is satisfied. For
we conclude from equation (2)
and
.
(3)
We get for all
and
by using the law of total probability and the true
random property of the number generator
(4)
By again applying the true random property of the number generator and equation (2)
for
we obtain
(5)
and
From the definition of conditional probability follows for all
and all
(6)
and
(7)
and thus we get
(8)
From equation (5) and equation (4) we deduce
equation (8) simplifies to
and thus
for all
Hence, the mathematical proof is complete.
.
OTP encryption
in practice
Although perfectly secure, One Time Pad encryption is
often claimed to be complex and impractical. In former
times this may have been true. But with today’s high automation and the perfect implementation into MilsOne,
OTP encryption provides perfect security without sacrificing the convenience of the operators.
A small example network
using MilsOne
MilsQube
Ministry
OTP link with
heavy traffic
Regional
HQ1
In MilsOne, every station receives a MilsQube, the purpose-built hardware security module that encapsulates all
elements of the OTP implementation.
Regional
HQ2
The illustration on the left shows a small communication
network in which the various stations are connected by
links using OTP encryption. Due to the varying communication volumes, different amounts of One Time Pad are
required for the various links.
OTP link with
low traffic
OTP link with
medium traffic
Branch
MilsOne is a highly secure unified communication system that combines real-time communication services
like instant messaging or IP-telephony with non real-time
services like e-mail or file transfer. No matter which communication mode you choose, MilsOne can protect every
information exchange with the unbreakable One Time Pad
encryption method.
Branch
Due to the flexibility of MilsOne, each link can be individually assigned the required amount of One Time Pads,
which are then supplied to the involved stations.
LA
TED BY
EMC &
Optics
/15
V-E175
SL-EM
S
The MilsQube lies at the heart of the OTP implementation by mils. It safeguards the sensitive components of
the One Time Pad system, provides True Random Number Generation (TRNG), and secure key storage.
ES
IE
T
The MilsQube
BOR ATOR
Security features
A
Layered protection scheme for maximum protection of
all keys, algorithms, and other sensitive data
B
Highly secure True Random Number Generator
(TRNG) for the creation of unique session keys and
One Time Pad sequences
C
Forgery-proof hardware clock for time stamps
E
Provisions against non-invasive attacks
F
Strictly controlled electromagnetic emissions and
susceptibility, certified according to MIL-STD 461E by
Seibersdorf Laboratories
G
Designed to support certification at FIPS 140-2 Level
3 and even Level 4, depending on application requirements
D
Sophisticated tamper-respondent design protects
against physical attacks and reverse engineering of onboard applications and data
Metallic housing
Encapsulant resin
Tamper
respondent
sensor
Secure
key storage
Shielding box
Hardware clock
True Random
Number Generator
Types of MilsQubes
and their role in MilsOne
In the OTP system, three different types of MilsQubes
are relevant. Although they share the same hardware,
they provide different functionality depending on their
purpose.
OneQube
SubQube
KeyQube
The OneQube is used for OTP generation and is the primary storage area
for One Time Pads. Each station (also
called subscriber) of a MilsOne network receives an individual OneQube.
When OTP encryption is employed,
the OTP is used directly from the internal storage area of the OneQube.
The SubQube is used as a dedicated
additional OTP generation and storage device and thus allows the OTP
Manager to increase the maximum
key capacity available to a station.
Additionally the SubQube is used to
implement fault-tolerant OTP communication links.
A KeyQube acts as a substitute for
a OneQube or SubQube during key
generation and distribution carried
out at a Key Generation station. It
serves as a secure transport medium for OTPs. At the respective stations, the OTPs are transferred to the
OneQube and SubQube(s).
Key
Generator
OTP
Replenishment
Regional
HQ1
OneQube
SubQube
KeyQube
Subscriber
KeyQube
KeyQube
Regional
HQ2
Ministry
Subscriber
OneQube
SubQube
SubQube
The roles of the MilsQubes in our example network
OneQube
For One Time Pad encryption, a
truly random key stream must be
employed to generate the required
keys. In MilsOne, all keys are
exclusively generated by the True
Random Number Generator (TRNG)
which is incorporated into each
MilsQube.
The True Random
Number Generator
Theoretical background
Solid as a rock
Thanks to our many years of experience, high-tech knowhow, and continuous strive for perfection, we at mils have
been able to profoundly understand how to best make use
of certain quantum-random events. Complex, scientific
probability models have made it possible to master the art
of true randomness.
Thanks to the correct parametrization of its digital implementation, we created a hardened and robust TRNG
which is even able to withstand temperature and frequency attacks. Compared to other random number generators
working with light, the TRNG by mils is solid as a rock.
Quantum-random phenomena
There are not many events which can be seen as truly random. Most phenomena can be predicted one
way or another. The exception are fundamentally
unpredictable quantum-mechanical events. They
occur, for instance, when electrons are forced to
jump from one material to the other. Nobody is
able to predict when exactly they are going to
take the leap.
This phenomenon can be measured in electronic
noise (Shot noise in electronic circuits). Its behavior is unpredictable when collecting phase jitter in
digitally implemented ring oscillators.
The True Random
Number Generator
Mastering
true randomness
Fundamentally
unpredictable
quantum-mechanical
phenomena
Once you have a random, physical
phenomenon, the next tricky question is how to harvest its randomness
without disturbing the physical process. In our TRNG, we use a sampler
to extract the digitized noise signal,
so that the outcome is truly unpredictable.
Harvesting
mechanism
(Sampler)
Post processing
Random bit stream
Entropy Distiller
1 001 0 1 001
In a Post processing step (as demanded by BSI AIS 31 Classification PTG.3,
among others), any deterministic results are masked by applying a Von
Neumann corrector. This compensates possible imbalances between
the number of ones and zeros in the
random signal (Entropy Distiller).
Statistical tests
Thus, we have our random bit stream.
But mils would not be leading the
field of OTP encryption worldwide if
we would not verify that what looks
random, is truly random. This is why
stringent statistical tests make sure
that the bit stream can be considered
unpredictable from a mathematical
point of view.
Truly random
key file
Only when all tests are passed may
the random bit stream become an
OTP key file.
OTP key
Applied
Randomness
The most powerful randomness source is useless if it does
not form part of a sophisticated and elaborate system.
For that reason, the MilsOne system supports the most
diverse OTP generation and distribution scenarios.
Scenario 1:
Key Generation by Manager
Manager
(online)
KeyQube
Ministry
KeyQube
KeyQube
KeyQube
KeyQube
The Manager station supplies the
subscribers with OTP keys by using
KeyQubes. Each KeyQube contains
its own True Random Number Generator.
KeyQube
OneQube
Regional
HQ1
Regional
HQ2
OneQube
This allows a massive parallelization
of the OTP generation process, as
each KeyQube generates the sending
key of an OTP link and copies it to the
receiving station afterwards.
OneQube
Branch
Branch
OneQube
Scenario 2:
Key Generation by
Key Generators
OneQube
Manager
(online)
Delegates OTP generation
and distribution tasks for a
certain area
Online communication
Ministry
KeyQube
Region 1
OneQube
KeyQube
KeyQube
Key Generator 1
Regional
HQ1
Regional
HQ2
OneQube
USB
OneQube
Region 2
Branch
Branch
OneQube
Offline communication
KeyQube
KeyQube
Key Generator 2
OneQube
KeyQube
MilsOne provides an elegant way
to delegate the OTP generation
efforts to several subscribers. The
advantage is that you may share the
key generation workload with Key
Generator stations.
The Key Generator stations can work
in online or offline mode, depending
on your security requirements. When
working in offline mode, the communication with the Manager station is
performed by exchanging USB memory sticks.
Restricted area (offline)
... the possibilities
are endless...
OTP generation,
the detailed view
One Time Pad keys are symmetrical keys used in identical
pairs, i.e. the sender and the recipient of the sensitive information need to have the same One Time Pad available
for encryption and decryption. It is of paramount importance to hermetically protect these One Time Pads during
generation and distribution.
Perfect protection of OTP
keys during their entire life
In MilsOne, the confidentiality and authenticity of the OTP
keys is guaranteed thanks to the continuous protection
during their generation, distribution, and storage in the
MilsQube. As the keys are exchanged in encrypted form,
any attempt to get hold of the plain key material is in vain.
Additionally, the Key Generator station can be offline (with
no connection to any network), therefore reliably shielding
this sensitive process from any external attacks
The following illustrations take you through the OTP creation and exchange process.
Step 1: Each MilsQube creates a truly random OTP key
OneQube of Ministry
OneQube of Regional HQ1
True Random
Number
Generator
Encrypt (QKM)
True Random
Number
Generator
QKM
(unique)
Tamper respondent
RAM
OTP key
Ministry to
Regional HQ1
Key storage area
QKHQ1
(unique)
Encrypt (QKHQ1)
OTP key
Regional HQ1
to Ministry
QKM = Qube Key of ‘Ministry’
QKHQ1 = Qube Key of ‘HQ1’
(Qube Keys are unique for
each OneQube)
Key storage area
Both MilsQubes create a truly random OTP sending key.
After being created by the internal True Random Number
Generator of the OneQube, each OTP is immediately encrypted and authenticated by the Mils Block Cipher (MBC)
algorithm initiated by the unique Qube Keys (QKM resp.
QKHQ1). Then it is stored into the OneQube’s key storage
area in encrypted format.
Please note that Qube Keys are unique for each OneQube.
All keys (OTP keys, Qube Keys, and
Key Encryption Keys) are exclusively generated by the True Random
Number Generator (TRNG) which is
incorporated into each MilsQube.
Step 2: The first OTP key is copied
As the identical OTPs are required
at the sender’s and recipient’s side,
they now need to be exchanged between the sender’s and recipient’s
OneQubes.
OneQube of Ministry
QKM
(unique)
OneQube of Regional HQ1
KEKM
(unique)
Decrypt
(QKM)
Encrypt
(KEKM)
Encrypted OTP key exchange
via USB interface
at a Key Generator station
KEKM
(unique)
QKHQ1
(unique)
Decrypt
(KEKM)
Encrypt
(QKHQ1)
OTP key
Ministry to
Regional HQ1
OTP key
Ministry to
Regional HQ1
Key storage area
QKM = Qube Key of ‘Ministry’
QKHQ1 = Qube Key of ‘HQ1’
KEKM = Key Encryption Key
(Ministry to HQ1)
Key storage area
The first MilsQube securely transmits its OTP key.
The OneQube of Ministry starts to
share its OTP via the USB interface at
the Key Generator station. Therefore,
the OTP key needs to be decrypted using the OneQube’s Qube Key
(QKM). To securely transfer the One
Time Pad key, it is encrypted using
the Key Encryption Key specific and
unique to the communication between the Ministry and the Regional
HQ1 (KEKM). Once arrived at the Regional HQ1’s OneQube the OTP key is
decrypted using the pre-shared Key
Encryption Key (KEKM) and encrypt-
ed using the Qube Key of the Regional
HQ1’s OneQube (QKHQ1).
Please note that the Key Encryption
Key is unique for each communication link.
Step 3: The second OTP key is copied
OneQube of Ministry
QKM
(unique)
Encrypt
(QKM)
OneQube of Regional HQ1
KEKHQ1
(unique)
Decrypt
(KEKHQ1)
Encrypted OTP key exchange
via USB interface
at a Key Generator station
OTP key
Regional HQ1
to Ministry
Key storage area
KEKHQ1
(unique)
QKHQ1
(unique)
Encrypt
(KEKHQ1)
Decrypt
(QKHQ1)
OTP key
Regional HQ1
to Ministry
QKM = Qube Key of ‘Ministry’
QKHQ1 = Qube Key of ‘HQ1’
KEKHQ1 = Key Encryption Key
(HQ1 to Ministry)
Key storage area
The second MilsQube securely transmits its OTP key to the first MilsQube.
Just like in Step 2, the key stream needs to be decrypted
with the Qube Key (of the Regional HQ1’s OneQube) and
encrypted with the Key Encryption Key (specific to the
link). After traveling in protected form to the Ministry’s
OneQube, the OTP key needs to be decrypted with the Key
Encryption Key and encrypted with the Qube Key.
Final result: Both MilsQubes contain both OTP keys
OneQube of Ministry
OneQube of Regional HQ1
True Random
Number
Generator
True Random
Number
Generator
OTP key
Ministry to
Regional HQ1
OTP key
Ministry to
Regional HQ1
OTP key
Regional HQ1
to Ministry
OTP key
Regional HQ1
to Ministry
Key storage area
At the end of this process, both MilsQubes dispose of
identical copies of the OTP keys. In order to securely store
the OTP keys, each OneQube encrypted the OTP key using
its Qube-specific Qube Key.
Key storage area
The OneQubes are now distributed to the respective
subscribers and can be used for OTP-encrypted communication.
The One Time Pad
cipher process in MilsOne
The strength of the MilsOne OTP implementation lies in the continuous protection of the OTP keys. One Time Pads are exclusively stored in encrypted
format in the secure key storage area of each MilsQube. Even for encryption
or decryption operations, the OTP keys stay within the protected environment of the OneQube or SubQube.
OTP encryption process
Secret
Information
(plain)
OTP decryption process
Communication
Network
Data encryption process
Decrypt (QKM)
Secret
Information
(plain)
Data decryption process
QKM
(unique)
Decrypt (QKHQ1)
OTP key
Ministry to
Regional HQ1
QKHQ1
(unique)
OTP key
Ministry to
Regional HQ1
Key storage area
Key storage area
QKM = Qube Key of ‘Ministry’
QKHQ1 = Qube Key of ‘HQ1’
OneQube of Ministry
(Sender)
To encrypt plain data, the sender uses a OTP key string
which is as long as the plain data. The requested amount
of OTP is read from the respective OTP key file (in this
case Ministry > Regional HQ1), and is decrypted by using
the Mils Block Cipher (MBC) algorithm plus the Qube Key
(QKM) of the Ministry’s OneQube. The decrypted OTP key
is then mixed (XOR-ed) with the plain text bit by bit, always adding one bit of the key with one bit of the plain data
to create one bit of cipher text. This cipher text is then sent
to the recipient.
OneQube of Regional HQ1
(Receiver)
At the recipient’s end, the duplicate copy of the OTP key
is decrypted using the Regional HQ’s unique Qube Key
(QKHQ1) and then the encoded data is mixed (XOR-ed)
with the OTP key. Thus, the plain data is restored.
Both the sender’s and recipient’s OTP keys are automatically destroyed after use, so that erroneous re-application of the same key is impossible.
Reliable One Time Pad
links
When you are running a One Time Pad based communication system, reliability is crucial. Especially in global
deployments with long supply routes, the breakdown of
a subscriber station cannot be tolerated. While the creation of OTP key backups is totally inconceivable, provisions have to be made in case a OneQube fails.
Introducing RaiQ
To ensure the highest possible reliability at the subscriber
stations, we have introduced the OTP RaiQ (Reliable array
of independent Qubes) system. This system guarantees
OTP communication even in case of hardware faults, as
every OTP key is divided and distributed among the available OneQube and SubQubes.
Ministry
OneQube
SubQube1
SubQube2
OTP key
Ministry to Regional HQ1
OTP key
Ministry to Regional HQ1
OTP key
Ministry to Regional HQ1
⅓ of OTP key
⅓ of OTP key
⅓ of OTP key
Secure key storage area
Secure key storage area
Secure key storage area
A RaiQ configuration with a OneQube and two SubQubes
Thanks to the RaiQ system, the availability of OTP keys is
guaranteed, even if the OneQube (or any SubQube) fails,
without needing to illegitimately create backups of the
OTP key.
On top of that, the introduction of RaiQ increases the OTP
storage capability at the subscriber station.
Additional benefit: If the worst comes to the worst, a
SubQube can be converted into a OneQube for interruption-free communication.
Further reading
Schneier, Bruce:
Applied Cryptography: Protocols, Algorithms,
and Source Code in C.
1996, John Wiley and Sons, Inc.
Menezes, Alfred J., Paul C. van Oorschot,
and Scott A. Vanstone:
Handbook of Applied Cryptography
1997, CRC Press
The history of
One Time Pad encryption
The One Time Pad encryption method is nothing new. In
1882, Frank Miller was the first to describe the One Time
Pad system for securing telegraphy.
In 1917, Gilbert Vernam invented a cipher solution for a
teletype machine. U.S. Army Captain Joseph Mauborgne
realized that the character on the key tape could be completely random. Together, they introduced the first One
Time Pad encryption system.
Since then, One Time Pad systems have been widely used
by governments around the world. Outstanding examples
of a One Time Pad system include the hotline between the
White House and the Kremlin as well as the famous Sigsaly speech encryption system.
Another development was the paper pad system. Diplomats had long been using codes and ciphers for confidentiality. For encryption, words and phrases were converted
to groups of numbers and then encrypted using a One
Time Pad.
The famous patent for the Secret Signaling System from 1919.
Each character of a message was combined with a character
on a paper tape key.
Frank Miller
Gilbert Vernam
Joseph Mauborgne
OTP history at mils
OTP encryption has always played an
essential role in the product philosophy of mils. When the company was
founded in the late 1940s, OTP was
the only applied encryption method.
The TT-360 Tape Mixer was one of
the first electro-mechanical cipher
machines which the company developed and sold.
TT-360 Tape Mixer
M640 Tape Mixer
M730 Cipher Machine with MilsCard
OTP Cipher Disk
M830 Cipher Machine
MilsOne Client with OneQube
Although unbreakable, OTP encryption is so simple that you can even
employ it manually. We therefore
often give a OTP Cipher Disk to our
customers as a gift. When used correctly, it is a powerful tool to create
short unbreakable messages.
With the invention of microprocessor technology, OTP encryption was
complemented by algorithm based
encryption in the M640 Tape Mixer
or the M830 Cipher Machine. The
usability of OTP was drastically increased by software-based development.
With the invention of the personal
computer it was necessary to remove
the sensitive parts of OTP encryption
from the PC into dedicated security
hardware, like the MilsCard of the
M730 Cipher Machine.
Today, the entire OTP storage and
encryption process is handled by
the OneQube, the hardware token
of MilsOne. With its fully automated
OTP usage and 29 GB of OTP storage
it represents the state-of-the-art OTP
implementation.
mils electronic gesmbh & cokg · leopold-wedl-strasse 16 · 6068 mils · austria
t +43 52 23 577 10-0 · f +43 52 23 577 10-110 · [email protected] · www.mils.com
TEC-OTP-07e