One Time Pad encryption

Complete privacy for your
sensitive information
One Time Pad encryption is a very simple, yet completely unbreakable cipher
method. It has been used for decades
in mils cipher systems for encrypting
our customers’ sensitive data.
Over the years, we have perfected the implementation of
One Time Pad encryption into our products. Today, high
levels of automation, high capacity storage media, continuous key protection, and huge One Time Pads provide
our customers with outstanding communication security
without sacrificing convenience. This document will help
you understand how One Time Pad can ensure complete
privacy for your sensitive information.
Characteristics of the
One Time Pad
encryption method
The One Time Pad encryption method is a binary additive stream cipher,
where a stream of truly random keys
is generated and then combined with
the plain text for encryption or with
the cipher text for decryption by an
Exclusive OR (XOR) addition.
It is possible to prove that a stream
cipher encryption scheme is unbreakable if the following preconditions are
met:
A
The key must be as long as the plain text.
B
The key must be truly random.
C
The key must only be used once.
[Figure: the plain text bit stream and the One Time Pad are combined by the Exclusive OR function to give the cipher text bit stream.]
The One Time Pad implementation in mils products fulfills all these requirements.
Therefore, it provides absolute protection for your sensitive information.
Why is One Time Pad encryption
unbreakable?
The simple explanation
[Figure: one cipher text combined with four different keys by the Exclusive OR function]
Cipher text: KNQXLZRV
Key 1: ZCVPQITA    Plain text 1 (meaningful): YES,COME
Key 2: HSUXZRAV    Plain text 2 (meaningless): CPQXATIF
Key 3: ETDYHCNX    Plain text 3 (meaningless): HZAUHPSE
Key 4: LFZRXIBH    Plain text 4 (meaningful): STAY OFF
The brute force attack
Attackers must try every possible key
With One Time Pad encryption, the key used for encoding the message is completely random and is as long as
the message itself. That is why the only possible attack on
such a cipher is a brute force attack. Brute force attacks
use exhaustive trial and error methods in order to find the
key that has been used for encrypting the plain text. This
means that every possible combination of key bits must be
used to decrypt the cipher text. The correct key would be
the one that produces a meaningful plain text.
Since all One Time Pad keys are equally likely and come
from an unpredictable number generator proven to be random, the attacker has to test all possible key strings.
Unlimited computing power is useless
Let’s assume an eavesdropper has intercepted a One Time
Pad encrypted message and that he has unlimited computing power and time. For example, typical e-mail messages
are at least 200 bytes long, requiring the testing of 1,600
bits. Even if the eavesdropper is both willing and able to do
this, the following paragraph will describe why unlimited
computational power will not compromise the system.
Impossible to guess the right plain text
If he used every possible key string to decrypt the cipher
text, all potential plain text strings with the same length as
the original plain text would appear. As illustrated above,
most of these potential plain text strings would make no
sense; however, every meaningful string the same length
as the original plain text would also appear as a potential
plain text string.
Without knowing the applied OTP, the eavesdropper has
no way of finding out which meaningful string is the original plain text. Thus, trying all possible keys does not help
the attacker at all, because all possible plain texts are
equally likely decryptions of the cipher text.
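The argument above as an added Python example (not part of the brochure): for an intercepted cipher text, every candidate message of the same length has a pad that "decrypts" to it, and an exhaustive count over all 3-bit messages confirms that each cipher text is equally likely whatever the plain text was. It assumes byte-wise XOR rather than the letter alphabet of the figure, and uses the operating system's CSPRNG as a stand-in for a TRNG.

```python
"""Added illustration: brute force against a One Time Pad yields every message."""
import secrets
from collections import Counter


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings (the OTP operation)."""
    if len(a) != len(b):
        raise ValueError("pad and text must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def pad_explaining(cipher: bytes, candidate: bytes) -> bytes:
    """The unique pad under which `cipher` decrypts to `candidate`."""
    return xor_bytes(cipher, candidate)


def candidate_decryptions(cipher: bytes, candidates):
    """What an exhaustive search 'finds': each candidate, with its own pad."""
    found = {}
    for text in candidates:
        pad = pad_explaining(cipher, text)
        found[text] = (pad, xor_bytes(cipher, pad))
    return found


def cipher_counts(n_bits: int):
    """For each n-bit plain text, count every cipher text over all 2**n pads."""
    size = 2 ** n_bits
    return {p: Counter(p ^ k for k in range(size)) for p in range(size)}


def is_perfectly_secret(n_bits: int) -> bool:
    """True if each cipher text is produced by exactly one pad per plain text,
    i.e. P(cipher | plain) = 2**-n_bits whatever the plain text is."""
    size = 2 ** n_bits
    return all(
        len(counts) == size and set(counts.values()) == {1}
        for counts in cipher_counts(n_bits).values()
    )


if __name__ == "__main__":
    plain = b"YES,COME"                       # message from the brochure's figure
    pad = secrets.token_bytes(len(plain))     # OS CSPRNG as stand-in for a TRNG
    cipher = xor_bytes(plain, pad)
    guesses = [b"YES,COME", b"STAY OFF", b"CPQXATIF"]
    for text, (k, out) in candidate_decryptions(cipher, guesses).items():
        print(f"pad {k.hex()} -> {out!r}")
    print("3-bit messages perfectly secret:", is_perfectly_secret(3))
```
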
Why is One Time Pad encryption
unbreakable?
The mathematical proof
DEFINITION
A number generator is called a True Random Number Generator or fulfills the true random property if for all
any generated key sequence
satisfies
for all
(1)
THEOREM: Unconditional security of One Time Pad
For a cipher system with a true random number generator, the One Time Pad cipher is
perfectly secret.
PROOF
First, we determine the length of the plain text by
. Let
denote the plain text and
the One Time Pad generated by the true random number generator. The
resulting cipher text
is calculated by
, i.e.
for all
(2)
.
A system is called perfectly secret or unconditionally secure if for all
for all
is satisfied. For
we conclude from equation (2)
and
.
(3)
We get for all
and
by using the law of total probability and the true
random property of the number generator
(4)
By again applying the true random property of the number generator and equation (2)
for
we obtain
(5)
and
From the definition of conditional probability follows for all
and all
(6)
and
(7)
and thus we get
(8)
From equation (5) and equation (4) we deduce
equation (8) simplifies to
and thus
for all
Hence, the mathematical proof is complete.
.
OTP encryption
in practice
Although perfectly secure, One Time Pad encryption is
often claimed to be complex and impractical. In former
times this may have been true. But with today’s high automation and the perfect implementation into MilsOne,
OTP encryption provides perfect security without sacrificing the convenience of the operators.
A small example network
using MilsOne
[Figure: example network made up of the stations Ministry, Regional HQ1, Regional HQ2 and two Branch stations, each equipped with a MilsQube and connected by OTP links with heavy, medium and low traffic.]
In MilsOne, every station receives a MilsQube, the purpose-built hardware security module that encapsulates all
elements of the OTP implementation.
The illustration on the left shows a small communication
network in which the various stations are connected by
links using OTP encryption. Due to the varying communication volumes, different amounts of One Time Pad are
required for the various links.
MilsOne is a highly secure unified communication system that combines real-time communication services
like instant messaging or IP-telephony with non real-time
services like e-mail or file transfer. No matter which communication mode you choose, MilsOne can protect every
information exchange with the unbreakable One Time Pad
encryption method.
Due to the flexibility of MilsOne, each link can be individually assigned the required amount of One Time Pads,
which are then supplied to the involved stations.
The MilsQube
The MilsQube lies at the heart of the OTP implementation by mils. It safeguards the sensitive components of
the One Time Pad system, provides True Random Number Generation (TRNG), and secure key storage.
Security features
A
Layered protection scheme for maximum protection of
all keys, algorithms, and other sensitive data
B
Highly secure True Random Number Generator
(TRNG) for the creation of unique session keys and
One Time Pad sequences
C
Forgery-proof hardware clock for time stamps
D
Sophisticated tamper-respondent design protects
against physical attacks and reverse engineering of onboard applications and data
E
Provisions against non-invasive attacks
F
Strictly controlled electromagnetic emissions and
susceptibility, certified according to MIL-STD 461E by
Seibersdorf Laboratories
G
Designed to support certification at FIPS 140-2 Level
3 and even Level 4, depending on application requirements
[Figure: the MilsQube with its parts labelled: metallic housing, encapsulant resin, tamper respondent sensor, secure key storage, shielding box, hardware clock, True Random Number Generator.]
Types of MilsQubes
and their role in MilsOne
In the OTP system, three different types of MilsQubes
are relevant. Although they share the same hardware,
they provide different functionality depending on their
purpose.
OneQube
The OneQube is used for OTP generation and is the primary storage area
for One Time Pads. Each station (also
called subscriber) of a MilsOne network receives an individual OneQube.
When OTP encryption is employed,
the OTP is used directly from the internal storage area of the OneQube.
SubQube
The SubQube is used as a dedicated
additional OTP generation and storage device and thus allows the OTP
Manager to increase the maximum
key capacity available to a station.
Additionally the SubQube is used to
implement fault-tolerant OTP communication links.
KeyQube
A KeyQube acts as a substitute for
a OneQube or SubQube during key
generation and distribution carried
out at a Key Generation station. It
serves as a secure transport medium for OTPs. At the respective stations, the OTPs are transferred to the
OneQube and SubQube(s).
[Figure: The roles of the MilsQubes in our example network. A Key Generator and OTP replenishment using KeyQubes; the subscribers Ministry, Regional HQ1 and Regional HQ2 with their OneQubes and SubQubes.]
The True Random
Number Generator
Theoretical background
For One Time Pad encryption, a
truly random key stream must be
employed to generate the required
keys. In MilsOne, all keys are
exclusively generated by the True
Random Number Generator (TRNG)
which is incorporated into each
MilsQube.
Solid as a rock
Thanks to our many years of experience, high-tech know-how, and continuous striving for perfection, we at mils have
been able to profoundly understand how to best make use
of certain quantum-random events. Complex, scientific
probability models have made it possible to master the art
of true randomness.
Thanks to the correct parametrization of its digital implementation, we created a hardened and robust TRNG
which is even able to withstand temperature and frequency attacks. Compared to other random number generators
working with light, the TRNG by mils is solid as a rock.
Quantum-random phenomena
There are not many events which can be seen as truly random. Most phenomena can be predicted one
way or another. The exceptions are fundamentally
unpredictable quantum-mechanical events. They
occur, for instance, when electrons are forced to
jump from one material to the other. Nobody is
able to predict when exactly they are going to
take the leap.
This phenomenon can be measured in electronic
noise (shot noise in electronic circuits). Its behavior is unpredictable when collecting phase jitter in
digitally implemented ring oscillators.
The True Random
Number Generator
Mastering
true randomness
Once you have a random, physical
phenomenon, the next tricky question is how to harvest its randomness
without disturbing the physical process. In our TRNG, we use a sampler
to extract the digitized noise signal,
so that the outcome is truly unpredictable.
In a post-processing step (as demanded by BSI AIS 31 Classification PTG.3,
among others), any deterministic results are masked by applying a Von
Neumann corrector. This compensates possible imbalances between
the number of ones and zeros in the
random signal (Entropy Distiller).
Thus, we have our random bit stream.
But mils would not be leading the
field of OTP encryption worldwide if
we did not verify that what looks
random is truly random. This is why
stringent statistical tests make sure
that the bit stream can be considered
unpredictable from a mathematical
point of view.
Only when all tests are passed may
the random bit stream become an
OTP key file.
[Figure: the TRNG processing chain, with the labels: fundamentally unpredictable quantum-mechanical phenomena, harvesting mechanism (Sampler), post processing (Entropy Distiller), random bit stream, statistical tests, truly random key file (OTP key).]
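The post-processing and test stages described above, as an added Python example (not mils code): a Von Neumann corrector followed by a gate that releases bits only if a statistical test passes. The brochure does not name its tests, so the frequency (monobit) test from NIST SP 800-22 is an assumption here, as are the thresholds and the constructed input streams. The alternating stream shows why the test belongs after the corrector: the corrector removes bias only when the raw bits are independent.

```python
"""Added illustration: Von Neumann corrector followed by a statistical gate."""
import math
import random

ALPHA = 0.01      # significance level of the monobit test (NIST SP 800-22)
MIN_BITS = 1000   # assumed minimum sample size before a verdict is given


def von_neumann(bits):
    """Read non-overlapping pairs: 01 -> 0, 10 -> 1, drop 00 and 11."""
    return [bits[i] for i in range(0, len(bits) - 1, 2)
            if bits[i] != bits[i + 1]]


def monobit_p_value(bits):
    """Frequency test: p-value for 'ones and zeros are equally likely'."""
    n = len(bits)
    s = sum(1 if b else -1 for b in bits)
    return math.erfc(abs(s) / math.sqrt(2 * n))


def accept_as_key_material(raw_bits):
    """Distil the raw samples, then release them only if the test passes."""
    distilled = von_neumann(raw_bits)
    if len(distilled) < MIN_BITS:          # a stuck source distils to nothing
        return False, distilled
    return monobit_p_value(distilled) >= ALPHA, distilled


def biased_source(n, p_one, seed):
    """Constructed test input: independent bits with P(1) = p_one.
    A seeded PRNG is used only to make the sample reproducible."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


if __name__ == "__main__":
    samples = {
        "biased 70% ones": biased_source(20000, 0.7, seed=1),
        "stuck at one": [1] * 20000,
        "alternating 0101": [0, 1] * 10000,
    }
    for name, raw in samples.items():
        ok, out = accept_as_key_material(raw)
        print(f"{name}: raw ones={sum(raw) / len(raw):.3f}, "
              f"distilled bits={len(out)}, accepted={ok}")
```
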
Applied
Randomness
The most powerful randomness source is useless if it does
not form part of a sophisticated and elaborate system.
For that reason, the MilsOne system supports the most
diverse OTP generation and distribution scenarios.
Scenario 1:
Key Generation by Manager
The Manager station supplies the
subscribers with OTP keys by using
KeyQubes. Each KeyQube contains
its own True Random Number Generator.
This allows a massive parallelization
of the OTP generation process, as
each KeyQube generates the sending
key of an OTP link and copies it to the
receiving station afterwards.
[Figure: the Manager (online) station with its KeyQubes and the OneQubes of Ministry, Regional HQ1, Regional HQ2 and the two Branch stations.]
Scenario 2:
Key Generation by
Key Generators
MilsOne provides an elegant way
to delegate the OTP generation
efforts to several subscribers. The
advantage is that you may share the
key generation workload with Key
Generator stations.
The Key Generator stations can work
in online or offline mode, depending
on your security requirements. When
working in offline mode, the communication with the Manager station is
performed by exchanging USB memory sticks.
[Figure: the Manager (online) delegates OTP generation and distribution tasks for a certain area to Key Generator 1 and Key Generator 2 (Region 1 and Region 2). Further labels: online communication, offline communication, USB, restricted area (offline), KeyQubes, and the OneQubes of Ministry, Regional HQ1, Regional HQ2 and the Branch stations.]
... the possibilities
are endless...
OTP generation,
the detailed view
One Time Pad keys are symmetrical keys used in identical
pairs, i.e. the sender and the recipient of the sensitive information need to have the same One Time Pad available
for encryption and decryption. It is of paramount importance to hermetically protect these One Time Pads during
generation and distribution.
Perfect protection of OTP
keys during their entire life
In MilsOne, the confidentiality and authenticity of the OTP
keys is guaranteed thanks to the continuous protection
during their generation, distribution, and storage in the
MilsQube. As the keys are exchanged in encrypted form,
any attempt to get hold of the plain key material is in vain.
Additionally, the Key Generator station can be offline (with
no connection to any network), therefore reliably shielding
this sensitive process from any external attacks.
The following illustrations take you through the OTP creation and exchange process.
Step 1: Each MilsQube creates a truly random OTP key
[Figure: in the OneQube of Ministry, the output of the True Random Number Generator is encrypted with QKM (unique) and stored as "OTP key Ministry to Regional HQ1" in the key storage area; in the OneQube of Regional HQ1, it is encrypted with QKHQ1 (unique) and stored as "OTP key Regional HQ1 to Ministry". Further label: tamper respondent RAM.]
QKM = Qube Key of ‘Ministry’
QKHQ1 = Qube Key of ‘HQ1’
(Qube Keys are unique for
each OneQube)
Both MilsQubes create a truly random OTP sending key.
After being created by the internal True Random Number
Generator of the OneQube, each OTP is immediately encrypted and authenticated by the Mils Block Cipher (MBC)
algorithm initiated by the unique Qube Keys (QKM and
QKHQ1 respectively). Then it is stored into the OneQube’s key storage
area in encrypted format.
Please note that Qube Keys are unique for each OneQube.
All keys (OTP keys, Qube Keys, and
Key Encryption Keys) are exclusively generated by the True Random
Number Generator (TRNG) which is
incorporated into each MilsQube.
Step 2: The first OTP key is copied
As the identical OTPs are required
at the sender’s and recipient’s side,
they now need to be exchanged between the sender’s and recipient’s
OneQubes.
[Figure: the OneQube of Ministry reads "OTP key Ministry to Regional HQ1" from its key storage area, decrypts it with QKM (unique) and encrypts it with KEKM (unique). Encrypted OTP key exchange via USB interface at a Key Generator station. The OneQube of Regional HQ1 decrypts with KEKM (unique), encrypts with QKHQ1 (unique) and stores the OTP key in its key storage area.]
QKM = Qube Key of ‘Ministry’
QKHQ1 = Qube Key of ‘HQ1’
KEKM = Key Encryption Key
(Ministry to HQ1)
The first MilsQube securely transmits its OTP key.
The OneQube of Ministry starts to
share its OTP via the USB interface at
the Key Generator station. For this purpose,
the OTP key needs to be decrypted using the OneQube’s Qube Key
(QKM). To securely transfer the One
Time Pad key, it is encrypted using
the Key Encryption Key specific and
unique to the communication between the Ministry and the Regional
HQ1 (KEKM). Once it has arrived at the Regional HQ1’s OneQube, the OTP key is
decrypted using the pre-shared Key
Encryption Key (KEKM) and encrypted
using the Qube Key of the Regional
HQ1’s OneQube (QKHQ1).
Please note that the Key Encryption
Key is unique for each communication link.
Step 3: The second OTP key is copied
[Figure: the OneQube of Regional HQ1 reads "OTP key Regional HQ1 to Ministry" from its key storage area, decrypts it with QKHQ1 (unique) and encrypts it with KEKHQ1 (unique). Encrypted OTP key exchange via USB interface at a Key Generator station. The OneQube of Ministry decrypts with KEKHQ1 (unique), encrypts with QKM (unique) and stores the OTP key in its key storage area.]
QKM = Qube Key of ‘Ministry’
QKHQ1 = Qube Key of ‘HQ1’
KEKHQ1 = Key Encryption Key
(HQ1 to Ministry)
The second MilsQube securely transmits its OTP key to the first MilsQube.
Just like in Step 2, the key stream needs to be decrypted
with the Qube Key (of the Regional HQ1’s OneQube) and
encrypted with the Key Encryption Key (specific to the
link). After traveling in protected form to the Ministry’s
OneQube, the OTP key needs to be decrypted with the Key
Encryption Key and encrypted with the Qube Key.
Final result: Both MilsQubes contain both OTP keys
[Figure: the OneQube of Ministry and the OneQube of Regional HQ1, each with its True Random Number Generator and a key storage area holding "OTP key Ministry to Regional HQ1" and "OTP key Regional HQ1 to Ministry".]
At the end of this process, both MilsQubes hold
identical copies of the OTP keys. In order to securely store
the OTP keys, each OneQube has encrypted the OTP key using
its Qube-specific Qube Key.
The OneQubes are now distributed to the respective
subscribers and can be used for OTP-encrypted communication.
The One Time Pad
cipher process in MilsOne
The strength of the MilsOne OTP implementation lies in the continuous protection of the OTP keys. One Time Pads are exclusively stored in encrypted
format in the secure key storage area of each MilsQube. Even for encryption
or decryption operations, the OTP keys stay within the protected environment of the OneQube or SubQube.
[Figure: OTP encryption process and OTP decryption process. In the OneQube of Ministry (Sender), "OTP key Ministry to Regional HQ1" is read from the key storage area, decrypted with QKM (unique) and fed into the data encryption process together with the secret information (plain). The result travels over the communication network. In the OneQube of Regional HQ1 (Receiver), the same OTP key is decrypted with QKHQ1 (unique) and fed into the data decryption process, which returns the secret information (plain).]
QKM = Qube Key of ‘Ministry’
QKHQ1 = Qube Key of ‘HQ1’
OneQube of Ministry
(Sender)
To encrypt plain data, the sender uses an OTP key string
which is as long as the plain data. The requested amount
of OTP is read from the respective OTP key file (in this
case Ministry > Regional HQ1), and is decrypted by using
the Mils Block Cipher (MBC) algorithm plus the Qube Key
(QKM) of the Ministry’s OneQube. The decrypted OTP key
is then mixed (XOR-ed) with the plain text bit by bit, always adding one bit of the key with one bit of the plain data
to create one bit of cipher text. This cipher text is then sent
to the recipient.
OneQube of Regional HQ1
(Receiver)
At the recipient’s end, the duplicate copy of the OTP key
is decrypted using the Regional HQ’s unique Qube Key
(QKHQ1) and then the encoded data is mixed (XOR-ed)
with the OTP key. Thus, the plain data is restored.
Both the sender’s and recipient’s OTP keys are automatically destroyed after use, so that erroneous re-application of the same key is impossible.
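The pad handling described above, as an added Python example (not mils code): each side draws exactly as many pad bytes as the message is long, wipes them after use, and refuses to continue when the pad is exhausted. The storage encryption with MBC and the Qube Key is left out, the class and function names are hypothetical, and `reuse_leak` shows what precondition C protects against.

```python
"""Added illustration: consuming a One Time Pad so that no byte is used twice."""


class PadExhausted(Exception):
    """Raised instead of wrapping around when the pad runs out."""


class OneTimePad:
    def __init__(self, material: bytes):
        self.buf = bytearray(material)   # mutable, so used bytes can be wiped
        self.pos = 0                     # everything before pos is destroyed

    def remaining(self) -> int:
        return len(self.buf) - self.pos

    def take(self, n: int) -> bytes:
        """Hand out the next n pad bytes exactly once, then overwrite them."""
        if n > self.remaining():
            raise PadExhausted(f"need {n} bytes, {self.remaining()} left")
        chunk = bytes(self.buf[self.pos:self.pos + n])
        self.buf[self.pos:self.pos + n] = bytes(n)
        self.pos += n
        return chunk


def otp_apply(pad: OneTimePad, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR data with as many fresh pad bytes as it is long."""
    key = pad.take(len(data))
    return bytes(d ^ k for d, k in zip(data, key))


def reuse_leak(plain1: bytes, plain2: bytes, key: bytes) -> bytes:
    """What an eavesdropper learns if one key encrypts two messages:
    the key cancels and the XOR of the two plain texts remains."""
    c1 = bytes(p ^ k for p, k in zip(plain1, key))
    c2 = bytes(p ^ k for p, k in zip(plain2, key))
    return bytes(a ^ b for a, b in zip(c1, c2))


if __name__ == "__main__":
    material = bytes(range(100, 116))     # constructed 16-byte pad, not random
    sender, receiver = OneTimePad(material), OneTimePad(material)
    for msg in (b"YES,COME", b"STAY OFF"):
        cipher = otp_apply(sender, msg)
        print(cipher.hex(), "->", otp_apply(receiver, cipher))
    try:
        otp_apply(sender, b"!")
    except PadExhausted as exc:
        print("refused:", exc)
```

The wipe here models the bookkeeping only; Python cannot guarantee that no copy of the key bytes survives in memory, which is one reason such logic is placed in dedicated hardware.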
Reliable One Time Pad
links
When you are running a One Time Pad based communication system, reliability is crucial. Especially in global
deployments with long supply routes, the breakdown of
a subscriber station cannot be tolerated. While the creation of OTP key backups is totally inconceivable, provisions have to be made in case a OneQube fails.
Introducing RaiQ
To ensure the highest possible reliability at the subscriber
stations, we have introduced the OTP RaiQ (Reliable array
of independent Qubes) system. This system guarantees
OTP communication even in case of hardware faults, as
every OTP key is divided and distributed among the available OneQube and SubQubes.
[Figure: A RaiQ configuration with a OneQube and two SubQubes. At the Ministry station, the OneQube, SubQube1 and SubQube2 each hold ⅓ of the OTP key "Ministry to Regional HQ1" in their secure key storage area.]
Thanks to the RaiQ system, the availability of OTP keys is
guaranteed, even if the OneQube (or any SubQube) fails,
without needing to illegitimately create backups of the
OTP key.
On top of that, the introduction of RaiQ increases the OTP
storage capability at the subscriber station.
Additional benefit: If the worst comes to the worst, a
SubQube can be converted into a OneQube for interruption-free communication.
The history of
One Time Pad encryption
The One Time Pad encryption method is nothing new. In
1882, Frank Miller was the first to describe the One Time
Pad system for securing telegraphy.
In 1917, Gilbert Vernam invented a cipher solution for a
teletype machine. U.S. Army Captain Joseph Mauborgne
realized that the character on the key tape could be completely random. Together, they introduced the first One
Time Pad encryption system.
Since then, One Time Pad systems have been widely used
by governments around the world. Outstanding examples
of a One Time Pad system include the hotline between the
White House and the Kremlin as well as the famous Sigsaly speech encryption system.
Another development was the paper pad system. Diplomats had long been using codes and ciphers for confidentiality. For encryption, words and phrases were converted
to groups of numbers and then encrypted using a One
Time Pad.
[Figure: The famous patent for the Secret Signaling System from 1919. Each character of a message was combined with a character on a paper tape key.]
[Portraits: Frank Miller, Gilbert Vernam, Joseph Mauborgne]
OTP history at mils
OTP encryption has always played an
essential role in the product philosophy of mils. When the company was
founded in the late 1940s, OTP was
the only applied encryption method.
The TT-360 Tape Mixer was one of
the first electro-mechanical cipher
machines which the company developed and sold.
[Figures: TT-360 Tape Mixer, M640 Tape Mixer, M730 Cipher Machine with MilsCard, OTP Cipher Disk, M830 Cipher Machine, MilsOne Client with OneQube]
Although unbreakable, OTP encryption is so simple that you can even
employ it manually. We therefore
often give an OTP Cipher Disk to our
customers as a gift. When used correctly, it is a powerful tool to create
short unbreakable messages.
With the invention of microprocessor technology, OTP encryption was
complemented by algorithm based
encryption in the M640 Tape Mixer
or the M830 Cipher Machine. The
usability of OTP was drastically increased by software-based development.
With the invention of the personal
computer it was necessary to remove
the sensitive parts of OTP encryption
from the PC into dedicated security
hardware, like the MilsCard of the
M730 Cipher Machine.
Today, the entire OTP storage and
encryption process is handled by
the OneQube, the hardware token
of MilsOne. With its fully automated
OTP usage and 29 GB of OTP storage
it represents the state-of-the-art OTP
implementation.
mils electronic gesmbh & cokg · leopold-wedl-strasse 16 · 6068 mils · austria
t +43 52 23 577 10-0 · f +43 52 23 577 10-110 · www.mils.com
TEC-OTP-07e