one time key encryption.en

Upload: atila-madai

Post on 07-Apr-2018


  • 8/6/2019 One Time Key Encryption.en


    The unbreakable encryption method

    One Time Key Encryption


    One Time Key encryption - the only proven unbreakable encryption method


    One Time Key encryption is a very simple, yet completely unbreakable cipher method. It has been used for decades in mils electronic's cipher systems for encrypting our customers' sensitive data.

    Over the years, we have perfected the implementation of One Time Key encryption into our products. Today, our high level of automation, high capacity storage media, continuous key protection and One Time Keys of more than 100 megabytes offer our customers outstanding message security without sacrificing convenience.

    This document will help you understand how OTK can ensure complete privacy for your sensitive information.


    Characteristics of the One Time Key encryption method

    The One Time Key encryption method is a binary additive stream cipher, where a stream of truly random keys is generated and then combined with plain text for encryption or with ciphertext for decryption by an exclusive OR (XOR) addition.

    It is possible to prove a stream cipher encryption algorithm is unbreakable if the following preconditions are met:

    The key must be as long as the plain text

    The key must be truly random

    The key must only be used once

    The One Time Key implementation in mils electronic's products fulfils all these requirements and therefore provides absolute protection for our customers' sensitive information.


    How does it work?

    True random key generation


    [Figure: The Random Noise Source in the M111 Security Controller]


    The encryption process


    One Time Keys are used in pairs. One copy of the key is kept by each user and the keys are exchanged via a secure channel prior to encryption.

    The confidentiality and authenticity of the One Time Keys are assured by cryptographic measures during their distribution and storage. This guarantees outsiders will not be able to misuse the key (e.g. by copying or altering the key during distribution).

    To encrypt plain text data, the sender uses a key string equal in length to the plain text. The key is used by mixing (XOR-ing) each bit of the One Time Key with the corresponding bit of the original plain text to create the cipher text bits.

    This cipher text is then sent to the recipient.

    At the recipient's end, the encoded message is mixed (XOR-ed) with the duplicate copy of the One Time Key and the plain text is restored.

    Both the sender and the recipient destroy the key string after use, so as to ensure re-application of the same key will not happen by mistake.

    [Figure: The One Time Key encryption process]
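
    The process described above, sketched in Python as an added example (it is not code from the brochure or from mils electronic products). The class name `OneTimeKeyPool` is hypothetical, and `secrets.token_bytes` only stands in for the hardware noise source.

```python
import secrets


class OneTimeKeyPool:
    """One user's copy of a shared One Time Key; every key byte is used once."""

    def __init__(self, key_material: bytes):
        self._pool = bytearray(key_material)  # mutable, so used bytes can be wiped
        self._offset = 0                      # index of the first unused key byte

    def remaining(self) -> int:
        return len(self._pool) - self._offset

    def _take(self, n: int) -> bytes:
        if n > self.remaining():
            # Never wrap around or repeat the key: that would reuse key bits.
            raise ValueError("not enough unused key material")
        chunk = bytes(self._pool[self._offset:self._offset + n])
        # Destroy the key string after use so it cannot be applied twice.
        self._pool[self._offset:self._offset + n] = bytes(n)
        self._offset += n
        return chunk

    def xor(self, data: bytes) -> bytes:
        """Encrypt or decrypt: XOR data with the next len(data) key bytes."""
        key = self._take(len(data))
        return bytes(d ^ k for d, k in zip(data, key))


def demo():
    # Constructed sample. secrets.token_bytes (the OS CSPRNG) stands in for
    # the hardware noise source; it is not a true random generator.
    shared_key = secrets.token_bytes(64)
    sender, recipient = OneTimeKeyPool(shared_key), OneTimeKeyPool(shared_key)

    msg1, msg2 = b"MEET AT NOON", b"BRING THE FILES"
    ct1, ct2 = sender.xor(msg1), sender.xor(msg2)      # sender encrypts
    pt1, pt2 = recipient.xor(ct1), recipient.xor(ct2)  # recipient decrypts

    try:
        sender.xor(bytes(64))  # needs 64 key bytes, only 37 are unused
        refused = False
    except ValueError:
        refused = True
    return pt1, pt2, sender.remaining(), refused


if __name__ == "__main__":
    print(demo())
```

    Both sides must consume key bytes in the same order, otherwise the recipient XORs with the wrong part of the key. Zeroing a buffer in memory illustrates the "destroy after use" step only; every stored copy of the used key has to be erased as well.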


    Why is One Time Key encryption unbreakable?


    The popular scientific explanation

    With One Time Key encryption, the key used for encoding the message is completely random and is as long as the message itself. That is why the only possible attack on such a cipher is a brute force attack.

    The Brute Force attack

    Brute force attacks use exhaustive trial and error methods in order to find the key that has been used for encrypting the plain text. This means that every possible combination of key bits must be used to decrypt the cipher text. The correct key would be the one that produces a meaningful plain text.

    Unlimited computing power is useless

    Let's assume an eavesdropper has intercepted a One Time Key encrypted message and that he has unlimited computing power and time. A brute force attack would be very expensive for a plain text of reasonable size. For example, typical e-mail messages are at least 200 bytes long, requiring the testing of 1600 bits. Even if the eavesdropper is both willing and able to do this, the following paragraph will describe why unlimited computational power will not compromise the system.

    Attackers must try every possible key

    Since all One Time Keys are equally likely and come from a completely unpredictable noise source that is provably random, the attacker has to test all possible key strings.

    Impossible to guess the right plain text

    If he used every possible key string to decrypt the cipher text, all potential plain text strings with the same length as the original plain text data would appear. As illustrated on the right-hand side, most of these potential plain text strings would not make sense; however, every meaningful string the same length as the original plain text data would also appear as a potential plain text string.

    Without knowing the true OTK, the eavesdropper has no way of finding out which meaningful string is the intended original plain text data. Thus, trying all possible keys doesn't help the attacker at all, since all possible plaintexts are equally likely decryptions of the ciphertext.
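
    The argument above can be checked directly. The following Python sketch is an added example, not part of the original brochure; the function names and the sample messages are constructed for illustration. It shows that for one intercepted cipher text, every same-length message has exactly one key that "decrypts" to it, and that an exhaustive search over a short cipher text returns every possible plain text.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("One Time Key and data must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def key_explaining(ciphertext: bytes, candidate: bytes) -> bytes:
    """Return the unique key under which ciphertext decrypts to candidate."""
    return xor_bytes(ciphertext, candidate)


def consistent_keys(ciphertext: bytes, candidates) -> dict:
    """Map each same-length candidate plain text to the key that explains it."""
    return {c: key_explaining(ciphertext, c)
            for c in candidates if len(c) == len(ciphertext)}


def exhaustive_decryptions(ciphertext: bytes) -> set:
    """Brute force a short cipher text: decrypt it under every possible key."""
    n = len(ciphertext)
    return {xor_bytes(ciphertext, k.to_bytes(n, "big")) for k in range(256 ** n)}


# Constructed sample messages, all 14 bytes long.
REAL = b"ATTACK AT DAWN"
ALTERNATIVES = [b"RETREAT AT SIX", b"HOLD POSITION.", b"SEND MORE TEA!"]


def demo():
    true_key = secrets.token_bytes(len(REAL))  # stand-in for the noise source
    ciphertext = xor_bytes(REAL, true_key)
    keys = consistent_keys(ciphertext, [REAL] + ALTERNATIVES)
    # Every candidate is reproduced exactly by its own key, so the cipher
    # text alone cannot single out the real message.
    all_decrypt = all(xor_bytes(ciphertext, k) == c for c, k in keys.items())
    return keys[REAL] == true_key, all_decrypt, len(keys)


if __name__ == "__main__":
    print(demo())
    print(len(exhaustive_decryptions(b"\x13\x37")))  # all 65536 two-byte strings
```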


    [Figure: A Brute Force attack on a One Time Key encrypted Plain Text]


    The mathematical proof

    According to Alfred Menezes et al. in their book, Handbook of Applied Cryptography, a system can be called perfectly secret, or unconditionally secure, when observing cipher text gives an eavesdropper no additional information about the original plain text string. If we let $L$ be the number of bits in the plain text string, then $i$ ranges from 1 to $L$ in the following definitions:

    $p_i$ = the $i$-th bit in the plain text string
    $c_i$ = the $i$-th bit in the cipher text string
    $k_i$ = the $i$-th bit in the key string
    $P(p_i)$ = the probability that $p_i$ was sent
    $P(p_i \mid c_i)$ = the probability that $p_i$ was sent given that $c_i$ was observed

    A system can be called perfectly secret when $P(p_i) = P(p_i \mid c_i)$. This section will prove that an OTK system is perfectly secret.

    In traditional stream cipher systems, the most common method of mixing plain text data bits with key bits is by performing the XOR operation on the corresponding bits. XOR is short for exclusive OR. The following is a table that defines XOR (you can think of column a as a bit of plain text and column b as its corresponding key bit):

    a   b   a XOR b
    0   0   0
    0   1   1
    1   0   1
    1   1   0


    The sender makes cipher text by XORing plain text and key one bit at a time:

    $$c_i = p_i \ \mathrm{XOR}\ k_i \qquad (1)$$

    where $c_i$, $p_i$, and $k_i$ are as defined above. Because OTK is completely random and unpredictable, two conclusions can be drawn:

    First, the probability of observing any particular One Time Key bit is equal to the probability of observing any other One Time Key bit.

    Second, knowing all the previous values of key in a sequence tells us nothing about the next key bit.

    By stating another definition,

    $P(k_i)$ = the probability that $k_i$ was used to create $c_i$

    the first conclusion drawn above can be written as

    $$P(k_i=1) = P(k_i=0) = 1/2 \quad \text{for all } i. \qquad (2)$$

    In other words, a bit of One Time Key is just as likely to be a 1 as a 0 at any time. The second conclusion drawn above allows us to consider triples of key, cipher text, and plain text for a particular value of $i$ without regard for other triples. Equation (1) leads to an important observation: knowing any two of $\{p_i, c_i, k_i\}$ determines the third. Likewise, given one of $\{p_i, c_i, k_i\}$, a second one can be written in terms of the third. For example,

    $$P(c_i=1 \mid k_i=0) = P(p_i=1);$$

    in other words, if we know for a fact that the key bit is 0, then plain text and cipher text must be equal.

    In order to show that $P(p_i \mid c_i) = P(p_i)$, we first need to show $P(c_i) = P(c_i \mid p_i)$. Using equation (1), we will do this explicitly by first deriving the distribution of $P(c_i)$. Next, we will derive the distribution of $P(c_i \mid p_i)$ given that the plain text bit is a 0 and then given that it is a 1.


    Distribution of $P(c_i)$

    $$
    \begin{aligned}
    P(c_i=1) &= P(c_i=1 \mid k_i=1)\,P(k_i=1) + P(c_i=1 \mid k_i=0)\,P(k_i=0) && \text{by the definition of conditional probability} \\
             &= P(p_i=0)\,P(k_i=1) + P(p_i=1)\,P(k_i=0) && \text{by equation (1)} \\
             &= P(p_i=0)\,(1/2) + P(p_i=1)\,(1/2) && \text{by equation (2)} \\
             &= (1/2)\,[P(p_i=0) + P(p_i=1)] && \text{regrouping} \\
             &= 1/2 && \text{since } p_i \text{ can only be 1 or 0}
    \end{aligned}
    $$

    $$
    \begin{aligned}
    P(c_i=0) &= P(c_i=0 \mid k_i=1)\,P(k_i=1) + P(c_i=0 \mid k_i=0)\,P(k_i=0) && \text{by the definition of conditional probability} \\
             &= P(p_i=1)\,P(k_i=1) + P(p_i=0)\,P(k_i=0) && \text{by equation (1)} \\
             &= P(p_i=1)\,(1/2) + P(p_i=0)\,(1/2) && \text{by equation (2)} \\
             &= (1/2)\,[P(p_i=1) + P(p_i=0)] && \text{regrouping} \\
             &= 1/2 && \text{since } p_i \text{ can only be 1 or 0}
    \end{aligned}
    $$


    Distribution of $P(c_i \mid p_i)$

    If $p_i=0$:

    $$
    \begin{aligned}
    P(c_i=0 \mid p_i=0) &= P(k_i=0) && \text{by equation (1)} \\
                        &= 1/2 && \text{by equation (2)} \\
    P(c_i=1 \mid p_i=0) &= P(k_i=1) && \text{by equation (1)} \\
                        &= 1/2 && \text{by equation (2)}
    \end{aligned}
    $$

    If $p_i=1$:

    $$
    \begin{aligned}
    P(c_i=0 \mid p_i=1) &= P(k_i=1) && \text{by equation (1)} \\
                        &= 1/2 && \text{by equation (2)} \\
    P(c_i=1 \mid p_i=1) &= P(k_i=0) && \text{by equation (1)} \\
                        &= 1/2 && \text{by equation (2)}
    \end{aligned}
    $$

    It is clear from the distributions derived above that $P(c_i \mid p_i) = P(c_i)$. Recall that a system can be called perfectly secret when $P(p_i) = P(p_i \mid c_i)$. Using the definition of conditional probability, the joint probability, $P(p_i \text{ and } c_i)$, the probability that $p_i$ and $c_i$ are observed, can be written in the following two (equivalent) forms:

    $$P(p_i \text{ and } c_i) = P(c_i \mid p_i)\,P(p_i)$$

    and

    $$P(p_i \text{ and } c_i) = P(p_i \mid c_i)\,P(c_i).$$

    Combining the two equations gives

    $$P(p_i \mid c_i)\,P(c_i) = P(c_i \mid p_i)\,P(p_i).$$

    Since $P(c_i \mid p_i) = P(c_i)$ as shown above, these two terms cancel, leaving $P(p_i \mid c_i) = P(p_i)$, which is the condition for perfect secrecy.
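
    The proof can be checked with exact arithmetic. The Python sketch below is an added example and not part of the original brochure; the function names and the 9/10 prior are constructed. It computes $P(p_i \mid c_i)$ from the joint distribution implied by equation (1), and it also goes one step beyond the text by showing that the equality fails as soon as the key bit is biased, i.e. when equation (2) does not hold.

```python
from fractions import Fraction


def posterior(p_one: Fraction, k_one: Fraction) -> dict:
    """Return P(p_i = a | c_i = b) for all bits a, b, computed exactly.

    p_one is P(p_i = 1), the eavesdropper's prior on the plain text bit;
    k_one is P(k_i = 1). Key and plain text bits are independent.
    """
    prior_p = {0: 1 - p_one, 1: p_one}
    prior_k = {0: 1 - k_one, 1: k_one}
    # Joint distribution of (p_i, c_i): by equation (1), k_i = p_i XOR c_i.
    joint = {(p, c): prior_p[p] * prior_k[p ^ c] for p in (0, 1) for c in (0, 1)}
    p_c = {c: joint[0, c] + joint[1, c] for c in (0, 1)}
    return {(p, c): joint[p, c] / p_c[c]
            for p in (0, 1) for c in (0, 1) if p_c[c] != 0}


def is_perfectly_secret(p_one: Fraction, k_one: Fraction) -> bool:
    """True when P(p_i | c_i) == P(p_i) for every observable cipher text bit."""
    prior_p = {0: 1 - p_one, 1: p_one}
    return all(prob == prior_p[p]
               for (p, _c), prob in posterior(p_one, k_one).items())


def demo():
    prior = Fraction(9, 10)  # constructed: plain text bit is 1 with probability 9/10
    fair = posterior(prior, Fraction(1, 2))    # equation (2) holds
    biased = posterior(prior, Fraction(3, 4))  # flawed noise source, P(k_i=1) = 3/4
    # With a fair key the posterior equals the prior; with a biased key
    # observing c_i shifts the eavesdropper's belief about p_i.
    return fair[1, 1], biased[1, 1], biased[1, 0]


if __name__ == "__main__":
    print(demo())
```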


    The history of One Time Key encryption

    The One Time Key encryption method is nothing new. In 1917, Gilbert Vernam invented a cipher solution for a teletype machine. Each character in a message was combined with a character on a paper tape key.

    [Photo: Gilbert Vernam]

    [Figure: Patent for the Secret Signaling System from 1919]

    U.S. Army Captain Joseph Mauborgne realized that the character on the key tape could be completely random. Together, they introduced the first One Time Pad encryption system.

    [Photo: Joseph Mauborgne]


    Another development was the paper pad system. Diplomats had long used codes and ciphers for confidentiality. For encryption, words and phrases were converted to groups of numbers and then encrypted by using a One Time Pad.

    [Figure: A One Time Pad]

    Since then, One Time Key systems have been widely used by governments around the world. Outstanding examples of a One Time Key system include the hot line between the White House and the Kremlin and the famous Sigsaly speech encryption system.

    [Figure: The Sigsaly system]

    To date, customers in more than 50 countries have benefited from the unconditional security that our products provide.

    [Figure: The MilsMachine, mils electronic's secure communication terminal with One Time Key encryption]


    Further readings

    Schneier, Bruce: Applied Cryptography: Protocols, Algorithms, and Source Code in C. 1996, John Wiley and Sons, Inc., New York, Chichester, Brisbane, Toronto, Singapore


    Menezes, Alfred J., Paul C. van Oorschot, and Scott A. Vanstone: Handbook of Applied Cryptography. 1997, CRC Press, Boca Raton, New York, London, Tokyo


    mils electronic gesmbh & cokg
    leopold-wedl-strasse 16
    6068 mils
    austria
    tel: +43 5223 57710-0
    fax: +43 5223 57710-110
    www.mils.com

    mils electronic is a major player in the field of communication and information security. Our product range includes message cipher systems, VPN solutions and random key production equipment.

    From the outset, we have integrated the strongest possible encryption algorithms and the unbreakable One Time Key encryption method into the security functions of our products.

    Being an independent, privately-held Austrian company, free of external influences, puts us in the unique position of being able to provide our global customers with the very highest standards of protection.