kfogel / OneTime

An open source encryption program that uses the "one-time pad" method.
http://red-bean.com/onetime
32 stars 14 forks source link

Encrypted Pad Storage #8

Open PowerPress opened 10 years ago

PowerPress commented 10 years ago

This is a great program idea and I love seeing the old crypto being utilized to work with new computing systems. But I have a suggestion that would greatly enhance your program. SSD/Flash based technology is rapidly taking over magnetic hard drive space and due to wear leveling there is no 100% method to ensure that your pad media once it has been used is destroyed.

1) Please keep all encrypted pad data stored in a AES256 file type that is opened only when the pad is in use 2) Once the pad data has been used have it zero out or delete that pad id/section

This way for example if your program and pad data was kept on a flash drive there is no way for an adversary to decrypt past sent messages since even if wear leveling failed to successfully delete the data because it was stored on the flash media or SSD encrypted already that threat vector is solved.

Essentially this enforces the critical rule of one time pad pages being burned/destroyed after use to prevent previously sent messages from being decoded.

There will be no issue as long as you make one pad in each direction per use as you suggestion.

from bob to alice.pad and alice to bob.pad

kfogel commented 10 years ago

Thanks. It's an interesting suggestion. I think the "decrypt pad in memory, only when it's being used" feature could be implemented without complicating the code too much. (Keep in mind that one of the main purposes of OneTime: for the program's entire code to be small enough and simple enough for a moderately experienced programmer to vet. The worth of any new feature has to be weighed against this, always.)

Right now issue #2 is much more important, and is blocking a 2.0 release, so I have to put this idea on the back burner until then. But that's what issue trackers are for, luckily :-).

Zeroing out the pad is not a behavior OneTime should have, I think. One too often needs to be able to decrypt a message one has sent. Also, it wouldn't do any good for those who keep their pads on read-only media (e.g., CD-ROMs). The ~/.onetime/pad-records file exists to prevent pad range reuse; if for some reason it is unreliable, we should fix that. But I don't think OneTime should ever destroy pad data itself.

maqp commented 7 years ago

"But I don't think OneTime should ever destroy pad data itself."

That depends on whether the conversation is intended to be ephemeral. Forward secrecy is more or less the norm and PGP gets a lot of critique for lacking it (together with deniability). The classic definition of perfect secrecy in OTPs is to destroy the pad immediately after use.