Securing The System

Author Gravatar Image TONY SHERWOOD
In the real world, making a one time pad system secure is a big problem... one that's big enough to stump some of the most famous names in security. But thinking about security is still a good exercise, and here's some ideas for how to make your system more secure:
  • Take it off the network! Your pi no longer has any reason to have a wireless connection, and while it has one, that wireless connection is one giant security hole.
  • When it's not in use, stick the whole thing inside a safe.
  • If you add a battery for a power supply, it never has to leave the safe. If you line the inside of the safe with copper mesh, the safe doubles as a faraday cage. You open the door, turn on the machine, and press the button. Close the door, wait a few minutes, and open it up.
  • Each copy of the pad should be stored in a tamper-resistant container. If you have access to a 3D printer, this one will work well. Edit the OpenSCAD to specify the serial number of the pad you've just generated (it's on the top left corner of every page). Pause the print just before the top starts to print, and insert one tightly-rolled copy of the pad. Then resume the print and you will have a copy of the pad sealed inside. The only way to get it out and read it is to break open the container. Also, secretly reading the pad and then putting it into a replacement container takes time.
  • Make two containers, and give one to your friend. When encoding messages, add the serial number, and then the first 5 random letters on the page to the beginning of your ciphertext. That way your recipient will know which container to break open in order to decode the message. When he's done, he should place the remaining pages in another tamper-proof container, or burn them all.
  • If you're into 3D design, why not add a loop to the top of the container, and wear it as a necklace? You're a lot closer to having physical control of the pad at all times if you have it physically on you at all times.
  • Have a secret, known only to you and your friend, that is used somewhere in every message. For instance, you might agree to use an onomatopoeia, such as "bang" or "buzz" in every message. If someone steals his pad and uses it to send you a message, you will know, because they won't include the secret. Even if they know there's a secret, they hopefully won't know which one it is, because it's never the same word or in the same place in any two messages.
  • Note that if someone steals your buddy's copy of the pad, there is no protection for the messages you send him. The attacker can now read everything you send him.
And that's it! Have fun, and if you want to test it all out, feel free to email me at tony@adafruit.com with messages encoded using one of the pages of the example otp.txt included in the GitHub repo.
Last updated on 2014-04-07 at 09.35.47 PM Published on 2013-08-15 at 10.34.57 PM