> I think that's because you missed the point. You're confusing manual
> key distribution (which makes sense in some cases, but is unworkable
> in others) with using a one-time pad (a specific method of encrypting
> information that uses up key material very fast but has a security
> proof).

Actually, you're right, I was sort of conflating two ideas, since the system I described is useful both for distributing key material and for use as an OTP. Specifically, we can either encrypt text messages using the pad, or use a portion of the "pad" as a key for something else. And if we're really paranoid, we can encrypt a de novo key using OTP, which has the property that the attacker must have that portion of the pad *and* the transmission containing the OTP-encrypted new key to derive the new key; merely having the pad doesn't buy you anything.

> Yep. You've got to store the key material safely in transit and at
> the endpoints either way, though, and that's much easier for 256 bit
> AES keys (which can be put inside an off-the-shelf tamper-resistant
> token), and easier still for hashes of public keys (which only have to
> arrive unchanged--it doesn't matter if the bad guys learn the
> hashes).

Yes, but not without cost. Those rest on more and more assumptions. In theory, it rests on only one assumption: unpredictability of the pad. In practice it's unbreakable even if your RNG is badly broken (for example, a bunch of typists asked to type random five-digit groups).

> There are provably secure authentication schemes that use much less
> key material per message. Google for universal hashing and IBC Hash,
> and for provably secure authentication schemes. I seem to recall that
> Stinson has a really nice survey of this either webbed or in his
> book. (Anyone else remember?)

I have his book, I'll check both. I seem to remember him discussing authentication a lot in the book.

--
"The generation of random numbers is too important to be left to chance."
  -- Robert Coveyou  -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
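
The key-wrapping idea from the reply above (OTP-encrypting a freshly generated key under a portion of the pad), sketched as an added example that is not part of the original message. The `Pad` class, the function names and the sample pad are hypothetical and constructed for illustration.

```python
import secrets

class Pad:
    """Pre-shared pad material; each byte may be used at most once."""
    def __init__(self, material):
        self._material = material
        self._next = 0                      # first byte not yet consumed

    def take(self, n):
        # Sender side: consume the next n unused bytes, return (offset, bytes).
        return self._next, self.read(self._next, n)

    def read(self, offset, n):
        """Consume n bytes at offset; refuse reuse and overrun."""
        if offset < self._next:
            raise ValueError("pad segment already used")
        if offset + n > len(self._material):
            raise ValueError("pad exhausted")
        self._next = offset + n
        return self._material[offset:offset + n]

def xor(a, b):
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))

def wrap_new_key(pad, new_key):
    """OTP-encrypt a freshly generated key; returns (pad offset, ciphertext)."""
    offset, segment = pad.take(len(new_key))
    return offset, xor(new_key, segment)

def unwrap_new_key(pad, offset, ciphertext):
    return xor(ciphertext, pad.read(offset, len(ciphertext)))

def demo():
    shared = secrets.token_bytes(64)        # constructed sample pad, held by both ends
    sender, receiver = Pad(shared), Pad(shared)
    new_key = secrets.token_bytes(32)       # de novo key, independent of the pad
    offset, ct = wrap_new_key(sender, new_key)
    recovered = unwrap_new_key(receiver, offset, ct)
    # Transmission alone: any guess is explained by some pad segment (ct XOR guess).
    guess = bytes(32)
    consistent = xor(ct, xor(ct, guess)) == guess
    # A replayed message names an already consumed segment and is refused.
    try:
        unwrap_new_key(receiver, offset, ct)
        replay_refused = False
    except ValueError:
        replay_refused = True
    return recovered == new_key, consistent, replay_refused
```

The XOR wrap gives secrecy only: flipping a ciphertext bit flips the same bit of the recovered key, so the wrapped key still needs an authentication tag of the kind the quoted text points to.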