A few important points on Tango 2000's one time pad:
- Only letters are encrypted. Numbers and other characters are unchanged.
- OTP is usually an XOR. Tango uses simple alphabet rotation.
- The key can only contain letters and ignores case.
The limitation of not working whatsoever with numbers certainly reduces
its effectiveness for (e.g.) securing a credit card number. Take a look
at how secure this example is:
<@CIPHER ACTION=ENCRYPT TYPE=ONETIMEPAD KEY="onlyalpha"
STR="1234-1234-1234-1234">
This might be completely different in a more recent version of Witango.
On Mon, 27 Jan 2003, Eric Weidl wrote:
> Hi,
>
> A couple of specific comments:
>
> >Unfortunately I have it on very good authority that the @CIPHER tag does
> >not work as well as it should. Here is what Jess told me:
> >
> >"Unless somebody has changed something in the last
> >year, all of Tango's <@CIPHER> stuff (besides the
> >hash) is basically worthless for the purposes of
> >security.
>
> There may be some truth to that comment, but it is due to the nature of the
> problem and not necessarily the @CIPHER tag itself. Yes, the BitRoll,
> Caesar, and Rot13 types supported by @CIPHER are trivial encryption methods
> and don't have a place in a production system.
>
>
>
> >The one time pad actually isn't a one time pad at all,
> >it's a rotation cipher, and on top of that it doesn't
> >work properly...
>
> OneTimePad is by definition a rotation cipher. It even says so right in the
> manual. Criticizing it for being so is like complaining that a dog has fur.
>
> The power of the OneTimePad is based in the keys and their management, not
> the cipher algorithm itself. In a perfect world, OneTimePad is the most
> secure encryption mechanism available. Why? Because, in a perfect world,
> the keys are *NEVER* reused and never stored after use.
>
> Obviously not storing keys is difficult in the real world, so in practice,
> the OneTimePad falls far short of its theoretical performance.
>
> As to your comment that it doesn't work properly, I've never heard or
> experienced any issues with it.
>
>
> Eric
>
> ________________________________________________________________________
> TO UNSUBSCRIBE: send a plain text/US ASCII email to [EMAIL PROTECTED]
> with unsubscribe witango-talk in the message body
>
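An added example, not part of either message and not Witango's own code: a small Python model of the letters-only rotation described in the three points at the top, run on the card number and key from the post, next to a conventional XOR pad over bytes. The rotation direction (A=0 through Z=25, added mod 26), repeating a short key, and advancing the key only on letters are assumptions; the thread does not specify them.

```python
import secrets
import string

A = ord("a")

def rotate_pad(text, key, decrypt=False):
    """Model of the cipher as described in this thread (assumed details:
    A=0..Z=25 added mod 26, key repeats, key advances only on letters)."""
    # The key "can only contain letters and ignores case".
    shifts = [ord(c) - A for c in key.lower() if c in string.ascii_lowercase]
    if not shifts:
        raise ValueError("key must contain at least one letter")
    out, i = [], 0
    for ch in text:
        if ch in string.ascii_letters:
            base = ord("A") if ch.isupper() else A
            k = shifts[i % len(shifts)]
            k = -k if decrypt else k
            out.append(chr((ord(ch) - base + k) % 26 + base))
            i += 1
        else:
            out.append(ch)  # digits, dashes and spaces pass through unchanged
    return "".join(out)

def xor_pad(data: bytes, pad: bytes) -> bytes:
    """Conventional XOR pad: works on every byte, pad must cover the message."""
    if len(pad) < len(data):
        raise ValueError("pad shorter than message")
    return bytes(d ^ p for d, p in zip(data, pad))

def unprotected_fraction(plain, cipher):
    """Fraction of positions where ciphertext equals plaintext."""
    return sum(p == c for p, c in zip(plain, cipher)) / len(plain)

CARD = "1234-1234-1234-1234"  # value from the post
KEY = "onlyalpha"             # key from the post

if __name__ == "__main__":
    ct = rotate_pad(CARD, KEY)
    print(repr(ct), unprotected_fraction(CARD, ct))      # nothing is hidden
    print(repr(rotate_pad("Card 1234 exp 01/05", KEY)))  # constructed sample
    pad = secrets.token_bytes(len(CARD))                 # fresh pad, used once
    print(xor_pad(CARD.encode(), pad).hex())
```

A check worth running against any stored field: if unprotected_fraction() of plaintext versus stored value is near 1.0, the field is effectively in the clear.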