Good Program That Creates OTPs?
Jeremy Thorpe
Posted: Fri Dec 12, 2003 6:28 pm
Guest
On Fri, 12 Dec 2003 21:34:23 GMT, Tom St Denis <tomstdenis@iahu.ca> wrote:
Quote:



"Jeremy Thorpe" <jeremythorpe@shore.net> wrote in message
news:fqqCb.1016$Pg1.782@newsread1.news.pas.earthlink.net...
You sure are good at jumping to conclusions in the absence of data.

Ok, tell me, how does your threat model avoid authenticity issues?

Tom



No. You won't tell me what I want to know, so I won't tell you what you
want to know.

Jeremy
Tom St Denis
Posted: Fri Dec 12, 2003 6:29 pm
Guest
"Jeremy Thorpe" <jeremythorpe@shore.net> wrote in message
news:LasCb.682$0s2.616@newsread2.news.pas.earthlink.net...
Quote:
On Fri, 12 Dec 2003 21:34:23 GMT, Tom St Denis <tomstdenis@iahu.ca> wrote:



"Jeremy Thorpe" <jeremythorpe@shore.net> wrote in message
news:fqqCb.1016$Pg1.782@newsread1.news.pas.earthlink.net...
You sure are good at jumping to conclusions in the absence of data.

Ok, tell me, how does your threat model avoid authenticity issues?

Tom



No. You won't tell me what I want to know, so I won't tell you what you
want to know.

Dude I don't care what you do. My question was meant to provoke a question
for yourself [e.g. "do I need authenticity?"]

If you want to be an arrogant clueless little prick that's entirely up to
you.

Tom
Paul Rubin
Posted: Fri Dec 12, 2003 6:48 pm
Guest
Jeremy Thorpe <jeremythorpe@shore.net> writes:
Quote:
I can do that, Jan, and have /dev/random setup correctly, but what I need
to make my simplistic scheme work is the numbers 0000 to 9999 randomized.

That's elementary programming--there's nothing wrong with asking how
to do it, but it's just not really feasible for a newsgroup response
to teach someone to be even a beginning programmer. You might try looking
at a programming book or website instead. "Learning Perl" might
be a reasonable choice.

Note also that you can only get a few dozen bytes (typically) of
random data from /dev/random before it freezes, because it won't give
you more data than it thinks it has gathered from physical randomness
in the computer. You can use /dev/urandom and get unlimited output,
but that's basically the same thing as using a stream cipher seeded by
/dev/random. To get unlimited physical randomness at reasonable data
rates you need a hardware RNG.

Quote:
When you trim the output of /dev/random to 4 characters (by concatenating
several runs and then trimming it down) you get a lot of duplicates.

I'm not sure what you mean by that but something would probably be
terribly wrong if there were no duplicates.

Quote:
I wonder if there is some way I could just print out a list in order and
then use /dev/random to select a line at random and send it to the bottom
of another file?

Look, I'm not trying to insult you since all of us were beginners
once, but really, it's best to acquire some experience of your own
before deciding that professionals in a field don't know what they're
doing. If you just want to play around with OTP's, the best way to do
it is to generate the random numbers by rolling dice or shaking
pennies in a box or something like that, rather than with computers
(you can buy 10-sided dice from game stores if you want numbers like
0000-9999). If you want to actually exchange confidential data with
another person, the best way to do it is with conventional
cryptography rather than with OTP's. Someone seriously trying to
intercept your data is far more likely to steal your CD-ROM with the
OTP on it, than they are to break any good encryption algorithm.
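
Added example, not part of any post in this thread: a Python sketch of two points from the post above, drawing independent 4-digit groups without modulo bias and computing how often repeats should appear. It assumes `os.urandom` as the byte source (the kernel CSPRNG, i.e. the /dev/urandom case described above, not a hardware RNG); the function names are hypothetical.

```python
import math
import os
from collections import Counter

GROUPS = 10_000                        # pad groups 0000..9999
LIMIT = 65_536 - 65_536 % GROUPS       # 60000: accept only 16-bit values below this


def four_digit_groups(n, read=os.urandom):
    """Return n independent, uniform groups '0000'..'9999'.

    read(k) must return k random bytes. os.urandom is an assumption of this
    example: it is the kernel CSPRNG, not physical randomness.
    """
    out = []
    while len(out) < n:
        raw = read(2 * (n - len(out)))
        for i in range(0, len(raw) - 1, 2):
            v = int.from_bytes(raw[i:i + 2], "big")
            if v < LIMIT:              # drop 60000..65535, else 0000..5535 are favoured
                out.append(f"{v % GROUPS:04d}")
    return out


def p_any_duplicate(n, space=GROUPS):
    """Probability that n uniform draws from `space` values contain a repeat."""
    if n > space:
        return 1.0
    log_distinct = sum(math.log1p(-k / space) for k in range(n))
    return 1.0 - math.exp(log_distinct)


def repeated_groups(groups):
    """Groups that occur more than once, with their counts."""
    return {g: c for g, c in Counter(groups).items() if c > 1}


if __name__ == "__main__":
    pad = four_digit_groups(500)
    print(" ".join(pad[:10]), "...")
    print("repeated groups in 500 draws:", len(repeated_groups(pad)))
    print("P(at least one repeat in 100 draws): %.3f" % p_any_duplicate(100))
    print("P(at least one repeat in 500 draws): %.6f" % p_any_duplicate(500))
```

A shuffled list of 0000-9999 never repeats a group, so every group used narrows down the ones still to come; independent draws do repeat, and across 500 groups a repeat is all but certain.
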
Jeremy Thorpe
Posted: Fri Dec 12, 2003 6:58 pm
Guest
On 12 Dec 2003 14:11:33 -0800, Paul Rubin <> wrote:
Quote:


Jeremy Thorpe <jeremythorpe@shore.net> writes:
Thank you so much. I want to burn a bunch of them on a CD and send it to
a friend so that we can discuss a certain proprietary project in complete
secrecy, and this is the only encryption scheme I trust.

Learn some more cryptography so you'll come to trust better schemes.

Be happy to post a message HERE, encrypted in a one-time-pad with my
credit card and pin number included.

What could be better than that?

Jeremy
Jeremy Thorpe
Posted: Fri Dec 12, 2003 7:58 pm
Guest
On 12 Dec 2003 15:48:52 -0800, Paul Rubin <> wrote:
Quote:


Jeremy Thorpe <jeremythorpe@shore.net> writes:
I can do that, Jan, and have /dev/random setup correctly, but what I need
to make my simplistic scheme work is the numbers 0000 to 9999 randomized.

That's elementary programming--there's nothing wrong with asking how
to do it, but it's just not really feasible for a newsgroup response
to teach someone to be even a beginning programmer. You might try looking
at a programming book or website instead. "Learning Perl" might
be a reasonable choice.

Note also that you can only get a few dozen bytes (typically) of
random data from /dev/random before it freezes, because it won't give
you more data than it thinks it has gathered from physical randomness
in the computer. You can use /dev/urandom and get unlimited output,
but that's basically the same thing as using a stream cipher seeded by
/dev/random. To get unlimited physical randomness at reasonable data
rates you need a hardware RNG.

When you trim the output of /dev/random to 4 characters (by concatenating
several runs and then trimming it down) you get a lot of duplicates.

I'm not sure what you mean by that but something would probably be
terribly wrong if there were no duplicates.

I wonder if there is some way I could just print out a list in order and
then use /dev/random to select a line at random and send it to the bottom
of another file?

Look, I'm not trying to insult you since all of us were beginners
once, but really, it's best to acquire some experience of your own
before deciding that professionals in a field don't know what they're
doing. If you just want to play around with OTP's, the best way to do
it is to generate the random numbers by rolling dice or shaking
pennies in a box or something like that, rather than with computers
(you can buy 10-sided dice from game stores if you want numbers like
0000-9999). If you want to actually exchange confidential data with
another person, the best way to do it is with conventional
cryptography rather than with OTP's. Someone seriously trying to
intercept your data is far more likely to steal your CD-ROM with the
OTP on it, than they are to break any good encryption algorithm.


Looks like I need a hardware RNG......

Thanks for the advice. But no one is going to steal those one-time-pads.
They will be destroyed forever after being used, having long since been
transferred from the CD, which is only a means of conveying them to their
destination and then burned to dust. They will not be stored on a computer.

I would NOT stake my life on ANY computer-generated encryption scheme.

Sometimes the low-tech approach is superior. That's a fact that a lot
of Tekkies just won't ever accept.

The fact is that none of you know what the government and military and
corporations REALLY have.

Who knew about the A-Bomb before Hiroshima? A lot of the leading experts
in the field were clueless until they read about it in the papers.

And computer projects are one heck of a lot easier to hide than the Manhattan
Project.

I have heard it said that the government, et al, is ALWAYS at least 20 years
ahead of whatever the public thinks is state of the art.



Jeremy
Jeremy Thorpe
Posted: Fri Dec 12, 2003 7:58 pm
Guest
On Fri, 12 Dec 2003 23:29:43 GMT, Tom St Denis <tomstdenis@iahu.ca> wrote:
Quote:



"Jeremy Thorpe" <jeremythorpe@shore.net> wrote in message
news:LasCb.682$0s2.616@newsread2.news.pas.earthlink.net...
On Fri, 12 Dec 2003 21:34:23 GMT, Tom St Denis <tomstdenis@iahu.ca> wrote:



"Jeremy Thorpe" <jeremythorpe@shore.net> wrote in message
news:fqqCb.1016$Pg1.782@newsread1.news.pas.earthlink.net...
You sure are good at jumping to conclusions in the absence of data.

Ok, tell me, how does your threat model avoid authenticity issues?

Tom



No. You won't tell me what I want to know, so I won't tell you what you
want to know.

Dude I don't care what you do. My question was meant to provoke a question
for yourself [e.g. "do I need authenticity?"]

If you want to be an arrogant clueless little prick that's entirely up to
you.

Tom



If you were trying to help, then I appreciate it. But it sure wasn't apparent
to me. It seemed like you were just fucking with my head.

After the message has been sent, I will call my friend and give him a string
of characters that will include a count of the total characters in the
message, the md5sum, the number of lines and the length of the lines (all
identical except the last)


Jeremy
Tom St Denis
Posted: Fri Dec 12, 2003 8:09 pm
Guest
"Jeremy Thorpe" <jeremythorpe@shore.net> wrote in message
news:hvtCb.1288$Pg1.592@newsread1.news.pas.earthlink.net...
Quote:
If you were trying to help, then I appreciate it. But it sure wasn't apparent
to me. It seemed like you were just fucking with my head.

After the message has been sent, I will call my friend and give him a string
of characters that will include a count of the total characters in the
message, the md5sum, the number of lines and the length of the lines (all
identical except the last)

This actually can be foiled a lot easier than you think.

For instance, if your line is tapped and I get voice clips of you saying all
hex digits then I could compose my own sample which will sound like you
reading the hex digits. So even if the other person knows what your voice
sounds like this is still trivial to break.

Tom
Paul Rubin
Posted: Fri Dec 12, 2003 8:12 pm
Guest
Jeremy Thorpe <jeremythorpe@shore.net> writes:
Quote:
Thanks for the advice. But no one is going to steal those one-time-pads.
They will be destroyed forever after being used, having long since been
transferred from the CD,

Transferred from the CD to what? And how do you know THAT won't be stolen?

Quote:
which is only a means of conveying them to their
destination and then burned to dust.

Have you ever actually burned a CD to dust? What happened?

Quote:
I would NOT stake my life on ANY computer-generated encryption scheme.

Unless you're going to burn those CD's in an enclosed incinerator with
scrubbers, does it occur to you that you're taking your life into your
hands when you burn a CD and breathe the fumes?
Jeremy Thorpe
Posted: Fri Dec 12, 2003 8:58 pm
Guest
On Sat, 13 Dec 2003 01:09:09 GMT, Tom St Denis <tomstdenis@iahu.ca> wrote:
Quote:



"Jeremy Thorpe" <jeremythorpe@shore.net> wrote in message
news:hvtCb.1288$Pg1.592@newsread1.news.pas.earthlink.net...
If you were trying to help, then I appreciate it. But it sure wasn't apparent
to me. It seemed like you were just fucking with my head.

After the message has been sent, I will call my friend and give him a string
of characters that will include a count of the total characters in the
message, the md5sum, the number of lines and the length of the lines (all
identical except the last)

This actually can be foiled a lot easier than you think.

For instance, if your line is tapped and I get voice clips of you saying all
hex digits then I could compose my own sample which will sound like you
reading the hex digits. So even if the other person knows what your voice
sounds like this is still trivial to break.

Tom



I am not posting all the details of our security arrangements on the
fucking Usenet.

Jeremy
Jeremy Thorpe
Posted: Fri Dec 12, 2003 8:58 pm
Guest
On 12 Dec 2003 17:12:44 -0800, Paul Rubin <> wrote:
Quote:


Jeremy Thorpe <jeremythorpe@shore.net> writes:
Thanks for the advice. But no one is going to steal those one-time-pads.
They will be destroyed forever after being used, having long since been
transferred from the CD,

Transferred from the CD to what? And how do you know THAT won't be stolen?


Gee. I plan and I think and I do research.

What do YOU do?

How do you know that someone isn't going to hold you up with a gun
and force you to give them all your crypto keys?

Quote:
which is only a means of conveying them to their
destination and then burned to dust.

Have you ever actually burned a CD to dust? What happened?

I would NOT stake my life on ANY computer-generated encryption scheme.

Unless you're going to burn those CD's in an enclosed incinerator with
scrubbers, does it occur to you that you're taking your life into your
hands when you burn a CD and breathe the fumes?

No. I am a moron that never does his homework.

You apparently think that I am going to describe every detail of our plans
on the Usenet. Which means that either you are a dumb motherfucker, or that
you think that I am.

In fact, some of what I have posted has been utterly bogus. But not any
information germane to MY question, which you were kind enough to answer.

Jeremy
Matthew Skala
Posted: Fri Dec 12, 2003 9:30 pm
Guest
In article <oSqCb.1034$Pg1.303@newsread1.news.pas.earthlink.net>,
Jeremy Thorpe <jeremythorpe@shore.net> wrote:
Quote:
Try www.random.org to get a bunch of random files. You can download 1 or 10
meg files. Then get a really good encryption program. Take the random file
you download from random.org and encrypt it with AES or serpent or twofish
and throw away the key. You now have a nearly random file that you can use
for a pad. And it is no longer something you downloaded from the internet.


Very good. I'll look into that.

I wouldn't. If you download your randomness off the Net, it's hardly
secret, is it? In such a case your security comes down to the security of
the cipher you used to do the encryption, and in that case, you might as
well just use conventional encryption, because you'll have sacrificed the
special properties of the one-time pad.

Quote:
Seems like there should be some way to use /dev/random on my Linux box.

Use the dd utility to read however many bytes you want from
/dev/random. I'd suggest dd in preference to cat (which someone else
suggested) because you can use the bs= and count= options on dd to make it
dump the exact number of bytes you want.

As others have pointed out, most people who think they want OTPs would be
better served with some other scheme, but that isn't the question you
asked.
--
Matthew Skala
mskala@ansuz.sooke.bc.ca Embrace and defend.
http://ansuz.sooke.bc.ca/
Paul Rubin
Posted: Fri Dec 12, 2003 9:30 pm
Guest
Jeremy Thorpe <jeremythorpe@shore.net> writes:
Quote:
Gee. I plan and I think and I do research.

Obviously you don't, or you wouldn't be answering the kinds of questions
you are asking.

Quote:
What do YOU do?

How do you know that someone isn't going to hold you up with a gun
and force you to give them all your crypto keys?

If that's a concern, use protocols with forward secrecy. That means
the keys are destroyed in the computer as soon as the conversation ends.
That's basically what you're trying to do by burning the CD's.

Quote:
You apparently think that I am going to describe every detail of our plans
on the Usenet. Which means that either you are a dumb motherfucker, or that
you think that I am.

By now you've made it pretty clear that you are--I don't need to
speculate. Bye.
Tom St Denis
Posted: Fri Dec 12, 2003 9:34 pm
Guest
"Jeremy Thorpe" <jeremythorpe@shore.net> wrote in message
news:nnuCb.825$0s2.530@newsread2.news.pas.earthlink.net...
Quote:
I am not posting all the details of our security arrangements on the
fucking Usenet.

That's right cuz you're a fucking double-oh agent right? Grow up.

You're the asshat devising your own cryptosystem stating "I can only trust
my security to an OTP...".

Tom
Jeremy Thorpe
Posted: Fri Dec 12, 2003 11:58 pm
Guest
On Sat, 13 Dec 2003 02:57:29 GMT, Tim Smith <reply_in_group@mouse-potato.com> wrote:
Quote:


In article <DnuCb.826$0s2.572@newsread2.news.pas.earthlink.net>, Jeremy Thorpe wrote:
You apparently think that I am going to describe every detail of our plans
on the Usenet. Which means that either you are a dumb motherfucker, or that
you think that I am.

If your plan would be weakened by posting every detail to usenet, then it is
a weak plan.


You are an idiot.
Joe C
Posted: Sat Dec 13, 2003 12:02 am
Guest
"Tom St Denis" <tomstdenis@iahu.ca> wrote in message news:hVuCb.4474
Quote:
That's right cuz you're a fucking double-oh agent right? Grow up.

You're the asshat devising your own cryptosystem stating "I can only trust
my security to an OTP...".

Tom
Hey Tom...did you forget??? You're in the sandbox.

http://home.bellsouth.net/p/PWP-brightwave

lol
 
All times are GMT - 5 Hours