Free One-Time Pad Encryption Software

Hello Wilders Security,

I wrote FreeOTP about a year ago, but didn't do much with it. With the recent privacy concerns in the news, I wanted to share it with others and get feedback and suggestions.

http://16s.us/FreeOTP/

An acquaintance of mine, who is a professor of math at Virginia Tech and who teaches cryptography, reviewed the code and encrypted and decrypted some messages, but we didn't do much with it after that.

It's alpha software, but it seems to work OK on Windows, Mac and Linux. I post test messages on twitter (user FreeOTP) with pads so that anyone can decrypt them. Would be neat if others would encrypt something and send me the pads and encrypted messages so I could experiment more.

Let me know what you think. Would really appreciate any feedback with regard to the crypto implementation.

Here is the Twitter feed of messages and pads:

https://twitter.com/FreeOTP

 

But now that you've put it out there, you want to bet the NSA is now looking at it!

 

You should read Shannon's research from the 1940's:

"While he was at Bell Labs, Shannon proved that the cryptographic one-time pad is unbreakable in his classified research that was later published in October 1949. He also proved that any unbreakable system must have essentially the same characteristics as the one-time pad: the key must be truly random, as large as the plaintext, never reused in whole or part, and be kept secret." - https://en.wikipedia.org/wiki/Claude_Shannon

Having said that, OTP is not practical for most. However, it is ideal for small messages that *must* be unbreakable.

 

One other feature of one time pad encryption is that you can make an encrypted message decrypt to any plaintext message you like. So, you could have multiple different plaintext messages from the same ciphertext. Here's an actual working example of this. Notice that the two plaintext messages have the opposite meaning.

FreeOTP.exe "Flee now" mA0kkAbS e
String: Flee now
Pad: mA0kkAbS
Command: e
CipherText: RL4ojNpd​

The real message is "Flee now". The real pad is "mA0kkAbS". Here is what it looks like decrypted:

FreeOTP.exe "RL4ojNpd" mA0kkAbS d
String: RL4ojNpd
Pad: mA0kkAbS
Command: d
PlainText: Flee now​

Now, this pad "zs41k9Gv" decrypts the exact same ciphertext to a different plaintext:

FreeOTP.exe RL4ojNpd "zs41k9Gv" d
String: RL4ojNpd
Pad: zs41k9Gv
Command: d
PlainText: stay PUT​

One time pad encrypted messages are impossible to crack and can be made to decrypt to any string you like. Figuring out the real message is mathematically impossible.

 

What approaches would you consider using in order to securely deliver either the ciphertext or the pad, (or preferably both)?

 

A face to face meeting would be the best way to exchange pads. USB stick, SD card, etc.

After that, in most cases, the two parties would be geographically far apart. Twitter, image tags on websites, radio, etc. are a few ways in which to send and recieve messages. There are lots of ways to discretely send the ciphertext messages (Tor, ssh, SSL, etc.), but in some cases, you don't have to be discrete at all and can just post them publicly.

As long as the pads are handled and used correctly then destroyed, there won't be any issues. The ciphertext messages by themselves are impossible to crack. In fact, you should just assume that other people have access to the ciphertext messages at all times.

 

What are the limits on password? (i.e. max length, what characters are allowed or does it matter for OTP encryption?)

Can the plain text it encrypts have special characters like å, Ä, ö, â?

Thanks for making FreeOTP available to us.

 

So in other words, you could have multiple plaintext messages for different situations - one for the actual communication and another innocent to show law enforcement?

Interesting, because if implemented correctly such a system would offer absolute plausible deniability but for the stupid who incriminate themselves in other ways.
If the government compels you to decrypt your data it can't prove the actual contents.