Step 1 - Creating One-time Pads
The basis of the system are the one-time pad pads. A one-time pad can be a single sheet, a booklet, a roll of paper tape or a paper strip that contains series of random numbers. These could be stored in tamper-proof sealed containers (plastic, metal or cardboard) to ensure that the series of numbers are used one by one and to prevent or at least detect unallowed disclosure of unused numbers.
The numbers must absolutely be truly random. To generate these random numbers, the most practical option is to purchase a hardware based generator with random noise source (PC card or USB device). Firms like Mils Electronic and IDQ offer hardware RND generators.
A second way is to generate the numbers purely with software. However, such generators should be selected with care. Software, simply based on the computer RND function, will not produce secure random numbers! At the bottom of this page you can download a software number generator. If you generate the random numbers on a computer, you must always use a stand-alone computer, never connected to a network. No single computer is secure if ever connected to a network!
Another very secure and truly random method - although time consuming - is to select the random numbers manually. You could use five ten-sided dice. With each throw, you have a new five-digit group (see image right). Such dice are available in toy stores or you could make them yourself (dice template).
Never ever simply use normal six-sided dice by adding the values of two dice. This method is statistically unsuitable to produce values from 0 to 9 and thus absolutely insecure (the total of 7 will occur about 6 times more often that the values 2 or 12). Instead, use one black and one white die and assign a value to each of the 36 combinations, taking in account the order/colour of the dice (see table below). This way, each combination has a .0277 probability (1 on 36). We can produce three series of values between 0 and 9. The remaining 6 combinations (with a black 6) are simply disregarded, which doesn't affect the probability of the other combinations.
Another good source of randomness would be a lotto system with balls, numbered from 0 to 9. After extracting a number, that ball must be mixed again with the other balls before extracting the next number. More about generating random numbers on the one-time pad page.
A default one-time pad sheet usually contains 50 groups of 5 random digits, which is sufficient for one normal message, and each one-time pad sheet should have a unique first group of five digits. This first group will be used to identify the key and is not used in the encryption process. A one-time pad set consist of two identical one-time pads. To establish a one-way communication you will only need one OUT pad for the sender and one IN pad for the receiver. To communicate in both directions both sender and receiver need OUT and IN pads. Never use a single pad to communicate in both directions!
Example of an OUT booklet No 1234 and its sheet No 00015:
When used in clandestine circumstances, the most practical key pads for the person in the field are those that are printed on very small thin paper sheets (see photo). These are easy to hide and destroy. Never store them on a computer, memory stick or CD. These will always leave traces, even after they were erased, and total destruction is never guaranteed. There are several specialized techniques to retrieve computer data, but none to retrieve a burned or digested paper key pad. In critical situations, it's harder to quickly dispose or destruct a memory stick or floppy disk than to eat a small paper sheet.
Step 2 - Preparing the Message
Before we can encrypt a message with a one-time pad, we need to convert it into numbers. This conversion is not a type of encryption and offers absolutely no protection whatsoever! The conversion only prepares the plain text for the actual encryption process. In our example, we use the CT-37c conversion table. You can find other variations of the checkerboard conversion table on this page.
The CT-37c table is an extended straddling checkerboard. The table is easy to remember by its most frequent English letters "AEINOT" in the top row, preceded by the "CODE" (0) field. The following two rows contain the remaining letters. The fourth row contains "FIG" (90), the punctuations (less critical to memorize) and the "REQ" (98) and "SPACE" (99) fields.
Using the CT37c table is easy. All characters are converted into their one-digit or two-digit value. To convert numbers, always use "FIG" before and after one ore more digits. Each digit is written out three times to exclude errors. You can use spaces and punctuations within the "FIG" mode. An example: "1.5 KG" = "90 111 91 555 90 77 74". The "REQ" or "REQUEST" field enables questions and spaces are created with the "SPC" field. The apostrophe (93) can be used as both apostrophe and comma. The "CODE" field is the codebook prefix and is used before each codebook value. The use of spaces before and after codebook words is not necessary.
The use of a codebook is optional. However, a codebook can reduce the length of the ciphertext and transmission time enormously. One can always omit the codes if the receiver has no copy of the codebook. The codebook can contain all kinds of words and/or small phrases about message handling and technical, tactical, logistic or medical expressions. The codebook should contain the most often used words and expressions that would normally be converted with the default table into more than four digits. Since one-time pad encryption is applied, it is not necessary to have a random codebook numbering or to keep the codebook secret. A codebook system does not always require a large book with thousands of expressions. Even a single codebook sheet with carefully selected expressions, as shown below, can contain enough practical information to reduce the message length enormously.
Some words in the codebook are extendable or changed by addition of one or more characters. with the CT-37 conversion table from above, the plural of 0596 (PERSON) will be 059683 (PERSONS). The past perfect of 0686 (RECEIVE) will be 068672 (RECEIVED), and 0901 (VERIFY) will be 090172 (VERIFYD or verified). Words can also get another meaning. 0686 (RECEIVE) becomes 068682 (RECEIVER), 0857 (TRANSMIT) becomes 085782 (TRANSMITR or transmitter) and 0226 (COVERT) becomes 02267888 (COVERTLY). The FIG code can be omitted when a figure is expected. Thus, SIGNAL STRENGHT 4 can be written as 0992444.
In our example we will also use the codebook from above. Note the strange non-consecutive values in the codebook. These values are carefully selected and will always enable the detection of single-digit errors and in most cases also two-digit errors. An error will always result in a non existing code. Simply using the values 00 trough 99 for our 100 codebook words is not recommended, as a single-digit error would result in a completely wrong word! Of course, the codebook can be adapted for any specific use.
Let us convert the text "MEETING BERLIN CANCELLED. TRAVEL 25 JAN TO ZURICH WITH NEW PASSPORT."
The final group should always be completed with full stops (919....). Note that, with the help of our little code sheet, the 68 characters of the message (spaces and punctuations included) are converted into no more than 80 digits! This gives a very good 1.17 digit/letter ratio. Of course, one could also omit all spaces where readability is maintained and use various abbreviations like "YR" for "YOUR", "WTH" for "WITH" or "RTRN" for "RETURN". This would reduce the message length even more.
Step 3 - Encryption and Decryption
Once our message is converted into digits we can start the encryption. First, we tell the receiver which key was used. This is done by adding the first five-digit group of the one-time pad sheet at the beginning of the message. This first group of the one-time pad should never be used in the encryption process. Always start enciphering from the second group of the pad. This method of identification doesn't reveal any order of the messages, nor how many messages were actually sent. In the example we skip the identification group 74061 of the pad.
Write down the plaintext digits from Step 2 in groups of five, write the numbers, obtained from the one-time pad key, underneath the plaintext and subtract the one-time pad key from the plaintext, digit by digit and from left to right. Subtraction is performed without borrowing (e.g. 5 - 9 = 15 - 9 = 6). Always complete the last group of plaintext with zeros. In the example we used the one-time pad sheet No 00015 from booklet 1234 as shown in Step 1.
NEVER reuse a pad! Always destroy the key sheet immediately after finishing the encryption, even if it still has unused groups. A new message should always be encrypted with a new sheet.
Below the complete message, with the key identification number 74061 as first group. If the message is sent by radio, in voice or Morse, it is recommended to relay all groups twice to exclude errors (f.i. 74061 74061 48398 48398 and so on). If the receiver's callsign is "306", the message could look like this:
To decrypt the message, the receiver verifies the first group of the message to ensure that he uses the correct one-time pad sheet. Next, he writes the proper one-time pad digits underneath the ciphertext and adds the key to the ciphertext, digit by digit, without carry (e.g. 9 + 6 = 5 and not 15). The first group is skipped as it is only used to identify the key.
Finally, the receiver re-converts the numbers into plaintext letters with the help of his conversion table. One-digit and two-digit characters are easily distinguished: if the next digit is 1 to 6, you have a one-digit characters. If the next digit is 7, 8 or 9 you have a two-digit character and there's one more digit that follows. If the next digit is 0, a three-digit code follows.
Always use subtraction to encrypt and addition to decrypt.
Remember! Never keep a key sheet after it has been used to decrypt a message. This will compromise the key and the message! Destroy the key sheet immediately after use.
Step 4 - Important Security Issues
This section contains important rules that should be followed when using one-time pad encryption and communications. These rules are not negotiable. Virtually all one-time pad communications that were compromised at some point, violated one or more of these rules. Even a small and seemingly insignificant error can result in unauthorized decryption of the messages. Insecure communications enable the eavesdroppers to link the messages to the sender or receiver who wanted to stay anonymous. Often, the users were thoroughly instructed beforehand on how to do things but believed that those little details didn't matter. They were wrong. It helps to be paranoia. However, if used properly, one-time pad is unbreakable. And yes, also unbreakable for the NSA, GCHQ or FAPSI. Read carefully!
a. The One-time Pads
One-time pad encryption is only possible if both sender and receiver are in possession of the same key. Therefore, the keys must be exchanged beforehand by both parties. This means that the secure communications are expected and planned within a specific time frame. Enough key material must be available for all required communications until a new exchange of keys is possible. Depending on the situation, a large volume of keys could be required for a short time period, or little key material could be sufficient for a very long time period, up to several years.
Never store one-time pads on a computer, memory stick or CD. Erasing these media is very problematic and total destruction of used one-time pads, stored on these carriers, is never guaranteed. Specialized techniques exist to retrieve computer data, even after the data was deleted, and even after it was actually overwritten. The key must always be distributed physically, personally or by a trusted courier. Never send one-time pads electronically. Encrypting a one-time pad before sending it electronically, for instance with AES or some other strong algorithm, is useless and dangerous because it will lower its security from unbreakable down to the security of the used encryption.
The most important part of one-time pad is a secure key management. If the key isn't compromised, the message is mathematically unbreakable. It is clear that those who are responsible for creating and handling one-time pads should be subjected to the highest level of security screening. The number of persons who are responsible for generating the key material should be limited to an absolute minimum. As soon as a one time pad key pair is created, it must be numbered and registered. There should be a centralised (star topology) registration and distribution in order to know who has which keys where and when. If a key pad is used, outdated, revoked or compromised, the distributor or user must immediately inform the other parties and remaining copies of that key should be destroyed immediately. Never use a one-time pad more than once! If you do so, simple analysis will break all messages, encrypted with the reused one-time pad (see one-time pad page)!
A one-time pad is always compromised in the following cases:
Never use a compromised one-time pad and always notify all users of compromised pads to destory those pads immediately!
* Secure Encryption and Decryption
Never ever use a computer to type a plain message or to encrypt or decrypt a message. This will always leave traces on the computer, even after being deleted. There's no such thing as a safe computer! Instead, write the message, the key and do the calculations on a single piece of paper on a hard surface, and destroy that paper after you finished encrypting or decrypting. The most convenient method is to burn the paper. It sounds paranoia but has its reasons! Check you encryption before sending the message. A single error could make the message unreadable or result in critical mistakes during deciphering. Once a message is encrypted, you can store it anywhere you like. It will stay unbreakable. However, for reasons of deniability, it's not recommended to store enciphered messages on a computer or any other easily accessible medium.
b. Ways To Communicate
If interception of the communications and exposure of the identity and location of the sender/receiver doesn't endanger their privacy or personal security, physically, legally or otherwise, we can send the message by any means, even insecure. It's unbreakable anyway. This is the easy way. However, if identification of the involved persons, or the fact that they use encryption, endangers their privacy or personal security, they must communicate covertly or disguise their message.
Covert communications are a most difficult issue. Telephone, mobile or satellite phone, voice or text message, paper mail, e-mail and other Internet based communications are always to be considered completely unsafe. They enable identification of both sender and receiver. They should never be used to communicate covertly. Publicly available systems are a way to communicate anonymously. Some examples are a computer in a cyber café or library (of course without need for registration) or a public phone (with anonymously bought pre-paid card). A message can be posted or read from a cyber-café computer onto an Internet forum or any random on-line guestbook. However, it should never be possible to link time and place to the person that uses the public system. Although one might be using a publicly available system anonymously, it remains possible to retrieve time and location of the communication. In such case, a witness or security camera could link a particular time and place to the person who used that public phone or computer. Today, all electronic communications are stored for long periods, ready to be exploited if required. A phone call or mobile phone's text message is never a moment in time. It is a digital event that permanently resides in databases.
It should also be impossible to link a particular device to an intercepted communication. A mobile phone or a pre-paid card will link that particular phone or card to the communications. Once this link is found, its easy to link that message to other related messages. On-line e-mail accounts are also easy to link to a particular message and location. Using a mobile phone, pre-paid card or e-mail account, even one single time, will always leave traces and compromise that method of communicating, making it impossible to use that particular phone, pre-paid card or e-mail account for any other purpose in the future.
Shortwave radio is an ideal way to covertly receive messages over large distances. There's no way to detect the location of someone who receives radio signals. Having a simple household shortwave radio isnt suspicious (of course, the frequency to receive the messages should never be stored in the radio memory). Sending a message covertly with a radio transmitter poses more risks. A broadcast can be located within seconds if the opponent has the proper direction finding equipment. The current SDR technology (Software Defined Radio) easily permits surveillance and interception of many signals simultaneous on several wide frequency ranges. The use of burst-transmission (transmitting very rapidly) might not be sufficient to avoid detection. Therefore, a radio broadcast is only suitable when the transmitter is located far away and out of reach of the opponent. Another possibility is to use special equipment that operates on unusual frequencies or uses a special type of electromagnetic or optical carrier. As you can read, it's very difficult to communicate truly anonymously in today's high-tech and fully digitized world without leaving any trace.
If the communications are not intended to relay a message over a large distances, but solely to deny any relationship between sender and receiver, a dead-drop or brush-pass can be used. A dead drop is a location that is used to secretly pass items or messages between two people, without requiring them to meet. The sender hides the message on a secret but publicly available location and gives a signal somewhere else (f.i. a chalk mark on a wall or chewing gum on a pole) to tell the receiver that a dead drop was delivered. The receiver empties the dead drop at any suitable moment. Both persons must agree upon a location for the dead drop and a type of signal and its location beforehand. Detection of a dead drop would require intensive surveillance of both sender, receiver and the dead drop location. A brush-pass is an encounter between sender and receiver on a pre-determined location where they quickly and surreptitiously exchange a message. This could be done by leaving the message inside a newspaper to be picked up immediately after by the receiver, swapping identical bags, or any unsuspicious action in a public place. A brush-pass is easier to detect during surveillance and poses more risks than a dead drop. One could always deny that a message was transferred but cannot deny there was a meeting with the other person.
c. Deniability and Steganography
As you can read, it is all but easy to communicate truly anonymously in today's high-tech and fully digitized world without leaving any traces. Another way to convey the message is to do this openly, but to disguise the message in such a way that no one knows that the message has been sent.
The plaintext message (payload) is encrypted and the ciphertext digits are hidden inside a seemingly innocent text, e-mail or letter (carrier). This technique is called steganography (lit. hidden writing) and enables both sender and receiver to fully deny the existence of encrypted communications. Note that the payload must always be encrypted before hiding it in the carrier. Even when the adversary knows the method of hiding, any attempt to extract encrypted information would merely produce unintelligible digits. The message remains fully deniably. However, an attempt to extract non-encrypted data could reveal the message. Protect before hiding! There are various ways to hide ciphertext digits in a seemingly innocent text. Of course, simply inserting strange sequences of digits or some illogical values will draw suspicion.
The Words-Per-Sentence (WPS) system is a simple yet effective text-based method to conceal digits. For each digit, a sentence is composed with as many words as the digit + 5. Adding 5 to the total ensures that all sentences have at least five words. Words like its, youre or set-up are regarded as one word. To retrieve the original digits, the receiver subtracts 5 from the total number of words in each sentence.
To avoid statistical bias, some sentences with less than five words or more than fourteen words should be added (these are later simply ignored). The advantages of this method are an excellent linguistic freedom and the lack of complex calculations or conversions. Always start by writing a meaningful text and then play with the words to obtain the required sentence length. Exclude the salutation in a letter from the system, as a nine-letter salutation would arouse suspicion. The random digits produce an average of ten-words sentences.
Below, the ciphertext group 68496 is hidden inside a letter. The receiver counts 11 words in the first sentence and knows that the first digit is 11 5 = 6.
Thanks to this system, the hidden
message is fully deniable. There is no way to prove the
existence of a message inside the innocent looking letter
without having the proper one-time pad. We now have a
safe method to send encrypted messages covertly by postal
mail, e-mail or Internet forums. This is an important
advantage in today's digital world where virtually all
means to communicate are prone to eavesdropping. Of
course, the conversation itself remains detectable and
you will need a good excuse for the nonsense you wrote
and to whom you wrote it.
d. Personal Security and the Law
Finally, there's also the issue of personal security. In some countries, it's forbidden by law to use this type of encryption. The reason is simple: some governments don't understand the word "privacy" and read their citizens' communications. One-time pads prevents them from doing so. That's why, in some countries, being caught with one-time pads or being identified as a person who used encryption could cost you more than money or freedom. One-time pads can cause serious health problems, and that's not a joke!
On this website you can download Numbers 8.3. With this Crypto Secure Pseudo Random Number Generator (CSPRNG) you can generate and print series of random numbers or letters, formatted as standard one-time pads, worksheets or custom series. You can also view and print different letter-to-digit conversion tables for use in one-time pad encryption. Although using a CSPRNG theoretically never achieves Shannon's perfect secrecy, it will be useful in practice to generate one-time pads. The huge size and the limited use of a given random seed, the astronomical number of possible generator states, the whitening by combining 14 generators, and the irregular partial use of the output make it infeasible to retrieve or predict the generated output. External randomness can be loaded into the software. The Numbers software is therefore a good software alternative to generate one-time pads.
Create pairs of one-time pads with truly random digits, one copy for sender and one copy for receiver. To encipher a message, convert the plaintext into digits with the help of the conversion table. Write the one-time pad underneath the converted plaintext, but skip the first group of the one-time pad. Subtract the one-time pad from the plaintext, without carry. Put the skipped first group of the pad in front of the ciphertext message to tell the receiver which pad was used. Destroy the pad after enciphering.
To decipher a message, check the first group of the ciphertext to see which one-time pad was used. Write the proper one-time pad underneath the ciphertext but skip the first group of both ciphertext and pad. Add ciphertext and one-time pad together without carry. Convert the resulting digits back into plaintext with the help of the conversion table. Destroy the pad after deciphering.
one-time pads with truly random digits
More about one-time pad on this website
© Copyright 2004 - 2014 Dirk Rijmenants