One-time Pad Communication in Four Steps
Step 1 -
Creating One-time Pads
|
The
basis of the system are the one-time pad pads. A one-time
pad can be a single sheet, a booklet, a roll of paper
tape or a paper strip that contains series of random
numbers. These could be stored in tamper-proof sealed
containers (plastic, metal or cardboard) to ensure that
the series of numbers are used one by one and to prevent
or at least detect unallowed disclosure of unused
numbers.
|
|
 |
When used in clandestine circumstances, the most practical key pads for the person in the field are those that are printed on very small thin paper sheets (see photo). These are easy to hide and destroy. Never store them on a computer, memory stick or CD. These will always leave traces, even after they were erased, and total destruction is never guaranteed. There are several specialized techniques to retrieve computer data, but none to retrieve a burned or digested paper key pad. In critical situations, it's harder to quickly dispose or destruct a memory stick or floppy disk than to eat a small paper sheet.
Step 2 -
Preparing the Message 
Before we can encrypt a message with a one-time pad, we need to convert it into numbers. This conversion is not a type of encryption and offers absolutely no protection whatsoever! The conversion only prepares the plain text for the actual encryption process. In our example, we use the CT-37c conversion table. You can find other variations of the checkerboard conversion table on this page.
The CT-37c table is an extended straddling checkerboard. The table is easy to remember by its most frequent English letters "AEINOT" in the top row, preceded by the "CODE" (0) field. The following two rows contain the remaining letters. The fourth row contains "FIG" (90), the punctuations (less critical to memorize) and the "REQ" (98) and "SPACE" (99) fields.
| The Conversion Table | Another way to represent the table | |
 |
|
Using the CT37c table is easy. All characters are converted into their one-digit or two-digit value. To convert numbers, always use "FIG" before and after one ore more digits. Each digit is written out three times to exclude errors. You can use spaces and punctuations within the "FIG" mode. An example: "1.5 KG" = "90 111 91 555 90 77 74". The "REQ" or "REQUEST" field enables questions and spaces are created with the "SPC" field. The apostrophe (93) can be used as both apostrophe and comma. The "CODE" field is the codebook prefix and is used before each codebook value. The use of spaces before and after codebook words is not necessary.
The use of a codebook is optional. However, a codebook can reduce the length of the ciphertext and transmission time enormously. One can always omit the codes if the receiver has no copy of the codebook. The codebook can contain all kinds of words and/or small phrases about message handling and technical, tactical, logistic or medical expressions. The codebook should contain the most often used words and expressions that would normally be converted with the default table into more than four digits. Since one-time pad encryption is applied, it is not necessary to have a random codebook numbering or to keep the codebook secret. A codebook system does not always require a large book with thousands of expressions. Even a single codebook sheet with carefully selected expressions, as shown below, can contain enough practical information to reduce the message length enormously.
000 ABORT 253 DECODE 505 MILITARY 758 STREET 019 ACCEPT 262 DELAY 514 MONEY 767 SUBWAY 028 ACCESS 271 DIFFICULT 523 MONTH 776 SUCCESS 037 ADDRESS 280 DOCUMENT 532 MORNING 785 SUPPLY 046 AFFIRMATIVE 299 ENCODE 541 MORSE 794 SUPPORT 055 AGENT 307 EVENING 550 NEGATIVE 802 TELEPHONE 064 AIRPLANE 316 EXECUTE 569 NIGHT 811 TODAY 073 AIRPORT 325 FACTORY 578 OBSERVATION 820 TOMORROW 082 ANSWER 334 FAILED 587 PASSPORT 839 TRAIN 091 AUTHORITY 343 FERRY 596 PERSON 848 TRANSFER 109 BETWEEN 352 FLIGHT 604 PHOTOGRAPH 857 TRANSMIT 118 BORDER 361 FREQUENCY 613 POSITIVE 866 TRAVEL 127 BUILDING 370 HARBOUR 622 POSSIBLE 875 TRUCK 136 CANCEL 389 HELICOPTER 631 POWER 884 UNABLE TO 145 CHANGE 398 HIGHWAY 640 PRIORITY 893 URGENT 154 CIVILIAN 406 IDENTITY 659 PROBLEM 901 VERIFY 163 COMPROMISE 415 IMMEDIATE 668 QUESTION 910 WEEK 172 COMPUTER 424 IMPOSSIBLE 677 RADIO 929 WITHIN 181 CONFIRM 433 INFORMATION 686 RECEIVE 938 YESTERDAY 190 CONTACT 442 INSTRUCTIONS 695 RENDEZVOUS 947 DISREGARD MSG FROM 208 COORDINATE 451 LOCATE 703 REPEAT 956 DO NOT ANSWER 217 COUNTRY 460 LOCATION 712 RESERVATION 965 FORWARD THIS MSG TO 226 COVERT 479 MAIL 721 ROUTINE 974 REPEAT YOUR MSG FROM 235 CURRENT 488 MEETING 730 SATELLITE 983 READABILITY (1 TO 5/5) 244 DANGER 497 MESSAGE 749 SHIP 992 SIGNAL STRENGTH (1 TO 5/5) |
Some codebook words can be extended or changed by simply adding one or more characters. With the CT-37 conversion table from above, the plural of 0596 (PERSON) will be 05966 (PERSONS). The past perfect of 0686 (RECEIVE) will be 068672 (RECEIVED), and 0901 (VERIFY) will be 090175 (VERIFYD/verified). Words can also get another meaning. 0686 (RECEIVE) becomes 068682 (RECEIVER), 0857 (TRANSMIT) becomes 085782 (TRANSMITR/transmitter) or 0226 (COVERT) becomes 02267888 (COVERTLY). The FIG code can be omitted when figure(s) are expected: SIGNAL STRENGHT 4 can be written as 0992444. Don't forget to use the "CODE" prefix 0 (zero) before each code!
In our example we will also use the codebook from above. Note the strange non-consecutive values in the codebook. These values are carefully selected and will always enable the detection of single-digit errors and in most cases also two-digit errors. An error will always result in a non existing code. Simply using the values 00 trough 99 for our 100 codebook words is not recommended, as a single-digit error would result in a completely wrong word! Of course, the codebook can be adapted for any specific use.
Let us convert the text "MEETING BERLIN CANCELLED. TRAVEL 25 JAN TO ZURICH WITH NEW PASSPORT."
MEETING B E R L I N CANCEL-D . TRAVEL 2 5 J A N 0488 70 2 82 78 3 4 0136 72 91 0866 90 222 555 90 76 1 4 99 T O Z U R I C H W I T H N E W PASSPORT. 6 5 99 89 84 82 3 71 75 99 86 3 6 75 99 4 2 86 0587 91 In groups: 04887 02827 83401 36729 10866 90222 55590 76149 96599 89848 23717 59986 36759 94286 05879 19191 |
The final group should always be completed with full stops (919....). Note that, with the help of our little code sheet, the 68 characters of the message (spaces and punctuations included) are converted into no more than 80 digits! This gives a very good 1.17 digit/letter ratio. Of course, one could also omit all spaces where readability is maintained and use various abbreviations like "YR" for "YOUR", "WTH" for "WITH" or "RTRN" for "RETURN". This would reduce the message length even more.
Step 3 -
Encryption and Decryption
Once our message is converted into digits we can start the encryption. First, we tell the receiver which key was used. This is done by adding the first five-digit group of the one-time pad sheet at the beginning of the message. This first group of the one-time pad should never be used in the encryption process. Always start enciphering from the second group of the pad. This method of identification doesn't reveal any order of the messages, nor how many messages were actually sent. In the example we skip the identification group 74061 of the pad.
Write down the plaintext digits from Step 2 in groups of five, write the numbers, obtained from the one-time pad key, underneath the plaintext and subtract the one-time pad key from the plaintext, digit by digit and from left to right. Subtraction is performed without borrowing (e.g. 5 - 9 = 15 - 9 = 6). Always complete the last group of plaintext with zeros. In the example we used the one-time pad sheet No 00015 from booklet 1234 as shown in Step 1.
Plain : KEYID 04887 02827 83401 36729 10866 90222 55590 76149 96599 89848 23717 59986 36759 94286 05879 19191
OTP (-): 74061 66599 83953 09280 65571 63520 33281 72791 08682 03571 50328 17473 91793 58402 00658 45973 85273
-----------------------------------------------------------------------------------------------------
Result : 74061 48398 29974 84221 71258 57346 67041 83809 78567 93028 39520 16344 68293 88357 94638 60906 34928
|
Always destroy the key sheet immediately after finishing the encryption, even if it still has unused groups. A new message should always be encrypted with a new sheet. NEVER reuse a pad!
Below the complete message, with the key identification number 74061 as first group. If the message is sent by radio, in voice or Morse, it is recommended to relay all groups twice to exclude errors (f.i. 74061 74061 48398 48398 and so on). If the receiver's callsign is "306", the message could look like this:
306 306 306 74061 48398 29974 84221 71258 57346 67041 83809 78567 93028 39520 16344 68293 88357 94638 60906 34928 |
To decrypt the message, the receiver verifies the first group of the message to ensure that he uses the correct one-time pad sheet. Next, he writes the proper one-time pad digits underneath the ciphertext and adds the key to the ciphertext, digit by digit, without carry (e.g. 9 + 6 = 5 and not 15). The first group is skipped as it is only used to identify the key.
Ciphertext: 74061 48398 29974 84221 71258 57346 67041 83809 78567 93028 39520 16344 68293 88357 94638 60906 34928
OTP Key(+): 74061 66599 83953 09280 65571 63520 33281 72791 08682 03571 50328 17473 91793 58402 00658 45973 85273
-----------------------------------------------------------------------------------------------------
Plain text: KEYID 04887 02827 83401 36729 10866 90222 55590 76149 96599 89848 23717 59986 36759 94286 05879 19191
|
Finally, the receiver re-converts the numbers into plaintext letters with the help of his conversion table. One-digit and two-digit characters are easily distinguished: if the next digit is 1 to 6, you have a one-digit characters. If the next digit is 7, 8 or 9 you have a two-digit character and there's one more digit that follows. If the next digit is 0, a three-digit code follows.
Always use subtraction to encrypt and addition to decrypt.
Remember! Never keep a key sheet after it has been used to decrypt a message. This will compromise the key and the message! Destroy the key sheet immediately after use.
Step 4 -
Important Security Issues
This section contains important rules that should be followed when using one-time pad encryption and communications. These rules are not negotiable. Virtually all one-time pad communications that were compromised at some point, violated one or more of these rules. Even a small and seemingly insignificant error can result in unauthorized decryption of the messages. Insecure communications enable the eavesdroppers to link the messages to the sender or receiver who wanted to stay anonymous. Often, the users were thoroughly instructed beforehand on how to do things but believed that those little details didn't matter. They were wrong. It helps to be paranoia. However, if used properly, one-time pad is unbreakable. And yes, also unbreakable for the NSA, GCHQ or FAPSI. Read carefully!
- The One-time Pads
One-time pad encryption is only possible if both sender and receiver are in possession of the same key. Therefore, the keys must be exchanged beforehand by both parties. This means that the secure communications are expected and planned within a specific time frame. Enough key material must be available for all required communications until a new exchange of keys is possible. Depending on the situation, a large volume of keys could be required for a short time period, or little key material could be sufficient for a very long time period, up to several years.
Never store one-time pads on a computer, memory stick or CD. Erasing these media is very problematic and total destruction of used one-time pads, stored on these carriers, is never guaranteed. Specialized techniques exist to retrieve computer data, even after the data was deleted, and even after it was actually overwritten. The key must always be distributed physically, personally or by a trusted courier. Never send one-time pads electronically. Encrypting a one-time pad before sending it electronically, for instance with AES or some other strong algorithm, is useless and dangerous because it will lower its security from unbreakable down to the security of the used encryption.
The most important part of one-time pad is a secure key management. If the key isn't compromised, the message is mathematically unbreakable. It is clear that those who are responsible for creating and handling one-time pads should be subjected to the highest level of security screening. The number of persons who are responsible for generating the key material should be limited to an absolute minimum. As soon as a one time pad key pair is created, it must be numbered and registered. There should be a centralised (star topology) registration and distribution in order to know who has which keys where and when. If a key pad is used, outdated, revoked or compromised, the distributor or user must immediately inform the other parties and remaining copies of that key should be destroyed immediately. Never use a one-time pad more than once! If you do so, simple analysis will break all messages, encrypted with the reused one-time pad (see one-time pad page)!
A one-time pad is always compromised in the following cases:
- The pad is used more than once
- The pad was - even temporarily - not under custody of authorised personnel or securely stored
- A distributor or user is suspected to have violated security rules
- The pad has been exposed intentionally or by accident to other people
- The pad is lost or there is no proof of destruction
- If there's any doubt about the current or past situation of the pad
- Finally, if you don't know whether a one-time pad is compromised or not, it is compromised.
Never use a compromised one-time pad and always notify all users of compromised pads to destory those pads immediately!
- Secure Encryption and Decryption
Never ever use a computer to type a plain message or to encrypt or decrypt a message. This will always leave traces on the computer, even after being deleted. There's no such thing as a safe computer! Instead, write the message, the key and do the calculations on a single piece of paper on a hard surface, and destroy that paper after you finished encrypting or decrypting. The most convenient method is to burn the paper. It sounds paranoia but has its reasons! Check you encryption before sending the message. A single error could make the message unreadable or result in critical mistakes during deciphering. Once a message is encrypted, you can store it anywhere you like. It will stay unbreakable. However, for reasons of deniability, it's not recommended to store enciphered messages on a computer or any other easily accessible medium.
- Ways To Communicate
If interception of the communications and exposure of the identity and location of the sender/receiver doesn't endanger their privacy or personal security, physically, legally or otherwise, we can send the message by any means, even insecure. It's unbreakable anyway. This is the easy way. However, if identification of the involved persons, or the fact that they use encryption, endangers their privacy or personal security, they must communicate covertly or disguise their message.
Covert communications are a most difficult issue. Telephone, mobile or satellite phone, voice or text message, paper mail, e-mail and other Internet based communications are always to be considered completely unsafe. They enable identification of both sender and receiver. They should never be used to communicate covertly. Publicly available systems are a way to communicate anonymously. Some examples are a computer in a cyber café or library (of course without need for registration) or a public phone (with anonymously bought pre-paid card). A message can be posted or read from a cyber-café computer onto an Internet forum or any random on-line guestbook. However, it should never be possible to link time and place to the person that uses the public system. Although one might be using a publicly available system anonymously, it remains possible to retrieve time and location of the communication. In such case, a witness or security camera could link a particular time and place to the person who used that public phone or computer. Today, all electronic communications are stored for long periods, ready to be exploited if required. A phone call or mobile phone's text message is never a moment in time. It is a digital event that permanently resides in databases.
It should also be impossible to link a particular device to an intercepted communication. A mobile phone or a pre-paid card will link that particular phone or card to the communications. Once this link is found, it’s easy to link that message to other related messages. On-line e-mail accounts are also easy to link to a particular message and location. Using a mobile phone, pre-paid card or e-mail account, even one single time, will always leave traces and compromise that method of communicating, making it impossible to use that particular phone, pre-paid card or e-mail account for any other purpose in the future.
Shortwave radio is an ideal way to covertly receive messages over large distances. There's no way to detect the location of someone who receives radio signals. Having a simple household shortwave radio isn’t suspicious (of course, the frequency to receive the messages should never be stored in the radio memory). Sending a message covertly with a radio transmitter poses more risks. A broadcast can be located within seconds if the opponent has the proper direction finding equipment. The current SDR technology (Software Defined Radio) easily permits surveillance and interception of many signals simultaneous on several wide frequency ranges. The use of burst-transmission (transmitting very rapidly) might not be sufficient to avoid detection. Therefore, a radio broadcast is only suitable when the transmitter is located far away and out of reach of the opponent. Another possibility is to use special equipment that operates on unusual frequencies or uses a special type of electromagnetic or optical carrier. As you can read, it's very difficult to communicate truly anonymously in today's high-tech and fully digitized world without leaving any trace.
If the communications are not intended to relay a message over a large distances, but solely to deny any relationship between sender and receiver, a dead-drop or brush-pass can be used. A dead drop is a location that is used to secretly pass items or messages between two people, without requiring them to meet. The sender hides the message on a secret but publicly available location and gives a signal somewhere else (f.i. a chalk mark on a wall or chewing gum on a pole) to tell the receiver that a dead drop was delivered. The receiver empties the dead drop at any suitable moment. Both persons must agree upon a location for the dead drop and a type of signal and its location beforehand. Detection of a dead drop would require intensive surveillance of both sender, receiver and the dead drop location. A brush-pass is an encounter between sender and receiver on a pre-determined location where they quickly and surreptitiously exchange a message. This could be done by leaving the message inside a newspaper to be picked up immediately after by the receiver, swapping identical bags, or any unsuspicious action in a public place. A brush-pass is easier to detect during surveillance and poses more risks than a dead drop. One could always deny that a message was transferred but cannot deny there was a meeting with the other person.
- Deniability and Steganography
As you can see, it is all but easy to communicate securely. Another way to convey the message is to do this openly, but to disguise the message in such way that an eavesdropper won’t know that the message was sent. This technique is also called steganography (lit. hidden writing). There are various ways to insert or hide ciphertext numbers in a seemingly innocent letter or e-mail. Of course, the numbers in the text should always look unsuspicious. Simply inserting strange sequences of digits or some illogical values could draw suspicion. Also, simply converting the message into digits without encryption and then hide them in a message (a basic null cipher) is a completely insecure method and should never be used. Always encrypt your message before hiding it!
One method to hide the ciphertext digits in text is to assign a set of words to each digit and use these words to compose a readable and innocent looking text. If properly applied, the encrypted communications are fully deniable. To ensure flexibility and variations in the composed text, each digit should be represented by as many as possible words. You can see an example of a digit-to-words table in this text file (right-click and select "Save As" to download). You can select any of the 22 words that are assigned to a particular digit. To retrieve the digits that are hidden in the text, the table also contains a word-to-digit part in alphabetic order, to quickly find the digit that corresponds to a given word in the text.
In the following example, we hide the groups 74061 48398 29974, an enciphered fragment from "Meeting Berlin cancelled..." from above. We use our example digit-to-words table to find the words that we can use in our text. You may also use the plural of some the words (MOVIES, CARS, HOUSES...) as long as the word stays unchanged (to avoid confusion). Occasionally, but not too often, you can use ciphertext digits directly in your text wherever this looks unsuspicious ("It took me 40 minutes to..."). Now, here's an example of how to hide the three ciphertext groups with our digit-to-words table:
"I just got back from the office. I could use a holiday! A pool with some beer would do just fine. A bit more cash on my account would be usefull to pay my airplane. I wish I could leave for a whole month. By the way, read any good books or magazines lately? I always read whilst listening to the radio,with a good glass of wine in my lazy couch. Much better than watching football. I know, you cultural barbarian prefer a cigar and a newspaper."
Isn't that a nice and innocent looking piece of text (of course, in real life, you don't underline the words). Make sure to compose a text that makes sense. Writing about a trip you never made or about a family member or your dog that doesn't exist could blow your cover! Writing about things that you would like to have or to do, or about things in the future is pretty safe because such information is harder to verify by an eavesdropper. Make sure not to use any of the table words unintentionally, as this would add a wrong digit and makes the text undecipherable. Double-check your work!
The receiver checks each noun in his word-to-digit table to see if it relates to a digit. He writes down the extracted digits and deciphers the ciphertext message with the proper one-time pad. Although it will take quite a few sentences to hide a large message, this method provides good flexibility. Of course, you should compose your own table with frequently used words, maybe also with words related to your enviroment, and keep this table secret. A compromised digit-to-words table could affect your chances to fully deny the existens of a message in the text. Nevertheless, the message will stay unbreakable when the one-time pad, used to encipher the message, is kept secret or has been properly destroyed .
With this method, the hidden message is fully deniable because there is absolutely no way to detect or to prove its existence in the innocent looking text without the proper one-time pad key. Given the fact that in today's digital world virtually all means to communicate are prone to eavesdropping, this method is the perfect solution to send messages by postal mail, e-mail, on-line accounts, Internet forums and such. This is especially interesting in countries where the use of encryption is forbidden and ciphertext groups could get you in trouble. The communicating itself however will still be detectable (traffic analysis!). You only need a bit of literary fantasy and an excuse why you wrote each other. Note that this technique, but in combination with other encryption algorithms than one-time pad, could enable the eavesdropper to cryptanalyse and decipher the text! Only one-time pad offers cryptanalysis-resistant text and truly plausible deniability.
A second method to hide digits in text is by converting digits into letters with the help of a much smaller table. Unfortunately, this method is less flexible to compose the text. We use the 20 most frequent letters in the English language, divided in two groups: "ETAOINSHRD LCUMWFGYPB". Each digit from 0 to 9 is assigned to one from the 10 higher frequent letters (first group) and to one from the 10 lower frequent letters (second group). Next, we compose a text where every other word starts with one of the two letters that correspond to the given ciphertext digit. Of course, you can adapt the conversion table to the letter frequencies of any other language (see letter frequencies on Wikipedia, click column header icons to sort your language)
Below the table with digit-to-letter and letter-to-digit conversion. The distribution of letters is optimized for the English language to provide sufficient flexibility in devising words. Scrambling the order of the letters isn't necessary because we use one-time pad.
English optimized table 0 = E or L A = 2 M = 3 1 = T or C B = 9 N = 5 2 = A or U C = 1 O = 3 3 = O or M D = 9 P = 8 4 = I or W E = 0 R = 8 5 = N or F F = 5 S = 6 6 = S or G G = 6 T = 1 7 = H or Y H = 7 U = 2 8 = R or P I = 4 W = 4 9 = D or B L = 0 Y = 7 Unused letters: J K Q V X |
In the following example, we again use the groups 74061 48398 29974. When converted into letter pairs, according to the table above, we have the following sequence of 15 letter pairs:
HY IW EL SG TC IW RP OM DB RP TC DB DB HY IW |
You are free to choose either the first or second letter of each pair as first letter of every second word. An example of how such a text could look like this:
"I hope everything is OK. Last week seemed quite chaotic, no? I think relaxation would offer you definitely better results to calm down. Don't skip breakfast and handle your workload!
You can agree on starting off with either the first or the second word. If required, you can use one of the empty letters "JKQVX" instead of the 20 most frequent letters. In that case, the letter is simply discarded during deciphering and we continue with the next second letter. It gives you a bit more freedom to play with the text.
Personal Security and the Law
Finally, there's also the issue of personal security. In some countries, it's forbidden by law to use this type of encryption. The reason is simple: some governments don't understand the word "privacy" and read their citizens' communications. One-time pads prevents them from doing so. That's why, in some countries, being caught with one-time pads or being identified as a person who used encryption could cost you more than money or freedom. One-time pads can cause serious health problems, and that's not a joke!
Numbers 8.0
Random number generator
On this website you can download Numbers 8.1. With this Crypto Secure Pseudo Random Number
Generator (CSPRNG) you can generate and print series of
random numbers or letters, formatted as standard one-time
pads, worksheets or custom series. You can also view and
print different letter-to-digit conversion tables for use
in one-time pad encryption. Although using a CSPRNG
theoretically never achieves Shannon's perfect secrecy,
it will be useful in practice to generate one-time pads.
The huge size and the limited use of a given random seed,
the astronomical number of possible generator states, the
whitening by combining 14 generators, and the irregular
partial use of the output make it infeasible to retrieve
or predict the generated output. External randomness can
be loaded into the software. The Numbers software is
therefore a good software alternative to generate
one-time pads.
Create pairs of one-time pads with truly random digits, one copy for sender and one copy for receiver. To encipher a message, convert the plaintext into digits with the help of the conversion table. Write the one-time pad underneath the converted plaintext, but skip the first group of the one-time pad. Subtract the one-time pad from the plaintext, without carry. Put the skipped first group of the pad in front of the ciphertext message to tell the receiver which pad was used. Destroy the pad after enciphering.
To decipher a message, check the first group of the ciphertext to see which one-time pad was used. Write the proper one-time pad underneath the ciphertext but skip the first group of both ciphertext and pad. Add ciphertext and one-time pad together without carry. Convert the resulting digits back into plaintext with the help of the conversion table. Destroy the pad after deciphering.
1. Create
one-time pads with truly random digits
2. Never ever use a one-time pad more than once
3. Destroy the one-time pad immediately after use
More about one-time pad on this
website
Guide
to Secure Communications with the One-time Pad
Cipher 
How set
up secure communications with one-time pad- One-time pad about one-time pad and its history
- Numbers Stations about shortwave broadcasts of encrypted messages
- Spies and Numbers - Here to Stay The use of one-time pads in
espionage
- Cuban Agent Communications Paper on Cuban numbers stations,
Cuban agents in the U.S. and the errors they made
- Is One-time Pad History? About the usefulness of one-time pad
encryption
| Home One-time pad |