One-Time Pad Generator One-Time Pad Generatormichael@0: This page, which requires that your browser support JavaScript michael@0: (see Why JavaScript below), michael@0: generates one-time pads or password lists in a variety of michael@0: forms. It is based a high-quality pseudorandom sequence michael@0: generator, which can be seeded either from the current date michael@0: and time, or from a seed you provide. Fill in the form below michael@0: to select the format of the pad and press “Generate” to michael@0: create the pad in the text box. You can then copy and paste michael@0: the generated pad into another window to use as you wish. michael@0: Each of the labels on the request form is linked to a description michael@0: of that parameter. michael@0:
michael@0: michael@0: michael@0: michael@0: michael@0: michael@0:michael@0: Each of the fields in the one-time pad request form is described michael@0: below. michael@0:
michael@0: michael@0:michael@0: Enter the number of keys you'd like to generate. If you generate michael@0: more than fit in the results text box, you can use the scroll michael@0: bar to view the additional lines. michael@0:
michael@0: michael@0:michael@0: Lines in the output will be limited to the given length (or contain michael@0: only one key if the line length is less than required for a single michael@0: key). If the line length is greater than the width of the results michael@0: box, you can use the horizontal scroll bar to view the rest of the michael@0: line. Enter 0 to force one key per line; this is handy michael@0: when you're preparing a list of keys to be read by a computer program. michael@0:
michael@0: michael@0:michael@0: Each key will contain this number of characters, not counting michael@0: separators between groups. michael@0:
michael@0: michael@0:michael@0: If a nonzero value is entered in this field, the key will be broken michael@0: into groups of the given number of characters by separators. Humans michael@0: find it easier to read and remember sequences of characters when michael@0: divided into groups of five or fewer characters. michael@0:
michael@0: michael@0:michael@0: This set of radio buttons lets you select the character set used in michael@0: the keys. The alternatives are listed in order of michael@0: increasing security. michael@0:
michael@0: michael@0:michael@0:michael@0: michael@0:michael@0:
michael@0: michael@0:- Numeric
michael@0:- Keys contain only the decimal digits “0” through “9”. michael@0: Least secure.
michael@0: michael@0:- Word-like
michael@0:- Keys are composed of alphabetic characters which obey the michael@0: digraph statistics of English text. Such keys contain michael@0: sequences of vowels and consonants familiar to speakers michael@0: of Western languages, and are therefore usually easier to michael@0: memorise but, for a given key length, are less secure than michael@0: purely random letters.
michael@0: michael@0:- Alphabetic
michael@0:- Keys consist of letters of the alphabet chosen at random. michael@0: Each character has an equal probability of being one of michael@0: the 26 letters.
michael@0: michael@0:- Gibberish
michael@0:- Keys use most of the printable ASCII character set, excluding michael@0: only characters frequently used for quoting purposes. This michael@0: option provides the greatest security for a given key length, michael@0: but most people find keys like this difficult to memorise or michael@0: even transcribe from a printed pad. If a human is in the loop, michael@0: it's often better to use a longer alphabetic or word-like key. michael@0: Most secure.
michael@0:
michael@0: The case of letters in keys generated with Word-like, Alphabetic, and michael@0: Gibberish key text will be as chosen. Most people find it easier to michael@0: read lower case letters than all capitals, but for some applications michael@0: (for example, where keys must be scanned optically by hardware that michael@0: only recognises capital letters), capitals are required. Selecting michael@0: “Mixed case” creates keys with a mix of upper- and michael@0: lower-case letters; such keys are more secure than those with uniform michael@0: letter case, but do not pass the “telephone test”: you michael@0: can't read them across a (hopefully secure) voice link without having michael@0: to indicate whether each letter is or is not a capital. michael@0:
michael@0: michael@0:michael@0: When the Key length is longer than michael@0: a nonzero Group length specification, michael@0: the key is divided into sequences of the given group length michael@0: by separator characters. By default, a hyphen, “-”, is used michael@0: to separate groups. If you check this box, separators will be michael@0: chosen at random among punctuation marks generally acceptable michael@0: for applications such as passwords. If you're generating passwords michael@0: for a computer system, random separators dramatically increase michael@0: the difficulty of guessing passwords by exhaustive search. michael@0:
michael@0: michael@0:michael@0: michael@0: When this box is checked, at the end of the list of keys, preceded by michael@0: a line beginning with ten dashes “-”, the 128 bit MD5 signature of michael@0: each key is given, one per line, with signatures expressed as 32 michael@0: hexadecimal digits. Key signatures can be used to increase security michael@0: when keys are used to control access to computer systems or databases. michael@0: Instead of storing a copy of the keys, the computer stores their michael@0: signatures. When the user enters a key, its signature is computed michael@0: with the same MD5 algorithm used to generate it initially, and the key michael@0: is accepted only if the signature matches. Since discovering michael@0: a key which will generate a given signature is believed to be michael@0: computationally prohibitive, even if the list of signatures stored on michael@0: the computer is compromised, that information will not permit an michael@0: intruder to deduce a valid key. michael@0:
michael@0: michael@0:michael@0: Signature calculation is a computationally intense process for which michael@0: JavaScript is not ideally suited; be patient while signatures are michael@0: generated, especially if your computer has modest michael@0: processing speed. michael@0:
michael@0: michael@0:michael@0: For signature-based validation to be secure, it is essential michael@0: the original keys be long enough to prohibit discovery of matching michael@0: signatures by exhaustive search. Suppose, for example, one used michael@0: four digit numeric keys, as used for Personal Identification michael@0: Numbers (PINs) by many credit card systems. Since only 10,000 michael@0: different keys exist, one could simply compute the signatures of michael@0: every possible key from 0000 through 9999, permitting an attacker who michael@0: came into possession of the table of signatures to recover the michael@0: keys by a simple lookup process. For maximum security, keys must michael@0: contain at least as much information as the 128 bit signatures michael@0: computed from them. This implies a minimum key length (not counting michael@0: non-random separator characters) for the various key formats as michael@0: follows: michael@0:
michael@0: michael@0:| Key Composition | Minimum Characters |
|---|---|
| Numeric | 39 |
| Word-like | 30 |
| Alphabetic | 28 |
| Gibberish | 20 |
michael@0: It should be noted that for many practical applications there is no michael@0: need for anything approaching 128-bit security. The guidelines above michael@0: apply only in the case where maximum protection in the event of michael@0: undetected compromise of key signatures occurs. In many michael@0: cases, much shorter keys are acceptable, especially when it is assumed michael@0: that a compromise of the system's password or signature database would michael@0: be only part of a much more serious subversion of all resources michael@0: on the system. michael@0:
michael@0: michael@0:michael@0: The seed is the starting value which determines all michael@0: subsequent values in the pseudorandom sequence used to generate michael@0: the one-time pad. Given the seed, the pad can be reproduced. The michael@0: seed is a 31-bit number which can be derived from the date and michael@0: time at which the one-time pad was requested, or from a michael@0: user-defined seed value. If the user-defined seed consists michael@0: entirely of decimal digits, it is used directly as the seed, michael@0: modulo 231; if a string containing non-digit characters michael@0: is entered, it is used to compute a hash code which is michael@0: used to seed the generator. michael@0: michael@0:
michael@0: michael@0:michael@0: When the clock is used to create the seed, the seed value is entered michael@0: in the User-defined box to allow you, by checking “User-defined”, michael@0: to produce additional pads with the same seed. michael@0:
michael@0: michael@0:michael@0: At first glance, JavaScript may seem an odd choice for programming michael@0: a page such as this. The one-time pad generator program is rather michael@0: large and complicated, and downloading it to your browser takes longer michael@0: than would be required for a Java applet or to transfer a michael@0: one-time pad generated by a CGI program on the Web server. I chose michael@0: JavaScript for two reasons: security and transparency. michael@0: michael@0:
michael@0: michael@0:michael@0: Security. michael@0: The sole reason for the existence of one-time pads is to michael@0: provide a source of information known only to people to whom michael@0: they have been distributed in a secure manner. This means michael@0: the generation process cannot involve any link whose security michael@0: is suspect. If the pad were generated on a Web server and michael@0: transmitted to you, it would have to pass over the michael@0: Internet, where any intermediate site might make a copy michael@0: of your pad before you even received it. Even if some michael@0: mechanism such as encryption could absolutely prevent the michael@0: pad's being intercepted, you'd still have no way to be sure michael@0: the site generating the pad didn't keep a copy michael@0: in a file, conveniently tagged with your Internet address. michael@0:
michael@0: michael@0:michael@0: In order to have any degree of security, it is essential michael@0: that the pad be generated on your computer, without michael@0: involving any transmission or interaction with other michael@0: sites on the Internet. A Web browser with JavaScript makes michael@0: this possible, since the generation program embedded in this michael@0: page runs entirely on your own computer and does not michael@0: transmit anything over the Internet. Its output appears michael@0: only in the text box, allowing you to cut and paste it michael@0: to another application. From there on, its security is michael@0: up to you. michael@0:
michael@0: michael@0:michael@0: Security is never absolute. A one-time pad generated with michael@0: this page might be compromised in a variety of ways, including michael@0: the following: michael@0: michael@0:
michael@0: michael@0:michael@0: One can whip oneself into a fine fever of paranoia worrying about michael@0: things like this. One way to rule out the most probable risks michael@0: is to download a copy of the generator page and run it michael@0: from a “file:” URL on a computer which has no network michael@0: connection whatsoever and is located in a secure location michael@0: under your control. And look very carefully at any files michael@0: created by your Web browser. You may find the most interesting michael@0: things squirreled away there…. michael@0:
michael@0: michael@0:michael@0: Transparency. michael@0: Any security-related tool is only as good as its design michael@0: and implementation. Transparency means that, in michael@0: essence, all the moving parts are visible so you can judge michael@0: for yourself whether the tool merits your confidence. In michael@0: the case of a program, this means that source code must michael@0: be available, and that you can verify that the program michael@0: you're running corresponds to the source code provided. michael@0: michael@0:
michael@0: michael@0:michael@0: The very nature of JavaScript achieves this transparency. michael@0: The program is embedded into this actual Web page; to michael@0: examine it you need only use your browser's “View Source” michael@0: facility, or save the page into a file on your computer michael@0: and read it with a text editor. JavaScript's being michael@0: an interpreted language eliminates the risk of your running michael@0: a program different from the purported source code: with michael@0: an interpreted language what you read is what you run. michael@0:
michael@0: michael@0:michael@0: Transparency is important even if you don't know enough about michael@0: programming or security to determine whether the program michael@0: contains any flaws. The very fact that it can be examined michael@0: by anybody allows those with the required expertise to pass michael@0: judgment, and you can form your own conclusions based on michael@0: their analysis. michael@0:
michael@0: michael@0:michael@0: michael@0: The pseudorandom sequence generator is based on L'Ecuyer's michael@0: two-sequence generator as described in michael@0: Communications of the ACM, Vol. 31 (1968), page 742. michael@0: A Bays-Durham shuffle is used to guard against regularities michael@0: lurking in L'Ecuyer's algorithm; see michael@0: ACM Transactions on Mathematical Software, Vol. 2 (1976) michael@0: pages 59–64 for details. michael@0:
michael@0: michael@0:michael@0: The JavaScript implementation of the michael@0: MD5 message-digest algorithm michael@0: was developed by Henri Torgemane; please view the source code of this michael@0: page to examine the code, including the copyright notice and michael@0: conditions of use. The MD5 algorithm was developed by Ron Rivest. michael@0:
michael@0: michael@0: michael@0: michael@0:
michael@0: 
michael@0: |
michael@0: This document is in the public domain. michael@0:
michael@0: michael@0: michael@0: