Truly random numbers

jerf at compy.attbi.com jerf at compy.attbi.com
Wed Feb 12 02:56:09 CET 2003


On Tue, 11 Feb 2003 15:49:51 -0800, Paul Rubin wrote:
> Use an SSL tunnel and hope that Fourmilabs isn't logging the random
> numbers?

This point should be emphasized. If you care enough to do a one-time pad,
you need to care enough to buy your own random number generator. Assume
Fourmilabs is logged by the NSA and [insert your enemy here], along with
every other similar RNG on the 'net.

If you don't care enough to buy your own random number generator, then you
don't care enough to use OTP. Use a solid, stream-based cipher with a
nice, large key. 

It's very importent to understand that as an encryption method, "One Time
Pads" are not secure. It is only secure as the key used as the pad. Now,
the nice thing about OTP's is that they are no *less* secure then that,
even in theory, which is unique to that algorithm. But if you're pulling
the key off of the public Internet, it's not secure and you might as well
just be using a stream cipher anyhow.






More information about the Python-list mailing list