One-Time Pad is a very simple method for absolutely perfect (that is, unbreakable) encryption. The concept was first described by Frank Miller in 1882, but it has never been used widely, due to the requirement that the encryption key be the same length as the message being sent.
For a reasonably good overview and history, see Wikipedia.
For a fuller history of One-Time Pad encryption, see cryptomuseum.com.
The simple web site here (onetimepad.glitch.me) is a demonstration of the One-Time Pad. It is a fully functional model for encrypting/decrypting, but does not have/use a good random number generator, which is a critical part of using a One-Time Pad. It is purely client-side, so could be used securely if you:
The "key" is the hard part. "Truly random values" means they must be actually random, not a random page from your favorite book. And they must never be intercepted by anyone other than the party you are communicating with. And each set of values must only be used for one message. (I would say "only used once", but repeating the message has no effect on its security, as long as the same key is not used for a different message)
For guidance on how to create a truly secure key, read the section below: Passwords / Cryptographically Secure Keys, For the Truly Paranoid.
Original source code for this project on GitHub
Now primarily hosted at onetimepad.glitch.me
This work is "No Rights Reserved" -- that is, licensed under CC0. More formally:
To the extent possible under law, the publisher has waived all copyright and related or neighboring rights to this property "OneTimePad.html". This work is published from the United States.
♡ Please copy and share.
This has been tested with the following browsers:
Written in October, 2015. (occasionally modified since then)
Thanks to:
The One Time Pad method can be used to create passwords by combining values from multiple, less trusted sources.
We have plenty of generators of "random" numbers and values. One of the least secure is the basic random number generator provided in JavaScript, which is what the "Generate Key" button at https://onetimepad.glitch.me/ uses.
But if you want to have really secure values, you need a few things:
The last part is what the One Time Pad method can help with. If you want the most secure possible method of generating random values, use the following steps.
It should go without saying, but anything you do on a computer is only as secure as that computer is. You can start with the above, even from an insecure connection on a public computer, but secure is always preferable. Everything after this should only be done in the most secure environment possible.
Now the Output value is the most-secure version of all of the input random values combined. Store this value until you need it; and once you use it, destroy it! (if you ever use it again, it ain't "one time")
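One way to implement the combining step described above, as an added example that is not the code from OneTimePad.html. It assumes byte-wise XOR as the combining operation (the page's tool may combine characters differently); the names xorBytes, combineSources and OneTimePad and all sample byte values are constructed for illustration.

```javascript
// XOR two equal-length byte sequences. Lengths must match: a short source
// would leave the tail of the result covered by fewer sources.
function xorBytes(a, b) {
  if (a.length !== b.length) throw new RangeError('length mismatch');
  return Uint8Array.from(a, (v, i) => v ^ b[i]);
}

// Combine key material from several sources (assumed operation: XOR). The result
// is unpredictable as long as at least one source is uniformly random and independent.
function combineSources(sources) {
  if (sources.length < 2) throw new RangeError('need at least two sources');
  return sources.reduce((acc, cur) => xorBytes(acc, cur));
}

// Holds one pad and enforces the two rules the page states:
// key length equals message length, and each key is used for one message.
class OneTimePad {
  constructor(key) {
    this.key = Uint8Array.from(key); // private copy of the key bytes
    this.used = false;
  }
  apply(data) { // XOR is its own inverse, so this both encrypts and decrypts
    if (this.used) throw new Error('pad already used');
    if (data.length !== this.key.length) throw new RangeError('key must be as long as the message');
    const out = xorBytes(data, this.key);
    this.key.fill(0); // destroy the key after its single use
    this.used = true;
    return out;
  }
}

// Constructed sample inputs (not real key material).
const message = new TextEncoder().encode('MEET AT 9');
const fromWeakPrng = [0x13, 0x37, 0xc0, 0xde, 0x00, 0x42, 0x99, 0xab, 0x10]; // e.g. Math.random()
const fromDice     = [0x05, 0x21, 0x34, 0x16, 0x62, 0x43, 0x25, 0x51, 0x36]; // e.g. physical dice
const fromOsRng    = [0x8e, 0x4f, 0x1a, 0xd3, 0x77, 0x09, 0xb2, 0x6c, 0xf0]; // e.g. crypto.getRandomValues()

function demo() {
  const key = combineSources([fromWeakPrng, fromDice, fromOsRng]);
  const sender = new OneTimePad(key);
  const receiver = new OneTimePad(key); // second copy, delivered out of band
  const ciphertext = sender.apply(message);
  const plaintext = new TextDecoder().decode(receiver.apply(ciphertext));
  return { key, ciphertext, plaintext, sender };
}
```

Someone who knows two of the three sources still has to recover the third to reconstruct the key, which is why one strong source is enough to carry the result.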
Similar to the above, but instead of trying to get a bunch of "truly random" values from multiple sources, start with one you-generated value (whatever you can come up with quickly), and then use the "Generate Key" button for a few cycles to scramble that.
The threat model of random numbers not being cryptographically secure is fairly weak. That is, pseudo-randomly generated numbers are only a problem when the attacker knows a lot about your machine. If you really use OneTimePad.html on an offline device, that significantly limits what they can know about it. More importantly, if you use one-time-pad encryption, even if an adversary did correctly guess your pseudo-random numbers, there is absolutely no way for them to prove that they did. And on top of that, if you start with something you make up, and add the random time-delay of your own operation between running "Generate Key" multiple times, that really does guarantee the key will be unguessable. (All browsers I know of implement random() with a seed that includes the current clock time.)