<div dir="ltr"><p>Beyond the fact that switching to one-time pad addresses such a tiny risk compared to other risks to users that this is inherently dumb and the app is almost certainly broken in many other ways, I might assign the following question to a Crypto 101 undergraduate course:</p><p>"Zendo is using one-time pads, which can remove vulnerability to a symmetric cipher being cryptanalyzed successfully. However, what are three ways that Zendo still relies on symmetric crypto primitives for its security?"</p><p>Answer:</p><p>1) Most mobile devices can't generate 500k of true randomness in a short period of time, so they're using a PRNG to generate it.</p><p>2) They can't transfer 500k of one-time pad over the visual channel (which they assume is secure) so they transmit an AES-256 key over that channel, then encrypt the one-time pad and send it over a data channel.</p><p>3) They are using HMAC, instead of a one-time MAC based on universal hashing. </p><p>The third one is actually an easy fix, they probably just didn't know about this and there isn't really library support sitting around. The first two they can't very easily fix.<br></p><p>On Mar 24, 2015 5:14 PM, "Tony Arcieri" <<a href="mailto:bascule@gmail.com" target="_blank">bascule@gmail.com</a>> wrote:<br></p><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Some delicious <a href="http://snakeoil.cr.yp.to/" target="_blank">http://snakeoil.cr.yp.to/</a></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Mar 24, 2015 at 3:01 PM, Tim Bray <span dir="ltr"><<a href="mailto:tbray@textuality.com" target="_blank">tbray@textuality.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_default"><a href="http://techcrunch.com/2015/03/24/one-time-pads-ride-again/" target="_blank">http://techcrunch.com/2015/03/24/one-time-pads-ride-again/</a> Typically semiliterate write-up.<span><font color="#888888"><br clear="all"></font></span></div><span><font color="#888888"><div><br></div>-- <br><div><div dir="ltr"><div>- Tim Bray (If you’d like to send me a private message, see <a href="https://keybase.io/timbray" target="_blank">https://keybase.io/timbray</a>)</div></div></div>
</font></span></div>
<br>_______________________________________________<br>
Messaging mailing list<br>
<a href="mailto:Messaging@moderncrypto.org" target="_blank">Messaging@moderncrypto.org</a><br>
<a href="https://moderncrypto.org/mailman/listinfo/messaging" target="_blank">https://moderncrypto.org/mailman/listinfo/messaging</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div>Tony Arcieri<br></div>
</div>
<br>_______________________________________________<br>
Messaging mailing list<br>
<a href="mailto:Messaging@moderncrypto.org" target="_blank">Messaging@moderncrypto.org</a><br>
<a href="https://moderncrypto.org/mailman/listinfo/messaging" target="_blank">https://moderncrypto.org/mailman/listinfo/messaging</a><br>
<br></blockquote></div>
</div>