Open Source Security
Welcome at » Quality

By: Bryan Jacobson (    As always, the following are my personal opinions.


“Product X”

 I recently heard about an authentication product, let’s call it “Product X”.   According to their website:

Product X . . . implements the equivalent of a “one-time pad” system – the most secure communication possible.

Product X uses applied physics to defeat all known Internet authentication threats.

Sounds good, maybe too good.  Can we trust it?


Cryptographic Snake Oil


Serge Hallyn introduced me to the term “cryptographic snake oil”, which is explained at


Good cryptography is an excellent and necessary tool for almost anyone. Many good cryptographic products are available commercially, as shareware, or free. However, there are also extremely bad cryptographic products which not only fail to provide security, but also contribute to the many misconceptions and misunderstandings surrounding cryptography and security.


Why “snake oil”? The term is used in many fields to denote something sold without consideration of its quality or its ability to fulfill its vendor’s claims. This term originally applied to elixirs sold in traveling medicine shows. The salesmen would claim their elixir would cure just about any ailment that a potential customer could have. Listening to the claims made by some crypto vendors, “snake oil” is a surprisingly apt name.


The snake-oil-faq is a fun website with a lot of information.  Regarding “one-time-pads” it says: 

A vendor might claim the system uses a one-time-pad (OTP), which is provably unbreakable.


Snake oil vendors will try to capitalize on the known strength of an OTP. But it is important to understand that any variation in the implementation means that it is not an OTP and has nowhere near the security of an OTP.

 What are One-time-pads, and why are they “unbreakable”?

 A One-time-pad is a key as long as the message.  Each byte of the OTP is generated with an unpredictable random process. 

 The sender and receiver each need a copy of the OTP and must insure no one else has a copy. The OTP should be physically exchanged, not transmitted.

 Each byte of the OTP is only used once – so there is no “statistical pattern” that an adversary could use to crack the message.  (More info is at:

The unbreakability of one-time-pads rests on three factors:

1. Every byte in the OTP is generated by a truly random (unpredictable) process.

2. Every byte in the OTP is used only once.

3. The sender and recipient insure that no one else could have a copy of the pad.

When these are true, the OTP is unbreakable – there is no vulnerability that can be exploited.


How Product X works (I think)

Note: This is not a comprehensive evaluation of “Product X”, but rather my personal quick comparison of the  information on their website to One-time-pads.  Their website does not have a complete technical description, so I’ve made some assumptions that could be inaccurate.

 If I understand correctly, “Product X” works like this:

 – “Product X” uses a USB device and some software to provide secure authentication (login) from the user’s client system to a remote server.

– The user supplies a User ID and a Password on the client system.

– The User ID is sent to the server software, which selects an “index” that is sent back to the client.

– The “index” and secure information in the USB device create a “one-time password”, claimed to be equivalent to a One-time-pad.

– The “one-time password” is used to securely transmit the User’s password to the server.


Is “Product X” the equivalent of a one-time-pad?

 Let’s look at the factors that make one-time-pads unbreakable:

1. Every byte in the OTP is unpredictable.

I will assume they got this right.   You can use, or several other techniques.

2. Every byte in the OTP is used only once.

I don’t think this is the case.  I believe the “index” sent back from the server, works with the USB device to “randomly” select a pad.  If enough logins happen, eventually pads will get re-used.

The Snake Oil website says:

OTPs are seriously vulnerable if you ever reuse a pad. For instance, the NSA’s VENONA project [4], without the benefit of computer assistance, managed to decrypt a series of KGB messages encrypted with faulty pads. It doesn’t take much work to crack a reused pad.

How soon are pads reused?  The “Product X” website mentions “billions”, but doesn’t give specifics.

3. The sender and recipient insure that no one else could have a copy of the pad.

I don’t think this is the case.  I believe all users share the same set of pads (otherwise the remote server would need a huge amount of per-user data).

However, I believe the role of the USB Device is to scrambles the pad selection on a per-user basis.  I think security experts agree – a device like this (assuming well implemented) with a physically secure secret, provides significant security advantages.

So, the strength of “Product X” is based on:

– Could an adversary detect re-use of a pad?

– Could an adversary subvert the secret in the USB device?

This is the point of the “Snake Oil” FAQ.  The strength of “Product X” is based on its own implementation details – not the “unbreakable” strength of one-time-pads.


I hope users of “Product X” also understand that it  *ONLY* provides special security for the authentication step (the communication of the password).   It does not help with the rest of the communication between the client and the server.


Since One-time-pads are so dang secure, why aren’t they used for everything?

OTPs have two important limitations:

– They must not be reused, and need to have as many bytes as the messages they are encoding.  This is not practical if you’ve got gigabytes going back and forth every day.

– There must be some other secure mechanism to get the pad from one party to the other.  That’s hard to do if you’re communicating with someone you’ve never met before (common on the web).


The Snake Oil FAQ lists many other things to watch out for, such as:

  • Secret Algorithms
  • Revolutionary Breakthroughs
  • Experienced Security Experts, Rave Reviews, and Other Useless Certificates

If you are interested in security and security metrics, I highly recommend reading Dan Geer’s chart deck on “Measuring Security”. It weighs in at a hefty 426 pages, but it made me laugh out loud in parts and go hmmm. Highlights include p. 108 on “Decision Making” says “*Rational decisions are not enough, *Need to also allow for your preferences”. I really like the model for “Tracking Performance” that he shows for selected security software on pages 154-156, but caution still needs to be applied and meta-information about the numbers is important for full understanding – did the product undergo extensive review one year? are the CVE’s equivalent to each other in severity? etc. Well worth a read and on my list for more more comprehensive study.

[1] Dan Geer, Measuring Security

Gerrit is blogging the Linux Kernel Summit this week and his blog entrys are well worth reading, if just for the use of the word kerfuffle. Seriously, there is good stuff there – Andrew Morton on Linux Kernel Quality is especially interesting to me. I had heard that Andrew was tossing around the idea of requiring test cases for patch submissions. That would greatly increase test code coverage and reduce regressions, but based on the discussion in Gerrit’s blog posting, it looks like it would have been dismissed out of hand for requiring to much additional work, if it had even been brought up at the kernel summit. A related topic was brought up during the Documentation session with a proposal to pull LTP tests into Linus’ git tree.
Off the topic of quality, this cracked me up: “The running joke was that long explanations of x86 functionality requested by the s390 people was usually ended with the comment “oh, I understand now, we have an instruction that does that” ;)”
I love this coverage of the Kernel Summit, along with LWN’s coverage, it is better than actually being there!