One-Time Pad Generators


Introduction

Systems which use passwords and/or encryption keys to authenticate an individual's identity or protect against interception of communications achieve the highest degree of security when each password or key is used only once. Spies are furnished “one-time pads” containing pages of keys used to encrypt individual characters of secret messages, then discarded. As long as the physical security of the two copies of a one-time pad is assured and the keys on the pad are sufficiently random, security is absolute.

Swiss banks which accept electronic payment orders use a similar mechanism to verify the identity of the issuer of an order. When a client authorises the bank to accept electronic orders, the bank delivers, by registered mail, a list of individual session passwords (usually numbers of 4 to 6 digits). The customer agrees to keep the list of passwords physically secure, and to not hold the bank liable if the customer allows the list to fall into unauthorised hands. Each time an order is given, in addition to the regular user identity and password, the next key from the list must be entered, and then crossed off by the user. The bank verifies the key against a copy of the list stored in their own secure computer, and only if the key matches is the order accepted. Multiple incorrect entries block electronic access to the customer's account until re-enabled by the customer providing suitable verification that an unauthorised access attempt did not, in fact, occur.

Note that even if the customer's entire communication session with the bank is intercepted, the eavesdropper will not be able to subsequently issue orders in the customer's name since the one-time password used in the compromised session will never be used again, and provides no usable clue as to subsequent one-time passwords.
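
The bank-side check described above, as an added example (not code from this site or from either generator program). The sample list, the limit of three failed entries and all function names are assumptions made for illustration.

```javascript
// Added example. MAX_FAILURES and every name here are assumptions, not from the page.
const MAX_FAILURES = 3;

// Compare two keys without stopping at the first differing character.
function sameKey(a, b) {
  if (a.length !== b.length) return false; // key length is not secret
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// The bank's copy of the list that was mailed to the customer.
function createAccount(keys) {
  return { keys: keys.slice(), next: 0, failures: 0, blocked: false };
}

// Returns "accepted", "rejected", "blocked" or "exhausted".
function submitOrder(account, enteredKey) {
  if (account.blocked) return "blocked";
  if (account.next >= account.keys.length) return "exhausted";
  if (sameKey(String(enteredKey), account.keys[account.next])) {
    account.next += 1; // cross the key off: it is never valid again
    account.failures = 0;
    return "accepted";
  }
  // Assumption: a wrong entry does not consume the pending key.
  account.failures += 1;
  account.blocked = account.failures >= MAX_FAILURES;
  return account.blocked ? "blocked" : "rejected";
}

// Called only after the customer has verified, out of band, that no
// unauthorised access occurred (that verification is not modelled here).
function reenable(account) {
  account.failures = 0;
  account.blocked = false;
}

// Constructed sample list; a real one would come from a strong random source.
function demo() {
  const account = createAccount(["4821", "0937", "7710"]);
  const entries = ["4821", "4821", "0937", "0000", "1111", "2222", "7710"];
  const results = entries.map((key) => submitOrder(account, key));
  reenable(account);
  results.push(submitOrder(account, "7710"), submitOrder(account, "7710"));
  return results;
}

console.log(demo().join(" "));
```

The second entry replays the key captured from the first order and is rejected, which is the interception case described above; the three wrong entries that follow block the account until it is re-enabled.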

A choice of programs

Two one-time pad generator programs are available at this site. The first is written in JavaScript embedded in a Web page. When you view the page with a JavaScript-capable browser, you can generate one-time pads to your specifications with all the computation done by the JavaScript interpreter built into the browser. Since the contents of the pad never pass over the Internet, you don't have to worry about them being intercepted. Other security issues are discussed on the generator page.

A second one-time pad generator is implemented in C for Unix systems. (With a little fiddling it can be made to work on MS-DOS or other systems with a C compiler and library that more-or-less emulates Unix, and a ready-to-run 32-bit Windows console application is included.) It is available for downloading as a gzipped TAR archive and documented in an included manual page, which you can also read on-line.

JavaScript One-time Pad Generator

C Language One-time Pad Generator Program


by John Walker
February, 1996
Updated: May 1997
Updated: November 2006
Updated: June 2012
Updated: June 2014