Roedy Green said:
The key to doing One Time Pad is you must implement the algorithm
yourself or at least go over the source with a fine tooth comb and the
compiled version as well, to make sure there is no code there that
does not need to be.
That assumes you trust the compiler. So you'd have to write your own
compiler. You can't write your own compiler in Java though, 'cause you'd
have to compile that compiler, and you don't trust the compiler. You can't
write it in assembly language though, 'cause you'd have to trust the
assembler/linker. Maybe use a hex editor and write it directly in machine
code. But then you'd have to trust the hex editor.
So your best bet is to build a read-only USB key from scratch, where the
data on the USB key is the executable for your assembler, from which you can
write your one time pad algorithm in assembly.
That of course assumes you trust your CPU. Just because you send it one
set of instructions doesn't mean it might not execute a different set.
And even then, there's lots of devices in between your USB key and the
CPU that could nefariously insert malicious code along the way. The USB host
device, the data/control BUS, the offboard cache, etc.
While building your USB key, you can't buy ready made transistors and
such from radioshack, as they might be under control of the goverment too.
Oh, and you can't trust your senses. You may think you're sitting in
your basement, smelling dampness, and touching screw drivers and electronics
parts, but this might all be an drug induced hallucination as the men in
black peer into your dreams to try to find out your secrets.
At some point, you're going to have to trust something. As I mentioned
elsewhere in this thread, I haven't read the source code for my PGP
binaries, nor have I compiled them from source; I just downloaded the
binaries and use them. I trusted them. Maybe I was naive.
- Oliver