In this guide, we will learn: What is an OTP in Computer Security? – guide 2023
The acronym OTP is used to refer to two different things in computer security. The older meaning is “One Time Pad”; in modern contexts it is much more likely to refer to “One Time Password/Passcode/PIN”. As you can probably guess from the shared use of the term “One Time”, there are some similarities.
One Time Pad – basics
A One Time Pad is a method of encryption. Theoretically, it is perfectly secure and impossible to crack. It’s not widely used though, because it has a variety of limitations and requirements that seriously hamper its viability in practice. The first issue is that the key on the pad must be truly random. Even the pseudo-random number generators (PRNGs) used for other cryptographic purposes aren’t random enough to be secure here. Any level of predictability in the key material compromises the perfect secrecy premise.
The key generation process must be completely secure. Additionally, the method of communicating the One Time Pad must be secure. All parties must then also continue to securely store the One Time Pads. Used one-time keys must also be securely disposed of. A One Time Pad doesn’t offer any authentication mechanism. An attacker that knows the plaintext and the ciphertext can recover the key. They can then use that to generate a different ciphertext, as long as they keep the message the same size or shorter. Finally, the message being encrypted can only be as long as the pre-generated key.
The use of the term “pad” comes from the fact that in most use cases, a decently sized series of one-time keys is distributed. A useful format is that of a notepad with a unique key on each page. When a message needs to be encrypted, the topmost page is used. The page is then typically removed and destroyed to prevent it from being compromised or reused.
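The following is an added example, not code from the original guide: a minimal pad of single-use XOR keys that enforces the rules above (message no longer than the key, each page consumed once) and shows that, with no authentication mechanism, a modified ciphertext decrypts without any error. It uses Python’s CSPRNG as a stand-in for the truly random source the text calls for.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR; output is as long as the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


class OneTimePad:
    """A 'pad' of single-use keys: the topmost page is torn off per message.
    secrets.token_bytes (a CSPRNG) stands in for a true random source here."""

    def __init__(self, pages: int, page_len: int) -> None:
        self._pages = [secrets.token_bytes(page_len) for _ in range(pages)]

    def take_page(self) -> bytes:
        if not self._pages:
            raise RuntimeError("pad exhausted: a key must never be reused")
        return self._pages.pop(0)  # removed so it cannot be used twice

    def pages_left(self) -> int:
        return len(self._pages)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # The message can only be as long as the pre-generated key.
    if len(plaintext) > len(key):
        raise ValueError("message longer than the one-time key")
    return xor_bytes(plaintext, key)


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    # Decryption is the same XOR; nothing here checks integrity.
    return xor_bytes(ciphertext, key)


def tamper_is_undetected(key: bytes, plaintext: bytes) -> bool:
    """Illustrates the missing authentication: flipping bits in the ciphertext
    changes the recovered plaintext, and decrypt() raises no error at all.
    A separate MAC would be needed to detect this."""
    ciphertext = encrypt(key, plaintext)
    forged = bytes([ciphertext[0] ^ 0xFF]) + ciphertext[1:]
    return decrypt(key, forged) != plaintext


if __name__ == "__main__":
    pad = OneTimePad(pages=3, page_len=32)
    page = pad.take_page()
    ct = encrypt(page, b"meet at dawn")  # constructed sample message
    print(decrypt(page, ct), pad.pages_left(), tamper_is_undetected(page, b"meet at dawn"))
```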
One Time Pad – complications
In practice, the fact that the One Time Pad must be securely generated, communicated, and stored, like any shared secret, makes it very difficult to use. For example, a One Time Pad is only as secure as the communication method. If you rely on HTTPS to securely communicate the pad, an adversary with the ability to break that TLS encryption to get the pad would then have no further issue decoding messages. As such, a digitally communicated pad doesn’t offer any additional security. When using a physical transmission method, e.g. a courier or a dead drop, the pad is either secure or it isn’t. This makes physical pads much more useful than digital pads. Additionally, computer-based One Time Pads are much harder to securely delete and face data remanence issues.
If a One Time Pad is compromised, it can be used to decrypt past messages. To avoid this, a used page is typically destroyed, often burned. This prevents the key from being reused or from being discovered. Assuming a pad is compromised but the destruction practice has been followed, past messages can’t be decrypted. Future messages encrypted with the remaining pages, however, could then be decrypted.
In practice, modern cryptography is typically more than secure enough. One advantage a One Time Pad has though is that it can be used by hand. Modern cryptography is very complex and needs a computer to be used efficiently. This makes One Time Pads useful in spycraft environments when messages need to be sent without using the Internet or computers. During the Cold War, spies often used One Time Pads printed on flash paper. Being made of nitrocellulose, a used page could be very quickly burned without generating any smoke.
One Time Password
A One Time Password is a secret string that can be used for authentication. It needs to remain secret; however, unlike a One Time Pad, it can’t be used to encrypt anything and has no specific randomness requirements. A common use case for One Time Passwords is in two-factor authentication. For example, a two-factor authentication app generates a one-use code based on the time and a secret to confirm your identity. The One Time Password doesn’t even necessarily have to be unique. Two-factor codes are often six digits. This provides enough randomness to make it extremely unlikely that an attacker can guess a valid one at the right time.
Some companies, such as banks, may also pre-generate a list of one-use passwords and mail them to their customers for use with online banking. The One Time Passwords in this case can’t be the same for everyone, but don’t necessarily need to be 100% unique in all cases.
One Time Passwords can be somewhat clunky from a user experience perspective. The passwords need to be securely transmitted and stored, or securely generatable. Phishing is also a risk. While One Time Passwords add an extra opportunity for a user to not fall for the phish, a user that has already been convinced to hand over their username and password will typically hand over the One Time Password too.
Conclusion
In computer security, OTP stands for One Time Pad or One Time Password. A One Time Pad is an encryption technique that offers perfect secrecy. It has, however, a number of requirements that make it awkward to use in practice, and it is generally very tricky to implement correctly on computers. One Time Pads can be used by hand though, making them useful for old-fashioned spycraft. One Time Passwords are secret strings that can be used to log you in. They can work alongside or instead of a traditional password. Two-factor authentication is one example of an implementation of One Time Passwords.