Hi, @sailnfool. Actually, that's how onetime already works -- it identifies pads by a SHA256 sum of a fixed number of bytes from the front of the pad (we don't hash the whole pad because some pads can be quite long, and it's good if the identification process can be completed in more or less constant time). See the ~/.onetime/pad-records file for some examples of pad-record entries (that file will be automatically generated if you use onetime).
The original ticket #29 on GitHub was actually about something different. The OP had written:
imho it is a security risk to publish the full checksum of the used pad.
normally it is enough to check the last 5-10 chars of it. I have never seen two nearly similar md5sums for example. Could you change it?
However, I don't see how there is any particular security risk. The purpose of the sum is to uniquely identify the pad, the pad cannot be determined from the sum, and if an attacker has the pad anyway then it makes no difference whether they confirm it via a partial sum or a full sum (plus they probably have other ways to confirm it in any case). So I'll close that upstream ticket now.
I suggest that as part of the information kept about the usage of PADs that you keep a cryptographic hash (e.g. sha512) of the PAD. A user may accidentally rename a previously used PAD and leak data via the re-use. I would suggest that as part of the data about the PAD you store the cryptographic hash of the PAD (and all other PADs) in a hash file. In the event that a PAD is a simple rename of a previously created PAD (I prefer to use the term OTP), then it would show up with an identical cryptographic digest.
It is a simple matter to generate the digest:
echo -e "$(openssl dgst -sha512 PAD)\tPAD" >> ~/.onetime/pad-records/hashvalues
If you want to see the list of possible cryptographic hash digests to use:
openssl dgst -list
I have used simple tab separated key/value text files to load and save associative arrays in bash.
I would probably be inclined to enhance the above in bash to:
digestname=sha512
echo -e "${digestname}:$(openssl dgst -${digestname} PAD)\t PAD" >> ~/.onetime/pad-records/hashvalues
With the above, the entries are sorted by digest type (better than checksums) and then by the value of the cryptographic hash digest.
As a bash hacker I have used the associative arrays so that in the process of loading this simple text file into a key/value associative array, you could identify any duplicates of a PAD that was re-named.
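The two ideas in this thread, identifying a pad by a digest of a fixed-size prefix and catching a renamed pad by looking that digest up in a record file, combined in one added example; it is not OneTime's code and not from either poster. PREFIX_BYTES, the record layout "sha256:<hex><TAB><path>" and the separate records file are assumptions for illustration, and sha256sum stands in for the openssl command shown above.

```sh
#!/bin/sh
# Added example (not OneTime's code). PREFIX_BYTES and the record layout
# "sha256:<hex><TAB><path>" are assumptions made for this illustration.
PREFIX_BYTES=1024

# Print the hex SHA-256 of the first PREFIX_BYTES bytes of pad file $1.
# Hashing a fixed-size prefix keeps the cost constant however long the pad is.
pad_id() {
    head -c "$PREFIX_BYTES" < "$1" | sha256sum | cut -d' ' -f1
}

# record_pad RECORDS PAD
#   0: PAD is new (appended) or already recorded under this same path
#   1: digest already recorded under a different path; that path is printed
#   2: PAD is not readable
record_pad() {
    rp_records=$1
    rp_pad=$2
    [ -r "$rp_pad" ] || return 2
    rp_id="sha256:$(pad_id "$rp_pad")"
    rp_prior=""
    if [ -f "$rp_records" ]; then
        rp_prior=$(awk -F '\t' -v id="$rp_id" '$1 == id { print $2; exit }' "$rp_records")
    fi
    if [ -z "$rp_prior" ]; then
        printf '%s\t%s\n' "$rp_id" "$rp_pad" >> "$rp_records"
        return 0
    fi
    [ "$rp_prior" = "$rp_pad" ] && return 0
    printf '%s\n' "$rp_prior"
    return 1
}

# Constructed demo: a pad, a renamed copy of it, and an unrelated pad.
demo() {
    d=$(mktemp -d) || return 2
    head -c 4096 /dev/urandom > "$d/pad-a"
    cp "$d/pad-a" "$d/pad-renamed"
    head -c 4096 /dev/urandom > "$d/pad-b"
    for p in pad-a pad-renamed pad-b; do
        if dup=$(record_pad "$d/records" "$d/$p"); then
            echo "$p: recorded"
        else
            echo "$p: REUSE, same pad as $dup"
        fi
    done
    rm -rf "$d"
}
demo
```

A pad shorter than PREFIX_BYTES is hashed whole, and two distinct pads would only share an identifier if their first PREFIX_BYTES bytes were identical.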
Karl Fogel (a61c3a19) at 10 Sep 05:43
Reflect move from GitHub to code.librehq.com
This was originally https://github.com/kfogel/OneTime/pull/32. It's closed now.
I'm reflecting all the GitHub OneTime issues over here at code.librehq.com, preserving ticket numbers. For closed tickets like this one, I'm not bothering to copy over any of the details. (There's a way to import them all properly into GitLab, but there aren't enough issues to make it worthwhile to learn how to do that. Instead, I'm just copying them over by hand.)
See https://github.com/kfogel/OneTime/issues/31. I think the issue there is just that the person is using a very old version of OneTime (on the other hand, my bad for not making an official release for so long!).
OneTime has moved over here to code.librehq.com GitLab, but there are still some open issue tickets and PRs over at GitHub. I haven't ported them all over; we'll just improvisatorily refer to them from here until they're closed. New tickets should be filed here, of course.
This was originally https://github.com/kfogel/OneTime/pull/30. It's closed now.
I'm reflecting all the GitHub OneTime issues over here at code.librehq.com, preserving ticket numbers. For closed tickets like this one, I'm not bothering to copy over any of the details. (There's a way to import them all properly into GitLab, but there aren't enough issues to make it worthwhile to learn how to do that. Instead, I'm just copying them over by hand.)
See https://github.com/kfogel/OneTime/issues/29.
(OneTime has moved over here to code.librehq.com GitLab, but there are still some open issue tickets and PRs over at GitHub. I haven't ported them all over; we'll just improvisatorily refer to them from here until they're closed. New tickets should be filed here, of course.)
This was originally https://github.com/kfogel/OneTime/pull/28. It's closed now.
I'm reflecting all the GitHub OneTime issues over here at code.librehq.com, preserving ticket numbers. For closed tickets like this one, I'm not bothering to copy over any of the details. (There's a way to import them all properly into GitLab, but there aren't enough issues to make it worthwhile to learn how to do that. Instead, I'm just copying them over by hand.)
See https://github.com/kfogel/OneTime/issues/27.
(OneTime has moved over here to code.librehq.com GitLab, but there are still some open issue tickets and PRs over at GitHub. I haven't ported them all over; we'll just improvisatorily refer to them from here until they're closed. New tickets should be filed here, of course.)
DomT4 at GitHub kindly reported this bug -- see https://github.com/kfogel/OneTime/issues/26.
(OneTime has moved over here to code.librehq.com GitLab, but there are still some open issue tickets and PRs over at GitHub. I haven't ported them all over; we'll just improvisatorily refer to them from here until they're closed. New tickets should be filed here, of course.)
See https://github.com/kfogel/OneTime/issues/25.
(OneTime has moved over here to code.librehq.com GitLab, but there are still some open issue tickets and PRs over at GitHub. I haven't ported them all over; we'll just improvisatorily refer to them from here until they're closed. New tickets should be filed here, of course.)
See https://github.com/kfogel/OneTime/issues/24.
(OneTime has moved over here to code.librehq.com GitLab, but there are still some open issue tickets and PRs over at GitHub. I haven't ported them all over; we'll just improvisatorily refer to them from here until they're closed. New tickets should be filed here, of course.)
See https://github.com/kfogel/OneTime/issues/23.
(OneTime has moved over here to code.librehq.com GitLab, but there are still some open issue tickets and PRs over at GitHub. I haven't ported them all over; we'll just improvisatorily refer to them from here until they're closed. New tickets should be filed here, of course.)
This was originally https://github.com/kfogel/OneTime/pull/22. It's closed now.
I'm reflecting all the GitHub OneTime issues over here at code.librehq.com, preserving ticket numbers. For closed tickets like this one, I'm not bothering to copy over any of the details. (There's a way to import them all properly into GitLab, but there aren't enough issues to make it worthwhile to learn how to do that. Instead, I'm just copying them over by hand.)
This was originally https://github.com/kfogel/OneTime/pull/21. It's closed now.
I'm reflecting all the GitHub OneTime issues over here at code.librehq.com, preserving ticket numbers. For closed tickets like this one, I'm not bothering to copy over any of the details. (There's a way to import them all properly into GitLab, but there aren't enough issues to make it worthwhile to learn how to do that. Instead, I'm just copying them over by hand.)