fixed order; lowest card to highest card, in bridge suits. Perform the Solitaire operation, but instead of Step 5, do another count cut based on the first character of the passphrase (19, in this example). (Remember to put the top cards just above the bottom card in the deck, as before.) Do this once for each character. Use another two characters to set the positions of the jokers. Remember, though, that there are only about 1.4 bits of randomness per character in standard English. You're going to want at least an 80-character passphrase to make this secure; I recommend at least 120 characters. (Sorry, but you just can't get good security with a shorter key.)
SAMPLE OUTPUT
Here's some sample data to practice your Solitaire skills with:
Sample 1: Start with an unkeyed deck: A(clubs) through K(clubs), A(hearts) through K(hearts), A (diamonds) through K(diamonds), A(spades) through K(spades), A joker, B joker (you can think of this as 1-52, A, B). The first ten outputs are:
4 49 10 (53) 24 8 51 44 6 33
The 53 is skipped, of course. I just put it there for demonstration. If the plain text is:
AAAAA AAAAA
then the cipher text is:
EXKYI ZSGEH
Sample 2: Using keying method 3 and the key 'FOO,' the first fifteen outputs are:
8 19 7 25 20 (53) 9 8 22 32 43 5 26 17 (53) 38 48
If the plain text is all As, the cipher text is:
ITHZU JIWGR FARMW
Sample 3: Using keying method 3 and the key 'CRYPTONOMICON,' the message 'SOLITAIRE' encrypts to:
KIRAK SFJAN
Of course, you should use a longer key. These samples are for test purposes only. There are more samples on the website, and you can use the book's PERL script to create your own.
SECURITY THROUGH OBSCURITY
Solitaire is designed to be secure even if the enemy knows how the algorithm works. I have assumed that
That's why keeping the key secret is so important. If you have a deck of cards in a safe place, you should assume the enemy will at least entertain the thought that you are using Solitaire. If you have a bridge column in your safe deposit box, you should expect to raise a few eyebrows. If any group is known to be using the algorithm, expect the secret police to maintain a database of bridge columns to use in cracking attempts. Solitaire is strong even if the enemy knows you are using it, and a simple deck of playing cards is still much less incriminating than a software encryption program running on your laptop, but the algorithm is no substitute for street smarts.
OPERATIONAL NOTES
The first rule of an output-feedback mode stream cipher, any of them, is that you should never use the same key to encrypt two different messages. Repeat after me: NEVER USE THE SAME KEY TO ENCRYPT TWO DIFFERENT MESSAGES. If you do, you completely break the security of the system. Here's why: if you have two ciphertext streams, A + K and B + K, and you subtract one from the other, you get (A + K) — (B + K) = A + K — B — K = A — B. That's two plaintext streams combined with each other, and is very easy to break. Trust me on this one: you might not be able to recover A and B from A — B, but a professional cryptanalyst can. This is vitally important: never use the same key to encrypt two different messages.
Keep your messages short. This algorithm is designed to be used with small messages: a couple of thousand characters. If you have to encrypt a 100,000-word novel, use a computer algorithm. Use shorthand, abbreviations, and slang in your messages. Don't be chatty.
For maximum security, try to do everything in your head. If the secret police starts breaking down your door, just calmly shuffle the deck. (Don't throw it up in the air; you'd be surprised how much of the deck ordering is maintained during the game of 52-Pickup.) Remember to shuffle the backup deck, if you have one.
SECURITY ANALYSIS
There's quite a lot of it, but it's far too complicated to reproduce here. See http://www.counterpane.com, or write to
Counterpane Systems
1711 North Ave #16
Oak Park, IL 60302
LEARNING MORE
I recommend my own book,
Notes
1
