One Time Pads & Keys
How It Works
One Time Pads and One Time Keys are essentially the same thing, except that the Keys are usually somewhat shorter than the Pads and are generally used for authentication rather than for the transmission of information. They are also the strongest form of encryption available. The idea is that you create a stream of random characters and combine each character of your message with the corresponding character in the keystream (in practice, by XOR-ing the bytes). Only someone holding the identical key can decrypt the message: because every key value is equally likely, every plaintext of the same length is equally consistent with the ciphertext, so no amount of analysis of the ciphertext alone can single out the right one. The One Time Pad is the only practical cipher with a mathematical proof of this "perfect secrecy" (Shannon, 1949), and the proof holds only if each character of the pad was created randomly.

The quality of that randomness is crucial. A one time pad generated using the standard "RAND" functions available in most programming languages or spreadsheets would be massively insecure, because these functions do not generate true randomness. Some argue that the only truly random events in the universe are quantum events such as the decay of radioactive nuclei, and that only data derived from such events can be called random. Anything less, it is argued, is "deterministic" and can therefore be predicted by anyone who knows both the algorithm and the initial conditions under which the random data was created. This is undoubtedly true, but it does not represent a huge barrier. The point of using random data is that it is, by definition, completely unpredictable: you cannot deduce, from any character or run of characters within the data, what the next character (or any other character) is likely to be. The benefit of this unpredictability can be seen if we consider a "known plaintext" attack.
Let's imagine we have intercepted a message from Alice to Bob encrypted with a truly random one time pad, and we have good reason to believe that the opening words of the message are "Happy Birthday Bob". That information allows us to work backwards and figure out what the one time pad characters under those words must have been. But it stops right there. We still have no way of knowing what else was said, because those "used" characters are not part of any pattern and tell us nothing about the remaining characters in the pad. So the rest of the message remains completely undecipherable. Contrast this with the situation where we have reason to believe the keystream was generated using a known PRNG, and we also know what range of seeds is likely to have been used to initialise the generator. "Happy Birthday Bob" gives us part of the keystream, and with a few minutes' effort by our computer we can brute-force the seeds and generate the rest of the keystream using our own copy of the PRNG. Now the entire message (and possibly several before and after, if the same keystream has been used) is available for our inspection. In short, if there is any way to deduce the connection between the value of one character and the next, and thus to predict the content of a one time pad, then it is effectively useless.

However, whereas genuine randomness might be difficult to obtain without exotic sources such as radioactivity, genuine unpredictability is not so difficult and is just as effective in practice. Cryptographically strong PRNGs, initialised by long and strong seeds, can serve the purpose, as can "entropy gatherers" such as ps_Rand and Intel's CPU-based RNG. Strictly speaking, a keystream expanded from a seed by a PRNG is a stream cipher rather than a One Time Pad: the proof of perfect secrecy no longer applies, and security becomes computational, resting on the seed being too long to brute-force and on the generator having no known shortcut. Both methods are capable of producing streams of apparently unpredictable data good enough to pass all reasonable tests of randomness (such as the Diehard tests created by George Marsaglia), but passing such tests is a necessary check rather than a proof: a deterministic generator seeded from a predictable value passes them just as well as a good one, and its output is still entirely predictable to anyone who can guess the seed.
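The two attacks described above, as an added worked example (this is not code from the original page or from Codel): a byte-wise XOR one time pad, a known-plaintext recovery of the pad characters under "Happy Birthday Bob", and the same recovery against a keystream from a deterministic generator with a guessable seed, where a brute-force search over the seed range unlocks the whole message. The message text, the seed range and the choice of Python's Mersenne Twister as the "known PRNG" are constructed for the example; os.urandom stands in for a true random source, and the two_time_pad_leak function illustrates the pad-reuse case mentioned in passing above.

```python
import os
import random

# Constructed sample message and the prefix the attacker is assumed to know.
MESSAGE = b"Happy Birthday Bob. The new serial numbers ship on Tuesday."
KNOWN_PREFIX = b"Happy Birthday Bob"


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (the 'combine each character' step)."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """One time pad: each message byte is XORed with the corresponding pad byte.
    The pad must be at least as long as the message; only the needed prefix is used."""
    if len(pad) < len(plaintext):
        raise ValueError("pad shorter than message")
    return xor_bytes(plaintext, pad[:len(plaintext)])


# XOR is its own inverse, so decryption is the same operation as encryption.
otp_decrypt = otp_encrypt


def recover_pad_prefix(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext attack: ciphertext XOR plaintext gives the pad bytes under
    the known text. With a truly random pad this tells the attacker nothing about
    the remaining pad bytes, so the rest of the message stays undecipherable."""
    n = len(known_plaintext)
    return xor_bytes(ciphertext[:n], known_plaintext)


def two_time_pad_leak(ciphertext1: bytes, ciphertext2: bytes) -> bytes:
    """If a pad is reused, XORing the two ciphertexts cancels the pad and leaves
    plaintext1 XOR plaintext2 (over the shared length), independent of the key."""
    n = min(len(ciphertext1), len(ciphertext2))
    return xor_bytes(ciphertext1[:n], ciphertext2[:n])


def prng_keystream(seed: int, length: int) -> bytes:
    """Keystream from a deterministic, non-cryptographic generator (Python's
    Mersenne Twister), standing in for a 'known PRNG' with a guessable seed."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


def brute_force_seed(ciphertext: bytes, known_plaintext: bytes, max_seed: int):
    """Recover the keystream prefix from the known plaintext, then try every seed
    in the assumed range until the generator reproduces that prefix."""
    target = recover_pad_prefix(ciphertext, known_plaintext)
    for seed in range(max_seed):
        if prng_keystream(seed, len(target)) == target:
            return seed
    return None


def break_prng_message(ciphertext: bytes, known_plaintext: bytes, max_seed: int):
    """Once the seed is known the attacker regenerates the whole keystream and
    reads the entire message, not just the part under the known plaintext."""
    seed = brute_force_seed(ciphertext, known_plaintext, max_seed)
    if seed is None:
        return None
    return otp_decrypt(ciphertext, prng_keystream(seed, len(ciphertext)))


if __name__ == "__main__":
    # Case 1: a pad from the OS random source. The attacker learns exactly the
    # pad bytes under the known prefix and nothing more.
    pad = os.urandom(len(MESSAGE))
    ct = otp_encrypt(MESSAGE, pad)
    print("pad under known prefix:", recover_pad_prefix(ct, KNOWN_PREFIX).hex())
    print("rest of ciphertext (still opaque):", ct[len(KNOWN_PREFIX):].hex())

    # Case 2: the same message under a PRNG keystream whose seed lies in 0..9999.
    ct_weak = otp_encrypt(MESSAGE, prng_keystream(4242, len(MESSAGE)))
    print("recovered from weak keystream:",
          break_prng_message(ct_weak, KNOWN_PREFIX, 10_000))
```

In the first case the recovered bytes are the pad itself and nothing more; in the second the 18 recovered bytes identify the seed, and the seed gives away everything the generator ever produced. The search here is a toy (ten thousand seeds); the same attack against a real deployment is bounded only by how guessable the seed is, which is exactly why the seed, not the generator, is the thing to protect.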
The entropy gatherers can be considered superior because their keystream could only be "broken" if the machine creating it was being monitored at a low level during the process of creation. An attacker capable of that level of monitoring could equally read the message before it was encrypted, or simply steal a copy of the keystream. In the case of the PRNGs, the algorithms are generally known (and a generator is even less trustworthy if its algorithm is not known), so the security of the entire keystream depends completely on the security and strength of the seeds. Stealing those seeds might be a lot easier than the monitoring required to break an entropy gatherer.

In conclusion: if the pad is genuinely random, at least as long as the message, used once only and kept secret from everyone but Alice and Bob, then, and only then, is it possible to provide a mathematical proof that "Eve" cannot learn what Alice has sent to Bob using the Pad or Key. The reason this otherwise perfectly secure encryption technique is not used as a general default for web based communications is the Key Distribution Problem: the pad itself has to reach the other party over a channel that is already secure. Codel, however, with one or two of its products (primarily the anti-counterfeiting protocol) does not face the Key Distribution Problem, because we need to visit each site in order to integrate the software which creates the VRs into the manufacturer's system. While we are there, it makes sense to establish secure links to the Codel database using the most secure encryption system available.