
Attack on Two-Time Pad

A general rule of cryptography is that the same keystream bytes must never be used more than once. Otherwise, the cipher becomes vulnerable to ciphertext-only attacks.

The following example shows how the security of the OTP cipher is affected by using the same keystream bytes twice:

c1 <- m1 XOR PRG(k)
c2 <- m2 XOR PRG(k)

Having the two ciphertexts, an eavesdropper is able to break the cipher just by XORing them together:

c1 XOR c2 = m1 XOR PRG(k) XOR m2 XOR PRG(k) = m1 XOR m2

The resulting byte sequence does not depend on the secret key. Because there is enough redundancy in natural languages and in ASCII encoding, the attacker is able to extract the original messages:

m1 XOR m2 -> m1, m2

Nowadays, well-designed symmetric ciphers combine the secret key bits with a value that is unique for every piece of data. In the simplest case, a regular counter can be used. It may be stored in a few bytes and it should increase with every iteration of the encryption algorithm. This guarantees effective encryption, without the risk of repeating the same secret key bits.
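The relation c1 XOR c2 = m1 XOR m2 and the effect of a unique per-message value can be checked directly. The following Python code is an added example, not part of the original page: the SHA-256 based `prg`, the helper names and the two sample messages are assumptions made for illustration.

```python
import hashlib

# Constructed sample plaintexts of equal length (not from the original page).
M1 = b"meeting moved to friday noon"
M2 = b"please rotate the backup key"

def prg(key: bytes, n: int, nonce: bytes = b"") -> bytes:
    """Toy PRG (assumption): SHA-256 over key || nonce || block counter."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, msg: bytes, nonce: bytes = b"") -> bytes:
    """c = m XOR PRG(k); decryption is the same operation."""
    return xor(msg, prg(key, len(msg), nonce))

def is_text(frag: bytes) -> bool:
    # ASCII letters and spaces only
    return all(b == 0x20 or 65 <= b <= 90 or 97 <= b <= 122 for b in frag)

def crib_drag(x: bytes, crib: bytes):
    """Slide a guessed word over x = m1 XOR m2. Where the guess matches one
    message, the XOR exposes the other message's bytes at that offset."""
    hits = []
    for i in range(len(x) - len(crib) + 1):
        frag = xor(x[i:i + len(crib)], crib)
        if is_text(frag):
            hits.append((i, frag))
    return hits

if __name__ == "__main__":
    key = b"constructed-key!"
    c1, c2 = encrypt(key, M1), encrypt(key, M2)   # same keystream used twice
    print(xor(c1, c2) == xor(M1, M2))             # the key has cancelled out
    print(crib_drag(xor(c1, c2), b" the "))       # readable candidate fragments
    n1 = encrypt(key, M1, b"\x00\x01")            # unique value per message
    n2 = encrypt(key, M2, b"\x00\x02")
    print(xor(n1, n2) == xor(M1, M2))             # the relation no longer holds
```

The guessed word " the " occurs in the second message at offset 13, so the fragment returned for that offset is the first message's text at the same position.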

Venona Project

During and after the Second World War, hundreds of cryptanalysts of intelligence agencies of the United States and the United Kingdom were collaborating against intelligence agencies of the Soviet Union. All the messages sent by Soviet spies and diplomats were constantly stored and analysed. The most important messages were encrypted with a One-Time Pad system.

Many secret Soviet messages were revealed due to a serious blunder on the part of the Soviets. Because of shortages of code books, the operators reused some parts of the secret OTP keys for encryption of multiple messages. Every page of the code book should have been used exactly once, and then it should have been destroyed.

This mistake broke the security of the One-Time Pad cipher. It allowed the Allies to decrypt many secret messages and gain an advantage over their communist opponents.


MS-PPTP

PPTP (Point to Point Tunnelling Protocol) is one of the communication protocols that make it possible to create virtual private networks (VPN) using tunnelling. The implementation of this protocol created by Microsoft was one of the most popular (used in Windows 98 and Windows NT), and also one of the most faulty. MS-PPTP has been considered cryptographically broken by Microsoft since 2012, and it is no longer recommended.

One of the MS-PPTP weaknesses is the lack of proper synchronisation between the client and the server. They use the same secret key (usually created from the user's password) in exactly the same way for sending their messages. Neither party makes its keystream unique by adding some unique numbers.

Encryption in the MS-PPTP protocol

The client groups its messages together and then encrypts them using the shared secret key. In the meantime, the same operations are performed by the server: it also groups its messages, encrypts them using the same shared secret key, and sends them to the client.

Because the secret key bytes used are the same, an attacker can eavesdrop on messages from the client and from the server that are encrypted with exactly the same keystream bytes. Having such data, the attacker has a good chance of breaking the cipher and recovering the original data.

802.11 WEP

802.11 is a group of IEEE (Institute of Electrical and Electronics Engineers) standards for wireless network protocols. Their older versions recommended the WEP (Wired Equivalent Privacy) standard (created in 1997) for encryption of wireless transmission.

WEP encryption

The messages exchanged between the client and the host are encrypted using the RC4 symmetric stream cipher. Both sides use the same 5-byte secret key for generating the keystream, so each side generates the same keystream. To ensure that every message is encrypted using different bytes, they add three additional bytes of the IV (initialisation vector) to every key sequence. The IV is attached unencrypted to each encrypted message, which allows the receiver to decrypt all messages.

However, because the IV has only 24 bits, its values begin to repeat after a relatively short time. It happens after around 16 million frames, so (if network traffic is high) after around 5 hours. Moreover, some devices reset the IV during a restart, which makes it possible to observe the same byte sequences even sooner.
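The per-frame key construction and the effect of an IV counter that restarts can be reproduced in a few lines. The following Python code is an added example, not part of the original page: `WepStation` and `find_iv_reuse` are hypothetical names, the big-endian IV counter is an assumption, the frames and key are constructed, and the CRC-32 integrity value that WEP appends to each frame is left out.

```python
def rc4(key: bytes, n: int) -> bytes:
    """RC4 keystream: key scheduling followed by n output bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

class WepStation:
    """Sender whose 24-bit IV counter starts from 0 again after a restart."""
    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def restart(self):
        self.counter = 0

    def send(self, msg: bytes):
        iv = (self.counter % 2**24).to_bytes(3, "big")   # wraps at 2^24 frames
        self.counter += 1
        ks = rc4(iv + self.secret, len(msg))   # per-frame RC4 key = IV || secret
        return iv, bytes(m ^ k for m, k in zip(msg, ks))   # IV travels in clear

def find_iv_reuse(frames):
    """Return {iv: [frame indexes]} for every IV seen more than once."""
    seen = {}
    for idx, (iv, _) in enumerate(frames):
        seen.setdefault(iv, []).append(idx)
    return {iv: idxs for iv, idxs in seen.items() if len(idxs) > 1}

if __name__ == "__main__":
    sta = WepStation(b"\x01\x02\x03\x04\x05")   # constructed 5-byte secret key
    frames = [sta.send(b"constructed frame A"), sta.send(b"constructed frame B")]
    sta.restart()                               # the IV counter is reset
    frames.append(sta.send(b"constructed frame C"))
    print(find_iv_reuse(frames))                # frames 0 and 2 share an IV
```

Frames that share an IV were encrypted with the same RC4 key and therefore the same keystream, so their ciphertexts XOR to the XOR of their plaintexts.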

There are a few other flaws that make WEP even less secure. Usually, regular counters are used for creating the IV. This makes the key bytes used for encrypting messages in both directions relatively similar. Moreover, some IV values are considered weak because they make it possible to attack specific bytes of the secret key. Because of all these weaknesses, WEP encryption can be broken in a very short time (within a few minutes).

In newer versions of IEEE standards, newer security protocols are recommended: WPA (Wi-Fi Protected Access) and WPA2.

Key Reinstallation Attack

Another example of an attack based on the two-time-pad vulnerability is the KRACK attack, presented in October 2017. Due to its complexity, it is described on a separate subpage.