[1722] in cryptography@c2.net mail archive
Crypto in real life
daemon@ATHENA.MIT.EDU (John R Levine)
Thu Oct 9 14:23:19 1997
Date: Thu, 9 Oct 1997 12:12:38 -0400 (EDT)
From: John R Levine <johnl@iecc.com>
To: cryptography@c2.net
Here's part of an exchange I've had in a public mailing list with the
vendor of a commercial crypto program. I pointed out that black box
cryptosystems aren't trustworthy, but she seems utterly unable to
understand what my concern is.
She does say that Bruce Schneier developed the it, which is
encouraging, but I can't tell whether she means that he developed
Blowfish, or that he developed the program they're selling.
Evidently Infoworld, Wugnet, et al. are now qualified to evaluate
crypto software. Wow.
Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner
Finger for PGP key, f'print = 3A 5B D0 3F D9 A0 6A A4 2D AC 1E 9E A6 36 A3 47
---------------------------------------------
From: penny@authentex.com (Penelope Whitelock)
To: "'johnl@iecc.com'" <johnl@iecc.com>
Cc: "'net-lawyers@peach.ease.lsoft.com'"
<net-lawyers@peach.ease.lsoft.com>
Subject: FW: [NET-LAWYERS] Any programs combining BeyondMail and PGP?
Date: Tue, 7 Oct 1997 17:14:54 -0400
John Levine wrote;
My, that was one heck of a fine piece of puffery. Datasafe looks like
a reasonably good program so long as you're sure that every single one
of your correspondents is running a Windows mail program that handles
attachments, but I wouldn't dream of using it for serious security at
this point. Why? Because it's a black box crypto system.
Cryptography is very difficult, and subtle errors can turn a very
secure system into a totally porous one. One of the reasons that
people trust PGP is that the source code is widely available, has been
studied at length by many people other than the author, and the system
has been attacked unsucessfully by friend and foe alike. Datasafe
uses an algorithm called blowfish which is indeed quite secure if
implemented correctly, but there's a lot more to a reliable crypto
system than the choice of algorithm. Since Datasafe is new and as far
as I know the source code isn't available for examination, it's as
likely as any other new program to contain unknown bugs. Maybe the
bugs introduce security flaws, maybe they don't. The problem is that
I can't tell and neither can anyone else.
Unfortunately, an easy-to-use highly reliable crypto system is close
to an oxymoron. Nearly anything you can do to make a crypto system
more convenient makes it less secure. One has to make tradeoffs,
consider how valuable the encrypted material is and how difficult
other non-crypto techniques for obtaining it are, then decide how much
time and money to spend on crypto. But I would be very sceptical of
a system that was both untried and designed for ease of use.
----------------------
John,
If you can't figure out what makes Blowfish tick, does that mean its
is no good and impossible to break. On the contrary.
The Authentex DataSAFE program has been evaluated by and reported on
in a number of computing magazines, (Windows Magazine, Secure
Computing, Internet World, PC World, etc....) is endorsed by the
WUGNET group, is on Microsofts WinList, is endorsed by TUCOWS,
etc....AND was developed by Mr. Bruce Schneier, a well respected,
published and recognized cryptography expert whom will gladly discuss
the BLOWFISH algorithm with anyone.
The Authentex DataSAFE program never said it was compliant with
anything but WINDOWS, and as far as mail programs which support file
attachments, there are many (Microsoft Mail, Microsoft Exchange,
Netscape Mail, Lotus Mail, Lotus Notes, etc.....) and Authentex
DataSAFE is compliant with them all. Documentation exists on the
problems other encryption programs, such as PGP, have in their
compatibility with such mail programs.
All I am saying is, there are new developments in encryption programs
everyday and while we should all proceed with caution lets not be so
paranoid and biased that we halt in our tracks! Until there is a
problem, lets not assume there is one. The program has been around
for some months and so far no one has found a problem in Authentex
DataSAFE ............so maybe insinuating there is one is a bit
pre-mature. If the Authentex DataSAFE product is projecting false
information please prove it, otherwise it is pure folly. By the way,
check out the news release regarding Authentex and RSA, it's on the
website. Seems the "experts" are favouring the Authentex technology
after all!
Penny
--
