Re: ADVERT: Secure communications



robin_carey5@xxxxxxxxxxx (06-07-31 10:40:57):

The software provides secure (E-mail) communications facilities;
communications secrecy, user-authentication and data-integrity
verification.

Well, I didn't try it, but it has a few serious flaws, from what you say
about it in the "unique technological superiorities" list:


| The use of the L15 Stream Cipher which is a technological superiority
| in itself.

This is a claim, which is not proven in any way. I couldn't find a
single review of the algorithm, nor did anyone talk about it. By the
way, how could a random number generator based on ARC4 be secure at all?
How could it be even more secure than an LFSR-based generator?


| Innovative Cipher-Packet technique hides ciphertext in padding thus
| preventing cryptanalysis.

What does that mean, it "hides" ciphertext in padding? And how does
that prevent cryptanalysis?


| E-mail is encrypted using the RSA public-key cryptosystem thus
| eliminating security risks from symmetric ciphers.

What security risks? The security of RSA isn't even proven, and no
serious flaws have been found in AES or Twofish, or even Blowfish. And
how about sending a 16 MB file via e-mail? That would take hours to
encrypt with RSA. There is actually a reason to use symmetric ciphers
with RSA.


| The provision of secret-public-key facilities caters for high security
| scenarios.

How?


| Unorthodox (reversed) RSA encoding of data should provide a higher
| level of security relative to orthodox implementations.

First of all, RSA is no encoding. Now what is "reversed RSA
encryption"?


| Digital signatures are encrypted thus eliminating security risks from
| cryptographic hash functions (most of which have recently discovered
| security issues).

The recent security issues found in hash algorithms can't be used to
attack them, when used properly. Encrypting digital signatures,
however, is _not_ proper use, because signatures should help proving
that the message wasn't forged (and not only to the receiver). How are
they encrypted anyway? What about unencrypted signed-only messages?


| The software is supplied with a FreeBSD-4.11R /dev/[u]random
| replacement kit.

And that's more secure? Does it use L15 again?


Regards,
E.S.
.