Re: Meganet on Cryptogram again
From: Mxsmanic (mxsmanic_at_hotmail.com)
Date: 09/17/03
- Next message: Mxsmanic: "Re: Meganet's "unbreakable" cryptography? I'm skeptical."
- Previous message: Russ Lyttle: "Re: A stupid text trick - Example of the redundancy of English text"
- In reply to: Scott Contini: "Re: Meganet on Cryptogram again"
- Next in thread: David Wagner: "Re: Meganet on Cryptogram again"
- Reply: David Wagner: "Re: Meganet on Cryptogram again"
- Reply: Richard Heathfield: "Re: Meganet on Cryptogram again"
- Reply: Erwann ABALEA: "Re: Meganet on Cryptogram again"
- Reply: Scott Contini: "Re: Meganet on Cryptogram again"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 17 Sep 2003 05:44:56 +0200
Scott Contini writes:
> They need to revoke their claims about it being as strong as a one time pad.
> They completely misunderstand why this is wrong. This in itself is a sign
> of non-expertise in the field.
This is an appeal to authority, and it is a dangerous fallacy.
If Meganet's algorithm is insecure, then someone needs to prove that by
breaking it. If nobody breaks it, then Meganet can claim that it is
unbreakable, and this claim will be effectively valid.
It doesn't matter how theoretically insecure the algorithm might be. If
nobody ever attacks it because they take for granted that it is too
insecure to be worthy their valuable time, then the algorithm could been
even a simple XOR and it would still be secure for Meganet's customers.
The security of their algorithm would depend on psychology, rather than
cryptographic principles, perhaps, but that really doesn't matter as
long as it is effective in protecting their customer's data.
Frankly, people who claim that Meganet's algorithm is insecure do not
impress me unless they actually break the algorithm to prove it. Taking
things for granted is not a prudent course of action in cryptography,
and while it is usually best not to assume that an algorithm is secure,
neither is it particularly wise to assume that it is insecure.
> Meganet misses the point that if they want experts to endorse
> their security product, then they have to make their algorithm and code
> easily accessible and easily readable.
Why bother? Nobody is willing to attack their algorithm, which is a
major selling point in itself.
> Meganet claims that disassembly of their code should be easy
> to do for encryption experts. Encryption experts are not going
> to waste many hours of valuable time disassembling
> some product that has not proven itself in anyway.
You have it backwards. As long as nobody is willing to "waste many
hours of valuable time" to crack the algorithm, it is effectively
secure. Meganet wins, and the "experts" lose, because they are too lazy
to do anything but criticize.
All I see here is attacks on Meganet the company, not Meganet's
encryption. Until someone successful attacks the encryption, it's all
just words.
> Meganet misses the point about ciphertext-only challenges. Again, this
> shows lack of expertise in the field.
If you judge algorithms based on appearances, then a company that "shows
expertise" should have secure algorithms that don't need to be verified,
right? So why ever bother to attack algorithms at all? You can just
trust or distrust the authors, and not "waste valuable hours" of time
actually trying to prove or disprove the security of their inventions.
> People that make blunders such as this and the other blunders
> they have made (such as comparing it to a one-time pad) have no
> knowledge of cryptanalyst methods.
But they do have knowledge of psychology. They've invented a
cryptographic algorithm that nobody is willing to attack. So it is
effectively secure.
> Algorithms designed by such people are almost inevitably insecure.
"Almost inevitably"? So how do you identify the exceptions, without any
cryptanalysis?
> But Meganet does not understand the models of attack, and why
> their challenges fail to demonstrate security.
Sounds like their challenges demonstrate security pretty well, since
nobody takes them up.
> If Meganet wants endorsement by the crypto community, here are two
> suggestions:
Forget endorsement. Only the results of real cryptanalysis count.
Until an algorithm has been actually attacked, it may or may not be
secure. Declaring it insecure _de jure_ simply because one holds the
authors of the algorithm in contempt just isn't very cogent.
> Security experts are not going to waste their time on stupid challenges
> that show no knowledge of BASIC security concepts.
They aren't spending time on these challenges because Meganet's
algorithm is unbreakable.
> It only further justifies why people should ignore this
> snake oil product.
Essentially because you say so? That boils down to trusting people
rather than trusting algorithms, which is a dangerous path to tread in
cryptography. Trust, but verify.
-- Transpose hotmail and mxsmanic in my e-mail address to reach me directly.
- Next message: Mxsmanic: "Re: Meganet's "unbreakable" cryptography? I'm skeptical."
- Previous message: Russ Lyttle: "Re: A stupid text trick - Example of the redundancy of English text"
- In reply to: Scott Contini: "Re: Meganet on Cryptogram again"
- Next in thread: David Wagner: "Re: Meganet on Cryptogram again"
- Reply: David Wagner: "Re: Meganet on Cryptogram again"
- Reply: Richard Heathfield: "Re: Meganet on Cryptogram again"
- Reply: Erwann ABALEA: "Re: Meganet on Cryptogram again"
- Reply: Scott Contini: "Re: Meganet on Cryptogram again"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
