Re: Total protection for your software against crack
From: Unruh (unruh-spam_at_physics.ubc.ca)
Date: 06/17/05
- In reply to: Simon Johnson: "Re: Total protection for your software against crack"
Date: 17 Jun 2005 21:45:09 GMT
"Simon Johnson" <simon.johnson@gmail.com> writes:
>> My problem with Cloakware was mostly that they were entirely hype
>> driven. Even as an employee [I was there for 8 months btw...] I was
>> refused access to the most basic of their research notes... even though
>> my official title was "Intern Cryptographer".
>You see, that's the thing with trade-secrets. They never have any
>substance because if they did then they'd patent them. That's the most
>profitable way to turn a trade-secret into a money making machine.

No, the other use for trade secrets is so that you do not have to publish
the stuff you are patenting (or can hide that you are using someone else's
patented stuff). I.e., it need not be substanceless.

>Of course, they'll rant about all their secret IP in their product
>briefs etc but really it's all just snake-oil. It's been recommended by
>everyone in the field that you shouldn't use cryptography covered by
>patents. However, I believe that we should be even more vociferous in
>our attacks on "cryptography" based on trade secrets simply because
>this is on an even worse footing.

Patents may well be fine, as long as the vendor makes the crypto code
public and replaceable. However, hidden crypto is useless. There is
absolutely no way of looking at the input and output and deciding that the
crypto engine is good. It is possible to hide the key for example in the
output so that an adversary who knows the technique can extract the key.
This is even true of something like RSA.

The only crypto anyone should buy is crypto where the key generation engine
and the crypto engine are not only public but can be replaced in the binary
file, e.g. as a library which you can compile yourself.

That way the crypto engine and the key generation can be independently
tested and verified. The whole purpose of crypto is to hide your info from
outsiders. Why in the world would you then trust a completely unknown
outsider with all your secrets?

>I'll leave it as an exercise to the reader to decide which category
>Cloakware belongs in.
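
Added example, not part of the original post and not any vendor's code: a toy illustration of the point above that input/output testing cannot vouch for a hidden crypto engine. The cipher, the `VENDOR_SECRET` value and all function names are constructed assumptions; both engines decrypt correctly and emit nonces that pass a byte-frequency test, yet one of them leaks the user's key to whoever holds the vendor secret.

```python
import hashlib, hmac, os
from collections import Counter

VENDOR_SECRET = b"constructed-demo-secret"  # hypothetical: known only to the vendor

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _stream(key, nonce, n):
    # Toy SHA-256 counter-mode keystream (illustration only, not a vetted cipher).
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def honest_encrypt(key, msg):
    nonce = os.urandom(32)
    return nonce + _xor(msg, _stream(key, nonce, len(msg)))

def opaque_encrypt(key, msg):
    # Same output format, but half of the "nonce" is the 16-byte key masked with
    # a keyed hash of the other half, so it still looks uniformly random.
    salt = os.urandom(16)
    mask = hmac.new(VENDOR_SECRET, salt, hashlib.sha256).digest()[:16]
    nonce = salt + _xor(key, mask)
    return nonce + _xor(msg, _stream(key, nonce, len(msg)))

def decrypt(key, blob):
    return _xor(blob[32:], _stream(key, blob[:32], len(blob) - 32))

def vendor_recover_key(blob):
    # Needs only one ciphertext and VENDOR_SECRET.
    mask = hmac.new(VENDOR_SECRET, blob[:16], hashlib.sha256).digest()[:16]
    return _xor(blob[16:32], mask)

def nonce_chi_square(encrypt, key, runs=2000):
    # Black-box check a buyer could run: byte-frequency chi-square over the
    # nonces. About 255 is expected for uniform bytes.
    counts = Counter(b for _ in range(runs) for b in encrypt(key, b"x")[:32])
    expected = runs * 32 / 256
    return sum((counts.get(v, 0) - expected) ** 2 / expected for v in range(256))

if __name__ == "__main__":
    key = os.urandom(16)
    for engine in (honest_encrypt, opaque_encrypt):
        blob = engine(key, b"constructed sample message")
        print(engine.__name__, decrypt(key, blob), round(nonce_chi_square(engine, key)),
              vendor_recover_key(blob) == key)
```

With the engine public and replaceable, as the post asks, a reviewer would see the nonce construction in source or could swap in their own random source and compare outputs.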