Re: crypto for criminals?
Date: Sun, 03 Jul 2005 10:26:16 +1000
Tom St Denis wrote:
> Dane Metcalfe wrote:
> In the real world it's upto the designer to prove their worth.
> This guy is layering on various diffrent algorithms all of which have
> differing levels of security [some are broken even] in a vain attempt
> to say "you have to break all these first".
That is *exactly* what you would have to do.
See the related thread "Needle in a haystack", also in Sci.Crypt,
and pay special attention to the articles by Terry Ritter, for
> First off, that's bad engineering. Perhaps it could be secure [I'm not
> saying one way or the other without seeing code] but it's also
> inefficient. It's the job of a competent cryptographer to not only
> address the security needs but also to do so with a minimal use of
> resources. In this, he fails miserably.
> Second, nowhere on his site does he talk about authentication. So
> people can alter files and nobody is the wiser...
There are no files, so obviously you weren't really paying attention.
CryptoSMS saves nothing on the host system. No files, no keyrings,
no cipher text of any kind.
Or if by files you mean, messages, then no they can no be altered.
There is an internal MAC (for decryp verification) and an external CRC
(to confirm transmisson integrity).
> At anyrate it's not upto Joe to analyze it. Just to point out the
> clear "bad engineering" and infer that it's an amateur job.
Again, negative sounding terms throw out without the shred of evidence.