Re: Algorithms to generate permutations
From: BRG (brg_at_nowhere.org)
Date: Thu, 04 Aug 2005 12:07:51 +0100
> BRG wrote:
>> Crypto@S.M.S wrote:
>>>> There are a few (typically specialist) applications where this extra
>>>> protection can be valuable, an example being situations where
>>>> is needed for several decades or more.
>>> CryptoSMS is one such "specialist" application.
>> I took a quick look at your web pages and I don't see anything to
>> suggest that CryptoSMS is a specialist application. It is a general
>> purpose product that attempts to add security to SMS messaging.
> It is "specialist" in that it only runs on PocketPCs and SmartPhones.
>> Quite apart from the security problems raised by others, it lacks
>> important characteristics that I would expect to see in a specialist
>> high security product intended for such use.
> What are these "important characteristics"?
There are quite a few things that are absent but two I will mention are:
(a) a design document including a threat model, a security design
specification and an analysis that shows how the design successfully
counters the threats described in the model;
(b) an independent validation of the design and implementation to
national or international security assurance standards such as those set
The essential difference between general and specialist information
security products is that the latter provide a high level of confidence
in the security claims made by their suppliers because these claims have
been independently scrutinised and verified to recognised standards of
Designs that are going to be independently verified in this way are very
costly to produce and very costly to validate. In consequence the
resulting products are extremely expensive and this makes them
specialist in nature.
In consequence most of us don't bother and simply accept that our
security will be measured in 10's of bits rather than 100's if we are
ever unfortunate enough to face a determined and well resourced
attacker. Fortunately the protection provided by the 'needle in a
haystack' phenomenon can come to our rescue provided that we take
_other_ (i.e. non-cryptographic) measures to protect ourselves.
Risible claims of 1000's of bits of cryptographic protection in software
products such as CryptoSMS serve only to discredit those who make them.