Re: My my, how time flies ...... it's been about "1 hour" -- anyone cracked CryptoSMS yet?

From: Joe Peschel (jpeschel_at_no.spam.org)
Date: 08/26/05 

Date: Fri, 26 Aug 2005 06:14:06 -0000

Crypto@S.M.S wrote in news:11gt8bfljnb73d2@news.supernews.com:

>>>
>>>Schneier's statement does not mention source code. It talks about
>>>algorithms, and you already know the algorithms used by CryptoSMS.
>>>That has been stated over&over. You know everything about these
>>>algorithms (and the order in which they are applied),
>>
>>
>> We don't know that the alorithms have been implemented properly.
>>
>
> Yes you do. On startup, CryptoSMS runs the published test vectors
> through all crypto-primitives and checks the results. Not just
> against a single vector, but against all well-known test sets.
> Every time CryptoSMS starts up it confirms its own implementation
> with this built-in self-test.

What are the well-known set of test vectors for 3IDEA-RC4-Blowfish. I've
never seen a set of officially recognized test vectors for such a menagerie
of ciphers. How we do know the CryptoSMS is actually checking those alleged
vectors without looking at the source code?

>
>>
>>>so the
>>>conditions of Kerckhoffs' Principle have been met.
>>
>>
>> No,they haven't been met. Kerckhoffs' principle said "the security of
>> a cryptosystem must depend only on the key." I'll repeat that: "Only
>> on the key."
>>
>
> You don't need source code to crack the message.
> You need only the algorithms, and the correct key.
> You know the algorithms, so your ability to "crack"
> the messages depends "Only on the key".

The source code is needed to check the security of your implementation.
There may be weaknesses in something other than the ciphers. Why do you
insist on keeping the source code a secret?

>
>>
>>>What in the above statements compels cryptosystem implementors to
>>>provide attackers with the source code?
>>>
>>
>>
>> This compels you to provide the source code: "In a well-designed
>> system, only the key needs to be secret; in fact, everything else
>> should be assumed to be public."
>>
>> Are you going to post the source code now, or are you going to keep
>> it a secret?
>>
>> J
>
> No, its owners have not approved that.

If you are going to continue to hawk the virtues of this system in
sci.crypt, you ought to get the owners to change their minds.

> If you were really trying to crack CryptoSMS messages,
> enough details have been posted for you to run the
> reference implementations of the stated algorithms;
> and, (assuming that you knew the key) you would indeed
> succeed in recovering the plain text.

If one is interested in ascertaining the strength of CryptoSMS, he is not
interested in looking at the reference implementations of the algorithms
you claim to use. Instead, he is interested in looking at the program's
source code.

J 

-- 
__________________________________________
http://www.impeach-bush-now.org
Joe Peschel 
D.O.E. SysWorks                                 
http://members.aol.com/jpeschel/index.htm
__________________________________________

Relevant Pages
Quantcast