Re: My my, how time flies ...... it's been about "1 hour" -- anyone cracked CryptoSMS yet?

From: Regis (
Date: 08/29/05

Date: Sun, 28 Aug 2005 18:52:59 -0400

On Sun, 28 Aug 2005 08:16:38 -0000, Joe Peschel <>

>That's not quite true; there can be instances where the combination of
>three ciphers is weaker than one.

Yes, in the case where none of the three ciphers have been properly
implemented. But if they HAVE been properly implemented, then three
ciphers combined are (at the very least) as strong as the first of the
individual ciphers being combined. This was already confirmed by
Maurer and Massey back in 1993. I don't know about you, but I have no
problems with trusting their findings...and would trust theirs over
those of any of the sci.crypt "experts" any day of the week.

>The source code of PGP has been available for a long time. It's probably
>the best known e-mail encryption program in the world.

The source code to PGP was only made available AFTER its reputation
had already been well-established, and AFTER it had sold millions of
dollars worth of software, and AFTER it was deemed to no longer be
financial suicide to release it.

>Maybe he didn't implement them correctly.

Or maybe he did.

>His program -- at least way he describes it -- has problems other than the
>lack of publicly available source code. I think we've covered those
>problems in various threads.

They've only been "covered" in the sense that there have been many
unfounded and unproven claims made against it. As far as I know,
there hasn't been one single incident where his software has been
shown to be in any way lacking.

>That's not true. Cracking one message by a ciphertext-only attack would
>clearly reveal CryptoSMS to be snake oil. Let's suppose, however, that the
>encrypted message isn't cracked. The message might remain uncracked for
>several reasons. Here are a few:
> No one has seriously tried to crack it.

Why not? If it's so easy to do...why not just spend the "one hour"
and do it?

> No one has admitted cracking it.

Again...why not? You'd think all these people attacking the guy would
be first in line to wave their arms up and down to show that they
cracked it. It's not like CryptoSMS will be used to provide security
for billions of dollars worth of if someone cracks it,
there would be zero point in keeping it a secret.

> More ciphertexts may be necessary.

Any attacker could generate as many plaintexts and ciphertexts as he
wants with the software.

> There isn't enough information about the hodgepodge of ciphers to
> launch an attack.

Therefore, calling it weak is unjustified.

> The ciphers that are claimed to be implemented actually are
> not.

If you can't even know what ciphers have been used to encrypt the
messages, how could you possibly claim it to be weak when you wouldn't
even know where to begin launching your attack?

> There isn't enough information about the system to crack the message.

Therefore, calling it weak is unjustified.

> There isn't enough information about the password handling.

Therefore, calling it weak is unjustified.

>Until Crypto@S.M.S. divulges the source code, there is no reason to trust
>the secrecy of CryptoSMS.

In the world of software, how many times are you privy to the source
code of the software used by millions of people on a daily basis? The
answer is...almost never. And yet...people continue to use their
software even though they don't have the source codes to them...they
continue to trust them (until they have reason not to)...and the world
continues to revolve around the sun.

>So far as I've seen, Crypto@S.M.S. hasn't
>cryptanalyzed the program himself. He's also said he's here to learn -- not
>a good sign to be learning about crypto after he's already started hawkng
>the stuff.

He never claimed to have put some home-made, super-duper-wicked-strong
cipher into his product. If he's using ready-made ciphers that are
well-established (as he said), and he's implemented them correctly,
then he doesn't need to be an expert cryptographer in order to make
his software functional and secure.