Re: How much must be revealed

---

• From: HilltopLab@xxxxxxxxxxxxx
• Date: 26 Feb 2007 19:03:16 -0800

---

On Feb 26, 9:35 am, Volker Hetzer <firstname.lastn...@xxxxxxxx> wrote:

Hilltop...@xxxxxxxxxxxxx schrieb:> If I have an encryption program, is it possible to describe the

algorithm sufficiently to give people confidence in its security
without revealing the source code? Or must it be given away before any
worth is appreciated?

These are two different issues:
You can convince peope to trust your /algorithm/ by publishing it. Or by
choosing a well known one and saying "I use AES/CTR with that kind of
Key/Counter management".

You can convince people that you are not a liar by providing source code.
In cases without random numbers (i.e. if your program is fully deterministic)
people can perhaps trust you if they can reproduce ciphertext by means of
pencil and paper and it matches your output and you take reasonable pains
to ensure integrity of thge download (i.e. by providing pgp keys, checksums
and the like).

Lots of Greetings!
Volker
--
For email replies, please substitute the obvious.

I completely agree that you cannot trust a program that depends on the
secrecy of the algorithm. Not only because the algorithm cannot be
independently tested, but also because no one can ensure the secret
will not get leaked. But that's why I asked the question. No matter
how detailed an explanation is given of an algorithm, the devil is in
the details. And, just because I claim the program does something
doesn't mean it actually does. So, if the only recourse is to publish
the source code, there is little incentive to develop a new algorithm,
as no one can hope to market it. Except maybe as a hobby.

Richard Mueller

.

---

• Follow-Ups:
  • Re: How much must be revealed
    • From: Volker Hetzer
  • Re: How much must be revealed
    • From: Arthur J. O'Dwyer

• References:
  • How much must be revealed
    • From: HilltopLab
  • Re: How much must be revealed
    • From: Volker Hetzer

• Prev by Date: Re: Quantum Cryptography can not work
• Next by Date: Re: Quantum Cryptography can not work
• Previous by thread: Re: How much must be revealed
• Next by thread: Re: How much must be revealed
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: How much must be revealed ... You can convince peope to trust your /algorithm/ by publishing it. ... You can convince people that you are not a liar by providing source code. ... Not only because the algorithm cannot be ... Microsoft-built crypto software in the black. ... (sci.crypt) Re: How much must be revealed ... worth is appreciated? ... You can convince peope to trust your /algorithm/ by publishing it. ... You can convince people that you are not a liar by providing source code. ... (sci.crypt) Re: How much must be revealed ... then publishing the algorithm will enable anybody else in the world to ... write their own source code implementing it; ... that's what "test vectors" are for. ... some way to get people to trust you. ... (sci.crypt) RE: [Full-Disclosure] Vulnerability response times -- MS and others ... > on solving security issues. ... no trust should be placed in code from others. ... There is little trust to be placed in source code. ... Microsoft is willing to place their complete trust in all those ... (Full-Disclosure) Re: Blowfish Sign Extension implementation risk ... > Tom St Denis wrote: ... >> the algorithm correctly in the first place is the better course of action. ... mainstream, was published with C source code (again, see Dr. Dobbs, ... Applied Cryptography, etc.). ... (sci.crypt)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(16)