[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Safemail



At 5:32 PM 6/20/96, Deranged Mutant wrote:
>On 20 Jun 96 at 10:29, Adam Shostack wrote in [email protected]:
>
>> Not to defend the safemail folks, but this does remind me of something
>> that NeXT did with Eliptic curve based systems; there was no storage
>> of the private key, it was generated from the passphrase at run time.
>> It was a side discussion, maybe with Andrew Lorenstien?  Andrew?
>
>> Daniel R. Oelke wrote:
>
>The HKS archives are still down, but a while back on the coderpunks
>list was an interestng idea about hashing a passphrase to seed a
>crypto PRNG and used the first good set of primes etc. for a secret
>and private key pair.  Only the private key is saved in such a case.

I haven't seen this particular idea, but a general point to always bear in
mind is that "entropy doesn't increase" (despite what you may have heard
about that other kind of entropy....).

To wit, if there are N bits of entropy in a passphrase (or whatever is the
basic key, be it typed in, read from a floppy, whatever), then no amount of
deterministic crunching by a PRNG (or whatever) will increase this.

(I say "deterministic" in the sense that all parties presumably need to run
the same PRNG and get the same output from the same "seed" (= passphrase,
in this scheme). Thus, the PRNG cannot add additional randomness or
entropy. Unless I am misunderstanding the proposal...)

So, if the passphrase is 22 characters, as in the "Safemail" proposal (such
as it is), that's all that can be gotten. Period. There just aren't enough
"places" in the space of starting points. Anyone with access to the
algorithms used to process the 22 characters (154 bits if 7 bits are used
for each character) can brute force search the space in a relatively short
time. (If the later processing algorithms are supposed to be "secret," then
of course this a cryptographic faux pas of the first magnitude, usually
dismissed as "security through obscurity.")

By the way, amongst other defects, "Safemail" is a pretty bad name for a
company, being that RSA Data Security has or had a product called
"MailSafe."

(The same thing happened with the Web search tool made by "Architext."
There was a Macintosh hypertext program with the same name, which I bought
in 1990. Someone I knew who worked for Architext was confused by my
denunciation of Architext....such name collisions make for interesting
situations.)

--Tim May

Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
[email protected]  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Licensed Ontologist         | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."