
RE: FW: Symantec Norton, Your Eyes Only.




At 03:46 PM 1/23/98 +1100, Pearson Shane wrote:
>Hi William,
>
>Many thanks for the reply.
>
>I was hoping it was ok having Blowfish,
>but I guess it could be their own
>"efficient" version.
>
>Bye for now.
>

WHGIII gave you the most conservative answer.  That is, in cryptology, the
correct answer.

A more detailed analysis would say:

* the Blowfish algorithm is considered strong for various reasons

* IFF the Norton program were written correctly
(not just the algorithm implementation, but key hiding,
worrying about getting swapped onto disk by the OS, etc.)
then it would be a useful tool for security.

* Without examining the source, any assumption of security
from using the tool relies *absolutely* on your trust of the
implementor.

(In a Turing award paper, Ritchie described how you
implicitly must trust your compiler-writers too... the
compiler could have clandestine functions like inserting
extra code when it recognizes patterns.)

So you see how WHGIII was correct, although for practical
purposes (depending on the value of your data and the 
attackers you anticipate, plus the security of the rest of your
system (only as strong as the weakest link)) you may find this tool acceptable
in the non-exportable version.  Keylength-limited versions are worthless
from a security viewpoint.

But on this mailing list, you won't find the yes/no answer
you probably want.  Which is probably correct behavior for this list.

Cheers,


------------------------------------------------------------
      David Honig                   Orbit Technology
     [email protected]                  Intaanetto Jigyoubu

"The tragedy of Galois is that he could have contributed so much
more to mathematics if he'd only spent more time on his marksmanship."