[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
BEWARE of SnakeOil (tm)
SNAKEOIL ALERT:
Cc: [email protected]
On Mon, 31 Aug 1998 18:37:35 -0600, Cdn-Firearms Digest wrote:
>Date: Mon, 31 Aug 1998 15:30:34 -0600
>From: Lee Scroggins <[email protected]>
>Subject: New/easy to use strong file encryption fyi
>
>For anyone interested in easy to use strong file encryption, or just
>afraid that your gun related data/Emails may be too tempting for the
>officials, the following article points to an interesting site
>(http://www.filesafety.com).
Maybe his product is valid, but, after having read the the Cypherpunks mailing list for
years, here are my conclusions:
- beware of any product that has not been *extensively* peer-reviewed, with *all* the
source code made public. Security breaches are *very* easy to overlook and no software
should *ever* be used unless it was peer-reviewed.
- the fact that a software uses a specific encryption technique that is described in
well known books and that this technique is usually recognized as secure by the
cryptanalysis community doesn't mean that the *specific* software implementation of it
is truly secure. Thus, the need not only to peer-review the specific encryption
technique but *also* and *especially* the precise coding implementation.
[from their web page] "CryptView will allow you to validate algorithms and examine the
internals of SecureOffice files. You can see the inside of the cryptography box.
CryptView allows you to examine file formats and come to your own conclusions about the
Security of SecureOffice. "
- the fact an encrypted output doesn't look comprehensible to *you* or to a software
engineer doesn't mean that a cryptanalyst cannot crack it within minutes... It is a
*very* complicated science indeed. If you are not a PhD in cryptanalysis with years of
experience in software security, you can't know. One of the NSA top cryptanalyst once
said that before you spent at least fifteen years of your life cracking codes, you have
no idea of how to devise a truly secure one.
> Please note that the US govt seems to be having a hissy fit about it
> (you might want to look while it still exists).
They try pursue anybody who violates ITAR in a public way. If I were to walk with a
PGP diskette across the border outside Cana-USA, I would be liable under ITAR even if I
never wrote a line of software in my life.
> Individuals can be charged with violating federal restrictions on the
> export of encryption software, but the government also appears to be
> worried that Booher has simply made it to easy to use extremely secure
> encryption--with or without export.
Yes, in USA, and it applies to Canada too, encryption software is considered the same
as missiles for export purposes (category: ammunition). It is regulated by ITAR, just
like guns. But this text borders on being glib.
PGP caused a lot of trouble to his author too, but PGP has been *very extensively* peer
reviewed. At least, AFAIK, V2.6.2. The newer version of PGP uses *several* encryption
techniques, among which you have to choose.
> The subpoena Booher received also ordered him to bring to the courthouse the
> source code for his product, suggesting the government wants to reverse
> engineer it.
Absolute BS! The security is afforded by the specific cryptography mathematics that
are themselves *extensively* well known, peer reviewed and, in the case of 3DES (DES),
*invented* in government labs! The other technique, RSA, is used in PGP and the patent
will expire in a few years.
> Booher intends to patent his source code and says he does not plan to
> hand it over to anyone.
Un-peer-reviewed code has an excedingly high probability of being snakeoil, especially
if it is marketed before being reviewed...
A false feeling of security is much more dangerous than no security at all.
All the govts have vested interest in disseminating pseudo-strong cryptography. This
statement is not paranoia, it is recent and regularly recurring history.
I find the information in the web page way too incomplete and, to the limit,
misleading. Personnally, I prefer to stick to PGP. Version 5.x is *easy* to use.
I do get tired of seeing posts like that around...
One of theses days, I will write a FAQ on encryption for the layman...
If ever I find that this software is appropriate, I will say so on the CFD.
I do not own any interests, direct or indirect, in PGP.
Ciao
jfa
Security is not afforded by a few tools, it is a state of mind.