Re: Top Secret Crypto 3.70

From: Johan Wevers (johanw_at_vulcan.xs4all.nl)
Date: 12/31/04


Date: Fri, 31 Dec 2004 12:41:42 GMT

headcrash <headcrash@platter.com> wrote:

>OK, let's start with number 1: Bullsh*t - there is not a true random
>source of bits on a deterministic-by-nature PC. Anyone who claims
>differently is a snake oil salesman

I disagree. You can solve it the way pgp 2 handled it - use user keystrokes
as a source for random, or the way GnuPG handles it - use /dev/random, which
gets input from user interaction and system responses like hard disk activity
on it. Both contain a (probably nondeterministic) human factor.

If you insist on more randomness there are special hardware boards that
measure white noise from certain electronic components - truly random.

I agree on the other points: using an unknown encryption algorithm of
untested design is insecure and unwise. Even the most respected
programmers can fail here - does anyone remember Bass-o-matic in pgp 1.0?

>And the description of "simple but elegant". Simple - possibly.
>Elegant - extremely highly unlikely.

I've seen very few ciphers that I would call simple and elegant. They
usually contain large arrays of carefully chosen S-boxes. The most
elegant design I know that is not completely broken (as far as we know
now) is IMO RC5. IDEA would also have some claims on both, although it's
more complicated by design.

>Again, the better product to use would be GNUPG

I certainly agree with that.

-- 
ir. J.C.A. Wevers         //  Physics and science fiction site:
johanw@vulcan.xs4all.nl   //  http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html