Date: Fri, 16 Apr 1993 15:13 CDT From: treason@gnu.ai.mit.edu Well, this all sounds fine and dandy, but... 1) They are not passing out the algorithym, and I dont trust ANYONE to tell me its secure. ... 4) No explanation of what the 'key' contents are composed of (numbers, letters, alphanum, characters, some odd cyphercode???) is even implied. 5) No explanation of how the key is propegated or if it will even be needed for the remote site is mentioned. How are the remote sites going to decypher your cyphersounds(text)? There was no mention of further releases in information...is this all we get? treason@gnu Question (5) is particularly acute. Offhand I can think of two ways the remote site might decrypt the message: 1. If the two phones can talk to each other then the originator phone might ask the receiver phone for its public key (as in public key cryptography) and then use this to encrypt the message. (The receiver phone then decrypts with its private key.) But since the encryption is occurring in real time, this is probably not feasible unless short keys are used. 2. The originator phone might simply send the encryption key down the line, perhaps itself encrypted or disguised in some way. If so then it might not be too hard to discover the key. In this case all security lies in ignorance of the encryption algorithm used (violating crypto- logical principles). It probably wouldn't be too long (at most a year or so) before someone figures out what the algorithm is, in which case all security is compromised. However, security in particular cases is relative to the expertise of the attacker, so it might still be the case that one's neighbors and business competitors could not decrypt the message, even if XYZ Security Consultants could. -- Peter Meyer