
Adam Shostack writes:
Not to defend the safemail folks, but this does remind me of something that NeXT did with Elliptic curve based systems; there was no storage of the private key, it was generated from the passphrase at run time.

Yup, NeXT did this with their "For Your Eyes Only" demo and the crypto extensions for their Mail application. Although NeXT used an algorithm called "FEE" (Fast Elliptic Encryption), you can do it with RSA by hashing the passphrase, seeding a random number generator, generating a random prime, etc... It works but it adds a lot of processing time to encryption and decryption.

There are other, more serious, drawbacks to such a scheme though. You can't change your passphrase without changing your public key. People can try to guess your passphrase with only your public key. Crack can guess people's account passwords something like 24% of the time. I doubt the average joe would use much better passphrases for their secret key. That's a scary thought!! At least with PGP someone has to get a copy of the encrypted secret key first.

One interesting thing about NeXT's software is that the Mail application has crypto hooks. The crypto code is in a drop-in bundle that extends the app at runtime. This isn't just a generic interface, but the internationally shipped Mail software calls methods in the external bundle that are definitely crypto related. Also, much of the crypto and key management user interface ships with the main Mail package. It is hidden without the crypto bundle, but if you peek around with InterfaceBuilder you can see that it is there.

andrew
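
The RSA variant described in the reply above (hash the passphrase, seed a generator, generate primes), as an added example that is not part of the original post and is not NeXT's or PGP's code. The function names, the 256-bit toy prime size, SHA-256 and Python's seeded `random.Random` are assumptions chosen for illustration; it shows both drawbacks: a new passphrase yields a new public key, and the public key alone confirms a passphrase candidate.

```python
# Added illustration only. Toy sizes; random.Random (Mersenne Twister) is not
# a CSPRNG and one SHA-256 pass is not a password-hardening KDF.
import hashlib
import random

def _is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin for large odd n; bases come from the same seeded generator."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _next_prime(rng, bits):
    """Draw odd candidates with the top bit set until one passes the test."""
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        # c % 65537 != 1 keeps e = 65537 invertible modulo (c - 1)
        if c % 65537 != 1 and _is_probable_prime(c, rng):
            return c

def keypair_from_passphrase(passphrase, bits=256):
    """Return ((n, e), d). Nothing is stored: the key is rebuilt on every use."""
    seed = int.from_bytes(hashlib.sha256(passphrase.encode()).digest(), "big")
    rng = random.Random(seed)
    p = _next_prime(rng, bits)
    q = _next_prime(rng, bits)
    while q == p:
        q = _next_prime(rng, bits)
    e = 65537
    d = pow(e, -1, (p - 1) * (q - 1))  # requires Python 3.8+
    return (p * q, e), d

def public_key_confirms(public_key, candidate, bits=256):
    """True if the candidate passphrase regenerates this public key.
    Needs no secret material, which is why passphrase strength is the only barrier."""
    return keypair_from_passphrase(candidate, bits)[0] == public_key
```

With PGP's design the equivalent check needs the encrypted secret key file, so the public key by itself gives no way to test a passphrase.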