So Dr. Cohen, what do you use when you want to send a message across the Internet with better security than cleartext? What do you recommend to others?
I use different techniques when different levels of protection are required, and I definitely don't use the Internet for anything that is really vital because of the ease of gaining intelligence indicators based on traffic analysis. I commonly use FAX machines from non-fixed locations for point-to-point communications where I don't want it to be tapped from my end. I often use telephone lines with modems for other secure communications depending on the requirements. I have used DES for some limited items with the key sent over a separate channel, RSA for short time-limited secure messages, one-time-pads for certain really critical stuff between myself and a single other trusted party, special secure telephones as required by organizations for select communications, various custom ciphers for communication with parties who have special requirements, dictionary and codebook ciphers on rare occasions, wheel ciphers of various sorts, a variety of custom authentication ciphers, and who knows what else.

I never recommend a solution without knowing a fair amount about the specific challenge it is supposed to address. I typically start with an understanding of the general environment, the financial and/or human issues, the threat profile, the protection environment, the other dependencies and protection factors, and other factors related to the reasons for protection. Once I have this understanding, I make value judgements about how much I trust things relative to the requirement for trust and other limitations presented by the situation.

Sorry I can't give you a pat answer like "I use Joe's Cryptobox", but that's just the way it is.

--
-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236