Re: Re: Reformatted: How secure....
Firstly, I would like to thank Cypherpunks members for helping me evaluate and critique my document on PrivaSoft's security. I would like to address several of the issues raised on the list.

1. A lot of questions would be answered if you had a copy of PrivaSoft to look at, or at least a scrambled page to examine. Both of these are available at our WEB site (http://www.privasoft.com/privasoft). This is not an advertising plug; it really helps to see the thing in action to better understand its capabilities.

2. Re: the 9 digit key. Partially why you misunderstand the strength of the 9 digit key in PrivaSoft is because Graphical Encryption is very different from data encryption. Graphic encryption takes an image of your document and scrambles the tiles across the page in a pseudo-random order based both on the encryption algorithm and the key used. Each key produces a completely different scramble. Further, descrambling entails moving tiles and recognition of readable text. An edge detection machine would not be helpful with PrivaSoft; as far as I know, OCR or human interface, or the PrivaSoft descrambler (with the correct key) are the only methods that can be employed. And all three of these take considerable time. Time is a key factor here (no pun intended). The strength of an encryption relies heavily on the time it takes to brute-force check different keys. As such, even the addition of 10 milliseconds to the process is a significant increase in security when taken on the large scale of how many keys need to be checked.

3. The key extension is useful when documents are scrambled using the same default key. This feature adds 2 digits to your key; thus, even the same exact document scrambled with the same key but a different key extension would produce a radically different scramble.

4. With regard to the increased font size, this is not necessary but is helpful in that the tiles themselves would contain less recognisable features of letters.

5. As a fax security product, there is nothing comparable to PrivaSoft in ease of use, strength, versatility. I'm sure you have all received faxes that have come in skewed, with heavy line noise, a black line running across the page, or any other combination of fax problems. These do not affect PrivaSoft's capability to descramble the fax; PrivaSoft has several patented features that produce readable text even after moderate damage to the page. Also, if you haven't figured this out yet, PrivaSoft is the only encryption software that provides hardcopy encryption and decryption, i.e. you can print out a hardcopy of the scrambled image, and fax it, store it, even snail mail it, and then on the receiving end, fax or scan it back into the PC and decrypt.

6. Re: customization: This refers to our capability, for corporate clients and the like, to produce batch operation or need-specific features. Also we can increase the digits of the key if the client requires such, as in gov't agencies etc.; however, this is not necessary for day to day use, as PrivaSoft is strong enough for most transmissions over the Net and via fax, regardless of the prevalent comments by many members of this group.

I do not take offence at the many slurs on our product. I fully believe that any of those who believe that PrivaSoft is a fly-by-night or bogus product have not looked at or tried the software and therefore speak from a less than knowledgeable position. Please do not take this the wrong way; I do not mean to insult anyone's intelligence or ability. I just mean to say that many here are quick to judge, and they have a right to be suspicious of everything and everyone, that is the nature of security, but I do challenge the naysayers to truly check out the software before completely condemning its use and capabilities. I have personally demonstrated our software to several key individuals in the gov't, military, and corporate arenas, both executive and technical persons. All were impressed and have taken the software back for further testing. I have received positive responses from them and many have recommended / are presently using PrivaSoft.

Once again, thank you for your help in editing and restructuring the How secure document, and I will post an updated version when it is ready. Also, if anyone would like a scrambled page e-mailed to them to look at / try to crack, please e-mail me as such; I do not wish to post one only because many of you might not want to receive it. If you have further questions or comments, I do appreciate and encourage them; please feel free to e-mail me at privsoft@ix.netcom.com or post them here.

Steve O.

*************************************************
PrivaSoft TM
1877 Springfield Ave, PO BOX 600
Maplewood NJ 07040-0600
Tel. 201-378-8865  Fax. 201-762-3742
http://www.privasoft.com/privasoft
E-mail: privsoft@ix.netcom.com
*************************************************
> Further, descrambling entails moving tiles and recognition of readable text.
Why do you make this claim? If PrivaSoft's transposition cipher is even superficially ok, a wrong-key decryption will look like a random permutation of the input pixels, i.e. an image with the same black/white statistics as the original (a slight weakness, IMHO) but with none of its spatial coherence. Look at the distribution of run lengths, or of the size of connected components.

I just went and looked at your "PrivaSoft in action" example, and I'd have to say that the cipher is not "superficially ok". The ciphertext is visibly structured: there are visible fragments of letters (an "e", an "n", a "k", the top of an "S"); there are evenly-spaced vertical lines of dashes and crosses; I can see the bold text of the original (what's more, it's only diffused over a small extent, not the whole ciphertext); and, um, was the letterhead text supposed to be unreadable, or just dirtied up a little?

Since the algorithm doesn't break up small-scale structure very well, a more robust way of testing for correct decryption would be to count the number of black pixels on each scan line, and examine this for periodicity. Even with some noise and scan skew, there will be obvious periodicity for unencrypted text, and little for an incorrect decipherment.

I don't mean to be unnecessarily hard on your software. It's probably fine against casually nosy people and for protecting mildly embarrassing information, and it's conveniently exportable. But if you represent it as suitable for high-value secrets, you're misleading your customers.

--
Eli Brandt
eli+@cs.cmu.edu
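The scan-line periodicity test Eli describes above, written out as an added example; it is not code from the thread, from Eli, or from PrivaSoft. The page image is constructed (64 columns by 80 scan lines, text lines on an 8-line pitch with ink on five rows of each band and 2% speckle elsewhere), and the tile size of 4 and the two wrong-key models are assumptions: a uniform permutation of all pixels, which is the ideal Eli assumes a sound transposition would give, and a permutation of whole tiles, which keeps the pixels inside each tile in place. The point it makes is the one Eli and Perry both raise: a correct decipherment is recognisable from the black-pixel count per scan line alone, with no OCR and no human in the loop, so the milliseconds a human or OCR pass would cost per key never enter the trial.

```python
"""Periodicity of the per-scan-line black-pixel count on a bilevel page.

Added example, not part of the original thread or of PrivaSoft.  The page,
the pitch, the tile size and the wrong-key models are all constructed here.
"""
import random

W, H = 64, 80           # constructed page: 64 columns, 80 scan lines
PITCH = 8               # constructed line pitch: 8 scan lines per text line
INK_ROWS = range(2, 7)  # rows 2..6 of each band carry glyph ink
TILE = 4                # constructed tile edge for the tile-permutation model


def make_text_page(seed=1):
    """Constructed stand-in for a scanned page of text: ink rows are ~50%
    black, blank rows between lines carry ~2% speckle noise."""
    rng = random.Random(seed)
    page = []
    for y in range(H):
        p = 0.5 if (y % PITCH) in INK_ROWS else 0.02
        page.append([1 if rng.random() < p else 0 for _ in range(W)])
    return page


def scramble_pixels(page, seed=2):
    """Ideal wrong-key output: a uniformly random permutation of all pixels."""
    flat = [px for row in page for px in row]
    random.Random(seed).shuffle(flat)
    return [flat[y * W:(y + 1) * W] for y in range(H)]


def scramble_tiles(page, seed=3):
    """Tile-transposition model: shuffle TILE x TILE blocks, leaving the
    pixels inside each block where they were."""
    ty, tx = H // TILE, W // TILE
    tiles = [[[page[by * TILE + dy][bx * TILE + dx] for dx in range(TILE)]
              for dy in range(TILE)]
             for by in range(ty) for bx in range(tx)]
    random.Random(seed).shuffle(tiles)
    out = [[0] * W for _ in range(H)]
    for i, tile in enumerate(tiles):
        by, bx = divmod(i, tx)
        for dy in range(TILE):
            for dx in range(TILE):
                out[by * TILE + dy][bx * TILE + dx] = tile[dy][dx]
    return out


def row_profile(page):
    """Black-pixel count per scan line: the statistic Eli proposes."""
    return [sum(row) for row in page]


def _corr(a, b):
    """Pearson correlation of two equal-length sequences (0 if degenerate)."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return cov / ((va * vb) ** 0.5) if va and vb else 0.0


def periodicity(profile, max_lag=None):
    """Return (score, lag): the strongest autocorrelation of the row profile
    over lags 2..max_lag.  A score near 1.0 means a regular line pitch is
    present; an incorrect decipherment scores near 0."""
    max_lag = max_lag or len(profile) // 4
    best = (0.0, 0)
    for lag in range(2, max_lag + 1):
        c = _corr(profile[:-lag], profile[lag:])
        if c > best[0]:
            best = (c, lag)
    return best


def demo():
    """Score the constructed page and both wrong-key models."""
    plain = make_text_page()
    return {
        "plain text": periodicity(row_profile(plain)),
        "pixel-permuted": periodicity(row_profile(scramble_pixels(plain))),
        "tile-permuted": periodicity(row_profile(scramble_tiles(plain))),
    }


if __name__ == "__main__":
    for name, (score, lag) in demo().items():
        print(f"{name:15s} periodicity={score:.2f} at lag {lag}")
```

Run as a script it prints one line per case. The plain page scores close to 1 at a lag of 8 (or a multiple of it), the pixel-permuted page scores near zero at whatever lag noise happens to favour, and the tile-permuted page sits in between with its best lag at a multiple of the tile height: because every row keeps its offset inside its tile, the profile retains a period equal to the tile size even though the text is unreadable. That residual structure is the same kind of leak Eli reports seeing in the sample page, and it is what Perry means by image statistics doing the work that the vendor expects to fall to a human.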
Steve writes:

> 2. Re: the 9 digit key. Partially why you misunderstand the strength of the 9 digit key in PrivaSoft is because Graphical Encryption is very different from data encryption.

That indicates to me that you don't understand anything at all about cryptography. I'm not trying to be cruel. People around here have seen me cruel. It's just that bits are bits and it doesn't matter what you are encrypting. You seem to think that because images "need humans" to determine if they make sense that you have somehow won -- in fact, the statistics of real vs random images are so different that I can hardly see how one could have an easier time of it. Amateurs pretending that they are professionals going out and selling snake-oil crypto are one of the biggest threats in our business. I doubt that you are going to relent -- folks in your position have an amazingly stubborn ability to ignore reality -- but I think anyone buying your product is crazy.

> I fully believe that any of those who believe that PrivaSoft is a fly-by-night or bogus product have not looked at or tried the software and therefore speak from a less than knowledgeable position.

Reading your messages is sufficient, actually. If I read something from someone pretending to be a doctor and he notes that his new blood thinning machine is useful for curing baldness, I don't really have to try the product, now, do I? I suspect it would take a real cryptographer very little effort to break your system, but that no one will bother doing so because it isn't really worth anyone's time.

> I have personally demonstrated our software to several key individuals in the gov't, military, and corporate arenas, both executive and technical persons. All were impressed and have taken the software back for further testing.

Who cares? I know places where you can demonstrate psychic surgery and get dozens of people to vouch for it.

Perry
"Perry E. Metzger" writes:
> Amateurs pretending that they are professionals going out and selling snake-oil crypto are one of the biggest threats in our business.
and then...
> I suspect it would take a real cryptographer very little effort to break your system, but that no one will bother doing so because it isn't really worth anyone's time.
Well, Perry, if it's really such a threat, isn't it worth someone's time to combat it? Wasn't that point driven home by the Netscape PRNG problems?
Scott Brickner writes:

> "Perry E. Metzger" writes:
>
> > Amateurs pretending that they are professionals going out and selling snake-oil crypto are one of the biggest threats in our business.
>
> and then...
>
> > I suspect it would take a real cryptographer very little effort to break your system, but that no one will bother doing so because it isn't really worth anyone's time.
>
> Well, Perry, if it's really such a threat, isn't it worth someone's time to combat it?
>
> Wasn't that point driven home by the Netscape PRNG problems?

Netscape is in wide use. If a substantial number of people bothered to use the Privsoft, then it might be worth breaking it. As it stands, I don't think it's worth my while. Maybe someone out there wants to bother to do it as an exercise. It unfortunately has a bit of added complexity because you have to learn a bit about image statistics in order to do a good job of segregating the images, but it also looks like you might be able to use multiple anagramming to get a nice handle on the thing so your statistics don't have to be particularly good.

Perry
participants (4)
- Eli Brandt
- Perry E. Metzger
- privsoft@ix.netcom.com
- Scott Brickner