Freematt357@aol.com wrote:
http://www.topsecretcrypto.com/ Snake oil? I am not entirely sure. on the plus side - it apparently uses Sha-1 for a signing algo, RSA with a max keysize of 16Kbits (overkill, but better than enforcing something stupidly small), built in NTP synch for timestamps (probably spoofable, but at least a valiant attempt to keep timestamps accurate "by default") and supports a range of file, folder, email and chat crypto with a onscreen keyboard for password entry (again, not unbeatable but a valiant attempt)
next step is the symmetric component though - which shows more than slight traces of oil. First is a randomly generated session key, protected by the RSA component - on the face of it fine (its how pgp and smime do it, after all) but no details are given on *how* the random key is obtained (the code apparently "contains a true random number generator" which seems doubtful) and the symmetric component is a proprietary algo (for which source is provided, but even so...) Second is pretty much pgp's conventional mode - but with a user supplied key. no mention of hashing, and again, the proprietary algo is in use. Third is True One Time Pad - yes well duh! I could write one in eight lines or so of VBScript, for free. Nobody needs to pay for a OTP application, certainly not per-seat. An announcement of the software (and subsequent discussion) took place in Sci.Crypt some months ago - dejagoogle link here: http://makeashorterlink.com/?M138249F6 - if anyone wants to read it.
participants (2)
-
Dave Howe
-
Freematt357@aol.com