-----BEGIN PGP SIGNED MESSAGE----- [ for cypherpunks: Apple's now beta testing a video conferencing product called QuickTime Conferencing, or QTC. The Mac crypto interface list (mcip@feeley.cc.utexas.edu) started a discussion on video encryption, hence this crosspost. Feel free to chime in. ] Here are a couple of additional things to consider. This is a pretty classic application for stream ciphers. Since QTC is transport-independent (and I'd bet it's using OpenTransport calls, too), I'm assuming that QTC is using streams for video data, and that any packetization happens at the transport layer. Just before you call UDPSend(), ATPSend(), or whatever, just whack that outgoing block through the crypto function and off you go. As mentioned, RC4 might be a good choice. It's fast, plus Apple's already licensed it. It probably provides adequate tactical security, but as Adam pointed out, it has not been well analyzed in the open literature. However, there are many other stream ciphers out there: Diamond, Blowfish, RC5, etc. My gut feel is that RC4 is probably adequately secure with a 128-bit key; then Apple can dumb down to 40 bits for export approval. After all, they're not likely to build a product which they can't export. What about using a PCMCIA card like the National Semi Persona 100? It includes RSA signatures & verification, Diffie-Hellman key exchange (I think) and single DES; future versions will include 3DES and IDEA. Hardware encryption is fast, fast, fast. Don't forget AT&T's recent announcement of a similar product which does 3DES. One MCIP reader proposed just using PGP: RSA the session key and send it along. IMHO Diffie-Hellman is a better way to do this. Rather than using the PGP metaphor, where RSAing the session key allows you to send the session key as part of the message, DH allows you to establish the session key over an insecure channel, then start sending messages. - -Paul - -- Paul Robichaux, KD4JZG | Good software engineering doesn't reduce the perobich@ingr.com | amount of work you put into a product; it just Not speaking for Intergraph. | redistributes it differently. ### http://www.intergraph.com ### -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBLzEFkKfb4pLe9tolAQEtEAP/bxEHw+fwPaJJPyHaRRtuZqlxmzvEyD+w 5cmB9c75gzkY9SpSSLkbtawwUjCCiKynMAX76uSRaDRkVeTILelJ3gvdguRMS3Id MYQI162mPvCN+lTvsMoXVJAdZzC14WE9JE0t9FC+ovYE8M+/yZ16EGEnvtWbnNYQ pO8GkvNpR+g= =n3fX -----END PGP SIGNATURE-----