responce to graphic encryption replies

Rev. Mark Grant mark at unicorn.com
Fri Oct 20 10:25:55 PDT 1995 

Urk.. not wanting to start up the "MIME is Evil, ASCII Forever !" thread
again, but it would help those of us who have to use MIME-supporting mail
programs if you didn't send messages as MIME attachments, pine is too
stupid to actually include the attachment in the reply... 

> How Secure Can PrivaSoft Be?

>  The typical policy is to limit the allowable cryptographic strength of
> commercial products to a level that is strong enough for commercial
> purposes. 

Sadly, that's not true. The typical policy is to limit the cryptographic
strength to a level that the NSA or a few hackers can break. IMHO 40-bit
RC4 doesn't come close to being strong enough for commercial purposes, at
least for anything other than trivial messages. 

> The cryptographic engine of PrivaSoft PrivaSoft uses a pseudo-random
> generator that is seeded by a 9 digit number uniformly normalized from
> the user's secret key. 

So that's about 30 bits ? Hmm, the computer on my desk kicked butt five
years ago, but today it's not much use for anything other than an
X-terminal, and slower than my $1500 laptop. Yet when we were cracking
SSL, it was searching a 28-bit chunk of keyspace every hour or so merely
using the idle cycles. In which case, if it's no harder to detect a
correct decryption than SSL, and no slower to decrypt than RC4, I could
crack your messages in about 4 hours by myself (of course, from what
you've said, it almost certainly *is* harder than that, the question is
*how much* harder).

Incidentally, how do you intend to distribute these secret keys ? Do you 
have some kind of RSA layer on top, or do I just have to call everyone I 
want to send faxes to and ask for their key ?

> The 9 digit key, when applied to analogue, the graphical encryption is

What do you mean here ? What's analogue in this system ? You're running 
it on digital data in a digital computer, right ?

> equivalent to a much longer key applied to alphanumeric encryption. 

Perhaps, but it would have to be at least 1000 times harder merely to 
make it as secure as RC4-40, which we've already shown to be insecure.

> PrivaSoft is unique in being a one-stop product than can serve all types
> of modern correspondence, including E-mail, fax and paper printouts. 
                                      ^^^^^^
This seems to be a direct contradiction of what you said above, unless you
plan to send email by creating a bitmap, encrypting the bitmap, and then 
sending that to the recipient. Some of us don't have T1 links to support 
that kind of mail... and it won't support, say, sending an executable 
file or C source code in that message and being able to use it at the 
other end.

It's also hardly unique, as PGP can readily encrypt any kind of digital 
data, with much better security.

	Mark

More information about the cypherpunks-legacy mailing list