256 Bit Encryption for Secure Email and Secure Online File Storage

Jonny Weron jonnyweron at hotmail.com
Sun Dec 2 12:32:59 PST 2001


>Another proprietary key format. Why not base such a system on OpenPGP?
>
>Hmm. AES-256 with SHA-256? Children, what's wrong with the balance
>in this system?
>
>How does a user verify authenticity of another user's public key?
>
>Aside from being incompatible with anything else on the net, how is this
>different or more secure than Hushmail? Than Cryptomail.org?


The AES-256 is used independently from SHA-256 and for a different purpose.  
One is used for encryption, the other for hashing.  If you’d like to match 
crypto level provided by the hash, you would have to apply something like 
SHA-512, but that is irrelevant.  SHA-256 is a convenient way of hashing 
passphrases into 256-bit symmetric key-material used to initialize key 
vectors in the AES.  I would suggest you should look into the source code 
(available from the <a href="http://www.cryptoheaven.com">CryptoHeaven</a> 
web site) before making such trivial but misleading comments.
Also, proprietary key format is not such a bad idea as long as the source is 
open for review.  OpenPGP standard involves much more than simple RSA key, 
and any software using it is prone to the possible errors that may come with 
it.  Making a simpler key format with only the very things that are 
necessary make it easier to maintain and it is easier to verify correctness 
of implementation.

So what about Hushmail you ask.  For one, CryptoHeaven does not require you 
to send your encrypted private key to the server making CryptoHeaven a much 
more secure solution.  Furthermore, CryptoHeaven includes things like secure 
multi party folder sharing and multi user discussions which are not 
available in other systems.




_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp





More information about the cypherpunks-legacy mailing list