256 Bit Encryption for Secure Email and Secure Online File Storage
Jonny Weron
jonnyweron at hotmail.com
Sun Dec 2 12:32:59 PST 2001
>Another proprietary key format. Why not base such a system on OpenPGP?
>
>Hmm. AES-256 with SHA-256? Children, what's wrong with the balance
>in this system?
>
>How does a user verify authenticity of another user's public key?
>
>Aside from being incompatible with anything else on the net, how is this
>different or more secure than Hushmail? Than Cryptomail.org?
The AES-256 is used independently from SHA-256 and for a different purpose.
One is used for encryption, the other for hashing. If youd like to match
crypto level provided by the hash, you would have to apply something like
SHA-512, but that is irrelevant. SHA-256 is a convenient way of hashing
passphrases into 256-bit symmetric key-material used to initialize key
vectors in the AES. I would suggest you should look into the source code
(available from the <a href="http://www.cryptoheaven.com">CryptoHeaven</a>
web site) before making such trivial but misleading comments.
Also, proprietary key format is not such a bad idea as long as the source is
open for review. OpenPGP standard involves much more than simple RSA key,
and any software using it is prone to the possible errors that may come with
it. Making a simpler key format with only the very things that are
necessary make it easier to maintain and it is easier to verify correctness
of implementation.
So what about Hushmail you ask. For one, CryptoHeaven does not require you
to send your encrypted private key to the server making CryptoHeaven a much
more secure solution. Furthermore, CryptoHeaven includes things like secure
multi party folder sharing and multi user discussions which are not
available in other systems.
_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp
More information about the cypherpunks-legacy
mailing list