Snake oil?

[Dave Howe]

Freematt357 at aol.com wrote:
> http://www.topsecretcrypto.com/
> Snake oil?
I am not entirely sure.
on the plus side - it apparently uses Sha-1 for a signing algo, RSA with a
max keysize of 16Kbits (overkill, but better than enforcing something
stupidly small), built in NTP synch for timestamps (probably spoofable,
but at least a valiant attempt to keep timestamps accurate "by default")
and supports a range of file, folder, email and chat crypto with a
onscreen keyboard for password entry (again, not unbeatable but a valiant
attempt)

next step is the symmetric component though - which shows more than slight
traces of oil.

First is a randomly generated session key, protected by the RSA
component - on the face of it fine (its how pgp and smime do it, after
all) but no details are given on *how* the random key is obtained (the
code apparently "contains a true random number generator" which seems
doubtful) and the symmetric component is a proprietary algo (for which
source is provided, but even so...)
Second is pretty much pgp's conventional mode - but with a user supplied
key. no mention of hashing, and again, the proprietary algo is in use.
Third is True One Time Pad - yes well duh! I could write one in eight
lines or so of VBScript, for free. Nobody needs to pay for a OTP
application, certainly not per-seat.

An announcement of the software (and subsequent discussion) took place in
Sci.Crypt some months ago - dejagoogle link here:
http://makeashorterlink.com/?M138249F6 - if anyone wants to read it.