Re: My my, how time flies ...... it's been about "1 hour" -- anyone cracked CryptoSMS yet?

mike4ty4@yahoo.com wrote:
> Crypto@S.M.S wrote:
> > Joe Peschel wrote:
> > > Crypto@S.M.S wrote in news:11gsq8cgnefrl9c@news.supernews.com:
> > >
> > >
> > > > Joe Peschel wrote:
> > > >
> > > >
> > > > > " \"- Prof. Jonez©\"" <jonez@norcom.ca> wrote in
> > > > > news:fLlPe.20$nh6.4497@news.uswest.net:
> > > > >
> > > > >
> > > > >
> > > > > > What makes you think any attacker would have the source code
> > > > > > of any given encryption program to work with?
> > > > > >
> > > > >
> > > > >
> > > > > One always has to assume that the attacker knows everything
> > > > > about the encryption system, except the key. See Kerckhoffs'
> > > > > principle: "the security of a cryptosystem must depend only
> > > > > on the key," and
> > > > > Shannon's maxim: "the enemy knows the system."
> > > > >
> > > > > Schneier explained, in his May 2002 Cryptogram, why the
> > > > > principle is important.
> > > > >
> > > > > The reasoning behind Kerckhoffs' Principle is compelling.
> > > > > If the cryptographic algorithm must remain secret in
> > > > > order for the system to be secure, then the system is be
> > > > > less secure. The system is less secure, because security
> > > > > is affected if the algorithm falls into enemy hands.
> > > > > It's harder to set up different communications nets,
> > > > > because it would be necessary to change algorithms as
> > > > > well as keys. The resultant system is more fragile,
> > > > > simply because there are more secrets that need to be
> > > > > kept. In a well-designed system, only the key needs to
> > > > > be secret; in fact, everything else should be assumed to
> > > > > be public.
> > > > >
> > > > > J
> > > > >
> > > >
> > > > Schneier's statement does not mention source code. It talks
> > > > about algorithms, and you already know the algorithms used by
> > > > CryptoSMS.
> > > > That has been stated over&over. You know everything about these
> > > > algorithms (and the order in which they are applied),
> > >
> > >
> > > We don't know that the alorithms have been implemented properly.
> > >
> >
> > Yes you do. On startup, CryptoSMS runs the published test vectors
> > through all crypto-primitives and checks the results. Not just
> > against a single vector, but against all well-known test sets.
> > Every time CryptoSMS starts up it confirms its own implementation
> > with this built-in self-test.
> >
>
> Well just CLAIMING something isn't enough. We don't have the source
> code
> so we cannot PROVE that. It's very easy to write a program that will
> display
> "All tests passed!!!" without doing ANY tests at all. Without the
> soure
> code
> we have NO WAY of knowing whether or not it does that. For example,
> try
> the following simple C program:
>
> #include <stdio.h>
> main()
> {
> printf("All cipher tests passed.\n");
> }
>
> When you run it, it will display "All cipher tests passed." Well if we
> didn't have the above source code, just an exe file, we wouldn't know
> that it didn't do any tests (which it obviously didn't), nor would we
> know that it did!
>
> That's EXACTLY how uncertain we are about your program. We have
> NOTHING
> to examine -- we only have YOUR WORD. Nothing more. Your program could
> just do what I show above! We only have YOUR WORD that it doesn't.
> YOUR
> WORD. NOTHING MORE.

Then how the fuck could you, or Joe "the blow" Asswood know
they could crack it in "less than one hour", eh?
Received on Thu Sep 29 21:53:15 2005