From: fc@all.net (Dr. Frederick B. Cohen)
To: marc@cam.ov.com (Marc Horowitz)
Message Hash: bfc2e5456f96d182d876a8bc8d93af7021564b4a541aa6dff0e6955178122f68
Message ID: <9508012013.AA14958@all.net>
Reply To: <199508011923.PAA17989@dun-dun-noodles.cam.ov.com>
UTC Datetime: 1995-08-01 20:19:33 UTC
Raw Date: Tue, 1 Aug 95 13:19:33 PDT
From: fc@all.net (Dr. Frederick B. Cohen)
Date: Tue, 1 Aug 95 13:19:33 PDT
To: marc@cam.ov.com (Marc Horowitz)
Subject: What do I use?
In-Reply-To: <199508011923.PAA17989@dun-dun-noodles.cam.ov.com>
Message-ID: <9508012013.AA14958@all.net>
MIME-Version: 1.0
Content-Type: text
> So Dr. Cohen, what do you use when you want to send a message across
> the Internet with better security than cleartext? What do your
> recommend to others?
I use different techniques when different levels of protection are
required, and I definately don't use the Internet for anything that is
really vital because of the ease of gaining intelligence indicators
based on traffic analysis.
I commonly use FAX machines from non-fixed locations for point-to-point
communications where I don't want it to be tapped from my end. I often
use telephone lines with modems for other secure communications
depending on the requirements. I have used DES for some limited items
with the key sent over a separate channel, RSA for short time-limited
secure messages, one-time-pads for certain really critical stuf between
myself and a single other trusted party, special secure telephones as
required by organizations for select communications, various custom
ciphers for communication with parties who have special requirements,
dictionary and codebook ciphers on rare occasions, wheel ciphers of
various sorts, a variety of custom authentication ciphers, and who knows
what else.
I never recommend a solution without knowing a fair amount about the
specific challenge it is supposed to address. I typically start with an
understanding of the general environment, the financial and/or human
issues, the threat profile, the protection environment, the other
dependencies and protection factors, and other factors related to the
reasons for protection. Once I have this understanding, I make value
judgements about how much I trust things relative to the requirement for
trust and other limitations presented by the situation.
Sorry I can't give you a pat answer like "I use Joe's Cryptobox", but
that's just the way it is.
--
-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
Return to August 1995
Return to “Phil Fraering <pgf@tyrell.net>”