From: anonymous@freezone.remailer
Date: Fri, 20 Oct 95 13:40:36 PDT
To: cypherpunks@toad.com
Subject: [reformatted] how secure can privasoft be?
Message-ID: <199510202040.QAA29119@light.lightlink.com>
MIME-Version: 1.0
Content-Type: text/plain


heres a version with eighty character lines:

============================================================================

How Secure Can PrivaSoft Be?


Introduction

PrivaSoft is a communication security product, and the user is entitled to
know how secure it is.  This document addresses the question of cryptographic 
strength of PrivaSoft.

Export license regulations

In some advanced countries, cryptographic products are categorized as 
"munitions" and their use, sale or exportation is controlled by local 
licensing regulations.  PrivaSoft has obtained an export license from the 
governments of Israel and the USA.  Licenses in other countries are obtained 
in coordination with the local distributors.  

The typical policy is to limit the allowable cryptographic strength of 
commercial products to a level that is strong enough for commercial purposes.  
The basic intention of this regulation is to protect the state from abuse of 
too strong cryptographic products by terrorists and criminals.  Some countries
do not practice such law because it is viewed as a denial of freedom of 
expression.  PrivaSoft willfully complies with these regulations as it is a 
commercial product, and it is not intended for national security applications 
with its current key length which is the maximum legally allowable for 
commercial users.

The cryptographic engine of PrivaSoft

PrivaSoft uses a pseudo-random generator that is seeded by a 9 digit number 
uniformly normalized from the user's secret key.  The engine is proprietary, 
designed according to the rules of modern cryptology to make the best use of 
the allowable key length.

Like other dependable cryptographic engines, the structure of the encryption 
software can be disclosed without compromising the security of the user.  
However, the coding and specific parameters of the mechanism are considered a 
trade secret and will be disclosed for the purpose of cryptoanalytic 
validation when necessary and under an appropriate non-disclosure non-
competition agreement.

The use of default keys

When secret keys or passwords are used by laymen, there is always a conflict 
between security and convenience:  The user tends to use fixed, easily 
memorized keys again and again, while the cryptoanalyst only waits for an 
opportunity to see many messages encrypted by the same key.  PrivaSoft, being 
a secure commercial product must live in peace with both - allow the user to 
use a repetitive, default key, and deny the cryptoanalyst the pleasure of 
having many messages encrypted by one key.  This is done by using the pseudo-
random "key extension" feature which is described in the PrivaSoft user's 
guide.

The information contents a clear message

If a cryptographic product is properly designed, then the almost only way to 
crack it is to try all possible keys.  If the process is done by a computer, 
the "cracking"" software must be taught to tell the correct key from the 
wrong keys.  This can only be done if there are some properties of the 
decrypted message that are known a - priori.  With the PrivaSoft analogue 
graphical encryption, and with the naturally noisy fax images, a significant 
portion of the page must be reconstructed, and a significant amount of 
mathematical correlation must be calculated between neighboring areas of the 
image, before the cracking software can tell whether the candidate key is 
wrong.  This makes the cracking process much slower than in alphanumeric 
encryption of the text in a natural language.  The 9 digit key, when applied 
to analogue, the graphical encryption is equivalent to a much longer key 
applied to alphanumeric encryption.  The cryptographically oriented user can 
make it very much harder by some smart pre-processing of the image prior to 
its encryption.  A simple example:  For a short message, increasing the font 
size of the text by a factor of 10 will significantly increase the time 
required for breaking the encryption.

Customized versions of PrivaSoft

PrivaSoft is unique in being a one-stop product than can serve all types of 
modern correspondence, including E-mail, fax and paper printouts.  Special 
applications that need and can obtain a license to use non-commercial 
cryptographic engines can be accommodated by special versions of PrivaSoft.  
The cryptographic engine can be customer-furnished and customer integrated, 
however - since in some areas the integration of this product with certain 
cryptographic engines may be considered "munitions", each customized version 
of the product has to be licensed separately in accordance with the laws of 
the territory where it was created and used.

==========================================================================