1995-11-22 - Re: PKZIP - Encryption

Header Data

From: “W. Kinney” <kinney@bogart.Colorado.EDU>
To: cypherpunks@toad.com
Message Hash: b4eeea084a7b1bd18d1ed75169044196c381b0d39e706c1b9cb4c139c535531f
Message ID: <199511220607.XAA12915@bogart.Colorado.EDU>
Reply To: <Pine.A32.3.91.951122064257.46049A-100000@carmel.haifa.ac.il>
UTC Datetime: 1995-11-22 06:31:03 UTC
Raw Date: Wed, 22 Nov 1995 14:31:03 +0800

Raw message

From: "W. Kinney" <kinney@bogart.Colorado.EDU>
Date: Wed, 22 Nov 1995 14:31:03 +0800
To: cypherpunks@toad.com
Subject: Re: PKZIP - Encryption
In-Reply-To: <Pine.A32.3.91.951122064257.46049A-100000@carmel.haifa.ac.il>
Message-ID: <199511220607.XAA12915@bogart.Colorado.EDU>
MIME-Version: 1.0
Content-Type: text/plain



L. DEkel writes:

>
>     "Perry E. Metzger" writes:
> > I could see why one would want to use a weak encryption system if it
> > bought you something. However, good encryption systems are as cheap to
> > use as bad ones. Therefore, why ever use a bad one? If the top of the
> > line lock costs the same amount as a toy lock, why buy a toy?
> 
> There is the question of convenience (security=1/convenience - postulate),
> people don't like to pass their plaintext through several utils, where one
> compresses it, the other encrypts etc., they want a convenient util to use.

I think the point is that the postulate is true only because the people
who write "convenient" software usually either don't have a proper clue
about security or are afraid of crossing ITAR. Secure encryption algorithms
are intrinsically no less convenient than insecure ones. Quite the opposite,
from what I've seen: secure algorithms tend toward simplicity, because
it's easier to prove theorems with a simple algorithm than with a 
convoluted one. RC4 is a fine example of this, astonishingly uncomplicated.

It's as easy to drop IDEA into a compression/archiving utility as it is
to put in the dreaded "proprietary" algorithm. Easier. And if you don't want
to pay the licensing fees, use Blowfish or 3-DES. Why these companies don't
is a anybody's guess. Take the example of StuffIt on the Mac, which
started out with DES and moved to some internally produced algorithm for
reasons no one at Aladdin has been willing to explain to me, even when
I asked with relative bluntness. Evidently, it was worth some trouble to
them to _reduce_ their security, of all things. That is a sad, sad 
situation. 

(No particular flame on Aladdin, other than the obvious technical one. They're
a fine bunch of folks, from my experience.)


                                  -- Will







Thread