From: "David F. Ogren" <ogren@cris.com>
Date: Tue, 30 Jul 1996 22:51:48 +0800
To: cypherpunks@toad.com
Subject: Some Questions RE: Nortons For Your Eyes Only
Message-ID: <199607301045.GAA08042@darius.cris.com>
MIME-Version: 1.0
Content-Type: text/plain

-----BEGIN PGP SIGNED MESSAGE-----

Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

To: cypherpunks@toad.com
Date: Tue Jul 30 06:40:47 1996

For those of you who have not heard it, Norton's For Your Eyes Only is a 
piece of software designed to integrate several encryption functions into 
Win95. Among its features (as I understand it) are automatically 
encrypting/decrypting on the fly (ala Secure Drive), encryption of the HD 
boot info, Command auditing, and a hybrid crypto system based on RSA. 
Several symmetric algorithms are available including RC4, 3DES and 
Blowfish.  Non-US versions do not include the strong crypto algorithms.

I only have second-hand information about this program and have a few 
questions regarding it.

1. Apparently, For Your Eyes Only (FYEO for short) encrypts files using a 
user-selectable symmetric algorithm and then encrypts the session key with 
RSA. Does FYEO store this encrypted session key with the rest of the file 
(like PGP does), or does it keep a central database of encrypted session 
keys? Keeping the session keys centrally would obviously prevent sharing 
files across machines, so I imagine that they must be appended (or 
prepended) to the ciphertext.

2. From what I understand, FYEO prompts you to enter your passphrase when 
logging in and this passphrase unlocks your RSA key. What algorithm is used 
to encrypt the RSA key? I am concerned that an exportable (and therefore 
weak) algorithm is used to protect the RSA key.  This would mean that the 
RSA key could be readily hacked. And if the RSA secret key can be hacked 
easily, it will do no good at all to have strong encryption on the files 
themselves.

3. Does FYEO include any kind of authentication system. If so, what 
signature and message digest algorithms does it use?

Thanks.
- --
David F. Ogren                |
ogren@concentric.net          | "A man without religion is like a fish
PGP Key ID: 0x6458EB29        |  without a bicycle"
- ------------------------------|----------------------------------------
Don't know what PGP is?       | Need my public key?  It's available
Send a message to me with the | by server or by sending me a message
subject GETPGPINFO            | with the subject GETPGPKEY
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQEVAwUBMf3msOSLhCBkWOspAQHN4gf9HeVeJ6a6oKwdmtwcHhFT0cnMjdFIjP4V
zcc7Is7qPSMFTZy+1+IwITiXPUugHdxeJbI2JvUyfptbjllfqvacNGy54iIqRZhz
DPqaQkeZ8hjj843kZQB1/tmcA+np3jR6C3p3s5PC8np8Ld36J8rQZ6DVNi3XSoSh
6rOXlQKpmxZgq2gtCK+wydG39rvMsKDYo+ATqHZbX+0lryi3+4RI6Yi4185rrMW4
8iMwZs7VHFnl7sicaIro101Gc3xmrMzj+lRfa0kR1G3Ek2x9I7TArKRmcz2qonZM
dUJivrjf52rUK+9Mi95HzeI6Sakb6iSIBaP7OO3w/IIIV1W6ufiqIg==
=M3JW
-----END PGP SIGNATURE-----