1997-12-16 - Re: Comparing PGP to Symantec’s Secret Stuff

Header Data

From: Adam Shostack <adam@homeport.org>
To: vin@shore.net
Message Hash: afbcc285461cdb819cc060826b8344b11f6b67edc4ca9cbe4d7eaca723b0f537
Message ID: <199712161856.NAA01873@homeport.org>
Reply To: <v03007800b0bc0c9a7689@[198.115.179.81]>
UTC Datetime: 1997-12-16 19:02:55 UTC
Raw Date: Wed, 17 Dec 1997 03:02:55 +0800

Raw message

From: Adam Shostack <adam@homeport.org>
Date: Wed, 17 Dec 1997 03:02:55 +0800
To: vin@shore.net
Subject: Re: Comparing PGP to Symantec's Secret Stuff
In-Reply-To: <v03007800b0bc0c9a7689@[198.115.179.81]>
Message-ID: <199712161856.NAA01873@homeport.org>
MIME-Version: 1.0
Content-Type: text/plain




Vin,

	Having worked for those multinationals and defense
contractors, I've seen them buy new products with serious weaknesses
in key generation, with year 2000 problems, with stream ciphers used
to protect stored data--keyed the same way each time.  I've seen them
use code that sent cleartext where it should have been encrypting on
the wire.

	I could retire a rich man if I never wanted to come back to
the US.

	Do due dilligence yourself.  Read the snake oil faq.  Insist
on speaking to someone at the vendor with two brain cells to rub
together.  If they claim Acme bought it so you should, too, insist on
speaking to the security folks at Acme who did the eval.  Its your
money.  Its their security product.  Feel free to evaluate it right.
If the vendor won't cooperate, go elsewhere.

	The product I'm building uses 'brand name' cryptography--
libraries and tools from well known sources.  It takes a bit of speed
away (I'd have prefered to use X9.17 over SSL for our bits on the
wire, but I couldn't find a peer reviewed X9.17 library out there.)


Adam


Vin McLellan wrote:

|    The lack of published source code is an issue, but if you see such a
| product being purchased by multinationals or US defense contractors you
| can be certain the implementation -- which is the real arena of
| vulnerability, once the algorithm is chosen -- has been carefully studied
| by informed cryptographers. (For non-American product, look for similar
| purchases by government-connected agencies in the vendor's nation.)



-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume







Thread