From: David Honig <honig@otc.net>
To: Pearson Shane <whgiii@invweb.net>
Message Hash: 9ea3c915b25509d5f973fc48e5947e82ea29c097fb177d02031f62612dac5654
Message ID: <3.0.5.32.19980123100807.007ec770@206.40.207.40>
Reply To: <01ISPZTCTU9U00AS02@hmgwy1.isd.tafensw.edu.au>
UTC Datetime: 1998-01-23 19:21:06 UTC
Raw Date: Sat, 24 Jan 1998 03:21:06 +0800
From: David Honig <honig@otc.net>
Date: Sat, 24 Jan 1998 03:21:06 +0800
To: Pearson Shane <whgiii@invweb.net>
Subject: RE: FW: Symantec Norton, Your Eyes Only.
In-Reply-To: <01ISPZTCTU9U00AS02@hmgwy1.isd.tafensw.edu.au>
Message-ID: <3.0.5.32.19980123100807.007ec770@206.40.207.40>
MIME-Version: 1.0
Content-Type: text/plain
At 03:46 PM 1/23/98 +1100, Pearson Shane wrote:
>Hi William,
>
>Many thanks for the reply.
>
>I was hoping it was ok having Blowfish,
>but I guess it could be their own
>"efficient" version.
>
>Bye for now.
>
WHGIII gave you the most conservative answer. That is, in cryptology, the
correct answer.
A more detailed analysis would say:
* the blowfish algorithm is considered strong for various reasons
* IFF the Norton program were written correctly
(not just the algorithm implementation, but key hiding,
worrying about getting swapped onto disk by the OS, etc.)
then it would be a useful tool for security.
* Without examining the source, any assumption of security
from using the tool relies *absolutely* on your trust of the
implementor.
(In a Turing award paper, Ritchie described how you
implicitly must trust your compiler-writers too.. the
compiler could have clandestine functions like inserting
extra code when it recognizes patterns)
So you see how WHGIII was correct, although for practical
purposes (depending on the value of your data and the
attackers you anticipate, plus the security of the rest of your
system (only as strong as the weakest link)) you may find this tool acceptable
in the non-exportable version. Keylength-limited versions are worthless
from a security viewpoint.
But on this mailing list, you won't find the yes/no answer
you probably want. Which is probably correct behavior for this list.
Cheers,
------------------------------------------------------------
David Honig Orbit Technology
honig@otc.net Intaanetto Jigyoubu
"The tragedy of Galois is that he could have contributed so much
more to mathematics if he'd only spent more time on his marksmanship."
Return to January 1998
Return to “Pearson Shane <Shane.Pearson@tafensw.edu.au>”