1998-09-21 - RE: ArcotSign (was Re: Does security depend on hardware?)

Header Data

From: “Lucky Green” <shamrock@netcom.com>
To: “Nick Szabo” <scott@loftesness.com>
Message Hash: 13495559af77f889e78a55fceac87472a954ade34ddc329602c4ef51c208e222
Message ID: <001201bde5dc$6ed105c0$1330c4c2@cypherpunks.aec.at>
Reply To: <199809220131.SAA11293@shell7.ba.best.com>
UTC Datetime: 1998-09-21 14:49:04 UTC
Raw Date: Mon, 21 Sep 1998 22:49:04 +0800

Raw message

From: "Lucky Green" <shamrock@netcom.com>
Date: Mon, 21 Sep 1998 22:49:04 +0800
To: "Nick Szabo" <scott@loftesness.com>
Subject: RE: ArcotSign (was Re: Does security depend on hardware?)
In-Reply-To: <199809220131.SAA11293@shell7.ba.best.com>
Message-ID: <001201bde5dc$6ed105c0$1330c4c2@cypherpunks.aec.at>
MIME-Version: 1.0
Content-Type: text/plain



Nick,

I am somewhat puzzled by your response. Do you assert that a software based
solution, executed on a general purpose CPU under a general purpose OS, can
afford the same protection of whatever the secret in question may be as a
hardware token, such as a smartcard? A hardware token lacking the very API
to extract the secret through software based attacks?

If so, could you please share with us the revolutionary breakthrough in
computer science that negates the effect of decompilers and runtime
debuggers on Arcot's software?

Furthermore, how do you consolidate the claim on Arcot's website that
"ArcotSignTM [...] offers [hardware solution] tamper resistance in software"
with the statement by Arcot's very own cryptographic advisor, Bruce
Schneier, that "Of course. It's less secure than hardware solutions"?

Perhaps I have worked in this industry for too long to fully adjust to the
novel genius displayed in "virtual one-time pads", "virtual smartcards", and
"virtual security".

Thanks,
--Lucky Green <shamrock@netcom.com>
  PGP 5.x  encrypted email preferred

> -----Original Message-----
> From: owner-cryptography@c2.net [mailto:owner-cryptography@c2.net]On
> Behalf Of Nick Szabo
> Sent: Monday, September 21, 1998 18:31
> To: rdl@MIT.EDU; scott@loftesness.com
> Cc: cryptography@c2.net; libtech@lists.best.com
> Subject: Re: ArcotSign (was Re: Does security depend on hardware?)
>
>
>
> I have consulted at both DigiCash and Arcot.  I am still
> under nondisclosure to Arcot, so I can't answer any
> questions about this that go beyond the publicly available
> information.  Arcot has recently made available on their public
> web site "Software Smart Cards via Cryptographic Camouflage", at
> http://www.arcot.com/camo2.html.  At the end of
> this paper is referenced Rivest's "Chaffing and Winnowing"
> paper.  These give a good overview of how such a technology
> can work, and the scope of its application.
>
>
> Nick Szabo
> szabo@best.com
> http://www.best.com/~szabo/
>




