From: MrD on 9 Jul 2010 10:14

Tom St Denis wrote:
> Most people don't actually need privacy or non-repudiation on their
> emails. And people who truly need it will tend to use it.

Conversely, non-repudiation could actually be the opposite of what someone wants. I do not want all of my email rendered proof against repudiation. I might one day want to send a single, non-repudiable email; but that occasion hasn't arisen yet. No-one that I deal with that needs non-repudiable documents from me (bankers, lawyers) is organisationally capable of accepting them by email.

By systematically encrypting all my email, I create a store of documents that might be used to *prove* I said such-and-such to so-and-so on yea date. I can't see into the future, and I can't be sure that the ready availability of such proof might not be against my interests at some future date. Hell, I don't know what's in my mailstore - it goes back 15 years.

So while I'm broadly in favour of "pervasive encryption", I don't encrypt email bodies. However my mailserver will use crypto on the wire with crypto-enabled peers. That doesn't seem to me to present the same order of threat; in fact I can't conceive of any way that could harm me at all.

--
MrD.

From: Francois Grieu on 9 Jul 2010 11:40

On 09/07/2010 15:35, Tom St Denis wrote:
> On Jul 9, 9:32 am, Globemaker <alanfolms...(a)cabanova.com> wrote:
>> Here's an idea, use a stable website as keying material. Find a
>> website that has a text story of about 20 kilobytes. The text must
>> remain unchanged for years. Use that as a one time pad OTP to XOR with
>> the message. The message has a plaintext preamble that gives an offset
>> number that defines which character is the beginning of the OTP. The
>> preamble also gives the URL of the website.
>>
>> As an example, look at the "web archive dot org" http://web.archive.org/web/20060708173816/www.reliefglobe.com/index.html
>> There are many stable archived stories on that giant website. That is
>> simple.
>
> And you want to publish a blog on cryptography that people are
> supposed to read?

To decipher what Tom said: it is a criticism masquerading as a question. Globemaker's algorithm is beyond weak, to the point that proposing it demonstrates ignorance of the basics of cryptography:
- the material on that stable website is public, hence unsuitable as a key for a symmetric cipher (including an OTP);
- the material on that stable website is not uniformly random, thus unsuitable as an OTP;
- reuse of the OTP, a well-documented sin as demonstrated by important historical breaks, seems encouraged or at least not prohibited.

Francois Grieu
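
Added example, not part of Francois Grieu's post or of the thread: the three objections listed above, checked in Python against the scheme as Globemaker describes it. The pad text, the two messages, the offset and all function names are constructed assumptions standing in for the web page and real traffic.

```python
import math
from collections import Counter

# Constructed stand-in for the text of the "stable website" (an assumption;
# any English prose behaves the same way).
PAD_TEXT = (b"It was a quiet morning in the village, and the relief workers "
            b"had only just begun to unload the trucks when the rain started "
            b"again. Nobody spoke; they had all seen this before.")

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def web_pad_crypt(data: bytes, offset: int) -> bytes:
    """The proposed scheme: XOR with page text starting at a published offset.
    XOR is its own inverse, so this both encrypts and decrypts."""
    pad = PAD_TEXT[offset:offset + len(data)]
    return xor_bytes(data, pad)  # raises if the page text runs out

def entropy_bits_per_byte(data: bytes) -> float:
    """Empirical Shannon entropy; a uniformly random pad approaches 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

# Constructed sample messages of equal length, both sent with offset 10.
M1 = b"meet at the north gate at nine"
M2 = b"send the signed forms by noon!"
C1, C2 = web_pad_crypt(M1, 10), web_pad_crypt(M2, 10)

def findings() -> dict:
    return {
        # 1. Public key material: URL and offset travel in the plaintext
        #    preamble, so every reader of the message holds the "key".
        "decrypts_with_public_data": web_pad_crypt(C1, 10) == M1,
        # 2. Non-uniform pad: prose carries far less than 8 bits per byte,
        #    and ASCII XOR ASCII never sets the top bit of a ciphertext byte.
        "pad_entropy": entropy_bits_per_byte(PAD_TEXT),
        "ciphertext_high_bit_always_zero": all(b < 0x80 for b in C1 + C2),
        # 3. Reuse: the pad cancels, leaving the XOR of the two plaintexts.
        "reuse_cancels_pad": xor_bytes(C1, C2) == xor_bytes(M1, M2),
    }

if __name__ == "__main__":
    for name, value in findings().items():
        print(name, value)
```

A true one-time pad fails all three checks: the pad is secret, its entropy approaches 8 bits per byte, and no stretch of it is ever used for a second message.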

From: Mok-Kong Shen on 9 Jul 2010 13:59

Globemaker wrote:
> I have no valuable secrets to communicate to anyone
> using crypto.

So you shouldn't care about crypto, I would surmise.

Lest there be misunderstanding, I like to say that my theme implies also that ideally all encryption algorithms used will be simple ones, since the complexity is not 'necessary'. Note that in cases where specially high security is needed, one could achieve that with e.g. multiple encryptions.

M. K. Shen

From: Tom St Denis on 9 Jul 2010 14:35

On Jul 9, 1:59 pm, Mok-Kong Shen <mok-kong.s...(a)t-online.de> wrote:
> Globemaker wrote:
> > I have no valuable secrets to communicate to anyone
> > using crypto.
>
> So you shouldn't care about crypto, I would surmise.
>
> Lest there be misunderstanding, I like to say that my
> theme implies also that ideally all encryption algorithms
> used will be simple ones, since the complexity is not
> 'necessary'. Note that in cases where specially high security is
> needed, one could achieve that with e.g. multiple encryptions.

RSA, ECC, AES, etc. aren't really that complicated if you don't care about performance.

Tom

From: Maaartin on 9 Jul 2010 19:02

On Jul 9, 7:59 pm, Mok-Kong Shen <mok-kong.s...(a)t-online.de> wrote:
> Lest there be misunderstanding, I like to say that my
> theme implies also that ideally all encryption algorithms
> used will be simple ones, since the complexity is not
> 'necessary'.

You miss the point. Most people don't care about the complexity of an algorithm, most of them even have no clue what an algorithm is. And they won't understand it, be it your alg or AES or whatever. They don't care and they needn't. The majority of computer users is hardly capable of sending emails, if they get it preset so that it's PGP encrypted and they're smart enough not to give the password to everybody, everything's fine.

I'd never use an encryption schema of yours or mine, simply because I don't need to. You can't make it more comfortable to use since it's nearly perfect. You can't make it more secure, since you can't hire dozens of cryptographers to analyze it. You can't make it noticeably faster since I don't notice the time it takes at all.

> Note that in cases where specially high security is
> needed, one could achieve that with e.g. multiple encryptions.

Sure, but e.g. PGP is much more secure than my computer or my password, and I'm not gonna put a stronger lock on my door when the window is open.