[Dshield] Virtual Matrix Encryption Hoax?

Stephane Grobety security at admin.fulgan.com
Tue Mar 26 16:29:51 GMT 2002


>> both systems). Any cryptosystem that relies on the secrecy of the
>> algorithm has a severe weakness.


JW> WHAT?  What else is there in a security system than the algorithm?  Policy.

No, the key.

The idea is that an attacker will ALWAYS know the algorithm: you MUST
provide it to him since it's in the form of a "clear text" program.
What is unknown is the key used to create the ciphertext.

Policy has, in fact, nothing to do with the subject at hand (it's a
matter of implementation).

JW> I respectfully disagree with your statement and argue that there are many
JW> fine algorithms out there that will keep things plenty secure.

Sure there are. The point is that these algorithms do not rely on any
secret but the key. That's the point. And that's also why key
management is the biggest problem.

JW> I propose
JW> that any cryptosystem that is implemented with poor policy has a severe
JW> weakness.

What exactly do you mean by "policy"? I can't quite follow you here.
Do you mean "key exchange"? Do you mean "Do not store your PGP
pass phrase on a sticky note under your keyboard"?

-- 
Best regards,
 Stephane                            mailto:security at admin.fulgan.com



