In item #12 in http://www.langalist.com/Plus/newsletters/2001/2001-12-10plus.asp, I asked for your input about "SecureAge," a new email encryption tool. As usual, many LangaList readers not only had great info, but also were very happy to share it generously. A sampling:
Dear Fred: Professionals of proven reputation, like Bruce Schneier, author of the Blowfish and Twofish algorithms, are the best ones to judge cryptographic matters. [As a fan, I would like to recommend his free Crypto-Gram newsletter.] In his February 15, 1999 newsletter, he wrote a piece about "snake-oil" products (i.e., cryptographic systems whose claims exceed their capabilities). See the article at http://www.counterpane.com/crypto-gram-9902.html#snakeoil He has also recommended the following Snake-Oil FAQ:
http://www.interhack.net/people/cmcurtin/snake-oil-faq.html
In reviewing the Secureage web site, I noted their claims that their ciphers provide "128-bit/168-bit security." But I was concerned that they did not identify which algorithms they use. Moreover, I was alarmed that there is no evidence of an independent cryptographic audit. Claims without proof are always suspect in the cryptographic arena. As a rule of thumb, it is wiser to treat any *NEW* cryptographic system as "snake-oil" — until proven otherwise. Sincerely, Marc Wing.
Hi Fred, I went to http://www.secureage.com/ and read about the features and functions of SecureAge, and they appear to be very well conceived. The real test of any encryption tool is the security of the encryption algorithm, though. The only phrase that I could find on their web site that gave any specifics was "PKI security technology." I have no idea what that is. I would have expected to see something like DES, Twofish, Rijndael or Blowfish encryption at least mentioned. It’s not unusual for sharp programmers to develop what seems to them to be uncrackable encryption algorithms, only to have them easily cracked by real experts. Bruce Schneier’s book "Secrets and Lies" does an excellent job of explaining why a long digital security apprenticeship is a must for designing secure encryption software. The short item at
http://www.counterpane.com/crypto-gram-9911.html#EllipticCurvePublic-KeyCryptography
gives some idea of the flavor of his book. In short, I’d want to know a lot more about the credentials of the programmers and the nature of their encryption algorithm before I used SecureAge for any serious security application. Cheers, Philip Spohn
Fred, I make no claim to deep or complete understanding of all the issues brought up in this essay. But since you mentioned Secureage vis-a-vis PKI (item 12, Plus! Edition Extra: Free Encryption/Security Tool), I think it’s worth a read: Counterpane Labs, "Ten Risks of PKI" ( http://www.counterpane.com/pki-risks.html ). Best, Jim
Outstanding info! Thanks to all who wrote in!