Re: encryption


Subject: Re: encryption
From: Aaron Lehmann (aaronl@vitelus.com)
Date: Wed Apr 25 2001 - 18:37:03 CDT


On Wed, Apr 25, 2001 at 07:01:13AM -0400, Leonard Rosenthol wrote:
> >Do you mean you encrypt the whole document twice with different
> >passphrases, or do you encrypt the random passphrase and
> >include it with the doc?
>
> The latter.

If I understand what you're suggesting, it's analogous to the way
OpenPGP works, as well as just about every other application involving
an asymmetric cipher (public/private key). A random (cryptographically
random) key is generated to be used with a symmetric (single-key)
cipher, and this key is encrypted with the asymmetric private key. The
message itself is encrypted using the symmetric cipher, seeded with
the random key.

AFAIK this doesn't have security benefits, and is mainly done because
asymmetric ciphers are slow as hell. Cracking the asymmetric private
key will still give you access to any message encrypted using that
key. Cracking the random symmetric key used for a particular message
will give you the text of that message, but nothing else (although
knowing the symmetric key of a particular message can be useful for a
plaintext attack on the private key).

Does this convince everyone that we shouldn't even try doing crypto
ourselves? ;-).

While I think cryptography is fascinating, I think we are already
blessed with GPL'd, portable C code that implements a standard
designed and implemented by a group of clued, experienced, and
respected people. If we wanted to take advantage of cryptography we
should definitely rely on an OpenPGP implementation such as GPG to do
things for us. Implementing crypto from the ground up is a hassle, and
it's difficult to do well unless you're a skilled cryptographer. Even
if we were to use a widespread algorithm (Blowfish or 3DES), and use
some well-coded version of that, it's always easy to make fatal
mistakes that cause severe bugs. I'm not fiendishly opposed to someone
trying to make a 3DES or Blowfish encryption module for AbiWord, but
I'm merely warning that it's probably not going to work as well or be
nearly as secure as GPG.



This archive was generated by hypermail 2b25 : Wed Apr 25 2001 - 18:37:16 CDT