Discussion:
Can PGP be Cracked?
(too old to reply)
beebs
2009-02-01 14:04:04 UTC
Permalink
I have created a 2k PGP DH key and was wondering if this is hard enough to
prevent it from being cracked? Also would we the public ever know, if the NSA
had the capability to crack PGP?
A 2k key is a little weak, but still uncrackable.

If the NSA could crack pgp, we'd never know.

Worry about somebody doing a blackbag job
on your house and installing a keylogger.

beebs
just a chemist
JTF
2009-02-01 16:24:56 UTC
Permalink
Post by beebs
I have created a 2k PGP DH key and was wondering if this is hard enough to
prevent it from being cracked? Also would we the public ever know, if the NSA
had the capability to crack PGP?
A 2k key is a little weak, but still uncrackable.
If the NSA could crack pgp, we'd never know.
Worry about somebody doing a blackbag job
on your house and installing a keylogger.
beebs
just a chemist
The first attack would be a dictionary attack as the WEAKEST LINK is
in the password. If you choose to use PGP, then you should choose a
password that is NOT a word and contains a mixture if upper and lower
case letters as well as numbers in no particular order. For more
memorable passwords use words, but mnemonics as simple as:

If you want to use the word "intrepid", change it to 1ntr3p1p

Other suggestions here
http://uit.tufts.edu/?pid=232
David E. Ross
2009-02-01 16:32:39 UTC
Permalink
Post by JTF
Post by beebs
I have created a 2k PGP DH key and was wondering if this is hard enough to
prevent it from being cracked? Also would we the public ever know, if the NSA
had the capability to crack PGP?
A 2k key is a little weak, but still uncrackable.
If the NSA could crack pgp, we'd never know.
Worry about somebody doing a blackbag job
on your house and installing a keylogger.
beebs
just a chemist
The first attack would be a dictionary attack as the WEAKEST LINK is
in the password. If you choose to use PGP, then you should choose a
password that is NOT a word and contains a mixture if upper and lower
case letters as well as numbers in no particular order. For more
If you want to use the word "intrepid", change it to 1ntr3p1p
Other suggestions here
http://uit.tufts.edu/?pid=232
Note that PGP documents discuss passphrases, not passwords. For PGP,
use complete sentences -- with spaces and punctuation -- for passphases.
Or even use two or more sentences.
--
David E. Ross
<http://www.rossde.com/>.

Don't ask "Why is there road rage?" Instead, ask
"Why NOT Road Rage?" or "Why Is There No Such
Thing as Fast Enough?"
<http://www.rossde.com/roadrage.html>
JTF
2009-02-01 16:35:10 UTC
Permalink
Post by JTF
Post by beebs
I have created a 2k PGP DH key and was wondering if this is hard enough to
prevent it from being cracked? Also would we the public ever know, if the NSA
had the capability to crack PGP?
A 2k key is a little weak, but still uncrackable.
If the NSA could crack pgp, we'd never know.
Worry about somebody doing a blackbag job
on your house and installing a keylogger.
beebs
just a chemist
The first attack would be a dictionary attack as the WEAKEST LINK is
in the password.  If you choose to use PGP, then you should choose a
password that is NOT a word and contains a mixture if upper and lower
case letters as well as numbers in no particular order.  For more
If you want to use the word "intrepid", change it to 1ntr3p1p
Other suggestions here
http://uit.tufts.edu/?pid=232
Note that PGP documents discuss passphrases, not passwords.  For PGP,
use complete sentences -- with spaces and punctuation -- for passphases.
 Or even use two or more sentences.
--
David E. Ross
<http://www.rossde.com/>.
Don't ask "Why is there road rage?"  Instead, ask
"Why NOT Road Rage?" or "Why Is There No Such
Thing as Fast Enough?"
<http://www.rossde.com/roadrage.html>
That would be more secure, but after I come up with a sentence,
changing the words to mnemonics would increase the security of your
encryption.
Charlie Kroeger
2009-02-01 17:47:20 UTC
Permalink
Post by David E. Ross
passphrases, not passwords. For PGP,
use complete sentences -- with spaces and punctuation -- for passphases.
Have some fun with your passphrase whilst making it strong:

http://world.std.com/~reinhold/diceware.html

The dice are always rolling.
--
CK
Strider
2009-02-02 13:02:43 UTC
Permalink
Post by Charlie Kroeger
Post by David E. Ross
passphrases, not passwords. For PGP,
use complete sentences -- with spaces and punctuation -- for passphases.
http://world.std.com/~reinhold/diceware.html
The dice are always rolling.
Just visited that link. Looks like Yahtzee would be the perfect game to use
(5 dice)!

Strider
Zax
2009-02-02 13:59:28 UTC
Permalink
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

["Followup-To:" header set to alt.privacy.anon-server.]
On Sun, 01 Feb 2009 12:47:20 -0500, Charlie Kroeger wrote in
Post by Charlie Kroeger
The dice are always rolling.
If you're running something Posix based, this one-liner works nicely for
me:
dd if=/dev/urandom count=1 2> /dev/null | base64 | sed -ne 2p | cut -c-20

The 20 on the end defines the password length.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEAREKAAYFAkmG/EAACgkQlKZ6CY7Vd0P5CQCaAtWuuTM0c4COB/HHVwqPdlwa
inIAoIWkaI7EdBmUposZIqQ7dKH4+ZJo
=Cj+7
-----END PGP SIGNATURE-----
--
pub 1024D/8ED57743 2003-07-08 Bananasplit Operator
Key fingerprint = 796F 67E0 E890 A0BB BDAE EBB4 94A6 7A09 8ED5 7743
uid Admin <admin.bananasplit.info>
Ari©
2009-02-08 23:04:07 UTC
Permalink
Post by JTF
The first attack would be a dictionary attack as the WEAKEST LINK is
in the password. If you choose to use PGP, then you should choose a
password that is NOT a word and contains a mixture if upper and lower
case letters as well as numbers in no particular order. For more
If you want to use the word "intrepid", change it to 1ntr3p1p
Horsehit. Long tested, arithmetically vetted, long passwords are more
secure than shorter, multi-character ones.
--
Meet Ari! http://tr.im/1fa3
"To get concrete results, you have to be confrontational".
John Smith
2009-03-17 22:21:41 UTC
Permalink
Post by Ari©
Post by JTF
The first attack would be a dictionary attack as the WEAKEST LINK is
in the password. If you choose to use PGP, then you should choose a
password that is NOT a word and contains a mixture if upper and lower
case letters as well as numbers in no particular order. For more
If you want to use the word "intrepid", change it to 1ntr3p1p
Horsehit. Long tested, arithmetically vetted, long passwords are more
secure than shorter, multi-character ones.
Oh my god, you post here too
Unruh
2009-03-17 23:38:00 UTC
Permalink
Post by Ari©
Post by JTF
The first attack would be a dictionary attack as the WEAKEST LINK is
in the password. If you choose to use PGP, then you should choose a
password that is NOT a word and contains a mixture if upper and lower
case letters as well as numbers in no particular order. For more
If you want to use the word "intrepid", change it to 1ntr3p1p
Horsehit. Long tested, arithmetically vetted, long passwords are more
What is a "long tested, arighmetically vetted" password?
Post by Ari©
secure than shorter, multi-character ones.
You advise long single character passwords?
rrrrrrrrrrrrrrrrrrrrrrr ?
JTF
2009-03-18 00:04:55 UTC
Permalink
Post by Unruh
Post by Ari©
Post by JTF
The first attack would be a dictionary attack as the WEAKEST LINK is
in the password.  If you choose to use PGP, then you should choose a
password that is NOT a word and contains a mixture if upper and lower
case letters as well as numbers in no particular order.  For more
If you want to use the word "intrepid", change it to 1ntr3p1p
Horsehit. Long tested, arithmetically vetted, long passwords are more
What is a "long tested, arighmetically vetted" password?
Post by Ari©
secure than shorter, multi-character ones.
You advise long single character passwords?
rrrrrrrrrrrrrrrrrrrrrrr ?
Your best bet is to use a pass PHRASE rather than a word. Then to
increase the effectiveness of such a password, make that phrase a
alpha-numeric such as:
I like antique cars, especially the Model-T
become
1 l1k3 4n71qu3 c4r5, 35p3c1lly 7h3 M0d3l-7
Unruh
2009-03-18 03:09:56 UTC
Permalink
Post by JTF
Post by Unruh
Post by Ari©
Post by JTF
The first attack would be a dictionary attack as the WEAKEST LINK is
in the password. =A0If you choose to use PGP, then you should choose =
a
Post by Unruh
Post by Ari©
Post by JTF
password that is NOT a word and contains a mixture if upper and lower
case letters as well as numbers in no particular order. =A0For more
If you want to use the word "intrepid", change it to 1ntr3p1p
Horsehit. Long tested, arithmetically vetted, long passwords are more
What is a "long tested, arighmetically vetted" password?
Post by Ari©
secure than shorter, multi-character ones.
You advise long single character passwords?
rrrrrrrrrrrrrrrrrrrrrrr ?
Your best bet is to use a pass PHRASE rather than a word. Then to
increase the effectiveness of such a password, make that phrase a
I like antique cars, especially the Model-T
become
1 l1k3 4n71qu3 c4r5, 35p3c1lly 7h3 M0d3l-7
Which is the same as the previous suggestion ( except with a longer
phrase). I will buy longer=better, but I still want to know what a
Uni-character, Long tested, arithmetically vetted password is.
Admins
2009-03-18 06:31:00 UTC
Permalink
Post by Unruh
Post by Ari©
Post by JTF
The first attack would be a dictionary attack as the WEAKEST LINK is
in the password. If you choose to use PGP, then you should choose a
password that is NOT a word and contains a mixture if upper and lower
case letters as well as numbers in no particular order. For more
If you want to use the word "intrepid", change it to 1ntr3p1p
Horsehit. Long tested, arithmetically vetted, long passwords are more
What is a "long tested, arighmetically vetted" password?
Post by Ari©
secure than shorter, multi-character ones.
You advise long single character passwords?
rrrrrrrrrrrrrrrrrrrrrrr ?
Try the password generator here:

http://www.privacyoffshore.net/links.html

Lot's of options with an estimated time to crack, regards
Unruh
2009-03-18 23:34:04 UTC
Permalink
This is a multi-part message in MIME format.
--------------030702010101060201000402
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
Post by Unruh
Post by Ari©
Post by JTF
The first attack would be a dictionary attack as the WEAKEST LINK is
in the password. If you choose to use PGP, then you should choose a
password that is NOT a word and contains a mixture if upper and lower
case letters as well as numbers in no particular order. For more
If you want to use the word "intrepid", change it to 1ntr3p1p
Horsehit. Long tested, arithmetically vetted, long passwords are more
What is a "long tested, arighmetically vetted" password?
Post by Ari©
secure than shorter, multi-character ones.
You advise long single character passwords?
rrrrrrrrrrrrrrrrrrrrrrr ?
http://www.privacyoffshore.net/links.html
Lot's of options with an estimated time to crack, regards
I know how to choose my passwords. I just want to know what a
uni-character, long tested, arithmetically vetted password is.

Note that I sure would not trust some web page to give me passwords.
It indicates that the person who set that up had no idea whatsoever about
what security was all about.
--------------030702010101060201000402
Content-Type: text/x-vcard; charset=utf-8;
name="invalid.vcf"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
filename="invalid.vcf"
begin:vcard
fn:Admins
n:;Admins
org:Privacy Offshore
note;quoted-printable:* www.privacyoffshore.net (No Logs Net Browsing)=0D=0A=
* Anonymous Secure Offshore SSH-2 Surfing Tunnels=0D=0A=
* Anonymous Mail & News through SSH-2 Tunnels=0D=0A=
* Free Resources and Privacy Software=0D=0A=
url:http://www.privacyoffshore.net
version:2.1
end:vcard
--------------030702010101060201000402--
Ari®
2009-03-18 16:45:28 UTC
Permalink
Post by Unruh
Post by Ari©
secure than shorter, multi-character ones.
You advise long single character passwords?
rrrrrrrrrrrrrrrrrrrrrrr ?
Is that how you misread that?
--
http://tr.im/1fa6
s***@lsajfd.com
2009-03-19 19:44:10 UTC
Permalink
Post by Unruh
Post by Ari©
Post by JTF
The first attack would be a dictionary attack as the WEAKEST LINK is
in the password. If you choose to use PGP, then you should choose a
password that is NOT a word and contains a mixture if upper and lower
case letters as well as numbers in no particular order. For more
If you want to use the word "intrepid", change it to 1ntr3p1p
Horsehit. Long tested, arithmetically vetted, long passwords are more
What is a "long tested, arighmetically vetted" password?
Post by Ari©
secure than shorter, multi-character ones.
You advise long single character passwords?
rrrrrrrrrrrrrrrrrrrrrrr ?
There's bullshit and then there are the facts.

http://world.std.com/~reinhold/dicewarefaq.html

Anonymous
2009-03-18 00:32:43 UTC
Permalink
Post by John Smith
Post by Ari©
Post by JTF
The first attack would be a dictionary attack as the WEAKEST LINK is
in the password. If you choose to use PGP, then you should choose a
password that is NOT a word and contains a mixture if upper and lower
case letters as well as numbers in no particular order. For more
If you want to use the word "intrepid", change it to 1ntr3p1p
If somebody figures out the password to your secret key, does it do him
any good if he does not have your secret key?
Post by John Smith
Post by Ari©
Horsehit. Long tested, arithmetically vetted, long passwords are more
secure than shorter, multi-character ones.
Oh my god, you post here too
David E. Ross
2009-03-18 15:01:33 UTC
Permalink
Post by Anonymous
If somebody figures out the password to your secret key, does it do him
any good if he does not have your secret key?
No. Without your secret key, the passphase is useless.

However, they cannot know if they have figured out your passphrase
unless they can test it with your secret key. In general, the first
step is to get your secret key and then determine your passphrase.
That's how police and other government agencies would work. All they
need to seize your computer is a search warrant or merely a Bush order.
--
David E. Ross
<http://www.rossde.com/>.

Don't ask "Why is there road rage?" Instead, ask
"Why NOT Road Rage?" or "Why Is There No Such
Thing as Fast Enough?"
<http://www.rossde.com/roadrage.html>
Frank Merlott
2009-03-18 20:30:29 UTC
Permalink
Post by David E. Ross
Post by Anonymous
If somebody figures out the password to your secret key, does it do him
any good if he does not have your secret key?
No. Without your secret key, the passphase is useless.
However, they cannot know if they have figured out your passphrase
unless they can test it with your secret key. In general, the first
step is to get your secret key and then determine your passphrase.
That's how police and other government agencies would work. All they
need to seize your computer is a search warrant or merely a Bush order.
The police in some countries, for example Britan, has now the right to
hack into your computer without a court order. This would be a good way
to get your secret key and your password.
--
Privacylover: http://www.privacylover.com
JTF
2009-03-18 23:28:00 UTC
Permalink
Post by Frank Merlott
Post by Anonymous
If somebody figures out the password to your secret key, does it do him
any good if he does not have your secret key?
No.  Without your secret key, the passphase is useless.
However, they cannot know if they have figured out your passphrase
unless they can test it with your secret key.  In general, the first
step is to get your secret key and then determine your passphrase.
That's how police and other government agencies would work.  All they
need to seize your computer is a search warrant or merely a Bush order.
The police in some countries, for example Britan, has now the right to
hack into your computer without a court order. This would be a good way
to get your secret key and your password.
--
Privacylover:http://www.privacylover.com
Store your keys OFFLINE and on an encrypted volume
Non scrivetemi
2009-03-18 23:34:02 UTC
Permalink
Post by Frank Merlott
The police in some countries, for example Britan, has now the right
to hack into your computer without a court order. This would be a
good way to get your secret key and your password.
Do you mean they have the authority to forcibly enter your home and
gain physical control of your computer, or do you mean they have the
authority to do this electronically somehow, or do you mean something
else entirely?

If it's a typical electronic exploit, all that's probably necessary is
to stop using Windows if that's what you've got.

You could probably use another PC, not at all connected to the
internet to do all your key management and encrypting. You can even
generate encrytped emails on it. Then download them to a USB key and
upload on the PC connected to the internet and out you go.

If they hack the PC connected to the internet they'll see nothing.
Strider
2009-03-19 18:38:18 UTC
Permalink
Post by Non scrivetemi
You could probably use another PC, not at all connected to the
internet to do all your key management and encrypting. You can even
generate encrytped emails on it. Then download them to a USB key and
upload on the PC connected to the internet and out you go.
If they hack the PC connected to the internet they'll see nothing.
Or you could put both PCs on a secure home network. Create & encrypt on the
offline PC, save to the "shared documents" (or whatever) folder and retrieve
it on the online PC. Do the reverse for decrypting inbound messages. (For
those who don't like "sneakernet".)
Ari©
2009-02-08 23:02:34 UTC
Permalink
Post by beebs
A 2k key is a little weak, but still uncrackable.
Then it's not weak.
--
Meet Ari! http://tr.im/1fa3
"To get concrete results, you have to be confrontational".
Juergen Nieveler
2009-02-08 23:15:32 UTC
Permalink
Post by Ari©
Post by beebs
A 2k key is a little weak, but still uncrackable.
Then it's not weak.
Depends. How old you are planning to get? ;-)


Juergen Nieveler
--
There's many a boy here today who looks on war as all glory, but, boys, it
is all hell.
Gen. William T. Sherman
Ed
2009-02-09 00:02:38 UTC
Permalink
Post by Juergen Nieveler
Post by Ari©
Post by beebs
A 2k key is a little weak, but still uncrackable.
Then it's not weak.
Depends. How old you are planning to get? ;-)
Juergen Nieveler
I don't know about Ari, but I'm planning on at least another
500 years :-)


- --
http://blogdoofus.com
http://tinfoilchef.com
http://www.domaincarryout.com
Un-official Freenet 0.5 alternative download
http://peculiarplace.com/freenet/
Mixminion Message Sender, Windows GUI Frontend for Mixminion
http://peculiarplace.com/mixminion-message-sender/
Ari©
2009-02-09 17:20:33 UTC
Permalink
Post by Zax
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Post by Juergen Nieveler
Post by Ari©
Post by beebs
A 2k key is a little weak, but still uncrackable.
Then it's not weak.
Depends. How old you are planning to get? ;-)
Juergen Nieveler
I don't know about Ari, but I'm planning on at least another
500 years :-)
Anyone ever call you a pessimist?

The point I was making, weakly, this week, while I am planning to live,
is that if something is uncrackable, I timidly suggest it cannot be
weak.
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
Ed
2009-02-09 17:25:08 UTC
Permalink
Post by Ari©
Post by Zax
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Post by Juergen Nieveler
Post by Ari©
Post by beebs
A 2k key is a little weak, but still uncrackable.
Then it's not weak.
Depends. How old you are planning to get? ;-)
Juergen Nieveler
I don't know about Ari, but I'm planning on at least
another 500 years
:-)
Anyone ever call you a pessimist?
Actually, yeah, sometimes.
Post by Ari©
The point I was making, weakly, this week, while I am
planning to live, is that if something is uncrackable, I
timidly suggest it cannot be weak.
Makes sense to me.

- --
http://blogdoofus.com
http://tinfoilchef.com
http://www.domaincarryout.com
Un-official Freenet 0.5 alternative download
http://peculiarplace.com/freenet/
Mixminion Message Sender, Windows GUI Frontend for Mixminion
http://peculiarplace.com/mixminion-message-sender/
JTF
2009-02-09 23:06:23 UTC
Permalink
Post by Zax
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Post by Ari©
Post by Zax
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Post by Juergen Nieveler
Post by Ari©
Post by beebs
A 2k key is a little weak, but still uncrackable.
Then it's not weak.
Depends. How old you are planning to get? ;-)
Juergen Nieveler
I don't know about Ari, but I'm planning on at least
another 500 years
 :-)
Anyone ever call you a pessimist?
Actually, yeah, sometimes.
Post by Ari©
The point I was making, weakly, this week, while I am
planning to live, is that if something is uncrackable, I
timidly suggest it cannot be weak.
Makes sense to me.
- --http://blogdoofus.comhttp://tinfoilchef.comhttp://www.domaincarryout.com
Un-official Freenet 0.5 alternative downloadhttp://peculiarplace.com/freenet/
Mixminion Message Sender, Windows GUI Frontend for Mixminionhttp://peculiarplace.com/mixminion-message-sender/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32) - GPGshell v3.70
iQEVAwUBSZBm73V+YnyE1GYEAQjE9wf/WawTgO8magNUw8EIFQJ+RRwbJVTkQ5
mJ
6Hv+yYtVI8qLLSR5q2yaCUDB1hwJXAjtJthoBuo7kX4ugoov2vBVRe9eQfm4Po
rD
46YE6yuVt+PWNdW/ExUVHnvcJQ3PfZEWyiPWUcxcJ41QE7J51Ig+Km6SD+vbk4
ny
frmjjcYCMKGdy7WdVlRpRH2l8lamOc7goqZx3p4bjCA/eTthTsYxACvchj8Jmm
4C
79POPrH15HLObXkSYQ2OZidzu8IkAlywCDiesbOzWMFkLwc+HcLdhBAyEfdKjx
mI
qRHZL9uSkyENClJU4LHbRPlw47PuOsoTwApdPJ9h6Qlo72sWwXwmyg==
=I1tp
-----END PGP SIGNATURE-----
Something to think about
PGP X may become crackable/hackable, and unless you plan on never
upgrading to the latest and greatest encryption, then plan on
evetually having your encrypted stuff pried open. So it really
becomes a moving target. As soon as "they" get close to cracking and
encryption scheme, the target moves and the research must start over.

As long as there is an interest in keeping things private, there will
be better and better encryption.
Ari©
2009-02-10 05:55:48 UTC
Permalink
Post by JTF
Something to think about
PGP X may become crackable/hackable, and unless you plan on never
upgrading to the latest and greatest encryption, then plan on
evetually having your encrypted stuff pried open.
And that would be...........
Post by JTF
So it really
becomes a moving target. As soon as "they" get close to cracking and
encryption scheme, the target moves and the research must start over.
As long as there is an interest in keeping things private, there will
be better and better encryption.
Don't hog the crack pipe.
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
Juergen Nieveler
2009-02-10 19:26:33 UTC
Permalink
Post by Ari©
Post by JTF
Something to think about
PGP X may become crackable/hackable, and unless you plan on never
upgrading to the latest and greatest encryption, then plan on
evetually having your encrypted stuff pried open.
And that would be...........
Well, somebody MIGHT solve the mathematical problems behind the very
algorithms you are using - that would mean ALL keys using those
algorithms would be broken, regardless of length.

Burte Force is out of the question unless somebody builds a working QC,
of course.

Juergen Nieveler
--
"Down in Washington they're playing with Social Security like it's some
kind of government program!" George W. Bush
Ari©
2009-02-10 22:25:54 UTC
Permalink
Post by Juergen Nieveler
Post by Ari©
Post by JTF
Something to think about
PGP X may become crackable/hackable, and unless you plan on never
upgrading to the latest and greatest encryption, then plan on
evetually having your encrypted stuff pried open.
And that would be...........
Well, somebody MIGHT solve the mathematical problems behind the very
algorithms you are using - that would mean ALL keys using those
algorithms would be broken, regardless of length.
Burte Force is out of the question unless somebody builds a working QC,
of course.
Juergen Nieveler
True but I was asking the poster who had "the latest and greatest
encryption" in his opinion.
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
JTF
2009-02-11 00:42:05 UTC
Permalink
Post by Ari©
Post by Juergen Nieveler
Post by Ari©
Post by JTF
Something to think about
PGP X may become crackable/hackable, and unless you plan on never
upgrading to the latest and greatest encryption, then plan on
evetually having your encrypted stuff pried open.
And that would be...........
Well, somebody MIGHT solve the mathematical problems behind the very
algorithms you are using - that would mean ALL keys using those
algorithms would be broken, regardless of length.
Burte Force is out of the question unless somebody builds a working QC,
of course.
Juergen Nieveler
True but I was asking the poster who had "the latest and greatest
encryption" in his opinion.
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
That is all a matter of opinion. Open source is good, but usually
lags behind the commercial PGP software. PGP is trusted for business
and government but open source solutions can't touch the commercial
algorithms because of patents and copyrights, so it will always be
second best.

Keeping your encryption software up to date will keep you at least on
the curve and remember, it is Pretty Good Privacy, not absolute
privacy.....a reasonable effort to keep your secret keys secret should
be "Pretty Good" for your privacy.

Nothing is guaranteed.
Unruh
2009-02-11 04:07:58 UTC
Permalink
Post by JTF
Post by Ari©
Post by Juergen Nieveler
Post by Ari©
Post by JTF
Something to think about
PGP X may become crackable/hackable, and unless you plan on never
upgrading to the latest and greatest encryption, then plan on
evetually having your encrypted stuff pried open.
And that would be...........
Well, somebody MIGHT solve the mathematical problems behind the very
algorithms you are using - that would mean ALL keys using those
algorithms would be broken, regardless of length.
Burte Force is out of the question unless somebody builds a working QC,
of course.
Juergen Nieveler
True but I was asking the poster who had "the latest and greatest
encryption" in his opinion.
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
That is all a matter of opinion. Open source is good, but usually
lags behind the commercial PGP software. PGP is trusted for business
and government but open source solutions can't touch the commercial
algorithms because of patents and copyrights, so it will always be
second best.
This I am afraid is nonesense. There are no patents, and copyrights do not
apply. There are loads of "open" encryption algorithms, including the
official ones like AES.
In fact a closed encryption algorithm is by definition weak, because there
is no way of checking that it does what it claims.
Post by JTF
Keeping your encryption software up to date will keep you at least on
the curve and remember, it is Pretty Good Privacy, not absolute
privacy.....a reasonable effort to keep your secret keys secret should
be "Pretty Good" for your privacy.
The limitation on security is NOT in the algorithms. It is in things like
keeping your keys secret.
Post by JTF
Nothing is guaranteed.
Borked Pseudo Mailed
2009-02-11 07:23:22 UTC
Permalink
Post by Unruh
Post by JTF
Post by Ari©
Post by Juergen Nieveler
Post by Ari©
Post by JTF
Something to think about
PGP X may become crackable/hackable, and unless you plan on never
upgrading to the latest and greatest encryption, then plan on
evetually having your encrypted stuff pried open.
And that would be...........
Well, somebody MIGHT solve the mathematical problems behind the very
algorithms you are using - that would mean ALL keys using those
algorithms would be broken, regardless of length.
Burte Force is out of the question unless somebody builds a working QC,
of course.
Juergen Nieveler
True but I was asking the poster who had "the latest and greatest
encryption" in his opinion.
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
That is all a matter of opinion. Open source is good, but usually
lags behind the commercial PGP software. PGP is trusted for business
and government but open source solutions can't touch the commercial
algorithms because of patents and copyrights, so it will always be
second best.
This I am afraid is nonesense. There are no patents, and copyrights do not
apply. There are loads of "open" encryption algorithms, including the
official ones like AES.
In fact a closed encryption algorithm is by definition weak, because there
is no way of checking that it does what it claims.
Post by JTF
Keeping your encryption software up to date will keep you at least on
the curve and remember, it is Pretty Good Privacy, not absolute
privacy.....a reasonable effort to keep your secret keys secret should
be "Pretty Good" for your privacy.
The limitation on security is NOT in the algorithms. It is in things like
keeping your keys secret.
Post by JTF
Nothing is guaranteed.
Aside from the fact that all of you will die
JTF
2009-02-11 13:40:27 UTC
Permalink
Post by Unruh
Post by Ari©
Post by Juergen Nieveler
Post by Ari©
Post by JTF
Something to think about
PGP X may become crackable/hackable, and unless you plan on never
upgrading to the latest and greatest encryption, then plan on
evetually having your encrypted stuff pried open.
And that would be...........
Well, somebody MIGHT solve the mathematical problems behind the very
algorithms you are using - that would mean ALL keys using those
algorithms would be broken, regardless of length.
Burte Force is out of the question unless somebody builds a working QC,
of course.
Juergen Nieveler
True but I was asking the poster who had "the latest and greatest
encryption" in his opinion.
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
That is all a matter of opinion.  Open source is good, but usually
lags behind the commercial PGP software.  PGP is trusted for business
and government but open source solutions can't touch the commercial
algorithms because of patents and copyrights, so it will always be
second best.
This I am afraid is nonesense. There are no patents, and copyrights do not
apply. There are loads of "open" encryption algorithms, including the
official ones like AES.
In fact a closed encryption algorithm is by definition weak, because there
is no way of checking that it does what it claims.
Keeping your encryption software up to date will keep you at least on
the curve and remember, it is Pretty Good Privacy, not absolute
privacy.....a reasonable effort to keep your secret keys secret should
be "Pretty Good" for your privacy.
The limitation on security is NOT in the algorithms. It is in things like
keeping your keys secret.
Nothing is guaranteed.
I am talking about PGP (pgp the company) having patents on some of
their encryption techniques. I believe they contribute their older
releases to open source, but there are some things PGP corporation
will not release to open source and is proprietary to their commercial
products
David W. Hodgins
2009-02-11 15:45:44 UTC
Permalink
Post by JTF
I am talking about PGP (pgp the company) having patents on some of
their encryption techniques. I believe they contribute their older
releases to open source, but there are some things PGP corporation
will not release to open source and is proprietary to their commercial
products
Where did you get this idea? You obviously haven't been following the
development of pgp. You can download the source for pgp. See
http://www.pgp.com/developers/sourcecode/

You should take a look at
http://www.mccune.cc/PGPpage2.htm#Symmetric
There's a lot of good info there.

Regards, Dave Hodgins
--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
JTF
2009-02-11 18:27:08 UTC
Permalink
Post by JTF
I am talking about PGP (pgp the company) having patents on some of
their encryption techniques.  I believe they contribute their older
releases to open source, but there are some things PGP corporation
will not release to open source and is proprietary to their commercial
products
Where did you get this idea?  You obviously haven't been following the
development of pgp.  You can download the source for pgp.  Seehttp://www.pgp.com/developers/sourcecode/
You should take a look athttp://www.mccune.cc/PGPpage2.htm#Symmetric 
There's a lot of good info there.
Regards, Dave Hodgins
--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
http://www.gnupg.org/features.en.html
It clearly states:
"Does not use any patented algorithms."
David W. Hodgins
2009-02-11 21:14:49 UTC
Permalink
Post by JTF
http://www.gnupg.org/features.en.html
"Does not use any patented algorithms."
The only patented algorithm used by pgp is idea, which is only
required for compatibility with old rsa keys. All other alogithms
used by pgp are available in gpg too.

The idea module can easily be found on the net, and added to
gpg, so that it can work with older keys too.

Except for idea, gpg and pgp are fully compatible with each other.

Due to the NDA required to view the pgp source, more people
are likely to review the source of gpg. In my opinion, that makes
it safer.

PGP does have whole disk encryption, an email proxy and other
features that are not in gpg, but that doesn't have anything to do
with the actual encryption methods used.

Regards, Dave Hodgins
--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
Borked Pseudo Mailed
2009-02-11 20:53:24 UTC
Permalink
Post by David W. Hodgins
Post by JTF
I am talking about PGP (pgp the company) having patents on some of
their encryption techniques. I believe they contribute their older
releases to open source, but there are some things PGP corporation
will not release to open source and is proprietary to their commercial
products
Where did you get this idea? You obviously haven't been following the
development of pgp. You can download the source for pgp. See
http://www.pgp.com/developers/sourcecode/
What good is that given their non-disclosure policy?

None, that's what.

GnuPG rules. Open source, no secretive, shady non disclosures required.
David W. Hodgins
2009-02-11 21:06:43 UTC
Permalink
Post by Borked Pseudo Mailed
What good is that given their non-disclosure policy?
My point was that pgp does not include any algorithm that isn't also
included in gpg, except for the patented idea. PGP is not using any
"in-house" developed algorithms.

With idea, it isn't hard to find the idea module, and to configure gpg
to use it, which is needed for compatibility with older versions of pgp.

Regards, Dave Hodgins
--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
Unruh
2009-02-11 20:07:53 UTC
Permalink
Post by JTF
Post by Ari©
Post by Juergen Nieveler
Post by Ari©
Post by JTF
Something to think about
PGP X may become crackable/hackable, and unless you plan on never
upgrading to the latest and greatest encryption, then plan on
evetually having your encrypted stuff pried open.
And that would be...........
Well, somebody MIGHT solve the mathematical problems behind the very
algorithms you are using - that would mean ALL keys using those
algorithms would be broken, regardless of length.
Burte Force is out of the question unless somebody builds a working =
QC,
Post by Ari©
Post by Juergen Nieveler
of course.
Juergen Nieveler
True but I was asking the poster who had "the latest and greatest
encryption" in his opinion.
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
That is all a matter of opinion. =A0Open source is good, but usually
lags behind the commercial PGP software. =A0PGP is trusted for business
and government but open source solutions can't touch the commercial
algorithms because of patents and copyrights, so it will always be
second best.
This I am afraid is nonesense. There are no patents, and copyrights do no=
t
apply. There are loads of "open" encryption algorithms, including the
official ones like AES.
In fact a closed encryption algorithm is by definition weak, because ther=
e
is no way of checking that it does what it claims.
Keeping your encryption software up to date will keep you at least on
the curve and remember, it is Pretty Good Privacy, not absolute
privacy.....a reasonable effort to keep your secret keys secret should
be "Pretty Good" for your privacy.
The limitation on security is NOT in the algorithms. It is in things like
keeping your keys secret.
Nothing is guaranteed.
I am talking about PGP (pgp the company) having patents on some of
No they do not. RSA used to have a patent (which Phil Zimmermann violated
when he released PGP and it caused him much grief for a while as RSA labs
tried to get after him) but it has long expired. AES is by design public.
RC4 used to be trade secret, but that secret was revealed.
Post by JTF
their encryption techniques. I believe they contribute their older
releases to open source, but there are some things PGP corporation
will not release to open source and is proprietary to their commercial
products
What is proprietary is their "look and feel". The algorithms are all public
algorithms. In fact if anyone uses a proprietary algorithm in any
encryption product run as fast as you can away from it.
Neil - Salem, MA USA
2009-02-11 20:26:13 UTC
Permalink
Post by Unruh
I am talking about PGP (pgp the company) having patents on some of...
No they do not. RSA used to have a patent (which Phil Zimmermann violated
when he released PGP and it caused him much grief for a while as RSA labs
tried to get after him) but it has long expired. AES is by design public.
RC4 used to be trade secret, but that secret was revealed.
their encryption techniques. I believe they contribute their older
releases to open source, but there are some things PGP corporation
will not release to open source and is proprietary to their commercial
products
What is proprietary is their "look and feel". The algorithms are all public
algorithms. In fact if anyone uses a proprietary algorithm in any
encryption product run as fast as you can away from it.
I would guess that something similar will happen with elliptic curve
cryptography as happened with RSA. It is described on
http://www.iusmentis.com/technology/encryption/elliptic-curves/ this way:

"Elliptic curve cryptography was invented by Neil Koblitz in 1987 and by
Victor Miller in 1986. The principles of elliptic curve cryptography can be
used to adapt many cryptographic algorithms, such as Diffie-Hellman or
ElGamal. Although no general patent on elliptic curve cryptography appears
to exist, there are several patents that may be relevant depending on the
implementation (US 5,159,632, US 5,271,061, US 5,463,690 and US 6,141,420).

"The main advantage of elliptic curve cryptography is that the keys can be
much smaller. Recommended key sizes are in the order of 160 bits rather
than 1024 bits for RSA."

Neil - Salem, MA USA
Unruh
2009-02-11 21:00:41 UTC
Permalink
Post by Neil - Salem, MA USA
Post by Unruh
I am talking about PGP (pgp the company) having patents on some of...
No they do not. RSA used to have a patent (which Phil Zimmermann violated
when he released PGP and it caused him much grief for a while as RSA labs
tried to get after him) but it has long expired. AES is by design public.
RC4 used to be trade secret, but that secret was revealed.
their encryption techniques. I believe they contribute their older
releases to open source, but there are some things PGP corporation
will not release to open source and is proprietary to their commercial
products
What is proprietary is their "look and feel". The algorithms are all public
algorithms. In fact if anyone uses a proprietary algorithm in any
encryption product run as fast as you can away from it.
I would guess that something similar will happen with elliptic curve
cryptography as happened with RSA. It is described on
"Elliptic curve cryptography was invented by Neil Koblitz in 1987 and by
Victor Miller in 1986. The principles of elliptic curve cryptography can be
used to adapt many cryptographic algorithms, such as Diffie-Hellman or
ElGamal. Although no general patent on elliptic curve cryptography appears
to exist, there are several patents that may be relevant depending on the
implementation (US 5,159,632, US 5,271,061, US 5,463,690 and US 6,141,420).
No patent exists on elliptic curves. They are warning you you that the
patent holders of those patents which use elliptic curves for specific
implimentations of crypt might or might not consider that their
patents apply to your application depending on exactly what you did with
your application. Ie, read those patents and decide if your particular
implimentation of elliptic curves falls under that patent. Or do like
Zimmermann and use your particular application and wait for the patent
holders to object, or not. Note that PGP does not use elliptic curves.

By the way, see http://cr.yp.to/patents/us/5159632.html,
http://cr.yp.to/patents/us/5271061.html,
http://cr.yp.to/patents/us/5463690.html,
http://cr.yp.to/patents/us/6141420.html
who argues that all of these patents are in fact invalid due to prior art.
Post by Neil - Salem, MA USA
"The main advantage of elliptic curve cryptography is that the keys can be
much smaller. Recommended key sizes are in the order of 160 bits rather
than 1024 bits for RSA."
Agreed. But PGP does not use them.
Post by Neil - Salem, MA USA
Neil - Salem, MA USA
JTF
2009-02-11 23:46:33 UTC
Permalink
Post by Unruh
Post by JTF
Post by Ari©
Post by Juergen Nieveler
Post by Ari©
Post by JTF
Something to think about
PGP X may become crackable/hackable, and unless you plan on never
upgrading to the latest and greatest encryption, then plan on
evetually having your encrypted stuff pried open.
And that would be...........
Well, somebody MIGHT solve the mathematical problems behind the very
algorithms you are using - that would mean ALL keys using those
algorithms would be broken, regardless of length.
Burte Force is out of the question unless somebody builds a working =
QC,
Post by Ari©
Post by Juergen Nieveler
of course.
Juergen Nieveler
True but I was asking the poster who had "the latest and greatest
encryption" in his opinion.
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
That is all a matter of opinion. =A0Open source is good, but usually
lags behind the commercial PGP software. =A0PGP is trusted for business
and government but open source solutions can't touch the commercial
algorithms because of patents and copyrights, so it will always be
second best.
This I am afraid is nonesense. There are no patents, and copyrights do no=
t
apply. There are loads of "open" encryption algorithms, including the
official ones like AES.
In fact a closed encryption algorithm is by definition weak, because ther=
e
is no way of checking that it does what it claims.
Keeping your encryption software up to date will keep you at least on
the curve and remember, it is Pretty Good Privacy, not absolute
privacy.....a reasonable effort to keep your secret keys secret should
be "Pretty Good" for your privacy.
The limitation on security is NOT in the algorithms. It is in things like
keeping your keys secret.
Nothing is guaranteed.
I am talking about PGP (pgp the company) having patents on some of
No they do not. RSA used to have a patent (which Phil Zimmermann violated
when he released PGP and it caused him much grief for a while as RSA labs
tried to get after him) but it has long expired. AES is by design public.
RC4 used to be trade secret, but that secret was revealed.
Post by JTF
their encryption techniques.  I believe they contribute their older
releases to open source, but there are some things PGP corporation
will not release to open source and is proprietary to their commercial
products
What is proprietary is their "look and feel". The algorithms are all public
algorithms. In fact if anyone uses a proprietary algorithm in any
encryption product run as fast as you can away from it.
Not being too concerned, I was just stating that any patented
technology would not be available in the open source products unless
specifically endorsed by the patent holder, which from time to time
MAY happen but usually doesn't until the patent holder is finished
with it, as happens with PGP's older versions.
Ari©
2009-02-12 05:51:53 UTC
Permalink
Post by Unruh
What is proprietary is their "look and feel". The algorithms are all public
algorithms. In fact if anyone uses a proprietary algorithm in any
encryption product run as fast as you can away from it.
Just that simple? All the proprietary NSA stuff is shit? Self-developed,
commercial stuff is shit?

When you make sweeping statements like this, you end up looking like...

You guessed it.

Shit.
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
Unruh
2009-02-12 09:10:38 UTC
Permalink
Post by Ari©
Post by Unruh
What is proprietary is their "look and feel". The algorithms are all public
algorithms. In fact if anyone uses a proprietary algorithm in any
encryption product run as fast as you can away from it.
Just that simple? All the proprietary NSA stuff is shit? Self-developed,
commercial stuff is shit?
Yes. Because there is not way in which you or anyone else can determine if
it is shit or not, or can determine if it is properly implimented.
Post by Ari©
When you make sweeping statements like this, you end up looking like...
You guessed it.
Shit.
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
And then you have this signature line, showing you have no idea what it
means.
Cryptography is used because you do NOT trust others. And you are telling
them to trust others in the software to be used because you do not trust
others. Makes sense I guess in some universe.
Ari©
2009-02-13 14:59:51 UTC
Permalink
Post by Unruh
Post by Ari©
Post by Unruh
What is proprietary is their "look and feel". The algorithms are all public
algorithms. In fact if anyone uses a proprietary algorithm in any
encryption product run as fast as you can away from it.
Just that simple? All the proprietary NSA stuff is shit? Self-developed,
commercial stuff is shit?
Yes. Because there is not way in which you or anyone else can determine if
it is shit or not, or can determine if it is properly implimented.
WTF does the NSA do, *not* test their "shit". You're nutz and I think
you know it.
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
Ari©
2009-02-13 15:01:27 UTC
Permalink
Post by Unruh
Post by Ari©
Post by Unruh
What is proprietary is their "look and feel". The algorithms are all public
algorithms. In fact if anyone uses a proprietary algorithm in any
encryption product run as fast as you can away from it.
Just that simple? All the proprietary NSA stuff is shit? Self-developed,
commercial stuff is shit?
Yes. Because there is not way in which you or anyone else can determine if
it is shit or not, or can determine if it is properly implimented.
Post by Ari©
When you make sweeping statements like this, you end up looking like...
You guessed it.
Shit.
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
And then you have this signature line, showing you have no idea what it
means.
Yeah, it's reeeeeel tuff to figure out what Thonpson meant. <rolling
eyes>
Post by Unruh
Cryptography is used because you do NOT trust others. And you are telling
them to trust others in the software to be used because you do not trust
others. Makes sense I guess in some universe.
WTF? Pass the crack pipe to the left, the guy on the right keeps handing
it back to you.
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
JTF
2009-02-13 15:20:14 UTC
Permalink
Post by Ari©
Post by Unruh
Post by Ari©
Post by Unruh
What is proprietary is their "look and feel". The algorithms are all public
algorithms. In fact if anyone uses a proprietary algorithm in any
encryption product run as fast as you can away from it.
Just that simple? All the proprietary NSA stuff is shit? Self-developed,
commercial stuff is shit?
Yes. Because there is not way in which you or anyone else can determine if
it is shit or not, or can determine if it is properly implimented.
Post by Ari©
When you make sweeping statements like this, you end up looking like...
You guessed it.
Shit.
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
And then you have this signature line, showing you have no idea what it
means.
Yeah, it's reeeeeel tuff to figure out what Thonpson meant. <rolling
eyes>
Post by Unruh
Cryptography is used because you do NOT trust others. And you are telling
them to trust others in the software to be used because you do not trust
others. Makes sense I guess in some universe.
WTF? Pass the crack pipe to the left, the guy on the right keeps handing
it back to you.
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
Not sure what point you are making
Ari©
2009-02-14 02:41:31 UTC
Permalink
Post by JTF
Post by Ari©
Post by Unruh
Post by Ari©
Post by Unruh
What is proprietary is their "look and feel". The algorithms are all public
algorithms. In fact if anyone uses a proprietary algorithm in any
encryption product run as fast as you can away from it.
Just that simple? All the proprietary NSA stuff is shit? Self-developed,
commercial stuff is shit?
Yes. Because there is not way in which you or anyone else can determine if
it is shit or not, or can determine if it is properly implimented.
Post by Ari©
When you make sweeping statements like this, you end up looking like...
You guessed it.
Shit.
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
And then you have this signature line, showing you have no idea what it
means.
Yeah, it's reeeeeel tuff to figure out what Thonpson meant. <rolling
eyes>
Post by Unruh
Cryptography is used because you do NOT trust others. And you are telling
them to trust others in the software to be used because you do not trust
others. Makes sense I guess in some universe.
WTF? Pass the crack pipe to the left, the guy on the right keeps handing
it back to you.
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
Not sure what point you are making
Me or UhHuh?
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
JTF
2009-02-14 17:39:26 UTC
Permalink
Post by Ari©
Post by JTF
Post by Ari©
Post by Unruh
Post by Ari©
Post by Unruh
What is proprietary is their "look and feel". The algorithms are all public
algorithms. In fact if anyone uses a proprietary algorithm in any
encryption product run as fast as you can away from it.
Just that simple? All the proprietary NSA stuff is shit? Self-developed,
commercial stuff is shit?
Yes. Because there is not way in which you or anyone else can determine if
it is shit or not, or can determine if it is properly implimented.
Post by Ari©
When you make sweeping statements like this, you end up looking like...
You guessed it.
Shit.
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
And then you have this signature line, showing you have no idea what it
means.
Yeah, it's reeeeeel tuff to figure out what Thonpson meant. <rolling
eyes>
Post by Unruh
Cryptography is used because you do NOT trust others. And you are telling
them to trust others in the software to be used because you do not trust
others. Makes sense I guess in some universe.
WTF? Pass the crack pipe to the left, the guy on the right keeps handing
it back to you.
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
Not sure what point you are making
Me or UhHuh?
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
UhHuh
Ari©
2009-02-15 16:39:43 UTC
Permalink
Post by Ari©
Post by JTF
Post by Ari©
Post by Unruh
Post by Ari©
Post by Unruh
What is proprietary is their "look and feel". The algorithms are all public
algorithms. In fact if anyone uses a proprietary algorithm in any
encryption product run as fast as you can away from it.
Just that simple? All the proprietary NSA stuff is shit? Self-developed,
commercial stuff is shit?
Yes. Because there is not way in which you or anyone else can determine if
it is shit or not, or can determine if it is properly implimented.
Post by Ari©
When you make sweeping statements like this, you end up looking like...
You guessed it.
Shit.
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
And then you have this signature line, showing you have no idea what it
means.
Yeah, it's reeeeeel tuff to figure out what Thonpson meant. <rolling
eyes>
Post by Unruh
Cryptography is used because you do NOT trust others. And you are telling
them to trust others in the software to be used because you do not trust
others. Makes sense I guess in some universe.
WTF? Pass the crack pipe to the left, the guy on the right keeps handing
it back to you.
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
Not sure what point you are making
Me or UhHuh?
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
UhHuh
All conversations with UhHuh are like this. He rambles around,
blithering about so called truisms, skirting direct replies and fumbling
with his nuts.
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
JTF
2009-02-16 03:28:41 UTC
Permalink
Post by Ari©
Post by Ari©
Post by JTF
Post by Ari©
Post by Unruh
Post by Ari©
Post by Unruh
What is proprietary is their "look and feel". The algorithms are all public
algorithms. In fact if anyone uses a proprietary algorithm in any
encryption product run as fast as you can away from it.
Just that simple? All the proprietary NSA stuff is shit? Self-developed,
commercial stuff is shit?
Yes. Because there is not way in which you or anyone else can determine if
it is shit or not, or can determine if it is properly implimented.
Post by Ari©
When you make sweeping statements like this, you end up looking like...
You guessed it.
Shit.
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
And then you have this signature line, showing you have no idea what it
means.
Yeah, it's reeeeeel tuff to figure out what Thonpson meant. <rolling
eyes>
Post by Unruh
Cryptography is used because you do NOT trust others. And you are telling
them to trust others in the software to be used because you do not trust
others. Makes sense I guess in some universe.
WTF? Pass the crack pipe to the left, the guy on the right keeps handing
it back to you.
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
Not sure what point you are making
Me or UhHuh?
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
UhHuh
All conversations with UhHuh are like this. He rambles around,
blithering about so called truisms, skirting direct replies and fumbling
with his nuts.
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
I thought it was me, I had no idea what he was saying. I like
arguments, but only if I can understand the argument.
Ari©
2009-02-12 05:47:42 UTC
Permalink
Post by Unruh
In fact a closed encryption algorithm is by definition weak, because there
is no way of checking that it does what it claims.
So you can check the open source implementations of, the algorithmic
qualities of, say, Truecrypt?

Please post those results.
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
Ari©
2009-02-09 17:18:13 UTC
Permalink
Post by Juergen Nieveler
Post by Ari©
Post by beebs
A 2k key is a little weak, but still uncrackable.
Then it's not weak.
Depends. How old you are planning to get? ;-)
Juergen Nieveler
lol
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
Loading...