Re: 256 Bit Encryption for Secure Email and Secure Online File Storage
At 04:31 PM 12/01/2001 -0800, Meyer Wolfsheim wrote: Another proprietary key format. Why not base such a system on OpenPGP? OpenPGP, ClosedPGP, GPG, PGP2.x, and X.509 all have blazingly ugly data formats, especially for keys. The main advantages of recycling one of the N variations on PGP formats or one of the K variations on X.509 are that you can reuse code, and in some cases you can gain compatibility with existing user bases. On the other hand, you can gain compatibility with existing user bases by letting PGP users sign messages saying My Cryptoheaven Public Key For Messages is key1 and for Signatures is key2 and similarly letting X.509 users do the same if they want. It's not automated, but it can work ok. Also, of course, you'd need to register the Rijndael and SHA-256 entities onto the **PG** formatspaces, but they're generally designed for it. The cleanest key format I've seen is in CryptoKong - it has the advantage that Elliptic Curve cryptosystems let you use short keys, at least if you believe that the math works adequately, and it's not trying to use any KeyID as an abbreviation for the key, so it's just a simple direct encoding of the key, without PGP's annoyances of KeyID lookup and risks of KeyID forgery. Of course, it's also not mapping KeyIDs to users, only to messages, so if you want to maintain relationships between them, you've got to do it yourself, and if you want to have senders of some messages vet senders of other messages, you need to track the messages yourself. James Donald's implementation uses an Evil Microsoft Access database to save messages, but you could do a different implementation if you wanted to. Was the real motivation for using their own format simplicity? Or not-invented-here-ness? Or not-thinking-ness? Or unwillingness to wade through the huge amount of existing ugly code just for compatibility with existing ugly formats? Does it matter much? They're in the Software / Internet Services business, so either they'll find a niche where they get lots of users (in which case it's worth reviewing their code for real security), or they'll fail to do so and Darwin Will Get Them, like so many other projects out there, or they'll end up with a small but fanatic group of users who keep them going, or somebody will discover a Serious Bug which will blow away their security (though they do have at least semi-open source available for review.)
Re: 256 Bit Encryption for Secure Email and Secure Online File Storage
Another proprietary key format. Why not base such a system on OpenPGP? Hmm. AES-256 with SHA-256? Children, what's wrong with the balance in this system? How does a user verify authenticity of another user's public key? Aside from being incompatible with anything else on the net, how is this different or more secure than Hushmail? Than Cryptomail.org? The AES-256 is used independently from SHA-256 and for a different purpose. One is used for encryption, the other for hashing. If youd like to match crypto level provided by the hash, you would have to apply something like SHA-512, but that is irrelevant. SHA-256 is a convenient way of hashing passphrases into 256-bit symmetric key-material used to initialize key vectors in the AES. I would suggest you should look into the source code (available from the a href=http://www.cryptoheaven.com;CryptoHeaven/a web site) before making such trivial but misleading comments. Also, proprietary key format is not such a bad idea as long as the source is open for review. OpenPGP standard involves much more than simple RSA key, and any software using it is prone to the possible errors that may come with it. Making a simpler key format with only the very things that are necessary make it easier to maintain and it is easier to verify correctness of implementation. So what about Hushmail you ask. For one, CryptoHeaven does not require you to send your encrypted private key to the server making CryptoHeaven a much more secure solution. Furthermore, CryptoHeaven includes things like secure multi party folder sharing and multi user discussions which are not available in other systems. _ Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp
Re: 256 Bit Encryption for Secure Email and Secure Online File Storage
This is a multi-part message in MIME format.
--=_NextPart_000_0006_01C17AEB.9F8D37E0
Content-Type: text/plain;
charset=us-ascii
Content-Transfer-Encoding: 7bit
The AES-256 is used independently from SHA-256 and for a different
purpose. One is used for encryption, the other for hashing. If you'd
like to match crypto level provided by the hash, you would have to apply
something like SHA-512, but that is irrelevant. SHA-256 is a convenient
way of hashing passphrases into 256-bit symmetric key-material used to
initialize key vectors in the AES. I would suggest you should look into
the source code before making such trivial but misleading comments.
Also, proprietary key format is not such a bad idea as long as the
source is open for review. OpenPGP standard involves much more than
simple RSA key, and any software using it is prone to the possible
errors that may come with it. Making a simpler key format with only the
very things that are necessary make it easier to maintain and it is
easier to verify correctness of implementation.
So what about Hushmail you ask. For one, CryptoHeaven does not require
you to send your encrypted private key to the server making CryptoHeaven
a much more secure solution. Furthermore, CryptoHeaven includes things
like secure multi party folder sharing and multi user discussions which
are not available in other systems.
Another proprietary key format. Why not base such a system on OpenPGP?
Hmm. AES-256 with SHA-256? Children, what's wrong with the balance
in this system?
How does a user verify authenticity of another user's public key?
Aside from being incompatible with anything else on the net, how is
this
different or more secure than Hushmail? Than Cryptomail.org?
--=_NextPart_000_0006_01C17AEB.9F8D37E0
Content-Type: text/html;
charset=us-ascii
Content-Transfer-Encoding: quoted-printable
html xmlns:o=3Durn:schemas-microsoft-com:office:office =
xmlns:w=3Durn:schemas-microsoft-com:office:word =
xmlns=3Dhttp://www.w3.org/TR/REC-html40;
head
META HTTP-EQUIV=3DContent-Type CONTENT=3Dtext/html; =
charset=3Dus-ascii
meta name=3DProgId content=3DWord.Document
meta name=3DGenerator content=3DMicrosoft Word 10
meta name=3DOriginator content=3DMicrosoft Word 10
link rel=3DFile-List href=3Dcid:[EMAIL PROTECTED];
!--[if gte mso 9]xml
o:OfficeDocumentSettings
o:DoNotRelyOnCSS/
/o:OfficeDocumentSettings
/xml![endif]--!--[if gte mso 9]xml
w:WordDocument
w:SpellingStateClean/w:SpellingState
w:GrammarStateClean/w:GrammarState
w:DocumentKindDocumentEmail/w:DocumentKind
w:EnvelopeVis/
w:BrowserLevelMicrosoftInternetExplorer4/w:BrowserLevel
/w:WordDocument
/xml![endif]--
style
!--
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{mso-style-parent:;
margin:0in;
margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:12.0pt;
font-family:Times New Roman;
mso-fareast-font-family:Times New Roman;}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;
text-underline:single;}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline;
text-underline:single;}
pre
{margin:0in;
margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:10.0pt;
font-family:Courier New;
mso-fareast-font-family:Times New Roman;
color:black;}
span.EmailStyle17
{mso-style-type:personal-compose;
mso-style-noshow:yes;
mso-ansi-font-size:10.0pt;
mso-bidi-font-size:10.0pt;
font-family:Arial;
mso-ascii-font-family:Arial;
mso-hansi-font-family:Arial;
mso-bidi-font-family:Arial;
color:windowtext;}
span.SpellE
{mso-style-name:;
mso-spl-e:yes;}
span.GramE
{mso-style-name:;
mso-gram-e:yes;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.25in 1.0in 1.25in;
mso-header-margin:.5in;
mso-footer-margin:.5in;
mso-paper-source:0;}
div.Section1
{page:Section1;}
--
/style
!--[if gte mso 10]
style
/* Style Definitions */=20
table.MsoNormalTable
{mso-style-name:Table Normal;
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-parent:;
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin:0in;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:10.0pt;
font-family:Times New Roman;}
/style
![endif]--
/head
body lang=3DEN-US link=3Dblue vlink=3Dpurple =
style=3D'tab-interval:.5in'
div class=3DSection1prefont size=3D2 color=3Dblack face=3DCourier =
Newspan
style=3D'font-size:10.0pt'The AES-256 is used independently from =
SHA-256 and for a different purpose. span =
style=3D'mso-spacerun:yes'nbsp;/spanOne is used for encryption, the =
other for hashing.span
Re: 256 Bit Encryption for Secure Email and Secure Online File Storage
Another proprietary key format. Why not base such a system on OpenPGP? Hmm. AES-256 with SHA-256? Children, what's wrong with the balance in this system? How does a user verify authenticity of another user's public key? Aside from being incompatible with anything else on the net, how is this different or more secure than Hushmail? Than Cryptomail.org? -MW- On Sat, 1 Dec 2001, Adam: Kurzawa wrote: Hey, I don't know how many of you have seen this? But here it is anyway, what do you guys think? CryptoHeaven is a new, secure online service released by CryptoHeaven Development Team. The product is intended for individuals in need of security and privacy working together in small groups. CryptoHeaven is the only secure online system currently integrating secure email, secure instant messaging (with multi party support), secure online file storage file sharing in one unique package. Our services are available over the internet from anywhere, anytime. Automatic key and contact management ensures you can use your account from any computer connected to the internet. An easy to use, integrated user interface capable of running on most current computers ensures that all services are always available, regardless of where you may be. Your privacy is at all times protected with the highest level cryptography available: 256 bit symmetric key and 2048-4096 bit asymmetric keys. The level of security offered is unmatched in the industry. Free and premium accounts are available. Take it for a test drive and invite your friends to try it too. CryptoHeaven is confident in its system, and as such we release the source code to any interested party for a review, free of charge. http://www.cryptoheaven.com
