On Tue, Jun 04, 2002 at 09:39:32PM -0700, Micah Cowan wrote: > This is really picky of course, but the other criteria for "secure use > of Xor", in addition to having a key at least as long as your data, > is: > > 1. That it be a random sequence - *truly* random. This rules out > using "passphrases" and the like. *All* passphrases or passwords > are extremely insecure for Xor, regardless of length.
Correct, a passphrase would violate the xor sequence longer then the data rule. Passing PID or time as a seed to random would also be a very bad idea. Md5 checksums of random noise (transistors, radio reception of static, radioactive decay etc) is the level of randomness that is idea. > 2. That it be used only one time, and then discarded - never to be > used again. And discarded very carefully, burn it and stir the ashes type careful. rm OTP.key isn't necessarily enough. > <rant> > Which is why you should get extremely skeptical when a company called > Prescient claims to have created a "virtually unbreakable" encryption If anyone claims it's so secure that they are going to run a cracking contest beware, for more info: http://www.counterpane.com/crypto-gram-9812.html#contests > Now, having said that, I'll protect my butt by pointing out that their > technology *could* still be unbreakable, but not for the reasons they > claim. They don't seem to have published their algorithms; their Another large warning sign, see the above url. > "Technical White Paper" (http://www.prescient.net/pdf/e2Sec.pdf) > claims that the keys generated are undeterministic; but I'm rather > skeptical as to how they could be generated, and understood by another > host across the 'Net, if they were not undeterministic - unless of > course their server simply sends the key across the 'Net in the clear > ;) I'm not a cryptanalyst, and even if I were, I couldn't debunk their Sounds just like another crappy system with good PR. _______________________________________________ vox-tech mailing list [EMAIL PROTECTED] http://lists.lugod.org/mailman/listinfo/vox-tech