Well the comments posted to the list pretty much confirm what I had heard before, that the present encrypt/decrypt tags offered with Witango are either not tight enough or not practical in a production environment.
I really am looking for tags using blowfish or MD5 technology. You can tell I am by no means an expert or novice in the encryption area, but these seem to be the buzz words at this time. Anyone doing this that might be interested in selling their custom tags and related code? It may help to know if there are others on the list that are interested in this option. Steve Fogelson Internet Commerce Solutions -----Original Message----- From: Eric Weidl [mailto:[EMAIL PROTECTED]] Sent: Monday, January 27, 2003 7:14 AM To: Multiple recipients of list witango-talk Subject: RE: Witango-Talk: Credit Card Security Hi, A couple of specific comments: >Unfortunately I have it on very good authority that the @CIPHER tag does >not work as well as it should. Here is what Jess told me: > >"Unless somebody has changed something in the last >year, all of Tango's <@CIPHER> stuff (besides the >hash) is basically worthless for the purposes of >security. There may be some truth to that comment, but it is due to the nature of the problem and not necessarily the @CIPHER tag itself. Yes, the BitRoll, Caesar, and Rot13 types supported by @CIPHER are trivial encryption methods and don't have a place in a production system. >The one time pad actually isn't a one time pad at all, >it's a rotation cipher, and on top of that it doesn't >work properly... OneTimePad is by definition a rotation cipher. It even says so right in the manual. Criticizing it for being so is like complaining that a dog has fur. The power of the OneTimePad is based in the keys and their management, not the cipher algorithm itself. In a perfect world, OneTimePad is the most secure encryption mechanism available. Why? Because, in a perfect world, the keys are *NEVER* reused and never stored after use. Obviously not storing keys is difficult in the real world, so in practice, the OneTimePad falls far short of its theoretical performance. As to your comment that it doesn't work properly, I've never heard or experienced any issues with it. Eric ________________________________________________________________________ TO UNSUBSCRIBE: send a plain text/US ASCII email to [EMAIL PROTECTED] with unsubscribe witango-talk in the message body ________________________________________________________________________ TO UNSUBSCRIBE: send a plain text/US ASCII email to [EMAIL PROTECTED] with unsubscribe witango-talk in the message body
