[vox-tech] Which cipher to use?
Bill Broadley
vox-tech@lists.lugod.org
Tue, 4 Jun 2002 22:33:47 -0700
On Tue, Jun 04, 2002 at 09:39:32PM -0700, Micah Cowan wrote:
> This is really picky of course, but the other criteria for "secure use
> of Xor", in addition to having a key at least as long as your data,
> is:
>
> 1. That it be a random sequence - *truly* random. This rules out
> using "passphrases" and the like. *All* passphrases or passwords
> are extremely insecure for Xor, regardless of length.
Correct, a passphrase would violate the "xor sequence longer than the data"
rule. Passing PID or time as a seed to random would also be a very
bad idea. MD5 checksums of random noise (transistors, radio reception
of static, radioactive decay etc) are the level of randomness that is
ideal.
> 2. That it be used only one time, and then discarded - never to be
> used again.
And discarded very carefully, burn it and stir the ashes type careful.
rm OTP.key isn't necessarily enough.
> <rant>
> Which is why you should get extremely skeptical when a company called
> Prescient claims to have created a "virtually unbreakable" encryption
If anyone claims it's so secure that they are going to run a cracking
contest, beware. For more info:
http://www.counterpane.com/crypto-gram-9812.html#contests
> Now, having said that, I'll protect my butt by pointing out that their
> technology *could* still be unbreakable, but not for the reasons they
> claim. They don't seem to have published their algorithms; their
Another large warning sign, see the above URL.
> "Technical White Paper" (http://www.prescient.net/pdf/e2Sec.pdf)
> claims that the keys generated are undeterministic; but I'm rather
> skeptical as to how they could be generated, and understood by another
> host across the 'Net, if they were not undeterministic - unless of
> course their server simply sends the key across the 'Net in the clear
> ;) I'm not a cryptanalyst, and even if I were, I couldn't debunk their
Sounds just like another crappy system with good PR.
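The three criteria discussed in this thread (key as long as the data, truly random, used exactly once) can be checked mechanically. The following is an added example, not code from the original message or from any product mentioned above; it uses Python's `secrets.token_bytes` as a stand-in for a hardware noise source (an assumption of the example), and the plaintexts and passphrase are constructed for illustration. It shows a correct one-time pad alongside the two failure modes the posters describe: reusing a pad, where XORing the two ciphertexts cancels the key and leaks the XOR of the plaintexts, and "stretching" a passphrase by repetition, where the key's period lets a ciphertext be XORed with a shifted copy of itself to the same effect.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings of equal length; refuse anything shorter."""
    if len(a) != len(b):
        raise ValueError("key material must be exactly as long as the data")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_keygen(nbytes: int) -> bytes:
    """Fresh pad from the OS CSPRNG.

    Assumption of this example: secrets.token_bytes stands in for the
    hardware noise source (transistor noise, radioactive decay) the thread
    recommends. Never derive a pad from a PID, the clock or a passphrase.
    """
    return secrets.token_bytes(nbytes)


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    return xor_bytes(plaintext, key)


def otp_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    return xor_bytes(ciphertext, key)


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """Failure mode 1: the same pad used twice.

    (p1 ^ k) ^ (p2 ^ k) == p1 ^ p2, so the key cancels and the XOR of the
    two plaintexts is exposed without knowing k at all. Every zero byte in
    the result marks a position where the two messages agree.
    """
    return xor_bytes(c1, c2)


def stretched_passphrase_key(passphrase: bytes, nbytes: int) -> bytes:
    """What 'using a passphrase as the pad' really means: the phrase is
    repeated until it covers the data, so the key has a short period."""
    reps = -(-nbytes // len(passphrase))  # ceiling division
    return (passphrase * reps)[:nbytes]


def repeated_key_leak(ciphertext: bytes, period: int) -> bytes:
    """Failure mode 2: a key that repeats every `period` bytes.

    c[i] ^ c[i + period] == p[i] ^ p[i + period] because the same key byte
    covers both positions; the passphrase drops out exactly like a reused
    pad does, which is why passphrase length is irrelevant here.
    """
    return xor_bytes(ciphertext[:-period], ciphertext[period:])


def demo() -> dict:
    # Constructed sample messages for the demonstration.
    p1 = b"attack at dawn"
    p2 = b"attack at dusk"

    key = otp_keygen(len(p1))            # correct: random, full length, fresh
    c1 = otp_encrypt(p1, key)
    assert otp_decrypt(c1, key) == p1    # round trip works

    c2 = otp_encrypt(p2, key)            # wrong: pad reused for a second message
    leak = two_time_pad_leak(c1, c2)     # equals p1 ^ p2, key never needed

    phrase = b"secret"                   # wrong: passphrase stretched into a pad
    long_msg = b"the same key is used again and again"
    c3 = otp_encrypt(long_msg, stretched_passphrase_key(phrase, len(long_msg)))
    periodic_leak = repeated_key_leak(c3, len(phrase))

    return {"reuse_leak": leak, "periodic_leak": periodic_leak}


if __name__ == "__main__":
    out = demo()
    print("pad reuse leaks p1^p2      :", out["reuse_leak"].hex())
    print("repeated passphrase leaks  :", out["periodic_leak"].hex())
```

The first eleven bytes of `reuse_leak` are zero because the two sample messages share their first eleven characters; that structure is exactly what an attacker reads off a reused pad, and it is the property that forces the "used once, then destroyed" rule. The periodic case shows the same cancellation driven by the key's short period rather than by reuse.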