8 February 2001

These respond to the Cryptome product reference "Top Secret Crypto" http://www.topsecretcrypto.com

Additional responses welcomed. IDs deleted by Cryptome.


The original message to Cryptome:

From: "MacGregor K. Phillips" <[email protected]>
To: <[email protected]>
Subject: Top Secret Crypto
Date: Wed, 7 Feb 2001 19:34:52 +0800

Dear Sir,
 
After visiting your web site I thought you might be 
interested in Top Secret Crypto, a program I have written. 
For more information visit www.topsecretcrypto.com. If 
you want to evaluate the program just let me know and 
I will e-mail you a copy.
 
Sincerely,
MacGregor K. Phillips


Date: Wed, 7 Feb 2001 17:34:35 -0800
From: "david"
To: <[email protected]>
Subject: Top Secret Crypto

If you care about security how can you push code that doesn't even come with source code? The more I read the ad the more it sounded like SNAKE OIL.

DAVE


To: "david"
From: John Young <[email protected]>
Date: Wed, 07 Feb 2001 20:45:37 -0500
Subject: Top Secret Crypto

Dave,

I know, I plead guilty, the name and promo and solo act just seemed funny and gutsy over the top snake oil. Usually I don't promote any commercial products, not least because most of them blow more shinola than TS Crypto but dressed in sleazy corporate grey flannel. To be sure TS may be a corporate scam.

John


Date: Wed, 7 Feb 2001 18:05:04 -0800
From: "david"
To: John Young <[email protected]>
Subject: Re: Top Secret Crypto

Over the years I have written to you several times (different address). I am a retired electronic engineer; I worked at [US Navy's] China Lake for 26 years. Crypto has always interested me. My own code is considered snake oil by the so-called crypto gods. But I would be happy if you checked out my web page sometime. I wrote scott16u and scott19u. The web site is http://members.nbci.com/ecil/index.htm My other hobby is compression, especially compression that is used before encryption, and I have several pages there on my compression methods.
Date: Wed, 7 Feb 2001 16:33:21 -0800
From: SS
To: [email protected]
Subject: Top Secret Crypto

*** BEGIN PGP DECRYPTED/VERIFIED MESSAGE ***

Far be it from me to say you shouldn't list something interesting on
Cryptome.  But...

Did you have an indication that their product is really something exciting?
I am always cautioned in these matters by the wise and regularly repeated
comments of Bruce Schneier:

http://www.counterpane.com/crypto-gram-9902.html
	- "Snake Oil"
http://www.counterpane.com/crypto-gram-9904.html
	- "Importance of Not Being Different"
http://www.counterpane.com/whycrypto.html
	- "Why Cryptography is Harder Than It Looks"
http://www.interhack.net/people/cmcurtin/snake-oil-faq.html
	- "Snake Oil FAQ"

etc.

Schneier has been harping for years on the point that reasonable security
requires published, peer-reviewed systems.  And there are tons of companies
with their own idiosyncratic cryptosystems and almost all of them are no good
at all and there is no opportunity for anyone to _know_ whether or not they're
any good.

In cryptography as in other parts of mathematics, it's a big red flag when
somebody says "I've been working on this all by myself for 20 years and
not in touch with the community".

The problem is of course not that independent and self-taught researchers
are stupid, but that it's easy to misunderstand the nature of a problem, or
how to recognize the validity of a potential solution.  _That_ part is so
difficult that only a tiny handful of mathematicians have ever been able to
do it on their own -- like Srinivasa Ramanujan, and nobody else I can
think of.  Even the great misanthropes and hermits (not Hermites) of
mathematics tended to correspond and try to understand and critique one
another's work.

It's really easy to invent a cryptosystem (I've done it!) and really hard
to invent a secure one.  Even understanding what's meant by a secure
cryptosystem is a very difficult matter: why is one 64-bit system "more
secure" than another, or 64-bit RC5 stronger than 1024-bit RSA?  Why is
a one-time pad "perfectly secure" and no other cryptosystem ever perfectly
secure?

I can _almost_ answer those questions, conceptually, and the math is still a
challenge, though I'm working on it and I love to hang out with cryptographers.

But the prospects are not really very good for those who work in isolation.
And that's the case with almost all of these small (like one-person)
companies which have developed their own idiosyncratic cryptosystems.  And
indeed Schneier and his colleagues like Matt Blaze, Ian Goldberg, David
Wagner, and Marc Briceno have been completely willing to "put their
money where their mouth is" by repeatedly breaking these idiosyncratic,
proprietary, or non-peer-reviewed systems.  You know all about lots of
those stories; the common thread has been that somebody decided to invent
or use a cryptosystem "from scratch" without letting the community of
cryptographers poke at it.

And of course this is the story behind Andreas Bogk's improvements to
DeCSS, etc.: once the CSS algorithm became known, it turned out that it
was a really weak system and could be broken in a very straightforward way.
But for some weird reasons of their own, the DVD CCA decided to create their
own special algorithm instead of using something peer-reviewed and time-tested.
And they lost, or at least we're hoping that they lost.

Now actually looking at the web page that prompted me to write this, I
immediately see a problem:

	For its conventional encryption algorithm it uses the One Time
	Pad Encryption System, which is considered Unbreakable in
	Theory and Practice when used correctly.

Unfortunately, from this sentence alone we know that this product is _not_
using one-time pads correctly!  The theorem that says that one-time pads
are unbreakable stipulates that you have a perfect key-exchange mechanism.
But the fact that this is a "conventional encryption algorithm" inside a
larger product requires that they have some kind of key-exchange, and if
they're going to provide that in software it's not going to be perfect.

Sure enough, the web site says

	uses the RSA Public Key Encryption Algorithm

which is a well-known key-exchange method which is well-known _not to be
perfect_.  And its inventors never claim that it is perfect, just that
it's useful.  But you'll never hear any claim from Rivest, Shamir, or
Adleman that RSA is "Unbreakable", just that it's infeasible to break
on average by any known method using any known computer system.  And
they can potentially show that if certain math results are true, it will be
permanently infeasible on any sequential computer.

OK, so to use OTPs "correctly" you have to have a perfectly secure key
exchange, which RSA is not.  So immediately the OTP is being used
incorrectly and is no longer Unbreakable in either Theory or Practice.

That doesn't mean that Top Secret Crypto is any _less_ strong than
something like GPG; but it shows that the author has some issues that
he might want to address before claiming his software is in a league
of its own.

-- 

[Sig omitted]

*** END PGP DECRYPTED/VERIFIED MESSAGE ***
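
As an added illustration (not part of this Cryptome thread, and not code from the Top Secret Crypto product), the following Python models the objection in the message above: an XOR pad is perfectly secret on its own, because every candidate plaintext is explained by some pad, but once the pad is delivered through a public-key transport the intercepted data pins the plaintext down and the system's secrecy reduces to that of the transport. The RSA parameters (p=61, q=53, e=17), the byte-by-byte textbook transport and the function names are assumptions chosen for readability; real key transport uses a padded, randomised scheme, which changes the consistency check below but not the information-theoretic point.

```python
"""Toy model of the objection above: an XOR one-time pad is information-
theoretically secret on its own, but a pad delivered through a public-key
transport is only as secret as that transport (constructed example)."""
from __future__ import annotations

import os


def otp_encrypt(pad: bytes, message: bytes) -> bytes:
    """XOR a message with a pad of exactly the same length (the pad itself)."""
    if len(pad) != len(message):
        raise ValueError("pad must be exactly as long as the message")
    return bytes(p ^ m for p, m in zip(pad, message))


otp_decrypt = otp_encrypt  # XOR is its own inverse


def pad_explaining(ciphertext: bytes, candidate: bytes) -> bytes:
    """Shannon's argument in one line: for ANY candidate plaintext of the
    right length there exists a pad that maps it to this ciphertext, so the
    ciphertext alone cannot favour one plaintext over another."""
    return otp_encrypt(ciphertext, candidate)


# Toy textbook RSA parameters (constructed, far too small for real use); they
# stand in for whatever key transport a product wraps around its "OTP".
TOY_P, TOY_Q = 61, 53
TOY_N = TOY_P * TOY_Q                                  # 3233
TOY_E = 17
TOY_D = pow(TOY_E, -1, (TOY_P - 1) * (TOY_Q - 1))      # 2753


def rsa_transport_pad(pad: bytes, e: int = TOY_E, n: int = TOY_N) -> list[int]:
    """Deliver the pad under the recipient's public key, one byte per RSA
    block.  Textbook RSA is deterministic; real transport (e.g. OAEP) is
    randomised, but the information-theoretic point below is unchanged."""
    return [pow(b, e, n) for b in pad]


def rsa_recover_pad(blobs: list[int], d: int = TOY_D, n: int = TOY_N) -> bytes:
    """Recipient side: undo the transport with the private exponent."""
    return bytes(pow(c, d, n) for c in blobs)


def send(message: bytes, pad: bytes | None = None) -> tuple[list[int], bytes]:
    """The product's flow: fresh pad, pad sent under RSA, message XORed.
    A fixed pad may be passed in to make the flow reproducible."""
    pad = os.urandom(len(message)) if pad is None else pad
    return rsa_transport_pad(pad), otp_encrypt(pad, message)


def receive(transported_pad: list[int], ciphertext: bytes) -> bytes:
    """Recipient side of the same flow."""
    return otp_decrypt(rsa_recover_pad(transported_pad), ciphertext)


def candidate_consistent(transported_pad: list[int], ciphertext: bytes,
                         candidate: bytes) -> bool:
    """What an eavesdropper holding BOTH the transported pad and the
    ciphertext can check.  For a pure OTP every candidate is consistent
    (see pad_explaining).  Here the pad a candidate would need must also
    match the transported blobs, and only the true plaintext's pad does:
    the plaintext is now uniquely determined by the intercepted data, and
    the only thing protecting it is the computational hardness of RSA."""
    needed_pad = pad_explaining(ciphertext, candidate)
    return rsa_transport_pad(needed_pad) == transported_pad


if __name__ == "__main__":
    blobs, ct = send(b"meet at noon")            # constructed sample message
    print(receive(blobs, ct))
    print(candidate_consistent(blobs, ct, b"meet at noon"),
          candidate_consistent(blobs, ct, b"meet at nine"))
```

The contrast to look at is `pad_explaining` against `candidate_consistent`: the first always succeeds, which is exactly the theorem the product's web page invokes; the second succeeds only for the real plaintext, which is why the composed system can claim no more than RSA's computational security.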


Date: Thu, 8 Feb 2001 04:26:17 -0500 (EST)
From: DL
To: [email protected]
Subject: top secret crypto

oy, all of these one-time-pad implementations are a load of bullshit.