[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Decision: Encryption Method/Product

To: Steve Botts <steveb@xxxxxxxxxxxx>, ietf-ediint@xxxxxxx
Subject: Re: Decision: Encryption Method/Product
From: Robert Moskowitz <rgm3@xxxxxxxxxxxx>
Date: Thu, 23 May 1996 06:57:39 -0400
Sender: owner-ietf-ediint@xxxxxxx

At 01:52 PM 5/22/96, Steve Botts wrote:
>
>
>S/MIME as you point out is a standard. The standard specifies the use of
various algorithms used in conjunction with one another to provide specific
security services.  Anyone can introduce security problems in their
implementation of ANYTHING, but as far as S/MIME goes, the problem is not
likely to be in the underlying encryption algorithms.  Which algorithm do you
>feel needs further testing?  RSA?  DES?  MD5?  RC2?  RC4?  -Steve  

MD5 has recently been hit by a partial analysis.  It has been discussed on
the IPSEC list.  Keyed MD5 as is in the HMAC AH internet draft is immune to
this analysis.

RC4 has only recently undergone peer review, as the code was 'leaked' to
cyperpunk.

RC5 is spanking new with various arguements on various sides of the issue.

But the biggest concern I have of the strength of S/MIME is the presence of
any known text.  All of those imbedded MIME headers.  This is exactly the
attack that got Microsoft's WFW .pwl files!  (If you know that starting in
position 10 you will find the string 'application', the crypto analysis is
very easy).

The other problem with S/MIME is that it will tend to restrict product to
those that can afford to pay RSA.

Robert Moskowitz
Chrysler Corporation
(810) 758-8212

Prev by Date: Re: Message From KO/Office
Next by Date: Re: Secure ???? over the Internet
Previous by thread: Re: Decision: Encryption Method/Product
Next by thread: Re: Decision: Encryption Method/Product
Index(es):
- Date
- Thread