Loading ...
Sorry, an error occurred while loading the content.
 

RE: encryption - pedit - pToolSet

Expand Messages
  • philhair@aol.com
    Dear Paul, I have some knowledge of encryption techniques as they apply to computing -- but be advised that I have amateur status here, since nobody pays me
    Message 1 of 10 , May 6, 2003
      Dear Paul,

      I have some knowledge of encryption techniques as they apply to computing --
      but be advised that I have amateur status here, since nobody pays me for this
      stuff. You do not need to use anyone else's library, since (I understand)
      DES encryption/ decryption is built into the Palm OS. Although DES is
      considered "inadequate" in that a supercomputer or large network can crack it
      in only a few days, Triple DES which uses 3 applications of the algorithm,
      has an effective combined keylength of about 112 bits. (Don't look down on
      this because it isn't 128 or 256 bits. An attack on this level of security
      is well beyond the computing power we're likely have for the next 100 years.
      It'd be easier to break into your house/ appartment/ office and steal your
      hardcopy or bug your computer. These techniques are known as Watergate and
      Tempest, resepectively.)

      A good introductory text on this subject is _Applied Cryptography_ by Bruce
      Schneier, (c) 1994, John Wiley & Sons, Inc., ISBN 0-471-59756-2.

      I would also suggest the Palm program Keyring, <A HREF="http://gnukeyring.sourceforge.net/">
      http://gnukeyring.sourceforge.net/</A> which would be especially useful because
      it is public domain with source available. An explanation of Triple DES is
      included in the web page. Please be advised that you will need a strong
      random number generator, and a secure hash algorithm as well to make this
      work, both of which should be included in the listing.

      There is another reason that you should consider using the built-in DES
      routines. Since the OS would be doing the encryption (not your program), I
      believe that such an enhanced Pedit would not be subject to export controls.
      This means that you could still sell the software from your website without
      getting unfriendly visits from government agents. Philip Zimmerman (creator
      of PGP) found out that this was a real possibility.

      If you like, I'd be happy to discuss this further with you.

      Yours truly
      -- Phil Hair

      In a message dated 2003-05-06 19:05:45 Eastern Daylight Time,
      peditors@yahoogroups.com writes:

      > Hi Guys:
      >
      > Those of you who are "experts" [more or less] in encryption, please take a
      > look at
      >
      > http://www.copera.com/AESLib/
      >
      > and let me know if this would be OK for pedit and pToolSet to use. Or do
      > you
      > know any better Palm ported and readily available encryption SDK or library
      > which you'd recommend? I really need your help since I am not an expert on
      > encryption [well, I am not an "expert" in anything],
      >
      > Best regards, Paul
      >


      [Non-text portions of this message have been removed]
    • Ian Soboroff
      ... Intrigued, downloaded, browsed source. They in fact don t use the built in routines anymore, but something called pilotSSLeay. You can get info and
      Message 2 of 10 , May 7, 2003
        philhair@... writes:

        > I would also suggest the Palm program Keyring, <A
        > HREF="http://gnukeyring.sourceforge.net/">
        > http://gnukeyring.sourceforge.net/</A> which would be especially
        > useful because it is public domain with source available. An
        > explanation of Triple DES is included in the web page. Please be
        > advised that you will need a strong random number generator, and a
        > secure hash algorithm as well to make this work, both of which
        > should be included in the listing.

        Intrigued, downloaded, browsed source. They in fact don't use the
        built in routines anymore, but something called pilotSSLeay. You can
        get info and source on this from
        http://www.isaac.cs.berkeley.edu/pilot/, but the Keyring author does
        not include the source, only the binaries. You can get the source
        from the above URL.

        The nice thing about pilotSSLeay is that it's a straightforward patch
        on SSLeay, free software for doing SSL. As such it does a lot more
        than just 3DES.

        > There is another reason that you should consider using the built-in
        > DES routines. Since the OS would be doing the encryption (not your
        > program), I believe that such an enhanced Pedit would not be subject
        > to export controls. This means that you could still sell the
        > software from your website without getting unfriendly visits from
        > government agents. Philip Zimmerman (creator of PGP) found out that
        > this was a real possibility.

        US Export laws changed in the last couple of years regarding this.
        This may no longer be true, or at least no longer be as complicated.
        In particular, if the encryption source code is available I believe
        (IANAL) that export is OK. Bruce Schneier may have some relevant info
        on his page.

        Ian
      • John Harms
        ... Paul -- I also would be glad to test pedit encryption. However, it would need to be as good or better than Memo Safe, which I currently use extensively.
        Message 3 of 10 , May 7, 2003
          > From: "Ian Soboroff" <ian.soboroff@...>
          > I've used a number of encrypted notepads on my Palm, I'd be glad to
          > help test such a feature in pedit!

          Paul --

          I also would be glad to test pedit encryption. However, it would need to be
          as good or better than Memo Safe, which I currently use extensively.

          "Memo Safe uses the Safer-SK encryption algorithm originally published by
          James L. Massey. Many thanks to Peter
          Gutmann who developed and distributed the open source cryptlib encryption
          library." Quoted from:

          http://www.deepnettech.com/memosafe_readme.txt

          Memo Safe's encryption algorithm is mentioned as an adequate securitiy
          mechanism for sensitive Protected Health Information.

          http://its.med.yale.edu/security/PDA/

          -- JohnH
        • Lonnie Foster
          ... I don t do crypto professionally, but I do try to keep up on trends in the cryptograhic community. AESLib is an implementation of the Advanced Encryption
          Message 4 of 10 , May 8, 2003
            * Paul Nevai <nevai@...-state.edu> [2003-05-06 08:20 -0400]:

            > Those of you who are "experts" [more or less] in encryption, please take a
            > look at
            >
            > http://www.copera.com/AESLib/

            I don't do crypto professionally, but I do try to keep up on trends in
            the cryptograhic community. AESLib is an implementation of the
            Advanced Encryption Standard, which is, by most accounts I've read,
            one of the strongest cryptographic algorithms in existence. The
            algorithm used in AES is called Rijndael; it won an international
            competition held by the NIST a couple years ago to find the best
            encryption algorithm in the world.

            One of the best reasons to use AES is that it's entirely open source,
            which means that real experts in the cryptographic community can
            freely poke through the code for weaknesses. Rijndael has already been
            subjected to intense scrutiny by the brightest minds in the crypto
            community, and it will continue to receive such scrutiny, which is the
            best guarantee you can have that an encryption algorithm hasn't been
            compromised. As soon as anyone spots a weakness in a public algorithm
            like this, the fact that it's broken will be broadcast far and wide,
            giving you an opportunity to find an alternate means of protecting
            your data.

            I was happy to see Copera announce AESLib a few months ago. I
            don't currently have any Palm OS projects that require encryption, but
            I've kept Copera's site bookmarked just in case. It's much easier to
            use a good library interface than it is to try copying code from the
            official AES home page (http://csrc.nist.gov/CryptoToolkit/aes/).

            If integrated into pedit, AESLib would provide one of the strongest
            cryptographic products available on the Palm OS platform.

            --

            /|\ Lonnie Foster <lonnief@...> http://pobox.com/~tribble
            \|/ Why isn't phonetic spelled the way it sounds?
            /|\
          Your message has been successfully submitted and would be delivered to recipients shortly.