RE: encryption - pedit - pToolSet
- Dear Paul,
I have some knowledge of encryption techniques as they apply to computing --
but be advised that I have amateur status here, since nobody pays me for this
stuff. You do not need to use anyone else's library, since (I understand)
DES encryption/ decryption is built into the Palm OS. Although DES is
considered "inadequate" in that a supercomputer or large network can crack it
in only a few days, Triple DES which uses 3 applications of the algorithm,
has an effective combined keylength of about 112 bits. (Don't look down on
this because it isn't 128 or 256 bits. An attack on this level of security
is well beyond the computing power we're likely have for the next 100 years.
It'd be easier to break into your house/ appartment/ office and steal your
hardcopy or bug your computer. These techniques are known as Watergate and
A good introductory text on this subject is _Applied Cryptography_ by Bruce
Schneier, (c) 1994, John Wiley & Sons, Inc., ISBN 0-471-59756-2.
I would also suggest the Palm program Keyring, <A HREF="http://gnukeyring.sourceforge.net/">
http://gnukeyring.sourceforge.net/</A> which would be especially useful because
it is public domain with source available. An explanation of Triple DES is
included in the web page. Please be advised that you will need a strong
random number generator, and a secure hash algorithm as well to make this
work, both of which should be included in the listing.
There is another reason that you should consider using the built-in DES
routines. Since the OS would be doing the encryption (not your program), I
believe that such an enhanced Pedit would not be subject to export controls.
This means that you could still sell the software from your website without
getting unfriendly visits from government agents. Philip Zimmerman (creator
of PGP) found out that this was a real possibility.
If you like, I'd be happy to discuss this further with you.
-- Phil Hair
In a message dated 2003-05-06 19:05:45 Eastern Daylight Time,
> Hi Guys:[Non-text portions of this message have been removed]
> Those of you who are "experts" [more or less] in encryption, please take a
> look at
> and let me know if this would be OK for pedit and pToolSet to use. Or do
> know any better Palm ported and readily available encryption SDK or library
> which you'd recommend? I really need your help since I am not an expert on
> encryption [well, I am not an "expert" in anything],
> Best regards, Paul
- philhair@... writes:
> I would also suggest the Palm program Keyring, <AIntrigued, downloaded, browsed source. They in fact don't use the
> http://gnukeyring.sourceforge.net/</A> which would be especially
> useful because it is public domain with source available. An
> explanation of Triple DES is included in the web page. Please be
> advised that you will need a strong random number generator, and a
> secure hash algorithm as well to make this work, both of which
> should be included in the listing.
built in routines anymore, but something called pilotSSLeay. You can
get info and source on this from
http://www.isaac.cs.berkeley.edu/pilot/, but the Keyring author does
not include the source, only the binaries. You can get the source
from the above URL.
The nice thing about pilotSSLeay is that it's a straightforward patch
on SSLeay, free software for doing SSL. As such it does a lot more
than just 3DES.
> There is another reason that you should consider using the built-inUS Export laws changed in the last couple of years regarding this.
> DES routines. Since the OS would be doing the encryption (not your
> program), I believe that such an enhanced Pedit would not be subject
> to export controls. This means that you could still sell the
> software from your website without getting unfriendly visits from
> government agents. Philip Zimmerman (creator of PGP) found out that
> this was a real possibility.
This may no longer be true, or at least no longer be as complicated.
In particular, if the encryption source code is available I believe
(IANAL) that export is OK. Bruce Schneier may have some relevant info
on his page.
> From: "Ian Soboroff" <ian.soboroff@...>Paul --
> I've used a number of encrypted notepads on my Palm, I'd be glad to
> help test such a feature in pedit!
I also would be glad to test pedit encryption. However, it would need to be
as good or better than Memo Safe, which I currently use extensively.
"Memo Safe uses the Safer-SK encryption algorithm originally published by
James L. Massey. Many thanks to Peter
Gutmann who developed and distributed the open source cryptlib encryption
library." Quoted from:
Memo Safe's encryption algorithm is mentioned as an adequate securitiy
mechanism for sensitive Protected Health Information.
- * Paul Nevai <nevai@...-state.edu> [2003-05-06 08:20 -0400]:
> Those of you who are "experts" [more or less] in encryption, please take aI don't do crypto professionally, but I do try to keep up on trends in
> look at
the cryptograhic community. AESLib is an implementation of the
Advanced Encryption Standard, which is, by most accounts I've read,
one of the strongest cryptographic algorithms in existence. The
algorithm used in AES is called Rijndael; it won an international
competition held by the NIST a couple years ago to find the best
encryption algorithm in the world.
One of the best reasons to use AES is that it's entirely open source,
which means that real experts in the cryptographic community can
freely poke through the code for weaknesses. Rijndael has already been
subjected to intense scrutiny by the brightest minds in the crypto
community, and it will continue to receive such scrutiny, which is the
best guarantee you can have that an encryption algorithm hasn't been
compromised. As soon as anyone spots a weakness in a public algorithm
like this, the fact that it's broken will be broadcast far and wide,
giving you an opportunity to find an alternate means of protecting
I was happy to see Copera announce AESLib a few months ago. I
don't currently have any Palm OS projects that require encryption, but
I've kept Copera's site bookmarked just in case. It's much easier to
use a good library interface than it is to try copying code from the
official AES home page (http://csrc.nist.gov/CryptoToolkit/aes/).
If integrated into pedit, AESLib would provide one of the strongest
cryptographic products available on the Palm OS platform.
/|\ Lonnie Foster <lonnief@...> http://pobox.com/~tribble
\|/ Why isn't phonetic spelled the way it sounds?