  1. Minsc  #21  
    So let me make sure I understand this, with Mirage I have to enter a passcode a minimum of once per "session", or ideally once for each email I open?? Talk about a hassle!
    I'm into tight security as much as the next guy, but this seems a bit overboard. Is email interception by hackers over wireless devices really common enough to warrant that degree of security? Maybe it is, and I'm just out of the loop...
    Also, by definition wireless phones are already encrypting the voice/data to a very high degree. (especially CDMA) At some point, of course, it's de-crypted. (at the switch?) I assume your encryption scheme is to protect the email from that point on?
  2.    #22  
    Quote Originally Posted by jaytee
    Encryption using proprietary, unknown algorithms can never be proved to be secure though. How can I possibly know how secure your encryption algorithm is? From the reading I've done, it seems like proprietary encryption algorithms are not either as secure or as well received as well peer-reviewed, thoroughly tested algorithms. Why are you not using a modern and open standard with a decently long key length (say 2048 bits)? Why not just use the concepts shown and proven with public key cryptography systems?

    Secondly, if I have information that needs this high a level of security, why am I letting it flow through a server I have no control of on the way to the recipient? I assume it will be encrypted by then, but I have no assurance that the encryption does not have some proprietary backdoor inserted in it.

    Several things just fly in the face of good security practices here. I know that with a spiffy marketing job, you may garner some business interests, but security through closed cryptographic methods is out of the question for me. Locking both the sender and the recipient into a specific product is also something I try to avoid. (I use many OS's and many different products in my computing work and play).
    VeriTouch has been developing this product over a four-year period, primarily coming from the healthcare arena where we did ground-breaking security development for clinical networks for Cerner Corporation of Kansas City, Missouri, and for several regional hospitals in Toronto, and Kingston, Canada.

    You have missed the point somehow that we are leveraging two powerful security engines, from PGP and our own which is the strongest symmetric key strength in the world.

    You can try to decrypt an encrypted mail produced by our client, I'd be delighted for you to try and crack the code!

    With respect to using a server, it is a necessary module in any internet-based messaging system, and again, I'd be delighted if you'd explain a different system (perhaps each and every customer could run their own web server just for email with a static I.P. and tons of bandwidth :-), YEAH, that would work!).

    We stand by our products, and although no other SW maker in the world would do the same, WE would place in our customer license a guarantee that there is no "back door" as you mention to have outside control over an encrypted customer message.

    As opposed to SnapperMail, Chatter Email, and every other mail client out there for Treo600 users, we are taking message security very seriously, and are preparing the first client SW for the T600 whose sole purpose is to protect the integrity of each and every protected message for our customers.

    That's our vision for MIRAGE, and it is unorthodox in a great many respects, as you pointed out.

    Gary E. Brant, CEO
    VeriTouch Ltd. - New York
    gb@veritouch.com
  3.    #23  
    Quote Originally Posted by Minsc
    So let me make sure I understand this, with Mirage I have to enter a passcode a minimum of once per "session", or ideally once for each email I open?? Talk about a hassle!
    I'm into tight security as much as the next guy, but this seems a bit overboard. Is email interception by hackers over wireless devices really common enough to warrant that degree of security? Maybe it is, and I'm just out of the loop...
    Also, by definition wireless phones are already encrypting the voice/data to a very high degree. (especially CDMA) At some point, of course, it's de-crypted. (at the switch?) I assume your encryption scheme is to protect the email from that point on?
    GB> As stated earlier, you can cache your passphrase so that, so long as you are logged onto the client, you will not have to re-enter it for each message.

    With respect to encryption for DATA, I think you must be jesting.

    Hackers are out in droves to drop in on both voice and data transfers on cellular networks.

    Can anyone remember Prince Charles' "faux pas" with his cell phone?

    Gary E. Brant, CEO
    VeriTouch Ltd. - New York
    gb@veritouch.com
  4. #24  
    Well clearly Gary, you think your product is all that and a bag of chips. What real value does it offer for the average Treo user beyond that which Chatter Email and others already provide? If I can add security like this for the same price or just a few bucks more sure, but I doubt this encryption that is so safe, is very cheap.

    The emails I send aren't anything special and I don't really care much about the 'super jumbo best in the world cause we made it' security you offer. That's not to say someone won't want it.

    What's the draw for the average user? Chatter Email is great for what I do and it's very affordable. Throw out some numbers and see what happens.
    “There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order.”
    — Ed Howdershelt
    "A government big enough to give you everything you want, is big enough to take away everything you have."- Thomas Jefferson
  5.    #25  
    Quote Originally Posted by Woof
    Well clearly Gary, you think your product is all that and a bag of chips. What real value does it offer for the average Treo user beyond that which Chatter Email and others already provide? If I can add security like this for the same price or just a few bucks more sure, but I doubt this encryption that is so safe, is very cheap.

    The emails I send aren't anything special and I don't really care much about the 'super jumbo best in the world cause we made it' security you offer. That's not to say someone won't want it.

    What's the draw for the average user? Chatter Email is great for what I do and it's very affordable. Throw out some numbers and see what happens.
    GB> You're right, it doesn't sound like you need it, and we aren't aware that there is an "average Treo User".

    Paying more than $500 for a cell phone to begin with, makes Treo users anything but "average" cell phone or mobile messaging users, wouldn't you agree?

    You may not appreciate, or as I said "need" Mirage, but some day when your ISP is hacked, or someone compromises some information that you wished had remained private between you and your intended recipient, you may change your mind.

    Gary E. Brant, CEO
    VeriTouch Ltd. - New York
    gb@veritouch.com
  6. #26  
    I definitely agree with your last statement there Gary. People have extremely little concern over either the privacy or the authenticity of email communications. If email survives the onslaught of spam, it may become much more important, and products like yours will find an ever increasing market. I just think that your approach differs significantly from what I would classify as a verifiably acceptable security solution.

    One of the questions I have been leading up to (I guess) is, why not just encrypt and sign using standard public key solutions? Given the time and effort to crack such a message, with a good encryption algorithm and a sufficient key length, wouldn't this be a simpler and more acceptable solution?

    Also, if I encrypt and sign on the Treo, why can't I send through any SMTP server to my recipient, who then decrypts and checks the signature? I don't follow why the solution needs your server in the middle unless you are doing more encryption/decryption there.

    Thirdly, if I am so concerned about security that I need a 20,000 bit (ECC?) key for encryption, I probably would be concerned that you might either put in a back door (although I'd personally bet you don't). I'd probably also get my own lab of crack crypto geeks to vet your code.

    Finally you said:

    With respect to using a server, it is a necessary module in any internet-based messaging system, and again, I'd be delighted if you'd explain a different system (perhaps each and every customer could run their own web server just for email with a static I.P. and tons of bandwidth :-), YEAH, that would work!).
    ... I've already got an SMTP server if I have a Treo data plan
    Last edited by jaytee; 09/13/2004 at 09:47 PM.
  7. #27  
    Quote Originally Posted by veritouch
    GB> 21,000 bit encryption is a unique and patent-pending cryptographic algorithm developed by VeriTouch. As you are probably aware, standard SSL credit card transactions over the Internet are "protected" by a paltry 1024-bit key. Our key is fully 200 times more powerful, ensuring that your mail is going to be very well protected from hackers.
    Paltry 1024-bit key?

    After millions of hours of processor work and four years of human effort, the RC5 64-bit encryption algorithm has finally been broken.

    Using 331,252 volunteer machines, a crypto group called Distributed.net cracked RSA Security's encryption challenge and picked up a cheque for $10,000.


    ---

    It took 250 days to crack RC5-56 and 1757 days to crack RC5-64. And that was with thousands of computers working together. They are currently working on RC5-72. Other ciphers are equally as strong.

    You urged someone to crack your encryption, well I urge you to crack 128-bit SSL (Triple DES, MD5, whatever).

    Mike
  8. #28  
    Quote Originally Posted by veritouch
    GB> You're right, it doesn't sound like you need it, and we aren't aware that there is an "average Treo User".

    Paying more than $500 for a cell phone to begin with, makes Treo users anything but "average" cell phone or mobile messaging users, wouldn't you agree?

    You may not appreciate, or as I said "need" Mirage, but some day when your ISP is hacked, or someone compromises some information that you wished had remained private between you and your intended recipient, you may change your mind.

    Gary E. Brant, CEO
    VeriTouch Ltd. - New York
    gb@veritouch.com
    Oddly you avoid responding to the comments about cost. Show us some numbers, and then we'll see who's average.
  9. #29  
    Regarding the encryption, I have two words: snake oil.

    Never accept any encryption algorithm, unless it's been under public scrutiny and has been vetted by academics and the security industry. Too many people think they can create the most "secure" encryption yet, but it's just target practice for all the young cryptanalysts out there.

    (I own a copy of PGP Mobile.)
  10.    #30  
    Quote Originally Posted by calroth
    Regarding the encryption, I have two words: snake oil.

    Never accept any encryption algorithm, unless it's been under public scrutiny and has been vetted by academics and the security industry. Too many people think they can create the most "secure" encryption yet, but it's just target practice for all the young cryptanalysts out there.

    (I own a copy of PGP Mobile.)
    GB> Our encryption engine came out of a heavy academic think tank, and has been tested, and re-tested for over four years.

    Snake oil? I'll send you a message encrypted by our algo and see if you can de-cipher it. Just to give you a preview, two lines of plain text would end up being over 100,000 cipher-characters.

    However, ingeniously, the cipher processing adds not one bit of data to the encrypted file!

    The "cryptanalysts" (good word!), have attacked our cipher seven ways from Sunday, bring on the challengers!

    Gary E. Brant, CEO
    VeriTouch Ltd. - New York
    gb@veritouch.com
  11. #31  
    Quote Originally Posted by veritouch

    ...snip ...

    The "cryptanalysts" (good word!), have attacked our cipher seven ways from Sunday, bring on the challengers!

    Gary E. Brant, CEO
    VeriTouch Ltd. - New York
    gb@veritouch.com
    Do you have a peer-reviewed analysis of your algorithm and independent record of testing that we can reference? If you are providing these algorithms to large corporations and governmental entities, then there must be an independent way to validate your claims.

    And, please, do not tell me to try and decrypt your encrypted samples. I don't have the time, inclination, skill, or desire. That is not to say that there may not be others in the world who would rise to the challenge.
  12. #32  
    Quote Originally Posted by veritouch
    Snake oil? I'll send you a message encrypted by our algo and see if you can de-cipher it. Just to give you a preview, two lines of plain text would end up being over 100,000 cipher-characters.
    You keep saying that but I can guarantee that you can't crack standard 128-bit encryption either. Even if you had the computer "deep crack" and the full support of distributed.net it would be decades before you could decipher the message.

    Even if your 21000 bit encryption is secure and great, it's not any better than 128-bit. Both would be impossible to crack in a reasonable amount of time.

    Mike
  13.    #33  
    Quote Originally Posted by kazinvan
    You keep saying that but I can guarantee that you can't crack standard 128-bit encryption either. Even if you had the computer "deep crack" and the full support of distributed.net it would be decades before you could decipher the message.

    Even if your 21000 bit encryption is secure and great, it's not any better than 128-bit. Both would be impossible to crack in a reasonable amount of time.

    Mike
    GB> You're missing the point.

    It's not only our encryption algorithm, it is the WAY that we implement two forms of encryption, both for ease of use for customers, and to allow wide deployment in an enterprise infrastructure.

    You are incorrect about RSA 128-bit DES encryption.

    In 2000, a laptop was stolen from the HQ of one of the BIG credit card companies (I won't mention their name because they've already taken enough flack over this), which had more than 2,000,000 customers' account information on it, supposedly "protected" by DES.

    You can probably guess what happened next! Yes, all of those accounts were compromised AD HOC.

    Another, more recent case in point, SunnComm Technologies came out with what they claimed was a "copy proof music CD", to prevent piracy and illegal distribution of music tracks.

    Within one week of its release, a university student had hacked the encryption with ONE KEYSTROKE COMMAND on his PC.

    Yes, I'm aware of the dangers of hyping encryption, and YES, we've done our homework over four years and we believe we have a robust solution.

    And NO, I won't send you an encrypted sample to try and crack!

    Best wishes,

    Gary E. Brant, CEO
    VeriTouch Ltd. - New York
    gb@veritouch.com
  14. #34  
    Quote Originally Posted by veritouch
    You can probably guess what happened next! Yes, all of those accounts were compromised AD HOC.
    Ad hoc? What do you mean?

    Quote Originally Posted by veritouch
    Another, more recent case in point, SunnComm Technologies came out with what they claimed was a "copy proof music CD", to prevent piracy and illegal distribution of music tracks.

    Within one week of its release, a university student had hacked the encryption with ONE KEYSTROKE COMMAND on his PC.
    I don't believe that was encryption. It was an autoplay-style program that prevented ripping. If the audio data had been encrypted, normal CD players would not have played the CD.

    Quote Originally Posted by veritouch
    Yes, I'm aware of the dangers of hyping encryption, and YES, we've done our homework over four years and we believe we have a robust solution.
    Why should we trust you?

    /jgt
  15. #35  
    We all know that DES and 3DES are not secure and that is why there is AES.
    We've worked on a secure email solution for the Palm, Windows and Blackberry using Certicom's Security Builder 3 years ago. Guess what? Nobody was interested in email security. Our solution was very simple and seamless integration. No email server required for key exchange. You can send secure email using 3DES, DES or AES to any supported device including attachments. Public keys are all handled by the client.
    Want mp3/wav ringtones , Audio and Video recording for your Treo600/650? visit www.toysoft.ca
  16. #36  
    Quote Originally Posted by veritouch
    GB> You're missing the point.

    It's not only our encryption algorithm, it is the WAY that we implement two forms of encryption, both for ease of use for customers, and to allow wide deployment in an enterprise infrastructure.

    You are incorrect about RSA 128-bit DES encryption.

    In 2000, a laptop was stolen from the HQ of one of the BIG credit card companies (I won't mention their name because they've already taken enough flack over this), which had more than 2,000,000 customers' account information on it, supposedly "protected" by DES.

    You can probably guess what happened next! Yes, all of those accounts were compromised AD HOC.

    Another, more recent case in point, SunnComm Technologies came out with what they claimed was a "copy proof music CD", to prevent piracy and illegal distribution of music tracks.

    Within one week of its release, a university student had hacked the encryption with ONE KEYSTROKE COMMAND on his PC.

    Yes, I'm aware of the dangers of hyping encryption, and YES, we've done our homework over four years and we believe we have a robust solution.

    And NO, I won't send you an encrypted sample to try and crack!

    Best wishes,

    Gary E. Brant, CEO
    VeriTouch Ltd. - New York
    gb@veritouch.com

    Gary, I think that letting this degrade to a pissing match over encryption technologies (which you have contributed to) is hardly the way to get customers.

    Your product is clearly unique (although not that unique, Thanks smiley) and has features that some people may be interested in. I would have to say though having participated on this board and others like it for the last year, the average Treo user isn't going to be on your list of possible customers. Just my opinion.

    You might want to outline why someone might want to encrypt their emails, give details on the features of your product and the benefits of using it, and then of course, TELL US ABOUT THE COST!

    If you spend any time here at all you will learn that when you spend $500 plus for a smartphone, it doesn't necessarily mean you have an unlimited budget when it comes to add-ons and software. If your product is reasonably priced compared to the other email clients and the additional features you offer justify the added expense over the others, you may get some converts.

    Going on and on about how great your product is and how smart your company is for making it and how safe our emails to our wives and friends will be, just isn't the way to get it sold. IMHO.

    Good luck.
  17. #37  
    Quote Originally Posted by veritouch

    You are incorrect about RSA 128-bit DES encryption.

    In 2000, a laptop was stolen from the HQ of one of the BIG credit card companies (I won't mention their name because they've already taken enough flack over this), which had more than 2,000,000 customers' account information on it, supposedly "protected" by DES.
    Where did I say anything about DES? I know DES is not safe anymore, it can be cracked quite easily with brute force attack. In a previous post, I talked about RC5, MD5, Blowfish, etc.

    Quote Originally Posted by veritouch
    Another, more recent case in point, SunnComm Technologies came out with what they claimed was a "copy proof music CD", to prevent piracy and illegal distribution of music tracks.

    Within one week of its release, a university student had hacked the encryption with ONE KEYSTROKE COMMAND on his PC.
    SunnComm had nothing to do with encryption; the student didn't hack anything, just figured out how to get around the trick. You can't encrypt CD audio data; if you did, how would a generic CD player decode it? SunnComm just tried to exploit the different ways that audio CD players and CD-ROM drives in your computer read CDs.

    Mike
  18. Minsc  #38  
    I tend to agree with Woof. While having a 20,000 bit (or whatever it is) encryption scheme is very cool, I don't think it's going to be much of a selling point to anyone other than paranoid conspiracy theorists. What most users care about is usability, reliability, user-interface, and cost. If it's a great app in all those respects, then the bullet-proof encryption is gravy.

    As an aside, is the security concern for wireless email the actual "wireless part", (where the data is travelling from your mobile device to a tower) or is it once the data reaches the tower and then gets routed along thru the internet?
  19. #39  
    Quote Originally Posted by veritouch
    GB> Our encryption engine came out of a heavy academic think tank, and has been tested, and re-tested for over four years.
    Good. Please cite the papers which reference it, and I'll check them out. Journal names, dates of issue, and titles of papers would be great.

    Quote Originally Posted by veritouch
    Snake oil? I'll send you a message encrypted by our algo and see if you can de-cipher it. Just to give you a preview, two lines of plain text would end up being over 100,000 cipher-characters.
    However, ingeniously, the cipher processing adds not one bit of data to the encrypted file!
    This demonstrates how little you know about ciphers. ALL block ciphers can be made to work in a way which doesn't increase the size of the encrypted file. (For example: generate a keystream, then XOR it with the original file.)
  20. #40  
    (To all the people who are now in physical agony at the thought of generating a keystream, then XOR'ing it with the original file: don't worry, that comment wasn't aimed at you.)
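
The point made in post #39 (a block cipher run as a keystream generator adds no bytes to the message), as an added example that is not part of the original thread or any product discussed in it. XTEA is used here only because it is a published block cipher small enough to write with the standard library; the key, nonce, messages and function names are constructed for illustration. The last function shows why the remark in post #40 applies: reusing a keystream leaks the XOR of the plaintexts, and this construction provides no integrity protection.

```python
import struct

MASK32 = 0xFFFFFFFF
DELTA = 0x9E3779B9
BLOCK = 8  # XTEA block size in bytes


def _mix(v: int, total: int, subkey: int) -> int:
    # XTEA round function on 32-bit words
    return ((((v << 4) & MASK32) ^ (v >> 5)) + v) ^ (total + subkey)


def xtea_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Encrypt one 8-byte block with XTEA (16-byte key, 32 cycles)."""
    k = struct.unpack(">4I", key)
    v0, v1 = struct.unpack(">2I", block)
    total = 0
    for _ in range(32):
        v0 = (v0 + _mix(v1, total, k[total & 3])) & MASK32
        total = (total + DELTA) & MASK32
        v1 = (v1 + _mix(v0, total, k[(total >> 11) & 3])) & MASK32
    return struct.pack(">2I", v0, v1)


def ctr_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode: encrypt nonce||counter blocks, truncate to `length`."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += xtea_encrypt_block(key, nonce + struct.pack(">I", counter))
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: output is exactly as long as the input."""
    return xor_bytes(data, ctr_keystream(key, nonce, len(data)))


def padded_encrypt(key: bytes, data: bytes) -> bytes:
    """Block-by-block encryption with PKCS#7 padding, shown only for its
    size: the output grows to the next multiple of the block size."""
    pad = BLOCK - len(data) % BLOCK
    data += bytes([pad]) * pad
    return b"".join(xtea_encrypt_block(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))


def keystream_reuse_leak(key: bytes, nonce: bytes, m1: bytes, m2: bytes) -> bytes:
    """Same key and nonce for two messages: XOR of the ciphertexts equals
    XOR of the plaintexts, with no key involved."""
    return xor_bytes(ctr_xor(key, nonce, m1), ctr_xor(key, nonce, m2))


# Constructed sample values (not taken from the thread)
KEY = bytes(range(16))
NONCE = b"\x00\x00\x00\x01"
MSG = b"two lines of plain text\nsent from a handheld"
M1 = b"meet at 09:00 in room 4"
M2 = b"wire $500 to account 17"

if __name__ == "__main__":
    ct = ctr_xor(KEY, NONCE, MSG)
    print("plaintext bytes:      ", len(MSG))
    print("CTR ciphertext bytes: ", len(ct))
    print("padded cipher bytes:  ", len(padded_encrypt(KEY, MSG)))
    print("round trip ok:        ", ctr_xor(KEY, NONCE, ct) == MSG)
    print("reuse leaks m1^m2:    ",
          keystream_reuse_leak(KEY, NONCE, M1, M2) == xor_bytes(M1, M2))
```
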