Newsgroups: sci.crypt
Path: msuinfo!caen!sdd.hp.com!network.ucsd.edu!qualcom.qualcomm.com!qualcom.qualcomm.com!karn
From: karn@qualcom.qualcomm.com (Phil Karn)
Subject: Re: Reply to request for features of new encryption system.
Message-ID: <1992Jan25.010506.1237@qualcomm.com>
Sender: news@qualcomm.com
Nntp-Posting-Host: qualcom.qualcomm.com
Reply-To: karn@chicago.qualcomm.com
Organization: Qualcomm, Inc
References:  <3258@wet.UUCP>
Distribution: usa
Date: Sat, 25 Jan 1992 01:05:06 GMT
Lines: 37

In article <3258@wet.UUCP>, naga@wet.UUCP (Peter Davidson) writes:
|> printed manual.  The full details of the method, and the actual C source
|> code, are currently not being made public, not because of doubt about the
|> security of the method, but because, in the opinion of the publisher, such
|> exposure can do nothing to enhance the security of the system. Cryptologists
|> would probably like to take a look, but users will feel safer knowing that
|> the details of the encryption method are not known to would-be attackers.

This is an utterly unbelievable statement!

The history of DES and especially the history of the ill-fated NSA
"commercial comsec endorsement program" have shown again and again
that smart crypto users (outside of classified arenas) will simply not
accept secret algorithms. The only algorithms that can be trusted are
those that have been subjected to intense public scrutiny for years
without being broken. All too many "proprietary, better than DES"
ciphers have quickly collapsed once their designs became known.

Even releasing the algorithm is not enough -- you must release the
design criteria as well. IBM's withholding, at NSA's request, of this
information for DES has hung over it like a cloud since its inception.
The recent progress in cryptanalyzing DES in less than brute-force time
shows that perhaps this "cloud" was well-justified.

Anyone who claims that a cipher of his own creation is unbreakable
simply because he cannot break it himself is either an utter genius or
a complete fool.  I'll leave it to your imagination as to which type
is more numerous. The rest of us know our limitations and prefer to
rely on the peer review process.

I know enough about cryptography to know that I am not a
cryptographer. And that would seem to mean that I know a LOT more
about cryptography than most people.

Phil


