What about sending encrypted messages to someone without PGP


Post by Mathew Lodg » Fri, 28 Feb 1997 04:00:00




> I'm using McAfee 160bit blowfish which doesn't require the recipient to
> have the program. It's self-extracting.  I'm not arguing the quality of PGP,
> I'm sure it's great but why should I mess with it (especially since the
> recipient has to have PGP), when I can use this product and send to whoever
> I want. I could send you an encrypted file right now even though you don't
> have it and with the password you could decrypt in a matter of seconds.

And, er, how would I safely get the password from you? Over an unsecured
channel?

Cheers,

Mathew

----
Mathew Lodge; Houston, Texas, USA.
My return e-mail address contains an anti-spam device. Work it out,
remove the anti-spam suffix, and that's the address

 
 
 


Post by Seth Gol » Fri, 28 Feb 1997 04:00:00




> I could send you an encrypted file right now even though you don't
> have it and with the password you could decrypt in a matter of
> seconds.  

But how would I get the password?  You and I would have to communicate
securely at some point and share a secret.  If you wanted to encrypt
things for lots of people, you'd need to share separate secret keys
with each of them.  If they wanted to deal with other people, they'd
also need separate keys for everyone.  For every single point to point
connection, both sides would have to share a secret key to use as a
password.  Even ignoring for the moment the problem of finding a
secure channel to share the passwords on, it's an administrative
nightmare just keeping track of all the keys.  That's what public key
cryptography obviates.

--


 
 
 


Post by System Administrat » Mon, 03 Mar 1997 04:00:00


: > I'm using McAfee 160bit blowfish which doesn't require the recipient to
: > have the program. It's self-extracting.  I'm not arguing the quality of PGP,
: > I'm sure it's great but why should I mess with it (especially since the
: > recipient has to have PGP), when I can use this product and send to whoever
: > I want. I could send you an encrypted file right now even though you don't
: > have it and with the password you could decrypt in a matter of seconds.

: And, er, how would I safely get the password from you? Over an unsecured
: channel?

And another point: what if I don't have DOS (or whatever OS blowfish
runs on)?  In fact, I _DO_ have DOS, but I know many people who don't.

Vadik.

--

I think that I shall never see a poem as lovely as a binary tree.

 
 
 


Post by Gary McAnall » Mon, 03 Mar 1997 04:00:00


--

> : And, er, how would I safely get the password from you? Over an unsecured
> : channel?

> And another point: what if I don't have DOS (or whatever OS blowfish
> runs on)?  In fact, I _DO_ have DOS, but I know many people who don't.

I was going to send the password just so someone could see how it operates.
Normally I usually give the password over the phone. As far as dos, I
don't know anyone who isn't using either windows . Since you don't I guess
I wouldn't be sending you anything encrypted would I.  I guess I have to
concede the point that if anyone brings anything up that isn't PGP, it's
flawed.  Typical.


 
 
 


Post by Goran Edvardsso » Tue, 04 Mar 1997 04:00:00



> I was going to send the password just so someone could see how it operates.
> Normally I usually give the password over the phone.

I suppose you can always hope that no one has bugged your phone...
--

 
 
 


Post by Zvxr Ebfraob » Thu, 06 Mar 1997 04:00:00


Gary, why not just skip all of the cloak-and-dagger stuff (passwords),
and give the entire message in the clear over the phone by voice or
fax?  

On 2 Mar 1997 23:50:12 GMT, Gary McAnally ("Gary McAnally"


>--

>> : And, er, how would I safely get the password from you? Over an unsecured
>> : channel?

>> And another point: what if I don't have DOS (or whatever OS blowfish
>> runs on)?  In fact, I _DO_ have DOS, but I know many people who don't.

>I was going to send the password just so someone could see how it operates.
>Normally I usually give the password over the phone. As far as dos, I
>don't know anyone who isn't using either windows . Since you don't I guess
>I wouldn't be sending you anything encrypted would I.  I guess I have to
>concede the point that if anyone brings anything up that isn't PGP, it's
>flawed.  Typical.



_________________________________________

(Use ROT13 to decipher)
M.S., Mathematics
PGP public key available from most keyservers
 
 
 


Post by Anthony E. Gree » Thu, 06 Mar 1997 04:00:00


-----BEGIN PGP SIGNED MESSAGE-----



>Gary, why not just skip all of the cloak-and-dagger stuff (passwords),
>and give the entire message in the clear over the phone by voice or
>fax?  

I know we PGP'rs consider ourselves serious about security, but there is
sometimes a need to prevent casual snooping. I can see a need for a
solution that is easy and provides just enough security to prevent nosy
people from reading your mail and files. Password security for such a
system need not be strict.

The only real problem I see with solutions like this is that users will
tend to forget that they have inherent weaknesses when compared to
public key systems and systems that use larger keys. But if your needs
are casual such limitations may not be important.

Let's not get so narrow-minded that we think there's only one way to do
things.

Tony

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

-----END PGP SIGNATURE-----

===================================================

PGP Key Id: pub 1083 0x78CD4329
===================================================
PGP Key:  Send me email with Subject: send pgp key
PGP Info: Send me email with Subject: send pgp info
          or visit PGP Inc at <http://www.pgp.com/>
===================================================

 
 
 


Post by Galactu » Thu, 06 Mar 1997 04:00:00


-----BEGIN PGP SIGNED MESSAGE-----



> Gary, why not just skip all of the cloak-and-dagger stuff (passwords),
> and give the entire message in the clear over the phone by voice or
> fax?  

A bit expensive, if you're in the Netherlands, and the other party
is in New Zealand.

And have you ever tried to fax a color photo? Bleh.

Hmm.. I suppose you could try whistling down the line to pretend
that you're a modem or something..
- --
To find out more about PGP, send mail with HELP PGP in the SUBJECT line to me.


Anonymity and privacy site: http://www.stack.nl/~galactus/remailers/

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: cp850

-----END PGP SIGNATURE-----

 
 
 


Post by Zvxr Ebfraob » Thu, 06 Mar 1997 04:00:00


On Wed, 05 Mar 1997 18:56:15 +0100, Arnoud "Galactus" Engelfriet


>-----BEGIN PGP SIGNED MESSAGE-----



>> Gary, why not just skip all of the cloak-and-dagger stuff (passwords),

[snipped]

>Hmm.. I suppose you could try whistling down the line to pretend
>that you're a modem or something..

[snipped]

Hmmm....do you think that if I practice this daily, I could get a spot
on Letterman's Stupid Human Tricks?

Seriously, though, I can see the need for "weak" encryption--heck, I'm
using ROT13 to protect myself from Spamford Wallace.  I'll concede
that for casual purposes, it's probably OK to send a password over the
phone, but this method should be used with caution, of course, because
it is not very secure--hence my smart-alecky comment about sending the
message in the clear over the phone.
_________________________________________

(Use ROT13 to decipher)
M.S., Mathematics
PGP public key available from most keyservers

 
 
 


Post by Steve Smi » Fri, 07 Mar 1997 04:00:00





>I know we PGP'rs consider ourselves serious about security, but there is
>sometimes a need to prevent casual snooping. I can see a need for a
>solution that is easy and provides just enough security to prevent nosy
>people from reading your mail and files. Password security for such a
>system need not be strict.

Why?  Good, solid security (at least on the program level) is no more
difficult or expensive than bad.  IDEA is no more difficult to program
than Enigma.  A 256 character passphrase is no more difficult to program
than an 8 character password.

Also, the boundaries keep shifting.  Originally, storing passwords in a
file accessible only by the superuser was "enough".  Then it was enough
to store passwords in encrypted form.  Now we store encrypted passwords
in a superuser-only file, and we worry about that.

>The only real problem I see with solutions like this is that users will
>tend to forget that they have inherent weaknesses when compared to
>public key systems and systems that use larger keys. But if your needs
>are casual such limitations may not be important.

The big problem that I see is that users (despite all warnings) will
insist that there really is a backdoor, and *demand* that you restore
data stored with their forgotten password.

With "cheap" security, there is a backdoor.

>Let's not get so narrow-minded that we think there's only one way to do
>things.

Absolutely!

--

Agincourt Computing                             +1 (301) 681 7395
"Everything should be made as simple as possible, but no simpler."

 
 
 


Post by Anthony E. Gree » Sat, 08 Mar 1997 04:00:00


-----BEGIN PGP SIGNED MESSAGE-----







>>I know we PGP'rs consider ourselves serious about security, but there is
>>sometimes a need to prevent casual snooping. I can see a need for a
>>solution that is easy and provides just enough security to prevent nosy
>>people from reading your mail and files. Password security for such a
>>system need not be strict.

>Why?  Good, solid security (at least on the program level) is no more
>difficult or expensive than bad.  IDEA is no more difficult to program
>than Enigma.  A 256 character passphrase is no more difficult to program
>than an 8 character password.

The original poster's point is that he was using a system that allowed
him to send an encrypted message along with the decryption engine so
that the recipient need not have the software. I don't know of any
strong encryption system that's that simple.

It's not a matter of programming IDEA or setting key sizes. It's a user
interface thing. Easy, casual systems by their very nature do not
require all the precautions needed for secure systems. That's why
they're called casual.

Tony

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

-----END PGP SIGNATURE-----

--

PGP Key Id: pub 1083 0x78CD4329
---------------------------------------------------
PGP Key:  Send me email with Subject: send pgp key
PGP Info: Send me email with Subject: send pgp info
          or visit PGP Inc at <http://www.pgp.com/>
---------------------------------------------------

 
 
 


Post by Anthony E. Gree » Sun, 09 Mar 1997 04:00:00





>And my point is that in most cases, good security is no harder than
>bad.  A convenient user interface has nothing to do with security, good
>or bad...

Ahh... I see your point. True, the two are not inherently related.

Tony
--

PGP Key Id: pub 1083 0x78CD4329
---------------------------------------------------
PGP Key:  Send me email with Subject: send pgp key
PGP Info: Send me email with Subject: send pgp info
          or visit PGP Inc at <http://www.pgp.com/>
---------------------------------------------------