From: "L. Sassaman" <rabbiat_private>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Product Review: NOVaSTOR DataSAFE
L. Sassaman
6/1/1999

The NOVaSTOR web site (http://data-encryption.com/index.html) makes this bold claim regarding their DataSAFE product:

"Password Protect, Compress and Encrypt your Files and Email
Protect your data from prying eyes! The DataSAFE family of encryption software stores, transmits and receives electronic files securely. Protect your sensitive files and data from prying eyes, whether on your PC or over the Internet and World Wide Web. DataSAFE encrypts your data with BLOWFISH or RSA secure algorithms which have never been broken, and can encrypt and protect every type of file on every kind of media."

The benefits of using this software package are clear, according to the company. "DataSAFE is the only encryption software on the market that lets you send secure documents to people who do not have the program." Apparently, for a mere $39.50, one can have a quick, easy way of sending secure files to anyone with a computer.

When using this product, the sender uses the program to generate a .exe file, encrypted with Blowfish, that he then sends as an attachment through email. The recipient does not need to have any additional software on his computer, as the encrypted message runs by itself (popping up a cute safe, which spits out the plaintext when the correct combination is entered).

Now, obviously, this lacks all the benefits of public key cryptography. (The key, or "combination to the safe", must be delivered to the recipient in some manner deemed secure. We are now back to the days of relying on couriers with handcuffed briefcases for security. The web page steps over this issue, merely saying "you send [the key] separately".) The product offers no identity verification for the author or originator of the file being transferred. In addition, the .exe generated is a potential carrier of viruses, and only works on Microsoft systems. (Though a Java version is promised.)

The product white paper (http://data-encryption.com/datasheets/ds_white.html) makes this absurd statement regarding public key cryptography (PKC):

"Public key encryption was discarded because it is too difficult to establish key exchange with third party organizations running a variety of computer hardware, mail systems and security programs. For example, a typical law office needs to be able to send secure documents to a wide range of client organizations, each having their own unique combination of computers, mail and security systems."

PGP, and its free clone released under the GPL, GnuPG, are perfect examples of secure PKC that are easily implemented across a variety of computer hardware, mail systems and security systems. There is an established network of public key servers that is widely used by nearly every combination of software and hardware across the entire Internet. (http://pgp.ai.mit.edu/ is one such server.) DataSAFE, however, is not available except on systems running the correct versions of Microsoft operating systems.

The closing statement on the product white paper offers this explanation for the product's design:

"It should be recognized that BLOWFISH is just one of many excellent encryption algorithms. In real life situations the security provided depends much more on the user's ability to make use of the software than the mathematical underpinnings of the encryption engine. The NOVaSTOR DataSAFE strives to be so simple to use that people are willing and able to secure their files."

Granted, the best encryption software in the world is useless if people won't use it. But, in my opinion, it is far more dangerous to lure people into a false sense of security. Products like DataSAFE could possibly encourage someone to reveal sensitive material in electronic correspondence that he would otherwise have been reluctant to communicate.

It is my recommendation that DataSAFE not be used by anyone requiring anything more than casual security. The freely available GnuPG (http://www.gnupg.org) and the inexpensive PGP (www.pgp.com) offer the best system for secure email communication available, and should be used by anyone who is concerned about privacy. Products like DataSAFE should be set aside, along with the secret decoder ring from the breakfast cereal box.

L. Sassaman
System Administrator                 | "What's true in our minds is true,
Technology Consultant                |  whether some people know it or not."
icq.. 10735603                       |
pgp.. finger://ns.quickie.net/rabbi  |        --Robin Williams

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v0.9.7 (GNU/Linux)
Comment: OpenPGP Encrypted Email Preferred.

iD8DBQE3U/MyPYrxsgmsCmoRAthbAJsGLzLS8wCqjnwSLgkZY6lEJN6kUQCeJhwC
H5e+Iquwq/c1GUq6ndZzdPY=
=BN59
-----END PGP SIGNATURE-----

-o-
Subscribe: mail majordomoat_private with "subscribe isn".
Today's ISN Sponsor: OSAll [www.aviary-mag.com]
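The contrast the review draws, as an added example that is not part of the original post and is neither DataSAFE's nor PGP's code: a container opened by a shared "combination" tells the recipient only that whoever built it knew the combination, while a container whose contents are signed with a private key lets the recipient reject one built by anyone else. Everything below is an assumption of this example: the cipher is an HMAC-SHA256 keystream standing in for Blowfish (which the standard library does not ship), the signature is textbook RSA over a SHA-256 digest with 160-bit primes and no padding (large enough to show the mechanism, far too small and too bare for real use), and the file contents, names and combination are constructed sample data.

```python
import hashlib
import hmac
import os
import random

# ---- 1. Password-only container (the "safe" with a shared combination) ----

def derive_key(combination: str, salt: bytes) -> bytes:
    """Stretch the shared combination into a 32-byte key (assumed KDF)."""
    return hashlib.pbkdf2_hmac("sha256", combination.encode(), salt, 100_000)

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC-SHA256, a stand-in for Blowfish.
    XOR is its own inverse, so this both encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, (off // 32).to_bytes(8, "big"), "sha256").digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def seal(combination: str, plaintext: bytes) -> dict:
    """Build a container: salt, ciphertext and a tag that lets the
    recipient know the combination was right (the 'safe opens' check)."""
    salt = os.urandom(16)
    key = derive_key(combination, salt)
    ct = keystream_xor(key, plaintext)
    return {"salt": salt, "ct": ct, "tag": hmac.new(key, salt + ct, "sha256").digest()}

def open_safe(combination: str, container: dict):
    """Return the plaintext if the combination is right, else None.
    Nothing here can say WHO built the container: only that they had the
    combination, which every recipient also has."""
    key = derive_key(combination, container["salt"])
    tag = hmac.new(key, container["salt"] + container["ct"], "sha256").digest()
    if not hmac.compare_digest(tag, container["tag"]):
        return None
    return keystream_xor(key, container["ct"])

# ---- 2. Origin authentication with a public/private key pair (toy RSA) ----

_rng = random.SystemRandom()

def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin primality test."""
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # full-length, odd
        if _is_probable_prime(cand):
            return cand

def rsa_keygen(bits: int = 160):
    """Return ((e, n), (d, n)). 160-bit primes keep n above the 256-bit
    digest; this is a demonstration size, not a secure one."""
    e = 65537
    while True:
        p, q = _random_prime(bits), _random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)

def sign(priv, message: bytes) -> int:
    d, n = priv
    return pow(int.from_bytes(hashlib.sha256(message).digest(), "big"), d, n)

def verify(pub, message: bytes, sig: int) -> bool:
    e, n = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(message).digest(), "big")

def demo() -> dict:
    """Alice and Mallory both know the combination; only Alice holds her key."""
    combination = "swordfish"                                  # constructed
    alice_file = b"Offer: $12 per share, closing in Q3"        # constructed
    mallory_file = b"Offer: $9 per share, closing in Q4"       # constructed

    # Scenario 1: two containers, same combination. Both open; the recipient
    # has no way to tell which one Alice actually built.
    opened = [open_safe(combination, seal(combination, f)) for f in (alice_file, mallory_file)]

    # Scenario 2: signatures. Mallory can only sign with her own key.
    alice_pub, alice_priv = rsa_keygen()
    _, mallory_priv = rsa_keygen()
    return {
        "both_open": opened == [alice_file, mallory_file],
        "wrong_combination_fails": open_safe("guess", seal(combination, alice_file)) is None,
        "alice_verifies": verify(alice_pub, alice_file, sign(alice_priv, alice_file)),
        "mallory_verifies": verify(alice_pub, mallory_file, sign(mallory_priv, mallory_file)),
        "altered_verifies": verify(alice_pub, mallory_file, sign(alice_priv, alice_file)),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The first scenario is the whole of what a shared combination buys: confidentiality against people who do not have it, and nothing about origin. The second is what the review means by "identity verification": the recipient checks against Alice's public key, obtained once and reused, so no per-message secret has to travel by courier at all.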
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:24:28 PDT