[4811] in cryptography@c2.net mail archive
Product Review: NOVaSTOR DataSAFE
daemon@ATHENA.MIT.EDU (L. Sassaman)
Tue Jun 1 11:27:11 1999
Date: Tue, 1 Jun 1999 10:50:18 -0400 (EDT)
From: "L. Sassaman" <rabbi@quickie.net>
To: cryptography@c2.net
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Product Review: NOVaSTOR DataSAFE
L. Sassaman
6/1/1999
The NOVaSTOR web site (http://data-encryption.com/index.html) makes this
bold claim regarding their DataSAFE product:
"Password Protect, Compress and Encrypt your Files and Email Protect your
data from prying eyes! The DataSAFE family of encryption software stores,
transmits and receives electronic files securely. Protect your sensitive
files and data from prying eyes, whether on your PC or over the Internet
and World Wide Web. DataSAFE encrypts your data with BLOWFISH or RSA
secure algorithms which have never been broken, and can encrypt and
protect every type of file on every kind of media."
The benefits of using this software package are clear, according to the
company. "DataSAFE is the only encryption software on the market that lets
you send secure documents to people who do not have the program."
Apparently, for a mere $39.50, one can have a quick, easy way of sending
secure files to anyone with a computer. When using this product, the sender
uses the program to generate a .exe file, encrypted with Blowfish, that he
then sends as an attachment through email. The recipient does not need to
have any additional software on his computer, as the encrypted message
runs by itself (popping up a cute safe, which spits out the plain-text
when the correct combination is entered.)
Now, obviously, this lacks all the benefits of public key cryptography.
(The key, or "combination to the safe" must be delivered to the recipient
in some manner deemed secure. We are now back to the days of relying on
couriers with hand-cuffed brief-cases for security. The web page steps
over this issue, merely saying "you send [the key] separately".) The
product offers no identity verification for the author or originator of
the file being transfered. In addition, the .exe generated is a potential
carrier of virii, and only works on Microsoft systems. (Though a Java
version is promised.)
The product white paper
(http://data-encryption.com/datasheets/ds_white.html) makes this absurd
statement regarding public key cryptography (PKC):
"Public key encryption was discarded because it is too difficult to
establish key exchange with third party organizations running a variety of
computer hardware, mail systems and security programs. For example, a
typical law office needs to be able to send secure documents to a wide
range of client organizations, each having their own unique combination of
computers, mail and security systems."
PGP, and its free clone released under the GPL, GnuPG, are perfect
examples of secure PKC that are easily implemented across a variety of
computer hardware, mail systems and security systems. There is an
established network of public key servers that is widely used by nearly
every combination of software and hardware across the entire Internet.
(http://http://pgp.ai.mit.edu/ is one such server.) DataSAFE, however, is
not available except on systems running the correct versions of Microsoft
operating systems.
The closing statement on the product white paper offers this explanation
for the product's design:
"It should be recognized that BLOWFISH is just one of many excellent
encryption algorithms. In real life situations the security provided
depends much more on the user's ability to make use of the software than
the mathematical underpinnings of the encryption engine. The NOVaSTOR
DataSAFE strives to be so simple to use that people are willing and able
to secure their files."
Granted, the best encryption software in the world is useless if people
won't use it. But, in my opinion it is far more dangerous to lure people
into a false sense of security. Products like DataSAFE could possibly
encourage someone to reveal sensitive material on electronic
correspondence that he would otherwise have been reluctant to communicate.
It is my recommendation that DataSAFE not be used by anyone requiring
anything more than casual security. The freely available GnuPG
(http://www.gnupg.org), and the inexpensive PGP (www.pgp.com) offer the
best system for secure email communication available, and should be used
by anyone who is concerned about privacy. Products like DataSAFE should be
set aside, along with the secret decoder ring from the breakfast cereal
box.
L. Sassaman
System Administrator | "What's true in our minds is true,
Technology Consultant | whether some people know it or not."
icq.. 10735603 |
pgp.. finger://ns.quickie.net/rabbi | --Robin Williams
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v0.9.7 (GNU/Linux)
Comment: OpenPGP Encrypted Email Preferred.
iD8DBQE3U/MyPYrxsgmsCmoRAthbAJsGLzLS8wCqjnwSLgkZY6lEJN6kUQCeJhwC
H5e+Iquwq/c1GUq6ndZzdPY=
=BN59
-----END PGP SIGNATURE-----
