Re: RC5, hiding source code

Ronald Van Iwaarden (rrt0136@ibm.net)
Sun, 11 May 97 16:17:37


On Sun, 11 May 1997 15:50:05 -0400, Nelson Minar wrote:

>>>We're keeping the source available and allowing people worldwide to
>>>participate,
>>What are you doing to ensure that the client does the work it claims it
>>does? With public source code, I would think that you are wide open for a
>>hacker to maliciously destroy all your efforts.
>
>Keeping the source code proprietary does *not* effectively protect the
>server against a malicious client. If someone wants to muck with your
>server, they can just reverse engineer the client. If the protocol is
>simple enough you don't even need to do that - just eavesdrop on the
>protocol stream and work from there.

Agreed. It is always possible to reverse engineer this stuff. However, I
would think that having proprietary source code would make malicious clients
more difficult to create. After all, that is the point of encryption. It is
breakable, you just want to make it difficult enough to break so that it is not
worth the effort. Same thing here, just make it more difficult for hackers to
screw up the effort.

One idea I had (I don't know how reasonable it is) is that all the messages
could be encrypted. If one of the keys were burried within the binary, then it
could both encrypt and decrypt messages. Again, it could be cracked if one of
the keys could be discovered (it would have to be well hidden in the
executable) but this would add an additional level of security.

>>If all the forces of Solnet and DESCHAL were thrown behind your effort as
>>soon as we are done, I am sure we would crack RC5-56 quite quickly.
>
>I confess, I don't really understand why RC5-56 is such a target.
>RC5-40 made sense - it was the only crypto exportable from the US;
>demonstrating it was weak was an important political move. A similar
>argument goes for breaking DES. But why RC5-56? Is $10,000 that
>exciting?

Part of it is the thrill of the crack but another part is to make sure that the
US does not do something stupid like change from RC5-40 to RC5-56 for export.
Perhaps this will encourage them to go quite a few steps farther or abolish all
the present restrictions.

--Ron
o Ronald Van Iwaarden | Work to live;
/\ Hope College | Live to bike;
_`\ `_<=== Holland MI 49423 | Bike to work!
__(_)/_(_)___.-._ voice : (616)355-7120 | http://www.cs.hope.edu/~rvaniwaa/