I've been (repeatedly) attempting to repel a sales droid from ARCOT, who wants to sell me their "cryptographic camouflage" product. I reviewed their IEEE paper again, and I'm still unimpressed with this stuff. In a nutshell, the security of the product lies in keeping the public exponent secret, as well as the private exponent [It's an RSA system]. The idea is that the PIN/passphrase that protects the private exponent need not be that strong, since there's no way to verify that you've found the correct private exponent without also knowing the public exponent (in their scheme, the public exponent is picked randomly, and is set to be roughly half the size of the modulus). There's also a lot of other painful dancing around to make sure that things like messages encrypted under the public key are never made available to anyone but the "trusted domain" that this system lives in. The only real protection they have is that the server side of this stuff disables the user after a small number of failed authentication attempts, otherwise you could use servers as oracles to test trial decryptions of the private key. The system is horribly broken if it's ever possible to intercept a message encrypted under the public key of the target user, since they make no attempt to enforce any kind of passphrase quality, and it's not clear whether they use PKCS#5 techniques to generate (symmetric) keying material from the passphrase. They do use random padding on signatures, which precludes verifying a guess at the private key by comparing signatures from an intercepted message. But that's nothing special--I started doing that years ago. Has anyone else looked at this stuff?
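A toy model of the design point the post makes, added here as an illustration and not Arcot's code: with the public exponent secret, a wrongly unwrapped private exponent looks as plausible as the right one, so there is nothing to check offline; the moment one ciphertext/plaintext pair from the "trusted domain" is known, every PIN guess becomes checkable. Tiny constructed primes, a PBKDF2/HMAC wrapping of the private exponent, and the PIN list are all assumptions of this example.

```python
"""Toy 'cryptographic camouflage' model (illustration only, not Arcot's scheme verbatim)."""
import hashlib, hmac, math, secrets

# Constructed toy parameters: tiny primes so the whole demo runs instantly.
P, Q = 1000003, 1000033
N = P * Q
PHI = (P - 1) * (Q - 1)
PIN_ITERATIONS = 1000  # assumed PBKDF2 work factor for the PIN-derived key

def make_keypair():
    """Camouflage-style keypair: e is random, roughly half the modulus size, and secret."""
    while True:
        e = secrets.randbits(N.bit_length() // 2) | 1
        if math.gcd(e, PHI) == 1:
            return e, pow(e, -1, PHI)

def pin_stream(pin, salt, length):
    """PBKDF2 (PKCS#5) key from the PIN, expanded into a keystream with HMAC (assumed wrapping)."""
    key = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PIN_ITERATIONS)
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, ctr.to_bytes(4, "big"), "sha256").digest()
        ctr += 1
    return out[:length]

def wrap_private_exponent(d, pin, salt):
    d_bytes = d.to_bytes((N.bit_length() + 7) // 8, "big")
    return bytes(a ^ b for a, b in zip(d_bytes, pin_stream(pin, salt, len(d_bytes))))

def unwrap_private_exponent(blob, pin, salt):
    plain = bytes(a ^ b for a, b in zip(blob, pin_stream(pin, salt, len(blob))))
    return int.from_bytes(plain, "big")

def pins_consistent_with_blob(blob, salt, pin_space, oracle=None):
    """PINs that survive offline verification.
    oracle=None: e is secret and no ciphertext is known, so only a structural range
    check is possible and nearly every PIN survives. oracle=(c, m): an intercepted
    ciphertext with its plaintext lets each candidate d be tested directly."""
    survivors = []
    for pin in pin_space:
        d = unwrap_private_exponent(blob, pin, salt)
        if not 0 < d < N:
            continue
        if oracle is not None and pow(oracle[0], d, N) != oracle[1]:
            continue
        survivors.append(pin)
    return survivors

if __name__ == "__main__":
    e, d = make_keypair()
    salt = secrets.token_bytes(8)
    blob = wrap_private_exponent(d, "4821", salt)
    pins = [f"{i:04d}" for i in range(0, 10000, 7)] + ["4821"]  # constructed PIN list
    print(len(pins_consistent_with_blob(blob, salt, pins)), "PINs survive with e secret")
    c = pow(42, e, N)  # one message leaked from the trusted domain
    print(pins_consistent_with_blob(blob, salt, pins, (c, 42)), "survive with a (c, m) pair")
```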
