Re: NSA back doors in encryption products

[David Honig]

At 06:42 PM 5/24/00 -0500, Jim Choate wrote:
>
>On Wed, 24 May 2000, Eugene Leitl wrote:
>>The prudent assumption is hence: your online system 
>> can't be completely trusted, whether OpenSource, or not. Encryption
>> should be done in hardware.
>
>Bull, the hardware companies aren't any more trustworthy.

No but their product is less mutable.

And actually you can reverse engineer hardware.  Firms do it
commercially every day.

While a cipher is great in hardware, ciphers don't
change --they don't track 'standards' like protocols.  More and
more crypto- (and other) hardware contains firmware in changable locations.
More convenient (upgrades, fixes) that way, of course.  But
subvertable.

Your data still goes through an operating system, etc., so the
real issue is a closed system: encrypt on a PDA which is under your
close personal control and does not download new executables.  Let your 
untrustworthy networked-PC be merely its gateway.