pem-dev

RE: RIPEM

1993-03-15 11:39:00
At  1:08 PM 3/12/93 -0500, Markowitz@DOCKMASTER.NCSC.MIL wrote:
...

Ah, a challenge!  I just encrypted and signed a 270KB file using
SecretAgent/Mac 1.0.4.  This did the following:

 1. computation of pseudorandom DES key based on 20-byte random seed
    and number of ticks since last boot (uses NIST SHA for state
    transitions; use of a purely random key generation scheme is
    optional)
 2. lookup of recipient's public key; ElGamal encryption of DES key
 3. DES encryption of file (270KB) in CBC mode
 4. NIST Secure Hash of file (performed simultaneously with 2) as
    message digest
 5. lookup of sender's public key, validation of private key, and
    computation of NIST DSA on hash
...
Michael,

The comparison you offer is not especially interesting in the context of
the pem-dev mailing list.  I recall discussing this with you and Tom Venn
in April of 1991, when I telephoned your office to inform you of the
existence of PEM.  To recap:

The PEM objective has been a standard for secure mail with Internet-wide
interoperability.  We now have such a standard, the union of RFCs 1421
through 1424, which has arrived at Proposed Standard status in the
IETF/IESG/IAB/ISOC process.  At this time, RFC 1423 specifies the use of
RSA for symmetric key distribution and signature, and MD2 and MD5 for
hashing.  ElGamal (in any form), DSS, and SHS are not listed in the RFC. 
Nor are RC2 and RC4.

Some may choose to implement privacy-enhanced mail with DSS, SHS, etc., but
that would not be an implementation of Internet PEM.  If you sold it, your
customers would only be sure of being able to talk to each other.  (I seem
to remember that you and Jim Bidzos have had "discussions" in the past that
would make it difficult for you to sell something that uses RSA.)

The question of whether DSS should or will appear as a PEM algorithm has
been discussed in the PSRG and the PEM WG since as early as NIST first
announced the intent to publish a signature standard.  I believe the
consensus position was and still is that if and when DSS, etc. become final
FIP standards, and when there has been sufficient exposure and experience
for the community to gain confidence in them, these algorithms would be
candidates for inclusion in PEM.

However, the U.S. Government, particularly the Department of Defense, is
proceeding along a path that will make it difficult for vendors to sell a
secure e-mail package that is both PEM-compliant and meets Government
standards.  Although DSS can be used to sign messages and certificates, it
can't be used as a substitute for RSA where RSA is used in PEM for key
distribution.  That requires another asymmetric encryption algorithm.
NIST is not signaling that such an algorithm will be forthcoming, and DOD
is almost certain to use only algorithms that will not be disclosed and
will only be used in hardware.  (Just as soon as I know for sure that
information on this subject is publicly releasable, I will forward it or
references to this list.)

As I said in 1991, you guys need to get on the PEM bandwagon for long-term
marketability.   
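
The point about the two roles RSA plays in RFC 1423, key distribution and
signature, is easiest to see in code.  What follows is an added example
written for this archive page; it is not code from the message above, from
SecretAgent or from any PEM implementation.  It uses only the Go standard
library to build the cryptographic core of an RFC 1423 ENCRYPTED message:
a random DES key (with the odd parity RFC 1423 calls for), DES-CBC over the
text with RFC 1423 padding, the key enciphered under the recipient's RSA
public key (PKCS#1 block type 02), and an MD5 MIC signed with the sender's
RSA private key (block type 01).  The RFC 1421 header framing, the
canonical-form processing, and the DES encryption of the signed MIC that RFC
1423 also specifies are omitted, RFC 1423's MD2 option is skipped because Go
has no MD2, the Message field names are my own, and the 2048-bit keys are a
modern size rather than a 1993 one.  DES and MD5 are used here only because
they are what RFC 1423 specified; neither is fit for new designs.  The
comment at the key-wrapping step marks the operation that has no DSS
counterpart.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/cipher"
	"crypto/des"
	"crypto/md5"
	"crypto/rand"
	"crypto/rsa"
	"errors"
	"fmt"
	"math/bits"
)

// Message holds the cryptographic fields of an RFC 1423 ENCRYPTED message,
// minus the RFC 1421 header framing. Field names are this example's own.
type Message struct {
	IV         []byte // DEK-Info: CBC IV, sent in the clear
	WrappedKey []byte // Key-Info: DES key under the recipient's RSA public key
	MIC        []byte // MIC-Info: MD5 of the text, signed with the sender's RSA key
	Body       []byte // DES-CBC ciphertext of the padded text
}

// oddParity forces odd parity on each DEK octet, as RFC 1423 requires.
func oddParity(k []byte) {
	for i, b := range k {
		k[i] = b&0xfe | byte(1-bits.OnesCount8(b&0xfe)%2)
	}
}

// pad/unpad follow RFC 1423 section 1.1: 1..8 octets, each equal to the count.
func pad(p []byte) []byte {
	n := 8 - len(p)%8
	return append(append([]byte{}, p...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func unpad(p []byte) ([]byte, error) {
	if len(p) == 0 || len(p)%8 != 0 {
		return nil, errors.New("not a whole number of DES blocks")
	}
	n := int(p[len(p)-1])
	if n < 1 || n > 8 || !bytes.Equal(p[len(p)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return p[:len(p)-n], nil
}

// Seal is the sender's side. RSA is used twice, in two different roles.
func Seal(text []byte, recipient *rsa.PublicKey, sender *rsa.PrivateKey) (*Message, error) {
	dek, iv := make([]byte, 8), make([]byte, des.BlockSize)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	oddParity(dek)
	blk, err := des.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	padded := pad(text)
	body := make([]byte, len(padded))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(body, padded)
	// Key distribution: the DEK enciphered for the recipient (PKCS#1 block
	// type 02). A signature-only algorithm such as DSS cannot stand in here.
	wrapped, err := rsa.EncryptPKCS1v15(rand.Reader, recipient, dek)
	if err != nil {
		return nil, err
	}
	// Origin and integrity: MD5 over the text, signed as PKCS#1 block type 01.
	sum := md5.Sum(text)
	sig, err := rsa.SignPKCS1v15(rand.Reader, sender, crypto.MD5, sum[:])
	if err != nil {
		return nil, err
	}
	return &Message{IV: iv, WrappedKey: wrapped, MIC: sig, Body: body}, nil
}

// Open is the recipient's side: recover the DEK, decrypt, then verify the MIC.
func Open(m *Message, recipient *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	dek, err := rsa.DecryptPKCS1v15(rand.Reader, recipient, m.WrappedKey)
	if err != nil {
		return nil, err
	}
	blk, err := des.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	if len(m.Body)%des.BlockSize != 0 || len(m.IV) != des.BlockSize {
		return nil, errors.New("ciphertext or IV not block aligned")
	}
	padded := make([]byte, len(m.Body))
	cipher.NewCBCDecrypter(blk, m.IV).CryptBlocks(padded, m.Body)
	text, err := unpad(padded)
	if err != nil {
		return nil, err
	}
	sum := md5.Sum(text)
	if err := rsa.VerifyPKCS1v15(sender, crypto.MD5, sum[:], m.MIC); err != nil {
		return nil, fmt.Errorf("MIC check failed: %w", err)
	}
	return text, nil
}

// RoundTrip seals a constructed sample under fresh keys, opens it, and checks
// that a body altered in transit is rejected by the MIC check.
func RoundTrip() (bool, error) {
	sender, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, err
	}
	recipient, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, err
	}
	text := []byte("constructed sample: the quick brown fox jumps over the lazy dog")
	m, err := Seal(text, &recipient.PublicKey, sender)
	if err != nil {
		return false, err
	}
	got, err := Open(m, recipient, &sender.PublicKey)
	if err != nil || !bytes.Equal(got, text) {
		return false, errors.New("round trip failed")
	}
	m.Body[0] ^= 0x80 // third-party change to the ciphertext
	if _, err := Open(m, recipient, &sender.PublicKey); err == nil {
		return false, errors.New("tampered body accepted")
	}
	return true, nil
}

func main() {
	ok, err := RoundTrip()
	fmt.Println("seal/open round trip ok:", ok, err)
}
```

Read against the quoted SecretAgent steps: steps 3 and 4 have direct
analogues (DES-CBC, a digest), step 5 corresponds to the signature, but step
2 is where the two designs part ways.  Here the DEK is wrapped with the
recipient's RSA key; in the quoted flow it is wrapped with ElGamal, an
algorithm RFC 1423 does not list, and DSS alone offers nothing to put there.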

