Date: Fri, 17 Mar 2000 01:22:49 +0100
From: Erik Trulsson <ertr1013@student.csd.uu.se>
To: goodleaf <john@home.com>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Off Topic AND Newbie-ish! Security...
Message-ID: <20000317012249.B1003@student.csd.uu.se>
In-Reply-To: <Pine.BSF.4.21.0003161410210.20064-100000@C702312-A.sttln1.wa.home.com>; from john@home.com on Thu, Mar 16, 2000 at 02:23:11PM -0800
References: <Pine.BSF.4.21.0003161410210.20064-100000@C702312-A.sttln1.wa.home.com>
On Thu, Mar 16, 2000 at 02:23:11PM -0800, goodleaf wrote:
>
> Apologies for off-topic post. <sycophant>But the people on this list have
> the highest average competence I know of--mailing list wise.</sycophant>
>
> How secure is a pkzipped file that has been zipped with a password? My
> company is considering exchanging data, possibly sensitive, with another
> company who wants to "encrypt" by pkzipping to a password. Isn't the
> algorithm for pkzip too well known to be secure?

First you should remember that "security through obscurity" never works in
the long run. This means that the fact that an algorithm is well known does
not necessarily mean it is insecure. Most of the crypto algorithms that are
used "for real" are very well known. (RSA or DES for example.) Assume that an
attacker knows everything about the algorithm that you have used and act
accordingly.

Now, I don't know what algorithm pkzip uses but I don't think it is very
good. (If it was there would be a lot of trouble involved in exporting
programs using it out of the USA, and I haven't seen any of that.) A lot of
the encryption algorithms used in programs that are mainly intended for other
things (word processors, file archivers etc.) are actually quite weak and
should not be trusted to protect sensitive data. They are more designed to
hinder a casual reader rather than a determined attacker.

>
> I think they want to use it because they can easily call it from a command
> line; they batch data from their dbase and ship it out to us. They don't
> like human intervention, and pkzip works with batch files. Does PGP (Yes,
> we would pay for appropriate licenses.) have a similar capability?
>

I am fairly certain that it does but you should check it yourself to be sure.

> Any thoughts are appreciated. I'm relatively new even to thinking about
> security, and here I am having to make a decision about it. I love the
> corporate life.
> Thanks,
> John
>

Basic rule for security is: Be paranoid.
Don't trust anybody or anything unless you have to.
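Erik says he does not know which algorithm pkzip uses. The password scheme of classic PKZIP is the "traditional PKWARE encryption" published in PKWARE's APPNOTE (often called ZipCrypto), which makes his first point concrete: the algorithm is fully public, and that by itself says nothing about its strength; what matters is the design. The following Python is an added example, not code from this thread or from PKWARE. It implements that cipher, writes a one-entry encrypted ZIP by hand, and then has the standard library's zipfile module (which implements the same cipher for reading) open it, so the reader can see exactly what the "password" protection consists of. The entry name, message, password and fixed timestamp are constructed for the demo.

```python
import io
import os
import struct
import zipfile
import zlib

# Constructed sample input (not from the thread): an entry name, a short
# "sensitive" message and a demo password.
ENTRY_NAME = b"figures.txt"
PLAINTEXT = b"quarterly figures: 42 widgets sold\n"
PASSWORD = b"secret"

# CRC-32 table (reflected polynomial 0xEDB88320), used by the key schedule.
_CRC_TABLE = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


def _crc32_step(crc, byte):
    return _CRC_TABLE[(crc ^ byte) & 0xFF] ^ (crc >> 8)


class ZipCrypto:
    """Traditional PKWARE encryption as specified in PKWARE's APPNOTE.

    The complete cipher state is three 32-bit words seeded only by the
    password. Each keystream byte is derived from k2 alone, and the
    plaintext byte is then fed back into the state, byte by byte.
    """

    def __init__(self, password):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    def _update(self, b):
        self.k0 = _crc32_step(self.k0, b)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc32_step(self.k2, self.k1 >> 24)

    def _keystream_byte(self):
        t = (self.k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, data):
        out = bytearray()
        for p in data:
            out.append(p ^ self._keystream_byte())
            self._update(p)  # state advances on the plaintext byte
        return bytes(out)

    def decrypt(self, data):
        out = bytearray()
        for c in data:
            p = c ^ self._keystream_byte()
            self._update(p)
            out.append(p)
        return bytes(out)


def make_encrypted_zip(name, data, password, prefix=None):
    """Build a one-entry, STORED (uncompressed), password-protected ZIP.

    Returns (zip_bytes, encrypted_body). The body is the 12-byte encryption
    header followed by the file data, all under one keystream.
    """
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # Encryption header: 11 bytes that should be random, then a check byte
    # (top byte of the CRC) so a reader can reject a wrong password early.
    header = (prefix if prefix is not None else os.urandom(11)) + bytes([crc >> 24])
    body = ZipCrypto(password).encrypt(header + data)
    flag = 0x0001                  # general-purpose bit 0: entry is encrypted
    dos_time, dos_date = 0, 0x21   # constructed fixed timestamp, 1980-01-01
    local = struct.pack("<4sHHHHHLLLHH", b"PK\x03\x04", 20, flag, 0, dos_time,
                        dos_date, crc, len(body), len(data), len(name), 0) + name
    central = struct.pack("<4sHHHHHHLLLHHHHHLL", b"PK\x01\x02", 20, 20, flag, 0,
                          dos_time, dos_date, crc, len(body), len(data),
                          len(name), 0, 0, 0, 0, 0, 0) + name
    end = struct.pack("<4sHHHHLLH", b"PK\x05\x06", 0, 0, 1, 1, len(central),
                      len(local) + len(body), 0)
    return local + body + central + end, body


def decrypt_body(body, password):
    """Our own decryption of an entry body: drop the 12-byte header."""
    return ZipCrypto(password).decrypt(body)[12:]


def read_with_stdlib(zip_bytes, name, password):
    """Open the archive with zipfile, which implements the same cipher."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(name.decode("ascii"), pwd=password)


def stdlib_accepts_password(zip_bytes, name, password):
    """True if zipfile accepts the password (check byte and CRC both pass)."""
    try:
        read_with_stdlib(zip_bytes, name, password)
        return True
    except (RuntimeError, zipfile.BadZipFile):
        return False


if __name__ == "__main__":
    blob, body = make_encrypted_zip(ENTRY_NAME, PLAINTEXT, PASSWORD)
    print("own decrypt matches    :", decrypt_body(body, PASSWORD) == PLAINTEXT)
    print("stdlib decrypt matches :", read_with_stdlib(blob, ENTRY_NAME, PASSWORD) == PLAINTEXT)
    print("wrong password accepted:", stdlib_accepts_password(blob, ENTRY_NAME, b"guess"))
```

Because the standard library decrypts what this code produced, the class above is the actual cipher and not an approximation. The whole "password protection" is a byte-wise stream cipher whose state is three 32-bit words derived from the password, with a 12-byte header whose last byte lets a reader detect a wrong password before it checks the CRC. That is the design behind Erik's "hinder a casual reader" characterisation; whether it should carry sensitive company data is the question the thread is asking, not one this example answers.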