To All - I apologize to those of you who have already read this FAQ section from the Website. I think that some of the question's that Enam brings up are answered here, albeit, not by a 3rd party. There are 4 ways to break a code, and Enam, you're right, brute force is only one of them. The insurance company was convinced that all 4 methods had been covered; otherwise, they wouldn't have put the money up.
In speaking with Mitch, he said that so far, the lack of another 3rd party accreditation has not been a problem.
Barrie Einarson
bbruin@home.com
FROM THE WEBSITE
What characteristics does this product have that differentiates it from RSA's product?
The JAWS L5 algorithm uses a much longer encryption key length, rendering “brute force” attack much more difficult. In addition, teams of computers connected via the Internet have broken the RSA algorithm. In general, algorithms that permit key recovery in any fashion, have built in security risks that may permit successful attack by code crackers.
What characteristics does this product have that differentiates it from PGP's product?
Same as above. In general, most currently available encryption algorithms have the same deficiencies or potential deficiencies. Key length is not sufficient to protect against a concerted brute force attack. JAWS L5 solves this problem by using extremely long key lengths. Key recovery or retrieval mechanisms tend to introduce back doors to decryption. JAWS L5 allows no such form of attack. The structure of the JAWS L5 encryption algorithm ensures that back door attacks will prove fruitless.
It is widely known that cryptographic algorithms have a way of degrading over time ('The Crypto-bomb is Ticking', Bruce Schneider, Byte, May, 1998, pp 97). What is JAWS' answer to this?
Cryptographic protection does seem to degrade over time although I would not agree that the algorithms degrade. Rather, modern computing power increases so quickly that previously impossible tasks can now be completed in reasonable time frames. The key length provided for by JAWS L5 has taken the algorithm well beyond the statistical capability of modern computers. The structure of JAWS L5 also permits key lengths extended well beyond the currently implemented 4096 bits. If computing power continues its exponential growth we will extend the key length once again to ensure that brute force attacks remain non-viable.
We've all seen headlines where some over-active graduate students have taken it on as a personal challenge to break the code on previous encryption products. How have you designed the JAWS product to avoid such a sudden and devastating demise?
The JAWS L5 algorithm has specific features built in that make conventional attack useless. Language pattern analysis has been addressed and specific measures have been taken to ensure that character counts and word lengths will not give clues to the system. In addition the algorithm makes extensive use of recursion through both the key generation and data encryption processes.
Many encryption products have impressive front-door features. A particularly creative and/or devious programmer discovers a back-door in the product which makes code-breaking child's play and renders the product useless to its customers. How have you designed and/or tested the JAWS product to avoid such a sudden and devastating demise?
JAWS L5 makes extensive use of recursive mathematics. The nature of recursion makes backward analysis tenuous or impossible.
What features does JAWS offer that will be particularly appealing to the encryption user?
JAWS L5 is extremely simple to use. The user interface is intuitive and permits encryption of a single file or a full directory. The process is quick and easy and the result is extremely secure.
Some products are limited to certain file types. Does JAWS have any such limitations? For example, graphic, audio, video, drawing files.
JAWS L5 is completely independent of file type. It works on the bit level and can therefore encrypt any file type stored in computer systems.
Do JAWS encrypted files grow materially through the encryption process?
JAWS L5 does change the file size as part of the encryption process. The few bytes involved are not a material change.
Most encryption users are either lazy or in a hurry. To these individuals, encryption represents another annoying step in the work process. They'd probably not bother if someone in their organization didn't mandate the use of encryption. How have you architected the JAWS product to make it as easy as possible and as painless to use to achieve high compliance rates?
WinZip Integration - JAWS L5 encryption is fully transparent to the WinZip utility. In fact encryption can take place before or after compression without penalty or difficulty, so long as the unzipping and decryption processes take place in the correct sequence.
E-mail Integration - Fully transparent
Desktop Application Integration - Our user interface integrates well with the most commonly encountered desktop configurations in use today. Full vendor compatibility testing is now underway to permit logo compatibility and vendor certification.
Customer Application Integration - Customer-specific applications SHOULD team up just fine with JAWS L5 but there can be specific things in custom programs that complicate the integration process. JAWS developers will be happy to analyze specific data structures to confirm JAWS L5 compatibility on a special request basis. In general, if your program runs under the JAWS L5 supported operating systems, there should be no problem implementing JAWS L5 in your enterprise.
Constantly Active on Workstation - There are specific security challenges involved in having a program like JAWS L5 constantly active on the desktop. In particular it means that the encryption key must be stored somewhere. This opens the system to hostile attack. We are examining methods of having the JAWS L5 software readily accessible without providing these security breaches.
The reality is that despite the dominance of Windows, most organizations have multiple operating systems in place. Moving files around is still a problem for many organizations. Does introducing an encryption product like JAWS make things worse?
Installation of JAWS L5 will not affect an organization's ability to move files from one O/S to another. If there were problems before the installation of JAWS L5 then those same problems will still be there after installation. JAWS L5 encrypted files are every bit as transportable as the non-secure versions of those files.
Some products enable emergency access to decrypt files for which keys may have been accidentally or maliciously misplaced. Do you see this as a helpful feature or one that undermines many of the objectives associated with encryption in the first place?
JAWS L5 is serious protection for serious users. Any system that permits an authorized user to recover or discover a lost key also allows unauthorized users a method to attack the system. The current version of JAWS L5 does not support key recovery. We are now evaluating the need for a lite or junior version of the software that permits key recovery. This product will be quite different from the high security JAWS L5 you see today.
Is JAWS intending to submit its algorithm for consideration by the NIST Advanced Encryption Standard (AES) initiative?
JAWS Technologies Inc. is a young company with many organizations and standards to investigate. NIST is very high profile and JAWS is eager to investigate all organizations that have an interest in furthering the cause of security and encryption.
Encryption software is helpful and wonderful but doesn't it miss most of the problems? Don't poor procedures, lackadaisical management, sloppy employees really amount to the major causes of security breaches?
JAWS L5 is a tool to be used by those who have a strong desire to secure their sensitive data. Like any tool, it has to be used to be effective. In order to ensure that the tool is used, we have made JAWS L5 easy to use. We cannot have control over client procedures and policies but we are available to advise on security and encryption matters. |
