Newsgroup: sci.crypt
document_id: 14147
From: Marc VanHeyningen
Subject: RIPEM Frequently Asked Questions
Archive-name: ripem/faq
Last-update: Sun, 7 Mar 93 21:00:00 -0500

ABOUT THIS POSTING
------------------

This is a (still rather rough) listing of likely questions and information about RIPEM, a program for public key mail encryption. It (this FAQ, not RIPEM) was written and will be maintained by Marc VanHeyningen. It will be posted to a variety of newsgroups on a monthly basis; follow-up discussion specific to RIPEM is redirected to the group alt.security.ripem.

This month, I have reformatted this posting in an attempt to comply with the standards for HyperText FAQ formatting to allow easy manipulation of this document over the World Wide Web. Let me know what you think.

DISCLAIMER
----------

Nothing in this FAQ should be considered legal advice, or anything other than one person's opinion. If you want real legal advice, talk to a real lawyer.

QUESTIONS AND ANSWERS
---------------------

1) What is RIPEM?

RIPEM is a program which performs Privacy Enhanced Mail (PEM) using the cryptographic techniques of RSA and DES. It allows your electronic mail to have the properties of authentication (i.e. who sent it can be confirmed) and privacy (i.e. nobody can read it except the intended recipient.)

RIPEM was written primarily by Mark Riordan. Most of the code is in the public domain, except for the RSA routines, which are a library called RSAREF licensed from RSA Data Security Inc.

2) How can I get RIPEM?

RIPEM contains the library of cryptographic routines RSAREF, which is considered munitions and thus is export-restricted from distribution to people who are not citizens or permanent residents of the U.S. or Canada. Therefore, the following request is quoted from the README file:

#Please do not export the cryptographic code in this distribution
#outside of the USA or Canada. This is a personal request from me,
#the author of RIPEM, and a condition of your use of RIPEM.

Note that RSAREF is not in the public domain, and a license for it is included with the distribution. You should read it before using RIPEM.

The best way to get it is to ask a friend for a copy, since this will reduce the load on those sites that do carry it (not to mention the humans that run them.) Naturally this requires that you trust the friend.

RIPEM is available via anonymous FTP to citizens and permanent residents in the U.S. from rsa.com; cd to rsaref/ and read the README file for info. Last I looked, this site contains only the source tree, and does not contain compiled binaries or the nice Mac version.

RIPEM, as well as some other crypt stuff, has its "home site" on rpub.cl.msu.edu, which is open to non-anonymous FTP for users in the U.S. and Canada who are citizens or permanent residents. To find out how to obtain access, ftp there, cd to pub/crypt/, and read the file GETTING_ACCESS. For convenience, binaries for many architectures are available here in addition to the full source tree.

3) Will RIPEM run on my machine?

Probably. It has already been ported to MS-DOS and most flavors of Unix (SunOS, NeXT, Linux, AIX, ULTRIX, Solaris, etc.) Ports to Macintosh include a standard UNIX-style port and a rather nice Mac-like port written by Raymond Lau, author of StuffIt. More ports are expected, and help of users is invited.

4) Will RIPEM work with my mailer?

Probably. How easy and clean the effective interface is will depend on the sophistication and modularity of the mailer, though. The users guide, included with the distribution, discusses ways to use RIPEM with many popular mailers, including Berkeley, mush, Elm, and MH. Code is also included in elisp to allow easy use of RIPEM inside GNU Emacs.

If you make a new interface for RIPEM or create an improvement on one in the distribution which you believe is convenient to use, secure, and may be useful to others, feel free to post it to alt.security.ripem.

5) What is RSA?

RSA is a crypto system which is asymmetric, or public-key. This means that there are two different, related keys: one to encrypt and one to decrypt. Because one cannot (reasonably) be derived from the other, you may publish your encryption, or public, key widely and keep your decryption, or private, key to yourself. Anyone can use your public key to encrypt a message, but only you hold the private key needed to decrypt it. (Note that the "message" sent with RSA is normally just the DES key to the real message. See "What is DES?")

Note that the above only provides for privacy. For authentication, the fingerprint of the message (See "What is a fingerprint, like MD5?") is encrypted with the sender's private key. The recipient can use the sender's public key to decrypt it and confirm that the message must have come from the sender.

RSA was named for the three men (Rivest, Shamir and Adleman) who invented it. To find out more about RSA, ftp to rsa.com and look in pub/faq/ or look in sci.crypt.

6) What is DES?

DES is the Data Encryption Standard, a widely used symmetric, or secret-key, crypto system. Unlike RSA, DES uses the same key to encrypt and decrypt messages. However, DES is much faster than RSA.

RIPEM uses both DES and RSA; it generates a random key and encrypts your mail with DES using that key. It then encrypts that key with the recipient's public RSA key and includes the result in the letter, allowing the recipient to recover the DES key.

DES is sometimes considered weak because it is somewhat old and uses a key length considered too short by modern standards. However, it should be reasonably safe against an opponent smaller than a large corporation or government agency. It is not unlikely that future RIPEMs will strengthen the symmetric cipher, possibly by using multiple encryption with DES.

7) What is PEM, and how does RIPEM relate?

PEM is Privacy Enhanced Mail, a system for allowing easy transfer of encrypted electronic mail. It is described in RFCs 1421-1424; these documents have been approved and obsolete the old RFCs 1113-1115.

RIPEM is not really a complete implementation of PEM, because PEM specifies certificates for authenticating keys, which RIPEM does not handle at this time. Their addition is planned.

8) What's this about distributing and authenticating keys?

For a remote user to be able to send secure mail to you, she must know your public key. For you to be able to confirm that the message received came from her, you must know her public key. It is important that this information be accurate; if a "bad guy" convinces her that his key is in fact yours, she will send messages which he can read.

RIPEM allows for three methods of key management: a central server, the distributed finger servers, and a flat file. All three are described in the RIPEM users guide which is part of the distribution. None of them provide perfect security.

9) Why do all RIPEM public keys look very similar?

RIPEM public keys begin with a PKCS identifier describing various characteristics about the key, so the first bunch of characters in your key may be the same as those of lots of other people's keys. This does not mean your keys are similar, but only that they are the same class of key, were generated with the same program, are of the same length, etc.

10) What is a fingerprint, like MD5?

MD5 is a message digest algorithm produced by RSA Data Security Inc. It provides a 128-bit fingerprint, or cryptographically secure hash, of the plaintext. It is cryptographically secure because it is not possible (in a reasonable amount of computation) to produce a different plaintext which produces the same fingerprint. Thus, instead of signing the entire message with the sender's private key, only the MD5 of the message needs to be signed for authentication.

MD5 is sometimes used for other purposes; for example, it is often used to map an input of arbitrary length to 128 bits of data, as a passphrase interpreter or cookie generator.

MD5 is described in its entirety (including an implementation in C) in RFC 1321.

11) What is PGP?

PGP is another cryptographic mail program called Pretty Good Privacy. PGP has been around longer than RIPEM, and works somewhat differently. PGP is not compatible with RIPEM in any way, though PGP does also use RSA. Some major differences between PGP and RIPEM:

- PGP has more key management features, particularly for users without a direct network connection.

- RIPEM conforms to the PEM RFCs and thus has a greater probability of working with other PEM software. PGP makes no attempt to be compatible with anything other than PGP (in fact, PGP 1.0 is not compatible with PGP 2.0.)

- RIPEM uses RSAREF, a library of RSA routines from RSA Data Security Inc. RSAREF comes with a license which allows noncommercial use. PGP uses its own implementation of RSA which is not licensed; thus, PKP, the firm holding the U.S. patents on the RSA algorithm, claims that it is an infringement of that patent to make, use or sell PGP in the U.S. or Canada. In acknowledgement of this, PGP's original author, Phil Zimmermann, says in the documentation:

#In fact, if you live in the USA, and you are not a Federal agency,
#you shouldn't actually run PGP on your computer, because Public
#Key Partners wants to forbid you from running my software. PGP is
#contraband.

- Both PGP and RIPEM are export-restricted, and cannot be sent outside the U.S. and Canada. However, PGP already exists on many ftp sites in Europe and other places.

Whether you use PGP or RIPEM or whatever, the documentation to PGP is recommended reading to anyone interested in such issues.

Note that the above facts, both regarding patent and export restrictions, are somewhat controversial; many people think it shouldn't be that way, and some people interpret various documents differently. Unfortunately, discussions of it on the net inevitably seem to produce more heat than light, and probably belong in misc.legal.computing. (See: "DISCLAIMER")

12) What about RPEM?

RPEM stands for Rabin Privacy Enhanced Mail. It was similar to RIPEM, but used a public-key cipher invented by Rabin (which is not RSA) in an attempt to avoid the patent on RSA. It was written by Mark Riordan, the same author as RIPEM.

Its distribution was halted when, contrary to the beliefs of many (including Rabin), Public Key Partners (PKP) claimed that their patent was broad enough to cover any public-key cipher whose strength rested in the difficulty of factoring products of large primes, not just RSA. This claim is not universally accepted by any means, but was not challenged for pragmatic reasons.

RPEM is not really used anymore. It is not compatible with RIPEM or PGP.

13) What is MIME?

MIME stands for Multipurpose Internet Mail Extensions, and is described in RFC 1341. You can find out about it in the newsgroup comp.mail.mime. How PEM should interact with MIME is not yet entirely clear; some people use the stopgap solution of having a MIME type application/x-ripem in order to send RIPEM messages as MIME ones. I hope some standards will emerge. Draft Internet documents exist on the matter.

14) I have this simple way to defeat the security of RIPEM...

You may wish to check the companion post "ripem-attacks" which discusses some of the more obvious attacks on RIPEM's security and what procedures will minimize the risk. RIPEM's main "weak area" is probably key distribution.
Newsgroup: sci.crypt
document_id: 14831
From: mvanheyn@cs.indiana.edu (Marc VanHeyningen)
Subject: RIPEM Frequently Asked Questions
Archive-name: ripem/faq
Last-update: 31 Mar 93 22:00:00 -0500

ABOUT THIS POSTING
------------------

This is a listing of likely questions and information about RIPEM, a program for public key mail encryption. It (this FAQ, not RIPEM) was written and will be maintained by Marc VanHeyningen. It will be posted to a variety of newsgroups on a monthly basis; follow-up discussion specific to RIPEM is redirected to the group alt.security.ripem.

WHAT'S NEW
----------

I am now running a World Wide Web archive of RIPEM information. It does not contain much of anything that isn't available elsewhere, but it has convenient pointers to the most current version of this FAQ and some other stuff. The URL is "http://cs.indiana.edu/ripem/dir.html".

This month's version has a fair amount of new pointers to information on patents and stuff like that. I've also reordered a few things to have a more sensible ordering. I hope I don't have to edit this again soon. :-)

DISCLAIMER
----------

Nothing in this FAQ should be considered legal advice, or anything other than one layperson's opinion. If you want real legal advice, talk to a real lawyer, preferably one with experience in patent law, export regulations, or whatever area of law is in question.

LIST OF QUESTIONS
-----------------

1) What is RIPEM?
2) How can I get RIPEM?
3) Will RIPEM run on my machine?
4) Will RIPEM work with my mailer?
5) What is RSA?
6) What is DES?
7) What is a fingerprint, like MD5?
8) What is PEM?
9) What's this about distributing and authenticating keys?
10) Isn't it a bad idea to use patented algorithms in standards like PEM?
11) What about RSADSI/PKP?
12) Why do all RIPEM public keys look very similar?
13) What is PGP?
14) What about RPEM?
15) What is MIME?
16) What is TIS/PEM?
17) I have this simple way to defeat the security of RIPEM...

QUESTIONS AND ANSWERS
---------------------

1) What is RIPEM?

RIPEM is a (not yet complete, but useful) implementation of Privacy Enhanced Mail (PEM). RIPEM allows your electronic mail to have the four security facilities provided by PEM: disclosure protection (optional), originator authenticity, message integrity measures, and non-repudiation of origin (always). (See: "What is PEM?")

RIPEM was written primarily by Mark Riordan. Most of the code is in the public domain, except for the RSA routines, which are a library called RSAREF licensed from RSA Data Security Inc.

The current version of RIPEM is 1.0.5; the current version of the Macintosh port of RIPEM is 0.7.

2) How can I get RIPEM?

RIPEM uses the library of cryptographic routines RSAREF, which is considered munitions and thus is export-restricted from distribution to persons who are not citizens or permanent residents in the U.S. or Canada without an export license. No such license has been obtained (nor would one likely be granted unless the RSA key exchange were shortened to 512 bits and the symmetric cipher changed to something weaker than DES. There are some suggestions that this situation may change now that Clinton is in office.) The author requests in the README file that this law not be violated:

#Please do not export the cryptographic code in this distribution
#outside of the USA or Canada. This is a personal request from me,
#the author of RIPEM, and a condition of your use of RIPEM.

Note that RSAREF is not in the public domain, and a license for it is included with the distribution. You should read it before using RIPEM.

RIPEM is available via anonymous FTP to citizens and permanent residents in the U.S. from rsa.com; cd to rsaref/ and read the README file for info. Note that the non-RSAREF portion of RIPEM is not a product of RSA Data Security, Incorporated; they merely are helping distribute it.

RIPEM, as well as some other crypt stuff, has its "home site" on ripem.msu.edu, which is open to non-anonymous FTP for users in the U.S. and Canada who are citizens or permanent residents. To find out how to obtain access, FTP there, cd to pub/crypt/, and read the file GETTING_ACCESS. For convenience, binaries for many architectures are available here in addition to the full source tree.

3) Will RIPEM run on my machine?

Probably. It has already been ported to MS-DOS and most flavors of Unix (SunOS, NeXT, Linux, AIX, ULTRIX, Solaris, etc.) Ports to Macintosh include a standard UNIX-style port and a rather nice Mac-like port written by Raymond Lau, author of StuffIt. More ports are expected, and help of users is invited.

4) Will RIPEM work with my mailer?

Probably. How easy and clean the effective interface is will depend on the sophistication and modularity of the mailer, though. The users guide, included with the distribution, discusses ways to use RIPEM with many popular mailers, including Berkeley, mush, Elm, and MH. Code is also included in elisp to allow easy use of RIPEM inside GNU Emacs.

If you make a new interface for RIPEM or create an improvement on one in the distribution which you believe is convenient to use, secure, and may be useful to others, feel free to post it to alt.security.ripem.

5) What is RSA?

RSA is a crypto system which is asymmetric, or public-key. This means that there are two different, related keys: one to encrypt and one to decrypt. Because one cannot (reasonably) be derived from the other, you may publish your encryption, or public, key widely and keep your decryption, or private, key to yourself. Anyone can use your public key to encrypt a message, but only you hold the private key needed to decrypt it. Note that the "message" sent with RSA is normally just the DES key to the real plaintext. (See "What is DES?")

Note that the above only provides for disclosure protection. For originator authenticity, message integrity, and non-repudiation of origin services to be implemented, the fingerprint of the message (See "What is a fingerprint, like MD5?") is encrypted with the sender's private key. The recipient, or a dispute-resolving authority, can use the sender's public key to decrypt it and confirm that the message must have come from the sender and was not altered.

RSA was named for the three men (Rivest, Shamir and Adleman) who invented it. To find out lots more about RSA and modern cryptography in general, ftp to rsa.com and look in pub/faq/. Some information also may be in sci.crypt.

6) What is DES?

DES is the Data Encryption Standard, a widely used symmetric, or secret-key, crypto system. Unlike RSA, DES uses the same key to encrypt and decrypt messages. However, DES is much faster than RSA.

RIPEM uses both DES and RSA; it generates a random key and encrypts your mail with DES using that key. It then encrypts that key with the recipient's public RSA key and includes the result in the letter, allowing the recipient to recover the DES key.

DES is sometimes considered weak because it is somewhat old and uses a key length considered too short by modern standards. However, it should be reasonably safe against an opponent smaller than a large corporation or government agency. It is not likely that the PEM standard will incorporate support for other symmetric ciphers in the near future, because there is a strong feeling that PEM should be stable so it can become utilized widely without early problems with interoperability.

7) What is a fingerprint, like MD5?

MD5 is a message digest algorithm produced by RSA Data Security Inc. It provides a 128-bit fingerprint, or cryptographically secure hash, of the plaintext. It is cryptographically secure because it is not possible (in a reasonable amount of computation) to produce a different plaintext which produces the same fingerprint. Thus, instead of signing the entire message with the sender's private key, only the MD5 of the message needs to be signed for authentication.

MD5s can also be exchanged directly for authentication; for example, RIPEM public keys include an MD5 of the public key in the file, so parties wishing to confirm their keys are authentic via a separate channel merely need exchange MD5s of keys and verify their accuracy.

MD5 is sometimes used for other purposes; for example, it is often used to map an input of arbitrary length to 128 bits of data, as a passphrase interpreter or cookie generator.

MD5 is described in its entirety (including an implementation in C) in RFC 1321. There have been some recent suggestions that MD5 may not be as strong a hash as was originally believed; presumably some other hash function will be used if this is accepted as true.

8) What is PEM?

PEM is Privacy Enhanced Mail, a standard for allowing transfer of encrypted electronic mail generated over a long period of time by a working group of experts. It is described in RFCs 1421-1424; these documents have been approved and obsolete the old RFCs 1113-1115.

RIPEM is not really a complete implementation of PEM, because PEM specifies certificates for authenticating keys, which RIPEM does not handle at this time. Their addition is planned.

9) What's this about distributing and authenticating keys?

For a remote user to be able to send secure mail to you, she must know your public key. For you to be able to confirm that the message received came from her, you must know her public key. It is important that this information be accurate; if a "bad guy" convinces her that his key is in fact yours, she will send messages which he can read.

RIPEM allows for three methods of key management: a central server, the distributed finger servers, and a flat file. All three are described in the RIPEM users guide which is part of the distribution. None of them provide perfect security. The PEM standard calls for key management by certificates; the addition of this feature to RIPEM is planned, but chicken-egg issues still exist.

10) Isn't it a bad idea to use patented algorithms in standards like PEM?

This issue has been considered in the standards process. RFC 1310, the specification for Internet standards, has a discussion (section 6) on what specifications for nondiscriminatory availability must be met for a patented method to be included in a standard. RFC 1421 addresses this issue with regard to the patents covering public-key cryptography.

This does not, of course, mean that all questions are settled or that everyone is in agreement. An interesting exchange on the use of patented algorithms in standards with regard to public-key cryptography is in the League for Programming Freedom archive (available via FTP: ftp.uu.net:/doc/lpf) in the files bidzos.letter and bidzos.response. (Amusingly, the LPF files on ftp.uu.net are compressed with a patented algorithm.)

11) What about RSADSI/PKP?

RSA Data Security, Inc. (RSADSI) is a California-based company specializing in cryptographic technologies. Public Key Partners is a firm which holds exclusive sub-licensing rights of the following U.S. patents and all of their corresponding foreign patents:

   Cryptographic Apparatus and Method ("Diffie-Hellman") ................. No. 4,200,770
   Public Key Cryptographic Apparatus and Method ("Hellman-Merkle") ...... No. 4,218,582
   Cryptographic Communications System and Method ("RSA") ................ No. 4,405,829
   Exponential Cryptographic Apparatus and Method ("Hellman-Pohlig") ..... No. 4,424,414

PKP claims these four patents cover all known methods of public key cryptography. The two businesses are rather closely related (for example, the same person, Jim Bidzos, is president of both of them.) PKP has licensed this technology to a considerable number of companies (IBM, DEC, Motorola, AT&T, Lotus...) for use in their products. PKP has also threatened and filed lawsuits defending their patents.

RIPEM was originally created with no connection to RSADSI other than its use of the RSAREF library, and for no reason other than its author's desire to see widespread use of public-key cryptography. However, after the ball started rolling, people at RSADSI got interested. RSADSI decided to carry RIPEM on its FTP site, and some people there started making their own RIPEM keys and contributing code. RIPEM even won the "Best Application Built on RSAREF in 1992" award.

12) Why do all RIPEM public keys look very similar?

RIPEM public keys begin with a PKCS (Public-Key Cryptography Standards) identifier describing various characteristics about the key, so the first bunch of characters in your key may be the same as those of lots of other people's keys. This does not mean your keys are similar, but only that they are the same class of key, were generated with the same program, are of the same length, etc.

13) What is PGP?

PGP is another cryptographic mail program called Pretty Good Privacy. PGP has been around longer than RIPEM, and works somewhat differently. PGP is not compatible with RIPEM in any way, though PGP does also use RSA. A few major differences between PGP and RIPEM:

- PGP has more key management features, particularly for users without a direct network connection.

- RIPEM conforms to the PEM RFCs and thus has a greater probability of working with other PEM software. PGP makes no attempt to be compatible with anything other than itself.

- RIPEM uses RSAREF, a library of RSA routines from RSADSI which comes with a license allowing noncommercial use. PGP uses its own implementation of RSA. PKP claims that it is a violation of its patents to "make, use or sell" PGP in the U.S. or Canada without either a license or written permission. (See: "DISCLAIMER") (See: "What about RSADSI/PKP?") Phil Zimmermann, the author of PGP, stopped distributing it after being threatened with legal action; he believed that a licensing scheme could be arranged, but it hasn't happened and there seems little prospect of it happening in the future. He acknowledges in the PGP User's Guide:

#In fact, if you live in the USA, and you are not a Federal agency,
#you shouldn't actually run PGP on your computer, because Public
#Key Partners wants to forbid you from running my software. PGP is
#contraband.

- Both PGP and RIPEM are export-restricted, and cannot be sent outside the U.S. and Canada without an export license. However, PGP already exists on many ftp sites in Europe and other places.

Whether you use PGP or RIPEM or whatever, the documentation to PGP is recommended reading to anyone interested in such issues. Unfortunately, it's not distributed separately from the program, which can be difficult to find in the U.S. on FTP sites due to liability concerns.

14) What about RPEM?

RPEM stands for Rabin Privacy Enhanced Mail. It was similar to RIPEM, but used a public-key cipher invented by Rabin (which is not RSA) in an attempt to avoid the patents on public-key systems. It was written by Mark Riordan, who later wrote RIPEM.

Its distribution was halted when, contrary to the beliefs of many (including Rabin), PKP claimed that their patents were broad enough to cover the cipher employed. This claim is not universally accepted, but was not challenged for pragmatic reasons.

RPEM is not really used anymore. It is not compatible with RIPEM or PGP.

15) What is MIME?

MIME stands for Multipurpose Internet Mail Extensions, and is described in RFC 1341. You can find out about it in the newsgroup comp.mail.mime; a FAQ exists on it. How PEM should interact with MIME is not yet entirely clear; some people use the stopgap solution of having a MIME type application/x-ripem in order to send RIPEM messages as MIME ones.
I hope some standards will emerge. Draft Internet documents exist on the matter.

16) What is TIS/PEM?

Trusted Information Systems is working on a version of Privacy Enhanced Mail for general availability. Last I heard, it was rumored to be integrated into an existing mail user agent (MH) rather than a stand-alone system, and in beta test. I don't know much more than that.

17) I have this simple way to defeat the security of RIPEM...

You may wish to check the companion post "ripem-attacks" which discusses some of the more obvious attacks on RIPEM's security and what procedures will minimize the risk. RIPEM's main "weak area" is probably key distribution.

Newsgroup: sci.crypt
document_id: 14832
From: mvanheyn@cs.indiana.edu (Marc VanHeyningen)
Subject: RIPEM Frequently Noted Vulnerabilities
Archive-name: ripem/attacks
Last-update: 31 Mar 93 21:00:00 -0500

SOME POSSIBLE ATTACKS ON RIPEM
------------------------------

This is a living list of potential weaknesses to keep your eyes open for when using RIPEM for secure electronic mail. It does not go into great detail, and is almost certainly not exhaustive. Obviously, many of the weaknesses are weaknesses of cryptographically secured mail in general, and will pertain to secure mail programs other than RIPEM.

It is maintained by Marc VanHeyningen. It is posted monthly to a variety of news groups; followups pertaining specifically to RIPEM should go to alt.security.ripem.

CRYPTANALYSIS ATTACKS
---------------------

- Breaking RSA would allow an attacker to find out your private key, in which case he could read any mail encrypted to you and sign messages with your private key. RSA is generally believed to be resistant to all standard cryptanalytic techniques. Even a standard key (about 516 bits with RIPEM) is long enough to render this impractical, barring a huge investment in hardware or a breakthrough in factoring.

- Breaking DES would allow an attacker to read any given message, since the message itself is encrypted with DES. It would not allow an attacker to claim to be you. DES has only 56 bits in its key, and thus could conceivably be compromised by brute force with sufficient hardware, but few agencies have such money to devote to simply read one message. Since each message has a different DES key, the work for each message would remain high.

KEY MANAGEMENT ATTACKS
----------------------

- Stealing your private key would allow the same benefits as breaking RSA. To safeguard it, it is encrypted with a DES key which is derived from a passphrase you type in. However, if an attacker can get a copy of your private keyfile and your passphrase (by snooping network packets, tapping lines, or whatever) he could break the whole scheme. The main risk is that of transferring either the passphrase or the private key file across an untrusted link. So don't do that. Run RIPEM on a trusted machine, preferably one sitting right in front of you. Ideally, your own machine in your own home (or maybe office) which nobody else has physical access to.

- Fooling you into accepting a bogus public key for someone else could allow an opponent to deceive you into sending secret messages to him rather than to the real recipient. If the enemy can fool your intended recipient as well, he could re-encrypt the messages with the other bogus public key and pass them along. It is important to get the proper public keys of other people. The most common mechanism for this is finger; assuming the opponent has not compromised routers or daemons or such, finger can be given a fair amount of trust. The strongest method of key authentication is to exchange keys in person; however, this is not always practical. Having other people "vouch for you" by signing a statement containing your key is possible, although RIPEM doesn't have features for doing this as automatically as PGP. RIPEM does generate and check MD5 fingerprints of public keys in the key files; they may be exchanged via a separate channel for authentication.

PLAYBACK ATTACKS
----------------

- Even if an opponent cannot break the cryptography, an opponent could still cause difficulties. For example, suppose you send a message with MIC-ONLY (a PEM mode which does not provide disclosure protection) to Alice which says "OK, let's do that." Your opponent intercepts it, and now resends it to Bob, who now has a message which is authenticated as from you telling him to do that. Of course, he may interpret it in an entirely different context. Or your opponent could transmit the same message to the same recipient much later, figuring it would be seen differently at a later time. Or the opponent could change the Originator-Name: to himself, register your public key as his, and send a message hoping the recipient will send him return mail indicating (perhaps even quoting!) the unknown message.

To defeat playback attacks, the plaintext of each message should include some indication of the sender and recipient, and a unique identifier (typically the date). A good front-end script for RIPEM should do this automatically (IMHO). As a recipient, you should be sure that the Originator-Name: header and the sender indicated within the plaintext are the same, that you really are a recipient, and that the message is not an old one. Some of this also can and should be automated. The author of this FAQ has made a modest attempt at automating the process of generating and checking encapsulated headers; the programs are included in the standard distribution in the utils directory.

LOCAL ATTACKS
-------------

- Clearly, the security of RIPEM cannot be greater than the security of the machine where the encryption is performed.
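The encapsulated-header defence described under PLAYBACK ATTACKS above, as an added example (Python, not the utils programs from the RIPEM distribution). The inner header names, the two-day freshness window and the addresses are assumptions; the check rejects the three playback variants the post lists, plus a straight duplicate.

```python
"""Encapsulated headers against PEM/RIPEM playback attacks (added example).

PEM only authenticates the outer Originator-Name: header, so a signed body
can be redirected, replayed later, or re-labelled as someone else's.  The
fix the post proposes is to put sender, recipients and a unique id/date
INSIDE the signed plaintext and have the recipient check them.
Header names (X-Sender etc.) and MAX_AGE are assumptions, not PEM fields.
"""
from datetime import datetime, timedelta, timezone
import secrets

MAX_AGE = timedelta(days=2)        # assumed: older than this is treated as a replay
CLOCK_SKEW = timedelta(minutes=5)  # assumed: tolerate slightly future-dated mail


def encapsulate(body, sender, recipients, when):
    """Prepend the binding headers to the plaintext before it is MIC'd/signed."""
    headers = [
        "X-Sender: " + sender,
        "X-Recipients: " + ", ".join(recipients),
        "X-Message-Id: " + secrets.token_hex(8),   # unique per message
        "X-Date: " + when.isoformat(),
    ]
    return "\n".join(headers) + "\n\n" + body


def parse(plaintext):
    """Split the inner headers from the body; returns (dict, body)."""
    head, _, body = plaintext.partition("\n\n")
    fields = {}
    for line in head.splitlines():
        name, _, value = line.partition(":")
        fields[name.strip()] = value.strip()
    return fields, body


def check_encapsulated(plaintext, originator_name, me, now, seen_ids):
    """Recipient-side checks. Returns (ok, body_or_reason).

    originator_name is the outer PEM Originator-Name: header, me is the
    recipient's own address, seen_ids is a set of ids already accepted
    (updated on success so an immediate duplicate is refused too).
    """
    fields, body = parse(plaintext)
    for name in ("X-Sender", "X-Recipients", "X-Message-Id", "X-Date"):
        if name not in fields:
            return False, "missing " + name
    # 3rd variant: Originator-Name: swapped to the opponent's name
    if fields["X-Sender"] != originator_name:
        return False, "Originator-Name does not match inner sender"
    # 1st variant: signed message forwarded to someone it was not addressed to
    recipients = [r.strip() for r in fields["X-Recipients"].split(",")]
    if me not in recipients:
        return False, "I am not a listed recipient"
    # 2nd variant: the same message delivered much later
    try:
        sent = datetime.fromisoformat(fields["X-Date"])
    except ValueError:
        return False, "unparseable date"
    if sent.tzinfo is None:
        return False, "date lacks a timezone"
    if not (now - MAX_AGE <= sent <= now + CLOCK_SKEW):
        return False, "stale or future-dated message"
    # straight duplicate within the window
    if fields["X-Message-Id"] in seen_ids:
        return False, "duplicate message id (replay)"
    seen_ids.add(fields["X-Message-Id"])
    return True, body


# Constructed "current time" and addresses for the scenarios below.
NOW = datetime(1993, 3, 31, 22, 0, tzinfo=timezone.utc)
YOU, ALICE, BOB, MALLORY = ("you@example.org", "alice@example.org",
                            "bob@example.org", "mallory@example.org")


def run_scenarios():
    """Genuine delivery plus the post's three playback variants; returns {name: accepted}."""
    seen = set()
    msg = encapsulate("OK, let's do that.", YOU, [ALICE], NOW)
    return {
        "genuine": check_encapsulated(msg, YOU, ALICE, NOW, seen)[0],
        "redirected_to_bob": check_encapsulated(msg, YOU, BOB, NOW, set())[0],
        "replayed_later": check_encapsulated(
            msg, YOU, ALICE, NOW + timedelta(days=30), set())[0],
        "replayed_now": check_encapsulated(msg, YOU, ALICE, NOW, seen)[0],
        "originator_swapped": check_encapsulated(msg, MALLORY, ALICE, NOW, set())[0],
    }


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print("%-20s %s" % (name, "accepted" if accepted else "REJECTED"))
```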
For example, under UNIX, a super-user could manage to get at your encrypted mail, although it would take some planning and effort to do something like replace the RIPEM executable with a Trojan horse or to get a copy of the plaintext, depending on how it's stored. In addition, the link between you and the machine running RIPEM is an extension of that machine. If you decrypt with RIPEM on a remote machine which you are connected to via a network (or, worse yet, a modem), an eavesdropper could see the plaintext (and probably also your passphrase). RIPEM should only be executed on systems you trust, obviously.

In the extreme case, RIPEM should only be used on your own machine, which you have total control over and which nobody else has access to, which has only carefully examined software known to be free of viruses, and so on. However, there's a very real trade-off between convenience and security here. A more moderately cautious user might use RIPEM on a UNIX workstation where other people have access (even root access), but increase security by keeping the private keys and the (statically linked, of course) executable on a floppy disk.

Some people will keep RIPEM on a multi-user system, but when dialing in over an insecure line, they will download the message to their own system and perform the RIPEM decryption there. However, the security provided by such a mechanism is somewhat illusory: since you presumably typed your cleartext password to log in, you've just given away the store, because the attacker can now log in as you and install traps in your account to steal your private key the next time you use it from a more secure line. This will likely remain the situation as long as most systems use the rather quaint mechanism of cleartext password authentication.

I find it nice to put a brief statement of how carefully I manage my security arrangement in my .plan next to my public key, so that potential correspondents can be aware what level of precautions are in place.
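The checks that the PLAYBACK ATTACKS section above calls for, written out as an added Python example rather than the utils programs shipped with RIPEM. It assumes header field names (X-Sender, X-Recipients, X-Date, X-Nonce), a three-day freshness window, a five-minute clock-skew allowance and a recipient-side cache of accepted identifiers, none of which the FAQ specifies; it also goes slightly beyond the FAQ by pairing the date with a random nonce, since two messages sent in the same second would otherwise be indistinguishable. The header lines go inside the text that is signed and encrypted, which is what makes them useful: the opponent cannot change them without invalidating the MIC.

```python
# Encapsulated-header generation and checking for the playback attacks the FAQ
# describes. Added example, not RIPEM's utils programs: the X-* field names, the
# three-day window, the clock-skew allowance and the nonce cache are assumptions.
import email
import email.utils
import os
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=3)        # assumption: anything older is treated as a replay
CLOCK_SKEW = timedelta(minutes=5)  # assumption: tolerated future-dating

# Constructed "now" so the demo is reproducible; a real script uses datetime.now(timezone.utc)
SAMPLE_NOW = datetime(1993, 3, 7, 21, 0, tzinfo=timezone.utc)


def build_plaintext(sender, recipients, body, now, nonce=None):
    """Prepend sender, recipients, date and a unique id to the body *before* it is
    signed/encrypted, so the signature covers them."""
    nonce = nonce or os.urandom(8).hex()
    header = [
        f"X-Sender: {sender}",
        f"X-Recipients: {', '.join(recipients)}",
        f"X-Date: {email.utils.format_datetime(now)}",
        f"X-Nonce: {nonce}",
    ]
    return "\n".join(header) + "\n\n" + body


def check_plaintext(plaintext, originator_name, me, now, seen):
    """Recipient-side checks on the decrypted, signature-verified text. Returns a
    list of problems (empty means accept); `seen` is the cache of accepted nonces."""
    msg = email.message_from_string(plaintext)
    problems = []
    # 1. the PEM Originator-Name must be the sender named inside the signed text
    if msg.get("X-Sender") != originator_name:
        problems.append("sender mismatch")
    # 2. I must really be one of the intended recipients (defeats redirection to Bob)
    recipients = [addr for _, addr in email.utils.getaddresses([msg.get("X-Recipients", "")])]
    if me not in recipients:
        problems.append("not a recipient")
    # 3. the message must be fresh (defeats resending the same message much later)
    try:
        sent = email.utils.parsedate_to_datetime(msg.get("X-Date", ""))
    except (TypeError, ValueError):
        sent = None
    if sent is None:
        problems.append("bad date")
    else:
        if sent.tzinfo is None:
            sent = sent.replace(tzinfo=timezone.utc)
        if not (now - MAX_AGE <= sent <= now + CLOCK_SKEW):
            problems.append("stale or future date")
    # 4. the unique id must not have been accepted before (defeats exact replay)
    nonce = msg.get("X-Nonce")
    if not nonce:
        problems.append("missing nonce")
    elif nonce in seen:
        problems.append("replayed nonce")
    if not problems:
        seen.add(nonce)
    return problems


def demo():
    """The FAQ's scenarios: legitimate delivery, exact replay, redirection to Bob,
    a stale copy, and a re-registered Originator-Name. Constructed sample data."""
    me, you, bob = "alice@example.com", "you@example.com", "bob@example.com"
    pt = build_plaintext(you, [me], "OK, let's do that.\n", SAMPLE_NOW, nonce="c0ffee")
    seen = set()
    return [
        check_plaintext(pt, you, me, SAMPLE_NOW, seen),                        # accept
        check_plaintext(pt, you, me, SAMPLE_NOW, seen),                        # same text again
        check_plaintext(pt, you, bob, SAMPLE_NOW, set()),                      # forwarded to Bob
        check_plaintext(pt, you, me, SAMPLE_NOW + timedelta(days=30), set()),  # sent much later
        check_plaintext(pt, "mallory@example.com", me, SAMPLE_NOW, set()),     # bogus Originator-Name
    ]


if __name__ == "__main__":
    for problems in demo():
        print("ACCEPT" if not problems else "REJECT: " + ", ".join(problems))
```

The nonce cache only needs to hold identifiers younger than MAX_AGE, since anything older is rejected by the date check anyway; the two checks together are what make a replay detectable without the recipient keeping every message forever.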
Some people use two keys: a short one which is not carefully managed, for ordinary use, and a longer one which is treated with greater care, for critical correspondence.

UNTRUSTED PARTNER ATTACKS
-------------------------

- RIPEM's encryption will ensure that only a person with the private key corresponding to the public key used to encrypt the data may read the traffic. However, once someone with that key gets the message, she may always make whatever kind of transformations she wishes. There exist no cryptographic barriers to a recipient, say, taking an ENCRYPTED message and converting it to a MIC-ONLY message, signed by you and readable by anyone, although RIPEM does not provide this functionality (the signature is computed over the message text, not over the encryption, so a recipient who has decrypted the message can re-emit it with your original signature intact). Indeed, the latest PEM draft I have seen specifically states that such transformations should be possible to allow forwarding functions to work. Including the recipients in the plaintext, as mentioned above, will make it possible for recipients of a redistributed message to be aware of its original nature. Naturally, the security of the cryptography can never be greater than the security of the people using it.

Newsgroup: sci.crypt
document_id: 14982
From: Jim-Miller@suite.com
Subject: Certifying Authority question answered.

>>If you have access to FTP, try FTPing to rsa.com, login as anonymous.
>>There are several documents there, including a "frequently asked questions
>>about today's cryptography" document. It has FAQ in its name.
>>I believe this document explains the idea behind the certifying authorities.
>>
>>Good luck
>>
>>--John Kelsey, c445585@mizzou1.missouri.edu

Thanks. I've ftp'ed the FAQ file and it is just what I was looking for.

Jim-Miller@suite.com

Newsgroup: sci.crypt
document_id: 14983
From: C445585@mizzou1.missouri.edu (John Kelsey)
Subject: "Rubber-hose cryptanalysis"

Some sick part of me really liked that phrase.... Actually, merely the threat of a *long* prison sentence, even without a beating, can get most people to give in.
Especially if it's also punctuated with a trip to the county jail, where one just happens to get locked up with all the drunk/stoned/crazy folks that are too violent to be left in cells with other people....

Newsgroup: sci.crypt
document_id: 14984
From: grady@netcom.com (1016/2EF221)
Subject: Declassifying media

There are many Urban Legends (maybe this ought to be in the Crypt FAQ?) about what is actually sufficient to clear or declassify magnetic media when used for classified data. Here is some information "from the horse's mouth".

(Regarding the sufficient overwriting of media ("clearing") meant to be *retained* within the controlled environment, or declassifying the material to be reused *outside* the controlled environment.)

From National Telecommunications and Information Systems Security (NTISS) "Advisory Memorandum on Office Automation Security Guidelines" (NTISSAM COMPUSEC/1/87):

------

"7.6.2.1 Clearing of Magnetic Media

Certain types of removable media (e.g., magnetic tape, floppy disk, cassettes, and magnetic cards) may be cleared by overwriting the entire media one time with any one character. Floppy disks may be cleared by applying a vendor's formatting program that overwrites each location with a given character. Fixed media (e.g., Winchester disks) should be cleared by overwriting at least one time with any one character. One way to do this is by applying a vendor-supplied formatting program that overwrites each location on the disk with a given character, if it can be shown that this program actually works as advertised. The user should beware: some programs that purport to overwrite all locations do not actually do this. Cleared media may reside within the controlled facility or be released for destruction; however, they should be marked and controlled at the level of the most restrictive sensitivity of information ever recorded.
7.6.2.2 Declassification of Magnetic Media

Certain types of removable media can be declassified using a degaussing device that has been approved for declassifying media of that type. (A list of approved devices is maintained by the NSA.) If a fixed medium (for example, a hard, or Winchester, disk) is operative, an approved method of declassifying the disk pack is to employ an overwrite procedure which must overwrite all addressable locations at least three times by writing any character, then its complement (e.g., binary ones and binary zeros), alternately. When fixed media become inoperative, it is impossible to declassify the media by the overwrite method. In this case, there are two alternate procedures that may be used: (1) disassemble the disk pack, and degauss each platter with the appropriate approved degaussing equipment; and (2) courier the inoperative media to the vendor's facility, have the magnetic media (e.g., disk platter) removed in sight of the courier and returned to the courier for destruction at the secure site. The vendor can then install new platters and repair any other problems with the disk unit.

7.6.3 Destruction of Magnetic Media"

[see DoD Computer Security Center, "Department of Defense Magnetic Remanence Security Guideline", CSC-STD-003-85 FOR OFFICIAL USE ONLY]

------

This and many other interesting documents (many that are more informative than probably intended) on computer security procedures can be obtained (free) from:

Executive Secretary
National Telecommunications and Information Systems Security Committee
National Security Agency
Fort George G. Meade, MD 20755-6000

Write them! It's fun to be on the NSA's mailing list...

--
grady@netcom.com 2EF221 / 15 E2 AD D3 D1 C6 F3 FC 58 AC F7 3D 4F 01 1E 2F

Newsgroup: sci.crypt
document_id: 14985
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: Hard drive security for FBI targets

From: res@colnet.cmhnet.org (Rob Stampfli)
>separate locations to gain credibility. If they are seized and you are
>compelled to decrypt it, you simply explain that you are an amateur
>cryptologist playing around with one time pads, and that the first
>file is the pad for the second. They XOR the two files, and sure
>enough, out pops a copy of "War and Peace".

So, judging from recent history, at this point they drop the original charges, preemptively find you guilty of copyright violations, and seize your computer, your home, and your financial reserves under federal forfeiture laws.

Ah no - what *really* happens is that they turn up at the court with *another* file which when XORed with your document gives up the famous E911 document :-)

[And I tell you, some judges would fall for it...]

G

Newsgroup: sci.crypt
document_id: 14986
From: warlord@MIT.EDU (Derek Atkins)
Subject: Re: disk safety measure?

-----BEGIN PGP SIGNED MESSAGE-----

In article <1pq0re$gc2@network.ucsd.edu> loki@sdphu3.ucsd.edu (Lance M Cottrell) writes:

   BTW I have not been able to get pgp to produce a signature that I can
   attach to the end of this message. What is the procedure? Thanks.

try:
	pgp -sat +clearsig=on

This will do the clearsig signing...

Enjoy!

- -derek

PGP 2 key available upon request on the key-server:
	pgp-public-keys@toxicwaste.mit.edu

-----BEGIN PGP SIGNATURE-----
Version: 2.2

iQBuAgUBK8DNazh0K1zBsGrxAQFoZQLEC/XKXMoDhCPf/AZ3aOQSLfz+6w400UDk
Ng6prxnPuEuSZQEiiusMCVcRcGnWbaVrxFjA1o4yubh01Czcg3ZC9wLJolXlxJn7
iSJh/eTZxmJnNynJxlGs0Ao=
=4eZb
-----END PGP SIGNATURE-----
--
Derek Atkins, MIT '93, Electrical Engineering and Computer Science
Secretary, MIT Student Information Processing Board (SIPB)
MIT Media Laboratory, Speech Research Group
warlord@MIT.EDU    PP-ASEL    N1NWH

Newsgroup: sci.crypt
document_id: 14987
From: neuhaus@bloch.informatik.uni-kl.de (Stephan Neuhaus (HiWi Mattern))
Subject: Re: PGP 2.2: general comments

neuhaus@vier.informatik.uni-kl.de (Stephan Neuhaus (HiWi Mattern)) writes:

>[Lots of stuff.]
I hate to follow up to my own posting, but I should perhaps clarify some things so I won't get flamed.

First of all, when I'm talking about ``factoring the modulus'' or a ``breakthrough in factoring'', what I really mean is a breakthrough in the cryptanalysis of RSA. I know that factoring and breaking RSA are not proven to be equivalent; it's just so damn convenient not to repeat this every time.

I also have to admit that I don't really know if the ``non-group'' property of a cipher is essential only for key chaining. I have thought about it a little while, but I can't find a way that a cryptanalyst could exploit a group structure. That, of course, means nothing at all.

Then I wrote,

>Please note that as long as it is much harder to factor a RSA modulus
>than it is to generate it, the increase in computer speed alone will
>keep key lengths and modulus factoring in lock-step, i.e., people will
>simply start using longer moduli and still be safe.

What I meant was that as long as the only advantage of the cryptanalyst is a faster computer, then we will probably have RSA for a long time to come, because even if 1024-bit moduli somehow could be broken with fast computers (not with a new algorithm), then people would simply use longer moduli. Both users and cryptanalysts benefit from better technology in the same way.

Hope this keeps the flames away...

Have fun.

--
Stephan

sig closed for inventory. Please leave your pickaxe outside.
PGP 2.2 public key available on request. Note the expiration date.

Newsgroup: sci.crypt
document_id: 14988
From: WHMurray@DOCKMASTER.NCSC.MIL
Subject: Licensing.....

>This thread brings up the more general question. Can any crypto
>implementation for which highly publicly scrutinized source code is not
>available EVER be trusted?

After IBM had invented the DES and the NBS had advertised for proposals, but before IBM had decided to respond, I argued strenuously that they should not; they should keep it proprietary.
The biggest proponent of proposing was Dr. Lewis Branscomb. Dr. Branscomb was the IBM Chief Scientist and had come to IBM from NBS. Fortunately for all of us, Dr. Branscomb understood the answer to the above question much better than I.

He realized how difficult it would be to gain acceptance for any cryptographic mechanism. Because of the necessary complexity, publicity would not be sufficient and neither would authority. In fact, it has taken both of those plus more than 15 years.

We have also had independence. The DES was solicited by NBS, invented and proposed by IBM, and vetted by NBS. It has also been examined and vetted by experts like Adi Shamir, who are not subject to influence by any of these.

Even now, there are still people posting on this list who do not trust the DES in spite of all the time, all of the analysis, and all of the public scrutiny. (Of course, it is just this point that NIST misses when it attempts to gain acceptance for a novel mechanism, developed in secret, on the basis of authority alone.)

We had a long thread here about whether or not the NSA can "break" the DES. That is a silly question. At some cost and in some time they can "break" anything. The important question is at what cost and in what time.

The fundamental strength of the DES and RSA is not nearly so important as what we know about their strength. As long as we understand the cost and duration for an attacker, then we can use them in a safe way. At this point, we may never replace either because of the inability of any successor to overcome this knowledge gap.

DES and RSA are among the most significant inventions of the century and the most important inventions in the history of cryptography. We are damned lucky to have them.
William Hugh Murray, Executive Consultant, Information System Security
49 Locust Avenue, Suite 104; New Canaan, Connecticut 06840
1-0-ATT-0-700-WMURRAY; WHMurray at DOCKMASTER.NCSC.MIL

Newsgroup: sci.crypt
document_id: 14989
From: ho@cs.arizona.edu (Hilarie Orman)
Subject: Re: Licensing of public key implementations

With regard to your speculations on NSA involvement in the creation of PKP, I find that it fails the test of Occam's butcher knife. Never attribute to conspiracy what can be explained by forthright greed.

Hilarie Orman

Newsgroup: sci.crypt
document_id: 14990
From: ken@sugra.uucp (Kenneth Ng)
Subject: Re: Identifying / Securing Files

In article <2bb29f4c@mash.boulder.co.us> rmashlan%mash@csn.org (Robert Mashlan) writes:
:tarnold@vnet.IBM.COM (Todd W. Arnold) said in article <19930322.101356.617@almaden.ibm.com>:
:>It's OK as long as you trust the end-user to stay out of your application
:>program - or as long as it runs in a system where the user can't get to it.
:>Otherwise, you can't stop him from finding the "load a module" code in your
:>program, and simply bypassing the check for a valid module. The devious user
:>can either modify the object code before running the program, or he can run
:>the program under a debugger and change the instructions in memory.
:There is a way to foil debuggers, by clearing the single step
:interrupt, on which a debugger depends, every few instructions in
:the sensitive areas of the code.

This assumes the person is using the hardware debug instruction of an X86 type processor. It can be negated by NOP'ing the clear debug instruction, or by running the code on a machine simulator, like one I wrote as a senior project in college. It can bypass and trace practically anything one could write in software. Kind of like being on a Star Trek Holodeck :-).

--
Kenneth Ng
Please reply to ken@eies2.njit.edu for now.
"All this might be an elaborate simulation running in a little device sitting on someone's table" -- J.L.
Picard: ST:TNG

Newsgroup: sci.crypt
document_id: 14991
From: ninassup@athena.mit.edu (Nikos I Nassuphis)
Subject: LGA ncrypt source

I got a number of requests for code. So, here it is. It's written in 80x86 ASM. Borland TASM will do.

TASM LGA.ASM
TLINK /t LGA.ASM

The code:

;----------------------------------------------------------------------
; LGA ncryption
; (C) by Nick Nassuphis
;----------------------------------------------------------------------

CODE SEGMENT
ASSUME CS:CODE, DS:CODE
ORG 100h

Start:
        JMP Begin

;----------------------------------------------------------------------
;
; Gas particle assignment:
;
; BIT 0 particle moving EAST
; BIT 1 particle moving WEST
; BIT 2 particle moving NORTH
; BIT 3 particle moving SOUTH
;
; BIT 4 particle moving EAST
; BIT 5 particle moving WEST
; BIT 6 particle moving NORTH
; BIT 7 particle moving SOUTH
;
;
; Collision Rules:
;
; 1. Gas Rules
;
; IF (E & W) AND !(N & S) THEN (E,W)->(N,S)
; IF (N & S) AND !(E & W) THEN (N,S)->(E,W)
;
; for nibbles:
;
; 1100 -> 0011
; 0011 -> 1100
;
; and for bytes:
;
; 11000000 -> 00110000
; 00110000 -> 11000000
; 00001100 -> 00000011
; 00000011 -> 00001100
; 00110011 -> 11001100
; 00111100 -> 11000011
; 11000011 -> 00111100
; 11001100 -> 00110011
;
;
; 2.
Reflection Rules ; ; just swap bits along directions ; ;---------------------------------------------------------------------- ; ; This look-up table implements two particle collisions ; for the HPP lattice gas ; HPPRule: DB 00000000B ;00000000 DB 00000001B ;00000001 DB 00000010B ;00000010 DB 00001100B ;00000011 DB 00000100B ;00000100 DB 00000101B ;00000101 DB 00000110B ;00000110 DB 00000111B ;00000111 DB 00001000B ;00001000 DB 00001001B ;00001001 DB 00001010B ;00001010 DB 00001011B ;00001011 DB 00000011B ;00001100 DB 00001101B ;00001101 DB 00001110B ;00001110 DB 00001111B ;00001111 DB 00010000B ;00010000 DB 00010001B ;00010001 DB 00010010B ;00010010 DB 00011100B ;00010011 DB 00010100B ;00010100 DB 00010101B ;00010101 DB 00010110B ;00010110 DB 00010111B ;00010111 DB 00011000B ;00011000 DB 00011001B ;00011001 DB 00011010B ;00011010 DB 00011011B ;00011011 DB 00010011B ;00011100 DB 00011101B ;00011101 DB 00011110B ;00011110 DB 00011111B ;00011111 DB 00100000B ;00100000 DB 00100001B ;00100001 DB 00100010B ;00100010 DB 00101100B ;00100011 DB 00100100B ;00100100 DB 00100101B ;00100101 DB 00100110B ;00100110 DB 00100111B ;00100111 DB 00101000B ;00101000 DB 00101001B ;00101001 DB 00101010B ;00101010 DB 00101011B ;00101011 DB 00100011B ;00101100 DB 00101101B ;00101101 DB 00101110B ;00101110 DB 00101111B ;00101111 DB 11000000B ;00110000 DB 11000001B ;00110001 DB 11000010B ;00110010 DB 11001100B ;00110011 DB 11000100B ;00110100 DB 11000101B ;00110101 DB 11000110B ;00110110 DB 11000111B ;00110111 DB 11001000B ;00111000 DB 11001001B ;00111001 DB 11001010B ;00111010 DB 11001011B ;00111011 DB 11000011B ;00111100 DB 11001101B ;00111101 DB 11001110B ;00111110 DB 11001111B ;00111111 DB 01000000B ;01000000 DB 01000001B ;01000001 DB 01000010B ;01000010 DB 01001100B ;01000011 DB 01000100B ;01000100 DB 01000101B ;01000101 DB 01000110B ;01000110 DB 01000111B ;01000111 DB 01001000B ;01001000 DB 01001001B ;01001001 DB 01001010B ;01001010 DB 01001011B ;01001011 DB 01000011B ;01001100 DB 
01001101B ;01001101 DB 01001110B ;01001110 DB 01001111B ;01001111 DB 01010000B ;01010000 DB 01010001B ;01010001 DB 01010010B ;01010010 DB 01011100B ;01010011 DB 01010100B ;01010100 DB 01010101B ;01010101 DB 01010110B ;01010110 DB 01010111B ;01010111 DB 01011000B ;01011000 DB 01011001B ;01011001 DB 01011010B ;01011010 DB 01011011B ;01011011 DB 01010011B ;01011100 DB 01011101B ;01011101 DB 01011110B ;01011110 DB 01011111B ;01011111 DB 01100000B ;01100000 DB 01100001B ;01100001 DB 01100010B ;01100010 DB 01101100B ;01100011 DB 01100100B ;01100100 DB 01100101B ;01100101 DB 01100110B ;01100110 DB 01100111B ;01100111 DB 01101000B ;01101000 DB 01101001B ;01101001 DB 01101010B ;01101010 DB 01101011B ;01101011 DB 01100011B ;01101100 DB 01101101B ;01101101 DB 01101110B ;01101110 DB 01101111B ;01101111 DB 01110000B ;01110000 DB 01110001B ;01110001 DB 01110010B ;01110010 DB 01111100B ;01110011 DB 01110100B ;01110100 DB 01110101B ;01110101 DB 01110110B ;01110110 DB 01110111B ;01110111 DB 01111000B ;01111000 DB 01111001B ;01111001 DB 01111010B ;01111010 DB 01111011B ;01111011 DB 01110011B ;01111100 DB 01111101B ;01111101 DB 01111110B ;01111110 DB 01111111B ;01111111 DB 10000000B ;10000000 DB 10000001B ;10000001 DB 10000010B ;10000010 DB 10001100B ;10000011 DB 10000100B ;10000100 DB 10000101B ;10000101 DB 10000110B ;10000110 DB 10000111B ;10000111 DB 10001000B ;10001000 DB 10001001B ;10001001 DB 10001010B ;10001010 DB 10001011B ;10001011 DB 10000011B ;10001100 DB 10001101B ;10001101 DB 10001110B ;10001110 DB 10001111B ;10001111 DB 10010000B ;10010000 DB 10010001B ;10010001 DB 10010010B ;10010010 DB 10011100B ;10010011 DB 10010100B ;10010100 DB 10010101B ;10010101 DB 10010110B ;10010110 DB 10010111B ;10010111 DB 10011000B ;10011000 DB 10011001B ;10011001 DB 10011010B ;10011010 DB 10011011B ;10011011 DB 10010011B ;10011100 DB 10011101B ;10011101 DB 10011110B ;10011110 DB 10011111B ;10011111 DB 10100000B ;10100000 DB 10100001B ;10100001 DB 10100010B ;10100010 DB 10101100B ;10100011 
DB 10100100B ;10100100 DB 10100101B ;10100101 DB 10100110B ;10100110 DB 10100111B ;10100111 DB 10101000B ;10101000 DB 10101001B ;10101001 DB 10101010B ;10101010 DB 10101011B ;10101011 DB 10100011B ;10101100 DB 10101101B ;10101101 DB 10101110B ;10101110 DB 10101111B ;10101111 DB 10110000B ;10110000 DB 10110001B ;10110001 DB 10110010B ;10110010 DB 10111100B ;10110011 DB 10110100B ;10110100 DB 10110101B ;10110101 DB 10110110B ;10110110 DB 10110111B ;10110111 DB 10111000B ;10111000 DB 10111001B ;10111001 DB 10111010B ;10111010 DB 10111011B ;10111011 DB 10110011B ;10111100 DB 10111101B ;10111101 DB 10111110B ;10111110 DB 10111111B ;10111111 DB 00110000B ;11000000 DB 00110001B ;11000001 DB 00110010B ;11000010 DB 00111100B ;11000011 DB 00110100B ;11000100 DB 00110101B ;11000101 DB 00110110B ;11000110 DB 00110111B ;11000111 DB 00111000B ;11001000 DB 00111001B ;11001001 DB 00111010B ;11001010 DB 00111011B ;11001011 DB 00110011B ;11001100 DB 00111101B ;11001101 DB 00111110B ;11001110 DB 00111111B ;11001111 DB 11010000B ;11010000 DB 11010001B ;11010001 DB 11010010B ;11010010 DB 11011100B ;11010011 DB 11010100B ;11010100 DB 11010101B ;11010101 DB 11010110B ;11010110 DB 11010111B ;11010111 DB 11011000B ;11011000 DB 11011001B ;11011001 DB 11011010B ;11011010 DB 11011011B ;11011011 DB 11010011B ;11011100 DB 11011101B ;11011101 DB 11011110B ;11011110 DB 11011111B ;11011111 DB 11100000B ;11100000 DB 11100001B ;11100001 DB 11100010B ;11100010 DB 11101100B ;11100011 DB 11100100B ;11100100 DB 11100101B ;11100101 DB 11100110B ;11100110 DB 11100111B ;11100111 DB 11101000B ;11101000 DB 11101001B ;11101001 DB 11101010B ;11101010 DB 11101011B ;11101011 DB 11100011B ;11101100 DB 11101101B ;11101101 DB 11101110B ;11101110 DB 11101111B ;11101111 DB 11110000B ;11110000 DB 11110001B ;11110001 DB 11110010B ;11110010 DB 11111100B ;11110011 DB 11110100B ;11110100 DB 11110101B ;11110101 DB 11110110B ;11110110 DB 11110111B ;11110111 DB 11111000B ;11111000 DB 11111001B ;11111001 DB 11111010B 
;11111010 DB 11111011B ;11111011 DB 11110011B ;11111100 DB 11111101B ;11111101 DB 11111110B ;11111110 DB 11111111B ;11111111 ; ; This rule implements the velocity-reversal needed to ; run the gas evolution in reverse. Its called a WallRule ; because its the same as is all particles hit a wall ; head on. ; WallRule: DB 00000000B ;00000000 DB 00000010B ;00000001 DB 00000001B ;00000010 DB 00001100B ;00000011 DB 00001000B ;00000100 DB 00001010B ;00000101 DB 00001001B ;00000110 DB 00001011B ;00000111 DB 00000100B ;00001000 DB 00000110B ;00001001 DB 00000101B ;00001010 DB 00000111B ;00001011 DB 00000011B ;00001100 DB 00001110B ;00001101 DB 00001101B ;00001110 DB 00001111B ;00001111 DB 00100000B ;00010000 DB 00100010B ;00010001 DB 00100001B ;00010010 DB 00101100B ;00010011 DB 00101000B ;00010100 DB 00101010B ;00010101 DB 00101001B ;00010110 DB 00101011B ;00010111 DB 00100100B ;00011000 DB 00100110B ;00011001 DB 00100101B ;00011010 DB 00100111B ;00011011 DB 00100011B ;00011100 DB 00101110B ;00011101 DB 00101101B ;00011110 DB 00101111B ;00011111 DB 00010000B ;00100000 DB 00010010B ;00100001 DB 00010001B ;00100010 DB 00011100B ;00100011 DB 00011000B ;00100100 DB 00011010B ;00100101 DB 00011001B ;00100110 DB 00011011B ;00100111 DB 00010100B ;00101000 DB 00010110B ;00101001 DB 00010101B ;00101010 DB 00010111B ;00101011 DB 00010011B ;00101100 DB 00011110B ;00101101 DB 00011101B ;00101110 DB 00011111B ;00101111 DB 11000000B ;00110000 DB 11000010B ;00110001 DB 11000001B ;00110010 DB 11001100B ;00110011 DB 11001000B ;00110100 DB 11001010B ;00110101 DB 11001001B ;00110110 DB 11001011B ;00110111 DB 11000100B ;00111000 DB 11000110B ;00111001 DB 11000101B ;00111010 DB 11000111B ;00111011 DB 11000011B ;00111100 DB 11001110B ;00111101 DB 11001101B ;00111110 DB 11001111B ;00111111 DB 10000000B ;01000000 DB 10000010B ;01000001 DB 10000001B ;01000010 DB 10001100B ;01000011 DB 10001000B ;01000100 DB 10001010B ;01000101 DB 10001001B ;01000110 DB 10001011B ;01000111 DB 10000100B ;01001000 DB 
10000110B ;01001001 DB 10000101B ;01001010 DB 10000111B ;01001011 DB 10000011B ;01001100 DB 10001110B ;01001101 DB 10001101B ;01001110 DB 10001111B ;01001111 DB 10100000B ;01010000 DB 10100010B ;01010001 DB 10100001B ;01010010 DB 10101100B ;01010011 DB 10101000B ;01010100 DB 10101010B ;01010101 DB 10101001B ;01010110 DB 10101011B ;01010111 DB 10100100B ;01011000 DB 10100110B ;01011001 DB 10100101B ;01011010 DB 10100111B ;01011011 DB 10100011B ;01011100 DB 10101110B ;01011101 DB 10101101B ;01011110 DB 10101111B ;01011111 DB 10010000B ;01100000 DB 10010010B ;01100001 DB 10010001B ;01100010 DB 10011100B ;01100011 DB 10011000B ;01100100 DB 10011010B ;01100101 DB 10011001B ;01100110 DB 10011011B ;01100111 DB 10010100B ;01101000 DB 10010110B ;01101001 DB 10010101B ;01101010 DB 10010111B ;01101011 DB 10010011B ;01101100 DB 10011110B ;01101101 DB 10011101B ;01101110 DB 10011111B ;01101111 DB 10110000B ;01110000 DB 10110010B ;01110001 DB 10110001B ;01110010 DB 10111100B ;01110011 DB 10111000B ;01110100 DB 10111010B ;01110101 DB 10111001B ;01110110 DB 10111011B ;01110111 DB 10110100B ;01111000 DB 10110110B ;01111001 DB 10110101B ;01111010 DB 10110111B ;01111011 DB 10110011B ;01111100 DB 10111110B ;01111101 DB 10111101B ;01111110 DB 10111111B ;01111111 DB 01000000B ;10000000 DB 01000010B ;10000001 DB 01000001B ;10000010 DB 01001100B ;10000011 DB 01001000B ;10000100 DB 01001010B ;10000101 DB 01001001B ;10000110 DB 01001011B ;10000111 DB 01000100B ;10001000 DB 01000110B ;10001001 DB 01000101B ;10001010 DB 01000111B ;10001011 DB 01000011B ;10001100 DB 01001110B ;10001101 DB 01001101B ;10001110 DB 01001111B ;10001111 DB 01100000B ;10010000 DB 01100010B ;10010001 DB 01100001B ;10010010 DB 01101100B ;10010011 DB 01101000B ;10010100 DB 01101010B ;10010101 DB 01101001B ;10010110 DB 01101011B ;10010111 DB 01100100B ;10011000 DB 01100110B ;10011001 DB 01100101B ;10011010 DB 01100111B ;10011011 DB 01100011B ;10011100 DB 01101110B ;10011101 DB 01101101B ;10011110 DB 01101111B ;10011111 
DB 01010000B ;10100000 DB 01010010B ;10100001 DB 01010001B ;10100010 DB 01011100B ;10100011 DB 01011000B ;10100100 DB 01011010B ;10100101 DB 01011001B ;10100110 DB 01011011B ;10100111 DB 01010100B ;10101000 DB 01010110B ;10101001 DB 01010101B ;10101010 DB 01010111B ;10101011 DB 01010011B ;10101100 DB 01011110B ;10101101 DB 01011101B ;10101110 DB 01011111B ;10101111 DB 01110000B ;10110000 DB 01110010B ;10110001 DB 01110001B ;10110010 DB 01111100B ;10110011 DB 01111000B ;10110100 DB 01111010B ;10110101 DB 01111001B ;10110110 DB 01111011B ;10110111 DB 01110100B ;10111000 DB 01110110B ;10111001 DB 01110101B ;10111010 DB 01110111B ;10111011 DB 01110011B ;10111100 DB 01111110B ;10111101 DB 01111101B ;10111110 DB 01111111B ;10111111 DB 00110000B ;11000000 DB 00110010B ;11000001 DB 00110001B ;11000010 DB 00111100B ;11000011 DB 00111000B ;11000100 DB 00111010B ;11000101 DB 00111001B ;11000110 DB 00111011B ;11000111 DB 00110100B ;11001000 DB 00110110B ;11001001 DB 00110101B ;11001010 DB 00110111B ;11001011 DB 00110011B ;11001100 DB 00111110B ;11001101 DB 00111101B ;11001110 DB 00111111B ;11001111 DB 11100000B ;11010000 DB 11100010B ;11010001 DB 11100001B ;11010010 DB 11101100B ;11010011 DB 11101000B ;11010100 DB 11101010B ;11010101 DB 11101001B ;11010110 DB 11101011B ;11010111 DB 11100100B ;11011000 DB 11100110B ;11011001 DB 11100101B ;11011010 DB 11100111B ;11011011 DB 11100011B ;11011100 DB 11101110B ;11011101 DB 11101101B ;11011110 DB 11101111B ;11011111 DB 11010000B ;11100000 DB 11010010B ;11100001 DB 11010001B ;11100010 DB 11011100B ;11100011 DB 11011000B ;11100100 DB 11011010B ;11100101 DB 11011001B ;11100110 DB 11011011B ;11100111 DB 11010100B ;11101000 DB 11010110B ;11101001 DB 11010101B ;11101010 DB 11010111B ;11101011 DB 11010011B ;11101100 DB 11011110B ;11101101 DB 11011101B ;11101110 DB 11011111B ;11101111 DB 11110000B ;11110000 DB 11110010B ;11110001 DB 11110001B ;11110010 DB 11111100B ;11110011 DB 11111000B ;11110100 DB 11111010B ;11110101 DB 11111001B 
;11110110
DB 11111011B ;11110111
DB 11110100B ;11111000
DB 11110110B ;11111001
DB 11110101B ;11111010
DB 11110111B ;11111011
DB 11110011B ;11111100
DB 11111110B ;11111101
DB 11111101B ;11111110
DB 11111111B ;11111111

MAXBYTE EQU 55
LINENO  EQU 23

SrcPtr  DW OFFSET Buffer1
DesPtr  DW OFFSET Buffer2

SaveBuff: DB MAXBYTE*(LINENO+1) DUP(0)
Buffer1:  DB MAXBYTE*(LINENO+1) DUP(0)
          DB 256 DUP(0)
Buffer2:  DB MAXBYTE*(LINENO+1) DUP(0)
          DB 256 DUP(0)

;----------------------------------------------------------------------
;
;
;
;----------------------------------------------------------------------

Data:
        DB " "
        DB " "
        DB " "
        DB " This is a test for a Lattice Gas based encryption "
        DB " algorithm. The data is encoded as particles of a "
        DB " digital gas, whose time evolution is then simulated "
        DB " with a cellular-automaton type algorithm. Decryption "
        DB " can be achieved by running the simulation in reverse. "
        DB " A thermodynamic argument ensures that even if a single"
        DB " bit is flipped, no decryption of the data is possible "
        DB " "
        DB " After the gas is let to evolve for 256 timesteps, "
        DB " one can either run the reverse evolution by pressing "
        DB " space, or flip a bit and then run by pressing '0' "
        DB " "
        DB " For a cryptographic application, the key would consist"
        DB " of the number of time steps and the time and location "
        DB " of specific bit inversions. "
        DB " "
        DB " "
        DB " "
        DB " "
        DB " "

;
; Fill the gas with a piece of code
;
InitGas:
        MOV DI,CS:SrcPtr
        MOV SI,OFFSET Data
        MOV CX,LINENO
IG0:    PUSH DI
        PUSH CX
        MOV CX,MAXBYTE
IG1:    MOV AL,CS:[SI]
        MOV CS:[DI],AL
        INC SI
        INC DI
        LOOP IG1
        POP CX
        POP DI
        ADD DI,MAXBYTE
        LOOP IG0
        MOV SI,CS:SrcPtr
        MOV DI,OFFSET InitGas
        MOV CX,MAXBYTE*3
        MOV AL,0
LG2:    MOV BYTE PTR CS:[SI],AL         ; first three lines: alternating 00h/0FFh
        NOT AL
        INC SI
        LOOP LG2
        RET

;----------------------------------------------------------------------
;
; Display gas molecules bouncing around
;
ShowGas:
        PUSH ES
        PUSH SI
        PUSH DI
        PUSH CX
        PUSH BX
        MOV AX,0B800h                   ; colour text-mode video memory
        MOV ES,AX
        MOV SI,CS:SrcPtr
        MOV DI,160*2+10*2               ; screen row 2, column 10
        MOV CX,LINENO-3
        ADD SI,MAXBYTE*3                ; skip the three border lines
SG1:    PUSH CX
        PUSH DI
        MOV CX,MAXBYTE
SG2:    MOV AL,CS:[SI]
        MOV BYTE PTR ES:[DI],AL
        INC SI
        ADD DI,2                        ; character cell = char + attribute
        DEC CX
        JNZ SG2
        POP DI
        POP CX
        ADD DI,160                      ; next screen row
        LOOP SG1
        POP BX
        POP CX
        POP DI
        POP SI
        POP ES
        RET

;----------------------------------------------------------------------
;
; CS:SI -> Source of Data
; CS:DI -> Destination of Data
;
ScanOneMiddleLine:
;
; first byte is a special case because of wraparound
;
        MOV BL,0                        ; BL is the "assembled" byte
        MOV BH,CS:[SI-MAXBYTE]          ; NORTH is one line "up" (lower)
        AND BH,10001000B                ; and at bits 7 and 3
        OR BL,BH                        ; OR them into the assembled byte
        MOV BH,CS:[SI+MAXBYTE]          ; SOUTH is one line "down" (higher)
        AND BH,01000100B                ; and at bits 6 and 2
        OR BL,BH                        ; place the stuff into BL
        MOV BH,CS:[SI+(MAXBYTE-1)]      ; WEST is one byte "left" (lower), wrapped
        AND BH,00100010B                ; and at bits 5 and 1
        OR BL,BH
        MOV BH,CS:[SI+1]                ; EAST is one byte "right" (higher)
        AND BH,00010001B                ; and at bits 4 and 0
        OR BL,BH
        MOV BH,0
        MOV AL,BYTE PTR CS:[BX + OFFSET HPPRule]
        MOV CS:[DI],AL
        INC SI
        INC DI
;
; middle bytes can be handled in a loop
;
        MOV CX,MAXBYTE-2
SOL1:   MOV BL,0                        ; BL is the "assembled" byte
        MOV BH,CS:[SI-MAXBYTE]          ; NORTH is one line "up" (lower)
        AND BH,10001000B                ; and at bits 7 and 3
        OR BL,BH                        ; OR them into the assembled byte
        MOV BH,CS:[SI+MAXBYTE]          ; SOUTH is one line "down" (higher)
        AND BH,01000100B                ; and at bits 6 and 2
        OR BL,BH                        ; place the stuff into BL
        MOV BH,CS:[SI-1]                ; WEST is one byte "left" (lower)
        AND BH,00100010B                ; and at bits 5 and 1
        OR BL,BH
        MOV BH,CS:[SI+1]                ; EAST is one byte "right" (higher)
        AND BH,00010001B                ; and at bits 4 and 0
        OR BL,BH
        MOV BH,0
        MOV AL,BYTE PTR CS:[BX + OFFSET HPPRule]
        MOV CS:[DI],AL
        INC SI
        INC DI
        LOOP SOL1
;
; last byte is also special
;
        MOV BL,0                        ; BL is the "assembled" byte
        MOV BH,CS:[SI-MAXBYTE]          ; NORTH is one line "up" (lower)
        AND BH,10001000B                ; and at bits 7 and 3
        OR BL,BH                        ; OR them into the assembled byte
        MOV BH,CS:[SI+MAXBYTE]          ; SOUTH is one line "down" (higher)
        AND BH,01000100B                ; and at bits 6 and 2
        OR BL,BH                        ; place the stuff into BL
        MOV BH,CS:[SI-1]                ; WEST is one byte "left" (lower)
        AND BH,00100010B                ; and at bits 5 and 1
        OR BL,BH
        MOV BH,CS:[SI-(MAXBYTE-1)]      ; EAST is one byte "right" (higher), wrapped
        AND BH,00010001B                ; and at bits 4 and 0
        OR BL,BH
        MOV BH,0
        MOV AL,BYTE PTR CS:[BX + OFFSET HPPRule]
        MOV CS:[DI],AL
        INC SI
        INC DI
        RET

;----------------------------------------------------------------------
;
; CS:SI -> Source of Data
; CS:DI -> Destination of Data
;
ScanFirstLine:
;
; first byte is a special case because of wraparound
;
        MOV BL,0
        MOV BH,CS:[SI+MAXBYTE*(LINENO-1)] ; NORTH wraps to the last line
        AND BH,10001000B                ; and at bits 7 and 3
        OR BL,BH                        ; OR them into the assembled byte
        MOV BH,CS:[SI+MAXBYTE]          ; SOUTH is one line "down" (higher)
        AND BH,01000100B                ; and at bits 6 and 2
        OR BL,BH                        ; place the stuff into BL
        MOV BH,CS:[SI+MAXBYTE-1]        ; WEST is one byte "left" (lower), wrapped
        AND BH,00100010B                ; and at bits 5 and 1
        OR BL,BH
        MOV BH,CS:[SI+1]                ; EAST is one byte "right" (higher)
        AND BH,00010001B                ; and at bits 4 and 0
        OR BL,BH
        MOV BH,0
        MOV AL,BYTE PTR CS:[BX + OFFSET HPPRule]
        MOV CS:[DI],AL
        INC SI
        INC DI
;
; middle bytes can be handled in a loop
;
        MOV CX,MAXBYTE-2
SFL1:   MOV BL,0                        ; BL is the "assembled" byte
        MOV BH,CS:[SI+MAXBYTE*(LINENO-1)] ; NORTH wraps to the last line
        AND BH,10001000B                ; and at bits 7 and 3
        OR BL,BH                        ; OR them into the assembled byte
        MOV BH,CS:[SI+MAXBYTE]          ; SOUTH is one line "down" (higher)
        AND BH,01000100B                ; and at bits 6 and 2
        OR BL,BH                        ; place the stuff into BL
        MOV BH,CS:[SI-1]                ; WEST is one byte "left" (lower)
        AND BH,00100010B                ; and at bits 5 and 1
        OR BL,BH
        MOV BH,CS:[SI+1]                ; EAST is one byte "right" (higher)
        AND BH,00010001B                ; and at bits 4 and 0
        OR BL,BH
        MOV BH,0
        MOV AL,BYTE PTR CS:[BX + OFFSET HPPRule]
        MOV CS:[DI],AL
        INC SI
        INC DI
        LOOP SFL1
;
; last byte is also special
;
        MOV BL,0                        ; BL is the "assembled" byte
        MOV BH,CS:[SI+MAXBYTE*(LINENO-1)] ; NORTH wraps to the last line
        AND BH,10001000B                ; and at bits 7 and 3
        OR BL,BH                        ; OR them into the assembled byte
        MOV BH,CS:[SI+MAXBYTE]          ; SOUTH is one line "down" (higher)
        AND BH,01000100B                ; and at bits 6 and 2
        OR BL,BH                        ; place the stuff into BL
        MOV BH,CS:[SI-1]                ; WEST is one byte "left" (lower)
        AND BH,00100010B                ; and at bits 5 and 1
        OR BL,BH
        MOV BH,CS:[SI-(MAXBYTE-1)]      ; EAST is one byte "right" (higher), wrapped
        AND BH,00010001B                ; and at bits 4 and 0
        OR BL,BH
        MOV BH,0
        MOV AL,BYTE PTR CS:[BX + OFFSET HPPRule]
        MOV CS:[DI],AL
        RET

;----------------------------------------------------------------------
;
; CS:SI -> Source of Data
; CS:DI -> Destination of Data
;
ScanLastLine:
;
; first byte is a special case because of wraparound
;
        MOV BL,0                        ; BL is the "assembled" byte
        MOV BH,CS:[SI-MAXBYTE]          ; NORTH is one line "up" (lower)
        AND BH,10001000B                ; and at bits 7 and 3
        OR BL,BH                        ; OR them into the assembled byte
        MOV BH,CS:[SI-MAXBYTE*(LINENO-1)] ; SOUTH wraps to the first line
        AND BH,01000100B                ; and at bits 6 and 2
        OR BL,BH                        ; place the stuff into BL
        MOV BH,CS:[SI+(MAXBYTE-1)]      ; WEST is one byte "left" (lower), wrapped
        AND BH,00100010B                ; and at bits 5 and 1
        OR BL,BH
        MOV BH,CS:[SI+1]                ; EAST is one byte "right" (higher)
        AND BH,00010001B                ; and at bits 4 and 0
        OR BL,BH
        MOV BH,0
        MOV AL,BYTE PTR CS:[BX + OFFSET HPPRule]
        MOV CS:[DI],AL
        INC SI
        INC DI
;
; middle bytes can be handled in a loop
;
        MOV CX,MAXBYTE-2
SLL1:   MOV BL,0                        ; BL is the "assembled" byte
MOV BH,CS:[SI-MAXBYTE] AND BH,10001000B ; and at bits 7 and 3 OR BL,BH ; OR them into the assembled byte MOV BH,CS:[SI-MAXBYTE*(LINENO-1)] AND BH,01000100B ; and at bits 6 and 2 OR BL,BH ; place the stuff into AL MOV BH,CS:[SI-1] ; WEST is one byte "left" (lower) AND BH,00100010B ; and at bits 5 and 1 OR BL,BH MOV BH,CS:[SI+1] ; EAST is one byte "right" (higher) AND BH,00010001B ; and at bits 4 and 0 OR BL,BH MOV BH,0 MOV AL,BYTE PTR CS:[BX + OFFSET HPPRule] MOV CS:[DI],AL INC SI INC DI LOOP SLL1 ; ; last byte is also special ; MOV BL,0 ; AL is the "assembled" byte. MOV BH,CS:[SI-MAXBYTE] AND BH,10001000B ; and at bits 7 and 3 OR BL,BH ; OR them into the assembled byte MOV BH,CS:[SI-MAXBYTE*(LINENO-1)] AND BH,01000100B ; and at bits 6 and 2 OR BL,BH ; place the stuff into AL MOV BH,CS:[SI-1] ; WEST is one byte "left" (lower) AND BH,00100010B ; and at bits 5 and 1 OR BL,BH MOV BH,CS:[SI-(MAXBYTE-1)] ; EAST is one byte "right" (higher) AND BH,00010001B ; and at bits 4 and 0 OR BL,BH MOV BH,0 MOV AL,BYTE PTR CS:[BX + OFFSET HPPRule] MOV CS:[DI],AL INC SI INC DI RET ;---------------------------------------------------------------------- ; ; Invert all velocities in the gas ; InvertAll: PUSH BX PUSH CX PUSH SI MOV SI,CS:SrcPtr MOV BX,0 MOV CX,LINENO IA1: PUSH CX MOV CX,MAXBYTE IA2: MOV BL,CS:[SI] MOV AL,BYTE PTR CS:[BX + (OFFSET WallRule)] MOV CS:[SI],AL INC SI LOOP IA2 POP CX LOOP IA1 POP SI POP CX POP BX RET ;---------------------------------------------------------------------- ; ; IterateOnce: MOV SI,CS:SrcPtr MOV DI,CS:DesPtr MOV CS:SrcPtr,DI MOV CS:DesPtr,SI PUSH SI PUSH DI CALL ScanFirstLine POP DI POP SI ADD SI,MAXBYTE ADD DI,MAXBYTE MOV CX,LINENO-2 ; dont scan first and last L1: PUSH SI PUSH DI PUSH CX CALL ScanOneMiddleLine POP CX POP DI POP SI ADD SI,MAXBYTE ADD DI,MAXBYTE LOOP L1 PUSH SI PUSH DI CALL ScanLastLine POP SI POP DI L3: RET ;---------------------------------------------------------------------- ; ; Iterate HPP rule CX times ; Iterate: PUSH CX CALL 
IterateOnce POP CX CALL ShowGas LOOP Iterate RET ;---------------------------------------------------------------------- ; ; Iterate HPP rule CX times ; IterateUntil: MOV SI,0 MOV CX,OFFSET IU4 - OFFSET IU3 IU00: MOV AL,BYTE PTR CS:[SI + OFFSET IU3] XOR BYTE PTR CS:[SI + OFFSET IU4],AL INC SI LOOP IU00 IU0: CALL IterateOnce CALL ShowGas MOV SI,CS:SrcPtr MOV CX,MAXBYTE*3 MOV BX,0 MOV AH,0 MOV AL,255 IU1: MOV BL,BYTE PTR CS:[SI] MOV DL,BYTE PTR CS:[BX+WallRule] NOT AH XOR DL,AH AND AL,DL INC SI LOOP IU1 MOV SI,0 MOV CX,OFFSET IU4 - OFFSET IU3 IU2: MOV AH,BYTE PTR CS:[SI+OFFSET IU4] AND AH,AL XOR BYTE PTR CS:[SI+OFFSET IU3],AH INC SI LOOP IU2 JMP IU3 IU3: MOV AX,OFFSET IU0 PUSH AX RET DB 256 DUP(90h) IU4: PUSH AX PUSH BX PUSH CX PUSH DX PUSH DS MOV AH,9 MOV DX,CS:MsgPtr INT 21H POP DS POP DX POP CX POP BX POP AX RET DB 512 DUP(90h) MsgPtr DW OFFSET Msg Msg DB "This message is printed out by",10,13 DB "code decrypted using data from the lattice",10,13 DB "which was applied to the decoding routine",10,13 DB "after every time step",10,13 DB "The decoding function left the code unchanged",10,13 DB "except after the gas evolution had completelly",10,13 DB "reversed the thermalization",10,13,"$" TIMES EQU 16 ; 256 repetitions are enough to ; "equilibrate" the gas Begin: MOV AX,0600h MOV BH,7 MOV DH,25 MOV DL,80 MOV CX,0 INT 10h MOV AH,2 MOV BH,0 MOV DH,24 MOV DL,0 INT 10h CALL InitGas CALL ShowGas MOV AH,0 INT 16h PUSH CX MOV CX,TIMES CALL Iterate CALL InvertAll CALL ShowGas MOV AH,0 INT 16h CMP AL,"0" JNE Begin0 MOV SI,CS:SrcPtr XOR BYTE PTR CS:[SI],10000001B Begin0: MOV CX,TIMES CALL IterateUntil CALL InvertAll CALL ShowGas MOV AX,4C00h INT 21h CODE ENDS END Start Newsgroup: sci.crypt document_id: 14992 Subject: Re: Illegal Wiretaps (was Denning's Trust) From: kubo@zariski.harvard.edu (Tal Kubo) In article <1ppg02$i2k@bigboote.WPI.EDU> ear@bigwpi.WPI.EDU (Mr. 
Neat-O [tm]) writes: >> >>It is apparently quite easy to get hold of a person's calling records >>through the phone company. Police (and some lawyers) are able to acquire >>such information without any warrant or judicial supervision, whether or >>not the target is suspected of specific crimes. > >Pardon me, but isn't this very illegal? I was under the impression that a >warrent *is* needed to get this information out of the phone company in >order to protect people's privacy. Legal or not, I've seen it done. Phone records were obtained in order to *establish* probable cause, rather than as a result of it. In other words, for a fishing expedition. > A local (Worcester, MA) police officer I >spoke with only a couple of nights ago told me that they usually only >subpeona the phone companies records in *extreme* conditions because it's so >much of a hassle. And does the phone company require written, subpoena-able evidence of probable cause in order to process the request? I suggest that the officer was disinterested in pursuing your case -- even if you could prove the offender had called you at a certain time, your chances of winning a harassment suit on the strength of this evidence are nil. My contact with several people who have dealt with cases of extreme phone harassment (several thousand calls in one case) teaches me that police in this area are quite lethargic about pursuing such matters. Tal Newsgroup: sci.crypt document_id: 14993 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Licensing of public key implementations strnlght@netcom.com (David Sternlight) writes: > I will provide one hint: it is reported that RSA expressed puzzlement (at > their conference) that nobody has asked for permission to use RIPEM to > write a PGP-compatible program. 
This actually supports Bill's speculation - IF there is a backdoor in
RSAREF and IF PKP is supported secretly by the NSA, then it is more
than natural that they will welcome ANY public-key implementation that
uses RSAREF and will strongly oppose themselves against ANY
implementation that doesn't.

I personally cannot see how one could put a backdoor in a long-precision
modular arithmetic library that comes in source, but, of course, the fact
that -I- cannot see it means nothing...

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

Newsgroup: sci.crypt document_id: 14994
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: opinions of RC2 alg.

Markowitz@DOCKMASTER.NCSC.MIL writes:

> It is interesting to note in this regard that permission to export
> PKZIP's encryption scheme has twice been denied by NSA.  Draw your own
> conclusions.

Uh, I'm afraid that your information is slightly out of date... PKWare has
obtained a license to export their program to the whole world, except a
very limited list of countries... Draw your own conclusions about the
strength of the algorithm... :-)

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

Newsgroup: sci.crypt document_id: 14995
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: disk safety measure?

cuffell@spot.Colorado.EDU (Tim Cuffel) writes:

> There is no guarantee that the deleted space would be overwritten during
> optimization.  Likely, but no guarantee.  A quicker and more secure method
> would be a batch file that overwrote all of your free space.  For example
> fill.bat:
>
> echo %1 >> out
> fill.bat
>
> (This is off the top of my head. #include )

It is MUCH easier, faster, and probably even more secure to use Norton
Utilities 6.0 (I'm talking IBM PC here) and to tell WipeInfo to (a) clean
the free disk space and (b) clean the slack space at the end of the files.
Use the Government standard option for more careful overwriting...

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

Newsgroup: sci.crypt document_id: 14996
From: WHMurray@DOCKMASTER.NCSC.MIL
Subject: Licensing...

>This actually supports Bill's speculation - IF there is a backdoor in
>RSAREF and IF PKP is supported secretly by the NSA, then it is more
>than natural that they will welcome ANY public-key implementation that
>uses RSAREF and will strongly oppose themselves against ANY
>implementation that doesn't.

My speculation does not include or depend upon a trapdoor in RSAREF.  I do
not believe that RSA would consent to such.

However, there are other limitations in the concept of RSAREF in which NSA
has an interest.  It has an interest in a limited number of
implementations, i.e., targets.  It has an interest in fixed key or maximum
modulus size.

It has a legitimate (literally) right to pursue such interests.  Within
bounds, it probably has a right to pursue those interests by covert means.
At least it has the same right as the rest of us not to disclose all of its
motives and intentions.  (Institutions are not self-aware; they do not know
their intentions in any meaningful sense.)
William Hugh Murray, Executive Consultant, Information System Security
49 Locust Avenue, Suite 104; New Canaan, Connecticut 06840
1-0-ATT-0-700-WMURRAY; WHMurray at DOCKMASTER.NCSC.MIL

Newsgroup: sci.crypt document_id: 14997
From: tom_van_vleck@taligent.com (Tom Van Vleck)
Subject: Re: looking for one-way (trap-door, password encryption, etc.) algorithms

Michael Levin wrote:
> I am looking for references to algorithms which can be used for
> password encryption.  I.e., someone has a clear-text word, runs it
> through the algorithm, and it becomes some other sequence of symbols.
> I want this algorithm to have the property that it is a) next to
> impossible to reverse, and b) would take too long to try all possible
> words to see which one works (even by use of a high-speed computer).
> Please send references or ideas to mlevin@husc8.harvard.edu.

The original one-way encryption I put into Multics about 1968 (as
suggested by Joe Weizenbaum) was invertible.  An Air Force tiger team
demonstrated this to me in May 1973.  I then asked an expert (who
requested anonymity) what I should use instead; the expert's suggestion
was to treat the 8-byte password as both key and data for the LUCIFER
encryption algorithm, which is similar or identical to DES.  This method
or something stronger should take care of (a).

Issue (b) is discussed in comp.security.misc: longer passwords and
quality control on what users can choose as passwords are the common
tactics.
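A modern analogue of the two tactics in the post above, as an added example that is not code from the original post or from Multics: `keyed_self_hash` reproduces the "password as both key and data" idea with HMAC-SHA256 standing in for LUCIFER/DES (an assumption of this example, since no DES is available in the Python standard library); `hash_password` and `verify_password` show the "something stronger" for property (a) plus a per-user salt and an iterated derivation (PBKDF2 from `hashlib`) for property (b); and `acceptable` is a constructed, deliberately tiny stand-in for the quality control the post mentions. All names and parameters here are the example's own.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for this example; tune the iteration count to the
# hardware you verify passwords on.
ITERATIONS = 100_000
SALT_BYTES = 16


def keyed_self_hash(password: bytes) -> bytes:
    """The 1973 construction in modern clothing: the password is both the key
    and the data of a keyed primitive (HMAC-SHA256 here; an assumption standing
    in for LUCIFER/DES). One-way, but unsalted and fast, so it covers (a) only."""
    return hmac.new(password, password, hashlib.sha256).digest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, iterated derivation (PBKDF2-HMAC-SHA256). The random salt defeats
    precomputed tables; the iteration count raises the cost of every guess,
    which is what property (b) asks for. Returns a self-describing record."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant
    time so the comparison itself leaks nothing about the stored digest."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


# Constructed, deliberately tiny blocklist; a real deployment checks against a
# large list of breached passwords. This is the "quality control" half of (b).
BLOCKLIST = frozenset({"password", "123456", "qwerty", "letmein", "multics"})


def acceptable(password: str, min_len: int = 12) -> bool:
    """Reject short passwords and known-bad choices before hashing them."""
    return len(password) >= min_len and password.lower() not in BLOCKLIST


if __name__ == "__main__":
    pw = "correct horse battery staple"          # constructed sample
    print("policy ok:", acceptable(pw), "| 'password' ok:", acceptable("password"))
    rec = hash_password(pw)
    print(rec)
    print("verify:", verify_password(pw, rec), "| wrong guess:", verify_password("guess", rec))
```

The record format stores the iteration count alongside the salt so that the cost can be raised later for new records while old ones still verify; the unsalted `keyed_self_hash` is kept only to show why the 1973 design, on its own, still lets an attacker amortise one dictionary over every account.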
tom_vanvleck@taligent.com

Newsgroup: sci.crypt document_id: 14998
From: yerazunis@cthulu.enet.dec.com
Subject: Re: Hard drive security for FBI targets

>cme@ellisun.sw.stratus.com (Carl Ellison) writes:
>For example, if I had a program on my disk which created totally random
>files looking like encrypted messages and could demonstrate that the file
>in question *could have been* created by that program, then my claim that
>it was, in fact, created by that program must stand as true (since I'm
>innocent) unless someone can prove me wrong.

HMMM... that brings up a neat idea.  Unfortunately, it's SOOO neat, I think
I ought to patent it.  So I can't tell you about it.  Sorry.  :-)

-Bill

Copyright 1993 William S. Yerazunis (aka Crah the Merciless)
All rights reserved, no responsibility taken.
"I love the smell of flash powder in the morning!  It smells like...like theatre"

Newsgroup: sci.crypt document_id: 14999
From: jgk@osc.COM (Joe Keane)
Subject: Re: Hard drive security for FBI targets

In article <1993Apr2.050451.7866@ucsu.Colorado.EDU> cuffell@spot.Colorado.EDU (Tim Cuffel) writes:
>How about this.  I create a bunch of sets of random data, and encrypt it.  I
>keep only one of the sets of random data around, to show that I encrypt random
>data for kicks.  The rest, I delete with their keys.  I tell all my friends.
>I think this establishes reasonable doubt about the contents of any encrypted
>files, and my ability to provide keys.  Since anyone could do this, any law
>that forces a user to provide keys on demand is worthless.

The law is much worse than worthless.  It gives police the power to put
innocent people in jail because they (the police) find something they don't
understand.  Most police don't know what the return key does, never mind the
difference between a core file and classified military secrets.  There are
plenty of scenarios where the user would have no idea what something is
either.  It could be uninitialized junk.

The burden of proof is on the user to show that it's something a normal
upstanding citizen should have.  No one should ever be put in that situation,
especially in America.  What's disgusting about this is how easily most people
go along with it, to provide a bargaining chip against some hypothetical
*alleged* child molester or drug dealer, or whatever bad thing is in style at
the time.  Basically most people don't have a clear distinction between
criminals and suspects.

As an analogy, it's like they find a loose screw in your house, and they insist
that you're building a bomb or machine gun.  They ask you where it came from
(like you'd know), and ask you to prove your claim.  When you explain it in
such simple terms, people may start to get the idea.

As a matter of fact, i do keep random files on my disk.  The reason is,
without special-purpose hardware, it takes a long time to generate good random
bits.  I have programs that crank out a couple bits per minute, which is
pretty conservative, but over time that's more than i need.

If you think about it, there's no point in actually encrypting random data,
because it just gives you different random data.  If you want some data to
look like an encrypted file, you just put an appropriate header on it.

If enough people do this, some of them will be put in jail.  When you get
arrested and the police ask for your keys, you can tell them it's just random
junk, although of course they won't believe you.  While you're sitting in
jail, you can take consolation in the fact that the government will burn a few
CPU-years trying to find something that's not there.

--
Joe Keane, amateur cryptologist
jgk@osc.com (uunet!amdcad!osc!jgk)

Newsgroup: sci.crypt document_id: 15000
From: Graham Toal
Subject: Re: Hard drive security for FBI targets

In article <6040@osc.COM> Joe Keane writes:
:As a matter of fact, i do keep random files on my disk.  The reason is,
:without special-purpose hardware, it takes a long time to generate good random
:bits.
:I have programs that crank out a couple bits per minute, which is
:pretty conservative, but over time that's more than i need.

Sounds like a useful program - interested in posting it to alt.sources?

G

Newsgroup: sci.crypt document_id: 15001
From: cme@ellisun.sw.stratus.com (Carl Ellison)
Subject: Re: Hard drive security

In article antonh@rpi.edu writes:
>say, can anyone send my info on how to encrypt a hard disk
[...]
>ps.  I would also like know the consequences of those types of actions if i
>so chose to do them in the future in this country and european countries.

People have been encrypting notes in their notebooks for hundreds of years --
maybe over a thousand.  It's a long tradition dating at least back to the
alchemists.  I know of nothing bad happening to them.  I would assume that
nothing bad would happen to you, given this long history establishing
encryption as the property of individuals, to do with as they please.

--
- <> -
Carl Ellison                                    cme@sw.stratus.com
Stratus Computer Inc.           M3-2-BKW        TEL: (508)460-2783
55 Fairbanks Boulevard ; Marlborough MA 01752-1298      FAX: (508)624-7488

Newsgroup: sci.crypt document_id: 15002
From: cme@ellisun.sw.stratus.com (Carl Ellison)
Subject: Re: Licensing of public key implementations

In article <1993Apr4.221640.8104@magnus.acs.ohio-state.edu> jebright@magnus.acs.ohio-state.edu (James R Ebright) writes:
>I guess we will have to wait for the time in the far future
>when everyone uses such good crypto that the NSA has no job.  Then the
>agency will be disbanded and its files opened after the appropriate
>historical delay. ;)

You've overlooked a fundamental Truth: both headcount and budget of any
government agency are monotonic increasing functions.

Given that Truth, you need to look for what the agency can do to occupy all
those people and spend all that money when crypto is unbreakable.

Perhaps they could talk the world's telephone companies into making equipment
they could break into and tap.

Maybe they could convince people that distributed computing was a good idea so
that even the internal state of a process would be available for access by
wiretapping.

Maybe....

--
- <> -
Carl Ellison                                    cme@sw.stratus.com
Stratus Computer Inc.           M3-2-BKW        TEL: (508)460-2783
55 Fairbanks Boulevard ; Marlborough MA 01752-1298      FAX: (508)624-7488

Newsgroup: sci.crypt document_id: 15003
From: ray@ole.cdac.com (Ray Berry)
Subject: Re: Hard drive security for FBI targets

rja14@cl.cam.ac.uk (Ross Anderson) writes:

>In article <1993Apr2.050451.7866@ucsu.Colorado.EDU>, cuffell@spot.Colorado.EDU
>(Tim Cuffel) writes:

>This suggests a new PC security product design approach - first fill the hard
>drive with 50% random files and 50% files encrypted under a number of known
>keys.  Then whenever a new secret file is created, you delete a random file and
>replace it with real encrypted data.  New non-secret files are encrypted under
>a known key.

Better yet, instead of thrashing around on the DOS file system, take it a
step further.  Write yourself a minimal "file system" program that is used
to create/delete files, en/decrypt them to ramdisk, list a directory.  Put
the util, password protected, on a floppy.  The catch is that the storage
space used by this util is NOT part of the DOS file system.  Instead,
defrag your disk, thus packing all allocated clusters into clusters 0-n.
Then use the back end of the partition to hold your 'stealth' file system.
Or, leave a small 2nd partition on the disk that is not assigned to DOS.

Another approach might be to use a directory that contains a set of
invariant files (DOS system files, for instance).  Due to DOS allocating a
minimum storage unit of a "cluster" there is unused physical space on the
disk between the tail end of each file and the end of its associated
cluster.  These dead spaces could be concatenated and used to hold your
stealth file system.  Now you have a situation where no encrypted data
"appears" on your disk at all :-).
--
Ray Berry kb7ht  ray@ole.cdac.com  rjberry@eskimo.com  73407.3152@compuserve.com

Newsgroup: sci.crypt document_id: 15168
From: so@eiffel.cs.psu.edu (Nicol C So)
Subject: Re: Source of random bits on a Unix workstation

In article <897@pivot.sbi.com> bet@sbi.com (Bennett Todd @ Salomon Brothers Inc., NY ) writes:
>This came up because I decided to configure up MIT-MAGIC-COOKIE-1 security
>for X11R5.  For this to work you need to stick some bits that an intruder
>can't guess in a file (readable only by you) which X client applications
>read.  They pass the bits back to the server when they want to establish a
>connection.
>
>...
>What I settled on was grabbing a bunch of traffic off the network.
>Basically, I ran
>
>       etherfind -u -x greater 0|compress
>
>and skipped over 10K of output, then grabbed my bits.  As best I can tell,
>these are bits that can be expected to be reasonably uniformly distributed,
>and quite unguessable by an intruder.

For your application, what you can do is to encrypt the real-time clock
value with a secret key.

Newsgroup: sci.crypt document_id: 15169
From: ji@cs.columbia.edu (John Ioannidis)
Subject: Re: Source of random bits on a Unix workstation

In article so@eiffel.cs.psu.edu (Nicol C So) writes:
>In article <897@pivot.sbi.com> bet@sbi.com (Bennett Todd @ Salomon Brothers Inc., NY ) writes:
>>This came up because I decided to configure up MIT-MAGIC-COOKIE-1 security
>>for X11R5.  For this to work you need to stick some bits that an intruder
>>can't guess in a file (readable only by you) which X client applications
>>read.  They pass the bits back to the server when they want to establish a
>>connection.
>>
>>...
>>What I settled on was grabbing a bunch of traffic off the network.
>>Basically, I ran
>>
>>      etherfind -u -x greater 0|compress
>>
>>and skipped over 10K of output, then grabbed my bits.  As best I can tell,
>>these are bits that can be expected to be reasonably uniformly distributed,
>>and quite unguessable by an intruder.
>
>For your application, what you can do is to encrypt the real-time clock
>value with a secret key.

For a good discussion of cryptographically "good" random number generators,
check out the draft-ietf-security-randomness-00.txt Internet Draft, available
at your local friendly internet drafts repository.

A reasonable source of randomness is the output of a cryptographic hash
function (e.g., MD5), when fed with a large amount of more-or-less random
data.  For example, running MD5 on /dev/mem is a slow, but random enough,
source of random bits; there are bound to be 128 bits of entropy in the tens
(or hundreds) of megabytes of data in a modern workstation's memory, as a
fair amount of them are system timers, i/o buffers, etc.

/ji

Newsgroup: sci.crypt document_id: 15170
From: bear@kestrel.fsl.noaa.gov (Bear Giles)
Subject: Re: Fifth Amendment and Passwords

In article <1993Apr15.160415.8559@magnus.acs.ohio-state.edu> ashall@magnus.acs.ohio-state.edu (Andrew S Hall) writes:
>I am positive someone will correct me if I am wrong, but doesn't the Fifth
>also cover not being forced to do actions that are self-incriminating?
>e.g. The police couldn't demand that you silently take them to where the
>body is buried or where the money is hidden.

But they can make you piss in a jar, and possibly provide DNA, semen, and
hair samples or to undergo tests for gunpowder residues on your hand.

(BTW, that was why the chemical engineer arrested in the WTC explosion
thrust his hands into a toilet filled with urine as the cops were breaking
down the door -- the nitrogen in the urine would mask any residue from
explosives.  I found it interesting the news reported his acts, but not his
reasons).

Somewhere, perhaps a privacy group, they discussed the legal ramifications
of using a password like

  I shot Jimmy Hoffa and his body is in a storage locker in Camden

a while back.
The impression I got was that real judges would dismiss arguments that this
password is self-incrimination as first-year law school sophistry -- the
fact that you use a statement for a password has no bearing on the veracity
of that phrase.  You are not being asked to incriminate yourself (e.g.,
"where did you bury the body?"); you are being asked to provide information
necessary to execute a legal search warrant.

Refusing to provide the password is akin to refusing to provide a key to a
storage locker... except that they could always _force_ their way into the
locker.

Of course, that doesn't mean you have to help them _understand_ what they
find, or point out things they overlooked in their search!

--
Bear Giles
bear@fsl.noaa.gov

Newsgroup: sci.crypt document_id: 15171
From: zrepachol@cc.curtin.edu.au (Paul Repacholi)
Subject: What is going on?...

In article <1qhc2p$8d8@transfer.stratus.com>, cme@ellisun.sw.stratus.com (Carl Ellison) writes:
> In article <1993Apr14.120229.15878@mnemosyne.cs.du.edu> rwebb@nyx.cs.du.edu (Russell Webb) writes:
...
> Call me paranoid, but this is the same kind of scare story which Dorothy
> Denning was citing while calling for the limitation of cryptography.
>
> I doubt that DD is behind this --
>
> but I suspect that the FBI (and maybe NSA) are behind DD and those agencies
> could easily be mounting a nationwide campaign (with our tax dollars?) to
> build up public outcry against digital communication -- especially against
> unbreakable, encrypted communication.
>
>
> What's going on here??
>

Haven't you read any of Noam Chomsky's works?  A widely used information net
outside the control of the 'right people' is unthinkable.  Hundreds of
billions of dollars will be spent to wipe it out, sorry, 'regulate and order
it' once the major media and political powers wake up to the effect it can
have.

If you can't be bothered reading, get the video "Manufacturing Consent".

~Paul

Newsgroup: sci.crypt document_id: 15172
From: marc@tanda.isis.org (Marc Thibault)
Subject: Re: Hard drive security for FBI targets

1. Do a straight encryption of your keyrings and put the results with
   misleading names somewhere they won't be noticed (eg. in the \windows
   directory; nobody knows what half those files are).

2. Do a straight encryption of a .BAT file that will decrypt the keyrings
   to RAMdisk and will set PGPPATH to point at it.

3. Set up another .BAT file to decrypt and execute the first (again on RAM
   disk).  Have it take the name of the target file as an argument so that
   there is no link between this file and the (non-existent) batch file
   referred to by the rest of the system.  Comment it so it looks like a
   test script for fooling around with PGP.  Set PGPPATH to the PGP
   directory.

4. Leave the original keyrings that came with PGP in the directory with
   PGP; a good indication that you are playing with, but haven't made
   serious use of PGP.  Add a set of keys with your name and a really
   simple passphrase.  Never use it, or use it as your widely published
   key for low-security e-mail.

5. When needed, run the second .BAT file.  Make sure all intermediate and
   plainfiles are generated on RAMdisk.

6. When you hear the concussion grenade, hit the power switch.

Cheers,
Marc

---
Marc Thibault          | CIS:71441,2226     | Put another log
marc@tanda.isis.org    | NC FreeNet: aa185  | on the fire.
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.0

mQBNAiqxYTkAAAECALfeHYp0yC80s1ScFvJSpj5eSCAO+hihtneFrrn+vuEcSavh
AAUwpIUGyV2N8n+lFTPnnLc42Ms+c8PJUPYKVI8ABRG0I01hcmMgVGhpYmF1bHQg
PG1hcmNAdGFuZGEuaXNpcy5vcmc+
=HLnv
-----END PGP PUBLIC KEY BLOCK-----

Newsgroup: sci.crypt document_id: 15173
From: grady@netcom.com (1016/2EF221)
Subject: SOURCE to Macintosh PGP 2.2 in C available

*** SOURCE code to Macintosh PGP 2.2 now available via anonymous FTP ***

FTP netcom.com
CD pub/grady
MGET MacPGP2.2src.sea.hqx
MGET MacPGP2.2srcSIGNATURE

Convert to a Compact Pro self-extracting archive with BinHex 4.0.  If
appropriate, check the digital signature of the .hqx file with your copy
of PGP.  (Non-Macintosh users wishing to check the digital signature
please note that 'CR' denotes the end-of-line on a Macintosh, not 'LF' or
'CRLF'.)

For the purposes of the ITAR act, this 'unclassified technical
documentation' is hereby released into the public domain.  (However no
representation is made as to copyright or other commercial rights that
may exist in this package.)

Full source code, Symantec THINK C 5.0.4 projects and full user
documentation is included for both 68020 and 68000 versions of Pretty
Good Privacy, a strong public key encryption and digital signature
application using the RSA algorithm patented in the United States and the
IDEA cipher patented in Switzerland.

No executables are included.  Executables are available via anonymous FTP
from:

  leif.thep.lu.se        (Sweden)
  night.nig.ac.jp        (Japan)
  van-bc.wimsey.bc.ca    (Canada)
  soda.berkeley.edu      (P.R. of Berkeley)
  src.doc.ic.ac.uk       (United Kingdom)
  ghost.dsi.unimi.it     (Italy)
  plaza.aarnet.edu.au    (Australia)
  nic.funet.fi           (Finland)

Others' public keys are available from anonymous server sites:
(Send message subject "help" for more information.)

Internet sites:

  pgp-public-keys@junkbox.cc.iastate.edu
    Michael Graff  explorer@iastate.edu
    FTP: tbird.cc.iastate.edu:/usr/explorer/public-keys.pgp

  pgp-public-keys@toxicwaste.mit.edu
    Derek Atkins  warlord@MIT.EDU
    FTP: toxicwaste.mit.edu:/pub/keys/public-keys.pgp

  pgp-public-keys@phil.utmb.edu
    John Perry  perry@phil.utmb.edu
    FTP: phil.utmb.edu:/pub/pgp/public-keys.pgp

  pgp-public-keys@demon.co.uk
    Mark Turner  mark@demon.co.uk
    FTP: ftp.demon.co.uk:/pub/pgp/pubring.pgp

UUCP site:

  pgp-public-keys@jpunix.com
    John Perry  perry@jpunix.com

The executable application built from these sources has NOT been licensed
by RSA Data Security, Inc. nor has the RSA public key algorithm or the
IDEA block cipher algorithm been approved by the National Security Agency.
This unclassified technical documentation is made available for
EDUCATIONAL USE ONLY; possession, distribution, or use of an executable
binary built from this source may be a civil or criminal offense.

Suggested improvements, bugs, or comments should be directly posted to
alt.security.pgp or to the principal developers listed among the source
documents.  General questions and comments about public key cryptography
or the IDEA cipher may be posted to alt.security.pgp or to the sci.crypt
Usenet groups.

--
grady@netcom.com  2EF221 / 15 E2 AD D3 D1 C6 F3 FC  58 AC F7 3D 4F 01 1E 2F

Newsgroup: sci.crypt document_id: 15174
From: kadie@cs.uiuc.edu (Carl M Kadie)
Subject: Re: Fifth Amendment and Passwords

ashall@magnus.acs.ohio-state.edu (Andrew S Hall) writes:

>I am positive someone will correct me if I am wrong, but doesn't the Fifth
>also cover not being forced to do actions that are self-incriminating?
[...]

[From Mike Godwin, posted with permission - Carl]

Sadly, it does not.  Suspects can be compelled to give handwriting and voice
exemplars, and to take blood and DNA tests.

> e.g. The police couldn't demand that you silently take them to where the
> body is buried or where the money is hidden.
No, but they could compell you to produce the key to a safe where, as it happens, evidence that will convict you is stored. The crypto-key disclosure issue hasn't come up yet, but current law suggests that it's a loser for the defendant--he'll be compelled to turn over the key. The test for compelled self-incrimination is whether the material to be disclosed *in itself* tends to inculpate the discloser. In the example I gave above, the safe key itself has no testimonial value--ergo, it can be disclosed under compulsion (e.g., subpoena duces tecum). Moreover, the government can always immunize the disclosure of a crypto key--compelling you to disclose the key at the price of not using the fact of your disclosure as evidence in the case against you. Of course, they can use whatever they discover as a result of this disclosure against you. --Mike -- Carl Kadie -- I do not represent any organization; this is just me. = kadie@cs.uiuc.edu = Newsgroup: sci.crypt document_id: 15175 From: bob@natasha.portal.com (Bob Cain) Subject: Re: Pgp, PEM, and RFC's (Was: Cryptography Patents) Charles Kincy (ckincy@cs.umr.edu) wrote: : : All I have to say is...yeah, right. If you're willing to pay them : mucho big bucks and/or use the routines *they* tell you to do. : Doesn't sound very reasonable to me. All I have to say is this is full of shit. I have negotiated a license and the bucks are incredibly reasonable with an upfront charge on a sliding scale depending on your capitalization. If you are a startup and can't afford it you can't afford to start up in the first place. Why do people insist on making unequivocal statements about that which they know nothing. : : But I don't guess PKP and RSA are interested in big bucks. Maybe : they have some other agenda? Secure communications only for : government agents, perhaps? Have you considered treatment for paranoia? The government is the single biggest thorn in RSA's side. : : Some limitation. 
: Let me guess: don't use the code in any way PKP or
: RSA doesn't like....such as...providing secure communications for the
: average citizen.

That was exactly its purpose if you know anything about it. There is nothing at all preventing the average citizen using it, only selling it.

:
: I hope my cynicism is misplaced here. Go ahead...I'm not afraid to
: be wrong every once in a while. But, I have an uneasy feeling that I
: am right. :(

It is and you are wrong yet you emotionally state a bunch of crap as fact with a tiny disclaimer at the end. Check your facts first and grow up. Why is there such a strong correlation between interest in cryptography and immaturity I wonder.

Bob Cain (normally rcain@netcom.com)

Newsgroup: sci.crypt document_id: 15176
From: ld231782@longs.lance.colostate.edu (L. Detweiler)
Subject: Privacy & Anonymity on the Internet FAQ (1 of 3)
Archive-name: net-privacy/part1
Last-modified: 1993/3/3
Version: 2.1

IDENTITY, PRIVACY, and ANONYMITY on the INTERNET
================================================

(c) 1993 L. Detweiler. Not for commercial use except by permission from author, otherwise may be freely copied. Not to be altered. Please credit if quoted.

SUMMARY
=======

Information on email and account privacy, anonymous mailing and posting, encryption, and other privacy and rights issues associated with use of the Internet and global networks in general.

(Search for <#.#> for exact section. Search for '_' (underline) for next section.)

PART 1
======
(this file)

Identity
--------

<1.1> What is `identity' on the internet?
<1.2> Why is identity (un)important on the internet?
<1.3> How does my email address (not) identify me and my background?
<1.4> How can I find out more about somebody from their email address?
<1.5> Why is identification (un)stable on the internet?
<1.6> What is the future of identification on the internet?

Privacy
-------

<2.1> What is `privacy' on the internet?
<2.2> Why is privacy (un)important on the internet?
<2.3> How (in)secure are internet networks?
<2.4> How (in)secure is my account?
<2.5> How (in)secure are my files and directories?
<2.6> How (in)secure is X Windows?
<2.7> How (in)secure is my email?
<2.8> How am I (not) liable for my email and postings?
<2.9> How do I provide more/less information to others on my identity?
<2.10> Who is my sysadmin? What does s/he know about me?
<2.11> Why is privacy (un)stable on the internet?
<2.12> What is the future of privacy on the internet?

Anonymity
---------

<3.1> What is `anonymity' on the internet?
<3.2> Why is `anonymity' (un)important on the internet?
<3.3> How can anonymity be protected on the internet?
<3.4> What is `anonymous mail'?
<3.5> What is `anonymous posting'?
<3.6> Why is anonymity (un)stable on the internet?
<3.7> What is the future of anonymity on the internet?

PART 2
======
(next file)

Resources
---------

<4.1> What UNIX programs are related to privacy?
<4.2> How can I learn about or use cryptography?
<4.3> What is the cypherpunks mailing list?
<4.4> What are some privacy-related newsgroups? FAQs?
<4.5> What is internet Privacy Enhanced Mail (PEM)?
<4.6> What are other Request For Comments (RFCs) related to privacy?
<4.7> How can I run an anonymous remailer?
<4.8> What are references on privacy in email?
<4.9> What are some email, Usenet, and internet use policies?
<4.10> What is the MIT ``CROSSLINK'' anonymous message TV program?

Miscellaneous
-------------

<5.1> What is ``digital cash''?
<5.2> What is a ``hacker'' or ``cracker''?
<5.3> What is a ``cypherpunk''?
<5.4> What is `steganography' and anonymous pools?
<5.5> What is `security through obscurity'?
<5.6> What are `identity daemons'?
<5.7> What standards are needed to guard electronic privacy?

Issues
------

<6.1> What is the Electronic Frontier Foundation (EFF)?
<6.2> Who are Computer Professionals for Social Responsibility (CPSR)?
<6.3> What was `Operation Sun Devil' and the Steve Jackson Game case?
<6.4> What is Integrated Services Digital Network (ISDN)?
<6.5> What is the National Research and Education Network (NREN)?
<6.6> What is the FBI's proposed Digital Telephony Act?
<6.7> What other U.S. legislation is related to privacy on networks?
<6.8> What are references on rights in cyberspace?
<6.9> What is the Computers and Academic Freedom (CAF) archive?

Footnotes
---------

<7.1> What is the background behind the Internet?
<7.2> How is Internet `anarchy' like the English language?
<7.3> Most Wanted list
<7.4> Change history

PART 3
======
(last file)

Anonymizing
-----------

<8.1> What are some known anonymous remailing and posting sites?
<8.2> What are the responsibilities associated with anonymity?
<8.3> How do I `kill' anonymous postings?
<8.4> What is the history behind anonymous posting servers?
<8.5> What is the value of anonymity?
<8.6> Should anonymous posting to all groups be allowed?
<8.7> What should system operators do with anonymous postings?
<8.8> What is going on with anon.penet.fi maintained by J. Helsingius?

* * *

IDENTITY
========

_____
<1.1> What is `identity' on the internet?

Generally, today people's `identity' on the internet is primarily determined by their email address in the sense that this is their most unchanging 'face' in the electronic realm. This is your login name qualified by the complete address domain information, for example ``ld231782@longs.lance.colostate.edu''. People see this address when receiving mail or reading USENET posts from you and in other situations where programs record usage. Some obsolete forms of addresses (such as BITNET) still persist.

In email messages, additional information on the path that a message takes is prepended to the message received by the recipient. This information identifies the chain of hosts involved in the transmission and is a very accurate trace of its origination. This type of identify-and-forward protocol is also used in the USENET protocol to a lesser extent.
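How a recipient can walk the prepended path information just described, as an added example that is not part of the FAQ. It is written in Python; the two messages and every host name in it are constructed for the example, and the chain-consistency check it applies is a heuristic assumed here, not a rule stated in the FAQ.

```python
"""Follow the chain of Received: headers prepended to a mail message.

Added example for section <1.1>, not code from the FAQ.  Each host that
relays a message prepends its own "Received: from A by B" line, so the
newest line is at the top and the chain is read bottom-up to trace the
message back toward its origin.  The two sample messages and all host
names below are constructed for this example.
"""
import re
from typing import List, Optional, Tuple

# "from <host> ... by <host>"; comments and ids between them are skipped over.
RECEIVED_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", re.IGNORECASE | re.DOTALL)

Hop = Tuple[str, str]  # (host the line claims to have received from, host that wrote it)


def unfold_headers(raw: str) -> List[str]:
    """Return the message's header fields, joining RFC 822 continuation
    lines (lines that begin with whitespace) onto the field they continue."""
    fields: List[str] = []
    for line in raw.split("\n\n", 1)[0].splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1] += " " + line.strip()
        else:
            fields.append(line)
    return fields


def hops(raw: str) -> List[Hop]:
    """(from, by) pairs from the Received: lines, oldest hop first, i.e. in
    the order the message actually travelled."""
    found: List[Hop] = []
    for field in unfold_headers(raw):
        name, _, body = field.partition(":")
        if name.strip().lower() != "received":
            continue
        match = RECEIVED_RE.search(body)
        if match:
            found.append((match.group(1).strip("()[];,"),
                          match.group(2).strip("()[];,")))
    found.reverse()  # the top-most (newest) line is the final hop
    return found


def first_break(chain: List[Hop]) -> Optional[int]:
    """Consistency check (a heuristic assumed by this example, not a rule
    stated in the FAQ): each hop's 'from' host should be the host that
    wrote the previous hop's 'by'.  Walking back from the recipient's own
    line, return the index of the first hop that does not match, or None
    if the whole chain is consistent.  Hops before that index arrived
    already written by an upstream host and cannot be vouched for."""
    for i in range(len(chain) - 1, 0, -1):
        if chain[i][0].lower() != chain[i - 1][1].lower():
            return i
    return None


def origin(raw: str) -> str:
    """Host named as the source by the oldest Received: line."""
    chain = hops(raw)
    return chain[0][0] if chain else ""


# Constructed sample: a consistent three-hop chain from a workstation to the recipient.
CONSISTENT = """\
Received: from relay.example.edu (relay.example.edu [192.0.2.7])
    by mailhost.example.org (8.6.9/8.6.9) with SMTP id AA12345
    for <user@example.org>; Wed, 3 Mar 1993 10:05:12 -0700
Received: from ws.cs.example.edu by relay.example.edu (4.1/SMI-4.1)
    id AA04711; Wed, 3 Mar 1993 10:04:58 -0700
Received: from localhost by ws.cs.example.edu id AA00123;
    Wed, 3 Mar 1993 10:04:30 -0700
From: someone@cs.example.edu
To: user@example.org
Subject: constructed sample

(body)
"""

# Constructed sample: the recipient's host really took the message from
# ws.cs.example.edu, but two older lines claim an unrelated earlier path.
SUSPECT = """\
Received: from ws.cs.example.edu by mailhost.example.org id AA12346;
    Wed, 3 Mar 1993 11:00:00 -0700
Received: from beta.example.net by gamma.example.net id AA00002;
    Wed, 3 Mar 1993 10:59:00 -0700
Received: from alpha.example.net by beta.example.net id AA00001;
    Wed, 3 Mar 1993 10:58:00 -0700
From: nobody@alpha.example.net
To: user@example.org

(body)
"""

if __name__ == "__main__":
    for label, msg in (("consistent", CONSISTENT), ("suspect", SUSPECT)):
        chain = hops(msg)
        print(label, "origin:", origin(msg), "break at:", first_break(chain))
        for frm, by in chain:
            print("   ", frm, "->", by)
```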
Forging these fields requires corrupted mailing software at sites involved in the forwarding and is very uncommon. Not so uncommon is forging the chain at the origination point, so that all initial sites in the list are faked at the time the message is created. Tracing these messages can be difficult or impossible when the initial faked fields are names of real machines and represent real transfer routes.

_____
<1.2> Why is identity (un)important on the internet?

The concept of identity is closely intertwined with communication, privacy, and security, which in turn are all critical aspects of computer networks. For example, the convenience of communication afforded by email would be impossible without conventions for identification. But there are many potential abuses of identity that can have very severe consequences, with massive computer networks at the forefront of the issue; such networks can potentially either exacerbate or solve these problems.

Verifying that an identity is correct is called `authentication', and one classic example of the problems associated with it is H.G. Wells' ``War of the Worlds'' radio broadcast that fooled segments of the population into thinking that an alien invasion was in progress. Hoaxes of this order are not uncommon on Usenet, and forged identities make them more insidious. People and their reputations can be assaulted by forgery.

However, the fluidity of identity on the internet is for some one of its most attractive features. Identity is just as useful as it is harmful. A professor might carefully explain a topic until he finds he is talking to an undergraduate. A person of a particular occupation may be able to converse with others who might normally shun him. Some prejudices are erased, but, on the other hand, many prejudices are useful! A scientist might argue he can better evaluate the findings of a paper as a reviewer if he knows more about the authors.
Likewise, he may be more likely to reject it based on unfair or irrelevant criteria. On the other side of the connection, the author may find identities of reviewers useful in exerting pressure for acceptance.

Identity is especially crucial in establishing and regulating `credit' (not necessarily financial) and `ownership' and `usage'. Many functions in society demand reliable and accurate techniques for identification. Heavy reliance will be placed on digital authentication as global economies become increasingly electronic. Many government functions and services are based on identification, and law enforcement frequently hinges on it. Hence, employees of many government organizations push toward stronger identification structures. But when does identification invade privacy?

The growth of the internet is provoking social forces of massive proportions. Decisions made now on issues of identity will affect many future users, especially as the network becomes increasingly global, universal, widespread, and entrenched; and the positive or adverse effects of these actions, intended and inadvertent, will literally be magnified exponentially.

_____
<1.3> How does my email address (not) identify me and my background?

Your email address may contain information that influences people's perceptions of your background. The address may `identify' you as from a department at a particular university, an employee at a company, or a government worker. It may contain your last name, initials, or cryptic identification codes independent of both. In the US some are based on parts of social security numbers. Others are in the form 'u2338' where the number is incremented in the order that new users are added to the system. Standard internet addresses also can contain information on your broad geographical location or nationhood. However, none of this information is guaranteed to be correct or be there at all.
The fields in the domain qualification of the username are based on rather arbitrary organization, such as (mostly invisible) network cabling distributions. The only point to make is that early fields in the address are more specific (such as specific computer names or local networks) and the later ones the most general (such as continental domains). Typically the first field is the name of the computer receiving mail. Gleaning information from the email address alone is sometimes an inspired art or an inconsistent and futile exercise. (For more information, see the FAQs on email addresses and known geographical distributions below.) However, UNIX utilities exist to aid in the quest (see the question on this).

Common Suffixes
---------------

.us   United States
.uk   United Kingdom
.ca   Canada
.fi   Finland
.au   Australia
.edu  university or college
.com  commercial organization
.org  'other' (e.g. nonprofit organization)
.gov  government
.mil  military site

_____
<1.4> How can I find out more about somebody with a given email address?

One simple way is to send email to that address, asking. Another way is to send mail to the postmaster at that address (i.e. postmaster@address), although the postmaster's job is more to help find user ID's of particular people given their real name and to solve mail routing problems. The sysadmin (i.e. `root@address') may also be able to supply information. Users with related email addresses may have information. However, all of these methods rely on the time and patience of others, so use them minimally.

One of the most basic tools for determining identity over the internet is the UNIX utility 'finger'. The basic syntax is:

    finger user@here.there.everywhere

This utility uses communication protocols to query the computer named in the address for information on the user named. The response is generated completely by the receiving computer and may be in any format.
Possible responses are as follows:

- A message `unknown host' meaning some aspect of the address is incorrect, two lines with no information and '???'.

- A message 'In real life: ???' in which case the receiving computer could not find any kind of a match on the username. The finger utility may return this response in other situations.

- A listing of information associated with multiple users. Some computers will search only for matching user IDs, others will attempt to find the username you specified as a substring of all actual full names of users kept in a local database.

At some sites 'finger' can be used to get a list of all users on the system with a `finger @address'. In general this is often considered weak security, however, because it hands `attackers' a list of valid user ID's to use when trying to `crack' passwords. More information on the fields returned by `finger' is given below. More information on `finger' and locating people's email addresses is given in the email FAQ (such as the WHOIS lookup utility).

Just as you can use these means to find out about others, they can use them to find out about you. You can `finger' yourself to find out what is publicly reported by your UNIX system about you. Be careful when modifying `finger' data; virtually anyone with internet access worldwide can query this information.

In one amazing case, the New York Times writer J. Markoff uncovered the identity of R. Morris, author of the Internet Worm, through the use of an anonymous tip and 'finger'. See the book Cyberspace by K. Hafner and J. Markoff.

_____
<1.5> Why is identification (un)stable on the internet?

Generally, identity is an amorphous and almost nonexistent concept on the Internet for a variety of reasons. One is the inherent fluidity of `cyberspace' where people emerge and submerge frequently, and absences are not readily noted in the `community'. Most people remember faces and voices, the primary means of casual identification in the 'real world'.
The arbitrary and cryptic sequences of letters and digits comprising most email addresses are not particularly noticeable or memorable and are far from a unique identification of an individual, who may use multiple accounts on multiple machines anywhere in the world.

Currently internet users do not really have any great assurances that the messages in email and USENET are from who they appear to be. A person's mailing address is far from an identification of an individual.

- Anyone with access to the account, e.g. they know the password, either legitimately or otherwise, can send mail with that address in the From: line.

- Email addresses for an individual tend to change frequently as they switch jobs or make moves inside their organizations.

- As part of current mailing protocol standards, forging the From: line in mail messages is a fairly trivial operation for many hackers. The status and path information prepended to messages by intermediate hosts is generally unforgeable. In general, while possible, forgeries are fairly rare on most newsgroups and in email.

Besides these pathological cases above there are many basic problems with today's internet protocols affecting identification on the internet:

- Internet mail standards, described in RFC-822, are still evolving rapidly and not entirely in an orderly fashion. For example, standards for mail address `munging' or `parsing' tend to vary slightly between sites and frequently mean the difference between finding addresses and bouncing mail.

- Domain names and computer names are frequently changed at sites, and there are delays in the propagation of this data.

- Addresses cannot be resolved when certain critical computers crash, such as the receiving computer or other computers involved in resolving names into addresses, called `nameservers'.
- A whole slew of problems is associated with `nameservers'; if they are not updated they will not find name addresses, and even the operation of what constitutes `updating' has different interpretations at different sites.

The current internet mailing and addressing protocols are slightly anachronistic in that they were created when the network was somewhat obscure and not widespread, with only a fraction of the traffic it now sees. Today a large proportion of internet traffic is email, comprising millions of messages.

_____
<1.6> What is the future of identification on the internet?

Some new technologies and standards are introducing facial images and voice messages into mail, and these will improve the sense of community that comes from the familiarity of identification. However, they are not currently widespread, require large amounts of data transfer and standardized software, and make some compromises in privacy.

Promising new cryptographic techniques may make 'digital signatures' and 'digital authentication' common (see below). Also, the trend in USENET standards is toward greater authentication of posted information. On the other hand, advances in ensuring anonymity (such as remailers) are forthcoming. See below.

PRIVACY
=======

_____
<2.1> What is `privacy' on the internet?

Generally, while `privacy' has multiple connotations in society and perhaps even more on the internet, in cyberspace most take it to mean that you have exclusive use and access to your account and the data stored on and directed to it (such as email), and you do not encounter arbitrary restrictions or searches. In other words, others may obtain data associated with your account, but not without your permission. These ideas are probably both fairly limiting and liberal in their scope in what most internet users consider their private domains. Some users don't expect or want any privacy, some expect and demand it.

_____
<2.2> Why is privacy (un)important on the internet?
This is a somewhat debatable and inflammatory topic, arousing passionate opinions. On the internet, some take privacy for granted and are rudely surprised to find it tenuous or nonexistent. Most governments have rules that protect privacy (such as the illegal search and seizure clause of the U.S. constitution, adopted by others) but have many that are antithetical to it (such as laws prohibiting secret communications or allowing wiretapping). These rules generally carry over to the internet with few specific rules governing it. However, the legal repercussions of the global internet are still largely unknown and untested (i.e. no strong legal precedents and court cases). The fact that internet traffic frequently crosses international boundaries, and is not centrally managed, significantly complicates and strongly discourages its regulation.

_____
<2.3> How (in)secure are internet networks?

- `Theoretically' people at any site in the chain of sites with access to hardware and network media that transmits data over the Internet could potentially monitor or archive it. However, the sheer volume and general 'noise' inherent to this data makes these scenarios highly improbable, even by government agencies with supposedly vast funding and resources.

- Technologies exist to `tap' magnetic fields given off by electrical wires without detection. Less obscurely, any machine with a network connection is a potential station for traffic detection, but this scenario requires knowledge and access to very low-level hardware (the network card) to pursue, if even possible.

- A company, Network General Inc., is one of many that manufactures and markets sophisticated network monitoring tools that can 'filter' and read packets by arbitrary criteria for troubleshooting purposes, but the cost of this type of device is prohibitive for casual use.

Known instances of the above types of security breaches at a major scale (such as at network hubs) are very rare.
The greatest risks tend to emerge locally. Note that all these approaches are almost completely defused with the use of cryptography.

_____
<2.4> How (in)secure is my account?

By default, not very. There are a multitude of factors that may reinforce or compromise aspects of your privacy on the internet. First, your account must be secure from other users. The universal system is to use a password, but if it is `weak' (i.e. easy to guess) this security is significantly diminished. Somewhat surprisingly and frighteningly to some, certain users of the system, particularly the administrator, generally have unlimited access regardless of passwords, and may grant that access to others. This means that they may read any file in your account without detection.

Furthermore, not universally known, most UNIX systems keep fairly extensive accounting records of when and where you logged in, what commands you execute, and when they are executed (in fact, login information is usually public). Most features of this `auditing' or `process accounting' information are enabled by default after the initial installation, and the system administrator may customize it to strengthen or weaken it to satisfy performance or privacy aims. This information is frequently consulted for troubleshooting purposes and may otherwise be ignored. This data tracks unsuccessful login attempts and other 'suspicious' activities on the system. A traditional part of the UNIX system that tracks user commands is easily circumvented by the user with the use of symbolic links (described in 'man ln'). UNIX implementations vary widely, particularly in tracking features, and new sophisticated mechanisms are introduced by companies regularly. Typically system administrators augment the basic UNIX functionality with public-domain programs and locally-developed tools for monitoring, and use them only to isolate `suspicious' activity as it arises (e.g.
remote accesses to the 'passwd' file, incorrect login attempts, remote connection attempts, etc.).

Generally, you should expect little privacy on your account for various reasons:

- Potentially, every keystroke you type could be intercepted by someone else.

- System administrators make extensive backups that are completely invisible to users, which may record the states of an account over many weeks.

- Erased files can, under many operating systems, be undeleted.

- Most automated services keep logs of use for troubleshooting or otherwise; for example FTP sites usually log the commands and record the domain originations of users, including anonymous ones.

- Some software exacerbates these problems. See the section on ``X Windows (in)security''.

Independent of malevolent administrators are fellow users, a much more commonly harmful threat. There are multiple ways to help ensure that your account will not be accessed by others, and compromises can often be traced to failures in these guidelines:

- Choose a secure password. Change it periodically.

- Always make sure to log out.

- Do not leave a machine unattended for long.

- Make sure no one watches you when you type your password.

- Avoid password references in email.

- Be conservative in the use of the .rhosts file.

- Use utilities like `xlock' to protect a station, but be considerate.

Be wary of situations where you think you should supply your password. There are only a few basic situations in which UNIX prompts you for a password: when you are logging in to a system or changing your password. Situations can arise in which prompts for passwords are forged by other users, especially in cases where you are talking to them (such as Internet Relay Chat). Also, be aware that forged login screens are one method to illegitimately obtain passwords.

(Thanks to Jim Mattson for contributions here.)

_____
<2.5> How (in)secure are my files and directories?
The most important privacy considerations are related to file rights, and many lapses can be traced to their misunderstood nature or haphazard maintenance. Be aware of the rights associated with your files and directories in UNIX. If the `x' (`execute') right on your parent directory is off for users, groups, and other, these users cannot gain information on anything in your directories. Anything less may allow others to read, change, or even delete files in your home directory. The rights on a directory supersede the rights associated with files in that directory. For a directory, 'x' means that access to the files (or subdirectories) in the directory is possible -- if you know their names. To list the contents of the directory, however, requires the 'r' right.

By default most accounts are accessible only to the owner, but the initial configuration varies between sites based on administrator preference. The default file mode specifies the initial rights associated with newly created files, and can be set in the shell with `umask'. The details of rights implementations tend to vary between versions of UNIX. Consult man pages on `chmod' and `ls'.

Examples
--------

    traver.lance % ls -ld ~
    drwx------ 15 ld231782     1536 Jan 31 21:22 /users/ld231782/

Here is a listing of the rights associated with a user's home directory, denoted by `~'. The columns at the left identify what rights are available. The first column identifies the entry as a directory, and the next three columns mean that read, write, and execute rights, respectively, are permitted for that user. For directories, the `x' right means that contents (file and subdirectory names) within that directory can be listed. The subsequent columns indicate that no other users have any rights to anything in the directory tree originating at that point. They can't even `see' any lower files or subdirectories; the hierarchy is completely invisible to them.
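A model of the directory and file rights rules stated above, written as an added example for this section (it is not code from the FAQ). Given `ls -l' style mode strings for a directory and a file inside it, it predicts which of the commands this section's examples use will succeed for an ordinary (non-root) user, and shows the mode a new file receives under a given `umask'; the command names and mode strings are the ones this section uses.

```python
"""Model of the UNIX file and directory rights rules from section <2.5>.

Added example, not code from the FAQ.  It reads `ls -l' style mode strings
such as "drwx------" and predicts, for a user in one of the three classes
(user, group, other), which of the commands used in the FAQ's examples will
succeed.  It also shows what a `umask' setting does to a new file's mode.
Root bypasses these checks entirely, so the model applies to ordinary users.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet

CLASSES = ("user", "group", "other")


@dataclass(frozen=True)
class Mode:
    kind: str                          # 'd' directory, '-' regular file, etc.
    rights: Dict[str, FrozenSet[str]]  # class -> subset of {'r', 'w', 'x'}


def parse_mode(mode: str) -> Mode:
    """Split a 10-character mode string like "drwxr-x--x" into its parts.
    The setuid/setgid/sticky letters s and t imply execute; S and T do not."""
    if len(mode) != 10:
        raise ValueError(f"expected a 10-character mode string, got {mode!r}")
    rights: Dict[str, FrozenSet[str]] = {}
    for cls, off in zip(CLASSES, (1, 4, 7)):
        bits = set()
        if mode[off] == "r":
            bits.add("r")
        if mode[off + 1] == "w":
            bits.add("w")
        if mode[off + 2] in "xst":
            bits.add("x")
        rights[cls] = frozenset(bits)
    return Mode(mode[0], rights)


def predict(dir_mode: str, file_mode: str, who: str) -> Dict[str, bool]:
    """Which of the FAQ's example commands succeed for `who' against a
    directory `foo' holding a file `file' whose name is already known."""
    d = parse_mode(dir_mode).rights[who]
    f = parse_mode(file_mode).rights[who]
    can_list = "r" in d    # read the directory's list of names
    can_search = "x" in d  # reach an entry inside the directory by name
    return {
        "ls foo": can_list,
        "ls -l foo": can_list and can_search,  # names, then stat() of each entry
        "ls -l foo/file": can_search,          # stat() of a known name needs only x
        "cat foo/file": can_search and "r" in f,
        "cd foo": can_search,
    }


def mode_string(bits: int, directory: bool = False) -> str:
    """Render numeric permission bits (e.g. 0o644) the way `ls -l' does."""
    out = "d" if directory else "-"
    for shift in (6, 3, 0):
        triple = (bits >> shift) & 0o7
        out += "r" if triple & 4 else "-"
        out += "w" if triple & 2 else "-"
        out += "x" if triple & 1 else "-"
    return out


def new_mode(umask: int, directory: bool = False) -> str:
    """Mode a newly created file (from 0666) or directory (from 0777) gets
    after the shell's umask clears every bit that is set in the mask."""
    base = 0o777 if directory else 0o666
    return mode_string(base & ~umask, directory)


if __name__ == "__main__":
    # The three directory modes discussed in this section, seen by `other'.
    for dir_mode in ("dr--r--r--", "d--x--x--x", "drwx------"):
        print(dir_mode, predict(dir_mode, "-rw-r--r--", "other"))
    print("umask 022 ->", new_mode(0o022), new_mode(0o022, True))
```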
    traver.lance % ls -l msg
    -rw-r--r--  1 ld231782    35661 Jan 29 23:13 msg
    traver.lance % chmod u=rw,g=,o= msg
    traver.lance % ls -l msg
    -rw-------  1 ld231782    35661 Jan 29 23:13 msg

Here the modes on the file `msg' were changed to take away rights from `group' and `other'. Note that `ls -l' requires both the 'r' right to get the list of files and subdirectories, and the 'x' right to access the files and subdirectories in order to get their size, etc.

For example, suppose the directory `foo' has rights dr--r--r--; the following is possible:

    ls foo

These commands would fail independent of file rights:

    ls -l foo
    ls -l foo/file
    cat foo/file
    cd foo

If the directory `foo' has rights d--x--x--x, the following are possible if it is known beforehand that `foo' contains an 'r' readable file named `file':

    ls -l foo/file
    cat foo/file
    cd foo

The following commands fail:

    ls foo
    ls -l foo

(Thanks to Uwe Waldmann for contributions here.)

_____
<2.6> How (in)secure is X Windows?

X Windows is the primary software developed by the MIT Athena project which is funded by U.S. government grants to develop applications to harness the power of networks in enhancing computational tasks, particularly the human-computer interface. The software implements a client-server interface to a computer via graphical windows. In this case the `client' is the application requesting or utilizing graphical resources (such as windows or a mouse) and the `server' is the machine that provides them. In many situations the client is an application program running on the same machine as the server. The great utility of X Windows comes from its complete dissociation of the client and server so that windows may be `broadcast' to a server at a remote location from the client. Unfortunately this dynamic power also introduces many deep, intricate, and complicated security considerations.
The primary security and privacy issue associated with X Windows is that much more sensitive data may be sent over a network, and over wider regions, than in the case where the human is situated near the host computer. Currently there is no encryption of data such as screen updates and keystrokes in X Windows.

Due to either intentional design decisions or unintentional design flaws, early versions of the X Window system are extremely insecure. Anyone with an account on the server machine can disrupt that display or read it electronically based on access to the device unix:0.0 by any regular user. There are no protections from this type of access in these versions. The problem arises because the security is completely based on machine addresses rather than users, such that any user at a `trusted' machine is himself trusted. Quoting from X documentation (man Xsecurity):

> Any client on a host in the host access control list is allowed
> access to the X server. This system can work reasonably well in
> an environment where everyone trusts everyone, or when only a
> single person can log into a given machine...This system does not
> work well when multiple people can log in to a single machine and
> mutual trust does not exist.

With the access control list, the `xhost' command may prevent some naive attempts (i.e. those other than the direct-access unix:0.0 evasion); the syntax as typed on the host machine is ``xhost +[name]'' where [name] is the domain name or internet address of an authorized client machine. By default clients running nonlocal to the host are disabled.

Public domain programs to disrupt a display momentarily (such as 'flip' or slowly mirror the screen image, or cause pixels to 'melt' down to the bottom) have been circulating on the internet among hackers for several years and played as pranks on unsuspecting or inexperienced users. Much more serious security breaches are conceivable from similar mechanisms exploiting these inherent weaknesses.
(The minimal, easily-bypassed `trusted' security mode of `xhost' has been jokingly referred to as ``X Hanging Open, Security Terrible.'')

New versions of the X Window system (X11R5 and higher) by default make server access as secure as the file system using a .Xauthority file and 'magic cookies'. Remote machines must have a code in the .Xauthority file in the home directory that matches the code allowed by the server. Many older programs and even new vendor-supplied code do not support or are incompatible with `magic cookies'. The basic magic cookie mechanism is vulnerable to the monitoring techniques described earlier because no encryption of keys occurs in transmission. X11R5 also includes other sophisticated encryption mechanisms. Try `man Xsecurity' to find out what is supported at your site. Even though improved security mechanisms have been available in X Windows since ~1990, local sites often update this software infrequently because installation is extremely complex.

(Thanks to Marc Vanheyningen, Jim Mattson, and Bill Marshall for contributions here.)

_____
<2.7> How (in)secure is my email?

By default, not very. The characters that you are reading are almost certainly encoded in ASCII, the American Standard Code for Information Interchange that maps alphabetic and symbolic characters onto numeric codes and vice versa. Virtually every computer system uses this code, and if not, has ways of converting to and from it. When you write a mail message, by default it is being sent in ASCII, and since the standard is virtually universal, there is no intrinsic privacy. Despite millennia worth of accumulated cryptographic knowledge, cryptographic technologies are only recently being established that afford high priority to privacy as a primary criterion in computer and network design.
Some potential pitfalls in privacy are as follows:

- The most serious threats are instances of immature or unscrupulous system operators reading private mail in the `spool files' at a local site (i.e. at the source or destination of the message), such as a university.

- System administrators may also release files to law enforcement agencies, but conventions and protocols for warrants involving computer searches have still not been strongly established and tested legally.

- Note that bounced messages go to postmasters at a given site in their entirety. This means that if you address mail with an incorrect address it has a good chance of being seen by a human other than the recipient.

- Typically new user accounts are always set up such that the local mail directory is private, but this is not guaranteed and can be overridden.

- Finally, be aware that some mailing lists (email addresses of everyone on a list) are actually publicly accessible via mail routing software mechanisms. This `feature' can be disabled.

Most potential compromises in email privacy can be thoroughly avoided with the use of strong end-to-end cryptography, which has its own set of caveats (for example, unscrupulous administrators may still be a threat if the encryption site is shared or nonlocal). See the sections on ``email privacy'' and ``email policies.''

_____
<2.8> How am I (not) liable for my email and postings?

As punishment or whatever, your system administrator can revoke certain `privileges' such as emailing, USENET posting or reading certain groups, file transferring, remote communications, or generally any subset of capabilities available from your account. This all is completely at the discretion of the local administrator and under the procedures followed at a particular site, which in many cases are haphazard and crisis-oriented.
Currently there are virtually no widespread, uniform guidelines or procedures for restricting use of any internet services, and local administrators are free to make arbitrary decisions on access. Today punitive measures are regularly applied in various situations. In the typical scenario complaint(s) reach a system administrator regarding abuses by a user, usually but not necessarily preceded by complaints to the user in email, regarding that person's objectionable email or postings. `Abusive' posters to USENET are usually first given admonitions from their system administrators as urged by others on the `net'. (The debate persists endlessly on many newsgroups whether this is also used as a questionable means of attacking or silencing `harmless crackpots' or censoring unpopular opinions.) System administrators at remote sites regularly cooperate to `squelch' severe cases of abuse.

In general, however, by tradition Usenet readers are remarkably tolerant of diverse views and uses of the system, but a colorful vocabulary of slang helps describe their alternatives when this patience is sapped: the options wielded by the individual user are to simply advance to the next message (referred to as ``hitting the `n' key''), or to `plonk' annoying posters (according to the Hacker's Dictionary, the sound a jerk makes at the end of a fall to the bottom of a kill file).

In cases where punitive actions are applied, generally system administrators are least likely to restrict email. USENET postings are much more commonly restricted, either to individual users or entire groups (such as a university campus). Restrictions are most commonly associated with the following `abuses':

- harassing or threatening notes, `email terrorism'
- illegal uses, e.g. piracy or propagation of copyrighted material
- `ad hominem' attacks, i.e. insulting the reputation of the poster instead of citing the content of the message
- intentional or extreme vulgarity and offensiveness
- inappropriate postings, esp. binary files in regular groups
- `mail-bombing': inundating mail boxes with numerous or massive files

Major problems originate from a lack of distinction between private and official email or postings. Most users have internet access via accounts at businesses or universities, and their activities on the internet can be construed as representative of their parent organizations. Many people put disclaimers in their `signatures' in an attempt to dissociate their identity and activities from parent organizations as a precaution. A recent visible political case involves the privacy of electronic mail written by White House staff members of the Bush administration. Following are some guidelines:

- Acquaint yourself with your company or university policy.
- If possible, avoid use of your company email address for private communication.
- Use a disclaimer.
- Keep a low profile (avoid `flamewars' or simply don't post).
- Avoid posting information that could be construed to be proprietary or `internal'.

The following references are available from ftp.eff.com (see also the section on ``internet use policies''):

/pub/academic/banned.1991
/pub/academic/banned.1992
--- Computer material that was banned/challenged in academia in 1991 and 1992, including USENET hierarchies.

/pub/academic/cases
--- This is an on-line collection of information about specific computers and academic freedom cases. File README is a detailed description of the items in the directory.

/pub/academic/faq/netnews.liability
--- Notes on university liability for Usenet.

_____
<2.9> How do I provide more/less information to others on my identity?

The public information on your identity and account is mostly available through the UNIX utility `finger' described above.
- You have control over most of this information with the utility `chfn'; the specifics vary between sites (on some systems use `passwd -f').
- You can provide unlimited information in the .plan file, which is copied directly to the destination during the fingering.
- A technique that works at some sites allows you to find out who is `finger'ing you and even to vary the .plan file sent to them.
- Your signature is determined by the environment variable SIGNATURE.
- USENET signatures are conventionally stored in the .signature file in your home directory.

Providing less information on your online identity is more difficult and involved. One approach is to ask your system administrator to change or delete information about you (such as your full name). You may be able to obtain access on a public account or one from someone unrelated to you personally. You may be able to remotely login (via modem or otherwise) to computers that you are not physically near. These are tactics for hiding or masking your online activities, but nothing is foolproof. Consult man pages on the `chmod' command and the default file mode. Generally, files on a shared system have good safeguards within the user pool, but very little protection is possible from corrupt system administrators.

To mask your identity in email or on USENET you can use different accounts. More untraceable are new `anonymous posting' and remailing services that are very recently being established. See below.

______
<2.10> Who is my sysadmin? What does s/he know about me?

The requirements and screening for getting a system administration job (and thereby access to all information on a system) vary widely between sites and are sometimes frighteningly lax, especially at universities. Many UNIX systems at universities are largely managed by undergraduates with a background in computing and often `hacking'.
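The `chmod' and default-file-mode advice of <2.9> above, worked through as an added example (not part of this FAQ): a small Python audit of the mode bits on the per-user files the FAQ names, .Xauthority, .forward, .signature and .plan, plus the home directory and the mail spool. The policy table and the constructed sample directory are this example's own; as <2.9> says, it shows what other local users can read or alter, not what root can do.

```python
"""Report which chmod-style permission bits (g+r, o+w, ...) are set on
the per-user files this FAQ names.  Added example, not part of the FAQ.
As <2.9> notes, none of this protects against root, who reads
everything regardless of mode bits.
"""
import os
import stat
import tempfile

BIT_NAMES = [
    (stat.S_IRGRP, "g+r"), (stat.S_IWGRP, "g+w"), (stat.S_IXGRP, "g+x"),
    (stat.S_IROTH, "o+r"), (stat.S_IWOTH, "o+w"), (stat.S_IXOTH, "o+x"),
]
NOBODY_ELSE = stat.S_IRWXG | stat.S_IRWXO      # owner-only
WRITE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH

# Bits that are a problem, per file (this example's own policy).  .plan
# is meant to be read by remote `finger' users, so only writes matter.
POLICY = {
    ".":           NOBODY_ELSE,      # the home directory itself
    ".Xauthority": NOBODY_ELSE,      # readable => X magic cookie exposed
    ".forward":    NOBODY_ELSE,      # writable => others redirect your mail
    ".signature":  NOBODY_ELSE,      # writable => others alter your sig
    ".plan":       WRITE_BY_OTHERS,  # finger shows it to the world anyway
}
SPOOL_POLICY = stat.S_IRWXO          # spool files are conventionally group `mail'


def bad_bits(mode, forbidden):
    """chmod-style names of the forbidden bits that are set in mode."""
    return [name for bit, name in BIT_NAMES if mode & forbidden & bit]


def audit(home, spool=None):
    """Return {name: [bad bits]} for each checked path that has a problem.

    Keys are the names in POLICY (the spool, if given, is keyed by its
    path).  Missing files are skipped; symbolic links are reported as
    such rather than followed.
    """
    targets = [(name, os.path.join(home, name), bits)
               for name, bits in POLICY.items()]
    if spool is not None:
        targets.append((spool, spool, SPOOL_POLICY))
    findings = {}
    for name, path, forbidden in targets:
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            continue
        if stat.S_ISLNK(st.st_mode):
            findings[name] = ["symlink"]
            continue
        bad = bad_bits(st.st_mode, forbidden)
        if bad:
            findings[name] = bad
    return findings


def demo():
    """Audit a constructed home directory with some deliberate mistakes."""
    home = tempfile.mkdtemp()                  # created mode 0700
    spool = os.path.join(tempfile.mkdtemp(), "mbox")
    constructed = {
        ".Xauthority": 0o644,   # world-readable: the cookie leaks
        ".forward":    0o600,   # fine
        ".signature":  0o600,   # fine
        ".plan":       0o646,   # world-writable: anyone edits what finger shows
    }
    for name, mode in constructed.items():
        path = os.path.join(home, name)
        with open(path, "w") as f:
            f.write("constructed sample\n")
        os.chmod(path, mode)
    with open(spool, "w") as f:
        f.write("From sample\n")
    os.chmod(spool, 0o660)                     # owner and group `mail': fine
    findings = audit(home, spool)
    for name, bits in sorted(findings.items()):
        print("%-12s %s" % (name, " ".join(bits)))
    return findings
```

Run `audit(os.path.expanduser("~"))` against a real home directory to see the same report for your own files.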
In general, commercial and industrial sites are more strict on qualifications and background, and government sites are extremely strict.

The system administrator (root user) can monitor what commands you used and at what times. S/he may have a record (backups) of files on your account over a few weeks. S/he can monitor when you send email or post USENET messages, and potentially read either. S/he may have access to records indicating what hosts you are using, both locally and elsewhere. Administrators sometimes employ specialized programs to track `strange' or `unusual' activity, which can potentially be misused.

______
<2.11> Why is privacy (un)stable on the internet?

For the numerous reasons listed above, privacy should not be an expectation with current use of the internet. Furthermore, large parts of the internet are funded by the U.S. NSF (National Science Foundation), which places certain restrictions on its use (such as prohibiting commercial use). Some high-level officials in this and other government agencies may be opposed to emerging techniques to guarantee privacy (such as encryption and anonymous services).

Historically the major threats to privacy on the internet have been local. Perhaps the most common example of this is the widespread occurrence of university administrators refusing to carry some portion of USENET newsgroups labelled as `pornographic'. The `alternative' hierarchy in the USENET system, which has virtually no restrictions on propagation and new group creation, is frequently targeted (although this material may appear anywhere). From the global point of view traffic is generally completely unimpeded on the internet and only the most egregious offenders are pursued. For example, verbatim transcriptions of copyrighted material (such as newspaper or magazine articles) are posted to USENET with regularity without major consequences (some email complaints may ensue).
More astonishing to some is that currently significant portions of USENET traffic, and less so internet traffic, are comprised of sexually-explicit digitized images almost entirely originating from copyrighted material (newsgroups such as `alt.sex' regularly have the highest traffic).

______
<2.12> What is the future of privacy on the internet?

Some argue that the internet currently has an adequate or appropriate level of privacy. Others will argue that as a prototype for future global networks it has woefully inadequate safeguards. The internet is growing to become a completely global, international superhighway for data, and this traffic will inevitably entail data such as voice messages, postal mail, and many other items of an extremely personal nature. Computer items that many people consider completely private (such as their local hard drives) will literally be inches from global network connections. Also, sensitive industrial and business information is exchanged over networks currently, and this volume may conceivably merge with the internet. Most would agree that, for these basic but sensitive uses of the internet, no significant mechanisms are currently in place to ensure much privacy.

New standards are calling for uniform introduction of `privacy enhanced mail' (PEM), which uses encryption technologies to ensure privacy, so that privacy protection is automatic, and may significantly improve safeguards. The same technology that can be extremely destructive to privacy (such as with surreptitious surveillance) can be overwhelmingly effective in protecting it (e.g. with encryption). Some government agencies are opposed to unlimited privacy in general, and believe that it should lawfully be forfeited in cases of criminal conduct (e.g. court-authorized wiretapping). However, powerful new technologies to protect privacy on computers are becoming increasingly popular, provoking some to say that ``the cat is out of the bag'' and the ``genie can't be put back in the bottle''. In less idiomatic terms, they believe that the spread of strong cryptography is already underway and will be socially and technically unstoppable. To date, no feasible system that guarantees both secure communication and government oversight has been proposed (the two goals are largely incompatible). Proposals for ``registration'' of secret keys (by D. Denning on sci.crypt, for example) have been met with hot controversy at best and ridicule and derision at worst, mainly because of concerns for the right to privacy and objections of inherent feasibility. Electronic privacy issues, and particularly the proper roles of networks and the internet, will foreseeably become highly visible and explosive over the next few years.

ANONYMITY
=========

_____
<3.1> What is `anonymity' on the internet?

Simply stated, anonymity is the absence of identity, the ultimate in privacy. However, there are several variations on this simple theme. A person may wish to be consistently identified by a certain pseudonym or `handle' and establish a reputation under it in some area, providing pseudo-anonymity. A person may wish to be completely untraceable for a single one-way message (a sort of `hit-and-run'). Or, a person may wish to be openly anonymous but carry on a conversation with others (with either known or anonymous identities) via an `anonymous return address'. A user may wish to appear as a `regular user' but actually be untraceable. Sometimes a user wishes to hide who he is sending mail to (in addition to the message itself). The anonymous item itself may be directed at individuals or groups. A user may wish to access some service and hide all signs of the association.
All of these uses are feasible on the internet but are currently tricky to carry out in practice, because of all the tracking mechanisms inherent to operating systems and network protocols. Officials of the NSF and other government agencies may be opposed to any of these uses because of the potential for abuse. Nevertheless, the inherent facelessness of large networks will always guarantee a certain element of anonymity.

_____
<3.2> Why is `anonymity' (un)important on the internet?

Anonymity is another powerful tool that can be beneficial or problematic depending on its use. Arguably the absence of identification is as important as its presence. It may be the case that many strong benefits from electronic anonymity will be discovered that were unforeseen and unpredicted, because true anonymity has been historically very difficult to establish.

One can use anonymity to make personal statements to a colleague that would sabotage a relationship if stated openly (such as employer/employee scenarios). One can use it to pass information and evade any threat of direct retribution. For example, `whistleblowers' reporting on government abuses (economic, social, or political) can bring issues to light without fear of stigma or retaliation. Sensitive, personal, potentially damaging information is often posted to some USENET groups, a risky situation where anonymity allows conversations to be carried on completely independent of the identities of the participants. Some police departments run phone services that allow anonymous reporting of crimes; such uses would be straightforward on the network. Unfortunately, extortion and harassment become more insidious with assurances of anonymity.

_____
<3.3> How can anonymity be protected on the internet?

The chief means, as alluded to above, are masking identities in email and posting. However, anonymous accounts (public accounts as accessible and anonymous as e.g. public telephones) may be effective as well, but this use is generally not officially supported and is even discouraged by some system administrators and NSF guidelines. The nonuniformity in the requirements for obtaining accounts at different sites and institutions makes anonymous accounts generally difficult for the public at large to obtain.

Many communications protocols are inherently detrimental to anonymity. Virtually every protocol in existence currently contains information on both sender and receiver in every packet. New communications protocols will likely develop that guarantee much higher degrees of secure anonymous communication.

_____
<3.4> What is `anonymous mail'?

One approach to `anonymizing' mail has been to set up an `anonymous server' that, when activated by email to its address, responds by allocating and supplying an `anonymous ID' that is unique to the person requesting it (based on his email address). This will vary for the same person for different machine address email originations. To send anonymous mail, the user sends email directed to the server containing the final destination. The server `anonymizes' the message by stripping off identification information and forwards the message, which then appears to originate only from the anonymous server, from the corresponding anonymous user ID. This is the `interactive' use of anonymity or pseudonymity mentioned above.

Another, more `fringe' approach is to run a `cypherpunk' remailer from a regular user account (no root system privileges are required). These are currently being pioneered by Eric Hughes and Hal Finney. The operator runs a process on a machine that anonymizes mail sent to him with certain characteristics that distinguish it from his regular incoming mail (typically fields in the header). One has been implemented as a PERL script running on UNIX.
Several of these are in existence currently, but sites and software currently are highly unstable; they may be in operation outside of system administrator knowledge. The remailers don't generally support anonymous return addresses. Mail that is incorrectly addressed is received by the operator. Generally the user of the remailer has to disavow any responsibility for the messages forwarded through his system, although he may actually be held liable regardless.

These approaches have several serious disadvantages and weaknesses:

- The anonymous server approach requires maintaining a mapping of anonymous IDs to real addresses that must be maintained indefinitely. One alternative is to allow `deallocation' of aliases at the request of the user, but this has not been implemented yet.
- Although an unlikely scenario, traffic to any of these sites could conceivably be monitored from the `outside', necessitating the use of cryptography for basic protection.
- Local administrators can shut them down either out of caprice or under pressure from local, network, or government agencies.
- Unscrupulous providers of the services can monitor the traffic that goes through them.
- Most remailers currently keep logs that may be inspected.
- The cypherpunk approach tends to be highly unstable because these operators are basically network users who do not own the equipment and are accountable to their own system administrators, who may be unaware of the use and unsympathetic to the philosophy of anonymity when the operation is discovered, regarding it as illicit use.
- In all cases, a high degree of trust is placed in the anonymous server operator by the user.

Currently the most direct route to anonymity involves using SMTP protocols to submit a message directly to a server with arbitrary field information. This practice, not uncommon to hackers, and the approach used by remailers, is generally viewed with hostility by most system administrators. Information in the header routing data and logs of network port connection information may be retained that can be used to track the originating site. In practice, this is generally infeasible and rarely carried out. Some administrators on the network will contact local administrators to request that a message be tracked and its writer admonished or punished more severely (such as revoking the account), all of this actually happening occasionally but infrequently. See the sections ``known anonymous mail and posting sites'' and ``responsibilities associated with anonymity''.

_____
<3.5> What is `anonymous posting'?

Anonymous servers have been established as well for anonymous Usenet posting, with all the associated caveats above (monitored traffic, capricious or risky local circumstances, logging). Make sure to test the system at least once by e.g. anonymously posting to misc.test (however some operators don't recommend this, because many sites `autorespond' to test messages, possibly causing the anonymous server to allocate anonymous IDs for those machines). See the ``responsibilities associated with anonymous posting'' before proceeding.

Another direct route involves using NNTP protocols to submit a message directly to a news server with arbitrary field information. This practice, not uncommon to hackers, is also generally viewed with hostility by most system administrators, and similar consequences can ensue. See the sections ``known anonymous mail and posting sites'' and ``responsibilities associated with anonymity''.

_____
<3.6> Why is anonymity (un)stable on the internet?

As noted, many factors compromise the anonymity currently available to the general internet community, and these services should be used with great caution. To summarize, the technology is in its infancy and current approaches are unrefined, unreliable, and not completely trustworthy. No standards have been established, and troubling situations of loss of anonymity and bugs in the software are prevalent.
Here are some encountered and potential bugs:

- One anonymous remailer reallocated already allocated anonymous return addresses.
- Others passed signature information embedded in messages unaltered.
- Address resolution problems resulting in anonymized mail bounced to a remailer are common.
- Forgeries to the anonymous server itself are a problem, possibly allowing unauthorized users to glean anon ID to email address mappings in the alias file. This can be remedied with the use of passwords.
- Infinite mail loops are possible with chaining remailers.

Source code is being distributed, tested, and refined for these systems, but standards are progressing slowly and weakly. The field is not likely to improve considerably without official endorsement and action by network agencies. The whole idea is essentially still in its infancy and viewed with suspicion and distrust by many on the internet, seen as illegitimate or favorable to criminality. The major objection to anonymity over regular internet use is the perceived lack of accountability to system operators, i.e. invulnerability to account restrictions resulting from outside complaints. System administrators at some sites have threatened to filter anonymous news postings generated by the prominent servers from their redistribution flows. This may only have the effect of encouraging server operators to create less characteristically detectable headers. Probably the least problematic approach, and the most traditional to Usenet, is for individual users to deal with anonymous mail however they prefer, e.g. ignoring it or filtering it with kill files.

_____
<3.7> What is the future of anonymity on the internet?

New anonymous protocols effectively serve to significantly increase safeguards of anonymity. For example, the same mechanism that routes email over multiple hosts, thereby threatening its privacy, can also be used to guarantee it. In a scheme called `chaining' an anonymous message is passed through multiple anonymous servers before reaching a destination. In this way generally multiple links of the chain have to be `broken' for security to be compromised. Re-encryption at each link makes this scenario even more unlikely. Even more significantly, the anonymous remailers could be spread over the internet globally, so that local weaknesses (such as corrupt governments or legal wiretapping within a nation) would be less likely to sacrifice overall security by message tracing. However, remailers run by corrupt operators are possible.

The future of anonymous services on the internet is, at this time, highly uncertain and fraught with peril. While specific groups seem to benefit significantly from anonymous posting capabilities, many feel that unlimited newsgroup scope for anonymous posting is a disruptive and dangerous idea and detracts from discussions in `serious' groups. The introduction of unlimited group anonymity may have fundamental repercussions on Usenet conventions and distribution mechanisms, as moderated and `alt' groups have had in the past. For example, as part of new group creation, the charter may specify whether `anonymous' posting is (un)welcome. Nevertheless, the widespread introduction and use of anonymity may be inevitable. Based on traffic statistics, anonymous services are in huge demand. Pervasive and readily available anonymity could carry significant and unforeseen social consequences. However, if its use continues to be generally regarded as subversive it may be confined to the underground. The ramifications of widespread introduction of anonymity to Usenet are still largely unknown. It is unclear whether it will provoke significant amounts of new traffic or, instead of expansion, cause a shift where a greater portion of existing traffic is anonymized. Conceivably the services could play a role in influencing future mainstream social acceptance of Usenet.
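The anonymous-server mechanics of <3.4>, the leaked-signature and mail-loop bugs of <3.6> and the chaining of <3.7>, as an added example in Python (not the PERL remailer mentioned above or any other real remailer's code). The `Request-Remailing-To' and `X-Anon-Hops' header names, the `::' body-header convention and the hop limit are this example's own assumptions; re-encryption between hops is omitted, so each hop sees the next hop's address in clear.

```python
"""Toy anonymizing remailer showing the mechanics of <3.4>, two of the
bugs in <3.6> (leaked signatures, infinite loops) and the chaining of
<3.7>.  Added example, not any real remailer's code.  The header names
and the '::' body-header convention are this example's own assumptions;
re-encryption between hops is left out.
"""
import email
from email.message import Message

MAX_HOPS = 4                 # bound on chain length: cuts off mail loops
KEEP_HEADERS = ("Subject",)  # any other incoming header may identify the sender
SIG_SEPARATOR = "-- "        # conventional first line of a signature block


def paste_headers(body):
    """Split a leading '::' header block (this hop's orders) off the body."""
    lines = body.splitlines()
    if not lines or lines[0].strip() != "::":
        return {}, body
    headers, i = {}, 1
    while i < len(lines) and lines[i].strip():
        name, _, value = lines[i].partition(":")
        headers[name.strip()] = value.strip()
        i += 1
    # What follows the block (maybe another '::' block for the next hop)
    # becomes the body that is forwarded.
    return headers, "\n".join(lines[i + 1:])


def strip_signature(body):
    """Drop the '-- ' separator and everything after it."""
    lines = body.split("\n")
    for i, line in enumerate(lines):
        if line == SIG_SEPARATOR:
            return "\n".join(lines[:i])
    return body


class AnonServer:
    def __init__(self, domain):
        self.domain = domain
        self.alias_of = {}    # real address -> anon ID: the sensitive mapping
        self.counter = 0

    def anon_id(self, real):
        # Counter-based and never reused, so an ID cannot later point at
        # a second person (one of the bugs <3.6> records).
        if real not in self.alias_of:
            self.counter += 1
            self.alias_of[real] = "an%03d" % self.counter
        return self.alias_of[real]

    def process(self, raw):
        """Return the forwarded message text, or None if it is dropped."""
        msg = email.message_from_string(raw)
        hops = int(msg.get("X-Anon-Hops", "0"))
        if hops >= MAX_HOPS:
            return None           # chain too long: almost certainly a loop
        pasted, body = paste_headers(msg.get_payload())
        dest = pasted.get("Request-Remailing-To") or msg.get("Request-Remailing-To")
        if not dest:
            return None           # misaddressed (a real one lands with the operator)
        out = Message()           # built fresh: no Received:/Message-ID: copied over
        out["From"] = "%s@%s" % (self.anon_id(msg.get("From", "")), self.domain)
        out["To"] = dest
        for name in KEEP_HEADERS:
            value = pasted.get(name, msg.get(name))
            if value:
                out[name] = value
        out["X-Anon-Hops"] = str(hops + 1)
        out.set_payload(strip_signature(body))
        return out.as_string()


def deliver(servers, raw):
    """Route through every remailer in servers; None if a hop dropped it."""
    while raw is not None:
        to = email.message_from_string(raw).get("To", "").strip()
        if to not in servers:
            return raw
        raw = servers[to].process(raw)
    return None


def demo():
    """Constructed two-hop chain, and a loop that gets cut off."""
    servers = {"remail@hop1.example": AnonServer("hop1.example"),
               "remail@hop2.example": AnonServer("hop2.example")}
    via_hop2 = "::\nRequest-Remailing-To: remail@hop2.example\n\n"
    via_hop1 = "::\nRequest-Remailing-To: remail@hop1.example\n\n"
    # Constructed sample: one '::' block per hop, then the real text.
    chained = ("From: alice@univ.example\nTo: remail@hop1.example\n"
               "Message-ID: <1@univ.example>\nSubject: hello\n\n"
               + via_hop2 + "::\nRequest-Remailing-To: bob@dest.example\n\n"
               "the actual text\n-- \nAlice, Room 101\n")
    # hop1 -> hop2 -> hop1 -> ...: dropped once MAX_HOPS is reached.
    looping = ("From: alice@univ.example\nTo: remail@hop1.example\n\n"
               + (via_hop2 + via_hop1) * 3 + "never arrives\n")
    return deliver(servers, chained), deliver(servers, looping)
```

The first message reaches bob@dest.example carrying only hop2's pseudonym, the Subject and a hop count; the sender's address, Message-ID and signature are gone, while the second message dies at the fifth hop instead of circulating forever.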
* * *

This is Part 1 of the Privacy & Anonymity FAQ, obtained via anonymous FTP to pit-manager@mit.edu:/pub/usenet/news.answers/net-privacy/ or newsgroups news.answers, sci.answers, alt.answers every 21 days. Written by L. Detweiler. All rights reserved.

Newsgroup: sci.crypt
document_id: 15177
From: ld231782@longs.lance.colostate.edu (L. Detweiler)
Subject: Privacy & Anonymity on the Internet FAQ (2 of 3)
Archive-name: net-privacy/part2
Last-modified: 1993/3/3
Version: 2.1

IDENTITY, PRIVACY, and ANONYMITY on the INTERNET
================================================

(c) 1993 L. Detweiler. Not for commercial use except by permission from author, otherwise may be freely copied. Not to be altered. Please credit if quoted.

SUMMARY
=======

Email and account privacy, anonymity, file encryption, academic computer policies, relevant legislation and references, EFF, and other privacy and rights issues associated with use of the Internet and global networks in general.

(Search for <#.#> for exact section. Search for '_' (underline) for next section.)

PART 2
======
(this file)

Resources
---------

<4.1> What UNIX programs are related to privacy?
<4.2> How can I learn about or use cryptography?
<4.3> What is the cypherpunks mailing list?
<4.4> What are some privacy-related newsgroups? FAQs?
<4.5> What is internet Privacy Enhanced Mail (PEM)?
<4.6> What are other Request For Comments (RFCs) related to privacy?
<4.7> How can I run an anonymous remailer?
<4.8> What are references on privacy in email?
<4.9> What are some email, Usenet, and internet use policies?
<4.10> What is the MIT ``CROSSLINK'' anonymous message TV program?

Miscellaneous
-------------

<5.1> What is ``digital cash''?
<5.2> What is a ``hacker'' or ``cracker''?
<5.3> What is a ``cypherpunk''?
<5.4> What is `steganography' and anonymous pools?
<5.5> What is `security through obscurity'?
<5.6> What are `identity daemons'?
<5.7> What standards are needed to guard electronic privacy?
Issues
------

<6.1> What is the Electronic Frontier Foundation (EFF)?
<6.2> Who are Computer Professionals for Social Responsibility (CPSR)?
<6.3> What was `Operation Sun Devil' and the Steve Jackson Game case?
<6.4> What is Integrated Services Digital Network (ISDN)?
<6.5> What is the National Research and Education Network (NREN)?
<6.6> What is the FBI's proposed Digital Telephony Act?
<6.7> What other U.S. legislation is related to privacy on networks?
<6.8> What are references on rights in cyberspace?
<6.9> What is the Computers and Academic Freedom (CAF) archive?

Footnotes
---------

<7.1> What is the background behind the Internet?
<7.2> How is Internet `anarchy' like the English language?
<7.3> Most Wanted list
<7.4> Change history

* * *

RESOURCES
=========

_____
<4.1> What UNIX programs are related to privacy?

For more information, type `man [cmd]' or `apropos [keyword]' at the UNIX shell prompt.

passwd - change password
finger - obtain information about a remote user
chfn - change information about yourself obtainable by remote users (sometimes `passwd -f')
chmod - change the rights associated with a file or directory
umask - (shell) change the default (on creation) file access rights
ls - list the rights associated with files and directories
xhost - allow or disable access control of particular users to an X Window server
last - list the latest user logins on the system and their originations
who - list other users, login/idle times, originations
w - list other users and what they are running
xhost - access control list for X Window client use
xauth - control X Window server authentication

.signature - file in the home directory appended to USENET posts
.forward - file used to forward email to other accounts
.Xauthority - file used for X Window server authentication keys
$SIGNATURE - variable used for name in email and USENET postings

The `tcpdump' packet-tracing program is loosely based on SMI's ``etherfind'', although none of the etherfind code remains. It was originally written by Van Jacobson, Lawrence Berkeley Laboratory, as part of an ongoing research project to investigate and improve tcp and internet gateway performance. A current version is available via anonymous ftp from host ftp.ee.lbl.gov (currently at address 128.3.254.68), file tcpdump.tar.Z (a compressed Unix tar file). This program is subject to the `standard' Berkeley network software copyright.

_____
<4.2> How can I learn about or use cryptography?

A general introduction to mostly theoretical cryptographic issues, especially those frequently discussed in sci.crypt, is available in FAQ form:

> Compiled by:
> cme@ellisun.sw.stratus.com (Carl Ellison)
> Gwyn@BRL.MIL (Doug Gwyn)
> smb@ulysses.att.com (Steven Bellovin)

NIST (U.S. National Institute for Standards and Technology) publishes an introductory paper on cryptography, special publication 800-2 ``Public-Key Cryptography'' by James Nechvatal (April 1991). Available via anonymous FTP from csrc.ncsl.nist.gov (129.6.54.11), file pub/nistpubs/800-2.txt. Also available via anonymous FTP from wimsey.bc.ca as crypt.txt.Z in the crypto directory. Covers technical mathematical aspects of encryption such as number theory.

More general information can be found in a FAQ by Paul Fahn of RSA Laboratories via anonymous FTP from rsa.com in /pub/faq.ps.Z. See the `readme' file for information on the `tex' version. Also available as hardcopy for $20 from RSA Laboratories, 100 Marine Parkway, Redwood City, CA 94065. Send questions to faq-editor@rsa.com.

Phil Zimmerman's PGP (Pretty Good Privacy) public-domain package for public key encryption is available at numerous sites, and is in widespread use over the internet for general UNIX-based file encryption (including email). Consult the archie FTP database. Also see the newsgroup alt.security.pgp. Mailing list requests to info-pgp-request@lucpul.it.luc.edu.
From the RIPEM FAQ by Marc VanHeyningen on news.answers:

> RIPEM is a program which performs Privacy Enhanced Mail (PEM)
> using the cryptographic techniques of RSA and DES. It allows
> your electronic mail to have the properties of authentication
> (i.e. who sent it can be confirmed) and privacy (i.e. nobody can
> read it except the intended recipient.)
>
> RIPEM was written primarily by Mark Riordan.
> Most of the code is in the public domain,
> except for the RSA routines, which are a library called RSAREF
> licensed from RSA Data Security Inc.
>
> RIPEM is available via anonymous FTP to citizens and permanent
> residents in the U.S. from rsa.com; cd to rsaref/ and read the
> README file for info.
>
> RIPEM, as well as some other crypt stuff, has its `home site' on
> rpub.cl.msu.edu, which is open to non-anonymous FTP for users in
> the U.S. and Canada who are citizens or permanent residents. To
> find out how to obtain access, ftp there, cd to pub/crypt/, and
> read the file GETTING_ACCESS.

Note: cryptography is generally not well integrated into email yet, and some system proficiency is required by users to utilize it.

_____
<4.3> What is the cypherpunks mailing list?

Eric Hughes runs the `cypherpunk' mailing list dedicated to ``discussion about technological defenses for privacy in the digital domain.'' Send email to cypherpunks-request@toad.com to be added to or removed from the list. From the charter:

> The most important means to the defense of privacy is encryption.
> To encrypt is to indicate the desire for privacy. But to encrypt
> with weak cryptography is to indicate not too much desire for
> privacy. Cypherpunks hope that all people desiring privacy will
> learn how best to defend it.

_____
<4.4> What are some privacy-related newsgroups? FAQs?

Newsgroups
==========

alt.comp.acad-freedom.news
alt.comp.acad-freedom.talk
--------------------------

Moderated and unmoderated issues related to academic freedom and privacy at universities. Documented examples of violated privacy in e.g. email. Documented examples of `censorship' as in e.g. limiting USENET groups' local availability.

alt.cyberpunks
--------------

Virtual reality, (science) fiction by William Gibson and Bruce Sterling, cyberpunk in the mainstream.

alt.hackers
-----------

USENET Network News Transfer Protocol (NNTP) posting mechanisms, Simple Mail Transfer Protocol (SMTP), `obligatory hack' reports.

alt.privacy
-----------

General privacy issues involving taxpaying, licensing, social security numbers, etc.

alt.security
comp.security.misc
------------------

Computer related security issues. FAQ in news.answers below.

alt.security.pgp
alt.security.ripem
------------------

Dedicated to discussing public domain cryptographic software packages: PGP, or ``Pretty Good Privacy'', software developed by Phil Zimmerman for public key encryption, and RIPEM by Mark Riordan for public key and DES encryption.

comp.society.privacy
--------------------

Privacy issues associated with computer technologies. Examples: caller identification, social security numbers, credit applications, mailing lists, etc. Moderated.

comp.eff.news
comp.eff.talk
-------------

Moderated and unmoderated groups associated with the Electronic Frontier Foundation, started by Mitch Kapor for protecting civil and constitutional rights in the electronic realm.

news.admin
news.admin.policy
-----------------

Concerns of news administrators. NNTP standards and mechanisms.

news.lists
----------

USENET traffic distributions. Most frequent posters, most voluminous groups, most active sites, etc.

sci.crypt
---------

Considers scientific and social issues of cryptography. Examples: legitimate use of PGP, public-key patents, DES, cryptographic security, cypher breaking, etc.
FAQs ==== FAQs or ``Frequently-Asked Questions'' are available in the newsgroups *.answers or via anonymous FTP to pit-manager.mit.edu [18.172.1.27] (also rtfm.mit.edu) from the directory /pub/usenet/news.answers/[x] where [x] is the archive name. This FAQ is archived in the file `net-privacy'. Others are: network-info/part1 ------------------ Sources of information about the Internet and how to connect to it, through the NSF or commercial vendors. alt-security-faq ---------------- Computer related security issues arising in alt.security and comp.security.misc, mostly UNIX related. ssn-privacy ----------- Privacy issues associated with the use of the U.S. Social Security number (SSN). pdial ----- Public dialup internet accounts list. college-email/part1 ------------------- How to find email addresses for undergraduate and graduate students, faculty and staff at various colleges and universities. ripem/faq --------- Information on RIPEM, a program for public key mail encryption officially sanctioned by Public Key Partners Inc., the company that owns patents on public key cryptography. unix-faq/faq/part1 ------------------ Frequently-asked questions about UNIX, including information on `finger' and terminal spying. distributions/* --------------- Known geographic, university, and network distributions. _____ <4.5> What is internet Privacy Enhanced Mail (PEM)? Internet drafts on Privacy Enhanced Mail (PEM) describe a standard under revision for six years delineating the official protocols for email encryption. The standard has only recently stabilized and implementations are being developed. - RFC-1421: ``Privacy Enhancement for Internet Electronic Mail: Part I: Message Encryption and Authentication Procedures.'' J. Linn <104-8456@mcimail.com> - RFC-1422: ``Privacy Enhancement for Internet Electronic Mail: Part II: Certificate-Based Key Management'' S. 
Kent - RFC-1424: ``Privacy Enhancement for Internet Electronic Mail: Part IV: Key Certification and Related Services'' B. Kaliski - RFC-1423: ``Privacy Enhancement for Internet Electronic Mail: Part III: Algorithms, Modes, and Identifiers'' D. Balenson Send email to pem-info@tis.com for more information. See ``RFCs related to privacy'' for information on how to obtain RFCs. _____ <4.6> What are other Requests For Comments (RFCs) related to privacy? RFC-822: SMTP, Simple Mail Transfer Protocol RFC-977: NNTP, Network News Transfer Protocol RFC-1036: Standard for interchange of network news messages RFC-1208: Glossary of Networking Terms RFC-1207: Answers to ``experienced Internet user'' questions RFC-1206: Answers to ``new Internet user'' questions RFC-1355: Privacy issues in Network Information center databases RFC-1177 is ``FYI: Answers to commonly asked ``new internet user'' questions, and includes: basic terminology on the Internet (TCP/IP, SMTP, FTP), internet organizations such as IAB (Internet Activities Board) and IETF (Internet Enbgineering Task Force), and a glossary of terms. Also from ftp.eff.org: /pub/internet-info/internet.q. > RFCs can be obtained via FTP from NIC.DDN.MIL, with the pathname > RFC:RFCnnnn.TXT or RFC:RFCnnnn.PS (where `nnnn' refers to the > number of the RFC). Login with FTP, username `anonymous' and > password `guest'. The NIC also provides an automatic mail > service for those sites which cannot use FTP. Address the > request to SERVICE@NIC.DDN.MIL and in the subject field of the > message indicate the RFC number, as in `Subject: RFC nnnn' (or > `Subject: RFC nnnn.PS' for PostScript RFCs). > > RFCs can also be obtained via FTP from NIS.NSF.NET. Using FTP, > login with username `anonymous' and password `guest'; then > connect to the RFC directory (`cd RFC'). The file name is of the > form RFCnnnn.TXT-1 (where `nnnn' refers to the number of the > RFC). 
> The NIS also provides an automatic mail service for those
> sites which cannot use FTP.  Address the request to
> NIS-INFO@NIS.NSF.NET and leave the subject field of the message
> blank.  The first line of the text of the message must be `SEND
> RFCnnnn.TXT-1', where nnnn is replaced by the RFC number.

_____
<4.7> How can I run an anonymous remailer?

Cypherpunk remailer source is at soda.berkeley.edu in the
/pub/cypherpunks directory.  It's written in PERL, and is relatively
easy to install (no administrative rights are required).  Karl Barrus
has more information and modifications.  Also, most remailer
operators mentioned above are amenable to discussing features,
problems, and helping new sites become operational.

Address all points in the section ``responsibilities of anonymous
use'' in this document prior to advertising your service.  You should
be committed to the long-term stability of the site and avoid running
one surreptitiously.

_____
<4.8> What are references on privacy in email?

Brown, Bob.  ``EMA Urges Users to Adopt Policy on E-mail Privacy.''
Network World (Oct 29, 1990), 7.44: 2.

Bairstow, Jeffrey.  ``Who Reads your Electronic Mail?''  Electronic
Business (June 11, 1990) 16 (11): 92.

``Electronic Envelopes - the uncertainty of keeping e-mail private''
Scientific American, February 1993.

ftp.eff.org
===========

/pub/eff/papers/email_privacy
--- Article on the rights of email privacy, by Ruel T. Hernandez.

/pub/academic/law/privacy.email
--- ``Computer Electronic Mail and Privacy'', an edited version of a
law school seminar paper by Ruel T. Hernandez.

/pub/eff/papers/email-privacy-biblio-2
--- Compilation of bibliography on E-Mail and its privacy issues (part
2 of the work).  Compiled by Stacy B. Veeder (12/91).

/pub/eff/papers/email-privacy-research
--- The author at Digital Research tried to formalize their employee
privacy policy on E-Mail.  The case citations are divided into two
groups: US Constitutional law, and California law.

/pub/eff/papers/company-email
--- Formulating a Company Policy on Access to and Disclosure of
Electronic Mail on Company Computer Systems by David R. Johnson and
John Podesta for the Electronic Mail Association.

/pub/cud/alcor
--- Information on Alcor Co., an e-mail privacy suit.

/pub/academic/law/privacy.email
--- Email privacy search at Berkeley.

_____
<4.9> What are some email, Usenet, and internet use policies?

The Computer Policy and Critiques Archive is a collection of the
computer policies of many schools and networks, run by the Computers
and Academic Freedom group on the Electronic Frontier Foundation FTP
site.  The collection also includes critiques of some of the
policies.

> If you have gopher, the archive is browsable with the command:
> gopher -p academic/policies gopher.eff.org
>
> The archive is also accessible via anonymous ftp and email.  Ftp
> to ftp.eff.org (192.88.144.4).  It is in directory
> `pub/academic/policies'.  For email access, send email to
> archive-server@eff.org.  Include the line:
>
> send acad-freedom/policies
>
> where is a list of the files that you want.  File
> README is a detailed description of the items in the directory.
>
> For more information, to make contributions, or to report typos
> contact J.S. Greenfield (greeny@eff.org).  Directory `widener'
> contains additional policies (but not critiques).

ftp.eff.org
===========

/pub/cud/networks
--- Acceptable Use Policies for various networks, including CompuServe
(file `compuserve'), NSFNET (file `nsfnet') with information on
research and commercial uses.  See /pub/cud/networks/index.

/pub/cud/networks/email
--- Policies from various sysadmins about how they handle the issue
of email privacy, control, and abuse, compiled by T. Hooper .

/pub/cud/schools/
--- Computer use policies of a number of schools.  See schools/Index
for a full list and description.

Commentary
==========

/pub/academic/faq/policy.best
--- Opinions on the best academic computer policies.
/pub/academic/faq/email.policies
--- Do any universities treat email and computer files as private?

/pub/academic/faq/netnews.writing
--- Policies on what users write on Usenet.

/pub/academic/faq/netnews.reading
--- Policies on what users read on Usenet: should my university
remove (or restrict) Netnews newsgroups because some people find them
offensive?

/pub/academic/faq/policy
--- What guidance is there for creating or evaluating a university's
academic computer policy?

______
<4.10> What is the MIT ``CROSSLINK'' anonymous message TV program?

> CROSSLINK is an anonymous message system run on MIT Student
> Cable TV-36.  It provides an anonymous medium through which MIT
> students can say those things they might otherwise find
> difficult, inconvenient or impossible to say in person.  It's
> also a way to send fun or totally random messages to your
> friends over the air.  It is similar to the anonymous message
> pages found in many college newspapers, except that it's
> electronic in nature and it's free.

Messages can be posted to the service via email.  For more
information send email to crosslink@athena.mit.edu.

MISCELLANEOUS
=============

_____
<5.1> What is ``digital cash''?

With digital encryption and authentication technologies, the
possibility of a widespread digital cash system may someday be
realized.  A system utilizing codes sent between users and banks
(similar to today's checking system except entirely digital) may be
one approach.  The issues of cryptography, privacy, and anonymity are
closely associated with transfer of cash in an economy.  See the
article in Scientific American by David Chaum (~Dec. 1992).

An experimental digital bank is run by Karl Barrus based on
suggestions by Hal Finney on the cypherpunks mailing list.  To use
the server, send mail to elee7h5@rosebud.ee.uh.edu with the following
text in the message body:

::
command: help
user@host

where `user@host' is your email address.

_____
<5.2> What is a ``hacker'' or ``cracker''?

These terms arouse strong feelings in many on their meaning,
especially on the internet.  In the general news media in the past a
person who uses computers and networks to malicious ends (such as
breaking into systems) has been referred to as a hacker, but most
internet users prefer the term ``cracker'' for this.  Instead, a
``hacker'' is perceived as a benign but intensely ambitious, curious,
and driven computer user who explores obscure areas of a system, for
example---something of a proud electronic pioneer and patriot.  This
is the sense intended in this document.  See also the ``Hacker's
Dictionary'' and the FAQ `alt-security-faq'.

_____
<5.3> What is a ``cypherpunk''?

From the charter of the cypherpunk mailing list:

> Cypherpunks assume privacy is a good thing and wish there were
> more of it.  Cypherpunks acknowledge that those who want privacy
> must create it for themselves and not expect governments,
> corporations, or other large, faceless organizations to grant
> them privacy out of beneficence.  Cypherpunks know that people
> have been creating their own privacy for centuries with whispers,
> envelopes, closed doors, and couriers.  Cypherpunks do not seek
> to prevent other people from speaking about their experiences or
> their opinions.

See information on the cypherpunk mailing list below.  See also the
CryptoAnarchist Manifesto and the Cryptography Glossary in
soda.berkeley.edu:/pub/cypherpunks.

_____
<5.4> What is `steganography' and anonymous pools?

Closely associated with encryption is `steganography', or the
techniques for not only pursuing private (encrypted) communication
but concealing the very existence of the communication itself.  Many
new possibilities in this area are introduced with the proliferation
of computer technology.  For example, it is possible to encode
messages in the least-significant bits of images, typically the most
`noisy' bits.
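The least-significant-bit embedding just described, as an added example written for this FAQ entry rather than code from the FAQ or from any project it mentions: it hides a short message in the low bits of a constructed 8-bit grayscale pixel array and reads it back, and the `max_pixel_change` and `lsb_ratio` helpers show why the change is invisible to the eye and to a naive bit count. The pixel array, the 32-bit length header and all function names are assumptions of this example.

```python
"""LSB image steganography, illustrating the technique described above.
Added example for this FAQ entry, not code from the FAQ or from any
project it mentions.  The cover 'image' is a constructed list of 8-bit
grayscale pixel values rather than a file, so it runs with no image
library; the 32-bit length header is a convention chosen here."""
import random

HEADER_BYTES = 4  # big-endian payload length, stored in the first 32 LSBs


def make_cover(n: int = 256, seed: int = 7) -> list[int]:
    """Constructed noisy cover: n pseudo-random 8-bit pixels (fixed seed)."""
    rng = random.Random(seed)
    return [rng.randrange(256) for _ in range(n)]


def _bits(data: bytes):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(pixels: list[int], message: bytes) -> list[int]:
    """Return a copy of `pixels` whose least-significant bits carry a
    length header followed by `message`.  Only bit 0 of each used pixel
    is touched, so no pixel value moves by more than 1, and the pixels
    past the payload are left exactly as they were."""
    payload = len(message).to_bytes(HEADER_BYTES, "big") + message
    needed = len(payload) * 8
    if needed > len(pixels):
        raise ValueError(f"cover holds {len(pixels)} bits, payload needs {needed}")
    out = list(pixels)
    for i, bit in enumerate(_bits(payload)):
        out[i] = (out[i] & 0xFE) | bit
    return out


def _read_bytes(pixels: list[int], start_bit: int, count: int) -> bytes:
    """Reassemble `count` bytes from the LSBs beginning at `start_bit`."""
    value = 0
    for i in range(start_bit, start_bit + count * 8):
        value = (value << 1) | (pixels[i] & 1)
    return value.to_bytes(count, "big")


def extract(pixels: list[int]) -> bytes:
    """Read the length header, then that many payload bytes, from the LSBs.
    A cover with no message yields a random header, which is rejected
    here when it claims more bits than the image has."""
    if len(pixels) < HEADER_BYTES * 8:
        raise ValueError("image too small to hold a header")
    length = int.from_bytes(_read_bytes(pixels, 0, HEADER_BYTES), "big")
    if HEADER_BYTES * 8 + length * 8 > len(pixels):
        raise ValueError("header claims more payload than the cover holds")
    return _read_bytes(pixels, HEADER_BYTES * 8, length)


def max_pixel_change(before: list[int], after: list[int]) -> int:
    """Largest per-pixel difference between cover and stego image."""
    return max(abs(a - b) for a, b in zip(before, after))


def lsb_ratio(pixels: list[int]) -> float:
    """Fraction of pixels whose LSB is 1.  On a noisy cover this is near
    0.5 both before and after embedding, which is why the low bits are
    the natural hiding place and why spotting an embedded message needs
    more careful statistics than a simple bit count."""
    return sum(p & 1 for p in pixels) / len(pixels)


if __name__ == "__main__":
    cover = make_cover()
    stego = embed(cover, b"meet at the usual pool")
    print(extract(stego))                  # → b'meet at the usual pool'
    print(max_pixel_change(cover, stego))  # at most 1
    print(round(lsb_ratio(cover), 2), round(lsb_ratio(stego), 2))
```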
In addition, when such an item is posted in a public place (such as a
newsgroup), virtually untraceable communication can take place
between sender and receiver.

For steganographic communications in the electronic realm, another
possibility is setting up a mailing list where individual messages
get broadcast to the entire list and individual users decode
particular messages with their unique key.  An anonymous pool has
been set up by Miron Cuperman (miron@extropia.wimsey.com) for
experiments.  Send email to with one of the following commands in
the subject line:

subscribe
unsubscribe
help

_____
<5.5> What is `security through obscurity'?

`Security through obscurity' refers to the attempt to gain protection
from system weaknesses by hiding sensitive information or programs
relating to them.  For example, a company may not make public
information on its software's encryption techniques to evade
`attacks' based on knowledge of it.  Another example would be
concealing data on the existence of security holes or bugs in
operating systems.  Or, some reliance may be placed on the assumption
that a standard or mechanism with potential problems poses no serious
risk because it is ``not widely known'' or ``not widely used.''  This
argument is occasionally applied to mechanisms for email and Usenet
posting `forgery'.

`Security through obscurity' is regarded as a very feeble technique
at best and inappropriate and ineffective at worst (also called the
``head-in-the-sand approach'').  See the FAQ for alt.security.

Some remarks of John Perry Barlow, cofounder of the Electronic
Frontier Foundation, directed to NSA agents at the First
International Symposium on National Security & National
Competitiveness held in McLean, Virginia, Dec. 1, 1992:

> Digitized information is very hard to stamp classified or keep
> contained.  ... This stuff is incredibly leaky and volatile.  It's
> almost a life form in its ability to self-propagate.  If
> something hits the Net and it's something which people on there
> find interesting it will spread like a virus of the mind.  I
> believe you must simply accept the idea that we are moving into
> an environment where any information which is at all interesting
> to people is going to get out.  And there will be very little
> that you can do about it.  This is not a bad thing in my view,
> but you may differ...

_____
<5.6> What are `identity daemons'?

RFC-931 describes a protocol standard that allows UNIX programs to
query a remote user's login name after connection to a local
communication socket (a connection of this type is established during
FTP and TELNET sessions, for example).  The standard is not widely
supported; perhaps 10% of internet sites currently implement it, but
the number is increasing.  The mechanism is detrimental to anonymity.
Regular users cannot disable it, but system administrators can
circumvent it.  This standard may represent a trend toward greater
authentication mechanisms.

_____
<5.7> What new standards are needed to guard electronic privacy?

Remailing/Posting
-----------------

- Stable, secure, protected, officially sanctioned and permitted,
  publicly and privately operated anonymous servers and hubs.
- Official standards for encryption and anonymity in mail and USENET
  postings.
- Truly anonymous protocols with source and destination information
  obscured or absent and hidden routing mechanisms (chaining,
  encrypted addresses, etc.)
- Standards for anonymous email addressing, embedding files, and
  remailer site chaining.

General
-------

- Recognition of anonymity, cryptography, and related privacy shields
  as legitimate, useful, desirable, and crucial by the general public
  and their governments.
- Widespread use and implementation of these technologies by systems
  designers into hardware, software, and standards, implemented
  `securely,' `seamlessly,' and `transparently'.
- General shift of use, dependence, and reliance to means other than
  wiretapping and electronic surveillance by law enforcement agencies.
- Publicity, retraction, and dissolution of laws and government
  agencies opposed to privacy, replaced by structures dedicated to
  strengthening and protecting it.

ISSUES
======

_____
<6.1> What is the Electronic Frontier Foundation (EFF)?

From ftp.eff.org:/pub/EFF/mission_statement:

> A new world is arising in the vast web of digital, electronic
> media which connect us.  Computer-based communication media like
> electronic mail and computer conferencing are becoming the basis
> of new forms of community.  These communities without a single,
> fixed geographical location comprise the first settlements on an
> electronic frontier.
>
> While well-established legal principles and cultural norms give
> structure and coherence to uses of conventional media like
> newspapers, books, and telephones, the new digital media do not
> so easily fit into existing frameworks.  Conflicts come about as
> the law struggles to define its application in a context where
> fundamental notions of speech, property, and place take
> profoundly new forms.  People sense both the promise and the
> threat inherent in new computer and communications technologies,
> even as they struggle to master or simply cope with them in the
> workplace and the home.
>
> The Electronic Frontier Foundation has been established to help
> civilize the electronic frontier; to make it truly useful and
> beneficial not just to a technical elite, but to everyone; and to
> do this in a way which is in keeping with our society's highest
> traditions of the free and open flow of information and
> communication.

EFF was started by the multimillionaire Mitchell Kapor, founder of
Lotus software, and John Barlow, lyricist for the Grateful Dead rock
band.  A highly publicized endeavor of the organization involved the
legal defense of Steve Jackson Games after an FBI raid and an
accompanying civil suit (see section on ``Steve Jackson Games'').
The foundation publishes EFF News (EFFector Online) electronically;
send requests to effnews-request@eff.org.

In a letter to Mitchell Kapor from the Chairman of the Subcommittee
with primary jurisdiction over telecommunications policy, dated
November 5, 1991, Representative Edward J. Markey complimented
Mitchell Kapor on his ``insights on the development of a national
public information infrastructure'' which ``were appreciated greatly
by myself and the Members of the Subcommittee'' (complete text in
ftp.eff.com:/pub/pub-infra/1991-12):

> ...we need to pursue policies that encourage the Bell companies to
> work with other sectors of the communications industry to create
> a consumer-oriented, public information network.  Please let me or
> my staff know what policies you and others in the computer
> industry believe would best serve the public interest in creating
> a reasonably priced, widely available network in which
> competition is open and innovation rewarded.  I also want to
> learn what lessons from the computer industry over the past ten
> to fifteen years should apply to the current debate on
> structuring the information and communications networks of the
> future....I ask your help in gaining input from the computer
> industry so that the Subcommittee can shape policies that will
> bring this spirit of innovation and entrepreneurship to the
> information services industry.

ftp.eff.org
===========

/pub/eff/about-eff
--- A file of basic information about EFF including goals, mission,
achievements, and current projects.  Contains a membership form.

/pub/eff/mission-statement
--- EFF mission statement.

/pub/eff/historical/founding-announcement
--- EFF founding press release.

/pub/eff/historical/eff-history
--- John Perry Barlow's ``Not Terribly Brief History of the EFF''
(July 10, 1990).  How EFF was conceived and founded, major legal
cases, and the organizational directions.

/pub/eff/historical/legal-case-summary
--- EFF legal case summary.

_____
<6.2> Who are Computer Professionals for Social Responsibility (CPSR)?

The Computer Professionals for Social Responsibility have been working
to protect and promote electronic civil liberties issues since ~1982.
The group has three offices (Palo Alto, Cambridge, Washington, DC) and
20 chapters.  It is involved in litigation against the FBI, the NSA,
NIST, the Secret Service and other U.S. government agencies to
declassify and provide documentation on issues such as Operation
Sundevil, the FBI wiretap proposal, NSA's interference in
cryptography, and the breakup of the 2600 raid in Arlington, Va in
Nov 1992.  Members speak frequently before Congress, state
legislators and public utility commissions to testify on privacy,
information policy, computer security, and caller identification.

CPSR has created an extensive Internet Privacy library available via
FTP, Gopher, WAIS, and email at cpsr.org, currently comprising the
largest collection of privacy documents on the internet.  For more
information, anonymous FTP cpsr.org:/cpsr/.

(Thanks to Dave Banisar for contributions here.)

_____
<6.3> What was `Operation Sundevil' and the Steve Jackson Games case?

In the early 1990's a fear spread among U.S. law enforcement agencies
on the illicit activities of `hackers' and `phreakers' involved in
such activities as credit card fraud and long-distance call thievery.
(See ftp.eff.org:/pub/SJG/General_Information/EFFector1.04):

> `Operation Sundevil,' the Phoenix-inspired crackdown of May
> 8,1990, concentrated on telephone code-fraud and credit-card
> abuse, and followed this seizure plan with some success.
> [Bulletin Board Systems] went down all over America, terrifying
> the underground and swiftly depriving them of at least some of
> their criminal instruments.  It also saddled analysts with some
> 24,000 floppy disks, and confronted harried Justice Department
> prosecutors with the daunting challenge of a gigantic nationwide
> hacker show-trial involving highly technical issues in dozens of
> jurisdictions.

Massive `show-trials' never materialized, although isolated instances
of prosecution were pursued.  The movement reached a crescendo in
Texas with the highly publicized case of illegal search and seizure
involving the Steve Jackson Games company of Austin, Texas on March 1,
1990.  From the column GURPS' LABOUR LOST by Bruce Sterling in Fantasy
and Science Fiction Magazine:

> In an early morning raid with an unlawful and unconstitutional
> warrant, agents of the Secret Service conducted a search of the
> SJG office.  When they left they took a manuscript being prepared
> for publication, private electronic mail, and several computers,
> including the hardware and software of the SJG Computer Bulletin
> Board System.  Yet Jackson and his business were not only
> innocent of any crime, but never suspects in the first place.
> The raid had been staged on the unfounded suspicion that
> somewhere in Jackson's office there `might be' a document
> compromising the security of the 911 telephone system.

FBI agents involved in the seizure were named in a civil suit filed
on behalf of Steve Jackson Games by The Electronic Frontier
Foundation.  See information on EFF below.

From an article by Joe Abernathy in the Houston Chronicle ~Feb 1,
1993:

> AUSTIN -- An electronic civil rights case against the Secret
> Service closed Thursday with a clear statement by federal
> District Judge Sam Sparks that the Service failed to conduct a
> proper investigation in a notorious computer crime crackdown,
> and went too far in retaining custody of seized equipment.
>
> Secret Service Special Agent Timothy Foley of Chicago, who was in
> charge of three Austin computer search-and-seizures on March 1,
> 1990, that led to the lawsuit, stoically endured Spark's rebuke
> over the Service's poor investigation and abusive computer
> seizure policies.  While the Service has seized dozens of
> computers since the crackdown began in 1990, this is the first
> case to challenge the practice.
>
> Sparks grew visibly angry when it was established that the Austin
> science fiction magazine and game book publisher was never
> suspected of a crime, and that agents did not do even marginal
> research to establish a criminal connection between the firm and
> the suspected illegal activities of an employee, or to determine
> that the company was a publisher.  Indeed, agents testified that
> they were not even trained in the Privacy Protection Act at the
> special Secret Service school on computer crime.
>
> "How long would it have taken you, Mr. Foley, to find out what
> Steve Jackson Games did, what it was?" asked Sparks.  "An hour?
>
> "Was there any reason why, on March 2, you could not return to
> Steve Jackson Games a copy, in floppy disk form, of everything
> taken?
>
> "Did you read the article in Business Week magazine where it had
> a picture of Steve Jackson -- a law-abiding, tax-paying citizen
> -- saying he was a computer crime suspect?
>
> "Did it ever occur to you, Mr. Foley, that seizing this material
> could harm Steve Jackson economically?"
>
> Foley replied, "No, sir," but the judge offered his own answer.
>
> "You actually did, you just had no idea anybody would actually go
> out and hire a lawyer and sue you."
>
> More than $200,000 has been spent by the Electronic Frontier
> Foundation in bringing the case to trial.  The EFF was founded by
> Mitchell Kapor amid a civil liberties movement sparked in large
> part by the Secret Service computer crime crackdown.

ftp.eff.org
===========

/pub/cud/papers/sundevil
--- A collection of information on Operation SunDevil by the Epic
nonprofit publishing project.  Everything you wanted to know but could
never find.

/pub/cud/papers/sj-resp
--- Steve Jackson's response to the charges against him.

_____
<6.4> What is Integrated Services Digital Network (ISDN)?

ISDN is a high-speed data communications standard that utilizes
existing copper telephone lines, and is a possible inexpensive and
intermediate alternative to laying fiber optic cable for phone
networks.  The speeds involved may be sufficient for audio and video
transmission applications.

G. V. der Leun in the file ftp.eff.org:/pub/pub-infra/1991-11:

> Telecommunications in the United States is at a crossroads.  With
> the Regional Bell Operating Companies now free to provide
> content, the shape of the information networking is about to be
> irrevocably altered.  But will that network be the open,
> accessible, affordable network that the American public needs?
> You can help decide this question.
>
> The Electronic Frontier Foundation recently presented a plan to
> Congress calling for the immediate deployment of a national
> network based on existing ISDN technology, accessible to anyone
> with a telephone connection, and priced like local voice service.
> We believe deployment of such a platform will spur the
> development of innovative new information services, and maximize
> freedom, competitiveness, and civil liberties throughout the
> nation.
>
> The EFF is testifying before Congress and the FCC; making
> presentations to public utility commissions from Massachusetts to
> California; and meeting with representatives from telephone
> companies, publishers, consumer advocates, and other stakeholders
> in the telecommunications policy debate.
>
> The EFF believes that participants on the Internet, as pioneers on
> the electronic frontier, need to have their voices heard at this
> critical moment.
To automatically receive a description of the platform and details,
send mail to archive-server@eff.org, with the following line:

send documents open-platform-overview

or send mail to eff@eff.org.  See also the Introduction to the EFF
Open Platform Proposal in ftp.eff.org:/pub/pub-infra/1991-02.

References
==========

``Digital Data On Demand.''  MacWorld, 2/82 (page 224).
--- 56Kbps vs. ISDN services and products.  See comments by J. Powers
in ftp.eff.org:pub/pub-infra/1992-02.

``Telephone Service That Rings of the Future.''  By Joshua Quittner.
Newsday, Tue, Jan 7 1992.
--- Implications of ISDN for the masses, written in popular science
style.  John Perry Barlow (cofounder EFF).  Regional telephone
companies (Ohio Bell).  ISDN as ``Technological Rorschach Test.''
Anecdotes about McDonald's, Barbara Bush teleconferencing.  See
complete text in ftp.eff.org:/pub/pub-infra/1992-01.

ftp.eff.org:/pub/pub-infra/
--- Files 1991-11 through 1992-05 containing email from the EFF public
infrastructure group organized by month.  Opinions and facts on the
pros and cons of ISDN, Integrated Services Digital Network.  Uses of
ISDN (phone video, audio, etc.)  Japanese model.  Alternatives to ISDN
(HDSL, ADSL, fiber optics).  Technical specifications of ISDN,
implementation details, cost issues, political obstacles (RBOC,
Regional Bell Operating Companies or `Baby Bells', e.g. NET, New
England Telephone).  Influencing development of future networks (e.g.
ISDN and NREN, National Research and Education Network), encouraging
competition (cable TV systems).  Press releases and news articles.
Letter from Rep. E. J. Markey to M. Kapor.

_____
<6.5> What is the National Research and Education Network (NREN)?

The National Research and Education Network was introduced in
legislation cosponsored by Sen. A. Gore to promote high-speed data
network infrastructure augmenting the internet with up to 50 times
faster transmission rates.  The bill passed the House on November 20,
1991, the Senate on November 22, 1991, and was signed by the
President on December 9, 1991.

ftp.eff.org
===========

/pub/EFF/legislation/nren-bill-text
--- The complete text of the House-Senate compromise version of S.
272, the High-Performance Computing Act.

/pub/internet-info/gore.bill
--- 102nd congress 1st Session.  Text of high performance computing
bill cosponsored by Sen. A. Gore.

/pub/EFF/legislation/gore-infrastructure-bill
--- The text of S.2937, the Information Infrastructure and Technology
Act of 1992 introduced by Senator Gore to expand Federal efforts to
develop technologies for applications of high-performance computing
and high-speed networking, and to provide for a coordinated Federal
program to accelerate development and deployment of an advanced
information infrastructure.

U.S. SAID TO PLAY FAVORITES IN PROMOTING NATIONWIDE COMPUTER NETWORK
By John Markoff, N.Y. Times (~18 Dec 91).
--- President Bush's legislation for nationwide computer data
`superhighway.'  IBM-MCI venture as monopoly destructive to fair
competition and innovation?  National Science Foundation NSFnet.
Complete text in /pub/pub-infra/1991-12.

Commentary
==========

/pub/academic/statements/nren.privacy.cpsr
--- ``Proposed Privacy Guidelines for the NREN'' -- Statement of Marc
Rotenberg, Washington Director, Computer Professionals for Social
Responsibility (CPSR).

/pub/internet-info/cisler.nren
--- The National Research and Education Network: Two meetings.  Steve
Cisler, Senior Scientist, Apple Computer Library, December 17, 1990.
Summary of meetings exploring educational issues of NREN by diverse
members of academia and industry.

/pub/internet-info/privatized.nren
--- Feb. 14 1991 essay by M. Kapor advocating advantages of a private
National Public Network, and specific recommendations for open NREN
policies encouraging competition.

/pub/eff/papers/netproposition
--- An FYI about the proposed NREN setup.

_____
<6.6> What is the FBI's proposed Digital Telephony Act?

``Providers of electronic communication services and private branch
exchange operators shall provide within the United States capability
and capacity for the government to intercept wire and electronic
communications when authorized by law...''

From `BBS Legislative Watch: FBIs Wiretapping Proposal Thwarted' by
S. Steele in Boardwatch Magazine, Feb. 1993, p. 19-22:

> In a move that worried privacy experts, software manufacturers and
> telephone companies, the FBI proposed legislation to amend the
> Communications Act of 1934 to make it easier for the Bureau to
> perform electronic wiretapping.  The proposed legislation,
> entitled 'Digital Telephony,' would have required communications
> service providers and hardware manufacturers to make their
> systems 'tappable' by providing 'back doors' through which law
> enforcement officers could intercept communications.  Furthermore,
> this capability would have been provided undetectably, while the
> communications was in progress, exclusive of any communications
> between other parties, regardless of the mobility of the target
> of the FBI's investigation, and without degradation of service.
>
> ...under the proposal, the Department of Justice (DOJ) can keep
> communications products off the market if it determines that
> these products do not meet the DOJ's own ... guidelines.  This
> [could] result in increased costs and reduced competitiveness for
> service providers and equipment manufacturers, since they will be
> unlikely to add any features that may result in a DOJ rejection
> of their entire product.  ...the FBI proposal suggests that the
> cost of this wiretapping 'service' to the Bureau would have to be
> borne by the service provider itself...
>
> The Electronic Frontier Foundation organized a broad coalition of
> public interest and industry groups, from Computer Professionals
> for Social Responsibility (CPSR) and the ACLU to AT&T and Sun
> Microsystems, to oppose the legislation. A white paper produced
> by the EFF and ratified by the coalition, entitled, `An Analysis
> of the FBI Digital Telephony Proposal,' was widely distributed
> throughout the Congress. ... The Justice Department lobbied hard
> in the final days to get Congress to take up the bill before
> Congress adjourned, but the bill never ... found a Congressional
> sponsor (and was therefore never officially introduced). The FBI
> [may] reintroduce "Digital Telephony" when the 103rd Congress
> convenes in January.

ftp.eff.org
===========

/pub/eff/legislation/fbi-wiretap-bill
/pub/EFF/legislation/new-fbi-wiretap-bill
--- A bill to ensure the continuing access of law enforcement to
    the content of wire and electronic communications when
    authorized by law and for other purposes. Version 2 of the bill
    after FBI changes in response to public response.

/pub/cud/law/hr3515
--- House of Rep bill 3515, Telecommunications Law.

Commentary
==========

/pub/eff/papers/eff-fbi-analysis
--- The EFF-sponsored analysis of the FBI's Digital Telephony
    proposal.

/pub/eff/papers/ecpa.layman
--- The Electronic Communications Privacy Act of 1986: A Layman's
    View.

/pub/eff/papers/nightline-wire
--- Transcript of ABC's Nightline of May 22, 1992, on the FBI,
    Privacy, and Proposed Wire-Tapping Legislation. Featured are
    Marc Rotenberg of the CPSR and William Sessions, Director of the
    FBI.

/pub/eff/papers/edwards_letter
--- A letter from the Director of the Secret Service to US Rep. Don
    Edwards, D-California, in response to questions raised by
    Edwards' Subcommittee. This copy came from Computer
    Professionals for Social Responsibility in Washington, D.C.

/pub/eff/papers/fbi.systems
--- A description of how information is stored on the FBI's
    computer systems.
_____
<6.7> What other U.S. legislation is related to privacy?

ftp.eff.org
===========

/pub/cud/law/
--- State computer crime laws: AL, AK, AZ, CA, CO, CT, DE, FL, GA,
    HI, IA, ID, IL, IN, MD, MN, NC, NJ, NM, NY, OR, TX, VT, VA, WA,
    WI, WV.

/pub/cud/law/
--- Current computer crime laws for: The United States (federal
    code), Canada, Ghana, and Great Britain.

/pub/cud/law/bill.s.618
--- Senate bill 618, addressing registration of encryption keys
    with the government.

/pub/cud/law/improve
--- Improvement of Information Access bill.

/pub/cud/law/monitoring
--- Senate bill 516; concerning abuses of electronic monitoring in
    the workplace.

/pub/cud/law/us.e-privacy
--- Title 18, relating to computer crime & email privacy.

/pub/academic/law/privacy.electronic.bill
--- The text of Simon's electronic privacy bill, S. 516. ``To
    prevent potential abuses of electronic monitoring in the
    workplace.''

_____
<6.8> What are references on rights in cyberspace?

ftp.eff.org
===========

/pub/cud/papers/const.in.cyberspace
--- Laurence Tribe's keynote address at the first Conference on
    Computers, Freedom, & Privacy. `The Constitution in Cyberspace'

/pub/cud/papers/denning
--- Paper presented to 13th Nat'l Comp Security Conf ``Concerning
    Hackers Who Break into Computer Systems'' by Dorothy E Denning.

/pub/cud/papers/privacy
--- ``Computer Privacy vs First and Fourth Amendment Rights'' by
    Michael S. Borella

/pub/cud/papers/rights-of-expr
--- Rights of Expression in Cyberspace by R. E. Baird

/pub/academic/eff.rights
--- Bill of Rights' meaning in the Electronic Frontier.

_____
<6.9> What is the Computers and Academic Freedom (CAF) archive?

The CAF Archive is an electronic library of information about
computers and academic freedom, run by the Computers and Academic
Freedom group on the Electronic Frontier Foundation FTP site.
> If you have gopher, the archive is browsable with the command:
> gopher -p academic gopher.eff.org
>
> It is available via anonymous ftp to ftp.eff.org (192.88.144.4) in
> directory `pub/academic'. It is also available via email. For
> information on email access send email to archive-server@eff.org.
> In the body of your note include the lines `help' and `index'.
>
> For more information, to make contributions, or to report typos
> contact J.S. Greenfield (greeny@eff.org).

ftp.eff.org
===========

/pub/academic/statements/caf-statement
--- Codifies the application of academic freedom to academic
    computers, reflecting seven months of on-line discussion about
    computers and academic freedom. Covers free expression, due
    process, privacy, and user participation.

/pub/academic/books
--- Directory of book references related to Computers and Academic
    Freedom or mentioned in the CAF discussion. The file
    books/README is a bibliography.

/pub/academic/faq/archive
--- List of files available on the Computers and Academic Freedom
    archive.

/pub/academic/news
--- Directory of all issues of the Computers and Academic Freedom
    News. A full list of abstracts is available in file
    `abstracts'. The special best-of-the-month issues are named
    with their month, for example, `June'.

FOOTNOTES
=========

_____
<7.1> What is the background behind the Internet?

The article ``Internet'' in Fantasy and Science Fiction by Bruce
Sterling contains general and nontechnical introductory notes on
origins of the Internet, including the role of the RAND corporation,
the goal of network resilience in face of nuclear attack, MIT, UCLA,
ARPANET, TCP/IP, NSF, NREN, etc.:

> ARPANET itself formally expired in 1989, a happy victim of its
> own overwhelming success. Its users scarcely noticed, for
> ARPANET's functions not only continued but steadily improved.
> The use of TCP/IP standards for computer networking is now
> global.
> In 1971, a mere twenty-one years ago, there were only
> four nodes in the ARPANET network. Today there are tens of
> thousands of nodes in the Internet, scattered over forty-two
> countries, with more coming on-line every day. Three million,
> possibly four million people use this gigantic
> mother-of-all-computer-networks.
>
> The Internet is especially popular among scientists, and is
> probably the most important scientific instrument of the late
> twentieth century. The powerful, sophisticated access that it
> provides to specialized data and personal communication has sped
> up the pace of scientific research enormously.
>
> The Internet's pace of growth in the early 1990s is spectacular,
> almost ferocious. It is spreading faster than cellular phones,
> faster than fax machines. Last year the Internet was growing at
> a rate of twenty percent a *month.* The number of `host'
> machines with direct connection to TCP/IP has been doubling
> every year since 1988. The Internet is moving out of its
> original base in military and research institutions, into
> elementary and high schools, as well as into public libraries
> and the commercial sector.

References
==========

Bowers, K., T. LaQuey, J. Reynolds, K. Roubicek, M. Stahl, and A.
Yuan, ``Where to Start - A Bibliography of General Internetworking
Information'' (RFC-1175), CNRI, U Texas, ISI, BBN, SRI, Mitre,
August 1990.

The Whole Internet Catalog & User's Guide by Ed Krol. (1992)
O'Reilly and Associates, Inc.
--- A clear, non-jargonized introduction to the intimidating
    business of network literacy written in humorous style.

Krol, E., ``The Hitchhikers Guide to the Internet'' (RFC-1118),
University of Illinois Urbana, September 1989.

``The User's Directory to Computer Networks'', by Tracy LaQuey.

The Matrix: Computer Networks and Conferencing Systems Worldwide.
by John Quarterman. Digital Press: Bedford, MA.
(1990)
--- Massive and highly technical compendium detailing the
    mind-boggling scope and complexity of global internetworks.

``!%@:: A Directory of Electronic Mail Addressing and Networks'' by
Donnalyn Frey and Rick Adams.

The Internet Companion, by Tracy LaQuey with Jeanne C. Ryer (1992)
Addison Wesley.
--- ``Evangelical'' etiquette guide to the Internet featuring
    anecdotal tales of life-changing Internet experiences. Foreword
    by Senator Al Gore.

Zen and the Art of the Internet: A Beginner's Guide by Brendan P.
Kehoe (1992) Prentice Hall.
--- Brief but useful Internet guide with plenty of good advice on
    useful databases.

See also ftp.eff.com:/pub/internet-info/.

(Thanks to Bruce Sterling for contributions here.)

General
=======

Cunningham, Scott and Alan L. Porter. ``Communication Networks: A
dozen ways they'll change our lives.'' The Futurist 26, 1
(January-February, 1992): 19-22.

Brian Kahin, ed., BUILDING INFORMATION INFRASTRUCTURE (New York:
McGraw-Hill, 1992) ISBN# 0-390-03083-X
--- Essays on information infrastructure. Policy and design issues,
    research and NREN, future visions, information markets. See
    table of contents in ftp.eff.org:/pub/pub-infra/1992-03.

Shapard, Jeffrey. ``Observations on Cross-Cultural Electronic
Networking.'' Whole Earth Review (Winter) 1990: 32-35.

Varley, Pamela. ``Electronic Democracy.'' Technology Review
(November/December, 1991): 43-51.

______
<7.2> How is Internet `anarchy' like the English language?

According to Bruce Sterling :

> The Internet's `anarchy' may seem strange or even unnatural, but
> it makes a certain deep and basic sense. It's rather like the
> `anarchy' of the English language. Nobody rents English, and
> nobody owns English. As an English-speaking person, it's up
> to you to learn how to speak English properly and make whatever
> use you please of it (though the government provides certain
> subsidies to help you learn to read and write a bit).
> Otherwise, everybody just sort of pitches in, and somehow the
> thing evolves on its own, and somehow turns out workable. And
> interesting. Fascinating, even. Though a lot of people earn
> their living from using and exploiting and teaching English,
> `English' as an institution is public property, a public good.
> Much the same goes for the Internet. Would English be improved
> if the `The English Language, Inc.' had a board of directors
> and a chief executive officer, or a President and a Congress?
> There'd probably be a lot fewer new words in English, and a lot
> fewer new ideas.

_____
<7.3> Most Wanted list

Hopefully you have benefitted from this creation, compilation, and
condensation of information from various sources regarding privacy,
identity, and anonymity on the internet. The author is committed to
keeping this up-to-date and strengthening it, but this can only be
effective with your feedback. In particular, the following items are
sought:

- Short summaries of RFC documents and other references listed,
  esp. CPSR files.

- More data on the specific uses and penetration of RFC-931.

- Internet traffic statistics. How much is email? How much USENET?
  What are the costs involved?

- Famous or obscure examples of compromised privacy on the
  internet.

- FTP site for the code (NOT the code) to turn the .plan file into
  a named pipe for sensing/reacting to remote `fingers'.

- Knowledge on the `promiscuous' mode of receipt or transmission on
  network cards.

- Details on the infamous experiment where a scientist resubmitted
  previously accepted papers to a prominent journal with new and
  unknown authors that were subsequently rejected.

- X Windows, EFF, CPSR FAQhood in news.answers.

Commercial use of this document is negotiable and is a way for the
author to recoup from a significant time investment. Email feedback
to ld231782@longs.lance.colostate.edu. Please note where you saw
this (which newsgroup, etc.).
_____
<7.4> Change history

3/3/93 v2.1 (current)
  CPSR pointer, new UNIX mode examples, digital telephony act,
  Steve Jackson incident, additions/reorganization to anonymity
  section, part 3. Note: v2.0 post to sci.crypt, alt.privacy,
  news.answers, alt.answers, sci.answers was cancelled by J. Kamens
  because of incorrect subject line.

2/14/93 v2.0
  Major revisions. New section for X Windows. Some email privacy
  items reorganized to network security section. New sections for
  email liability issues, anonymity history and responsibilities.
  Split into three files. Many new sources added, particularly from
  EFF and CAF in new `issues' part. `commentary' from
  news.admin.policy. 21 day automated posting starts.

2/3/93 v1.0
  More newsgroups & FAQs added. More `Most Wanted'. Posted to
  news.answers. Future monthly posting to sci.crypt, alt.privacy.

2/1/93 v0.3
  Formatted to 72 columns for quoting etc. `miscellaneous,'
  `resources' sections added with cypherpunk servers and use
  warnings. More UNIX examples (`ls' and `chmod'). Posted to
  alt.privacy, comp.society.privacy.

1/29/93 v0.2
  `Identity' and `Privacy' sections added. `Anonymity' expanded.
  Remailer addresses removed due to lack of information and
  instability. Posted to sci.crypt.

1/25/93 v0.1
  Originally posted to the cypherpunks mailing list on 1/25/93 as
  a call to organize a list of anonymous servers.

Email ld231782@longs.lance.colostate.edu for earlier versions.

* * *

SEE ALSO
========

Part 1 (previous file)
------

<1.1> What is `identity' on the internet?
<1.2> Why is identity (un)important on the internet?
<1.3> How does my email address (not) identify me and my background?
<1.4> How can I find out more about somebody from their email address?
<1.5> Why is identification (un)stable on the internet?
<1.6> What is the future of identification on the internet?

<2.1> What is `privacy' on the internet?
<2.2> Why is privacy (un)important on the internet?
<2.3> How (in)secure are internet networks?
<2.4> How (in)secure is my account?
<2.5> How (in)secure are my files and directories?
<2.6> How (in)secure is X Windows?
<2.7> How (in)secure is my email?
<2.8> How am I (not) liable for my email and postings?
<2.9> How do I provide more/less information to others on my identity?
<2.10> Who is my sysadmin? What does s/he know about me?
<2.11> Why is privacy (un)stable on the internet?
<2.12> What is the future of privacy on the internet?

<3.1> What is `anonymity' on the internet?
<3.2> Why is `anonymity' (un)important on the internet?
<3.3> How can anonymity be protected on the internet?
<3.4> What is `anonymous mail'?
<3.5> What is `anonymous posting'?
<3.6> Why is anonymity (un)stable on the internet?
<3.7> What is the future of anonymity on the internet?

Part 3 (next file)
------

<8.1> What are some known anonymous remailing and posting sites?
<8.2> What are the responsibilities associated with anonymity?
<8.3> How do I `kill' anonymous postings?
<8.4> What is the history behind anonymous posting servers?
<8.5> What is the value of anonymity?
<8.6> Should anonymous posting to all groups be allowed?
<8.7> What should system operators do with anonymous postings?
<8.8> What is going on with anon.penet.fi maintained by J. Helsingius?

* * *

This is Part 2 of the Privacy & Anonymity FAQ, obtained via
anonymous FTP to
pit-manager@mit.edu:/pub/usenet/news.answers/net-privacy/ or
newsgroups news.answers, sci.answers, alt.answers every 21 days.

Written by L. Detweiler . All rights reserved.

Newsgroup: sci.crypt
document_id: 15178
From: ld231782@longs.lance.colostate.edu (L. Detweiler)
Subject: Privacy & Anonymity on the Internet FAQ (3 of 3)
Archive-name: net-privacy/part3
Last-modified: 1993/3/3
Version: 2.1

NOTES on ANONYMITY on the INTERNET
==================================

Compiled by L. Detweiler .

<8.1> What are some known anonymous remailing and posting sites?
<8.2> What are the responsibilities associated with anonymity?
<8.3> How do I `kill' anonymous postings?
<8.4> What is the history behind anonymous posting servers?
<8.5> What is the value of anonymity?
<8.6> Should anonymous posting to all groups be allowed?
<8.7> What should system operators do with anonymous postings?
<8.8> What is going on with anon.penet.fi maintained by J. Helsingius?

* * *

_____
<8.1> What are some known anonymous remailing and posting sites?

Currently the most stable of anonymous remailing and posting sites
is anon.penet.fi, operated for several months by julf@penet.fi, who
has system administrator privileges and owns the equipment. It
includes anonymized mail, Usenet posting, and return addresses (no
encryption). Send mail to help@penet.fi for information.

Hal Finney has contributed an instruction manual for the cypherpunk
remailers on the ftp site soda.berkeley.edu (128.32.149.19):
pub/cypherpunks/hal's.instructions. See also scripts.tar.Z (UNIX
scripts to aid remailer use) and anonmail.arj (MSDOS batch files to
aid remailer use).

ebrandt@jarthur.claremont.edu
-----------------------------

  Anonymized mail. Request information from above address.

elee7h5@rosebud.ee.uh.edu
-------------------------

  Experimental anonymous remailer run by Karl Barrus , with
  encryption to the server. Request information from that address.

hal@alumni.caltech.edu
----------------------

  Experimental remailer with encryption to server and return
  addresses. Request information from above address.

hh@soda.berkeley.edu
hh@cicada.berkeley.edu
hh@pmantis.berkeley.edu
----------------------

  Experimental remailer. Include header `Request-Remailing-To'.

nowhere@bsu-cs.bsu.edu
----------------------

  Experimental remailer allowing one level of chaining. Run by
  Chael Hall. Request information from above address.

phantom@mead.u.washington.edu
-----------------------------

  Experimental remailer with encryption to server. `finger' site
  address for information.

Notes
=====

- Cypherpunk remailers tend to be unstable because they are often
  running without site administrator knowledge.
  Liability issues are wholly unresolved.

- So far, all encryption is based on public-key cryptography and
  PGP software (see the question on cryptography).

- Encryption aspects (message text, destination address, replies)
  vary between sites.

- Multiple chaining, alias unlinking, and address encryption are
  mostly untested, problematic, or unsupported at this time.

_____
<8.2> What are the responsibilities associated with anonymity?

Users
-----

- Use anonymity only if you have to. Frivolous uses weaken the
  seriousness and usefulness of the capability for others.

- Do not use anonymity to provoke, harass, or threaten others.

- Do not hide behind anonymity to evade established conventions on
  Usenet, such as posting binary pictures to regular newsgroups.

- If posting large files, be attentive to bandwidth considerations.
  Remember, simply sending the posting to the service increases
  network traffic.

- Avoid posting anonymously to the regular hierarchy of Usenet;
  this is the most likely place to alienate readers. The `alt'
  hierarchy is preferred.

- Give as much information as possible in the posting (i.e.
  references, etc.) Remember that content is the only means for
  readers to judge the truth of the message, and that any
  inaccuracies will tend to discredit the entire message and even
  future ones under the same handle.

- Be careful not to include information that will reveal your
  identity or enable someone to deduce it. Test the system by
  sending anonymized mail to yourself.

- Be aware of the policies of the anonymous site and respect them.
  Be prepared to forfeit your anonymity if you abuse the privilege.

- Be considerate and respectful of others' objections to anonymity.

- ``Hit-and-run'' anonymity should be used with utmost reservation.
  Use services that provide anonymous return addresses instead.

- Be courteous to the system operator, who may have invested large
  amounts of time, be personally risking his account, or dedicating
  his hardware, all for your convenience.
Operators
---------

- Document thoroughly acceptable and unacceptable uses in an
  introductory file that is sent to new users. Have a coherent and
  consistent policy and stick to it. State clearly what logging and
  monitoring is occurring. Describe your background, interest, and
  security measures. Will the general approach be totalitarian or
  laissez-faire?

- Formulate a plan for problematic ethical situations and
  anticipate potentially intense moral quandaries and dilemmas.
  What if a user is blackmailing someone through your service? What
  if a user posts suicidal messages through your service? Remember,
  your users trust you to protect them.

- In the site introductory note, give clear examples of situations
  where you will take action and what these actions will be (e.g.
  warn the user, limit anonymity to email or posting only, revoke
  the account, 'out' the user, contact local administrator, etc.)

- Describe exactly the limitations of the software and hardware.
  Address the bandwidth limitations of your site. Report candidly
  and thoroughly all bugs that have occurred. Work closely with
  users to isolate and fix bugs. Address all bugs noted below under
  ``(in)stability of anonymity''.

- Document the stability of the site---how long has it been
  running? What compromises have occurred? Why are you running it?
  What is your commitment to it?

- Include a disclaimer in outgoing mail and messages. Include an
  address for complaints, ideally appended to every outgoing item.
  Consult a lawyer about your liability.

- Be committed to the long-term stability of the site. Be prepared
  to deal with complaints and `hate mail' addressed to you. If you
  do not own the hardware the system runs on or are not the system
  administrator, consult those who do and are.

- Be considerate of providing anonymity to various groups. If
  possible, query group readers.

- Keep a uniformity and simplicity of style in outgoing message
  format that can be screened effectively by kill files.
  Ensure the key text `Anon' is somewhere in every header.

- Take precautions to ensure the security of the server from
  physical and network-based attacks and infiltrations.

Readers
-------

- Do not complain, attack, or discredit a poster for the sole
  reason that he is posting anonymously, make blanket condemnations
  that equate anonymity with cowardice and criminality, or assail
  anonymous traffic in general for mostly neutral reasons (e.g. its
  volume is heavy or increasing).

- React to the anonymous information unemotionally. Abusive posters
  will be encouraged further if they get irrationally irate
  responses. Sometimes the most effective response is silence.

- Notify operators if very severe abuses occur, such as piracy,
  harassment, extortion, etc.

- Do not complain about postings being inappropriate because they
  offend you personally.

- Use kill files to screen anonymous postings if you object to the
  idea of anonymity itself.

- Avoid the temptation to proclaim that all anonymous postings
  should be barred from particular groups because no `possible' or
  `conceivable' need exists.

References
----------

See e.g. ftp.eff.org:/pub/academic/anonymity:

> This article is an excerpt from an issue of FIDONEWS on individual
> privacy and the use of handles. It accepts the need of a system
> operator to know the name of a user; but suggests that the use of
> a handle is analogous to a request to withhold the name in a
> letter to the editor. The article concludes with a set of
> guidelines for preserving the right to be anonymous.

_____
<8.3> How do I `kill' anonymous postings?

James Thomas Green :

> Try putting this in your kill file:
>
> /Anon/h:j
> /Anonymous/h:j
>
> This will search the headers of the messages and kill any that
> contain `Anon' or `Anonymous' in them. Not perfect and won't
> kill followups.
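To make concrete what the two kill-file entries above do and do not catch, here is an added example (not part of the FAQ or of any newsreader's code) that applies rn/trn-style `/pattern/h:j` rules to a few constructed article headers. It assumes, as those newsreaders do, that the `h` modifier searches the whole header block while an entry without it searches only the Subject line; the sample articles and addresses are invented for the demonstration. The followup from a non-anonymous poster survives, which is the gap the quoted advice warns about.

```python
import re

# Constructed sample article headers (not real Usenet traffic).
SAMPLE_ARTICLES = {
    "anon1": (
        "From: an12345@anon.penet.fi (Anonymous)\n"
        "Subject: question about job sharing\n"
        "Newsgroups: misc.kids\n"
    ),
    # Followup by a named poster: the headers never mention "Anon".
    "followup": (
        "From: alice@example.invalid (Alice Example)\n"
        "Subject: Re: question about job sharing\n"
        "Newsgroups: misc.kids\n"
    ),
    "anon2": (
        "From: nobody@remailer.example.invalid\n"
        "Subject: Anon: a different topic\n"
        "X-Anon-Handle: an9876\n"
        "Newsgroups: alt.privacy\n"
    ),
}

# The two entries quoted in the FAQ.
KILL_FILE = "/Anon/h:j\n/Anonymous/h:j\n"


def parse_kill_file(text):
    """Parse entries of the form /pattern/[h]:j into (regex, scope).

    Assumption modelled on rn/trn: 'h' means search the whole header
    block; with no modifier only the Subject line is searched.
    """
    rules = []
    for line in text.splitlines():
        m = re.fullmatch(r"/(.+?)/(h?):j", line.strip())
        if m:
            scope = "header" if m.group(2) else "subject"
            rules.append((re.compile(m.group(1)), scope))
    return rules


def header_field(headers, name):
    """Return the value of the first header named `name` (case-insensitive)."""
    for line in headers.splitlines():
        if line.lower().startswith(name.lower() + ":"):
            return line.split(":", 1)[1].strip()
    return ""


def is_killed(headers, rules):
    """True if any rule's pattern matches within its scope."""
    for regex, scope in rules:
        text = headers if scope == "header" else header_field(headers, "Subject")
        if regex.search(text):
            return True
    return False


def apply_kill_file(articles, kill_text):
    """Return the sorted ids of articles the kill file would junk."""
    rules = parse_kill_file(kill_text)
    return sorted(aid for aid, hdr in articles.items() if is_killed(hdr, rules))


if __name__ == "__main__":
    print("junked:", apply_kill_file(SAMPLE_ARTICLES, KILL_FILE))
```

Running it junks `anon1` (the From line carries "Anonymous") and `anon2` (Subject and an extra header carry "Anon"), while the followup passes through untouched; a Subject-only rule such as `/Anon/:j` would catch only `anon2`.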
Note that anonymous server operators have the capability to mask
anonymous postings under which the above method will not work; so
far this practice is not widespread, but it may become more common
as a countermeasure to widespread anonymous filtering.

_____
<8.4> What is the history behind anonymous posting servers?

Originally anonymous posting services were introduced for
individual, particularly volatile newsgroups, where anonymity is
almost the preferred method of communication, such as talk.abortion
and alt.sex.bondage. One of the first was one by Dave Mack started
in ~1988 for alt.sex.bondage. Another early one was
wizvax.methuen.ma.us run by Stephanie Gilgut (Gilgut Enterprises)
but was disbanded due to lack of funds. The system provided
anonymous return addresses. n7kbt.rain.com (John Opalko) took up the
functions of this server, including reinstating the anonymous alias
file. The group ``alt.personals has been chewing through servers
like there's no tomorrow.''

Spurred by the disappearance of `wizvax' and interested in
researching the idea, Karl Kleinpaste developed his own system from
scratch in six hours. By this time the idea of extending the server
to new, more `mainstream' groups was starting to emerge, and he
explored the possibility partly at the specific request by multiple
users for anonymity in other groups. ``The intended advantage of my
system was specifically to allow multiple group support, with a
single anon identifier across all. This was arguably the single
biggest deficiency of previous anon systems.'' K. Kleinpaste posted
a message on rec.nude asking users whether an anonymous service
would be welcome there, and judged a consensus against it.

K. Kleinpaste introduced what he calls a ``fire extinguisher'' to
`squelch' or `plonk' abusive users in response to complaints, and
used this in three cases. Nevertheless, after a few months of
intense traffic he was eventually overwhelmed by the abuses of his
server.
``Even as restricted as it was, my system was subjected to abuses to
the point where it was ordered dismantled by the facilities staff
here. Such abuses started right after it was created.''

In ~Nov 1992, Johan Helsingius (julf@penet.FI) set up the most
controversial anonymous site to date. anon.penet.fi is based on
scripts and C code written by K. Kleinpaste and supports anonymized
mail, posting, and return addresses. He initially wanted to confine
the service to Scandinavian users but expanded it to worldwide
accessibility in response to 'lots' of international requests.

J. Helsingius' policy of allowing anonymous posting to every Usenet
newsgroup has been met with strong and serious ideological
opposition (e.g. by news administrators in news.admin.policy).
Because of the relative newness and recent emergence of the medium,
abuses by anonymous posters tend to have higher visibility than
``routine'' abuses. His total commitment to preservation of
anonymity is also controversial.

For example, in a highly controversial and publicized case in ~Feb
1993, an anonymous user posted a supposed transcript of desperate
crew dialogue during the Challenger shuttle disaster via
anon.penet.fi to sci.astro. Despite the fact that the transcript had
been posted in the same place up to a year earlier (then
non-anonymously) and actually originated not with the poster but a
New York news tabloid, subsequent responses consisted largely of
vociferous outrage at the poster's use of anonymity, reverberating
through many newsgroups. The original poster, using the same
anonymous handle, later conceded that the story ``seemed likely to
have been fabricated,'' suggesting the plausible possibility that
the original intent was not to provoke outrage but gauge reactions
on the authenticity of the story (albeit crudely), free of personal
risk from perceived association with the item. The ensuing
commotion generated queries for the original article by
late-entering readers.
The anonymous user later posted deliberately offensive comments at
his detractors.

Despite piercingly irate and outraged complaints, and even the vocal
opposition and verbal abuse of K. Kleinpaste and eminent news
operators, J. Helsingius has largely avoided use of the ``fire
extinguisher'' and the ``group bouncer'' mechanisms that limit the
scope of the service. As of ~March 1993 the anon.penet.fi site is
best described as `inundated': it has registered over 13,000 users
in its initial three months of operation, forwards ~3000 messages a
day, and approximately 5% of all Usenet postings are anonymized
through the site. The immense popularity is probably largely due to
the capability for `global' anonymity which has allowed users to
find creative uses in diverse areas not previously envisioned.

Johan Helsingius has been subject to extraordinary pressure to
dismantle his server in ~Feb 1993. At one point K. Kleinpaste
threatened publicly to organize a sort of vigilante group of irate
news operators to send out revocation commands on all messages
originating from the site. J. Helsingius has also alluded to threats
of flooding the server. The server has crashed several times, at
least once due to a saturation `mailbombing' through it by an
anonymous user. Mr. Helsingius reports spending up to 5 hours per
day answering email requests alone associated with the service's
administration. In response to the serious threats he disabled
global group access temporarily for one week and encouraged his
users to defend the service publicly.

Based on fast-moving dialogue and creative suggestions by
``cypherpunks,'' J. Helsingius has identified many security
weaknesses and valuable new features for the service, and is
currently in the process of code development and testing.
He is planning on upgrading the IBM compatible 386 machine to a 486
soon to handle the voluminous load and is considering integrating a
new system with very sophisticated functionality, including multiple
email aliases, alias allocation control, public-key encryption, etc.

A very sophisticated anonymous posting system was set up in Dec.
1992 by D. Clunie that used cryptography in both directions
(to/from) the server for the highest degree of confidentiality seen
so far. However, it was running on a public access account, and he
had to shut it down after only several weeks, upon receiving
requests and conditions apparently ultimately originating from NSF
representatives. D. Clunie has released the software to the public
domain.

Recently the idea of a newsgroup devoted to `whistleblowing' on
government abuses has received wide and focused attention, and group
formation is currently underway. In the basic scenario the group
would allow people to post pseudonymously using remailers, and even
establish reputations based on their authenticatable digital
signatures. The traffic may eventually reach reporters in the
mainstream news media. deltorto@aol.com has volunteered to attack
multiple aspects of this project, including distributing
easy-to-read documentation on posting, anonymization, and
encryption.

See also sections on ``views on anonymous posting'' below and ``what
is going on with anon.penet.fi?'' in this document.

(Thanks to Karl Kleinpaste , David Clunie and Johan Helsingius for
contributions here.)

_____
<8.5> What is the value of anonymity?

KONDARED@PURCCVM.BITNET:

> I think anonymous posts do help in focusing our attention on the
> content of one's message. Sure lot of anonymous posts are abusive
> or frivolous but in most cases these are by users who find the
> anon facility novel. Once the novelty wears off they are stopping
> their pranks...
morgan@engr.uky.edu (Wes Morgan):

> I don't mind seeing the miscellaneous hatred/prejudice/racism;
> those things are part of our nature. However, the notion of
> providing anonymity's shield for these ideas repulses me. If
> they have such strong feelings, why can't they put their name(s)
> on their postings? ... Quite frankly, I loathe communication
> with people who refuse to use their names.

dclunie@pax.tpa.com.au (David Clunie):

> Many seem to question the value of anonymity. But who are they to
> say what risks another individual should take ? There is no
> question that in this rather conservative society that we live
> in, holding certain views, making certain statements, adopting a
> certain lifestyle, are likely to result in public censure,
> ridicule, loss of status, employment, or even legal action. Given
> the heterogeneity of the legal jurisdictions from where the many
> contributors to usenet post, who knows what is legal and what is
> not ! Some say that anonymous posters are "cowards" and should
> stand up and be counted. Perhaps that is one point of view but
> what right do these detractors have to exercise such censorship ?

From: doug@cc.ysu.edu (Doug Sewell)

> Why is it censorship to not expect someone to speak for
> themselves, without the cloak of anonymity. This is at best a
> lame argument.
>
> You tell me why what you have to say requires anonymity. And you
> tell me why the wishes of a majority of non-anonymous users of a
> newsgroup should be disregarded when they don't want anonymous
> posts.
>
> Anonymous users have LESS rights than any others. They are not
> legitimate usenet participants. I would not honor RFDs, CFVs,
> control messages, or votes from one.

brad@clarinet.com (Brad Templeton):

> I can think of no disadvantage caused by anon posting sites that
> doesn't already exist, other than the fact that they do make more
> naive net users who don't know how to post anonymously the old
> way more prone to do it.
From: mandel@netcom.com (Tom Mandel) > I cannot speak for others but I regard anonymous postings in a > serious discussion as pretty much worthless. ... views that hide > behind the veil of anon are hardly worth the trouble of reading. n8729@anon.penet.fi (Hank Pankey) > Since I began posting anonymously (to show support for general > principles of personal privacy) I have been subject to far more > abuse and attack than I ever received before. People seem to > find it easier to flame and insult someone whose name they don't > know. Perhaps it's easier to pretend that there is no person > behind the email address who feels the sting of abusive comments. > > Anonymity does hinder some methods of controlling other posters' > actions. People who seek such control will naturally oppose it. From: 00acearl@leo.bsuvc.bsu.edu > Instead of making this a "free-er medium" by allowing posters to > "protect themselves" with anonymity, simply require that all > posters be prepared to discuss their sources of information and > take the heat for unsubstantiated dribble. This seems to be the > way things are currently done; xtkmg@trentu.ca (Kate Gregory): > In misc.kids there are three threads going on started by anonymous > posters. One was about changing jobs so as to work less hours, > job sharing and so on, from a woman who didn't want anyone at her > current place of work to know she was thinking of looking for > work elsewhere. The next was from a woman who is thinking of > having a baby sometime soon and doesn't want coworkers, friends, > family etc etc to know all about it, but who wants advice. The > third is about sex after parenthood -- actually this was started > by people posting in the usual way but then it was pointed out > that the anonymous posting service might let more people > participate. > > Misc.kids doesn't seem to be suffering any harm from the presence > of anonymous posters; in fact it seems to have been helped by it. 
hoey@zogwarg.etl.army.mil (Dan Hoey): > While there has never been any real security against anonymous or > forged postings on Usenet, the process has until now been > sufficiently inconvenient, error-prone, and undocumented to limit > its use by persons who have not learned the culture of the net. > > On the other hand, a recent use of the anonymous posting service > on sci.math seemed seemed to be a student asking help on a > homework problem. It has now been attributed to a teacher, > asking for an explanation of a dubious answer in his teaching > guide. He says his news posting is broken, so he is using the > anonymous service as a mail-to-news gateway. Karl Barrus > Some argue that the opinions of the people who hide behind a veil > of anonymity are worthless, and that people should own up to > their thoughts. I agree with the latter point - in an ideal > world we would all be sitting around engaging in Socratic > dialogues, freely exchanging our opinions in an effort to > learn. But in an ideal world nobody will threaten you for your > thoughts, or ridicule you. > > But we live in a world where the people who don't agree with you > may try to harm you. Let's face it, some people aren't going to > agree with your opinion no matter how logically you try to > present it, or how reasoned out it may be. This is sad since it > does restrict people from voicing their opinions. red@redpoll.neoucom.edu (Richard E. Depew): > The consensus seems to be that a general anonymous posting service > such as that at anon.penet.fi seems sufficiently corrosive of the > trust and civility of the net that this particular experiment > should be ended. Perhaps the next time the question comes up we > can say: "We tried it - we learned it does more harm than good - > and we stopped it." From: C96@vm.urz.uni-heidelberg.de (Alexander EICHENER) > anonymous posting has not created major problems aside from > angering irate people (like you?) 
who would rather ban > anonymous/pseudonymous posting altogether because "real men can > stand up for what they said" or comparable puerile arguments as > others have brought up. dave@elxr.jpl.nasa.gov (Dave Hayes): > What a primal example of human nature. I have three questions for > you folks. > > Do people really say different things to each other based upon > whether their identity is or isn't known? > > Are people really so affected by what other people say that the > verbage is labeled "abuse"? > > Most importantly, on a forum that prizes itself on the freedom of > communication that it enjoys, is there really such a thing as > freedom of communication? From: terry@geovision.gvc.com (Terry McGonigal) > ... Just how many anon services are needed? Will > *everybody* start running one soon? What's the purpose? Who > stands to benefit when there are N anon services, then 2*N, then > N^2, out there. Where *has* this sudden fasination with anon > services come from? > > For better or (IMHO) worse, it looks like we'er gonna get stuck > with these things, and as much as I don't like the idea (of > services like this becoming the norm) I don't really think > there's much to be done since it's obvious that anyone who wants > to can set one up with a bit of work. Karl_Kleinpaste@cs.cmu.edu (Karl Kleinpaste): > Weak reasoning. > With freedom comes responsibility. dave@elxr.jpl.nasa.gov (Dave Hayes): > Responsibility isn't real if it is enforced. True responsibilty > comes with no coercion. _____ <8.6> Should anonymous posting to all groups be allowed? morgan@engr.uky.edu (Wes Morgan): > I will be the first to admit that I hold some controversial > opinions; indeed, I'm sure that none of us are completely > orthodox in our opinions. However, I've received *hundreds* of > anonymous email messages over the last few years; fewer than 20 > of them were "reasonable posts made with good motives." 
> It's getting more and more difficult to remember why we need anonymity at all; the abusers are (once again) lousing things up for those who truly need the service (or those who would put it to good use).
>
> I'm not suggesting that we should ban anonymous servers; as I've said, there are several situations in which anonymity is a Good Thing (tm).
>
> However, the notion that anonymity's shield should be automatically extended to every Usenet discussion is ridiculous; it opens the door to further abuse.

twpierce@unix.amherst.edu (Tim Pierce):

> Of course, how does one determine whether a "group" requests the service? A flat majority of posters voting in favor? A positive margin of 100 votes? Or what? No one speaks for a newsgroup.
>
> I'm not convinced by the arguments that an anonymous posting service for all newsgroups is inherently a bad idea, simply because it's a diversion from the status quo. Since the status quo previously permitted anonymous posting to *no* newsgroups, any anonymous posting service would reject the status quo.

hartman@ulogic.UUCP (Richard M. Hartman) writes:

> It is fascist to suggest that a newsgroup is best able to decide whether it wants to allow anonymous postings instead of having them forced upon them by a service administrator?

ogil@quads.uchicago.edu (Brian W. Ogilvie):

> The service provides a mechanism for forwarding mail to the original poster. Since most Usenet readers don't know John Smith from Jane Doe except by their opinions and their address, the effect of having an anonymous posting to which mail replies can be directed is minimal, except for those who personally know the poster--and ... the lack of anonymity could be serious. Any mechanism like this is liable to abuse, but the benefits as well as the costs must be weighed. Limiting the service to alt groups, or specific groups, would not help those who want advice on sensitive issues in more 'professional' newsgroups.

From: tarl@sw.stratus.com (Tarl Neustaedter)

> An additional point is that some of us find anonymity in technical matters to be profoundly offensive; anonymity in different forums has different meanings. If I get a phone call from someone who won't identify himself, I hang up. If I get U.S. mail with no return address, it goes into the garbage unopened. If someone accosts me in the street while wearing a mask, I back away - carefully, and expecting violence. In a technical discussion, anonymity means that the individual isn't willing to associate himself with the matter being discussed, which discredits his utterances and makes listening to them a waste of time.
>
> Anonymity leads to fun psych experiments; the literature is filled with all the various things that people will do anonymously that they won't otherwise. Including one notorious study involving torture that would not have passed today's ethical standards. Fun stuff, in any case.
>
> FINE. LEAVE US OUT OF IT.

From: jbuck@forney.berkeley.edu (Joe Buck)

> You obviously have never submitted an article to a refereed journal, where you will receive anonymous reviews through a server (the editor) that behaves much like the one in Finland (e.g. you may reply and the editor will maintain the anonymity). ... Your comparison of someone who wants to express him/herself on a technical issue anonymously with a person who approaches you on a dark street with a ski mask is just emotionally overwrought nonsense; such posters pose no physical threat to you.

jik@mit.edu (J. Kamens):

> It seems obvious to me that the default should be *not* to allow anonymous postings in a newsgroup. The Usenet has always operated on the principle that the status quo should be kept unless there's a large number of people who want to change it.
>
> If someone REALLY needs to post a message anonymously in a newsgroup in which this usually isn't done, they can usually find someone on the net to do this for them. They don't need an automated service to do it, and the automated service is by its nature incapable of making the judgment call necessary to decide whether a particular posting really needs to be anonymous.

From: twpierce@unix.amherst.edu (Tim Pierce)

> For any newsgroup you name, I bet I can envision a scenario involving a need for secrecy. If an accurate content-based filter of each anonymous posting could be devised to screen out those that don't require secrecy, wonderful. But it can't be done.

From: lhp@daimi.aau.dk (Lasse Hillerøe Petersen)

> If a newsgroup wants to be noise- and nuisance-free, then it should call for moderation. This should happen on a per-newsgroup basis, and not as a general USENET ban on anonymous postings. Of course one principle of moderation might be to keep out all anonymous postings, and could be achieved automatically. It would still be _moderation_. Personally I would prefer moderation criteria being based on actual content.

David A. Clunie (dclunie@pax.tpa.com.au)

> If a "group" doesn't want to receive certain posts it should become moderated - there are clearly defined mechanisms on non-alt groups for this to take place. An automated moderator excluding posts from certain (eg. anonymous) sites or individuals could easily be established. If anyone wants to take such a draconian approach then they are welcome to do so and good luck to them. I doubt if I will be reading their group!

From: dave@frackit.UUCP (Dave Ratcliffe)

> What possible need would someone have for posting anonymously to a sci.* group?
>
> Sure most adults are willing to post under their own names. Why would they want to hide behind an anonymous posting service? Ashamed of what they have to say or just trying to rile people without fear of being identified?
>
> Anonymous postings have their place in CERTAIN groups. If I or anyone else needs to tell you what those groups are then you've been on another planet breathing exotic gases for too long.

From: Karl_Kleinpaste@cs.cmu.edu

> It's bloody fascinating that (all?) the proponents of unimpeded universal anon posting access can't seem to find any middle ground at all. Why is there such a perception of absolutism? Where does this instant gratification syndrome come from, "I want anon access and I want it NOW"? Who are the control freaks here?

From: 00acearl@leo.bsuvc.bsu.edu

> Remember, this is a newsgroup for posters writing about SCIENTIFIC issues. Anonymous discussion of scientific issues leads to bad science.

From: noring@netcom.com (Jon Noring)

> Though many have personal philosophical arguments against anonymous posters, their arguments have not been compelling enough to convince me that omni-newsgroup anonymous posting should be banned or severely restricted. Though I cannot prove it, it seems to me that those who do not like anonymous posting (in principle) do so for reasons that are personal (read, psychological discomfort) rather than for reasons related to maintaining the "integrity" of Usenet.
>
> Remember, it is impossible to be able to ascertain all the conceivable and legitimate motives for anonymous posting to newsgroups one normally would not deem to be "sensitive". ... in general, I fear even letting newsgroup readers vote on either allowing or not allowing anonymous posting, since a priori they *cannot* know all the motives of *legitimate* posters, and I do not believe that any system should ever be instituted that would inhibit the posting of legitimate and informative posts.

lestat@wixer.cactus.org (Lyle J. Mackey) writes:

> I personally don't believe that pseudonymous postings are appropriate in a serious discussion area. If there is a LEGITIMATE reason for concealing the posters' identity, perhaps, but simply because they're not so sure if they want their name attached doesn't qualify as LEGITIMATE in my book. (Oh, and if you can come up with a legitimate purpose for anonymous postings, please, enlighten me.)

sderby@crick.ssctr.bcm.tmc.edu (Stuart P. Derby)

> Three of our (the U.S.'s) founding fathers, Madison, Hamilton, and Jay, seemed to think "anonymous posting" was OK. The Federalist papers were originally printed in New York newspapers with authorship attributed to "Publius". I wonder if you would find their purpose "LEGITIMATE"?

_____

<8.7> What should system operators do with anonymous postings?

From: emcguire@intellection.com (Ed McGuire)

> I would like to know how to junk all articles posted by the anonymous service currently being discussed. Ideally I would actually tell my feed site not to feed me articles posted by the anonymous service. Assuming the C News Performance Release, what is a simple way to accomplish this? Or where should I look to learn how to do it myself?

From: dclunie@pax.tpa.com.au (David Clunie)

> That's a bit draconian, isn't it? Have your users unanimously decided that they would like you to do this or have you decided for them?

From: emcguire@intellection.com (Ed McGuire)

> Good question. Nobody has decided. I have no definite plan to do this, just wanted the technical data.

Karl Kleinpaste (Karl_Kleinpaste@godiva.nectar.cs.cmu.edu):

> ...were I to be in the position of offering such a service again, my promises of protection of anonymity would be limited. Not on the basis of personal opinion of what gets posted, but on the basis of postings which disrupt the smooth operation of the Usenet. The most obvious and direct recourse would be to `out' the abusive individual.
> Less drastic possibilities exist -- the software supports a "fire extinguisher" by which individuals can be prevented from posting.

john@iastate.edu (John Hascall):

> Since when is Usenet a democracy? If someone wants to run an anonymous service, that's their business. If you want to put that host in your killfile, that's your business. If a newsadmin wants to blanket-drop all postings from that site, that's between them and the other people at that site. If everyone ignores a service, the service effectively doesn't exist.

From: jik@athena.mit.edu (Jonathan I. Kamens)

> NNTP servers that allow posting from anyone are NOT "a service to the net." They do the net a disservice.
>
> Terminal servers have the same problems as open NNTP servers -- they allow people who want to do illegal/immoral/unethical things on the Internet to do so without accountability.
>
> There are, by now, public access sites all over this country, if not all over the world, that allow very inexpensive access to the Usenet and the Internet. There is no reason for NNTP servers to allow anyone to post messages through them, and there is no reason for terminal servers to allow anyone to connect to them and then make outbound connections through them. Perhaps when it was harder to get to the Internet or the Usenet, open servers could be justified, but not now.

jbotz@mtholyoke.edu (Jurgen Botz):

> I think that what ... these points show clearly is that an anonymous posting service has a great deal of responsibility, both towards its clients and towards the Net as a whole. Such a service should (IMHO) have a set of well-defined rules and a contract that its clients should sign, under the terms of which they are assured anonymity.

From: an8785@anon.penet.fi

> Is the problem that some are used to "punishing" posters who are upsetting in some vague way by complaining to the (usually acquiescent) sysadmin or organizations that the poster belongs to? That surely is the most gutless approach to solving problems, but my experience on the net shows that the same users who vilify anonymous postings are the first to write obsessively detailed grievances to the poster's supervisor when his or her tranquility is disturbed by some "intrusive" or subversive post or another.
>
> Anonymous postings prevent just this kind of intimidation.

From: gandalf@cyberspace.org (Eric Schilling)

> The main point I would like to make here is that while we can go through and revise the news sw to "reject anon posts to technical newsgroups" or some such thing, I think the attempt will prove futile. Each attempt to modify news can result in a changed approach by anon service providers to thwart the change. I think this would be pointless.

From: julf@penet.fi (Johan Helsingius)

> I have tried to stay out of this discussion, and see where the discussion leads. But now I really feel like I have to speak up. ... I have repeatedly made clear ... that I *do* block users if they continue their abuse after having been warned. In many cases the users have taken heed of the warning and stopped, and in some cases even apologized in public. And when the warning has not had the desired effect, I have blocked a number of users. I have also blocked access to groups where the readership has taken a vote to ban anonymous postings, although I feel changing the newsgroup status to moderated is the only permanent solution for newsgroups that want to "formalize" discussion.

red@redpoll.neoucom.edu (Richard E. Depew)

> Does this ... mean that you are volunteering to issue a Request For Discussion to ban anonymous postings or to moderate each of the 4000+ newsgroups that your server can reach? I don't think so, but this illustrates the trouble that your server is causing!
>
> please listen to the consensus of the news administrators in this group: any newsgroup should be consulted *before* letting your server post messages to that group.

From: C96@vm.urz.uni-heidelberg.de (Alexander EICHENER)

> There is no pompous "consensus of *the* news administrators" here - maybe you would like to invent one. There is a sizeable number of people who are concerned about the possible (and, to a minor extent, about the actual abuse of the server as it is configured now). These concerns are respectable; Johan is dealing with them. ... There are some (few) who rage with foam before their mouth and condemn the service altogether. And a number who defend it, pointing out, like Kate Gregory, that even a group like misc.kids can benefit from pseudonymous postings.

From: julf@penet.fi (Johan Helsingius)

> I have answered a lot of personal mail related to server abuse, and as a result of that, blocked a number of abusive users. I have also withdrawn the service from several newsgroups where the users have taken a vote on the issue. I have not made any comments on news.admin.policy, partly because the newly-implemented password feature (as an emergency measure against a security hole) has kept me really busy answering user queries the last two weeks, and partly because I feel it is not for me to justify the service, but for the users. The problem with news.admin.policy is that the readership is rather elective, representing people with a strong interest in centralised control.

From: hartman@ulogic.UUCP (Richard M. Hartman)

> This seems to be a rather bigoted attitude. I would consider that this group is for anyone who wishes to discuss how the net should be controlled. Saying that we only have an interest in "centralized control" is a clear indication of bias. You are perfectly welcome to join in the discussions here to promote your views on control.

jbuck@ohm.berkeley.edu

> This whole debate is a lot of "sound and fury signifying nothing" because, even if you all decide to ban anonymous posting servers, it is not enforceable. The only people who conceivably could enforce restrictions are those that control the international links.
>
> Policy changes should be made by cooperation, not by attempting to dictate. ...you need to persuade those who run the services to act like this through friendly persuasion, not by trying to beat them over the head with a stick (especially a stick you don't even have).

spp@zabriskie.berkeley.edu (Steve Pope)

> I am finding this bias against pseudonymity boring. Our friend posting through penet has a point. The old guard would like to keep their network the way it always has been... and this new thing, these pseudonymous servers, cuts into their turf. So they whine and bitch about it, and every time there's the slightest abuse (such as somebody's .sig being too long), they try to parlay that into an argument against pseudonymity.
>
> I'll go on record as saying: three cheers for the admins at anon servers like penet, pax, and n7kbt... and for all the access service providers who are willing to preserve their clients' privacy.
>
> And a pox on those who try to defeat and restrict pseudonymity.

mimir@stein.u.washington.edu (Al Billings)

> I wouldn't help people get rid of anon postings as a group. If you don't like what someone says, then you put THAT anon address in your kill file, not all of them. Of course, if and when I get an anon site going, I'm just going to assign fake names like "jsmith" instead of "anon5564" to avoid most of the hassles. You'll never know it is anonymous will you?

From: anne@alcor.concordia.ca (Anne Bennett)

> I must admit to some astonishment at this argument. I see the value of anonymous postings under some circumstances, yet believe strongly that these should be identified as such, so that people who do not wish to read material from people who won't identify themselves, don't have to.
>
> I fail to see what good you would be accomplishing, and indeed surmise that you will cause many people inconvenience and annoyance, by hiding the anonymity of postings from your anonymous site. Would you care to justify where the hell you get the gall to try to prevent people from effectively filtering their news as they see fit?

From: dclunie@pax.tpa.com.au (David Clunie)

> I thought I was out of reach here in Australia too. Unfortunately one of the US sites involved in the US/Aus feed complained to the Australian Academic Research Network through whom my site is connected, not about anything in particular, just the concept of anonymous mail having no redeeming features and consuming a narrow bandwidth link (with which I can't argue) and that was that ... stop the service or face disconnection.
>
> I consider the demise of [my] service to have been rather unfortunate, and I wish the Finnish remailer luck! It is a pity that there are very few if any similar services provided within the US. I guess that's the benefit of having a constitution that guarantees one freedom of speech and a legal and political system that conspires to subvert it in the name of the public good.

_____

<8.8> What is going on with anon.penet.fi run by J. Helsingius?

From: Karl_Kleinpaste@cs.cmu.edu

> Funny, how beating the rest of the Usenet over the head with a stick is OK if it's anon.penet.fi and universal anon access. But somehow people on the other side of the same equation (not even arguing to shut it off entirely, but rather just to have some control applied to the abuses that manifest themselves) aren't allowed to do that.
>
> I have written to Johan several times in the last couple of weeks.
> He used to reply to me quite readily. After all, I was the source of the software as originally delivered to him -- he used to be downright _prompt_ about replying to me. Funny, now he's being an impolite bastard who doesn't answer mail _at_all_, even when it consists of really very civil queries.

From: julf@penet.fi (Johan Helsingius)

> In your mail you told me you sent me one or more messages on Feb. 8th. Feb 7th and 8th the server was down, and the flood of mail that resulted from the server coming up again crashed my own mail host. The problem was aggregated by an abusive user sending thousands of messages to another user, filling up that user's mailbox. The bounce messages ended up in my mailbox, overflowing my local disk as well.
>
> I can only suppose that your message got lost in that hassle, as I have tried to answer as much as possible of the anon-related messages I get, from routine mis-addressed messages to complaints about the service. On the average I spend 4-5 hours per day answering anon-related messages.

From: Karl_Kleinpaste@cs.cmu.edu

> Why is it that everybody else has to put up with the impoliteness and insensitivity of the misuse of anon.penet.fi? Whose definitions of "polite" and "sense" apply, and why? Why is universal anon access considered to be within the realm of this fuzzy concept of "politeness" in the first place?
>
> I think Johan has long since crossed the line into being a rude bastard, and I told him so in private mail a little while ago.
>
> At this point, I deeply regret [a] having created an anonymous system supporting >1 newsgroup and [b] having given the code to Johan. I didn't copyright it, but I thought that some concept of politeness and good sense might follow it to new homes. Interesting that Johan's ideas of politeness and good sense seem to have nearly no intersection with mine. I could even cope with universal anon access _if_ Johan would be willing to engage in abuse control, but somehow that seems to be outside the range of reality...

From: julf@penet.fi (Johan Helsingius)

> There is no way for me to convey how sad and upset your message made me. I do, to some extent, understand your feelings, but it still feels really bad. Running the server requires getting used to a lot of flames, but mindlessly abusive hate mail is so much easier to deal with than something like this, as I do respect and value your views and opinions to a high degree. No, I'm not asking for sympathy, I just wanted you to know that I am really giving your views quite a lot of weight.
>
> When I asked for the software, I was actually only going to provide the service to Scandinavian users. But a lot of people requested that I keep the service open to the international community. I now realize that I ought to have contacted you at that point to ask how you feel about me using your stuff in such a context. Again, I really want to apologise. And I will replace the remaining few pieces of code that still stem from your system. Unfortunately there is no way to remove the ideas and structure I got from you.
>
> Again, I am really sorry that the results of your work ended up being used in a way that you don't approve of. And I will be giving a lot of hard thought to the possibility of shutting down the server altogether.

From: Karl_Kleinpaste@cs.cmu.edu

> I think I'm feeling especially rude and impolite. If it's good for Johan, it's good for me. After all, he didn't ask the greater Usenet whether universal anon access was a good idea; he just did it. ... Yes, I'm a seriously rude pain in the ass now, and I think I'll arm the Usenet Death Penalty, slightly modified, not for strategic whole-site attack, but tactical assault, just "an[0-9]*@anon.penet.fi" destruction. Only outside alt.*, too, let's say.
>
> To parrot this line...people have been doing things like the UDP (that is, cancelling others' postings) for years, no one could ever stop them, and it's only politeness and good sense that has prevented them up to now.
>
> In fact, I have 8 people who have expressed privately the desire and ability to arm the UDP.
>
> ...
>
> PS- No, in fact there are not 8 newsadmins ready to arm the UDP. It would be amusing to know how many people gulped hard when they read that, though. I don't see it as any different from Johan's configuration.
>
> PPS- Now that I've calmed some fears by the above PS... There are 2 newsadmins ready to arm the UDP. They've asked for my code. I haven't sent it yet. Only one site would be necessary to bring anon.penet.fi to a screeching halt. Anyone can implement the UDP on their own, if they care to. Politeness and good sense prevents them from doing so. I wonder how long before one form of impoliteness brings on another form.

From: julf@penet.fi (Johan Helsingius)

> It would be trivially easy to bring anon.penet.fi to a screeching halt. In fact it has happened a couple of times already. But as we are talking threats here, let me make one as well. A very simple one. If somebody uses something like the UDP or maliciously brings down anon.penet.fi by some other means, it will stay down. But I will let the users know why. And name the person who did it. OK? As somebody said on this thread: "You have to take personal responsibility for your actions", right?

From: avs20@ccc.amdahl.com ( 134 Atul V Salgaonkar)

> I am very grateful and appreciative of this service, courtesy of penet.fi. Some important questions about my personal life/career/job were resolved due to kind help of other people who had been thru similar situations. In return, I have also replied to anon postings where I thought I could make a positive contribution.
>
> In general, anon service is great, in my opinion, although like any tool some people will not use it responsibly. I suggest that it should be kept alive. Wasting bandwidth is less important than saving lives, I think.

From: us273532@mmm.serc.3m.com (Elisa J. Collins)

> I have been informed that the anonymous posting service to many newsgroups has been turned off as a result of discussions in this newsgroup over people abusing it.
>
> I had been posting to a nontechnical misc newsgroup about an intimate topic for which I felt I required privacy. I have received immeasurable help from the people in that newsgroup, and I have never used anonymity to behave in an abusive, immature, or unethical fashion toward anyone.
>
> Please, folks, believe me, I *need* this service. Please consider my point of view and permit admin@anon.penet.fi to turn the service back on...
>
> Thank you.

* * *

SEE ALSO
========

Part 1 (first file)
------

<1.1> What is `identity' on the internet?
<1.2> Why is identity (un)important on the internet?
<1.3> How does my email address (not) identify me and my background?
<1.4> How can I find out more about somebody from their email address?
<1.5> Why is identification (un)stable on the internet?
<1.6> What is the future of identification on the internet?

<2.1> What is `privacy' on the internet?
<2.2> Why is privacy (un)important on the internet?
<2.3> How (in)secure are internet networks?
<2.4> How (in)secure is my account?
<2.5> How (in)secure are my files and directories?
<2.6> How (in)secure is X Windows?
<2.7> How (in)secure is my email?
<2.8> How am I (not) liable for my email and postings?
<2.9> How do I provide more/less information to others on my identity?
<2.10> Who is my sysadmin? What does s/he know about me?
<2.11> Why is privacy (un)stable on the internet?
<2.12> What is the future of privacy on the internet?

<3.1> What is `anonymity' on the internet?
<3.2> Why is `anonymity' (un)important on the internet?
<3.3> How can anonymity be protected on the internet?
<3.4> What is `anonymous mail'?
<3.5> What is `anonymous posting'?
<3.6> Why is anonymity (un)stable on the internet?
<3.7> What is the future of anonymity on the internet?

Part 2 (previous file)
------

<4.1> What UNIX programs are related to privacy?
<4.2> How can I learn about or use cryptography?
<4.3> What is the cypherpunks mailing list?
<4.4> What are some privacy-related newsgroups? FAQs?
<4.5> What is internet Privacy Enhanced Mail (PEM)?
<4.6> What are other Request For Comments (RFCs) related to privacy?
<4.7> How can I run an anonymous remailer?
<4.8> What are references on privacy in email?
<4.9> What are some email, Usenet, and internet use policies?
<4.10> What is the MIT ``CROSSLINK'' anonymous message TV program?

<5.1> What is ``digital cash''?
<5.2> What is a ``hacker'' or ``cracker''?
<5.3> What is a ``cypherpunk''?
<5.4> What is `steganography' and anonymous pools?
<5.5> What is `security through obscurity'?
<5.6> What are `identity daemons'?
<5.7> What standards are needed to guard electronic privacy?

<6.1> What is the Electronic Frontier Foundation (EFF)?
<6.2> Who are Computer Professionals for Social Responsibility (CPSR)?
<6.3> What was `Operation Sun Devil' and the Steve Jackson Game case?
<6.4> What is Integrated Services Digital Network (ISDN)?
<6.5> What is the National Research and Education Network (NREN)?
<6.6> What is the FBI's proposed Digital Telephony Act?
<6.7> What other U.S. legislation is related to privacy on networks?
<6.8> What are references on rights in cyberspace?
<6.9> What is the Computers and Academic Freedom (CAF) archive?

<7.1> What is the background behind the Internet?
<7.2> How is Internet `anarchy' like the English language?
<7.3> Most Wanted list
<7.4> Change history

* * *

This is Part 3 of the Privacy & Anonymity FAQ, obtained via anonymous FTP to pit-manager@mit.edu:/pub/usenet/news.answers/net-privacy/ or newsgroups news.answers, sci.answers, alt.answers every 21 days.

Written by L. Detweiler. All rights reserved.

Newsgroup: sci.crypt document_id: 15179
From: ckincy@cs.umr.edu (Charles Kincy)
Subject: Re: Pgp, PEM, and RFC's (Was: Cryptography Patents)

In article <1993Apr16.001321.3692@natasha.portal.com> bob@natasha.portal.com (Bob Cain) writes:

>: I hope my cynicism is misplaced here. Go ahead...I'm not afraid to be wrong every once in a while. But, I have an uneasy feeling that I am right. :(
>
>It is and you are wrong yet you emotionally state a bunch of crap as fact with a tiny disclaimer at the end. Check your facts first and grow up. Why is there such a strong correlation between interest in cryptography and immaturity I wonder.

Oh, I see, flame someone, tell them that they are immature, tell them they are wrong, and then don't offer any proof for your assertions. You really *are* a putz.

Put up or shut up.

cpk
--
It's been 80 days. Do you know where your wallet is?

Newsgroup: sci.crypt document_id: 15180
Subject: Re: Fifth Amendment and Passwords
From: pgut1@cs.aukuni.ac.nz (Peter Gutmann)

kadie@cs.uiuc.edu (Carl M Kadie) writes:

>The crypto-key disclosure issue hasn't come up yet, but current law suggests that it's a loser for the defendant--he'll be compelled to turn over the key.

It has actually come up (or it will in a week or two) in NZ. I'll post the outcome when the trial finishes (which could take months BTW). Overall it looks like you can't be forced to reveal a password; if anyone can provide a convincing legal argument to the contrary (ie an actual court case) I'd be most interested...

Peter.
-- pgut1@cs.aukuni.ac.nz||p_gutmann@cs.aukuni.ac.nz||gutmann_p@kosmos.wcc.govt.nz peterg@kcbbs.gen.nz||peter@nacjack.gen.nz||peter@phlarnschlorpht.nacjack.gen.nz (In order of preference - one of 'em's bound to work) -- Think! (or thwim) -- Newsgroup: sci.crypt document_id: 15181 From: Rob Shirey Subject: ISOC Symposium on Net Security CALL FOR PAPERS The Internet Society Symposium on Network and Distributed System Security 3-4 February 1994, Catamaran Hotel, San Diego, California The symposium will bring together people who are building software and hardware to provide network or distributed system security services. The symposium is intended for those interested in practical aspects of network and distributed system security, rather than in theory. Symposium proceedings will be published by the Internet Society. Topics for the symposium include, but are not limited to, the following: * Design and implementation of services--access control, authentication, availability, confidentiality, integrity, and non-repudiation --including criteria for placing services at particular protocol layers. * Design and implementation of security mechanisms and support services--encipherment and key management systems, authorization and audit systems, and intrusion detection systems. * Requirements and architectures for distributed applications and network functions--message handling, file transport, remote file access, directories, time synchronization, interactive sessions, remote data base management and access, routing, voice and video multicast and conferencing, news groups, network management, boot services, mobile computing, and remote I/O. * Special issues and problems in security architecture, such as -- very large systems like the international Internet, and -- high-speed systems like the gigabit testbeds now being built. * Interplay between security goals and other goals--efficiency, reliability, interoperability, resource sharing, and low cost. 
GENERAL CHAIR: Dan Nessett, Lawrence Livermore National Laboratory PROGRAM CHAIRS: Russ Housley, Xerox Special Information Systems Rob Shirey, The MITRE Corporation PROGRAM COMMITTEE: Dave Balenson, Trusted Information Systems Tom Berson, Anagram Laboratories Matt Bishop, Dartmouth College Ed Cain, U.S. Defense Information Systems Agency Jim Ellis, CERT Coordination Center Steve Kent, Bolt, Beranek and Newman John Linn, Independent Consultant Clifford Neuman, Information Sciences Institute Michael Roe, Cambridge University Rob Rosenthal, U.S. National Institute of Standards and Technology Jeff Schiller, Massachusetts Institute of Technology Ravi Sandhu, George Mason University Peter Yee, U.S. National Aeronautics and Space Administration SUBMISSIONS: The committee seeks both original technical papers and proposals for panel discussions on technical and other topics of general interest. Technical papers should be 10-20 pages in length. Panels should include three or four speakers. A panel proposal must name the panel chair, include a one-page topic introduction authored by the chair, and also include one-page position summaries authored by each speaker. Both the technical papers and the panel papers will appear in the proceedings. Submissions must be made by 16 August 1993. Submissions should be made via electronic mail to 1994symposium@smiley.mitre.org. Submissions may be in either of two formats: ASCII or PostScript. If the committee is unable to read a PostScript submission, it will be returned and ASCII requested. Therefore, PostScript submissions should arrive well before 16 August. If electronic submission is absolutely impossible, submissions should be sent via postal mail to Robert W. Shirey, Mail Stop Z202 The MITRE Corporation McLean, Virginia 22102-3481 USA All submissions must include both an Internet electronic mail address and a postal address. Each submission will be acknowledged through the medium by which it is received. 
If acknowledgment is not received within seven days, please contact either Rob Shirey or Russ Housley, or telephone Mana Weigand at MITRE in Mclean, 703-883-5397. Authors and panelists will be notified of acceptance by 15 October 1993. Instructions for preparing camera-ready copy for the proceedings will be postal mailed at that time. The camera-ready copy must be received by 15 November 1993. Newsgroup: sci.crypt document_id: 15182 From: marc@tanda.isis.org (Marc Thibault) Subject: Re: PEM and MIME In article <1qg8m2$2e5@nigel.msen.com> (Edward Vielmetti) writes: > I would suggest that 50 attractive MIME formatted news messages a day would be > sufficient to get a few people thinking about adding MIME support to news > readers, esp if the content is really worth it. But that's just the problem. There is no such thing as "MIME-Formatted". By analogy, MIME is a content-labelling standard for the box, not a specification for the contents themselves. It provides a standard for "like-minded" individuals to exchange mail containing an agreed-upon data format. You say tomahto, I say tomaeto; you say postscript, I say SGML... Cheers, Marc --- Marc Thibault | CIS:71441,2226 | Put another log marc@tanda.isis.org | NC FreeNet: aa185 | on the fire. -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.0 mQBNAiqxYTkAAAECALfeHYp0yC80s1ScFvJSpj5eSCAO+hihtneFrrn+vuEcSavh AAUwpIUGyV2N8n+lFTPnnLc42Ms+c8PJUPYKVI8ABRG0I01hcmMgVGhpYmF1bHQg PG1hcmNAdGFuZGEuaXNpcy5vcmc+ =HLnv -----END PGP PUBLIC KEY BLOCK----- Newsgroup: sci.crypt document_id: 15183 From: clipper@csrc.ncsl.nist.gov (Clipper Chip Announcement) Subject: text of White House announcement and Q&As on clipper chip encryption Note: This file will also be available via anonymous file transfer from csrc.ncsl.nist.gov in directory /pub/nistnews and via the NIST Computer Security BBS at 301-948-5717. 
--------------------------------------------------- THE WHITE HOUSE Office of the Press Secretary _________________________________________________________________ For Immediate Release April 16, 1993 STATEMENT BY THE PRESS SECRETARY The President today announced a new initiative that will bring the Federal Government together with industry in a voluntary program to improve the security and privacy of telephone communications while meeting the legitimate needs of law enforcement. The initiative will involve the creation of new products to accelerate the development and use of advanced and secure telecommunications networks and wireless communications links. For too long there has been little or no dialogue between our private sector and the law enforcement community to resolve the tension between economic vitality and the real challenges of protecting Americans. Rather than use technology to accommodate the sometimes competing interests of economic growth, privacy and law enforcement, previous policies have pitted government against industry and the rights of privacy against law enforcement. Sophisticated encryption technology has been used for years to protect electronic funds transfer. It is now being used to protect electronic mail and computer files. While encryption technology can help Americans protect business secrets and the unauthorized release of personal information, it also can be used by terrorists, drug dealers, and other criminals. A state-of-the-art microcircuit called the "Clipper Chip" has been developed by government engineers. The chip represents a new approach to encryption technology. It can be used in new, relatively inexpensive encryption devices that can be attached to an ordinary telephone. It scrambles telephone communications using an encryption algorithm that is more powerful than many in commercial use today. 
This new technology will help companies protect proprietary information, protect the privacy of personal phone conversations and prevent unauthorized release of data transmitted electronically. At the same time this technology preserves the ability of federal, state and local law enforcement agencies to intercept lawfully the phone conversations of criminals. A "key-escrow" system will be established to ensure that the "Clipper Chip" is used to protect the privacy of law-abiding Americans. Each device containing the chip will have two unique "keys," numbers that will be needed by authorized government agencies to decode messages encoded by the device. When the device is manufactured, the two keys will be deposited separately in two "key-escrow" data bases that will be established by the Attorney General. Access to these keys will be limited to government officials with legal authorization to conduct a wiretap. The "Clipper Chip" technology provides law enforcement with no new authorities to access the content of the private conversations of Americans. To demonstrate the effectiveness of this new technology, the Attorney General will soon purchase several thousand of the new devices. In addition, respected experts from outside the government will be offered access to the confidential details of the algorithm to assess its capabilities and publicly report their findings. The chip is an important step in addressing the problem of encryption's dual-edge sword: encryption helps to protect the privacy of individuals and industry, but it also can shield criminals and terrorists. We need the "Clipper Chip" and other approaches that can both provide law-abiding citizens with access to the encryption they need and prevent criminals from using it to hide their illegal activities. 
In order to assess technology trends and explore new approaches (like the key-escrow system), the President has directed government agencies to develop a comprehensive policy on encryption that accommodates: -- the privacy of our citizens, including the need to employ voice or data encryption for business purposes; -- the ability of authorized officials to access telephone calls and data, under proper court or other legal order, when necessary to protect our citizens; -- the effective and timely use of the most modern technology to build the National Information Infrastructure needed to promote economic growth and the competitiveness of American industry in the global marketplace; and -- the need of U.S. companies to manufacture and export high technology products. The President has directed early and frequent consultations with affected industries, the Congress and groups that advocate the privacy rights of individuals as policy options are developed. The Administration is committed to working with the private sector to spur the development of a National Information Infrastructure which will use new telecommunications and computer technologies to give Americans unprecedented access to information. This infrastructure of high-speed networks ("information superhighways") will transmit video, images, HDTV programming, and huge data files as easily as today's telephone system transmits voice. Since encryption technology will play an increasingly important role in that infrastructure, the Federal Government must act quickly to develop consistent, comprehensive policies regarding its use. The Administration is committed to policies that protect all Americans' right to privacy while also protecting them from those who break the law. Further information is provided in an accompanying fact sheet. The provisions of the President's directive to acquire the new encryption technology are also available. 
For additional details, call Mat Heyman, National Institute of Standards and Technology, (301) 975-2758. --------------------------------- QUESTIONS AND ANSWERS ABOUT THE CLINTON ADMINISTRATION'S TELECOMMUNICATIONS INITIATIVE Q: Does this approach expand the authority of government agencies to listen in on phone conversations? A: No. "Clipper Chip" technology provides law enforcement with no new authorities to access the content of the private conversations of Americans. Q: Suppose a law enforcement agency is conducting a wiretap on a drug smuggling ring and intercepts a conversation encrypted using the device. What would they have to do to decipher the message? A: They would have to obtain legal authorization, normally a court order, to do the wiretap in the first place. They would then present documentation of this authorization to the two entities responsible for safeguarding the keys and obtain the keys for the device being used by the drug smugglers. The key is split into two parts, which are stored separately in order to ensure the security of the key escrow system. Q: Who will run the key-escrow data banks? A: The two key-escrow data banks will be run by two independent entities. At this point, the Department of Justice and the Administration have yet to determine which agencies will oversee the key-escrow data banks. Q: How strong is the security in the device? How can I be sure how strong the security is? A: This system is more secure than many other voice encryption systems readily available today. While the algorithm will remain classified to protect the security of the key escrow system, we are willing to invite an independent panel of cryptography experts to evaluate the algorithm to assure all potential users that there are no unrecognized vulnerabilities. Q: Whose decision was it to propose this product? A: The National Security Council, the Justice Department, the Commerce Department, and other key agencies were involved in this decision. 
This approach has been endorsed by the President, the Vice President, and appropriate Cabinet officials. Q: Who was consulted? The Congress? Industry? A: We have on-going discussions with Congress and industry on encryption issues, and expect those discussions to intensify as we carry out our review of encryption policy. We have briefed members of Congress and industry leaders on the decisions related to this initiative. Q: Will the government provide the hardware to manufacturers? A: The government designed and developed the key access encryption microcircuits, but it is not providing the microcircuits to product manufacturers. Product manufacturers can acquire the microcircuits from the chip manufacturer that produces them. Q: Who provides the "Clipper Chip"? A: Mykotronx programs it at their facility in Torrance, California, and will sell the chip to encryption device manufacturers. The programming function could be licensed to other vendors in the future. Q: How do I buy one of these encryption devices? A: We expect several manufacturers to consider incorporating the "Clipper Chip" into their devices. Q: If the Administration were unable to find a technological solution like the one proposed, would the Administration be willing to use legal remedies to restrict access to more powerful encryption devices? A: This is a fundamental policy question which will be considered during the broad policy review. The key escrow mechanism will provide Americans with an encryption product that is more secure, more convenient, and less expensive than others readily available today, but it is just one piece of what must be the comprehensive approach to encryption technology, which the Administration is developing. The Administration is not saying, "since encryption threatens the public safety and effective law enforcement, we will prohibit it outright" (as some countries have effectively done); nor is the U.S. 
saying that "every American, as a matter of right, is entitled to an unbreakable commercial encryption product." There is a false "tension" created in the assessment that this issue is an "either-or" proposition. Rather, both concerns can be, and in fact are, harmoniously balanced through a reasoned, balanced approach such as is proposed with the "Clipper Chip" and similar encryption techniques. Q: What does this decision indicate about how the Clinton Administration's policy toward encryption will differ from that of the Bush Administration? A: It indicates that we understand the importance of encryption technology in telecommunications and computing and are committed to working with industry and public-interest groups to find innovative ways to protect Americans' privacy, help businesses to compete, and ensure that law enforcement agencies have the tools they need to fight crime and terrorism. Q: Will the devices be exportable? Will other devices that use the government hardware? A: Voice encryption devices are subject to export control requirements. Case-by-case review for each export is required to ensure appropriate use of these devices. The same is true for other encryption devices. One of the attractions of this technology is the protection it can give to U.S. companies operating at home and abroad. With this in mind, we expect export licenses will be granted on a case-by-case basis for U.S. companies seeking to use these devices to secure their own communications abroad. We plan to review the possibility of permitting wider exportability of these products. 
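The two-part key split described in the Q&A above ("the key is split into two parts, which are stored separately"), worked through as an added example; this is not code from the announcement or from any Clipper implementation. The announcement only says that each device's key is split in two and deposited with two independent escrow entities. Everything else here is an assumption made for the example: the split is a plain XOR split (so either half on its own is a uniformly random string carrying no information about the key), the key is 80 bits, and the "authorization" each agent checks is a constructed dictionary with a device serial and a court-order field.

```python
# Added example (not from the announcement): a 2-of-2 XOR split of a per-device
# "unit key", with each half deposited at a separate escrow agent that releases
# it only against an authorization naming that device. The XOR split, the key
# length and the authorization fields are assumptions made for this example.
import secrets
from dataclasses import dataclass, field


def split_key(unit_key: bytes, n_shares: int = 2) -> list[bytes]:
    """Split unit_key into n_shares XOR shares. Any n_shares-1 of them are
    uniformly random and independent of the key, so one escrow agent alone
    learns nothing; all of them together XOR back to the key."""
    if n_shares < 2:
        raise ValueError("need at least two shares")
    shares = [secrets.token_bytes(len(unit_key)) for _ in range(n_shares - 1)]
    last = bytearray(unit_key)
    for share in shares:
        for i, b in enumerate(share):
            last[i] ^= b
    shares.append(bytes(last))
    return shares


def reconstruct_key(shares: list[bytes]) -> bytes:
    """XOR all shares together; with any share missing the result is garbage."""
    if not shares:
        raise ValueError("no shares")
    out = bytearray(len(shares[0]))
    for share in shares:
        if len(share) != len(out):
            raise ValueError("share length mismatch")
        for i, b in enumerate(share):
            out[i] ^= b
    return bytes(out)


@dataclass
class EscrowAgent:
    """One of the two independent key-escrow data banks (hypothetical model)."""
    name: str
    vault: dict[str, bytes] = field(default_factory=dict)  # device serial -> share

    def deposit(self, serial: str, share: bytes) -> None:
        if serial in self.vault:
            raise ValueError(f"{self.name}: share for {serial} already deposited")
        self.vault[serial] = share

    def release(self, serial: str, authorization: dict) -> bytes:
        # Each agent checks the (constructed) wiretap authorization on its own;
        # a refusal by either agent leaves the key unrecoverable.
        if authorization.get("device_serial") != serial or not authorization.get("court_order"):
            raise PermissionError(f"{self.name}: authorization does not cover device {serial}")
        if serial not in self.vault:
            raise KeyError(f"{self.name}: no share escrowed for {serial}")
        return self.vault[serial]


def manufacture_device(serial: str, agents: list[EscrowAgent], key_len: int = 10) -> bytes:
    """Generate a unit key at manufacture time and escrow one share per agent.
    key_len=10 (80 bits) is an arbitrary choice for this example."""
    unit_key = secrets.token_bytes(key_len)
    for agent, share in zip(agents, split_key(unit_key, len(agents))):
        agent.deposit(serial, share)
    return unit_key  # what gets programmed into the chip


def recover_unit_key(serial: str, agents: list[EscrowAgent], authorization: dict) -> bytes:
    """Law-enforcement side: present the authorization to every agent, then combine."""
    shares = [agent.release(serial, authorization) for agent in agents]
    return reconstruct_key(shares)


if __name__ == "__main__":
    banks = [EscrowAgent("escrow-bank-1"), EscrowAgent("escrow-bank-2")]
    programmed = manufacture_device("SN-0001", banks)
    order = {"device_serial": "SN-0001", "court_order": "constructed-order-42"}
    assert recover_unit_key("SN-0001", banks, order) == programmed
    # A single bank's share is independent of the key ...
    assert banks[0].vault["SN-0001"] != programmed
    # ... and an order for a different device is refused.
    try:
        recover_unit_key("SN-0001", banks, {"device_serial": "SN-0002", "court_order": "x"})
    except PermissionError as e:
        print("refused:", e)
    print("escrow round-trip OK")
```

The security of the scheme as modelled rests entirely on the two vaults staying separate and on each agent's release check being independent; the XOR split guarantees that one share reveals nothing, but nothing in the split itself prevents an agent that holds both halves, or two agents that share a database, from recovering every device key. `split_key` and `reconstruct_key` accept more than two shares, so the same code models an n-agent escrow where every agent must agree.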
Newsgroup: sci.crypt document_id: 15184 Subject: Re: Keeping Your Mouth Shut (was: Hard drive security) From: vkub@charlie.usd.edu (Vince Kub) In article <1993Apr13.143712.15338@cadkey.com>, eric@cadkey.com (Eric Holtman) writes: >In article holland@CS.ColoState.EDU (douglas craig holland) writes: >> >>I'm not a lawyer, so correct me if I'm wrong, but doing that could be >>considered obstruction of justice, which could land you in prison for >>quite a while. >> >>The thing that's great about the secret key is it is IDEA encrypted, so >>even if the FBI do get the key, they're SOL unless they know the magic >>word. If they try to force you to give them your pass phrase, just say >>"Oops, I forgot." Since the burden of proof is still on the prosecution >>in this country, if you keep your mouth shut, how can they prove that you >>didn't forget your pass phrase. >> > >Well, I'm no lawyer, but I'll supply some anecdotal evidence which may >change your mind. ** Note ** I do not agree AT ALL with what went on in >this case, and neither will most of you. THAT DOESN'T CHANGE THE FACT >THAT IT *DID* HAPPEN. Right here in America even..... > >About three or four years ago, there was a rather nasty custody case in >or around Washington D.C. The upshot was, an ex-husband was suing for >visitation rights, which were granted. The woman believed that the man >had been sexually molesting her children. (much like Allen/Farrow, but >not as famous). Anyhows, she spirits away the kids and refuses to tell the >court where they are, and denies him visitation rights. > >She "keeps her mouth shut", and what happens? She SITS IN JAIL for almost >a year, on CONTEMPT OF COURT, until the legislature passes a special law >limiting the time a person can be held. If they hadn't passed the law, she'd >most likely still be there. The kids were in New Zealand, I believe. > >Now (story finished, commentary starting).... 
IMHO, the only reason the >legislature moved was because there was an outpouring of public sympathy >for this woman... most people believed she was right, and were outraged. >Not likely to happen for Joe Random Drug Dealer, Child Molester or perfectly >innocent privacy lover, who might have something >to hide. Innocent until proven guilty doesn't mean you get to walk out >of court humming a happy tune because the FBI can't read your disk. Just >ask those held for contempt, those who can't make bail, etc, etc. > >Again.... I disagree totally with the concept of holding someone based >on suspicion, but people who keep thinking that it won't happen are bound >to get a rude shock when it does...... >-- Also not a lawyer, etc. but if I remember correctly the Contempt of Court business is used in order to compel cooperation with what is (perhaps questionably, different issue) the legitimate business of that court. Quite literally the party is found guilty of holding the court "in contempt". Now, the original scheme as suggested here would be to have the key disappear if certain threatening conditions are met. Once the key is gone there is no question of Contempt of Court as there is nothing to compel, the key is no longer there to be produced. Obstruction of justice would be a different issue but if the suspect in question would have some legitimate reason to protect his data from prying eyes (however extenuated) I think that this charge would be a hard nut to make. Perhaps it is time for a lawyer to step in and clear this all up? -=*=- -=*=- -=*=- -=*=- -=*=- Vincent A. Kub, WD0DBX | "Saints should always be judged | guilty until they are proven vkub@charlie.usd.edu | innocent." -Geo. Orwell | 14 W.Cherry St. #2 | "It is good to die before one has Vermillion, S.Dakota 57069 | done anything deserving of death." 
phone or fax to (605) 624-8680 | - Anaxandirdes | King of Sparta ------------------------------------------------------------------- -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.2 mQBNAiudo1MAAAECAKRkUUWW+Tqsoa1nD+GaSbpXcDhSrHpMEBPjKlyiKuIjzaT6 auO/hnqW/652YicVaJlXspb5D2giMc09TG2sGY0ABRG0CVZpbmNlIEt1Yg== =IuUb -----END PGP PUBLIC KEY BLOCK----- Newsgroup: sci.crypt document_id: 15185 From: hooper@ccs.QueensU.CA (Andy Hooper) Subject: Re: text of White House announcement and Q&As on clipper chip encryption Isn't Clipper a trademark of Fairchild Semiconductor? Andy Hooper Newsgroup: sci.crypt document_id: 15186 From: tcmay@netcom.com (Timothy C. May) Subject: Re: text of White House announcement and Q&As on clipper chip encryption Well, it now seems obvious what Professor Denning was doing last fall when this key escrow trial balloon was raised! All the more need for end-to-end encryption schemes that bypass the government-approved system. By the way, the "Clipper" name...isn't this already used for the Clipper processor from Intergraph? I doubt they're the ones making the chip, so a name conflict may be present. -Tim May -- .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay@netcom.com | anonymous networks, digital pseudonyms, zero 408-688-5409 | knowledge, reputations, information markets, W.A.S.T.E.: Aptos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. Newsgroup: sci.crypt document_id: 15187 From: jad@nsa.hp.com (John Dilley) Subject: compress | crypt foo | des -e -k foo I have a bunch of questions about the encryption scheme referenced in the Subject of this message. What is the relative data privacy provided by the above sequence as compared with straight DES? Does the addition of compression then encrypting make the cyphertext significantly harder to crack using current methods than straight DES? 
Would running crypt after DES provide greater data privacy? Is it important to remove the (constant) compress header before encryption? Thank you, net, for your wisdom. -- jad -- John A. Dilley Newsgroup: sci.crypt document_id: 15188 From: jim@rand.org (Jim Gillogly) Subject: Clipper Chip and crypto key-escrow This document is in the anonymous ftp directory at NIST. Looks to me like the other shoe has dropped. Jim Gillogly Trewesday, 25 Astron S.R. 1993, 17:00 ------------------- Note: This file will also be available via anonymous file transfer from csrc.ncsl.nist.gov in directory /pub/nistnews and via the NIST Computer Security BBS at 301-948-5717. --------------------------------------------------- THE WHITE HOUSE Office of the Press Secretary _________________________________________________________________ For Immediate Release April 16, 1993 STATEMENT BY THE PRESS SECRETARY The President today announced a new initiative that will bring the Federal Government together with industry in a voluntary program to improve the security and privacy of telephone communications while meeting the legitimate needs of law enforcement. The initiative will involve the creation of new products to accelerate the development and use of advanced and secure telecommunications networks and wireless communications links. For too long there has been little or no dialogue between our private sector and the law enforcement community to resolve the tension between economic vitality and the real challenges of protecting Americans. Rather than use technology to accommodate the sometimes competing interests of economic growth, privacy and law enforcement, previous policies have pitted government against industry and the rights of privacy against law enforcement. Sophisticated encryption technology has been used for years to protect electronic funds transfer. It is now being used to protect electronic mail and computer files. 
While encryption technology can help Americans protect business secrets and the unauthorized release of personal information, it also can be used by terrorists, drug dealers, and other criminals. A state-of-the-art microcircuit called the "Clipper Chip" has been developed by government engineers. The chip represents a new approach to encryption technology. It can be used in new, relatively inexpensive encryption devices that can be attached to an ordinary telephone. It scrambles telephone communications using an encryption algorithm that is more powerful than many in commercial use today. This new technology will help companies protect proprietary information, protect the privacy of personal phone conversations and prevent unauthorized release of data transmitted electronically. At the same time this technology preserves the ability of federal, state and local law enforcement agencies to intercept lawfully the phone conversations of criminals. A "key-escrow" system will be established to ensure that the "Clipper Chip" is used to protect the privacy of law-abiding Americans. Each device containing the chip will have two unique 2 "keys," numbers that will be needed by authorized government agencies to decode messages encoded by the device. When the device is manufactured, the two keys will be deposited separately in two "key-escrow" data bases that will be established by the Attorney General. Access to these keys will be limited to government officials with legal authorization to conduct a wiretap. The "Clipper Chip" technology provides law enforcement with no new authorities to access the content of the private conversations of Americans. To demonstrate the effectiveness of this new technology, the Attorney General will soon purchase several thousand of the new devices. In addition, respected experts from outside the government will be offered access to the confidential details of the algorithm to assess its capabilities and publicly report their findings. 
The chip is an important step in addressing the problem of encryption's dual-edge sword: encryption helps to protect the privacy of individuals and industry, but it also can shield criminals and terrorists. We need the "Clipper Chip" and other approaches that can both provide law-abiding citizens with access to the encryption they need and prevent criminals from using it to hide their illegal activities. In order to assess technology trends and explore new approaches (like the key-escrow system), the President has directed government agencies to develop a comprehensive policy on encryption that accommodates: -- the privacy of our citizens, including the need to employ voice or data encryption for business purposes; -- the ability of authorized officials to access telephone calls and data, under proper court or other legal order, when necessary to protect our citizens; -- the effective and timely use of the most modern technology to build the National Information Infrastructure needed to promote economic growth and the competitiveness of American industry in the global marketplace; and -- the need of U.S. companies to manufacture and export high technology products. The President has directed early and frequent consultations with affected industries, the Congress and groups that advocate the privacy rights of individuals as policy options are developed. 3 The Administration is committed to working with the private sector to spur the development of a National Information Infrastructure which will use new telecommunications and computer technologies to give Americans unprecedented access to information. This infrastructure of high-speed networks ("information superhighways") will transmit video, images, HDTV programming, and huge data files as easily as today's telephone system transmits voice. 
Since encryption technology will play an increasingly important role in that infrastructure, the Federal Government must act quickly to develop consistent, comprehensive policies regarding its use. The Administration is committed to policies that protect all Americans' right to privacy while also protecting them from those who break the law.

Further information is provided in an accompanying fact sheet. The provisions of the President's directive to acquire the new encryption technology are also available.

For additional details, call Mat Heyman, National Institute of Standards and Technology, (301) 975-2758.

---------------------------------

QUESTIONS AND ANSWERS ABOUT THE CLINTON ADMINISTRATION'S TELECOMMUNICATIONS INITIATIVE

Q: Does this approach expand the authority of government agencies to listen in on phone conversations?

A: No. "Clipper Chip" technology provides law enforcement with no new authorities to access the content of the private conversations of Americans.

Q: Suppose a law enforcement agency is conducting a wiretap on a drug smuggling ring and intercepts a conversation encrypted using the device. What would they have to do to decipher the message?

A: They would have to obtain legal authorization, normally a court order, to do the wiretap in the first place. They would then present documentation of this authorization to the two entities responsible for safeguarding the keys and obtain the keys for the device being used by the drug smugglers. The key is split into two parts, which are stored separately in order to ensure the security of the key escrow system.

Q: Who will run the key-escrow data banks?

A: The two key-escrow data banks will be run by two independent entities. At this point, the Department of Justice and the Administration have yet to determine which agencies will oversee the key-escrow data banks.

Q: How strong is the security in the device? How can I be sure how strong the security is?
A: This system is more secure than many other voice encryption systems readily available today. While the algorithm will remain classified to protect the security of the key escrow system, we are willing to invite an independent panel of cryptography experts to evaluate the algorithm to assure all potential users that there are no unrecognized vulnerabilities.

Q: Whose decision was it to propose this product?

A: The National Security Council, the Justice Department, the Commerce Department, and other key agencies were involved in this decision. This approach has been endorsed by the President, the Vice President, and appropriate Cabinet officials.

Q: Who was consulted? The Congress? Industry?

A: We have on-going discussions with Congress and industry on encryption issues, and expect those discussions to intensify as we carry out our review of encryption policy. We have briefed members of Congress and industry leaders on the decisions related to this initiative.

Q: Will the government provide the hardware to manufacturers?

A: The government designed and developed the key access encryption microcircuits, but it is not providing the microcircuits to product manufacturers. Product manufacturers can acquire the microcircuits from the chip manufacturer that produces them.

Q: Who provides the "Clipper Chip"?

A: Mykotronx programs it at their facility in Torrance, California, and will sell the chip to encryption device manufacturers. The programming function could be licensed to other vendors in the future.

Q: How do I buy one of these encryption devices?

A: We expect several manufacturers to consider incorporating the "Clipper Chip" into their devices.

Q: If the Administration were unable to find a technological solution like the one proposed, would the Administration be willing to use legal remedies to restrict access to more powerful encryption devices?

A: This is a fundamental policy question which will be considered during the broad policy review.
The key escrow mechanism will provide Americans with an encryption product that is more secure, more convenient, and less expensive than others readily available today, but it is just one piece of what must be the comprehensive approach to encryption technology, which the Administration is developing. The Administration is not saying, "since encryption threatens the public safety and effective law enforcement, we will prohibit it outright" (as some countries have effectively done); nor is the U.S. saying that "every American, as a matter of right, is entitled to an unbreakable commercial encryption product." There is a false "tension" created in the assessment that this issue is an "either-or" proposition. Rather, both concerns can be, and in fact are, harmoniously balanced through a reasoned, balanced approach such as is proposed with the "Clipper Chip" and similar encryption techniques.

Q: What does this decision indicate about how the Clinton Administration's policy toward encryption will differ from that of the Bush Administration?

A: It indicates that we understand the importance of encryption technology in telecommunications and computing and are committed to working with industry and public-interest groups to find innovative ways to protect Americans' privacy, help businesses to compete, and ensure that law enforcement agencies have the tools they need to fight crime and terrorism.

Q: Will the devices be exportable? Will other devices that use the government hardware?

A: Voice encryption devices are subject to export control requirements. Case-by-case review for each export is required to ensure appropriate use of these devices. The same is true for other encryption devices. One of the attractions of this technology is the protection it can give to U.S. companies operating at home and abroad. With this in mind, we expect export licenses will be granted on a case-by-case basis for U.S.
companies seeking to use these devices to secure their own communications abroad. We plan to review the possibility of permitting wider exportability of these products.

--
Jim Gillogly
Trewesday, 25 Astron S.R. 1993, 17:01

Newsgroup: sci.crypt
document_id: 15189
From: jim@rand.org (Jim Gillogly)
Subject: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

May as well look at one piece of this at a time. This paragraph:

>To demonstrate the effectiveness of this new technology, the
>Attorney General will soon purchase several thousand of the new
>devices. In addition, respected experts from outside the
>government will be offered access to the confidential details of
>the algorithm to assess its capabilities and publicly report
>their findings.

means they aren't planning to make it public, as was done with DES. As it says in both sci.crypt FAQs, there's no way we are going to achieve the same level of comfort with Clipper that we finally have with DES if we can't actually get our hands on the bits and watch them flow around. Even the best experts aren't going to think of everything: look how long it took Biham and Shamir to get a handle on just how good DES is... and for all we know there's still more to learn.

--
Jim Gillogly
Trewesday, 25 Astron S.R. 1993, 17:10

Newsgroup: sci.crypt
document_id: 15190
From: ptrei@bistromath.mitre.org (Peter Trei)
Subject: Re: Fifth Amendment and Passwords

In article kadie@cs.uiuc.edu (Carl M Kadie) writes:
>ashall@magnus.acs.ohio-state.edu (Andrew S Hall) writes:
>
>>I am positive someone will correct me if I am wrong, but doesn't the Fifth
>>also cover not being forced to do actions that are self-incriminating?
>[From Mike Godwin, posted with permission - Carl]
>No, but they could compel you to produce the key to a safe where, as it
>happens, evidence that will convict you is stored.
>
>The crypto-key disclosure issue hasn't come up yet, but current law
>suggests that it's a loser for the defendant--he'll be compelled to turn
>over the key.
>
>The test for compelled self-incrimination is whether the material to
>be disclosed *in itself* tends to inculpate the discloser. In the example
>I gave above, the safe key itself has no testimonial value--ergo, it can
>be disclosed under compulsion (e.g., subpoena duces tecum).
>Moreover, the government can always immunize the disclosure of a crypto
>key--compelling you to disclose the key at the price of not using the fact
>of your disclosure as evidence in the case against you. Of course, they
>can use whatever they discover as a result of this disclosure against
>you.
>--Mike

Let's carry this one step further. Suppose the text of the key is in itself conclusive evidence of the SAME CRIME for which the encrypted material is further evidence.

I find myself envisaging a scenario like this:

You have made some scans of Peanuts strips. You encrypt them. The key is a phrase. The Comic Police haul you in. They seize your system. They find the encrypted file.

CP: "What's that file?"
You: "I take the fifth."
CP: "What's the keyphrase to that file?"
You: "I take the fifth."
Judge: "You have to reveal the keyphrase" [I disagree, but I'm not a judge.]
You: "Your Honor, revealing the keyphrase, in its own right, would tend to incriminate me of breaking laws, independent of what may or may not be in the encrypted file."
Judge: "I grant you immunity from whatever may be learned from the key itself"
You: "The keyphrase is: "I confess to deliberately evading copyright; the file encoded with this keyphrase contains illegal scans of copyrighted Peanuts strips.""
Judge and CP: "Oh."

How will they get you now? I'm not saying that they won't, or can't (or even that they shouldn't :-), but what legal mechanism will they use?

Should we be crossposting this to misc.legal?
Peter Trei
ptrei@mitre.org

Newsgroup: sci.crypt
document_id: 15191
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

clipper@csrc.ncsl.nist.gov (Clipper Chip Announcement) writes:

> The President today announced a new initiative that will bring
> the Federal Government together with industry in a voluntary
> program to improve the security and privacy of telephone
> communications while meeting the legitimate needs of law
> enforcement.

A nice formulation for the introduction of the first encryption devices with built-in trapdoors - just like the Feds wanted...

> For too long there has been little or no dialogue between our
> private sector and the law enforcement community to resolve the
> tension between economic vitality and the real challenges of
> protecting Americans. Rather than use technology to accommodate
> the sometimes competing interests of economic growth, privacy and
> law enforcement, previous policies have pitted government against
> industry and the rights of privacy against law enforcement.

Bla-bla.

> protect electronic mail and computer files. While encryption
> technology can help Americans protect business secrets and the
> unauthorized release of personal information, it also can be used
> by terrorists, drug dealers, and other criminals.

Indeed, and the current proposal does nothing to prevent the latter.

> an ordinary telephone. It scrambles telephone communications
> using an encryption algorithm that is more powerful than many in
> commercial use today.

This doesn't say much. There are many incredibly weak encryption algorithms in commercial use today...

> This new technology will help companies protect proprietary
> information, protect the privacy of personal phone conversations
> and prevent unauthorized release of data transmitted
> electronically.

Except from the government.
> At the same time this technology preserves the
> ability of federal, state and local law enforcement agencies to
> intercept lawfully the phone conversations of criminals.

Nope. The criminals won't be stupid enough to use the new chip, they'll use something secure. This technology provides only a means to intercept the phone conversations of people who are stupid enough to use it.

> agencies to decode messages encoded by the device. When the
> device is manufactured, the two keys will be deposited separately
> in two "key-escrow" data bases that will be established by the
> Attorney General. Access to these keys will be limited to
> government officials with legal authorization to conduct a
> wiretap.

That is, the government has the keys. It doesn't matter much if they are in one or in two of its hands...

> The "Clipper Chip" technology provides law enforcement with no
> new authorities to access the content of the private
> conversations of Americans.

Correct. It does, however, provide those Americans with a false sense of privacy.

> devices. In addition, respected experts from outside the
> government will be offered access to the confidential details of
> the algorithm to assess its capabilities and publicly report
> their findings.

If the screening is not public, it cannot be trusted. Some people do not trust DES even today, after all the examinations - only because some parts of its design were kept secret.

> The chip is an important step in addressing the problem of
> encryption's dual-edge sword: encryption helps to protect the
> privacy of individuals and industry, but it also can shield
> criminals and terrorists. We need the "Clipper Chip" and other
> approaches that can both provide law-abiding citizens with access
> to the encryption they need and prevent criminals from using it
> to hide their illegal activities. In order to assess technology

So they'll use a different technology to hide their illegal activities.
So will those law-abiding citizens, who do not trust their government not to misuse its abilities to decrypt their conversations.

> -- the privacy of our citizens, including the need to
> employ voice or data encryption for business purposes;

Except from the government.

> -- the need of U.S. companies to manufacture and export
> high technology products.

Huh? Later it says that the new technology will be export restricted.

> Since encryption technology will play an increasingly important
> role in that infrastructure, the Federal Government must act
> quickly to develop consistent, comprehensive policies regarding
> its use. The Administration is committed to policies that
> protect all Americans' right to privacy while also protecting
> them from those who break the law.

In short, the new technology can:

1) Protect the law-abiding citizen's privacy from the casual snooper.

It cannot:

1) Protect him from the government, if it decides to misuse its ability to decrypt the conversations.

2) Protect him from the criminals who succeed in breaking the new encryption scheme, or in stealing the keys, or in bribing the people who handle them, etc.

3) Prevent the criminals from using secure encryption for communication.

> Q: Does this approach expand the authority of government
> agencies to listen in on phone conversations?

> A: No. "Clipper Chip" technology provides law enforcement with
> no new authorities to access the content of the private
> conversations of Americans.

Correct. However, it does not provide them as much privacy as it claims.

> Q: Who will run the key-escrow data banks?

> A: The two key-escrow data banks will be run by two independent
> entities. At this point, the Department of Justice and the
> Administration have yet to determine which agencies will
> oversee the key-escrow data banks.

Two candidates: the NSA and the Mafia.

> Q: How strong is the security in the device? How can I be sure
> how strong the security is?
> A: This system is more secure than many other voice encryption
> systems readily available today.

That is, "trust us".

> While the algorithm will
> remain classified to protect the security of the key escrow

"Security through obscurity".

> system, we are willing to invite an independent panel of
> cryptography experts to evaluate the algorithm to assure all
> potential users that there are no unrecognized
> vulnerabilities.

If it's not entirely open to public examination, it cannot be trusted. Besides, who can prove that the devices used for examination and the ones built into your phones will be the same?

> Q: Whose decision was it to propose this product?

> A: The National Security Council, the Justice Department, the

The NSA and the FBI?

> Q: Who was consulted? The Congress? Industry?

> A: We have on-going discussions with Congress and industry on
> encryption issues, and expect those discussions to intensify
> as we carry out our review of encryption policy. We have
> briefed members of Congress and industry leaders on the
> decisions related to this initiative.

Why did they "forget" academia?

> Q: Will the government provide the hardware to manufacturers?

> A: The government designed and developed the key access
> encryption microcircuits, but it is not providing the
> microcircuits to product manufacturers. Product
> manufacturers can acquire the microcircuits from the chip
> manufacturer that produces them.

Doesn't this smell of monopolism?

> Q: Who provides the "Clipper Chip"?

> A: Mykotronx programs it at their facility in Torrance,
> California, and will sell the chip to encryption device
> manufacturers. The programming function could be licensed
> to other vendors in the future.

Like the Mafia?

> Q: If the Administration were unable to find a technological
> solution like the one proposed, would the Administration be
> willing to use legal remedies to restrict access to more
> powerful encryption devices?
This is the main question; why was it buried at the end?

> A: This is a fundamental policy question which will be
> considered during the broad policy review. The key escrow

"We'll see".

> mechanism will provide Americans with an encryption product
> that is more secure, more convenient, and less expensive
> than others readily available today, but it is just one

"Trust us".

> The Administration is not saying, "since encryption
> threatens the public safety and effective law enforcement,
> we will prohibit it outright" (as some countries have

In short, "If we decide to outlaw strong crypto, we'll tell you".

> effectively done); nor is the U.S. saying that "every
> American, as a matter of right, is entitled to an
> unbreakable commercial encryption product." There is a

Since the US government seems to consider strong crypto as munitions and since the US constitution guarantees every American the right to bear arms, why is not every American entitled, as a matter of right, to an unbreakable commercial encryption product?

> A: It indicates that we understand the importance of encryption
> technology in telecommunications and computing and are
> committed to working with industry and public-interest
> groups to find innovative ways to protect Americans'
> privacy, help businesses to compete, and ensure that law
> enforcement agencies have the tools they need to fight crime
> and terrorism.

Bullshit. The proposed technology provides a false sense of security, encryption devices with built-in capabilities for breaking the encryption, does not prevent the criminals from using strong crypto, and is a step toward outlawing strong crypto.

> Q: Will the devices be exportable? Will other devices that use
> the government hardware?

> A: Voice encryption devices are subject to export control
> requirements. Case-by-case review for each export is
> required to ensure appropriate use of these devices.
> The

Who was the optimist who believed that the new administration would leave the export controls on strong crypto devices?

OK, I'm not American, it's not my business, but I just couldn't resist commenting... The whole plot looks so totalitarian... It's up to you, Americans, to fight for your rights.

Regards,
Vesselin

P.S. Now is the time for David Sternlight to pop up and claim that the new system is great.

--
Vesselin Vladimirov Bontchev                 Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226         Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. >         Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     D-2000 Hamburg 54, Germany

Newsgroup: sci.crypt
document_id: 15192
From: hal@cco.caltech.edu (Hal Finney)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

The key question is whether non-Clipper encryption will be made illegal.

> The Administration is not saying, "since encryption
> threatens the public safety and effective law enforcement,
> we will prohibit it outright" (as some countries have
> effectively done); nor is the U.S. saying that "every
> American, as a matter of right, is entitled to an
> unbreakable commercial encryption product." There is a
> false "tension" created in the assessment that this issue is
> an "either-or" proposition. Rather, both concerns can be,
> and in fact are, harmoniously balanced through a reasoned,
> balanced approach such as is proposed with the "Clipper
> Chip" and similar encryption techniques.

The clear middle ground implied by these statements is to say that Americans have the right to Clipper encryption, but not to unbreakable encryption. This implies that, ultimately, non-Clipper strong encryption must become illegal.

(As an aside, isn't the language here jarring? All this talk about "harmonious balance" when they're talking about taking away people's right to communications privacy?)
Although the article emphasizes voice communication, data and mail encryption is mentioned as well:

>Sophisticated encryption technology has been used for years to
>protect electronic funds transfer. It is now being used to
>protect electronic mail and computer files.

> -- the privacy of our citizens, including the need to
> employ voice or data encryption for business purposes;

It looks like the worst nightmares raised by Dorothy Denning's proposals are coming true. If the government continues on this course, I imagine that we will see strong cryptography made illegal. Encryption programs for disk files and email, as well as software to allow for encrypted voice communications, will be distributed only through the "underground". People will have to learn how to hide the fact that they are protecting their privacy. It's shocking and frightening to see that this is actually happening here.

Hal Finney
hal@alumni.caltech.edu

Newsgroup: sci.crypt
document_id: 15193
From: karn@servo.qualcomm.com (Phil Karn)
Subject: The battle is joined

It looks like Dorothy Denning's wrong-headed ideas have gotten to the Administration even sooner than we feared. It's time to make sure they hear the other side of the story, and hear it loudly!

Phil

------- Forwarded Message

Subject: text of White House announcement and Q&As on clipper chip encryption

Note: This file will also be available via anonymous file transfer from csrc.ncsl.nist.gov in directory /pub/nistnews and via the NIST Computer Security BBS at 301-948-5717.
---------------------------------------------------

THE WHITE HOUSE

Office of the Press Secretary
_________________________________________________________________

For Immediate Release                                April 16, 1993

STATEMENT BY THE PRESS SECRETARY

The President today announced a new initiative that will bring the Federal Government together with industry in a voluntary program to improve the security and privacy of telephone communications while meeting the legitimate needs of law enforcement. The initiative will involve the creation of new products to accelerate the development and use of advanced and secure telecommunications networks and wireless communications links.

For too long there has been little or no dialogue between our private sector and the law enforcement community to resolve the tension between economic vitality and the real challenges of protecting Americans. Rather than use technology to accommodate the sometimes competing interests of economic growth, privacy and law enforcement, previous policies have pitted government against industry and the rights of privacy against law enforcement.

Sophisticated encryption technology has been used for years to protect electronic funds transfer. It is now being used to protect electronic mail and computer files. While encryption technology can help Americans protect business secrets and the unauthorized release of personal information, it also can be used by terrorists, drug dealers, and other criminals.

A state-of-the-art microcircuit called the "Clipper Chip" has been developed by government engineers. The chip represents a new approach to encryption technology. It can be used in new, relatively inexpensive encryption devices that can be attached to an ordinary telephone. It scrambles telephone communications using an encryption algorithm that is more powerful than many in commercial use today.
This new technology will help companies protect proprietary information, protect the privacy of personal phone conversations and prevent unauthorized release of data transmitted electronically. At the same time this technology preserves the ability of federal, state and local law enforcement agencies to intercept lawfully the phone conversations of criminals.

A "key-escrow" system will be established to ensure that the "Clipper Chip" is used to protect the privacy of law-abiding Americans. Each device containing the chip will have two unique "keys," numbers that will be needed by authorized government agencies to decode messages encoded by the device. When the device is manufactured, the two keys will be deposited separately in two "key-escrow" data bases that will be established by the Attorney General. Access to these keys will be limited to government officials with legal authorization to conduct a wiretap. The "Clipper Chip" technology provides law enforcement with no new authorities to access the content of the private conversations of Americans.

To demonstrate the effectiveness of this new technology, the Attorney General will soon purchase several thousand of the new devices. In addition, respected experts from outside the government will be offered access to the confidential details of the algorithm to assess its capabilities and publicly report their findings.

The chip is an important step in addressing the problem of encryption's dual-edge sword: encryption helps to protect the privacy of individuals and industry, but it also can shield criminals and terrorists. We need the "Clipper Chip" and other approaches that can both provide law-abiding citizens with access to the encryption they need and prevent criminals from using it to hide their illegal activities.
In order to assess technology trends and explore new approaches (like the key-escrow system), the President has directed government agencies to develop a comprehensive policy on encryption that accommodates:

-- the privacy of our citizens, including the need to employ voice or data encryption for business purposes;

-- the ability of authorized officials to access telephone calls and data, under proper court or other legal order, when necessary to protect our citizens;

-- the effective and timely use of the most modern technology to build the National Information Infrastructure needed to promote economic growth and the competitiveness of American industry in the global marketplace; and

-- the need of U.S. companies to manufacture and export high technology products.

The President has directed early and frequent consultations with affected industries, the Congress and groups that advocate the privacy rights of individuals as policy options are developed.

The Administration is committed to working with the private sector to spur the development of a National Information Infrastructure which will use new telecommunications and computer technologies to give Americans unprecedented access to information. This infrastructure of high-speed networks ("information superhighways") will transmit video, images, HDTV programming, and huge data files as easily as today's telephone system transmits voice.

Since encryption technology will play an increasingly important role in that infrastructure, the Federal Government must act quickly to develop consistent, comprehensive policies regarding its use. The Administration is committed to policies that protect all Americans' right to privacy while also protecting them from those who break the law.

Further information is provided in an accompanying fact sheet. The provisions of the President's directive to acquire the new encryption technology are also available.
For additional details, call Mat Heyman, National Institute of Standards and Technology, (301) 975-2758.

---------------------------------

QUESTIONS AND ANSWERS ABOUT THE CLINTON ADMINISTRATION'S TELECOMMUNICATIONS INITIATIVE

Q: Does this approach expand the authority of government agencies to listen in on phone conversations?

A: No. "Clipper Chip" technology provides law enforcement with no new authorities to access the content of the private conversations of Americans.

Q: Suppose a law enforcement agency is conducting a wiretap on a drug smuggling ring and intercepts a conversation encrypted using the device. What would they have to do to decipher the message?

A: They would have to obtain legal authorization, normally a court order, to do the wiretap in the first place. They would then present documentation of this authorization to the two entities responsible for safeguarding the keys and obtain the keys for the device being used by the drug smugglers. The key is split into two parts, which are stored separately in order to ensure the security of the key escrow system.

Q: Who will run the key-escrow data banks?

A: The two key-escrow data banks will be run by two independent entities. At this point, the Department of Justice and the Administration have yet to determine which agencies will oversee the key-escrow data banks.

Q: How strong is the security in the device? How can I be sure how strong the security is?

A: This system is more secure than many other voice encryption systems readily available today. While the algorithm will remain classified to protect the security of the key escrow system, we are willing to invite an independent panel of cryptography experts to evaluate the algorithm to assure all potential users that there are no unrecognized vulnerabilities.

Q: Whose decision was it to propose this product?

A: The National Security Council, the Justice Department, the Commerce Department, and other key agencies were involved in this decision.
This approach has been endorsed by the President, the Vice President, and appropriate Cabinet officials.

Q: Who was consulted? The Congress? Industry?

A: We have on-going discussions with Congress and industry on encryption issues, and expect those discussions to intensify as we carry out our review of encryption policy. We have briefed members of Congress and industry leaders on the decisions related to this initiative.

Q: Will the government provide the hardware to manufacturers?

A: The government designed and developed the key access encryption microcircuits, but it is not providing the microcircuits to product manufacturers. Product manufacturers can acquire the microcircuits from the chip manufacturer that produces them.

Q: Who provides the "Clipper Chip"?

A: Mykotronx programs it at their facility in Torrance, California, and will sell the chip to encryption device manufacturers. The programming function could be licensed to other vendors in the future.

Q: How do I buy one of these encryption devices?

A: We expect several manufacturers to consider incorporating the "Clipper Chip" into their devices.

Q: If the Administration were unable to find a technological solution like the one proposed, would the Administration be willing to use legal remedies to restrict access to more powerful encryption devices?

A: This is a fundamental policy question which will be considered during the broad policy review. The key escrow mechanism will provide Americans with an encryption product that is more secure, more convenient, and less expensive than others readily available today, but it is just one piece of what must be the comprehensive approach to encryption technology, which the Administration is developing. The Administration is not saying, "since encryption threatens the public safety and effective law enforcement, we will prohibit it outright" (as some countries have effectively done); nor is the U.S.
saying that "every American, as a matter of right, is entitled to an unbreakable commercial encryption product." There is a false "tension" created in the assessment that this issue is an "either-or" proposition. Rather, both concerns can be, and in fact are, harmoniously balanced through a reasoned, balanced approach such as is proposed with the "Clipper Chip" and similar encryption techniques.

Q: What does this decision indicate about how the Clinton Administration's policy toward encryption will differ from that of the Bush Administration?

A: It indicates that we understand the importance of encryption technology in telecommunications and computing and are committed to working with industry and public-interest groups to find innovative ways to protect Americans' privacy, help businesses to compete, and ensure that law enforcement agencies have the tools they need to fight crime and terrorism.

Q: Will the devices be exportable? Will other devices that use the government hardware be exportable?

A: Voice encryption devices are subject to export control requirements. Case-by-case review for each export is required to ensure appropriate use of these devices. The same is true for other encryption devices. One of the attractions of this technology is the protection it can give to U.S. companies operating at home and abroad. With this in mind, we expect export licenses will be granted on a case-by-case basis for U.S. companies seeking to use these devices to secure their own communications abroad. We plan to review the possibility of permitting wider exportability of these products.

Newsgroup: sci.crypt document_id: 15194 From: grady@netcom.com (1016/2EF221) Subject: Re: MacPGP 2.2 Source Problems

Yes -- my error -- you will need the DIFF between the standard console.h and console.c supplied with Symantec's THINK C 5.0.4 and the specially modified one that works with MacPGP 2.2.
I added the two DIFFs to the end of the signature file "MacPGP2.2srcSIGNATURE" in pub/grady of netcom.com. Please download via anonymous FTP and, using SED (oops), cutting and pasting, fix-em-up. Will one of you Mac-geniuses PLEASE port this to MacApp or AppMaker, or...?

Grady -- grady@netcom.com 2EF221 / 15 E2 AD D3 D1 C6 F3 FC 58 AC F7 3D 4F 01 1E 2F

Newsgroup: sci.crypt document_id: 15195 From: Danny Weitzner Subject: Re-inventing Crypto Policy? An EFF Statement

April 16, 1993

INITIAL EFF ANALYSIS OF CLINTON PRIVACY AND SECURITY PROPOSAL

The Clinton Administration today made a major announcement on cryptography policy which will affect the privacy and security of millions of Americans. The first part of the plan is to begin a comprehensive inquiry into major communications privacy issues such as export controls which have effectively denied most people easy access to robust encryption, and law enforcement issues posed by new technology. However, EFF is very concerned that the Administration has already reached a conclusion on one critical part of the inquiry, before any public comment or discussion has been allowed. Apparently, the Administration is going to use its leverage to get all telephone equipment vendors to adopt a voice encryption standard developed by the National Security Agency. The so-called "Clipper Chip" is an 80-bit, split key escrowed encryption scheme which will be built into chips manufactured by a military contractor. Two separate escrow agents would store users' keys, and be required to turn them over to law enforcement upon presentation of a valid warrant. The encryption scheme used is to be classified, but the chips will be available to any manufacturer for incorporation into its communications products.

This proposal raises a number of serious concerns. First, the Administration has adopted a solution before conducting an inquiry. The NSA-developed Clipper Chip may not be the most secure product.
Other vendors or developers may have better schemes. Furthermore, we should not rely on the government as the sole source for the Clipper or any other chips. Rather, independent chip manufacturers should be able to produce chipsets based on open standards.

Second, an algorithm cannot be trusted unless it can be tested. Yet, the Administration proposes to keep the chip algorithm classified. EFF believes that any standard adopted ought to be public and open. The public will only have confidence in the security of a standard that is open to independent, expert scrutiny.

Third, while the use of a split-key, dual escrowed system may prove to be a reasonable balance between privacy and law enforcement needs, the details of this scheme must be explored publicly before it is adopted. What will give people confidence in the safety of their keys? Does disclosure of keys to a third party waive an individual's Fifth Amendment rights in subsequent criminal inquiries? These are but a few of the many questions the Administration's proposal raised but fails to answer.

In sum, the Administration has shown great sensitivity to the importance of these issues by planning a comprehensive inquiry into digital privacy and security. However, the "Clipper Chip" solution ought to be considered as part of the inquiry, and not be adopted before the discussion even begins.

DETAILS OF THE PROPOSAL: ESCROW

The 80-bit key will be divided between two escrow agents, each of whom holds 40 bits of each key. The manufacturer of the communications device would be required to register all keys with the two independent escrow agents. A key is tied to the device, however, not the person using it. Upon presentation of a valid court order, the two escrow agents would have to turn the key parts over to law enforcement agents. According to the Presidential Directive just issued, the Attorney General will be asked to identify appropriate escrow agents.
Some in the Administration have suggested that one non-law enforcement federal agency (perhaps the Federal Reserve), and one non-governmental organization could be chosen, but there is no agreement on the identity of the agents yet.

CLASSIFIED ALGORITHM AND THE POSSIBILITY OF BACK DOORS

The Administration claims that there are no back doors -- means by which the government or others could break the code without securing keys from the escrow agents -- and that the President will be told there are no back doors to this classified algorithm. In order to prove this, Administration sources are interested in arranging for an all-star crypto cracker team to come in, under a security arrangement, and examine the algorithm for trap doors. The results of the investigation would then be made public.

The Clipper Chipset was designed and is being produced under a sole-source, secret contract between the National Security Agency and two private firms: VLSI and Mycotronx. NSA work on this plan has been underway for about four years. The manufacturing contract was let 14 months ago.

GOVERNMENT AS MARKET DRIVER

In order to get a market moving, and to show that the government believes in the security of this system, the feds will be the first big customers for this product. Users will include the FBI, Secret Service, VP Al Gore, and maybe even the President. At today's Commerce Department press briefing, a number of people asked this question, though: why would any private organization or individual adopt a classified standard that had no independent guaranty of security or freedom from trap doors?

COMPREHENSIVE POLICY INQUIRY

The Administration has also announced that it is about to commence an inquiry into all policy issues related to privacy protection, encryption, and law enforcement. The items to be considered include: export controls on encryption technology and the FBI's Digital Telephony Proposal.
It appears that this inquiry will be conducted by the National Security Council. Unfortunately, however, the Presidential Directive describing the inquiry is classified. Some public involvement in the process has been promised, but the terms have yet to be specified.

FOR MORE INFORMATION CONTACT: Jerry Berman, Executive Director (jberman@eff.org) Daniel J. Weitzner, Senior Staff Counsel (djw@eff.org)

Full text of the Press releases and Fact Sheets issued by the Administration will be available on EFF's ftp site.

Danny Weitzner Senior Staff Counsel, EFF +1 202 544 3077

Newsgroup: sci.crypt document_id: 15196 From: grady@netcom.com (1016/2EF221) Subject: Re: text of White House announcement and Q&As on clipper chip encryption

I am eager to hear the legal theory behind restricting exchange of cryptographic data and encrypted messages, given the first amendment; the theory behind regulating the *personal* encryption of one's personal *thoughts and feelings* seems even less tenable. Perhaps if we make a *treaty* with, say, Iceland, to restrict crypto paraphernalia can a good "end run" around the Constitution happen... (Treaties -- as someone pointed out -- have the force of any other "law of the land". Like the Bill of Rights.)

Amendment 1 Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.

Amendment 2 A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed.

Amendment 3 No Soldier shall, in time of peace be quartered in any house, without the consent of the Owner, nor in time of war, but in a manner to be prescribed by law.
Amendment 4 The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Amendment 5 No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a Grand Jury, except in cases arising in the land or naval forces, or in the Militia, when in actual service in time of War or public danger; nor shall any person be subject for the same offence to be twice put in jeopardy of life or limb; nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation.

Well -- at least for a few minutes we had some privacy...

-- grady@netcom.com 2EF221 / 15 E2 AD D3 D1 C6 F3 FC 58 AC F7 3D 4F 01 1E 2F

Newsgroup: sci.crypt document_id: 15197 From: jru@Comtech.com (Jimmy R. Upton) Subject: [Rubick] Shortest Path Algorithm - Status?

What is the expected run time (+/- a factor of 10) on a 486DX/50 using the best known algorithm for finding the shortest path solution for Rubik's Cube from a randomly chosen position? I have read the FAQ and followed the recent discussion on Rubik's Cube but I don't believe this question has been answered. Notice that I am specifically looking for an algorithm that finds the SHORTEST path, not just any solution. It seems to me that the underlying assumption is that such a program would need to do a brute force search through 10^20 positions. That seems an unreasonably pessimistic assumption to me and I want to know if someone has significantly improved on that.
I have some ideas of my own on how to approach this problem, but before I spend too much time developing them I wanted to know if someone else has already done the work.

ADMINISTRIVIA: I have posted this to three groups and attempted to set the followup to rec.puzzles which seems to me to be the place to continue this discussion. I will cross post a summary when and if it becomes appropriate. Email replies gladly accepted.

Jimmy jru@Comtech.com

Newsgroup: sci.crypt document_id: 15198 From: bob@natasha.portal.com (Bob Cain) Subject: Re: Pgp, PEM, and RFC's (Was: Cryptography Patents)

Charles Kincy (ckincy@cs.umr.edu) wrote:
: In article <1993Apr16.001321.3692@natasha.portal.com> bob@natasha.portal.com (Bob Cain) writes:
:
: >: I hope my cynicism is misplaced here. Go ahead...I'm not afraid to
: >: be wrong every once in a while. But, I have an uneasy feeling that I
: >: am right. :(
: >
: >It is and you are wrong yet you emotionally state a bunch of crap as fact
: >with a tiny disclaimer at the end. Check your facts first and grow up.
: >Why is there such a strong correlation between interest in cryptography
: >and immaturity I wonder.
:
: Oh, I see, flame someone, tell them that they are immature, tell them
: they are wrong, and then don't offer any proof for your assertions.
:
: You really *are* a putz. Put up or shut up.
:

I will provide any proof you wish in private. Name it, dickhead.

Putz Cain

Newsgroup: sci.crypt document_id: 15199 From: clipper@csrc.ncsl.nist.gov (Clipper Chip Announcement) Subject: White House Public Encryption Management Fact Sheet

Note: The following was released by the White House today in conjunction with the announcement of the Clipper Chip encryption technology.

FACT SHEET PUBLIC ENCRYPTION MANAGEMENT

The President has approved a directive on "Public Encryption Management."
The directive provides for the following: Advanced telecommunications and commercially available encryption are part of a wave of new computer and communications technology. Encryption products scramble information to protect the privacy of communications and data by preventing unauthorized access. Advanced telecommunications systems use digital technology to rapidly and precisely handle a high volume of communications. These advanced telecommunications systems are integral to the infrastructure needed to ensure economic competitiveness in the information age. Despite its benefits, new communications technology can also frustrate lawful government electronic surveillance. Sophisticated encryption can have this effect in the United States. When exported abroad, it can be used to thwart foreign intelligence activities critical to our national interests. In the past, it has been possible to preserve a government capability to conduct electronic surveillance in furtherance of legitimate law enforcement and national security interests, while at the same time protecting the privacy and civil liberties of all citizens. As encryption technology improves, doing so will require new, innovative approaches. In the area of communications encryption, the U. S. Government has developed a microcircuit that not only provides privacy through encryption that is substantially more robust than the current government standard, but also permits escrowing of the keys needed to unlock the encryption. The system for the escrowing of keys will allow the government to gain access to encrypted information only with appropriate legal authorization. 
To assist law enforcement and other government agencies to collect and decrypt, under legal authority, electronically transmitted information, I hereby direct the following action to be taken:

INSTALLATION OF GOVERNMENT-DEVELOPED MICROCIRCUITS

The Attorney General of the United States, or her representative, shall request manufacturers of communications hardware which incorporates encryption to install the U.S. government-developed key-escrow microcircuits in their products. The fact of law enforcement access to the escrowed keys will not be concealed from the American public. All appropriate steps shall be taken to ensure that any existing or future versions of the key-escrow microcircuit are made widely available to U.S. communications hardware manufacturers, consistent with the need to ensure the security of the key-escrow system. In making this decision, I do not intend to prevent the private sector from developing, or the government from approving, other microcircuits or algorithms that are equally effective in assuring both privacy and a secure key-escrow system.

KEY-ESCROW

The Attorney General shall make all arrangements with appropriate entities to hold the keys for the key-escrow microcircuits installed in communications equipment. In each case, the key holder must agree to strict security procedures to prevent unauthorized release of the keys. The keys shall be released only to government agencies that have established their authority to acquire the content of those communications that have been encrypted by devices containing the microcircuits. The Attorney General shall review for legal sufficiency the procedures by which an agency establishes its authority to acquire the content of such communications.

PROCUREMENT AND USE OF ENCRYPTION DEVICES

The Secretary of Commerce, in consultation with other appropriate U.S.
agencies, shall initiate a process to write standards to facilitate the procurement and use of encryption devices fitted with key-escrow microcircuits in federal communications systems that process sensitive but unclassified information. I expect this process to proceed on a schedule that will permit promulgation of a final standard within six months of this directive. The Attorney General will procure and utilize encryption devices to the extent needed to preserve the government's ability to conduct lawful electronic surveillance and to fulfill the need for secure law enforcement communications. Further, the Attorney General shall utilize funds from the Department of Justice Asset Forfeiture Super Surplus Fund to effect this purchase.

Newsgroup: sci.crypt document_id: 15200 From: kadie@cs.uiuc.edu (Carl M Kadie) Subject: [EFF] Initial EFF Analysis of Clinton Privacy and Security Proposal

[An article from comp.org.eff.news, EFFector Online 5.06 - Carl]

April 16, 1993

INITIAL EFF ANALYSIS OF CLINTON PRIVACY AND SECURITY PROPOSAL

The Clinton Administration today made a major announcement on cryptography policy which will affect the privacy and security of millions of Americans. The first part of the plan is to begin a comprehensive inquiry into major communications privacy issues such as export controls which have effectively denied most people easy access to robust encryption as well as law enforcement issues posed by new technology. However, EFF is very concerned that the Administration has already reached a conclusion on one critical part of the inquiry, before any public comment or discussion has been allowed. Apparently, the Administration is going to use its leverage to get all telephone equipment vendors to adopt a voice encryption standard developed by the National Security Agency. The so-called "Clipper Chip" is an 80-bit, split key escrowed encryption scheme which will be built into chips manufactured by a military contractor.
Two separate escrow agents would store users' keys, and be required to turn them over to law enforcement upon presentation of a valid warrant. The encryption scheme used is to be classified, but the chips will be available to any manufacturer for incorporation into their communications products.

This proposal raises a number of serious concerns. First, the Administration appears to be adopting a solution before conducting an inquiry. The NSA-developed Clipper chip may not be the most secure product. Other vendors or developers may have better schemes. Furthermore, we should not rely on the government as the sole source for Clipper or any other chips. Rather, independent chip manufacturers should be able to produce chipsets based on open standards.

Second, an algorithm cannot be trusted unless it can be tested. Yet the Administration proposes to keep the chip algorithm classified. EFF believes that any standard adopted ought to be public and open. The public will only have confidence in the security of a standard that is open to independent, expert scrutiny.

Third, while the use of the split-key, dual-escrowed system may prove to be a reasonable balance between privacy and law enforcement needs, the details of this scheme must be explored publicly before it is adopted. What will give people confidence in the safety of their keys? Does disclosure of keys to a third party waive an individual's fifth amendment rights in subsequent criminal inquiries?

In sum, the Administration has shown great sensitivity to the importance of these issues by planning a comprehensive inquiry into digital privacy and security. However, the "Clipper chip" solution ought to be considered as part of the inquiry, not be adopted before the discussion even begins.

DETAILS OF THE PROPOSAL: ESCROW

The 80-bit key will be divided between two escrow agents, each of whom holds 40 bits of each key.
Upon presentation of a valid warrant, the two escrow agents would have to turn the key parts over to law enforcement agents. Most likely the Attorney General will be asked to identify appropriate escrow agents. Some in the Administration have suggested one non-law enforcement federal agency, perhaps the Federal Reserve, and one non-governmental organization. But, there is no agreement on the identity of the agents yet. Key registration would be done by the manufacturer of the communications device. A key is tied to the device, not to the person using it.

CLASSIFIED ALGORITHM AND THE POSSIBILITY OF BACK DOORS

The Administration claims that there are no back door means by which the government or others could break the code without securing keys from the escrow agents and that the President will be told there are no back doors to this classified algorithm. In order to prove this, Administration sources are interested in arranging for an all-star crypto cracker team to come in, under a security arrangement, and examine the algorithm for trap doors. The results of the investigation would then be made public.

GOVERNMENT AS MARKET DRIVER

In order to get a market moving, and to show that the government believes in the security of this system, the feds will be the first big customers for this product. Users will include the FBI, Secret Service, VP Al Gore, and maybe even the President.

FOR MORE INFORMATION CONTACT: Jerry Berman, Executive Director Daniel J. Weitzner, Senior Staff Counsel

-- Carl Kadie -- I do not represent any organization; this is just me. = kadie@cs.uiuc.edu =

Newsgroup: sci.crypt document_id: 15201 From: cme@ellisun.sw.stratus.com (Carl Ellison) Subject: Re: Clipper Crypto

I sent a response to the White House at 0005895485@MCIMAIL.COM (White House) and received a nice, automatic reply from MCIMAIL noting, in passing, that if I had included a SNail address, I would get a reply in due course. For those who care, my reply was: 1.
yes, let's protect the voice network
2. privately-developed crypto has always been available and always will be -- so let's think about how to do law enforcement given that fact not about how to hope to legislate against it
3. my needs for crypto as a system designer are not met by the Clipper Chip. I want freely to export uses of algorithms (like DES & RSA) which are already freely available in the destination country

-- - <> - Carl Ellison cme@sw.stratus.com - Stratus Computer Inc. M3-2-BKW TEL: (508)460-2783 - 55 Fairbanks Boulevard ; Marlborough MA 01752-1298 FAX: (508)624-7488

Newsgroup: sci.crypt document_id: 15202 From: strnlght@netcom.com (David Sternlight) Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

Though some may argue about the nose of the camel, it's worth noting that the government proposal is limited to scrambled telephony. If it is only used for that purpose, and does not extend to electronic mail or file encryption, then it IS an improvement over the current mass-produced standard civilian technology which, with a few exceptions, is limited to easy-to-break inverters. Note that the big issue for the feds is the continued ability to wiretap. Before we go off the deep end with long discussions about secure crypto for e-mail and files, let's focus on this. One question that was not asked in the release is whether this proposal is limited to telephony, or if the government intends to expand it. Though I share many of the concerns expressed by some, I find the proposal less threatening than many others, since right now most Americans have no secure telephony, and any jerk with a pair of clip leads and a "goat" can eavesdrop. This would also plug up the security hole in cellular and cordless phones.

-------

Reading between the lines, I infer that the system is highly secure without access to the keys. This would meet the needs of U.S.
businesses confronted by rich and powerful adversaries, including French and Japanese security services and rich Japanese companies. It allows the NSA to make available some of its better stuff while protecting law enforcement needs. Most legitimate U.S. corporations trust the NSA, and would be delighted to have a high-security system certified by them, even at the price of depositing keys in escrow. I see no difficulty in creating a reliable escrow. Corporations entrust their secrets to attorneys every day of the week, and that system has worked pretty well. From my point of view this is a fair starting point. There are concerns that need to be addressed, including the reliability of the escrows. But in return we get access to high-security crypto. Many have suggested that DES and other systems may be breakable by the NSA and hence others similarly skilled and endowed. There is at least a good possibility (which should be checked) that the proposed system is not so breakable. It doesn't have to be, nor does it have to have trapdoors, if the government can get the keys pursuant to a legitimate court order. Thus they can protect legitimate communications against economic adversaries, while still being able to eavesdrop on crooks pursuant to a court order.

------

In discussing this, let's try to avoid the nastiness, personal attacks and noise of some previous threads. This is a substantive and technical issue, and personal remarks have no place in such a discussion.

-- David Sternlight Great care has been taken to ensure the accuracy of our information, errors and omissions excepted.

Newsgroup: sci.crypt document_id: 15203 From: lbrintle@news.weeg.uiowa.edu (Lee Brintle) Subject: Re: Re-inventing Crypto Policy? An EFF Statement

In article <1993Apr16.204207.24564@eff.org> Danny Weitzner writes:
>The 80-bit key will be divided between two escrow agents, each of whom
>hold 40-bits of each key.
Presumably, the key split is so that no one group controls the privacy of the key, and that it would be infeasible to illicitly gain access from both agents. However, if one agent wishes to break the crypto without the cooperation of the other agent, a 40-bit key is not going to stand in the way of a brute force attack. If an agency (for example, the NSA) were to hold one of the two key-halves, then I don't imagine they really need the other half of the key to start listening in. Or was that the point? (This is not to imply, at all, that I like the idea of the rest of the system.)

-- Lee Brintle | ``And so, I leave you with this final word: Director, Project Panda | twang.''

Newsgroup: sci.crypt document_id: 15204 From: Jay Fenton Subject: How to detect use of an illegal cipher?

How can the government tell which encryption method one is using without being able to decode the traffic? i.e., In order to accuse me of using an unauthorized strong encryption technique they would have to take both keys out of escrow, run them against my ciphertext and "draw a blank". I can imagine the ciphertext exhibiting certain statistical characteristics that might give a clue as to the encryption technique used, but not enough to give a handle for differential cryptanalysis. However, superencipherment or some other scheme that shapes the perceived properties of my ciphertext could thwart this.

Newsgroup: sci.crypt document_id: 15205 From: mike@avon.demon.co.uk ("Mike H.") Subject: Re: Another data hiding scheme...

In article <1993Apr13.225348.6511@colorado.edu> bear@tigger.cs.Colorado.EDU writes:
>since the price of 1.44 M 3.5" floppies were still high until the last
>few years. If you store "old" data, with old file times, in the public
>filesystem the casual observer may miss the "HD"... especially if you
>"accidently" cover it with something).
>
>--
>Bear Giles
>bear@cs.colorado.edu/fsl.noaa.gov
>

It has been done already!
In the UK the Atari ST box was shipped with 360K disks in the first few years and then later 720K disks. In order to make life less complicated, many freebie disks on mags were double formatted like this. Side 0 of the disk had 360K on it and could be read by any ST. It also had a flip-side program. This would swap the sides around so that side 1 became side 0.

-- Mike (mike@avon.demon.co.uk)

Newsgroup: sci.crypt document_id: 15206 From: arc@leland.Stanford.EDU (Andrew Richard Conway) Subject: Re: text of White House announcement and Q&As on clipper chip encryption

In article <1qmugcINNpu9@gap.caltech.edu> hal@cco.caltech.edu (Hal Finney) writes:
>The key question is whether non-Clipper encryption will be made illegal.
>
>> The Administration is not saying, "since encryption
>> threatens the public safety and effective law enforcement,
>> we will prohibit it outright" (as some countries have
>> effectively done); nor is the U.S. saying that "every

Does anyone know what countries are these?

>> American, as a matter of right, is entitled to an
>> unbreakable commercial encryption product." There is a
>> false "tension" created in the assessment that this issue is
>> an "either-or" proposition. Rather, both concerns can be,
>> and in fact are, harmoniously balanced through a reasoned,
>> balanced approach such as is proposed with the "Clipper
>> Chip" and similar encryption techniques.
>
>The clear middle ground implied by these statements is to say that Americans
>have the right to Clipper encryption, but not to unbreakable encryption.
>This implies that, ultimately, non-Clipper strong encryption must become
>illegal.

With the following logical consequences
(a) Using any code designed to obscure information which is not easily breakable will be illegal, including
(i) Using code words such as ``Project P5''
(ii) Speaking a language other than English
(iii) Ever referring implicitly to events not known to everyone, eg "Hi John. How was last night?"
For all the listener knows, this may be a code for "Did you pick up the drugs OK last night?" or be a code for "OK. We blow up the Pentagon at midnight."
(iv) Mentioning anything that could not be perfectly understood by an average person with no education.
(v) Words with more than one syllable.
(vi) Speaking with a heavy accent that could be misunderstood by people not used to it.
(vii) books with an "Inner meaning"...such as "Animal Farm".

>(As an aside, isn't the language here jarring? All this talk about
>"harmonious balance" when they're talking about taking away people's
>right to communications privacy?)

Yes.

>It looks like the worst nightmares raised by Dorothy Denning's proposals
>are coming true. If the government continues on this course, I imagine
>that we will see strong cryptography made illegal. Encryption programs
>for disk files and email, as well as software to allow for encrypted
>voice communications, will be distributed only through the
>"underground". People will have to learn how to hide the fact that
>they are protecting their privacy.

I have a wonderful encrypter you can borrow that converts a message eg "Meet me at 11:30 to bomb the White House. Bring some dynamite" to an apparently (relatively) innocuous message. This message here is an example of the output for the above message :-).

>It's shocking and frightening to see that this is actually happening here.

It is shocking that it could happen anywhere. It is shocking that it could happen in a country that has the arrogance to call itself free.

What you can do:
(1) Write to your congress person in plain text.
(2) Write to your congress person in encrypted text. (decrypter optional)
(3) Send some random keystrokes to your congressperson
(4) Send some random keystrokes across the US boundaries, and keep the spooks busy trying to decode it.
(5) Write your own encryption algorithms.
(6) Don't buy clipper products.

P.S.
I can't work out why the US government doesn't want to sell them overseas. After all, they are rather easy for US interests to decode, so make a perfect tool for industrial/military espionage...lulling anyone stupid enough to buy it into a false sense of security. You will notice that there is NO mention anywhere about safety for non-Americans.

Disclaimer: My opinions are mine alone, and do not represent anyone else's. I have nothing that I particularly want to hide at the moment...though I consider the right to be able to use whatever method of coding data I like to be high on my list of priorities.

--
-----------------------------------------------------------------
Andrew Conway arc@leland.stanford.edu Phone: USA 415 497 1094

Newsgroup: sci.crypt
document_id: 15209
From: eifrig@beanworld.cs.jhu.edu (Jonathan Eifrig)
Subject: Re: Pgp, PEM, and RFC's (Was: Cryptography Patents)

In article <1993Apr16.001321.3692@natasha.portal.com> bob@natasha.portal.com (Bob Cain) writes:
> Check your facts first and grow up.
>Why is there such a strong correlation between interest in cryptography
>and immaturity I wonder.

Hmmm. "Check your facts." Good advice. Let's check Mr. Cain's facts a bit, shall we?

>Charles Kincy (ckincy@cs.umr.edu) wrote:
>: Some limitation. Let me guess: don't use the code in any way PKP or
>: RSA doesn't like....such as...providing secure communications for the
>: average citizen.
>
>That was exactly its purpose if you know anything about it. There is
>nothing at all preventing the average citizen using it, only selling
>it.

FACT: It is unlawful to distribute code implementing RSA without a license to do so from PKP, whether or not one is charging for it. Furthermore, any use of RSA, other than for research purposes allowed under US patent law, is similarly unlawful. Therefore, the "average citizen" cannot use RSA to encrypt message traffic in the US without a license from PKP.
There is no licensed, freely available product in the US that uses RSA encryption other than RSAREF (and hence RIPEM), at least as far as I am aware. If you know of another, please post it here.

>: All I have to say is...yeah, right. If you're willing to pay them
>: mucho big bucks and/or use the routines *they* tell you to do.
>: Doesn't sound very reasonable to me.
>
>All I have to say is this is full of shit. I have negotiated a license
>and the bucks are incredibly reasonable with an upfront charge on a
>sliding scale depending on your capitalization. If you are a startup
>and can't afford it you can't afford to start up in the first place.
>Why do people insist on making unequivocal statements about that which
>they know nothing.

FACT: The last contact I had with RSA Data Security, Inc was with some guy trying to sell me a license (unsolicited, I might add) for TIPEM. Cost: $15K plus 2-5 percent royalties. I suppose it is a matter of opinion as to whether or not these terms count as "mucho bucks" or "incredibly reasonable." Either way, however, this definitely falls into the "routines *they* tell you to (use)".

>: But I don't guess PKP and RSA are interested in big bucks. Maybe
>: they have some other agenda? Secure communications only for
>: government agents, perhaps?
>
>Have you considered treatment for paranoia? The government is the
>single biggest thorn in RSA's side.

FACT: There are no restrictions (yet!) on the use of cryptography under US law, although this is beginning to look like it will change. The only impediments to widespread use of RSA cryptography in the US are PKP's patents.

Mr. Cain, please shut up until you get your facts straight.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
"Better than the whole world be destroyed and crumble to dust than a free man deny one of his desires." -Benito Mussolini, Italian anarchist and poet.
Jack Eifrig (eifrig@cs.jhu.edu) The Johns Hopkins University, C.S. Dept.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Newsgroup: sci.crypt
document_id: 15210
From: avg@rodan.UU.NET (Vadim Antonov)
Subject: Re: Re-inventing Crypto Policy? An EFF Statement

In article <1993Apr16.204207.24564@eff.org> Danny Weitzner writes:
>The 80-bit key will be divided between two escrow agents, each of whom
>hold 40-bits of each key.

I somehow started to doubt the technical competence of the people who designed the system. Why on the Earth split the 80-bit key in 40-bit parts to keep them in escrow separately (having 40 bit and large volumes of data voice links produce it should be relatively easy to break it) when they simply could keep 80-bit sequences in N (N>=2) independent places and then XOR all the partial keys to get the actual key (N-1 sequences should obviously be selected randomly and Nth is the actual key XOR-ed with the random sequences).

(Or is it a conspiracy? 1/2 :-)

--vadim

Newsgroup: sci.crypt
document_id: 15211
From: karn@servo.qualcomm.com (Phil Karn)
Subject: Re: Keeping Your Mouth Shut (was: Hard drive security)

In article , vkub@charlie.usd.edu (Vince Kub) writes:
|> Now,
|> the original scheme as suggested here would be to have the key disappear if
|> certain threatening conditions are met. Once the key is gone there is no
|> question of Contempt of Court as there is nothing to compel, the key is no
|> longer there to be produced.

Getting rid of the keys is actually pretty easy to do automatically on a communications link, as opposed to storage where the keys have to be retained somehow as long as the owner wants to be able to retrieve the data.

The right way to do communications security is to generate a random session key with Diffie Hellman, use it for a while and then destroy it. Once it's gone, there's no getting it back, and no way to decrypt recordings of the conversation. To make sure you aren't being attacked by a man in the middle, you have to authenticate your DH exchanges.
The AT&T secure phone does this by displaying the DH key so you can compare them verbally over the phone. This is nice and simple, but it relies on user awareness plus the inability of the man in the middle to duplicate the users' voices.

A better way is to authenticate the exchanges with RSA. Since you'd never use RSA for actual encryption, compromising your RSA secret key would only allow someone to impersonate you in a future conversation, and even that only until you revoke your public key. They would still not be able to decrypt recordings of prior conversations for which the session keys have been destroyed.

I'm convinced that this is how the government's own secure phones (the STU-III) must work. Neat, eh?

Phil

Newsgroup: sci.crypt
document_id: 15212
From: pcw@access.digex.com (Peter Wayner)
Subject: The Old Key Registration Idea...

Okay, let's suppose that the NSA/NIST/Mykotronix Registered Key system becomes standard and I'm able to buy such a system from my local radio shack. Every phone comes with a built in chip and the government has the key to every phone call. I go and buy a phone and dutifully register the key.

What's to prevent me from swapping phones with a friend or buying a used phone at a garage sale? Whooa. The secret registered keys just became unsynchronized. When the government comes to listen in, they only receive gobbledy-gook because the secret key registered under my name isn't the right one.

That leads me to conjecture that:

1) The system isn't that secure. There are just two master keys that work for all the phones in the country. The part about registering your keys is just bogus.

or

2) The system is vulnerable to simple phone swapping attacks like this. Criminals will quickly figure this out and go to town.
In either case, I think we need to look at this a bit deeper.

Newsgroup: sci.crypt
document_id: 15213
From: ig25@fg70.rz.uni-karlsruhe.de (Thomas Koenig)
Subject: Re: White House Public Encryption Management Fact Sheet

clipper@csrc.ncsl.nist.gov (Clipper Chip Announcement) writes:
>The President has approved a directive on "Public Encryption
>Management." The directive provides for the following:
[...]
>When
>exported abroad, it can be used to thwart foreign intelligence
>activities critical to our national interests.
[...]
>The Attorney General of the United States, or her representative,
>shall request manufacturers of communications hardware which
>incorporates encryption to install the U.S. government-developed
>key-escrow microcircuits in their products.

Quite interesting. How does the US administration intend to persuade non-US governments to let the NSA eavesdrop on them? Or should U.S. companies install these chips in communication systems sold abroad without the customer's knowledge or consent, or not at all?

--
Thomas Koenig, ig25@rz.uni-karlsruhe.de, ig25@dkauni2.bitnet
The joy of engineering is to find a straight line on a double logarithmic diagram.

Newsgroup: sci.crypt
document_id: 15214
From: betel@camelot.bradley.edu (Robert Crawford)
Subject: Re: How to detect use of an illegal cipher?

Jay Fenton writes:
>How can the government tell which encryption method one is using without
>being able to decode the traffic? i.e., In order to accuse me of using an
>unauthorized strong encryption technique they would have to take both
>keys out of escrow, run them against my ciphertext and "draw a blank".

I was thinking about this, also. It's quite possible the system transmits, in clear, the serial number of the device being used. That way they can start a tap, get the serial number, and use the warrant for the first tap to get the key.
If they tap someone who's apparently using encryption, but don't find that prefix, then they'll assume it's an "un-authorized" encryption scheme.

--
May the Kloo Gnomes be generous to you.
Robert Crawford betel@camelot.bradley.edu

Newsgroup: sci.crypt
document_id: 15215
From: philip@charon.cto.citicorp.com (Philip Gladstone)
Subject: More Clipper Stuff

As of yet, there has been no description of the general principles behind the Clipper proposal. For example, is this a public key system or a private key system? If the latter, then I don't see how the system could work (given that the keys are tied to the device and not the person).

Further, the escrowed 80-bit keys are split into two 40-bit chunks. I would guess that the availability of one of these 40-bit chunks and a reasonable key-search machine, would allow you to read the traffic. I'm not suggesting that this is a deliberate weakness of the system, but it does make you think. Of course, this is easily fixable by giving out two 80-bit chunks which could be x-ored to generate the real 80-bit key.

Philip

Newsgroup: sci.crypt
document_id: 15216
From: cme@ellisun.sw.stratus.com (Carl Ellison)
Subject: Re: White House Public Encryption Management Fact Sheet

In article clipper@csrc.ncsl.nist.gov (Clipper Chip Announcement) writes:
>PROCUREMENT AND USE OF ENCRYPTION DEVICES
[ ... ]
>The Attorney General will procure and utilize encryption devices to
>the extent needed to preserve the government's ability to conduct
>lawful electronic surveillance and to fulfill the need for secure
>law enforcement communications. Further, the Attorney General
>shall utilize funds from the Department of Justice Asset Forfeiture
>Super Surplus Fund to effect this purchase.

Talk about adding insult to injury ...

I, for one, believe that the use of civil forfeiture should be abolished by a decent administration, not continued. Instead, it looks like that ill-gotten gain will be used to help pay for wiretap equipment.
--
- <> - Carl Ellison cme@sw.stratus.com
- Stratus Computer Inc. M3-2-BKW TEL: (508)460-2783
- 55 Fairbanks Boulevard ; Marlborough MA 01752-1298 FAX: (508)624-7488

Newsgroup: sci.crypt
document_id: 15217
From: m.t.palmer@larc.nasa.gov (Michael T. Palmer)
Subject: re: text of White House announcement and Q&As on clipper chip encryption

In article clipper@csrc.ncsl.nist.gov (Clipper Chip Announcement) writes:
>Q: Suppose a law enforcement agency is conducting a wiretap on
> a drug smuggling ring and intercepts a conversation... [etc]
  ^^^^^^^^^^^^^^^^^^^\

Great... nice choice of bad guys to convince everyone how "bad" unrestricted encryption is. Why not use a child molester instead? Of course, the word *suspect* is never used here, so I guess these people have already been convicted and are operating this drug ring from their jail cells.

How about *this* question instead?

Q: Suppose a law enforcement agency is conducting a wiretap on a political opponent of a senior administration official and intercepts a conversation...

Kinda changes your interpretation of the event, doesn't it? And yes, the presence of the Clipper Chip DOES change things, because it will not only give the people talking on the phone a false sense of security, it will also give federal law enforcement agencies the justification to deny use of strong encryption methods that are inconvenient to them. Dang it all, it's SUPPOSED to be inconvenient (but not impossible). That's the ONLY sure way to make sure that abuses are minimized while still allowing legitimate law enforcement access.

>Q: How strong is the security in the device? How can I be sure
> how strong the security is?
>
>A: This system is more secure than many other voice encryption
> systems readily available today.
> While the algorithm will
> remain classified to protect the security of the key escrow
> system, we are willing to invite an independent panel of
> cryptography experts to evaluate the algorithm to assure all
> potential users that there are no unrecognized
> vulnerabilities.

Uh huh... sure. I predict that within two months (weeks?) of the chip's debut, the full technical details will be posted to sci.crypt. And if this has ANY impact on the security of the key escrow system, then we've been lied to. Any cryptosystem worth its salt can withstand the light of public scrutiny, and there is NO WAY you can be sure that an algorithm has no "unrecognized vulnerabilities" unless you have half the world trying to break it for a decade or so. Even then, you gotta be careful.

Michael T. Palmer         | "A man is crazy who writes a secret in any
m.t.palmer@larc.nasa.gov  | other way than one which will conceal it
RIPEM key on server       | from the vulgar." - Roger Bacon, 1220-1292

Newsgroup: sci.crypt
document_id: 15218
From: karn@servo.qualcomm.com (Phil Karn)
Subject: Re: Re-inventing Crypto Policy? An EFF Statement

In article <1qna0tINNf5p@rodan.UU.NET>, avg@rodan.UU.NET (Vadim Antonov) writes:
|> I somehow started to doubt technical competence of the
|> people who designed the system. Why on the Earth split the
|> 80-bit key in 40-bit parts to keep them in escrow separately
|> (having 40 bit and large volumes of data voice links produce
|> it should be relatively easy to break it) when they simply
|> could keep 80-bit sequences in N (N>=2) independent places
|> and then XOR all the partial keys to get the actual key (N-1
|> sequences should obviously be selected randomly and Nth is the
|> actual key XOR-ed with the random sequences).

Without real technical details, it's hard to answer this question. But suppose they already *are* XORing the two 40-bit parts to produce only 40 bits of real key material? Maybe they're using the exportable version of RC2...?
:-)

Phil

Newsgroup: sci.crypt
document_id: 15219
Subject: text of White House announcement and Q&As on clipper chip encryption
From: oleg@gd.cs.CSUFresno.EDU (Oleg Kibirev)

In article clipper@csrc.ncsl.nist.gov (Clipper Chip Announcement) writes:

Here is an article I found today in comp.security.misc. I'll send my reply in a separate post to comp.off.eff.org so that you guys can get original text. Have fun! ;(

Oleg

Newsgroups: comp.security.misc
From: clipper@csrc.ncsl.nist.gov (Clipper Chip Announcement)
Date: Fri, 16 Apr 1993 15:17:33 GMT
Sender: news@dove.nist.gov
Distribution: na
Organization: National Institute of Standards & Technology
Lines: 280

Note: This file will also be available via anonymous file transfer from csrc.ncsl.nist.gov in directory /pub/nistnews and via the NIST Computer Security BBS at 301-948-5717.

---------------------------------------------------

THE WHITE HOUSE
Office of the Press Secretary
_________________________________________________________________

For Immediate Release                                April 16, 1993

STATEMENT BY THE PRESS SECRETARY

The President today announced a new initiative that will bring the Federal Government together with industry in a voluntary program to improve the security and privacy of telephone communications while meeting the legitimate needs of law enforcement.

The initiative will involve the creation of new products to accelerate the development and use of advanced and secure telecommunications networks and wireless communications links.

For too long there has been little or no dialogue between our private sector and the law enforcement community to resolve the tension between economic vitality and the real challenges of protecting Americans.
Rather than use technology to accommodate the sometimes competing interests of economic growth, privacy and law enforcement, previous policies have pitted government against industry and the rights of privacy against law enforcement.

Sophisticated encryption technology has been used for years to protect electronic funds transfer. It is now being used to protect electronic mail and computer files. While encryption technology can help Americans protect business secrets and the unauthorized release of personal information, it also can be used by terrorists, drug dealers, and other criminals.

A state-of-the-art microcircuit called the "Clipper Chip" has been developed by government engineers. The chip represents a new approach to encryption technology. It can be used in new, relatively inexpensive encryption devices that can be attached to an ordinary telephone. It scrambles telephone communications using an encryption algorithm that is more powerful than many in commercial use today.

This new technology will help companies protect proprietary information, protect the privacy of personal phone conversations and prevent unauthorized release of data transmitted electronically. At the same time this technology preserves the ability of federal, state and local law enforcement agencies to intercept lawfully the phone conversations of criminals.

A "key-escrow" system will be established to ensure that the "Clipper Chip" is used to protect the privacy of law-abiding Americans. Each device containing the chip will have two unique "keys," numbers that will be needed by authorized government agencies to decode messages encoded by the device. When the device is manufactured, the two keys will be deposited separately in two "key-escrow" data bases that will be established by the Attorney General. Access to these keys will be limited to government officials with legal authorization to conduct a wiretap.
The "Clipper Chip" technology provides law enforcement with no new authorities to access the content of the private conversations of Americans.

To demonstrate the effectiveness of this new technology, the Attorney General will soon purchase several thousand of the new devices. In addition, respected experts from outside the government will be offered access to the confidential details of the algorithm to assess its capabilities and publicly report their findings.

The chip is an important step in addressing the problem of encryption's dual-edge sword: encryption helps to protect the privacy of individuals and industry, but it also can shield criminals and terrorists. We need the "Clipper Chip" and other approaches that can both provide law-abiding citizens with access to the encryption they need and prevent criminals from using it to hide their illegal activities.

In order to assess technology trends and explore new approaches (like the key-escrow system), the President has directed government agencies to develop a comprehensive policy on encryption that accommodates:

-- the privacy of our citizens, including the need to employ voice or data encryption for business purposes;

-- the ability of authorized officials to access telephone calls and data, under proper court or other legal order, when necessary to protect our citizens;

-- the effective and timely use of the most modern technology to build the National Information Infrastructure needed to promote economic growth and the competitiveness of American industry in the global marketplace; and

-- the need of U.S. companies to manufacture and export high technology products.

The President has directed early and frequent consultations with affected industries, the Congress and groups that advocate the privacy rights of individuals as policy options are developed.
The Administration is committed to working with the private sector to spur the development of a National Information Infrastructure which will use new telecommunications and computer technologies to give Americans unprecedented access to information. This infrastructure of high-speed networks ("information superhighways") will transmit video, images, HDTV programming, and huge data files as easily as today's telephone system transmits voice.

Since encryption technology will play an increasingly important role in that infrastructure, the Federal Government must act quickly to develop consistent, comprehensive policies regarding its use. The Administration is committed to policies that protect all Americans' right to privacy while also protecting them from those who break the law.

Further information is provided in an accompanying fact sheet. The provisions of the President's directive to acquire the new encryption technology are also available.

For additional details, call Mat Heyman, National Institute of Standards and Technology, (301) 975-2758.

---------------------------------

QUESTIONS AND ANSWERS ABOUT THE CLINTON ADMINISTRATION'S TELECOMMUNICATIONS INITIATIVE

Q: Does this approach expand the authority of government agencies to listen in on phone conversations?

A: No. "Clipper Chip" technology provides law enforcement with no new authorities to access the content of the private conversations of Americans.

Q: Suppose a law enforcement agency is conducting a wiretap on a drug smuggling ring and intercepts a conversation encrypted using the device. What would they have to do to decipher the message?

A: They would have to obtain legal authorization, normally a court order, to do the wiretap in the first place. They would then present documentation of this authorization to the two entities responsible for safeguarding the keys and obtain the keys for the device being used by the drug smugglers.
The key is split into two parts, which are stored separately in order to ensure the security of the key escrow system.

Q: Who will run the key-escrow data banks?

A: The two key-escrow data banks will be run by two independent entities. At this point, the Department of Justice and the Administration have yet to determine which agencies will oversee the key-escrow data banks.

Q: How strong is the security in the device? How can I be sure how strong the security is?

A: This system is more secure than many other voice encryption systems readily available today. While the algorithm will remain classified to protect the security of the key escrow system, we are willing to invite an independent panel of cryptography experts to evaluate the algorithm to assure all potential users that there are no unrecognized vulnerabilities.

Q: Whose decision was it to propose this product?

A: The National Security Council, the Justice Department, the Commerce Department, and other key agencies were involved in this decision. This approach has been endorsed by the President, the Vice President, and appropriate Cabinet officials.

Q: Who was consulted? The Congress? Industry?

A: We have on-going discussions with Congress and industry on encryption issues, and expect those discussions to intensify as we carry out our review of encryption policy. We have briefed members of Congress and industry leaders on the decisions related to this initiative.

Q: Will the government provide the hardware to manufacturers?

A: The government designed and developed the key access encryption microcircuits, but it is not providing the microcircuits to product manufacturers. Product manufacturers can acquire the microcircuits from the chip manufacturer that produces them.

Q: Who provides the "Clipper Chip"?

A: Mykotronx programs it at their facility in Torrance, California, and will sell the chip to encryption device manufacturers. The programming function could be licensed to other vendors in the future.
Q: How do I buy one of these encryption devices?

A: We expect several manufacturers to consider incorporating the "Clipper Chip" into their devices.

Q: If the Administration were unable to find a technological solution like the one proposed, would the Administration be willing to use legal remedies to restrict access to more powerful encryption devices?

A: This is a fundamental policy question which will be considered during the broad policy review. The key escrow mechanism will provide Americans with an encryption product that is more secure, more convenient, and less expensive than others readily available today, but it is just one piece of what must be the comprehensive approach to encryption technology, which the Administration is developing.

The Administration is not saying, "since encryption threatens the public safety and effective law enforcement, we will prohibit it outright" (as some countries have effectively done); nor is the U.S. saying that "every American, as a matter of right, is entitled to an unbreakable commercial encryption product." There is a false "tension" created in the assessment that this issue is an "either-or" proposition. Rather, both concerns can be, and in fact are, harmoniously balanced through a reasoned, balanced approach such as is proposed with the "Clipper Chip" and similar encryption techniques.

Q: What does this decision indicate about how the Clinton Administration's policy toward encryption will differ from that of the Bush Administration?

A: It indicates that we understand the importance of encryption technology in telecommunications and computing and are committed to working with industry and public-interest groups to find innovative ways to protect Americans' privacy, help businesses to compete, and ensure that law enforcement agencies have the tools they need to fight crime and terrorism.

Q: Will the devices be exportable? Will other devices that use the government hardware?
A: Voice encryption devices are subject to export control requirements. Case-by-case review for each export is required to ensure appropriate use of these devices. The same is true for other encryption devices. One of the attractions of this technology is the protection it can give to U.S. companies operating at home and abroad. With this in mind, we expect export licenses will be granted on a case-by-case basis for U.S. companies seeking to use these devices to secure their own communications abroad. We plan to review the possibility of permitting wider exportability of these products.

Newsgroup: sci.crypt
document_id: 15220
From: bear@kestrel.fsl.noaa.gov (Bear Giles)
Subject: How do they know what keys to ask for? (Re: Clipper)

This may be a stupid question, but how does the government know which keys to ask for?

Will owners be required to REGISTER their phones, faxes, modems, etc., and inform the government when they are moved to a different phone number? Will there be penalties if the public does not do this? Will identification (the National Health Care ID, perhaps) be required when purchasing a Clipper-equipped phone?

Or will each chip transmit identifying information at the start of a conversation? Identification which could be used to automatically log who calls whom? (The _phone_ company keeps records, but this information would be accessible by a well-placed van near a microwave relay station).

This raises the question of how the two phones agree on a communications encryption key. Will it be something that is derived from information exchanged at the start of the conversation -- and hence derivable by an eavesdropper?

--
Bear Giles bear@fsl.noaa.gov

Newsgroup: sci.crypt
document_id: 15221
From: brad@clarinet.com (Brad Templeton)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

The strategy of the government is interesting. The real fear comes from them doing more than this.
This is a voluntary program, and thus harder for us to object to on the surface. Their strategy is a business one rather than a legal one. They are pushing to get a standard in place, a secret standard, and if they get it as a standard then they will drive competitors out of the market. It will be legal to sell better, untappable encryption that doesn't have registered keys, but it will be difficult, and thus not a plan for most phone companies.

You see, with clipper chip phones you'll be able to talk to any cellular company, or other phones or ports because they will follow the standard. AT&T has already announced a clipper chip encryption product. The government has marketed hard to get major vendors to use these chips. If they get enough market share, they will rule. And thus there will be very little market for systems that can't be tapped by the police.

The public isn't that concerned about it now, after all. They freely do calls that anybody with an old TV can listen to today! They won't pay big extra bucks for proprietary phones that secure them only from the police.

Well, some people will buy these phones, but they will only work with other proprietary phones, so the market will be small and the phones expensive. Unless they are made in numbers large enough to sell them cheap, only the Mob will buy them. And this means that the FBI will want to track the customer lists of better encryption phones, because "the only reason a person would want one is to evade the police."

Interesting.

--
Brad Templeton, ClariNet Communications Corp. -- Sunnyvale, CA 408/296-0366

Newsgroup: sci.crypt
document_id: 15222
From: matt@wardsgi.med.yale.edu (Matt Healy)
Subject: Re: Illegal Wiretaps (was

In article <3702.204.uupcb@ssr.com>, dick.zeitlin%acc1bbs@ssr.com (Dick Zeitlin) wrote:
>
> PK> .Perhaps we need the telephony equivalent of an anonymous remailer for
> > .the telephone network?
> > .Back in Prohibition days (alcohol, that is) I
> > .understand a device called the "cheesebox" was a popular means to thwart
> > .the tracing of telephone calls. It connected two phone lines in the back
> > .room of an otherwise uninvolved business. It was the conceptual predecessor
> > .of today's anonymous email remailer.
>
> The old "cheesebox" was the pre-Carterphone version of the "call
> diverter." After the Carterphone decision there were several vendors
> that sold call diverters. I've got a couple in my basement that
> were used to redirect my office phone to my home number when I
> didn't feel like going into the office.
>
> It'd be quite easy to generate an "anonymous redialer" version of the
> call diverter.
>

About 18 months ago, I heard a report on NPR about a 900-number "1-900-STO-PPER" or some such, for placing untraceable calls. You call them, and on "bong" tone dial the number you want to call; they told the NPR interviewer that nothing short of a court order (which they'd fight) would make them release their records.

Matt Healy
"I pretend to be a network administrator; the lab net pretends to work"
matt@wardsgi.med.yale.edu

Newsgroup: sci.crypt
document_id: 15223
From: ld231782@LANCE.ColoState.Edu (L. Detweiler)
Subject: An Open Letter to Mr. Clinton

I'm quite astonished, shocked, and appalled at this serious frontal assault on emerging American freedoms. Neither the Clinton administration nor any other government agency has any legitimate role whatsoever in regulating cryptography. To do so is tantamount to regulating `acceptable' speech, and is blatantly unconstitutional. Perhaps we should rename this year `1984' in honor of such an illustrious proposal. Let the Crappy Chip live in infamy, and the administration receive great shame and discredit for this bizarre misadventure.

I am outraged that my tax money is being used to develop technology to restrict my freedoms far beyond reasonable measures. The U.S.
government will have my full uncooperation and disobedience on any serious threat to my liberties such as this, and I call on everyone with an interest in a sensible government to resist and defy this proposal. The administration does not seem to understand that they are merely a subservient instrument to implement the will of the public, and hence anyone involved in this proposal in this respect is wholly negligent and remiss in performing their lawful duty.

>While encryption
>technology can help Americans protect business secrets and the
>unauthorized release of personal information, it also can be used
>by terrorists, drug dealers, and other criminals.

It seems to me that U.S. Diplomatic communications should be tappable by the U.N. whenever any countries produce a warrant to the U.N. In fact, I think we should stop paying the NSA billions of dollars a year to produce unbreakable codes for this reason. These actions violate the sovereignty of international law. (I hope Mr. Clinton is shrewd enough to recognize my sarcasm and satire here. But if he isn't, it's a modest and reasonable proposal, so he should find merit with it nevertheless.)

Cryptography is neutral technology. If everybody has strong cryptography (including policemen, bureaucrats, businessmen, housewives, thugs and hoodlums), we have a sustainable equilibrium. Anything less is an unworkable anti-egalitarian arrangement, intrinsically antithetical to American freedoms, and guaranteed to collapse under its own weight of inherent impracticality. We don't need to compromise on issues of freedom.

>For too long there has been little or no dialogue between our
>private sector and the law enforcement community to resolve the
>tension between economic vitality and the real challenges of
>protecting Americans.

For too long our government has demonstrated itself to be increasingly hostile and a serious obstacle to economic vitality and protecting Americans.
>Since encryption technology will play an increasingly important
>role in that infrastructure, the Federal Government must act
>quickly to develop consistent, comprehensive policies regarding
>its use. The Administration is committed to policies that
>protect all Americans' right to privacy while also protecting
>them from those who break the law.

It is not possible for the Federal Government to ``act quickly'' or develop ``consistent, comprehensive policies'' PERIOD. And even if by some grandiose miracle such a thing were possible, it would only be an efficient way to deprive American citizens of fundamental and inalienable rights. The administration has to be committed to leaving private industries alone, esp. on this issue. The government has no legitimate role in regulating the content of communications. Law enforcement agencies must be prepared to forfeit their surveillance bludgeon; they are soon and inevitably to be disarmed of it.

>Q: If the Administration were unable to find a technological
> solution like the one proposed, would the Administration be
> willing to use legal remedies to restrict access to more
> powerful encryption devices?

No such laws can be constitutionally sound, and this is equivalent to a veiled threat, which I don't appreciate. This kind of extortion tends to agitate me and others into radicalism. I will trade threats for threats, and violation for violation.

> The Administration is not saying, "since encryption
> threatens the public safety and effective law enforcement,
> we will prohibit it outright" (as some countries have
> effectively done);

If the administration did say this, it would find itself impeached for reckless and outrageous disregard of essential, established, entrenched, and explicit constitutional privacy guarantees. The administration would have no legal standing whatsoever; such an action would be egregiously illegal and criminal, and wholly untolerated and disregarded by vast segments of the population.
> nor is the U.S. saying that "every
> American, as a matter of right, is entitled to an
> unbreakable commercial encryption product."

The U.S., comprised of a vast majority of people fanatically committed to preserving their privacy in the face of an increasingly totalitarian government, is saying just that. Take your chips and give them to NSA employees as Christmas bonuses. We can run any algorithm on our computers we damn well please, and we will make any chips we please, and we will send any bit pattern over our data highways we please. And if you try to stop us, you will be gradually or abruptly dissolved into nothingness.

[privacy vs. law enforcement]
> There is a
> false "tension" created in the assessment that this issue is
> an "either-or" proposition.

This is an outright Dingaling Denning lie. The two aims of privacy and surveillance are intrinsically and fundamentally incompatible, and you have to work for the NSA to think otherwise. Americans are about to discover ways, through the use of technology, to preserve their inalienable but forgotten freedoms that have slowly been eroded away by an increasingly distant and unresponsive and *unrepresentative* government.

-- 
ld231782@longs.LANCE.ColoState.EDU

Newsgroup: sci.crypt
document_id: 15224
From: tcmay@netcom.com (Timothy C. May)
Subject: "Clipper" an Infringement on Intergraph's Name?

Besides being an infringement on our civil liberties (not the subject in this post), the name "Clipper Chip" seems very confusable with the "Clipper" chip of Intergraph. Originally designed by a team at Fairchild Semiconductor, Clipper was a 32-bit RISC microprocessor. It is still used in some workstations, notably those from Intergraph, the supplier of CAD tools. Intergraph acquired the Clipper product line when Fairchild was sold to National Semiconductor several years back.

When I first saw "Clipper Chip" in the announcement, I immediately thought the article was referring to the Clipper chip I know.
This seems to be grounds for Intergraph to sue, but then I'm not a lawyer. I'd say I'm a cryptologist, but I don't want to incriminate myself under the laws of the new regime.

-Tim May
-- 
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^756839 | Public Key: PGP and MailSafe available.

Newsgroup: sci.crypt
document_id: 15225
From: matt@wardsgi.med.yale.edu (Matt Healy)
Subject: Re: Patents (was RC2 RC4)

In article , bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) wrote:
> 
> ahaley@eoe.co.uk (Andrew Haley) writes:
> 
> > : Coca-Cola has always understood it.
> 
> > Coca-cola is made under licence in dozens of countries around the
> > world. You're crazy if you think PepsiCo doesn't know the recipe.
> 
> In all those countries Coca-cola is distributed in a form of
> concentrate which the local producers simply mix with water and other
> simple ingredients. The trick is to know what is in the concentrate...
> 

I don't know if this is still true, but at one time Coca-Cola took elaborate measures to keep the formula secret. For instance, several plants in different cities each made one of six partial concentrates, which were then shipped back and forth and remixed in a complicated scheme so that no single plant made the whole formula.

By now, I would guess that PepsiCo's chemists would have reverse-engineered it; can't be all that exotic. Actually I prefer Pepsi anyhow; in about 3 minutes I'm gonna put money into a Pepsi vending machine...
Matt Healy
"I pretend to be a network administrator; the lab net pretends to work"
matt@wardsgi.med.yale.edu

Newsgroup: sci.crypt
document_id: 15226
From: rlglende@netcom.com (Robert Lewis Glendenning)
Subject: Re: The Old Key Registration Idea...

The Clipper Chip will have no effect. Current generation PCs, portable and desktop, all have analog voice -> digital voice and vice versa capabilities. So, I only need a modem output to the telephone, and I can interpose any encryption screen on my voice traffic I want. Not even a big deal, but it will pass muster if they have a way of checking whether I am using their Clipper Chip encryption without a full decoding.

I have been chided for stating that Dorothy Denning was intellectually dishonest in the ACM debate and in this newsgroup. I have previously refrained from suggesting that she is arguing on behalf of consulting clients. Now, I say that it is clear that Dorothy Denning has been functioning as a lobbyist, not a computer scientist. She has used legal ethics (truth is what you can convince anyone of), not scientific ethics (truth is understanding the external world).

Maybe we can revoke her ACM membership? 8)

Lew
-- 
Lew Glendenning rlglende@netcom.com
"Perspective is worth 80 IQ points." Niels Bohr (or somebody like that).

Newsgroup: sci.crypt
document_id: 15227
From: mjr@tis.com (Marcus J Ranum)
Subject: Re: How to detect use of an illegal cipher?

>>How can the government tell which encryption method one is using without
>>being able to decode the traffic? i.e., In order to accuse me of using an
>>unauthorized strong encryption technique they would have to take both
>>keys out of escrow, run them against my ciphertext and "draw a blank".
>
> I was thinking about this, also. It's quite possible the
>system transmits, in clear, the serial number of the device being
>used. That way they can start a tap, get the serial number, and use
>the warrant for the first tap to get the key.
>
> If they tap someone who's apparently using encryption, but
>don't find that prefix, then they'll assume it's an "un-authorized"
>encryption scheme.

This doesn't handle superencrypted traffic. If the clipper doesn't impose any unfortunate performance side-effects there's no reason not to use it to superencrypt a stream of triple-DES encrypted traffic. That way your traffic looks "normal" and perhaps anyone desiring to listen in won't even bother, since they know nobody's going to really trust crypto that has classified internals for important stuff.

mjr.

Newsgroup: sci.crypt
document_id: 15228
Subject: Re: Pgp, PEM, and RFC's (Was: Cryptography Patents)
From: a_rubin@dsg4.dse.beckman.com (Arthur Rubin)

In eifrig@beanworld.cs.jhu.edu (Jonathan Eifrig) writes:

>FACT: It is unlawful to distribute code implementing RSA without a license
>to do so from PKP, whether or not one is charging for it. Furthermore,
>any use of RSA, other than for research purposes allowed under US patent
>law, is similarly unlawful. Therefore, the "average citizen" cannot use
>RSA to encrypt message traffic in the US without a license from PKP.

WRONG: I don't think even PKP claims this one. It is not unlawful to distribute code implementing RSA. It appears to be unlawful to use it, so I agree with your last sentence.

>FACT: There are no restrictions (yet!) on the use of cryptography under
>US law, although this is beginning to look like it will change. The only
>impediments to widespread use of RSA cryptography in the US are PKP's
>patents.

Yes, that's correct.

-- 
Arthur L. Rubin: a_rubin@dsg4.dse.beckman.com (work) Beckman Instruments/Brea
216-5888@mcimail.com 70707.453@compuserve.com arthur@pnet01.cts.com (personal)
My opinions are my own, and do not represent those of my employer.

Newsgroup: sci.crypt
document_id: 15229
From: jhesse@netcom.com (John Hesse)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

Stupid me.
I believed the Democrats stood for principles of personal privacy while it was the Neanderthal Republicans that wanted into every aspect of our lives. Clinton is just more clever than the other guy.

Looks like gun control for privacy technology. One small step at a time.

Wait a minute.... Let me think about this. Hmmm, I feel better now. I believe the White House when they tell us this first step is, in fact, the final step. All is OK. We've nothing to fear. They're here to help us. God bless America.

-- 
------------------------------------------------------------------------------
John Hesse        | A man,
jhesse@netcom.com | a plan,
Moss Beach, Calif | a canal, Bob.
------------------------------------------------------------------------------

Newsgroup: sci.crypt
document_id: 15230
From: mjr@tis.com (Marcus J Ranum)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

brad@clarinet.com (Brad Templeton) writes:
>And this means that the FBI will want to track the customer lists of
>better encryption phones, because "the only reason a person would want
>one is to evade the police."

Then they'll probably also want to start tracking the customer lists of people purchasing SoundBlaster and similar boards, which can be configured with the use of some code and a modem, to act as a pretty decent digital-encrypting telephone. It's expensive, though, and kind of awkward. I don't know any drug lords, but I'm sure they'd favor something tappable over something secure as long as the user interface is nice.

When you've got HRH Prince of Wales saying stupid things over cordless phones, it's not hard to imagine that drug dealers, child pornographers, commies, LISP programmers, and other threats to the civilized world might transact incriminating business over "encrypting" cellular phones.

mjr.
Newsgroup: sci.crypt
document_id: 15231
From: jhesse@netcom.com (John Hesse)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

In article strnlght@netcom.com (David Sternlight) writes:
>
>
>Though I share many of the concerns expressed by some, I find the proposal
>less threatening than many others, since right now most Americans have no
>secure telephony, and any jerk with a pair of clip leads and a "goat" can
>eavesdrop. This would also plug up the security hole in cellular and
>cordless phones.
>

Oh great. Wonderful news. Nobody can listen in--except the feds. You believe that the feds offer the least threat to liberty of anyone, and I'm sure I do too. Glad that jerk won't be tapping my phone anymore.

-- 
------------------------------------------------------------------------------
John Hesse        | A man,
jhesse@netcom.com | a plan,
Moss Beach, Calif | a canal, Bob.
------------------------------------------------------------------------------

Newsgroup: sci.crypt
document_id: 15232
From: rboudrie@chpc.org (Rob Boudrie)
Subject: Re: White House Public Encryption Management Fact Sheet

>security of the key-escrow system. In making this decision, I do
>not intend to prevent the private sector from developing, or the
>government from approving, other microcircuits or algorithms that
>are equally effective in assuring both privacy and a secure key-
>escrow system.

Yeah, but does he intend to prevent the private sector from developing other applications that are equally effective in assuring privacy, but do not have a key escrow system?

Newsgroup: sci.crypt
document_id: 15233
Subject: Re: text of White House announcement and Q&As on clipper chip encryption
From: uni@acs.bu.edu (Shaen Bernhardt)

In article <1qmugcINNpu9@gap.caltech.edu> hal@cco.caltech.edu (Hal Finney) writes:
>The key question is whether non-Clipper encryption will be made illegal.
>
>> The Administration is not saying, "since encryption
>> threatens the public safety and effective law enforcement,
>> we will prohibit it outright" (as some countries have
>> effectively done); nor is the U.S. saying that "every
>> American, as a matter of right, is entitled to an
>> unbreakable commercial encryption product." There is a
>> false "tension" created in the assessment that this issue is
>> an "either-or" proposition. Rather, both concerns can be,
>> and in fact are, harmoniously balanced through a reasoned,
>> balanced approach such as is proposed with the "Clipper
>> Chip" and similar encryption techniques.
>
>The clear middle ground implied by these statements is to say that Americans
>have the right to Clipper encryption, but not to unbreakable encryption.
>This implies that, ultimately, non-Clipper strong encryption must become
>illegal.

[Text deleted, no value judgement implied]

>It's shocking and frightening to see that this is actually happening here.
>
>Hal Finney
>hal@alumni.caltech.edu

More than shocking. What this says to me is no less than that government is very interested in monitoring the public. This does more than scare me, it mortifies me. PGP and RIPEM must become widespread enough to resist what Mr. Finney has [IMHO correctly] identified as the next logical step. What was once an academic discussion with regard to concealing cyphertext, has now become a real consideration.

The rhetoric that the Clinton administration seems obsessed with, harmony, either or propositions, tension, tells me that they know how difficult it will be to sell this proposition. The phrase I hear more and more is "I can't believe this is actually happening here."

Call me conservative, Clinton was a huge mistake that we'll all be paying for tomorrow and many years from now.

Have we approached the age of speakeasy public key depositories?
uni (Dark)
-- 
uni@acs.bu.edu -> Public Keys by finger and/or request
Public Key Archives at 
Sovereignty is the sign of a brutal past.

Newsgroup: sci.crypt
document_id: 15234
From: hal@cco.caltech.edu (Hal Finney)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

brad@clarinet.com (Brad Templeton) writes:
>Their strategy is a business one rather than a legal one. They are
>pushing to get a standard in place, a secret standard, and if they
>get it as a standard then they will drive competitors out of the market.
>It will be legal to sell better, untappable encryption that doesn't have
>registered keys, but it will be difficult, and thus not a plan for
>most phone companies.

If Brad's analysis is correct, it may offer an explanation for why the encryption algorithm is being kept secret. This will prevent competitors from coming out with Clipper-compatible phones which lack the government-installed "back door." The strategy Brad describes will only work as long as the only way to get compatible phones is to have ones with the government chips.

(It would be nice, from the point of view of personal privacy, if Brad turns out to be right. As long as people still have the power to provide their own encryption in place of or in addition to the Clipper, privacy is still possible. But the wording of several passages in the announcement makes me doubt whether this will turn out to be true.)

Hal Finney

Newsgroup: sci.crypt
document_id: 15235
From: rboudrie@chpc.org (Rob Boudrie)
Subject: Re: The Old Key Registration Idea...

In article <1qn1ic$hp6@access.digex.net> pcw@access.digex.com (Peter Wayner) writes:
>Okay, let's suppose that the NSA/NIST/Mykotronix Registered
>Key system becomes standard and I'm able to buy such a system
>from my local radio shack. Every phone comes with a built in
>chip and the government has the key to every phone call.
>I go and buy a phone and dutifully register the key.
>
>What's to prevent me from swapping phones with a friend or
>buying a used phone at a garage sale? Whooa. The secret registered
>keys just became unsynchronized. When the government comes

It's very possible, even likely, that the serial number of the individual chip is broadcast either in a standard encrypted format, so that all the big brother types need to do is listen to the traffic, get a court order (generally just by saying that they think you may be a crook) and go to it.

r

>to listen in, they only receive gobbledy-gook because the
>secret key registered under my name isn't the right one.
>
>That leads me to conjecture that:
>
>1) The system isn't that secure. There are just two master keys
>that work for all the phones in the country. The part about
>registering your keys is just bogus.
>
>or
>
>2) The system is vulnerable to simple phone swapping attacks
>like this. Criminals will quickly figure this out and go to
>town.
>
>In either case, I think we need to look at this a bit deeper.

Newsgroup: sci.crypt
document_id: 15236
From: rboudrie@chpc.org (Rob Boudrie)
Subject: Why the algorithm is secret

My thoughts on why the algorithm is secret:

The chip is (regrettably) likely to become a standard. There will be many applications where economic factors dictate use of this chip, like it or not. If the algorithm is public, and the code is as secure (absent the access to escrowed keys) as represented, an enterprising sort would make "compatible crypto chips for which no key had been escrowed". This is likely what the release was referring to when they referred to the secrecy of the algorithm protecting the security of the escrow system.

rob boudrie

Newsgroup: sci.crypt
document_id: 15237
From: schneier@chinet.chi.il.us (Bruce Schneier)
Subject: ISSA '93 Conference

If there is anyone attending the ISSA conference in Arlington, VA next week, I would appreciate them getting in touch with me.
Bruce

Newsgroup: sci.crypt
document_id: 15238
From: brad@clarinet.com (Brad Templeton)
Subject: Re: How do they know what keys to ask for? (Re: Clipper)

The actual algorithm is classified, however, their main thrust here is for cellular phones, and encryption is only over the radio end, not end to end, I think. End to end will come later.

And of course you have to identify yourself to the phone company, and since the phone company complies with court orders, they will know the magic number of your chip when they sign out a warrant on you, and then can present the warrant to the key escrow house.
-- 
Brad Templeton, ClariNet Communications Corp. -- Sunnyvale, CA 408/296-0366

Newsgroup: sci.crypt
document_id: 15239
From: brad@clarinet.com (Brad Templeton)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

In article <1qnn7b$ddc@sol.TIS.COM> mjr@tis.com (Marcus J Ranum) writes:
> When you've got HRH Prince of Wales saying stupid things over
>cordless phones, it's not hard to imagine that drug dealers, child
>pornographers, commies, LISP programmers, and other threats to the
>civilized world might transact incriminating business over "encrypting"
>cellular phones.
>

Let's assume, for the moment, that the system really is secure unless you get both halves of the encryption key from the two independent escrow houses. Let's say you even trust the escrow houses -- one is the ACLU and the other is the EFF. (And I'm not entirely joking about those two names)

In that case the Prince of Wales has nothing to worry about on this system. Indeed, as pointed out, since the current systems, even the current digital systems, are very easy to decode -- right now anybody with an old TV can hear them -- for most people, this will be viewed as an "oh goody" step upwards. And look at how tolerant the public is. They're willing to let the neighbours with the radios hear right now.
It was suggested by one person that a *lot* of non-evidentiary wiretapping is going on right now without warrants, because anybody can do it and it's just an ECPA violation. This would stop that. All tapping would need a warrant, or a breach of security at the escrow houses.
-- 
Brad Templeton, ClariNet Communications Corp. -- Sunnyvale, CA 408/296-0366

Newsgroup: sci.crypt
document_id: 15240
From: brad@clarinet.com (Brad Templeton)
Subject: Once tapped, your code is no good any more.

It occurs to me that if they get a wiretap order on you, and the escrow houses release your code to the cops, your code is now no longer secure. It's in the hands of cops, and while I am sure most of the time they are good, their security will not be as good as the escrow houses.

What this effectively means is that if they perform a wiretap on you, at the end of the wiretap, they should be obligated to inform you that a tap was performed, and replace (for free) the clipper chip in your cellular phone so that it is once again a code known only to the escrow houses.

Do the police normally reveal every tap they do even if no charges are laid? In many ways, it would be a positive step if they had to. Judges set time limits on warrants, I assume. At the end of the time limit they should have to renew or replace your chip.

That's if we go with this scheme, which I am not sure I agree with.
-- 
Brad Templeton, ClariNet Communications Corp. -- Sunnyvale, CA 408/296-0366

Newsgroup: sci.crypt
document_id: 15241
From: amanda@intercon.com (Amanda Walker)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

jhesse@netcom.com (John Hesse) writes:
> Oh great. Wonderful news. Nobody can listen in--except the feds.

Hey, it's better than the status quo. I am far less worried about "the feds" tapping my phone than high school scanner surfers who get their kicks out of eavesdropping on cellular and cordless phone calls.
It would be stupid to rely on even a "Clipperized" channel for truly sensitive material, but it *does* seem to finally offer a reasonable way to guard against casual eavesdropping. For example, even with my strong "right to bear arms" view of the private right to possess and use strong cryptosystems, the system as described provides enough security that I would actually buy a cordless phone, and would be much less wary of using cellular phones, walkie-talkies, and so on.

As long as it's only used for mass-market voice scrambling, I actually don't see a problem with it. If you want more security than it offers, use something different. Use PKCS for electronic mail, CELP over DES or triple DES with Diffie-Hellman key exchange for your voice traffic, or whatever.

And yes, I'd rather just see all crypto restrictions lifted, but this is at least an incremental improvement for certain applications...

Amanda Walker
InterCon Systems Corporation

Newsgroup: sci.crypt
document_id: 15242
From: amanda@intercon.com (Amanda Walker)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

In article <115713@bu.edu>, uni@acs.bu.edu (Shaen Bernhardt) writes:
> More than shocking. What this says to me is no less than that
> government is very interested in monitoring the public. This does more
> than scare me, it mortifies me.

If this is any surprise to you, *I'm* shocked.

Amanda Walker
InterCon Systems Corporation

Newsgroup: sci.crypt
document_id: 15243
From: crypt-comments@math.ncsu.edu
Subject: Cryptography FAQ 01/10 - Overview

Archive-name: cryptography-faq/part01
Last-modified: 1993/4/15

FAQ for sci.crypt, part 1: Overview

This is the first of ten parts of the sci.crypt FAQ. The parts are mostly independent, but you should read this part before the rest. We don't have the time to send out missing parts by mail, so don't ask. Notes such as ``[KAH67]'' refer to the reference list in the last part.
Disclaimer: This document is the product of the Crypt Cabal, a secret society which serves the National Secu---uh, no. Seriously, we're the good guys, and we've done what we can to ensure the completeness and accuracy of this document, but in a field of military and commercial importance like cryptography you have to expect that some people and organizations consider their interests more important than open scientific discussion. Trust only what you can verify firsthand. And don't sue us.

Many people have contributed to this FAQ. In alphabetical order: Eric Bach, Steve Bellovin, Dan Bernstein, Nelson Bolyard, Carl Ellison, Jim Gillogly, Mike Gleason, Doug Gwyn, Luke O'Connor, Tony Patti, William Setzer. We apologize for any omissions.

If you have suggestions, comments, or criticism, please let the current editors know by sending e-mail to crypt-comments@math.ncsu.edu. We don't assume that this FAQ is at all complete at this point.

Archives: sci.crypt has been archived since October 1991 on cl-next2.cl.msu.edu, though these archives are available only to U.S. and Canadian users. Please contact crypt-comments@math.ncsu.edu if you know of other archives.

The sections of this FAQ are available via anonymous FTP to rtfm.mit.edu as /pub/usenet/news.answers/cryptography-faq/part[xx]. The Cryptography FAQ is posted to the newsgroups sci.crypt, sci.answers, and news.answers every 21 days.

Table of contents:

1 Overview

2 Net Etiquette
* What groups are around? What's a FAQ? Who am I? Why am I here?
* Do political discussions belong in sci.crypt?
* How do I present a new encryption scheme in sci.crypt?

3 Basic Cryptology
* What is cryptology? Cryptography? Plaintext? Ciphertext? Encryption? Key?
* What references can I start with to learn cryptology?
* How does one go about cryptanalysis?
* What is a brute-force search and what is its cryptographic relevance?
* What are some properties satisfied by every strong cryptosystem?
* If a cryptosystem is theoretically unbreakable, then is it guaranteed analysis-proof in practice?
* Why are many people still using cryptosystems that are relatively easy to break?

4 Mathematical Cryptology
* In mathematical terms, what is a private-key cryptosystem?
* What is an attack?
* What's the advantage of formulating all this mathematically?
* Why is the one-time pad secure?
* What's a ciphertext-only attack?
* What's a known-plaintext attack?
* What's a chosen-plaintext attack?
* In mathematical terms, what can you say about brute-force attacks?
* What's a key-guessing attack? What's entropy?

5 Product ciphers
* What is a product cipher?
* What makes a product cipher secure?
* What are some group-theoretic properties of product ciphers?
* What can be proven about the security of a product cipher?
* How are block ciphers used to encrypt data longer than the block size?
* Can symmetric block ciphers be used for message authentication?
* What exactly is DES?
* What is triple DES?
* What is differential cryptanalysis?
* How was NSA involved in the design of DES?
* Is DES available in software?
* Is DES available in hardware?
* Can DES be used to protect classified information?
* What are "ECB", "CBC", "CFB", and "OFB" encryption?

6 Public-Key Cryptography
* What is public-key cryptography?
* What's RSA?
* Is RSA secure?
* How fast can people factor numbers?
* What about other public-key cryptosystems?

7 Digital Signatures and Hash Functions
* What is a one-way hash function?
* What is the difference between public, private, secret, shared, etc.?
* What are MD4 and MD5?
* What is Snefru?

8 Technical Miscellany
* How do I recover from lost passwords in WordPerfect?
* How do I break a Vigenere (repeated-key) cipher?
* How do I send encrypted mail under UNIX? [PGP, RIPEM, PEM, ...]
* Is the UNIX crypt command secure?
* How do I use compression with encryption?
* Is there an unbreakable cipher?
* What does ``random'' mean in cryptography?
* What is the unicity point (a.k.a. unicity distance)?
* What is key management and why is it important?
* Can I use pseudo-random or chaotic numbers as a key stream?
* What is the correct frequency list for English letters?
* What is the Enigma?
* How do I shuffle cards?
* Can I foil S/W pirates by encrypting my CD-ROM?
* Can you do automatic cryptanalysis of simple ciphers?
* What is the coding system used by VCR+?

9 Other Miscellany
* What is the National Security Agency (NSA)?
* What are the US export regulations?
* What is TEMPEST?
* What are the Beale Ciphers, and are they a hoax?
* What is the American Cryptogram Association, and how do I get in touch?
* Is RSA patented?
* What about the Voynich manuscript?

10 References
* Books on history and classical methods
* Books on modern methods
* Survey articles
* Reference articles
* Journals, conference proceedings
* Other
* How may one obtain copies of FIPS and ANSI standards cited herein?
* Electronic sources
* RFCs (available from [FTPRF])
* Related newsgroups

Newsgroup: sci.crypt
document_id: 15244
From: crypt-comments@math.ncsu.edu
Subject: Cryptography FAQ 04/10 - Mathematical Cryptology

Archive-name: cryptography-faq/part04
Last-modified: 1993/4/15

FAQ for sci.crypt, part 4: Mathematical Cryptology

This is the fourth of ten parts of the sci.crypt FAQ. The parts are mostly independent, but you should read the first part before the rest. We don't have the time to send out missing parts by mail, so don't ask. Notes such as ``[KAH67]'' refer to the reference list in the last part.

The sections of this FAQ are available via anonymous FTP to rtfm.mit.edu as /pub/usenet/news.answers/cryptography-faq/part[xx]. The Cryptography FAQ is posted to the newsgroups sci.crypt, sci.answers, and news.answers every 21 days.

Contents:
* In mathematical terms, what is a private-key cryptosystem?
* What is an attack?
* What's the advantage of formulating all this mathematically?
* Why is the one-time pad secure?
* What's a ciphertext-only attack?
* What's a known-plaintext attack?
* What's a chosen-plaintext attack?
* In mathematical terms, what can you say about brute-force attacks?
* What's a key-guessing attack? What's entropy?

* In mathematical terms, what is a private-key cryptosystem?

A private-key cryptosystem consists of an encryption system E and a decryption system D. The encryption system E is a collection of functions E_K, indexed by ``keys'' K, mapping some set of ``plaintexts'' P to some set of ``ciphertexts'' C. Similarly the decryption system D is a collection of functions D_K such that D_K(E_K(P)) = P for every plaintext P. That is, successful decryption of ciphertext into plaintext is accomplished using the same key (index) as was used for the corresponding encryption of plaintext into ciphertext. Such systems, wherein the same key value is used to encrypt and decrypt, are also known as ``symmetric'' cryptosystems.

* What is an attack?

In intuitive terms a (passive) attack on a cryptosystem is any method of starting with some information about plaintexts and their corresponding ciphertexts under some (unknown) key, and figuring out more information about the plaintexts.

It's possible to state mathematically what this means. Here we go.

Fix functions F, G, and H of n variables. Fix an encryption system E, and fix a distribution of plaintexts and keys.

An attack on E using G assuming F giving H with probability p is an algorithm A with a pair f, g of inputs and one output h, such that there is probability p of computing h = H(P_1,...,P_n), if we have f = F(P_1,...,P_n) and g = G(E_K(P_1),...,E_K(P_n)). Note that this probability depends on the distribution of the vector (K,P_1,...,P_n).

The attack is trivial (or ``pointless'') if there is probability at least p of computing h = H(P_1,...,P_n) if f = F(P_1,...,P_n) and g = G(C_1,...,C_n). Here C_1,...,C_n range uniformly over the possible ciphertexts, and have no particular relation to P_1,...,P_n.
In other words, an attack is trivial if it doesn't actually use the encryptions E_K(P_1),...,E_K(P_n). An attack is called ``one-ciphertext'' if n = 1, ``two-ciphertext'' if n = 2, and so on. * What's the advantage of formulating all this mathematically? In basic cryptology you can never prove that a cryptosystem is secure. Read part 3: we keep saying ``a strong cryptosystem must have this property, but having this property is no guarantee that a cryptosystem is strong!'' In contrast, the purpose of mathematical cryptology is to precisely formulate and, if possible, prove the statement that a cryptosystem is strong. We say, for example, that a cryptosystem is secure against all (passive) attacks if any nontrivial attack against the system (as defined above) is too slow to be practical. If we can prove this statement then we have confidence that our cryptosystem will resist any (passive) cryptanalytic technique. If we can reduce this statement to some well-known unsolved problem then we still have confidence that the cryptosystem isn't easy to break. Other parts of cryptology are also amenable to mathematical definition. Again the point is to explicitly identify what assumptions we're making and prove that they produce the desired results. We can figure out what it means for a particular cryptosystem to be used properly: it just means that the assumptions are valid. The same methodology is useful for cryptanalysis too. The cryptanalyst can take advantage of incorrect assumptions. Often he can try to construct a proof of security for a system, see where the proof fails, and use these failures as the starting points for his analysis. * Why is the one-time pad secure? By definition, the one-time pad is a cryptosystem where the plaintexts, ciphertexts, and keys are all strings (say byte strings) of some length m, and E_K(P) is just the sum (let's say the exclusive or) of K and P. 
It is easy to prove mathematically that there are _no_ nontrivial single-ciphertext attacks on the one-time pad, assuming a uniform distribution of keys. Note that we don't have to assume a uniform distribution of plaintexts. (Here's the proof: Let A be an attack, i.e., an algorithm taking two inputs f, g and producing one output h, with some probability p that h = H(P) whenever f = F(P) and g = G(E_K(P)) (i.e., g = G(K + P)). Then, because the distribution of K is uniform and independent of P, the distribution of K + P must also be uniform and independent of P. But also the distribution of C is uniform and independent of P. Hence there is probability exactly p that h = H(P) whenever f = F(P) and g = G(C), over all P and C. Thus a fortiori A is trivial.) On the other hand the one-time pad is _not_ secure if a key K is used for more than one plaintext: i.e., there are nontrivial multiple-ciphertext attacks. So to be properly used a key K must be thrown away after one encryption. The key is also called a ``pad''; this explains the name ``one-time pad.'' * What's a ciphertext-only attack? In the notation above, a ciphertext-only attack is one where F is constant. Given only some information G(E_K(P_1),...,E_K(P_n)) about n ciphertexts, the attack has to have some chance of producing some information H(P_1,...,P_n) about the plaintexts. The attack is trivial if it has just as good a chance of producing H(P_1,...,P_n) when given G(C_1,...,C_n) for random C_1,...,C_n. For example, say G(C) = C, and say H(P) is the first bit of P. We can easily write down an attack---the ``guessing attack,'' which simply guesses that H(P) is 1. This attack is trivial because it doesn't use the ciphertext: it has a fifty-fifty chance of guessing correctly no matter what. On the other hand there is an attack on RSA which produces one bit of information about P, with 100% success, using C. If it is fed a random C then the success rate drops to 50%. So this is a nontrivial attack. 
* What's a known-plaintext attack?

The classic known-plaintext attack has F(P_1,P_2) = P_1, G(C_1,C_2) = (C_1,C_2), and H(P_1,P_2) depending only on P_2. In other words, given two ciphertexts C_1 and C_2 and one decryption P_1, the known-plaintext attack should produce information about the other decryption P_2.

Note that known-plaintext attacks are often defined in the literature as producing information about the key, but this is pointless: the cryptanalyst generally cares about the key only insofar as it lets him decrypt further messages.

* What's a chosen-plaintext attack?

A chosen-plaintext attack is the first of an increasingly impractical series of _active_ attacks on a cryptosystem: attacks where the cryptanalyst feeds data to the encryptor. These attacks don't fit into our model of passive attacks explained above. Anyway, a chosen-plaintext attack lets the cryptanalyst choose a plaintext and look at the corresponding ciphertext, then repeat until he has figured out how to decrypt any message. More absurd examples of this sort of attack are the ``chosen-key attack'' and ``chosen-system attack.''

A much more important form of active attack is a message corruption attack, where the attacker tries to change the ciphertext in such a way as to make a useful change in the plaintext.

There are many easy ways to throw kinks into all of these attacks: for instance, automatically encrypting any plaintext P as T,E_K(h(T+R+P),R,P), where T is a time-key (sequence number) chosen anew for each message, R is a random number, and h is a one-way hash function. Here comma means concatenation and plus means exclusive-or.

* In mathematical terms, what can you say about brute-force attacks?

Consider the following known-plaintext attack. We are given some plaintexts P_1,...,P_{n-1} and ciphertexts C_1,...,C_{n-1}. We're also given a ciphertext C_n. We run through every key K. When we find K such that E_K(P_i) = C_i for every i < n, we print D_K(C_n).
If n is big enough that only one key works, this attack will succeed on valid inputs all the time, while it will produce correct results only once in a blue moon for random inputs. Thus this is a nontrivial attack. Its only problem is that it is very slow if there are many possible keys.

* What's a key-guessing attack? What's entropy?

Say somebody is using the one-time pad---but isn't choosing keys randomly and uniformly from all m-bit messages, as he was supposed to for our security proof. In fact say he's known to prefer keys which are English words. Then a cryptanalyst can run through all English words as possible keys. This attack will often succeed, and it's much faster than a brute-force search of the entire keyspace.

We can measure how bad a key distribution is by calculating its entropy. This number E is the number of ``real bits of information'' of the key: a cryptanalyst will typically happen across the key within 2^E guesses. E is defined as the sum of -p_K log_2 p_K, where p_K is the probability of key K.

Newsgroup: sci.crypt
document_id: 15245
From: crypt-comments@math.ncsu.edu
Subject: Cryptography FAQ 08/10 - Technical Miscellany
Archive-name: cryptography-faq/part08
Last-modified: 1993/4/15

FAQ for sci.crypt, part 8: Technical Miscellany

This is the eighth of ten parts of the sci.crypt FAQ. The parts are mostly independent, but you should read the first part before the rest. We don't have the time to send out missing parts by mail, so don't ask. Notes such as ``[KAH67]'' refer to the reference list in the last part.

The sections of this FAQ are available via anonymous FTP to rtfm.mit.edu as /pub/usenet/news.answers/cryptography-faq/part[xx]. The Cryptography FAQ is posted to the newsgroups sci.crypt, sci.answers, and news.answers every 21 days.

Contents

* How do I recover from lost passwords in WordPerfect?
* How do I break a Vigenere (repeated-key) cipher?
* How do I send encrypted mail under UNIX? [PGP, RIPEM, PEM, ...]
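The entropy definition above says nothing about how an attacker actually orders the guesses, so here is an added example (not part of the FAQ) that computes E = sum of -p_K log_2 p_K for a key distribution, the number of guesses needed to hit the key with 50% probability when keys are tried most-probable-first, and the mean number of guesses. The two key distributions (a uniform 16-bit key and a user who puts half the probability mass on eight favourite keys) are constructed for the example; the FAQ's "within 2^E guesses" is a statement about the typical case, and the mean can be much larger when a few keys dominate.

```python
"""Entropy of a key distribution versus the cost of a key-guessing attack.

Added example, not code from the sci.crypt FAQ. The distributions below are
constructed: `uniform_keys` is an honest b-bit key, `favourite_keys` models
someone who usually picks from a short list of preferred keys.
"""
from math import log2


def entropy_bits(dist):
    """E = sum(-p_K * log2(p_K)) over all keys K with nonzero probability."""
    return -sum(p * log2(p) for p in dist.values() if p > 0)


def guesses_for_success(dist, target=0.5):
    """Number of guesses, trying keys most-probable-first, until the attacker
    has found the key with probability at least `target` (the median when
    target=0.5). This is the 'typical' cost the FAQ's 2^E refers to."""
    cumulative = 0.0
    for rank, p in enumerate(sorted(dist.values(), reverse=True), start=1):
        cumulative += p
        if cumulative >= target:
            return rank
    return len(dist)


def expected_guesses(dist):
    """Mean number of guesses, trying keys most-probable-first: sum of rank * p."""
    ranked = sorted(dist.values(), reverse=True)
    return sum(rank * p for rank, p in enumerate(ranked, start=1))


def uniform_keys(bits):
    """Every one of the 2^bits keys equally likely: entropy is exactly `bits`."""
    n = 1 << bits
    return {k: 1.0 / n for k in range(n)}


def favourite_keys(bits, favourites, favourite_mass):
    """Constructed skewed distribution: `favourites` share `favourite_mass`
    equally, the remaining keys share what is left uniformly."""
    n = 1 << bits
    rest = (1.0 - favourite_mass) / (n - len(favourites))
    dist = {k: rest for k in range(n)}
    for k in favourites:
        dist[k] = favourite_mass / len(favourites)
    return dist


def compare(bits=16):
    """Summarise both distributions as (entropy, median guesses, mean guesses)."""
    honest = uniform_keys(bits)
    lazy = favourite_keys(bits, favourites=list(range(8)), favourite_mass=0.5)
    return {
        "uniform": (entropy_bits(honest), guesses_for_success(honest), expected_guesses(honest)),
        "favourites": (entropy_bits(lazy), guesses_for_success(lazy), expected_guesses(lazy)),
    }


if __name__ == "__main__":
    for name, (e, median, mean) in compare().items():
        print(f"{name:10s} entropy={e:6.2f} bits  2^E={2**e:10.1f}  "
              f"median guesses={median:6d}  mean guesses={mean:10.1f}")
```

Running it shows the uniform key at 16 bits of entropy and 2^15 median guesses, while the "favourite keys" user drops to about 10.5 bits and is found within 8 guesses half of the time, even though the mean stays high because the unlucky half of the key space is still large.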
* Is the UNIX crypt command secure?
* How do I use compression with encryption?
* Is there an unbreakable cipher?
* What does ``random'' mean in cryptography?
* What is the unicity point (a.k.a. unicity distance)?
* What is key management and why is it important?
* Can I use pseudo-random or chaotic numbers as a key stream?
* What is the correct frequency list for English letters?
* What is the Enigma?
* How do I shuffle cards?
* Can I foil S/W pirates by encrypting my CD-ROM?
* Can you do automatic cryptanalysis of simple ciphers?
* What is the coding system used by VCR+?

* How do I recover from lost passwords in WordPerfect?

WordPerfect encryption has been shown to be very easy to break. The method uses XOR with two repeating key streams: a typed password and a byte-wide counter initialized to 1+. Full descriptions are given in Bennett [BEN87] and Bergen and Caelli [BER91].

Chris Galas writes: ``Someone a while back was looking for a way to decrypt WordPerfect document files and I think I have a solution. There is a software company named: Accessdata (87 East 600 South, Orem, UT 84058), 1-800-658-5199 that has a software package that will decrypt any WordPerfect, Lotus 1-2-3, Quattro Pro, MS Excel and Paradox files. The cost of the package is $185. Steep prices, but if you think your pw key is less than 10 characters, (or 10 char) give them a call and ask for the free demo disk. The demo disk will decrypt files that have a 10 char or less pw key.''

* How do I break a Vigenere (repeated-key) cipher?

A repeated-key cipher, where the ciphertext is something like the plaintext xor KEYKEYKEYKEY (and so on), is called a Vigenere cipher. If the key is not too long and the plaintext is in English, do the following:

1. Discover the length of the key by counting coincidences. (See Gaines [GAI44], Sinkov [SIN66].) Trying each displacement of the ciphertext against itself, count those bytes which are equal.
If the two ciphertext portions have used the same key, something over 6% of the bytes will be equal. If they have used different keys, then less than 0.4% will be equal (assuming random 8-bit bytes of key covering normal ASCII text). The smallest displacement which indicates an equal key is the length of the repeated key.

2. Shift the text by that length and XOR it with itself. This removes the key and leaves you with text XORed with itself. Since English has about 1 bit of real information per byte, 2 streams of text XORed together have 2 bits of info per 8-bit byte, providing plenty of redundancy for choosing a unique decryption. (And in fact one stream of text XORed with itself has just 1 bit per byte.)

If the key is short, it might be even easier to treat this as a standard polyalphabetic substitution. All the old cryptanalysis texts show how to break those. It's possible with those methods, in the hands of an expert, if there's only ten times as much text as key. See, for example, Gaines [GAI44], Sinkov [SIN66].

* How do I send encrypted mail under UNIX? [PGP, RIPEM, PEM, ...]

Here's one popular method, using the des command:

cat file | compress | des private_key | uuencode | mail

Meanwhile, there is a de jure Internet standard in the works called PEM (Privacy Enhanced Mail). It is described in RFCs 1421 through 1424. To join the PEM mailing list, contact pem-dev-request@tis.com. There is a beta version of PEM being tested at the time of this writing.

There are also two programs available in the public domain for encrypting mail: PGP and RIPEM. Both are available by FTP. Each has its own newsgroup: alt.security.pgp and alt.security.ripem. Each has its own FAQ as well.

PGP is most commonly used outside the USA since it uses the RSA algorithm without a license and RSA's patent is valid only (or at least primarily) in the USA.
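The two steps above, as an added example that is not part of the FAQ: a constructed English sample is XORed with a repeated key, step 1 counts coincidences at each displacement to find the period, and step 2 XORs the ciphertext with itself shifted by that period so the key cancels. The same calculation is what makes the key-reuse warning in the one-time pad section of part 4 concrete: once the key drops out, what remains is plaintext XORed with plaintext. The plaintext, the key `PLASTIC` and the search bound `MAX_PERIOD` are assumptions of the example; the FAQ's 0.4% floor is for random 8-bit key bytes, and with a key made of letters the floor is somewhat higher, so the code picks the displacement with the highest coincidence rate rather than the first one over a fixed threshold.

```python
"""Period of a repeated-key XOR (Vigenere) cipher by counting coincidences.

Added example, not code from the sci.crypt FAQ. PLAINTEXT, KEY and
MAX_PERIOD are constructed for the demonstration.
"""

# Constructed English sample: lowercase letters and spaces, no punctuation.
PLAINTEXT = (
    b"the enemy knows the system and lacks only the key so the key must be chosen "
    b"at random and changed often enough that the traffic it covers stays small "
    b"a key used once and thrown away gives the one time pad its security while "
    b"a key that repeats every few bytes turns the cipher into a simple periodic "
    b"substitution which counting coincidences will expose in a handful of lines "
    b"of text the same counting trick finds the period of any repeated key stream "
    b"whether it is applied with exclusive or or by adding letters modulo the size "
    b"of the alphabet good key management therefore means generating keys from a "
    b"source with enough entropy distributing them over a channel the enemy cannot "
    b"read and retiring them before the redundancy of the plaintext gives the "
    b"analyst a wedge"
)
KEY = b"PLASTIC"   # seven distinct letters, repeated over the whole message
MAX_PERIOD = 12    # assumed upper bound on the key length worth testing


def xor_repeated_key(data: bytes, key: bytes) -> bytes:
    """Encrypt (and, being XOR, decrypt) with the key repeated to cover `data`."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def coincidence_rate(ct: bytes, d: int) -> float:
    """FAQ step 1: fraction of positions i where ct[i] == ct[i + d].

    At a multiple of the period both bytes were XORed with the same key byte,
    so they agree exactly when the plaintext bytes agree (several percent for
    English); elsewhere agreement is rare."""
    pairs = len(ct) - d
    return sum(ct[i] == ct[i + d] for i in range(pairs)) / pairs


def coincidence_profile(ct: bytes, max_period: int) -> dict:
    """Coincidence rate for every displacement 1..max_period."""
    return {d: coincidence_rate(ct, d) for d in range(1, max_period + 1)}


def guess_period(ct: bytes, max_period: int) -> int:
    """Displacement with the highest coincidence rate within the bound."""
    profile = coincidence_profile(ct, max_period)
    return max(profile, key=profile.get)


def strip_key(ct: bytes, period: int) -> bytes:
    """FAQ step 2: XOR the ciphertext with itself shifted by the period.

    ct[i] ^ ct[i+period] == (p[i] ^ k) ^ (p[i+period] ^ k) == p[i] ^ p[i+period],
    so the key is gone and only plaintext-XOR-plaintext remains."""
    return bytes(ct[i] ^ ct[i + period] for i in range(len(ct) - period))


if __name__ == "__main__":
    ct = xor_repeated_key(PLAINTEXT, KEY)
    for d, rate in coincidence_profile(ct, MAX_PERIOD).items():
        print(f"displacement {d:2d}: {100 * rate:5.2f}% equal bytes")
    period = guess_period(ct, MAX_PERIOD)
    print("guessed key length:", period, "(true:", len(KEY), ")")
    print("key removed, residual bytes:", len(strip_key(ct, period)))
```

The printed profile shows a spike at displacement 7 and a low floor elsewhere; spaces help a lot, because a space XORed with a letter is never equal to the XOR of two key letters, so spaces only ever coincide at true multiples of the period.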
RIPEM is most commonly used inside the USA since it uses RSAREF, which is freely available within the USA but not available for shipment outside the USA.

Since both programs use a secret key algorithm for encrypting the body of the message (PGP uses IDEA; RIPEM uses DES) and RSA for encrypting the message key, they should be able to interoperate freely. Although there have been repeated calls for each to understand the other's formats and algorithm choices, no interoperation is available at this time (as far as we know).

* Is the UNIX crypt command secure?

No. See [REE84]. There is a program available called cbw (crypt breaker's workbench) which can be used to do ciphertext-only attacks on files encrypted with crypt. One source for CBW is [FTPCB].

* How do I use compression with encryption?

A number of people have proposed doing perfect compression followed by some simple encryption method (e.g., XOR with a repeated key). Unfortunately, you can only compress perfectly if you know the exact distribution of possible inputs. For all practical purposes it's impossible to describe ``the typical English text'' beyond coarse characteristics such as single-letter frequencies. You can build up more and more sophisticated models of your inputs, but if the enemy has a slightly more accurate model, he'll be able to find some redundancy in your compressed output.

Note that nearly all practical compression schemes, unless they have been designed with cryptography in mind, produce output that actually starts off with high redundancy. For example, the output of UNIX compress begins with a well-known three-byte ``magic number'' that can serve as an entering wedge for cryptanalysis.

This is not to say that compression before encryption is inherently a bad idea; it just has to be done very, very carefully, and by no means removes the need for strong encryption. Compression after encryption is silly.

* Is there an unbreakable cipher?

Yes.
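The ``magic number'' wedge, as an added example that is not from the FAQ: it uses gzip rather than UNIX compress (gzip streams start with the fixed bytes 1f 8b 08, the two ID bytes and the deflate method byte), compresses a constructed message, encrypts it with the same weak repeated-key XOR the FAQ warns about, and shows that the known header hands an analyst the first three key bytes for free. The key `SECRET` and the message are assumptions of the example; the point is that a fixed prefix in the plaintext is known plaintext, whatever cipher follows.

```python
"""Why compressed output is known plaintext: the gzip header under a weak cipher.

Added example, not code from the sci.crypt FAQ. The message and the key are
constructed; the cipher is the repeated-key XOR the FAQ itself uses as its
example of a 'simple encryption method'.
"""
import gzip

# Every gzip stream starts with ID1=0x1f, ID2=0x8b and CM=8 (deflate).
GZIP_MAGIC = b"\x1f\x8b\x08"


def xor_repeated_key(data: bytes, key: bytes) -> bytes:
    """The FAQ's 'XOR with a repeated key': same function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def compress_then_encrypt(message: bytes, key: bytes) -> bytes:
    """Compress first, then apply the weak cipher (the order the FAQ discusses)."""
    return xor_repeated_key(gzip.compress(message, mtime=0), key)


def key_bytes_from_known_prefix(ciphertext: bytes, known_prefix: bytes) -> bytes:
    """Known-plaintext step: ciphertext XOR known plaintext reveals the key
    bytes that covered the prefix. Needs nothing but the fixed header."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_prefix))


def leaked_key_bits(ciphertext: bytes, known_prefix: bytes) -> int:
    """How many key bits the fixed header gives away outright."""
    return 8 * min(len(ciphertext), len(known_prefix))


if __name__ == "__main__":
    message = b"meet at the usual place, bring the documents " * 8   # constructed
    key = b"SECRET"                                                  # constructed
    ct = compress_then_encrypt(message, key)
    recovered = key_bytes_from_known_prefix(ct, GZIP_MAGIC)
    print("first key bytes recovered from the gzip header:", recovered)
    print("key bits leaked by the header alone:", leaked_key_bits(ct, GZIP_MAGIC))
```

With a real block cipher the header is still known plaintext, which is harmless against a sound cipher but is exactly the kind of foothold the FAQ means by ``entering wedge'' against a weak one; the fix is not to avoid compression but to use a cipher that does not care whether the analyst knows the first few bytes.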
The one-time pad is unbreakable; see part 4. Unfortunately the one-time pad requires secure distribution of as much key material as plaintext.

Of course, a cryptosystem need not be utterly unbreakable to be useful. Rather, it needs to be strong enough to resist attacks by likely enemies for whatever length of time the data it protects is expected to remain valid.

* What does ``random'' mean in cryptography?

Cryptographic applications demand much more out of a pseudorandom number generator than most applications. For a source of bits to be cryptographically random, it must be computationally impossible to predict what the Nth random bit will be given complete knowledge of the algorithm or hardware generating the stream and the sequence of 0th through N-1st bits, for all N up to the lifetime of the source.

A software generator (also known as pseudo-random) has the function of expanding a truly random seed to a longer string of apparently random bits. This seed must be large enough not to be guessed by the opponent. Ideally, it should also be truly random (perhaps generated by a hardware random number source).

Those who have Sparcstation 1 workstations could, for example, generate random numbers using the audio input device as a source of entropy, by not connecting anything to it. For example,

cat /dev/audio | compress - >foo

gives a file of high entropy (not random but with much randomness in it). One can then encrypt that file using part of itself as a key, for example, to convert that seed entropy into a pseudo-random string.

When looking for hardware devices to provide this entropy, it is important really to measure the entropy rather than just assume that because it looks complicated to a human, it must be "random". For example, disk operation completion times sound like they might be unpredictable (to many people) but a spinning disk is much like a clock and its output completion times are relatively low in entropy.

* What is the unicity point (a.k.a. unicity distance)?

See [SHA49]. The unicity distance is an approximation to that amount of ciphertext such that the sum of the real information (entropy) in the corresponding source text and encryption key equals the number of ciphertext bits used. Ciphertexts significantly longer than this can be shown probably to have a unique decipherment. This is used to back up a claim of the validity of a ciphertext-only cryptanalysis. Ciphertexts significantly shorter than this are likely to have multiple, equally valid decryptions and therefore to gain security from the opponent's difficulty choosing the correct one.

Unicity distance, like all statistical or information-theoretic measures, does not make deterministic predictions but rather gives probabilistic results: namely, the minimum amount of ciphertext for which it is likely that there is only a single intelligible plaintext corresponding to the ciphertext, when all possible keys are tried for the decryption. Working cryptologists don't normally deal with unicity distance as such. Instead they directly determine the likelihood of events of interest.

Let the unicity distance of a cipher be D characters. If fewer than D ciphertext characters have been intercepted, then there is not enough information to distinguish the real key from a set of possible keys. DES has a unicity distance of 17.5 characters, which is less than 3 ciphertext blocks (each block corresponds to 8 ASCII characters). This may seem alarmingly low at first, but the unicity distance gives no indication of the computational work required to find the key after approximately D characters have been intercepted. In fact, actual cryptanalysis seldom proceeds along the lines used in discussing unicity distance. (Like other measures such as key size, unicity distance is something that guarantees insecurity if it's too small, but doesn't guarantee security if it's high.)
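The unicity distance worked out in code, as an added example that is not part of the FAQ. Shannon's estimate is D = H(K) / R, where H(K) is the key entropy in bits and R the redundancy of the plaintext per character (log_2 of the alphabet size minus the entropy per character); the FAQ's 17.5 characters for DES comes out if one assumes a 56-bit key, a 26-letter alphabet and about 1.5 bits of information per letter of English, and the code also gives the companion estimate of how many wrong keys still produce plausible-looking text after n characters. The 26-letter/1.5-bit model and the 8-bit-byte/1-bit model are assumptions of the example, not figures stated by the FAQ (which only gives the 17.5 result and the "about 1 bit per byte" remark in the Vigenere section).

```python
"""Unicity distance and spurious keys, after Shannon [SHA49].

Added example, not code from the sci.crypt FAQ. The plaintext models
(alphabet size and entropy per character) are assumptions stated in the
function calls below.
"""
from math import log2


def redundancy_per_char(alphabet_size: int, entropy_per_char: float) -> float:
    """R = log2(|alphabet|) - H(plaintext character): bits per character that
    a ciphertext-only analyst can use to reject wrong decryptions."""
    return log2(alphabet_size) - entropy_per_char


def unicity_distance(key_bits: float, alphabet_size: int, entropy_per_char: float) -> float:
    """D = H(K) / R: ciphertext length at which the plaintext's redundancy
    has, on average, eaten all the uncertainty in the key."""
    return key_bits / redundancy_per_char(alphabet_size, entropy_per_char)


def expected_spurious_keys(key_bits: float, alphabet_size: int,
                           entropy_per_char: float, n_chars: int) -> float:
    """Shannon's estimate of wrong keys that still decrypt n characters to
    plausible text: about 2^(H(K) - n*R) - 1, never below zero."""
    r = redundancy_per_char(alphabet_size, entropy_per_char)
    return max(2.0 ** (key_bits - n_chars * r) - 1.0, 0.0)


def des_table(model=(26, 1.5), lengths=(8, 16, 24, 32)):
    """Spurious-key estimates for DES (56-bit key) at several ciphertext
    lengths under the given plaintext model."""
    alphabet, h = model
    return {n: expected_spurious_keys(56, alphabet, h, n) for n in lengths}


if __name__ == "__main__":
    # Assumed model: 26-letter alphabet, ~1.5 bits of information per letter.
    print(f"DES, 26 letters @1.5 bits: D = {unicity_distance(56, 26, 1.5):.1f} chars")
    # Assumed model: 8-bit bytes carrying ~1 bit of information each.
    print(f"DES, bytes @1 bit:          D = {unicity_distance(56, 256, 1.0):.1f} chars")
    for n, spurious in des_table().items():
        print(f"  after {n:2d} chars: ~{spurious:.3g} spurious keys")
```

The table makes the FAQ's caveat visible: after one 8-character block there are still around 2^30 keys that yield plausible text, after three blocks essentially none, yet the computation needed to find the right one among 2^56 is unchanged either way.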
Few practical cryptosystems are absolutely impervious to analysis; all manner of characteristics might serve as entering ``wedges'' to crack some cipher messages. However, similar information-theoretic considerations are occasionally useful, for example, to determine a recommended key change interval for a particular cryptosystem. Cryptanalysts also employ a variety of statistical and information-theoretic tests to help guide the analysis in the most promising directions. Unfortunately, most literature on the application of information statistics to cryptanalysis remains classified, even the seminal 1940 work of Alan Turing (see [KOZ84]). For some insight into the possibilities, see [KUL68] and [GOO83]. * What is key management and why is it important? One of the fundamental axioms of cryptography is that the enemy is in full possession of the details of the general cryptographic system, and lacks only the specific key data employed in the encryption. (Of course, one would assume that the CIA does not make a habit of telling Mossad about its cryptosystems, but Mossad probably finds out anyway.) Repeated use of a finite amount of key provides redundancy that can eventually facilitate cryptanalytic progress. Thus, especially in modern communication systems where vast amounts of information are transferred, both parties must have not only a sound cryptosystem but also enough key material to cover the traffic. Key management refers to the distribution, authentication, and handling of keys. A publicly accessible example of modern key management technology is the STU III secure telephone unit, which for classified use employs individual coded ``Crypto Ignition Keys'' and a central Key Management Center operated by NSA. There is a hierarchy in that certain CIKs are used by authorized cryptographic control personnel to validate the issuance of individual traffic keys and to perform installation/maintenance functions, such as the reporting of lost CIKs. 
This should give an inkling of the extent of the key management problem. For public-key systems, there are several related issues, many having to do with ``whom do you trust?'' * Can I use pseudo-random or chaotic numbers as a key stream? Chaotic equations and fractals produce an apparent randomness from relatively compact generators. Perhaps the simplest example is a linear congruential sequence, one of the most popular types of random number generators, where there is no obvious dependence between seeds and outputs. Unfortunately the graph of any such sequence will, in a high enough dimension, show up as a regular lattice. Mathematically this lattice corresponds to structure which is notoriously easy for cryptanalysts to exploit. More complicated generators have more complicated structure, which is why they make interesting pictures--- but a cryptographically strong sequence will have no computable structure at all. See [KNU81], exercise 3.5-7; [REE77]; and [BOY89]. * What is the correct frequency list for English letters? There are three answers to this question, each slightly deeper than the one before. You can find the first answer in various books: namely, a frequency list computed directly from a certain sample of English text. Of course any such list will be ``correctly'' computed, but exactly which list you get depends on which sample was taken. The second answer is that the question doesn't make sense. What do you mean by ``English letters''? The ``English language'' is not a fixed, finite, closed object that can be exactly characterized. It has changed over time; it is different between different authors. Any particular message will have different statistics from those of the language as a whole. The third answer is that yes, no particular message is going to have exactly the same characteristics as English in general, but for all reasonable statistical uses these slight discrepancies won't matter. 
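The "computable structure" of a linear congruential generator, as an added example that is not part of the FAQ. Rather than drawing the lattice, it shows the algebraic consequence: if the modulus is public (the FAQ's axiom that the enemy knows the system), three consecutive outputs are enough to solve for the multiplier and increment by one modular division, after which every later output is predictable. The modulus 2^31-1, the multiplier, the increment and the seed are constructed for the example; the prime modulus is chosen so that the modular inverse always exists when the two outputs differ.

```python
"""Why an LCG cannot serve as a key stream: recover its parameters from output.

Added example, not code from the sci.crypt FAQ. M, the multiplier, the
increment and the seed are constructed; the recovery works for any LCG with a
known prime modulus, and with more effort for other moduli (see [REE77],
[BOY89]).
"""

M = 2**31 - 1   # a prime modulus, assumed known to the analyst


def lcg(seed: int, a: int, c: int, count: int) -> list:
    """Produce `count` outputs of x_{i+1} = (a*x_i + c) mod M."""
    out, x = [], seed
    for _ in range(count):
        x = (a * x + c) % M
        out.append(x)
    return out


def recover_lcg(x0: int, x1: int, x2: int) -> tuple:
    """Solve two linear congruences for (a, c):
        x1 = a*x0 + c,  x2 = a*x1 + c   (mod M)
    Subtracting gives a = (x2 - x1) / (x1 - x0) mod M, then c follows."""
    if (x1 - x0) % M == 0:
        raise ValueError("need two distinct consecutive outputs")
    a = (x2 - x1) * pow(x1 - x0, -1, M) % M
    c = (x1 - a * x0) % M
    return a, c


def predict_next(outputs: list) -> int:
    """Given at least three consecutive outputs, predict the following one."""
    a, c = recover_lcg(*outputs[-3:])
    return (a * outputs[-1] + c) % M


def predict_rest(outputs: list, count: int) -> list:
    """Extend a short observed prefix by `count` predicted values."""
    a, c = recover_lcg(*outputs[:3])
    return lcg(outputs[-1], a, c, count)


if __name__ == "__main__":
    a, c, seed = 48271, 11, 2024            # constructed secret parameters
    stream = lcg(seed, a, c, 10)
    observed = stream[:3]
    print("observed:", observed)
    print("recovered (a, c):", recover_lcg(*observed))
    print("predicted:", predict_rest(observed, 7))
    print("actual:   ", stream[3:])
```

Only the modulus was assumed known; the seed never had to be recovered at all, because the recurrence, not the seed, is what determines the remainder of the sequence.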
In fact there's an entire field called ``Bayesian statistics'' (other buzzwords are ``maximum entropy methods'' and ``maximum likelihood estimation'') which studies questions like ``What's the chance that a text with these letter frequencies is in English?'' and comes up with reasonably robust answers.

So make your own list from your own samples of English text. It will be good enough for practical work, if you use it properly.

* What is the Enigma?

``For a project in data security we are looking for sources of information about the German Enigma code and how it was broken by the British during WWII.''

See [WEL82], [DEA85], [KOZ84], [HOD83], [KAH91].

* How do I shuffle cards?

Card shuffling is a special case of the permutation of an array of values, using a random or pseudo-random function. All possible output permutations of this process should be equally likely. To do this, you need a random function (modran(x)) which will produce a uniformly distributed random integer in the interval [0..x-1]. Given that function, you can shuffle with the following [C] code: (assuming ARRLTH is the length of array arr[] and swap() interchanges values at the two addresses given)

    for ( n = ARRLTH-1; n > 0 ; n-- )
        swap( &arr[modran( n+1 )], &arr[n] ) ;

modran(x) cannot be achieved exactly with a simple (ranno() % x) since ranno()'s interval may not be divisible by x, although in most cases the error will be very small. To cover this case, one can take ranno()'s modulus mod x, call that number y, and if ranno() returns a value less than y, go back and get another ranno() value.

* Can I foil S/W pirates by encrypting my CD-ROM?

Someone will frequently express the desire to publish a CD-ROM with possibly multiple pieces of software, perhaps with each encrypted separately, and will want to use different keys for each user (perhaps even good for only a limited period of time) in order to avoid piracy.
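The shuffle and the modran() rejection rule above, as an added example that is not part of the FAQ and is written in Python rather than the FAQ's C. It makes two things checkable that the prose only asserts: over every possible output of a source with 256 values, plain `ranno() % 6` favours the residues 0..3 by one count each, while rejecting the y = 256 mod 6 = 4 smallest values makes all six residues exactly equal; and the swap loop is a bijection from random "tapes" to permutations, so with a uniform modran() every permutation is equally likely. The 256-value source, the 6-sided range and the 3-card deck are constructed for the example.

```python
"""Unbiased modran() and the FAQ's swap-down shuffle.

Added example, not code from the sci.crypt FAQ. RANNO_RANGE, the die size
and the small decks below are constructed for the demonstration.
"""
import itertools
import random

RANNO_RANGE = 256   # assumed: ranno() returns a uniform integer in [0, 255]


def modran(x: int, ranno, ranno_range: int = RANNO_RANGE) -> int:
    """Uniform integer in [0, x-1] from a uniform source on [0, ranno_range-1].

    The FAQ's rule: y = ranno_range mod x; values below y are rejected and the
    source is asked again. The remaining ranno_range - y values form a run whose
    length is a multiple of x, so r % x is exactly uniform."""
    y = ranno_range % x
    while True:
        r = ranno()
        if r >= y:
            return r % x


def residue_counts(x: int, ranno_range: int = RANNO_RANGE, reject: bool = True) -> list:
    """How often each residue 0..x-1 is produced when the source runs through
    every one of its values once (accepted values only when `reject`)."""
    y = ranno_range % x if reject else 0
    counts = [0] * x
    for r in range(y, ranno_range):
        counts[r % x] += 1
    return counts


def shuffle(arr: list, modran_fn) -> list:
    """The FAQ's loop: for n = len-1 down to 1, swap arr[modran(n+1)] with arr[n]."""
    arr = list(arr)
    for n in range(len(arr) - 1, 0, -1):
        j = modran_fn(n + 1)
        arr[j], arr[n] = arr[n], arr[j]
    return arr


def shuffle_with_tape(arr: list, tape: list) -> list:
    """Same loop driven by a fixed list of modran() answers, for enumeration."""
    answers = iter(tape)
    return shuffle(arr, lambda _bound: next(answers))


def permutation_spread(arr: list) -> dict:
    """Run the shuffle on every possible tape; a correct shuffle hits each
    permutation the same number of times (here exactly once)."""
    n = len(arr)
    spread = {}
    for tape in itertools.product(*[range(k + 1) for k in range(n - 1, 0, -1)]):
        key = tuple(shuffle_with_tape(arr, list(tape)))
        spread[key] = spread.get(key, 0) + 1
    return spread


if __name__ == "__main__":
    print("biased   ranno()%6 :", residue_counts(6, reject=False))
    print("unbiased modran(6) :", residue_counts(6, reject=True))
    rng = random.Random(1)                                  # constructed source
    deck = list(range(10))
    print("shuffled:", shuffle(deck, lambda x: modran(x, lambda: rng.randrange(RANNO_RANGE))))
    print("3-card permutations hit:", permutation_spread([0, 1, 2]))
```

The difference of one count per residue looks negligible for 256 source values, which is the FAQ's "very small" error, but the rejection step costs nothing in code and removes the bias entirely; it is the same construction the card-shuffling question and secure random number generators share.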
As far as we know, this is impossible, since there is nothing in standard PC or workstation hardware which uniquely identifies the user at the keyboard. If there were such an identification, then the CD-ROM could be encrypted with a key based in part on the one sold to the user and in part on the unique identifier. However, in this case the CD-ROM is one of a kind and that defeats the intended purpose.

If the CD-ROM is to be encrypted once and then mass produced, there must be a key (or set of keys) for that encryption produced at some stage in the process. That key is usable with any copy of the CD-ROM's data. The pirate needs only to isolate that key and sell it along with the illegal copy.

* Can you do automatic cryptanalysis of simple ciphers?

schneier@chinet.chi.il.us (Bruce Schneier) says: AccessData of Orem, Utah sells products that break the password scheme of a number of popular Macintosh and PC software packages. Their telephone number is (801) 224-6970

No PD software has been cited but there are many papers on the subject....

Peleg, S. and Rosenfeld, A. "Breaking Substitution Ciphers Using a Relaxation Algorithm" Comm. ACM Vol. 22(11) pp 598-605 (Nov. 1979)

Lucks, Michael, "A Constraint Satisfaction Algorithm for the Automated Decryption of Simple Substitution Ciphers", Advances in Cryptology -- CRYPTO '88, Springer Lecture Notes in Computer Science, vol. 403 (The paper also contains references to earlier work on the subject.)

John Carroll and Steve Martin, "The Automated Cryptanalysis of Substitution Ciphers", Cryptologia, vol X number 4, Oct 86 p193-209.

John Carroll and Lynda Robbins, "Automated Cryptanalysis of Polyalphabetic Ciphers", Cryptologia, vol XI number 4, Oct 87 p193-205

Martin Kochanski, "A Survey of Data Insecurity Packages", Cryptologia, vol XI number 1, Jan 87 p1-15

Martin Kochanski, "Another Data Insecurity Package", Cryptologia, vol XII number 3, July 88, p165-177.

Cryptologia Vol XIII Number 4 1989 pp 303-326.
King and Bahler, "Probabilistic Relaxation in the Cryptanalysis of Simple Substitution Ciphers" Cryptologia 16(3):215-225.

King and Bahler, "An Algorithmic Solution of Sequential Homophonic Ciphers". Cryptologia, April 93 (in press).

R. Spillman et al., "Use of Genetic Algorithms in Cryptanalysis of Simple Substitution Ciphers", Cryptologia, vol XVII Number 1, Jan 93 p31-44.

* What is the coding system used by VCR+?

One very frequently asked question in sci.crypt is about how the VCR+ codes work. The following article attempts to describe it.

K. Shirriff, C. Welch, A. Kinsman, "Decoding a VCR Controller Code," Cryptologia, 16(3), July 1992, pp 227-234.

Newsgroup: sci.crypt
document_id: 15246
From: crypt-comments@math.ncsu.edu
Subject: Cryptography FAQ 10/10 - References
Archive-name: cryptography-faq/part10
Last-modified: 1993/4/15

FAQ for sci.crypt, part 10: References

This is the tenth of ten parts of the sci.crypt FAQ. The parts are mostly independent, but you should read the first part before the rest. We don't have the time to send out missing parts by mail, so don't ask. Notes such as ``[KAH67]'' refer to the reference list in this part.

The sections of this FAQ are available via anonymous FTP to rtfm.mit.edu as /pub/usenet/news.answers/cryptography-faq/part[xx]. The Cryptography FAQ is posted to the newsgroups sci.crypt, sci.answers, and news.answers every 21 days.

Contents

* Books on history and classical methods
* Books on modern methods
* Survey articles
* Reference articles
* Journals, conference proceedings
* Other
* Electronic sources
* RFCs (available from [FTPRF])
* Related newsgroups

* Books on history and classical methods

[CF] Lambros D. Callimahos, William F. Friedman, Military Cryptanalytics. Aegean Park Press, ?.

[DEA85] Cipher A. Deavours & Louis Kruh, Machine Cryptography and Modern Cryptanalysis. Artech House, 610 Washington St., Dedham, MA 02026, 1985.

[FRIE2] William F. Friedman, Solving German Codes in World War I. Aegean Park Press, ?.
[GAI44] H. Gaines, Cryptanalysis, a study of ciphers and their solution. Dover Publications, 1944.

[HIN00] F.H.Hinsley, et al., British Intelligence in the Second World War. Cambridge University Press. (vol's 1, 2, 3a, 3b & 4, so far). XXX Years and authors, fix XXX

[HOD83] Andrew Hodges, Alan Turing: The Enigma. Burnett Books Ltd., 1983

[KAH91] David Kahn, Seizing the Enigma. Houghton Mifflin, 1991.

[KAH67] D. Kahn, The Codebreakers. Macmillan Publishing, 1967. [history] [The abridged paperback edition left out most technical details; the original hardcover edition is recommended.]

[KOZ84] W. Kozaczuk, Enigma. University Publications of America, 1984

[KUL76] S. Kullback, Statistical Methods in Cryptanalysis. Aegean Park Press, 1976.

[SIN66] A. Sinkov, Elementary Cryptanalysis. Math. Assoc. Am. 1966.

[WEL82] Gordon Welchman, The Hut Six Story. McGraw-Hill, 1982.

[YARDL] Herbert O. Yardley, The American Black Chamber. Aegean Park Press, ?.

* Books on modern methods

[BEK82] H. Beker, F. Piper, Cipher Systems. Wiley, 1982.

[BRA88] G. Brassard, Modern Cryptology: a tutorial. Springer-Verlag, 1988.

[DEN82] D. Denning, Cryptography and Data Security. Addison-Wesley Publishing Company, 1982.

[KOB89] N. Koblitz, A course in number theory and cryptography. Springer-Verlag, 1987.

[KON81] A. Konheim, Cryptography: a primer. Wiley, 1981.

[MEY82] C. Meyer and S. Matyas, Cryptography: A new dimension in computer security. Wiley, 1982.

[PAT87] Wayne Patterson, Mathematical Cryptology for Computer Scientists and Mathematicians. Rowman & Littlefield, 1987.

[PFL89] C. Pfleeger, Security in Computing. Prentice-Hall, 1989.

[PRI84] W. Price, D. Davies, Security for computer networks. Wiley, 1984.

[RUE86] R. Rueppel, Design and Analysis of Stream Ciphers. Springer-Verlag, 1986.

[SAL90] A. Salomaa, Public-key cryptography. Springer-Verlag, 1990.

[WEL88] D. Welsh, Codes and Cryptography. Clarendon Press, 1988.

* Survey articles

[ANG83] D. Angluin, D. Lichtenstein, Provable Security in Cryptosystems: a survey. Yale University, Department of Computer Science, #288, 1983.

[BET90] T. Beth, Algorithm engineering for public key algorithms. IEEE Selected Areas of Communication, 1(4), 458--466, 1990.

[DAV83] M. Davio, J. Goethals, Elements of cryptology. in Secure Digital Communications, G. Longo ed., 1--57, 1983.

[DIF79] W. Diffie, M. Hellman, Privacy and Authentication: An introduction to cryptography. IEEE proceedings, 67(3), 397--427, 1979.

[DIF88] W. Diffie, The first ten years of public key cryptography. IEEE proceedings, 76(5), 560--577, 1988.

[FEI73] H. Feistel, Cryptography and Computer Privacy. Scientific American, 228(5), 15--23, 1973.

[FEI75] H. Feistel, W. Notz, J. Lynn Smith. Some cryptographic techniques for machine-to-machine data communications, IEEE proceedings, 63(11), 1545--1554, 1975.

[HEL79] M. Hellman, The mathematics of public key cryptography. Scientific American, 130--139, 1979.

[LAK83] S. Lakshmivarahan, Algorithms for public key cryptosystems. In Advances in Computers, M. Yovtis ed., 22, Academic Press, 45--108, 1983.

[LEM79] A. Lempel, Cryptology in transition, Computing Surveys, 11(4), 285--304, 1979.

[MAS88] J. Massey, An introduction to contemporary cryptology, IEEE proceedings, 76(5), 533--549, 1988.

[SIM91] G. Simmons (ed.), Contemporary Cryptology: the Science of Information Integrity. IEEE press, 1991.

* Reference articles

[AND83] D. Andelman, J. Reeds, On the cryptanalysis of rotor and substitution-permutation networks. IEEE Trans. on Inform. Theory, 28(4), 578--584, 1982.

[BEN87] John Bennett, Analysis of the Encryption Algorithm Used in the WordPerfect Word Processing Program. Cryptologia 11(4), 206--210, 1987.

[BER91] H. A. Bergen and W. J. Caelli, File Security in WordPerfect 5.0. Cryptologia 15(1), 57--66, January 1991.

[BIH91] E. Biham and A. Shamir, Differential cryptanalysis of DES-like cryptosystems. Journal of Cryptology, vol. 4, #1, 3--72, 1991.

[BI91a] E. Biham, A. Shamir, Differential cryptanalysis of Snefru, Khafre, REDOC-II, LOKI and LUCIFER. In Proceedings of CRYPTO '91, ed. by J. Feigenbaum, 156--171, 1992.

[BOY89] J. Boyar, Inferring Sequences Produced by Pseudo-Random Number Generators. Journal of the ACM, 1989.

[BRI86] E. Brickell, J. Moore, M. Purtill, Structure in the S-boxes of DES. In Proceedings of CRYPTO '86, A. M. Odlyzko ed., 3--8, 1987.

[BRO89] L. Brown, A proposed design for an extended DES, Computer Security in the Computer Age. Elsevier Science Publishers B.V. (North Holland), IFIP, W. J. Caelli ed., 9--22, 1989.

[BRO90] L. Brown, J. Pieprzyk, J. Seberry, LOKI - a cryptographic primitive for authentication and secrecy applications. In Proceedings of AUSTCRYPT 90, 229--236, 1990.

[CAE90] H. Gustafson, E. Dawson, W. Caelli, Comparison of block ciphers. In Proceedings of AUSCRYPT '90, J. Seberry and J. Pieprzyk eds., 208--220, 1990.

[CAM93] K. W. Campbell, M. J. Wiener, Proof the DES is Not a Group. In Proceedings of CRYPTO '92, 1993.

[ELL88] Carl M. Ellison, A Solution of the Hebern Messages. Cryptologia, vol. XII, #3, 144-158, Jul 1988.

[EVE83] S. Even, O. Goldreich, DES-like functions can generate the alternating group. IEEE Trans. on Inform. Theory, vol. 29, #6, 863--865, 1983.

[GAR91] G. Garon, R. Outerbridge, DES watch: an examination of the sufficiency of the Data Encryption Standard for financial institutions in the 1990's. Cryptologia, vol. XV, #3, 177--193, 1991.

[GIL80] Gillogly, ?. Cryptologia 4(2), 1980.

[GM82] Shafi Goldwasser, Silvio Micali, Probabilistic Encryption and How To Play Mental Poker Keeping Secret All Partial Information. Proceedings of the Fourteenth Annual ACM Symposium on Theory of Computing, 1982.

[HUM83] D. G. N. Hunter and A. R. McKenzie, Experiments with Relaxation Algorithms for Breaking Simple Substitution Ciphers. Computer Journal 26(1), 1983.

[KAM78] J. Kam, G. Davida, A structured design of substitution-permutation encryption networks. IEEE Trans. Information Theory, 28(10), 747--753, 1978.

[KIN78] P. Kinnucan, Data encryption gurus: Tuchman and Meyer. Cryptologia, vol. II #4, 371--XXX, 1978.

[KRU88] Kruh, ?. Cryptologia 12(4), 1988.

[LAI90] X. Lai, J. Massey, A proposal for a new block encryption standard. EUROCRYPT 90, 389--404, 1990.

[LUB88] C. Rackoff, M. Luby, How to construct pseudorandom permutations from pseudorandom functions. SIAM Journal of Computing, vol. 17, #2, 373--386, 1988.

[MAS88] J. Massey, An introduction to contemporary cryptology. IEEE proceedings, 76(5), 533--549, 1988.

[ME91a] R. Merkle, Fast software encryption functions. In Proceedings of CRYPTO '90, Menezes and Vanstone ed., 476--501, 1991.

[MEY78] C. Meyer, Ciphertext/plaintext and ciphertext/key dependence vs. number of rounds for the Data Encryption Standard. AFIPS Conference proceedings, 47, 1119--1126, 1978.

[NBS77] Data Encryption Standard. National Bureau of Standards, FIPS PUB 46, Washington, DC, January 1977.

[REE77] J. Reeds, `Cracking' a Random Number Generator. Cryptologia 1(1), 20--26, 1977.

[REE84] J. A. Reeds and P. J. Weinberger, File Security and the UNIX Crypt Command. AT&T Bell Laboratories Technical Journal, Vol. 63 #8, part 2, 1673--1684, October, 1984.

[SHA49] C. Shannon, Communication Theory of Secrecy Systems. Bell System Technical Journal 28(4), 656--715, 1949.

[SHE88] B. Kaliski, R. Rivest, A. Sherman, Is the Data Encryption Standard a Group. Journal of Cryptology, vol. 1, #1, 1--36, 1988.

[SHI88] A. Shimizu, S. Miyaguchi, Fast data encipherment algorithm FEAL. EUROCRYPT '87, 267--278, 1988.

[SOR84] A. Sorkin, LUCIFER: a cryptographic algorithm. Cryptologia, 8(1), 22--35, 1984.

* Journals, conference proceedings

CRYPTO
Eurocrypt
IEEE Transactions on Information Theory
Cryptologia: a cryptology journal, quarterly since Jan 1977. Cryptologia; Rose-Hulman Institute of Technology; Terre Haute Indiana 47803 [general: systems, analysis, history, ...]
Journal of Cryptology; International Association for Cryptologic Research; published by Springer Verlag (quarterly since 1988). The Cryptogram (Journal of the American Cryptogram Association); 18789 West Hickory Street; Mundelein, IL 60060; [primarily puzzle cryptograms of various sorts] Cryptosystems Journal, Published by Tony Patti, P.O. Box 188, Newtown PA, USA 18940-0188 or tony_s_patti@cup.portal.com. Publisher's comment: Includes complete cryptosystems with source and executable programs on diskettes. Tutorial. The typical cryptosystems supports multi-megabit keys and Galois Field arithmetic. Inexpensive hardware random number generator details. Computer and Communication Security Reviews, published by Ross Anderson. Sample issue available from various ftp sites, including black.ox.ac.uk. Editorial c/o rja14@cl.cam.ac.uk. Publisher's comment: We review all the conference proceedings in this field, including not just Crypto and Eurocrypt, but regional gatherings like Auscrypt and Chinacrypt. We also abstract over 50 journals, and cover computer security as well as cryptology, so readers can see the research trends in applications as well as theory. * Other Address of note: Aegean Park Press, P.O. Box 2837, Laguna Hills, CA 92654-0837. Answering machine at 714-586-8811. The ``Orange Book'' is DOD 5200.28-STD, published December 1985 as part of the ``rainbow book'' series. Write to Department of Defense, National Security Agency, ATTN: S332, 9800 Savage Road, Fort Meade, MD 20755-6000, and ask for the Trusted Computer System Evaluation Criteria. Or call 301-766-8729. [BAMFD] Bamford, The Puzzle Palace. Penguin Books, ?. [GOO83] I. J. Good, Good Thinking: the foundations of probability and its applications. University of Minnesota Press, 1983. [KNU81] D. E. Knuth, The Art of Computer Programming, volume 2: Seminumerical Algorithms. Addison-Wesley, 1981. [KUL68] Soloman Kullbach, Information Theory and Statistics. Dover, 1968. [YAO88] A. 
Yao, Computational Information Theory. In Complexity in Information Theory, ed. by Abu-Mostafa, 1988. * How may one obtain copies of FIPS and ANSI standards cited herein? Many textbooks on cryptography contain complete reprints of the FIPS standards, which are not copyrighted. The following standards may be ordered from the U.S. Department of Commerce, National Technical Information Service, Springfield, VA 22161. FIPS PUB 46-1 "Data Encryption Standard" (this is DES) FIPS PUB 74 "Guidelines for Implementing as Using the NBS DES" FIPS PUB 81 "DES Modes of Operation" FIPS PUB 113 "Computer Data Authentication" (using DES) The following standards may be ordered from the American National Standards Institute Sales Office, 1430 Broadway, New York, NY 10018. Phone 212.642.4900 ANSI X3.92-1981 "Data Encryption Algorithm" (identical to FIPS 46-1) ANSI X3.106-1983 "DEA Modes of Operation" (identical to FIPS 113) Notes: Figure 3 in FIPS PUB 46-1 is in error, but figure 3 in X3.92-1981 is correct. The text is correct in both publications. * Electronic sources Anonymous ftp: [FTPBK] ftp.uu.net:bsd-sources/usr.bin/des/ [FTPCB] ftp.uu.net:usenet/comp.sources.unix/volume10/cbw/ [FTPDF] ftp.funet.fi:pub/unix/security/destoo.tar.Z [FTPEY] ftp.psy.uq.oz.au:pub/DES/ [FTPMD] rsa.com:? [FTPMR] cl-next3.cl.msu.edu:pub/crypt/newdes.tar.Z [FTPOB] ftp.3com.com:Orange-book [FTPPF] prep.ai.mit.edu:pub/lpf/ [FTPPK] ucsd.edu:hamradio/packet/tcpip/crypto/des.tar.Z [FTPRF] nic.merit.edu:documents/rfc/ [FTPSF] beta.xerox.com:pub/hash/ [FTPSO] chalmers.se:pub/des/des.1.0.tar.Z [FTPUF] ftp.uu.net:usenet/comp.sources.unix/volume28/ufc-crypt/ [FTPWP] garbo.uwasa.fi:pc/util/wppass2.zip * RFCs (available from [FTPRF]) 1424 Kaliski, B. Privacy Enhancement for Internet Electronic Mail: Part IV: Key Certification and Related Services. 1993 February; 9 p. (Format: TXT=17538 bytes) 1423 Balenson, D. Privacy Enhancement for Internet Electronic Mail: Part III: Algorithms, Modes, and Identifiers. 
1993 February; 14 p. (Format: TXT=33278 bytes) (Obsoletes RFC 1115) 1422 Kent, S. Privacy Enhancement for Internet Electronic Mail: Part II: Certificate-Based Key Management. 1993 February; 32 p. (Format: TXT=86086 bytes) (Obsoletes RFC 1114) 1421 Linn, J. Privacy Enhancement for Internet Electronic Mail: Part I: Message Encryption and Authentication Procedures. 1993 February; 42 p. (Format: TXT=103895 bytes) (Obsoletes RFC 1113) * Related newsgroups There are other newsgroups which a sci.crypt reader might want also to read. Some have their own FAQ as well. alt.comp.compression discussion of compression algorithms and code alt.security general security discussions alt.security.index index to alt.security alt.security.pgp discussion of PGP alt.security.ripem discussion of RIPEM alt.society.civil-liberty general civil liberties, including privacy comp.org.eff.news News reports from EFF comp.org.eff.talk discussion of EFF related issues comp.patents discussion of S/W patents, including RSA comp.risks some mention of crypto and wiretapping comp.society.privacy general privacy issues comp.security.announce announcements of security holes misc.legal.computing sci.math general math discussion Newsgroup: sci.crypt document_id: 15247 From: ckincy@cs.umr.edu (Charles Kincy) Subject: Bob "Putz" Cain (was: Pgp and other BS) In article <1993Apr16.195927.3952@natasha.portal.com> bob@natasha.portal.com (Bob Cain) writes: >Charles Kincy (ckincy@cs.umr.edu) wrote: >: In article <1993Apr16.001321.3692@natasha.portal.com> bob@natasha.portal.com (Bob Cain) writes: [...] >: Oh, I see, flame someone, tell them that they are immature, tell them >: they are wrong, and then don't offer any proof for your assertions. >: >: You really *are* a putz. Put up or shut up. >: > >I will provide any proof you wish in private. Name it, dickhead. Don't bother. has pretty much made your pathetic ass superfluous. You lose. Pack up your bags and go home. >Putz Cain Well, if the shoe fits.... 
cpk

Newsgroup: sci.crypt document_id: 15248
From: crypt-comments@math.ncsu.edu
Subject: Cryptography FAQ 03/10 - Basic Cryptology
Archive-name: cryptography-faq/part03
Last-modified: 1993/4/15

FAQ for sci.crypt, part 3: Basic Cryptology

This is the third of ten parts of the sci.crypt FAQ. The parts are mostly independent, but you should read the first part before the rest. We don't have the time to send out missing parts by mail, so don't ask. Notes such as ``[KAH67]'' refer to the reference list in the last part.

The sections of this FAQ are available via anonymous FTP to rtfm.mit.edu as /pub/usenet/news.answers/cryptography-faq/part[xx]. The Cryptography FAQ is posted to the newsgroups sci.crypt, sci.answers, and news.answers every 21 days.

Contents:

* What is cryptology? Cryptography? Plaintext? Ciphertext? Encryption? Key?
* What references can I start with to learn cryptology?
* How does one go about cryptanalysis?
* What is a brute-force search and what is its cryptographic relevance?
* What are some properties satisfied by every strong cryptosystem?
* If a cryptosystem is theoretically unbreakable, then is it guaranteed analysis-proof in practice?
* Why are many people still using cryptosystems that are relatively easy to break?

* What is cryptology? Cryptography? Plaintext? Ciphertext? Encryption? Key?

The story begins: When Julius Caesar sent messages to his trusted acquaintances, he didn't trust the messengers. So he replaced every A by a C, every B by a D, and so on through the alphabet. Only someone who knew the ``shift by 2'' rule could decipher his messages.

A cryptosystem or cipher system is a method of disguising messages so that only certain people can see through the disguise. Cryptography is the art of creating and using cryptosystems. Cryptanalysis is the art of breaking cryptosystems---seeing through the disguise even when you're not supposed to be able to. Cryptology is the study of both cryptography and cryptanalysis.

The original message is called a plaintext. The disguised message is called a ciphertext. Encryption means any procedure to convert plaintext into ciphertext. Decryption means any procedure to convert ciphertext into plaintext.

A cryptosystem is usually a whole collection of algorithms. The algorithms are labelled; the labels are called keys. For instance, Caesar probably used ``shift by n'' encryption for several different values of n. It's natural to say that n is the key here.

The people who are supposed to be able to see through the disguise are called recipients. Other people are enemies, opponents, interlopers, eavesdroppers, or third parties.

* What references can I start with to learn cryptology?

For an introduction to technical matter, the survey articles given in part 10 are the best place to begin as they are, in general, concise, authored by competent people, and well written. However, these articles are mostly concerned with cryptology as it has developed in the last 50 years or so, and are more abstract and mathematical than historical. The Codebreakers by Kahn [KAH67] is encyclopedic in its history and technical detail of cryptology up to the mid-60's.

Introductory cryptanalysis can be learned from Gaines [GAI44] or Sinkov [SIN66]. This is recommended especially for people who want to devise their own encryption algorithms, since it is a common mistake to try to make a system before knowing how to break one.

The selection of an algorithm for the DES drew the attention of many public researchers to problems in cryptology. Consequently several textbooks and books to serve as texts have appeared. The book of Denning [DEN82] gives a good introduction to a broad range of security including encryption algorithms, database security, access control, and formal models of security. Similar comments apply to the books of Price & Davies [PRI84] and Pfleeger [PFL89].

The books of Konheim [KON81] and Meyer & Matyas [MEY82] are quite technical books. Both Konheim and Meyer were directly involved in the development of DES, and both books give a thorough analysis of DES. Konheim's book is quite mathematical, with detailed analyses of many classical cryptosystems. Meyer and Matyas concentrate on modern cryptographic methods, especially pertaining to key management and the integration of security facilities into computer systems and networks.

The books of Rueppel [RUE86] and Koblitz [KOB89] concentrate on the application of number theory and algebra to cryptography.

* How does one go about cryptanalysis?

Classical cryptanalysis involves an interesting combination of analytical reasoning, application of mathematical tools, pattern finding, patience, determination, and luck. The best available textbooks on the subject are the Military Cryptanalytics series [FRIE1]. It is clear that proficiency in cryptanalysis is, for the most part, gained through the attempted solution of given systems. Such experience is considered so valuable that some of the cryptanalyses performed during WWII by the Allies are still classified.

Modern public-key cryptanalysis may consist of factoring an integer, or taking a discrete logarithm. These are not the traditional fare of the cryptanalyst. Computational number theorists are some of the most successful cryptanalysts against public key systems.

* What is a brute-force search and what is its cryptographic relevance?

In a nutshell: If f(x) = y and you know y and can compute f, you can find x by trying every possible x. That's brute-force search.

Example: Say a cryptanalyst has found a plaintext and a corresponding ciphertext, but doesn't know the key. He can simply try encrypting the plaintext using each possible key, until the ciphertext matches---or decrypting the ciphertext to match the plaintext, whichever is faster. Every well-designed cryptosystem has such a large key space that this brute-force search is impractical.
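The search described above, worked through on a toy cipher whose key space is small enough to enumerate (an added example, not part of the FAQ). The periodic-shift cipher, the three-letter key, and the mini word list are all constructed for this example; the second search also shows why too little ciphertext leaves several plausible keys, the idea behind the unicity distance discussed under the next question.

```python
"""Brute-force key search on a toy cipher (added example, not the FAQ's code).

The cipher is a periodic letter shift (Vigenere-style) on A-Z with a
KEY_LEN-letter key.  It was chosen only because its 26**KEY_LEN keys can be
enumerated in a fraction of a second, which is exactly what a real cipher's
key space must rule out.
"""
from itertools import product
import string

ALPHABET = string.ascii_uppercase
KEY_LEN = 3                     # 26**3 = 17576 keys (assumed toy parameter)

# Constructed stand-in for "recognizable English": a ciphertext-only search
# can only discard a key if the candidate plaintext fails such a recognizer.
WORDS = {"THE", "KEY", "IS", "NOT", "SECRET", "AND", "CAT", "DOG", "ARE",
         "YOU", "WE", "ALL", "FOR", "BUT"}


def _shift(text, key, sign):
    """Shift the j-th letter by key[j mod KEY_LEN] (+1 encrypt, -1 decrypt).
    Non-letters such as spaces pass through unchanged."""
    out, j = [], 0
    for ch in text.upper():
        if ch in ALPHABET:
            k = ALPHABET.index(key[j % len(key)])
            out.append(ALPHABET[(ALPHABET.index(ch) + sign * k) % 26])
            j += 1
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext, key):
    return _shift(plaintext, key, +1)


def decrypt(ciphertext, key):
    return _shift(ciphertext, key, -1)


def all_keys():
    """Enumerate the whole key space: this loop *is* the brute-force search."""
    for letters in product(ALPHABET, repeat=KEY_LEN):
        yield "".join(letters)


def known_plaintext_search(plaintext, ciphertext):
    """The FAQ's scenario: f(x) = y with f = encrypt(plaintext, .) and y known.
    Re-encrypt the plaintext under every key until the ciphertext matches."""
    for key in all_keys():
        if encrypt(plaintext, key) == ciphertext:
            return key
    return None


def looks_like_plaintext(text):
    return all(word in WORDS for word in text.split())


def candidate_keys(ciphertext):
    """Ciphertext-only search: keep every key whose decryption the recognizer
    accepts.  With too little ciphertext many spurious keys survive; the amount
    needed to leave exactly one is the unicity distance."""
    return [k for k in all_keys() if looks_like_plaintext(decrypt(ciphertext, k))]


def demo():
    key = "DES"                                  # constructed secret key
    message = "THE KEY IS NOT SECRET"
    found = known_plaintext_search(message, encrypt(message, key))
    short = candidate_keys(encrypt("THE", key))  # 3 letters: one key per 3-letter word
    longer = candidate_keys(encrypt("THE KEY", key))
    return found, len(short), longer


if __name__ == "__main__":
    found, n_short, longer = demo()
    print("known-plaintext search recovered key:", found)        # DES
    print("keys surviving with 3 ciphertext letters:", n_short)  # 11
    print("keys surviving with 6 ciphertext letters:", longer)   # ['DES']
```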
Advances in technology sometimes change what is considered practical. For example, DES, which has been in use for over 10 years now, has 2^56, or about 10^17, possible keys. A computation with this many operations was certainly unlikely for most users in the mid-70's. The situation is very different today given the dramatic decrease in cost per processor operation. Massively parallel machines threaten the security of DES against brute force search. Some scenarios are described by Garon and Outerbridge [GAR91].

One phase of a more sophisticated cryptanalysis may involve a brute-force search of some manageably small space of possibilities.

* What are some properties satisfied by every strong cryptosystem?

The security of a strong system resides with the secrecy of the key rather than with an attempt to keep the algorithm itself secret.

A strong cryptosystem has a large keyspace, as mentioned above. The unicity distance is a measure which gives the minimum amount of ciphertext that must be intercepted to uniquely identify the key. If, for some key, the unicity distance is much longer than the amount of ciphertext you intend to encrypt under that key, the system is probably strong.

A strong cryptosystem will certainly produce ciphertext which appears random to all standard statistical tests (see, for example, [CAE90]).

A strong cryptosystem will resist all known previous attacks. A system which has never been subjected to scrutiny is suspect.

If a system passes all the tests mentioned above, is it necessarily strong? Certainly not. Many weak cryptosystems looked good at first. However, sometimes it is possible to show that a cryptosystem is strong by mathematical proof. ``If Joe can break this system, then he can also solve the well-known difficult problem of factoring integers.'' See part 6. Failing that, it's a crap shoot.

* If a cryptosystem is theoretically unbreakable, then is it guaranteed analysis-proof in practice?

Cryptanalytic methods include what is known as ``practical cryptanalysis'': the enemy doesn't have to just stare at your ciphertext until he figures out the plaintext. For instance, he might assume ``cribs''---stretches of probable plaintext. If the crib is correct then he might be able to deduce the key and then decipher the rest of the message. Or he might exploit ``isologs''---the same plaintext enciphered in several cryptosystems or several keys. Thus he might obtain solutions even when cryptanalytic theory says he doesn't have a chance.

Sometimes, cryptosystems malfunction or are misused. The one-time pad, for example, loses all security if it is used more than once! Even chosen-plaintext attacks, where the enemy somehow feeds plaintext into the encryptor until he can deduce the key, have been employed. See [KAH67].

* Why are many people still using cryptosystems that are relatively easy to break?

Some don't know any better. Often amateurs think they can design secure systems, and are not aware of what an expert cryptanalyst could do. And sometimes there is insufficient motivation for anybody to invest the work needed to crack a system.

Newsgroup: sci.crypt document_id: 15249
From: strnlght@netcom.com (David Sternlight)
Subject: Re: An Open Letter to Mr. Clinton

Here's a simple way to convert the Clipper proposal to an unexceptionable one: Make it voluntary. That is--you get high quality secure NSA classified technology if you agree to escrow your key. Otherwise you are on your own.

David
--
David Sternlight
Great care has been taken to ensure the accuracy of our information, errors and omissions excepted.

Newsgroup: sci.crypt document_id: 15250
From: tcmay@netcom.com (Timothy C. May)
Subject: Re: Once tapped, your code is no good any more.

Brad Templeton (brad@clarinet.com) wrote:
: It occurs to me that if they get a wiretap order on you, and the escrow
: houses release your code to the cops, your code is now no longer secure.
:
: It's in the hands of cops, and while I am sure most of the time they are
: good, their security will not be as good as the escrow houses.
:
:
: What this effectively means is that if they perform a wiretap on you,
: at the end of the wiretap, they should be obligated to inform you that
: a tap was performed, and replace (for free) the clipper chip in your
: cellular phone so that it is once again a code known only to the
: escrow houses.

Getting the court order to reveal the key *also* makes decipherable all *past* conversations (which may be on tape, or disk, or whatever), as I understand the proposal. I could be wrong, but I've seen no mention of "session keys" being the escrowed entities.

As the EFF noted, this raises further issues about the fruits of one bust leading to incrimination in other areas.

But is it any worse than the current unsecure system? It becomes much worse, of course, if the government then uses this "Clinton Clipper" to argue for restrictions on unapproved encryption. (This is the main concern of most of us, I think. The camel's nose in the tent, etc.)

And it may also become much worse if the ostensible security is increased, thus allowing greater access to "central office" records by the government (the conversations being encrypted, who will object to letting the government have access to them, perhaps even automatically archiving large fractions...). This was one of the main objections to the S.266 proposal, that it would force telecom suppliers to provide easy access for the government.

Once the government has had access to months or years of your encrypted conversations, now all it takes is one misstep, one violation that gets them the paperwork needed to decrypt *all* of them!

Do we want anyone to have this kind of power?

-Tim May, whose sig block may get him busted in the New Regime

--
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^756839 | Public Key: PGP and MailSafe available.

Newsgroup: sci.crypt document_id: 15251
From: crypt-comments@math.ncsu.edu
Subject: Cryptography FAQ 02/10 - Net Etiquette
Archive-name: cryptography-faq/part02
Last-modified: 1993/4/15

FAQ for sci.crypt, part 2: Net Etiquette

This is the second of ten parts of the sci.crypt FAQ. The parts are mostly independent, but you should read the first part before the rest. We don't have the time to send out missing parts by mail, so don't ask. Notes such as ``[KAH67]'' refer to the reference list in the last part.

The sections of this FAQ are available via anonymous FTP to rtfm.mit.edu as /pub/usenet/news.answers/cryptography-faq/part[xx]. The Cryptography FAQ is posted to the newsgroups sci.crypt, sci.answers, and news.answers every 21 days.

Contents:

* What groups are around? What's a FAQ? Who am I? Why am I here?
* Do political discussions belong in sci.crypt?
* How do I present a new encryption scheme in sci.crypt?

* What groups are around? What's a FAQ? Who am I? Why am I here?

Read news.announce.newusers and news.answers for a few weeks. Always make sure to read a newsgroup for some time before you post to it. You'll be amazed how often the same question can be asked in the same newsgroup. After a month you'll have a much better sense of what the readers want to see.

* Do political discussions belong in sci.crypt?

No. In fact some newsgroups (notably misc.legal.computing) were created exactly so that political questions like ``Should RSA be patented?'' don't get in the way of technical discussions. Many sci.crypt readers also read misc.legal.computing, comp.org.eff.talk, comp.patents, sci.math, comp.compression, et al.; for the benefit of people who don't care about those other topics, try to put your postings in the right group.

Questions about microfilm and smuggling and other non-cryptographic ``spy stuff'' don't belong in sci.crypt either.

* How do I present a new encryption scheme in sci.crypt?

``I just came up with this neat method of encryption. Here's some ciphertext: FHDSIJOYW^&%$*#@OGBUJHKFSYUIRE. Is it strong?''

Without a doubt questions like this are the most annoying traffic on sci.crypt.

If you have come up with an encryption scheme, providing some ciphertext from it is not adequate. Nobody has ever been impressed by random gibberish. Any new algorithm should be secure even if the opponent knows the full algorithm (including how any message key is distributed) and only the private key is kept secret. There are some systematic and unsystematic ways to take reasonably long ciphertexts and decrypt them even without prior knowledge of the algorithm, but this is a time-consuming and possibly fruitless exercise which most sci.crypt readers won't bother with.

So what do you do if you have a new encryption scheme? First of all, find out if it's really new. Look through this FAQ for references and related methods. Familiarize yourself with the literature and the introductory textbooks.

When you can appreciate how your cryptosystem fits into the world at large, try to break it yourself! You shouldn't waste the time of tens of thousands of readers asking a question which you could have easily answered on your own.

If you really think your system is secure, and you want to get some reassurance from experts, you might try posting full details of your system, including working code and a solid theoretical explanation, to sci.crypt. (Keep in mind that the export of cryptography is regulated in some areas.)

If you're lucky an expert might take some interest in what you posted. You can encourage this by offering cash rewards---for instance, noted cryptographer Ralph Merkle is offering $1000 to anyone who can break Snefru-4---but there are no guarantees. If you don't have enough experience, then most likely any experts who look at your system will be able to find a flaw. If this happens, it's your responsibility to consider the flaw and learn from it, rather than just add one more layer of complication and come back for another round.

A different way to get your cryptosystem reviewed is to have the NSA look at it. A full discussion of this procedure is outside the scope of this FAQ.

Among professionals, a common rule of thumb is that if you want to design a cryptosystem, you have to have experience as a cryptanalyst.

Newsgroup: sci.crypt document_id: 15252
From: crypt-comments@math.ncsu.edu
Subject: Cryptography FAQ 05/10 - Product Ciphers
Archive-name: cryptography-faq/part05
Last-modified: 1993/4/15

FAQ for sci.crypt, part 5: Product ciphers

This is the fifth of ten parts of the sci.crypt FAQ. The parts are mostly independent, but you should read the first part before the rest. We don't have the time to send out missing parts by mail, so don't ask. Notes such as ``[KAH67]'' refer to the reference list in the last part.

The sections of this FAQ are available via anonymous FTP to rtfm.mit.edu as /pub/usenet/news.answers/cryptography-faq/part[xx]. The Cryptography FAQ is posted to the newsgroups sci.crypt, sci.answers, and news.answers every 21 days.

Contents:

* What is a product cipher?
* What makes a product cipher secure?
* What are some group-theoretic properties of product ciphers?
* What can be proven about the security of a product cipher?
* How are block ciphers used to encrypt data longer than the block size?
* Can symmetric block ciphers be used for message authentication?
* What exactly is DES?
* What is triple DES?
* What is differential cryptanalysis?
* How was NSA involved in the design of DES?
* Is DES available in software?
* Is DES available in hardware?
* Can DES be used to protect classified information?
* What are "ECB", "CBC", "CFB", and "OFB" encryption?

* What is a product cipher?

A product cipher is a block cipher that iterates several weak operations such as substitution, transposition, modular addition/multiplication, and linear transformation. (A ``block cipher'' just means a cipher that encrypts a block of data---8 bytes, say---all at once, then goes on to the next block.) The notion of product ciphers is due to Shannon [SHA49]. Examples of modern product ciphers include LUCIFER [SOR84], DES [NBS77], SP-networks [KAM78], LOKI [BRO90], FEAL [SHI84], PES [LAI90], Khufu and Khafre [ME91a]. The so-called Feistel ciphers are a class of product ciphers which operate on one half of the ciphertext at each round, and then swap the ciphertext halves after each round. LUCIFER, DES, LOKI, and FEAL are examples of Feistel ciphers.

The following table compares the main parameters of several product ciphers:

cipher  | block length | key bits | number of rounds
LUCIFER | 128          | 128      | 16
DES     | 64           | 56       | 16
LOKI    | 64           | 64       | 16
FEAL    | 64           | 128      | 2^x, x >= 5
PES     | 64           | 128      | 8

* What makes a product cipher secure?

Nobody knows how to prove mathematically that a product cipher is completely secure. So in practice one begins by demonstrating that the cipher ``looks highly random''. For example, the cipher must be nonlinear, and it must produce ciphertext which functionally depends on every bit of the plaintext and the key. Meyer [MEY78] has shown that at least 5 rounds of DES are required to guarantee such a dependence. In this sense a product cipher should act as a ``mixing'' function which combines the plaintext, key, and ciphertext in a complex nonlinear fashion.

The fixed per-round substitutions of the product cipher are referred to as S-boxes. For example, LUCIFER has 2 S-boxes, and DES has 8 S-boxes. The nonlinearity of a product cipher reduces to a careful design of these S-boxes. A list of partial design criteria for the S-boxes of DES, which apply to S-boxes in general, may be found in Brown [BRO89] and Brickell et al. [BRI86].

* What are some group-theoretic properties of product ciphers?

Let E be a product cipher that maps N-bit blocks to N-bit blocks. Let E_K(X) be the encryption of X under key K. Then, for any fixed K, the map sending X to E_K(X) is a permutation of the set of N-bit blocks. Denote this permutation by P_K. The set of all N-bit permutations is called the symmetric group and is written S_{2^N}. The collection of all these permutations P_K, where K ranges over all possible keys, is denoted E(S_{2^N}). If E were a random mapping from plaintexts to ciphertexts then we would expect E(S_{2^N}) to generate a large subset of S_{2^N}.

Coppersmith and Grossman [COP74] have shown that a very simple product cipher can generate the alternating group A_{2^N} given a sufficient number of rounds. (The alternating group is half of the symmetric group: it consists of all ``even'' permutations, i.e., all permutations which can be written as an even number of swaps.) Even and Goldreich [EVE83] were able to extend these results to show that Feistel ciphers can generate A_{2^N}, given a sufficient number of rounds.

The security of multiple encipherment also depends on the group-theoretic properties of a cipher. Multiple encipherment is an extension over single encipherment if for keys K1, K2 there does not exist a third key K3 such that

    E_K2(E_K1(X)) == E_K3(X)                                (**)

which would mean that encrypting twice with two independent keys K1, K2 is equal to a single encryption under the third key K3. If for every K1, K2 there exists a K3 such that eq. (**) is true then we say that E is a group. This question of whether DES is a group under this definition was extensively studied by Sherman, Kaliski, and Rivest [SHE88].
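To make the Feistel structure and the group question concrete, here is a toy cipher with an 8-bit block and a 6-bit key, small enough that every P_K can be tabulated and every pair (K1, K2) checked against eq. (**) by exhaustion. This is an added example, not the FAQ's code and not a real cipher; the S-box, the key schedule, the number of rounds and the degenerate XOR "cipher" used for contrast are all constructed for it, and the EDE function mirrors the two-key triple-DES form E(K1,D(K2,E(K1,x))) discussed further down.

```python
"""Toy Feistel cipher illustrating the FAQ's group-theoretic definitions
(added example; constructed parameters, not a real cipher).

Block: 8 bits (two 4-bit halves), so P_K over all 2^N = 256 blocks is a
256-entry table.  Key: 6 bits, so all 64*64 pairs (K1, K2) can be tested.
"""
from itertools import product

BLOCK_BITS = 8
KEY_BITS = 6
ROUNDS = 4
KEYS = range(1 << KEY_BITS)
# Nonlinear 4-bit S-box (first row of DES S-box S1, used only as a handy bijection).
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]


def subkeys(key):
    """Toy key schedule: one 4-bit round key per round from rotations of the key."""
    mask = (1 << KEY_BITS) - 1
    rot = lambda k, n: ((k << n) | (k >> (KEY_BITS - n))) & mask
    return [(rot(key, 2 * i) ^ i) & 0xF for i in range(ROUNDS)]


def round_function(right, k):
    return SBOX[right ^ k]          # any function will do: Feistel never inverts it


def encrypt(key, block):
    """E_K(X): each round acts on one half, then the halves are swapped."""
    left, right = block >> 4, block & 0xF
    for k in subkeys(key):
        left, right = right, left ^ round_function(right, k)
    return (left << 4) | right


def decrypt(key, block):
    """Undo the rounds in reverse order; the structure, not the round
    function, is what makes E_K invertible."""
    left, right = block >> 4, block & 0xF
    for k in reversed(subkeys(key)):
        left, right = right ^ round_function(left, k), left
    return (left << 4) | right


def xor_cipher(key, block):
    """Degenerate 'cipher' E_K(X) = X xor K, whose permutations DO form a group."""
    return block ^ key


def permutation(key, cipher=encrypt):
    """P_K in the FAQ's notation: the permutation of all 2^N blocks induced by E_K."""
    return tuple(cipher(key, x) for x in range(1 << BLOCK_BITS))


def third_key(k1, k2, cipher=encrypt):
    """Return K3 with E_K2(E_K1(X)) == E_K3(X) for every X (eq. (**)), or None."""
    p1, p2 = permutation(k1, cipher), permutation(k2, cipher)
    composed = tuple(p2[p1[x]] for x in range(len(p1)))
    for k3 in KEYS:
        if permutation(k3, cipher) == composed:
            return k3
    return None


def is_group(cipher=encrypt):
    """True iff every (K1, K2) has a K3 satisfying eq. (**).  Then multiple
    encipherment buys nothing: E_K2 o E_K1 is just another single-key E."""
    table = {k: permutation(k, cipher) for k in KEYS}
    known = set(table.values())
    for k1, k2 in product(KEYS, repeat=2):
        p1, p2 = table[k1], table[k2]
        if tuple(p2[p1[x]] for x in range(len(p1))) not in known:
            return False                # composition is not any single-key E
    return True


def ede(k1, k2, block):
    """Two-key triple use E(K1, D(K2, E(K1, x))) as in ANSI X9.17; with
    K1 == K2 it collapses to one encryption, which keeps it DES-compatible."""
    return encrypt(k1, decrypt(k2, encrypt(k1, block)))


if __name__ == "__main__":
    print("every E_K is a permutation:", sorted(permutation(21)) == list(range(256)))  # True
    print("toy Feistel is a group:", is_group(encrypt))           # False
    print("xor 'cipher' is a group:", is_group(xor_cipher))      # True
    print("K3 for xor keys 5 and 9:", third_key(5, 9, xor_cipher))  # 12 (= 5 xor 9)
```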
In their paper they give strong evidence for the hypothesis that DES is not a group. In fact DES is not a group [CAM93]. * What can be proven about the security of a product cipher? Recall from above that P_K is a permutation produced by E under some key K. The goal of the designer of E is to ensure that P_K appears to be a random element of S_{2^N}, the symmetric group. Let R be an element of S_{2^N} selected randomly. We will say that P_K and R are indistinguishable if an observer given P_K and R in some order cannot distinguish between these two permutations in polynomial time. That is, with time bounded resources, the observer cannot determine which of the permutations is produced by E: the optimal decision is no better than simply guessing. Luby and Rackoff [LUB88] have shown that a class of Feistel ciphers are secure in this sense when the round mapping is replaced by random boolean functions. * How are block ciphers used to encrypt data longer than the block size? There are four standard "modes of operation" (and numerous non-standard ones as well). The standard modes of operation are defined in the U.S. Department of Commerce Federal Information Processing Standard (FIPS) 81, published in 1980. See the question about "ECB" below for more details. Although they are defined for the DES block cipher, the "modes of operation" can be used with any block cipher. * Can symmetric block ciphers be used for message authentication? One may use a symmetric cryptosystem block cipher to prove to himself that he did or did not generate a message, and to prove to himself whether his message was altered or unaltered since generation. But one cannot prove these things to another without revealing the key, and thereafter that key cannot be used to prove anything about any messages that were authenticated using that key. See ANSI X3.106-1983 and FIPS 113 (1985) for a standard method of message authentication using DES. * What exactly is DES? DES is the U.S. 
Government's Data Encryption Standard - a product cipher that operates on 64-bit blocks of data, using a 56-bit key. It is defined in FIPS 46-1 (1988) [which supersedes FIPS 46 (1977)]. FIPS are Federal Information Processing Standards published by NTIS. DES is identical to the ANSI standard Data Encryption Algorithm (DEA) defined in ANSI X3.92-1981.

* What is triple DES?

Triple DES is a product cipher which, like DES, operates on 64-bit data blocks. There are several forms, each of which uses the DES cipher 3 times. Some forms use two 56-bit keys, some use three. The "DES modes of operation" may also be used with triple-DES.

Some people refer to E(K1,D(K2,E(K1,x))) as triple-DES. This method is defined in section 7.2 of the ANSI standard X9.17-1985 "Financial Institution Key Management" and is intended for use in encrypting DES keys and IVs for "Automated Key Distribution". Its formal name is "Encryption and Decryption of a Single Key by a Key Pair", but it is referenced in other standards documents as EDE. That standard says (section 7.2.1):

  "Key encrypting keys may be a single DEA key or a DEA key pair. Key pairs should be used where additional security is needed (e.g., the data protected by the key(s) has a long security life). A key pair shall not be encrypted or decrypted using a single key."

Others use the term "triple-DES" for E(K1,D(K2,E(K3,x))) or E(K1,E(K2,E(K3,x))). Note that the decrypt-in-the-middle (EDE) form with K1 = K2 reduces to a single DES encryption under K1, which is why an EDE device can interoperate with plain DES equipment.

One of us (Carl Ellison) keeps advocating DES triple use in the form E(K1, TRAN( E(K2, TRAN( E(K3, COMPRESS( x )))))), where each DES instance has its own key and IV (for CBC mode) and TRAN has been posted on sci.crypt. (It is a large-block transposition program taking its key from the data stream itself, so that it is not an encryption program on its own.)

* What is differential cryptanalysis?

Differential cryptanalysis is a statistical attack that can be applied to any iterated mapping (i.e., any mapping which is based on a repeated round function).
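The attack described in this question, as an added example that is not from the FAQ: a constructed two-round toy (4-bit block, three 4-bit subkeys, with the 4-bit PRESENT S-box standing in for an arbitrary nonlinear S-box; all of these are assumptions made for the illustration, none of it is DES). It builds the XOR difference-distribution table, selects the most probable one-round characteristic, encrypts every plaintext pair with that input difference, and scores guesses of the last subkey by peeling off the last round, which is the structure of the Biham-Shamir attack at a scale where every step can be inspected.

```python
"""Added example: differential cryptanalysis of a constructed two-round toy.

Toy cipher (an assumption for this illustration, not DES):
    E(x) = S[ S[x ^ k1] ^ k2 ] ^ k3      4-bit block, three 4-bit subkeys
S is the 4-bit PRESENT S-box, used only as a concrete nonlinear permutation.
Everything is small enough to be exhaustive, but the steps are the real ones.
"""
from itertools import product

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SBOX_INV = [SBOX.index(v) for v in range(16)]


def encrypt(key, x):
    k1, k2, k3 = key
    return SBOX[SBOX[x ^ k1] ^ k2] ^ k3


def ddt(sbox):
    """Difference-distribution table: ddt[din][dout] counts the x with
    sbox[x] ^ sbox[x ^ din] == dout.  Each row sums to len(sbox)."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for din, x in product(range(n), repeat=2):
        table[din][sbox[x] ^ sbox[x ^ din]] += 1
    return table


def best_characteristic(sbox):
    """Most probable one-round transition (din, dout) with din != 0, and its probability."""
    table, n = ddt(sbox), len(sbox)
    din, dout = max(((a, b) for a in range(1, n) for b in range(n)),
                    key=lambda ab: table[ab[0]][ab[1]])
    return din, dout, table[din][dout] / n


def chosen_pairs(oracle, din):
    """Ciphertexts of every unordered chosen-plaintext pair (p, p ^ din)."""
    return [(oracle(p), oracle(p ^ din)) for p in range(16) if p < p ^ din]


def score_last_subkey(pairs, din, dout):
    """For each guess of k3, undo the last S-box on both ciphertexts and count
    the pairs whose difference after round 1 equals dout.  The input difference
    din passes through the k1 XOR unchanged and k2 cancels in the difference, so
    the right guess sees exactly the right pairs of the characteristic; a guess
    under which some pair shows a difference the DDT says is impossible for din
    is dropped outright.  Returns {k3_guess: count} for the surviving guesses."""
    table = ddt(SBOX)
    scores = {}
    for k3 in range(16):
        count = 0
        for c, d in pairs:
            diff = SBOX_INV[c ^ k3] ^ SBOX_INV[d ^ k3]
            if table[din][diff] == 0:
                break
            count += diff == dout
        else:
            scores[k3] = count
    return scores


def attack(oracle):
    """Chosen-plaintext attack on k3.  Returns (ranked guesses, scores, (din, dout))."""
    din, dout, _ = best_characteristic(SBOX)
    scores = score_last_subkey(chosen_pairs(oracle, din), din, dout)
    ranked = sorted(scores, key=lambda k: scores[k], reverse=True)
    return ranked, scores, (din, dout)


if __name__ == "__main__":
    key = (0x9, 0x3, 0xE)                       # constructed secret key
    ranked, scores, (din, dout) = attack(lambda x: encrypt(key, x))
    print(f"characteristic {din:#x} -> {dout:#x}, "
          f"probability {best_characteristic(SBOX)[2]}")
    print("surviving k3 guesses, best first:",
          [(hex(k), scores[k]) for k in ranked])
    print("true k3:", hex(key[2]))
```

With the full codebook of 8 pairs the correct k3 scores exactly half the DDT entry for the chosen characteristic (each ordered right input is counted once per unordered pair); what makes the attack statistical at DES scale is that only a sample of pairs is available and wrong guesses produce counts of their own, so the right key is the one that stands out after enough pairs, which for 16-round DES is the 2^{47} figure quoted below.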
The method was recently popularized by Biham and Shamir [BIH91], but Coppersmith has remarked that the S-boxes of DES were optimized against this attack some 20 years ago. This method has proved effective against several product ciphers, notably FEAL [BI91a].

Differential cryptanalysis is based on observing a large number of ciphertexts Y, Y' whose corresponding plaintexts X, X' satisfy a known difference D = X+X', where + is componentwise XOR. In the basic Biham-Shamir attack, 2^{47} such chosen-plaintext pairs are required to determine the key for DES. Substantially fewer pairs are required if DES is truncated to 6 or 8 rounds. In these cases, the actual key can be recovered in a matter of minutes using a few thousand pairs. For full DES this attack is impractical because it requires so many chosen plaintexts.

The work of Biham and Shamir on DES revealed several startling observations on the algorithm. Most importantly, if the key schedule were removed from DES and a 16*48 = 768-bit key were used, the key could be recovered in less than 2^{64} steps. Thus independent subkeys do not add substantial security to DES. Further, the S-boxes of DES are extremely sensitive in that changing even single entries in these tables yields significant improvement in the differential attack. Adi Shamir is quoted as saying (NYTimes Oct 13 1991), ``I would say that, contrary to what some people believe, there is no evidence of tampering with the DES so that the basic design was weakened.''

* How was NSA involved in the design of DES?

According to Kinnucan [KIN78], Tuchman, a member of the group that developed DES at IBM, is quoted as saying, ``We developed the DES algorithm entirely within IBM using IBMers. The NSA did not dictate a single wire!'' Tuchman and Meyer (another developer of DES) spent a year breaking ciphers and finding weaknesses in Lucifer. They then spent two years strengthening Lucifer.
``Their basic approach was to look for strong substitution, permutation, and key scheduling functions ... IBM has classified the notes containing the selection criteria at the request of the NSA.... `The NSA told us we had inadvertently reinvented some of the deep secrets it uses to make its own algorithms,' explains Tuchman.''

On the other hand, a document called ``Involvement of the NSA in the development of DES: unclassified summary of the United States Select Committee on Intelligence'', printed in the IEEE Communications Magazine, p53-55, 1978, states: ``In the development of DES, NSA convinced IBM that a reduced keysize was sufficient; indirectly assisted in the development of the S-box structures; and certified that the final DES algorithm was, to the best of their knowledge, free from any statistical or mathematical weakness.''

Clearly the key size was reduced at the insistence of the NSA. The article further states that the NSA did not tamper with the algorithm itself, just the parameters, which in some sense resolves the apparent conflict between Tuchman's remarks and the committee summary presented above.

* Is DES available in software?

Several people have made DES code available via ftp (see part 10 for pathnames): Stig Ostholm [FTPSO]; BSD [FTPBK]; Eric Young [FTPEY]; Dennis Ferguson [FTPDF]; Mark Riordan [FTPMR]; Phil Karn [FTPPK]. A Pascal listing of DES is also given in Patterson [PAT87].

FIPS 46-1 says "The algorithm specified in this standard is to be implemented ... using hardware (not software) technology. ... Software implementations in general purpose computers are not in compliance with this standard." Despite this, software implementations abound, and are used by government agencies.

* Is DES available in hardware?

The following paragraphs are quoted from messages sent to the editors. We don't vouch for the quality or even existence of the products.
Chip Rosenthal says: ``Dallas Semiconductor makes a DES encryption/decryption device for use on standard, digital 64Kbps PCM telecom data streams. It is capable of processing data in real time, e.g. one sample/frame. It is the DS2160. Their phone number is 214-450-0400. You would probably need to talk with Dewight in Telecom marketing.''

Christian Franke, franke@informatik.rwth-aachen.de, says: ``1. Cryptech CRY12C102: 22.5Mbit/s according to Data Sheet, with 32 Bit interface. We use this one, because it was the only one available when we started the project. No problems! 2. Pijnenburg PCC100: 20Mbit/s according to Data Sheet. Address: PIJNENBURG B.V., Boxtelswweg 26, NL-5261 NE Vught, The Netherlands. 3. INFOSYS DES Chip (Germany): S-Boxes must be loaded by software. So you can modify the Algorithm. Sorry, I don't have the data sheet handy. Please E-Mail me if you need further information.''

mjr@tis.com (Marcus J Ranum) says: "SuperCrypt" 100Mb/sec and faster; DES and Proprietary; Storage for 16 56-bit keys; Key stream generator; Integrated hardware DES3 procedure; Extended mode with 112 bit keys; Computer Elektronik Infosys; 512-A Herndon Parkway; Herndon, VA 22070; (800)322-3464

thember@gandalf.ca (Tim Hember) says: Newbridge Microsystems sells an AM9568 compatible DES chip that operates at 25MHz, performs a round of encryption in 18 clocks, has a three-stage pipeline, supports ECB, CBC, CFB-8 and >>> CFB-1 <<<<. Further it is very reasonably priced as opposed to other high-end DES chips. Call Newbridge Microsystems, Ottawa, (613) 592-0714. (... there are no import/export issues with Canada and the US). If you require custom DES or Public Key ICs then Timestep Engineering developed Newbridge's crypto chips and ICs for other commercial and educational establishments. They can be reached at (613) 820-0024.

* Can DES be used to protect classified information?

DES is not intended to protect classified data.
FIPS 46-1 says: "This standard will be used by Federal departments and agencies for the cryptographic protection of computer data when the following conditions apply: 1. ... cryptographic protection is required; and 2. the data is not classified according to the National Security Act of 1947, as amended, or the Atomic Energy Act of 1954, as amended."

* What are "ECB", "CBC", "CFB", and "OFB" encryption?

These are methods for using block ciphers, such as DES, to encrypt messages, files, and blocks of data, known as "modes of operation." Four "modes of operation" are defined in FIPS 81 (1980 December 2), and also in ANSI X3.106-1983. FIPS 81 specifies that when 7-bit ASCII data is sent in octets, the unused most-significant bit is to be set to 1. FIPS 81 also specifies the padding for short blocks.

The four DES modes of operation are: Electronic Code Book (ECB), Cipher Block Chaining (CBC), K-bit Cipher FeedBack (CFB), and K-bit Output FeedBack (OFB). These methods are explained below in a C-language-like notation.

Some symbols:

  P[n]      The n'th block of plaintext, input to encryption, output from
            decryption. Size of block determined by the mode.
  C[n]      The n'th block of ciphertext, output from encryption, input to
            decryption. Size of block determined by the mode.
  E(m)      The DES encryption function, performed on 64-bit block m, using
            the 16-key schedule derived from some 56-bit key.
  D(m)      The DES decryption function, performed on 64-bit block m, using
            the same key schedule as in E(m), except that the 16 keys in the
            schedule are used in the opposite order as in E(m).
  IV        A 64-bit "initialization vector", a secret value which, along
            with the key, is shared by both encryptor and decryptor.
  I[n]      The n'th value of a 64-bit variable, used in some modes.
  R[n]      The n'th value of a 64-bit variable, used in some modes.
  LSB(m,k)  The k least significant (right-most) bits of m.
            e.g. m & ((1 << k) - 1)
  MSB(m,k)  The k most significant (left-most) bits of m. e.g.
            (m >> (64-k)) & ((1 << k) - 1)
  = ^ << >> &   operators as defined in the C language.

Electronic Code Book (ECB):
  P[n] and C[n] are each 64 bits long.
  Encryption:                        Decryption:
  C[n] = E(P[n])                     P[n] = D(C[n])

Cipher Block Chaining (CBC):
  P[n] and C[n] are each 64 bits long.
  Encryption:                        Decryption:
  C[0] = E(P[0]^IV)                  P[0] = D(C[0])^IV
  (n>0) C[n] = E(P[n]^C[n-1])        P[n] = D(C[n])^C[n-1]

k-bit Cipher FeedBack (CFB):
  P[n] and C[n] are each k bits long, 1 <= k <= 64.
  Encryption:                        Decryption:
  I[0] = IV                          I[0] = IV
  (n>0) I[n] = I[n-1]<<k | C[n-1]    I[n] = I[n-1]<<k | C[n-1]
        (the shift discards the k high-order bits, so I[n] stays 64 bits wide;
        for k=64 this is simply I[n] = C[n-1])
  (all n) R[n] = E(I[n])             R[n] = E(I[n])
  (all n) C[n] = P[n]^MSB(R[n],k)    P[n] = C[n]^MSB(R[n],k)

  CFB notes: Since I[n] depends only on the plain or cipher text from the previous operation, the E() function can be performed in parallel with the reception of the text with which it is used.

k-bit Output FeedBack (OFB):
  P[n] and C[n] are each k bits long, 1 <= k <= 64.
  Encryption:                              Decryption:
  I[0] = IV                                I[0] = IV
  (n>0) I[n] = I[n-1]<<k | MSB(R[n-1],k)   I[n] = I[n-1]<<k | MSB(R[n-1],k)
        (for k=64 this is simply I[n] = R[n-1])
  (all n) R[n] = E(I[n])                   R[n] = E(I[n])
  (all n) C[n] = P[n]^MSB(R[n],k)          P[n] = C[n]^MSB(R[n],k)

  OFB notes: encryption and decryption are identical. Since I[n] is independent of P and C, the E() function can be performed in advance of the receipt of the plain/cipher text with which it is to be used.

Additional notes on DES "modes of operation":

ECB and CBC use E() to encrypt and D() to decrypt, but the feedback modes use E() to both encrypt and decrypt. This disproves the erroneous claim that systems which feature E() but not D() cannot be used for data confidentiality, and therefore are not subject to export controls.

In ECB, equal plaintext blocks give equal ciphertext blocks under the same key, so repetition in P is visible in C; the other three modes hide this. In CFB and OFB the value MSB(R[n],k) is a keystream, so an IV reused under the same key reuses that keystream, and the XOR of two such ciphertexts is the XOR of the two plaintexts. In CBC an IV that an attacker can predict lets him test a guess about the first block by choosing a plaintext, so the IV should be unpredictable and not merely shared.

Newsgroup: sci.crypt document_id: 15253
From: crypt-comments@math.ncsu.edu
Subject: Cryptography FAQ 06/10 - Public Key Cryptography
Archive-name: cryptography-faq/part06
Last-modified: 1993/4/15

FAQ for sci.crypt, part 6: Public-Key Cryptography

This is the sixth of ten parts of the sci.crypt FAQ. The parts are mostly independent, but you should read the first part before the rest.
We don't have the time to send out missing parts by mail, so don't ask. Notes such as ``[KAH67]'' refer to the reference list in the last part. The sections of this FAQ are available via anonymous FTP to rtfm.mit.edu as /pub/usenet/news.answers/cryptography-faq/part[xx]. The Cryptography FAQ is posted to the newsgroups sci.crypt, sci.answers, and news.answers every 21 days.

Contents:

* What is public-key cryptography?
* What's RSA?
* Is RSA secure?
* How fast can people factor numbers?
* What about other public-key cryptosystems?

* What is public-key cryptography?

In a classic cryptosystem, we have encryption functions E_K and decryption functions D_K such that D_K(E_K(P)) = P for any plaintext P. In a public-key cryptosystem, E_K can be easily computed from some ``public key'' X which in turn is computed from K. X is published, so that anyone can encrypt messages. If D_K cannot be easily computed from X, then only the person who generated K can decrypt messages. That's the essence of public-key cryptography, published by Diffie and Hellman in 1976.

In a classic cryptosystem, if you want your friends to be able to send secret messages to you, you have to make sure nobody other than them sees the key K. In a public-key cryptosystem, you just publish X, and you don't have to worry about spies reading it; what you still have to worry about is that the X your friends obtain is really yours and not one a spy substituted for it.

This is only the beginning of public-key cryptography. There is an extensive literature on security models for public-key cryptography, applications of public-key cryptography, other applications of the mathematical technology behind public-key cryptography, and so on.

* What's RSA?

RSA is a public-key cryptosystem defined by Rivest, Shamir, and Adleman. For full details, there is a FAQ available by ftp at RSA.COM.

Here's a small example. Plaintexts are positive integers up to 2^{512}. Keys are quadruples (p,q,e,d), with p a 256-bit prime number, q a 258-bit prime number, and d and e large numbers with (de - 1) divisible by (p-1)(q-1).
We define E_K(P) = P^e mod pq, D_K(C) = C^d mod pq. Now E_K is easily computed from the pair (pq,e)---but, as far as anyone knows, there is no easy way to compute D_K from the pair (pq,e). So whoever generates K can publish (pq,e). Anyone can send a secret message to him; he is the only one who can read the messages.

* Is RSA secure?

Nobody knows. An obvious attack on RSA is to factor pq into p and q. See below for comments on how fast state-of-the-art factorization algorithms run. Unfortunately nobody has the slightest idea how to prove that factorization---or any realistic problem at all, for that matter---is inherently slow.

It is easy to formalize what we mean by ``RSA is/isn't strong''; but, as Hendrik W. Lenstra, Jr., says, ``Exact definitions appear to be necessary only when one wishes to prove that algorithms with certain properties do _not_ exist, and theoretical computer science is notoriously lacking in such negative results.''

* How fast can people factor numbers?

It depends on the size of the numbers. In October 1992 Arjen Lenstra and Dan Bernstein factored 2^523 - 1 into primes, using about three weeks of MasPar time. (The MasPar is a 16384-processor SIMD machine; each processor can add about 200000 integers per second.)

The algorithm there is called the ``number field sieve''; it is quite a bit faster for special numbers like 2^523 - 1 than for general numbers n, but it takes time only about exp(O(log^{1/3} n log^{2/3} log n)) in any case. An older and more popular method for smaller numbers is the ``multiple polynomial quadratic sieve'', which takes time exp(O(log^{1/2} n log^{1/2} log n))---faster than the number field sieve for small n, but slower for large n. The breakeven point is somewhere between 100 and 150 digits, depending on the implementations.

Factorization is a fast-moving field---the state of the art just a few years ago was nowhere near as good as it is now.
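The RSA definitions given two questions above, carried through at toy size as an added example (this is not the FAQ's code nor RSAREF): key generation with the (de - 1) divisible by (p-1)(q-1) check, encryption and decryption, and the "obvious attack", factoring pq by trial division and recomputing d from the public pair. The primes are constructed six-digit ones so that the attack finishes instantly; the point of real 256-bit primes is precisely that this step does not.

```python
"""Added example: the FAQ's RSA definitions at toy size, plus the obvious attack.

Key (p, q, e, d) with (d*e - 1) divisible by (p-1)(q-1);
E_K(P) = P^e mod pq,  D_K(C) = C^d mod pq.
The primes are constructed six-digit ones so that factoring pq by trial
division is instant; with 256-bit primes that step is the whole problem.
"""
from math import gcd, isqrt


def modinv(a, m):
    """Inverse of a modulo m by the extended Euclidean algorithm."""
    r0, r1, s0, s1 = m, a % m, 0, 1          # invariant: r_i == s_i * a (mod m)
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    if r0 != 1:
        raise ValueError("not invertible")
    return s0 % m


def keygen(p, q, e=65537):
    """Return ((pq, e), d).  Checks the divisibility condition from the FAQ."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = modinv(e, phi)
    assert (d * e - 1) % phi == 0
    return (n, e), d


def encrypt(pub, m):
    """E_K(P) = P^e mod pq; only the public pair (pq, e) is needed."""
    n, e = pub
    if not 0 < m < n:
        raise ValueError("plaintext must be a positive integer below pq")
    return pow(m, e, n)


def decrypt(n, d, c):
    """D_K(C) = C^d mod pq; needs the private exponent d."""
    return pow(c, d, n)


def factor_by_trial_division(n):
    """Recover (p, q) from pq.  Feasible only because n is tiny."""
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("no factor found")


def break_key(pub):
    """What factoring pq buys the attacker: d, recomputed exactly as keygen did."""
    n, e = pub
    p, q = factor_by_trial_division(n)
    return modinv(e, (p - 1) * (q - 1))


if __name__ == "__main__":
    pub, d = keygen(104723, 104729)            # constructed six-digit primes
    c = encrypt(pub, 123456789)
    print("ciphertext", c, "decrypts to", decrypt(pub[0], d, c))
    print("attacker recovers d from (pq, e):", break_key(pub) == d)
```

Everything the attacker does in break_key is also what the legitimate key holder did in keygen; the only asymmetry in RSA is that the key holder started from p and q and the attacker has to find them, which is why the running time of factoring, discussed in the next question, is the whole security argument.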
If no new methods are developed, then 2048-bit RSA keys will always be safe from factorization, but one can't predict the future. (Before the number field sieve was found, many people conjectured that the quadratic sieve was asymptotically as fast as any factoring method could be.)

* What about other public-key cryptosystems?

We've talked about RSA because it's well known and easy to describe. But there are lots of other public-key systems around, many of which are faster than RSA or depend on problems more widely believed to be difficult.

This has been just a brief introduction; if you really want to learn about the many facets of public-key cryptography, consult the books and journal articles listed in part 10.

Newsgroup: sci.crypt document_id: 15254
From: crypt-comments@math.ncsu.edu
Subject: Cryptography FAQ 07/10 - Digital Signatures
Archive-name: cryptography-faq/part07
Last-modified: 1993/4/15

FAQ for sci.crypt, part 7: Digital Signatures and Hash Functions

This is the seventh of ten parts of the sci.crypt FAQ. The parts are mostly independent, but you should read the first part before the rest.

Contents:

* What is a one-way hash function?
* What is the difference between public, private, secret, shared, etc.?
* What are MD4 and MD5?
* What is Snefru?

* What is a one-way hash function?

A typical one-way hash function takes a variable-length message and produces a fixed-length hash. Given the hash it is computationally infeasible to find a message with that hash; in fact one can't determine any usable information about a message with that hash, not even a single bit.
For some one-way hash functions it's also computationally infeasible to determine two messages which produce the same hash (collision resistance, which is the property a signature application needs: a signature on one message of a colliding pair is also a valid signature on the other).

A one-way hash function can be private or public, just like an encryption function. Here's one application of a public one-way hash function, like MD5 or Snefru. Most public-key signature systems are relatively slow. To sign a long message may take longer than the user is willing to wait. Solution: Compute the one-way hash of the message, and sign the hash, which is short. Now anyone who wants to verify the signature can do the same thing.

Another name for one-way hash function is message digest function.

* What is the difference between public, private, secret, shared, etc.?

There is a horrendous mishmash of terminology in the literature for a very small set of concepts. When an algorithm depends on a key which isn't published, we call it a private algorithm; otherwise we call it a public algorithm. We have encryption functions E and decryption functions D, so that D(E(M)) = M for any message M. We also have hashing functions H and verification functions V, such that V(M,X) = 1 if and only if X = H(M).

A public-key cryptosystem has public encryption and private decryption. Checksums, such as the application mentioned in the previous question, have public hashing and public verification. Digital signature functions have private hashing and public verification: only one person can produce the hash for a message, but everyone can verify that the hash is correct.

Obviously, when an algorithm depends on a private key, it's meant to be unusable by anyone who doesn't have the key. There's no real difference between a ``shared'' key and a private key: a shared key isn't published, so it's private. If you encrypt data for a friend rather than ``for your eyes only'', are you suddenly doing ``shared-key encryption'' rather than private-key encryption? No.

* What are MD4 and MD5?

MD4 and MD5 are message digest functions developed by Ron Rivest.
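The hash-then-sign application described under the one-way hash question above, as an added example that is not part of the FAQ. It uses a constructed toy RSA key (p = 2^31 - 1, q = 2^32 + 15, e = 65537; assumptions made for the illustration) and SHA-256 rather than MD5, because collisions for MD5 have since been found and a colliding pair defeats exactly this construction. The digest is truncated so that it fits below pq; a real scheme pads the full digest (e.g. PKCS#1) instead of truncating, and uses a key of thousands of bits.

```python
"""Added example: hash-then-sign with a constructed toy RSA key.

Sign the short digest of a long message, not the message itself; anyone
holding the public key recomputes the digest and checks the signature.
Constructed toy key: p = 2^31 - 1 and q = 2^32 + 15 (both prime), e = 65537.
"""
import hashlib

P, Q, E = 2**31 - 1, 2**32 + 15, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)


def digest(message: bytes) -> int:
    """Fixed-length one-way hash of an arbitrary-length message, as an
    integer below N.  Truncation to 7 bytes is a toy simplification so the
    value fits under the 63-bit modulus; real schemes pad instead."""
    return int.from_bytes(hashlib.sha256(message).digest()[:7], "big")


def sign(message: bytes, d: int = D) -> int:
    """Signer: one modular exponentiation on the digest, however long the message."""
    return pow(digest(message), d, N)


def verify(message: bytes, signature: int, e: int = E) -> bool:
    """Verifier: recompute the digest and compare it with signature^e mod N."""
    return 0 < signature < N and pow(signature, e, N) == digest(message)


if __name__ == "__main__":
    msg = b"long message " * 10_000          # constructed sample input
    sig = sign(msg)
    print("valid:", verify(msg, sig))                       # True
    print("tampered:", verify(msg[:-1] + b"!", sig))        # False
```

Because x -> x^e mod N is a permutation of the residues, a signature that verifies for one digest cannot verify for another, so the only way to forge one is to find a second message with the same digest: this is why the collision resistance mentioned above, and not merely one-wayness, is what the signature relies on.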
Definitions appear in RFC 1320 and RFC 1321 (see part 10). Code is available from [FTPMD]. Note that a transcription error was found in the original MD5 draft RFC. The corrected algorithm should be called MD5a, though some people refer to it as MD5.

* What is Snefru?

Snefru is a family of message digest functions developed by Ralph Merkle. Snefru-8 is an 8-round function, the newest in the family. Definitions appear in Merkle's paper [ME91a]. Code is available from [FTPSF].

Newsgroup: sci.crypt document_id: 15255
From: crypt-comments@math.ncsu.edu
Subject: Cryptography FAQ 09/10 - Other Miscellany
Archive-name: cryptography-faq/part09
Last-modified: 1993/4/15

FAQ for sci.crypt, part 9: Other Miscellany

This is the ninth of ten parts of the sci.crypt FAQ. The parts are mostly independent, but you should read the first part before the rest.

Contents:

* What is the National Security Agency (NSA)?
* What are the US export regulations?
* What is TEMPEST?
* What are the Beale Ciphers, and are they a hoax?
* What is the American Cryptogram Association, and how do I get in touch?
* Is RSA patented?
* What about the Voynich manuscript?

* What is the National Security Agency (NSA)?

The NSA is the official security body of the U.S. government. It was created by a memorandum of President Truman in 1952 (succeeding the Armed Forces Security Agency set up in 1949), and has continued research in cryptology till the present. The NSA is known to be the largest employer of mathematicians in the world, and is also the largest purchaser of computer hardware in the world. Governments in general have always been prime employers of cryptologists.
The NSA probably possesses cryptographic expertise many years ahead of the public state of the art, and can undoubtedly break many of the systems used in practice; but for reasons of national security almost all information about the NSA is classified. Bamford's book [BAMFD] gives a history of the people and operations of the NSA. The following quote from Massey [MAS88] highlights the difference between public and private research in cryptography:

  ``... if one regards cryptology as the prerogative of government, one accepts that most cryptologic research will be conducted behind closed doors. Without doubt, the number of workers engaged today in such secret research in cryptology far exceeds that of those engaged in open research in cryptology. For only about 10 years has there in fact been widespread open research in cryptology. There have been, and will continue to be, conflicts between these two research communities. Open research is a common quest for knowledge that depends for its vitality on the open exchange of ideas via conference presentations and publications in scholarly journals. But can a government agency, charged with responsibilities of breaking the ciphers of other nations, countenance the publication of a cipher that it cannot break? Can a researcher in good conscience publish such a cipher that might undermine the effectiveness of his own government's code-breakers? One might argue that publication of a provably-secure cipher would force all governments to behave like Stimson's `gentlemen', but one must be aware that open research in cryptography is fraught with political and ethical considerations of a severity greater than in most scientific fields. The wonder is not that some conflicts have occurred between government agencies and open researchers in cryptology, but rather that these conflicts (at least those of which we are aware) have been so few and so mild.''

* What are the US export regulations?
In a nutshell, there are two government agencies which control export of encryption software. One is the Bureau of Export Administration (BXA) in the Department of Commerce, authorized by the Export Administration Regulations (EAR). Another is the Office of Defense Trade Controls (DTC) in the State Department, authorized by the International Traffic in Arms Regulations (ITAR). As a rule of thumb, BXA (which works with COCOM) has less stringent requirements, but DTC (which takes orders from NSA) wants to see everything first and can refuse to transfer jurisdiction to BXA.

The newsgroup misc.legal.computing carries many interesting discussions on the laws surrounding cryptographic export, what people think about those laws, and many other complex issues which go beyond the scope of technical groups like sci.crypt. Make sure to consult your lawyer before doing anything which will get you thrown in jail; if you are lucky, your lawyer might know a lawyer who has at least heard of the ITAR.

* What is TEMPEST?

TEMPEST is a standard for electromagnetic shielding for computer equipment. It was created in response to the discovery that information can be read from computer radiation (e.g., from a CRT) at quite a distance and with little effort. Needless to say, encryption doesn't do much good if the cleartext is available this way.

* What are the Beale Ciphers, and are they a hoax?

(Thanks to Jim Gillogly for this information and John King for corrections.)

The story in a pamphlet by J. B. Ward (1885) goes: Thomas Jefferson Beale and a party of adventurers accumulated a huge mass of treasure and buried it in Bedford County, Virginia, leaving three ciphers with an innkeeper; the ciphers describe the location, contents, and intended beneficiaries of the treasure. Ward gives a decryption of the second cipher (contents) called B2; it was encrypted as a book cipher using the initial letters of the Declaration of Independence (DOI) as key.
B1 and B3 are unsolved; many documents have been tried as the key to B1. Aficionados can join a group that attempts to solve B1 by various means with an eye toward splitting the treasure:

  The Beale Cypher Association
  P.O. Box 975
  Beaver Falls, PA 15010

You can get the ciphers from the rec.puzzles FAQL by including the line:

  send index

in a message to netlib@peregrine.com and following the directions. (There are apparently several different versions of the cipher floating around. The correct version is based on the 1885 pamphlet, says John King.)

Some believe the story is a hoax. Kruh [KRU88] gives a long list of problems with the story. Gillogly [GIL80] decrypted B1 with the DOI and found some unexpected strings, including ABFDEFGHIIJKLMMNOHPP. Hammer (president of the Beale Cypher Association) agrees that this string couldn't appear by chance, but feels there must be an explanation; Gwyn (sci.crypt expert) is unimpressed with this string.

* What is the American Cryptogram Association, and how do I get in touch?

The ACA is an organization devoted to cryptography, with an emphasis on cryptanalysis of systems that can be attacked either with pencil-and-paper or computers. Its organ ``The Cryptogram'' includes articles and challenge ciphers. Among the more than 50 cipher types in English and other languages are simple substitution, Playfair, Vigenere, bifid, Bazeries, grille, homophonic, and cryptarithm. Dues are $15 for one year (6 issues); more outside of North America; less for students under 18 and seniors. Subscriptions should be sent to ACA Treasurer, 18789 West Hickory St., Mundelein, IL 60060.

* Is RSA patented?

Yes. The patent number is 4,405,829, filed 12/14/77, granted 9/20/83. For further discussion of this patent, whether it should have been granted, algorithm patents in general, and related legal and moral issues, see comp.patents and misc.legal.computing. For information about the League for Programming Freedom see [FTPPF].
Note that one of the original purposes of comp.patents was to collect questions such as ``should RSA be patented?'', which often flooded sci.crypt and other technical newsgroups, into a more appropriate forum.

* What about the Voynich manuscript?

nelson@reed.edu (Nelson Minar) says there is a mailing list on the subject. The address to write to subscribe to the VMS mailing list is:

The ftp archive is: rand.org:/pub/voynich

There's all sorts of information about the manuscript itself, of course. A good bibliography can be found on the ftp site. Kahn's "The Codebreakers" gives a good introduction.

Newsgroup: sci.crypt document_id: 15256
From: johnson@trwacs.fp.trw.com (Steve Johnson)
Subject: Re: How do they know what keys to ask for? (Re: Clipper)

brad@clarinet.com (Brad Templeton) writes:

[...]
>And of course you have to identify yourself to the phone company, and
>since the phone company complies with court orders, they will know the
>magic number of your chip when they sign out a warrant on you, and
>then can present the warrant to the key escrow house.

Who makes them forget and destroy all copies of the key once they've decided you're not a criminal today? Just curious.

>--
>Brad Templeton, ClariNet Communications Corp. -- Sunnyvale, CA 408/296-0366

-------  Any views expressed are those of myself and not my employer. --------
Steven C. Johnson, WB3IRU / VK2GDS | TRW | johnson@trwacs.fp.trw.com
FP1 / 3133 | [129.193.172.90]
1 Federal Systems Park Drive | Phone: +1 (703) 968.1000
Fairfax, Virginia 22033-4412 U.S.A. | Fax: +1 (703) 803.5189

Newsgroup: sci.crypt document_id: 15257
From: bet@sbi.com (Bennett Todd @ Salomon Brothers Inc., NY )
Subject: Re: Source of random bits on a Unix workstation

>>For your application, what you can do is to encrypt the real-time clock
>>value with a secret key.

Well, almost.... If I only had to solve the problem for myself, and were willing to have to type in a second password (the secret key) whenever I logged in, it could work. However, I'm trying to create a solution that anyone can use, and which, once installed, is just as effortless to start up as the non-solution of just using xhost(1) to control access. I've got religious problems with storing secret keys on multiuser computers.

>For a good discussion of cryptographically "good" random number
>generators, check out the draft-ietf-security-randomness-00.txt
>Internet Draft, available at your local friendly internet drafts
>repository.

Thanks for the pointer! It was good reading, and I liked the idea of using several unrelated sources with a strong mixing function. However, unless I missed something, the only source they suggested (aside from a hardware RNG) that seems available, and unguessable by an intruder, when a Unix is fresh-booted, is I/O buffers related to network traffic. I believe my solution basically uses that strategy, without requiring me to reach into the kernel.

>A reasonable source of randomness is the output of a cryptographic
>hash function (e.g., MD5), when fed with a large amount of
>more-or-less random data. For example, running MD5 on /dev/mem is a
>slow, but random enough, source of random bits; there are bound to be
>128 bits of entropy in the tens (or hundreds) of megabytes of data in
>a modern workstation's memory, as a fair amount of them are system
>timers, i/o buffers, etc.

I heard about this solution, and it sounded good.
Then I heard that folks were experiencing times of 30-60 seconds to run this, on reasonably-configured workstations. I'm not willing to add that much delay to someone's login process. My approach (etherfind|compress, skip 10K) takes a second or two to run.

I'm considering writing the be-all and end-all of solutions, that launches the MD5, and simultaneously tries to suck bits off the net, and if the net should be sitting __SO__ idle that it can't get 10K after compression before MD5 finishes, use the MD5. This way I could have guaranteed good bits, and a deterministic upper bound on login time, and still have the common case of login take only a couple of extra seconds.

-Bennett
bet@sbi.com

Newsgroup: sci.crypt document_id: 15258
From: george@minster.york.ac.uk
Subject: Non-word password generator

Does anyone know of a non-word password generator program for PC's? i.e. it will produce a nonsense word but still be pronounceable, e.g. lisgollan. Wanted to "force" users to adopt more secure passwords, but still be memorable!

Thanks - George Bolt

p.s. please email me as well if possible "george@psychmips.york.ac.uk"

Newsgroup: sci.crypt document_id: 15259
From: brad@clarinet.com (Brad Templeton)
Subject: Re: Once tapped, your code is no good any more.

In article tcmay@netcom.com (Timothy C. May) writes:
>Getting the court order to reveal the key *also* makes decipherable
>all *past* conversations (which may be on tape, or disk, or whatever),
>as I understand the proposal. I could be wrong, but I've seen no
>mention of "session keys" being the escrowed entities.

True in theory. In practice? The technology of cellular phones will probably be spread spectrum and quite difficult to record the crypttext without the key. If the frequency path depends on the key, as I understand it to, it *could* be made effectively impossible to record. Once it hits land you can record it if you have telco access. The telco isn't supposed to give that without a warrant. That's the rule today.
But even so, the evidence would not be admissible, I think, unless the judge so ordered. I think that even interception of the crypttext without a warrant would be illegal. Cops can't record today's plain cellular calls and then ask a judge, "Hey, can we have permission to listen to those tapes?" can they? >worse, of course, if the government then uses this "Clinton Clipper" >to argue for restrictions on unapproved encryption. (This is the main >concern of most of us, I think. The camel's nose in the tent, etc.) Yes, that is a major concern, but I think that they think they can win just by having 99.5% of the USA use this system. They don't even have to care about the cautious .5% that's left. They don't catch the really smart crooks anyway. John Gotti, who would have to be retarded not to realize he was likely to be wiretapped, glibly chatted away on his tapped phone about murder plans. That's why he's in jail now. Hard to believe, but true. This scheme can succeed without laws forbidding more, which people would fight a lot harder. They like this enough that they are dropping the so called "Digital Telephony" proposal, according to rumours. However the meaning of that is complex, since they still want to get at the crypttext on telco systems, and that requires a bit of work. -- Brad Templeton, ClariNet Communications Corp. -- Sunnyvale, CA 408/296-0366 Newsgroup: sci.crypt document_id: 15260 From: johnson@trwacs.fp.trw.com (Steve Johnson) Subject: Re: Once tapped, your code is no good any more. tcmay@netcom.com (Timothy C. May) writes: >Brad Templeton (brad@clarinet.com) wrote: >: It occurs to me that if they get a wiretap order on you, and the escrow >: houses release your code to the cops, your code is now no longer secure. >: >: It's in the hands of cops, and while I am sure most of the time they are >: good, their security will not be as good as the escrow houses. 
>: >: What this effectively means is that if they perform a wiretap on you, >: at the end of the wiretap, they should be obligated to inform you that >: a tap was performed, and replace (for free) the clipper chip in your >: cellular phone so that it is once again a code known only to the >: escrow houses. >Getting the court order to reveal the key *also* makes decipherable >all *past* conversations (which may be on tape, or disk, or whatver), >as I understand the proposal. I could be wrong, but I've seen no >mention of "session keys" being the escrowed entities. >As the EFF noted, this raises further issues about the fruits of one >bust leading to incrimination in other areas. >But is it any worse than the current unsecure system? It becomes much >worse, of course, if the government then uses this "Clinton Clipper" >to argue for restrictions on unapproved encryption. (This is the main >concern of most of us, I think. The camel's nose in the tent, etc.) >And it may also become much worse if the ostensible security is >increased, thus allowing greater access to "central office" records by >the government (the conversations being encrypted, who will object to >letting the government have access to them, perhaps even automatically >archiving large fractions...). This was one of the main objections to >the S.266 proposal, that it would force telecom suppliers to provide >easy access for the government. >One the government has had access to months or years of your encrypted >conversations, now all it takes is one misstep, one violation that >gets them the paperwork needed to decrypt *all* of them! >Do we want anyone to have this kind of power? >-Tim May, whose sig block may get him busted in the New Regime A remark I heard the other day is beginning to take on increasingly frightening significance. 
The comment was made that "In other parts of the world the Democrats [note the big "D"] would be known as Socialists" A [note the small "d"] democrat who wonders what Thomas Jefferson, on this the 250th anniversary of his birth, would have thought of the state of affairs between the government and the governed. ------- Any views expressed are those of myself and not my employer. -------- Steven C. Johnson, WB3IRU / VK2GDS | TRW | johnson@trwacs.fp.trw.com FP1 / 3133 | [129.193.172.90] 1 Federal Systems Park Drive | Phone: +1 (703) 968.1000 Fairfax, Virginia 22033-4412 U.S.A. | Fax: +1 (703) 803.5189 -- ------- Any views expressed are those of myself and not my employer. -------- Steven C. Johnson, WB3IRU / VK2GDS | TRW | johnson@trwacs.fp.trw.com FP1 / 3133 | [129.193.172.90] Newsgroup: sci.crypt document_id: 15261 From: wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705) Subject: Re: text of White House announcement and Q&As on clipper chip encryption In article jhesse@netcom.com (John Hesse) writes: Stupid me. I believed the Democrats stood for principles of personal privacy while it was the Neanderthal Republicans that wanted into every aspect of our lives. Clinton is just more clever than the other guy. Looks like gun control for privacy technology. One small step at a time. Remember "Defend Firearms - Defeat Dukakis", followed by Bush's soon-after- election support for gun-control? This is the Democrats' version "Defend Free Speech - Reject Republicans" followed by speech control. Wait a minute.... Let me think about this. Hmmm, I feel better now. I believe the White House when they tell us this first step is, in fact, the final step. All is OK. We've nothing to fear. They're here to help us. God bless America. Hey, like the grrreat J.R. "Bob" Dobbs says, you've got to pull the wool over your *own* eyes! 
-- # Pray for peace; Bill # Bill Stewart 1-908-949-0705 wcs@anchor.att.com AT&T Bell Labs 4M312 Holmdel NJ # No, I'm *from* New Jersey, I only *work* in cyberspace.... # White House Commect Line 1-202-456-1111 fax 1-202-456-2461 Newsgroup: sci.crypt document_id: 15262 From: sphughes@sfsuvax1.sfsu.edu (Shaun P. Hughes) Subject: Clipper Crap >encryption's dual-edge sword: encryption helps to protect the >privacy of individuals and industry, but it also can shield >criminals and terrorists. We need the "Clipper Chip" and other ^^^^^^^^^^^^^^^^^^^^^^^^ Just a random passing thought, but can anyone cite a documented use of encryption technology by criminals and terrorists. (Excluding the Iran-Contra Gang) -- Shaun P. Hughes sphughes@sfsuvax1.sfsu.edu finger for PGP 2.2 Public Key Newsgroup: sci.crypt document_id: 15263 From: wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705) Subject: White House Wiretap Chip Disinformation Sheet Fascinating. Most of the content of the White House announcements was in what was *not* said. It gives us almost nothing of value, threatens to take away a lot, and does it with a sincere smile on its face, and the nice friendly word "Management". FACT SHEET PUBLIC ENCRYPTION MANAGEMENT The first thing it doesn't say is "We're giving you stronger encryption". what it says is the U. S. Government has developed a microcircuit that not only provides privacy through encryption that is substantially more robust than the current government standard, but also permits escrowing of the keys needed to unlock the encryption. The system for the escrowing of keys will allow the government to gain access to encrypted information only with appropriate legal authorization. But DES is strong enough that only the government can break it now, so the major effect is to make it EASIER for government to break! 
*At best* it makes it more difficult for the NSA to break, since they need to get one of the two escrowed keys to do a brute-force search for the other 40-bit key. Similarly, it didn't say "We're making encryption is commercially available." because encryption *is* already commercially available, including forms the NSA may not be able to break, like triple-DES or IDEA. And phone companies could offer DES-based systems *now* if they were convinced the government would let them and they could make enough money. The next thing it didn't say is "We're making encryption legal", because of course encryption *has always been* legal, and the President can't change the First Amendment merely by decree. What it *did* say was: In making this decision, I do not intend to prevent the private sector from developing, or the government from approving, other microcircuits or algorithms that are equally effective in assuring both privacy and a secure key- escrow system. which clearly means "We're making encryption illegal unless we get your keys. Soon. Once business buys into this." Another thing it didn't say is "We're going to ask Congress for money to do *lots* more wiretapping", because of course, there's a budget crisis, and Congress might debate the policy issues or not give them the cash. What it *did* say was: The Attorney General will procure and utilize encryption devices to the extent needed to preserve the government's ability to conduct lawful electronic surveillance and to fulfill the need for secure law enforcement communications. Further, the Attorney General shall utilize funds from the Department of Justice Asset Forfeiture Super Surplus Fund to effect this purchase. which means "We've got money Congress can't control and we're going to buy lots of wiretapping equipment with it to detect NON-APPROVED CRYPTO (that's what "preserve the government's ability to conduct ... surveillance" means.) 
-- # Pray for peace; Bill # Bill Stewart 1-908-949-0705 wcs@anchor.att.com AT&T Bell Labs 4M312 Holmdel NJ # No, I'm *from* New Jersey, I only *work* in cyberspace.... # White House Commect Line 1-202-456-1111 fax 1-202-456-2461 Newsgroup: sci.crypt document_id: 15264 From: brad@clarinet.com (Brad Templeton) Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow] Interestingly enough, in designing the escrow, we may want to use some rather unusual technology, such as sealed boxes of paper, or destructive read memory, rather than typical computer databases, which is fun for a database of hundreds of millions of keys. The greatest danger of the escrow database, if it were kept on disk, would be the chance that a complete copy could somehow leak out. You can design lots of protection, but with enough corruption a complete copy is always possible. Storing it on paper or something very hard to copy at once may actually make sense. Or a medium that can't be copied -- for example, something with very slow access times or which leaves a destructive trail if it is even read. Of course then it's hard to backup. However, I think the consequences of no backup -- the data is not there when a warrant comes -- are worse than the consequences of a secret backup. An audit trail that reveals when data has been access, that *can't* be erased by the humans involved, is also necessary. -- Brad Templeton, ClariNet Communications Corp. -- Sunnyvale, CA 408/296-0366 Newsgroup: sci.crypt document_id: 15265 From: rdippold@qualcomm.com (Ron "Asbestos" Dippold) Subject: Re: Clinton Boost in Spy Spending Right on the heels of the Clinton "registered encryption key" debacle comes: sphughes@sfsuvax1.sfsu.edu (Shaun P. Hughes) writes: >[From yesterdays S.F. 
Chronicle] >"President Clinton has asked Congress for authority to spend more money >on spy agencies, satellites and other intelligence activities in fiscal >1994 than it allotted for 1993, congressional and administration >officials say. " >.... Clinton had promised to slash intelligence spending by $7 billion >over four years. >.... Although the size of the nations' vast intelligence budget remains >an official secret, administration and congressional officials disclosed >yesterday that it would total about $28 billion if the increase >requested by Clinton is approved. Wonder how much of that extra money goes into coming up with encryption schemes they can easily crack? -- The Theorem Theorem: If if, then then Newsgroup: sci.crypt document_id: 15266 From: rdippold@qualcomm.com (Ron "Asbestos" Dippold) Subject: Re: White House Wiretap Chip Disinformation Sheet wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705) writes: >Fascinating. Most of the content of the White House announcements was >in what was *not* said. It gives us almost nothing of value, threatens to >take away a lot, and does it with a sincere smile on its face, >and the nice friendly word "Management". The computer, err, government, is your friend. Have a nice day (under penalty of law). -- To refuse praise is to seek praise twice. Newsgroup: sci.crypt document_id: 15267 From: rdippold@qualcomm.com (Ron "Asbestos" Dippold) Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow] jhesse@netcom.com (John Hesse) writes: >Oh great. Wonderful news. Nobody can listen in--except the feds. And anybody who can get the keys from the escrow company. This is a database that's going to take plenty of updating - they think they can keep it secure? Please... and that's just primary, not secondary sources, such as police using the key under a warrant. Would anyone be surprised if they just "neglected" to erase the key if it turned out they couldn't nail you on anything? 
-- Nourish a waif and it will pick out your eyes. Newsgroup: sci.crypt document_id: 15268 From: brad@clarinet.com (Brad Templeton) Subject: Re: How to detect use of an illegal cipher? In article <1qnmnp$db8@sol.TIS.COM> mjr@tis.com (Marcus J Ranum) writes: >traffic. That way your traffic looks "normal" and perhaps anyone >desiring to listen in won't even bother, since they know nobody's >going to really trust crypto that has classified internals for >important stuff. Nice to think, but naive. The fact is that millions of people today are sending highly confidential information over unencoded, easy to receive cellular phones. They figure the chances of being heard are small, so they risk it. And 99.9% of people don't understand crypto the way the least of the sci.crypt newbies does. If Clinton tells them it's good crypto, they'll believe him, and send important stuff over it, and be thankful that they're no longer using clear-voice FM cellular phones. Only a tiny fraction of people will want more crypto. Worse, in the eyes of the government, which swears up and down the algorithim is spook-level secure (and it may indeed be) the only reason you could possibly want this extra level is to avoid police. By using it, you'll attract attention as a likely lawbreaker. "Your honour, the suspect suddenly started using another level of cryptography and we can't tap his phone calls any more. He must have something to hide. Please sign the warrant to search his house..." -- Brad Templeton, ClariNet Communications Corp. -- Sunnyvale, CA 408/296-0366 Newsgroup: sci.crypt document_id: 15269 From: barrett@lucy.ee.und.ac.za (Alan Barrett) Subject: Re: White House Public Encryption Management Fact Sheet In article , clipper@csrc.ncsl.nist.gov (Clipper Chip Announcement) writes: > Distribution: na No thanks. This topic is of interest to a much wider audience. 
> In making this decision, I do > not intend to prevent the private sector from developing, or the > government from approving, other microcircuits or algorithms that > are equally effective in assuring both privacy and a secure key- > escrow system. "In making this decision, I intend to prevent the private sector from developing, except with the government's approval, other microcircuits or algorithms that are more effective in assuring privacy." --apb Alan Barrett, Dept. of Electronic Eng., Univ. of Natal, Durban, South Africa RFC822: barrett@ee.und.ac.za Newsgroup: sci.crypt document_id: 15270 From: louie@sayshell.umd.edu (Louis A. Mamakos) Subject: Re: Once tapped, your code is no good any more. In article tcmay@netcom.com (Timothy C. May) writes: >But is it any worse than the current unsecure system? It becomes much >worse, of course, if the government then uses this "Clinton Clipper" >to argue for restrictions on unapproved encryption. (This is the main >concern of most of us, I think. The camel's nose in the tent, etc.) Excuse me? This has *already* happened. There's a couple of humps in the tent already. Ask the folks at Qualcomm what became of the non-trivial encryption scheme they proposed for use in their CDMA digitial cellular phone standard? There *already* are restrictions in place. Louis Mamakos Newsgroup: sci.crypt document_id: 15271 From: ken@sugra.uucp (Kenneth Ng) Subject: Re: Fifth Amendment and Passwords In article <1993Apr16.165423.27204@linus.mitre.org: ptrei@bistromath.mitre.org (Peter Trei) writes: :Judge: "I grant you immunity from whatever may be learned from the key : itself" :You: "The keyphrase is: "I confess to deliberately evading copyright; : the file encoded with this keyphrase contains illegal scans of : copyrighted Peanuts strips."" :Judge and CP: "Oh." : How will they get you now? I'm not saying that they won't, or :can't (or even that they shouldn't :-), but what legal mechanism will :they use? 
Should we be crossposting this to misc.legal? Hm, could another court try you via a bypass of the double jeopardy amendment like they are doing in the LAPD trial? Ie your judge is a state judge, and then a federal judge retries you under the justification that its not the same trail. -- Kenneth Ng Please reply to ken@blue.njit.edu for now. "All this might be an elaborate simulation running in a little device sitting on someone's table" -- J.L. Picard: ST:TNG Newsgroup: sci.crypt document_id: 15272 From: smb@research.att.com (Steven Bellovin) Subject: Re: The Old Key Registration Idea... In article , rlglende@netcom.com (Robert Lewis Glendenning) writes: > I have been chided for stating that Dorthy Denning was intellectually > dishonest in the ACM debate and in this newsgroup. I have previously > refrained from suggesting that she is arguing on behalf of consulting > clients. > > Now, I say that it is clear that Dorthy Denning has been functioning > as a lobbyist, not a computer scientist. She has used legal ethics > (truth is what you can convince anyone of), not scientific ethics > (truth is understanding the external world). > > Maybe we can revoke her ACM membership? 8) I suggest that you refrain from such insults unless and until you can produce some evidence to back up that claim. Given the measures proposed or passed in the last year or so, such as S.266 and the scanner ban, her proposal need not be any more than her own attempt at a technical solution. It's entirely possible, in fact, that it was the notion of splitting the key, which came up in the debate, that softened this proposal. Newsgroup: sci.crypt document_id: 15273 From: ji@cs.columbia.edu (John Ioannidis) Subject: Re: Source of random bits on a Unix workstation In article <899@pivot.sbi.com> bet@sbi.com (Bennett Todd @ Salomon Brothers Inc., NY ) writes: > >I heard about this solution, and it sounded good. 
Then I heard that folks >were experiencing times of 30-60 seconds to run this, on >reasonably-configured workstations. I'm not willing to add that much delay >to someone's login process. My approach (etherfind|compress, skip 10K) takes >a second or two to run. I'm considering writing the be-all and end-all of >solutions, that launches the MD5, and simultaneously tries to suck bits off >the net, and if the net should be sitting __SO__ idle that it can't get 10K >after compression before MD5 finishes, use the MD5. This way I could have >guaranteed good bits, and a deterministic upper bound on login time, and >still have the common case of login take only a couple of extra seconds. > 53 seconds to hash 20M of core (I bet I know who the source of your information is!). No, it's not acceptable if it's part of your login process. But if you are going to use network traffic as the source of pseudo-random information, do the right thing and pass it through a cryptographic hash function, not a compressor. Aside from the fact that it will run faster, it will give better results (think of a cryptographic hash as a function that "distills" randomness). Something along the lines of etherfind -t -x -n | dd bs=1k count=10 2>/dev/null | md5 should do the trick. -t gives you timestamps, and the lack of -u makes sure that dd does not get ten lines as opposed to ten K. The above takes a couple of seconds on a lightly-loaded ethernet. >-Bennett >bet@sbi.com /ji Newsgroup: sci.crypt document_id: 15274 From: zrepachol@cc.curtin.edu.au (Paul Repacholi) Subject: Re: How do they know what keys to ask for? (Re: Clipper) In article , johnson@trwacs.fp.trw.com (Steve Johnson) writes: > brad@clarinet.com (Brad Templeton) writes: >>And of course you have to identify yourself to the phone company, and >>since the phone company complies with court orders, they will know the >>magic number of your chip when they sign out a warrant on you, and >>then can present the warrant to the key escrow house. 
Lets hope. Years ago a Telecom tech refused to tap a line unless he saw the warrant. The managment type who told him to do it fired him. The appeal against the dismissal was lost. > Who makes them forget and destroy all copies of the key once they've > decided you're not a criminal today? Just curious. Good luck. ~Paul Newsgroup: sci.crypt document_id: 15275 From: zrepachol@cc.curtin.edu.au (Paul Repacholi) Subject: Re: What is going on?... In article <1993Apr16.055100.1@cc.curtin.edu.au>, zrepachol@cc.curtin.edu.au (Paul Repacholi) writes: ... > If you can't be bothered reading, get the video "Manufacturing Consent". > In reply to mail queries; I don't know if a video is available yet. I asked about a month ao and was told RSN. Several have also asked which of Chomskys books. My answer is ALL of them, and anything else you can get as well. How ever, due to irritations like the 24 hr day etc, I would say 'Manafacturing Conscent' first, them th last parts of 'Detering Democracy' ie the bits about the "domestic 3rd world". Chilling. Anyone at MIT have a good St. Noam bibliography? ~Paul Newsgroup: sci.crypt document_id: 15276 From: deuelpm@craft.camp.clarkson.edu (Hobbit) Subject: Re: White House Public Encryption Management Fact Sheet I have a question about digital communications encryption: The Fact Sheet mentioned encryption/decryption microcircuitry with special "keys" for law enforcement for wire tapping purposes. If I wanted to, couldn't I develop encryption of my own? That is, if me and a partner in crime had unique Encryption/decryption devices installed before the "tappable" one, couldn't we circumvent the "keys" system? Or replace it? I'd be really interested in knowing how the E/D microcircuits might be made to prevent such befuddlement! (Laymans' Language, please! maybe a bit technical...) Please E-mail to me, as I'm not in Net News as much as I'd like to be! 
Pete deuelpm@craft.camp.clarkson.edu -- ===================================== deuelpm@craft.camp.clarkson.edu ===================================== "*Regret* is a rough sheet to sleep on." -Herman Brooks Newsgroup: sci.crypt document_id: 15277 From: gtoal@news.ibmpcug.co.uk (Graham Toal) Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow] In article strnlght@netcom.com (David Sternlight) writes: > >Though some may argue about the nose of the camel, it's worth noting that >the government proposal is limited to scrambled telephony. If it is only >used for that purpose, and does not extend to electronic mail or file >encryption, then it IS an improvement over the current mass-produced >standard civilian technology which, with a few exceptions, is limited to >easy-to-break inverters. Try reading between the lines David - there are *strong* hints in there that they're angling for NREN next, and the only conceivable meaning of applying this particular technology to a computer network is that they intend it to be used in exclusion to any other means of encryption. Don't be lulled by the wedge because its end looks so thin. Graham Newsgroup: sci.crypt document_id: 15278 From: eck@panix.com (Mark Eckenwiler) Subject: Re: Once tapped, your code is no good any more. In <1993Apr17.032828.14262@clarinet.com>, brad@clarinet.com sez: > >Do the police normally reveal every tap they do even if no charges are >laid? In many ways, it would be a positive step if they had to. >Judges set time limits on warrants, I assume. Under the relevant federal law, 18 USC sec. 2518(8)(d), the authorizing judge must notify the targets within 90 days after the tap period (with extensions) expires. This is the "normal" practice. 
Of course, no wiretap law would be complete without the Unless Clause, which in subsection 8(d) reads like this: "On an ex parte showing [i.e., by the gov't without opposition, since that would obviously involve notice to the targets] of good cause to a judge of competent jurisdiction the serving of the inventory required by this subsection [the order itself; dates of interception; etc.] *may be postponed*" (emphasis added). [Followups directed to a few select groups.] -- MORAL: Always Choose the Right Sort of Parents Before You Start in to be Rough - George Ade Mark Eckenwiler eck@panix.com ...!cmcl2!panix!eck Newsgroup: sci.crypt document_id: 15279 From: murray@src.dec.com (Hal Murray) Subject: Re: How do they know what keys to ask for? (Re: Clipper) In article <1993Apr17.031520.13902@clarinet.com>, brad@clarinet.com (Brad Templeton) writes: |> The actual algorithm is classified, however, their main thrust here is |> for cellular phones, and encryption is only over the radio end, not |> end to end, I think. End to end will come later. Encrypting just the radio link doesn't make sense to me. That means the telco has to do the decryption, and hence they need the keys. How are they going to be kept secure? Newsgroup: sci.crypt document_id: 15280 From: amolitor@nmsu.edu (Andrew Molitor) Subject: Re: Once tapped, your code is no good any more. In article tcmay@netcom.com (Timothy C. May) writes: > >But is it any worse than the current unsecure system? It becomes much >worse, of course, if the government then uses this "Clinton Clipper" >to argue for restrictions on unapproved encryption. (This is the main >concern of most of us, I think. The camel's nose in the tent, etc.) > Not to pick on Mr. May in particular, of course, but isn't this kind of the domino theory? When one little country falls, its neighbor will surely follow, and before you know it, we're all mining salt in Siberia for not turning in our Captain Crunch Secret Decoder Rings. 
Surely the hypothesis relying on the least wild assumptions is to take this at face value. Our lads at the fort were asked to cook up something that's pretty secure, with a key that can be escrowed neatly, and they did. The government plans to sell this thing, for the reasons they state. Yes, those evil guys in the FBI can probably, with some effort, abuse the system. I got news for you, if the evil guys in the FBI decide they want to persecute you, they're gonna, and you're gonna hate it. Fact is, the FBI doesn't want to listen to your phone calls, and if they do, and if you're using triple-DES, they'll just get a parabolic microphone and point it at your head. This is pretty clearly an effort by the government to do exactly what they're saying they're doing. As is typical with governments, it's mismanaged, and full of holes and compromises. As is typical with our government, it's not too bad, could be worse. My interpretation. Andrew >-Tim May, whose sig block may get him busted in the New Regime ^^^^^^^^^^^^^^^^^^ Isn't this just a little melodramatic? Newsgroup: sci.crypt document_id: 15281 From: grady@netcom.com (1016/2EF221) Subject: powerful "similarity" too A Unix tool of cryptographic significance is available for anonymous ftp. "agrep 2.0.4" -- a fast approximate pattern-matching tool source code project available from: cs.arizona.edu in directory "agrep" agrep is a very fast fuzzy search tool with a tremendous number of powerful search options. The one most obviously applicable to cryptography (key selection) is to be able to specify the "similarity" of matches in the data. For example say you make up a password/phrase of "qimwe7l". Of course you rightly suspect that this key itself is not in any dictionary or word list. But how *close* is it to en entry that could be varied by some "crack" program to brute-force search for it? You use agrep to find out. Looking with argument for none, one or two errors, no matches. Good so far. 
But agrep -3 "qimwe7l" bigwordandphraselist finds that the pattern "qimwe7l" is too close to the pattern "imsel" (part of "himself" and a host of others), to be of any cryptographic value as a key. An error of level two corresponds to a simple transposition of letters like "teh" for "the". A minimally acceptable password would have to pass as *least* level 3 in order not immediately ruled-out as even a remote possibility of being a good password. (In real cryptographic use, my personal passphrases clear at *least* level 8 on my rather large [>80 meg] word and phrase lists.) And for searching for key words in human-typed data (lots o' typos) the tool is unexcelled. For example, For example, say I want to find out what people think about Gibson's SF book "Neuromancer" in the huge SF-Lover's archives. Even with an error distance specification as small as of "1" I will find all those people who think the title was "Necromancer" or other common typos. Why miss anything? Also, the program can look for up to 30,000 patterns IN PARALLEL at Boyer-Moore (sublinear) speeds. Great for a NSA wannabe to look for your name, terrorists names, special Tagalog or religious words, etc. in the news or e-mail spool directories. You can even search for ciphertext by using, say, 30,000 random three-byte combinations and eliminate all texts that don't score the X chi-square 'birthday' hits on message size Y. You think some crypto-terrorist is try to foil you by changing the pattern on you? No problem. Try agrep -p NSA to find NSA, National Security Agency, NSecAg, No Such Agency, National Scrabble Association, N*S*A, etc. You can also specify "fixed" areas: looking for license plate XYZ123 when you know that the letters are correct, you might say: agrep -2 123 licenseplatedatabase will find all plates starting with XYZ with up to two errors (addition, substitution, deletion) in the number area. You can also "weight" the relative "cost" for substiutions, additions, or deletion errors. 
For example, when searching DNA patterns for a particular protein combination, you might know that some kinds of damage cause the "A" nucelotide to drop out more than other errors... you could adjust for this bias by setting -Dc where you set the "deletion cost" to count as "c" errors. A steganographic use (I even used "agrep -2 "eograp" E" just now to find the correct spelling!) would be to intentionally introduce errors of a certain type and magnitude into a plaintext and then later recover the orginal it via an agrep pipe. Lots of possibilities here when only outlaws can have ciphertext... Also with agrep's powerful extraction options it makes it easy to abstract the "hits" into a useful form. For example, agrep -d "^From" 'PGP;(passphrase|Zimmerman|NSA)' says output the entire mail record, delimited by 'From' that contains 'PGP' and contains either 'passphrase', 'Zimmerman', or 'NSA'. And agrep has been measured an order-of-magnitude faster than the second-best similarity tool publicly available. As usual, I will be glad to e-mail the source and docs to those who reqest them by e-mail IF they cannot do an anonymous FTP. Get this now. It is too powerful to stay in the hands of the NSA. Grady Ward, vendor to the NSA (and proud of it) -- grady@netcom.com 2EF221 / 15 E2 AD D3 D1 C6 F3 FC 58 AC F7 3D 4F 01 1E 2F Newsgroup: sci.crypt document_id: 15282 From: mearle@netcom.com (Mark Earle) Subject: PGP 2.0 vs 2.2 I've seen PGP 2.2 mentioned for the Mac platform. I use 2.0 on MS/DOS. Is there a 2.2 for MS/DOS? If so, a site or two that has it available (I'd need executables, although source would be nice to review). What was "fixed" or changed from 2.0 > 2.2? Thanks, mwe mearle@netcom.com finger for pgp2.0 public key Newsgroup: sci.crypt document_id: 15283 From: gthomas@fraser.sfu.ca (Guy Thomas) Subject: Re: What is going on?... 
zrepachol@cc.curtin.edu.au (Paul Repacholi) writes:
>In article <1993Apr16.055100.1@cc.curtin.edu.au>, zrepachol@cc.curtin.edu.au (Paul Repacholi) writes:
>...
>> If you can't be bothered reading, get the video "Manufacturing Consent".
>>
>In reply to mail queries; I don't know if a video is available yet. I asked
>about a month ago and was told RSN.

Yes it is. From the National Film Board of Canada.

Guy
gthomas@native-ed.bc.ca

Newsgroup: sci.crypt document_id: 15284
From: smb@research.att.com (Steven Bellovin)
Subject: Clipper -- some new thoughts

I'd *desperately* prefer it if we didn't rehash the same arguments that went on ad infinitum last time. That's especially true for sci.crypt. For that matter, I've created alt.privacy.clipper, since the traffic is appearing in *many* different groups right now. I'm going to focus here on some technical aspects of the plan, hence my followup to sci.crypt.

Frankly, if you're not an absolutist, your feelings may turn on some of these issues. For example -- with an 80-bit key, simply splitting it into two 40-bit pieces is much less acceptable than other schemes, because it means that if just one repository is, shall we say, overly pliable, a would-be eavesdropper would need to recover just 40 more bits of key. I need not point out in this newsgroup that that's pretty easy to do by exhaustive search. A slightly more complex scheme -- XOR-ing the key with a random number, and then with its complement -- would produce two 80-bit subkeys, neither of which is useful alone. That variant is much more resistant to attack. Clearly, one can get even more sophisticated, to protect the subkeys even more.

Other thoughts... Some people have noted the size and complexity of the databases necessary. But the id strings the phones emit could be their back door key, double-encrypted with the escrow repositories' public keys. For that matter, they could do that only with session keys, and have no back door at all.
In that case, the FBI would have to bring every intercept to the repositories to be decrypted. This would answer many of the objections along the lines of ``how do you make sure they stop''. We can even combine that with a variant of the digital telephony back door -- have the switch do the tap, but with a digitally-signed record of the time, phone number, etc, of the call. That provides proof to the escrow agents that the tap was done in compliance with the terms of the warrant.

I can suggest other variations, too. Suppose each Clipper chip had 100 public key pairs. Each would be used ~10 times, after which you'd need more keying material. (Not a bad idea in any event.) This could be used to enforce time limits, or rather, usage limits, on each warrant; the keys the repository agents would deliver wouldn't last for very long.

I suspect that the cryptographic algorithm itself is secure. Apart from the obvious -- why push a weak algorithm when you've already got the back door? -- I think that the government is still genuinely concerned about foreign espionage, especially aimed at commercial targets. This scheme lets the spooks have their cake and eat it, too. (I've heard rumors, over the years, that some factions within NSA were unhappy with DES because it was too good. Not that they couldn't crack it, but it was much too expensive to do so as easily as they'd want.) They're keeping the details secret so that others don't build their own implementations without the back door.

The cryptographic protocol, though, is another matter. I see no valid reasons for keeping it secret, and -- as I hope I've shown above -- there are a lot of ways to do things that aren't (quite) as bad.

Newsgroup: sci.crypt document_id: 15285
From: Marc VanHeyningen
Subject: How does it really work?
(was Re: text of White House announcement and Q&As on clipper chip encryption)

This announcement is somewhat disconcerting; it doesn't do anything evil in and of itself, but bodes badly for the future of open algorithms and standards in information security. I won't start panicking until/unless DES or RSA or stuff like that is prohibited, but I'm a little anxious. (No doubt it won't be long before someone posts explaining how this is just a small part of some far-ranging and long-lived NSA-PKP-IRS-FBI-CIA-HandgunControlInc-Clinton conspiracy to subvert freedom, democracy, and mathematics.)

My feeling is that the administration probably isn't that worried about things like DES and RSA and PGP and RIPEM, since they'll never be used by a group much wider than us computer geeks. The fact that this just came out now suggests one of two things:

1. The NSA has been working on this for a long time, and it only just now happened to be ``ready'' to release to the world at this time.

2. The NSA has been working on this for a long time, but wasn't able to get the Bush administration to go along with this plan. (I find it unlikely that this would have been because of a sympathy for the unescrowed use of cryptography; more likely the administration felt that even escrowed, secret-algorithm and, for all we know, trivially breakable cryptography should not be made widely available.)

Thus said clipper@csrc.ncsl.nist.gov (Clipper Chip Announcement):
>This new technology will help companies protect proprietary
>information, protect the privacy of personal phone conversations
>and prevent unauthorized release of data transmitted
>electronically. At the same time this technology preserves the
>ability of federal, state and local law enforcement agencies to
>intercept lawfully the phone conversations of criminals.

The majority of the discussion involving this "Clipper Chip" seems to pertain to the encryption of telephone conversations.
Does anyone know if that means this chip is designed to work primarily with analog signals? The language sort of suggests this, but it's hard to say.

The main thing I just don't get is whether this chip implements symmetric or asymmetric cryptographic techniques. Anybody know? I'm guessing symmetric, but they don't get very clear about it. If it is symmetric, how is it useful for anything other than link-level encryption with an identical chip at each end? How can you negotiate a per-session key using symmetric cryptography without using a trusted third party who knows your key? (Or does it even use a per-session key?) If it's asymmetric, what about PKP's patents, which they claim cover all methods of doing asymmetric cryptography? Are they getting royalties, or is hiding infringement the real reason for keeping the algorithm secret? :-)

--
Marc VanHeyningen mvanheyn@cs.indiana.edu MIME & RIPEM accepted
Kirk: I won't hurt you. Alien: You hit me! Kirk: Well, I won't hit you again.

Newsgroup: sci.crypt document_id: 15286
From: cuffell@spot.Colorado.EDU (Tim Cuffel)
Subject: Re: Once tapped, your code is no good any more.

I change login passwords every couple of months. It sure would suck if I had to get a new sparc station every time I wanted to do this. It seems that this is what they expect you to do if you want to routinely change your password on your phone. I'm sure the government contractor doesn't mind, but a system where you can cheaply change keys (DES) has inherent security advantages, regardless of the algorithms involved.

--
-Tim Cuffel Finger for PGP 2.1
The CIA has admitted that the assassination of Saddam Hussein was one of their goals. They failed, of course. Seems as though that motorcade through downtown Dallas trick only works once.

Newsgroup: sci.crypt document_id: 15287
From: smythw@vccnw03.its.rpi.edu (William Smythe)
Subject: Re: How to detect use of an illegal cipher?
In article betel@camelot.bradley.edu (Robert Crawford) writes:
>Jay Fenton writes:
>
>>How can the government tell which encryption method one is using without
>>being able to decode the traffic? i.e., In order to accuse me of using an
>>unauthorized strong encryption technique they would have to take both
>>keys out of escrow, run them against my ciphertext and "draw a blank".
>
> I was thinking about this, also. It's quite possible the
>system transmits, in clear, the serial number of the device being
>used. That way they can start a tap, get the serial number, and use
>the warrant for the first tap to get the key.
>
> If they tap someone who's apparently using encryption, but
>don't find that prefix, then they'll assume it's an "un-authorized"
>encryption scheme.

From the limited details released so far, it seems that the clipper chip system must employ some sort of public key cryptography. Otherwise, the key management problems inherent to symmetric ciphers would make the system unworkable. It probably has some sort of public key exchange that takes place at the start of each call. That's how they would identify the private key in their database? This means that either the NSA has developed some non-RSA public key algorithm or the feds have decided to subsidize PKP & RSADSI. The former is rather an exciting possibility, since keeping the algorithm secret while making chip implementations widely available will be exceptionally hard. If the feds are forced to make it available in order to gain public acceptance then that could break RSA's stranglehold on public key crypto in the U.S.

As for my impressions of the whole scheme: it seems that instead of trying to ban strong crypto, they are trying to co-opt it. Their contention that they need to keep the algorithm secret to protect the security of the key registration suggests possible inherent weakness in the algorithm.
More likely is that they don't want anyone constructing black market devices which don't have the keys registered.

Anyone else notice that in their Q&A session, they talk about releasing the keys only to people with proper authorization but carefully dance around stating that the keys will simply have to be subpoenaed? They seem to be trying to keep open the possibility of obtaining keys without court order even though tapping a phone line requires one. Also pick up on their implicit threat of either accept this or we'll ban strong crypto outright?

I don't trust this plan at all and plan to oppose it in all (legal) ways possible.

Bill Smythe

Newsgroup: sci.crypt document_id: 15288
From: amanda@intercon.com (Amanda Walker)
Subject: Re: Once tapped, your code is no good any more.

tcmay@netcom.com (Timothy C. May) writes:
> But is it any worse than the current unsecure system? It becomes much
> worse, of course, if the government then uses this "Clinton Clipper" to
> argue for restrictions on unapproved encryption. (This is the main
> concern of most of us, I think. The camel's nose in the tent, etc.)

I agree. This is the danger I see, not the system itself. That is to say, this is a political issue, not a technical one.

Amanda Walker
InterCon Systems Corporation

Newsgroup: sci.crypt document_id: 15289
From: amanda@intercon.com (Amanda Walker)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

gtoal@news.ibmpcug.co.uk (Graham Toal) writes:
> Try reading between the lines David - there are *strong* hints in there
> that they're angling for NREN next,

Where? I honestly didn't see any...

> and the only conceivable meaning of
> applying this particular technology to a computer network is that they
> intend it to be used in exclusion to any other means of encryption.

I disagree, if for no other reason than that there are already other standards in place. Besides, even if they restrict encryption on the NREN, who cares?
Most of the Internet is commercial anyway. The NREN is only for government and university research (read the proposals--it's a "data superhighway" for Cray users, not anything having to do with the Internet).

Amanda Walker
InterCon Systems Corporation

Newsgroup: sci.crypt document_id: 15290
From: pat@rwing.UUCP (Pat Myrto)
Subject: New Clipper Chip Proposal from the Guv...

I saw this article posted in a local newsgroup. I haven't seen it, or any followup traffic relating to it, in these groups or other groups which I subscribe to. So, I am posting it here so others can read it, check it out, and comment on it, and provide ideas for handling these sorts of things. I have no verification of the accuracy or lack of accuracy of this article, but if accurate, I find it extremely disturbing, especially in light of various abuses of the SSN number regarding privacy (I understand it is now to be required in CA to renew a driver's license, or to register a car) and other proposals regarding 'smart' national Identity Cards, wiretap proposals, and such. One simply wonders what other gems are in the wings ready to be sprung on the people by our government. Perhaps suggestions and ideas for preventing this and other such proposals from acquiring the force of law would be useful. The cost simply outweighs any possible benefits, IMO.

BTW, reading this makes me think of some ideas a Prof Denning has been promoting, in an even more disturbing form.

That said, with no further comment, the article follows:

------------ Begin included article ---------

Note: This file will also be available via anonymous file transfer from csrc.ncsl.nist.gov in directory /pub/nistnews and via the NIST Computer Security BBS at 301-948-5717.
---------------------------------------------------

THE WHITE HOUSE
Office of the Press Secretary
_________________________________________________________________

For Immediate Release April 16, 1993

STATEMENT BY THE PRESS SECRETARY

The President today announced a new initiative that will bring the Federal Government together with industry in a voluntary program to improve the security and privacy of telephone communications while meeting the legitimate needs of law enforcement.

The initiative will involve the creation of new products to accelerate the development and use of advanced and secure telecommunications networks and wireless communications links.

For too long there has been little or no dialogue between our private sector and the law enforcement community to resolve the tension between economic vitality and the real challenges of protecting Americans. Rather than use technology to accommodate the sometimes competing interests of economic growth, privacy and law enforcement, previous policies have pitted government against industry and the rights of privacy against law enforcement.

Sophisticated encryption technology has been used for years to protect electronic funds transfer. It is now being used to protect electronic mail and computer files. While encryption technology can help Americans protect business secrets and the unauthorized release of personal information, it also can be used by terrorists, drug dealers, and other criminals.

A state-of-the-art microcircuit called the "Clipper Chip" has been developed by government engineers. The chip represents a new approach to encryption technology. It can be used in new, relatively inexpensive encryption devices that can be attached to an ordinary telephone. It scrambles telephone communications using an encryption algorithm that is more powerful than many in commercial use today.
This new technology will help companies protect proprietary information, protect the privacy of personal phone conversations and prevent unauthorized release of data transmitted electronically. At the same time this technology preserves the ability of federal, state and local law enforcement agencies to intercept lawfully the phone conversations of criminals.

A "key-escrow" system will be established to ensure that the "Clipper Chip" is used to protect the privacy of law-abiding Americans. Each device containing the chip will have two unique "keys," numbers that will be needed by authorized government agencies to decode messages encoded by the device. When the device is manufactured, the two keys will be deposited separately in two "key-escrow" data bases that will be established by the Attorney General. Access to these keys will be limited to government officials with legal authorization to conduct a wiretap.

The "Clipper Chip" technology provides law enforcement with no new authorities to access the content of the private conversations of Americans.

To demonstrate the effectiveness of this new technology, the Attorney General will soon purchase several thousand of the new devices. In addition, respected experts from outside the government will be offered access to the confidential details of the algorithm to assess its capabilities and publicly report their findings.

The chip is an important step in addressing the problem of encryption's dual-edge sword: encryption helps to protect the privacy of individuals and industry, but it also can shield criminals and terrorists. We need the "Clipper Chip" and other approaches that can both provide law-abiding citizens with access to the encryption they need and prevent criminals from using it to hide their illegal activities.
In order to assess technology trends and explore new approaches (like the key-escrow system), the President has directed government agencies to develop a comprehensive policy on encryption that accommodates:

-- the privacy of our citizens, including the need to employ voice or data encryption for business purposes;

-- the ability of authorized officials to access telephone calls and data, under proper court or other legal order, when necessary to protect our citizens;

-- the effective and timely use of the most modern technology to build the National Information Infrastructure needed to promote economic growth and the competitiveness of American industry in the global marketplace; and

-- the need of U.S. companies to manufacture and export high technology products.

The President has directed early and frequent consultations with affected industries, the Congress and groups that advocate the privacy rights of individuals as policy options are developed.

The Administration is committed to working with the private sector to spur the development of a National Information Infrastructure which will use new telecommunications and computer technologies to give Americans unprecedented access to information. This infrastructure of high-speed networks ("information superhighways") will transmit video, images, HDTV programming, and huge data files as easily as today's telephone system transmits voice.

Since encryption technology will play an increasingly important role in that infrastructure, the Federal Government must act quickly to develop consistent, comprehensive policies regarding its use. The Administration is committed to policies that protect all Americans' right to privacy while also protecting them from those who break the law.

Further information is provided in an accompanying fact sheet. The provisions of the President's directive to acquire the new encryption technology are also available.
For additional details, call Mat Heyman, National Institute of Standards and Technology, (301) 975-2758.

---------------------------------

QUESTIONS AND ANSWERS ABOUT THE CLINTON ADMINISTRATION'S TELECOMMUNICATIONS INITIATIVE

Q: Does this approach expand the authority of government agencies to listen in on phone conversations?

A: No. "Clipper Chip" technology provides law enforcement with no new authorities to access the content of the private conversations of Americans.

Q: Suppose a law enforcement agency is conducting a wiretap on a drug smuggling ring and intercepts a conversation encrypted using the device. What would they have to do to decipher the message?

A: They would have to obtain legal authorization, normally a court order, to do the wiretap in the first place. They would then present documentation of this authorization to the two entities responsible for safeguarding the keys and obtain the keys for the device being used by the drug smugglers. The key is split into two parts, which are stored separately in order to ensure the security of the key escrow system.

Q: Who will run the key-escrow data banks?

A: The two key-escrow data banks will be run by two independent entities. At this point, the Department of Justice and the Administration have yet to determine which agencies will oversee the key-escrow data banks.

Q: How strong is the security in the device? How can I be sure how strong the security is?

A: This system is more secure than many other voice encryption systems readily available today. While the algorithm will remain classified to protect the security of the key escrow system, we are willing to invite an independent panel of cryptography experts to evaluate the algorithm to assure all potential users that there are no unrecognized vulnerabilities.

Q: Whose decision was it to propose this product?

A: The National Security Council, the Justice Department, the Commerce Department, and other key agencies were involved in this decision.
This approach has been endorsed by the President, the Vice President, and appropriate Cabinet officials.

Q: Who was consulted? The Congress? Industry?

A: We have on-going discussions with Congress and industry on encryption issues, and expect those discussions to intensify as we carry out our review of encryption policy. We have briefed members of Congress and industry leaders on the decisions related to this initiative.

Q: Will the government provide the hardware to manufacturers?

A: The government designed and developed the key access encryption microcircuits, but it is not providing the microcircuits to product manufacturers. Product manufacturers can acquire the microcircuits from the chip manufacturer that produces them.

Q: Who provides the "Clipper Chip"?

A: Mykotronx programs it at their facility in Torrance, California, and will sell the chip to encryption device manufacturers. The programming function could be licensed to other vendors in the future.

Q: How do I buy one of these encryption devices?

A: We expect several manufacturers to consider incorporating the "Clipper Chip" into their devices.

Q: If the Administration were unable to find a technological solution like the one proposed, would the Administration be willing to use legal remedies to restrict access to more powerful encryption devices?

A: This is a fundamental policy question which will be considered during the broad policy review. The key escrow mechanism will provide Americans with an encryption product that is more secure, more convenient, and less expensive than others readily available today, but it is just one piece of what must be the comprehensive approach to encryption technology, which the Administration is developing. The Administration is not saying, "since encryption threatens the public safety and effective law enforcement, we will prohibit it outright" (as some countries have effectively done); nor is the U.S.
saying that "every American, as a matter of right, is entitled to an unbreakable commercial encryption product." There is a false "tension" created in the assessment that this issue is an "either-or" proposition. Rather, both concerns can be, and in fact are, harmoniously balanced through a reasoned, balanced approach such as is proposed with the "Clipper Chip" and similar encryption techniques.

Q: What does this decision indicate about how the Clinton Administration's policy toward encryption will differ from that of the Bush Administration?

A: It indicates that we understand the importance of encryption technology in telecommunications and computing and are committed to working with industry and public-interest groups to find innovative ways to protect Americans' privacy, help businesses to compete, and ensure that law enforcement agencies have the tools they need to fight crime and terrorism.

Q: Will the devices be exportable? Will other devices that use the government hardware?

A: Voice encryption devices are subject to export control requirements. Case-by-case review for each export is required to ensure appropriate use of these devices. The same is true for other encryption devices. One of the attractions of this technology is the protection it can give to U.S. companies operating at home and abroad. With this in mind, we expect export licenses will be granted on a case-by-case basis for U.S. companies seeking to use these devices to secure their own communications abroad. We plan to review the possibility of permitting wider exportability of these products.

----------- End included article -----------

--
pat@rwing.uucp [Without prejudice UCC 1-207] (Pat Myrto) Seattle, WA
If all else fails, try: ...!uunet!pilchuck!rwing!pat
WISDOM: "Only two things are infinite; the universe and human stupidity, and I am not sure about the former."
- Albert Einstein

Newsgroup: sci.crypt document_id: 15291
From: smb@research.att.com (Steven Bellovin)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

In article <1qp9d1$e37@dorothy.ibmpcug.co.uk>, gtoal@news.ibmpcug.co.uk (Graham Toal) writes:
> Try reading between the lines David - there are *strong* hints in there
> that they're angling for NREN next, and the only conceivable meaning of
> applying this particular technology to a computer network is that they
> intend it to be used in exclusion to any other means of encryption.

Umm... I beg to differ with the phrase ``only conceivable meaning''. The SDNS protocols, for example, make explicit provision for multiple encryption systems, as does PEM. (And I'd love to see how they'd mandate this new system for PEM without disclosing it....) Mind you, I'm not saying that multiple algorithms will actually be used -- but the relevant technologies certainly provide for them, which certainly casts doubt on your choice of words.

Newsgroup: sci.crypt document_id: 15292
From: rlglende@netcom.com (Robert Lewis Glendenning)
Subject: Don't fight Clipper Chip, subvert or replace it !

Clipper Chip is a response to the fact that there is no business or professional body in a position to establish a standard and provide chipsets to implement it for analog or digital transmission systems.

RSA might be in position to do it, if they had active cooperation of a couple of manufacturers of cellular phones or desktop phones. Large companies in the voice/data comm business are out, because they all have contracts with the gov which would be used to pressure them.

If we, as professionals in crypto organizations, EFF, etc. were to put our collective minds and interests toward establishing a crypto standard for transmission, and getting our companies to implement it, we might avoid government control. Otherwise, I think it will happen to us by default.
Gov isn't probably strong enough or foolish enough to prevent strong crypt. They are strong enough, and we may be foolish enough, to push through the Clipper Chip.

Is RSA independent of the gov enough to spearhead this? I, for one, would *gladly* pay royalties via purchasing secure phones.

If not this, we should provide an algorithm which can be implemented in either SW or HW and publish it, then push to make it the de facto standard in the way that PGP and RIPEM are becoming such.

We are opposing, charging the bunker. We should be nimble and clever. The gov is strong, not clever.

Lew
--
Lew Glendenning rlglende@netcom.com
"Perspective is worth 80 IQ points." Niels Bohr (or somebody like that).

Newsgroup: sci.crypt document_id: 15293
From: masjhd@gdr.bath.ac.uk (James Davenport)
Subject: Re: Trinomial-Based PRNG

I tried to mail Peter Boucher, who posted the question, but my e-mail bounced, so, apologies to those who are not interested.

>trinomials are all of the form X**a + X**b + 1, where a

Have you read:

Bremner, A., On Trinomials of Type $x^n + Ax^m + 1$. Math. Scand. 49 (1981), pp. 145-155. Zbl. 458.12012. MR 83k:12002.

Ljunggren, W., On the Irreducibility of Certain Trinomials and Quadrinomials. Math. Scand. 8 (1960), pp. 65-70.

Tverberg, H., On the Irreducibility of the Trinomials $x^n \pm x^m \pm 1$. Math. Scand. 8 (1960), pp. 121-126.

Tverberg, H., On Cubic Factors of Certain Trinomials. Math. Scand. 53 (1983), pp. 178-184. Zbl. 513.12003.

James Davenport
jhd@maths.bath.ac.uk

Newsgroup: sci.crypt document_id: 15294
From: kadie@cs.uiuc.edu (Carl M Kadie)
Subject: Re: Clipper Crap

>encryption's dual-edge sword: encryption helps to protect the
>privacy of individuals and industry, but it also can shield
>criminals and terrorists. We need the "Clipper Chip" and other

"Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves."
-- William Pitt

--
Carl Kadie -- I do not represent any organization; this is just me. = kadie@cs.uiuc.edu =

Newsgroup: sci.crypt document_id: 15295
From: tcmay@netcom.com (Timothy C. May)
Subject: Re: Don't fight Clipper Chip, subvert or replace it !

Robert Lewis Glendenning (rlglende@netcom.com) wrote:
: Clipper Chip is a response to the fact that there is no business
: or professional body in a position to establish a standard and
: provide chipsets to implement it for analog or digial transmission
: systems.
:
: RSA might be in position to do it, if they had active cooperation of
: a couple of manufacturers of cellular phones or desktop phones.
.......
: Is RSA independt of the gov enough to spearhead this? I, for one,
: would *gladly* pay royalties via purchasing secure phones.

Hear hear!

I completely agree that we need to work quickly to establish alternatives to the government's Clinton Clipper. As Brad Templeton and others have noted, once the Clipper becomes ensconced in enough phones there will be enormous pressure to make it the *legal* standard, and it will become the *market* standard as well. (There is a lot of confusion in the proposal about whether the use of Clipper is mandated, about whether non-escrow alternatives will be allowed, etc.)

(There are also unclear issues about how hard, or how illegal, it will be to make "workalikes" which meet the standard but which generate phony or untappable keys...I'm sure the next several weeks will see these issues thrashed out in this and other groups.)

Meanwhile, I'd be interested to hear RSA Data Security's reaction. Often criticized in this group for their licensing policies (the usual complaints about MailSafe costing too much, at $125 or so, and the general issue of software patents...), we may find that *allying* ourselves with RSA is the best thing we can do. What's a mere licensing fee when our liberty may be at stake?
(If everyone who wanted true security paid, say, $100 for a lifetime use of all of RSA's patents--which expire in the period 1998-2002, or so--then RSA would make tons of money and be happy, I'm sure. A small price to pay. For those to whom $100 sounds like too much, I'm sure the actual terms could be different, spread out over several years, whatever. To me, it's a small price to pay.)

Strong crypto means strong privacy. Escrowing keys, sending copies of keys to large databases, and splitting keys into two 40-bit pieces, all done with secret and non-analyzable protocols and algorithms, is *NOT* strong crypto!

Whatever some of us may think about the abstract principles of patenting number theory applications, this minor issue pales in comparison with the potential dangers of the Clipper proposal (note that I said "potential"...we'll presumably learn more in the coming months). The RSA algorithms are at least public, have been analyzed and attacked for years, and source code is available (to better ensure no deliberate weaknesses or trapdoors).

I know of a number of groups putting together voice encryption systems using off-the-shelf hardware (like Soundblaster boards for the PC) and CELP-type software. The new generations of PCs, using fast 486s and Pentiums, are fast enough to do real-time voice encryption. Combined with Diffie-Hellman key exchange, this should provide an alternative to the Clipper system.

Of course, we don't really know if the Administration proposes to outlaw competing systems. (It seems to me that their goal of tapping terrorists, child pornographers, and Hilary bashers would be thwarted if low-cost alternatives to Clipper proliferated. Not to defend child pornographers or terrorists, but limiting basic freedoms to catch a few criminals is not the American way of doing things. End of soapbox mode.)
I suggest we in these groups set aside any differences we may have had with RSA (and don't look at me....I have both MacPGP *and* a fully legal copy of "MailSafe"!) and instead work with them as quickly as we can.

RSA?, Jim?, are you listening?

-Tim May

P.S. I reserve the right to retract these opinions if it should turn out that RSA Data Security was involved in the Clipper proposal.

--
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^756839 | Public Key: PGP and MailSafe available.

Newsgroup: sci.crypt
document_id: 15296
From: brad@clarinet.com (Brad Templeton)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

One presumes the system could work as follows:

a) Blank chips are manufactured by Mykotronx and VLSI. The number produced is carefully audited and they are shipped to the first escrow house. It programs the chips with its half of the key, and prints out a paper slip with the key half and non-secret chip serial number. The reams of paper are filed in locked boxes in the vault, a fuse is burnt in the chip so that the key is now unreadable.

The chip then goes to the next escrow house, where the same thing is done. This continues through N escrow houses, perhaps, could be more than 2. The last one provides the chip to the cellular phone maker.

And yes, this has to be a public key system or it would be almost impossible to handle. It might not be RSA, but that does not mean that PKP doesn't get paid. Until 1997, PKP has the patent on the general concept of public key encryption, as well as the particular implementation known as RSA.

--
Brad Templeton, ClariNet Communications Corp. -- Sunnyvale, CA 408/296-0366

Newsgroup: sci.crypt
document_id: 15297
From: jhesse@netcom.com (John Hesse)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

In article <1qnupd$jpm@news.intercon.com> amanda@intercon.com (Amanda Walker) writes:
>jhesse@netcom.com (John Hesse) writes:
>> Oh great. Wonderful news. Nobody can listen in--except the feds.
>
>Hey, it's better than the status quo.
>
>I am far less worried about "the feds" tapping my phone than high school
>scanner surfers who get their kicks out of eavesdropping on cellular and
>cordless phone calls.
>

Really? Why are you so worried about high school kids "getting their kicks" with scanners, as compared to what the feds can do, and have done, to their targets?

"Better than the status quo" isn't good enough, I'd say. The same technology could be implemented WITHOUT a back door open to the state.

We all know about power and corruption. But we all know that abuse is something that only happens to the other guy.

>
>Amanda Walker
>InterCon Systems Corporation
>
>

--
------------------------------------------------------------------------------
John Hesse        | A man,
jhesse@netcom.com | a plan,
Moss Beach, Calif | a canal, Bob.
------------------------------------------------------------------------------

Newsgroup: sci.crypt
document_id: 15298
From: reeds@alice.att.com (Jim Reeds)
Subject: Re: Patents (was RC2 RC4)

In article , matt@wardsgi.med.yale.edu (Matt Healy) writes:
and
> bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) wrote:
and
> > ahaley@eoe.co.uk (Andrew Haley) writes:

about Coca-Cola and Pepsi Cola and what they can teach us. Surely, if we must use pop patent law examples to discuss RC2 and RC4, it would make more sense to consider the case of RC Cola?

Jim Reeds

Newsgroup: sci.crypt
document_id: 15299
From: uni@acs.bu.edu (Shaen Bernhardt)
Subject: Re: Once tapped, your code is no good any more.
In article <1qpg8fINN982@dns1.NMSU.Edu> amolitor@nmsu.edu (Andrew Molitor) writes:
>In article
> tcmay@netcom.com (Timothy C. May) writes:
>>
>>But is it any worse than the current unsecure system? It becomes much
>>worse, of course, if the government then uses this "Clinton Clipper"
>>to argue for restrictions on unapproved encryption. (This is the main
>>concern of most of us, I think. The camel's nose in the tent, etc.)
>>
>
> Not to pick on Mr. May in particular, of course, but isn't this
>kind of the domino theory? When one little country falls, its neighbor
>will surely follow, and before you know it, we're all mining salt
>in Siberia for not turning in our Captain Crunch Secret Decoder Rings.

I wish I could agree with you. Ask yourself this. Why would any private sector entity wish to buy a crypto system that was KNOWN to be at least partially compromised? (Key escrows in this instance) Why would any private sector entity wish to buy a crypto system that had not been properly evaluated? (i.e. algorithm not publicly released)

The answer seems obvious to me, they wouldn't. There is other hardware out there not compromised. DES as an example (triple DES as a better one.) My suspicion is that the prices will drop dramatically on these non-clipper systems. If not we're in trouble.

Given that the Clinton administration is not entirely stupid (although we'd like to think so) I cannot believe that they have failed to realize this. They know their initiative will fail, much as crippled DES was never taken seriously. The only way their moves can work is by coercion. You know little about politics if you don't realize that this is just a first step in the next move, it makes NO sense otherwise.

The next move, banning or SEVERELY crippling crypto not using the "Clipper" system, is easily justified: "Why would anyone want other encryption unless they were trying to subvert the government?
We've provided you with a very secure alternative so use it or go to jail/be fined/whatever."

How can you reconcile the administration's self-proclaimed purpose of providing law enforcement with access to encrypted data without making the clipper system the only crypto available in the U.S...? You simply can't, and the administration knows it. Anyone who wanted to keep the govt. out of their hair, be it for drug dealing or whatever, would just buy still available non-clipper systems. Don't sell our crafty Clinton types short, they can't be THAT stupid. Either banning non-clipper crypto is the next answer or the administration's collective I.Q. is about that of a potato.

Why do you think AT&T jumped on so fast? They know it's going to be big, and NOT because it's better. Right on the face of it, no one will buy the stuff that doesn't have to. AT&T must know this too, THINK MAN, why the hell would they jump the gun?

> My interpretation.
>
> Andrew
>
>>-Tim May, whose sig block may get him busted in the New Regime
> ^^^^^^^^^^^^^^^^^^
>
> Isn't this just a little melodramatic?

I really wonder. To wit: The letter I just sent to Clinton:

The White House
Office of the Press Secretary
c/o: Presidential Comment Line (fax) (202) 456-2461

April 17, 1993

Sir and/or Madam:

I must object most strongly to the administration's evolving position on encryption and cryptography. I am shocked at the Clinton regime's increasing lean towards an authoritarian approach with regard to privacy and freedom from government oversight in day to day life. It is apparent to me that those who drafted the "Clipper Chip Proposal" (which is, incidentally, gaining notoriety as the "Big Brother Proposal") are either incredibly ignorant or very sly indeed.
Anyone knowledgeable in the nuances of cryptographic development and research must understand that a key step in the development of a new algorithm, especially one destined for standardization, is the full disclosure of the algorithm to the private and academic sectors. The proper evaluation of an algorithm depends on careful scrutiny by these sectors, and only such scrutiny can provide true public confidence in the security of the algorithm. The assumption that a new algorithm will be accepted based on assurances from "experts" without full disclosure is plain ignorance.

In addition, the assumption that an algorithm will be marketable over other technology, such as DES, when it is characterized by key escrow is lunacy. It seems an easy step in the logic chain that probable consumers will prefer to purchase equipment not crippled by government key escrow, no matter how "tamper proof" the key escrows might be.

I cannot believe that even the least educated policy maker would have failed to realize these flaws. I can only assume then that the drafters of the "Clipper Chip Proposal" knew very well the difficulties of selling a crippled system to the private sector. The only way this proposal makes any sense, or has any chance of succeeding, is in coercion. Even the language of the proposal makes it painfully clear that the next logical step is the outlawing of other encryption devices and hardware that do not utilize the "Big Brother Chip."

Unfortunately the public at large is not educated enough on the issue to realize what they are losing. I expect the Big Brother proposal to encounter little resistance from the American people who you will have so efficiently duped once again with pretty words like "harmony," "right to encryption," and "voluntary."

It mortifies me that the phrase that seems to be used more and more often to characterize the Clinton administration is "I can't believe it's happening here."
More startling is a question a colleague of mine posed and the realization that every day it becomes more and more relevant; "When is the Reichstag fire planned for?"

Most Concerned,

[Signature]
Shaen Logan Bernhardt I
uni@acs.bu.edu

--
uni@acs.bu.edu -> Public Keys by finger and/or request
Public Key Archives at DF610670F2467B99 97DE2B5C3749148C
Sovereignty is the sign of a brutal past. Cryptography is not a crime.
Fight the Big Brother Proposal!

Newsgroup: sci.crypt
document_id: 15300
From: ebrandt@jarthur.claremont.edu (Eli Brandt)
Subject: Re: How to detect use of an illegal cipher?

In article <1993Apr17.085358.18460@clarinet.com> brad@clarinet.com (Brad Templeton) writes:
>"Your honour, the suspect suddenly started using another level of
>cryptography and we can't tap his phone calls any more. He must
>have something to hide. Please sign the warrant to search his
>house..."

What they would need to do, though, is make sure that nobody has access to decent crypto in the first place. They probably can't tell Clippered voice from Clippered triple-DESed voice until they get their copy of your key. Any criminal who's going to use encryption will do it under cover of Clipper. The only way to avoid this will be to try to prohibit strong encryption.

I probably shouldn't say this, but they could try to detect the use of an illegal cypher by transmitting in the clear some statistical properties of the plaintext. An old-fashioned wiretap could then detect the use of pre-encryption, which would drastically increase the measured entropy of the input. A countermeasure to this would be to use steganographic techniques which put out voice.

You can tell if the NSA built this feature in: blow on the mike, and observe whether a band of thugs comes through your ceiling.

PGP 2 key by finger or e-mail
Eli ebrandt@jarthur.claremont.edu

Newsgroup: sci.crypt
document_id: 15301
From: hal@cco.caltech.edu (Hal Finney)
Subject: Re: How does it really work?
(was Re: text of White House announcement and Q&As on clipper chip encryption)

Marc VanHeyningen writes:
>The main thing I just don't get is whether this chip implements
>symmetric or asymmetric cryptographic techniques. Anybody know?

I don't know, but I'm as willing to speculate as anyone.

Several people have suggested that the chips use public-key cryptography. Another possibility is to use Diffie-Hellman key exchange, or some other algorithm which has a similar effect. DH allows both ends to agree on a session key which they use with symmetric cryptography (something like DES) for the encryption.

How could the "back door" keys work in this system? I can see a few possibilities. One is that the DH-like algorithm has the property that the session key can be deduced by an eavesdropper who knows the back door keys for one (or possibly both) communicants. Perhaps the random numbers used in the DH are seeded by the back door key, or some such.

Another possibility, as was suggested here earlier, is that the chips simply broadcast the session key, encrypted with the chip's own internal secret key. In this system the back door keys are secret keys usable for decrypting this session key broadcast. Actually the chip's secret key doesn't need to be a public key in this usage, but can be identical to the secret back-door key. (This proposal seems most straightforward to me.)

Still another possibility is that the encryption algorithm used for the message itself has a "dual key" property, that possession of either of two keys can be used to decrypt it. One key would be the session key from the DH exchange, and the other would be the back door key for the chip.

It's worth noting that one of the proposals Dorothy Denning raised during her amazingly prescient on-line discussion last November and December was a variation on Diffie-Hellman in which a third party would participate in deriving the session keys.
This doesn't quite fit into what we know of how Clipper works but it hints that those who had early knowledge of Clipper (or whose thinking was somehow synchronized with Clipper designers) may have had Diffie-Hellman on their minds.

Hal Finney

Newsgroup: sci.crypt
document_id: 15302
From: ebrandt@jarthur.claremont.edu (Eli Brandt)
Subject: Re: The battle is joined

In article <1993Apr16.181040.9381@qualcomm.com> karn@servo.qualcomm.com (Phil Karn) writes:
>It looks like Dorothy Denning's wrong-headed ideas have gotten to the
>Administration even sooner than we feared.

I'd lay long odds that it was the other way around. Clinton didn't just pull this plan out of any bodily orifices; the NSA has to have been working on it for years. While it's possible that Denning (and other prominent people) just happened to start arguing for such a system, it seems more likely that there was a suggestion involved. If this guess is wrong, I apologize.

PGP 2 key by finger or e-mail
Eli ebrandt@jarthur.claremont.edu

Newsgroup: sci.crypt
document_id: 15303
From: marc@mit.edu (Marc Horowitz N1NZU)
Subject: The source of that announcement

The message from the NIST about the clipper chip comes from the following address:

clipper@csrc.ncsl.nist.gov (Clipper Chip Announcement)

Just who is that, I asked myself, or rather, I asked the computer.

% telnet csrc.ncsl.nist.gov 25
Trying...
Connected to csrc.ncsl.nist.gov.
Escape character is '^]'.
220 first.org sendmail 4.1/NIST ready at Sat, 17 Apr 93 20:42:56 EDT
expn clipper
250-
250-
250-
250-
250-
250-
250-
250-
250-
250-
250-
250
quit
221 first.org closing connection
Connection closed.

Well, isn't that interesting. Dorothy Denning, Mitch Kapor, Marc Rotenberg, Ron Rivest, Jim Bidzos, and others. The Government, RSA, TIS, CPSR, and the EFF are all represented. I don't suppose anybody within any of these organizations would care to comment? Or is this just the White House's idea of a cruel joke on these peoples' inboxes?
Marc

--
Marc Horowitz N1NZU 617-253-7788

Newsgroup: sci.crypt
document_id: 15304
From: silly@ugcs.caltech.edu (Brad Threatt)
Subject: Remote file system security

In light of my recent paranoia concerning government proposals, I'd love to see a UNIX-based encryption scheme that:

1) Kept some files encrypted on the host machine (say, all the files in your home directory)
2) Used a key system that could not be compromised by eavesdropping over a modem line.

It seems that this would require modifications to a shell program and a way of telling whether a file was encrypted or not, among other things. I'd love to know about potential security holes in such a system.

Does such a system exist? If it were made easy-to-use and readily available, I think it would be a Good Thing(tm). I realize that this would probably just involve putting a nice front-end on a readily available and very secure encryption scheme, but it should be done.

Thanks for the ear,
Brad

Newsgroup: sci.crypt
document_id: 15305
From: jef@netcom.com (Jef Poskanzer)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

brad@clarinet.com (Brad Templeton):
}And yes, this has to be a public key system or it would be almost
}impossible to handle. It might not be RSA, but that does not mean
}that PKP doesn't get paid. Until 1997, PKP has the patent on the
}general concept of public key encryption, as well as the particular
}implementation known as RSA.

Hmm, my first thought was that they're using Diffie-Hellman exponential session key exchange, or an equivalent. However, the Diffie-Hellman patent, like the Hellman-Merkle one on public key systems, claims all equivalents, so the basic point stands.

Interestingly, a quote from Jim Bidzos showed up in the media real soon after the announcement, and he sounded very pissed. Maybe he hadn't yet realized that PKP might have just struck gold? All they have to do is get someone to admit the general scheme that the Clipper uses.
---
Jef

Jef Poskanzer jef@netcom.com jef@well.sf.ca.us
"An object never serves the same function as its image - or its name." -- Rene Magritte

Newsgroup: sci.crypt
document_id: 15306
From: whughes@lonestar.utsa.edu (William W. Hughes)
Subject: Re: Once tapped, your code is no good any more.

In article <1qpg8fINN982@dns1.NMSU.Edu> amolitor@nmsu.edu (Andrew Molitor) writes:
>In article
>tcmay@netcom.com (Timothy C. May) writes:
>
>>-Tim May, whose sig block may get him busted in the New Regime
> ^^^^^^^^^^^^^^^^^^
>Isn't this just a little melodramatic?

Not at all. Two weeks ago I registered a concern about some programming that was being conducted by a student organisation here at the University of Texas at San Antonio. As a result, I was interrogated by the campus police, who also attempted to create a positive-identification file (photo, fingerprints, etc.). I refused to permit this, and filed a complaint with the University administration. The Vice-President for Business Affairs (the 'boss' of the campus police) stated that he had no interest in the legal/Constitutional implications of those actions.

--
The greatest threat facing the citizens of the United States in the decade of the 90s is the United States Government; at all levels -- Federal, State, Local
[All opinions are mine, and I reserve the right to deny them at any time - WWH]

Newsgroup: sci.crypt
document_id: 15307
From: ptrei@bistromath.mitre.org (Peter Trei)
Subject: Re: Fifth Amendment and Passwords

In article <1993Apr17.122651.1874@sugra.uucp> ken@sugra.uucp (Kenneth Ng) writes:
>In article <1993Apr16.165423.27204@linus.mitre.org: ptrei@bistromath.mitre.org (Peter Trei) writes:
>:Judge: "I grant you immunity from whatever may be learned from the key
>: itself"
>:You: "The keyphrase is: "I confess to deliberately evading copyright;
>: the file encoded with this keyphrase contains illegal scans of
>: copyrighted Peanuts strips.""
>:Judge and CP: "Oh."
>: How will they get you now?
>: I'm not saying that they won't, or
>:can't (or even that they shouldn't :-), but what legal mechanism will
>:they use? Should we be crossposting this to misc.legal?
>
>Hm, could another court try you via a bypass of the double jeopardy amendment
>like they are doing in the LAPD trial? I.e. your judge is a state judge, and
>then a federal judge retries you under the justification that it's not the
>same trial.

No. The LAPD officers were tried first by the State of California on charges of police brutality, and secondly by the Federal Government on depriving RK of his civil rights - a different crime.

The scenario I outline is more similar to the Oliver North trial. Ollie confessed to treason (aiding an enemy of the US) during Senate hearings, under immunity. The team which was later to prosecute him on criminal charges had to sequester itself from all reports of ON's immunized testimony. ON's lawyer brought up the probability that at least someone on the team had heard about the Senate testimony, and it was a strong factor against the prosecution, which is one of the reasons this ON is still walking around free today.

Peter Trei
ptrei@mitre.org

Newsgroup: sci.crypt
document_id: 15308
From: wesommer@mit.edu (Bill Sommerfeld)
Subject: Re: The source of that announcement

% telnet csrc.ncsl.nist.gov 25
Trying...
Connected to csrc.ncsl.nist.gov.
Escape character is '^]'.
220 first.org sendmail 4.1/NIST ready at Sat, 17 Apr 93 20:42:56 EDT
expn clipper
250-
250-
250-
250-
250-
250-
250-
250-
250-
250-
250-
250
quit
221 first.org closing connection
Connection closed.

Note also:

% telnet csmes.ncsl.nist.gov 25
Trying 129.6.54.2...
Connected to csmes.ncsl.nist.gov.
Escape character is '^]'.
220 csmes.ncsl.nist.gov sendmail 4.1/NIST(rbj/dougm) ready at Sat, 17 Apr 93 23:08:58 EDT
expn mgrsplus
250-
250-Irene Gilbert
250-Dennis Branstad
250-Robert Rosenthal
250-Gene Troy
250-
250-Dennis Steinauer
250
telnet mail-gw.ncsl.nist.gov 25
Trying 129.6.48.199...
Connected to mail-gw.ncsl.nist.gov.
Escape character is '^]'.
220 mail-gw.ncsl.nist.gov sendmail 4.1/rbj/jck-3 ready at Sat, 17 Apr 93 23:06:50 EDT
expn csspab
250-
250-
250-Bill Colvin
250-
250-John Kuyers
250-
250-
250-
250-
250-
250-
250-Eddie Zeitler
250-Cris Castro
250
% telnet st1.ncsl.nist.gov 25
Trying 129.6.54.91...
Connected to st1.ncsl.nist.gov.
Escape character is '^]'.
220 st1.ncsl.nist.gov SEndMaIl 4.1/NBS-rbj.11 rEadY At Sat, 17 Apr 93 23:13:43 EDT
expn smid
250 Miles Smid
expn katzke
250 Stuart Katzke
quit
221 st1.ncsl.nist.gov closing connection
Connection closed by foreign host.
% telnet ecf.ncsl.nist.gov 25
Trying 129.6.48.2...
Connected to ecf.ncsl.nist.gov.
Escape character is '^]'.
220 ECF.NCSL.NIST.GOV TGV/MultiNet SMTP service ready.
expn burrows
250 Burrows, James
expn mcnulty
250 McNulty, Lynn
quit
221 ECF.NCSL.NIST.GOV TGV/MultiNet SMTP service complete.
% whois -h rs.internic.net first.org
National Institute of Standards and Technology (FIRST-DOM)
   225/A216 NIST
   GAITHERSBURG, MD 20899

   Domain Name: FIRST.ORG

   Administrative Contact:
      Wack, John P.  (JPW18)  WACK@ENH.NIST.GOV
      (301) 975-3411 (FTS) 879-3411
   Technical Contact, Zone Contact:
      Hunt, Craig W.  (CWH3)  Hunt@ENH.NIST.GOV
      (301) 975-3827 (FTS) 879-3827

   Record last updated on 17-Dec-91.

   Domain servers in listed order:

   DOVE.NIST.GOV                129.6.16.2
   AMES.ARC.NASA.GOV            128.102.18.3

The InterNIC Registration Services Host ONLY contains Internet Information (Networks, ASN's, Domains, and POC's). Please use the whois server at nic.ddn.mil for MILNET Information.

--

Newsgroup: sci.crypt
document_id: 15309
From: jebright@magnus.acs.ohio-state.edu (James R Ebright)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

In article brad@clarinet.com (Brad Templeton) writes:
[...]
>
>The greatest danger of the escrow database, if it were kept on disk,
>would be the chance that a complete copy could somehow leak out. You
[...]
>
>Of course then it's hard to backup.
>However, I think the consequences
>of no backup -- the data is not there when a warrant comes -- are worse
>than the consequences of a secret backup.

If the data isn't there when the warrant comes, you effectively have secure crypto. If secret backups are kept...then you effectively have no crypto. Thus, this poster is essentially arguing no crypto is better than secure crypto.

If the data isn't there when the warrant comes, then the government will just have to use normal law enforcement techniques to catch crooks. Is this so bad? BTW, bugging isn't YET a normal law enforcement technique. With the privacy clipper, it WILL become a normal technique.

/Jim
--
Information farming at...      For addr&phone: finger                  A/~~\A
THE Ohio State University      jebright@magnus.acs.ohio-state.edu     ((0 0))____
Jim Ebright                    e-mail: jre+@osu.edu                    \ / \ (--)\

Newsgroup: sci.crypt
document_id: 15310
From: sethf@athena.mit.edu (Seth Finkelstein)
Subject: Re: The source of that announcement

Also note (from and ):

% whois -h rs.internic.net tis-dom
Trusted Information Systems, Inc. (TIS-DOM)
   3060 Washington Road, Route 97
   Glenwood, MD 21738

   Domain Name: TIS.COM

   Administrative Contact:
      Walker, Stephen T.  (STW3)  walker@TIS.COM
      (301) 854-6889
   Technical Contact, Zone Contact:
      Dalva, David I.  (DID1)  dave@TIS.COM
      (301) 854-6889

   Record last updated on 02-Jul-92.

   Domain servers in listed order:

   TIS.COM                      192.33.112.100
   LA.TIS.COM                   192.5.49.8

And "dockmaster" is an infamous address ...

--
Seth Finkelstein  sethf@athena.mit.edu
"The road to Hell is paved with good intentions"

Newsgroup: sci.crypt
document_id: 15311
From: mkagalen@lynx.dac.northeastern.edu (michael kagalenko)
Subject: Re: How to detect use of an illegal cipher?

In article ebrandt@jarthur.claremont.edu (Eli Brandt) writes:
>
>I probably shouldn't say this, but they could try to detect the use
>of an illegal cypher by transmitting in the clear some statistical
>properties of the plaintext.
>An old-fashioned wiretap could then
>detect the use of pre-encryption, which would drastically increase
>the measured entropy of the input. A countermeasure to this would
>be to use steganographic techniques which put out voice.

This way to detect pre-encryption may be defeated; one can do transformation of the spectrum of encrypted signal just by adding some pre-arranged (in the beginning of communication) function. I think so. Say, you can do FFT of your encrypted signal. Just thinking ...

--
--------------------------------------------------------------------------------
For PGP2.1 public key finger mkagalen@lynx.dac.northeastern.edu
--------------------------------------------------------------------------------

Newsgroup: sci.crypt
document_id: 15312
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Once tapped, your code is no good any more.

In article <115863@bu.edu> uni@acs.bu.edu (Shaen Bernhardt) writes:
>
>I wish I could agree with you. Ask yourself this. Why would any private
>sector entity wish to buy a crypto system that was KNOWN to be at least
>partially compromised? (Key escrows in this instance) Why would any
>private sector entity wish to buy a crypto system that had not been properly
>evaluated? (i.e. algorithm not publicly released)
>The answer seems obvious to me, they wouldn't. There is other hardware out
>there not compromised. DES as an example (triple DES as a better one.)

What follows is my opinion. It is not asserted to be "the truth" so no flames, please. It comes out of a background of 20 years as a senior corporate staff executive in two Fortune 50 companies.

I'd be happy to use a crypto system supplied by the NSA for business, if they told me it was more secure than DES, and in particular resistant to attempts by Japanese, French, and other competitive companies and governments to break.
I'd be happy to do so even with escrowed keys, provided I was happy about the bona fides of the escrow agencies (the Federal Reserve would certainly satisfy me, as would something set up by one of the big 8 accounting firms).

I'd trust the NSA or the President if they stated there were no trap doors--I'd be even happier if a committee of independent experts examined the thing under seal of secrecy and reported back that it was secure.

I'd trust something from the NSA long before I'd trust something from some Swiss or anybody Japanese.

This may seem surprising to some here, but I suggest most corporations would feel the same way. Most/many/some (pick one) corporations have an attitude that the NSA is part of our government and "we support our government", as one very famous CEO put it to me one day.

Just some perspective from another point of view.

--
David Sternlight
Great care has been taken to ensure the accuracy of our information, errors and omissions excepted.

Newsgroup: sci.crypt
document_id: 15313
From: tuinstra@sunspot.ece.clarkson.edu.soe (Dwight Tuinstra)
Subject: re: WH announcement

Q: Who was consulted? The Congress? Industry?

A: We have on-going discussions with Congress and industry on encryption issues, and expect those discussions to intensify as we carry out our review of encryption policy. We have briefed members of Congress and industry leaders on the decisions related to this initiative.

Congress?? So we're playing politics before we talk to CPSR, academia, the public, internet users? I've heard of top-down design, but top-down democracy?? [Just whose state/district are the chip manufacturers in?]

Q: If the Administration were unable to find a technological solution like the one proposed, would the Administration be willing to use legal remedies to restrict access to more powerful encryption devices?

A: This is a fundamental policy question which will be considered during the broad policy review.
[...bs about the wonderfulness of the key escrow system...]

The Administration is not saying, "since encryption threatens the public safety and effective law enforcement, we will prohibit it outright" (as some countries have effectively done);

They'll just provide an easily-compromised version to JQ Public.

nor is the U.S. saying that "every American, as a matter of right, is entitled to an unbreakable commercial encryption product."

Maybe we need a CRA -- Cryptographic Rights Amendment.

There is a false "tension" created in the assessment that this issue is an "either-or" proposition. Rather, both concerns can be, and in fact are, harmoniously balanced through a reasoned, balanced approach such as is proposed with the "Clipper Chip" and similar encryption techniques.

Nice lullaby. But why am I not soothed?

----------------

Also, In article 15472@leland.Stanford.EDU, arc@leland.Stanford.EDU (Andrew Richard Conway) writes:
>P.S. I can't work out why the US government doesn't want to sell
>them overseas. After all, they are rather easy for US interests to decode,
>so make a perfect tool for industrial/military espionage...lulling
>anyone stupid enough to buy it into a false sense of security. You will
>notice that there is NO mention anywhere about safety for non-Americans.
>

Why repeat themselves? It appears to some (and the story looks pretty convincing to me, too) that the Justice Department stole a case-tracking system, modified it, and distributed it to "friendly" police and suchlike agencies around the world, e.g. the Canadian Mounties. Of course, I have no doubt they swore Scout's Honor that there were no backdoors. With that kind of intelligence, who'd want to be swamped with terabytes of commercial traffic?

+========================================================================+
| dwight tuinstra          best: tuinstra@sandman.ece.clarkson.edu       |
|                     tolerable: tuinstrd@craft.camp.clarkson.edu        |
|                                                                        |
| "Homo sapiens: planetary cancer?? ... News at six"                     |
+========================================================================+

Newsgroup: sci.crypt
document_id: 15314
From: rdippold@qualcomm.com (Ron "Asbestos" Dippold)
Subject: Re: The battle is joined

In article <1993Apr16.181040.9381@qualcomm.com> karn@servo.qualcomm.com (Phil Karn) writes:
>It looks like Dorothy Denning's wrong-headed ideas have gotten to the
>Administration even sooner than we feared.

If the Administration is this far along, is it possible that the government has been working on it for a while and has been using the Dennings to prime the pump, so to speak, or as the Judas goat? Whether paid off, just gullible, or what, doesn't really matter.

It might also be possible that the NSA / whoever has had the idea for this for quite a while, has been promoting it (Denning, et al) and seized the new opportunity - a new administration who wants to spend more money on espionage than Bush did.

Whatever, I'm not so sure that the cause/effect order is totally obvious.

--
You will lose your "Drug Free And Proud" ribbon. Two days later, you will catch a neighborhood kid smoking it.

Newsgroup: sci.crypt
document_id: 15315
From: ptrei@bistromath.mitre.org (Peter Trei)
Subject: Re: The battle is joined

In article ebrandt@jarthur.claremont.edu (Eli Brandt) writes:
>In article <1993Apr16.181040.9381@qualcomm.com> karn@servo.qualcomm.com (Phil Karn) writes:
>>It looks like Dorothy Denning's wrong-headed ideas have gotten to the
>>Administration even sooner than we feared.
>
>I'd lay long odds that it was the other way around. Clinton didn't
>just pull this plan out of any bodily orifices; the NSA has to have
>been working on it for years.
 ^^^^^^^^^^^^^^^^^^^^^^^

I first heard rumors of a similar government proposal (in Risks Digest???) in 1987 or 1988.
Peter Trei ptrei@mitre.org Newsgroup: sci.crypt document_id: 15316 From: "dan mckinnon" Subject: "clipper chip" I have lurked here a bit lately, and though some of the math is unknown to me, found it interesting. I thought I would post an article I found in the Saturday, April 17, 1993 Toronto Star: 'CLIPPER CHIP' to protect privacy Washington (REUTER) - President Bill CLinton announced yesterday a plan to plant a new "Clipper Chip" in every government telephone and computer line to prevent eavesdropping. Eventually the chips, developed by the government's National Institute for Standards and Technology, would be used by commercial and private electronics communication users. The White House said that to assure privacy, each device containing the encryption devices would be assigned two unique "keys" - numbers that will be needed by government agencies to decode messages. The attorney-general has been assigned the task of arranging that the keys are deposited in two "key-escrow" data bases. Access to them would be limited to government officials with legal authorization to conduct a wiretap, the White House said in a statement. -30- Dan McKinnon -- Canada Remote Systems - Toronto, Ontario 416-629-7000/629-7044 Newsgroup: sci.crypt document_id: 15317 From: tcmay@netcom.com (Timothy C. May) Subject: Re: The source of that announcement Marc Horowitz N1NZU (marc@mit.edu) wrote: : The message from the NIST about the clipper chip comes from the : following address: : : clipper@csrc.ncsl.nist.gov (Clipper Chip Announcement) : : Just who is that, I asked myself, or rather, I asked the computer. : : % telnet csrc.ncsl.nist.gov 25 ...list of name elided for brevity...... : : Well, isn't that interesting. Dorothy Denning, Mitch Kapor, Marc : Rotenberg, Ron Rivest, Jim Bidzos, and others. The Government, RSA, : TIS, CPSR, and the EFF are all represented. I don't suppose anybody : within any of these organizations would care to comment? 
Or is this : just the White House's idea of a cruel joke on these peoples' inboxes? I know that at least one person on that list says the first he heard of Clipper was in the Friday morning newspaper! And another has already fired off a letter of protest to NIST. My point? I suspect this list, interesting as it is for various reasons, does not represent the cabal that put this proposal together. Some of them, yes. Others, no. This may be nothing more than a mailing list of people who get crypto-related announcements from NSA, er, I mean "NIST." -Tim May -- .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay@netcom.com | anonymous networks, digital pseudonyms, zero 408-688-5409 | knowledge, reputations, information markets, W.A.S.T.E.: Aptos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. Newsgroup: sci.crypt document_id: 15318 From: zeev@ccc.amdahl.com (Ze'ev Wurman) Subject: Is there ANY security in the Clipper? It seems to me that all discussions about Clipper security are almost irrelevant - if I cannot choose the key, but have to use a key chosen for me by the foundry, the security of the WHOLE UNIVERSE OF USERS is as good (or as bad) as the security of VLSI Technologies Inc. It is a trivial effort to run any ciphertext agains ALL THE KEYS EVER MANUFACTURED - after all we are talking about 1 to 100 million keys that will ever be manufactured. The key depositories can be as secure and incorruptible as they wish to be, nobody cares anyway...:-( Now if someone would convince me that the shipping docks of VTI, ATT and others are impenetrable (remember: the chips have to ship with the key - you or the dealer are going to submit it to the authorities eventually) I'd be a bit happier. But do we really believe that the various governments (including ours) won't have the full lists of all the keys ever manufactured? 
Did I miss something here? My own opinions, quite obviously... -- ------------------------------------------------------------------ From........: Ze'ev Wurman email.......: or Organization: Amdahl Corp. 46525 Landing Parkway (M/S 581), Freemont CA 94538 Phone.......: (510) 623-2345 (Office) Fax.........: (510) 770-0493 (Attn: Zeev Wurman) Newsgroup: sci.crypt document_id: 15320 From: warlord@MIT.EDU (Derek Atkins) Subject: Re: The Old Key Registration Idea... -----BEGIN PGP SIGNED MESSAGE----- In article <1qn1ic$hp6@access.digex.net> pcw@access.digex.com (Peter Wayner) writes: 2) The system is vulnerable to simple phone swapping attacks like this. Criminals will quickly figure this out and go to town. Depends.. Its possible that the phone sends its serial number in the clear at some specified interval... So all a listener needs to do is get that SN, and then get the key for it... So swapping phones isn't a problem (for the gov't, that is). They still know that this line belongs to you, so they just watch the line and see the SN, and then they get the key for that SN... In either case, I think we need to look at this a bit deeper."'jbl)mW:wxlD2 Well, I think this is understood. The major problem is that a lot of people just don't trust this key escrow stuff, and the fact that the algorithms are classified... So, yes, a lot of this needs to be looked at closer! 
- -derek PGP 2 key available upon request on the key-server: pgp-public-keys@toxicwaste.mit.edu -----BEGIN PGP SIGNATURE----- Version: 2.2 iQBuAgUBK9EbXDh0K1zBsGrxAQHzcALCAlvWtnvi7aySWf565id1MN++nsybTwQI jQLgPKX/4tx6qjGC69BUQRZAtMQutkoVnvx/MqT5EZFM7uundRWD4cOwbb7CC4Gy gT7JtLRqU0aF9VSf4SGNQqg= =fGRj -----END PGP SIGNATURE----- -- Derek Atkins, MIT '93, Electrical Engineering and Computer Science Secretary, MIT Student Information Processing Board (SIPB) MIT Media Laboratory, Speech Research Group warlord@MIT.EDU PP-ASEL N1NWH Newsgroup: sci.crypt document_id: 15321 From: earle@isolar.Tujunga.CA.US (Greg Earle) Subject: Re: PEM and MIME In article <1qg8m2$2e5@nigel.msen.com> emv@garnet.msen.com (Edward Vielmetti) writes: >W C Newell Jr (wcn@u.washington.edu) wrote: > >>Before we can have a global multimedia e-mail solution, there must be some >>definition of a minimum service level, and MIME does not provide for this >>(yet). > >Before the Internet will invest in software, people need to see content. >I would suggest that 50 attractive MIME formatted news messages a day would be >sufficient to get a few people thinking about adding MIME support to news >readers, esp if the content is really worth it. > >>IMHO, we have a long way to go before the Unix-specific MUAs, newsreaders, etc >>reach the service levels of the other commercial platforms. There ought to be >>such a definition, consisting of known object data types and rules for their >>handling, included in the transport specification document. > >Yes. But there is also a long way to go before most Mac, PC, and Windows >MUAs and newsreaders are ready to handle the sheer volume of news and mail >that many Unix specific tools are able to cope with. When the choice is >"more feechurs" or "make the damn thing fast enough to keep up with the >flood", you have to bet that "fast enough" wins. Ed, as usual, makes a very good point. One time a friend of mine at Sun sent me an e-mail. 
He composed it using the Sun OpenWindows 3 "mailtool" which handles (non-MIME) "attachments" and the like. Since I don't use "mailtool", I had to manually save it, cut & paste, and then "uudecode" the actual attachment. What I got - after a not-inconsiderable amount of time spent doing this - was an audio file. The original message was over 32Kb of mail headers and uuencoded data; the resulting audio message was a single sentence that I transcribed as a 135 character message. If he had sent me the sentence in plain text, the e-mail would have been around 250 bytes, and it would have taken me about 3 seconds to process it at most. Instead, it was 32k and it took at least a minute. A complete waste of (my) time and bandwidth, as far as I'm concerned. Sending plain text is still the most efficient method of transmission, given the same transport mechanism. I shudder to think what would happen if everyone started posting their Usenet articles as audio files instead of plain text! Meltdown of the Net predicted! Film at Eleven! Back to Mono! (-: [This sub-thread no longer has anything to do with PEM or administrative] [policy, so I've redirected followups back to comp.mail.mime ... - Greg ] -- - Greg Earle Phone: (818) 353-8695 FAX: (818) 353-1877 Internet: earle@isolar.Tujunga.CA.US UUCP: isolar!earle@elroy.JPL.NASA.GOV a.k.a. ...!elroy!isolar!earle Newsgroup: sci.crypt document_id: 15322 From: schinagl@fstgds15.tu-graz.ac.at (Hermann Schinagl) Subject: Need source of FEAL encrytion algorithm Hi ! I am interested in the source of FEAL encryption algorithm. Does someone of you know where I can get the source from, or where I can find documentation about FEAL. Thanks in advance Ciao Hermann Please email me !!! Newsgroup: sci.crypt document_id: 15323 From: ygoland@wright.seas.ucla.edu (The Jester) Subject: Re: Don't fight Clipper Chip, subvert or replace it ! The Clipper chip is just the culmination of Dorthy Denning et all. But lets ignore that for the moment. 
The fundamental question is:Can the government stop me from using encryption? Ignoring for the moment the question of patented processes (such as Public Keys), can the government stop me from using an encryption process? If the answer is yes then what freedom we have in this country is truly gone and its time to get out the guns or the lawyers (depending upon which causes more damage and to whom). However assuming that I can still encrypt things as I please, who cares about the clipper chip? As far as I'm concerned a phone line is insecure PERIOD. I don't care if they encrypt it 10 ways from sunday, if I didn't do the encrypting, I don't trust it. This is the attitude that everyone else should have. Instead of worrying about a clipper chip, simply connect your handset to your computer and feed the voice single through, process, encrypt, and transmit over the phone. The guy on the other hand then does the same in reverse. Can't work you say? No Standard you say? Obviously you have never uses PGP. Anyone who expects the government to protect their freedoms is kidding themselves. Only you can protect your own freedoms. One final thought addressed to EFF: 1.Do you support the implementation of ANY form of encryption where the encryption key must be revealed? 2.If you do, why? If not, why? 3.What SPECIFIC actions are you planning to take to either support or stop this proposal? 4.If you do not support this proposal, what alternatives do you offer? The Jester -- Proof Windows is a Virus:It is very widespread, It eats up your disk space, It slows down your computer, It takes control over your computer, It performs disk access at random times, It displays silly messages on your screen, It randomly crashes the computer-Vesselin Newsgroup: sci.crypt document_id: 15324 From: tuinstra@sunspot.ece.clarkson.edu.soe (Dwight Tuinstra) Subject: WH proposal from Police point of view It might pay to start looking at what this proposal might mean to a police agency. 
It just might be a bad idea for them, too. OK, suppose the NY State Police want to tap a suspect's phone. They need a warrant, just like the old days. But unlike the old days, they now need to (a) get two federal agencies to give them the two parts of the key. Now, what happens if there's a tiff between the two escrow houses? Posession/release of keys becomes a political bargaining chit. State and lower-level police agencies have to watch the big boys play politics, while potentially good leads disappear, lives and property are lost, statutes of limitations run out, etc. Not to mention: a moderately clever person who suspects the police are after her/him will be buying new phones faster than tap requests can be processed. Or using stolen ones. [Will the Turing Police come and arrest you for transmitting without a dialing license?] There's also bureacracy and security problems -- within each escrow house, how will requests for key disclosure be authenticated? Put in enough safeguards of the kind bureaucrats and activists feel comfortable with, and it might take a LONG time to get that key. [Even when a request is approved, how is the key going to be disclosed? Will it be encrypted by a Clipper-type chip for transmission? In a bureaucracy the size of the Federal Government, with a databank of the necessary size, and data traffic of the projected volume, there's going to be a lot of weak links. How many of these kinds of problems will be open for public or "expert" scrutiny?] Furthermore, the Feds might be leery of handing completed keys around, even to State Police agencies: a trust and security issue. This would be an especially acute issue if some other State's Police had mishandled a key, resulting in lawsuits, financial settlements, and political embarassment. So, the Feds implement it this way: (b) some federal agency gets the keys, performs the tap, and turns the results over to the NY State Police. 
But let's say Cuomo's been causing some problems over a Clinton Aid-To-Urban-Areas proposal. Or there just happens to be a turf war going on between the State cops and the Justice department on a case. Now, not only do we have the keys as a political chit, we have an extra player in the game *and* we have the tap's tapes as another bargaining chit. Again, the State Police lose. I understand that (legal) wiretaps are quite expensive to maintain. In scenario (b), who pays the bill? +========================================================================+ | dwight tuinstra best: tuinstra@sandman.ece.clarkson.edu | | tolerable: tuinstrd@craft.camp.clarkson.edu | | | | "Homo sapiens: planetary cancer?? ... News at six" | +========================================================================+ Newsgroup: sci.crypt document_id: 15325 From: bena@dec05.cs.monash.edu.au (Ben Aveling) Subject: Re: text of White House announcement and Q&As on clipper chip encryption Andrew Richard Conway (arc@leland.Stanford.EDU) wrote: : P.S. I can't work out why the US government doesn't want to sell : them overseas. After all, they are rather easy for US interests to decode, : so make a perfect tool for industrial/military espionage...lulling : anyone stupid enough to buy it into a false sense of security. You will : notice that there is NO mention anywhere about safety for non-Americans. Don't forget, you are in the country that wouldn't let the Russians buy Apple II's because of security concerns. -- Ben (-: bena@bruce.cs.monash.edu.au :-) Newsgroup: sci.crypt document_id: 15326 From: jfc@athena.mit.edu (John F Carr) Subject: Re: Don't fight Clipper Chip, subvert or replace it ! In article ygoland@wright.seas.ucla.edu (The Jester) writes: >Ignoring for the moment the question of patented processes (such as >Public Keys), can the government stop me from using an encryption >process? Following precedent in other areas, the government is likely to put a tax on encryption technology. 
Once the tax is imposed, it becomes a federal matter and suspicision of an unlicensed cryptographic tool will bring the BATF or FBI tossing grenades into your house. (The BATF appears to be the logical agency to enforce such regulations: federal control over alocohol, tobacco, and firearms is similary based on taxes.) Look at the FCC: they won't allow sale of any receiever that can receive bands that are supposed to be private. This has nothing to do with any desire to prevent harmful interference. If the government can make a radio receiver illegal what makes you think they won't claim the right to control encryption? -- John Carr (jfc@athena.mit.edu) Newsgroup: sci.crypt document_id: 15327 From: Graham Toal Subject: Re: The battle is joined In article ebrandt@jarthur.claremont.edu (Eli Brandt) writes: :In article <1993Apr16.181040.9381@qualcomm.com> karn@servo.qualcomm.com (Phil Karn) writes: :>It looks like Dorothy Denning's wrong-headed ideas have gotten to the :>Administration even sooner than we feared. : :I'd lay long odds that it was the other way around. Clinton didn't :just pull this plan out of any bodily orifices; the NSA has to have :been working on it for years. While it's possible that Denning (and :other prominent people) just happened to start arguing for such a :system, it seems more likely that there was a suggestion involved. :If this guess is wrong, I apologize. I'm sure Dorothy Denning is an honest person and wouldn't lie to us. Simply think up a question to ask her about her involvement, but be very careful to phrase it in such a way that there can be no Jesuitical evasion or a true but wholly misleading answer. In this country, MI5 are *experts* at answering these questions; for instance there was a British journalist (Jonathon Moyle) killed in South America a couple of years ago. Parliament asked "Was he an MI5 employee" "No." - turns out afterwards he wasn't paid, therefore wasn't an employee. 
They could equally have said he wasn't an agent - he went abroad on his private business with no brief from MI5, but was interviewed and debriefed at length only *on his return*. G Newsgroup: sci.crypt document_id: 15328 From: steve-b@access.digex.com (Steve Brinich) Subject: Re: text of White House announcement and Q&As on clipper chip encryption The dead giveaway is the repeated protestations that the new plan is aimed at "criminals", "drug dealers", "terrorists", etc. You'd think the tactic would be too obvious to trot out yet again after a decade of Sarah and the rest of the Brady Bunch using it to destroy the Second Amendment, but evidently the control nuts feel it will serve them one more time. As far as the export needs of American companies are concerned, I could almost believe that the plan to saddle the US industry with a hidden sabotaged algorithm was invented by a cabal of Japanese lobbyists. Newsgroup: sci.crypt document_id: 15329 From: pat@rwing.UUCP (Pat Myrto) Subject: Re: Once tapped, your code is no good any more. In article <1993Apr17.061326.16130@clarinet.com> brad@clarinet.com (Brad Templeton) writes: >In article tcmay@netcom.com (Timothy C. May) writes: >>Getting the court order to reveal the key *also* makes decipherable >>all *past* conversations (which may be on tape, or disk, or whatver), >>as I understand the proposal. I could be wrong, but I've seen no >>mention of "session keys" being the escrowed entities. > >True in theory. In practice? The technology of cellular phones will >probably be spread spectrum and quite difficult to record the crypttext >without the key. If the frequency path depends on they key, as I >understand it to, it *could* be made effectively impossible to record. I am not an expert in the cryptography science, but some basic things seem evident to me, things which this Clinton Clipper do not address. 
The all pertain to opportunites for abuse, and conclusions based on what I have seen the membership of this group (except for two notable persons) agree to. If anything bad is possible by the government in theory, it almost always ends up happening in fact. So the key is to make abuse IMPOSSIBLE. Question authority, and remember power DOES corrupt. I think one has to regard this whole idea in the sense that it WILL be expanded to include other data forms, such as data transfer and stored data. and as such should be treated as if it were expanded (or such expansion will be almost impossible to stop, using Clipper as a precident). There was a hint of that in the proposal, remember. That said, please bear with me, I am not very articulate, so I take more words to say what others could say much more briefly. Thank you. >Once it hits land you can record it if you have telco access. The >telco isn't supposed to give that without a warrant. That's the rule >today. As I suggested this is NOW. The hint is in the proposal that this or similar proposals are being considered for other forms of encryptions such as data transfer, data files, and such, largely dependent on how this thing is accepted or flies. I think one would be wise to treat this in the manner one would when (not if) it gets expanded to other areas than cellular phones. I think this is guaranteed to happen, if this proposal gets by. Salami politics. It has been and is used in several other areas, it is certain to be used here. Government is not going to easily give up on the idea that they should be able to eavesedrop whenever they want to. 'Court order required' has proven to be a rather flimsy guarantee. If the case warrants, they can always sieze the material, and force one to give the key, or sit in jail forever on periodically renewed contempt charges. 
So it is not denying the justice system the information, nor the ability to lock someone up if guilty (or refuses to divulge the means to access the info - this is not protected under the Fifth - one can be forced to perform ACTS that would result in divulging incriminating evidence). So, blocking restrictions on private encryption is not preventing LEGITIMATE law enforcement - it does make ILLEGITIMATE law enforcement a bunch more difficult. Especially fishing expeditions without the target's knowlege. Don't give up the right to be safe from that - that should be non-negotiable, and Clinton and Co. know it (which is probably why they quietly developed this thing, figuring if they get it this far, they can ram it on through). How come those consulted could be roughly described as "us insiders"? They cannot quietely IMPLIMENT it though, when they ban other schemes to ensure its exclusive use. Hence the nice PR document to try and reassure everyone. Don't buy into it. Has government really earned that kind of trust, past or future? To be secure and free, one must keep government honest and the only way to do that is to make abuse IMPOSSIBLE, not 'unlikely' or 'difficult'. >But even so, the evidence would not be admissible, I think, unless the >judge so ordered. I think that even interception of the crypttext >without a warrant would be illegal. Cops can't record today's plain >cellular calls and then ask a judge, "Hey, can we have permission to >listen to those tapes?" can they? So what? One could use information gained by re-use of the keys (saved after the last case was finished) or other means (master key, backdoor, easily broken algorithm) to find other evidence which, given to a judge, would authorize a tap which wouldn't have been possible otherwise. This has been the more common manner of abuse of wiretaps in the past... For local cops, this might be workable to keep them honest, but the Feds have a workaround somehow, BET on it. 
Does anyone really believe for example, that the government will use a scheme NSA cannot listen in on scanning for keywords - either easily defeated in realtime or via a 'master key'? I sure don't. This whole thing sounds like something to eliminate the need to use old-fashioned police work to build a case. In the past, eavesdropping was rather easy (with or without a court order). I think the Law Enforcement community has become a bit spoiled, and will resist changes that require them to revert to using old-fashioned detective work. I just find it somewhat surprising coming from a bunch that cares so much about civil and individual rights, that "puts people first". The question is "put people first" to WHERE? With the innards not being revealed, how is one to be sure there DOESN'T exist a 'master key' for use by NSA, etc (so they can do their keyword scan, etc on conversations they routinely monitor, without a specific court order)? Remember, the cellular phone limitiation is only TEMPORARY. Bet on it. And so far I have not heard about police telling people that they have been tapped and nothing incriminating was found. What is to keep them from simply keeping the keys on file for 'next time'? After awhile, they would have quite a collection. Kept especially for folks they deem 'disruptive'. And if they get only one key, that would reduce the search space a lot, unless it is an RSA scheme. Remember Nixon years? Need for court orders really slowed them down, didn't it? And unless the escrow accounts are not government controlled (fat chance! I see one ending up being under, say Treasury, the other under Justice :-)) it could be worth some serious bucks to some folks to get keys to a competitor's Clinton Clipper (or descendent when this idea is expanded to be used for all non-government encryption). Enough bucks would get one the keys or the innards for this algorithm. Perhaps not an important concern, but given past government behavior and the other problems... 
>>worse, of course, if the government then uses this "Clinton Clipper" >>to argue for restrictions on unapproved encryption. (This is the main >>concern of most of us, I think. The camel's nose in the tent, etc.) > >Yes, that is a major concern, but I think that they think they can >win just by having 99.5% of the USA use this system. They don't even >have to care about the cautious .5% that's left. They don't catch the >really smart crooks anyway. John Gotti, who would have to be retarded >not to realize he was likely to be wiretapped, glibly chatted away >on his tapped phone about murder plans. That's why he's in jail now. >Hard to believe, but true. What will one do when it is expanded to data storage encryption? You can BET that if Clipper is accepted, that will be next on the agenda. It is even hinted at in the proposal - read it carefully... Expect the argumet "well, if you got nothing to hide..." Fine. Then using that argument, one should not object to video cameras being installed in every room of one's home. Granted - an exteme expansion of the idea but the principle holds. Private stuff should remain private, even from a govt fishing expedition. And laws/rules may change in the future as to 'safeguards'. When it comes to the Fed Government, safeguards are pretty meaningless, if they want to do/get something. Don't work so hard to give up some rather treasured rights, or establish bad precidents, please. The price could be hell to pay, later. >This scheme can succeed without laws forbidding more, which people would >fight a lot harder. They like this enough that they are dropping the so >called "Digital Telephony" proposal, according to rumours. However the >meaning of that is complex, since they still want to get at the crypttext >on telco systems, and that requires a bit of work. 
People would fight laws forbidding more NOW, but in, say two years, because we have this 'crisis' situation which MUST be addressed by some 'drastic action', just this added reasonable restriction will only bother those who have someting to hide... etc. Please don't buy into it. If the Clinton Clipper is so very good, why not make its algrithm public so many people can exchange ideas and examine it, rather than a few isolated 'respected experts' (respected by whom? for what? Perhaps a certain professor who likes key banks would be one of the selected experts... this does seem to expand on some ideas the person was advocating, if I recall :-). How would anybody know that what the experts examine is the same as what will end up being used in the Clipper Chip, if it is kept secret? Perhaps the Clipper will use a crippled version (with a 'master key' provision), or features not present in the version subjected for study and evaluation by the experts. And who chooses the expertes? The government? No conflict of interest there... :-) And isn't it a REQUIREMENT for any decent encryption scheme that it NOT have its effectiveness reduced by having the algrorithm widely known? I was lead to believe that one should assume the other side has everything you have, except for the key(s)... I recall ideas presented to this group are rejected if a requirement exists the algorithm be secret... Another question - since it is a safe bet this Clipper thing would not be used for government security, they are regarding it as not real secure but "good enough" for common folk. I think I would like to see a full description (not a PR non-statement) of just what "good enough" means? I think when saying how strong it is, "good enough" really means "not very". 
The excuse that other countries have these restrictions is not acceptable: Other countries do not have our Bill of Rights and Constitution (which the people, not the governments, of those other countries often regard with envy - what we have as rights they have as revokable privileges). And if we expect to retain those rights and protections, we must not allow them to be gutted because we just GOTTA have this thing to 'fight crime'. We have allready have our Bill of Rights pretty much torn to shreds. We should not permit more weakining for yet another 'noble cause', instead we should be trying to repair the damage. Our crime problem may have a number of causes, but "too many rights and safeguards" is not a signifigant one. A broken court system and poor police work are a much more signifigant cause as having "too many rights" (disregarding addressing the root causes for crime, etc). BTW - those who suggest that this is just an attack on Clinton, believe this: I would be going ballistic reagardless WHO seriously proposed this thing. It is just another step in a gradual erosion of our rights under the Constitution or Bill of Rights. The last couple of decades have been a non-stop series of end-runs around the protections of the Constitution. It has to stop. Now is as good a time as any, if it isn't too late allready. >-- >Brad Templeton, ClariNet Communications Corp. -- Sunnyvale, CA 408/296-0366 -- pat@rwing.uucp [Without prejudice UCC 1-207] (Pat Myrto) Seattle, WA If all else fails, try: ...!uunet!pilchuck!rwing!pat WISDOM: "Only two things are infinite; the universe and human stupidity, and I am not sure about the former." - Albert Einstien Newsgroup: sci.crypt document_id: 15330 From: al@escom.com (Al Donaldson) Subject: Re: Once tapped, your code is no good any more. amolitor@nmsu.edu (Andrew Molitor) writes: >Yes, those evil guys in the FBI can probably, with some >effort, abuse the system. 
I got news for you, if the evil guys in >the FBI decide they want to persecute you, they're gonna, ... And if Richard Nixon had had this kind of toy, he wouldn't have had to send people into the Watergate. But that's not really the issue. The real issue is whether this will be used to justify a ban against individuals' use of private (i.e., anything else) encryption methods. Unrelated question...isn't the term "Clipper," as neat as it is, already taken by Intergraph? Al Newsgroup: sci.crypt document_id: 15331 From: mrr@scss3.cl.msu.edu (Mark Riordan) Subject: Re: Source of random bits on a Unix workstation Bennett Todd @ Salomon Brothers Inc., NY (bet@sbi.com) wrote: : However, unless I : missed something, the only source they suggested (aside from a hardware RNG) : that seems available, and unguessable by an intruder, when a Unix is : fresh-booted, is I/O buffers related to network traffic. I believe my : solution basically uses that strategy, without requiring me to reach into : the kernel. A few more sources are statistics on your filesystems (easily and quickly obtained) and the output from the "rusage" system call. You can also exec a finger to one or more favorite heavily-used systems, though this can take several seconds. cf. the source code to RIPEM on ripem.msu.edu. Mark R. Newsgroup: sci.crypt document_id: 15332 From: schneier@chinet.chi.il.us (Bruce Schneier) Subject: Re: An Open Letter to Mr. Clinton In article strnlght@netcom.com (David Sternlight) writes: > >Here's a simple way to convert the Clipper proposal to an unexceptionable >one: Make it voluntary. > >That is--you get high quality secure NSA classified technology if you agree >to escrow your key. Otherwise you are on your own. > As long as "you are on your own" means that you can use your own encryption, I'm sold. Bruce Newsgroup: sci.crypt document_id: 15333 From: eldar@fraser.sfu.ca (Danny Eldar) Subject: Need help !! I am currently writing a paper on computer protocols security. 
I would appreciate your help. I currently have no insight into these topics except that they relate to security in multilevel security network. Please semd me any references, books, FAQs or contact persons names and Internet addresses. The topics I am interested in: 1. The "firewall gateway model" as implemented in Internet gateways. 2. Kerberos Authentication Service Please send me a private e-mail at eldar@sfu.ca and/or post it on the board. Thanks a lot, Danny Newsgroup: sci.crypt document_id: 15334 From: holland@CS.ColoState.EDU (douglas craig holland) Subject: Re: Once tapped, your code is no good any more. In article <1qpg8fINN982@dns1.NMSU.Edu> amolitor@nmsu.edu (Andrew Molitor) writes: >In article > tcmay@netcom.com (Timothy C. May) writes: >> >>But is it any worse than the current unsecure system? It becomes much >>worse, of course, if the government then uses this "Clinton Clipper" >>to argue for restrictions on unapproved encryption. (This is the main >>concern of most of us, I think. The camel's nose in the tent, etc.) >> > > Not to pick on Mr. May in particular, of course, but isn't this >kind of the domino theory? When one little country falls, its neighbor >will surely follow, and before you know it, we're all mining salt >in Siberia for not turning in our Captain Crunch Secret Decoder Rings. > > Surely the hypothesis relying on the least wild assumptions is >to take this at face value. Our lads at the fort were asked to cook up >something that's pretty secure, with a key that can be escrowed neatly, >and they did. The government plans to sell this thing, for the reasons >they state. Yes, those evil guys in the FBI can probably, with some >effort, abuse the system. I got news for you, if the evil guys in >the FBI decide they want to persecute you, they're gonna, and you're >gonna hate it. 
Fact is, the FBI doesn't want to listen to your phone >calls, and if they do, and if you're using triple-DES, they'll just >get a parabolic microphone and point it at your head. > With E-Mail, if they can't break your PGP encryption, they'll just call up one of their TEMPEST trucks and read the electromagnetic emmisions from your computer or terminal. Note that measures to protect yourself from TEMPEST surveillance are still classified, as far as I know. > This is pretty clearly an effort by the government to do exactly >what they're saying they're doing. As is typical with governments, >it's mismanaged, and full of holes and compromises. As is typical >with our government, it's not too bad, could be worse. > > My interpretation. > > Andrew > >>-Tim May, whose sig block may get him busted in the New Regime > ^^^^^^^^^^^^^^^^^^ > > Isn't this just a little melodramatic? If the new regime comes to fruition, make sure you protect your First Amendment rights by asserting your Second Amendment Rights. Doug Holland Newsgroup: sci.crypt document_id: 15335 From: bill@Celestial.COM (Bill Campbell) Subject: Re: Once tapped, your code is no good any more. In <1993Apr17.032828.14262@clarinet.com> brad@clarinet.com (Brad Templeton) writes: :It occurs to me that if they get a wiretap order on you, and the escrow :houses release your code to the cops, your code is now no longer secure. A very good point! :It's in the hands of cops, and while I am sure most of the time they are :good, their security will not be as good as the escrow houses. Why should we expect the cops to be honest! They're underpaid for the risks they face every day. The media dumps on the all the time and blames them for all sorts of discrimination, brutality.... How can we expect them to be more than human? Besides there are lots of cases of police abuses ranging from protection scams to outright robbery (when I worked in D.C. 
there was a breakin at a local Radio Shack and the alarm company heard the cops responding to the call over the audio pickup in the store:-). :What this effectively means is that if they perform a wiretap on you, :at the end of the wiretap, they should be obligated to inform you that :a tap was performed, and replace (for free) the clipper chip in your :cellular phone so that it is once again a code known only to the :escrow houses. Then you would know that Big Brother had been listening. Does he really want to let you know? :Do the police normally reveal every tap they do even if no charges are :laid? In many ways, it would be a positive step if they had to. :Judges set time limits on warrants, I assume. At the end of the time :limit they should have to renew or replace your chip. :That's if we go with this scheme, which I am not sure I agree with. I'm completely against anything that makes it easier for the government to encroach on the rights of individuals. The founders of this country spent a lot of effort limiting the power of the government and specifying exactly what the governments rights were (and this didn't include a gov't spy in every bedroom). IMHO, there are entirely too many things going on today designed to preserve the government organism at the expense of individuals. Look around and reread 1984 and many early Heinlein books. Aren't there many parallels between the thought police (can you spell Waco Texas?), and Heinlein's ``Crazy Years''? Bill -- INTERNET: bill@Celestial.COM Bill Campbell; Celestial Software UUCP: ...!thebes!camco!bill 6641 East Mercer Way uunet!camco!bill Mercer Island, WA 98040; (206) 947-5591 SPEED COSTS MONEY -- HOW FAST DO YOU WANT TO GO? 
Newsgroup: sci.crypt document_id: 15336 From: holland@CS.ColoState.EDU (douglas craig holland) Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow] In article strnlght@netcom.com (David Sternlight) writes: > >Though some may argue about the nose of the camel, it's worth noting that >the government proposal is limited to scrambled telephony. If it is only >used for that purpose, and does not extend to electronic mail or file >encryption, then it IS an improvement over the current mass-produced >standard civilian technology which, with a few exceptions, is limited to >easy-to-break inverters. > >Note that the big issue for the feds is the continued ability to wiretap. >Before we go off the deep end with long discusions about secure crypto for >e-mail and files, let's focus on this. > >One question that was not asked in the release is whether this proposal is >limited to telephony, or if the government intends to expand it. > >Though I share many of the concerns expressed by some, I find the proposal >less threatening than many others, since right now most Americans have no >secure telephony, and any jerk with a pair of clip leads and a "goat" can >eavesdrop. This would also plug up the security hole in cellular and >cordless phones. > >------- > >Reading between the lines, I infer that the system is highly secure >without access to the keys. This would meet the needs of U.S. businesses >confronted by rich and powerful adversaries, including French and Japanese >security services and rich Japanese companies. It allows the NSA to make >available some of its better stuff while protecting law enforcement needs. > >Most legitimate U.S. corporations trust the NSA, and would be delighted to >have a high-security system certified by them, even at the price of >depositing keys in escrow. I see no difficulty in creating a reliable >escrow. Corporations entrust their secrets to attorneys every day of the >week, and that system has worked pretty well. 
>
>From my point of view this is a fair starting point. There are concerns that
>need to be addressed, including the reliability of the escrows. But in
>return we get access to high-security crypto. Many have suggested that DES
>and other systems may be breakable by the NSA and hence others similarly
>skilled and endowed. There is at least a good possibility (which should be
>checked) that the proposed system is not so breakable. It doesn't have to
>be, nor does it have to have trapdoors, if the government can get the keys
>pursuant to a legitimate court order. Thus they can protect legitimate
>communications against economic adversaries, while still being able to
>eavesdrop on crooks pursuant to a court order.
>

Let me ask you this. Would you trust Richard Nixon with your crypto keys? I wouldn't.

Doug Holland

Newsgroup: sci.crypt
document_id: 15337
From: smb@research.att.com (Steven Bellovin)
Subject: Clipper chip -- technical details

I received the following two notes from Martin Hellman with details on how Clipper will work. They are posted with his permission. The implications of some details are fascinating.

-------

Date: Sat, 17 Apr 93 23:05:23 PDT
From: "Martin Hellman"
To: (a long list of recipients)
Subject: Clipper Chip

Most of you have seen the announcement in Friday's NY Times, etc. about NIST (National Institute of Standards & Technology) announcing the "Clipper Chip" crypto device. Several messages on the net have asked for more technical details, and some have been laboring under understandable misunderstandings given the lack of details in the news articles. So here to help out is your friendly NSA link: me. I was somewhat surprised Friday to get a call from the Agency which supplied many of the missing details.
I was told the info was public, so here it is (the cc of this to Dennis Branstad at NIST is mostly as a double check on my facts since I assume he is aware of all this; please let me know if I have anything wrong):

The Clipper Chip will have a secret crypto algorithm embedded in silicon. Each chip will have two secret, 80-bit keys. One will be the same for all chips (ie a system-wide key) and the other will be unit specific. I don't know what NIST and NSA will call them, but I will call them the system key SK and unit key UK in this message. The IC will be designed to be extremely difficult to reverse so that the system key can be kept secret. (Aside: It is clear that they also want to keep the algorithm secret and, in my opinion, it may be as much for that as this stated purpose.)

The unit key will be generated as the XOR of two 80-bit random numbers K1 and K2 (UK=K1+K2) which will be kept by the two escrow authorities. Who these escrow authorities will be is still to be decided by the Attorney General, but it was stressed to me that they will NOT be NSA or law enforcement agencies, that they must be parties acceptable to the users of the system as unbiased. When a law enforcement agency gets a court order, they will present it to these two escrow authorities and receive K1 and K2, thereby allowing access to the unit key UK.

In addition to the system key, each user will get to choose his or her own key and change it as often as desired. Call this key plain old K.
When a message is to be sent it will first be encrypted under K, then K will be encrypted under the unit key UK, and the serial number of the unit added to produce a three part message which will then be encrypted under the system key SK producing

    E{ E[M; K], E[K; UK], serial number; SK}

When a court order obtains K1 and K2, and thence K, the law enforcement agency will use SK to decrypt all information flowing on the suspected link [Aside: It is my guess that they may do this constantly on all links, with or without a court order, since it is almost impossible to tell which links over which a message will flow.] This gives the agency access to

    E[M; K], E[K; UK], serial number

in the above message. They then check the serial number of the unit and see if it is on the "watch list" for which they have a court order. If so, they will decrypt E[K; UK] to obtain K, and then decrypt E[M; K] to obtain M.

I am still in the process of assessing this scheme, so please do not take the above as any kind of endorsement of the proposed scheme. All I am trying to do is help all of us assess the scheme more knowledgeably. But I will say that the need for just one court order worries me. I would feel more comfortable (though not necessarily comfortable!) if two separate court orders were needed, one per escrow authority.

While no explanation is needed, the following story adds some color: In researching some ideas that Silvio Micali and I have been kicking around, I spoke with Gerald Gunther, the constitutional law expert here at Stanford, and he related the following story: When Edward Levi became Pres. Ford's attorney general (right after Watergate), he was visited by an FBI agent asking for "the wiretap authorizations." When Levi asked for the details so he could review the cases as required by law, the agent told him that his predecessors just turned over 40-50 blank, signed forms every time.
Levi did not comply and changed the system, but the lesson is clear: No single person or authority should have the power to authorize wiretaps (or worse yet, divulging of personal keys). Sometimes he or she will be an Edward Levi and sometimes a John Mitchell.

Martin Hellman

----

Date: Sun, 18 Apr 93 11:41:42 PDT
From: "Martin Hellman"
To: smb@research.att.com
Subject: Re: Clipper Chip

It is fine to post my previous message to sci.crypt if you also post this message with it in which:

1. I ask recipients to be sparse in their requesting further info from me or asking for comments on specific questions. By this posting I apologize for any messages I am unable to respond to. (I already spend too much time answering too much e-mail and am particularly overloaded this week with other responsibilities.)

2. I note a probable correction sent to me by Dorothy Denning. She met with the person from NSA that I talked with by phone, so her understanding is likely to be better than mine on this point: Where I said the transmitted info is

    E{ E[M; K], E[K; UK], serial number; SK}

she says the message is not double encrypted. The system key (or family key as she was told it is called) only encrypts the serial number or the serial number and the encrypted unit key. This is not a major difference, but I thought it should be mentioned and thank her for bringing it to my attention. It makes more sense since it cuts down on encryption computation overhead.

Newsgroup: sci.crypt
document_id: 15338
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

In article <1qnupd$jpm@news.intercon.com> amanda@intercon.com (Amanda Walker) writes:

From: amanda@intercon.com (Amanda Walker)

jhesse@netcom.com (John Hesse) writes:
> Oh great. Wonderful news. Nobody can listen in--except the feds.

Hey, it's better than the status quo.
I am far less worried about "the feds" tapping my phone than high school scanner surfers who get their kicks out of eavesdropping on cellular and cordless phone calls. I'm a political dissident. I'm scared shitless of the feds listening in on my calls. My opinions are the sort that would get me "disappeared" in a slightly less free society -- and who knows what sort of society we will be in in five or ten years? I have friends who have had their phones tapped -- none of this is theoretical to me. As for "its better than the status quo", well, first of all, you can get a cryptophone from companies like Cylink today -- and they work well. In addition, a number of groups are now working on building software to turn any PC into a privacy enhanced phone right now -- and they are all working in overdrive mode. And yes, I'd rather just see all crypto restrictions lifted, but this is at least an incrememental improvement for certain applications... There ARE no crypto restrictions... yet. You can use anything you want RIGHT NOW. The point is to maintain that right. -- Perry Metzger pmetzger@shearson.com -- Laissez faire, laissez passer. Le monde va de lui meme. Newsgroup: sci.crypt document_id: 15339 From: pmetzger@snark.shearson.com (Perry E. Metzger) Subject: Re: Once tapped, your code is no good any more. In article <1qovj8$74m@ni.umd.edu> louie@sayshell.umd.edu (Louis A. Mamakos) writes: In article tcmay@netcom.com (Timothy C. May) writes: >But is it any worse than the current unsecure system? It becomes much >worse, of course, if the government then uses this "Clinton Clipper" >to argue for restrictions on unapproved encryption. (This is the main >concern of most of us, I think. The camel's nose in the tent, etc.) Excuse me? This has *already* happened. There's a couple of humps in the tent already. Ask the folks at Qualcomm what became of the non-trivial encryption scheme they proposed for use in their CDMA digitial cellular phone standard? 
There *already* are restrictions in place. You have it slightly wrong. They dumped the encryption system because they could not export it -- not because they could not produce it for U.S. use. There are no legal restraints on citizen use of strong cryptography -- yet. -- Perry Metzger pmetzger@shearson.com -- Laissez faire, laissez passer. Le monde va de lui meme. Newsgroup: sci.crypt document_id: 15340 From: pmetzger@snark.shearson.com (Perry E. Metzger) Subject: are we being hysterical? No! In article <1qpg8fINN982@dns1.NMSU.Edu> amolitor@nmsu.edu (Andrew Molitor) writes: >In article > tcmay@netcom.com (Timothy C. May) writes: >> >>But is it any worse than the current unsecure system? It becomes much >>worse, of course, if the government then uses this "Clinton Clipper" >>to argue for restrictions on unapproved encryption. (This is the main >>concern of most of us, I think. The camel's nose in the tent, etc.) >> > Not to pick on Mr. May in particular, of course, but isn't this >kind of the domino theory? As John Gilmore has pointed out repeatedly, if you produce the infrastructure that would permit a police state to function, all that is required to suddenly find yourself living in one is a change of attitude on the part of the government. Our constitution was built by men who had to risk their lives to ensure freedom in our country. They designed the system to make it difficult for tyranny to arise. For instance, one of the reasons the fourth amendment was put there was to make it harder for the government to try to make smuggling a crime. Think I jest? John Hancock made all his money smuggling rum, which is, after all, a drug. Think about it. The government has everyones keys in escrow, and the FBI gets their pet "wiretap without leaving the office" scheme. There is a coup, which happens every day all around the world. Within hours, everyone in the country who might oppose the tyrants is being monitored more closely than ever before possible. 
Without the tools being in place, a tyranny cannot stand. With tools like this in place, a tyrannical dictatorship could actually be successfully imposed. Why give the government tools with which to enslave you? Maybe you can trust Bill Clinton, but are you willing to tell me that you can trust EVERY government that will ever arise in the U.S. hereafter? I am not willing to make that leap of faith. >>-Tim May, whose sig block may get him busted in the New Regime > ^^^^^^^^^^^^^^^^^^ > Isn't this just a little melodramatic? I'm a political dissident. As such, I am acutely aware of what happens to political dissidents in most of the world. In most of the world, I could be killed for my beliefs. Call Amnesty International some time to find out what happens to dissidents in most of the world. All that seperates the U.S. from most of those places is a thin piece of parchment in the National Archives thats being constantly more and more eroded by such farces as the war on drugs. Coups have happened in countries that have had stable democracies for over a hundred years. Governments throughout history have fallen. No government has lasted for more than a few hundred years. Often, they are replaced by dictatorships. Do you really believe so intensely that it could never ever ever happen here that you are willing to bet your own life and the lives of your children and other loved ones on it? If we construct the tools with which tyranny could be enforced, we make it orders of magnitude more likely that it could happen, because if it happened with the tools already in place it could actually stick. Naive fools such as our leadership believe they can protect us where hundreds that have gone before have failed. Thriving democracies led by men far more skillfull than Bill Clinton have fallen to dictatorship. Rome had a thriving republic run by exquisitely skilled men before they became a tyranny. I, for one, am unwilling to trust that it could never happen here. 
Only hubris would allow us to believe we are immune to what has happened elsewhere.

--
Perry Metzger pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
document_id: 15341
From: marc@mit.edu (Marc Horowitz N1NZU)
Subject: Re: The source of that announcement

In article tcmay@netcom.com (Timothy C. May) writes:

I know that at least one person on that list says the first he heard of Clipper was in the Friday morning newspaper! And another has already fired off a letter of protest to NIST. My point? I suspect this list, interesting as it is for various reasons, does not represent the cabal that put this proposal together. Some of them, yes. Others, no.

I received mail from Mitch Kapor saying that he did not ask to be on the list, and does not know why he was added. I'm sure the same applies to others on the list. So, I guess my initial theory was right, that the clipper list was just someone's idea of a bad joke. I guess I should be happy it wasn't a conspiracy.

Marc

--
Marc Horowitz N1NZU 617-253-7788

Newsgroup: sci.crypt
document_id: 15342
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Once tapped, your code is no good any more.

In article holland@CS.ColoState.EDU (douglas craig holland) writes:
>Note that measures to protect yourself from
>TEMPEST surveillance are still classified, as far as I know.

I think this to be inaccurate. One can buy TEMPEST equipment commercially. Even Macs.

David

--
David Sternlight
Great care has been taken to ensure the accuracy of our information, errors and omissions excepted.

Newsgroup: sci.crypt
document_id: 15343
From: djb@silverton.berkeley.edu (D. J. Bernstein)
Subject: Re: Clipper chip -- technical details

Short summary of what Bellovin says Hellman says the NSA says:

There is a global key G, plus one key U_C for each chip C. The user can choose a new session key K_P for each phone call P he makes. Chip C knows three keys: G, its own U_C, and the user's K_P.
The government as a whole knows G and every U_C. Apparently a message M is encrypted as

    E_G(E_{U_C}(K_P),C) , E_{K_P}(M).

That's it.

The system as described here can't possibly work. What happens when someone plugs the above ciphertext into a receiving chip? To get M the receiving chip needs K_P; to get K_P the receiving chip needs U_C. The only information it can work with is C. If U_C can be computed from C then the system is cryptographically useless and the ``key escrow'' is bullshit. Otherwise how is a message decrypted?

---Dan

Newsgroup: sci.crypt
document_id: 15344
Subject: Re: Once tapped, your code is no good any more.
From: steiner@jupiter.cse.utoledo.edu (Jason 'Think!' Steiner)

douglas craig holland (holland@CS.ColoState.EDU) writes:
>
> With E-Mail, if they can't break your PGP encryption, they'll just
> call up one of their TEMPEST trucks and read the electromagnetic
> emissions from your computer or terminal. Note that measures to
> protect yourself from TEMPEST surveillance are still classified, as
> far as I know.

are LCD displays vulnerable to tempest?

> If the new regime comes to fruition, make sure you protect your First
> Amendment rights by asserting your Second Amendment Rights.

i'll second that.

jason

--
"I stood up on my van. I yelled, `Excuse me, sir. Ain't nothing wrong with this country that a few plastic explosives won't cure!'" - Steve Taylor, I Blew Up the Clinic Real Good
`,`,`,`,`,`,`,`,`,`,`,`,`,`,`,`,`,` steiner@jupiter.cse.utoledo.edu `,`,`,`

Newsgroup: sci.crypt
document_id: 15345
From: amolitor@nmsu.edu (Andrew Molitor)
Subject: Re: Once tapped, your code is no good any more.

al@escom.COM (Al Donaldson) writes:
>amolitor@nmsu.edu (Andrew Molitor) writes:
>>Yes, those evil guys in the FBI can probably, with some
>>effort, abuse the system. I got news for you, if the evil guys in
>>the FBI decide they want to persecute you, they're gonna, ...
> >And if Richard Nixon had had this kind of toy, he wouldn't have had >to send people into the Watergate. > This appears to be generic calling upon the name of the anti-christ. Just for the hell of it, let's destroy this remark. Let us imagine that the executive branch actually could extract keys from the escrow houses without anyone knowing, or telling. Now what? Dick has 80 bits of data. What the hell's he gonna do with it? 1) Trot around to the telco and say 'we'd like an unauthorised decrypting tap'. Uh huh. 2) Break in to watergate and install his own tap (so his people still do have to break in, neat, huh?) record some noise, then get the Executive Branch Phone Decryption Box (huh? they've got one? Goodness, wait 'til the washington post gets hold of this) and decrypt the noise. 3) More likely, stare at the key, and say 'Oh, hell it's not worth all this bloody hassle' Truth is, even granted *lots* of covert power on the part of the Executive Branch, this system is *more* difficult to tap with than POTS gear. The fact that it is easier to tap than some hypothetical system neither you nor I am going to place on our phones is neither here nor there. The only rational concerns I am seeing raised are: a) is the key really just chopped in half, and not some XOR arrangement? That is, has some egregious technical error been built in to the plan? b) is this is the first step toward strict regulation of strong encryption? >But that's not really the issue. The real issue is whether this >will be used to justify a ban against individuals' use of private >(i.e., anything else) encryption methods. This is b), of course. I suspect not. If the government actually wanted to make such regs, they'd just do it. A few hundred people on Usenet yelling about it wouldn't even slow the machine down. Besides, who is this mysterious 'they' who's going to take away all our rights the instant we let our guard down? Congress? That gang of buffoons can't even balance their checkbooks. 
The FBI? But.. they don't make the laws. The NSA? Ditto. The white house? Bill Clinton is probably still looking for the bathroom. It's a big place, after all. Andrew > >Al Newsgroup: sci.crypt document_id: 15346 From: uni@acs.bu.edu (Shaen Bernhardt) Subject: Re: An Open Letter to Mr. Clinton In article schneier@chinet.chi.il.us (Bruce Schneier) writes: >In article strnlght@netcom.com (David Sternlight) writes: >> >>Here's a simple way to convert the Clipper proposal to an unexceptionable >>one: Make it voluntary. >> >>That is--you get high quality secure NSA classified technology if you agree >>to escrow your key. Otherwise you are on your own. >> > >As long as "you are on your own" means that you can use your own encryption, >I'm sold. > >Bruce As am I If "high quality secure NSA classified technology" means handing my key over to whomever, I'll take PGP any day. Right now they are billing it as voluntary, i.e. bend over, here it comes. As soon as enough Wiretap chip based units are out there, how much easier do you think it will be to redefine "on your own" to mean write it yourself and don't even THINK about distributing it...? Get honest, no one is going to buy this trash if they KNOW it's compromised already, and less will buy it if the algorithm is not disclosed. The NSA knows that making this stuff available to the public means handing it to whatever foreign powers are interested in the process. Since when has export control stopped anyone (especially software wise) Ask yourself carefully if " high quality secure NSA classified technology " is something they are going to hand out. Not unless you can drive a NSA van through the holes. uni (Dark) -- uni@acs.bu.edu -> Public Keys by finger and/or request Public Key Archives at DF610670F2467B99 97DE2B5C3749148C Sovereignty is the sign of a brutal past. Cryptography is not a crime. Fight the Big Brother Proposal! Newsgroup: sci.crypt document_id: 15347 From: sphughes@sfsuvax1.sfsu.edu (Shaun P. 
Hughes) Subject: Who should be hearing my views on Clipper ? Being a browser of this group for some time, and being very concerned about the clipper chip proposal, I am hoping someone with more knowledge can help out. Who would be the most influential people to write to, protesting the obvious next step hinted at by this proposal ? (Heads of what committees, etc.) What are the major flaws in the plan ? (From a cryptological standpoint) -- Shaun P. Hughes "Facts are Stupid Things." sphughes@sfsuvax1.sfsu.edu Ronald Reagan Republican National Finger for PGP 2.2 Public Key Convention 1988 Newsgroup: sci.crypt document_id: 15348 From: hallam@dscomsa.desy.de (Phill Hallam-Baker) Subject: Re: Once tapped, your code is no good any more. In article <1993Apr18.022011.15502@ringer.cs.utsa.edu>, whughes@lonestar.utsa.edu (William W. Hughes) writes: |>In article <1qpg8fINN982@dns1.NMSU.Edu> amolitor@nmsu.edu |>(Andrew Molitor) writes: |>>In article |>>tcmay@netcom.com (Timothy C. May) writes: |>> |>>>-Tim May, whose sig block may get him busted in the New Regime |>> ^^^^^^^^^^^^^^^^^^ |>>Isn't this just a little melodramatic? |> |>Not at all. Two weeks ago I registered a concern about some programming |>that was being conducted by a student organisation here at the |>University of Texas at San Antonio. As a result, I was interrogated |>by the capus police, who also attempted to create a positive-identification |>file (photo, fingerprints, etc.). I refused to permit this, and filed a |>complaint with the University administration. The Vice-President for |>Business Affairs (the 'boss' of the campus police) stated that he had no |>interest in the legal/Constitutional implications of those actions. In article , johnson@trwacs.fp.trw.com (Steve Johnson) writes: |> A remark I heard the other day is beginning to take on increasingly |>frightening significance. 
The comment was made that "In other parts of the world the Democrats [note the big "D"] would be known as Socialists".

We might get further if we begin by accepting that the government really couldn't be bothered less about the political opinions of the right wing pro establishment types. Just about the only circumstances in which I could think that they would be interested in their political views would be to recruit them as spooks. They can be guaranteed to give the government line when it counts. In US history it has been the socialists such as myself who have been persecuted.

Now before people start asserting that there is no mechanism by which the administration can get their new chip adopted without legal force, let's try thinking.

In the first place the Clipper chip must have existed for several years as a defense project. Therefore this is not a party matter at all. George Bush was in any case hardly averse to tapping calls; he was chief spook, remember.

Secondly the govt can quite easily apply pressure. They simply "ask" their chums who they give huge defense contracts to (Motorola etc.) to be "nice" boys. After all Bill is giving them a nice little trade monopoly since the chips won't be available to foreign firms.

Thirdly the people who consider the Democrats to be socialist are not the same as the ones who consider socialists to be communist. People might know this if the US education system did not suffer from the McCarthyite and Dewey version of political correctness - the sort with tribunals and show trials. Ever seen Ed Meese pissed? I have, it was when he said that socialism and communism were the same thing and brought the house down with laughter. It took several minutes before we realised that he was serious.

Phill Hallam-Baker

Newsgroup: sci.crypt
document_id: 15349
From: artmel@well.sf.ca.us (Arthur Melnick)
Subject: Big Brother (Clipper) chip

There are some issues which come to mind when one considers the law enforcement aspects of the use of the Big Brother (Clipper) chip.

The drug dealers and terrorists aren't going to let themselves be caught by using this type of encryption. In 1985 the New York Times reported that government investigators broke up a narcotics ring that was operating highly sophisticated equipment capable of allowing the leaders of the ring to eavesdrop on the law-enforcement agents who were trying to arrest them. A Mr. Deely, an NSA official, said "There are a lot of medium-sized countries that would have been proud to have the signals intelligence operation of this group." For every John Gotti there are probably many more people who have the sophistication to know what the risks of insecure communications are. The press given to the Big Brother chip will only increase their numbers.

Even if there is some benefit to law-enforcement through the use of Big Brother, it must be weighed against the constitutional and civil liberties questions involved. For example, in some areas of the world torture is used as an investigative tool by the local "law-enforcement" people. I suspect it is an effective means of obtaining information and shortening many investigations. It probably also helps keep the conviction rate high. The fact that the torture tool is not used in this country (even with a court order obtained by showing "probable cause") is because we have rightly balanced the questions of expediency and what is ethically and morally right. I think that the same question of expediency versus morality should come into play when considering the use of Big Brother. I vote for morality.

I am quite disturbed by what I interpret as a veiled threat to prohibit the use of all encryption if this Big Brother chip is not put into widespread use. After a quick reading of the White House press release I came away with that impression.

To most of the American public, the word "hacker" has rightly or wrongly come to mean "high tech adolescent vandal". It has struck me that most of the people posting to sci.crypt regarding this issue are intelligent, thoughtful individuals who have genuine concerns about the privacy and constitutional issues surrounding Big Brother. I hope that the use of Big Brother does not become mandatory and other encryption become illegal. I would hate to see this become some kind of high tech Volstead Act.

The high speed digital communications revolution is coming at us with the speed of an SST. The times they are a changing, and just as IBM is learning that they can't do business the same way they have done it for the past 40 years, maybe NSA should evaluate another approach. EFF, who have correctly questioned the cryptographic strength of Big Brother, may need to send a stronger message out regarding the constitutional issues involved. Al Gore may want to think this one through a little more. And as for Dorothy Elizabeth Robling Denning: En quoi cela vous concerne, cheri? (How does this concern you, dear?)

Newsgroup: sci.crypt
document_id: 15350
From: C445585@mizzou1.missouri.edu (John Kelsey)
Subject: Clipper chip and key exchange methods

I was wanting to ask the same question Dan Bernstein asked--how does the Clipper chip exchange keys? If the public key is only 80 or 160 bits long, does anyone know of any public-key schemes that are secure with that key size? (Diffie-Hellman or maybe El Gamal, with p set to a constant value?)

Presumably, the real scheme is something like:

1. Exchange/verify public keys.
2. Send encrypted (randomly-generated) session key.
3. Encrypt / Decrypt voice traffic with some sort of fast stream cipher.

Can anyone elaborate on this, or show me what I'm missing here?

--John Kelsey, c445585@mizzou1.missouri.edu

Newsgroup: sci.crypt
document_id: 15351
From: rclark@nyx.cs.du.edu
Subject: Re: Is there ANY security in the Clipper?

zeev@ccc.amdahl.com (Ze'ev Wurman) writes:
>But do we really believe that the various governments
>(including ours) won't have the full lists of all the keys ever manufactured?

Yes, but they'll be encrypted with Cripple Chip encryption, the encryption algorithm so great it's TOP SECRET and so unbreakable they WON'T EVEN LET YOU LOOK AT IT! Doesn't that make you feel SECURE?

----
Robert W. Clark          Just Say No! to the
rclark@nyx.cs.du.edu     Big Brother Chip

Newsgroup: sci.crypt
document_id: 15352
From: jyork@iastate.edu (Justin York)
Subject: Clipper Chip - How would it work?

With all the talk about this Clipper chip, I have developed one question... HOW DOES IT WORK??? If you use this, then how does it get decrypted on the other end? Does the other party (receiving the phone call/mail/etc) have to know some code to undo it? Do I use a different method for calling one party than I would for another? If the other party can decrypt it, doesn't that mean that someone else could also? I assume that if everyone has a different key, the only use would be storing secure data for later retrieval by the same key.

This seems like a fundamental question to me, but I have very little experience with cryptosystems, other than DES. If someone could give me an explanation as to how it would be used (remember that I have had little experience with this sort of thing) it would be very much appreciated.

Justin York
jyork@iastate.edu

Newsgroup: sci.crypt
document_id: 15353
From: rogue@ccs.northeastern.edu (Free Radical)
Subject: Re: Once tapped, your code is no good any more.

In article holland@CS.ColoState.EDU (douglas craig holland) writes:
[...]
> With E-Mail, if they can't break your PGP encryption, they'll just
>call up one of their TEMPEST trucks and read the electromagnetic emissions
>from your computer or terminal. Note that measures to protect yourself from
>TEMPEST surveillance are still classified, as far as I know.

I don't know about classified, but I do seem to remember that unless you're authorized by the Govt, it's illegal to TEMPEST-shield your equipment. Besides, effective TEMPEST-shielding is much more difficult than you might think (hi Jim!).

RA
rogue@cs.neu.edu (Rogue Agent/SoD!)
-----------------------------------
The NSA is now funding research not only in cryptography, but in all areas of advanced mathematics. If you'd like a circular describing these new research opportunities, just pick up your phone, call your mother, and ask for one.

Newsgroup: sci.crypt
document_id: 15354
From: prz@sage.cgd.ucar.edu (Philip Zimmermann)
Subject: Fighting the Clipper Initiative

Here are some ideas for those of you who want to oppose the White House Clipper chip crypto initiative. I think this is going to be a tough measure to fight, since the Government has invested a lot of resources in developing this high-profile initiative. They are serious about it now. It won't be as easy as it was defeating Senate Bill 266 in 1991.

Possible actions to take in response:

1) Mobilize your friends to do all the things on this list, and more.

2) Work the Press. Talk with your local newspaper's science and technology reporter. Write to your favorite trade rags. Better yet, write some articles yourself for your favorite magazines or newspapers. Explain why the Clipper chip initiative is a bad idea. Remember to tailor it to your audience. The general public may be slow to grasp why it's a bad idea, since it seems so technical and arcane and innocent sounding. Try not to come across as a flaming libertarian paranoid extremist, even if you are one.

3) Lobby Congress. Write letters and make phone calls to your Member of Congress in your own district, as well as your two US Senators. Many Members of Congress have aides that advise them of technology issues. Talk to those aides.

4) Involve your local political parties. The Libertarian party would certainly be interested. There are also libertarian wings of the Democrat and Republican parties. The right to privacy has a surprisingly broad appeal, spanning all parts of the political spectrum. We have many natural allies. The ACLU. The NRA. Other activist groups that may someday find themselves facing a government that can suppress them much more efficiently if these trends play themselves out. But you must articulate our arguments well if you want to draw in people who are not familiar with these issues.

5) Contribute money to the Electronic Frontier Foundation (EFF) and Computer Professionals for Social Responsibility (CPSR), assuming these groups will fight this initiative. They need money for legal expenses and lobbying.

6) Mobilize opposition in industry. Companies that will presumably develop products that will incorporate the Clipper chip should be lobbied against it, from within and from without. If you work for a telecommunications equipment vendor, first enlist the aid of your coworkers and fellow engineers against this initiative, and then present your company's management with a united front of engineering talent against this initiative. Write persuasive memos to your management, with your name and your colleagues' names on it. Hold meetings on it.

7) Publicize, deploy and entrench as much guerrilla techno-monkeywrenching apparatus as you can. That means PGP, anonymous mail forwarding systems based on PGP, PGP key servers, etc. The widespread availability of this kind of technology might also be used as an argument that it can't be effectively suppressed by Government action. I will also be working to develop new useful tools for these purposes.

8) Be prepared to engage in an impending public policy debate on this topic. We don't know yet how tough this fight will be, so we may have to compromise to get most of what we want. If we can't outright defeat it, we may have to live with a modified version of this Clipper chip plan in the end. So we'd better be prepared to analyze the Government's plan, and articulate how we want it modified.

-Philip Zimmermann

Newsgroup: sci.crypt
document_id: 15355
From: mcbeeb@atlantis.CSOS.ORST.EDU (Brian Mcbee)
Subject: How can clipper stay classified?

Maybe I don't know enough to know what I am asking, but with millions of these things about, how could the algorithm possibly stay secret? Couldn't some clever hackers just grind the thing down layer by layer, and see how it worked?

--
----
Brian McBee mcbeeb@atlantis.cs.orst.edu
Finger me for PGP 2.1 key

Newsgroup: sci.crypt
document_id: 15356
From: johnl@iecc.cambridge.ma.us (John R. Levine)
Subject: Why the clipper algorithm is secret

>The cryptographic protocol, though, is another matter. I see no valid
>reasons for keeping it secret, and -- as I hope I've shown above -- there
>are a lot of ways to do things that aren't (quite) as bad.

It just occurred to me why the algorithm is secret. If it were published, one could then build physically identical clone versions of the chip that would interoperate with official Clipper chips. But the cloner wouldn't provide the keys to the escrow houses. Hmmn.

Or is there a technical hack that I've missed? E.g. how about if the chips were made unprogrammed but serialized, and then shipped to the two escrow houses who programmed in their halves of the keys, but in a way that requires that secret keys known only to the escrow houses be installed as well, without which clone versions wouldn't interoperate? This is getting awfully complicated, but that's crypto for you.

--
John R. Levine, IECC, POB 349, Cambridge MA 02238, +1 617 492 3869
johnl@iecc.cambridge.ma.us, {ima|spdcc|world}!iecc!johnl
"Time is Money! Steal some today!"

Newsgroup: sci.crypt
document_id: 15357
From: rjc@hal.gnu.ai.mit.edu (Ray)
Subject: Re: Once tapped, your code is no good any more.

In article hallam@zeus02.desy.de writes:
>views would be to recruit them as spooks. They can be guaranteed to give
>the government line when it counts. In US history it has been the
>socialists such as myself who have been persecuted.

And in Russia, capitalists were persecuted for trading goods on the black market. And in the US, capitalist minded types are imprisoned and killed for things such as selling drugs, guns, pornography, and other victimless activities. It doesn't matter whether you are socialist or capitalist, power and control are central to government. Since citizens can't be trusted to run their own affairs, the government must watch them. (For their own good of course. I mean, with strong cryptography, citizens might start to hide things from the IRS, sell drugs/guns/pornography, and that cannot be allowed!)

>trials. Ever seen Ed Meese pissed? I have, it was when he said that socialism
>and communism were the same thing and brought the house down with laughter.
>It took several minutes before we realised that he was serious.

Not very surprising to anyone who believes in "hands off" government. If you believe that your private life (both social and financial) are none of anyone else's business, the difference between socialism and communism is like the difference between murder by lethal injection or by chainsaw. The more centralized the economy is, the more potential abuses for accumulation of information on individuals. If you think credit companies are bad, ... Well, I'm sure a democratic socialist society would vote for absolute privacy of all citizens -- NOT!
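The key-handling questions raised in this part of the thread (John Kelsey's three-step outline above, John Levine's clone-chip question above, and the E_G(E_{U_C}(K_P), C), E_{K_P}(M) summary attributed to D. J. Bernstein that is quoted in the posts that follow) can be made concrete with a small model. The Python below is an added example written for this page, not code from any poster or from the Clipper programme. It assumes a toy 64-bit Diffie-Hellman group, an HMAC-SHA256 keystream standing in for the chip's cipher (which was classified when these posts were written), 80-bit session keys as the posts discuss, made-up chip serials 1001, 1002 and 9999, and a dictionary of unit keys playing the role of the escrow agents' table.

```python
"""Toy model of the Clipper key handling discussed in this thread.  Added
example for this page, not code from any poster or from the Clipper programme.
The phones agree a session key K_P themselves (Diffie-Hellman here); traffic
is E_{K_P}(M); the sending chip also emits the escrow header
E_G(E_{U_C}(K_P), C) so that a holder of the global key G and of chip C's unit
key U_C can recover K_P.  The receiver never needs the header.  Assumptions:
a 64-bit toy DH group, an HMAC-SHA256 keystream standing in for the chip's
(then classified) cipher, 80-bit session keys, made-up serials and unit keys.
Nothing here is secure; it only shows the data flow."""
import hashlib
import hmac
import secrets

DH_P = 0xFFFFFFFFFFFFFFC5   # 2**64 - 59, prime; far too small for real use
DH_G = 2
NONCE_LEN = 12
SESSION_KEY_LEN = 10        # 80-bit K_P, the size the posts discuss
SERIAL_LEN = 4


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode; stands in for the chip's cipher."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def dh_keypair():
    priv = secrets.randbelow(DH_P - 2) + 1
    return priv, pow(DH_G, priv, DH_P)


def dh_session_key(my_priv: int, their_pub: int) -> bytes:
    shared = pow(their_pub, my_priv, DH_P)
    return hashlib.sha256(shared.to_bytes(8, "big")).digest()[:SESSION_KEY_LEN]


class Chip:
    """A chip C knows G, its own U_C and its serial; K_P is handed to it per call."""

    def __init__(self, serial: int, unit_key: bytes, global_key: bytes):
        self.serial, self.unit_key, self.global_key = serial, unit_key, global_key

    def escrow_header(self, session_key: bytes) -> bytes:
        inner = encrypt(self.unit_key, session_key)                 # E_{U_C}(K_P)
        return encrypt(self.global_key, inner + self.serial.to_bytes(SERIAL_LEN, "big"))

    def send(self, session_key: bytes, message: bytes):
        return self.escrow_header(session_key), encrypt(session_key, message)


def escrow_recover(global_key: bytes, unit_keys: dict, header: bytes, traffic: bytes):
    """Escrow side: open the header with G, read C, unwrap K_P with U_C, read
    the traffic.  Returns None if C is not in the unit-key table (the header
    did not come from an escrowed chip, or was not made under this G)."""
    opened = decrypt(global_key, header)
    inner, serial = opened[:-SERIAL_LEN], int.from_bytes(opened[-SERIAL_LEN:], "big")
    if serial not in unit_keys:
        return None
    return serial, decrypt(decrypt(unit_keys[serial], inner), traffic)


def run_call(message: bytes, clone: bool = False) -> dict:
    global_key = secrets.token_bytes(32)
    unit_keys = {1001: secrets.token_bytes(32), 1002: secrets.token_bytes(32)}  # escrow table
    # A clone chip (Levine's case) carries a serial and keys the escrow side never saw.
    sender = (Chip(9999, secrets.token_bytes(32), secrets.token_bytes(32)) if clone
              else Chip(1001, unit_keys[1001], global_key))
    a_priv, a_pub = dh_keypair()          # steps 1-2 of Kelsey's outline:
    b_priv, b_pub = dh_keypair()          # exchange public values, derive K_P
    k_send, k_recv = dh_session_key(a_priv, b_pub), dh_session_key(b_priv, a_pub)
    header, traffic = sender.send(k_send, message)   # step 3, plus the header
    return {
        "keys_agree": k_send == k_recv,
        "receiver_reads": decrypt(k_recv, traffic),   # uses K_P only, no header
        "escrow": escrow_recover(global_key, unit_keys, header, traffic),
    }


if __name__ == "__main__":
    print(run_call(b"meet at noon"))
    print(run_call(b"meet at noon", clone=True))
```

Running it shows the point Bellovin makes later in the thread: the receiving phone decrypts with the K_P it derived itself and never needs U_C, while the escrow side opens the header with G, reads C, unwraps K_P with U_C and reads the traffic. With clone=True the sender has a serial and keys the escrow table does not contain; the far end still reads the call, but escrow_recover returns None, which is exactly Levine's cloning concern. The stand-in cipher has no integrity check, so a wrong key yields garbage rather than an error.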
Newsgroup: sci.crypt
document_id: 15358
From: Marc VanHeyningen
Subject: Re: Clipper chip -- technical details

Thus said djb@silverton.berkeley.edu (D. J. Bernstein):
>Short summary of what Bellovin says Hellman says the NSA says: There is
>a global key G, plus one key U_C for each chip C. The user can choose a
>new session key K_P for each phone call P he makes. Chip C knows three
>keys: G, its own U_C, and the user's K_P. The government as a whole
>knows G and every U_C. Apparently a message M is encrypted as
>E_G(E_{U_C}(K_P),C) , E_{K_P}(M). That's it.
>
>The system as described here can't possibly work. What happens when
>someone plugs the above ciphertext into a receiving chip? To get M
>the receiving chip needs K_P; to get K_P the receiving chip needs U_C.
>The only information it can work with is C. If U_C can be computed
>from C then the system is cryptographically useless and the ``key
>escrow'' is bullshit. Otherwise how is a message decrypted?

Given the description of the algorithm given, the only plausible explanation I can find is that K_P must be agreed to out of bandwidth in advance by the two parties; i.e. it's a standard shared symmetric key.

--
Marc VanHeyningen  mvanheyn@cs.indiana.edu  MIME & RIPEM accepted
Security through Diversion: n. Theory which states that the public availability of good computer games is vital to maintaining system safety. Contrast Security through Obscurity.

Newsgroup: sci.crypt
document_id: 15359
From: amolitor@moink.nmsu.edu (Andrew Molitor)
Subject: What the clipper nay-sayers sound like to me.

The following is available in some FTP archive somewhere, I insert my comments liberally throughout this demonic memo of Big Brotherdom:

> White House Announcement on Screw Thread Standards
> --------------------------------------------------
>
> This is to announce that the American National Standards
>Institute (or whatever it is) has been given the authority to define
>standard dimensions for screw threads.

Look! This is clearly the first step toward outlawing our own screw thread specifications. If this madness isn't fought, tooth and nail, every step of the way, it'll be a crime to use screw threads other than those our Fearless Leaders so *graciously* define for us.

> The purpose of this is to permit industry to draw upon a standard
>pool of specifications and designations, to ensure interoperability of
>various threaded objects across vendors.

Rubbish, I say! ANSI standard screw threads will have subtle weaknesses, allowing their agents to disassemble our automobiles more easily, causing our mufflers to fall off at inopportune moments.

> Questions and Answers on the ANSI screw thread standards
> --------------------------------------------------------
>
>Q: Will the screw threads defined by ANSI be as good as other screw thread
>designs available elsewhere?
>
>A: Yes.

Hah! "trust us"

>Q: Will I be able to use my own screw threads if I desire?
>
>A: Of course, but this will make your threaded objects unlikely to
>interoperate correctly with others within the industry.

See??! See? This is the first step. It is clear we must band together, write your congressman! Use Pretty Good Screw Threads, not this devil-inspired ANSI trash. Protect your constitutional right to use whatever screw thread you desire. Guerrilla Screw Thread Activism must become the order of the day. Boycott GM, and build your own car, using screws from STZ Screw Thread Associates. Screw you, Bill Clinton! You and your totalitarianist thugs!

------------------------------------------------------------------------
amolitor@nmsu.edu | finger for PGST personal screw thread pitch, or
Screw Threads     | see the screw thread servers.
must be freed!    |
------------------------------------------------------------------------

Newsgroup: sci.crypt
document_id: 15360
From: howland@noc.arc.nasa.gov (Curt Howland)
Subject: Re: White House Wiretap Chip Disinformation Sheet

|> The Attorney General will procure and utilize encryption devices to
|> the extent needed to preserve the government's ability to conduct
|> lawful electronic surveillance and to fulfill the need for secure
|> law enforcement communications. Further, the Attorney General
|> shall utilize funds from the Department of Justice Asset Forfeiture
|> Super Surplus Fund to effect this purchase.

This is the one part that really scares me. Without the keys, it can likely be determined if a person is using the "State Approved" encryption method, and if not then that person's life is forfeit, and the profits go to making more busts, and more profit.

"Power corrupts. Absolute power corrupts absolutely."

Human nature has not changed very much in only a few hundred years....

---
Curt Howland  howland@nsipo.nasa.gov
NSI Operations Center  NASA Ames  (800) 424-9920

Newsgroup: sci.crypt
document_id: 15361
From: ns111310@LANCE.ColoState.Edu (Nathaniel Sammons)
Subject: Re: What the clipper nay-sayers sound like to me.

[... a bunch of well-meaning (maybe) cynical text about screw-thread sizes, the rights of people to have their own standards, and the non-right of the gov. to regulate screw-threads...]

Well, as funny as your little comment may seem, it has very little to do with your personal privacy as a citizen, and about the government being able to look at everything you have ever typed into a computer at one point or another. This "Clipper Chip" stuff is the seeds for nightmares to make the Nightmare on Elm Street cheese-on-celluloid movies look like episodes of Mr. Rogers' Neighborhood.

IF the gov establishes a cryptography standard that has to be used by everyone, and everyone's personal key is divided into two segments and stored at two separate, albeit easy to find places, and that key is only 80 bits to begin with, we are screwed (pardon the allusion to the aforementioned article)! The gov, I believe, as do many others, probably already have the cracking chips for this Clipper Chip made. Hell, they probably based the encoder on the chip that cracks it, that way it's easier to break the code, but since it is a classified algorithm, no one knows that they can crack it so easily.

I, for one, am quite scared of this kind of thing, and plan to support organizations (and even disorganizations) who are fighting against this Clipper Chip in any way that I can. I do not want the government to be able to have access, even with a search warrant, to my keys... and I don't want those keys to be only 80 bits long to begin with!

-nate sammons

o---------------------------+======================================o
| "I hate quotations.       | This message brought you by          |
| Tell me what you know."   | Nate Sammons, and the number 42.     |
| --Ralph Waldo Emerson     | ns111310@longs.lance.colostate.edu   |
o---------------------------+======================================o

Newsgroup: sci.crypt
document_id: 15362
From: jed@pollux.usc.edu (Jonathan DeMarrais)
Subject: Crypto Conference

I need to know the following information about the upcoming Crypto Conference: the address to submit articles, and the number of copies needed.

Thanks,
Jonathan DeMarrais
jed@pollux.usc.edu

--
---
Jay  jed@pollux.usc.edu  (University of Southern California)
What a depressingly stupid machine.  Marvin

Newsgroup: sci.crypt
document_id: 15363
From: pgf@srl03.cacs.usl.edu (Phil G. Fraering)
Subject: Re: Once tapped, your code is no good any more.

strnlght@netcom.com (David Sternlight) writes:
>What follows is my opinion. It is not asserted to be "the truth" so no
>flames, please.
>It comes out of a background of 20 years as a senior
>corporate staff executive in two Fortune 50 companies.

>I'd be happy to use a crypto system supplied by the NSA for business, if
>they told me it was more secure than DES, and in particular resistant to
>attempts by Japanese, French, and other competitive companies and
>governments to break.

>I'd be happy to do so even with escrowed keys, provided I was happy about
>the bona fides of the escrow agencies (the Federal Reserve would certainly
>satisfy me, as would something set up by one of the big 8 accounting firms).

>I'd trust the NSA or the President if they stated there were no trap
>doors--I'd be even happier if a committee of independent experts examined
>the thing under seal of secrecy and reported back that it was secure.

>I'd trust something from the NSA long before I'd trust something from some
>Swiss or anybody Japanese.

A lot of us out here in the hinterland will trust the Japanese before we'll trust the NSA, the President, or those stupid Fortune 50 companies you're so proud of.

>This may seem surprising to some here, but I suggest most corporations would
>feel the same way. Most/many/some (pick one) corporations have an attitude
>that the NSA is part of our government and "we support our government", as
>one very famous CEO put it to me one day.

>Just some perspective from another point of view.

And since the Japanese corps aren't part of our "government/governors" they may be more trusted out there than you are. People are getting tired of this "be patriotic, do whatever we say without question, and pay more taxes" attitude that comes from America's political party... or should that be caste?

>--
>David Sternlight  Great care has been taken to ensure the accuracy of
>our information, errors and omissions excepted.

--
Phil Fraering         |"Seems like every day we find out all sorts of stuff.
pgf@srl02.cacs.usl.edu|Like how the ancient Mayans had television."
                      |                                    Repo Man

Newsgroup: sci.crypt
document_id: 15364
From: pgf@srl03.cacs.usl.edu (Phil G. Fraering)
Subject: Re: Once tapped, your code is no good any more.

holland@CS.ColoState.EDU (douglas craig holland) writes:
> With E-Mail, if they can't break your PGP encryption, they'll just
>call up one of their TEMPEST trucks and read the electromagnetic emissions
>from your computer or terminal. Note that measures to protect yourself from
>TEMPEST surveillance are still classified, as far as I know.

1. I don't think they are classified.

2. I could independently invent about half a dozen right off the top of my head. If I had studied Advanced E & M a little better, I could probably come up with a _very_ good system.

...

> If the new regime comes to fruition, make sure you protect your First
>Amendment rights by asserting your Second Amendment Rights.

> Doug Holland

--
Phil Fraering         |"Seems like every day we find out all sorts of stuff.
pgf@srl02.cacs.usl.edu|Like how the ancient Mayans had television."
                      |                                    Repo Man

Newsgroup: sci.crypt
document_id: 15365
From: mkagalen@lynx.dac.northeastern.edu (michael kagalenko)
Subject: Some thoughts on Clipper proposal

I envision incorporation of new standard into various communication systems, thus making it prevalent on the market & therefore cheap. The way to do that may be detaching crypto chip from communication equipment. It seems logical to provide Clipper chip to the end-user not as a part of phone, fax, modem & like but in the form of smart-card compatible with various telecomm. products. Banks will encourage extensive use of new cards to make transactions by phone. Natural step will be to cross-reference this card to the person in the government databases - or else this new version of "wiretap proposal" makes no sense at all; one wishes to eavesdrop on the particular person, not on the particular modem or phone.

As a side note, I disagree with one poster, who said he won't care about ability of the government to eavesdrop, since they can do that now anyway. Clipper will take away electronic surveillance from citizens, making it monopoly of the government. Maybe we can find examples when interceptions made by (unauthorised) people uncovered crimes of state officials?

--
--------------------------------------------------------------------------------
For PGP2.1 public key finger mkagalen@lynx.dac.northeastern.edu
--------------------------------------------------------------------------------

Newsgroup: sci.crypt
document_id: 15366
From: tribe831@snake.cs.uidaho.edu (Mr. Duane Tribe; Esq.)
Subject: Underground encryption (was Re: text of White House announcement ...)

In article <1qmugcINNpu9@gap.caltech.edu> hal@cco.caltech.edu (Hal Finney) writes:
>It looks like the worst nightmares raised by Dorothy Denning's proposals
>are coming true. If the government continues on this course, I imagine
>that we will see strong cryptography made illegal. Encryption programs
>for disk files and email, as well as software to allow for encrypted
>voice communications, will be distributed only through the
>"underground". People will have to learn how to hide the fact that
>they are protecting their privacy.

Some thoughts:

Has any work been done on encapsulating encrypted data inside "non-encrypted" data files? Many file formats can be written with "gaps" in them to hide other data. New file formats could be designed to have alternate data hidden by dispersing it amongst the "legitimate" data. The hidden data would only show up with the right key(s), and a file with hidden data would be indistinguishable from one without. So, only the correct key(s) would reveal the presence of an "illegal" document.

If I devise a custom file compression algorithm and only I and a friend have the uncompressor, and otherwise the file appears to be total gibberish, do I have the right to transmit the file? Will we have to "escrow" all our data file formats? Are gangs required to escrow their hand signals, colors and catch phrases?

I think that it's important to evaluate the content of electronic speech by replacing the media with pen and paper or verbal speech and then re-ask the question.

Newsgroup: sci.crypt
document_id: 15367
From: "Douglas Johnson"
Subject: Unix crypt for DOS

I've recently moved from Unix to a DOS box and have a number of files that I used crypt to "protect". Does anyone know of a DOS version of crypt? I've found one, but it insists on six letter keys and I used some shorter ones.

Thanks for your help.
-- Doug

Newsgroup: sci.crypt
document_id: 15368
From: ignatz@chinet.chi.il.us (Dave Ihnat)
Subject: Re: Once tapped, your code is no good any more.

In article <1qpg8fINN982@dns1.NMSU.Edu> amolitor@nmsu.edu (Andrew Molitor) writes:
> Not to pick on Mr. May in particular, of course, but isn't this
>kind of the domino theory? When one little country falls, its neighbor
>will surely follow, and before you know it, we're all mining salt
>in Siberia for not turning in our Captain Crunch Secret Decoder Rings.

But, for all the wrongness of our attempt to correct it (Vietnam, et al.), the domino theory wasn't disproved at all.

Newsgroup: sci.crypt
document_id: 15369
From:
Subject: Re: Clipper -- some new thoughts

The cryptographic algorithm MUST be kept secret, or private individuals could make ClipperClones with which they could transmit messages which the feds would not have ready access to. This is clearly unacceptable. I hope somebody starts doing this soon after the first ones are released...

Newsgroup: sci.crypt
document_id: 15370
From: wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705)
Subject: Re: Once tapped, your code is no good any more.

In article <1993Apr17.061326.16130@clarinet.com> brad@clarinet.com (Brad Templeton) writes:

Once it hits land you can record it if you have telco access. The telco isn't supposed to give that without a warrant. That's the rule today. But even so, the evidence would not be admissible, I think, unless the judge so ordered. I think that even interception of the crypttext without a warrant would be illegal. Cops can't record today's plain cellular calls and then ask a judge, "Hey, can we have permission to listen to those tapes?" can they?

How long do you think it will be before it becomes legal for the police to record encrypted conversations? "It's not violating your privacy because we can't read the encryption without a warrant", with the usual good-faith exception if they accidentally record a non-encrypted conversation. Besides, it's covered by the Drug Exception to the Fourth Amendment...

--
# Pray for peace; Bill
# Bill Stewart 1-908-949-0705 wcs@anchor.att.com AT&T Bell Labs 4M312 Holmdel NJ
# No, I'm *from* New Jersey, I only *work* in cyberspace....
# White House Comment Line 1-202-456-1111  fax 1-202-456-2461

Newsgroup: sci.crypt
document_id: 15371
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

In article holland@CS.ColoState.EDU (douglas craig holland) writes:
> Let me ask you this. Would you trust Richard Nixon with your
>crypto keys? I wouldn't.

I take it you mean President Nixon, not private citizen Nixon. Sure. Nothing I'm doing would be of the slightest interest to President Nixon.

David
--
David Sternlight  Great care has been taken to ensure the accuracy of
our information, errors and omissions excepted.
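Duane Tribe's post above asks about hiding already-encrypted data inside an innocuous file so that only the right key reveals it. The Python below is an added example for this page, not code from the post or from any real tool: it scatters the payload bits over least-significant bits of a cover file at key-derived pseudo-random positions, preceded by a 32-bit length header, so that extraction without the key yields nothing usable. The cover (4096 bytes of seeded noise), the 24-byte payload and both keys are constructed for the demo; the payload is assumed to have been encrypted already, as the post supposes.

```python
"""Keyed least-significant-bit hiding of an (already encrypted) payload in a
cover file.  Added example for this page; not code from any poster or tool.
Bit positions come from a key-seeded permutation of the cover, so without
the key neither the presence nor the content of the payload can be read."""
import hashlib
import random

HEADER_BITS = 32   # payload length in bytes, stored before the payload

# Constructed demo inputs: the payload stands in for data encrypted beforehand;
# the cover is seeded noise instead of a real image or audio file.
PAYLOAD = bytes.fromhex("8f1a44c0e25b9d7731aa06f4ce5d1b9820e37c4d6ba0f51e")
COVER = bytes(random.Random(7).getrandbits(8) for _ in range(4096))
KEY = b"correct horse battery staple"


def _permutation(key: bytes, cover_len: int) -> list:
    """Key-derived ordering of cover byte positions.  A full permutation is
    used (not a sample) so the first k positions are the same for any k,
    which lets the reader decode the length header before it knows k."""
    seed = int.from_bytes(hashlib.sha256(b"lsb-positions|" + key).digest(), "big")
    order = list(range(cover_len))
    random.Random(seed).shuffle(order)
    return order


def _bit(data: bytes, i: int) -> int:
    return (data[i // 8] >> (7 - i % 8)) & 1


def embed(cover: bytes, key: bytes, payload: bytes) -> bytes:
    data = len(payload).to_bytes(HEADER_BITS // 8, "big") + payload
    nbits = len(data) * 8
    if nbits > len(cover):
        raise ValueError("cover too small for payload")
    order = _permutation(key, len(cover))
    out = bytearray(cover)
    for i in range(nbits):
        pos = order[i]
        out[pos] = (out[pos] & 0xFE) | _bit(data, i)   # touch only the LSB
    return bytes(out)


def extract(stego: bytes, key: bytes):
    """Returns the payload, or None when the decoded length cannot fit the
    cover (the usual outcome with a wrong key)."""
    order = _permutation(key, len(stego))

    def read_bits(start: int, count: int) -> bytes:
        acc = bytearray(count // 8)
        for i in range(count):
            acc[i // 8] |= (stego[order[start + i]] & 1) << (7 - i % 8)
        return bytes(acc)

    length = int.from_bytes(read_bits(0, HEADER_BITS), "big")
    if HEADER_BITS + length * 8 > len(stego):
        return None
    return read_bits(HEADER_BITS, length * 8)


def demo() -> dict:
    stego = embed(COVER, KEY, PAYLOAD)
    diffs = [c ^ s for c, s in zip(COVER, stego)]
    return {
        "recovered": extract(stego, KEY),
        "wrong_key": extract(stego, b"not the key"),
        "only_lsbs_changed": all(d in (0, 1) for d in diffs),
        "bytes_changed": sum(1 for d in diffs if d),
        "same_length": len(stego) == len(COVER),
    }


if __name__ == "__main__":
    print(demo())
```

Two of the properties the post wants fall out directly: the stego file is the same size as the cover and differs from it only in least-significant bits, at no more positions than there are header and payload bits; and a wrong key decodes a nonsense length header, so extract returns None (or, rarely, garbage). The property it does not get for free is indistinguishability: a cover of pure noise with a flat LSB distribution is itself unusual, so in practice the choice of carrier (an image or audio file whose low bits are already noisy) and a statistical check of that carrier's LSB behaviour matter more than the scattering scheme.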
Newsgroup: sci.crypt document_id: 15372 From: karn@unix.ka9q.ampr.org (Phil Karn) Subject: Re: White House Wiretap Chip Disinformation Sheet In article , wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705) writes: |> The Attorney General will procure and utilize encryption devices to |> the extent needed to preserve the government's ability to conduct |> lawful electronic surveillance and to fulfill the need for secure |> law enforcement communications. Further, the Attorney General |> shall utilize funds from the Department of Justice Asset Forfeiture |> Super Surplus Fund to effect this purchase. This is a very curious thing to say. STU-IIIs (NSA-designed secure telephones cleared for classified traffic) are already readily available to law enforcement agencies. Word has it they're standard in every FBI office, for example. Something like several hundred thousand of these phones exist in all. They are clearly the US government standard. So why does the DoJ need to buy new phones that, unlike STU-IIIs, will not be certified for classified traffic, and in all likelihood will not be compatible with existing STU-IIIs? Unless, of course, they're gearing up for large scale decryption of civilian Clipper users, and they need compatible hardware... Phil Newsgroup: sci.crypt document_id: 15373 From: strnlght@netcom.com (David Sternlight) Subject: Re: WH proposal from Police point of view dwight tuinstra posts a very interesting message in which he comments on the effects of the Clipper chip on state and local police. Actually, reading between the lines, it could be a very good thing for civil liberties in one respect, since it will at least prevent cowboy cops and cowboy state and local agancies from reading your traffic if they tap it illegally. There has been extensive discussion in the eff forum, for example, about inadmissible taps being used to develop information that could then lead to admissible evidence. 
This might put a stop to such things, which must from time to time be simple fishing expeditions. David -- David Sternlight Great care has been taken to ensure the accuracy of our information, errors and omissions excepted. Newsgroup: sci.crypt document_id: 15374 From: hal@cco.caltech.edu (Hal Finney) Subject: Re: Clipper chip -- technical details djb@silverton.berkeley.edu (D. J. Bernstein) writes: >[Summary elided] >The system as described here can't possibly work. What happens when >someone plugs the above ciphertext into a receiving chip? To get M >the receiving chip needs K_P; to get K_P the receiving chip needs U_C. >The only information it can work with is C. If U_C can be computed >from C then the system is cryptographically useless and the ``key >escrow'' is bullshit. Otherwise how is a message decrypted? The description of the chip's operation evidently leaves out some of the key management aspects. Either the K_P is the secret key corresponding to a public key which is broadcast at message initiation, or it is the result of a Diffie-Hellman key exchange or something similar. Either way there must be some protocols beyond those described here. It isn't clear whether they are implemented in the Clipper wiretap chip or must be provided by other system components. Hal Finney Newsgroup: sci.crypt document_id: 15375 From: smb@research.att.com (Steven Bellovin) Subject: Re: Clipper chip -- technical details In article <1667.Apr1821.58.3593@silverton.berkeley.edu>, djb@silverton.berkeley.edu (D. J. Bernstein) writes: > Short summary of what Bellovin says Hellman says the NSA says: There is > a global key G, plus one key U_C for each chip C. The user can choose a > new session key K_P for each phone call P he makes. Chip C knows three > keys: G, its own U_C, and the user's K_P. The government as a whole > knows G and every U_C. Apparently a message M is encrypted as > E_G(E_{U_C}(K_P),C) , E_{K_P}(M). That's it. 
> > The system as described here can't possibly work. What happens when > someone plugs the above ciphertext into a receiving chip? To get M > the receiving chip needs K_P; to get K_P the receiving chip needs U_C. > The only information it can work with is C. If U_C can be computed > from C then the system is cryptographically useless and the ``key > escrow'' is bullshit. Otherwise how is a message decrypted? Via K_P, of course. Nothing was said about where K_P comes from. It's the session key, though, and it's chosen however you usually choose session keys --- exponential key exchange, shared secret, RSA, etc. But however you choose it, the chip will apparently emit the escrow header when you do. Newsgroup: sci.crypt document_id: 15376 From: C445585@mizzou1.missouri.edu (John Kelsey) Subject: Corporate acceptance of the wiretap chip strnlght@netcom.com (David Sternlight) writes: > >>What follows is my opinion. It is not asserted to be "the truth" so no >>flames, please. It comes out of a background of 20 years as a senior >>corporate staff executive in two Fortune 50 companies. > >>I'd be happy to use a crypto system supplied by the NSA for business, if >>they told me it was more secure than DES, and in particular resistant to >>attempts by Japanese, French, and other competitive companies and >>governments to break. > >>I'd be happy to do so even with escrowed keys, provided I was happy about >>the bona fides of the escrow agencies (the Federal Reserve would certainly >>satisfy me, as would something set up by one of the big 8 accounting firms). I don't doubt that this will be the attitude of many corporate leaders. It's understandable--most corporate execs don't know much about cryptology, and it's easy to get taken in by someone peddling snake oil. And, the proposed scheme *is* a major improvement in telephone security over what exists now. The problem is that, with any security scheme of this kind, you have to concern yourself with the weakest link in the chain. 
I suspect that NSA has put a fairly strong encryption algorithm in this wiretap chip of theirs, probably at least as strong as (say) DES in OFB-mode. Unfortunately, the existence of the key-registry system seems to make possible all kinds of attacks at a small fraction of the expense of trying to build (say) a DES keysearch machine. As originally described, it sounded like any police / court combination could acquire the key for a given chip. I hope that's not the case, since it would imply a glaring hole. (How much does it cost to find *one* crooked judge and *one* crooked cop? Especially for a foreign intelligence agency or organized crime boss?) However, even if more intelligent schemes are used to allow access to the unencrypted phone conversations, there will be weaknesses. They may be very expensive, and very difficult. But who would trust his/her confidential information to an encryption scheme that, for (say) $100,000 could be cracked one time in a hundred? (DES, for all the complaints about a 56-bit key, would probably cost several million dollars to build a keysearch machine for.) How many million dollars would the confidential phone messages of the GM headquarters be worth to Nissan, Chrysler, or Audi? How about home phones of major execs and important engineers and designers? "Gee, Mr Jones, I understand you've had some financial problems lately. Maybe I can help..." >>I'd trust something from the NSA long before I'd trust something from some >>Swiss or anybody Japanese. Indeed, if NSA really designed the algorithm to be secure, it's very likely as secure as IDEA or 2-key DES. However, the system as a whole isn't resistant to "practical cryptanalysis." In _The Puzzle Palace_, Bamford describes how several NSA employees were turned by foreign (presumably KGB) agents, despite security measures that I doubt any Big 8 accounting firm could match. 
And NSA confidential data was *not* subject to being requested by thousands of police organizations and courts across the land. --John Kelsey, c445585@mizzou1.missouri.edu Newsgroup: sci.crypt document_id: 15377 From: dfl@panix.com (Danny O'Bedlam) Subject: Re: Why the clipper algorithm is secret In <1993Apr18.225502.358@iecc.cambridge.ma.us> johnl@iecc.cambridge.ma.us (John R. Levine) writes: (quoting someone else here) >>The cryptographic protocol, though, is another matter. I see no valid >>reasons for keeping it secret, and -- as I hope I've shown above -- there >>are a lot of ways to do things that aren't (quite) as bad. >It just occurred to me why the algorithm is secret. If it were >published, one could then build physically identical clone versions >of the chip that would interoperate with official Clipper chips. But >the cloner wouldn't provide the keys to the escrow houses. Hmmn. Yeah! The algorithm is classified because a military contract (or similar government equivalent to military) has been let for this "proprietary" design that the Feds say that NSA developed. Is there a patent? Is that patent publicly available? My betting is that that too is classified. If the algorithm were made public, or reverse-engineered, it would compromise not only the goal of Justice of being able to read every chip user's crypto-data but would reduce profits for the selected chip maker. Wouldn't that just be too bad? 
-- *********************************************************************** * Danny O'Bedlam = dfl@panix.com = cmcl2!panix!dfl = Danny Lieberman * * PO Box 3131 Church St Station, New Yawk, New Yawk, 10008-3131 (usa) * *********************************************************************** Newsgroup: sci.crypt document_id: 15378 From: C445585@mizzou1.missouri.edu (John Kelsey) Subject: The wiretap chip, clones, and secure key-exchange U23590@uicvm.uic.edu writes: >The cryptographic algorithm MUST be kept secret, or >private individuals could make ClipperClones with >which they could transmit messages which the feds would not have >ready access to. Not necessarily. I've been thinking about this, and if this chip/scheme is to provide any real security, there must be some sort of key exchange, either using a public-key encryption scheme, or using a key exchange scheme like Diffie-Hellman. If there's an out-of-band transmission of a shared session key, then what protects that band from eavesdropping? If the phone company or some other online central authority generates a session key and sends it to both users, then what's the point of going to the trouble of having some complicated key-depositories? Just ask the phone company for a copy of the session key for each call. Now, it's probably not practical for each user to keep an online copy of every public key used by anyone anywhere, right? So, probably, there will be some way of getting these keys verified. This might be a digitally signed (by the chip manufacturer) copy of the public key in this unit, stored by this unit. It might also be an online directory with access to everyone's public keys. (This would introduce another weakness to the security of the scheme, of course.) Presumably, if you don't use your designated key, you can't get a verified connection to other standard chips. 
It might be useful to have a modified chip, which would allow you to use either the original public/private key pair, or some other key pair and verification scheme. Unfortunately, this would not allow you to call most people and establish secure communications.... --John Kelsey >I hope somebody starts doing this soon after the first >ones are released... Newsgroup: sci.crypt document_id: 15379 From: brad@clarinet.com (Brad Templeton) Subject: Re: How to detect use of an illegal cipher? In article ebrandt@jarthur.claremont.edu (Eli Brandt) writes: >get their copy of your key. Any criminal who's going to use >encryption will do it under cover of Clipper. The only way to avoid >this will be to try to prohibit strong encryption. This isn't true. Today's criminals regularly use all sorts of unsafe methods, from cordless phones to cellular phones to plain old copper wire analog phones that you can put alligator clips on to plan and execute their crimes. It is amazing how stupid they are, which is why the FBI was so keen on the digital telephony law, and its successor the clipper chip. They're hoping here that most crooks will remain stupid, feel safe using clipper chip phones and get caught. -- Brad Templeton, ClariNet Communications Corp. -- Sunnyvale, CA 408/296-0366 Newsgroup: sci.crypt document_id: 15380 From: brad@clarinet.com (Brad Templeton) Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow] In article <1993Apr18.032405.23325@magnus.acs.ohio-state.edu> jebright@magnus.acs.ohio-state.edu (James R Ebright) writes: >In article brad@clarinet.com (Brad Templeton) writes: > >[...]> >>The greatest danger of the escrow database, if it were kept on disk, >>would be the chance that a complete copy could somehow leak out. You >[...]> >>Of course then it's hard to backup. However, I think the consequences >>of no backup -- the data is not there when a warrant comes -- are worse >>than the consequences of a secret backup. 
> >If the data isn't there when the warrant comes, you effectively have >secure crypto. If secret backups are kept...then you effectively have >no crypto. Thus, this poster is essentially arguing no crypto is better >than secure crypto. No, the poster (me) has his brain in the wrong gear. As you can infer from the first sentence, I meant the consequences of no backup are *better* than the consequences of an easy to copy database. -- Brad Templeton, ClariNet Communications Corp. -- Sunnyvale, CA 408/296-0366 Newsgroup: sci.crypt document_id: 15381 From: C445585@mizzou1.missouri.edu (John Kelsey) Subject: Competing standard Perhaps one way of getting away from this cripple chip that the U.S. government seems to be pushing would be to come up with a good alternative. For example, how about a scheme using RSA, and some hybrid of DES-CFB and another strong stream cipher (Maybe IDEA-CFB)? This could be substantially the same as the cripple chip, except that instead of key-registration, the police could demand that you give up your secret key to them (with a court-issued warrant). Then, they could read the last few months of wiretapped messages you've sent, and assuming you've committed no crimes, you could generate a new key pair and go about your business. I find that I'd be willing to pay RSA for the right to use such a system, especially given the alternative. If you were unwilling to give up your secret key, then you'd probably stay in jail (has anyone got a real legal precedent for this?). This would allow court-issued warrants to be used to gather information on suspected criminals, but it couldn't be done in secrecy, and there would be enormously less likelihood of corruption or theft of escrowed keys. (Maybe someone from the law-enforcement or intelligence community will correct me, but this doesn't *seem* like such a big loss in terms of law-enforcement capabilities.) Any comments? 
--John Kelsey Newsgroup: sci.crypt document_id: 15382 From: djb@silverton.berkeley.edu (D. J. Bernstein) Subject: Re: Clipper chip -- technical details In article <1993Apr19.052005.20665@ulysses.att.com> smb@research.att.com (Steven Bellovin) writes: > Nothing was said about where K_P comes from. Oh? Hellman said ``each user will get to choose his or her own key.'' That's the key which I called K_P, the session key. According to Hellman, if Alice and Bob are communicating with the Clipper Chip, then Alice chooses ``her own key'' and Bob chooses ``his own key.'' This is incompatible with the suggestion that when Alice and Bob are talking, they use a _common_ K_P, chosen by classical or public-key approaches. The protocol/key-management description published so far is either incomplete or incorrect. It leaves me with no idea of how the system would actually _work_. I hope the CPSR FOIA request succeeds so that we get full details. ---Dan Newsgroup: sci.crypt document_id: 15383 From: holthaus@news.weeg.uiowa.edu (James R. Holthaus) Subject: Re: Fighting the Clipper Initiative prz@sage.cgd.ucar.edu (Philip Zimmermann) writes: Philip, I think your ideas are well taken and constructive. Thanks for articulating them in this forum. >2) Work the Press. Talk with your local newspaper's science and >technology reporter. Write to your favorite trade rags. Better yet, >write some articles yourself for your favorite magazines or >newspapers. Explain why the Clipper chip initiative is a bad idea. >Remember to tailor it to your audience. The general public may be >slow to grasp why it's a bad idea, since it seems so technical and >arcane and innocent sounding. Try not to come across as a flaming >libertarian paranoid extremist, even if you are one. As a flaming libertarian paranoid extremist (:-), I'm at a loss for specific objections that don't sound frighteningly technical. Any suggestions? Perhaps somebody could post a list of these? >5) Mobilize opposition in industry. 
Companies that will presumably >develop products that will incorporate the Clipper chip should be >lobbied against it, from within and from without. If you work for a >telecommunications equipment vendor, first enlist the aid of your >coworkers and fellow engineers against this initiative, and then >present your company's management with a united front of engineering >talent against this initiative. Write persuasive memos to your >management, with your name and your colleagues' names on it. Hold >meetings on it. One way to do this might be to suggest that these companies should be implementing their own schemes, not being limited to the govt's scheme. I find that most of my reasons for opposition to the Clipper scheme are algorithm insecurity and mistrust of the govt/NSA. These are hard to sell in letters to the editor and to nontechnical people. Any hints or advice? Maybe a small FAQ-type thing "Why should I Hate Clipper" would be a good idea. -- <><><><><><><><><><>James Holthaus james-holthaus@uiowa.edu<><><><><><><><><> < Government is an association of men who do violence to the rest of us. > < -- Leo Tolstoy > <><><><><>PGP 2.2 Public key available on request or from key server<><><><><> Newsgroup: sci.crypt document_id: 15384 From: finchm@csugrad.cs.vt.edu (Michael Finch) Subject: Re: Why the clipper algorithm is secret johnl@iecc.cambridge.ma.us (John R. Levine) writes: > >The cryptographic protocol, though, is another matter. I see no valid > >reasons for keeping it secret, and -- as I hope I've shown above -- there > It just occurred to me why the algorithm is secret. 
If it were > published, one could then build physically identical clone versions I recall seeing a post some time ago saying that if the details of an encryption scheme couldn't be revealed, then the encryption scheme is worthless. I believe the statement was in response to somebody saying that they had some new snazzy scheme, but the algorithm was a secret. Does this algorithm depend on the fact that the scheme is secret or is it for the stated reasons above? -Mike Newsgroup: sci.crypt document_id: 15386 From: steve-b@access.digex.com (Steve Brinich) Subject: Re: Fighting the Clipper Initiative >As a flaming libertarian paranoid extremist (:-), I'm at a loss for >specific objections that don't sound frighteningly technical. The idea that foisting the Cripple Chip standard on US manufacturers would result in saying "Sayonara" to yet another high-tech market isn't technical, isn't in the least difficult to understand, and plays on a concern lots of people are worried about already.... Newsgroup: sci.crypt document_id: 15387 From: stan@tacobel.UUCP (stan) Subject: Re: text of White House announcement and Q&As on clipper chip encryp brad@clarinet.com (Brad Templeton) writes: > Let's assume, for the moment, that the system really is secure unless > you get both halves of the encryption key from the two independent > escrow houses. Let's say you even trust the escrow houses -- one is > the ACLU and the other is the EFF. (And I'm not entirely joking about > those two names) > Hi, I'm new to Internet, so this is a bit of a test message, so even a token reply would be very appreciated. Anyways, reading this I'd figure this would be as excellent a method of corrupting the ACLU and the EFF as could be wished for. "Who Guards the Guardians?", etc... Newsgroup: sci.crypt document_id: 15388 From: gtoal@gtoal.com (Graham Toal) Subject: Re: Automatic online encryption of data From: andersom@spot.Colorado.EDU (Marc Anderson) >Also.. 
how about a box that you plug your phone into, which would allow >encrypted voice communications with someone who has a similar box? >(digitizing input speech, transmitting, and decrypting on the other end). I >don't know how a public-key system could work in this regard, but it might [...] heh heh... I posted this just before reading all the Clinton Chip messages.. I guess they beat me to it.. Anyway, I think it would be a great idea to develop such a product, perhaps in the underground, as it would otherwise probably become illegal pretty quickly here... It's really very feasible and shouldn't be too expensive - all that's needed is a box with a phone jack on one side, a DSP in the middle to do codec functions of speech->compressed bytestream, and an RS232 on the other side. You'd plug your phone into it, plug the RS232 into your computer, and have a good old fashioned normal modem on your other RS232 port. The CPU in the middle would do the encryption with a version of pgp modified to work on a byte stream. With v32bis or better modems to carry the bytestream, it should work. Quality would only be marginally lower than a normal telephone. At the very highest price, you could use one of those voice-mail compatible modems to do the digitisation - that puts an upper bound of about $500 on the cost of such a box. In practice, you really ought to be able to get the price well below $100 - I could do it now in software on my cheap&nasty home RISC box (Acorn Archimedes) with the digitising microphone I bought for 25 pounds, if I knew how to write good speech compression software (which I don't). The reason it won't work of course is that hardly anyone will have one - the only consumer equipment to have encryption will use the wiretap chip. Economics, I'm afraid. However... we can get about 2Kcps throughput on the internet even with the bottleneck of a v32bis modem. 
When we get ISDN for all (ha ha ha) and the new NREN, it might then be trivial to run compressed speech over a tcp/ip connection on the Internet. Perhaps we should start thinking now of a standard to keep voice on the internet compatible for everyone, and side-step the clipper stuff and use internet for all our phone calls in future :-) [1/2 joking] G Newsgroup: sci.crypt document_id: 15389 From: gtoal@gtoal.com (Graham Toal) Subject: Re: Clipper chip -- technical details The protocol/key-management description published so far is either incomplete or incorrect. It leaves me with no idea of how the system would actually _work_. I hope the CPSR FOIA request succeeds so that we get full details. Wouldn't it be easier just to ask denning@cs.georgetown.edu? ;-) G Newsgroup: sci.crypt document_id: 15390 From: gtoal@gtoal.com (Graham Toal) Subject: Re: Corporate acceptance of the wiretap chip : Indeed, if NSA really designed the algorithm to be secure, it's very likely : as secure as IDEA or 2-key DES. However, the system as a whole isn't resistant : to "practical cryptanalysis." In _The Puzzle Palace_, Bamford describes how : several NSA employees were turned by foreign (presumably KGB) agents, despite : security measures that I doubt any Big 8 accounting firm could match. And : NSA confidential data was *not* subject to being requested by thousands of : police organizations and courts across the land. Ah yes, don't anyone mention Ronald William Pelton[*], heh heh heh. How embarrassing. G [*: NSA, 1964-1979; KGB 1980-1985] Newsgroup: sci.crypt document_id: 15391 From: bell@mars.dev.promis.com (Mike Bell) Subject: Clipper proposal - key length? Danny Weitzner writes: >April 16, 1993 >INITIAL EFF ANALYSIS OF CLINTON PRIVACY AND SECURITY PROPOSAL >DETAILS OF THE PROPOSAL: >ESCROW >The 80-bit key will be divided between two escrow agents, each of whom >hold 40-bits of each key. 
The manufacturer of the communications device >would be required to register all keys with the two independent escrow >agents. A key is tied to the device, however, not the person using it. So if we subvert one of the two escrow agents, we only have a 40-bit space to search through... 2^40 doesn't sound that big - is digital telephony subject to a known plaintext attack? In which case half the key seems to be all that is needed, and the two agent escrow arrangement is pointless. Of course, the unknown algorithm might turn gaps in speech into pseudo-random sequences, or there might be some magic involved, or... -- -- Mike -- Newsgroup: sci.crypt document_id: 15392 From: rlward1@afterlife.ncsc.mil (Robert Ward) Subject: Re: text of White House announcement and Q&As on clipper chip encryption In article bontchev@fbihh.informatik.uni-hamburg.de writes: >and since the US Constitution guarantees the right to every American >to bear arms, why is not every American entitled, as a matter of Have you read the applicable part of the Constitution and interpreted it IN CONTEXT? If not, please do so before posting this misinterpretation again. It refers to the right of the people to organize a militia, not for individuals to carry handguns, grenades, and assault rifles. Robert L. Ward Newsgroup: sci.crypt document_id: 15393 From: lewis@eecg.toronto.edu (david lewis) Subject: Off the shelf cheap DES keysearch machine (Was: Re: Corporate acceptance of the wiretap chip) In article <16BB51156.C445585@mizzou1.missouri.edu> C445585@mizzou1.missouri.edu (John Kelsey) writes: > >strnlght@netcom.com (David Sternlight) writes: >> [..stuff deleted] >existence of the key-registry system seems to make possible all kinds of >possible attacks at a small fraction of the expense of trying to build (say) >a DES keysearch machine. > > As originally described, it sounded like any police / court combination >could acquire the key for a given chip. 
I hope that's not the case, since >it would imply a glaring hole. (How much does it cost to find *one* crooked >judge and *one* crooked cop? Especially for a foreign intelligence agency >or organized crime boss?) However, even if more intelligent schemes are used >to allow access to the unencrypted phone conversations, there will be >weaknesses. They may be very expensive, and very difficult. But who would >trust his/her confidential information to an encryption scheme that, for >(say) $100,000 could be cracked one time in a hundred? (DES, for all the >complaints about a 56-bit key, would probably cost several million dollars >to build a keysearch machine for.) > I can buy a DES keysearch machine off the shelf now for approx $500K, but it is not sold by that name. Go buy a circuit emulation machine (eg. Quickturn) containing a bunch of FPGAs, (say 500 to 1000 3090's), and program each to be a DES search engine. Let's say 500 chips, running at 10 MHz = 5G tests/sec. Time is 14e6 sec max = 23 weeks, 12 weeks average. Can't wait that long? Buy a bigger machine. David Lewis Newsgroup: sci.crypt document_id: 15394 From: jdailey@asic.sc.ti.com (Jim Dailey) Subject: Re: Once tapped, your code is no good any >amolitor@nmsu.edu (Andrew Molitor) writes: >> Not to pick on Mr. May in particular, of course, but isn't this >>kind of the domino theory? When one little country falls, its neighbor >>will surely follow, and before you know it, we're all mining salt >>in Siberia for not turning in our Captain Crunch Secret Decoder Rings. There was an interesting column on the editorial page of the Dallas Morning News on Saturday by Walter Williams, who I believe is a professor at Georgetown (I wonder if he knows of Dorothy "you're not in Kansas anymore" Denning). 
The article was titled "Government slowly eroding our liberties", and in it he tells a story attributed to the late Leonard Read who explained that if you wanted to take liberty away from Americans, you had to know how to cook a frog. Mr. Read said you can't cook a frog by boiling a pot of water and then throwing the frog in. His reflexes are so quick that as soon as his feet touch the water, he will leap away. You must put the frog in a pot of cold water and heat it up bit by bit. By the time the frog realizes he's being cooked, it is too late. It is the same with Americans. If anyone tried to take our freedoms all at once, we would naturally rebel and suppress the tyrant. But as with successful frog cooking, our liberties can be taken a little bit at a time. The last line of the article says, "It's not too late for us, but the water is getting pretty warm." I'd have to agree that it's warm and the Clipper is keeping the temperature on an upward course. NOTE: followups redirected to alt.privacy.clipper --- Jim jdailey@asic.sc.ti.com TI pays absolutely no attention to me or my opinions; therefore, the foregoing information cannot possibly represent TI's viewpoint. Newsgroup: sci.crypt document_id: 15395 From: prm@ecn.purdue.edu (Philip R. Moyer) Subject: Re: text of White House announcement and Q&As on clipper chip encryption In article <1993Apr17.032022.14021@clarinet.com>, brad@clarinet.com (Brad Templeton) writes: |> |> Let's assume, for the moment, that the system really is secure unless |> you get both halves of the encryption key from the two independent |> escrow houses. Let's say you even trust the escrow houses -- one is |> the ACLU and the other is the EFF. (And I'm not entirely joking about |> those two names) |> |> In that case the Prince of Wales has nothing to worry about on this |> system. I must respectfully disagree with this assertion, Brad. The government is notoriously sloppy with physical, communications, and information security. 
They can't keep their computers safe, and they're "trying". Read "DEA is Not Adequately Protecting National Security Information" [GAO/IMTEC 92-31] for an excellent example of what I'm talking about. Private sector organizations tend to be even more lax in their security measures. I believe that the escrow organizations will be penetrated by foreign intelligence services within months, if not weeks, of their selection. Private organizations that lack the resources of a full-fledged intelligence service will take longer - perhaps on the order of one to two years. Nonetheless, the penetrations will take place, without question. Philip R. Moyer ECN Software Staff Engineering Computer Network Voice: 317-494-3648 prm@ecn.purdue.edu Fax: 317-494-6440 Newsgroup: sci.crypt document_id: 15396 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: An Open Letter to Mr. Clinton strnlght@netcom.com (David Sternlight) writes: > Here's a simple way to convert the Clipper proposal to an unexceptionable > one: Make it voluntary. As usual, you are not reading. The proposal -does- say that it is a "voluntary program". This doesn't make it more desirable, though... > That is--you get high quality secure NSA classified technology if you agree > to escrow your key. Otherwise you are on your own. "Secure"? How do you know? Because NSA is trying to make you believe it? "Trust us." Yeah, right. "Otherwise you are on your own"? How do you know that tomorrow they will not outlaw encrypting devices that don't use "their" technology? Because they are promising you? Gee, they are not doing even that - read the proposal again. Regards, Vesselin -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 
107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany Newsgroup: sci.crypt document_id: 15397 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Once tapped, your code is no good any more. strnlght@netcom.com (David Sternlight) writes: > What follows is my opinion. It is not asserted to be "the truth" so no > flames, please. It is incompetent, like almost anything you have posted here, so you'll be flamed, sorry. > It comes out of a background of 20 years as a senior > corporate staff executive in two Fortune 50 companies. %/$( your "20 years of background in two Fortune 50 companies"; I've lived 30 years under a totalitarian regime, and boy, I *can* recognize a totalitarian plot when I see one... > I'd be happy to use a crypto system supplied by the NSA for business, if > they told me it was more secure than DES, and in particular resistant to I am sure that -you- would be happy to use anything "they" tell you is secure; we're talking about the intelligent people here... Or the criminal ones, if you don't like the previous sentence... :-) Or those who don't want their privacy to be guaranteed to be invadable by the government - any current and future government, mind you... > I'd be happy to do so even with escrowed keys, provided I was happy about > the bona fides of the escrow agencies (the Federal Reserve would certainly > satisfy me, as would something set up by one of the big 8 accounting firms). Even if you ignore the nonsense of the above statement for a moment, and even if you are happy with such a system and the current escrow agencies NOW, what guarantees that you'll be happy with them TOMORROW, when the government changes? Or when the current government throws away the sheep skin? All the sheep who are reasoning like you will get caught by surprise, but it will be too late, because then cryptography that is not guaranteed to be breakable by the government will already have been outlawed... 
After all, you've already got privacy that is said to be breakable only by the law enforcement agencies, so if you are law-abiding, you have no reasons to use a stronger one, right? So, if you are using a stronger one, you have something to hide from the law enforcement agencies, right? Something unlawful, right? Therefore, strong crypto is a clear indication that you are doing something unlawful. > I'd trust the NSA or the President if they stated there were no trap Considering the level of competence in cryptology that you have demonstrated in your messages, you would trust just anything... And no, this is not an ad hominem attack; it's an attack against the contents of your messages . > doors--I'd be even happier if a committee of independent experts examined > the thing under seal of secrecy and reported back that it was secure. And how do you know that these experts are not corrupted? And how do you know that they will not make a mistake? And how do you know that the version of the algorithm they will be allowed to examine is the same as the one that will be really used? Regarding the mistake - even the little information "they" have let out has revealed a serious security hole in the protocol - the 80-bit key is split in two 40-bit ones, thus the whole system is easily breakable, if you have only one of the keys. > I'd trust something from the NSA long before I'd trust something from some > Swiss or anybody Japanese. The Swiss or the Japanese are motivated by simple greed; NSA is motivated by their wish to control the people. That's why the drug dealers have their accounts in Swiss banks, instead of in American ones. For some reason, they do trust the Swiss banks more... Guess they'll trust the Swiss encryption more too... I see IDEA becoming suddenly popular... :-) > This may seem surprising to some here, but I suggest most corporations would > feel the same way. 
> Most/many/some (pick one) corporations have an attitude
> that the NSA is part of our government and "we support our government", as
> one very famous CEO put it to me one day.

It's not surprising at all, but not because of the reason you give. It's because it is obvious that the US government has put a lot of money behind this program and it will support it. Thus, most corporations will try to get their piece of the pie by supporting it too. The same good old greed. Strong encryption is not widely available now not because of some plot, but because the companies don't see much money in it. It will be available even less, if the companies can see any penalties associated with it...

> Just some perspective from another point of view.

Yeah, just as I predicted, you are here again, to support the new system.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev    Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226    Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. >    Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

Newsgroup: sci.crypt
document_id: 15398
From: ricktait@bnr.co.uk (Rick Tait)
Subject: Re: What the clipper nay-sayers sound like to me.

Nathaniel Sammons (ns111310@LANCE.ColoState.Edu) wrote on Mon, 19 Apr 1993 02:36:36 GMT:

> If the gov establishes a cryptography standard that has to be used by
> everyone, and everyone's personal key is divided into two segments
> and stored at two separate, albeit easy to find places, and that key is
> only 80 bits to begin with, we are screwed (pardon the allusion to the
> afore-mentioned article)!

> The gov, I believe, as do many others probably already have the cracking chips
> for this Clipper Chip made. Hell, they probably based the encoder on the
> chip that cracks it, that way it's easier to break the code, but since it is a
> classified algorithm, no one knows that they can crack it so easily.

Agreed.
No agency such as the NSA (or whoever) would approve the public release of a crypto-system, if they didn't already have the technical means or the know-how to decrypt everything at their whim. Surely the whole point of all this madness is to make Joe Public think that his/her communications will be kept safe, while James Bond at the NSA can, if need be, have full, decrypted access to someone's communications? That'll be quite a heist, if they can pull it off.

I thought that the US Government were going to release the algorithm to a panel of "carefully chosen experts", who would then "study it deeply, and report their findings"? Exactly who will these people be? Academics? Or Government-sponsored researchers? Tiny-toons?

> I, for one, am quite scared of this kind of thing, and plan to support
> organizations (and even disorganizations) who are fighting against this
> Clipper Chip in any way that I can.

I can only hope that the same sort of thing doesn't start filtering over into the ears of the UK Government, and if the European Parliament gets wind of it, well, we can kiss goodbye to any form of Democracy in Europe at all.

> I do not want the government to be able to have access, even with a search
> warrant, to my keys... and I don't want those keys to be only 80 bits long
> to begin with!

Hallelujah! :-)

--
Rick M. Tait
Bell Northern Research Europe
Tel: +44-81-945-3352, Fax: +44-81-945-3352
Network Management Systems
New Southgate, London. UK
email: ricktait@bnr.co.uk || rt@cix.compulink.co.uk || ricktait@bnr.ca

Newsgroup: sci.crypt
document_id: 15399
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

strnlght@netcom.com (David Sternlight) writes:

> Though some may argue about the nose of the camel, it's worth noting that
> the government proposal is limited to scrambled telephony.
> If it is only
> used for that purpose, and does not extend to electronic mail or file

As usual, David Sternlight is demonstrating his inability to read. The proposal clearly states:

=> The initiative will involve the creation of new products to
=> accelerate the development and use of advanced and secure
=> telecommunications networks and wireless communications links.

It speaks about telecommunications in general. Read it again, David. Maybe you'll understand it the next time... Nah, probably not.

> encryption, then it IS an improvement over the current mass-produced
> standard civilian technology which, with a few exceptions, is limited to
> easy-to-break inverters.

That's exactly what the government wants all sheep-minded people to think. Let's look at the current situation. It allows almost anybody to eavesdrop on almost everybody, unless secure (and I mean secure) encryption is used. What will happen when ("if"? Ha! optimists...) the new proposal gets accepted? Almost nobody EXCEPT SOME will be able to eavesdrop on everybody else, but the ability of these "some" to eavesdrop will be guaranteed! The proposal emphasizes the former ("almost nobody") - which is clearly an improvement - and "forgets" to mention the drawbacks of the latter ("guaranteed"). Yes, my statement assumes that the next step will be to make strong crypto unlawful. You think that it will not happen? Good luck.

> Note that the big issue for the feds is the continued ability to wiretap.

It's not just "continued ability". It's -guaranteed- ability.

> Before we go off the deep end with long discussions about secure crypto for
> e-mail and files, let's focus on this.

Yeah, that's exactly what your government wants you to think. Let's take small steps, one at a time. Concentrate on the current one, don't think about the future. Trust us.

> One question that was not asked in the release is whether this proposal is
> limited to telephony, or if the government intends to expand it.
It's not asked because the proposal clearly says that this is the intention. They, unlike you, read what they write.

> Though I share many of the concerns expressed by some, I find the proposal
> less threatening than many others, since right now most Americans have no
> secure telephony, and any jerk with a pair of clip leads and a "goat" can
> eavesdrop. This would also plug up the security hole in cellular and
> cordless phones.

Yes, it will. It will stop the jerk who is eavesdropping now. It will allow only the government to eavesdrop. (If the scheme is secure, of course, which is yet to be proven.) But how do you know that the jerk you are fearing now will not get a government job tomorrow? The new proposal -guarantees- him the ability to eavesdrop then. Hell, that will even motivate him to get that job - if he indeed is that mentally perverted...

> Reading between the lines, I infer that the system is highly secure
> without access to the keys.

Great. The Greatest Cryptographer of All Times David Sternlight (tm) has succeeded in evaluating the new system in the absence of any details whatsoever and has concluded that it is "highly secure". I guess that comes from the background of working some 50 years for the two major crypto evaluating companies, right? Gee, now the government can save all that money and trouble of asking a secret council of crypto experts to secretly analyse the new secret method - for David Sternlight has already done all the job for them...

> This would meet the needs of U.S. businesses
> confronted by rich and powerful adversaries, including French and Japanese
> security services and rich Japanese companies. It allows the NSA to make
> available some of its better stuff while protecting law enforcement needs.

"Trust us, we're from the Government and we're here to help you."

> Most legitimate U.S.
> corporations trust the NSA, and would be delighted to
> have a high-security system certified by them, even at the price of
> depositing keys in escrow. I see no difficulty in creating a reliable

"Those who are prepared to trade their liberties for the promises of future safety, do not deserve either." This (or something like that; I don't have the exact quote, but the meaning is the same) has been said by one of your great men. Maybe you should study their works more carefully, if you have the brains to understand them, of course.

> From my point of view this is a fair starting point. There are concerns that
> need to be addressed, including the reliability of the escrows. But in

The main question is to guarantee the availability of -really- secure cryptography to the masses. Gee, if the proposal was saying "we guarantee that every American will still have the full right to use any kind of encryption s/he would like and regard this proposal as just a default, voluntary implementation", there would have been much less opposition... For some reason, they didn't even try to promise you that. I wonder why... Was Orwell off only by 10 years?

> return we get access to high-security crypto.

No, in return you get crypto that is guaranteed to be crippled.

> Many have suggested that DES
> and other systems may be breakable by the NSA and hence others similarly
> skilled and endowed.

While the above is just rumors, and while even if it is true, it is not done -easily-, the new scheme is guaranteed to be easily breakable by anybody who has the two keys. It might also be breakable by somebody who does not have them but knows the right trick. Or who has only one of them. NSA also told you that DES is secure, why don't you simply trust them, huh?

> There is at least a good possibility (which should be
> checked) that the proposed system is not so breakable. It doesn't have to

It is -guaranteed- to be -easily- breakable - just get the keys.
It might be even easier, but until there is some evidence, this is just a wild speculation.

> be, nor does it have to have trapdoors, if the government can get the keys

The trapdoors -are- there. In government's hands. The keys.

> pursuant to a legitimate court order. Thus they can protect legitimate
> communications against economic adversaries, while still being able to
> eavesdrop on crooks pursuant to a court order.

Legitimate? And who decides what communications are legitimate? Oh, I guess, it's the government, right? The guys who already have the keys? It's kinda as if I have the keys to your car and I am asked to decide who has the right to use it "legitimately"...

> In discussing this, let's try to avoid the nastiness, personal attacks and
> noise of some previous threads.

Impossible, since you are demonstrating the same level of incompetence and ignorance as in the previous threads.

> This is a substantive and technical issue,
> and personal remarks have no place in such a discussion.

Unfortunately, I have yet to see you posting a technically competent message.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev    Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226    Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. >    Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

Newsgroup: sci.crypt
document_id: 15400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

strnlght@netcom.com (David Sternlight) writes:

> Nothing I'm doing would be of the slightest interest to President Nixon.

A typical example of sheep-minded thinking. We all know that David Sternlight is a jerk, but I'm afraid that in this case 90% of the population will think like him. Realize it guys - NSA, Dorothy Denning, and the US government have already won the battle... Unless...
unless you succeed in waking up the people... but nah, that's too unlikely... The events are happening too fast, cryptography is too sophisticated an issue, and almost nobody cares anyway... A few thousand net.readers won't make the difference, if millions are caught asleep... Too sad... :-(((((

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev    Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226    Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. >    Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

Newsgroup: sci.crypt
document_id: 15401
From: smb@research.att.com (Steven Bellovin)
Subject: More technical details

Here are some corrections and additions to Hellman's note, courtesy of Dorothy Denning. Again, this is reposted with permission.

Two requests -- first, note the roles of S1 and S2. It appears to me and others that anyone who knows those values can construct the unit key. And the nature of the generation process for K1 and K2 is such that neither can be produced alone. Thus, the scheme cannot be implemented such that one repository generates the first half-key, and another generates the second. *That* is ominous.

Second -- these postings are not revealed scripture, nor are they carefully-crafted spook postings. Don't attempt to draw out hidden meanings (as opposed to, say, the official announcements of Clipper). Leave Denning out of this; given Hellman's record of opposition to DES, which goes back before some folks on this newsgroup knew how to read, I don't think you can impugn his integrity.

Oh yeah -- the folks who invented Clipper aren't stupid. If you think something doesn't make sense, it's almost certainly because you don't understand their goals.
--Steve Bellovin

-----
Date: Sun, 18 Apr 93 07:56:39 EDT
From: denning@cs.georgetown.edu (Dorothy Denning)
Subject: Re: Clipper Chip
To: (a long list of folks)

I was also briefed by the NSA and FBI, so let me add a few comments to Marty's message:

    The Clipper Chip will have a secret crypto algorithm embedded in

The algorithm operates on 64-bit blocks (like DES) and the chip supports all 4 DES modes of operation. The algorithm uses 32 rounds of scrambling compared with 16 in DES.

    In addition to the system key, each user will get to choose his or her own
    key and change it as often as desired. Call this key plain old K. When a
    message is to be sent it will first be

K is the session key shared by the sender and receiver. Any method (e.g., public key) can be used to establish the session key. In the AT&T telephone security devices, which will have the new chip, the key is negotiated using a public-key protocol.

    encrypted under K, then K will be encrypted under the unit key UK, and the
    serial number of the unit added to produce a three part message which will
    then be encrypted under the system key SK producing

        E{ E[M; K], E[K; UK], serial number; SK}

My understanding is that E[M; K] is not encrypted under SK (called the "family key") and that the decrypt key corresponding to SK is held by law enforcement. Does anyone have first hand knowledge on this? I will also check it out, but this is 7am Sunday so I did not want to wait.

    The unit key will be generated as the XOR of two 80-bit random numbers K1
    and K2 (UK=K1+K2) which will be kept by the two escrow

The unit key, also called the "chip key," is generated from the serial number N as follows. Let N1, N2, and N3 be 64 bit blocks derived from N, and let S1 and S2 be two 80-bit seeds used as keys. Compute the 64-bit block

    R1 = E[D[E[N1; S1]; S2]; S1]

(Note that this is like using the DES in triple encryption mode with two keys.) Similarly compute blocks R2 and R3 starting with N2 and N3.
(I'm unclear about whether the keys S1 and S2 change. The fact that they're called seeds suggests they might.)

Then R1, R2, and R3 are concatenated together giving 192 bits. The first 80 bits form K1 and the next 80 bits form K2. The remaining bits are discarded.

    authorities. Who these escrow authorities will be is still to be decided by
    the Attorney General, but it was stressed to me that they will NOT be NSA or
    law enforcement agencies, that they must be parties acceptable to the users
    of the system as unbiased.

Marty is right on this and the FBI has asked me for suggestions. Please pass them to me along with your reasons. In addition to Marty's criteria, I would add that the agencies must have an established record of being able to safeguard highly sensitive information. Some suggestions I've received so far include SRI, Rand, Mitre, the national labs (Sandia, LANL, Los Alamos), Treasury, GAO.

    When a court order obtains K1 and K2, and thence K, the law enforcement
    agency will use SK to decrypt all information flowing on the suspected link
    [Aside: It is my guess that they may do this constantly on all links, with
    or without a court order, since it is almost impossible to tell which links
    over which a message will flow.]

My understanding is that there will be only one decode box and that it will be operated by the FBI. The service provider will isolate the communications stream and pass it to the FBI where it will pass through the decode box, which will have been keyed with K.

    for "the wiretap authorizations." When Levy asked for the details so he
    could review the cases as required by law, the agent told him that his
    predecessors just turned over 40-50 blank, signed forms every time. Levi did
    not comply and changed the system, but the lesson is clear: No single person
    or authority should have the power to authorize wiretaps

No single person does, at least for FBI taps.
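[Editor's added example, not part of Denning's message or Bellovin's post.] The unit-key derivation described above, modelled in Python so the roles of S1, S2, K1, K2 and UK can be checked concretely. The chip's own 64-bit algorithm is secret in the text, so a stand-in Feistel cipher with an HMAC-SHA256 round function plays the part of E[...; key] and D[...; key]; how N1, N2, N3 are "derived from N" is not specified on the page, so the SHA-256 derivation below is an assumption, and the serial number and seed values are constructed sample data. The point Bellovin raises follows directly from the code: whoever holds S1, S2 and the serial recomputes UK, and both halves K1 and K2 fall out of the same computation, so neither escrow agent can generate its own half independently; `independent_split` shows the contrasting 2-of-2 XOR split for comparison.

```python
# Added example (not from the original post): the Clipper unit-key derivation
# as described in Denning's message, with a stand-in block cipher because the
# chip algorithm is secret in the text.  N_i derivation from N is an assumption.
import hashlib
import hmac
import os

BLOCK_BYTES = 8       # 64-bit blocks, as stated for the chip algorithm
SEED_BYTES = 10       # S1 and S2 are 80-bit seeds
HALF_KEY_BYTES = 10   # K1 and K2 are 80 bits each


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_function(key: bytes, half: bytes, rnd: int) -> bytes:
    # Keyed, non-invertible round function, truncated to the 32-bit half block.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]


def encrypt_block(key: bytes, block: bytes, rounds: int = 8) -> bytes:
    """Stand-in for E[block; key]: an 8-round balanced Feistel cipher."""
    assert len(block) == BLOCK_BYTES
    left, right = block[:4], block[4:]
    for rnd in range(rounds):
        left, right = right, _xor(left, _round_function(key, right, rnd))
    return left + right


def decrypt_block(key: bytes, block: bytes, rounds: int = 8) -> bytes:
    """Stand-in for D[block; key]: undo the Feistel rounds in reverse order."""
    assert len(block) == BLOCK_BYTES
    left, right = block[:4], block[4:]
    for rnd in reversed(range(rounds)):
        left, right = _xor(right, _round_function(key, left, rnd)), left
    return left + right


def derive_unit_key(serial: bytes, s1: bytes, s2: bytes):
    """Return (K1, K2, UK) for chip serial number N, following the text:
    R_i = E[D[E[N_i; S1]; S2]; S1] for i = 1..3; K1 || K2 = first 160 bits of
    R1 || R2 || R3 (the remaining 32 bits are discarded); UK = K1 XOR K2."""
    assert len(s1) == SEED_BYTES and len(s2) == SEED_BYTES
    r_blocks = []
    for i in (1, 2, 3):
        # Assumption: N_i is derived from N by hashing N with the block index.
        n_i = hashlib.sha256(serial + bytes([i])).digest()[:BLOCK_BYTES]
        r_i = encrypt_block(s1, decrypt_block(s2, encrypt_block(s1, n_i)))
        r_blocks.append(r_i)
    stream = b"".join(r_blocks)                       # 3 x 64 = 192 bits
    k1 = stream[:HALF_KEY_BYTES]                      # first 80 bits
    k2 = stream[HALF_KEY_BYTES:2 * HALF_KEY_BYTES]    # next 80 bits
    return k1, k2, _xor(k1, k2)


def independent_split(unit_key: bytes):
    """Contrast case: a 2-of-2 XOR split where one share is drawn at random,
    so either escrow agent could produce its own share.  With the derivation
    above, both halves come out of one computation from S1, S2 and N."""
    k1 = os.urandom(len(unit_key))
    return k1, _xor(unit_key, k1)


if __name__ == "__main__":
    # Constructed sample values: a 32-bit serial number and two 80-bit seeds.
    serial = (0x1234).to_bytes(4, "big")
    s1, s2 = b"seed-one!!", b"seed-two!!"
    k1, k2, uk = derive_unit_key(serial, s1, s2)
    print("K1 =", k1.hex(), " K2 =", k2.hex(), " UK =", uk.hex())
    # Anyone holding S1, S2 and the serial reproduces the same UK.
    assert derive_unit_key(serial, s1, s2)[2] == uk
```

Run as a script it prints the three derived values; the Feistel stand-in is only there to make the triple-encryption structure executable, and nothing about its strength carries over to the real chip.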
After completing a mound of paperwork, an agent must get the approval of several people on a chain that includes FBI legal counsel before the request is even taken to the Attorney General for final approval.

Dorothy Denning

Newsgroup: sci.crypt
document_id: 15402
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: WH proposal from Police point of view

strnlght@netcom.com (David Sternlight) writes:

> dwight tuinstra posts a very interesting message in which he comments on the
> effects of the Clipper chip on state and local police. Actually, reading
> between the lines, it could be a very good thing for civil liberties in one
> respect, since it will at least prevent cowboy cops and cowboy state and
> local agencies from reading your traffic if they tap it illegally.

Instead of reading between the lines, try to think a little bit. OK, if that's way too difficult for you, here are some hints. Indeed, the new proposal imposes some additional bureaucratic burden on the local police, if they badly want to tape the magic cookie recipe that your mom is telling you on the phone. So, guess what they will do? Propose that the new technology is removed? Or implement some "facilitations"? Of course, you won't want to wait until they get the approval from two different agencies to decrypt the conversation between two child molesters, because meanwhile those two child molesters might be conspiring about molesting your child, right? So, there should be some way for them to get access to those keys -quickly-, right? Like, they could have a copy of the database, and worry about a warrant later...

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev    Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226    Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. >    Vogt-Koelln-Strasse 30, rm.
107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de
D-2000 Hamburg 54, Germany

Newsgroup: sci.crypt
document_id: 15403
From: grady@netcom.com (1016/2EF221)
Subject: Re: powerful "similarity" too

I've been asked to supply more specific directions for automated fetching of the source and documentation for "agrep," the powerful similarity pattern matching tool.

It is at cs.arizona.edu 192.12.69.5 in directory

    /agrep/README
    /agrep/agrep-2.04.tar.Z
    /agrep/agrep.ps.1.Z
    /agrep/agrep.ps.2.Z

(The .ps suffixed files are the optional postscript docs; a reasonably good research report with benchmarks is included.)

Note for Macintosh MPW users: after a few hours of drudgery, I ported the tool to MPW 3.2.3 running under System 7.1. If you would like me to e-mail a binhexed copy of the tool suitable for dropping in to your MPW/tools folder, please write...

Other than the more purely cryptographic uses for the tool I've been having lots of fun picking up the "lost" references to things I'm interested in. For example, starting a search like:

    agrep -1 -i 'Burning Chrome' cyberpunkspool

immediately finds references like 'burning crome' that I have always missed before. See how many times John Gilmore's name is mentioned in the CUD archives (and how often misspelled). How about _your_ name?

As usual, I will e-mail the uuencoded tar.Z upon request if you cannot do anonymous FTP.

--
grady@netcom.com
2EF221 / 15 E2 AD D3 D1 C6 F3 FC 58 AC F7 3D 4F 01 1E 2F

Newsgroup: sci.crypt
document_id: 15404
From: aj@sage.cc.purdue.edu (John Dormer)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

Misinterpretation, though it should be a crime in itself, is what United States lawyers use to make their bread and butter. In Manchester, CT a few years ago, a small company wanted to run a game system called "LaserGames," similar in many aspects to Photon (tm).
Three lawyers and about a hundred citizens found an ancient law in Manchester's books which clearly from context was designed to prohibit travelling carnivals by enumerating the features of a carnival which they felt at the time made the prohibition obvious. Among these things was "shooting galleries," which is what the lawyers for the opposition to LaserGames wanted to harp upon. The judge took the two words from this law, completely out of context, and ruled that LaserGames could not operate in Manchester. Keep in mind that most travelling carnivals use projectile weapons in their shooting galleries, and not light beams.

Clearly from context, LaserGames got shafted, but if the two words are applied, their denial of operating permission was justified. If I had the text of the law I'd post it, but I'm afraid I don't remember it all well enough to even try. That little bit with the two words stuck well, though.

: John Dormer
: jad@expert.cc.purdue.edu

Newsgroup: sci.crypt
document_id: 15405
From: brands@cwi.nl (Stefan Brands)
Subject: * REPORT ON PRIVACY-PROTECTING OFF-LINE CASH AVAILABLE *

I recently published a new privacy-protecting off-line electronic cash system as a technical report at CWI. Being a PhD-student at David Chaum's cryptography-group, our group has a long history in research in the field of privacy-protecting cash systems.

The report is called CS-R9323.ps.Z, contains 77 pages, and can be retrieved from ftp.cwi.nl (192.16.184.180) from the directory pub/CWIreports/AA. The postscript-file is suitable for 300dpi laserprinters.

====================================================================

ABSTRACT (from coverpage):

We present a new off-line electronic cash system based on a problem, called the representation problem, of which little use has been made in literature thus far. Our system is the first to be based entirely on discrete logarithms.
Using the representation problem as a basic concept, some techniques are introduced that enable us to construct protocols for withdrawal and payment that do not use the cut and choose methodology of earlier systems. As a consequence, our cash system is much more efficient in both computation and communication complexity than any such system proposed previously.

Another important aspect of our system concerns its provability. Contrary to previously proposed systems, its correctness can be mathematically proven to a very great extent. Specifically, if we make one plausible assumption concerning a single hash-function, the ability to break the system seems to imply that one can break the Diffie-Hellman problem.

Our system offers a number of extensions that are hard to achieve in previously known systems. In our opinion the most interesting of these is that the entire cash system (including all the extensions) can be incorporated in a setting based on wallets with observers, which has the important advantage that double-spending can be prevented in the first place, rather than detecting the identity of a double-spender after the fact. In particular, it can be incorporated even under the most stringent requirements conceivable about the privacy of the user, which seems to be impossible to do with previously proposed systems. Another benefit of our system is that framing attempts by a bank have negligible probability of success (independent of computing power) by a simple mechanism from within the system, which is something that previous solutions lack entirely. Furthermore, the basic cash system can be extended to checks, multi-show cash and divisibility, while retaining its computational efficiency.

====================================================================

Cryptographers are challenged to try to break this system!

I made a particular effort to keep the report as self-contained as possible.
Nevertheless, if you have any questions, please e-mail me and I will try to reply as well as I can. Any comments are also welcome!

Stefan Brands,
--------------------------------------------------------
CWI, Kruislaan 413, 1098 SJ Amsterdam, The Netherlands
Tel: +31 20 5924103, e-mail: brands@cwi.nl

Newsgroup: sci.crypt
document_id: 15406
From: habs@panix.com (Harry Shapiro)
Subject: Re: The source of that announcement

In marc@mit.edu (Marc Horowitz N1NZU) writes:

>I received mail from Mitch Kapor saying that he did not ask to be on
>the list, and does not know why he was added. I'm sure the same
>applies to others on the list. So, I guess my initial theory was
>right, that the clipper list was just someone's idea of a bad joke. I
>guess I should be happy it wasn't a conspiracy.

I have also been in contact with Mitch about this. I believe him when he says he didn't ask to be on the "clipper" list. He also forwarded the traffic he had received through that list to me which will be placed at some ftp site.

However, the first alias on the "clipper list" was csspab which was another mailing list. It basically contained the addresses for staffers and board members of the NIST security board. Several of these people had their accounts within the dockmaster domain. These are the people we might wish to FOIA...

/harry
--
Harry Shapiro habs@panix.com
List Administrator of the Extropy Institute Mailing List
Private Communication for the Extropian Community since 1991

Newsgroup: sci.crypt
document_id: 15407
From: amanda@intercon.com (Amanda Walker)
Subject: Re: Once tapped, your code is no good any more.

uni@acs.bu.edu (Shaen Bernhardt) writes:

> I wish I could agree with you. Ask yourself this. Why would any
> private sector entity wish to buy a crypto system that was KNOWN to be
> at least partially compromised?

(a) To use for sensitive but not strategically important traffic, (b) if the system was cheap. For example, I don't own a cordless phone. With Clipper, I would.
If the local men in blue really want to listen to me talk to my friends or order pizza, I'm no worse off than I am now, and I don't have to worry about local kids or nosy neighbors. That is to say, Clipper "raises the bar" on insecure channels. It doesn't make them secure, by any means, but a wall, even if the FBI can get a master key by court order, is still better than a "keep off the grass" sign.

> The answer seems obvious to me, they wouldn't. There is other hardware
> out there not compromised. DES as an example (triple DES as a better
> one.)

So, where can I buy a DES-encrypted cellular phone? How much does it cost? Personally, Cylink stuff is out of my budget for personal use :)...

> How can you reconcile the administration's self-proclaimed purpose of
> providing law enforcement with access to encrypted data without making
> the clipper system the only crypto available in the U.S... ?

The Second and Fourth Amendments do come to mind.

Amanda Walker
InterCon Systems Corporation

Newsgroup: sci.crypt
document_id: 15408
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

rlward1@afterlife.ncsc.mil (Robert Ward) writes:

> >and since the US constitution guarantees the right to every American
> >to bear arms, why is not every American entitled, as a matter of

> Have you read the applicable part of the Constitution and interpreted it IN
> CONTEXT?

Yes. BTW, the appropriate Amendments were posted here some time ago.

> If not, please do so before posting this misinterpretation again.
> It refers to the right of the people to organize a militia, not for individuals
> to carry handguns, grenades, and assault rifles.

It's OK, it's OK... Just a month ago I expressed my belief that the right to have a means to shoot your neighbor is not that much necessary to ensure a people's right to be free and got flamed by lots of American gun supporters. So I thought that... Never mind.
The new Cripple Chip is a purely American problem, so deal with the mess yourselves. I just wanted to share with you a bit of my experience of living 30 years under a totalitarian regime (I'm Bulgarian) - because I thought that it might be useful to you. Oh well.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev    Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226    Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. >    Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

Newsgroup: sci.crypt
document_id: 15409
From: srt@duke.cs.duke.edu (Stephen R. Tate)
Subject: Re: Why the clipper algorithm is secret

In article <1993Apr18.225502.358@iecc.cambridge.ma.us> johnl@iecc.cambridge.ma.us (John R. Levine) writes:

>It just occurred to me why the algorithm is secret. If it were
>published, one could then build physically identical clone versions
>of the chip that would interoperate with official Clipper chips. But
>the cloner wouldn't provide the keys to the escrow houses.

Hmmn. Not necessarily --- they could release the details of the algorithm without releasing the "system key" (called SK by Hellman). That would make most people happy, and with some sort of verification procedure before key exchange, the "official" chips would only work with other "official" chips. In other words, secrecy of SK makes "physically identical clone versions" impossible; secrecy of the algorithm shouldn't be necessary.

Of course, revealing the algorithm opens them up to attacks on SK --- since all units share this key, compromising it may be a big deal. Personally, I wouldn't feel too comfortable knowing that one "secret" 80-bit number held in many places was all that guaranteed my security. Of course, compromise of SK doesn't necessarily mean that the system is compromised, but it's impossible to tell whether or not that's true with a secret algorithm.
Incidentally, what's to keep a "secret algorithm" from using the secret SK as the main key, with UK being only marginally important? Then a court order for UK may not even be necessary to do a wiretap.

--
Steve Tate  srt@cs.duke.edu   | The reason why mathematics enjoys special esteem,
Dept. of Computer Science     | above all other sciences, is that its laws are
Duke University               | absolutely certain and indisputable, while those of all
Durham, NC 27706              | other sciences are to some extent debatable. (Einstein)

Newsgroup: sci.crypt
document_id: 15410
From: skt@dcs.glasgow.ac.uk (Simon K Train)
Subject: Help me please!

I am a PhD student. Can I get the sci.crypt group posted directly to me??? Also I would like some feed-back on the encryption schemes that my research in finite fields can be applied to. Any takers?

Reply to gamv25@udcf.gla.ac.uk

Thanks
yours
Gavin.

Newsgroup: sci.crypt
document_id: 15411
From: amanda@intercon.com (Amanda Walker)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

pmetzger@snark.shearson.com (Perry E. Metzger) writes:

> I'm a political dissident. I'm scared shitless of the feds listening in
> on my calls. My opinions are the sort that would get me
> "disappeared" in a slightly less free society -- and who knows what
> sort of society we will be in in five or ten years? I have friends who
> have had their phones tapped -- none of this is theoretical to me.

I understand, believe it or not, and there are any number of kinds of conversation and communication I engage in that I wouldn't even consider using this scheme for. On the other hand, I don't see "Clipper" as providing a secure channel--it just prevents casual eavesdropping. This is part of why I am not worried about it per se. Trying to look at Clipper as a serious security tool is simply ludicrous. It's a voice scrambler, nothing more. There is still plenty of market for real crypto.
> As for "its better than the status quo", well, first of all, you can
> get a cryptophone from companies like Cylink today -- and they work
> well.

They cost an arm and a leg, though. "Clipper" is obviously aimed at the mass market. It certainly won't put Cylink out of business.

> In addition, a number of groups are now working on building
> software to turn any PC into a privacy enhanced phone right now -- and
> they are all working in overdrive mode.

This is old news. I can do this now.

> There ARE no crypto restrictions... yet. You can use anything you want
> RIGHT NOW. The point is to maintain that right.

There ARE restrictions. Example: We're a networking software vendor with a large overseas share of our market. We cannot currently ship PEM, or even simple DES, in our products without case-by-case approval from the Department of State. ITAR presents a material trade barrier to US firms trying to compete in international information systems markets.

Sure, you can use whatever freebie software you want to talk over BBS's in the USA. I, on the other hand, want strong crypto (PKCS, for example) to be the *default* for electronic mail, worldwide. I want priests to be able to hear confession over email. I want lawyers to be able to talk to clients in confidence over email, or doctors talk with patients. I want to be able to order products from my favorite Japanese mail-order catalog over the net. I want to be able to sign contracts, transact business, and so on electronically. This is so far infeasible as a result of the current restrictions on cryptographic systems, especially beyond the borders of the USA.

Clipper is irrelevant, and if it distracts the authorities into feeling safe, all the better. Its only danger is if it emboldens them into trying to put more restrictions into place, on the theory that it is "good enough for anyone who has nothing to hide." That argument is, of course, utter BS, just as much as "no one needs an assault rifle".

Amanda Walker
InterCon Systems Corporation

Newsgroup: sci.crypt document_id: 15412
From: amanda@intercon.com (Amanda Walker)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

rlward1@afterlife.ncsc.mil (Robert Ward) writes:
> It refers to the right of the people to organize a militia, not for
> individuals to carry handguns, grenades, and assault rifles.

False, as federal courts have affirmed on many occasions. This is getting out of sci.crypt territory, though...

Amanda Walker
InterCon Systems Corporation

Newsgroup: sci.crypt document_id: 15413
From: res@colnet.cmhnet.org (Rob Stampfli)
Subject: Re: Fifth Amendment and Passwords

>>I am positive someone will correct me if I am wrong, but doesn't the Fifth
>>also cover not being forced to do actions that are self-incriminating?
>
>[From Mike Godwin , posted with permission - Carl]
>
>Sadly, it does not. Suspects can be compelled to give handwriting and
>voice exemplars, and to take blood and DNA tests.

I am sure that Mike is correct on this point. I am also pretty sure that administering "truth serum" would be ruled a violation of your right not to incriminate yourself. But, what is the salient difference? Both drawing blood and injecting "truth serum" incapacitate you for a while, but do no permanent damage. Is it simply that we have come to view one as acceptable, while the other is viewed as a fundamental violation of one's rights? If this is the case, how do we expand the protections of the 5th amendment to incorporate new technologies without the results being a hodgepodge of different judges' personal opinions?

-- 
Rob Stampfli  rob@colnet.cmhnet.org  614-864-9377  HAM RADIO: kd8wk@n8jyv.oh
The neat thing about standards: There are so many to choose from.

Newsgroup: sci.crypt document_id: 15414
From: arromdee@jyusenkyou.cs.jhu.edu (Ken Arromdee)
Subject: Re: Once tapped, your code is no good any more.
In article <1qpg8fINN982@dns1.NMSU.Edu> amolitor@nmsu.edu (Andrew Molitor) writes:
>Yes, those evil guys in the FBI can probably, with some
>effort, abuse the system. I got news for you, if the evil guys in
>the FBI decide they want to persecute you, they're gonna, and you're
>gonna hate it. Fact is, the FBI doesn't want to listen to your phone
>calls, and if they do, and if you're using triple-DES, they'll just
>get a parabolic microphone and point it at your head.

Just because they can do it anyway, somehow, does not mean it is smart to make the job easier for them.

-- 
"On the first day after Christmas my truelove served to me... Leftover Turkey!
On the second day after Christmas my truelove served to me... Turkey Casserole that she made from Leftover Turkey.
[days 3-4 deleted]
... Flaming Turkey Wings! ..."
-- Pizza Hut commercial (and M*tlu/A*gic bait)
Ken Arromdee (arromdee@jyusenkyou.cs.jhu.edu)

Newsgroup: sci.crypt document_id: 15415
From: robichau@lambda.msfc.nasa.gov (Paul Robichaux)
Subject: Suggestions for escrow agencies (was: Re: More technical details)

( Below is my response to Dr. Denning's letter to Steven Bellovin. Comments are invited. - Paul )

In alt.privacy.clipper, Steve Bellovin posted your message to him, which included a brief passage concerning selection of agencies as escrow agencies. I am glad to see that the proposal as written states that the escrow agencies won't be law enforcement agencies. I would argue, however, that *one* of the escrow agencies shouldn't be federal at all.

As a private citizen, I would feel much more "secure in my person and papers" knowing that an organization committed to individual civil liberties- the ACLU and the NRA come to mind- was safeguarding half of my key. Both the ACLU and the NRA are resistant to government pressure by the simple expedient fact that they are not supported, funded, or overtly controlled by the government.

Of those federal and federally funded candidate agencies that you mentioned, I have the following comments:

- SRI, Rand, Mitre, and national labs: I agree that they have great experience safeguarding sensitive information. I am not convinced that they would adequately safeguard _this_ information, since in any case requiring disclosure, there's likely to be significant pressure for disclosure- possibly *wrongful* disclosure.

- GAO: perhaps. I would like to see more concrete evidence of their fidelity and ability.

- *TREASURY*? Surely you're joking. Perhaps you'd ask BATF to safeguard keys. Maybe the Federal Reserve would be a better choice.

Ever since last fall's "trial balloon" was posted in sci.crypt, your name has been synonymous with those who place a great deal of trust in the ability of government agencies and agents to act within the law. I agree with you in part: those agencies and agents *almost always* act properly. However, there have been enough cases where _sworn agents of the Federal Government_ have acted wrongly to make me feel that having two federal agencies as key repositories is unacceptable.

Respectfully,
-Paul Robichaux (not speaking for NTI, BCSS, or NASA)

-- 
Paul Robichaux, KD4JZG                 | HELP STOP THE BIG BROTHER CHIP!
NTI Mission Software Development Div.  | RIPEM key on request.

Newsgroup: sci.crypt document_id: 15416
From: steve-b@access.digex.com (Steve Brinich)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

You're drifting off topic. In any case, if you check on any of the topics devoted to gun rights issues, you will find ample evidence that the "misinformation" is your assertion that the term "the people" in the Second Amendment has mysteriously taken on a meaning diametrically opposite the meaning of the exact same term in the First and Fourth Amendments.
Newsgroup: sci.crypt document_id: 15417
From: caronni@nessie.cs.id.ethz.ch (Germano Caronni)
Subject: Re: More technical details

In article <1993Apr19.134346.2620@ulysses.att.com> smb@research.att.com (Steven Bellovin) writes:
>Here are some corrections and additions to Hellman's note, courtesy of
>Dorothy Denning. Again, this is reposted with permission.
>
>Two requests -- first, note the roles of S1 and S2. It appears to me
>and others that anyone who knows those values can construct the unit
>key. And the nature of the generation process for K1 and K2 is such
>that neither can be produced alone. Thus, the scheme cannot be
>implemented such that one repository generates the first half-key, and
>another generates the second. *That* is ominous.
>
>Second -- these postings are not revealed scripture, nor are they
>carefully-crafted spook postings. Don't attempt to draw out hidden
>meanings (as opposed to, say, the official announcements of Clipper).
>Leave Denning out of this; given Hellman's record of opposition to DES,
>which goes back before some folks on this newsgroup knew how to read, I
>don't think you can impugn his integrity.
>
>Oh yeah -- the folks who invented Clipper aren't stupid. If you think
>something doesn't make sense, it's almost certainly because you don't
>understand their goals.
>

This is an addition (posted with permission) to some tech. details of Clipper. They enlighten (???) the use of S1 and S2 for key generation.

-------------------------------------------

Date: Mon, 19 Apr 93 08:51:57 EDT
From: denning@cs.cosc.georgetown.edu (Dorothy Denning)
Subject: Re: Clipper Chip

I just had another conversation with NSA to clarify some of the features of Clipper. Please feel free to distribute this and my other messages on Clipper.

The name of the encryption algorithm is "Skipjack."

Martin Hellman had written

    and the serial number of the unit added to produce a three part message which will then be encrypted under the system key SK producing

        E{ E[M; K], E[K; UK], serial number; SK}

To which I responded:

    My understanding is that E[M; K] is not encrypted under SK (called the "family key") and that the decrypt key corresponding to SK is held by law enforcement. Does anyone have first hand knowledge on this?

I was correct in that E[M; K] is not encrypted under SK. However, Skipjack being a single-key system, there is, of course, not a separate decrypt key for the family key SK.

The unit key, also called the "chip key," is generated from the serial number N as follows. Let N1, N2, and N3 be 64 bit blocks derived from N, and let S1 and S2 be two 80-bit seeds used as keys. Compute the 64-bit block

    R1 = E[D[E[N1; S1]; S2]; S1]

(Note that this is like using the DES in triple encryption mode with two keys.) Similarly compute blocks R2 and R3 starting with N2 and N3. (I'm unclear about whether the keys S1 and S2 change. The fact that they're called seeds suggests they might.) Then R1, R2, and R3 are concatenated together giving 192 bits. The first 80 bits form K1 and the next 80 bits form K2. The remaining bits are discarded.

The seeds S1 and S2 do not change. The whole process is performed on a laptop computer, and S1 and S2 are supplied by two independent people so that no one person knows both. The same S1 and S2 are used during an entire "programming session" to generate keys for a stream of serial numbers. Everything is discarded at the end (the computer could be thrown out if desired).

The serial number is 30 bits and the values N1, N2, and N3 are formed by padding the serial number with fixed 34-bit blocks (separate padding for each value).

The resulting keys K1 and K2 are output onto separate floppy disks, paired up with their serial number. Each pair is stored in a separate file. The floppy disks are taken away by two separate people on behalf of the two escrow agencies.

Dorothy Denning
denning@cs.georgetown.edu

--------------------------------------------------------

I am sure more technical detail will be known as time goes by. Please note that, in posting this, I do not automatically agree with its contents and implications. So don't swamp my mailbox :-) I just think this is a valuable addition to the less than technical discussion that is rising here.

And, no, I don't mind if you call S1 and S2 'backdoor', as I could imagine the key-generation process working without these seeds and the dependency of K1,K2 on the Serial-Number.

Friendly greetings,

Germano Caronni

-- 
Instruments register only through things they're designed to register. Space still contains infinite unknowns.
PGP-Key-ID:341027  Germano Caronni  caronni@nessie.cs.id.ethz.ch  FD560CCF586F3DA747EA3C94DD01720F

Newsgroup: sci.crypt document_id: 15418
From: ethridge@crchh403 (Allen Ethridge)
Subject: Re: Once tapped, your code is no good any more.

Amanda Walker (amanda@intercon.com) wrote:
: uni@acs.bu.edu (Shaen Bernhardt) writes:
: [deletions]
:
: > How can you reconcile the administrations self proclaimed purpose of
: > providing law enforcement with access to encrypted data without making
: > the clipper system the only crypto available in the U.S... ?
:
: The Second and Fourth Amendments do come to mind.
:

I think I heard someplace (misc.legal?, comp.org.eff.talk?) that the courts have pretty much eliminated the fourth amendment already.

-- 
allen@well.sf.ca.us         "Words got me the wound
ethridge@bnr.ca              and will get me well,
my opinions are my own       if you believe it."
                             -- Jim Morrison

Newsgroup: sci.crypt document_id: 15419
From: holland@CS.ColoState.EDU (douglas craig holland)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

In article strnlght@netcom.com (David Sternlight) writes:
>In article
>holland@CS.ColoState.EDU (douglas craig holland) writes:
>
>
>> Let me ask you this. Would you trust Richard Nixon with your
>>crypto keys? I wouldn't.
>
>I take it you mean President Nixon, not private citizen Nixon. Sure.
>Nothing I'm doing would be of the slightest interest to President Nixon .
>

Are you sure you aren't being watched? Let me remind you that Watergate was only the tip of the iceberg. Nixon extensively used the NSA to watch people because he didn't like them. According to _Decrypting the Puzzle Palace_:

    Presumably, the NSA is restricted from conducting American surveillance by both the Foreign Intelligence Surveillance Act of 1978 (FISA) and a series of presidential directives, beginning with one issued by President Ford following Richard Nixon's bold misuse of the NSA, in which he explicitly directed the NSA to conduct widespread domestic surveillance of political dissidents and drug users.

Of course, just because there are laws saying the gov't is not supposed to conduct illegal surveillance doesn't mean those laws can't be broken when they are in the way.

Doug Holland

Newsgroup: sci.crypt document_id: 15420
From: zrepachol@cc.curtin.edu.au (Paul Repacholi)
Subject: Re: What is going on?...

In article , gthomas@fraser.sfu.ca (Guy Thomas) writes:
> zrepachol@cc.curtin.edu.au (Paul Repacholi) writes:
>
>>In article <1993Apr16.055100.1@cc.curtin.edu.au>, zrepachol@cc.curtin.edu.au (Paul Repacholi) writes:
>>...
>>> If you can't be bothered reading, get the video "Manufacturing Consent".
>>>
>
>>In reply to mail queries; I don't know if a video is available yet. I asked
>>about a month ago and was told RSN.
>
> Yes it is. From the National Film Board of Canada.

Ah, not in the USA. That's a relief, thought 'reality' must be slipping for a second. :-)

St Noam was on the radio tonight, he has just published a new book "501 years". Published by South End I guess. Could some Bostonian confirm please? I would love to hear what he thinks of the Clipper scam.

~Paul

PS The first posting I saw I thought was a joke in *VERY* bad taste. My apologies to the person who broke the news.

Newsgroup: sci.crypt document_id: 15421
From: cuffell@spot.Colorado.EDU (Tim Cuffel)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

In article strnlght@netcom.com (David Sternlight) writes:
>In article
>holland@CS.ColoState.EDU (douglas craig holland) writes:
>
>
>> Let me ask you this. Would you trust Richard Nixon with your
>>crypto keys? I wouldn't.
>
>I take it you mean President Nixon, not private citizen Nixon. Sure.
>Nothing I'm doing would be of the slightest interest to President Nixon .
>
>David
>
>
>--
>David Sternlight  Great care has been taken to ensure the accuracy of
>                  our information, errors and omissions excepted.
>
>

Ergo, if your life is sufficiently boring, you have no need for privacy? (This is not meant to be personal, just the logical conclusion of your statement.)

-- 
-Tim Cuffel  Finger for PGP 2.1
The CIA has admitted that the assassination of Saddam Hussein was one of their goals. They failed, of course. Seems as though that motorcade through downtown Dallas trick only works once.

Newsgroup: sci.crypt document_id: 15422
From: karn@unix.ka9q.ampr.org (Phil Karn)
Subject: Re: Fifth Amendment and Passwords

In article <1993Apr18.233112.24107@colnet.cmhnet.org>, res@colnet.cmhnet.org (Rob Stampfli) writes:
|> >Sadly, it does not. Suspects can be compelled to give handwriting and
|> >voice exemplars, and to take blood and DNA tests.
|>
|> I am sure that Mike is correct on this point. I am also pretty sure that
|> administering "truth serum" would be ruled a violation of your right
|> not to incriminate yourself.
|> But, what is the salient difference?

You can find the salient difference in any number of 5th amendment related Supreme Court opinions. The Court limits 5th amendment protections to what they call "testimonial" evidence, as opposed to physical evidence. The whole question would hinge on whether a crypto key would be considered "testimonial" evidence. I suppose arguments could be made either way, though obviously I would hope it would be considered testimonial.

Phil

Newsgroup: sci.crypt document_id: 15423
From: srt@duke.cs.duke.edu (Stephen R. Tate)
Subject: Re: More technical details

In article <1993Apr19.162936.7517@bernina.ethz.ch> caronni@nessie.cs.id.ethz.ch (Germano Caronni) (actually Dorothy Denning) writes:
>The seeds S1 and S2 do not change.

Let me see if I have this straight --- if a person knows S1 and S2, and the serial number of the unit, it's easy to reconstruct UK. Of course, if they know SK, the "family key", they can easily get the serial number of any unit that has made a transmission. So with S1 and S2 being used for a whole "batch" of the unit keys, the number of used S1/S2 pairs will probably be fairly low. Of course, you have to believe that the NSA/FBI/name-your-favorite-government agency will know SK so all it needs is the S1/S2 pairs, and presto, nasty details like court orders for wire taps are no longer necessary.

Now, I'm not one of the people who distrusts the government at every turn, but taking someone's word for it that the S1/S2 pairs are not kept around is pushing what I'm willing to believe just a little bit too far.

-- 
Steve Tate  srt@cs.duke.edu  |  "The reason why mathematics enjoys special esteem, above all other sciences, is that its laws are absolutely certain and indisputable, while those of all other sciences are to some extent debatable." (Einstein)
Dept. of Computer Science, Duke University, Durham, NC 27706

Newsgroup: sci.crypt document_id: 15424
From: Grant@DOCKMASTER.NCSC.MIL (Lynn R Grant)
Subject: Re: Key Registering Bodies

If we do not trust the NSA to be a registrar of Clipper Chip key halves, I would not trust Mitre either. Mitre does lots of work for NSA, at least in the Trusted Product Evaluation Program (evaluation of commercial off the shelf software for its efficacy in safeguarding classified information), and I assume in other, less open, programs. There are at least two other FFRDCs (Federally Funded Research and Development Corporations) that work for NSA: Aerospace Corporation and the Institute for Defense Analysis.

Now, if NSA were to be untrustworthy (a position that I am neutral about, for purposes of this posting), it would be in a position to exert economic pressure upon Mitre to release key halves on demand. It could just say, "If you don't cooperate with us, we'll place all our evaluation contracts with Aerospace and IDA."

I am not saying that people at NSA, Mitre, Aerospace, or IDA are dishonest folk. But since they are people, and people occasionally go bad, the system works better if organizations that you are depending upon to be independent really are.

And, of course, I speak for myself, not my employer.

Lynn Grant

Newsgroup: sci.crypt document_id: 15425
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: Re: WH proposal from Police point of view

In article strnlght@netcom.com (David Sternlight) writes:
> There has been extensive discussion in the eff forum, for example, about
> inadmissible taps being used to develop information that could then lead
> to admissible evidence. This might put a stop to such things, which must
> from time to time be simple fishing expeditions.

Far more likely, these things will continue to be done no matter what assurances we are given. "Key Escrow" is likely going to prove to be a joke.

-- 
Perry Metzger  pmetzger@shearson.com
-- 
Laissez faire, laissez passer. Le monde va de lui meme.
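The key-generation procedure in Denning's note (post 15417 above) and the scenario Tate describes in post 15423, modelled in code. This is an added example, not code from any poster, from NSA or from the Clipper program. Skipjack was secret when these posts were written, so a toy 32-round Feistel cipher with a SHA-256 round function stands in for E/D; it shares only the stated shape (64-bit block, 80-bit key) with Skipjack. The 34-bit pad constants, the XOR of K1 and K2 into the chip key, the padding of the 80-bit session key to two blocks, and the layout of the serial-number/session-key field (Caronni's X{ E[K; chipkey], serial number } with X taken as ECB under the family key) are all assumptions made for the example. The seeds, family key, serial number and session key are constructed values.

```python
"""Clipper unit-key derivation per Denning's note, plus a LEAF-style field,
used to show Tate's point: SK plus a batch's S1/S2 pair replaces the escrow
agents. Added example; the cipher below is a stand-in, NOT Skipjack."""
import hashlib

BLOCK = 8     # 64-bit block
KEYLEN = 10   # 80-bit key
ROUNDS = 32   # "32 rounds of *whatever*" (Caronni)


def _feistel(block: bytes, key: bytes, decrypt: bool = False) -> bytes:
    """Toy 64-bit Feistel cipher with an 80-bit key (stand-in for Skipjack)."""
    assert len(block) == BLOCK and len(key) == KEYLEN
    rks = [hashlib.sha256(key + bytes([r])).digest()[:4] for r in range(ROUNDS)]
    if decrypt:
        rks.reverse()
    l, r = block[:4], block[4:]
    for rk in rks:
        f = hashlib.sha256(r + rk).digest()[:4]
        l, r = r, bytes(a ^ b for a, b in zip(l, f))
    return r + l   # undo the final swap, so decryption is the same walk in reverse


def E(x: bytes, k: bytes) -> bytes:
    return _feistel(x, k)


def D(x: bytes, k: bytes) -> bytes:
    return _feistel(x, k, decrypt=True)


def ecb(data: bytes, key: bytes, decrypt: bool = False) -> bytes:
    assert len(data) % BLOCK == 0
    return b"".join(_feistel(data[i:i + BLOCK], key, decrypt)
                    for i in range(0, len(data), BLOCK))


# Denning: 30-bit serial N padded with a fixed 34-bit block, a different one
# for each of N1, N2, N3. The real constants are not public; these are made up.
_PADS = (0x155555555, 0x2AAAAAAAA, 0x3C3C3C3C3)


def _n_blocks(serial: int) -> list:
    assert 0 <= serial < 1 << 30
    return [((serial << 34) | pad).to_bytes(BLOCK, "big") for pad in _PADS]


def derive_key_halves(serial: int, s1: bytes, s2: bytes):
    """R_i = E[D[E[N_i; S1]; S2]; S1]; K1 = first 80 bits of R1|R2|R3, K2 = next 80.
    The last 32 of the 192 bits are discarded, as in the note."""
    r = b"".join(E(D(E(n, s1), s2), s1) for n in _n_blocks(serial))
    return r[:KEYLEN], r[KEYLEN:2 * KEYLEN]


def unit_key(k1: bytes, k2: bytes) -> bytes:
    # How the halves combine into the chip key is not stated in the posts;
    # XOR is assumed here.
    return bytes(a ^ b for a, b in zip(k1, k2))


def build_field(session_key: bytes, serial: int, k1: bytes, k2: bytes,
                family_key: bytes) -> bytes:
    """Caronni's sketch X{ E[K; chipkey], serial number }, with X taken to be
    ECB under the family key (assumption; he guesses it might be an XOR)."""
    assert len(session_key) == KEYLEN
    inner = ecb(session_key + b"\x00" * 6, unit_key(k1, k2))  # 80-bit K -> 2 blocks
    return ecb(inner + serial.to_bytes(BLOCK, "big"), family_key)


def open_field(field: bytes, family_key: bytes):
    """Anyone holding SK sees the serial number: Caronni's traffic-analysis point."""
    plain = ecb(field, family_key, decrypt=True)
    return plain[:16], int.from_bytes(plain[16:], "big")


def recover_with_escrow(field: bytes, family_key: bytes, k1: bytes, k2: bytes) -> bytes:
    """Intended path: SK plus both escrowed halves for this serial number."""
    inner, _serial = open_field(field, family_key)
    return ecb(inner, unit_key(k1, k2), decrypt=True)[:KEYLEN]


def recover_with_seeds(field: bytes, family_key: bytes, s1: bytes, s2: bytes) -> bytes:
    """Tate's point: SK plus the batch's S1/S2 pair makes the escrow agents irrelevant."""
    inner, serial = open_field(field, family_key)
    k1, k2 = derive_key_halves(serial, s1, s2)
    return ecb(inner, unit_key(k1, k2), decrypt=True)[:KEYLEN]


if __name__ == "__main__":
    # Constructed values: two 80-bit seeds, a family key, one serial, one session key.
    S1, S2, SK = bytes(range(10)), bytes(range(10, 20)), b"familykey!"
    serial, K = 0x2ABCDEF1, b"sessionkey"
    k1, k2 = derive_key_halves(serial, S1, S2)   # what the two floppies would hold
    field = build_field(K, serial, k1, k2, SK)
    print("escrow path recovers K:", recover_with_escrow(field, SK, k1, k2) == K)
    print("seed path recovers K:  ", recover_with_seeds(field, SK, S1, S2) == K)
```

The two recovery functions reach the same session key by different routes. The escrow route needs the two floppies for one serial number; the seed route needs only SK and the S1/S2 pair that programmed the whole batch, which is why Tate and Bellovin treat retention of those seeds as the real question, and why the derivation being deterministic in the serial number matters more than the 80-bit key length.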
Newsgroup: sci.crypt document_id: 15426
From: caronni@nessie.cs.id.ethz.ch (Germano Caronni)
Subject: Re: More technical details

Hmm, followup on my own posting... Well, who cares.

First let me try to work out the facts that we get to know about the Clipper-Chip, from what Hellman and Denning were able to tell us:

The chip itself is not confined to (digital) telephony, but performs general encryption in a symmetric manner. The chip supports CFB, OFB, ECB (and whatever the fourth mode of operation for DES is), the algorithm consists of 32 rounds of *whatever*, and takes 80-Bit keys. Input data seems to be 64 Bit? Yes.

So if two people want secure communication (whatever that means when Clipper is involved) they have first to agree on ONE secret key. (Or is it one key per direction ?) They can exchange this key via DH-schemes or however. Somehow the two feed their so-won secret key into the Clipper-chip which is now ready to work.

The Clipper chip carries a unique Serial-Number (30 Bits), and 160 Key-Bits. These 160 key-bits seem to have been gained by encrypting the serial-number with 160 seed-bits. (The seed-bits seem not to be stored in the chip.)

At the beginning of communication (and perhaps at certain intervals within??) before sending the first real 64-bit output of the first encryption the Clipper chip puts out packets (I guess 3) which represent the serial number, and the session key. This might look like

    X{ E[K; chipkey K1+K2], serial number }

where X is a transformation of these 3? packets involving a family-key. This family(sp?)-key is equal for ALL chips. (X might be a simple XOR ???) After that, the (digital?) phone-call can be done as usual, every packet being encrypted and decrypted by Clipper.

Denning describes how K1 and K2 shall be generated, using a seed of 160 Bits.

Now, leaving alone politics, which does not concern me as much as you, not being an American Citizen(tm) [ :-) ], there are some weak points in this scheme, which might be exploited by several parties.

As far as I know about the generation of K1,K2; S1 and S2 look like the obvious backdoor. They could be used to generate the chip-keys by knowing the serial-number (and also the family-key) of the chip. I really can't imagine why these seeds would be needed otherwise, as true random-sources for the generation of the K1,K2 can be bought for not too much money.

Then, the escrows. Each of them will get 80 bit of a 160-Bit key. Security could (as little as existant) be maximized by giving them 160-bits each, which have to be xored together to give the K1,K2.

Now let's simply assume the escrows are trustworthy, and can't be fooled by criminals or law enforcement agencies. (And there will be no quarrel between escrows and l.e.a. which would hinder the l.e.a. in doing their duties, and so on and so on.) Once the keys are surrendered, the corresponding chip is compromised forever. Not very clever, IMHO [ :-)) ]. How about sending in the encrypted session-keys for each phone-call that the police (or whoever) wants to listen to? Escrows could then simply decode this session-key and send it back to police. (And would naturally not do this after the warrant has expired...) This would be a better technical solution, but I guess politics will not work that way.

Apparently (as Miss Denning stated) the only one actually performing decodes of intercepted messages shall be the FBI. Great. So local guys can not intercept (understand) your traffic anymore. Does this mean that the FBI monopolizes the right to do legal wiretaps ? (How is law over there, I have no idea who is allowed to tap, and who not.) This certainly means that watched communications will be routed automatically from the service-providing company to the FBI, if the communication is a watched one. And this means as far as I understand it that the family-key has to be known by each switching-company, and those providing cellular-phone services etc. etc. So the family-key will not be very secret, and thus serial-numbers of calls will be readable by anybody who cares. I _like_ traffic-analysis!

What do you guess, what happens, if you use the chip in ECB mode, and the first few packets of the chip are somehow lost or garbled? So the session key would not be actually broadcasted over the line? Hmmm. Shouldn't be so difficult to do *that* :^)

And now a last point, for the other side. After all I have read and heard about Clipper (not the programming language for dBase, is it ? [:-)]) it seems to have many advantages, which should not be overlooked!

Now an afterthought to your rights. Please note that I have no idea what I am talking about!!!

From: grady@netcom.com (1016/2EF221)
> Amendment 1
>
> Congress shall make no law respecting an establishment of religion, or
>prohibiting the free exercise thereof; or abridging the freedom of speech,
>or of the press; or the right of the people peaceably to assemble, and to
>petition the Government for a redress of grievances.

If this text is actually in your Bill of Rights, who can overrule this ? But: 'Freedom of speech' is not 'Secrecy of speech'. Maybe you need to extend your Amendment #4 to cover information and communication too ? I am not very sure in what position your government actually is *legally* when it tries to ban cryptography (and arms). The Amendments say you may have them, but not under what conditions. Hmm, tricky situation :-(

Actually it will not make much sense to discuss that topic in sci.crypt... Discussion of technical details and vulnerabilities of the system is highly suggested and appreciated :-)

Friendly greetings,

Germano Caronni

DISCLAIMER: Everything in here is derived from things I heard and read from other persons, so everything could be wrong. All opinions and thoughts in here are mine, and subject to change without further notification. No warranty, neither implicit nor explicit etc. etc. etc. ad nauseam.

p.s. Please don't ask me about political opinions, as I might not bother to reply. (For further information read the last line of P. Metzger's signature.)

-- 
Instruments register only through things they're designed to register. Space still contains infinite unknowns.
PGP-Key-ID:341027  Germano Caronni  caronni@nessie.cs.id.ethz.ch  FD560CCF586F3DA747EA3C94DD01720F

Newsgroup: sci.crypt document_id: 15427
From: paul@charon.gsfc.nasa.gov (Paul Olson)
Subject: Re: White House Public Encryption Management Fact Sheet

In article <1qnav4$r3l@transfer.stratus.com>, cme@ellisun.sw.stratus.com (Carl Ellison) writes...
>In article clipper@csrc.ncsl.nist.gov (Clipper Chip Announcement) writes:
>
>>Further, the Attorney General
>>shall utilize funds from the Department of Justice Asset Forfeiture
>>Super Surplus Fund to effect this purchase.
>
>Talk about adding insult to injury ...
>
>I, for one, believe that the use of civil forfeiture should be abolished by
>a decent administration, not continued. Instead, it looks like that
>ill-gotten gain will be used to help pay for wiretap equipment.

I wholeheartedly agree. Knowing that WE have let our law enforcement agencies seize our property against the Fifth Amendment of OUR Constitution tells me that we are absolving ourselves of our responsibility for SELF-GOVERNANCE. WE have to take our government back from the self-serving politicians who create laws and rules only to better their positions within the government. WE have allowed them to take too much power from the people of this nation. That situation has to be changed.

Allowing the law enforcement agencies to use the seized property to pay-off drug informants who lie and continue to deal in drugs is tantamount to making a pact with the Devil himself. It's a vicious cycle.
The law enforcement agencies are motivated to seize property to fund their own activities. And having no easy way for the citizen to regain the property intact once taken gives even more incentive for the agencies to take property. It's also interesting to note that two months ago Rush Limbaugh said that Clinton would have the "plumbers" out in force shortly. Clinton and his henchmen firmly believe in strong ubiquitous government control. Anytime a leader believes in that, the leader will use every means possible to retain that control and take more. WE have to take OUR government back. Otherwise we will end up living in the equivalent of a high-tech third world dictatorship. We have to take responsibility for ourselves, our personal welfare, and our actions. __ Paul J. Olson - VAX Systems Manager & Resident Amiga Addict C= /// Voice - 301/286-4246, 301/210-7701 __ /// DECnet- CHARON::PAUL \\\/// Internet - paul@charon.gsfc.nasa.gov \XX/ Disclaimer: Statements in my messages are wholely my own. AMIGA "Ignorance is a renewable resource." -- P.J. O'Rourke Newsgroup: sci.crypt document_id: 15429 From: zrepachol@cc.curtin.edu.au (Paul Repacholi) Subject: Re: Clipper Chip. LONG follow up. In article <16695@rand.org>, jim@rand.org (Jim Gillogly) writes: > This document is in the anonymous ftp directory at NIST. Looks to me > like the other shoe has dropped. > > Jim Gillogly > Trewesday, 25 Astron S.R. 1993, 17:00 > Thanks for posting this and making it available. This post will be LONG, I will comment on most of it, and am reluctantly leaving all of the original in place to provide context. Please note that an alt. group has been set up for the Clipper stuff. > ------------------- > > Note: This file will also be available via anonymous file > transfer from csrc.ncsl.nist.gov in directory /pub/nistnews and > via the NIST Computer Security BBS at 301-948-5717. 
> --------------------------------------------------- > > THE WHITE HOUSE > > Office of the Press Secretary > > _________________________________________________________________ > > For Immediate Release April 16, 1993 > > > STATEMENT BY THE PRESS SECRETARY > > > The President today announced a new initiative that will bring > the Federal Government together with industry in a voluntary ^^^^^^^^^ Hum, AT&T, VLSI and Mykotronx are 'industry'? Wonder what happened to IBM, this should be right up their street. And a mandateed scheme is voluntary? Mr Orwell would love this. > program to improve the security and privacy of telephone ^^^^^^^^^ > communications while meeting the legitimate needs of law > enforcement. Telephone encryption and scrambleing are years behind digital ones like RSA, IDEA, or even DES. The above, while literaly true, is a clasic straw-man claim in the context of non-real-time circuits such as E-mail and the like. > The initiative will involve the creation of new products to > accelerate the development and use of advanced and secure > telecommunications networks and wireless communications links. > I would modestly propose that a mandated use of ISDN would do more for commun- ications than this lot. > For too long there has been little or no dialogue between our > private sector and the law enforcement community to resolve the > tension between economic vitality and the real challenges of > protecting Americans. Rather than use technology to accommodate > the sometimes competing interests of economic growth, privacy and > law enforcement, previous policies have pitted government against > industry and the rights of privacy against law enforcement. > > Sophisticated encryption technology has been used for years to > protect electronic funds transfer. It is now being used to > protect electronic mail and computer files. While encryption Normmaly DES. 
> technology can help Americans protect business secrets and the
                                        ^^^^^^^^^^^^^^^^
> unauthorized release of personal information, it also can be used
> by terrorists, drug dealers, and other criminals.

Note the use of the word "business" in the above. The whole tenor of this release seems to be establishing a ground rule that only "business" use is legitimate for debate. If you want the nothings you drop in your wife's ear to remain secret and private, that is not even on the agenda for debate. Note that there is NO role for you to contain private info in this. The only reference is to information already in the hands of others.

The 'unauthorized release' bit is also drawing a long bow. Most of these cases are by people who have legitimate access abusing it, and revealing, or often selling the info. These people are, of course, in this proposal, the people who will have the keys.

The criminals also use lawyers, courts, the CIA, white-house officials and pens to go about their business. When will they be outlawed as well? Yeah, several of them would be a better idea than Clipper! Then again, the protections of law and the courts have been seriously eroded over the last decade or so.

> A state-of-the-art microcircuit called the "Clipper Chip" has
> been developed by government engineers. The chip represents a
                   ^^^^^^^^^^^^^^^^^^^^ NSA
> new approach to encryption technology.

Yeah, this bit is VERY true.

> ....It can be used in new,
> relatively inexpensive encryption devices that can be attached to
> an ordinary telephone. It scrambles telephone communications
> using an encryption algorithm that is more powerful than many in
> commercial use today.
>

Note the repeated mixing of telephone scrambling and encryption. A demo of the above claim on an ordinary POTS would be a good night's entertainment I suspect. Note also the 'many', not 'all', as the general tone implies.
> This new technology will help companies protect proprietary
                                                  ^^^^^^^^^
> information, protect the privacy of personal phone conversations
                                     ^^^^^^^^^^^^^^
> and prevent unauthorized release of data transmitted
> electronically. At the same time this technology preserves the
> ability of federal, state and local law enforcement agencies to
> intercept lawfully the phone conversations of criminals.

The case record seems to indicate that what is needed is a brutal tightening of the current abuses. I have not heard, yet, of a case that was impeded by the use of secure encryption by the men in black. The other side, abuse by law enforcers, is well documented, even by govt agencies. And the phone vs other coms is blurred yet again.

> A "key-escrow" system will be established to ensure that the
> "Clipper Chip" is used to protect the privacy of law-abiding
> Americans.
> A "key-escrow" system will be established to ensure that the
> "Clipper Chip" is used to protect the privacy of law-abiding
> Americans.

Let's run that line twice. Note **VERY** carefully what it says. The stated purpose of the key escrow is to make the use of Clipper compulsory. Note the word "ensure". As to 'protect', or 'law-abiding', I will leave to you.

So to the person who asked if it included the outlawing of other encryptions, the answer in this press release is, YES.

> ...Each device containing the chip will have two unique
> "keys," numbers that will be needed by authorized government
> agencies to decode messages encoded by the device. When the
> device is manufactured, the two keys will be deposited separately
> in two "key-escrow" data bases that will be established by the
> Attorney General. Access to these keys will be limited to
> government officials with legal authorization to conduct a
> wiretap.

Just as they only can wiretap now with a warrant.
> The "Clipper Chip" technology provides law enforcement with no
> new authorities to access the content of the private
> conversations of Americans.

Just makes sure that the illegal ones are preserved.

> To demonstrate the effectiveness of this new technology, the
> Attorney General will soon purchase several thousand of the new
> devices. In addition, respected experts from outside the
> government will be offered access to the confidential details of
> the algorithm to assess its capabilities and publicly report
> their findings.

Where do you find many experts. Any ex KGB people looking for a contract? :-)

And as a later posting asks, what of the STU-IIIs they already have. It will be very interesting to see if the military and US embassies start to use it. After all, it is secure, isn't it. The govt will answer that point by its own actions.

> The chip is an important step in addressing the problem of
> encryption's dual-edge sword: encryption helps to protect the
> privacy of individuals and industry, but it also can shield
> criminals and terrorists. We need the "Clipper Chip" and other
> approaches that can both provide law-abiding citizens with access
> to the encryption they need and prevent criminals from using it
> to hide their illegal activities. In order to assess technology
> trends and explore new approaches (like the key-escrow system),
> the President has directed government agencies to develop a
> comprehensive policy on encryption that accommodates:
>
> -- the privacy of our citizens, including the need to
> employ voice or data encryption for business purposes;
                                       ^^^^^^^^

Again, personal use seems to be an unaskable question.

>
> -- the ability of authorized officials to access telephone
> calls and data, under proper court or other legal
                                      ^^^^^
> order, when necessary to protect our citizens;

Ah, so warrants are not always needed it seems.
>
> -- the effective and timely use of the most modern
> technology to build the National Information
> Infrastructure needed to promote economic growth and
> the competitiveness of American industry in the global
> marketplace; and
>
> -- the need of U.S. companies to manufacture and export
> high technology products.

The ITARs seem to slightly impede this.

> The President has directed early and frequent consultations with
> affected industries, the Congress and groups that advocate the
> privacy rights of individuals as policy options are developed.
> The Administration is committed to working with the private
> sector to spur the development of a National Information
> Infrastructure which will use new telecommunications and computer
> technologies to give Americans unprecedented access to
> information. This infrastructure of high-speed networks
> ("information superhighways") will transmit video, images, HDTV
> programming, and huge data files as easily as today's telephone
> system transmits voice.

Note that all this wonderful stuff will be in secret. Only the 'proper people' will be able to express an opinion, hence only the desired result will emerge.

> Since encryption technology will play an increasingly important
> role in that infrastructure, the Federal Government must act
> quickly to develop consistent, comprehensive policies regarding
> its use. The Administration is committed to policies that
> protect all Americans' right to privacy while also protecting
> them from those who break the law.

Encryption and codes have been around for millennia. They are generally in equilibrium with the technology of the time. The systematic study of cyphers has resulted in a swing in favor of the encrypter, AT THE MOMENT. I have no doubt that the factoring problem will fall in time. Probably for practical purposes by the middle of the next century.

> Further information is provided in an accompanying fact sheet.
> The provisions of the President's directive to acquire the new
> encryption technology are also available.
>
> For additional details, call Mat Heyman, National Institute of
> Standards and Technology, (301) 975-2758.
>
> ---------------------------------
>
>
> QUESTIONS AND ANSWERS ABOUT THE CLINTON ADMINISTRATION'S
> TELECOMMUNICATIONS INITIATIVE
>
>
>
>
> Q: Does this approach expand the authority of government
> agencies to listen in on phone conversations?
>
> A: No. "Clipper Chip" technology provides law enforcement with
> no new authorities to access the content of the private
> conversations of Americans.
>
> Q: Suppose a law enforcement agency is conducting a wiretap on
> a drug smuggling ring and intercepts a conversation
> encrypted using the device. What would they have to do to
> decipher the message?
>
> A: They would have to obtain legal authorization, normally a
> court order, to do the wiretap in the first place. They
> would then present documentation of this authorization to
> the two entities responsible for safeguarding the keys and
> obtain the keys for the device being used by the drug
> smugglers. The key is split into two parts, which are
> stored separately in order to ensure the security of the key
> escrow system.
>
> Q: Who will run the key-escrow data banks?
>
> A: The two key-escrow data banks will be run by two independent
> entities. At this point, the Department of Justice and the
> Administration have yet to determine which agencies will
> oversee the key-escrow data banks.

It is a little hard to criticise a non-proposal.

> Q: How strong is the security in the device? How can I be sure
> how strong the security is?
>
> A: This system is more secure than many other voice encryption
> systems readily available today.

Note we drop back to 'phone-mode' again. If this is a true answer, it can be rephrased as "It sucks big time. Anyone who can drive the crypt work-bench will use it for light amusement before breakfast."

> ...
> While the algorithm will
> remain classified to protect the security of the key escrow
> system,

This link between the security of the key-escrow, and the actual algorithm is a real winner. Given that I have 2 secret 40 bit numbers, could someone please explain how the details of an encryption algorithm will reveal them?

> ... we are willing to invite an independent panel of
> cryptography experts to evaluate the algorithm to assure all
> potential users that there are no unrecognized
> vulnerabilities.

Just make sure you read the CVs REAL carefully, OK.

>
> Q: Whose decision was it to propose this product?
>
> A: The National Security Council, the Justice Department, the
> Commerce Department, and other key agencies were involved in
> this decision. This approach has been endorsed by the
> President, the Vice President, and appropriate Cabinet
> officials.

Quick, without looking back, what name is missing from that list?

> Q: Who was consulted? The Congress? Industry?
>
> A: We have on-going discussions with Congress and industry on
> encryption issues, and expect those discussions to intensify
> as we carry out our review of encryption policy. We have
> briefed members of Congress and industry leaders on the
> decisions related to this initiative.

The people who agree with us and who think there is a buck in it for them.

> Q: Will the government provide the hardware to manufacturers?
>
> A: The government designed and developed the key access
> encryption microcircuits, but it is not providing the
> microcircuits to product manufacturers. Product
> manufacturers can acquire the microcircuits from the chip
> manufacturer that produces them.

The reverse engineering provisions of the 'Mask-work' act could be relevant here.

> Q: Who provides the "Clipper Chip"?
>
> A: Mykotronx programs it at their facility in Torrance,
> California, and will sell the chip to encryption device
> manufacturers.
> The programming function could be licensed
> to other vendors in the future.
>
> Q: How do I buy one of these encryption devices?
>
> A: We expect several manufacturers to consider incorporating
> the "Clipper Chip" into their devices.

You don't. Not unless you are one of the 'right people'.

> Q: If the Administration were unable to find a technological
> solution like the one proposed, would the Administration be
> willing to use legal remedies to restrict access to more
> powerful encryption devices?
>
> A: This is a fundamental policy question which will be
> considered during the broad policy review. The key escrow

They missed the word secret here. He needs a grammar lesson too.

> mechanism will provide Americans with an encryption product
> that is more secure, more convenient, and less expensive
> than others readily available today, but it is just one
> piece of what must be the comprehensive approach to
> encryption technology, which the Administration is
> developing.

I would say "less secure, less convenient, more expensive ( PGP is free ), less available, and more prone to being compromised". Proofs to the contrary will be welcome. Note PROOF.

> The Administration is not saying, "since encryption
> threatens the public safety and effective law enforcement,
> we will prohibit it outright" (as some countries have
> effectively done); nor is the U.S. saying that "every
> American, as a matter of right, is entitled to an
> unbreakable commercial encryption product."

They don't seem to be saying anything that makes much sense. And this proposal DOES prohibit it except in a very limited way. And, this is the one explicit reference to personal rights. It is a denial. And yes, I don't think that the Mexicans, Brazilians, and Canucks are included in Clinton et al's magnanimous gesture.

> ... There is a
> false "tension" created in the assessment that this issue is
> an "either-or" proposition.
> Rather, both concerns can be,
> and in fact are, harmoniously balanced through a reasoned,
> balanced approach such as is proposed with the "Clipper
> Chip" and similar encryption techniques.

The 'false tension' is false. The balance is between two repugnant points. The RIGHT to privacy is hand-waved to non-existence by putting it behind the "false assessment". It is assumed that the removal of the right to take whatever steps YOU deem suitable to protect YOUR privacy is non negotiable, hence is defined in the government language to be non-existent. If you don't agree, you must be a criminal, as only criminals don't agree with our laws.

Also note the non-question. "If what is here was not possible..."

> Q: What does this decision indicate about how the Clinton
> Administration's policy toward encryption will differ from
> that of the Bush Administration?
>
> A: It indicates that we understand the importance of encryption
> technology in telecommunications and computing and are
> committed to working with industry and public-interest
> groups to find innovative ways to protect Americans'
> privacy, help businesses to compete, and ensure that law
> enforcement agencies have the tools they need to fight crime
> and terrorism.

It indicates we know that Bush dropped the ball in squashing that nasty < insert suitable rhetoric > and will stamp out this disorderly, unruly outbreak of freedom and ultra-national sentiment.

> Q: Will the devices be exportable? Will other devices that use
> the government hardware?
>
> A: Voice encryption devices are subject to export control
> requirements. Case-by-case review for each export is
> required to ensure appropriate use of these devices. The
> same is true for other encryption devices. One of the
> attractions of this technology is the protection it can give
> to U.S. companies operating at home and abroad. With this
> in mind, we expect export licenses will be granted on a
> case-by-case basis for U.S.
> companies seeking to use these
> devices to secure their own communications abroad. We plan
> to review the possibility of permitting wider exportability
> of these products.
>

This one is a real giggle. In Australia or France, they will have to reveal the keys, and the algorithm.

Don't think it's at the top of my list of things I must have, so the restrictions will protect me from salesmen trying to sell me a bill of crock. As for any others using it, they must be nuts!

Good luck folks.

~Paul

Newsgroup: sci.crypt document_id: 15431
From: rab@well.sf.ca.us (Bob Bickford)
Subject: Re: More technical details

The system, or 'family', key would appear to be cryptographically useless, since *every* chip must know it and be able to remove its effects from the bitstream. I daresay that it will be widely known almost immediately after this system is deployed, and since it's been pointed out that there is not a separate decrypt key -- the same key is used for both encryption and decryption -- there goes any benefit to the use of a system-wide key in SkipJack.

--
Robert Bickford      "A Hacker is any person who derives joy from
rab@well.sf.ca.us     discovering ways to circumvent limitations."  rab'86
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
"I recognize that a class of criminals and juvenile delinquents has taken to calling themselves 'hackers', but I consider them irrelevant to the true meaning of the word; just as the Mafia calls themselves 'businessmen' but nobody pays that fact any attention." rab'90
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Newsgroup: sci.crypt document_id: 15432
From: wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705)
Subject: Re: Once tapped, your code is no good any more.

For example, I don't own a cordless phone. With Clipper, I would.
If the local men in blue really want to listen to me talk to my friends or order pizza, I'm no worse off than I am now, and I don't have to worry about local kids or nosy neighbors.

I do tend to agree. Sigh. So, where can I buy a DES-encrypted cellular phone? How much does it cost? Of course, if we didn't have government monopolies on cellular phone service, there probably *would* be some available.

> How can you reconcile the administration's self proclaimed purpose of
> providing law enforcement with access to encrypted data without making
> the clipper system the only crypto available in the U.S... ?

The Second and Fourth Amendments do come to mind. The Second Amendment is especially apt, given the ITAR definitions of crypto equipment as munitions, and the gun-control people's increasing ability to define things as "assault weapons" and make them illegal. Triple-DES is obviously used for "assault phones", while Cripple will be legal, and Triple-Cripple may fall into the gray area of "illegally upgrading to an assault phone"...

--
# Pray for peace; Bill
# Bill Stewart 1-908-949-0705 wcs@anchor.att.com AT&T Bell Labs 4M312 Holmdel NJ
# No, I'm *from* New Jersey, I only *work* in cyberspace....
# White House Comment Line 1-202-456-1111 fax 1-202-456-2461

Newsgroup: sci.crypt document_id: 15433
From: holland@CS.ColoState.EDU (douglas craig holland)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

In article <1993Apr19.130132.12650@afterlife.ncsc.mil> rlward1@afterlife.ncsc.mil (Robert Ward) writes:
>In article bontchev@fbihh.informatik.uni-hamburg.de writes:
>>and since the US constitution guarantees the right to every American
>>to bear arms, why is not every American entitled, as a matter of
>
>Have you read the applicable part of the Constitution and interpreted it IN
>CONTEXT? If not, please do so before posting this misinterpretation again.
>It refers to the right of the people to organize a militia, not for individuals
>to carry handguns, grenades, and assault rifles.

Read the Constitution yourself. The Second Amendment says the right to bear arms shall not be infringed, so a well regulated militia may be more easily formed. I have an interpretation of the Second that shows there are no qualifications to the right to keep and bear arms. If you want, I can E-mail it to you.

By the way, gun talk belongs in talk.politics.guns.

Doug Holland

Newsgroup: sci.crypt document_id: 15434
Subject: Re: Once tapped, your code is no good any more.
From: a_rubin@dsg4.dse.beckman.com (Arthur Rubin)

In strnlght@netcom.com (David Sternlight) writes:
>In article <115863@bu.edu> uni@acs.bu.edu (Shaen Bernhardt) writes:
>>
>>I wish I could agree with you. Ask yourself this. Why would any private
>>sector entity wish to buy a crypto system that was KNOWN to be at least
>>partially compromised? (Key escrows in this instance) Why would any
>>private sector entity wish to buy a crypto system that had not been properly
>>evaluated? (i.e. algorithm not publicly released)
>>The answer seems obvious to me, they wouldn't. There is other hardware out
>>there not compromised. DES as an example (triple DES as a better one.)

>What follows is my opinion. It is not asserted to be "the truth" so no
>flames, please. It comes out of a background of 20 years as a senior
>corporate staff executive in two Fortune 50 companies.

No wonder American businesses are going down the tubes! :-|

>I'd be happy to use a crypto system supplied by the NSA for business, if
>they told me it was more secure than DES, and in particular resistant to
>attempts by Japanese, French, and other competitive companies and
>governments to break.

(It's NIST, not NSA. NSA is not supposed to have anything to do with this.)

They didn't say that. They said it was better than some commercial-grade encryptions.
I, for one, wouldn't trust them if they did, unless they release the algorithm for investigation.

>I'd be happy to do so even with escrowed keys, provided I was happy about
>the bona fides of the escrow agencies (the Federal Reserve would certainly
>satisfy me, as would something set up by one of the big 8 accounting firms).

Maybe the ACLU and EFF. (It would have to be a non-profit, so the big 8 would be out.)

>I'd trust the NSA or the President if they stated there were no trap
>doors--I'd be even happier if a committee of independent experts examined
>the thing under seal of secrecy and reported back that it was secure.

I wouldn't trust the NSA. I think I would trust the President on this, but I'm not certain he would be told.

>I'd trust something from the NSA long before I'd trust something from some
>Swiss or anybody Japanese.

That's your problem.

>This may seem surprising to some here, but I suggest most corporations would
>feel the same way. Most/many/some (pick one) corporations have an attitude
>that the NSA is part of our government and "we support our government", as
>one very famous CEO put it to me one day.

I want to emphasize that I am not speaking for Beckman Instruments at this point. However, we are an international company, and I would like to think that our customers come first, ahead of our government's whims.

--
Arthur L. Rubin: a_rubin@dsg4.dse.beckman.com (work) Beckman Instruments/Brea
216-5888@mcimail.com 70707.453@compuserve.com arthur@pnet01.cts.com (personal)
My opinions are my own, and do not represent those of my employer.

Newsgroup: sci.crypt document_id: 15435
From: geoff@ficus.cs.ucla.edu (Geoffrey Kuenning)
Subject: Re: Once tapped, your code is no good any more.

In article <2073@rwing.UUCP> pat@rwing.UUCP (Pat Myrto) writes:
> fishing expeditions without the target's knowledge. Don't give up the
> right to be safe from that - that should be non-negotiable, and Clinton
> and Co.
> know it (which is probably why they quietly developed this thing,
> figuring if they get it this far, they can ram it on through).

It always amazes me how quick people are to blame whatever administration is current for things they couldn't possibly have initiated. This chip had to take *years* to develop, yet already we're claiming that the Clinton administration sneaked it in on us.

Bullshit. The *Bush* administration and the career Gestapo were responsible for this horror, and the careerists presented it to the new presidency as a fait accompli. That doesn't excuse Clinton and Gore from criticism for being so stupid as to go for it, but let's lay the body at the proper door to start with.

--
Geoff Kuenning geoff@maui.cs.ucla.edu geoff@ITcorp.com

Newsgroup: sci.crypt document_id: 15436
From: jhart@agora.rain.com (Jim Hart)
Subject: Screw the people, crypto is for hard-core hackers & spooks only

Since the wiretap chip is being distributed internationally, allowing the U.S. government to spy on foreign governments, companies and people as well as to wiretap domestic citizens, this is a world-wide issue. Please put DISTRIBUTION: WORLD on the Distribution: line. Thank you.

ygoland@wright.seas.ucla.edu (The Jester) writes:
>However assuming that I can still encrypt things as I please, who
>cares about the clipper chip?

You don't care that people are being lied to, fooled into believing the chip gives "privacy" when in fact it allows wiretaps? You don't give a shit about anybody's privacy except your own? (And not even your own; are you so smart that you know when you're talking to somebody who has a wiretap chip on their phone instead of a privacy chip with private keys?)

>attitude that everyone else should have. Instead of worrying about a
>clipper chip, simply connect your handset to your computer and feed
>the voice signal through, process, encrypt, and transmit over the
>phone. The guy on the other hand then does the same in reverse.

"Simply?"
"Everyone" should have this attitude? The only people who can have this attitude are the most hard-core computer hackers, who never make phone calls away from their computer, who apparently never call anybody except another computer hacker, or perhaps another spook (U.S. classified agents refuse to use their own system, only oblivious civilian dupes get that dubious privilege). Only spooks and hard-core hackers need privacy, huh?

We *do* need an alternative to NSA-bugged telephones, but we're talking inexpensive *telephones* here, including hand-sized cellulars, that need strong crypto, real privacy. Make-shift computer hacker rigs that require living by your computer to talk privately over the phone are just a dumb stunt that doesn't do anything for anybody's privacy in the real world.

What we need is a true *privacy chip*. For example, a real-time voice-encryption RSA, put it into a silicon compiler and spit out ASIC. Put this chip on the market as a de facto standard for international business, diplomats, and private communications. If the U.S. bans it, we make it somewhere else and import it. The Japanese, German, Dutch, Taiwanese, Korean, etc. electronics companies don't want the NSA spying on them. U.S. workers lose more jobs to government fascist stupidity.

jhart@agora.rain.com

Newsgroup: sci.crypt document_id: 15437
From: rdippold@qualcomm.com (Ron "Asbestos" Dippold)
Subject: Re: Once tapped, your code is no good any more.

geoff@ficus.cs.ucla.edu (Geoffrey Kuenning) writes:
>Bullshit. The *Bush* administration and the career Gestapo were
>responsible for this horror, and the careerists presented it to the
>new presidency as a fait accompli. That doesn't excuse Clinton and
>Gore from criticism for being so stupid as to go for it, but let's lay
>the body at the proper door to start with.

The final stages of denial...
I can hardly imagine what the result would have been if the Clinton administration had actually supported this plan, instead of merely acquiescing with repugnance as they're so obviously doing.

I don't believe the chip originated with the Clinton administration either, but the Clinton administration has embraced it and brought it to fruition. Both of the major parties have what they consider excellent reasons for limiting your freedoms and violating your privacy, and even seem to feel that they're doing you a favor. If this is really surprising to anyone it means they've been willfully ignoring quite a bit of previous evidence. There's only one political party (not calling anarchists a party) that considers your freedom and privacy goals worthy in and of themselves. If you're voting for the big two, you're supporting a reduction of those rights (given their goals and their histories), regardless of whether you personally support that reduction. To paint Clinton and Gore as unwitting tools is really stretching things.

--
When you have to kill a man it costs nothing to be polite. -- Churchill

Newsgroup: sci.crypt document_id: 15438
From: trussell@cwis.unomaha.edu (Tim Russell)
Subject: Re: Once tapped, your code is no good any more.

geoff@ficus.cs.ucla.edu (Geoffrey Kuenning) writes:
>It always amazes me how quick people are to blame whatever
>administration is current for things they couldn't possibly have
>initiated. This chip had to take *years* to develop, yet already
>we're claiming that the Clinton administration sneaked it in on us.

No kidding. The most recent post I saw in alt.privacy.clipper (and I hope anyone interested in this topic ends up there) states that Clipper has been in development for over four years.

I am, however, more than a little PO'd that Clinton put his name on this monstrosity, or even allowed it to get out the door, for that matter. He's already heard from me, and I hope you'll all take the time to voice your extreme displeasure as well.
--
Tim Russell Omaha, NE trussell@unomaha.edu

Newsgroup: sci.crypt document_id: 15439
From: mccoy@ccwf.cc.utexas.edu (Jim McCoy)
Subject: Re: Fifth Amendment and Passwords

In article <1993Apr19.180049.20572@qualcomm.com>, karn@unix.ka9q.ampr.org (Phil Karn) writes:
> In article <1993Apr18.233112.24107@colnet.cmhnet.org>, res@colnet.cmhnet.org (Rob Stampfli) writes:
> |> >Sadly, it does not. Suspects can be compelled to give handwriting and
> |> >voice exemplars, and to take blood and DNA tests.
> |>
> |> I am sure that Mike is correct on this point. I am also pretty sure that
> |> administering "truth serum" would be ruled a violation of your right
> |> not to incriminate yourself. But, what is the salient difference?
>
> You can find the salient difference in any number of 5th amendment
> related Supreme Court opinions. The Court limits 5th amendment
> protections to what they call "testimonial" evidence, as opposed to
> physical evidence.

I have a question that is a slight variation on the previously mentioned examples that perhaps people could give me some pointers on (it has been a couple of years since my Con Law class in college so I hope I am not missing something obvious here...)

Basic Scenario:

I set up a bbs that uses public-key encryption and encryption of files on disk. The general setup is designed so that when users connect they send a private key encrypted using the system public key and the user's public-private keypair is used to wrap the one-time session keys used for encrypting the files on disk. The result of this is that even if I reveal the system private key it is impossible for anyone to gain access to the files stored on the machine. What is possible is for someone to use the revealed system private key to entice users into revealing their personal private keys during the authentication sequence.
Questions:

Does the fact that the system private key does not provide any information useful for a search give me any protection as far as being coerced to reveal the key? (I doubt it myself..) It seems providing the system private key does not mean that I am assisting in "entrapment" (the users would send their key anyway and are not being enticed into doing something they would not otherwise do) but is there any other hook that can be used? Would the user private-key enticement require wiretap approval?

Any answers or general musings on the subject would be appreciated...

jim

--
Jim McCoy | UT Unix Sysadmin Tiger Team
mccoy@ccwf.cc.utexas.edu | #include
j-mccoy@nwu.edu | pgp key available via finger or upon request

Newsgroup: sci.crypt document_id: 15440
From: langley@dirac.scri.fsu.edu (Randolph Langley)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

Gee, I guess they should also have such a repository for house keys, car keys, safety deposit keys, ... :-(

rdl
--

Newsgroup: sci.crypt document_id: 15441
From: uni@acs.bu.edu (Shaen Bernhardt)
Subject: Re: What the clipper nay-sayers sound like to me.

In article <1qsvfcINNq9v@dns1.NMSU.Edu> amolitor@moink.nmsu.edu (Andrew Molitor) writes:
>
> The following is available in some FTP archive somewhere, I insert
>my comments liberally throughout this demonic memo of Big Brotherdom:
>
>> White House Announcement on Screw Thread Standards
>> --------------------------------------------------
>>
>> This is to announce that the American National Standards
>>Institute (or whatever it is) has been given the authority to define
>>standard dimensions for screw threads.
>
> Look! This is clearly the first step toward outlawing our
> own screw thread specifications. If this madness isn't fought,
> tooth and nail, every step of the way, it'll be a crime to use
> screw threads other than those our Fearless Leaders so *graciously*
> define for us.
[Sarcastic text deleted, No value judgement implied]

> Screw you, Bill Clinton! You and your totalitarianist thugs!
>
>------------------------------------------------------------------------
>amolitor@nmsu.edu | finger for PGST personal screw thread pitch, or
>Screw Threads     | see the screw thread servers.
>must be freed!    |
>------------------------------------------------------------------------

At first I was going to complain that your analogy was completely irrelevant. But then I remembered something. Remember that move to get the U.S. to the metric system all those years ago? As far as I know we were supposed to be there by now. The government sold it as better for the people, easier to be in tune with the rest of the world. They had decided it was for our own good. Then, when the plan was released, it soon became apparent that the government were a bunch 'o' thickies. Think about it, change all the railroad track widths, signs, screws, abolish the old regime. At the cost of millions of dollars.

Your point is well taken. You think there is nothing to worry about, you could care less who designs your cryptography, any more than who designs your screws or the system of measurement you use. Sit back, that's right, just relax, we'll take care of all your needs Mr. Molitor.

-- 
uni@acs.bu.edu -> Public Keys by finger and/or request
Public Key Archives:
Sovereignty is the sign of a brutal past.<>Fight Clinton's Wiretap Chip!
DF610670F2467B99 97DE2B5C3749148C <> Crypto is not a Crime! Ask me how!

Newsgroup: sci.crypt
document_id: 15442
From: artmel@well.sf.ca.us (Arthur Melnick)
Subject: Some questions regarding Big Brother (Clipper)

In previous postings by Hellman, Bellovin, et al it was reported the Big Brother (Clipper) chip will encrypt plaintext in 64 bit blocks as is done with DES. The users key K which can be derived from RSA, Diffie-Hellman, etc. is used to encrypt plaintext M and is then used to form a "three part message".
This three part message consists of E[M; K], K encrypted with some other key, and the chip serial number. This three part message is then encrypted by still another key.

My question is: What is a message?

For example, say we are dealing with an encrypted digitized voice application. The speech waveform is sampled and digitized and then some number of samples are grouped into a 64 bit block. This block is then encrypted and transmitted over a non-secure communications link. Where is the three part message? Is something appended to each 64 bit block? Is a header sent at the beginning of the session?

If the header is sent at the beginning of the session, how do they insure the equipment manufacturer using the chip does just that? Can just anyone manufacture products using the chip? Is a facility clearance required to manufacture?

Any ideas?

Newsgroup: sci.crypt
document_id: 15443
From: pat@rwing.UUCP (Pat Myrto)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

In article strnlght@netcom.com (David Sternlight) writes:
>In article
>holland@CS.ColoState.EDU (douglas craig holland) writes:
>
>
>> Let me ask you this. Would you trust Richard Nixon with your
>>crypto keys? I wouldn't.
>
>I take it you mean President Nixon, not private citizen Nixon. Sure.
>Nothing I'm doing would be of the slightest interest to President Nixon .

I am sure you didn't miss the implication that we could have another Richard Nixon type president in the future (perhaps not too distant future, actually). With that in mind, then I take it you also would not object to the Gov coming up with a decision (not proposal - just like Clinton Cripple is a decision, not a proposal) sprung on us to start placing video cameras with sound in every room of your house, which could be activated without your knowledge. They would be well concealed so you wouldn't know the location, to prevent you from covering the lens opening.
After all, nothing you're doing would be of the slightest interest to a government official, right? So, you surely should not object to such a proposal... Not the best analogy, but the principle is pretty close - the ability to eavesdrop on your activity with little or no effort, without your knowledge, protected entirely by "government safeguards". You can still draw your curtains, so you can still have your privacy from everyone else (except Big Brother)!! After all we need this for protection from drug dealers and terrorists and other criminals (like 'enemies of the STATE')... and you don't really have a right to "unbreakable" privacy anyway, sort of as the press release of the Clinton Cripple DECISION puts it... I find it curious they use the word "unbreakable" when the term really should be "difficult to break without proper authorization" (which the Government most certainly has at their disposal, right? They wouldn't want to be able to break it ILLEGALLY, would they?)... Nawww, not "for the People" Clinton....

Can you, while my mind is on it, give us one good reason that the algorithm should be a secret algorithm, unless this encryption scheme either is a joke, or contains features like a 'master key' or other back door for UNAUTHORIZED eavesdropping? If it was really even moderately secure, and the government really meant to require the proper court order and the keys that are in the Escrow accounts to be able to decipher the traffic, what is the need to keep the algorithm secret? Seems I hear rather often that if an encryption scheme requires the algorithm to remain a secret to be effective, it is not a worthwhile scheme... is this just idle talk, or is the Administration bullshitting everyone?

With GREAT skepticism, and many doubts on our Administration's intentions...

And WAIT!! We haven't been told the NEXT gem the Administration has in mind for e-mail and datafile security.
The press release does say that this is part of a comprehensive thing on data security for us unprivileged citizens. Perhaps 'subjects' would be the better term - 'citizens' somehow does not seem appropriate... that implies a free people, 'subjects' better fits a population who serve at the pleasure of their rulers. One thing for certain: The government no longer regards the citizens as their bosses anymore, but the other way around...

-- 
pat@rwing.uucp [Without prejudice UCC 1-207] (Pat Myrto) Seattle, WA
If all else fails, try: ...!uunet!pilchuck!rwing!pat
WISDOM: "Only two things are infinite; the universe and human stupidity,
and I am not sure about the former." - Albert Einstein

Newsgroup: sci.crypt
document_id: 15444
From: uri@watson.ibm.com (Uri Blumenthal)
Subject: Re: Key Registering Bodies

In article <930419182442.669507@DOCKMASTER.NCSC.MIL>, Grant@DOCKMASTER.NCSC.MIL (Lynn R Grant) writes:
|> If we do not trust the NSA to be a registrar of Clipper Chip key halves,
|> I would not trust Mitre either.

I wouldn't trust Mitre for another reason: remember "The Cuckoo's Egg"? How great was their security, eh?

NSA - well, with the list of known "turncoats", does it make you wonder how many more unknown still are there? (:-) (:-(
-- 
Regards,
Uri.         uri@watson.ibm.com      scifi!angmar!uri
------------

Newsgroup: sci.crypt
document_id: 15445
From: pla@sktb.demon.co.uk ("Paul L. Allen")
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

-----BEGIN PGP SIGNED MESSAGE-----

In article pmetzger@snark.shearson.com (Perry E. Metzger) writes:
> In article <1qnupd$jpm@news.intercon.com> amanda@intercon.com (Amanda Walker) writes:
> > From: amanda@intercon.com (Amanda Walker)
> > jhesse@netcom.com (John Hesse) writes:
> > Oh great. Wonderful news. Nobody can listen in--except the feds.
> > Hey, it's better than the status quo.
> > I am far less worried about "the feds" tapping my phone than high school
> scanner surfers who get their kicks out of eavesdropping on cellular and
> cordless phone calls.
>
> I'm a political dissident. I'm scared shitless of the feds listening
> in on my calls. My opinions are the sort that would get me
> "disappeared" in a slightly less free society -- and who knows what
> sort of society we will be in in five or ten years? I have friends who
> have had their phones tapped -- none of this is theoretical to me.
>
> As for "its better than the status quo", well, first of all, you can
> get a cryptophone from companies like Cylink today -- and they work
> well. In addition, a number of groups are now working on building
> software to turn any PC into a privacy enhanced phone right now -- and
> they are all working in overdrive mode.
>
> And yes, I'd rather just see all crypto restrictions lifted, but this is at
> least an incremental improvement for certain applications...
>
> There ARE no crypto restrictions... yet. You can use anything you want
> RIGHT NOW. The point is to maintain that right.

The point you all seem to have missed was covered when the UK cellphone scrambling system was discussed. Incidentally, my MP has responded to my questions on that issue, and it appears that the UK and other `approved' countries will get the secure A5 encryption, and `dodgy' countries will get A5X. Existing mobile equipment will drop to clear mode when used with A5X systems, but newer equipment will use A5/A5X/clear depending on the capabilities of the base station.

The cops/feds do *not* need to be able to get hold of your private key to listen in to cellular conversations. Encryption is not end-to-end, but cellphone to base-station - it *has* to be this way so that cellular users and fixed installations can talk to each other. For cellular to cellular calls, the transmission is decrypted at the base-station, passed to another base-station and re-encrypted.
The cops/feds can listen to the unscrambled call *provided* they get a warrant to tap into the cellular provider's equipment. The only reason for wanting a crackable system is so they can listen without having to obtain a warrant. But, maybe the Clipper system is secure, and they really do need a warrant to get the key out of escrow before they can listen in using a scanner (see above - they don't *have* to go down this route anyway). I have my doubts, but even if true once they have the key they will *never* again need a warrant to tap into that particular phone whenever they want. `Well, Judge, it appears he wasn't a drug-dealer after all, so naturally we'll stop listening in'...

You have every reason to be scared shitless. Take a look at the records of McCarthy, Hoover (J. Edgar, not the cleaner - though they both excelled at sucking) and Nixon.

- --Paul

-----BEGIN PGP SIGNATURE-----
Version: 2.2

iQCVAgUBK9IAl2v14aSAK9PNAQEvxgQAoXrviAggvpVRDLWzCHbNQo6yHuNuj8my
cvPx2zVkhHjzkfs5lUW6z63rRwejvHxegV79EX4xzsssWVUzbLvyQUkGS08SZ2Eq
bLSuij9aFXalv5gJ4jB/hU40qvU6I7gKKrVgtLxEYpkvXFd+tFC4n9HovumvNRUc
ve5ZY8988pY=
=NOcG
-----END PGP SIGNATURE-----

Newsgroup: sci.crypt
document_id: 15446
From: ameline@vnet.IBM.COM (Ian Ameline)
Subject: Screw the people, crypto is for hard-core hackers & spooks only

I suspect that this clipper thing could backfire on the Gov in a big hurry. I expect that products using these chips will socket them rather than soldering them, since once the keys are handed over by the escrow agencies, the chip is so much garbage, and will need to be replaced. I expect that someone will come along with a pin compatible chip that uses secure encryption -- possibly even disguised so that it's not possible to tell it from the clipper chip until you try to use the 2 backdoor keys.
If I were to manufacture such a chip, as part of my marketing strategy, I would try to subvert one or both escrow agencies either through bribes or industrial espionage -- and then publicize the fact. (doing my best not to be connected with such activities -- which would likely not be legal :-) Publicly discrediting the escrow agencies would go quite far towards creating a market for a secure alternative.

I also believe that someone will reverse engineer the clipper chip, and knowledge of the algorithm will likely be fairly widespread. Any back-doors or weaknesses would further discredit the scheme, and help grow the market demand for a secure alternative.

I believe that the company that provides such an alternative will make few friends in the LE community, but lots of money. I also believe that the government will do its best to make such plug replacements illegal. I expect that they will see the same success in limiting the availability of such alternatives as they have seen in limiting the availability of certain illicit drugs -- ie. little to none.

Regards,
Ian Ameline.

(Of course the ramblings above have nothing to do with my employer, nor do I necessarily advocate doing any of the things described here -- I just believe that the events above are likely to take place)

Newsgroup: sci.crypt
document_id: 15447
From: caronni@nessie.cs.id.ethz.ch (Germano Caronni)
Subject: Re: Fifth Amendment and Passwords

In article <1qv83m$5i2@geraldo.cc.utexas.edu> mccoy@ccwf.cc.utexas.edu (Jim McCoy) writes:
> I set up a bbs that uses public-key encryption and encryption of
> files on disk. The general setup is designed so that when users
> connect they send a private key encrypted using the system public
> key and the user's public-private keypair is used to wrap the
> one-time session keys used for encrypting the files on disk.
> The
> result of this is that even if I reveal the system private key it
> is impossible for anyone to gain access to the files stored on the
> machine. What is possible is for someone to use the revealed
> system private key to entice users into revealing their personal
> private keys during the authentication sequence.
>
>Any answers or general musings on the subject would be appreciated...
>

Just a question.
As a provider of a public BBS service - aren't you bound by law to guarantee intelligible access to the data of the users on the BBS, if police comes with sufficient authorisation ? I guessed this would be a basic condition for such systems. (I did run a bbs some time ago, but that was in Switzerland)

Friendly greetings,

Germano Caronni
-- 
Instruments register only through things they're designed to register.
Space still contains infinite unknowns.
PGP-Key-ID:341027
Germano Caronni caronni@nessie.cs.id.ethz.ch FD560CCF586F3DA747EA3C94DD01720F

Newsgroup: sci.crypt
document_id: 15448
From: rab@well.sf.ca.us (Bob Bickford)
Subject: Re: More technical details

Another objection occurred to me. There was a comment about how supposedly there would only be one decode box, operated by the FBI. This is flat ridiculous, and I don't believe it for a millisecond. Even *if* they in fact only build one (or two or some other small number) of these, that won't stop others from building one. Make it work like two Clipper-chip phones, one listening to each side of the recorded conversation. I'll have to have another look at the specs posted so far, but offhand I didn't see anything that would preclude this sort of thing.....

-- 
Robert Bickford   rab@well.sf.ca.us
Treasurer and Newsletter Editor,      /-------------------------------------\
Lib. Party of Marin County (CA)       | Don't Blame Me: I Voted Libertarian |
Member, CA State Central Committee    \-------------------------------------/

Newsgroup: sci.crypt
document_id: 15449
From:
Subject: Cripple Chip

How about this:

The TelCo has your Clipper key. The TelCo has your intended partner's key, if he is using one. Whenever you call, the message gets decrypted and reencrypted without any key exchange. I know it's a stupid system, but for the feds, it'd be great.

The point of this isn't to take over the crypto market, BTW. Clinton does not want people to have any sort of crypto at all (just like Bush). But he needs some support for the "technology initiative" garbage he's pushing (industrial policy stuff) and a computer chip designed by the gov't is just the thing. Who's going to think about the (literal) Billions of Dollars it took for a government agency to design?

-watkins@earth.eecs.uic.edu

Newsgroup: sci.crypt
document_id: 15450
From: jfw@ksr.com (John F. Woods)
Subject: Re: Once tapped, your code is no good any more.

johnson@trwacs.fp.trw.com (Steve Johnson) writes:
>>-Tim May, whose sig block may get him busted in the New Regime
> A remark I heard the other day is beginning to take on increasingly
>frightening significance. The comment was made that "In other parts
>of the world the Democrats [note the big "D"] would be known as
>Socialists"

And in other parts of the world, European "Socialists" would be known as fascist capitalist pigs. Get your head out of your labels and think carefully for once: According to the EFF announcement on this thing, the NSA has been developing this turkey for *four* years. The manufacturing contract was let *14 months ago*. Anyone out there who believes that the fact that Clinton's name was on this White House announcement means that Bush or any other Republican is a staunch supporter of personal privacy is a fool.

If this topic disturbs you, can the political finger-pointing and talk about what you can do about it.
If you've just GOT to point fingers, remember that this scheme was STARTED when a secret policeman was President.

Newsgroup: sci.crypt
document_id: 15451
From: jebright@magnus.acs.ohio-state.edu (James R Ebright)
Subject: Re: WH proposal from Police point of view

In article pmetzger@lehman.com writes:
>
>In article strnlght@netcom.com (David Sternlight) writes:
> > There has been extensive discussion in the eff forum, for example, about
> inadmissible taps being used to develop information that could then lead to
> admissible evidence. This might put a stop to such things, which must from
> time to time be simple fishing expeditions.
>
>Far more likely, these things will continue to be done no matter what
>assurances we are given. "Key Escrow" is likely going to prove to be a
>joke.

I feel like Winston Churchill in 1941 :( ...... but, the privacy Clipper will, TO THE EXTENT KEY ESCROW IS LEGITIMATE, stop most of the abuse of wiretaps by local cops, company cops, angry husbands/wives, etc... It is going to be hard for the keystone cops, the Proctor&Gamble cops, etc. to bypass even a product as flawed as the ClipJob.

Now I admit, I am hard pressed to find anything else good to say about it except that, if it actually takes off, someone will certainly come up with a REAL crypto chip (pin compatible!) that we can buy... Unless, of course, Big Brother makes it illegal to have real crypto 'cause good honest law abiding citizens will be HAPPY to let the government listen to their every word.... "Me? Did I say THAT?"

"I am not a crook." - President Richard M. Nixon
                      ^^^^^^^^^
-- 
Information farming at...
For addr&phone: finger                  A/~~\A     THE Ohio State University
jebright@magnus.acs.ohio-state.edu    ((0 0))____  Jim Ebright
e-mail: jre+@osu.edu                    \ / \ (--)\

Newsgroup: sci.crypt
document_id: 15452
From: bear@kestrel.fsl.noaa.gov (Bear Giles)
Subject: Re: Fifth Amendment and Passwords

In article <1993Apr20.000359.20098@bernina.ethz.ch> caronni@nessie.cs.id.ethz.ch (Germano Caronni) writes:
>
>Just a question.
>As a provider of a public BBS service - aren't you bound by law to guarantee
>intelligible access to the data of the users on the BBS, if police comes
>with sufficient authorisation ? I guessed this would be a basic condition
>for such systems. (I did run a bbs some time ago, but that was in Switzerland)

That sounds like an old _Dragnet_ episode.

"Joe and I went to the apartment of Prime Suspect. Nobody answered the door, but his landlord gave us permission to search the apartment."

Perhaps that worked in California in the 60's, but as I understand the law landlords do _not_ have authority to grant permission to search space rented by a third party, provided the lease is not in default, etc. (I'm not even sure if they can provide the master key, when shown a search warrant, since the _subject_ of the search is supposed to be notified).

At this point the question becomes: did the user "rent" the disk space her encrypted file occupies? If she did, it _should_ fall under the same body of case law that applies to apartments, storage lockers, etc. (As to whether any court would recognize this fact....)

If she did not (i.e., no compensation exchanged), I don't know how it would be treated -- there doesn't seem to be a non-cyberspace equivalent.
-- 
Bear Giles
bear@fsl.noaa.gov

Newsgroup: sci.crypt
document_id: 15453
From: bear@kestrel.fsl.noaa.gov (Bear Giles)
Subject: Re: Why the clipper algorithm is secret

In article dfl@panix.com (Danny O'Bedlam) writes:
> The algorithm is classified because a military contract (or similar
>government equivalent to military) has been let for this "proprietary"
>design that the Feds say that NSA developed. Is there a patent? Is that
>patent publicly available? My betting is that that too is classified.

Unless there has been a _major_ change in the law, there's no such beast as a "classified patent." Patents exist to encourage communications and develop the state of the art. (The 17-year lock is a nuisance, but historically has been pretty trivial. It's only in an industry which doubles performance every three years (or 18 months, for some hardware) that 17 years is an eternity).

The same thing applies in civilian development: you can't patent something _and_ declare it a "trade secret." However, you can (and should) mark all software (including proprietary code) "unpublished copyright" so that if it ever does get exposed you still have some legal protection. (Post-Berne this isn't required, since everything is "born copyrighted." But it takes a while for people to learn the new rules).

-- 
Bear Giles
bear@fsl.noaa.gov

Newsgroup: sci.crypt
document_id: 15454
From: johng@ecs.comm.mot.com (John Gilbert)
Subject: clipper chip --Bush did it

In article wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705) writes:
>... This is the Democrats' version
>"Defend Free Speech - Reject Republicans" followed by speech control.

This must have been in the works for some time. The Bush administration must have been working on it for quite a while. --Clinton simply took the credit (or blame, depending on how you look at it).
-- 
John Gilbert
johng@ecs.comm.mot.com

Newsgroup: sci.crypt
document_id: 15455
From: denning@guvax.acc.georgetown.edu
Subject: THE CLIPPER CHIP: A TECHNICAL SUMMARY

The following document summarizes the Clipper Chip, how it is used, how programming of the chip is coupled to key generation and the escrow process, and how law enforcement decrypts communications. Since there has been some speculation on this news group about my own involvement in this project, I'd like to add that I was not in any way involved. I found out about it when the FBI briefed me on Thursday evening, April 15. Since then I have spent considerable time talking with the NSA and FBI to learn more about this, and I attended the NIST briefing at the Department of Commerce on April 16. The document below is the result of that effort.

Dorothy Denning
---------------

                  THE CLIPPER CHIP: A TECHNICAL SUMMARY

                             Dorothy Denning
                              April 19, 1993

INTRODUCTION

On April 16, the President announced a new initiative that will bring together the Federal Government and industry in a voluntary program to provide secure communications while meeting the legitimate needs of law enforcement. At the heart of the plan is a new tamper-proof encryption chip called the "Clipper Chip" together with a split-key approach to escrowing keys. Two escrow agencies are used, and the key parts from both are needed to reconstruct a key.

CHIP STRUCTURE

The Clipper Chip contains a classified 64-bit block encryption algorithm called "Skipjack." The algorithm uses 80 bit keys (compared with 56 for the DES) and has 32 rounds of scrambling (compared with 16 for the DES). It supports all 4 DES modes of operation. Throughput is 16 Mbits a second.
Each chip includes the following components:

   the Skipjack encryption algorithm
   F, an 80-bit family key that is common to all chips
   N, a 30-bit serial number
   U, an 80-bit secret key that unlocks all messages encrypted with the chip

ENCRYPTING WITH THE CHIP

To see how the chip is used, imagine that it is embedded in the AT&T telephone security device (as it will be). Suppose I call someone and we both have such a device. After pushing a button to start a secure conversation, my security device will negotiate a session key K with the device at the other end (in general, any method of key exchange can be used). The key K and message stream M (i.e., digitized voice) are then fed into the Clipper Chip to produce two values:

   E[M; K], the encrypted message stream, and
   E[E[K; U] + N; F], a law enforcement block.

The law enforcement block thus contains the session key K encrypted under the unit key U concatenated with the serial number N, all encrypted under the family key F.

CHIP PROGRAMMING AND ESCROW

All Clipper Chips are programmed inside a SCIF (secure computer information facility), which is essentially a vault. The SCIF contains a laptop computer and equipment to program the chips. About 300 chips are programmed during a single session. The SCIF is located at Mykotronx.

At the beginning of a session, a trusted agent from each of the two key escrow agencies enters the vault. Agent 1 enters an 80-bit value S1 into the laptop and agent 2 enters an 80-bit value S2. These values serve as seeds to generate keys for a sequence of serial numbers.

To generate the unit key for a serial number N, the 30-bit value N is first padded with a fixed 34-bit block to produce a 64-bit block N1. S1 and S2 are then used as keys to triple-encrypt N1, producing a 64-bit block R1:

   R1 = E[D[E[N1; S1]; S2]; S1] .
Similarly, N is padded with two other 34-bit blocks to produce N2 and N3, and two additional 64-bit blocks R2 and R3 are computed:

   R2 = E[D[E[N2; S1]; S2]; S1]
   R3 = E[D[E[N3; S1]; S2]; S1] .

R1, R2, and R3 are then concatenated together, giving 192 bits. The first 80 bits are assigned to U1 and the second 80 bits to U2. The rest are discarded. The unit key U is the XOR of U1 and U2. U1 and U2 are the key parts that are separately escrowed with the two escrow agencies.

As a sequence of values for U1, U2, and U are generated, they are written onto three separate floppy disks. The first disk contains a file for each serial number that contains the corresponding key part U1. The second disk is similar but contains the U2 values. The third disk contains the unit keys U. Agent 1 takes the first disk and agent 2 takes the second disk. The third disk is used to program the chips. After the chips are programmed, all information is discarded from the vault and the agents leave. The laptop may be destroyed for additional assurance that no information is left behind.

The protocol may be changed slightly so that four people are in the room instead of two. The first two would provide the seeds S1 and S2, and the second two (the escrow agents) would take the disks back to the escrow agencies.

The escrow agencies have as yet to be determined, but they will not be the NSA, CIA, FBI, or any other law enforcement agency. One or both may be independent from the government.

LAW ENFORCEMENT USE

When law enforcement has been authorized to tap an encrypted line, they will first take the warrant to the service provider in order to get access to the communications line. Let us assume that the tap is in place and that they have determined that the line is encrypted with Clipper. They will first decrypt the law enforcement block with the family key F. This gives them E[K; U] + N.
They will then take a warrant identifying the chip serial number N to each of the key escrow agents and get back U1 and U2. U1 and U2 are XORed together to produce the unit key U, and E[K; U] is decrypted to get the session key K. Finally the message stream is decrypted. All this will be accomplished through a special black box decoder operated by the FBI.

ACKNOWLEDGMENT AND DISTRIBUTION NOTICE. All information is based on information provided by NSA, NIST, and the FBI. Permission to distribute this document is granted.

Newsgroup: sci.crypt
document_id: 15456
From: hagberg@violet.ccit.arizona.edu (HAGBERG JR, D. J.)
Subject: Clipper and Ranting Libertarians

I would think that you could reduce the defense of using non-clipper based encryption technologies to defending freedom of expression (IE, free speech). That you have the right to express whatever you want in whatever form your little heart desires so long as you do not impinge on the rights of others. Encrypted text/sound/video is just another form of expression of that particular text/sound/video. Just like digitized sound is another means of expression of sound -- streams of 100100101111 instead of continuous waveforms.

Also, it shouldn't be up to the government at all. Encryption _Standards_ can be decided upon by Independent Standards Organizations (apologies for the acronym). One can note how well this has worked with ISO and the Metric System, SAE, etc. Independent entities or consortia of people/industries in that particular area are far more qualified to set standards than any One government agency. Consider for example what the Ascii character set would have looked like if it was decided by the government.

I hope this helps folks to formulate their defenses. I'm still working on mine and hope to be faxing my congressmen soon...

-=- D. J. Hagberg -=- hagberg@ccit.arizona.edu -=- finger ^ for Info and PGP Public Key

Newsgroup: sci.crypt
document_id: 15458
From: kadie@eff.org (Carl M. Kadie)
Subject: Would "clipper" make a good cover for other encryption method?

Clipper might be a good way to cover the use of another layer of encryption.

Currently, when you send an encrypted message, an opponent can usually tell
1) that you are using encryption
2) which encryption method you are using [because that information is usually in the clear].

With clipper, most opponents will only know that you are sending clipper-text, they won't know that your clipper-text is itself encoded. Only those few opponents who get your clipper-keys will know that your message is double encrypted.

... kind of like a safety deposit box containing a lock box.

So, don't just think of replacements for clipper, also think of front ends.

- Carl
-- 
Carl Kadie -- I do not represent EFF; this is just me.
=kadie@eff.org, kadie@cs.uiuc.edu =

Newsgroup: sci.crypt
document_id: 15459
From: pat@rwing.UUCP (Pat Myrto)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

In article <1qnpjuINN8ci@gap.caltech.edu> hal@cco.caltech.edu (Hal Finney) writes:
>brad@clarinet.com (Brad Templeton) writes:
>
>>Their strategy is a business one rather than legal one. They are
>>pushing to get a standard in place, a secret standard, and if they
>>get it as a standard then they will drive competitors out of the market.
>>It will be legal to sell better, untapable encryption that doesn't have
>>registered keys, but it will be difficult, and thus not a plan for
>>most phone companies.
>
>If Brad's analysis is correct, it may offer an explanation for why the
>encryption algorithm is being kept secret. This will prevent competitors
>from coming out with Clipper-compatible phones which lack the government-
>installed "back door." The strategy Brad describes will only work as long
>as the only way to get compatible phones is to have ones with the government
>chips.
>
>(It would be nice, from the point of view of personal privacy, if Brad
>turns out to be right.
>As long as people still have the power to provide
>their own encryption in place of or in addition to the Clipper, privacy
>is still possible. But the wording of several passages in the announcement
>makes me doubt whether this will turn out to be true.)

Even if what Brad says turns out to be accurate, you can bet that the Administration will have made it "very clear" to the vendors that "it would very much be in their best interests" to institute a "voluntary" policy of refusing to sell anything but Clinton Cripple equipped equipment to anyone other than "Authorized government agencies and Law Enforcement", or individuals and corporations who "have been determined by the Administration to have a valid need on a case-by-case basis" for an effective system.

Note that this is very much like the language used in many gun control bills/laws the Administration is pushing for, or otherwise supporting. The logic and actual rationale (as opposed to the excuses that get fed to the media) is the same in both cases, only the items or technology in question are different. I think this is no accident. It comes from the same philosophy that the government rules/controls the people, not the people controlling the government, that the unconnected citizens are not sophisticated enough to know what is best for them, so the government must tell the people what they need or do not need ... "we know best...". And the idea that a commoner can defend himself against government eavesdropping or unlawful attack is totally unacceptable to people with this outlook.

>
>Hal Finney

Combine this all with pushing for national identity cards with 'smart chips' to encode anything they please (internal passport) under the guise of streamlining the State People's Health Care System, and with (you can be certain) more jewels yet to come, and one sees an extremely ominous trend. So what if "1984" will be ten years late... it still is turning out to be an amazingly accurate prophecy... unless a LOT of people wake up, and in a hurry.

One should ALWAYS have every red warning light and bell and danger flag come up when the government seeks to set itself apart in regard to rights, etc. from the unconnected/unprivileged citizen (or should we now be saying 'subject' instead?)... Why SHOULDN'T the average person have a good, secure system of data security, not dependent on nebulous 'safeguards' for maintaining that security? Why SHOULDN'T the average person be able to defend himself from an agency gone rogue? I am sure the Feds could break into any data they really wanted to (but it would take some WORK), and using the same logic, one should not be allowed to have a good safe, unless a duplicate of the key(s) or combination are submitted for 'safekeeping' by the government? I don't really see a difference, philosophically. Encrypted data sure won't evaporate, not with such high-tech tools as a TAPE RECORDER...

-- 
pat@rwing.uucp [Without prejudice UCC 1-207] (Pat Myrto) Seattle, WA
If all else fails, try: ...!uunet!pilchuck!rwing!pat
WISDOM: "Only two things are infinite; the universe and human stupidity,
and I am not sure about the former." - Albert Einstein

Newsgroup: sci.crypt
document_id: 15460
From: Marc VanHeyningen
Subject: Re: More technical details

> encrypted under K, then K will be encrypted under the unit key UK,
> and the serial number of the unit added to produce a three part
> message which will then be encrypted under the system key SK
> producing
>
> E{ E[M; K], E[K; UK], serial number; SK}
>
>My understanding is that E[M; K] is not encrypted under SK (called the
>"family key") and that the decrypt key corresponding to SK is held by
>law enforcement. Does anyone have first hand knowledge on this? I
>will also check it out, but this is 7am Sunday so I did not want to wait.
Ok, so there are in fact two distinct components transmitted by the chip; the real message encrypted with the "conventional" key, and the serial number and encrypted "conventional" key encrypted with the (IMHO kind of bogus, as the whole concept of "one key that millions of people use which can't be changed" doesn't seem reasonable) "family key". Suppose I analyze the output of this chip and I'm able to determine which bits are the encrypted packet which contains the serial number and session key. Suppose I also design a simple algorithm based on this information which takes the data containing the encrypted session key and twiddles a bit (or several) before it's sent down the line. Mind you, I'm sure the NSA thought of this along with a dozen other attacks I can't imagine, and the system is probably somehow designed so that manipulation of this information will cause a compliant receiving chip to somehow fail to decrypt successfully. But how? What if the two parties agree in advance on some kind of consistent bit-twiddling scheme, so the decryption chip sees the restored "proper" bitstream but an eavesdropper gets a E[K; UK] packet that's wrong? I suppose this could be easily defeated if the chip "sends" that information out many times in slightly different ways, making it effectively impossible to be certain you know all the information being sent. -- Marc VanHeyningen mvanheyn@cs.indiana.edu MIME & RIPEM accepted If your theory predicts different outcomes depending on whether you use discrete mathematics or continuous mathematics, then you've got the wrong theory. - Bruce MacLennan Newsgroup: sci.crypt document_id: 15461 From: pmetzger@snark.shearson.com (Perry E. Metzger) Subject: Re: More technical details srt@duke.cs.duke.edu (Stephen R. 
Tate) writes: > >Now, I'm not one of the people who distrusts the government at every >turn, but taking someone's word for it that the S1/S2 pairs are not kept >around is pushing what I'm willing to believe just a little bit too far. > Even if they somehow address this issue it is unlikely to be the only back door in -- they might even have a few intentionally visible to distract from the ones that aren't visible. -- Perry Metzger pmetzger@shearson.com -- Laissez faire, laissez passer. Le monde va de lui meme. Newsgroup: sci.crypt document_id: 15462 From: pmetzger@snark.shearson.com (Perry E. Metzger) Subject: The Escrow Database. Here is a disturbing thought. Now, we no longer live in the days of big filing cabinets. We live in the electronic age. I asked myself, how big could the escrow database get? How hard might it be to steal the whole thing, particularly were I an NSA official operating with the tacit permission of the escrow houses? (We can pretend that such will not happen, but thats naive.) Well, lets see. Ten bytes of each escrow half. Lets asume ten bytes of serial number -- in fact, I believe the serial number is smaller, but this is an order of magnitude calculation. We assume 250*10^6 as the population, and that each person has a key. I get five gigabytes for each of the two escrow databases. Fits conveniently on a single very valuable Exabyte tape. This can only get easier with time, but who cares -- I can already hold all the clipper keys in the country in my pocket on two 8mm tapes. Admittely, they will think of safeguards. They won't put the whole database on one disk, prehaps. Maybe they will throw stumbling blocks in the way. This changes nothing -- they keys will be needed every day by hundreds if not thousands of law enforcement types, so convenience will dictate that the system permit quick electronic retrieval. At some point, with or without collusion by the agencies, those exabyte tapes are going to get cut. 
Dorothy Denning and David Sternlight will doubtless claim this can't happen -- but we know that "can't" is a prayer, not a word that in this instance connotes realism. With two exabyte tapes in your pocket, you would hold the keys for every person's conversations in the country in your hands. Yeah, you need the "master key" two -- but thats just ten bytes of information that have to be stored an awful lot of places. Come to think of it, even if the NSA getting a copy of the database isn't a threat to you because unlike me you have no contraversial political views, consider foreign intelligence services. You know, the ones that David Sternlight wants to protect us from because of the evil industrial espionage that they do. The French apparently do have a big spying operation in friendly countries to get industrial secrets, so he isn't being completely irrational here (although why our companies couldn't use cryptosystems without back doors is left unexplained by those that point out this threat.) Presumably, foreign intelligence services can get moles into the NSA and other agencies. We have proof by example of this: its happened many times. Presumably, someday they will get their hands on some fraction of the keys. You can't avoid that sort of thing. Don't pretend that no one unauthorized will ever get their hands on the escrow databases. We crypto types are all taught something very important at the beginning of intro to cryptography -- security must depend on the easily changed key that you pick to run your system, and not on a secret. The escrow databases aren't the sorts of secrets that our teachers told us about, but they are the sort of big secrets they would lump into this category. Imagine trying to replace 100 million Clipper chips. I cannot believe that the NSA or whomever it is thats doing this doesn't realize all this already. They are too smart. There are too many of them who have made their bones in the real world. 
I suspect that they know precisely what they are doing -- and that what they are doing is giving us the appearance of safety so that they can continue to surveil in spite of the growth of strong cryptography. I suspect that they realize that they can't put things off forever, but they can try to delay things as long as possible. Who knows. Maybe even some of the higher ups, the inevitable bureaucratic types that rise in any organization, really do believe that this scheme might give people some security, even as their subordinates in Fort Meade wring their hands over the foolishness of it all. -- Perry Metzger pmetzger@shearson.com -- Laissez faire, laissez passer. Le monde va de lui meme. Newsgroup: sci.crypt document_id: 15463 From: pmetzger@snark.shearson.com (Perry E. Metzger) Subject: Re: text of White House announcement and Q&As on clipper chip encryption rlward1@afterlife.ncsc.mil (Robert Ward) writes: >In article bontchev@fbihh.informatik.uni-hamburg.de writes: >>and since the US constitutions guarantees the right to every American >>to bear arms, why is not every American entitled, as a matter of > >Have you read the applicable part of the Constitution and interpreted it IN >CONTEXT? If not, please do so before posting this misinterpretation again. >It refers to the right of the people to organize a militia, not for individuals >to carry handguns, grenades, and assault rifles. The Supreme Court seems to disagree with you -- they have stated that "the people" is a term of art refering to an individual right, and have explicitly mentioned the second amendment as an example. I quote: "... 'the people' seems to have been a term of art employed in select parts of the Constitution. The Preamble declares that the Constitution is ordained, and established by 'the people of the the U.S.' The Second Amendment protects the right of the people to keep and bear Arms ...." - Supreme Court of the U.S., U.S. v. Uerdugo-Uriquidez (1990). 
Furthermore, in the Miller decision, they only permitted prosecution for possession of a sawed-off shotgun because the defense had not presented testimony and they therefore accepted the argument of the government that such weapons have no military value -- they held that the amendment protected the individual right to possess military weapons. Unfortunately, no second amendment case has successfully gotten to the court in fifty years. However, that does not change the interpretation. Furthermore, it appears that others disagree with you as well, vis: "The conclusion is thus inescapable that the history, concept, and wording of the Second Amendment to the Constitution of the United States, as well as its interpretation by every major commentator and court in the first half-century after its ratifi- cation, indicates that what is protected is an individual right of a private citizen to own and carry firearms in a peaceful manner." - Report of the Subcommittee on the Constitution of the Committee on the Judiciary, United States Senate, 97th Congress, Second Session ( February 1982 ) You might rightfully ask "well then, what does that first bit about militias mean?" Well, "militia" in historical context basically means the whole of the adult males of the country. (Indeed, the U.S. Code still defines "militia" as all armed men over the age of 17). "The Militia comprised all males physically capable of acting in concert for the common defense .... And ... these men were expected to appear bearing arms supplied by themselves and of the kind in common use at the time." - Supreme Court of the United States, U.S. v. Miller (1939). 
The reason for the phrase being there was to explain the rationale behind the amendment, which was this: by depending on the people to bear arms in defense of the country, no centralization of military power could ever occur which would permit tyranny -- in short, the government would remain perpetually in fear of the people, rather than the other way around. "No free man shall ever be debarred the use of arms. The strongest reason for the people to retain the right to keep and bear arms is, as a last resort, to protect themselves against tyranny in government." - Thomas Jefferson, Proposal Virginia Constitution, June 1776 1 Thomas Jefferson Papers, 334 (C. J. Boyd, Ed., 1950). "And what country can preserve its liberties, if its rulers are not warned from time to time that this people preserve the spirit of resistance ? Let them take arms ... The tree of liberty must be refreshed from time to time, with the blood of patriots and tyrants." - Thomas Jefferson (letter to William S. Smith, 1787, in Jefferson, On Democracy 20, S. Padover, ed., 1939). "Before a standing army can rule, the people must be disarmed; as they are in almost every kingdom of Europe. The supreme power in America cannot enforce unjust laws by the sword; because the whole body of the people are armed, and constitute a force superior to any bands of regular troops that can be, on any pretense, raised in the United States." - Noah Webster, "An Examination into the Leading Principles of the Federal Constitution" (1787), in Pamphlets on the Constitution of the United States (P. Ford, 1888). You may disagree with the second amendment, and wish that it be repealed, but please do not pretend that it isn't there and that it doesn't mean what it says. You might argue that conditions have changed and that it should no longer be present, but you can't imagine it away. I could fill a book with detailed argumentation. Many have already. However, none of this has anything to do with cryptography. 
Lets get it out of here. If you insist on discussing this, please do it in talk.politics.guns, where people will gladly discuss this matter with you. -- Perry Metzger pmetzger@shearson.com -- Laissez faire, laissez passer. Le monde va de lui meme. Newsgroup: sci.crypt document_id: 15464 From: metatron!joe@dogface.austin.tx.us (Joe Zitt) Subject: Re: Fighting the Clipper Initiative steve-b@access.digex.com (Steve Brinich) writes: > >As a flaming libertarian paranoid extremist (:-), I'at a loss for > >specific objections that don't sound frighteningly technical. > > The idea that foisting the Cripple Chip standard on US manufacturers would > result in saying "Sayonara" to yet another high-tech market isn't technical, > isn't in the least difficult to understand, and plays on a concern lots of > people are worried about already.... > > Could you expand on this? I have a feeling you're right, but I don't quite understand. -- "You could be an ocarina salesman going | Metatron Press | Austin, Texas! from door to door..." -- Laurie Anderson | Human Systems Performance Group Newsgroup: sci.crypt document_id: 15465 From: rdippold@qualcomm.com (Ron "Asbestos" Dippold) Subject: Re: clipper chip --Bush did it johng@ecs.comm.mot.com (John Gilbert) writes: >This must have been in the works for some time. The Bush administration must >have been working on it for quite a while. --Clinton simply took the credit (or >blame, depending on how you look at it). And the initiative for actual implementation. Clinton is not just an innocent bystander here - They didn't just slap his name on it without consulting him. What exactly is his extensive history of individual rights advocacy that people are assuming he really has nothing to do with this? He just went back on his pledge to cut the espionage budget, and is now asking for more money than even Bush wanted. -- I've left my body to science - and science is contesting the will. 
Newsgroup: sci.crypt document_id: 15466 From: tcmay@netcom.com (Timothy C. May) Subject: Re: Once tapped, your code is no good any more. Dave Ihnat (ignatz@chinet.chi.il.us) wrote: : In article <1qpg8fINN982@dns1.NMSU.Edu> amolitor@nmsu.edu (Andrew Molitor) writes: : > Not to pick on Mr. May in particular, of course, but isn't this : >kind of the domino theory? When one little country falls, its neighbor : >will surely follow, and before you know it, we're all mining salt : >in Siberia for not turning in our Captain Crunch Secret Decoder Rings. : : But, for all the wrongness of our attempt to correct it (VietNam, et. al.), : the domino theory wasn't disproved at all. Ironically, the domino theory in fact *was* a reasonable metaphor for the collapse of communism, from the liberalizations in Poland and Hungary to the border crossings in the summer of '89 to the fall of the Wall later that year....and then to the ultimate collapse of the USSR. -Tim May -- .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay@netcom.com | anonymous networks, digital pseudonyms, zero 408-688-5409 | knowledge, reputations, information markets, W.A.S.T.E.: Aptos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. Newsgroup: sci.crypt document_id: 15467 From: markh@wimsey.bc.ca (Mark C. Henderson) Subject: Re: Source of random bits on a Unix workstation In article <1qs6cg$7cq@msuinfo.cl.msu.edu> mrr@scss3.cl.msu.edu (Mark Riordan) writes: >A few more sources are statistics on your filesystems (easily >and quickly obtained) and the output from the "rusage" system >call. > >You can also exec a finger to one or more favorite heavily-used >systems, though this can take several seconds. > >cf. the source code to RIPEM on ripem.msu.edu. > >Mark R. 
Other alternatives include output of vmstat, iostat, pstat and friends with various flags, or even better crash. e.g. on an RS/6000 (AIX 3.2) you can get lots of relatively unpredicatble data out of crash. (the output from the following script usually gives about 600k of goo on a moderately busy system.) #!/bin/sh crash < In article , > clipper@csrc.ncsl.nist.gov (Clipper Chip Announcement) writes: > >> In making this decision, I do >> not intend to prevent the private sector from developing, or the >> government from approving, other microcircuits or algorithms that >> are equally effective in assuring both privacy and a secure key- >> escrow system. > > "In making this decision, I intend to prevent the private sector from > developing, except with the government's approval, other microcircuits > or algorithms that are more effective in assuring privacy." > Doesn't this just mean that the government might not approve something for use by other government agencies. This does not sound to me to be any form of threat that Joe User can't develop and use his own encryption algorithm. -- "You want it should sing too?" | /* Yeah we got dogs and Valvoline ngorelic@speclab.cr.usgs.gov | Its a pretty damn good time. */ "Life is pain. Anyone that tells you different is trying to sell you something" Newsgroup: sci.crypt document_id: 15469 From: pmetzger@snark.shearson.com (Perry E. Metzger) Subject: Do we need the clipper for cheap security? amanda@intercon.com (Amanda Walker) writes: >> The answer seems obvious to me, they wouldn't. There is other hardware >> out there not compromised. DES as an example (triple DES as a better >> one.) > >So, where can I buy a DES-encrypted cellular phone? How much does it cost? >Personally, Cylink stuff is out of my budget for personal use :)... If the Clipper chip can do cheap crypto for the masses, obviously one could do the same thing WITHOUT building in back doors. 
Indeed, even without special engineering, you can construct a good system right now. A standard codec chip, a chip to do vocoding, a DES chip, a V32bis integrated modem module, and a small processor to do glue work, are all you need to have a secure phone. You can dump one or more of the above if you have a fast processor. With integration, you could put all of them onto a single chip -- and in the future they can be. Yes, cheap crypto is good -- but we don't need it from the government. You can do everything the clipper chip can do without needing it to be compromised. When the White House releases stuff saying "this is good because it gives people privacy", note that we didn't need them to give us privacy, the capability is available using commercial hardware right now. Indeed, were it not for the government doing everything possible to stop them, Qualcomm would have designed strong encryption right in to the CDMA cellular phone system they are pioneering. Were it not for the NSA and company, cheap encryption systems would be everywhere. As it is, they try every trick in the book to stop it. Had it not been for them, I'm sure cheap secure phones would be out right now. They aren't the ones making cheap crypto available. They are the ones keeping cheap crypto out of people's hands. When they hand you a clipper chip, what you are getting is a mess of pottage -- your prize for having traded in your birthright. And what did we buy with our birthright? Did we get safety from foreigners? No. They can read conference papers as well as anyone else and are using strong cryptography. Did we get safety from professional terrorists? I suspect that they can get cryptosystems themselves on the open market that work just fine -- most of them can't be idiots like the guys that bombed the trade center. Are we getting cheaper crypto for ourselves? No, because the market would have provided that on its own had they not deliberately sabotaged it. 
Someone please tell me what exactly we get in our social contract in exchange for giving up our right to strong cryptography? -- Perry Metzger pmetzger@shearson.com -- Laissez faire, laissez passer. Le monde va de lui meme. Newsgroup: sci.crypt document_id: 15470 From: tedwards@wam.umd.edu (technopagan priest) Subject: Re: Would "clipper" make a good cover for other encryption method? In article <1993Apr20.032623.3046@eff.org> kadie@eff.org (Carl M. Kadie) writes: >Clipper might be a good way to cover the use of another layer of >encryption. True, but will traditional encryptions schemes, when further encrypted by Clipper, be _more_ vulnerable to attacks such as partially known plaintext? -Thomas Newsgroup: sci.crypt document_id: 15471 From: barrett@lucy.ee.und.ac.za (Alan Barrett) Subject: Re: Screw the people, crypto is for hard-core hackers & spooks only In article , jhart@agora.rain.com (Jim Hart) writes: > Since the wiretap chip is being distributed internationally, > allowing the U.S. government to spy on foreign governments, > companies and people as as well as to wiretap domestic citizens, > this is a world-wide issue. Please put DISTRIBUTION: WORLD on the > Distrubution: line. Thank you. No! Distribution keywords are case sensitive. What you want is Distribution: world or no Distribution line at all. "WORLD" in capital letters is wrong. --apb Alan Barrett, Dept. of Electronic Eng., Univ. of Natal, Durban, South Africa RFC822: barrett@ee.und.ac.za Newsgroup: sci.crypt document_id: 15474 From: tcmay@netcom.com (Timothy C. May) Subject: Re: The Escrow Database. Perry E. Metzger (pmetzger@snark.shearson.com) wrote: : Here is a disturbing thought. ....good stuff elided.... : Don't pretend that no one unauthorized will ever get their hands on : the escrow databases. : ....... : secret. The escrow databases aren't the sorts of secrets that our : teachers told us about, but they are the sort of big secrets they : would lump into this category. 
Imagine trying to replace 100 million : Clipper chips. Sounds to me like a *great* gimmick for a replacement market...every so often issue a "Clipper Alert" announcing that some key backup tapes are missing, that some Drug Lords got 'em, whatever. Then the owners of these $1200 Clipperphones have to trot down to their local Key Escrow Agency and buy new chips and have them programmed. Microtoxin, the Clipper supplier, will make a killing...maybe this was the real idea. (Anybody know if Janet Reno has stock in Microtoxin, VLSI Technology, or AT&T?) Could be a good opportunity to undermine this with some disinformation: float rumors that the key database has been stolen. All the chips need replacing. It angers people, undermines confidence even more, and kills sales. After the Waco Massacre and the Big Brother Wiretap Chip, any tactic is fair. -Tim May -- .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay@netcom.com | anonymous networks, digital pseudonyms, zero 408-688-5409 | knowledge, reputations, information markets, W.A.S.T.E.: Aptos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. Newsgroup: sci.crypt document_id: 15475 From: bill@Celestial.COM (Bill Campbell) Subject: Re: Once tapped, your code is no good any more. In strnlght@netcom.com (David Sternlight) writes: :In article :holland@CS.ColoState.EDU (douglas craig holland) writes: :>Note that measures to protect yourself from :>TEMPEST surveillance are still classified, as far as I know. :I think this to be inaccurate. One can buy TEMPEST equipment commercially. :Even Macs. Sure you can buy a TEMPEST approved Mac -- if you have enough money. I haven't had any reason to look at this type of pricing for about 10 years, but a TEMPEST rating in 1982 would raise the price of a $2,495.00 Radio Shack Model III to something around $15,000.00. 
Bill -- INTERNET: bill@Celestial.COM Bill Campbell; Celestial Software UUCP: ...!thebes!camco!bill 6641 East Mercer Way uunet!camco!bill Mercer Island, WA 98040; (206) 947-5591 SPEED COSTS MONEY -- HOW FAST DO YOU WANT TO GO? Newsgroup: sci.crypt document_id: 15476 From: jfc@athena.mit.edu (John F Carr) Subject: Re: Screw the people, crypto is for hard-core hackers & spooks only In article <19930419.155204.305@almaden.ibm.com> ameline@vnet.IBM.COM (Ian Ameline) writes: > I also believe that someone will reverse engineer the clipper chip, >and knowlege of the algorithm will likely be fairly widespread. The chip and algorithm are classified. If you reverse engineer it and tell people, you are likely to go to jail. Perhaps some foreign governments or corporations could help us out by cracking the system outside the USA. The US government could probably stop importation of clone hardware, but a software implementation should be practical. -- John Carr (jfc@athena.mit.edu) Newsgroup: sci.crypt document_id: 15477 From: gtoal@gtoal.com (Graham Toal) Subject: Re: Do we need the clipper for cheap security? : From: pmetzger@snark.shearson.com (Perry E. Metzger) : Indeed, were it not for the government doing everything possible to : stop them, Qualcomm would have designed strong encryption right in to : the CDMA cellular phone system they are pioneering. Were it not for : the NSA and company, cheap encryption systems would be everywhere. As : it is, they try every trick in the book to stop it. Had it not been : for them, I'm sure cheap secure phones would be out right now. In the UK, it's impossible to get approval to attach any crypto device to the phone network. (Anything that plugs in to our BT phone sockets must be approved - for some reason crypto devices just never are...) I was wondering some time ago how big a market there was for good old- fashion acoustic coupler technology to build a secure phone :-) ... 
is it possible to mask out all the real voice well enough so that none of it strays into the mouthpiece? Perhaps a well-sealed coupler attachment that was as well blocked as possible, then a white noise generator on the outside to muffle any real speech? G Newsgroup: sci.crypt document_id: 15478 From: gtoal@gtoal.com (Graham Toal) Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow] : The cops/feds do *not* need to be able to get hold of your private key to : listen in to cellular conversations. Encryption is not end-to-end, but : cellphone to base-station - it *has* to be this way so that cellular users : and fixed installations can talk to each other. For cellular to cellular : calls, the transmission is decrypted at the base-station, passed to another : base-station and re-encrypted. The cops/feds can listen to the unscrambled : call *provided* they get a warrant to tap into the cellular provider's : equipment. The only reason for wanting a crackable system is so they can : listen without having to obtain a warrant. : But, maybe the Clipper system is secure, and they really do need a warrant : to get the key out of escrow before they can listen in using a scanner (see : above - they don't *have* to go down this route anyway). I have my doubts, : but even if true once they have the key they will *never* again need a : warrant to tap into that particular phone whenever they want. `Well, Judge, : it appears he wasn't a drug-dealer after all, so naturally we'll stop : listening in'... That was true for the UK Paul, but I'm fairly sure they're talking about building end-to-end encryption phones out of this chip. It's *not* for cellular (though it certainly could be used there in the way you suggest) G Newsgroup: sci.crypt document_id: 15479 From: jhart@agora.rain.com (Jim Hart) Subject: Screw the people, crypto is for hard-core hackers & spooks only Since the AT&T wiretap chip is scheduled to be distributed internationally, allowing the U.S. 
government to spy on foreign governments, companies and people as as well as to wiretap domestic citizens, this is a world-wide issue. Thus Distribution: world. ygoland@wright.seas.ucla.edu (The Jester) writes: >However assuming that I can still encrypt things as I please, who >cares about the clipper chip? Why do we hackers care about the Clipper chip? Do we give a shit about anybody's privacy accept our own? And perhaps not even our own; are we so smart that we always know when we're talking to somebody who has a wiretap on their phone? I find the "call thru your computer" ideas may reflect this attitude. Ideas that are of, by, and for hackers, and don't help anybody in the real world, aren't going to do anybody much good, including ourselves where voice phones are concerned. We *do* need an alternative to NSA-bugged telephones, but we're talking inexpensive *telephones* here, including hand-sized cellulars, that need strong crypto, real privacy. Make-shift computer hacker rigs that require living by your computer to talk privately over the phone are just a dumb stunt that doesn't do anything for anybody's privacy in the real world. What we need is a true *privacy chip*. For example, a real-time voice-encryption RSA, silicon compile it and spit out ASIC. Put this chip on the market as a de facto standard for international business, diplomats, and private communications. If the U.S. bans it, we make it somewhere else and import it. The Japanese, German, Dutch, Taiwanese, Korean, etc. electronics companies don't want the NSA spying on them. U.S. workers lose more jobs to government fascist stupidity. jhart@agora.rain.com Newsgroup: sci.crypt document_id: 15480 From: gumby@tweedledumb.cygnus.com (D V Henkel-Wallace) Subject: Screw the people, crypto is for hard-core hackers & spooks only Date: 19 Apr 93 19:57:21 GMT From: jhart@agora.rain.com (Jim Hart) "Simply?" "Everyone" should have this attitude? 
The only people who can have this attitude are the most hard-core computer hackers, who never make phone calls away from their computer In 10 yeards everybody will be talkig into his or her PDA anyway. That should solve most of the problem. Newsgroup: sci.crypt document_id: 15481 From: steve-b@access.digex.com (Steve Brinich) Subject: Re: Fighting the Clipper Initiative > > >As a flaming libertarian paranoid extremist (:-), I'at a loss for > > >specific objections that don't sound frighteningly technical. > > > > The idea that foisting the Cripple Chip standard on US manufacturers would > >result in saying "Sayonara" to yet another high-tech market isn't technical, > >isn't in the least difficult to understand, and plays on a concern lots of > >people are worried about already.... > > Could you expand on this...? Simple -- if you have a choice between: 1. American manufacturers peddling Cripple Chips with a secret untested algorithm whose keys are held by people with a history of untrustworthy behavoir, or 2. Japanese (to pick the obvious example) manufacturers peddling encryption chips with an algorithm that has faced public scrutiny and keys under the control of the user, which would you choose? At most, the American government can deny this choice to American citizens (and probably not that, if the glorious success of the War on Drugs is any example); it can't do much about the global market. Newsgroup: sci.crypt document_id: 15482 From: pmetzger@snark.shearson.com (Perry E. Metzger) Subject: Re: Fifth Amendment and Passwords In article <1993Apr20.000359.20098@bernina.ethz.ch> caronni@nessie.cs.id.ethz.ch (Germano Caronni) writes: Just a question. As a provider of a public BBS service - aren't you bound by law to gurantee intelligble access to the data of the users on the BBS, if police comes with sufficent authorisation ? I guessed this would be a basic condition for such systems. 
   (I did run a bbs some time ago, but that was in Switzerland)

You are obliged to let the police search the equipment if they have a proper court order. You are under no legal obligation to keep the data intelligible. If you wish to run your BBS entirely with all data encrypted such that if the police show up they cannot read anything, well, that's their problem.

There are no legal restrictions on domestic use of cryptography in the United States -- YET.

--
Perry Metzger pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
document_id: 15483
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: Fascinating facts: 30 bit serial number, possibly fixed S1 and S2

denning@guvax.acc.georgetown.edu (Vidkun Abraham Lauritz Quisling) writes:

   Each chip includes the following components:
   the Skipjack encryption algorithm
   F, an 80-bit family key that is common to all chips
   N, a 30-bit serial number
   U, an 80-bit secret key that unlocks all messages encrypted with the chip

Hmmm. A thirty bit serial number. And, we are told, the unit key U is derived deterministically from this serial number. That means that there are only one billion possible unit keys.

   To generate the unit key for a serial number N, the 30-bit value N is
   first padded with a fixed 34-bit block to produce a 64-bit block N1.
   S1 and S2 are then used as keys to triple-encrypt N1, producing a
   64-bit block R1:

        R1 = E[D[E[N1; S1]; S2]; S1] .

   Similarly, N is padded with two other 34-bit blocks to produce N2 and
   N3, and two additional 64-bit blocks R2 and R3 are computed:

        R2 = E[D[E[N2; S1]; S2]; S1]
        R3 = E[D[E[N3; S1]; S2]; S1] .

   R1, R2, and R3 are then concatenated together, giving 192 bits. The
   first 80 bits are assigned to U1 and the second 80 bits to U2. The
   rest are discarded. The unit key U is the XOR of U1 and U2. U1 and U2
   are the key parts that are separately escrowed with the two escrow
   agencies.

Hmmm.
We must assume that generating the unit key U from the serial number N rather than generating it from a randomly selected U1 and U2 is an intentional way of assuring a "fail safe" for the government -- U is completely determined given S1, S2 and N. If S1 and S2 do not change they constitute effective "master keys" (along with F), the theft of which (or the possession of which by various authorities) completely obviates the security of the system. However, more interestingly, we know, for a fact, that if S1 and S2 are fixed, no matter what, the keyspace for U is no more than 2^30. Why not pick U1 and U2 at random? Why this interesting restriction of the key space if it is NOT to provide an additional back door?

I find it disturbing that at the very best my security is dependent on approximately 30 bytes worth of information that could be written on the back of a napkin.

Even if S1 and S2 change periodically, the rationale behind this restriction in the size of the keyspace seems strange if one is assuming that the goal is security -- and makes perfect sense if the goal is an illusion of security.

If S1 and S2 do not change, even if they remain secret I wonder if they can somehow be back-derived given enough unit key/serial number pairs. We are assured that this cannot happen -- but no one understands how Skipjack works outside of government officials and, soon, foreign intelligence services that gain the information via espionage. Presumably we will eventually have the information as well -- reverse engineering gets more and more advanced every year -- but by the time we know it may be too late.

   As a sequence of values for U1, U2, and U are generated, they are
   written onto three separate floppy disks. The first disk contains a
   file for each serial number that contains the corresponding key part
   U1. The second disk is similar but contains the U2 values. The third
   disk contains the unit keys U. Agent 1 takes the first disk and agent
   2 takes the second disk.
   The third disk is used to program the chips. After the chips are
   programmed, all information is discarded from the vault and the
   agents leave. The laptop may be destroyed for additional assurance
   that no information is left behind.

None of this makes me feel the least bit secure. The silly notion of "destroying the laptop" appears to be yet another bizarre distraction. We all know that you can't read data from DRAM that has been turned off for more than a few moments. On the other hand, what we don't know is why there is a need to generate the unit keys from S1 and S2 in the first place other than to weaken the system. We don't know if the agents in question would resist a million in cash apiece for their information -- it's probably worth hundreds of millions, so you can make the bribe arbitrarily hard to resist. And to tell you the truth, doing this in a "vault" rather than in Joe Random Tempest-shielded Room with a laptop computer seems like melodrama designed to make high-school dropouts from Peoria impressed -- but it does very little for most of the rest of us.

   The protocol may be changed slightly so that four people are in the
   room instead of two. The first two would provide the seeds S1 and S2,
   and the second two (the escrow agents) would take the disks back to
   the escrow agencies.

What would this provide? Let's say the escrow agencies are the ACLU and the NRA and their agents personally take back the disks and are always honest. Who cares? The NSA must be laughing out loud, because they have the algorithm to regenerate U given N and likely don't need to steal the keys as they effectively already have them.

--
Perry Metzger pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.
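The unit-key derivation quoted in the post above, written out as an added example (not code from the post, from Denning's description, or from any Clipper implementation). Skipjack itself is secret, so a SHA-256-based Feistel cipher stands in for E and D, and the three 34-bit pads and their placement are constructed assumptions; the rest follows the quoted scheme and shows that whoever holds S1 and S2 regenerates U from N alone, so the two escrowed halves add nothing against them and U takes at most 2^30 values.

```python
"""Constructed model of the Clipper unit-key derivation quoted in the post.

Added example; not code from the post or from any Clipper implementation.
Skipjack is secret, so a throwaway 64-bit Feistel cipher built on SHA-256
stands in for E and D.  Everything else follows the quoted scheme: N is
padded three ways, each padded block is triple-encrypted as
E[D[E[N_i; S1]; S2]; S1], the results are concatenated to 192 bits, U1 and
U2 are the first two 80-bit slices, and U = U1 XOR U2.
"""
import hashlib

ROUNDS = 8
MASK32 = (1 << 32) - 1
MASK80 = (1 << 80) - 1
SERIAL_BITS = 30
# Three fixed 34-bit pad blocks (constructed; the real values were not published).
PADS = (0x1F0F0F0F0, 0x2A5A5A5A5, 0x3C3C3C3C3)


def _round_keys(key80: int) -> list[int]:
    """Expand an 80-bit key into 32-bit round keys (stand-in key schedule)."""
    kb = key80.to_bytes(10, "big")
    return [int.from_bytes(hashlib.sha256(kb + bytes([r])).digest()[:4], "big")
            for r in range(ROUNDS)]


def _f(half: int, rk: int) -> int:
    """Feistel round function: 32-bit half and round key -> 32 bits."""
    data = rk.to_bytes(4, "big") + half.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def encrypt(block: int, key80: int) -> int:
    """E[block; key]: 64-bit block under an 80-bit key (stand-in for Skipjack)."""
    left, right = block >> 32, block & MASK32
    for rk in _round_keys(key80):
        left, right = right, left ^ _f(right, rk)
    return (left << 32) | right


def decrypt(block: int, key80: int) -> int:
    """D[block; key]: inverse of encrypt (round keys applied in reverse)."""
    left, right = block >> 32, block & MASK32
    for rk in reversed(_round_keys(key80)):
        left, right = right ^ _f(left, rk), left
    return (left << 32) | right


def triple_encrypt(block: int, s1: int, s2: int) -> int:
    """The quoted E[D[E[N_i; S1]; S2]; S1] step."""
    return encrypt(decrypt(encrypt(block, s1), s2), s1)


def padded_blocks(n: int) -> list[int]:
    """N1, N2, N3: the 30-bit serial N padded with each fixed 34-bit block."""
    if not 0 <= n < (1 << SERIAL_BITS):
        raise ValueError("serial number must fit in 30 bits")
    # Pad in the high bits, serial in the low bits (placement is an assumption).
    return [(pad << SERIAL_BITS) | n for pad in PADS]


def derive_unit_key(n: int, s1: int, s2: int) -> tuple[int, int, int]:
    """Return (U1, U2, U) for serial N under seeds S1 and S2.

    U1 and U2 are what the two escrow agents receive; U programs the chip.
    """
    r1, r2, r3 = (triple_encrypt(b, s1, s2) for b in padded_blocks(n))
    concat = (r1 << 128) | (r2 << 64) | r3   # 192 bits
    u1 = concat >> 112                       # first 80 bits
    u2 = (concat >> 32) & MASK80             # second 80 bits; last 32 discarded
    return u1, u2, u1 ^ u2


def rebuild_from_escrow(u1: int, u2: int) -> int:
    """What a court order gets you: both escrowed halves, XORed back together."""
    return u1 ^ u2


def regenerate_without_escrow(n: int, s1: int, s2: int) -> int:
    """The post's point: whoever holds S1 and S2 never needs the escrow disks."""
    return derive_unit_key(n, s1, s2)[2]


def distinct_unit_keys(s1: int, s2: int, serials) -> int:
    """Count distinct U over a serial range; it can never exceed the number of serials."""
    return len({derive_unit_key(n, s1, s2)[2] for n in serials})


if __name__ == "__main__":
    S1 = 0x0123456789ABCDEF0123   # constructed 80-bit seeds
    S2 = 0xFEDCBA9876543210FEDC
    u1, u2, u = derive_unit_key(42, S1, S2)
    assert rebuild_from_escrow(u1, u2) == regenerate_without_escrow(42, S1, S2)
    print(f"U1={u1:020x} U2={u2:020x} U={u:020x}")
    print("distinct U for 1024 serials:", distinct_unit_keys(S1, S2, range(1024)))
```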
Newsgroup: sci.crypt
document_id: 15484
From: jebright@magnus.acs.ohio-state.edu (James R Ebright)
Subject: Re: Off the shelf cheap DES keysearch machine (Was: Re: Corporate acceptance of the wiretap chip)

In article <1993Apr19.093227.1093@jarvis.csri.toronto.edu> lewis@eecg.toronto.edu (david lewis) writes:
>In article <16BB51156.C445585@mizzou1.missouri.edu> C445585@mizzou1.missouri.edu (John Kelsey) writes:
>>
>>strnlght@netcom.com (David Sternlight) writes:
>>> [..stuff deleted]
>>But who would
>>trust his/her confidential information to an encryption scheme that, for
>>(say) $100,000 could be cracked one time in a hundred? (DES, for all the
>>complaints about a 56-bit key, would probably cost several million dollars
>>to build a keysearch machine for.)
>>
>
>I can buy a DES keysearch machine off the shelf now for approx $500K, but
>it is not sold by that name. Go buy a circuit emulation machine (eg. Quickturn)
>containing a bunch of FPGAs, (say 500 to 1000 3090's), and program each
>to be a DES search engine. Let's say 500 chips, running at 10 MHz = 5G tests/sec.
>Time is 14e6 sec max = 23 weeks, 12 weeks average. Can't wait that long?
>Buy a bigger machine.
>

Oh, but can Big Brother afford such things in these times of tight budgets?

I don't know how many folks noticed it, but Dorothy "Trust Me" Denning gave a real clue to the current state of the art at NSA on decrypto machines when she said the NSA told her they didn't even want to be the holder of any part of the key. Now why is that? I doubt there is a trapdoor in Skipjack. (But we will never know). And I doubt the NSA would promote a mass market chip they couldn't compromise. Ergo, NSA is now capable of compromising (probably with brute force keysearch) engines of the complexity of Skipjack. Look at the specs. Why, I bet they have thousands of little chips chugging away in their crypto busters... Maybe even tens of thousands. Complexity? Not much more than a 3090.
How many such machines will fit into Fort Meade?

I think PGP2.3 should have 256 bit IDEA keys...

--
Information farming at...     For addr&phone: finger
THE Ohio State University     jebright@magnus.acs.ohio-state.edu
Jim Ebright                   e-mail: jre+@osu.edu
Support Privacy: Support Encryption

Newsgroup: sci.crypt
document_id: 15485
From: jebright@magnus.acs.ohio-state.edu (James R Ebright)
Subject: Re: Once tapped, your code is no good any more.

In article a_rubin@dsg4.dse.beckman.com (Arthur Rubin) writes:
>In strnlght@netcom.com (David Sternlight) writes:
> [...]
>>I'd be happy to use a crypto system supplied by the NSA for business, if
>>they told me it was more secure than DES, and in particular resistant to
>>attempts by Japanese, French, and other competitive companies and
>>governments to break.
>
>(It's NIST, not NSA. NSA is not supposed to have anything to do with this.)

With all the activity in sci.crypt these past few days, I am not surprised you missed it... NIST got Skipjack from the NSA :)

[...]
>>I'd trust the NSA or the President if they stated there were no trap
>>doors--I'd be even happier if a committee of independent experts examined
>>the thing under seal of secrecy and reported back that it was secure.
>
>I wouldn't trust the NSA. I think I would trust the President on this, but
>I'm not certain he would be told.

"I am not a crook."  President Richard M. Nixon
                     ^^^^^^^^^

--
Information farming at...     For addr&phone: finger
THE Ohio State University     jebright@magnus.acs.ohio-state.edu
Jim Ebright                   e-mail: jre+@osu.edu
Support Privacy: Support Encryption

Newsgroup: sci.crypt
document_id: 15486
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

From: brad@clarinet.com (Brad Templeton)

   Let's assume, for the moment, that the system really is secure unless
   you get both halves of the encryption key from the two independent
   escrow houses.
   Let's say you even trust the escrow houses -- one is the ACLU and the
   other is the EFF. (And I'm not entirely joking about those two names)

I'm really not entirely sure I trust EFF any more to be honest. Anyway, any organisation can be deeply infiltrated. Look at CND in Britain a dozen years ago - one of their top members was an SIS spy who stole their complete address list. How hard would it be to get one person to sneak in and copy the escrow data to disk?

G

Newsgroup: sci.crypt
document_id: 15487
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

Brad wrote:

   And this means that the FBI will want to track the customer lists of
   better encryption phones, because "the only reason a person would want
   one is to evade the police."

They don't have to track customer lists - they merely have to digitally listen to any phone line and eliminate any that don't have the clipper header/signature. (No-one has said how it will be modulated - want a bet it's a non-standard and hence easily recognisable baudrate?) Devices to scan exchanges and detect modems etc already exist. I've seen them advertised in the trade press. Once you eliminate crippled crypto devices and ordinary data modems, what's left is crypto worth looking more closely at. I guess any substitute scheme will have to be v32bis or v.fast to disguise it, though then they just start looking at the data too...

Whatever happens though, the effect of this new chip will be to make private crypto stand out like a sore thumb.
G

Newsgroup: sci.crypt
document_id: 15488
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

pat@rwing.UUCP (Pat Myrto) writes:

> Can you, while my mind is on it, give us one good reason that the
> algorithm should be a secret algorithm, unless this encryption scheme
> either is a joke, or contains features like a 'master key' or other back
> door for UNAUTHORIZED eavesdropping?

Hmm, here are a couple:

1) If the algorithm becomes known, it will be easy to produce pin-compatible non-crippled chips that provide -real- encryption and privacy, because their keys are only in their users' hands.

2) Since SkipJack is a symmetric key cypher, it needs some way to agree on a session key. The released information says that any protocol may be used (e.g., DH). From a theoretical point of view, this is probably true. However, from a practical point of view, those chips must have some kind of key exchange protocol built-in. What if it is good old RSA? This will mean that the producer will have to pay lots of bucks to PKP. By keeping the details secret this can be avoided...

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev                Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226   Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. >   Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de   D-2000 Hamburg 54, Germany

Newsgroup: sci.crypt
document_id: 15489
From: wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705)
Subject: Re: Fifth Amendment and Passwords

In article <1993Apr20.000359.20098@bernina.ethz.ch> caronni@nessie.cs.id.ethz.ch (Germano Caronni) writes:

   Just a question. As a provider of a public BBS service - aren't you
   bound by law to guarantee intelligible access to the data of the users
   on the BBS, if police comes with sufficient authorisation ? I guessed
   this would be a basic condition for such systems.
   (I did run a bbs some time ago, but that was in Switzerland)

The US doesn't yet have many laws covering BBSs - they're not common carriers, they're not phone companies, they're just private machines or services operated by businesses. There's no obligation to keep records. As Perry Metzger points out, if the police come with a search warrant, you have to let them see what the warrant demands, if it exists, and they generally can confiscate the equipment as "evidence" (which is not Constitutionally valid, but we're only beginning to develop court cases supporting us).

A court MAY be able to compel you to tell them information you know, such as the encryption password for the disk - there aren't any definitive cases yet, since it's a new situation, and there probably aren't laws specifically covering it. But the court can't force you to *know* the keys, and there are no laws preventing you from allowing your users to have their own keys for their own files without giving them to you.

Even in areas that do have established law, there is uncertainty. There was a guy in Idaho a few years ago who had his business records subpoenaed as evidence for taxes or some other business-restriction law, so he gave the court the records. Which were in Hebrew. The US doesn't have laws forcing you to keep your records in English, and these were the originals of the records. HE didn't speak Hebrew, and neither did anybody in the court organization. Don't think they were able to do much about it.

It might be illegal for your BBS to deny access to potential customers based on race, religion, national origin, gender, or sexual preference; it probably hasn't been tested in court, but it seems like a plausible extension of anti-discrimination laws affecting other businesses.

--
# Pray for peace; Bill
# Bill Stewart 1-908-949-0705 wcs@anchor.att.com AT&T Bell Labs 4M312 Holmdel NJ
# No, I'm *from* New Jersey, I only *work* in cyberspace....
# White House Comment Line 1-202-456-1111 fax 1-202-456-2461

Newsgroup: sci.crypt
document_id: 15490
From: tuinstra@signal.ece.clarkson.edu.soe (Dwight Tuinstra)
Subject: (new) reason for Clipper alg'm secrecy

[Apologies for not posting to alt.clipper, or whatever, but it seems it may not be in the newsfeed here.]

There may be another reason (good from NSA's point of view, horrible from everyone else's) why the algorithm/chip design might be secret.

First, note that the "experts" will only look at "details", and of just the algorithm:

   In addition, respected experts from outside the government will be
   offered access to the confidential details of the algorithm to assess
   its capabilities and publicly report their findings.

Why not the chip design? Well, here's the possibility: in addition to encryption, the chip pre-processes voice signals to make them easier to analyze/transcribe electronically. The chip, once widespread, might effectively be part of a massively parallel computer for "voice-grepping" the US phone network (or the criminal & wrong-thinking patrons thereof).

I wouldn't put it past the NSA. Think how much easier it would make life for them. And if this is indeed the case, think of the possible public outcry should it become widely known. Thus the secrecy.

It might be a good idea to have experts in DSP, voice recognition, and AI conversation-understanding to be on that panel, and insist they be given (authenticatable) design specs and implementation documentation.

+========================================================================+
| dwight tuinstra        best: tuinstra@sandman.ece.clarkson.edu         |
|                   tolerable: tuinstrd@craft.camp.clarkson.edu          |
|                                                                        |
|   Look out, kid, it's something that you did.                          |
|   God knows when, but you're doin' it again ...                        |
+========================================================================+

Newsgroup: sci.crypt
document_id: 15491
From: ameline@vnet.IBM.COM (Ian Ameline)
Subject: Fascinating facts: 30 bit serial number, possibly fixed S1 and S2

>Hmmm. We must assume that generating the unit key U from the serial
>number N rather than generating it from a randomly selected U1 and U2
>is an intentional way of assuring a "fail safe" for the government --
>U is completely determined given S1, S2 and N. If S1 and S2 do not
>change they constitute effective "master keys" (along with F), the
>theft of which (or the possession of which by various authorities)
>completely obviates the security of the system. However, more
>interestingly, we know, for a fact, that if S1 and S2 are fixed, no
>matter what, the keyspace for U is no more than 2^30. Why not pick U1
>and U2 at random? Why this interesting restriction of the key space
>if it is NOT to provide an additional back door?
>
>I find it disturbing that at the very best my security is dependent on
>approximately 30 bytes worth of information that could be written on
>the back of a napkin.
>
>Even if S1 and S2 change periodically, the rationale behind this
>restriction in the size of the keyspace seems strange if one is
>assuming that the goal is security -- and makes perfect sense if the
>goal is an illusion of security.
>
>If S1 and S2 do not change, even if they remain secret I wonder if
>they can somehow be back-derived given enough unit key/serial number
>pairs. We are assured that this cannot happen -- but no one
>understands how Skipjack works outside of government officials and,
>soon, foreign intelligence services that gain the information via
>espionage. Presumably we will eventually have the information as well
>-- reverse engineering gets more and more advanced every year -- but
>by the time we know it may be too late.
Perhaps the trusted escrow agencies can be the ones who come up with S1 and S2, and if these agencies are really trusted (ACLU & NRA is an interesting example), we can hope that they'll use some physical process to come up with truly random numbers. If the NSA comes up with the numbers, that's a trap door you could drive a truck through.

>None of this makes me feel the least bit secure.

Me either. It seems from the following that the CPSR is at least starting to question this bogosity:

----------------------------------------------------------------

April 16, 1993
Washington, DC

COMPUTER PROFESSIONALS CALL FOR PUBLIC DEBATE ON NEW GOVERNMENT ENCRYPTION INITIATIVE

Computer Professionals for Social Responsibility (CPSR) today called for the public disclosure of technical data underlying the government's newly-announced "Public Encryption Management" initiative.

The new cryptography scheme was announced today by the White House and the National Institute for Standards and Technology (NIST), which will implement the technical specifications of the plan. A NIST spokesman acknowledged that the National Security Agency (NSA), the super-secret military intelligence agency, had actually developed the encryption technology around which the new initiative is built. According to NIST, the technical specifications and the Presidential directive establishing the plan are classified.

To open the initiative to public review and debate, CPSR today filed a series of Freedom of Information Act (FOIA) requests with key agencies, including NSA, NIST, the National Security Council and the FBI for information relating to the encryption plan. The CPSR requests are in keeping with the spirit of the Computer Security Act, which Congress passed in 1987 in order to open the development of non-military computer security standards to public scrutiny and to limit NSA's role in the creation of such standards.
CPSR previously has questioned the role of NSA in developing the so-called "digital signature standard" (DSS), a communications authentication technology that NIST proposed for government-wide use in 1991. After CPSR sued NIST in a FOIA lawsuit last year, the civilian agency disclosed for the first time that NSA had, in fact, developed that security standard. NSA is due to file papers in federal court next week justifying the classification of records concerning its creation of the DSS.

David Sobel, CPSR Legal Counsel, called the administration's apparent commitment to the privacy of electronic communications, as reflected in today's official statement, "a step in the right direction." But he questioned the propriety of NSA's role in the process and the apparent secrecy that has thus far shielded the development process from public scrutiny. "At a time when we are moving towards the development of a new information infrastructure, it is vital that standards designed to protect personal privacy be established openly and with full public participation. It is not appropriate for NSA -- an agency with a long tradition of secrecy and opposition to effective civilian cryptography -- to play a leading role in the development process."

CPSR is a national public-interest alliance of computer industry professionals dedicated to examining the impact of technology on society. CPSR has 21 chapters in the U.S. and maintains offices in Palo Alto, California, Cambridge, Massachusetts and Washington, DC. For additional information on CPSR, call (415) 322-3778 or e-mail .

-----------------------------------------------

Regards,
Ian Ameline.
Newsgroup: sci.crypt
document_id: 15492
From: rjq@phys.ksu.edu (Rob Quinn)
Subject: Stray thought (was Re: More technical details

In <1993Apr19.134346.2620@ulysses.att.com> smb@research.att.com (Steven Bellovin) writes:
>Date: Sun, 18 Apr 93 07:56:39 EDT
>From: denning@cs.georgetown.edu (Dorothy Denning)
>
>   The Clipper Chip will have a secret crypto algorithm embedded in
>The algorithm operates on 64-bit blocks (like DES) and the chip supports
>all 4 DES modes of operation. The algorithm uses 32 rounds of scrambling
>compared with 16 in DES.

So in a few years there could be millions of these chips in the USA, all networked together? Sounds like a good science fiction story - the government wants to crack foreign DES (or whatever) messages, so they con the public into individually buying all of the components and installing them. Soon the US could be covered by the largest parallel computer in the world, built on top of our current phone net.

--
| "Those who suppress freedom always     Rob Quinn             |
|  do so in the name of law              rjq@phys.ksu.edu      |
|  and order." --John Lindsay            QuinnBob@KSUVM.BITNET |

Newsgroup: sci.crypt
document_id: 15493
From: mrr@scss3.cl.msu.edu (Mark Riordan)
Subject: List of large integer arithmetic packages

This is the file BIGNUMS.TXT from ripem.msu.edu, last updated April 1993.

In response to Email requests, I have assembled this list of large-integer arithmetic packages of which I have heard. Most of these are C function libraries, available in source form.

For your convenience, I have placed copies of some of these on ripem.msu.edu (35.8.1.178). They are available for anonymous FTP in the directory "pub/bignum". However, what I have may not be the most current version in all cases.

Here they are, in no particular order:

mp
  Multiple Precision package that comes with some Unixes
  Multiple precision package accessed via -lmp flag on your compiler. Provides +, -, *, /, gcd, exponentiation, sqrt.
  Comes with SunOS, NeXT Mach, BBN Mach 1000, and probably a few others. See "man mp". Object code only, of course.

PARI
  Henri Cohen, et al., Universite Bordeaux I, Paris, FRANCE
  Multiple precision desk calculator and library routines. Contains optimized assembly code for Motorola 68020, semi-optimized code for SPARC, and apparently rather slow generic C version. Does both integers and reals. Does vectors and matrices as well as scalars. Contains a number of advanced functions, some of which I've never heard of. ("Weber's function"?) Has a factorization function, primality test, & other related stuff. Plenty of TEX documentation. Public domain, but you can't distribute modified versions. Available via anonymous FTP from math.ucla.edu. There seem to be Mac- and NeXT-specific versions there in addition to:
  Filename: pari-1.35a.tar.Z

Arithmetic in Global Fields (Arith)
  Kevin R. Coombes, David R. Grant
  Package of routines for arbitrary precision integers or polynomials over finite fields. Includes basic +, -, *, / and a few others like gcd. Source code in C. Distributed under the terms of the GNU public license. Includes man pages and TEX documentation.
  Filename: arith.tar.Z

Arbitrary Precision Math Library
  Lloyd Zusman, Los Gatos, CA
  C package which supports basic +, -, *, /. Provides for radix points (i.e., non-integers). Not as polished as the others here. Posted to comp.sources.misc in October 1988.
  Filename: apml.tar.Z

BigNum
  J. Vuillemin, INRIA, FRANCE, and others. Distributed by Digital Equipment Paris Research Lab (DECPRL)
  A "portable and efficient arbitrary-precision integer" package. C code, with generic C "kernel", plus assembly "kernels" for MC680x0, Intel i960, MIPS, NS32032, Pyramid, and of course VAX. This is probably one of the better-known packages of this type. Implements +, -, *, /, mod, plus logical operations OR, AND, XOR. Both signed and unsigned arithmetic available. Available via email from librarian@decprl.dec.com.
  You will receive 5 shell archives. Give your postal address and you will also receive printed documentation from France. Package includes TEX documentation. Publicly available for non-commercial use. I removed this from my archive when I heard a rumor that PRL doesn't like others to distribute it. However, BIGNUM *is* distributed as part of ecpp (see below).

Lenstra's package
  Arjen Lenstra, Bellcore
  Portable unsigned integer package written entirely in C. Includes +, -, *, /, exponentiation, mod, primality testing, sqrt, random number generator, and a few others. The package was uncommented and undocumented; I have tried to add enough comments to get by. This is the only of these packages that I have actually used. It works well and is very portable. I haven't done any benchmarks against the others, but the code looks clever & Lenstra is an accomplished number theorist. Unlike the other packages here, this one requires you to allocate storage statically--only a problem if your numbers are really huge. Arjen has placed the code in the public domain.
  Filename: lenstra.tar.Z

lenstra_3.1
  Arjen Lenstra, Bellcore
  An improved version of Arjen's package above. This one does signed arithmetic and dynamic allocation (which can be turned off as an option). Has a few new routines, too. "lenstra_3.1" contains minor bugfixes to the previously-available "lenstra_2" and "lenstra_3".
  Filename: lenstra_3.1.c

bmp (Brent's Multiple Precision?)
  R. P. Brent
  1981 vintage FORTRAN code to do extended precision floating & fixed point arithmetic. Includes most of the mathematical functions you'd find in a FORTRAN run-time library. This code is an ACM algorithm, number 524. To obtain, send a mail message to netlib@ornl.gov containing the line "send mp.f from bmp" or better yet, perhaps just start with "help".

SPX
  Kannan Alagappan & Joseph Tardo, DEC
  This is a huge prototype public key authentication system based on RSA.
  I mention it here because those who have heard of SPX have probably correctly guessed that it contains a large integer package and I want to inform you that the large integer package it contains is indeed DEC's BigNum from France. You can get a beta test copy of SPX from crl.dec.com (192.58.206.2). Use it only for testing, as it "may" expire on a certain date. (I don't know whether this has expired yet.)

amp (Antti's Multiple Precision?)
  Antti Louko alo@kampi.hut.fi
  Multiple precision integer package in C. Includes +, -, *, /, %, pow, mod, 1/x mod y, random, sqrt, gcd. Available for non-commercial use. The package includes "share-secret", a public key system based on the Diffie-Hellman algorithm. This is normally part of the well-known "des-dist.tar.Z", but I have removed the DES part to avoid having to deal with cryptographic export laws, and have named the result:
  Filename: amp.tar.Z

gennum
  Per Bothner, U of Wisconsin-Madison
  C++ routines and classes to do generic arithmetic, both integer and rational. Formerly available on sevenlayer.cs.wis.edu. However, it seems to have disappeared. Sorry.

MIRACL
  (By someone in Dublin, Ireland)
  Integer and fractional multiple precision package. Includes factorization, primality testing, encryption. Not public domain, apparently. It is available from the Austin Code Works. (See ads in Byte Magazine or Dr. Dobbs.)

precision
  Dave Barrett barrettd@tigger.colorado.edu
  Multiple precision integer package in C with +,-,*,/, sqrt, rand, mod, pow, log. Simple vector support. Does dynamic allocation of memory. Free as long as you don't sell it or any program that uses it.
  Filename: precision.tar.Z

UBASIC
  Prof. Yuji Kida, Rikkyo University, Nishi-Ikebukuro 3, Tokyo 171, Japan kida@rkmath.rikkyo.ac.jp
  Multiple-precision version of the BASIC programming language, for MS-DOS. Includes floating point. Said (by Keith Briggs) to be pretty fast. Object only, I think.
  ervin@morekypr.bitnet says: "This is the best package that I know of for fast arithmetic. Has a version optimized for 386 machines. Includes routines to do MPQS, the fastest currently known general factoring algorithm. An additional file is at both sites to allow MPQS to use hard drives so that it can factor up to 80 digits. Many number theoretical functions are included in UBASIC. It allows over 2500 digits of precision." Available via anonymous FTP from shape.mps.ohio-state.edu, or simtel20.army.mil, or wuarchive.wustl.edu.

calc_v22
  Unknown
  MS-DOS C-like language that allows "infinite" precision. Nice intrinsic functions. ervin@morekypr.bitnet reports problems when changing precision on the fly. See simtel20 or wuarchive.

briggs_arith
  Keith Briggs (kbriggs@mundoe.maths.mu.oz.au)
  Turbo Pascal 5 source for routines that do multiple-precision +, -, *, /, sqrt, gcd, factoring, rand for integers; also includes +, -, *, / and rand for rational numbers.
  Filename: briggs_arith.pas

Institute fur Experimentelle Mathematik
  Dr Gerhard Schneider (?)
  Fast C multiple-precision subroutine library. I don't know anything about it; sl25@ely.cl.cam.ac.uk says to contact MAT420@DE0HRZ1A.BITNET for more info. Postal Address: Institute fur Experimentelle Mathematik, EllernStr 29, D4300 Essen-12, GERMANY

LongInt
  Markus Mueller (mueller@komsys.tik.ethz.ch)
  "Multi precision arithmetic written in MODULA-2, with the most time critical parts written in Assembler. Includes basic arithmetics (+, -, *, /, %) as well as arithmetics MODULO a number. An additional module provides a collection of procedures for primality testing, gcd, multiplicative inverse and more. The package is part of a Privacy Enhanced Mail (PEM) package which includes a PEM mailer, RSA key generator and Certificate generation tools." Source is in Modula-2, C, and assembler for Sun 3. LongInt has also been ported to MS-DOS under Logitech Modula-2 and Turbo Assembler.
Availability: free for university use (research and education); otherwise, a source license is required. To obtain, write or email to:
Markus Mueller
Bertastrasse 7
CH-8953 Dietikon
Switzerland
email: mueller@komsys.tik.ethz.ch

bignum-1.2
Henrik.Johansson@Nexus.Comm.SE
Bignum package written in portable C. Will in the future conform to the Common Lisp functions that handle integers. Currently includes +, -, *, /, exponentiation, "exptmod", comparison, random numbers, and gcd.
Filename: bignum-1.2

GNU Multiple Precision
GNU (Free Software Foundation) multiple precision package. I haven't looked at it yet. This is current as of April 1992, but there may be a more recent version by the time you read this. This package is very widely available on FTP sites.
Filename: gmp-1.2.tar.Z

Elliptic Curve Primality Proving
Francois Morian, France.
Large package to prove the primality of any prime. Includes Inria's BIGNUM package. Obtained from ftp.inria.fr (128.93.1.26).
Filename: ecpp.V3.4.1.tar.Z

PGP (Pretty Good Privacy)
Philip Zimmermann prz@sage.cgd.ucar.EDU
Intel-based crypto package that includes bignum routines in C, said to be quite fast for Intel processors. Unix and Mac versions also available. The crypto package violates RSA patents, but the bignum routines can be used without fear of legal repercussions.

Bell's Arbitrary Precision Calculator
David I. Bell, Australia (dbell@pdact.pd.necisa.oz.au)
Arbitrary-precision calculator with good online help, C-like language, many builtin functions, support for integers, rational numbers (they work like floating point), complex numbers, matrices, strings, lists, files, "objects". Includes gcd, primality testing, even trig functions. Recommended. (Large package, though.) Obtained from comp.sources.unix.
Filename: calc-1.24.7.tar.Z

Built-in support in other languages
Various
Multiple precision arithmetic is available in a number of programming languages, such as Lisp and ABC (cf. mcsun.eu.net).
Perl (by Larry Wall, available from devvax.jpl.nasa.gov) includes source, in Perl, for such a package, but it's probably not suitable for serious use. For some of these, source code may be available. This list is long enough, so I'm not going to pursue it aggressively.

Thanks to Ed Vielmetti and several others who contributed to this list.

Mark Riordan mrr@ripem.msu.edu

Newsgroup: sci.crypt document_id: 15494
From: ted@nmsu.edu (Ted Dunning)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

nobody seems to have noticed that the clipper chip *must* have been under development for considerably longer than the 3 months that clinton has been president. this is not something that choosing bush over clinton would have changed in the slightest; it has been in the works for some time.

Newsgroup: sci.crypt document_id: 15495
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: Facinating facts: 30 bit serial number, possibly fixed S1 and S2

From: pmetzger@snark.shearson.com (Perry E. Metzger)

> denning@guvax.acc.georgetown.edu (Vidkun Abraham Lauritz Quisling) writes:
>
>> Each chip includes the following components:
>> the Skipjack encryption algorithm
>> F, an 80-bit family key that is common to all chips
>> N, a 30-bit serial number
>> U, an 80-bit secret key that unlocks all messages encrypted with the chip
>
> Hmmm. A thirty bit serial number. And, we are told, the unit key U is
> derived deterministically from this serial number. That means that there
> are only one billion possible unit keys.

Oh hell, it's *much* worse than that. You think they'll ever make more than a million of them? Serial numbers aren't handed out at random you know, they start at 1 and work up... Call it a 20 bit space maybe.
G

Newsgroup: sci.crypt document_id: 15496
From: rja14@cl.cam.ac.uk (Ross Anderson)
Subject: Re: Clipper chip -- technical details

In article <1993Apr19.052005.20665@ulysses.att.com> smb@research.att.com (Steven Bellovin) writes:

> Nothing was said about where K_P comes from.

If you've got a secure device, you don't need public keys. If the secret key which all chips share is SK, you can just use KP = E{(myname, yourname, date) ; SK}.

Maybe that's why Jim Bidzos was reported as being cheesed off.

Ross

Newsgroup: sci.crypt document_id: 15497
From: res@colnet.cmhnet.org (Rob Stampfli)
Subject: Re: Once tapped, your code is no good any more.

>> With E-Mail, if they can't break your PGP encryption, they'll just
>> call up one of their TEMPEST trucks and read the electromagnetic emissions
>> from your computer or terminal. Note that measures to protect yourself from
>
> 2. I could independently invent about half a dozen right off
> the top of my head. If I had studied Advanced E & M a little better,
> I could probably come up with a _very_ good system.

Wouldn't a second monitor of similar type scrolling gibberish and adjacent to the one being used provide reasonable resistance to tempest attacks?

--
Rob Stampfli  rob@colnet.cmhnet.org       The neat thing about standards:
614-864-9377  HAM RADIO: kd8wk@n8jyv.oh   There are so many to choose from.

Newsgroup: sci.crypt document_id: 15498
From: res@colnet.cmhnet.org (Rob Stampfli)
Subject: Re: The Old Key Registration Idea...

In article <1qn1ic$hp6@access.digex.net> pcw@access.digex.com (Peter Wayner) writes:

> That leads me to conjecture that: ...
> 2) The system is vulnerable to simple phone swapping attacks

I seriously doubt that any practical implementation of this proposal would place the onus on the individual to register keys. Realistically, the Clipper-Chip will probably emit an ID code which will serve as the identifier when requesting the key fragments. The chip manufacturer would register this identifier code vs.
key combination when the chip is made and the (uninitiated) end-user can therefore remain completely outside the loop. The chip could be used in a cellular phone, a modem, or other device -- it really makes no difference: When the authorities detect the use of this encryption standard during surveillance, they would then capture the ID and apply for the key in order to decrypt the data.

--
Rob Stampfli  rob@colnet.cmhnet.org       The neat thing about standards:
614-864-9377  HAM RADIO: kd8wk@n8jyv.oh   There are so many to choose from.

Newsgroup: sci.crypt document_id: 15499
From: felixg@coop.com (Felix Gallo)
Subject: Re: Once tapped, your code is no good any more.

pat@rwing.UUCP (Pat Myrto) writes:

> If the Clinton Clipper is so very good, [...]

Please note that Bill Clinton probably has little if anything to do with the design, implementation or reasoning behind this chip or behind any "moves" being made using this chip as a pawn. Remember, when you elect a president of the united states, it's not the case that all the Republicans, etc. in the NSA and FBI and CIA immediately pack their bags and get replaced by a team of fresh young Democrats. Most of the government -- say, 96% -- is appointed or hired rather than elected. Since this Clipper device has been in production for over six months, it probably has little or no foundation in the currently elected Democratic Executive body.

> BTW - those who suggest that this is just an attack on Clinton, believe
> this: I would be going ballistic regardless WHO seriously proposed
> this thing. It is just another step in a gradual erosion of our rights
> under the Constitution or Bill of Rights. The last couple of decades
> have been a non-stop series of end-runs around the protections of the
> Constitution. It has to stop. Now is as good a time as any, if it
> isn't too late already.

Could be. However, the sky hasn't fallen yet, Chicken Little.
> --
> pat@rwing.uucp [Without prejudice UCC 1-207] (Pat Myrto) Seattle, WA
> If all else fails, try: ...!uunet!pilchuck!rwing!pat
> WISDOM: "Only two things are infinite; the universe and human stupidity,
> and I am not sure about the former." - Albert Einstein

Newsgroup: sci.crypt document_id: 15500
From: marc@tanda.isis.org (Marc Thibault)
Subject: Re: Don't fight Clipper Chip, subvert or replace it !

In article (The Jester) writes:

> Proof Windows is a Virus: It is very widespread, It eats up your disk
> space, It slows down your computer, It takes control over your
> computer, It performs disk access at random times, It displays silly
> messages on your screen, It randomly crashes the computer -Vesselin

This sounds like a version of Unix. Solaris?

Newsgroup: sci.crypt document_id: 15501
From: koontzd@phobos.lrmsc.loral.com (David Koontz )
Subject: Spoofing Clipper Serial Number

Secrecy in Clipper Chip

The serial number of the clipper chip is encrypted with the system key and transmitted as one part of a three part message. Presumably the protocol can be recovered (if by nothing else, differential analysis).

Postulate if you will, a chip (or logic) sitting between the clipper chip and its communications channel. The purpose of this chip is twofold:

1) Transmit Channel
The spoof chip XORs the 30 bit encrypted serial number with a secondary keying variable. This renders the serial number unrecoverable with just the system key.

2) Receive Channel
The spoof chip XORs the incoming encrypted serial number with a secondary keying variable (assuming the serial number is necessary for local operation).

This has the net result of hiding the serial number. This gets more interesting when the number of serial numbers issued becomes large, making it difficult to distinguish between valid serial numbers and a spoofed serial number. Without knowing the system key, you could lie about the serial number, but risk detection of the lie.
IF you had the system key and the encryption algorithm you could successfully lie with a lower probability of detection by emulating the format of your own serial number.

Makes you wonder what's being hidden here? Seems like the secrecy is to prevent you from lying about who you are.

Newsgroup: sci.crypt document_id: 15502
From: butzerd@maumee.eng.ohio-state.edu (Dane C. Butzer)
Subject: How large are commercial keys?

What are the typical sizes for keys for commercial secret key algorithms? I know DES is 56 bits ("triple DES" is 112 bits) and IDEA is 128 bits. Is there anything made in the US that has 128 bit keys? Anything anywhere that has larger keys? I've heard that RC2 can be scaled to arbitrarily large keys, but is this actually implemented anywhere?

Finally, can anyone even conceive of a time/place where 128 bit keys aren't sufficient? (I certainly can't - even at a trillion keys a second, it would take about 10 billion years to search just one billionth of that key space.)

Thanks,
Dane

Newsgroup: sci.crypt document_id: 15503
From: amanda@intercon.com (Amanda Walker)
Subject: Re: Do we need the clipper for cheap security?

pmetzger@snark.shearson.com (Perry E. Metzger) writes:

> If the Clipper chip can do cheap crypto for the masses, obviously one
> could do the same thing WITHOUT building in back doors.

I agree. So why is Cylink the only (and expensive) game in town? Note: I think Cylink is great, and if my boss would double my salary, I'd buy a bunch of their stuff :).

One thing that Clipper offers is interoperability, at a higher degree of security than we currently have in non-proprietary voice encryption systems. This means it will be cheaper than anyone's proprietary scheme, and easier to deploy. This is, of course, either a bug or a feature depending on how you look at it :).

> Indeed, even without special engineering, you can construct a good
> system right now.
> A standard codec chip, a chip to do vocoding, a DES
> chip, a V32bis integrated modem module, and a small processor to do
> glue work, are all you need to have a secure phone.

Great! Where can I buy it?

Another note: If "Clipper" increases the incentive to bring stronger encryption to the mass market, all the better. It's far overpriced at the moment.

> Yes, cheap crypto is good -- but we don't need it from the government.

I don't care where we *need* to get it from, I care where we *can* get it from, and whether it will interoperate with everyone else.

> Indeed, were it not for the government doing everything possible to
> stop them, Qualcomm would have designed strong encryption right in to
> the CDMA cellular phone system they are pioneering. Were it not for the
> NSA and company, cheap encryption systems would be everywhere. As it
> is, they try every trick in the book to stop it. Had it not been for
> them, I'm sure cheap secure phones would be out right now.

You can build them right now as long as you don't want to export (a restriction I firmly oppose). The only thing stopping people from making cheap encryption is greed: they want a lock on the market.

> They aren't the ones making cheap crypto available. They are the ones
> keeping cheap crypto out of people's hands. When they hand you a
> clipper chip, what you are getting is a mess of pottage -- your prize
> for having traded in your birthright.

Oh, come on. Only if you trust it farther than it deserves. A Clipper phone *IS NOT* a substitute for a Cylink phone, or a STU-III. It's a substitute for the "voice scramblers" advertised in the back of Radio Electronics.

> Are we getting cheaper crypto
> for ourselves? No, because the market would have provided that on its
> own had they not deliberately sabotaged it.

I disagree. Modulo ITAR, it's not the government that has sabotaged the market.
> Someone please tell me what exactly we get in our social contract in
> exchange for giving up our right to strong cryptography?

Can you tell me where exactly we have given up that right?

Amanda Walker
InterCon Systems Corporation

Newsgroup: sci.crypt document_id: 15504
From: brad@optilink.COM (Brad Yearwood)
Subject: Clipper considered harmful

If Clipper comes to cellular phones along with legal proscriptions against using other cipher systems on these phones, a new and potentially dangerous class of crime is created.

Criminals who very badly want inscrutable tactical communications (specifically the terrorists and drug dealers who proponents of key escrow cite as threats) will be highly motivated to steal the cipher phone of a legitimate user, and to kill this person or hold them hostage so discovery of compromise of the device will be delayed.

Once a suitable collection of devices is stolen, criminals can communicate with impunity (assuming the cipher system carries no trapdoors apart from key escrow) until and unless the compromise is discovered by some other means.

Because life-is-cheap criminals are currently willing to kill people to steal very large and conspicuous property (luxury cars), it is reasonable to assume that they will be willing to kill people to steal small and inconspicuous property (a cipher cellular phone).

Just as we have seen in the past with "blue box" technology, and in the present with modified cellular phones, we can expect to see among high-stakes criminals a lucrative market for stolen cipher phones which can be used for a few days. The high-stakes criminals will pay the life-is-cheap types substantial amounts for stolen instruments.

Because a person is typically discovered as missing or dead in a few days, a stolen instrument will be usable for only a few days. There will be a continuing demand for fresh phones: fresh bodies.
In other words, Clipper and similar systems have the potential to turn a current inconvenience to law enforcement into a direct, vicious, and persistent threat to the general public.

On the other hand, if a criminal were to apply some arbitrary cipher to a device in a mostly non-ciphered network, the communication will at least stand out as being unusual, and perhaps worthy of other means of investigation.

Finally, because there is essentially no possibility of intercepting in realtime the scrutable content of communications between stolen instruments, there will exist strong motivation to record and archive _all_ communications in the network for ex-post-facto scrutiny (once some criminal act is discovered, and the instruments involved have been identified). While recording and archiving may not be feasible for wireline networks, it is probably feasible across the more limited bandwidth of radio networks. The existence of these recordings could open up vast potential for abuse.

Brad Yearwood
brad@optilink.com
{uunet, pyramid}!optilink!brad
Petaluma, CA

Newsgroup: sci.crypt document_id: 15505
From: butzerd@maumee.eng.ohio-state.edu (Dane C. Butzer)
Subject: Re: Once tapped, your code is no good any more.

In article <1993Apr20.034724.3748@colnet.cmhnet.org> res@colnet.cmhnet.org (Rob Stampfli) writes:

>>> With E-Mail, if they can't break your PGP encryption, they'll just
>>> call up one of their TEMPEST trucks and read the electromagnetic emissions
>>> from your computer or terminal. Note that measures to protect yourself from
>>
>> 2. I could independently invent about half a dozen right off
>> the top of my head. If I had studied Advanced E & M a little better,
>> I could probably come up with a _very_ good system.
>
> Wouldn't a second monitor of similar type scrolling gibberish and adjacent
> to the one being used provide reasonable resistance to tempest attacks?
Actually, old video games and pinball machines are supposed to work pretty well (at blocking EM eavesdropping), too. Those things put out a LOT of EM noise. Back in the 80's, I read about computer companies putting bunches of games in their buildings for just this purpose (not to mention the $$$).

Dane

Newsgroup: sci.crypt document_id: 15506
From: lars@spectrum.CMC.COM (Lars Poulsen)
Subject: Re: Is there ANY security in the Clipper?

In article zeev@ccc.amdahl.com (Ze'ev Wurman) writes:

> It seems to me that all discussions about Clipper security are almost
> irrelevant - if I cannot choose the key, but have to use a key chosen for
> me by the foundry, the security of the WHOLE UNIVERSE OF USERS is as good
> (or as bad) as the security of VLSI Technologies Inc. - or their handlers.
> It is a trivial effort to run any ciphertext against ALL THE KEYS EVER
> MANUFACTURED - after all we are talking about 1 to 100 million keys that
> will ever be manufactured. The key depositories can be as secure and
> incorruptible as they wish to be, nobody cares anyway...:-(

The key depositories are IRRELEVANT. In order for the applicable law enforcement agencies to be able to know what keys to request from escrow, the system will have to squawk its serial number in clear text as part of the link establishment protocol. Whoever owns the program that assigns keys to each serial number won't need access to the key depository. In other words, the FBI may need a court-ordered release of escrowed keys, but the NSA has the keys before the chip is ever manufactured. There is no need to go through the escrow or to try all keys.

While relations between law enforcement agencies have sometimes been strained, there is also a long history of trading favors. This will re-establish the NSA as a very important agency for everyone to get along with, because they can give you untraceable encryption leaks without court orders.

The more I think about this affair, the fouler it smells.
I'd rather have a DES with an engineered-in backdoor ...

--
/ Lars Poulsen, SMTS Software Engineer        Internet E-mail: lars@CMC.COM
  CMC Network Products / Rockwell Int'l       Telephone: +1-805-968-4262
  Santa Barbara, CA 93117-3083                TeleFAX:   +1-805-968-8256

Newsgroup: sci.crypt document_id: 15507
From: amanda@intercon.com (Amanda Walker)
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks only

jhart@agora.rain.com (Jim Hart) writes:

> You don't care that people are being lied to, fooled into believing the
> chip gives "privacy" when in fact it allows wiretaps?

It does give privacy, just not absolute privacy. The announcement was very up front about this, and about allowing wiretaps. How is this "fooling" anyone?

> are you so smart that you know when you're talking
> to somebody who has a wiretap chip on their phone instead of a privacy
> chip with private keys?)

Sure. The two don't interoperate. You couldn't talk to, say, a Cylink phone from a Clipper phone. I would expect even multiprotocol phones to come with indicators saying which kind of link encryption is in use...

> We *do* need an alternative to NSA-bugged telephones, but
> we're talking inexpensive *telephones* here, including hand-sized
> cellulars, that need strong crypto, real privacy.

So start a company and build them. This is still mostly a capitalist economy...

> What we need is a true *privacy chip*. For example, a real-time
> voice-encryption RSA, put it into a silicon compiler and spit out
> ASIC. Put this chip on the market as a de facto standard for
> international business, diplomats, and private communications.

I agree. Go for it.

Amanda Walker
InterCon Systems Corporation

Newsgroup: sci.crypt document_id: 15508
From: tcmay@netcom.com (Timothy C. May)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

Ted Dunning (ted@nmsu.edu) wrote:
:
: nobody seems to have noticed that the clipper chip *must* have been
: under development for considerably longer than the 3 months that
: clinton has been president. this is not something that choosing
: bush over clinton would have changed in the slightest; it has
: been in the works for some time.

Actually, many of us have noted this. We have noted that the program started at least 4 years ago, that the contracts with VLSI Technology and Microtoxin were let at least 14 months ago, that production of the chips is well underway, and so forth.

Nobody I know has claimed Clinton initiated the program. But he chose to go ahead with it.

-Tim May

--
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^756839 | Public Key: PGP and MailSafe available.

Newsgroup: sci.crypt document_id: 15509
From: ray@ole.cdac.com (Ray Berry)
Subject: Clipper- business as usual?

Notwithstanding all the legitimate fuss about this proposal, how much of a change is it? ATT's last product in this area (a) was priced over $1000, as I suspect 'clipper' phones will be; (b) came to the customer with the key automatically preregistered with government authorities. Thus, aside from attempting to further legitimize and solidify the fed's posture, Clipper seems to be "more of the same", rather than a new direction. Yes, technology will eventually drive the cost down and thereby promote more widespread use- but at present, the man on the street is not going to purchase a $1000 crypto telephone, especially when the guy on the other end probably doesn't have one anyway. Am I missing something?
The real question is what the gov will do in a year or two when air-tight voice privacy on a phone line is as close as your nearest pc. That has got to be a problematic scenario for them, even if the extent of usage never surpasses the 'underground' stature of PGP.

--
Ray Berry kb7ht ray@ole.cdac.com rjberry@eskimo.com 73407.3152@compuserve.com

Newsgroup: sci.crypt document_id: 15510
From: shirriff@sprite.berkeley.edu (Ken Shirriff)
Subject: Re: Once tapped, your code is no good any more.

In article holland@CS.ColoState.EDU (douglas craig holland) writes:

> With E-Mail, if they can't break your PGP encryption, they'll just
> call up one of their TEMPEST trucks and read the electromagnetic emissions
> from your computer or terminal. Note that measures to protect yourself from
> TEMPEST surveillance are still classified, as far as I know.

Note that TEMPEST is the name of the shielding standard. TEMPEST is not the name of the surveillance technique.

Ken Shirriff shirriff@sprite.Berkeley.EDU
Disclaimer: this is what I've heard and it's in the sci.crypt FAQ, so it's probably true but I can't guarantee it. I'd like to know if I'm wrong.

Newsgroup: sci.crypt document_id: 15511
From: amanda@intercon.com (Amanda Walker)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

gtoal@gtoal.com (Graham Toal) writes:

> Whatever happens though, the effect of this new chip will be to make
> private crypto stand out like a sore thumb.

It already does.

Amanda Walker
InterCon Systems Corporation

Newsgroup: sci.crypt document_id: 15512
From: eachus@spectre.mitre.org (Robert I. Eachus)
Subject: Re: Would "clipper" make a good cover for other encryption method?

In article <1993Apr20.032623.3046@eff.org> kadie@eff.org (Carl M. Kadie) writes:

> Clipper might be a good way to cover the use of another layer of
> encryption.
But, if you are making custom equipment in any case, why not just roll your own Clipper implementation and report the wrong keys to the Escrow agency? (Tells us who is going to be in the chip business if this thing goes through--NSA, and those with something to hide from NSA.)

If anyone can verify that your phone is not using the key registered to that serial number, either:

1) They have a court ordered wiretap. But what are they going to do? Tell the judge that this individual really does have privacy? All they know is that the keys are not enough, but not why.

2) They have a court ordered wiretap on a phone in this series. (This part is really scary. Since the "expectation" is that all chips in a particular batch will use seeds based on the same S1 and S2 and the serial number, getting the keys for one of a batch may give access to all.)

3) There is a backdoor which allows all messages to be deciphered without the keys. I find this one especially threatening since the scheme seems very open to known plaintext attacks. (What I need to decipher is the data in the header. If I talk to someone who has one of these phones, presumably there will be an automatically negotiated key generated. I'm not trying to decipher the record of the conversation to know what was said, I use it as a known plaintext to recover the backdoor represented by the header, but I know what the header says for conversations I participate in. Even worse, if the phones in a series have related keys, I can buy a phone/chip from the same production lot. Then I can recover its keys, either elegantly by talking to myself, or by brute force analysis of the actual chip, then apply the key generation process with those seeds to find the target keys.)

Hmmm! I don't think I want to ever come close to these phones. Even DES is starting to look good. Two cans and a string will provide much better security.

--
Robert I. Eachus

with Standard_Disclaimer;
use  Standard_Disclaimer;
function Message (Text: in Clever_Ideas) return Better_Ideas is...

Newsgroup: sci.crypt document_id: 15513
From: cepek@vixvax.mgi.com
Subject: Tempest vs LCD (was: Re: Once tapped...)

douglas craig holland (holland@CS.ColoState.EDU) writes:
>
> With E-Mail, if they can't break your PGP encryption, they'll just
> call up one of their TEMPEST trucks and read the electromagnetic
> emissions from your computer or terminal. Note that measures to
> protect yourself from TEMPEST surveillance are still classified, as
> far as I know.

steiner@jupiter.cse.utoledo.edu (Jason 'Think!' Steiner) writes:

> are LCD displays vulnerable to tempest?

I can see high-voltage type display devices being vulnerable (CRTs, plasma displays, etc.) But Jason beat me to this question. What about EM radiation from low-voltage items like LCD displays? Perhaps the critical element is the driver circuitry? The cabling? What about a portable PC/Mac/etc., where all the "noise" is bunched into one tiny area?

Newsgroup: sci.crypt document_id: 15514
From: smb@research.att.com (Steven Bellovin)
Subject: Re: Off the shelf cheap DES keyseach machine (Was: Re: Corporate acceptance of the wiretap chip)

In article <1993Apr20.150531.2059@magnus.acs.ohio-state.edu>, jebright@magnus.acs.ohio-state.edu (James R Ebright) writes:

> Now why is that? I doubt there is a trapdoor in Skipjack. (But we will
> never know). And I doubt the NSA would promote a mass market chip they
> couldn't compromise. Ergo, NSA is now capable of compromising (probably
> with brute force keysearch) engines of the complexity of Skipjack. Look
> at the specs. Why, I bet they have thousands of little chips chugging
> away in their crypto busters... Maybe even tens of thousands. Complexity?
> Not much more than a 3090. How many such machines will fit into Fort Meade?
> I think PGP2.3 should have 256 bit IDEA keys...

Thousands? Tens of thousands? Do some arithmetic, please...
Skipjack has 2^80 possible keys. Let's assume a brute-force engine like that hypothesized for DES: 1 microsecond per trial, 1 million chips. That's 10^12 trials per second, or about 38,000 years for 2^80 trials. Well, maybe they can get chips running at one trial per nanosecond, and build a machine with 10 million chips. Sure -- only 3.8 years for each solution.

IDEA uses 128-bit keys. Shall I bother doing the calculations for you? Hint: multiply 3.8 years by 2^(128-80).

And you can't do IDEA at that speed; key setup takes much too long. I wouldn't be surprised if that were the case for Skipjack, too, though there's no way of knowing just yet. DES used only xor because that's what was feasible with mid-70's technology. Modern chips can do a lot more.

NSA may or may not know how to crack Skipjack and IDEA (I doubt it for the former; I have no idea for the latter, though it does seem to be a strong cryptosystem). But it ain't gonna be by exhaustive search.

Newsgroup: sci.crypt document_id: 15515
From: kepley@photon.phys.unca.edu (Brad Kepley)
Subject: Re: Once tapped, your code is no good any more.

In article <1993Apr20.161838.13213@coop.com> felixg@coop.com (Felix Gallo) writes:

> pat@rwing.UUCP (Pat Myrto) writes:
>
>> If the Clinton Clipper is so very good, [...]
>
> Please note that Bill Clinton probably has little if anything to do
> with the design, implementation or reasoning behind this chip or behind

Can't we move the political bickering to a more appropriate group?
--
Brad Kepley                     Internet  kepley@photon.phys.unca.edu
                                Work-days Voice (704)252-8330
--

Newsgroup: sci.crypt document_id: 15516
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Clipper considered harmful

brad@optilink.COM (Brad Yearwood) writes:

> Criminals who very badly want inscrutable tactical communications (specifically
> the terrorists and drug dealers who proponents of key escrow cite as threats)
> will be highly motivated to steal the cipher phone of a legitimate user, and
> to kill this person or hold them hostage so discovery of compromise of the
> device will be delayed.

Why do it in such a rough manner? It is much more professional to steal the chip from the phone and even to replace it with a pin-compatible do-nothing chip that does not encrypt at all. Chances are that the victim will not notice anything, especially if it is done professionally.

> Once a suitable collection of devices is stolen, criminals can communicate
> with impunity (assuming the cipher system carries no trapdoors apart from
> key escrow) until and unless the compromise is discovered by some other means.

No, because the Feds will still be able to decrypt the conversations. True, they'll blame the wrong guys, but nevertheless one cannot say something like "The drugs arrive tomorrow on the ship 'Terminus'" when the Feds are listening, even if they cannot identify who the speaker is.

No, the criminals will just use some secure encryption. The new proposal does not stop criminals; it ensures that the government will be able to wiretap the average citizen and stops the casual snooper. To me, it also clearly looks like a step towards outlawing any other strong encryption devices.

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     D-2000 Hamburg 54, Germany

Newsgroup: sci.crypt document_id: 15517
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: How large are commercial keys?

butzerd@maumee.eng.ohio-state.edu (Dane C. Butzer) writes:

> Finally, can anyone even conceive of a time/place where 128 bit keys aren't
> sufficient?

It depends on the algorithm used. 128-bit secret keys for RSA are definitively not secure enough.

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     D-2000 Hamburg 54, Germany

Newsgroup: sci.crypt document_id: 15518
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks only

jfc@athena.mit.edu (John F Carr) writes:

> In article <19930419.155204.305@almaden.ibm.com>
> ameline@vnet.IBM.COM (Ian Ameline) writes:
>
>> I also believe that someone will reverse engineer the clipper chip,
>> and knowledge of the algorithm will likely be fairly widespread.
>
> The chip and algorithm are classified. If you reverse engineer it and
> tell people, you are likely to go to jail.

Well, I'm not a lawyer, but from what I can tell this is completely and utterly untrue. You see, this country has this thing called a "constitution". If you legitimately acquire the device, and you yourself are not a government employee or otherwise encumbered, I don't think they can stop you from revealing anything about the device you can determine. Remember the Pentagon Papers precedent? The First Amendment applies here. The U.S. does NOT have an official secrets act.
We do have laws that will punish you for revealing what classified information you learned in your capacity as a government official, contractor, etc, and we have laws that prohibit stealing such information. However, if they sell you the chip, I can't see that they can make reverse engineering it and revealing the details illegal. -- Perry Metzger pmetzger@shearson.com -- Laissez faire, laissez passer. Le monde va de lui meme. Newsgroup: sci.crypt document_id: 15519 From: gtoal@gtoal.com (Graham Toal) Subject: Re: How does it really work? (was Re: text of White House announcement and Q&As on clipper chip encryption) From: Marc VanHeyningen The majority of the discussion involving this "Clipper Chip" seems to pertain to the encryption of telephone conversations. Does anyone know if that means this chip is designed to work primarily with analog signals? The language sort of suggests this, but it's hard to say. I'd lay a few bucks that its just data-in-data-out in parallel. I suspect to make it a phone you'd need a codec and speech compression. There would be a loss of bandwidth on the speech signal, which I suspect would scupper any of the suggestions I've seen here about putting a different encryption front end on it. There's no hint of any modulation scheme in the docs. I'm sure it's purely a digital chip. The back end will come later, but I'm *positive* it won't be left to the manufacturers - they all have to be the same modulation scheme to make it easy for the NSA to tap them. The only other possibility is that this is intended only for ISDN phones. (Puts a whole new spin on EFFs obsession about ISDN if true, bwahahaha! ;-) ) G Newsgroup: sci.crypt document_id: 15520 From: Graham Toal Subject: Re: Once tapped, your code is no good any more. 
In article <2073@rwing.UUCP> pat@rwing.UUCP (Pat Myrto) writes: :If the Clinton Clipper is so very good, why not make its algrithm public :so many people can exchange ideas and examine it, rather than a few :isolated 'respected experts' (respected by whom? for what? Perhaps a :certain professor who likes key banks would be one of the selected :experts... this does seem to expand on some ideas the person was :advocating, if I recall :-). How would anybody know that what the Actually, I am *completely* baffled by why Dorothy Denning has chosen to throw away her academic respectability like this. It looks to me like a *major* Career Limiting Move. There can be very few people who know what she's been saying who take her seriously any more. I wonder if she landed such a fat fee from cooperation with the NSA in the design and propoganda stages that she doesn't care any more? G Newsgroup: sci.crypt document_id: 15521 From: gtoal@gtoal.com (Graham Toal) Subject: Re: "clipper chip" From: "dan mckinnon" I have lurked here a bit lately, and though some of the math is unknown to me, found it interesting. I thought I would post an article I found in the Saturday, April 17, 1993 Toronto Star: 'CLIPPER CHIP' to protect privacy Politics is of course Dirty Pool, old man, and here we have a classic example: the NSA and the administration have been working on this for a *long* time, and in parallel with the announcement to us techies, we see they're hitting the press with propoganda. It's my bet the big magazines - Byte, Scientific American, et all - will be ready to run with a pre-written government-slanted story on this in the next issue. ('Just keep us some pages spare boys, we'll give you the copy in time for the presses') We *must* get big names in the industry to write well argued pieces against this proposal (can you call it that when it's a de facto announcement?) and get them into the big magazines before too much damage is done. 
It would be well worth folks archiving all the discussions from here since the day of the announcement to keep all the arguments at our fingertips. I think between us we could write quite a good piece. Now, who among us carries enough clout to guarantee publication? Phil? Don Parker? Mitch Kapor? G Newsgroup: sci.crypt document_id: 15522 From: gtoal@gtoal.com (Graham Toal) Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow] ] gtoal@news.ibmpcug.co.uk (Graham Toal) writes: ] > Try reading between the lines David - there are *strong* hints in there ] > that they're angling for NREN next, ] Where? I honestly didn't see any... Hint 1: : Sophisticated encryption technology has been used for years to : protect electronic funds transfer. It is now being used to : protect electronic mail and computer files. While encryption ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Hint 2: : This new technology will help companies protect proprietary : information, protect the privacy of personal phone conversations : and prevent unauthorized release of data transmitted ^^^^^^^^^^^^^^^^ : electronically. At the same time this technology preserves the ^^^^^^^^^^^^^^ : -- the privacy of our citizens, including the need to : employ voice or data encryption for business purposes; ^^^^^^^^^^^^^^^^^^ : -- the ability of authorized officials to access telephone : calls and data, under proper court or other legal ^^^^^^^^ : order, when necessary to protect our citizens; VERY BIG HINT 3: # The Administration is committed to working with the private # sector to spur the development of a National Information # Infrastructure which will use new telecommunications and computer # technologies to give Americans unprecedented access to # information. This infrastructure of high-speed networks # ("information superhighways") will transmit video, images, HDTV # programming, and huge data files as easily as today's telephone # system transmits voice. 
VERY BIG HINT 4: (See above) ## Since encryption technology will play an increasingly important ## role in that infrastructure, the Federal Government must act ## quickly to develop consistent, comprehensive policies regarding ## its use. ] > and the only conceivable meaning of ] > applying this particular technology to a computer network is that they ] > intend it to be used in exclusion to any other means of encryption. ] I disagree, if for no other reason than that there are already other ] standards in place. Besides, even if they restrict encryption on the NREN, ] who cares? Most of the Internet is commercial anyway. The NREN is only for ] geovernment and university research (read the proposals--it's a "data ] superhighway" for Cray users, not anything having to do with the Internet). Oh, I see your point. I think you're wrong. But if you sit back and wait to find out if I'm right, it'll be too late. Just listen *very* carefully for the first 'such and such will not be permitted on network XYZ' shoe to drop. G Newsgroup: sci.crypt document_id: 15523 From: jbotz@mtholyoke.edu (Jurgen Botz) Subject: Re: The [secret] source of that announcement In article marc@mit.edu (Marc Horowitz N1NZU) writes: >Just who is that, I asked myself, or rather, I asked the computer. > > % telnet csrc.ncsl.nist.gov 25 > Trying... > Connected to csrc.ncsl.nist.gov. > Escape character is '^]'. > 220 first.org sendmail 4.1/NIST ready at Sat, 17 Apr 93 20:42:56 EDT > expn clipper > 250- >[...] > 221 first.org closing connection > Connection closed. > >Well, isn't that interesting. Dorothy Denning, Mitch Kapor, [...] Even more interesting: the SMTP server at csrc.ncsl.nist.gov no longer recognizes the 'expn' and 'vrfy' commands... telnet csrc.ncsl.nist.gov smtp Trying 129.6.54.11... Connected to csrc.ncsl.nist.gov. Escape character is '^]'. 
220 first.org sendmail 4.1/NIST ready at Tue, 20 Apr 93 17:01:34 EDT expn clipper 500 Command unrecognized Seems like sombody didn't like your snooping around, Marc. -- Jurgen Botz, jbotz@mtholyoke.edu | Vending machines SHOULD respond to a [finger] South Hadley, MA, USA | request with a list of all items currently --Unix is dead, long live Unix-- | available for purchase... -RFC1288 Newsgroup: sci.crypt document_id: 15524 From: rdippold@qualcomm.com (Ron "Asbestos" Dippold) Subject: Re: text of White House announcement and Q&As on clipper chip encryption ted@nmsu.edu (Ted Dunning) writes: >nobody seems to have noticed that the clipper chip *must* have been >under development for considerably longer than the 3 months that >clinton has been president. this is not something that choosing >choosing bush over clinton would have changed in the slightest; it has >been in the works for some time. I've got no doubts that this would probably have gone ahead if Bush was still president. What's puzzling to me are the people who are apparently amazed that Clinton is going along with it. -- Other than that, Mrs. Lincoln, how did you like the play? Newsgroup: sci.crypt document_id: 15525 From: Grant@DOCKMASTER.NCSC.MIL (Lynn R Grant) Subject: Another key registration body bites the dust (IMHO) One of the candidates that has been suggested for a key registration body is the ACLU. I think this is poor choice. The ACLU is essentially a group of auditors: they audit how people's civil liberties are administered. Traditionally, auditors do not like to get involved in the design or operational aspects of things, and with good reason. When I was a systems programmer, it always infuriated me that the auditors would come in and tell us our implementation stunk from a security point of view, but wouldn't tell us how to fix it. I always figured they just liked to critcize, without doing the work to help fix the problem. Then I took a stint as an auditor, and I found out the real reason. 
Auditors don't like to recommend solutions, because it puts them in a bad position if they have to criticize the implementation later. The auditee can say, "Well, you told us this way would be OK." It compromises the independence that is a necessary part of the auditor's job. Taking the case at hand, suppose ACLU becomes a key half registrar. Suppose that, perhaps through some error on ACLU's part, a key half gets away that shouldn't, and is used to deprive someone of her civil liberties. The ACLU gets wind of this, and wants to take it to court. But they end up being at the same time on the side of the defendant and of the plaintiff, which is not an easy position to be in. There are exceptions to the complete independence of auditors: at one place where I worked, when payroll checks were printed, they were signed automatically by a signature drum on the bursting machine. This drum was kept by the auditors (who also kept the check stock), and was brought down to Data Processing when it was time to do the checks. I believe the difference between this situation and the key registration situation is that it is fairly obvious when it is time to do the payroll checks: if they were done yesterday, and someone wants to do them again today, he better be able to produce yesterday's checks so that they can be destroyed. Determining which of the many requests for key halves are legit is a trickier process, one much more prone to mistakes that could put the ACLU in a protecting-the-client versus protecting-the-ACLU conflict of interest. As always, my opinions are my own. Lynn Grant Grant@Dockmaster.NCSC.MIL Newsgroup: sci.crypt document_id: 15526 From: amolitor@nmsu.edu (Andrew Molitor) Subject: Re: Off the shelf cheap DES keyseach machine (Was: Re: Corporate acceptance of the wiretap chip) In article <1993Apr20.192105.11751@ulysses.att.com> smb@research.att.com (Steven Bellovin) writes: > > [ responding to claims about Skipjack cracking engines ] > >Thousands? 
Tens of thousands? Do some arithmetic, please... Skipjack >has 2^80 possible keys. Let's assume a brute-force engine like that >hypothesized for DES: 1 microsecond per trial, 1 million chips. That's >10^12 trials per second, or about 38,000 years for 2^80 trials. Well, >maybe they can get chips running at one trial per nanosecond, and build >a machine with 10 million chips. Sure -- only 3.8 years for each solution. > I think I should also point out that the mystical DES engines are known plaintext engines (unless you add a ton of really smart hardware?) The 'plaintext' is digitized voice, and exists for a very short time, probably in a couple inches of copper, tops. It's flatly not available -- your bug in my office can hear my voice, and even digitize it, but it's going to get a different bitstream. It is horribly naive to suppose that regular folks can figure out how to crack skipjack, or clipper based telephones. I'm certainly not devoting a great deal of thought to it. Andrew Molitor Newsgroup: sci.crypt document_id: 15527 From: hanson@kronos.arc.nasa.gov (Robin Hanson) Subject: Estimating Wiretap Costs/Benefits I'm attempting to write a serious policy paper examining whether the proposed wiretap (or "Clipper") chip is a cost-effective tool for police investigation. That is, ignoring concerns about government intrusions into individual privacy, is the value of easy wiretaps to investigators greater than the cost to the communications industry, and their customers, to support this wiretap technology? A rough estimate suggests that wiretaps are worth about five million dollars per year to U.S. law enforcement agencies. (In 1990, 872 U.S. wiretaps led to 2057 arrests, while total police expenditures of $28 billion led to 11.25 million arrests [ref US Statistical Abstracts].) I'm working on estimating this wiretap benefit more accurately, but I'd like to ask hardware experts out there to help me with estimating the costs of the new proposed wiretap technology. 
Please send me quotable/citeable estimates for: - How many chips which would need to be made per year to keep all phones with wiretap chips? - How much would it cost to make each chip? - How much did it cost to develop this technology in the first place? - How much more would supporting hardware, people, etc. cost, per chip? - What percentage cheaper would encryption chips and support have been if private enterprise could compete to meet customer encryption needs? - What percentage of phone traffic would be taken up by the proposed "law enforcement blocks"? - What is the total cost of handling all phone traffic per year? Put another way, the question I'm asking is, what if each police agency that wanted a particular wiretap had to pay for it, being charged their share of the full social cost of forcing communication to be wiretap compatible? Would they choose to buy such wiretaps, or would they find it more cost-effective to instead investigate crimes in other ways? -- Robin Hanson hanson@ptolemy.arc.nasa.gov 415-604-3361 MS-269-2, NASA Ames Research Center, Moffett Field, CA 94035 510-651-7483 47164 Male Terrace, Fremont, CA 94539-7921 Newsgroup: sci.crypt document_id: 15528 From: Markowitz@DOCKMASTER.NCSC.MIL Subject: exportability of PKZIP (was: RE: RC2) Vesselin Bontchev (bontchev@fbihh.informatik.uni-hamburg.de) writes: >>Markowitz@DOCKMASTER.NCSC.MIL writes: >>> It is interesting to note in this regard that permission to export >>> PKZIP's encryption scheme has twice been denied by NSA. Draw you own >>> conclusions. >>Uh, I'm afraid that your information is slightly out of date... PKWare >>has obtained a license to export their program to the whole world, >>except a very limited list of countries... Draw your own conclusions >>about the strength of the algorithm... :-) Sorry if I was less than clear. 
:-) I was referring to our own efforts to receive export permission from NSA for the PKZIP encryption algorithm, not to any effort on the part of Phil Katz or PKWare. I should point out that the original version of this algorithm was designed by Roger Schlafly and that WE (meaning Roger and myself) were twice denied an export license for it. The second go 'round was just this past fall. I had no knowledge of Phil's attempts in this. I do not even *know* for sure if he choose to implement the algorithm as it was designed by Roger, though I *believe* that was at least the case for versions prior to 2.0. And then there's the question of key management. :-) And even if our applications were identical, there is no reason to assume the NSA would treat them that way. :-) -mjm ---------- Michael J. Markowitz, VP R&D markowitz@dockmaster.ncsc.mil Information Security Corp. 708 405-0500, fax: 708 405-0506 1141 Lake Cook Rd., Suite D MCI: 363-1959 Deerfield, IL 60302 CIS: 76206,2617 Newsgroup: sci.crypt document_id: 15529 From: amolitor@nmsu.edu (Andrew Molitor) Subject: Re: Off the shelf cheap DES keyseach machine (Was: Re: Corporate acceptance of the wiretap chip) In article <1r1otuINNdb2@dns1.NMSU.Edu> amolitor@nmsu.edu (Andrew Molitor) writes: > The 'plaintext' is digitized voice, and exists for a very short >time, probably in a couple inches of copper, tops. It's flatly not >available -- your bug in my office can hear my voice, and even digitize >it, but it's going to get a different bitstream. I am an idiot. The plaintext that's relevant is the session key. If you know that, you probably don't need a roomful of chips, do you? If you were going to brute force something interesting, that'd be the message stream, which is sort of approximately known by, say, a bug in my office. Then your roomful of chips could get the session key. Which I change every morning. Really, it's just a whole lot easier for the illicit wiretappers to stick a bug in your phone. 
Andrew Molitor Newsgroup: sci.crypt document_id: 15530 From: hollasch@kpc.com (Steve Hollasch) Subject: Re: Clipper considered harmful brad@optilink.COM (Brad Yearwood) writes: | If Clipper comes to cellular phones along with legal proscriptions against | using other cipher systems on these phones, a new and potentially dangerous | class of crime is created. | | Criminals who very badly want inscrutable tactical communications | (specifically the terrorists and drug dealers who proponents of key escrow | cite as threats) will be highly motivated to steal the cipher phone of a | legitimate user, and to kill this person or hold them hostage so discovery | of compromise of the device will be delayed. Yow - get some sleep Brad! You mean that people (i.e. life-is-cheap terrorists & drug-dealing warlords) who want to communicate in privacy will prefer to break into my house, kill or kidnap me, and steal my telephone, rather than: - Spending $15 at K-mart to buy a new phone. - Purchasing a load of phones from the black market / flea market / super market. - Talking (*gasp*) face-to-face. - Walking down to any one of millions of pay phones. - Using messengers. - Going to excruciating effort to think of code phrases like "I had a blowout on the freeway today". Look, this system does nothing to threaten folks who _know_ they're being wiretapped, since it's trivial to find other avenues of communication; they'd have no reason to resort to extreme measures, since a plethora of simple alternatives are easily available to them. Among all the legitimate reasons to damn the proposed system, I don't think we need to worry about terrorist commie drug warlord assasin thugs murdering our families, kicking the dog and leaving the toilet seat up just to steal a $15 telephone. The system is more like urine testing: it catches some small number of v