Newsgroup: sci.crypt
document_id: 14147
From: Marc VanHeyningen <mvanheyn@cs.indiana.edu>
Subject: RIPEM Frequently Asked Questions

Archive-name: ripem/faq
Last-update: Sun, 7 Mar 93 21:00:00 -0500

ABOUT THIS POSTING
------------------
This is a (still rather rough) listing of likely questions and
information about RIPEM, a program for public key mail encryption.  It
(this FAQ, not RIPEM) was written and will be maintained by Marc
VanHeyningen, <mvanheyn@whale.cs.indiana.edu>.  It will be posted to a
variety of newsgroups on a monthly basis; follow-up discussion specific
to RIPEM is redirected to the group alt.security.ripem.

This month, I have reformatted this posting in an attempt to comply
with the standards for HyperText FAQ formatting to allow easy
manipulation of this document over the World Wide Web.  Let me know
what you think.

DISCLAIMER
----------
Nothing in this FAQ should be considered legal advice, or anything
other than one person's opinion.  If you want real legal advice, talk
to a real lawyer.

QUESTIONS AND ANSWERS
---------------------

1)  What is RIPEM?

 RIPEM is a program which performs Privacy Enhanced Mail (PEM) using
 the cryptographic techniques of RSA and DES.  It allows your
 electronic mail to have the properties of authentication (i.e. who
 sent it can be confirmed) and privacy (i.e. nobody can read it except
 the intended recipient).

 RIPEM was written primarily by Mark Riordan <mrr@scss3.cl.msu.edu>.
 Most of the code is in the public domain, except for the RSA routines,
 which are a library called RSAREF licensed from RSA Data Security Inc.

2)  How can I get RIPEM?

 RIPEM contains the library of cryptographic routines RSAREF, which is
 considered munitions and thus is export-restricted from distribution
 to people who are not citizens or permanent residents of the U.S. or
 Canada.  Therefore, the following request is quoted from the README
 file:

 #Please do not export the cryptographic code in this distribution
 #outside of the USA or Canada.  This is a personal request from me,
 #the author of RIPEM, and a condition of your use of RIPEM.

 Note that RSAREF is not in the public domain, and a license for it is
 included with the distribution.  You should read it before using
 RIPEM.

 The best way to get it is to ask a friend for a copy, since this will
 reduce the load on those sites that do carry it (not to mention the
 humans that run them.)  Naturally this requires that you trust the
 friend.

 RIPEM is available via anonymous FTP to citizens and permanent residents
 in the U.S. from rsa.com; cd to rsaref/ and read the README file for
 info.  Last I looked, this site contains only the source tree, and
 does not contain compiled binaries or the nice Mac version.

 RIPEM, as well as some other crypt stuff, has its "home site" on
 rpub.cl.msu.edu, which is open to non-anonymous FTP for users in the
 U.S. and Canada who are citizens or permanent residents.  To find out
 how to obtain access, ftp there, cd to pub/crypt/, and read the file
 GETTING_ACCESS.  For convenience, binaries for many architectures are
 available here in addition to the full source tree.

3)  Will RIPEM run on my machine?

 Probably.  It has already been ported to MS-DOS and most flavors of
 Unix (SunOS, NeXT, Linux, AIX, ULTRIX, Solaris, etc.)  Ports to
 Macintosh include a standard UNIX-style port and a rather nice
 Mac-like port written by Raymond Lau, author of StuffIt.  More ports
 are expected, and help from users is invited.

4)  Will RIPEM work with my mailer?

 Probably.  How easy and clean the effective interface is will depend
 on the sophistication and modularity of the mailer, though.  The users
 guide, included with the distribution, discusses ways to use RIPEM
 with many popular mailers, including Berkeley, mush, Elm, and MH.
 Code is also included in elisp to allow easy use of RIPEM inside GNU
 Emacs.

 If you make a new interface for RIPEM or create an improvement on one
 in the distribution which you believe is convenient to use, secure,
 and may be useful to others, feel free to post it to alt.security.ripem.

5)  What is RSA?

 RSA is a crypto system which is asymmetric, or public-key.  This means
 that there are two different, related keys: one to encrypt and one to
 decrypt.  Because one cannot (reasonably) be derived from the other,
 you may publish your encryption, or public, key widely and keep your
 decryption, or private, key to yourself.  Anyone can use your public
 key to encrypt a message, but only you hold the private key needed to
 decrypt it.  Note that the "message" sent with RSA is normally just
 the DES key to the real message.  (See "What is DES?")

 Note that the above only provides for privacy.  For authentication,
 the fingerprint of the message (See "What is a fingerprint, like
 MD5?") is encrypted with the sender's private key.  The recipient can
 use the sender's public key to decrypt it and confirm that the message
 must have come from the sender.

 RSA was named for the three men (Rivest, Shamir and Adleman) who
 invented it.  To find out more about RSA, ftp to rsa.com and look in
 pub/faq/ or look in sci.crypt.

6)  What is DES?

 DES is the Data Encryption Standard, a widely used symmetric, or
 secret-key, crypto system.  Unlike RSA, DES uses the same key to
 encrypt and decrypt messages.  However, DES is much faster than RSA.

 RIPEM uses both DES and RSA; it generates a random key and encrypts
 your mail with DES using that key.  It then encrypts that key with the
 recipient's public RSA key and includes the result in the letter,
 allowing the recipient to recover the DES key.

 DES is sometimes considered weak because it is somewhat old and uses a
 key length considered too short by modern standards.  However, it
 should be reasonably safe against an opponent smaller than a large
 corporation or government agency.  It is not unlikely that future
 RIPEMs will strengthen the symmetric cipher, possibly by using
 multiple encryption with DES.

7)  What is PEM, and how does RIPEM relate?

 PEM is Privacy Enhanced Mail, a system for allowing easy transfer of
 encrypted electronic mail.  It is described in RFCs 1421-1424; these
 documents have been approved and obsolete the old RFCs 1113-1115.

 RIPEM is not really a complete implementation of PEM, because PEM
 specifies certificates for authenticating keys, which RIPEM does not
 handle at this time.  Their addition is planned.

8)  What's this about distributing and authenticating keys?

 For a remote user to be able to send secure mail to you, she must know
 your public key.  For you to be able to confirm that the message
 received came from her, you must know her public key.  It is important
 that this information be accurate; if a "bad guy" convinces her that
 his key is in fact yours, she will send messages which he can read.

 RIPEM allows for three methods of key management: a central server,
 the distributed finger servers, and a flat file.  All three are
 described in the RIPEM users guide which is part of the distribution.
 None of them provide perfect security.

9)  Why do all RIPEM public keys look very similar?

 RIPEM public keys begin with a PKCS identifier describing various
 characteristics about the key, so the first bunch of characters in
 your key may be the same as those of lots of other people's keys.
 This does not mean your keys are similar, but only that they are the
 same class of key, were generated with the same program, are of the
 same length, etc.

10)  What is a fingerprint, like MD5?

 MD5 is a message digest algorithm produced by RSA Data Security Inc.
 It provides a 128-bit fingerprint, or cryptographically secure hash,
 of the plaintext.  It is cryptographically secure because it is not
 possible (in a reasonable amount of computation) to produce a
 different plaintext which produces the same fingerprint.  Thus,
 instead of signing the entire message with the sender's private key,
 only the MD5 of the message needs to be signed for authentication.

 MD5 is sometimes used for other purposes; for example, it is often
 used to map an input of arbitrary length to 128 bits of data, as a
 passphrase interpreter or cookie generator.

 MD5 is described in its entirety (including an implementation in C) in
 RFC 1321.

11)  What is PGP?

 PGP is another cryptographic mail program called Pretty Good Privacy.
 PGP has been around longer than RIPEM, and works somewhat differently.
 PGP is not compatible with RIPEM in any way, though PGP does also use RSA.

 Some major differences between PGP and RIPEM:

 - PGP has more key management features, particularly for users without
   a direct network connection.

 - RIPEM conforms to the PEM RFCs and thus has a greater probability of
   working with other PEM software.  PGP makes no attempt to be compatible
   with anything other than PGP (in fact, PGP 1.0 is not compatible with
   PGP 2.0.)

 - RIPEM uses RSAREF, a library of RSA routines from RSA Data Security
   Inc.  RSAREF comes with a license which allows noncommercial use.
   PGP uses its own implementation of RSA which is not licensed; thus,
   PKP, the firm holding the U.S. patents on the RSA algorithm, claims
   that it is an infringement of that patent to make, use or sell PGP in
   the U.S. or Canada.  In acknowledgement of this, PGP's original
   author, Phil Zimmermann, says in the documentation:

   #In fact, if you live in the USA, and you are not a Federal agency, 
   #you shouldn't actually run PGP on your computer, because Public
   #Key Partners wants to forbid you from running my software.  PGP is
   #contraband.  

 - Both PGP and RIPEM are export-restricted, and cannot be sent outside
   the U.S. and Canada.  However, PGP already exists on many ftp sites
   in Europe and other places.

 Whether you use PGP or RIPEM or whatever, the documentation to PGP is
 recommended reading to anyone interested in such issues.

 Note that the above facts, both regarding patent and export
 restrictions, are somewhat controversial; many people think it
 shouldn't be that way, and some people interpret various documents
 differently.  Unfortunately, discussions of it on the net inevitably
 seem to produce more heat than light, and probably belong in
 misc.legal.computing.  (See:  "DISCLAIMER")

12)  What about RPEM?

 RPEM stands for Rabin Privacy Enhanced Mail.  It was similar to RIPEM,
 but used a public-key cipher invented by Rabin (which is not RSA) in
 an attempt to avoid the patent on RSA.  It was written by Mark
 Riordan, the same author as RIPEM.

 Its distribution was halted when, contrary to the beliefs of many
 (including Rabin), Public Key Partners (PKP) claimed that their patent
 was broad enough to cover any public-key cipher whose strength rested
 in the difficulty of factoring products of large primes, not just RSA.
 This claim is not universally accepted by any means, but was not
 challenged for pragmatic reasons.

 RPEM is not really used anymore.  It is not compatible with RIPEM or PGP.

13)  What is MIME?

 MIME stands for Multipurpose Internet Mail Extensions, and is
 described in RFC 1341.  You can find out about it in the newsgroup
 comp.mail.mime.  How PEM should interact with MIME is not yet entirely
 clear; some people use the stopgap solution of having a MIME type
 application/x-ripem in order to send RIPEM messages as MIME ones.  I
 hope some standards will emerge.  Draft Internet documents exist on
 the matter.

14)  I have this simple way to defeat the security of RIPEM...

 You may wish to check the companion post "ripem-attacks" which
 discusses some of the more obvious attacks on RIPEM's security and
 what procedures will minimize the risk.  RIPEM's main "weak area" is
 probably key distribution.

Newsgroup: sci.crypt
document_id: 14831
From: mvanheyn@cs.indiana.edu (Marc VanHeyningen)
Subject: RIPEM Frequently Asked Questions

Archive-name: ripem/faq
Last-update: 31 Mar 93 22:00:00 -0500

ABOUT THIS POSTING
------------------
This is a listing of likely questions and information about RIPEM, a
program for public key mail encryption.  It (this FAQ, not RIPEM) was
written and will be maintained by Marc VanHeyningen
<mvanheyn@cs.indiana.edu>.  It will be posted to a variety of
newsgroups on a monthly basis; follow-up discussion specific to RIPEM
is redirected to the group alt.security.ripem.

WHAT'S NEW
----------
I am now running a World Wide Web archive of RIPEM information.  It
does not contain much of anything that isn't available elsewhere, but
it has convenient pointers to the most current version of this FAQ and
some other stuff.  The URL is "http://cs.indiana.edu/ripem/dir.html".

This month's version has a fair amount of new pointers to information
on patents and stuff like that.  I've also reordered a few things to
have a more sensible ordering.  I hope I don't have to edit this again
soon. :-)

DISCLAIMER
----------
Nothing in this FAQ should be considered legal advice, or anything
other than one layperson's opinion.  If you want real legal advice,
talk to a real lawyer, preferably one with experience in patent law,
export regulations, or whatever area of law is in question.

LIST OF QUESTIONS
-----------------
1)  What is RIPEM?
2)  How can I get RIPEM?
3)  Will RIPEM run on my machine?
4)  Will RIPEM work with my mailer?
5)  What is RSA?
6)  What is DES?
7)  What is a fingerprint, like MD5?
8)  What is PEM?
9)  What's this about distributing and authenticating keys?
10)  Isn't it a bad idea to use patented algorithms in standards like PEM?
11)  What about RSADSI/PKP?
12)  Why do all RIPEM public keys look very similar?
13)  What is PGP?
14)  What about RPEM?
15)  What is MIME?
16)  What is TIS/PEM?
17)  I have this simple way to defeat the security of RIPEM...

QUESTIONS AND ANSWERS
---------------------

1)  What is RIPEM?

 RIPEM is a (not yet complete, but useful) implementation of Privacy
 Enhanced Mail (PEM).  RIPEM allows your electronic mail to have the
 four security facilities provided by PEM: disclosure protection
 (optional), originator authenticity, message integrity measures, and
 non-repudiation of origin (always).  (See: "What is PEM?")

 RIPEM was written primarily by Mark Riordan <mrr@scss3.cl.msu.edu>.
 Most of the code is in the public domain, except for the RSA routines,
 which are a library called RSAREF licensed from RSA Data Security Inc.

 The current version of RIPEM is 1.0.5; the current version of the
 Macintosh port of RIPEM is 0.7.

2)  How can I get RIPEM?

 RIPEM uses the library of cryptographic routines RSAREF, which is
 considered munitions and thus is export-restricted from distribution
 to persons who are not citizens or permanent residents in the U.S. or
 Canada without an export license.  No such license has been obtained
 (nor would one likely be granted unless the RSA key exchange were
 shortened to 512 bits and the symmetric cipher changed to something
 weaker than DES.  There are some suggestions that this situation may
 change now that Clinton is in office.)  The author requests in the
 README file that this law not be violated:

 #Please do not export the cryptographic code in this distribution
 #outside of the USA or Canada.  This is a personal request from me,
 #the author of RIPEM, and a condition of your use of RIPEM.

 Note that RSAREF is not in the public domain, and a license for it is
 included with the distribution.  You should read it before using
 RIPEM.

 RIPEM is available via anonymous FTP to citizens and permanent
 residents in the U.S. from rsa.com; cd to rsaref/ and read the README
 file for info.  Note that the non-RSAREF portion of RIPEM is not a
 product of RSA Data Security, Incorporated; they merely are helping
 distribute it.

 RIPEM, as well as some other crypt stuff, has its "home site" on
 ripem.msu.edu, which is open to non-anonymous FTP for users in the
 U.S. and Canada who are citizens or permanent residents.  To find out
 how to obtain access, FTP there, cd to pub/crypt/, and read the file
 GETTING_ACCESS.  For convenience, binaries for many architectures are
 available here in addition to the full source tree.

3)  Will RIPEM run on my machine?

 Probably.  It has already been ported to MS-DOS and most flavors of
 Unix (SunOS, NeXT, Linux, AIX, ULTRIX, Solaris, etc.)  Ports to
 Macintosh include a standard UNIX-style port and a rather nice
 Mac-like port written by Raymond Lau, author of StuffIt.  More ports
 are expected, and help from users is invited.

4)  Will RIPEM work with my mailer?

 Probably.  How easy and clean the effective interface is will depend
 on the sophistication and modularity of the mailer, though.  The users
 guide, included with the distribution, discusses ways to use RIPEM
 with many popular mailers, including Berkeley, mush, Elm, and MH.
 Code is also included in elisp to allow easy use of RIPEM inside GNU
 Emacs.

 If you make a new interface for RIPEM or create an improvement on one
 in the distribution which you believe is convenient to use, secure,
 and may be useful to others, feel free to post it to alt.security.ripem.

5)  What is RSA?

 RSA is a crypto system which is asymmetric, or public-key.  This means
 that there are two different, related keys: one to encrypt and one to
 decrypt.  Because one cannot (reasonably) be derived from the other,
 you may publish your encryption, or public, key widely and keep your
 decryption, or private, key to yourself.  Anyone can use your public
 key to encrypt a message, but only you hold the private key needed to
 decrypt it.  Note that the "message" sent with RSA is normally just
 the DES key to the real plaintext. (See "What is DES?")

 Note that the above only provides for disclosure protection.  For
 originator authenticity, message integrity, and non-repudiation of
 origin services to be implemented, the fingerprint of the message
 (See "What is a fingerprint, like MD5?") is encrypted with the
 sender's private key.  The recipient, or a dispute-resolving
 authority, can use the sender's public key to decrypt it and confirm
 that the message must have come from the sender and was not altered.

 RSA was named for the three men (Rivest, Shamir and Adleman) who
 invented it.  To find out lots more about RSA and modern cryptography
 in general, ftp to rsa.com and look in pub/faq/.  Some information
 also may be in sci.crypt.

6)  What is DES?

 DES is the Data Encryption Standard, a widely used symmetric, or
 secret-key, crypto system.  Unlike RSA, DES uses the same key to
 encrypt and decrypt messages.  However, DES is much faster than RSA.

 RIPEM uses both DES and RSA; it generates a random key and encrypts
 your mail with DES using that key.  It then encrypts that key with the
 recipient's public RSA key and includes the result in the letter,
 allowing the recipient to recover the DES key.

 DES is sometimes considered weak because it is somewhat old and uses a
 key length considered too short by modern standards.  However, it
 should be reasonably safe against an opponent smaller than a large
 corporation or government agency.  It is not likely that the PEM
 standard will incorporate support for other symmetric ciphers in the
 near future, because there is a strong feeling that PEM should be
 stable so it can become utilized widely without early problems with
 interoperability.

7)  What is a fingerprint, like MD5?

 MD5 is a message digest algorithm produced by RSA Data Security Inc.
 It provides a 128-bit fingerprint, or cryptographically secure hash,
 of the plaintext.  It is cryptographically secure because it is not
 possible (in a reasonable amount of computation) to produce a
 different plaintext which produces the same fingerprint.  Thus,
 instead of signing the entire message with the sender's private key,
 only the MD5 of the message needs to be signed for authentication.

 MD5s can also be exchanged directly for authentication; for example,
 RIPEM public keys include an MD5 of the public key in the file, so
 parties wishing to confirm their keys are authentic via a separate
 channel need only exchange MD5s of keys and verify that they match.

 MD5 is sometimes used for other purposes; for example, it is often
 used to map an input of arbitrary length to 128 bits of data, as a
 passphrase interpreter or cookie generator.

 MD5 is described in its entirety (including an implementation in C) in
 RFC 1321.

 There have been some recent suggestions that MD5 may not be as strong
 a hash as was originally believed; presumably some other hash
 function will be used if this is accepted as true.
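 The following is an added example, not code from RIPEM or RSAREF, that
 walks through the message flow described in questions 5 through 7: a
 fresh per-message key is wrapped with the recipient's RSA public key,
 the body is encrypted under that key, the MD5 of the body is signed
 with the sender's RSA private key, and a public key is reduced to an
 MD5 fingerprint for comparison over a separate channel.  Everything in
 it is an assumption made for illustration: the RSA keys are unpadded
 textbook keys built from known Mersenne primes, the symmetric cipher is
 an MD5-keystream stand-in for DES, and the key encoding that is
 fingerprinted is a simple "e:n" text form rather than RIPEM's key file
 format.

```python
"""Toy walk-through of the RIPEM/PEM message flow (questions 5-7).
Added example, not RIPEM or RSAREF code.  Textbook RSA with no padding
and an MD5-keystream stand-in for DES: illustration only, not for real use."""
import hashlib
import os


def rsa_keygen(p, q, e=65537):
    """Textbook RSA key pair from two primes.  Returns (public, private),
    each as an (exponent, modulus) tuple.  Real keys use large random primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # raises ValueError if e and phi are not coprime
    return (e, n), (d, n)


def rsa_apply(key, m):
    """One RSA operation, m^k mod n.  The same operation wraps a key (public
    key) and signs a digest (private key), which is how PEM uses RSA."""
    k, n = key
    if not 0 <= m < n:
        raise ValueError("value does not fit under the modulus")
    return pow(m, k, n)


def stream_xor(key, data):
    """Stand-in for DES (NOT DES): XOR with a keystream derived from
    MD5(key || block counter).  As with any symmetric cipher, the same call
    both encrypts and decrypts.  Used only to keep the example dependency-free."""
    out = bytearray()
    for offset in range(0, len(data), 16):
        block = hashlib.md5(key + offset.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 16], block))
    return bytes(out)


def key_fingerprint(pub):
    """MD5 fingerprint of a public key for out-of-band comparison (question 7).
    RIPEM hashes the key as stored in its key file; the 'e:n' text encoding
    hashed here is our own convention for the example."""
    e, n = pub
    return hashlib.md5(f"{e}:{n}".encode()).hexdigest()


def seal(plaintext, sender_priv, recipient_pub):
    """Sender side: random 8-byte session key (a DES key is 8 bytes), body
    encrypted under it, key wrapped with the recipient's public key, and the
    MD5 of the plaintext signed with the sender's private key."""
    session_key = os.urandom(8)
    body = stream_xor(session_key, plaintext)
    wrapped_key = rsa_apply(recipient_pub, int.from_bytes(session_key, "big"))
    digest = int.from_bytes(hashlib.md5(plaintext).digest(), "big")
    signature = rsa_apply(sender_priv, digest)
    return {"body": body, "wrapped_key": wrapped_key, "signature": signature}


def open_message(msg, recipient_priv, sender_pub):
    """Recipient side: unwrap the session key, decrypt, recompute the MD5 and
    compare it with the value recovered from the signature.
    Returns (plaintext, signature_ok)."""
    session_key = rsa_apply(recipient_priv, msg["wrapped_key"]).to_bytes(8, "big")
    plaintext = stream_xor(session_key, msg["body"])
    digest = int.from_bytes(hashlib.md5(plaintext).digest(), "big")
    signature_ok = rsa_apply(sender_pub, msg["signature"]) == digest
    return plaintext, signature_ok


def demo():
    """Round trip plus one tampered ciphertext.  Returns
    (recovered plaintext, signature ok, signature ok after tampering)."""
    # Known Mersenne primes; each modulus exceeds 2**128, so a 128-bit MD5
    # value fits under it without padding.  Toy sizes, not real key sizes.
    sender_pub, sender_priv = rsa_keygen(2**89 - 1, 2**107 - 1)
    recip_pub, recip_priv = rsa_keygen(2**61 - 1, 2**127 - 1)
    msg = seal(b"OK, let's do that.", sender_priv, recip_pub)
    plaintext, ok = open_message(msg, recip_priv, sender_pub)
    # Flip one bit of the encrypted body: the recovered text changes, so the
    # recomputed MD5 no longer matches the signed one.
    tampered = dict(msg, body=bytes([msg["body"][0] ^ 1]) + msg["body"][1:])
    _, ok_tampered = open_message(tampered, recip_priv, sender_pub)
    return plaintext, ok, ok_tampered


if __name__ == "__main__":
    print(demo())
    print(key_fingerprint(rsa_keygen(2**89 - 1, 2**107 - 1)[0]))
```

 The point to take from the tampering case is that the signature is
 over the MD5 of the plaintext, so any change to the ciphertext body,
 the wrapped key or the signature itself shows up as a digest mismatch
 at the recipient; what the signature cannot tell you is whose public
 key you are verifying against, which is why the fingerprint is
 compared over a separate channel.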

8)  What is PEM?

 PEM is Privacy Enhanced Mail, a standard for allowing transfer of
 encrypted electronic mail generated over a long period of time by a
 working group of experts.  It is described in RFCs 1421-1424; these
 documents have been approved and obsolete the old RFCs 1113-1115.

 RIPEM is not really a complete implementation of PEM, because PEM
 specifies certificates for authenticating keys, which RIPEM does not
 handle at this time.  Their addition is planned.

9)  What's this about distributing and authenticating keys?

 For a remote user to be able to send secure mail to you, she must know
 your public key.  For you to be able to confirm that the message
 received came from her, you must know her public key.  It is important
 that this information be accurate; if a "bad guy" convinces her that
 his key is in fact yours, she will send messages which he can read.

 RIPEM allows for three methods of key management: a central server,
 the distributed finger servers, and a flat file.  All three are
 described in the RIPEM users guide which is part of the distribution.
 None of them provide perfect security.  The PEM standard calls for
 key management by certificates; the addition of this feature to RIPEM
 is planned, but chicken-egg issues still exist.

10)  Isn't it a bad idea to use patented algorithms in standards like PEM?

 This issue has been considered in the standards process.  RFC 1310,
 the specification for Internet standards, has a discussion (section
 6) on what specifications for nondiscriminatory availability must be
 met for a patented method to be included in a standard.  RFC 1421
 addresses this issue with regard to the patents covering public-key
 cryptography.

 This does not, of course, mean that all questions are settled or that
 everyone is in agreement.  An interesting exchange on the use of
 patented algorithms in standards with regard to public-key
 cryptography is in the League for Programming Freedom archive
 (available via FTP: ftp.uu.net:/doc/lpf) in the files bidzos.letter
 and bidzos.response.  (Amusingly, the LPF files on ftp.uu.net are
 compressed with a patented algorithm.)

11)  What about RSADSI/PKP?

 RSA Data Security, Inc. (RSADSI) is a California-based company
 specializing in cryptographic technologies.  Public Key Partners is a
 firm which holds exclusive sub-licensing rights of the following U.S.
 patents and all of their corresponding foreign patents:

      Cryptographic Apparatus and Method
      ("Diffie-Hellman")............................... No. 4,200,770

      Public Key Cryptographic Apparatus
      and Method ("Hellman-Merkle").................... No. 4,218,582

      Cryptographic Communications System and
      Method ("RSA")................................... No. 4,405,829

      Exponential Cryptographic Apparatus
      and Method ("Hellman-Pohlig").................... No. 4,424,414

 PKP claims these four patents cover all known methods of public key
 cryptography.  The two businesses are rather closely related (for
 example, the same person, Jim Bidzos, is president of both of them.)
 PKP has licensed this technology to a considerable number of
 companies (IBM, DEC, Motorola, AT&T, Lotus...) for use in their
 products.  PKP has also threatened and filed lawsuits defending their
 patents.

 RIPEM was originally created with no connection to RSADSI other than
 its use of the RSAREF library, and for no reason other than its
 author's desire to see widespread use of public-key cryptography.
 However, after the ball started rolling, people at RSADSI got
 interested.  RSADSI decided to carry RIPEM on its FTP site, and some
 people there started making their own RIPEM keys and contributing
 code.  RIPEM even won the "Best Application Built on RSAREF in 1992"
 award.

12)  Why do all RIPEM public keys look very similar?

 RIPEM public keys begin with a PKCS (Public-Key Cryptography
 Standards) identifier describing various characteristics about the
 key, so the first bunch of characters in your key may be the same as
 those of lots of other people's keys.  This does not mean your keys
 are similar, but only that they are the same class of key, were
 generated with the same program, are of the same length, etc.

13)  What is PGP?

 PGP is another cryptographic mail program called Pretty Good Privacy.
 PGP has been around longer than RIPEM, and works somewhat differently.
 PGP is not compatible with RIPEM in any way, though PGP does also use RSA.

 A few major differences between PGP and RIPEM:

 - PGP has more key management features, particularly for users without
   a direct network connection.

 - RIPEM conforms to the PEM RFCs and thus has a greater probability
   of working with other PEM software.  PGP makes no attempt to be
   compatible with anything other than itself.

 - RIPEM uses RSAREF, a library of RSA routines from RSADSI which
   comes with a license allowing noncommercial use.  PGP uses its own
   implementation of RSA.  PKP claims that it is a violation of its
   patents to "make, use or sell" PGP in the U.S. or Canada without
   either a license or written permission.  (See: "DISCLAIMER")
   (See: "What about RSADSI/PKP?")  Phil Zimmermann, the author of
   PGP, stopped distributing it after being threatened with legal
   action; he believed that a licensing scheme could be arranged, but
   it hasn't happened and there seems little prospect of it happening
   in the future.  He acknowledges in the PGP User's Guide:

   #In fact, if you live in the USA, and you are not a Federal agency, 
   #you shouldn't actually run PGP on your computer, because Public
   #Key Partners wants to forbid you from running my software.  PGP is
   #contraband.

 - Both PGP and RIPEM are export-restricted, and cannot be sent outside
   the U.S. and Canada without an export license.  However, PGP
   already exists on many ftp sites in Europe and other places.

 Whether you use PGP or RIPEM or whatever, the documentation to PGP is
 recommended reading to anyone interested in such issues.
 Unfortunately, it's not distributed separately from the program,
 which can be difficult to find in the U.S. on FTP sites due to
 liability concerns.

14)  What about RPEM?

 RPEM stands for Rabin Privacy Enhanced Mail.  It was similar to RIPEM,
 but used a public-key cipher invented by Rabin (which is not RSA) in
 an attempt to avoid the patents on public-key systems.  It was
 written by Mark Riordan, who later wrote RIPEM.

 Its distribution was halted when, contrary to the beliefs of many
 (including Rabin), PKP claimed that their patents were broad enough
 to cover the cipher employed.  This claim is not universally
 accepted, but was not challenged for pragmatic reasons.

 RPEM is not really used anymore.  It is not compatible with RIPEM or PGP.

15)  What is MIME?

 MIME stands for Multipurpose Internet Mail Extensions, and is
 described in RFC 1341.  You can find out about it in the newsgroup
 comp.mail.mime; a FAQ exists on it.  How PEM should interact with
 MIME is not yet entirely clear; some people use the stopgap solution
 of having a MIME type application/x-ripem in order to send RIPEM
 messages as MIME ones.  I hope some standards will emerge.  Draft
 Internet documents exist on the matter.

16)  What is TIS/PEM?

 Trusted Information Systems is working on a version of Privacy
 Enhanced Mail for general availability.  Last I heard, it was
 rumored to be integrated into an existing mail user agent (MH)
 rather than a stand-alone system, and in beta test.  I don't know
 much more than that.

17)  I have this simple way to defeat the security of RIPEM...

 You may wish to check the companion post "ripem-attacks" which
 discusses some of the more obvious attacks on RIPEM's security and
 what procedures will minimize the risk.  RIPEM's main "weak area" is
 probably key distribution.

Newsgroup: sci.crypt
document_id: 14832
From: mvanheyn@cs.indiana.edu (Marc VanHeyningen)
Subject: RIPEM Frequently Noted Vulnerabilities

Archive-name: ripem/attacks
Last-update: 31 Mar 93 21:00:00 -0500

SOME POSSIBLE ATTACKS ON RIPEM
------------------------------

This is a living list of potential weaknesses to keep your eyes open
for when using RIPEM for secure electronic mail.  It does not go into
great detail, and is almost certainly not exhaustive.  Obviously, many
of the weaknesses are weaknesses of cryptographically secured mail in
general, and will pertain to secure mail programs other than RIPEM.
It is maintained by Marc VanHeyningen <mvanheyn@cs.indiana.edu>.  It
is posted monthly to a variety of news groups; followups pertaining
specifically to RIPEM should go to alt.security.ripem.

CRYPTANALYSIS ATTACKS
---------------------

- Breaking RSA would allow an attacker to find out your private key,
  in which case he could read any mail encrypted to you and sign
  messages with your private key.

  RSA is generally believed to be resistant to all standard
  cryptanalytic techniques.  Even a standard key (about 516 bits with
  RIPEM) is long enough to render this impractical, barring a
  huge investment in hardware or a breakthrough in factoring.

- Breaking DES would allow an attacker to read any given message,
  since the message itself is encrypted with DES.  It would not allow
  an attacker to claim to be you.

  DES has only 56 bits in its key, and thus could conceivably be
  compromised by brute force with sufficient hardware, but few agencies
  have such money to devote to simply reading one message.  Since each
  message has a different DES key, the work for each message would
  remain high.

KEY MANAGEMENT ATTACKS
----------------------

- Stealing your private key would allow the same benefits as breaking
  RSA.  To safeguard it, it is encrypted with a DES key which is derived
  from a passphrase you type in.  However, if an attacker can get a copy
  of your private keyfile and your passphrase (by snooping network
  packets, tapping lines, or whatever) he could break the whole scheme.

  The main risk is that of transferring either the passphrase or the
  private key file across an untrusted link.  So don't do that.  Run 
  RIPEM on a trusted machine, preferably one sitting right in front of
  you.  Ideally, your own machine in your own home (or maybe office)
  which nobody else has physical access to.

- Fooling you into accepting a bogus public key for someone else could 
  allow an opponent to deceive you into sending secret messages to him
  rather than to the real recipient.  If the enemy can fool your
  intended recipient as well, he could re-encrypt the messages with
  the other bogus public key and pass them along.

  It is important to get the proper public keys of other people.
  The most common mechanism for this is finger; assuming the opponent
  has not compromised routers or daemons or such, finger can be 
  given a fair amount of trust.  The strongest method of key
  authentication is to exchange keys in person; however, this is
  not always practical.  Having other people "vouch for you" by
  signing a statement containing your key is possible, although 
  RIPEM doesn't have features for doing this as automatically as
  PGP.  RIPEM does generate and check MD5 fingerprints of public keys
  in the key files; they may be exchanged via a separate channel for
  authentication.

PLAYBACK ATTACKS
----------------

- Even if an opponent cannot break the cryptography, an opponent could
  still cause difficulties.  For example, suppose you send a message
  with MIC-ONLY (a PEM mode which does not provide disclosure protection)
  to Alice which says "OK, let's do that." Your opponent intercepts
  it, and now resends it to Bob, who now has a message which is
  authenticated as from you telling him to do that.  Of course, he may
  interpret it in an entirely different context.  Or your opponent
  could transmit the same message to the same recipient much later,
  figuring it would be seen differently at a later time.  Or the
  opponent could change the Originator-Name: to himself, register 
  your public key as his, and send a message hoping the recipient
  will send him return mail indicating (perhaps even quoting!) the
  unknown message.

  To defeat playback attacks, the plaintext of each message should 
  include some indication of the sender and recipient, and a unique
  identifier (typically the date).  A good front-end script for RIPEM
  should do this automatically (IMHO).  As a recipient, you should be
  sure that the Originator-Name: header and the sender indicated within
  the plaintext are the same, that you really are a recipient, and that
  the message is not an old one.  Some of this can and should be
  automated as well.  The author of this FAQ has made a modest attempt at
  automating the process of generating and checking encapsulated
  headers; the programs are included in the standard distribution in
  the utils directory.
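  As an added illustration of the scheme just described (example code
  written for this reprint, not the utils programs shipped with RIPEM),
  the following generates encapsulated headers inside the plaintext and
  checks them on receipt: inner sender against the outer Originator-Name:,
  recipient membership, freshness, and a replay cache.  The X-... header
  names, the three-day freshness window and the message-id line are
  assumptions for the example.

```python
import email.utils
import time
import uuid

# Header names inside the plaintext are an assumption for this example,
# not RIPEM's own format.
SENDER_HDR = "X-Sender"
RECIPIENTS_HDR = "X-Recipients"
DATE_HDR = "X-Date"
ID_HDR = "X-Message-ID"


def encapsulate(sender, recipients, body, now=None, msg_id=None):
    """Prefix the plaintext with sender, recipient, date and unique-id lines.

    These lines are covered by the MIC (and by encryption, if used), so an
    opponent who resends the message to someone else, or much later, cannot
    strip the original context from it."""
    if now is None:
        now = time.time()
    if msg_id is None:
        msg_id = uuid.uuid4().hex
    headers = [
        "%s: %s" % (SENDER_HDR, sender),
        "%s: %s" % (RECIPIENTS_HDR, ", ".join(recipients)),
        "%s: %s" % (DATE_HDR, email.utils.formatdate(now, usegmt=True)),
        "%s: %s" % (ID_HDR, msg_id),
    ]
    return "\n".join(headers) + "\n\n" + body


def parse_headers(plaintext):
    """Split the encapsulated header block from the body; (None, text) if absent."""
    head, sep, body = plaintext.partition("\n\n")
    if not sep:
        return None, plaintext
    headers = {}
    for line in head.splitlines():
        name, colon, value = line.partition(":")
        if not colon:
            return None, plaintext
        headers[name.strip()] = value.strip()
    return headers, body


def check(plaintext, originator_name, me, seen_ids,
          max_age=3 * 24 * 3600, clock_skew=300, now=None):
    """Return the list of problems found (empty list means accept).

    originator_name is the value of the outer PEM Originator-Name: header,
    me is the checking recipient's own address, and seen_ids is a set of
    message ids already accepted (the id is added when the message passes)."""
    if now is None:
        now = time.time()
    headers, _body = parse_headers(plaintext)
    if headers is None:
        return ["no encapsulated headers in plaintext"]
    problems = []
    # The signed inner sender must agree with the outer Originator-Name:.
    if headers.get(SENDER_HDR, "").lower() != originator_name.lower():
        problems.append("inner sender does not match Originator-Name")
    # You must actually be one of the people the message was written to.
    recipients = [r.strip().lower()
                  for r in headers.get(RECIPIENTS_HDR, "").split(",")]
    if me.lower() not in recipients:
        problems.append("you are not a listed recipient")
    # The message must be recent: no stale copies resent later.
    date_str = headers.get(DATE_HDR)
    stamp = email.utils.parsedate_tz(date_str) if date_str else None
    if stamp is None:
        problems.append("missing or unparseable date")
    else:
        sent = email.utils.mktime_tz(stamp)
        if sent > now + clock_skew:
            problems.append("date is in the future")
        elif now - sent > max_age:
            problems.append("message is too old")
    # The same message must not be accepted twice.
    msg_id = headers.get(ID_HDR)
    if not msg_id:
        problems.append("missing message id")
    elif msg_id in seen_ids:
        problems.append("message id already seen (replay)")
    if not problems:
        seen_ids.add(msg_id)
    return problems


if __name__ == "__main__":
    # Constructed sample: Alice writes to Bob, the opponent forwards to Dave.
    msg = encapsulate("alice@example.com", ["bob@example.com"], "OK, let's do that.")
    print("Bob:", check(msg, "alice@example.com", "bob@example.com", set()))
    print("Dave:", check(msg, "alice@example.com", "dave@example.com", set()))
```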

LOCAL ATTACKS
-------------

- Clearly, the security of RIPEM cannot be greater than the security of
  the machine where the encryption is performed.  For example, under
  UNIX, a super-user could manage to get at your encrypted mail,
  although it would take some planning and effort to do something like
  replace the RIPEM executable with a Trojan horse or to get a copy of
  the plaintext, depending on how it's stored.

  In addition, the link between you and the machine running RIPEM is
  an extension of that.  If you decrypt with RIPEM on a remote machine
  which you are connected to via network (or, worse yet, modem), an
  eavesdropper could see the plaintext (and probably also your
  passphrase).

  RIPEM should only be executed on systems you trust, obviously.  In
  the extreme case, RIPEM should only be used on your own machine,
  which you have total control over and which nobody else has access
  to, which has only carefully examined software known to be free of
  viruses, and so on.  However, there's a very real trade-off between
  convenience and security here.

  A more moderately cautious user might use RIPEM on a UNIX workstation
  where other people have access (even root access), but increase
  security by keeping private keys and the (statically linked, of
  course) executable on a floppy disk.

  Some people will keep RIPEM on a multi-user system, but when dialing
  in over an insecure line, they will download the message to their
  own system and perform the RIPEM decryption there.  However, the
  security provided by such a mechanism is somewhat illusory; since
  you presumably type your cleartext password to log in, you've just
  given away the store, since the attacker can now log in as you and
  install traps in your account to steal your private key next time
  you use it from a less insecure line.  This will likely remain the
  situation as long as most systems use the rather quaint mechanism of
  cleartext password authentication.

  I find it nice to put a brief statement of how carefully I manage my
  security arrangement in my .plan next to my public key, so that
  potential correspondents can be aware what level of precautions are
  in place.  Some people use two keys, a short one which is not
  carefully managed for ordinary use and a longer one which is treated
  with greater care for critical correspondence.

UNTRUSTED PARTNER ATTACKS
-------------------------

- RIPEM's encryption will ensure that only a person with the private key
  corresponding to the public key used to encrypt the data may read the
  traffic.  However, once someone with that key gets the message, she
  may always make whatever kind of transformations she wishes.  There 
  exist no cryptographic barriers to a recipient, say, taking an
  ENCRYPTED message and converting it to a MIC-ONLY message, signed by
  you and readable by anyone, although RIPEM does not provide this
  functionality.  Indeed, the latest PEM draft I have seen specifically
  states that such transformations should be possible to allow
  forwarding functions to work.
 
  Including the recipients in the plaintext, as mentioned above, will
  make it possible for recipients of a redistributed message to be aware
  of its original nature.  Naturally, the security of the cryptography
  can never be greater than the security of the people using it.

Newsgroup: sci.crypt
document_id: 14982
From: Jim-Miller@suite.com
Subject: Certifying Authority question answered.

>>If you have access to FTP, try FTPing to rsa.com, login as anonymous.
>>There are several documents there, including a "frequently asked questions
>>about today's cryptography" document.  It has FAQ in its name.
>>I believe this document explains the idea behind the certifying authorities.
>>
>>Good luck
>>
>>--John Kelsey, c445585@mizzou1.missouri.edu

Thanks.  I've ftp'ed the FAQ file and it is just what I was looking for.

Jim-Miller@suite.com

Newsgroup: sci.crypt
document_id: 14983
From: C445585@mizzou1.missouri.edu (John Kelsey)
Subject: "Rubber-hose cryptanalysis"

   Some sick part of me really liked that phrase....
 
   Actually, merely the threat of a *long* prison sentence, even without
a beating, can get most people to give in.  Especially if it's also
punctuated with a trip to the county jail, where one just happens to get
locked up with all the drunk/stoned/crazy folks that are too violent to be
left in cells with other people....

Newsgroup: sci.crypt
document_id: 14984
From: grady@netcom.com (1016/2EF221)
Subject: Declassifying media

There are many Urban Legends (maybe this ought to be in the Crypt 
FAQ?) about what is actually sufficient to clear or declassify 
magnetic media when used for classified data.  Here is some 
information "from the horse's mouth".

(Regarding the sufficient overwriting of media ("clearing") meant to 
be *retained* within the controlled environment, or declassifying 
the material to be reused *outside* the controlled environment,)

From National Telecommunications and Information Systems 
Security (NTISS) "Advisory Memorandum on Office Automation 
Security Guidelines"  (NTISSAM COMPUSEC/1/87):

------

"7.6.2.1 Clearing of Magnetic Media

Certain types of removable media (e.g., magnetic tape, floppy disk, 
cassettes, and magnetic cards) may be cleared by overwriting the 
entire media one time with any one character.  Floppy disks may be 
cleared by applying a vendor's formatting program that overwrites 
each location with a given character.

Fixed media (e.g., Winchester disks) should be cleared by overwriting 
at least one time with any one character.  One way to do this is by 
applying a vendor-supplied formatting program that overwrites each 
location on the disk with a given character, if it can be shown that 
this program actually works as advertised.  The user should beware: 
some programs that purport to overwrite all locations do not 
actually do this.

Cleared media may reside within the controlled facility or 
released for destruction; however, they should be marked and 
controlled at the level of the most restrictive sensitivity of 
information ever recorded.

7.6.2.2 Declassification of Magnetic Media

Certain types of removable media can be declassified using a 
degaussing device that has been approved for declassifying media of 
that type.  (A list of approved devices is maintained by the NSA.)

If a fixed medium (for example, a hard, or Winchester, disk) is 
operative, an approved method of declassifying the disk pack is to 
employ an overwrite procedure which must overwrite all 
addressable locations at least three times by writing any character, 
then its complement (e.g., binary ones and binary zeros) 
alternatively.

When fixed media become inoperative, it is impossible to declassify 
the media by the overwrite method.  In this case, there are two 
alternate procedures that may be used: (1) disassemble the disk 
pack, and degauss each platter with the appropriate approved 
degaussing equipment; and (2) courier the inoperative media to the 
vendor's facility, have the magnetic media (e.g., disk platter) 
removed in sight of the courier and returned to the courier for 
destruction at the secure site.  The vendor can then install new 
platters and repair any other problems with the disk unit.

7.6.3 Destruction of Magnetic Media"

[see DoD Computer Security Center, "Department of Defense Magnetic 
Remanence Security Guideline", CSC-STD-003-85  FOR OFFICIAL USE 
ONLY]

------

This and many other interesting documents (many that are more 
informative than probably intended) on computer security procedures 
can be obtained (free) from:

Executive Secretary
National Telecommunications and Informations
  Systems Security Committee
National Security Agency
Fort George G. Meade, MD  20755-6000

Write them!  It's fun to be on the NSA's mailing list... 

-- 
grady@netcom.com  2EF221 / 15 E2 AD D3 D1 C6 F3 FC  58 AC F7 3D 4F 01 1E 2F
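To make the memo's overwrite procedure concrete, here is an added Python
sketch (not from the memo, the NSA or any vendor) that performs the
alternating character/complement passes over a file and reads each pass
back, which is the check the "user should beware" warning calls for.  The
block size, fill byte and temp-file sample are assumptions.

```python
import os
import tempfile

BLOCK = 64 * 1024  # assumed write/read chunk size


def overwrite_pass(fd, size, fill):
    """Write one byte value over every addressable byte of the file, flush
    it to the OS, then read the whole file back and confirm each byte.

    Reading back through the filesystem proves what the program wrote, not
    what reached the medium: remapped sectors, caches and journals are out
    of reach, which is why the memo falls back to degaussing or destruction
    for media that cannot be fully addressed."""
    pattern = bytes([fill]) * BLOCK
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        remaining -= os.write(fd, pattern[:min(BLOCK, remaining)])
    os.fsync(fd)
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        chunk = os.read(fd, min(BLOCK, remaining))
        if not chunk or chunk != bytes([fill]) * len(chunk):
            return False
        remaining -= len(chunk)
    return True


def clear_file(path, passes=3, fill=0x55):
    """Overwrite path `passes` times, alternating fill and its complement
    (the memo's 'any character, then its complement').  Returns the number
    of passes that verified; anything short of `passes` means a pass did
    not read back as written and the file must not be treated as cleared."""
    size = os.path.getsize(path)
    fd = os.open(path, os.O_RDWR | getattr(os, "O_BINARY", 0))
    verified = 0
    try:
        for i in range(passes):
            value = fill if i % 2 == 0 else (~fill) & 0xFF
            if not overwrite_pass(fd, size, value):
                break
            verified += 1
    finally:
        os.close(fd)
    return verified


def demo():
    """Constructed sample: a temp file holding 60000 bytes of 'sensitive'
    data; returns (verified passes, final file contents)."""
    fd, path = tempfile.mkstemp()
    os.write(fd, b"SECRET DATA " * 5000)
    os.close(fd)
    try:
        passes = clear_file(path)
        with open(path, "rb") as f:
            final = f.read()
    finally:
        os.unlink(path)
    return passes, final


if __name__ == "__main__":
    n, data = demo()
    print("verified passes:", n, "final byte:", hex(data[0]))
```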


Newsgroup: sci.crypt
document_id: 14985
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: Hard drive security for FBI targets

	From: res@colnet.cmhnet.org (Rob Stampfli)

	>separate locations to gain credibility. If they are seized and you are
	>compelled to decrypt it, you simply explain that you are an amateur
	>cryptologist playing around with one time pads, and that the first
	>file is the pad for the second. They XOR the two files, and sure
	>enough, out pops a copy of "War and Peace".

	So, judging from recent history, at this point they drop the original
	charges, preemptively find you guilty of copyright violations, and seize
	your computer, your home, and your financial reserves under federal
	forfeiture laws.

Ah no - what *really* happens is that they turn up at the court with
*another* file which when exored with your document gives up the famous
E911 document :-)  [And I tell you, some judges would fall for it...]

G

Newsgroup: sci.crypt
document_id: 14986
From: warlord@MIT.EDU (Derek Atkins)
Subject: Re: disk safety measure?

-----BEGIN PGP SIGNED MESSAGE-----

In article <1pq0re$gc2@network.ucsd.edu> loki@sdphu3.ucsd.edu (Lance M Cottrell) writes:

   BTW I have not been able to get pgp to produce a signature
   that I can attatch to the end of this message.  What is 
   the procedure?  Thanks.

try:
	pgp -sat +clearsig=on

This will do the clearsig signing...

Enjoy!

- -derek

PGP 2 key available upon request on the key-server:
	pgp-public-keys@toxicwaste.mit.edu

--
  Derek Atkins, MIT '93, Electrical Engineering and Computer Science
     Secretary, MIT Student Information Processing Board (SIPB)
           MIT Media Laboratory, Speech Research Group
           warlord@MIT.EDU       PP-ASEL        N1NWH

Newsgroup: sci.crypt
document_id: 14987
From: neuhaus@bloch.informatik.uni-kl.de (Stephan Neuhaus (HiWi Mattern))
Subject: Re: PGP 2.2: general comments

neuhaus@vier.informatik.uni-kl.de (Stephan Neuhaus (HiWi Mattern)) writes:

>[Lots of stuff.]

I hate to follow up to my own posting, but I should perhaps clarify
some things so I won't get flamed.

First of all, when I'm talking about ``factoring the modulus'' or a
``breakthrough in factoring'', what I really mean is a breakthrough in
the cryptanalysis of RSA.  I know that factoring and breaking RSA are
not proven to be equivalent; it's just so damn convenient not to
repeat this every time.

I also have to admit that I don't really know if the ``non-group''
property of a cipher is essential only for key chaining.  I have
thought about it a little while, but I can't find a way that a
cryptanalyst could exploit a group structure.  That, of course, means
nothing at all.

Then I wrote,

>Please note that as long as it is much harder to factor a RSA modulus
>than it is to generate it, the increase in computer speed alone will
>keep key lengths and modulus factoring in lock-step, i.e., people will
>simply start using longer moduli and still be safe.

What I meant was that as long as the only advantage of the
cryptanalyst is a faster computer, then we will probably have RSA for
a long time to come, because even if 1024-bit moduli somehow could be
broken with fast computers (not with a new algorithm), then people
would simply use longer moduli.  Both users and cryptanalysts benefit
from better technology in the same way.

Hope this keeps the flames away...  Have fun.

-- 
Stephan <neuhaus@informatik.uni-kl.de>
sig closed for inventory.  Please leave your pickaxe outside.
PGP 2.2 public key available on request.  Note the expiration date.

Newsgroup: sci.crypt
document_id: 14988
From: WHMurray@DOCKMASTER.NCSC.MIL
Subject: Licensing.....


>This thread brings up the more general question.  Can any crypto
>implementation for which highly publicly scrutinized source code is not
>available EVER be trusted?

After IBM had invented the DES and the NBS had advertised for proposals,
but before IBM had decided to respond, I argued strenuously that they 
should not; they should keep it proprietary. 

The biggest proponent of proposing was Dr. Lewis Branscomb.  Dr. Branscomb
was the IBM Chief Scientist and had come to IBM from NBS.  Fortunately
for all of us, Dr. Branscomb understood the answer to the above question
much better than I.  He realized how difficult it would be to gain
acceptance for any cryptographic mechanism.  Because of the necessary
complexity, publicity would not be sufficient and neither would 
authority.  In fact, it has taken both of those plus more than 15 
years.

We have also had independence.  The DES was solicited by NBS, invented
and proposed by IBM, and vetted by NBS.  It has also been examined and
vetted by experts like Adi Shamir, who are not subject to influence by
any of these.

Even now, there are still people posting on this list who do not trust
the DES in spite of all the time, all of the analysis, and all of the
public scrutiny.

(Of course, it is just this point that NIST misses when it attempts to 
gain acceptance for a novel mechanism, developed in secret, on the basis
of authority alone.)

We had a long thread here about whether or not the NSA can "break" the
DES.  That is a silly question.  At some cost and in some time they
can "break" anything.  The important question is at what cost and in
what time.

The fundamental strength of the DES and RSA is not nearly so important
as what we know about their strength.  As long as we understand the
cost and duration for an attacker, then we can use them in a safe way.
At this point, we may never replace either because of the inability of
any successor to overcome this knowledge gap.

DES and RSA are among the most significant inventions of the century
and the most important inventions in the history of cryptography.
We are damned lucky to have them.

William Hugh Murray, Executive Consultant, Information System Security
49 Locust Avenue, Suite 104; New Canaan, Connecticut 06840                
1-0-ATT-0-700-WMURRAY; WHMurray at DOCKMASTER.NCSC.MIL

Newsgroup: sci.crypt
document_id: 14989
From: ho@cs.arizona.edu (Hilarie Orman)
Subject: Re: Licensing of public key implementations

With regard to your speculations on NSA involvement in the creation of
PKP, I find that it fails the test of Occam's butcher knife.  Never
attribute to conspiracy what can be explained by forthright greed.


Hilarie Orman

Newsgroup: sci.crypt
document_id: 14990
From: ken@sugra.uucp (Kenneth Ng)
Subject: Re: Identifying / Securing Files

In article <2bb29f4c@mash.boulder.co.us: rmashlan%mash@csn.org (Robert Mashlan) writes:
:tarnold@vnet.IBM.COM (Todd W. Arnold) said in article <19930322.101356.617@almaden.ibm.com>:
:>It's OK as long as you trust the end-user to stay out of your application
:>program - or as long as it runs in a system where the user can't get to it.
:>Otherwise, you can't stop him from finding the "load a module" code in your
:>program, and simply bypassing the check for a valid module.  The devious user
:>can either modify the object code before running the program, or he can run
:>the program under a debugger and change the instructions in memory.
:There is a way to foil debuggers, by clearing the single step 
:interrupt, on which a debugger depends, every few instructions in 
:the sensitive areas of the code.

This assumes the person is using the hardware debug instruction of an X86
type processor.  It can be negated by NOP'ing the clear debug instruction,
or by running the code on a machine simulator, like one I wrote as a senior
project in college.  It can bypass and trace practically anything one could
write in software.  Kind of like being on a Star Trek Holodeck :-).

-- 
Kenneth Ng
Please reply to ken@eies2.njit.edu for now.
"All this might be an elaborate simulation running in a little device sitting
on someone's table" -- J.L. Picard: ST:TNG

Newsgroup: sci.crypt
document_id: 14991
From: ninassup@athena.mit.edu (Nikos I Nassuphis)
Subject: LGA ncrypt source

I got a number of requests for code.
So, here it is.
Its written in 80x86 ASM. 
Borland TASM will do.

TASM LGA.ASM
TLINK /t LGA.OBJ


The code:

;----------------------------------------------------------------------
; LGA ncryption
; (C) by Nick Nassuphis
;----------------------------------------------------------------------

CODE	SEGMENT
	ASSUME	CS:CODE, DS:CODE
	
	ORG	100h

Start:
	JMP	Begin

;----------------------------------------------------------------------
;
; Gas particle assignment:
;
; BIT 0    particle moving EAST
; BIT 1    particle moving WEST
; BIT 2    particle moving NORTH
; BIT 3    particle moving SOUTH
;
; BIT 4    particle moving EAST
; BIT 5    particle moving WEST
; BIT 6    particle moving NORTH
; BIT 7    particle moving SOUTH
;
;
; Collision Rules:
;
; 1. Gas Rules
;
; IF (E & W) AND !(N & S) THEN (E,W)->(N,S)
; IF (N & S) AND !(E & W) THEN (N,S)->(E,W)
;
; for nibbles:
;
; 1100 -> 0011
; 0011 -> 1100
;
; and for bytes:
;
; 11000000 -> 00110000
; 00110000 -> 11000000
; 00001100 -> 00000011
; 00000011 -> 00001100
; 00110011 -> 11001100
; 00111100 -> 11000011
; 11000011 -> 00111100
; 11001100 -> 00110011
;
;
; 2. Reflection Rules
;
; just swap bits along directions
;
;----------------------------------------------------------------------

;
; This look-up table implements two particle collisions
; for the HPP lattice gas
;
HPPRule:
DB   00000000B   ;00000000
DB   00000001B   ;00000001
DB   00000010B   ;00000010
DB   00001100B   ;00000011
DB   00000100B   ;00000100
DB   00000101B   ;00000101
DB   00000110B   ;00000110
DB   00000111B   ;00000111
DB   00001000B   ;00001000
DB   00001001B   ;00001001
DB   00001010B   ;00001010
DB   00001011B   ;00001011
DB   00000011B   ;00001100
DB   00001101B   ;00001101
DB   00001110B   ;00001110
DB   00001111B   ;00001111
DB   00010000B   ;00010000
DB   00010001B   ;00010001
DB   00010010B   ;00010010
DB   00011100B   ;00010011
DB   00010100B   ;00010100
DB   00010101B   ;00010101
DB   00010110B   ;00010110
DB   00010111B   ;00010111
DB   00011000B   ;00011000
DB   00011001B   ;00011001
DB   00011010B   ;00011010
DB   00011011B   ;00011011
DB   00010011B   ;00011100
DB   00011101B   ;00011101
DB   00011110B   ;00011110
DB   00011111B   ;00011111
DB   00100000B   ;00100000
DB   00100001B   ;00100001
DB   00100010B   ;00100010
DB   00101100B   ;00100011
DB   00100100B   ;00100100
DB   00100101B   ;00100101
DB   00100110B   ;00100110
DB   00100111B   ;00100111
DB   00101000B   ;00101000
DB   00101001B   ;00101001
DB   00101010B   ;00101010
DB   00101011B   ;00101011
DB   00100011B   ;00101100
DB   00101101B   ;00101101
DB   00101110B   ;00101110
DB   00101111B   ;00101111
DB   11000000B   ;00110000
DB   11000001B   ;00110001
DB   11000010B   ;00110010
DB   11001100B   ;00110011
DB   11000100B   ;00110100
DB   11000101B   ;00110101
DB   11000110B   ;00110110
DB   11000111B   ;00110111
DB   11001000B   ;00111000
DB   11001001B   ;00111001
DB   11001010B   ;00111010
DB   11001011B   ;00111011
DB   11000011B   ;00111100
DB   11001101B   ;00111101
DB   11001110B   ;00111110
DB   11001111B   ;00111111
DB   01000000B   ;01000000
DB   01000001B   ;01000001
DB   01000010B   ;01000010
DB   01001100B   ;01000011
DB   01000100B   ;01000100
DB   01000101B   ;01000101
DB   01000110B   ;01000110
DB   01000111B   ;01000111
DB   01001000B   ;01001000
DB   01001001B   ;01001001
DB   01001010B   ;01001010
DB   01001011B   ;01001011
DB   01000011B   ;01001100
DB   01001101B   ;01001101
DB   01001110B   ;01001110
DB   01001111B   ;01001111
DB   01010000B   ;01010000
DB   01010001B   ;01010001
DB   01010010B   ;01010010
DB   01011100B   ;01010011
DB   01010100B   ;01010100
DB   01010101B   ;01010101
DB   01010110B   ;01010110
DB   01010111B   ;01010111
DB   01011000B   ;01011000
DB   01011001B   ;01011001
DB   01011010B   ;01011010
DB   01011011B   ;01011011
DB   01010011B   ;01011100
DB   01011101B   ;01011101
DB   01011110B   ;01011110
DB   01011111B   ;01011111
DB   01100000B   ;01100000
DB   01100001B   ;01100001
DB   01100010B   ;01100010
DB   01101100B   ;01100011
DB   01100100B   ;01100100
DB   01100101B   ;01100101
DB   01100110B   ;01100110
DB   01100111B   ;01100111
DB   01101000B   ;01101000
DB   01101001B   ;01101001
DB   01101010B   ;01101010
DB   01101011B   ;01101011
DB   01100011B   ;01101100
DB   01101101B   ;01101101
DB   01101110B   ;01101110
DB   01101111B   ;01101111
DB   01110000B   ;01110000
DB   01110001B   ;01110001
DB   01110010B   ;01110010
DB   01111100B   ;01110011
DB   01110100B   ;01110100
DB   01110101B   ;01110101
DB   01110110B   ;01110110
DB   01110111B   ;01110111
DB   01111000B   ;01111000
DB   01111001B   ;01111001
DB   01111010B   ;01111010
DB   01111011B   ;01111011
DB   01110011B   ;01111100
DB   01111101B   ;01111101
DB   01111110B   ;01111110
DB   01111111B   ;01111111
DB   10000000B   ;10000000
DB   10000001B   ;10000001
DB   10000010B   ;10000010
DB   10001100B   ;10000011
DB   10000100B   ;10000100
DB   10000101B   ;10000101
DB   10000110B   ;10000110
DB   10000111B   ;10000111
DB   10001000B   ;10001000
DB   10001001B   ;10001001
DB   10001010B   ;10001010
DB   10001011B   ;10001011
DB   10000011B   ;10001100
DB   10001101B   ;10001101
DB   10001110B   ;10001110
DB   10001111B   ;10001111
DB   10010000B   ;10010000
DB   10010001B   ;10010001
DB   10010010B   ;10010010
DB   10011100B   ;10010011
DB   10010100B   ;10010100
DB   10010101B   ;10010101
DB   10010110B   ;10010110
DB   10010111B   ;10010111
DB   10011000B   ;10011000
DB   10011001B   ;10011001
DB   10011010B   ;10011010
DB   10011011B   ;10011011
DB   10010011B   ;10011100
DB   10011101B   ;10011101
DB   10011110B   ;10011110
DB   10011111B   ;10011111
DB   10100000B   ;10100000
DB   10100001B   ;10100001
DB   10100010B   ;10100010
DB   10101100B   ;10100011
DB   10100100B   ;10100100
DB   10100101B   ;10100101
DB   10100110B   ;10100110
DB   10100111B   ;10100111
DB   10101000B   ;10101000
DB   10101001B   ;10101001
DB   10101010B   ;10101010
DB   10101011B   ;10101011
DB   10100011B   ;10101100
DB   10101101B   ;10101101
DB   10101110B   ;10101110
DB   10101111B   ;10101111
DB   10110000B   ;10110000
DB   10110001B   ;10110001
DB   10110010B   ;10110010
DB   10111100B   ;10110011
DB   10110100B   ;10110100
DB   10110101B   ;10110101
DB   10110110B   ;10110110
DB   10110111B   ;10110111
DB   10111000B   ;10111000
DB   10111001B   ;10111001
DB   10111010B   ;10111010
DB   10111011B   ;10111011
DB   10110011B   ;10111100
DB   10111101B   ;10111101
DB   10111110B   ;10111110
DB   10111111B   ;10111111
DB   00110000B   ;11000000
DB   00110001B   ;11000001
DB   00110010B   ;11000010
DB   00111100B   ;11000011
DB   00110100B   ;11000100
DB   00110101B   ;11000101
DB   00110110B   ;11000110
DB   00110111B   ;11000111
DB   00111000B   ;11001000
DB   00111001B   ;11001001
DB   00111010B   ;11001010
DB   00111011B   ;11001011
DB   00110011B   ;11001100
DB   00111101B   ;11001101
DB   00111110B   ;11001110
DB   00111111B   ;11001111
DB   11010000B   ;11010000
DB   11010001B   ;11010001
DB   11010010B   ;11010010
DB   11011100B   ;11010011
DB   11010100B   ;11010100
DB   11010101B   ;11010101
DB   11010110B   ;11010110
DB   11010111B   ;11010111
DB   11011000B   ;11011000
DB   11011001B   ;11011001
DB   11011010B   ;11011010
DB   11011011B   ;11011011
DB   11010011B   ;11011100
DB   11011101B   ;11011101
DB   11011110B   ;11011110
DB   11011111B   ;11011111
DB   11100000B   ;11100000
DB   11100001B   ;11100001
DB   11100010B   ;11100010
DB   11101100B   ;11100011
DB   11100100B   ;11100100
DB   11100101B   ;11100101
DB   11100110B   ;11100110
DB   11100111B   ;11100111
DB   11101000B   ;11101000
DB   11101001B   ;11101001
DB   11101010B   ;11101010
DB   11101011B   ;11101011
DB   11100011B   ;11101100
DB   11101101B   ;11101101
DB   11101110B   ;11101110
DB   11101111B   ;11101111
DB   11110000B   ;11110000
DB   11110001B   ;11110001
DB   11110010B   ;11110010
DB   11111100B   ;11110011
DB   11110100B   ;11110100
DB   11110101B   ;11110101
DB   11110110B   ;11110110
DB   11110111B   ;11110111
DB   11111000B   ;11111000
DB   11111001B   ;11111001
DB   11111010B   ;11111010
DB   11111011B   ;11111011
DB   11110011B   ;11111100
DB   11111101B   ;11111101
DB   11111110B   ;11111110
DB   11111111B   ;11111111

;
; This rule implements the velocity reversal needed to
; run the gas evolution in reverse.  It's called a WallRule
; because it is the same as if all particles hit a wall
; head on.
;
WallRule:
DB   00000000B   ;00000000
DB   00000010B   ;00000001
DB   00000001B   ;00000010
DB   00001100B   ;00000011
DB   00001000B   ;00000100
DB   00001010B   ;00000101
DB   00001001B   ;00000110
DB   00001011B   ;00000111
DB   00000100B   ;00001000
DB   00000110B   ;00001001
DB   00000101B   ;00001010
DB   00000111B   ;00001011
DB   00000011B   ;00001100
DB   00001110B   ;00001101
DB   00001101B   ;00001110
DB   00001111B   ;00001111
DB   00100000B   ;00010000
DB   00100010B   ;00010001
DB   00100001B   ;00010010
DB   00101100B   ;00010011
DB   00101000B   ;00010100
DB   00101010B   ;00010101
DB   00101001B   ;00010110
DB   00101011B   ;00010111
DB   00100100B   ;00011000
DB   00100110B   ;00011001
DB   00100101B   ;00011010
DB   00100111B   ;00011011
DB   00100011B   ;00011100
DB   00101110B   ;00011101
DB   00101101B   ;00011110
DB   00101111B   ;00011111
DB   00010000B   ;00100000
DB   00010010B   ;00100001
DB   00010001B   ;00100010
DB   00011100B   ;00100011
DB   00011000B   ;00100100
DB   00011010B   ;00100101
DB   00011001B   ;00100110
DB   00011011B   ;00100111
DB   00010100B   ;00101000
DB   00010110B   ;00101001
DB   00010101B   ;00101010
DB   00010111B   ;00101011
DB   00010011B   ;00101100
DB   00011110B   ;00101101
DB   00011101B   ;00101110
DB   00011111B   ;00101111
DB   11000000B   ;00110000
DB   11000010B   ;00110001
DB   11000001B   ;00110010
DB   11001100B   ;00110011
DB   11001000B   ;00110100
DB   11001010B   ;00110101
DB   11001001B   ;00110110
DB   11001011B   ;00110111
DB   11000100B   ;00111000
DB   11000110B   ;00111001
DB   11000101B   ;00111010
DB   11000111B   ;00111011
DB   11000011B   ;00111100
DB   11001110B   ;00111101
DB   11001101B   ;00111110
DB   11001111B   ;00111111
DB   10000000B   ;01000000
DB   10000010B   ;01000001
DB   10000001B   ;01000010
DB   10001100B   ;01000011
DB   10001000B   ;01000100
DB   10001010B   ;01000101
DB   10001001B   ;01000110
DB   10001011B   ;01000111
DB   10000100B   ;01001000
DB   10000110B   ;01001001
DB   10000101B   ;01001010
DB   10000111B   ;01001011
DB   10000011B   ;01001100
DB   10001110B   ;01001101
DB   10001101B   ;01001110
DB   10001111B   ;01001111
DB   10100000B   ;01010000
DB   10100010B   ;01010001
DB   10100001B   ;01010010
DB   10101100B   ;01010011
DB   10101000B   ;01010100
DB   10101010B   ;01010101
DB   10101001B   ;01010110
DB   10101011B   ;01010111
DB   10100100B   ;01011000
DB   10100110B   ;01011001
DB   10100101B   ;01011010
DB   10100111B   ;01011011
DB   10100011B   ;01011100
DB   10101110B   ;01011101
DB   10101101B   ;01011110
DB   10101111B   ;01011111
DB   10010000B   ;01100000
DB   10010010B   ;01100001
DB   10010001B   ;01100010
DB   10011100B   ;01100011
DB   10011000B   ;01100100
DB   10011010B   ;01100101
DB   10011001B   ;01100110
DB   10011011B   ;01100111
DB   10010100B   ;01101000
DB   10010110B   ;01101001
DB   10010101B   ;01101010
DB   10010111B   ;01101011
DB   10010011B   ;01101100
DB   10011110B   ;01101101
DB   10011101B   ;01101110
DB   10011111B   ;01101111
DB   10110000B   ;01110000
DB   10110010B   ;01110001
DB   10110001B   ;01110010
DB   10111100B   ;01110011
DB   10111000B   ;01110100
DB   10111010B   ;01110101
DB   10111001B   ;01110110
DB   10111011B   ;01110111
DB   10110100B   ;01111000
DB   10110110B   ;01111001
DB   10110101B   ;01111010
DB   10110111B   ;01111011
DB   10110011B   ;01111100
DB   10111110B   ;01111101
DB   10111101B   ;01111110
DB   10111111B   ;01111111
DB   01000000B   ;10000000
DB   01000010B   ;10000001
DB   01000001B   ;10000010
DB   01001100B   ;10000011
DB   01001000B   ;10000100
DB   01001010B   ;10000101
DB   01001001B   ;10000110
DB   01001011B   ;10000111
DB   01000100B   ;10001000
DB   01000110B   ;10001001
DB   01000101B   ;10001010
DB   01000111B   ;10001011
DB   01000011B   ;10001100
DB   01001110B   ;10001101
DB   01001101B   ;10001110
DB   01001111B   ;10001111
DB   01100000B   ;10010000
DB   01100010B   ;10010001
DB   01100001B   ;10010010
DB   01101100B   ;10010011
DB   01101000B   ;10010100
DB   01101010B   ;10010101
DB   01101001B   ;10010110
DB   01101011B   ;10010111
DB   01100100B   ;10011000
DB   01100110B   ;10011001
DB   01100101B   ;10011010
DB   01100111B   ;10011011
DB   01100011B   ;10011100
DB   01101110B   ;10011101
DB   01101101B   ;10011110
DB   01101111B   ;10011111
DB   01010000B   ;10100000
DB   01010010B   ;10100001
DB   01010001B   ;10100010
DB   01011100B   ;10100011
DB   01011000B   ;10100100
DB   01011010B   ;10100101
DB   01011001B   ;10100110
DB   01011011B   ;10100111
DB   01010100B   ;10101000
DB   01010110B   ;10101001
DB   01010101B   ;10101010
DB   01010111B   ;10101011
DB   01010011B   ;10101100
DB   01011110B   ;10101101
DB   01011101B   ;10101110
DB   01011111B   ;10101111
DB   01110000B   ;10110000
DB   01110010B   ;10110001
DB   01110001B   ;10110010
DB   01111100B   ;10110011
DB   01111000B   ;10110100
DB   01111010B   ;10110101
DB   01111001B   ;10110110
DB   01111011B   ;10110111
DB   01110100B   ;10111000
DB   01110110B   ;10111001
DB   01110101B   ;10111010
DB   01110111B   ;10111011
DB   01110011B   ;10111100
DB   01111110B   ;10111101
DB   01111101B   ;10111110
DB   01111111B   ;10111111
DB   00110000B   ;11000000
DB   00110010B   ;11000001
DB   00110001B   ;11000010
DB   00111100B   ;11000011
DB   00111000B   ;11000100
DB   00111010B   ;11000101
DB   00111001B   ;11000110
DB   00111011B   ;11000111
DB   00110100B   ;11001000
DB   00110110B   ;11001001
DB   00110101B   ;11001010
DB   00110111B   ;11001011
DB   00110011B   ;11001100
DB   00111110B   ;11001101
DB   00111101B   ;11001110
DB   00111111B   ;11001111
DB   11100000B   ;11010000
DB   11100010B   ;11010001
DB   11100001B   ;11010010
DB   11101100B   ;11010011
DB   11101000B   ;11010100
DB   11101010B   ;11010101
DB   11101001B   ;11010110
DB   11101011B   ;11010111
DB   11100100B   ;11011000
DB   11100110B   ;11011001
DB   11100101B   ;11011010
DB   11100111B   ;11011011
DB   11100011B   ;11011100
DB   11101110B   ;11011101
DB   11101101B   ;11011110
DB   11101111B   ;11011111
DB   11010000B   ;11100000
DB   11010010B   ;11100001
DB   11010001B   ;11100010
DB   11011100B   ;11100011
DB   11011000B   ;11100100
DB   11011010B   ;11100101
DB   11011001B   ;11100110
DB   11011011B   ;11100111
DB   11010100B   ;11101000
DB   11010110B   ;11101001
DB   11010101B   ;11101010
DB   11010111B   ;11101011
DB   11010011B   ;11101100
DB   11011110B   ;11101101
DB   11011101B   ;11101110
DB   11011111B   ;11101111
DB   11110000B   ;11110000
DB   11110010B   ;11110001
DB   11110001B   ;11110010
DB   11111100B   ;11110011
DB   11111000B   ;11110100
DB   11111010B   ;11110101
DB   11111001B   ;11110110
DB   11111011B   ;11110111
DB   11110100B   ;11111000
DB   11110110B   ;11111001
DB   11110101B   ;11111010
DB   11110111B   ;11111011
DB   11110011B   ;11111100
DB   11111110B   ;11111101
DB   11111101B   ;11111110
DB   11111111B   ;11111111


MAXBYTE	EQU	55
LINENO	EQU	23

SrcPtr	DW	OFFSET Buffer1
DesPtr	DW	OFFSET Buffer2

SaveBuff:
	DB	MAXBYTE*(LINENO+1) DUP(0)
	
Buffer1:
	DB	MAXBYTE*(LINENO+1) DUP(0)
	DB	256 DUP(0)

Buffer2:
	DB	MAXBYTE*(LINENO+1) DUP(0)
	DB	256 DUP(0)

;----------------------------------------------------------------------
;
;
;
;----------------------------------------------------------------------

Data:
DB	"                                                       "
DB	"                                                       "
DB	"                                                       "
DB	" This is a test for a Lattice Gas based encryption     "
DB	" algorithm. The data is encoded as particles of a      "
DB	" digital gas, whose time evolution is then simulated   "
DB	" with a cellular-automaton type algorithm. Decryption  "
DB	" can be achieved by running the simulation in reverse. "
DB	" A thermodynamic argument ensures that even if a single"
DB	" bit is flipped, no decryption of the data is possible "
DB	"                                                       "
DB	" After the gas is let to evolve for 256 timesteps,     "
DB	" one can either run the reverse evolution by pressing  "
DB	" space, or flip a bit and then run by pressing '0'     "
DB	"                                                       "
DB	" For a cryptographic application, the key would consist"
DB	" of the number of time steps and the time and location "
DB	" of specific bit inversions.                           "
DB	"                                                       "
DB	"                                                       "
DB	"                                                       "
DB	"                                                       "
DB	"                                                       "

;
; Fill the gas with the Data text, then overwrite its first three lines
; with the alternating 00h/0FFh marker pattern that IterateUntil checks for
;
InitGas:
	MOV	DI,CS:SrcPtr
	MOV	SI,OFFSET Data

	MOV	CX,LINENO
IG0:
	PUSH	DI
	PUSH	CX
	MOV	CX,MAXBYTE
IG1:
	MOV	AL,CS:[SI]
	MOV	CS:[DI],AL
	INC	SI
	INC	DI
	LOOP	IG1
	POP	CX
	POP	DI
	ADD	DI,MAXBYTE
	LOOP	IG0
	MOV	SI,CS:SrcPtr
	MOV	DI,OFFSET InitGas
	MOV	CX,MAXBYTE*3
	MOV	AL,0
LG2:
	MOV	BYTE PTR CS:[SI],AL
	NOT	AL
	INC	SI
	LOOP	LG2
	RET

;----------------------------------------------------------------------
;
; Display gas molecules bouncing around
;
ShowGas:
	PUSH	ES
	PUSH	SI
	PUSH	DI
	PUSH	CX
	PUSH	BX

	MOV	AX,0B800h
	MOV	ES,AX
	MOV	SI,CS:SrcPtr
	MOV	DI,160*2+10*2		; row 2, column 10 of the 80x25 text screen
	MOV	CX,LINENO-3		; the three marker lines are not shown
	ADD	SI,MAXBYTE*3
SG1:
	PUSH	CX
	PUSH	DI

	MOV	CX,MAXBYTE
SG2:
	MOV	AL,CS:[SI]
	MOV	BYTE PTR ES:[DI],AL
	INC	SI
	ADD	DI,2
	DEC	CX
	JNZ	SG2

	POP	DI
	POP	CX
	ADD	DI,160
	LOOP	SG1
	
	POP	BX
	POP	CX
	POP	DI
	POP	SI
	POP	ES
	RET

;----------------------------------------------------------------------
;
; CS:SI 	->	Source of Data
; CS:DI		->	Destination of Data
;
ScanOneMiddleLine:
;
; first byte is a special case because of wraparound
;
	MOV	BL,0			; BL is the "assembled" byte.
	MOV	BH,CS:[SI-MAXBYTE]	; NORTH is one line "up" (lower)
	AND	BH,10001000B		; and at bits 7 and 3
	OR	BL,BH			; OR them into the assembled byte
	MOV	BH,CS:[SI+MAXBYTE]	; SOUTH is one line "down" (higher)
	AND	BH,01000100B		; and at bits 6 and 2
	OR	BL,BH			; place the stuff into BL
	MOV	BH,CS:[SI+(MAXBYTE-1)]	; WEST wraps to the last byte of the line
	AND	BH,00100010B		; and at bits 5 and 1
	OR	BL,BH
	MOV	BH,CS:[SI+1]		; EAST is one byte "right" (higher)
	AND	BH,00010001B		; and at bits 4 and 0
	OR	BL,BH
	MOV	BH,0
	MOV	AL,BYTE PTR CS:[BX + OFFSET HPPRule]
	MOV	CS:[DI],AL
	INC	SI
	INC	DI
;
; middle bytes can be handled in a loop 
;
	MOV	CX,MAXBYTE-2
SOL1:
	MOV	BL,0			; BL is the "assembled" byte.
	MOV	BH,CS:[SI-MAXBYTE]	; NORTH is one line "up" (lower)
	AND	BH,10001000B		; and at bits 7 and 3
	OR	BL,BH			; OR them into the assembled byte
	MOV	BH,CS:[SI+MAXBYTE]	; SOUTH is one line "down" (higher)
	AND	BH,01000100B		; and at bits 6 and 2
	OR	BL,BH			; place the stuff into BL
	MOV	BH,CS:[SI-1]		; WEST is one byte "left" (lower)
	AND	BH,00100010B		; and at bits 5 and 1
	OR	BL,BH
	MOV	BH,CS:[SI+1]		; EAST is one byte "right" (higher)
	AND	BH,00010001B		; and at bits 4 and 0
	OR	BL,BH
	MOV	BH,0
	MOV	AL,BYTE PTR CS:[BX + OFFSET HPPRule]
	MOV	CS:[DI],AL
	INC	SI
	INC	DI
	LOOP	SOL1
;
; last byte is also special
;
	MOV	BL,0			; BL is the "assembled" byte.
	MOV	BH,CS:[SI-MAXBYTE]	; NORTH is one line "up" (lower)
	AND	BH,10001000B		; and at bits 7 and 3
	OR	BL,BH			; OR them into the assembled byte
	MOV	BH,CS:[SI+MAXBYTE]	; SOUTH is one line "down" (higher)
	AND	BH,01000100B		; and at bits 6 and 2
	OR	BL,BH			; place the stuff into BL
	MOV	BH,CS:[SI-1]		; WEST is one byte "left" (lower)
	AND	BH,00100010B		; and at bits 5 and 1
	OR	BL,BH
	MOV	BH,CS:[SI-(MAXBYTE-1)]	; EAST wraps to the first byte of the line
	AND	BH,00010001B		; and at bits 4 and 0
	OR	BL,BH
	MOV	BH,0
	MOV	AL,BYTE PTR CS:[BX + OFFSET HPPRule]
	MOV	CS:[DI],AL
	INC	SI
	INC	DI
	RET


;----------------------------------------------------------------------
;
; CS:SI 	->	Source of Data
; CS:DI		->	Destination of Data
;
ScanFirstLine:
;
; first byte is a special case because of wraparound
;
	MOV	BL,0			; BL is the "assembled" byte.
	MOV	BH,CS:[SI+MAXBYTE*(LINENO-1)]	; NORTH wraps to the last line
	AND	BH,10001000B		; and at bits 7 and 3
	OR	BL,BH			; OR them into the assembled byte
	MOV	BH,CS:[SI+MAXBYTE]	; SOUTH is one line "down" (higher)
	AND	BH,01000100B		; and at bits 6 and 2
	OR	BL,BH			; place the stuff into BL
	MOV	BH,CS:[SI+MAXBYTE-1]	; WEST wraps to the last byte of the line
	AND	BH,00100010B		; and at bits 5 and 1
	OR	BL,BH
	MOV	BH,CS:[SI+1]		; EAST is one byte "right" (higher)
	AND	BH,00010001B		; and at bits 4 and 0
	OR	BL,BH
	MOV	BH,0
	MOV	AL,BYTE PTR CS:[BX + OFFSET HPPRule]
	MOV	CS:[DI],AL
	INC	SI
	INC	DI
;
; middle bytes can be handled in a loop 
;
	MOV	CX,MAXBYTE-2
SFL1:
	MOV	BL,0			; BL is the "assembled" byte.
	MOV	BH,CS:[SI+MAXBYTE*(LINENO-1)]	; NORTH wraps to the last line
	AND	BH,10001000B		; and at bits 7 and 3
	OR	BL,BH			; OR them into the assembled byte
	MOV	BH,CS:[SI+MAXBYTE]	; SOUTH is one line "down" (higher)
	AND	BH,01000100B		; and at bits 6 and 2
	OR	BL,BH			; place the stuff into BL
	MOV	BH,CS:[SI-1]		; WEST is one byte "left" (lower)
	AND	BH,00100010B		; and at bits 5 and 1
	OR	BL,BH
	MOV	BH,CS:[SI+1]		; EAST is one byte "right" (higher)
	AND	BH,00010001B		; and at bits 4 and 0
	OR	BL,BH
	MOV	BH,0
	MOV	AL,BYTE PTR CS:[BX + OFFSET HPPRule]
	MOV	CS:[DI],AL
	INC	SI
	INC	DI
	LOOP	SFL1
;
; last byte is also special
;
	MOV	BL,0			; BL is the "assembled" byte.
	MOV	BH,CS:[SI+MAXBYTE*(LINENO-1)]	; NORTH wraps to the last line
	AND	BH,10001000B		; and at bits 7 and 3
	OR	BL,BH			; OR them into the assembled byte
	MOV	BH,CS:[SI+MAXBYTE]	; SOUTH is one line "down" (higher)
	AND	BH,01000100B		; and at bits 6 and 2
	OR	BL,BH			; place the stuff into BL
	MOV	BH,CS:[SI-1]		; WEST is one byte "left" (lower)
	AND	BH,00100010B		; and at bits 5 and 1
	OR	BL,BH
	MOV	BH,CS:[SI-(MAXBYTE-1)]	; EAST wraps to the first byte of the line
	AND	BH,00010001B		; and at bits 4 and 0
	OR	BL,BH
	MOV	BH,0
	MOV	AL,BYTE PTR CS:[BX + OFFSET HPPRule]
	MOV	CS:[DI],AL
	RET


;----------------------------------------------------------------------
;
; CS:SI 	->	Source of Data
; CS:DI		->	Destination of Data
;
ScanLastLine:
;
; first byte is a special case because of wraparound
;
	MOV	BL,0			; BL is the "assembled" byte.
	MOV	BH,CS:[SI-MAXBYTE]	; NORTH is one line "up" (lower)
	AND	BH,10001000B		; and at bits 7 and 3
	OR	BL,BH			; OR them into the assembled byte
	MOV	BH,CS:[SI-MAXBYTE*(LINENO-1)]	; SOUTH wraps to the first line
	AND	BH,01000100B		; and at bits 6 and 2
	OR	BL,BH			; place the stuff into BL
	MOV	BH,CS:[SI+(MAXBYTE-1)]	; WEST wraps to the last byte of the line
	AND	BH,00100010B		; and at bits 5 and 1
	OR	BL,BH
	MOV	BH,CS:[SI+1]		; EAST is one byte "right" (higher)
	AND	BH,00010001B		; and at bits 4 and 0
	OR	BL,BH
	MOV	BH,0
	MOV	AL,BYTE PTR CS:[BX + OFFSET HPPRule]
	MOV	CS:[DI],AL
	INC	SI
	INC	DI
;
; middle bytes can be handled in a loop 
;
	MOV	CX,MAXBYTE-2
SLL1:
	MOV	BL,0			; BL is the "assembled" byte.
	MOV	BH,CS:[SI-MAXBYTE]	; NORTH is one line "up" (lower)
	AND	BH,10001000B		; and at bits 7 and 3
	OR	BL,BH			; OR them into the assembled byte
	MOV	BH,CS:[SI-MAXBYTE*(LINENO-1)]	; SOUTH wraps to the first line
	AND	BH,01000100B		; and at bits 6 and 2
	OR	BL,BH			; place the stuff into BL
	MOV	BH,CS:[SI-1]		; WEST is one byte "left" (lower)
	AND	BH,00100010B		; and at bits 5 and 1
	OR	BL,BH
	MOV	BH,CS:[SI+1]		; EAST is one byte "right" (higher)
	AND	BH,00010001B		; and at bits 4 and 0
	OR	BL,BH
	MOV	BH,0
	MOV	AL,BYTE PTR CS:[BX + OFFSET HPPRule]
	MOV	CS:[DI],AL
	INC	SI
	INC	DI
	LOOP	SLL1
;
; last byte is also special
;
	MOV	BL,0			; BL is the "assembled" byte.
	MOV	BH,CS:[SI-MAXBYTE]	; NORTH is one line "up" (lower)
	AND	BH,10001000B		; and at bits 7 and 3
	OR	BL,BH			; OR them into the assembled byte
	MOV	BH,CS:[SI-MAXBYTE*(LINENO-1)]	; SOUTH wraps to the first line
	AND	BH,01000100B		; and at bits 6 and 2
	OR	BL,BH			; place the stuff into BL
	MOV	BH,CS:[SI-1]		; WEST is one byte "left" (lower)
	AND	BH,00100010B		; and at bits 5 and 1
	OR	BL,BH
	MOV	BH,CS:[SI-(MAXBYTE-1)]	; EAST wraps to the first byte of the line
	AND	BH,00010001B		; and at bits 4 and 0
	OR	BL,BH
	MOV	BH,0
	MOV	AL,BYTE PTR CS:[BX + OFFSET HPPRule]
	MOV	CS:[DI],AL
	INC	SI
	INC	DI
	RET



;----------------------------------------------------------------------
;
; Invert all velocities in the gas
;
InvertAll:
	PUSH	BX
	PUSH	CX
	PUSH	SI
	MOV	SI,CS:SrcPtr
	MOV	BX,0
	MOV	CX,LINENO
IA1:
	PUSH	CX
	MOV	CX,MAXBYTE
IA2:
	MOV	BL,CS:[SI]
	MOV	AL,BYTE PTR CS:[BX + (OFFSET WallRule)]
	MOV	CS:[SI],AL
	INC	SI
	LOOP	IA2
	POP	CX
	LOOP	IA1
	POP	SI
	POP	CX
	POP	BX
	RET

;----------------------------------------------------------------------
;
; Advance the gas one time step: swap SrcPtr/DesPtr, then scan the
; first line, the LINENO-2 middle lines and the last line (the first
; and last lines wrap vertically to each other)
;
IterateOnce:
	MOV	SI,CS:SrcPtr
	MOV	DI,CS:DesPtr
	MOV	CS:SrcPtr,DI
	MOV	CS:DesPtr,SI

	PUSH	SI
	PUSH	DI
	CALL	ScanFirstLine
	POP	DI
	POP	SI
	ADD	SI,MAXBYTE
	ADD	DI,MAXBYTE	
	MOV	CX,LINENO-2		; don't scan first and last here
L1:
	PUSH	SI
	PUSH	DI
	PUSH	CX
	CALL	ScanOneMiddleLine
	POP	CX
	POP	DI
	POP	SI
	ADD	SI,MAXBYTE
	ADD	DI,MAXBYTE
	LOOP	L1

	PUSH	SI
	PUSH	DI
	CALL	ScanLastLine
	POP	DI
	POP	SI
L3:
	RET

;----------------------------------------------------------------------
;
; Iterate HPP rule CX times
;
Iterate:
	PUSH	CX
	CALL	IterateOnce
	POP	CX
	CALL	ShowGas
	LOOP	Iterate
	RET

;----------------------------------------------------------------------
;
; Iterate the HPP rule until the first three lattice lines, passed
; through WallRule, again show the 00h/0FFh pattern InitGas wrote there,
; i.e. until the reverse run has undone the forward run.  CX is not used
; as a count here.  The routine at IU4 (which prints Msg) is first
; XOR-masked with the bytes at IU3; after every step the mask is XORed
; back into IU3 only when the pattern check leaves AL = 0FFh, so the
; printing code is "decrypted" in place exactly when the gas has been
; un-thermalized, and control then falls into it through JMP IU3.
;
IterateUntil:	
	MOV	SI,0
	MOV	CX,OFFSET IU4 - OFFSET IU3
IU00:
	MOV	AL,BYTE PTR CS:[SI + OFFSET IU3]
	XOR	BYTE PTR CS:[SI + OFFSET IU4],AL
	INC	SI
	LOOP	IU00
IU0:
	CALL	IterateOnce
	CALL	ShowGas
	MOV	SI,CS:SrcPtr
	MOV	CX,MAXBYTE*3
	MOV	BX,0
	MOV	AH,0
	MOV	AL,255
IU1:
	MOV	BL,BYTE PTR CS:[SI]
	MOV	DL,BYTE PTR CS:[BX+WallRule]
	NOT	AH
	XOR	DL,AH
	AND	AL,DL
	INC	SI
	LOOP	IU1
	MOV	SI,0
	MOV	CX,OFFSET IU4 - OFFSET IU3
IU2:
	MOV	AH,BYTE PTR CS:[SI+OFFSET IU4]
	AND	AH,AL
	XOR	BYTE PTR CS:[SI+OFFSET IU3],AH
	INC	SI
	LOOP	IU2
	JMP	IU3
IU3:
	MOV	AX,OFFSET IU0
	PUSH	AX
	RET
	DB	256 DUP(90h)
IU4:
	PUSH	AX
	PUSH	BX
	PUSH	CX
	PUSH	DX
	PUSH	DS

	MOV	AH,9
	MOV	DX,CS:MsgPtr
	INT	21H

	POP	DS
	POP	DX
	POP	CX
	POP	BX
	POP	AX
	RET

	DB	512 DUP(90h)

MsgPtr	DW	OFFSET Msg
Msg	DB	"This message is printed out by",10,13
	DB	"code decrypted using data from the lattice",10,13
	DB	"which was applied to the decoding routine",10,13
	DB	"after every time step",10,13
	DB	"The decoding function left the code unchanged",10,13
	DB	"except after the gas evolution had completely",10,13
	DB	"reversed the thermalization",10,13,"$"


TIMES	EQU	16		; forward steps run by this demo (the Data
				; text speaks of 256 as enough to
				; "equilibrate" the gas)

Begin:
	MOV	AX,0600h
	MOV	BH,7
	MOV	DH,25
	MOV	DL,80
	MOV	CX,0
	INT	10h

	MOV	AH,2
	MOV	BH,0
	MOV	DH,24
	MOV	DL,0
	INT	10h

	CALL	InitGas
	CALL	ShowGas
	MOV	AH,0
	INT	16h
	MOV	CX,TIMES
	CALL	Iterate
	CALL	InvertAll
	CALL	ShowGas
	MOV	AH,0
	INT	16h
	CMP	AL,"0"
	JNE	Begin0
	MOV	SI,CS:SrcPtr
	XOR	BYTE PTR CS:[SI],10000001B
Begin0:
	MOV	CX,TIMES
	CALL	IterateUntil
	CALL	InvertAll
	CALL	ShowGas
	MOV	AX,4C00h
	INT	21h
	

CODE	ENDS
	END	Start
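
The lattice-gas scheme the listing above demonstrates, as an added example in Python that is not part of the original program: the same HPP dynamics on a 23 x 55 torus of bytes, the forward run followed by velocity reversal (Iterate plus InvertAll), the marker check IterateUntil uses to stop the reverse run, and the effect of flipping one bit before reversing. The direction meaning of the bits, the collision rule and the lattice size are assumptions read off the listing's bit masks and the printed tail of the WallRule table (whose entries match "collide, then swap directions", e.g. 0x93 -> 0x6C); the sample text, the helper names and the plain Python data layout are constructed for this example.

```python
"""Added example, not code from the original posting: the HPP lattice-gas
"cipher" of the assembler listing above, re-implemented in Python.

Assumptions (from the listing's bit masks and the WallRule table): each
byte is one lattice site holding two independent 4-bit cells (high and low
nibble, i.e. two parallel lattices); within a nibble, bit 3 is a particle
moving south, bit 2 north, bit 1 east, bit 0 west.  The lattice is a torus
of ROWS x COLS bytes whose first MARKER_ROWS rows carry the 00/FF pattern
InitGas writes.  Sample text and helpers are constructed for the example."""

ROWS, COLS = 23, 55        # LINENO and MAXBYTE in the listing
MARKER_ROWS = 3

def hpp_rule(b: int) -> int:
    """Collision step, applied to both nibbles: a head-on pair 0011
    (east+west) becomes 1100 (north+south) and vice versa; every other
    state passes through (assumed to be the listing's HPPRule table)."""
    out = 0
    for shift in (0, 4):
        nib = (b >> shift) & 0xF
        if nib in (0x3, 0xC):
            nib ^= 0xF
        out |= nib << shift
    return out

def wall_rule(b: int) -> int:
    """The listing's WallRule: collide, then swap south<->north and
    east<->west in each nibble (0x93 -> 0x6C, 0xC0 -> 0x30, as tabulated).
    This time-reversal operator is an involution."""
    b = hpp_rule(b)
    return (((b & 0x88) >> 1) | ((b & 0x44) << 1)
            | ((b & 0x22) >> 1) | ((b & 0x11) << 1))

def step(grid):
    """One time step: every site gathers the particles its four neighbours
    send it (toroidal wraparound, as in Scan*Line), then collides them."""
    new = []
    for r in range(ROWS):
        north, south, row = grid[r - 1], grid[(r + 1) % ROWS], grid[r]
        new.append([hpp_rule((north[c] & 0x88) | (south[c] & 0x44)
                             | (row[c - 1] & 0x22) | (row[(c + 1) % COLS] & 0x11))
                    for c in range(COLS)])
    return new

def reverse_all(grid):
    """InvertAll: apply WallRule to every site."""
    return [[wall_rule(b) for b in row] for row in grid]

def transform(grid, steps):
    """Iterate `steps` times, then InvertAll.  Because step(R(step(g))) == R(g)
    for the reversal R, this map is its own inverse: transform(transform(g, T),
    T) == g, so it serves as both encryption and decryption of the demo."""
    for _ in range(steps):
        grid = step(grid)
    return reverse_all(grid)

def text_to_grid(lines):
    """Constructed plaintext layout: MARKER_ROWS rows of 00 FF 00 FF ... (the
    odd width makes it a checkerboard), then ASCII text, one byte per site,
    padded with spaces to ROWS x COLS."""
    if len(lines) > ROWS - MARKER_ROWS:
        raise ValueError("too many text lines")
    marker = ([0x00, 0xFF] * (MARKER_ROWS * COLS))[:MARKER_ROWS * COLS]
    grid = [marker[r * COLS:(r + 1) * COLS] for r in range(MARKER_ROWS)]
    body = [line.ljust(COLS)[:COLS] for line in lines]
    body += [" " * COLS] * (ROWS - MARKER_ROWS - len(body))
    return grid + [[ord(ch) for ch in line] for line in body]

def decrypt_until(grid, max_steps=4096):
    """What IterateUntil does: keep stepping until WallRule applied to the
    marker rows yields the checkerboard again, i.e. until the reverse run has
    exactly undone the forward run.  Returns (plaintext grid, steps taken)."""
    marker = text_to_grid([])[:MARKER_ROWS]
    for steps in range(1, max_steps + 1):
        grid = step(grid)
        if all([wall_rule(b) for b in grid[r]] == marker[r]
               for r in range(MARKER_ROWS)):
            return reverse_all(grid), steps
    raise ValueError("marker pattern never returned")

def flip_bit(grid, r, c, mask=0x81):
    """Flip particle bits at one site (the demo's '0' key XORs 10000001B)."""
    out = [row[:] for row in grid]
    out[r][c] ^= mask
    return out

if __name__ == "__main__":
    plain = text_to_grid(["This is a constructed test line,",
                          "not the Data block of the listing."])
    T = 16
    cipher = transform(plain, T)
    assert transform(cipher, T) == plain
    recovered, found = decrypt_until(cipher)          # T is never consulted
    print("marker returned after", found, "steps; text:",
          bytes(recovered[MARKER_ROWS]).decode("ascii").strip())
    damaged = transform(flip_bit(cipher, 10, 20), T)   # one bit flipped first
    print("bytes differing after a flipped bit:",
          sum(x != y for ra, rb in zip(damaged, plain) for x, y in zip(ra, rb)))
```

transform() is its own inverse, so the "encryption" is a fixed permutation of the lattice selected by the step count T. decrypt_until() recovers the plaintext without being told T, exactly as IterateUntil does, because the 00/FF marker rows announce when the reverse run is complete; that is convenient for the receiver, but it also means the step count, which the Data text counts as key material, is nothing an attacker who can see the marker rows has to guess. How far one flipped bit spreads depends on how many head-on collisions its particle takes part in during the reverse run, which the difference count at the end measures instead of assuming.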


Newsgroup: sci.crypt
document_id: 14992
Subject: Re: Illegal Wiretaps (was Denning's Trust)
From: kubo@zariski.harvard.edu (Tal Kubo)

In article <1ppg02$i2k@bigboote.WPI.EDU> 
ear@bigwpi.WPI.EDU (Mr. Neat-O [tm]) writes:
>>
>>It is apparently quite easy to get hold of a person's calling records
>>through the phone company.  Police (and some lawyers) are able to acquire
>>such information without any warrant or judicial supervision, whether or
>>not the target is suspected of specific crimes.
>
>Pardon me, but isn't this very illegal?  I was under the impression that a
>warrant *is* needed to get this information out of the phone company in
>order to protect people's privacy. 

Legal or not, I've seen it done.  Phone records were obtained
in order to *establish* probable cause, rather than as a result of it.
In other words, for a fishing expedition.

 
>                                   A local (Worcester, MA) police officer I
>spoke with only a couple of nights ago told me that they usually only
>subpoena the phone company's records in *extreme* conditions because it's so
>much of a hassle.

And does the phone company require written, subpoena-able evidence
of probable cause in order to process the request?  I suggest that
the officer was disinterested in pursuing your case -- even if you
could prove the offender had called you at a certain time, your 
chances of winning a harassment suit on the strength of this evidence
are nil.  My contact with several people who have dealt with cases
of extreme phone harassment (several thousand calls in one case) teaches 
me that police in this area are quite lethargic about pursuing such matters.


Tal

Newsgroup: sci.crypt
document_id: 14993
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Licensing of public key implementations

strnlght@netcom.com (David Sternlight) writes:

> I will provide one hint: it is reported that RSA expressed puzzlement (at
> their conference) that nobody has asked for permission to use RIPEM to
> write a PGP-compatible program.

This actually supports Bill's speculation - IF there is a backdoor in
RSAREF and IF PKP is supported secretly by the NSA, then it is more
than natural that they will welcome ANY public-key implementation that
uses RSAREF and will strongly oppose themselves against ANY
implementation that doesn't.

I personally cannot see how one could put a backdoor in a
long-precision modular arithmetic library that comes in source, but,
of course, the fact that -I- cannot see it means nothing...

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

Newsgroup: sci.crypt
document_id: 14994
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: opinions of RC2 alg.

Markowitz@DOCKMASTER.NCSC.MIL writes:

> It is interesting to note in this regard that permission to export
> PKZIP's encryption scheme has twice been denied by NSA.  Draw your own
> conclusions.

Uh, I'm afraid that your information is slightly out of date... PKWare
has obtained a license to export their program to the whole world,
except a very limited list of countries... Draw your own conclusions
about the strength of the algorithm... :-)

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

Newsgroup: sci.crypt
document_id: 14995
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: disk safety measure?

cuffell@spot.Colorado.EDU (Tim Cuffel) writes:

> There is no guarantee that the deleted space would be overwritten during
> optimization.  Likely, but no guarantee.  A quicker and more secure method
> would be a batch file that overwrote all of your free space.  For example
> fill.bat:
> 	echo %1 >> out
> 	fill.bat
> (This is off the top of my head.  #include <std_disclaimer.h>)

It is MUCH easier, faster, and probably even more secure to use Norton
Utilities 6.0 (I'm talking IBM PC here) and to tell WipeInfo to (a)
clean the free disk space and (b) clean the slack space at the end of
the files. Use the Government standard option for more careful
overwriting...

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

Newsgroup: sci.crypt
document_id: 14996
From: WHMurray@DOCKMASTER.NCSC.MIL
Subject: Licensing...


>This actually supports Bill's speculation - IF there is a backdoor in
>RSAREF and IF PKP is supported secretly by the NSA, then it is more
>than natural that they will welcome ANY public-key implementation that
>uses RSAREF and will strongly oppose themselves against ANY
>implementation that doesn't.

My speculation does not include or depend upon a trapdoor in RSAREF. I
do not believe that RSA would consent to such.  

However, there are other limitations in the concept of RSAREF in which
NSA has an interest.  It has an interest in a limited number of
implementations, i.e., targets.  It has an interest in fixed key or
maximum modulus size.  

It has a legitimate (literally) right to pursue such interests.  Within
bounds, it probably has a right to pursue those interests by covert
means.  At least it has the same right as the rest of us not to disclose
all of its motives and intentions.  (Institutions are not self-aware;
they do not know their intentions in any meaningful sense.)

William Hugh Murray, Executive Consultant, Information System Security
49 Locust Avenue, Suite 104; New Canaan, Connecticut 06840                
1-0-ATT-0-700-WMURRAY; WHMurray at DOCKMASTER.NCSC.MIL

Newsgroup: sci.crypt
document_id: 14997
From: tom_van_vleck@taligent.com (Tom Van Vleck)
Subject: Re: looking for one-way (trap-door, password encryption, etc.) algorithms

Michael Levin wrote:
>      I am looking for references to algorithms which can be used for
> password encryption. I.e., someone has a clear-text word, runs it
> through the algorithm, and it becomes some other sequence of symbols.
> I want this algorithm to have the property that it is a) next to
> impossible to reverse, and b) would take too long to try all possible
> words to see which one works (even by use of a high-speed computer).
> Please send references or ideas to mlevin@husc8.harvard.edu.

The original one-way encryption I put into Multics about 1968 (as suggested
by Joe Weizenbaum) was invertible.  An Air Force tiger team demonstrated 
this to me in May 1973.  I then asked an expert (who requested anonymity) 
what I should use instead; the expert's suggestion was to treat the 
8-byte password as both key and data for the LUCIFER encryption algorithm, 
which is similar or identical to DES.  This method or something stronger 
should take care of (a).  Issue (b) is discussed in comp.security.misc: 
longer passwords and quality control on what users can choose as passwords
are the common tactics.

tom_vanvleck@taligent.com

Newsgroup: sci.crypt
document_id: 14998
From: yerazunis@cthulu.enet.dec.com
Subject: Re: Hard drive security for FBI targets


>cme@ellisun.sw.stratus.com (Carl Ellison) writes:
>For example, if I had a program on my disk which created totally random
>files looking like encrypted messages and could demonstrate that the file
>in question *could have been* created by that program, then my claim that
>it was, in fact, created by that program must stand as true (since I'm
>innocent) unless someone can prove me wrong.

HMMM... that brings up a neat idea.  

Unfortunately, it's SOOO neat, I think I ought to patent it.

So I can't tell you about it.

Sorry.  :-)

	-Bill

Copyright 1993 William S. Yerazunis (aka Crah the Merciless)
All rights reserved, no responsibility taken.

     "I love the smell of flash powder in the morning! It smells like...like theatre"

Newsgroup: sci.crypt
document_id: 14999
From: jgk@osc.COM (Joe Keane)
Subject: Re: Hard drive security for FBI targets

In article <1993Apr2.050451.7866@ucsu.Colorado.EDU> cuffell@spot.Colorado.EDU
(Tim Cuffel) writes:
>How about this.  I create a bunch of sets of random data, and encrypt it.  I 
>keep only one of the sets of random data around, to show that I encypt random
>data for kicks.  The rest, I delete with their keys.  I tell all my friends.
>I think this establishes reasonable doubt about the contents of any encrypted
>files, and my ability to provides keys.  Since anyone could do this, any law
>that forces a user to provide keys on demand is worthless.

The law is much worse than worthless.  It gives police the power to put
innocent people in jail because they (the police) find something they don't
understand.  Most police don't know what the return key does, never mind the
difference between a core file and classified military secrets.

There are plenty of scenarios where the user would have no idea what something
is either.  It could be uninitialized junk.  The burden of proof is on the
user to show that it's something a normal upstanding citizen should have.  No
one should ever be put in that situation, especially in America.

What's disgusting about this is how easily most people go along with it, to
provide a bargaining chip against some hypothetical *alleged* child molester
or drug dealer, or whatever bad thing is in style at the time.  Basically most
people don't have a clear distinction between criminals and suspects.

As an analogy, it's like they find a loose screw in your house, and they
insist that you're building a bomb or machine gun.  They ask you where it came
from (like you'd know), and ask you to prove your claim.  When you explain it
in such simple terms, people may start to get the idea.

As a matter of fact, i do keep random files on my disk.  The reason is,
without special-purpose hardware, it takes a long time to generate good random
bits.  I have programs that crank out a couple bits per minute, which is
pretty conservative, but over time that's more than i need.

If you think about it, there's no point in actually encrypting random data,
because it just gives you different random data.  If you want some data to
look like an encrypted file, you just put an appropriate header on it.  If
enough people do this, some of them will be put in jail.

When you get arrested and the police ask for your keys, you can tell them it's
just random junk, although of course they won't believe you.  While you're
sitting in jail, you can take consolation in the fact that the government will
burn a few CPU-years trying to find something that's not there.

--
Joe Keane, amateur cryptologist
jgk@osc.com (uunet!amdcad!osc!jgk)

Newsgroup: sci.crypt
document_id: 15000
From: Graham Toal <gtoal@gtoal.com>
Subject: Re: Hard drive security for FBI targets

In article <6040@osc.COM> Joe Keane <jgk@osc.com> writes:
:As a matter of fact, i do keep random files on my disk.  The reason is,
:without special-purpose hardware, it takes a long time to generate good random
:bits.  I have programs that crank out a couple bits per minute, which is
:pretty conservative, but over time that's more than i need.

Sounds like a useful program - interested in posting it to alt.sources?

G

Newsgroup: sci.crypt
document_id: 15001
From: cme@ellisun.sw.stratus.com (Carl Ellison)
Subject: Re: Hard drive security

In article <m5c5fkj@rpi.edu> antonh@rpi.edu writes:
>say, can anyone send my info on how to encrpyt a hard disk [...]
>ps.  I would also like know the consequences of those types of actions if i
>so chose to do them in the future in this country and european countries.

People have been encrypting notes in their notebooks for hundreds of years
-- maybe over a thousand.  It's a long tradition dating at least back to
the alchemists.

I know of nothing bad happening to them.  I would assume that nothing bad
would happen to you, given this long history establishing encryption as
the property of individuals, to do with as they please.

-- 
 - <<Disclaimer: All opinions expressed are my own, of course.>>
 - Carl Ellison                                        cme@sw.stratus.com
 - Stratus Computer Inc.       M3-2-BKW                TEL: (508)460-2783
 - 55 Fairbanks Boulevard ; Marlborough MA 01752-1298  FAX: (508)624-7488

Newsgroup: sci.crypt
document_id: 15002
From: cme@ellisun.sw.stratus.com (Carl Ellison)
Subject: Re: Licensing of public key implementations

In article <1993Apr4.221640.8104@magnus.acs.ohio-state.edu> jebright@magnus.acs.ohio-state.edu (James R Ebright) writes:
>I guess we will have to wait for the time in the far future
>when everyone uses such good crypto that the NSA has no job.  Then the
>agency will be disbanded and its files opened after the approprate
>historical delay.  ;)

You've overlooked a fundamental Truth:

	both headcount and budget of any government agency are
	monotonic increasing functions.

Given that Truth, you need to look for what the agency can do to occupy
all those people and spend all that money when crypto is unbreakable.

Perhaps they could talk the world's telephone companies into making equipment
they could break into and tap.

Maybe they could convince people that distributed computing was a good idea
so that even the internal state of a process would be available for access
by wiretapping.

Maybe....

-- 
 - <<Disclaimer: All opinions expressed are my own, of course.>>
 - Carl Ellison                                        cme@sw.stratus.com
 - Stratus Computer Inc.       M3-2-BKW                TEL: (508)460-2783
 - 55 Fairbanks Boulevard ; Marlborough MA 01752-1298  FAX: (508)624-7488

Newsgroup: sci.crypt
document_id: 15003
From: ray@ole.cdac.com (Ray Berry)
Subject: Re: Hard drive security for FBI targets

rja14@cl.cam.ac.uk (Ross Anderson) writes:

>In article <1993Apr2.050451.7866@ucsu.Colorado.EDU>, cuffell@spot.Colorado.EDU 
>(Tim Cuffel) writes:

>This suggests a new PC security product design approach - first fill the hard
>drive with 50% random files and 50% files encrypted under a number of known 
>keys. Then whenever a new secret file is created, you delete a random file and
>replace it with real encrypted data. New non-secret files are encrypted under
>a known key.

   Better yet, instead of thrashing around on the DOS file system, take
it a step further.  Write yourself a minimal "file system" program that
is used to create/delete files, en/decrypt them to ramdisk, list a
directory. Put the util, password protected, on a floppy.

   The catch is that the storage space used by this util is NOT part
of the DOS file system.  Instead, defrag your disk, thus packing all
allocated clusters into clusters 0-n.  Then use the back end of the
partition to hold your 'stealth' file system.  Or, leave a small 2nd
partition on the disk that is not assigned to DOS.  Another approach
might be to use a directory that contains a set of invariant files (DOS
system files, for instance).  Due to DOS allocating a minimum storage 
unit of a "cluster" there is unused physical space on the disk between
the tail end of each file and the end of its associated cluster. These
dead spaces could be concatenated and used to hold your stealth file
system.

   Now you have a situation where no encrypted data "appears" on your
disk at all :-). 
-- 
Ray Berry kb7ht ray@ole.cdac.com  rjberry@eskimo.com  73407.3152@compuserve.com
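
The slack-space store Ray describes, as an added example in Python (not code from the post or from any DOS tool): a toy in-memory disk that allocates files in whole clusters, locates the unused tail of each host file's last cluster, and writes a length-prefixed payload across those tails. The cluster size, the host file names and their contents are constructed; nothing here touches a real FAT file system.

```python
"""Added example, not code from the posting: a toy model of the slack-space
idea in the post above.  A small in-memory "disk" allocates every file in
whole clusters, as DOS does; the bytes between a host file's last byte and
the end of its last cluster are invisible to a directory listing but still
on the disk.  hide() concatenates those gaps across a set of host files and
writes a length-prefixed payload into them; reveal() reads it back;
read_file() shows the hosts unchanged as the file system sees them.
Cluster size, host names and contents are constructed for the example."""
import struct


class ToyDisk:
    def __init__(self, cluster=2048):
        self.cluster = cluster
        self.image = bytearray()       # the raw "sectors"
        self.files = {}                # name -> (offset, size): the directory

    def add_file(self, name, data):
        """Allocate whole clusters for `data`; the unused tail of the last
        cluster is the file's slack."""
        size = len(data)
        alloc = size + (-size) % self.cluster
        self.files[name] = (len(self.image), size)
        self.image += data + bytes(alloc - size)

    def read_file(self, name):
        """What a program reading the file by name gets: no slack bytes."""
        off, size = self.files[name]
        return bytes(self.image[off:off + size])

    def slack_ranges(self, hosts):
        """(offset, length) of each host file's slack, in host order; a file
        ending exactly on a cluster boundary contributes nothing."""
        ranges = []
        for name in hosts:
            off, size = self.files[name]
            gap = (-size) % self.cluster
            if gap:
                ranges.append((off + size, gap))
        return ranges

    def slack_capacity(self, hosts):
        return sum(length for _, length in self.slack_ranges(hosts))

    def hide(self, hosts, payload):
        """Write a 4-byte big-endian length plus payload across the slack."""
        blob = struct.pack(">I", len(payload)) + payload
        if len(blob) > self.slack_capacity(hosts):
            raise ValueError("payload larger than available slack")
        pos = 0
        for off, length in self.slack_ranges(hosts):
            chunk = blob[pos:pos + length]
            self.image[off:off + len(chunk)] = chunk
            pos += len(chunk)
            if pos == len(blob):
                break

    def reveal(self, hosts):
        """Reassemble the slack stream and return the hidden payload."""
        stream = b"".join(bytes(self.image[off:off + length])
                          for off, length in self.slack_ranges(hosts))
        (n,) = struct.unpack(">I", stream[:4])
        return stream[4:4 + n]


if __name__ == "__main__":
    disk = ToyDisk(cluster=512)
    hosts = ["IO.SYS", "MSDOS.SYS", "COMMAND.COM"]   # constructed "invariant" hosts
    disk.add_file("IO.SYS", b"A" * 700)              # 324 bytes of slack
    disk.add_file("MSDOS.SYS", b"B" * 1024)          # ends on a cluster boundary
    disk.add_file("COMMAND.COM", b"C" * 100)         # 412 bytes of slack
    before = {h: disk.read_file(h) for h in hosts}
    print("slack available:", disk.slack_capacity(hosts), "bytes")
    disk.hide(hosts, b"stealth file system payload")
    print("hidden:", disk.reveal(hosts))
    assert all(disk.read_file(h) == before[h] for h in hosts)  # directory view unchanged
```

As the directory sees it, the host files are unchanged (read_file returns the original bytes), and a tool that walks the file system by name never reaches the hidden bytes. The store lives or dies with the hosts' allocation, which is why the post restricts hosts to invariant files and defragments first: rewriting a host, or a defragmenter moving its clusters, overwrites or strands the slack.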

Newsgroup: sci.crypt
document_id: 15168
From: so@eiffel.cs.psu.edu (Nicol C So)
Subject: Re: Source of random bits on a Unix workstation

In article <897@pivot.sbi.com> bet@sbi.com (Bennett Todd @ Salomon Brothers Inc., NY ) writes:
>This came up because I decided to configure up MIT-MAGIC-COOKIE-1 security
>for X11R5. For this to work you need to stick some bits that an intruder
>can't guess in a file (readable only by you) which X client applications
>read. They pass the bits back to the server when they want to establish a
>connection.
>
>...
>What I settled on was grabbing a bunch of traffic off the network.
>Basically, I ran
>
>	etherfind -u -x greater 0|compress
>
>and skipped over 10K of output, then grabbed my bits. As best I can tell,
>these are bits that can be expected to be reasonably uniformly distributed,
>and quite unguessable by an intruder.

For your application, what you can do is to encrypt the real-time clock
value with a secret key.

Newsgroup: sci.crypt
document_id: 15169
From: ji@cs.columbia.edu (John Ioannidis)
Subject: Re: Source of random bits on a Unix workstation

In article <C5JA6s.A59@cs.psu.edu> so@eiffel.cs.psu.edu (Nicol C So) writes:
>In article <897@pivot.sbi.com> bet@sbi.com (Bennett Todd @ Salomon Brothers Inc., NY ) writes:
>>This came up because I decided to configure up MIT-MAGIC-COOKIE-1 security
>>for X11R5. For this to work you need to stick some bits that an intruder
>>can't guess in a file (readable only by you) which X client applications
>>read. They pass the bits back to the server when they want to establish a
>>connection.
>>
>>...
>>What I settled on was grabbing a bunch of traffic off the network.
>>Basically, I ran
>>
>>	etherfind -u -x greater 0|compress
>>
>>and skipped over 10K of output, then grabbed my bits. As best I can tell,
>>these are bits that can be expected to be reasonably uniformly distributed,
>>and quite unguessable by an intruder.
>
>For your application, what you can do is to encrypt the real-time clock
>value with a secret key.

For a good discussion of cryptographically "good" random number
generators, check out the draft-ietf-security-randomness-00.txt
Internet Draft, available at your local friendly internet drafts
repository. 

A reasonable source of randomness is the output of a cryptographic
hash function (e.g., MD5), when fed with a large amount of
more-or-less random data. For example, running MD5 on /dev/mem is a
slow, but random enough, source of random bits; there are bound to be
128 bits of entropy in the tens (or hundreds) of megabytes of data in
a modern workstation's memory, as a fair amount of them are system
timers, i/o buffers, etc.

/ji

Newsgroup: sci.crypt
document_id: 15170
From: bear@kestrel.fsl.noaa.gov (Bear Giles)
Subject: Re: Fifth Amendment and Passwords

In article <1993Apr15.160415.8559@magnus.acs.ohio-state.edu> ashall@magnus.acs.ohio-state.edu (Andrew S Hall) writes:
>I am postive someone will correct me if I am wrong, but doesn't the Fifth
>also cover not being forced to do actions that are self-incriminating?
>e.g. The police couldn't demand that you silently take them to where the
>body is buried or where the money is hidden.

But they can make you piss in a jar, and possibly provide DNA, semen,
and hair samples or to undergo tests for gunpowder residues on your hand.

(BTW, that was why the chemical engineer arrested in the WTC explosion
thrust his hands into a toilet filled with urine as the cops were breaking
down the door -- the nitrogen in the urine would mask any residue from
explosives.  I found it interesting the news reported his acts, but not
his reasons).

Somewhere, perhaps a privacy group, they discussed the legal ramifications
of using a password like

  I shot Jimmy Hoffa and his body is in a storage locker in Camden

a while back.  The impression I got was that real judges would dismiss
arguments that this password is self-incrimination as first-year law
school sophistry -- the fact that you use a statement for a password has
no bearing on the veracity of that phrase.

You are not being asked to incriminate yourself (e.g., "where did you
bury the body?"); you are being asked to provide information necessary
to execute a legal search warrant.  Refusing to provide the password is
akin to refusing to provide a key to a storage locker... except that they
could always _force_ their way into the locker.

Of course, that doesn't mean you have to help them _understand_ what
they find, or point out things they overlooked in their search!

-- 
Bear Giles
bear@fsl.noaa.gov

Newsgroup: sci.crypt
document_id: 15171
From: zrepachol@cc.curtin.edu.au (Paul Repacholi)
Subject: What is going on?...

In article <1qhc2p$8d8@transfer.stratus.com>, cme@ellisun.sw.stratus.com (Carl Ellison) writes:
> In article <1993Apr14.120229.15878@mnemosyne.cs.du.edu> rwebb@nyx.cs.du.edu (Russell Webb) writes:
...
> Call me paranoid, but this is the same kind of scare story which Dorothy
> Denning was citing while calling for the limitation of cryptography.
> 
> I doubt that DD is behind this -- 
> 
> but I suspect that the FBI (and maybe NSA) are behind DD and those agencies
> could easily be mounting a nationwide campaign (with our tax dollars?) to
> build up public outcry against digital communication -- especially against
> unbreakable, encrypted communication.
> 
> 
> What's going on here??
> 

Haven't you read any of Noam Chomsky's works? A widely used information net
outside the control of the 'right people' is unthinkable. Hundreds of billions
of dollars will be spent to wipe it out, sorry, 'regulate and order it' once
the major media and political powers wake up to the effect it can have.

If you can't be bothered reading, get the video "Manufacturing Consent".

~Paul


Newsgroup: sci.crypt
document_id: 15172
From: marc@tanda.isis.org (Marc Thibault)
Subject: Re: Hard drive security for FBI targets


     1. Do a straight encryption of your keyrings and put the
        results with misleading names somewhere they won't be noticed
        (eg. in the \windows directory; nobody knows what half those
        files are).

     2. Do a straight encryption of a .BAT file that will decrypt
        the keyrings to RAMdisk and will set PGPPATH to point at it.

     3. Set up another .BAT file to decrypt and execute the first
        (again on RAM disk). Have it take the name of the target file
        as an argument so that there is no link between this file and
        the (non-existent) batch file referred to by the rest of the
        system. Comment it so it looks like a test script for fooling
        around with PGP. Set PGPPATH to the PGP directory.

     4. Leave the original keyrings that came with PGP in the
        directory with PGP; a good indication that you are playing
        with, but haven't made serious use of PGP. Add a set of keys
        with your name and a really simple passphrase. Never use it,
        or use it as your widely published key for low-security
        e-mail.

     5. When needed, run the second .BAT file. Make sure all
        intermediate and plainfiles are generated on RAMdisk.

     6. When you hear the concussion grenade, hit the power switch.
        
        Cheers,
                Marc

---
 Marc Thibault        | CIS:71441,2226     |  Put another log
 marc@tanda.isis.org  | NC FreeNet: aa185  |  on the fire.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.0

mQBNAiqxYTkAAAECALfeHYp0yC80s1ScFvJSpj5eSCAO+hihtneFrrn+vuEcSavh
AAUwpIUGyV2N8n+lFTPnnLc42Ms+c8PJUPYKVI8ABRG0I01hcmMgVGhpYmF1bHQg
PG1hcmNAdGFuZGEuaXNpcy5vcmc+
=HLnv
-----END PGP PUBLIC KEY BLOCK-----



Newsgroup: sci.crypt
document_id: 15173
From: grady@netcom.com (1016/2EF221)
Subject: SOURCE to Macintosh PGP 2.2 in C available

*** SOURCE code to Macintosh PGP 2.2 now available via anonymous FTP ***

FTP netcom.com
CD pub/grady
MGET MacPGP2.2src.sea.hqx
MGET MacPGP2.2srcSIGNATURE

Convert to a Compact Pro self-extracting archive with BinHex 4.0.

If appropriate, check the digital signature of the .hqx file with
your copy of PGP.  (Non-Macintosh users wishing to check the digital
signature please note that 'CR' denotes the end-of-line on a Macintosh,
not 'LF' or 'CRLF'.)

For the purposes of the ITAR act, this 'unclassified technical
documentation' is hereby released into the public domain.  (However
no representation is made as to copyright or other commercial rights
that may exist in this package.)

Full source code, Symantec THINK C 5.0.4 projects and full user
documentation is included for both 68020 and 68000 versions of Pretty
Good Privacy, a strong public key encryption and digital signature
application using the RSA algorithm patented in the United States
and the IDEA cipher patented in Switzerland.

No executables are included.

Executables are available via anonymous FTP from:

leif.thep.lu.se (Sweden)
night.nig.ac.jp (Japan)
van-bc.wimsey.bc.ca (Canada)
soda.berkeley.edu (P.R. of Berkeley)
src.doc.ic.ac.uk (United Kingdom)
ghost.dsi.unimi.it (Italy)
plaza.aarnet.edu.au (Australia)
nic.funet.fi (Finland)


Others' public keys are available from anonymous server sites:
(Send message subject "help" for more information.)

Internet sites:
        pgp-public-keys@junkbox.cc.iastate.edu
                Michael Graff
                explorer@iastate.edu
                FTP: tbird.cc.iastate.edu:/usr/explorer/public-keys.pgp
        pgp-public-keys@toxicwaste.mit.edu
                Derek Atkins
                warlord@MIT.EDU
                FTP: toxicwaste.mit.edu:/pub/keys/public-keys.pgp
        pgp-public-keys@phil.utmb.edu
                John Perry
                perry@phil.utmb.edu
                FTP: phil.utmb.edu:/pub/pgp/public-keys.pgp
        pgp-public-keys@demon.co.uk
                Mark Turner
                mark@demon.co.uk
                FTP: ftp.demon.co.uk:/pub/pgp/pubring.pgp

UUCP site:
        pgp-public-keys@jpunix.com
                John Perry
                perry@jpunix.com

The executable application built from these sources has NOT been
licensed by RSA Data Security, Inc. nor has the RSA public key
algorithm or the IDEA block cipher algorithm been approved by
the National Security Agency.

This unclassified technical documentation is made available for
EDUCATIONAL USE ONLY; possession, distribution, or use of an
executable binary built from this source may be a civil or criminal
offense.

Suggested improvements, bugs, or comments should be directly posted
to alt.security.pgp or to the principal developers listed among
the source documents.  General questions and comments about public
key cryptography or the IDEA cipher may be posted to alt.security.pgp
or to the sci.crypt Usenet groups.

-- 
grady@netcom.com  2EF221 / 15 E2 AD D3 D1 C6 F3 FC  58 AC F7 3D 4F 01 1E 2F


Newsgroup: sci.crypt
document_id: 15174
From: kadie@cs.uiuc.edu (Carl M Kadie)
Subject: Re: Fifth Amendment and Passwords

ashall@magnus.acs.ohio-state.edu (Andrew S Hall) writes:

>I am positive someone will correct me if I am wrong, but doesn't the Fifth
>also cover not being forced to do actions that are self-incriminating?
[...]

[From Mike Godwin <mnemonic@eff.org>, posted with permission - Carl]

Sadly, it does not. Suspects can be compelled to give handwriting and
voice exemplars, and to take blood and DNA tests.

> e.g. The police couldn't demand that you silently take them to where the
> body is buried or where the money is hidden.

No, but they could compel you to produce the key to a safe where, as it
happens, evidence that will convict you is stored. 

The crypto-key disclosure issue hasn't come up yet, but current law
suggests that it's a loser for the defendant--he'll be compelled to turn
over the key.

The test for compelled self-incrimination is whether the material to 
be disclosed *in itself* tends to inculpate the discloser. In the example
I gave above, the safe key itself has no testimonial value--ergo, it can
be disclosed under compulsion (e.g., subpoena duces tecum).

Moreover, the government can always immunize the disclosure of a crypto
key--compelling you to disclose the key at the price of not using the fact
of your disclosure as evidence in the case against you. Of course, they
can use whatever they discover as a result of this disclosure against
you.


--Mike





-- 
Carl Kadie -- I do not represent any organization; this is just me.
 = kadie@cs.uiuc.edu =

Newsgroup: sci.crypt
document_id: 15175
From: bob@natasha.portal.com (Bob Cain)
Subject: Re: Pgp, PEM, and RFC's (Was: Cryptography Patents)

Charles Kincy (ckincy@cs.umr.edu) wrote:
: 
: All I have to say is...yeah, right.  If you're willing to pay them
: mucho big bucks and/or use the routines *they* tell you to do.  
: Doesn't sound very reasonable to me.

All I have to say is this is full of shit.  I have negotiated a license
and the bucks are incredibly reasonable with an upfront charge on a
sliding scale depending on your capitalization.  If you are a startup
and can't afford it you can't afford to start up in the first place.
Why do people insist on making unequivocal statements about that which
they know nothing?

: 
: But I don't guess PKP and RSA are interested in big bucks.  Maybe
: they have some other agenda?  Secure communications only for 
: government agents, perhaps?

Have you considered treatment for paranoia?  The government is the
single biggest thorn in RSA's side.

: 
: Some limitation.  Let me guess:  don't use the code in any way PKP or
: RSA doesn't like....such as...providing secure communications for the
: average citizen.

That was exactly its purpose if you know anything about it.  There is
nothing at all preventing the average citizen using it, only selling
it.

: 
: I hope my cynicism is misplaced here.  Go ahead...I'm not afraid to
: be wrong every once in a while.  But, I have an uneasy feeling that I
: am right.  :(

It is and you are wrong yet you emotionally state a bunch of crap as fact
with a tiny disclaimer at the end.  Check your facts first and grow up.
Why is there such a strong correlation between interest in cryptography
and immaturity, I wonder.

Bob Cain (normally rcain@netcom.com)

Newsgroup: sci.crypt
document_id: 15176
From: ld231782@longs.lance.colostate.edu (L. Detweiler)
Subject: Privacy & Anonymity on the Internet FAQ (1 of 3)

Archive-name: net-privacy/part1
Last-modified: 1993/3/3
Version: 2.1


IDENTITY, PRIVACY, and ANONYMITY on the INTERNET
================================================

(c) 1993 L. Detweiler.  Not for commercial use except by permission
from author, otherwise may be freely copied.  Not to be altered. 
Please credit if quoted.

SUMMARY
=======

Information on email and account privacy, anonymous mailing and 
posting, encryption, and other privacy and rights issues associated
with use of the Internet and global networks in general.

(Search for <#.#> for exact section. Search for '_' (underline) for
next section.)

PART 1
====== (this file)

Identity
--------
<1.1> What is `identity' on the internet?
<1.2> Why is identity (un)important on the internet?
<1.3> How does my email address (not) identify me and my background?
<1.4> How can I find out more about somebody from their email address?
<1.5> Why is identification (un)stable on the internet? 
<1.6> What is the future of identification on the internet?

Privacy
-------
<2.1> What is `privacy' on the internet?
<2.2> Why is privacy (un)important on the internet?
<2.3> How (in)secure are internet networks?
<2.4> How (in)secure is my account?
<2.5> How (in)secure are my files and directories?
<2.6> How (in)secure is X Windows?
<2.7> How (in)secure is my email?
<2.8> How am I (not) liable for my email and postings?
<2.9> How do I provide more/less information to others on my identity?
<2.10> Who is my sysadmin?  What does s/he know about me?
<2.11> Why is privacy (un)stable on the internet?
<2.12> What is the future of privacy on the internet?

Anonymity
---------
<3.1> What is `anonymity' on the internet?
<3.2> Why is `anonymity' (un)important on the internet?
<3.3> How can anonymity be protected on the internet?
<3.4> What is `anonymous mail'?
<3.5> What is `anonymous posting'?
<3.6> Why is anonymity (un)stable on the internet?
<3.7> What is the future of anonymity on the internet?


PART 2
====== (next file)

Resources
---------

<4.1> What UNIX programs are related to privacy?
<4.2> How can I learn about or use cryptography?
<4.3> What is the cypherpunks mailing list?
<4.4> What are some privacy-related newsgroups?  FAQs?
<4.5> What is internet Privacy Enhanced Mail (PEM)?
<4.6> What are other Request For Comments (RFCs) related to privacy?
<4.7> How can I run an anonymous remailer?
<4.8> What are references on privacy in email?
<4.9> What are some email, Usenet, and internet use policies?
<4.10> What is the MIT ``CROSSLINK'' anonymous message TV program?

Miscellaneous
-------------

<5.1> What is ``digital cash''?
<5.2> What is a ``hacker'' or ``cracker''?
<5.3> What is a ``cypherpunk''?
<5.4> What is `steganography' and anonymous pools?
<5.5> What is `security through obscurity'?
<5.6> What are `identity daemons'?
<5.7> What standards are needed to guard electronic privacy?

Issues
------

<6.1> What is the Electronic Frontier Foundation (EFF)?
<6.2> Who are Computer Professionals for Social Responsibility (CPSR)?
<6.3> What was `Operation Sun Devil' and the Steve Jackson Game case?
<6.4> What is Integrated Services Digital Network (ISDN)?
<6.5> What is the National Research and Education Network (NREN)?
<6.6> What is the FBI's proposed Digital Telephony Act?
<6.7> What other U.S. legislation is related to privacy on networks?
<6.8> What are references on rights in cyberspace?
<6.9> What is the Computers and Academic Freedom (CAF) archive?

Footnotes
---------

<7.1> What is the background behind the Internet?
<7.2> How is Internet `anarchy' like the English language?
<7.3> Most Wanted list
<7.4> Change history


PART 3
====== (last file)

Anonymizing
-----------

<8.1> What are some known anonymous remailing and posting sites?
<8.2> What are the responsibilities associated with anonymity?
<8.3> How do I `kill' anonymous postings?
<8.4> What is the history behind anonymous posting servers?
<8.5> What is the value of anonymity?
<8.6> Should anonymous posting to all groups be allowed?
<8.7> What should system operators do with anonymous postings?
<8.8> What is going on with anon.penet.fi maintained by J. Helsingius?


* * *


IDENTITY
========

_____
<1.1> What is `identity' on the internet?

  Generally, today people's `identity' on the internet is primarily
  determined by their email address in the sense that this is their
  most unchanging 'face' in the electronic realm.   This is your
  login name qualified by the complete address domain information,
  for example ``ld231782@longs.lance.colostate.edu''.  People see
  this address when receiving mail or reading USENET posts from you
  and in other situations where programs record usage.  Some obsolete
  forms of addresses (such as BITNET) still persist.

  In email messages, additional information on the path that a message
  takes is prepended to the message received by the recipient.  This
  information identifies the chain of hosts involved in the
  transmission and is a very accurate trace of its origination.  This
  type of identify-and-forward protocol is also used in the USENET
  protocol to a lesser extent.  Forging these fields requires
  corrupted mailing software at sites involved in the forwarding and
  is very uncommon.  Not so uncommon is forging the chain at the
  origination point, so that all initial sites in the list are faked
  at the time the message is created.  Tracing these messages can be
  difficult or impossible when the initial faked fields are names of
  real machines and represent real transfer routes.

_____
<1.2> Why is identity (un)important on the internet?

  The concept of identity is closely intertwined with communication,
  privacy, and security, which in turn are all critical aspects of
  computer networks. For example, the convenience of communication
  afforded by email would be impossible without conventions for
  identification.  But there are many potential abuses of identity
  possible that can have very severe consequences, with massive
  computer networks at the forefront of the issue, which can
  potentially either exacerbate or solve these problems.

  Verifying that an identity is correct is called `authentication',
  and one classic example of the problems associated with it is
  H.G. Wells' ``War of the Worlds'' radio broadcast that fooled
  segments of the population into thinking that an alien invasion was
  in progress.  Hoaxes of this order are not uncommon on Usenet and
  forged identities make them more insidious.  People and their
  reputations can be assaulted by forgery.

  However, the fluidity of identity on the internet is for some one of
  its most attractive features. Identity is just as useful as it is
  harmful.  A professor might carefully explain a topic until he
  finds he is talking to an undergraduate. A person of a particular
  occupation may be able to converse with others who might normally
  shun him.  Some prejudices are erased, but, on the other hand, many
  prejudices are useful!  A scientist might argue he can better
  evaluate the findings of a paper as a reviewer if he knows more
  about the authors.  Likewise, he may be more likely to reject it
  based on unfair or irrelevant criteria.  On the other side of the
  connection,  the author may find identities of reviewers useful in
  exerting pressure for acceptance.

  Identity is especially crucial in establishing and regulating
  `credit' (not necessarily financial) and `ownership' and `usage'. 
  Many functions in society demand reliable and accurate techniques
  for identification. Heavy reliance will be placed on digital
  authentication as global economies become increasingly electronic. 
  Many government functions and services are based on identification,
  and law enforcement frequently hinges on it.  Hence, employees of
  many government organizations push toward stronger identification
  structures.  But when does identification invade privacy?

  The growth of the internet is provoking social forces of massive
  proportions. Decisions made now on issues of identity will affect
  many future users, especially as the network becomes increasingly
  global, universal, widespread, and entrenched; and the positive or
  adverse effects of these actions, intended and inadvertent, will
  literally be magnified exponentially.

_____
<1.3> How does my email address (not) identify me and my background?

  Your email address may contain information that influences people's
  perceptions of your background.  The address may `identify' you as
  from a department at a particular university, an employee at a
  company, or a government worker.  It may contain your last name,
  initials, or cryptic identification codes independent of both.  In
  the US some are based on parts of social security numbers.  Others
  are in the form 'u2338' where the number is incremented in the
  order that new users are added to the system.

  Standard internet addresses  also can contain information  on your
  broad geographical location or nationhood.  However, none of this
  information is guaranteed to be correct or be there at all.  The
  fields in the domain qualification of the username are based on
  rather arbitrary organization, such as (mostly invisible) network
  cabling distributions.  The only point to make is that early fields
  in the address are more specific (such as specific computer names
  or local networks) and the later ones the most general (such as
  continental domains).  Typically the first field is the name of the
  computer receiving mail.

  Gleaning information from the email address alone is sometimes an
  inspired art or an inconsistent and futile exercise.  (For more
  information, see the FAQs on email  addresses and known
  geographical distributions below.)  However, UNIX utilities exist
  to aid in the quest (see the question on this).

  Common Suffixes
  ---------------

  .us    United States
  .uk    United Kingdom
  .ca    Canada
  .fi    Finland
  .au    Australia

  .edu   university or college
  .com   commercial organization
  .org   'other' (e.g. nonprofit organization)
  .gov   government
  .mil   military site
 
_____
<1.4> How can I find out more about somebody with a given email address?

  One simple way is to send email to that address, asking.  Another
  way is to send mail to the postmaster at that address (i.e.
  postmaster@address), although the postmaster's job is more to help
  find user ID's of particular people given their real name and solve
  mail routing problems.  The sysadmin (i.e. `root@address') may also
  be able to supply information.  Users with related email address
  may have information.  However, all of these methods rely on the
  time and patience of others so use them minimally.

  One of the most basic tools for determining identity over the
  internet is the UNIX utility 'finger'.  The basic syntax is:

    finger user@here.there.everywhere

  This utility uses communication protocols to query the computer
  named in the address for information on the user named.  The
  response is generated completely by the receiving computer and may
  be in any format.  Possible responses are as follows:

  - A message `unknown host' meaning some aspect of the address is
    incorrect, two lines with no information and '???'.
  
  - A message 'In real life: ???' in which case the receiving computer
    could not find any kind of a match on the username. The finger
    utility may return this response in other situations.
  
  - A listing of information associated with multiple users. Some
    computers will search only for matching user IDs, others will
    attempt to find the username you specified as a substring of all
    actual full names of users kept in a local database.
  
  At some sites 'finger' can be used to get a list of all users on the
  system with a `finger @address'.  In general this is often
  considered weak security, however, because `attackers' know valid
  user ID's to `crack' passwords.

  More information on the fields returned by `finger' is given below. 
  More information on `finger' and locating people's email addresses
  is given in the email FAQ (such as the WHOIS lookup utility).  Just
  as you can use these means to find out about others, they can use
  them to find out about you.  You can `finger' yourself to find out
  what is publicly reported by your UNIX system about you.  Be
  careful when modifying `finger' data; virtually anyone with
  internet access worldwide can query this information.  In one
  amazing case, the New York Times writer J. Markoff uncovered the
  identity of R. Morris, author of the Internet Worm,  through
  the use of an anonymous tip and 'finger'.  See the book Cyberspace
  by K. Hafner and J. Markoff.
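The security remark in this answer, that `finger @address' hands out a list of valid user IDs, is easiest to see from the server side. The block below is an added example and not part of the FAQ or of any finger implementation: a minimal responder for the RFC 1288 query line (`[/W ][user][@host]<CRLF>`) that takes the conservative defaults, refusing the empty-user listing, refusing forwarding to other hosts, and matching login names exactly rather than searching real names. The user database is constructed for the example.

```python
CRLF = "\r\n"

# Constructed sample user database standing in for /etc/passwd, utmp and
# ~/.plan.  Nothing here is a real account.
USERS = {
    "alice": {"real_name": "Alice Example", "tty": "ttyp3", "last_login": "Wed Apr 14 09:01"},
    "bob":   {"real_name": "Bob Example",   "tty": None,    "last_login": "never"},
}


def parse_query(raw: str):
    """Split an RFC 1288 query ('[/W ][user][@host]<CRLF>') into
    (verbose, user, host).  Only the first '@' is honoured."""
    line = raw.rstrip("\r\n")
    verbose = False
    if line.startswith("/W"):
        verbose = True
        line = line[2:].lstrip(" ")
    user, _, host = line.partition("@")
    return verbose, user.strip(), host.strip()


def handle_finger(raw: str, users=USERS, allow_listing: bool = False) -> str:
    """Produce the response text for one query.  Defaults are the
    conservative ones: no user listing, no forwarding, exact login match."""
    verbose, user, host = parse_query(raw)

    # Reject control characters and over-long names before doing any lookup.
    if len(user) > 64 or any(not (32 <= ord(c) < 127) for c in user + host):
        return "Invalid query" + CRLF

    if host:
        # A Q2 query asks this server to relay the question to another
        # host; refuse so the server cannot be used to probe third parties.
        return "Finger forwarding service denied" + CRLF

    if user == "":
        # 'finger @host' lists everyone logged in, which is exactly the
        # username harvest the FAQ warns about; off unless explicitly enabled.
        if not allow_listing:
            return "Finger online user list denied" + CRLF
        rows = ["Login      Name                 TTY    Last login"]
        for login, info in users.items():
            rows.append(f"{login:<10} {info['real_name']:<20} "
                        f"{info['tty'] or '*':<6} {info['last_login']}")
        return CRLF.join(rows) + CRLF

    # Exact login-name match only: substring matches against real names
    # (which some sites do) leak account names to anyone who guesses a first name.
    info = users.get(user)
    if info is None:
        return f"Login: {user}{CRLF}In real life: ???{CRLF}"

    rows = [f"Login: {user}", f"In real life: {info['real_name']}"]
    if verbose:
        rows.append(f"On since {info['last_login']} on {info['tty']}" if info["tty"]
                    else f"Last login {info['last_login']}")
    return CRLF.join(rows) + CRLF


if __name__ == "__main__":
    for q in ("\r\n", "alice\r\n", "/W mallory\r\n", "alice@other.example\r\n"):
        print(repr(q), "->", handle_finger(q))
```

The "In real life: ???" line is the same response the answer above describes for an unknown user; returning it for every miss, rather than a different message when the login exists but has no real name recorded, keeps the reply from confirming which IDs are valid.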

_____
<1.5> Why is identification (un)stable on the internet?

  Generally, identity is an amorphous and almost nonexistent concept
  on the Internet for a variety of reasons.  One is the inherent
  fluidity of `cyberspace' where people emerge and submerge
  frequently, and absences are not readily noted in the `community'. 
  Most people remember faces and voices, the primary means of casual
  identification in the 'real world'.  The arbitrary and cryptic
  sequences of letters and digits comprising most email addresses are
  not particularly noticeable or memorable and far from a unique
  identification of an individual, who may use multiple accounts on
  multiple machines anywhere in the world.

  Currently internet users do not really have any great assurances
  that the messages in email and USENET are from who they appear to
  be. A person's mailing address is far from an identification of an
  individual.  
  
  - Anyone with access to the account, e.g. they know the password,
    either legitimately or otherwise, can send mail with that address
    in the From: line.
  
  - Email addresses for an individual tend to change frequently as
    they switch jobs or make moves inside their organizations. 

  - As part of current mailing protocol standards, forging the From:
    line in mail messages is a fairly trivial operation for many
    hackers.
    
  The status and path information prepended to messages by
  intermediate hosts is generally unforgeable. In general, while
  possible, forgeries are fairly rare on most newsgroups and in
  email.  Besides these pathological cases above there are many basic
  problems with today's internet protocols affecting identification
  on the internet:

  - Internet mail standards, described in RFC-822, are still evolving
    rapidly and not entirely orderly.  For example, standards for
    mail address `munging' or `parsing' tend to vary slightly between
    sites and frequently mean the difference between finding
    addresses and bouncing mail.
  
  - Domain names and computer names are frequently changed at sites,
    and there are delays in the propagation of this data.
  
  - Addresses cannot be resolved when certain critical computers
    crash, such as the receiving computer or other computers involved
    in resolving names into addresses called `nameservers'. 
  
  - A whole slew of problems is associated with  `nameservers'; if
    they are not updated they will not find name addresses, and even
    the operation of what constitutes `updating' has different
    interpretations at different sites.
  
  The current internet mailing and addressing protocols are slightly
  anachronistic in that they were created when the network was
  somewhat obscure and not widespread, with only a fraction of the
  traffic it now sees.  Today a large proportion of internet traffic
  is email, comprising  millions of messages.
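Sections <1.1> and <1.5> both make the same practical point: the Received: chain stamped by intermediate hosts is the reliable part of a message's origin, while the From: line and any Received: lines the sender wrote into the message before handing it off are not. The block below is an added example, not part of the FAQ: it parses the Received: headers of a constructed message, walks them from the hop nearest the recipient backwards, and marks a hop as verified only while every stamp above it was written by a host the recipient's site operates. The message, host names and addresses (RFC 5737 documentation ranges) are all constructed; `trusted_hosts` is assumed to be the set of mail hosts under the reader's own administration.

```python
import email
import re
from typing import Dict, List, Optional, Set

# Constructed message: a mail that arrived at our mailhost via our relay.
# The bottom Received: line claims an earlier hop, but it was written by
# cs.example.edu, a host we do not operate, so nothing below the relay's
# own line can be trusted.
SAMPLE_MESSAGE = """\
Received: from relay.example.edu (relay.example.edu [192.0.2.10]) by mailhost.example.edu with SMTP id A1; Wed, 14 Apr 1993 10:01:02 -0500
Received: from cs.example.edu (cs.example.edu [192.0.2.20]) by relay.example.edu with SMTP id B2; Wed, 14 Apr 1993 10:00:50 -0500
Received: from friendly.example.org by cs.example.edu with SMTP id C3; Wed, 14 Apr 1993 10:00:40 -0500
From: someone@friendly.example.org
To: user@example.edu
Subject: constructed test message

body
"""

_FROM = re.compile(r"\bfrom\s+(\S+)(?:\s*\(([^)]*)\))?", re.I)
_BY = re.compile(r"\bby\s+(\S+)", re.I)


def parse_received(header: str) -> Dict[str, Optional[str]]:
    """Pull the from/by hosts, the receiving host's comment (usually
    reverse DNS plus [ip]) and the timestamp out of one Received: header."""
    text = " ".join(header.split())              # unfold the header
    clause, _, stamp = text.rpartition(";")
    m_from = _FROM.search(clause)
    m_by = _BY.search(clause)
    return {
        "from": m_from.group(1) if m_from else None,
        "from_comment": m_from.group(2) if m_from else None,
        "by": m_by.group(1) if m_by else None,
        "date": stamp.strip() or None,
    }


def trace_hops(raw: str, trusted_hosts: Set[str]) -> List[Dict]:
    """Return hops in chronological order (origin first).  A hop is
    'verified' only if it was stamped by a host we operate and no
    untrusted host sits between it and us."""
    msg = email.message_from_string(raw)
    hops = [parse_received(h) for h in msg.get_all("Received", [])]
    verified = True          # top of the header block is the hop nearest us
    for hop in hops:         # walk newest -> oldest
        if hop["by"] is None or hop["by"].lower() not in trusted_hosts:
            verified = False  # from here back, anyone could have written these
        hop["verified"] = verified
    hops.reverse()
    return hops


def earliest_reliable_origin(hops: List[Dict]) -> Optional[str]:
    """The 'from' field of the oldest verified hop: the furthest point the
    message can be traced with confidence.  The receiving host's own
    comment on that hop carries the peer address it actually saw."""
    for hop in hops:          # chronological, so the first verified hop is oldest
        if hop["verified"]:
            return hop["from"]
    return None


if __name__ == "__main__":
    ours = {"mailhost.example.edu", "relay.example.edu"}
    for hop in trace_hops(SAMPLE_MESSAGE, ours):
        flag = "verified  " if hop["verified"] else "unverified"
        print(f"{flag} from {hop['from']} by {hop['by']} at {hop['date']}")
    print("earliest reliable origin:", earliest_reliable_origin(trace_hops(SAMPLE_MESSAGE, ours)))
```

On the constructed message the trace stops at cs.example.edu, the host that connected to our relay; the hop it claims from friendly.example.org, and the From: line that agrees with it, are exactly the "initial faked fields" <1.1> describes and cannot be confirmed from the headers alone.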

_____
<1.6> What is the future of identification on the internet?

  Some new technologies and standards are introducing facial images
  and voice messages  into mail and these will improve the sense of
  community that comes from the familiarity of identification.
  However, they are not currently widespread, require large amounts
  of data transfer, standardized software, and make some compromises
  in privacy.

  Promising new cryptographic techniques may make 'digital signatures'
  and 'digital authentication' common (see below).  Also, the trend
  in USENET standards is toward greater authentication of posted
  information.  On the other hand, advances in ensuring anonymity
  (such as remailers) are forthcoming.  See below.


PRIVACY
=======

_____
<2.1> What is `privacy' on the internet?

  Generally, while `privacy' has multiple connotations in society and
  perhaps even more on the internet, in cyberspace most take it to
  mean that you have exclusive use and access to your account and the
  data stored on and directed to it (such as email), and you do
  not encounter arbitrary restrictions or searches.  In other words, 
  others may obtain data associated with your account, but not
  without your permission.  These ideas are probably both fairly
  limiting and liberal in their scope in what most internet users
  consider their private domains.  Some users don't expect or want
  any privacy, some expect and demand it.

_____
<2.2> Why is privacy (un)important on the internet?

  This is a somewhat debatable and inflammatory topic, arousing
  passionate opinions.  On the internet, some take privacy for
  granted and are rudely surprised to find it tenuous or nonexistent.
  Most governments have rules that protect privacy (such as the
  illegal search and seizure clause of the U.S. constitution, adopted
  by others) but have many that are antithetical to it (such as laws
  prohibiting secret communications or allowing wiretapping). These
  rules generally carry over to the internet with few specific rules
  governing it.  However, the legal repercussions of the global
  internet are still largely unknown and untested (i.e. no strong
  legal precedents and court cases).  The fact that internet traffic
  frequently passes past international boundaries, and is not
  centrally managed, significantly complicates and strongly
  discourages its regulation.

_____
<2.3> How (in)secure are internet networks?

  - `Theoretically' people at any site in the chain of sites with
    access to hardware and network media that transmits data over the
    Internet  could potentially monitor or archive it. However, the
    sheer volume and general 'noise' inherent to this data makes
    these scenarios highly improbable, even by government agencies
    with supposedly vast funding and resources.
  
  - Technologies exist to `tap' magnetic fields given off by
    electrical wires without detection.  Less obscurely, any machine
    with a network connection is a potential station for traffic
    detection, but this scenario requires knowledge and access to
    very low-level hardware (the network card) to pursue, if even
    possible.
  
  - A company Network General Inc. is one of many that manufactures
    and markets sophisticated network monitoring tools that can
    'filter' and read packets by arbitrary criteria for
    troubleshooting purposes, but the cost of this type of device is
    prohibitive for casual use.

  Known instances of the above types of security  breaches at a major
  scale (such as at network hubs) are very rare. The greatest risks
  tend to emerge locally.  Note that all these approaches are almost
  completely defused with the use of cryptography.
    
_____
<2.4> How (in)secure is my account?

  By default, not very.  There are a multitude of factors that may
  reinforce or compromise aspects of your privacy on the internet. 
  First, your account must be secure from other users. The universal
  system is to use a password, but if it is `weak' (i.e. easy to
  guess) this security is significantly diminished.  Somewhat
  surprisingly and frighteningly to some, certain  users of the
  system, particularly the administrator, generally have unlimited
  access regardless of passwords, and may grant that access to
  others.  This means that they may read any file in your account
  without detection.

  Furthermore, not universally known, most UNIX systems keep fairly
  extensive accounting records of when and where you logged in, what
  commands you execute, and when they are executed (in fact, login
  information is usually public). Most features of this `auditing' or
  `process accounting' information are enabled by default after the
  initial installation and the system administrator may customize it
  to strengthen or weaken it to satisfy performance or privacy aims. 
  This information is frequently consulted for troubleshooting
  purposes and may otherwise be ignored.  This data tracks
  unsuccessful login attempts and other 'suspicious' activities on
  the system. A traditional part of the UNIX system that tracks user
  commands is easily circumvented by the user with the use of
  symbolic links (described  in 'man ln').
  
  UNIX implementations vary widely, particularly in tracking features,
  and new sophisticated mechanisms are introduced by companies
  regularly. Typically system administrators augment the basic UNIX
  functionality with public-domain programs and locally-developed
  tools for monitoring, and use them only to isolate `suspicious'
  activity as it arises (e.g. remote accesses to the 'passwd' file,
  incorrect login attempts, remote connection attempts, etc.).
  
  Generally, you should expect little privacy on your account for
  various reasons:
  
  - Potentially, every keystroke you type could be intercepted by
    someone else. 

  - System administrators make extensive backups that are completely
    invisible to users which may record the states of an account over
    many weeks. 

  - Erased files can, under many operating systems, be undeleted. 

  - Most automated services keep logs of use for troubleshooting or
    otherwise; for example FTP sites usually log the commands and
    record the domain originations of users, including anonymous
    ones.

  - Some software exacerbates these problems.  See the section on
    ``X Windows (in)security''.

  Independent of malevolent administrators are fellow users, a much
  more common source of harm. There are multiple ways to help ensure
  that your account will not be accessed by others, and compromises
  can often be traced to failures in these guidelines:

  - Choose a secure password.  Change it periodically.
  - Always log out.
  - Do not leave a machine unattended for long.
  - Make sure no one watches you when you type your password.
  - Avoid password references in email.
  - Be conservative in the use of the .rhosts file.
  - Use utilities like `xlock' to protect a station, but be
    considerate.

  Be wary of situations where you think you should supply your
  password.  There are only a few basic situations where UNIX
  prompts you for a password: when you are logging in to a system or
  changing your password.  Situations can arise in which prompts for
  passwords are forged by other users, especially in cases where you
  are talking to them (such as Internet Relay Chat).  Also, be aware
  that forged login screens are one method to illegitimately obtain
  passwords.


  (Thanks to Jim Mattson <mattson@cs.ucsd.edu> for contributions
  here.)

_____
<2.5> How (in)secure are my files and directories?

  The most important privacy considerations are related to file
  rights, and many lapses can be traced to their misunderstood nature
  or haphazard maintenance. Be aware of the rights associated with
  your files and directories in UNIX. If the `x' (`execute') right on
  your home directory is off for everyone but you (group and other),
  other users cannot gain information on anything in your
  directories.  Anything more permissive may allow others to read,
  change, or even delete files in your home directory. The rights on
  a directory supersede the rights associated with files in that
  directory. For a directory, `x' means that access to the files (or
  subdirectories) in the directory is possible -- if you know their
  names.  To list the contents of the directory, however, requires
  the `r' right.
 
  By default most accounts are accessible only to the owner, but the
  initial configuration varies between sites based on administrator
  preference.  The default file mode specifies the initial rights
  associated with newly created files, and can be set in the shell
  with `umask'.  The details of rights implementations tend to vary
  between versions of UNIX.  Consult man pages on `chmod' and `ls'.

  Examples
  --------

    traver.lance % ls -ld ~
    drwx------ 15 ld231782     1536 Jan 31 21:22 /users/ld231782/

  Here is a listing of the rights associated with a user's home
  directory, denoted by `~'.  The columns at the left identify what
  rights are available. The first column identifies the entry as a
  directory, and the next three columns mean that read, write, and
  execute rights, respectively, are permitted for that user.  For
  directories, the `r' right allows the contents (file and
  subdirectory names) to be listed and the `x' right allows them to
  be reached, as described above. The subsequent columns indicate
  that no other users have any rights to anything in the directory
  tree originating at that point.  They can't even `see' any lower
  files or subdirectories; the hierarchy is completely invisible to
  them.

    traver.lance % ls -l msg
    -rw-r--r--  1 ld231782   35661 Jan 29 23:13 msg
    traver.lance % chmod u=rw,g=,o= msg
    traver.lance % ls -l msg
    -rw-------  1 ld231782   35661 Jan 29 23:13 msg

  Here the modes on the file `msg' were changed to take away rights
  from `group' and `other'. 
  
  Note that `ls -l <directory>' requires both the `r' right to get
  the list of files and subdirectories, and the `x' right to access
  the files and subdirectories in order to get their size, etc. For
  example, if the directory `foo' has rights dr--r--r--, the
  following is possible:

    ls foo

  These commands would fail regardless of the rights on the files inside:
  
    ls -l foo
    ls -l foo/file
    cat foo/file
    cd foo

  If the directory `foo' has rights d--x--x--x, the following are
  possible if it is known beforehand that `foo' contains a readable
  (`r' right) file named `file':
  
    ls -l foo/file
    cat foo/file
    cd foo
  
  The following commands fail:
  
    ls foo
    ls -l foo
  

  (Thanks to Uwe Waldmann <uwe@mpi-sb.mpg.de> for contributions here.)
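  To make the directory rules above concrete, here is an added example
  (not part of the FAQ) that interprets `ls -l' mode fields, applies
  symbolic `chmod' specs such as the `u=rw,g=,o=' one shown, predicts
  what each class of user can do with a directory, and computes the mode
  a `umask' yields; all function names are the example's own.

```python
"""Interpret `ls -l' mode strings and symbolic chmod specs, and predict
what the r/w/x rights on a directory allow, following the rules given in
the FAQ.  Added example, not part of the FAQ; the function names are the
example's own."""

CLASSES = ("owner", "group", "other")   # order of the three rwx triples
WHO = {"u": "owner", "g": "group", "o": "other"}


def parse_mode(mode_str):
    """Parse the 10-character mode field of `ls -l' (e.g. 'drwx------')
    into (is_dir, {class: set of rights})."""
    if len(mode_str) != 10:
        raise ValueError("expected a 10-character mode field")
    rights = {}
    for i, cls in enumerate(CLASSES):
        triple = mode_str[1 + 3 * i:4 + 3 * i]
        rights[cls] = {c for c in triple if c in "rwx"}
    return mode_str[0] == "d", rights


def format_mode(type_char, rights):
    """Inverse of parse_mode: rebuild the `ls -l' mode field."""
    return type_char + "".join(
        "".join(c if c in rights[cls] else "-" for c in "rwx")
        for cls in CLASSES)


def chmod_symbolic(mode_str, spec):
    """Apply a symbolic chmod spec such as 'u=rw,g=,o=' or 'go-rx' to a
    mode string and return the resulting mode string.  Supports the
    u/g/o/a classes and the =, + and - operators (no setuid/sticky)."""
    _, rights = parse_mode(mode_str)
    for clause in spec.split(","):
        idx = next((i for i, c in enumerate(clause) if c in "=+-"), None)
        if idx is None:
            raise ValueError("clause needs one of =, + or -: " + clause)
        who, op, perms = clause[:idx] or "a", clause[idx], set(clause[idx + 1:])
        if not perms <= set("rwx"):
            raise ValueError("unsupported permission letters in " + clause)
        targets = CLASSES if "a" in who else [WHO[w] for w in who]
        for cls in targets:
            if op == "=":
                rights[cls] = set(perms)
            elif op == "+":
                rights[cls] |= perms
            else:
                rights[cls] -= perms
    return format_mode(mode_str[0], rights)


def directory_access(mode_str, cls):
    """What a user in class `cls` can do with a directory: 'r' lists the
    names in it (ls foo); 'x' lets known names be reached (cat foo/file,
    cd foo); both are needed for a long listing (ls -l foo); 'w' together
    with 'x' lets entries be created or removed."""
    is_dir, rights = parse_mode(mode_str)
    if not is_dir:
        raise ValueError("not a directory mode: " + mode_str)
    r = rights[cls]
    return {
        "list_names": "r" in r,
        "reach_known_entries": "x" in r,
        "long_listing": "r" in r and "x" in r,
        "create_or_delete": "w" in r and "x" in r,
    }


def apply_umask(umask, base=0o666):
    """Mode of a newly created file under a given umask; pass base=0o777
    for directories.  umask 077 gives a private 600, umask 022 gives 644."""
    return base & ~umask
```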

_____
<2.6> How (in)secure is X Windows?

  X Windows is the primary software developed by the MIT Athena
  project which is funded by U.S. government grants to develop
  applications to harness the power of networks in enhancing
  computational tasks, particularly the human-computer interface. 
  The software implements a client-server interface to a computer via
  graphical windows. In this case the `client' is the application
  requesting or utilizing graphical resources (such as windows or a
  mouse) and the `server' is the machine that provides them.  In many
  situations the client is an application program running on the same
  machine as the server.

  The great utility of X Windows comes from its complete dissociation
  of the client and server so that windows may be `broadcast' to a
  server at a remote location from the client. Unfortunately this
  dynamic power also introduces many deep, intricate, and complicated
  security considerations.  The primary security and privacy issue
  associated with X Windows is that much more sensitive data may be
  sent over a network, and over wider regions, than in the case where
  the human is situated near the host computer.  Currently there is
  no encryption of data such as screen updates and keystrokes in X
  Windows.

  Due to either intentional design decisions or unintentional design
  flaws, early versions of the X Window system are extremely
  insecure. Anyone with an account on the server machine can disrupt
  that display or read it electronically, since the device unix:0.0
  is accessible to any regular user.   There are no protections
  from this type of access in these versions.   The problem arises
  because the security is completely based on machine addresses
  rather than users, such that any user at a `trusted' machine is
  himself trusted. Quoting from X documentation (man Xsecurity):
  
  > Any client on a host in the host access control list is allowed
  > access to the X server. This system can work reasonably well in
  > an environment where everyone trusts everyone, or when only a
  > single person can log into a given machine...This system does not
  > work well when multiple people can log in to a single machine and
  > mutual trust does not exist. 
  
  With the access control list, the `xhost' command may prevent some
  naive attempts (i.e. those other than the direct-access unix:0.0
  evasion); the syntax as typed on the host machine is ``xhost
  +[name]'' where [name] is the domain name or internet address of an
  authorized client machine. By default, clients on machines other
  than the host are refused.  Public domain programs that disrupt a
  display momentarily (`flip' it, for instance), slowly mirror the
  screen image, or cause pixels to `melt' down to the bottom have
  been circulating on the internet among hackers for several years
  and played as pranks on unsuspecting or inexperienced users.  Much
  more serious security breaches are conceivable from similar
  mechanisms exploiting these inherent weaknesses.  (The minimal,
  easily-bypassed `trusted' security mode of `xhost' has been
  jokingly referred to as ``X Hanging Open, Security Terrible.'')

  New versions of the X Window system (X11R5 and higher) by default
  make server access as secure as the file system using a .Xauthority
  file and `magic cookies'.  Remote machines must have a code in the
  .Xauthority file in the home directory that matches the code
  allowed by the server.  Many older programs and even new
  vendor-supplied code do not support or are incompatible with
  `magic cookies'. The basic magic cookie mechanism is vulnerable to
  the monitoring techniques described earlier because no encryption
  of keys occurs in transmission.  X11R5 also includes other, more
  sophisticated encryption-based mechanisms.  Try `man Xsecurity' to
  find out what is supported at your site.  Even though improved
  security mechanisms have been available in X Windows since ~1990,
  local sites often update this software infrequently because
  installation is extremely complex.


  (Thanks to Marc Vanheyningen <mvanheyn@whale.cs.indiana.edu>, 
  Jim Mattson <mattson@cs.ucsd.edu>, and Bill Marshall
  <marshall@cs.iastate.edu> for contributions here.)

_____
<2.7> How (in)secure is my email?

  By default, not very.  The characters that you are reading are
  almost certainly encoded in ASCII, the American Standard Code for
  Information Interchange that maps alphabetic and symbolic
  characters onto numeric codes and vice versa.  Virtually every
  computer system uses this code, and if not, has ways of converting
  to and from it.  When you write a mail message, by default it is
  being sent in ASCII, and since the standard is virtually
  universal, there is no intrinsic privacy.  Despite millennia's worth
  of accumulated cryptographic knowledge, cryptographic technologies
  are only recently being established that afford high priority to
  privacy as a primary criterion in computer and network design.  Some
  potential pitfalls in privacy are as follows:

  - The most serious threats are instances of immature or unscrupulous
    system operators reading private mail in the `spool files' at a
    local site (i.e. at the source or destination of the message),
    such as a university. 
  
  - System administrators may also release files to law enforcement
    agencies, but conventions and protocols for warrants involving
    computer searches have still not been strongly established and
    tested legally.

  - Note that bounced messages go to postmasters at a given site in
    their entirety.  This means that if you address mail with an
    incorrect address it has a good chance of being seen by a human
    other than the recipient.

  - Typically new user accounts are set up such that the local mail
    directory is private, but this is not guaranteed and can be
    overridden.

  - Finally, be aware that some mailing lists (email addresses of
    everyone on a list) are actually publicly accessible via mail
    routing software mechanisms.  This `feature' can be disabled.

  Most potential compromises in email privacy can be thoroughly
  avoided with the use of strong end-to-end cryptography, which has
  its own set of caveats (for example, unscrupulous administrators
  may still be a threat if the encryption site is shared or
  nonlocal).  See the sections on ``email privacy'' and ``email
  policies.''

_____
<2.8> How am I (not) liable for my email and postings?

  As punishment or whatever, your system administrator can revoke
  certain `privileges' such as emailing, USENET posting or reading
  certain groups, file transferring, remote communications, or
  generally any subset of capabilities available from your account. 
  This all is completely at the discretion of the local administrator
  and under the procedures followed at a particular site, which in
  many cases are haphazard and crisis-oriented.  Currently there are
  virtually no widespread, uniform guidelines or procedures for
  restricting use to any internet services, and local administrators
  are free to make arbitrary decisions on access.

  Today punitive measures are regularly applied in various situations.
  In the typical scenario complaint(s) reach a system administrator
  regarding abuses by a user, usually but not necessarily preceded by
  complaints to the user in email, regarding that person's
  objectionable email or postings.  `Abusive' posters to USENET are
  usually first given admonitions from their system administrators as
  urged by others on the `net'. (The debate persists endlessly on
  many newsgroups whether this is also used as a questionable means
  of attacking or silencing `harmless crackpots' or censoring
  unpopular opinions.)
  
  System administrators at remote sites regularly cooperate to
  'squelch' severe cases of abuse.  In general, however, by tradition
  Usenet readers are remarkably tolerant of diverse views and uses of
  the system, but a colorful vocabulary of slang helps describe
  their alternatives when this patience is sapped: the options
  wielded by the individual user are to simply advance to the next
  message (referred to as ``hitting the `n' key''), or to `plonk'
  annoying posters (according to the Hacker's Dictionary, the sound a
  jerk makes at the end of a fall to the bottom of a kill file).

  In cases where punitive actions are applied, generally system
  administrators are least likely to restrict email.  USENET postings
  are much more commonly restricted, either to individual users or 
  entire groups (such as a university campus).  Restrictions are most
  commonly associated with the following `abuses':

  - harassing or threatening notes, `email terrorism'
  - illegal uses, e.g. piracy or propagation of copyrighted material
  - `ad hominem' attacks, i.e. insulting the reputation of the
    poster instead of citing the content of the message
  - intentional or extreme vulgarity and offensiveness
  - inappropriate postings, esp. binary files in regular groups
  - `mail-bombing': inundating mail boxes with numerous or massive
    files

  Major problems originate from the lack of a distinction between
  private and official email or postings.  Most users have internet
  access via accounts at businesses or universities and their
  activities on the internet can be construed as representative of
  their parent organizations. Many people put disclaimers in their
  `signatures' in an attempt to dissociate their identity and
  activities from parent organizations as a precaution. A recent
  visible political case involves the privacy of electronic mail
  written by White House staff members of the Bush administration.
  Following are some guidelines:

  - Acquaint yourself with your company or university policy.
  - If possible, avoid use of your company email address for private
    communication.
  - Use a disclaimer.
  - Keep a low profile (avoid `flamewars' or simply don't post).
  - Avoid posting information that could be construed to be
    proprietary or `internal'.

  The following references are available from ftp.eff.com
  (see also the section on ``internet use policies''):

  /pub/academic/banned.1991
  /pub/academic/banned.1992
  ---
    Computer material that was banned/challenged in academia in 1991
    and 1992 including USENET hierarchies.

  /pub/academic/cases
  ---
    This is an on-line collection of information about specific
    computers and academic freedom cases. File README is a detailed
    description of the items in the directory.

  /pub/academic/faq/netnews.liability
  ---
    Notes on university liability for Usenet.

_____
<2.9> How do I provide more/less information to others on my identity?

  The public information of your identity and account is mostly
  available through the UNIX utility `finger' described above.

  - You have control over most of this information with the utility
    `chfn'; the specifics vary between sites (on some systems use
    `passwd -f').

  - You can provide unlimited information in the .plan file which is
    copied directly to the destination during the fingering.

  - A technique that works at some sites allows you to find out who is
    `finger'ing you and even to vary the .plan file sent to them.

  - Your signature is determined by the environment variable SIGNATURE.

  - USENET signatures are conventionally stored in the .signature file
    in your home directory.
    
  Providing less information on your online identity is more difficult
  and involved.  One approach is to ask your system administrator to
  change or delete information about you (such as your full name).
  You may be able to obtain access on a public account or one from
  someone unrelated to you personally.  You may be able to remotely
  login (via modem or otherwise) to computers that you are not
  physically near.  These are tactics for hiding or masking your
  online activities but nothing is foolproof.  Consult man pages on
  the `chmod' command and the default file mode.  Generally, files on
  a shared system have good safeguards within the user pool but very
  little protection is possible from corrupt system administrators.

  To mask your identity in email or on USENET you can use different
  accounts. More untraceable are new `anonymous posting' and
  remailing services that are very recently being established.  See
  below.

______
<2.10> Who is my sysadmin?  What does s/he know about me?

  The requirements and screening for getting a system administration
  job (and thereby access to all information on a system) vary widely
  between sites and are sometimes frighteningly lax, especially at
  universities.  Many UNIX systems at universities are largely
  managed by undergraduates with a background in computing and often
  `hacking'.  In general, commercial and industrial sites are more
  strict on qualifications and background, and government sites are
  extremely strict.

  The system administrator (root user) can monitor what commands you
  used and at what times.  S/he may have a record (backups) of files
  on your account over a few weeks. S/he can monitor when you send
  email or post USENET messages, and potentially read either.  S/he
  may have access to records indicating what hosts you are using,
  both locally and elsewhere.  Administrators sometimes employ
  specialized programs to track `strange' or `unusual' activity,
  which can potentially be misused.

______
<2.11> Why is privacy (un)stable on the internet?

  For the numerous reasons listed above, privacy should not be an
  expectation with current use of the internet.  Furthermore, large
  parts of the internet are funded by the U.S. NSF (National Science
  Foundation) which places certain restrictions on its use (such as
  prohibiting commercial use).  Some high-level officials in this and
  other government agencies may be opposed to emerging techniques to
  guarantee privacy (such as encryption and anonymous services).

  Historically the major threats to privacy on the internet have been
  local. Perhaps the most common example of this is the widespread
  refusal of university administrators to carry some portion of
  USENET newsgroups labelled as `pornographic'. The `alternative'
  hierarchy in the USENET system, which has virtually no restrictions
  on propagation and new group creation, is frequently targeted
  (although this material may appear anywhere).

  From the global point of view traffic is generally completely
  unimpeded on the internet and only the most egregious offenders
  are pursued.  For example, verbatim transcriptions of copyrighted
  material (such as newspaper or magazine articles) are posted to
  USENET with regularity without major consequences (some email
  complaints may ensue).  More astonishing to some is that currently
  significant portions of USENET traffic, and less so internet
  traffic, consist of sexually-explicit digitized images almost
  entirely originating from copyrighted material (newsgroups such as
  `alt.sex' regularly have the highest traffic).
  
______
<2.12> What is the future of privacy on the internet?

  Some argue that the internet currently has an adequate or
  appropriate level of privacy.  Others will argue that as a
  prototype for future global networks it has woefully inadequate
  safeguards.  The internet is growing to become a completely global,
  international superhighway for data, and this traffic will
  inevitably entail data such as voice messages, postal mail, and
  many other items of extremely personal nature. Computer items that
  many people consider completely private (such as their local hard
  drives) will literally be inches from global network connections.
  Also, sensitive industrial and business information is exchanged
  over networks currently and this volume may conceivably merge with
  the internet.
  
  Most would agree that, for these basic but sensitive uses of the
  internet, no significant mechanisms are currently in place to
  ensure much privacy. New standards are calling for uniform
  introduction of `privacy enhanced mail' (PEM) which uses encryption
  technologies to ensure privacy, so that privacy protection is
  automatic, and may significantly improve safeguards.

  The same technology that can be extremely destructive to privacy
  (such as with surreptitious surveillance) can be overwhelmingly
  effective in protecting it (e.g. with encryption). Some government
  agencies are opposed to unlimited privacy in general, and believe
  that it should lawfully be forfeited in cases of criminal conduct
  (e.g. court-authorized wiretapping).  However, powerful new
  technologies to protect privacy on computers are becoming
  increasingly popular, provoking some to say that ``the cat is out
  of the bag'' and the ``genie can't be put back in the bottle''.  In
  less idiomatic terms, they believe that the spread of strong
  cryptography is already underway and will be socially and
  technically unstoppable.
  
  To date, no feasible system that guarantees both secure
  communication and government oversight has been proposed (the two
  goals are largely incompatible). Proposals for ``registration'' of
  secret keys (by D. Denning on sci.crypt, for example) have been met
  with hot controversy at best and ridicule and derision at worst,
  mainly because of concerns for the right to privacy and objections
  of inherent feasibility.  Electronic privacy issues, and
  particularly the proper roles of networks and the internet, will
  foreseeably become highly visible and explosive over the next few
  years.


ANONYMITY
=========

_____
<3.1> What is `anonymity' on the internet?

  Simply stated, anonymity is the absence of identity, the
  ultimate in privacy. However, there are several variations on
  this simple theme.  A person may wish to be consistently
  identified by a certain pseudonym or `handle' and establish a
  reputation under it in some area, providing pseudo-anonymity.
  A person may wish to be completely untraceable for a single
  one-way message (a sort of `hit-and-run'). Or, a person may
  wish to be openly anonymous but carry on a conversation with
  others (with either known or anonymous identities) via an
  `anonymous return address'.  A user may wish to appear as a
  `regular user' but actually be untraceable.  Sometimes a user
  wishes to hide who he is sending mail to (in addition to the
  message itself). The anonymous item itself may be directed at
  individuals or groups.  A user may wish to access some
  service and hide all signs of the association.
  
  All of these uses are feasible on the internet but are currently
  tricky to carry out in practice, because of all the tracking
  mechanisms inherent to operating systems and network protocols. 
  Officials of the NSF and other government agencies may be opposed
  to any of these uses because of the potential for abuse. 
  Nevertheless, the inherent facelessness of large networks will
  always guarantee a certain element of anonymity.

_____
<3.2> Why is `anonymity' (un)important on the internet?

  Anonymity is another powerful tool that can be beneficial or
  problematic depending on its use.  Arguably the absence of
  identification is as important as the presence of it.  It may be
  the case that many strong benefits from electronic anonymity will
  be discovered that were unforeseen and unpredicted, because true
  anonymity has been historically very difficult to establish.

  One can use anonymity to make personal statements to a colleague
  that would sabotage a relationship if stated openly (such as
  employer/employee scenarios).  One can use it to pass information
  and evade any threat of direct retribution.  For example,
  `whistleblowers' reporting on government abuses (economic, social,
  or political) can bring issues to light without fear of stigma or
  retaliation. Sensitive, personal, potentially damaging information
  is often posted to some USENET groups, a risky situation where
  anonymity allows conversations to be carried on completely
  independent of the identities of the participants.  Some police
  departments run phone services that allow anonymous reporting of
  crimes; such uses would be straightforward on the network.
  Unfortunately, extortion and harassment become more insidious with
  assurances of anonymity.

_____
<3.3> How can anonymity be protected on the internet?

  The chief means, as alluded to above, are masking identities in
  email and posting. However, anonymous accounts (public accounts as
  accessible and anonymous as e.g. public telephones) may be
  effective as well, but this use is generally not officially
  supported and even discouraged by some system administrators and
  NSF guidelines.  The nonuniformity in the requirements of obtaining
  accounts at different sites and institutions makes anonymous
  accounts generally difficult for the public at large to obtain.

  Many communications protocols are inherently detrimental to
  anonymity.  Virtually every protocol in existence currently
  contains information on both sender and receiver in every packet.
  New communications protocols will likely develop that guarantee
  much higher degrees of secure anonymous communication.

_____
<3.4> What is `anonymous mail'?

  One approach to `anonymizing' mail has been to set up an `anonymous
  server' that, when activated by email to its address, responds by
  allocating and supplying an `anonymous ID' that is unique to the
  person requesting it (based on his email address).  This will vary
  for the same person for different machine address email
  originations. To send anonymous mail, the user sends email directed
  to the server containing the final destination. The server
  `anonymizes' the message by stripping off identifying information
  and forwards the message, which then appears to originate only from
  the anonymous server, under the corresponding anonymous user ID.
  This is the `interactive' use of anonymity or pseudonymity
  mentioned above.
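  The following is an added example (not the code of any real anonymous
  server) modelling the scheme just described: a stable anonymous ID per
  real address, sender-identifying headers stripped, a trailing signature
  block dropped, and the message forwarded to the destination named in a
  header.  It also guards against two of the bugs the FAQ lists later (an
  ID reallocated to a second user, and signatures forwarded unaltered).
  The server domain `anon.example' and the `X-Anon-To' header name are
  assumptions of this example.

```python
"""Model of the `anonymous server' the FAQ describes.  Added example, not
the code of any real server; SERVER_DOMAIN and the X-Anon-To header are
assumptions of this example."""
import email.utils

SERVER_DOMAIN = "anon.example"   # assumed name of the anonymous server
ANON_TO = "x-anon-to"            # assumed header naming the final destination
# Headers that reveal the real sender or the path the message took.
SENDER_HEADERS = {"from", "sender", "reply-to", "return-path", "received",
                  "message-id", "organization", "x-mailer", "to", ANON_TO}


def split_message(raw):
    """Split message text into (headers, body); headers is a list of
    (name, value) pairs with folded continuation lines joined."""
    head, _, body = raw.partition("\n\n")
    headers = []
    for line in head.splitlines():
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers, body


def strip_signature(body):
    """Drop everything from the conventional '-- ' separator on, so a
    signature naming the real sender is not forwarded unaltered."""
    lines = body.splitlines()
    for i, line in enumerate(lines):
        if line.rstrip() == "--":
            lines = lines[:i]
            break
    while lines and not lines[-1].strip():
        lines.pop()
    return "\n".join(lines) + "\n"


class AnonServer:
    """Keeps the anonymous-ID <-> real-address mapping that the operator
    must retain indefinitely (one of the disadvantages the FAQ lists)."""

    def __init__(self):
        self._id_of = {}    # real address -> anonymous ID
        self._addr_of = {}  # anonymous ID -> real address
        self._next = 1

    def allocate(self, real_addr):
        """Return the ID for real_addr, allocating a fresh one on first use.
        The counter only grows, so an ID is never handed to a second user."""
        real_addr = real_addr.lower()
        if real_addr not in self._id_of:
            anon_id = "an%d" % self._next
            self._next += 1
            self._id_of[real_addr] = anon_id
            self._addr_of[anon_id] = real_addr
        return self._id_of[real_addr]

    def lookup(self, anon_id):
        """Real address behind an ID, needed to deliver replies."""
        return self._addr_of[anon_id]

    def anonymize(self, raw):
        """Rewrite an incoming message for forwarding and return the text
        that leaves the server."""
        headers, body = split_message(raw)
        by_name = {n.lower(): v for n, v in headers}
        if ANON_TO not in by_name:
            # Incorrectly addressed mail ends up with the operator instead.
            raise ValueError("no %s header: message falls to the operator" % ANON_TO)
        _, real_addr = email.utils.parseaddr(by_name.get("from", ""))
        if not real_addr:
            raise ValueError("cannot determine the real sender")
        anon_id = self.allocate(real_addr)
        out = ["From: %s@%s" % (anon_id, SERVER_DOMAIN),
               "To: " + by_name[ANON_TO]]
        out += ["%s: %s" % (n, v) for n, v in headers
                if n.lower() not in SENDER_HEADERS]
        return "\n".join(out) + "\n\n" + strip_signature(body)


# Constructed sample message (not real traffic) for a stand-alone run.
SAMPLE = ("From: Joe User <joe@host.example>\n"
          "To: anon@anon.example\n"
          "X-Anon-To: alice@dest.example\n"
          "Subject: hello\n"
          "Message-ID: <1@host.example>\n"
          "\n"
          "body text\n"
          "-- \n"
          "Joe User, joe@host.example\n")


def demo():
    """Run the constructed sample through a fresh server."""
    return AnonServer().anonymize(SAMPLE)


if __name__ == "__main__":
    print(demo())
```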

  Another more `fringe' approach is to run a `cypherpunk' remailer
  from a regular user account (no root system privileges are
  required). These are currently being pioneered by Eric Hughes and
  Hal Finney <hal@alumni.caltech.edu>. The operator runs a process on
  a machine that anonymizes mail sent to him with certain
  characteristics that distinguish it from his regular incoming mail
  (typically fields in the header). One has been implemented as a
  PERL script running on UNIX.  Several of these are in existence
  currently but sites and software are highly unstable; they may be
  in operation outside of system administrator knowledge.  The
  remailers don't generally support anonymous return addresses.
  Mail that is incorrectly addressed is received by the operator.
  Generally the operator of the remailer has to disavow any
  responsibility for the messages forwarded through his system,
  although he may actually be held liable regardless.

  These approaches have several serious disadvantages and weaknesses:
  
  - The anonymous server approach requires a mapping of anonymous IDs
    to real addresses that must be maintained indefinitely.  One
    alternative is to allow `deallocation' of aliases at the request
    of the user, but this has not been implemented yet.

  - Although an unlikely scenario, traffic to any of these sites could
    conceivably be monitored from the `outside', necessitating the
    use of cryptography for basic protection.

  - Local administrators can shut them down either out of caprice or
    under pressure from local, network, or government agencies.
  
  - Unscrupulous providers of the services can monitor the traffic
    that goes through them.

  - Most remailers currently keep logs that may be inspected. 

  - The cypherpunk approach tends to be highly unstable because these
    operators are basically network users who do not own the
    equipment and are accountable to their own system
    administrators, who may be unaware of the use and unsympathetic
    to the philosophy of anonymity when the operation is discovered,
    regarding it as illicit use.

  - In all cases, a high degree of trust is placed in the anonymous
    server operator by the user.

  Currently the most direct route to anonymity involves using SMTP
  protocols to submit a message directly to a server with arbitrary
  field information.  This practice, not uncommon to hackers, and the
  approach used by remailers, is generally viewed with hostility by
  most system administrators.  Information in the header routing data
  and logs of network port connection information may be retained
  that can be used to track the originating site.  In practice, this
  is generally infeasible and rarely carried out.  Some
  administrators on the network will contact local administrators to
  request a message be tracked and its writer admonished or punished
  more severely (such as revoking the account), all of this actually
  happening occasionally but infrequently.

  See the sections ``known anonymous mail and posting sites'' and 
  ``responsibilities associated with anonymity''.

_____
<3.5> What is `anonymous posting'?

  Anonymous servers have been established as well for anonymous Usenet
  posting with all the associated caveats above (monitored traffic,
  capricious or risky local circumstances, logging).  Make sure to
  test the system at least once by e.g. anonymous posting to
  misc.test (however some operators don't recommend this because many
  sites `autorespond' to test messages, possibly causing the
  anonymous server to allocate anonymous IDs for those machines).
  See the ``responsibilities associated with anonymous posting''
  before proceeding.

  Another direct route involves using NNTP protocols to submit a
  message directly to a news server with arbitrary field information.
  This practice, not uncommon to hackers, is also generally viewed
  with hostility by most system administrators, and similar
  consequences can ensue.

  See the sections ``known anonymous mail and posting sites'' and 
  ``responsibilities associated with anonymity''.

_____
<3.6> Why is anonymity (un)stable on the internet?

  As noted, many factors compromise the anonymity currently available
  to the general internet community, and these services should be
  used with great caution.  To summarize, the technology is in its
  infancy and current approaches are unrefined, unreliable, and not
  completely trustworthy.  No standards have been established and
  troubling situations of loss of anonymity and bugs in the software
  are prevalent.  Here are some encountered and potential bugs: 
  
  - One anonymous remailer reallocated anonymous return addresses
    that were already in use.
  - Others passed signature information embedded in messages
    through unaltered.
  - Address resolution problems resulting in anonymized mail being
    bounced back to a remailer are common.
  - Forgeries to the anonymous server itself are a problem, possibly
    allowing unauthorized users to glean the anonymous ID to email
    address mappings in the alias file.  This can be remedied with
    the use of passwords.
  - Infinite mail loops are possible when chaining remailers.
  
  Source code is being distributed, tested, and refined for these
  systems, but standards are progressing slowly and weakly.  The
  field is not likely to improve considerably without  official
  endorsement and action by network agencies.  The whole idea is
  essentially still in its infancy and viewed with suspicion and
  distrust by many on the internet, seen as illegitimate or favorable
  to criminality.  The major objection to anonymity over regular
  internet use is the perceived lack of accountability to system
  operators, i.e. invulnerability to account restrictions resulting
  from outside complaints.  System administrators at some sites have
  threatened to filter anonymous news postings generated by the
  prominent servers from their redistribution flows.  This may only
  have the effect of encouraging server operators to create less
  characteristically detectable headers.  Probably the least
  problematic approach, and the most traditional to Usenet, is for
  individual users to deal with anonymous mail however they prefer,
  e.g. ignoring it or filtering it with kill files.
  
_____
<3.7> What is the future of anonymity on the internet?

  New anonymous protocols can significantly strengthen the safeguards
  of anonymity.  For example, the same mechanism that routes email
  over multiple hosts, thereby threatening its privacy, can also be
  used to protect it.  In a scheme called `chaining' an anonymous
  message is passed through multiple anonymous servers before
  reaching its destination, so that in general several links of the
  chain have to be `broken' before the sender can be traced.
  Re-encrypting the message at each link, so that each server can
  read only the address of the next hop and not the final recipient
  or the message body, makes tracing even less likely.  More
  significantly, the anonymous remailers could be spread across the
  internet globally, so that local weaknesses (such as corrupt
  governments or legal wiretapping within a nation) would be less
  likely to compromise overall security through message tracing.
  However, remailers run by corrupt operators remain possible.
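  As an added illustration of chaining with re-encryption at each
  link (example code written for this FAQ entry, not any actual
  remailer's software), the following Python simulates a sender
  wrapping a message in one encryption layer per remailer, and each
  remailer peeling off its own layer and learning only the next hop.
  The remailer names, keys and message are constructed for the
  example.  The `toy_encrypt'/`toy_decrypt' routines are an
  HMAC-SHA256 keystream stand-in for the RSA and DES the real systems
  use, chosen only so the example runs with the Python standard
  library; they are not a cipher to be used for anything real.  The
  hop limit in `deliver' is this example's own guard against the mail
  loops mentioned in the previous section.

```python
# Added example: chained remailing with one encryption layer per hop.
# The sender wraps the message once per remailer, innermost layer first,
# so that remailer N can decrypt only its own layer, which reveals the
# address of hop N+1 and an opaque blob for it.  No single hop sees both
# the sender and the final recipient.  All names, keys and the message
# below are constructed for this example.
import hashlib
import hmac
import json
import os

NONCE_LEN = 8
MAX_HOPS = 8  # guard against the mail loops the FAQ warns about


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stand-in for a real cipher, used only
    # so the example is self-contained.  Not for production use.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    stream = _keystream(key, nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))


def build_chain(route, recipient, message, keys):
    """Return (first_hop, blob).  `route' lists remailer names in the order
    the message should travel; `keys' maps each remailer to its key."""
    inner = message          # what the last remailer hands to the recipient
    next_hop = recipient
    for hop in reversed(route):
        layer = json.dumps({"next": next_hop, "body": inner.hex()}).encode()
        inner = toy_encrypt(keys[hop], layer)
        next_hop = hop
    return next_hop, inner


def remailer_process(name, blob, keys):
    """What a single remailer does: strip its own layer, learn the next hop."""
    layer = json.loads(toy_decrypt(keys[name], blob))
    return layer["next"], bytes.fromhex(layer["body"])


def deliver(first_hop, blob, keys, max_hops=MAX_HOPS):
    """Simulate the whole chain.  Returns (recipient, message, trace) where
    trace records, per hop, the only addressing fact that hop learned."""
    hop, payload, trace = first_hop, blob, []
    while hop in keys:                       # stop when we reach a non-remailer
        if len(trace) >= max_hops:
            raise RuntimeError("hop limit exceeded: refusing a possible mail loop")
        next_hop, payload = remailer_process(hop, payload, keys)
        trace.append((hop, next_hop))
        hop = next_hop
    return hop, payload, trace


def demo():
    keys = {name: os.urandom(32) for name in ("anon1.example", "anon2.example", "anon3.example")}
    first_hop, blob = build_chain(
        ["anon1.example", "anon2.example", "anon3.example"],
        "alice@dest.example",
        b"Meet at the usual place.",
        keys,
    )
    return deliver(first_hop, blob, keys)


if __name__ == "__main__":
    recipient, message, trace = demo()
    for hop, nxt in trace:
        print(f"{hop} learned only: forward to {nxt}")
    print(f"{recipient} receives: {message.decode()}")
```

  The trace shows the property the text describes: anon1 knows the
  message came in and goes to anon2, anon3 knows it goes to alice, and
  no single key opens more than one layer.  A real remailer would use
  the recipient's public key for the innermost layer so that even the
  last hop cannot read the body.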
  
  The future of anonymous services on the internet is, at this time,
  highly uncertain and fraught with peril. While specific groups seem
  to benefit significantly from anonymous posting capabilities, many
  feel that unlimited newsgroup scope for anonymous posting is a
  disruptive and dangerous idea and detracts from discussions in
  `serious' groups.   The introduction of unlimited group anonymity
  may have fundamental repercussions on Usenet conventions and
  distribution mechanisms such as moderated and `alt' groups have had
  in the past. For example, as part of new group creation, the
  charter may specify whether `anonymous' posting is (un)welcome. 

  Nevertheless, the widespread introduction and use of anonymity may
  be inevitable.  Based on traffic statistics, anonymous services are
  in huge demand.  Pervasive and readily available anonymity could
  carry significant and unforeseen social consequences.  However, if
  its use continues to be generally regarded as subversive, it may
  be confined to the underground.  The ramifications of widespread
  introduction of anonymity to Usenet are still largely unknown.  It
  is unclear whether it will provoke significant amounts of new
  traffic or, instead of expansion, cause a shift where a greater
  portion of existing traffic is anonymized.  Conceivably the
  services could play a role in influencing future mainstream social
  acceptance of Usenet.


* * *

This is Part 1 of the Privacy & Anonymity FAQ, obtained via anonymous
  FTP to pit-manager.mit.edu:/pub/usenet/news.answers/net-privacy/ or 
  newsgroups news.answers, sci.answers, alt.answers every 21 days.
Written by L. Detweiler <ld231782@longs.lance.colostate.edu>.
All rights reserved.


Newsgroup: sci.crypt
document_id: 15177
From: ld231782@longs.lance.colostate.edu (L. Detweiler)
Subject: Privacy & Anonymity on the Internet FAQ (2 of 3)

Archive-name: net-privacy/part2
Last-modified: 1993/3/3
Version: 2.1


IDENTITY, PRIVACY, and ANONYMITY on the INTERNET
================================================

(c) 1993 L. Detweiler.  Not for commercial use except by permission
from author, otherwise may be freely copied.  Not to be altered. 
Please credit if quoted.

SUMMARY
=======

Email and account privacy, anonymity, file encryption,  academic 
computer policies, relevant legislation and references, EFF, and 
other privacy and rights issues associated with use of the Internet
and global networks in general.

(Search for <#.#> for exact section. Search for '_' (underline) for
next section.)

PART 2
====== (this file)

Resources
---------

<4.1> What UNIX programs are related to privacy?
<4.2> How can I learn about or use cryptography?
<4.3> What is the cypherpunks mailing list?
<4.4> What are some privacy-related newsgroups?  FAQs?
<4.5> What is internet Privacy Enhanced Mail (PEM)?
<4.6> What are other Request For Comments (RFCs) related to privacy?
<4.7> How can I run an anonymous remailer?
<4.8> What are references on privacy in email?
<4.9> What are some email, Usenet, and internet use policies?
<4.10> What is the MIT ``CROSSLINK'' anonymous message TV program?

Miscellaneous
-------------

<5.1> What is ``digital cash''?
<5.2> What is a ``hacker'' or ``cracker''?
<5.3> What is a ``cypherpunk''?
<5.4> What is `steganography' and anonymous pools?
<5.5> What is `security through obscurity'?
<5.6> What are `identity daemons'?
<5.7> What standards are needed to guard electronic privacy?

Issues
------

<6.1> What is the Electronic Frontier Foundation (EFF)?
<6.2> Who are Computer Professionals for Social Responsibility (CPSR)?
<6.3> What was `Operation Sun Devil' and the Steve Jackson Game case?
<6.4> What is Integrated Services Digital Network (ISDN)?
<6.5> What is the National Research and Education Network (NREN)?
<6.6> What is the FBI's proposed Digital Telephony Act?
<6.7> What other U.S. legislation is related to privacy on networks?
<6.8> What are references on rights in cyberspace?
<6.9> What is the Computers and Academic Freedom (CAF) archive?

Footnotes
---------

<7.1> What is the background behind the Internet?
<7.2> How is Internet `anarchy' like the English language?
<7.3> Most Wanted list
<7.4> Change history


* * *


RESOURCES
=========


_____
<4.1> What UNIX programs are related to privacy?

  For more information, type `man [cmd]' or `apropos [keyword]' at the
  UNIX shell prompt.

    passwd - change password
    finger - obtain information about a remote user
    chfn   - change information about yourself obtainable by remote
             users (sometimes `passwd -f')
    chmod  - change the rights associated with a file or directory
    umask  - (shell) change the default (on creation) file access
             rights
    ls     - list files and directories; `ls -l' shows the rights
             associated with them
    last   - list the latest user logins on the system and their
             originations
    who    - list other users, login/idle times, originations
    w      - list other users and what they are running
    xhost  - access control list for X Window client use: allow or
             disable access by particular hosts to an X Window server
    xauth  - control X Window server authentication
    
    .signature  - file in the home directory appended to USENET posts
    .forward    - file used to forward email to other accounts
    .Xauthority - file used for X Window server authentication keys
    $SIGNATURE  - variable used for name in email and USENET postings
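  A check a privacy-conscious user might script over the files just
  listed, as an added example for this FAQ (not a utility from any
  package mentioned here): it creates a scratch home directory with a
  `.forward' written under the common default umask 022 and a
  `.Xauthority' written under umask 077, reports which of the
  sensitive dotfiles other users could read (the same bits `ls -l'
  displays), and then applies the `chmod 600' fix.  The directory
  contents are constructed; the function names are this example's
  own.

```python
# Added example: audit the dotfiles named above for group/world readability,
# and show the effect of umask on files created afterwards.  The scratch
# home directory and its contents are constructed here; nothing touches the
# caller's real home directory.
import os
import stat
import tempfile

SENSITIVE_DOTFILES = (".forward", ".signature", ".Xauthority")


def readable_by_others(path: str) -> bool:
    """True if the group or 'other' read bit is set (what `ls -l' shows as
    an r in the group or other field)."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_home(home: str) -> list:
    """Return the sensitive dotfiles under `home' that other users can read."""
    findings = []
    for name in SENSITIVE_DOTFILES:
        path = os.path.join(home, name)
        if os.path.exists(path) and readable_by_others(path):
            findings.append(name)
    return findings


def write_private(path: str, data: str) -> int:
    """Create a file under umask 077 so it is born mode 0600, and return the
    permission bits actually obtained (as `ls -l' would display them)."""
    old_umask = os.umask(0o077)
    try:
        with open(path, "w") as fh:
            fh.write(data)
    finally:
        os.umask(old_umask)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    home = tempfile.mkdtemp(prefix="privacy-faq-")
    # Constructed: a .forward created under the common default umask 022,
    # which leaves it readable by everyone on the system.
    old_umask = os.umask(0o022)
    try:
        with open(os.path.join(home, ".forward"), "w") as fh:
            fh.write("someone@elsewhere.example\n")
    finally:
        os.umask(old_umask)
    xauth_mode = write_private(os.path.join(home, ".Xauthority"), "constructed-cookie")
    before = audit_home(home)
    os.chmod(os.path.join(home, ".forward"), 0o600)   # the fix: chmod 600 ~/.forward
    after = audit_home(home)
    return xauth_mode, before, after


if __name__ == "__main__":
    mode, before, after = demo()
    print(f".Xauthority created with mode {mode:04o}")
    print("readable by others before chmod:", before)
    print("readable by others after chmod: ", after)
```

  Putting `umask 077' in the shell startup file gives every new file
  the `.Xauthority' result by default; `chmod' is only needed for
  files that already exist.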

  The `tcpdump' packet-tracing program is loosely based on SMI's
  `etherfind' although none of the etherfind code remains.  It was
  originally written by Van Jacobson, Lawrence Berkeley Laboratory,
  as part of an ongoing research project to investigate and improve
  TCP and internet gateway performance.  It belongs in this list
  because anyone able to run it on a shared network segment can read
  the unencrypted traffic passing by, including mail and the
  passwords typed into FTP and TELNET sessions.  A current version is
  available via anonymous ftp from host ftp.ee.lbl.gov (currently at
  address 128.3.254.68) file tcpdump.tar.Z (a compressed Unix tar
  file).  This program is subject to the `standard' Berkeley network
  software copyright.

_____
<4.2> How can I learn about or use cryptography?

  A general introduction to mostly theoretical cryptographic issues,
  especially those frequently discussed in sci.crypt, is available
  in FAQ form:

  >  Compiled by:
  >        cme@ellisun.sw.stratus.com (Carl Ellison)
  >        Gwyn@BRL.MIL (Doug Gwyn)
  >        smb@ulysses.att.com (Steven Bellovin)

  NIST (U.S. National Institute of Standards and Technology)
  publishes an introductory paper on cryptography, special
  publication 800-2 ``Public-Key Cryptography'' by James Nechvatal
  (April 1991).  Available via anonymous FTP from
  csrc.ncsl.nist.gov (129.6.54.11), file pub/nistpubs/800-2.txt. 
  Also available via anonymous FTP from wimsey.bc.ca as crypt.txt.Z
  in the crypto directory.  Covers technical mathematical aspects
  of encryption such as number theory.

  More general information can be found in a FAQ by Paul Fahn of RSA
  Laboratories via anonymous FTP from rsa.com in /pub/faq.ps.Z.  See
  the `readme' file for information on the `tex' version.  Also
  available as hardcopy for $20 from RSA Laboratories, 100 Marine
  Parkway, Redwood City, CA  94065.  Send questions to
  faq-editor@rsa.com.

  Phil Zimmermann's PGP (Pretty Good Privacy), a freely distributed
  package for public key encryption, is available at numerous sites
  and is in widespread use over the internet for general UNIX-based
  file encryption (including email).  Consult the archie FTP
  database.  Also see the newsgroup alt.security.pgp.  Mailing list
  requests to info-pgp-request@lucpul.it.luc.edu.

  From the RIPEM FAQ by Marc VanHeyningen
  <mvanheyn@whale.cs.indiana.edu> on news.answers:

  > RIPEM is a program which performs Privacy Enhanced Mail (PEM)
  > using the cryptographic techniques of RSA and DES.  It allows
  > your electronic mail to have the properties of authentication
  > (i.e. who sent it can be confirmed) and privacy (i.e. nobody can
  > read it except the intended recipient.)
  > 
  > RIPEM was written primarily by Mark Riordan
  > <mrr@scss3.cl.msu.edu>. Most of the code is in the public domain,
  > except for the RSA routines, which are a library called RSAREF
  > licensed from RSA Data Security Inc.
  > 
  > RIPEM is available via anonymous FTP to citizens and permanent
  > residents in the U.S. from rsa.com; cd to rsaref/ and read the
  > README file for info.
  > 
  > RIPEM, as well as some other crypt stuff, has its `home site' on
  > rpub.cl.msu.edu, which is open to non-anonymous FTP for users in
  > the U.S. and Canada who are citizens or permanent residents.  To
  > find out how to obtain access, ftp there, cd to pub/crypt/, and
  > read the file GETTING_ACCESS.

  Note: cryptography is generally not well integrated into email yet
  and some system proficiency is required by users to utilize it.

_____
<4.3> What is the cypherpunks mailing list?

  Eric Hughes <hughes@toad.com> runs the `cypherpunk' mailing list
  dedicated to ``discussion about technological defenses for privacy
  in the digital domain.''  Send email to
  cypherpunks-request@toad.com to be added or subtracted from the
  list. From the charter:

  > The most important means to the defense of privacy is encryption.
  > To encrypt is to indicate the desire for privacy.  But to encrypt
  > with weak cryptography is to indicate not too much desire for
  > privacy. Cypherpunks hope that all people desiring privacy will
  > learn how best to defend it.

_____
<4.4> What are some privacy-related newsgroups?  FAQs?
  
  Newsgroups
  ==========

  alt.comp.acad-freedom.news
  alt.comp.acad-freedom.talk 
  --------------------------
    Moderated and unmoderated issues related to academic freedom and
    privacy at universities. Documented examples of violated
    privacy in e.g. email.  Documented examples of `censorship' as
    in e.g. limiting USENET groups local availability.

  alt.cyberpunks
  --------------
    Virtual reality, (science) fiction by William Gibson and Bruce 
    Sterling, cyberpunk in the mainstream.
 
  alt.hackers
  -----------
    USENET Network News Transfer Protocol (NNTP) posting mechanisms, 
    Simple Mail Transfer Protocol (SMTP), `obligatory hack' reports.

  alt.privacy
  -----------
    General privacy issues involving taxpaying, licensing, social
    security numbers, etc.
  
  alt.security 
  comp.security.misc
  ------------------
    Computer related security issues.  FAQ in news.answers below.
  
  alt.security.pgp
  alt.security.ripem
  ------------------
    Dedicated to discussing freely available cryptographic software
    packages: PGP, or ``Pretty Good Privacy'', software developed by
    Phil Zimmermann for public key encryption, and RIPEM by Mark
    Riordan for public key and DES encryption.
  
  comp.society.privacy
  --------------------
    Privacy issues associated with computer technologies.  Examples:
    caller identification, social security numbers, credit
    applications, mailing lists, etc.  Moderated.
    
  comp.eff.news
  comp.eff.talk
  -------------
    Moderated and unmoderated groups associated with the Electronic
    Frontier Foundation started by Mitch Kapor for protecting civil
    and constitutional rights in the electronic realm.
  
  news.admin
  news.admin.policy
  -----------------
    Concerns of news administrators.  NNTP standards and mechanisms.
    
  news.lists
  ----------
    USENET traffic distributions.  Most frequent posters, most
    voluminous groups, most active sites, etc.
  
  sci.crypt
  ---------
    Considers scientific and social issues of cryptography. 
    Examples: legitimate use of PGP, public-key patents, DES,
    cryptographic security, cypher breaking, etc.
  

  FAQs
  ====

  FAQs or ``Frequently-Asked Questions'' are available in the
  newsgroups *.answers or via anonymous FTP to pit-manager.mit.edu
  [18.172.1.27] (also rtfm.mit.edu)  from the directory
  /pub/usenet/news.answers/[x] where [x] is the archive name. This
  FAQ is archived in the file `net-privacy'.   Others are:

  network-info/part1  
  ------------------
    Sources of information about the Internet and how to connect to
    it, through the NSF or commercial vendors.
  
  alt-security-faq
  ----------------
    Computer related security issues arising in alt.security and
    comp.security.misc, mostly UNIX related.
  
  ssn-privacy 
  -----------
    Privacy issues associated with the use of the U.S. Social
    Security number (SSN).
  
  pdial
  -----
    Public dialup internet accounts list.
  
  college-email/part1
  -------------------
    How to find email addresses for undergraduate and graduate
    students, faculty and staff at various colleges and
    universities.
  
  ripem/faq
  ---------
    Information on RIPEM, a program for public key mail encryption
    officially sanctioned by Public Key Partners Inc., the company
    that owns patents on public key cryptography.
  
  unix-faq/faq/part1
  ------------------
    Frequently-asked questions about UNIX, including information on
    `finger' and terminal spying.

  distributions/*
  ---------------
     Known geographic, university, and network distributions.

_____
<4.5> What is internet Privacy Enhanced Mail (PEM)?

  Internet drafts on Privacy Enhanced Mail (PEM) describe a standard
  under revision for six years delineating the official protocols for
  email encryption.  The standard has only recently stabilized and
  implementations are being developed.

  - RFC-1421: ``Privacy Enhancement for Internet Electronic Mail: 
    Part I: Message Encryption and Authentication Procedures.'' J.
    Linn <104-8456@mcimail.com>

  - RFC-1422: ``Privacy Enhancement for Internet Electronic Mail: Part
    II: Certificate-Based Key Management'' S. Kent <Kent@BBN.com>

  - RFC-1423: ``Privacy Enhancement for Internet Electronic Mail: Part
    III: Algorithms, Modes, and Identifiers'' D. Balenson
    <balenson@tis.com>

  - RFC-1424: ``Privacy Enhancement for Internet Electronic Mail: 
    Part IV: Key Certification and Related Services'' B. Kaliski
    <burt@rsa.com>

  Send email to pem-info@tis.com for more information.  See ``RFCs 
  related to privacy'' for information on how to obtain RFCs.
  
_____
<4.6> What are other Requests For Comments (RFCs) related to privacy?

  RFC-821:  SMTP, Simple Mail Transfer Protocol
  RFC-822:  Standard for the format of ARPA Internet text messages
            (the email message and header format)
  RFC-977:  NNTP, Network News Transfer Protocol
  RFC-1036: Standard for interchange of network news messages
  RFC-1208: Glossary of Networking Terms
  RFC-1207: Answers to ``experienced Internet user'' questions
  RFC-1206: Answers to ``new Internet user'' questions
  RFC-1355: Privacy issues in Network Information Center databases

  
  RFC-1177 is ``FYI: Answers to commonly asked `new internet user'
  questions'' (since superseded by RFC-1206), and includes basic
  terminology on the Internet (TCP/IP, SMTP, FTP), internet
  organizations such as IAB (Internet Activities Board) and IETF
  (Internet Engineering Task Force), and a glossary of terms.  Also
  from ftp.eff.org: /pub/internet-info/internet.q.

  > RFCs can be obtained via FTP from NIC.DDN.MIL, with the pathname
  > RFC:RFCnnnn.TXT or RFC:RFCnnnn.PS (where `nnnn' refers to the
  > number of the RFC).  Login with FTP, username `anonymous' and
  > password `guest'.  The NIC also provides an automatic mail
  > service for those sites which cannot use FTP.  Address the
  > request to SERVICE@NIC.DDN.MIL and in the subject field of the
  > message indicate the RFC number, as in `Subject: RFC nnnn' (or
  > `Subject: RFC nnnn.PS' for PostScript RFCs).
  >
  > RFCs can also be obtained via FTP from NIS.NSF.NET.  Using FTP,
  > login with username `anonymous' and password `guest'; then
  > connect to the RFC directory (`cd RFC').  The file name is of the
  > form RFCnnnn.TXT-1 (where `nnnn' refers to the number of the
  > RFC).  The NIS also provides an automatic mail service for those
  > sites which cannot use FTP.  Address the request to
  > NIS-INFO@NIS.NSF.NET and leave the subject field of the message
  > blank.  The first line of the text of the message must be `SEND
  > RFCnnnn.TXT-1', where nnnn is replaced by the RFC number.
  
_____
<4.7> How can I run an anonymous remailer?

  Cypherpunk remailer source is at soda.berkeley.edu in the
  /pub/cypherpunks directory.  It's written in Perl, and is
  relatively easy to install (no administrative rights are required).
  Karl Barrus <elee9sf@menudo.uh.edu> has more information and
  modifications.  Also, most remailer operators mentioned above are
  amenable to discussing features, problems, and helping new sites
  become operational.  Address all points in the section
  ``responsibilities of anonymous use'' in this document prior to
  advertising your service.  You should be committed to the long-term
  stability of the site and avoid running one surreptitiously.

_____
<4.8> What are references on privacy in email?


  Brown, Bob. ``EMA Urges Users to Adopt Policy on E-mail Privacy.''  
  Network World (Oct 29, 1990), 7.44: 2.
  
  Bairstow, Jeffrey. ``Who Reads your Electronic Mail?'' Electronic
  Business  (June 11, 1990) 16 (11): 92.

  ``Electronic Envelopes - the uncertainty of keeping e-mail private''
  Scientific American, February 1993.

  ftp.eff.org
  ===========

  /pub/eff/papers/email_privacy
  ---
    Article on the rights of email privacy. by Ruel T. Hernandez.

  /pub/academic/law/privacy.email
  ---
    ``Computer Electronic Mail and Privacy'', an edited version of a
    law school seminar paper by Ruel T. Hernandez.

  /pub/eff/papers/email-privacy-biblio-2
  ---
    Compilation of bibliography on E-Mail and its privacy issues (part
    2 of the work).  Compiled by Stacy B. Veeder (12/91).

  /pub/eff/papers/email-privacy-research
  ---
    The author at Digital Research tried to formalize their employee
    privacy policy on E-Mail.  The case citations are divided into two
    groups: US Constitutional law, and California law.

  /pub/eff/papers/company-email
  ---
    Formulating a Company Policy on Access to and Disclosure of
    Electronic Mail on Company Computer Systems by David R. Johnson
    and John Podesta for the Electronic Mail Association

  /pub/cud/alcor
  ---
    Information on Alcor Co., an e-mail privacy suit.

  /pub/academic/law/privacy.email
  ---
    Email privacy search at Berkeley.

_____
<4.9> What are some email, Usenet, and internet use policies?

  The Computer Policy and Critiques Archive is a collection of the
  computer policies of many schools and networks, run by the
  Computers and Academic Freedom group on the Electronic Frontier
  Foundation FTP site. The collection also includes critiques of some
  of the policies.

  > If you have gopher, the archive is browsable with the command:
  > gopher -p academic/policies gopher.eff.org
  > 
  > The archive is also accessible via anonymous ftp and email. Ftp
  > to ftp.eff.org (192.88.144.4). It is in directory
  > `pub/academic/policies'. For email access, send email to
  > archive-server@eff.org. Include the line:
  > 
  > send acad-freedom/policies <filenames>
  > 
  > where <filenames> is a list of the files that you want. File
  > README is a detailed description of the items in the directory.
  > 
  > For more information, to make contributions, or to report typos
  > contact J.S. Greenfield (greeny@eff.org). Directory `widener'
  > contains additional policies (but not critiques).


  ftp.eff.org
  ===========
  
  /pub/cud/networks
  ---
    Acceptable Use Policies for various networks, including CompuServe
    (file `compuserve'), NSFNET (file `nsfnet') with information on
    research and commercial uses. See /pub/cud/networks/index.

  /pub/cud/networks/email
  ---
    Policies from various sysadmins about how they handle the issue of
    email privacy,  control, and abuse, compiled by T. Hooper 
    <hooper_ta@cc.curtin.edu.au>.
  
  /pub/cud/schools/
  ---
    Computer use policies of a number of schools. See schools/Index
    for a full list and description.

  
  Commentary
  ==========

  /pub/academic/faq/policy.best
  ---
    Opinions on the best academic computer policies.


  /pub/academic/faq/email.policies
  ---
    Do any universities treat email and computer files as private?

  /pub/academic/faq/netnews.writing
  ---
    Policies on what users write on Usenet.

  /pub/academic/faq/netnews.reading
  ---
    Policies on what users read on Usenet: should my university remove
    (or restrict) Netnews newsgroups because some people find them
    offensive?

  /pub/academic/faq/policy
  ---
    What guidance is there for creating or evaluating a university's
    academic computer policy?

______
<4.10> What is the MIT ``CROSSLINK'' anonymous message TV program?

  > CROSSLINK is an anonymous message system run on MIT Student
  > Cable TV-36. It provides an anonymous medium through which MIT
  > students can say those things they might otherwise find
  > difficult, inconvenient or impossible to say in person.  It's
  > also a way to send fun or totally random messages to your
  > friends over the air.  It is similar to the anonymous message
  > pages found in many college newspapers, except that it's
  > electronic in nature and it's free.

  Messages can be posted to the service via email.  For more
  information send email to crosslink@athena.mit.edu.


MISCELLANEOUS
=============

_____
<5.1> What is ``digital cash''?

  With digital encryption and authentication technologies, the
  possibility of a widespread digital cash system may someday be
  realized.  A system utilizing codes sent between users and banks
  (similar to today's checking system except entirely digital) may
  be one approach.  The issues of cryptography, privacy, and
  anonymity are closely associated with the transfer of cash in an
  economy.  See the article ``Achieving Electronic Privacy'' by David
  Chaum in Scientific American, August 1992.

  An experimental digital bank is run by Karl Barrus
  <elee9sf@Menudo.UH.EDU> based on suggestions by Hal Finney on the
  cypherpunks mailing list.  To use the server send mail to
  elee7h5@rosebud.ee.uh.edu message with the following text:

    ::
    command: help
    
    user@host

  where `user@host' is your email address.
 
  
_____
<5.2> What is a ``hacker'' or ``cracker''?

  These terms arouse strong feelings by many on their meaning,
  especially on the internet.  In the general news media in the past
  a person who uses computers and networks to malicious ends (such as
  breaking into systems) has been referred to as a hacker, but most
  internet users prefer the term ``cracker'' for this.  Instead, a
  ``hacker'' is perceived as a benign but intensely ambitious,
  curious, and driven computer user who explores obscure areas of a
  system, for example---something of a proud electronic pioneer and
  patriot.  This is the sense intended in this document.  See also
  the ``Hacker's Dictionary'' and the FAQ `alt-security-faq'.
 
 
_____
<5.3> What is a ``cypherpunk''?

  From the charter of the cypherpunk mailing list:

  > Cypherpunks assume privacy is a good thing and wish there were
  > more of it.  Cypherpunks acknowledge that those who want privacy
  > must create it for themselves and not expect governments,
  > corporations, or other large, faceless organizations to grant
  > them privacy out of beneficence.  Cypherpunks know that people
  > have been creating their own privacy for centuries with whispers,
  > envelopes, closed doors, and couriers.  Cypherpunks do not seek
  > to prevent other people from speaking about their experiences or
  > their opinions.

  See information on the cypherpunk mailing list above (section 4.3).

  See also the CryptoAnarchist Manifesto and the Cryptography Glossary
  in soda.berkeley.edu:/pub/cypherpunks.

_____
<5.4> What is `steganography' and anonymous pools?

  Closely associated with encryption is `steganography', the
  techniques for not only pursuing private (encrypted) communication
  but concealing the very existence of the communication itself.
  Many new possibilities in this area are introduced with the
  proliferation of computer technology.  For example, it is possible
  to encode messages in the least-significant bits of images,
  typically the most `noisy' bits.  In addition, when such an item is
  posted in a public place (such as a newsgroup), virtually
  untraceable communication can take place between sender and
  receiver, since nothing links a particular reader to the hidden
  message.  Another possibility for steganographic communication in
  the electronic realm is setting up a mailing list where every
  message is broadcast to the entire list and individual users decode
  only the particular messages meant for them with their unique key.
  An anonymous pool has been set up by Miron Cuperman
  (miron@extropia.wimsey.com) for experiments.  Send email to
  <pool0-request@extropia.wimsey.com> with one of the following
  commands in the subject line:

    subscribe
    unsubscribe
    help
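  The least-significant-bit technique mentioned above, as an added
  example written for this FAQ (not code from any steganography
  package): a constructed grey-scale `image' is a list of pixel values
  0-255, a length-prefixed payload is written one bit per pixel into
  the low bit of each value, and the receiver reads it back.  The
  cover data, the message and the 32-bit length header convention are
  this example's own assumptions.

```python
# Added example: embed and extract a message in the least-significant bits
# of pixel values.  The "image" is a constructed list of 8-bit grey values;
# a real image would be the pixel bytes of an uncompressed bitmap.  A 32-bit
# big-endian length header precedes the payload so the extractor knows where
# to stop.  Each pixel changes by at most 1, which is below the noise floor
# of most photographs.
from typing import List

HEADER_BITS = 32


def capacity_bytes(pixels: List[int]) -> int:
    """Payload bytes a cover of this size can carry after the header."""
    return max(0, (len(pixels) - HEADER_BITS) // 8)


def _to_bits(data: bytes) -> List[int]:
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def _from_bits(pixels: List[int], start: int, nbytes: int) -> bytes:
    out = bytearray()
    for k in range(nbytes):
        value = 0
        for i in range(8):
            value = (value << 1) | (pixels[start + k * 8 + i] & 1)
        out.append(value)
    return bytes(out)


def embed(pixels: List[int], payload: bytes) -> List[int]:
    """Return a copy of `pixels' carrying `payload' in its low bits."""
    if len(payload) > capacity_bytes(pixels):
        raise ValueError("cover image too small for payload")
    bits = _to_bits(len(payload).to_bytes(4, "big") + payload)
    stego = list(pixels)
    for index, bit in enumerate(bits):
        stego[index] = (stego[index] & 0xFE) | bit
    return stego


def extract(pixels: List[int]) -> bytes:
    """Read the length header, then that many payload bytes."""
    if len(pixels) < HEADER_BITS:
        raise ValueError("cover too small to hold a header")
    length = int.from_bytes(_from_bits(pixels, 0, 4), "big")
    if HEADER_BITS + length * 8 > len(pixels):
        raise ValueError("header claims more payload than the cover holds")
    return _from_bits(pixels, HEADER_BITS, length)


def max_pixel_change(cover: List[int], stego: List[int]) -> int:
    """How visibly the cover was altered: LSB embedding never exceeds 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def demo():
    # Constructed cover: a smooth gradient with a little arithmetic "noise".
    cover = [(i * 37 + (i * i) % 7) % 256 for i in range(2048)]
    secret = b"Meet at the usual place."
    stego = embed(cover, secret)
    return extract(stego), max_pixel_change(cover, stego), capacity_bytes(cover)


if __name__ == "__main__":
    recovered, change, cap = demo()
    print("recovered:", recovered.decode())
    print("largest pixel change:", change, "- capacity:", cap, "bytes")
```

  Two caveats worth knowing: the hidden bits survive only lossless
  storage (any lossy recompression of the image destroys them), and a
  plain-text payload in the low bits is detectable by anyone who
  thinks to look, so the message should be encrypted before it is
  embedded.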

_____
<5.5> What is `security through obscurity'?

  `Security through obscurity' refers to the attempt to gain
  protection from system weaknesses by hiding sensitive information
  or programs relating to them.  For example, a company may not make
  public information on its software's encryption techniques to evade
  `attacks' based on knowledge of it.  Another example would be
  concealing data on the existence of security holes or bugs in
  operating systems.  Or, some reliance may be placed on the belief
  that a problem in some standard or mechanism is not serious because
  the mechanism is ``not widely known'' or ``not widely used.''  This
  argument is occasionally applied to mechanisms for email and Usenet
  posting `forgery'.  `Security through obscurity' is regarded as a
  very feeble technique at best and inappropriate and ineffective at
  worst (also called the ``head-in-the-sand approach''), since the
  hidden detail is usually discoverable and, once discovered, the
  protection is gone entirely.  See the FAQ for alt.security.
  
  Some remarks of John Perry Barlow, cofounder of the Electronic
  Frontier Foundation, directed to NSA agents at the First
  International Symposium on National Security & National
  Competitiveness held in McLean, Virginia  Dec. 1, 1992:

  > Digitized information is very hard to stamp classified or keep
  > contained. ... This stuff is incredibly leaky and volatile.  It's
  > almost a life form in its ability to self-propagate.  If
  > something hits the Net and it's something which people on there
  > find interesting it will spread like a virus of the mind.  I
  > believe you must simply accept the idea that we are moving into
  > an environment where any information which is at all interesting
  > to people is going to get out.  And there will be very little
  > that you can do about it.  This is not a bad thing in my view,
  > but you may differ...

_____
<5.6> What are `identity daemons'?
  
  RFC-931 (the ``Authentication Server'', commonly implemented as the
  `identd' daemon) describes a protocol by which a host can ask the
  remote end of an existing TCP connection which login name owns the
  other side of that connection (such connections are established
  during FTP and TELNET sessions, for example).  The standard is not
  widely supported, perhaps 10% of internet sites currently implement
  it, but the number is increasing.  The mechanism is detrimental to
  anonymity: any server a user connects to can learn the user's login
  name, not just the originating host.  Regular users cannot disable
  it, but system administrators can circumvent it.  This standard may
  represent a trend toward greater authentication mechanisms.
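  The exchange that RFC-931 specifies, as an added example written for
  this FAQ (not the source of any identd implementation): the querying
  host sends the two port numbers of an existing connection, and the
  queried host's daemon answers with the login name that owns it or
  with an error.  Both message formats follow RFC-931; the connection
  table, host addresses and login names are constructed, and the
  `hide_users' switch is this example's stand-in for an administrator
  configuring the daemon not to reveal names.

```python
# Added example: both sides of an RFC-931 (ident) exchange.
# Query, sent by the host that wants to know who it is talking to:
#     "<port-on-server>, <port-on-client>\r\n"
# where "server" is the host running the identity daemon and "client" is
# the host asking.  Reply from the daemon, one of:
#     "<port-on-server>, <port-on-client> : USERID : <opsys> : <user-id>\r\n"
#     "<port-on-server>, <port-on-client> : ERROR : <error-type>\r\n"
# The connection table, addresses and user names are constructed here.
import re

QUERY_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")
REPLY_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:\s*(.*?)\s*$")

# What the daemon's host knows about its own TCP connections:
# (local port, remote host, remote port) -> login name owning the socket.
CONNECTIONS = {
    (1039, "10.0.0.5", 25): "alice",   # alice is sending mail to 10.0.0.5
    (1042, "10.0.0.7", 23): "bob",     # bob has a telnet session to 10.0.0.7
}


def ident_query(port_on_server: int, port_on_client: int) -> str:
    """Built by the asking host; the ports are those of the connection it
    already has with the server host, from the server's point of view."""
    return f"{port_on_server}, {port_on_client}\r\n"


def ident_respond(query: str, peer: str, table: dict, hide_users: bool = False) -> str:
    """The daemon's side.  `peer' is the address the query arrived from,
    which must also be the remote end of the connection being asked about."""
    match = QUERY_RE.match(query.rstrip("\r\n"))
    if not match:
        return "0, 0 : ERROR : INVALID-PORT\r\n"
    sport, cport = int(match.group(1)), int(match.group(2))
    if not (0 < sport < 65536 and 0 < cport < 65536):
        return f"{sport}, {cport} : ERROR : INVALID-PORT\r\n"
    user = table.get((sport, peer, cport))
    if user is None or hide_users:
        # An administrator who does not want login names disclosed can have
        # the daemon answer NO-USER for everything (constructed switch).
        return f"{sport}, {cport} : ERROR : NO-USER\r\n"
    return f"{sport}, {cport} : USERID : UNIX : {user}\r\n"


def parse_reply(reply: str) -> dict:
    """What the asking host learns from the answer."""
    match = REPLY_RE.match(reply)
    if not match:
        raise ValueError("malformed ident reply")
    ports = (int(match.group(1)), int(match.group(2)))
    if match.group(3) == "USERID":
        opsys, _, user = match.group(4).partition(":")
        return {"ports": ports, "opsys": opsys.strip(), "user": user.strip()}
    return {"ports": ports, "error": match.group(4)}


def who_is(port_on_server: int, port_on_client: int, peer: str, hide_users: bool = False) -> dict:
    """Run the full round trip in-process against the constructed table."""
    query = ident_query(port_on_server, port_on_client)
    return parse_reply(ident_respond(query, peer, CONNECTIONS, hide_users))


if __name__ == "__main__":
    print(who_is(1039, 25, "10.0.0.5"))                    # reveals alice
    print(who_is(1039, 25, "10.0.0.5", hide_users=True))   # admin hides names
    print(who_is(2000, 25, "10.0.0.5"))                    # no such connection
```

  Note that the reply is only as trustworthy as the host giving it:
  a daemon can answer anything, so the name is useful for logging and
  complaints, not for authentication.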

_____
<5.7> What new standards are needed to guard electronic privacy?


  Remailing/Posting
  -----------------
  
  - Stable, secure, protected, officially sanctioned and permitted,
    publicly and privately operated anonymous servers and hubs.
  - Official standards for encryption and anonymity in mail and USENET
    postings.
  - Truly anonymous protocols with source and destination information
    obscured or absent and hidden routing mechanisms (chaining,
    encrypted addresses, etc.)
  - Standards for anonymous email addressing, embedding files, and
    remailer site chaining.
  
  General
  -------
  
  - Recognition of anonymity, cryptography, and related privacy
    shields as legitimate, useful, desirable, and crucial by the
    general public and their governments.
  - Widespread use and implementation of these technologies by
    systems designers into hardware, software, and standards,
    implemented `securely,' `seamlessly,' and `transparently'.
  - General shift of use, dependence, and reliance to means other than
    wiretapping and electronic surveillance by law enforcement
    agencies.
  - Publicity, retraction, and dissolution of laws and government
    agencies opposed to privacy, replaced by structures dedicated to
    strengthening and protecting it.


ISSUES
======

_____
<6.1> What is the Electronic Frontier Foundation (EFF)?

  From ftp.eff.org:/pub/EFF/mission_statement:

  > A new world is arising in the vast web of digital, electronic
  > media which connect us.  Computer-based communication media like
  > electronic mail and computer conferencing are becoming the basis
  > of new forms of community.  These communities without a single,
  > fixed geographical location comprise the first settlements on an
  > electronic frontier.
  > 
  > While well-established legal principles and cultural norms give
  > structure and coherence to uses of conventional media like
  > newspapers, books, and telephones, the new digital media do not
  > so easily fit into existing frameworks.  Conflicts come about as
  > the law struggles to define its application in a context where
  > fundamental notions of speech, property, and place take
  > profoundly new forms. People sense both the promise and the
  > threat inherent in new computer and communications technologies,
  > even as they struggle to master or simply cope with them in the
  > workplace and the home.
  > 
  > The Electronic Frontier Foundation has been established to help
  > civilize the electronic frontier; to make it truly useful and
  > beneficial not just to a technical elite, but to everyone; and to
  > do this in a way which is in keeping with our society's highest
  > traditions of the free and open flow of information and
  > communication.
  
  EFF was started by the multimillionaire Mitchell Kapor, founder of
  Lotus software, and John Barlow, lyricist for the Grateful Dead
  rock band.  A highly publicized endeavor of the organization
  involved the legal defense of Steve Jackson Games after an FBI
  raid and an accompanying civil suit (see section on ``Steve
  Jackson Games'').  The foundation publishes EFF News (EFFector
  Online) electronically; send subscription requests to
  effnews-request@eff.org.
  
  In a letter to Mitchell Kapor dated November 5, 1991, Representative
  Edward J. Markey, Chairman of the Subcommittee with primary
  jurisdiction over telecommunications policy, complimented Mitchell
  Kapor on his ``insights on the development of a national public
  information infrastructure'' which ``were appreciated greatly by
  myself and the Members of the Subcommittee'' (complete text in
  ftp.eff.com:/pub/pub-infra/1991-12):

  > ...we need to pursue policies that encourage the Bell companies to
  > work with other sectors of the communications industry to create
  > a consumer-oriented, public information network. Please let me or
  > my staff know what policies you and others in the computer
  > industry believe would best serve the public interest in creating
  > a reasonably priced, widely available network in which
  > competition is open and innovation rewarded.  I also want to
  > learn what lessons from the computer industry over the past ten
  > to fifteen years should apply to the current debate on
  > structuring the information and communications networks of the
  > future....I ask your help in gaining input from the computer
  > industry so that the Subcommittee can shape policies that will
  > bring this spirit of innovation and entrepreneurship to the
  > information services industry.  

  ftp.eff.org
  ===========
  
  /pub/eff/about-eff
  ---
    A file of basic information about EFF including goals, mission,
    achievements, and current projects. Contains a membership form.

  /pub/eff/mission-statement
  ---
    EFF mission statement.

  /pub/eff/historical/founding-announcement
  ---
    EFF founding press release.

  /pub/eff/historical/eff-history
  ---
    John Perry Barlow's ``Not Terribly Brief History of the EFF'' (July
    10, 1990).  How EFF was conceived and founded, major legal cases,
    and the organizational directions.

  /pub/eff/historical/legal-case-summary
  ---
    EFF legal case summary.


_____
<6.2> Who are Computer Professionals for Social Responsibility (CPSR)?

  The Computer Professionals for Social Responsibility have been
  working to protect and promote electronic civil liberties issues
  since ~1982.  The group has three offices (Palo Alto, Cambridge,
  Washington, DC) and 20 chapters.  It is involved in litigation
  against the FBI, the NSA, NIST, the Secret Service, and other U.S.
  government agencies to declassify and provide documentation on
  issues such as Operation Sundevil, the FBI wiretap proposal, the
  NSA's interference in cryptography, and the breakup of the 2600
  raid in Arlington, Va. in Nov 1992.  Members speak frequently
  before Congress, state legislators, and public utility commissions
  to testify on privacy, information policy, computer security, and
  caller identification.

  CPSR has created an extensive Internet Privacy library available
  via FTP, Gopher, WAIS, and email at cpsr.org, currently comprising
  the largest collection of privacy documents on the internet.  For
  more information, anonymous FTP to cpsr.org:/cpsr/.


  (Thanks to Dave Banisar <banisar@washofc.cpsr.org> for contributions
  here.)

_____
<6.3> What was `Operation Sundevil' and the Steve Jackson Game case?

  In the early 1990's a fear spread among U.S. law enforcement agencies
  about the illicit activities of `hackers' and `phreakers' involved in
  such activities as credit card fraud and long-distance call thievery
  (see ftp.eff.org:/pub/SJG/General_Information/EFFector1.04):

  > `Operation Sundevil,' the Phoenix-inspired crackdown of May
  > 8,1990, concentrated on telephone code-fraud and credit-card
  > abuse, and followed this seizure plan with some success. 
  > [Bulletin Board Systems] went down all over America, terrifying
  > the underground and swiftly depriving them of at least some of
  > their criminal instruments.  It also saddled analysts with some
  > 24,000 floppy disks, and confronted harried Justice Department
  > prosecutors with the daunting challenge of a gigantic nationwide
  > hacker show-trial involving highly technical issues in dozens of
  > jurisdictions.

  Massive `show-trials' never materialized, although isolated
  instances of prosecution were pursued.  The movement reached a
  crescendo in Texas with the highly publicized case of illegal
  search and seizure involving the Steve Jackson Games company of
  Austin, Texas on March 1, 1990.  From the column GURPS' LABOUR LOST
  by Bruce Sterling <bruces@well.sf.ca.us> in Fantasy and Science
  Fiction Magazine:

  > In an early morning raid with an unlawful and unconstitutional
  > warrant, agents of the Secret Service conducted a search of the
  > SJG office.  When they left they took a manuscript being prepared
  > for publication, private electronic mail, and several computers,
  > including the hardware and software of the SJG Computer Bulletin
  > Board System.  Yet Jackson and his business were not only
  > innocent of any crime, but never suspects in the first place. 
  > The raid had been staged on the unfounded suspicion that
  > somewhere in Jackson's office there `might be' a document
  > compromising the security of the 911 telephone system.

  FBI agents involved in the seizure were named in a civil suit filed
  on behalf of Steve Jackson Games by The Electronic Frontier
  Foundation.  See the section on EFF (<6.1>) above.  From an article
  by Joe Abernathy in the Houston Chronicle ~Feb 1, 1993:
  
  > AUSTIN -- An electronic civil rights case against the Secret
  > Service closed Thursday with a clear statement by federal
  > District Judge Sam Sparks that the Service failed to conduct a
  > proper investigation in a notorious computer crime crackdown,
  > and went too far in retaining  custody of seized equipment. 
  > 
  > Secret Service Special Agent Timothy Foley of Chicago, who was in
  > charge of three Austin computer search-and-seizures on March 1,
  > 1990, that led to the lawsuit, stoically endured Spark's rebuke
  > over the Service's poor investigation and abusive computer
  > seizure policies.  While the Service has seized dozens of
  > computers since the crackdown began in 1990, this is the first
  > case to challenge the practice. 
  > 
  > Sparks grew visibly angry when it was established that the Austin
  > science fiction magazine and game book publisher was never
  > suspected of a crime, and that agents did not do even marginal
  > research to establish a criminal connection between the firm and
  > the suspected illegal activities of an employee, or to determine
  > that the company was a publisher. Indeed, agents testified that
  > they were not even trained in the Privacy Protection Act at the
  > special Secret Service school on computer crime. 
  > 
  > "How long would it have taken you, Mr. Foley, to find out what
  > Steve Jackson Games did, what it was?" asked Sparks. "An hour? 
  > 
  > "Was there any reason why, on March 2, you could not return to
  > Steve Jackson Games a copy, in floppy disk form, of everything
  > taken? 
  > 
  > "Did you read the article in Business Week magazine where it had
  > a picture of Steve Jackson -- a law-abiding, tax-paying citizen
  > -- saying he was a computer crime suspect? 
  > 
  > "Did it ever occur to you, Mr. Foley, that seizing this material
  > could harm Steve Jackson economically?" 
  > 
  > Foley replied, "No, sir," but the judge offered his own answer. 
  > 
  > "You actually did, you just had no idea anybody would actually go
  > out and hire a lawyer and sue you." 
  > 
  > More than $200,000 has been spent by the Electronic Frontier 
  > Foundation in bringing the case to trial. The EFF was founded by 
  > Mitchell Kapor amid a civil liberties movement sparked in large
  > part by the Secret Service computer crime crackdown. 


  ftp.eff.org
  ===========
  
  /pub/cud/papers/sundevil
  ---
    A collection of information on Operation SunDevil by the Epic
    nonprofit publishing project. Everything you wanted to know but
    could never find.

  /pub/cud/papers/sj-resp
  ---
    Steve Jackson's response to the charges against him.

_____
<6.4> What is Integrated Services Digital Network (ISDN)?

  ISDN is a high-speed data communications standard that utilizes
  existing copper telephone lines, and is a possible inexpensive and
  intermediate alternative to laying fiber optic cable for phone
  networks.  The speeds involved may be sufficient for audio and
  video transmission applications.  From G. V. der Leun in the file
  ftp.eff.org:/pub/pub-infra/1991-11:

  > Telecommunications in the United States is at a crossroads.  With
  > the Regional Bell Operating Companies now free to provide
  > content, the shape of the information networking is about to be
  > irrevocably altered.  But will that network be the open,
  > accessible, affordable network that the American public needs? 
  > You can help decide this question.
  > 
  > The Electronic Frontier Foundation recently presented a plan to
  > Congress calling for the immediate deployment of a national
  > network based on existing ISDN technology, accessible to anyone
  > with a telephone connection, and priced like local voice service.
  > We believe deployment of such a platform will spur the
  > development of innovative new information services, and maximize
  > freedom, competitiveness, and civil liberties throughout the
  > nation.
  > 
  > The EFF is testifying before Congress and the FCC; making
  > presentations to public utility commissions from Massachusetts to
  > California; and meeting with representatives from telephone
  > companies, publishers, consumer advocates, and other stakeholders
  > in the telecommunications policy debate.
  > 
  > The EFF believes that participants on the Internet, as pioneers on
  > the electronic frontier, need to have their voices heard at this
  > critical moment.

  To automatically receive a description of the platform and details,
  send mail to archive-server@eff.org, with the following line:

    send documents open-platform-overview

  or send mail to eff@eff.org.  See also the Introduction to the EFF
  Open Platform Proposal in ftp.eff.org:/pub/pub-infra/1991-02.

  
  References
  ==========

  ``Digital Data On Demand.'' MacWorld, 2/82 (page 224).
  ---
    56Kbps vs. ISDN services and products. See comments by J. Powers
    in ftp.eff.org:pub/pub-infra/1992-02.

  ``Telephone Service That Rings of the Future.'' By Joshua Quittner.
  Newsday, Tue, Jan 7 1992.
  ---
    Implications of ISDN for the masses, written in popular science
    style.  John Perry Barlow (cofounder EFF).  Regional telephone
    companies (Ohio Bell).  ISDN as ``Technological Rorschach Test.''
    Anecdotes about McDonald's, Barbara Bush teleconferencing.  See
    complete text in ftp.eff.org:/pub/pub-infra/1992-01.
    
  ftp.eff.org:/pub/pub-infra/
  ---
    Files 1991-11 through 1992-05 containing email from the EFF public
    infrastructure group organized by month.  Opinions and facts on
    the pros and cons of ISDN, Integrated Services Digital Network. 
    Uses of ISDN (phone video, audio, etc.)  Japanese model.
    Alternatives to ISDN (HDSL, ADSL, fiber optics). Technical 
    specifications of ISDN, implementation details, cost issues,
    political obstacles, (RBOC, Regional Bell Operating Companies or
    `Baby Bells', e.g. NET, New England Telephone).  Influencing
    development of future networks (e.g. ISDN and NREN, National
    Research and Education  Network), encouraging competition (cable
    TV systems). Press releases and news articles.  Letter from Rep.
    E. J. Markey to M. Kapor.

_____
<6.5> What is the National Research and Education Network (NREN)?

  The National Research and Education Network was introduced in
  legislation cosponsored by Sen. A. Gore to promote high-speed data
  network infrastructure augmenting the internet with up to 50 times
  faster transmission rates.  The bill passed the House on November
  20, 1991, the Senate on November 22, 1991, and was signed by the
  President on December 9, 1991.

  ftp.eff.org
  ===========
  
  /pub/EFF/legislation/nren-bill-text
  ---
    The complete text of the House-Senate compromise version of S.
    272, the High-Performance Computing Act.

  /pub/internet-info/gore.bill
  ---
    102nd Congress, 1st Session.  Text of high performance computing
    bill cosponsored by Sen. A. Gore.


  /pub/EFF/legislation/gore-infrastructure-bill
  ---
    The text of S.2937, the Information Infrastructure and Technology
    Act of 1992 introduced by Senator Gore to expand Federal efforts
    to develop technologies for applications of high-performance
    computing and high-speed networking, and to provide for a
    coordinated Federal program to accelerate development and
    deployment of an advanced information infrastructure.

  U.S. SAID TO PLAY FAVORITES IN PROMOTING NATIONWIDE COMPUTER NETWORK
  By John Markoff, N.Y. Times (~18 Dec 91).
  ---
    President Bush's legislation for nationwide computer data
    `superhighway.'  IBM-MCI venture as monopoly destructive to fair
    competition and innovation?  National Science Foundation NSFnet.
    Complete text in /pub/pub-infra/1991-12.

  Commentary
  ==========

  /pub/academic/statements/nren.privacy.cpsr
  ---
    ``Proposed Privacy Guidelines for the NREN'' -- Statement of Marc
    Rotenberg, Washington Director Computer Professionals for Social
    Responsibility (CPSR).

  /pub/internet-info/cisler.nren
  ---
    ``The National Research and Education Network: Two Meetings'' by
    Steve Cisler, Senior Scientist, Apple Computer Library, December
    17, 1990.  Summary of meetings exploring educational issues of
    NREN by diverse members of academia and industry.

  /pub/internet-info/privatized.nren
  ---
    Feb. 14 1991 essay by M. Kapor advocating advantages of a private
    National Public  Network, and specific recommendations for open
    NREN policies encouraging  competition.


  /pub/eff/papers/netproposition
  ---
    An FYI about the proposed NREN setup.

_____
<6.6> What is the FBI's proposed Digital Telephony Act?

  ``Providers of electronic communication services and private branch
  exchange operators shall provide within the United States
  capability and capacity for the government to intercept wire and
  electronic communications when authorized by law...''
  
  From `BBS Legislative Watch: FBI's Wiretapping Proposal Thwarted' by
  S. Steele in Boardwatch Magazine, Feb. 1993, p. 19-22:
 
  > In a move that worried privacy experts, software manufacturers and
  > telephone companies, the FBI proposed legislation to amend the
  > Communications Act of 1934 to make it easier for the Bureau to
  > perform electronic wiretapping. The proposed legislation,
  > entitled 'Digital Telephony,' would have required communications
  > service providers and hardware manufacturers to make their
  > systems 'tappable' by providing 'back doors' through which law
  > enforcement officers could intercept communications. Furthermore,
  > this capability would have been provided undetectably, while the
  > communications was in progress, exclusive of any communications
  > between other parties, regardless of the mobility of the target
  > of the FBI's investigation, and without degradation of service.
  >  
  > ...under the proposal, the Department of Justice (DOJ) can keep
  > communications products off the market if it determines that
  > these products do not meet the DOJ's own ... guidelines. This
  > [could] result in increased costs and reduced competitiveness for
  > service providers and equipment manufacturers, since they will be
  > unlikely to add any features that may result in a DOJ rejection
  > of their entire product. ...the FBI proposal suggests that the
  > cost of this wiretapping 'service' to the Bureau would have to be
  > borne by the service provider itself...
  > 
  > The Electronic Frontier Foundation organized a broad coalition of
  > public interest and industry groups, from Computer Professionals
  > for Social Responsibility (CPSR) and the ACLU to AT&T and Sun
  > Microsystems, to oppose the legislation. A white paper produced
  > by the EFF and ratified by the coalition, entitled, `An Analysis
  > of the FBI Digital Telephony Proposal,' was widely distributed
  > throughout the Congress.  ... The Justice Department lobbied hard
  > in the final days to get Congress to take up the bill before
  > Congress adjourned, but the bill never ... found a Congressional
  > sponsor (and was therefore never officially introduced). The FBI
  > [may] reintroduce "Digital Telephony" when the 103rd Congress
  > convenes in January.

  ftp.eff.org
  ===========
  
  /pub/eff/legislation/fbi-wiretap-bill
  /pub/EFF/legislation/new-fbi-wiretap-bill
  ---
    A bill to ensure the continuing access of law enforcement to the
    content of wire and electronic communications when authorized by
    law and for other purposes. Version 2 of the bill after FBI
    changes in response to public response.

  /pub/cud/law/hr3515
  ---
    House of Rep bill 3515, Telecommunications Law.

  Commentary
  ==========
  
  /pub/eff/papers/eff-fbi-analysis
  ---
    The EFF-sponsored analysis of the FBI's Digital Telephony proposal.

  /pub/eff/papers/ecpa.layman
  ---
    The Electronic Communications Privacy Act of 1986: A Layman's View.

  /pub/eff/papers/nightline-wire
  ---
    Transcript of ABC's Nightline of May 22, 1992, on the FBI,
    Privacy, and Proposed Wire-Tapping Legislation. Featured are Marc
    Rotenberg of the CPSR and William Sessions, Director of the FBI.

  /pub/eff/papers/edwards_letter
  ---
    A letter from the Director of the Secret Service to US Rep. Don
    Edwards, D-California, in response to questions raised by
    Edwards' Subcommittee. This copy came from Computer Professionals
    for Social Responsibility in Washington, D.C.

  /pub/eff/papers/fbi.systems
  ---
    A description of how information is stored on the FBI's computer
    systems.


_____
<6.7> What other U.S. legislation is related to privacy?

  ftp.eff.org
  ===========
  
  /pub/cud/law/<state>
  ---
    State computer crime laws:
    AL, AK, AZ, CA, CO, CT, DE, FL, GA, HI, IA, ID, IL, IN, MD, MN,
    NC, NJ, NM, NY, OR, TX, VT, VA, WA, WI, WV.

  /pub/cud/law/<country>
  ---
    Current computer crime laws for: The United States (federal
    code), Canada, Ghana, and Great Britain.

  /pub/cud/law/bill.s.618
  ---
    Senate bill 618, addressing registration of encryption keys with
    the government.

  /pub/cud/law/improve
  ---
    Improvement of Information Access bill.

  /pub/cud/law/monitoring
  ---
    Senate bill 516; concerning abuses of electronic monitoring in the
    workplace.

  /pub/cud/law/us.e-privacy
  ---
    Title 18, relating to computer crime & email privacy.

  /pub/academic/law/privacy.electronic.bill
  ---
    The text of Simon's electronic privacy bill, S. 516. ``To prevent
    potential abuses of electronic monitoring in the workplace.''

_____
<6.8> What are references on rights in cyberspace?

  ftp.eff.org
  ===========

  /pub/cud/papers/const.in.cyberspace
  ---
    Laurence Tribe's keynote address at the first Conference on
    Computers, Freedom, & Privacy. `The Constitution in Cyberspace'

  /pub/cud/papers/denning
  ---
    Paper presented to 13th Nat'l Comp Security Conf ``Concerning
    Hackers Who Break into Computer Systems'' by Dorothy E Denning.

  /pub/cud/papers/privacy
  ---
    ``Computer Privacy vs First and Fourth Amendment Rights'' by
    Michael S. Borella

  /pub/cud/papers/rights-of-expr
  ---
    Rights of Expression in Cyberspace by R. E. Baird

  /pub/academic/eff.rights
  ---
    Bill of Rights' meaning in the Electronic Frontier.

_____
<6.9> What is the Computers and Academic Freedom (CAF) archive?

  The CAF Archive is an electronic library of information about
  computers and academic freedom, run by the Computers and Academic
  Freedom group on the Electronic Frontier Foundation FTP site.
  
  > If you have gopher, the archive is browsable with the command:
  >   gopher -p academic gopher.eff.org
  > 
  > It is available via anonymous ftp to ftp.eff.org (192.88.144.4) in
  > directory `pub/academic'. It is also available via email. For
  > information on email access send email to archive-server@eff.org.
  > In the body of your note include the lines `help' and `index'.
  > 
  > For more information, to make contributions, or to report typos
  > contact J.S. Greenfield (greeny@eff.org).

  ftp.eff.org
  ===========
  
  /pub/academic/statements/caf-statement
  ---
    Codifies the application of academic freedom to academic
    computers, reflecting seven months of on-line discussion about
    computers and academic freedom.  Covers free expression, due
    process, privacy, and user participation.

  /pub/academic/books
  ---
    Directory of book references related to Computers and Academic
    Freedom or mentioned in the CAF discussion. The file books/README
    is a bibliography.

  /pub/academic/faq/archive
  ---
    List of files available on the Computers and Academic Freedom
    archive.

  /pub/academic/news
  ---
    Directory of all issues of the Computers and Academic Freedom
    News. A full list of abstracts is available in file `abstracts'.
    The special best-of-the-month issues are named with their month,
    for example, `June'.


FOOTNOTES
=========


_____
<7.1> What is the background behind the Internet?
 
  The article ``Internet'' in Fantasy and Science Fiction by Bruce
  Sterling <bruces@well.sf.ca.us> contains general and nontechnical
  introductory notes on origins of the Internet, including the role
  of the RAND corporation, the goal of network resilience in face of
  nuclear attack, MIT, UCLA, ARPANET, TCP/IP, NSF, NREN, etc.:

  > ARPANET itself formally expired in 1989, a happy victim of its 
  > own overwhelming success.  Its users scarcely noticed, for
  > ARPANET's  functions not only continued but steadily improved. 
  > The use of  TCP/IP standards for computer networking is now
  > global.  In 1971, a  mere twenty-one years ago, there were only
  > four nodes in the  ARPANET  network.  Today there are tens of
  > thousands of  nodes in  the Internet,  scattered over forty-two
  > countries, with more coming  on-line every day.   Three million,
  > possibly four million people use  this gigantic
  > mother-of-all-computer-networks.   
  > 
  > The Internet is especially popular among scientists, and is 
  > probably the most important scientific instrument of the late 
  > twentieth century.   The  powerful, sophisticated access that it 
  > provides to specialized data and personal communication  has sped
  > up the pace of scientific research enormously.  
  > 
  > The Internet's pace of growth in the early 1990s is  spectacular, 
  > almost ferocious.  It is spreading faster than cellular phones,
  > faster  than fax machines.  Last year the Internet was growing at
  > a rate of  twenty percent a *month.*  The number of `host'
  > machines with direct  connection to TCP/IP has been doubling
  > every year since  1988.   The Internet is moving out of  its
  > original base in military and  research institutions,  into
  > elementary and high schools, as well as into  public libraries
  > and the commercial sector.

  References
  ==========

  Bowers, K., T. LaQuey, J. Reynolds, K. Roubicek, M. Stahl, and A.
  Yuan, ``Where to Start - A Bibliography of General Internetworking
  Information'' (RFC-1175), CNRI, U Texas, ISI, BBN, SRI, Mitre,
  August 1990.

  The Whole Internet Catalog & User's Guide by Ed Krol.  (1992)
  O'Reilly and Associates, Inc.
  ---
    A clear, non-jargonized introduction to the intimidating business
    of network literacy written in humorous style.

  Krol, E., ``The Hitchhikers Guide to the Internet'' (RFC-1118),
  University of Illinois Urbana, September 1989.

  ``The User's Directory to Computer Networks'', by Tracy LaQuey.

  The Matrix: Computer Networks and Conferencing Systems Worldwide,
  by John Quarterman.  Digital Press: Bedford, MA. (1990)
  ---
    Massive and highly technical compendium detailing the
    mind-boggling scope and complexity of global internetworks.

  ``!%@:: A Directory of Electronic Mail Addressing and Networks'' by
  Donnalyn Frey and Rick Adams.
      
  The Internet Companion, by Tracy LaQuey with Jeanne C. Ryer (1992)
  Addison Wesley.
  ---
    ``Evangelical'' etiquette guide to the Internet featuring
    anecdotal tales of life-changing Internet experiences.  Foreword
    by Senator Al Gore.

  Zen and the Art of the Internet: A Beginner's Guide by Brendan P. 
  Kehoe (1992)  Prentice Hall. 
  ---
    Brief but useful Internet guide with  plenty of good advice on
    useful databases.


  See also ftp.eff.com:/pub/internet-info/.  (Thanks to Bruce Sterling
  <bruces@well.sf.ca.us> for contributions here.)


  General
  =======

  Cunningham, Scott and Alan L. Porter. ``Communication Networks: A
  dozen ways they'll change our lives.'' The Futurist 26, 1
  (January-February, 1992): 19-22.

  Brian Kahin, ed., BUILDING INFORMATION INFRASTRUCTURE (New York: 
  McGraw-Hill, 1992) ISBN# 0-390-03083-X
  ---
    Essays on information infrastructure.  Policy and design issues,
    research and NREN, future visions, information markets.  See
    table  of contents in ftp.eff.org:/pub/pub-infra/1992-03.

  Shapard, Jeffrey. ``Observations on Cross-Cultural Electronic 
  Networking.'' Whole Earth Review (Winter) 1990: 32-35.

  Varley, Pamela. ``Electronic Democracy.'' Technology Review 
  (November/December, 1991): 43-51.

_____
<7.2> How is Internet `anarchy' like the English language?

  According to Bruce Sterling <bruces@well.sf.ca.us>:

  > The Internet's `anarchy' may seem strange or even unnatural,  but
  > it makes a certain deep and basic sense.  It's rather like the 
  > `anarchy' of the English language.  Nobody rents English, and
  > nobody  owns English.    As an English-speaking person, it's up
  > to you to learn  how to speak English properly  and make whatever
  > use you please  of it (though the government provides certain
  > subsidies to help you  learn to read and write a bit).  
  > Otherwise, everybody just sort of  pitches in, and somehow the
  > thing evolves on its own, and somehow  turns out workable.  And
  > interesting.   Fascinating, even.   Though a lot  of people earn
  > their living from using and exploiting  and teaching  English,
  > `English' as an institution is public property, a public good.  
  > Much the same goes for the Internet.   Would English  be improved
  > if  the `The English Language, Inc.'  had a board of directors
  > and a chief  executive officer, or a President and a Congress?  
  > There'd probably be  a lot fewer new words in English, and a lot
  > fewer new ideas.  


_____
<7.3> Most Wanted list

  Hopefully you have benefited from this creation, compilation, and
  condensation of information from various sources regarding privacy,
  identity, and anonymity on the internet.  The author is committed
  to keeping this up-to-date and strengthening it, but this can only
  be effective with your feedback.  In particular, the following
  items are sought:
  
  - Short summaries of RFC documents and other references listed,
    esp. CPSR files.
  - More data on the specific uses and penetration of RFC-931.
  - Internet traffic statistics.  How much is email?  How much
    USENET?  What are the costs involved?
  - Famous or obscure examples of compromised privacy
    on the internet.
  - FTP site for the code (NOT the code) to turn the .plan file into a
    named pipe for sensing/reacting to remote `fingers'.
  - Knowledge on the `promiscuous' mode of receipt or transmission
    on network cards.
  - Details on the infamous experiment where a scientist resubmitted
    previously accepted papers to a prominent journal with new and
    unknown authors that were subsequently rejected.
  - X Windows, EFF, CPSR FAQhood in news.answers.
  
  Commercial use of this document is negotiable and is a way for the
  author to recoup from a significant time investment.  Email feedback
  to ld231782@longs.lance.colostate.edu.  Please note where you saw
  this (which newsgroup, etc.).

_____
<7.4> Change history

  3/3/93 v2.1 (current)
    
    CPSR pointer, new UNIX mode examples, digital telephony act,
    Steve Jackson incident, additions/reorganization to
    anonymity section, part 3.  Note: v2.0 post to sci.crypt,
    alt.privacy, news.answers, alt.answers, sci.answers was cancelled
    by J. Kamens because of incorrect subject line.
    
  2/14/93 v2.0

    Major revisions.  New section for X Windows.  Some email privacy
    items reorganized to network security section.  New sections for
    email liability issues, anonymity history and responsibilities. 
    Split into three files.  Many new sources added, particularly
    from EFF and CAF in new `issues' part. `commentary' from 
    news.admin.policy.  21 day automated posting starts.

  2/3/93 v1.0

    More newsgroups & FAQs added.  More `Most Wanted'.  Posted to
    news.answers.  Future monthly posting to sci.crypt, alt.privacy.

  2/1/93 v0.3
  
    Formatted to 72 columns for quoting etc. `miscellaneous,'
    `resources' sections added with cypherpunk servers and use
    warnings.  More UNIX examples (`ls' and `chmod').  Posted to
    alt.privacy, comp.society.privacy.
  
  1/29/93 v0.2
    
    `Identity' and `Privacy' sections added.  `Anonymity' expanded.
    Remailer addresses removed due to lack of information and
    instability.  Posted to sci.crypt.
  
  1/25/93 v0.1
  
    Originally posted to the cypherpunks mailing list on 1/25/93 as a
    call to organize a list of anonymous servers.
  
  email ld231782@longs.lance.colostate.edu for earlier versions.


* * *

SEE ALSO
========

Part 1 (previous file)
------

<1.1> What is `identity' on the internet?
<1.2> Why is identity (un)important on the internet?
<1.3> How does my email address (not) identify me and my background?
<1.4> How can I find out more about somebody from their email address?
<1.5> Why is identification (un)stable on the internet? 
<1.6> What is the future of identification on the internet?

<2.1> What is `privacy' on the internet?
<2.2> Why is privacy (un)important on the internet?
<2.3> How (in)secure are internet networks?
<2.4> How (in)secure is my account?
<2.5> How (in)secure are my files and directories?
<2.6> How (in)secure is X Windows?
<2.7> How (in)secure is my email?
<2.8> How am I (not) liable for my email and postings?
<2.9> How do I provide more/less information to others on my identity?
<2.10> Who is my sysadmin?  What does s/he know about me?
<2.11> Why is privacy (un)stable on the internet?
<2.12> What is the future of privacy on the internet?

<3.1> What is `anonymity' on the internet?
<3.2> Why is `anonymity' (un)important on the internet?
<3.3> How can anonymity be protected on the internet?
<3.4> What is `anonymous mail'?
<3.5> What is `anonymous posting'?
<3.6> Why is anonymity (un)stable on the internet?
<3.7> What is the future of anonymity on the internet?

Part 3 (next file)
------

<8.1> What are some known anonymous remailing and posting sites?
<8.2> What are the responsibilities associated with anonymity?
<8.3> How do I `kill' anonymous postings?
<8.4> What is the history behind anonymous posting servers?
<8.5> What is the value of anonymity?
<8.6> Should anonymous posting to all groups be allowed?
<8.7> What should system operators do with anonymous postings?
<8.8> What is going on with anon.penet.fi maintained by J. Helsingius?


* * *

This is Part 2 of the Privacy & Anonymity FAQ, obtained via anonymous
  FTP to pit-manager@mit.edu:/pub/usenet/news.answers/net-privacy/ or 
  newsgroups news.answers, sci.answers, alt.answers every 21 days.
Written by L. Detweiler <ld231782@longs.lance.colostate.edu>.
All rights reserved.

Newsgroup: sci.crypt
document_id: 15178
From: ld231782@longs.lance.colostate.edu (L. Detweiler)
Subject: Privacy & Anonymity on the Internet FAQ (3 of 3)

Archive-name: net-privacy/part3
Last-modified: 1993/3/3
Version: 2.1


NOTES on ANONYMITY on the INTERNET
==================================

Compiled by L. Detweiler <ld231782@longs.lance.colostate.edu>.


<8.1> What are some known anonymous remailing and posting sites?
<8.2> What are the responsibilities associated with anonymity?
<8.3> How do I `kill' anonymous postings?
<8.4> What is the history behind anonymous posting servers?
<8.5> What is the value of anonymity?
<8.6> Should anonymous posting to all groups be allowed?
<8.7> What should system operators do with anonymous postings?
<8.8> What is going on with anon.penet.fi maintained by J. Helsingius?


* * *

_____
<8.1> What are some known anonymous remailing and posting sites?

  Currently the most stable of the anonymous remailing and posting
  sites is anon.penet.fi, operated for several months by julf@penet.fi,
  who has system administrator privileges and owns the equipment.  It
  provides anonymized mail, Usenet posting, and return addresses (no
  encryption).  Send mail to help@penet.fi for information.
 
  Hal Finney has contributed an instruction manual for the cypherpunk
  remailers on the ftp site soda.berkeley.edu (128.32.149.19):
  pub/cypherpunks/hal's.instructions. See also scripts.tar.Z (UNIX
  scripts to aid remailer use) and anonmail.arj (MSDOS batch files to
  aid remailer use).

  ebrandt@jarthur.claremont.edu
  -----------------------------
    Anonymized mail.  Request information from above address.
    
  elee7h5@rosebud.ee.uh.edu
  -------------------------
    Experimental anonymous remailer run by Karl Barrus
    <elee9sf@Menudo.UH.EDU>, with encryption to the server.  Request
    information from that address.
    
  hal@alumni.caltech.edu
  ----------------------
    Experimental remailer with encryption to server and return
    addresses.  Request information from above address.

  hh@soda.berkeley.edu
  hh@cicada.berkeley.edu
  hh@pmantis.berkeley.edu
  ----------------------
    Experimental remailer.  Include header `Request-Remailing-To'.

  nowhere@bsu-cs.bsu.edu 
  ----------------------
    Experimental remailer allowing one level of chaining.  Run by
    Chael Hall.  Request information from above address.

  phantom@mead.u.washington.edu 
  -----------------------------
    Experimental remailer with encryption to server.  `finger' site
    address for information.

  Notes
  =====
  
  - Cypherpunk remailers tend to be unstable because they are often
    running without site administrator knowledge. Liability issues
    are wholly unresolved.
  
  - So far, all encryption is based on public-key cryptography and PGP
    software (see the question on cryptography). 

  - Encryption aspects (message text, destination address, replies)
    vary between sites.

  - Multiple chaining, alias unlinking, and address encryption are
    mostly untested, problematic, or unsupported at this time.
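
  The `Request-Remailing-To' mechanism in the listing above, together
  with the self-test that users are advised to perform (remail a message
  to yourself and look for anything identifying), can be modelled in a
  few dozen lines.  What follows is an added example written for this
  FAQ, not code from any of the remailers listed.  It assumes that the
  remailer forwards only the headers it generates itself plus Subject,
  and that one level of chaining is expressed by a `::' block at the
  top of the body carrying the next hop's headers; that convention, the
  list of headers kept, and every address in the sample message are
  assumptions for this example, not descriptions of any real site.

```python
"""Model of a header-driven anonymous remailer (added example).

The header name Request-Remailing-To comes from the remailer listing;
the `::' pasting convention for one level of chaining, the list of
headers kept, and all addresses are assumptions made for this example.
"""

REMAIL_HEADER = "Request-Remailing-To"

# The only sender-supplied header that is forwarded.  Everything else
# (From, Sender, Reply-To, Received, Message-ID, Organization, X-Mailer,
# ...) identifies the sender or the path the mail took and is dropped.
# Forwarding a fixed allow-list is safer than trying to enumerate every
# revealing header.
KEEP_HEADERS = ("Subject",)


def parse_message(raw):
    """Split an RFC 822 style message into (headers, body).

    headers is a list of (name, value) pairs in order; continuation
    lines (leading whitespace) are folded into the previous header.
    """
    head, _, body = raw.partition("\n\n")
    headers = []
    for line in head.split("\n"):
        if not line:
            continue
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers, body


def paste_body_headers(headers, body):
    """One level of chaining (assumed convention): a body beginning with
    a line `::' carries extra header lines up to the first blank line,
    which are pasted into the outgoing header block so that the next
    hop sees its own Request-Remailing-To.  Returns (headers, body)."""
    lines = body.split("\n")
    if not lines or lines[0].strip() != "::":
        return headers, body
    extra = []
    i = 1
    while i < len(lines) and lines[i].strip():
        name, _, value = lines[i].partition(":")
        extra.append((name.strip(), value.strip()))
        i += 1
    return headers + extra, "\n".join(lines[i + 1:])


def remail(raw, remailer_address):
    """Return the message the remailer forwards, or None if the incoming
    message carries no Request-Remailing-To header (such mail is dropped
    rather than bounced, so the sender's address is never echoed)."""
    headers, body = parse_message(raw)
    dest = next((v for n, v in headers
                 if n.lower() == REMAIL_HEADER.lower()), None)
    if dest is None:
        return None
    out = [("From", remailer_address), ("To", dest)]
    out += [(n, v) for n, v in headers if n in KEEP_HEADERS]
    out, body = paste_body_headers(out, body)
    return "\n".join("%s: %s" % hv for hv in out) + "\n\n" + body


def identifying_leaks(forwarded, secrets):
    """The user self-test: remail a message to yourself and check what
    survived.  Returns the names of headers whose values still contain
    any of the sender's identifying strings.  The body (signatures,
    quoted mail) is not checked; that remains the sender's problem."""
    headers, _ = parse_message(forwarded)
    return [n for n, v in headers if any(s in v for s in secrets)]


# Constructed sample: alice sends through remailer one, chained to a
# second hop, with bob as the final destination.  Names and hosts are
# invented for this example.
SAMPLE = """From: alice@host.example.edu
Received: from host.example.edu by mail.example.edu with SMTP
Message-ID: <1993Mar3.101@host.example.edu>
Subject: test of the remailer
Request-Remailing-To: remailer@hop-two.example

::
Request-Remailing-To: bob@example.org

Body text that does not mention the sender."""

if __name__ == "__main__":
    hop1 = remail(SAMPLE, "nobody@remailer-one.example")
    print(hop1)
    print("---")
    print(remail(hop1, "nobody@hop-two.example"))
    print("leaks:", identifying_leaks(hop1, ["alice", "example.edu"]))
```

  The first hop's output carries only From (the remailer), To (the
  second hop), Subject, and the pasted Request-Remailing-To for bob;
  Received and Message-ID from alice's site are gone.  Note that the
  allow-list does nothing about a Subject line or body that names the
  sender, which is exactly why the guidelines tell users to test the
  system on themselves first.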

_____
<8.2> What are the responsibilities associated with anonymity?

  
  Users
  -----

  - Use anonymity only if you have to. Frivolous uses weaken the
    seriousness and usefulness of the capability for others.
  - Do not use anonymity to provoke, harass, or threaten others.
  - Do not hide behind anonymity to evade established conventions on
    Usenet,  such as posting binary pictures to regular newsgroups.
  - If posting large files, be attentive to bandwidth considerations.
    Remember, simply sending the posting to the service increases
    network traffic.
  - Avoid posting anonymously to the regular hierarchy of Usenet; this
    is the most likely place to alienate readers.  The `alt'
    hierarchy is preferred.
  - Give as much information as possible in the posting (i.e.
    references, etc.) Remember that content is the only means for
    readers to judge the truth of the message, and that any
    inaccuracies will tend to discredit the entire message and even
    future ones under the same handle.
  - Be careful not to include information that will reveal your
    identity or enable someone to deduce it.  Test the system by
    sending anonymized mail to yourself.
  - Be aware of the policies of the anonymous site and respect them. 
    Be prepared to forfeit your anonymity if you abuse the privilege.
  - Be considerate and respectful of others' objections to anonymity.
  - ``Hit-and-run'' anonymity should be used with utmost reservation.
    Use services that provide anonymous return addresses instead.
  - Be courteous to the system operator, who may have invested large
    amounts of time, be personally risking his account, or dedicating
    his hardware, all for your convenience.

  Operators
  ---------

  - Document thoroughly acceptable and unacceptable uses in an
    introductory file that is sent to new users.  Have a coherent and
    consistent policy and stick to it.  State clearly what logging and
    monitoring is occurring.  Describe your background, interest, and
    security measures.  Will the general approach be totalitarian or
    laissez-faire?
  - Formulate a plan for problematic ethical situations and anticipate
    potentially intense moral quandaries and dilemmas. What if a user
    is blackmailing someone through your service? What if a user
    posts suicidal messages through your service? Remember, your
    users trust you to protect them.
  - In the site introductory note, give clear examples  of situations
    where you will take action and what these actions will be (e.g.
    warn the user, limit anonymity to email or posting only, revoke
    the account, 'out' the user, contact local administrator, etc.)
  - Describe exactly the limitations of the software and hardware.
    Address the bandwidth limitations of your site. Report candidly
    and thoroughly all bugs that have  occurred.  Work closely with
    users to isolate and fix bugs. Address all bugs noted below under
    ``(in)stability of anonymity''.
  - Document the stability of the site---how long has it been running?
    What compromises have occurred?  Why are you running it?  What is
    your commitment to it?
  - Include a disclaimer in outgoing mail and messages.  Include an
    address for complaints, ideally appended to every outgoing item. 
    Consult a lawyer about your liability.
  - Be committed to the long-term stability of the site.  Be prepared
    to deal with complaints and `hate mail' addressed to you.  If you
    do not own the hardware the system runs on or are not the system
    administrator, consult those who do and are.
  - Be considerate of providing anonymity to various groups.  If
    possible, query group readers.
  - Keep a uniformity and simplicity of style in outgoing message
    format that can be screened effectively by kill files.  Ensure
    the key text `Anon' is somewhere in every header.
  - Take precautions to ensure the security of the server from
    physical and network-based attacks and infiltrations.

  Readers
  -------
  
  - Do not complain, attack, or discredit a poster for the sole reason
    that he is posting anonymously, make blanket condemnations that
    equate anonymity with cowardice and criminality, or assail
    anonymous traffic in general for mostly neutral reasons (e.g. its
    volume is heavy or increasing).
  - React to the anonymous information unemotionally.  Abusive posters
    will be encouraged further if they get irrationally irate
    responses.  Sometimes the most effective response is silence.
  - Notify operators if very severe abuses occur, such as piracy,
    harassment, extortion, etc.
  - Do not complain about postings being inappropriate because they
    offend you personally.
  - Use kill files to screen anonymous postings if you object to the
    idea of anonymity itself.
  - Avoid the temptation to proclaim that all anonymous postings
    should be barred from particular groups because no `possible' or
    `conceivable' need exists.

  References
  ----------
  
  See e.g. ftp.eff.org:/pub/academic/anonymity:

  > This article is an excerpt from an issue of FIDONEWS on individual
  > privacy and the use of handles.  It accepts the need of a system
  > operator to know the name of a user; but suggests that the use of
  > a handle is analogous to a request to withhold the name in a
  > letter to the editor. The article concludes with a set of
  > guidelines for preserving the right to be anonymous.

_____
<8.3> How do I `kill' anonymous postings?

  James Thomas Green <jgreen@zeus.calpoly.edu>:

  > Try putting this in your kill file:
  >   
  >   /Anon/h:j
  >   /Anonymous/h:j
  > 
  > This will search the headers of the messages and kill any that
  > contain `Anon' or `Anonymous' in them.  Not perfect and won't
  > kill followups. 
  
  Note that anonymous server operators have the capability to mask
  anonymous postings under which the above method will not work; so
  far this practice is not widespread, but it may become more common
  as a countermeasure to widespread anonymous filtering.
  
_____
<8.4> What is the history behind anonymous posting servers?

  Originally anonymous posting services were introduced for
  individual, particularly volatile newsgroups, where anonymity is
  almost the preferred method of communication, such as talk.abortion
  and alt.sex.bondage.  One of the first, run by Dave Mack, started in
  ~1988 for alt.sex.bondage.  Another early one was
  wizvax.methuen.ma.us, run by Stephanie Gilgut (Gilgut Enterprises),
  but it was disbanded due to lack of funds.  That system provided
  anonymous return addresses.  n7kbt.rain.com (John Opalko) took up
  the functions of this server, including reinstating the anonymous
  alias file.  The group alt.personals ``has been chewing through
  servers like there's no tomorrow.''
  
  Spurred by the disappearance of `wizvax' and interested in
  researching the idea, Karl Kleinpaste
  <Karl_Kleinpaste@godiva.nectar.cs.cmu.edu> developed his own system
  from scratch in six hours.  By this time the idea of extending the
  server to new, more `mainstream' groups was starting to emerge,
  and he explored the possibility partly at the specific request of
  multiple users for anonymity in other groups.  ``The intended
  advantage of my system was specifically to allow multiple group
  support, with a single anon identifier across all.  This was
  arguably the single biggest deficiency of previous anon systems.''
  K. Kleinpaste posted a message on rec.nude asking users whether an
  anonymous service would be welcome there, and judged a consensus
  against it.

  K. Kleinpaste introduced what he calls a ``fire extinguisher'' to
  `squelch' or `plonk' abusive users in response to complaints, and
  used this in three cases. Nevertheless, after a few months of
  intense traffic he was eventually overwhelmed by the abuses of his
  server. ``Even as restricted as it was, my system was subjected to
  abuses to the point where it was ordered dismantled by the
  facilities staff here. Such abuses started right after it was
  created.''

  In ~Nov 1992, Johan Helsingius (julf@penet.FI) set up the most
  controversial anonymous site to date.  anon.penet.fi is based on
  scripts and C code written by K. Kleinpaste and supports anonymized
  mail, posting, and return addresses.  He initially wanted to confine
  the service to Scandinavian users but expanded it to worldwide
  accessibility in response to `lots' of international requests.
  
  J. Helsingius's policy of allowing anonymous posting to every Usenet
  newsgroup has been met with strong and serious ideological
  opposition (e.g. by news administrators in news.admin.policy).
  Because the medium is so new, abuses by anonymous posters tend to
  have higher visibility than ``routine'' abuses.  His total
  commitment to preservation of anonymity is also controversial.

  For example, in a highly controversial and publicized case in ~Feb
  1993, an anonymous user posted a supposed transcript of desperate
  crew dialogue during the Challenger shuttle disaster via
  anon.penet.fi to sci.astro.  Even though the transcript had been
  posted in the same place up to a year earlier (then
  non-anonymously) and actually originated not with the poster but
  with a New York news tabloid, subsequent responses consisted largely
  of vociferous outrage at the poster's use of anonymity, reverberating
  through many newsgroups.
  
  The original poster, using the same anonymous handle, later conceded
  that the story ``seemed likely to have been fabricated,''
  suggesting the possibility that the original intent was not to
  provoke outrage but to gauge reactions on the authenticity of the
  story (albeit crudely), free of personal risk from perceived
  association with the item.  The ensuing commotion generated queries
  for the original article by late-entering readers.  The anonymous
  user later posted deliberately offensive comments at his
  detractors.

  Despite piercingly irate and outraged complaints, and even the vocal
  opposition and verbal abuse of K. Kleinpaste and eminent news
  operators, J. Helsingius has largely avoided use of the ``fire
  extinguisher'' and the ``group bouncer'' mechanisms that limit the
  scope of the service.  As of ~March 1993 the anon.penet.fi site is
  best described as `inundated': it has registered over 13,000 users
  in its initial three months of operation, forwards ~3000 messages a
  day, and approximately 5% of all Usenet postings are anonymized
  through the site.  The immense popularity is probably largely due
  to the capability for `global' anonymity, which has allowed users to
  find creative uses in diverse areas not previously envisioned.

  Johan Helsingius was subjected to extraordinary pressure to
  dismantle his server in ~Feb 1993.  At one point K. Kleinpaste
  threatened publicly to organize a sort of vigilante group of irate
  news operators to send out revocation commands on all messages
  originating from the site.  J. Helsingius has also alluded to
  threats of flooding the server.  The server has crashed several
  times, at least once due to a saturation `mailbombing' through it
  by an anonymous user.  Mr. Helsingius reports spending up to 5
  hours per day answering email requests alone associated with the
  service's administration.  In response to the serious threats he
  disabled global group access temporarily for one week and
  encouraged his users to defend the service publicly.
  
  Based on fast-moving dialogue and creative suggestions by
  ``cypherpunks,'' J. Helsingius has identified many security
  weaknesses and valuable new features for the service, and is
  currently in the process of code development and testing.  He is
  planning on upgrading the IBM compatible 386 machine to a 486 soon
  to handle the voluminous load and is considering integrating a new
  system with very sophisticated functionality, including multiple
  email aliases, alias allocation control, public-key encryption,
  etc.

  A very sophisticated anonymous posting system was set up in Dec.
  1992 by D. Clunie <dclunie@pax.tpa.com.au> that used cryptography
  in both directions (to/from) the server for the highest degree of
  confidentiality seen so far.  However, it was running on a public
  access account, and he had to shut it down after only several
  weeks, upon receiving requests and conditions apparently ultimately
  originating from NSF representatives. D. Clunie has released the
  software to the public domain.

  Recently the idea of a newsgroup devoted to `whistleblowing' on
  government abuses has received wide and focused attention, and
  group formation is currently underway.  In the basic scenario the
  group would allow people to post pseudonymously using remailers,
  and even establish reputations based on verifiable digital
  signatures.  The traffic may eventually reach reporters in the
  mainstream news media.  deltorto@aol.com has volunteered to take on
  multiple aspects of this project, including distributing
  easy-to-read documentation on posting, anonymization, and
  encryption.

  See also sections on ``views on anonymous posting'' below and ``what
  is going on with anon.penet.fi?'' in this document.
  
  (Thanks to Karl Kleinpaste
  <Karl_Kleinpaste@godiva.nectar.cs.cmu.edu>, David Clunie
  <dclunie@pax.tpa.com.au> and Johan Helsingius <julf@penet.fi> for
  contributions here.)


_____
<8.5> What is the value of anonymity?

  KONDARED@PURCCVM.BITNET:
    
  > I think anonymous posts do help in focusing our attention on the
  > content of one's message.  Sure, a lot of anonymous posts are
  > abusive or frivolous, but in most cases these are by users who
  > find the anon facility novel.  Once the novelty wears off they
  > are stopping their pranks...

  morgan@engr.uky.edu (Wes Morgan):

  > I don't mind seeing the miscellaneous hatred/prejudice/racism;
  > those things are part of our nature.  However,  the notion of
  > providing anonymity's shield for these ideas repulses me.  If
  > they have such strong feelings, why can't they put their name(s)
  > on  their postings? ... Quite frankly, I loathe communication
  > with people who refuse to use their names.

  dclunie@pax.tpa.com.au (David Clunie):
   
  > Many seem to question the value of anonymity. But who are they to
  > say what risks another individual should take ? There is no
  > question that in this rather conservative society that we live
  > in, holding certain views, making certain statements, adopting a
  > certain lifestyle, are likely to result in public censure,
  > ridicule, loss of status, employment, or even legal action. Given
  > the heterogeneity of the legal jurisdictions from where the many
  > contributors to usenet post, who knows what is legal and what is
  > not ! Some say that anonymous posters are "cowards" and should
  > stand up and be counted. Perhaps that is one point of view but
  > what right do these detractors have to exercise such censorship ?

  From: doug@cc.ysu.edu (Doug Sewell)
  
  > Why is it censorship to not expect someone to speak for
  > themselves, without the cloak of anonymity. This is at best a
  > lame argument. 
  > 
  > You tell me why what you have to say requires anonymity.  And you
  > tell me why the wishes of a majority of non-anonymous users of a
  > newsgroup should be disregarded when they don't want anonymous
  > posts.
  > 
  > Anonymous users have LESS rights than any others. They are not
  > legitimate usenet participants. I would not honor RFDs, CFVs,
  > control messages, or votes from one.

  brad@clarinet.com (Brad Templeton):
  
  > I can think of no disadvantage caused by anon posting sites that
  > doesn't already exist, other than the fact that they do make more
  > naive net users who don't know how to post anonymously the old
  > way more prone to do it.

  From: mandel@netcom.com (Tom Mandel)
  
  > I cannot speak for others but I regard anonymous postings in a
  > serious discussion as pretty much worthless. ... views that hide 
  > behind the veil of anon are hardly worth the trouble of reading.
  
  n8729@anon.penet.fi (Hank Pankey):
  
  > Since I began posting anonymously (to show support for general
  > principles of personal privacy) I have been subject to far more
  > abuse and attack than I ever received before. People seem to
  > find it easier to flame and insult someone whose name they don't
  > know. Perhaps it's easier to pretend that there is no person
  > behind the email address who feels the sting of abusive comments.
  > 
  > Anonymity does hinder some methods of controlling other posters'
  > actions.  People who seek such control will naturally oppose it.

  From: 00acearl@leo.bsuvc.bsu.edu
  
  > Instead of making this a "free-er medium" by allowing posters to
  > "protect themselves" with anonymity, simply require that all
  > posters be prepared to discuss their sources of information and
  > take the heat for unsubstantiated dribble.  This seems to be the
  > way things are currently done; 

  xtkmg@trentu.ca (Kate Gregory):
  
  > In misc.kids there are three threads going on started by anonymous
  > posters. One was about changing jobs so as to work less hours,
  > job sharing and so on, from a woman who didn't want anyone at her
  > current place of work to know she was thinking of looking for
  > work elsewhere. The next was from a woman who is thinking of
  > having a baby sometime soon and doesn't want coworkers, friends,
  > family etc etc to know all about it, but who wants advice. The
  > third is about sex after parenthood -- actually this was started
  > by people posting in the usual way but then it was pointed out
  > that the anonymous posting service might let more people
  > participate.
  > 
  > Misc.kids doesn't seem to be suffering any harm from the presence
  > of anonymous posters; in fact it seems to have been helped by it.

  hoey@zogwarg.etl.army.mil (Dan Hoey):
  
  > While there has never been any real security against anonymous or
  > forged postings on Usenet, the process has until now been
  > sufficiently inconvenient, error-prone, and undocumented to limit
  > its use by persons who have not learned the culture of the net.
  >
  > On the other hand, a recent use of the anonymous posting service
  > on sci.math seemed to be a student asking help on a
  > homework problem.  It has now been attributed to a teacher,
  > asking for an explanation of a dubious answer in his teaching
  > guide.  He says his news posting is broken, so he is using the
  > anonymous service as a mail-to-news gateway.

  Karl Barrus <elee9sf@Menudo.UH.EDU>:
   
  > Some argue that the opinions of the people who hide behind a veil
  > of anonymity are worthless, and that people should own up to
  > their thoughts.  I agree with the latter point - in an ideal
  > world we would all be sitting around engaging in Socratic
  > dialogues, freely exchanging our opinions in an effort to
  > learn.  But in an ideal world nobody will threaten you for your
  > thoughts, or ridicule you.
  > 
  > But we live in a world where the people who don't agree with you
  > may try to harm you.  Let's face it, some people aren't going to
  > agree with your opinion no matter how logically you try to
  > present it, or how reasoned out it may be.  This is sad since it
  > does restrict people from voicing their opinions.

  red@redpoll.neoucom.edu (Richard E. Depew):

  > The consensus seems to be that a general anonymous posting service
  > such as that at anon.penet.fi seems sufficiently corrosive of the
  > trust and civility of the net that this particular experiment
  > should be ended.  Perhaps the next time the question comes up we
  > can say: "We tried it - we learned it does more harm than good -
  > and we stopped it." 

  From: C96@vm.urz.uni-heidelberg.de (Alexander EICHENER)

  > anonymous posting has not created major problems aside from
  > angering irate people (like you?) who would rather ban
  > anonymous/pseudonymous posting altogether because "real men can
  > stand up for what they said" or comparable puerile arguments as
  > others have brought up.

  dave@elxr.jpl.nasa.gov (Dave Hayes):

  > What a primal example of human nature. I have three questions for
  > you folks. 
  > 
  > Do people really say different things to each other based upon
  > whether their identity is or isn't known?
  > 
  > Are people really so affected by what other people say that the
  > verbage is labeled "abuse"?
  > 
  > Most importantly, on a forum that prizes itself on the freedom of
  > communication that it enjoys, is there really such a thing as
  > freedom of communication?
  
  From: terry@geovision.gvc.com (Terry McGonigal)
  
  > <sigh>...  Just how many anon services are needed?  Will
  > *everybody* start running one soon?  What's the purpose?  Who
  > stands to benefit when there are N anon services, then 2*N, then
  > N^2, out there.  Where *has* this sudden fascination with anon
  > services come from?
  > 
  > For better or (IMHO) worse, it looks like we're gonna get stuck
  > with these things, and as much as I don't like the idea (of
  > services like this becoming the norm) I don't really think
  > there's much to be done since it's obvious that anyone who wants
  > to can set one up with a bit of work.

  Karl_Kleinpaste@cs.cmu.edu (Karl Kleinpaste):

  > Weak reasoning.
  > With freedom comes responsibility.

  dave@elxr.jpl.nasa.gov (Dave Hayes):
  
  > Responsibility isn't real if it is enforced.  True responsibility
  > comes with no coercion.

_____
<8.6> Should anonymous posting to all groups be allowed?

  morgan@engr.uky.edu (Wes Morgan):
  
  > I will be the first to admit that I hold some controversial
  > opinions; indeed, I'm sure that none of us are completely
  > orthodox in our opinions. However,  I've received *hundreds* of
  > anonymous email messages over the last few years; fewer than 20
  > of them were "reasonable posts made with good motives." It's 
  > getting more and more difficult to remember why we need anonymity
  > at all; the abusers are (once again) lousing things up for those
  > who truly need the service  (or those who would put it to good
  > use).
  > 
  > I'm not suggesting that we should ban anonymous servers; as I've
  > said, there are several situations in which anonymity is a Good
  > Thing (tm). 
  > 
  > However, the notion that anonymity's shield should be
  > automatically extended to every Usenet discussion is ridiculous;
  > it opens the door to further abuse. 

  twpierce@unix.amherst.edu (Tim Pierce):
  
  > Of course, how does one determine whether a "group" requests the
  > service?  A flat majority of posters voting in favor? A positive
  > margin of 100 votes?  Or what?  No one speaks for a newsgroup.
  > 
  > I'm not convinced by the arguments that an anonymous posting
  > service for all newsgroups is inherently a bad idea, simply
  > because it's a diversion from the status quo. Since the status
  > quo previously permitted anonymous posting to *no* newsgroups,
  > any anonymous posting service would reject the status quo.
  
  hartman@ulogic.UUCP (Richard M. Hartman) writes:
  
  > It is fascist to suggest that a newsgroup is best able to decide
  > whether it wants to allow anonymous postings instead of having
  > them forced upon them by a service administrator?

  ogil@quads.uchicago.edu (Brian W. Ogilvie):

  > The service provides a mechanism for forwarding mail to the
  > original poster. Since most Usenet readers don't know John Smith
  > from Jane Doe except by their opinions and their address, the
  > effect of having an anonymous posting to which mail replies can
  > be directed is minimal, except for those who personally know the
  > poster--and ... the lack of anonymity could be serious. Any
  > mechanism like this is liable to abuse, but the benefits as well
  > as the costs must be weighed. Limiting the service to alt groups,
  > or specific groups, would not help those who want advice on
  > sensitive issues in more 'professional' newsgroups.

  From: tarl@sw.stratus.com (Tarl Neustaedter)
  
  > An additional point is that some of us find anonymity in technical
  > matters to be profoundly offensive; anonymity in different forums
  > has different meanings.  If I get a phone call from someone who
  > won't identify himself, I hang up.  If I get U.S. mail with no
  > return address, it goes into the garbage unopened.  If someone
  > accosts me in the street while wearing a mask, I back away -
  > carefully, and expecting violence.  In a technical discussion,
  > anonymity means that the individual isn't willing to associate
  > himself with the matter being discussed, which discredits his
  > utterances and makes listening to them a waste of time.
  >   
  > Anonymity leads to fun psych experiments; the literature is filled
  > with all the various things that people will do anonymously that
  > they won't otherwise.  Including one notorious study involving
  > torture that would not have passed today's ethical standards.  Fun
  > stuff, in any case.
  > 
  > FINE. LEAVE US OUT OF IT.

  From: jbuck@forney.berkeley.edu (Joe Buck)

  > You obviously have never submitted an article to a refereed
  > journal, where you will receive anonymous reviews through a server
  > (the editor) that behaves much like the one in Finland (e.g. you 
  > may reply and the editor will maintain the anonymity).  ...  Your
  > comparison of someone who wants to express him/herself on a 
  > technical issue anonymously with a person who approaches you on a 
  > dark street with a ski mask is just emotionally overwrought 
  > nonsense; such posters pose no physical threat to you.
 
  jik@mit.edu (J. Kamens):
  
  > It seems obvious to me that the default should be *not* to allow
  > anonymous postings in a newsgroup.  The Usenet has always
  > operated on the principle that the status quo should be kept
  > unless there's a large number of people who want to change it.
  > 
  > If someone REALLY needs to post a message anonymously in a
  > newsgroup in which this usually isn't done, they can usually find
  > someone on the net to do this for them.  They don't need an
  > automated service to do it, and the automated service is by its
  > nature incapable of making the judgment call necessary to decide
  > whether a particular posting really needs to be anonymous.

  From: twpierce@unix.amherst.edu (Tim Pierce)
  
  > For any newsgroup you name, I bet I can envision a scenario
  > involving a need for secrecy. If an accurate content-based
  > filter of each anonymous posting could be devised to screen out
  > those that don't require secrecy, wonderful.  But it can't be
  > done.

  From: lhp@daimi.aau.dk (Lasse Hillerøe Petersen)
  
  > If a newsgroup wants to be noise- and nuisance-free, then it
  > should call for moderation. This should happen on a per-newsgroup
  > basis, and not as a general USENET ban on anonymous postings. Of
  > course one principle of moderation might be to keep out all
  > anonymous postings, and could be achieved automatically. It would
  > still be _moderation_. Personally I would prefer moderation
  > criteria being based on actual content.

  David A. Clunie (dclunie@pax.tpa.com.au):
  
  > If a "group" doesn't want to receive certain posts it should
  > become moderated - there are clearly defined mechanisms on
  > non-alt groups for this to take place. An automated moderator
  > excluding posts from certain (eg. anonymous) sites or individuals
  > could easily be established. If anyone wants to take such a
  > draconian approach then they are welcome to do so and good luck
  > to them. I doubt if I will be reading their group !

  From: dave@frackit.UUCP (Dave Ratcliffe)
  
  > What possible need would someone have for posting anonymously to a
  > sci.* group? 
  > 
  > Sure most adults are willing to post under their own names. Why
  > would they want to hide behind an anonymous posting service?
  > Ashamed of what they have to say or just trying to rile people
  > without fear of being identified? 
  > 
  > Anonymous postings have their place in CERTAIN groups. If I or
  > anyone else needs to tell you what those groups are then you've
  > been on another planet breathing exotic gases for too long.

  From: Karl_Kleinpaste@cs.cmu.edu
  
  > It's bloody fascinating that (all?) the proponents of unimpeded
  > universal anon posting access can't seem to find any middle
  > ground at all.  Why is there such a perception of
  > absolutism? Where does this instant gratification syndrome come
  > from, "I want anon access and I want it NOW"?  Who are the
  > control freaks here?
  
  From: 00acearl@leo.bsuvc.bsu.edu

  > Remember, this is a newsgroup for posters writing about SCIENTIFIC
  > issues. Anonymous discussion of scientific issues leads to bad
  > science.

  From: noring@netcom.com (Jon Noring)
  
  > Though many have personal philosophical arguments against
  > anonymous posters, their arguments have not been compelling
  > enough to convince me that omni-newsgroup anonymous posting
  > should be banned or severely restricted.  Though I cannot prove
  > it, it seems to me that those who do not like anonymous posting
  > (in principle) do so for reasons that are personal (read,
  > psychological discomfort) rather than for reasons related to
  > maintaining the "integrity" of Usenet.
  > 
  > Remember, it is impossible to be able to ascertain all the
  > conceivable and legitimate motives for anonymous posting to
  > newsgroups one normally would not deem to be "sensitive". ... in
  > general, I fear even letting newsgroup readers vote on either
  > allowing or not allowing anonymous posting, since a priori they
  > *cannot* know all the motives of *legitimate* posters, and I do
  > not believe that any system should ever be instituted that would
  > inhibit the posting of legitimate and informative posts. 

  lestat@wixer.cactus.org (Lyle J. Mackey) writes:

  > I personally don't believe that pseudonymous postings are
  > appropriate in a serious discussion area.  If there is a
  > LEGITIMATE reason for concealing the posters' identity, perhaps,
  > but simply because they're not so sure if they want their name
  > attached doesn't qualify as LEGITIMATE in my book.  (Oh, and if
  > you can come up with a legitimate purpose for anonymous postings,
  > please, enlighten me.)

  sderby@crick.ssctr.bcm.tmc.edu (Stuart P. Derby)
  
  > Three of our (the U.S.'s) founding fathers, Madison, Hamilton, and
  > Jay, seemed to think "anonymous posting" was OK. The Federalist
  > papers were originally printed in New York newspapers with
  > authorship attributed to "Publius". I wonder if you would find
  > their purpose "LEGITIMATE"?


_____
<8.7> What should system operators do with anonymous postings?

  From: emcguire@intellection.com (Ed McGuire)
  
  > I would like to know how to junk all articles posted by the
  > anonymous service currently being discussed.  Ideally I would
  > actually tell my feed site not to feed me articles posted by the
  > anonymous service. Assuming the C News Performance Release, what
  > is a simple way to accomplish this? Or where should I look to
  > learn how to do it myself?
  
  From: dclunie@pax.tpa.com.au (David Clunie)
  
  > That's a bit draconian isn't it ? Have your users unanimously
  > decided that they would like you to do this or have you decided
  > for them ?
  
  From: emcguire@intellection.com (Ed McGuire)
  
  > Good question.  Nobody has decided. I have no definite plan to do
  > this, just wanted the technical data.

  Karl Kleinpaste (Karl_Kleinpaste@godiva.nectar.cs.cmu.edu):
  
  > ...were I to be in the position of offering such a service again,
  > my promises of protection of anonymity would be limited.  Not on
  > the basis of personal opinion of what gets posted, but on the
  > basis of postings which disrupt the smooth operation of the
  > Usenet. The most obvious and direct recourse would be to `out'
  > the abusive individual. Less drastic possibilities exist -- the
  > software supports a "fire extinguisher" by which individuals can
  > be prevented from posting.

  john@iastate.edu (John Hascall):
  
  > Since when is Usenet a democracy? If someone wants to run an
  > anonymous service, that's their business. If you want to put
  > that host in your killfile, that's your business. If a newsadmin
  > wants to blanket-drop all postings from that site, that's between
  > them and the other people at that site. If everyone ignores a
  > service, the service effectively doesn't exist.

  From: jik@athena.mit.edu (Jonathan I. Kamens)
  
  > NNTP servers that allow posting from anyone are NOT "a service to
  > the net."  They do the net a disservice.
  > 
  > Terminal servers have the same problems as open NNTP servers --
  > they allow people who want to do illegal/immoral/unethical things
  > on the Internet to do so without accountability.
  > 
  > There are, by now, public access sites all over this country, if
  > not all over the world, that allow very inexpensive access to the
  > Usenet and the Internet.  There is no reason for NNTP servers to
  > allow anyone to post messages through them, and there is no
  > reason for terminal servers to allow anyone to connect to them
  > and then make outbound connections through them.  Perhaps when it
  > was harder to get to the Internet or the Usenet, open servers
  > could be justified, but not now.

  jbotz@mtholyoke.edu (Jurgen Botz): 
  
  > I think that what ... these points show clearly is that an
  > anonymous posting service has a great deal of responsibility,
  > both towards its clients and towards the Net as a whole.  Such a
  > service should (IMHO) have a set of well-defined rules and a
  > contract that its clients should sign, under the terms of which
  > they are assured anonymity.

  From: an8785@anon.penet.fi
  
  > Is the problem that some are used to "punishing" posters who are
  > upsetting in some vague way by complaining to the (usually
  > acquiescent) sysadmin or organizations that the poster belongs
  > to? That surely is the most gutless approach to solving
  > problems, but my experience on the net shows that the same users
  > who vilify anonymous postings are the first to write obsessively
  > detailed grievances to the poster's supervisor when his or her
  > tranquility is disturbed by some "intrusive" or subversive post
  > or another.
  > 
  > Anonymous postings prevent just this kind of intimidation.

  From: gandalf@cyberspace.org (Eric Schilling)
  
  > The main point I would like to make here is that while we can go
  > through and revise the news sw to "reject anon posts to technical
  > newsgroups" or some such thing, I think the attempt will prove
  > futile. Each attempt to modify news can result in a changed
  > approach by anon service providers to thwart the change.  I think
  > this would be pointless.

  From: julf@penet.fi (Johan Helsingius)

  > I have tried to stay out of this discussion, and see where the
  > discussion leads. But now I really feel like I have to speak up.
  > ... I have repeatedly made clear ... that I *do* block users if
  > they continue their abuse after having been warned. In many cases
  > the users have taken heed of the warning and stopped, and in some
  > cases even apologized in public. And when the warning has not had
  > the desired effect, I have blocked a number of users. I have also
  > blocked access to groups where the readership has taken a vote to
  > ban anonymous postings, although I feel changing the newsgroup
  > status to moderated is the only permanent solution for newsgroups
  > that want to "formalize" discussion.
 
  red@redpoll.neoucom.edu (Richard E. Depew)

  > Does this ... mean that you are volunteering to issue a Request 
  > For Discussion to ban anonymous postings or to moderate each of 
  > the 4000+ newsgroups that your server can reach?  I don't think 
  > so, but this illustrates the trouble that your server is causing!
  >
  > Please listen to the consensus of the news administrators in this 
  > group:  any newsgroup should be consulted *before* letting your 
  > server post messages to that group.
 
  From: C96@vm.urz.uni-heidelberg.de (Alexander EICHENER)
  
  > There is no pompous "consensus of *the* news administrators" 
  > here - maybe you would like to invent one. There is a sizeable 
  > number of people who are concerned about the possible (and, to a 
  > minor extent, about the actual abuse of the server as it is 
  > configured now). These concerns are respectable; Johan is dealing
  > with them. ... There are some (few) who rage with foam before 
  > their mouth and condemn the service altogether. And a number who
  > defend it, pointing out, like Kate Gregory, that even a group 
  > like misc.kids can benefit from pseudonymous postings.

  From: julf@penet.fi (Johan Helsingius)

  > I have answered a lot of personal mail related to server abuse,
  > and as a result of that, blocked a number of abusive users. I
  > have also withdrawn the service from several newsgroups where the
  > users have taken a vote on the issue. I have not made any
  > comments on news.admin.policy, partly because the
  > newly-implemented password feature (as an emergency measure
  > against a security hole) has kept me really busy answering user
  > queries the last two weeks, and partly because I feel it is not
  > for me to justify the service, but for the users. The problem
  > with news.admin.policy is that the readership is rather selective,
  > representing people with a strong interest in centralised
  > control.

  From: hartman@ulogic.UUCP (Richard M. Hartman)
  
  > This seems to be a rather bigoted attitude.  I would consider that
  > this group is for anyone who wishes to discuss how the net should
  > be controlled.  Saying that we only have an interest in
  > "centralized control" is a clear indication of bias.  You are
  > perfectly welcome to join in the discussions here to promote your
  > views on control.

  jbuck@ohm.berkeley.edu
  
  > This whole debate is a lot of "sound and fury signifying nothing"
  > because, even if you all decide to ban anonymous posting servers,
  > it is not enforceable.  The only people who conceivably could
  > enforce restrictions are those that control the international
  > links.
  > 
  > Policy changes should be made by cooperation, not by attempting
  > to dictate. ...you need to persuade those who run the services
  > to act like this through friendly persuasion, not by trying to
  > beat them over the head with a stick (especially a stick you
  > don't even have).

  spp@zabriskie.berkeley.edu (Steve Pope)
  
  > I am finding this bias against pseudonymity boring.  Our friend
  > posting through penet has a point.  The old guard would like to
  > keep their network the way it always has been... and this new
  > thing, these pseudonymous servers, cuts into their turf.  So they
  > whine and bitch about it, and every time there's the slightest
  > abuse (such as somebody's .sig being too long),  they try to
  > parlay that into an argument against pseudonymity.
  > 
  > I'll go on record as saying: three cheers for the admins at anon
  > servers like penet, pax, and n7kbt... and for all the access
  > service providers who are willing to preserve their clients'
  > privacy.
  > 
  > And a pox on those who try to defeat and restrict pseudonymity.
  
  mimir@stein.u.washington.edu (Al Billings)
  
  > I wouldn't help people get rid of anon postings as a group. If you
  > don't like what someone says, then you put THAT anon address in
  > your kill file, not all of them. Of course, if and when I get an
  > anon site going, I'm just going to assign fake names like
  > "jsmith" instead of "anon5564" to avoid most of the hassles.
  > You'll never know it is anonymous will you?

  From: anne@alcor.concordia.ca (Anne Bennett)
  
  > I must admit to some astonishment at this argument.  I see the
  > value of anonymous postings under some circumstances, yet believe
  > strongly that these should be identified as such, so that people
  > who do not wish to read material from people who won't identify
  > themselves, don't have to.
  > 
  > I fail to see what good you would be accomplishing, and indeed
  > surmise that you will cause many people inconvenience and
  > annoyance, by hiding the anonymity of postings from your
  > anonymous site.  Would you care to justify where the hell you get
  > the gall to try to prevent people from effectively filtering
  > their news as they see fit?
  
  From: dclunie@pax.tpa.com.au (David Clunie)
  
  > I thought I was out of reach here in Australia too. Unfortunately
  > one of the US sites involved in the US/Aus feed complained to the
  > Australian Academic Research Network through whom my site is
  > connected, not about anything in particular, just the concept of
  > anonymous mail having no redeeming features and consuming a
  > narrow bandwidth link (with which I can't argue) and that was
  > that ... stop the service or face disconnection.
  >
  > I consider the demise of [my] service to have been rather
  > unfortunate, and I wish the Finnish remailer luck ! It is a pity
  > that there are very few if any similar services provided within
  > the US. I guess that's the benefit of having a constitution that
  > guarantees one freedom of speech and a legal and political system
  > that conspires to subvert it in the name of the public good.


_____
<8.8> What is going on with anon.penet.fi run by J. Helsingius?


  From: Karl_Kleinpaste@cs.cmu.edu
  
  > Funny, how beating the rest of the Usenet over the head with a
  > stick is OK if it's anon.penet.fi and universal anon access.  But
  > somehow people on the other side of the same equation (not even
  > arguing to shut it off entirely, but rather just to have some
  > control applied to the abuses that manifest themselves) aren't
  > allowed to do that.
  > 
  > I have written to Johan several times in the last couple of
  > weeks.  He used to reply to me quite readily. After all, I was
  > the source of the software as originally delivered to him -- he
  > used to be downright _prompt_ about replying to me. Funny, now
  > he's being an impolite bastard who doesn't answer mail _at_all_,
  > even when it consists of really very civil queries.
  
  From: julf@penet.fi (Johan Helsingius)
  
  > In your mail you told me you sent me one or more messages on Feb.
  > 8th. Feb 7th and 8th the server was down, and the flood of mail
  > that resulted from the server coming up again crashed my own mail
  > host. The problem was aggravated by an abusive user sending
  > thousands of messages to another user, filling up that user's
  > mailbox. The bounce messages ended up in my mailbox, overflowing
  > my local disk as well.
  > 
  > I can only suppose that your message got lost in that hassle, as
  > I have tried to answer as much as possible of the anon-related
  > messages I get, from routine mis-addressed messages to complaints
  > about the service. On the average I spend 4-5 hours per day
  > answering anon-related messages.
  
  From: Karl_Kleinpaste@cs.cmu.edu
  
  > Why is it that everybody else has to put up with the impoliteness
  > and insensitivity of the misuse of anon.penet.fi?  Whose
  > definitions of "polite" and "sense" apply, and why? Why is
  > universal anon access considered to be within the realm of this
  > fuzzy concept of "politeness" in the first place?
  > 
  > I think Johan has long since crossed the line into being a rude
  > bastard, and I told him so in private mail a little while ago.
  > 
  > At this point, I deeply regret [a] having created an anonymous
  > system supporting >1 newsgroup and [b] having given the code to
  > Johan.  I didn't copyright it, but I thought that some concept of
  > politeness and good sense might follow it to new
  > homes.  Interesting that Johan's ideas of politeness and good
  > sense seem to have nearly no intersection with mine. I could
  > even cope with universal anon access _if_ Johan would be willing
  > to engage in abuse control, but somehow that seems to be outside
  > the range of reality...

  From: julf@penet.fi (Johan Helsingius)
  
  > There is no way for me to convey how sad and upset your message
  > made me. I do, to some extent, understand your feelings, but it
  > still feels really bad. Running the server requires getting used
  > to a lot of flames, but mindlessly abusive hate mail is so much
  > easier to deal with than something like this, as I do respect and
  > value your views and opinions to a high degree. No, I'm not
  > asking for sympathy, I just wanted you to know that I am really
  > giving your views quite a lot of weight.
  > 
  > When I asked for the software, I was actually only going to
  > provide the service to Scandinavian users. But a lot of people
  > requested that I keep the service open to the international
  > community. I now realize that I ought to have contacted you at
  > that point to ask how you feel about me using your stuff in such
  > a context. Again, I really want to apologise. And I will replace
  > the remaining few pieces of code that still stem from your
  > system. Unfortunately there is no way to remove the ideas and
  > structure I got from you.
  > 
  > Again, I am really sorry that the results of your work ended up
  > being used in a way that you don't approve of. And I will be
  > giving a lot of hard thought to the possibility of shutting down
  > the server altogether.
  
  From: Karl_Kleinpaste@cs.cmu.edu
  
  > I think I'm feeling especially rude and impolite.  If it's good
  > for Johan, it's good for me.  After all, he didn't ask the
  > greater Usenet whether universal anon access was a good idea; he
  > just did it. ... Yes, I'm a seriously rude pain in the ass now,
  > and I think I'll arm the Usenet Death Penalty, slightly modified,
  > not for strategic whole-site attack, but tactical assault, just
  > "an[0-9]*@anon.penet.fi" destruction. Only outside alt.*, too,
  > let's say.
  > 
  > To parrot this line...people have been doing things like the UDP
  > (that is, cancelling others' postings) for years, no one could
  > ever stop them, and it's only politeness and good sense that has
  > prevented them up to now.
  > 
  > In fact, I have 8 people who have expressed privately the desire
  > and ability to arm the UDP.
  > 
  > ...
  > 
  > PS- No, in fact there are not 8 newsadmins ready to arm the
  > UDP.  It would be amusing to know how many people gulped hard
  > when they read that, though.  I don't see it as any different
  > from Johan's configuration.
  > 
  > PPS- Now that I've calmed some fears by the above PS...  There
  > are 2 newsadmins ready to arm the UDP.  They've asked for my
  > code.  I haven't sent it yet. Only one site would be necessary
  > to bring anon.penet.fi to a screeching halt.  Anyone can
  > implement the UDP on their own, if they care to.  Politeness and
  > good sense prevents them from doing so. I wonder how long before
  > one form of impoliteness brings on another form.

  From: julf@penet.fi (Johan Helsingius)
  
  > It would be trivially easy to bring anon.penet.fi to a screeching
  > halt. In fact it has happened a couple of times already. But as
  > we are talking threats here, let me make one as well. A very
  > simple one. If somebody uses something like the UDP or
  > maliciously brings down anon.penet.fi by some other means, it
  > will stay down. But I will let the users know why. And name the
  > person who did it. OK? As somebody said on this thread: "You have
  > to take personal responsibility for your actions", right?
  
  From: avs20@ccc.amdahl.com (  134 Atul V Salgaonkar)
  
  > I am very grateful and appreciative of this service, courtesy of
  > penet.fi.  Some important questions about my personal
  > life/career/job were resolved due to kind help of other people
  > who had been thru similar situations. In return, I have also
  > replied to anon postings where I thought I could make a positive
  > contribution.
  > 
  > In general, anon service is great, in my opinion, although like
  > any tool some people will not use it responsibly. I suggest that
  > it should be kept alive. Wasting bandwidth is less important than
  > saving lives, I think.
  
  From: us273532@mmm.serc.3m.com (Elisa J. Collins)
  
  > I have been informed that the anonymous posting service to many
  > newsgroups has been turned off as a result of discussions in this
  > newsgroup over people abusing it.
  > 
  > I had been posting to a nontechnical misc newsgroup about an
  > intimate topic for which I felt I required privacy. I have
  > received immeasurable help from the people in that newsgroup, and
  > I have never used anonymity to behave in an abusive, immature, or
  > unethical fashion toward anyone.
  > 
  > Please, folks, believe me, I *need* this service.  Please
  > consider my point of view and permit admin@anon.penet.fi to turn
  > the service back on...
  > 
  > Thank you.

* * *

SEE ALSO
========

Part 1 (first file)
------

<1.1> What is `identity' on the internet?
<1.2> Why is identity (un)important on the internet?
<1.3> How does my email address (not) identify me and my background?
<1.4> How can I find out more about somebody from their email address?
<1.5> Why is identification (un)stable on the internet? 
<1.6> What is the future of identification on the internet?

<2.1> What is `privacy' on the internet?
<2.2> Why is privacy (un)important on the internet?
<2.3> How (in)secure are internet networks?
<2.4> How (in)secure is my account?
<2.5> How (in)secure are my files and directories?
<2.6> How (in)secure is X Windows?
<2.7> How (in)secure is my email?
<2.8> How am I (not) liable for my email and postings?
<2.9> How do I provide more/less information to others on my identity?
<2.10> Who is my sysadmin?  What does s/he know about me?
<2.11> Why is privacy (un)stable on the internet?
<2.12> What is the future of privacy on the internet?

<3.1> What is `anonymity' on the internet?
<3.2> Why is `anonymity' (un)important on the internet?
<3.3> How can anonymity be protected on the internet?
<3.4> What is `anonymous mail'?
<3.5> What is `anonymous posting'?
<3.6> Why is anonymity (un)stable on the internet?
<3.7> What is the future of anonymity on the internet?

Part 2 (previous file)
------

<4.1> What UNIX programs are related to privacy?
<4.2> How can I learn about or use cryptography?
<4.3> What is the cypherpunks mailing list?
<4.4> What are some privacy-related newsgroups?  FAQs?
<4.5> What is internet Privacy Enhanced Mail (PEM)?
<4.6> What are other Request For Comments (RFCs) related to privacy?
<4.7> How can I run an anonymous remailer?
<4.8> What are references on privacy in email?
<4.9> What are some email, Usenet, and internet use policies?
<4.10> What is the MIT ``CROSSLINK'' anonymous message TV program?

<5.1> What is ``digital cash''?
<5.2> What is a ``hacker'' or ``cracker''?
<5.3> What is a ``cypherpunk''?
<5.4> What is `steganography' and anonymous pools?
<5.5> What is `security through obscurity'?
<5.6> What are `identity daemons'?
<5.7> What standards are needed to guard electronic privacy?

<6.1> What is the Electronic Frontier Foundation (EFF)?
<6.2> Who are Computer Professionals for Social Responsibility (CPSR)?
<6.3> What was `Operation Sun Devil' and the Steve Jackson Game case?
<6.4> What is Integrated Services Digital Network (ISDN)?
<6.5> What is the National Research and Education Network (NREN)?
<6.6> What is the FBI's proposed Digital Telephony Act?
<6.7> What other U.S. legislation is related to privacy on networks?
<6.8> What are references on rights in cyberspace?
<6.9> What is the Computers and Academic Freedom (CAF) archive?

<7.1> What is the background behind the Internet?
<7.2> How is Internet `anarchy' like the English language?
<7.3> Most Wanted list
<7.4> Change history


* * *

This is Part 3 of the Privacy & Anonymity FAQ, obtained via anonymous
  FTP to pit-manager@mit.edu:/pub/usenet/news.answers/net-privacy/ or 
  newsgroups news.answers, sci.answers, alt.answers every 21 days.
Written by L. Detweiler <ld231782@longs.lance.colostate.edu>.
All rights reserved.



Newsgroup: sci.crypt
document_id: 15179
From: ckincy@cs.umr.edu (Charles Kincy)
Subject: Re: Pgp, PEM, and RFC's (Was: Cryptography Patents)

In article <1993Apr16.001321.3692@natasha.portal.com> bob@natasha.portal.com (Bob Cain) writes:

>: I hope my cynicism is misplaced here.  Go ahead...I'm not afraid to
>: be wrong every once in a while.  But, I have an uneasy feeling that I
>: am right.  :(
>
>It is and you are wrong yet you emotionally state a bunch of crap as fact
>with a tiny disclaimer at the end.  Check your facts first and grow up.
>Why is there such a strong correlation between interest in cryptography
>and immaturity I wonder.

Oh, I see, flame someone, tell them that they are immature, tell them
they are wrong, and then don't offer any proof for your assertions.

You really *are* a putz.  Put up or shut up.

cpk
-- 
It's been 80 days.  Do you know where your wallet is?

Newsgroup: sci.crypt
document_id: 15180
Subject: Re: Fifth Amendment and Passwords
From: pgut1@cs.aukuni.ac.nz (Peter Gutmann)

In <C5Jzsz.Jzo@cs.uiuc.edu> kadie@cs.uiuc.edu (Carl M Kadie) writes:

>The crypto-key disclosure issue hasn't come up yet, but current law
>suggests that it's a loser for the defendant--he'll be compelled to turn
>over the key.

It has actually come up (or it will in a week or two) in NZ.  I'll post the
outcome when the trial finishes (which could take months BTW).  Overall it
looks like you can't be forced to reveal a password, if anyone can provide
a convincing legal argument to the contrary (ie an actual court case) I'd
be most interested...

Peter.
--
 pgut1@cs.aukuni.ac.nz||p_gutmann@cs.aukuni.ac.nz||gutmann_p@kosmos.wcc.govt.nz
peterg@kcbbs.gen.nz||peter@nacjack.gen.nz||peter@phlarnschlorpht.nacjack.gen.nz
             (In order of preference - one of 'em's bound to work)
                          -- Think!  (or thwim) --


Newsgroup: sci.crypt
document_id: 15181
From: Rob Shirey <shirey@mitre.org>
Subject: ISOC Symposium on Net Security


                             CALL FOR PAPERS
                    The Internet Society Symposium on
                 Network and Distributed System Security

        3-4 February 1994, Catamaran Hotel, San Diego, California

The symposium will bring together people who are building software and
hardware to provide network or distributed system security services.
The symposium is intended for those interested in practical aspects of
network and distributed system security, rather than in theory.  Symposium
proceedings will be published by the Internet Society.  Topics for the
symposium include, but are not limited to, the following:

*  Design and implementation of services--access control, authentication,
   availability, confidentiality, integrity, and non-repudiation
   --including criteria for placing services at particular protocol
   layers.

*  Design and implementation of security mechanisms and support
   services--encipherment and key management systems, authorization
   and audit systems, and intrusion detection systems.

*  Requirements and architectures for distributed applications and
   network functions--message handling, file transport, remote
   file access, directories, time synchronization, interactive
   sessions, remote data base management and access, routing, voice and
   video multicast and conferencing, news groups, network management,
   boot services, mobile computing, and remote I/O.

*  Special issues and problems in security architecture, such as
   -- very large systems like the international Internet, and
   -- high-speed systems like the gigabit testbeds now being built.

*  Interplay between security goals and other goals--efficiency,
   reliability, interoperability, resource sharing, and low cost.

GENERAL CHAIR:
   Dan Nessett, Lawrence Livermore National Laboratory

PROGRAM CHAIRS:
   Russ Housley, Xerox Special Information Systems
   Rob Shirey, The MITRE Corporation

PROGRAM COMMITTEE:
   Dave Balenson, Trusted Information Systems
   Tom Berson, Anagram Laboratories
   Matt Bishop, Dartmouth College
   Ed Cain, U.S. Defense Information Systems Agency
   Jim Ellis, CERT Coordination Center
   Steve Kent, Bolt, Beranek and Newman
   John Linn, Independent Consultant
   Clifford Neuman, Information Sciences Institute
   Michael Roe, Cambridge University
   Rob Rosenthal, U.S. National Institute of Standards and Technology
   Jeff Schiller, Massachusetts Institute of Technology
   Ravi Sandhu, George Mason University
   Peter Yee, U.S. National Aeronautics and Space Administration

SUBMISSIONS:  The  committee seeks both original technical papers and
proposals for panel discussions on technical and other topics of general
interest.  Technical papers should be 10-20 pages in length.  Panels
should include three or four speakers.  A panel proposal must name the
panel chair, include a one-page topic introduction authored by the chair,
and also include one-page position summaries authored by each speaker.
Both the technical papers and the panel papers will appear in the
proceedings.

Submissions must be made by 16 August 1993.  Submissions should be made
via electronic mail to

                   1994symposium@smiley.mitre.org.

Submissions may be in either of two formats:  ASCII or PostScript.  If
the committee is unable to read a PostScript submission, it will be
returned and ASCII requested.  Therefore, PostScript submissions should
arrive well before 16 August.  If electronic submission is absolutely
impossible, submissions should be sent via postal mail to

                   Robert W. Shirey, Mail Stop Z202
                   The MITRE Corporation
                   McLean, Virginia  22102-3481  USA

All submissions must include both an Internet electronic mail address and
a postal address.  Each submission will be acknowledged through the
medium by which it is received.  If acknowledgment is not received within
seven days, please contact either Rob Shirey <Shirey@MITRE.org> or
Russ Housley <Housley.McLean_CSD@xerox.com>, or telephone Mana Weigand at
MITRE in McLean, 703-883-5397.

Authors and panelists will be notified of acceptance by 15 October 1993.
Instructions for preparing camera-ready copy for the proceedings will be
postal mailed at that time.  The camera-ready copy must be received by
15 November 1993.

Newsgroup: sci.crypt
document_id: 15182
From: marc@tanda.isis.org (Marc Thibault)
Subject: Re: PEM and MIME

In article <1qg8m2$2e5@nigel.msen.com> 
(Edward Vielmetti) writes: 

> I would suggest that 50 attractive MIME formatted news messages a day would be
> sufficient to get a few people thinking about adding MIME support to news
> readers, esp if the content is really worth it.

        But that's just the problem. There is no such thing as
        "MIME-Formatted". By analogy, MIME is a content-labelling
        standard for the box, not a specification for the contents
        themselves. It provides a standard for "like-minded"
        individuals to exchange mail containing an agreed-upon data
        format.

        You say tomahto, I say tomaeto; you say postscript, I say
        SGML...
        
        Cheers,
                Marc

---
 Marc Thibault        | CIS:71441,2226     |  Put another log
 marc@tanda.isis.org  | NC FreeNet: aa185  |  on the fire.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.0

mQBNAiqxYTkAAAECALfeHYp0yC80s1ScFvJSpj5eSCAO+hihtneFrrn+vuEcSavh
AAUwpIUGyV2N8n+lFTPnnLc42Ms+c8PJUPYKVI8ABRG0I01hcmMgVGhpYmF1bHQg
PG1hcmNAdGFuZGEuaXNpcy5vcmc+
=HLnv
-----END PGP PUBLIC KEY BLOCK-----



Newsgroup: sci.crypt
document_id: 15183
From: clipper@csrc.ncsl.nist.gov (Clipper Chip Announcement)
Subject: text of White House announcement and Q&As on clipper chip encryption


Note:  This file will also be available via anonymous file
transfer from csrc.ncsl.nist.gov in directory /pub/nistnews and
via the NIST Computer Security BBS at 301-948-5717.
     ---------------------------------------------------

                         THE WHITE HOUSE

                  Office of the Press Secretary

_________________________________________________________________

For Immediate Release                           April 16, 1993


                STATEMENT BY THE PRESS SECRETARY


The President today announced a new initiative that will bring
the Federal Government together with industry in a voluntary
program to improve the security and privacy of telephone
communications while meeting the legitimate needs of law
enforcement.

The initiative will involve the creation of new products to
accelerate the development and use of advanced and secure
telecommunications networks and wireless communications links.

For too long there has been little or no dialogue between our
private sector and the law enforcement community to resolve the
tension between economic vitality and the real challenges of
protecting Americans.  Rather than use technology to accommodate
the sometimes competing interests of economic growth, privacy and
law enforcement, previous policies have pitted government against
industry and the rights of privacy against law enforcement.

Sophisticated encryption technology has been used for years to
protect electronic funds transfer.  It is now being used to
protect electronic mail and computer files.  While encryption
technology can help Americans protect business secrets and the
unauthorized release of personal information, it also can be used
by terrorists, drug dealers, and other criminals.

A state-of-the-art microcircuit called the "Clipper Chip" has
been developed by government engineers.  The chip represents a
new approach to encryption technology.  It can be used in new,
relatively inexpensive encryption devices that can be attached to
an ordinary telephone.  It scrambles telephone communications
using an encryption algorithm that is more powerful than many in
commercial use today.

This new technology will help companies protect proprietary
information, protect the privacy of personal phone conversations
and prevent unauthorized release of data transmitted
electronically.  At the same time this technology preserves the
ability of federal, state and local law enforcement agencies to
intercept lawfully the phone conversations of criminals. 

A "key-escrow" system will be established to ensure that the
"Clipper Chip" is used to protect the privacy of law-abiding
Americans.  Each device containing the chip will have two unique
"keys," numbers that will be needed by authorized government
agencies to decode messages encoded by the device.  When the
device is manufactured, the two keys will be deposited separately
in two "key-escrow" data bases that will be established by the
Attorney General.  Access to these keys will be limited to
government officials with legal authorization to conduct a
wiretap.

The "Clipper Chip" technology provides law enforcement with no
new authorities to access the content of the private
conversations of Americans.

To demonstrate the effectiveness of this new technology, the
Attorney General will soon purchase several thousand of the new
devices.  In addition, respected experts from outside the
government will be offered access to the confidential details of
the algorithm to assess its capabilities and publicly report
their findings.

The chip is an important step in addressing the problem of
encryption's dual-edge sword:  encryption helps to protect the
privacy of individuals and industry, but it also can shield
criminals and terrorists.  We need the "Clipper Chip" and other
approaches that can both provide law-abiding citizens with access
to the encryption they need and prevent criminals from using it
to hide their illegal activities.  In order to assess technology
trends and explore new approaches (like the key-escrow system),
the President has directed government agencies to develop a
comprehensive policy on encryption that accommodates:

     --   the privacy of our citizens, including the need to
          employ voice or data encryption for business purposes;

     --   the ability of authorized officials to access telephone
          calls and data, under proper court or other legal
          order, when necessary to protect our citizens;

     --   the effective and timely use of the most modern
          technology to build the National Information
          Infrastructure needed to promote economic growth and
          the competitiveness of American industry in the global
          marketplace; and 

     --   the need of U.S. companies to manufacture and export
          high technology products.

The President has directed early and frequent consultations with
affected industries, the Congress and groups that advocate the
privacy rights of individuals as policy options are developed.

The Administration is committed to working with the private
sector to spur the development of a National Information
Infrastructure which will use new telecommunications and computer
technologies to give Americans unprecedented access to
information.  This infrastructure of high-speed networks
("information superhighways") will transmit video, images, HDTV
programming, and huge data files as easily as today's telephone
system transmits voice.

Since encryption technology will play an increasingly important
role in that infrastructure, the Federal Government must act
quickly to develop consistent, comprehensive policies regarding
its use.  The Administration is committed to policies that
protect all Americans' right to privacy while also protecting
them from those who break the law.

Further information is provided in an accompanying fact sheet. 
The provisions of the President's directive to acquire the new
encryption technology are also available.  

For additional details, call Mat Heyman, National Institute of
Standards and Technology, (301) 975-2758.

---------------------------------


QUESTIONS AND ANSWERS ABOUT THE CLINTON ADMINISTRATION'S
TELECOMMUNICATIONS INITIATIVE




Q:   Does this approach expand the authority of government
     agencies to listen in on phone conversations?

A:   No.  "Clipper Chip" technology provides law enforcement with
     no new authorities to access the content of the private
     conversations of Americans.

Q:   Suppose a law enforcement agency is conducting a wiretap on
     a drug smuggling ring and intercepts a conversation
     encrypted using the device.  What would they have to do to
     decipher the message?

A:   They would have to obtain legal authorization, normally a
     court order, to do the wiretap in the first place.  They
     would then present documentation of this authorization to
     the two entities responsible for safeguarding the keys and
     obtain the keys for the device being used by the drug
     smugglers.  The key is split into two parts, which are
     stored separately in order to ensure the security of the key
     escrow system.

Q:   Who will run the key-escrow data banks?

A:   The two key-escrow data banks will be run by two independent
     entities.  At this point, the Department of Justice and the
     Administration have yet to determine which agencies will
     oversee the key-escrow data banks.

Q:   How strong is the security in the device?  How can I be sure
     how strong the security is?  

A:   This system is more secure than many other voice encryption
     systems readily available today.  While the algorithm will
     remain classified to protect the security of the key escrow
     system, we are willing to invite an independent panel of
     cryptography experts to evaluate the algorithm to assure all
     potential users that there are no unrecognized
     vulnerabilities.

Q:   Whose decision was it to propose this product?

A:   The National Security Council, the Justice Department, the
     Commerce Department, and other key agencies were involved in
     this decision.  This approach has been endorsed by the
     President, the Vice President, and appropriate Cabinet
     officials.

Q:   Who was consulted?  The Congress?  Industry?

A:   We have on-going discussions with Congress and industry on
     encryption issues, and expect those discussions to intensify
     as we carry out our review of encryption policy.  We have
     briefed members of Congress and industry leaders on the
     decisions related to this initiative.

Q:   Will the government provide the hardware to manufacturers?

A:   The government designed and developed the key access
     encryption microcircuits, but it is not providing the
     microcircuits to product manufacturers.  Product
     manufacturers can acquire the microcircuits from the chip
     manufacturer that produces them.

Q:   Who provides the "Clipper Chip"?

A:   Mykotronx programs it at their facility in Torrance,
     California, and will sell the chip to encryption device
     manufacturers.  The programming function could be licensed
     to other vendors in the future.

Q:   How do I buy one of these encryption devices? 

A:   We expect several manufacturers to consider incorporating
     the "Clipper Chip" into their devices.
     
Q:   If the Administration were unable to find a technological
     solution like the one proposed, would the Administration be
     willing to use legal remedies to restrict access to more
     powerful encryption devices?

A:   This is a fundamental policy question which will be
     considered during the broad policy review.  The key escrow
     mechanism will provide Americans with an encryption product
     that is more secure, more convenient, and less expensive
     than others readily available today, but it is just one
     piece of what must be the comprehensive approach to
     encryption technology, which the Administration is
     developing.

     The Administration is not saying, "since encryption
     threatens the public safety and effective law enforcement,
     we will prohibit it outright" (as some countries have
     effectively done); nor is the U.S. saying that "every
     American, as a matter of right, is entitled to an
     unbreakable commercial encryption product."  There is a
     false "tension" created in the assessment that this issue is
     an "either-or" proposition.  Rather, both concerns can be,
     and in fact are, harmoniously balanced through a reasoned,
     balanced approach such as is proposed with the "Clipper
     Chip" and similar encryption techniques.

Q:   What does this decision indicate about how the Clinton
     Administration's policy toward encryption will differ from
     that of the Bush Administration?  

A:   It indicates that we understand the importance of encryption
     technology in telecommunications and computing and are
     committed to working with industry and public-interest
     groups to find innovative ways to protect Americans'
     privacy, help businesses to compete, and ensure that law
     enforcement agencies have the tools they need to fight crime
     and terrorism.

Q:   Will the devices be exportable?  Will other devices that use
     the government hardware?

A:   Voice encryption devices are subject to export control
     requirements.  Case-by-case review for each export is
     required to ensure appropriate use of these devices.  The
     same is true for other encryption devices.  One of the
     attractions of this technology is the protection it can give
     to U.S. companies operating at home and abroad.  With this
     in mind, we expect export licenses will be granted on a
     case-by-case basis for U.S. companies seeking to use these
     devices to secure their own communications abroad.  We plan
     to review the possibility of permitting wider exportability
     of these products.
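
The two-part key split described in the statement and the two-entity release
procedure in the Q&A above, modelled as an added example.  This is not the
Clipper design and not code from the announcement: it assumes a plain XOR split,
an EscrowAgent class and a dictionary-shaped authorization record, all
constructed here to illustrate why one escrowed part alone is useless and why
both agents must check the authorization independently.

```python
"""Two-part key escrow, modelled on the split the announcement describes.

Added illustration, not the Clipper design: one part is drawn at random,
the other is key XOR part1.  Either part by itself is a uniformly random
string, so one escrow data bank (or a copy stolen from it) reveals nothing
about the device key; the key only reappears when both parts are combined
under an authorization that both agents check independently.
"""
import secrets
from typing import Dict, Optional, Tuple


def split_key(key: bytes, random_part: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Split `key` into two parts.  `random_part` pins the randomness for tests;
    real callers leave it None so part1 comes from the OS CSPRNG."""
    part1 = secrets.token_bytes(len(key)) if random_part is None else random_part
    if len(part1) != len(key):
        raise ValueError("random part must be the same length as the key")
    part2 = bytes(k ^ p for k, p in zip(key, part1))
    return part1, part2


def reconstruct_key(part1: bytes, part2: bytes) -> bytes:
    """Recombine the two escrowed parts; both are needed, in either order."""
    if len(part1) != len(part2):
        raise ValueError("parts must have equal length")
    return bytes(a ^ b for a, b in zip(part1, part2))


def consistent_keys_for_single_part(part1: bytes) -> int:
    """How many distinct keys remain possible for someone holding only part1?
    Every candidate key has exactly one part2 that pairs with part1 to give it,
    so the answer is 256 ** len(part1): the full key space, nothing ruled out.
    Enumerated by brute force, so keep part1 to one or two bytes."""
    n = len(part1)
    possible = set()
    for k in range(256 ** n):
        candidate = k.to_bytes(n, "big")
        part2 = bytes(a ^ b for a, b in zip(candidate, part1))
        possible.add(reconstruct_key(part1, part2))
    return len(possible)


class EscrowAgent:
    """One of the two independent escrow data banks (assumed model)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.vault: Dict[str, bytes] = {}

    def deposit(self, device_id: str, part: bytes) -> None:
        # Done once, at manufacture time, per the announcement.
        self.vault[device_id] = part

    def release(self, device_id: str, authorization: dict) -> bytes:
        # Each agent checks the wiretap authorization on its own; a request
        # naming a different device, or carrying no court order, is refused.
        if authorization.get("device_id") != device_id or not authorization.get("court_order"):
            raise PermissionError(f"{self.name}: no valid authorization for {device_id}")
        return self.vault[device_id]


def manufacture(device_id: str, key: bytes, agent_a: EscrowAgent, agent_b: EscrowAgent,
                random_part: Optional[bytes] = None) -> None:
    """Split the device key and deposit one part with each agent."""
    part1, part2 = split_key(key, random_part)
    agent_a.deposit(device_id, part1)
    agent_b.deposit(device_id, part2)


def lawful_recovery(device_id: str, authorization: dict,
                    agent_a: EscrowAgent, agent_b: EscrowAgent) -> Optional[bytes]:
    """Present the authorization to both agents; return the key, or None if
    either agent refuses (one part alone is of no use to the requester)."""
    try:
        part1 = agent_a.release(device_id, authorization)
        part2 = agent_b.release(device_id, authorization)
    except PermissionError:
        return None
    return reconstruct_key(part1, part2)


if __name__ == "__main__":
    a, b = EscrowAgent("escrow bank A"), EscrowAgent("escrow bank B")
    key = secrets.token_bytes(10)               # constructed device key
    manufacture("DEV-0001", key, a, b)          # constructed device id
    print("bank A holds:", a.vault["DEV-0001"].hex())
    print("bank B holds:", b.vault["DEV-0001"].hex())
    print("keys still possible from one 1-byte part:",
          consistent_keys_for_single_part(a.vault["DEV-0001"][:1]))
    order = {"device_id": "DEV-0001", "court_order": "CONSTRUCTED-ORDER-1"}
    print("recovered == key:", lawful_recovery("DEV-0001", order, a, b) == key)
    print("without order:", lawful_recovery("DEV-0001", {"device_id": "DEV-0001"}, a, b))
```

The XOR split is the simplest two-of-two secret sharing: it gives the property
the statement relies on (one data bank compromised reveals nothing), but it also
shows the limit of the design, since whoever can present an accepted
authorization to both agents recovers the key outright.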

 
     

Newsgroup: sci.crypt
document_id: 15184
Subject: Re: Keeping Your Mouth Shut (was: Hard drive security)
From: vkub@charlie.usd.edu (Vince Kub)

In article <1993Apr13.143712.15338@cadkey.com>, eric@cadkey.com (Eric Holtman) writes:
>In article <Apr13.011855.69422@yuma.ACNS.ColoState.EDU> holland@CS.ColoState.EDU (douglas craig holland) writes:
>>
>>I'm not a lawyer, so correct me if I'm wrong, but doing that could be
>>considered obstruction of justice, which could land you in prison for
>>quite a while.
>>
>>The thing that's great about the secret key is it is IDEA encrypted, so
>>even if the FBI do get the key, they're SOL unless they know the magic
>>word.  If they try to force you to give them your pass phrase, just say
>>"Oops, I forgot."  Since the burden of proof is still on the prosecution
>>in this country, if you keep your mouth shut, how can they prove that you
>>didn't forget your pass phrase.
>>
>
>Well, I'm no lawyer, but I'll supply some anecdotal evidence which may
>change your mind.  ** Note ** I do not agree AT ALL with what went on in
>this case, and neither will most of you.  THAT DOESN'T CHANGE THE FACT 
>THAT IT *DID* HAPPEN.  Right here in America even.....
>
>About three or four years ago, there was a rather nasty custody case in
>or around Washington D.C.  The upshot was, an ex-husband was suing for 
>visitation rights, which were granted.  The woman believed that the man
>had been sexually molesting her children.  (much like Allen/Farrow, but
>not as famous).  Anyhows, she spirits away the kids and refuses to tell the
>court where they are, and denies him visitation rights.
>
>She "keeps her mouth shut", and what happens?  She SITS IN JAIL for almost
>a year, on CONTEMPT OF COURT, until the legislature passes a special law
>limiting the time a person can be held.  If they hadn't passed the law, she'd
>most likely still be there.  The kids were in New Zealand, I believe.
>
>Now (story finished, commentary starting)....  IMHO, the only reason the
>legislature moved was because there was an outpouring of public sympathy
>for this woman...  most people believed she was right, and were outraged.
>Not likely to happen for Joe Random Drug Dealer, Child Molester or perfectly
>innocent privacy lover, who might have something
>to hide.  Innocent until proven guilty doesn't mean you get to walk out
>of court humming a happy tune because the FBI can't read your disk.  Just
>ask those held for contempt, those who can't make bail, etc, etc.
>
>Again.... I disagree totally with the concept of holding someone based
>on suspicion, but people who keep thinking that it won't happen are bound
>to get a rude shock when it does......
>-- 

 Also not a lawyer, etc. but if I remember correctly the Contempt of Court
business is used in order to compel cooperation with what is (perhaps
questionably, different issue) the legitimate business of that court. Quite
literally the party is found guilty of holding the court "in contempt". Now,
the original scheme as suggested here would be to have the key disappear if
certain threatening conditions are met. Once the key is gone there is no
question of Contempt of Court as there is nothing to compel; the key is no
longer there to be produced.

  Obstruction of justice would be a different issue but if the suspect in
question would have some legitimate reason to protect his data from prying eyes
(however extenuated) I think that this charge would be a hard nut to make. 

  Perhaps it is time for a lawyer to step in and clear this all up?


             -=*=-    -=*=-     -=*=-     -=*=-    -=*=-
                                 
Vincent A. Kub, WD0DBX            |  "Saints should always be judged
                                  |   guilty until they are proven
    vkub@charlie.usd.edu          |   innocent." -Geo. Orwell
                                  |
     14 W.Cherry St. #2           |  "It is good to die before one has
  Vermillion, S.Dakota 57069      |   done anything deserving of death."
phone or fax to (605) 624-8680    |       - Anaxandirdes
                                  |            King of Sparta
  -------------------------------------------------------------------

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.2

mQBNAiudo1MAAAECAKRkUUWW+Tqsoa1nD+GaSbpXcDhSrHpMEBPjKlyiKuIjzaT6
auO/hnqW/652YicVaJlXspb5D2giMc09TG2sGY0ABRG0CVZpbmNlIEt1Yg==
=IuUb
-----END PGP PUBLIC KEY BLOCK-----


Newsgroup: sci.crypt
document_id: 15185
From: hooper@ccs.QueensU.CA (Andy Hooper)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

Isn't Clipper a trademark of Fairchild Semiconductor?

Andy Hooper

Newsgroup: sci.crypt
document_id: 15186
From: tcmay@netcom.com (Timothy C. May)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption


Well, it now seems obvious what Professor Denning was doing last fall
when this key escrow trial balloon was raised!

All the more need for end-to-end encryption schemes that bypass the
government-approved system.

By the way, the "Clipper" name...isn't this already used for the
Clipper processor from Intergraph? I doubt they're the ones making the
chip, so a name conflict may be present.

-Tim May

-- 
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,  
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets, 
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^756839 | Public Key: PGP and MailSafe available.


Newsgroup: sci.crypt
document_id: 15187
From: jad@nsa.hp.com (John Dilley)
Subject: compress | crypt foo | des -e -k foo


	I have a bunch of questions about the encryption scheme
referenced in the Subject of this message.  What is the relative data
privacy provided by the above sequence as compared with straight DES?
Does the addition of compression then encrypting make the cyphertext
significantly harder to crack using current methods than straight DES?
Would running crypt after DES provide greater data privacy?  Is it
important to remove the (constant) compress header before encryption?
Thank you, net, for your wisdom.

			 --       jad       --
		    John A. Dilley <jad@nsa.hp.com>

Newsgroup: sci.crypt
document_id: 15188
From: jim@rand.org (Jim Gillogly)
Subject: Clipper Chip and crypto key-escrow

This document is in the anonymous ftp directory at NIST.  Looks to me
like the other shoe has dropped.

	Jim Gillogly
	Trewesday, 25 Astron S.R. 1993, 17:00

-- 
	Jim Gillogly
	Trewesday, 25 Astron S.R. 1993, 17:01

Newsgroup: sci.crypt
document_id: 15189
From: jim@rand.org (Jim Gillogly)
Subject: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

May as well look at one piece of this at a time.  This paragraph:

>To demonstrate the effectiveness of this new technology, the
>Attorney General will soon purchase several thousand of the new
>devices.  In addition, respected experts from outside the
>government will be offered access to the confidential details of
>the algorithm to assess its capabilities and publicly report
>their findings.

means they aren't planning to make it public, as was done with DES.  As it
says in both sci.crypt FAQs, there's no way we are going to achieve the
same level of comfort with Clipper that we finally have with DES if we
can't actually get our hands on the bits and watch them flow around.  Even
the best experts aren't going to think of everything: look how long it
took Biham and Shamir to get a handle on just how good DES is... and for
all we know there's still more to learn.
-- 
	Jim Gillogly
	Trewesday, 25 Astron S.R. 1993, 17:10

Newsgroup: sci.crypt
document_id: 15190
From: ptrei@bistromath.mitre.org (Peter Trei)
Subject: Re: Fifth Amendment and Passwords

In article <C5Jzsz.Jzo@cs.uiuc.edu> kadie@cs.uiuc.edu (Carl M Kadie) writes:
>ashall@magnus.acs.ohio-state.edu (Andrew S Hall) writes:
>
>>I am postive someone will correct me if I am wrong, but doesn't the Fifth
>>also cover not being forced to do actions that are self-incriminating?
>[From Mike Godwin <mnemonic@eff.org>, posted with permission - Carl]

>No, but they could compel you to produce the key to a safe where, as it
>happens, evidence that will convict you is stored. 
>
>The crypto-key disclosure issue hasn't come up yet, but current law
>suggests that it's a loser for the defendant--he'll be compelled to turn
>over the key.
>
>The test for compelled self-incrimination is whether the material to 
>be disclosed *in itself* tends to inculpate the discloser. In the example
>I gave above, the safe key itself has no testimonial value--ergo, it can
>be disclosed under compulsion (e.g., subpoena duces tecum).

>Moreover, the government can always immunize the disclosure of a crypto
>key--compelling you to disclose the key at the price of not using the fact
>of your disclosure as evidence in the case against you. Of course, they
>can use whatever they discover as a result of this disclosure against
>you.
>--Mike

    Let's carry this one step further. Suppose the text of the key is
in itself conclusive evidence of the SAME CRIME for which the
encrypted material is further evidence. I find myself envisaging a
scenario like this:

You have made some scans of Peanuts strips. You encrypt them. The key
is a phrase.

The Comic Police haul you in. They seize your system. They find the
encrypted file.

CP:    "What's that file?"

You:   "I take the fifth."

CP:    "What's the keyphrase to that file?" 

You:   "I take the fifth."

Judge: "You have to reveal the keyphrase" [I disagree, but I'm not a judge.]

You:   "Your Honor, revealing the keyphrase, in its own right, would 
	tend to incriminate me of breaking laws, independent of what 
	may or may not be in the encrypted file."  

Judge: "I grant you immunity from whatever may be learned from the key
	itself"

You:    "The keyphrase is: "I confess to deliberately evading copyright; 
	the file encoded with this keyphrase contains illegal scans of 
        copyrighted Peanuts strips.""

Judge and CP: "Oh."

     How will they get you now? I'm not saying that they won't, or
can't (or even that they shouldn't :-), but what legal mechanism will
they use? Should we be crossposting this to misc.legal?

							Peter Trei
							ptrei@mitre.org


Newsgroup: sci.crypt
document_id: 15191
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

clipper@csrc.ncsl.nist.gov (Clipper Chip Announcement) writes:

> The President today announced a new initiative that will bring
> the Federal Government together with industry in a voluntary
> program to improve the security and privacy of telephone
> communications while meeting the legitimate needs of law
> enforcement.

A nice formulation for the introduction of the first encryption
devices with built-in trapdoors - just like the Feds wanted...

> For too long there has been little or no dialogue between our
> private sector and the law enforcement community to resolve the
> tension between economic vitality and the real challenges of
> protecting Americans.  Rather than use technology to accommodate
> the sometimes competing interests of economic growth, privacy and
> law enforcement, previous policies have pitted government against
> industry and the rights of privacy against law enforcement.

Bla-bla.

> protect electronic mail and computer files.  While encryption
> technology can help Americans protect business secrets and the
> unauthorized release of personal information, it also can be used
> by terrorists, drug dealers, and other criminals.

Indeed, and the current proposal does nothing to prevent the latter.

> an ordinary telephone.  It scrambles telephone communications
> using an encryption algorithm that is more powerful than many in
> commercial use today.

This doesn't say much. There are many incredibly weak encryption
algorithms in commercial use today...

> This new technology will help companies protect proprietary
> information, protect the privacy of personal phone conversations
> and prevent unauthorized release of data transmitted
> electronically.

Except from the government.

>  At the same time this technology preserves the
> ability of federal, state and local law enforcement agencies to
> intercept lawfully the phone conversations of criminals. 

Nope. The criminals won't be stupid enough to use the new chip,
they'll use something secure. This technology provides only means to
intercept the phone conversations of people who are stupid enough to
use it.

> agencies to decode messages encoded by the device.  When the
> device is manufactured, the two keys will be deposited separately
> in two "key-escrow" data bases that will be established by the
> Attorney General.  Access to these keys will be limited to
> government officials with legal authorization to conduct a
> wiretap.

That is, the government has the keys. It doesn't matter much if they
are in one or in two of its hands...

> The "Clipper Chip" technology provides law enforcement with no
> new authorities to access the content of the private
> conversations of Americans.

Correct. It does, however, provide those Americans with the false
sense of privacy.

> devices.  In addition, respected experts from outside the
> government will be offered access to the confidential details of
> the algorithm to assess its capabilities and publicly report
> their findings.

If the screening is not public, it cannot be trusted. Some people do
not trust DES even today, after all the examinations - only because
some parts of its design were kept secret.

> The chip is an important step in addressing the problem of
> encryption's dual-edge sword:  encryption helps to protect the
> privacy of individuals and industry, but it also can shield
> criminals and terrorists.  We need the "Clipper Chip" and other
> approaches that can both provide law-abiding citizens with access
> to the encryption they need and prevent criminals from using it
> to hide their illegal activities.  In order to assess technology

So they'll use a different technology to hide their illegal
activities. So will those law-abiding citizens, who do not trust their
government not to misuse its abilities to decrypt their conversations.

>      --   the privacy of our citizens, including the need to
>           employ voice or data encryption for business purposes;

Except from the government.

>      --   the need of U.S. companies to manufacture and export
>           high technology products.

Huh? Later it says that the new technology will be export restricted.

> Since encryption technology will play an increasingly important
> role in that infrastructure, the Federal Government must act
> quickly to develop consistent, comprehensive policies regarding
> its use.  The Administration is committed to policies that
> protect all Americans' right to privacy while also protecting
> them from those who break the law.

In short, the new technology can:

1) Protect the law abiding citizen's privacy from the casual snooper.

It cannot:

1) Protect him from the government, if it decides to misuse its
ability to decrypt the conversations.

2) Protect him from criminals who succeed in breaking the new
encryption scheme, stealing the keys, bribing the people who
handle them, etc.

3) Prevent the criminals from using secure encryption for
communication.

> Q:   Does this approach expand the authority of government
>      agencies to listen in on phone conversations?

> A:   No.  "Clipper Chip" technology provides law enforcement with
>      no new authorities to access the content of the private
>      conversations of Americans.

Correct. However, it does not provide them as much privacy as it
claims.

> Q:   Who will run the key-escrow data banks?

> A:   The two key-escrow data banks will be run by two independent
>      entities.  At this point, the Department of Justice and the
>      Administration have yet to determine which agencies will
>      oversee the key-escrow data banks.

Two candidates: the NSA and the Mafia.

> Q:   How strong is the security in the device?  How can I be sure
>      how strong the security is?  

> A:   This system is more secure than many other voice encryption
>      systems readily available today. 

That is, "trust us".

> While the algorithm will
>      remain classified to protect the security of the key escrow

"Security through obscurity".

>      system, we are willing to invite an independent panel of
>      cryptography experts to evaluate the algorithm to assure all
>      potential users that there are no unrecognized
>      vulnerabilities.

If it's not entirely open to public examination, it cannot be
trusted. Besides, who can prove that the devices used for examination
and the ones built into your phones will be the same?

> Q:   Whose decision was it to propose this product?

> A:   The National Security Council, the Justice Department, the

The NSA and the FBI?

> Q:   Who was consulted?  The Congress?  Industry?

> A:   We have on-going discussions with Congress and industry on
>      encryption issues, and expect those discussions to intensify
>      as we carry out our review of encryption policy.  We have
>      briefed members of Congress and industry leaders on the
>      decisions related to this initiative.

Why did they "forget" the Academia?

> Q:   Will the government provide the hardware to manufacturers?

> A:   The government designed and developed the key access
>      encryption microcircuits, but it is not providing the
>      microcircuits to product manufacturers.  Product
>      manufacturers can acquire the microcircuits from the chip
>      manufacturer that produces them.

Doesn't this smell of monopolism?

> Q:   Who provides the "Clipper Chip"?

> A:   Mykotronx programs it at their facility in Torrance,
>      California, and will sell the chip to encryption device
>      manufacturers.  The programming function could be licensed
>      to other vendors in the future.

Like the Mafia?

> Q:   If the Administration were unable to find a technological
>      solution like the one proposed, would the Administration be
>      willing to use legal remedies to restrict access to more
>      powerful encryption devices?

This is the main question, why was it buried at the end?

> A:   This is a fundamental policy question which will be
>      considered during the broad policy review.  The key escrow

"We'll see".

>      mechanism will provide Americans with an encryption product
>      that is more secure, more convenient, and less expensive
>      than others readily available today, but it is just one

"Trust us".

>      The Administration is not saying, "since encryption
>      threatens the public safety and effective law enforcement,
>      we will prohibit it outright" (as some countries have

In short, "If we decide to outlaw strong crypto, we'll tell you".

>      effectively done); nor is the U.S. saying that "every
>      American, as a matter of right, is entitled to an
>      unbreakable commercial encryption product."  There is a

Since the US government seems to consider strong crypto as munitions
and since the US constitution guarantees the right to every American
to bear arms, why is not every American entitled, as a matter of
right, to an unbreakable commercial encryption product?

> A:   It indicates that we understand the importance of encryption
>      technology in telecommunications and computing and are
>      committed to working with industry and public-interest
>      groups to find innovative ways to protect Americans'
>      privacy, help businesses to compete, and ensure that law
>      enforcement agencies have the tools they need to fight crime
>      and terrorism.

Bullshit. The proposed technology provides a false sense of security,
encryption devices with built-in capabilities for breaking the
encryption, does not prevent criminals from using strong crypto, and
is a step toward outlawing strong crypto.

> Q:   Will the devices be exportable?  Will other devices that use
>      the government hardware?

> A:   Voice encryption devices are subject to export control
>      requirements.  Case-by-case review for each export is
>      required to ensure appropriate use of these devices.  The

Who was the optimist who believed that the new administration would
leave the export controls on strong crypto devices?

OK, I'm not American, it's not my business, but I just couldn't resist
commenting... The whole plot looks so totalitarian... It's up to
you, Americans, to fight for your rights.

Regards,
Vesselin

P.S. Now is the time for David Sternlight to pop up and claim that the
new system is great.
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

Newsgroup: sci.crypt
document_id: 15192
From: hal@cco.caltech.edu (Hal Finney)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

The key question is whether non-Clipper encryption will be made illegal.

>     The Administration is not saying, "since encryption
>     threatens the public safety and effective law enforcement,
>     we will prohibit it outright" (as some countries have
>     effectively done); nor is the U.S. saying that "every
>     American, as a matter of right, is entitled to an
>     unbreakable commercial encryption product."  There is a
>     false "tension" created in the assessment that this issue is
>     an "either-or" proposition.  Rather, both concerns can be,
>     and in fact are, harmoniously balanced through a reasoned,
>     balanced approach such as is proposed with the "Clipper
>     Chip" and similar encryption techniques.

The clear middle ground implied by these statements is to say that Americans
have the right to Clipper encryption, but not to unbreakable encryption.
This implies that, ultimately, non-Clipper strong encryption must become
illegal.

(As an aside, isn't the language here jarring?  All this talk about
"harmonious balance" when they're talking about taking away people's
right to communications privacy?)

Although the article emphasizes voice communication, data and mail encryption
is mentioned as well:

>Sophisticated encryption technology has been used for years to
>protect electronic funds transfer.  It is now being used to
>protect electronic mail and computer files.

>     --   the privacy of our citizens, including the need to
>          employ voice or data encryption for business purposes;

It looks like the worst nightmares raised by Dorothy Denning's proposals
are coming true.  If the government continues on this course, I imagine
that we will see strong cryptography made illegal.  Encryption programs
for disk files and email, as well as software to allow for encrypted
voice communications, will be distributed only through the
"underground".  People will have to learn how to hide the fact that
they are protecting their privacy.

It's shocking and frightening to see that this is actually happening here.

Hal Finney
hal@alumni.caltech.edu

Newsgroup: sci.crypt
document_id: 15193
From: karn@servo.qualcomm.com (Phil Karn)
Subject: The battle is joined

It looks like Dorothy Denning's wrong-headed ideas have gotten to the
Administration even sooner than we feared. It's time to make sure they
hear the other side of the story, and hear it loudly!

Phil



------- Forwarded Message

Subject: text of White House announcement and Q&As on clipper chip encryption

Note:  This file will also be available via anonymous file
transfer from csrc.ncsl.nist.gov in directory /pub/nistnews and
via the NIST Computer Security BBS at 301-948-5717.
     ---------------------------------------------------

                         THE WHITE HOUSE

                  Office of the Press Secretary

_________________________________________________________________

For Immediate Release                           April 16, 1993


                STATEMENT BY THE PRESS SECRETARY


The President today announced a new initiative that will bring
the Federal Government together with industry in a voluntary
program to improve the security and privacy of telephone
communications while meeting the legitimate needs of law
enforcement.

The initiative will involve the creation of new products to
accelerate the development and use of advanced and secure
telecommunications networks and wireless communications links.

For too long there has been little or no dialogue between our
private sector and the law enforcement community to resolve the
tension between economic vitality and the real challenges of
protecting Americans.  Rather than use technology to accommodate
the sometimes competing interests of economic growth, privacy and
law enforcement, previous policies have pitted government against
industry and the rights of privacy against law enforcement.

Sophisticated encryption technology has been used for years to
protect electronic funds transfer.  It is now being used to
protect electronic mail and computer files.  While encryption
technology can help Americans protect business secrets and the
unauthorized release of personal information, it also can be used
by terrorists, drug dealers, and other criminals.

A state-of-the-art microcircuit called the "Clipper Chip" has
been developed by government engineers.  The chip represents a
new approach to encryption technology.  It can be used in new,
relatively inexpensive encryption devices that can be attached to
an ordinary telephone.  It scrambles telephone communications
using an encryption algorithm that is more powerful than many in
commercial use today.

This new technology will help companies protect proprietary
information, protect the privacy of personal phone conversations
and prevent unauthorized release of data transmitted
electronically.  At the same time this technology preserves the
ability of federal, state and local law enforcement agencies to
intercept lawfully the phone conversations of criminals. 

A "key-escrow" system will be established to ensure that the
"Clipper Chip" is used to protect the privacy of law-abiding
Americans.  Each device containing the chip will have two unique
"keys," numbers that will be needed by authorized government
agencies to decode messages encoded by the device.  When the
device is manufactured, the two keys will be deposited separately
in two "key-escrow" data bases that will be established by the
Attorney General.  Access to these keys will be limited to
government officials with legal authorization to conduct a
wiretap.

The "Clipper Chip" technology provides law enforcement with no
new authorities to access the content of the private
conversations of Americans.

To demonstrate the effectiveness of this new technology, the
Attorney General will soon purchase several thousand of the new
devices.  In addition, respected experts from outside the
government will be offered access to the confidential details of
the algorithm to assess its capabilities and publicly report
their findings.

The chip is an important step in addressing the problem of
encryption's dual-edge sword:  encryption helps to protect the
privacy of individuals and industry, but it also can shield
criminals and terrorists.  We need the "Clipper Chip" and other
approaches that can both provide law-abiding citizens with access
to the encryption they need and prevent criminals from using it
to hide their illegal activities.  In order to assess technology
trends and explore new approaches (like the key-escrow system),
the President has directed government agencies to develop a
comprehensive policy on encryption that accommodates:

     --   the privacy of our citizens, including the need to
          employ voice or data encryption for business purposes;

     --   the ability of authorized officials to access telephone
          calls and data, under proper court or other legal
          order, when necessary to protect our citizens;

     --   the effective and timely use of the most modern
          technology to build the National Information
          Infrastructure needed to promote economic growth and
          the competitiveness of American industry in the global
          marketplace; and 

     --   the need of U.S. companies to manufacture and export
          high technology products.

The President has directed early and frequent consultations with
affected industries, the Congress and groups that advocate the
privacy rights of individuals as policy options are developed.

The Administration is committed to working with the private
sector to spur the development of a National Information
Infrastructure which will use new telecommunications and computer
technologies to give Americans unprecedented access to
information.  This infrastructure of high-speed networks
("information superhighways") will transmit video, images, HDTV
programming, and huge data files as easily as today's telephone
system transmits voice.

Since encryption technology will play an increasingly important
role in that infrastructure, the Federal Government must act
quickly to develop consistent, comprehensive policies regarding
its use.  The Administration is committed to policies that
protect all Americans' right to privacy while also protecting
them from those who break the law.

Further information is provided in an accompanying fact sheet. 
The provisions of the President's directive to acquire the new
encryption technology are also available.  

For additional details, call Mat Heyman, National Institute of
Standards and Technology, (301) 975-2758.

---------------------------------


QUESTIONS AND ANSWERS ABOUT THE CLINTON ADMINISTRATION'S
TELECOMMUNICATIONS INITIATIVE




Q:   Does this approach expand the authority of government
     agencies to listen in on phone conversations?

A:   No.  "Clipper Chip" technology provides law enforcement with
     no new authorities to access the content of the private
     conversations of Americans.

Q:   Suppose a law enforcement agency is conducting a wiretap on
     a drug smuggling ring and intercepts a conversation
     encrypted using the device.  What would they have to do to
     decipher the message?

A:   They would have to obtain legal authorization, normally a
     court order, to do the wiretap in the first place.  They
     would then present documentation of this authorization to
     the two entities responsible for safeguarding the keys and
     obtain the keys for the device being used by the drug
     smugglers.  The key is split into two parts, which are
     stored separately in order to ensure the security of the key
     escrow system.

Q:   Who will run the key-escrow data banks?

A:   The two key-escrow data banks will be run by two independent
     entities.  At this point, the Department of Justice and the
     Administration have yet to determine which agencies will
     oversee the key-escrow data banks.

Q:   How strong is the security in the device?  How can I be sure
     how strong the security is?  

A:   This system is more secure than many other voice encryption
     systems readily available today.  While the algorithm will
     remain classified to protect the security of the key escrow
     system, we are willing to invite an independent panel of
     cryptography experts to evaluate the algorithm to assure all
     potential users that there are no unrecognized
     vulnerabilities.

Q:   Whose decision was it to propose this product?

A:   The National Security Council, the Justice Department, the
     Commerce Department, and other key agencies were involved in
     this decision.  This approach has been endorsed by the
     President, the Vice President, and appropriate Cabinet
     officials.

Q:   Who was consulted?  The Congress?  Industry?

A:   We have on-going discussions with Congress and industry on
     encryption issues, and expect those discussions to intensify
     as we carry out our review of encryption policy.  We have
     briefed members of Congress and industry leaders on the
     decisions related to this initiative.

Q:   Will the government provide the hardware to manufacturers?

A:   The government designed and developed the key access
     encryption microcircuits, but it is not providing the
     microcircuits to product manufacturers.  Product
     manufacturers can acquire the microcircuits from the chip
     manufacturer that produces them.

Q:   Who provides the "Clipper Chip"?

A:   Mykotronx programs it at their facility in Torrance,
     California, and will sell the chip to encryption device
     manufacturers.  The programming function could be licensed
     to other vendors in the future.

Q:   How do I buy one of these encryption devices? 

A:   We expect several manufacturers to consider incorporating
     the "Clipper Chip" into their devices.
     
Q:   If the Administration were unable to find a technological
     solution like the one proposed, would the Administration be
     willing to use legal remedies to restrict access to more
     powerful encryption devices?

A:   This is a fundamental policy question which will be
     considered during the broad policy review.  The key escrow
     mechanism will provide Americans with an encryption product
     that is more secure, more convenient, and less expensive
     than others readily available today, but it is just one
     piece of what must be the comprehensive approach to
     encryption technology, which the Administration is
     developing.

     The Administration is not saying, "since encryption
     threatens the public safety and effective law enforcement,
     we will prohibit it outright" (as some countries have
     effectively done); nor is the U.S. saying that "every
     American, as a matter of right, is entitled to an
     unbreakable commercial encryption product."  There is a
     false "tension" created in the assessment that this issue is
     an "either-or" proposition.  Rather, both concerns can be,
     and in fact are, harmoniously balanced through a reasoned,
     balanced approach such as is proposed with the "Clipper
     Chip" and similar encryption techniques.

Q:   What does this decision indicate about how the Clinton
     Administration's policy toward encryption will differ from
     that of the Bush Administration?  

A:   It indicates that we understand the importance of encryption
     technology in telecommunications and computing and are
     committed to working with industry and public-interest
     groups to find innovative ways to protect Americans'
     privacy, help businesses to compete, and ensure that law
     enforcement agencies have the tools they need to fight crime
     and terrorism.

Q:   Will the devices be exportable?  Will other devices that use
     the government hardware?

A:   Voice encryption devices are subject to export control
     requirements.  Case-by-case review for each export is
     required to ensure appropriate use of these devices.  The
     same is true for other encryption devices.  One of the
     attractions of this technology is the protection it can give
     to U.S. companies operating at home and abroad.  With this
     in mind, we expect export licenses will be granted on a
     case-by-case basis for U.S. companies seeking to use these
     devices to secure their own communications abroad.  We plan
     to review the possibility of permitting wider exportability
     of these products.

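The retrieval procedure in the Q&A above (a court order, then each of the
two escrow entities hands over its part of the device key) leaves open what
"split into two parts" actually means, and the EFF analysis further down
reads it as each agent holding 40 of the 80 bits. The following Python is
an added illustration, not code from any of the posts and not the Clipper
design itself: it compares that literal 40/40 split with a 2-of-2 XOR
secret sharing, using a keyed hash as a stand-in for the classified cipher
and a constructed 16-bit key so that both brute-force searches finish in a
moment. With a bit-wise half, one escrow agent (or anyone who copies its
database) only has the other half left to search; with an XOR share, one
agent's data is statistically independent of the key and the search is the
full keyspace.

```python
"""Two ways of splitting an escrowed key between two agents, and how much
a single compromised agent learns in each case.  Added illustration, not
code from any of the posts above.  The cipher is a keyed-hash stand-in for
the classified algorithm, and the keys are constructed for the example."""
import hashlib
import secrets
from typing import Iterable, Iterator, Tuple


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for the classified cipher: keyed hash, truncated to 8 bytes."""
    return hashlib.sha256(key + plaintext).digest()[:8]


# --- Split 1: each agent holds half of the key bits (the 40/40 reading) ---
def split_halves(key: bytes) -> Tuple[bytes, bytes]:
    half = len(key) // 2
    return key[:half], key[half:]


def join_halves(share_a: bytes, share_b: bytes) -> bytes:
    return share_a + share_b


# --- Split 2: 2-of-2 XOR sharing, each agent holds a full-length share ---
def split_xor(key: bytes) -> Tuple[bytes, bytes]:
    share_a = secrets.token_bytes(len(key))           # uniformly random
    share_b = bytes(k ^ a for k, a in zip(key, share_a))
    return share_a, share_b


def join_xor(share_a: bytes, share_b: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(share_a, share_b))


# --- What one agent (or whoever steals its database) can do alone ---
def candidates_given_half(share_a: bytes, key_len: int) -> Iterator[bytes]:
    """Keys consistent with knowing the first half: only the rest varies."""
    missing = key_len - len(share_a)
    for n in range(256 ** missing):
        yield share_a + n.to_bytes(missing, "big")


def candidates_given_xor_share(_share_a: bytes, key_len: int) -> Iterator[bytes]:
    """An XOR share is independent of the key: every key remains possible,
    so the share is ignored and the whole keyspace is enumerated."""
    for n in range(256 ** key_len):
        yield n.to_bytes(key_len, "big")


def crack(candidates: Iterable[bytes], plaintext: bytes,
          ciphertext: bytes) -> Tuple[bytes, int]:
    """Known-plaintext brute force over the candidates; returns (key, tries)."""
    tries = 0
    for k in candidates:
        tries += 1
        if toy_encrypt(k, plaintext) == ciphertext:
            return k, tries
    raise ValueError("key not in candidate set")


def demo(key: bytes = bytes.fromhex("beef")) -> dict:
    """Constructed 16-bit key so both searches finish; for an 80-bit key the
    same attacker faces 2^40 candidates in scheme 1 and 2^80 in scheme 2."""
    pt = b"hello"
    ct = toy_encrypt(key, pt)
    a1, b1 = split_halves(key)
    a2, b2 = split_xor(key)
    assert join_halves(a1, b1) == key and join_xor(a2, b2) == key
    k1, t1 = crack(candidates_given_half(a1, len(key)), pt, ct)
    k2, t2 = crack(candidates_given_xor_share(a2, len(key)), pt, ct)
    return {"halves": (k1 == key, t1), "xor": (k2 == key, t2)}


if __name__ == "__main__":
    print(demo())
```

For the constructed key 0xbeef, the agent holding the first half finds the
key after 240 trials (it only has to walk the second byte), while the agent
holding an XOR share needs 48,880 trials, i.e. a walk through the keyspace
that the share did nothing to shorten. Scaled to the 80-bit key the ratio is
the same, 2^40 against 2^80, so how the key is split matters as much as
how many agents hold the pieces.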
Newsgroup: sci.crypt
document_id: 15194
From: grady@netcom.com (1016/2EF221)
Subject: Re: MacPGP 2.2 Source Problems

Yes -- my error -- you will need the DIFF between the
standard console.h and console.c supplied with
Symantec's THINK C 5.0.4 and the specially modified
one that works with MacPGP 2.2.

I added the two DIFFs to the end of the signature
file "MacPGP2.2srcSIGNATURE" in pub/grady of netcom.com

Please download via anonymous FTP and, using SED (oops),
cutting and pasting, fix-em-up.        

Will one of you Mac-geniuses PLEASE port this to MacApp
or AppMaker, or...?

Grady

-- 
grady@netcom.com  2EF221 / 15 E2 AD D3 D1 C6 F3 FC  58 AC F7 3D 4F 01 1E 2F


Newsgroup: sci.crypt
document_id: 15195
From: Danny Weitzner <djw@eff.org>
Subject: Re-inventing Crypto Policy?  An EFF Statement





April 16, 1993

INITIAL EFF ANALYSIS OF CLINTON PRIVACY AND SECURITY PROPOSAL

The Clinton Administration today made a major announcement on
cryptography policy which will affect the privacy and security of
millions of Americans.  The first part of the plan is to begin a
comprehensive inquiry into major communications privacy issues such as
export controls which have effectively denied most people easy access to
robust encryption, and law enforcement issues posed by new technology.

However, EFF is very concerned that the Administration has already
reached a conclusion on one critical part of the inquiry, before any
public comment or discussion has been allowed.  Apparently, the
Administration is going to use its leverage to get all telephone
equipment vendors to adopt a voice encryption standard developed by the
National Security Agency.  The so-called "Clipper Chip" is an 80-bit,
split key escrowed encryption scheme which will be built into chips
manufactured by a military contractor.  Two separate escrow agents would
store users' keys, and be required to turn them over to law enforcement upon
presentation of a valid warrant.  The encryption scheme used is to be
classified, but the chips will be available to any manufacturer for
incorporation into its communications products.

     This proposal raises a number of serious concerns.

First, the Administration has adopted a solution before conducting an
inquiry.  The NSA-developed Clipper Chip may not be the most secure
product. Other vendors or developers may have better schemes.
Furthermore, we should not rely on the government as the sole source for
the Clipper or any other chips.  Rather, independent chip manufacturers
should be able to produce chipsets based on open standards.

Second, an algorithm cannot be trusted unless it can be tested. Yet, the
Administration proposes to keep the chip algorithm classified.  EFF
believes that any standard adopted ought to be public and open.  The
public will only have confidence in the security of a standard that is
open to independent, expert scrutiny.  

Third, while the use of a split-key, dual escrowed system may
prove to be a reasonable balance between privacy and law enforcement
needs, the details of this scheme must be explored publicly before it is
adopted.  What will give people confidence in the safety of their keys? 
Does disclosure of keys to a third party waive an individual's Fifth
Amendment rights in subsequent criminal inquiries?  These are but a few
of the many questions the Administration's proposal raises but fails to
answer.

In sum, the Administration has shown great sensitivity to the importance
of these issues by planning a comprehensive inquiry into digital privacy
and security.  However, the "Clipper Chip" solution ought to be
considered as part of the inquiry, and not be adopted before the
discussion even begins.

DETAILS OF THE PROPOSAL:

ESCROW

The 80-bit key will be divided between two escrow agents, each of whom
hold 40-bits of each key.  The manufacturer of the communications device
would be required to register all keys with the two independent escrow
agents.  A key is tied to the device, however, not the person using it.

Upon presentation of a valid court order, the two escrow agents would
have to turn the key parts over to law enforcement agents.  According to
the Presidential Directive just issued, the Attorney General will be
asked to identify appropriate escrow agents.  Some in the Administration
have suggested that one non-law enforcement federal agency (perhaps the
Federal Reserve), and one non-governmental organization could be chosen,
but there is no agreement on the identity of the agents yet.

CLASSIFIED ALGORITHM AND THE POSSIBILITY OF BACK DOORS

The Administration claims that there are no back doors -- means by which
the government or others could break the code without securing keys from
the escrow agents -- and that the President will be told there are no
back doors to this classified algorithm.  In order to prove this,
Administration sources are interested in arranging for an all-star crypto
cracker team to come in, under a security arrangement, and examine the
algorithm for trap doors.  The results of the investigation would then be
made public.

The Clipper Chipset was designed and is being produced under a sole-source,
secret contract between the National Security Agency and two private
firms:  VLSI and Mycotronx.  NSA work on this plan has been underway for
about four years.  The manufacturing contract was let 14 months ago.

GOVERNMENT AS MARKET DRIVER

In order to get a market moving, and to show that the government believes
in the security of this system, the feds will be the first big customers
for this product.  Users will include the FBI, Secret Service, VP Al
Gore, and maybe even the President.  At today's Commerce Department press
briefing, a number of people asked this question, though:  why would any
private organization or individual adopt a classified standard that had
no independent guaranty of security or freedom from trap doors?

COMPREHENSIVE POLICY INQUIRY

The Administration has also announced that it is about to commence an
inquiry into all policy issues related to privacy protection, encryption,
and law enforcement.  The items to be considered include:  export
controls on encryption technology and the FBI's Digital Telephony
Proposal.  It appears that this inquiry will be conducted by the
National Security Council.  Unfortunately, however, the Presidential
Directive describing the inquiry is classified.  Some public involvement
in the process has been promised, but the terms have yet to be specified.

FOR MORE INFORMATION CONTACT:

Jerry Berman, Executive Director (jberman@eff.org)
Daniel J. Weitzner, Senior Staff Counsel (djw@eff.org)

Full text of the Press releases and Fact Sheets issued by the
Administration will be available on EFF's ftp site.

Danny Weitzner                      Senior Staff Counsel, EFF
                                    +1 202 544 3077

Newsgroup: sci.crypt
document_id: 15196
From: grady@netcom.com (1016/2EF221)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

I am eager to hear the legal theory behind restricting exchange of
cryptographic data and encrypted messages, given the First Amendment;
the theory behind regulating the *personal* encryption of one's personal
*thoughts and feelings* seems even less tenable.

Perhaps if we make a *treaty* with, say, Iceland, to restrict crypto
paraphernalia can a good "end run" around the Constitution happen...
(Treaties -- as someone pointed out -- have the force of any other "law of
the land".  Like the Bill of Rights.)


    Amendment 1

    Congress shall make no law respecting an establishment of religion, or
prohibiting the free exercise thereof; or abridging the freedom of speech,
or of the press; or the right of the people peaceably to assemble, and to
petition the Government for a redress of grievances.

    Amendment 2

    A well regulated Militia, being necessary to the security of a free State,
the right of the people to keep and bear Arms, shall not be infringed.

    Amendment 3

    No Soldier shall, in time of peace be quartered in any house, without the
consent of the Owner, nor in time of war, but in a manner to be prescribed
by law.

    Amendment 4

    The right of the people to be secure in their persons, houses, papers, and
effects, against unreasonable searches and seizures, shall not be violated,
and no Warrants shall issue, but upon probable cause, supported by Oath or
affirmation, and particularly describing the place to be searched, and the
persons or things to be seized.

    Amendment 5

    No person shall be held to answer for a capital, or otherwise infamous
crime, unless on a presentment or indictment of a Grand Jury, except in
cases arising in the land or naval forces, or in the Militia, when in
actual service in time of War or public danger; nor shall any person be
subject for the same offence to be twice put in jeopardy of life or limb;
nor shall be compelled in any criminal case to be a witness against
himself, nor be deprived of life, liberty, or property, without due process
of law; nor shall private property be taken for public use, without just
compensation.


Well -- at least for a few minutes we had some privacy...
-- 
grady@netcom.com  2EF221 / 15 E2 AD D3 D1 C6 F3 FC  58 AC F7 3D 4F 01 1E 2F


Newsgroup: sci.crypt
document_id: 15197
From: jru@Comtech.com (Jimmy R. Upton)
Subject: [Rubick] Shortest Path Algorithm - Status?

What is the expected run time (+/- a factor of 10) on a 486DX/50
using the best known algorithm for finding the shortest path
solution for Rubik's Cube from a randomly chosen position?

I have read the FAQ and followed the recent discussion on Rubik's
Cube but I don't believe this question has been answered.  Notice
that I am specifically looking for an algorithm that finds the 
SHORTEST path, not just any solution.

It seems to me that the underlying assumption is that such a program
would need to do a brute force search through 10^20 positions.  That
seems an unreasonably pessimistic assumption to me and I want to 
know if someone has significantly improved on that.

I have some ideas of my own on how to approach this problem, but
before I spend too much time developing them I wanted to know if
someone else has already done the work.

ADMINISTRIVIA:  I have posted this to three groups and attempted
to set the followup to rec.puzzles which seems to me to be the
place to continue this discussion.  I will cross post a summary
when and if it becomes appropriate.  Email replies gladly accepted.

Jimmy
jru@Comtech.com 

Newsgroup: sci.crypt
document_id: 15198
From: bob@natasha.portal.com (Bob Cain)
Subject: Re: Pgp, PEM, and RFC's (Was: Cryptography Patents)

Charles Kincy (ckincy@cs.umr.edu) wrote:
: In article <1993Apr16.001321.3692@natasha.portal.com> bob@natasha.portal.com (Bob Cain) writes:
: 
: >: I hope my cynicism is misplaced here.  Go ahead...I'm not afraid to
: >: be wrong every once in a while.  But, I have an uneasy feeling that I
: >: am right.  :(
: >
: >It is and you are wrong yet you emotionally state a bunch of crap as fact
: >with a tiny disclaimer at the end.  Check your facts first and grow up.
: >Why is there such a strong correlation between interest in cryptography
: >and immaturity I wonder.
: 
: Oh, I see, flame someone, tell them that they are immature, tell them
: they are wrong, and then don't offer any proof for your assertions.
: 
: You really *are* a putz.  Put up or shut up.
: 

I will provide any proof you wish in private.  Name it, dickhead.


Putz Cain

Newsgroup: sci.crypt
document_id: 15199
From: clipper@csrc.ncsl.nist.gov (Clipper Chip Announcement)
Subject: White House Public Encryption Management Fact Sheet



Note:     The following was released by the White House today in
          conjunction with the announcement of the Clipper Chip
          encryption technology.

                           FACT SHEET

                  PUBLIC ENCRYPTION MANAGEMENT

The President has approved a directive on "Public Encryption
Management."  The directive provides for the following:

Advanced telecommunications and commercially available encryption
are part of a wave of new computer and communications technology. 
Encryption products scramble information to protect the privacy of
communications and data by preventing unauthorized access. 
Advanced telecommunications systems use digital technology to
rapidly and precisely handle a high volume of communications. 
These advanced telecommunications systems are integral to the
infrastructure needed to ensure economic competitiveness in the
information age.

Despite its benefits, new communications technology can also
frustrate lawful government electronic surveillance.  Sophisticated
encryption can have this effect in the United States.  When
exported abroad, it can be used to thwart foreign intelligence
activities critical to our national interests.  In the past, it has
been possible to preserve a government capability to conduct
electronic surveillance in furtherance of legitimate law
enforcement and national security interests, while at the same time
protecting the privacy and civil liberties of all citizens.  As
encryption technology improves, doing so will require new,
innovative approaches.

In the area of communications encryption, the U. S. Government has
developed a microcircuit that not only provides privacy through
encryption that is substantially more robust than the current
government standard, but also permits escrowing of the keys needed
to unlock the encryption.  The system for the escrowing of keys
will allow the government to gain access to encrypted information
only with appropriate legal authorization.

To assist law enforcement and other government agencies to collect
and decrypt, under legal authority, electronically transmitted
information, I hereby direct the following action to be taken:

INSTALLATION OF GOVERNMENT-DEVELOPED MICROCIRCUITS

The Attorney General of the United States, or her representative,
shall request manufacturers of communications hardware which
incorporates encryption to install the U.S. government-developed
key-escrow microcircuits in their products.  The fact of law
enforcement access to the escrowed keys will not be concealed from
the American public.  All appropriate steps shall be taken to
ensure that any existing or future versions of the key-escrow
microcircuit are made widely available to U.S. communications
hardware manufacturers, consistent with the need to ensure the
security of the key-escrow system.  In making this decision, I do
not intend to prevent the private sector from developing, or the
government from approving, other microcircuits or algorithms that
are equally effective in assuring both privacy and a secure key-
escrow system.

KEY-ESCROW

The Attorney General shall make all arrangements with appropriate
entities to hold the keys for the key-escrow microcircuits
installed in communications equipment.  In each case, the key
holder must agree to strict security procedures to prevent
unauthorized release of the keys.  The keys shall be released only
to government agencies that have established their authority to
acquire the content of those communications that have been
encrypted by devices containing the microcircuits.  The Attorney
General shall review for legal sufficiency the procedures by which
an agency establishes its authority to acquire the content of such
communications.

PROCUREMENT AND USE OF ENCRYPTION DEVICES

The Secretary of Commerce, in consultation with other appropriate
U.S. agencies, shall initiate a process to write standards to
facilitate the procurement and use of encryption devices fitted
with key-escrow microcircuits in federal communications systems
that process sensitive but unclassified information.  I expect this
process to proceed on a schedule that will permit promulgation of
a final standard within six months of this directive. 

The Attorney General will procure and utilize encryption devices to
the extent needed to preserve the government's ability to conduct
lawful electronic surveillance and to fulfill the need for secure
law enforcement communications.  Further, the Attorney General
shall utilize funds from the Department of Justice Asset Forfeiture
Super Surplus Fund to effect this purchase.

Newsgroup: sci.crypt
document_id: 15200
From: kadie@cs.uiuc.edu (Carl M Kadie)
Subject: [EFF] Initial EFF Analysis of Clinton Privacy and Security Proposal

[An article from comp.org.eff.news, EFFector Online 5.06 - Carl]

                       April 16, 1993

      INITIAL EFF ANALYSIS OF CLINTON PRIVACY AND SECURITY  
                           PROPOSAL

       The Clinton Administration today made a major announcement 
on cryptography policy which will affect the privacy and security of 
millions of Americans.  The first part of the plan is to begin a 
comprehensive inquiry into major communications privacy issues 
such as export controls which have effectively denied most people 
easy access to robust encryption as well as law enforcement issues 
posed by new technology.

       However, EFF is very concerned that the Administration has 
already reached a conclusion on one critical part of the inquiry, before 
any public comment or discussion has been allowed.  Apparently, the 
Administration is going to use its leverage to get all telephone 
equipment vendors to adopt a voice encryption standard developed 
by the National Security Agency. The so-called "Clipper Chip" is an 
80-bit, split key escrowed encryption scheme which will be built into 
chips manufactured by a military contractor.  Two separate escrow 
agents would store users' keys, and be required to turn them over to 
law enforcement upon presentation of a valid warrant.  The 
encryption scheme used is to be classified, but the chips will be 
available to any manufacturer for incorporation into their 
communications products.

       This proposal raises a number of serious concerns.

       First, the Administration appears to be adopting a solution 
before conducting an inquiry.  The NSA-developed Clipper chip may 
not be the most secure product. Other vendors or developers may 
have better schemes. Furthermore, we should not rely on the 
government as the sole source for Clipper or any other chips.  Rather,
independent chip manufacturers should be able to produce chipsets 
based on open standards.

       Second, an algorithm can not be trusted unless it can be tested. 
Yet the Administration proposes to keep the chip algorithm 
classified.  EFF believes that any standard adopted ought to be public 
and open.  The public will only have confidence in the security of a 
standard that is open to independent, expert scrutiny.  

       Third, while the use of the split-key, dual-escrowed 
system may prove to be a reasonable balance between privacy and 
law enforcement needs, the details of this scheme must be explored 
publicly before it is adopted.  What will give people confidence in the 
safety of their keys?  Does disclosure of keys to a third party waive 
an individual's Fifth Amendment rights in subsequent criminal 
inquiries?  

       In sum, the Administration has shown great sensitivity to the 
importance of these issues by planning a comprehensive inquiry into 
digital privacy and security.  However, the "Clipper chip" solution 
ought to be considered as part of the inquiry, not be adopted before 
the discussion even begins.

DETAILS OF THE PROPOSAL:

ESCROW

The 80-bit key will be divided between two escrow agents, each of 
whom hold 40 bits of each key.  Upon presentation of a valid 
warrant, the two escrow agents would have to turn the key parts 
over to law enforcement agents.  Most likely the Attorney General 
will be asked to identify appropriate escrow agents.  Some in the 
Administration have suggested one non-law enforcement federal 
agency, perhaps the Federal Reserve, and one non-governmental 
organization.  But, there is no agreement on the identity of the agents 
yet.

Key registration would be done by the manufacturer of the 
communications device.  A key is tied to the device, not to the person 
using it.

CLASSIFIED ALGORITHM AND THE POSSIBILITY OF BACK DOORS

The Administration claims that there are no back door means by 
which the government or others could break the code without 
securing keys from the escrow agents and that the President will 
be told there are no back doors to this classified algorithm.  In order 
to prove this, Administration sources are interested in arranging for 
an all-star crypto cracker team to come in, under a security 
arrangement, and examine the algorithm for trap doors.  The results 
of the investigation would then be made public.

GOVERNMENT AS MARKET DRIVER

In order to get a market moving, and to show that the government 
believes in the security of this system, the feds will be the first big 
customers for this product.  Users will include the FBI, Secret Service, 
VP Al Gore, and maybe even the President. 

FOR MORE INFORMATION CONTACT:

Jerry Berman, Executive Director
Daniel J. Weitzner, Senior Staff Counsel





-- 
Carl Kadie -- I do not represent any organization; this is just me.
 = kadie@cs.uiuc.edu =

Newsgroup: sci.crypt
document_id: 15201
From: cme@ellisun.sw.stratus.com (Carl Ellison)
Subject: Re: Clipper Crypto

I sent a response to the White House at

	0005895485@MCIMAIL.COM (White House)

and received a nice, automatic reply from MCIMAIL noting, in passing, that
if I had included a SNail address, I would get a reply in due course.

For those who care, my reply was:

	1.	yes, let's protect the voice network

	2.	privately-developed crypto has always been available and
		always will be -- so let's think about how to do law
		enforcement given that fact not about how to hope to
		legislate against it

	3.	my needs for crypto as a system designer are not met by the
		Clipper Chip.  I want freely to export uses of algorithms
		(like DES & RSA) which are already freely available in the
		destination country

-- 
 - <<Disclaimer: All opinions expressed are my own, of course.>>
 - Carl Ellison                                        cme@sw.stratus.com
 - Stratus Computer Inc.       M3-2-BKW                TEL: (508)460-2783
 - 55 Fairbanks Boulevard ; Marlborough MA 01752-1298  FAX: (508)624-7488

Newsgroup: sci.crypt
document_id: 15202
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]


Though some may argue about the nose of the camel, it's worth noting that
the government proposal is limited to scrambled telephony. If it is only
used for that purpose, and does not extend to electronic mail or file
encryption, then it IS an improvement over the current mass-produced
standard civilian technology which, with a few exceptions, is limited to
easy-to-break inverters.

Note that the big issue for the feds is the continued ability to wiretap.
Before we go off the deep end with long discussions about secure crypto for
e-mail and files, let's focus on this.

One question that was not asked in the release is whether this proposal is
limited to telephony, or if the government intends to expand it.

Though I share many of the concerns expressed by some, I find the proposal
less threatening than many others, since right now most Americans have no
secure telephony, and any jerk with a pair of clip leads and a "goat" can
eavesdrop. This would also plug up the security hole in cellular and
cordless phones.

-------

Reading between the lines, I infer that the system is highly secure
without access to the keys. This would meet the needs of U.S. businesses
confronted by rich and powerful adversaries, including French and Japanese
security services and rich Japanese companies. It allows the NSA to make
available some of its better stuff while protecting law enforcement needs.

Most legitimate U.S. corporations trust the NSA, and would be delighted to
have a high-security system certified by them, even at the price of
depositing keys in escrow. I see no difficulty in creating a reliable
escrow. Corporations entrust their secrets to attorneys every day of the
week, and that system has worked pretty well.

From my point of view this is a fair starting point. There are concerns that
need to be addressed, including the reliability of the escrows. But in
return we get access to high-security crypto. Many have suggested that DES
and other systems may be breakable by the NSA and hence others similarly
skilled and endowed. There is at least a good possibility (which should be
checked) that the proposed system is not so breakable. It doesn't have to
be, nor does it have to have trapdoors, if the government can get the keys
pursuant to a legitimate court order. Thus they can protect legitimate
communications against economic adversaries, while still being able to
eavesdrop on crooks pursuant to a court order.

------

In discussing this, let's try to avoid the nastiness, personal attacks and
noise of some previous threads. This is a substantive and technical issue,
and personal remarks have no place in such a discussion.

-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
document_id: 15203
From: lbrintle@news.weeg.uiowa.edu (Lee Brintle)
Subject: Re: Re-inventing Crypto Policy?  An EFF Statement

In article <1993Apr16.204207.24564@eff.org> Danny Weitzner <djw@eff.org> 
writes:
>The 80-bit key will be divided between two escrow agents, each of whom
>hold 40-bits of each key. 

Presumably, the key split is so that no one group controls the privacy
of the key, and that it would be infeasible to illicitly gain access from
both agents.

However, if one agent wishes to break the crypto without the cooperation
of the other agent, a 40-bit key is not going to stand in the way of a
brute force attack.  If an agency (for example, the NSA) were to hold one
of the two key-halves, then I don't imagine they really need the other half of
the key to start listening in.

Or was that the point?   <grin>


(This is not to imply, at all, that I like the idea of the rest of the
system.)
-- 
Lee Brintle                    | ``And so, I leave you with this final word:
Director, Project Panda        |     twang.''

Newsgroup: sci.crypt
document_id: 15204
From: Jay Fenton <Fenton@Kaleida.Com>
Subject: How to detect use of an illegal cipher?

How can the government tell which encryption method one is using without
being able to decode the traffic? i.e., In order to accuse me of using an
unauthorized strong encryption technique they would have to take both
keys out of escrow, run them against my ciphertext and "draw a blank".

I can imagine the ciphertext exhibiting certain statistical
characteristics that might give a clue as to the encryption technique
used, but not enough to give a handle for differential cryptanalysis.
However, superencipherment or some other scheme that shapes the perceived
properties of my ciphertext could thwart this.

Newsgroup: sci.crypt
document_id: 15205
From: mike@avon.demon.co.uk ("Mike H.")
Subject: Re: Another data hiding scheme... 

In article <1993Apr13.225348.6511@colorado.edu> bear@tigger.cs.Colorado.EDU writes:

>since the price of 1.44 M 3.5" floppies were still high until the last
>few years.  If you store "old" data, with old file times, in the public
>filesystem the casual observer may miss the "HD"... especially if you 
>"accidentally" cover it with something).
>
>-- 
>Bear Giles
>bear@cs.colorado.edu/fsl.noaa.gov
>

It has been done already!

In the UK the Atari ST box was shipped with 360K disks in the first few
years and then later 720K disks. In order to make life less complicated,
many freebie disks on mags were double formatted like this. Side 0 of the
disk had 360K on it and could be read  by any ST. It also had a flip-side
program. This would swap the sides around so that side 1 became side 0.

-- 

                        Mike (mike@avon.demon.co.uk)

Newsgroup: sci.crypt
document_id: 15206
From: arc@leland.Stanford.EDU (Andrew Richard Conway)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

In article <1qmugcINNpu9@gap.caltech.edu> hal@cco.caltech.edu (Hal Finney) writes:
>The key question is whether non-Clipper encryption will be made illegal.
>
>>     The Administration is not saying, "since encryption
>>     threatens the public safety and effective law enforcement,
>>     we will prohibit it outright" (as some countries have
>>     effectively done); nor is the U.S. saying that "every

Does anyone know what countries are these?

>>     American, as a matter of right, is entitled to an
>>     unbreakable commercial encryption product."  There is a
>>     false "tension" created in the assessment that this issue is
>>     an "either-or" proposition.  Rather, both concerns can be,
>>     and in fact are, harmoniously balanced through a reasoned,
>>     balanced approach such as is proposed with the "Clipper
>>     Chip" and similar encryption techniques.
>
>The clear middle ground implied by these statements is to say that Americans
>have the right to Clipper encryption, but not to unbreakable encryption.
>This implies that, ultimately, non-Clipper strong encryption must become
>illegal.

With the following logical consequences
	(a) Using any code designed to obscure information which is 
	    not easily breakable will be illegal, including
		(i) Using code words such as ``Project P5''
		(ii) Speaking a language other than English
		(iii) Ever referring implicitly to events not known to
			everyone, eg
			"Hi John. How was last night?"
		      For all the listener knows, this may be a code for
			"Did you pick up the drugs OK last night?"
		      or be a code for
		        "OK. We blow up the Pentagon at midnight."
		(iv) Mentioning anything that could not be perfectly
		     understood by an average person with no education.
		(v) Words with more than one syllable.
		(vi) Speaking with a heavy accent that could be misunderstood
		     by people not used to it.
		(vii) books with an "Inner meaning"...such
		      as "Animal Farm".

>(As an aside, isn't the language here jarring?  All this talk about
>"harmonious balance" when they're talking about taking away people's
>right to communications privacy?)

Yes.

>It looks like the worst nightmares raised by Dorothy Denning's proposals
>are coming true.  If the government continues on this course, I imagine
>that we will see strong cryptography made illegal.  Encryption programs
>for disk files and email, as well as software to allow for encrypted
>voice communications, will be distributed only through the
>"underground".  People will have to learn how to hide the fact that
>they are protecting their privacy.

I have a wonderful encrypter you can borrow that converts a message
eg "Meet me at 11:30 to bomb the White House. Bring some dynamite"
to an apparently (relatively) innocuous message. This message
here is an example of the output for the above message :-).

>It's shocking and frightening to see that this is actually happening here.

It is shocking that it could happen anywhere.
It is shocking that it could happen in a country 
that has the arrogance to call itself free.

What you can do:
	(1) Write to your congress person in plain text.
	(2) Write to your congress person in encrypted text.
		(decrypter optional)
	(3) Send some random keystrokes to your congressperson
	(4) Send some random keystrokes across the US boundaries,
		and keep the spooks busy trying to decode it.
	(5) Write your own encryption algorithms.
	(6) Don't buy clipper products.

P.S. I can't work out why the US government doesn't want to sell
them overseas. After all, they are rather easy for US interests to decode,
so make a perfect tool for industrial/military espionage...lulling 
anyone stupid enough to buy it into a false sense of security. You will
notice that there is NO mention anywhere about safety for non-Americans.

Disclaimer: My opinions are mine alone, and do not represent anyone else's.
I have nothing that I particularly want to hide at the moment...though I 
consider the right
to be able to use whatever method of coding data I like to be high on my
list of priorities.

-- 
-----------------------------------------------------------------
Andrew Conway    arc@leland.stanford.edu  Phone: USA 415 497 1094


Newsgroup: sci.crypt
document_id: 15209
From: eifrig@beanworld.cs.jhu.edu (Jonathan Eifrig)
Subject: Re: Pgp, PEM, and RFC's (Was: Cryptography Patents)

In article <1993Apr16.001321.3692@natasha.portal.com> bob@natasha.portal.com
(Bob Cain) writes:

>  Check your facts first and grow up.
>Why is there such a strong correlation between interest in cryptography
>and immaturity I wonder.

	Hmmm.  "Check your facts."  Good advice.  Let's check Mr. Cain's
facts a bit, shall we?

>Charles Kincy (ckincy@cs.umr.edu) wrote:

>: Some limitation.  Let me guess:  don't use the code in any way PKP or
>: RSA doesn't like....such as...providing secure communications for the
>: average citizen.
>
>That was exactly its purpose if you know anything about it.  There is
>nothing at all preventing the average citizen using it, only selling
>it.

FACT:  It is unlawful to distribute code implementing RSA without a license
to do so from PKP, whether or not one is charging for it.  Furthermore,
any use of RSA, other than for research purposes allowed under US patent
law, is similarly unlawful.  Therefore, the "average citizen" cannot use
RSA to encrypt message traffic in the US without a license from PKP.

There is no licensed, freely available product in the US that uses RSA
encryption other than RSAREF (and hence RIPEM), at least as far as I am
aware.  If you know of another, please post it here.

>: All I have to say is...yeah, right.  If you're willing to pay them
>: mucho big bucks and/or use the routines *they* tell you to do.  
>: Doesn't sound very reasonable to me.
>
>All I have to say is this is full of shit.  I have negotiated a license
>and the bucks are incredibly reasonable with an upfront charge on a
>sliding scale depending on your capitalization.  If you are a startup
>and can't afford it you can't afford to start up in the first place.
>Why do people insist on making unequivocal statements about that which
>they know nothing.

FACT:  The last contact I had with RSA Data Security, Inc was with some
guy trying to sell me a license (unsolicited, I might add) for TIPEM.
Cost: $15K plus 2-5 percent royalties.

I suppose it is a matter of opinion as to whether or not these terms count
as "mucho bucks" or "incredibly reasonable."  Either way, however, this
definitely falls into the "routines *they* tell you to (use)".

>: But I don't guess PKP and RSA are interested in big bucks.  Maybe
>: they have some other agenda?  Secure communications only for 
>: government agents, perhaps?
>
>Have you considered treatment for paranoia?  The government is the
>single biggest thorn in RSA's side.

FACT:  There are no restrictions (yet!) on the use of cryptography under
US law, although this is beginning to look like it will change.  The only
impediments to widespread use of RSA cryptography in the US are PKP's
patents.

	Mr. Cain, please shut up until you get your facts straight.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
	"Better than the whole world be destroyed and crumble to dust than
a free man deny one of his desires."
		-Benito Mussolini, Italian anarchist and poet.

Jack Eifrig (eifrig@cs.jhu.edu)       The Johns Hopkins University, C.S. Dept.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Newsgroup: sci.crypt
document_id: 15210
From: avg@rodan.UU.NET (Vadim Antonov)
Subject: Re: Re-inventing Crypto Policy?  An EFF Statement

In article <1993Apr16.204207.24564@eff.org> Danny Weitzner <djw@eff.org> 
writes:
>The 80-bit key will be divided between two escrow agents, each of whom
>hold 40-bits of each key. 

I somehow started to doubt the technical competence of the
people who designed the system.  Why on earth split the
80-bit key into 40-bit parts to keep them in escrow separately
(having 40 bits and the large volumes of data voice links produce,
it should be relatively easy to break) when they simply
could keep 80-bit sequences in N (N>=2) independent places
and then XOR all the partial keys to get the actual key (N-1
sequences should obviously be selected randomly and the Nth is the
actual key XOR-ed with the random sequences).

(Or is it a conspiracy? 1/2 :-)

--vadim

Newsgroup: sci.crypt
document_id: 15211
From: karn@servo.qualcomm.com (Phil Karn)
Subject: Re: Keeping Your Mouth Shut (was: Hard drive security)

In article <C5K1CE.51A@sunfish.usd.edu>, vkub@charlie.usd.edu (Vince Kub) writes:
|> Now,
|> the original scheme as suggested here would be to have the key disappear if
|> certain threatening conditions are met. Once the key is gone there is no
|> question of Contempt of Court as there is nothing to compel, the key is no
|> longer there to be produced.

Getting rid of the keys is actually pretty easy to do automatically on
a communications link, as opposed to storage where the keys have to be
retained somehow as long as the owner wants to be able to retrieve the
data.

The right way to do communications security is to generate a random
session key with Diffie Hellman, use it for a while and then destroy
it. Once it's gone, there's no getting it back, and no way to decrypt
recordings of the conversation.

To make sure you aren't being attacked by a man in the middle, you
have to authenticate your DH exchanges. The AT&T secure phone does
this by displaying the DH key so you can compare them verbally over
the phone. This is nice and simple, but it relies on user awareness
plus the inability of the man in the middle to duplicate the users'
voices.

A better way is to authenticate the exchanges with RSA. Since you'd
never use RSA for actual encryption, compromising your RSA secret key
would only allow someone to impersonate you in a future conversation,
and even that only until you revoke your public key.  They would still
not be able to decrypt recordings of prior conversations for which the
session keys have been destroyed.

I'm convinced that this is how the government's own secure phones
(the STU-III) must work. Neat, eh?

Phil
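The handshake Phil Karn describes, as an added example (not his code, nor AT&T's or the STU-III's): an ephemeral Diffie-Hellman exchange whose transcript both sides sign with long-term RSA keys, after which the ephemeral exponents are discarded. The DH group, the RSA primes, the transcript encoding and the party names are constructed toy parameters, chosen so the example runs offline in well under a second.

```python
from __future__ import annotations

import hashlib
import secrets

# Toy Diffie-Hellman group (constructed): the Mersenne prime 2^127 - 1 with
# generator 3.  Far too small for real use; it only keeps the exchange instant.
P = (1 << 127) - 1
G = 3
DH_BYTES = 16                     # every value mod P fits in 16 bytes


def rsa_keypair(p: int, q: int, e: int = 65537) -> tuple[int, int, int]:
    """Textbook RSA (n, e, d) from two primes; d = e^-1 mod (p-1)(q-1).
    A toy long-term signing key, not a production key-generation routine."""
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))


def _digest_mod_n(msg: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def rsa_sign(msg: bytes, n: int, d: int) -> int:
    return pow(_digest_mod_n(msg, n), d, n)


def rsa_verify(msg: bytes, sig: int, n: int, e: int) -> bool:
    return pow(sig, e, n) == _digest_mod_n(msg, n)


def dh_keypair() -> tuple[int, int]:
    """Fresh ephemeral exponent x and public value g^x mod p for one call."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def transcript(init_pub: int, resp_pub: int) -> bytes:
    """What both sides sign: the two DH public values in a fixed order.
    Signing the pair rather than one's own value alone is what lets each
    side notice a value substituted in transit."""
    return b"DH|" + init_pub.to_bytes(DH_BYTES, "big") + b"|" + resp_pub.to_bytes(DH_BYTES, "big")


def derive_key(shared: int) -> bytes:
    """128-bit session key from the shared DH secret via SHA-256."""
    return hashlib.sha256(b"session|" + shared.to_bytes(DH_BYTES, "big")).digest()[:16]


# Constructed toy long-term RSA keys for the two parties (Mersenne primes).
ALICE_RSA = rsa_keypair((1 << 31) - 1, (1 << 61) - 1)
BOB_RSA = rsa_keypair((1 << 19) - 1, (1 << 89) - 1)


def handshake(alice_rsa, bob_rsa, mitm_pub: int | None = None):
    """One authenticated exchange; Alice initiates, Bob responds.  If mitm_pub
    is given, an in-path party swaps it in for Bob's value on the way to
    Alice.  Returns (alice_accepts, bob_accepts, alice_key, bob_key)."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    b_seen_by_alice = b_pub if mitm_pub is None else mitm_pub

    # Each side signs the transcript *it* observed with its long-term key ...
    bob_sig = rsa_sign(transcript(a_pub, b_pub), bob_rsa[0], bob_rsa[2])
    alice_sig = rsa_sign(transcript(a_pub, b_seen_by_alice), alice_rsa[0], alice_rsa[2])

    # ... and checks the peer's signature against that same observed transcript.
    alice_accepts = rsa_verify(transcript(a_pub, b_seen_by_alice), bob_sig, bob_rsa[0], bob_rsa[1])
    bob_accepts = rsa_verify(transcript(a_pub, b_pub), alice_sig, alice_rsa[0], alice_rsa[1])

    alice_key = derive_key(pow(b_seen_by_alice, a_priv, P)) if alice_accepts else None
    bob_key = derive_key(pow(a_pub, b_priv, P)) if bob_accepts else None

    # Forward secrecy rests on discarding the ephemeral exponents: the signed
    # transcript alone, even together with both RSA private keys, does not
    # yield the session key.  (Python cannot promise the values are wiped from
    # memory; a real implementation zeroises them explicitly.)
    del a_priv, b_priv
    return alice_accepts, bob_accepts, alice_key, bob_key


if __name__ == "__main__":
    ok_a, ok_b, k_a, k_b = handshake(ALICE_RSA, BOB_RSA)
    print("honest run agreed on a key:", ok_a and ok_b and k_a == k_b)
    _, fake = dh_keypair()
    ok_a, ok_b, _, _ = handshake(ALICE_RSA, BOB_RSA, mitm_pub=fake)
    print("substituted value accepted by either side:", ok_a or ok_b)
```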



Newsgroup: sci.crypt
document_id: 15212
From: pcw@access.digex.com (Peter Wayner)
Subject: The Old Key Registration Idea...

Okay, let's suppose that the NSA/NIST/Mykotronix Registered
Key system becomes standard and I'm able to buy such a system
from my local radio shack. Every phone comes with a built in
chip and the government has the key to every phone call. 
I go and buy a phone and dutifully register the key. 

What's to prevent me from swapping phones with a friend or 
buying a used phone at a garage sale? Whooa. The secret registered
keys just became unsynchronized. When the government comes 
to listen in, they only receive gobbledygook because the 
secret key registered under my name isn't the right one. 

That leads me to conjecture that:

1) The system isn't that secure. There are just two master keys
that work for all the phones in the country. The part about
registering your keys is just bogus. 

or 

2) The system is vulnerable to simple phone swapping attacks
like this. Criminals will quickly figure this out and go to
town.

In either case, I think we need to look at this a bit deeper.

Newsgroup: sci.crypt
document_id: 15213
From: ig25@fg70.rz.uni-karlsruhe.de (Thomas Koenig)
Subject: Re: White House Public Encryption Management Fact Sheet

clipper@csrc.ncsl.nist.gov (Clipper Chip Announcement) writes:

>The President has approved a directive on "Public Encryption
>Management."  The directive provides for the following:

[...]

>When
>exported abroad, it can be used to thwart foreign intelligence
>activities critical to our national interests.

[...]

>The Attorney General of the United States, or her representative,
>shall request manufacturers of communications hardware which
>incorporates encryption to install the U.S. government-developed
>key-escrow microcircuits in their products.

Quite interesting.  How does the US administration intend to persuade
non - US governments to let the NSA eavesdrop on them?  Or should U.S.
companies install these chips in communication systems sold abroad
without the customer's knowledge or consent, or not at all?
-- 
Thomas Koenig, ig25@rz.uni-karlsruhe.de, ig25@dkauni2.bitnet
The joy of engineering is to find a straight line on a double
logarithmic diagram.

Newsgroup: sci.crypt
document_id: 15214
From: betel@camelot.bradley.edu (Robert Crawford)
Subject: Re: How to detect use of an illegal cipher?

Jay Fenton <Fenton@Kaleida.Com> writes:

>How can the government tell which encryption method one is using without
>being able to decode the traffic? i.e., In order to accuse me of using an
>unauthorized strong encryption technique they would have to take both
>keys out of escrow, run them against my ciphertext and "draw a blank".

	I was thinking about this, also. It's quite possible the
system transmits, in clear, the serial number of the device being
used. That way they can start a tap, get the serial number, and use
the warrant for the first tap to get the key.

	If they tap someone who's apparently using encryption, but
don't find that prefix, then they'll assume it's an "un-authorized"
encryption scheme.

--
	May the Kloo Gnomes be generous to you.

Robert Crawford				betel@camelot.bradley.edu

Newsgroup: sci.crypt
document_id: 15215
From: philip@charon.cto.citicorp.com (Philip Gladstone)
Subject: More Clipper Stuff

As of yet, there has been no description of the general principles
behind the Clipper proposal. For example, is this a public key system
or a private key system? If the latter, then I don't see how the
system could work (given that the keys are tied to the device and
not the person).

Further, the escrowed 80-bit keys are split into two 40-bit chunks.
I would guess that the availability of one of these 40-bit chunks
and a reasonable key-search machine, would allow you to read the traffic.
I'm not suggesting that this is a deliberate weakness of the system,
but it does make you think. Of course, this is easily fixable by 
giving out two 80-bit chunks which could be x-ored to generate the 
real 80-bit key.

Philip
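The N-way XOR split that Vadim Antonov proposes earlier in the thread and that Philip Gladstone arrives at here, as an added example (code from neither poster), next to the two-halves split from the announcement. The key length is the 80 bits the announcement gives; the sample key, share counts and function names are my own.

```python
from __future__ import annotations

import secrets
from functools import reduce
from operator import xor

KEY_BITS = 80                     # escrowed key length given in the announcement
KEY_MASK = (1 << KEY_BITS) - 1


def split_halves(key: int) -> tuple[int, int]:
    """Announced scheme: each of two escrow agents holds 40 of the 80 key bits."""
    half = KEY_BITS // 2
    return key >> half, key & ((1 << half) - 1)


def join_halves(high: int, low: int) -> int:
    """Reassemble the 80-bit key from its two 40-bit halves."""
    return (high << (KEY_BITS // 2)) | low


def xor_split(key: int, n: int, randbits=secrets.randbits) -> list[int]:
    """Proposed scheme: n-1 shares are uniformly random 80-bit values and the
    last share is the key XORed with all of them, so the n shares XOR back to
    the key.  randbits is injectable only so a test can reproduce a split."""
    if n < 2:
        raise ValueError("need at least two escrow agents")
    if not 0 <= key <= KEY_MASK:
        raise ValueError("key must fit in KEY_BITS bits")
    shares = [randbits(KEY_BITS) for _ in range(n - 1)]
    shares.append(reduce(xor, shares, key))
    return shares


def xor_join(shares: list[int]) -> int:
    """Recover the key from all n shares."""
    return reduce(xor, shares, 0)


def missing_share_for(known: list[int], candidate_key: int) -> int:
    """Given any n-1 shares, the n-th share that would make the key equal
    candidate_key.  Such a share exists for every candidate, which is why
    n-1 shares say nothing about which 80-bit key is the real one."""
    return reduce(xor, known, candidate_key)


def remaining_work_bits(scheme: str, n_shares: int, leaked: int) -> int:
    """log2 of the number of keys still consistent with `leaked` compromised
    shares, i.e. the exhaustive search left to whoever holds them."""
    if scheme == "halves":          # each leaked share removes its bits outright
        return KEY_BITS - leaked * (KEY_BITS // n_shares)
    if scheme == "xor":             # all-or-nothing: nothing until the last share
        return 0 if leaked >= n_shares else KEY_BITS
    raise ValueError(f"unknown scheme {scheme!r}")


if __name__ == "__main__":
    key = secrets.randbits(KEY_BITS)           # constructed sample device key
    high, low = split_halves(key)
    assert join_halves(high, low) == key
    print("halves: one agent compromised leaves",
          remaining_work_bits("halves", 2, 1), "bits to search")
    shares = xor_split(key, 3)
    assert xor_join(shares) == key
    print("xor:    two of three agents compromised leave",
          remaining_work_bits("xor", 3, 2), "bits to search")
    # The two honest-looking shares fit an unrelated key just as well:
    other = secrets.randbits(KEY_BITS)
    assert xor_join(shares[:2] + [missing_share_for(shares[:2], other)]) == other
```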

Newsgroup: sci.crypt
document_id: 15216
From: cme@ellisun.sw.stratus.com (Carl Ellison)
Subject: Re: White House Public Encryption Management Fact Sheet

In article <C5LGAz.250@dove.nist.gov> clipper@csrc.ncsl.nist.gov (Clipper Chip Announcement) writes:

>PROCUREMENT AND USE OF ENCRYPTION DEVICES

[ ... ]

>The Attorney General will procure and utilize encryption devices to
>the extent needed to preserve the government's ability to conduct
>lawful electronic surveillance and to fulfill the need for secure
>law enforcement communications.  Further, the Attorney General
>shall utilize funds from the Department of Justice Asset Forfeiture
>Super Surplus Fund to effect this purchase.


Talk about adding insult to injury ... 

I, for one, believe that the use of civil forfeiture should be abolished by
a decent administration, not continued.  Instead, it looks like that
ill-gotten gain will be used to help pay for wiretap equipment.

-- 
 - <<Disclaimer: All opinions expressed are my own, of course.>>
 - Carl Ellison                                        cme@sw.stratus.com
 - Stratus Computer Inc.       M3-2-BKW                TEL: (508)460-2783
 - 55 Fairbanks Boulevard ; Marlborough MA 01752-1298  FAX: (508)624-7488

Newsgroup: sci.crypt
document_id: 15217
From: m.t.palmer@larc.nasa.gov (Michael T. Palmer)
Subject: re: text of White House announcement and Q&As on clipper chip encryption


In article <C5L12t.GCI@dove.nist.gov> clipper@csrc.ncsl.nist.gov (Clipper Chip Announcement) writes:

>Q:   Suppose a law enforcement agency is conducting a wiretap on
>     a drug smuggling ring and intercepts a conversation... [etc]
        ^^^^^^^^^^^^^^^^^^^\
                            Great... nice choice of bad guys to
                            convince everyone how "bad" unrestricted
                            encryption is.  Why not use a child
                            molester instead?  Of course, the word
                            *suspect* is never used here, so I guess
                            these people have already been convicted
                            and are operating this drug ring from
                            their jail cells.

How about *this* question instead?

Q:   Suppose a law enforcement agency is conducting a wiretap on
     a political opponent of a senior administration official and
     intercepts a conversation...

Kinda changes your interpretation of the event, doesn't it?  And yes,
the presence of the Clipper Chip DOES change things, because it will
not only give the people talking on the phone a false sense of security,
it will also give federal law enforcement agencies the justification
to deny use of strong encryption methods that are inconvenient to them.
Dang it all, it's SUPPOSED to be inconvenient (but not impossible).
That's the ONLY sure way to make sure that abuses are minimized while
still allowing legitimate law enforcement access.


>Q:   How strong is the security in the device?  How can I be sure
>     how strong the security is?  
>
>A:   This system is more secure than many other voice encryption
>     systems readily available today.  While the algorithm will
>     remain classified to protect the security of the key escrow
>     system, we are willing to invite an independent panel of
>     cryptography experts to evaluate the algorithm to assure all
>     potential users that there are no unrecognized
>     vulnerabilities.

Uh huh... sure.  I predict that within two months (weeks?) of the chip's
debut, the full technical details will be posted to sci.crypt.  And if
this has ANY impact on the security of the key escrow system, then we've
been lied to.  Any cryptosystem worth its salt can withstand the light
of public scrutiny, and there is NO WAY you can be sure that an
algorithm has no "unrecognized vulnerabilities" unless you have half
the world trying to break it for a decade or so.  Even then, you gotta
be careful.

 
Michael T. Palmer         |  "A man is crazy who writes a secret in any
m.t.palmer@larc.nasa.gov  |   other way than one which will conceal it
RIPEM key on server       |   from the vulgar." - Roger Bacon, 1220-1292


Newsgroup: sci.crypt
document_id: 15218
From: karn@servo.qualcomm.com (Phil Karn)
Subject: Re: Re-inventing Crypto Policy?  An EFF Statement

In article <1qna0tINNf5p@rodan.UU.NET>, avg@rodan.UU.NET (Vadim Antonov) writes:
|> I somehow started to doubt the technical competence of the
|> people who designed the system.  Why on earth split the
|> 80-bit key into 40-bit parts to keep them in escrow separately
|> (having 40 bits and the large volumes of data voice links produce,
|> it should be relatively easy to break) when they simply
|> could keep 80-bit sequences in N (N>=2) independent places
|> and then XOR all the partial keys to get the actual key (N-1
|> sequences should obviously be selected randomly and the Nth is the
|> actual key XOR-ed with the random sequences).

Without real technical details, it's hard to answer this question. But
suppose they already *are* XORing the two 40-bit parts to produce only
40 bits of real key material? Maybe they're using the exportable version
of RC2...? :-)

Phil

Newsgroup: sci.crypt
document_id: 15219
Subject: text of White House announcement and Q&As on clipper chip encryption 
From: oleg@gd.cs.CSUFresno.EDU (Oleg Kibirev)

In article <C5L15A.GF6@dove.nist.gov> clipper@csrc.ncsl.nist.gov (Clipper Chip Announcement) writes:


Here is an article I found today in comp.security.misc. I'll send my reply in
a separate post to comp.off.eff.org so that you guys can get the original text.
Have fun! ;(

Oleg

   Relay-Version: VMS News - V6.1B5 17/9/92 VAX/VMS V5.5-2; site nic.csu.net
   Path: nic.csu.net!csus.edu!netcom.com!netcomsv!decwrl!uunet!dove!csrc.ncsl.nist.gov!clipper
   Newsgroups: comp.security.misc
   From: clipper@csrc.ncsl.nist.gov (Clipper Chip Announcement)
   Date: Fri, 16 Apr 1993 15:17:33 GMT
   Sender: news@dove.nist.gov
   Distribution: na
   Organization: National Institute of Standards & Technology
   Lines: 280

   Note:  This file will also be available via anonymous file
   transfer from csrc.ncsl.nist.gov in directory /pub/nistnews and
   via the NIST Computer Security BBS at 301-948-5717.
	---------------------------------------------------

			    THE WHITE HOUSE

		     Office of the Press Secretary

   _________________________________________________________________

   For Immediate Release                           April 16, 1993


		   STATEMENT BY THE PRESS SECRETARY


   The President today announced a new initiative that will bring
   the Federal Government together with industry in a voluntary
   program to improve the security and privacy of telephone
   communications while meeting the legitimate needs of law
   enforcement.

   The initiative will involve the creation of new products to
   accelerate the development and use of advanced and secure
   telecommunications networks and wireless communications links.

   For too long there has been little or no dialogue between our
   private sector and the law enforcement community to resolve the
   tension between economic vitality and the real challenges of
   protecting Americans.  Rather than use technology to accommodate
   the sometimes competing interests of economic growth, privacy and
   law enforcement, previous policies have pitted government against
   industry and the rights of privacy against law enforcement.

   Sophisticated encryption technology has been used for years to
   protect electronic funds transfer.  It is now being used to
   protect electronic mail and computer files.  While encryption
   technology can help Americans protect business secrets and the
   unauthorized release of personal information, it also can be used
   by terrorists, drug dealers, and other criminals.

   A state-of-the-art microcircuit called the "Clipper Chip" has
   been developed by government engineers.  The chip represents a
   new approach to encryption technology.  It can be used in new,
   relatively inexpensive encryption devices that can be attached to
   an ordinary telephone.  It scrambles telephone communications
   using an encryption algorithm that is more powerful than many in
   commercial use today.

   This new technology will help companies protect proprietary
   information, protect the privacy of personal phone conversations
   and prevent unauthorized release of data transmitted
   electronically.  At the same time this technology preserves the
   ability of federal, state and local law enforcement agencies to
   intercept lawfully the phone conversations of criminals. 

   A "key-escrow" system will be established to ensure that the
   "Clipper Chip" is used to protect the privacy of law-abiding
   Americans.  Each device containing the chip will have two unique
   "keys," numbers that will be needed by authorized government
   agencies to decode messages encoded by the device.  When the
   device is manufactured, the two keys will be deposited separately
   in two "key-escrow" data bases that will be established by the
   Attorney General.  Access to these keys will be limited to
   government officials with legal authorization to conduct a
   wiretap.

   The "Clipper Chip" technology provides law enforcement with no
   new authorities to access the content of the private
   conversations of Americans.

   To demonstrate the effectiveness of this new technology, the
   Attorney General will soon purchase several thousand of the new
   devices.  In addition, respected experts from outside the
   government will be offered access to the confidential details of
   the algorithm to assess its capabilities and publicly report
   their findings.

   The chip is an important step in addressing the problem of
   encryption's dual-edge sword:  encryption helps to protect the
   privacy of individuals and industry, but it also can shield
   criminals and terrorists.  We need the "Clipper Chip" and other
   approaches that can both provide law-abiding citizens with access
   to the encryption they need and prevent criminals from using it
   to hide their illegal activities.  In order to assess technology
   trends and explore new approaches (like the key-escrow system),
   the President has directed government agencies to develop a
   comprehensive policy on encryption that accommodates:

	--   the privacy of our citizens, including the need to
	     employ voice or data encryption for business purposes;

	--   the ability of authorized officials to access telephone
	     calls and data, under proper court or other legal
	     order, when necessary to protect our citizens;

	--   the effective and timely use of the most modern
	     technology to build the National Information
	     Infrastructure needed to promote economic growth and
	     the competitiveness of American industry in the global
	     marketplace; and 

	--   the need of U.S. companies to manufacture and export
	     high technology products.

   The President has directed early and frequent consultations with
   affected industries, the Congress and groups that advocate the
   privacy rights of individuals as policy options are developed.

   The Administration is committed to working with the private
   sector to spur the development of a National Information
   Infrastructure which will use new telecommunications and computer
   technologies to give Americans unprecedented access to
   information.  This infrastructure of high-speed networks
   ("information superhighways") will transmit video, images, HDTV
   programming, and huge data files as easily as today's telephone
   system transmits voice.

   Since encryption technology will play an increasingly important
   role in that infrastructure, the Federal Government must act
   quickly to develop consistent, comprehensive policies regarding
   its use.  The Administration is committed to policies that
   protect all Americans' right to privacy while also protecting
   them from those who break the law.

   Further information is provided in an accompanying fact sheet. 
   The provisions of the President's directive to acquire the new
   encryption technology are also available.  

   For additional details, call Mat Heyman, National Institute of
   Standards and Technology, (301) 975-2758.

   ---------------------------------


   QUESTIONS AND ANSWERS ABOUT THE CLINTON ADMINISTRATION'S
   TELECOMMUNICATIONS INITIATIVE




   Q:   Does this approach expand the authority of government
	agencies to listen in on phone conversations?

   A:   No.  "Clipper Chip" technology provides law enforcement with
	no new authorities to access the content of the private
	conversations of Americans.

   Q:   Suppose a law enforcement agency is conducting a wiretap on
	a drug smuggling ring and intercepts a conversation
	encrypted using the device.  What would they have to do to
	decipher the message?

   A:   They would have to obtain legal authorization, normally a
	court order, to do the wiretap in the first place.  They
	would then present documentation of this authorization to
	the two entities responsible for safeguarding the keys and
	obtain the keys for the device being used by the drug
	smugglers.  The key is split into two parts, which are
	stored separately in order to ensure the security of the key
	escrow system.

   Q:   Who will run the key-escrow data banks?

   A:   The two key-escrow data banks will be run by two independent
	entities.  At this point, the Department of Justice and the
	Administration have yet to determine which agencies will
	oversee the key-escrow data banks.

   Q:   How strong is the security in the device?  How can I be sure
	how strong the security is?  

   A:   This system is more secure than many other voice encryption
	systems readily available today.  While the algorithm will
	remain classified to protect the security of the key escrow
	system, we are willing to invite an independent panel of
	cryptography experts to evaluate the algorithm to assure all
	potential users that there are no unrecognized
	vulnerabilities.

   Q:   Whose decision was it to propose this product?

   A:   The National Security Council, the Justice Department, the
	Commerce Department, and other key agencies were involved in
	this decision.  This approach has been endorsed by the
	President, the Vice President, and appropriate Cabinet
	officials.

   Q:   Who was consulted?  The Congress?  Industry?

   A:   We have on-going discussions with Congress and industry on
	encryption issues, and expect those discussions to intensify
	as we carry out our review of encryption policy.  We have
	briefed members of Congress and industry leaders on the
	decisions related to this initiative.

   Q:   Will the government provide the hardware to manufacturers?

   A:   The government designed and developed the key access
	encryption microcircuits, but it is not providing the
	microcircuits to product manufacturers.  Product
	manufacturers can acquire the microcircuits from the chip
	manufacturer that produces them.

   Q:   Who provides the "Clipper Chip"?

   A:   Mykotronx programs it at their facility in Torrance,
	California, and will sell the chip to encryption device
	manufacturers.  The programming function could be licensed
	to other vendors in the future.

   Q:   How do I buy one of these encryption devices? 

   A:   We expect several manufacturers to consider incorporating
	the "Clipper Chip" into their devices.

   Q:   If the Administration were unable to find a technological
	solution like the one proposed, would the Administration be
	willing to use legal remedies to restrict access to more
	powerful encryption devices?

   A:   This is a fundamental policy question which will be
	considered during the broad policy review.  The key escrow
	mechanism will provide Americans with an encryption product
	that is more secure, more convenient, and less expensive
	than others readily available today, but it is just one
	piece of what must be the comprehensive approach to
	encryption technology, which the Administration is
	developing.

	The Administration is not saying, "since encryption
	threatens the public safety and effective law enforcement,
	we will prohibit it outright" (as some countries have
	effectively done); nor is the U.S. saying that "every
	American, as a matter of right, is entitled to an
	unbreakable commercial encryption product."  There is a
	false "tension" created in the assessment that this issue is
	an "either-or" proposition.  Rather, both concerns can be,
	and in fact are, harmoniously balanced through a reasoned,
	balanced approach such as is proposed with the "Clipper
	Chip" and similar encryption techniques.

   Q:   What does this decision indicate about how the Clinton
	Administration's policy toward encryption will differ from
	that of the Bush Administration?  

   A:   It indicates that we understand the importance of encryption
	technology in telecommunications and computing and are
	committed to working with industry and public-interest
	groups to find innovative ways to protect Americans'
	privacy, help businesses to compete, and ensure that law
	enforcement agencies have the tools they need to fight crime
	and terrorism.

   Q:   Will the devices be exportable?  Will other devices that use
	the government hardware?

   A:   Voice encryption devices are subject to export control
	requirements.  Case-by-case review for each export is
	required to ensure appropriate use of these devices.  The
	same is true for other encryption devices.  One of the
	attractions of this technology is the protection it can give
	to U.S. companies operating at home and abroad.  With this
	in mind, we expect export licenses will be granted on a
	case-by-case basis for U.S. companies seeking to use these
	devices to secure their own communications abroad.  We plan
	to review the possibility of permitting wider exportability
	of these products.



Newsgroup: sci.crypt
document_id: 15220
From: bear@kestrel.fsl.noaa.gov (Bear Giles)
Subject: How do they know what keys to ask for?  (Re: Clipper)


This may be a stupid question, but how does the government know which keys
to ask for?

Will owners be required to REGISTER their phones, faxes, modems, etc.,
and inform the government when they are moved to a different phone number?
Will there be penalties if the public does not do this?  Will identification
(the National Health Care ID, perhaps) be required when purchasing a
Clipper-equipped phone?

Or will each chip transmit identifying information at the start of
a conversation?  Identification which could be used to automatically
log who calls whom?  (The _phone_ company keeps records, but this 
information would be accessible by a well-placed van near a microwave
relay station).

This raises the question of how the two phones agree on a communications
encryption key.  Will it be something that is derived from information
exchanged at the start of the conversation -- and hence derivable by
an eavesdropper?

-- 
Bear Giles
bear@fsl.noaa.gov

Newsgroup: sci.crypt
document_id: 15221
From: brad@clarinet.com (Brad Templeton)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

The strategy of the government is interesting.  The real fear comes from
them doing more than this.

This is a voluntary program, and thus harder for us to object to on
the surface.

Their strategy is a business one rather than legal one.  They are
pushing to get a standard in place, a secret standard, and if they
get it as a standard then they will drive competitors out of the market.
It will be legal to sell better, untappable encryption that doesn't have
registered keys, but it will be difficult, and thus not a plan for
most phone companies.

You see, with clipper chip phones you'll be able to talk to any
cellular company, or other phones or ports because they will follow
the standard.  AT&T has already announced a clipper chip encryption
product.  The government has marketed hard to get major vendors to
use these chips.   If they get enough market share, they will rule.

And thus there will be very little market for systems that can't be
tapped by the police.  The public isn't that concerned about it now,
after all.  They freely do calls that anybody with an old TV can listen
to today!  They won't pay big extra bucks for proprietary phones that secure
them only from the police.

Well, some people will buy these phones, but they will only work with
other proprietary phones, so the market will be small and the phones
expensive.  Unless they are made in numbers large enough to sell them
cheap, only the Mob will buy them.

And this means that the FBI will want to track the customer lists of
better encryption phones, because "the only reason a person would want
one is to evade the police."

Interesting.
-- 
Brad Templeton, ClariNet Communications Corp. -- Sunnyvale, CA 408/296-0366

Newsgroup: sci.crypt
document_id: 15222
From: matt@wardsgi.med.yale.edu (Matt Healy)
Subject: Re: Illegal Wiretaps (was

In article <3702.204.uupcb@ssr.com>, dick.zeitlin%acc1bbs@ssr.com (Dick
Zeitlin) wrote:
> 
> PK> .Perhaps we need the telephony equivalent of an anonymous remailer for
>   > .the telephone network? Back in Prohibition days (alcohol, that is) I
>   > .understand a device called the "cheesebox" was a popular means to thwart
>   > .the tracing of telephone calls. It connected two phone lines in the back
>   > .room of an otherwise uninvolved business. It was the conceptual predecesso
>   > .of today's anonymous email remailer.
> 
> The old "cheesebox" was the pre-Carterphone version of the "call
> diverter."  After the Carterphone decision there were several vendors
> that sold call diverters.  I've got a couple in my basement that
> were used to redirect my office phone to my home number when I
> didn't feel like going into the office.
> 
> It'd be quite easy to generate an "anonymous redialer" version of the
> call diverter.
> 

About 18 months ago, I heard a report on NPR about a 900-number
"1-900-STO-PPER" or some such, for placing untraceable calls.
You call them, and on "bong" tone dial the number you want to
call; they told the NPR interviewer that nothing short of a
court order (which they'd fight) would make them release their
records.

Matt Healy
"I pretend to be a network administrator;
 the lab net pretends to work"

matt@wardsgi.med.yale.edu

Newsgroup: sci.crypt
document_id: 15223
From: ld231782@LANCE.ColoState.Edu (L. Detweiler)
Subject: An Open Letter to Mr. Clinton


I'm quite astonished, shocked, and appalled at this serious frontal 
assault on emerging American freedoms.  Neither the Clinton administration 
nor any other government agency has any legitimate role whatsoever 
in regulating cryptography. To do so is tantamount to regulating 
`acceptable' speech, and is blatantly unconstitutional. Perhaps we 
should rename this year `1984' in honor of such an illustrious 
proposal.  Let the Crappy Chip live in infamy, and the administration
receive great shame and discredit for this bizarre misadventure.

I am outraged that my tax money is being used to develop technology
to restrict my freedoms far beyond reasonable measures.  The U.S.
government will have my full uncooperation and disobedience on any
serious threat to my liberties such as this, and I call on everyone
with an interest in a sensible government to resist and defy this 
proposal.  The administration does not seem to understand that they
are merely a subservient instrument to implement the will of the
public, and hence anyone involved in this proposal in this respect is 
wholly negligent and remiss in performing their lawful duty.

>While encryption
>technology can help Americans protect business secrets and the
>unauthorized release of personal information, it also can be used
>by terrorists, drug dealers, and other criminals.

It seems to me that U.S. Diplomatic communications should be 
tappable by the U.N. whenever any countries produce a warrant to
the U.N.  In fact, I think we should stop paying the NSA billions
of dollars a year to produce unbreakable codes for this reason.
These actions violate the sovereignty of international law. (I hope
Mr. Clinton is shrewd enough to recognize my sarcasm and satire here.
But if he isn't, it's a modest and reasonable proposal, so he should
find merit with it nevertheless.)

Cryptography is neutral technology. If everybody has strong 
cryptography (including policemen, bureaucrats, businessmen, 
housewives, thugs and hoodlums), we have a sustainable 
equilibrium.  Anything less is an unworkable anti-egalitarian 
arrangement, intrinsically antithetical to American freedoms, and
guaranteed to collapse under its own weight of inherent 
impracticality. We don't need to compromise on issues of freedom.

>For too long there has been little or no dialogue between our
>private sector and the law enforcement community to resolve the
>tension between economic vitality and the real challenges of
>protecting Americans.

For too long our government has demonstrated itself to be 
increasingly hostile and a serious obstacle to economic vitality 
and protecting Americans.

>Since encryption technology will play an increasingly important
>role in that infrastructure, the Federal Government must act
>quickly to develop consistent, comprehensive policies regarding
>its use.  The Administration is committed to policies that
>protect all Americans' right to privacy while also protecting
>them from those who break the law.

It is not possible for the Federal Government
to ``act quickly'' or develop ``consistent, comprehensive
policies'' PERIOD.  And even if by some grandiose miracle such
a thing were possible, it would only be an efficient way to
deprive American citizens of fundamental and inalienable rights.

The administration has to be committed to leaving private 
industries alone, esp. on this issue.  The government has no 
legitimate role in regulating the content of communications.
Law enforcement agencies must be prepared to forfeit their
surveillance bludgeon; they are soon and inevitably to be 
disarmed of it. 

>Q:   If the Administration were unable to find a technological
>     solution like the one proposed, would the Administration be
>     willing to use legal remedies to restrict access to more
>     powerful encryption devices?

No such laws can be constitutionally sound, and this is equivalent
to a veiled threat, which I don't appreciate.  This kind of 
extortion tends to agitate me and others into radicalism. I will
trade threats for threats, and violation for violation.

>     The Administration is not saying, "since encryption
>     threatens the public safety and effective law enforcement,
>     we will prohibit it outright" (as some countries have
>     effectively done);

If the administration did say this, it would find itself 
impeached for reckless and outrageous disregard of essential,
established, entrenched, and explicit constitutional privacy 
guarantees. The administration would have no legal standing 
whatsoever; such an action would be egregiously illegal and
criminal, and wholly untolerated and disregarded by vast 
segments of the population.

>     nor is the U.S. saying that "every
>     American, as a matter of right, is entitled to an
>     unbreakable commercial encryption product." 

The U.S., comprised of a vast majority of people fanatically 
committed to preserving their privacy in the face of an 
increasingly totalitarian government, is saying just that.  
Take your chips and give them to NSA employees as Christmas bonuses.
We can run any algorithm on our computers we damn well please, 
and we will make any chips we please, and we will send any bit 
pattern over our data highways we please. And if you try to stop 
us, you will be gradually or abruptly dissolved into nothingness.

[privacy vs. law enforcement]
>     There is a
>     false "tension" created in the assessment that this issue is
>     an "either-or" proposition. 

This is an outright Dingaling Denning lie.  The two aims of
privacy and surveillance are intrinsically and fundamentally 
incompatible, and you have to work for the NSA to think otherwise. 
Americans are about to discover ways, through the use of technology, 
to preserve their inalienable but forgotten freedoms that have slowly 
been eroded away by an increasingly distant and unresponsive and 
*unrepresentative* government.

--

ld231782@longs.LANCE.ColoState.EDU

Newsgroup: sci.crypt
document_id: 15224
From: tcmay@netcom.com (Timothy C. May)
Subject: "Clipper" an Infringement on Intergraph's Name?

Besides being an infringement on our civil liberties (not the subject
in this post), the name "Clipper Chip" seems very confusable with the
"Clipper" chip of Intergraph.

Originally designed by a team at Fairchild Semiconductor, Clipper was
a 32-bit RISC microprocessor. It is still used in some workstations,
notably those from Intergraph, the supplier of CAD tools. Intergraph
acquired the Clipper product line when Fairchild was sold to National
Semiconductor several years back.

When I first saw "Clipper Chip" in the announcement, I immediately
thought the article was referring to the Clipper chip I know.

This seems to be grounds for Intergraph to sue, but then I'm not a
lawyer. I'd say I'm a cryptologist, but I don't want to incriminate
myself under the laws of the new regime.

-Tim May


-- 
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,  
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets, 
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^756839 | Public Key: PGP and MailSafe available.


Newsgroup: sci.crypt
document_id: 15225
From: matt@wardsgi.med.yale.edu (Matt Healy)
Subject: Re: Patents (was RC2 RC4)

In article <bontchev.734787730@fbihh>,
bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) wrote:
> 
> ahaley@eoe.co.uk (Andrew Haley) writes:
> 
> > : Coca-Cola has always understood it.
> 
> > Coca-cola is made under licence in dozens of countries around the
> > world.  You're crazy if you think PepsiCo doesn't know the recipe.
> 
> In all those countries Coca-cola is distributed in a form of
> concentrate which the local producers simply mix with water and other
> simple ingredients. The trick is to know what is in the concentrate...
> 

I don't know if this is still true, but at one time Coca-Cola
took elaborate measures to keep the formula secret.  For instance,
several plants in different cities each made one of six partial
concentrates, which were then shipped back and forth and remixed
in a complicated scheme so that no single plant made the whole
formula.  By now, I would guess that PepsiCo's chemists would have
reverse-engineered it; can't be all that exotic.  Actually I
prefer Pepsi anyhow; in about 3 minutes I'm gonna put money
into a Pepsi vending machine...

Matt Healy
"I pretend to be a network administrator;
 the lab net pretends to work"

matt@wardsgi.med.yale.edu

Newsgroup: sci.crypt
document_id: 15226
From: rlglende@netcom.com (Robert Lewis Glendenning)
Subject: Re: The Old Key Registration Idea...

The Clipper Chip will have no effect.  Current generation PCs, portable
and desktop, all have analog voice -> digital voice and vice versa
capabilities.  So, I only need a modem output to the telephone,
and I can interpose any encryption screen on my voice traffic I want.

Not even a big deal, but it will pass muster if they have a way
of checking whether I am using their Clipper Chip encryption without
a full decoding.

I have been chided for stating that Dorothy Denning was intellectually
dishonest in the ACM debate and in this newsgroup.  I have previously
refrained from suggesting that she is arguing on behalf of consulting
clients.

Now, I say that it is clear that Dorothy Denning has been functioning
as a lobbyist, not a computer scientist.  She has used legal ethics
(truth is what you can convince anyone of), not scientific ethics
(truth is understanding the external world).

Maybe we can revoke her ACM membership? 8)

Lew
-- 
Lew Glendenning		rlglende@netcom.com
"Perspective is worth 80 IQ points."	Niels Bohr (or somebody like that).

Newsgroup: sci.crypt
document_id: 15227
From: mjr@tis.com (Marcus J Ranum)
Subject: Re: How to detect use of an illegal cipher?

>>How can the government tell which encryption method one is using without
>>being able to decode the traffic? i.e., In order to accuse me of using an
>>unauthorized strong encryption technique they would have to take both
>>keys out of escrow, run them against my ciphertext and "draw a blank".
>
>	I was thinking about this, also. It's quite possible the
>system transmits, in clear, the serial number of the device being
>used. That way they can start a tap, get the serial number, and use
>the warrant for the first tap to get the key.
>
>	If they tap someone who's apparently using encryption, but
>don't find that prefix, then they'll assume it's an "un-authorized"
>encryption scheme.

	This doesn't handle superencrypted traffic. If the clipper
doesn't impose any unfortunate performance side-effects there's no
reason not to use it to superencrypt a stream of triple-DES encrypted
traffic. That way your traffic looks "normal" and perhaps anyone
desiring to listen in won't even bother, since they know nobody's
going to really trust crypto that has classified internals for
important stuff.

mjr.

Newsgroup: sci.crypt
document_id: 15228
Subject: Re: Pgp, PEM, and RFC's (Was: Cryptography Patents)
From: a_rubin@dsg4.dse.beckman.com (Arthur Rubin)

In <C5LJ0t.K52@blaze.cs.jhu.edu> eifrig@beanworld.cs.jhu.edu (Jonathan Eifrig) writes:

>FACT:  It is unlawful to distribute code implementing RSA without a license
>to do so from PKP, whether or not one is charging for it.  Furthermore,
>any use of RSA, other than for research purposes allowed under US patent
>law, is similarly unlawful.  Therefore, the "average citizen" cannot use
>RSA to encrypt message traffic in the US without a license from PKP.

WRONG:  I don't think even PKP claims this one.  It is not unlawful to
distribute code implementing RSA.  It appears to be unlawful to use it, so
I agree with your last sentence.

>FACT:  There are no restrictions (yet!) on the use of cryptography under
>US law, although this is beginning to look like it will change.  The only
>impediments to widespread use of RSA cryptography in the US are PKP's
>patents.

Yes, that's correct.
--
Arthur L. Rubin: a_rubin@dsg4.dse.beckman.com (work) Beckman Instruments/Brea
216-5888@mcimail.com 70707.453@compuserve.com arthur@pnet01.cts.com (personal)
My opinions are my own, and do not represent those of my employer.

Newsgroup: sci.crypt
document_id: 15229
From: jhesse@netcom.com (John Hesse)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption


Stupid me. I believed the Democrats stood for principles of personal
privacy while it was the Neanderthal Republicans that wanted into every
aspect of our lives. 

Clinton is just more clever than the other guy. Looks like gun control for
privacy technology. One small step at a time.

Wait a minute....  Let me think about this.

Hmmm, I feel better now. I believe the White House when they tell us
this first step is, in fact, the final step. All is OK. We've nothing to fear.
They're here to help us. 

God bless America.
-- 
------------------------------------------------------------------------------
John Hesse           |          A man,     
jhesse@netcom.com    |                 a plan, 
Moss Beach, Calif    |                         a canal, Bob.
------------------------------------------------------------------------------

Newsgroup: sci.crypt
document_id: 15230
From: mjr@tis.com (Marcus J Ranum)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

brad@clarinet.com (Brad Templeton) writes:
>And this means that the FBI will want to track the customer lists of
>better encryption phones, because "the only reason a person would want
>one is to evade the police."

	Then they'll probably also want to start tracking the customer
lists of people purchasing SoundBlaster and similar boards, which can
be configured with the use of some code and a modem, to act as a pretty
decent digital-encrypting telephone. It's expensive, though, and kind
of awkward. I don't know any drug lords, but I'm sure they'd favor
something tappable over something secure as long as the user interface
is nice.

	When you've got HRH Prince of Wales saying stupid things over
cordless phones, it's not hard to imagine that drug dealers, child
pornographers, commies, LISP programmers, and other threats to the
civilized world might transact incriminating business over "encrypting"
cellular phones.


mjr.

Newsgroup: sci.crypt
document_id: 15231
From: jhesse@netcom.com (John Hesse)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

In article <strnlghtC5LGFI.JqA@netcom.com> strnlght@netcom.com (David Sternlight) writes:
>
>
>Though I share many of the concerns expressed by some, I find the proposal
>less threatening than many others, since right now most Americans have no
>secure telephony, and any jerk with a pair of clip leads and a "goat" can
>eavesdrop. This would also plug up the security hole in cellular and
>cordless phones.
>

Oh great. Wonderful news. Nobody can listen in--except the feds. You
believe that the feds offer the least threat to liberty of anyone, and I'm
sure I do too.

Glad that jerk won't be tapping my phone anymore.
-- 
------------------------------------------------------------------------------
John Hesse           |          A man,     
jhesse@netcom.com    |                 a plan, 
Moss Beach, Calif    |                         a canal, Bob.
------------------------------------------------------------------------------

Newsgroup: sci.crypt
document_id: 15232
From: rboudrie@chpc.org (Rob Boudrie)
Subject: Re: White House Public Encryption Management Fact Sheet


>security of the key-escrow system.  In making this decision, I do
>not intend to prevent the private sector from developing, or the
>government from approving, other microcircuits or algorithms that
>are equally effective in assuring both privacy and a secure key-
>escrow system.

Yeah, but does he intend to prevent the private sector from
developing other applications that are equally effective in 
assuring privacy, but do not have a key escrow system?

Newsgroup: sci.crypt
document_id: 15233
Subject: Re: text of White House announcement and Q&As on clipper chip encryption
From: uni@acs.bu.edu (Shaen Bernhardt)

In article <1qmugcINNpu9@gap.caltech.edu> hal@cco.caltech.edu (Hal Finney) writes:
>The key question is whether non-Clipper encryption will be made illegal.
>
>>     The Administration is not saying, "since encryption
>>     threatens the public safety and effective law enforcement,
>>     we will prohibit it outright" (as some countries have
>>     effectively done); nor is the U.S. saying that "every
>>     American, as a matter of right, is entitled to an
>>     unbreakable commercial encryption product."  There is a
>>     false "tension" created in the assessment that this issue is
>>     an "either-or" proposition.  Rather, both concerns can be,
>>     and in fact are, harmoniously balanced through a reasoned,
>>     balanced approach such as is proposed with the "Clipper
>>     Chip" and similar encryption techniques.
>
>The clear middle ground implied by these statements is to say that Americans
>have the right to Clipper encryption, but not to unbreakable encryption.
>This implies that, ultimately, non-Clipper strong encryption must become
>illegal.

[Text deleted, no value judgement implied]

>It's shocking and frightening to see that this is actually happening here.
>
>Hal Finney
>hal@alumni.caltech.edu

More than shocking.  What this says to me is no less than that government
is very interested in monitoring the public.  This does more than scare me,
it mortifies me.

PGP and RIPEM must become widespread enough to resist what Mr. Finney has
[IMHO correctly] identified as the next logical step.  What was once an
academic discussion with regard to concealing cyphertext, has now become
a real consideration.

The rhetoric that the Clinton administration seems obsessed with, harmony,
either-or propositions, tension, tells me that they know how difficult
it will be to sell this proposition.

The phrase I hear more and more is "I can't believe this is actually happening
here."  Call me conservative, Clinton was a huge mistake that we'll all be
paying for tomorrow and many years from now.

Have we approached the age of speakeasy public key depositories?

uni (Dark)
-- 
uni@acs.bu.edu  ->  Public Keys by finger and/or request
Public Key Archives at <pgp-public-keys@junkbox.cc.iastate.edu>
Sovereignty is the sign of a brutal past.

Newsgroup: sci.crypt
document_id: 15234
From: hal@cco.caltech.edu (Hal Finney)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

brad@clarinet.com (Brad Templeton) writes:

>Their strategy is a business one rather than legal one.  They are
>pushing to get a standard in place, a secret standard, and if they
>get it as a standard then they will drive competitors out of the market.
>It will be legal to sell better, untapable encryption that doesn't have
>registered keys, but it will be difficult, and thus not a plan for
>most phone companies.

If Brad's analysis is correct, it may offer an explanation for why the
encryption algorithm is being kept secret.  This will prevent competitors
from coming out with Clipper-compatible phones which lack the government-
installed "back door."  The strategy Brad describes will only work as long
as the only way to get compatible phones is to have ones with the government
chips.

(It would be nice, from the point of view of personal privacy, if Brad
turns out to be right.  As long as people still have the power to provide
their own encryption in place of or in addition to the Clipper, privacy
is still possible.  But the wording of several passages in the announcement
makes me doubt whether this will turn out to be true.)

Hal Finney

Newsgroup: sci.crypt
document_id: 15235
From: rboudrie@chpc.org (Rob Boudrie)
Subject: Re: The Old Key Registration Idea...

In article <1qn1ic$hp6@access.digex.net> pcw@access.digex.com (Peter Wayner) writes:
>Okay, let's suppose that the NSA/NIST/Mykotronix Registered
>Key system becomes standard and I'm able to buy such a system
>from my local radio shack. Every phone comes with a built in
>chip and the government has the key to every phone call. 
>I go and buy a phone and dutifully register the key. 
>
>What's to prevent me from swapping phones with a friend or 
>buying a used phone at a garage sale? Whooa. The secret registered
>keys just became unsynchronized. When the government comes 

It's very possible, even likely, that the serial number of the
individual chip is broadcast either in a standard encrypted 
format, so that all the big brother types need to do is listen to
the traffic, get  a court order (generally just by saying that they
think you may be a crook) and go to it.
>to listen in, they only receive gobbledly-gook because the 
>secret key registered under my name isn't the right one. 
>
>That leads me to conjecture that:
>
>1) The system isn't that secure. There are just two master keys
>that work for all the phones in the country. The part about
>registering your keys is just bogus. 
>
>or 
>
>2) The system is vulnerable to simple phone swapping attacks
>like this. Criminals will quickly figure this out and go to
>town.
>
>In either case, I think we need to look at this a bit deeper.



Newsgroup: sci.crypt
document_id: 15236
From: rboudrie@chpc.org (Rob Boudrie)
Subject: Why the algorithm is secret


My thoughts on why the algorithm is secret :

   The chip is (regrettably) likely to become a standard.   There will
   be many applications where economic factors dictate use of this
   chip, like it or not.

   If the algorithm is public, and the code is as secure (absent the 
   access to escrowed keys) as represented, an enterprising sort 
   would make "compatible crypto chips for which no key had been
   escrowed".  This is likely what the release was referring to when 
   they referred to the secrecy of the algorithm protecting the
   security of the escrow system.

                                        rob boudrie

Newsgroup: sci.crypt
document_id: 15237
From: schneier@chinet.chi.il.us (Bruce Schneier)
Subject: ISSA '93 Conference

If there is anyone attending the ISSA conference in Arlington, VA next
week, I would appreciate them getting in touch with me.

Bruce

Newsgroup: sci.crypt
document_id: 15238
From: brad@clarinet.com (Brad Templeton)
Subject: Re: How do they know what keys to ask for?  (Re: Clipper)

The actual algorithm is classified, however, their main thrust here is
for cellular phones, and encryption is only over the radio end, not
end to end, I think.   End to end will come later.

And of course you have to identify yourself to the phone company, and
since the phone company complies with court orders, they will know the
magic number of your chip when they sign out a warrant on you, and
then can present the warrant to the key escrow house.
-- 
Brad Templeton, ClariNet Communications Corp. -- Sunnyvale, CA 408/296-0366

Newsgroup: sci.crypt
document_id: 15239
From: brad@clarinet.com (Brad Templeton)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

In article <1qnn7b$ddc@sol.TIS.COM> mjr@tis.com (Marcus J Ranum) writes:
>	When you've got HRH Prince of Wales saying stupid things over
>cordless phones, it's not hard to imagine that drug dealers, child
>pornographers, commies, LISP programmers, and other threats to the
>civilized world might transact incriminating business over "encrypting"
>cellular phones.
>

Let's assume, for the moment, that the system really is secure unless
you get both halves of the encryption key from the two independent
escrow houses.  Let's say you even trust the escrow houses -- one is
the ACLU and the other is the EFF.  (And I'm not entirely joking about
those two names)

In that case the Prince of Wales has nothing to worry about on this
system.  Indeed, as pointed out, since the current systems, even the
current digital systems, are very easy to decode -- right now anybody
with an old TV can hear them -- for most people, this will be viewed
as an "oh goody" step upwards.

And look at how tolerant the public is.  They're willing to let the
neighbours with the radios hear right now.

It was suggested by one person that a *lot* of non-evidentiary wiretapping
is going on right now without warrants, because anybody can do it and it's
just an ECPA violation.  This would stop that.  All tapping would need
a warrant, or a breach of security at the escrow houses.
-- 
Brad Templeton, ClariNet Communications Corp. -- Sunnyvale, CA 408/296-0366

Newsgroup: sci.crypt
document_id: 15240
From: brad@clarinet.com (Brad Templeton)
Subject: Once tapped, your code is no good any more.

It occurs to me that if they get a wiretap order on you, and the escrow
houses release your code to the cops, your code is now no longer secure.

It's in the hands of cops, and while I am sure most of the time they are
good, their security will not be as good as the escrow houses.


What this effectively means is that if they perform a wiretap on you,
at the end of the wiretap, they should be obligated to inform you that
a tap was performed, and replace (for free) the clipper chip in your
cellular phone so that it is once again a code known only to the
escrow houses.

Do the police normally reveal every tap they do even if no charges are
laid?   In many ways, it would be a positive step if they had to.
Judges set time limits on warrants, I assume.  At the end of the time
limit they should have to renew or replace your chip.


That's if we go with this scheme, which I am not sure I agree with.
-- 
Brad Templeton, ClariNet Communications Corp. -- Sunnyvale, CA 408/296-0366

Newsgroup: sci.crypt
document_id: 15241
From: amanda@intercon.com (Amanda Walker)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

jhesse@netcom.com (John Hesse) writes:
> Oh great. Wonderful news. Nobody can listen in--except the feds. 

Hey, it's better than the status quo.

I am far less worried about "the feds" tapping my phone than high school 
scanner surfers who get their kicks out of eavesdropping on cellular and 
cordless phone calls.

It would be stupid to rely on even a "Clipperized" channel for truly 
sensitive material, but it *does* seem to finally offer a reasonable way to 
guard against casual eavesdropping.  For example, even with my strong "right 
to bear arms" view of the private right to possess and use strong 
cryptosystems, the system as described provides enough security that I would 
actually buy a cordless phone, and would be much less wary of using cellular 
phones, walkie-talkies, and so on.  As long as it's only used for mass-market 
voice scrambling, I actually don't see a problem with it.

If you want more security than it offers, use something different.  Use PKCS 
for electronic mail, CELP over DES or triple DES with Diffie-Hellman key 
exchange for your voice traffic, or whatever.

And yes, I'd rather just see all crypto restrictions lifted, but this is at 
least an incremental improvement for certain applications...


Amanda Walker
InterCon Systems Corporation



Newsgroup: sci.crypt
document_id: 15242
From: amanda@intercon.com (Amanda Walker)
Subject: Re: text of White House announcement and Q&As on clipper chip 
	encryption

In article <115713@bu.edu>, uni@acs.bu.edu (Shaen Bernhardt) writes:
> More than shocking.  What this says to me is no less than that 
> government is very interested in monitoring the public.  This does more 
> than scare me, it mortifies me. 

If this is any surprise to you, *I'm* shocked.


Amanda Walker
InterCon Systems Corporation



Newsgroup: sci.crypt
document_id: 15243
From: crypt-comments@math.ncsu.edu
Subject: Cryptography FAQ 01/10 - Overview

Archive-name: cryptography-faq/part01
Last-modified: 1993/4/15


FAQ for sci.crypt, part 1: Overview

This is the first of ten parts of the sci.crypt FAQ. The parts are
mostly independent, but you should read this part before the rest. We
don't have the time to send out missing parts by mail, so don't ask.
Notes such as ``[KAH67]'' refer to the reference list in the last part.

Disclaimer: This document is the product of the Crypt Cabal, a secret
society which serves the National Secu---uh, no. Seriously, we're the
good guys, and we've done what we can to ensure the completeness and
accuracy of this document, but in a field of military and commercial
importance like cryptography you have to expect that some people and
organizations consider their interests more important than open
scientific discussion. Trust only what you can verify firsthand.
And don't sue us.

Many people have contributed to this FAQ. In alphabetical order:
Eric Bach, Steve Bellovin, Dan Bernstein, Nelson Bolyard, Carl Ellison,
Jim Gillogly, Mike Gleason, Doug Gwyn, Luke O'Connor, Tony Patti,
William Setzer. We apologize for any omissions.

If you have suggestions, comments, or criticism, please let the current
editors know by sending e-mail to crypt-comments@math.ncsu.edu.  We don't
assume that this FAQ is at all complete at this point.

Archives: sci.crypt has been archived since October 1991 on
cl-next2.cl.msu.edu, though these archives are available only to U.S. and
Canadian users. Please contact crypt-comments@math.ncsu.edu if you know of
other archives.

The sections of this FAQ are available via anonymous FTP to rtfm.mit.edu 
as /pub/usenet/news.answers/cryptography-faq/part[xx].  The Cryptography 
FAQ is posted to the newsgroups sci.crypt, sci.answers, and news.answers 
every 21 days.


Table of contents:

1 Overview

2 Net Etiquette
* What groups are around? What's a FAQ? Who am I? Why am I here?
* Do political discussions belong in sci.crypt?
* How do I present a new encryption scheme in sci.crypt?

3 Basic Cryptology
* What is cryptology? Cryptography? Plaintext? Ciphertext? Encryption? Key?
* What references can I start with to learn cryptology?
* How does one go about cryptanalysis?
* What is a brute-force search and what is its cryptographic relevance?
* What are some properties satisfied by every strong cryptosystem?
* If a cryptosystem is theoretically unbreakable, then is it
  guaranteed analysis-proof in practice?
* Why are many people still using cryptosystems that are
  relatively easy to break?

4 Mathematical Cryptology
* In mathematical terms, what is a private-key cryptosystem?
* What is an attack?
* What's the advantage of formulating all this mathematically?
* Why is the one-time pad secure?
* What's a ciphertext-only attack?
* What's a known-plaintext attack?
* What's a chosen-plaintext attack?
* In mathematical terms, what can you say about brute-force attacks?
* What's a key-guessing attack? What's entropy?

5 Product ciphers
* What is a product cipher?
* What makes a product cipher secure?
* What are some group-theoretic properties of product ciphers?
* What can be proven about the security of a product cipher?
* How are block ciphers used to encrypt data longer than the block size?
* Can symmetric block ciphers be used for message authentication?
* What exactly is DES?
* What is triple DES?
* What is differential cryptanalysis?
* How was NSA involved in the design of DES?
* Is DES available in software?
* Is DES available in hardware?
* Can DES be used to protect classified information?
* What are "ECB", "CBC", "CFB", and "OFB" encryption?

6 Public-Key Cryptography
* What is public-key cryptography?
* What's RSA?
* Is RSA secure?
* How fast can people factor numbers?
* What about other public-key cryptosystems?

7 Digital Signatures and Hash Functions
* What is a one-way hash function?
* What is the difference between public, private, secret, shared, etc.?
* What are MD4 and MD5?
* What is Snefru?

8 Technical Miscellany
* How do I recover from lost passwords in WordPerfect?
* How do I break a Vigenere (repeated-key) cipher?
* How do I send encrypted mail under UNIX? [PGP, RIPEM, PEM, ...]
* Is the UNIX crypt command secure?
* How do I use compression with encryption?
* Is there an unbreakable cipher?
* What does ``random'' mean in cryptography?
* What is the unicity point (a.k.a. unicity distance)?
* What is key management and why is it important?
* Can I use pseudo-random or chaotic numbers as a key stream?
* What is the correct frequency list for English letters?
* What is the Enigma?
* How do I shuffle cards?
* Can I foil S/W pirates by encrypting my CD-ROM?
* Can you do automatic cryptanalysis of simple ciphers?
* What is the coding system used by VCR+?

9 Other Miscellany
* What is the National Security Agency (NSA)?
* What are the US export regulations?
* What is TEMPEST?
* What are the Beale Ciphers, and are they a hoax?
* What is the American Cryptogram Association, and how do I get in touch?
* Is RSA patented?
* What about the Voynich manuscript?

10 References
* Books on history and classical methods
* Books on modern methods
* Survey articles
* Reference articles
* Journals, conference proceedings
* Other
* How may one obtain copies of FIPS and ANSI standards cited herein?
* Electronic sources
* RFCs (available from [FTPRF])
* Related newsgroups

Newsgroup: sci.crypt
document_id: 15244
From: crypt-comments@math.ncsu.edu
Subject: Cryptography FAQ 04/10 - Mathematical Cryptology

Archive-name: cryptography-faq/part04
Last-modified: 1993/4/15


FAQ for sci.crypt, part 4: Mathematical Cryptology

This is the fourth of ten parts of the sci.crypt FAQ. The parts are
mostly independent, but you should read the first part before the rest.
We don't have the time to send out missing parts by mail, so don't ask.
Notes such as ``[KAH67]'' refer to the reference list in the last part.

The sections of this FAQ are available via anonymous FTP to rtfm.mit.edu 
as /pub/usenet/news.answers/cryptography-faq/part[xx].  The Cryptography 
FAQ is posted to the newsgroups sci.crypt, sci.answers, and news.answers
every 21 days.


Contents:

* In mathematical terms, what is a private-key cryptosystem?
* What is an attack?
* What's the advantage of formulating all this mathematically?
* Why is the one-time pad secure?
* What's a ciphertext-only attack?
* What's a known-plaintext attack?
* What's a chosen-plaintext attack?
* In mathematical terms, what can you say about brute-force attacks?
* What's a key-guessing attack? What's entropy?


* In mathematical terms, what is a private-key cryptosystem?

  A private-key cryptosystem consists of an encryption system E and a
  decryption system D. The encryption system E is a collection of
  functions E_K, indexed by ``keys'' K, mapping some set of
  ``plaintexts'' P to some set of ``ciphertexts'' C. Similarly the
  decryption system D is a collection of functions D_K such that
  D_K(E_K(P)) = P for every plaintext P.  That is, successful decryption
  of ciphertext into plaintext is accomplished using the same key
  (index) as was used for the corresponding encryption of plaintext
  into ciphertext.  Such systems, wherein the same key value is used to
  encrypt and decrypt, are also known as ``symmetric'' cryptosystems.

* What is an attack?

  In intuitive terms a (passive) attack on a cryptosystem is any method
  of starting with some information about plaintexts and their
  corresponding ciphertexts under some (unknown) key, and figuring out
  more information about the plaintexts. It's possible to state
  mathematically what this means. Here we go.

  Fix functions F, G, and H of n variables. Fix an encryption system E,
  and fix a distribution of plaintexts and keys.

  An attack on E using G assuming F giving H with probability p is an
  algorithm A with a pair f, g of inputs and one output h, such that
  there is probability p of computing h = H(P_1,...,P_n), if we have
  f = F(P_1,...,P_n) and g = G(E_K(P_1),...,E_K(P_n)). Note that this
  probability depends on the distribution of the vector (K,P_1,...,P_n).

  The attack is trivial (or ``pointless'') if there is probability at
  least p of computing h = H(P_1,...,P_n) if f = F(P_1,...,P_n) and
  g = G(C_1,...,C_n). Here C_1,...,C_n range uniformly over the possible
  ciphertexts, and have no particular relation to P_1,...,P_n. In other
  words, an attack is trivial if it doesn't actually use the encryptions
  E_K(P_1),...,E_K(P_n).

  An attack is called ``one-ciphertext'' if n = 1, ``two-ciphertext'' if
  n = 2, and so on.

* What's the advantage of formulating all this mathematically?

  In basic cryptology you can never prove that a cryptosystem is secure.
  Read part 3: we keep saying ``a strong cryptosystem must have this
  property, but having this property is no guarantee that a cryptosystem
  is strong!''

  In contrast, the purpose of mathematical cryptology is to precisely
  formulate and, if possible, prove the statement that a cryptosystem is
  strong. We say, for example, that a cryptosystem is secure against
  all (passive) attacks if any nontrivial attack against the system (as
  defined above) is too slow to be practical. If we can prove this
  statement then we have confidence that our cryptosystem will resist
  any (passive) cryptanalytic technique. If we can reduce this statement
  to some well-known unsolved problem then we still have confidence that
  the cryptosystem isn't easy to break.

  Other parts of cryptology are also amenable to mathematical
  definition. Again the point is to explicitly identify what assumptions
  we're making and prove that they produce the desired results. We can
  figure out what it means for a particular cryptosystem to be used
  properly: it just means that the assumptions are valid.

  The same methodology is useful for cryptanalysis too. The cryptanalyst
  can take advantage of incorrect assumptions. Often he can try to
  construct a proof of security for a system, see where the proof fails,
  and use these failures as the starting points for his analysis.
  
* Why is the one-time pad secure?

  By definition, the one-time pad is a cryptosystem where the
  plaintexts, ciphertexts, and keys are all strings (say byte strings)
  of some length m, and E_K(P) is just the sum (let's say the exclusive
  or) of K and P.

  It is easy to prove mathematically that there are _no_ nontrivial
  single-ciphertext attacks on the one-time pad, assuming a uniform
  distribution of keys. Note that we don't have to assume a uniform
  distribution of plaintexts. (Here's the proof: Let A be an attack,
  i.e., an algorithm taking two inputs f, g and producing one output h,
  with some probability p that h = H(P) whenever f = F(P) and
  g = G(E_K(P)) (i.e., g = G(K + P)). Then, because the distribution of
  K is uniform and independent of P, the distribution of K + P must also
  be uniform and independent of P. But also the distribution of C is
  uniform and independent of P. Hence there is probability exactly p
  that h = H(P) whenever f = F(P) and g = G(C), over all P and C. Thus
  a fortiori A is trivial.)

  On the other hand the one-time pad is _not_ secure if a key K is used
  for more than one plaintext: i.e., there are nontrivial
  multiple-ciphertext attacks. So to be properly used a key K must be
  thrown away after one encryption. The key is also called a ``pad'';
  this explains the name ``one-time pad.''

* What's a ciphertext-only attack?

  In the notation above, a ciphertext-only attack is one where F is
  constant. Given only some information G(E_K(P_1),...,E_K(P_n)) about
  n ciphertexts, the attack has to have some chance of producing some
  information H(P_1,...,P_n) about the plaintexts. The attack is trivial
  if it has just as good a chance of producing H(P_1,...,P_n) when given
  G(C_1,...,C_n) for random C_1,...,C_n.

  For example, say G(C) = C, and say H(P) is the first bit of P. We can
  easily write down an attack---the ``guessing attack,'' which simply
  guesses that H(P) is 1. This attack is trivial because it doesn't use
  the ciphertext: it has a fifty-fifty chance of guessing correctly no
  matter what. On the other hand there is an attack on RSA which
  produces one bit of information about P, with 100% success, using C:
  the Jacobi symbol of P modulo the public modulus n. Since the public
  exponent e is odd, (C/n) = (P/n)^e = (P/n), so whoever holds C can
  compute (P/n) exactly. If it is fed a random C then the success rate
  drops to 50%. So this is a nontrivial attack.
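  The following is an added example, not part of this FAQ, showing the
  one-bit RSA leak in working code: the Jacobi symbol of P is recovered
  from C alone with 100% success, and the same attack fed unrelated
  ciphertexts succeeds only half the time, which is exactly the
  trivial/nontrivial distinction defined above.  The primes, exponent
  and sample plaintexts are constructed for illustration and are far too
  small for any real use.

```python
import random


def jacobi(a, n):
    """Jacobi symbol (a/n) for a positive odd modulus n, via quadratic reciprocity."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    result = 1
    while a != 0:
        while a % 2 == 0:            # pull out factors of 2 using the value of (2/n)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                  # reciprocity: (a/n) = (n/a) unless both are 3 mod 4
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0   # n > 1 at the end means gcd(a, n) > 1


# Toy RSA parameters, constructed for illustration only (far too small to be secure).
P_PRIME, Q_PRIME = 1009, 1013
N = P_PRIME * Q_PRIME
E = 17                               # odd, as every RSA public exponent is


def encrypt(plaintext):
    """Textbook RSA: C = P^E mod N, no padding."""
    return pow(plaintext, E, N)


def leaked_bit(ciphertext):
    """What anyone holding C can compute: (C/N) = (P/N)^E = (P/N), because E is odd."""
    return jacobi(ciphertext, N)


def attack_success_rate(plaintexts):
    """Fraction of plaintexts whose Jacobi symbol the attack gets right from the real C."""
    plaintexts = list(plaintexts)
    hits = sum(leaked_bit(encrypt(p)) == jacobi(p, N) for p in plaintexts)
    return hits / len(plaintexts)


def trivial_success_rate(plaintexts, seed=1):
    """The same attack fed an unrelated random C for each P: reduced to guessing."""
    plaintexts = list(plaintexts)
    rng = random.Random(seed)        # seeded so the figure is reproducible
    hits = sum(leaked_bit(rng.randrange(1, N)) == jacobi(p, N) for p in plaintexts)
    return hits / len(plaintexts)


if __name__ == "__main__":
    sample = range(1, 2001)
    print("with real ciphertexts:  ", attack_success_rate(sample))
    print("with random ciphertexts:", trivial_success_rate(sample))
```

  The leak is independent of the key size: it is a property of raising
  to an odd power modulo n, which is one reason real systems never
  encrypt raw numbers with RSA but pad them first.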

* What's a known-plaintext attack?

  The classic known-plaintext attack has F(P_1,P_2) = P_1,
  G(C_1,C_2) = (C_1,C_2), and H(P_1,P_2) depending only on P_2.
  In other words, given two ciphertexts C_1 and C_2 and one decryption
  P_1, the known-plaintext attack should produce information about the
  other decryption P_2.

  Note that known-plaintext attacks are often defined in the literature
  as producing information about the key, but this is pointless: the
  cryptanalyst generally cares about the key only insofar as it lets him
  decrypt further messages.

* What's a chosen-plaintext attack?

  A chosen-plaintext attack is the first of an increasingly impractical
  series of _active_ attacks on a cryptosystem: attacks where the
  cryptanalyst feeds data to the encryptor. These attacks don't fit into
  our model of passive attacks explained above. Anyway, a
  chosen-plaintext attack lets the cryptanalyst choose a plaintext and
  look at the corresponding ciphertext, then repeat until he has figured
  out how to decrypt any message. More absurd examples of this sort of
  attack are the ``chosen-key attack'' and ``chosen-system attack.''

  A much more important form of active attack is a message corruption
  attack, where the attacker tries to change the ciphertext in such a
  way as to make a useful change in the plaintext.

  There are many easy ways to throw kinks into all of these attacks:
  for instance, automatically encrypting any plaintext P as
  T,E_K(h(T+R+P),R,P), where T is a time-key (sequence number) chosen anew
  for each message, R is a random number, and h is a one-way hash
  function. Here comma means concatenation and plus means exclusive-or.

* In mathematical terms, what can you say about brute-force attacks?

  Consider the following known-plaintext attack. We are given some
  plaintexts P_1,...,P_{n-1} and ciphertexts C_1,...,C_{n-1}. We're
  also given a ciphertext C_n. We run through every key K. When we find
  K such that E_K(P_i) = C_i for every i < n, we print D_K(C_n).

  If n is big enough that only one key works, this attack will succeed
  on valid inputs all the time, while it will produce correct results
  only once in a blue moon for random inputs. Thus this is a nontrivial
  attack. Its only problem is that it is very slow if there are many
  possible keys.

* What's a key-guessing attack? What's entropy?

  Say somebody is using the one-time pad---but isn't choosing keys
  randomly and uniformly from all m-bit messages, as he was supposed to
  for our security proof. In fact say he's known to prefer keys which
  are English words. Then a cryptanalyst can run through all English
  words as possible keys. This attack will often succeed, and it's much
  faster than a brute-force search of the entire keyspace.

  We can measure how bad a key distribution is by calculating its
  entropy. This number E is the number of ``real bits of information''
  of the key: a cryptanalyst who tries keys in order of decreasing
  probability will typically happen across the key within about 2^E
  guesses. E is defined as the sum over all keys K of -p_K log_2 p_K,
  where p_K is the probability of key K. (The 2^E figure is a rule of
  thumb, not a theorem: for a badly skewed distribution the expected
  number of guesses can be far larger than 2^E, even though the few
  very likely keys fall quickly.)

Newsgroup: sci.crypt
document_id: 15245
From: crypt-comments@math.ncsu.edu
Subject: Cryptography FAQ 08/10 - Technical Miscellany

Archive-name: cryptography-faq/part08
Last-modified: 1993/4/15


FAQ for sci.crypt, part 8: Technical Miscellany

This is the eighth of ten parts of the sci.crypt FAQ. The parts are
mostly independent, but you should read the first part before the rest.
We don't have the time to send out missing parts by mail, so don't ask.
Notes such as ``[KAH67]'' refer to the reference list in the last part.


Contents

* How do I recover from lost passwords in WordPerfect?
* How do I break a Vigenere (repeated-key) cipher?
* How do I send encrypted mail under UNIX? [PGP, RIPEM, PEM, ...]
* Is the UNIX crypt command secure?
* How do I use compression with encryption?
* Is there an unbreakable cipher?
* What does ``random'' mean in cryptography?
* What is the unicity point (a.k.a. unicity distance)?
* What is key management and why is it important?
* Can I use pseudo-random or chaotic numbers as a key stream?
* What is the correct frequency list for English letters?
* What is the Enigma?
* How do I shuffle cards?
* Can I foil S/W pirates by encrypting my CD-ROM?
* Can you do automatic cryptanalysis of simple ciphers?
* What is the coding system used by VCR+?


* How do I recover from lost passwords in WordPerfect?

  WordPerfect encryption has been shown to be very easy to break.
  The method uses XOR with two repeating key streams: a typed password
  and a byte-wide counter initialized to 1+<the password length>. Full
  descriptions are given in Bennett [BEN87] and Bergen and Caelli
  [BER91].

  Chris Galas writes: ``Someone a while back was looking for a way to
  decrypt WordPerfect document files and I think I have a solution. 
  There is a software company named: Accessdata (87 East 600 South,
  Orem, UT 84058), 1-800-658-5199 that has a software package that will
  decrypt any WordPerfect, Lotus 1-2-3, Quattro Pro, MS Excel and Paradox
  files. The cost of the package is $185. Steep prices, but if you
  think your pw key is less than 10 characters, (or 10 char) give them a
  call and ask for the free demo disk. The demo disk will decrypt files
  that have a 10 char or less pw key.''

* How do I break a Vigenere (repeated-key) cipher?

  A repeated-key cipher, where the ciphertext is something like the
  plaintext xor KEYKEYKEYKEY (and so on), is called a Vigenere cipher.
  If the key is not too long and the plaintext is in English, do the
  following: 

  1. Discover the length of the key by counting coincidences.
  (See Gaines [GAI44], Sinkov [SIN66].) Trying each displacement of
  the ciphertext against itself, count those bytes which are equal. 
  If the two ciphertext portions have used the same key, something
  over 6% of the bytes will be equal. If they have used different
  key, then less than 0.4% will be equal (assuming random 8-bit bytes
  of key covering normal ASCII text). The smallest displacement which
  indicates an equal key is the length of the repeated key.

  2. Shift the text by that length and XOR it with itself. This
  removes the key and leaves you with text XORed with itself. Since
  English has about 1 bit of real information per byte, 2 streams of
  text XORed together have 2 bits of info per 8-bit byte, providing
  plenty of redundancy for choosing a unique decryption. (And in fact
  one stream of text XORed with itself has just 1 bit per byte.)

  If the key is short, it might be even easier to treat this as a
  standard polyalphabetic substitution. All the old cryptanalysis
  texts show how to break those. It's possible with those methods, in
  the hands of an expert, if there's only ten times as much text as key.
  See, for example, Gaines [GAI44], Sinkov [SIN66].
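  The following is an added example, not part of this FAQ, that carries
  the procedure above through in code against a repeated-key XOR.  Step
  1 is the coincidence count exactly as described.  For step 2 it takes
  the ``polyalphabetic substitution'' route rather than hand-solving the
  text XORed with itself: each key position is a single-byte XOR over its
  own column, so all 256 candidates are tried per column and the one that
  turns the column into the most letters and spaces wins.  The sample
  text and key are constructed; the key bytes were chosen so that a
  wrong displacement yields no coincidences at all against a text of
  lowercase letters and spaces, which makes the peak easy to see.  With
  random key bytes expect the roughly 0.4% background rate quoted above.

```python
# Constructed sample: lowercase letters and spaces only.
SAMPLE_PLAINTEXT = (
    b"the index of coincidence tells the analyst how often two letters taken "
    b"from the same text will agree if the text is english the count is high "
    b"if the two streams were encrypted under different key bytes the count "
    b"drops to nearly nothing so the smallest shift that gives a high count "
    b"is the length of the repeated key and once that is known each column "
    b"can be solved on its own as a simple substitution cipher with a single "
    b"unknown key byte which is the second step described above"
)
SAMPLE_KEY = bytes([0x5B, 0x7B, 0xDB, 0xFB, 0x9B])   # constructed 5-byte key


def xor_repeated_key(data, key):
    """Repeated-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def coincidence_rate(ct, shift):
    """Step 1: fraction of positions where the ciphertext agrees with itself
    displaced by `shift` bytes."""
    if shift <= 0 or shift >= len(ct):
        return 0.0
    hits = sum(1 for i in range(len(ct) - shift) if ct[i] == ct[i + shift])
    return hits / (len(ct) - shift)


def find_key_length(ct, max_len=32, threshold=0.02):
    """Smallest displacement whose coincidence rate clears the threshold, which
    sits between the ~0.4% of unrelated key bytes and the ~6% of English text
    under the same key byte.  Returns 0 if no displacement qualifies."""
    for shift in range(1, min(max_len, len(ct) - 1) + 1):
        if coincidence_rate(ct, shift) > threshold:
            return shift
    return 0


def english_score(column):
    """Crude plaintext test: how many bytes are lowercase letters or spaces."""
    return sum(1 for b in column if b == 0x20 or 0x61 <= b <= 0x7A)


def recover_key(ct, key_len):
    """Step 2: every key position is a single-byte XOR over its own column, so
    try all 256 bytes per column and keep the one that looks most like English."""
    key = bytearray()
    for j in range(key_len):
        column = ct[j::key_len]
        best = max(range(256), key=lambda k: english_score(bytes(b ^ k for b in column)))
        key.append(best)
    return bytes(key)


def break_repeated_key_xor(ct):
    """Return (recovered key, recovered plaintext) without using the real key."""
    key_len = find_key_length(ct)
    if key_len == 0:
        raise ValueError("no coincidence peak: key too long or ciphertext too short")
    key = recover_key(ct, key_len)
    return key, xor_repeated_key(ct, key)


if __name__ == "__main__":
    ct = xor_repeated_key(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    for shift in range(1, 11):
        print(f"shift {shift:2d}: coincidence rate {coincidence_rate(ct, shift):.3f}")
    key, pt = break_repeated_key_xor(ct)
    print("recovered key:", key.hex(), "(correct)" if key == SAMPLE_KEY else "(wrong)")
```

  For real text with capitals, digits and punctuation, replace
  english_score() with a score against a letter-frequency table (see the
  question on frequency lists below); the structure of the attack does
  not change.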

* How do I send encrypted mail under UNIX? [PGP, RIPEM, PEM, ...]

  Here's one popular method, using the des command:

    cat file | compress | des private_key | uuencode | mail

  Note that a key given on the command line, as above, shows up in the
  process listing (ps) for every user on the machine and is saved in
  the shell history, so read it from the terminal or a protected file
  instead when the des command you have allows it.

  Meanwhile, there is a de jure Internet standard in the works called
  PEM (Privacy Enhanced Mail). It is described in RFCs 1421 through
  1424. To join the PEM mailing list, contact pem-dev-request@tis.com.
  There is a beta version of PEM being tested at the time of this
  writing.

  There are also two programs available in the public domain for encrypting
  mail: PGP and RIPEM.  Both are available by FTP.  Each has its own
  newsgroup: alt.security.pgp and alt.security.ripem.  Each has its own FAQ
  as well.

  PGP is most commonly used outside the USA since it uses the RSA algorithm
  without a license and RSA's patent is valid only (or at least primarily)
  in the USA.

  RIPEM is most commonly used inside the USA since it uses the RSAREF which
  is freely available within the USA but not available for shipment outside
  the USA.

  Since both programs use a secret key algorithm for encrypting the body of
  the message (PGP uses IDEA; RIPEM uses DES) and RSA for encrypting the
  message key, they should be able to interoperate freely.  Although there
  have been repeated calls for each to understand the other's formats and
  algorithm choices, no interoperation is available at this time (as far as
  we know).

* Is the UNIX crypt command secure?

  No. See [REE84]. There is a program available called cbw (crypt
  breaker's workbench) which can be used to do ciphertext-only attacks
  on files encrypted with crypt. One source for CBW is [FTPCB].

* How do I use compression with encryption?

  A number of people have proposed doing perfect compression followed by
  some simple encryption method (e.g., XOR with a repeated key).

  Unfortunately, you can only compress perfectly if you know the exact
  distribution of possible inputs. For all practical purposes it's
  impossible to describe ``the typical English text'' beyond coarse
  characteristics such as single-letter frequencies. You can build up
  more and more sophisticated models of your inputs, but if the enemy
  has a slightly more accurate model, he'll be able to find some
  redundancy in your compressed output.

  Note that nearly all practical compression schemes, unless they
  have been designed with cryptography in mind, produce output that
  actually starts off with high redundancy. For example, the output of
  UNIX compress begins with a well-known three-byte ``magic number''
  that can serve as an entering wedge for cryptanalysis.
  
  This is not to say that compression before encryption is inherently a
  bad idea; it just has to be done very, very carefully, and by no means
  removes the need for strong encryption.

  Compression after encryption is silly: the output of a good cipher is
  indistinguishable from random bits, and random bits do not compress.
  (If the ciphertext does compress noticeably, that is itself evidence
  that the cipher is leaking structure.)

* Is there an unbreakable cipher?

  Yes. The one-time pad is unbreakable; see part 4. Unfortunately the
  one-time pad requires secure distribution of as much key material as
  plaintext.

  Of course, a cryptosystem need not be utterly unbreakable to be
  useful. Rather, it needs to be strong enough to resist attacks by
  likely enemies for whatever length of time the data it protects is
  expected to remain valid.

* What does ``random'' mean in cryptography?

  Cryptographic applications demand much more out of a pseudorandom
  number generator than most applications. For a source of bits to be
  cryptographically random, it must be computationally impossible to
  predict what the Nth random bit will be given complete knowledge of
  the algorithm or hardware generating the stream and the sequence of
  0th through N-1st bits, for all N up to the lifetime of the source.

  A software generator (also known as pseudo-random) has the function
  of expanding a truly random seed to a longer string of apparently
  random bits.  This seed must be large enough not to be guessed by
  the opponent.  Ideally, it should also be truly random (perhaps
  generated by a hardware random number source).

  Those who have Sparcstation 1 workstations could, for example,
  generate random numbers using the audio input device as a source of
  entropy, by not connecting anything to it.  For example,

	cat /dev/audio | compress - >foo

  gives a file of high entropy (not random but with much randomness in
  it).  One can then encrypt that file using part of itself as a key,
  for example, to convert that seed entropy into a pseudo-random
  string.

  When looking for hardware devices to provide this entropy, it is
  important really to measure the entropy rather than just assume that
  because it looks complicated to a human, it must be "random".  For
  example, disk operation completion times sound like they might be
  unpredictable (to many people) but a spinning disk is much like a
  clock and its output completion times are relatively low in entropy.
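  The following is an added example, not part of this FAQ, that serves
  two passages: the definition of entropy as the sum of -p_K log_2 p_K
  in part 4, and the advice here to measure a source rather than trust
  its appearance.  Besides the per-byte entropy it computes the entropy
  of each byte given the previous one, which is what exposes a
  ``clock-like'' source: every value may occur equally often and still
  be perfectly predictable.  The byte streams and the key distribution
  are constructed stand-ins for device output and for a user's habits.

```python
import math
from collections import Counter


def entropy_from_probabilities(probabilities):
    """E = sum over keys of -p_K log2 p_K, the definition given in part 4."""
    return -sum(p * math.log2(p) for p in probabilities if p > 0)


def entropy_bits(symbols):
    """Shannon entropy, in bits per symbol, of the empirical distribution of `symbols`."""
    counts = Counter(symbols)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return entropy_from_probabilities(c / total for c in counts.values())


def conditional_entropy_bits(data):
    """H(next byte | previous byte) = H(prev, next) - H(prev), over consecutive pairs.
    Near zero means the stream is predictable even when every value is equally common."""
    if len(data) < 2:
        return 0.0
    pairs = list(zip(data[:-1], data[1:]))
    return entropy_bits(pairs) - entropy_bits(data[:-1])


def entropy_report(data):
    """Both figures for a candidate entropy source; judge it by the smaller one."""
    return {"per_byte": entropy_bits(data),
            "given_previous": conditional_entropy_bits(data)}


# Constructed samples standing in for real device output.
CONSTANT = bytes(2048)                 # a dead input: nothing there at all
CLOCK_LIKE = bytes(range(256)) * 8     # every value equally often, yet fully predictable

# A constructed, badly skewed key distribution of the kind part 4 warns about:
# one favourite key and a few alternatives.  Entropy: 1.75 bits, not 16 or 56.
SKEWED_KEYS = {"secret": 0.5, "password": 0.25, "letmein": 0.125, "qwerty": 0.125}


if __name__ == "__main__":
    print("constant  :", entropy_report(CONSTANT))
    print("clock-like:", entropy_report(CLOCK_LIKE))
    print("skewed key distribution:", entropy_from_probabilities(SKEWED_KEYS.values()), "bits")
```

  A byte-frequency estimate on its own would rate CLOCK_LIKE at a full 8
  bits per byte; the conditional figure is what shows that the source is
  worth nothing.  Longer-range dependencies need higher-order
  conditioning in the same way.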

* What is the unicity point (a.k.a. unicity distance)?

  See [SHA49]. The unicity distance is an approximation to that amount
  of ciphertext such that the sum of the real information (entropy) in
  the corresponding source text and encryption key equals the number
  of ciphertext bits used. Ciphertexts significantly longer than this
  can be shown probably to have a unique decipherment. This is used to
  back up a claim of the validity of a ciphertext-only cryptanalysis. 
  Ciphertexts significantly shorter than this are likely to have
  multiple, equally valid decryptions and therefore to gain security
  from the opponent's difficulty choosing the correct one.

  Unicity distance, like all statistical or information-theoretic
  measures, does not make deterministic predictions but rather gives
  probabilistic results: namely, the minimum amount of ciphertext
  for which it is likely that there is only a single intelligible
  plaintext corresponding to the ciphertext, when all possible keys
  are tried for the decryption. Working cryptologists don't normally
  deal with unicity distance as such. Instead they directly determine
  the likelihood of events of interest.

  Let the unicity distance of a cipher be D characters. If fewer than
  D ciphertext characters have been intercepted, then there is not
  enough information to distinguish the real key from a set of
  possible keys. DES has a unicity distance of 17.5 characters,
  which is less than 3 ciphertext blocks (each block corresponds to
  8 ASCII characters). This may seem alarmingly low at first, but
  the unicity distance gives no indication of the computational work
  required to find the key after approximately D characters have been
  intercepted.
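  A worked version of the 17.5-character figure above (added here; the
  FAQ states only the result).  It follows Shannon's formula with the
  usual textbook inputs: a 56-bit DES key, a 26-letter alphabet, and
  about 1.5 bits of real information per letter of English.  That last
  figure is an estimate (estimates run from about 1 to 1.5 bits per
  letter; 1.5 is the one that reproduces 17.5), and the unicity distance
  moves with it.

  Let H(K) be the entropy of the key and D the redundancy of the
  plaintext in bits per character, D = R - r, where R = log_2 (size of
  the alphabet) is the raw capacity of a character and r the real
  information per character.  Then

    U = H(K) / D

  For DES on English letters:

    H(K) = 56 bits
    R    = log_2 26 ~= 4.70 bits/char
    r    ~= 1.5 bits/char
    D    = R - r ~= 3.2 bits/char

    U = 56 / 3.2 = 17.5 characters

  Taking the plaintext to be 8-bit ASCII instead, R = 8 bits/char and
  D ~= 6.5 bits/char, so U ~= 56 / 6.5 ~= 8.6 characters, barely more
  than one DES block.  The figure depends entirely on how much
  redundancy the plaintext model assigns, and says nothing about the
  work required to exploit it.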

  In fact, actual cryptanalysis seldom proceeds along the lines used
  in discussing unicity distance. (Like other measures such as key
  size, unicity distance is something that guarantees insecurity if
  it's too small, but doesn't guarantee security if it's high.) Few
  practical cryptosystems are absolutely impervious to analysis; all
  manner of characteristics might serve as entering ``wedges'' to crack
  some cipher messages. However, similar information-theoretic
  considerations are occasionally useful, for example, to determine a
  recommended key change interval for a particular cryptosystem.
  Cryptanalysts also employ a variety of statistical and
  information-theoretic tests to help guide the analysis in the most
  promising directions.

  Unfortunately, most literature on the application of information
  statistics to cryptanalysis remains classified, even the seminal
  1940 work of Alan Turing (see [KOZ84]). For some insight into the
  possibilities, see [KUL68] and [GOO83].

* What is key management and why is it important?

  One of the fundamental axioms of cryptography is that the enemy is in
  full possession of the details of the general cryptographic system,
  and lacks only the specific key data employed in the encryption. (Of
  course, one would assume that the CIA does not make a habit of telling
  Mossad about its cryptosystems, but Mossad probably finds out anyway.)
  Repeated use of a finite amount of key provides redundancy that can
  eventually facilitate cryptanalytic progress. Thus, especially in
  modern communication systems where vast amounts of information are
  transferred, both parties must have not only a sound cryptosystem but
  also enough key material to cover the traffic.

  Key management refers to the distribution, authentication, and
  handling of keys.

  A publicly accessible example of modern key management technology
  is the STU III secure telephone unit, which for classified use
  employs individual coded ``Crypto Ignition Keys'' and a central Key
  Management Center operated by NSA. There is a hierarchy in that
  certain CIKs are used by authorized cryptographic control
  personnel to validate the issuance of individual traffic keys and
  to perform installation/maintenance functions, such as the
  reporting of lost CIKs.

  This should give an inkling of the extent of the key management
  problem. For public-key systems, there are several related issues,
  many having to do with ``whom do you trust?''

* Can I use pseudo-random or chaotic numbers as a key stream?

  Chaotic equations and fractals produce an apparent randomness from
  relatively compact generators. Perhaps the simplest example is a
  linear congruential sequence, one of the most popular types of random
  number generators, where there is no obvious dependence between seeds
  and outputs. Unfortunately the graph of any such sequence will, in a
  high enough dimension, show up as a regular lattice. Mathematically
  this lattice corresponds to structure which is notoriously easy for
  cryptanalysts to exploit. More complicated generators have more
  complicated structure, which is why they make interesting pictures---
  but a cryptographically strong sequence will have no computable
  structure at all.

  See [KNU81], exercise 3.5-7; [REE77]; and [BOY89].

* What is the correct frequency list for English letters?

  There are three answers to this question, each slightly deeper than
  the one before. You can find the first answer in various books:
  namely, a frequency list computed directly from a certain sample of
  English text. Of course any such list will be ``correctly'' computed,
  but exactly which list you get depends on which sample was taken.

  The second answer is that the question doesn't make sense. What do
  you mean by ``English letters''? The ``English language'' is not a
  fixed, finite, closed object that can be exactly characterized. It
  has changed over time; it is different between different authors.
  Any particular message will have different statistics from those of
  the language as a whole.

  The third answer is that yes, no particular message is going to have
  exactly the same characteristics as English in general, but for all
  reasonable statistical uses these slight discrepancies won't matter.
  In fact there's an entire field called ``Bayesian statistics'' (other
  buzzwords are ``maximum entropy methods'' and ``maximum likelihood
  estimation'') which studies questions like ``What's the chance that a
  text with these letter frequencies is in English?'' and comes up with
  reasonably robust answers.

  So make your own list from your own samples of English text. It will
  be good enough for practical work, if you use it properly.

* What is the Enigma?

  ``For a project in data security we are looking for sources of
  information about the German Enigma code and how it was broken by
  the British during WWII.''

  See [WEL82], [DEA85], [KOZ84], [HOD83], [KAH91].

* How do I shuffle cards?

  Card shuffling is a special case of the permutation of an array of
  values, using a random or pseudo-random function.  All possible output
  permutations of this process should be equally likely.  To do this, you
  need a random function (modran(x)) which will produce a uniformly
  distributed random integer in the interval [0..x-1].  Given that
  function, you can shuffle with the following [C] code: (assuming ARRLTH
  is the length of array arr[] and swap() interchanges values at the two
  addresses given)

  for ( n = ARRLTH-1; n > 0 ; n-- ) swap( &arr[modran( n+1 )], &arr[n] ) ;

  modran(x) cannot be achieved exactly with a simple (ranno() % x)
  unless the number of distinct values ranno() can return is a multiple
  of x; otherwise the smaller residues come out slightly more often,
  although when x is far smaller than ranno()'s range the error will be
  very small.  To cover this case, let R be the number of values ranno()
  can return and let y = R mod x.  Whenever ranno() returns a value less
  than y, throw it away and get another ranno() value.  The R - y values
  that survive are a multiple of x, so (value % x) is then exactly
  uniform.
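  The following is an added example, not part of this FAQ, giving the
  shuffle above together with a modran() built by rejection, and showing
  the bias of the naive (ranno() % x) on a generator so small that it
  can be counted by hand: a raw range of 8 values reduced to 3.  The raw
  generator is passed in as a callable so that the rejection logic can be
  checked against a deterministic source; the seeded PRNG used for the
  shuffle is a stand-in for a real random source, not a recommendation.

```python
import itertools
import random
from collections import Counter


def make_modran(ranno, ranno_range):
    """Build modran(x) from a raw generator ranno() returning integers in [0, ranno_range-1].
    With y = ranno_range mod x, raw values below y are thrown away and redrawn; the
    remaining ranno_range - y values are a multiple of x, so value % x is exactly uniform."""
    def modran(x):
        if not 1 <= x <= ranno_range:
            raise ValueError("x must be between 1 and the generator's range")
        reject_below = ranno_range % x
        while True:
            r = ranno()
            if r >= reject_below:
                return r % x
    return modran


def shuffle(arr, modran):
    """The shuffle from the text: for n from the top down, swap arr[n] with a
    uniformly chosen arr[0..n].  Every one of the len(arr)! orders is equally likely."""
    for n in range(len(arr) - 1, 0, -1):
        j = modran(n + 1)
        arr[j], arr[n] = arr[n], arr[j]
    return arr


def output_counts(x, ranno_range, use_rejection):
    """Feed one full cycle 0..ranno_range-1 of raw values through either the naive
    ranno() % x or the rejection version and count what comes out."""
    raw = itertools.cycle(range(ranno_range))
    consumed = [0]

    def ranno():
        consumed[0] += 1
        return next(raw)

    draw = make_modran(ranno, ranno_range) if use_rejection else (lambda k: ranno() % k)
    counts = Counter()
    while consumed[0] < ranno_range:
        counts[draw(x)] += 1
    return dict(counts)


def shuffled_range(n, seed=7):
    """Shuffle 0..n-1 using a seeded PRNG as a stand-in for a real random source."""
    rng = random.Random(seed)
    modran = make_modran(lambda: rng.getrandbits(32), 1 << 32)
    return shuffle(list(range(n)), modran)


if __name__ == "__main__":
    print("naive % 3 over 8 raw values:    ", output_counts(3, 8, False))
    print("rejection % 3 over 8 raw values:", output_counts(3, 8, True))
    print("shuffled:", shuffled_range(10))
```

  With an 8-value generator the naive version hands out residues 0 and 1
  three times each but 2 only twice; rejection discards raw values 0 and
  1 and gives each residue exactly twice.  In current Python,
  secrets.randbelow() already performs this rejection over an
  operating-system random source and should be used rather than a
  hand-rolled generator.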


* Can I foil S/W pirates by encrypting my CD-ROM?

  Someone will frequently express the desire to publish a CD-ROM with
  possibly multiple pieces of software, perhaps with each encrypted
  separately, and will want to use different keys for each user (perhaps
  even good for only a limited period of time) in order to avoid piracy.

  As far as we know, this is impossible, since there is nothing in standard
  PC or workstation hardware which uniquely identifies the user at the
  keyboard.  If there were such an identification, then the CD-ROM could be
  encrypted with a key based in part on the one sold to the user and in
  part on the unique identifier.  However, in this case the CD-ROM is one
  of a kind and that defeats the intended purpose.

  If the CD-ROM is to be encrypted once and then mass produced, there must
  be a key (or set of keys) for that encryption produced at some stage in
  the process.  That key is useable with any copy of the CD-ROM's data.
  The pirate needs only to isolate that key and sell it along with the
  illegal copy.


* Can you do automatic cryptanalysis of simple ciphers?

  schneier@chinet.chi.il.us (Bruce Schneier) says: AccessData of Orem,
  Utah sells products that break the password scheme of a number of
  popular Macintosh and PC software packages.  Their telephone number
  is (801) 224-6970

  No PD software has been cited but there are many papers on the
  subject....

  Peleg, S. and Rosenfeld, A.  "Breaking Substitution Ciphers Using a
  Relaxation Algorithm" Comm. ACM Vol. 22(11) pp 598-605 (Nov. 1979)
  
  Lucks, Michael, "A Constraint Satisfaction Algorithm for the
  Automated Decryption of Simple Substitution Ciphers", Advances in
  Cryptology -- CRYPTO '88, Springer Lecture Notes in Computer
  Science, vol. 403 (The paper also contains references to earlier
  work on the subject.)
  
  John Carroll and Steve Martin, "The Automated Cryptanalysis of
  Substitution Ciphers", Cryptologia, vol X number 4, Oct 86 p193-209.
  
  John Carroll and Lynda Robbins, "Automated Cryptanalysis of
  Polyalphabetic Ciphers", Cryptologia, vol XI number 4, Oct 87
  p193-205
  
  Martin Kochanski, "A Survey of Data Insecurity Packages",
  Cryptologia, vol XI number 1, Jan 87 p1-15
  
  Martin Kochanski, "Another Data Insecurity Package", Cryptologia,
  vol XII number 3, July 88, p165-177.
  
  Cryptologia Vol XIII Number 4  1989 pp 303-326.
  
  King and Bahler, "Probabilistic Relaxation in the Cryptanalysis of
  Simple Substitution Ciphers" Cryptologia 16(3):215-225.
  
  King and Bahler, "An Algorithmic Solution of Sequential Homophonic
  Ciphers".  Cryptologia, April 93 (in press).
  
  R. Spillman et al., "Use of Genetic Algorithms in Cryptanalysis of
  Simple Substitution Ciphers", Cryptologia, vol XVII Number 1, Jan 93
  p31-44.


* What is the coding system used by VCR+?

  One very frequently asked question in sci.crypt is about how the VCR+ codes
  work.  The following article attempts to describe it.

    K. Shirriff, C. Welch, A. Kinsman, "Decoding a VCR Controller Code,"
    Cryptologia, 16(3), July 1992, pp 227-234.


Newsgroup: sci.crypt
document_id: 15246
From: crypt-comments@math.ncsu.edu
Subject: Cryptography FAQ 10/10 - References

Archive-name: cryptography-faq/part10
Last-modified: 1993/4/15


FAQ for sci.crypt, part 10: References

This is the tenth of ten parts of the sci.crypt FAQ. The parts are
mostly independent, but you should read the first part before the rest.
We don't have the time to send out missing parts by mail, so don't ask.
Notes such as ``[KAH67]'' refer to the reference list in this part.


Contents

* Books on history and classical methods
* Books on modern methods
* Survey articles
* Reference articles
* Journals, conference proceedings
* Other
* Electronic sources
* RFCs (available from [FTPRF])
* Related newsgroups


* Books on history and classical methods

  [CF]    Lambros D. Callimahos, William F. Friedman, Military Cryptanalytics.
	  Aegean Park Press, ?.
  [DEA85] Cipher A. Deavours & Louis Kruh, Machine Cryptography and
          Modern Cryptanalysis. Artech House, 610 Washington St.,
          Dedham, MA 02026, 1985.
  [FRIE2] William F. Friedman, Solving German Codes in World War I.
          Aegean Park Press, ?.
  [GAI44] H. Gaines, Cryptanalysis, a study of ciphers and their
          solution. Dover Publications, 1944.
  [HIN00] F.H.Hinsley, et al., British Intelligence in the Second
          World War. Cambridge University Press. (vol's 1, 2, 3a, 3b
          & 4, so far).  XXX Years and authors, fix XXX
  [HOD83] Andrew Hodges, Alan Turing: The Enigma. Burnett Books
          Ltd., 1983
  [KAH91] David Kahn, Seizing the Enigma. Houghton Mifflin, 1991.
  [KAH67] D. Kahn, The Codebreakers. Macmillan Publishing, 1967.
          [history] [The abridged paperback edition left out most
          technical details; the original hardcover edition is
          recommended.]
  [KOZ84] W. Kozaczuk, Enigma. University Publications of America, 1984
  [KUL76] S. Kullback, Statistical Methods in Cryptanalysis. Aegean
          Park Press, 1976.
  [SIN66] A. Sinkov, Elementary Cryptanalysis. Math. Assoc. Am. 1966.
  [WEL82] Gordon Welchman, The Hut Six Story. McGraw-Hill, 1982.
  [YARDL] Herbert O. Yardley, The American Black Chamber. Aegean Park
          Press, ?.

* Books on modern methods

  [BEK82] H. Beker, F. Piper, Cipher Systems. Wiley, 1982.
  [BRA88] G. Brassard, Modern Cryptology: a tutorial.
          Springer-Verlag, 1988.
  [DEN82] D. Denning, Cryptography and Data Security. Addison-Wesley
          Publishing Company, 1982.
  [KOB89] N. Koblitz, A course in number theory and cryptography.
          Springer-Verlag, 1987.
  [KON81] A. Konheim, Cryptography: a primer. Wiley, 1981.
  [MEY82] C. Meyer and S. Matyas, Cryptography: A new dimension in
          computer security. Wiley, 1982.
  [PAT87] Wayne Patterson, Mathematical Cryptology for Computer
          Scientists and Mathematicians. Rowman & Littlefield, 1987.
  [PFL89] C. Pfleeger, Security in Computing. Prentice-Hall, 1989.
  [PRI84] W. Price, D. Davies, Security for computer networks. Wiley, 1984. 
  [RUE86] R. Rueppel, Design and Analysis of Stream Ciphers.
          Springer-Verlag, 1986.
  [SAL90] A. Salomaa, Public-key cryptography. Springer-Verlag, 1990.
  [WEL88] D. Welsh, Codes and Cryptography. Clarendon Press, 1988.

* Survey articles

  [ANG83] D. Angluin, D. Lichtenstein, Provable Security in Crypto-
          systems: a survey. Yale University, Department of Computer
          Science, #288, 1983.
  [BET90] T. Beth, Algorithm engineering for public key algorithms.
          IEEE Journal on Selected Areas in Communications, 1(4),
          458--466, 1990.
  [DAV83] M. Davio, J. Goethals, Elements of cryptology. in Secure
          Digital Communications, G. Longo ed., 1--57, 1983.
  [DIF79] W. Diffie, M. Hellman, Privacy and Authentication: An
          introduction to cryptography. IEEE proceedings, 67(3),
          397--427, 1979.
  [DIF88] W. Diffie, The first ten years of public key cryptography.
          IEEE proceedings, 76(5), 560--577, 1988.
  [FEI73] H. Feistel, Cryptography and Computer Privacy. Scientific 
          American, 228(5), 15--23, 1973.
  [FEI75] H. Feistel, W. Notz, J. L. Smith. Some cryptographic
          techniques for machine-to-machine data communications,
          IEEE proceedings, 63(11), 1545--1554, 1975.
  [HEL79] M. Hellman, The mathematics of public key cryptography.
          Scientific American, 130--139, 1979.
  [LAK83] S. Lakshmivarahan, Algorithms for public key
          cryptosystems. In Advances in Computers, M. Yovtis ed.,
          22, Academic Press, 45--108, 1983.
  [LEM79] A. Lempel, Cryptology in transition, Computing Surveys,
          11(4), 285--304, 1979.
  [MAS88] J. Massey, An introduction to contemporary cryptology, IEEE
          proceedings, 76(5), 533--549, 1988.
  [SIM91] G. Simmons (ed.), Contemporary Cryptology: the Science of
          Information Integrity. IEEE press, 1991.

* Reference articles

  [AND83] D. Andelman, J. Reeds, On the cryptanalysis of rotor and
          substitution-permutation networks. IEEE Trans. on Inform.
          Theory, 28(4), 578--584, 1982.
  [BEN87] John Bennett, Analysis of the Encryption Algorithm Used in
          the WordPerfect Word Processing Program. Cryptologia 11(4),
          206--210, 1987.
  [BER91] H. A. Bergen and W. J. Caelli, File Security in WordPerfect
          5.0. Cryptologia 15(1), 57--66, January 1991.
  [BIH91] E. Biham and A. Shamir, Differential cryptanalysis of
          DES-like cryptosystems. Journal of Cryptology, vol. 4, #1,
          3--72, 1991.
  [BI91a] E. Biham, A. Shamir, Differential cryptanalysis of Snefru,
          Khafre, REDOC-II, LOKI and LUCIFER. In Proceedings of CRYPTO
          '91, ed. by J. Feigenbaum, 156--171, 1992.
  [BOY89] J. Boyar, Inferring Sequences Produced by Pseudo-Random
          Number Generators. Journal of the ACM, 1989.
  [BRI86] E. Brickell, J. Moore, M. Purtill, Structure in the
          S-boxes of DES. In Proceedings of CRYPTO '86, A. M. Odlyzko
          ed., 3--8, 1987.
  [BRO89] L. Brown, A proposed design for an extended DES, Computer
          Security in the Computer Age. Elsevier Science Publishers
          B.V. (North Holland), IFIP, W. J. Caelli ed., 9--22, 1989.
  [BRO90] L. Brown, J. Pieprzyk, J. Seberry, LOKI - a cryptographic
          primitive for authentication and secrecy applications.
          In Proceedings of AUSCRYPT '90, 229--236, 1990.
  [CAE90] H. Gustafson, E. Dawson, W. Caelli, Comparison of block
          ciphers. In Proceedings of AUSCRYPT '90, J. Seberry and J.
          Pieprzyk eds., 208--220, 1990.
  [CAM93] K. W. Campbell, M. J. Wiener, DES is Not a Group.
          In Proceedings of CRYPTO '92, 1993.
  [ELL88] Carl M. Ellison, A Solution of the Hebern Messages. Cryptologia,
          vol. XII, #3, 144-158, Jul 1988.
  [EVE83] S. Even, O. Goldreich, DES-like functions can generate the
          alternating group. IEEE Trans. on Inform. Theory, vol. 29,
          #6, 863--865, 1983.
  [GAR91] G. Garon, R. Outerbridge, DES watch: an examination of the
          sufficiency of the Data Encryption Standard for financial
          institutions in the 1990's. Cryptologia, vol. XV, #3,
          177--193, 1991.
  [GIL80] Gillogly, ?. Cryptologia 4(2), 1980.
  [GM82]  Shafi Goldwasser, Silvio Micali, Probabilistic Encryption and
	  How To Play Mental Poker Keeping Secret All Partial Information.
	  Proceedings of the Fourteenth Annual ACM Symposium on Theory of
	  Computing, 1982.
  [HUM83] D. G. N. Hunter and A. R. McKenzie, Experiments with
          Relaxation Algorithms for Breaking Simple Substitution
          Ciphers. Computer Journal 26(1), 1983.
  [KAM78] J. Kam, G. Davida, A structured design of substitution-
          permutation encryption networks. IEEE Trans. on Computers,
          C-28(10), 747--753, 1979.
  [KIN78] P. Kinnucan, Data encryption gurus: Tuchman and Meyer.
          Cryptologia, vol. II #4, 371--XXX, 1978.
  [KRU88] Kruh, ?. Cryptologia 12(4), 1988.
  [LAI90] X. Lai, J. Massey, A proposal for a new block encryption 
          standard. EUROCRYPT 90, 389--404, 1990.
  [LUB88] M. Luby, C. Rackoff, How to construct pseudorandom
          permutations from pseudorandom functions. SIAM Journal of
          Computing, vol. 17, #2, 373--386, 1988.
  [ME91a] R. Merkle, Fast software encryption functions. In Proceedings
          of CRYPTO '90, Menezes and Vanstone ed., 476--501, 1991.
  [MEY78] C. Meyer, Ciphertext/plaintext and ciphertext/key
          dependence vs. number of rounds for the Data Encryption
          Standard. AFIPS Conference proceedings, 47, 1119--1126,
          1978.
  [NBS77] Data Encryption Standard. National Bureau of Standards,
          FIPS PUB 46, Washington, DC, January 1977.
  [REE77] J. Reeds, `Cracking' a Random Number Generator.
          Cryptologia 1(1), 20--26, 1977.
  [REE84] J. A. Reeds and P. J. Weinberger, File Security and the UNIX
          Crypt Command. AT&T Bell Laboratories Technical Journal,
          Vol. 63 #8, part 2, 1673--1684, October, 1984.
  [SHA49] C. Shannon, Communication Theory of Secrecy Systems. Bell
          System Technical Journal 28(4), 656--715, 1949.
  [SHE88] B. Kaliski, R. Rivest, A. Sherman, Is the Data Encryption
          Standard a Group. Journal of Cryptology, vol. 1, #1,
          1--36, 1988.
  [SHI88] A. Shimizu, S. Miyaguchi, Fast data encipherment algorithm
          FEAL. EUROCRYPT '87, 267--278, 1988.
  [SOR84] A. Sorkin, LUCIFER: a cryptographic algorithm.
          Cryptologia, 8(1), 22--35, 1984.
	
* Journals, conference proceedings

  CRYPTO
  Eurocrypt
  IEEE Transactions on Information Theory
  Cryptologia: a cryptology journal, quarterly since Jan 1977.
          Cryptologia; Rose-Hulman Institute of Technology; Terre Haute
          Indiana 47803 [general: systems, analysis, history, ...]
  Journal of Cryptology; International Association for Cryptologic
          Research; published by Springer Verlag (quarterly since
          1988).
  The Cryptogram (Journal of the American Cryptogram Association);
          18789 West Hickory Street; Mundelein, IL 60060; [primarily
          puzzle cryptograms of various sorts]
  Cryptosystems Journal, Published by Tony Patti, P.O. Box 188,
          Newtown PA, USA 18940-0188 or tony_s_patti@cup.portal.com.
	  Publisher's comment: Includes complete cryptosystems with
	  source and executable programs on diskettes. Tutorial. The
	  typical cryptosystem supports multi-megabit keys and Galois
	  Field arithmetic. Inexpensive hardware random number
	  generator details.

  Computer and Communication Security Reviews, published by Ross Anderson.
	  Sample issue available from various ftp sites, including
	  black.ox.ac.uk.  Editorial c/o rja14@cl.cam.ac.uk.  Publisher's
	  comment: We review all the conference proceedings in this field,
	  including not just Crypto and Eurocrypt, but regional gatherings
	  like Auscrypt and Chinacrypt. We also abstract over 50 journals,
	  and cover computer security as well as cryptology, so readers can
	  see the research trends in applications as well as theory.

* Other

  Address of note: Aegean Park Press, P.O. Box 2837, Laguna Hills, CA
  92654-0837. Answering machine at 714-586-8811.

  The ``Orange Book'' is DOD 5200.28-STD, published December 1985 as
  part of the ``rainbow book'' series. Write to Department of Defense,
  National Security Agency, ATTN: S332, 9800 Savage Road, Fort Meade, MD
  20755-6000, and ask for the Trusted Computer System Evaluation
  Criteria. Or call 301-766-8729.

  [BAMFD] Bamford, The Puzzle Palace. Penguin Books, ?.
  [GOO83] I. J. Good, Good Thinking: the foundations of probability and
          its applications. University of Minnesota Press, 1983.
  [KNU81] D. E. Knuth, The Art of Computer Programming, volume 2:
          Seminumerical Algorithms. Addison-Wesley, 1981.
  [KUL68] Solomon Kullback, Information Theory and Statistics.
          Dover, 1968.
  [YAO88] A. Yao, Computational Information Theory. In Complexity in
          Information Theory, ed. by Abu-Mostafa, 1988.

* How may one obtain copies of FIPS and ANSI standards cited herein?

  Many textbooks on cryptography contain complete reprints of the FIPS
  standards, which are not copyrighted.

  The following standards may be ordered from the
      U.S. Department of Commerce, National Technical Information Service,
      Springfield, VA 22161.

      FIPS PUB 46-1 "Data Encryption Standard"  (this is DES)
      FIPS PUB 74   "Guidelines for Implementing and Using the NBS DES"
      FIPS PUB 81   "DES Modes of Operation"
      FIPS PUB 113  "Computer Data Authentication" (using DES)

  The following standards may be ordered from the
      American National Standards Institute Sales Office,
      1430 Broadway, New York, NY 10018.
      Phone 212.642.4900

      ANSI X3.92-1981  "Data Encryption Algorithm" (identical to FIPS 46-1)
      ANSI X3.106-1983 "DEA Modes of Operation"    (identical to FIPS 81)

  Notes:  Figure 3 in FIPS PUB 46-1 is in error, but figure 3 in X3.92-1981
      is correct.  The text is correct in both publications.


* Electronic sources

  Anonymous ftp:

  [FTPBK] ftp.uu.net:bsd-sources/usr.bin/des/
  [FTPCB] ftp.uu.net:usenet/comp.sources.unix/volume10/cbw/
  [FTPDF] ftp.funet.fi:pub/unix/security/destoo.tar.Z
  [FTPEY] ftp.psy.uq.oz.au:pub/DES/
  [FTPMD] rsa.com:?
  [FTPMR] cl-next3.cl.msu.edu:pub/crypt/newdes.tar.Z
  [FTPOB] ftp.3com.com:Orange-book
  [FTPPF] prep.ai.mit.edu:pub/lpf/
  [FTPPK] ucsd.edu:hamradio/packet/tcpip/crypto/des.tar.Z
  [FTPRF] nic.merit.edu:documents/rfc/
  [FTPSF] beta.xerox.com:pub/hash/
  [FTPSO] chalmers.se:pub/des/des.1.0.tar.Z
  [FTPUF] ftp.uu.net:usenet/comp.sources.unix/volume28/ufc-crypt/
  [FTPWP] garbo.uwasa.fi:pc/util/wppass2.zip

* RFCs (available from [FTPRF])


1424  Kaliski, B.  Privacy Enhancement for Internet Electronic Mail: Part IV:
      Key Certification and Related Services.  1993 February; 9 p. (Format:
      TXT=17538 bytes)

1423  Balenson, D.  Privacy Enhancement for Internet Electronic Mail: Part
      III: Algorithms, Modes, and Identifiers.  1993 February; 14 p. (Format:
      TXT=33278 bytes)  (Obsoletes RFC 1115)

1422  Kent, S.  Privacy Enhancement for Internet Electronic Mail: Part II:
      Certificate-Based Key Management.  1993 February; 32 p. (Format:
      TXT=86086 bytes)  (Obsoletes RFC 1114)

1421  Linn, J.  Privacy Enhancement for Internet Electronic Mail: Part I:
      Message Encryption and Authentication Procedures.  1993 February; 42 p.
      (Format: TXT=103895 bytes)  (Obsoletes RFC 1113)


* Related newsgroups

  There are other newsgroups which a sci.crypt reader might want also to
  read.  Some have their own FAQ as well.

  alt.comp.compression		discussion of compression algorithms and code
  alt.security			general security discussions
  alt.security.index		index to alt.security
  alt.security.pgp		discussion of PGP
  alt.security.ripem		discussion of RIPEM
  alt.society.civil-liberty	general civil liberties, including privacy
  comp.org.eff.news		News reports from EFF
  comp.org.eff.talk		discussion of EFF related issues
  comp.patents			discussion of S/W patents, including RSA
  comp.risks			some mention of crypto and wiretapping
  comp.society.privacy		general privacy issues
  comp.security.announce	announcements of security holes
  misc.legal.computing		
  sci.math			general math discussion

Newsgroup: sci.crypt
document_id: 15247
From: ckincy@cs.umr.edu (Charles Kincy)
Subject: Bob "Putz" Cain  (was: Pgp and other BS)

In article <1993Apr16.195927.3952@natasha.portal.com> bob@natasha.portal.com (Bob Cain) writes:
>Charles Kincy (ckincy@cs.umr.edu) wrote:
>: In article <1993Apr16.001321.3692@natasha.portal.com> bob@natasha.portal.com (Bob Cain) writes:
[...]
>: Oh, I see, flame someone, tell them that they are immature, tell them
>: they are wrong, and then don't offer any proof for your assertions.
>: 
>: You really *are* a putz.  Put up or shut up.
>: 
>
>I will provide any proof you wish in private.  Name it, dickhead.

Don't bother.  <C5J0t.K52@blaze.cs.jhu.edu> has pretty much made
your pathetic ass superfluous.  You lose.  Pack up your bags and
go home.

>Putz Cain

Well, if the shoe fits....

cpk

Newsgroup: sci.crypt
document_id: 15248
From: crypt-comments@math.ncsu.edu
Subject: Cryptography FAQ 03/10 - Basic Cryptology

Archive-name: cryptography-faq/part03
Last-modified: 1993/4/15


FAQ for sci.crypt, part 3: Basic Cryptology

This is the third of ten parts of the sci.crypt FAQ. The parts are
mostly independent, but you should read the first part before the rest.
We don't have the time to send out missing parts by mail, so don't ask.
Notes such as ``[KAH67]'' refer to the reference list in the last part.

The sections of this FAQ are available via anonymous FTP to rtfm.mit.edu 
as /pub/usenet/news.answers/cryptography-faq/part[xx].  The Cryptography 
FAQ is posted to the newsgroups sci.crypt, sci.answers, and news.answers 
every 21 days.



Contents:

* What is cryptology? Cryptography? Plaintext? Ciphertext? Encryption? Key?
* What references can I start with to learn cryptology?
* How does one go about cryptanalysis?
* What is a brute-force search and what is its cryptographic relevance?
* What are some properties satisfied by every strong cryptosystem?
* If a cryptosystem is theoretically unbreakable, then is it
  guaranteed analysis-proof in practice?
* Why are many people still using cryptosystems that are
  relatively easy to break?


* What is cryptology? Cryptography? Plaintext? Ciphertext? Encryption? Key?

  The story begins: When Julius Caesar sent messages to his trusted
  acquaintances, he didn't trust the messengers. So he replaced every A
  by a D, every B by an E, and so on through the alphabet. Only someone
  who knew the ``shift by 3'' rule could decipher his messages.

  A cryptosystem or cipher system is a method of disguising messages so
  that only certain people can see through the disguise. Cryptography is
  the art of creating and using cryptosystems. Cryptanalysis is the art
  of breaking cryptosystems---seeing through the disguise even when
  you're not supposed to be able to. Cryptology is the study of both
  cryptography and cryptanalysis.

  The original message is called a plaintext. The disguised message is
  called a ciphertext. Encryption means any procedure to convert
  plaintext into ciphertext. Decryption means any procedure to convert
  ciphertext into plaintext.

  A cryptosystem is usually a whole collection of algorithms. The
  algorithms are labelled; the labels are called keys. For instance,
  Caesar probably used ``shift by n'' encryption for several different
  values of n. It's natural to say that n is the key here.

  The people who are supposed to be able to see through the disguise are
  called recipients. Other people are enemies, opponents, interlopers,
  eavesdroppers, or third parties.

* What references can I start with to learn cryptology?

  For an introduction to technical matter, the survey articles given
  in part 10 are the best place to begin as they are, in general,
  concise, authored by competent people, and well written. However,
  these articles are mostly concerned with cryptology as it has
  developed in the last 50 years or so, and are more abstract and
  mathematical than historical. The Codebreakers by Kahn [KAH67] is
  encyclopedic in its history and technical detail of cryptology up
  to the mid-60's.

  Introductory cryptanalysis can be learned from Gaines [GAI44] or
  Sinkov [SIN66]. This is recommended especially for people who want
  to devise their own encryption algorithms since it is a common
  mistake to try to make a system before knowing how to break one.

  The selection of an algorithm for the DES drew the attention of
  many public researchers to problems in cryptology. Consequently
  several textbooks and books to serve as texts have appeared. The
  book of Denning [DEN82] gives a good introduction to a broad range
  of security including encryption algorithms, database security,
  access control, and formal models of security. Similar comments
  apply to the books of Price & Davies [PRI84] and Pfleeger [PFL89].

  The books of Konheim [KON81] and Meyer & Matyas [MEY82] are quite
  technical books. Both Konheim and Meyer were directly involved in
  the development of DES, and both books give a thorough analysis of
  DES. Konheim's book is quite mathematical, with detailed analyses
  of many classical cryptosystems. Meyer and Matyas concentrate on
  modern cryptographic methods, especially pertaining to key management
  and the integration of security facilities into computer systems and
  networks.

  The books of Rueppel [RUE86] and Koblitz [KOB89] concentrate on
  the application of number theory and algebra to cryptography.

* How does one go about cryptanalysis?

  Classical cryptanalysis involves an interesting combination of
  analytical reasoning, application of mathematical tools, pattern
  finding, patience, determination, and luck. The best available
  textbooks on the subject are the Military Cryptanalytics series
  [CF]. It is clear that proficiency in cryptanalysis is, for
  the most part, gained through the attempted solution of given
  systems. Such experience is considered so valuable that some of the
  cryptanalyses performed during WWII by the Allies are still
  classified.

  Modern public-key cryptanalysis may consist of factoring an integer,
  or taking a discrete logarithm. These are not the traditional fare
  of the cryptanalyst. Computational number theorists are some of the
  most successful cryptanalysts against public key systems.

* What is a brute-force search and what is its cryptographic relevance?

  In a nutshell: If f(x) = y and you know y and can compute f, you can
  find x by trying every possible x. That's brute-force search.

  Example: Say a cryptanalyst has found a plaintext and a corresponding
  ciphertext, but doesn't know the key. He can simply try encrypting the
  plaintext using each possible key, until the ciphertext matches---or
  decrypting the ciphertext to match the plaintext, whichever is faster.
  Every well-designed cryptosystem has such a large key space that this
  brute-force search is impractical.
    
  Advances in technology sometimes change what is considered
  practical. For example, DES, which has been in use for over 10 years
  now, has 2^56, or about 10^17, possible keys. A computation with
  this many operations was certainly unlikely for most users in the
  mid-70's. The situation is very different today given the dramatic
  decrease in cost per processor operation. Massively parallel
  machines threaten the security of DES against brute force search.
  Some scenarios are described by Garon and Outerbridge [GAR91].

  One phase of a more sophisticated cryptanalysis may involve a
  brute-force search of some manageably small space of possibilities.

* What are some properties satisfied by every strong cryptosystem?

  The security of a strong system resides with the secrecy of the key
  rather than with an attempt to keep the algorithm itself secret.

  A strong cryptosystem has a large keyspace, as mentioned above. The
  unicity distance of a system is the minimum amount of ciphertext an
  attacker must intercept before the key is uniquely determined; it is
  roughly the entropy of the key divided by the redundancy of the
  plaintext language. If the unicity distance is much longer than the
  amount of ciphertext you intend to encrypt under any one key, the
  system is probably strong.

  A strong cryptosystem will certainly produce ciphertext which appears
  random to all standard statistical tests (see, for example, [CAE90]).
    
  A strong cryptosystem will resist all known previous attacks. A
  system which has never been subjected to scrutiny is suspect.

  If a system passes all the tests mentioned above, is it necessarily
  strong? Certainly not. Many weak cryptosystems looked good at first.
  However, sometimes it is possible to show that a cryptosystem is
  strong by mathematical proof. ``If Joe can break this system, then
  he can also solve the well-known difficult problem of factoring
  integers.'' See part 6.  Failing that, it's a crap shoot.
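
  The following Python is an added illustration, not part of the FAQ.
  It puts the last three answers together on the shift cipher from the
  start of this part: a known-plaintext brute-force search over all 26
  keys, Shannon's unicity distance U = H(K)/D, and a ciphertext-only
  search that shows why ciphertext shorter than U leaves several keys
  standing. The letter-frequency table, the 3.2 bits/letter redundancy
  figure, the score threshold and the sample message are all
  assumptions chosen for the demonstration.

```python
"""Brute-force key search and unicity distance on the shift cipher.
Added example for the sci.crypt FAQ; not code from the FAQ itself."""
import math
import string

ALPHABET = string.ascii_uppercase

# Constructed single-letter frequency model of English (percent).  Any
# standard table gives similar numbers; it is used only to judge whether
# a candidate decryption "looks like English".
ENGLISH_FREQ = {
    'A': 8.2, 'B': 1.5, 'C': 2.8, 'D': 4.3, 'E': 12.7, 'F': 2.2, 'G': 2.0,
    'H': 6.1, 'I': 7.0, 'J': 0.15, 'K': 0.77, 'L': 4.0, 'M': 2.4, 'N': 6.7,
    'O': 7.5, 'P': 1.9, 'Q': 0.095, 'R': 6.0, 'S': 6.3, 'T': 9.1, 'U': 2.8,
    'V': 0.98, 'W': 2.4, 'X': 0.15, 'Y': 2.0, 'Z': 0.074,
}


def shift_encrypt(plaintext, key):
    """Replace each letter by the one `key` places later (key 3: A -> D)."""
    return ''.join(ALPHABET[(ALPHABET.index(c) + key) % 26] for c in plaintext)


def shift_decrypt(ciphertext, key):
    return shift_encrypt(ciphertext, (-key) % 26)


def brute_force_known_plaintext(plaintext, ciphertext):
    """Known-plaintext brute force: encrypt the known plaintext under every
    key and keep the keys that reproduce the ciphertext.  For the shift
    cipher a single letter already pins the key down."""
    return [k for k in range(26) if shift_encrypt(plaintext, k) == ciphertext]


def key_entropy_bits(n_keys):
    """Entropy of a key chosen uniformly from n_keys possibilities."""
    return math.log2(n_keys)


def unicity_distance(key_entropy_bits_value, redundancy_bits_per_char=3.2):
    """Shannon's estimate U = H(K) / D.  D is the redundancy of the plaintext
    language per character; for English letters about log2(26) ~ 4.7 bits
    minus roughly 1.5 bits of real information, i.e. about 3.2 bits
    (assumed figure)."""
    return key_entropy_bits_value / redundancy_bits_per_char


def english_score(text):
    """Average log-probability per letter under the unigram model, in nats.
    Genuine English scores around -2.9; random letters score much lower."""
    return sum(math.log(ENGLISH_FREQ[c] / 100.0) for c in text) / len(text)


def plausible_keys(ciphertext, threshold=-3.0):
    """Ciphertext-only brute force: decrypt under every key and keep those
    whose output scores like English.  Below the unicity distance several
    keys survive (spurious decipherments); well above it only the true key
    should remain.  The threshold is an assumption tuned to the model."""
    return [k for k in range(26)
            if english_score(shift_decrypt(ciphertext, k)) >= threshold]


if __name__ == "__main__":
    msg = "MEETMEATTHEOLDMILLATMIDNIGHT"      # constructed sample message
    ct = shift_encrypt(msg, 3)
    print("known-plaintext search ->", brute_force_known_plaintext(msg, ct))
    print("unicity distance, shift cipher: %.1f letters"
          % unicity_distance(key_entropy_bits(26)))
    print("unicity distance, simple substitution: %.1f letters"
          % unicity_distance(key_entropy_bits(math.factorial(26))))
    print("keys surviving a 1-letter ciphertext:", plausible_keys(ct[:1]))
    print("keys surviving a %d-letter ciphertext:" % len(ct), plausible_keys(ct))
```

  The one-letter ciphertext sits below the 1.5-letter unicity distance of
  the shift cipher, so nine of the 26 keys yield a "plausible" letter and
  the search cannot choose among them; the 28-letter ciphertext is far
  above it and only the true key survives. For DES the same ratio with a
  56-bit key gives a unicity distance of a few dozen characters of English,
  which is why a brute-force search with one known plaintext/ciphertext
  block is enough to confirm the key.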

* If a cryptosystem is theoretically unbreakable, then is it
  guaranteed analysis-proof in practice?

  Cryptanalytic methods include what is known as ``practical
  cryptanalysis'': the enemy doesn't have to just stare at your
  ciphertext until he figures out the plaintext. For instance, he might
  assume ``cribs''---stretches of probable plaintext. If the crib is
  correct then he might be able to deduce the key and then decipher the
  rest of the message. Or he might exploit ``isologs''---the same
  plaintext enciphered in several cryptosystems or several keys. Thus
  he might obtain solutions even when cryptanalytic theory says he
  doesn't have a chance.

  Sometimes, cryptosystems malfunction or are misused. The one-time pad,
  for example, loses all security if it is used more than once! Even
  chosen-plaintext attacks, where the enemy somehow feeds plaintext into
  the encryptor until he can deduce the key, have been employed. See
  [KAH67].
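
  The one-time pad failure mentioned above, worked through in Python as
  an added example (not from the FAQ): when two messages are XORed with
  the same pad, XORing the two ciphertexts cancels the pad and leaves the
  XOR of the two plaintexts, so a crib guessed in one message reads off
  the other message at the same position, and each recovered fragment
  becomes a longer crib. The two messages and the hash-derived "pad" are
  constructed for reproducibility; a real pad must be truly random, and
  the weakness shown is reuse, not the pad's origin.

```python
"""Reusing a one-time pad: the pad cancels out of the XOR of two ciphertexts
and a crib recovers plaintext without ever touching the key.
Added example for the sci.crypt FAQ; the data below is constructed."""
import hashlib


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext, pad):
    """Perfectly secret only if `pad` is uniformly random, at least as long
    as the message, kept secret, and used for exactly one message."""
    if len(pad) < len(plaintext):
        raise ValueError("pad shorter than message")
    return xor_bytes(plaintext, pad)


def pad_cancels(c1, c2, p1, p2):
    """c1 XOR c2 == p1 XOR p2 whenever both were encrypted under one pad."""
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


def crib_at(c1, c2, crib, offset):
    """If `crib` is the plaintext of message 1 at `offset`, the result is the
    plaintext of message 2 at the same offset.  The relation is symmetric:
    a crib in message 2 reveals message 1."""
    diff = xor_bytes(c1, c2)
    return xor_bytes(diff[offset:offset + len(crib)], crib)


def drag_crib(c1, c2, crib):
    """Slide the crib over every offset and keep the offsets where the
    opposite fragment is printable ASCII: candidates for where the crib
    really sits.  A confirmed fragment extends the crib for the next pass,
    so the two messages unravel together."""
    hits = []
    for off in range(len(c1) - len(crib) + 1):
        frag = crib_at(c1, c2, crib, off)
        if all(32 <= b < 127 for b in frag):
            hits.append((off, frag))
    return hits


def recover_pad(ciphertext, known_plaintext, offset):
    """Once any plaintext is known, that stretch of the pad follows, and with
    it every other message encrypted under the same stretch."""
    return xor_bytes(ciphertext[offset:offset + len(known_plaintext)],
                     known_plaintext)


# Constructed demo: a fixed "pad" derived from a hash so the run is
# reproducible (a real pad is random), and two messages of equal length.
PAD = hashlib.sha256(b"constructed demo pad").digest() * 2
P1 = b"ATTACK AT DAWN ON THE NORTH BRIDGE"
P2 = b"HOLD POSITION UNTIL FURTHER NOTICE"
C1 = otp_encrypt(P1, PAD)
C2 = otp_encrypt(P2, PAD)   # the misuse: same pad, second message

if __name__ == "__main__":
    print("pad cancels:", pad_cancels(C1, C2, P1, P2))
    print("crib 'ATTACK AT DAWN' at 0 reveals:",
          crib_at(C1, C2, b"ATTACK AT DAWN", 0))
    for off, frag in drag_crib(C1, C2, b"NORTH"):
        print("crib NORTH at offset %2d -> %r" % (off, frag))
    print("pad bytes recovered from a known word:",
          recover_pad(C1, b"ATTACK", 0) == PAD[:6])
```

  The attacker here is doing exactly what the FAQ calls practical
  cryptanalysis: the system is theoretically unbreakable, but the crib
  and the isolog (two messages under one key) together give up both
  plaintexts and the pad itself.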
  
* Why are many people still using cryptosystems that are
  relatively easy to break?

  Some don't know any better. Often amateurs think they can design
  secure systems, and are not aware of what an expert cryptanalyst
  could do. And sometimes there is insufficient motivation for anybody
  to invest the work needed to crack a system.

Newsgroup: sci.crypt
document_id: 15249
From: strnlght@netcom.com (David Sternlight)
Subject: Re: An Open Letter to Mr. Clinton


Here's a simple way to convert the Clipper proposal to an unexceptionable
one: Make it voluntary.

That is--you get high quality secure NSA classified technology if you agree
to escrow your key. Otherwise you are on your own.

David

-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
document_id: 15250
From: tcmay@netcom.com (Timothy C. May)
Subject: Re: Once tapped, your code is no good any more.

Brad Templeton (brad@clarinet.com) wrote:
: It occurs to me that if they get a wiretap order on you, and the escrow
: houses release your code to the cops, your code is now no longer secure.
: 
: It's in the hands of cops, and while I am sure most of the time they are
: good, their security will not be as good as the escrow houses.
: 
: 
: What this effectively means is that if they perform a wiretap on you,
: at the end of the wiretap, they should be obligated to inform you that
: a tap was performed, and replace (for free) the clipper chip in your
: cellular phone so that it is once again a code known only to the
: escrow houses.

Getting the court order to reveal the key *also* makes decipherable
all *past* conversations (which may be on tape, or disk, or whatever),
as I understand the proposal. I could be wrong, but I've seen no
mention of "session keys" being the escrowed entities.

As the EFF noted, this raises further issues about the fruits of one
bust leading to incrimination in other areas.

But is it any worse than the current unsecure system? It becomes much
worse, of course, if the government then uses this "Clinton Clipper"
to argue for restrictions on unapproved encryption. (This is the main
concern of most of us, I think. The camel's nose in the tent, etc.)

And it may also become much worse if the ostensible security is
increased, thus allowing greater access to "central office" records by
the government (the conversations being encrypted, who will object to
letting the government have access to them, perhaps even automatically
archiving large fractions...). This was one of the main objections to
the S.266 proposal, that it would force telecom suppliers to provide
easy access for the government.

Once the government has had access to months or years of your encrypted
conversations, now all it takes is one misstep, one violation that
gets them the paperwork needed to decrypt *all* of them!

Do we want anyone to have this kind of power?

-Tim May, whose sig block may get him busted in the New Regime

-- 
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,  
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets, 
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^756839 | Public Key: PGP and MailSafe available.


Newsgroup: sci.crypt
document_id: 15251
From: crypt-comments@math.ncsu.edu
Subject: Cryptography FAQ 02/10 - Net Etiquette

Archive-name: cryptography-faq/part02
Last-modified: 1993/4/15


FAQ for sci.crypt, part 2: Net Etiquette

This is the second of ten parts of the sci.crypt FAQ. The parts are
mostly independent, but you should read the first part before the rest.
We don't have the time to send out missing parts by mail, so don't ask.
Notes such as ``[KAH67]'' refer to the reference list in the last part.

The sections of this FAQ are available via anonymous FTP to rtfm.mit.edu 
as /pub/usenet/news.answers/cryptography-faq/part[xx].  The Cryptography 
FAQ is posted to the newsgroups sci.crypt, sci.answers, and news.answers 
every 21 days.


Contents:

* What groups are around? What's a FAQ? Who am I? Why am I here?
* Do political discussions belong in sci.crypt?
* How do I present a new encryption scheme in sci.crypt?


* What groups are around? What's a FAQ? Who am I? Why am I here?

  Read news.announce.newusers and news.answers for a few weeks. Always
  make sure to read a newsgroup for some time before you post to it.
  You'll be amazed how often the same question can be asked in the same
  newsgroup. After a month you'll have a much better sense of what the
  readers want to see.

* Do political discussions belong in sci.crypt?

  No. In fact some newsgroups (notably misc.legal.computing) were
  created exactly so that political questions like ``Should RSA be
  patented?'' don't get in the way of technical discussions. Many
  sci.crypt readers also read misc.legal.computing, comp.org.eff.talk,
  comp.patents, sci.math, comp.compression, et al.; for the benefit of
  people who don't care about those other topics, try to put your
  postings in the right group.

  Questions about microfilm and smuggling and other non-cryptographic
  ``spy stuff'' don't belong in sci.crypt either.

* How do I present a new encryption scheme in sci.crypt?

  ``I just came up with this neat method of encryption. Here's some
  ciphertext: FHDSIJOYW^&%$*#@OGBUJHKFSYUIRE. Is it strong?'' Without a
  doubt questions like this are the most annoying traffic on sci.crypt.

  If you have come up with an encryption scheme, providing some
  ciphertext from it is not adequate. Nobody has ever been impressed by
  random gibberish. Any new algorithm should be secure even if the
  opponent knows the full algorithm (including how any message key is
  distributed) and only the private key is kept secret. There are some
  systematic and unsystematic ways to take reasonably long ciphertexts
  and decrypt them even without prior knowledge of the algorithm, but
  this is a time-consuming and possibly fruitless exercise which most
  sci.crypt readers won't bother with.

  So what do you do if you have a new encryption scheme? First of all,
  find out if it's really new. Look through this FAQ for references and
  related methods. Familiarize yourself with the literature and the
  introductory textbooks.

  When you can appreciate how your cryptosystem fits into the world at
  large, try to break it yourself! You shouldn't waste the time of tens
  of thousands of readers asking a question which you could have easily
  answered on your own.

  If you really think your system is secure, and you want to get some
  reassurance from experts, you might try posting full details of your
  system, including working code and a solid theoretical explanation, to
  sci.crypt. (Keep in mind that the export of cryptography is regulated
  in some areas.)

  If you're lucky an expert might take some interest in what you posted.
  You can encourage this by offering cash rewards---for instance, noted
  cryptographer Ralph Merkle is offering $1000 to anyone who can break
  Snefru-4---but there are no guarantees. If you don't have enough
  experience, then most likely any experts who look at your system will
  be able to find a flaw. If this happens, it's your responsibility to
  consider the flaw and learn from it, rather than just add one more
  layer of complication and come back for another round.

  A different way to get your cryptosystem reviewed is to have the NSA
  look at it. A full discussion of this procedure is outside the scope
  of this FAQ.

  Among professionals, a common rule of thumb is that if you want to
  design a cryptosystem, you have to have experience as a cryptanalyst.

Newsgroup: sci.crypt
document_id: 15252
From: crypt-comments@math.ncsu.edu
Subject: Cryptography FAQ 05/10 - Product Ciphers

Archive-name: cryptography-faq/part05
Last-modified: 1993/4/15


FAQ for sci.crypt, part 5: Product ciphers

This is the fifth of ten parts of the sci.crypt FAQ. The parts are
mostly independent, but you should read the first part before the rest.
We don't have the time to send out missing parts by mail, so don't ask.
Notes such as ``[KAH67]'' refer to the reference list in the last part.

The sections of this FAQ are available via anonymous FTP to rtfm.mit.edu 
as /pub/usenet/news.answers/cryptography-faq/part[xx].  The Cryptography 
FAQ is posted to the newsgroups sci.crypt, sci.answers, and news.answers
every 21 days.


Contents:

* What is a product cipher?
* What makes a product cipher secure?
* What are some group-theoretic properties of product ciphers?
* What can be proven about the security of a product cipher?
* How are block ciphers used to encrypt data longer than the block size?
* Can symmetric block ciphers be used for message authentication?
* What exactly is DES?
* What is triple DES?
* What is differential cryptanalysis?
* How was NSA involved in the design of DES?
* Is DES available in software?
* Is DES available in hardware?
* Can DES be used to protect classified information?
* What are "ECB", "CBC", "CFB", and "OFB" encryption?


* What is a product cipher?

  A product cipher is a block cipher that iterates several weak
  operations such as substitution, transposition, modular
  addition/multiplication, and linear transformation. (A ``block
  cipher'' just means a cipher that encrypts a block of data---8 bytes,
  say---all at once, then goes on to the next block.) The notion of
  product ciphers is due to Shannon [SHA49]. Examples of modern
  product ciphers include LUCIFER [SOR84], DES [NBS77], SP-networks
  [KAM78], LOKI [BRO90], FEAL [SHI84], PES [LAI90], Khufu and Khafre
  [ME91a]. The so-called Feistel ciphers are a class of product
  ciphers which operate on one half of the ciphertext at each round,
  and then swap the ciphertext halves after each round. LUCIFER,
  DES, LOKI, and FEAL are examples of Feistel ciphers.

  The following table compares the main parameters of several product 
  ciphers:

  cipher   |   block length   |   key bits   |   number of rounds
  LUCIFER          128               128                16
  DES               64                56                16
  LOKI              64                64                16
  FEAL              64               128            2^x, x >= 5
  PES               64               128                 8

* What makes a product cipher secure?

  Nobody knows how to prove mathematically that a product cipher is
  completely secure. So in practice one begins by demonstrating that the
  cipher ``looks highly random''. For example, the cipher must be
  nonlinear, and it must produce ciphertext which functionally depends
  on every bit of the plaintext and the key. Meyer [MEY78] has shown
  that at least 5 rounds of DES are required to guarantee such a
  dependence. In this sense a product cipher should act as a ``mixing''
  function which combines the plaintext, key, and ciphertext in a
  complex nonlinear fashion.

  The fixed per-round substitutions of the product cipher are
  referred to as S-boxes. For example, LUCIFER has 2 S-boxes, and DES
  has 8 S-boxes. The nonlinearity of a product cipher reduces to a
  careful design of these S-boxes. A list of partial design criteria
  for the S-boxes of DES, which apply to S-boxes in general, may be
  found in Brown [BRO89] and Brickell et al. [BRI86].

* What are some group-theoretic properties of product ciphers?

  Let E be a product cipher that maps N-bit blocks to N-bit blocks.
  Let E_K(X) be the encryption of X under key K. Then, for any fixed K,
  the map sending X to E_K(X) is a permutation of the set of N-bit
  blocks. Denote this permutation by P_K. The set of all permutations
  of the 2^N possible blocks is called the symmetric group and is
  written S_{2^N}. The collection of all these permutations P_K, where K
  ranges over all possible keys, is denoted E(S_{2^N}). If E behaved
  like a random selection of permutations then we would expect
  E(S_{2^N}) to generate a large subgroup of S_{2^N}.

  Coppersmith and Grossman [COP74] have shown that a very simple
  product cipher can generate the alternating group A_{2^N} given a
  sufficient number of rounds. (The alternating group is half of the
  symmetric group: it consists of all ``even'' permutations, i.e., all
  permutations which can be written as an even number of swaps.)
  Even and Goldreich [EVE83] were able to extend these results to show
  that Feistel ciphers can generate A_{2^N}, given a sufficient number
  of rounds.

  The security of multiple encipherment also depends on the
  group-theoretic properties of a cipher. Multiple encipherment is an
  extension over single encipherment if for keys K1, K2 there does
  not exist a third key K3 such that

  E_K2(E_K1(X)) == E_K3(X)                  (**)

  which indicates that encrypting twice with two independent keys
  K1, K2 is equal to a single encryption under the third key K3.  If
  for every K1, K2 there exists a K3 such that eq. (**) is true then
  we say that E is a group.

  This question of whether DES is a group under this definition was
  extensively studied by Sherman, Kaliski, and Rivest [SHE88]. In their
  paper they give strong evidence for the hypothesis that DES is not a
  group. In fact DES is not a group [CAM93].

* What can be proven about the security of a product cipher?

  Recall from above that P_K is a permutation produced by E under
  some key K. The goal of the designer of E is to ensure that P_K
  appears to be a random element of S_{2^N}, the symmetric group.
  Let R be an element of S_{2^N} selected randomly. We will say that P_K
  and R are indistinguishable if an observer given P_K and R in some
  order cannot distinguish between these two permutations in polynomial
  time. That is, with time bounded resources, the observer cannot
  determine which of the permutations is produced by E: the optimal
  decision is no better than simply guessing.

  Luby and Rackoff [LUB88] have shown that Feistel ciphers are secure in
  this sense when the round functions are replaced by independent random
  functions: three rounds already give a permutation that cannot be
  distinguished from a random one by chosen-plaintext queries, and four
  rounds resist chosen-plaintext and chosen-ciphertext queries together.

* How are block ciphers used to encrypt data longer than the block size?

  There are four standard "modes of operation" (and numerous non-standard
  ones as well).  The standard modes of operation are defined in the U.S.
  Department of Commerce Federal Information Processing Standard (FIPS) 81,
  published in 1980.  See the question about "ECB" below for more details.

  Although they are defined for the DES block cipher, the "modes of
  operation" can be used with any block cipher.

* Can symmetric block ciphers be used for message authentication?

  A symmetric block cipher can be used to compute a message
  authentication code (MAC): anyone holding the key can check that a
  message was generated by a key holder and has not been altered since.
  But this proves nothing to a third party unless the key is revealed,
  and once the key is revealed it can no longer authenticate anything,
  since anyone could then have produced the MAC.  A symmetric MAC thus
  gives integrity and authentication between the key holders but not
  non-repudiation; for that you need a digital signature (see part 7).
  
  See ANSI X3.106-1983 and FIPS 113 (1985) for a standard method of message
  authentication using DES.

* What exactly is DES?

  DES is the U.S. Government's Data Encryption Standard - a product 
  cipher that operates on 64-bit blocks of data, using a 56-bit key.  

  It is defined in FIPS 46-1 (1988) [which supersedes FIPS 46 (1977)].
  FIPS are Federal Information Processing Standards published by NTIS.
  DES is identical to the ANSI standard Data Encryption Algorithm (DEA)
  defined in ANSI X3.92-1981. 

* What is triple DES?

  Triple DES is a product cipher which, like DES, operates on 64-bit 
  data blocks.  There are several forms, each of which uses the DES
  cipher 3 times.  Some forms use two 56-bit keys, some use three.
  The "DES modes of operation" may also be used with triple-DES.

  Some people refer to E(K1,D(K2,E(K1,x))) as triple-DES.

  This method is defined in chapter 7.2 of the ANSI standard X9.17-1985
  "Financial Institution Key Management" and is intended for use in
  encrypting DES keys and IVs for "Automated Key Distribution".  Its
  formal name is "Encryption and Decryption of a Single Key by a Key
  Pair", but it is referenced in other standards documents as EDE.

  That standard says (section 7.2.1): "Key encrypting keys may be a single
  DEA key or a DEA key pair.  Key pairs should be used where additional
  security is needed (e.g., the data protected by the key(s) has a long
  security life).  A key pair shall not be encrypted or decrypted using a
  single key."

  Others use the term "triple-DES" for E(K1,D(K2,E(K3,x))) or
  E(K1,E(K2,E(K3,x))).

  One of us (Carl Ellison) keeps advocating DES triple use in the form
  E(K1, TRAN( E(K2, TRAN( E(K3, COMPRESS( x )))))), where each DES instance
  has its own key and IV (for CBC mode) and TRAN has been posted on
  sci.crypt.  (It is a large-block transposition program taking its key
  from the data stream itself, so that it is not an encryption program on
  its own part.)

* What is differential cryptanalysis?

  Differential cryptanalysis is a statistical attack that can be
  applied to any iterated mapping (i.e. any mapping which is based on
  a repeated round function). The method was recently popularized by
  Biham and Shamir [BIH91], but Coppersmith has remarked that the
  S-boxes of DES were optimized against this attack some 20 years ago.
  This method has proved effective against several product ciphers,
  notably FEAL [BI91a].

  Differential cryptanalysis is based on observing a large number of
  ciphertexts Y, Y' whose corresponding plaintexts X, X' satisfy a
  known difference D = X+X', where + is componentwise XOR. In the
  basic Biham-Shamir attack, 2^{47} such plaintext pairs are required
  to determine the key for DES. Substantially fewer pairs are required
  if DES is truncated to 6 or 8 rounds. In these cases, the actual key
  can be recovered in a matter of minutes using a few thousand pairs.
  For full DES this attack is impractical because it requires so many
  chosen plaintexts (a known-plaintext variant exists, but needs about
  2^{55} of them).

  The work of Biham and Shamir on DES revealed several startling
  observations on the algorithm. Most importantly, if the key
  schedule were removed from DES and a 16*48 = 768-bit key were used,
  the key could be recovered in less than 2^{64} steps. Thus
  independent subkeys do not add substantial security to DES.
  Further, the S-boxes of DES are extremely sensitive in that
  changing even single entries in these tables yields significant
  improvement in the differential attack.

  Adi Shamir is quoted as saying (NYTimes Oct 13 1991), ``I would say
  that, contrary to what some people believe, there is no evidence
  of tampering with the DES so that the basic design was weakened.''
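  The following Python program is an added example and is not code from
  this FAQ or from Biham and Shamir.  It shows the first two steps of the
  attack on the scale of a single S-box: it builds the difference
  distribution table of DES S-box S1 (the S1 table is the one in FIPS 46;
  the indexing convention is DES's, outer bits select the row), reports
  the most probable (input XOR, output XOR) pair, and then recovers the
  six subkey bits XORed into that S-box by intersecting, over a few
  chosen-input pairs, the sets of inputs consistent with each observed
  output XOR.  The ``target'' is simulated in the same file with a
  constructed secret subkey and leaks only output differences, which is
  what the real attack extracts from ciphertext pairs after peeling the
  last round; the random seed and pair count are arbitrary choices.

```python
import random

# DES S-box S1 as tabulated in FIPS 46: input bits 5 and 0 select the row,
# input bits 4..1 select the column.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def sbox(table, x):
    """Apply a DES S-box to a 6-bit input, returning a 4-bit output."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return table[row][col]

def difference_table(table):
    """DDT[din][dout] = number of inputs x (out of 64) with S(x) ^ S(x ^ din) == dout."""
    ddt = [[0] * 16 for _ in range(64)]
    for din in range(64):
        for x in range(64):
            ddt[din][sbox(table, x) ^ sbox(table, x ^ din)] += 1
    return ddt

def best_differential(ddt):
    """Most probable (din, dout) with din != 0, and its count out of 64.
    The DES design criteria keep every such count at or below 16."""
    count, din, dout = max((ddt[d][o], d, o) for d in range(1, 64) for o in range(16))
    return din, dout, count

def candidate_inputs(table, din, dout):
    """All S-box inputs x for which the pair (x, x ^ din) gives output difference dout."""
    return [x for x in range(64) if sbox(table, x) ^ sbox(table, x ^ din) == dout]

def recover_subkey(table, observe, pairs):
    """Recover the 6 subkey bits XORed into one S-box.

    The attacker chooses the values e1, e2 that enter the key XOR (so the
    input difference e1 ^ e2 is known) and learns the output difference
    dout = observe(e1, e2).  The true key K satisfies
    S(e1 ^ K) ^ S(e2 ^ K) == dout, hence K is in {x ^ e1 : x in
    candidate_inputs(din, dout)}; intersecting over pairs isolates K.
    """
    keys = set(range(64))
    for e1, e2 in pairs:
        keys &= {x ^ e1 for x in candidate_inputs(table, e1 ^ e2, observe(e1, e2))}
    return keys

def simulate_attack(table, secret_key, n_pairs=24, seed=1):
    """Toy end-to-end run: the simulated target leaks only output differences."""
    rng = random.Random(seed)                       # constructed, reproducible pair choice
    observe = lambda e1, e2: sbox(table, e1 ^ secret_key) ^ sbox(table, e2 ^ secret_key)
    pairs = [(rng.randrange(64), rng.randrange(64)) for _ in range(n_pairs)]
    return recover_subkey(table, observe, pairs)

if __name__ == "__main__":
    ddt = difference_table(S1)
    din, dout, count = best_differential(ddt)
    print(f"best S1 differential: input XOR {din:02x} -> output XOR {dout:x}, {count}/64")
    print("recovered subkey candidates:", simulate_attack(S1, 0b101101))   # constructed secret
```

  Against the full cipher the same intersection runs over the 48 subkey
  bits of the last round, six at a time, and the output differences are
  not handed over by an oracle but inferred from the ciphertext pair and
  a characteristic that predicts the input difference to the last round
  with some probability; that is where the 2^{47} pairs go.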

* How was NSA involved in the design of DES?

  According to Kinnucan [KIN78], Tuchman, a member of the group that
  developed DES at IBM, is quoted as saying, ``We developed the DES
  algorithm entirely within IBM using IBMers. The NSA did not
  dictate a single wire!'' Tuchman and Meyer (another developer of
  DES) spent a year breaking ciphers and finding weaknesses in
  Lucifer. They then spent two years strengthening Lucifer. ``Their
  basic approach was to look for strong substitution, permutation,
  and key scheduling functions ... IBM has classified the notes
  containing the selection criteria at the request of the NSA....
  `The NSA told us we had inadvertently reinvented some of the deep
  secrets it uses to make its own algorithms,' explains Tuchman.''
  
  On the other hand, a document called ``Involvement of the NSA in
  the development of DES: unclassified summary of the United States
  Select Committee on Intelligence'', printed in the IEEE
  Communications Magazine, p53-55, 1978, states: ``In the development
  of DES, NSA convinced IBM that a reduced keysize was sufficient;
  indirectly assisted in the development of the S-box structures; and
  certified that the final DES algorithm was, to the best of their
  knowledge, free from any statistical or mathematical weakness.''

  Clearly the key size was reduced at the insistence of the NSA.
  The article further states that the NSA did not tamper with the
  algorithm itself, just the parameters, which in some sense
  resolves the apparent conflict in the remarks of Meyer and Tuchman
  presented above.

* Is DES available in software?

  Several people have made DES code available via ftp (see part 10 for
  pathnames): Stig Ostholm [FTPSO]; BSD [FTPBK]; Eric Young [FTPEY];
  Dennis Furguson [FTPDF]; Mark Riordan [FTPMR]; Phil Karn [FTPPK].
  A Pascal listing of DES is also given in Patterson [PAT87].

  FIPS 46-1 says "The algorithm specified in this standard is to be
  implemented ... using hardware (not software) technology.  ...
  Software implementations in general purpose computers are not in
  compliance with this standard."  Despite this, software
  implementations abound, and are used by government agencies.

* Is DES available in hardware?

  The following paragraphs are quoted from messages sent to the editors.
  We don't vouch for the quality or even existence of the products.

  Chip Rosenthal says: ``Dallas Semiconductor makes a DES
  encryption/decryption device for use on standard, digital 64Kbps PCM
  telecom data streams. It is capable of processing data in real time,
  e.g. one sample/frame. It is the DS2160. Their phone number is
  214-450-0400. You would probably need to talk with Dewight in Telecom
  marketing.''

  Christian Franke, franke@informatik.rwth-aachen.de, says: ``1.
  Cryptech CRY12C102: 22.5Mbit/s according to Data Sheet, with 32 Bit
  interface. We use this one, because it was the only one available when
  we started the project. No problems !  2. Pijnenburg PCC100: 20Mbit/s
  according to Data Sheet. Address: PIJNENBURG B.V., Boxtelswweg 26,
  NL-5261 NE Vught, The Netherlands.  3. INFOSYS DES Chip (Germany):
  S-Boxes must be loaded by software. So you can modify the Algorithm.
  Sorry, I don't have the data sheet handy. Please E-Mail me if you need
  further information.''

  mjr@tis.com (Marcus J Ranum) says: "SuperCrypt" 100Mb/sec and faster
  DES and Proprietary Storage for 16 56-bit keys Key stream generator
  Integrated hardware DES3 procedure Extended mode with 112 bit keys;
  Computer Elektronik Infosys; 512-A Herndon Parkway,; Herndon, VA
  22070; (800)322-3464

  thember@gandalf.ca (Tim Hember) says: Newbridge Microsystems sells
  an AM9568 compatible DES chip that operates at 25MHz, performs a
  round of encryption in 18 clocks, has a three-stage pipeline,
  supports ECB, CBC, CFB-8 and >>> CFB-1 <<<<.  Further it is very
  reasonably priced as opposed to other high-end DES chips.  Call
  Newbridge Microsystems, Ottawa, (613) 592-0714.  (... there are no
  import/export issues with Canada and the US).  If you require custom
  DES or Public Key ICs then Timestep Engineering developed
  Newbridge's crypto chips and ICs for other commercial and
  educational establishments. They can be reached at (613) 820-0024.

* Can DES be used to protect classified information?

  DES is not intended to protect classified data.  FIPS 46-1 says:
  "This standard will be used by Federal departments and agencies for
  the cryptographic protection of computer data when the following
  conditions apply: 1.  ...  cryptographic protection is required; and
  2. the data is not classified according to the National Security Act
  of 1947, as amended, or the Atomic Energy Act of 1954, as amended."

* What are "ECB", "CBC", "CFB", and "OFB" encryption?

  These are methods for using block ciphers, such as DES, to encrypt 
  messages, files, and blocks of data, known as "modes of operation."
  Four "modes of operation" are defined in FIPS 81 (1980 December 2), 
  and also in ANSI X3.106-1983.   

  FIPS 81 specifies that when 7-bit ASCII data is sent in octets, the
  unused most-significant bit is to be set to 1.
  FIPS 81 also specifies the padding for short blocks.

  The four DES modes of operation are: 
	Electronic Code Book  (ECB), 
	Cipher Block Chaining (CBC), 
	K-bit Cipher FeedBack (CFB), and 
	K-bit Output FeedBack (OFB).

  These methods are explained below in a C-like notation.

  Some symbols:

  P[n]	The n'th block of plaintext, input to encryption, output from
  	decryption.  Size of block determined by the mode.

  C[n]	The n'th block of ciphertext, output from encryption, input to
  	decryption.  Size of block determined by the mode.

  E(m)	The DES encryption function, performed on 64-bit block m, using
  	the 16-key schedule derived from some 56-bit key.

  D(m)	The DES decryption function, performed on 64-bit block m, using
  	the same key schedule as in E(m), except that the 16 keys
  	in the schedule are used in the opposite order as in E(m).

  IV	A 64-bit "initialization vector" shared by both encryptor and
  	decryptor.  FIPS 81 treats it as a secret held along with the key;
  	it need not be secret, but it must never be reused under the same
  	key, and for CBC it should not be predictable by an attacker.

  I[n]	The n'th value of a 64-bit variable, used in some modes.
  R[n]	The n'th value of a 64-bit variable, used in some modes.

  LSB(m,k) The k least significant (right-most) bits of m.
  	e.g.  m & ((1 << k) - 1)

  MSB(m,k) The k most significant (left-most) bits of m.
  	e.g.  (m >> (64-k)) & ((1 << k) - 1)

  = ^ << >> | &  operators as defined in the C language.


  Electronic Code Book (ECB):

  	  P[n] and C[n] are each 64-bits long.

  	  Encryption:			Decryption:
  	  C[n] = E(P[n])		P[n] = D(C[n])


  Cipher Block Chaining (CBC):

  	  P[n] and C[n] are each 64-bits long.

  	  Encryption:			Decryption:
  	  C[0] = E(P[0]^IV)		P[0] = D(C[0])^IV
  (n>0)	  C[n] = E(P[n]^C[n-1])		P[n] = D(C[n])^C[n-1]


  k-bit Cipher FeedBack (CFB):

  	  P[n] and C[n] are each k bits long, 1 <= k <= 64.  

  	  Encryption:			Decryption:
  	  I[0] = IV			I[0] = IV
  (n>0)	  I[n] = I[n-1]<<k | C[n-1]	I[n] = I[n-1]<<k | C[n-1]	
  (all n) R[n] = MSB(E(I[n]),k)		R[n] = MSB(E(I[n]),k)
  (all n) C[n] = P[n]^R[n]		P[n] = C[n]^R[n]

  	  Note that for k==64, this reduces to:

  	  I[0] = IV			I[0] = IV
  (n>0)	  I[n] = C[n-1]			I[n] = C[n-1]	
  (all n) R[n] = E(I[n])		R[n] = E(I[n])
  (all n) C[n] = P[n]^R[n]		P[n] = C[n]^R[n]

  CFB notes: Since I[n] depends only on the ciphertext of the previous
  operations, the E() function can be performed in parallel with the
  reception of the text with which it is used.  A corrupted C[n] garbles
  P[n] and the next 64/k units of plaintext, after which the shift
  register has been refilled with good ciphertext and decryption
  resynchronizes on its own.


  k-bit Output FeedBack (OFB):

  	  P[n] and C[n] are each k bits long, 1 <= k <= 64.  

  	  Encryption:			Decryption:
  	  I[0] = IV			I[0] = IV
  (n>0)	  I[n] = I[n-1]<<k | R[n-1]	I[n] = I[n-1]<<k | R[n-1]	
  (all n) R[n] = MSB(E(I[n]),k)		R[n] = MSB(E(I[n]),k)
  (all n) C[n] = P[n]^R[n]		P[n] = C[n]^R[n]

  	  Note that for k==64, this reduces to:

  	  I[0] = IV			I[0] = IV
  (n>0)	  I[n] = R[n-1]			I[n] = R[n-1]	
  (all n) R[n] = E(I[n])		R[n] = E(I[n])
  (all n) C[n] = P[n]^R[n]		P[n] = C[n]^R[n]

  OFB notes: encryption and decryption are identical.  Since I[n] is
  independent of P and C, the E() function can be performed in advance of
  the receipt of the plain/cipher text with which it is to be used, and a
  bit error in C[n] affects only the same bit of P[n].  Two cautions: the
  keystream must never be reused, since C[n]^C'[n] = P[n]^P'[n] whenever
  the same key and IV are used twice; and because FIPS 81 feeds back only
  the k output bits, the register can fall into a short cycle for k < 64,
  so the 64-bit feedback form is the one to prefer.


  Additional notes on DES "modes of operation":

  ECB and CBC use E() to encrypt and D() to decrypt, but the feedback modes
  use E() to both encrypt and decrypt.  This disproves the erroneous claim
  that systems which feature E() but not D() cannot be used for data
  confidentiality, and therefore are not subject to export controls.
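  The following Python program is an added example; it is not code from
  this FAQ nor from any of the DES implementations listed above.  It
  builds a small 16-round Feistel cipher of the shape described under
  ``What is a product cipher?'' (a toy stand-in for DES: the SHA-256-based
  round function and key schedule are inventions of this example and
  must not be used for anything real), then implements the four FIPS 81
  modes exactly as written above, a CBC-MAC in the style of the FIPS 113
  method mentioned under ``Can symmetric block ciphers be used for
  message authentication?'', and an avalanche check for the bit
  dependence discussed under ``What makes a product cipher secure?''.
  Key, IV and plaintext blocks are constructed sample values.

```python
import hashlib

MASK32 = (1 << 32) - 1
MASK64 = (1 << 64) - 1

def _subkeys(key: bytes, rounds: int = 16):
    # Toy key schedule (not DES's): one 32-bit subkey per round, derived with SHA-256.
    return [int.from_bytes(hashlib.sha256(key + bytes([r])).digest()[:4], "big")
            for r in range(rounds)]

def _f(half: int, subkey: int) -> int:
    # Toy nonlinear round function standing in for DES's expansion/S-box/permutation step.
    return int.from_bytes(hashlib.sha256((half ^ subkey).to_bytes(4, "big")).digest()[:4], "big")

def E(key: bytes, m: int) -> int:
    """Encrypt one 64-bit block with a 16-round Feistel cipher (toy stand-in for DES)."""
    L, R = m >> 32, m & MASK32
    for k in _subkeys(key):
        L, R = R, L ^ _f(R, k)      # each round alters one half, then the halves swap
    return (R << 32) | L             # undo the final swap, as DES does

def D(key: bytes, c: int) -> int:
    """Decrypt: the same network with the subkeys applied in reverse order."""
    L, R = c >> 32, c & MASK32
    for k in reversed(_subkeys(key)):
        L, R = R, L ^ _f(R, k)
    return (R << 32) | L

def MSB(m: int, k: int) -> int:
    return m >> (64 - k)              # the k most significant bits of a 64-bit value

def avalanche(key: bytes, m: int, bit: int) -> int:
    """Ciphertext bits that change when one plaintext bit flips (about 32 of 64 for a good cipher)."""
    return bin(E(key, m) ^ E(key, m ^ (1 << bit))).count("1")

def ecb_encrypt(key, blocks):
    return [E(key, p) for p in blocks]

def ecb_decrypt(key, blocks):
    return [D(key, c) for c in blocks]

def cbc_encrypt(key, iv, blocks):
    out, prev = [], iv
    for p in blocks:
        prev = E(key, p ^ prev)       # C[n] = E(P[n] ^ C[n-1]), with C[-1] = IV
        out.append(prev)
    return out

def cbc_decrypt(key, iv, blocks):
    out, prev = [], iv
    for c in blocks:
        out.append(D(key, c) ^ prev)  # P[n] = D(C[n]) ^ C[n-1]
        prev = c
    return out

def cfb_encrypt(key, iv, units, k):
    # k-bit CFB: I[n] = (I[n-1] << k | C[n-1]) truncated to 64 bits; only E() is ever needed.
    out, I = [], iv
    for p in units:
        c = p ^ MSB(E(key, I), k)
        out.append(c)
        I = ((I << k) | c) & MASK64
    return out

def cfb_decrypt(key, iv, units, k):
    out, I = [], iv
    for c in units:
        out.append(c ^ MSB(E(key, I), k))
        I = ((I << k) | c) & MASK64
    return out

def ofb(key, iv, units, k):
    # k-bit OFB as in FIPS 81: the register is fed the k output bits, so encryption == decryption.
    out, I = [], iv
    for u in units:
        r = MSB(E(key, I), k)
        out.append(u ^ r)
        I = ((I << k) | r) & MASK64
    return out

def cbc_mac(key, blocks, mac_bits=32):
    """FIPS 113 style Data Authentication Code: CBC with a zero IV, keep the leftmost bits of the last block."""
    return MSB(cbc_encrypt(key, 0, blocks)[-1], mac_bits)

if __name__ == "__main__":
    key, iv = b"toy key!", 0x1122334455667788      # constructed sample key and IV
    pt = [0x0123456789ABCDEF, 0x0123456789ABCDEF, 0xFEDCBA9876543210]
    print("ECB:", [hex(c) for c in ecb_encrypt(key, pt)])      # repeated block, repeated ciphertext
    print("CBC:", [hex(c) for c in cbc_encrypt(key, iv, pt)])  # chaining hides the repetition
    print("CFB-8:", cfb_encrypt(key, iv, [0x41, 0x42, 0x43], 8))
    print("avalanche:", avalanche(key, pt[0], 5), "of 64 bits changed")
```

  Running it shows the practical difference between the modes at a
  glance: the two identical plaintext blocks come out identical under ECB
  and different under CBC, and the CFB and OFB functions never call D(),
  which is the point made in the note above about E()-only hardware.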

Newsgroup: sci.crypt
document_id: 15253
From: crypt-comments@math.ncsu.edu
Subject: Cryptography FAQ 06/10 - Public Key Cryptography

Archive-name: cryptography-faq/part06
Last-modified: 1993/4/15


FAQ for sci.crypt, part 6: Public-Key Cryptography

This is the sixth of ten parts of the sci.crypt FAQ.


Contents:

* What is public-key cryptography?
* What's RSA?
* Is RSA secure?
* How fast can people factor numbers?
* What about other public-key cryptosystems?


* What is public-key cryptography?

  In a classic cryptosystem, we have encryption functions E_K and
  decryption functions D_K such that D_K(E_K(P)) = P for any plaintext
  P. In a public-key cryptosystem, E_K can be easily computed from some
  ``public key'' X which in turn is computed from K. X is published, so
  that anyone can encrypt messages. If D_K cannot be easily computed
  from X, then only the person who generated K can decrypt messages.
  That's the essence of public-key cryptography, published by Diffie
  and Hellman in 1976.

  In a classic cryptosystem, if you want your friends to be able to
  send secret messages to you, you have to make sure nobody other than
  them sees the key K. In a public-key cryptosystem, you just publish X,
  and you don't have to worry about spies.

  This is only the beginning of public-key cryptography. There is an
  extensive literature on security models for public-key cryptography,
  applications of public-key cryptography, other applications of the
  mathematical technology behind public-key cryptography, and so on.

* What's RSA?

  RSA is a public-key cryptosystem defined by Rivest, Shamir, and
  Adleman.  For full details, there is a FAQ available by ftp at
  RSA.COM. Here's a small example.

  Plaintexts are positive integers up to 2^{512}. Keys are quadruples
  (p,q,e,d), with p a 256-bit prime number, q a 258-bit prime number,
  and d and e large numbers with (de - 1) divisible by (p-1)(q-1). We
  define E_K(P) = P^e mod pq, D_K(C) = C^d mod pq.

  Now E_K is easily computed from the pair (pq,e)---but, as far as
  anyone knows, there is no easy way to compute D_K from the pair
  (pq,e). So whoever generates K can publish (pq,e). Anyone can send a
  secret message to him; he is the only one who can read the messages.

* Is RSA secure?

  Nobody knows. An obvious attack on RSA is to factor pq into p and q.
  See below for comments on how fast state-of-the-art factorization
  algorithms run. Unfortunately nobody has the slightest idea how to
  prove that factorization---or any realistic problem at all, for that
  matter---is inherently slow. It is easy to formalize what we mean by
  ``RSA is/isn't strong''; but, as Hendrik W. Lenstra, Jr., says,
  ``Exact definitions appear to be necessary only when one wishes to
  prove that algorithms with certain properties do _not_ exist, and
  theoretical computer science is notoriously lacking in such negative
  results.''

* How fast can people factor numbers?

  It depends on the size of the numbers. In October 1992 Arjen Lenstra
  and Dan Bernstein factored 2^523 - 1 into primes, using about three
  weeks of MasPar time. (The MasPar is a 16384-processor SIMD machine;
  each processor can add about 200000 integers per second.) The
  algorithm there is called the ``number field sieve''; it is quite a
  bit faster for special numbers like 2^523 - 1 than for general numbers
  n, but it takes time only about exp(O(log^{1/3} n log^{2/3} log n)) in
  any case.

  An older and more popular method for smaller numbers is the ``multiple
  polynomial quadratic sieve'', which takes time exp(O(log^{1/2} n
  log^{1/2} log n))---faster than the number field sieve for small n,
  but slower for large n. The breakeven point is somewhere between 100
  and 150 digits, depending on the implementations.

  Factorization is a fast-moving field---the state of the art just a few
  years ago was nowhere near as good as it is now. If no new methods are
  developed, then 2048-bit RSA keys will always be safe from
  factorization, but one can't predict the future. (Before the number
  field sieve was found, many people conjectured that the quadratic
  sieve was asymptotically as fast as any factoring method could be.)

* What about other public-key cryptosystems?

  We've talked about RSA because it's well known and easy to describe.
  But there are lots of other public-key systems around, many of which
  are faster than RSA or depend on problems more widely believed to be
  difficult. This has been just a brief introduction; if you really want
  to learn about the many facets of public-key cryptography, consult the
  books and journal articles listed in part 10.

Newsgroup: sci.crypt
document_id: 15254
From: crypt-comments@math.ncsu.edu
Subject: Cryptography FAQ 07/10 - Digital Signatures

Archive-name: cryptography-faq/part07
Last-modified: 1993/4/15


FAQ for sci.crypt, part 7: Digital Signatures and Hash Functions

This is the seventh of ten parts of the sci.crypt FAQ.


Contents:

* What is a one-way hash function?
* What is the difference between public, private, secret, shared, etc.?
* What are MD4 and MD5?
* What is Snefru?


* What is a one-way hash function?

  A typical one-way hash function takes a variable-length message and
  produces a fixed-length hash. Given the hash it is computationally
  infeasible to find a message with that hash (preimage resistance); in
  fact one should not be able to determine any usable information about
  the message from its hash, not even a single bit. For some one-way hash
  functions it is also computationally infeasible to find two messages
  which produce the same hash (collision resistance).

  A one-way hash function can be private or public, just like an
  encryption function. Here's one application of a public one-way hash
  function, like MD5 or Snefru. Most public-key signature systems are
  relatively slow. To sign a long message may take longer than the user
  is willing to wait. Solution: Compute the one-way hash of the message,
  and sign the hash, which is short. Now anyone who wants to verify the
  signature can do the same thing.

  Another name for one-way hash function is message digest function.
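  The following Python program is an added example; it is not code from
  this FAQ or from RSA Data Security.  It generates a toy RSA key of the
  form given under ``What's RSA?'' in part 6 (the same (p,q,e,d) relation,
  but 32- and 34-bit primes instead of 256- and 258-bit ones so that the
  example runs in a second), encrypts and decrypts, then carries out the
  obvious attack from ``Is RSA secure?'' by factoring pq with Pollard's
  rho method and recomputing d, and finally hashes-then-signs a message
  as described above (textbook RSA applied to a SHA-256 digest reduced
  mod n, with no padding; MD5 or Snefru would slot into the same place).
  Key size, messages and the random seed are constructed sample values;
  at this size the key is factored instantly, which is the point.

```python
import hashlib
import math
import random

def is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits, rng):
    while True:
        n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # exact bit length, odd
        if is_probable_prime(n, rng):
            return n

def generate_key(bits=64, e=65537, rng=random):
    """Toy RSA key (p, q, e, d) with (d*e - 1) divisible by (p-1)(q-1), as in the text.
    q is two bits longer than p, mirroring the text's 256/258-bit example."""
    while True:
        p, q = random_prime(bits // 2, rng), random_prime(bits // 2 + 2, rng)
        phi = (p - 1) * (q - 1)
        if math.gcd(e, phi) == 1:
            return p, q, e, pow(e, -1, phi)

def encrypt(n, e, m):
    return pow(m, e, n)       # E_K(P) = P^e mod pq

def decrypt(n, d, c):
    return pow(c, d, n)       # D_K(C) = C^d mod pq

def pollard_rho(n, rng=random):
    """Pollard's rho: a nontrivial factor of composite n.  Cost grows with the square
    root of the smaller prime, which is why moduli this small are worthless."""
    if n % 2 == 0:
        return 2
    while True:
        c, x = rng.randrange(1, n), rng.randrange(0, n)
        y, g = x, 1
        while g == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            g = math.gcd(abs(x - y), n)
        if g != n:
            return g

def recover_private_key(n, e, rng=random):
    """The obvious attack: factor pq, then compute d exactly as the key owner did."""
    p = pollard_rho(n, rng)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))

def digest_mod_n(message, n):
    # Toy reduction of a SHA-256 digest to an integer below n; a real scheme pads instead.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(n, d, message):
    """Hash-then-sign: apply the private operation to the short digest, not the long message."""
    return pow(digest_mod_n(message, n), d, n)

def verify(n, e, message, signature):
    return pow(signature, e, n) == digest_mod_n(message, n)

if __name__ == "__main__":
    rng = random.Random(1993)                # fixed seed: constructed, reproducible toy key
    p, q, e, d = generate_key(64, rng=rng)
    n = p * q
    msg = b"constructed sample message"
    print("n =", n, " d recovered by factoring:", recover_private_key(n, e) == d)
    print("signature verifies:", verify(n, e, msg, sign(n, d, msg)))
```

  Note that the verifier recomputes the digest itself and compares it
  with what the public operation yields; the signer never reveals d, so
  this is the ``private hashing, public verification'' arrangement of the
  next question, in contrast to a symmetric MAC.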

* What is the difference between public, private, secret, shared, etc.?

  There is a horrendous mishmash of terminology in the literature for a
  very small set of concepts. When an algorithm depends on a key which
  isn't published, we call it a private algorithm; otherwise we call it
  a public algorithm. We have encryption functions E and decryption
  functions D, so that D(E(M)) = M for any message M. We also have
  hashing functions H and verification functions V, such that V(M,X) = 1
  if and only if X = H(M).

  A public-key cryptosystem has public encryption and private
  decryption. Checksums, such as the application mentioned in the
  previous question, have public hashing and public verification.
  Digital signature functions have private hashing and public
  verification: only one person can produce the hash for a message,
  but everyone can verify that the hash is correct.

  Obviously, when an algorithm depends on a private key, it's meant to
  be unusable by anyone who doesn't have the key. There's no real
  difference between a ``shared'' key and a private key: a shared key
  isn't published, so it's private. If you encrypt data for a friend
  rather than ``for your eyes only'', are you suddenly doing
  ``shared-key encryption'' rather than private-key encryption? No.

* What are MD4 and MD5?

  MD4 and MD5 are message digest functions developed by Ron Rivest.
  Definitions appear in RFC 1320 and RFC 1321 (see part 10). Code is
  available from [FTPMD].

  Note that a transcription error was found in the original MD5 draft
  RFC. The corrected algorithm should be called MD5a, though some
  people refer to it as MD5.

* What is Snefru?

  Snefru is a family of message digest functions developed by Ralph
  Merkle. Snefru-8 is an 8-round function, the newest in the family.
  Definitions appear in Merkle's paper [ME91a]. Code is available from
  [FTPSF].

Newsgroup: sci.crypt
document_id: 15255
From: crypt-comments@math.ncsu.edu
Subject: Cryptography FAQ 09/10 - Other Miscellany

Archive-name: cryptography-faq/part09
Last-modified: 1993/4/15


FAQ for sci.crypt, part 9: Other Miscellany

This is the ninth of ten parts of the sci.crypt FAQ.


Contents:

* What is the National Security Agency (NSA)?
* What are the US export regulations?
* What is TEMPEST?
* What are the Beale Ciphers, and are they a hoax?
* What is the American Cryptogram Association, and how do I get in touch?
* Is RSA patented?
* What about the Voynich manuscript?


* What is the National Security Agency (NSA)?

  The NSA is the U.S. government's signals intelligence and
  communications security agency. It was established by President
  Truman in 1952, and has continued research in cryptology to the
  present. The NSA is known to be the largest employer of
  mathematicians in the world, and is also the largest purchaser of
  computer hardware in the world. Governments in general have always
  been prime employers of cryptologists. The NSA probably possesses
  cryptographic expertise many years ahead of the public state of the
  art, and can undoubtedly break many of the systems used in practice;
  but for reasons of national security almost all information about
  the NSA is classified.

  Bamford's book [BAMFD] gives a history of the people and operations of
  the NSA. The following quote from Massey [MAS88] highlights the
  difference between public and private research in cryptography:

  ``... if one regards cryptology as the prerogative of government,
  one accepts that most cryptologic research will be conducted
  behind closed doors. Without doubt, the number of workers engaged
  today in such secret research in cryptology far exceeds that of
  those engaged in open research in cryptology. For only about 10
  years has there in fact been widespread open research in
  cryptology. There have been, and will continue to be, conflicts
  between these two research communities. Open research is common
  quest for knowledge that depends for its vitality on the open
  exchange of ideas via conference presentations and publications in
  scholarly journals. But can a government agency, charged with
  responsibilities of breaking the ciphers of other nations,
  countenance the publication of a cipher that it cannot break? Can
  a researcher in good conscience publish such a cipher that might
  undermine the effectiveness of his own government's code-breakers?
  One might argue that publication of a provably-secure cipher would
  force all governments to behave like Stimson's `gentlemen', but one
  must be aware that open research in cryptography is fraught with
  political and ethical considerations of a severity than in most
  scientific fields. The wonder is not that some conflicts have
  occurred between government agencies and open researchers in
  cryptology, but rather that these conflicts (at least those of which
  we are aware) have been so few and so mild.''

* What are the US export regulations?

  In a nutshell, there are two government agencies which control
  export of encryption software. One is the Bureau of Export
  Administration (BXA) in the Department of Commerce, authorized by
  the Export Administration Regulations (EAR). Another is the Office
  of Defense Trade Controls (DTC) in the State Department, authorized
  by the International Traffic in Arms Regulations (ITAR). As a rule
  of thumb, BXA (which works with COCOM) has less stringent
  requirements, but DTC (which takes orders from NSA) wants to see
  everything first and can refuse to transfer jurisdiction to BXA.

  The newsgroup misc.legal.computing carries many interesting
  discussions on the laws surrounding cryptographic export, what
  people think about those laws, and many other complex issues which
  go beyond the scope of technical groups like sci.crypt. Make sure to
  consult your lawyer before doing anything which will get you thrown in
  jail; if you are lucky, your lawyer might know a lawyer who has at
  least heard of the ITAR.

* What is TEMPEST?

  TEMPEST is a standard for electromagnetic shielding for computer
  equipment. It was created in response to the discovery that
  information can be read from computer radiation (e.g., from a CRT) at
  quite a distance and with little effort.

  Needless to say, encryption doesn't do much good if the cleartext
  is available this way.

* What are the Beale Ciphers, and are they a hoax?

  (Thanks to Jim Gillogly for this information and John King for
  corrections.)

  The story in a pamphlet by J. B. Ward (1885) goes: Thomas
  Jefferson Beale and a party of adventurers accumulated a huge mass
  of treasure and buried it in Bedford County, Virginia, leaving
  three ciphers with an innkeeper; the ciphers describe the
  location, contents, and intended beneficiaries of the treasure.
  Ward gives a decryption of the second cipher (contents) called B2;
  it was encrypted as a book cipher using the initial letters of the
  Declaration of Independence (DOI) as key. B1 and B3 are unsolved;
  many documents have been tried as the key to B1.
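  As an added illustration (my own code, not part of the FAQ), here is the
  kind of book cipher the pamphlet describes, in Python: the key text's
  words are numbered from 1 and each ciphertext number selects the initial
  letter of that word. The key text below is a constructed stand-in, not
  the Declaration of Independence, and the run-length check at the end is a
  simplified version of the kind of anomaly Gillogly's decryption turned up
  (a long alphabetical run is not something a random key produces).

```python
import random
import re

# Constructed key text (assumption: a short stand-in, NOT the real
# Declaration of Independence, so the example runs offline).
KEY_TEXT = (
    "when in the course of human events it becomes necessary for one "
    "people to dissolve the political bands which have connected them "
    "with another and to assume among the powers of the earth the "
    "separate and equal station to which the laws of nature and of "
    "natures god entitle them a decent respect to the opinions of "
    "mankind requires that they should declare the causes which impel "
    "them to the separation"
)


def initial_letters(key_text):
    """Number the key text's words from 1 and return each word's first letter."""
    words = re.findall(r"[a-z]+", key_text.lower())
    return [w[0] for w in words]


def decrypt_book_cipher(numbers, key_text):
    """Replace each cipher number with the initial letter of that word in the key."""
    initials = initial_letters(key_text)
    letters = []
    for n in numbers:
        if not 1 <= n <= len(initials):
            raise ValueError(f"cipher number {n} is outside the key's {len(initials)} words")
        letters.append(initials[n - 1])
    return "".join(letters)


def encrypt_book_cipher(plaintext, key_text, rng=None):
    """Encrypt by picking, for each letter, any key word that starts with it.

    Several words share an initial, so the cipher is homophonic: the same
    plaintext letter can map to different numbers on each use.
    """
    rng = rng or random.SystemRandom()
    candidates = {}
    for index, letter in enumerate(initial_letters(key_text), start=1):
        candidates.setdefault(letter, []).append(index)
    numbers = []
    for ch in plaintext.lower():
        if ch not in candidates:
            raise ValueError(f"no key word starts with {ch!r}")
        numbers.append(rng.choice(candidates[ch]))
    return numbers


def longest_nondecreasing_run(text):
    """Length of the longest run of letters in alphabetical (non-decreasing) order.

    Genuine plaintext gives short runs; a long one suggests the 'plaintext'
    came from walking through the key in order rather than from a message.
    """
    best = run = 0
    prev = None
    for ch in text.upper():
        run = run + 1 if prev is not None and ch >= prev else 1
        best = max(best, run)
        prev = ch
    return best


if __name__ == "__main__":
    numbers = encrypt_book_cipher("beacon", KEY_TEXT, random.Random(1))
    print(numbers, decrypt_book_cipher(numbers, KEY_TEXT))
    print(longest_nondecreasing_run("ABFDEFGHIIJKLMMNOHPP"))  # the string Gillogly found
```

  With the real pamphlet numbers and the real Declaration the same
  decrypt function applies; only the key text changes.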

  Aficionados can join a group that attempts to solve B1 by various
  means with an eye toward splitting the treasure:

  The Beale Cypher Association
  P.O. Box 975
  Beaver Falls, PA 15010

  You can get the ciphers from the rec.puzzles FAQL by including the
  line:

  send index

  in a message to netlib@peregrine.com and following the directions.
  (There are apparently several different versions of the cipher
  floating around. The correct version is based on the 1885 pamphlet,
  says John King <kingj@hpcc01.corp.hp.com>.)

  Some believe the story is a hoax. Kruh [KRU88] gives a long list of
  problems with the story. Gillogly [GIL80] decrypted B1 with the DOI
  and found some unexpected strings, including ABFDEFGHIIJKLMMNOHPP.
  Hammer (president of the Beale Cypher Association) agrees that this
  string couldn't appear by chance, but feels there must be an
  explanation; Gwyn (sci.crypt expert) is unimpressed with this
  string.

* What is the American Cryptogram Association, and how do I get in touch?

  The ACA is an organization devoted to cryptography, with an emphasis
  on cryptanalysis of systems that can be attacked either with
  pencil-and-paper or computers. Its organ ``The Cryptogram'' includes
  articles and challenge ciphers. Among the more than 50 cipher types in
  English and other languages are simple substitution, Playfair,
  Vigenere, bifid, Bazeries, grille, homophonic, and cryptarithm.

  Dues are $15 for one year (6 issues); more outside of North America;
  less for students under 18 and seniors. Subscriptions should be sent
  to ACA Treasurer, 18789 West Hickory St., Mundelein, IL 60060.

* Is RSA patented?

  Yes. The patent number is 4,405,829, filed 12/14/77, granted 9/20/83.
  For further discussion of this patent, whether it should have been
  granted, algorithm patents in general, and related legal and moral
  issues, see comp.patents and misc.legal.computing. For information
  about the League for Programming Freedom see [FTPPF]. Note that one of
  the original purposes of comp.patents was to collect questions such as
  ``should RSA be patented?'', which often flooded sci.crypt and other
  technical newsgroups, into a more appropriate forum.

* What about the Voynich manuscript?

  nelson@reed.edu (Nelson Minar) says there is a mailing list on the
  subject.  The address to write to subscribe to the VMS mailing list
  is: <voynich-request@rand.org>

  The ftp archive is: rand.org:/pub/voynich

  There's all sorts of information about the manuscript itself, of
  course. A good bibliography can be found on the ftp site. Kahn's
  "The Codebreakers" gives a good introduction.

Newsgroup: sci.crypt
document_id: 15256
From: johnson@trwacs.fp.trw.com (Steve Johnson)
Subject: Re: How do they know what keys to ask for? (Re: Clipper)

brad@clarinet.com (Brad Templeton) writes:

[...]
>And of course you have to identify yourself to the phone company, and
>since the phone company complies with court orders, they will know the
>magic number of your chip when they sign out a warrant on you, and
>then can present the warrant to the key escrow house.

  Who makes them forget and destroy all copies of the key once they've
decided you're not a criminal today?  Just curious.
>-- 
>Brad Templeton, ClariNet Communications Corp. -- Sunnyvale, CA 408/296-0366
------- Any views expressed are those of myself and not my employer. --------
Steven C. Johnson, WB3IRU / VK2GDS      |
TRW                                     | johnson@trwacs.fp.trw.com
FP1 / 3133                              |         [129.193.172.90]
1 Federal Systems Park Drive            | Phone:        +1 (703) 968.1000
Fairfax, Virginia  22033-4412  U.S.A.   | Fax:          +1 (703) 803.5189

Newsgroup: sci.crypt
document_id: 15257
From: bet@sbi.com (Bennett Todd @ Salomon Brothers Inc., NY )
Subject: Re: Source of random bits on a Unix workstation

>>For your application, what you can do is to encrypt the real-time clock
>>value with a secret key.

Well, almost.... If I only had to solve the problem for myself, and were
willing to have to type in a second password (the secret key) whenever I
logged in, it could work. However, I'm trying to create a solution that
anyone can use, and which, once installed, is just as effortless to start up
as the non-solution of just using xhost(1) to control access. I've got
religious problems with storing secret keys on multiuser computers.

>For a good discussion of cryptographically "good" random number
>generators, check out the draft-ietf-security-randomness-00.txt
>Internet Draft, available at your local friendly internet drafts
>repository.

Thanks for the pointer! It was good reading, and I liked the idea of using
several unrelated sources with a strong mixing function. However, unless I
missed something, the only source they suggested (aside from a hardware RNG)
that seems available, and unguessable by an intruder, when a Unix is
fresh-booted, is I/O buffers related to network traffic. I believe my
solution basically uses that strategy, without requiring me to reach into
the kernel.

>A reasonable source of randomness is the output of a cryptographic
>hash function (e.g., MD5), when fed with a large amount of
>more-or-less random data. For example, running MD5 on /dev/mem is a
>slow, but random enough, source of random bits; there are bound to be
>128 bits of entropy in the tens (or hundreds) of megabytes of data in
>a modern workstation's memory, as a fair amount of them are system
>timers, i/o buffers, etc.

I heard about this solution, and it sounded good. Then I heard that folks
were experiencing times of 30-60 seconds to run this, on
reasonably-configured workstations. I'm not willing to add that much delay
to someone's login process. My approach (etherfind|compress, skip 10K) takes
a second or two to run. I'm considering writing the be-all and end-all of
solutions, that launches the MD5, and simultaneously tries to suck bits off
the net, and if the net should be sitting __SO__ idle that it can't get 10K
after compression before MD5 finishes, use the MD5. This way I could have
guaranteed good bits, and a deterministic upper bound on login time, and
still have the common case of login take only a couple of extra seconds.

-Bennett
bet@sbi.com

Newsgroup: sci.crypt
document_id: 15258
From: george@minster.york.ac.uk
Subject: Non-word password generator

Does anyone know of a non-word password generator program
for PCs? I.e. it will produce a nonsense word but still
be pronounceable, e.g. lisgollan

Wanted to "force" users to adopt more secure passwords,
but still be memorable!

Thanks - George Bolt

p.s. please email me as well if possible "george@psychmips.york.ac.uk"
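As an added example (my own code, not a program George Bolt or anyone in
this thread names): a small pronounceable-password generator of the kind
asked about, in Python. It assembles syllables from consonant onsets,
vowels and optional codas (the lists are my own choice), draws them with
the `secrets` module, and reports the entropy the construction actually
gives, which is what a password policy should be judged on rather than
the word's length.

```python
import math
import secrets

# Syllable parts (assumption: my own lists; any similar sets work, only the
# entropy figures change).
ONSETS = ["b", "d", "f", "g", "h", "k", "l", "m", "n", "p", "r", "s", "t", "v", "z",
          "bl", "br", "gl", "gr", "st", "tr"]
VOWELS = ["a", "e", "i", "o", "u", "ai", "ou", "ee"]
CODAS = ["", "n", "s", "l", "r", "t", "st", "nd", "ll", "ng"]


def generate(syllables=3, rng=secrets):
    """Return a pronounceable nonsense word such as 'lisgollan'.

    rng must supply choice(); secrets.choice uses the OS CSPRNG. Pass a
    seeded random.Random only for reproducible tests, never for real use.
    """
    word = []
    for _ in range(syllables):
        word.append(rng.choice(ONSETS))
        word.append(rng.choice(VOWELS))
        word.append(rng.choice(CODAS))
    return "".join(word)


def entropy_bits(syllables=3):
    """Entropy of generate()'s output.

    Every part is drawn uniformly and independently, so the total is
    syllables * log2(choices per syllable). Different draws can spell the
    same word (coda 's' + onset 'tr' reads like coda 'st' + onset 'r'), so
    this is an upper bound on the true entropy, not an exact figure.
    """
    per_syllable = math.log2(len(ONSETS) * len(VOWELS) * len(CODAS))
    return syllables * per_syllable


def syllables_for(target_bits):
    """Smallest syllable count whose entropy bound reaches target_bits."""
    return math.ceil(target_bits / entropy_bits(1))


if __name__ == "__main__":
    for _ in range(5):
        print(generate())
    print(f"{entropy_bits():.1f} bits per 3-syllable word; "
          f"{syllables_for(40)} syllables needed for 40 bits")
```

Three syllables give roughly 32 bits here, which is memorable but not a
lot; the `syllables_for` helper turns a required strength into a length.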

Newsgroup: sci.crypt
document_id: 15259
From: brad@clarinet.com (Brad Templeton)
Subject: Re: Once tapped, your code is no good any more.

In article <tcmayC5M2xv.JEx@netcom.com> tcmay@netcom.com (Timothy C. May) writes:
>Getting the court order to reveal the key *also* makes decipherable
>all *past* conversations (which may be on tape, or disk, or whatever),
>as I understand the proposal. I could be wrong, but I've seen no
>mention of "session keys" being the escrowed entities.

True in theory.  In practice?  The technology of cellular phones will
probably be spread spectrum and quite difficult to record the crypttext
without the key.  If the frequency path depends on the key, as I
understand it to, it *could* be made effectively impossible to record.

Once it hits land you can record it if you have telco access.  The
telco isn't supposed to give that without a warrant.  That's the rule
today.

But even so, the evidence would not be admissible, I think, unless the
judge so ordered.  I think that even interception of the crypttext
without a warrant would be illegal.   Cops can't record today's plain
cellular calls and then ask a judge, "Hey, can we have permission to
listen to those tapes?" can they?

>worse, of course, if the government then uses this "Clinton Clipper"
>to argue for restrictions on unapproved encryption. (This is the main
>concern of most of us, I think. The camel's nose in the tent, etc.)

Yes, that is a major concern, but I think that they think they can
win just by having 99.5% of the USA use this system.  They don't even
have to care about the cautious .5% that's left.  They don't catch the
really smart crooks anyway.   John Gotti, who would have to be retarded
not to realize he was likely to be wiretapped, glibly chatted away
on his tapped phone about murder plans.  That's why he's in jail now.
Hard to believe, but true.


This scheme can succeed without laws forbidding more, which people would
fight a lot harder.  They like this enough that they are dropping the so
called "Digital Telephony" proposal, according to rumours.  However the
meaning of that is complex, since they still want to get at the crypttext
on telco systems, and that requires a bit of work.
-- 
Brad Templeton, ClariNet Communications Corp. -- Sunnyvale, CA 408/296-0366

Newsgroup: sci.crypt
document_id: 15260
From: johnson@trwacs.fp.trw.com (Steve Johnson)
Subject: Re: Once tapped, your code is no good any more.

tcmay@netcom.com (Timothy C. May) writes:

>Brad Templeton (brad@clarinet.com) wrote:
>: It occurs to me that if they get a wiretap order on you, and the escrow
>: houses release your code to the cops, your code is now no longer secure.
>: 
>: It's in the hands of cops, and while I am sure most of the time they are
>: good, their security will not be as good as the escrow houses.
>: 
>: What this effectively means is that if they perform a wiretap on you,
>: at the end of the wiretap, they should be obligated to inform you that
>: a tap was performed, and replace (for free) the clipper chip in your
>: cellular phone so that it is once again a code known only to the
>: escrow houses.

>Getting the court order to reveal the key *also* makes decipherable
>all *past* conversations (which may be on tape, or disk, or whatever),
>as I understand the proposal. I could be wrong, but I've seen no
>mention of "session keys" being the escrowed entities.

>As the EFF noted, this raises further issues about the fruits of one
>bust leading to incrimination in other areas.

>But is it any worse than the current unsecure system? It becomes much
>worse, of course, if the government then uses this "Clinton Clipper"
>to argue for restrictions on unapproved encryption. (This is the main
>concern of most of us, I think. The camel's nose in the tent, etc.)

>And it may also become much worse if the ostensible security is
>increased, thus allowing greater access to "central office" records by
>the government (the conversations being encrypted, who will object to
>letting the government have access to them, perhaps even automatically
>archiving large fractions...). This was one of the main objections to
>the S.266 proposal, that it would force telecom suppliers to provide
>easy access for the government.

>Once the government has had access to months or years of your encrypted
>conversations, now all it takes is one misstep, one violation that
>gets them the paperwork needed to decrypt *all* of them!

>Do we want anyone to have this kind of power?

>-Tim May, whose sig block may get him busted in the New Regime

  A remark I heard the other day is beginning to take on increasingly
frightening significance.  The comment was made that "In other parts
of the world the Democrats [note the big "D"] would be known as
Socialists" 

  A [note the small "d"] democrat who wonders what Thomas Jefferson, on
this the 250th anniversary of his birth, would have thought of the state
of affairs between the government and the governed.


------- Any views expressed are those of myself and not my employer. --------
Steven C. Johnson, WB3IRU / VK2GDS      |
TRW                                     | johnson@trwacs.fp.trw.com
FP1 / 3133                              |         [129.193.172.90]
1 Federal Systems Park Drive            | Phone:        +1 (703) 968.1000
Fairfax, Virginia  22033-4412  U.S.A.   | Fax:          +1 (703) 803.5189

Newsgroup: sci.crypt
document_id: 15261
From: wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

In article <jhesseC5Ltt5.IMC@netcom.com> jhesse@netcom.com (John Hesse) writes:
   Stupid me. I believed the Democrats stood for principles of personal
   privacy while it was the Neanderthal Republicans that wanted into every
   aspect of our lives. 
   Clinton is just more clever than the other guy. Looks like gun control for
   privacy technology. One small step at a time.

Remember "Defend Firearms - Defeat Dukakis", followed by Bush's soon-after-
election support for gun-control?   This is the Democrats' version
"Defend Free Speech - Reject Republicans" followed by speech control.

   Wait a minute....  Let me think about this.

   Hmmm, I feel better now. I believe the White House when they tell us
   this first step is, in fact, the final step. All is OK. We've nothing to fear.
   They're here to help us.   God bless America.
 
Hey, like the grrreat J.R. "Bob" Dobbs says, you've got to pull the
wool over your *own* eyes!

--
#				Pray for peace;      Bill
# Bill Stewart 1-908-949-0705 wcs@anchor.att.com AT&T Bell Labs 4M312 Holmdel NJ
#	              No, I'm *from* New Jersey, I only *work* in cyberspace....
# White House Comment Line 1-202-456-1111  fax 1-202-456-2461

Newsgroup: sci.crypt
document_id: 15262
From: sphughes@sfsuvax1.sfsu.edu (Shaun P. Hughes)
Subject: Clipper Crap


>encryption's dual-edge sword:  encryption helps to protect the
>privacy of individuals and industry, but it also can shield
>criminals and terrorists.  We need the "Clipper Chip" and other
 ^^^^^^^^^^^^^^^^^^^^^^^^


   Just a random passing thought, but can anyone cite a documented use
of encryption technology by criminals and terrorists.
   (Excluding the Iran-Contra Gang)


-- 

             Shaun P. Hughes  sphughes@sfsuvax1.sfsu.edu 

                    finger for PGP 2.2 Public Key

Newsgroup: sci.crypt
document_id: 15263
From: wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705)
Subject: White House Wiretap Chip Disinformation Sheet

Fascinating.  Most of the content of the White House announcements was
in what was *not* said.  It gives us almost nothing of value, threatens to
take away a lot, and does it with a sincere smile on its face,
and the nice friendly word "Management".

			      FACT SHEET
		     PUBLIC ENCRYPTION MANAGEMENT

The first thing it doesn't say is "We're giving you stronger encryption".
what it says is 
   the U. S. Government has developed a microcircuit that not only
   provides privacy through encryption that is substantially more robust
   than the current government standard, but also permits escrowing of
   the keys needed to unlock the encryption.  The system for the
   escrowing of keys will allow the government to gain access to
   encrypted information only with appropriate legal authorization.
But DES is strong enough that only the government can break it now,
so the major effect is to make it EASIER for government to break!
*At best* it makes it more difficult for the NSA to break, since they
need to get one of the two escrowed keys to do a brute-force search
for the other 40-bit key.

Similarly, it didn't say "We're making encryption commercially available."
because encryption *is* already commercially available, including
forms the NSA may not be able to break, like triple-DES or IDEA.
And phone companies could offer DES-based systems *now* if they were
convinced the government would let them and they could make enough money.

The next thing it didn't say is "We're making encryption legal",
because of course encryption *has always been* legal, and the
President can't change the First Amendment merely by decree.
What it *did* say was:
	In making this decision, I do not intend to prevent the
	private sector from developing, or the government from approving,
	other microcircuits or algorithms that are equally effective in
	assuring both privacy and a secure key- escrow system.
which clearly means "We're making encryption illegal unless we get your keys.
Soon.  Once business buys into this."

Another thing it didn't say is "We're going to ask Congress for money
to do *lots* more wiretapping", because of course, there's a budget crisis,
and Congress might debate the policy issues or not give them the cash.
What it *did* say was:
   The Attorney General will procure and utilize encryption devices to
   the extent needed to preserve the government's ability to conduct
   lawful electronic surveillance and to fulfill the need for secure
   law enforcement communications.  Further, the Attorney General
   shall utilize funds from the Department of Justice Asset Forfeiture
   Super Surplus Fund to effect this purchase.
which means "We've got money Congress can't control and we're going to
buy lots of wiretapping equipment with it to detect NON-APPROVED CRYPTO
(that's what "preserve the government's ability to conduct ... surveillance" 
means.)  
--
#				Pray for peace;      Bill
# Bill Stewart 1-908-949-0705 wcs@anchor.att.com AT&T Bell Labs 4M312 Holmdel NJ
#	              No, I'm *from* New Jersey, I only *work* in cyberspace....
# White House Comment Line 1-202-456-1111  fax 1-202-456-2461

Newsgroup: sci.crypt
document_id: 15264
From: brad@clarinet.com (Brad Templeton)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

Interestingly enough, in designing the escrow, we may want to use some
rather unusual technology, such as sealed boxes of paper, or
destructive read memory, rather than typical computer databases, which
is fun for a database of hundreds of millions of keys.

The greatest danger of the escrow database, if it were kept on disk,
would be the chance that a complete copy could somehow leak out.  You
can design lots of protection, but with enough corruption a complete
copy is always possible.   Storing it on paper or something very hard
to copy at once may actually make sense.  Or a medium that can't be
copied -- for example, something with very slow access times or which
leaves a destructive trail if it is even read.

Of course then it's hard to backup.  However, I think the consequences
of no backup -- the data is not there when a warrant comes -- are worse
than the consequences of a secret backup.

An audit trail that reveals when data has been accessed, that *can't* be
erased by the humans involved, is also necessary.
-- 
Brad Templeton, ClariNet Communications Corp. -- Sunnyvale, CA 408/296-0366
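As an added example (my own code, not anything Templeton or the escrow
proposal specifies): one way to get the "audit trail that can't be erased
by the humans involved" is a hash chain, where each access record commits
to the previous one and the current head hash is copied to a witness
outside the escrow house after every append. Deleting, altering or
truncating records then breaks the chain against that witnessed head, as
the checks below show on constructed records.

```python
import hashlib
import json

GENESIS = "0" * 64  # head value of an empty log


def entry_hash(prev_hash, record):
    """Commit to the record AND the previous hash, so order and content are both fixed."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}\n{canonical}".encode()).hexdigest()


class AccessLog:
    """Append-only record of key releases from an escrow store (constructed example)."""

    def __init__(self):
        self.entries = []      # list of (record, hash) in append order
        self.head = GENESIS    # give this to an outside witness after each append

    def append(self, who, key_id, warrant, when):
        record = {"seq": len(self.entries), "who": who, "key_id": key_id,
                  "warrant": warrant, "when": when}
        digest = entry_hash(self.head, record)
        self.entries.append((record, digest))
        self.head = digest
        return digest


def verify_chain(entries, witnessed_head):
    """Recompute the chain; return (True, None) or (False, index of first bad link).

    An index equal to len(entries) means the records are internally
    consistent but the log is shorter than the head the witness holds,
    i.e. the newest records were dropped.
    """
    prev = GENESIS
    for i, (record, digest) in enumerate(entries):
        if record.get("seq") != i or entry_hash(prev, record) != digest:
            return False, i
        prev = digest
    if prev != witnessed_head:
        return False, len(entries)
    return True, None


def build_sample_log():
    """Three constructed release events (placeholder names and warrant numbers)."""
    log = AccessLog()
    log.append("agent-A", "chip-0001", "WARRANT-PLACEHOLDER-1", "1993-04-17T10:00:00Z")
    log.append("agent-B", "chip-0002", "WARRANT-PLACEHOLDER-2", "1993-04-17T11:30:00Z")
    log.append("agent-A", "chip-0001", "WARRANT-PLACEHOLDER-3", "1993-04-18T09:15:00Z")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:   ", verify_chain(log.entries, log.head))
    erased = log.entries[:1] + log.entries[2:]           # someone removed record 1
    print("erased:   ", verify_chain(erased, log.head))
    edited = [(dict(r, warrant="NONE"), h) if r["seq"] == 1 else (r, h)
              for r, h in log.entries]
    print("edited:   ", verify_chain(edited, log.head))
    print("truncated:", verify_chain(log.entries[:-1], log.head))
```

The chain only proves tampering if the head hash really does leave the
building; a copy kept next to the log can be rewritten along with it.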

Newsgroup: sci.crypt
document_id: 15265
From: rdippold@qualcomm.com (Ron "Asbestos" Dippold)
Subject: Re: Clinton Boost in Spy Spending


Right on the heels of the Clinton "registered encryption key" debacle comes:

sphughes@sfsuvax1.sfsu.edu (Shaun P. Hughes) writes:
>[From yesterdays S.F. Chronicle]

>"President Clinton has asked Congress for authority to spend more money
>on spy agencies, satellites and other intelligence activities in fiscal
>1994 than it allotted for 1993, congressional and administration
>officials say. "

>.... Clinton had promised to slash intelligence spending by $7 billion
>over four years.

>.... Although the size of the nations' vast intelligence budget remains
>an official secret, administration and congressional officials disclosed
>yesterday that it would total about $28 billion if the increase
>requested by Clinton is approved.

Wonder how much of that extra money goes into coming up with
encryption schemes they can easily crack?
-- 
The Theorem Theorem: If if, then then

Newsgroup: sci.crypt
document_id: 15266
From: rdippold@qualcomm.com (Ron "Asbestos" Dippold)
Subject: Re: White House Wiretap Chip Disinformation Sheet

wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705) writes:
>Fascinating.  Most of the content of the White House announcements was
>in what was *not* said.  It gives us almost nothing of value, threatens to
>take away a lot, and does it with a sincere smile on its face,
>and the nice friendly word "Management".

The computer, err, government, is your friend.  Have a nice day (under
penalty of law).
-- 
To refuse praise is to seek praise twice.

Newsgroup: sci.crypt
document_id: 15267
From: rdippold@qualcomm.com (Ron "Asbestos" Dippold)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

jhesse@netcom.com (John Hesse) writes:
>Oh great. Wonderful news. Nobody can listen in--except the feds.

And anybody who can get the keys from the escrow company.  This is a
database that's going to take plenty of updating - they think they can
keep it secure?  Please...  and that's just primary, not secondary
sources, such as police using the key under a warrant.  Would anyone
be surprised if they just "neglected" to erase the key if it turned
out they couldn't nail you on anything?
-- 
Nourish a waif and it will pick out your eyes.

Newsgroup: sci.crypt
document_id: 15268
From: brad@clarinet.com (Brad Templeton)
Subject: Re: How to detect use of an illegal cipher?

In article <1qnmnp$db8@sol.TIS.COM> mjr@tis.com (Marcus J Ranum) writes:
>traffic. That way your traffic looks "normal" and perhaps anyone
>desiring to listen in won't even bother, since they know nobody's
>going to really trust crypto that has classified internals for
>important stuff.


Nice to think, but naive.  The fact is that millions of people today
are sending highly confidential information over unencoded, easy to
receive cellular phones.  They figure the chances of being heard are
small, so they risk it.

And 99.9% of people don't understand crypto the way the least of the
sci.crypt newbies does.   If Clinton tells them it's good crypto,
they'll believe him, and send important stuff over it, and be thankful
that they're no longer using clear-voice FM cellular phones.

Only a tiny fraction of people will want more crypto.  Worse, in the
eyes of the government, which swears up and down the algorithm is
spook-level secure (and it may indeed be) the only reason you could
possibly want this extra level is to avoid police.

By using it, you'll attract attention as a likely lawbreaker.

"Your honour, the suspect suddenly started using another level of
cryptography and we can't tap his phone calls any more.  He must
have something to hide.  Please sign the warrant to search his
house..."
-- 
Brad Templeton, ClariNet Communications Corp. -- Sunnyvale, CA 408/296-0366

Newsgroup: sci.crypt
document_id: 15269
From: barrett@lucy.ee.und.ac.za (Alan Barrett)
Subject: Re: White House Public Encryption Management Fact Sheet

In article <C5LGAz.250@dove.nist.gov>,
clipper@csrc.ncsl.nist.gov (Clipper Chip Announcement) writes:
> Distribution: na

No thanks.  This topic is of interest to a much wider audience.

> In making this decision, I do
> not intend to prevent the private sector from developing, or the
> government from approving, other microcircuits or algorithms that
> are equally effective in assuring both privacy and a secure key-
> escrow system.

"In making this decision, I intend to prevent the private sector from
developing, except with the government's approval, other microcircuits
or algorithms that are more effective in assuring privacy."

--apb
Alan Barrett, Dept. of Electronic Eng., Univ. of Natal, Durban, South Africa
RFC822: barrett@ee.und.ac.za

Newsgroup: sci.crypt
document_id: 15270
From: louie@sayshell.umd.edu (Louis A. Mamakos)
Subject: Re: Once tapped, your code is no good any more.

In article <tcmayC5M2xv.JEx@netcom.com> tcmay@netcom.com (Timothy C. May) writes:

>But is it any worse than the current unsecure system? It becomes much
>worse, of course, if the government then uses this "Clinton Clipper"
>to argue for restrictions on unapproved encryption. (This is the main
>concern of most of us, I think. The camel's nose in the tent, etc.)

Excuse me?  This has *already* happened.  There's a couple of humps in
the tent already.  Ask the folks at Qualcomm what became of the
non-trivial encryption scheme they proposed for use in their CDMA
digital cellular phone standard?  There *already* are restrictions in
place.

Louis Mamakos

Newsgroup: sci.crypt
document_id: 15271
From: ken@sugra.uucp (Kenneth Ng)
Subject: Re: Fifth Amendment and Passwords

In article <1993Apr16.165423.27204@linus.mitre.org: ptrei@bistromath.mitre.org (Peter Trei) writes:
:Judge: "I grant you immunity from whatever may be learned from the key
:	itself"
:You:    "The keyphrase is: "I confess to deliberately evading copyright; 
:	the file encoded with this keyphrase contains illegal scans of 
:        copyrighted Peanuts strips.""
:Judge and CP: "Oh."
:     How will they get you now? I'm not saying that they won't, or
:can't (or even that they shouldn't :-), but what legal mechanism will
:they use? Should we be crossposting this to misc.legal?

Hm, could another court try you via a bypass of the double jeopardy amendment
like they are doing in the LAPD trial?  I.e. your judge is a state judge, and
then a federal judge retries you under the justification that it's not the
same trial.

-- 
Kenneth Ng
Please reply to ken@blue.njit.edu for now.
"All this might be an elaborate simulation running in a little device sitting
on someone's table" -- J.L. Picard: ST:TNG

Newsgroup: sci.crypt
document_id: 15272
From: smb@research.att.com (Steven Bellovin)
Subject: Re: The Old Key Registration Idea...

In article <rlglendeC5LrwC.95C@netcom.com>, rlglende@netcom.com (Robert Lewis Glendenning) writes:
> I have been chided for stating that Dorothy Denning was intellectually
> dishonest in the ACM debate and in this newsgroup.  I have previously
> refrained from suggesting that she is arguing on behalf of consulting
> clients.
> 
> Now, I say that it is clear that Dorothy Denning has been functioning
> as a lobbyist, not a computer scientist.  She has used legal ethics
> (truth is what you can convince anyone of), not scientific ethics
> (truth is understanding the external world).
> 
> Maybe we can revoke her ACM membership? 8)

I suggest that you refrain from such insults unless and until you can
produce some evidence to back up that claim.  Given the measures proposed
or passed in the last year or so, such as S.266 and the scanner ban,
her proposal need not be any more than her own attempt at a technical
solution.  It's entirely possible, in fact, that it was the notion of
splitting the key, which came up in the debate, that softened this proposal.

Newsgroup: sci.crypt
document_id: 15273
From: ji@cs.columbia.edu (John Ioannidis)
Subject: Re: Source of random bits on a Unix workstation

In article <899@pivot.sbi.com> bet@sbi.com (Bennett Todd @ Salomon Brothers Inc., NY ) writes:
>
>I heard about this solution, and it sounded good. Then I heard that folks
>were experiencing times of 30-60 seconds to run this, on
>reasonably-configured workstations. I'm not willing to add that much delay
>to someone's login process. My approach (etherfind|compress, skip 10K) takes
>a second or two to run. I'm considering writing the be-all and end-all of
>solutions, that launches the MD5, and simultaneously tries to suck bits off
>the net, and if the net should be sitting __SO__ idle that it can't get 10K
>after compression before MD5 finishes, use the MD5. This way I could have
>guaranteed good bits, and a deterministic upper bound on login time, and
>still have the common case of login take only a couple of extra seconds.
>

53 seconds to hash 20M of core (I bet I know who the source of your
information is!). No, it's not acceptable if it's part of your login
process. But if you are going to use network traffic as the source of
pseudo-random information, do the right thing and pass it through a
cryptographic hash function, not a compressor. Aside from the fact
that it will run faster, it will give better results (think of a
cryptographic hash as a function that "distills" randomness).
Something along the lines of 
	etherfind -t -x -n  | dd bs=1k count=10 2>/dev/null | md5
should do the trick. -t gives you timestamps, and the lack of -u makes
sure that dd does not get ten lines as opposed to ten K. The above
takes a couple of seconds on a lightly-loaded ethernet.

>-Bennett
>bet@sbi.com

/ji
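An added Python sketch of what Ioannidis recommends above, and of what
Todd's earlier post in this thread is trying to build: collect several
unrelated sources and run them through a cryptographic hash rather than a
compressor. It is my own example, not code from either poster; the capture
lines are constructed, SHA-256 stands in for the MD5 of the post, and
`distinct_digests` makes the point the post implies: a hash distills
whatever entropy the inputs carry but cannot create any, so the seed is
only as good as the sources, not as long as the digest.

```python
import hashlib
import os
import time

# Constructed stand-in for a few lines of packet-capture output (made-up
# addresses and timestamps, not real etherfind output).
SAMPLE_CAPTURE = b"""\
10:41:07.113291 192.0.2.17.1023 > 192.0.2.5.2049: udp 120
10:41:07.118804 192.0.2.5.2049 > 192.0.2.17.1023: udp 1472
10:41:07.118911 192.0.2.5.2049 > 192.0.2.17.1023: udp 1472
10:41:07.201556 198.51.100.9.6000 > 192.0.2.17.1345: tcp 4 (ack)
10:41:07.333018 192.0.2.17.1345 > 198.51.100.9.6000: tcp 80
"""


def mix(*sources):
    """Hash several byte strings into one 32-byte seed.

    Each source is length-prefixed so that moving bytes from one source to
    the next cannot yield the same digest; the order of sources matters.
    """
    h = hashlib.sha256()
    for s in sources:
        h.update(len(s).to_bytes(8, "big"))
        h.update(s)
    return h.digest()


def seed_from_environment(capture_bytes):
    """Combine captured traffic with other per-process values.

    This is the draft's advice in miniature: several weak, unrelated sources
    behind one strong mixing function. On a modern system os.urandom() is
    the right primary source; it is added here whenever the platform has it.
    """
    sources = [capture_bytes, str(time.time_ns()).encode(), str(os.getpid()).encode()]
    try:
        sources.append(os.urandom(32))
    except NotImplementedError:
        pass
    return mix(*sources)


def distinct_digests(candidate_inputs):
    """Number of different seeds an attacker must try if the input could only
    take these values: hashing does not raise that number."""
    return len({hashlib.sha256(c).digest() for c in candidate_inputs})


if __name__ == "__main__":
    print(mix(SAMPLE_CAPTURE).hex())
    print(seed_from_environment(SAMPLE_CAPTURE).hex())
    # A 256-bit digest of a one-byte input still has only 256 possible values.
    print(distinct_digests(bytes([i]) for i in range(256)))
```

The compressor in Todd's pipeline is only a rough gauge of how much
traffic to collect; it is the hash that turns the collected bytes into
something usable as a seed.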


Newsgroup: sci.crypt
document_id: 15274
From: zrepachol@cc.curtin.edu.au (Paul Repacholi)
Subject: Re: How do they know what keys to ask for? (Re: Clipper)

In article <johnson.735023704@trwacs>, johnson@trwacs.fp.trw.com (Steve Johnson) writes:
> brad@clarinet.com (Brad Templeton) writes:
>>And of course you have to identify yourself to the phone company, and
>>since the phone company complies with court orders, they will know the
>>magic number of your chip when they sign out a warrant on you, and
>>then can present the warrant to the key escrow house.


Lets hope. Years ago a Telecom tech refused to tap a line unless he saw the 
warrant. The management type who told him to do it fired him. The appeal
against the dismissal was lost.

>   Who makes them forget and destroy all copies of the key once they've
> decided you're not a criminal today?  Just curious.

Good luck.

~Paul


Newsgroup: sci.crypt
document_id: 15275
From: zrepachol@cc.curtin.edu.au (Paul Repacholi)
Subject: Re: What is going on?...

In article <1993Apr16.055100.1@cc.curtin.edu.au>, zrepachol@cc.curtin.edu.au (Paul Repacholi) writes:
...
> If you can't be bothered reading, get the video "Manufacturing Consent".
> 

In reply to mail queries; I don't know if a video is available yet. I asked
about a month ago and was told RSN.

Several have also asked which of Chomsky's books. My answer is ALL of them, and
anything else you can get as well. However, due to irritations like the 24 hr
day etc, I would say 'Manufacturing Consent' first, then the last parts of
'Deterring Democracy' i.e. the bits about the "domestic 3rd world". Chilling.

Anyone at MIT have a good St. Noam bibliography?

~Paul


Newsgroup: sci.crypt
document_id: 15276
From: deuelpm@craft.camp.clarkson.edu (Hobbit)
Subject: Re: White House Public Encryption Management Fact Sheet


I have a question about digital communications encryption:

	The Fact Sheet mentioned encryption/decryption microcircuitry with 
special "keys" for law enforcement for wire tapping purposes.

	If I wanted to, couldn't I develop encryption of my own?  That
is, if me and a partner in crime had unique Encryption/decryption
devices installed before the "tappable" one, couldn't we circumvent
the "keys" system?  Or replace it?

	I'd be really interested in knowing how the E/D microcircuits might
be made to prevent such befuddlement! (Layman's language, please! maybe a bit
technical...)

Please E-mail to me, as I'm not in Net News as much as I'd like to be!


Pete
deuelpm@craft.camp.clarkson.edu

--
=====================================
deuelpm@craft.camp.clarkson.edu
=====================================
"*Regret* is a rough sheet to sleep on."  -Herman Brooks

Newsgroup: sci.crypt
document_id: 15277
From: gtoal@news.ibmpcug.co.uk (Graham Toal)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

In article <strnlghtC5LGFI.JqA@netcom.com> strnlght@netcom.com (David Sternlight) writes:
>
>Though some may argue about the nose of the camel, it's worth noting that
>the government proposal is limited to scrambled telephony. If it is only
>used for that purpose, and does not extend to electronic mail or file
>encryption, then it IS an improvement over the current mass-produced
>standard civilian technology which, with a few exceptions, is limited to
>easy-to-break inverters.

Try reading between the lines David - there are *strong* hints in there
that they're angling for NREN next, and the only conceivable meaning of
applying this particular technology to a computer network is that they
intend it to be used in exclusion to any other means of encryption.

Don't be lulled by the wedge because its end looks so thin.

Graham

Newsgroup: sci.crypt
document_id: 15278
From: eck@panix.com (Mark Eckenwiler)
Subject: Re: Once tapped, your code is no good any more.

In <1993Apr17.032828.14262@clarinet.com>, brad@clarinet.com sez:
>
>Do the police normally reveal every tap they do even if no charges are
>laid?   In many ways, it would be a positive step if they had to.
>Judges set time limits on warrants, I assume.  

Under the relevant federal law, 18 USC sec. 2518(8)(d), the
authorizing judge must notify the targets within 90 days after the tap
period (with extensions) expires.  This is the "normal" practice.

Of course, no wiretap law would be complete without the Unless Clause,
which in subsection 8(d) reads like this: "On an ex parte showing
[i.e., by the gov't without opposition, since that would obviously
involve notice to the targets] of good cause to a judge of competent
jurisdiction the serving of the inventory required by this subsection
[the order itself; dates of interception; etc.] *may be postponed*"
(emphasis added).


[Followups directed to a few select groups.]

-- 
MORAL: Always Choose the Right Sort of Parents 
       Before You Start in to be Rough
                                        - George Ade
	Mark Eckenwiler    eck@panix.com    ...!cmcl2!panix!eck

Newsgroup: sci.crypt
document_id: 15279
From: murray@src.dec.com (Hal Murray)
Subject: Re: How do they know what keys to ask for?  (Re: Clipper)

In article <1993Apr17.031520.13902@clarinet.com>, brad@clarinet.com (Brad Templeton) writes:
|> The actual algorithm is classified, however, their main thrust here is
|> for cellular phones, and encryption is only over the radio end, not
|> end to end, I think.   End to end will come later.

Encrypting just the radio link doesn't make sense to me.  That means the telco
has to do the decryption, and hence they need the keys.  How are they going to be
kept secure?

Newsgroup: sci.crypt
document_id: 15280
From: amolitor@nmsu.edu (Andrew Molitor)
Subject: Re: Once tapped, your code is no good any more.

In article <tcmayC5M2xv.JEx@netcom.com>
	tcmay@netcom.com (Timothy C. May) writes:
>
>But is it any worse than the current unsecure system? It becomes much
>worse, of course, if the government then uses this "Clinton Clipper"
>to argue for restrictions on unapproved encryption. (This is the main
>concern of most of us, I think. The camel's nose in the tent, etc.)
>

	Not to pick on Mr. May in particular, of course, but isn't this
kind of the domino theory? When one little country falls, its neighbor
will surely follow, and before you know it, we're all mining salt
in Siberia for not turning in our Captain Crunch Secret Decoder Rings.

	Surely the hypothesis relying on the least wild assumptions is
to take this at face value. Our lads at the fort were asked to cook up
something that's pretty secure, with a key that can be escrowed neatly,
and they did. The government plans to sell this thing, for the reasons
they state. Yes, those evil guys in the FBI can probably, with some
effort, abuse the system. I got news for you, if the evil guys in
the FBI decide they want to persecute you, they're gonna, and you're
gonna hate it. Fact is, the FBI doesn't want to listen to your phone
calls, and if they do, and if you're using triple-DES, they'll just
get a parabolic microphone and point it at your head.

	This is pretty clearly an effort by the government to do exactly
what they're saying they're doing. As is typical with governments,
it's mismanaged, and full of holes and compromises. As is typical
with our government, it's not too bad, could be worse.

	My interpretation.

	Andrew

>-Tim May, whose sig block may get him busted in the New Regime
                           ^^^^^^^^^^^^^^^^^^

	Isn't this just a little melodramatic?

Newsgroup: sci.crypt
document_id: 15281
From: grady@netcom.com (1016/2EF221)
Subject: powerful "similarity" too

A Unix tool of cryptographic significance is available
for anonymous ftp.

"agrep 2.0.4" -- a fast approximate pattern-matching tool

source code project available from:

cs.arizona.edu 

in directory "agrep"

agrep is a very fast fuzzy search tool with a tremendous
number of powerful search options.  The one most obviously
applicable to cryptography (key selection) is to be able to
specify the "similarity" of matches in the data.

For example say you make up a password/phrase of "qimwe7l".
Of course you rightly suspect that this key itself is not
in any dictionary or word list.  But how *close* is it to
an entry that could be varied by some "crack" program to
brute-force search for it?

You use agrep to find out.  Looking with argument for none,
one or two errors, no matches.  Good so far.  But 

agrep -3 "qimwe7l" bigwordandphraselist

finds that the pattern "qimwe7l" is too close to the
pattern "imsel" (part of "himself" and a host of others),
to be of any cryptographic value as a key.

An error of level two corresponds to a simple transposition of
letters like "teh" for "the".  A minimally acceptable password
would have to pass at *least* level 3 in order not to be immediately
ruled out as even a remote possibility of being a good password.
(In real cryptographic use, my personal passphrases clear at
*least* level 8 on my rather large [>80 meg] word and phrase lists.)


And for searching for key words in human-typed data (lots o'
typos) the tool is unexcelled.  For example,
say I want to find out what people think about Gibson's
SF book "Neuromancer" in the huge SF-Lover's archives.
Even with an error distance specification as small as
"1" I will find all those people who think the title
was "Necromancer" or other common typos.  Why miss anything?

Also, the program can look for up to 30,000 patterns IN PARALLEL
at Boyer-Moore (sublinear) speeds.  Great for an NSA wannabe
to look for your name, terrorists' names, special Tagalog or
religious words, etc. in the news or e-mail spool directories.

You can even search for ciphertext by using, say, 30,000
random three-byte combinations and eliminate all texts that
don't score the X chi-square 'birthday' hits on message size Y.

You think some crypto-terrorist is trying to foil you by changing
the pattern on you?  No problem.  Try agrep -p NSA to find
NSA, National Security Agency, NSecAg, No Such Agency,
National Scrabble Association, N*S*A, etc.

You can also specify "fixed" areas: looking for license
plate XYZ123 when you know that the letters are correct,
you might say:

agrep -2 <XYZ>123 licenseplatedatabase

will find all plates starting with XYZ with up to two errors
(addition, substitution, deletion) in the number area.  You can
also "weight" the relative "cost" for substitutions, additions,
or deletion errors.  For example, when searching DNA patterns
for a particular protein combination, you might know that
some kinds of damage cause the "A" nucleotide to drop out more
than other errors... you could adjust for this bias by setting
-Dc where you set the "deletion cost" to count as "c" errors.

A steganographic use (I even used "agrep -2 "<steg>eograp" E"
just now to find the correct spelling!) would be to intentionally
introduce errors of a certain type and magnitude into a plaintext
and then later recover the original via an agrep pipe.  Lots of
possibilities here when only outlaws can have ciphertext...

Also with agrep's powerful extraction options it makes it easy
to abstract the "hits" into a useful form.  For example,

agrep -d "^From" 'PGP;(passphrase|Zimmerman|NSA)'

says output the entire mail record, delimited by 'From'
that contains 'PGP' and contains either 'passphrase',
'Zimmerman', or 'NSA'.

And agrep has been measured an order-of-magnitude faster
than the second-best similarity tool publicly available.

As usual, I will be glad to e-mail the source and docs
to those who request them by e-mail IF they cannot do
an anonymous FTP.

Get this now.
It is too powerful to stay in the hands of the NSA.


Grady Ward, vendor to the NSA (and proud of it)

-- 
grady@netcom.com  2EF221 / 15 E2 AD D3 D1 C6 F3 FC  58 AC F7 3D 4F 01 1E 2F

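The password check described in the post above, as an added example that is not part of the post or of the agrep project: a small pure-Python version of the approximate-substring search that `agrep -k` performs (Sellers' dynamic-programming algorithm), scoring a candidate password against a word list. The word list and the candidate password are constructed for the demonstration.

```python
"""Approximate matching of a password against a word list, agrep-style.

Added example, not from the post or from agrep.  WORDLIST is a constructed
stand-in for the post's 'bigwordandphraselist'.
"""
from typing import Iterable, List, Tuple

# Constructed word list for the demonstration.
WORDLIST: List[str] = [
    "himself", "the", "password", "secret", "qwerty", "computer",
    "manufacturing",
]


def levenshtein(a: str, b: str) -> int:
    """Whole-string edit distance: insert, delete and substitute each cost 1.
    This is the measure under which 'teh' is two errors away from 'the'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute / match
        prev = cur
    return prev[-1]


def approx_substring_distance(pattern: str, text: str) -> int:
    """Smallest edit distance between pattern and ANY substring of text
    (Sellers' algorithm).  This is what 'agrep -k pattern file' tests per
    line: the match may begin and end anywhere in the line."""
    prev = [0] * (len(text) + 1)          # free start: row 0 is all zeros
    for i, pc in enumerate(pattern, 1):
        cur = [i]
        for j, tc in enumerate(text, 1):
            cur.append(min(prev[j] + 1,
                           cur[j - 1] + 1,
                           prev[j - 1] + (pc != tc)))
        prev = cur
    return min(prev)                      # free end: best over all end positions


def closest_entry(password: str, wordlist: Iterable[str]) -> Tuple[str, int]:
    """The list entry the password most nearly sits inside, with its error count."""
    return min(((w, approx_substring_distance(password, w)) for w in wordlist),
               key=lambda pair: pair[1])


def clears_level(password: str, wordlist: Iterable[str], k: int) -> bool:
    """True when 'agrep -k' would report no hit: every entry needs > k errors."""
    return all(approx_substring_distance(password, w) > k for w in wordlist)


if __name__ == "__main__":
    pw = "qimwe7l"                        # the post's example password
    for k in range(0, 5):
        print(f"level {k}: {'no match' if clears_level(pw, WORDLIST, k) else 'MATCH'}")
    print("closest entry:", closest_entry(pw, WORDLIST))
```

Run stand-alone it reports that the constructed password clears levels 0 to 2 but is matched at level 3 by "himself", the same verdict the post reaches.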

Newsgroup: sci.crypt
document_id: 15282
From: mearle@netcom.com (Mark Earle)
Subject: PGP 2.0 vs 2.2


I've seen PGP 2.2 mentioned for the Mac platform. I use 2.0 on MS/DOS.
Is there a 2.2 for MS/DOS? If so, a site or two that has it available
(I'd need executables, although source would be nice to review).
What was "fixed" or changed from 2.0 > 2.2?
 
Thanks, mwe
mearle@netcom.com
finger for pgp2.0 public key


Newsgroup: sci.crypt
document_id: 15283
From: gthomas@fraser.sfu.ca (Guy Thomas)
Subject: Re: What is going on?...

zrepachol@cc.curtin.edu.au (Paul Repacholi) writes:

>In article <1993Apr16.055100.1@cc.curtin.edu.au>, zrepachol@cc.curtin.edu.au (Paul Repacholi) writes:
>...
>> If you can't be bothered reading, get the video "Manufacturing Consent".
>> 

>In reply to mail queries; I don't know if a video is available yet. I asked
>about a month ao and was told RSN.

Yes it is. From the National Film Board of Canada.
Guy
gthomas@native-ed.bc.ca

Newsgroup: sci.crypt
document_id: 15284
From: smb@research.att.com (Steven Bellovin)
Subject: Clipper -- some new thoughts

I'd *desperately* prefer it if we didn't rehash the same arguments
that went on ad infinitum last time.  That's especially true for
sci.crypt.  For that matter, I've created alt.privacy.clipper, since
the traffic is appearing in *many* different groups right now.

I'm going to focus here on some technical aspects of the plan, hence my
followup to sci.crypt.  Frankly, if you're not an absolutist, your
feelings may turn on some of these issues.  For example -- with an
80-bit key, simply splitting it into two 40-bit pieces is much less
acceptable than other schemes, because it means that if just one
repository is, shall we say, overly pliable, a would-be eavesdropper
would need to recover just 40 more bits of key.  I need not point out
in this newsgroup that that's pretty easy to do by exhaustive search.
A slightly more complex scheme -- XOR-ing the key with a random number,
and then with its complement -- would produce two 80-bit subkeys,
neither of which is useful alone.  That variant is much more resistant
to attack.  Clearly, one can get even more sophisticated, to protect
the subkeys even more.

Other thoughts...  Some people have noted the size and complexity of
the databases necessary.  But the id strings the phones emit could be
their back door key, double-encrypted with the escrow repositories'
public keys.  For that matter, they could do that only with session
keys, and have no back door at all.  In that case, the FBI would have
to bring every intercept to the repositories to be decrypted.  This
would answer many of the objections along the lines of ``how do you
make sure they stop''.

We can even combine that with a variant of the digital telephony back
door -- have the switch do the tap, but with a digitally-signed record
of the time, phone number, etc, of the call.  That provides proof to
the escrow agents that the tap was done in compliance with the terms of
the warrant.

I can suggest other variations, too.  Suppose each Clipper chip had 100
public key pairs.  Each would be used ~10 times, after which you'd need
more keying material.  (Not a bad idea in any event.)  This could be
used to enforce time limits, or rather, usage limits, on each warrant;
the keys the repository agents would deliver wouldn't last for very
long.

I suspect that the cryptographic algorithm itself is secure.  Apart from
the obvious -- why push a weak algorithm when you've already got the
back door? -- I think that the government is still genuinely concerned
about foreign espionage, especially aimed at commercial targets.  This
scheme lets the spooks have their cake and eat it, too.  (I've heard
rumors, over the years, that some factions within NSA were unhappy with
DES because it was too good.  Not that they couldn't crack it, but it
was much too expensive to do so as easily as they'd want.)  They're keeping
the details secret so that others don't build their own implementations
without the back door.

The cryptographic protocol, though, is another matter.  I see no valid
reasons for keeping it secret, and -- as I hope I've shown above -- there
are a lot of ways to do things that aren't (quite) as bad.

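An added illustration (example code, not part of Bellovin's post) of the two escrow-share constructions he contrasts: the naive split of an 80-bit key into two 40-bit halves versus two full-length XOR shares. The XOR split is implemented here as the standard pair (R, K xor R) with R a random 80-bit pad, which is one concrete reading of the "random number" scheme in the post; key and pad values are constructed for the demonstration.

```python
"""Escrow key splitting: 40/40 halves versus XOR shares.

Added example, not from the post.  The XOR construction used is the standard
(R, K ^ R) pair, assumed here as a reading of the post's description.
"""
import secrets
from typing import Optional, Set, Tuple


def split_halves(key: int, bits: int = 80) -> Tuple[int, int]:
    """Naive scheme: agent A holds the high half of the key, agent B the low half."""
    half = bits // 2
    return key >> half, key & ((1 << half) - 1)


def join_halves(high: int, low: int, bits: int = 80) -> int:
    return (high << (bits // 2)) | low


def split_xor(key: int, bits: int = 80, pad: Optional[int] = None) -> Tuple[int, int]:
    """XOR scheme: agent A holds a random full-length pad R, agent B holds K ^ R.
    Each share on its own is a uniformly random bit string independent of K."""
    if pad is None:
        pad = secrets.randbits(bits)
    return pad, key ^ pad


def join_xor(share_a: int, share_b: int) -> int:
    return share_a ^ share_b


def search_space_after_leak(scheme: str, bits: int = 80) -> int:
    """Keys an eavesdropper must still try after ONE agent hands over its share."""
    if scheme == "halves":
        return 1 << (bits // 2)   # 2**40 for an 80-bit key: within exhaustive search
    if scheme == "xor":
        return 1 << bits          # 2**80: the leaked share narrows nothing
    raise ValueError(f"unknown scheme {scheme!r}")


def consistent_keys(share_a: int, scheme: str, bits: int) -> Set[int]:
    """Brute-force confirmation of the claim above at a toy key size: the set of
    keys that could have produced the observed share_a.  Only feasible for small
    'bits'; it enumerates the whole key space."""
    keys: Set[int] = set()
    for key in range(1 << bits):
        if scheme == "halves":
            if split_halves(key, bits)[0] == share_a:
                keys.add(key)
        elif scheme == "xor":
            # For any key, share_b = key ^ share_a is a valid partner share,
            # so share_a alone rules out no key at all.
            if join_xor(share_a, key ^ share_a) == key:
                keys.add(key)
        else:
            raise ValueError(f"unknown scheme {scheme!r}")
    return keys


if __name__ == "__main__":
    key = secrets.randbits(80)            # constructed session/device key
    a, b = split_xor(key)
    assert join_xor(a, b) == key
    for scheme in ("halves", "xor"):
        n = search_space_after_leak(scheme)
        print(f"{scheme:6s}: 2^{n.bit_length() - 1} candidates after one share leaks")
    print("toy 8-bit check:",
          len(consistent_keys(0x5, "halves", 8)), "vs",
          len(consistent_keys(0x5A, "xor", 8)))
```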
Newsgroup: sci.crypt
document_id: 15285
From: Marc VanHeyningen <mvanheyn@cs.indiana.edu>
Subject: How does it really work? (was Re: text of White House announcement and Q&As on clipper chip encryption)

This announcement is somewhat disconcerting; it doesn't do anything
evil in and of itself, but bodes badly for the future of open
algorithms and standards in information security.  I won't start
panicking until/unless DES or RSA or stuff like that is prohibited, but
I'm a little anxious.  (No doubt it won't be long before someone posts
explaining how this just a small part of some far-ranging and
long-lived NSA-PKP-IRS-FBI-CIA-HandgunControlInc-Clinton conspiracy to
subvert freedom, democracy, and mathematics.)  My feeling is that the
administration probably isn't that worried about things like DES and
RSA and PGP and RIPEM, since they'll never be used by a group much
wider than us computer geeks.

The fact that this just came out now suggests one of two things:

1.  The NSA has been working on this for a long time, and it only just
    now happened to be ``ready'' to release to the world at this time.

2.  The NSA has been working on this for a long time, but wasn't able
    to get the Bush administration to go along with this plan.  (I
    find it unlikely that this would have been because of a sympathy
    for the unescrowed use of cryptography; more likely the
    administration felt that even escrowed, secret-algorithm and, for
    all we know, trivially breakable cryptography should not be made
    widely available.)

Thus said clipper@csrc.ncsl.nist.gov (Clipper Chip Announcement):
>This new technology will help companies protect proprietary
>information, protect the privacy of personal phone conversations
>and prevent unauthorized release of data transmitted
>electronically.  At the same time this technology preserves the
>ability of federal, state and local law enforcement agencies to
>intercept lawfully the phone conversations of criminals. 

The majority of the discussion involving this "Clipper Chip" seems to
pertain to the encryption of telephone conversations.  Does anyone
know if that means this chip is designed to work primarily with analog
signals?  The language sort of suggests this, but it's hard to say.

The main thing I just don't get is whether this chip implements
symmetric or asymmetric cryptographic techniques.  Anybody know?

I'm guessing symmetric, but they don't get very clear about it.  If it
is symmetric, how is it useful for anything other than link-level
encryption with an identical chip at each end?  How can you negotiate
a per-session key using symmetric cryptography without using a trusted
third party who knows your key?  (Or does it even use a per-session
key?)

If it's asymmetric, what about PKP's patents, which they claim cover
all methods of doing asymmetric cryptography?  Are they getting
royalties, or is hiding infringement the real reason for keeping the
algorithm secret? :-)
--
Marc VanHeyningen   mvanheyn@cs.indiana.edu   MIME & RIPEM accepted
Kirk:  I won't hurt you.
Alien: You hit me!
Kirk:  Well, I won't hit you again.

Newsgroup: sci.crypt
document_id: 15286
From: cuffell@spot.Colorado.EDU (Tim Cuffel)
Subject: Re: Once tapped, your code is no good any more.

I change login passwords every couple of months.  It sure would suck if I had
to get a new sparc station every time I wanted to do this.  It seems that this
is what they expect you to do if you want to routinely change your password
on your phone.  I'm sure the government contractor doesn't mind, but a system
where you can cheaply change keys (DES) has inherent security advantages, 
regardless of the algorithms involved.
-- 
-Tim Cuffel	Finger for PGP 2.1  The CIA has admitted that the assassination
                                    of Saddam Hussein was one of their goals.
They failed, of course.  Seems as though that motorcade through downtown Dallas
trick only works once.

Newsgroup: sci.crypt
document_id: 15287
From: smythw@vccnw03.its.rpi.edu (William Smythe)
Subject: Re: How to detect use of an illegal cipher?

In article <betel.734997645@camelot> betel@camelot.bradley.edu (Robert Crawford) writes:
>Jay Fenton <Fenton@Kaleida.Com> writes:
>
>>How can the government tell which encryption method one is using without
>>being able to decode the traffic? i.e., In order to accuse me of using an
>>unauthorized strong encryption technique they would have to take both
>>keys out of escrow, run them against my ciphertext and "draw a blank".
>
>	I was thinking about this, also. It's quite possible the
>system transmits, in clear, the serial number of the device being
>used. That way they can start a tap, get the serial number, and use
>the warrant for the first tap to get the key.
>
>	If they tap someone who's apparently using encryption, but
>don't find that prefix, then they'll assume it's an "un-authorized"
>encryption scheme.

From the limited details released so far, it seems that the clipper chip
system must employ some sort of public key cryptography. Otherwise, the key
management problems inherent to symmetric ciphers would make the system
unworkable. It probably has some sort of public key exchange that takes place
at the start of each call. That's how they would identify the private key in
their data base?

This means that either the NSA has developed some non-RSA public key
algorithm or the feds have decided to subsidize PKP & RSADSI. The former is
rather an exciting possibility since keeping the algorithm secret while making
chip implementations widely available will be exceptionally hard. If the feds
are forced to make it available in order to gain public acceptance then that
could break RSA's stranglehold on public key crypto in the U.S.

As for my impressions of the whole scheme, it seems that instead of trying to
ban strong crypto, they are trying to co-opt it. Their contention that they
need to keep the algorithm secret to protect the security of the key
registration suggests possible inherent weakness to the algorithm. More likely
is that they don't want anyone constructing black market devices which don't
have the keys registered. Anyone else notice that in their Q&A session, they
talk about releasing the keys only to people with proper authorization but
carefully dance around stating that the keys will simply have to be subpoenaed.
They seem to be trying to keep open the possibility of obtaining keys without
court order even though tapping a phone line requires one. Also pick up on
their implicit threat of either accept this or we'll ban strong crypto outright?
I don't trust this plan at all and plan to oppose it in all (legal) ways
possible.

Bill Smythe


Newsgroup: sci.crypt
document_id: 15288
From: amanda@intercon.com (Amanda Walker)
Subject: Re: Once tapped, your code is no good any more.

tcmay@netcom.com (Timothy C. May) writes:
> But is it any worse than the current unsecure system? It becomes much 
> worse, of course, if the government then uses this "Clinton Clipper" to 
> argue for restrictions on unapproved encryption. (This is the main 
> concern of most of us, I think. The camel's nose in the tent, etc.) 

I agree.  This is the danger I see, not the system itself.  That is to say, 
this is a political issue, not a technical one.


Amanda Walker
InterCon Systems Corporation






Newsgroup: sci.crypt
document_id: 15289
From: amanda@intercon.com (Amanda Walker)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

gtoal@news.ibmpcug.co.uk (Graham Toal) writes:
> Try reading between the lines David - there are *strong* hints in there 
> that they're angling for NREN next,

Where?  I honestly didn't see any...

> and the only conceivable meaning of 
> applying this particular technology to a computer network is that they 
> intend it to be used in exclusion to any other means of encryption. 

I disagree, if for no other reason than that there are already other 
standards in place.  Besides, even if they restrict encryption on the NREN, 
who cares?  Most of the Internet is commercial anyway.  The NREN is only for 
government and university research (read the proposals--it's a "data 
superhighway" for Cray users, not anything having to do with the Internet).


Amanda Walker
InterCon Systems Corporation



Newsgroup: sci.crypt
document_id: 15290
From: pat@rwing.UUCP (Pat Myrto)
Subject: New Clipper Chip Proposal from the Guv...

I saw this article posted in a local newsgroup.  I haven't seen it,
or any followup traffic relating to it in these groups or other groups
which I subscribe to.  So, I am posting it here so others can read it,
check it out, and comment on it, and provide ideas for handling these
sorts of things.

I have no verification to the accuracy or lack of accuracy of this
article, but if accurate, I find it extremely disturbing, especially in
light of various abuses of the SSN number regarding privacy, (I understand
it is now to be required in CA to renew a drivers license, or to register
a car) and other proposals regarding 'smart' national Identity Cards,
wiretap proposals, and such.  One simply wonders what other gems are in
the wings ready to be sprung on the people by our government.  Perhaps
suggestions and ideas for preventing this and other such proposals from
acquiring the force of law would be useful.  The cost simply outweighs
any possible benefits, IMO.

BTW, reading this makes me think of some ideas a Prof Denning has been
promoting, in an even more disturbing form.

That said, with no further comment, the article follows:

------------ Begin included article ---------

Note:  This file will also be available via anonymous file
transfer from csrc.ncsl.nist.gov in directory /pub/nistnews and
via the NIST Computer Security BBS at 301-948-5717.
     ---------------------------------------------------

                         THE WHITE HOUSE

                  Office of the Press Secretary

_________________________________________________________________

For Immediate Release                           April 16, 1993


                STATEMENT BY THE PRESS SECRETARY


The President today announced a new initiative that will bring
the Federal Government together with industry in a voluntary
program to improve the security and privacy of telephone
communications while meeting the legitimate needs of law
enforcement.

The initiative will involve the creation of new products to
accelerate the development and use of advanced and secure
telecommunications networks and wireless communications links.

For too long there has been little or no dialogue between our
private sector and the law enforcement community to resolve the
tension between economic vitality and the real challenges of
protecting Americans.  Rather than use technology to accommodate
the sometimes competing interests of economic growth, privacy and
law enforcement, previous policies have pitted government against
industry and the rights of privacy against law enforcement.

Sophisticated encryption technology has been used for years to
protect electronic funds transfer.  It is now being used to
protect electronic mail and computer files.  While encryption
technology can help Americans protect business secrets and the
unauthorized release of personal information, it also can be used
by terrorists, drug dealers, and other criminals.

A state-of-the-art microcircuit called the "Clipper Chip" has
been developed by government engineers.  The chip represents a
new approach to encryption technology.  It can be used in new,
relatively inexpensive encryption devices that can be attached to
an ordinary telephone.  It scrambles telephone communications
using an encryption algorithm that is more powerful than many in
commercial use today.

This new technology will help companies protect proprietary
information, protect the privacy of personal phone conversations
and prevent unauthorized release of data transmitted
electronically.  At the same time this technology preserves the
ability of federal, state and local law enforcement agencies to
intercept lawfully the phone conversations of criminals. 

A "key-escrow" system will be established to ensure that the
"Clipper Chip" is used to protect the privacy of law-abiding
Americans.  Each device containing the chip will have two unique
"keys," numbers that will be needed by authorized government
agencies to decode messages encoded by the device.  When the
device is manufactured, the two keys will be deposited separately
in two "key-escrow" data bases that will be established by the
Attorney General.  Access to these keys will be limited to
government officials with legal authorization to conduct a
wiretap.

The "Clipper Chip" technology provides law enforcement with no
new authorities to access the content of the private
conversations of Americans.

To demonstrate the effectiveness of this new technology, the
Attorney General will soon purchase several thousand of the new
devices.  In addition, respected experts from outside the
government will be offered access to the confidential details of
the algorithm to assess its capabilities and publicly report
their findings.

The chip is an important step in addressing the problem of
encryption's dual-edge sword:  encryption helps to protect the
privacy of individuals and industry, but it also can shield
criminals and terrorists.  We need the "Clipper Chip" and other
approaches that can both provide law-abiding citizens with access
to the encryption they need and prevent criminals from using it
to hide their illegal activities.  In order to assess technology
trends and explore new approaches (like the key-escrow system),
the President has directed government agencies to develop a
comprehensive policy on encryption that accommodates:

     --   the privacy of our citizens, including the need to
          employ voice or data encryption for business purposes;

     --   the ability of authorized officials to access telephone
          calls and data, under proper court or other legal
          order, when necessary to protect our citizens;

     --   the effective and timely use of the most modern
          technology to build the National Information
          Infrastructure needed to promote economic growth and
          the competitiveness of American industry in the global
          marketplace; and 

     --   the need of U.S. companies to manufacture and export
          high technology products.

The President has directed early and frequent consultations with
affected industries, the Congress and groups that advocate the
privacy rights of individuals as policy options are developed.

The Administration is committed to working with the private
sector to spur the development of a National Information
Infrastructure which will use new telecommunications and computer
technologies to give Americans unprecedented access to
information.  This infrastructure of high-speed networks
("information superhighways") will transmit video, images, HDTV
programming, and huge data files as easily as today's telephone
system transmits voice.

Since encryption technology will play an increasingly important
role in that infrastructure, the Federal Government must act
quickly to develop consistent, comprehensive policies regarding
its use.  The Administration is committed to policies that
protect all Americans' right to privacy while also protecting
them from those who break the law.

Further information is provided in an accompanying fact sheet. 
The provisions of the President's directive to acquire the new
encryption technology are also available.  

For additional details, call Mat Heyman, National Institute of
Standards and Technology, (301) 975-2758.

---------------------------------


QUESTIONS AND ANSWERS ABOUT THE CLINTON ADMINISTRATION'S
TELECOMMUNICATIONS INITIATIVE




Q:   Does this approach expand the authority of government
     agencies to listen in on phone conversations?

A:   No.  "Clipper Chip" technology provides law enforcement with
     no new authorities to access the content of the private
     conversations of Americans.

Q:   Suppose a law enforcement agency is conducting a wiretap on
     a drug smuggling ring and intercepts a conversation
     encrypted using the device.  What would they have to do to
     decipher the message?

A:   They would have to obtain legal authorization, normally a
     court order, to do the wiretap in the first place.  They
     would then present documentation of this authorization to
     the two entities responsible for safeguarding the keys and
     obtain the keys for the device being used by the drug
     smugglers.  The key is split into two parts, which are
     stored separately in order to ensure the security of the key
     escrow system.

Q:   Who will run the key-escrow data banks?

A:   The two key-escrow data banks will be run by two independent
     entities.  At this point, the Department of Justice and the
     Administration have yet to determine which agencies will
     oversee the key-escrow data banks.

Q:   How strong is the security in the device?  How can I be sure
     how strong the security is?  

A:   This system is more secure than many other voice encryption
     systems readily available today.  While the algorithm will
     remain classified to protect the security of the key escrow
     system, we are willing to invite an independent panel of
     cryptography experts to evaluate the algorithm to assure all
     potential users that there are no unrecognized
     vulnerabilities.

Q:   Whose decision was it to propose this product?

A:   The National Security Council, the Justice Department, the
     Commerce Department, and other key agencies were involved in
     this decision.  This approach has been endorsed by the
     President, the Vice President, and appropriate Cabinet
     officials.

Q:   Who was consulted?  The Congress?  Industry?

A:   We have on-going discussions with Congress and industry on
     encryption issues, and expect those discussions to intensify
     as we carry out our review of encryption policy.  We have
     briefed members of Congress and industry leaders on the
     decisions related to this initiative.

Q:   Will the government provide the hardware to manufacturers?

A:   The government designed and developed the key access
     encryption microcircuits, but it is not providing the
     microcircuits to product manufacturers.  Product
     manufacturers can acquire the microcircuits from the chip
     manufacturer that produces them.

Q:   Who provides the "Clipper Chip"?

A:   Mykotronx programs it at their facility in Torrance,
     California, and will sell the chip to encryption device
     manufacturers.  The programming function could be licensed
     to other vendors in the future.

Q:   How do I buy one of these encryption devices? 

A:   We expect several manufacturers to consider incorporating
     the "Clipper Chip" into their devices.
     
Q:   If the Administration were unable to find a technological
     solution like the one proposed, would the Administration be
     willing to use legal remedies to restrict access to more
     powerful encryption devices?

A:   This is a fundamental policy question which will be
     considered during the broad policy review.  The key escrow
     mechanism will provide Americans with an encryption product
     that is more secure, more convenient, and less expensive
     than others readily available today, but it is just one
     piece of what must be the comprehensive approach to
     encryption technology, which the Administration is
     developing.

     The Administration is not saying, "since encryption
     threatens the public safety and effective law enforcement,
     we will prohibit it outright" (as some countries have
     effectively done); nor is the U.S. saying that "every
     American, as a matter of right, is entitled to an
     unbreakable commercial encryption product."  There is a
     false "tension" created in the assessment that this issue is
     an "either-or" proposition.  Rather, both concerns can be,
     and in fact are, harmoniously balanced through a reasoned,
     balanced approach such as is proposed with the "Clipper
     Chip" and similar encryption techniques.

Q:   What does this decision indicate about how the Clinton
     Administration's policy toward encryption will differ from
     that of the Bush Administration?  

A:   It indicates that we understand the importance of encryption
     technology in telecommunications and computing and are
     committed to working with industry and public-interest
     groups to find innovative ways to protect Americans'
     privacy, help businesses to compete, and ensure that law
     enforcement agencies have the tools they need to fight crime
     and terrorism.

Q:   Will the devices be exportable?  Will other devices that use
     the government hardware?

A:   Voice encryption devices are subject to export control
     requirements.  Case-by-case review for each export is
     required to ensure appropriate use of these devices.  The
     same is true for other encryption devices.  One of the
     attractions of this technology is the protection it can give
     to U.S. companies operating at home and abroad.  With this
     in mind, we expect export licenses will be granted on a
     case-by-case basis for U.S. companies seeking to use these
     devices to secure their own communications abroad.  We plan
     to review the possibility of permitting wider exportability
     of these products.

----------- End included article ----------- 

-- 
pat@rwing.uucp      [Without prejudice UCC 1-207]     (Pat Myrto) Seattle, WA
         If all else fails, try:       ...!uunet!pilchuck!rwing!pat
WISDOM: "Only two things are infinite; the universe and human stupidity,
         and I am not sure about the former."              - Albert Einstein

Newsgroup: sci.crypt
document_id: 15291
From: smb@research.att.com (Steven Bellovin)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

In article <1qp9d1$e37@dorothy.ibmpcug.co.uk>, gtoal@news.ibmpcug.co.uk (Graham Toal) writes:
> Try reading between the lines David - there are *strong* hints in there
> that they're angling for NREN next, and the only conceivable meaning of
> applying this particular technology to a computer network is that they
> intend it to be used in exclusion to any other means of encryption.

Umm...  I beg to differ with the phrase ``only conceivable meaning''.
The SDNS protocols, for example, make explicit provision for multiple
encryption systems, as does PEM.  (And I'd love to see how they'd
mandate this new system for PEM without disclosing it....)

Mind you, I'm not saying that multiple algorithms will actually be
used -- but the relevant technologies certainly provide for them, which
certainly casts doubt on your choice of words.

Newsgroup: sci.crypt
document_id: 15292
From: rlglende@netcom.com (Robert Lewis Glendenning)
Subject: Don't fight Clipper Chip, subvert or replace it !

Clipper Chip is a response to the fact that there is no business
or professional body in a position to establish a standard and
provide chipsets to implement it for analog or digital transmission
systems.

RSA might be in position to do it, if they had active cooperation of
a couple of manufacturers of cellular phones or desktop phones.

Large companies in the voice/data comm business are out, because they
all have contracts with the gov which would be used to pressure them.

If we, as professionals in crypto organizations, EFF, etc. were to
put our collective minds and interests toward establishing a
crypto standard for transmission, and getting our companies to
implement it, we might avoid government control.

Otherwise, I think it will happen to us by default.  Gov isn't probably
strong enough or foolish enough to prevent strong crypt.  They
are strong enough, and we may be foolish enough, to push through
the Clipper Chip.

Is RSA independent of the gov enough to spearhead this?  I, for one,
would *gladly* pay royalties via purchasing secure phones.

If not this, we should provide an algorithm which can be implemented
in either SW or HW and publish it, then push to make it the defacto
standard in the way that PGP and RIPEM are becoming such.

We are opposing, charging the bunker.  We should be nimble and clever.
The gov is strong, not clever.

Lew
-- 
Lew Glendenning		rlglende@netcom.com
"Perspective is worth 80 IQ points."	Niels Bohr (or somebody like that).

Newsgroup: sci.crypt
document_id: 15293
From: masjhd@gdr.bath.ac.uk (James Davenport)
Subject: Re: Trinomial-Based PRNG

I tried to mail Peter Boucher, who posted the question, but my e-mail
bounced, so, apologies to those who are not interested.
>trinomials are all of the form X**a + X**b + 1, where a
Have you read:

Bremner, A.,
On Trinomials of Type x^n + A x^m + 1.
Math. Scand. 49 (1981), pp. 145-155.
Zbl. 458.12012.
MR 83k:12002.

Ljunggren, W.,
On the Irreducibility of Certain Trinomials and Quadrinomials.
Math. Scand. 8 (1960), pp. 65-70.

Tverberg, H.,
On the Irreducibility of the Trinomials x^n ± x^m ± 1.
Math. Scand. 8 (1960), pp. 121-126.

Tverberg, H.,
On Cubic Factors of Certain Trinomials.
Math. Scand. 53 (1983), pp. 178-184.
Zbl. 513.12003.

James Davenport
jhd@maths.bath.ac.uk
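
Added example (editor's code, not from James Davenport's post or from the
papers he cites): the check a practitioner needs before building a PRNG on
a trinomial x^a + x^b + 1, namely whether it is irreducible over GF(2),
which is what those papers are about, and the period the resulting LFSR
actually achieves.  Rabin's irreducibility test is implemented directly on
bit-packed polynomials; the particular trinomials tried are my choices.

```python
"""Irreducibility over GF(2) and LFSR period for trinomials x^a + x^b + 1.
Polynomials are Python ints: bit i is the coefficient of x^i."""


def trinomial(a: int, b: int) -> int:
    """x^a + x^b + 1 as a bit-packed GF(2) polynomial (requires a > b > 0)."""
    if not a > b > 0:
        raise ValueError("need a > b > 0")
    return (1 << a) | (1 << b) | 1


def gf2_degree(p: int) -> int:
    return p.bit_length() - 1


def gf2_mod(a: int, f: int) -> int:
    """Remainder of a divided by f over GF(2) (long division by XOR)."""
    n = gf2_degree(f)
    while a and gf2_degree(a) >= n:
        a ^= f << (gf2_degree(a) - n)
    return a


def gf2_mulmod(a: int, b: int, f: int) -> int:
    """a * b mod f over GF(2): shift-and-add, reducing after every shift."""
    n = gf2_degree(f)
    a, r = gf2_mod(a, f), 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> n) & 1:      # degree reached n: subtract (XOR) f
            a ^= f
    return r


def gf2_gcd(a: int, b: int) -> int:
    while b:
        a, b = b, gf2_mod(a, b)
    return a


def prime_factors(n: int) -> set:
    out, p = set(), 2
    while p * p <= n:
        while n % p == 0:
            out.add(p)
            n //= p
        p += 1
    if n > 1:
        out.add(n)
    return out


def frobenius_power(k: int, f: int) -> int:
    """x^(2^k) mod f, by k successive squarings of the polynomial x."""
    y = gf2_mod(2, f)
    for _ in range(k):
        y = gf2_mulmod(y, y, f)
    return y


def is_irreducible_gf2(f: int) -> bool:
    """Rabin's test: f of degree n is irreducible iff x^(2^n) == x (mod f)
    and gcd(x^(2^(n/q)) - x, f) == 1 for every prime q dividing n."""
    n = gf2_degree(f)
    if n < 1:
        return False
    x = gf2_mod(2, f)
    if frobenius_power(n, f) != x:
        return False
    return all(gf2_gcd(frobenius_power(n // q, f) ^ x, f) == 1
               for q in prime_factors(n))


def lfsr_period(f: int, limit: int = 1 << 24):
    """Period of the Galois-form LFSR with feedback polynomial f, started
    from state 1.  Each step multiplies the state by x mod f, so this is
    the multiplicative order of x in GF(2)[x]/(f): 2^n - 1 exactly when f
    is primitive.  Returns None if no repeat is seen within `limit` steps."""
    n = gf2_degree(f)
    s = 1
    for k in range(1, limit + 1):
        s <<= 1
        if (s >> n) & 1:
            s ^= f
        if s == 1:
            return k
    return None


def survey(pairs, period_limit: int = 1 << 16) -> dict:
    """(a, b) -> (irreducible?, LFSR period or None if too long to count)."""
    return {(a, b): (is_irreducible_gf2(trinomial(a, b)),
                     lfsr_period(trinomial(a, b), period_limit))
            for a, b in pairs}


if __name__ == "__main__":
    for k, v in survey([(4, 1), (4, 2), (5, 2), (31, 3)]).items():
        print(k, v)
```

Note that x^4 + x^2 + 1 is (x^2 + x + 1)^2 over GF(2): the test rejects it
and the LFSR built on it cycles after 6 states instead of 15.  Degree 31 is
left to the irreducibility test alone, since counting 2^31 - 1 states is not
something to do in a loop.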

Newsgroup: sci.crypt
document_id: 15294
From: kadie@cs.uiuc.edu (Carl M Kadie)
Subject: Re: Clipper Crap

>encryption's dual-edge sword:  encryption helps to protect the
>privacy of individuals and industry, but it also can shield
>criminals and terrorists.  We need the "Clipper Chip" and other

"Necessity is the plea for every infringement of human freedom. It is
the argument of tyrants; it is the creed of slaves." -- William Pitt
-- 
Carl Kadie -- I do not represent any organization; this is just me.
 = kadie@cs.uiuc.edu =

Newsgroup: sci.crypt
document_id: 15295
From: tcmay@netcom.com (Timothy C. May)
Subject: Re: Don't fight Clipper Chip, subvert or replace it !

Robert Lewis Glendenning (rlglende@netcom.com) wrote:
: Clipper Chip is a response to the fact that there is no business
: or professional body in a position to establish a standard and
: provide chipsets to implement it for analog or digital transmission
: systems.
: 
: RSA might be in position to do it, if they had active cooperation of
: a couple of manufacturers of cellular phones or desktop phones.
.......
: Is RSA independent of the gov enough to spearhead this?  I, for one,
: would *gladly* pay royalties via purchasing secure phones.


Hear hear! I completely agree that we need to work quickly to
establish alternatives to the government's Clinton Clipper. As Brad
Templeton and others have noted, once the Clipper becomes ensconced in
enough phones there will be enormous pressure to make it the *legal*
standard, and it will become the *market* standard as well. (There is
a lot of confusion in the proposal about whether the use of Clipper is
mandated, about whether non-escrow alternatives will be allowed, etc.)

(There are also unclear issues about how hard, or how illegal, it will
be to make "workalikes" which meet the standard but which generate
phony or untappable keys...I'm sure the next several weeks will see
these issues thrashed out in this and other groups.)

Meanwhile, I'd be interested to hear RSA Data Security's reaction.
Often criticized in this group for their licensing policies (the usual
complaints about MailSafe costing too much, at $125 or so, and the
general issue of software patents...), we may find that *allying*
ourselves with RSA is the best thing we can do. What's a mere
licensing fee when our liberty may be at stake? (If everyone who
wanted true security paid, say, $100 for a lifetime use of all of
RSA's patents--which expire in the period 1998-2002, or so--then RSA
would make tons of money and be happy, I'm sure. A small price to pay.
For those to whom $100 sounds like too much, I'm sure the actual terms
could be different, spread out over several years, whatever. To me,
it's a small price to pay.)

Strong crypto means strong privacy. Escrowing keys, sending copies of
keys to large databases, and splitting keys into two 40-bit pieces,
all done with secret and non-analyzable protocols and algorithms, is
*NOT* strong crypto!

Whatever some of us may think about the abstract principles of
patenting number theory applications, this minor issue pales in
comparison with the potential dangers of the Clipper proposal (note
that I said "potential"...we'll presumably learn more in the coming
months).

The RSA algorithms are at least public, have been analyzed and
attacked for years, and source code is available (to better ensure no
deliberate weaknesses or trapdoors).

I know of a number of groups putting together voice encryption systems
using off-the-shelf hardware (like Soundblaster boards for the PC) and
CELP-type software. The new generations of PCs, using fast 486s and
Pentiums are fast enough to do real-time voice encryption. Combined
with Diffie-Hellman key exchange, this should provide an alternative
to the Clipper system.

Of course, we don't really know if the Administration proposes to
outlaw competing systems. (It seems to me that their goal of tapping
terrorists, child pornographers, and Hilary bashers would be thwarted
if low-cost alternatives to Clipper proliferated. Not to defend child
pornographers or terrorists, but limiting basic freedoms to catch a
few criminals is not the American way of doing things. End of soapbox
mode.)

I suggest we in these groups set aside any differences we may have had
with RSA (and don't look at me....I have both MacPGP *and* a fully
legal copy of "MailSafe"!) and instead work with them as quickly as we can.

RSA?, Jim?, are you listening?

-Tim May

P.S. I reserve the right to retract these opinions if it should turn
out that RSA Data Security was involved in the Clipper proposal.
-- 
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,  
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets, 
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^756839 | Public Key: PGP and MailSafe available.


Newsgroup: sci.crypt
document_id: 15296
From: brad@clarinet.com (Brad Templeton)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

One presumes the system could work as follows:

a) Blank chips are manufactured by Mykotronx and VLSI.  The number
produced is carefully audited and they are shipped to the first
escrow house.

It programs the chips with its half of the key, and prints out a paper slip
with the key half and non-secret chip serial number.   The reams of paper
are filed in locked boxes in the vault, a fuse is burnt in the chip so
that the key is now unreadable.

The chip then goes to the next escrow house, where the same thing is
done.  This continues through N escrow houses, perhaps, could be more than
2.

The last one provides the chip to the cellular phone maker.

And yes, this has to be a public key system or it would be almost
impossible to handle.  It might not be RSA, but that does not mean
that PKP doesn't get paid.  Until 1997, PKP has the patent on the
general concept of public key encryption, as well as the particular
implementation known as RSA.
-- 
Brad Templeton, ClariNet Communications Corp. -- Sunnyvale, CA 408/296-0366
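
Added example (editor's code, not from Brad Templeton's or Tim May's posts
and not from the proposal): "split into two parts" can mean two quite
different things.  Tim May's "two 40-bit pieces" reads as cutting the key in
half; Brad's escrow houses each programming "its half" is consistent with
XOR shares.  The block below does both and counts, exhaustively, how many
keys remain consistent with the single piece one escrow house holds.  The
16-bit toy keyspace and the share counts are my choices so the count runs
instantly; nothing here is the chip's actual key layout.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_xor(key: bytes, n: int) -> list:
    """n shares whose XOR is the key: n-1 are uniformly random, the last is
    key XOR (all the others).  Any n-1 shares are independent of the key."""
    if n < 2:
        raise ValueError("need at least two shares")
    shares = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = key
    for s in shares:
        last = xor_bytes(last, s)
    return shares + [last]


def combine_xor(shares) -> bytes:
    acc = bytes(len(shares[0]))
    for s in shares:
        acc = xor_bytes(acc, s)
    return acc


def split_concat(key: bytes, n: int) -> list:
    """The naive reading of 'two 40-bit pieces': n contiguous chunks."""
    size = len(key) // n
    return [key[i * size:(i + 1) * size] for i in range(n)]


def combine_concat(pieces) -> bytes:
    return b"".join(pieces)


def count_consistent_keys(key_len: int, explains) -> int:
    """Exhaustively count the keys of key_len bytes for which the piece we
    hold could have been produced (some value of the withheld part fits)."""
    return sum(1 for k in range(256 ** key_len)
               if explains(k.to_bytes(key_len, "big")))


def xor_share_explains(held: bytes):
    # For any candidate key the withheld share (key XOR held) completes it,
    # so every key in the space is equally consistent with what we hold.
    return lambda key: combine_xor([held, xor_bytes(key, held)]) == key


def concat_piece_explains(held: bytes, index: int, n: int):
    # Only keys whose index-th chunk equals the held piece are consistent.
    return lambda key: split_concat(key, n)[index] == held


TOY_KEY_LEN = 2  # assumed 16-bit toy key; real unit keys would be far longer


def compare_splittings(key_len: int = TOY_KEY_LEN) -> dict:
    key = secrets.token_bytes(key_len)
    xor_shares = split_xor(key, 2)
    concat_pieces = split_concat(key, 2)
    assert combine_xor(xor_shares) == key
    assert combine_concat(concat_pieces) == key
    return {
        "keyspace": 256 ** key_len,
        "consistent_given_one_xor_share":
            count_consistent_keys(key_len, xor_share_explains(xor_shares[0])),
        "consistent_given_one_concat_piece":
            count_consistent_keys(key_len,
                                  concat_piece_explains(concat_pieces[0], 0, 2)),
    }


if __name__ == "__main__":
    print(compare_splittings())
```

With one XOR share in hand all 65536 toy keys remain possible; with one
concatenated half only 256 do, i.e. the search exponent has been halved.
For an 80-bit key that is the difference between 2^80 and 2^40 work for a
single escrow house (or whoever compromises it).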

Newsgroup: sci.crypt
document_id: 15297
From: jhesse@netcom.com (John Hesse)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

In article <1qnupd$jpm@news.intercon.com> amanda@intercon.com (Amanda Walker) writes:
>jhesse@netcom.com (John Hesse) writes:
>> Oh great. Wonderful news. Nobody can listen in--except the feds. 
>
>Hey, it's better than the status quo.
>
>I am far less worried about "the feds" tapping my phone than high school 
>scanner surfers who get their kicks out of eavesdropping on cellular and 
>cordless phone calls.
>

Really? Why are you so worried about high school kids "getting their kicks"
with scanners, as compared to what the feds can do, and have done, to their
targets?

"Better than the status quo" isn't good enough, I'd say. The same 
technology could be implemented WITHOUT a back door open to the state.

We all know about power and corruption. But we all know that abuse is
something that only happens to the other guy.

>
>Amanda Walker
>InterCon Systems Corporation
>
>


-- 
------------------------------------------------------------------------------
John Hesse           |          A man,     
jhesse@netcom.com    |                 a plan, 
Moss Beach, Calif    |                         a canal, Bob.
------------------------------------------------------------------------------

Newsgroup: sci.crypt
document_id: 15298
From: reeds@alice.att.com (Jim Reeds)
Subject: Re: Patents (was RC2 RC4)

In article <matt-160493203627@wardibm2.med.yale.edu>, matt@wardsgi.med.yale.edu (Matt Healy) writes:
and
> bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) wrote:
and
> > ahaley@eoe.co.uk (Andrew Haley) writes:

about Coca-Cola and Pepsi Cola and what they can teach us.


Surely, if we must use pop patent law examples to discuss RC2 and RC4,
it would make more sense to consider the case of RC Cola?

Jim Reeds

Newsgroup: sci.crypt
document_id: 15299
From: uni@acs.bu.edu (Shaen Bernhardt)
Subject: Re: Once tapped, your code is no good any more.

In article <1qpg8fINN982@dns1.NMSU.Edu> amolitor@nmsu.edu (Andrew Molitor) writes:
>In article <tcmayC5M2xv.JEx@netcom.com>
>	tcmay@netcom.com (Timothy C. May) writes:
>>
>>But is it any worse than the current unsecure system? It becomes much
>>worse, of course, if the government then uses this "Clinton Clipper"
>>to argue for restrictions on unapproved encryption. (This is the main
>>concern of most of us, I think. The camel's nose in the tent, etc.)
>>
>
>	Not to pick on Mr. May in particular, of course, but isn't this
>kind of the domino theory? When one little country falls, its neighbor
>will surely follow, and before you know it, we're all mining salt
>in Siberia for not turning in our Captain Crunch Secret Decoder Rings.

I wish I could agree with you.  Ask yourself this.  Why would any private
sector entity wish to buy a crypto system that was KNOWN to be at least
partially compromised? (Key escrows in this instance)  Why would any
private sector entity wish to buy a crypto system that had not been properly
evaluated?  (i.e. algorithm not publicly released)
The answer seems obvious to me, they wouldn't.  There is other hardware out
there not compromised.  DES as an example (triple DES as a better one.)

My suspicion is that the prices will drop dramatically on these non clipper
systems.  If not we're in trouble.

Given that the Clinton administration is not entirely stupid (although we'd like
to think so) I cannot believe that they have failed to realize this.
They know their initiative will fail, much as crippled DES was never taken
seriously.  The only way their moves can work is by coercion.  You know
little about politics if you don't realize that this is just a first step
in the next move, it makes NO sense otherwise.  The next move, banning
or SEVERELY crippling crypto not using the "Clipper" system is easily
justified "Why would anyone want other encryption unless they were trying
to subvert the government?  We've provided you with a very secure alternative
so use it or go to jail/be fined/whatever."
How can you reconcile the administration's self-proclaimed purpose of providing
law enforcement with access to encrypted data without making the clipper system
the only crypto available in the U.S... ?  You simply can't, and the administration
knows it.  Anyone who wanted to keep the govt. out of their hair, be it for
drug dealing or whatever, would just buy still available non-clipper systems.

Don't sell our crafty Clinton types short, they can't be THAT stupid.
Either banning non clipper crypto is the next answer or the administration's
collective I.Q. is about that of a potato.

Why do you think AT&T jumped on so fast?  They know it's going to be big,
and NOT because it's better.  Right on the face of it, no one will buy the
stuff that doesn't have to.  AT&T must know this too, THINK MAN, why the
hell would they jump the gun?

>	My interpretation.
>
>	Andrew
>
>>-Tim May, whose sig block may get him busted in the New Regime
>                           ^^^^^^^^^^^^^^^^^^
>
>	Isn't this just a little melodramatic?

I really wonder.

To wit:  The letter I just sent to Clinton:

The White House
Office of the Press Secretary c/o:
Presidential Comment Line (fax)
(202) 456-2461
 
April 17, 1993
 
Sir and/or Madam:
 
 
I must object most strongly to the administration's evolving position on encryption and
cryptography.  I am shocked at the Clinton regime's increasing lean towards an authoritarian approach with regard to privacy and freedom from government oversight in day-to-day life.
 
It is apparent to me that those who drafted the "Clipper Chip Proposal" (which is, incidentally, gaining notoriety as the "Big Brother Proposal") are either incredibly ignorant or very sly indeed.  Anyone knowledgeable in the nuances of cryptographic development and research must understand that a key step in the development of a new algorithm, especially one destined for standardization, is the full disclosure of the algorithm to the private and academic sectors.  The proper evaluation of an algorithm depends on careful scrutiny by these sectors, and only such scrutiny can provide true public confidence in the security of the algorithm.  The assumption that a new algorithm will be accepted based on assurances from "experts" without full disclosure is plain ignorance.
 
In addition, the assumption that an algorithm will be marketable over other technology, such as DES, when it is characterized by key escrow is lunacy.  It seems an easy step in the logic chain that probable consumers will prefer to purchase equipment not crippled by government key escrow, no matter how "tamper proof" the key escrows might be.
 
I cannot believe that even the least educated policy maker would have failed to realize these flaws.  I can only assume then that the drafters of the "Clipper Chip Proposal" knew very well the difficulties of selling a crippled system to the private sector.  The only way this proposal makes any sense, or has any chance of succeeding is in coercion.  Even the language of the proposal makes it painfully clear that the next logical step is the outlawing of other encryption devices and hardware that do not utilize the "Big Brother Chip."
 
Unfortunately the public at large is not educated enough on the issue to realize what they are losing.  I expect the Big Brother proposal to encounter little resistance from the American people who you will have so efficiently duped once again with pretty words like "harmony," "right to encryption," and "voluntary."
 
It mortifies me that the phrase that seems to be used more and more often to characterize the Clinton administration is "I can't believe it's happening here."  More startling is a question a colleague of mine posed and the realization that everyday it becomes more and more relevant; "When is the Reichstag fire planned for?"
 
 
						Most Concerned,
 
						[Signature]
						Shaen Logan Bernhardt I
uni@acs.bu.edu

-- 
uni@acs.bu.edu  ->  Public Keys by finger and/or request
Public Key Archives at <pgp-public-keys@junkbox.cc.iastate.edu>
DF610670F2467B99  97DE2B5C3749148C  Sovereignty is the sign of a brutal past.
Cryptography is not a crime.  Fight the Big Brother Proposal!

Newsgroup: sci.crypt
document_id: 15300
From: ebrandt@jarthur.claremont.edu (Eli Brandt)
Subject: Re: How to detect use of an illegal cipher?

In article <1993Apr17.085358.18460@clarinet.com> brad@clarinet.com (Brad Templeton) writes:
>"Your honour, the suspect suddenly started using another level of
>cryptography and we can't tap his phone calls any more.  He must
>have something to hide.  Please sign the warrant to search his
>house..."

What they would need to do, though, is make sure that nobody has
access to decent crypto in the first place.  They probably can't
tell Clippered voice from Clippered triple-DESed voice until they
get their copy of your key.  Any criminal who's going to use
encryption will do it under cover of Clipper.  The only way to avoid
this will be to try to prohibit strong encryption.

I probably shouldn't say this, but they could try to detect the use
of an illegal cypher by transmitting in the clear some statistical
properties of the plaintext.  An old-fashioned wiretap could then
detect the use of pre-encryption, which would drastically increase
the measured entropy of the input.  A countermeasure to this would
be to use steganographic techniques which put out voice.

You can tell if the NSA built this feature in: blow on the mike, and
observe whether a band of thugs comes through your ceiling.

	 PGP 2 key by finger or e-mail
   Eli   ebrandt@jarthur.claremont.edu
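
Added example (editor's code, not from Eli Brandt's post): the detector he
sketches, a chip-side statistic on the codec input that would unmask
pre-encryption, run on constructed data.  The tone-plus-noise stand-in for
8-bit PCM speech, the seeded PRNG stand-in for triple-DES output, and the
7.5 bits/byte threshold are all my assumptions.

```python
import math
import random
from collections import Counter


def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy of the byte histogram, in bits per byte (8.0 = uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def constructed_voice(n: int = 4096, seed: int = 1) -> bytes:
    """Constructed stand-in for 8-bit PCM speech: a tone with a little noise.
    Real speech is not a sine wave, but it shares the property that matters
    here: a strongly non-uniform distribution of sample values."""
    rng = random.Random(seed)
    out = bytearray()
    for t in range(n):
        s = 128 + 40 * math.sin(2 * math.pi * t / 64) + rng.gauss(0, 3)
        out.append(max(0, min(255, round(s))))
    return bytes(out)


def constructed_preencrypted(n: int = 4096, seed: int = 2) -> bytes:
    """Stand-in for the same audio after a strong cipher (triple DES in the
    post): bytes indistinguishable from uniform, here from a seeded PRNG."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


ENTROPY_THRESHOLD = 7.5  # bits/byte; assumed cut-off between codec input and cipher output


def chip_side_report(samples: bytes) -> dict:
    """What a chip that 'transmits in the clear some statistical properties
    of the plaintext' might emit per block: an entropy figure and a flag an
    old-fashioned wiretap could read without any key."""
    h = entropy_bits_per_byte(samples)
    return {"entropy": round(h, 3), "pre_encryption_suspected": h > ENTROPY_THRESHOLD}


def compare() -> dict:
    return {"voice": chip_side_report(constructed_voice()),
            "pre_encrypted": chip_side_report(constructed_preencrypted())}


if __name__ == "__main__":
    print(compare())
```

The voice-like input lands well under 7 bits/byte (its samples occupy
fewer than a hundred of the 256 possible values), the cipher output just
under 8.  The countermeasure the post mentions, steganography that emits
something voice-shaped, is exactly an attack on this statistic: it has to
bring the entropy of the chip's input back into the speech range.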

Newsgroup: sci.crypt
document_id: 15301
From: hal@cco.caltech.edu (Hal Finney)
Subject: Re: How does it really work? (was Re: text of White House announcement and Q&As on clipper chip encryption)

Marc VanHeyningen <mvanheyn@cs.indiana.edu> writes:

>The main thing I just don't get is whether this chip implements
>symmetric or asymmetric cryptographic techniques.  Anybody know?

I don't know, but I'm as willing to speculate as anyone.

Several people have suggested that the chips use public-key cryptography.
Another possibility is to use Diffie-Hellman key exchange, or some other
algorithm which has a similar effect.  DH allows both ends to agree on
a session key which they use with symmetric cryptography (something
like DES) for the encryption.

How could the "back door" keys work in this system?  I can see a few
possibilities.  One is that the DH-like algorithm has the property that
the session key can be deduced by an eavesdropper who knows the back door
keys for one (or possibly both) communicants.  Perhaps the random numbers
used in the DH are seeded by the back door key, or some such.

Another possibility, as was suggested here earlier, is that the chips
simply broadcast the session key, encrypted with the chip's own
internal secret key.  In this system the back door keys are secret keys
usable for decrypting this session key broadcast.  Actually the chip's
secret key doesn't need to be a public key in this usage, but can be
identical to the secret back-door key.  (This proposal seems most
straightforward to me.)

Still another possibility is that the encryption algorithm used for the
message itself has a "dual key" property, that possession of either of
two keys can be used to decrypt it.  One key would be the session key from
the DH exchange, and the other would be the back door key for the chip.

It's worth noting that one of the proposals Dorothy Denning raised
during her amazingly prescient on-line discussion last November and
December was a variation on Diffie-Hellman in which a third party would
participate in deriving the session keys.  This doesn't quite fit into
what we know of how Clipper works but it hints that those who had early
knowledge of Clipper (or whose thinking was somehow synchronized with
Clipper designers) may have had Diffie-Hellman on their minds.

Hal Finney
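
Added example (editor's code, not from Hal Finney's post and not a
description of the real chip, whose algorithm is secret): the second
mechanism he sketches, a Diffie-Hellman session key that the chip also
broadcasts wrapped under its own internal secret key, with that secret held
by two escrow agents as XOR halves.  Every concrete choice is an assumption:
the toy DH modulus 2^127 - 1, 128-bit keys, HMAC-SHA256 in counter mode
standing in for the symmetric cipher, and the serial/nonce/wrapped-key
field layout.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group: the Mersenne prime 2^127 - 1, generator 2.
# Demonstration-sized only; a real deployment would use a vetted group.
P = (1 << 127) - 1
G = 2


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_session_key(my_priv: int, their_pub: int) -> bytes:
    shared = pow(their_pub, my_priv, P)          # < 2^127, fits 16 bytes
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()[:16]


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode, a stand-in for the symmetric cipher
    (the posts guess DES).  Encrypt and decrypt are the same call."""
    out, ctr = bytearray(), 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return xor_bytes(data, out)


def make_leaf(unit_key: bytes, serial: bytes, session_key: bytes) -> bytes:
    """Field the chip sends alongside the call: its serial number in the
    clear, then the session key wrapped under the chip's own unit key."""
    nonce = secrets.token_bytes(8)
    return serial + nonce + stream_xor(unit_key, b"leaf" + nonce, session_key)


def open_leaf(unit_key: bytes, leaf: bytes) -> bytes:
    nonce, wrapped = leaf[4:12], leaf[12:]
    return stream_xor(unit_key, b"leaf" + nonce, wrapped)


def escrow_unit_key(halves) -> bytes:
    """Each escrow agent holds one XOR half; only both together give the key."""
    return xor_bytes(halves[0], halves[1])


def simulate_call(plaintext: bytes = b"constructed sample of call audio") -> dict:
    # Chip A's per-unit secret, manufactured as two halves for two agents.
    serial = b"\x00\x00\x2a\x01"
    halves = [secrets.token_bytes(16), secrets.token_bytes(16)]
    unit_key = escrow_unit_key(halves)

    # The two ends agree a session key by Diffie-Hellman.
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    session_a = dh_session_key(a_priv, b_pub)
    session_b = dh_session_key(b_priv, a_pub)
    assert session_a == session_b

    # What a wiretap records: the LEAF and the encrypted traffic.
    leaf = make_leaf(unit_key, serial, session_a)
    call_nonce = secrets.token_bytes(8)
    ciphertext = stream_xor(session_a, call_nonce, plaintext)

    # With both halves (the court-order path) the session key unwraps;
    # with only one half the unwrapped key, and the decryption, are garbage.
    with_escrow = open_leaf(escrow_unit_key(halves), leaf)
    one_half = open_leaf(escrow_unit_key([halves[0], secrets.token_bytes(16)]), leaf)
    return {
        "plaintext": plaintext,
        "serial_in_clear": leaf[:4] == serial,
        "wiretap_with_escrow": stream_xor(with_escrow, call_nonce, ciphertext),
        "wiretap_with_one_half": stream_xor(one_half, call_nonce, ciphertext),
    }


if __name__ == "__main__":
    print(simulate_call())
```

Two properties of this construction are worth noticing.  The serial number
travels in the clear, so a passive listener can identify which chip is
talking before any key is fetched; and nothing in the wrapped field is
verified by the far end, which is the hook for the "workalike" chips Tim
May wonders about: a device that emits a LEAF wrapped under a key the
escrow agents do not hold still interoperates perfectly.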

Newsgroup: sci.crypt
document_id: 15302
From: ebrandt@jarthur.claremont.edu (Eli Brandt)
Subject: Re: The battle is joined

In article <1993Apr16.181040.9381@qualcomm.com> karn@servo.qualcomm.com (Phil Karn) writes:
>It looks like Dorothy Denning's wrong-headed ideas have gotten to the
>Administration even sooner than we feared.

I'd lay long odds that it was the other way around.  Clinton didn't
just pull this plan out of any bodily orifices; the NSA has to have
been working on it for years.  While it's possible that Denning (and
other prominent people) just happened to start arguing for such a
system, it seems more likely that there was a suggestion involved.
If this guess is wrong, I apologize.

	 PGP 2 key by finger or e-mail
   Eli   ebrandt@jarthur.claremont.edu

Newsgroup: sci.crypt
document_id: 15303
From: marc@mit.edu (Marc Horowitz N1NZU)
Subject: The source of that announcement

The message from the NIST about the clipper chip comes from the
following address:

	clipper@csrc.ncsl.nist.gov (Clipper Chip Announcement)

Just who is that, I asked myself, or rather, I asked the computer.

    % telnet csrc.ncsl.nist.gov 25
    Trying...
    Connected to csrc.ncsl.nist.gov.
    Escape character is '^]'.
    220 first.org sendmail 4.1/NIST ready at Sat, 17 Apr 93 20:42:56 EDT
    expn clipper
    250-<csspab@mail-gw.ncsl.nist.gov>
    250-<denning@cs.georgetown.edu>
    250-<hoffman@seas.gwu.edu>
    250-<mkapor@eff.org>
    250-<rotenberg@cpsr.org>
    250-<rivest@mit.edu>
    250-<mhellman@stanford.edu>
    250-<alanrp@aol.com>
    250-<dparker@sri.com>
    250-<jim@rsa.com>
    250-<branstad@tis.com>
    250 <mgrsplus@csmes.ncsl.nist.gov>
    quit
    221 first.org closing connection
    Connection closed.

Well, isn't that interesting.  Dorothy Denning, Mitch Kapor, Marc
Rotenberg, Ron Rivest, Jim Bidzos, and others.  The Government, RSA,
TIS, CPSR, and the EFF are all represented.  I don't suppose anybody
within any of these organizations would care to comment?  Or is this
just the White House's idea of a cruel joke on these peoples' inboxes?

		Marc
--
Marc Horowitz N1NZU <marc@mit.edu>				617-253-7788
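
Added example (editor's code, not from Marc Horowitz's post): a parser for
the multi-line SMTP reply format the EXPN transcript above uses, plus the
check a mail administrator would run to see whether an MTA still expands
aliases to outsiders, which is an information disclosure whether or not the
list is as interesting as this one.  The 250 reply is the one quoted in the
post; the 502 and 252 replies are constructed.

```python
import re

# The EXPN reply quoted in the post above, used here as parser input.
POSTED_EXPN_REPLY = """\
250-<csspab@mail-gw.ncsl.nist.gov>
250-<denning@cs.georgetown.edu>
250-<hoffman@seas.gwu.edu>
250-<mkapor@eff.org>
250-<rotenberg@cpsr.org>
250-<rivest@mit.edu>
250-<mhellman@stanford.edu>
250-<alanrp@aol.com>
250-<dparker@sri.com>
250-<jim@rsa.com>
250-<branstad@tis.com>
250 <mgrsplus@csmes.ncsl.nist.gov>"""

REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")
ADDRESS = re.compile(r"<([^<>@\s]+@[^<>\s]+)>")


def parse_smtp_reply(text: str):
    """Parse one SMTP reply (RFC 821, later RFC 5321): every line starts
    with the three-digit code; '-' after the code means more lines follow,
    a space marks the last line.  Returns (code, [line texts])."""
    code, texts = None, []
    for line in text.splitlines():
        m = REPLY_LINE.match(line)
        if not m:
            raise ValueError("malformed reply line: %r" % line)
        c, sep, body = m.groups()
        if code is not None and c != code:
            raise ValueError("reply code changed mid-reply")
        code = c
        texts.append(body)
        if sep == " ":
            return int(code), texts
    raise ValueError("reply has no terminating line")


def expanded_addresses(texts) -> list:
    return [m.group(1) for t in texts for m in ADDRESS.finditer(t)]


def classify_expn(code: int, texts) -> str:
    """What the reply says about the server's EXPN policy."""
    if code == 250 and expanded_addresses(texts):
        return "expanded"   # alias membership disclosed, as in the post
    if code == 252:
        return "declined"   # will not expand, but would accept mail
    if 500 <= code < 600:
        return "refused"    # e.g. 502: command not implemented / disabled
    return "other"


def audit(reply_text: str) -> dict:
    code, texts = parse_smtp_reply(reply_text)
    return {"code": code,
            "policy": classify_expn(code, texts),
            "addresses": expanded_addresses(texts)}


if __name__ == "__main__":
    print(audit(POSTED_EXPN_REPLY))
```

The same parser handles VRFY replies, which leak one address at a time
instead of a whole list.  A server you run should answer "refused" or
"declined" to both from an unauthenticated connection.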

Newsgroup: sci.crypt
document_id: 15304
From: silly@ugcs.caltech.edu (Brad Threatt)
Subject: Remote file system security

In light of my recent paranoia concerning government proposals, I'd love to
see a UNIX-based encryption scheme that:

1) Kept some files encrypted on the host machine (say, all the files in your
   home directory)
2) Used a key system that could not be compromised by eavesdropping over a
   modem line.

It seems that this would require modifications to a shell program and a
way of telling whether a file was encrypted or not, among other things.

I'd love to know about potential security holes in such a system.

Does such a system exist?  If it were made easy-to-use and readily
available, I think it would be a Good Thing(tm).  I realize that this
would probably just involve putting a nice front-end on a readily available
and very secure encryption scheme, but it should be done.

Thanks for the ear,
Brad 

Newsgroup: sci.crypt
document_id: 15305
From: jef@netcom.com (Jef Poskanzer)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

brad@clarinet.com (Brad Templeton):
}And yes, this has to be a public key system or it would be almost
}impossible to handle.  It might not be RSA, but that does not mean
}that PKP doesn't get paid.  Until 1997, PKP has the patent on the
}general concept of public key encryption, as well as the particular
}implementation known as RSA.

Hmm, my first thought was that they're using Diffie-Hellman exponential
session key exchange, or an equivalent.  However, the Diffie-Hellman
patent, like the Hellman-Merkle one on public key systems, claims
all equivalents, so the basic point stands.

Interestingly, a quote from Jim Bidzos showed up in the media real
soon after the announcement, and he sounded very pissed.  Maybe he hadn't
yet realized that PKP might have just struck gold?  All they have to
do is get someone to admit the general scheme that the Clipper uses.
---
Jef

           Jef Poskanzer  jef@netcom.com  jef@well.sf.ca.us
"An object never serves the same function as its image - or its name."
                           -- Rene Magritte

Newsgroup: sci.crypt
document_id: 15306
From: whughes@lonestar.utsa.edu (William W. Hughes)
Subject: Re: Once tapped, your code is no good any more.

In article <1qpg8fINN982@dns1.NMSU.Edu> amolitor@nmsu.edu
(Andrew Molitor) writes:
>In article <tcmayC5M2xv.JEx@netcom.com>
>tcmay@netcom.com (Timothy C. May) writes:
>
>>-Tim May, whose sig block may get him busted in the New Regime
>                           ^^^^^^^^^^^^^^^^^^
>Isn't this just a little melodramatic?

Not at all. Two weeks ago I registered a concern about some programming
that was being conducted by a student organisation here at the
University of Texas at San Antonio.  As a result, I was interrogated
by the campus police, who also attempted to create a positive-identification
file (photo, fingerprints, etc.). I refused to permit this, and filed a
complaint with the University administration.  The Vice-President for
Business Affairs (the 'boss' of the campus police) stated that he had no
interest in the legal/Constitutional implications of those actions.

-- 
The greatest threat facing the citizens of the United States in the decade of
the 90s is the United States Government; at all levels -- Federal, State, Local
[All opinions are mine, and I reserve the right to deny them at any time - WWH]

Newsgroup: sci.crypt
document_id: 15307
From: ptrei@bistromath.mitre.org (Peter Trei)
Subject: Re: Fifth Amendment and Passwords

In article <1993Apr17.122651.1874@sugra.uucp> ken@sugra.uucp (Kenneth Ng) writes:
>In article <1993Apr16.165423.27204@linus.mitre.org: ptrei@bistromath.mitre.org (Peter Trei) writes:
>:Judge: "I grant you immunity from whatever may be learned from the key
>:	itself"
>:You:    "The keyphrase is: "I confess to deliberately evading copyright; 
>:	the file encoded with this keyphrase contains illegal scans of 
>:        copyrighted Peanuts strips.""
>:Judge and CP: "Oh."
>:     How will they get you now? I'm not saying that they won't, or
>:can't (or even that they shouldn't :-), but what legal mechanism will
>:they use? Should we be crossposting this to misc.legal?
>
>Hm, could another court try you via a bypass of the double jeopardy amendment
>like they are doing in the LAPD trial?  I.e. your judge is a state judge, and
>then a federal judge retries you under the justification that it's not the
>same trial.

    No. The LAPD officers were tried first by the State of California
on charges of police brutality, and secondly by the Federal Government
on depriving RK of his civil rights - a different crime.

    The scenario I outline is more similar to the Oliver North trial.
Ollie confessed to treason (aiding an enemy of the US) during Senate
hearings, under immunity. The team which was later to prosecute him on
criminal charges had to sequester itself from all reports of ON's
immunized testimony. ON's lawyer brought up the probability that at
least someone on the team had heard about the Senate testimony, and it
was a strong factor against the prosecution, which is one of the
reasons ON is still walking around free today.

								Peter Trei
								ptrei@mitre.org


Newsgroup: sci.crypt
document_id: 15308
From: wesommer@mit.edu (Bill Sommerfeld)
Subject: Re: The source of that announcement

       % telnet csrc.ncsl.nist.gov 25
       Trying...
       Connected to csrc.ncsl.nist.gov.
       Escape character is '^]'.
       220 first.org sendmail 4.1/NIST ready at Sat, 17 Apr 93 20:42:56 EDT
       expn clipper
       250-<csspab@mail-gw.ncsl.nist.gov>
       250-<denning@cs.georgetown.edu>
       250-<hoffman@seas.gwu.edu>
       250-<mkapor@eff.org>
       250-<rotenberg@cpsr.org>
       250-<rivest@mit.edu>
       250-<mhellman@stanford.edu>
       250-<alanrp@aol.com>
       250-<dparker@sri.com>
       250-<jim@rsa.com>
       250-<branstad@tis.com>
       250 <mgrsplus@csmes.ncsl.nist.gov>
       quit
       221 first.org closing connection
       Connection closed.

Note also:

% telnet csmes.ncsl.nist.gov 25
Trying 129.6.54.2...
Connected to csmes.ncsl.nist.gov.
Escape character is '^]'.
220 csmes.ncsl.nist.gov sendmail 4.1/NIST(rbj/dougm) ready at Sat, 17 Apr 93 23:08:58 EDT
expn mgrsplus
250-<mcnulty@ecf.ncsl.nist.gov>
250-Irene Gilbert <igilbert>
250-Dennis Branstad <branstad>
250-Robert Rosenthal <rmr>
250-Gene Troy <troy>
250-<smid@st1.ncsl.nist.gov>
250-Dennis Steinauer <dds>
250 <katzke@st1.ncsl.nist.gov>

telnet mail-gw.ncsl.nist.gov 25
Trying 129.6.48.199...
Connected to mail-gw.ncsl.nist.gov.
Escape character is '^]'.
220 mail-gw.ncsl.nist.gov sendmail 4.1/rbj/jck-3 ready at Sat, 17 Apr 93 23:06:50 EDT
expn csspab
250-<burrows@ecf>
250-<mcnulty@ecf>
250-Bill Colvin <colvin>
250-<Gangemi@dockmaster.ncsc.mil>
250-John Kuyers <kuyers>
250-<slambert@cgin.cto.citicorp.com>
250-<lipner@mitre.org>
250-<gallagher@dockmaster.ncsc.mil>
250-<cindy_rand@postmaster.dot.gov>
250-<walker@tis.com>
250-<willis@rand.org>
250-Eddie Zeitler <zeitler>
250-Cris Castro <castro>
250 <whitehurst@vnet.ibm.com>

% telnet st1.ncsl.nist.gov 25
Trying 129.6.54.91...
Connected to st1.ncsl.nist.gov.
Escape character is '^]'.
220 st1.ncsl.nist.gov SEndMaIl 4.1/NBS-rbj.11 rEadY At Sat, 17 Apr 93 23:13:43 EDT
expn smid
250 Miles Smid <smid>
expn katzke
250 Stuart Katzke <katzke>
quit
221 st1.ncsl.nist.gov closing connection
Connection closed by foreign host.

% telnet ecf.ncsl.nist.gov 25
Trying 129.6.48.2...
Connected to ecf.ncsl.nist.gov.
Escape character is '^]'.
220 ECF.NCSL.NIST.GOV TGV/MultiNet SMTP service ready.
expn burrows
250 Burrows, James <burrows>
expn mcnulty
250 McNulty, Lynn <mcnulty>
quit
221 ECF.NCSL.NIST.GOV TGV/MultiNet SMTP service complete.

% whois -h rs.internic.net first.org
National Institute of Standards and Technology (FIRST-DOM)
   225/A216
   	 NIST
   	 GAITHERSBURG, MD 20899

   Domain Name: FIRST.ORG

   Administrative Contact:
      Wack, John P.  (JPW18)  WACK@ENH.NIST.GOV
      (301) 975-3411 (FTS) 879-3411
   Technical Contact, Zone Contact:
      Hunt, Craig W.  (CWH3)  Hunt@ENH.NIST.GOV
      (301) 975-3827 (FTS) 879-3827

   Record last updated on 17-Dec-91.

   Domain servers in listed order:

   DOVE.NIST.GOV		129.6.16.2
   AMES.ARC.NASA.GOV		128.102.18.3


The InterNIC Registration Services Host ONLY contains Internet Information
(Networks, ASN's, Domains, and POC's).
Please use the whois server at nic.ddn.mil for MILNET Information.
--

Newsgroup: sci.crypt
document_id: 15309
From: jebright@magnus.acs.ohio-state.edu (James R Ebright)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

In article brad@clarinet.com (Brad Templeton) writes:

[...]>
>The greatest danger of the escrow database, if it were kept on disk,
>would be the chance that a complete copy could somehow leak out.  You
[...]>
>Of course then it's hard to backup.  However, I think the consequences
>of no backup -- the data is not there when a warrant comes -- are worse
>than the consequences of a secret backup.

If the data isn't there when the warrant comes, you effectively have
secure crypto.  If secret backups are kept...then you effectively have
no crypto.  Thus, this poster is essentially arguing no crypto is better
than secure crypto.

If the data isn't there when the warrant comes, then the government will
just have to use normal law enforcement techniques to catch crooks.  Is
this so bad?   BTW, bugging isn't YET a normal law enforcement technique.
With the privacy clipper, it WILL become a normal technique.
/Jim
-- 
 Information farming at...     For addr&phone: finger             A/~~\A
 THE Ohio State University  jebright@magnus.acs.ohio-state.edu   ((0  0))____
      Jim Ebright             e-mail: jre+@osu.edu                 \  /      \
                                                                   (--)\      

Newsgroup: sci.crypt
document_id: 15310
From: sethf@athena.mit.edu (Seth Finkelstein)
Subject: Re: The source of that announcement

Also note (from <branstad@tis.com> and <walker@tis.com>):

% whois -h rs.internic.net tis-dom
Trusted Information Systems, Inc. (TIS-DOM)
   3060 Washington Road, Route 97
   Glenwood, MD 21738

   Domain Name: TIS.COM

   Administrative Contact:
      Walker, Stephen T.  (STW3)  walker@TIS.COM
      (301) 854-6889
   Technical Contact, Zone Contact:
      Dalva, David I.  (DID1)  dave@TIS.COM
      (301) 854-6889

   Record last updated on 02-Jul-92.

   Domain servers in listed order:

   TIS.COM                      192.33.112.100
   LA.TIS.COM                   192.5.49.8

	And "dockmaster" is an infamous address ...

--
Seth Finkelstein                                sethf@athena.mit.edu
"The road to Hell is paved with good intentions"

Newsgroup: sci.crypt
document_id: 15311
From: mkagalen@lynx.dac.northeastern.edu (michael kagalenko)
Subject: Re: How to detect use of an illegal cipher?

In article <C5nMB1.CoF@news.claremont.edu> ebrandt@jarthur.claremont.edu (Eli Brandt) writes:
>
>I probably shouldn't say this, but they could try to detect the use
>of an illegal cypher by transmitting in the clear some statistical
>properties of the plaintext.  An old-fashioned wiretap could then
>detect the use of pre-encryption, which would drastically increase
>the measured entropy of the input.  A countermeasure to this would
>be to use steganographic techniques which put out voice.

This way to detect pre-encryption may be defeated; one can transform
the spectrum of the encrypted signal just by adding some pre-arranged
(at the beginning of communication) function.
I think so. Say, you can do an FFT of your encrypted signal.
Just thinking ...

-- 
--------------------------------------------------------------------------------
      For PGP2.1 public key finger mkagalen@lynx.dac.northeastern.edu
--------------------------------------------------------------------------------
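The entropy check Eli Brandt describes above, worked through as an added example (not code from any poster in this thread): the sender's declared plaintext statistics travel in the clear, and a monitor compares them with what the link actually carries. The voice-like samples and the PRNG-keystream "cipher" are constructed stand-ins, and the 0.5 bit/byte tolerance is an assumption.

```python
"""Entropy test for pre-encryption, as described in the quoted post.

Added example; it is not code from the thread or its posters.  A stream
of 8-bit samples whose declared statistic (here: byte entropy) travels
in the clear is compared with what a monitor measures on the link.  Text
or voice-like samples sit well below 8 bits/byte; anything encrypted
before the link looks uniformly random and lands close to 8.  All inputs
are constructed inline; the "cipher" is a seeded-PRNG XOR standing in for
a real one, used only to produce ciphertext-like bytes.
"""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Empirical byte entropy in bits per byte (0.0 for empty, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def voice_like_samples(n: int, amplitude: int = 40) -> bytes:
    """Constructed stand-in for 8-bit PCM speech: a quiet sine centred on
    128 plus a little deterministic jitter.  Few distinct values, so the
    byte entropy is low (at most log2(85) ~ 6.4 bits for these settings)."""
    rng = random.Random(7)
    out = bytearray()
    for i in range(n):
        s = 128 + amplitude * math.sin(2 * math.pi * i / 97) + rng.randint(-2, 2)
        out.append(max(0, min(255, int(round(s)))))
    return bytes(out)


def stream_encrypt(plaintext: bytes, seed: int) -> bytes:
    """XOR with a seeded PRNG keystream.  NOT a secure cipher; it only
    yields the uniformly distributed bytes a real cipher would emit."""
    rng = random.Random(seed)
    return bytes(b ^ rng.getrandbits(8) for b in plaintext)


def pre_encryption_suspected(declared_entropy: float, observed: bytes,
                             tolerance: float = 0.5) -> bool:
    """The monitor's check: the sender declares its plaintext entropy in the
    clear; if the link carries data whose entropy exceeds that by more than
    `tolerance` bits/byte, the data was encrypted before this layer saw it."""
    return shannon_entropy(observed) - declared_entropy > tolerance


def demo() -> dict:
    """Run the check on an honest voice stream and on a pre-encrypted one."""
    speech = voice_like_samples(8192)
    text = b"The quick brown fox jumps over the lazy dog. " * 180
    declared = shannon_entropy(speech)          # the statistic sent in the clear
    encrypted = stream_encrypt(speech, 42)      # same speech, pre-encrypted
    return {
        "speech_entropy": round(shannon_entropy(speech), 2),
        "text_entropy": round(shannon_entropy(text), 2),
        "encrypted_entropy": round(shannon_entropy(encrypted), 2),
        "honest_flagged": pre_encryption_suspected(declared, speech),
        "pre_encrypted_flagged": pre_encryption_suspected(declared, encrypted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>22}: {value}")
```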

Newsgroup: sci.crypt
document_id: 15312
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Once tapped, your code is no good any more.

In article <115863@bu.edu> uni@acs.bu.edu (Shaen Bernhardt) writes:

>
>I wish I could agree with you.  Ask yourself this.  Why would any private
>sector entity wish to buy a crypto system that was KNOWN to be at least
>partially compromised? (Key escrows in this instance)  Why would any
>private sector entity wish to buy a crypto system that had not been properly
>evaluated?  (i.e. algorithm not publicly released)
>The answer seems obvious to me, they wouldn't.  There is other hardware out
>there not compromised.  DES as an example (triple DES as a better one.)

What follows is my opinion. It is not asserted to be "the truth" so no
flames, please.  It comes out of a background of 20 years as a senior
corporate staff executive in two Fortune 50 companies.

I'd be happy to use a crypto system supplied by the NSA for business, if
they told me it was more secure than DES, and in particular resistant to
attempts by Japanese, French, and other competitive companies and
governments to break.

I'd be happy to do so even with escrowed keys, provided I was happy about
the bona fides of the escrow agencies (the Federal Reserve would certainly
satisfy me, as would something set up by one of the big 8 accounting firms).

I'd trust the NSA or the President if they stated there were no trap
doors--I'd be even happier if a committee of independent experts examined
the thing under seal of secrecy and reported back that it was secure.

I'd trust something from the NSA long before I'd trust something from some
Swiss or anybody Japanese.

This may seem surprising to some here, but I suggest most corporations would
feel the same way. Most/many/some (pick one) corporations have an attitude
that the NSA is part of our government and "we support our government", as
one very famous CEO put it to me one day.

Just some perspective from another point of view.

-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
document_id: 15313
From: tuinstra@sunspot.ece.clarkson.edu.soe (Dwight Tuinstra)
Subject: re: WH announcement


Q:   Who was consulted?  The Congress?  Industry?

A:   We have on-going discussions with Congress and industry on
     encryption issues, and expect those discussions to intensify
     as we carry out our review of encryption policy.  We have
     briefed members of Congress and industry leaders on the
     decisions related to this initiative.

Congress??  So we're playing politics before we talk to CPSR, academia,
the public, internet users?  I've heard of top-down design, but top-down 
democracy?? [Just whose state/district are the chip manufacturers in?]

Q:   If the Administration were unable to find a technological
     solution like the one proposed, would the Administration be
     willing to use legal remedies to restrict access to more
     powerful encryption devices?

A:   This is a fundamental policy question which will be
     considered during the broad policy review. [...bs about
     the wonderfulness of the key escrow system...]

     The Administration is not saying, "since encryption
     threatens the public safety and effective law enforcement,
     we will prohibit it outright" (as some countries have
     effectively done); 

They'll just provide an easily-compromised version to JQ Public.

                         nor is the U.S. saying that "every
     American, as a matter of right, is entitled to an
     unbreakable commercial encryption product."  

Maybe we need a CRA -- Cryptographic Rights Amendment.

                                                  There is a
     false "tension" created in the assessment that this issue is
     an "either-or" proposition.  Rather, both concerns can be,
     and in fact are, harmoniously balanced through a reasoned,
     balanced approach such as is proposed with the "Clipper
     Chip" and similar encryption techniques.

Nice lullaby.  But why am I not soothed?

----------------
Also, 

In article 15472@leland.Stanford.EDU, arc@leland.Stanford.EDU (Andrew Richard Conway) writes:
>P.S. I can't work out why the US government doesn't want to sell
>them overseas. After all, they are rather easy for US interests to decode,
>so make a perfect tool for industrial/military espionage...lulling 
>anyone stupid enough to buy it into a false sense of security. You will
>notice that there is NO mention anywhere about safety for non-Americans.
>

Why repeat themselves?  It appears to some (and the story looks pretty
convincing to me, too) that the Justice Department stole a case-tracking
system, modified it, and distributed it to "friendly" police and suchlike
agencies around the world, e.g. the Canadian Mounties.  Of course, I have 
no doubt they swore Scout's Honor that there were no backdoors.

With that kind of intelligence, who'd want to be swamped with terabytes
of commercial traffic?

+========================================================================+
|  dwight tuinstra             best:  tuinstra@sandman.ece.clarkson.edu  |
|                         tolerable:  tuinstrd@craft.camp.clarkson.edu   |
|                                                                        |
|        "Homo sapiens: planetary cancer??  ...  News at six"            |
+========================================================================+

Newsgroup: sci.crypt
document_id: 15314
From: rdippold@qualcomm.com (Ron "Asbestos" Dippold)
Subject: Re: The battle is joined

In article <1993Apr16.181040.9381@qualcomm.com> karn@servo.qualcomm.com (Phil Karn) writes:
>It looks like Dorothy Denning's wrong-headed ideas have gotten to the
>Administration even sooner than we feared.

If the Administration is this far along, is it possible that the
government has been working on it for a while and has been using the
Dennings to prime the pump, so to speak, or as the Judas goat?
Whether paid off, just gullible, or what, doesn't really matter.

It might also be possible that the NSA / whoever has had the idea for
this for quite a while, has been promoting it (Denning, et al) and
seized the new opportunity - a new administration who wants to spend
more money on espionage than Bush did.

Whatever, I'm not so sure that the cause/effect order is totally
obvious.
-- 
You will lose your "Drug Free And Proud" ribbon.  Two days later, you will
catch a neighborhood kid smoking it.

Newsgroup: sci.crypt
document_id: 15315
From: ptrei@bistromath.mitre.org (Peter Trei)
Subject: Re: The battle is joined

In article <C5nn9I.D5q@news.claremont.edu> ebrandt@jarthur.claremont.edu (Eli Brandt) writes:
>In article <1993Apr16.181040.9381@qualcomm.com> karn@servo.qualcomm.com (Phil Karn) writes:
>>It looks like Dorothy Denning's wrong-headed ideas have gotten to the
>>Administration even sooner than we feared.
>
>I'd lay long odds that it was the other way around.  Clinton didn't
>just pull this plan out of any bodily orifices; the NSA has to have
>been working on it for years.
      ^^^^^^^^^^^^^^^^^^^^^^^

     I first heard rumors of a similar government proposal (in Risks
Digest???) in 1987 or 1988.

							Peter Trei
							ptrei@mitre.org

Newsgroup: sci.crypt
document_id: 15316
From: "dan mckinnon" <dan.mckinnon@canrem.com>
Subject: "clipper chip"

   I have lurked here a bit lately, and though some of the math is
unknown to me, found it interesting. I thought I would post an article I
found in the Saturday, April 17, 1993 Toronto Star:

                  'CLIPPER CHIP' to protect privacy

   Washington (REUTER) - President Bill Clinton announced yesterday a
plan to plant a new "Clipper Chip" in every government telephone and
computer line to prevent eavesdropping.

   Eventually the chips, developed by the government's National
Institute for Standards and Technology, would be used by commercial and
private electronics communication users.

   The White House said that to assure privacy, each device containing
the encryption devices would be assigned two unique "keys" - numbers
that will be needed by government agencies to decode messages.

   The attorney-general has been assigned the task of arranging that the
keys are deposited in two "key-escrow" data bases. Access to them would
be limited to government officials with legal authorization to conduct a
wiretap, the White House said in a statement.

                              -30-


 Dan McKinnon
--
Canada Remote Systems - Toronto, Ontario
416-629-7000/629-7044

Newsgroup: sci.crypt
document_id: 15317
From: tcmay@netcom.com (Timothy C. May)
Subject: Re: The source of that announcement

Marc Horowitz N1NZU (marc@mit.edu) wrote:
: The message from the NIST about the clipper chip comes from the
: following address:
: 
: 	clipper@csrc.ncsl.nist.gov (Clipper Chip Announcement)
: 
: Just who is that, I asked myself, or rather, I asked the computer.
: 
:     % telnet csrc.ncsl.nist.gov 25
...list of names elided for brevity......
: 
: Well, isn't that interesting.  Dorothy Denning, Mitch Kapor, Marc
: Rotenberg, Ron Rivest, Jim Bidzos, and others.  The Government, RSA,
: TIS, CPSR, and the EFF are all represented.  I don't suppose anybody
: within any of these organizations would care to comment?  Or is this
: just the White House's idea of a cruel joke on these peoples' inboxes?

I know that at least one person on that list says the first he heard
of Clipper was in the Friday morning newspaper! And another has
already fired off a letter of protest to NIST.

My point? I suspect this list, interesting as it is for various
reasons, does not represent the cabal that put this proposal together.
Some of them, yes. Others, no. 

This may be nothing more than a mailing list of people who get
crypto-related announcements from NSA, er, I mean "NIST."

-Tim May
-- 
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,  
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets, 
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^756839 | Public Key: PGP and MailSafe available.


Newsgroup: sci.crypt
document_id: 15318
From: zeev@ccc.amdahl.com (Ze'ev Wurman)
Subject: Is there ANY security in the Clipper?

It seems to me that all discussions about Clipper security are almost 
irrelevant - if I cannot choose the key, but have to use a key chosen for
me by the foundry, the security of the WHOLE UNIVERSE OF USERS is as good
(or as bad) as the security of VLSI Technologies Inc.

It is a trivial effort to run any ciphertext against ALL THE KEYS EVER 
MANUFACTURED - after all we are talking about 1 to 100 million keys that
will ever be manufactured. The key depositories can be as secure and
incorruptible as they wish to be, nobody cares anyway...:-(

Now if someone would convince me that the shipping docks of VTI, ATT and
others are impenetrable (remember: the chips have to ship with the key - 
you or the dealer are going to submit it to the authorities eventually)
I'd be a bit happier. But do we really believe that the various governments
(including ours) won't have the full lists of all the keys ever manufactured?

Did I miss something here?

My own opinions, quite obviously...
--
------------------------------------------------------------------
From........: Ze'ev Wurman 
email.......: <zeev@key.amdahl.com> or <zeev@ccc.amdahl.com> 
Organization: Amdahl Corp. 46525 Landing Parkway (M/S 581), Freemont CA 94538
Phone.......: (510) 623-2345 (Office)
Fax.........: (510) 770-0493  (Attn: Zeev Wurman)

Newsgroup: sci.crypt
document_id: 15320
From: warlord@MIT.EDU (Derek Atkins)
Subject: Re: The Old Key Registration Idea...

-----BEGIN PGP SIGNED MESSAGE-----

In article <1qn1ic$hp6@access.digex.net> pcw@access.digex.com (Peter Wayner) writes:

   2) The system is vulnerable to simple phone swapping attacks
   like this. Criminals will quickly figure this out and go to
   town.

Depends..  It's possible that the phone sends its serial number in the
clear at some specified interval... So all a listener needs to do is
get that SN, and then get the key for it...  So swapping phones isn't
a problem (for the gov't, that is).  They still know that this line
belongs to you, so they just watch the line and see the SN, and then
they get the key for that SN...

   In either case, I think we need to look at this a bit deeper.

Well, I think this is understood.  The major problem is that a lot of
people just don't trust this key escrow stuff, and the fact that the
algorithms are classified...  So, yes, a lot of this needs to be looked
at closer!

- -derek

PGP 2 key available upon request on the key-server:
	pgp-public-keys@toxicwaste.mit.edu

-----BEGIN PGP SIGNATURE-----
Version: 2.2

iQBuAgUBK9EbXDh0K1zBsGrxAQHzcALCAlvWtnvi7aySWf565id1MN++nsybTwQI
jQLgPKX/4tx6qjGC69BUQRZAtMQutkoVnvx/MqT5EZFM7uundRWD4cOwbb7CC4Gy
gT7JtLRqU0aF9VSf4SGNQqg=
=fGRj
-----END PGP SIGNATURE-----
--
  Derek Atkins, MIT '93, Electrical Engineering and Computer Science
     Secretary, MIT Student Information Processing Board (SIPB)
           MIT Media Laboratory, Speech Research Group
           warlord@MIT.EDU       PP-ASEL        N1NWH

Newsgroup: sci.crypt
document_id: 15321
From: earle@isolar.Tujunga.CA.US (Greg Earle)
Subject: Re: PEM and MIME

In article <1qg8m2$2e5@nigel.msen.com> emv@garnet.msen.com (Edward Vielmetti) writes:
>W C Newell Jr (wcn@u.washington.edu) wrote:
>
>>Before we can have a global multimedia e-mail solution, there must be some
>>definition of a minimum service level, and MIME does not provide for this
>>(yet).  
>
>Before the Internet will invest in software, people need to see content. 
>I would suggest that 50 attractive MIME formatted news messages a day would be
>sufficient to get a few people thinking about adding MIME support to news
>readers, esp if the content is really worth it.
>
>>IMHO, we have a long way to go before the Unix-specific MUAs, newsreaders, etc
>>reach the service levels of the other commercial platforms.  There ought to be
>>such a definition, consisting of known object data types and rules for their
>>handling, included in the transport specification document.
>
>Yes.  But there is also a long way to go before most Mac, PC, and Windows
>MUAs and newsreaders are ready to handle the sheer volume of news and mail
>that many Unix specific tools are able to cope with.  When the choice is
>"more feechurs" or "make the damn thing fast enough to keep up with the
>flood", you have to bet that "fast enough" wins.

Ed, as usual, makes a very good point.

One time a friend of mine at Sun sent me an e-mail.  He composed it using the
Sun OpenWindows 3 "mailtool" which handles (non-MIME) "attachments" and the
like.

Since I don't use "mailtool", I had to manually save it, cut & paste, and
then "uudecode" the actual attachment.  What I got - after a not-inconsiderable
amount of time spent doing this - was an audio file.  The original message
was over 32Kb of mail headers and uuencoded data; the resulting audio message
was a single sentence that I transcribed as a 135 character message.

If he had sent me the sentence in plain text, the e-mail would have been
around 250 bytes, and it would have taken me about 3 seconds to process it at
most.  Instead, it was 32k and it took at least a minute.  A complete waste of
(my) time and bandwidth, as far as I'm concerned.  Sending plain text is still
the most efficient method of transmission, given the same transport mechanism.
I shudder to think what would happen if everyone started posting their Usenet
articles as audio files instead of plain text!  Meltdown of the Net predicted!
Film at Eleven!

Back to Mono!	(-:

[This sub-thread no longer has anything to do with PEM or administrative]
[policy, so I've redirected followups back to comp.mail.mime ... - Greg ]

-- 
	- Greg Earle
	  Phone: (818) 353-8695		FAX: (818) 353-1877
	  Internet: earle@isolar.Tujunga.CA.US
	  UUCP: isolar!earle@elroy.JPL.NASA.GOV a.k.a. ...!elroy!isolar!earle

Newsgroup: sci.crypt
document_id: 15322
From: schinagl@fstgds15.tu-graz.ac.at (Hermann Schinagl)
Subject: Need source of FEAL encryption algorithm

Hi !

I am interested in the source of FEAL encryption algorithm.
Does someone of you know where I can get the source from, or
where I can find documentation about FEAL.

Thanks in advance


Ciao Hermann

Please email me !!!

Newsgroup: sci.crypt
document_id: 15323
From: ygoland@wright.seas.ucla.edu (The Jester)
Subject: Re: Don't fight Clipper Chip, subvert or replace it !

The Clipper chip is just the culmination of Dorothy Denning et al.
But let's ignore that for the moment.

The fundamental question is: Can the government stop me from using
encryption?

Ignoring for the moment the question of patented processes (such as
Public Keys), can the government stop me from using an encryption
process?

If the answer is yes then what freedom we have in this country is
truly gone and it's time to get out the guns or the lawyers
(depending upon which causes more damage and to whom).

However assuming that I can still encrypt things as I please, who
cares about the clipper chip? As far as I'm concerned a phone line
is insecure PERIOD. I don't care if they encrypt it 10 ways from
sunday, if I didn't do the encrypting, I don't trust it. This is the
attitude that everyone else should have. Instead of worrying about a
clipper chip, simply connect your handset to your computer and feed
the voice signal through, process, encrypt, and transmit over the
phone. The guy on the other hand then does the same in reverse.

Can't work you say? No Standard you say? Obviously you have never
used PGP.

Anyone who expects the government to protect their freedoms is
kidding themselves. Only you can protect your own freedoms.

One final thought addressed to EFF:
	1.Do you support the implementation of ANY form of
	encryption where the encryption key must be revealed?
	2.If you do, why? If not, why?
	3.What SPECIFIC actions are you planning to take to either
	support or stop this proposal?
	4.If you do not support this proposal, what alternatives do
	you offer?

				The Jester
-- 
Proof Windows is a Virus:It is very widespread, It eats up your disk
space, It slows down your computer, It takes control over your
computer, It performs disk access at random times, It displays silly
messages on your screen, It randomly crashes the computer-Vesselin

Newsgroup: sci.crypt
document_id: 15324
From: tuinstra@sunspot.ece.clarkson.edu.soe (Dwight Tuinstra)
Subject: WH proposal from Police point of view

It might pay to start looking at what this proposal might mean to a
police agency.  It just might be a bad idea for them, too.

OK, suppose the NY State Police want to tap a suspect's phone.  They
need a warrant, just like the old days.  But unlike the old days, they
now need to 

   (a) get two federal agencies to give them the two parts of
       the key.

Now, what happens if there's a tiff between the two escrow houses?
Possession/release of keys becomes a political bargaining chit.  State
and lower-level police agencies have to watch the big boys play politics,
while potentially good leads disappear, lives and property are lost,
statutes of limitations run out, etc.  Not to mention: a moderately
clever person who suspects the police are after her/him will be buying
new phones faster than tap requests can be processed.  Or using stolen
ones.  [Will the Turing Police come and arrest you for transmitting
without a dialing license?]

There's also bureaucracy and security problems -- within each escrow house, 
how will requests for key disclosure be authenticated?  Put in enough
safeguards of the kind bureaucrats and activists feel comfortable with, and 
it might take a LONG time to get that key.  [Even when a request is approved, 
how is the key going to be disclosed?  Will it be encrypted by a Clipper-type
chip for transmission?  In a bureaucracy the size of the Federal
Government, with a databank of the necessary size, and data traffic of
the projected volume, there's going to be a lot of weak links.  How many of 
these kinds of problems will be open for public or "expert" scrutiny?]  

Furthermore, the Feds might be leery of handing completed keys around, 
even to State Police agencies: a trust and security issue.  This would be 
an especially acute issue if some other State's Police had mishandled a 
key, resulting in lawsuits, financial settlements, and political 
embarrassment.  So, the Feds implement it this way:
 
   (b) some federal agency gets the keys, performs the tap, and
       turns the results over to the NY State Police.

But let's say Cuomo's been causing some problems over a Clinton
Aid-To-Urban-Areas proposal.  Or there just happens to be a turf war
going on between the State cops and the Justice department on a case.
Now, not only do we have the keys as a political chit, we have an
extra player in the game *and* we have the tap's tapes as another
bargaining chit.  Again, the State Police lose.

I understand that (legal) wiretaps are quite expensive to maintain. In
scenario (b), who pays the bill?

+========================================================================+
|  dwight tuinstra             best:  tuinstra@sandman.ece.clarkson.edu  |
|                         tolerable:  tuinstrd@craft.camp.clarkson.edu   |
|                                                                        |
|        "Homo sapiens: planetary cancer??  ...  News at six"            |
+========================================================================+

Newsgroup: sci.crypt
document_id: 15325
From: bena@dec05.cs.monash.edu.au (Ben Aveling)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

Andrew Richard Conway (arc@leland.Stanford.EDU) wrote:

: P.S. I can't work out why the US government doesn't want to sell
: them overseas. After all, they are rather easy for US interests to decode,
: so make a perfect tool for industrial/military espionage...lulling 
: anyone stupid enough to buy it into a false sense of security. You will
: notice that there is NO mention anywhere about safety for non-Americans.

Don't forget, you are in the country that wouldn't let the Russians
buy Apple II's because of security concerns.
--
        Ben  (-: bena@bruce.cs.monash.edu.au :-)  

Newsgroup: sci.crypt
document_id: 15326
From: jfc@athena.mit.edu (John F Carr)
Subject: Re: Don't fight Clipper Chip, subvert or replace it !

In article <ygoland.735123994@wright>
	ygoland@wright.seas.ucla.edu (The Jester) writes:

>Ignoring for the moment the question of patented processes (such as
>Public Keys), can the government stop me from using an encryption
>process?

Following precedent in other areas, the government is likely to put a tax on
encryption technology.  Once the tax is imposed, it becomes a federal matter
and suspicion of an unlicensed cryptographic tool will bring the BATF or
FBI tossing grenades into your house.  (The BATF appears to be the logical
agency to enforce such regulations: federal control over alcohol, tobacco,
and firearms is similarly based on taxes.)

Look at the FCC: they won't allow sale of any receiver that can receive
bands that are supposed to be private.  This has nothing to do with any
desire to prevent harmful interference. If the government can make a radio
receiver illegal what makes you think they won't claim the right to control
encryption?

--
    John Carr (jfc@athena.mit.edu)

Newsgroup: sci.crypt
document_id: 15327
From: Graham Toal <gtoal@gtoal.com>
Subject: Re: The battle is joined

In article <C5nn9I.D5q@news.claremont.edu> ebrandt@jarthur.claremont.edu (Eli Brandt) writes:
:In article <1993Apr16.181040.9381@qualcomm.com> karn@servo.qualcomm.com (Phil Karn) writes:
:>It looks like Dorothy Denning's wrong-headed ideas have gotten to the
:>Administration even sooner than we feared.
:
:I'd lay long odds that it was the other way around.  Clinton didn't
:just pull this plan out of any bodily orifices; the NSA has to have
:been working on it for years.  While it's possible that Denning (and
:other prominent people) just happened to start arguing for such a
:system, it seems more likely that there was a suggestion involved.
:If this guess is wrong, I apologize.

I'm sure Dorothy Denning is an honest person and wouldn't lie to us.
Simply think up a question to ask her about her involvement, but be
very careful to phrase it in such a way that there can be no Jesuitical
evasion or a true but wholly misleading answer.

In this country, MI5 are *experts* at answering these questions; for
instance there was a British journalist (Jonathon Moyle) killed in South
America a couple of years ago.  Parliament asked "Was he an MI5 employee"
"No." - turns out afterwards he wasn't paid, therefore wasn't an employee.
They could equally have said he wasn't an agent - he went abroad on his
private business with no brief from MI5, but was interviewed and debriefed
at length only *on his return*.

G


Newsgroup: sci.crypt
document_id: 15328
From: steve-b@access.digex.com (Steve Brinich)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

  The dead giveaway is the repeated protestations that the new plan is aimed
at "criminals", "drug dealers", "terrorists", etc.  You'd think the tactic
would be too obvious to trot out yet again after a decade of Sarah and the
rest of the Brady Bunch using it to destroy the Second Amendment, but evidently
the control nuts feel it will serve them one more time.

  As far as the export needs of American companies are concerned, I could
almost believe that the plan to saddle the US industry with a hidden sabotaged
algorithm was invented by a cabal of Japanese lobbyists.



Newsgroup: sci.crypt
document_id: 15329
From: pat@rwing.UUCP (Pat Myrto)
Subject: Re: Once tapped, your code is no good any more.

In article <1993Apr17.061326.16130@clarinet.com> brad@clarinet.com (Brad Templeton) writes:
>In article <tcmayC5M2xv.JEx@netcom.com> tcmay@netcom.com (Timothy C. May) writes:
>>Getting the court order to reveal the key *also* makes decipherable
>>all *past* conversations (which may be on tape, or disk, or whatever),
>>as I understand the proposal. I could be wrong, but I've seen no
>>mention of "session keys" being the escrowed entities.
>
>True in theory.  In practice?  The technology of cellular phones will
>probably be spread spectrum and quite difficult to record the crypttext
>without the key.  If the frequency path depends on the key, as I
>understand it to, it *could* be made effectively impossible to record.

I am not an expert in the cryptography science, but some basic things
seem evident to me, things which this Clinton Clipper does not address.
They all pertain to opportunities for abuse, and conclusions based on what
I have seen the membership of this group (except for two notable persons)
agree to.  If anything bad is possible by the government in theory, it
almost always ends up happening in fact.  So the key is to make abuse
IMPOSSIBLE.  Question authority, and remember power DOES corrupt.

I think one has to regard this whole idea in the sense that it WILL be
expanded to include other data forms, such as data transfer and stored
data, and as such should be treated as if it were expanded (or such
expansion will be almost impossible to stop, using Clipper as a precedent).
There was a hint of that in the proposal, remember.  That said, please
bear with me, I am not very articulate, so I take more words to say
what others could say much more briefly.  Thank you.

>Once it hits land you can record it if you have telco access.  The
>telco isn't supposed to give that without a warrant.  That's the rule
>today.

As I suggested this is NOW.  The hint is in the proposal that this or
similar proposals are being considered for other forms of encryptions
such as data transfer, data files, and such, largely dependent on how
this thing is accepted or flies.  I think one would be wise to treat
this in the manner one would when (not if) it gets expanded to other
areas than cellular phones.  I think this is guaranteed to happen, if
this proposal gets by.  Salami politics.  It has been and is used in
several other areas, it is certain to be used here.  Government is not
going to easily give up on the idea that they should be able to eavesdrop
whenever they want to.  'Court order required' has proven to be a rather
flimsy guarantee.  If the case warrants, they can always seize the
material, and force one to give the key, or sit in jail forever on
periodically renewed contempt charges.  So it is not denying the justice
system the information, nor the ability to lock someone up if guilty
(or refuses to divulge the means to access the info - this is not
protected under the Fifth - one can be forced to perform ACTS that would
result in divulging incriminating evidence).  So, blocking restrictions
on private encryption is not preventing LEGITIMATE law enforcement - it
does make ILLEGITIMATE law enforcement a bunch more difficult.  Especially
fishing expeditions without the target's knowledge.  Don't give up the
right to be safe from that - that should be non-negotiable, and Clinton
and Co. know it (which is probably why they quietly developed this thing,
figuring if they get it this far, they can ram it on through).  How come
those consulted could be roughly described as "us insiders"?  They cannot
quietly IMPLEMENT it though, when they ban other schemes to ensure its
exclusive use.  Hence the nice PR document to try and reassure everyone.
Don't buy into it.  Has government really earned that kind of trust,
past or future?  To be secure and free, one must keep government honest
and the only way to do that is to make abuse IMPOSSIBLE, not 'unlikely'
or 'difficult'.

>But even so, the evidence would not be admissible, I think, unless the
>judge so ordered.  I think that even interception of the crypttext
>without a warrant would be illegal.   Cops can't record today's plain
>cellular calls and then ask a judge, "Hey, can we have permission to
>listen to those tapes?" can they?

So what?  One could use information gained by re-use of the keys (saved
after the last case was finished) or other means (master key, backdoor,
easily broken algorithm) to find other evidence which, given to a judge,
would authorize a tap which wouldn't have been possible otherwise.  This
has been the more common manner of abuse of wiretaps in the past...  For
local cops, this might be workable to keep them honest, but the Feds
have a workaround somehow, BET on it.  Does anyone really believe
for example, that the government will use a scheme NSA cannot listen
in on scanning for keywords - either easily defeated in realtime or
via a 'master key'?  I sure don't.

This whole thing sounds like something to eliminate the need to use
old-fashioned police work to build a case.  In the past, eavesdropping
was rather easy (with or without a court order).  I think the Law
Enforcement community has become a bit spoiled, and will resist changes
that require them to revert to using old-fashioned detective work.  I
just find it somewhat surprising coming from a bunch that cares so much
about civil and individual rights, that "puts people first".  The question
is "put people first" to WHERE?

With the innards not being revealed, how is one to be sure there DOESN'T
exist a 'master key' for use by NSA, etc (so they can do their keyword
scan, etc on conversations they routinely monitor, without a specific
court order)?   Remember, the cellular phone limitation is only TEMPORARY.
Bet on it.  And so far I have not heard about police telling people that
they have been tapped and nothing incriminating was found.  What is to
keep them from simply keeping the keys on file for 'next time'? After
awhile, they would have quite a collection.  Kept especially for folks
they deem 'disruptive'.  And if they get only one key, that would
reduce the search space a lot, unless it is an RSA scheme.  Remember
Nixon years?  Need for court orders really slowed them down, didn't it?

And unless the escrow accounts are not government controlled (fat chance!
I see one ending up being under, say Treasury, the other under Justice
:-)) it could be worth some serious bucks to some folks to get keys to
a competitor's Clinton Clipper (or descendant when this idea is expanded
to be used for all non-government encryption).  Enough bucks would get
one the keys or the innards for this algorithm.  Perhaps not an important
concern, but given past government behavior and the other problems...

>>worse, of course, if the government then uses this "Clinton Clipper"
>>to argue for restrictions on unapproved encryption. (This is the main
>>concern of most of us, I think. The camel's nose in the tent, etc.)
>
>Yes, that is a major concern, but I think that they think they can
>win just by having 99.5% of the USA use this system.  They don't even
>have to care about the cautious .5% that's left.  They don't catch the
>really smart crooks anyway.   John Gotti, who would have to be retarded
>not to realize he was likely to be wiretapped, glibly chatted away
>on his tapped phone about murder plans.  That's why he's in jail now.
>Hard to believe, but true.

What will one do when it is expanded to data storage encryption?  You
can BET that if Clipper is accepted, that will be next on the agenda.
It is even hinted at in the proposal - read it carefully...  Expect the
argument "well, if you got nothing to hide..."  Fine. Then using that
argument, one should not object to video cameras being installed in
every room of one's home.  Granted - an extreme expansion of the idea but
the principle holds.  Private stuff should remain private, even from a
govt fishing expedition.  And laws/rules may change in the future as
to 'safeguards'.  When it comes to the Fed Government, safeguards are
pretty meaningless, if they want to do/get something.

Don't work so hard to give up some rather treasured rights, or establish
bad precedents, please.  The price could be hell to pay, later.

>This scheme can succeed without laws forbidding more, which people would
>fight a lot harder.  They like this enough that they are dropping the so
>called "Digital Telephony" proposal, according to rumours.  However the
>meaning of that is complex, since they still want to get at the crypttext
>on telco systems, and that requires a bit of work.

People would fight laws forbidding more NOW, but in, say two years,
because we have this 'crisis' situation which MUST be addressed by some
'drastic action', just this added reasonable restriction will only bother
those who have something to hide... etc.  Please don't buy into it.

If the Clinton Clipper is so very good, why not make its algorithm public
so many people can exchange ideas and examine it, rather than a few
isolated 'respected experts' (respected by whom?  for what?  Perhaps a
certain professor who likes key banks would be one of the selected
experts... this does seem to expand on some ideas the person was
advocating, if I recall :-).  How would anybody know that what the
experts examine is the same as what will end up being used in the Clipper
Chip, if it is kept secret?   Perhaps the Clipper will use a crippled
version (with a 'master key' provision), or features not present in the
version subjected for study and evaluation by the experts.  And who
chooses the experts?  The government?  No conflict of interest there...
:-)

And isn't it a REQUIREMENT for any decent encryption scheme that it NOT
have its effectiveness reduced by having the algorithm widely known?
I was led to believe that one should assume the other side has everything
you have, except for the key(s)... I recall ideas presented to this
group are rejected if a requirement exists the algorithm be secret...

Another question - since it is a safe bet this Clipper thing would not
be used for government security, they are regarding it as not real secure
but "good enough" for common folk.  I think I would like to see a full
description (not a PR non-statement) of just what "good enough" means?
I think when saying how strong it is, "good enough" really means "not
very".  The excuse that other countries have these restrictions is not
acceptable:  Other countries do not have our Bill of Rights and
Constitution (which the people, not the governments, of those other
countries often regard with envy - what we have as rights they have as
revokable privileges).  And if we expect to retain those rights and
protections, we must not allow them to be gutted because we just GOTTA
have this thing to 'fight crime'.  We have already had our Bill of
Rights pretty much torn to shreds.  We should not permit more weakening
for yet another 'noble cause', instead we should be trying to repair
the damage.  Our crime problem may have a number of causes, but "too
many rights and safeguards" is not a significant one.  A broken court
system and poor police work are a much more significant cause than having
"too many rights" (disregarding addressing the root causes for crime,
etc).

BTW - those who suggest that this is just an attack on Clinton, believe
this:  I would be going ballistic regardless WHO seriously proposed
this thing.  It is just another step in a gradual erosion of our rights
under the Constitution or Bill of Rights.  The last couple of decades
have been a non-stop series of end-runs around the protections of the
Constitution.  It has to stop.  Now is as good a time as any, if it
isn't too late already.

>-- 
>Brad Templeton, ClariNet Communications Corp. -- Sunnyvale, CA 408/296-0366


-- 
pat@rwing.uucp      [Without prejudice UCC 1-207]     (Pat Myrto) Seattle, WA
         If all else fails, try:       ...!uunet!pilchuck!rwing!pat
WISDOM: "Only two things are infinite; the universe and human stupidity,
         and I am not sure about the former."              - Albert Einstein

Newsgroup: sci.crypt
document_id: 15330
From: al@escom.com (Al Donaldson)
Subject: Re: Once tapped, your code is no good any more.

amolitor@nmsu.edu (Andrew Molitor) writes:
>Yes, those evil guys in the FBI can probably, with some
>effort, abuse the system. I got news for you, if the evil guys in
>the FBI decide they want to persecute you, they're gonna, ...

And if Richard Nixon had had this kind of toy, he wouldn't have had
to send people into the Watergate.

But that's not really the issue.  The real issue is whether this 
will be used to justify a ban against individuals' use of private 
(i.e., anything else) encryption methods.

Unrelated question...isn't the term "Clipper," as neat as it is,
already taken by Intergraph?

Al

Newsgroup: sci.crypt
document_id: 15331
From: mrr@scss3.cl.msu.edu (Mark Riordan)
Subject: Re: Source of random bits on a Unix workstation

Bennett Todd @ Salomon Brothers Inc., NY (bet@sbi.com) wrote:
: However, unless I
: missed something, the only source they suggested (aside from a hardware RNG)
: that seems available, and unguessable by an intruder, when a Unix is
: fresh-booted, is I/O buffers related to network traffic. I believe my
: solution basically uses that strategy, without requiring me to reach into
: the kernel.

A few more sources are statistics on your filesystems (easily
and quickly obtained) and the output from the "rusage" system
call.  

You can also exec a finger to one or more favorite heavily-used
systems, though this can take several seconds.

cf. the source code to RIPEM on ripem.msu.edu.

Mark R.
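As an added example (mine, not Riordan's and not RIPEM's code), here is a small pool that folds the sources he names, rusage counters and filesystem statistics, together with a high-resolution timer into one SHA-256 seed; the paths sampled and the field labels are my assumptions.

```python
import hashlib
import os
import resource
import time


def sample_sources(paths=("/", "/tmp")):
    """Collect the cheap, local sources named in the post: rusage counters
    and filesystem statistics, plus a timer and the pid.  Each sample is
    labelled so a later audit can see which source contributed what.
    The default paths are an assumption, not something the post specifies."""
    samples = {}
    ru = resource.getrusage(resource.RUSAGE_SELF)
    samples["rusage"] = repr(tuple(ru)).encode()
    for path in paths:
        try:
            samples["statvfs:" + path] = repr(tuple(os.statvfs(path))).encode()
        except OSError:
            continue  # a missing path simply contributes nothing
    samples["timer"] = time.perf_counter_ns().to_bytes(8, "big")
    samples["pid"] = os.getpid().to_bytes(4, "big")
    return samples


def pool(samples, extra=b""):
    """Hash every labelled sample into a 32-byte seed.  Length-prefixing
    each label and value keeps different sample sets from hashing alike;
    `extra` lets the caller mix in a further source (e.g. network I/O)."""
    h = hashlib.sha256()
    for name in sorted(samples):
        data = samples[name]
        h.update(len(name).to_bytes(2, "big") + name.encode())
        h.update(len(data).to_bytes(4, "big") + data)
    h.update(extra)
    return h.digest()
```

On a freshly booted machine these values are few and partly predictable by any local user, so the pool is a supplement to a hardware RNG (or, on current systems, the kernel's os.urandom), never the sole source.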

Newsgroup: sci.crypt
document_id: 15332
From: schneier@chinet.chi.il.us (Bruce Schneier)
Subject: Re: An Open Letter to Mr. Clinton

In article <strnlghtC5M2Cv.8Hx@netcom.com> strnlght@netcom.com (David Sternlight) writes:
>
>Here's a simple way to convert the Clipper proposal to an unexceptionable
>one: Make it voluntary.
>
>That is--you get high quality secure NSA classified technology if you agree
>to escrow your key. Otherwise you are on your own.
>

As long as "you are on your own" means that you can use your own encryption,
I'm sold.

Bruce

Newsgroup: sci.crypt
document_id: 15333
From: eldar@fraser.sfu.ca (Danny Eldar)
Subject: Need help !!

I am currently writing a paper on computer protocols security. I would 
appreciate your help.  I currently have no insight into these topics except
that they relate to security in multilevel security network.  Please send me
any references, books, FAQs or contact persons names and Internet addresses.
The topics I am interested in:
1.  The "firewall gateway model" as implemented in Internet gateways.
2.  Kerberos Authentication Service

Please send me a private e-mail at eldar@sfu.ca and/or post it on the board.

Thanks a lot,

      Danny 


Newsgroup: sci.crypt
document_id: 15334
From: holland@CS.ColoState.EDU (douglas craig holland)
Subject: Re: Once tapped, your code is no good any more.

In article <1qpg8fINN982@dns1.NMSU.Edu> amolitor@nmsu.edu (Andrew Molitor) writes:
>In article <tcmayC5M2xv.JEx@netcom.com>
>	tcmay@netcom.com (Timothy C. May) writes:
>>
>>But is it any worse than the current unsecure system? It becomes much
>>worse, of course, if the government then uses this "Clinton Clipper"
>>to argue for restrictions on unapproved encryption. (This is the main
>>concern of most of us, I think. The camel's nose in the tent, etc.)
>>
>
>	Not to pick on Mr. May in particular, of course, but isn't this
>kind of the domino theory? When one little country falls, its neighbor
>will surely follow, and before you know it, we're all mining salt
>in Siberia for not turning in our Captain Crunch Secret Decoder Rings.
>
>	Surely the hypothesis relying on the least wild assumptions is
>to take this at face value. Our lads at the fort were asked to cook up
>something that's pretty secure, with a key that can be escrowed neatly,
>and they did. The government plans to sell this thing, for the reasons
>they state. Yes, those evil guys in the FBI can probably, with some
>effort, abuse the system. I got news for you, if the evil guys in
>the FBI decide they want to persecute you, they're gonna, and you're
>gonna hate it. Fact is, the FBI doesn't want to listen to your phone
>calls, and if they do, and if you're using triple-DES, they'll just
>get a parabolic microphone and point it at your head.
>
	With E-Mail, if they can't break your PGP encryption, they'll just
call up one of their TEMPEST trucks and read the electromagnetic emissions
from your computer or terminal.  Note that measures to protect yourself from
TEMPEST surveillance are still classified, as far as I know.

>	This is pretty clearly an effort by the government to do exactly
>what they're saying they're doing. As is typical with governments,
>it's mismanaged, and full of holes and compromises. As is typical
>with our government, it's not too bad, could be worse.
>
>	My interpretation.
>
>	Andrew
>
>>-Tim May, whose sig block may get him busted in the New Regime
>                           ^^^^^^^^^^^^^^^^^^
>
>	Isn't this just a little melodramatic?

	If the new regime comes to fruition, make sure you protect your First
Amendment rights by asserting your Second Amendment Rights.

						Doug Holland


Newsgroup: sci.crypt
document_id: 15335
From: bill@Celestial.COM (Bill Campbell)
Subject: Re: Once tapped, your code is no good any more.

In <1993Apr17.032828.14262@clarinet.com> brad@clarinet.com (Brad Templeton) writes:

:It occurs to me that if they get a wiretap order on you, and the escrow
:houses release your code to the cops, your code is now no longer secure.

A very good point!

:It's in the hands of cops, and while I am sure most of the time they are
:good, their security will not be as good as the escrow houses.

Why should we expect the cops to be honest!  They're underpaid
for the risks they face every day.  The media dumps on them all
the time and blames them for all sorts of discrimination,
brutality....  How can we expect them to be more than human?

Besides there are lots of cases of police abuses ranging from
protection scams to outright robbery (when I worked in D.C. there
was a breakin at a local Radio Shack and the alarm company heard the
cops responding to the call over the audio pickup in the store:-).

:What this effectively means is that if they perform a wiretap on you,
:at the end of the wiretap, they should be obligated to inform you that
:a tap was performed, and replace (for free) the clipper chip in your
:cellular phone so that it is once again a code known only to the
:escrow houses.

Then you would know that Big Brother had been listening.  Does he
really want to let you know?

:Do the police normally reveal every tap they do even if no charges are
:laid?   In many ways, it would be a positive step if they had to.
:Judges set time limits on warrants, I assume.  At the end of the time
:limit they should have to renew or replace your chip.

:That's if we go with this scheme, which I am not sure I agree with.

I'm completely against anything that makes it easier for the
government to encroach on the rights of individuals.  The
founders of this country spent a lot of effort limiting the power
of the government and specifying exactly what the governments
rights were (and this didn't include a gov't spy in every
bedroom).  IMHO, there are entirely too many things going on
today designed to preserve the government organism at the expense
of individuals.  Look around and reread 1984 and many early
Heinlein books.  Aren't there many parallels between the thought
police (can you spell Waco Texas?), and Heinlein's ``Crazy Years''?

Bill
-- 
INTERNET:  bill@Celestial.COM   Bill Campbell; Celestial Software
UUCP:   ...!thebes!camco!bill   6641 East Mercer Way
             uunet!camco!bill   Mercer Island, WA 98040; (206) 947-5591
SPEED COSTS MONEY -- HOW FAST DO YOU WANT TO GO?

Newsgroup: sci.crypt
document_id: 15336
From: holland@CS.ColoState.EDU (douglas craig holland)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

In article <strnlghtC5LGFI.JqA@netcom.com> strnlght@netcom.com (David Sternlight) writes:
>
>Though some may argue about the nose of the camel, it's worth noting that
>the government proposal is limited to scrambled telephony. If it is only
>used for that purpose, and does not extend to electronic mail or file
>encryption, then it IS an improvement over the current mass-produced
>standard civilian technology which, with a few exceptions, is limited to
>easy-to-break inverters.
>
>Note that the big issue for the feds is the continued ability to wiretap.
>Before we go off the deep end with long discussions about secure crypto for
>e-mail and files, let's focus on this.
>
>One question that was not asked in the release is whether this proposal is
>limited to telephony, or if the government intends to expand it.
>
>Though I share many of the concerns expressed by some, I find the proposal
>less threatening than many others, since right now most Americans have no
>secure telephony, and any jerk with a pair of clip leads and a "goat" can
>eavesdrop. This would also plug up the security hole in cellular and
>cordless phones.
>
>-------
>
>Reading between the lines, I infer that the system is highly secure
>without access to the keys. This would meet the needs of U.S. businesses
>confronted by rich and powerful adversaries, including French and Japanese
>security services and rich Japanese companies. It allows the NSA to make
>available some of its better stuff while protecting law enforcement needs.
>
>Most legitimate U.S. corporations trust the NSA, and would be delighted to
>have a high-security system certified by them, even at the price of
>depositing keys in escrow. I see no difficulty in creating a reliable
>escrow. Corporations entrust their secrets to attorneys every day of the
>week, and that system has worked pretty well.
>
>From my point of view this is a fair starting point. There are concerns that
>need to be addressed, including the reliability of the escrows. But in
>return we get access to high-security crypto. Many have suggested that DES
>and other systems may be breakable by the NSA and hence others similarly
>skilled and endowed. There is at least a good possibility (which should be
>checked) that the proposed system is not so breakable. It doesn't have to
>be, nor does it have to have trapdoors, if the government can get the keys
>pursuant to a legitimate court order. Thus they can protect legitimate
>communications against economic adversaries, while still being able to
>eavesdrop on crooks pursuant to a court order.
>
	Let me ask you this.  Would you trust Richard Nixon with your
crypto keys?  I wouldn't.

						Doug Holland



Newsgroup: sci.crypt
document_id: 15337
From: smb@research.att.com (Steven Bellovin)
Subject: Clipper chip -- technical details

I received the following two notes from Martin Hellman with details
on how Clipper will work.  They are posted with his permission.  The
implications of some details are fascinating.

-------
Date: Sat, 17 Apr 93 23:05:23 PDT
From: "Martin Hellman" <hellman@isl.stanford.edu>
To: (a long list of recipients)
Subject: Clipper Chip


Most of you have seen the announcement in Friday's NY Times,
etc. about NIST (National Institute of Standards & Technology)
announcing the "Clipper Chip" crypto device. Several messages
on the net have asked for more technical details, and some have
been laboring under understandable misunderstandings given
the lack of details in the news articles. So here to help out
is your friendly NSA link: me. I was somewhat surprised Friday
to get a call from the Agency which supplied many of the missing
details. I was told the info was public, so here it is (the cc of this
to Dennis Branstad at NIST is mostly as a double check on my
facts since I assume he is aware of all this; please let me know
if I have anything wrong):

The Clipper Chip will have a secret crypto algorithm embedded in 
Silicon. Each chip will have two secret, 80-bit keys. One will be the 
same for all chips (ie a system-wide key) and the other will be unit 
specific. I don't know what NIST and NSA will call them, but I will 
call them the system key SK and unit key UK in this message. 
The IC will be designed to be extremely difficult to reverse so 
that the system key can be kept secret. (Aside: It is clear that 
they also want to keep the algorithm secret and, in my opinion, 
it may be as much for that as this stated purpose.) The unit key 
will be generated as the XOR of two 80-bit random numbers K1 
and K2 (UK=K1+K2) which will be kept by the two escrow 
authorities. Who these escrow authorities will be is still to be 
decided by the Attorney General, but it was stressed to me that 
they will NOT be NSA or law enforcement agencies, that they 
must be parties acceptable to the users of the system as unbiased. 
When a law enforcement agency gets a court order, they will 
present it to these two escrow authorities and receive K1 and 
K2, thereby allowing access to the unit key UK.

In addition to the system key, each user will get to choose his 
or her own key and change it as often as desired. Call this key 
plain old K. When a message is to be sent it will first be 
encrypted under K, then K will be encrypted under the unit key UK, 
and the serial number of the unit added to produce a three part 
message which will then be encrypted under the system key SK 
producing

     E{ E[M; K], E[K; UK], serial number;  SK}

When a court order obtains K1 and K2, and thence K, the law 
enforcement agency will use SK to decrypt all information 
flowing on the suspected link [Aside: It is my guess that 
they may do this constantly on all links, with or without a 
court order, since it is almost impossible to tell which links 
over which a message will flow.] This gives the agency access to 

     E[M; K], E[K; UK], serial number

in the above message. They then check the serial number 
of the unit and see if it is on the "watch list" for which they 
have a court order. If so, they will decrypt E[K; UK] to obtain K, 
and then decrypt E[M; K] to obtain M.

I am still in the process of assessing this scheme, so please do 
not take the above as any kind of endorsement of the proposed 
scheme. All I am trying to do is help all of us assess the scheme 
more knowledgably. But I will say that the need for just one court 
order worries me. I would feel more comfortable (though not 
necessarily comfortable!) if two separate court orders were 
needed, one per escrow authority. While no explanation is
needed, the following story adds some color: In researching
some ideas that Silvio Micali and I have been kicking around,
I spoke with Gerald Gunther, the constitutional law expert
here at Stanford and he related the following story: When
Edward Levi became Pres. Ford's attorney general (right
after Watergate), he was visited by an FBI agent asking
for "the wiretap authorizations." When Levi asked for
the details so he could review the cases as required by
law, the agent told him that his predecessors just turned
over 40-50 blank, signed forms every time. Levi did not
comply and changed the system, but the lesson is clear: 
No single person or authority should have the power to
authorize wiretaps (or worse yet, divulging of personal
keys). Sometimes he or she will be an Edward Levi
and sometimes a John Mitchell.

Martin Hellman

----

Date: Sun, 18 Apr 93 11:41:42 PDT
From: "Martin Hellman" <hellman@isl.stanford.edu>
To: smb@research.att.com
Subject: Re: Clipper Chip

It is fine to post my previous message to sci.crypt 
if you also post this message with it in which:

1. I ask recipients to be sparse in their requesting further info 
from me or asking for comments on specific questions. By
this posting I apologize for any messages I am unable to
respond to. (I already spend too much time answering too much
e-mail and am particularly overloaded this week with other
responsibilities.) 

2. I note a probable correction sent to me by Dorothy Denning.
She met with the person from NSA that
I talked with by phone, so her understanding is likely to be
better than mine on this point: Where I said the transmitted
info is  E{ E[M; K], E[K; UK], serial number;  SK}
she says the message is not double encrypted. The system
key (or family key as she was told it is called) only encrypts
the serial number or the serial number and the encrypted
unit key. This is not a major difference, but I thought it
should be mentioned and thank her for bringing it to
my attention. It makes more sense since it cuts down
on encryption computation overhead.
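An added example (my own model, not code from Hellman, Bellovin or NSA) of the scheme as corrected in the second note: UK is split into escrow shares K1 and K2, the session key K is wrapped under UK, and only the serial number plus wrapped key are encrypted under SK. It shows what an interceptor holding SK learns with and without a court order. Because the Clipper algorithm is secret, the cipher here is an HMAC-SHA256 counter-mode stand-in, and the serial numbers and field labels are constructed.

```python
import hashlib
import hmac
import secrets

KEY_BYTES = 80 // 8      # Clipper keys are 80 bits
SERIAL_BYTES = 4         # serial-number width is an assumption


def xor_bytes(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_cipher(key: bytes, data: bytes, label: bytes) -> bytes:
    """Stand-in for the secret Clipper algorithm: HMAC-SHA256 keystream in
    counter mode, so the function is its own inverse.  `label` gives each
    use of a key (message body, key wrap, escrow field) its own keystream."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return xor_bytes(data, bytes(out[: len(data)]))


def split_unit_key(unit_key: bytes):
    """UK = K1 XOR K2.  K1 is uniformly random, so either share on its own is
    statistically independent of UK: one escrow agent alone learns nothing."""
    k1 = secrets.token_bytes(KEY_BYTES)
    k2 = xor_bytes(unit_key, k1)
    return k1, k2


def reconstruct_unit_key(k1: bytes, k2: bytes) -> bytes:
    return xor_bytes(k1, k2)


def build_transmission(serial: int, unit_key: bytes, session_key: bytes,
                       plaintext: bytes, system_key: bytes):
    """Sender side, per Denning's correction: E[M; K] travels as-is; only the
    escrow field (serial number, E[K; UK]) is encrypted under SK."""
    body = keystream_cipher(session_key, plaintext, b"body")
    wrapped_k = keystream_cipher(unit_key, session_key, b"wrap")
    escrow_field = keystream_cipher(
        system_key, serial.to_bytes(SERIAL_BYTES, "big") + wrapped_k, b"escrow")
    return body, escrow_field


def intercept(transmission, system_key: bytes, court_orders: set,
              escrow_a: dict, escrow_b: dict):
    """Law-enforcement side.  SK alone exposes the serial number of every
    unit on the link (Hellman's aside about scanning all links); the body is
    recoverable only when both escrow agents release their shares, which in
    this model happens only for serials on the court-order list.
    Returns (serial, plaintext or None)."""
    body, escrow_field = transmission
    inner = keystream_cipher(system_key, escrow_field, b"escrow")
    serial = int.from_bytes(inner[:SERIAL_BYTES], "big")
    wrapped_k = inner[SERIAL_BYTES:]
    if serial not in court_orders:
        return serial, None
    unit_key = reconstruct_unit_key(escrow_a[serial], escrow_b[serial])
    session_key = keystream_cipher(unit_key, wrapped_k, b"wrap")
    return serial, keystream_cipher(session_key, body, b"body")


def demo():
    """Two constructed units (serials 1001 and 1002); unit 1001 sends a
    message, and the interceptor is tried with and without an order for it."""
    system_key = secrets.token_bytes(KEY_BYTES)
    units, escrow_a, escrow_b = {}, {}, {}
    for serial in (1001, 1002):
        units[serial] = secrets.token_bytes(KEY_BYTES)
        escrow_a[serial], escrow_b[serial] = split_unit_key(units[serial])
    k = secrets.token_bytes(KEY_BYTES)        # user-chosen session key K
    tx = build_transmission(1001, units[1001], k, b"meet at noon", system_key)
    with_order = intercept(tx, system_key, {1001}, escrow_a, escrow_b)
    without_order = intercept(tx, system_key, {1002}, escrow_a, escrow_b)
    return with_order, without_order


if __name__ == "__main__":
    print(demo())
```

The unwatched case still yields the serial number, which is exactly the traffic-analysis concern raised in Hellman's aside; Hellman's preference for two separate court orders would correspond to `escrow_a` and `escrow_b` each keeping their own order list.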

Newsgroup: sci.crypt
document_id: 15338
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]


In article <1qnupd$jpm@news.intercon.com> amanda@intercon.com (Amanda Walker) writes:

   From: amanda@intercon.com (Amanda Walker)

   jhesse@netcom.com (John Hesse) writes:
   > Oh great. Wonderful news. Nobody can listen in--except the feds. 

   Hey, it's better than the status quo.

   I am far less worried about "the feds" tapping my phone than high school 
   scanner surfers who get their kicks out of eavesdropping on cellular and 
   cordless phone calls.

I'm a political dissident. I'm scared shitless of the feds listening
in on my calls. My opinions are the sort that would get me
"disappeared" in a slightly less free society -- and who knows what
sort of society we will be in in five or ten years? I have friends who
have had their phones tapped -- none of this is theoretical to me.

As for "its better than the status quo", well, first of all, you can
get a cryptophone from companies like Cylink today -- and they work
well. In addition, a number of groups are now working on building
software to turn any PC into a privacy enhanced phone right now -- and
they are all working in overdrive mode.

   And yes, I'd rather just see all crypto restrictions lifted, but this is at 
   least an incremental improvement for certain applications...

There ARE no crypto restrictions... yet. You can use anything you want
RIGHT NOW. The point is to maintain that right.

--
Perry Metzger		pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
document_id: 15339
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: Re: Once tapped, your code is no good any more.


In article <1qovj8$74m@ni.umd.edu> louie@sayshell.umd.edu (Louis A. Mamakos) writes:

   In article <tcmayC5M2xv.JEx@netcom.com> tcmay@netcom.com (Timothy C. May) writes:

   >But is it any worse than the current unsecure system? It becomes much
   >worse, of course, if the government then uses this "Clinton Clipper"
   >to argue for restrictions on unapproved encryption. (This is the main
   >concern of most of us, I think. The camel's nose in the tent, etc.)

   Excuse me?  This has *already* happened.  There's a couple of humps in
   the tent already.  Ask the folks at Qualcomm what became of the
   non-trivial encryption scheme they proposed for use in their CDMA
   digital cellular phone standard?  There *already* are restrictions in
   place.

You have it slightly wrong. They dumped the encryption system because
they could not export it -- not because they could not produce it for
U.S. use. There are no legal restraints on citizen use of strong
cryptography -- yet.
--
Perry Metzger		pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
document_id: 15340
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: are we being hysterical? No!


In article <1qpg8fINN982@dns1.NMSU.Edu> amolitor@nmsu.edu (Andrew Molitor) writes:

>In article <tcmayC5M2xv.JEx@netcom.com>
>	tcmay@netcom.com (Timothy C. May) writes:
>>
>>But is it any worse than the current unsecure system? It becomes much
>>worse, of course, if the government then uses this "Clinton Clipper"
>>to argue for restrictions on unapproved encryption. (This is the main
>>concern of most of us, I think. The camel's nose in the tent, etc.)
>>

>	Not to pick on Mr. May in particular, of course, but isn't this
>kind of the domino theory?

As John Gilmore has pointed out repeatedly, if you produce the
infrastructure that would permit a police state to function, all that
is required to suddenly find yourself living in one is a change of
attitude on the part of the government.

Our constitution was built by men who had to risk their lives to
ensure freedom in our country. They designed the system to make it
difficult for tyranny to arise. For instance, one of the reasons the
fourth amendment was put there was to make it harder for the
government to try to make smuggling a crime. Think I jest? John
Hancock made all his money smuggling rum, which is, after all, a drug.

Think about it. The government has everyone's keys in escrow, and the
FBI gets their pet "wiretap without leaving the office" scheme. There
is a coup, which happens every day all around the world. Within hours,
everyone in the country who might oppose the tyrants is being
monitored more closely than ever before possible.

Without the tools being in place, a tyranny cannot stand. With tools
like this in place, a tyrannical dictatorship could actually be
successfully imposed.

Why give the government tools with which to enslave you? Maybe you can
trust Bill Clinton, but are you willing to tell me that you can trust
EVERY government that will ever arise in the U.S. hereafter? I am not
willing to make that leap of faith.

>>-Tim May, whose sig block may get him busted in the New Regime
>                           ^^^^^^^^^^^^^^^^^^
>	Isn't this just a little melodramatic?

I'm a political dissident. As such, I am acutely aware of what happens
to political dissidents in most of the world. In most of the world, I
could be killed for my beliefs. Call Amnesty International some time
to find out what happens to dissidents in most of the world.

All that separates the U.S. from most of those places is a thin piece
of parchment in the National Archives that's being constantly more and
more eroded by such farces as the war on drugs. Coups have happened in
countries that have had stable democracies for over a hundred years.
Governments throughout history have fallen. No government has lasted
for more than a few hundred years. Often, they are replaced by
dictatorships. Do you really believe so intensely that it could never
ever ever happen here that you are willing to bet your own life and
the lives of your children and other loved ones on it?

If we construct the tools with which tyranny could be enforced, we
make it orders of magnitude more likely that it could happen, because
if it happened with the tools already in place it could actually
stick. 

Naive fools such as our leadership believe they can protect us where
hundreds that have gone before have failed. Thriving democracies led
by men far more skillful than Bill Clinton have fallen to
dictatorship. Rome had a thriving republic run by exquisitely skilled
men before they became a tyranny.

I, for one, am unwilling to trust that it could never happen here.
Only hubris would allow us to believe we are immune to what has
happened elsewhere.

--
Perry Metzger		pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
document_id: 15341
From: marc@mit.edu (Marc Horowitz N1NZU)
Subject: Re: The source of that announcement

In article <tcmayC5o715.Mrs@netcom.com> tcmay@netcom.com (Timothy C. May) writes:

   I know that at least one person on that list says the first he heard
   of Clipper was in the Friday morning newspaper! And another has
   already fired off a letter of protest to NIST.

   My point? I suspect this list, interesting as it is for various
   reasons, does not represent the cabal that put this proposal together.
   Some of them, yes. Others, no. 

I received mail from Mitch Kapor saying that he did not ask to be on
the list, and does not know why he was added.  I'm sure the same
applies to others on the list.  So, I guess my initial theory was
right, that the clipper list was just someone's idea of a bad joke.  I
guess I should be happy it wasn't a conspiracy.

		Marc
--
Marc Horowitz N1NZU <marc@mit.edu>				617-253-7788

Newsgroup: sci.crypt
document_id: 15342
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Once tapped, your code is no good any more.

In article <Apr18.194927.17048@yuma.ACNS.ColoState.EDU>
holland@CS.ColoState.EDU (douglas craig holland) writes:

>Note that measures to protect yourself from
>TEMPEST surveillance are still classified, as far as I know.

I think this to be inaccurate. One can buy TEMPEST equipment commercially.
Even Macs.

David
-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
document_id: 15343
From: djb@silverton.berkeley.edu (D. J. Bernstein)
Subject: Re: Clipper chip -- technical details

Short summary of what Bellovin says Hellman says the NSA says: There is
a global key G, plus one key U_C for each chip C. The user can choose a
new session key K_P for each phone call P he makes. Chip C knows three
keys: G, its own U_C, and the user's K_P. The government as a whole
knows G and every U_C. Apparently a message M is encrypted as
E_G(E_{U_C}(K_P),C) , E_{K_P}(M). That's it.

The system as described here can't possibly work. What happens when
someone plugs the above ciphertext into a receiving chip? To get M
the receiving chip needs K_P; to get K_P the receiving chip needs U_C.
The only information it can work with is C. If U_C can be computed
from C then the system is cryptographically useless and the ``key
escrow'' is bullshit. Otherwise how is a message decrypted?

---Dan

Newsgroup: sci.crypt
document_id: 15344
Subject: Re: Once tapped, your code is no good any more.
From: steiner@jupiter.cse.utoledo.edu (Jason 'Think!' Steiner)

douglas craig holland (holland@CS.ColoState.EDU) writes:
>
> With E-Mail, if they can't break your PGP encryption, they'll just
> call up one of their TEMPEST trucks and read the electromagnetic 
> emissions from your computer or terminal.  Note that measures to 
> protect yourself from TEMPEST surveillance are still classified, as 
> far as I know.

are LCD displays vulnerable to tempest?

> 	If the new regime comes to fruition, make sure you protect your First
> Amendment rights by asserting your Second Amendment Rights.

i'll second that.

jason


--
   "I stood up on my van. I yelled, `Excuse me, sir. Ain't nothing wrong
    with this country that a few plastic explosives won't cure!'"
              - Steve Taylor, I Blew Up the Clinic Real Good
`,`,`,`,`,`,`,`,`,`,`,`,`,`,`,`,`,` steiner@jupiter.cse.utoledo.edu `,`,`,`

Newsgroup: sci.crypt
document_id: 15345
From: amolitor@nmsu.edu (Andrew Molitor)
Subject: Re: Once tapped, your code is no good any more.

al@escom.COM (Al Donaldson) writes:
>amolitor@nmsu.edu (Andrew Molitor) writes:
>>Yes, those evil guys in the FBI can probably, with some
>>effort, abuse the system. I got news for you, if the evil guys in
>>the FBI decide they want to persecute you, they're gonna, ...
>
>And if Richard Nixon had had this kind of toy, he wouldn't have had
>to send people into the Watergate.
>

	This appears to be generic calling upon the name of the anti-christ.
Just for the hell of it, let's destroy this remark. Let us imagine that
the executive branch actually could extract keys from the escrow houses
without anyone knowing, or telling. Now what? Dick has 80 bits of data.
What the hell's he gonna do with it?

	1) Trot around to the telco and say 'we'd like an unauthorised
decrypting tap'. Uh huh.
	2) Break in to watergate and install his own tap (so his people still
do have to break in, neat, huh?) record some noise, then get the Executive
Branch Phone Decryption Box (huh? they've got one? Goodness, wait 'til the
washington post gets hold of this) and decrypt the noise.
	3) More likely, stare at the key, and say 'Oh, hell it's not
worth all this bloody hassle'

	Truth is, even granted *lots* of covert power on the part of
the Executive Branch, this system is *more* difficult to tap with than
POTS gear. The fact that it is easier to tap than some hypothetical
system neither you nor I am going to place on our phones is neither
here nor there.

	The only rational concerns I am seeing raised are:

	a) is the key really just chopped in half, and not some XOR
arrangement? That is, has some egregious technical error been built
in to the plan?
	b) is this is the first step toward strict regulation of strong
encryption?


>But that's not really the issue.  The real issue is whether this 
>will be used to justify a ban against individuals' use of private 
>(i.e., anything else) encryption methods.

	This is b), of course. I suspect not. If the government actually
wanted to make such regs, they'd just do it. A few hundred people on Usenet
yelling about it wouldn't even slow the machine down.

	Besides, who is this mysterious 'they' who's going to take away
all our rights the instant we let our guard down? Congress? That gang
of buffoons can't even balance their checkbooks. The FBI? But.. they
don't make the laws. The NSA? Ditto. The white house? Bill Clinton
is probably still looking for the bathroom. It's a big place, after all.

	Andrew

>
>Al
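Molitor's question (a) above, whether the escrowed key is "just chopped in half" or split with an XOR arrangement, is the difference between a split that hands half the key to each agent and a proper two-party secret split. The Python below is an added illustration, not from the post and not a description of how the proposal actually splits keys; it uses a constructed 8-bit key so the set of keys consistent with one escrow piece can be enumerated directly, and applies the same counting to the 80-bit size mentioned in the thread.

```python
"""Escrow key splitting: 'chopped in half' vs. XOR shares.
Added illustration with constructed toy values; the key is kept to 8 bits
so the candidate sets can be enumerated. The 80-bit size from the thread
is only used in remaining_work(), which is a formula, not a brute force."""
from typing import List, Tuple


def split_halves(key: int, bits: int) -> Tuple[int, int]:
    """Give escrow agent 1 the high half of the key and agent 2 the low half."""
    half = bits // 2
    return key >> half, key & ((1 << half) - 1)


def join_halves(high: int, low: int, bits: int) -> int:
    """Reassemble a key from its two halves."""
    return (high << (bits // 2)) | low


def split_xor(key: int, random_share: int, bits: int) -> Tuple[int, int]:
    """Give agent 1 a uniformly random share r and agent 2 the value key XOR r.
    random_share must be fresh and uniform over [0, 2**bits) for every key;
    it is passed in here only so the demo is deterministic."""
    assert 0 <= random_share < (1 << bits)
    return random_share, key ^ random_share


def join_xor(share1: int, share2: int) -> int:
    """Reassemble a key from its two XOR shares."""
    return share1 ^ share2


def candidates_given_half(high: int, bits: int) -> List[int]:
    """Keys consistent with one agent's half: brute force over the whole key space."""
    return [k for k in range(1 << bits) if split_halves(k, bits)[0] == high]


def candidates_given_xor_share(share1: int, bits: int) -> List[int]:
    """Keys consistent with one XOR share: every key k qualifies, because
    k XOR share1 is always a legal value for the other share."""
    return [k for k in range(1 << bits) if 0 <= (k ^ share1) < (1 << bits)]


def remaining_work(bits: int, scheme: str) -> int:
    """Brute-force work left for someone holding ONE of the two escrow pieces."""
    if scheme == "halves":
        return 1 << (bits - bits // 2)   # only the other half is unknown
    if scheme == "xor":
        return 1 << bits                  # no reduction at all
    raise ValueError(scheme)


def demo(bits: int = 8, key: int = 0xA5, random_share: int = 0x3C) -> dict:
    """Constructed 8-bit key and random share (not real escrow values)."""
    high, low = split_halves(key, bits)
    s1, s2 = split_xor(key, random_share, bits)
    return {
        "halves_rejoin": join_halves(high, low, bits),
        "xor_rejoin": join_xor(s1, s2),
        "candidates_with_one_half": len(candidates_given_half(high, bits)),
        "candidates_with_one_xor_share": len(candidates_given_xor_share(s1, bits)),
        "work_80bit_halves": remaining_work(80, "halves"),
        "work_80bit_xor": remaining_work(80, "xor"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With halves, one escrow agent (or whoever compromises one escrow house) is left with a 2^40 search for an 80-bit key; with XOR shares, one piece on its own is statistically independent of the key, so the full 2^80 remains, provided the random share is fresh and uniform for every key.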

Newsgroup: sci.crypt
document_id: 15346
From: uni@acs.bu.edu (Shaen Bernhardt)
Subject: Re: An Open Letter to Mr. Clinton

In article <C5oy0z.ILy@chinet.chi.il.us> schneier@chinet.chi.il.us (Bruce Schneier) writes:
>In article <strnlghtC5M2Cv.8Hx@netcom.com> strnlght@netcom.com (David Sternlight) writes:
>>
>>Here's a simple way to convert the Clipper proposal to an unexceptionable
>>one: Make it voluntary.
>>
>>That is--you get high quality secure NSA classified technology if you agree
>>to escrow your key. Otherwise you are on your own.
>>
>
>As long as "you are on your own" means that you can use your own encryption,
>I'm sold.
>
>Bruce

As am I

If "high quality secure NSA classified technology" means handing my key
over to whomever, I'll take PGP any day.

Right now they are billing it as voluntary, i.e. bend over, here it comes.

As soon as enough Wiretap chip based units are out there, how much
easier do you think it will be to redefine "on your own" to mean
write it yourself and don't even THINK about distributing it...?

Get honest, no one is going to buy this trash if they KNOW it's compromised
already, and less will buy it if the algorithm is not disclosed.

The NSA knows that making this stuff available to the public means
handing it to whatever foreign powers are interested in the process.
Since when has export control stopped anyone (especially software wise)

Ask yourself carefully if " high quality secure NSA classified technology "
is something they are going to hand out.  Not unless you can drive a
an NSA van through the holes.

uni (Dark)

-- 
uni@acs.bu.edu  ->  Public Keys by finger and/or request
Public Key Archives at <pgp-public-keys@pgp.iastate.edu>
DF610670F2467B99  97DE2B5C3749148C  Sovereignty is the sign of a brutal past.
Cryptography is not a crime.  Fight the Big Brother Proposal!

Newsgroup: sci.crypt
document_id: 15347
From: sphughes@sfsuvax1.sfsu.edu (Shaun P. Hughes)
Subject: Who should be hearing my views on Clipper ?


Being a browser of this group for some time,
  and being very concerned about the clipper chip proposal,
    I am hoping someone with more knowledge can help out.

Who would be the most influential people to write to, protesting 
the obvious next step hinted at by this proposal ?
 (Heads of what committees, etc.)

What are the major flaws in the plan ?
 (From a cryptological standpoint)


-- 
  Shaun P. Hughes                          "Facts are Stupid Things."
  sphughes@sfsuvax1.sfsu.edu                Ronald Reagan
                                            Republican National
  Finger for PGP 2.2 Public Key             Convention 1988

Newsgroup: sci.crypt
document_id: 15348
From: hallam@dscomsa.desy.de (Phill Hallam-Baker)
Subject: Re: Once tapped, your code is no good any more.


In article <1993Apr18.022011.15502@ringer.cs.utsa.edu>, whughes@lonestar.utsa.edu (William W. Hughes) writes:

|>In article <1qpg8fINN982@dns1.NMSU.Edu> amolitor@nmsu.edu
|>(Andrew Molitor) writes:
|>>In article <tcmayC5M2xv.JEx@netcom.com>
|>>tcmay@netcom.com (Timothy C. May) writes:
|>>
|>>>-Tim May, whose sig block may get him busted in the New Regime
|>>                           ^^^^^^^^^^^^^^^^^^
|>>Isn't this just a little melodramatic?
|>
|>Not at all. Two weeks ago I registered a concern about some programming
|>that was being conducted by a student organisation here at the
|>University of Texas at San Antonio.  As a result, I was interrogated
|>by the campus police, who also attempted to create a positive-identification
|>file (photo, fingerprints, etc.). I refused to permit this, and filed a
|>complaint with the University administration.  The Vice-President for
|>Business Affairs (the 'boss' of the campus police) stated that he had no
|>interest in the legal/Constitutional implications of those actions.

In article <johnson.735025464@trwacs>, johnson@trwacs.fp.trw.com (Steve Johnson) writes:

|>  A remark I heard the other day is beginning to take on increasingly
|>frightening significance.  The comment was made that "In other parts
|>of the world the Democrats [note the big "D"] would be known as
|>Socialists" 

We might get further if we begin by accepting that the government 
really couldn't be bothered less about the political opinions of the 
right wing pro establishment types. Just about the only circumstances 
in which I could think that they would be interested in their political 
views would be to recruit them as spooks. They can be guaranteed to give
the government line when it counts. In US history it has been the 
socialists such as myself who have been persecuted. 


Now before people start asserting that there is no mechanism by which
the administration can get their new chip adopted without legal force
lets try thinking.

In the first place the clipper chip must have existed for several years as
a defense project. Therefore this is not a party matter at all. George Bush
was in any case hardly averse to tapping calls, he was chief spook 
remember.

Secondly the govt can quite easily apply pressure. They simply "ask" their
chums who they give huge defense contracts to (motorola etc) to be "nice"
boys. After all Bill is giving them a nice little trade monopoly since the
chips won't be available to foreign firms.

Thirdly the people who consider the Democrats to be socialist are not the
same as the ones who consider socialists to be communist. People might know
this if the US education system did not suffer from the McCarthyite and 
Dewy version of political correctness - the sort with tribunals and show 
trials. Ever seen Ed Meese pissed? I have, it was when he said that socialism
and communism were the same thing and brought the house down with laughter.
It took several minutes before we realised that he was serious.


Phill Hallam-Baker

Newsgroup: sci.crypt
document_id: 15349
From: artmel@well.sf.ca.us (Arthur Melnick)
Subject: Big Brother (Clipper) chip


     There are some issues which come to mind when one considers
the law enforcement aspects of the use of the Big Brother
(Clipper) chip.
     The drug dealers and terrorists aren't going to let
themselves be caught by using this type of encryption.  In 1985
the New York Times reported that government investigators broke
up a narcotics ring that was operating highly sophisticated
equipment capable of allowing the leaders of the ring to
eavesdrop on the law-enforcement agents who were trying to arrest
them.
     A Mr. Deely, an NSA official, said "There are a lot of
medium-sized countries that would have been proud to have the
signals intelligence operation of this group."
     For every John Gotti there are probably many more people who
have the sophistication to know what the risks of unsecure
communications are.  The press given to the Big Brother chip will
only increase their numbers.
     Even if there is some benefit to law-enforcement through the
use of Big Brother, it must be weighed against the constitutional
and civil liberties questions involved.
     For example, in some areas of the world torture is used as
an investigative tool by the local "law-enforcement" people.  I
suspect it is an effective means of obtaining information and
shortening many investigations.  It probably also helps keep the
conviction rate high.
     The fact that the torture tool is not used in this country
(even with a court order obtained by showing "probable cause") is
because we have rightly balanced the questions of expediency and
what is ethically and morally right.
     I think that the same question of expediency versus morality
should come into play when considering the use of Big Brother.  I
vote for morality.
     I am quite disturbed by what I interpret as a veiled threat
to prohibit the use of all encryption if this Big Brother chip is
not put into widespread use.  After a quick reading of the White
House press release I came away with that impression.
     To most of the American public, the word "hacker" has
rightly or wrongly come to mean "high tech adolescent vandal".
It has struck me that most of the people posting to sci.crypt
regarding this issue are intelligent, thoughtful individuals who
have genuine concerns about the privacy and constitutional issues
surrounding Big Brother.  I hope that the use of Big Brother does
not become mandatory and other encryption become illegal.  I
would hate to see this become some kind of high tech Volstead
Act.
     The high speed digital communications revolution is coming
at us with the speed of an SST.  The times they are a changing,
and just as IBM is learning that they can't do business the same
way they have done it for the past 40 years, maybe NSA should
evaluate another approach.
     EFF, who have correctly questioned the cryptographic
strength of Big Brother, may need to send a stronger message out
regarding the constitutional issues involved.
     Al Gore may want to think this one through a little more.
     And as for Dorothy Elizabeth Robling Denning: how does this
concern you, dear?

Newsgroup: sci.crypt
document_id: 15350
From: C445585@mizzou1.missouri.edu (John Kelsey)
Subject: Clipper chip and key exchange methods

   I was wanting to ask the same question Dan Bernstein asked--how does the
Clipper chip exchange keys?  If the public key is only 80 or 160 bits long,
does anyone know of any public-key schemes that are secure with that key
size?  (Diffie-Hellman or maybe El Gamal, with p set to a constant value?)
   Presumably, the real scheme is something like:
 
   1.  Exchange/verify public keys.
   2.  Send encrypted (randomly-generated) session key.
   3.  Encrypt / Decrypt voice traffic with some sort of fast stream cipher.
 
   Can anyone elaborate on this, or show me what I'm missing here?
 
   --John Kelsey, c445585@mizzou1.missouri.edu

Newsgroup: sci.crypt
document_id: 15351
From: rclark@nyx.cs.du.edu
Subject: Re: Is there ANY security in the Clipper?

zeev@ccc.amdahl.com (Ze'ev Wurman) writes:

>But do we really believe that the various governments
>(including ours) won't have the full lists of all the keys ever manufactured?

Yes, but they'll be encrypted with Cripple Chip encryption, the
encryption algorithm so great it's TOP SECRET and so unbreakable
they WON'T EVEN LET YOU LOOK AT IT!

Doesn't that make you feel SECURE?
----
Robert W. Clark             Just Say No! to the
rclark@nyx.cs.du.edu        Big Brother Chip  

Newsgroup: sci.crypt
document_id: 15352
From: jyork@iastate.edu (Justin York)
Subject: Clipper Chip - How would it work?


With all the talk about this Clipper chip, I have developed one question...

			HOW DOES IT WORK???

If you use this, then how does it get decrypted on the other end? Does the
other party (receiving the phone call/mail/etc) have to know some code to 
undo it? Do I use a different method for calling one party than I would for 
another? If the other party can decrypt it, doesn't that mean that someone
else could also? I assume that if everyone has a different key, the only use
would be storing secure data for later retrieval by the same key. This seems
like a fundamental question to me, but I have very little experience with
cryptosystems, other than DES. If someone could give me an explanation as
to how it would be used (remember that I have had little experience with
this sort of thing) it would be very much appreciated. 

					Justin York
					jyork@iastate.edu

Newsgroup: sci.crypt
document_id: 15353
From: rogue@ccs.northeastern.edu (Free Radical)
Subject: Re: Once tapped, your code is no good any more.

In article <Apr18.194927.17048@yuma.ACNS.ColoState.EDU>
holland@CS.ColoState.EDU (douglas craig holland) writes: 
[...]
>	With E-Mail, if they can't break your PGP encryption, they'll just
>call up one of their TEMPEST trucks and read the electromagnetic emissions
>from your computer or terminal.  Note that measures to protect yourself from
>TEMPEST surveillance are still classified, as far as I know.

I don't know about classified, but I do seem to remember that unless
you're authorized by the Govt, it's illegal to TEMPEST-shield your
equipment.  Besides, effective TEMPEST-shielding is much more
difficult than you might think (hi Jim!).

	RA

rogue@cs.neu.edu (Rogue Agent/SoD!)
-----------------------------------
The NSA is now funding research not only in cryptography, but in all areas
of advanced mathematics. If you'd like a circular describing these new
research opportunities, just pick up your phone, call your mother, and
ask for one.

Newsgroup: sci.crypt
document_id: 15354
From: prz@sage.cgd.ucar.edu (Philip Zimmermann)
Subject: Fighting the Clipper Initiative

Here are some ideas for those of you who want to oppose the White
House Clipper chip crypto initiative.  I think this is going to be a
tough measure to fight, since the Government has invested a lot of
resources in developing this high-profile initiative.  They are
serious about it now.  It won't be as easy as it was defeating Senate
Bill 266 in 1991.

Possible actions to take in response:

1)  Mobilize your friends to do all the things on this list, and
more.

2)  Work the Press.  Talk with your local newspaper's science and
technology reporter.  Write to your favorite trade rags.  Better yet,
write some articles yourself for your favorite magazines or
newspapers.  Explain why the Clipper chip initiative is a bad idea. 
Remember to tailor it to your audience.  The general public may be
slow to grasp why it's a bad idea, since it seems so technical and
arcane and innocent sounding.  Try not to come across as a flaming
libertarian paranoid extremist, even if you are one. 

3)  Lobby Congress.  Write letters and make phone calls to your
Member of Congress in your own district, as well as your two US
Senators.  Many Members of Congress have aides that advise them of
technology issues.  Talk to those aides.

4)  Involve your local political parties.  The Libertarian party
would certainly be interested.  There are also libertarian wings of
the Democrat and Republican parties.  The right to privacy has a
surprisingly broad appeal, spanning all parts of the political
spectrum.  We have many natural allies.  The ACLU.  The NRA.  Other
activist groups that may someday find themselves facing a government
that can suppress them much more efficiently if these trends play
themselves out.  But you must articulate our arguments well if you
want to draw in people who are not familiar with these issues.

5)  Contribute money to the Electronic Frontier Foundation (EFF) and
Computer Professionals for Social Responsibility (CPSR), assuming
these groups will fight this initiative.  They need money for legal
expenses and lobbying.

6)  Mobilize opposition in industry.  Companies that will presumably
develop products that will incorporate the Clipper chip should be
lobbied against it, from within and from without.  If you work for a
telecommunications equipment vendor, first enlist the aid of your
coworkers and fellow engineers against this initiative, and then
present your company's management with a united front of engineering
talent against this initiative.  Write persuasive memos to your
management, with your name and your colleagues' names on it.  Hold
meetings on it.

7)  Publicize, deploy and entrench as much guerrilla
techno-monkeywrenching apparatus as you can.  That means PGP,
anonymous mail forwarding systems based on PGP, PGP key servers,
etc.  The widespread availability of this kind of technology might
also be used as an argument that it can't be effectively suppressed
by Government action.  I will also be working to develop new useful
tools for these purposes. 

8)  Be prepared to engage in an impending public policy debate on
this topic.  We don't know yet how tough this fight will be, so we
may have to compromise to get most of what we want.  If we can't
outright defeat it, we may have to live with a modified version of
this Clipper chip plan in the end.  So we'd better be prepared to
analyze the Government's plan, and articulate how we want it
modified.


-Philip Zimmermann



Newsgroup: sci.crypt
document_id: 15355
From: mcbeeb@atlantis.CSOS.ORST.EDU (Brian Mcbee)
Subject: How can clipper stay classified?

Maybe I don't know enough to know what I am asking, but with millions
of these things about, how could the algorithm possibly stay secret?
Couldn't some clever hackers just grind the thing down layer by layer,
and see how it worked?

-- 
----
Brian McBee    mcbeeb@atlantis.cs.orst.edu   Finger me for PGP 2.1 key

Newsgroup: sci.crypt
document_id: 15356
From: johnl@iecc.cambridge.ma.us (John R. Levine)
Subject: Why the clipper algorithm is secret

>The cryptographic protocol, though, is another matter.  I see no valid
>reasons for keeping it secret, and -- as I hope I've shown above -- there
>are a lot of ways to do things that aren't (quite) as bad.

It just occurred to me why the algorithm is secret.  If it were
published, one could then build physically identical clone versions
of the chip that would interoperate with official Clipper chips.  But
the cloner wouldn't provide the keys to the escrow houses.  Hmmn.

Or is there a technical hack that I've missed?  E.g. how about if the
chips were made unprogrammed but serialized, and then shipped to the
two escrow houses who programmed in their halves of the keys, but
in a way that requires that secret keys known only to the escrow houses
be installed as well, without which clone versions wouldn't
interoperate?  This is getting awfully complicated, but that's
crypto for you.

-- 
John R. Levine, IECC, POB 349, Cambridge MA 02238, +1 617 492 3869
johnl@iecc.cambridge.ma.us, {ima|spdcc|world}!iecc!johnl
"Time is Money!  Steal some today!"

Newsgroup: sci.crypt
document_id: 15357
From: rjc@hal.gnu.ai.mit.edu (Ray)
Subject: Re: Once tapped, your code is no good any more.

In article <C5pGFu.IA4@dscomsa.desy.de> hallam@zeus02.desy.de writes:
>views would be to recruit them as spooks. They can be guaranteed to give
>the government line when it counts. In US history it has been the 
>socialists such as myself who have been persecuted. 

  And in Russia, capitalists were persecuted for trading goods on the
black market. And in the US, capitalist minded types are imprisoned and killed
for things such as selling drugs, guns, pornography, and other victimless
activities.  It doesn't matter whether you are socialist or capitalist,
power and control are central to government. Since citizens can't be trusted to
run their own affairs, the government must watch them.  (for their
own good of course. I mean, with strong cryptography, citizens might <gasp!>
start to hide things from the IRS, sell drugs/guns/pornography, and
that cannot be allowed!)

>trials. Ever seen Ed Meese pissed? I have, it was when he said that socialism
>and communism were the same thing and brought the house down with laughter.
>It took several minutes before we realised that he was serious.

  Not very surprising to anyone who believes in "hands off" government. If
you believe that your private life (both social and financial) are none of
anyone else's business, the difference between socialism and communism is
like the difference between murder by lethal injection or by
chainsaw. The more centralized the economy is, the more potential
abuses for accumulation of information on individuals. If you think
credit companies are bad, ...  Well, I'm sure a democratic socialist society
would vote for absolute privacy of all citizens -- NOT!

Newsgroup: sci.crypt
document_id: 15358
From: Marc VanHeyningen <mvanheyn@cs.indiana.edu>
Subject: Re: Clipper chip -- technical details

Thus said djb@silverton.berkeley.edu (D. J. Bernstein):
>Short summary of what Bellovin says Hellman says the NSA says: There is
>a global key G, plus one key U_C for each chip C. The user can choose a
>new session key K_P for each phone call P he makes. Chip C knows three
>keys: G, its own U_C, and the user's K_P. The government as a whole
>knows G and every U_C. Apparently a message M is encrypted as
>E_G(E_{U_C}(K_P),C) , E_{K_P}(M). That's it.
>
>The system as described here can't possibly work. What happens when
>someone plugs the above ciphertext into a receiving chip? To get M
>the receiving chip needs K_P; to get K_P the receiving chip needs U_C.
>The only information it can work with is C. If U_C can be computed
>from C then the system is cryptographically useless and the ``key
>escrow'' is bullshit. Otherwise how is a message decrypted?

Given the description of the algorithm given, the only plausible
explanation I can find is that K_P must be agreed to out of bandwidth
in advance by the two parties; i.e. it's a standard shared symmetric
key.
--
Marc VanHeyningen   mvanheyn@cs.indiana.edu   MIME & RIPEM accepted
Security through Diversion: n. Theory which states that the public
availability of good computer games is vital to maintaining system
safety.  Contrast Security through Obscurity.

Newsgroup: sci.crypt
document_id: 15359
From: amolitor@moink.nmsu.edu (Andrew Molitor)
Subject: What the clipper nay-sayers sound like to me.

	The following is available in some FTP archive somewhere, I insert
my comments liberally throughout this demonic memo of Big Brotherdom:

>	White House Announcement on Screw Thread Standards
>	--------------------------------------------------
>
>	This is to announce that the American National Standards
>Institute (or whatever it is) has been given the authority to define
>standard dimensions for screw threads.

   Look! This is clearly the first step toward outlawing our
   own screw thread specifications. If this madness isn't fought,
   tooth and nail, every step of the way, it'll be a crime to use
   screw threads other than those our Fearless Leaders so *graciously*
   define for us.

>	The purpose of this is to permit industry to draw upon a standard
>pool of specifications and designations, to ensure interoperability of
>various threaded objects across vendors.

   Rubbish, I say! ANSI standard screw threads will have subtle weaknesses,
   allowing their agents to disassemble our automobiles more easily,
   causing our mufflers to fall off at inopportune moments.

>	Questions and Answers on the ANSI screw thread standards
>	--------------------------------------------------------
>
>Q: Will the screw threads defined by ANSI be as good as other screw thread
>designs available elsewhere?
>
>A: Yes.

	Hah! "trust us"

>Q: Will I be able to use my own screw threads if I desire?
>
>A: Of course, but this will make your threaded objects unlikely to
>interoperate correctly with others within the industry.

	See??! See? This is the first step.

	It is clear we must band together, write your congressman!
Use Pretty Good Screw Threads, not this devil-inspired ANSI trash.
Protect your constitutional right to use whatever screw thread you
desire. Guerrilla Screw Thread Activism must become the order of the
day. Boycott GM, and build your own car, using screws from STZ
Screw Thread Associates.

	Screw you, Bill Clinton! You and your totalitarianist thugs!

------------------------------------------------------------------------
amolitor@nmsu.edu | finger for PGST personal screw thread pitch, or
Screw Threads     |  see the screw thread servers.
must be freed!    |
------------------------------------------------------------------------

Newsgroup: sci.crypt
document_id: 15360
From: howland@noc.arc.nasa.gov (Curt Howland)
Subject: Re: White House Wiretap Chip Disinformation Sheet



|>    The Attorney General will procure and utilize encryption devices to
|>    the extent needed to preserve the government's ability to conduct
|>    lawful electronic surveillance and to fulfill the need for secure
|>    law enforcement communications.  Further, the Attorney General
|>    shall utilize funds from the Department of Justice Asset Forfeiture
|>    Super Surplus Fund to effect this purchase.

This is the one part that really scares me. Without
the keys, it can likely be determined if a person
is using the "State Approved" encryption method,
and if not then that person's life is forfeit, and
the profits go to making more busts, and more 
profit. 

"Power corrupts. Absolute power corrupts absolutely."
Human nature has not changed very much in only a few
hundred years....

---
Curt Howland        howland@nsipo.nasa.gov 
NSI Operations Center      NASA Ames
(800) 424-9920

Newsgroup: sci.crypt
document_id: 15361
From: ns111310@LANCE.ColoState.Edu (Nathaniel Sammons)
Subject: Re: What the clipper nay-sayers sound like to me.

[... a bunch of well-meaning (maybe) cynical text about screw-thread
	sizes, the rights of people to have their own standards,
	and the non-right of the gov. to regulate screw-threads...]

Well, as funny as your little comment may seem, it has very little to
do with your personal privacy as a citizen, and about the government
being able to look at everything you have ever typed into a computer
at one point or another.

This "Clipper Chip" stuff is the seeds for nightmares to make the 
Nightmare on Elmstreet cheese-on-celluloid movies look like episodes
of Mr. Roger's Neighborhood.

IF the gov establishes a cryptography standard that has to be used by
everyone, and everyone's personal key is divided into two segments
and stored at two separate, albeit easy to find places, and that key is
only 80 bits to begin with, we are screwed (pardon the allusion to the 
afore-mentioned article)!

The gov, I believe (as do many others), probably already has the cracking chips
for this Clipper Chip made.  Hell, they probably based the encoder on the 
chip that cracks it, that way it's easier to break the code, but since it is a 
classified algorithm, no one knows that they can crack it so easily.

I, for one, am quite scared of this kind of thing, and plan to support 
organizations (and even disorganizations) who are fighting against this
Clipper Chip in any way that I can.

I do not want the government to be able to have access, even with a search
warrant, to my keys... and I don't want those keys to be only 80 bits long
to begin with!

-nate sammons

o---------------------------+======================================o
| "I hate quotations.       |     This message brought you by      |
|   Tell me what you know." |   Nate Sammons, and the number 42.   |
|    --Ralph Waldo Emerson  |  ns111310@longs.lance.colostate.edu  |
o---------------------------+======================================o

Newsgroup: sci.crypt
document_id: 15362
From: jed@pollux.usc.edu (Jonathan DeMarrais)
Subject: Crypto Conference

I need to know the following information about the upcoming
Crypto Conference; The address to submit articles, and the
number of copies needed.  Thanks,
				Jonathan DeMarrais 
				jed@pollux.usc.edu

-- 
--- Jay      jed@pollux.usc.edu          (University of Southern California)

What a depressingly stupid machine.
                                     Marvin

Newsgroup: sci.crypt
document_id: 15363
From: pgf@srl03.cacs.usl.edu (Phil G. Fraering)
Subject: Re: Once tapped, your code is no good any more.

strnlght@netcom.com (David Sternlight) writes:

>What follows is my opinion. It is not asserted to be "the truth" so no
>flames, please.  It comes out of a background of 20 years as a senior
>corporate staff executive in two Fortune 50 companies.

>I'd be happy to use a crypto system supplied by the NSA for business, if
>they told me it was more secure than DES, and in particular resistant to
>attempts by Japanese, French, and other competitive companies and
>governments to break.

>I'd be happy to do so even with escrowed keys, provided I was happy about
>the bona fides of the escrow agencies (the Federal Reserve would certainly
>satisfy me, as would something set up by one of the big 8 accounting firms).

>I'd trust the NSA or the President if they stated there were no trap
>doors--I'd be even happier if a committee of independent experts examined
>the thing under seal of secrecy and reported back that it was secure.

>I'd trust something from the NSA long before I'd trust something from some
>Swiss or anybody Japanese.

A lot of us out here in the hinterland will trust the Japanese
before we'll trust the NSA, the President, or those stupid
Fortune 50 companies you're so proud of.

>This may seem surprising to some here, but I suggest most corporations would
>feel the same way. Most/many/some (pick one) corporations have an attitude
>that the NSA is part of our government and "we support our government", as
>one very famous CEO put it to me one day.

>Just some perspective from another point of view.

And since the Japanese corps aren't part of our "government/governors"
they may be more trusted out there than you are.


People are getting tired of this "be patriotic, do whatever we say
without question, and pay more taxes" attitude that comes from
America's political party...
or should that be caste?

>-- 
>David Sternlight         Great care has been taken to ensure the accuracy of
>                         our information, errors and omissions excepted.  


--
Phil Fraering         |"Seems like every day we find out all sorts of stuff.
pgf@srl02.cacs.usl.edu|Like how the ancient Mayans had televison." Repo Man



Newsgroup: sci.crypt
document_id: 15364
From: pgf@srl03.cacs.usl.edu (Phil G. Fraering)
Subject: Re: Once tapped, your code is no good any more.

holland@CS.ColoState.EDU (douglas craig holland) writes:


>	With E-Mail, if they can't break your PGP encryption, they'll just
>call up one of their TEMPEST trucks and read the electromagnetic emissions
>from your computer or terminal.  Note that measures to protect yourself from
>TEMPEST surveillance are still classified, as far as I know.

1. I don't think they are classified.

2. I could independently invent about half a dozen right off
the top of my head. If I had studied Advanced E & M a little better,
I could probably come up with a _very_ good system.

...
>	If the new regime comes to fruition, make sure you protect your First
>Amendment rights by asserting your Second Amendment Rights.

>						Doug Holland

--
Phil Fraering         |"Seems like every day we find out all sorts of stuff.
pgf@srl02.cacs.usl.edu|Like how the ancient Mayans had televison." Repo Man



Newsgroup: sci.crypt
document_id: 15365
From: mkagalen@lynx.dac.northeastern.edu (michael kagalenko)
Subject: Some thoughts on Clipper proposal 


I envision incorporation of the new standard into
various communication systems, thus making it prevalent on the market & 
therefore cheap. The way to do that may be detaching the crypto chip from 
communication equipment. It seems logical to provide the Clipper chip 
to the end-user not as a part of a phone, fax, modem & the like but in the
form of a smart-card compatible with various telecomm. products. Banks 
will encourage extensive use of the new cards to make transactions by phone.
A natural step will be to cross-reference this card to the person in the 
government databases - or else this new version of the "wiretap proposal" 
makes no sense at all; one wishes to eavesdrop (spell.) on the particular 
person, not on the particular modem or phone.
 
As a side note, I disagree with one poster, who said he won't care about
the ability of the government to eavesdrop, since they can do that now 
anyway. Clipper will take away electronic surveillance from citizens, 
making it a monopoly of the government. Maybe we can find examples when
interceptions made by (unauthorised) people uncovered crimes of 
state officials?


-- 
--------------------------------------------------------------------------------
      For PGP2.1 public key finger mkagalen@lynx.dac.northeastern.edu
--------------------------------------------------------------------------------

Newsgroup: sci.crypt
document_id: 15366
From: tribe831@snake.cs.uidaho.edu (Mr. Duane Tribe; Esq.)
Subject: Underground encryption (was Re: text of White House announcement ...)

In article <1qmugcINNpu9@gap.caltech.edu> hal@cco.caltech.edu (Hal Finney) writes:
>It looks like the worst nightmares raised by Dorothy Denning's proposals
>are coming true.  If the government continues on this course, I imagine
>that we will see strong cryptography made illegal.  Encryption programs
>for disk files and email, as well as software to allow for encrypted
>voice communications, will be distributed only through the
>"underground".  People will have to learn how to hide the fact that
>they are protecting their privacy.

Some thoughts:

Has any work been done on encapsulating encrypted data inside "non-encrypted"
data files?  Many file formats can be written with "gaps" in them to hide
other data.  New file formats could be designed to have alternate data hidden
by dispersing it amongst the "legitimate" data.  The hidden data would only
show up with the right key(s), and a file with hidden data would be
indistinguishable from one without.  So, only the correct key(s) would reveal
the presence of an "illegal" document.

If I devise a custom file compression algorithm and only I and a friend have
the uncompressor, and otherwise the file appears to be total gibberish, do I
have the right to transmit the file?  Will we have to "escrow" all our data
file formats?  Are gangs required to escrow their hand signals, colors and
catch phrases?

I think that it's important to evaluate the content of electronic speech by
replacing the media with pen and paper or verbal speech and then re-ask the
question.

Newsgroup: sci.crypt
document_id: 15367
From: "Douglas Johnson" <p00450@psilink.com>
Subject: Unix crypt for DOS

I've recently moved from Unix to a DOS box and have a number of files 
that I used crypt to "protect".  Does anyone know of a DOS version of 
crypt?  I've found one, but it insists on six letter keys and I used 
some shorter ones.  Thanks for your help.  -- Doug

Newsgroup: sci.crypt
document_id: 15368
From: ignatz@chinet.chi.il.us (Dave Ihnat)
Subject: Re: Once tapped, your code is no good any more.

In article <1qpg8fINN982@dns1.NMSU.Edu> amolitor@nmsu.edu (Andrew Molitor) writes:
>	Not to pick on Mr. May in particular, of course, but isn't this
>kind of the domino theory? When one little country falls, its neighbor
>will surely follow, and before you know it, we're all mining salt
>in Siberia for not turning in our Captain Crunch Secret Decoder Rings.

But, for all the wrongness of our attempt to correct it (VietNam, et. al.),
the domino theory wasn't disproved at all.

Newsgroup: sci.crypt
document_id: 15369
From: <U23590@uicvm.uic.edu>
Subject: Re: Clipper -- some new thoughts

The cryptographic algorithm MUST be kept secret, or
private individuals could make ClipperClones with
which they could transmit messages which the feds would not have
ready access to.  This is clearly unacceptable.

I hope somebody starts doing this soon after the first
ones are released...

Newsgroup: sci.crypt
document_id: 15370
From: wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705)
Subject: Re: Once tapped, your code is no good any more.

In article <1993Apr17.061326.16130@clarinet.com> brad@clarinet.com (Brad Templeton) writes:
   Once it hits land you can record it if you have telco access.  The
   telco isn't supposed to give that without a warrant.  That's the rule today.

   But even so, the evidence would not be admissible, I think, unless the
   judge so ordered.  I think that even interception of the crypttext
   without a warrant would be illegal.   Cops can't record today's plain
   cellular calls and then ask a judge, "Hey, can we have permission to
   listen to those tapes?" can they?

How long do you think it will be before it becomes legal for the
police to record encrypted conversations "It's not violating your
privacy because we can't read the encryption without a warrant", with the usual
good-faith exception if they accidentally record a non-encrypted conversation.

Besides, it's covered by the Drug Exception to the Fourth Amendment...
--
#				Pray for peace;      Bill
# Bill Stewart 1-908-949-0705 wcs@anchor.att.com AT&T Bell Labs 4M312 Holmdel NJ
#	              No, I'm *from* New Jersey, I only *work* in cyberspace....
# White House Comment Line 1-202-456-1111  fax 1-202-456-2461

Newsgroup: sci.crypt
document_id: 15371
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

In article <Apr18.204843.50316@yuma.ACNS.ColoState.EDU>
holland@CS.ColoState.EDU (douglas craig holland) writes:


>	Let me ask you this.  Would you trust Richard Nixon with your
>crypto keys?  I wouldn't.

I take it you mean President Nixon, not private citizen Nixon. Sure.
Nothing I'm doing would be of the slightest interest to President Nixon.

David


-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
document_id: 15372
From: karn@unix.ka9q.ampr.org (Phil Karn)
Subject: Re: White House Wiretap Chip Disinformation Sheet

In article <WCS.93Apr17034914@rainier.ATT.COM>, wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705) writes:
|>    The Attorney General will procure and utilize encryption devices to
|>    the extent needed to preserve the government's ability to conduct
|>    lawful electronic surveillance and to fulfill the need for secure
|>    law enforcement communications.  Further, the Attorney General
|>    shall utilize funds from the Department of Justice Asset Forfeiture
|>    Super Surplus Fund to effect this purchase.

This is a very curious thing to say. STU-IIIs (NSA-designed secure
telephones cleared for classified traffic) are already readily
available to law enforcement agencies. Word has it they're standard in
every FBI office, for example.  Something like several hundred
thousand of these phones exist in all. They are clearly the US government
standard.

So why does the DoJ need to buy new phones that, unlike STU-IIIs, will
not be certified for classified traffic, and in all likelihood will
not be compatible with existing STU-IIIs?

Unless, of course, they're gearing up for large scale decryption of
civilian Clipper users, and they need compatible hardware...

Phil


Newsgroup: sci.crypt
document_id: 15373
From: strnlght@netcom.com (David Sternlight)
Subject: Re: WH proposal from Police point of view


dwight tuinstra posts a very interesting message in which he comments on the
effects of the Clipper chip on state and local police. Actually, reading
between the lines, it could be a very good thing for civil liberties in one
respect, since it will at least prevent cowboy cops and cowboy state and
local agencies from reading your traffic if they tap it illegally.

There has been extensive discussion in the eff forum, for example, about
inadmissible taps being used to develop information that could then lead to
admissible evidence.  This might put a stop to such things, which must from
time to time be simple fishing expeditions.

David
-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
document_id: 15374
From: hal@cco.caltech.edu (Hal Finney)
Subject: Re: Clipper chip -- technical details

djb@silverton.berkeley.edu (D. J. Bernstein) writes:

>[Summary elided]
>The system as described here can't possibly work. What happens when
>someone plugs the above ciphertext into a receiving chip? To get M
>the receiving chip needs K_P; to get K_P the receiving chip needs U_C.
>The only information it can work with is C. If U_C can be computed
>from C then the system is cryptographically useless and the ``key
>escrow'' is bullshit. Otherwise how is a message decrypted?

The description of the chip's operation evidently leaves out some of the
key management aspects.  Either the K_P is the secret key corresponding
to a public key which is broadcast at message initiation, or it is the
result of a Diffie-Hellman key exchange or something similar.  Either
way there must be some protocols beyond those described here.  It isn't
clear whether they are implemented in the Clipper wiretap chip or must
be provided by other system components.

Hal Finney

Newsgroup: sci.crypt
document_id: 15375
From: smb@research.att.com (Steven Bellovin)
Subject: Re: Clipper chip -- technical details

In article <1667.Apr1821.58.3593@silverton.berkeley.edu>, djb@silverton.berkeley.edu (D. J. Bernstein) writes:
> Short summary of what Bellovin says Hellman says the NSA says: There is
> a global key G, plus one key U_C for each chip C. The user can choose a
> new session key K_P for each phone call P he makes. Chip C knows three
> keys: G, its own U_C, and the user's K_P. The government as a whole
> knows G and every U_C. Apparently a message M is encrypted as
> E_G(E_{U_C}(K_P),C) , E_{K_P}(M). That's it.
> 
> The system as described here can't possibly work. What happens when
> someone plugs the above ciphertext into a receiving chip? To get M
> the receiving chip needs K_P; to get K_P the receiving chip needs U_C.
> The only information it can work with is C. If U_C can be computed
> from C then the system is cryptographically useless and the ``key
> escrow'' is bullshit. Otherwise how is a message decrypted?

Via K_P, of course.  Nothing was said about where K_P comes from.  It's
the session key, though, and it's chosen however you usually choose
session keys --- exponential key exchange, shared secret, RSA, etc.
But however you choose it, the chip will apparently emit the escrow
header when you do.

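The scheme as summarised in the quoted post (header E_G(E_{U_C}(K_P), C) sent beside E_{K_P}(M)) and Bellovin's answer that K_P comes from a separate key-management step, worked through as an added Python example that is not from any poster in this thread. The chip's classified cipher is replaced by a constructed toy HMAC-based cipher, and the 80-bit key sizes, chip ids and the sample message are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Toy stand-in for the chip's cipher (the real Clipper algorithm is classified and
# unrelated): HMAC-SHA256 keystream plus an integrity tag, so a wrong key is detected.


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def E(key: bytes, plaintext: bytes) -> bytes:
    """E_key(plaintext) -> nonce || ciphertext || tag (constructed toy cipher)."""
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def D(key: bytes, blob: bytes) -> bytes:
    """Inverse of E; raises ValueError when the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or corrupted data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class Chip:
    """Chip C knows the global key G, its own unit key U_C and, per call, K_P."""

    def __init__(self, chip_id: int, G: bytes, U_C: bytes):
        self.C, self.G, self.U_C = chip_id, G, U_C

    def send(self, K_P: bytes, M: bytes) -> Tuple[bytes, bytes]:
        # Escrow header E_G(E_{U_C}(K_P), C) followed by the payload E_{K_P}(M),
        # the two fields in the summary quoted above.
        inner = E(self.U_C, K_P)
        header = E(self.G, inner + self.C.to_bytes(4, "big"))
        return header, E(K_P, M)

    def try_recover_K_P_from_header(self, header: bytes) -> Optional[bytes]:
        """What a receiving chip can do with the header alone (Bernstein's question)."""
        opened = D(self.G, header)          # every chip knows G, so this layer opens
        inner = opened[:-4]                 # E_{U_sender}(K_P); the last 4 bytes are C
        try:
            return D(self.U_C, inner)       # succeeds only if U_C == U_sender
        except ValueError:
            return None                     # all the receiver learned is C

    def receive(self, K_P: bytes, payload: bytes) -> bytes:
        """K_P has to come from the key-management step the summary leaves out."""
        return D(K_P, payload)


class EscrowAgency:
    """The government as a whole: knows G and the registry of every U_C."""

    def __init__(self, G: bytes, registry: Dict[int, bytes]):
        self.G, self.registry = G, registry

    def recover_session_key(self, header: bytes) -> Tuple[int, bytes]:
        opened = D(self.G, header)
        inner, C = opened[:-4], int.from_bytes(opened[-4:], "big")
        return C, D(self.registry[C], inner)


def run_call(M: bytes = b"constructed sample call data") -> dict:
    """One call between chips 1 and 2, seen by the receiver and by the escrow side."""
    G = os.urandom(10)                                  # 80-bit keys, as the thread assumes
    registry = {1: os.urandom(10), 2: os.urandom(10)}   # unit keys held in escrow
    alice, bob = Chip(1, G, registry[1]), Chip(2, G, registry[2])
    K_P = os.urandom(10)                                # agreed via whatever key exchange
    header, payload = alice.send(K_P, M)
    chip_id, escrowed_K_P = EscrowAgency(G, registry).recover_session_key(header)
    return {
        "bob_reads_with_K_P": bob.receive(K_P, payload),
        "bob_K_P_from_header": bob.try_recover_K_P_from_header(header),
        "escrow_recovers_chip": chip_id,
        "escrow_recovers_K_P": escrowed_K_P == K_P,
        "escrow_reads_call": D(escrowed_K_P, payload),
    }


if __name__ == "__main__":
    print(run_call())
```

The header only lets a holder of G and the sender's escrowed U_C recover K_P; the receiving chip gets nothing but C from it and must obtain K_P by a separate key-management step, which is the gap the posters are pointing at.
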
Newsgroup: sci.crypt
document_id: 15376
From: C445585@mizzou1.missouri.edu (John Kelsey)
Subject: Corporate acceptance of the wiretap chip

 
strnlght@netcom.com (David Sternlight) writes:
>
>>What follows is my opinion. It is not asserted to be "the truth" so no
>>flames, please.  It comes out of a background of 20 years as a senior
>>corporate staff executive in two Fortune 50 companies.
>
>>I'd be happy to use a crypto system supplied by the NSA for business, if
>>they told me it was more secure than DES, and in particular resistant to
>>attempts by Japanese, French, and other competitive companies and
>>governments to break.
>
>>I'd be happy to do so even with escrowed keys, provided I was happy about
>>the bona fides of the escrow agencies (the Federal Reserve would certainly
>>satisfy me, as would something set up by one of the big 8 accounting firms).
 
   I don't doubt that this will be the attitude of many corporate leaders.
It's understandable--most corporate execs don't know much about cryptology,
and it's easy to get taken in by someone peddling snake oil.  And, the
proposed scheme *is* a major improvement in telephone security to what
exists now.
 
   The problem is that, with any security scheme of this kind, you have to
concern yourself with the weakest link in the chain.  I suspect that NSA
has put a fairly strong encryption algorithm in this wiretap chip of theirs,
probably at least as strong as (say) DES in OFB-mode.  Unfortunately, the
existence of the key-registry system seems to make possible all kinds of
possible attacks at a small fraction of the expense of trying to build (say)
a DES keysearch machine.
 
   As originally described, it sounded like any police / court combination
could acquire the key for a given chip.  I hope that's not the case, since
it would imply a glaring hole.  (How much does it cost to find *one* crooked
judge and *one* crooked cop?  Especially for a foreign intelligence agency
or organized crime boss?)  However, even if more intelligent schemes are used
to allow access to the unencrypted phone conversations, there will be weak-
nesses.  They may be very expensive, and very difficult.  But who would
trust his/her confidential information to an encryption scheme that, for
(say) $100,000 could by cracked one time in a hundred?  (DES, for all the
complaints about a 56-bit key, would probably cost several million dollars
to build a keysearch machine for.)
 
   How many million dollars would the confidential phone messages of
the GM headquarters be worth to Nissan, Chrysler, or Audi?  How about
home phones of major execs and important engineers and designers?
"Gee, Mr Jones, I understand you've had some financial problems lately.
Maybe I can help..."
 
>>I'd trust something from the NSA long before I'd trust something from some
>>Swiss or anybody Japanese.
 
   Indeed, if NSA really designed the algorithm to be secure, it's very likely
as secure as IDEA or 2-key DES.  However, the system as a whole isn't resistant
to "practical cryptanalysis."  In _The Puzzle Palace_, Bamford describes how
several NSA employees were turned by foreign (presumably KGB) agents, despite
security measures that I doubt any Big 8 accounting firm could match.  And
NSA confidential data was *not* subject to being requested by thousands of
police organizations and courts across the land.
 
   --John Kelsey, c445585@mizzou1.missouri.edu

Newsgroup: sci.crypt
document_id: 15377
From: dfl@panix.com (Danny O'Bedlam)
Subject: Re: Why the clipper algorithm is secret

In <1993Apr18.225502.358@iecc.cambridge.ma.us> johnl@iecc.cambridge.ma.us (John R. Levine) writes:
(quoting someone else here) 
>>The cryptographic protocol, though, is another matter.  I see no valid
>>reasons for keeping it secret, and -- as I hope I've shown above -- there
>>are a lot of ways to do things that aren't (quite) as bad.

>It just occurred to me why the algorithm is secret.  If it were
>published, one could then build physically identical clone versions
>of the chip that would interoperate with official Clipper chips.  But
>the cloner wouldn't provide the keys to the escrow houses.  Hmmn.

								Yeah!

	The algorithm is classified because a military contract (or similar
government equivalent to military) has been let for this "proprietary"
design that the Feds say that NSA developed.  Is there a patent?  Is that
patent publicly available?  My betting is that that too is classified.

	If the algorithm were made public, or reverse-engineered, it would
compromise not only the goal of Justice of being able to read every chip
user's crypto-data but would reduce profits for the selected chip maker.

	Wouldn't that just be too bad?

-- 
***********************************************************************
* Danny O'Bedlam  = dfl@panix.com = cmcl2!panix!dfl = Danny Lieberman *
* PO Box 3131 Church St Station, New Yawk, New Yawk, 10008-3131 (usa) *
***********************************************************************

Newsgroup: sci.crypt
document_id: 15378
From: C445585@mizzou1.missouri.edu (John Kelsey)
Subject: The wiretap chip, clones, and secure key-exchange

U23590@uicvm.uic.edu writes:
>The cryptographic algorithm MUST be kept secret, or
>private individuals could make ClipperClones with
>which they could transmit messages which the feds would not have
>ready access to.
 
   Not necessarily.  I've been thinking about this, and if this chip/scheme
is to provide any real security, there must be some sort of key exchange,
either using a public-key encryption scheme, or using a key exchange scheme
like Diffie-Hellman.  If there's an out-of-band transmission of a shared
session key, then what protects that band from eavesdropping?  If the phone
company or some other online central authority generates a session key and
sends it to both users, then what's the point of going to the trouble of
having some complicated key-depositories?  Just ask the phone company for
a copy of the session key for each call.
 
   Now, it's probably not practical for each user to keep an online copy of
every public key used by anyone anywhere, right?  So, probably, there will
be some way of getting these keys verified.  This might be a digitally-
signed (by the chip manufacturer) copy of the public key in this unit,
stored by this unit.  It might also be an online directory with access to
everyone's public keys.  (This would introduce another weakness to the
security of the scheme, of course.)  Presumably, if you don't use your
designated key, you can't get a verified connection to other standard chips.
 
   It might be useful to have a modified chip, which would allow you to
use either the original public/private key pair, or some other key pair
and verification scheme.  Unfortunately, this would not allow you to call
most people and establish secure communications....
 
   --John Kelsey
>I hope somebody starts doing this soon after the first
>ones are released...

Newsgroup: sci.crypt
document_id: 15379
From: brad@clarinet.com (Brad Templeton)
Subject: Re: How to detect use of an illegal cipher?

In article <C5nMB1.CoF@news.claremont.edu> ebrandt@jarthur.claremont.edu (Eli Brandt) writes:
>get their copy of your key.  Any criminal who's going to use
>encryption will do it under cover of Clipper.  The only way to avoid
>this will be to try to prohibit strong encryption.

This isn't true.  Today's criminals regularly use all sorts of unsafe
methods, from cordless phones to cellular phones to plain old copper
wire analog phones that you can put alligator clips on to plan and
execute their crimes.

It is amazing how stupid they are, which is why the FBI was so keen on
the digital telephony law, and its successor the clipper chip.  They're
hoping here that most crooks will remain stupid, feel safe using clipper
chip phones and get caught.
-- 
Brad Templeton, ClariNet Communications Corp. -- Sunnyvale, CA 408/296-0366

Newsgroup: sci.crypt
document_id: 15380
From: brad@clarinet.com (Brad Templeton)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

In article <1993Apr18.032405.23325@magnus.acs.ohio-state.edu> jebright@magnus.acs.ohio-state.edu (James R Ebright) writes:
>In article brad@clarinet.com (Brad Templeton) writes:
>
>[...]>
>>The greatest danger of the escrow database, if it were kept on disk,
>>would be the chance that a complete copy could somehow leak out.  You
>[...]>
>>Of course then it's hard to backup.  However, I think the consequences
>>of no backup -- the data is not there when a warrant comes -- are worse
>>than the consequences of a secret backup.
>
>If the data isn't there when the warrant comes, you effectively have
>secure crypto.  If secret backups are kept...then you effectively have
>no crypto.  Thus, this poster is essentially arguing no crypto is better
>than secure crypto.

No, the poster (me) has his brain in the wrong gear.  As you can infer
from the first sentence, I meant the consequences of no backup are *better*
than the consequences of an easy to copy database.
-- 
Brad Templeton, ClariNet Communications Corp. -- Sunnyvale, CA 408/296-0366

Newsgroup: sci.crypt
document_id: 15381
From: C445585@mizzou1.missouri.edu (John Kelsey)
Subject: Competing standard

   Perhaps one way of getting away from this cripple chip that the U.S.
government seems to be pushing would be to come up with a good alternative.
For example, how about a scheme using RSA, and some hybrid of DES-CFB and
another strong stream cipher (Maybe IDEA-CFB)?  This could be substantially
the same as the cripple chip, except that instead of key-registration, the
police could demand that you give up your secret key to them (with a court-
issued warrant).  Then, they could read the last few months of wiretapped
messages you've sent, and assuming you've committed no crimes, you could
generate a new key pair and go about your business.  I find that I'd be
willing to pay RSA for the right to use such a system, especially given the
alternative.  If you were unwilling to give up your secret key, then you'd
probably stay in jail (has anyone got a real legal precedent for this?).
   This would allow court-issued warrants to be used to gather information
on suspected criminals, but it couldn't be done in secrecy, and there
would be enormously less likelihood of corruption or theft of escrowed keys.
(Maybe someone from the law-enforcement or intelligence community will correct
me, but this doesn't *seem* like such a big loss in terms of law-enforcement
capabilities.)
 
   Any comments?
 
   --John Kelsey

Newsgroup: sci.crypt
document_id: 15382
From: djb@silverton.berkeley.edu (D. J. Bernstein)
Subject: Re: Clipper chip -- technical details

In article <1993Apr19.052005.20665@ulysses.att.com> smb@research.att.com (Steven Bellovin) writes:
> Nothing was said about where K_P comes from.

Oh? Hellman said ``each user will get to choose his or her own key.''
That's the key which I called K_P, the session key. According to
Hellman, if Alice and Bob are communicating with the Clipper Chip,
then Alice chooses ``her own key'' and Bob chooses ``his own key.''
This is incompatible with the suggestion that when Alice and Bob are
talking, they use a _common_ K_P, chosen by classical or public-key
approaches.

The protocol/key-management description published so far is either
incomplete or incorrect. It leaves me with no idea of how the system
would actually _work_. I hope the CPSR FOIA request succeeds so that
we get full details.

---Dan

Newsgroup: sci.crypt
document_id: 15383
From: holthaus@news.weeg.uiowa.edu (James R. Holthaus)
Subject: Re: Fighting the Clipper Initiative

prz@sage.cgd.ucar.edu (Philip Zimmermann) writes:

Philip,
I think your ideas are well taken and constructive.  Thanks for
articulating them in this forum.

>2)  Work the Press.  Talk with your local newspaper's science and
>technology reporter.  Write to your favorite trade rags.  Better yet,
>write some articles yourself for your favorite magazines or
>newspapers.  Explain why the Clipper chip initiative is a bad idea. 
>Remember to tailor it to your audience.  The general public may be
>slow to grasp why it's a bad idea, since it seems so technical and
>arcane and innocent sounding.  Try not to come across as a flaming
>libertarian paranoid extremist, even if you are one. 

As a flaming libertarian paranoid extremist (:-), I'm at a loss for
specific objections that don't sound frighteningly technical.  Any
suggestions?  Perhaps somebody could post a list of these?

>5)  Mobilize opposition in industry.  Companies that will presumably
>develop products that will incorporate the Clipper chip should be
>lobbied against it, from within and from without.  If you work for a
>telecommunications equipment vendor, first enlist the aid of your
>coworkers and fellow engineers against this initiative, and then
>present your company's management with a united front of engineering
>talent against this initiative.  Write persuasive memos to your
>management, with your name and your colleagues' names on it.  Hold
>meetings on it.
 
One way to do this might be to suggest that these companies should be
implementing their own schemes, not being limited to the govt's
scheme.

I find that most of my reasons for opposition to the Clipper scheme
are algorithm insecurity and mistrust of the govt/NSA.  These are hard
to sell in letters to the editor and to nontechnical people.  Any
hints or advice?  Maybe a small FAQ-type thing "Why should I Hate
Clipper" would be a good idea.
-- 
<><><><><><><><><><>James Holthaus  james-holthaus@uiowa.edu<><><><><><><><><>
<   Government is an association of men who do violence to the rest of us.   >
<             -- Leo Tolstoy                                                 >
<><><><><>PGP 2.2 Public key available on request or from key server<><><><><>

Newsgroup: sci.crypt
document_id: 15384
From: finchm@csugrad.cs.vt.edu (Michael Finch)
Subject: Re: Why the clipper algorithm is secret

johnl@iecc.cambridge.ma.us (John R. Levine) writes:
> >The cryptographic protocol, though, is another matter.  I see no valid
> >reasons for keeping it secret, and -- as I hope I've shown above -- there
> It just occurred to me why the algorithm is secret.  If it were
> published, one could then build physically identical clone versions

I recall seeing a post some time ago saying that if the details of
an encryption scheme couldn't be revealed, then the encryption
scheme is worthless.  I believe the statement was in response to
somebody saying that they had some new snazzy scheme, but the
algorithm was a secret.

Does this algorithm depend on the fact that the scheme is secret or
is it for the stated reasons above?


-Mike

Newsgroup: sci.crypt
document_id: 15386
From: steve-b@access.digex.com (Steve Brinich)
Subject: Re: Fighting the Clipper Initiative

 >As a flaming libertarian paranoid extremist (:-), I'm at a loss for
 >specific objections that don't sound frighteningly technical.

  The idea that foisting the Cripple Chip standard on US manufacturers would
result in saying "Sayonara" to yet another high-tech market isn't technical,
isn't in the least difficult to understand, and plays on a concern lots of
people are worried about already....
Newsgroup: sci.crypt
document_id: 15387
From: stan@tacobel.UUCP (stan)
Subject: Re: text of White House announcement and Q&As on clipper chip encryp

brad@clarinet.com (Brad Templeton) writes:
> Let's assume, for the moment, that the system really is secure unless
> you get both halves of the encryption key from the two independent
> escrow houses.  Let's say you even trust the escrow houses -- one is
> the ACLU and the other is the EFF.  (And I'm not entirely joking about
> those two names)
> 
Hi, I'm new to Internet, so this is a bit of a test message, so even a 
token reply would be very appreciated.

Anyways, reading this I'd figure this would be as excellent a method of 
corrupting the ACLU and the EFF as could be wished for.  "Who Guards the 
Guardians?", etc...

Newsgroup: sci.crypt
document_id: 15388
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: Automatic online encryption of data

	From: andersom@spot.Colorado.EDU (Marc Anderson)

	>Also.. how about a box that you plug your phone into, which would allow
	>encrypted voice communications with someone who has a similar box?  
	>(digitizing input speech, transmitting, and decrypting on the other end).  I 
	>don't know how a public-key system could work in this regard, but it might 
	[...]

	heh heh... I posted this just before reading all the Clinton Chip messages..
	I guess they beat me to it..  Anyway, I think it would be a great idea to
	develop such a product, perhaps in the underground, as it would otherwise
	probably become illegal pretty quickly here...

It's really very feasible and shouldn't be too expensive - all that's needed
is a box with a phone jack on one side, a DSP in the middle to do codec
functions of speech->compressed bytestream, and an RS232 on the other side.

You'd plug your phone into it, plug the RS232 into your computer, and have
a good old fashioned normal modem on your other RS232 port.  The CPU in the
middle would do the encryption with a version of pgp modified to work on
a byte stream.

With v32bis or better modems to carry the bytestream, it should work. 
Quality would only be marginally lower than a normal telephone.

At the very highest price, you could use one of those voice-mail compatible
modems to do the digitisation - that puts an upper bound of about $500 on
the cost of such a box.  In practice, you really ought to be able to get
the price well below $100 - I could do it now in software on my cheap&nasty
home RISC box (Acorn Archimedes) with the digitising microphone I bought
for 25 pounds, if I knew how to write good speech compression software
(which I don't).

The reason it won't work of course is that hardly anyone will have one -
the only consumer equipment to have encryption will use the wiretap chip.
Economics, I'm afraid.

However... we can get about 2Kcps throughput on the internet even with
the bottleneck of a v32bis modem.  When we get ISDN for all (ha ha ha)
and the new NREN, it might then be trivial to run compressed speech
over a tcp/ip connection on the Internet.  Perhaps we should start
thinking now of a standard to keep voice on the internet compatible
for everyone, and side-step the clipper stuff and use internet for
all our phone calls in future :-)  [1/2 joking]

G

Newsgroup: sci.crypt
document_id: 15389
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: Clipper chip -- technical details

	The protocol/key-management description published so far is either
	incomplete or incorrect. It leaves me with no idea of how the system
	would actually _work_. I hope the CPSR FOIA request succeeds so that
	we get full details.

Wouldn't it be easier just to ask denning@cs.georgetown.edu? ;-)

G

Newsgroup: sci.crypt
document_id: 15390
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: Corporate acceptance of the wiretap chip

:    Indeed, if NSA really designed the algorithm to be secure, it's very likely
: as secure as IDEA or 2-key DES.  However, the system as a whole isn't resistant
: to "practical cryptanalysis."  In _The Puzzle Palace_, Bamford describes how
: several NSA employees were turned by foreign (presumably KGB) agents, despite
: security measures that I doubt any Big 8 accounting firm could match.  And
: NSA confidential data was *not* subject to being requested by thousands of
: police organizations and courts across the land.

Ah yes, don't anyone mention Ronald William Pelton[*], heh heh heh.  How
embarrassing.

G
[*: NSA, 1964-1979; KGB 1980-1985]

Newsgroup: sci.crypt
document_id: 15391
From: bell@mars.dev.promis.com (Mike Bell)
Subject: Clipper proposal - key length?

Danny Weitzner <djw@eff.org> writes:

>April 16, 1993

>INITIAL EFF ANALYSIS OF CLINTON PRIVACY AND SECURITY PROPOSAL

>DETAILS OF THE PROPOSAL:

>ESCROW

>The 80-bit key will be divided between two escrow agents, each of whom
>hold 40-bits of each key.  The manufacturer of the communications device
>would be required to register all keys with the two independent escrow
>agents.  A key is tied to the device, however, not the person using it.

So if we subvert one of the two escrow agents, we only have a 40-bit
space to search through...

2^40 doesn't sound that big - is digital telephony subject to a known
plaintext attack?

In which case half the key seems to be all that is needed, and the two
agent escrow arrangement is pointless. 

Of course, the unknown algorithm might turn gaps in speech into 
pseudo-random sequences, or there might be some magic involved, or...
-- 
-- Mike -- <bell@promis.com>

Newsgroup: sci.crypt
document_id: 15392
From: rlward1@afterlife.ncsc.mil (Robert Ward)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

In article <bontchev.734981805@fbihh> bontchev@fbihh.informatik.uni-hamburg.de writes:
>and since the US constitutions guarantees the right to every American
>to bear arms, why is not every American entitled, as a matter of

Have you read the applicable part of the Constitution and interpreted it IN 
CONTEXT?  If not, please do so before posting this misinterpretation again.
It refers to the right of the people to organize a militia, not for individuals 
to carry handguns, grenades, and assault rifles.  

Robert L. Ward


Newsgroup: sci.crypt
document_id: 15393
From: lewis@eecg.toronto.edu (david lewis)
Subject: Off the shelf cheap DES keyseach machine (Was: Re: Corporate acceptance of the wiretap chip)

In article <16BB51156.C445585@mizzou1.missouri.edu> C445585@mizzou1.missouri.edu (John Kelsey) writes:
> 
>strnlght@netcom.com (David Sternlight) writes:
>>
[..stuff deleted]
>existence of the key-registry system seems to make possible all kinds of
>possible attacks at a small fraction of the expense of trying to build (say)
>a DES keysearch machine.
> 
>   As originally described, it sounded like any police / court combination
>could acquire the key for a given chip.  I hope that's not the case, since
>it would imply a glaring hole.  (How much does it cost to find *one* crooked
>judge and *one* crooked cop?  Especially for a foreign intelligence agency
>or organized crime boss?)  However, even if more intelligent schemes are used
>to allow access to the unencrypted phone conversations, there will be
>weaknesses.  They may be very expensive, and very difficult.  But who would
>trust his/her confidential information to an encryption scheme that, for
>(say) $100,000 could be cracked one time in a hundred?  (DES, for all the
>complaints about a 56-bit key, would probably cost several million dollars
>to build a keysearch machine for.)
> 

I can buy a DES keysearch machine off the shelf now for approx $500K, but
it is not sold by that name. Go buy a circuit emulation machine (eg. Quickturn)
containing a bunch of FPGAs, (say 500 to 1000 3090's), and program each
to be a DES search engine. Let's say 500 chips, running at 10 MHz = 5G tests/sec.
Time is 14e6 sec max = 23 weeks, 12 weeks average. Can't wait that long?
Buy a bigger machine.


David Lewis
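
The arithmetic behind Mike Bell's 2^40 question and David Lewis's keysearch estimate above, as an added worked example that is not from any poster in this thread: the 500-chip, 10 MHz search machine is Lewis's figure, the 80-bit key split into two 40-bit escrowed halves is from the EFF summary Bell quotes, and the function and parameter names are my own. It only counts trial decryptions; it does not model the unpublished Clipper cipher itself.

```python
"""Brute-force effort arithmetic for the key sizes discussed in this thread.

Added example (not from the thread). Assumes a known-plaintext or other
cheap test exists to recognise the right key, which is exactly the
question Mike Bell raises about digital telephony.
"""
from dataclasses import dataclass

SECONDS_PER_WEEK = 7 * 24 * 3600
SECONDS_PER_YEAR = 365.25 * 24 * 3600


@dataclass(frozen=True)
class KeysearchMachine:
    """A bank of identical search engines, each testing keys at a fixed rate."""
    chips: int
    tests_per_second_per_chip: float

    @property
    def tests_per_second(self) -> float:
        return self.chips * self.tests_per_second_per_chip


def keyspace(bits: int) -> int:
    """Number of candidate keys for a key of the given length."""
    return 1 << bits


def search_seconds(machine: KeysearchMachine, unknown_bits: int):
    """(worst case, average) seconds to exhaust the unknown bits of a key.

    The average assumes the key is uniformly random, so on average half
    the space is searched before the key is found.
    """
    worst = keyspace(unknown_bits) / machine.tests_per_second
    return worst, worst / 2


def escrow_split_effort(machine: KeysearchMachine, key_bits: int = 80,
                        halves: int = 2, halves_obtained: int = 1):
    """Remaining search effort when some escrowed pieces have been obtained.

    Assumes the key is split into equal, independent pieces (as the EFF
    summary describes: two agents, 40 bits each), so every piece obtained
    removes key_bits/halves bits from the search and nothing more.
    """
    if not 0 <= halves_obtained <= halves:
        raise ValueError("halves_obtained out of range")
    unknown = key_bits - (key_bits // halves) * halves_obtained
    return search_seconds(machine, unknown)


def describe(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    units = (("year", SECONDS_PER_YEAR), ("week", SECONDS_PER_WEEK),
             ("day", 86400), ("hour", 3600), ("minute", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}s"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    # David Lewis's machine: 500 FPGAs at 10 MHz = 5e9 tests/sec.
    machine = KeysearchMachine(chips=500, tests_per_second_per_chip=10e6)
    worst, avg = search_seconds(machine, 56)
    print(f"DES (56-bit): worst {describe(worst)}, average {describe(avg)}")
    for got in (0, 1, 2):
        worst, avg = escrow_split_effort(machine, halves_obtained=got)
        print(f"80-bit key, {got} of 2 escrowed halves obtained: "
              f"worst {describe(worst)}, average {describe(avg)}")
```

With one escrow agent's half in hand, the same machine that needs months for DES exhausts the remaining 2^40 space in under four minutes, which is why the split itself, not the 80-bit length, sets the security of the escrow arrangement.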

Newsgroup: sci.crypt
document_id: 15394
From: jdailey@asic.sc.ti.com (Jim Dailey)
Subject: Re: Once tapped, your code is no good any

>amolitor@nmsu.edu (Andrew Molitor) writes:
>>	Not to pick on Mr. May in particular, of course, but isn't this
>>kind of the domino theory? When one little country falls, its neighbor
>>will surely follow, and before you know it, we're all mining salt
>>in Siberia for not turning in our Captain Crunch Secret Decoder Rings.

There was an interesting column on the editorial page of the Dallas
Morning News on Saturday by Walter Williams, who I believe is a
professor at Georgetown (I wonder if he knows of Dorothy "you're not in
Kansas anymore" Denning).  The article was titled "Government slowly
eroding our liberties", and in it he tells a story attributed to the
late Leonard Read who

        explained that if you wanted to take liberty away from
        Americans, you had to know how to cook a frog.  Mr. Read
        said you can't cook a frog by boiling a pot of water and
        then throwing the frog in.  His reflexes are so quick that
        as soon as his feet touch the water, he will leap away.
        You must put the frog in a pot of cold water and heat it
        up bit by bit.  By the time the frog realizes he's being
        cooked, it is too late.  It is the same with Americans.
        If anyone tried to take our freedoms all at once, we
        would naturally rebel and suppress the tyrant.  But as
        with successful frog cooking, our liberties can be taken
        a little bit at a time.

The last line of the article says, "It's not too late for us, but the
water is getting pretty warm."  I'd have to agree that it's warm and the
Clipper is keeping the temperature on an upward course.

NOTE: followups redirected to alt.privacy.clipper

---
Jim  jdailey@asic.sc.ti.com
   TI pays absolutely no attention to me or my opinions; therefore,
   the foregoing information cannot possibly represent TI's viewpoint.

Newsgroup: sci.crypt
document_id: 15395
From: prm@ecn.purdue.edu (Philip R. Moyer)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

In article <1993Apr17.032022.14021@clarinet.com>, brad@clarinet.com (Brad Templeton) writes:
|>
|> Let's assume, for the moment, that the system really is secure unless
|> you get both halves of the encryption key from the two independent
|> escrow houses.  Let's say you even trust the escrow houses -- one is
|> the ACLU and the other is the EFF.  (And I'm not entirely joking about
|> those two names)
|> 
|> In that case the Prince of Wales has nothing to worry about on this
|> system.

I must respectfully disagree with this assertion, Brad.  The government is
notoriously sloppy with physical, communications, and information security.  They
can't keep their computers safe, and they're "trying".  Read "DEA is
Not Adequately Protecting National Security Information" [GAO/IMTEC 92-31] for an
excellent example of what I'm talking about.

Private sector organizations tend to be even more lax in their security measures.
I believe that the escrow organizations will be penetrated by foreign
intelligence services within months, if not weeks, of their selection.  Private
organizations that lack the resources of a full-fledged intelligence service will
take longer - perhaps on the order of one to two years.  Nonetheless, the
penetrations will take place, without question.

Philip R. Moyer						     ECN Software Staff
Engineering Computer Network				    Voice: 317-494-3648
prm@ecn.purdue.edu					    Fax:   317-494-6440

Newsgroup: sci.crypt
document_id: 15396
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: An Open Letter to Mr. Clinton

strnlght@netcom.com (David Sternlight) writes:

> Here's a simple way to convert the Clipper proposal to an unexceptionable
> one: Make it voluntary.

As usual, you are not reading. The proposal -does- say that it is a
"voluntary program". This doesn't make it more desirable, though...

> That is--you get high quality secure NSA classified technology if you agree
> to escrow your key. Otherwise you are on your own.

"Secure"? How do you know? Because NSA is trying to make you believe it?
"Trust us." Yeah, right.

"Otherwise you are on your own"? How do you know that tomorrow they
will not outlaw encrypting devices that don't use "their" technology?
Because they are promising you? Gee, they are not doing even that -
read the proposal again.

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

Newsgroup: sci.crypt
document_id: 15397
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Once tapped, your code is no good any more.

strnlght@netcom.com (David Sternlight) writes:

> What follows is my opinion. It is not asserted to be "the truth" so no
> flames, please. 

It is incompetent, like almost anything you have posted here, so
you'll be flamed, sorry.

> It comes out of a background of 20 years as a senior
> corporate staff executive in two Fortune 50 companies.

%/$( your "20 years of background in two Fortune 50 companies"; I've
lived 30 years under a totalitarian regime, and boy, I *can* recognize
a totalitarian plot when I see one...

> I'd be happy to use a crypto system supplied by the NSA for business, if
> they told me it was more secure than DES, and in particular resistant to

I am sure that -you- would be happy to use anything "they" tell you is
secure; we're talking about the intelligent people here... Or the
criminal ones, if you don't like the previous sentence... :-) Or those
who don't want their privacy to be guaranteed to be invadable by the
government - any current and future government, mind you...

> I'd be happy to do so even with escrowed keys, provided I was happy about
> the bona fides of the escrow agencies (the Federal Reserve would certainly
> satisfy me, as would something set up by one of the big 8 accounting firms).

Even if you ignore the nonsense of the above statement for a moment,
and even if you are happy with such system and the current escrow
agencies NOW, what guarantees that you'll be happy with them TOMORROW,
when the government changes? Or when the current government throws
away the sheep skin? All the sheep who are reasoning like you will get
caught by surprise, but it will be too late, because then cryptography
that is not guaranteed to be breakable by the government will already
have been outlawed... After all, you've already got privacy that is
said to be breakable only by the law enforcement agencies, so if you
are law-abiding, you have no reasons to use a stronger one, right? So,
if you are using a stronger one, you have something to hide from the
law enforcement agencies, right? Something unlawful, right? Therefore,
strong crypto is a clear indication that you are doing something
unlawful.

> I'd trust the NSA or the President if they stated there were no trap

Considering the level of competence in cryptology that you have
demonstrated in your messages, you would trust just anything... And
no, this is not an ad hominem attack; it's an attack against the
contents of your messages <grin>.

> doors--I'd be even happier if a committee of independent experts examined
> the thing under seal of secrecy and reported back that it was secure.

And how do you know that these experts are not corrupted? And how do
you know that they will not make a mistake? And how do you know that
the version of the algorithm they will be let to examine is the same
as the one that will be really used?

Regarding the mistake - even the few information "they" have let out
has revealed a serious security hole in the protocol - the 80-bit key
is split in two 40-bit ones, thus the whole system is easily
breakable, if you have only one of the keys.

> I'd trust something from the NSA long before I'd trust something from some
> Swiss or anybody Japanese.

The Swiss or the Japanese are motivated by simple greed; NSA is
motivated by their wish to control the people. That's why the drug
dealers have their accounts in Swiss banks, instead of in American
ones. For some reason, they do trust the Swiss banks more... Guess
they'll trust the Swiss encryption more too... I see IDEA becoming
suddenly popular... :-)

> This may seem surprising to some here, but I suggest most corporations would
> feel the same way. Most/many/some (pick one) corporations have an attitude
> that the NSA is part of our government and "we support our government", as
> one very famous CEO put it to me one day.

It's not surprising at all, but not because of the reason you give.
It's because it is obvious that the US government has put a lot of
money behind this program and it will support it. Thus, most
corporations will try to get their piece from the pie by supporting it
too. The same good old greed. Strong encryption is not widely
available now not because of some plot, but because the companies
don't see much money in it. It will be available even less, if the
companies can see any penalties associated with it...

> Just some perspective from another point of view.

Yeah, just as I predicted, you are here again, to support the new
system.

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

Newsgroup: sci.crypt
document_id: 15398
From: ricktait@bnr.co.uk (Rick Tait)
Subject: Re: What the clipper nay-sayers sound like to me.

Nathaniel Sammons (ns111310@LANCE.ColoState.Edu) wrote on Mon, 19 Apr 1993 02:36:36 GMT: 
> If the gov establishes a cryptography standard that has to be used by
> everyone, and everyone's personal key is divided into two segments
> and stored at two separate, albeit easy to find places, and that key is
> only 80 bits to begin with, we are screwed (pardon the allusion to the 
> aforementioned article)!

> The gov, I believe, as do many others probably already have the cracking chips
> for this Clipper Chip made.  Hell, they probably based the encoder on the 
> chip that cracks it, that way it's easier to break the code, but since it is a 
> classified algorithm, no one knows that they can crack it so easily.

Agreed. No agency such as the NSA (or whoever) would approve the public 
release of a crypto-system, if they didn't already have the technical
means or the know-how to decrypt everything at their whim. Surely the whole
point of all this madness is to make Joe Public think that his/her
communications will be kept safe, while James Bond at the NSA can, if need
be, have full, decrypted access to someone's communications? That'll be
quite a heist, if they can pull it off. 


I thought that the US Government were going to release the algorithm to a
panel of "carefully chosen experts", who would then "study it deeply, and
report their findings"? Exactly who will these people be? Academics? Or
Government-sponsored researchers? Tiny-toons?

> I, for one, and quite scared of this kind of thing, and plan to support 
> organizations (and even disorganizations) who are fighting against this
> Clipper Chip in any way that I can.

I can only hope that the same sort of thing doesn't start filtering over
into the ears of the UK Government, and if the European Parliament gets
wind of it, well, we can kiss goodbye to any form of Democracy in Europe 
at all.

> I do not want the government to be able to have access, even with a search
> warrant, to my keys... and I don't want those keys to be only 80 bits long
> to begin with!

Hallelujah! :-)
--
Rick M. Tait                                Bell Northern Research Europe
Tel: +44-81-945-3352, Fax: +44-81-945-3352     Network Management Systems
<PGP 2.2 public key available on request>       New Southgate, London. UK
email: ricktait@bnr.co.uk  || rt@cix.compulink.co.uk  ||  ricktait@bnr.ca

Newsgroup: sci.crypt
document_id: 15399
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

strnlght@netcom.com (David Sternlight) writes:

> Though some may argue about the nose of the camel, it's worth noting that
> the government proposal is limited to scrambled telephony. If it is only
> used for that purpose, and does not extend to electronic mail or file

As usual, David Sternlight is demonstrating his inability to read. The
proposal clearly states:

=> The initiative will involve the creation of new products to
=> accelerate the development and use of advanced and secure
=> telecommunications networks and wireless communications links.

It speaks about telecommunications in general. Read it again, David.
Maybe you'll understand it the next time... Nah, probably not.

> encryption, then it IS an improvement over the current mass-produced
> standard civilian technology which, with a few exceptions, is limited to
> easy-to-break inverters.

That's exactly what the government wants all sheep-minded people to
think. Let's look at the current situation. It allows almost
anybody to eavesdrop on almost everybody, unless secure (and I mean
secure) encryption is used. What will happen when ("if"? Ha!
optimists...) the new proposal gets accepted? Almost nobody EXCEPT
SOME will be able to eavesdrop everybody else, but the ability of
these "some" to eavesdrop will be guaranteed! The proposal emphasizes
on the former ("almost nobody") - which is clearly an improvement -
and "forgets" to mention the drawbacks of the latter ("guaranteed").
Yes, my statement assumes that the next step will be to make the
strong crypto unlawful. You think that it will not happen? Good luck.

> Note that the big issue for the feds is the continued ability to wiretap.

It's not just "continued ability". It's -guaranteed- ability.

> Before we go off the deep end with long discusions about secure crypto for
> e-mail and files, let's focus on this.

Yeah, that's exactly what your government wants you to think. Let's
take small steps, one at a time. Concentrate on the current one, don't
think about the future. Trust us.

> One question that was not asked in the release is whether this proposal is
> limited to telephony, or if the government intends to expand it.

It's not asked because the proposal clearly says that this is the
intention. They, unlike you, read what they write.

> Though I share many of the concerns expressed by some, I find the proposal
> less threatening than many others, since right now most Americans have no
> secure telephony, and any jerk with a pair of clip leads and a "goat" can
> eavesdrop. This would also plug up the security hole in cellular and
> cordless phones.

Yes, it will. It will stop the jerk who is eavesdropping now. It will
allow only to the government to eavesdrop. (If the scheme is secure,
of course, which is yet to be proven.) But how do you know that the
jerk you are fearing now will not get a government job tomorrow? The
new proposal -guarantees- him the ability to eavesdrop then. Hell,
that will even motivate him to get that job - if he indeed is that
mentally pervert...

> Reading between the lines, I infer that the system is highly secure
> without access to the keys.

Great. The Greatest Cryptographer of All Times David Sternlight (tm)
has succeeded to evaluate the new system in the absence of any
details whatsoever and has concluded that it is "highly secure". I
guess, that comes from the background of working some 50 years for the
two major crypto evaluating companies, right? Gee, now the government
can save all that money and trouble to ask a secret council of crypto
experts to secretly analyse the new secret method - for David
Sternlight has already done all the job for them...

> This would meet the needs of U.S. businesses
> confronted by rich and powerful adversaries, including French and Japanese
> security services and rich Japanese companies. It allows the NSA to make
> available some of its better stuff while protecting law enforcement needs.

"Trust us, we're from the Government and we're here to help you."

> Most legitimate U.S. corporations trust the NSA, and would be delighted to
> have a high-security system certified by them, even at the price of
> depositing keys in escrow. I see no difficulty in creating a reliable

"Those who are prepared to trade their liberties for the promises of
future safety, do not deserve either." This (or something like that; I
don't have the exact quote, but the meaning is the same) has been said
by one of your great men. Maybe you should study their works more
carefully, if you have the brains to understand them, of course.

> From my point of view this is a fair starting point. There are concerns that
> need to be addressed, including the reliability of the escrows. But in

The main question is to guarantee the availability of -really- secure
cryptography to the masses. Gee, if the proposal was saying "we
guarantee that every American will still have the full right to use
any kind of encryption s/he would like and regard this proposal as
just a default, voluntary implementation", there would have been much
less opposition... For some reason, they didn't even try to promise
you that. I wonder why... Was Orwell off only by 10 years?

> return we get access to high-security crypto.

No, in return you get crypto that is guaranteed to be crippled.

> Many have suggested that DES
> and other systems may be breakable by the NSA and hence others similarly
> skilled and endowed.

While the above is just rumors, and while even if it is true, it is
not done -easily-, the new scheme is guaranteed to be easily
breakable by anybody who has the two keys. It might be also breakable
by somebody who does not have them but knows the right trick. Or who
has only one of them. NSA also told you that DES is secure, why don't
you simply trust them, huh?

> There is at least a good possibility (which should be
> checked) that the proposed system is not so breakable. It doesn't have to

It is -guaranteed- to be -easily- breakable - just get the keys. It
might be even easier, but until there is some evidence, this is just a
wild speculation.

> be, nor does it have to have trapdoors, if the government can get the keys

The trapdoors -are- there. In government's hands. The keys.

> pursuant to a legitimate court order. Thus they can protect legitimate
> communications against economic adversaries, while still being able to
> eavesdrop on crooks pursuant to a court order.

Legitimate? And who decides what communications are legitimate? Oh, I
guess, it's the government, right? The guys who already have the keys?
It's kinda if I have the keys from your car and I am asked to decide
who has the right to use it "legitimately"...

> In discussing this, let's try to avoid the nastiness, personal attacks and
> noise of some previous threads.

Impossible, since you are demonstrating the same level of incompetence
and ignorance as in the previous threads.

> This is a substantive and technical issue,
> and personal remarks have no place in such a discussion.

Unfortunately, I have yet to see you posting a technically competent
message.

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

Newsgroup: sci.crypt
document_id: 15400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

strnlght@netcom.com (David Sternlight) writes:

> Nothing I'm doing would be of the slightest interest to President Nixon.

A typical example of sheep-minded thinking. We all know that David
Sternlight is a jerk, but I'm afraid that in this case 90% of the
population will think like him. Realize it guys - NSA, Dorothy
Denning, and the US government have already won the battle...

Unless... unless you succeed in waking up the people... but nah, that's
too unlikely... The events are happening too fast, cryptography is a
too sophisticated issue, and almost nobody cares anyway... A few
thousand of net.readers won't make the difference, if millions are
caught asleep... Too sad... :-(((((

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

Newsgroup: sci.crypt
document_id: 15401
From: smb@research.att.com (Steven Bellovin)
Subject: More technical details

Here are some corrections and additions to Hellman's note, courtesy of
Dorothy Denning.  Again, this is reposted with permission.

Two requests -- first, note the roles of S1 and S2.  It appears to me
and others that anyone who knows those values can construct the unit
key.  And the nature of the generation process for K1 and K2 is such
that neither can be produced alone.  Thus, the scheme cannot be
implemented such that one repository generates the first half-key, and
another generates the second.  *That* is ominous.

Second -- these postings are not revealed scripture, nor are they
carefully-crafted spook postings.  Don't attempt to draw out hidden
meanings (as opposed to, say, the official announcements of Clipper).
Leave Denning out of this; given Hellman's record of opposition to DES,
which goes back before some folks on this newsgroup knew how to read, I
don't think you can impugn his integrity.

Oh yeah -- the folks who invented Clipper aren't stupid.  If you think
something doesn't make sense, it's almost certainly because you don't
understand their goals.

		--Steve Bellovin

-----

Date: Sun, 18 Apr 93 07:56:39 EDT
From: denning@cs.georgetown.edu (Dorothy Denning)
Subject: Re:  Clipper Chip
To: (a long list of folks)

I was also briefed by the NSA and FBI, so let me add a few comments to
Marty's message:

        The Clipper Chip will have a secret crypto algorithm embedded in 

The algorithm operates on 64-bit blocks (like DES) and the chip supports
all 4 DES modes of operation.  The algorithm uses 32 rounds of scrambling
compared with 16 in DES.

	In addition to the system key, each user will get to choose his 
	or her own key and change it as often as desired. Call this key 
	plain old K. When a message is to be sent it will first be 

K is the session key shared by the sender and receiver.  Any method
(e.g., public key) can be used to establish the session key.  In the
AT&T telephone security devices, which will have the new chip, the key
is negotiated using a public-key protocol.
 
	encrypted under K, then K will be encrypted under the unit key UK, 
	and the serial number of the unit added to produce a three part 
	message which will then be encrypted under the system key SK 
	producing

	     E{ E[M; K], E[K; UK], serial number;  SK}

My understanding is that E[M; K] is not encrypted under SK (called the
"family key") and that the decrypt key corresponding to SK is held by
law enforcement.  Does anyone have first hand knowledge on this?  I
will also check it out, but this is 7am Sunday so I did not want to wait.

        The unit key 
	will be generated as the XOR of two 80-bit random numbers K1 
	and K2 (UK=K1+K2) which will be kept by the two escrow 

The unit key, also called the "chip key," is generated from the
serial number N as follows.  Let N1, N2, and N3 be 64 bit blocks
derived from N, and let S1 and S2 be two 80-bit seeds used as keys.
Compute the 64-bit block 

        R1 = E[D[E[N1; S1]; S2]; S1] 

(Note that this is like using the DES in triple encryption mode with
two keys.)  Similarly compute blocks R2 and R3 starting with N2 and N3.
(I'm unclear about whether the keys S1 and S2 change.  The fact that
they're called seeds suggests they might.)  Then R1, R2, and R3 are
concatenated together giving 192 bits.  The first 80 bits form K1 and
the next 80 bits form K2.  The remaining bits are discarded.

	authorities. Who these escrow authorities will be is still to be 
	decided by the Attorney General, but it was stressed to me that 
	they will NOT be NSA or law enforcement agencies, that they 
	must be parties acceptable to the users of the system as unbiased. 

Marty is right on this and the FBI has asked me for suggestions.
Please pass them to me along with your reasons.  In addition to Marty's
criteria, I would add that the agencies must have an established record
of being able to safeguard highly sensitive information.  Some suggestions
I've received so far include SRI, Rand, Mitre, the national labs (Sandia,
LANL, Los Alamos), Treasury, GAO.

	When a court order obtains K1 and K2, and thence K, the law 
	enforcement agency will use SK to decrypt all information 
	flowing on the suspected link [Aside: It is my guess that 
	they may do this constantly on all links, with or without a 
	court order, since it is almost impossible to tell which links 
	over which a message will flow.] 

My understanding is that there will be only one decode box and that it
will be operated by the FBI.  The service provider will isolate the
communications stream and pass it to the FBI where it will pass through
the decode box, which will have been keyed with K.

	for "the wiretap authorizations." When Levi asked for
	the details so he could review the cases as required by
	law, the agent told him that his predecessors just turned
	over 40-50 blank, signed forms every time. Levi did not
        comply and changed the system, but the lesson is clear: 
        No single person or authority should have the power to
        authorize wiretaps

No single person does, at least for FBI taps.  After completing a mound
of paperwork, an agent must get the approval of several people on a chain
that includes FBI legal counsel before the request is even taken to the
Attorney General for final approval.

Dorothy Denning
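
The unit-key generation and escrow split in Dorothy Denning's message above, as an added worked example that is not part of the thread and not the Clipper programme's own code. Skipjack was classified when this was written, so an 8-round Feistel toy cipher on 64-bit blocks stands in for E[.; key] and D[.; key]; how N1, N2, N3 are derived from the serial number, the 80-bit length of the session key K, and wrapping K under UK as two CBC blocks with a zero IV are assumptions, marked as such in the code. The point it makes concrete is the one Bellovin raises: K1 and K2 are both slices of one computation over S1 and S2, so whoever holds both seeds recomputes UK for any serial number without asking either escrow agent, while a single half on its own unwraps nothing.

```python
"""Worked example of the Clipper unit-key escrow split as described by Denning.

Added illustration, not code from the thread or the Clipper programme.  A toy
Feistel cipher stands in for Skipjack's E/D.  Assumptions beyond the text:
derivation of N1..N3 from N, an 80-bit session key K, and E[K; UK] realised as
two CBC blocks with a zero IV.
"""
import hashlib
import struct

ROUNDS = 8
SEED_BYTES = 10          # S1, S2, K1, K2 and UK are all 80 bits per the description


def _subkey(key: bytes, rnd: int) -> int:
    # Toy key schedule: 32-bit round subkey = SHA-256(key || round)[:4].
    return int.from_bytes(hashlib.sha256(key + bytes([rnd])).digest()[:4], "big")


def _f(half: int, subkey: int) -> int:
    # Toy round function mixing one 32-bit half with the round subkey.
    return int.from_bytes(hashlib.sha256(struct.pack(">II", half, subkey)).digest()[:4], "big")


def _feistel(block: bytes, subkeys) -> bytes:
    left, right = struct.unpack(">II", block)
    for k in subkeys:
        left, right = right, left ^ _f(right, k)
    return struct.pack(">II", right, left)   # undo the last swap so D mirrors E


def E(block: bytes, key: bytes) -> bytes:
    """Stand-in for E[block; key] on one 64-bit block (NOT Skipjack)."""
    return _feistel(block, [_subkey(key, r) for r in range(ROUNDS)])


def D(block: bytes, key: bytes) -> bytes:
    """Stand-in for D[block; key]: the same network with subkeys reversed."""
    return _feistel(block, [_subkey(key, r) for r in reversed(range(ROUNDS))])


def serial_blocks(serial: int):
    """N1, N2, N3: 64-bit blocks 'derived from N'.  The thread does not say how;
    here (assumption) block i is the 32-bit serial followed by the index i."""
    return [struct.pack(">II", serial, i) for i in (1, 2, 3)]


def escrow_halves(serial: int, s1: bytes, s2: bytes):
    """K1, K2 per Denning: R_i = E[D[E[N_i; S1]; S2]; S1] for i = 1..3,
    R1||R2||R3 = 192 bits, K1 = first 80 bits, K2 = next 80, rest discarded."""
    r = b"".join(E(D(E(n, s1), s2), s1) for n in serial_blocks(serial))
    return r[:SEED_BYTES], r[SEED_BYTES:2 * SEED_BYTES]


def unit_key(k1: bytes, k2: bytes) -> bytes:
    """UK = K1 XOR K2: what law enforcement reconstructs once it holds both halves."""
    return bytes(a ^ b for a, b in zip(k1, k2))


def unit_key_from_seeds(serial: int, s1: bytes, s2: bytes) -> bytes:
    """Bellovin's point: whoever holds S1 and S2 needs no escrow agent at all."""
    return unit_key(*escrow_halves(serial, s1, s2))


def wrap_session_key(k: bytes, uk: bytes) -> bytes:
    """E[K; UK] for an 80-bit K: pad to 16 bytes, two CBC blocks, zero IV (assumption)."""
    padded = k + b"\x00" * (16 - len(k))
    prev, out = b"\x00" * 8, b""
    for i in range(0, 16, 8):
        prev = E(bytes(a ^ b for a, b in zip(padded[i:i + 8], prev)), uk)
        out += prev
    return out


def unwrap_session_key(wrapped: bytes, uk: bytes) -> bytes:
    """Inverse of wrap_session_key; returns the 80-bit K."""
    prev, out = b"\x00" * 8, b""
    for i in range(0, 16, 8):
        out += bytes(a ^ b for a, b in zip(D(wrapped[i:i + 8], uk), prev))
        prev = wrapped[i:i + 8]
    return out[:SEED_BYTES]


if __name__ == "__main__":
    # Constructed values: two seeds supplied by two different people, one chip serial.
    S1 = bytes.fromhex("00112233445566778899")
    S2 = bytes.fromhex("ffeeddccbbaa99887766")
    N = 0x00001234
    K1, K2 = escrow_halves(N, S1, S2)            # one half goes to each escrow agent
    UK = unit_key(K1, K2)                        # what the chip itself is programmed with
    K = bytes.fromhex("0badc0ffee0badc0ffee")    # an 80-bit session key (constructed)
    leaf_field = wrap_session_key(K, UK)         # the E[K; UK] field sent alongside E[M; K]
    assert unwrap_session_key(leaf_field, unit_key(K1, K2)) == K   # court order: both halves
    assert unit_key_from_seeds(N, S1, S2) == UK                    # or simply the two seeds
    print("UK:", UK.hex(), "recovered K:", unwrap_session_key(leaf_field, UK).hex())
```

Run it as a script to see UK and the recovered session key; note that `unit_key_from_seeds` never touches K1 or K2, which is why the follow-up in this thread about S1 and S2 being fixed for a whole programming session matters as much as who the escrow agents are.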

Newsgroup: sci.crypt
document_id: 15402
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: WH proposal from Police point of view

strnlght@netcom.com (David Sternlight) writes:

> dwight tuinstra posts a very interesting message in which he comments on the
> effects of the Clipper chip on state and local police. Actually, reading
> between the lines, it could be a very good thing for civil liberties in one
> respect, since it will at least prevent cowboy cops and cowboy state and
> local agencies from reading your traffic if they tap it illegally.

Instead of reading between the lines, try to think a little bit. OK,
if that's way too difficult for you, here are some hints.

Indeed, the new proposal imposes some additional bureaucratic burden on
the local police, if they badly want to tape the magic cookie recipe
that your mom is telling you on the phone. So, guess what they will
do? Propose that the new technology is removed? Or implement some
"facilitations"? Of course, you won't want to wait until they get the
approval from two different agencies to decrypt the conversation
between two child molesters, because meanwhile those two child
molesters might be conspiring about molesting your child, right? So,
there should be some way for them to get access to those keys
-quickly-, right? Like, they could have a copy of the database, and
worry about a warrant later...

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

Newsgroup: sci.crypt
document_id: 15403
From: grady@netcom.com (1016/2EF221)
Subject: Re: powerful "similarity" too

I've been asked to supply more specific directions
for automated fetching of the source and documentation
for "agrep," the powerful similarity pattern matching tool.

It is at

cs.arizona.edu
192.12.69.5

in directory

/agrep/README
/agrep/agrep-2.04.tar.Z
/agrep/agrep.ps.1.Z
/agrep/agrep.ps.2.Z

(The .ps suffixed files are the optional postscript docs; 
a reasonably good research report with benchmarks is
included.)

Note for Macintosh MPW users: after a few hours of drudgery,
I ported the tool to MPW 3.2.3 running under System 7.1.
If you would like me to e-mail a binhexed copy of the tool
suitable for dropping in to your MPW/tools folder, please write...

Other than the more purely cryptographic uses for the tool
I've been having lots of fun picking up the "lost"
references to things I'm interested in. For example,
starting a search like:

agrep -1 -i 'Burning Chrome' cyberpunkspool 

immediately finds references like 'burning crome' that I
have always missed before.  See how many times John
Gilmore's name is mentioned in the CUD archives
(and how often misspelled).  How about _your_ name?

As usual, I will e-mail the uuencoded tar.Z upon request
if you cannot do anonymous FTP.


-- 
grady@netcom.com  2EF221 / 15 E2 AD D3 D1 C6 F3 FC  58 AC F7 3D 4F 01 1E 2F


Newsgroup: sci.crypt
document_id: 15404
From: aj@sage.cc.purdue.edu (John Dormer)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

  Misinterpretation, though it should be a crime in itself, is what
United States lawyers use to make their bread and butter.

  In Manchester, CT a few years ago, a small company wanted to run a
game system called "LaserGames," similar in many aspects to Photon
(tm). Three lawyers and about a hundred citizens found an ancient law
in Manchester's books which clearly from context was designed to
prohibit travelling carnivals by enumerating the features of a carnival
which they felt at the time made the prohibition obvious. Among these
things was "shooting galleries," which is what the lawyers for the
opposition to LaserGames wanted to harp upon. The judge took the two
words from this law, completely out of context, and ruled that
LaserGames could not operate in Manchester.

  Keep in mind that most travelling carnivals use projectile weapons in
their shooting galleries, and not light beams. Clearly from context,
LaserGames got shafted, but if the two words are applied, their denial
of operating permission was justified.

  If I had the text of the law I'd post it, but I'm afraid I don't
remember it all well enough to even try. That little bit with the two
words stuck well, though.

:	John Dormer
:	jad@expert.cc.purdue.edu


Newsgroup: sci.crypt
document_id: 15405
From: brands@cwi.nl (Stefan Brands)
Subject: * REPORT ON PRIVACY-PROTECTING OFF-LINE CASH AVAILABLE *

I recently published a new privacy-protecting off-line electronic cash
system as a technical report at CWI. I am a PhD student in David
Chaum's cryptography group, which has a long history of research in
the field of privacy-protecting cash systems.

The report is called CS-R9323.ps.Z, contains 77 pages, and can be
retrieved from

ftp.cwi.nl   (192.16.184.180)

from the directory pub/CWIreports/AA.
The postscript-file is suitable for 300dpi laserprinters.

====================================================================
ABSTRACT (from coverpage): We present a new off-line electronic cash
system based on a problem, called the representation problem, of which
little use has been made in literature thus far. Our system is the
first to be based entirely on discrete logarithms.  Using the
representation problem as a basic concept, some techniques are
introduced that enable us to construct protocols for withdrawal and
payment that do not use the cut and choose methodology of earlier
systems. As a consequence, our cash system is much more efficient in
both computation and communication complexity than any such system
proposed previously.
  
Another important aspect of our system concerns its provability.
Contrary to previously proposed systems, its correctness can be
mathematically proven to a very great extent. Specifically, if we
make one plausible assumption concerning a single hash-function, the
ability to break the system seems to imply that one can break the
Diffie-Hellman problem. 
  
Our system offers a number of extensions that are hard to achieve in
previously known systems. In our opinion the most interesting of these
is that the entire cash system (including all the extensions) can be
incorporated in a setting based on wallets with observers, which has
the important advantage that double-spending can be prevented in the
first place, rather than detecting the identity of a double-spender
after the fact. In particular, it can be incorporated even under the
most stringent requirements conceivable about the privacy of the user,
which seems to be impossible to do with previously proposed systems.
Another benefit of our system is that framing attempts by a bank have
negligible probability of success (independent of computing power) by
a simple mechanism from within the system, which is something that
previous solutions lack entirely. Furthermore, the basic cash system
can be extended to checks, multi-show cash and divisibility, while
retaining its computational efficiency.
====================================================================

Cryptographers are challenged to try to break this system!  

I made a particular effort to keep the report as self-contained as
possible.  Nevertheless, if you have any questions, please e-mail to
me and I will try to reply as well as I can. Any comments are also
welcome!

Stefan Brands, 
--------------------------------------------------------
CWI, Kruislaan 413, 1098 SJ Amsterdam, The Netherlands 
Tel: +31 20 5924103, e-mail: brands@cwi.nl  

Newsgroup: sci.crypt
document_id: 15406
From: habs@panix.com (Harry Shapiro)
Subject: Re: The source of that announcement

In <MARC.93Apr18174241@oliver.mit.edu> marc@mit.edu (Marc Horowitz
N1NZU) writes:

>I received mail from Mitch Kapor saying that he did not ask to be on
>the list, and does not know why he was added.  I'm sure the same
>applies to others on the list.  So, I guess my initial theory was
>right, that the clipper list was just someone's idea of a bad joke.  I
>guess I should be happy it wasn't a conspiracy.

I have also been in contact with Mitch about this. I believe
him when he says he didn't ask to be on the "clipper" list.

He also forwarded the traffic he had received through that list to
me which will be placed at some ftp site.

However, the first alias on the "clipper list" was csspab which was
another mailing list. It basically contained the addresses for
staffers and board members of the NIST security board. Several of
these people had their accounts within the dockmaster domain.

These are the people we might wish to FOIA...

/harry
-- 
Harry Shapiro  				      habs@panix.com
List Administrator of the Extropy Institute Mailing List
Private Communication for the Extropian Community since 1991

Newsgroup: sci.crypt
document_id: 15407
From: amanda@intercon.com (Amanda Walker)
Subject: Re: Once tapped, your code is no good any more.

uni@acs.bu.edu (Shaen Bernhardt) writes:
> I wish I could agree with you.  Ask yourself this.  Why would any 
> private sector entity wish to buy a crypto system that was KNOWN to be 
> at least partially compromised?

(a) To use for sensitive but not strategically important traffic,
(b) if the system was cheap.

For example, I don't own a cordless phone.  With Clipper, I would.  If the 
local men in blue really want to listen to me talk to my friends or order 
pizza, I'm no worse off than I am now, and I don't have to worry about
local kids or nosy neighbors.

That is to say, Clipper "raises the bar" on insecure channels.  It doesn't 
make them secure, by any means, but a wall, even if the FBI can get a master 
key by court order, is still better than a "keep off the grass" sign.

> The answer seems obvious to me, they wouldn't.  There is other hardware 
> out there not compromised.  DES as an example (triple DES as a better 
> one.) 

So, where can I buy a DES-encrypted cellular phone?  How much does it cost?
Personally, Cylink stuff is out of my budget for personal use :)...

> How can you reconcile the administrations self proclaimed purpose of 
> providing law enforcement with access to encrypted data without making 
> the clipper system the only crypto available in the U.S... ?

The Second and Fourth Amendments do come to mind.  


Amanda Walker
InterCon Systems Corporation



Newsgroup: sci.crypt
document_id: 15408
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

rlward1@afterlife.ncsc.mil (Robert Ward) writes:

> >and since the US constitution guarantees the right to every American
> >to bear arms, why is not every American entitled, as a matter of

> Have you read the applicable part of the Constitution and interpreted it IN 
> CONTEXT? 

Yes. BTW, the appropriate Amendments were posted here some time ago.

> If not, please do so before posting this misinterpretation again.
> It refers to the right of the people to organize a militia, not for individual
> to carry handguns, grenades, and assault rifles.  

It's OK, it's OK... Just a month ago I expressed my belief that the
right to have a means to shoot your neighbor is not that much
necessary to ensure a people's right to be free and got flamed by lots
of American gun supporters. So I thought that...

Never mind. The new Cripple Chip is a purely American problem, so deal
with the mess yourselves. I just wanted to share with you a bit of my
experience of living 30 years under a totalitarian regime (I'm
Bulgarian) - because I thought that it might be useful to you. Oh
well.

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

Newsgroup: sci.crypt
document_id: 15409
From: srt@duke.cs.duke.edu (Stephen R. Tate)
Subject: Re: Why the clipper algorithm is secret

In article <1993Apr18.225502.358@iecc.cambridge.ma.us> johnl@iecc.cambridge.ma.us (John R. Levine) writes:
>It just occurred to me why the algorithm is secret.  If it were
>published, one could then build physically identical clone versions
>of the chip that would interoperate with official Clipper chips.  But
>the cloner wouldn't provide the keys to the escrow houses.  Hmmn.

Not necessarily --- they could release the details of the algorithm
without releasing the "system key" (called SK by Hellman).  That would
make most people happy, and with some sort of verification procedure
before key exchange, the "official" chips would only work with other
"official" chips.  In other words, secrecy of SK makes "physically
identical clone versions" impossible;  secrecy of the algorithm shouldn't
be necessary.

Of course, revealing the algorithm opens them up to attacks on SK ---
since all units share this key, compromising it may be a big deal.
Personally, I wouldn't feel too comfortable knowing that one "secret"
80-bit number held in many places was all that guaranteed my security.
Of course, compromise of SK doesn't necessarily mean that the system
is compromised, but it's impossible to tell whether or not that's true
with a secret algorithm.

Incidentally, what's to keep a "secret algorithm" from using the secret
SK as the main key, with UK being only marginally important.  Then
a court order for UK may not even be necessary to do a wiretap.

-- 
Steve Tate srt@cs.duke.edu | The reason why mathematics enjoys special esteem,
Dept. of Computer Science  | above all other sciences, is that its laws are
Duke University     | absolutely certain and indisputable, while those of all
Durham, NC  27706   | other sciences are to some extent debatable. (Einstein)

Newsgroup: sci.crypt
document_id: 15410
From: skt@dcs.glasgow.ac.uk (Simon K Train)
Subject: Help me please!

I am a PhD student.
Can I get the sci.crypt group posted directly to me???
Also I would like some feed-back on the encryption schemes that my research in
finite fields can be applied to. Any takers?
Reply to gamv25@udcf.gla.ac.uk
Thanks yours
Gavin.

Newsgroup: sci.crypt
document_id: 15411
From: amanda@intercon.com (Amanda Walker)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

pmetzger@snark.shearson.com (Perry E. Metzger) writes:
> I'm a political dissident. I'm scared shitless of the feds listening in 
> on my calls. My opinions are the sort that would get me 
> "disappeared" in a slightly less free society -- and who knows what 
> sort of society we will be in in five or ten years? I have friends who 
> have had their phones tapped -- none of this is theoretical to me. 

I understand, believe it or not, and there are any number of kinds of 
conversation and communication I engage in that I wouldn't even consider 
using this scheme for.  On the other hand, I don't see "Clipper" as providing 
a secure channel--it just prevents casual eavesdropping.  This is part of why 
I am not worried about it per se.  Trying to look at Clipper as a serious 
security tool is simply ludicrous.  It's a voice scrambler, nothing more.

There is still plenty of market for real crypto.

> As for "its better than the status quo", well, first of all, you can 
> get a cryptophone from companies like Cylink today -- and they work 
> well.

They cost an arm and a leg, though. "Clipper" is obviously aimed at the mass 
market.  It certainly won't put Cylink out of business.

> In addition, a number of groups are now working on building 
> software to turn any PC into a privacy enhanced phone right now -- and 
> they are all working in overdrive mode. 

This is old news.  I can do this now.

> There ARE no crypto restrictions... yet. You can use anything you want 
> RIGHT NOW. The point is to maintain that right. 

There ARE restrictions.  Example: We're a networking software vendor with a 
large overseas share of our market.  We cannot currently ship PEM, or even 
simple DES, in our products without case-by-case approval from the Department 
of State.  ITAR presents a material trade barrier to US firms trying to 
compete in international information systems markets.

Sure, you can use whatever freebie software you want to talk over BBS's in 
the USA.  I, on the other hand, want strong crypto (PKCS, for example) to be 
the *default* for electronic mail, worldwide.  I want priests to be able to 
hear confession over email.  I want lawyers to be able to talk to clients in 
confidence over email, or doctors talk with patients.  I want to be able to 
order products from my favorite Japanese mail-order catalog over the net.  I 
want to be able to sign contracts, transact business, and so on 
electronically.

This is so far infeasible as a result of the current restrictions on 
cryptographic systems, especially beyond the borders of the USA.

Clipper is irrelevant, and if it distracts the authorities into feeling safe, 
all the better.  Its only danger is if it emboldens them into trying to put 
more restrictions into place, on the theory that it is "good enough for 
anyone who has nothing to hide."  That argument is, of course, utter BS, just 
as much as "no one needs an assault rifle".


Amanda Walker
InterCon Systems Corporation



Newsgroup: sci.crypt
document_id: 15412
From: amanda@intercon.com (Amanda Walker)
Subject: Re: text of White House announcement and Q&As on clipper chip 
	encryption

rlward1@afterlife.ncsc.mil (Robert Ward) writes:
> It refers to the right of the people to organize a militia, not for 
> individuals to carry handguns, grenades, and assault rifles.  

False, as federal courts have affirmed on many occasions.  This is getting 
out of sci.crypt territory, though...


Amanda Walker
InterCon Systems Corporation



Newsgroup: sci.crypt
document_id: 15413
From: res@colnet.cmhnet.org (Rob Stampfli)
Subject: Re: Fifth Amendment and Passwords

>>I am postive someone will correct me if I am wrong, but doesn't the Fifth
>>also cover not being forced to do actions that are self-incriminating?
>
>[From Mike Godwin <mnemonic@eff.org>, posted with permission - Carl]
>
>Sadly, it does not. Suspects can be compelled to give handwriting and
>voice exemplars, and to take blood and DNA tests.

I am sure that Mike is correct on this point.  I am also pretty sure that
administering "truth serum" would be ruled a violation of your right
not to incriminate yourself.  But, what is the salient difference?
Both drawing blood and injecting "truth serum" incapacitate you for
a while, but do no permanent damage.  Is it simply that we have come to
view one as acceptable, while the other is viewed as a fundamental
violation of one's rights?  If this is the case, how do we expand the
protections of the 5th amendment to incorporate new technologies without
the results being a hodgepodge of different judges' personal opinions?
-- 
Rob Stampfli  rob@colnet.cmhnet.org      The neat thing about standards:
614-864-9377  HAM RADIO: kd8wk@n8jyv.oh  There are so many to choose from.

Newsgroup: sci.crypt
document_id: 15414
From: arromdee@jyusenkyou.cs.jhu.edu (Ken Arromdee)
Subject: Re: Once tapped, your code is no good any more.

In article <1qpg8fINN982@dns1.NMSU.Edu> amolitor@nmsu.edu (Andrew Molitor) writes:
>Yes, those evil guys in the FBI can probably, with some
>effort, abuse the system. I got news for you, if the evil guys in
>the FBI decide they want to persecute you, they're gonna, and you're
>gonna hate it. Fact is, the FBI doesn't want to listen to your phone
>calls, and if they do, and if you're using triple-DES, they'll just
>get a parabolic microphone and point it at your head.

Just because they can do it anyway, somehow, does not mean it is smart to make
the job easier for them.
--
"On the first day after Christmas my truelove served to me...  Leftover Turkey!
On the second day after Christmas my truelove served to me...  Turkey Casserole
    that she made from Leftover Turkey.
[days 3-4 deleted] ...  Flaming Turkey Wings! ...
   -- Pizza Hut commercial (and M*tlu/A*gic bait)

Ken Arromdee (arromdee@jyusenkyou.cs.jhu.edu)

Newsgroup: sci.crypt
document_id: 15415
From: robichau@lambda.msfc.nasa.gov (Paul Robichaux)
Subject: Suggestions for escrow agencies (was: Re: More technical details)

( Below is my response to Dr. Denning's letter to Steven Bellovin. Comments
  are invited. - Paul )

In alt.privacy.clipper, Steve Bellovin posted your message to
him, which included a brief passage concerning selection of agencies
as escrow agencies.

I am glad to see that the proposal as written states that the escrow
agencies won't be law enforcement agencies. I would argue, however,
that *one* of the escrow agencies shouldn't be federal at all.

As a private citizen, I would feel much more "secure in my person and
papers" knowing that an organization committed to individual civil
liberties- the ACLU and the NRA come to mind- was safeguarding half of
my key. Both the ACLU and the NRA are resistant to government pressure
by the simple expedient fact that they are not supported, funded, or
overtly controlled by the government.

Of those federal and federally funded candidate agencies that you
mentioned, I have the following comments:

	- SRI, Rand, Mitre, and national labs: I agree that they have
	  great experience safeguarding sensitive information. I am not
	  convinced that they would adequately safeguard _this_
	  information, since in any case requiring disclosure, there's
	  likely to be significant pressure for disclosure- possibly
	  *wrongful* disclosure.

	- GAO: perhaps. I would like to see more concrete evidence of
	  their fidelity and ability.

	- *TREASURY*? Surely you're joking. Perhaps you'd ask BATF
	  to safeguard keys. Maybe the Federal Reserve would be a
	  better choice.

Ever since last fall's "trial balloon" was posted in sci.crypt, your
name has been synonymous with those who place a great deal of trust in
the ability of government agencies and agents to act within the law.

I agree with you in part: those agencies and agents *almost always*
act properly. However, there have been enough cases where _sworn
agents of the Federal Government_ have acted wrongly to make me feel
that having two federal agencies as key repositories is unacceptable.


Respectfully,
-Paul Robichaux
 (not speaking for NTI, BCSS, or NASA)


-- 
Paul Robichaux, KD4JZG                | HELP STOP THE BIG BROTHER CHIP!
NTI Mission Software Development Div. | RIPEM key on request.

Newsgroup: sci.crypt
document_id: 15416
From: steve-b@access.digex.com (Steve Brinich)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

  You're drifting off topic.  In any case, if you check on any of the
topics devoted to gun rights issues, you will find ample evidence that
the "misinformation" is your assertion that the term "the people" in
the Second Amendment has mysteriously taken on a meaning diametrically
opposite the meaning of the exact same term in the First and Fourth
Amendments.



Newsgroup: sci.crypt
document_id: 15417
From: caronni@nessie.cs.id.ethz.ch (Germano Caronni)
Subject: Re: More technical details

In article <1993Apr19.134346.2620@ulysses.att.com> smb@research.att.com (Steven Bellovin) writes:
>Here are some corrections and additions to Hellman's note, courtesy of
>Dorothy Denning.  Again, this is reposted with permission.
>
>Two requests -- first, note the roles of S1 and S2.  It appears to me
>and others that anyone who knows those values can construct the unit
>key.  And the nature of the generation process for K1 and K2 is such
>that neither can be produced alone.  Thus, the scheme cannot be
>implemented such that one repository generates the first half-key, and
>another generates the second.  *That* is ominous.
>
>Second -- these postings are not revealed scripture, nor are they
>carefully-crafted spook postings.  Don't attempt to draw out hidden
>meanings (as opposed to, say, the official announcements of Clipper).
>Leave Denning out of this; given Hellman's record of opposition to DES,
>which goes back before some folks on this newsgroup knew how to read, I
>don't think you can impugn his integrity.
>
>Oh yeah -- the folks who invented Clipper aren't stupid.  If you think
>something doesn't make sense, it's almost certainly because you don't
>understand their goals.
>

This is an addition (posted with permission) to some tech. details of
Clipper. They enlighten ??? the use of S1 and S2 for key generation.
-------------------------------------------
Date: Mon, 19 Apr 93 08:51:57 EDT
From: denning@cs.cosc.georgetown.edu (Dorothy Denning)
Subject: Re:  Clipper Chip

I just had another conversation with NSA to clarify some of the features
of Clipper.  Please feel free to distribute this and my other messages
on Clipper.

The name of the encryption algorithm is "Skipjack."

Martin Hellman had written

                and the serial number of the unit added to produce a three part
                message which will then be encrypted under the system key SK
                producing

                     E{ E[M; K], E[K; UK], serial number;  SK}

To which I responded:

        My understanding is that E[M; K] is not encrypted under SK (called the
        "family key") and that the decrypt key corresponding to SK is held by
        law enforcement.  Does anyone have first hand knowledge on this?

I was correct in that E[M; K] is not encrypted under SK.  However, Skipjack
being a single-key system, there is, of course, not a separate decrypt key
for the family key SK.

        The unit key, also called the "chip key," is generated from the
        serial number N as follows.  Let N1, N2, and N3 be 64 bit blocks
        derived from N, and let S1 and S2 be two 80-bit seeds used as keys.
        Compute the 64-bit block

                R1 = E[D[E[N1; S1]; S2]; S1]

        (Note that this is like using the DES in triple encryption mode with
        two keys.)  Similarly compute blocks R2 and R3 starting with N2 and N3.
        (I'm unclear about whether the keys S1 and S2 change.  The fact that
        they're called seeds suggests they might.)  Then R1, R2, and R3 are
        concatenated together giving 192 bits.  The first 80 bits  form K1 and
        the next 80 bits form K2.  The remaining bits are discarded.

The seeds S1 and S2 do not change.   The whole process is performed on
a laptop computer, and S1 and S2 are supplied by two independent people
so that no one person knows both.  The same S1 and S2 are used during
an entire "programming session" to generate keys for a stream of serial
numbers.  Everything is discarded at the end (the computer could be
thrown out if desired).

The serial number is 30 bits and the values N1, N2, and N3 are formed
by padding the serial number with fixed 34-bit blocks (separate padding
for each value).

The resulting keys K1 and K2 are output onto separate floppy disks, paired
up with their serial number.  Each pair is stored in a separate file.  The
floppy disks are taken away by two separate people on behalf of the two
escrow agencies.

Dorothy Denning
denning@cs.georgetown.edu

--------------------------------------------------------
I am sure more technical detail will be known when time goes by.
Please remark that in posting this, I do not automatically agree
with its contents and implications. So don't swamp my mailbox :-)

I just think this is a valuable addition to the less than technical
discussion that is rising here. And, no, I don't mind if you call
S1 and S2 'backdoor', as I could imagine the key-generation process
working without these seeds and the dependency of K1,K2 from the
Serial-Number.


Friendly greetings,

	Germano Caronni
-- 
Instruments register only through things they're designed to register.
Space still contains infinite unknowns.
                                                              PGP-Key-ID:341027
Germano Caronni caronni@nessie.cs.id.ethz.ch   FD560CCF586F3DA747EA3C94DD01720F
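
The unit-key derivation Denning describes above, as an added example (not code from any of the posters, and not anything from the Clipper programme itself). Skipjack was secret, so a toy Feistel cipher built on SHA-256 stands in for it with the same 64-bit block and 80-bit key shape; the 34-bit pad values, the 32-round count and the seeds are constructed. What it shows is the property Bellovin points at: anyone holding S1, S2 and a serial number regenerates both escrowed halves exactly, and neither K1 nor K2 can be produced from one seed alone, so the two-agent split protects nothing against whoever held the seeds during a programming session.

```python
"""Toy model of the Clipper unit-key generation Denning describes.

Skipjack was secret, so a small keyed Feistel network built from SHA-256 stands
in for it (same 64-bit block, 80-bit key shape).  Everything here is an added
illustration, not code from any of the posters or from the Clipper programme.
"""
import hashlib

BLOCK_BYTES = 8     # 64-bit blocks, per Denning
KEY_BYTES = 10      # 80-bit seeds S1/S2 and half-keys K1/K2, per Denning
ROUNDS = 32         # assumed; Caronni's summary mentions 32 rounds
SERIAL_BITS = 30    # serial number width, per Denning
PAD_BITS = 34       # fixed padding width, per Denning

# Denning gives the width of the pads but not their values: these are constructed.
PADS = (0x155555555, 0x2AAAAAAAA, 0x0F0F0F0F0)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _subkeys(key: bytes) -> list:
    # One 8-byte round key per round from the 80-bit key (stand-in key schedule).
    assert len(key) == KEY_BYTES
    return [hashlib.sha256(key + bytes([i])).digest()[:8] for i in range(ROUNDS)]


def _round_fn(subkey: bytes, half: bytes) -> bytes:
    # Toy round function: 32 bits of SHA-256 keyed by the round key.
    return hashlib.sha256(subkey + half).digest()[:4]


def toy_encrypt(block: bytes, key: bytes) -> bytes:
    """E[block; key] for the stand-in cipher (balanced Feistel, 32-bit halves)."""
    assert len(block) == BLOCK_BYTES
    left, right = block[:4], block[4:]
    for sk in _subkeys(key):
        left, right = right, _xor(left, _round_fn(sk, right))
    return right + left          # undo the final swap


def toy_decrypt(block: bytes, key: bytes) -> bytes:
    """D[block; key]: same network with the round keys applied in reverse."""
    assert len(block) == BLOCK_BYTES
    left, right = block[:4], block[4:]
    for sk in reversed(_subkeys(key)):
        left, right = right, _xor(left, _round_fn(sk, right))
    return right + left


def serial_blocks(serial: int) -> list:
    """N1, N2, N3: the 30-bit serial number padded with a distinct fixed 34-bit block."""
    assert 0 <= serial < (1 << SERIAL_BITS)
    return [((serial << PAD_BITS) | pad).to_bytes(BLOCK_BYTES, "big") for pad in PADS]


def derive_half_keys(serial: int, s1: bytes, s2: bytes) -> tuple:
    """K1, K2 for one chip: R_i = E[D[E[N_i; S1]; S2]; S1], concatenate to 192 bits,
    first 80 bits are K1, next 80 are K2, the remaining 32 are discarded."""
    r_blocks = [toy_encrypt(toy_decrypt(toy_encrypt(n, s1), s2), s1)
                for n in serial_blocks(serial)]
    cat = b"".join(r_blocks)
    return cat[:KEY_BYTES], cat[KEY_BYTES:2 * KEY_BYTES]


def programming_session(serials, s1: bytes, s2: bytes) -> tuple:
    """One 'programming session': the same S1/S2 for a batch of serial numbers,
    output as two lists of (serial, half-key), one per escrow agent's floppy."""
    disk1, disk2 = [], []
    for serial in serials:
        k1, k2 = derive_half_keys(serial, s1, s2)
        disk1.append((serial, k1))
        disk2.append((serial, k2))
    return disk1, disk2


if __name__ == "__main__":
    # Constructed seeds for the demonstration.
    S1 = bytes.fromhex("0123456789abcdef0123")
    S2 = bytes.fromhex("fedcba9876543210fedc")
    d1, d2 = programming_session([1, 2, 0x3FFFFFFF], S1, S2)
    for (serial, k1), (_, k2) in zip(d1, d2):
        print(f"serial {serial:#010x}: K1={k1.hex()} K2={k2.hex()}")
    # Both halves depend on both seeds: an agent holding S1 alone cannot produce K1.
    k1_other_s2, _ = derive_half_keys(1, S1, bytes(KEY_BYTES))
    print("K1 unchanged when S2 changes:", k1_other_s2 == d1[0][1])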

Newsgroup: sci.crypt
document_id: 15418
From: ethridge@crchh403 (Allen Ethridge)
Subject: Re: Once tapped, your code is no good any more.

Amanda Walker (amanda@intercon.com) wrote:
: uni@acs.bu.edu (Shaen Bernhardt) writes:
: [deletions]
: 
: > How can you reconcile the administrations self proclaimed purpose of 
: > providing law enforcement with access to encrypted data without making 
: > the clipper system the only crypto available in the U.S... ?
: 
: The Second and Fourth Amendments do come to mind.  
: 

I think I heard someplace (misc.legal?, comp.org.eff.talk?) that the courts
have pretty much eliminated the fourth amendment already.

--
allen@well.sf.ca.us             Words got me the wound
ethridge@bnr.ca                  and will get me well,
my opinions are my own            if you believe it.
                                    -- Jim Morrison

Newsgroup: sci.crypt
document_id: 15419
From: holland@CS.ColoState.EDU (douglas craig holland)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

In article <strnlghtC5puCL.6Kp@netcom.com> strnlght@netcom.com (David Sternlight) writes:
>In article <Apr18.204843.50316@yuma.ACNS.ColoState.EDU>
>holland@CS.ColoState.EDU (douglas craig holland) writes:
>
>
>>	Let me ask you this.  Would you trust Richard Nixon with your
>>crypto keys?  I wouldn't.
>
>I take it you mean President Nixon, not private citizen Nixon. Sure.
>Nothing I'm doing would be of the slightest interest to President Nixon .
>
	Are you sure you aren't being watched?  Let me remind you that 
Watergate was only the tip of the iceberg.  Nixon extensively used the NSA
to watch people because he didn't like them.  According to _Decrypting the
Puzzle Palace_:

	Presumably, the NSA is restricted from conducting American surveillance
	by both the Foreign Intelligence Surveillance Act of 1978(FISA) and a
	series of presidential directives, beginning with one issued by
	President Ford following Richard Nixon's bold misuse of the NSA, in
	which he explicitly directed the NSA to conduct widespread domestic
	surveillance of political dissidents and drug users.

	Of course, just because there are laws saying the gov't is not 
supposed to conduct illegal surveillance doesn't mean those laws can't be
broken when they are in the way.
						Doug Holland



Newsgroup: sci.crypt
document_id: 15420
From: zrepachol@cc.curtin.edu.au (Paul Repacholi)
Subject: Re: What is going on?...

In article <gthomas.735070935@sfu.ca>, gthomas@fraser.sfu.ca (Guy Thomas) writes:
> zrepachol@cc.curtin.edu.au (Paul Repacholi) writes:
> 
>>In article <1993Apr16.055100.1@cc.curtin.edu.au>, zrepachol@cc.curtin.edu.au (Paul Repacholi) writes:
>>...
>>> If you can't be bothered reading, get the video "Manufacturing Consent".
>>> 
> 
>>In reply to mail queries; I don't know if a video is available yet. I asked
>>about a month ago and was told RSN.
> 
> Yes it is. From the National Film Board of Canada.

Ah, not in the USA. That's a relief, thought 'reality' must be slipping for a
second. :-)

St Noam was on the radio tonight, he has just published a new book "501 years".
Published by South End I guess. Could some Bostonian confirm please?

I would love to hear what he thinks of the Clipper scam.

~Paul

PS The first posting I saw I thought was a joke in *VERY* bad taste. My apologies
to the person who broke the news.



Newsgroup: sci.crypt
document_id: 15421
From: cuffell@spot.Colorado.EDU (Tim Cuffel)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

In article <strnlghtC5puCL.6Kp@netcom.com> strnlght@netcom.com (David Sternlight) writes:
>In article <Apr18.204843.50316@yuma.ACNS.ColoState.EDU>
>holland@CS.ColoState.EDU (douglas craig holland) writes:
>
>
>>	Let me ask you this.  Would you trust Richard Nixon with your
>>crypto keys?  I wouldn't.
>
>I take it you mean President Nixon, not private citizen Nixon. Sure.
>Nothing I'm doing would be of the slightest interest to President Nixon .
>
>David
>
>
>-- 
>David Sternlight         Great care has been taken to ensure the accuracy of
>                         our information, errors and omissions excepted.  
>
>

Ergo, if your life is sufficiently boring, you have no need for privacy?

(This is not meant to be personal, just the logical conclusion of your
statement.)
-- 
-Tim Cuffel	Finger for PGP 2.1  The CIA has admitted that the assassination
                                    of Saddam Hussein was one of their goals.
They failed, of course.  Seems as though that motorcade through downtown Dallas
trick only works once.

Newsgroup: sci.crypt
document_id: 15422
From: karn@unix.ka9q.ampr.org (Phil Karn)
Subject: Re: Fifth Amendment and Passwords

In article <1993Apr18.233112.24107@colnet.cmhnet.org>, res@colnet.cmhnet.org (Rob Stampfli) writes:
|> >Sadly, it does not. Suspects can be compelled to give handwriting and
|> >voice exemplars, and to take blood and DNA tests.
|> 
|> I am sure that Mike is correct on this point.  I am also pretty sure that
|> administering "truth serum" would be ruled a violation of your right
|> not to incriminate yourself.  But, what is the salient difference?

You can find the salient difference in any number of 5th amendment
related Supreme Court opinions. The Court limits 5th amendment
protections to what they call "testimonial" evidence, as opposed to
physical evidence.

The whole question would hinge on whether a crypto key would be
considered "testimonial" evidence. I suppose arguments could be made
either way, though obviously I would hope it would be considered
testimonial.

Phil

Newsgroup: sci.crypt
document_id: 15423
From: srt@duke.cs.duke.edu (Stephen R. Tate)
Subject: Re: More technical details

In article <1993Apr19.162936.7517@bernina.ethz.ch> caronni@nessie.cs.id.ethz.ch (Germano Caronni) (actually Dorothy Denning) writes:
>The seeds S1 and S2 do not change.  

Let me see if I have this straight --- if a person knows S1 and S2,
and the serial number of the unit, it's easy to reconstruct UK.
Of course, if they know SK, the "family key", they can easily get the
serial number of any unit that has made a transmission.  So with S1 and
S2 being used for a whole "batch" of the unit keys, the number of
used S1/S2 pairs will probably be fairly low.  Of course, you have to
believe that the NSA/FBI/name-your-favorite-government agency will
know SK so all it needs is the S1/S2 pairs, and presto, nasty details 
like court orders for wire taps are no longer necessary.

Now, I'm not one of the people who distrusts the government at every
turn, but taking someone's word for it that the S1/S2 pairs are not kept
around is pushing what I'm willing to believe just a little bit too far.


-- 
Steve Tate srt@cs.duke.edu | The reason why mathematics enjoys special esteem,
Dept. of Computer Science  | above all other sciences, is that its laws are
Duke University     | absolutely certain and indisputable, while those of all
Durham, NC  27706   | other sciences are to some extent debatable. (Einstein)

Newsgroup: sci.crypt
document_id: 15424
From: Grant@DOCKMASTER.NCSC.MIL (Lynn R Grant)
Subject: Re: Key Registering Bodies

If we do not trust the NSA to be a registrar of Clipper Chip key halves,
I would not trust Mitre either.  Mitre does lots of work for NSA, at least
in the Trusted Product Evaluation Program (evaluation of commercial off the
shelf software for its efficacy in safeguarding classified information), and
I assume in other, less open, programs.

There are at least two other FFRDCs (Federally Funded Research and Development
Corporations) that work for NSA: Aerospace Corporation and the Institute for
Defense Analysis.  Now, if NSA were to be untrustworthy (a position that I
am neutral about, for purposes of this posting), it would be in a position to
exert economic pressure upon Mitre to release key halves on demand.  It could
just say, "If you don't cooperate with us, we'll place all our evaluation
contracts with Aerospace and IDA."

I am not saying that people at NSA, Mitre, Aerospace, or IDA are dishonest
folk.  But since they are people, and people occasionally go bad, the
system works better if organizations that you are depending upon to be
independent really are.

And, of course, I speak for myself, not my employer.

Lynn Grant

Newsgroup: sci.crypt
document_id: 15425
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: Re: WH proposal from Police point of view


In article <strnlghtC5puor.704@netcom.com> strnlght@netcom.com (David Sternlight) writes:

   There has been extensive discussion in the eff forum, for example, about
   inadmissible taps being used to develop information that could then lead to
   admissible evidence.  This might put a stop to such things, which must from
   time to time be simple fishing expeditions.

Far more likely, these things will continue to be done no matter what
assurances we are given. "Key Escrow" is likely going to prove to be a
joke.

--
Perry Metzger		pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
document_id: 15426
From: caronni@nessie.cs.id.ethz.ch (Germano Caronni)
Subject: Re: More technical details

Hmm, followup on my own posting... Well, who cares.

First let me try to work out the facts that we get to know about the
Clipper-Chip, from what Hellman and Denning were able to tell us:

The chip itself is not confined to (digital) telephony, but performs
general encryption in a symmetric manner.  The chip supports CFB, OFB,
ECB (and whatever the fourth mode of operation for DES is), the algorithm
consists of 32 rounds of *whatever*, and takes 80-bit keys. Input data
seems to be 64 bits? Yes.
So if two people want secure communication (whatever that means when 
Clipper is involved) they have first to agree on ONE secret key. 
(Or is it one key per direction ?)
They can exchange this key via DH-schemes or however.
Somehow the two feed their so-won secret key into the Clipper chip
which is now ready to work.
The Clipper chip carries a unique serial number (30 bits), and 160 key bits.
These 160 key bits seem to have been gained by encrypting the serial number
with 160 seed bits. (The seed bits seem not to be stored in the chip.)
At the beginning of communication (and perhaps at certain intervals within??)
before sending the first real 64-bit output of the first encryption the Clipper
chip puts out packets (I guess 3) which represent the serial number
and the session key. This might look like
X{ E[K; chipkeyK1+K2], serial number}
where X is a transformation of these 3? packets involving a family key.
This family(sp?)-key is equal for ALL chips. (X might be a simple XOR ???)
After that, the (digital?) phone call can be done as usual, every packet
being encrypted and decrypted by Clipper.

Denning describes how K1 and K2 shall be generated, using a seed of 160
bits.

Now, leaving alone politics, which does not concern me as much as you, not
being an American Citizen(tm) [ :-) ] , there are some weak points in this
scheme, which might be exploited by several parties.

As far as I know about the generation of K1,K2 ; S1 and S2 look like the 
obvious backdoor. They could be used to generate the chip-keys by knowing
the serial-number (and also the family-key) of the chip. I really can't
imagine why these seeds would be needed otherwise, as true random-sources
for the generation of the K1,K2 can be bought for not too much money.

Then, the escrows. Each of them will get 80 bits of a 160-bit key. Security
could (as little as existent) be maximized by giving them 160 bits
each, which have to be XORed together to give the K1,K2. Now let's simply
assume the escrows are trustworthy, and can't be fooled by criminals or
law enforcement agencies. (And there will be no quarrel between escrows
and l.e.a which would hinder the l.e.a in doing their duties, and so on
and so on) Once the keys are surrendered, the corresponding
chip is compromised forever. Not very clever, IMHO [ :-)) ].
How about sending in the encrypted session keys for each phone call that
the police (or whoever) wants to listen to? Escrows could then simply decode
this session key and send it back to police. (And would naturally not do this
after the warrant has expired...) This would be a better technical solution,
but I guess politics will not work that way.

Apparently (as Miss Denning stated) the only one actually performing decodes
of intercepted messages shall be the FBI. Great. So local guys can not
intercept (understand) your traffic anymore. Does this mean that the FBI
monopolizes the right to do legal wiretaps ? (How is law over there, I have
no idea who is allowed to tap, and who not) This certainly means that watched
communications will be routed automatically from the service-providing company
to the FBI, if the communication is a watched one. And this means as far
as I understand it that the family key has to be known by each switching
company, and those providing cellular phone services etc. etc. So the family key
will not be very secret, and thus serial numbers of calls will be readable
by anybody who cares. I _like_ traffic-analysis!

What do you guess, what happens, if you use the chip in ECB mode, and the
first few packets of the chip are somehow lost or garbled? So the session
key would not be actually broadcasted over the line? Hmmm. Shouldn't be so
difficult to do *that* :^)

And now a last point, for the other side. After all I have read and heard about
Clipper (not the programming language for dBase, is it ? [:-)]) it seems
to have many advantages, which should not be overlooked!


Now an afterthought to your rights. Please note that I have no idea what I am
talking about!!!

From: grady@netcom.com (1016/2EF221)
>    Amendment 1                                                           
>                                                                          
>    Congress shall make no law respecting an establishment of religion, or
>prohibiting the free exercise thereof; or abridging the freedom of speech,
>or of the press; or the right of the people peaceably to assemble, and to 
>petition the Government for a redress of grievances.

If this text is actually in your Bill of Rights, who can overrule this ?
But: 'Freedom of speech' is not 'Secrecy of speech'

Maybe you need to extend your Amendment #4  to cover information and
communication too ?

I am not very sure in what position your government actually is *legally*
when it tries to ban cryptography (and arms) Amendment say you may have them,
but not under what conditions. Hmm, tricky situation :-(

Actually it will make not much sense to discuss that topic in sci.crypt...
Discussion of technical details and vulnerabilities of the system is highly
suggested and appreciated :-)

Friendly greetings,

	Germano Caronni


DISCLAIMER: Everything in here is derived from things I heard and read from
other persons, so everything could be wrong. All opinions and thoughts in here
are mine, and subject to change without further notification. No warranty,
neither implicit nor explicit etc. etc. etc. ad nauseam.

p.s. Please don't ask me about political opinions, as I might not bother to
     reply. (For further information read the last line of P. Metzger's signature)
-- 
Instruments register only through things they're designed to register.
Space still contains infinite unknowns.
                                                              PGP-Key-ID:341027
Germano Caronni caronni@nessie.cs.id.ethz.ch   FD560CCF586F3DA747EA3C94DD01720F

Newsgroup: sci.crypt
document_id: 15427
From: paul@charon.gsfc.nasa.gov (Paul Olson)
Subject: Re: White House Public Encryption Management Fact Sheet

In article <1qnav4$r3l@transfer.stratus.com>, cme@ellisun.sw.stratus.com (Carl Ellison) writes...
>In article <C5LGAz.250@dove.nist.gov> clipper@csrc.ncsl.nist.gov (Clipper Chip Announcement) writes:
> 
>>Further, the Attorney General
>>shall utilize funds from the Department of Justice Asset Forfeiture
>>Super Surplus Fund to effect this purchase.
> 
>Talk about adding insult to injury ... 
> 
>I, for one, believe that the use of civil forfeiture should be abolished by
>a decent administration, not continued.  Instead, it looks like that
>ill-gotten gain will be used to help pay for wiretap equipment.

I wholeheartedly agree.  Knowing that WE have let our law enforcement agencies
seize our property against the Fifth Amendment of OUR Constitution tells me that
we are absolving ourselves of our responsibility for SELF-GOVERNANCE.  WE have
to take our government back from the self-serving politicians who create laws
and rules only to better their positions within the government.  WE have allowed
them to take too much power from the people of this nation.  That situation has
to be changed.

Allowing the law enforcement agencies to use the seized property to pay off drug
informants who lie and continue to deal in drugs is tantamount to making a pact
with the Devil himself.  It's a vicious cycle.  The law enforcement agencies are
motivated to seize property to fund their own activities.  And having no easy
way for the citizen to regain the property intact once taken gives even more
incentive for the agencies to take property.

It's also interesting to note that two months ago Rush Limbaugh said that
Clinton would have the "plumbers" out in force shortly.  Clinton and his
henchmen firmly believe in strong ubiquitous government control.  Anytime a
leader believes in that, the leader will use every means possible to retain that
control and take more.

WE have to take OUR government back.  Otherwise we will end up living in the
equivalent of a high-tech third world dictatorship.  We have to take
responsibility for ourselves, our personal welfare, and our actions.

       __  Paul J. Olson - VAX Systems Manager & Resident Amiga Addict
  C=  ///  Voice -    301/286-4246, 301/210-7701
 __  ///   DECnet-    CHARON::PAUL                                    
 \\\///    Internet - paul@charon.gsfc.nasa.gov                       
  \XX/     Disclaimer: Statements in my messages are wholly my own.   
  AMIGA    "Ignorance is a renewable resource." -- P.J. O'Rourke

Newsgroup: sci.crypt
document_id: 15429
From: zrepachol@cc.curtin.edu.au (Paul Repacholi)
Subject: Re: Clipper Chip. LONG follow up.

In article <16695@rand.org>, jim@rand.org (Jim Gillogly) writes:
> This document is in the anonymous ftp directory at NIST.  Looks to me
> like the other shoe has dropped.
> 
> 	Jim Gillogly
> 	Trewesday, 25 Astron S.R. 1993, 17:00
> 

Thanks for posting this and making it available. This post will be LONG, I will
comment on most of it, and am reluctantly leaving all of the original in place
to provide context.

Please note that an alt. group has been set up for the Clipper stuff.

> -------------------
> 
> Note:  This file will also be available via anonymous file
> transfer from csrc.ncsl.nist.gov in directory /pub/nistnews and
> via the NIST Computer Security BBS at 301-948-5717.
>      ---------------------------------------------------
> 
>                          THE WHITE HOUSE
> 
>                   Office of the Press Secretary
> 
> _________________________________________________________________
> 
> For Immediate Release                           April 16, 1993
> 
> 
>                 STATEMENT BY THE PRESS SECRETARY
> 
> 
> The President today announced a new initiative that will bring
> the Federal Government together with industry in a voluntary
                                                     ^^^^^^^^^
Hum, AT&T, VLSI and Mykotronx are 'industry'?
Wonder what happened to IBM, this should be right up their street.
And a mandated scheme is voluntary? Mr Orwell would love this.

> program to improve the security and privacy of telephone
                                                 ^^^^^^^^^
> communications while meeting the legitimate needs of law
> enforcement.

Telephone encryption and scrambling are years behind digital ones like RSA,
IDEA, or even DES. The above, while literally true, is a classic straw-man claim
in the context of non-real-time circuits such as E-mail and the like.

> The initiative will involve the creation of new products to
> accelerate the development and use of advanced and secure
> telecommunications networks and wireless communications links.
> 

I would modestly propose that a mandated use of ISDN would do more for
communications than this lot.

> For too long there has been little or no dialogue between our
> private sector and the law enforcement community to resolve the
> tension between economic vitality and the real challenges of
> protecting Americans.  Rather than use technology to accommodate
> the sometimes competing interests of economic growth, privacy and
> law enforcement, previous policies have pitted government against
> industry and the rights of privacy against law enforcement.
> 
> Sophisticated encryption technology has been used for years to
> protect electronic funds transfer.  It is now being used to
> protect electronic mail and computer files.  While encryption

Normally DES.

> technology can help Americans protect business secrets and the
                                        ^^^^^^^^^^^^^^^^
> unauthorized release of personal information, it also can be used
> by terrorists, drug dealers, and other criminals.

Note the use of the word "business" in the above. The whole tenor of this
release seems to be establishing a ground rule that only "business" use
is legitimate for debate. If you want the nothings you drop in your wife's
ear to remain secret and private, that is not even on the agenda for debate.
Note that there is NO role for you to contain private info in this. The only
reference is to information already in the hands of others. The 'unauthorized
release' bit is also drawing a long bow. Most of these cases are by people who
have legitimate access abusing it, and revealing, or often selling the info.
These people are, of course, in this proposal, the people who will have the
keys.

The criminals also use lawyers, courts, the CIA, White House officials and pens
to go about their business. When will they be outlawed as well? Yeah, several
of them would be a better idea than Clipper!

Then again, the protections of law and the courts have been seriously eroded
over the last decade or so.

> A state-of-the-art microcircuit called the "Clipper Chip" has
> been developed by government engineers.  The chip represents a
                    ^^^^^^^^^^^^^^^^^^^^
NSA

> new approach to encryption technology.

Yeah, this bit is VERY true.

>....It can be used in new,
> relatively inexpensive encryption devices that can be attached to
> an ordinary telephone.  It scrambles telephone communications
> using an encryption algorithm that is more powerful than many in
> commercial use today.
> 

Note the repeated mixing of telephone scrambling and encryption. A demo
of the above claim on an ordinary POTS would be a good night's entertainment
I suspect. Note also the 'many', not 'all', as the general tone implies.

> This new technology will help companies protect proprietary
                                ^^^^^^^^^
> information, protect the privacy of personal phone conversations
                                      ^^^^^^^^^^^^^^
> and prevent unauthorized release of data transmitted
> electronically.  At the same time this technology preserves the
> ability of federal, state and local law enforcement agencies to
> intercept lawfully the phone conversations of criminals. 

The case record seems to indicate that what is needed is a brutal tightening
of the current abuses. I have not heard, yet, of a case that was impeded by
the use of secure encryption by the men in black. The other side, abuse by law
enforcers, is well documented, even by govt agencies. And the phone vs other coms
is blurred yet again.

> A "key-escrow" system will be established to ensure that the
> "Clipper Chip" is used to protect the privacy of law-abiding
> Americans.

> A "key-escrow" system will be established to ensure that the
> "Clipper Chip" is used to protect the privacy of law-abiding
> Americans.

Let's run that line twice. Note **VERY** carefully what it says. The stated
purpose of the key escrow is to make the use of Clipper compulsory. Note the
word "ensure". As to 'protect', or 'law-abiding', I will leave to you.
So to the person who asked if it included the outlawing of other encryptions,
the answer in this press release is, YES.

> ...Each device containing the chip will have two unique
> "keys," numbers that will be needed by authorized government
> agencies to decode messages encoded by the device.  When the
> device is manufactured, the two keys will be deposited separately
> in two "key-escrow" data bases that will be established by the
> Attorney General.  Access to these keys will be limited to
> government officials with legal authorization to conduct a
> wiretap.

Just as they only can wiretap now with a warrant. 

> The "Clipper Chip" technology provides law enforcement with no
> new authorities to access the content of the private
> conversations of Americans.

Just makes sure that the illegal ones are preserved.

> To demonstrate the effectiveness of this new technology, the
> Attorney General will soon purchase several thousand of the new
> devices.  In addition, respected experts from outside the
> government will be offered access to the confidential details of
> the algorithm to assess its capabilities and publicly report
> their findings.

Where do you find many experts? Any ex-KGB people looking for a contract? :-)
And as a later posting asks, what of the STU-IIIs they already have. It will
be very interesting to see if the military and US embassies start to use it.
After all, it is secure, isn't it? The govt will answer that point by its own
actions.

> The chip is an important step in addressing the problem of
> encryption's dual-edge sword:  encryption helps to protect the
> privacy of individuals and industry, but it also can shield
> criminals and terrorists.  We need the "Clipper Chip" and other
> approaches that can both provide law-abiding citizens with access
> to the encryption they need and prevent criminals from using it
> to hide their illegal activities.  In order to assess technology
> trends and explore new approaches (like the key-escrow system),
> the President has directed government agencies to develop a
> comprehensive policy on encryption that accommodates:
> 
>      --   the privacy of our citizens, including the need to
>           employ voice or data encryption for business purposes;
                                                ^^^^^^^^

Again, personal use seems to be an unaskable question.

> 
>      --   the ability of authorized officials to access telephone
>           calls and data, under proper court or other legal
                                                  ^^^^^
>           order, when necessary to protect our citizens;

Ah, so warrants are not always needed it seems.

> 
>      --   the effective and timely use of the most modern
>           technology to build the National Information
>           Infrastructure needed to promote economic growth and
>           the competitiveness of American industry in the global
>           marketplace; and 
> 
>      --   the need of U.S. companies to manufacture and export
>           high technology products.

The ITARs seem to slightly impede this.

> The President has directed early and frequent consultations with
> affected industries, the Congress and groups that advocate the
> privacy rights of individuals as policy options are developed.
> The Administration is committed to working with the private
> sector to spur the development of a National Information
> Infrastructure which will use new telecommunications and computer
> technologies to give Americans unprecedented access to
> information.  This infrastructure of high-speed networks
> ("information superhighways") will transmit video, images, HDTV
> programming, and huge data files as easily as today's telephone
> system transmits voice.

Note that all this wonderful stuff will be in secret. Only the 'proper people'
will be able to express an opinion, hence only the desired result will emerge.

> Since encryption technology will play an increasingly important
> role in that infrastructure, the Federal Government must act
> quickly to develop consistent, comprehensive policies regarding
> its use.  The Administration is committed to policies that
> protect all Americans' right to privacy while also protecting
> them from those who break the law.

Encryption and codes have been around for millennia. They are generally in
equilibrium with the technology of the time. The systematic study of cyphers
has resulted in a swing in favor of the encrypter, AT THE MOMENT. I have no
doubt that the factoring problem will fall in time. Probably for practical
purposes by the middle of the next century.

> Further information is provided in an accompanying fact sheet. 
> The provisions of the President's directive to acquire the new
> encryption technology are also available.  
> 
> For additional details, call Mat Heyman, National Institute of
> Standards and Technology, (301) 975-2758.
> 
> ---------------------------------
> 
> 
> QUESTIONS AND ANSWERS ABOUT THE CLINTON ADMINISTRATION'S
> TELECOMMUNICATIONS INITIATIVE
> 
> 
> 
> 
> Q:   Does this approach expand the authority of government
>      agencies to listen in on phone conversations?
> 
> A:   No.  "Clipper Chip" technology provides law enforcement with
>      no new authorities to access the content of the private
>      conversations of Americans.
> 
> Q:   Suppose a law enforcement agency is conducting a wiretap on
>      a drug smuggling ring and intercepts a conversation
>      encrypted using the device.  What would they have to do to
>      decipher the message?
> 
> A:   They would have to obtain legal authorization, normally a
>      court order, to do the wiretap in the first place.  They
>      would then present documentation of this authorization to
>      the two entities responsible for safeguarding the keys and
>      obtain the keys for the device being used by the drug
>      smugglers.  The key is split into two parts, which are
>      stored separately in order to ensure the security of the key
>      escrow system.
> 
> Q:   Who will run the key-escrow data banks?
> 
> A:   The two key-escrow data banks will be run by two independent
>      entities.  At this point, the Department of Justice and the
>      Administration have yet to determine which agencies will
>      oversee the key-escrow data banks.

It is a little hard to criticise a non-proposal.

> Q:   How strong is the security in the device?  How can I be sure
>      how strong the security is?  
> 
> A:   This system is more secure than many other voice encryption
>      systems readily available today.

Note we drop back to 'phone-mode' again. If this is a true answer, it can be
rephrased as "It sucks big time. Anyone who can drive the crypt work-bench
will use it for light amusement before breakfast."

> ...   While the algorithm will
>      remain classified to protect the security of the key escrow
>      system,

This link between the security of the key-escrow, and the actual algorithm is
a real winner. Given that I have 2 secret 40 bit numbers, could someone please
explain how the details of an encryption algorithm will reveal them?

> ...  we are willing to invite an independent panel of
>      cryptography experts to evaluate the algorithm to assure all
>      potential users that there are no unrecognized
>      vulnerabilities.

Just make sure you read the CVs REAL carefully, OK.

> 
> Q:   Whose decision was it to propose this product?
> 
> A:   The National Security Council, the Justice Department, the
>      Commerce Department, and other key agencies were involved in
>      this decision.  This approach has been endorsed by the
>      President, the Vice President, and appropriate Cabinet
>      officials.

Quick, without looking back, what name is missing from that list?

> Q:   Who was consulted?  The Congress?  Industry?
> 
> A:   We have on-going discussions with Congress and industry on
>      encryption issues, and expect those discussions to intensify
>      as we carry out our review of encryption policy.  We have
>      briefed members of Congress and industry leaders on the
>      decisions related to this initiative.

The people who agree with us and who think there is a buck in it for them.

> Q:   Will the government provide the hardware to manufacturers?
> 
> A:   The government designed and developed the key access
>      encryption microcircuits, but it is not providing the
>      microcircuits to product manufacturers.  Product
>      manufacturers can acquire the microcircuits from the chip
>      manufacturer that produces them.

The reverse engineering provisions of the 'Mask-work' act could be relevant
here.

> Q:   Who provides the "Clipper Chip"?
> 
> A:   Mykotronx programs it at their facility in Torrance,
>      California, and will sell the chip to encryption device
>      manufacturers.  The programming function could be licensed
>      to other vendors in the future.
> 
> Q:   How do I buy one of these encryption devices? 
> 
> A:   We expect several manufacturers to consider incorporating
>      the "Clipper Chip" into their devices.

You don't. Not unless you are one of the 'right people'.

> Q:   If the Administration were unable to find a technological
>      solution like the one proposed, would the Administration be
>      willing to use legal remedies to restrict access to more
>      powerful encryption devices?
> 
> A:   This is a fundamental policy question which will be
>      considered during the broad policy review.  The key escrow

They missed the word secret here. He needs a grammar lesson too.

>      mechanism will provide Americans with an encryption product
>      that is more secure, more convenient, and less expensive
>      than others readily available today, but it is just one
>      piece of what must be the comprehensive approach to
>      encryption technology, which the Administration is
>      developing.

I would say "less secure, less convenient, more expensive ( PGP is free ),
less available, and more prone to being compromised"
Proofs to the contrary will be welcome. Note PROOF.

>      The Administration is not saying, "since encryption
>      threatens the public safety and effective law enforcement,
>      we will prohibit it outright" (as some countries have
>      effectively done); nor is the U.S. saying that "every
>      American, as a matter of right, is entitled to an
>      unbreakable commercial encryption product."

They don't seem to be saying anything that makes much sense. And this proposal
DOES prohibit it except in a very limited way. And, this is the one explicit
reference to personal rights. It is a denial. And yes, I don't think that the
Mexicans, Brazilians, and Canucks are included in Clinton et al.'s magnanimous
gesture.

> ...  There is a
>      false "tension" created in the assessment that this issue is
>      an "either-or" proposition.  Rather, both concerns can be,
>      and in fact are, harmoniously balanced through a reasoned,
>      balanced approach such as is proposed with the "Clipper
>      Chip" and similar encryption techniques.

The 'false tension' is false. The balance is between two repugnant points. The
RIGHT to privacy is hand-waved to non-existence by putting it behind the "false
assessment". It is assumed that the removal of the right to take whatever steps
YOU deem suitable to protect YOUR privacy is non negotiable, hence is defined
in the government language to be non-existent. If you don't agree, you must be a
criminal, as only criminals don't agree with our laws. Also note the non-
question. "If what is here was not possible..."

> Q:   What does this decision indicate about how the Clinton
>      Administration's policy toward encryption will differ from
>      that of the Bush Administration?  
> 
> A:   It indicates that we understand the importance of encryption
>      technology in telecommunications and computing and are
>      committed to working with industry and public-interest
>      groups to find innovative ways to protect Americans'
>      privacy, help businesses to compete, and ensure that law
>      enforcement agencies have the tools they need to fight crime
>      and terrorism.

It indicates we know that Bush dropped the ball in squashing that nasty < insert
suitable rhetoric > and will stamp out this disorderly, unruly outbreak of
freedom and ultra-national sentiment.

> Q:   Will the devices be exportable?  Will other devices that use
>      the government hardware?
> 
> A:   Voice encryption devices are subject to export control
>      requirements.  Case-by-case review for each export is
>      required to ensure appropriate use of these devices.  The
>      same is true for other encryption devices.  One of the
>      attractions of this technology is the protection it can give
>      to U.S. companies operating at home and abroad.  With this
>      in mind, we expect export licenses will be granted on a
>      case-by-case basis for U.S. companies seeking to use these
>      devices to secure their own communications abroad.  We plan
>      to review the possibility of permitting wider exportability
>      of these products.
> 

This one is a real giggle. In Australia or France, they will have to reveal the
keys, and the algorithm. Don't think it's at the top of my list of things I must
have, so the restrictions will protect me from salesmen trying to sell me a bill
of crock.

As for any others using it, they must be nuts!

Good luck folks.

~Paul


Newsgroup: sci.crypt
document_id: 15431
From: rab@well.sf.ca.us (Bob Bickford)
Subject: Re: More technical details


The system, or 'family', key would appear to be cryptographically
useless, since *every* chip must know it and be able to remove its
effects from the bitstream.  I daresay that it will be widely known
almost immediately after this system is deployed, and since it's been
pointed out that there is not a separate decrypt key -- the same key
is used for both encryption and decryption -- there goes any benefit
to the use of a system-wide key in SkipJack.
--
 Robert Bickford      "A Hacker is any person who derives joy from
 rab@well.sf.ca.us    discovering ways to circumvent limitations." rab'86
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
"I recognize that a class of criminals and juvenile delinquents has
taken to calling themselves 'hackers', but I consider them irrelevant
to the true meaning of the word; just as the Mafia calls themselves
'businessmen' but nobody pays that fact any attention."            rab'90
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Newsgroup: sci.crypt
document_id: 15432
From: wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705)
Subject: Re: Once tapped, your code is no good any more.

   For example, I don't own a cordless phone.  With Clipper, I would.  If the 
   local men in blue really want to listen to me talk to my friends or order 
   pizza, I'm no worse off than I am now, and I don't have to worry about
   local kids or nosy neighbors.
I do tend to agree.  Sigh.

   So, where can I buy a DES-encrypted cellular phone?  How much does it cost?

Of course, if we didn't have government monopolies on cellular phone service,
there probably *would* be some available.

   > How can you reconcile the administrations self proclaimed purpose of 
   > providing law enforcement with access to encrypted data without making 
   > the clipper system the only crypto available in the U.S... ?
   The Second and Fourth Amendments do come to mind.  

The Second Amendment is especially apt, given the ITAR definitions of
crypto equipment as munitions, and the gun-control people's increasing
ability to define things as "assault weapons" and make them illegal.
Triple-DES is obviously used for "assault phones", while
Cripple will be legal, and Triple-Cripple may fall into the gray area
of "illegally upgrading to an assault phone"...

--
#				Pray for peace;      Bill
# Bill Stewart 1-908-949-0705 wcs@anchor.att.com AT&T Bell Labs 4M312 Holmdel NJ
#	              No, I'm *from* New Jersey, I only *work* in cyberspace....
# White House Comment Line 1-202-456-1111  fax 1-202-456-2461

Newsgroup: sci.crypt
document_id: 15433
From: holland@CS.ColoState.EDU (douglas craig holland)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

In article <1993Apr19.130132.12650@afterlife.ncsc.mil> rlward1@afterlife.ncsc.mil (Robert Ward) writes:
>In article <bontchev.734981805@fbihh> bontchev@fbihh.informatik.uni-hamburg.de writes:
>>and since the US constitutions guarantees the right to every American
>>to bear arms, why is not every American entitled, as a matter of
>
>Have you read the applicable part of the Constitution and interpreted it IN 
>CONTEXT?  If not, please do so before posting this misinterpretation again.
>It refers to the right of the people to organize a militia, not for individuals
>to carry handguns, grenades, and assault rifles.  

Read the Constitution yourself.  The Second Amendment says the right to bear
arms shall not be infringed, so a well regulated militia may be more easily
formed.  I have an interpretation of the Second that shows there are no 
qualifications to the right to keep and bear arms.  If you want, I can E-mail
it to you.  By the way, gun talk belongs in talk.politics.guns.
							Doug Holland


Newsgroup: sci.crypt
document_id: 15434
Subject: Re: Once tapped, your code is no good any more.
From: a_rubin@dsg4.dse.beckman.com (Arthur Rubin)

In <strnlghtC5nrHw.1qB@netcom.com> strnlght@netcom.com (David Sternlight) writes:

>In article <115863@bu.edu> uni@acs.bu.edu (Shaen Bernhardt) writes:

>>
>>I wish I could agree with you.  Ask yourself this.  Why would any private
>>sector entity wish to buy a crypto system that was KNOWN to be at least
>>partially compromised? (Key escrows in this instance)  Why would any
>>private sector entity wish to buy a crypto system that had not been properly
>>evaluated?  (i.e. algorithm not publicly released)
>>The answer seems obvious to me, they wouldn't.  There is other hardware out
>>there not compromised.  DES as an example (triple DES as a better one.)

>What follows is my opinion. It is not asserted to be "the truth" so no
>flames, please.  It comes out of a background of 20 years as a senior
>corporate staff executive in two Fortune 50 companies.

No wonder American businesses are going down the tubes! :-|

>I'd be happy to use a crypto system supplied by the NSA for business, if
>they told me it was more secure than DES, and in particular resistant to
>attempts by Japanese, French, and other competitive companies and
>governments to break.

(It's NIST, not NSA.  NSA is not supposed to have anything to do with this.)
They didn't say that.  They said it was better than some commercial-grade
encryptions.  I, for one, wouldn't trust them if they did, unless they
release the algorithm for investigation.

>I'd be happy to do so even with escrowed keys, provided I was happy about
>the bona fides of the escrow agencies (the Federal Reserve would certainly
>satisfy me, as would something set up by one of the big 8 accounting firms).

Maybe the ACLU and EFF.  (It would have to be a non-profit, so the big 8
would be out.)

>I'd trust the NSA or the President if they stated there were no trap
>doors--I'd be even happier if a committee of independent experts examined
>the thing under seal of secrecy and reported back that it was secure.

I wouldn't trust the NSA.  I think I would trust the President on this, but
I'm not certain he would be told.

>I'd trust something from the NSA long before I'd trust something from some
>Swiss or anybody Japanese.

That's your problem.

>This may seem surprising to some here, but I suggest most corporations would
>feel the same way. Most/many/some (pick one) corporations have an attitude
>that the NSA is part of our government and "we support our government", as
>one very famous CEO put it to me one day.

I want to emphasize that I am not speaking for Beckman Instruments at this
point.  However, we are an international company, and I would like to think
that our customers come first, ahead of our government's whims.
--
Arthur L. Rubin: a_rubin@dsg4.dse.beckman.com (work) Beckman Instruments/Brea
216-5888@mcimail.com 70707.453@compuserve.com arthur@pnet01.cts.com (personal)
My opinions are my own, and do not represent those of my employer.

Newsgroup: sci.crypt
document_id: 15435
From: geoff@ficus.cs.ucla.edu (Geoffrey Kuenning)
Subject: Re: Once tapped, your code is no good any more.

In article <2073@rwing.UUCP> pat@rwing.UUCP (Pat Myrto) writes:

> fishing expeditions without the target's knowlege.  Don't give up the
> right to be safe from that - that should be non-negotiable, and Clinton
> and Co. know it (which is probably why they quietly developed this thing,
> figuring if they get it this far, they can ram it on through).

It always amazes me how quick people are to blame whatever
administration is current for things they couldn't possibly have
initiated.  This chip had to take *years* to develop, yet already
we're claiming that the Clinton administration sneaked it in on us.
Bullshit.  The *Bush* administration and the career Gestapo were
responsible for this horror, and the careerists presented it to the
new presidency as a fait accompli.  That doesn't excuse Clinton and
Gore from criticism for being so stupid as to go for it, but let's lay
the body at the proper door to start with.
-- 
	Geoff Kuenning	geoff@maui.cs.ucla.edu	geoff@ITcorp.com

Newsgroup: sci.crypt
document_id: 15436
From: jhart@agora.rain.com (Jim Hart)
Subject: Screw the people, crypto is for hard-core hackers & spooks only

Since the wiretap chip is being distributed internationally,
allowing the U.S. government to spy on foreign governments,
companies and people as well as to wiretap domestic citizens,
this is a world-wide issue.  Please put DISTRIBUTION: WORLD on the
Distribution: line.  Thank you.

ygoland@wright.seas.ucla.edu (The Jester) writes:

>However assuming that I can still encrypt things as I please, who
>cares about the clipper chip? 

You don't care that people are being lied to, fooled into believing
the chip gives "privacy" when it fact it allows wiretaps?  You
don't give a shit about anybody's privacy except your own?  (And
not even your own; are you so smart that you know when you're talking to
somebody who has a wiretap chip on their phone instead of a privacy
chip with private keys?)

>attitude that everyone else should have. Instead of worrying about a
>clipper chip, simply connect your handset to your computer and feed
>the voice signal through, process, encrypt, and transmit over the
>phone. The guy on the other hand then does the same in reverse.

"Simply?" "Everyone" should have this attitude?   The only people
who can have this attitude are the most hard-core
computer hackers, who never make phone calls away from their
computer, who apparently never call anybody except another computer 
hacker, or perhaps another spook (U.S. classified agents refuse to use
their own system, only oblivious civilian dupes get that dubious privilege).
Only spooks and hard-core hackers need privacy, huh?

We *do* need an alternative to NSA-bugged telephones, but
we're talking inexpensive *telephones* here, including hand-sized
cellulars, that need strong crypto, real privacy.  Make-shift
computer hacker rigs that require living by your computer to
talk privately over the phone are just a dumb stunt that doesn't 
do anything for anybody's privacy in the real world.  

What we need is a true *privacy chip*.  For example, a real-time 
voice-encryption RSA, put it into a silicon compiler and spit out ASIC.  
Put this chip on the market as a de facto standard for international 
business, diplomats, and private communications.  If the U.S. bans 
it, we make it somewhere else and import it.  The Japanese, German,
Dutch, Taiwanese, Korean, etc. electronics companies don't want the 
NSA spying on them.  U.S. workers lose more jobs to government fascist
stupidity.

jhart@agora.rain.com

Newsgroup: sci.crypt
document_id: 15437
From: rdippold@qualcomm.com (Ron "Asbestos" Dippold)
Subject: Re: Once tapped, your code is no good any more.


geoff@ficus.cs.ucla.edu (Geoffrey Kuenning) writes:
>Bullshit.  The *Bush* administration and the career Gestapo were
>responsible for this horror, and the careerists presented it to the
>new presidency as a fait accompli.  That doesn't excuse Clinton and
>Gore from criticism for being so stupid as to go for it, but let's lay
>the body at the proper door to start with.

The final stages of denial... I can hardly imagine what the result
would have been if the Clinton administration had actually supported
this plan, instead of merely acquiescing with repugnance as they've so
obviously been doing.  I don't believe the chip originated with the Clinton
administration either, but the Clinton administration has embraced it
and brought it to fruition.

Both of the major parties have what they consider excellent reasons
for limiting your freedoms and violating your privacy, and even seem
to feel that they're doing you a favor.  If this is really surprising
to anyone it means they've been willfully ignoring quite a bit of
previous evidence.  There's only one political party (not calling
anarchists a party) that considers your freedom and privacy goals
worthy in and of themselves.  If you're voting for the big two, you're
supporting a reduction of those rights (given their goals and their
histories), regardless of whether you personally support that
reduction.  To paint Clinton and Gore as unwitting tools is really
stretching things.

-- 
When you have to kill a man it costs nothing to be polite. -- Churchill

Newsgroup: sci.crypt
document_id: 15438
From: trussell@cwis.unomaha.edu (Tim Russell)
Subject: Re: Once tapped, your code is no good any more.

geoff@ficus.cs.ucla.edu (Geoffrey Kuenning) writes:

>It always amazes me how quick people are to blame whatever
>administration is current for things they couldn't possibly have
>initiated.  This chip had to take *years* to develop, yet already
>we're claiming that the Clinton administration sneaked it in on us.

    No kidding.  The most recent post I saw in alt.privacy.clipper (and I
hope anyone interested in this topic ends up there) states that Clipper
has been in development for over four years.

    I am, however, more than a little PO'd that Clinton put his name on
this monstrosity, or even allowed it to get out the door, for that matter.
He's already heard from me, and I hope you'll all take the time to voice
your extreme displeasure as well.

--
   Tim Russell                 Omaha, NE              trussell@unomaha.edu

Newsgroup: sci.crypt
document_id: 15439
From: mccoy@ccwf.cc.utexas.edu (Jim McCoy)
Subject: Re: Fifth Amendment and Passwords


In article <1993Apr19.180049.20572@qualcomm.com>, karn@unix.ka9q.ampr.org (Phil Karn) writes:
> In article <1993Apr18.233112.24107@colnet.cmhnet.org>, res@colnet.cmhnet.org (Rob Stampfli) writes:
> |> >Sadly, it does not. Suspects can be compelled to give handwriting and
> |> >voice exemplars, and to take blood and DNA tests.
> |> 
> |> I am sure that Mike is correct on this point.  I am also pretty sure that
> |> administering "truth serum" would be ruled a violation of your right
> |> not to incriminate yourself.  But, what is the salient difference?
> 
> You can find the salient difference in any number of 5th amendment
> related Supreme Court opinions. The Court limits 5th amendment
> protections to what they call "testimonial" evidence, as opposed to
> physical evidence.

I have a question that is a slight variation on the previously mentioned
examples that perhaps people could give me some pointers on (it has been a
couple of years since my Con Law class in college so I hope I am not
missing something obvious here...)

Basic Scenario:

	I set up a bbs that uses public-key encryption and encryption of
	files on disk.  The general setup is designed so that when users 
	connect they send a private key encrypted using the system public
	key and the user's public-private keypair is used to wrap the
	one-time session keys used for encrypting the files on disk.  The
	result of this is that even if I reveal the system private key it
	is impossible for anyone to gain access to the files stored on the
	machine.  What is possible is for someone to use the revealed
	system private key to entice users into revealing their personal
	private keys during the authentication sequence.

Questions:

	Does the fact that the system private key does not provide any
	information useful for a search give me any protection as far as
	being coerced to reveal the key?  (I doubt it myself..)

	It seems providing the system private key does not mean that I am
	assisting in "entrapment" (the users would send their key anyway
	and are not being enticed into doing something they would not
	otherwise do) but is there any other hook that can be used?

	Would the user private-key enticement require wiretap approval?

Any answers or general musings on the subject would be appreciated...

jim
-- 
Jim McCoy                |  UT Unix Sysadmin Tiger Team
mccoy@ccwf.cc.utexas.edu |  #include <disclaimer.h>
j-mccoy@nwu.edu          |  pgp key available via finger or upon request

Newsgroup: sci.crypt
document_id: 15440
From: langley@dirac.scri.fsu.edu (Randolph Langley)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption


Gee, I guess they should also have such a repository for house keys,
car keys, safety deposit keys, ... :-(

rdl
--



Newsgroup: sci.crypt
document_id: 15441
From: uni@acs.bu.edu (Shaen Bernhardt)
Subject: Re: What the clipper nay-sayers sound like to me.

In article <1qsvfcINNq9v@dns1.NMSU.Edu> amolitor@moink.nmsu.edu (Andrew Molitor) writes:
>
>	The following is available in some FTP archive somewhere, I insert
>my comments liberally throughout this demonic memo of Big Brotherdom:
>
>>	White House Announcement on Screw Thread Standards
>>	--------------------------------------------------
>>
>>	This is to announce that the American National Standards
>>Institute (or whatever it is) has been given the authority to define
>>standard dimensions for screw threads.
>
>   Look! This is clearly the first step toward outlawing our
>   own screw thread specifications. If this madness isn't fought,
>   tooth and nail, every step of the way, it'll be a crime to use
>   screw threads other than those our Fearless Leaders so *graciously*
>   define for us.

[Sarcastic text deleted, No value judgement implied]

>	Screw you, Bill Clinton! You and your totalitarianist thugs!
>
>------------------------------------------------------------------------
>amolitor@nmsu.edu | finger for PGST personal screw thread pitch, or
>Screw Threads     |  see the screw thread servers.
>must be freed!    |
>------------------------------------------------------------------------

At first I was going to complain that your analogy was completely
irrelevant.  But then I remembered something.

Remember that move to get the U.S. to the metric system all those
years ago?  As far as I know we were supposed to be there by now.

The government sold it as better for the people, easier to be in
tune with the rest of the world.  They had decided it was for
our own good.

Then, when the plan was released, it soon became apparent that the
government were a bunch 'o' thickies.

Think about it, change all the railroad track widths, signs,
screws, abolish the old regime.

At the cost of millions of dollars.

Your point is well taken.  You think there is nothing to worry
about, you could care less who designs your cryptography, any
more than who designs your screws or the system of measurement
you use.

Sit back, that's right, just relax, we'll take care of all your
needs Mr. Molitor.


-- 
uni@acs.bu.edu  ->  Public Keys by finger and/or request
Public Key Archives: <pgp-public-keys@pgp.iastate.edu> 
Sovereignty is the sign of a brutal past.<>Fight Clinton's Wiretap Chip!
DF610670F2467B99 97DE2B5C3749148C <> Crypto is not a Crime! Ask me how!

Newsgroup: sci.crypt
document_id: 15442
From: artmel@well.sf.ca.us (Arthur Melnick)
Subject: Some questions regarding Big Brother (Clipper)


     In previous postings by Hellman, Bellovin, etal it was
reported the Big Brother (Clipper) chip will encrypt plaintext in
64 bit blocks as is done with DES.  The users key K which can be
derived from RSA, Diffie-Hellman, etc. is used to encrypt
plaintext M and is then used to form a "three part message".
     This three part message consists of E[M; K], K encrypted
with some other key, and the chip serial number.  This three part
message is then encrypted by still another key.
     My question is: What is a message?
     For example, say we are dealing with an encrypted digitized
voice application.  The speech waveform is sampled and digitized
and then some number of samples are grouped into a 64 bit block.
This block is then encrypted and transmitted over a non-secure
communications link.
     Where is the three part message?  Is something appended to
each 64 bit block?  Is a header sent at the beginning of the
session?
     If the header is sent at the beginning of the session, how
do they ensure the equipment manufacturer using the chip does
just that?  Can just anyone manufacture products using the chip?
Is a facility clearance required to manufacture?
     Any ideas?
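A toy model of the layering Melnick describes (E[M; K], K wrapped under another key, the chip serial, all under a further key) and of Bickford's point that a family key every chip holds cannot hide anything from another chip. This is an added example, not code from any poster and not the real Skipjack cipher or LEAF layout (both classified at the time): a SHA-256 keystream XOR cipher stands in for every encryption step, the field sizes are constructed, and the device key is split into two XOR shares as the Q&A says the escrow halves are.

```python
"""Constructed model of a Clipper-style three-part message with split escrow.

Layering modelled (all key lengths and field sizes are constructed choices):

    ciphertext   = E[M; K]                                 session key K
    escrow_field = E[ E[K; unit_key] || serial ; family_key ]

unit_key belongs to one chip and is split between two escrow agents.
family_key is known to every chip, so the outer layer only hides the
field from parties who are not chips at all.
"""
import hashlib

KEY_LEN = 16     # bytes of session/unit key; constructed, not the chip's real size
SERIAL_LEN = 4   # bytes of chip serial; constructed


def keystream(key: bytes, label: bytes, n: int) -> bytes:
    """n bytes of keystream from SHA-256(key || label || counter): a toy CTR mode."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + label + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def xor_crypt(key: bytes, label: bytes, data: bytes) -> bytes:
    """XOR stream cipher standing in for the classified block cipher.
    Encryption and decryption are the same call."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, label, len(data))))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_unit_key(unit_key: bytes, share1: bytes):
    """Two-agent XOR split. share1 is the first agent's share (random in
    practice, fixed here for reproducibility); share2 = unit_key XOR share1
    goes to the second agent. Either share alone is independent of unit_key."""
    return share1, xor_bytes(unit_key, share1)


def reconstruct_unit_key(share1: bytes, share2: bytes) -> bytes:
    """Both agents' shares together give back the device key."""
    return xor_bytes(share1, share2)


def chip_encrypt(plaintext, session_key, unit_key, serial, family_key):
    """What the sending chip emits: the message body plus the escrow field."""
    assert len(session_key) == KEY_LEN and len(serial) == SERIAL_LEN
    body = xor_crypt(session_key, b"body", plaintext)
    wrapped_key = xor_crypt(unit_key, b"unit", session_key)
    escrow_field = xor_crypt(family_key, b"family", wrapped_key + serial)
    return {"ciphertext": body, "escrow_field": escrow_field}


def peer_view(message, family_key):
    """What any holder of the family key (i.e. every chip) sees: the outer
    layer comes off, exposing the serial number, but the session key is
    still wrapped under unit_key, which this party does not hold."""
    inner = xor_crypt(family_key, b"family", message["escrow_field"])
    return {"wrapped_key": inner[:KEY_LEN], "serial": inner[KEY_LEN:]}


def escrow_decrypt(message, family_key, share1, share2):
    """The authorised path: family key plus BOTH escrow shares recover K,
    and with K the message body. With a wrong or missing share the
    reconstructed unit key is wrong and the output is garbage."""
    view = peer_view(message, family_key)
    unit_key = reconstruct_unit_key(share1, share2)
    session_key = xor_crypt(unit_key, b"unit", view["wrapped_key"])
    plaintext = xor_crypt(session_key, b"body", message["ciphertext"])
    return view["serial"], plaintext


def demo():
    """Fixed constructed values; returns what each party learns."""
    family_key = b"constructed-family-key"
    unit_key = bytes(range(KEY_LEN))
    share1, share2 = split_unit_key(unit_key, b"\x55" * KEY_LEN)
    serial = b"\x00\x00\x00\x2a"
    message = chip_encrypt(b"order a pizza", b"K" * KEY_LEN, unit_key,
                           serial, family_key)
    peer = peer_view(message, family_key)
    _, authorised = escrow_decrypt(message, family_key, share1, share2)
    _, one_share_only = escrow_decrypt(message, family_key, share1, share1)
    return {
        "serial_visible_to_any_chip": peer["serial"],
        "authorised_plaintext": authorised,
        "one_share_plaintext_correct": one_share_only == b"order a pizza",
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```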

Newsgroup: sci.crypt
document_id: 15443
From: pat@rwing.UUCP (Pat Myrto)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

In article <strnlghtC5puCL.6Kp@netcom.com> strnlght@netcom.com (David Sternlight) writes:
>In article <Apr18.204843.50316@yuma.ACNS.ColoState.EDU>
>holland@CS.ColoState.EDU (douglas craig holland) writes:
>
>
>>	Let me ask you this.  Would you trust Richard Nixon with your
>>crypto keys?  I wouldn't.
>
>I take it you mean President Nixon, not private citizen Nixon. Sure.
>Nothing I'm doing would be of the slightest interest to President Nixon .

I am sure you didn't miss the implication that we could have another
Richard Nixon type president in the future (perhaps not too distant
future, actually).  With that in mind, then I take it you also would
not object to the Gov coming up with a decision (not proposal - just
like Clinton Cripple is a decision, not a proposal) sprung on us to
start placing video cameras with sound in every room of your house,
which could be activated without your knowledge.  They would be well
concealed so you wouldn't know the location, to prevent you from covering
the lens opening.  After all, nothing you're doing would be of the
slightest interest to a government official, right?  So, you surely
should not object to such a proposal...

Not the best analogy, but the principle is pretty close - the ability
to eavesdrop on your activity with little or no effort, without your
knowledge, protected entirely by "government safeguards".  You can
still draw your curtains, so you can still have your privacy from everyone
else (except Big Brother)!!  After all we need this for protection from
drug dealers and terrorists and other criminals (like 'enemies of the
STATE')... and you don't really have a right to "unbreakable" privacy
anyway, sort of as the press release of the Clinton Cripple DECISION
puts it...

I find it curious they use the word "unbreakable" when the term really
should be "difficult to break without proper authorization" (which the
Government most certainly has at their disposal, right?  They wouldn't
want to be able to break it ILLEGALLY, would they?)...  Nawww, not
"for the People" Clinton....

Can you, while my mind is on it, give us one good reason that the
algorithm should be a secret algorithm, unless this encryption scheme
either is a joke, or contains features like a 'master key' or other back
door for UNAUTHORIZED eavesdropping? If it was really even moderately
secure, and the government really meant to require the proper court
order and the keys that are in the Escrow accounts to be able to decipher
the traffic, what is the need to keep the algorithm secret?  Seems I
hear rather often that if an encryption scheme requires the algorithm
to remain a secret to be effective, it is not a worthwhile scheme... is
this just idle talk, or is the Administration bullshitting everyone?

With GREAT skepticism, and many doubts on our Administration's intentions...

And WAIT!! We haven't been told the NEXT gem the Administration has in
mind for e-mail and datafile security.  The press release does say that
this is part of a comprehensive thing on data security for us unprivileged
citizens.  Perhaps 'subjects' would be the better term - 'citizens'
somehow does not seem appropriate... that implies a free people, 'subjects'
better fits a population who serve at the pleasure of their rulers.
One thing for certain:  The government no longer regards the citizens
as their bosses anymore, but the other way around...

-- 
pat@rwing.uucp      [Without prejudice UCC 1-207]     (Pat Myrto) Seattle, WA
         If all else fails, try:       ...!uunet!pilchuck!rwing!pat
WISDOM: "Only two things are infinite; the universe and human stupidity,
         and I am not sure about the former."              - Albert Einstein

Newsgroup: sci.crypt
document_id: 15444
From: uri@watson.ibm.com (Uri Blumenthal)
Subject: Re: Key Registering Bodies

In article <930419182442.669507@DOCKMASTER.NCSC.MIL>, Grant@DOCKMASTER.NCSC.MIL (Lynn R Grant) writes:
|> If we do not trust the NSA to be a registrar of Clipper Chip key halves,
|> I would not trust Mitre either. 

I wouldn't trust Mitre  for another reason: 
remember "The Cuckoo's Egg"?  How great was
their security, eh?

NSA - well, with the list of known "turncoats",
does it make you wonder how many more unknown 
still are there?

(:-) (:-(
-- 
Regards,
Uri. 	  uri@watson.ibm.com	 scifi!angmar!uri 
------------
<Disclaimer>

Newsgroup: sci.crypt
document_id: 15445
From: pla@sktb.demon.co.uk ("Paul L. Allen")
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

-----BEGIN PGP SIGNED MESSAGE-----

In article <PMETZGER.93Apr18141006@snark.shearson.com> pmetzger@snark.shearson.com (Perry E. Metzger) writes:

> In article <1qnupd$jpm@news.intercon.com> amanda@intercon.com (Amanda Walker) writes:
> 
>    From: amanda@intercon.com (Amanda Walker)
> 
>    jhesse@netcom.com (John Hesse) writes:
>    > Oh great. Wonderful news. Nobody can listen in--except the feds. 
> 
>    Hey, it's better than the status quo.
> 
>    I am far less worried about "the feds" tapping my phone than high school 
>    scanner surfers who get their kicks out of eavesdropping on cellular and 
>    cordless phone calls.
> 
> I'm a political dissident. I'm scared shitless of the feds listening
> in on my calls. My opinions are the sort that would get me
> "disappeared" in a slightly less free society -- and who knows what
> sort of society we will be in in five or ten years? I have friends who
> have had their phones tapped -- none of this is theoretical to me.
> 
> As for "it's better than the status quo", well, first of all, you can
> get a cryptophone from companies like Cylink today -- and they work
> well. In addition, a number of groups are now working on building
> software to turn any PC into a privacy enhanced phone right now -- and
> they are all working in overdrive mode.
> 
>    And yes, I'd rather just see all crypto restrictions lifted, but this is at 
>    least an incremental improvement for certain applications...
> 
> There ARE no crypto restrictions... yet. You can use anything you want
> RIGHT NOW. The point is to maintain that right.

The point you all seem to have missed was covered when the UK cellphone
scrambling system was discussed.  Incidentally, my MP has responded to
my questions on that issue, and it appears that the UK and other `approved'
countries will get the secure A5 encryption, and `dodgy' countries will
get A5X.  Existing mobile equipment will drop to clear mode when used with
A5X systems, but newer equipment will use A5/A5X/clear depending on the
capabilities of the base station.

The cops/feds do *not* need to be able to get hold of your private key to
listen in to cellular conversations.  Encryption is not end-to-end, but 
cellphone to base-station - it *has* to be this way so that cellular users
and fixed installations can talk to each other.  For cellular to cellular
calls, the transmission is decrypted at the base-station, passed to another
base-station and re-encrypted.  The cops/feds can listen to the unscrambled
call *provided* they get a warrant to tap into the cellular provider's
equipment.  The only reason for wanting a crackable system is so they can
listen without having to obtain a warrant.

But, maybe the Clipper system is secure, and they really do need a warrant
to get the key out of escrow before they can listen in using a scanner (see
above - they don't *have* to go down this route anyway).  I have my doubts,
but even if true once they have the key they will *never* again need a
warrant to tap into that particular phone whenever they want.  `Well, Judge,
it appears he wasn't a drug-dealer after all, so naturally we'll stop
listening in'...

You have every reason to be scared shitless.  Take a look at the records
of McCarthy, Hoover (J. Edgar, not the cleaner - though they both excelled at
sucking) and Nixon.

- --Paul



Newsgroup: sci.crypt
document_id: 15446
From: ameline@vnet.IBM.COM (Ian Ameline)
Subject: Screw the people, crypto is for hard-core hackers & spooks only

   I suspect that this clipper thing could backfire on the Gov in a
big hurry. I expect that products using these chips will socket them
rather than soldering them, since once the keys are handed over by the
escrow agencies, the chip is so much garbage, and will need to be
replaced. I expect that someone will come along with a pin compatible
chip that uses secure encryption -- possibly even disguised so that it's
not possible to tell it from the clipper chip until you try to use the
2 backdoor keys.

   If I were to manufacture such a chip, as part of my marketing
strategy, I would try to subvert one or both escrow agencies either
through bribes or industrial espionage -- and then publicize the fact.
(doing my best not to be connected with such activities -- which would
likely not be legal :-) Publicly discrediting the escrow agencies would
go quite far towards creating a market for a secure alternative.

  I also believe that someone will reverse engineer the clipper chip,
and knowledge of the algorithm will likely be fairly widespread. Any back-
doors or weaknesses would further discredit the scheme, and help grow
the market demand for a secure alternative.

 I believe that the company that provides such an alternative will make
few friends in the LE community, but lots of money. I also believe that
the government will do its best to make such plug replacements illegal.
I expect that they will see the same success in limiting the availability
of such alternatives as they have seen in limiting the availability of
certain illicit drugs -- i.e. little to none.

Regards,
Ian Ameline.
(Of course the ramblings above have nothing to do with my employer, nor
do I necessarily advocate doing any of the things described here -- I
just believe that the events above are likely to take place)

Newsgroup: sci.crypt
document_id: 15447
From: caronni@nessie.cs.id.ethz.ch (Germano Caronni)
Subject: Re: Fifth Amendment and Passwords

In article <1qv83m$5i2@geraldo.cc.utexas.edu> mccoy@ccwf.cc.utexas.edu (Jim McCoy) writes:
>	I set up a bbs that uses public-key encryption and encryption of
>	files on disk.  The general setup is designed so that when users 
>	connect they send a private key encrypted using the system public
>	key and the user's public-private keypair is used to wrap the
>	one-time session keys used for encrypting the files on disk.  The
>	result of this is that even if I reveal the system private key it
>	is impossible for anyone to gain access to the files stored on the
>	machine.  What is possible is for someone to use the revealed
>	system private key to entice users into revealing their personal
>	private keys during the authentication sequence.
>
>Any answers or general musings on the subject would be appreciated...
>

Just a question. 
As a provider of a public BBS service - aren't you bound by law to guarantee
intelligible access to the data of the users on the BBS, if police comes
with sufficient authorisation?  I guessed this would be a basic condition
for such systems. (I did run a bbs some time ago, but that was in Switzerland)

Friendly greetings,
	Germano Caronni
-- 
Instruments register only through things they're designed to register.
Space still contains infinite unknowns.
                                                              PGP-Key-ID:341027
Germano Caronni caronni@nessie.cs.id.ethz.ch   FD560CCF586F3DA747EA3C94DD01720F

Newsgroup: sci.crypt
document_id: 15448
From: rab@well.sf.ca.us (Bob Bickford)
Subject: Re: More technical details


Another objection occurred to me.  There was a comment about how
supposedly there would only be one decode box, operated by the FBI.
This is flat ridiculous, and I don't believe it for a millisecond.
Even *if* they in fact only build one (or two or some other small
number) of these, that won't stop others from building one.  Make
it work like two Clipper-chip phones, one listening to each side
of the recorded conversation.  I'll have to have another look at
the specs posted so far, but offhand I didn't see anything that
would preclude this sort of thing.....
--
        Robert Bickford                       rab@well.sf.ca.us
 Treasurer and Newsletter Editor,    /-------------------------------------\
 Lib. Party of Marin County (CA)     | Don't Blame Me: I Voted Libertarian |
Member, CA State Central Committee   \-------------------------------------/

Newsgroup: sci.crypt
document_id: 15449
From: <U23590@uicvm.uic.edu>
Subject: Cripple Chip

How about this:  The
TelCo has your Clipper key.  The TelCo
has your intended partner's key, if he is
using one.  Whenever you call, the message
gets decrypted and reencrypted without
any key exchange.  I know it's a stupid
system, but for the feds, it'd be
great.  The point of this isn't to
take over the crypto market, BTW.  Clinton
does not want people to have any sort of crypto at
all (just like Bush).  But he needs some support
for the "technology initiative" garbage he's
pushing (industrial policy stuff) and a computer
chip designed by the gov't is just the thing.

Who's going to think about the (literal) Billions of
Dollars it took for a government agency to design?

-watkins@earth.eecs.uic.edu

Newsgroup: sci.crypt
document_id: 15450
From: jfw@ksr.com (John F. Woods)
Subject: Re: Once tapped, your code is no good any more.

johnson@trwacs.fp.trw.com (Steve Johnson) writes:
>>-Tim May, whose sig block may get him busted in the New Regime
>  A remark I heard the other day is beginning to take on increasingly
>frightening significance.  The comment was made that "In other parts
>of the world the Democrats [note the big "D"] would be known as
>Socialists" 

And in other parts of the world, European "Socialists" would be known as
fascist capitalist pigs.  Get your head out of your labels and think carefully
for once:

According to the EFF announcement on this thing, the NSA has been developing
this turkey for *four* years.  The manufacturing contract was let *14 months
ago*.  Anyone out there who believes that the fact that Clinton's name was
on this White House announcement means that Bush or any other Republican is
a staunch supporter of personal privacy is a fool.

If this topic disturbs you, can the political finger-pointing and talk about
what you can do about it.  If you've just GOT to point fingers, remember that
this scheme was STARTED when a secret policeman was President.

Newsgroup: sci.crypt
document_id: 15451
From: jebright@magnus.acs.ohio-state.edu (James R Ebright)
Subject: Re: WH proposal from Police point of view

In article <PMETZGER.93Apr19122105@snark.shearson.com> pmetzger@lehman.com writes:
>
>In article <strnlghtC5puor.704@netcom.com> strnlght@netcom.com (David Sternlight) writes:
>
>   There has been extensive discussion in the eff forum, for example, about
>   inadmissible taps being used to develop information that could then lead to
>   admissible evidence.  This might put a stop to such things, which must from
>   time to time be simple fishing expeditions.
>
>Far more likely, these things will continue to be done no matter what
>assurances we are given. "Key Escrow" is likely going to prove to be a
>joke.

I feel like Winston Churchill in 1941 :( ...... but,
the privacy Clipper will, TO THE EXTENT KEY ESCROW IS LEGITIMATE, stop
most of the abuse of wiretaps by local cops, company cops, angry husbands/
wives, etc...  It is going to be hard for the keystone cops, the
Proctor&Gamble cops, etc. to bypass even a product as flawed as the ClipJob.

Now I admit, I am hard pressed to find anything else good to say about it
except that, if it actually takes off, someone will certainly come up with
a REAL crypto chip (pin compatible!) that we can buy... Unless, of course,
Big Brother makes it illegal to have real crypto 'cause good honest law
abiding citizens will be HAPPY to let the government listen to their
every word.... "Me? Did I say THAT?"

        "I am not a crook." - President Richard M. Nixon
                              ^^^^^^^^^

-- 
 Information farming at...     For addr&phone: finger             A/~~\A
 THE Ohio State University  jebright@magnus.acs.ohio-state.edu   ((0  0))____
      Jim Ebright             e-mail: jre+@osu.edu                 \  /      \
                                                                   (--)\      

Newsgroup: sci.crypt
document_id: 15452
From: bear@kestrel.fsl.noaa.gov (Bear Giles)
Subject: Re: Fifth Amendment and Passwords

In article <1993Apr20.000359.20098@bernina.ethz.ch> caronni@nessie.cs.id.ethz.ch (Germano Caronni) writes:
>
>Just a question. 
>As a provider of a public BBS service - aren't you bound by law to gurantee
>intelligble access to the data of the users on the BBS, if police comes
>with sufficent authorisation ? I guessed this would be  a basic condition
>for such systems. (I did run a bbs some time ago, but that was in Switzerland)

That sounds like an old _Dragnet_ episode.

  "Joe and I went to the apartment of Prime Suspect.  Nobody answered the
  door, but his landlord gave us permission to search the apartment."

Perhaps that worked in California in the 60's, but as I understand the
law landlords do _not_ have authority to grant permission to search space
rented by a third party, provided the lease is not in default, etc.
(I'm not even sure if they can provide the master key, when shown a search
warrant, since the _subject_ of the search is supposed to be notified).

At this point the question becomes: did the user "rent" the disk space
her encrypted file occupies?  If she did, it _should_ fall under the same
body of case law that applies to apartments, storage lockers, etc.  (As
to whether any court would recognize this fact....)  If she did not (i.e.,
no compensation exchanged), I don't know how it would be treated -- there
doesn't seem to be a non-cyberspace equivalent.

-- 
Bear Giles
bear@fsl.noaa.gov

Newsgroup: sci.crypt
document_id: 15453
From: bear@kestrel.fsl.noaa.gov (Bear Giles)
Subject: Re: Why the clipper algorithm is secret

In article <C5pstr.Lu2@panix.com> dfl@panix.com (Danny O'Bedlam) writes:
>	The algorithm is classified because a military contract (or similar
>government equivalent to military) has been let for this "proprietary"
>design that the Feds say that NSA developed.  Is there a patent?  Is that
>patent publicly available?  My betting is that that too is classified.

Unless there has been a _major_ change in the law, there's no such beast
as a "classified patent."  Patents exist to encourage communications and
develop the state of the art. 

(The 17-year lock is a nuisance, but historically has been pretty trivial.
It's only in an industry which doubles performance every three years (or
18 months, for some hardware) that 17 years is an eternity).

The same thing applies in civilian development: you can't patent something 
_and_ declare it a "trade secret."  However, you can (and should) mark all
software (including proprietary code) "unpublished copyright" so that if it
ever does get exposed you still have some legal protection.

(Post-Berne this isn't required, since everything is "born copyrighted."
But it takes a while for people to learn the new rules).

-- 
Bear Giles
bear@fsl.noaa.gov

Newsgroup: sci.crypt
document_id: 15454
From: johng@ecs.comm.mot.com (John Gilbert)
Subject: clipper chip --Bush did it

In article <WCS.93Apr17024857@rainier.ATT.COM> wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705) writes:
>... This is the Democrats' version
>"Defend Free Speech - Reject Republicans" followed by speech control.

This must have been in the works for some time.  The Bush administration must
have been working on it for quite a while.  --Clinton simply took the credit (or
blame, depending on how you look at it).

-- 
John Gilbert                          johng@ecs.comm.mot.com  

Newsgroup: sci.crypt
document_id: 15455
From: denning@guvax.acc.georgetown.edu
Subject: THE CLIPPER CHIP: A TECHNICAL SUMMARY

The following document summarizes the Clipper Chip, how it is used,
how programming of the chip is coupled to key generation and the
escrow process, and how law enforcement decrypts communications.
Since there has been some speculation on this news group about my
own involvement in this project, I'd like to add that I was not in
any way involved.  I found out about it when the FBI briefed me on
Thursday evening, April 15.  Since then I have spent considerable
time talking with the NSA and FBI to learn more about this, and I
attended the NIST briefing at the Department of Commerce on April 16.  
The document below is the result of that effort. 

Dorothy Denning
---------------

                     THE CLIPPER CHIP: A TECHNICAL SUMMARY

                               Dorothy Denning

                                April 19, 1993


INTRODUCTION

On April 16, the President announced a new initiative that will bring
together the Federal Government and industry in a voluntary program
to provide secure communications while meeting the legitimate needs of
law enforcement.  At the heart of the plan is a new tamper-proof encryption
chip called the "Clipper Chip" together with a split-key approach to
escrowing keys.  Two escrow agencies are used, and the key parts from
both are needed to reconstruct a key.


CHIP STRUCTURE

The Clipper Chip contains a classified 64-bit block encryption
algorithm called "Skipjack."  The algorithm uses 80 bit keys (compared
with 56 for the DES) and has 32 rounds of scrambling (compared with 16
for the DES).  It supports all 4 DES modes of operation.  Throughput is
16 Mbits a second.

Each chip includes the following components:

   the Skipjack encryption algorithm
   F, an 80-bit family key that is common to all chips
   N, a 30-bit serial number
   U, an 80-bit secret key that unlocks all messages encrypted with the chip


ENCRYPTING WITH THE CHIP

To see how the chip is used, imagine that it is embedded in the AT&T
telephone security device (as it will be).  Suppose I call someone and
we both have such a device.  After pushing a button to start a secure
conversation, my security device will negotiate a session key K with
the device at the other end (in general, any method of key exchange can
be used).  The key K and message stream M (i.e., digitized voice) are then
fed into the Clipper Chip to produce two values:

   E[M; K], the encrypted message stream, and 
   E[E[K; U] + N; F], a law enforcement block.  

The law enforcement block thus contains the session key K encrypted
under the unit key U concatenated with the serial number N, all
encrypted under the family key F.


CHIP PROGRAMMING AND ESCROW

All Clipper Chips are programmed inside a SCIF (secure computer
information facility), which is essentially a vault.  The SCIF contains
a laptop computer and equipment to program the chips.  About 300 chips
are programmed during a single session.  The SCIF is located at
Mykotronx.

At the beginning of a session, a trusted agent from each of the two key
escrow agencies enters the vault.  Agent 1 enters an 80-bit value S1
into the laptop and agent 2 enters an 80-bit value S2. These values
serve as seeds to generate keys for a sequence of serial numbers.

To generate the unit key for a serial number N, the 30-bit value N is
first padded with a fixed 34-bit block to produce a 64-bit block N1.
S1 and S2 are then used as keys to triple-encrypt N1, producing a
64-bit block R1:

        R1 = E[D[E[N1; S1]; S2]; S1] .

Similarly, N is padded with two other 34-bit blocks to produce N2 and
N3, and two additional 64-bit blocks R2 and R3 are computed:  

        R2 = E[D[E[N2; S1]; S2]; S1] 
        R3 = E[D[E[N3; S1]; S2]; S1] .

R1, R2, and R3 are then concatenated together, giving 192 bits. The
first 80 bits are assigned to U1 and the second 80 bits to U2.  The
rest are discarded.  The unit key U is the XOR of U1 and U2.  U1 and U2
are the key parts that are separately escrowed with the two escrow
agencies.

As a sequence of values for U1, U2, and U is generated, they are
written onto three separate floppy disks.  The first disk contains a
file for each serial number that contains the corresponding key part
U1.  The second disk is similar but contains the U2 values.  The third
disk contains the unit keys U.  Agent 1 takes the first disk and agent
2 takes the second disk.  The third disk is used to program the chips.
After the chips are programmed, all information is discarded from the
vault and the agents leave.  The laptop may be destroyed for additional
assurance that no information is left behind.
 
The protocol may be changed slightly so that four people are in the
room instead of two.  The first two would provide the seeds S1 and S2,
and the second two (the escrow agents) would take the disks back to
the escrow agencies.

The escrow agencies have yet to be determined, but they will not
be the NSA, CIA, FBI, or any other law enforcement agency.  One or
both may be independent from the government.


LAW ENFORCEMENT USE

When law enforcement has been authorized to tap an encrypted line, they
will first take the warrant to the service provider in order to get
access to the communications line.  Let us assume that the tap is in
place and that they have determined that the line is encrypted with
Clipper.  They will first decrypt the law enforcement block with the
family key F.  This gives them E[K; U] + N.  They will then take a
warrant identifying the chip serial number N to each of the key escrow
agents and get back U1 and U2.  U1 and U2 are XORed together to produce
the unit key U, and E[K; U] is decrypted to get the session key K.
Finally the message stream is decrypted.  All this will be accomplished
through a special black box decoder operated by the FBI.


ACKNOWLEDGMENT AND DISTRIBUTION NOTICE.  All information is based on
information provided by NSA, NIST, and the FBI.  Permission to
distribute this document is granted.
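
The unit-key derivation and escrow split from the summary above, worked through as an added example in Go; this is not Denning's code nor any Clipper implementation. It assumes DES from Go's standard library as a stand-in for the classified Skipjack (so only the first 8 bytes of each 80-bit seed can be used as a key), and the three fixed 34-bit padding blocks are made-up placeholder constants that the summary does not give.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/binary"
	"errors"
	"fmt"
)

// Sizes taken from the summary: 80-bit seeds and keys, 30-bit serial
// numbers, 64-bit cipher blocks.
const (
	keyBytes   = 10 // 80 bits
	serialBits = 30
	padBits    = 34 // 30 + 34 = 64
)

// The three fixed 34-bit padding blocks are not given in the summary;
// these are made-up placeholder constants, one per R_i.
var fixedPads = [3]uint64{0x1A5A5A5A5, 0x2B6B6B6B6, 0x3C7C7C7C7}

// padSerial builds the 64-bit block N_i = N || pad_i, big-endian, with
// the 30-bit serial in the high bits and the 34-bit pad in the low bits.
func padSerial(serial uint32, pad uint64) [8]byte {
	n := uint64(serial) & ((1 << serialBits) - 1)
	var blk [8]byte
	binary.BigEndian.PutUint64(blk[:], (n<<padBits)|(pad&((1<<padBits)-1)))
	return blk
}

// ede computes E[D[E[blk; S1]; S2]; S1]. DES stands in for Skipjack, so
// each 80-bit seed is truncated to DES's 8-byte key (an assumption).
func ede(blk [8]byte, s1, s2 []byte) ([8]byte, error) {
	var out [8]byte
	if len(s1) < 8 || len(s2) < 8 {
		return out, errors.New("seed too short for the stand-in cipher")
	}
	k := make([]byte, 0, 24)
	k = append(k, s1[:8]...)
	k = append(k, s2[:8]...)
	k = append(k, s1[:8]...) // k1 = k3 = S1, k2 = S2: two-key EDE
	c, err := des.NewTripleDESCipher(k)
	if err != nil {
		return out, err
	}
	c.Encrypt(out[:], blk[:])
	return out, nil
}

// deriveUnitKey runs the programming-session derivation for one serial
// number: R1||R2||R3 is 192 bits, U1 is the first 80, U2 the next 80,
// and the remaining 32 are discarded.
func deriveUnitKey(serial uint32, s1, s2 []byte) (u1, u2 []byte, err error) {
	r := make([]byte, 0, 24)
	for _, pad := range fixedPads {
		blk, e := ede(padSerial(serial, pad), s1, s2)
		if e != nil {
			return nil, nil, e
		}
		r = append(r, blk[:]...)
	}
	return r[:keyBytes], r[keyBytes : 2*keyBytes], nil
}

// xorKeys is the escrow recombination step: U = U1 XOR U2. Neither half
// alone is the unit key, which is the property the split escrow relies on.
func xorKeys(u1, u2 []byte) []byte {
	u := make([]byte, len(u1))
	for i := range u1 {
		u[i] = u1[i] ^ u2[i]
	}
	return u
}

func main() {
	// Constructed seeds; in the protocol each escrow agent types one in.
	s1 := bytes.Repeat([]byte{0x11}, keyBytes)
	s2 := bytes.Repeat([]byte{0x22}, keyBytes)
	u1, u2, err := deriveUnitKey(0x1234567, s1, s2)
	if err != nil {
		panic(err)
	}
	fmt.Printf("U1 (escrow agent 1): %x\n", u1)
	fmt.Printf("U2 (escrow agent 2): %x\n", u2)
	fmt.Printf("U  (programmed in):  %x\n", xorKeys(u1, u2))
	// Same seeds and serial give the same halves again: whoever retains
	// S1 and S2 effectively retains every unit key of the session.
	v1, v2, _ := deriveUnitKey(0x1234567, s1, s2)
	fmt.Println("seeds regenerate the keys:", bytes.Equal(u1, v1) && bytes.Equal(u2, v2))
}
```

The derivation is deterministic in S1, S2 and N, which is why the summary's step of discarding all information from the vault matters as much as splitting U1 and U2 between the agencies.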


Newsgroup: sci.crypt
document_id: 15456
From: hagberg@violet.ccit.arizona.edu (HAGBERG JR, D. J.)
Subject: Clipper and Ranting Libertarians

I would think that you could reduce the defense of using non-clipper
based encryption technologies to defending freedom of expression 
(IE, free speech).  That you have the right to express whatever you
want in whatever form your little heart desires so long as you do
not impinge on the rights of others.

Encrypted text/sound/video is just another form of expression of that
particular text/sound/video.  Just like digitized sound is another 
means of expression of sound -- streams of 100100101111 instead of
continuous waveforms.

Also, it shouldn't be up to the government at all.  Encryption 
_Standards_ can be decided upon by Independent Standards Organizations
(apologies for the acronym).  One can note how well this has worked
with ISO and the Metric System, SAE, etc.  Independent entities 
or consortia of people/industries in that particular area are far
more qualified to set standards than any One government agency.
Consider for example what the ASCII character set would have looked
like if it was decided by the government.

I hope this helps folks to formulate their defenses.  I'm still working
on mine and hope to be faxing my congressmen soon...

			-=- D. J. Hagberg
			-=- hagberg@ccit.arizona.edu
			-=- finger ^ for Info and PGP Public Key

Newsgroup: sci.crypt
document_id: 15458
From: kadie@eff.org (Carl M. Kadie)
Subject: Would "clipper" make a good cover for other encryption method?

Clipper might be a good way to cover the use of another layer of
encryption.

Currently, when you send an encrypted message, an opponent can usually
tell 1) that you are using encryption 2) which encryption method you
are using [because that information is usually in the clear].

With clipper, most opponents will only know that you are sending
clipper-text, they won't know that your clipper-text is itself
encoded.

Only those few opponents who get your clipper-keys will know
that your message is double encrypted.

... kind of like a safety deposit box containing a lock box.

So, don't just think of replacements for clipper, also think of front
ends.

- Carl



-- 
Carl Kadie -- I do not represent EFF; this is just me.
 =kadie@eff.org, kadie@cs.uiuc.edu =

Newsgroup: sci.crypt
document_id: 15459
From: pat@rwing.UUCP (Pat Myrto)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

In article <1qnpjuINN8ci@gap.caltech.edu> hal@cco.caltech.edu (Hal Finney) writes:
>brad@clarinet.com (Brad Templeton) writes:
>
>>Their strategy is a business one rather than legal one.  They are
>>pushing to get a standard in place, a secret standard, and if they
>>get it as a standard then they will drive competitors out of the market.
>>It will be legal to sell better, untapable encryption that doesn't have
>>registered keys, but it will be difficult, and thus not a plan for
>>most phone companies.
>
>If Brad's analysis is correct, it may offer an explanation for why the
>encryption algorithm is being kept secret.  This will prevent competitors
>from coming out with Clipper-compatible phones which lack the government-
>installed "back door."  The strategy Brad describes will only work as long
>as the only way to get compatible phones is to have ones with the government
>chips.
>
>(It would be nice, from the point of view of personal privacy, if Brad
>turns out to be right.  As long as people still have the power to provide
>their own encryption in place of or in addition to the Clipper, privacy
>is still possible.  But the wording of several passages in the announcement
>makes me doubt whether this will turn out to be true.)

Even if what Brad says turns out to be accurate, you can bet that the
Administration will have made it "very clear" to the vendors that "it
would very much be in their best interests" to institute a "voluntary"
policy of refusing to sell anything but Clinton Cripple equipped equipment
to anyone other than "Authorized government agencies and Law Enforcement",
or individuals and corporations who "have been determined by the
Administration to have a valid need on a case-by-case basis" for an
effective system.

Note that this is very much like the language used in many gun control
bills/laws the Administration is pushing for, or otherwise supporting.
The logic and actual rationale (as opposed to the excuses that get fed
to the media) is the same in both cases, only the items or technology
in question are different.

I think this is no accident.  It comes from the same philosophy that
the government rules/controls the people, not the people controlling
the government, that the unconnected citizens are not sophisticated enough
to know what is best for them, so the government must tell the people
what they need or do not need ... "we know best...".  And the idea
that a commoner can defend himself against government eavesdropping
or unlawful attack is totally unacceptable to people with this outlook.

>
>Hal Finney

Combine this all with pushing for national identity cards with 'smart
chips' to encode anything they please (internal passport) under the
guise of streamlining the State People's Health Care System, and with
(you can be certain) more jewels yet to come, and one sees an extremely
ominous trend.  So what if "1984" will be ten years late... it still is
turning out to be an amazingly accurate prophecy... unless a LOT of
people wake up, and in a hurry.

One should ALWAYS have every red warning light and bell and danger flag
come up when the government seeks to set itself apart in regard to
rights, etc.  from the unconnected/unprivileged citizen (or should we
now be saying 'subject' instead?)...  Why SHOULDN'T the average person
have a good, secure system of data security, not dependent on nebulous
'safeguards' for maintaining that security?  Why SHOULDN'T the average
person be able to defend himself from an agency gone rogue?  I am sure
the Feds could break into any data they really wanted to (but it would
take some WORK), and using the same logic, one should not be allowed to
have a good safe, unless a duplicate of the key(s) or combination are
submitted for 'safekeeping' by the government?  I don't really see a
difference, philosophically.  Encrypted data sure won't evaporate, not
with such high-tech tools as a TAPE RECORDER...

-- 
pat@rwing.uucp      [Without prejudice UCC 1-207]     (Pat Myrto) Seattle, WA
         If all else fails, try:       ...!uunet!pilchuck!rwing!pat
WISDOM: "Only two things are infinite; the universe and human stupidity,
         and I am not sure about the former."              - Albert Einstein

Newsgroup: sci.crypt
document_id: 15460
From: Marc VanHeyningen <mvanheyn@cs.indiana.edu>
Subject: Re: More technical details

>	encrypted under K, then K will be encrypted under the unit key UK, 
>	and the serial number of the unit added to produce a three part 
>	message which will then be encrypted under the system key SK 
>	producing
>
>	     E{ E[M; K], E[K; UK], serial number;  SK}
>
>My understanding is that E[M; K] is not encrypted under SK (called the
>"family key") and that the decrypt key corresponding to SK is held by
>law enforcement.  Does anyone have first hand knowledge on this?  I
>will also check it out, but this is 7am Sunday so I did not want to wait.

Ok, so there are in fact two distinct components transmitted by the
chip; the real message encrypted with the "conventional" key, and the
serial number and encrypted "conventional" key encrypted with the
(IMHO kind of bogus, as the whole concept of "one key that millions of
people use which can't be changed" doesn't seem reasonable) "family
key".

Suppose I analyze the output of this chip and I'm able to determine
which bits are the encrypted packet which contains the serial number
and session key.  Suppose I also design a simple algorithm based on
this information which takes the data containing the encrypted session
key and twiddles a bit (or several) before it's sent down the line.

Mind you, I'm sure the NSA thought of this along with a dozen other
attacks I can't imagine, and the system is probably somehow designed
so that manipulation of this information will cause a compliant
receiving chip to somehow fail to decrypt successfully.  But how?
What if the two parties agree in advance on some kind of consistent
bit-twiddling scheme, so the decryption chip sees the restored
"proper" bitstream but an eavesdropper gets a E[K; UK] packet that's
wrong?

I suppose this could be easily defeated if the chip "sends" that
information out many times in slightly different ways, making it
effectively impossible to be certain you know all the information
being sent.
--
Marc VanHeyningen   mvanheyn@cs.indiana.edu   MIME & RIPEM accepted
If your theory predicts different outcomes depending on whether you use
discrete mathematics or continuous mathematics, then you've got the wrong
theory.		- Bruce MacLennan
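
The two-part transmission Marc describes above, modelled end to end in Python as an added example. This is not code from any post in this thread and not Clipper's real design: Skipjack is replaced by an HMAC-SHA256 keystream, the 16-bit "check" field that lets a compliant receiver validate the LEAF using only the session key K is an assumption (the post only speculates that some such mechanism exists), and every key, serial number and message is constructed. The run shows a compliant receiver rejecting a twiddled LEAF, the two parties agreeing on a mask so the receiver sees the proper bitstream while the escrow path recovers the wrong K, and the escrow path itself (F opens the LEAF, N indexes the database, U1 XOR U2 opens E[K; U]).

```python
"""Toy model of the two components the chip puts on the wire, as discussed
in the post above:

    E[M; K]                              traffic under the session key K
    LEAF = E{ E[K; U], N, check ; F }    escrow field under the family key F

Added example, not Clipper's real design and not code from the post.
Skipjack is replaced by an HMAC-SHA256 keystream, and the 16-bit 'check'
field (a checksum keyed with K, so a compliant receiver can validate the
LEAF without knowing U) is an assumption the post only speculates about."""
import hashlib
import hmac
import secrets

FAMILY_KEY = bytes.fromhex("00112233445566778899")   # F: constructed 80-bit value
SERIAL_BITS = 30                                      # N is a 30-bit serial number
CHECK_LEN = 2                                         # assumed 16-bit check field

def toy_cipher(key, nonce, data):
    """Stand-in for E[data; key]: XOR with an HMAC-SHA256 keystream. It is
    its own inverse, so the same call decrypts. Toy only, not Skipjack."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def leaf_check(session_key, ek, serial):
    """Assumed check: keyed by K over E[K; U] || N, so anyone holding K can
    verify the LEAF is the one the sending chip produced."""
    msg = ek + serial.to_bytes(4, "big")
    return hmac.new(session_key, msg, hashlib.sha256).digest()[:CHECK_LEN]

class ClipperChip:
    def __init__(self, serial, unit_key):
        assert 0 <= serial < 2 ** SERIAL_BITS
        self.serial = serial        # N
        self.unit_key = unit_key    # U, 80 bits, escrowed in two halves

    def transmit(self, session_key, message, nonce):
        """Return (E[M; K], LEAF); the nonce is sent in the clear alongside."""
        ek = toy_cipher(self.unit_key, nonce, session_key)            # E[K; U]
        inner = ek + self.serial.to_bytes(4, "big") + leaf_check(session_key, ek, self.serial)
        leaf = toy_cipher(FAMILY_KEY, nonce, inner)                   # E{ ... ; F }
        return toy_cipher(session_key, nonce, message), leaf

    @staticmethod
    def receive(session_key, ciphertext, leaf, nonce):
        """Compliant receiver: open the LEAF with F, recompute the check with
        K, and refuse to decrypt the traffic if it does not match."""
        inner = toy_cipher(FAMILY_KEY, nonce, leaf)
        ek, serial_bytes, check = inner[:10], inner[10:14], inner[14:]
        expected = leaf_check(session_key, ek, int.from_bytes(serial_bytes, "big"))
        if not hmac.compare_digest(check, expected):
            raise ValueError("LEAF check failed; refusing to decrypt")
        return toy_cipher(session_key, nonce, ciphertext)

def escrow_split(unit_key):
    """U = U1 XOR U2; each escrow agent holds one half and learns nothing alone."""
    u1 = secrets.token_bytes(len(unit_key))
    u2 = bytes(a ^ b for a, b in zip(unit_key, u1))
    return u1, u2

def escrow_recover(leaf, nonce, escrow_db):
    """Law-enforcement path: F opens the LEAF, N indexes the escrow database,
    U1 XOR U2 rebuilds U, and U opens E[K; U]. Returns the session key K."""
    inner = toy_cipher(FAMILY_KEY, nonce, leaf)
    ek, serial = inner[:10], int.from_bytes(inner[10:14], "big")
    u1, u2 = escrow_db[serial]
    unit_key = bytes(a ^ b for a, b in zip(u1, u2))
    return toy_cipher(unit_key, nonce, ek)

def twiddle(leaf, mask):
    """Marc's bit-twiddling: XOR a mask into the LEAF after the chip emits it.
    With this stream-cipher stand-in a flipped LEAF bit flips the same bit of
    E[K; U]; a real block cipher would scramble the whole block instead, but
    either way the check no longer matches."""
    return bytes(a ^ b for a, b in zip(leaf, mask))

if __name__ == "__main__":
    serial, unit_key = 0x1234567, bytes.fromhex("a0a1a2a3a4a5a6a7a8a9")  # constructed
    escrow_db = {serial: escrow_split(unit_key)}
    chip = ClipperChip(serial, unit_key)
    k, nonce = bytes.fromhex("0b1b2b3b4b5b6b7b8b9b"), b"\x00" * 8      # constructed
    ct, leaf = chip.transmit(k, b"meet at the usual place", nonce)
    print("compliant receiver:", ClipperChip.receive(k, ct, leaf, nonce))
    print("escrow recovers K: ", escrow_recover(leaf, nonce, escrow_db) == k)
    mask = b"\x01" + b"\x00" * 15          # agreed-upon twiddle of one LEAF bit
    wire = twiddle(leaf, mask)
    try:
        ClipperChip.receive(k, ct, wire, nonce)
    except ValueError as e:
        print("unaware receiver:  ", e)
    print("receiver in on it: ", ClipperChip.receive(k, ct, twiddle(wire, mask), nonce))
    print("escrow recovers K: ", escrow_recover(wire, nonce, escrow_db) == k)
```

Running it, the receiver that does not know the mask refuses the twiddled LEAF, the receiver that does decrypts normally, and the escrow path comes back with the wrong K for the twiddled transmission; that is precisely the gap the post asks about, and it only exists because the check here is tied to K and not to anything the receiver cannot itself reproduce.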

Newsgroup: sci.crypt
document_id: 15461
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: Re: More technical details

srt@duke.cs.duke.edu (Stephen R. Tate) writes:
>
>Now, I'm not one of the people who distrusts the government at every
>turn, but taking someone's word for it that the S1/S2 pairs are not kept
>around is pushing what I'm willing to believe just a little bit too far.
>

Even if they somehow address this issue it is unlikely to be the only
back door in -- they might even have a few intentionally visible to
distract from the ones that aren't visible.

--
Perry Metzger		pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
document_id: 15462
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: The Escrow Database.

Here is a disturbing thought.

Now, we no longer live in the days of big filing cabinets. We live in
the electronic age. I asked myself, how big could the escrow database
get? How hard might it be to steal the whole thing, particularly were
I an NSA official operating with the tacit permission of the escrow
houses? (We can pretend that such will not happen, but thats naive.)

Well, let's see. Ten bytes of each escrow half. Let's assume ten bytes of
serial number -- in fact, I believe the serial number is smaller, but
this is an order of magnitude calculation. We assume 250*10^6 as the
population, and that each person has a key. I get five gigabytes for
each of the two escrow databases. Fits conveniently on a single very
valuable Exabyte tape. This can only get easier with time, but who
cares -- I can already hold all the clipper keys in the country in my
pocket on two 8mm tapes.

Admittedly, they will think of safeguards. They won't put the whole
database on one disk, perhaps. Maybe they will throw stumbling blocks
in the way. This changes nothing -- the keys will be needed every day
by hundreds if not thousands of law enforcement types, so convenience
will dictate that the system permit quick electronic retrieval. At
some point, with or without collusion by the agencies, those exabyte
tapes are going to get cut. Dorothy Denning and David Sternlight will
doubtless claim this can't happen -- but we know that "can't" is a
prayer, not a word that in this instance connotes realism.

With two exabyte tapes in your pocket, you would hold the keys for
every person's conversations in the country in your hands. Yeah, you
need the "master key" too -- but that's just ten bytes of information
that have to be stored an awful lot of places.

Come to think of it, even if the NSA getting a copy of the database
isn't a threat to you because unlike me you have no controversial
political views, consider foreign intelligence services. You know, the
ones that David Sternlight wants to protect us from because of the
evil industrial espionage that they do. The French apparently do have
a big spying operation in friendly countries to get industrial
secrets, so he isn't being completely irrational here (although why
our companies couldn't use cryptosystems without back doors is left
unexplained by those that point out this threat.) 

Presumably, foreign intelligence services can get moles into the NSA
and other agencies. We have proof by example of this: it's happened
many times. Presumably, someday they will get their hands on some
fraction of the keys. You can't avoid that sort of thing.

Don't pretend that no one unauthorized will ever get their hands on
the escrow databases.

We crypto types are all taught something very important at the
beginning of intro to cryptography -- security must depend on the
easily changed key that you pick to run your system, and not on a
secret. The escrow databases aren't the sorts of secrets that our
teachers told us about, but they are the sort of big secrets they
would lump into this category. Imagine trying to replace 100 million
Clipper chips.

I cannot believe that the NSA or whoever it is that's doing this
doesn't realize all this already. They are too smart. There are too
many of them who have made their bones in the real world. I suspect
that they know precisely what they are doing -- and that what they are
doing is giving us the appearance of safety so that they can continue
to surveil in spite of the growth of strong cryptography. I suspect
that they realize that they can't put things off forever, but they can
try to delay things as long as possible.

Who knows. Maybe even some of the higher ups, the inevitable
bureaucratic types that rise in any organization, really do believe
that this scheme might give people some security, even as their
subordinates in Fort Meade wring their hands over the foolishness of
it all.

--
Perry Metzger		pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
document_id: 15463
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

rlward1@afterlife.ncsc.mil (Robert Ward) writes:
>In article <bontchev.734981805@fbihh> bontchev@fbihh.informatik.uni-hamburg.de writes:
>>and since the US constitutions guarantees the right to every American
>>to bear arms, why is not every American entitled, as a matter of
>
>Have you read the applicable part of the Constitution and interpreted it IN 
>CONTEXT?  If not, please do so before posting this misinterpretation again.
>It refers to the right of the people to organize a militia, not for individuals 
>to carry handguns, grenades, and assault rifles.  

The Supreme Court seems to disagree with you -- they have stated that
"the people" is a term of art referring to an individual right, and
have explicitly mentioned the second amendment as an example.

I quote:

  "... 'the people' seems to have been a term of art employed in
  select parts of the Constitution.  The Preamble declares that the
  Constitution is ordained, and established by 'the people of the
  U.S.'  The Second Amendment protects the right of the people
  to keep and bear Arms ...."
	- Supreme Court of the U.S.,  U.S. v. Verdugo-Urquidez (1990).

Furthermore, in the Miller decision, they only permitted prosecution
for possession of a sawed-off shotgun because the defense had not
presented testimony and they therefore accepted the argument of the
government that such weapons have no military value -- they held that
the amendment protected the individual right to possess military
weapons. Unfortunately, no second amendment case has successfully
gotten to the court in fifty years. However, that does not change the
interpretation.

Furthermore, it appears that others disagree with you as well, vis:

 "The conclusion is thus inescapable that the history, concept,
  and wording of the Second Amendment to the Constitution of the
  United States, as well as its interpretation by every major
  commentator and court in the first half-century after its ratifi-
  cation, indicates that what is protected is an individual right
  of a private citizen to own and carry firearms in a peaceful manner."
   - Report of the Subcommittee on the Constitution of the
     Committee on the Judiciary, United States Senate,
     97th Congress, Second Session ( February 1982 )

You might rightfully ask "well then, what does that first bit about
militias mean?"

Well, "militia" in historical context basically means the whole of the
adult males of the country. (Indeed, the U.S. Code still defines
"militia" as all armed men over the age of 17).

   "The Militia comprised all males physically capable of acting
    in concert for the common defense ....  And ... these men were
    expected to appear bearing arms supplied by themselves and of
    the kind in common use at the time."
	- Supreme Court of the United States,  U.S. v. Miller (1939).

The reason for the phrase being there was to explain the rationale
behind the amendment, which was this: by depending on the people to
bear arms in defense of the country, no centralization of military
power could ever occur which would permit tyranny -- in short, the
government would remain perpetually in fear of the people, rather than
the other way around.

   "No free man shall ever be debarred the use of arms.  The strongest reason
   for the people to retain the right to keep and bear arms is, as a last
   resort, to protect themselves against tyranny in government."
     - Thomas Jefferson, Proposal Virginia Constitution, June 1776
       1 Thomas Jefferson Papers, 334 (C. J. Boyd, Ed., 1950).

   "And what country can preserve its liberties, if its rulers are not
   warned from time to time that this people preserve the spirit of
   resistance ?  Let them take arms ... The tree of liberty must be
   refreshed from time to time, with the blood of patriots and tyrants."
     - Thomas Jefferson (letter to William S. Smith, 1787, in
       Jefferson, On Democracy 20, S. Padover, ed., 1939).

   "Before a standing army can rule, the people must be disarmed;
   as they are in almost every kingdom of Europe.  The supreme
   power in America cannot enforce unjust laws by the sword;
   because the whole body of the people are armed, and constitute
   a force superior to any bands of regular troops that can be, on
   any pretense, raised in the United States."
     - Noah Webster, "An Examination into the Leading Principles
       of the Federal Constitution" (1787), in Pamphlets on the
       Constitution of the United States (P. Ford, 1888).

You may disagree with the second amendment, and wish that it be
repealed, but please do not pretend that it isn't there and that it
doesn't mean what it says. You might argue that conditions have
changed and that it should no longer be present, but you can't imagine
it away.

I could fill a book with detailed argumentation. Many have already.

However, none of this has anything to do with cryptography.  Let's get
it out of here. If you insist on discussing this, please do it in
talk.politics.guns, where people will gladly discuss this matter with
you.

--
Perry Metzger		pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
document_id: 15464
From: metatron!joe@dogface.austin.tx.us (Joe Zitt)
Subject: Re: Fighting the Clipper Initiative

steve-b@access.digex.com (Steve Brinich) writes:

>  >As a flaming libertarian paranoid extremist (:-), I'm at a loss for
>  >specific objections that don't sound frighteningly technical.
> 
>   The idea that foisting the Cripple Chip standard on US manufacturers would
> result in saying "Sayonara" to yet another high-tech market isn't technical,
> isn't in the least difficult to understand, and plays on a concern lots of
> people are worried about already....
> 
>

Could you expand on this? I have a feeling you're right, but I don't quite
understand.
-- 
"You could be an ocarina salesman going  | Metatron Press | Austin, Texas!
from door to door..." -- Laurie Anderson | Human Systems Performance Group

Newsgroup: sci.crypt
document_id: 15465
From: rdippold@qualcomm.com (Ron "Asbestos" Dippold)
Subject: Re: clipper chip --Bush did it

johng@ecs.comm.mot.com (John Gilbert) writes:
>This must have been in the works for some time.  The Bush administration must
>have been working on it for quite a while.  --Clinton simply took the credit (or
>blame, depending on how you look at it).

And the initiative for actual implementation.  Clinton is not just an
innocent bystander here - They didn't just slap his name on it without
consulting him.  What exactly is his extensive history of individual
rights advocacy that people are assuming he really has nothing to do
with this?  He just went back on his pledge to cut the espionage
budget, and is now asking for more money than even Bush wanted.
-- 
I've left my body to science - and science is contesting the will.

Newsgroup: sci.crypt
document_id: 15466
From: tcmay@netcom.com (Timothy C. May)
Subject: Re: Once tapped, your code is no good any more.

Dave Ihnat (ignatz@chinet.chi.il.us) wrote:
: In article <1qpg8fINN982@dns1.NMSU.Edu> amolitor@nmsu.edu (Andrew Molitor) writes:
: >	Not to pick on Mr. May in particular, of course, but isn't this
: >kind of the domino theory? When one little country falls, its neighbor
: >will surely follow, and before you know it, we're all mining salt
: >in Siberia for not turning in our Captain Crunch Secret Decoder Rings.
: 
: But, for all the wrongness of our attempt to correct it (VietNam, et. al.),
: the domino theory wasn't disproved at all.

Ironically, the domino theory in fact *was* a reasonable metaphor for
the collapse of communism, from the liberalizations in Poland and
Hungary to the border crossings in the summer of '89 to the fall of
the Wall later that year....and then to the ultimate collapse of the
USSR.

-Tim May
-- 
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,  
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets, 
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^756839 | Public Key: PGP and MailSafe available.


Newsgroup: sci.crypt
document_id: 15467
From: markh@wimsey.bc.ca (Mark C. Henderson)
Subject: Re: Source of random bits on a Unix workstation

In article <1qs6cg$7cq@msuinfo.cl.msu.edu> mrr@scss3.cl.msu.edu (Mark Riordan) writes:
>A few more sources are statistics on your filesystems (easily
>and quickly obtained) and the output from the "rusage" system
>call.  
>
>You can also exec a finger to one or more favorite heavily-used
>systems, though this can take several seconds.
>
>cf. the source code to RIPEM on ripem.msu.edu.
>
>Mark R.

Other alternatives include output of vmstat, iostat, pstat and friends
with various flags, or even better crash. 

e.g. on an RS/6000 (AIX 3.2) you can get lots of relatively
unpredictable data out of crash. (the output from the following script 
usually gives about 600k of goo on a moderately busy system.)

#!/bin/sh
# Feed a batch of commands to crash(1); each one dumps a kernel table, and
# the whole transcript on stdout is the "goo" used as seed material.
crash <<!
proc -
tty
stack
pcb
callout
vfs -
socket
vnode
inode -
mbuf
file
mst
buffer
le
!

-- 
Mark Henderson
markh@wimsey.bc.ca
RIPEM key available by key server/finger/E-mail
  MD5OfPublicKey: F1F5F0C3984CBEAF3889ADAFA2437433
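
A portable version of the goo-harvesting idea in Mark Henderson's post and the Mark Riordan reply he quotes, as an added Python example (not RIPEM's code and not either poster's). The command list is a constructed stand-in for the AIX crash(1) script; any command missing on the host is skipped. What the post does not say, and what the example makes explicit, is that hashing the goo only concentrates whatever unpredictability is already in it, that a byte-frequency figure is merely an upper bound on that unpredictability (600k of crash output is nowhere near 600k bits of entropy, and someone on the same machine can reproduce most of it), and that today the harvested material should be mixed into the operating system's generator rather than used on its own.

```python
"""Harvest 'goo' from system statistics and condense it into seed bytes.
Added example, not RIPEM's code or anything from the post above. The
command list below is a constructed, portable stand-in for crash(1);
any command that is missing on this host is simply skipped."""
import hashlib
import hmac
import math
import os
import subprocess
import time
from collections import Counter

GOO_COMMANDS = (          # constructed list; vmstat/iostat/ps/netstat/df as in the post
    ("vmstat",),
    ("iostat",),
    ("ps", "-ef"),
    ("netstat", "-an"),
    ("df",),
)

def gather_goo(commands=GOO_COMMANDS, timeout=5.0):
    """Run each status command and concatenate its stdout, plus a couple of
    cheap local observations (process times, the clock)."""
    chunks = []
    for cmd in commands:
        try:
            proc = subprocess.run(cmd, capture_output=True, timeout=timeout)
        except (OSError, subprocess.SubprocessError):
            continue                      # tool absent or hung: skip it
        chunks.append(proc.stdout)
    chunks.append(repr(os.times()).encode())
    chunks.append(time.time_ns().to_bytes(8, "big"))
    return b"".join(chunks)

def shannon_bits_per_byte(data):
    """Zeroth-order byte entropy of the sample. This is an UPPER bound on its
    unpredictability, and a loose one: repeated headers, zero counters and
    fixed formatting are all 'varied bytes' that an attacker on the same box
    can reproduce by running the same commands."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def entropy_upper_bound_bits(data):
    return len(data) * shannon_bits_per_byte(data)

def distill(goo, n_bytes=32, label=b"seed"):
    """Extract-then-expand: hash the whole sample down to one digest, then
    derive n_bytes from it HKDF-style. Hashing concentrates whatever
    unpredictability the goo contains; it cannot create any."""
    prk = hashlib.sha256(goo).digest()
    out, block, counter = bytearray(), b"", 1
    while len(out) < n_bytes:
        block = hmac.new(prk, block + label + bytes([counter]), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:n_bytes])

def seed_material(goo, n_bytes=32):
    """XOR the distilled goo with the OS generator, so the result is at least
    as unpredictable as the stronger of the two. On any current system
    os.urandom is the primary source; the goo only supplements it."""
    mixed = distill(goo, n_bytes)
    return bytes(a ^ b for a, b in zip(mixed, os.urandom(n_bytes)))

if __name__ == "__main__":
    goo = gather_goo()
    print(f"{len(goo)} bytes of goo, at most {entropy_upper_bound_bits(goo):.0f} bits by byte frequency")
    print("seed:", seed_material(goo).hex())
```

The byte-frequency number printed on a real host is a useful reality check against the "600k of goo" intuition: it is already a generous bound, and the true figure an adversary faces is smaller still.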

Newsgroup: sci.crypt
document_id: 15468
From: ngorelic@speclab.cr.usgs.gov.cr.usgs.gov (Noel S. Gorelick)
Subject: Re: White House Public Encryption Management Fact Sheet

Alan Barrett (barrett@lucy.ee.und.ac.za) wrote:
> In article <C5LGAz.250@dove.nist.gov>,
> clipper@csrc.ncsl.nist.gov (Clipper Chip Announcement) writes:
> 
>> In making this decision, I do
>> not intend to prevent the private sector from developing, or the
>> government from approving, other microcircuits or algorithms that
>> are equally effective in assuring both privacy and a secure key-
>> escrow system.
> 
> "In making this decision, I intend to prevent the private sector from
> developing, except with the government's approval, other microcircuits
> or algorithms that are more effective in assuring privacy."
> 

Doesn't this just mean that the government might not approve
something for use by other government agencies.  This does not
sound to me to be any form of threat that Joe User can't develop
and use his own encryption algorithm.

--
"You want it should sing too?"   | /*  Yeah we got dogs and Valvoline
  ngorelic@speclab.cr.usgs.gov   |     Its a pretty damn good time.    */
"Life is pain. Anyone that tells you different is trying to sell you something"

Newsgroup: sci.crypt
document_id: 15469
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: Do we need the clipper for cheap security?

amanda@intercon.com (Amanda Walker) writes:
>> The answer seems obvious to me, they wouldn't.  There is other hardware 
>> out there not compromised.  DES as an example (triple DES as a better 
>> one.) 
>
>So, where can I buy a DES-encrypted cellular phone?  How much does it cost?
>Personally, Cylink stuff is out of my budget for personal use :)...

If the Clipper chip can do cheap crypto for the masses, obviously one
could do the same thing WITHOUT building in back doors.

Indeed, even without special engineering, you can construct a good
system right now. A standard codec chip, a chip to do vocoding, a DES
chip, a V32bis integrated modem module, and a small processor to do
glue work, are all you need to have a secure phone. You can dump one
or more of the above if you have a fast processor. With integration,
you could put all of them onto a single chip -- and in the future they
can be.

Yes, cheap crypto is good -- but we don't need it from the government.
You can do everything the clipper chip can do without needing it to be
compromised. When the White House releases stuff saying "this is good
because it gives people privacy", note that we didn't need them to
give us privacy, the capability is available using commercial hardware
right now.

Indeed, were it not for the government doing everything possible to
stop them, Qualcomm would have designed strong encryption right in to
the CDMA cellular phone system they are pioneering. Were it not for
the NSA and company, cheap encryption systems would be everywhere. As
it is, they try every trick in the book to stop it. Had it not been
for them, I'm sure cheap secure phones would be out right now.

They aren't the ones making cheap crypto available. They are the ones
keeping cheap crypto out of people's hands. When they hand you a
clipper chip, what you are getting is a mess of pottage -- your prize
for having traded in your birthright.

And what did we buy with our birthright? Did we get safety from
foreigners? No. They can read conference papers as well as anyone else
and are using strong cryptography. Did we get safety from professional
terrorists? I suspect that they can get cryptosystems themselves on
the open market that work just fine -- most of them can't be idiots
like the guys that bombed the trade center. Are we getting cheaper
crypto for ourselves? No, because the market would have provided that
on its own had they not deliberately sabotaged it.

Someone please tell me what exactly we get in our social contract in
exchange for giving up our right to strong cryptography?
--
Perry Metzger		pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
document_id: 15470
From: tedwards@wam.umd.edu (technopagan priest)
Subject: Re: Would "clipper" make a good cover for other encryption method?

In article <1993Apr20.032623.3046@eff.org> kadie@eff.org (Carl M. Kadie) writes:
>Clipper might be a good way to cover the use of another layer of
>encryption.

True, but will traditional encryption schemes, when further encrypted
by Clipper, be _more_ vulnerable to attacks such as partially known
plaintext?

-Thomas



Newsgroup: sci.crypt
document_id: 15471
From: barrett@lucy.ee.und.ac.za (Alan Barrett)
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks only

In article <C5qy3M.DE3@agora.rain.com>,
jhart@agora.rain.com (Jim Hart) writes:
> Since the wiretap chip is being distributed internationally,
> allowing the U.S. government to spy on foreign governments,
> companies and people as well as to wiretap domestic citizens,
> this is a world-wide issue.  Please put DISTRIBUTION: WORLD on the 
> Distribution: line.  Thank you.

No!  Distribution keywords are case sensitive.  What you want
is

	Distribution: world

or no Distribution line at all.  "WORLD" in capital letters is wrong.

--apb
Alan Barrett, Dept. of Electronic Eng., Univ. of Natal, Durban, South Africa
RFC822: barrett@ee.und.ac.za

Newsgroup: sci.crypt
document_id: 15474
From: tcmay@netcom.com (Timothy C. May)
Subject: Re: The Escrow Database.

Perry E. Metzger (pmetzger@snark.shearson.com) wrote:
: Here is a disturbing thought.
....good stuff elided....
: Don't pretend that no one unauthorized will ever get their hands on
: the escrow databases.
: 
.......
: secret. The escrow databases aren't the sorts of secrets that our
: teachers told us about, but they are the sort of big secrets they
: would lump into this category. Imagine trying to replace 100 million
: Clipper chips.

Sounds to me like a *great* gimmick for a replacement market...every
so often issue a "Clipper Alert" announcing that some key backup tapes
are missing, that some Drug Lords got 'em, whatever. Then the owners
of these $1200 Clipperphones have to trot down to their local Key
Escrow Agency and buy new chips and have them programmed.

Microtoxin, the Clipper supplier, will make a killing...maybe this was
the real idea. (Anybody know if Janet Reno has stock in Microtoxin,
VLSI Technology, or AT&T?)

Could be a good opportunity to undermine this with some
disinformation: float rumors that the key database has been stolen.
All the chips need replacing. It angers people, undermines confidence
even more, and kills sales.

After the Waco Massacre and the Big Brother Wiretap Chip, any tactic
is fair.

-Tim May


-- 
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,  
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets, 
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^756839 | Public Key: PGP and MailSafe available.


Newsgroup: sci.crypt
document_id: 15475
From: bill@Celestial.COM (Bill Campbell)
Subject: Re: Once tapped, your code is no good any more.

In <strnlghtC5p7zp.3zM@netcom.com> strnlght@netcom.com (David Sternlight) writes:

:In article <Apr18.194927.17048@yuma.ACNS.ColoState.EDU>
:holland@CS.ColoState.EDU (douglas craig holland) writes:

:>Note that measures to protect yourself from
:>TEMPEST surveillance are still classified, as far as I know.

:I think this to be inaccurate. One can buy TEMPEST equipment commercially.
:Even Macs.

Sure you can buy a TEMPEST approved Mac -- if you have enough
money.  I haven't had any reason to look at this type of pricing
for about 10 years, but a TEMPEST rating in 1982 would raise the
price of a $2,495.00 Radio Shack Model III to something around
$15,000.00.

Bill
-- 
INTERNET:  bill@Celestial.COM   Bill Campbell; Celestial Software
UUCP:   ...!thebes!camco!bill   6641 East Mercer Way
             uunet!camco!bill   Mercer Island, WA 98040; (206) 947-5591
SPEED COSTS MONEY -- HOW FAST DO YOU WANT TO GO?

Newsgroup: sci.crypt
document_id: 15476
From: jfc@athena.mit.edu (John F Carr)
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks only

In article <19930419.155204.305@almaden.ibm.com>
	ameline@vnet.IBM.COM (Ian Ameline) writes:

>  I also believe that someone will reverse engineer the clipper chip,
>and knowlege of the algorithm will likely be fairly widespread.

The chip and algorithm are classified.  If you reverse engineer it and
tell people, you are likely to go to jail.

Perhaps some foreign governments or corporations could help us out by
cracking the system outside the USA.  The US government could probably
stop importation of clone hardware, but a software implementation
should be practical.

--
    John Carr (jfc@athena.mit.edu)

Newsgroup: sci.crypt
document_id: 15477
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: Do we need the clipper for cheap security?

: From: pmetzger@snark.shearson.com (Perry E. Metzger)

: Indeed, were it not for the government doing everything possible to
: stop them, Qualcomm would have designed strong encryption right in to
: the CDMA cellular phone system they are pioneering. Were it not for
: the NSA and company, cheap encryption systems would be everywhere. As
: it is, they try every trick in the book to stop it. Had it not been
: for them, I'm sure cheap secure phones would be out right now.

In the UK, it's impossible to get approval to attach any crypto device
to the phone network.  (Anything that plugs in to our BT phone sockets
must be approved - for some reason crypto devices just never are...)

I was wondering some time ago how big a market there was for good old-
fashioned acoustic coupler technology to build a secure phone :-) ... is
it possible to mask out all the real voice well enough so that none of
it strays into the mouthpiece?  Perhaps a well-sealed coupler attachment
that was as well blocked as possible, then a white noise generator on
the outside to muffle any real speech?

G

Newsgroup: sci.crypt
document_id: 15478
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

: The cops/feds do *not* need to be able to get hold of your private key to
: listen in to cellular conversations.  Encryption is not end-to-end, but 
: cellphone to base-station - it *has* to be this way so that cellular users
: and fixed installations can talk to each other.  For cellular to cellular
: calls, the transmission is decrypted at the base-station, passed to another
: base-station and re-encrypted.  The cops/feds can listen to the unscrambled
: call *provided* they get a warrant to tap into the cellular provider's
: equipment.  The only reason for wanting a crackable system is so they can
: listen without having to obtain a warrant.

: But, maybe the Clipper system is secure, and they really do need a warrant
: to get the key out of escrow before they can listen in using a scanner (see
: above - they don't *have* to go down this route anyway).  I have my doubts,
: but even if true once they have the key they will *never* again need a
: warrant to tap into that particular phone whenever they want.  `Well, Judge,
: it appears he wasn't a drug-dealer after all, so naturally we'll stop
: listening in'...

That was true for the UK Paul, but I'm fairly sure they're talking about
building end-to-end encryption phones out of this chip.  It's *not* for
cellular (though it certainly could be used there in the way you suggest)

G

Newsgroup: sci.crypt
document_id: 15479
From: jhart@agora.rain.com (Jim Hart)
Subject: Screw the people, crypto is for hard-core hackers & spooks only 

Since the AT&T wiretap chip is scheduled to be distributed 
internationally, allowing the U.S. government to spy on foreign 
governments, companies and people as well as to wiretap domestic 
citizens, this is a world-wide issue.  Thus Distribution: world.

ygoland@wright.seas.ucla.edu (The Jester) writes:

>However assuming that I can still encrypt things as I please, who
>cares about the clipper chip? 

Why do we hackers care about the Clipper chip?  Do we give a shit
about anybody's privacy except our own?  And perhaps not even our
own; are we so smart that we always know when we're talking to
somebody who has a wiretap on their phone?

I find the "call thru your computer" ideas may reflect this attitude.
Ideas that are of, by, and for hackers, and don't help anybody in the
real world, aren't going to do anybody much good, including ourselves
where voice phones are concerned.

We *do* need an alternative to NSA-bugged telephones, but
we're talking inexpensive *telephones* here, including hand-sized
cellulars, that need strong crypto, real privacy.  Make-shift
computer hacker rigs that require living by your computer to
talk privately over the phone are just a dumb stunt that doesn't 
do anything for anybody's privacy in the real world.  

What we need is a true *privacy chip*.  For example, a real-time 
voice-encryption RSA, silicon compile it and spit out ASIC.  
Put this chip on the market as a de facto standard for international 
business, diplomats, and private communications.  If the U.S. bans 
it, we make it somewhere else and import it.  The Japanese, German,
Dutch, Taiwanese, Korean, etc. electronics companies don't want the 
NSA spying on them.  U.S. workers lose more jobs to government fascist
stupidity.

jhart@agora.rain.com

Newsgroup: sci.crypt
document_id: 15480
From: gumby@tweedledumb.cygnus.com (D V Henkel-Wallace)
Subject: Screw the people, crypto is for hard-core hackers & spooks only

   Date: 19 Apr 93 19:57:21 GMT
   From: jhart@agora.rain.com (Jim Hart)

   "Simply?" "Everyone" should have this attitude?   The only people
   who can have this attitude are the most hard-core
   computer hackers, who never make phone calls away from their
   computer

In 10 years everybody will be talking into his or her PDA anyway.
That should solve most of the problem.


Newsgroup: sci.crypt
document_id: 15481
From: steve-b@access.digex.com (Steve Brinich)
Subject: Re: Fighting the Clipper Initiative

> > >As a flaming libertarian paranoid extremist (:-), I'm at a loss for
> > >specific objections that don't sound frighteningly technical.
> >
> >  The idea that foisting the Cripple Chip standard on US manufacturers would
> >result in saying "Sayonara" to yet another high-tech market isn't technical,
> >isn't in the least difficult to understand, and plays on a concern lots of
> >people are worried about already....     
>
>  Could you expand on this...?


  Simple -- if you have a choice between:

 1. American manufacturers peddling Cripple Chips with a secret untested
     algorithm whose keys are held by people with a history of untrustworthy
     behavior, or

 2. Japanese (to pick the obvious example) manufacturers peddling encryption
     chips with an algorithm that has faced public scrutiny and keys under
     the control of the user,

which would you choose?  At most, the American government can deny this
choice to American citizens (and probably not that, if the glorious success
of the War on Drugs is any example); it can't do much about the global market.

Newsgroup: sci.crypt
document_id: 15482
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: Re: Fifth Amendment and Passwords


In article <1993Apr20.000359.20098@bernina.ethz.ch> caronni@nessie.cs.id.ethz.ch (Germano Caronni) writes:


   Just a question. 
   As a provider of a public BBS service - aren't you bound by law to guarantee
   intelligible access to the data of the users on the BBS, if the police come
   with sufficient authorisation ? I guessed this would be a basic condition
   for such systems. (I did run a bbs some time ago, but that was in Switzerland)

You are obliged to let the police search the equipment if they have a
proper court order. You are under no legal obligation to keep the data
intelligible. If you wish to run your BBS entirely with all data
encrypted such that if the police show up they cannot read anything,
well, that's their problem. There are no legal restrictions on domestic
use of cryptography in the United States -- YET.

--
Perry Metzger		pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
document_id: 15483
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: Fascinating facts: 30 bit serial number, possibly fixed S1 and S2


denning@guvax.acc.georgetown.edu (Vidkun Abraham Lauritz Quisling) writes:

   Each chip includes the following components:

      the Skipjack encryption algorithm
      F, an 80-bit family key that is common to all chips
      N, a 30-bit serial number
      U, an 80-bit secret key that unlocks all messages encrypted with the chip

Hmmm. A thirty bit serial number. And, we are told, the unit key U is
derived deterministically from this serial number. That means that
there are only one billion possible unit keys.

   To generate the unit key for a serial number N, the 30-bit value N is
   first padded with a fixed 34-bit block to produce a 64-bit block N1.
   S1 and S2 are then used as keys to triple-encrypt N1, producing a
   64-bit block R1:

	   R1 = E[D[E[N1; S1]; S2]; S1] .

   Similarly, N is padded with two other 34-bit blocks to produce N2 and
   N3, and two additional 64-bit blocks R2 and R3 are computed:  

	   R2 = E[D[E[N2; S1]; S2]; S1] 
	   R3 = E[D[E[N3; S1]; S2]; S1] .

   R1, R2, and R3 are then concatenated together, giving 192 bits. The
   first 80 bits are assigned to U1 and the second 80 bits to U2.  The
   rest are discarded.  The unit key U is the XOR of U1 and U2.  U1 and U2
   are the key parts that are separately escrowed with the two escrow
   agencies.

Hmmm. We must assume that generating the unit key U from the serial
number N rather than generating it from a randomly selected U1 and U2
is an intentional way of assuring a "fail safe" for the government --
U is completely determined given S1, S2 and N. If S1 and S2 do not
change they constitute effective "master keys" (along with F), the
theft of which (or the possession of which by various authorities)
completely obviates the security of the system. However, more
interestingly, we know, for a fact that if S1 and S2 are fixed no
matter what the keyspace for U is no more than 2^30. Why not pick U1
and U2 at random? Why this interesting restriction of the key space
if it is NOT to provide an additional back door?

I find it disturbing that at the very best my security is dependent on
approximately 30 bytes worth of information that could be written on
the back of a napkin.

Even if S1 and S2 change periodically, the rationale behind this
restriction in the size of the keyspace seems strange if one is
assuming that the goal is security -- and makes perfect sense if the
goal is an illusion of security.

If S1 and S2 do not change, even if they remain secret I wonder if
they can somehow be back-derived given enough unit key/serial number
pairs. We are assured that this cannot happen -- but no one
understands how Skipjack works outside of government officials and,
soon, foreign intelligence services that gain the information via
espionage. Presumably we will eventually have the information as well
-- reverse engineering gets more and more advanced every year -- but
by the time we know it may be too late.

   As a sequence of values for U1, U2, and U are generated, they are
   written onto three separate floppy disks.  The first disk contains a
   file for each serial number that contains the corresponding key part
   U1.  The second disk is similar but contains the U2 values.  The third
   disk contains the unit keys U.  Agent 1 takes the first disk and agent
   2 takes the second disk.  The third disk is used to program the chips.
   After the chips are programmed, all information is discarded from the
   vault and the agents leave.  The laptop may be destroyed for additional
   assurance that no information is left behind.

None of this makes me feel the least bit secure. The silly notion of
"destroying the laptop" appears to be yet another bizarre distraction.
We all know that you can't read data from DRAM that has been turned
off for more than a few moments. On the other hand, what we don't know
is why there is a need to generate the unit keys from S1 and S2 in the
first place other than to weaken the system. We don't know if the
agents in question would resist a million in cash apiece for their
information -- it's probably worth hundreds of millions, so you can make
the bribe arbitrarily hard to resist. And to tell you the truth, doing
this in a "vault" rather than in Joe Random Tempest-shielded Room
with a laptop computer seems like melodrama designed to make
high-school dropouts from Peoria impressed -- but it does very little
for most of the rest of us.

   The protocol may be changed slightly so that four people are in the
   room instead of two.  The first two would provide the seeds S1 and S2,
   and the second two (the escrow agents) would take the disks back to
   the escrow agencies.

What would this provide? Let's say the escrow agencies are the ACLU and
the NRA and their agents personally take back the disks and are always
honest. Who cares? The NSA must be laughing out loud, because they
have the algorithm to regenerate U given N and likely don't need to
steal the keys as they effectively already have them.

--
Perry Metzger		pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.
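
The derivation quoted in this post, carried through in code as an added example (it is not code from the posting, and not any Clipper or Skipjack implementation). Skipjack itself is not public, so a toy Feistel cipher built on SHA-256 stands in for E and D; the three 34-bit padding constants are constructed, and placing N in the low 30 bits of each 64-bit block is an assumption the quoted text does not settle. What the code makes visible is exactly the point Metzger raises: with S1 and S2 held fixed, U is a deterministic function of N, so the number of possible unit keys can never exceed the number of serial numbers, regardless of U being 80 bits long.

```python
"""Structure of the quoted Clipper unit-key derivation.

Stand-in cipher only: Skipjack is not available, so a toy Feistel network
keyed with 80-bit seeds plays the role of E[.; S] and D[.; S].
"""
import hashlib

ROUNDS = 8
MASK32 = (1 << 32) - 1
MASK80 = (1 << 80) - 1

# Constructed 34-bit padding constants (the real values were never published).
PADS = (0x1A2B3C4D5, 0x2B3C4D5E6, 0x3C4D5E6F7)


def _round_fn(key: int, rnd: int, half: int) -> int:
    """Keyed 32-bit round function derived from SHA-256 (stand-in, not Skipjack)."""
    data = key.to_bytes(10, "big") + bytes([rnd]) + half.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def encrypt_block(block: int, key: int) -> int:
    """E[block; key]: 64-bit Feistel encryption under an 80-bit key."""
    left, right = block >> 32, block & MASK32
    for rnd in range(ROUNDS):
        left, right = right, left ^ _round_fn(key, rnd, right)
    return (left << 32) | right


def decrypt_block(block: int, key: int) -> int:
    """D[block; key]: exact inverse of encrypt_block (rounds run backwards)."""
    left, right = block >> 32, block & MASK32
    for rnd in reversed(range(ROUNDS)):
        left, right = right ^ _round_fn(key, rnd, left), left
    return (left << 32) | right


def triple_ede(block: int, s1: int, s2: int) -> int:
    """R = E[D[E[block; S1]; S2]; S1], the triple encryption in the quoted text."""
    return encrypt_block(decrypt_block(encrypt_block(block, s1), s2), s1)


def unit_key_parts(n: int, s1: int, s2: int):
    """Derive (U1, U2, U) from a 30-bit serial number N and the seeds S1, S2.

    Assumption: N occupies the low 30 bits of each 64-bit block and the
    34-bit pad the high bits; the quoted description does not fix the layout.
    """
    if not 0 <= n < (1 << 30):
        raise ValueError("serial number must be 30 bits")
    if not (0 <= s1 <= MASK80 and 0 <= s2 <= MASK80):
        raise ValueError("seeds must be 80 bits")
    r = 0
    for pad in PADS:                        # N1, N2, N3 -> R1, R2, R3
        r = (r << 64) | triple_ede((pad << 30) | n, s1, s2)
    u1 = r >> 112                           # first 80 of the 192 bits
    u2 = (r >> 32) & MASK80                 # next 80 bits; last 32 are discarded
    return u1, u2, u1 ^ u2                  # U = U1 XOR U2


def distinct_unit_keys(s1: int, s2: int, serials) -> int:
    """Count distinct U values over a set of serial numbers.

    With S1 and S2 fixed this is bounded by the number of serials, which
    for 30-bit N is the 2^30 ceiling the post objects to.
    """
    return len({unit_key_parts(n, s1, s2)[2] for n in serials})


if __name__ == "__main__":
    S1, S2 = 0x0123456789ABCDEF0123, 0xFEDCBA9876543210FEDC  # constructed seeds
    u1, u2, u = unit_key_parts(0x2A5F3C1, S1, S2)
    print(f"U1={u1:020x}\nU2={u2:020x}\nU ={u:020x}")
    print("distinct U over 256 serials:", distinct_unit_keys(S1, S2, range(256)))
```

Running it prints U1, U2 and U for one constructed serial number and then counts the keys produced by 256 consecutive serials, which is at most 256. The same bound holds for any choice of cipher in place of the stand-in: the entropy of U is whatever secrecy S1 and S2 retain plus at most 30 bits from N, which is the design property the post is criticising.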

Newsgroup: sci.crypt
document_id: 15484
From: jebright@magnus.acs.ohio-state.edu (James R Ebright)
Subject: Re: Off the shelf cheap DES keyseach machine (Was: Re: Corporate acceptance of the wiretap chip)

In article <1993Apr19.093227.1093@jarvis.csri.toronto.edu> lewis@eecg.toronto.edu (david lewis) writes:
>In article <16BB51156.C445585@mizzou1.missouri.edu> C445585@mizzou1.missouri.edu (John Kelsey) writes:
>> 
>>strnlght@netcom.com (David Sternlight) writes:
>>>
[..stuff deleted]
>>But who would
>>trust his/her confidential information to an encryption scheme that, for
>>(say) $100,000 could by cracked one time in a hundred?  (DES, for all the
>>complaints about a 56-bit key, would probably cost several million dollars
>>to build a keysearch machine for.)
>> 
>
>I can buy a DES keysearch machine off the shelf now for approx $500K, but
>it is not sold by that name. Go buy a circuit emulation machine (eg. Quickturn)
>containing a bunch of FPGAs, (say 500 to 1000 3090's), and program each
>to be a DES search engine. Let's say 500 chips, running at 10 MHz = 5G tests/sec.
>Time is 14e6 sec max = 23 weeks, 12 weeks average. Can't wait that long?
>Buy a bigger machine.
>
Oh, but can Big Brother afford such things in these times of tight
budgets?

I don't know how many folks noticed it, but Dorothy "Trust Me" Denning gave
a real clue to the current state of the art at NSA on decrypto machines when
she said the NSA told her they didn't even want to be the holder of any
part of the key.  

Now why is that?  I doubt there is a trapdoor in Skipjack.  (But we will
never know).  And I doubt the NSA would promote a mass market chip they
couldn't compromise.  Ergo, NSA is now capable of compromising (probably
with brute force keysearch) engines of the complexity of Skipjack.  Look
at the specs.  Why, I bet they have thousands of little chips chugging
away in their crypto busters... Maybe even tens of thousands.  Complexity?
Not much more than a 3090.  How many such machines will fit into Fort Meade?

I think PGP2.3 should have 256 bit IDEA keys...

-- 
 Information farming at...     For addr&phone: finger             A/~~\A
 THE Ohio State University  jebright@magnus.acs.ohio-state.edu   ((0  0))____
      Jim Ebright             e-mail: jre+@osu.edu                 \  /      \
                          Support Privacy: Support Encryption      (--)\      

Newsgroup: sci.crypt
document_id: 15485
From: jebright@magnus.acs.ohio-state.edu (James R Ebright)
Subject: Re: Once tapped, your code is no good any more.

In article a_rubin@dsg4.dse.beckman.com (Arthur Rubin) writes:
>In strnlght@netcom.com (David Sternlight) writes:
>
[...]
>>I'd be happy to use a crypto system supplied by the NSA for business, if
>>they told me it was more secure than DES, and in particular resistant to
>>attempts by Japanese, French, and other competitive companies and
>>governments to break.
>
>(It's NIST, not NSA.  NSA is not supposed to have anything to do with this.)

With all the activity in sci.crypt these past few days, I am not surprised
you missed it... NIST got Skipjack from the NSA :)

[...]
>>I'd trust the NSA or the President if they stated there were no trap
>>doors--I'd be even happier if a committee of independent experts examined
>>the thing under seal of secrecy and reported back that it was secure.
>
>I wouldn't trust the NSA.  I think I would trust the President on this, but
>I'm not certain he would be told.

"I am not a crook." President Richard M. Nixon
                    ^^^^^^^^^
-- 
 Information farming at...     For addr&phone: finger             A/~~\A
 THE Ohio State University  jebright@magnus.acs.ohio-state.edu   ((0  0))____
      Jim Ebright             e-mail: jre+@osu.edu                 \  /      \
                          Support Privacy: Support Encryption      (--)\      

Newsgroup: sci.crypt
document_id: 15486
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

	From: brad@clarinet.com (Brad Templeton)

	Let's assume, for the moment, that the system really is secure unless
	you get both halves of the encryption key from the two independent
	escrow houses.  Let's say you even trust the escrow houses -- one is
	the ACLU and the other is the EFF.  (And I'm not entirely joking about
	those two names)

I'm really not entirely sure I trust EFF any more to be honest.

Anyway, any organisation can be deeply infiltrated.  Look at CND in Britain
a dozen years ago - one of their top members was an SIS spy who stole their
complete address list.  How hard would it be to get one person to sneak in
and copy the escrow data to disk?

G

Newsgroup: sci.crypt
document_id: 15487
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

Brad wrote:
	And this means that the FBI will want to track the customer lists of
	better encryption phones, because "the only reason a person would want
	one is to evade the police."

They don't have to track customer lists - they merely have to digitally
listen to any phone line and eliminate any that don't have the clipper
header/signature.  (No-one has said how it will be modulated - want a bet
it's a non-standard and hence easily recognisable baudrate?)

Devices to scan exchanges and detect modems etc already exist.  I've seen
them advertised in the trade press.

Once you eliminate crippled crypto devices and ordinary data modems, what's
left is crypto worth looking more closely at.  I guess any substitute scheme
will have to be v32bis or v.fast to disguise it, though then they just start
looking at the data too...

Whatever happens though, the effect of this new chip will be to make private
crypto stand out like a sore thumb.

G

Newsgroup: sci.crypt
document_id: 15488
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

pat@rwing.UUCP (Pat Myrto) writes:

> Can you, while my mind is on it, give us one good reason that the
> algorithm should be a secret algorithm, unless this encryption scheme
> either is a joke, or contains features like a 'master key' or other back
> door for UNAUTHORIZED eavesdropping?

Hmm, here are a couple:

1) If the algorithm becomes known, it will be easy to produce
pin-compatible non-crippled chips that provide -real- encryption and
privacy, because their keys are only in their users' hands.

2) Since SkipJack is a symmetric key cypher, it needs some way to
agree on a session key. The released information says that any
protocol may be used (e.g., DH). From a theoretical point of view,
this is probably true. However, from a practical point of view, those
chips must have some kind of key exchange protocol built-in. What if
it is good old RSA? This will mean that the producer will have to pay
lots of bucks to PKP. By keeping the details secret this can be
avoided...

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany
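
Point 2 above says a symmetric cipher such as Skipjack still needs a way for the two ends to agree a session key, with Diffie-Hellman named as one option. Here is that exchange with both sides' messages, as an added example that is not part of the posting and not any chip's built-in protocol. To run offline it generates a toy 64-bit safe-prime group at run time (real deployments use standardized groups of at least 2048 bits); SHA-256 is the assumed key-derivation step, and the result is truncated to 80 bits only to match the Skipjack key length the thread discusses. Each side verifies that the value it receives lies in the prime-order subgroup before using it, which is the check that closes the small-subgroup problem of raw DH.

```python
"""Diffie-Hellman session-key agreement, both sides, over a toy safe-prime group."""
import hashlib
import secrets

# These bases make Miller-Rabin deterministic for every n < 3.3e24.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    """Miller-Rabin primality test (deterministic for n < 3.3e24)."""
    if n < 2:
        return False
    for a in _MR_BASES:
        if n % a == 0:
            return n == a
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits: int) -> int:
    """Return p = 2q + 1 with p and q both prime and p exactly `bits` long."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1   # odd, top bit set
        p = 2 * q + 1
        if is_prime(q) and is_prime(p):
            return p


def subgroup_generator(p: int) -> int:
    """Smallest g generating the order-q subgroup of Z_p^* (q = (p-1)/2)."""
    q = (p - 1) // 2
    for g in range(2, p):
        if pow(g, 2, p) != 1 and pow(g, q, p) == 1:
            return g
    raise ValueError("no generator found")


def session_key(p: int, own_private: int, peer_public: int) -> bytes:
    """Derive an 80-bit session key from the peer's public value.

    The peer value is rejected unless it lies in the prime-order subgroup,
    so an order-1 or order-2 element cannot force a predictable key.
    """
    q = (p - 1) // 2
    if not 2 <= peer_public <= p - 2 or pow(peer_public, q, p) != 1:
        raise ValueError("peer public value is not in the prime-order subgroup")
    shared = pow(peer_public, own_private, p)
    nbytes = (p.bit_length() + 7) // 8
    return hashlib.sha256(shared.to_bytes(nbytes, "big")).digest()[:10]  # 80 bits


def run_exchange(bits: int = 64):
    """Both sides of the protocol; returns (key_a, key_b), which must match."""
    p = safe_prime(bits)
    g = subgroup_generator(p)
    q = (p - 1) // 2
    a = secrets.randbelow(q - 1) + 1        # A's private exponent in [1, q-1]
    b = secrets.randbelow(q - 1) + 1        # B's private exponent in [1, q-1]
    a_to_b = pow(g, a, p)                   # message A -> B: g^a mod p
    b_to_a = pow(g, b, p)                   # message B -> A: g^b mod p
    return session_key(p, a, b_to_a), session_key(p, b, a_to_b)


if __name__ == "__main__":
    key_a, key_b = run_exchange()
    print("A:", key_a.hex(), "\nB:", key_b.hex(), "\nmatch:", key_a == key_b)
```

Nothing secret crosses the wire: only g^a and g^b are sent, and each side combines the value it received with its own exponent to reach the same g^ab. Note that plain DH as written gives no authentication, so which chip you are agreeing a key with is a separate question that the posting's RSA speculation would bear on.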

Newsgroup: sci.crypt
document_id: 15489
From: wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705)
Subject: Re: Fifth Amendment and Passwords

   In article <1993Apr20.000359.20098@bernina.ethz.ch> caronni@nessie.cs.id.ethz.ch (Germano Caronni) writes:
      Just a question. 
      As a provider of a public BBS service - aren't you bound by law to guarantee
      intelligible access to the data of the users on the BBS, if the police come
      with sufficient authorisation ? I guessed this would be a basic condition
      for such systems. (I did run a bbs some time ago, but that was in Switzerland)

The US doesn't yet have many laws covering BBSs - they're not common carriers,
they're not phone companies, they're just private machines or services
operated by businesses.  There's no obligation to keep records.
As Perry Metzger points out, if the police come with a search warrant,
you have to let them see what the warrant demands, if it exists,
and they generally can confiscate the equipment as "evidence"
(which is not Constitutionally valid, but we're only beginning to
develop court cases supporting us).  A court MAY be able to compel
you to tell them information you know, such as the encryption password
for the disk - there aren't any definitive cases yet, since it's a new
situation, and there probably aren't laws specifically covering it.
But the court can't force you to *know* the keys, and there are no
laws preventing you from allowing your users to have their own keys
for their own files without giving them to you.

Even in areas that do have established law, there is uncertainty.
There was a guy in Idaho a few years ago who had his business records
subpoenaed as evidence for taxes or some other business-restriction law,
so he gave the court the records.  Which were in Hebrew.
The US doesn't have laws forcing you to keep your records in English,
and these were the originals of the records.  HE didn't speak Hebrew,
and neither did anybody in the court organization.  Don't think they
were able to do much about it.

It might be illegal for your BBS to deny access to potential customers
based on race, religion, national origin, gender, or sexual preference;
it probably hasn't been tested in court, but it seems like a plausible
extension of anti-discrimination laws affecting other businesses.


--
#				Pray for peace;      Bill
# Bill Stewart 1-908-949-0705 wcs@anchor.att.com AT&T Bell Labs 4M312 Holmdel NJ
#	              No, I'm *from* New Jersey, I only *work* in cyberspace....
# White House Comment Line 1-202-456-1111  fax 1-202-456-2461

Newsgroup: sci.crypt
document_id: 15490
From: tuinstra@signal.ece.clarkson.edu.soe (Dwight Tuinstra)
Subject: (new) reason for Clipper alg'm secrecy

[Apologies for not posting to alt.clipper, or whatever, but it seems it
may not be in the newsfeed here.]

There may be another reason (good from NSA's point of view, horrible
from everyone else's) why the algorithm/chip design might be secret.

First, note that the "experts" will only look at "details", and of just 
the algorithm:

    In addition, respected experts from outside the
    government will be offered access to the confidential details of
    the algorithm to assess its capabilities and publicly report
    their findings.

Why not the chip design?  Well, here's the possibility:  in addition to
encryption, the chip pre-processes voice signals to make them easier
to analyze/transcribe electronically.  The chip, once widespread, might
effectively be part of a massively parallel computer for "voice-
grepping" the US phone network (or the criminal & wrong-thinking patrons
thereof).

I wouldn't put it past the NSA.  Think how much easier it would make life
for them.

And if this is indeed the case, think of the possible public outcry should
it become widely known.  Thus the secrecy.

It might be a good idea to have experts in DSP, voice recognition, and
AI conversation-understanding to be on that panel, and insist they be
given (authenticatable) design specs and implementation documentation.

+========================================================================+
|  dwight tuinstra             best:  tuinstra@sandman.ece.clarkson.edu  |
|                         tolerable:  tuinstrd@craft.camp.clarkson.edu   |
|                                                                        |
|           Look out, kid, it's something that you did.                  |
|           God knows when, but you're doin' it again ...                |
+========================================================================+

Newsgroup: sci.crypt
document_id: 15491
From: ameline@vnet.IBM.COM (Ian Ameline)
Subject: Fascinating facts: 30 bit serial number, possibly fixed S1 and S2

>Hmmm. We must assume that generating the unit key U from the serial
>number N rather than generating it from a randomly selected U1 and U2
>is an intentional way of assuring a "fail safe" for the government --
>U is completely determined given S1, S2 and N. If S1 and S2 do not
>change they constitute effective "master keys" (along with F), the
>theft of which (or the possession of which by various authorities)
>completely obviates the security of the system. However, more
>interestingly, we know, for a fact that if S1 and S2 are fixed no
>matter what the keyspace for U is no more than 2^30. Why not pick U1
>and U2 at random? Why this interesting restriction of the key space
>if it is NOT to provide an additional back door?
>
>I find it disturbing that at the very best my security is dependent on
>approximately 30 bytes worth of information that could be written on
>the back of a napkin.
>
>Even if S1 and S2 change periodically, the rationale behind this
>restriction in the size of the keyspace seems strange if one is
>assuming that the goal is security -- and makes perfect sense if the
>goal is an illusion of security.
>
>If S1 and S2 do not change, even if they remain secret I wonder if
>they can somehow be back-derived given enough unit key/serial number
>pairs. We are assured that this cannot happen -- but no one
>understands how Skipjack works outside of government officials and,
>soon, foreign intelligence services that gain the information via
>espionage. Presumably we will eventually have the information as well
>-- reverse engineering gets more and more advanced every year -- but
>by the time we know it may be too late.

Perhaps the trusted escrow agencies can be the ones who come up with
S1 and S2, and if these agencies are really trusted (ACLU & NRA is an
interesting example), we can hope that they'll use some physical
process to come up with truly random numbers. If the NSA comes up with
the numbers, that's a trap door you could drive a truck through.

>None of this makes me feel the least bit secure.

Me either.

   It seems from the following that the CPSR is at least starting to
question this bogosity:

    ----------------------------------------------------------------
April 16, 1993
Washington, DC

               COMPUTER PROFESSIONALS CALL FOR PUBLIC
           DEBATE ON NEW GOVERNMENT ENCRYPTION INITIATIVE

        Computer Professionals for Social Responsibility (CPSR)
today called for the public disclosure of technical data
underlying the government's newly-announced "Public Encryption
Management" initiative.  The new cryptography scheme was
announced today by the White House and the National Institute
for Standards and Technology (NIST), which will implement the
technical specifications of the plan.  A NIST spokesman
acknowledged that the National Security Agency (NSA), the super-
secret military intelligence agency, had actually developed the
encryption technology around which the new initiative is built.

        According to NIST, the technical specifications and the
Presidential directive establishing the plan are classified.  To
open the initiative to public review and debate, CPSR today
filed a series of Freedom of Information Act (FOIA) requests
with key agencies, including NSA, NIST, the National Security
Council and the FBI for information relating to the encryption
plan.  The CPSR requests are in keeping with the spirit of the
Computer Security Act, which Congress passed in 1987 in order to
open the development of non-military computer security standards
to public scrutiny and to limit NSA's role in the creation of
such standards.

        CPSR previously has questioned the role of NSA in
developing the so-called "digital signature standard" (DSS), a
communications authentication technology that NIST proposed for
government-wide use in 1991.  After CPSR sued NIST in a FOIA
lawsuit last year, the civilian agency disclosed for the first
time that NSA had, in fact, developed that security standard.
NSA is due to file papers in federal court next week justifying
the classification of records concerning its creation of the
DSS.

        David Sobel, CPSR Legal Counsel, called the
administration's apparent commitment to the privacy of
electronic communications, as reflected in today's official
statement,  "a step in the right direction."  But he questioned
the propriety of NSA's role in the process and the apparent
secrecy that has thus far shielded the development process from
public scrutiny.  "At a time when we are moving towards the
development of a new information infrastructure, it is vital
that standards designed to protect personal privacy be
established openly and with full public participation.  It is
not appropriate for NSA -- an agency with a long tradition of
secrecy and opposition to effective civilian cryptography -- to
play a leading role in the development process."

        CPSR is a national public-interest alliance of computer
industry professionals dedicated to examining the impact of
technology on society.   CPSR has 21 chapters in the U.S. and
maintains offices in Palo Alto, California, Cambridge,
Massachusetts and Washington, DC.  For additional information on
CPSR, call (415) 322-3778 or e-mail <cpsr@csli.stanford.edu>.
      -----------------------------------------------
Regards,
Ian Ameline.

Newsgroup: sci.crypt
document_id: 15492
From: rjq@phys.ksu.edu (Rob Quinn)
Subject: Stray thought (was Re: More technical details

In <1993Apr19.134346.2620@ulysses.att.com> smb@research.att.com (Steven Bellovin) writes:
>Date: Sun, 18 Apr 93 07:56:39 EDT
>From: denning@cs.georgetown.edu (Dorothy Denning)
>        The Clipper Chip will have a secret crypto algorithm embedded in 
>The algorithm operates on 64-bit blocks (like DES) and the chip supports
>all 4 DES modes of operation.  The algorithm uses 32 rounds of scrambling
>compared with 16 in DES.

 So in a few years there could be millions of these chips in the USA, all
networked together? Sounds like a good science fiction story - the government
wants to crack foreign DES (or whatever) messages, so they con the public into
individually buying all of the components and installing them. Soon the US
could be covered by the largest parallel computer in the world, built on top of
our current phone net.
--
| "Those who suppress freedom always                             Rob Quinn |
| do so in the name of law                                rjq@phys.ksu.edu |
| and order." --John Lindsay                         QuinnBob@KSUVM.BITNET |

Newsgroup: sci.crypt
document_id: 15493
From: mrr@scss3.cl.msu.edu (Mark Riordan)
Subject: List of large integer arithmetic packages

This is the file BIGNUMS.TXT from ripem.msu.edu, last updated April 1993.

In response to Email requests, I have assembled this list of
large-integer arithmetic packages of which I have heard.
Most of these are C function libraries, available in source form.

For your convenience, I have placed copies of
some of these on ripem.msu.edu (35.8.1.178).  They are
available for anonymous FTP in the directory "pub/bignum".
However, what I have may not be the most current version in all cases.

Here they are, in no particular order:

mp
    Multiple Precision package that comes with some Unixes
    
    Multiple precision package accessed via -lmp flag on your
    compiler.  Provides +, -, *, /, gcd, exponentiation,
    sqrt.  Comes with SunOS, NeXT Mach, BBN Mach 1000, 
    and probably a few others.  See "man mp".  
    Object code only, of course.

PARI
    Henri Cohen, et al., Universite Bordeaux I, Paris, FRANCE
    
    Multiple precision desk calculator and library routines.
    Contains optimized assembly code for Motorola 68020, 
    semi-optimized code for SPARC, and apparently rather slow
    generic C version.  Does both integers and reals.
    Does vectors and matrices as well as scalars.
    Contains a number of advanced functions, some of which I've
    never heard of.  ("Weber's function"?)
    Has a factorization function, primality test, & other related stuff.
    Plenty of TEX documentation.
    Public domain, but you can't distribute modified versions.
    Available via anonymous FTP from math.ucla.edu.  There seem to
    be Mac- and NeXT-specific versions there in addition to:
    Filename:  pari-1.35a.tar.Z
    
Arithmetic in Global Fields  (Arith)
    Kevin R. Coombes, David R. Grant
    
    Package of routines for arbitrary precision integers or
    polynomials over finite fields.  Includes basic +, -, *, /
    and a few others like gcd.  Source code in C.
    Distributed under the terms of the GNU public license.
    Includes man pages and TEX documentation.
    Filename:  arith.tar.Z

Arbitrary Precision Math Library
    Lloyd Zusman   Los Gatos, CA
    
    C package which supports basic +, -, *, /.  Provides for radix
    points (i.e., non-integers).  Not as polished as the others here.
    Posted to comp.sources.misc in October 1988.
    Filename:  apml.tar.Z
    
BigNum
    J. Vuillemin, INRIA, FRANCE, and others.
    Distributed by Digital Equipment Paris Research Lab (DECPRL)
    
    A "portable and efficient arbitrary-precision integer" package.
    C code, with generic C "kernel", plus assembly "kernels" for
    MC680x0, Intel i960, MIPS, NS32032, Pyramid, and of course VAX.
    This is probably one of the better-known packages of this type.
    Implements +, -, *, /, mod, plus logical operations OR, AND, XOR.
    Both signed and unsigned arithmetic available.
    Available via email from librarian@decprl.dec.com.
    You will receive 5 shell archives.  Give your postal address
    and you will also receive printed documentation from France.
    Package includes TEX documentation.
    Publicly available for non-commercial use.
    I removed this from my archive when I heard a rumor that PRL
    doesn't like others to distribute it.  However, BIGNUM *is*
    distributed as part of ecpp (see below).

Lenstra's package
    Arjen Lenstra   Bellcore
    
    Portable unsigned integer package written entirely in C.
    Includes +, -, *, /, exponentiation, mod, primality testing,
    sqrt, random number generator, and a few others.  The package
    was uncommented and undocumented; I have tried to add enough
    comments to get by.  This is the only of these packages that I
    have actually used.  It works well and is very portable.  
    I haven't done any benchmarks against the others, but the code 
    looks clever & Lenstra is an accomplished number theorist.
    Unlike the other packages here, this one requires you to allocate
    storage statically--only a problem if your numbers are really huge.
    Arjen has placed the code in the public domain.  
    Filename:  lenstra.tar.Z

lenstra_3.1
    Arjen Lenstra,  Bellcore

    An improved version of Arjen's package above.  This one
    does signed arithmetic and dynamic allocation (which can be turned
    off as an option). Has a few new routines, too.  "lenstra_3.1" contains
    minor bugfixes to the previously-available "lenstra_2" and "lenstra_3".
    Filename:  lenstra_3.1.c

bmp  (Brent's Multiple Precision?)
    R. P. Brent

    1981 vintage FORTRAN code to do extended precision floating &
    fixed point arithmetic.  Includes most of the mathematical
    functions you'd find in a FORTRAN run-time library.
    This code is an ACM algorithm, number 524.
    To obtain, send a mail message to  netlib@ornl.gov
    containing the line "send mp.f from bmp" or better yet, perhaps
    just start with "help".

SPX
    Kannan Alagappan & Joseph Tardo, DEC
    
    This is a huge prototype public key authentication system
    based on RSA.  I mention it here because those who have heard
    of SPX have probably correctly guessed that it contains a large
    integer package and I want to inform you that the large integer
    package it contains is indeed DEC's BigNum from France.
    You can get a beta test copy of SPX from crl.dec.com (192.58.206.2). 
    Use it only for testing, as it "may" expire on a certain date.
    (I don't know whether this has expired yet.)

amp  (Antti's Multiple Precision?)
    Antti Louko   alo@kampi.hut.fi

    Multiple precision integer package in C.  Includes +, -, *, /, %,
    pow, mod, 1/x mod y, random, sqrt, gcd.  Available for non-commercial
    use.  The package includes "share-secret", a public key system based
    on the Diffie-Hellman algorithm.
    This is normally part of the well-known "des-dist.tar.Z",
    but I have removed the DES part to avoid having to deal with 
    cryptographic export laws, and have named the result:
    Filename:  amp.tar.Z

gennum  
    Per Bothner   U of Wisconsin-Madison

    C++ routines and classes to do generic arithmetic, both
    integer and rational.  
    Formerly available on sevenlayer.cs.wis.edu.  However, it
    seems to have disappeared.  Sorry.

MIRACL
    (By someone in Dublin, Ireland)

    Integer and fractional multiple precision package.
    Includes factorization, primality testing, encryption.
    Not public domain, apparently.  It is available from the Austin
    Code Works.  (See ads in Byte Magazine or Dr. Dobbs.)

precision
    Dave Barrett  barrettd@tigger.colorado.edu

    Multiple precision integer package in C with +,-,*,/, sqrt, rand,
    mod, pow, log.  Simple vector support.  Does dynamic allocation of memory.
    Free as long as you don't sell it or any program that uses it.
    Filename:  precision.tar.Z

UBASIC
    Prof. Yuji Kida, Rikkyo University, Nishi-Ikebukuro 3, Tokyo 171, Japan
    kida@rkmath.rikkyo.ac.jp

    Multiple-precision version of the BASIC programming language,
    for MS-DOS.  Includes floating point.  Said (by Keith Briggs)
    to be pretty fast.  Object only, I think.  ervin@morekypr.bitnet
    says:  "This is the best package that I know of for
    fast arithmetic.  Has a version optimized for 386 machines.  Includes
    routines to do MPQS, the fastest currently known general factoring
    algorithm.  An additional file is at both sites to allow MPQS to use
    hard drives so that it can factor up to 80 digits.  Many number
    theoretical functions are included in UBASIC.  It allows over 2500
    digits of precision."
    Available via anonymous FTP from shape.mps.ohio-state.edu,
    or simtel20.army.mil, or wuarchive.wustl.edu.

calc_v22
    Unknown

    MS-DOS C-like language that allows "infinite" precision.
    Nice intrinsic functions.  ervin@morekypr.bitnet reports problems
    when changing precision on the fly.
    See simtel20 or wuarchive.

briggs_arith
    Keith Briggs (kbriggs@mundoe.maths.mu.oz.au)

    Turbo Pascal 5 source for routines that do multiple-precision
    +, -, *, /, sqrt, gcd, factoring, rand for integers; also includes
    +, -, *, / and rand for rational numbers.
    Filename:  briggs_arith.pas

Institute fur Experimentelle Mathematik
    Dr Gerhard Schneider (?)

    Fast C multiple-precision subroutine library.
    I don't know anything about it; sl25@ely.cl.cam.ac.uk says
    to contact MAT420@DE0HRZ1A.BITNET for more info.
    Postal Address:
    Institute fur Experimentelle Mathematik
    EllernStr 29
    D4300 Essen-12    GERMANY

LongInt
    Markus Mueller (mueller@komsys.tik.ethz.ch)

    "Multi precision arithmetic written in MODULA-2, with the most time critical
    parts written in Assembler. Includes basic arithmetics (+, -, *, /, %) as
    well as arithmetics MODULO a number. An additional module provides a
    collection of procedures for primality testing, gcd, multiplicative
    inverse and more. The package is part of a Privacy Enhanced Mail (PEM)
    package which includes a PEM mailer, RSA key generator and Certificate
    generation tools."

    Source is in Modula-2, C, and assembler for Sun 3.  LongInt has
    also been ported to MS-DOS under Logitech Modula-2 and Turbo
    Assembler.  Availability:  free for university use (research and
    education); otherwise, a source license is required.  To obtain,
    write or email to:

        Markus Mueller
        Bertastrasse 7
        CH-8953 Dietikon
        Switzerland
        email:  mueller@komsys.tik.ethz.ch

bignum-1.2
    Henrik.Johansson@Nexus.Comm.SE

    Bignum package written in portable C.  Will in the future
    conform to the Common Lisp functions that handle integers.
    Currently includes +, -, *, /, exponentiation, "exptmod",
    comparison, random numbers, and gcd.
    Filename: bignum-1.2

GNU Multiple Precision
    GNU (Free Software Foundation) multiple precision package.
    I haven't looked at it yet.  This is current as of April 1992,
    but there may be a more recent version by the time you read 
    this.  This package is very widely available on FTP sites.
    Filename: gmp-1.2.tar.Z

Elliptic Curve Primality Proving 
    Francois Morian, France.

    Large package to prove the primality of any prime.
    Includes Inria's BIGNUM package. 
    Obtained from ftp.inria.fr (128.93.1.26).
    Filename: ecpp.V3.4.1.tar.Z

PGP (Pretty Good Privacy)
    Philip Zimmermann   prz@sage.cgd.ucar.EDU

    Intel-based crypto package that includes bignum routines in C,
    said to be quite fast for Intel processors.  Unix and Mac
    versions also available.
    The crypto package violates RSA patents, but the bignum routines
    can be used without fear of legal repercussions.

Bell's Arbitrary Precision Calculator
    David I. Bell, Australia  (dbell@pdact.pd.necisa.oz.au)

    Arbitrary-precision calculator with good online help, C-like
    language, many builtin functions, support for integers,
    rational numbers (they work like floating point), complex numbers,
    matrices, strings, lists, files, "objects".  Includes 
    gcd, primality testing, even trig functions.  Recommended.
    (Large package, though.)  Obtained from comp.sources.unix.
    Filename: calc-1.24.7.tar.Z

Built-in support in other languages
    Various

    Multiple precision arithmetic is available in a number of 
    programming languages, such as Lisp and ABC (cf. mcsun.eu.net).
    Perl (by Larry Wall, available from devvax.jpl.nasa.gov)
    includes source, in Perl, for such a package, but it's probably
    not suitable for serious use.
    For some of these, source code may be available.  This list is
    long enough, so I'm not going to pursue it aggressively.

Thanks to Ed Vielmetti and several others who contributed to this list.

Mark Riordan   mrr@ripem.msu.edu

Newsgroup: sci.crypt
document_id: 15494
From: ted@nmsu.edu (Ted Dunning)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption


nobody seems to have noticed that the clipper chip *must* have been
under development for considerably longer than the 3 months that
clinton has been president.  this is not something that choosing
bush over clinton would have changed in the slightest; it has
been in the works for some time.


Newsgroup: sci.crypt
document_id: 15495
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: Facinating facts: 30 bit serial number, possibly fixed S1 and S2

	From: pmetzger@snark.shearson.com (Perry E. Metzger)

	denning@guvax.acc.georgetown.edu (Vidkun Abraham Lauritz Quisling) writes:

	   Each chip includes the following components:

	      the Skipjack encryption algorithm
	      F, an 80-bit family key that is common to all chips
	      N, a 30-bit serial number
	      U, an 80-bit secret key that unlocks all messages encrypted with the chip

	Hmmm. A thirty bit serial number. And, we are told, the unit key U is
	derived deterministically from this serial number. That means that
	there are only one billion possible unit keys.

Oh hell, it's *much* worse than that.  You think they'll ever make
more than a million of them?  Serial numbers aren't handed out at random
you know, they start at 1 and work up...  Call it a 20 bit space maybe.

G

Newsgroup: sci.crypt
document_id: 15496
From: rja14@cl.cam.ac.uk (Ross Anderson)
Subject: Re: Clipper chip -- technical details

In article <1993Apr19.052005.20665@ulysses.att.com> smb@research.att.com (Steven 
Bellovin) writes:

> Nothing was said about where K_P comes from.

If you've got a secure device, you don't need public keys.

If the secret key which all chips share is SK, you can just use KP = 
E{(myname, yourname, date) ; SK}.

Maybe that's why Jim Bidzos was reported as being cheesed off.

Ross

Newsgroup: sci.crypt
document_id: 15497
From: res@colnet.cmhnet.org (Rob Stampfli)
Subject: Re: Once tapped, your code is no good any more.

>>	With E-Mail, if they can't break your PGP encryption, they'll just
>>call up one of their TEMPEST trucks and read the electromagnetic emissions
>>from your computer or terminal.  Note that measures to protect yourself from
>
>2. I could independently invent about half a dozen right off
>the top of my head. If I had studied Advanced E & M a little better,
>I could probably come up with a _very_ good system.

Wouldn't a second monitor of similar type scrolling gibberish and adjacent
to the one being used provide reasonable resistance to tempest attacks?
-- 
Rob Stampfli  rob@colnet.cmhnet.org      The neat thing about standards:
614-864-9377  HAM RADIO: kd8wk@n8jyv.oh  There are so many to choose from.

Newsgroup: sci.crypt
document_id: 15498
From: res@colnet.cmhnet.org (Rob Stampfli)
Subject: Re: The Old Key Registration Idea...

In article <1qn1ic$hp6@access.digex.net> pcw@access.digex.com (Peter Wayner) writes:
>That leads me to conjecture that:
...
>2) The system is vulnerable to simple phone swapping attacks

I seriously doubt that any practical implementation of this proposal would
place the onus on the individual to register keys.  Realistically, the
Clipper-Chip will probably emit an ID code which will serve as the identifier
when requesting the key fragments.  The chip manufacturer would register
this identifier code vs. key combination when the chip is made and the
(uninitiated) end-user can therefore remain completely outside the loop.
The chip could be used in a cellular phone, a modem, or other device --
it really makes no difference:  When the authorities detect the use of this
encryption standard during surveillance, they would then capture the ID
and apply for the key in order to decrypt the data.
-- 
Rob Stampfli  rob@colnet.cmhnet.org      The neat thing about standards:
614-864-9377  HAM RADIO: kd8wk@n8jyv.oh  There are so many to choose from.

Newsgroup: sci.crypt
document_id: 15499
From: felixg@coop.com (Felix Gallo)
Subject: Re: Once tapped, your code is no good any more.

pat@rwing.UUCP (Pat Myrto) writes:

>If the Clinton Clipper is so very good, [...]

Please note that Bill Clinton probably has little if anything to do
with the design, implementation or reasoning behind this chip or behind
any "moves" being made using this chip as a pawn.

Remember, when you elect a president of the united states, it's not
the case that all the Republicans, etc. in the NSA and FBI and CIA
immediately pack their bags and get replaced by a team of fresh young
Democrats.  Most of the government -- say, 96% -- is appointed or
hired rather than elected.  Since this Clipper device has been in
production for over six months, it probably has little or no 
foundation in the currently elected Democratic Executive body.

>BTW - those who suggest that this is just an attack on Clinton, believe
>this:  I would be going ballistic regardless WHO seriously proposed
>this thing.  It is just another step in a gradual erosion of our rights
>under the Constitution or Bill of Rights.  The last couple of decades
>have been a non-stop series of end-runs around the protections of the
>Constitution.  It has to stop.  Now is as good a time as any, if it
>isn't too late already.

Could be.  However, the sky hasn't fallen yet, Chicken Little.

>-- 
>pat@rwing.uucp      [Without prejudice UCC 1-207]     (Pat Myrto) Seattle, WA
>         If all else fails, try:       ...!uunet!pilchuck!rwing!pat
>WISDOM: "Only two things are infinite; the universe and human stupidity,
>         and I am not sure about the former."              - Albert Einstein

Newsgroup: sci.crypt
document_id: 15500
From: marc@tanda.isis.org (Marc Thibault)
Subject: Re: Don't fight Clipper Chip, subvert or replace it !

In article <ygoland.735123994@wright> 
(The Jester) writes: 

> Proof Windows is a Virus:It is very widespread, It eats up your disk
> space, It slows down your computer, It takes control over your
> computer, It performs disk access at random times, It displays silly
> messages on your screen, It randomly crashes the computer-Vesselin

        This sounds like a version of Unix. Solaris?


Newsgroup: sci.crypt
document_id: 15501
From: koontzd@phobos.lrmsc.loral.com (David Koontz )
Subject: Spoofing Clipper Serial Number

Secrecy in Clipper Chip

The serial number of the clipper chip is encrypted with the system key and
transmitted as one part of a three part message.

Presumably the protocol can be recovered (if by nothing else, differential
analysis).

Postulate if you will, a chip (or logic) sitting between the clipper chip
and its communications channel.  The purpose of this chip is twofold:
    
	1) Transmit Channel

	    The spoof chip XORs the 30 bit encrypted serial number with
	    a secondary keying variable.  This renders the serial number
	    unrecoverable with just the system key

	2) Receive Channel

	    The spoof chip XORs the incoming encrypted serial number
	    with a secondary keying variable (assuming the serial number
	    is necessary for local operation).

This has the net result of hiding the serial number.  This gets more
interesting when the number of serial numbers issued becomes large,
making it difficult to distinguish between valid serial numbers and
a spoofed serial number.  Without knowing the system key, you could
lie about the serial number, but risk detection of the lie.

IF you had the system key and the encryption algorithm you could
successfully lie with a lower probability of detection by emulating the
format of your own serial number.

Makes you wonder what's being hidden here?  Seems like the secrecy is
to prevent you from lying about who you are.

Newsgroup: sci.crypt
document_id: 15502
From: butzerd@maumee.eng.ohio-state.edu (Dane C. Butzer)
Subject: How large are commercial keys?

What are the typical sizes for keys for commercial secret key algorithms?
I know DES is 56 bits ("triple DES" is 112 bits) and IDEA is 128 bits.  Is
there anything made in the US that has 128 bit keys?  Anything anywhere
that has larger keys?  I've heard that RC2 can be scaled to arbitrarily
large keys, but is this actually implemented anywhere?

Finally, can anyone even conceive of a time/place where 128 bit keys aren't
sufficient?  (I certainly can't - even at a trillion keys a second, it
would take about 10 billion years to search just one billionth of that keys
space.)

Thanks,
Dane

Newsgroup: sci.crypt
document_id: 15503
From: amanda@intercon.com (Amanda Walker)
Subject: Re: Do we need the clipper for cheap security?

pmetzger@snark.shearson.com (Perry E. Metzger) writes:
> If the Clipper chip can do cheap crypto for the masses, obviously one 
> could do the same thing WITHOUT building in back doors. 

I agree.  So why is Cylink the only (and expensive) game in town?

Note: I think Cylink is great, and if my boss would double my salary, I'd buy 
a bunch of their stuff :).

One thing that Clipper offers is interoperability, at a higher degree of 
security than we currently have in non-proprietary voice encryption systems.
This means it will be cheaper than anyone's proprietary scheme, and easier to 
deploy.  This is, of course, either a bug or a feature depending on how you 
look at it :).

> Indeed, even without special engineering, you can construct a good 
> system right now. A standard codec chip, a chip to do vocoding, a DES 
> chip, a V32bis integrated modem module, and a small processor to do 
> glue work, are all you need to have a secure phone.

Great!  Where can I buy it?

Another note: If "Clipper" increases the incentive to bring stronger 
encryption to the mass market, all the better.  It's far overpriced at 
the moment.

> Yes, cheap crypto is good -- but we don't need it from the government.

I don't care where we *need* to get it from, I care where we *can* get it 
from, and whether it will interoperate with everyone else.
 
> Indeed, were it not for the government doing everything possible to 
> stop them, Qualcomm would have designed strong encryption right in to 
> the CDMA cellular phone system they are pioneering. Were it not for the 
> NSA and company, cheap encryption systems would be everywhere. As it 
> is, they try every trick in the book to stop it. Had it not been for 
> them, I'm sure cheap secure phones would be out right now. 

You can build them right now as long as you don't want to export (a 
restriction I firmly oppose).  The only thing stopping people from making 
cheap encryption is greed: they want a lock on the market.

> They aren't the ones making cheap crypto available. They are the ones 
> keeping cheap crypto out of people's hands. When they hand you a 
> clipper chip, what you are getting is a mess of pottage -- your prize 
> for having traded in your birthright. 

Oh, come on.  Only if you trust it farther than it deserves.  A Clipper phone 
*IS NOT* a substitute for a Cylink phone, or a STU-III.  It's a substitute 
for the "voice scramblers" advertised in the back of Radio Electronics.

> Are we getting cheaper crypto 
> for ourselves? No, because the market would have provided that on its 
> own had they not deliberately sabotaged it.

I disagree.  Modulo ITAR, it's not the government that has sabotaged the 
market.

> Someone please tell me what exactly we get in our social contract in 
> exchange for giving up our right to strong cryptography? 

Can you tell me where exactly we have given up that right?


Amanda Walker
InterCon Systems Corporation



Newsgroup: sci.crypt
document_id: 15504
From: brad@optilink.COM (Brad Yearwood)
Subject: Clipper considered harmful

If Clipper comes to cellular phones along with legal proscriptions against
using other cipher systems on these phones, a new and potentially dangerous
class of crime is created.

Criminals who very badly want inscrutable tactical communications (specifically
the terrorists and drug dealers who proponents of key escrow cite as threats)
will be highly motivated to steal the cipher phone of a legitimate user, and
to kill this person or hold them hostage so discovery of compromise of the
device will be delayed.

Once a suitable collection of devices is stolen, criminals can communicate
with impunity (assuming the cipher system carries no trapdoors apart from
key escrow) until and unless the compromise is discovered by some other means.

Because life-is-cheap criminals are currently willing to kill people to steal
very large and conspicuous property (luxury cars), it is reasonable to assume
that they will be willing to kill people to steal small and inconspicuous
property (a cipher cellular phone).  Just as we have seen in the past with
"blue box" technology, and in the present with modified cellular phones,
we can expect to see among high-stakes criminals a lucrative market for
stolen cipher phones which can be used for a few days.  The high-stakes
criminals will pay the life-is-cheap types substantial amounts for stolen
instruments.

Because a person is typically discovered as missing or dead in a few days,
a stolen instrument will be usable for only a few days.  There will be a
continuing demand for fresh phones: fresh bodies.

In other words, Clipper and similar systems have the potential to turn a
current inconvenience to law enforcement into a direct, vicious, and
persistent threat to the general public.

On the other hand, if a criminal were to apply some arbitrary cipher to a
device in a mostly non-ciphered network, the communication will at least
stand out as being unusual, and perhaps worthy of other means of investigation.

Finally, because there is essentially no possibility of intercepting in
realtime the scrutable content of communications between stolen instruments,
there will exist strong motivation to record and archive _all_ communications
in the network for ex-post-facto scrutiny (once some criminal act is discovered,
and the instruments involved have been identified).  While recording and
archiving may not be feasible for wireline networks, it is probably feasible
across the more limited bandwidth of radio networks.  The existence of these
recordings could open up vast potential for abuse.

Brad Yearwood    brad@optilink.com     {uunet, pyramid}!optilink!brad
Petaluma, CA


Newsgroup: sci.crypt
document_id: 15505
From: butzerd@maumee.eng.ohio-state.edu (Dane C. Butzer)
Subject: Re: Once tapped, your code is no good any more.

In article <1993Apr20.034724.3748@colnet.cmhnet.org> res@colnet.cmhnet.org (Rob Stampfli) writes:
>>>	With E-Mail, if they can't break your PGP encryption, they'll just
>>>call up one of their TEMPEST trucks and read the electromagnetic emissions
>>>from your computer or terminal.  Note that measures to protect yourself from
>>
>>2. I could independently invent about half a dozen right off
>>the top of my head. If I had studied Advanced E & M a little better,
>>I could probably come up with a _very_ good system.
>
>Wouldn't a a second monitor of similar type scrolling gibberish and adjacent
>to the one being used provide reasonable resistance to tempest attacks?

Actually, old video games and pinball machines are supposed to work pretty
good (at blocking EM eavesdropping), too.  Those things put out a LOT of EM
noise.  Back in the 80's, I read about computer companies putting bunches
of games in their buildings for just this purpose (not to mention the $$$).


Dane

Newsgroup: sci.crypt
document_id: 15506
From: lars@spectrum.CMC.COM (Lars Poulsen)
Subject: Re: Is there ANY security in the Clipper?

In article <ZEEV.93Apr18014822@sepia.ccc.amdahl.com> zeev@ccc.amdahl.com (Ze'ev Wurman) writes:
>It seems to me that all discussions about Clipper security are almost 
>irrelevant - if I cannot choose the key, but have to use a key chosen for
>me by the foundry, the security of the WHOLE UNIVERSE OF USERS is as good
>(or as bad) as the security of VLSI Technologies Inc.

- or their handlers.

>It is a trivial effort to run any ciphertext agains ALL THE KEYS EVER 
>MANUFACTURED - after all we are talking about 1 to 100 million keys that
>will ever be manufactured. The key depositories can be as secure and
>incorruptible as they wish to be, nobody cares anyway...:-(

The key depositories are IRRELEVANT. In order for the applicable law
enforcement agencies to be able to know what keys to request from
escrow, the system will have to squawk its serial number in clear text
as part of the link establishment protocol. Whoever owns the program 
that assigns keys to each serial number won't need access to the key
depository.

In other words, the FBI may need a court-ordered release of escrowed
keys, but the NSA has the keys before the chip is ever manufactured.
There is no need to go through the escrow or to try all keys. While
relations between law enforcement agencies have sometimes been strained,
there is also a long history of trading favors. This will re-establish
the NSA as a very important agency for everyone to get along with,
because they can give you untraceable encryption leaks without court
orders.

The more I think about this affair, the fouler it smells. I'd rather
have a DES with an engineered-in backdoor ...
-- 
/ Lars Poulsen, SMTS Software Engineer	Internet E-mail: lars@CMC.COM
  CMC Network Products / Rockwell Int'l	Telephone: +1-805-968-4262	
  Santa Barbara, CA 93117-3083		TeleFAX:   +1-805-968-8256

Newsgroup: sci.crypt
document_id: 15507
From: amanda@intercon.com (Amanda Walker)
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks 
	only

jhart@agora.rain.com (Jim Hart) writes:
> You don't care that people are being lied to, fooled into believing the 
> chip gives "privacy" when it fact it allows wiretaps?

It does give privacy, just not absolute privacy.  The announcement was very 
up front about this, and about allowing wiretaps.  How is this "fooling" 
anyone?

> are you so smart that you know when you're talking 
> to somebody who has a wiretap chip on their phone instead of a privacy 
> chip with private keys?) 

Sure.  The two don't interoperate.  You couldn't talk to, say, a Cylink phone 
from a Clipper phone.  I would expect even multiprotocol phones to come with 
indicators saying which kind of link encryption is in use...

> We *do* need an alternative to NSA-bugged telephones, but 
> we're talking inexpensive *telephones* here, including hand-sized 
> cellulars, that need strong crypto, real privacy.

So start a company and build them.  This is still mostly a capitalist 
economy...

> What we need is a true *privacy chip*.  For example, a real-time 
> voice-encryption RSA, put it into a silicon compiler and spit out 
> ASIC.  Put this chip on the market as a de facto standard for 
> international business, diplomats, and private communications.

I agree.  Go for it.


Amanda Walker
InterCon Systems Corporation



Newsgroup: sci.crypt
document_id: 15508
From: tcmay@netcom.com (Timothy C. May)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

Ted Dunning (ted@nmsu.edu) wrote:
: 
: nobody seems to have noticed that the clipper chip *must* have been
: under development for considerably longer than the 3 months that
: clinton has been president.  this is not something that choosing
: choosing bush over clinton would have changed in the slightest; it has
: been in the works for some time.

Actually, many of us have noted this. We have noted that the program
started at least 4 years ago, that the contracts with VLSI Technology
and Microtoxin were let at least 14 months ago, that production of the
chips is well underway, and so forth.

Nobody I know has claimed Clinton initiated the program. But he chose
to go ahead with it.


-Tim May
-- 
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,  
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets, 
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^756839 | Public Key: PGP and MailSafe available.


Newsgroup: sci.crypt
document_id: 15509
From: ray@ole.cdac.com (Ray Berry)
Subject: Clipper- business as usual?


    Notwithstanding all the legitimate fuss about this proposal, how much
of a change is it?  ATT's last product in this area (a) was priced over
$1000, as I suspect 'clipper' phones will be; (b) came to the customer 
with the key automatically preregistered with government authorities. Thus,
aside from attempting to further legitimize and solidify the fed's posture,
Clipper seems to be "more of the same", rather than a new direction.
   Yes, technology will eventually drive the cost down and thereby promote
more widespread use- but at present, the man on the street is not going
to purchase a $1000 crypto telephone, especially when the guy on the other
end probably doesn't have one anyway.  Am I missing something?
   The real question is what the gov will do in a year or two when air-
tight voice privacy on a phone line is as close as your nearest pc.  That
has got to be a problematic scenario for them, even if the extent of usage
never surpasses the 'underground' stature of PGP.
-- 
Ray Berry kb7ht ray@ole.cdac.com  rjberry@eskimo.com  73407.3152@compuserve.com

Newsgroup: sci.crypt
document_id: 15510
From: shirriff@sprite.berkeley.edu (Ken Shirriff)
Subject: Re: Once tapped, your code is no good any more.

In article <Apr18.194927.17048@yuma.ACNS.ColoState.EDU> holland@CS.ColoState.EDU (douglas craig holland) writes:
>	With E-Mail, if they can't break your PGP encryption, they'll just
>call up one of their TEMPEST trucks and read the electromagnetic emissions
>from your computer or terminal.  Note that measures to protect yourself from
>TEMPEST surveillance are still classified, as far as I know.

Note that TEMPEST is the name of the shielding standard.  TEMPEST is not
the name of the surveillance technique.

Ken Shirriff				shirriff@sprite.Berkeley.EDU
Disclaimer: this is what I've heard and it's in the sci.crypt FAQ, so it's
probably true but I can't guarantee it.  I'd like to know if I'm wrong.

Newsgroup: sci.crypt
document_id: 15511
From: amanda@intercon.com (Amanda Walker)
Subject: Re: text of White House announcement and Q&As on clipper chip 
	encryption

gtoal@gtoal.com (Graham Toal) writes:
> Whatever happens though, the effect of this new chip will be to make 
> private crypto stand out like a sore thumb. 

It already does.


Amanda Walker
InterCon Systems Corporation



Newsgroup: sci.crypt
document_id: 15512
From: eachus@spectre.mitre.org (Robert I. Eachus)
Subject: Re: Would "clipper" make a good cover for other encryption method?

In article <1993Apr20.032623.3046@eff.org> kadie@eff.org (Carl M. Kadie) writes:

  > Clipper might be a good way to cover the use of another layer of
  > encryption.

  But, if you are making custom equipment in any case, why not just
roll your own Clipper implementation and report the wrong keys to the
Escrow agency?  (Tells us who is going to be in the chip business if
this thing goes through--NSA, and those with something to hide from
NSA.)

  If anyone can verify that your phone is not using the key registered
to that serial number, either:

  1) They have a court ordered wiretap.  But what are they going to
do?  Tell the judge that this individual really does have privacy?
All they know is that the keys are not enough, but not why.

  2) They have a court ordered wiretap on a phone in this series.
(This part is really scary.  Since the "expectation" is that all
chips in a particular batch will use seeds based on the same S1 and
S2 and the serial number, getting the keys for one of a batch may give
access to all.)

  3) There is a backdoor which allows all messages to be deciphered
without the keys.  I find this one especially threatening since the
scheme seems very open to known plaintext attacks.  (What I need to
decipher is the data in the header.  If I talk to someone who has one
of these phones, presumably there will be an automatically negotiated
key generated.  I'm not trying to decipher the record of the
conversation to know what was said, I use it as a known plaintext to
recover the backdoor represented by the header, but I know what the
header says for conversations I participate in.  Even worse, if the
phones in a series have related keys, I can buy a phone/chip from the
same production lot.  Then I can recover its keys, either elegantly by
talking to myself, or by brute force analysis of the actual chip, then
apply the key generation process with those seeds to find the target
keys.)

    Hmmm!  I don't think I want to ever come close to these phones.
Even DES is starting to look good.  Two cans and a string will provide
much better security.



--

					Robert I. Eachus

with Standard_Disclaimer;
use  Standard_Disclaimer;
function Message (Text: in Clever_Ideas) return Better_Ideas is...

Newsgroup: sci.crypt
document_id: 15513
From: cepek@vixvax.mgi.com
Subject: Tempest vs LCD (was: Re: Once tapped...)

douglas craig holland (holland@CS.ColoState.EDU) writes:
>
> With E-Mail, if they can't break your PGP encryption, they'll just
> call up one of their TEMPEST trucks and read the electromagnetic 
> emissions from your computer or terminal.  Note that measures to 
> protect yourself from TEMPEST surveillance are still classified, as 
> far as I know.

steiner@jupiter.cse.utoledo.edu (Jason 'Think!' Steiner) writes:

> are LCD displays vulnerable to tempest?

I can see high-voltage type display devices being vulnerable (CRTs,
plasma displays, etc.)  But Jason beat me to this question.  What
about EM radiation from low-voltage items like LCD displays?

Perhaps the critical element is the driver circuitry?  The cabling?
What about a portable PC/Mac/etc., where all the "noise" is bunched
into one tiny area?

Newsgroup: sci.crypt
document_id: 15514
From: smb@research.att.com (Steven Bellovin)
Subject: Re: Off the shelf cheap DES keyseach machine (Was: Re: Corporate acceptance of the wiretap chip)

In article <1993Apr20.150531.2059@magnus.acs.ohio-state.edu>, jebright@magnus.acs.ohio-state.edu (James R Ebright) writes:
> Now why is that?  I doubt there is a trapdoor in Skipjack.  (But we will
> never know).  And I doubt the NSA would promote a mass market chip they
> couldn't compromise.  Ergo, NSA is now capable of compromising (probably
> with brute force keysearch) engines of the complexity of Skipjack.  Look
> at the specs.  Why, I bet they have thousands of little chips chugging
> away in their crypto busters... Maybe even tens of thousands.  Complexity?
> Not much more than a 3090.  How many such machines will fit into Fort Meade?

> I think PGP2.3 should have 256 bit IDEA keys...

Thousands?  Tens of thousands?  Do some arithmetic, please...  Skipjack
has 2^80 possible keys.  Let's assume a brute-force engine like that
hypothesized for DES:  1 microsecond per trial, 1 million chips.  That's
10^12 trials per second, or about 38,000 years for 2^80 trials.  Well,
maybe they can get chips running at one trial per nanosecond, and build
a machine with 10 million chips.  Sure -- only 3.8 years for each solution.

IDEA uses 128-bit keys.  Shall I bother doing the calculations for you?
Hint:  multiply 3.8 years by 2^(128-80).  And you can't do IDEA at that
speed; key setup takes much too long.  I wouldn't be surprised if that
were the case for Skipjack, too, though there's no way of knowing just
yet.  DES used only xor because that's what was feasible with mid-70's
technology.  Modern chips can do a lot more.

NSA may or may not know how to crack Skipjack and IDEA (I doubt it for
the former; I have no idea for the latter, though it does seem to be a
strong cryptosystem).  But it ain't gonna be by exhaustive search.

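The key-search arithmetic in this post and in Dane Butzer's earlier "How large are commercial keys?" post, carried through in Python as an added example (not code from either poster): it takes the assumptions the posts state (nanoseconds per trial per chip, number of chips, key length, fraction of the keyspace searched) and returns search times so the figures can be checked and varied. The 13.8-billion-year age-of-the-universe value used at the end is an input supplied here, not one the thread gives.

```python
"""Exhaustive key-search arithmetic (added example, not from the posts).

Encodes the assumptions stated in the thread: a brute-force engine of
`chips` parallel key-trial units, each taking `ns_per_trial` nanoseconds
per candidate key, run against a 2**key_bits keyspace.
"""
from math import log2

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def trials_per_second(chips: int, ns_per_trial: float) -> float:
    """Aggregate throughput of the whole engine, in key trials per second."""
    return chips * 1e9 / ns_per_trial


def search_years(key_bits: int, chips: int, ns_per_trial: float,
                 fraction: float = 1.0) -> float:
    """Years to try `fraction` of the 2**key_bits keyspace.

    fraction=1.0 is the worst case (every key tried); fraction=0.5 is the
    expected time when the target key is uniformly random.
    """
    trials = fraction * 2.0 ** key_bits
    return trials / trials_per_second(chips, ns_per_trial) / SECONDS_PER_YEAR


def key_bits_for(target_years: float, chips: int, ns_per_trial: float) -> int:
    """Smallest key length whose full search on this engine exceeds target_years."""
    trials = target_years * SECONDS_PER_YEAR * trials_per_second(chips, ns_per_trial)
    # smallest b with 2**b > trials
    return int(log2(trials)) + 1


def thread_scenarios() -> dict:
    """The configurations argued about in the thread, as label -> years."""
    return {
        # Bellovin: 1 us per trial, 1 million chips, Skipjack's 80-bit key
        "skipjack, 10^6 chips @ 1 us": search_years(80, 10**6, 1000),
        # Bellovin: 1 ns per trial, 10 million chips
        "skipjack, 10^7 chips @ 1 ns": search_years(80, 10**7, 1),
        # same engine against IDEA's 128-bit key (2^48 times longer)
        "idea, 10^7 chips @ 1 ns": search_years(128, 10**7, 1),
        # Butzer: a trillion keys/s searching one billionth of 2^128
        "idea, 10^-9 of keyspace @ 10^12/s": search_years(128, 10**6, 1000, fraction=1e-9),
        # DES on the 10^12 trials/s engine, for scale (about 20 hours)
        "des, 10^6 chips @ 1 us": search_years(56, 10**6, 1000),
    }


if __name__ == "__main__":
    for label, years in thread_scenarios().items():
        print(f"{label:36s} {years:12.3e} years")
    # Key length that outlasts the age of the universe (1.38e10 years, a
    # figure supplied here, not by the thread) on the 10^16 trials/s engine.
    print("bits that outlast 1.38e10 years at 10^16 trials/s:",
          key_bits_for(1.38e10, 10**7, 1))
```

Running it reproduces the post's 38,000 years for 80 bits at 10^12 trials/s and 3.8 years at 10^16 trials/s, Butzer's roughly 10 billion years for a billionth of the 128-bit space at 10^12 trials/s, and shows that anything past 112 bits already outlasts the age of the universe on the larger engine, before key setup cost is even considered.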
Newsgroup: sci.crypt
document_id: 15515
From: kepley@photon.phys.unca.edu (Brad Kepley)
Subject: Re: Once tapped, your code is no good any more.

In article <1993Apr20.161838.13213@coop.com> felixg@coop.com (Felix Gallo) writes:
>pat@rwing.UUCP (Pat Myrto) writes:
>
>>If the Clinton Clipper is so very good, [...]
>
>Please note that Bill Clinton probably has little if anything to do
>with the design, implementation or reasoning behind this chip or behind

Can't we move the political bickering to a more appropriate group?
-- 
Brad Kepley                  Internet         kepley@photon.phys.unca.edu
Work-days                    Voice            (704)252-8330
--

Newsgroup: sci.crypt
document_id: 15516
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Clipper considered harmful

brad@optilink.COM (Brad Yearwood) writes:

> Criminals who very badly want inscrutable tactical communications (specifically
> the terrorists and drug dealers who proponents of key escrow cite as threats)
> will be highly motivated to steal the cipher phone of a legitimate user, and
> to kill this person or hold them hostage so discovery of compromise of the
> device will be delayed.

Why do it in such a rough manner? It is much more professional to
steal the chip from the phone and even to replace it with a
pin-compatible do-nothing chip that does not encrypt at all. Chances
are that the victim will not notice anything, especially if it is done
professionally.

> Once a suitable collection of devices is stolen, criminals can communicate
> with impunity (assuming the cipher system carries no trapdoors apart from
> key escrow) until and unless the compromise is discovered by some other means.

No, because the Feds will still be able to decrypt the conversations.
True, they'll blame the wrong guys, but nevertheless one cannot say
something like "The drugs arrive tomorrow on the ship 'Terminus'"
when the Feds are listening, even if they cannot identify who the
speaker is.

No, the criminals will just use some secure encryption. The new
proposal does not stop criminals; it ensures that the government will
be able to wiretap the average citizen and stops the casual snooper.
To me, it also clearly looks like a step towards outlawing any other
strong encryption devices.

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

Newsgroup: sci.crypt
document_id: 15517
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: How large are commercial keys?

butzerd@maumee.eng.ohio-state.edu (Dane C. Butzer) writes:

> Finally, can anyone even conceive of a time/place where 128 bit keys aren't
> sufficient?  

It depends on the algorithm used. 128-bit secret keys for RSA are
definitively not secure enough.

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

Newsgroup: sci.crypt
document_id: 15518
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks only

jfc@athena.mit.edu (John F Carr) writes:
>In article <19930419.155204.305@almaden.ibm.com>
>	ameline@vnet.IBM.COM (Ian Ameline) writes:
>
>>  I also believe that someone will reverse engineer the clipper chip,
>>and knowledge of the algorithm will likely be fairly widespread.
>
>The chip and algorithm are classified.  If you reverse engineer it and
>tell people, you are likely to go to jail.

Well, I'm not a lawyer, but from what I can tell this is completely
and utterly untrue.

You see, this country has this thing called a "constitution".

If you legitimately acquire the device, and you yourself are
not a government employee or otherwise encumbered, I don't think they
can stop you from revealing anything about the device you can
determine. Remember the Pentagon Papers precedent? The First Amendment
applies here.

The U.S. does NOT have an official secrets act. We do have laws that
will punish you for revealing what classified information you learned
in your capacity as a government official, contractor, etc, and we
have laws that prohibit stealing such information. However, if they
sell you the chip, I can't see that they can make reverse engineering
it and revealing the details illegal.

--
Perry Metzger		pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
document_id: 15519
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: How does it really work? (was Re: text of White House announcement and Q&As on clipper chip encryption)

	From: Marc VanHeyningen <mvanheyn@cs.indiana.edu>

	The majority of the discussion involving this "Clipper Chip" seems to
	pertain to the encryption of telephone conversations.  Does anyone
	know if that means this chip is designed to work primarily with analog
	signals?  The language sort of suggests this, but it's hard to say.

I'd lay a few bucks that it's just data-in-data-out in parallel.  I suspect
to make it a phone you'd need a codec and speech compression.  There would
be a loss of bandwidth on the speech signal, which I suspect would scupper
any of the suggestions I've seen here about putting a different encryption
front end on it.

There's no hint of any modulation scheme in the docs.  I'm sure it's purely
a digital chip.  The back end will come later, but I'm *positive* it won't
be left to the manufacturers - they all have to be the same modulation
scheme to make it easy for the NSA to tap them.

The only other possibility is that this is intended only for ISDN phones.
(Puts a whole new spin on EFF's obsession about ISDN if true, bwahahaha! ;-) )

G

Newsgroup: sci.crypt
document_id: 15520
From: Graham Toal <gtoal@gtoal.com>
Subject: Re: Once tapped, your code is no good any more.

In article <2073@rwing.UUCP> pat@rwing.UUCP (Pat Myrto) writes:
:If the Clinton Clipper is so very good, why not make its algorithm public
:so many people can exchange ideas and examine it, rather than a few
:isolated 'respected experts' (respected by whom?  for what?  Perhaps a
:certain professor who likes key banks would be one of the selected
:experts... this does seem to expand on some ideas the person was
:advocating, if I recall :-).  How would anybody know that what the

Actually, I am *completely* baffled by why Dorothy Denning has chosen
to throw away her academic respectability like this.  It looks to me
like a *major* Career Limiting Move.  There can be very few people
who know what she's been saying who take her seriously any more.

I wonder if she landed such a fat fee from cooperation with the NSA in
the design and propaganda stages that she doesn't care any more?

G

Newsgroup: sci.crypt
document_id: 15521
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: "clipper chip"

	From: "dan mckinnon" <dan.mckinnon@canrem.com>

	   I have lurked here a bit lately, and though some of the math is
	unknown to me, found it interesting. I thought I would post an article I
	found in the Saturday, April 17, 1993 Toronto Star:

	                  'CLIPPER CHIP' to protect privacy

Politics is of course Dirty Pool, old man, and here we have a classic
example: the NSA and the administration have been working on this for
a *long* time, and in parallel with the announcement to us techies, we
see they're hitting the press with propaganda.

It's my bet the big magazines - Byte, Scientific American, et al. - will
be ready to run with a pre-written government-slanted story on this in
the next issue.  ('Just keep us some pages spare boys, we'll give you
the copy in time for the presses')

We *must* get big names in the industry to write well argued pieces against
this proposal (can you call it that when it's a de facto announcement?) and
get them into the big magazines before too much damage is done.

It would be well worth folks archiving all the discussions from here since
the day of the announcement to keep all the arguments at our fingertips.  I
think between us we could write quite a good piece.

Now, who among us carries enough clout to guarantee publication?  Phil?
Don Parker?  Mitch Kapor?

G

Newsgroup: sci.crypt
document_id: 15522
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

] gtoal@news.ibmpcug.co.uk (Graham Toal) writes:
] > Try reading between the lines David - there are *strong* hints in there 
] > that they're angling for NREN next,

] Where?  I honestly didn't see any...

Hint 1:

: Sophisticated encryption technology has been used for years to
: protect electronic funds transfer.  It is now being used to
: protect electronic mail and computer files.  While encryption
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Hint 2:

: This new technology will help companies protect proprietary
: information, protect the privacy of personal phone conversations
: and prevent unauthorized release of data transmitted
                                      ^^^^^^^^^^^^^^^^
: electronically.  At the same time this technology preserves the
  ^^^^^^^^^^^^^^ 
:      --   the privacy of our citizens, including the need to
:           employ voice or data encryption for business purposes;
                         ^^^^^^^^^^^^^^^^^^
:      --   the ability of authorized officials to access telephone
:           calls and data, under proper court or other legal
                  ^^^^^^^^
:           order, when necessary to protect our citizens;

VERY BIG HINT 3:

# The Administration is committed to working with the private
# sector to spur the development of a National Information
# Infrastructure which will use new telecommunications and computer
# technologies to give Americans unprecedented access to
# information.  This infrastructure of high-speed networks
# ("information superhighways") will transmit video, images, HDTV
# programming, and huge data files as easily as today's telephone
# system transmits voice.

VERY BIG HINT 4: (See above)

## Since encryption technology will play an increasingly important
## role in that infrastructure, the Federal Government must act
## quickly to develop consistent, comprehensive policies regarding
## its use.

] > and the only conceivable meaning of 
] > applying this particular technology to a computer network is that they 
] > intend it to be used in exclusion to any other means of encryption. 

] I disagree, if for no other reason than that there are already other 
] standards in place.  Besides, even if they restrict encryption on the NREN, 
] who cares?  Most of the Internet is commercial anyway.  The NREN is only for 
] government and university research (read the proposals--it's a "data 
] superhighway" for Cray users, not anything having to do with the Internet).

Oh, I see your point.  I think you're wrong.  But if you sit back and wait
to find out if I'm right, it'll be too late.  Just listen *very* carefully
for the first 'such and such will not be permitted on network XYZ' shoe to
drop.

G



Newsgroup: sci.crypt
document_id: 15523
From: jbotz@mtholyoke.edu (Jurgen Botz)
Subject: Re: The [secret] source of that announcement

In article <MARC.93Apr17211937@oliver.mit.edu> marc@mit.edu (Marc Horowitz N1NZU) writes:
>Just who is that, I asked myself, or rather, I asked the computer.
>
>    % telnet csrc.ncsl.nist.gov 25
>    Trying...
>    Connected to csrc.ncsl.nist.gov.
>    Escape character is '^]'.
>    220 first.org sendmail 4.1/NIST ready at Sat, 17 Apr 93 20:42:56 EDT
>    expn clipper
>    250-<csspab@mail-gw.ncsl.nist.gov>
>[...]
>    221 first.org closing connection
>    Connection closed.
>
>Well, isn't that interesting.  Dorothy Denning, Mitch Kapor, [...]

Even more interesting: the SMTP server at csrc.ncsl.nist.gov no longer
recognizes the 'expn' and 'vrfy' commands...

   telnet csrc.ncsl.nist.gov smtp
   Trying 129.6.54.11...
   Connected to csrc.ncsl.nist.gov.
   Escape character is '^]'.
   220 first.org sendmail 4.1/NIST ready at Tue, 20 Apr 93 17:01:34 EDT
   expn clipper
   500 Command unrecognized

Seems like somebody didn't like your snooping around, Marc.
-- 
Jurgen Botz, jbotz@mtholyoke.edu | Vending machines SHOULD respond to a [finger]
South Hadley, MA, USA            | request with a list of all items currently
--Unix is dead, long live Unix-- | available for purchase... -RFC1288

Newsgroup: sci.crypt
document_id: 15524
From: rdippold@qualcomm.com (Ron "Asbestos" Dippold)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

ted@nmsu.edu (Ted Dunning) writes:
>nobody seems to have noticed that the clipper chip *must* have been
>under development for considerably longer than the 3 months that
>clinton has been president.  this is not something that choosing
>choosing bush over clinton would have changed in the slightest; it has
>been in the works for some time.

I've got no doubts that this would probably have gone ahead if Bush
was still president.  What's puzzling to me are the people who are
apparently amazed that Clinton is going along with it.
-- 
Other than that, Mrs. Lincoln, how did you like the play?

Newsgroup: sci.crypt
document_id: 15525
From: Grant@DOCKMASTER.NCSC.MIL (Lynn R Grant)
Subject: Another key registration body bites the dust (IMHO)

One of the candidates that has been suggested for a key registration
body is the ACLU.  I think this is a poor choice.  The ACLU is
essentially a group of auditors: they audit how people's civil
liberties are administered.  Traditionally, auditors do not like to get
involved in the design or operational aspects of things, and with good
reason.

When I was a systems programmer, it always infuriated me that the
auditors would come in and tell us our implementation stunk from a
security point of view, but wouldn't tell us how to fix it.  I always
figured they just liked to criticize, without doing the work to help fix
the problem.

Then I took a stint as an auditor, and I found out the real reason.
Auditors don't like to recommend solutions, because it puts them in a
bad position if they have to criticize the implementation later.  The
auditee can say, "Well, you told us this way would be OK."  It
compromises the independence that is a necessary part of the auditor's
job.

Taking the case at hand, suppose ACLU becomes a key half registrar.
Suppose that, perhaps through some error on ACLU's part, a key half gets
away that shouldn't, and is used to deprive someone of her civil
liberties.  The ACLU gets wind of this, and wants to take it to court.
But they end up being at the same time on the side of the defendant
and of the plaintiff, which is not an easy position to be in.

There are exceptions to the complete independence of auditors: at one
place where I worked, when payroll checks were printed, they were signed
automatically by a signature drum on the bursting machine.  This drum
was kept by the auditors (who also kept the check stock), and
was brought down to Data Processing when it was time to do the checks.

I believe the difference between this situation and the key registration
situation is that it is fairly obvious when it is time to do the payroll
checks:  if they were done yesterday, and someone wants to do them again
today, he better be able to produce yesterday's checks so that they can
be destroyed.  Determining which of the many requests for key halves are
legit is a trickier process, one much more prone to mistakes that could
put the ACLU in a protecting-the-client versus protecting-the-ACLU
conflict of interest.

As always, my opinions are my own.

Lynn Grant
Grant@Dockmaster.NCSC.MIL

Newsgroup: sci.crypt
document_id: 15526
From: amolitor@nmsu.edu (Andrew Molitor)
Subject: Re: Off the shelf cheap DES keysearch machine (Was: Re: Corporate acceptance of the wiretap chip)

In article <1993Apr20.192105.11751@ulysses.att.com>
	smb@research.att.com (Steven Bellovin) writes:
>
> [ responding to claims about Skipjack cracking engines ]
>
>Thousands?  Tens of thousands?  Do some arithmetic, please...  Skipjack
>has 2^80 possible keys.  Let's assume a brute-force engine like that
>hypothesized for DES:  1 microsecond per trial, 1 million chips.  That's
>10^12 trials per second, or about 38,000 years for 2^80 trials.  Well,
>maybe they can get chips running at one trial per nanosecond, and build
>a machine with 10 million chips.  Sure -- only 3.8 years for each solution.
>

	I think I should also point out that the mystical DES engines
are known plaintext engines (unless you add a ton of really smart
hardware?)

	The 'plaintext' is digitized voice, and exists for a very short
time, probably in a couple inches of copper, tops. It's flatly not
available -- your bug in my office can hear my voice, and even digitize
it, but it's going to get a different bitstream.

	It is horribly naive to suppose that regular folks can figure
out how to crack skipjack, or clipper based telephones. I'm certainly
not devoting a great deal of thought to it.

	Andrew Molitor


Newsgroup: sci.crypt
document_id: 15527
From: hanson@kronos.arc.nasa.gov (Robin Hanson)
Subject: Estimating Wiretap Costs/Benefits

I'm attempting to write a serious policy paper examining whether the
proposed wiretap (or "Clipper") chip is a cost-effective tool for
police investigation.  That is, ignoring concerns about government
intrusions into individual privacy, is the value of easy wiretaps to
investigators greater than the cost to the communications industry,
and their customers, to support this wiretap technology?  

A rough estimate suggests that wiretaps are worth about five million
dollars per year to U.S. law enforcement agencies.  (In 1990, 872 U.S.
wiretaps led to 2057 arrests, while total police expenditures of $28
billion led to 11.25 million arrests [ref US Statistical Abstracts].)
I'm working on estimating this wiretap benefit more accurately, but
I'd like to ask hardware experts out there to help me with estimating
the costs of the new proposed wiretap technology.

Please send me quotable/citeable estimates for:

- How many chips would need to be made per year to keep all
  phones with wiretap chips?
- How much would it cost to make each chip?
- How much did it cost to develop this technology in the first place?
- How much more would supporting hardware, people, etc. cost, per chip?
- What percentage cheaper would encryption chips and support have been
  if private enterprise could compete to meet customer encryption needs?
- What percentage of phone traffic would be taken up by the proposed
  "law enforcement blocks"?
- What is the total cost of handling all phone traffic per year?

Put another way, the question I'm asking is, what if each police
agency that wanted a particular wiretap had to pay for it, being
charged their share of the full social cost of forcing communication
to be wiretap compatible?  Would they choose to buy such wiretaps, or
would they find it more cost-effective to instead investigate crimes
in other ways?
-- 
Robin Hanson  hanson@ptolemy.arc.nasa.gov 
415-604-3361  MS-269-2, NASA Ames Research Center, Moffett Field, CA 94035
510-651-7483  47164 Male Terrace, Fremont, CA  94539-7921 

Newsgroup: sci.crypt
document_id: 15528
From: Markowitz@DOCKMASTER.NCSC.MIL
Subject: exportability of PKZIP (was: RE: RC2)

Vesselin Bontchev (bontchev@fbihh.informatik.uni-hamburg.de) writes:

>>Markowitz@DOCKMASTER.NCSC.MIL writes:
>>> It is interesting to note in this regard that permission to export
>>> PKZIP's encryption scheme has twice been denied by NSA.  Draw your own
>>> conclusions.

>>Uh, I'm afraid that your information is slightly out of date...
>>PKWare has obtained a license to export their program to the whole
>>world, except a very limited list of countries...  Draw your own
>>conclusions about the strength of the algorithm...  :-)

Sorry if I was less than clear.  :-) I was referring to our own efforts
to receive export permission from NSA for the PKZIP encryption
algorithm, not to any effort on the part of Phil Katz or PKWare.

I should point out that the original version of this algorithm was
designed by Roger Schlafly and that WE (meaning Roger and myself) were
twice denied an export license for it.  The second go 'round was just
this past fall.

I had no knowledge of Phil's attempts in this.  I do not even *know* for
sure if he chose to implement the algorithm as it was designed by
Roger, though I *believe* that was at least the case for versions prior
to 2.0.  And then there's the question of key management.  :-)

And even if our applications were identical, there is no reason to
assume the NSA would treat them that way.  :-)

-mjm

----------
  Michael J. Markowitz, VP R&D      markowitz@dockmaster.ncsc.mil
  Information Security Corp.        708 405-0500, fax: 708 405-0506
  1141 Lake Cook Rd., Suite D       MCI:  363-1959
  Deerfield, IL  60302              CIS: 76206,2617


Newsgroup: sci.crypt
document_id: 15529
From: amolitor@nmsu.edu (Andrew Molitor)
Subject: Re: Off the shelf cheap DES keysearch machine (Was: Re: Corporate acceptance of the wiretap chip)

In article <1r1otuINNdb2@dns1.NMSU.Edu>
	amolitor@nmsu.edu (Andrew Molitor) writes:

>	The 'plaintext' is digitized voice, and exists for a very short
>time, probably in a couple inches of copper, tops. It's flatly not
>available -- your bug in my office can hear my voice, and even digitize
>it, but it's going to get a different bitstream.

	I am an idiot. The plaintext that's relevant is the session key.
If you know that, you probably don't need a roomful of chips, do you?
If you were going to brute force something interesting, that'd be the
message stream, which is sort of approximately known by, say, a bug in
my office. Then your roomful of chips could get the session key. Which
I change every morning.

	Really, it's just a whole lot easier for the illicit wiretappers
to stick a bug in your phone.

	Andrew Molitor

Newsgroup: sci.crypt
document_id: 15530
From: hollasch@kpc.com (Steve Hollasch)
Subject: Re: Clipper considered harmful

brad@optilink.COM (Brad Yearwood) writes:
| If Clipper comes to cellular phones along with legal proscriptions against
| using other cipher systems on these phones, a new and potentially dangerous
| class of crime is created.
| 
| Criminals who very badly want inscrutable tactical communications
| (specifically the terrorists and drug dealers who proponents of key escrow
| cite as threats) will be highly motivated to steal the cipher phone of a
| legitimate user, and to kill this person or hold them hostage so discovery
| of compromise of the device will be delayed.

    Yow - get some sleep Brad!  You mean that people (i.e. life-is-cheap
terrorists & drug-dealing warlords) who want to communicate in privacy will
prefer to break into my house, kill or kidnap me, and steal my telephone,
rather than:

        - Spending $15 at K-mart to buy a new phone.

        - Purchasing a load of phones from the black market / flea market /
          super market.

        - Talking (*gasp*) face-to-face.

        - Walking down to any one of millions of pay phones.

        - Using messengers.

        - Going to excruciating effort to think of code phrases like "I had
          a blowout on the freeway today".

    Look, this system does nothing to threaten folks who _know_ they're
being wiretapped, since it's trivial to find other avenues of communication;
they'd have no reason to resort to extreme measures, since a plethora of
simple alternatives are easily available to them.

    Among all the legitimate reasons to damn the proposed system, I don't
think we need to worry about terrorist commie drug warlord assassin thugs
murdering our families, kicking the dog and leaving the toilet seat up just
to steal a $15 telephone.  The system is more like urine testing:  it
catches some small number of very stupid people, has no effect on the "bad
guys" with at least three neurons working in unison who wish to subvert it,
and penalizes most heavily those who have no cause to be subject to it.

______________________________________________________________________________
Steve Hollasch                                   Kubota Pacific Computer, Inc.
hollasch@kpc.com                                 Santa Clara, California

Newsgroup: sci.crypt
document_id: 15531
From: amanda@intercon.com (Amanda Walker)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

gtoal@gtoal.com (Graham Toal) writes:
> Oh, I see your point.  I think you're wrong.  But if you sit back and 
> wait to find out if I'm right, it'll be too late.  Just listen *very* 
> carefully for the first 'such and such will not be permitted on network 
> XYZ' shoe to drop. 

I've been a very intent spectator of the NREN for years.  As a 
commercial IP software vendor, it really is my professional opinion that the 
NREN, at this point, is irrelevant to private sector networking.  If it had 
been deployed five years ago, it would have been a major development.  Now,
however, it's just an upgrade to the NSFnet, and an attempt to revive the 
lagging use of the national supercomputer centers.  You could cut out the 
NSFnet completely, and the Internet would continue chugging along without a 
hiccup (aside from a few universities).

Long-haul networking and Internet connectivity have long since ceased to be 
under federal sponsorship or regulation, at least in the USA.  The success of 
the CIX (Commercial Internet Exchange) is a prime example of this.  While our 
dear VP has been promoting his "data superhighway," the private sector has 
been building it, without the NSFnet's restrictions.

To illustrate, a connection from the machine on my desk to the machine your 
article was posted from (pizzabox.demon.co.uk) involves *only* commercial IP 
providers until it hits Amsterdam.  No NSFnet.  No NREN.  No "appropriate 
use" restrictions.  It's even 1.544mbps (T1) until it hits the EUnet 
gateway...

QED.


Amanda Walker
InterCon Systems Corporation



Newsgroup: sci.crypt
document_id: 15532
From: usenet@news.cso.uiuc.edu (Net Noise owner)
Subject: Re: Fascinating facts: 30 bit serial number, possibly fixed S1 and S2

The only way to view this method of generating unit keys is as a back-door.
What else can you call a key deterministically generated from the serial
number?


 To generate the unit key for a serial number N, the 30-bit value N is
   first padded with a fixed 34-bit block to produce a 64-bit block N1.
   S1 and S2 are then used as keys to triple-encrypt N1, producing a
   64-bit block R1:

	   R1 = E[D[E[N1; S1]; S2]; S1] .

   Similarly, N is padded with two other 34-bit blocks to produce N2 and
   N3, and two additional 64-bit blocks R2 and R3 are computed:  

	   R2 = E[D[E[N2; S1]; S2]; S1] 
	   R3 = E[D[E[N3; S1]; S2]; S1] .

   R1, R2, and R3 are then concatenated together, giving 192 bits. The
   first 80 bits are assigned to U1 and the second 80 bits to U2.  The
   rest are discarded.  The unit key U is the XOR of U1 and U2.  U1 and U2
   are the key parts that are separately escrowed with the two escrow
   agencies.


What happens is that the need for the Escrow houses is completely eliminated.
Or should I say, the need to _access_ the Escrow houses to decrypt the data.
The houses will still serve a real purpose as far as generating the illusion
of protection, and small-town cops won't be let in on the "secret", so they
will still go through the motions of going to the Escrow houses, but the fact
is __the Federal government CAN and WILL build a chip which generates the unit
keys from the encrypted serial number!__  'Nuff Said.
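The derivation quoted above, as an added example (not code from the post, from the quoted description, or from any Clipper implementation). Skipjack is not available, so E and D here are a stand-in 64-bit Feistel cipher keyed through SHA-256, and the three 34-bit pads, the S1/S2 family keys and the serial number are constructed placeholders; what the code shows is the post's point, that the two escrowed halves and a direct computation from the serial number with S1 and S2 yield the same U.

```python
"""Clipper unit-key derivation as described in the quoted text.

Constructed example: Skipjack is not available, so E/D below are a
stand-in 64-bit Feistel cipher keyed via SHA-256.  The three 34-bit
pads and the S1/S2 family keys are placeholders as well.  Only the
structure of the derivation (pad -> EDE -> concatenate -> split -> XOR)
follows the text.
"""
import hashlib

ROUNDS = 8
MASK32 = 0xFFFFFFFF
MASK80 = (1 << 80) - 1

# Constructed 34-bit pads; the real fixed pads are not given in the text.
PADS = (0x0_0000_0001, 0x0_0000_0002, 0x0_0000_0003)


def _f(half: int, key: bytes, rnd: int) -> int:
    """Keyed 32-bit round function (stand-in, not Skipjack's G permutation)."""
    digest = hashlib.sha256(key + bytes([rnd]) + half.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")


def E(block: int, key: bytes) -> int:
    """Encrypt a 64-bit block: E[block; key] in the text's notation."""
    left, right = block >> 32, block & MASK32
    for rnd in range(ROUNDS):
        left, right = right, left ^ _f(right, key, rnd)
    return (left << 32) | right


def D(block: int, key: bytes) -> int:
    """Decrypt a 64-bit block: the inverse of E under the same key."""
    left, right = block >> 32, block & MASK32
    for rnd in reversed(range(ROUNDS)):
        left, right = right ^ _f(left, key, rnd), left
    return (left << 32) | right


def pad_serial(n: int, pad: int) -> int:
    """Pad the 30-bit serial N with a fixed 34-bit block -> 64-bit block Ni."""
    if not 0 <= n < (1 << 30) or not 0 <= pad < (1 << 34):
        raise ValueError("serial must be 30 bits, pad must be 34 bits")
    return (n << 34) | pad


def triple_encrypt(block: int, s1: bytes, s2: bytes) -> int:
    """Ri = E[D[E[Ni; S1]; S2]; S1]  (EDE with S1, S2, S1)."""
    return E(D(E(block, s1), s2), s1)


def unit_key_parts(n: int, s1: bytes, s2: bytes) -> tuple:
    """Return (U1, U2): the two 80-bit halves handed to the escrow agents."""
    r1, r2, r3 = (triple_encrypt(pad_serial(n, p), s1, s2) for p in PADS)
    bits192 = (r1 << 128) | (r2 << 64) | r3   # R1 || R2 || R3
    u1 = bits192 >> 112                        # first 80 bits
    u2 = (bits192 >> 32) & MASK80              # second 80 bits; last 32 discarded
    return u1, u2


def unit_key(n: int, s1: bytes, s2: bytes) -> int:
    """U = U1 XOR U2, computed directly from N plus the family keys S1, S2."""
    u1, u2 = unit_key_parts(n, s1, s2)
    return u1 ^ u2


def recover_from_escrow(u1: int, u2: int) -> int:
    """What combining the two escrow agents' halves yields."""
    return u1 ^ u2


# Constructed placeholder family keys (10 bytes = 80 bits each).
S1 = bytes.fromhex("0123456789abcdef0011")
S2 = bytes.fromhex("fedcba98765432100022")

if __name__ == "__main__":
    serial = 0x2A5F3C1            # constructed 30-bit serial number
    u1, u2 = unit_key_parts(serial, S1, S2)
    # Path 1: the lawful route, combining the halves held by both agents.
    via_escrow = recover_from_escrow(u1, u2)
    # Path 2: whoever holds S1 and S2 needs only the transmitted serial.
    via_family_keys = unit_key(serial, S1, S2)
    print(f"U1 = {u1:020x}\nU2 = {u2:020x}")
    print(f"U (escrow)      = {via_escrow:020x}")
    print(f"U (from serial) = {via_family_keys:020x}")
    print("same key either way:", via_escrow == via_family_keys)
```

The defensive reading is the one the post makes: escrowing U1 and U2 separately protects nothing against a party that holds S1 and S2, because U is a deterministic function of the serial number alone.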

Newsgroup: sci.crypt
document_id: 15533
From: warlord@MIT.EDU (Derek Atkins)
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks only

-----BEGIN PGP SIGNED MESSAGE-----

> Why do we hackers care about the Clipper chip?  Do we give a shit
> about anybody's privacy except our own?  And perhaps not even our
> own; are we so smart that we always know when we're talking to
> somebody who has a wiretap on their phone?

I find this a very disturbing view!  Yes, we DO care about EVERYONE's
privacy... Even if "they" don't know it. What happens if the gov't
starts creating legislation such that the Clipper and such
technologies become the only "legal" encryption forms?  What happens
when the Clipper is the *ONLY* type of encryption chips available to
the masses?

Sure, you might have your own method of encryption, but if you don't
have anyone else to talk to, what use is it?  You can't assume that
EVERYONE will be as open as you appear to be about encryption.

The point here is not the specific instance of the Wiretap Chip.
Rather, it is like having the government telling you that they want a
copy of your house key, safe-deposit box keys, etc., and telling you
that "they won't use them unless it's totally necessary."  I sure
wouldn't want that.  Why should encryption be any different?

- -derek

PGP 2 key available upon request on the key-server:
	pgp-public-keys@toxicwaste.mit.edu

-----BEGIN PGP SIGNATURE-----
Version: 2.2

iQBuAgUBK9RxVjh0K1zBsGrxAQHd8ALEDi3Ear7rEmr1UHuxqv2YIblH6px6VXnb
+sJLcUGzZxTCfxbRqIf7msLp98p0EvYYnLZbbORyVhfSzyyHYHeQqQILHEK3LPQE
aP29+od6YZrCCHarNRS024E=
=Ftek
-----END PGP SIGNATURE-----
--
  Derek Atkins, MIT '93, Electrical Engineering and Computer Science
     Secretary, MIT Student Information Processing Board (SIPB)
           MIT Media Laboratory, Speech Research Group
           warlord@MIT.EDU       PP-ASEL        N1NWH

Newsgroup: sci.crypt
document_id: 15534
From: pdc@dcs.ed.ac.uk (Paul Crowley)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

Quoting pla@sktb.demon.co.uk in article <8AOHOnj024n@sktb.demon.co.uk>:
>You have every reason to be scared shitless.  Take a look at the records
>of McCarthy, Hoover (J. Edgar, not the cleaner - though they both excelled at
>sucking) and Nixon.

History does not record whether J. Edgar Hoover was any good at sucking.
As for the cleaners, I'll stick with my 850W Electrolux and damn the
carpet.
  __                                  _____
\/ o\ Paul Crowley   pdc@dcs.ed.ac.uk \\ //
/\__/ Trust me. I know what I'm doing. \X/  Fold a fish for Jesus!

Newsgroup: sci.crypt
document_id: 15535
From: amolitor@nmsu.edu (Andrew Molitor)
Subject: Re: Once tapped, your code is no good any more.

In article <C5so84.Hxv@demon.co.uk> Graham Toal <gtoal@gtoal.com> writes:
>Actually, I am *completely* baffled by why Dorothy Denning has chosen
>to throw away her academic respectability like this.  It looks to me
>like a *major* Career Limiting Move.  There can be very few people
>who know what she's been saying who take her seriously any more.

	Actually, I've been following her remarks for some time, with
interest. I'm also a member of academia, and her remarks have done nothing
but elevate her respectability in my eyes. It remains to be seen whether
you are the radical fringe, or I.

	It is generally an error to assume that your beliefs are held by
the majority, or even a sizable minority. Especially when you're seeing
tens, nay dozens, of people on usenet agreeing with you.

	Andrew Molitor

Newsgroup: sci.crypt
document_id: 15536
From: dgr@ENG.Vitalink.COM (Daniel Robinson)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

In article <1993Apr19.130132.12650@afterlife.ncsc.mil> rlward1@afterlife.ncsc.mil (Robert Ward) writes:
+In article <bontchev.734981805@fbihh> bontchev@fbihh.informatik.uni-hamburg.de writes:
+>and since the US constitution guarantees the right to every American
+>to bear arms, why is not every American entitled, as a matter of
+
+Have you read the applicable part of the Constitution and interpreted it IN 
+CONTEXT?  If not, please do so before posting this misinterpretation again.
+It refers to the right of the people to organize a militia, not for individuals 
+to carry handguns, grenades, and assault rifles.  

Hmmm, this could become a flame war very quickly.  The text is "...well
regulated militia..."  When that amendment was written and approved,
"regulated" meant "armed".  Remember all of those Westerns where bounty
hunters were called "regulators"?  This is now an archaic usage of the
word, but the original intent of the amendment was about weapons, not
control.

My $0.02.

Dan Robinson

Newsgroup: sci.crypt
document_id: 15537
From: Graham Toal <gtoal@gtoal.com>
Subject: Re: Off the shelf cheap DES keyseach machine (Was: Re: Corporate acceptance of the wiretap chip)

In article <1993Apr20.192105.11751@ulysses.att.com> smb@research.att.com (Steven Bellovin) writes:
:Thousands?  Tens of thousands?  Do some arithmetic, please...  Skipjack
:has 2^80 possible keys.

We don't yet know if all 80 bits count.  Anyway, its looking like the
keys and escrow arrangements are smoke and mirrors to cover the way the NSA
can regenerate the key from the transmitted serial number.

G

Newsgroup: sci.crypt
document_id: 15538
From: olson@umbc.edu (Bryan Olson; CMSC)
Subject: Re: WH proposal from Police point of view


In article <1993Apr18.034352.19470@news.clarkson.edu>, tuinstra@sunspot.ece.clarkson.edu.soe (Dwight Tuinstra) writes:
|> It might pay to start looking at what this proposal might mean to a
|> police agency.  It just might be a bad idea for them, too.
|> 
|> OK, suppose the NY State Police want to tap a suspect's phone.  They
|> need a warrant, just like the old days.  But unlike the old days, they
|> now need to 
|> 
|>    (a) get two federal agencies to give them the two parts of
|>        the key.
|> 
|> Now, what happens if there's a tiff between the two escrow houses?
|> Posession/release of keys becomes a political bargaining chit.

	While I think it is unrealistic to suppose that the federal
agencies will fail to promptly comply with a court order, there is 
still a good point here.  Local law enforcement will be unable to perform
a wiretap without bringing in federal agencies.   Based on the (possibly
incomplete) understanding of the system quoted from D. Denning, only the
FBI will be able to decrypt the system key encryption layer, which seems
to be needed even to identify what escrowed keys to request.  This moves
a great deal of law enforcement power to the federal level.
	The reason I like this point is that it may sway or even persuade
people who don't generally line up with the civil liberties crowd.  A
national police force is opposed by people from a broad range of political 
viewpoints.


olson@umbc.edu

Newsgroup: sci.crypt
document_id: 15539
From: steve-b@access.digex.com (Steve Brinich)
Subject: Re: Once tapped, your code is no good any more.

  For that matter, it shouldn't be that difficult to design a black box
that gives off EMR similar to a monitor with gibberish on the screen....





Newsgroup: sci.crypt
document_id: 15540
From: rdippold@qualcomm.com (Ron "Asbestos" Dippold)
Subject: Re: Once tapped, your code is no good any more.

Graham Toal <gtoal@gtoal.com> writes:
>Actually, I am *completely* baffled by why Dorothy Denning has chosen
>to throw away her academic respectability like this.  It looks to me
>like a *major* Career Limiting Move.  There can be very few people
>who know what she's been saying who take her seriously any more.

I'm not sure it is a major limiting move... in the academic circles
I've seen, arguing for increased government intervention and
management is almost always a plus (not the least because it usually
means more high paying jobs for academics as "advisors").  Also
consider that it looks like Denning has some decent NSA / government
connections, which is always a plus for an academic institute that
wants more government funding and work tossed their way.

Despicable, yes; career limiting, well, the publicity probably
outweighs the drawbacks.  And there are a whole bunch of people who
think the whole thing is just peachy keen. If it's only going to be
used against drug dealers, child pornographers, and terrorists, well
it must be good. :p
-- 
Truth is hard to find and harder to obscure.

Newsgroup: sci.crypt
document_id: 15541
From: steve-b@access.digex.com (Steve Brinich)
Subject: Re: Clipper considered harmful

 > > Criminals who very badly want inscrutable tactical communications
 > >(specifically the terrorists and drug dealers who proponents of key escrow
 > >cite as threats) will be highly motivated to steal the cipher phone of
 > >a legitimate user, and to kill this person or hold them hostage so
 > >discovery of compromise of the device will be delayed.

 >Why doing it in such a rough manner? It is much more professional to
 >steal the chip from the phone and even to replace it with a
 >pin-compatible do-nothing chip that does not encrypt at all. Chances
 >are that the victim will not notice anything, especially if it is done
 >professionally.

  Assuming that the bad guys can easily obtain substitute chips which don't
cause any noticeable effect to either the user or the person at the other end
of the line (if there is any significant difficulty to obtaining such chips,
some of the criminals will decide to fall back on the murder/kidnap method).

 > > Once a suitable collection of devices is stolen, criminals can communicate
 > >with impunity (assuming the cipher system carries no trapdoors apart from
 > >key escrow) until and unless the compromise is discovered by some other
 > >means.

 > No, because the Feds will still be able to decrypt the conversations.
 >True, they'll blame the wrong guys, but nevertheless one cannot say
 >something like "The drugs arrive tomorrow on the ship 'Terminus'"
 >when the Feds are listening, even if they cannot identify who the
 >speaker is.

 This assumes that the Feds are tapping Clipper phones belonging to ordinary
citizens (getting such a phone is the whole point of the crime under
discussion).  To be sure, I wouldn't put it past them -- but raising the
possibility of such crime has the benefit of forcing the Feds to either
'fess up about such intentions in advance or state that using Clipper
exposes the user to an additional criminal threat. <g>

 > No, the criminals will just use some secure encryption. The new
 >proposal does not stop criminals; it ensures that the government will
 >be able to wiretap the average citizen and stops the casual snooper.
 >To me, it also clearly looks as a step towards outlawing any other
 >strong encryption devices.

  Agreed.

Newsgroup: sci.crypt
document_id: 15542
From: amanda@intercon.com (Amanda Walker)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

pdc@dcs.ed.ac.uk (Paul Crowley) writes:
> As for the cleaners, I'll stick with my 850W Electrolux and damn the 
> carpet. 

Nah.  Nothing sucks like a VAX :)...


Amanda Walker
InterCon Systems Corporation



Newsgroup: sci.crypt
document_id: 15543
From: steve-b@access.digex.com (Steve Brinich)
Subject: Re: Once tapped, your code is no good any more.

 > I wonder if she landed such a fat fee from cooperation with the NSA in
 >the design and propaganda stages that she doesn't care any more? 

  Which is to say: is the NSA -totally- perfidious, or does it at least
have the redeeming virtue of taking care of its own? <g>

Newsgroup: sci.crypt
document_id: 15544
From: rlglende@netcom.com (Robert Lewis Glendenning)
Subject: Re: Estimating Wiretap Costs/Benefits

In article <1993Apr20.203756.20667@kronos.arc.nasa.gov> hanson@kronos.arc.nasa.gov (Robin Hanson) writes:
>I'm attempting to write a serious policy paper examining whether the
>proposed wiretap (or "Clipper") chip is a cost-effective tool for
>police investigation.  That is, ignoring concerns about government
>intrusions into individual privacy, is the value of easy wiretaps to
>investigators greater than the cost to the communications industry,
>and their customers, to support this wiretap technology?  
>
>A rough estimate suggests that wiretaps are worth about five million
>dollars per year to U.S. law enforcement agencies.  (In 1990, 872 U.S.
>wiretaps led to 2057 arrests, while total police expenditures of $28
>billion led to 11.25 million arrests [ref US Statistical Abstracts].)
>I'm working on estimating this wiretap benefit more accurately, but
>I'd like to ask hardware experts out there to help me with estimating
>the costs of the new proposed wiretap technology.
>
>Please send me quotable/citeable estimates for:
>
>- How many chips which would need to be made per year to keep all
>  phones with wiretap chips?
>- How much would it cost to make each chip?
>- How much did it cost to develop this technology in the first place?
>- How much more would supporting hardware, people, etc. cost, per chip?
>- What percentage cheaper would encryption chips and support have been
>  if private enterprise could compete to meet customer encryption needs?
>- What percentage of phone traffic would be taken up by the proposed
>  "law enforcement blocks"?
>- What is the total cost of handling all phone traffic per year?
>
>Put another way, the question I'm asking is, what if each police
>agency that wanted a particular wiretap had to pay for it, being
>charged their share of the full social cost of forcing communication
>to be wiretap compatible?  Would they choose to buy such wiretaps, or
>would they find it more cost-effective to instead investigate crimes
>in other ways?
>-- 
>Robin Hanson  hanson@ptolemy.arc.nasa.gov 
>415-604-3361  MS-269-2, NASA Ames Research Center, Moffett Field, CA 94035
>510-651-7483  47164 Male Terrace, Fremont, CA  94539-7921 

First, what the fuck is NASA doing wasting my tax dollars doing
policy papers on stuff far outside of their purview/mission?
                                                                         
Second, this isn't a problem of economics.  This is a problem of
the incremental accumulation of police-state powers by our government.
 
How, exactly, do you put a price on the loss of freedom of a society?
Maybe use the dollars/life lost calculations for the extra people
killed by the gov.  The pain and suffering cases for those tortured.
The dollars/life lost caused by the inevitable collapse of the economy,
and all the secondary effects of diseases, diet, etc.  Plus, the
inevitable collapse of the economy as the gov controls it, becomes 
corrupt, etc.

Do us a favor.  Resign rather than write this paper for NASA.  Go
do useful work for the society.

lew
-- 
Lew Glendenning		rlglende@netcom.com
"Perspective is worth 80 IQ points."	Niels Bohr (or somebody like that).

Newsgroup: sci.crypt
document_id: 15545
From: boucher@csl.sri.com (Peter K. Boucher)
Subject: Pseudo-Random Character Generators (large state)

Here are four pseudo-random character generators, based on
irreducible trinomials.  Each contains 16 separate trinomials,
one of which is selected on initialization (there are 64
distinct trinomials between the 4 PRCGs).  The PRCGs are
initialized with a 32-bit seed, and a 4-bit trinomial-
selector.

I would like to get comments on these by anyone who is
interested enough to look them over.  Please email,
because our news is on the fritz (Note that this was
posted via email).

Peter K. Boucher    <boucher@csl.sri.com>

================ CLIP CLIP =================================

begin 660 rnd.tar.Z
 
end
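The check a reviewer of such a generator would run first, as an added example that is not the posted rnd.tar.Z code (which is not reproduced here). It assumes the generators are plain Fibonacci LFSRs over GF(2) with a trinomial feedback polynomial x^n + x^k + 1, seeded directly with the 32-bit seed; the degree-31 trinomials in the table below are this example's own choices, not the ones in the archive. The point it makes is that such a generator's output bits are its state: anyone who sees n output bits (31 here, i.e. four output characters) and knows, or tries each of, the few dozen trinomials in use can predict every later character, and a 32-bit seed plus a 4-bit selector is only 36 bits of secret in total.

```python
"""Trinomial LFSR and the predictability check for a generator of this design.

Added example; assumes a plain Fibonacci LFSR with feedback x^n + x^k + 1,
seeded directly with the seed.  The trinomial table is an assumption.
"""
from typing import List, Tuple


class TrinomialLFSR:
    """s[i+n] = s[i+k] XOR s[i]; state bit i holds s[i]; outputs s[0] first."""

    def __init__(self, n: int, k: int, seed: int) -> None:
        if not (0 < k < n) or not (0 < seed < (1 << n)):
            raise ValueError("need 0 < k < n and a nonzero seed below 2**n")
        self.n, self.k = n, k
        self.state = seed

    def next_bit(self) -> int:
        out = self.state & 1
        new = out ^ ((self.state >> self.k) & 1)      # s[n] = s[0] XOR s[k]
        self.state = (self.state >> 1) | (new << (self.n - 1))
        return out

    def next_byte(self) -> int:
        """Pack eight successive bits, least significant first, into a character."""
        value = 0
        for i in range(8):
            value |= self.next_bit() << i
        return value


def period(n: int, k: int, seed: int) -> int:
    """Steps until the state repeats; equals 2**n - 1 only if x^n + x^k + 1 is primitive."""
    gen = TrinomialLFSR(n, k, seed)
    for steps in range(1, (1 << n) + 1):
        gen.next_bit()
        if gen.state == seed:
            return steps
    return 0


def predict_stream(n: int, k: int, observed: List[int], total: int) -> List[int]:
    """Rebuild the state from the first n observed output bits (they ARE the
    seed for this construction) and regenerate `total` bits from it."""
    if len(observed) < n:
        raise ValueError("need at least n observed bits")
    state = sum(observed[i] << i for i in range(n))
    gen = TrinomialLFSR(n, k, state)
    return [gen.next_bit() for _ in range(total)]


def identify_trinomial(candidates: List[Tuple[int, int]],
                       observed: List[int]) -> List[Tuple[int, int]]:
    """Return every candidate (n, k) whose prediction reproduces the observed bits,
    i.e. brute-force the selector from the output alone."""
    return [(n, k) for n, k in candidates
            if len(observed) >= n
            and predict_stream(n, k, observed, len(observed)) == observed]


# Assumed selector table for this example: degree-31 primitive trinomials.
TRINOMIALS = [(31, 3), (31, 6), (31, 7), (31, 13)]

if __name__ == "__main__":
    gen = TrinomialLFSR(31, 3, 0x1234567)              # constructed seed
    stream = [gen.next_bit() for _ in range(256)]
    print("trinomial recovered from output:", identify_trinomial(TRINOMIALS, stream))
    print("x^7 + x + 1 period:", period(7, 1, 1))      # primitive: 127
    print("x^4 + x^2 + 1 period:", period(4, 2, 1))    # reducible: short cycle
```

The `period` check is how one confirms a trinomial is actually primitive rather than merely claimed irreducible; the reducible x^4 + x^2 + 1 cycles after six steps. Whatever the real generators do with the selected trinomial, a nonlinear output filter or a much larger secret state is required before output of this kind could be used as a key stream.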

Newsgroup: sci.crypt
document_id: 15546
From: shirriff@sprite.berkeley.edu (Ken Shirriff)
Subject: Re: Clipper considered harmful

In article <15469@optilink.COM> brad@optilink.COM (Brad Yearwood) writes:
>Finally, because there is essentially no possibility of intercepting in
>realtime the scrutable content of communications between stolen instruments,
>there will exist strong motivation to record and archive _all_ communications
>in the network for ex-post-facto scrutiny (once some criminal act is
>discovered, and the instruments involved have been identified).

It seems likely to me that that a large subset of encrypted communications
would be archived to tape so they could be read if sometime in the future
probable cause arises and a warrant is obtained.  I can even imagine this
being found legal and constitutional, since nothing is actually listened to
until a valid warrant is issued and the keys are obtained.

Imagine archiving all pay-phone conversations, so if someone turns out
to be a drug dealer, you can listen to all their past drug deals.  And
archive calls to/from suspected Mafia members, potential terrorists,
radicals, etc.  Imagine the convenience for the police of being able to
get a warrant now and listening to all the calls the World Trade Center
bombers made in the past year.

Since archiving would be such a powerful tool and so easy to do, why
wouldn't it happen?

Ken Shirriff				shirriff@sprite.Berkeley.EDU

Newsgroup: sci.crypt
document_id: 15547
From: sommerfeld@apollo.hp.com (Bill Sommerfeld)
Subject: A little political philosophy worth reading.

Read this through once or twice.  Then replace "prince" with
"government" or "president", as appropriate, and read it again.  

[From Chapter XX of _The Prince_, by N. Machiavelli, as translated by
Daniel Donno.]

	In order to keep their lands secure, some princes have
disarmed their subjects; others have prompted division within the
cities they have subjugated.  Some have nurtured animosities against
themselves; others have sought to win the approval of those they
initially distrusted.  Some have erected fortresses; others have
destroyed them.  Now, although it is impossible to set down definite
judgements on all of these measures without considering the particular
circumstances of the states where they may be employed, I shall
nevertheless discuss them in such broad terms as the subject itself
will allow.

	To begin with, there has never been a case of a new prince
disarming his subjects.  Indeed, whenever he found them disarmed, he
proceeded to arm them.  For by arming your subjects, you make their
arms your own.  Those among them who are suspicious become loyal,
while those who are already loyal remain so, and from subjects they
are transformed into partisans.  Though you cannot arm them all,
nonetheless you increase your safety among those you leave unarmed by
extending privileges to those you arm.  Your different treatment of
the two categories will make the latter feel obligated to you, while
the former will consider it proper that those who assume added duties
and dangers should receive advantages.  

	When you disarm your subjects, however, you offend them, by
showing that, either from cowardliness or from lack of faith, you
distrust them; and either conclusion will induce them to hate you.
Moreover, since it is impossible for you to remain unarmed, you would
have to resort to mercenaries, whose limitations have already been
discussed. Even if such troops were good, however, they could never be
good enough to defend you from powerful enemies, and doubtful
subjects.  Therefore, as I have said, a new prince in a newly acquired
state has always taken measures to arm his subjects, and history is
full of examples proving that this is so.

	But when a prince takes possession of a new state which he
annexes as an addition to his original domain, then he must disarm all
the subjects of the new state except those who helped him to acquire
it; and these, as time and occasion permit, he must seek to render
soft and weak.  He must arrange matters in such a way that the arms of
the entire state will be in the hands of soldiers who are native to
his original domain.

	...

	And since the subject demands it, I will not fail to remind
any prince who has acquired a new state by the aid of its inhabitants
that he soundly consider what induced them to assist him; if the
reason is not natural affection for him, but rather dissatisfaction
with the former government, he will find it extremely difficult to
keep them friendly, for it will be impossible to please them.  If he
will carefully think the matter through in the light of examples drawn
from ancient and modern affairs, he will understand why it is much
easier to win the favor of those who were happy with their former
government, and hence were his enemies, than to keep the favor of
those who, out of dissatisfaction with the former rule, helped him to
replace it.





Newsgroup: sci.crypt
document_id: 15548
From: C445585@mizzou1.missouri.edu (John Kelsey)
Subject: Re: How large are commercial keys?

In article <1993Apr20.182038.12009@ee.eng.ohio-state.edu>
butzerd@maumee.eng.ohio-state.edu (Dane C. Butzer) writes:
 
>Finally, can anyone even conceive of a time/place where 128 bit keys aren't
>sufficient?  (I certainly can't - even at a trillion keys a second, it
>would take about 10 billion years to search just one billionth of that keys
>space.)
 
   It depends on the attack.  Adding a bit to the key doubles the amount of
work to be done in a straight brute-force attack, where you try every single
possible key until one works.  Processing and storage requirements for this
kind of attack on a 128-bit key seem like they ought to make it effectively
impossible.  However, there may be other attacks whose difficulty is (for
example) proportional to, say, 2**sqrt(n), or some such.  Also, a long
key does you little good if there is a way to incrementally guess a little
of the key at a time....
 
>Thanks,
>Dane
   --John
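The two points above, put into numbers as an added example that is not part of the original post. It computes the brute-force cost at the trillion-keys-a-second rate from the thread, the cost of the hypothetical 2**sqrt(n) attack John mentions, and then shows the incremental-guessing case: a hypothetical verifier that compares the key byte by byte and stops at the first mismatch (what a timing side channel on an early-exit comparison would reveal) lets a 128-bit key be recovered in at most 16 * 256 tries, while a constant-time comparison gives the same attack nothing to work with. The key used is the FIPS-197 example key, chosen here only as a fixed test value.

```python
"""Key length versus attack cost: brute force, a sub-exponential attack,
and incremental guessing against a leaky verifier.

Added example.  LeakyVerifier and ConstantTimeVerifier are hypothetical
devices constructed for the illustration.
"""
import hmac
import math

KEYS_PER_SECOND = 10 ** 12                 # trillion-keys-a-second figure from the thread
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def brute_force_years(bits: int, rate: float = KEYS_PER_SECOND) -> float:
    """Expected years to find an n-bit key by exhaustive search (half the space)."""
    return 2 ** (bits - 1) / rate / SECONDS_PER_YEAR


def sqrt_attack_operations(bits: int) -> float:
    """Cost of an attack whose work grows as 2**sqrt(n), as the post supposes."""
    return 2 ** math.sqrt(bits)


class LeakyVerifier:
    """Compares byte by byte and stops at the first mismatch; the number of
    bytes compared is what a timing side channel would expose."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def matched_prefix(self, candidate: bytes) -> int:
        count = 0
        for a, b in zip(self._key, candidate):
            if a != b:
                break
            count += 1
        return count


class ConstantTimeVerifier:
    """Same interface, but leaks only equality: full length on a match, else 0."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def matched_prefix(self, candidate: bytes) -> int:
        return len(self._key) if hmac.compare_digest(self._key, candidate) else 0


def recover_key(oracle, length: int):
    """Incremental guessing: fix one byte at a time using the prefix feedback.
    Returns (key or None, number of oracle queries).  Against a prefix leak
    the cost is at most 256 * length queries instead of 256 ** length."""
    recovered = bytearray()
    queries = 0
    for pos in range(length):
        hit = None
        for b in range(256):
            candidate = bytes(recovered) + bytes([b]) + bytes(length - pos - 1)
            queries += 1
            if oracle.matched_prefix(candidate) > pos:
                hit = b
                break
        if hit is None:
            return None, queries           # no progress possible at this position
        recovered.append(hit)
    return bytes(recovered), queries


if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # constructed test key
    print(f"brute force, 128-bit key: {brute_force_years(128):.2e} years")
    print(f"2**sqrt(128) operations : {sqrt_attack_operations(128):.2e}")
    print("leaky verifier          :", recover_key(LeakyVerifier(key), 16))
    print("constant-time verifier  :", recover_key(ConstantTimeVerifier(key), 16))
```

The doubling per bit only holds for the exhaustive search; the leaky verifier turns the same 128-bit key into sixteen independent 8-bit searches, which is why `hmac.compare_digest` (or its equivalent) belongs wherever a secret is compared.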

Newsgroup: sci.crypt
document_id: 15549
From: andersom@spot.Colorado.EDU (Marc Anderson)
Subject: Re: Once tapped, your code is no good any more.

In article <rdippold.735253985@qualcom> rdippold@qualcomm.com (Ron "Asbestos" Dippold) writes:
>
>geoff@ficus.cs.ucla.edu (Geoffrey Kuenning) writes:
>>Bullshit.  The *Bush* administration and the career Gestapo were
>>responsible for this horror, and the careerists presented it to the
>>new presidency as a fait accompli.  That doesn't excuse Clinton and
>>Gore from criticism for being so stupid as to go for it, but let's lay
>>the body at the proper door to start with.
>
>The final stages of denial... I can hardly imagine what the result
>would have been if the Clinton administration had actually supported
>this plan, instead of merely acquiescing with repugnance as they're so
>obviously doing.  I don't believe the chip originated with the Clinton
>administration either, but the Clinton administration has embraced it
>and brought it to fruition.

[...]

(the date I have for this is 1-26-93)

note Clinton's statements about encryption in the 3rd paragraph..  I guess
this statement doesn't contradict what you said, though.

--- cut here ---

        WASHINGTON (UPI) -- The War on Drugs is about to get a fresh
start, President Clinton told delegates to the National Federation
of Police Commissioners convention in Washington.
        In the first speech on the drug issue since his inaugural,
Clinton said that his planned escalation of the Drug War ``would make
everything so far seem so half-hearted that for all practical
purposes this war is only beginning now.'' He repeatedly emphasized
his view that ``regardless of what has been tried, or who has tried
it, or how long they've been trying it, this is Day One to me.''
The audience at the convention, whose theme is ``How do we spell
fiscal relief?  F-O-R-F-E-I-T-U-R-E,'' interrupted Clinton frequently
with applause.
        Clinton's program, presented in the speech, follows the
outline given in his campaign position papers: a cabinet-level Drug
Czar and ``boot camps'' for first-time youthful offenders.  He did,
however, cover in more detail his plans for improved enforcement
methods.  ``This year's crime bill will have teeth, not bare gums,''
Clinton said.  In particular, his administration will place strict
controls on data formats and protocols, and require the registration
of so-called ``cryptographic keys,'' in the hope of denying drug
dealers the ability to communicate in secret.  Clinton said the
approach could be used for crackdowns on other forms of underground
economic activity, such as ``the deficit-causing tax evaders who
live in luxury at the expense of our grandchildren.''
        Clinton expressed optimism that the drug war can be won
``because even though not everyone voted for Bill Clinton last
November, everyone did vote for a candidate who shares my sense of
urgency about fighting the drug menace.  The advocates of
legalization -- the advocates of surrender -- may be very good at
making noise,'' Clinton said.  ``But when the American people cast
their ballots, it only proved what I knew all along -- that the
advocates of surrender are nothing more than a microscopic fringe.''



Newsgroup: sci.crypt
document_id: 15550
From: strnlght@netcom.com (David Sternlight)
Subject: Re: The Escrow Database.

In article <tcmayC5rs6n.Lz8@netcom.com> tcmay@netcom.com (Timothy C. May) writes:

>
>After the Waco Massacre and the Big Brother Wiretap Chip, any tactic
>is fair.

This is pernicious nonsense!

David



-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
document_id: 15551
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Would "clipper" make a good cover for other encryption method?

In article <1993Apr20.032623.3046@eff.org> kadie@eff.org (Carl M. Kadie) writes:


>So, don't just think of replacements for clipper, also think of front
>ends.

This only makes sense if the government prohibits alternative non-escrowed
encryption schemes. Otherwise, why not just use the front end without
clipper?

David

-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
document_id: 15552
From: pla@sktb.demon.co.uk ("Paul L. Allen")
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

-----BEGIN PGP SIGNED MESSAGE-----

In message <9304190956.AA10390@pizzabox.demon.co.uk> you write:

> : The cops/feds do *not* need to be able to get hold of your private key to
> : listen in to cellular conversations.  Encryption is not end-to-end, but 
> : cellphone to base-station
[...]

> That was true for the UK Paul, but I'm fairly sure they're talking about
> building end-to-end encryption phones out of this chip.  It's *not* for
> cellular (though it certainly could be used there in the way you suggest)

I'd lost the White House's deathless prose when I posted (that's what happens
when you read news at home when you're rat-arsed), but I did have a bunch
of follow-ups going on about cellular/cordless comms.  The original article
has reappeared, so:

    The President today announced a new initiative that will bring
    the Federal Government together with industry in a voluntary
    program to improve the security and privacy of telephone
    communications while meeting the legitimate needs of law
    enforcement.

Hmm, telephone communications could indeed include end-to-end encryption on
ordinary landlines.

    The initiative will involve the creation of new products to
    accelerate the development and use of advanced and secure
    telecommunications networks and wireless communications links.

But the next paragraph says telecoms networks and wireless communications
links.

OK, it's far from clear exactly what Cripple (what an apposite anagram) will
be applied to, but the reason Joe Public wants secure comms is to stop
people listening in to his cellular or cordless phones (and he wouldn't
even be bothered about that were it not for Wingnut and Squidqy's
misfortunes).

Yes, Cripple *might* be for end-to-end encryption, dropping to clear
when the other end doesn't have Cripple.  But then a cordless-to-ordinary
conversation would be in clear leaving the cordless end just as vulnerable
as at present.  Nope, I suspect that Cripple will only be used on radio
links.

OK, it's possible `telecommunications networks' could mean `ordinary phone
lines', but I'm betting it means the microwave links used by the telcos.

My apologies if I'm wrong, particularly if the turgid Press Release makes it
clear that I'm wrong and I missed it, but as far as I can see it was full of
obfuscation, and anyone expecting end-to-end encryption is in for a surprise
(IMHO).


BTW, Graham, I've posted questions to alt.security.pgp and not seen any
replies/followups from outside Europe - how about you?  Have I made it into
everyone's kill file, or is there some problem?

- --Paul

-----BEGIN PGP SIGNATURE-----
Version: 2.2

iQCVAgUBK9SPBmv14aSAK9PNAQGJBwP/ZoKyrm0gemlyYsNj8bqoH8l8qLJoMRBo
eOCClpKsTavebtdCLIGqHNzoWC6Ar2K1blIbpUa2tWnqwRGVa15OgOc7XXKJJ093
yb7P/vWvQbXYiA6zDJ5zkQsDeP7X6ckIDVDRz5CdIS+oNXtiOtHk3s3B3wjQBjCU
vks8KOV8gfg=
=gVy0
-----END PGP SIGNATURE-----


Newsgroup: sci.crypt
document_id: 15553
From: pat@rwing.UUCP (Pat Myrto)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

In article <1993Apr19.130132.12650@afterlife.ncsc.mil> rlward1@afterlife.ncsc.mil (Robert Ward) writes:
>In article <bontchev.734981805@fbihh> bontchev@fbihh.informatik.uni-hamburg.de writes:
>>and since the US constitutions guarantees the right to every American
>>to bear arms, why is not every American entitled, as a matter of
>
>Have you read the applicable part of the Constitution and interpreted it IN 
>CONTEXT?  If not, please do so before posting this misinterpretation again.
>It refers to the right of the people to organize a militia, not for individuals 
>to carry handguns, grenades, and assault rifles.  

Read it again yourself, then re-apply the admonition you gave to the
previous poster to yourself, as well.  The first clause is not a condition,
it is a reason for explicitly supporting the right WHICH EXISTS, MILITIA
OR NOT, that the people have a right to keep and bear arms.  This is
NOT a right granted by the Constitution, it is a right presumed to exist
by default.  The Constitution mentioning a right is to prevent the
government from removing that right by stating very clearly the government
shall NOT infringe (mess with, block, limit) that right.  Remember the
Constitution is a bunch of negative things - things the government CANNOT
do.  All rights, etc not expressly given to the government go to the
states and the PEOPLE (the same people the other 9 Amendments in the
Bill of Rights talk about).

Since I am sure you will summarily reject my interpretation, I am
appending a linguistic analysis by one far more expert than myself (and
you, I suspect).  I am sure you will find his qualifications adequate.
If that isn't enough I can send you the Senate Subcommittee to the
Judiciary on the Constitution report on the same thing...  There are
some things in there that Big Brother types, like Biden, etc must have
really had to swallow hard to admit.

I think you will find that people that seriously study the Constitution
and state what it means will say the same thing.  Those who come up
with 'new improved meanings' are those who are trying to subvert the
Constitution for a given agenda.  Like Clinton and his Clinton Cripple,
Gun Control, People Control, and Control Control, and the whole nasty
mess.

Please tell us how this person is in error, won't you? (And please back it
up with some proof, since I am backing my assertion up with independent
proof, and have a BUNCH MORE I can provide...).

NOTE:  Followups set to talk.politics.guns

--------- Begin included article -------

			THE UNABRIDGED SECOND AMENDMENT

			      by J. Neil Schulman

If you wanted to know all about the Big Bang, you'd ring up Carl Sagan,
right ?  And if you wanted to know about desert warfare, the man to call
would be Norman Schwarzkopf, no question about it.  But who would you call
if you wanted the top expert on American usage, to tell you the meaning
of the Second Amendment to the United States Constitution ?

That was the question I asked A.C. Brocki, editorial coordinator of the Los
Angeles Unified School District and formerly senior editor at Houghton
Mifflin Publishers -- who himself had been recommended to me as the
foremost expert on English usage in the Los Angeles school system.  Mr.
Brocki told me to get in touch with Roy Copperud, a retired professor of
journalism at the University of Southern California and the author of
"American Usage and Style: The Consensus."

A little research lent support to Brocki's opinion of Professor Copperud's
expertise.

Roy Copperud was a newspaper writer on major dailies for over three decades
before embarking on a distinguished 17-year career teaching journalism at
USC.  Since 1952, Copperud has been writing a column dealing with the
professional aspects of journalism for "Editor and Publisher", a weekly
magazine focusing on the journalism field.

He's on the usage panel of the American Heritage Dictionary, and Merriam
Webster's Usage Dictionary frequently cites him as an expert.  Copperud's
fifth book on usage, "American Usage and Style: The Consensus," has been in
continuous print from Van Nostrand Reinhold since 1981, and is the winner
of the Association of American Publisher's Humanities Award.

That sounds like an expert to me.

After a brief telephone call to Professor Copperud in which I introduced
myself but did not give him any indication of why I was interested, I sent
the following letter:

"I am writing you to ask you for your professional opinion as an expert in
English usage, to analyze the text of the Second Amendment to the United
States Constitution, and extract the intent from the text.

"The text of the Second Amendment is, 'A well-regulated Militia, being
necessary for the security of a free State, the right of the people to keep
and bear Arms, shall not be infringed.'

"The debate over this amendment has been whether the first part of the
sentence, 'A well-regulated Militia, being necessary to the security of a
free State', is a restrictive clause or a subordinate clause, with respect
to the independent clause containing the subject of the sentence, 'the
right of the people to keep and bear Arms, shall not be infringed.'

"I would request that your analysis of this sentence not take into
consideration issues of political impact or public policy, but be restricted
entirely to a linguistic analysis of its meaning and intent.  Further,
since your professional analysis will likely become part of litigation
regarding the consequences of the Second Amendment, I ask that whatever
analysis you make be a professional opinion that you would be willing to
stand behind with your reputation, and even be willing to testify under
oath to support, if necessary."

My letter framed several questions about the text of the Second Amendment,
then concluded:

"I realize that I am asking you to take on a major responsibility and task
with this letter.  I am doing so because, as a citizen, I believe it is
vitally important to extract the actual meaning of the Second Amendment.
While I ask that your analysis not be affected by the political importance of
its results, I ask that you do this because of that importance."

After several more letters and phone calls, in which we discussed terms for
his doing such an analysis, but in which we never discussed either of our
opinions regarding the Second Amendment, gun control, or any other political
subject, Professor Copperud sent me the following analysis (into which I have
inserted my questions for the sake of clarity):

[Copperud:] "The words 'A well-regulated militia, being necessary to the
security of a free state,' contrary to the interpretation cited in your
letter of July 26, 1991, constitutes a present participle, rather than a
clause.  It is used as an adjective, modifying 'militia,' which is
followed by the main clause of the sentence (subject 'the right', verb
'shall').  The right to keep and bear arms is asserted as an essential for
maintaining a militia.

"In reply to your numbered questions:

[Schulman:] "(1) Can the sentence be interpreted to grant the right to keep
and bear arms solely to 'a well-regulated militia'?"

[Copperud:] "(1) The sentence does not restrict the right to keep and bear
arms, nor does it state or imply possession of the right elsewhere or by
others than the people; it simply makes a positive statement with respect
to a right of the people."

[Schulman:] "(2) Is 'the right of the people to keep and bear arms' granted
by the words of the Second Amendment, or does the Second Amendment assume a
preexisting right of the people to keep and bear arms, and merely state
that such right 'shall not be infringed'?"

[Copperud:] "(2) The right is not granted by the amendment; its existence
is assumed.  The thrust of the sentence is that the right shall be
preserved inviolate for the sake of ensuring a militia."

[Schulman:] "(3) Is the right of the people to keep and bear arms
conditioned upon whether or not a well regulated militia, is, in fact
necessary to the security of a free State, and if that condition is not
existing, is the statement 'the right of the people to keep and bear Arms,
shall not be infringed' null and void?"

[Copperud:] "(3) No such condition is expressed or implied.  The right to
keep and bear arms is not said by the amendment to depend on the existence
of a militia.  No condition is stated or implied as to the relation of the
right to keep and bear arms and to the necessity of a well-regulated
militia as a requisite to the security of a free state.  The right to keep
and bear arms is deemed unconditional by the entire sentence."

[Schulman:] "(4) Does the clause 'A well-regulated Militia, being necessary
to the security of a free State,' grant a right to the government to place
conditions on the 'right of the people to keep and bear arms,' or is such
right deemed unconditional by the meaning of the entire sentence?"

[Copperud:] "(4) The right is assumed to exist and to be unconditional, as
previously stated.  It is invoked here specifically for the sake of the
militia."

[Schulman:] "(5) Which of the following does the phrase 'well-regulated
militia' mean: 'well-equipped', 'well-organized,' 'well-drilled,'
'well-educated,' or 'subject to regulations of a superior authority'?"

[Copperud:] "(5) The phrase means 'subject to regulations of a superior
authority;' this accords with the desire of the writers for civilian
control over the military."

[Schulman:] "(6) (If at all possible, I would ask you to take into account the
changed meanings of words, or usage, since that sentence was written 200
years ago, but not take into account historical interpretations of the
intents of the authors, unless those issues can be clearly separated."

[Copperud:] "To the best of my knowledge, there has been no change in the
meaning of words or in usage that would affect the meaning of the
amendment.  If it were written today, it might be put: "Since a
well-regulated militia is necessary to the security of a free state, the
right of the people to keep and bear arms shall not be abridged.'

[Schulman:] "As a 'scientific control' on this analysis, I would also
appreciate it if you could compare your analysis of the text of the Second
Amendment to the following sentence,

"A well-schooled electorate, being necessary to the security of a free
State, the right of the people to keep and read Books, shall not be
infringed.'

"My questions for the usage analysis of this sentence would be,

"(1) Is the grammatical structure and usage of this sentence and the way
the words modify each other, identical to the Second Amendment's sentence?;
and

"(2) Could this sentence be interpreted to restrict 'the right of the people
to keep and read Books' _only_ to 'a well-educated electorate' -- for
example, registered voters with a high-school diploma?"

[Copperud:] "(1) Your 'scientific control' sentence precisely parallels the
amendment in grammatical structure.

"(2) There is nothing in your sentence that either indicates or implies the
possibility of a restricted interpretation."

Professor Copperud had only one additional comment, which he placed in his
cover letter: "With well-known human curiosity, I made some speculative
efforts to decide how the material might be used, but was unable to reach
any conclusion."

So now we have been told by one of the top experts on American usage what
many knew all along: the Constitution of the United States unconditionally
protects the people's right to keep and bear arms, forbidding all
governments formed under the Constitution from abridging that right.

As I write this, the attempted coup against constitutional government in the
Soviet Union has failed, apparently because the will of the people in that
part of the world to be free from capricious tyranny is stronger than the
old guard's desire to maintain a monopoly on dictatorial power.

And here in the United States, elected lawmakers, judges, and appointed
officials who are pledged to defend the Constitution of the United States
ignore, marginalize, or prevaricate about the Second Amendment routinely.
American citizens are put in American prisons for carrying arms, owning
arms of forbidden sorts, or failing to satisfy bureaucratic requirements
regarding the owning and carrying of firearms -- all of which is an
abridgement of the unconditional right of the people to keep and bear arms,
guaranteed by the Constitution.

And even the American Civil Liberties Union (ACLU), staunch defender of the
rest of the Bill of Rights, stands by and does nothing.

It seems it is up to those who believe in the right to keep and bear arms to
preserve that right.  No one else will.  No one else can.  Will we beg our
elected representatives not to take away our rights, and continue regarding
them as representing us if they do?  Will we continue obeying judges who
decide that the Second Amendment doesn't mean what it says it means but
means whatever they say it means in their Orwellian doublespeak?

Or will we simply keep and bear the arms of our choice, as the Constitution
of the United States promises us we can, and pledge that we will defend
that promise with our lives, our fortunes, and our sacred honor?

(C) 1991 by The New Gun Week and Second Amendment Foundation.
Informational reproduction of the entire article is hereby authorized
provided the author, The New Gun Week and Second Amendment Foundation are
credited.  All other rights reserved.

			About the Author

J. Neil Schulman is the award-winning author of novels endorsed by Anthony
Burgess and Nobel-economist Milton Friedman, and writer of the CBS "Twilight
Zone" episode in which a time-traveling historian prevents the JFK
assassination.  He's also the founder and president of SoftServ Publishing,
the first publishing company to distribute "paperless books" via personal
computers and modems.

Most recently, Schulman has founded the Committee to Enforce the Second
Amendment (CESA), through which he intends to see the individual's right to
keep and bear arms recognized as a constitutional protection equal to those
afforded in the First, Fourth, Fifth, Ninth and Fourteenth amendments.

------------- End included article --------

Can you still honestly say the Second is a 'State-Run militia only right'?

-- 
pat@rwing.uucp      [Without prejudice UCC 1-207]     (Pat Myrto) Seattle, WA
         If all else fails, try:       ...!uunet!pilchuck!rwing!pat
WISDOM: "Only two things are infinite; the universe and human stupidity,
         and I am not sure about the former."              - Albert Einstein

Newsgroup: sci.crypt
document_id: 15554
From: pat@rwing.UUCP (Pat Myrto)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

In article <bontchev.735232729@fbihh> bontchev@fbihh.informatik.uni-hamburg.de writes:
>rlward1@afterlife.ncsc.mil (Robert Ward) writes:
>
>> >and since the US constitutions guarantees the right to every American
>> >to bear arms, why is not every American entitled, as a matter of
>
>> Have you read the applicable part of the Constitution and interpreted it IN 
>> CONTEXT? 
>
>Yes. BTW, the appropriate Amendments were posted here some time ago.
>
>> If not, please do so before posting this misinterpretation again.
>> It refers to the right of the people to organize a militia, not for individual
>> to carry handguns, grenades, and assault rifles.  
>
>It's OK, it's OK... Just a month ago I expressed my belief that the
>right to have a means to shoot your neighbor is not that much
>necessary to ensure a people's right to be free and got flamed by lots
>of American gun supporters. So I thought that...
>
>Never mind. The new Cripple Chip is a purely American problem, so deal
>with the mess yourselves. I just wanted to share with you a bit of my
>experience of living 30 years under a totalitarian regime (I'm
>Bulgarian) - because I thought that it might be useful to you. Oh
>well.

I think your experiences under the Bulgarian regime are highly relevant.
We have too many people with their heads in the sand saying it cannot
happen here, as our Constitutional Rights are being trashed every day
because the government justifies doing some end-run around the protections
by a 'crisis' requiring 'drastic action'.   It is most likely that in the
future possession of secure encryption tools will be regarded as possession
of 'terrorist and drug dealers' tools', and be some serious Federal Felony.
Just like common tools are 'burglar tools' if the police say so, common
computer programs (even computers themselves) are now 'hackers tools',
and will become 'terrorist tools'.  BET ON IT.

The insights of someone who has lived through this are very important.
If the US goes the way of the old Soviet Union and its client states
as far as individual rights, privacy and overall freedom are concerned,
the rest of the world (remember 'New World Order'?) will not be far
behind - only a few years.

Please keep posting anything you find that is deficient or that threatens
one's rights in this thing.

For example, a conversation between a suspect and a lawyer will no longer
be private from Big Brother eavesdropping.  Political dissent already
is very dangerous in this country, all it takes is the government to
decide that enough people will take one seriously, then one becomes
guilty of 'plotting to overthrow the government by illegal means'.  The
phrase 'illegal means' is defined as whatever the government wants it
to be defined as.

Couple this with Clinton's pressing for a 'smart' National ID card (an
'Internal passport'?), with the added wrinkle that anything about you and
your past can be put on it, and you can only take the government's
word as to what is really on it (since they will be the only ones
with the means to completely read and reprogram the thing).  Isn't
that nice?

While the Feds can bust into one's safe without the keys, the owner
knows his safe has been broken into.  When they break into your 'secure'
phone conversations (or other stored/transmitted data in the near future)
you have no way of knowing, so accountability as to the legalities has
gone out the window.  Just like a safe, if they have a legal cause, they
can get the keys from the suspect, just like they can get the keys to
a safe or the combination from the suspect.  Same with encryption:
Record everything, get the warrants, THEN decode it with the keys
obtained from the suspect.

This Clinton Cripple, along with its natural extensions, will make any
privileged communications between client and lawyer, and any meaningful
political dissent virtually impossible.  Which is the general idea.
Any propaganda about its being secure, and the safeguards, and all
of that are just that - propaganda to reassure people so they will
buy into this monstrosity.  DON'T BE SUCKERED.

BIG BROTHER IS LISTENING!!!

>
>Regards,
>Vesselin
>-- 
>Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
>Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
>< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
>e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany


-- 
pat@rwing.uucp      [Without prejudice UCC 1-207]     (Pat Myrto) Seattle, WA
         If all else fails, try:       ...!uunet!pilchuck!rwing!pat
WISDOM: "Only two things are infinite; the universe and human stupidity,
         and I am not sure about the former."              - Albert Einstein

Newsgroup: sci.crypt
document_id: 15555
From: pat@rwing.UUCP (Pat Myrto)
Subject: Re: An Open Letter to Mr. Clinton

In article <bontchev.735226256@fbihh> bontchev@fbihh.informatik.uni-hamburg.de writes:
<strnlght@netcom.com (David Sternlight) writes:
<
<> Here's a simple way to convert the Clipper proposal to an unexceptionable
<> one: Make it voluntary.
<
<As usual, you are not reading. The proposal -does- say that it is a
<"voluntary program". This doesn't make it more desirable, though...
<
<> That is--you get high quality secure NSA classified technology if you agree
<> to escrow your key. Otherwise you are on your own.
<
<"Secure"? How do you know? Because NSA is trying to make you believe it?
<"Trust us." Yeah, right.
<
<"Otherwise you are on your own"? How do you know that tomorrow they
<will not outlaw encrypting devices that don't use "their" technology?
<Because they are promising you? Gee, they are not doing even that -
<read the proposal again.

One minor nitpick:  It is not a proposal.  It is a *DECISION* ... from their
point of view it is a DONE DEAL.  The chips are being manufactured, it
obviously has been budgeted, the whole thing.  THAT IS WHAT IS SO UPSETTING.
THIS WAS ALL DONE IN SECRET.  Because they DIDN'T want the people to know
what was going on until it is too late.

Otherwise, I agree with you 100 percent.

How come it always takes someone who has lived under the Eastern Bloc to
remind us about how precious and fragile our liberties are?

Please, keep up the good work.  Hopefully you will wake SOMEONE up...

<
<Regards,
<Vesselin
<-- 
<Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
<Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
<< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
<e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany


-- 
pat@rwing.uucp      [Without prejudice UCC 1-207]     (Pat Myrto) Seattle, WA
         If all else fails, try:       ...!uunet!pilchuck!rwing!pat
WISDOM: "Only two things are infinite; the universe and human stupidity,
         and I am not sure about the former."              - Albert Einstein

Newsgroup: sci.crypt
document_id: 15556
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks only 

In article <C5rrtD.1Gz@agora.rain.com> jhart@agora.rain.com (Jim Hart) writes:

>
>What we need is a true *privacy chip*.  For example, a real-time 
>voice-encryption RSA, silicon compile it and spit out ASIC.  
>Put this chip on the market as a de facto standard for international 
>business, diplomats, and private communications.  If the U.S. bans 
>it, we make it somewhere else and import it.  The Japanese, German,
>Dutch, Taiwanese, Korean, etc. electronics companies don't want the 
>NSA spying on them.  U.S. workers lose more jobs to government fascist
>stupidity.
>

Some countries have laws about importing crypto gear--I believe the U.S.
does. Without a license the above scheme won't work (at least not legally)
in such countries, including at least France and the U.S.

David


-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
document_id: 15557
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Would "clipper" make a good cover for other encryption method?

In article <EACHUS.93Apr20140314@spectre.mitre.org> eachus@spectre.mitre.org
(Robert I. Eachus) writes:
>
>  But, if you are making custom equipment in any case, why not just
>roll your own Clipper implementation and report the wrong keys to the
>Escrow agency?  (Tells us who is going to be in the chip business if
>this thing goes through--NSA, and those with something to hide from
>NSA.)

This won't work if there is a checksum on the keys you don't know about.
Neither will registering a clipper chip and then substituting a
"counterfeit" one if the serial number contains a checksum.

Chances are the government has thought of this, and "just anyone" won't be
permitted access to enough of the internals to make a "fake" clipper chip.
Chances are that the government has classified some details of the internals
at a very high level, and manufacturers are required to observe security
safeguards and clearances corresponding to that level.

While not perfect, it would prevent Joe Hacker from rolling his own spoofing
chip, since not many counterfeiters can survive a background investigation.
Some of the more notorious self-styled dissidents here, for example, have
already got their heads so high above the tall grass that they'd have little
chance of getting a clearance.

Of course it's not impossible that someone do this, but probably extremely
difficult. Chances are there will also be very heavy criminal penalties for
phony clipper chips, on some national security/classified info grounds or
other, thus making the game not worth the candle.

-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
document_id: 15558
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks only

In article <WARLORD.93Apr20175546@deathtongue.mit.edu> warlord@MIT.EDU
(Derek Atkins) writes:


>
>The point here is not the specific instance of the Wiretap Chip.
>Rather, it is like having the government telling you that they want a
>copy of your house key, safe-deposit box keys, etc., and telling you
>that "they wont use them unless its totally neccessary."  I sure
>wouldn't want that.  Why should encryption be any different?

Actually the government is telling you that if you want to use their
"product" the manufacturer (actually better yet, some "trusted" pair
of escrow agencies) has to have the key.

Most of us already are in this situation--our car makers have keys to our
cars (or can get them quickly from the VIN  number), and I have no doubt
that if presented with a court order, they'd surrender copies to the
government.

Chances are that many locksmiths have the code numbers for house locks
they've installed, and in an emergency can cut keys; thus they'd also
provide such keys to the government pursuant to a court order.

The state has no difficulty gaining access to your safe deposit box if they
have a court order.

Bad analogy.

This is not to argue for or against the proposal, but rather better
distinctions are required in thinking about it than "house key, safe-deposit
keys, etc.".

David
-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
document_id: 15559
Subject: Organized Lobbying for Cryptography
From: kubo@zariski.harvard.edu (Tal Kubo)

In article <4014.Apr2003.03.4093@silverton.berkeley.edu> 
djb@silverton.berkeley.edu (D. J. Bernstein) writes:
>
>I want to see an organization which will combat such statements.
>Encryption does _not_ threaten the public safety, any more than ski
>masks do. Every American _is_ entitled to use strong encryption which
>ensures his own privacy and is _not_ crippled by a key-escrow system.
>I guess I'm looking for a ``League for Cryptographic Freedom.'' Or a
>``National Cryptography Association.''

An excellent idea.

>
>To what extent does the EFF serve this purpose? Is a new organization
>necessary? Does it already exist?

While I don't know the full scope of the activities of the EFF, 
from what little I've seen I think it would be better to lobby for 
strong cryptography through a distinct organization.

The EFF has been associated with efforts to prevent the banning of sex
and pictures newsgroups at various universities. Horror stories about the
contents of those groups (e.g. exploitative pictures of possibly underaged
models) have already surfaced in the press. The White House bulletin
already raised the specter of drug-dealing and terrorism, which is only one
step removed from the old "crypto-wielding child molester" argument.  An
EFF lobbying effort for cryptography would be too easily derailed by the
connection to child pornography and the like.

Similarly, LPF is connected with Stallman and his Gnu project.  In
light of, say, the Gnu Manifesto, this means that in a public debate it
stands to be labelled as "communist", "anarchist hackers", radical, etc.  

I don't know about CPSR, but if it is an offshoot of Physicians for Social
Responsibility (best known for Helen Caldicott and her hysterical
antinuclear lobbying) then it probably also carries unwelcome political
baggage.

Perhaps for practical reasons a lobbying organization for cryptography
would best be formed under the umbrella of EFF or some other existing
group, but its charter should then be distinct, independent, and limited to
advocacy for the right to cryptography.  To reiterate Dan Bernstein's
question: does any suitable organization exist?  If not, what are you going
to do about it?

Having mentioned the possible dangers of unwelcome political associations,
I would be remiss not to suggest something in the opposite direction:
gathering the support of the NRA by emphasizing the RKBA side of the
issue as well as the First-Amendment side.



Tal  kubo@math.harvard.edu



Newsgroup: sci.crypt
document_id: 15560
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: Re: Do we need the clipper for cheap security?

gtoal@gtoal.com (Graham Toal) writes:
>
>In the UK, it's impossible to get approval to attach any crypto device
>to the phone network.  (Anything that plugs in to our BT phone sockets
>must be approved - for some reason crypto devices just never are...)
>

What's the difference between a V.32bis modem and a V.32bis modem?

I'm not being entirely silly here: what I'm pointing out is that the
modems that they have already approved for data transmission will work
just fine to transmit scrambled vocoded voice.

--
Perry Metzger		pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
document_id: 15561
From: smk5@quads.uchicago.edu (Steve Kramarsky)
Subject: Re: Hard drive security for FBI targets

In article <Apr13.011855.69422@yuma.ACNS.ColoState.EDU> holland@CS.ColoState.EDU (douglas craig holland) writes:
>I'm not a lawyer, so correct me if I'm wrong, but doing that could be
>considered obstruction of justice, which could land you in prison for
>quite a while.
>
>The thing that's great about the secret key is it is IDEA encrypted, so
>even if the FBI do get the key, they're SOL unless they know the magic
>word.  If they try to force you to give them your pass phrase, just say
>"Oops, I forgot."  Since the burden of proof is still on the prosecution
>in this country, if you keep your mouth shut, how can they prove that you
>didn't forget your pass phrase.
>
  OK, Doug is right, it would be obstruction of justice, blah blah blah,
BUT, saying "I forgot" is a lie, which is just as bad from a moral point
of view _IF_ you think "lawfulness" is a good in and of itself (which 
admittedly most people do not.)  But there's an even better way out of this.
PROVIDED the government is prosecuting you criminally, you can probably
plead the fifth amendment and thus LEGALLY avoid revealing your key.  The
government cannot demand information from a criminal defendant which "may
tend to incriminate" that defendant.  Though this has never been applied
in the cryptography context (at least as far as I can tell) it seems an
obvious application to me.  

 This may be a common suggestion in this group, but if it's not (I'm new
here) I'd love to hear what people have to say about it.  Since I don't
really read this group (and since the subject matter is more legal than
cryptoid) maybe misc.legal.computing would be an appropriate place?

  Steve.

-- 
            Steve Kramarsky, University of Chicago Law School
           steve@faerie.chi.il.us -or- smk5@quads.uchicago.edu 
     "All I did was kiss a girl." - Jake, the night before his hanging.

Newsgroup: sci.crypt
document_id: 15562
From: tedwards@eng.umd.edu (Thomas Grant Edwards)
Subject: Re: Once tapped, your code is no good any more.

In article <1r1r3nINNebn@dns1.NMSU.Edu> amolitor@nmsu.edu (Andrew Molitor) writes:
>In article <C5so84.Hxv@demon.co.uk> Graham Toal <gtoal@gtoal.com> writes:
>>Actually, I am *completely* baffled by why Dorothy Denning has chosen
>>to throw away her academic respectability like this.

>	Actually, I've been following her remarks for some time, with
>interest. I'm also a member of academia, and her remarks have nothing
>but elevate her respectability in my eyes. It remains to be seen whether
>you are the radical fringe, or I.

>	It is generally an error to assume that your beliefs are held by
>the majority, or even a sizable minority. Especially when you're seeing
>tens, nay dozens, of people on usenet agreeing with you.

The people on usenet are clearly a special bunch.  We live the net, which
is the future of our culture.  Usenetters have rapid electronic access to
information.  Society in general must depend on CNN.  

I can only hope we can make this information accessable by the public before
the radical fringe, which _is_ the majority, destroys the fabric of
this country.  Freedom is never easily won.

-Thomas



Newsgroup: sci.crypt
document_id: 15563
From: smk5@quads.uchicago.edu (Steve Kramarsky)
Subject: Re: Keeping Your Mouth Shut (was: Hard drive security)

In article <1993Apr14.055903.5358@qualcomm.com> karn@servo.qualcomm.com (Phil Karn) writes:
>
>
>I say "in theory" because in another case, a woman was held in
>contempt for refusing to reveal the location of her child even after
>taking the 5th. In this case, the woman was suspected of having
>murdered the kid, so taking the 5th wasn't surprising. Sure, so she
>was probably guilty, but that's not good enough. In our system you're
>not supposed to be able to force a suspect to confess to a crime, no
>matter how strongly you think they're guilty.  You have to develop
>your evidence independently. Doing otherwise might catch a few more
>crooks, but only at the cost of turning the clock back to the middle
>ages, when confessions were routinely tortured out of suspects both
>guilty and innocent.
>
 OK, I should have read the thread before posting my own $0.02.  I would
just add to Phil's very informative discussion the following caveat: the
fifth amendment applies ONLY in criminal cases.  ("...nor shall any person .
. . be compelled in any criminal case to be a witness against himself...").
Thus if the father sued for custody of the children, the case would be
civil and the defendant mother would not have fifth amendment protection.
Oddly enough, her refusal to give information in a civil case can lead to
criminal contempt charges (thus landing her in jail.)  The interesting part
of all this is that in a murder trial, the woman CAN plead the fifth as 
to the location of the child--this is routine.  A "computer crime" 
prosecution thus would seem to be fertile ground for this kind of defense, 
where a suit by a party injured by "hackers" would not.  If I am accused, 
for example, of sending encrypted kiddie porn over the nets the fifth should 
protect my key.  If I am accused of sending copyrighted material, however,
it probably will not (copyright infringement not being a "crime" in the
technical sense.)  The REALLY tricky question is, say I do both (naughty
boy that I am) can the government use the information gained in the civil
trial (ie. my key) to gain access to my files for use in the criminal
prosecution.  The answer should certainly be no, but lord only knows how
this would work out.

Steve.
 

-- 
            Steve Kramarsky, University of Chicago Law School
           steve@faerie.chi.il.us -or- smk5@quads.uchicago.edu 
     "All I did was kiss a girl." - Jake, the night before his hanging.

Newsgroup: sci.crypt
document_id: 15564
Subject: Re: Don't fight Clipper Chip, subvert or replace it !
From: steiner@jupiter.cse.utoledo.edu (Jason 'Think!' Steiner)

Marc Thibault (marc@tanda.isis.org) writes:
> (The Jester) writes: 

> > Proof Windows is a Virus:It is very widespread, It eats up your disk
> > space, It slows down your computer, It takes control over your
> > computer, It performs disk access at random times, It displays silly
> > messages on your screen, It randomly crashes the computer-Vesselin

>         This sounds like a version Unix. Solaris?

as someone who just lived through a switch from SunOS4.x.x. to
Solaris, i'll heartily agree with this. 

ObCrypt: one of my main gripes with Solaris is its braindead mailx,
which is -almost- enough like mail to get you hoping, but crashes
horribly when you try to do anything useful with it. (like use pgp-
capable sendmail replacements.)

jason

--
   "I stood up on my van. I yelled, `Excuse me, sir. Ain't nothing wrong
    with this country that a few plastic explosives won't cure!'"
              - Steve Taylor, I Blew Up the Clinic Real Good
`,`,`,`,`,`,`,`,`,`,`,`,`,`,`,`,`,` steiner@jupiter.cse.utoledo.edu `,`,`,`

Newsgroup: sci.crypt
document_id: 15565
From: smk5@quads.uchicago.edu (Steve Kramarsky)
Subject: Re: Fifth Amendment and Passwords

In article <1993Apr17.122651.1874@sugra.uucp> ken@sugra.uucp (Kenneth Ng) writes:
>In article <1993Apr16.165423.27204@linus.mitre.org: ptrei@bistromath.mitre.org (Peter Trei) writes:
>:Judge: "I grant you immunity from whatever may be learned from the key
>:	itself"
>:You:    "The keyphrase is: "I confess to deliberately evading copyright; 
>:	the file encoded with this keyphrase contains illegal scans of 
>:        copyrighted Peanuts strips.""

Can we use murder instead of copyright violation, just to keep things
straight?  The 5th applies only to criminal cases which copyright 
infringements are not (they are civil).

Steve

P.S. I'm sorry to waste bandwidth on a quibble, I just don't want
anyone to get confused.  I think a bunch of kiddie porn GIFs make
a better test case than a bunch of Peanuts strips and that IS criminal
both in possession and distribution.

-- 
            Steve Kramarsky, University of Chicago Law School
           steve@faerie.chi.il.us -or- smk5@quads.uchicago.edu 
     "All I did was kiss a girl." - Jake, the night before his hanging.

Newsgroup: sci.crypt
document_id: 15566
From: kadie@cs.uiuc.edu (Carl M Kadie)
Subject: Re: Organized Lobbying for Cryptography

kubo@zariski.harvard.edu (Tal Kubo) writes:

[...]
>The EFF has been associated with efforts to prevent the banning of sex
>and pictures newsgroups at various universities.
[...]

So what? Justices William Brennan, Thurgood Marshall, John Paul
Stevens, and Byron White are associated with a plurality Supreme Court
decision that prevented the removal of "anti-American, anti-Christian,
anti-Semitic, and just plain filthy" books from a public high school
library [_Board of Education v. Pico_ (1982)]. Does this mean that
they could no longer defend free expression and privacy?

- Carl
-- 
Carl Kadie -- I do not represent any organization; this is just me.
 = kadie@cs.uiuc.edu =

Newsgroup: sci.crypt
document_id: 15567
From: holthaus@news.weeg.uiowa.edu (James R. Holthaus)
Subject: Re: Estimating Wiretap Costs/Benefits

rlglende@netcom.com (Robert Lewis Glendenning) writes:

>In article <1993Apr20.203756.20667@kronos.arc.nasa.gov> hanson@kronos.arc.nasa.gov (Robin Hanson) writes:
>>I'm attempting to write a serious policy paper examining whether the
>>proposed wiretap (or "Clipper") chip is a cost-effective tool for
>>police investigation.  That is, ignoring concerns about government
>>intrusions into individual privacy, is the value of easy wiretaps to
>>investigators greater than the cost to the communications industry,
>>and their customers, to support this wiretap technology?  
>>[...]

>First, what the fuck is NASA doing wasting my tax dollars doing
>policy papers on stuff far outside of their purview/mission?
>[...]
>Do us a favor.  Resign rather than write this paper for NASA.  Go
>do useful work for the society.

Whew!  Take it easy on the guy.  Maybe he's going to do this in his
spare time.  Maybe he's going to do this to see how much a wiretap
*really* costs.  Maybe he's going to do this so he can add to the
opposition to Clipper.  I don't know fully why he might do this, but
maybe we shouldn't start flaming at the drop of a hat.  
-- 
<><><><><><><><><><>James Holthaus  james-holthaus@uiowa.edu<><><><><><><><><>
<   Government is an association of men who do violence to the rest of us.   >
<             -- Leo Tolstoy                                                 >
<><><><><>PGP 2.2 Public key available on request or from key server<><><><><>

Newsgroup: sci.crypt
document_id: 15568
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

mathew <mathew@mantis.co.uk> writes:

> bena@dec05.cs.monash.edu.au (Ben Aveling) writes:
> > Don't forget, you are in the country that wouldn't let the Russians
> > buy Apple II's because of security concerns.

> That's nothing.  They wouldn't let the British buy Inmos Transputer systems
> because of security concerns.  And we designed the damn things!

Funny, we had plenty of them in Bulgaria, regardless of the embargo...
:-) So much for export controls...

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

Newsgroup: sci.crypt
document_id: 15569
From: holthaus@news.weeg.uiowa.edu (James R. Holthaus)
Subject: Cryptology in the world

What is the status of cryptology for private citizens throughout the
world? or, more clearly, is there a listing of countries and their
policies on citizens encrypting electronic data?

I'm curious how the Europeans handle this, for instance.
-- 
<><><><><><><><><><>James Holthaus  james-holthaus@uiowa.edu<><><><><><><><><>
<   Government is an association of men who do violence to the rest of us.   >
<             -- Leo Tolstoy                                                 >
<><><><><>PGP 2.2 Public key available on request or from key server<><><><><>

Newsgroup: sci.crypt
document_id: 15570
From: tarl@coyoacan.sw.stratus.com (Tarl Neustaedter)
Subject: Re: Organized Lobbying for Cryptography

In article <C5tBpD.Lt@cs.uiuc.edu> kadie@cs.uiuc.edu (Carl M Kadie) writes:
>[...]
>>The EFF has been associated with efforts to prevent the banning of sex
>>and pictures newsgroups at various universities.
>[...]
>
>So what? Justices William Brennan, Thurgood Marshall, John Paul
>Stevens, and Byron White are associated with [...]

It means that the EFF's public stance is complicated with issues irrelevant
to the encryption issue per se. There may well be people who care about
the encryption issue who don't care to associate themselves with the
network erotica issue (or may even disagree with the EFF's position).

Ending up with pallets of baggage to drag around is a frequent 
problem with permanent organizations. EFF is no exception.
	Tarl

Newsgroup: sci.crypt
document_id: 15571
Subject: Looking for MS-DOS crypto programs
From: EXTDSM@LURE.LATROBE.EDU.AU (MADDISON,David)

I am a new reader of sci.crypt I would like to obtain a copy of a
public domain program that can encrypt files, preferably using DES,
that runs under MS-DOS.

I would also like to obtain a program which will password protect
floppy disks, if this is possible.

Thanks.

David Maddison
Melbourne, Australia

Newsgroup: sci.crypt
document_id: 15572
From: oz@ursa.sis.yorku.ca (Ozan S. Yigit)
Subject: Re: List of large integer arithmetic packages

Mark Riordan writes:

	[a list of large-integer arithmetic packages elided]

I thought I would note that except for Lenstra's packages, none of the
large-integer packages are in the public domain. As an alternative,
a straightforward *PD* implementation of Knuth's algorithms may be
found as a part of U of Arizona's ICON distribution.

oz
---
With diligence, it is possible to make | electric: oz@sis.yorku.ca
anything run slowly.        --Tom Duff | ph:[416] 736 2100 x 33976

Newsgroup: sci.crypt
document_id: 15573
From: scs@lokkur.dexter.mi.us (Steve Simmons)
Subject: Re: Off the shelf cheap DES keyseach machine (Was: Re: Corporate acceptance of the wiretap chip)

smb@research.att.com (Steven Bellovin) writes:

>Thousands?  Tens of thousands?  Do some arithmetic, please...  Skipjack
>has 2^80 possible keys.  Let's assume a brute-force engine like that
>hypothesized for DES:  1 microsecond per trial, 1 million chips.  That's
>10^12 trials per second, or about 38,000 years for 2^80 trials.  Well,
>maybe they can get chips running at one trial per nanosecond, and build
>a machine with 10 million chips.  Sure -- only 3.8 years for each solution.

Normally I'd be the last to argue with Steve . . . but shouldn't that
read "3.8 years for *all* solutions".  I mean, if we can imagine the
machine that does 1 trial/nanosecond, we can imagine the storage medium
that could index and archive it.
-- 
 "Shadwell hated all southerners and, by inference, was standing at the
  North Pole."
	-- "Good Omens", by Neil Gaiman and Terry Pratchett

Newsgroup: sci.crypt
document_id: 15574
From: amanda@intercon.com (Amanda Walker)
Subject: Re: Clipper considered harmful

shirriff@sprite.berkeley.edu (Ken Shirriff) writes:
> Since archiving would be such a powerful tool and so easy to do, why 
> wouldn't it happen? 

Not enough magtape.

Seriously, do you have any idea how much traffic flows through the US phone 
system in a single day?


Amanda Walker
InterCon Systems Corporation

Newsgroup: sci.crypt
document_id: 15575
From: tuinstra@signal.ece.clarkson.edu.soe (Dwight Tuinstra)
Subject: Clipper will corrupt cops (was WH proposal from Police point of view)

In article 735230663@fbihh, bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:
>strnlght@netcom.com (David Sternlight) writes:
>
>> dwight tuinstra posts a very interesting message in which he comments on the
>> effects of the Clipper chip on state and local police. Actually, reading
>> between the lines, it could be a very good thing for civil liberties in one
>> respect, since it will at least prevent cowboy cops and cowboy state and
>> local agencies from reading your traffic if they tap it illegally.
>
>Instead of reading between the lines, try to think a little bit. OK,
>if that's way too difficult for you, here are some hints.
>
>Indeed, the new proposal imposes some additional bureaucratic burden on
>the local police, if they badly want to tape the magic cookie recipe
>that your mom is telling you on the phone. So, guess what they will
>do? Propose that the new technology is removed? Or implement some
>"facilitations"? Of course, you won't want to wait until they get the
>approval from two different agencies to decrypt the conversation
>between two child molesters, because meanwhile those two child
>molesters might be conspiring about molesting your child, right? So,
>there should be some way for them to get access to those keys
>-quickly-, right? Like, they could have a copy of the database, and
>worry about a warrant later...

I perhaps should have been clearer and more concise in my post, but that's
what I get from posting at 1 am...

The central point I made is that local/state police agencies attempting to
play by the rules and get warrants, legit escrowed keys, etc., may find
themselves at the mercy of bureaucratic inertia and agency infighting
at the federal level.  

I disagree that this would assist civil liberties by hobbling the cowboy
cops.  It would be a strong incentive, as Vesselin points out, for more
police agencies to "go rogue" and try to get keys through more efficient
(but less Constitutional) means.  Notice what the release said:

   Q:   Suppose a law enforcement agency is conducting a wiretap on
        a drug smuggling ring and intercepts a conversation
        encrypted using the device.  What would they have to do to
        decipher the message?

   A:   They would have to obtain legal authorization, normally a
                                                       ^^^^^^^^^^
        court order, to do the wiretap in the first place.
        ^^^^^^^^^^^

The clear implication is that there are "legal" authorizations other
than a court order.  Just how leaky are these?  (And who 
knows what's in those 7 pages that authorized the NSA?).  There
may well arise a black market of sorts _within_ police agencies, in which
keys are traded.  Furthermore, the police will be in an excellent
position to carry out this kind of thing without being caught.  They
already have a communication infrastructure with secure portions.  There
are a few laws that I know of, that limit citizens' rights to access
police communications (or use the information they get).  It may be
very difficult to prove police misuse -- the fact that you have such
evidence may itself be evidence that YOU have broken some other law.

Throw in private detectives, who have even fewer policy/constitutional
restrictions.  Also consider mercenaries who've "retired" from intelligence
agencies.  William Gibson must be loving it.  Great story material.

Don't think it'll happen?  

Well, consider e.g. the Michigan State Police, generally a very professional
organization, which for years kept "Red Files" on thousands of suspected
commies, knowing full well it was not constitutional.  The standards
of evidence were just about zero: people were in the file because they
happened to park near a place where, say, a US-China People's Friendship
rally was happening -- the police went around writing down license
plate numbers.  If you happened to be visiting a friend who lived near the
meeting place, well, the state police wound up filing you as a subversive.
(They were eventually found out and a court ruled against carrying on any
more such nonsense.  I believe they may have had to destroy the tapes
as well.)

Even with well-meaning cops (and I'm sure there are many), there will 
be strong pressure to bend the constitutional safeguards.  We don't need
to assume corrupt or unbalanced officers -- it will all be in the interest 
of enforcing sensible laws, saving lives, and protecting property.  
Compromises will be made by well-meaning officers, facing what (to them) 
will be a moral dilemma.

Clipper will make criminals out of cops.  Do we want to do this to our
police forces?

+========================================================================+
|  dwight tuinstra             best:  tuinstra@sandman.ece.clarkson.edu  |
|                         tolerable:  tuinstrd@craft.camp.clarkson.edu   |
|                                                                        |
|        "Homo sapiens: planetary cancer??  ...  News at six"            |
+========================================================================+

Newsgroup: sci.crypt
document_id: 15576
Subject: Re: Once tapped, your code is no good any more.
From: a_rubin@dsg4.dse.beckman.com (Arthur Rubin)

In <1993Apr20.151718.2576@magnus.acs.ohio-state.edu> jebright@magnus.acs.ohio-state.edu (James R Ebright) writes:

>In article a_rubin@dsg4.dse.beckman.com (Arthur Rubin) writes:

>>I wouldn't trust the NSA.  I think I would trust the President on this, but
>>I'm not certain he would be told.

>"I am not a crook." President Richard M. Nixon
>                    ^^^^^^^^^

THIS President.  (And I could easily be wrong.)
--
Arthur L. Rubin: a_rubin@dsg4.dse.beckman.com (work) Beckman Instruments/Brea
216-5888@mcimail.com 70707.453@compuserve.com arthur@pnet01.cts.com (personal)
My opinions are my own, and do not represent those of my employer.

Newsgroup: sci.crypt
document_id: 15577
From: warlord@MIT.EDU (Derek Atkins)
Subject: Re: Would "clipper" make a good cover for other encryption method?

-----BEGIN PGP SIGNED MESSAGE-----

In article <strnlghtC5t3nH.Is1@netcom.com> strnlght@netcom.com (David Sternlight) writes:

   In article <1993Apr20.032623.3046@eff.org> kadie@eff.org (Carl M. Kadie) writes:


   >So, don't just think of replacements for clipper, also think of front
   >ends.

   This only makes sense if the government prohibits alternative non-escrowed
   encryption schemes. Otherwise, why not just use the front end without
   clipper?

   David

David, they (== the gov't) have already said that they hope to DO THIS
in the long run...

- -derek

PGP 2 key available upon request on the key-server:
	pgp-public-keys@toxicwaste.mit.edu

-----BEGIN PGP SIGNATURE-----
Version: 2.2

iQBuAgUBK9TknDh0K1zBsGrxAQEAQgLFEFNH9HlHyoVHuWR5RWD9Y+mBrXkYKWsC
aAZO1x1WXhca5FG+UK9/TYYoBpBTLqGSUrgKgdzPXWFH8/+ZXgXrggwf6wP2eDSt
BYCCYb9JRX3LoZcg5whgOi4=
=8H7Y
-----END PGP SIGNATURE-----
--
  Derek Atkins, MIT '93, Electrical Engineering and Computer Science
     Secretary, MIT Student Information Processing Board (SIPB)
           MIT Media Laboratory, Speech Research Group
           warlord@MIT.EDU       PP-ASEL        N1NWH

Newsgroup: sci.crypt
document_id: 15578
From: amanda@intercon.com (Amanda Walker)
Subject: Re: Would "clipper" make a good cover for other encryption method?

strnlght@netcom.com (David Sternlight) writes:
> Chances are the government has thought of this, and "just anyone" won't 
> be permitted access to enough of the internals to make a "fake" clipper 
> chip. 

Once the chips are released (in phones, or whatever), they are vulnerable to
physical inspection and observation.  Now, I will grant that there will no
doubt be safeguards against "peeling" the chip, but the NSA has no monopoly
on cleverness.  The chip, and the algorithms it uses, will not remain secret
for very long.  Any university with a VLSI lab has the required equipment, as
does any offshore semiconductor manufacturer.


Amanda Walker
InterCon Systems Corporation

Newsgroup: sci.crypt
document_id: 15579
From: smythw@vccsouth23.its.rpi.edu (William Smythe)
Subject: Re: Once tapped, your code is no good any more.

In article <1qsip1INNnj2@dns1.NMSU.Edu> amolitor@nmsu.edu (Andrew Molitor) writes:
>al@escom.COM (Al Donaldson) writes:
>>amolitor@nmsu.edu (Andrew Molitor) writes:

>	This appears to be generic calling upon the name of the anti-christ.
>Just for the hell of it, let's destroy this remark. Let us imagine that
>the executive branch actually could extract keys from the escrow houses
>without anyone knowing, or telling. Now what? Dick has 80 bits of data.
>What the hell's he gonna do with it?
>
>	1) Trot around to the telco and say 'we'd like an unauthorised
>decrypting tap'. Uh huh.
>	2) Break in to watergate and install his own tap (so his people still
>do have to break in, neat, huh?) record some noise, then get the Executive
>Branch Phone Decryption Box (huh? they've got one? Goodness, wait 'til the
>washington post gets hold of this) and decrypt the noise.
>	3) More likely, stare at the key, and say 'Oh, hell it's not
>worth all this bloody hassle'


No, he gives the keys to the FBI (who may then give them to the local police
on request) who then simply put some alligator clips on your phone junction
box and conduct an illegal tap. They then decrypt when they recover the tape.
It's just doing what the government does best: breaking the law.

Bill Smythe

Newsgroup: sci.crypt
document_id: 15580
From: strnlght@netcom.com (David Sternlight)
Subject: Re: The [secret] source of that announcement


grady@netcom.com suggests using a common but restricted-distribution private
key to allow public key system encrypted postings. In theory that will work
fine as long as the private key remains secure.

In practice it would be a good idea to check to see if that would be a
violation of some net rule, practice, custom, etc. I don't say it would be,
just that it would be a good idea to check. This is not like rot13 where
everybody can have the key trivially.

It would also be a good idea to check to see if such posts would be
forwarded by the sites needed to make the chain work.

Of course there'd be no problem with a discussion group travelling over
facilities entirely under the control of the members. Probably there would
also be no problem with a mailing list approach. It might even  be fun for
some.

-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  

Newsgroup: sci.crypt
document_id: 15581
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Once tapped, your code is no good any more.

In article <ELEE9SF.93Apr21095141@menudo.menudo.UH.EDU>
elee9sf@menudo.menudo.UH.EDU (Karl Barrus) writes:

>
>Would you trust a black-box from the NSA versus an "open system" from
>elsewhere?

Absolutely, if I were assured by someone I trusted that the black box was
more secure. I have nothing to conceal from the government, but I would like
to be sure that any Russian, Japanese, French, or other competitors for my
services can't read my traffic. I'd like to be sure that competitive bid
information was safe from commercial competitors and foreign governments
which would aid them.

I believe the NSA has identical motivations with respect to my activities.
The President and many other senior government officials have made it very
clear that they share these motivations. Thus I'd trust them on the
"coincidence of interests" argument as well as on a basic trust in their
professionalism and a high confidence in their skills.

David
-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  

Newsgroup: sci.crypt
document_id: 15582
From: C445585@mizzou1.missouri.edu (John Kelsey)
Subject: 80-bit keyseach machine

In article <1993Apr21.001230.26384@lokkur.dexter.mi.us>
scs@lokkur.dexter.mi.us (Steve Simmons) writes:
 
>Normally I'd be the last to argue with Steve . . . but shouldn't that
>read "3.8 years for *all* solutions".  I mean, if we can imagine the
>machine that does 1 trial/nanosecond, we can imagine the storage medium
>that could index and archive it.
 
   Hmmmm.  I think, with really large keyspaces like this, you need to
alter the strategy discussed for DES.  Attempt decryption of several
blocks, and check the distribution of the contents.  I don't think it's
at all feasible to keep 2**80 encryptions of a known plaintext block on
*any* amount of tape or CD-ROM.  And certainly not 2**128 such encrypted
blocks.  (Anyone know a cheap way of converting every atom in the solar
system into a one bit storage device?)
 
   Actually, a keysearch of this kind shouldn't be much worse than the
simpler kind in terms of speed.  It's just that you have to do it over
for *every* encrypted message.
 
   Dumb question:  Has anyone ever done any serious research on how many
legitimate ASCII-encoded 8-byte blocks there are that could be part of
an english sentence?  For attacking DES in ECB mode, it seems like a
dictionary of this kind might be pretty valuable....
 
   --John Kelsey

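The search strategy Kelsey describes above (decrypt a few blocks per candidate key and test the contents, rather than matching one known-plaintext block against a stored table), together with Bellovin's trial-rate arithmetic and the storage objection to Simmons's idea of archiving every trial, as an added example that is not from any post in this thread. The toy block cipher, its 16-bit keyspace, the `looks_like_text` filter and the sample message are all constructed here for illustration; none of it is DES or Skipjack, and the 16-bit key exists only so the sweep finishes in a couple of seconds.

```python
# Added example, not from the thread: a key search that keeps no table and
# accepts a key by testing whether several decrypted blocks look like text.
# The cipher is a constructed toy (8-byte block, 16-bit key), not DES/Skipjack.

MASK64 = (1 << 64) - 1
BLOCK = 8                    # bytes per block, like DES
KEY_BITS = 16                # toy keyspace: 65536 keys
ROUNDS = 6
MULT = 0x100000001B3         # odd, so multiplication mod 2^64 is invertible
INV_MULT = pow(MULT, -1, 1 << 64)
SPREAD = 0x9E3779B97F4A7C15  # odd constant that spreads the short key over 64 bits


def _rotl(x, r):
    return ((x << r) | (x >> (64 - r))) & MASK64


def _rotr(x, r):
    return ((x >> r) | (x << (64 - r))) & MASK64


def key_schedule(key):
    """One 64-bit subkey per round from the 16-bit key (toy design)."""
    k = (key * SPREAD) & MASK64
    subkeys = []
    for _ in range(ROUNDS):
        subkeys.append(k)
        k = _rotl(k, 7)
    return subkeys


def encrypt_block(subkeys, block):
    x = int.from_bytes(block, "big")
    for r in range(ROUNDS):          # xor subkey, rotate, odd multiply
        x ^= subkeys[r]
        x = _rotl(x, 13 + r)
        x = (x * MULT) & MASK64
    return x.to_bytes(BLOCK, "big")


def decrypt_block(subkeys, block):
    x = int.from_bytes(block, "big")
    for r in reversed(range(ROUNDS)):  # undo each round in reverse order
        x = (x * INV_MULT) & MASK64
        x = _rotr(x, 13 + r)
        x ^= subkeys[r]
    return x.to_bytes(BLOCK, "big")


def encrypt_ecb(key, plaintext):
    """ECB over a space-padded message (the mode Kelsey's question is about)."""
    if len(plaintext) % BLOCK:
        plaintext += b" " * (BLOCK - len(plaintext) % BLOCK)
    ks = key_schedule(key)
    return b"".join(encrypt_block(ks, plaintext[i:i + BLOCK])
                    for i in range(0, len(plaintext), BLOCK))


PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def looks_like_text(data):
    """Plausibility filter: every byte printable ASCII (or tab/CR/LF).
    A random 8-byte block passes with probability about (101/256)**8, so
    three blocks together reject a wrong key with overwhelming probability."""
    return all(b in PRINTABLE for b in data)


def search(ciphertext, blocks_to_check=3):
    """Exhaustive search with no stored table: for each key, decrypt a few
    blocks and keep the key only if the result looks like text."""
    sample = ciphertext[:BLOCK * blocks_to_check]
    hits = []
    for key in range(1 << KEY_BITS):
        ks = key_schedule(key)
        plain = b"".join(decrypt_block(ks, sample[i:i + BLOCK])
                         for i in range(0, len(sample), BLOCK))
        if looks_like_text(plain):
            hits.append(key)
    return hits


def years_to_exhaust(key_bits, trials_per_second):
    """Bellovin's arithmetic: a full keyspace sweep at a given trial rate."""
    return (2 ** key_bits) / trials_per_second / (365.25 * 86400)


def table_bytes(key_bits, block_bytes=BLOCK):
    """Storage for a precomputed table of one known block under every key,
    the approach Simmons suggested and Kelsey rejected for 80-bit keys."""
    return (2 ** key_bits) * block_bytes


if __name__ == "__main__":
    secret_key = 0xBEEF                      # constructed sample, not from the thread
    ct = encrypt_ecb(secret_key, b"Attack at dawn. Meet at the bridge.")
    print("candidate keys:", [hex(k) for k in search(ct)])
    print("2^80 keys at 10^12 trials/s: %.0f years" % years_to_exhaust(80, 1e12))
    print("2^80 keys at 10^16 trials/s: %.1f years" % years_to_exhaust(80, 1e16))
    print("table of 2^80 known-plaintext encryptions: 2^83 bytes?",
          table_bytes(80) == 2 ** 83)
```

The point the code makes is the one Kelsey raises: the per-message search costs the same number of trial decryptions as the table approach, but it must be repeated for every message, and the filter has to look at more than one block because a single all-printable block is not rare enough to identify the key. The two `years_to_exhaust` calls reproduce Bellovin's 38,000-year and 3.8-year figures for 2^80 keys.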
Newsgroup: sci.crypt
document_id: 15583
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Fighting the Clipper Initiative

In article <1r0nov$p3e@access.digex.net> steve-b@access.digex.com (Steve
Brinich) writes:


>
> 1. American manufacturers peddling Cripple Chips with a secret untested
>     algorithm whose keys are held by people with a history of untrustworthy
>     behavoir, or
>

er, excuse me but since the escrow agencies aren't yet chosen, how can you
say they have a "history of untrustworthy behavoir[sic]"?

I'm sure each of us can think of agencies without such a history. Price
Waterhouse has kept the secret of the Academy Awards for many years, even in
the face of an aggressive press. The Federal Reserve Open Market Committee
has successfully kept decisions from leaking for the statutory period until
publication. Even the Department of Agriculture has successfully kept crop
forecasts from leaking prematurely.

Frankly, I'd trust the above (not the D of A, of course since they might be
subject to political pressure) far sooner than the ACLU, EFF, or CPSR which,
though not exactly government apologists, have no particular track record
for internal security that I know of.

David

-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  

Newsgroup: sci.crypt
document_id: 15584
From: jebright@magnus.acs.ohio-state.edu (James R Ebright)
Subject: Re: 80-bit keyseach machine

In article <16BB71018.C445585@mizzou1.missouri.edu> C445585@mizzou1.missouri.edu (John Kelsey) writes:
>In article <1993Apr21.001230.26384@lokkur.dexter.mi.us>
>scs@lokkur.dexter.mi.us (Steve Simmons) writes:
> 
>>Normally I'd be the last to argue with Steve . . . but shouldn't that
>>read "3.8 years for *all* solutions".  I mean, if we can imagine the
>>machine that does 1 trial/nanosecond, we can imagine the storage medium
>>that could index and archive it.
> 
>   Hmmmm.  I think, with really large keyspaces like this, you need to
>alter the strategy discussed for DES.  Attempt decryption of several
>blocks, and check the disctribution of the contents.  I don't think it's
>at all feasible to keep 2**80 encryptions of a known plaintext block on
>*any* amount of tape or CD-ROM.  And certainly not 2**128 such encrypted
>blocks.  (Anyone know a cheap way of converting every atom in the solar
>system into a one bit storage device?)
[...]

I don't claim to be a cryptanalyst... there isn't a whole lot of good
literature on the subject, and the best people don't seem to publish
their work :)  but I rather doubt the approach such folks use is brute
force (sorry to have implied that in my previous post).  The history
of these things is folks find clever ways of limiting the search and
bang from there.

I guess my real problem with Skipjack is I can not believe NSA would
make publicly available a system they couldn't break if they wanted...
it just isn't in their charter.  Remember DES came from IBM, not NSA
and, when first published, was given a useful life of 20 years... I think
we are well past that point now :(

Remember, based on the size of the NSA budget, they spend a lot more
on the technology of decryption than most computer companies spend on
R&D.  I have to imagine their stuff is real interesting...

A friend who once worked for them (he is dead now) said he always enjoyed
monitoring SAC's (Strategic Air Command) crypto traffic :)  and I rather
suspect that stuff is a bit more complex than Skipjack  (Or was it the
military got the stuff from the NSA just like we get Skipjack from them ;)
[BTW, folks, NSA wasn't being given the keys.  And the Walker spy case
shows for some of the systems, the KGB didn't need them either.]

-- 
 Information farming at...     For addr&phone: finger             A/~~\A
 THE Ohio State University  jebright@magnus.acs.ohio-state.edu   ((0  0))____
      Jim Ebright             e-mail: jre+@osu.edu                 \  /      \
                          Support Privacy: Support Encryption      (--)\      

Newsgroup: sci.crypt
document_id: 15585
From: ebrandt@jarthur.claremont.edu (Eli Brandt)
Subject: Re: Do we need the clipper for cheap security?

In article <1r1f62$rh5@news.intercon.com> amanda@intercon.com (Amanda Walker) writes:
>One thing that Clipper offers is interoperability, at a higher degree of 
>security than we currently have in non-proprietary voice encryption systems.
>This means it will be cheaper than anyone's proprietary scheme, and easier to 
>deploy.

I may be an anarchist nutcase, but I wouldn't have frothed overmuch
had the government proposed a secure encryption standard.  In fact,
if the NSA had come up with a privacy chip rather than a wiretap
chip, I would have been happy.  They *could* have done this -- set
up an ANSI committee, picked a secure cryptosystem, defined a
protocol and interface, and said, "Hey, start building them."

Instead we have a deliberately brain-dead version of a cryptosystem
that has not even been peer reviewed.  Yes, the NSA owns some smart
people.  But if they pulled a FEAL, well, AT&T is going to be left
with a lot of dud phones on its hands.

>Perry said:
>> Someone please tell me what exactly we get in our social contract in 
>> exchange for giving up our right to strong cryptography? 
>
>Can you tell me where exactly we have given up that right?

Heh heh.  The government already gave it up for us.  Remember in the
announcement they described this scheme as balancing the two
extremes of having no privacy and claiming that citizens had a
Constitutional right to encryption?  

So much for Clinton's support of the "right of privacy".

	 PGP 2 key by finger or e-mail  (void when prohibited)
   Eli   ebrandt@jarthur.claremont.edu

Newsgroup: sci.crypt
document_id: 15586
From: jpb@calmasd.Prime.COM (Jan Bielawski)
Subject: Re: Clipper Chip. LONG follow up.

In article <1993Apr20.030538.1@cc.curtin.edu.au> zrepachol@cc.curtin.edu.au (Paul Repacholi) writes:
<> 
<> QUESTIONS AND ANSWERS ABOUT THE CLINTON ADMINISTRATION'S
<> TELECOMMUNICATIONS INITIATIVE
<> 
<> Q:   Suppose a law enforcement agency is conducting a wiretap on
<>      a drug smuggling ring and intercepts a conversation
<>      encrypted using the device.  What would they have to do to
<>      decipher the message?
<> 
<> A:   They would have to obtain legal authorization, normally a
<>      court order, to do the wiretap in the first place.  They
<>      would then present documentation of this authorization to
<>      the two entities responsible for safeguarding the keys and
<>      obtain the keys for the device being used by the drug
<>      smugglers.  The key is split into two parts, which are
<>      stored separately in order to ensure the security of the key
<>      escrow system.

I apologize for being so dense but this sentence reads as if it
was lifted from a Luis Bunuel screenplay.  Am I missing something?
Why on earth would drug smugglers even _use_ the device then?
Obviously, they'll be using something like triple encryption DES instead.
As long as alternatives to Clipper remain legal, Clipper accomplishes
absolutely nothing, ZERO, as far as law enforcement is concerned.
The whole scheme is an absolute, total, incredible, waste of government
time and money AS LONG AS other encryption schemes that are any good 
remain legal.  In order for Clipper to work as intended all strong
cryptosystems have to be outlawed.

	Jan Bielawski
	Computervision, San Diego
	jpb@calmasd.prime.com

Newsgroup: sci.crypt
document_id: 15587
From: Borut.B.Lavrencic@ijs.si
Subject: Re: Cryptology in the world

In article <1993Apr21.031524.11080@news.weeg.uiowa.edu>, 
holthaus@news.weeg.uiowa.edu (James R. Holthaus) writes:

> What is the status of cryptology for private citizens throughout the
> world? or, more clearly, is there a listing of countries and their
> policies on citizens encrypting electronic data?
> 
> I'm curious how the Europeans handle this, for instance.
> -- 

Good question. I also wanted to find out and I did a while ago.

In our former communist times such activity (i.e. sending crypto emails)
would be prevented sooner or later, law or no law. But now there is no law
against it. So we are free to use it. We now have an EC conformant law for
protection and registration of personal files. You must remember that the
situation in small countries is vastly different from the big ones.
-- 
Borut B. Lavrencic, D.Sc.     | X.400   :C=si;A=mail;P=ac;O=ijs;S=lavrencic
J. Stefan Institute           | Internet:Borut.B.Lavrencic@ijs.si
University of Ljubljana,      | Phone   :+ 386 1 159 199
SI-61111 Ljubljana, Slovenia  |	    PGP Public Key available on request

DOLGO SMOIS KALIS OVRAZ NIKEI NJIHK OCNOO DKRIL IVSEB IPIKA

Newsgroup: sci.crypt
document_id: 15588
From: stevew@helios.unl.edu (Steve Wu)
Subject: CRYPTO 93 FINAL CALL


............................................................................
        CRYPTO '93  -  Conference Announcement & Final Call for Papers
............................................................................

The Thirteenth Annual CRYPTO Conference, sponsored by the International 
Association for Cryptologic Research (IACR), in cooperation with 
the IEEE Computer Society Technical Committee on Security and Privacy, 
the Computer Science Department of the University of California, Santa 
Barbara, and Bell-Northern Research (a subsidiary of Northern Telecom), 
will be held on the campus of the University of California, Santa Barbara, 
on August 22-26, 1993. Original research papers and technical expository talks 
are solicited on all practical and theoretical aspects of cryptology. It is 
anticipated that some talks may also be presented by special invitation of the 
Program Committee.
-------------------------        
INSTRUCTIONS FOR AUTHORS:  Authors are requested to send 12 copies of a 
detailed abstract (not a full paper) by April 26, 1993, to the Program Chair 
at the address given below. A limit of 10 pages of 12pt type (not counting 
the bibliography or the title page) is placed on all submissions. Submissions 
must arrive on time or be postmarked no later than April 21, 1993 and sent by 
airmail in order to receive consideration by the Program Committee. It is 
required that submissions start with a succinct statement of the problem 
addressed, the solution proposed, and its significance to cryptology, 
appropriate for a non-specialist reader. Technical development directed to 
the specialist should follow as needed.
-------------------------        
Abstracts that have been submitted to other conferences that have proceedings 
are NOT eligible for submission.

Submissions MUST BE ANONYMOUS. This means that names and affiliations of 
authors should only appear on the title page of the submission; it should 
be possible to remove this page and send the papers to Program Committee 
members. A Latex style file that produces output in this format is 
available by email from the Program Chair.

Authors will be informed of acceptance or rejection in a letter mailed on 
or before June 21, 1993. A compilation of all accepted abstracts will be 
available at the conference in the form of pre-proceedings. Authors of 
accepted abstracts will be allowed to submit revised versions for the 
pre-proceedings. A revised abstract should contain only minor changes and 
corrections to the originally submitted abstract. All revised abstracts must 
be received by the Program Chair by July 16, 1993. THE 10 PAGE LIMIT WILL BE 
STRICTLY ENFORCED for the pre-proceedings.

Complete conference proceedings are expected to be published in Springer-
Verlag's Lecture Notes in Computer Science series at a later date, pending 
negotiation.
-------------------------        
The Program Committee consists of 

   D. Stinson (Chair, Nebraska)   
   M. Bellare (IBM T. J. Watson)       E. Biham (Technion, Israel)
   E. Brickell (Sandia National Labs)  J. Feigenbaum (AT&T Bell Labs)
   R. Impagliazzo (UCSD)               A. Odlyzko (AT&T Bell Labs)
   T. Okamoto (NTT, Japan)             B. Pfitzmann (Hildesheim, Germany)
   R. Rueppel (R3, Switzerland)        S. Vanstone (Waterloo, Canada)
-------------------------        
Send submissions to the Program Chair:        

Douglas R. Stinson, Crypto '93        
Computer Science and Engineering Department         
115 Ferguson Hall, University of Nebraska        
Lincoln, NE 68588-0115 USA        
Telephone: (402)-472-7791         
Fax: (402)-472-7767        
Internet: stinson@bibd.unl.edu        

For other information, contact the General Chair: 

Paul C. Van Oorschot, Crypto '93 
Bell-Northern Research (MAIL STOP 000) 
3500 Carling Ave. 
Nepean, Ontario K2H 8E9  Canada 
Telephone: (613)-763-4199 
Fax: (613)-763-2626 
Internet: crypto93@bnr.ca

............................................................................
        CRYPTO '93  -  General Information  (August 22 - 26, 1993)
............................................................................

THE PROGRAM:  Crypto'93 is the thirteenth in a series of workshops on 
cryptology held at Santa Barbara, and is sponsored by the International 
Association for Cryptologic Research, in cooperation with the IEEE 
Computer Society Technical Committee on Security and Privacy, the Computer 
Science Department of the University of California, Santa Barbara, and 
Bell-Northern Research (a subsidiary of Northern Telecom). The program 
for the workshop will cover all aspects of cryptology. Extended abstracts of 
the papers presented at the conference will be distributed to all attendees 
at the conference, and formal proceedings will be published at a later date.

In addition to the regular program of papers selected or invited by the 
program committee, there will be a rump session on Tuesday evening for 
informal presentations. Facilities will also be provided for attendees to 
demonstrate hardware, software and other items of cryptographic interest. 
If you wish to demonstrate such items, you are urged to contact the General 
Chair so that your needs will be attended to. The social program will include 
hosted cocktail parties on Sunday and Monday. In addition, there will be a 
beach barbecue on Wednesday evening. The price of the barbecue is included 
in the room and board charge, and extra tickets may be purchased.

ABOUT THE CONFERENCE FACILITIES:  The workshop will be held on the campus of 
the University of California, Santa Barbara. The campus is located adjacent 
to the Santa Barbara airport and the Pacific Ocean. Accommodations are 
available in the university dormitories at relatively low cost for conference 
participants. Children under the age of 13 are not allowed to stay in the 
dormitories, so those bringing small children will need to make separate 
arrangements in one of several nearby hotels. More information on hotels is 
enclosed. Parking on campus is available at no cost to the participants. 
However, participants must indicate on the registration form if they desire 
a parking permit.

TRAVEL INFORMATION:  The campus is located approximately 2 miles from the 
Santa Barbara airport, which is served by several airlines, including 
American, America West, Delta, United, and US Air. Free shuttle bus service 
will be provided between the Santa Barbara airport and the campus on Sunday 
and Thursday afternoons. All major rental car agencies are also represented 
in Santa Barbara, and AMTRAK has rail connections to San Francisco from the 
north and Los Angeles from the south. Santa Barbara is approximately 100 miles 
north of Los Angeles airport, and 350 miles south of San Francisco.

REGISTRATION:  Participation is invited by interested parties, but attendance 
at the workshop is limited, and pre-registration is strongly advised. Late 
registrations, subject to a late registration fee, may be accepted if space 
is available, but there are NO GUARANTEES. To register, fill out the attached 
registration form and return to the address on the form along with payment in 
full before July 9, 1993. Campus accommodations will be available on a first 
come, first serve basis for attendees who register by July 9, 1993. The 
conference fees include participation in the program and all social functions, 
as well as membership to the IACR and a subscription to the Journal of 
Cryptology. The room and board charges include dormitory lodging and meals 
from dinner on Sunday to lunch on Thursday. Technical sessions will run 
from Monday morning to Thursday at noon. A very limited number of stipends 
are available to those unable to obtain funding. Applications for stipends 
should be sent to the General Chair before June 4, 1993.

............................................................................
        CRYPTO '93  -  CRYPTO '93 Registration Form 
............................................................................
                       REGISTRATION DEADLINE: July 9, 1993

Last Name:   _____________________________________________

First Name:  _____________________________________________ Sex: (M)__  (F)__

Affiliation: _______________________________________________________________ 

Mailing Address:  __________________________________________________________

                  __________________________________________________________

                  __________________________________________________________

                  ___________________________________________________________

Phone:  __________________________________ FAX:  ___________________________ 

Electronic Mail:  __________________________________________________________ 

Payment of the conference fee entitles you to membership in the International 
Association for Cryptologic Research for one year at no extra charge, 
including a subscription to the Journal of Cryptology, published by Springer-
Verlag, at no extra charge.  Do you wish to be an IACR member?   YES__  NO__

The conference fee also includes the conference proceedings when they become 
available, containing final versions of conference papers. The book of 
extended abstracts distributed at the conference will contain only shortened 
preliminary versions of these papers (maximum 10 pages).

Conference fee: Regular ($280)                        US$ _______
                Attended Eurocrypt'93, Norway ($230)      _______
                Full time student ($190)                  _______ 
                deduct $50 if you do not wish proceedings _______
                Total conference fee:                              US$_______

Room and Board (4 nights):   Smoking ___  Non-smoking ___
        Single room ($275 per person)                                 _______
        Double room ($225 per person)                                 _______
               Roommate's name:  ____________________________________

Extra barbecue tickets ($20 each; one is included in room and board)  _______ 
$40 late fee for registration after July 9; 
    REGISTRATION NOT GUARANTEED AFTER JULY 9                          _______

Total funds enclosed (U.S. dollars):                              US$ _______

Payment must be by check PAYABLE IN U.S. FUNDS, by money order IN U.S. FUNDS, 
or by U.S. BANK DRAFT, payable to: CRYPTO'93.  Payment should be mailed to the 
General Chair:
               Paul C. Van Oorschot, CRYPTO'93 
               Bell-Northern Research (MAIL STOP 000)
               3500 Carling Ave.
               Nepean, Ontario K2H 8E9   Canada 

............................................................................
        CRYPTO '93  -  Hotel Information
............................................................................

For those who choose not to stay in the dormitories, the following is a 
partial list of hotels in the area. Those who choose to stay off campus are 
responsible for making their own reservations, and early reservations are 
advised since August is a popular season in Santa Barbara. Note that Goleta 
is closer to UCSB than Santa Barbara, but that a car will probably be 
required to travel between any hotel and the campus. All prices are subject 
to change; prices should be confirmed by calling the individual hotels 
directly. However, mention CRYPTO'93 when you are making your reservation and 
in several of the hotels listed you will be eligible for the university rate 
which can be significantly less than the normal rates. We are not able to 
block rooms in these hotels, so please make reservations as early as 
possible. The quality of the hotels range from rather expensive beach-front 
resorts to basic inexpensive accommodations. For further information, try 
contacting the Santa Barbara Convention and Visitors Center, (805)-966-9222. 

South Coast Inn: 5620 Calle Real, Goleta, CA 93117. Regular rates: Single $89, 
Double $94; call for University rates. Contact Murrill Forrester at 
(805)-967-3200 or toll-free at (800)-350-3614.

Cathedral Oaks Lodge: 4770 Calle Real, Santa Barbara, 93110. Single rates not 
available, Double rates start at $84 including breakfast; no University rates. 
Call Tom Patton at (805)-964-3511 or toll-free at (800)-654-1965.

Motel 6: 5897 Calle Real, Goleta, CA 93117. Single $33.95, Double $39.95, 
no University rate available. Call (505)-891-6161.

The Sandman Inn: 3714 State St., Santa Barbara, CA 93105. Regular rates: 
Single or Double $84, $94 for king-size, University rate $65. Call Jean 
Ingerle at (805)-687-2468 or toll-free at (800)-350-8174.

Miramar Hotel (Beachfront): 3 miles south of Santa Barbara on U.S. 101 at 
San Ysidro turnoff. Regular rates: $70-$135. No University rates. Call 
(805)-969-2203. 

Pepper Tree Inn: 3850 State St., Santa Barbara, CA 93105. Regular rates: 
$106-$112 for two people, University rates $96-$102 for two people. Call 
Christopher Oliphant at (805)-687-5511 or toll-free at (800)-338-0030.

Encina Lodge: 220 Bath Street, Santa Barbara, CA 93105. Regular rates 
$106-$108 for two people, no University rates. Call Carol Wolford at 
(805)-682-7550 or toll-free at (800)-526-2282.

Quality Suites: 5500 Hollister Ave, Santa Barbara, CA 93111 (close to campus). 
Regular rates: Single $125, Double $145, University rates $99 double 
(must mention you are attending a UCSB program). Call Michael Ensign at 
(805)-683-6722.

Upham Hotel (bed-and-breakfast): 1404 De La Vina Road, Santa Barbara, 
CA 93101. University rate $85 (mention you are from Crypto). Call Sheila 
Donegan at (805)-962-0058.
............................................................................




--
stevew@helios.unl.edu  |=| \ Fender / |=| ... smoke on the water, fire in
                       |=|   \    /   |=| the sky...   Smoke on the water.
stevew@hoss.unl.edu    |=|     \/     |=|     (36 bars guitar solo)
		      Deep purple, the best

Newsgroup: sci.crypt
document_id: 15589
From: pat@rwing.UUCP (Pat Myrto)
Subject: Re: Clipper considered harmful

In article <15469@optilink.COM> brad@optilink.COM (Brad Yearwood) writes:
<If Clipper comes to cellular phones along with legal proscriptions against
<using other cipher systems on these phones, a new and potentially dangerous
<class of crime is created.

Aside from possession of "terrorist tools" (unapproved encryption devices
or programs)...

<Criminals who very badly want inscrutable tactical communications (specifically
<the terrorists and drug dealers who proponents of key escrow cite as threats)
<will be highly motivated to steal the cipher phone of a legitimate user, and
<to kill this person or hold them hostage so discovery of compromise of the
<device will be delayed.
<
<Once a suitable collection of devices is stolen, criminals can communicate
<with impunity (assuming the cipher system carries no trapdoors apart from
<key escrow) until and unless the compromise is discovered by some other means.
<
<Because life-is-cheap criminals are currently willing to kill people to steal
<very large and conspicuous property (luxury cars), it is reasonable to assume
<that they will be willing to kill people to steal small and inconspicuous
<property (a cipher cellular phone).  Just as we have seen in the past with
<"blue box" technology, and in the present with modified cellular phones,
<we can expect to see among high-stakes criminals a lucrative market for
<stolen cipher phones which can be used for a few days.  The high-stakes
<criminals will pay the life-is-cheap types substantial amounts for stolen
<instruments.
<
<Because a person is typically discovered as missing or dead in a few days,
<a stolen instrument will be usable for only a few days.  There will be a
<continuing demand for fresh phones: fresh bodies.

And since Clinton is also going full-bore to deny unconnected citizens
the means to defend themselves ("we will protect you ... 911 is good
enough for you...") by perverting or trashing the Second Amendment,
the targeted individuals will be GUARANTEED easy prey.  What is a few
bodies compared to the "greater good" of the Fed being able to defeat
a citizen's security with impunity?  You don't think there doesn't
exist a means by which the NSA can do their usual eavesdropping, scanning
for keywords, with OR WITHOUT a court order or any 'keys', do you?
If so, I got some great Florida real estate you might be interested in...

Perhaps the idea of escrowed keys is meant to divert the discussion to
how they will be safeguarded, and away from the basic fact that the
government is systematically taking away our right to privacy, to be
secure, for the means of self-defense, and just about every other right
spelled out in the Bill of Rights?

Nawwww - they are the GOVERNMENT!  "Trust us..."

<In other words, Clipper and similar systems have the potential to turn a
<current inconvenience to law enforcement into a direct, vicious, and
<persistent threat to the general public.

What is more important to the government?  Law Enforcement (people control)
or the safety of the general public?  The gun control issue should answer
that one - look at how good that works in making cities safer:  The places
that are the worst in that regard are also the places with the 'best' gun
control.  Government is NOT about public good, it is about CONTROL.

Never forget that.  Our Founding Fathers sure were concerned about it.

<
<  [ ... remainder deleted ... ]
<


-- 
pat@rwing.uucp      [Without prejudice UCC 1-207]     (Pat Myrto) Seattle, WA
         If all else fails, try:       ...!uunet!pilchuck!rwing!pat
WISDOM: "Only two things are infinite; the universe and human stupidity,
         and I am not sure about the former."              - Albert Einstein

Newsgroup: sci.crypt
document_id: 15590
From: marc@math.uni-sb.de (Marc Conrad)
Subject: Re: List of large integer arithmetic packages

mrr@scss3.cl.msu.edu (Mark Riordan) writes:

[not very comprehensive list deleted]

There is a very comprehensive list in sci.math.symbolic, 
with detailed descriptions of many packages. 
(Especially you, Mark, should update your list :-) )
Here it is: 


			Available    Systems

This is the list of currently developed and distributed software for 
symbolic math applications. No information is supplied on systems no longer 
being supported like: SAINT, FORMAC, ALPAK, ALTRAN, MATHLAB, SIN, SAC, CAMAL, 
ScratchPad, MuMath, SHEEP, TRIGMAN, ANALITIK, SMP or CCALC.

For more detailed info on any of the systems below, look into the directory
pub/Symbolic_Math in the anonymous FTP of "math.berkeley.edu". No particular 
recommendation is made for any of these. If you want prices contact the 
company. Programs are listed by (approx.) the reverse order of the number of 
machines they run on, in each class, general purpose systems first.

If you have any information to add to this list (we know we are missing
MuPAD & FELIX) please send it to:

			ca@math.berkeley.edu
Paulo Ney de Souza
Department of Mathematics
University of California
Berkeley CA 94720 				desouza@math.berkeley.edu

GENERAL PURPOSE
===============
 
Maple:: 
	Type:      commercial
	Machines:  Most impressive list of machines I've seen for a program:
                   workstations (DEC, HP, IBM, MIPS, Sun, SGI, Apollo), 
                   386 PC's, Mac, Amiga, Atari, AT&T 3B2, Gould, Convex,
                   NCR, Pyramid, Sequent, Unisys and Cray's.
	Contact:   maple@daisy.waterloo.edu
		   Waterloo Maple Software, 160 Columbia Street West,
        	   Waterloo, Ontario, Canada     N2L 3L3
        	   Phone: (519) 747-2373
	Version:   5 Release 1
	Comments:  General purpose, source available for most routines,
		   graphics support in 5.0. A demo of the program for PC-DOS
		   can be obtained from anonymous FTP at
		   wuarchive.wustl.edu:/edu/math/msdos/modern.algebra/maplev.zip

Mathematica::
	Type: 	   commercial
	Machines:  Cray YMP down to Mac's and PC's
	Contact:   info@wri.com, Phone: 1-800-441-MATH
		   Wolfram Research, Inc.
 	           100 Trade Center Drive, Champaign IL 61820-7237
	Version:   2.1
	Comments:  General purpose, Notebook interface on Next, Mac, 
	           nice graphics. 

Macsyma:: 
   	Type:      commercial
    	Machines:  Sun-3, Sun-4 (SPARC), VAX (UNIX and VMS), Apollo, 
		   HP 9000, DEC RISC, PC386/DOS, Symbolics computers, 
		   368/387 and 486 (no SX's) PC's.
    	Contact:   macsyma-service@macsyma.com, Phone: 800-MACSYMA
		   Macsyma Inc,  20 Academy St., Arlington MA 02174-6436
    	Version:   depends on machine: 417.100 is the latest (for Sun-4, HP, 
		   and DEC RISC), 417.125 for PC's
   	Comments:  General purpose, many diverse capabilities, one of the 
		   oldest around. Includes proprietary improvements from 
		   Symbolics and Macsyma Inc. Descendant of MIT's Macsyma.

DOE-Macsyma:
	Type:      distribution fee only
	Machines:  GigaMos, Symbolics, and TI Explorer Lisp machines.  The NIL 
                   version runs on Vaxes using the VMS system.  The public 
                   domain Franz Lisp version, runs on Unix machines, including 
                   Suns and Vaxes using Unix.
	Contact:   ESTSC - Energy Science & Technology Software Center 
		   P. O. Box 1020 Oak Ridge TN 37831-1020
		   Phone: (615) 576-2606
	Comments:  Help with DOE-Macsyma, general and help with issues such as
	           obtaining support, new versions, etc: lph@paradigm.com
                   Leon Harten from Paradigm Assoc. Paradigm Associates, Inc. 
                   29 Putnam Avenue, Suite 6 Cambridge, MA 02139 (617) 492-6079.

Maxima::
	Type:	   Licence for a fee. Get licence from ESTC before download.
	Machines:  Unix workstations (Sun, MIPS, HP, PC's) and PC-DOS (beta).
        Contact:   wfs@rascal.utexas.edu (Bill Schelter)
	Version:   4.155
	Comments:  General purpose -  MIT Macsyma family. Common Lisp 
                   implementation by William F. Schelter, based on Kyoto
		   Common Lisp. Modified version of DOE-Macsyma available
		   to ESTSC (DOE) sites. Get the licence from ESTSC (phone:
		   615-576-2606) and then download the software from 
		   DOS: math.utexas.edu:pub/beta-max.zip   or
		   UNIX: rascal.ics.utexas.edu:pub/maxima-4-155.tar.Z
		   Currently their charge for 1 machine license is $165 to
		   universities. Site licenses are also available.

Aljabr::
	Type:      commercial
	Machines:  Mac's with 4Meg of RAM. 
	Contact:   aljabr@fpr.com,  Phone: (508) 263-9692, Fort Pond Research.
                   15 Fort Pond Road, Acton MA  01720 US
	Version:   1.0
	Comments:  MIT Macsyma family descendant, uses Franz LISP.

Paramacs::
	Type:      commercial 
	Machines:  VAX-VMS, Sun-3, Sun-4, (SGI and Mac's on the works)
	Contact:   lph@paradigm.com
	Version:   ???
	Comments:  ???

Vaxima::
	Type:	   distribution fee only
	Machines:  VAX-Unix
        Contact:   ESTSC (see DOE-Macsyma above)
	Version:   ???
	Comments:  General purpose -  MIT Macsyma family descendant.
		   Includes source and binaries with assembler for Macsyma 
		   and Franz Lisp Opus 38

Reduce::
	Type:      commercial
	Machines:  All Unix workstations, a variety of mainframes, 
 	           MS-DOS/386/4Mbyte and Atari ST. 
	Contact:   reduce-netlib@rand.org
	Version:   3.34 
	Comments:  General purpose 

FORM::
	Type:      Public domain version 1, version 2 commercial
	Machines:  Msdos, AtariSt , Mac, Sun3, Sun4/sparc, Apollo, NeXT,
 		   VAX/VMS, VAX/Ultrix , DECStation , and others
	Contact:   t68@nikhef.nl (Jos Vermaseren)
		   Binary versions of version 1 are available
 		   by anonymous ftp from nikhef.nikhef.nl (192.16.199.1)
	Version:   1 and 2.
	Comments:  General purpose, designed for BIG problems, batch-like
 		   interface 

Axiom::
	Type:      commercial
	Machines:  IBM RS 6000's and other IBM platforms
	Contact:   ryan@nag.com,  Phone: (708) 971-2337 FAX: (708) 971-2706
                   NAG - Numerical Algorithms Group, Inc
		   1400 Opus Place, Suite 200, Downers Grove, Il 60515-5702
	Version:   ???
	Comments:  General purpose.

SIMATH::
	Type:      anonymous ftp 
	Machines:  Suns, Apollo DN and Siemens workstations.
	Contact:   simath@math.uni-sb.de
	Version:   3.5
	Comments:  General purpose

Derive::
	Type:      commercial 
	Machines:  Runs on PC's and HP 95's.
	Contact:   808-734-5801 
 		   Soft Warehouse Inc. 3615 Harding Ave, Suite 505
                   Honolulu, Hawaii 96816-3735
        Version:   2.01
	Comments:  Said to be very robust, gets problems that other larger
 		   programs fail on. Low cost. 

Theorist::
	Type:      commercial
	Machines:  Mac's
        Contact:   prescien@well.sf.ca.us, phone:(415)543-2252 fax:(415)882-0530
		   Prescience Corp, 939 Howard St #333, San Francisco, CA 94103
	Version:   1.11
	Comments:  General purpose, graphics. If you like the Mac interface
 		   you'll love this; fixed precision (19 digits), runs on
 		   smaller Macs than MMA.

MAS::
	Type:      Anonymous FTP
	Machines:  Atari ST (TDI and SPC Modula-2 compilers), IBM PC/AT 
		   (M2SDS and Topspeed Modula-2 compilers) and Commodore 
		   Amiga (M2AMIGA compiler).  
	Contact:   H. Kredel. Computer Algebra Group
		   University of Passau, Germany
        Version:   0.60
	Comments:  MAS is an experimental computer algebra system combining 
		   imperative programming facilities with algebraic 
		   specification capabilities for design and study of algebraic
		   algorithms. MAS is available via anonymous ftp from: 
    		   alice.fmi.uni-passau.de = 123.231.10.1 

MockMma::
	Type:      anonymous FTP from peoplesparc.berkeley.edu
	Machines:  Anywhere running Common LISP.
	Contact:   fateman@cs.berkeley.edu
        Version:   ???????
	Comments:  It does Matematica (or I mispelled that!).

Weyl::
	Type:      anonymous FTP from ftp.cs.cornell.edu /pub/Weyl
	Contact:   rz@cs.cornell.edu
        Version:   4.240
	Comments:  Intended to be incorporated in larger, more specialized
		   systems.

FLAC::
	Type:      ???
	Machines:  IBM PC's (DOS)
	Contact:   Victor L. Kistlerov, Institute for Control Sciences, 
		   Profsoyuznaya 65, Moscow, USSR
	Version:   ???
	Comments:  Functional language


GROUP THEORY
============

Cayley::
	Type:      Cost recovery
	Machines:  SUN 3, SUN 4, IBM AIX and VM machines, Apollo, DEC
	           VAX/VMS, Mac running A/UX 2.01 or higher and Convex.
	Contact:   cayley@maths.su.oz.au 
		   Phone: (61) (02) 692 3338, Fax: (61) (02) 692 4534
		   Computational Algebra Group
                   University of Sydney
                   NSW 2006 Australia
	Version:   3.8.3
	Comments:  Designed for fast computation with algebraic and
 		   combinatorial structures such as groups, rings,
 		   fields, modules and graphs. Although it began as a
 		   group theory system it has recently evolved into a
 		   general (abstract) algebra system.

GAP::
	Type:      anonymous ftp (free, but not PD; basically GNU copyleft)
	Machines:  All Unix workstations, ATARI ST, IBM PC and MAC 
        Contact:   gap@samson.math.rwth-aachen.de
	FTP site:  samson.math.rwth-aachen.de (137.226.152.6) & math.ucla.edu
	Version:   3.1 (3.2 to be released Dec 92)
	Comments:  group theory calculations.


ALGEBRA & NUMBER THEORY
=======================

PARI::
	Type:      anonymous ftp  
	Machines:  Most workstations, Mac and NeXT
	Contact:   pari@mizar.greco-prog.fr
                   anonymous ftp to math.ucla.edu (128.97.64.16)
	           in the directory /pub/pari
	Version:   1.35
	Comments:  Number theoretical computations, source available, key 
		   routines are in assembler, ascii and Xwindows graphics. 
		   PC-DOS version available from anonymous FTP at 
		   wuarchive.wustl.edu:/edu/math/msdos/modern.algebra/pari386

Macaulay::
	Type:      anonymous ftp
	Machines:  Complete source available, Binary Mac versions available
	Contact:   anonymous ftp to zariski.harvard.edu (128.103.1.107)
	Version:   ???
	Comments:  focused on Algebra type computations ( polynomial rings
 		   over finite fields ), things like that.

Kant::
	Type:      ???
	Machines:  ???
	Contact:   KANT Group
		   Prof. Dr. M. E. Pohst / Dr. Johannes Graf v. Schmettow 
		   Mathematisches Institut, Heinrich-Heine-Universität 
		   Universitätsstr. 1, D-4000 Düsseldorf 1 
		   pohst@dd0rud81.bitnet or schmetto@dd0rud81.bitnet
        Version:   1 & 2
	Comments:  Kant (Computational  Algebraic  Number  Theory) is 
		   subroutine  package for algorithms  from geometry of 
		   numbers and  algebraic number theory. There are  two 
		   versions of  Kant:  Kant  V1 is written  in Ansi-Fortran 77,
		   while Kant V2 is built on the Cayley Platform and written in 
		   Ansi-C.

LiE::
	Type:      commercial 
	Machines:  Unix workstations (SUN, DEC, SGI, IBM), NeXT, PC's,
                   Atari and Mac's.
	Contact:   lie@can.nl, Phone: +31 20 592-6050,  FAX: +31 20 592-4199
                   CAN Expertise Centre, Kruislaan 413, 
                   1098 SJ Amsterdam, The Netherlands
	Version:   2
	Comments:  Lie group computations

UBASIC::
	Type:	   anonymous FTP (ubas830.zip)
	Machines:  Mac and IBM PC's
	Contact:   malm@argo.acs.oakland.edu, Phone: (313) 370-3425
	 	   Donald E. G. Malm, Department of Mathematical Sciences
                   Oakland University, Rochester, MI 48309-4401
	Version:   8.30
	Comments:  BASIC-like environment for number theory. In the collection
		   of programs written for it one can find: 
		   MALM (Collection of UBASIC Number Theory Programs (malm.zip)
		   by Donald E. G. Malm (and copyrighted by him), including: 
		   Baillie-Wagstaff Lucas pseudoprime test, Algorithm for 
  		   Chinese remaindering, Elliptic curve method to factorize n, 
		   Fermat's method of factoring, General periodic continued 
		   fraction to quadratic routine, Evaluates Carmichael's 
		   function & D. H. Lehmer's method of solving x^2 = q (mod p).
		   UBMPQS (Prime factorization program for numbers over 80 
		   digits (ubmpqs32.zip)), that can be found in the WURST 
		   Archives (wuarchive.wustl.edu).

Numbers::
	Type:      Free but not Public Domain, registration required.
	Machines:  PC-DOS
	Contact:   Ivo Düntsch                  Phone:    (++49) 541-969 2346
	           Rechenzentrum                Fax:      (++49) 541-969 2470
	           Universität Osnabrück        Bitnet:   duentsch@dosuni1
	           Postfach 4469
	           W 4500 Osnabrück GERMANY
        Version:   202c
	Comments:  Numbers is a calculator for number theory. It performs 
	   	   various routines in elementary number theory, some of  
		   which are also usable in algebra or combinatorics.
	  	   Available in the anonymous FTP in ftp.rz.Uni-Osnabrueck.de  
		   in the directory /pub/msdos/math

CoCoA::
	Type:      ???
	Machines:  Mac's
	Contact:   cocoa@igecuniv.bitnet
	Version:   ???
	Comments:  Computations in commutative algebra

Galois::
	Type:      Commercial
	Machines:  IBM-PC DOS
	Contact:   CIFEG Inc., Kalkgruberweg 26, A-4040 Linz, Austria
        Version:   ???
	Comments:  Algebra and number theory microcomputer  written by
   		   R. Lidl, R. W. Matthews, and R. Wells from the U. Tasmania 
		   in Turbo Pascal v3.0.

GANITH::
	Type:      Anonymous FTP
	Machines:  Any system with vanilla Common Lisp, X 11, and has at least 
		   a rudimentary Lisp/C interface.
	Contact:   Chanderjit Bajaj & Andrew Royappa 
                   Department of Computer Science, Purdue University
                   West Lafayette, IN 47907
		   (bajaj and royappa@cs.purdue.edu)
        Version:   
	Comments:  GANITH is an algebraic geometry toolkit, for computing 
		   and visualising solutions to systems of algebraic equations.
                   It is written in Common Lisp and C, and runs under version
  		   11 of the X window system.
  		   GANITH is available from the anonymous FTP at 
		   cs.purdue.edu in the file /pub/avr/ganith-src.tar.Z


TENSOR ANALYSIS
===============

SchoonShip::
	Type:      ???
	Machines:  ???
	Contact:   mentioned in  Comp.Phys. Comm. 8, 1 (1974).
	Version:   ???
	Comments:  I have heard this program mentioned; supposedly it's designed
 		   for large problems (i.e. thousands of terms in series 
 		   expansions ). Developed at CERN for CDC7600 ? 

STENSOR::
	Type:	   ????
	Machines:  VAX, SUN, Apollos, Orion, Atari & Amiga
	Contact:   lh@vand.physto.se, 
		   Lars Hornfeldt, Physics Department, University of Stockholm
                   Vanadisv.9, S-113 46, Stockholm, Sweden
        Version:   ????
	Comments:  System for tensor calculus and noncommutative algebra


LISP CALCULATORS
================

JACAL:: 
	Type:      Gnu CopyLeft
	Machines:  Needs a Lisp (either Common or Scheme) 
	Contact:   Available by anon ftp to altdorf.ai.mit.edu [18.43.0.246]
	Version:   ???
	Comments:  An IBM PC version on floppy for $50 is available from 
 		   Aubrey Jaffer, 84 Pleasant St. Wakefield MA 01880, USA.

GNU-calc::
	Type:      GNU copyleft
	Machines:  Where Emacs runs.
	Contact:   Free Software Foundation
        Version:   ???
	Comments:  It runs inside GNU Emacs and is written entirely in Emacs
		   Lisp. It does the usual things: arbitrary precision integer,
		   real, and complex arithmetic (all written in Lisp), 
		   scientific functions, symbolic algebra and calculus, 
		   matrices, graphics, etc. and can display expressions with 
		   square root signs and integrals by drawing them on the 
		   screen with ascii characters. It comes with well written 
		   600 page online manual. You can FTP it from any GNU site.


DIFFERENTIAL EQUATIONS
======================

DELiA::
	Type:      Informal distribution
	Machines:  IBM PC's (DOS)
	Contact:   A. V. Bocharov, Program Systems Institute, 
		   USSR Academy of Science, Pereslavl, 
                   P.O. Box 11, 152140 USSR, Tlx: 412531 BOAT
	Version:   ????
	Comments:  Differential equation computations


PC SHAREWARE
============

SymbMath::
	Type:      shareware, student and advanced versions.
	Machines:  IBM PC
	Contact:   chen@deakin.OZ.AU
	Version:   2.1.1
	Comments:  Runs on plain (640k) DOS machines. The shareware version
		   is available in the file sm211a.zip on the Wurst Archives.
		   More capable versions are available by mail-order from the 
	           author.  

CLA::
	Type:      anonymous FTP
	Machines:  PC-DOS
	Contact:   ????
        Version:   2.0
	Comments:  A linear or matrix algebra package which computes
		   rank, determinant, row-reduced echelon form, Jordan 
		   canonical form, characteristic equation, eigenvalues, 
	 	   etc. of a matrix. File cla20.zip on the Wurst Archives.

XPL::
	Type:      anonymous FTP
	Machines:  PC-DOS
	Contact:   David Meredith, Department of Mathematics
                   San Francisco State University
                   San Francisco, CA 94132
                   meredith@sfsuvax1.sfsu.edu
        Version:   4.0
	Comments:  Formerly called CCALC. Well-integrated graphics and some
		   (numerical) matrix manipulation routines. Intended for 
		   calculus students. Prentice Hall sells this with a book 
		   (ISBN 0-13-117441-X--or by calling 201-767-5937), but it 
		   is also available (without the manual but with a 
		   comprehensive help system) by anonymous FTP from 
		   wuarchive.wustl.edu: /edu/math/msdos/calculus/cc4-9206.zip.

AMP::
	Type:      Commercial, evaluation copy available by anonymous FTP
	Machines:  PC-DOS
	Contact:   Mark Garber (71571,2006@compuserve.com) Ph: (404) 452-1129
		   Cerebral Software, PO Box 80332, Chamblee, GA 30366
	Version:   3.0
	Comments:  The Algebraic Manipulation Program (AMP) is written in 
		   Modula-2 and is a symbolic calculation tool. AMP functions 
		   in an interpreter mode and program mode. It  has tensor 
		   manipulation using index notation.  The evaluation copy is
		   available in the anonymous FTP at:
		   ftp.rz.Uni-Osnabrueck.de:pub/msdos/math/amp30.zip

Mercury::
	Type:      Shareware
	Machines:  PC-DOS
	Contact:   ???
	Version:   2.06
	Comments:  Limited in symbolic capabilities, but is extremely adept 
		   at numerically solving equations and produces publication
		   quality graphical output. This used to be Borland's Eureka!, 
		   but when Borland abandoned it, its original author started 
		   selling it as shareware under the name Mercury. Available
		   from anonymous FTP at 
		   wuarchive.wustl.edu:/edu/math/msdos/calculus/mrcry206.zip

PFSA::
	Type:      Public Domain
	Machines:  PC-DOS
	Contact:   ???
	Version:   5.46
	Comments:  Available from the anonymous FTP at 
		   wuarchive.wustl.edu:/edu/math/msdos/modern.algebra/vol546.zip

LIE::
	Type:      Public Domain
	Machines:  PC-DOS
	Contact:   HEAD@RIVETT.MST.CSIRO.AU (A. K. Head)
		   CSIRO Division of Materials Science and Technology
		   Melbourne Australia   or
		   Locked Bag 33, Clayton, Vic 3168, Australia
		   Phone: (03) 542 2861 Telex: AA 32945 Fax: (03) 544 1128
	Version:   3.3
	Comments:  LIE is a program written in the MuMath language (not a 
		   package) for Lie analysis of differential equations. 
		   Available from anonymous FTP at 
		   wuarchive.wustl.edu: /edu/math/msdos/adv.diff.equations/lie33

Calculus::
	Type:      Shareware
	Machines:  PC-DOS with EGA
	Contact:   Byoung Keum, Dept. of Mathematics
		   University of IL.  Urbana, IL 61801.
	Version:   9.0
	Comments:  Program for Calculus and Differential Equations. It has
		   symbolic diff. & integration (simple functions), graphs.
		   Very unstable program - no reason to use it, except for
		   price (suggested registration fee is $ 30.00).
		   Available from anonymous FTP at 
		   wuarchive.wustl.edu: /edu/math/msdos/calculus/calc.arc 

--
     \   /                     | Marc Conrad, Universitaet des Saarlandes 
      \ Luxemburg              | marc@math.uni-sb.de   
France \|   Germany            | these opinions are not necessarily these   
        \x <---- you are here! | of the SIMATH-group (and maybe even not mine).

Newsgroup: sci.crypt
document_id: 15591
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: Do we need the clipper for cheap security?

	gtoal@gtoal.com (Graham Toal) writes:
	>
	>In the UK, it's impossible to get approval to attach any crypto device
	>to the phone network.  (Anything that plugs in to our BT phone sockets
	>must be approved - for some reason crypto devices just never are...)
	>

	What's the difference between a V.32bis modem and a V.32bis modem?

	I'm not being entirely silly here: what I'm pointing out is that the
	modems that they have already approved for data transmission will work
	just fine to transmit scrambled vocoded voice.

Absolutely.  I just meant that no secure *dedicated* crypto device has
ever been given approval.  Guerrilla underground devices should be well
possible with today's high-speed modems (not that I can think of many v32bis
modems that are approved either mind you - just the overpriced Couriers)

Can someone tell me if hardware compression is or is not needed to run
digital speech down 14.4K?  I think it is; I've heard it's not.  Let's
say 8 bit samples.  Would *raw* data at the corresponding sampling rate
be usable?  If not, how fancy does the compression need to be?

G

Newsgroup: sci.crypt
document_id: 15592
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: Off the shelf cheap DES keyseach machine (Was: Re: Corporate acceptance of the wiretap chip)

		I think I should also point out that the mystical DES engines
	are known plaintext engines (unless you add a ton of really smart
	hardware?)

Assume the ton of smart hardware.  It doesn't really have to be that smart.

G



Newsgroup: sci.crypt
document_id: 15593
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: The [secret] source of that announcement

	Even more interesting: the SMTP server at csrc.ncsl.nist.gov no longer
	recognizes the 'expn' and 'vrfy' commands...

	   telnet csrc.ncsl.nist.gov smtp
	   Trying 129.6.54.11...
	   Connected to csrc.ncsl.nist.gov.
	   Escape character is '^]'.
	   220 first.org sendmail 4.1/NIST ready at Tue, 20 Apr 93 17:01:34 EDT
	   expn clipper
	   500 Command unrecognized

	Seems like somebody didn't like your snooping around, Marc.

Or mine.  Or the dozen or so other people who probably had the same idea :-)

So does this rush to shut it down imply that some of the names on that
list *are* heavy-duty spooks? :-)))

G

Newsgroup: sci.crypt
document_id: 15594
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

	Actually, many of us have noted this. We have noted that the program
	started at least 4 years ago, that the contracts with VLSI Technology
	and Microtoxin were let at least 14 months ago, that production of the
	chips is well underway, and so forth.

	Nobody I know has claimed Clinton initiated the program. But he chose
	to go ahead with it.

Perhaps the NSA realised that *no-one* would even contemplate falling for
the dual-escrow bluff while under the Bush administration and *had* to
wait for a Democrat govt to con into promoting this because people *might*
just believe they were honest.  (Didn't work, did it? :-) )

G

Newsgroup: sci.crypt
document_id: 15595
From: redsonja@olias.linet.org (Red Sonja)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

In article <1qmugcINNpu9@gap.caltech.edu> hal@cco.caltech.edu (Hal Finney) writes:
>The key question is whether non-Clipper encryption will be made illegal.
>
It seems pretty obvious that it will be made illegal if VERY LOUD NOISE is
not made about this IMMEDIATELY to Congress and the House!

>It looks like the worst nightmares raised by Dorothy Denning's proposals
>are coming true.  If the government continues on this course, I imagine
>that we will see strong cryptography made illegal.  Encryption programs
>for disk files and email, as well as software to allow for encrypted
>voice communications, will be distributed only through the
>"underground".  People will have to learn how to hide the fact that
>they are protecting their privacy.
 
I don't know what's worse - the waste of money, or the fact that (in SPITE
of all Clinton's rhetoric to the contrary) this is a feeble attempt by
a large group of bored intelligence bureaucrats to justify their currently
useless jobs. Clinton said he was going to trim the fat from the government.
This doesn't look very dietetic to me! 

As I said before in this group: drug dealing and terrorism both tend to
be international crimes which are not going to cease if the US starts to
regulate encryption. The drug dealers and terrorists will simply go to
other countries to communicate their plans, and will still carry them out
here and/or wherever else. This is not the solution to the problem.

They try to invent a new problem by saying we "need" encryption. I guess
it's a good thing Bill Gates isn't a 4-star general or we would all "need"
our own copies of MS-DOS too, right?

Und vee haff vays uff findink out iff you are usink DOCTOR DOS!!

>It's shocking and frightening to see that this is actually happening here.

Our health care and education systems are in the toilet and they come up
with THIS pearl. If this goddamned government doesn't get a clue real quick
and start trying to repair the infrastructure of the country rather than
inventing someone to blame, Germany and Japan are going to eat the US alive,
and we will deserve it. It's not like there's any shortage of REAL problems
to solve, guys! 

A Clipper chip is really going to help the homeless! A Clipper chip is
really going to help educate the children in the ghettos of our cities!
Just think of the generation gap that can be developed when they rehire
DoD engineer dad to work on Clipper chips that will be used to decrypt
slightly rebellious adolescent hacker son's naughty GIF files! I can see
the shitcom already.

If that wasn't a forged post or a sick joke, I'm popping that Dead Kennedys
tape into the car stereo and tearing ass to Canada. Clinton on White Horse
is near. It's the suede/denim secret police! They have come for your uncool
niece! Don't worry it's only a phone...shit, I knew I should have gotten
some of those "consent to monitoring" stickers they keep on Autovon phones
when I had the chance. I should have known I'd need them in civilian life.

-- 
redsonja@olias.linet.org     \\\RS///     Self possession is 9/10 of the law.
Alien: "We control the laws of nature!" | "How come when it's human, it's an
Joel: "And you still dress that way?"   | abortion, but when it's a chicken, 
(MST3K#17 - Gamera vs Guiron)           | it's an omelet?" - George Carlin

Newsgroup: sci.crypt
document_id: 15596
From: steve-b@access.digex.com (Steve Brinich)
Subject: Re: Fighting the Clipper Initiative

 > er, excuse me but since the escrow agencies aren't yet chosen, how can you
 >say they have a "history of untrustworthy behavoir[sic]"? 

  I refer to the Federal law enforcement apparatus (which is ultimately in
charge of this) generally.



Newsgroup: sci.crypt
document_id: 15597
From: random@presto.UUCP (Jeff W. Hyche)
Subject: Re: Once tapped, your code is no good any more.

In article <1993Apr18.150259.1748@escom.com>, Al Donaldson writes:

> Unrelated question...isn't the term "Clipper," as neat as it is,
> already taken by Intergraph?
> 

Yes, "Clipper" is a trademark of Intergraph.  It's the RISC chip used
in some of their workstations. 

I wonder what Intergraph is going to do to this infringement on their
namesake?

--
                                // Jeff Hyche  
 -There Can Be Only One-    \\ //  presto!random@uunet.uu.net
                             \X/ 

Newsgroup: sci.crypt
document_id: 15598
From: strnlght@netcom.com (David Sternlight)
Subject: Re: An Open Letter to Mr. Clinton

In article <01050810.vkcsbl@mbeckman.mbeckman.com> mbeckman@mbeckman.com writes:


>  As an economist, I'm sure you can see the flaws in this logic. If the (naive)
>market is flooded with proprietary, but weak, encryption, then truly strong 
>encryption will be unable to compete.

This is true for the mass market, but not for those who need strong crypto
and are willing to pay the price. After all, one can buy strong crypto today
if one is willing to spend enough.

Thus the concern is not economic.

The issue most worth worrying about is that after the system takes hold, the
government will outlaw other systems, and something voluntary will become
the only system available. That is a political, not an economic issue.

As a separate matter, you may be making an implied advocacy for cheap secure
crypto for everyone. It's true that the Clipper chip would probably prevent
that except via Clipper, but "cheap, secure crypto for everyone" is a
political discussion, not an economic one, and the whole point of Clipper is 
to resolve that political (policy) tension between securing legitimate
communications and tapping the crooks.

-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
document_id: 15599
From: amanda@intercon.com (Amanda Walker)
Subject: Re: Do we need the clipper for cheap security?

ebrandt@jarthur.claremont.edu (Eli Brandt) writes:
> Instead we have a deliberately brain-dead version of a cryptosystem 
> that has not even been peer reviewed.  Yes, the NSA owns some smart 
> people.  But if they pulled a FEAL, well, AT&T is going to be left with 
> a lot of dud phones on its hands. 

Agreed.  Remember, I don't even think of Clipper as encryption in any real 
sense--if I did, I'd probably be a lot more annoyed about it.

> Heh heh.  The government already gave it up for us.  Remember in the 
> announcement they described this scheme as balancing the two 
> extremes of having no privacy and claiming that citizens had a 
> Constitutional right to encryption?  

That's not for Clinton (or anyone under him) to say, though.  Only the 
federal and supreme courts can say anything about the constitutionality.
Anything the administration or any governmental agency says is opinion at 
best.


Amanda Walker
InterCon Systems Corporation



Newsgroup: sci.crypt
document_id: 15600
From: eachus@spectre.mitre.org (Robert I. Eachus)
Subject: Re: Off the shelf cheap DES keyseach machine (Was: Re: Corporate acceptance of the wiretap chip)


   smb@research.att.com (Steven Bellovin) writes:

   >Thousands?  Tens of thousands?  Do some arithmetic, please...  Skipjack
   >has 2^80 possible keys.  Let's assume a brute-force engine like that
   >hypothesized for DES:  1 microsecond per trial, 1 million chips.  That's
   >10^12 trials per second, or about 38,000 years for 2^80 trials.  Well,
   >maybe they can get chips running at one trial per nanosecond, and build
   >a machine with 10 million chips.  Sure -- only 3.8 years for each solution.

   But there is a MUCH more pernicious problem with the scheme as
proposed.  Building a brute force machine to test 2^40 possible keys
if you have the other half from one escrow agent is EASY.  (One chip,
one test per microsecond gives you one break every two weeks, and that
break gives you all messages involving that phone.)

   The XOR scheme so that the files from one escrow agent gives you
nothing is an improvement, but notice that XORing with (truly random)
bit strings allows for an arbitrary number of escrow agents.  Using +
for XOR, SK for the escrowed key, and A and B for two random bit
strings, hand SK+A+B, SK+A, and SK+B to three escrow agents.  It is
possible to come up with an encoding scheme to match any escrow pattern,
for example 3 of 4, such that fewer cooperating escrow agents gives
the cracking agency no benefit.

--

					Robert I. Eachus

with Standard_Disclaimer;
use  Standard_Disclaimer;
function Message (Text: in Clever_Ideas) return Better_Ideas is...
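The XOR split described in the post above, as an added example that is not the poster's own code: with + meaning XOR, the escrowed key SK is handed out as SK+A+B, SK+A and SK+B, and the pads A and B are random strings the length of SK. The general n-of-n form is also shown. All key material is constructed for the demo; the 80-bit length matches the Skipjack key size discussed in the thread.

```python
"""XOR-based key escrow splitting (added example, not code from the post).

With + meaning XOR, agent 0 holds SK+A+B, agent 1 holds SK+A and agent 2
holds SK+B.  All three together recover SK; any fewer agents hold shares
that are equally consistent with every possible key, so they learn nothing.
"""
import secrets
from itertools import combinations
from typing import Optional


def xor_bytes(*parts: bytes) -> bytes:
    """XOR any number of equal-length byte strings."""
    n = len(parts[0])
    if any(len(p) != n for p in parts):
        raise ValueError("all shares must have the same length")
    out = bytearray(n)
    for p in parts:
        for i, byte in enumerate(p):
            out[i] ^= byte
    return bytes(out)


def three_agent_shares(sk: bytes, a: bytes, b: bytes) -> list[bytes]:
    """The post's construction: [SK+A+B, SK+A, SK+B]."""
    return [xor_bytes(sk, a, b), xor_bytes(sk, a), xor_bytes(sk, b)]


def split_n_of_n(sk: bytes, n: int) -> list[bytes]:
    """General form: n-1 uniformly random shares plus one fixing the XOR of all n to SK."""
    if n < 2:
        raise ValueError("need at least two escrow agents")
    randoms = [secrets.token_bytes(len(sk)) for _ in range(n - 1)]
    return randoms + [xor_bytes(sk, *randoms)]


def recover(shares: list[bytes]) -> bytes:
    """All agents together: XOR every share, the random pads cancel and SK remains."""
    return xor_bytes(*shares)


def explain_with_key(observed: dict[int, bytes], k: bytes) -> Optional[tuple[bytes, bytes]]:
    """Given the shares held by some subset of the three agents (index -> share),
    find pads (A', B') under which candidate key k produces exactly those shares.
    Returns None only when no such pads exist, which happens only if all three
    shares are present and k is not the real key."""
    n = len(k)
    a = xor_bytes(observed[1], k) if 1 in observed else None  # SK+A  ->  A' = share + k
    b = xor_bytes(observed[2], k) if 2 in observed else None  # SK+B  ->  B' = share + k
    if 0 in observed:
        target = xor_bytes(observed[0], k)                    # need A' + B' == (SK+A+B) + k
        if a is None and b is None:
            a = secrets.token_bytes(n)
            b = xor_bytes(target, a)
        elif a is None:
            a = xor_bytes(target, b)
        elif b is None:
            b = xor_bytes(target, a)
        elif xor_bytes(a, b) != target:
            return None
    a = a if a is not None else secrets.token_bytes(n)
    b = b if b is not None else secrets.token_bytes(n)
    shares = three_agent_shares(k, a, b)
    assert all(shares[i] == s for i, s in observed.items())
    return a, b


def proper_subsets_reveal_nothing(sk: bytes, a: bytes, b: bytes, other_key: bytes) -> bool:
    """True if every view held by fewer than three agents can be explained by a
    different key, i.e. the view carries no information about SK."""
    shares = three_agent_shares(sk, a, b)
    for r in (1, 2):
        for idx in combinations(range(3), r):
            view = {i: shares[i] for i in idx}
            if explain_with_key(view, other_key) is None:
                return False
    return True


if __name__ == "__main__":
    # constructed 80-bit demo values, not real keys
    SK = bytes.fromhex("00112233445566778899")
    A, B = secrets.token_bytes(10), secrets.token_bytes(10)
    print("recovered:", recover(three_agent_shares(SK, A, B)) == SK)
    print("subsets useless:", proper_subsets_reveal_nothing(SK, A, B, bytes(10)))
```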

Newsgroup: sci.crypt
document_id: 15601
From: jfc@athena.mit.edu (John F Carr)
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks only

In article <1993Apr20.145338.14804@shearson.com>
	pmetzger@snark.shearson.com (Perry E. Metzger) writes:

[I wrote:]
>>The chip and algorithm are classified.  If you reverse engineer it and
>>tell people, you are likely to go to jail.

>Well, I'm not a lawyer, but from what I can tell this is completely
>and utterly untrue.

>The U.S. does NOT have an official secrets act. We do have laws that
>will punish you for revealing what classified information you learned
>in your capacity as a government official, contractor, etc, and we
>have laws that prohibit stealing such information. However, if they
>sell you the chip, I can't see that they can make reverse engineering
>it and revealing the details illegal.

In most cases information you come by properly is yours to use as you wish,
but there are certainly exceptions.  If you write a paper which includes
sufficiently detailed information on how to build a nuclear weapon, it is
classified.  As I understand the law, nuclear weapons design is
_automatically_ classified even if you do the work yourself.  I believe you
are then not allowed to read your own paper.

A less serious example: if you tell drivers about a speed trap they are
about to run into, you can be fined, even though you might argue that you
broke no law when you discovered the location of the policeman.  The charge
is interfering with a police officer, which is quite similar to what you would
be doing by reverse engineering the Clipper chip.

Don't tell me that you think this violates the Constitution -- find some
court cases which have struck down such laws.  Many people would not be
comforted by the fact that the government violated their rights when it
imprisoned them.

--
    John Carr (jfc@athena.mit.edu)

Newsgroup: sci.crypt
document_id: 15602
From: ee92jks@brunel.ac.uk (Jonathan K Saville)
Subject: Re: freely distributable public key cryptography c++ code:  where?

D. Wigglesworth (smhanaes@gpu.utcc.utoronto.ca) wrote:

: Do you know of any freely distributable c++ (or c) code for public
: key cryptography (such as RSA)?  

: I've tried various archie searches to no avail.  

Have you heard of PGP? I assume from your post that you have not. PGP 2.2
is a freeware RSA encryption program which includes digital signatures and
comprehensive key management facilities. Most sites also keep the source code.
A growing number of people are using this excellent software to encrypt (to
a very high standard) their email and data. Get it before Clinton outlaws it.

Two of the many sites are:
      rsa.com     /pub/pgp
      soda.berkeley.edu      /pub/cypherpunks/pgp

Hope this helps,

Jon
--
 ------------------------ -------------------------------------
|      Jon Saville       |   Who alive can say, 'Thou art no   |
|  ee92jks@brunel.ac.uk  |  Poet, may'st not tell thy dreams?' |
 ------------------------ -----------  Keats, 1819  -----------
     PGP 2.2 public key available upon request or by finger

Newsgroup: sci.crypt
document_id: 15603
From: peter@memex.co.uk (Peter Ilieve)
Subject: Re: Clipper Chip and crypto key-escrow

Excerpts from the Clipper announcement, with some questions:

>     --   the ability of authorized officials to access telephone
>          calls and data, under proper court or other legal
>          order, when necessary to protect our citizens;

>Q:   Suppose a law enforcement agency is conducting a wiretap on
>     a drug smuggling ring and intercepts a conversation
>     encrypted using the device.  What would they have to do to
>     decipher the message?
>
>A:   They would have to obtain legal authorization, normally a
>     court order, to do the wiretap in the first place.  They
>     would then present documentation of this authorization to
>     the two entities responsible for safeguarding the keys and
>     obtain the keys for the device being used by the drug
>     smugglers.  The key is split into two parts, which are
>     stored separately in order to ensure the security of the key
>     escrow system.

In these two sections the phrases `or other legal order' and `normally a
court order' imply there is some other way or ways of doing a legal
wiretap. What is/are these? How do they affect the way people who trust the
system of court orders to protect them feel about this escrow system?

The second section shows the sequence of events.
The law enforcer, armed with his warrant, attaches his headphones to the
line with his croc-clips (remember, these are the folk who couldn't cope
with digital telephony) and hears a load of modem-like tones (we are
talking analogue telephony here).
What next? What modulation scheme do these Clipper boxes use?
Is it possible to record the tones for use after the keys are obtained?
I thought it was quite difficult to record a modem session at some
intermediate point on the line. Maybe they have taken a crash course
in data comms and have a unit that demodulates the tones and stores the
digital stream for decryption later. This would still suffer from the
same problems as trying to record the tones as the demodulator would not
be at one end of the line. If calls can't be recorded for decryption later
it would be quite easy to foil the system by buying lots of Clipper units
(these are supposed to be cheap mass market items) and using them in turn.

How tolerant is the modulation scheme to errors? These things are proposed
for use by US corporations to secure their foreign offices, where phone
line quality may well be poor. It seems hard enough to me to get digitised
speech of any quality into something a modem can handle without having to
add lots of error correction to keep the decryption in sync.

>Q:   Will the devices be exportable?  Will other devices that use
>     the government hardware?
>
>A:   Voice encryption devices are subject to export control
>     requirements.  ...  One of the
>     attractions of this technology is the protection it can give
>     to U.S. companies operating at home and abroad.  With this
>     in mind, we expect export licenses will be granted on a
>     case-by-case basis for U.S. companies seeking to use these
>     devices to secure their own communications abroad.
>     ...

This raises an interesting question in the UK. Here it is illegal to connect
anything to a public telecomms network without it being approved by a body
called BABT. It has been stated, either here or in the uk.telecom group,
that they will not approve equipment that does encryption. I don't know
if this is true or not, but this would make a good test case.
Perhaps `friendly' countries, and the UK may still qualify, will get
to fish in the escrowed key pool as well.


		Peter Ilieve		peter@memex.co.uk


Newsgroup: sci.crypt
document_id: 15604
From: purinton@toyon-next.Stanford.EDU (Joshua Jordan Purinton)
Subject: Re: The [secret] source of that announcement

In article <1r3hgqINNdaa@uwm.edu> Rick Miller <rick@ee.uwm.edu> writes:
>jbotz@mtholyoke.edu (Jurgen Botz) writes:
>>marc@mit.edu (Marc Horowitz N1NZU) writes:


>>Seems like somebody didn't like your snooping around, Marc.
>
>Or, the more *likely* explanation is that Marc is spoofing.
>                                          ^^^^^^^^^^^^^^^^
>I sincerely doubt that Denning and crew are keen enough to react that
>quickly, and I doubt they'd want to cripple their SMTP server t'boot.
>

Marc is not spoofing.  Try it yourself.  At least, the commands work
exactly as he described (i.e. they do not work.)

- Josh.


-- 
No pattern, content or thing is the being who looks out from each pair of eyes.
And only that is important.  - E. T. Gendlin

Newsgroup: sci.crypt
document_id: 15605
From: Rick Miller - former spook <rick@ee.uwm.edu>
Subject: Alternate *legal* wiretaps.

tuinstra@signal.ece.clarkson.edu.soe writes:
[...]
>  It would be a strong incentive, as Vesselin points out, for more
>police agencies to "go rogue" and try to get keys through more efficient
>(but less Constitutional) means.  Notice what the release said:
>
>   Q:   Suppose a law enforcement agency is conducting a wiretap on
>        a drug smuggling ring and intercepts a conversation
>        encrypted using the device.  What would they have to do to
>        decipher the message?
>
>   A:   They would have to obtain legal authorization, normally a
>                                                       ^^^^^^^^^^
>        court order, to do the wiretap in the first place.
>        ^^^^^^^^^^^

>The clear implication is that there are "legal" authorizations other
>than a court order.  Just how leaky are these?  (And who 
>knows what's in those 7 pages that authorized the NSA?).  There
[...]

I was a cryptologic tech in the US Navy (CTRSN, nothing big).  All 'spooks'
in the Navy are required to know the "gist" of "USSID 18", the Navy-way of
naming a particular Presidential "Executive Order".  It outlines what spooks
can and can't do with respect to the privacy of US nationals.

The following information is (of course) UNCLASSIFIED.

The whole issue hangs about what you mean by "wiretap".  If the signal can
be detected by "non-intrusive" means (like radio listening), then it may be
recorded and it may be "analyzed".  "Analyzed" means that it may be either
deciphered and/or radio-location may be used to locate the transmitter.

The catch is this:  Any and all record of the signal and its derivatives
may only be kept for a maximum of 90 days, after which they are destroyed
unless permission is obtained from the US Attorney General to keep them.

Didn't you ever wonder how Coast Guard cutters *find* those drug-runners
in all those tens of thousands of square miles of sea, even in the dark?!?

Rick Miller  <rick@ee.uwm.edu> | <ricxjo@discus.mil.wi.us>   Ricxjo Muelisto
Send a postcard, get one back! | Enposxtigu bildkarton kaj vi ricevos alion!
          RICK MILLER // 16203 WOODS // MUSKEGO, WIS. 53150 // USA

Newsgroup: sci.crypt
document_id: 15606
From: jgfoot@minerva.cis.yale.edu (Josh A. Goldfoot)
Subject: Re: Organized Lobbying for Cryptography

Tarl Neustaedter (tarl@coyoacan.sw.stratus.com) wrote:

: It means that the EFF's public stance is complicated with issues irrelevant
: to the encryption issue per se. There may well be people who care about
: the encryption issue who don't care to associate themselves with the
: network erotica issue (or may even disagree with the EFF's position).

Perhaps these encryption-only types would defend the digitized porn if it
was posted encrypted?

These issues are not as separable as you maintain.


Newsgroup: sci.crypt
document_id: 15607
From: rdippold@qualcomm.com (Ron "Asbestos" Dippold)
Subject: Re: Once tapped, your code is no good any more.

random@presto.UUCP (Jeff W. Hyche) writes:
>Yes, "Clipper" is a trademark of Intergraph.  It's the RISC chip used
>in some of their workstations.  I wonder what Intergraph is going to
>do to this infringement on their namesake?

Probably keep quiet and take it, lest they get their kneecaps busted.
-- 
Good news.  Ten weeks from Friday will be a good day.

Newsgroup: sci.crypt
document_id: 15608
From: wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705)
Subject: Re: Why the clipper algorithm is secret

In article <1993Apr20.014135.24134@fsl.noaa.gov> bear@kestrel.fsl.noaa.gov (Bear Giles) writes:
   In article <C5pstr.Lu2@panix.com> dfl@panix.com (Danny O'Bedlam) writes:
   >	The algorithm is classified because a military contract (or similar
   >government equivalent to military) has been let for this "proprietary"
   >design that the Feds say that NSA developed.  Is there a patent?  Is that
   >patent publicly available?  My betting is that that too is classified.

   Unless there has been a _major_ change in the law, there's no such beast
   as a "classified patent."  Patents exist to encourage communications and
   develop the state of the art. 

While there aren't classified patents, there are "patent secrecy orders".

Suppose you invent a voice scrambler for CB radio, and apply for a patent.
The Patent Office decides the NSA might be interested, gives them a copy
of your application, and you get a nice note back saying your patent
application has now been classified for national security reasons and
you're no longer allowed to make and sell it.  
I'm picking this example because it happened in the late 1970s.
It was probably some analog scrambler, and would have probably
violated FCC rules anyway, but it did get classified.

Or suppose you publish a paper on your Really Spiffy Algorithm and
then file a patent application.  Since it's been published,
they can't gain anything by classifying it, though you can't get
patents in most countries other than the US, where patent laws are different.

Obviously a system of classified patents would be highly bogus
"You can't sell that widget, because there's a classified patent on it.
You're not allowed to see the patent, or know who owns the design,
so just give us all your money and work in progress and maybe we won't throw
you in jail for espionage."  Some countries might have that kind of
system :-(, but we don't have that here.  Quite.  Yet.
--
#				Pray for peace;      Bill
# Bill Stewart 1-908-949-0705 wcs@anchor.att.com AT&T Bell Labs 4M312 Holmdel NJ
#	              No, I'm *from* New Jersey, I only *work* in cyberspace....
# White House Comment Line 1-202-456-1111  fax 1-202-456-2461

Newsgroup: sci.crypt
document_id: 15609
From: smb@research.att.com (Steven Bellovin)
Subject: Re: Off the shelf cheap DES keyseach machine (Was: Re: Corporate acceptance of the wiretap chip)

In article <C5sy1z.4tD@demon.co.uk>, Graham Toal <gtoal@gtoal.com> writes:
> In article <1993Apr20.192105.11751@ulysses.att.com> smb@research.att.com (Steven Bellovin) writes:
> :Thousands?  Tens of thousands?  Do some arithmetic, please...  Skipjack
> :has 2^80 possible keys.
> 
> We don't yet know if all 80 bits count.

That doesn't worry me at all; they're not going to cheat at something
they can get caught at.  And key size is one of the things that can be
verified externally.  Feed lots of random key/input pairs into the
chip, then try flipping random key bits, and see what happens to the
output.  We already know what *should* happen -- about half the output
bits should vary, on average, from a 1-bit key change or input change.

If they were out to build a weak cryptosystem, it might be the case that
some of the bits are much less powerful than others, in the sense that
they only enter into the encryption very late in the game.  By contrast,
DES was designed to use each key bit as early as possible; the 50% output
change rate appears as early as round 5.  Again, though, I don't think
NSA is going to cheat that crudely; they're likely to get caught.

Remember that they've promised to let a committee of outside experts see
the cryptosystem design.  If you assume something DES-like, a biased
subkey generation schedule will stick out like a sore thumb.  The committee
can and should run lots of tests, and retain the output.  This can be verified
later against the chip.  And yes, the civilian community has at least some
secure storage facilities that I don't think even NSA can get into without
it being noticed, until Fort Meade gets its transporter working again.
(Oops -- I don't think I was supposed to talk about that...)  The committee
members can even retain secure copies of the code -- in two halves, which
you have to XOR together to recover the program...

Seriously, there are, I think, problems with this whole scheme.  But the
people who invented it aren't stupid, and they've been in the crypto game
and the smoke-and-mirrors game far longer than most of us.  They're not
going to lie in ways that can be detected easily, since their credibility
is the *only* thing they can use to sell this system.  If they've lied
about the civilian committee, no one will believe them about the absence
of other back doors.  If they've lied about the key size, no one will
believe that they haven't copied the programming disk with the U keys.
If they've lied about obvious aspects of the strength of the cryptosystem,
no one will believe the escrow agencies aren't in cahoots with them.

That isn't to say that they aren't lying about all those other things
anyway.  And I'm certainly not claiming that NSA can't build a cryptosystem
with a back door that the committee can't find -- look how long it took
for folks to believe that the S-boxes weren't sabotaged.  It's entirely
possible that the committee will release an ambiguous report, for just
such reasons.  But that's a subtle point (i.e., one you can't explain to
a Senator...).

> Anyway, its looking like the
> keys and escrow arrangements are smoke and mirrors to cover the way the NSA
> can regenerate the key from the transmitted serial number.

I don't like the unit key generation process any better than you do.
However -- S1 and S2 are supposed to be under control of the same
escrow agents.  If they can't be trusted to keep the seed values secure,
they can't be trusted to keep the half-keys secure.

I still don't know if or when S1 and S2 change.  I thought I had seen
something about them being constant, but I just reread Denning's technical
information post, and it doesn't say anything, one way or the other.


		--Steve Bellovin
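A small model of the escrow arrangement discussed above, added here as an example (not code from any poster or from the Clipper programme): the two half-keys are XORed to form the unit key U, each escrow agent holds one half, and whoever holds the seeds S1 and S2 can regenerate every half-key without touching the escrow records. The derivation of a half-key from a seed and serial number (HMAC-SHA256 truncated to 80 bits) is an assumption, since the real procedure is not given in the thread.

```python
"""Model of Clipper-style unit-key escrow (added example, not the real scheme).

Assumption: each 80-bit half-key is derived from an escrow seed and the
30-bit chip serial number with HMAC-SHA256 truncated to 80 bits.  The
actual Clipper generation procedure is not described in the thread.
"""
import hashlib
import hmac

KEY_BITS = 80                 # Skipjack unit key U is 80 bits
KEY_BYTES = KEY_BITS // 8
SERIAL_BITS = 30              # chip serial number N is 30 bits


def derive_half(seed: bytes, serial: int) -> bytes:
    """Hypothetical derivation of one half-key from a seed and serial N."""
    if not 0 <= serial < (1 << SERIAL_BITS):
        raise ValueError("serial number must fit in 30 bits")
    n_bytes = serial.to_bytes(4, "big")
    return hmac.new(seed, n_bytes, hashlib.sha256).digest()[:KEY_BYTES]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("halves must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def program_chip(s1: bytes, s2: bytes, serial: int):
    """What the programming facility computes: (U, U1, U2) with U = U1 xor U2."""
    u1 = derive_half(s1, serial)
    u2 = derive_half(s2, serial)
    return xor_bytes(u1, u2), u1, u2


class EscrowAgent:
    """One of the two escrow agencies: holds one half-key per serial number."""

    def __init__(self):
        self._halves = {}

    def deposit(self, serial: int, half: bytes) -> None:
        self._halves[serial] = half

    def release(self, serial: int) -> bytes:
        return self._halves[serial]


def recover_unit_key(agent_a: EscrowAgent, agent_b: EscrowAgent, serial: int) -> bytes:
    """Authorised recovery: both agencies must release their half."""
    return xor_bytes(agent_a.release(serial), agent_b.release(serial))


def regenerate_from_seeds(s1: bytes, s2: bytes, serial: int) -> bytes:
    """Bellovin's point: holding both seeds is as good as holding both halves."""
    return program_chip(s1, s2, serial)[0]


def other_half_for(u1: bytes, candidate_u: bytes) -> bytes:
    """A single half is consistent with EVERY candidate U: return the U2 that
    would pair with U1 to give candidate_u.  This is why one half alone
    reveals nothing about the unit key."""
    return xor_bytes(u1, candidate_u)


if __name__ == "__main__":
    # Constructed sample seeds and serial number for demonstration only.
    S1, S2, SERIAL = b"constructed-seed-S1", b"constructed-seed-S2", 12345
    u, u1, u2 = program_chip(S1, S2, SERIAL)
    a, b = EscrowAgent(), EscrowAgent()
    a.deposit(SERIAL, u1)
    b.deposit(SERIAL, u2)
    print("U via escrow :", recover_unit_key(a, b, SERIAL).hex())
    print("U via seeds  :", regenerate_from_seeds(S1, S2, SERIAL).hex())
    print("U2 if U were all-zero:", other_half_for(u1, bytes(KEY_BYTES)).hex())
```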

Newsgroup: sci.crypt
document_id: 15610
From: amanda@intercon.com (Amanda Walker)
Subject: Re: Would "clipper" make a good cover for other encryption method?

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:
> If there are many as..., er, people in the USA who reason like the 
> above, then it should not be surprising that the current plot has been 
> allowed to happen... 

The willingness of the majority of the people to give up their freedom in 
exchange for a sense of safety is hardly limited to the USA, and is an 
endemic problem in any human society of any appreciable size.  The structure 
of the US government does try to combat this tendency to some extent, but 
fighting entropy is always a losing battle.  Most people would rather have 
comfort than freedom.  The paradox is that you can't really have the former, 
in the long term, unless you have the latter.

One of the reasons that I probably come across to some people as a weird 
cross between a libertarian and an "establishment tool" is that I end up 
taking an utterly pragmatic view of government.  I don't get up in arms when 
the government fails to protect the interests of the people, because in my 
lifetime it never has--therefore, I have no expectation that it will.  

As a result, I protect my own interests rather than expecting the government 
to be "fair".  I will use strong cryptography when I think it is needed, 
whether or not it is legal at the time.  Same thing with anything else the 
government would rather not see in private hands--that's their problem.  
What's important to me is using the right tool for the job.  If it's legal, 
so much the better.  If it is not, but does not violate my (very strong) 
sense of personal ethics, I will use it anyway as long as I think it is worth 
it.  Expecting the government to actually protect the interests of its 
citizens, except by accident, is utter folly.  Even Jefferson, one of the 
major architects of the American system of government, figured that in a 
couple hundred years it would become so corrupt and self-serving that it 
would be time to dismantle it and try again, by revolution if necessary.  I 
agree, and while I don't go around trying to spark one, I'll certainly 
participate if it happens when I'm around.  There is a reason I am such a 
strong supporter of individual rights while being so cynical about politics.  
I've already written off politics.

And yes, this may get me in trouble some day.  If so, so be it.  I drive 
faster than 55 MPH, too.


Amanda Walker
InterCon Systems Corporation



Newsgroup: sci.crypt
document_id: 15611
From: grady@netcom.com (1016/2EF221)
Subject: Re: The [secret] source of that announcement

Andrew Molitor (amolitor@nmsu.edu) wrote:
: 
: 	1) Monitor my phonecalls.
: 	2) Monitor usenet.
: 	3) Provide only cryptosystems they can easily crack.
: 	4) etc etc.
: 
: 	This is not to say that they *don't*, they might. But you don't
: know that they do, and you have no evidence that they do, for almost
: all values of you. It follows, therefore, that for most values of 'you',
: your claims about the NSA border on paranoia.
: 
: 	Andrew

Now I wouldn't be the one to claim that you are injecting some
disinformation into the net, Andrew, but 'paranoia' refers to
unwarranted or excessive suspicions or fear, not those that
have reasonable roots.

Let's start with looking at the professionals, the NSA itself.
Its birth was by secret executive order by Harry S Truman
in 1952.  Until even 1976 not even one word of this executive
order chartering the NSA was sealed.  Paranoia, right?

On the outside of the NSA complex is a ten foot Cyclone fence
with multiple rows of barbed wire, with high voltage, complete with signs
prohibiting even making sketches under penalty of the Internal
Security Act.  The area is completely scanned by closed circuit
television.  More paranoia.

These are professionals.  Maybe they know something we don't, eh?

Do you think it would have helped Admiral Yamamoto if the Japanese
had been a little more 'paranoid' of their purple cipher?

Or maybe the Germans should have been a little more 'paranoid' about
their Enigma with respect to Turing and the British.

How about the cracking of the Zimmerman telegram?  Would a little
more paranoia have helped the Germans here?

Maybe the NSA should have been a little more 'paranoid' about
Emma Woikin, or Joseph Sidney Petersen, Jr., or  ...

Maybe you want to talk about Macmillan publishers cooperation
with the CIA and NSA to suppress Yardley's Japanese Diplomatic
Secrets or even Kahn's The Codebreakers.. paranoia, right?

The most popular cipher system among captured Soviet spies was
the one-time pad, which, even with the necessity of keeping incriminating
evidence about, is known to be the only proven unbreakable system.
Soviet paranoia, right?

And what do you think the NSA does with its Wullenwebers?  And 
huge Rhombics pointed at embassy row?  And their sites near
satellite uplink and downlink sites?  Duh.

When I worked in a classified MITRE communications lab at one time
even with a "secret" clearance I had to be escorted to the toilet
and the entire site was built INTO a Mosler-type vault with *very*
thick bomb-proof door.  MITRE paranoia?

I could cite probably a hundred more facts which all support, as
best hypothesis, the notion that the NSA is grabbing as much as
it can, as fast as it can.  One would be a fool to ignore the
pattern of facts and conclude that they were random...

And we know the government is violent -- even against children as
recent events prove.  Judge William Sessions is a disgrace
but a solemn warning to those who ignore the web of evidence
that our government institutions have in their contempt for our
civil rights.

And of course we have to err somewhat on the excessive side of
caution because that does much less harm than erring on the
reckless side.  As a member of the crew of the USS Liberty might aver.

I might suggest, Andrew, that you read Kahn's Codebreakers and
Bamford's Puzzle Palace and come back with some more facts to
support your sheepish acquiescence to authority.
 
-- 
grady@netcom.com  2EF221 / 15 E2 AD D3 D1 C6 F3 FC  58 AC F7 3D 4F 01 1E 2F


Newsgroup: sci.crypt
document_id: 15612
Subject: Re: Clipper considered harmful
From: yuan1@scws7.harvard.edu (Nina Yuan)

shirriff@sprite.berkeley.edu (Ken Shirriff) writes:

>It seems likely to me that that a large subset of encrypted communications
>would be archived to tape so they could be read if sometime in the future
>probable cause arises and a warrant is obtained.  I can even imagine this
>being found legal and constitutional, since nothing is actually listened to
>until a valid warrant is issued and the keys are obtained.

>Imagine archiving all pay-phone conversations, so if someone turns out
>to be a drug dealer, you can listen to all their past drug deals.  And
>archive calls to/from suspected Mafia members, potential terrorists,
>radicals, etc.  Imagine the convenience for the police of being able to
>get a warrant now and listening to all the calls the World Trade Center
>bombers made in the past year.

Imagine if this were available during the 1992 elections; instead of
clumsily searching through the Clinton passport file, they could have 
just done a "voice-grep" (as someone stated earlier) on his telephone
conversations for the last 10 years.

I'm not a lawyer and I don't even play one on TV, but intuitively there's
something wrong with having one's words archived for possible future
use against you.  This possibility frightens me more than any of the
talk about the Clipper Chip, right to cryptography, etc.

>Since archiving would be such a powerful tool and so easy to do, why
>wouldn't it happen?

I'm afraid it just might.

-nhy

-- 
----------------------------------------------------------------------------
Nina H. Yuan                               "It's a miracle that curiosity
Harvard College                             survives formal education."
yuan1@husc.harvard.edu                                  - Albert Einstein

Newsgroup: sci.crypt
document_id: 15613
From: mcbay@clam.com (George McBay)
Subject: Re: What the clipper nay-sayers sound like to me.

In article <1qsvfcINNq9v@dns1.NMSU.Edu> amolitor@moink.nmsu.edu (Andrew Molitor) writes:
[A lot of this article has been deleted for space.]

>   Look! This is clearly the first step toward outlawing our
>   own screw thread specifications. If this madness isn't fought,
>   tooth and nail, every step of the way, it'll be a crime to use
>   screw threads other than those our Fearless Leaders so *graciously*
>   define for us.

	The Clipper standard *is* the first step toward outlawing other
strong encryption standards.  If the government didn't intend to outlaw
other forms of encryption, then Clipper is just a big waste of time and money.
Why, you ask?  Because anyone who is transferring data that any government
agency could use against him/her would be a total fool to use the Clipper
system.  So why add the backdoor-key if all lawbreakers will use alternate
encryption methods? Because they assume they can just do away with everything
else.
	I, for one, am planning on boycotting any equipment that contains
clipper technology.



Newsgroup: sci.crypt
document_id: 15614
From: jhan@debra.dgbt.doc.ca (Jerry Han)
Subject: Re: Once tapped, your code is no good any more.

In article <bontchev.735404289@fbihh>
bontchev@fbihh.informatik.uni-hamburg.de writes: 

>And some people thought that I am exaggerating when claiming that the
>Cripple Chip is just a first step in a totalitarian plot against the
>civil liberties in the USA... It seems that I've even been an optimist
>- the things are happening even faster than I expected.... That's
>another of the dirty tricks they used to apply on us under the
>communist regime - do something secret, THEN tell the people about it
>(after the fact, when nothing can be done any more), and of course,
>explaining them how much better the situation is now...
>
>In my previous messages I wrote that the Americans should wake up and
>fight against the new proposal. Now it seems to me that it is already
>too late - it has already happened, the civil liberties have been
>violated, no, stolen from the American people, while the most part of
>this people has been sleeping happily... :-((( Too sad...

As one of the happily sleeping people, I would just like to ask this->
aren't people just slightly overreacting to this?  Or are we all of a
sudden going to draw parallels to Nazi Germany and Communist Russia?

The point of the matter is this: yes, this is a serious problem.  But it is
not the end of the world.  Guess what?  We're doing something now you
can't do in a Communist country or Nazi Germany.  We're complaining about
it, (or rather, you're complaining about it) and nobody is shooting at us.  

(Or, rather, if they're shooting at me, they have real bad aim.  (:-) )

GUESS WHAT PEOPLE?  You live in one of the few countries in the world
where a person can complain without getting shot at.  

People are always complaining that somebody did this wrong, or somebody
did that wrong, or whatever.  Sit down and figure out two things:

1)  What have they done right?
2)  How much worse can it get?

And you'll find that you and I are pretty damn lucky.

So let's talk about it, get some action going, decide what's going on. 
But let's not overreact!  

>
>Regards,
>Vesselin
>-- 
>Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
>Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
>< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
>e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany


-- 
Jerry Han-CRC-DOC-Div. of Behavioural Research-"jhan@debra.dgbt.doc.ca"
///////////// These are my opinions, and my opinions only. \\\\\\\\\\\\\
\\\\\\\\\ A proud and frozen member of the Mighty Warriors Band ////////  
"Memories of those I've left behind, still ringing in my ears."-Genesis-

Newsgroup: sci.crypt
document_id: 15615
From: rlglende@netcom.com (Robert Lewis Glendenning)
Subject: Re: Organized Lobbying for Cryptography

Generally, an organization has influence in proportion to:

	The narrowness of its objectives
	The number of members
	The strength of belief of its members

This is why the pro- and anti-abortion groups are so strong: narrow objectives,
lots of interested members who are real passionate.

For this reason, mixing with the NRA is probably a bad idea.  It diffuses
the interests of both groups.  It may well diminish the Passion Index
of the combined organization.  It is not clear it would greatly enlarge
the NRA.

So, I believe a new organization, which may cooperate with NRA where the
two organizations' interests coincide, is the optimum strategy.

lew
-- 
Lew Glendenning		rlglende@netcom.com
"Perspective is worth 80 IQ points."	Niels Bohr (or somebody like that).

Newsgroup: sci.crypt
document_id: 15616
From: rdippold@qualcomm.com (Ron "Asbestos" Dippold)
Subject: Re: Do we need the clipper for cheap security?

gtoal@gtoal.com (Graham Toal) writes:
>Can someone tell me if hardware compression is or is not needed to run
>digital speech down 14.4K?  I think it is; I've heard it's not.  Let's
>say 8 bit samples.  Would *raw* data at the corresponding sampling rate
>be usable?  If not, how fancy does the compression need to be?

A good vocoder like ours will give you 8000 bits per second locked at
full rate (it's a variable rate voice activity vocoder).  If you want
less quality, cut that to 4000 bps (half rate).  At full rate variable
you could put two full-duplex conversations on a V.32bis modem.  This
requires a DSP or ASICs, though.  An RS-6000 has a CPU that could
probably do it in real-time, because it has the add-and-multiply
instruction and a few other DSP things.

If you want to do speech in real-time you need about 4000 samples a
second (for not very good voice) with your 8 bit samples (ISDN is 8000
8-bit samples a second), which is 32 kbps.  You could do a fast 2:1
compression on that to get it down to 16 kbps, which is just about
V.32bis.  The quality at this point is very bleah, but it should work.
Now add in the time for your encryption method.  You're going to need
sampling hardware, which is no problem on a new Mac, an Amiga.  Or a
PC with a SoundBlaster card (just because they're so popular and cheap
- you could also build a simple ADC).  The problem with the
SoundBlaster is that it doesn't seem to be full duplex - you can't
sample and play back at the same time, making a two-way conversation
a bit tough.  The special hardware or a more capable sound card may be
required.

The only thing that worries me is that 2:1 compression - the
SoundBlaster can do it automatically in hardware, but other than that
I don't have a good feel for how processor intensive it is, so I can't
estimate how fast a PC you'd need.


-- 
Not all men who drink are poets.  Some of us drink because we are not poets.

Newsgroup: sci.crypt
document_id: 15617
From: vjs@rhyolite.wpd.sgi.com (Vernon Schryver)
Subject: Re: Fighting the Clipper Initiative

In article <strnlghtC5toC6.KIu@netcom.com>, strnlght@netcom.com (David Sternlight) writes:
> ...
>                                  The Federal Reserve Open Market Committee
> has successfully kept decisions from leaking for the statutory period until
> publication.

How are you sure of that?  Weren't there some recent studies that
found correlations between not-yet announced decisions and market changes?

Aren't there continuing early rumors of their deliberations?


>              Even the Department of Agriculture has successfully kept crop
> forecasts from leaking prematurely.

Sheesh!  Remember the big scandal a year or two (or 3?) ago about
exactly such leaks?


Vernon Schryver,  vjs@sgi.com

Newsgroup: sci.crypt
document_id: 15618
From: rab@well.sf.ca.us (Bob Bickford)
Subject: Re: Off the shelf cheap DES keysearch machine

In article <TOM.93Apr21114536@amber.ssd.csd.harris.com>,
  tom@ssd.csd.harris.com (Tom Horsley) writes:
>
>This isn't intended to be a flame or anything, I am just really curious
>how to manufacture these things while still maintaining the key escrow
>security without simply saying "trust the manufacturer, they won't look".

Without getting into the *really* *thorny* questions about reverse
engineering and all of that, let me just point out that there already
exist gate arrays and suchlike that have what's known as a security fuse
which can be programmed after you've verified all other programming --
this makes it impossible to read out the programming of the device
(again, ignoring the reverse engineering questions).  Speaking from
experience here: I had to completely reinvent one of my designs some
six or seven years ago when the disk file was zapped, the backups were
all bad, and the devices were unreadable because of the security fuses.
Made me appreciate the value of printouts.  ;-)

So on this point at least there's not so much worry.

But whether or not we can get the chips made reliably and securely is
really secondary to the question of whether use of the chip is itself
likely to be secure, methinks.
--
 Robert Bickford      "A Hacker is any person who derives joy from
 rab@well.sf.ca.us    discovering ways to circumvent limitations." rab'86
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
"I recognize that a class of criminals and juvenile delinquents has
taken to calling themselves 'hackers', but I consider them irrelevant
to the true meaning of the word; just as the Mafia calls themselves
'businessmen' but nobody pays that fact any attention."            rab'90
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Newsgroup: sci.crypt
document_id: 15619
From: ab@ersys.edmonton.ab.ca (Allan Brockman)
Subject: I don't have FTP, live in Canada, how do i get RSA(RAS?) 4 my atariS

I don't have FTP and I live in Canada (this means that it would be 
illegal for a U.S. citizen to send the program to me; their government 
wishes to restrict its dispersal), but someone in Europe must have ported 
a copy of RSA to the Atari ST by now.  How do I get a copy of the RSA 
from a non-FTP news feed?


--
Allan Brockman              ab@ersys.edmonton.ab.ca 

Newsgroup: sci.crypt
document_id: 15620
From: wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705)
Subject: Re: THE CLIPPER CHIP: A TECHNICAL SUMMARY

In article <1993Apr19.182327.3420@guvax.acc.georgetown.edu> denning@guvax.acc.georgetown.edu writes:
	[Prof. Denning's description of SkipJack mostly omitted]

	CHIP STRUCTURE
	The Clipper Chip contains a classified 64-bit block encryption
	algorithm called "Skipjack."  The algorithm uses 80 bit keys (compared
	with 56 for the DES) and has 32 rounds of scrambling (compared with 16
	for the DES).  It supports all 4 DES modes of operation.  Throughput is
	16 Mbits a second. [...]

	F, an 80-bit family key that is common to all chips
	N, a 30-bit serial number
	U, an 80-bit secret key that unlocks all messages encrypted
		 with the chip
	The key K and message stream M (i.e., digitized voice) are then
	fed into the Clipper Chip to produce two values:

  	   E[M; K], the encrypted message stream, and 
	   E[E[K; U] + N; F], a law enforcement block.  

Three questions:
1) It looks like each 64 bits of input gives you 4*64 bits of output:
		E[M;K] = 64 bits
		E[K;U] = E[ 80 bits ] = 128 bits
		E[ E[K;U], N ; F ] = E[ 128 + 30 bits ] = 192 bits
   Do you really need to transmit all 256 bits each time,
   or do you only transmit the 192 bits of wiretap block at the beginning?   
   All 256 would be really obnoxious for bandwidth-limited applications
   like cellular phones (or even regular phones over 

2) how do the 4 DES modes interact with the two-part output?
   Do the various feedback modes only apply to the message block,
   or also to the wiretap block?  Or, if the wiretap block is only
   transmitted at the beginning, does it get incorporated into
   everything through feedback modes, but not during ECB mode?

3) Does the Clipper Chip check the wiretap block itself?
   Does the block have to be present at all?
   Since the receiving chip doesn't know the transmitter's U,
   it presumably can't check the validity of E[K;U], so it's 
   limited to checking the *form* of the wiretap block,
   and maybe checking the serial number for reasonableness
   (unless there's some sort of back-door structure that lets
   it recognize a valid E[K;U].)
   
   In that case, can you replace the wiretap block with a DIFFERENT
   wiretap block, presumably an old valid one to avoid attracting attention?
   (The chip won't do it, so you postprocess the output.)
   Regular people can do one with their own serial number and a dummy key;
   paranoid people can use someone else's serial number.

   On the other hand, if I could think of that solution so easily,
   presumably the NSA could too - have they done something to block it,
   like use message encryption that's really E[M; K,U,N] ?


	Thanks!
--
#				Pray for peace;      Bill
# Bill Stewart 1-908-949-0705 wcs@anchor.att.com AT&T Bell Labs 4M312 Holmdel NJ
#	              No, I'm *from* New Jersey, I only *work* in cyberspace....
# White House Comment Line 1-202-456-1111  fax 1-202-456-2461

Newsgroup: sci.crypt
document_id: 15621
From: elee9sf@menudo.menudo.UH.EDU (Karl Barrus)
Subject: Re: Once tapped, your code is no good any more.


David Sternlight writes:

> I'd trust something from the NSA long before I'd trust something from
> some Swiss or anbody Japanese.

What???  This is an incredible statement!  The NSA tried to suppress
public key crypto and RSA, and yet they claim to encourage use of
strong crypto for US citizens.

Would you trust a black-box from the NSA versus an "open system" from
elsewhere?

/-----------------------------------\
| Karl L. Barrus                    |
| elee9sf@menudo.uh.edu             | <- preferred address
| barrus@tree.egr.uh.edu (NeXTMail) |
\-----------------------------------/

Newsgroup: sci.crypt
document_id: 15622
From: mjr@tis.com (Marcus J Ranum)
Subject: Re: Off the shelf cheap DES keysearch machine (Was: Re: Corporate acceptance of the wiretap chip)

>I mean, if we can imagine the
>machine that does 1 trial/nanosecond, we can imagine the storage medium
>that could index and archive it.

	I think you'd have to do some massive data compression just to
fit a bit of key information on each primary particle of the known
universe.
	But, hey, it's fun to imagine.

mjr.

Newsgroup: sci.crypt
document_id: 15623
From: smhanaes@gpu.utcc.utoronto.ca (D. Wigglesworth)
Subject: freely distributable public key cryptography c++ code:  where?


Do you know of any freely distributable c++ (or c) code for public
key cryptography (such as RSA)?  

I've tried various archie searches to no avail.  

	Thanks,
	Dan

Newsgroup: sci.crypt
document_id: 15624
From: rboudrie@chpc.org (Rob Boudrie)
Subject: Re: Once tapped, your code is no good any more.

In article <C5so84.Hxv@demon.co.uk> Graham Toal <gtoal@gtoal.com> writes:
>In article <2073@rwing.UUCP> pat@rwing.UUCP (Pat Myrto) writes:
>:If the Clinton Clipper is so very good, why not make its algrithm public
>:so many people can exchange ideas and examine it, rather than a few
>:isolated 'respected experts' (respected by whom?  for what?  Perhaps a

One more time...

    If they released the algorithm, it would be possible for someone
    to come up with an implementation which was identical, but
    lacking an escrowed key.

    Note that the press announcement mentioned that the algorithm was
    being kept secret for security of the key escrow system.  In this
    case security means "an escrowed key for EVERY clipper chip".


    Assuming you believed all that is said about the effectiveness of
    the algorithm, and the escrow system, which would you buy :

     (a)  Chip from firm A with the escrowed key
     (b)  Second source chip from reputable firm B with no key
          in government escrow.

    There would obviously be powerful economic incentives for a second
    source, non escrowed, vendor.

Newsgroup: sci.crypt
document_id: 15625
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Once tapped, your code is no good any more.

andersom@spot.Colorado.EDU (Marc Anderson) writes:

> methods.  ``This year's crime bill will have teeth, not bare gums,''
> Clinton said.  In particular, his administration will place strict
> controls on data formats and protocols, and require the registration
> of so-called ``cryptographic keys,'' in the hope of denying drug
> dealers the ability to communicate in secret.  Clinton said the
> approach could be used for crackdowns on other forms of underground
> economic activity, such as ``the deficit-causing tax evaders who
> live in luxury at the expense of our grandchildren.''

And some people thought that I am exaggerating when claiming that the
Cripple Chip is just a first step in a totalitarian plot against the
civil liberties in the USA... It seems that I've even been an optimist
- the things are happening even faster than I expected.... That's
another of the dirty tricks they used to apply on us under the
communist regime - do something secret, THEN tell the people about it
(after the fact, when nothing can be done any more), and of course,
explaining them how much better the situation is now...

In my previous messages I wrote that the Americans should wake up and
fight against the new proposal. Now it seems to me that it is already
too late - it has already happened, the civil liberties have been
violated, no, stolen from the American people, while the most part of
this people has been sleeping happily... :-((( Too sad...

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

Newsgroup: sci.crypt
document_id: 15626
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Would "clipper" make a good cover for other encryption method?

strnlght@netcom.com (David Sternlight) writes:

> Some of the more notorious self-styled dissidents here, for example, have
> already got their heads so high above the tall grass that they'd have little
> chance of getting a clearance.

If there are many as..., er, people in the USA who reason like the
above, then it should not be surprising that the current plot has been
allowed to happen...

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

Newsgroup: sci.crypt
document_id: 15627
From: grady@netcom.com (1016/2EF221)
Subject: Re: The [secret] source of that announcement

I guess the cryptowranglers read this group too.  But of
course I knew that because it is so easy to do.  There is
not a single doubt in my mind that every byte that passes
every significant gateway or 'bone is captured for the
colligation of data about __________?  (Maybe your name is here).

Maybe we should start a newsgroup for the distribution of encrypted 
posts intended for members of affinity groups with a shared private
key.  For example, at the upcoming Cypherpunks meeting, a private
key corresponding to that particular meeting could be passed out
by a moderator.  Minutes, followup comments to other participants,
and so on could be posted to the alt.encrypted group for the use
of the people who attended. Communiques intended by the group for
non-attendees could of course just be signed using the private key
but otherwise not encrypted.

Starting an alt.encrypted newsgroup rather than just maintaining
mailing lists is better for several reasons.  First, it would be
easier to archive for people who might join a group "late" and
who might like to easily read earlier posts; second, traffic analysis
to know exactly to whom an affinity message is directed would be foiled;
third, a newsgroup is much more public and would serve to publicize
available privacy measures on the internet.

And it would be fun to accumulate a secret keyring full of such
keys -- it beats giving out t-shirts as a door prize.

We could send a copy of alt.encrypted directly to Judge William
Sessions or Admiral Studeman to save them the time of having it
collected for them.


-- 
grady@netcom.com  2EF221 / 15 E2 AD D3 D1 C6 F3 FC  58 AC F7 3D 4F 01 1E 2F


Newsgroup: sci.crypt
document_id: 15628
From: ptrei@bistromath.mitre.org (Peter Trei)
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks only

In article <strnlghtC5t4o3.K5p@netcom.com> strnlght@netcom.com (David Sternlight) writes:
>Actually the government is telling you that if you want to use their
>"product" the manufacturer (actually better yet, some "trusted" pair
>of escrow agencies) has to have the key.
>
>Most of us already are in this situation--our car makers have keys to our
>cars (or can get them quickly from the VIN  number), and I have no doubt
>that if presented with a court order, they'd surrender copies to the
>government.

>Chances are that many locksmiths have the code numbers for house locks
>they've installed, and in an emergency can cut keys; thus they'd also
>provide such keys to the government pursuant to a court order.

    Of course, nothing prevents you from buying a new lock with cash
and installing it yourself. Even modifying the core to match some
arbitrary key is not difficult to do at home. I once knew someone who
had fixed his locks in this way - his house, office and cars all took
the same key (which he took GOOD care of :-)

>The state has no difficulty gaining access to your safe deposit box if they
>have a court order.

>Bad analogy.

    Very bad (yours, that is). Have you ever had a safety deposit box?
They work on a two-key system. The bank clerk has one, and you have
the other (they are different keys). The bank does NOT keep a copy of
your key. If you lose it, they have to drill out the lock, and replace
the door. This is a time consuming and expensive process (which they
will be happy to charge to your account :-).

     This process is exactly analogous to having a private key which
is NOT in an escrow system, and the state having to crack your cipher
to get the data.

     Please do not use false analogies.

							Peter Trei
							ptrei@mitre.org


Newsgroup: sci.crypt
document_id: 15629
From: langford@gems.vcu.edu
Subject: Re: Organized Lobbying for Cryptography

In article <1993Apr20.213718.23129@husc3.harvard.edu>, kubo@zariski.harvard.edu (Tal Kubo) writes:
 
> Having mentioned the possible dangers of unwelcome political associations,
> I would be remiss not to suggest something in the opposite direction:
> gathering the support of the NRA by emphasizing the RKBA side of the
> issue as well as the First-Amendment side.
> 
> Tal  kubo@math.harvard.edu
> 
> 
Hmmm, this gave me an interesting idea.  How about this argument:

1)  Second Amendment gives us the right to keep and bear arms.

2)  Strong cryptography is "arms", according to the U.S. government (that's
    why it's so hard to export).

Therefore, we have a constitutional right to strong cryptography!  
Q.E.D.

However, it's likely to be as hard or harder to exercise this right than it
is to exercise the other rights that the government is slowly
restricting.  Maybe the NRA _would_ be the best existing organization?
(Although I think a new one might be better, but perhaps would take too long
to start up.  I would certainly join.)
-- 
| From the electronic desk of Bob Langford          Health Sciences Computing
| 804-786-9843   (fax: 804-786-9807)         Virginia Commonwealth University
| e-mail:  langford@gems.vcu.edu     [or]     langford@vcuvax  (for BITNET)

Newsgroup: sci.crypt
document_id: 15630
From: steve-b@access.digex.com (Steve Brinich)
Subject: Re: Off the shelf cheap DES keyseach machine (Was: Re: Corporate acceptance of the wiretap chip)

 > > :Thousands?  Tens of thousands?  Do some arithmetic, please...  Skipjack
 > > :has 2^80 possible keys.
 > >
 > > We don't yet know if all 80 bits count.
 >
 > That doesn't worry me at all; they're not going to cheat at something
 >they can get caught at.  And key size is one of the things that can be
 >verified externally.  Feed lots of random key/input pairs into the
 >chip, then see what happens to the output....

  If the device is designed to use the key that's registered with the Feds,
I don't see how you -can- feed it a different key.  If the user can change
the key to any of the 2^80 possibilities, the main reason for regarding
this proposal as unacceptable disappears.




Newsgroup: sci.crypt
document_id: 15631
From: tom@ssd.csd.harris.com (Tom Horsley)
Subject: Re: Off the shelf cheap DES keyseach machine (Was: Re: Corporate acceptance of the wiretap chip)

>I don't like the unit key generation process any better than you do.
>However -- S1 and S2 are supposed to be under control of the same
>escrow agents.  If they can't be trusted to keep the seed values secure,
>they can't be trusted to keep the half-keys secure.

I hope there is something I don't understand about this system, but can
someone tell me how these chips are going to be manufactured while maintaining
each half key under total control of the separate escrow agencies? Don't
both halves of the key have to come together (in some form) at the time
the chip is constructed?

Or is it built like a fusible PROM, with the chip being sent to the 1st
escrow agency to program its 1/2 key, then the 2nd agency to program its
1/2 key (but who invents the safeguards that prevent the 2nd agency from
reading the information already programmed by the 1st)?

This isn't intended to be a flame or anything, I am just really curious
how to manufacture these things while still maintaining the key escrow
security without simply saying "trust the manufacturer, they won't look".
--
======================================================================
domain: tahorsley@csd.harris.com       USMail: Tom Horsley
  uucp: ...!uunet!hcx1!tahorsley               511 Kingbird Circle
                                               Delray Beach, FL  33444
+==== Censorship is the only form of Obscenity ======================+
|     (Wait, I forgot government tobacco subsidies...)               |
+====================================================================+

Newsgroup: sci.crypt
document_id: 15632
From: angel@Foghorn_Leghorn.coe.northeastern.edu (Kirill Shklovsky)
Subject: Re: Once tapped, your code is no good any more.

In article <1993Apr21.204036.13723@rick.dgbt.doc.ca> jhan@debra.dgbt.doc.ca (Jerry Han) writes:
>As one of the happily sleeping people, I would just like to ask this->
>aren't people just slightly overreacting to this?  Or are we all of a
>sudden going to draw parallels to Nazi Germany and Communist Russia?
>
>The point of the matter is that; yes this is a serious problem.  But it is
>not the end of the world.  Guess what?  We're doing something now you
>can't do in a Communist country or Nazi Germany.  We're complaining about
>it, (or rather, you're complaining about it) and nobody is shooting at us.  
>
>(Or, rather, if they're shooting at me, they have real bad aim.  (:-) )
>
>GUESS WHAT PEOPLE?  You live in one of the few countries in the world
>where a person can complain without getting shot at.  
>
>People are always complaining that somebody did this wrong, or somebody
>did that wrong, or whatever.  Sit down and figure out two things:
>
>1)  What have they done right?
>2)  How much worse can it get?
>
>And you'll find that you and I, are pretty damn lucky.
>
>So let's talk about it, get some action going, decide what's going on. 
>But let's not overreact!  
>
Us having the liberties to talk about this doesn't make the problem go
away.  It doesn't make it right.  Rather the opposite, if we do not do 
anything about it, you can bet it's going to get worse.

        *             Angel@foghorn_leghorn.coe.northeastern.edu
   *   * *     *   BTW: These are my opinions, and not that of any other entity
- * * *   *   * * ------------------------------------------------------------*
     *     * *               My god, its full of stars! - Dave
            *        I don't know about you, but we've got company!  - Epidemic


Newsgroup: sci.crypt
document_id: 15633
From: sphughes@sfsuvax1.sfsu.edu (Shaun P. Hughes)
Subject: Re: Organized Lobbying for Cryptography

In article <1r3jgbINN35i@eli.CS.YALE.EDU> jgfoot@minerva.cis.yale.edu writes:
>Tarl Neustaedter (tarl@coyoacan.sw.stratus.com) wrote:
>
>: It means that the EFF's public stance is complicated with issues irrelevant
>: to the encryption issue per se. There may well be people who care about
>: the encryption issue who don't care to associate themselves with the
>: network erotica issue (or may even disagree with the EFF's position).
>
>Perhaps these encryption-only types would defend the digitized porn if it
>was posted encrypted?
>
>These issues are not as separable as you maintain.
>

Now why would anyone "post" anything encrypted? Encryption is only of 
use between persons who know how to decrypt the data.

And why should I care what other people look at? 

What does concern me is the continued erosion of my constitutional
rights. ( Amendments I, II, IV, and V to note a few. )

-- 
  Shaun P. Hughes                          "Facts are Stupid Things."
  sphughes@sfsuvax1.sfsu.edu                Ronald Reagan
                                            Republican National
  Finger for PGP 2.2 Public Key             Convention 1988

Newsgroup: sci.crypt
document_id: 15634
From: jgfoot@minerva.cis.yale.edu (Josh A. Goldfoot)
Subject: Re: Organized Lobbying for Cryptography

Shaun P. Hughes (sphughes@sfsuvax1.sfsu.edu) wrote:
: In article <1r3jgbINN35i@eli.CS.YALE.EDU> jgfoot@minerva.cis.yale.edu writes:
[deletion]
: >Perhaps these encryption-only types would defend the digitized porn if it
: >was posted encrypted?
: >
: >These issues are not as separable as you maintain.
: >

: Now why would anyone "post" anything encrypted? Encryption is only of 
: use between persons who know how to decrypt the data.

: And why should I care what other people look at? 

I was responding to another person (Tarl Neustaedter) who held that the
EFF wasn't the best organization to fight for cryptography rights since the
EFF also supports the right to distribute pornography over the internet,
something some Crypto people might object to. In other words, he's
implying that there are people who will protect any speech, just  as long
as it is encrypted.


Newsgroup: sci.crypt
document_id: 15635
From: steve-b@access.digex.com (Steve Brinich)
Subject: Re: Once tapped, your code is no good any more.

  Agreed.  This is like the Bay of Pigs fiasco (planned by the Eisenhower
Administration but given the final green light by Kennedy).
  To be sure, when it all went down, Kennedy was at least man enough to take
full responsibility, which is not what I expect from Slick Willie Clinton....


Newsgroup: sci.crypt
document_id: 15636
From: arc@leland.Stanford.EDU (Andrew Richard Conway)
Subject: Re: Once tapped, your code is no good any more.

In article <1993Apr21.204036.13723@rick.dgbt.doc.ca> jhan@debra.dgbt.doc.ca (Jerry Han) writes:
>In article <bontchev.735404289@fbihh>
>
>As one of the happily sleeping people, I would just like to ask this->
>aren't people just slightly overreacting to this?  Or are we all of a
>sudden going to draw parallels to Nazi Germany and Communist Russia?

Yes. Reasonable parallels. (though I don't think Russia ever claimed to be
Communist)

>The point of the matter is that; yes this is a serious problem.  But it is
>not the end of the world.  Guess what?  We're doing something now you
>can't do in a Communist country or Nazi Germany.  We're complaining about

I must protest your "...in a Communist country". How do you know?
There haven't been any, and are unlikely to ever be any. In some Socialist
dictatorships, you can't, whilst in some socialist democracies
(such as France or Australia)
you can. Of course, some people may disagree about France & Australia being
socialist...

>it, (or rather, you're complaining about it) and nobody is shooting at us.  

Yet.

>(Or, rather, if they're shooting at me, they have real bad aim.  (:-) )
>
>GUESS WHAT PEOPLE?  You live in one of the few countries in the world
>where a person can complain without getting shot at.  

In some circumstances. I was at a public meeting last night (in the USA), where
a protester, who was very nice and calm, and just said before the
speaker started to beware of his opinions, was forced out of the meeting by
two armed policemen.

There are a lot of things that one cannot do in the USA. You may not
notice them, but as an Australian visitor, I notice them.

>People are always complaining that somebody did this wrong, or somebody
>did that wrong, or whatever.  Sit down and figure out two things:
>
>1)  What have they done right?
>2)  How much worse can it get?
>
>And you'll find that you and I, are pretty damn lucky.

Yes, we are lucky at the moment. I hope that is still true in
a few years' time. Because it didn't just happen...it required conscious
effort.

>So let's talk about it, get some action going, decide what's going on. 
>But let's not overreact!  

Of course don't overreact --- but don't underreact.

Andrew.
Disclaimer: All my opinions are my own, and do not represent the society
for the conservation of momentum or any other group. I hope I don't lose
my student Visa as a result of these opinions..


-- 
-----------------------------------------------------------------
Andrew Conway    arc@leland.stanford.edu  Phone: USA 415 497 1094


Newsgroup: sci.crypt
document_id: 15637
From: ebrandt@jarthur.claremont.edu (Eli Brandt)
Subject: Re: Off the shelf cheap DES keyseach machine (Was: Re: Corporate acceptance of the wiretap chip)

In article <1993Apr21.132318.16981@ulysses.att.com> smb@research.att.com (Steven Bellovin) writes:
>Remember that they've promised to let a committee of outside experts see
>the cryptosystem design.

I hope there are some silicon jocks on the committee who can follow
the algorithm through to hardware.  While I doubt the NSA would pull
any monkey business on this point -- they have to expect that the
chip will be reverse-engineered sooner or later -- it's an obvious
opportunity to introduce additional holes.

>		--Steve Bellovin

	 PGP 2 key by finger or e-mail
   Eli   ebrandt@jarthur.claremont.edu


Newsgroup: sci.crypt
document_id: 15638
From: george@tessi.com (George Mitchell)
Subject: Re: Organized Lobbying for Cryptography

langford@gems.vcu.edu writes:

>In article <1993Apr20.213718.23129@husc3.harvard.edu>, kubo@zariski.harvard.edu (Tal Kubo) writes:
>> Having mentioned the possible dangers of unwelcome political associations,
>> I would be remiss not to suggest something in the opposite direction:
>> gathering the support of the NRA by emphasizing the RKBA side of the
>> issue as well as the First-Amendment side.

>Hmmm, this gave me an interesting idea.  How about this argument:
>1)  Second Amendment gives us the right to keep and bear arms.
>2)  Strong cryptography is "arms", according to the U.S. government (that's
>    why it's so hard to export).
>Therefore, we have a constitutional right to strong cryptography!
>Q.E.D.

>[. . .]  Maybe the NRA _would_ be the best existing organization?

I think a new organization would be a much better idea, as the NRA
carries as much undesirable baggage for me as the EFF and CPSR do
for others.

Are any hot-shot, reputable organizers reading this message?  If an
effective group comes into existence, it can count on me signing up.

-- George Mitchell (george@tessi.com)

Newsgroup: sci.crypt
document_id: 15639
From: A. Charles Gross <acg@eff.org>
Subject: I have seen the lobby, and it is us

In article <1993Apr21.113152.395@gems.vcu.edu> , langford@gems.vcu.edu
writes:
>However, it's likely to be as hard or harder to exercise this right as it
>is getting to exercise the other rights that the government is slowly
>restricting.  Maybe the NRA _would_ be the best existing organization?
>(Although I think a new one might be better, but perhaps would take too long
>to start up.  I would certainly join.)

The NRA is successful because (among a number of things), on the drop of
a hat, they can get a congressperson's office flooded with postcards,
faxes and phone calls.  Certainly, with our way-cool Internet powers of
organization, we can act in the same way, if such action is appropriate.

As long as we are kept informed of events, anyone on this bboard can make
a call to action.  Hopefully, we're a strong enough community to act on
those calls.  I realize this is a little optimistic, and I'm glad EFF is
working in the loop on these issues, but don't underestimate the
potential of the net for political action.

Adam
* I speak for myself

Newsgroup: sci.crypt
document_id: 15640
From: andyl@harlqn.co.uk (Andy Latto)
Subject: Re: Off the shelf cheap DES keyseach machine (Was: Re: Corporate acceptance of the wiretap chip)


In article <1993Apr21.132318.16981@ulysses.att.com> smb@research.att.com (Steven Bellovin) writes:

   In article <C5sy1z.4tD@demon.co.uk>, Graham Toal <gtoal@gtoal.com> writes:
   > In article <1993Apr20.192105.11751@ulysses.att.com> smb@research.att.com (Steven Bellovin) writes:
   > :Thousands?  Tens of thousands?  Do some arithmetic, please...  Skipjack
   > :has 2^80 possible keys.
   > 
   > We don't yet know if all 80 bits count.

   That doesn't worry me at all; they're not going to cheat at something
   they can get caught at.  And key size is one of the things that can be
   verified externally.  Feed lots of random key/input pairs into the
   chip, then try flipping random key bits, and see what happens to the
   output.  We already know what *should* happen -- about half the output
   bits should vary, on average, from a 1-bit key change or input change.

   If they were out to build a weak cryptosystem, it might be the case that
   some of the bits are much less powerful than others, in the sense that
   they only enter into the encryption very late in the game.  By contrast,
   DES was designed to use each key bit as early as possible; the 50% output
   change rate appears as early as round 5.  Again, though, I don't think
   NSA is going to cheat that crudely; they're likely to get caught.

Consider a cryptosystem that starts out by XORing bits 23 and 47, and
not using either of these bits except through this XOR. This system
makes early use of every bit, but an exhaustive key search would now
only have 2^79 keys to search. Your test by varying single key bits
wouldn't turn up anything interesting.

   Remember that they've promised to let a committee of outside experts see
   the cryptosystem design.  If you assume something DES-like, a biased
   subkey generation schedule will stick out like a sore thumb.

The algorithm I suggest above would stick out like a sore thumb, but
I'm sure I could design a system with a more subtle key redundancy
which was well-hidden, but would still make an exhaustive key search
take far less than 2^80 encryptions. I don't believe your claim that
the real keysize can be verified externally.

							Andy Latto
							andyl@harlequin.com
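
Bellovin's flip-one-key-bit test and Latto's XORed-bits counterexample, as an added Python example that is not code from either post: a toy cipher (a keyed PRF, BLAKE2b, stands in for the block cipher; it is constructed here and is not Skipjack) with an honest 80-bit key schedule beside one in which bits 23 and 47 enter only through their XOR. Both schedules pass the single-bit avalanche test, yet under the redundant one every key K has a twin (K with bits 23 and 47 both flipped) that encrypts every block identically, so an exhaustive search needs only 2^79 trials. Key size, bit positions and trial counts are taken from or chosen for the example.

```python
import hashlib
import random

KEY_BITS = 80                  # Skipjack's advertised key size, per the thread
BLOCK_BYTES = 8                # 64-bit block, as the example's output size
PAIR_MASK = (1 << 23) | (1 << 47)   # the two key bits Latto's hypothetical XORs

def schedule_honest(key: int) -> bytes:
    """Every one of the 80 key bits feeds the cipher independently."""
    return key.to_bytes(KEY_BITS // 8, "big")

def schedule_redundant(key: int) -> bytes:
    """Bits 23 and 47 enter only through their XOR, as in Latto's hypothetical.
    The other 78 bits pass through unchanged, so 2^80 keys collapse to 2^79
    distinct effective keys (bit 47 of the reduced key is always zero)."""
    x = ((key >> 23) ^ (key >> 47)) & 1
    reduced = (key & ~PAIR_MASK) | (x << 23)
    return reduced.to_bytes(KEY_BITS // 8, "big")

def encrypt(schedule, key: int, block: bytes) -> bytes:
    """Toy block cipher for this example: a keyed PRF (BLAKE2b) stands in for
    the rounds. Only the key schedule matters for the point being made."""
    return hashlib.blake2b(block, key=schedule(key), digest_size=BLOCK_BYTES).digest()

def hamming(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def avalanche_fraction(schedule, bit: int, trials: int = 200, seed: int = 1) -> float:
    """Bellovin's external test: over many random key/input pairs, flip one key
    bit and report the mean fraction of output bits that change (ideal ~0.5)."""
    rng = random.Random(seed)
    changed = 0
    for _ in range(trials):
        key = rng.getrandbits(KEY_BITS)
        block = rng.getrandbits(8 * BLOCK_BYTES).to_bytes(BLOCK_BYTES, "big")
        changed += hamming(encrypt(schedule, key, block),
                           encrypt(schedule, key ^ (1 << bit), block))
    return changed / (trials * 8 * BLOCK_BYTES)

def equivalent_key_count(schedule, trials: int = 100, seed: int = 2) -> int:
    """Count random keys K for which K and K ^ PAIR_MASK encrypt four fixed
    probe blocks identically: zero for an honest schedule, every key for the
    redundant one. Note this only works because we already know which two
    bits to flip together; that is exactly Latto's objection."""
    rng = random.Random(seed)
    probes = [bytes([i]) * BLOCK_BYTES for i in range(4)]
    count = 0
    for _ in range(trials):
        key = rng.getrandbits(KEY_BITS)
        twin = key ^ PAIR_MASK
        if all(encrypt(schedule, key, p) == encrypt(schedule, twin, p) for p in probes):
            count += 1
    return count

def effective_keyspace_bits(schedule, trials: int = 100) -> int:
    """A schedule in which every key has a distinct twin halves the search
    space: 79 bits instead of 80. Any other outcome is reported as 80."""
    return KEY_BITS - 1 if equivalent_key_count(schedule, trials) == trials else KEY_BITS

if __name__ == "__main__":
    for name, sched in (("honest", schedule_honest), ("redundant", schedule_redundant)):
        print(f"{name:9s} avalanche: bit23={avalanche_fraction(sched, 23):.3f} "
              f"bit47={avalanche_fraction(sched, 47):.3f}  "
              f"effective key bits={effective_keyspace_bits(sched)}")
```

Both rows print avalanche fractions near 0.5, so the single-bit test cannot distinguish them; only a check that already knows which bits are redundant finds the 79-bit keyspace.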

Newsgroup: sci.crypt
document_id: 15641
From: caronni@nessie.cs.id.ethz.ch (Germano Caronni)
Subject: Re: Do we need the clipper for cheap security?

In article <9304201003.AA05465@pizzabox.demon.co.uk> gtoal@gtoal.com (Graham Toal) writes:
>Can someone tell me if hardware compression is or is not needed to run
>digital speech down 14.4K?  I think it is; I've heard it's not.  Lets
>say 8 bit samples.  Would *raw* data at the corresponding sampling rate
>be usable?  If not, how fancy does the compression need to be?

As far as I know, ISDN (call it Swissnet here, and it's being plugged in) is
8 bit at 8000Hz (gives you one channel of 64kBit/sec). I guess you should not go
below a sampling rate of 6000 Hz if you want to have the same quality as on an
analog line. Does anybody know compression algorithms & factors for voice?

Greetings,

	Germano Caronni
-- 
Instruments register only through things they're designed to register.
Space still contains infinite unknowns.
                                                              PGP-Key-ID:341027
Germano Caronni caronni@nessie.cs.id.ethz.ch   FD560CCF586F3DA747EA3C94DD01720F

Newsgroup: sci.crypt
document_id: 15642
From: Tony Lezard <tony@mantis.co.uk>
Subject: Re: text of White House announcement and Q&As on clipper chip encryp

gtoal@gtoal.com (Graham Toal) writes:

> Whatever happens though, the effect of this new chip will be to make private
> crypto stand out like a sore thumb.

ONLY IF this chip catches on. Which means alternatives have to be
developed. Which will only happen if Clipper is discredited.

-- 
Tony Lezard IS tony@mantis.co.uk | PGP 2.2 public key available from key
OR tony%mantis.co.uk@uknet.ac.uk | servers such as pgp-public-keys@demon.co.uk
OR EVEN      arl10@phx.cam.ac.uk | 172045 / 3C85783F 09BBEA0C B86CF9C6 7A5FA172


Newsgroup: sci.crypt
document_id: 15643
From: mathew <mathew@mantis.co.uk>
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

bena@dec05.cs.monash.edu.au (Ben Aveling) writes:
> Don't forget, you are in the country that wouldn't let the Russians
> buy Apple II's because of security concerns.

That's nothing.  They wouldn't let the British buy Inmos Transputer systems
because of security concerns.  And we designed the damn things!


mathew

Newsgroup: sci.crypt
document_id: 15644
From: psionic@wam.umd.edu (Haywood J. Blowme)
Subject: new encryption

   As promised, I spoke today with the company mentioned in a Washington
Times article about the Clipper chip announcement. The name of the company
is Secure Communications Technology (Information will be given at the end
of this message on how to contact them).

   Basically they are disturbed about the announcement for many reasons that
we are. More specifically however, Mr. Bryen of Secure Communications
brought to light many points that might interest most of the readers.

   His belief is that AT&T was made aware of the Clipper well before the
rest of the industry. This is for several reasons, several of which are:

 - A company of AT&T's size could never be able to make a decision to use
   the new chip on the SAME DAY it was announced.

 - Months ago they proposed using their own chip for AT&T's secure telephone
   devices. AT&T basically blew them off as being not interested at all.
   This struck them as strange, until now...


   Also I spoke with Art Melnick, their cryptographer; he expressed several
concerns over the new Clipper Chip:

  - The obvious backdoor will be able to let many people decrypt the code.

  - Once the key is released to authorities the security of the crypto
    system is lost forever. These keys can end up in the hands of any agency
    of the government.

  - The fact that the escrowed keys never change means that the algorithm
    is vulnerable over time to an attacker.

  - The classified algorithm may hide another backdoor. But he feels that
    it is probably to keep people from forging fake serial numbers, or
    changing the keys themselves.

  - Additionally he feels that the NSA has probably spent enough time and
    money in working on a way to keep this chip from being reverse
    engineered, that he feels that reverse engineering it will be very
    difficult to do. He feels that they have developed a suitable technique
    to protect the chip from this attack. Also he feels that the chip is
    hardware encoded with the algorithm and not microcoded onto the chip.

Additionally I spoke with Mr. Melnick about their algorithm. He couldn't tell
me much about their new algorithm because it hasn't been patented yet.
However he told me a little:

 - The algorithm will be released for public review after patents have been
   granted for it. This is so the crypto community can see that it is
   secure.

 - The algorithm is called NEA for New Encryption Algorithm.
   The details were sketchy because for now it is held as a trade secret
   until the patent is issued, but I was told that it will incorporate
   the following:

    - It will have fast encryption of data (Exact specs not given, but
      Mr. Melnick stated "Much faster than what an RS-232 can put out.")

    - It is a symmetric cipher, just like IDEA and DES.

    - It will use 64 bit data blocks for encryption (like DES and IDEA).

    - The key length was not given to me, but Mr. Melnick states that
      it is _adjustable_ and is "More than adequate for security."

    - The algorithm is written in C and Assembler in software form, and
      can be ported to many platforms (Unlike the Clipper Chip which
      is hardware ONLY and cannot be made into software) This I
      consider a definite plus for the NEA for widespread use.

    - The algorithm will accommodate public key distribution techniques
      such as RSA or Diffie-Hellman. This will also be supported in the
      hardware chip.

    - Right now the projected cost of the NEA chip will be about 10 dollars
      for each!! (Clipper will run 25 each chip [that is if it is produced
      enough, which probably won't happen]).

    - They currently sell a program called C-COM that uses the algorithm
      and a special streaming protocol that does not divide the encrypted
      data into "blocks." This could prevent plaintext attacks if you know
      what the block header is. This program operates at all supported
      RS-232 speeds and uses the software implementation of the algorithm.

    - Most importantly: IT DOES NOT HAVE A BACKDOOR!!



Right now the company is afraid that the new clipper chip will put them out
of business. This is a very real possibility. So they really need help in
stopping the clipper chip from becoming a standard. If you want to contact
them, they can be reached at..

Secure Communications Technology
8700 Georgia Ave. Suite 302
Silver Spring, MD

(301) 588-2200

I talked to Mr. Bryen who represents the company. He can answer any
questions you have.




Any factual errors occurring in this write up are my own and I apologize for
them ahead of time.

 

=============================================================================
      ///    | psionic@wam.umd.edu | Fight the WIRETAP CHIP!! Ask me how!
 __  /// C=  | -Craig H. Rowland-  |
 \\\/// Amiga| PGP Key Available   | "Those who would give up liberty for
  \///  1200 | by request.         |  security deserve neither."
=============================================================================



Newsgroup: sci.crypt
document_id: 15645
From: neuhaus@vier.informatik.uni-kl.de (Stephan Neuhaus (HiWi Mattern))
Subject: Re: Do we need the clipper for cheap security?

gtoal@gtoal.com (Graham Toal) writes:

>Can someone tell me if hardware compression is or is not needed to run
>digital speech down 14.4K?  I think it is; I've heard it's not.  Lets
>say 8 bit samples.  Would *raw* data at the corresponding sampling rate
>be usable?  If not, how fancy does the compression need to be?

Note: I am *not* a cable freak, so I might have completely
misunderstood what you said.  Also, my math is frequently noted for
being wrong, so you'd better check the calculations yourself.

I assume that 14.4K means 14.4K Bits.  So if we assume one start and
one stopbit, and no protocol overhead, the effective number of bytes
per second is 1.44K.

Let's also assume that you do not want to transmit your speech in
stereo, so that you can send 1,440 samples/sec.  This corresponds to a
Nyquist frequency of 720 Hz, which should be too low, especially if
you think about the 8-bit low quality sound.  Furthermore, your D/A
converter will probably not present you with a signal that has been
cut off at 720 Hz, but will instead alias in all the higher
frequencies.  (Although you can definitely build a filter to overcome
that problem.)

On the other hand, speech should be easily compressible.  For example,
you could form power spectra, or you could simply band-pass filter and
then linearize the Fourier transforms.  It won't be CD quality sound,
but it'll be discernible.  The power spectrum method is very good in
that respect.  I have once programmed such a software compressor, and
compression rates of 90% with relative errors due to linearization of
less than 5% were common.  Although I must say that these were musical
sounds, not speech.

Have fun.

-- 
Stephan <neuhaus@informatik.uni-kl.de>
sig closed for inventory.  Please leave your pickaxe outside.
PGP 2.2 public key available on request.  Note the expiration date.

Newsgroup: sci.crypt
document_id: 15646
From: m.t.palmer@larc.nasa.gov (Michael T. Palmer)
Subject: Re: Once tapped, your code is no good any more.


In article <1993Apr21.150815.6657@chpc.org> rboudrie@chpc.org (Rob Boudrie) writes:
>In article <C5so84.Hxv@demon.co.uk> Graham Toal <gtoal@gtoal.com> writes:
>>In article <2073@rwing.UUCP> pat@rwing.UUCP (Pat Myrto) writes:
>>:If the Clinton Clipper is so very good, why not make its algorithm public
>>:so many people can exchange ideas and examine it, rather than a few
>>:isolated 'respected experts' (respected by whom?  for what?  Perhaps a
>
>One more time...
>
>    If they released the algorithm, it would be possible for someone
>    to come up with an implementation which was identical, but
>    lacking an escrowed key.
>
>    Note that the press announcement mentioned that the algorithm was
>    being kept secret for security of the key escrow system.  In this
>    case security means "an escrowed key for EVERY clipper chip".
>
>
>    Assuming you believed all that is said about the effectiveness of
>    the algorithm, and the escrow system, which would you buy :
>
>     (a)  Chip from firm A with the escrowed key
>     (b)  Second source chip from reputable firm B with no key
>          in government escrow.
>
>    There would obviously be powerful economic incentives for a second
>    source, non escrowed, vendor.

But what about second sources for pin-compatible non-Clipper algorithm
chips that also have escrowed keys?  If a "reputable firm" produces a
chip (with escrowed key) that is a pop-in replacement for the Clipper
chip in my phone, and uses an algorithm that is widely known and evaluated
and "trusted," then what's the problem?

The Clipper is going to be reverse engineered anyway by any organization
with sufficient resources (can you say "billions of cocaine dollars?") so
those drug dealers they're so worried about will be slipping through the
cracks.  We law-abiding (non-incredibly-wealthy) citizens, naturally, will
not have this recourse.  But claiming that the algorithm can't be
released to prevent people from using non-key-escrowed chips is plain
deceitful... analysis of the chip output will provide information on
the necessary headers and whatnot, so the "bad guys" could build chips
using a *different* algorithm and still not escrow their keys.

Or, they could just buy bunches of cheap phones at K-mart every week,
and play Swap-the-Clipper-Chip with their cellular phone every day.


Michael T. Palmer         |  "A man is crazy who writes a secret in any
m.t.palmer@larc.nasa.gov  |   other way than one which will conceal it
RIPEM key on server       |   from the vulgar." - Roger Bacon, 1220-1292

Newsgroup: sci.crypt
document_id: 15647
From: rboudrie@chpc.org (Rob Boudrie)
Subject: Re: How to detect use of an illegal cipher?

>As for my impressions of the whole scheme It seems that instead of trying to
>ban strong crypto, they are trying to co-opt it. Their contention that they 
>need to keep the algorithm secret to protect the security of the key
>registration suggests possible inherent weakness to the algorithm. More likely
>is that they don't want anyone constructing black market devices which don't
>have the keys registered. Anyone else notice that in their Q&A session, they

Preventing black market chips w/non-escrowed keys IS exactly what they
mean by protecting the security of the key escrow system.  There are
two parts to the security of such a system:
  
    (a) Preventing decryption by unauthorized personnel
    (b) Assuring that the gummit can always decrypt clipper
        traffic when it authorizes itself to do so.

Of course, the ministry of propaganda will do a lot of talking about
(a) and very little about (b).

                                        rob boudrie
                                        rboudrie@chpc.org

ps: Anyone care to guess what encryption scheme the gov't is using on
    its newly formed database of anarch-cryptists who oppose this entire
    lunacy?


Newsgroup: sci.crypt
document_id: 15648
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks only
From: a_rubin@dsg4.dse.beckman.com (Arthur Rubin)

In <1r47l1INN8gq@senator-bedfellow.MIT.EDU> jfc@athena.mit.edu (John F Carr) writes:

>In most cases information you come by properly is yours to use as you wish,
>but there are certainly exceptions.  If you write a paper which includes
>sufficiently detailed information on how to build a nuclear weapon, it is
>classified.  As I understand the law, nuclear weapons design is
>_automatically_ classified even if you do the work yourself.  I believe you
>are then not allowed to read your own paper.

This has now been thrown out by the courts.  (The "Progressive" case.)

>A less serious example: if you tell drivers about a speed trap they are
>about to run into, you can be fined, even though you might argue that you
>broke no law when you discovered the location of the policeman.  The charge
>is interfering with a police officer, which is quite similar to what you would
>be doing by reverse engineering the Clipper chip.

This is outright illegal.  It DOES violate the first amendment.  If you
would, give a case in which your "speed trap" example has been upheld by
the courts.
--
Arthur L. Rubin: a_rubin@dsg4.dse.beckman.com (work) Beckman Instruments/Brea
216-5888@mcimail.com 70707.453@compuserve.com arthur@pnet01.cts.com (personal)
My opinions are my own, and do not represent those of my employer.

Newsgroup: sci.crypt
document_id: 15649
Subject: Re: Once tapped, your code is no good any more.
From: a_rubin@dsg4.dse.beckman.com (Arthur Rubin)

In <strnlghtC5uIJ4.76t@netcom.com> strnlght@netcom.com (David Sternlight) writes:

>In article <ELEE9SF.93Apr21095141@menudo.menudo.UH.EDU>
>elee9sf@menudo.menudo.UH.EDU (Karl Barrus) writes:

>>
>>Would you trust a black-box from the NSA versus an "open system" from
>>elsewhere?

>Absolutely, if I were assured by someone I trusted that the black box was
>more secure. I have nothing to conceal from the government, but I would like
>to be sure that any Russian, Japanese, French, or other competitors for my
>services can't read my traffic. I'd like to be sure that competitive bid
>information was safe from commercial competitors and foreign governments
>which would aid them.

>I believe the NSA has identical motivations with respect to my activities.
>The President and many other senior government officials have made it very
>clear that they share these motivations. Thus I'd trust them on the
>"coincidence of interests" argument as well as on a basic trust in their
>professionalism and a high confidence in their skills.

>David
>-- 
>David Sternlight         Great care has been taken to ensure the accuracy of
>                         our information, errors and omissions excepted.  

Nothing but errors and omissions here!

--
Arthur L. Rubin: a_rubin@dsg4.dse.beckman.com (work) Beckman Instruments/Brea
216-5888@mcimail.com 70707.453@compuserve.com arthur@pnet01.cts.com (personal)
My opinions are my own, and do not represent those of my employer.

Newsgroup: sci.crypt
document_id: 15650
From: mbeckman@mbeckman.mbeckman.com (Mel Beckman)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption


In article <1993Apr17.032022.14021@clarinet.com> (sci.crypt,alt.security,comp.org.eff.talk,comp.security.misc,comp.org.acm,comp.org.ieee), brad@clarinet.com (Brad Templeton) writes:
> Let's assume, for the moment, that the system really is secure unless
> you get both halves of the encryption key from the two independent
> escrow houses.  Let's say you even trust the escrow houses -- one is
> the ACLU and the other is the EFF.  (And I'm not entirely joking about
> those two names)

The problem with "Let's assume" reasoning is that, taken to the extreme
(and you're close), you arrive at "Let's assume this is perfectly OK."

The assumptions you make are big ones. If the system is really secure, then
why does the government have to keep the algorithm secret?  There are plenty
of encryption algorithms that don't depend upon nondisclosure to be secure,
so why in the world use one that does?  There are reasons, of course, but
I certainly can't think of any honest ones.

Next, you assume we can "trust" the escrow houses. But the last time I checked,
EVERY SINGLE BRANCH OF GOVERNMENT has experienced unauthorized disclosure,
corruption, and even fabrication, of supposedly secure data. The govt is
saying "Yeah, but NOW we're serious, so you can trust us."  Bullcrypt. 

And finally, although you didn't state it explicitly, you implicitly assume
that the warrant mechanism in this country is safe and reasonable. The case
in Ventura County of a man shot and killed by officers serving a deliberately
fraudulent warrant tells me that the govt has a long ways to go on this
score.

Remember that all this is to catch the drug dealers, right?  As others
have pointed out, the current proposal will, if deployed, render truly secure
encryption much more expensive and inconvenient than Uncle Sam's brand.
Who will be able to afford, and be sufficiently motivated, to purchase this
expensive, inconvenient higher protection?  Somebody with lots of extra
cash...

The following is more true than ever:

  "When [strong] encryption is outlawed, only outlaws will have [strong]
encryption."


________________________________________________________________________
| Mel beckman                  |   Internet: mbeckman@mbeckman.com     |
| Beckman Software Engineering | Compuserve: 75226,2257                |
| Ventura, CA 93003            |  Voice/fax: 805/647-1641 805/647-3125 |
|______________________________|_______________________________________|
 "You can observe a lot just by watching."  -Yogi Berra

Newsgroup: sci.crypt
document_id: 15651
From: mbeckman@mbeckman.mbeckman.com (Mel Beckman)
Subject: Re: An Open Letter to Mr. Clinton


In article <strnlghtC5M2Cv.8Hx@netcom.com> (sci.crypt), strnlght@netcom.com (David Sternlight) writes:
> Here's a simple way to convert the Clipper proposal to an unexceptionable
> one: Make it voluntary.
> 
> That is--you get high quality secure NSA classified technology if you agree
> to escrow your key. Otherwise you are on your own.
> 

David,

  As an economist, I'm sure you can see the flaws in this logic. If the (naive)
market is flooded with proprietary, but weak, encryption, then truly strong 
encryption will be unable to compete. Suppose the govt had a secret TV broadcast
standard, and then sold TVs below cost. Private industry has a better standard,
but it's not as widespread due to the govt's early flooding of the market
with cheap proprietary sets. Even though the industry's technology is better,
the programming is being broadcast to the govt's unduplicatable standard.
Who could compete?

  The other flaw, of course, is that making something voluntary today ensures
that it will be voluntary in the future. I went to renew my CA drivers license
last week and was required not only to give my SSN, but to PRODUCE AN SSN
CARD to verify the number!  Note that a federal law once said that no state
or local govt could ever require the use of SSNs for drivers license registration
(specifically!).

   I do not trust the govt that says "trust me on this even though we could
have an arrangement that doesn't require your trust."  Something is big
time fishy. If you look more carefully, you'll see it.

  -mel

________________________________________________________________________
| Mel beckman                  |   Internet: mbeckman@mbeckman.com     |
| Beckman Software Engineering | Compuserve: 75226,2257                |
| Ventura, CA 93003            |  Voice/fax: 805/647-1641 805/647-3125 |
|______________________________|_______________________________________|
 "You can observe a lot just by watching."  -Yogi Berra

Newsgroup: sci.crypt
document_id: 15652
From: rschnapp@metaflow.com (Russ Schnapp)
Subject: Re: Once tapped, your code is no good any more.

It might be nice to:

1. cut out the ad hominem attacks on Prof. Denning, Mr. Sternlight,
etc.  If you have something objective to say about their views, go
ahead and say it (subject to point 2.).  Personal attacks reflect more
on the attacker than on the attackee.  Throw light, not heat!

2. restrict the discussion to appropriate newsgroups. I submit that
comp.org.acm and comp.org.ieee are not appropriate for this
discussion.  You have now made subscribers to these newsgroups aware of
the issue.  If they want to know more or participate in the discussion,
they can easily join sci.crypt, comp.security.misc, alt.security, or
comp.org.eff.talk.
-- 

...Russ Schnapp
Email: netcom!metaflow!rschnapp or rschnapp@Metaflow.com or rschnapp@BIX.com
Metaflow Technologies   Voice: 619/452-6608x230;  FAX: 619/452-0401
La Jolla, California    Unless otw specified, I'm speaking only for myself!

Newsgroup: sci.crypt
document_id: 15653
From: mbeckman@mbeckman.mbeckman.com (Mel Beckman)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]


In article <1993Apr17.090731.18680@clarinet.com> (sci.crypt), brad@clarinet.com (Brad Templeton) writes:
> Interestingly enough, in designing the escrow, we may want to use some
> rather unusual technology, such as sealed boxes of paper, or
> destructive read memory, rather than typical computer databases, which
> is fun for a database of hundreds of millions of keys.
> 

To me, a larger problem is that once disclosed, your keys could be used
to decrypt any previously recorded conversations. I gather that from this
proposal a warrant would be required to get the keys, but not to collect
conversations! Consider the scenario where an agency collects preemptively
all encrypted conversations for certain people likely to be targets (and
not necessarily "legitimate" targets), then arranges for some unrelated
incident that can trigger a warrant:

   "Your honor, we know that the suspect has received calls from noted 
crime figure Bugsy Butthead [said calls arranged by the agency] and we must 
therefore have this warrant to determine whether this suspect, in a
sensitive govt post, is corrupt."

  I suppose that it is conceivable that there are session keys involved
somewhere, but that doesn't seem likely; if there are, why wouldn't the
technical overview mention them when it goes to such details as the number
of bits held by each escrow authority?

  This scheme is full of holes, and stinks to high heaven.

  -mel

________________________________________________________________________
| Mel beckman                  |   Internet: mbeckman@mbeckman.com     |
| Beckman Software Engineering | Compuserve: 75226,2257                |
| Ventura, CA 93003            |  Voice/fax: 805/647-1641 805/647-3125 |
|______________________________|_______________________________________|
 "You can observe a lot just by watching."  -Yogi Berra

Newsgroup: sci.crypt
document_id: 15654
From: ifarqhar@laurel.ocs.mq.edu.au (Ian Farquhar)
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks only

In article <1r0ausINNi01@senator-bedfellow.MIT.EDU> jfc@athena.mit.edu (John F Carr) writes:
>The chip and algorithm are classified.  If you reverse engineer it and
>tell people, you are likely to go to jail.

I don't find this a credible argument, for two reasons.  One you have
supplied below: unless I care about entering the USA at any time in the
future (e.g. the Taiwanese backyard cloners - who BTW have been known to
decap custom silicon and reproduce it on daughterboards when pirating
high-profit arcade machines and the like - who wouldn't care less), I am not 
going to care much about US confidentiality, am I?  Only people like the
real me, who does care about travelling to various countries for business
reasons, will sit up and follow laws like this, but I would contend that
we're not the main threat.

I also have grave doubts whether an algorithm widely distributed in silicon
could possibly be called "classified."  It's like handing out military
secrets to the whole world in envelopes marked "don't open me."  I can
imagine several credible defences which could be employed if it came to
a trial.  One would be the stupidity of the government's actions.

>Perhaps some foreign governments or corporations could help us out by
>cracking the system outside the USA.  The US government could probably
>stop importation of clone hardware, but a software implementation
>should be practical.

Amusing thought: could they have employed an algorithm which is infeasible
for a fast software implementation, but which is easy in custom hardware?
In DES, the extensive use of permutation tables (trivial in hardware: you
just swap bus lines, but relatively slow in software) has had a big effect
on the speed difference between hardware and software implementations of
that cipher (indeed, I suspect that Lucifer's designers were well aware that
it would be, and approved.)  Certain algorithms (usually parallel search
algorithms) can be very slow in software, yet can fly in custom hardware.
I have no proof of their employment in Clipper -- it is pure conjecture.  
However, as a software implementation of this cipher is something that its 
designers would have been trying to avoid at all costs, then the inclusion 
of such techniques seems credible.

Hmmm... I also wonder what Intergraph thinks about the use of the name
"Clipper" for this device. :)

--
Ian Farquhar                      Phone : + 61 2 805-9400
Office of Computing Services      Fax   : + 61 2 805-7433
Macquarie University  NSW  2109   Also  : + 61 2 805-7420
Australia                         EMail : ifarqhar@laurel.ocs.mq.edu.au.

Newsgroup: sci.crypt
document_id: 15655
From: ifarqhar@laurel.ocs.mq.edu.au (Ian Farquhar)
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks only

In article <19930419.155204.305@almaden.ibm.com> ameline@vnet.IBM.COM (Ian Ameline) writes:
>  I also believe that someone will reverse engineer the clipper chip,
>and knowledge of the algorithm will likely be fairly widespread. Any back-
>doors or weaknesses would further discredit the scheme, and help grow
>the market demand for a secure alternative.

I must admit that this point has been running through my mind for most of
the discussion: once the dice are out there, it won't be long before someone
decaps it and, after a bit of work, has full details of the Clipper
algorithm.  This isn't trivial to do, but then again, it is not impossibly
difficult either.  Any half way decent VLSI design student should be able
to take a photograph of a technology s/he is familiar with, and given a
description of the input, output, control and supply lines, figure out 
the function of various subsystems on the die.  Indeed, this is not an
uncommon exercise performed during training (because it makes you think
about design decisions made by other designers.)

I could speculate that these chips are going to be manufactured using
"tamperproof" carriers (unlikely - such techniques are *very* expensive
and this thing is supposed to be relatively cheap to produce), or that
there will be some legal or legislative framework to prevent publication
of the algorithm (unlikely - please correct me if I am wrong but aren't these
supposed to be sold internationally?).  I suppose that the most likely
reason the algorithm is remaining secret for the moment is that some idiot
bureaucrat, untrammeled by the realities of the situation, decided that
"well, we should keep it a secret because it is supposed to be secret,
isn't it?"

Just some random thoughts...

--
Ian Farquhar                      Phone : + 61 2 805-9400
Office of Computing Services      Fax   : + 61 2 805-7433
Macquarie University  NSW  2109   Also  : + 61 2 805-7420
Australia                         EMail : ifarqhar@laurel.ocs.mq.edu.au.

Newsgroup: sci.crypt
document_id: 15656
From: Lyle_Seaman@transarc.com
Subject: Re: Once tapped, your code is no good any more.

jhan@debra.dgbt.doc.ca (Jerry Han) writes:
> The point of the matter is that; yes this is a serious problem.  But it is
> not the end of the world.  Guess what?  We're doing something now you
> can't do in a Communist country or Nazi Germany. 

Or John Edgar Hoover's USA.

> We're complaining about
> it, (or rather, you're complaining about it) and nobody is shooting at us.  

yet.

> GUESS WHAT PEOPLE?  You live in one of the few countries in the world
> where a person can complain without getting shot at.  

yet.

> People are always complaining that somebody did this wrong, or somebody
> did that wrong, or whatever.  Sit down and figure out two things:
> 
> 1)  What have they done right?
> 2)  How much worse can it get?
> 
> And you'll find that you and I, are pretty damn lucky.

so far.

> So let's talk about it, get some action going, decide what's going on. 
> But let's not overreact!  

What harm is there in overreacting?
This may be the largest single threat to civil liberties yet in my
lifetime.  The US has done some pretty heinous things in the past, 
and we haven't yet recovered from all of them.  There certainly seems
to be a historical trend towards less liberty, with occasional
perturbations. 

Time to break out the quotes from American political radicals.

Lyle		Transarc		707 Grant Street
412 338 4474	The Gulf Tower		Pittsburgh 15219

 There are more instances of the abridgement of the freedom of the
 people by the gradual and silent encroachment of those in power,
 than by violent and sudden usurpation.          -- James Madison



Newsgroup: sci.crypt
document_id: 15657
From: amolitor@nmsu.edu (Andrew Molitor)
Subject: Re: The [secret] source of that announcement

In article <gradyC5uAMw.BnG@netcom.com> grady@netcom.com (1016/2EF221) writes:
>I guess the cryptowranglers read this group too.  But of
>course I knew that because it is so easy to do.  There is
>not a single doubt in my mind that every byte that passes
>every significant gateway or 'bone is captured for the
>colligation of data about __________?  (Maybe your name is here).

	I really like these claims. Where did they come from? We hear,
practically daily, that the NSA monitors, oh, everything. They can
crack anything. They'd never release a cryptosystem they couldn't crack.

	Where do people get these fascinating facts? 'The Puzzle Palace'?
If you can get it for a buck, 2nd hand, it must be true, eh? I'm pretty
sure the NSA is supposed to, among many other things, provide high-quality
cryptosystems to a variety of places. I don't recall reading anywhere
reliable that they're supposed to:

	1) Monitor my phone calls.
	2) Monitor usenet.
	3) Provide only cryptosystems they can easily crack.
	4) etc etc.

	This is not to say that they *don't*, they might. But you don't
know that they do, and you have no evidence that they do, for almost
all values of you. It follows, therefore, that for most values of 'you',
your claims about the NSA border on paranoia.

	Andrew


Newsgroup: sci.crypt
document_id: 15658
From: rbrand@usasoc.soc.mil (Raymond S. Brand)
Subject: "Clipper Chip" facts: a request

Having read the various "Clipper" announcements on the net over the last few 
days and a LOT of uninformed speculation about the chip, its uses,
government plots, etc, I have the following questions.

  1) What does the "Clipper chip" actually implement? Just the Skipjack
	cryptographic algorithm? Or does it also implement a "chip to chip"
	communications protocol? If it does implement a communications
	protocol, can it be used as just a "crypt chip" also?

  2) Where can the chip specifications and spec sheets be obtained?

  3) Who may purchase them and under what conditions?

  4) Are there restrictions as to how the chip may be used in a system?

  5) The security of the algorithm and the encrypted communications does
	not appear to require that the "Family key" be a secret. Why is
	it a secret? What happens when the "family key" becomes well known?
	If it's a secret to make traffic analysis more difficult, does
	the "Law enforcement message" contain any random information?
	How much and how random is it?

  6) Can the chip be programmed to reveal the "Unit key"? The chip "serial
	number"? Any of the programming parameters?

-----------------------------------------------------------------------------
Raymond S. Brand					rbrand@usasoc.soc.mil
-----------------------------------------------------------------------------

Newsgroup: sci.crypt
document_id: 15659
From: holland@CS.ColoState.EDU (douglas craig holland)
Subject: Re: Once tapped, your code is no good any more.

In article <bontchev.735404289@fbihh> bontchev@fbihh.informatik.uni-hamburg.de writes:
>andersom@spot.Colorado.EDU (Marc Anderson) writes:
>
>> methods.  ``This year's crime bill will have teeth, not bare gums,''
>> Clinton said.  In particular, his administration will place strict
>> controls on data formats and protocols, and require the registration
>> of so-called ``cryptographic keys,'' in the hope of denying drug
>> dealers the ability to communicate in secret.  Clinton said the
>> approach could be used for crackdowns on other forms of underground
>> economic activity, such as ``the deficit-causing tax evaders who
>> live in luxury at the expense of our grandchildren.''
>
>And some people thought that I am exaggerating when claiming that the
>Cripple Chip is just a first step in a totalitarian plot against the
>civil liberties in the USA... It seems that I've even been an optimist
>- the things are happening even faster than I expected.... That's
>another of the dirty tricks they used to apply on us under the
>communist regime - do something secret, THEN tell the people about it
>(after the fact, when nothing can be done any more), and of course,
>explaining them how much better the situation is now...
>
>In my previous messages I wrote that the Americans should wake up and
>fight against the new proposal. Now it seems to me that it is already
>too late - it has already happened, the civil liberties have been
>violated, no, stolen from the American people, while the most part of
>this people has been sleeping happily... :-((( Too sad...
>

	I'm definitely going to write my Congressman, and nobody's ever
going to make me respect a law that violates my freedom of speech, and
if the feds try to enforce this law on me, I will protect my freedoms, with
force if it ever comes to that. (Hopefully, it won't)

Doug Holland

-- 
----------------------------------------------------------------------------
|  Doug Holland                | Anyone who tries to take away my freedom  |
|  holland@cs.colostate.edu    | of speech will have to pry it from my     |
|  PGP key available by E-mail | cold, dead lips!!                         |

Newsgroup: sci.crypt
document_id: 15660
From: ebrandt@jarthur.claremont.edu (Eli Brandt)
Subject: Re: Do we need the clipper for cheap security?

In article <1r466c$an3@news.intercon.com> amanda@intercon.com (Amanda Walker) writes:
>Agreed.  Remember, I don't even think of Clipper as encryption in any real 
>sense--if I did, I'd probably be a lot more annoyed about it.

I agree with this assessment.  Furthermore, its promotion as
providing greater protection than bare voice is quite true, as far
as it goes.  However, the only way for it to fulfill its stated goal
of letting LE wiretap "terrorists and drug dealers" is to restrict
stronger techniques.  

Wiretap targets presently use strong encryption, weak encryption, or
(the vast majority) no encryption.  The latter two classes can be
tapped.  With weak encryption in every phone, the no-encryption
class is merged into the weak-encryption class.  Will the
introduction of Clipper cause targets presently enjoying strong
privacy to give up on it?  that is, to rely for privacy on a system
expressly designed to deny it to people like them?  I doubt it.  The
mere introduction of this scheme will give the government *nothing*.

The stated goal of preventing the degradation of wiretapping
capabilities can be fulfilled by restriction of domestic
cryptography, and only by this restriction.  "Clipper" appears to be
no more than a sop, given to the public to mute any complaints.  We
would find this a grossly inadequate tradeoff, but I fear the public
at large will not care.  I hate to even mention gun control, but
most people seem to think that an `assault weapon' (as the NYT uses
the word) is some sort of automatic weapon, .50 caliber maybe.  Who
wants to have such a thing legal?  Well, people know even less about
cryptology; I suspect that strong cryptography could easily be
labeled "too much secrecy for law-abiding citizens to need".

>That's not for Clinton (or anyone under him) to say, though.  Only the 
>federal and supreme courts can say anything about the constitutionality.
>Anything the administration or any governmental agency says is opinion at 
>best.

What they say is opinion, but what they do is what matters, and will
continue unless overturned.  And the courts are reluctant to annul
law or regulation, going to some length to decide cases on other
grounds.  Furthermore, Congress can get away with quite a bit.  They
could levy a burdensome tax; this would place enforcement in the
hands of the BATF, who as we've seen you really don't want on your
case.  They could invoke the Commerce Clause; this seems most
likely.  This clause will get you anywhere these days.  The 18th was
required because the Supreme Court ruled a prohibitory statute
unconstitutional.  In 1970 Congress prohibited many drugs, with a
textual nod to the Commerce Clause.  The Controlled Substances
Act of 1970 still stands.  I think the government could get away
with it.

>Amanda Walker

	 PGP 2 key by finger or e-mail
   Eli   ebrandt@jarthur.claremont.edu



Newsgroup: sci.crypt
document_id: 15661
From: amanda@intercon.com (Amanda Walker)
Subject: Re: Would "clipper" make a good cover for other encryption method?

amanda@intercon.com (Amanda Walker) writes:
> I don't get up in arms when 
> the government fails to protect the interests of the people, because in 
> my lifetime it never has--therefore, I have no expectation that it will. 

Just to make sure everyone is clear on this: "it never has" refers to 
"protects", not "fails to protect"; i.e., in my lifetime I have never seen 
the U.S. government consistently protect the interest of U.S. citizens, 
except by accident.


Amanda Walker
InterCon Systems Corporation



Newsgroup: sci.crypt
document_id: 15662
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: Re: Once tapped, your code is no good any more.

res@colnet.cmhnet.org (Rob Stampfli) writes:
>
>Wouldn't a a second monitor of similar type scrolling gibberish and adjacent
>to the one being used provide reasonable resistance to tempest attacks?

It would be in a different location, so a directional antenna could
probably lock in on just the one monitor. Failing that, a phased array
could likely separate the signals. Admittedly, this is expensive, but
so is all the rest of this stuff anyway.

--
Perry Metzger		pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
document_id: 15663
From: arussell@austin.ibm.com (AG Russell)
Subject: Re: Off the shelf cheap DES keyseach machine (Was: Re: Corporate acceptance of the wiretap chip)


In article <1993Apr21.001230.26384@lokkur.dexter.mi.us>, scs@lokkur.dexter.mi.us (Steve Simmons) writes:
> smb@research.att.com (Steven Bellovin) writes:
> 
> >Thousands?  Tens of thousands?  Do some arithmetic, please...  Skipjack
> >has 2^80 possible keys.  Let's assume a brute-force engine like that
> >hypothesized for DES:  1 microsecond per trial, 1 million chips.  That's
> >10^12 trials per second, or about 38,000 years for 2^80 trials.  Well,
> >maybe they can get chips running at one trial per nanosecond, and build
> >a machine with 10 million chips.  Sure -- only 3.8 years for each solution.
> 
> Normally I'd be the last to argue with Steve . . . but shouldn't that
> read "3.8 years for *all* solutions".  I mean, if we can imagine the
> machine that does 1 trial/nanosecond, we can imagine the storage medium
> that could index and archive it.

At the company I worked for previously, I received a file that was DES encrypted
and the person that had sent it went on vacation.  Rather than wait two weeks
I set up a straight frontal attack with one key at a time.  It only took two(2)
days to crack the file.  No, I don't have any faith in DES.

A.G.



-- 
A.G. Russell   Dept A06S  OLTP section of PALS Group   VM ID  SC39093 at AUSVM1
Email  arussell@austin.ibm.com       Phone 512-838-7953        TieLine 678-7953
These are my views, on anyone else they would look silly. FREE THE BERKELEY 4.4

Newsgroup: sci.crypt
document_id: 15664
From: pat@rwing.UUCP (Pat Myrto)
Subject: Re: White House Public Encryption Management Fact Sheet

In article <19APR199313020883@charon.gsfc.nasa.gov> paul@charon.gsfc.nasa.gov (Paul Olson) writes:
>In article <1qnav4$r3l@transfer.stratus.com>, cme@ellisun.sw.stratus.com (Carl Ellison) writes...
>>In article <C5LGAz.250@dove.nist.gov> clipper@csrc.ncsl.nist.gov (Clipper Chip Announcement) writes:
>> 
>>>Further, the Attorney General
>>
> [ ... good post describing what is in store for us deleted ... ]
>
>It's also interesting to note that two months ago Rush Limbaugh said that
>Clinton would have the "plumbers" out in force shortly.  Clinton and his
>henchmen firmly believe in strong ubiquitous government control.  Anytime a
>leader believes in that, the leader will use every means possible to retain
>that control and take more.
>
>WE have to take OUR government back.  Otherwise we will end up living in the
>equivalent of a high-tech third world dictatorship.  We have to take
>responsibility for ourselves, our personal welfare, and our actions.

I totally agree.  But how do you propose we take government back?  They
obviously don't listen to the people or want the people to know who is
responsible for what (a person telnetted the site of the Clipper chip
release, to see what the entity 'clipper' was, and got a few lists.
But when another person tried a bit later, the commands were disabled)
Does not sound like an Administration that wants to have any accountability
or information they don't control given to the people.  The secret
development and implementation of the Clipper Chip decision further
backs that up.  You can bet unauthorized encryption methods and software
will be considered 'terrorist tools' and also subject to civil forfeiture,
along with the systems that are running it.  YOU WATCH, SEE IF I AM WRONG.

The government is not going to be very cooperative about the people taking
it back.  And they have all the resources, unlimited access to the media
for propaganda, and almost all the guns (soon to be ALL the guns if
Clinton's agenda succeeds)...   Those that do not play ball?  Waco
might be a good example of what to expect...  The warrant (just released)
stated the reason for the raid was the BDs spent a very large sum
for weapons, over an undetermined amount of time.  I don't recall
spending a lot of money on guns, etc being illegal ... yet, that is.

Clinton might go down in history as the worst thing to ever happen to
the US of A. ... Now to be known as the 'Peoples Socialist Democratic
Republic of America'  (PSDRA).

Big Brother is LISTENING!!!

Hail Big Brother... (and Sister...?)  only ten years late!!!

-- 
pat@rwing.uucp      [Without prejudice UCC 1-207]     (Pat Myrto) Seattle, WA
         If all else fails, try:       ...!uunet!pilchuck!rwing!pat
WISDOM: "Only two things are infinite; the universe and human stupidity,
         and I am not sure about the former."              - Albert Einstein

Newsgroup: sci.crypt
document_id: 15665
From: cmsph02@nt.com  (Steven Holton)
Subject: Re: Do we need the clipper for cheap security?

In article <1r1f62$rh5@news.intercon.com>, amanda@intercon.com (Amanda
Walker) wrote:
> One thing that Clipper offers is interoperability, at a higher degree of 
> security than we currently have in non-proprietary voice encryption systems.
> This means it will be cheaper than anyone's proprietary scheme, and easier to 
                        ^^^^^^^
Probably cheaper than you think.  I'll bet some of my (and yours)
tax dollars become a subsidy for these chips.  If these chips don't
sell well, what's to stop the US government from 'giving' them
away (in the interest of National Security)?

> deploy.  This is, of course, either a bug or a feature depending on how you 
> look at it :).
> 
> Amanda Walker
> InterCon Systems Corporation

-- 
Steven P. Holton
Network Administrator - RTP FAST
Northern Telecom, Inc.
Replies To:  cmsph02@nt.com
on bounce: [ sholton@aol.com | 70521.2430@compuserve.com ]
 
"Opinions expressed here are my own."

Newsgroup: sci.crypt
document_id: 15666
From: pdc@dcs.ed.ac.uk (Paul Crowley)
Subject: Re: Would "clipper" make a good cover for other encryption method?

Quoting strnlght@netcom.com (David Sternlight) in article <strnlghtC5t3nH.Is1@netcom.com>:
>In article <1993Apr20.032623.3046@eff.org> kadie@eff.org (Carl M. Kadie) writes:
>
>
>>So, don't just think of replacements for clipper, also think of front
>>ends.
>
>This only makes sense if the government prohibits alternative non-escrowed
>encryption schemes. Otherwise, why not just use the front end without
>clipper?

Because that will make private encryption stick out like a sore thumb
and the government will start to take a sharp interest in everything you
do.
  __                                  _____
\/ o\ Paul Crowley   pdc@dcs.ed.ac.uk \\ //
/\__/ Trust me. I know what I'm doing. \X/  Fold a fish for Jesus!

Newsgroup: sci.crypt
document_id: 15667
From: pat@rwing.UUCP (Pat Myrto)
Subject: Re: Once tapped, your code is no good any more.

In article <1993Apr20.161838.13213@coop.com> felixg@coop.com (Felix Gallo) writes:
<pat@rwing.UUCP (Pat Myrto) writes:
<
<>If the Clinton Clipper is so very good, [...]
<
<Please note that Bill Clinton probably has little if anything to do
<with the design, implementation or reasoning behind this chip or behind
<any "moves" being made using this chip as a pawn.

Uh, I notice he has not either asked for or allowed public input, and he damn
sure has not stopped it...

<Remember, when you elect a president of the united states, it's not
<the case that all the Republicans, etc. in the NSA and FBI and CIA
<immediately pack their bags and get replaced by a team of fresh young
<Democrats.  Most of the government -- say, 96% -- is appointed or
<hired rather than elected.  Since this Clipper device has been in
<production for over six months, it probably has little or no 
<foundation in the currently elected Democratic Executive body.

Again, if it was something Clinton didn't like, how come he did not
stop it, or get PUBLIC input before implementing the DECISION?  He
sure has asserted his authority on other things he did not agree with
from the Bush administration, I notice.   He is the president, therefore
he is RESPONSIBLE for the actions of the Executive Branch.  I have
not the slightest bit of doubt you would be holding Bush or Reagan
to that standard had they been in office when this thing was cast into
stone...

<>BTW - those who suggest that this is just an attack on Clinton, believe
<>this:  I would be going ballistic regardless WHO seriously proposed
<>this thing.  It is just another step in a gradual erosion of our rights
<>under the Constitution or Bill of Rights.  The last couple of decades
<>have been a non-stop series of end-runs around the protections of the
<>Constitution.  It has to stop.  Now is as good a time as any, if it
<>isn't too late already.
<
<Could be.  However, the sky hasn't fallen yet, Chicken Little.

Thanks for the name-calling.  That really makes your position highly
credible.  Lenin had a term for folks with your outlook.  Do you REALLY
have THAT MUCH faith in the trustworthiness and honesty of the government
that is primarily concerned with people control?   I suspect you will
be in for an unpleasant surprise.  I would just as soon see this nipped
in the bud while/if it still can be done, instead of waiting for yet
more abridgements of our Bill of Rights, thank you...

-- 
pat@rwing.uucp      [Without prejudice UCC 1-207]     (Pat Myrto) Seattle, WA
         If all else fails, try:       ...!uunet!pilchuck!rwing!pat
WISDOM: "Only two things are infinite; the universe and human stupidity,
         and I am not sure about the former."              - Albert Einstein

Newsgroup: sci.crypt
document_id: 15668
From: pat@rwing.UUCP (Pat Myrto)
Subject: Re: Once tapped, your code is no good any more.

In article <1993Apr19.193528.5655@cs.ucla.edu> geoff@ficus.cs.ucla.edu (Geoffrey Kuenning) writes:
>In article <2073@rwing.UUCP> pat@rwing.UUCP (Pat Myrto) writes:
>
>> fishing expeditions without the target's knowlege.  Don't give up the
>> right to be safe from that - that should be non-negotiable, and Clinton
>> and Co. know it (which is probably why they quietly developed this thing,
>> figuring if they get it this far, they can ram it on through).
>
>It always amazes me how quick people are to blame whatever
>administration is current for things they couldn't possibly have
>initiated.  This chip had to take *years* to develop, yet already
>we're claiming that the Clinton administration sneaked it in on us.
>Bullshit.  The *Bush* administration and the career Gestapo were
>responsible for this horror, and the careerists presented it to the
>new presidency as a fait accompli.  That doesn't excuse Clinton and
>Gore from criticism for being so stupid as to go for it, but let's lay
>the body at the proper door to start with.

You are so correct - Clinton did not initiate it.  He just cast it in
GRANITE by implementing, NOT stopping the DECISION.  I also stated in another
post I don't give a damn what administration does it, I still find it
totally unacceptable, and whoever implements it or rams it down our throats
ought to be run out of office.

Also, Bush was not trying to deprive us of our Second Amendment rights.
Clinton is BUSTING HIS BUTT in that regard.  That reveals a total difference
in philosophy.  Clinton appears to support the idea of TOTAL people
control.  Eavesdropping whenever they feel like it, no real security
for the common person, and no ability to defend oneself against illegal
attack, from whatever source.  "Trust us, we will protect (and control)
you... if we don't find it inconvenient..."

Clinton has also shown his utter contempt for public disclosure and
accountability, as well.  He had plenty of time to change the policy.

HE DIDN'T.  HE EXPANDED ON IT.

I bet had Bush been in office, you would be in there howling louder
than I.

-- 
pat@rwing.uucp      [Without prejudice UCC 1-207]     (Pat Myrto) Seattle, WA
         If all else fails, try:       ...!uunet!pilchuck!rwing!pat
WISDOM: "Only two things are infinite; the universe and human stupidity,
         and I am not sure about the former."              - Albert Einstein

Newsgroup: sci.crypt
document_id: 15669
From: pdc@dcs.ed.ac.uk (Paul Crowley)
Subject: Re: Organized Lobbying for Cryptography

Quoting jgfoot@minerva.cis.yale.edu in article <1r3jgbINN35i@eli.CS.YALE.EDU>:
>Perhaps these encryption-only types would defend the digitized porn if it
>was posted encrypted?

>These issues are not as separable as you maintain.

In fact, since effective encryption makes censorship impossible, they
are almost the same issue and they certainly fall into the brief of the
EFF.
  __                                  _____
\/ o\ Paul Crowley   pdc@dcs.ed.ac.uk \\ //
/\__/ Trust me. I know what I'm doing. \X/  Fold a fish for Jesus!

Newsgroup: sci.crypt
document_id: 15670
From: denning@guvax.acc.georgetown.edu
Subject: REVISED TECHNICAL SUMMARY OF CLIPPER CHIP

Here is a revised version of my summary which corrects some errors
and provides some additional information and explanation.


                     THE CLIPPER CHIP: A TECHNICAL SUMMARY

                               Dorothy Denning

                           Revised, April 21, 1993


INTRODUCTION

On April 16, the President announced a new initiative that will bring
together the Federal Government and industry in a voluntary program
to provide secure communications while meeting the legitimate needs of
law enforcement.  At the heart of the plan is a new tamper-proof encryption
chip called the "Clipper Chip" together with a split-key approach to
escrowing keys.  Two escrow agencies are used, and the key parts from
both are needed to reconstruct a key.


CHIP CONTENTS

The Clipper Chip contains a classified single-key 64-bit block
encryption algorithm called "Skipjack."  The algorithm uses 80 bit keys
(compared with 56 for the DES) and has 32 rounds of scrambling
(compared with 16 for the DES).  It supports all 4 DES modes of
operation.  The algorithm takes 32 clock ticks, and in Electronic
Codebook (ECB) mode runs at 12 Mbits per second.

Each chip includes the following components:

   the Skipjack encryption algorithm
   F, an 80-bit family key that is common to all chips
   N, a 30-bit serial number (this length is subject to change)
   U, an 80-bit secret key that unlocks all messages encrypted with the chip

The chips are programmed by Mykotronx, Inc., which calls them the
"MYK-78."  The silicon is supplied by VLSI Technology Inc.  They are
implemented in 1 micron technology and will initially sell for about
$30 each in quantities of 10,000 or more.  The price should drop as the
technology is shrunk to .8 micron.


ENCRYPTING WITH THE CHIP

To see how the chip is used, imagine that it is embedded in the AT&T
telephone security device (as it will be).  Suppose I call someone and
we both have such a device.  After pushing a button to start a secure
conversation, my security device will negotiate an 80-bit session key K
with the device at the other end.  This key negotiation takes place
without the Clipper Chip.  In general, any method of key exchange can
be used such as the Diffie-Hellman public-key distribution method.

Once the session key K is established, the Clipper Chip is used to
encrypt the conversation or message stream M (digitized voice).  The
telephone security device feeds K and M into the chip to produce two
values:

   E[M; K], the encrypted message stream, and 
   E[E[K; U] + N; F], a law enforcement field,

which are transmitted over the telephone line.  The law enforcement
field thus contains the session key K encrypted under the unit key U
concatenated with the serial number N, all encrypted under the family
key F.  The law enforcement field is decrypted by law enforcement after
an authorized wiretap has been installed.

The ciphertext E[M; K] is decrypted by the receiver's device using the
session key:

   D[E[M; K]; K] = M .


CHIP PROGRAMMING AND ESCROW

All Clipper Chips are programmed inside a SCIF (Secure Compartmented
Information Facility), which is essentially a vault.  The SCIF contains
a laptop computer and equipment to program the chips.  About 300 chips
are programmed during a single session.  The SCIF is located at
Mykotronx.

At the beginning of a session, a trusted agent from each of the two key
escrow agencies enters the vault.  Agent 1 enters a secret, random
80-bit value S1 into the laptop and agent 2 enters a secret, random
80-bit value S2. These random values serve as seeds to generate unit
keys for a sequence of serial numbers.  Thus, the unit keys are a
function of 160 secret, random bits, where each agent knows only 80.
  
To generate the unit key for a serial number N, the 30-bit value N is
first padded with a fixed 34-bit block to produce a 64-bit block N1.
S1 and S2 are then used as keys to triple-encrypt N1, producing a
64-bit block R1:

        R1 = E[D[E[N1; S1]; S2]; S1] .

Similarly, N is padded with two other 34-bit blocks to produce N2 and
N3, and two additional 64-bit blocks R2 and R3 are computed:  

        R2 = E[D[E[N2; S1]; S2]; S1] 
        R3 = E[D[E[N3; S1]; S2]; S1] .

R1, R2, and R3 are then concatenated together, giving 192 bits. The
first 80 bits are assigned to U1 and the second 80 bits to U2.  The
rest are discarded.  The unit key U is the XOR of U1 and U2.  U1 and U2
are the key parts that are separately escrowed with the two escrow
agencies.

As a sequence of values for U1, U2, and U are generated, they are
written onto three separate floppy disks.  The first disk contains a
file for each serial number that contains the corresponding key part
U1.  The second disk is similar but contains the U2 values.  The third
disk contains the unit keys U.  Agent 1 takes the first disk and agent
2 takes the second disk.  Thus each agent walks away knowing
an 80-bit seed and the 80-bit key parts.  However, the agent does not
know the other 80 bits used to generate the keys or the other 80-bit
key parts.  

The third disk is used to program the chips.  After the chips are
programmed, all information is discarded from the vault and the agents
leave.  The laptop may be destroyed for additional assurance that no
information is left behind.
 
The protocol may be changed slightly so that four people are in the
room instead of two.  The first two would provide the seeds S1 and S2,
and the second two (the escrow agents) would take the disks back to
the escrow agencies. 

The escrow agencies have yet to be determined, but they will not
be the NSA, CIA, FBI, or any other law enforcement agency.  One or
both may be independent from the government.


LAW ENFORCEMENT USE

When law enforcement has been authorized to tap an encrypted line, they
will first take the warrant to the service provider in order to get
access to the communications line.  Let us assume that the tap is in
place and that they have determined that the line is encrypted with the
Clipper Chip.  The law enforcement field is first decrypted with the
family key F, giving E[K; U] + N.  Documentation certifying that a tap
has been authorized for the party associated with serial number N is
then sent (e.g., via secure FAX) to each of the key escrow agents, who
return (e.g., also via secure FAX) U1 and U2.  U1 and U2 are XORed
together to produce the unit key U, and E[K; U] is decrypted to get the
session key K.  Finally the message stream is decrypted.  All this will
be accomplished through a special black box decoder.


CAPSTONE: THE NEXT GENERATION

A successor to the Clipper Chip, called "Capstone" by the government
and "MYK-80" by Mykotronx, has already been developed.  It will include
the Skipjack algorithm, the Digital Signature Standard (DSS), the
Secure Hash Algorithm (SHA), a method of key exchange, a fast
exponentiator, and a randomizer.  A prototype will be available for
testing on April 22, and the chips are expected to be ready for
delivery in June or July.


ACKNOWLEDGMENT AND DISTRIBUTION NOTICE.  This article is based on
information provided by NSA, NIST, FBI, and Mykotronx.  Permission to
distribute this document is granted.
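The Python model below is an added worked example; it is not part of Denning's
summary and not Clipper, Mykotronx or AT&T code.  It walks through the three
stages described above with the summary's own symbols (S1, S2, N, U1, U2, U, K,
F and the law enforcement field E[E[K; U] + N; F]) and finishes with a law
enforcement decryption that needs F plus the two escrowed halves.  Skipjack is
classified, so a 64-bit Feistel cipher built on SHA-256 stands in for E and D;
the three 34-bit pad constants, the block layouts, the counter mode used for M
and every key value are constructed assumptions, marked as such in the code.
The tamper flag also shows what happens when logic sitting between the chip
and the line alters the transmitted field, a situation raised later in this
thread: the receiver, which only needs K, is unaffected, while the pad bits
above N no longer decrypt to zero and the escrow lookup is refused.

```python
"""Toy model of the Clipper escrow flow as Denning's summary describes it.
Added example, not from the original posting.  Skipjack was classified, so a
64-bit Feistel cipher built from SHA-256 stands in for E[ ; ] and D[ ; ]
(ASSUMPTION: a stand-in, not Skipjack).  80-bit keys, the 30-bit N, 34-bit
pads, the triple encryption and U = U1 xor U2 follow the text; pad constants,
block layouts, the mode used for M and all key values are constructed here."""
import hashlib

KEY_BITS, SERIAL_BITS = 80, 30
M64 = (1 << 64) - 1
PADS = (0x2AAAAAAAA, 0x155555555, 0x3FFFFFFFF)   # ASSUMPTION: arbitrary 34-bit pads

def _f(half: int, key: int, rnd: int) -> int:
    """Keyed round function of the stand-in Feistel cipher (32-bit in, 32-bit out)."""
    data = half.to_bytes(4, "big") + key.to_bytes(10, "big") + bytes([rnd])
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

def E(block: int, key: int) -> int:
    """Encrypt one 64-bit block under an 80-bit key (32 Feistel rounds)."""
    left, right = block >> 32, block & 0xFFFFFFFF
    for rnd in range(32):
        left, right = right, left ^ _f(right, key, rnd)
    return (right << 32) | left

def D(block: int, key: int) -> int:
    """Inverse of E: the same rounds in reverse order."""
    left, right = block >> 32, block & 0xFFFFFFFF
    for rnd in reversed(range(32)):
        left, right = right, left ^ _f(right, key, rnd)
    return (right << 32) | left

def ecb(value: int, nblocks: int, key: int, fn) -> int:
    """Apply fn (E or D) to each 64-bit block of an nblocks*64-bit integer."""
    out = 0
    for i in range(nblocks):
        out = (out << 64) | fn((value >> (64 * (nblocks - 1 - i))) & M64, key)
    return out

def generate_unit_key(serial: int, s1: int, s2: int):
    """CHIP PROGRAMMING: (U1, U2, U) for serial N from the two agents' seeds."""
    r = 0
    for pad in PADS:                            # N_i = 34-bit pad || 30-bit N
        n_i = (pad << SERIAL_BITS) | serial
        r = (r << 64) | E(D(E(n_i, s1), s2), s1)   # R_i = E[D[E[N_i;S1];S2];S1]
    u1 = r >> 112                               # first 80 of the 192 bits
    u2 = (r >> 32) & ((1 << KEY_BITS) - 1)      # next 80; the last 32 are discarded
    return u1, u2, u1 ^ u2

def make_leaf(k: int, u: int, serial: int, f: int) -> int:
    """ENCRYPTING WITH THE CHIP: law enforcement field E[E[K; U] + N; F]."""
    ek_u = ecb(k << 48, 2, u, E)                # 80-bit K padded into two blocks
    return ecb((ek_u << 64) | serial, 3, f, E)  # E[K;U] || N in a 64-bit block, under F

def open_leaf(leaf: int, f: int):
    """LAW ENFORCEMENT USE, first step: decrypt with F, giving (E[K; U], N)."""
    inner = ecb(leaf, 3, f, D)
    return inner >> 64, inner & M64

def stream_xor(data: bytes, k: int) -> bytes:
    """E[M; K] and D[E[M; K]; K]: counter-mode keystream from the block cipher."""
    out = bytearray()
    for i in range(0, len(data), 8):
        ks = E(i // 8, k).to_bytes(8, "big")
        out += bytes(a ^ b for a, b in zip(data[i:i + 8], ks))
    return bytes(out)

def law_enforcement_decrypt(leaf, ciphertext, f, escrow1, escrow2):
    """LAW ENFORCEMENT USE: N -> U1, U2 from the escrow agents -> U -> K -> M.
    The 34 zero bits above N serve as a pad check; an altered field fails it."""
    ek_u, serial = open_leaf(leaf, f)
    if serial >> SERIAL_BITS:
        raise ValueError("field does not decrypt to a valid serial number")
    u = escrow1[serial] ^ escrow2[serial]        # U = U1 xor U2
    k = ecb(ek_u, 2, u, D) >> 48                 # K = D[E[K; U]; U]
    return serial, stream_xor(ciphertext, k)

def run_demo(tamper: bool = False) -> dict:
    """Whole flow on constructed values; tamper=True flips a bit of the field in transit."""
    s1, s2 = 0x0123456789ABCDEF0123, 0xFEDCBA9876543210FEDC   # agents' seeds S1, S2
    f = 0x0F0E0D0C0B0A09080706                                  # family key F
    escrow1, escrow2, chips = {}, {}, {}
    for serial in range(5):                                     # one programming session
        escrow1[serial], escrow2[serial], chips[serial] = generate_unit_key(serial, s1, s2)
    serial, k = 3, 0xA5A5A5A5A5A5A5A5A5A5         # K is negotiated outside the chip
    message = b"constructed digitized voice sample"
    ciphertext = stream_xor(message, k)
    leaf = make_leaf(k, chips[serial], serial, f)
    if tamper:
        leaf ^= 1 << 5                             # spoof logic alters the N block on the line
    receiver = stream_xor(ciphertext, k)           # the far end needs only K, not the field
    try:
        n, le_plain = law_enforcement_decrypt(leaf, ciphertext, f, escrow1, escrow2)
    except ValueError:
        n, le_plain = None, None
    return {"message": message, "receiver": receiver, "serial": n, "law_enforcement": le_plain}
```

Call run_demo() and run_demo(tamper=True): the receiver's copy of M comes back
whole in both runs, while the escrow-assisted decryption succeeds only when
the field arrives exactly as the chip produced it.  The model reflects the
summary as written: it has no checksum inside the field and does not require
the receiving chip to validate the field before decrypting, both of which the
text leaves open.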


    

Newsgroup: sci.crypt
document_id: 15671
From: ns111310@LANCE.ColoState.Edu (Nathaniel Sammons)
Subject: Re: I have seen the lobby, and it is us

In article <1993Apr21.163929.21149@eff.org> A. Charles Gross <acg@eff.org> writes:
>Certainly, with our way-cool Internet powers of
>organization, we can act in the same way, if such action is appropriate.
>
>As long as we are kept informed of events, anyone on this bboard can make
>a call to action.  Hopefully, we're a strong enough community to act on
>those calls.  I realize this is a little optimistic, and I'm glad EFF is
>working in the loop on these issues, but don't underestimate the
>potential of the net for political action.
>
>Adam
>* I speak for myself

I second the motion.

All in favor?

BTW>> a few days ago, Charles Fee <CXF111@psuvm.psu.edu> posted the names,
addresses, and phone numbers (voice and fax) of almost all the 103rd 
congress's members.  This info, along with a great number of cabinet men, etc...
I captured it, as did many others, I am sure.

We should single out a few of the people on the list, and bombard them 
with lobbying against the Clipper Chip, et al.

-nate


o---------------------------+======================================o
| "I hate quotations.       |     This message brought you by      |
|   Tell me what you know." |   Nate Sammons, and the number 42.   |
|    --Ralph Waldo Emerson  |  ns111310@longs.lance.colostate.edu  |
o---------------------------+======================================o

Newsgroup: sci.crypt
document_id: 15672
From: ariel@world.std.com (Robert L Ullmann)
Subject: Re: Why the algorithm is secret

Exactly.

But I'll add another observation: if the chip does become a standard,
the algorithm won't _remain_ secret.

Leaving the government with the only remaining option: to make use
of un-escrowed keys illegal. Which won't begin to bother the terrorists
and child abusers the government is so fond of referring to.

Note that the Federalist papers stress _one_ reason for the right
of citizens to bear arms: to defend themselves _against_ the army.
_Our_ army.

IMHO the _primary_ purpose of private crypto is to defend ourselves
_against_ the government. The odd terrorist I'm not worried about;
the government damages my quality of life every day.

Rob
--
Robert Ullmann		Ariel@World.STD.COM	+1 508 879 6994 x226
Quand Maigret poussa la porte du Tabac Fontaine, vers une heure et demie,
le patron du bar, qui venait de se lever, descendait lentement un escalier
en colimaçon qui s'amorçait dans l'arrière-salle. ... Arrivé derrière le
comptoir, il repoussa le garçon d'un geste négligent de la main, saisit
une bouteille de vin blanc, un verre, mélangea au vin de l'eau minérale et,
la tête renversée en arrière, se gargarisa.  -- Simenon
[text is ISO 10646 UTF-1 universal character set]
[English: When Maigret pushed open the door of the Tabac Fontaine, at about
half past one, the owner of the bar, who had just got up, was slowly coming
down a spiral staircase that started in the back room. ... Once behind the
counter, he pushed the waiter aside with a careless wave of the hand, grabbed
a bottle of white wine and a glass, mixed mineral water into the wine and,
head tipped back, gargled.]

Newsgroup: sci.crypt
document_id: 15673
From: carl@lvsun.com (Carl Shapiro)
Subject: Re: Estimating Wiretap Costs/Benefits

In article <1993Apr20.203756.20667@kronos.arc.nasa.gov> hanson@kronos.arc.nasa.gov (Robin Hanson) writes:
>A rough estimate suggests that wiretaps are worth about five million
>dollars per year to U.S. law enforcement agencies.  (In 1990, 872 U.S.
>wiretaps led to 2057 arrests, while total police expenditures of $28
>billion led to 11.25 million arrests [ref US Statistical Abstracts].)
>I'm working on estimating this wiretap benefit more accurately, but

You seem to be assuming that all arrests are of equal value, and that
the use of wiretaps is spread uniformly among them.

Given this comparatively tiny number of wiretaps, and the associated
difficulty and cost involved (judges, technicians, etc) I expect that
law enforcement reserves the use of wiretaps for the most valuable
cases.  Since the "value" of an arrest can vary over an enormous range
(eg. jaywalking -> mass murder) I think your $5 million estimate may
be too low by a couple of orders of magnitude.

Newsgroup: sci.crypt
document_id: 15674
From: ebrandt@jarthur.claremont.edu (Eli Brandt)
Subject: Re: The [secret] source of that announcement

In article <1r3hgqINNdaa@uwm.edu> Rick Miller <rick@ee.uwm.edu> writes:
>jbotz@mtholyoke.edu (Jurgen Botz) writes:
>>Seems like sombody didn't like your snooping around, Marc.
>
>Or, the more *likely* explanation is that Marc is spoofing.

While I didn't try the expansion personally, I know of at least two
other people who did and got the same results.  Your allegation is
incorrect at best.

	 PGP 2 key by finger or e-mail
   Eli   ebrandt@jarthur.claremont.edu

Newsgroup: sci.crypt
document_id: 15675
From: mrr@scss3.cl.msu.edu (Mark Riordan)
Subject: DOS 6.0 compression API: partial answer

For those of you looking for information on MS-DOS 6.0's
file system compression API:

Today I called Microsoft's DOS 6.0 hotline at (800)228-7007.
They told me that the DOS 6.0 Resource Kit had the specifications
for the compression interface.  The Resource Kit costs $19.95,
plus tax and $5 shipping.

I ordered a copy and will post further when I get it and know more
about it.  I am posting now because the order turnaround is 15 
working days.  

If anyone knows for sure where there's a good
source of info on this API, please speak up.  I am 
slightly skeptical about the Resource Kit's likelihood
of having detailed programming info.

Mark R.  mrr@ripem.msu.edu

(posted also to sci.crypt, since the API could presumably also
be used for file system encryption.)

Newsgroup: sci.crypt
document_id: 15676
From: eachus@spectre.mitre.org (Robert I. Eachus)
Subject: Re: Off the shelf cheap DES keysearch machine (Was: Re: Corporate acceptance of the wiretap chip)


      Don't get fooled by exponents 2^80 (possible keys) is not in the
same league with 10^80 (particles in the universe).  2^80 < 10^25.
Remember Avogadro's number?  There are about that many elementary
particles (not molecules) in one mole.  Pretty small universe!  Or if
you can put 5 Gigabytes on one tape, you would need about 10 trillion
tapes (allowing several bytes per entry).  Still more than all of the
existing magnetic media on the planet, but wait a few years.  (I'm
including existing audio and video cassettes in the total.  Ten
trillion is about 2,000 per person worldwide...  Gives new meaning to
the suspicions of hidden messages.)

--

					Robert I. Eachus

with Standard_Disclaimer;
use  Standard_Disclaimer;
function Message (Text: in Clever_Ideas) return Better_Ideas is...

Newsgroup: sci.crypt
document_id: 15677
From: dcd@se.houston.geoquest.slb.com (Dan Day)
Subject: Re: The Escrow Database.

In article <1993Apr20.021846.2423@shearson.com> pmetzger@snark.shearson.com (Perry E. Metzger) writes:
>
>each of the two escrow databases. Fits conveniently on a single very
>valuable Exabyte tape. This can only get easier with time, but who
>cares -- I can already hold all the clipper keys in the country in my
>pocket on two 8mm tapes.

Excellent point, and there's a related point I'd like to make.
They'll have to back up these databases themselves, won't they?
How many tape copies will there be, and how secure will the
tapes be?  If they store them off-site, it wouldn't be too
hard to hijack them in transit.  If they're all kept on-site,
one good bomb attack by some group intent on freeing us from
the threat of government snooping will take care of the problem
once and for all.  I can see it now -- "Hi, we're from the
government and we, um, misplaced our copy of your key.  Could
you mail us a copy?"

Newsgroup: sci.crypt
document_id: 15678
From: ebrandt@jarthur.claremont.edu (Eli Brandt)
Subject: Re: Would "clipper" make a good cover for other encryption method?

In article <1993Apr20.032623.3046@eff.org> kadie@eff.org (Carl M. Kadie) writes:
>Clipper might be a good way to cover the use of another layer of
>encryption.

Could somebody provide an overview of the proposed systems using the
chip?  (Ought to see if ATT has a spec sheet)  Skipjack sounds like a
normal digital encryption algorithm, so the data path will have to be
	voice --> digitize --> compress --> encrypt 
Compression will be necessary to fit the data on the wire, unless
they want to wait for ISDN (that we should be so lucky...).  Feeding
pre-encrypted data into the compressor will cause it to chuckle at
you; you'd have to tap into the guts of the phone and hack either
the compressed data stream, or selected parts of the output stream
before it hits the modem.  Unless you want to pay for two fast
modems on top of the encryption, and just plug the box in between
your phone and the wall.

>- Carl

	 PGP 2 key by finger or e-mail
   Eli   ebrandt@jarthur.claremont.edu


Newsgroup: sci.crypt
document_id: 15679
From: habs@panix.com (Harry Shapiro)
Subject: Re: The [secret] source of that announcement

In <1r1om5$c5m@slab.mtholyoke.edu> jbotz@mtholyoke.edu (Jurgen Botz)
writes:

>Even more interesting: the SMTP server at csrc.ncsl.nist.gov no longer
>recognizes the 'expn' and 'vrfy' commands...

>   telnet csrc.ncsl.nist.gov smtp
>   Trying 129.6.54.11...
>   Connected to csrc.ncsl.nist.gov.
>   Escape character is '^]'.
>   220 first.org sendmail 4.1/NIST ready at Tue, 20 Apr 93 17:01:34 EDT
>   expn clipper
>   500 Command unrecognized

>Seems like sombody didn't like your snooping around, Marc.

Then it is a good thing we already have this:

The csspub mailing list: csspab@mail-gw.ncsl.nist.gov, and address on
the clipper mailing list, seems to contain basically the members of
the NIST security board.

In addition to the names already posted, their true names are as
follows:

burrows@ecf = James Burrows a director of NIST's National Computer
Systems Laboratory

mcnulty@ecf = F. Lynn McNulty an associate director for computer
security at the National Institute of Standards and Technology's
Computer Systems Laboratory

Gangemi@dockmaster.ncsc.mil = Gaetano Gangemi is director of the
secure systems program at Wang Laboratories Inc. He wrote: Computer
Security Basics by Deborah Russell and G. T.  Gangemi, Sr. -1991,
O'Reilly and Associates

slambert@cgin.cto.citicorp.com = Sandra Lambert is vice-president of
information security at Citibank, N.A.

lipner@mitre.org = Lipner is Mitre Corp.'s director of information
systems.

gallagher@dockmaster.ncsc.mil = Patrick Gallagher, director of the
National Security Agency's National Computer Security Center and a
security board member

walker@tis.com = Stephen Walker a computer security expert and
president of Trusted Information Systems, Inc. in Glenwood, Md

willis@rand.org = Willis H. Ware, the Rand Corp. executive who
chairs the security board.

whitehurst@vnet.ibm.com = William Whitehurst is a security board
member and director of IBM Corp.'s data security programs.

-- 
Harry Shapiro  				      habs@panix.com
List Administrator of the Extropy Institute Mailing List
Private Communication for the Extropian Community since 1991


Newsgroup: sci.crypt
document_id: 15680
From: tfs@gravity.gmu.edu (Tim Scanlon)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]



	After reading the debate over the Clipper, I have a few things to
add.

	First, most of the people I know who actively use encryption
privately do not care about most of the issues that surround this debate,
and any questions about what is or is not ok to use in the US. All they
care about is whether or not what they are using is secure. That,
after all, IS the bottom line. 

	Second, if I look at all the people I know who use any form
of encryption at all, and this group spans people from the morons who
still insist that the DES is a good and secure standard, to people 
looking at trying to improve upon existing strategies, I can not think
of anyone of them who would approve blindly of a strategy that leaves
their methods open to abuse. The Clipper does this, because people make
mistakes by nature, and the US government is made up of people who are
just as vulnerable to mistakes as everyone else. 

	Third, since most of the people I know are at least marginally
familiar with the vulnerabilities present in current software encryption
strategies, I can't see how most of them are going to blindly trust that
someone will not figure out a good way to compromise the Clipper Chip.
That despite any strengths or weaknesses that may exist in it. So, I can 
not see a high degree of confidence developing in the chip.

	Fourth, when it comes to criminal abuse, sure there are many stupid
people out there. And yes, some will be open to being caught via the 
built in back door of the Clipper Chip. However, anyone who is going to
do any serious investigation of how best to secure their data is going
to run into that problem pretty damned fast and, I would assume, start
looking around for other easily obtainable methods of encryption. 


	If nothing else were available, none of this would be an issue. However,
the truth is that most private encryption users that I've ever run into
simply do not give a damn about the legal status of RSA or PGP or anything
else. If it works, they use it. This is not going to change either. I do
not think for a moment that anyone with serious criminal intent will be
slowed down by the advent of the Clipper Chip. It is all too easy to 
convert encrypted data into unintelligible garbage as it is; if anything,
the Clipper Chip just adds another tool to the user.


	The bottom line here is that people will use what works, and
unavoidably, I'm sure most criminals would rather face an encryption
related charge than one which could potentially lead to death penalty
charges in the case of criminals who murder as part of their conspiracy.
	The other thing that has struck me since the advent and wide 
usage of public encryption has begun is that quite simply the cat is
out of the bag (Or if you have an interest in snooping, Pandora's Box
has been opened), and this is not going to change. I've seen a blindness
to this that I've found utterly stunning, and the Clipper Chip, along
with the way it has been presented only confirms this to me to a larger
degree.


			Sincerely,

			Tim Scanlon

-- 

tfs@gravity.gmu.edu

Newsgroup: sci.crypt
document_id: 15681
From: ebrandt@jarthur.claremont.edu (Eli Brandt)
Subject: Re: Estimating Wiretap Costs/Benefits

In article <rlglendeC5t133.En3@netcom.com> rlglende@netcom.com (Robert Lewis Glendenning) writes:
>First, what the fuck is NASA doing wasting my tax dollars doing
>policy papers on stuff far outside of their purview/mission?

I don't think they're paying for it.

>Do us a favor.  Resign rather than write this paper for NASA.  Go
>do useful work for the society.

Useful?  I find his estimate of the annual value to law enforcement
of $5 million quite useful, if rough (e.g. wiretaps may be
preferentially used on otherwise-hard-to-catch criminals, resulting
in an underestimate).  This comes to twenty cents a head over the
U.S. population.  I would find some rigorous numbers on this quite
useful -- it would make for nice slogans: "Your privacy is worth
$0.37", or whatever it turns out to be.

>Lew Glendenning		rlglende@netcom.com

	 PGP 2 key by finger or e-mail
   Eli   ebrandt@jarthur.claremont.edu



Newsgroup: sci.crypt
document_id: 15682
From: makey@VisiCom.COM (Jeff Makey)
Subject: Re: Once tapped, your code is no good any more.

In article <C5so84.Hxv@demon.co.uk> Graham Toal <gtoal@gtoal.com> writes:
>I am *completely* baffled by why Dorothy Denning has chosen
>to throw away her academic respectability like this.

She hasn't.  Dorothy Denning has spent many years earning the
professional respect of her colleagues, and something won in this
manner is not easily lost.  Her support of the clipper -- no matter
how unpopular that position may be -- serves far more to enhance the
clipper's respectability than to diminish her own.

                           :: Jeff Makey

Department of Tautological Pleonasms and Superfluous Redundancies Department
    Disclaimer: All opinions are strictly those of the author.
    Domain: makey@VisiCom.COM    UUCP: nosc!visicom!makey

Newsgroup: sci.crypt
document_id: 15683
From: koontzd@phobos.lrmsc.loral.com (David Koontz )
Subject: Will FEDs troll for mutilated law enforcement blocks?

From Denning:

   the Skipjack encryption algorithm
   F, an 80-bit family key that is common to all chips
   N, a 30-bit serial number
   U, an 80-bit secret key that unlocks all messages encrypted with the chip

   E[M; K], the encrypted message stream, and 
   E[E[K; U] + N; F], a law enforcement block.  

Where the session key is K, and is transmitted encrypted in the unit Key U.
Which along with the serial number N is encrypted in the Family key F.

Presumably the protocol can be recovered (if by nothing else, differential
analysis).

Postulate if you will, a chip (or logic) sitting between the clipper chip
and its communications channel.  The function of this spoof chip is twofold:
    
	1) Transmit Channel

	    The spoof chip XORs the 30 bit encrypted serial number with
	    a secondary keying variable.  This renders the serial number
	    unrecoverable with just the family key

	2) Receive Channel

	    The spoof chip XORs the incoming encrypted serial number
	    with a secondary keying variable (assuming integrity of the
	    law enforcement block is necessary for local operation -
	    checksums, sequence control, etc.).

This has the net result of hiding the serial number.  It is probable there is
a known plaintext pattern used as a filler in the block containing N (34 bits,
as used in generating U, U1, U2); if so, correctness of the law enforcement block
can be determined with only the family key F.  Whereas no one has proposed
that Federal Agencies be denied F, and because they could recover it themselves,
the correctness of the serial number can be tested by examining the pad bits
of N in E[N; F].

One could selectively alter the law enforcement block as above, but the
mutilation could be detected.  A better approach would be to mutilate the
entire law enforcement block.  If it were done with a group encryption scheme
such as DES or (presumably) Skipjack, the chances the law enforcement block
can be recovered are lessened.

What do you want to bet the transmission protocol can be recognized and the
serial numbers decrypted in a target search?  When digital transmission
becomes widely available, would there be a requirement that clipper protocol
transmissions be refused when containing mutilated law enforcement blocks?

One way to avoid notice, would be to spoof protocol information of the block
containing M, as well as spoofing the law enforcement block.

The goal is to use a secure communications scheme, without redress to 
detection or key K interception (contained encrypted within the law
enforcement block).  The data stream is returned to its original state
for use by the clipper chip (or system) if required, for proper operation.

It is somewhat improbable that the entire protocol will be contained within
the clipper chip, yet likely that sequence of events will be tested for,
requiring a valid law enforcement block to be received before accepting
and decrypting E(M; K);

The spoof chip could be implemented anywhere in the protocols, including
on the resulting serial data stream.  Existing clipper products could
be suborned.  After all, they are high security encryption systems, right?

Super encipherment/encryption could allow the chip to be used without
redress to detection of the use of the chip, or disclosure of the serial
number.  Security must be adequate to deny the serial number, which should
not be recoverable by other means.  One can see the use of cut outs for
procuring clipper phones, or once the number of units is high enough,
stealing them.  It would be a mistake on the part of authority, but nice
from a point of privacy, if the serial number N were not associated with
a particular clipper chip or lot of chips through the manufacturing and
distribution process.  Hopefully the list of known missing or stolen
clipper serial numbers N encrypted with F, and the protocols are not
sufficient plaintext to attack the super encrypted clipper stream.
This could be further made difficult by altering the temporal and/or
spatial relationship of the clipper stream to that of the super encrypted
stream.

Detection of an encrypted stream could tip off the use of the aforementioned
scheme.

******************************************************************************

If you could capture valid law enforcement blocks not your own, and use
them in a codebook substitution with your own, where they point to a valid
law enforcement block stored in a library utilizing a session key matching
the remainder of the transmission, you could simply out and out lie, yet
deliver to monitoring and/or hostile forces a seemingly valid law enforcement
block.  These captured law enforcement blocks would be used as authenticators,
such as in a manually keyed encryption system.  Fending this off would require
escalation in examining the protocols and blocks in the transmission.

The M code stream might be independently attacked based on knowledge of
clipper chip protocols as revealed plaintext.  This could be invalidated
by changing the temporal and/or spatial relationship of the clipper M stream
and the actual transmitted stream, under the control of a secure key
generator synchronized between endpoints.

The useful life time of captured law enforcement blocks might be limited
based on hostile forces using them as targets following transmission
interception.  You would need a large number of them, but, hey there's
supposed to be millions of these things, right?  Adding time stamps to
the encrypted law enforcement block is probably impractical, who wants
an encryption chip with a real time clock?

*****************************************************************************

The entire idea of the law enforcement block can be invalidated.

Newsgroup: sci.crypt
document_id: 15684
From: koontzd@phobos.lrmsc.loral.com (David Koontz )
Subject: Re: Will FEDs troll for mutilated law enforcement blocks?

I just had the thought that you could capture your own law enforcement blocks
for session keys K that you will not use in actual transmissions as
the session key authenticators.  The proviso is that you don't mind your own
serial number being discovered.

d. denning just sent out further information of a new version of the clipper
chip.  If a hash function were to be embedded in a clipper M transmission
block reflecting the law enforcement block, it better not fall on 64 bit block
boundaries.  If it were a recognizable datum, you could lie with it too.

I like the randomizer inclusion in the MYK-80.  I remember reading that
Intel had an approved random noise source on silicon, hence the ability
to put it Inside.

You ever think that Mykotronx sounds like one of those made up names of 
companies used as fronts for intelligence organizations?


Newsgroup: sci.crypt
document_id: 15685
From: tuinstra@signal.ece.clarkson.edu.soe (Dwight Tuinstra)
Subject: political point of attack: Clipper infrastructure

My earlier argument that "Clipper will encourage state and local cops 
to commit criminal acts" is largely moot, now that we've learned that 
the FBI will perform the actual tap.  [It will encourage the *FBI* to
commit (even more) criminal acts, but that's not the point here.]

But this gives another avenue of attack on the Clipper proposal.  When
the EFF/ACLU/CPSR FOIA requests are made, they should ask for details
on the bureaucratic and equipment infrastructure that is proposed (or 
even already budgeted) for the FBI to service tapping requests -- for now
and the projected future. 

From these figures, estimate the number of Clipper-tap requests the FBI
is expecting.  Publish this figure.  Compare it on a per-capita basis
with the amount of tapping now known or suspected.

Also estimate how expensive it would be for the FBI to install more
Clipper-tapping stations, and how rapidly they could be built and
installed ... i.e., get the "plus or minus" epsilon for the near future.

Might be a mite disturbing for J. Q. Public to know these things.

And despite all the technical details [BTW, thanks to those who've been
providing them!], we still don't know 

1) how the tapping requests will be transmitted and authenticated (though
   it isn't too hard to guess a good scheme).

2) how the results will be securely transmitted (Fed Ex the audio tapes?)

3) how privacy will be re-established when an investigation is complete.

+========================================================================+
|  dwight tuinstra             best:  tuinstra@sandman.ece.clarkson.edu  |
|                         tolerable:  tuinstrd@craft.camp.clarkson.edu   |
|                                                                        |
|        "Homo sapiens: planetary cancer??  ...  News at six"            |
+========================================================================+

Newsgroup: sci.crypt
document_id: 15686
From: smb@research.att.com (Steven Bellovin)
Subject: Re: Clipper will corrupt cops (was WH proposal from Police point of view)

In article <1993Apr21.041033.16550@news.clarkson.edu>, tuinstra@signal.ece.clarkson.edu.soe (Dwight Tuinstra) writes:
> The clear implication is that there are "legal" authorizations other
> than a court order.  Just how leaky are these?

I don't have the wiretap statute handy.  But here's what the law says
on pen registers.  This is all from Title 18 of the U.S. Code.  Note
how vague S. 3125(a)(1)(B) is....  I haven't had a chance to check
out 50 U.S.C. 1801 yet.

----

18 USC  S. 3121 Pen Registers (as of 4/93)


S. 3121. General prohibition on  pen register  and trap and trace device
use; exception

   (a) In general. Except as provided in this section, no person may
install or use a  pen register  or a trap and trace device without first
obtaining a court order under section 3123 of this title or under the
Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.).

.....

S. 3125.  Emergency  pen register  and trap and trace device
installation

   (a) Notwithstanding any other provision of this chapter , any
investigative or law enforcement officer, specially designated by the
Attorney General, the Deputy Attorney General, the Associate Attorney
General, any Assistant Attorney General, any acting Assistant Attorney
General, or any Deputy Assistant Attorney General, or by the principal
prosecuting attorney of any State or subdivision thereof acting pursuant
to a statute of that State, who reasonably determines that--

   (1) an emergency situation exists that involves--

   (A) immediate danger of death or serious bodily injury to any person;
or

   (B) conspiratorial activities characteristic of organized crime,

   that requires the installation and use of a  pen register  or a trap
and trace device before an order authorizing such installation and use
can, with due diligence, be obtained, and

   (2) there are grounds upon which an order could be entered under this
chapter to authorize such installation and use "may have installed and
use a  pen register  or trap and trace device if, within forty-eight
hours after the installation has occurred, or begins to occur, an order
approving the installation or use is issued in accordance with section
3123 of this title."

   (b) In the absence of an authorizing order, such use shall
immediately terminate when the information sought is obtained, when the
application for the order is denied or when forty-eight hours have
lapsed since the installation of the  pen register  or trap and trace
device, whichever is earlier.

   (c) The knowing installation or use by any investigative or law
enforcement officer of a  pen register  or trap and trace device
pursuant to subsection (a) without application for the authorizing order
within forty-eight hours of the installation shall constitute a
violation of this chapter.


Newsgroup: sci.crypt
document_id: 15687
From: smb@research.att.com (Steven Bellovin)
Subject: Re: Clipper considered harmful

In article <1r24us$oeh@agate.berkeley.edu>, shirriff@sprite.berkeley.edu (Ken Shirriff) writes:
> Imagine archiving all pay-phone conversations, so if someone turns out
> to be a drug dealer, you can listen to all their past drug deals.  And
> archive calls to/from suspected Mafia members, potential terrorists,
> radicals, etc.  Imagine the convenience for the police of being able to
> get a warrant now and listening to all the calls the World Trade Center
> bombers made in the past year.
> 
> Since archiving would be such a powerful tool and so easy to do, why
> wouldn't it happen?

Apart from the storage and search requirements, because the evidence
is inadmissible:  wiretaps require a warrant.  And as soon as one
such case comes to light, all previous cases are likely to be discovered,
and thrown out.  There was an article in the NY Times a few months ago
about how many convictions in the state might be invalidated because
they relied on pen registers -- and the Court of Appeals ruled that
pen registers were equivalent to wiretaps, and hence required warrants
under New York law.

Newsgroup: sci.crypt
document_id: 15688
From: eab@msc.edu (Edward Bertsch)
Subject: Re: I have seen the lobby, and it is us

I agree that notifying your elected officials of your feelings on this
(and any other, for that matter) issue is the way to go.  And by the
way, the phone #s on the list posted the other day were all in Washington
D.C.  --  For most of you, your elected officials will also maintain
a local office in your area code.

When I 'manage' my elected officials, I use their local office #'s
exclusively, and my fax modem and windows-print-capture software are
my tool of choice.  They see my words as I have stated them, rather
than a summary as they would if I called in /voice/ and left a
comment with the office staff.


-- 
Edward A. Bertsch (eab@msc.edu)   Minnesota Supercomputer Center, Inc.
Operations/User Services          1200 Washington Avenue South
(612) 626-1888 work               Minneapolis, Minnesota  55415
(612) 645-0168 voice mail         [DISCLAIMER: MY OPINIONS; NOT MSCI'S]

Newsgroup: sci.crypt
document_id: 15689
From: Marc VanHeyningen <mvanheyn@cs.indiana.edu>
Subject: Re: freely distributable public key cryptography c++ code:  where?

Thus said ee92jks@brunel.ac.uk (Jonathan K Saville):
>D. Wigglesworth (smhanaes@gpu.utcc.utoronto.ca) wrote:
>
>: Do you know of any freely distributable c++ (or c) code for public
>: key cryptography (such as RSA)?  
>
>: I've tried various archie searches to no avail.  
>
>Have you heard of PGP? I assume from your post that you have not. PGP 2.2
>is a freeware RSA encryption program which includes digital signatures and
>comprehensive key management facilities. Most sites also keep the source code.
>A growing number of people are using this excellent software to encrypt (to
>a very high standard) their email and data. Get it before Clinton outlaws it.
>
>Two of the many sites are:
>      rsa.com     /pub/pgp
>      soda.berkeley.edu      /pub/cypherpunks/pgp

PGP is not available on the archive site rsa.com.  If it were, it
would be highly amusing, since rsa.com (actually Public Key Partners,
but it's the same entity) is the organization holding the patents
which they claim are violated if you actually "make, use or sell" PGP.
I believe those patents also apply in Canada, but I'm not a patent
lawyer or anything.

There is no such thing as freely redistributable code for RSA which
can be used in North America without legal entanglements.  You may
wish to consider RSAREF, however, which *is* available from the FTP
site rsa.com in /rsaref but probably doesn't meet your definition of
"freely redistributable" (it's readily available in source, in C, and
does RSA, MD5, etc. and comes with a license allowing noncommercial
use.  Like any other strong crypto software, it's not exportable
legally.  It can be modified with permission from RSADSI, which a
number of people have received in the past.)  For reasons that aren't
entirely clear to me, RSA says that only U.S. people should take
RSAREF from its server, although there aren't ITAR issues regarding
Canada.  The RIPEM distribution site (ripem.msu.edu) has RSAREF in its
distribution, and is OK for Canadians.
--
Marc VanHeyningen   mvanheyn@cs.indiana.edu   MIME & RIPEM accepted
"Barney the Dinosaur is simply Rush Limbaugh in a Dinosaur Suit."  - Lost Boy

Newsgroup: sci.crypt
document_id: 15690
From: caronni@nessie.cs.id.ethz.ch (Germano Caronni)
Subject: Some Questions (was: REVISED SUMMARY)

> Here is a revised version of my summary that corrects some errors and
> provides some additional information and explanation.

Thank you very much. After reading the text some distinct questions
arose for me, which I guess will also be asked by other people. Perhaps
it would be interesting to find an answer to these questions?

>                      THE CLIPPER CHIP: A TECHNICAL SUMMARY
>    N, a 30-bit serial number (this length is subject to change)

shorter or longer ?

> Once the session key K is established, the Clipper Chip is used to
> encrypt the conversation or message stream M (digitized voice).  The
> telephone security device feeds K and M into the chip to produce two
> values:

>    E[M; K], the encrypted message stream, and
>    E[E[K; U] + N; F], a law enforcement field ,

> which are transmitted over the telephone line.  The law enforcement
> field thus contains the session key K encrypted under the unit key U
> concatenated with the serial number N, all encrypted under the family
> key F.  The law enforcement field is decrypted by law enforcement after
> an authorized wiretap has been installed.

First question: When will the Law Enforcement Field be transmitted, and how
does the remote Clipper Chip handle it? Is it transmitted periodically
in the stream of encrypted blocks, or just at the beginning? Does the
phone at the other side discard those packets via a protocol whatsoever,
or does it try to turn them into voice output? (Which would not be disturbing)

> At the beginning of a session, a trusted agent from each of the two key
> escrow agencies enters the vault.  Agent 1 enters a secret, random
> 80-bit value S1 into the laptop and agent 2 enters a secret, random
> 80-bit value S2. These random values serve as seeds to generate unit
> keys for a sequence of serial numbers.  Thus, the unit keys are a
> function of 160 secret, random bits, where each agent knows only 80.

Second question: Why!?!? Why is such a strange procedure used, and not
a real RNG? This turns those S1, S2 into a kind of bottleneck for system
security.

> When law enforcement has been authorized to tap an encrypted line, they
> will first take the warrant to the service provider in order to get
> access to the communications line.  Let us assume that the tap is in
> place and that they have determined that the line is encrypted with the
> Clipper Chip.  The law enforcement field is first decrypted with the
> family key F, giving E[K; U] + N.  Documentation certifying that a tap
> has been authorized for the party associated with serial number N is
> then sent (e.g., via secure FAX) to each of the key escrow agents, who
> return (e.g., also via secure FAX) U1 and U2.  U1 and U2 are XORed
> together to produce the unit key U, and E[K; U] is decrypted to get the
> session key K.  Finally the message stream is decrypted.  All this will
> be accomplished through a special black box decoder.

So no (technical) provision will be taken to place a 'timeout' on these
warrants? This would be a unique possibility to realize such a technical
restriction, by letting the escrow agencies perform the decoding of the
session key. Just take modem lines instead of secure fax. Is this such
a bad idea?

> A successor to the Clipper Chip, called "Capstone" by the government
> and "MYK-80" by Mykotronx, has already been developed.  It will include
> the Skipjack algorithm, the Digital Signature Standard (DSS), the
> Secure Hash Algorithm (SHA), a method of key exchange, a fast
> exponentiator, and a randomizer.  A prototype will be available for
> testing on April 22, and the chips are expected to be ready for
> delivery in June or July.

Wow! (How does the randomizer work?) Are the SHA (and key exchange) secret,
or publicly known? Key exchange is DH, I guess?

It seems that those who are opposed to this chip shall have a tough time,
your government really means to act. :-(

Friendly greetings,
	   Germano Caronni

-- 
Instruments register only through things they're designed to register.
Space still contains infinite unknowns.
                                                              PGP-Key-ID:341027
Germano Caronni caronni@nessie.cs.id.ethz.ch   FD560CCF586F3DA747EA3C94DD01720F
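
A runnable model of the escrow and wiretap procedure quoted above, and of the
two-seed construction behind the second question, added here as an illustration
(not code from the summary, the post, or Mykotronx).  Skipjack and the real
unit-key derivation are replaced by hash-based stand-ins (E, unit_key_share),
N is carried in 4 bytes, and all key values are constructed for the demo.

```python
"""Model of the Clipper law-enforcement field E[E[K; U] + N; F] with the
two-agent unit key U = U1 XOR U2.  Added illustration; the real chip uses
Skipjack and a different key schedule, both replaced here by hash stand-ins."""
import hashlib


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def E(data: bytes, key: bytes) -> bytes:
    """Toy stand-in for Skipjack E[data; key]: XOR with a SHA-256 counter
    keystream.  Reversible, so decryption is the same operation.  Not a real
    cipher; it only carries the data flow of the protocol."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return xor_bytes(data, stream)


D = E  # XOR keystream: decrypt == encrypt


def unit_key_share(seed: bytes, agent: int, n: int) -> bytes:
    """Each escrow agent derives its 80-bit component of U for serial number n
    from its own secret seed (S1 or S2).  Assumed derivation, not the real one."""
    material = agent.to_bytes(1, "big") + seed + n.to_bytes(4, "big")
    return hashlib.sha256(material).digest()[:10]


def unit_key(s1: bytes, s2: bytes, n: int) -> bytes:
    """U is the XOR of both components: whoever holds both seeds can derive
    every unit key, and one seed alone says nothing about U."""
    return xor_bytes(unit_key_share(s1, 1, n), unit_key_share(s2, 2, n))


def make_leaf(k: bytes, n: int, u: bytes, f: bytes) -> bytes:
    """The chip's law-enforcement field: E[E[K; U] + N; F]."""
    return E(E(k, u) + n.to_bytes(4, "big"), f)


def escrow_agent_release(seed: bytes, agent: int, warrant_n: int,
                         requested_n: int) -> bytes:
    """An agent returns its share only for the serial number on the warrant."""
    if requested_n != warrant_n:
        raise PermissionError("serial number not covered by the warrant")
    return unit_key_share(seed, agent, requested_n)


def wiretap_recover(leaf: bytes, f: bytes, s1: bytes, s2: bytes,
                    warrant_n: int):
    """Law-enforcement side of the quoted procedure: strip F, read N, obtain
    U1 and U2 from the agents, rebuild U, and recover the session key K."""
    inner = D(leaf, f)
    ek_u, n = inner[:10], int.from_bytes(inner[10:], "big")
    u1 = escrow_agent_release(s1, 1, warrant_n, n)
    u2 = escrow_agent_release(s2, 2, warrant_n, n)
    return n, D(ek_u, xor_bytes(u1, u2))


# Constructed demo values (not real Clipper material).
S1, S2 = b"agent-one-secret", b"agent-two-secret"
F = b"family-key"
N = 0x0123456           # 30-bit serial number, stored here in 4 bytes
K = b"sessionkey"       # 80-bit session key
U = unit_key(S1, S2, N)
LEAF = make_leaf(K, N, U, F)
```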

Newsgroup: sci.crypt
document_id: 15691
From: holland@CS.ColoState.EDU (douglas craig holland)
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks only

In article <1r47l1INN8gq@senator-bedfellow.MIT.EDU> jfc@athena.mit.edu (John F Carr) writes:
>
>In most cases information you come by properly is yours to use as you wish,
>but there are certainly exceptions.  If you write a paper which includes
>sufficiently detailed information on how to build a nuclear weapon, it is
>classified.  As I understand the law, nuclear weapons design is
>_automatically_ classified even if you do the work yourself.  I believe you
>are then not allowed to read your own paper.
>
	Hate to mess up your point, but it is incredibly easy to learn how
to make a nuclear weapon.  The hard part is getting the radioactives to
put in it.  Have you ever read Tom Clancy's _The Sum of All Fears_?  It
describes in great detail how a Palestinian terrorist group constructed a
nuclear bomb using stolen (actually found) plutonium, with some help from
an East German nuclear physicist.  For some non fiction, read Tom Clancy's
article _Five Minutes Till Midnight_.  It shows how a terrorist group could
construct a nuke using Neptunium, a low grade radioactive waste product
dumped in toxic waste sites and forgotten about.  He also claims information
on constructing a nuke is easily found in any large library.  Sounds
kind of scary, doesn't it? :-(

>A less serious example: if you tell drivers about a speed trap they are
>about to run into, you can be fined, even though you might argue that you
>broke no law when you discovered the location of the policeman.  The charge
>is interfering with a police officer, which is quite similar what you would
>be doing by reverse engineering the Clipper chip.
>
>Don't tell me that you think this violates the Constitution -- find some
>court cases which have struck down such laws.  Many people would not be
>comforted by the fact that the government violated their rights when it
>imprisoned them.
>

	Don't know whether you could get busted for warning of a speed trap.

Doug Holland

-- 
----------------------------------------------------------------------------
|  Doug Holland                | Anyone who tries to take away my freedom  |
|  holland@cs.colostate.edu    | of speech will have to pry it from my     |
|  PGP key available by E-mail | cold, dead lips!!                         |

Newsgroup: sci.crypt
document_id: 15692
From: brad@optilink.COM (Brad Yearwood)
Subject: Re: Would "clipper" make a good cover for other encryption method?

In article <strnlghtC5t42t.J9B@netcom.com>, strnlght@netcom.com (David Sternlight) writes:
> 
> Chances are the government has thought of this, and "just anyone" won't be
> permitted access to enough of the internals to make a "fake" clipper chip.
> Chances are that the government has classified some details of the internals
> at a very high level, and manufacturers are required to observe security
> safeguards and clearances corresponding to that level.

Assume in this case the usual canard-adversary of narcotraficantes.  They
probably have more cash than the KGB did, and they're probably more generous
at handing it out.  It will be easier than ever to find or cultivate Walkers
and Pollards for the keys, and it will be easy enough to find someone to
reverse-engineer the chip (unless the tamper proofing is damned clever and
effective).

Brad Yearwood     brad@optilink.com     {uunet, pyramid}!optilink!brad
Petaluma, CA

Newsgroup: sci.crypt
document_id: 15693
From: djb@silverton.berkeley.edu (D. J. Bernstein)
Subject: Re: Off the shelf cheap DES keyseach machine

In article <1993Apr21.132318.16981@ulysses.att.com> smb@research.att.com (Steven Bellovin) writes:
> And key size is one of the things that can be
> verified externally.

Gee. Say they feed the 80-bit key through Snefru-8 and take the first 60
bits of the result, then use those 60 bits as the real key. How do you
figure out that each key is one of 2^20 ``equal'' keys? You can try a
birthday attack, but if the key can be changed only once a second then
you will need several lifetimes to get reliable statistics. Somehow I
don't think you could catch the NSA at this sort of skulduggery.

---Dan
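
A scaled-down model of the key squashing Dan describes, plus the birthday
check an external evaluator could run against it, added here as an
illustration (not code from the post).  Snefru-8 is replaced by SHA-256 and
80/60 bits by 24/16 so the test finishes instantly; the last function
carries the arithmetic back to the 60-bit case at one key change per second.

```python
"""Nominal key hashed and truncated to an effective key, so that
2^(NOMINAL_BITS - EFFECTIVE_BITS) nominal keys encrypt identically.
Added illustration with small parameters."""
import hashlib
import math
import random

NOMINAL_BITS = 24
EFFECTIVE_BITS = 16


def effective_key(nominal: bytes) -> int:
    """Hash the nominal key and keep only the top EFFECTIVE_BITS bits."""
    digest = hashlib.sha256(nominal).digest()
    return int.from_bytes(digest, "big") >> (256 - EFFECTIVE_BITS)


def encrypt(plaintext: bytes, nominal: bytes) -> bytes:
    """Toy cipher keyed only by the truncated effective key (XOR keystream)."""
    stream = hashlib.sha256(effective_key(nominal).to_bytes(4, "big")).digest()
    return bytes(p ^ s for p, s in zip(plaintext, stream))


def find_equivalent_pair():
    """Walk nominal keys in order until two share an effective key; with a
    16-bit effective space this takes a few hundred keys."""
    seen = {}
    for i in range(1 << NOMINAL_BITS):
        key = i.to_bytes(3, "big")
        eff = effective_key(key)
        if eff in seen:
            return seen[eff], key
        seen[eff] = key
    raise RuntimeError("no collision found")  # unreachable at these sizes


def estimate_effective_bits(samples: int, seed: int = 1) -> float:
    """Black-box birthday test: encrypt one fixed plaintext under many random
    nominal keys and count colliding ciphertext pairs.  Expected pairs are
    about n(n-1)/2 / 2^e, so e is about log2(pairs / collisions)."""
    rng = random.Random(seed)
    plaintext = b"fixed-plaintext!"
    counts = {}
    collisions = 0
    for _ in range(samples):
        key = rng.getrandbits(NOMINAL_BITS).to_bytes(3, "big")
        ct = encrypt(plaintext, key)
        collisions += counts.get(ct, 0)  # each earlier match is one more pair
        counts[ct] = counts.get(ct, 0) + 1
    pairs = samples * (samples - 1) / 2
    return math.log2(pairs / collisions) if collisions else float("inf")


def seconds_to_expect_collisions(effective_bits: int, wanted: int = 1) -> float:
    """Keys needed for `wanted` expected collisions, n ~ sqrt(2 * wanted * 2^e).
    If the key can change only once a second, this is also the observation
    time in seconds (about 48 years for e = 60 and a single collision)."""
    return math.sqrt(2 * wanted * 2 ** effective_bits)
```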

Newsgroup: sci.crypt
document_id: 15694
From: bear@tigger.cs.Colorado.EDU (Bear Giles)
Subject: Re: The [secret] source of that announcement

>Andrew Molitor (amolitor@nmsu.edu) wrote:
>: 
>: 	1) Monitor my phonecalls.
>: 	2) Monitor usenet.

They may collect the data, but making sense of it is another matter.

On sci.crypt I'm a graduate CS major (with strong math background) and
experienced programmer taking a cryptology course.  (<< keyword for
alleged NSA filters).

On sci.skeptic I'm an ex-physics major who's a new-age flake, talking
about silly things like how a person's expectations colors what he
sees.

On talk.religion.newage I'm a physics geek who enjoys squashing
interesting ideas with WASP science, although I do write occasional
posts showing a minimal knowledge of Zen, mythology, etc.

I could go on, but I'm sure you see my point.  I'm a single person,
but I react differently on different groups (admittedly, in part
because I'm a contrarian who always shouts "but, on the other hand...").
On top of that, I _loathe_ certainty and have taken public positions
in the past for no reason other than to challenge "conventional wisdom".
I wish them luck in figuring out who "I" am based on that information.

(They can probably figure out I'm liberal, with a technical degree
but humanistic interests, from a common thread throughout my posts.
But that describes a fair portion of the users of Internet).

-- 
Bear Giles
bear@cs.colorado.edu/fsl.noaa.gov

Newsgroup: sci.crypt
document_id: 15695
From: wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705)
Subject: Re: An Open Letter to Mr. Clinton

In article <strnlghtC5M2Cv.8Hx@netcom.com> strnlght@netcom.com (David Sternlight) writes:
   Here's a simple way to convert the Clipper proposal to an unexceptionable
   one: Make it voluntary.

   That is--you get high quality secure NSA classified technology if you agree
   to escrow your key. Otherwise you are on your own.

That's the disturbing part - use of other products IS voluntary, for now,
and the press releases talk about the White House's unwillingness to
decide that citizens have a right to good commercial crypto gear,
and about how commercial alternatives will be permitted as long as
they provide key escrow services.  That's a clear implication that
they're considering banning alternatives.

Additionally, use of real alternatives ISN'T totally legal -
you're not allowed to export really good crypto equipment except to
the government's friends (e.g. the Australian government)
you can only export even BAD crypto equipment with their permission,
and the regulators who control the cellular telephone companies make
sure there are only two competitors, so Joe's Garage Cellular can't
start offering a secure service.  
--
#				Pray for peace;      Bill
# Bill Stewart 1-908-949-0705 wcs@anchor.att.com AT&T Bell Labs 4M312 Holmdel NJ
#	              No, I'm *from* New Jersey, I only *work* in cyberspace....
# White House Comment Line 1-202-456-1111  fax 1-202-456-2461

Newsgroup: sci.crypt
document_id: 15696
From: wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705)
Subject: Re: Clipper considered harmful

In article <1r24us$oeh@agate.berkeley.edu> shirriff@sprite.berkeley.edu (Ken Shirriff) writes:
   In article <15469@optilink.COM> brad@optilink.COM (Brad Yearwood) writes:
   >Finally, because there is essentially no possibility of intercepting in
   >realtime the scrutable content of communications between stolen instruments,
   >there will exist strong motivation to record and archive _all_ communications
   >in the network for ex-post-facto scrutiny (once some criminal act is
   >discovered, and the instruments involved have been identified).

"All" is a *very* big number.  The AT&T Long Distance network has
around 20,000 T3 trunks (45 Mbit/sec), which is on the order of 10**12 bits/sec.
That doesn't even count the amount of traffic in the LOCAL phone companies,
or our long-distance competitors.  It's about 200 Exabytes tapes / second,
which is pretty large even for the NSA :-)

On the other hand, I can easily see them recording the traffic for
"interesting" people, such as dissidents, suspected criminals,
foreign telephone calls, and anybody noticed using encryption.
As Ken Shiriff speculates, recording encrypted traffic will probably
be judged not to be an invasion of privacy pretty soon ....
--
#				Pray for peace;      Bill
# Bill Stewart 1-908-949-0705 wcs@anchor.att.com AT&T Bell Labs 4M312 Holmdel NJ
#	              No, I'm *from* New Jersey, I only *work* in cyberspace....
# White House Comment Line 1-202-456-1111  fax 1-202-456-2461

Newsgroup: sci.crypt
document_id: 15697
From: andersom@spot.Colorado.EDU (Marc Anderson)
Subject: **Sorry folks** (read this)

In article <1993Apr21.001707.9999@ucsu.Colorado.EDU> andersom@spot.Colorado.EDU (Marc Anderson) writes:
[...]
>
>(the date I have for this is 1-26-93)
>
>note Clinton's statements about encryption in the 3rd paragraph..  I guess
>this statement doesen't contradict what you said, though.
>
>--- cut here ---
>
>        WASHINGTON (UPI) -- The War on Drugs is about to get a fresh
>start, President Clinton told delegates to the National Federation
>of Police Commissioners convention in Washington.
>        In the first speech on the drug issue since his inaugural,
>Clinton said that his planned escalation of the Drug War ``would make
>everything so far seem so half-hearted that for all practical
[...]

I just found out from my source that this article was a joke.  Heh heh..
It seemed pretty damn convincing to me from the start -- I just didn't
notice the smiley at the end of the article, and there were a few other
hints which I should have caught.

Anyway -- I guess this 'joke' did turn out to resemble Clinton's true 
feelings at least to some extent.  

Sorry about that...

-marc
andersom@spot.colorado.edu

Newsgroup: sci.crypt
document_id: 15698
From: anthonyf@microsoft.com (Anthony Francisco)
Subject: Re: Clipper and Ranting Libertarians

Just a little nitpicking. Wasn't it the government that required
a standard railway gauge? Didn't that improve things?

Please don't misunderstand. I'm utterly suspicious of this Clipper
chip. Why hold the design TOP SECRET? Was this a workaround of the
law that says that any discoveries made by people working for the
government are public domain? (e.g. NIH Class Library, etc.)
DES has its designs published all over the place and it is considered
fairly strong (although it could be stronger).

							- Ants

Newsgroup: sci.crypt
document_id: 15699
From: steve-b@access.digex.com (Steve Brinich)
Subject: Fear, Uncertainty, Doubt

  I suspect that the decisive element in the political battle will be the
FUD (Fear, Uncertainty, Doubt) factor.
  If the people who would be end users of the Cripple Chip hear of the whole
debate only vaguely -- the government says it's solid; other people in the
field say it's Swiss cheese -- the balance of doubt could shift against the
Feds.  Any attempt to limit other forms of encryption could then be presented
as the government covering its own butt by protecting its poor product from
superior competition.
  Comments?


Newsgroup: sci.crypt
document_id: 15700
Subject: Re: How large are commercial keys?
From: pgut1@cs.aukuni.ac.nz (Peter Gutmann)

In <1993Apr20.182038.12009@ee.eng.ohio-state.edu> butzerd@maumee.eng.ohio-state.edu (Dane C. Butzer) writes:

>What are the typical sizes for keys for commercial secret key algorithms?
>I know DES is 56 bits ("triple DES" is 112 bits) and IDEA is 128 bits.  Is
>there anything made in the US that has 128 bit keys?  Anything anywhere
>that has larger keys?  I've heard that RC2 can be scaled to arbitrarily
>large keys, but is this actually implemented anywhere?

My MDC cipher (which uses any one-way hash function as a CFB-mode stream
cipher; the current implementation uses MD5) uses a key of up to 2048 bits
(that is, you can use a 1-bit key if you want and copy it over the entire
2048-bit range, or you can use the entire 2048 bits).  Runtime is
independent of key size; the system runs slightly slower than MD5 itself.
I presume RC2 and RC4 use a similar system (or possibly they just hash an
arbitrary-length key down to n bits, maybe 128, using something like MD5).

Peter.
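
A working model of the construction Peter describes (a one-way hash driven
as a CFB-mode stream cipher with a key of up to 2048 bits), added here as an
illustration and not Gutmann's own MDC source: the keystream block is
MD5(key || previous ciphertext block), and a short key is repeated over the
whole 2048-bit range as the post describes.  The last function shows the
caveat any such stream cipher carries when a key/IV pair is reused.

```python
"""Hash-as-CFB stream cipher modelled on the post.  Added illustration;
the keystream block is MD5(expanded_key || previous ciphertext block)."""
import hashlib

KEY_BYTES = 2048 // 8
BLOCK = 16  # MD5 digest length


def expand_key(key: bytes) -> bytes:
    """Copy a short key over the entire 2048-bit key range."""
    if not key or len(key) > KEY_BYTES:
        raise ValueError("key must be 1..2048 bits")
    reps = -(-KEY_BYTES // len(key))  # ceiling division
    return (key * reps)[:KEY_BYTES]


def _cfb(data: bytes, key: bytes, iv: bytes, encrypting: bool) -> bytes:
    """CFB mode: each keystream block is the hash of the expanded key and
    the previous ciphertext block (the IV for the first block)."""
    if len(iv) != BLOCK:
        raise ValueError("iv must be one hash block")
    k = expand_key(key)
    prev = iv
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        stream = hashlib.md5(k + prev).digest()
        result = bytes(a ^ b for a, b in zip(chunk, stream))
        out += result
        prev = result if encrypting else chunk  # ciphertext feeds back
    return bytes(out)


def mdc_encrypt(plaintext: bytes, key: bytes, iv: bytes) -> bytes:
    return _cfb(plaintext, key, iv, True)


def mdc_decrypt(ciphertext: bytes, key: bytes, iv: bytes) -> bytes:
    return _cfb(ciphertext, key, iv, False)


def keystream_prefix_reused(key: bytes, iv: bytes, pt1: bytes, pt2: bytes) -> bool:
    """Caveat: the same key and IV reproduce the first keystream block, so the
    XOR of two ciphertexts equals the XOR of their first plaintext blocks.
    A fresh IV per message is what prevents this."""
    c1 = mdc_encrypt(pt1, key, iv)[:BLOCK]
    c2 = mdc_encrypt(pt2, key, iv)[:BLOCK]
    ct_xor = bytes(a ^ b for a, b in zip(c1, c2))
    pt_xor = bytes(a ^ b for a, b in zip(pt1[:BLOCK], pt2[:BLOCK]))
    return ct_xor == pt_xor
```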

Newsgroup: sci.crypt
document_id: 15701
From: rita@eff.org (Rita Marie Rouvalis)
Subject: Re: **Sorry folks** (read this)

In article <1993Apr22.014646.28445@ucsu.Colorado.EDU> andersom@spot.Colorado.EDU (Marc Anderson) writes:

>I just found out from my source that this article was a joke.  Heh heh..
>It seemed pretty damn convincing to me from the start -- I just didn't
>notice the smiley at the end of the article, and there were a few other
>hints which I should have caught.

	People took this article seriously?  I mean, I know it's the
Net and all, but the prankster didn't even have Clinton's sound-bites
right.


-- 
Rita Rouvalis
rita@village.com

Newsgroup: sci.crypt
document_id: 15702
Subject: Re: Once tapped, your code is no good any more.
From: pgut1@cs.aukuni.ac.nz (Peter Gutmann)

In <1993Apr21.001707.9999@ucsu.Colorado.EDU> andersom@spot.Colorado.EDU (Marc Anderson) writes:

>(the date I have for this is 1-26-93)

>note Clinton's statements about encryption in the 3rd paragraph..  I guess
>this statement doesn't contradict what you said, though.

>--- cut here ---

>        WASHINGTON (UPI) -- The War on Drugs is about to get a fresh
>start, President Clinton told delegates to the National Federation
>of Police Commissioners convention in Washington.
>        In the first speech on the drug issue since his inaugural,
>Clinton said that his planned escalation of the Drug War ``would make
>everything so far seem so half-hearted that for all practical
>purposes this war is only beginning now.'' He repeatedly emphasized
>his view that ``regardless of what has been tried, or who has tried
>it, or how long they've been trying it, this is Day One to me.''
>The audience at the convention, whose theme is ``How do we spell
>fiscal relief?  F-O-R-F-E-I-T-U-R-E,'' interrupted Clinton frequently
>with applause.
>        Clinton's program, presented in the speech, follows the
>outline given in his campaign position papers: a cabinet-level Drug
>Czar and ``boot camps'' for first-time youthful offenders.  He did,
>however, cover in more detail his plans for improved enforcement
>methods.  ``This year's crime bill will have teeth, not bare gums,''
>Clinton said.  In particular, his administration will place strict
>controls on data formats and protocols, and require the registration
>of so-called ``cryptographic keys,'' in the hope of denying drug
>dealers the ability to communicate in secret.  Clinton said the
>approach could be used for crackdowns on other forms of underground
>economic activity, such as ``the deficit-causing tax evaders who
>live in luxury at the expense of our grandchildren.''
>        Clinton expressed optimism that the drug war can be won
>``because even though not everyone voted for Bill Clinton last
>November, everyone did vote for a candidate who shares my sense of
>urgency about fighting the drug menace.  The advocates of
>legalization -- the advocates of surrender -- may be very good at
>making noise,'' Clinton said.  ``But when the American people cast
>their ballots, it only proved what I knew all along -- that the
>advocates of surrender are nothing more than a microscopic fringe.''

Just doing a quick reality check here - is this for real or did someone
invent it to provoke a reaction from people?  It sounds more like the
sort of thing you'd have heard, suitably rephrased, from the leader of a 
certain German political party in the 1930's....

Peter. 

Newsgroup: sci.crypt
document_id: 15703
From: rlglende@netcom.com (Robert Lewis Glendenning)
Subject: Re: Estimating Wiretap Costs/Benefits

I am most embarrassed that my irate, intemperate post is still
circulating.

I have been chided by experts for my behavior.  I now agree with
all of them, although some were no more restrained in their
speech than I was 8)

I have apologized to Robin Hanson.

Lew
-- 
Lew Glendenning		rlglende@netcom.com
"Perspective is worth 80 IQ points."	Niels Bohr (or somebody like that).

Newsgroup: sci.crypt
document_id: 15704
From: duck@nuustak.csir.co.za (Paul Ducklin)
Subject: Re: Do we need the clipper for cheap security?


gtoal@gtoal.com (Graham Toal) writes:

>Can someone tell me if hardware compression is or is not needed to run
>digital speech down 14.4K?  I think it is; I've heard it's not.  Lets
>say 8 bit samples.  Would *raw* data at the corresponding sampling rate
>be usable?  If not, how fancy does the compression need to be?

It's all easy with a DSP. The Olivetti Quaderno, for example [*great* 1kg
subnotebook/palmtop PC -- sorry for the plug, folks, but Olivetti don't
seem to be doing a good job marketing it themselves :-)] includes sound
digitisation hardware; they provide vocoders for their DSP which produce
various bit-rates. There's one which gives pretty acceptable voice
quality at 13Kbit/sec, just right for a V.32bis modem.

Their DSP can play and record at the same time, too -- so you wouldn't
need to play "two-way-radio". You can also download code to the DSP
subunit, though you'd need a software development kit for the DSP in 
question [dunno which it is...] if you wanted to produce your own 
vocoder for, say, V.32 speeds.

Paul

    /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
    \  Paul Ducklin                         duck@nuustak.csir.co.za  /
    /  CSIR Computer Virus Lab + Box 395 + Pretoria + 0001 S Africa  \
    \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

Newsgroup: sci.crypt
document_id: 15705
From: TSOS@uni-duesseldorf.de (Detlef Lannert)
Subject: Re: Facinating facts: 30 bit serial number, possibly fixed S1 and S2

In article <PMETZGER.93Apr20065402@snark.shearson.com> pmetzger@snark.shearson.com (Perry E. Metzger) writes:

>Hmmm. We must assume that generating the unit key U from the serial
>number N rather than generating it from a randomly selected U1 and U2
>is an intentional way of assuring a "fail safe" for the government --
>U is completely determined given S1, S2 and N. 
 [...]
>If S1 and S2 do not change, even if they remain secret I wonder if
>they can somehow be back-derived given enough unit key/serial number
>pairs. [...]

Maybe 300 such pairs suffice to reconstruct S1 and S2? By such a
back-door (in the encryption algorithm perhaps) it would be possible (for
the manufacturer) to get the keys of all chips that were programmed in 
one session. This would not, btw, enable anybody else to retrieve the 
keys in the same way because they'll never get a bunch of 300 (N,U) 
pairs with identical S1 and S2. (Note that these have to be constant 
for the whole batch by the very nature of the procedure, i.e., they 
have to be typed in manually by the `random number supplying agents'!)

And I was wondering why they'll always do 300 chips in one session ... 
Since the procedure described by Ms Denning imposes high costs on the 
production of every chip (at least three persons for one hour each, 
plus the cost of a laptop finally blown to pieces in a spectacular, 
Hollywood-like bonfire; add travelling expenses, drinks and lighting, 
divide the sum by 300) there won't be a larger demand -- not from the 
private sector anyway. 

And let me mention one other thought that certainly has occurred to all 
the notoriously paranoid people in this group before: Who is going to 
verify that _no_ interested party will perform tempest attacks on the 
vault?? 

Where there's so much smoke and mirrors -- there can't be a nice, honest 
fire but something really worth hiding ... 
--
Detlef Lannert       DC3EK       E-Mail: tsos@rz.uni-duesseldorf.de
PGP 2.2 key via server or finger lannert@clio.rz.uni-duesseldorf.de
"I am Psmith." - "Oh, you're Smith, are you?" - "With a preliminary
P. Which, however, is not sounded."                   P.G.Wodehouse

Newsgroup: sci.crypt
document_id: 15706
From: smb@research.att.com (Steven Bellovin)
Subject: Re: Off the shelf cheap DES keyseach machine

In article <7020.Apr2207.05.3993@silverton.berkeley.edu>, djb@silverton.berkeley.edu (D. J. Bernstein) writes:
> In article <1993Apr21.132318.16981@ulysses.att.com> smb@research.att.com (Steven Bellovin) writes:
> > And key size is one of the things that can be
> > verified externally.
> 
> Gee. Say they feed the 80-bit key through Snefru-8 and take the first 60
> bits of the result, then use those 60 bits as the real key. How do you
> figure out that each key is one of 2^20 ``equal'' keys? You can try a
> birthday attack, but if the key can be changed only once a second then
> you will need several lifetimes to get reliable statistics.

You're right, and I retract the suggestion.  Still, I wonder.  That
there are only 60 bits of key information should, in principle, be
detectable.  Maybe some variant of the tests Rivest et al. did to
demonstrate that DES was probably not a group?  It should make an
interesting paper -- a black-box analysis of a cryptosystem.

Newsgroup: sci.crypt
document_id: 15707
From: whughes@lonestar.utsa.edu (William W. Hughes)
Subject: Re: Tempest

In article <1993Apr22.105915.5584@infodev.cam.ac.uk> rja14@cl.cam.ac.uk
(Ross Anderson) writes:
>res@colnet.cmhnet.org (Rob Stampfli) writes:
>> Wouldn't a second monitor of similar type scrolling gibberish and adjacent
>> to the one being used provide reasonable resistance to tempest attacks?
>We've got a tempest receiver in the lab here, and there's no difficulty in
>picking up individual monitors. Their engineering tolerances are slack enough
>that they tend to radiate on different frequencies. Even where they overlap, you
>can discriminate because they have different line synch frequencies - you can
>lock in on one and average the others out.
>
>The signals are weird in any case, with varying polarisations and all sorts
>of interactions with the building. Just moving a folded dipole around is also
>highly effective as a (randomised) means of switching from one monitor to
>another,
>
Hell, just set up a spark jammer, or some other _very_ electrically-noisy
device. Or build an active Faraday cage around the room, with a "noise"
signal piped into it. While these measures will not totally mask the
emissions of your equipment, they will provide sufficient interference to
make remote monitoring a chancy proposition, at best. There is, of course,
the consideration that these measures may (and almost certainly will)
cause a certain amount of interference in your own systems. It's a matter
of balancing security versus convenience.

BTW, I'm an ex-Air Force Telecommunications Systems Control Supervisor and
Telecommunications/Cryptographic Equipment Technician.

-- 
                            REMEMBER WACO!
     Who will the government decide to murder next? Maybe you?
[Opinions are mine; I don't care if you blame the University or the State.]

Newsgroup: sci.crypt
document_id: 15708
From: pom@anke.imsd.uni-mainz.DE (Prof. Dr. Klaus Pommerening)
Subject: DES: init vector as additional key?

The recent discussion in this newsgroup suggests that a key search attack
against DES is quite feasible now. But normally DES is applied in CBC or CFB
mode, where one chooses a random init vector of 8 bytes. Questions:

 - Does it make sense to treat the init vector as an additional key? Then we
have a 56 + 64 = 120 bit key.
 
 - If yes: Is anything known about the security of this key scheme? Can we
break it faster than by exhaustive search through the 120 bit key space?

--
Klaus Pommerening
Institut fuer Medizinische Statistik und Dokumentation
der Johannes-Gutenberg-Universitaet
Obere Zahlbacher Strasse 69, W-6500 Mainz, Germany
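
Two posts above touch the same construction from different sides: Gutmann's MDC cipher runs a one-way hash as a CFB-mode stream cipher, and Pommerening asks whether the CFB/CBC init vector can be counted as extra key. The following is an added example, not Gutmann's MDC code and not part of either post. It assumes a generic hash-CFB construction, keystream block i = H(key || C_{i-1}) with C_0 = IV, and uses SHA-256 from hashlib in place of the MD5 the post mentions. The last function shows why the IV is not key material: once the first ciphertext block is known, every later keystream block depends only on the key, so an exhaustive key search checked against known plaintext in block 2 onwards never needs the IV. The same holds for CBC, where C_i = E_K(P_i XOR C_{i-1}) for i > 1.

```python
# Added example (not Gutmann's MDC code and not part of either post):
# a hash-based CFB stream cipher, and a check of what the IV does and
# does not protect.
import hashlib
import os

# Keystream block size follows the hash; SHA-256 is assumed here instead of MD5.
BLOCK = hashlib.sha256().digest_size


def keystream_block(key: bytes, prev_ct: bytes) -> bytes:
    """Assumed construction: keystream block i = H(key || C_{i-1}), C_0 = IV.
    Any key length works and each step costs one hash call, so the running
    time does not depend on the key size."""
    return hashlib.sha256(key + prev_ct).digest()


def _cfb(key: bytes, iv: bytes, data: bytes, decrypt: bool) -> bytes:
    if len(iv) != BLOCK:
        raise ValueError("IV must be exactly one block")
    out = bytearray()
    prev = iv
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        ks = keystream_block(key, prev)
        res = bytes(a ^ b for a, b in zip(chunk, ks))
        out += res
        # CFB feeds the *ciphertext* back in both directions; a short final
        # chunk is never fed back, so no padding is needed.
        prev = chunk if decrypt else res
    return bytes(out)


def cfb_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    return _cfb(key, iv, plaintext, decrypt=False)


def cfb_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    return _cfb(key, iv, ciphertext, decrypt=True)


def decrypt_tail_without_iv(key: bytes, ciphertext: bytes) -> bytes:
    """Everything after the first block, recovered from key and ciphertext
    alone. Block 2's keystream is H(key || C_1), so C_1 serves as the IV for
    the rest of the message: a secret IV adds nothing to the key length
    against known plaintext beyond the first block."""
    if len(ciphertext) <= BLOCK:
        return b""
    return cfb_decrypt(key, ciphertext[:BLOCK], ciphertext[BLOCK:])


if __name__ == "__main__":
    key = b"constructed demo key"        # constructed sample, not a real secret
    msg = b"The quick brown fox jumps over the lazy dog, twice, for good measure."
    iv = os.urandom(BLOCK)
    ct = cfb_encrypt(key, iv, msg)
    assert cfb_decrypt(key, iv, ct) == msg
    assert decrypt_tail_without_iv(key, ct) == msg[BLOCK:]
    print("IV only shields block 1; blocks 2.. are determined by the key alone")
```

The IV still earns its place: encrypting the same message twice under different IVs gives unrelated ciphertexts, which is what a random IV is for. What it does not do is raise the cost of a key search, so DES in CBC or CFB mode with a secret IV should still be budgeted as a 56-bit key.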

Newsgroup: sci.crypt
document_id: 15709
From: lfoard@hopper.Virginia.EDU (Lawrence C. Foard)
Subject: Re: Once tapped, your code is no good any more.

In article <1993Apr22.065357.9667@cs.aukuni.ac.nz> pgut1@cs.aukuni.ac.nz (Peter Gutmann) writes:
[article deleted]
>
>Just doing a quick reality check here - is this for real or did someone
>invent it to provoke a reaction from people?  It sounds more like the
>sort of thing you'd have heard, suitably rephrased, from the leader of a 
>certain German political party in the 1930's....

It sounds like a joke (but then the war on drugs has always been a joke...).

-- 
------          Join the Pythagorean Reform Church!               .
\    /        Repent of your evil irrational numbers             . .
 \  /   and bean eating ways. Accept 10 into your heart!        . . .
  \/   Call the Pythagorean Reform Church BBS at 508-793-9568  . . . .
    

Newsgroup: sci.crypt
document_id: 15710
From: harryb@phred.UUCP (harry barnett)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

In article 29778@yuma.ACNS.ColoState.EDU, holland@CS.ColoState.EDU (douglas craig holland) writes:
>In article <1993Apr19.130132.12650@afterlife.ncsc.mil> rlward1@afterlife.ncsc.mil (Robert Ward) writes:
>>In article <bontchev.734981805@fbihh> bontchev@fbihh.informatik.uni-hamburg.de writes:
>>>and since the US constitution guarantees the right to every American
>>>to bear arms, why is not every American entitled, as a matter of
>>
>>Have you read the applicable part of the Constitution and interpreted it IN 
>>CONTEXT?  If not, please do so before posting this misinterpretation again.
>>It refers to the right of the people to organize a militia, not for individuals
>>to carry handguns, grenades, and assault rifles.  
>
>Read the Constitution yourself.  The Second Amendment says the right to bear
>arms shall not be infringed, so a well regulated militia may be more easily
>formed.  I have an interpretation of the Second that shows there are no 
>qualifications to the right to keep and bear arms.  If you want, I can E-mail
>it to you.  By the way, gun talk belongs in talk.politics.guns.
>							Doug Holland

Mr. Ward, before you start blathering about your skill "interpreting"
the Constitution, it might be helpful to learn to read.  After a review
with a high school English teacher emphasizing participial phrases, you
might start with the Second Amendment, and follow it up with:

 97th Congress, 2nd Session, Committee Print, *The Right To Keep and
 Bear Arms*, of the Subcommittee on the Constitution of the Committee on
 the Judiciary, United States Senate, 97th Congress, Second Session,
 February, 1982.  GPO No. 88-618-O

This authoritative, heavily researched and annotated document clearly
turns your "interpretation" into specious claptrap, which is a polite
way of saying utter bullshit.  In spite of your false assertion to the
contrary, the Second Amendment DOES protect the right of the individual
citizen, in his capacity as an individual, to keep and bear arms.

And, Mr. Holland, IMHO, blatantly and harmfully false information,
asserted as fact and globally distributed, deserves globally
distributed rebuttal in the forum in which it is posted.

(And besides, this site doesn't carry t.p.g...:-)

harryb%phred@data-io.com
phred!harryb@data-io.com
-----------------------------------------------------------------------
No free man shall ever be debarred the use of arms.  The strongest
reason for the people to retain the right to keep and bear arms is,
as a last resort, to protect themselves against tyranny in government.
					--Thomas Jefferson
-----------------------------------------------------------------------

Newsgroup: sci.crypt
document_id: 15711
From: Borut.B.Lavrencic@ijs.si
Subject: Re: The [secret] source of that announcement

In article <gradyC5unp0.D21@netcom.com>, 
grady@netcom.com (1016/2EF221) writes:
> Andrew Molitor (amolitor@nmsu.edu) wrote:
> : 
> : 	1) Monitor my phonecalls.
> : 	2) Monitor usenet.
> : 	3) Provide only cryptosystems they can easily crack.
> : 	4) etc etc.
> : 
> : 	This is not to say that they *don't*, they might. But you don't
> : know that they do, and you have no evidence that they do, for almost
> : all values of you. It follows, therefore, that for most values of 'you',
> : your claims about the NSA border on paranoia.
> : 
> : 	Andrew

.....
.....
.....

> 
> Or maybe the Germans should have been a little more 'paranoid' about
> their Enigma with respect to Turing and the British.
> 
> How about the cracking of the Zimmerman telegram?  Would a little
> more paranoia have helped the Germans here?
> 
> Maybe the NSA should have been a little more 'paranoid' about
> Emma Woikin, or Joseph Sidney Petersen, Jr., or  ...
> 
> Maybe you want to talk about Macmillan publishers cooperation
> with the CIA and NSA to suppress Yardley's Japanese Diplomatic
> Secrets or even Kahn's The Codebreakers.. paranoia, right?
> 
> The most popular cipher system among captured Soviet spies was
> the one-time pad, which, even with the necessity of keeping incriminating
> evidence about, is known to be the only proven unbreakable system.
> Soviet paranoia, right?
> 
> And what do you think the NSA does with its Wullenwebers?  And 
> huge Rhombics pointed at embassy row?  And their sites near
> satellite uplink and downlink sites?  Duh.
> 
.....  
> -- 
> grady@netcom.com  2EF221 / 15 E2 AD D3 D1 C6 F3 FC  58 AC F7 3D 4F 01 1E 2F
>

One case of Slovenian paranoia.

Once upon a time I tried to walk over the (famous) Marathon field, not far away 
from Athens. I could not do that mostly because the field is now a huge 
antenna farm. Probably a Greek COMINT installation, would you agree? 
-- 
Borut B. Lavrencic, D.Sc.     | X.400   :C=si;A=mail;P=ac;O=ijs;S=lavrencic
J. Stefan Institute           | Internet:Borut.B.Lavrencic@ijs.si
University of Ljubljana,      | Phone   :+ 386 1 159 199
SI-61111 Ljubljana, Slovenia  |	    PGP Public Key available on request

DOLGO SMOIS KALIS OVRAZ NIKEI NJIHK OCNOO DKRIL IVSEB IPIKA


Newsgroup: sci.crypt
document_id: 15712
From: pdc@dcs.ed.ac.uk (Paul Crowley)
Subject: Re: Do we need the clipper for cheap security?

Quoting pmetzger@snark.shearson.com (Perry E. Metzger) in article <1993Apr21.012011.27470@shearson.com>:
>What's the difference between a V.32bis modem and a V.32bis modem?

How fast do the fastest modems go?

How far can voice be compressed?

I've seen various assertions about this, but anyone with the
straightforward bits-per-second figures will be my friend forever...
  __                                  _____
\/ o\ Paul Crowley   pdc@dcs.ed.ac.uk \\ //
/\__/ Trust me. I know what I'm doing. \X/  Fold a fish for Jesus!

Newsgroup: sci.crypt
document_id: 15713
From: pdc@dcs.ed.ac.uk (Paul Crowley)
Subject: Re: Hard drive security for FBI targets

If "I forgot" doesn't have as much credibility as you'd like, consider
this alternative.  Somewhere on the hard disk, duplicated a few times,
keep a 128-bit random number.  When the 128-bit digest of your
passphrase is computed, it is XORed with the random number before being
used as the key for your hard disk.  Writing random junk over the random
numbers makes the hard disk unreadable by anyone.

Now, if you were merely to *claim* that you have written random junk
over the XOR key, no-one would be able to tell whether or not you were
telling the truth.  This is (a) perjury, and (b) vulnerable to
rubber-hose cryptography, but otherwise effective.
  __                                  _____
\/ o\ Paul Crowley   pdc@dcs.ed.ac.uk \\ //
/\__/ Trust me. I know what I'm doing. \X/  Fold a fish for Jesus!
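
The key layout in this post, as an added example that is not Crowley's code: the volume key is never stored; it is digest(passphrase) XOR R, where R is a random blinding value kept in several copies on disk. A check value of the derived key is assumed here (the post does not mention one) so that a damaged copy of R is recognised and the next copy tried; the passphrase digest is assumed to be a truncated SHA-256. Overwriting every copy of R is the erase step the post describes.

```python
# Added example (not Crowley's code): blinded key derivation with redundant
# copies of R, a check value for damaged copies, and crypto-erase by
# overwriting R.
import hashlib
import secrets

KEY_LEN = 16   # 128-bit key, as in the post
COPIES = 3     # how many times R is duplicated on disk (assumption)


def passphrase_digest(passphrase: str) -> bytes:
    """128-bit digest of the passphrase. Assumption: one SHA-256 truncated to
    16 bytes stands in for the post's unspecified digest; a deliberately slow
    KDF belongs here on a real volume."""
    return hashlib.sha256(passphrase.encode("utf-8")).digest()[:KEY_LEN]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def check_value(key: bytes) -> bytes:
    """Stored beside R so a key derived from a corrupt copy can be rejected."""
    return hashlib.sha256(b"volume-key-check:" + key).digest()


class VolumeHeader:
    """Constructed stand-in for the on-disk metadata: COPIES identical copies
    of the random value R (mutable, so they can be overwritten) plus the
    check value of the resulting key. The key itself never touches the disk."""

    def __init__(self, passphrase: str):
        r = secrets.token_bytes(KEY_LEN)
        self.r_copies = [bytearray(r) for _ in range(COPIES)]
        self.check = check_value(xor_bytes(passphrase_digest(passphrase), r))


def unlock(header: VolumeHeader, passphrase: str):
    """key = digest(passphrase) XOR R. Each copy of R is tried in turn; the
    first whose derived key matches the check value is returned."""
    digest = passphrase_digest(passphrase)
    for r in header.r_copies:
        key = xor_bytes(digest, bytes(r))
        if check_value(key) == header.check:
            return key
    return None   # wrong passphrase, or every copy of R is gone


def crypto_erase(header: VolumeHeader) -> None:
    """Overwrite every copy of R with random junk. Because the key was only
    ever derived, nothing on disk and nothing the user knows now determines
    it, so the volume is unreadable to everyone."""
    for r in header.r_copies:
        r[:] = secrets.token_bytes(KEY_LEN)


if __name__ == "__main__":
    hdr = VolumeHeader("example passphrase")      # constructed sample
    key = unlock(hdr, "example passphrase")
    hdr.r_copies[0][0] ^= 0xFF                    # simulate one damaged copy
    assert unlock(hdr, "example passphrase") == key
    crypto_erase(hdr)
    assert unlock(hdr, "example passphrase") is None
    print("volume erased: key no longer derivable")
```

Two caveats a practitioner would add. The check value lets anyone holding the disk test passphrase guesses offline, so the digest step must be a slow, salted KDF rather than a bare hash. And the erase is only as good as the overwrite: on media with wear levelling, journaling or snapshots, the old copies of R may survive where the filesystem no longer shows them.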

Newsgroup: sci.crypt
document_id: 15714
From: gtf1000@cus.cam.ac.uk (G.T. Falk)
Subject: alt.security.pgp

-----BEGIN PGP SIGNED MESSAGE-----

Hi all..

Does anyone know of a UNIX utility allowing encrypted telnet sessions using
public-key? I'd like something so that nobody can snoop my password or
session text while I'm logging in remotely over the network.

Thanks

g.

- -------------------------------------------------------------------------
PLEASE REPORT UNSIGNED (HENCE UNAUTHORISED) MESSAGES PURPORTEDLY FROM ME,
SENT AFTER 22/04/93.                                gtf1000@cus.cam.ac.uk
- -------------------------------------------------------------------------


-----BEGIN PGP SIGNATURE-----
Version: 2.2

iQBVAgUBK9ZxMTQRcjh0adt3AQFHrwH9HwBPyWwr+/O+pEocO9glPOZ5odKHynW8
AJIiF6Tsm+YMqBwmVHoLm7bUb4JPybQanpkmz8tdd4tYuinSX68cVg==
=Gw7z
-----END PGP SIGNATURE-----

Newsgroup: sci.crypt
document_id: 15715
From: abaum@armltd.uucp (Allen Baum)
Subject: Re: 80-bit keyseach machine

jebright@magnus.acs.ohio-state.edu (James R Ebright) writes:

(regarding NSA monitoring of US military code traffic)

>[BTW, folks, NSA wasn't being given the keys.  And the Walker spy case
>shows for some of the systems, the KGB didn't need them either.]

On the contrary, the Walker spy case is one where the KGB was
given keys (as I recall).
-- 

----------------
Allen J. Baum		Apple Computer		baum@apple.com, abaum@armltd.co.uk

Newsgroup: sci.crypt
document_id: 15716
From: pdh@netcom.com (P D H)
Subject: Re: An Open Letter to Mr. Clinton

ld231782@LANCE.ColoState.Edu (L. Detweiler) writes:

>I'm quite astonished, shocked, and appalled at this serious frontal 
>assault on emerging American freedoms.  Neither the Clinton administration 
>nor any other government agency has any legitimate role whatsoever 
>in regulating cryptography. To do so is tantamount to regulating 
>`acceptable' speech, and is blatantly unconstitutional. Perhaps we 
>should rename this year `1984' in honor of such an illustrious 
>proposal.  Let the Crappy Chip live in infamy, and the administration
>receive great shame and discredit for this bizarre misadventure.

IMHO, encryption is (also) protected under the SECOND amendment of
the Constitution of the United States.


>I am outraged that my tax money is being used to develop technology
>to restrict my freedoms far beyond reasonable measures.  The U.S.
>government will have my full uncooperation and disobedience on any
>serious threat to my liberties such as this, and I call on everyone
>with an interest in a sensible government to resist and defy this 
>proposal.  The administration does not seem to understand that they
>are merely a subservient instrument to implement the will of the
>public, and hence anyone involved in this proposal in this respect is 
>wholly negligent and remiss in performing their lawful duty.

I am not surprised that this administration is doing this.
I could have told you so.


>Cryptography is neutral technology. If everybody has strong 
>cryptography (including policemen, bureaucrats, businessmen, 
>housewives, thugs and hoodlums), we have a sustainable 
>equilibrium.  Anything less is an unworkable anti-egalitarian 
>arrangement, intrinsically antithetical to American freedoms, and
>guaranteed to collapse under its own weight of inherent 
>impracticality. We don't need to compromise on issues of freedom.

Privacy has ALWAYS been something that has the effect of restricting
our ability to prosecute criminals.  We are supposed to have the
presumption of innocence.

I have the right to pull the curtains over my windows and close my
door, and the police may not come in.  If I perform a crime in my home,
they will have to find out by means other than simply looking.

Encryption is to my data as the window curtains are to my home.
Simple enough?


>For too long our government has demonstrated itself to be 
>increasingly hostile and a serious obstacle to economic vitality 
>and protecting Americans.

And yet the people vote for these people because they come out and lie
to them about promising to fix things.


>The administration has to be committed to leaving private 
>industries alone, esp. on this issue.  The government has no 
>legitimate role in regulating the content of communications.
>Law enforcement agencies must be prepared to forfeit their
>surveillance bludgeon; they are soon and inevitably to be 
>disarmed of it. 

You mean they might have to go back to actually WORKING to do their job?
Oh heavens.


>No such laws can be constitutionally sound, and this is equivalent
>to a veiled threat, which I don't appreciate.  This kind of 
>extortion tends to agitate me and others into radicalism. I will
>trade threats for threats, and violation for violation.

Perhaps the FIRST amendment.  Definitely the SECOND and FIFTH.


>If the administration did say this, it would find itself 
>impeached for reckless and outrageous disregard of essential,
>established, entrenched, and explicit constitutional privacy 
>guarantees. The administration would have no legal standing 
>whatsoever; such an action would be egregiously illegal and
>criminal, and wholly untolerated and disregarded by vast 
>segments of the population.

Unfortunately, the vast segments of the population are misinformed.
They just haven't appended -SR to the name of our country, yet.


>This is an outright Dingaling Denning lie.  The two aims of
>privacy and surveillance are intrinsically and fundamentally 
>incompatible, and you have to work for the NSA to think otherwise. 
>Americans are about to discover ways, through the use of technology, 
>to preserve their inalienable but forgotten freedoms that have slowly 
>been eroded away by an increasingly distant and unresponsive and 
>*unrepresentative* government.

I seriously doubt that the NSA thinks that privacy and surveillance are
compatible.  I doubt that any smart person in any other agency thinks
so, either.  The PROBLEM is that they simply hold PRIVACY to be of no
value at all.
-- 
| Phil Howard,  pdh@netcom.com,  KA9WGN         Spell protection?  "1(911)A1" |
| Right wing conservative capitalists are out to separate you from your MONEY |
| Left wing liberal do gooders are out to separate you from EVERYTHING ELSE!! |
+-----------------------------------------------------------------------------+

Newsgroup: sci.crypt
document_id: 15717
From: jhan@debra.dgbt.doc.ca (Jerry Han)
Subject: Overreacting (was Re: Once tapped, your code is no good any more)

In this giant bally-ho over this Clipper chip I noticed a rather
disturbing trend in some of the E-mail and posts I've been tossing back and
forth.  

Somebody asked me what was wrong about overreacting in cases such as this.

The reason is very simple:  How many people do you want to die in a riot? 
In a new Civil War? 

Everybody is jumping up and down and screaming about it, and I'm worried
that people are going to reach for their hammers and rifles before their pens
and paper.  

Can people work within the system before trying to break it?  Examine your
history books, and find out how many armed revolutions led to Democratic
(or Democratic style) governments.  I think you'll only find one in over
five thousand years of written history.

That's not very good odds.  

Somebody once said something like: "Armed Violence is meant only to be
used in response to an armed attack.  It is not meant to be used in
aggression.  This is the difference between self-defence and murder."

Let's try to avoid killing things, eh?  There's enough blood shed in the
world, without adding a couple of riots, Civil Wars, etc.

I'm probably overreacting.  But what I've read scared me a lot.  I don't
want my children growing up in a War Zone.


-- 
Jerry Han-CRC-DOC-Div. of Behavioural Research-"jhan@debra.dgbt.doc.ca"
///////////// These are my opinions, and my opinions only. \\\\\\\\\\\\\
\\\\\\\\\ A proud and frozen member of the Mighty Warriors Band ////////  
"Memories of those I've left behind, still ringing in my ears."-Genesis-

Newsgroup: sci.crypt
document_id: 15718
From: rja14@cl.cam.ac.uk (Ross Anderson)
Subject: Re: Tempest


res@colnet.cmhnet.org (Rob Stampfli) writes:

> Wouldn't a second monitor of similar type scrolling gibberish and adjacent
> to the one being used provide reasonable resistance to tempest attacks?

We've got a tempest receiver in the lab here, and there's no difficulty in
picking up individual monitors. Their engineering tolerances are slack enough
that they tend to radiate on different frequencies. Even where they overlap, you
can discriminate because they have different line synch frequencies - you can
lock in on one and average the others out.

The signals are weird in any case, with varying polarisations and all sorts
of interactions with the building. Just moving a folded dipole around is also
highly effective as a (randomised) means of switching from one monitor to
another,

Ross


Newsgroup: sci.crypt
document_id: 15719
From: smb@research.att.com (Steven Bellovin)
Subject: Re: (new) reason for Clipper alg'm secrecy

In article <1993Apr20.155924.29995@news.clarkson.edu>, tuinstra@signal.ece.clarkson.edu.soe (Dwight Tuinstra) writes:
> First, note that the "experts" will only look at "details", and of just 
> the algorithm:
> 
>     In addition, respected experts from outside the
>     government will be offered access to the confidential details of
>     the algorithm to assess its capabilities and publicly report
>     their findings.
> 
> Why not the chip design?  Well, here's the possibility:  in addition to
> encryption, the chip pre-processes voice signals to make them easier
> to analyze/transcribe electronically.  The chip, once widespread, might
> effectively be part of a massively parallel computer for "voice-
> grepping" the US phone network (or the criminal & wrong-thinking patrons
> thereof).

First of all, the chip doesn't do that.  It runs at 16 megabits/second,
which is far beyond what you need for voice.  It's obviously intended
for data as well, and on high-speed lines at that.

Second -- what advantage is there to doing the processing in the phone?
I don't care how fancy that chip is; it's not as fancy as the roomful
of analyzers at Fort Meade running the program they'll have 5 years from
now.  They can't update every Clipper chip that's out there.

Third -- if they did do this preprocessing in the chip, it would probably
have a serious effect on recognizability of the voice patterns.  If
nothing else, that would hurt the acceptability of the product.  The
V.32bis modems are just barely fast enough to do a good job on properly-
massaged voice as is; add any more to the mix, and you're completely out
of the ballpark.

Newsgroup: sci.crypt
document_id: 15720
From: steve-b@access.digex.com (Steve Brinich)
Subject: S1, S2

 > Second question: Why!?!? Why is such a strange procedure used, and not
 >a real RNG ? This turns those S1,S2 in a kind of bottleneck for system-
 >security.

  The only theory that makes any sense is that S1 and S2 are either the
same for all chips, or vary among very few possibilities, so that anyone
trying to break the encryption by brute force need only plow through the
possible serial numbers (2^30, about one billion), multiplied by the number
of different S1, S2 combinations.





Newsgroup: sci.crypt
document_id: 15721
From: rj@ri.cadre.com (Rob deFriesse)
Subject: Can DES code be shipped to Canada?

Someone in Canada asked me to send him some public domain DES file
encryption code I have.  Is it legal for me to send it?

Thanx.
--
Eschew Obfuscation

Rob deFriesse                    Mail:  rj@ri.cadre.com
Cadre Technologies Inc.          Phone:  (401) 351-5950
222 Richmond St.                 Fax:    (401) 351-7380
Providence, RI  02903

I don't speak for my employer.

Newsgroup: sci.crypt
document_id: 15722
From: throopw%sheol@concert.net
Subject: Re: Clipper considered harmful

: From: shirriff@sprite.berkeley.edu (Ken Shirriff)
: Message-ID: <1r24us$oeh@agate.berkeley.edu>
: It seems likely to me that that a large subset of encrypted communications
: would be archived to tape so they could be read if sometime in the future
: probable cause arises and a warrant is obtained.

I think it is unlikely that data like this could be used in court.
Currently LEAs can install wiretaps on large numbers of phones, record
calls without listening to them, and then post-facto obtain warrants
and listen to calls after probable cause is established.  But this
strategy wouldn't get the stuff admitted in court.  (At least, not
in the near term.)

In other words, near as I can tell, the thing that makes such evidence
inadmissible is the interception without a warrant, not the attempt to
interpret what was intercepted without a warrant.  I'd be surprised
that archiving data without consent would be interpreted as anything
but analogous to a wiretap by the courts.

Note that that doesn't mean I think it won't be done if technically
feasible.  Just as I'm sure many wiretaps are done now without
warrants, just to fish for avenues to investigate.  So in the future,
start surveillance, start archiving data, trump up some probable cause,
decrypt post-facto after the warrant is in hand, and the investigation
gets a boost from data that, sadly, won't ever be presented to a jury.

While I'm posting...  for an interesting cautionary tale projecting this
archiving scenario to extremes, read "Lacey and his Friends", a
collection of sf stories by David Drake.  The US starts down the
slippery slope by archiving *everything*.  But don't worry folks, it's
stored in a secure repository where nobody but LEAs with warrants can
get to it.  And by the way, we'll be installing cameras on all major
streets.  Hey, this is nothing new, we already have cameras in banks and
teller machines, don't we?

And then we'll pass laws requiring cameras covering *all* public
places.  Then in some private places.  Then we'll make it a crime ever
to be out of range of a camera, except in legally licensed privacy
cubicles.  Only alone.  And with a thorough body search before and
after.  But, see, there's still a right to privacy.  We haven't
curtailed any rights, not really.  And just think how much easier it'd
be to solve crimes in such a situation: just obtain a warrant, put on a
VR helmet and take a walk down memory lane.

And hey, nobody'll be tracking *you* or *me*, no need to be self-conscious.

After all, if you're not doing anything illegal...

Funny, though.  While speeding and the radar detector industry became
pretty much a thing of the past, somehow all this didn't eliminate all
crime in the story.  And somehow, politicians got exemptions on grounds
of national security, and rich corporations got exemptions for their
execs on grounds of industrial espionage and the preservation of
competition.  And not everybody was exactly happy with the system.
I can't imagine why.

--
Wayne Throop   throopw%sheol@concert.net
               throop%aurgate@concert.net

Newsgroup: sci.crypt
document_id: 15723
From: grady@netcom.com (1016/2EF221)
Subject: IDEA vectors?

I am testing IDEA block cipher implementations for correctness
and need some golden test vectors.  I've looked through
the postscript IDEA chapter but the single example gives me
zero degrees of freedom.  I'll contact the inventor if necessary
but since we are NOT paying him money for use of his invention,
I'd like to offload this from him.  Anybody got vectors?
(No disease vectors, please).

-- 
grady@netcom.com  2EF221 / 15 E2 AD D3 D1 C6 F3 FC  58 AC F7 3D 4F 01 1E 2F

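A reference implementation is the usual way out of the "one published example" problem: once it reproduces the single known vector, it can generate as many further vectors as a tester wants, and a decrypt round trip catches key-schedule mistakes the encrypt direction alone would not.  The following is an added example, not code from the post or from the IDEA authors.  The vector it checks (key 0001 0002 ... 0008, plaintext 0000 0001 0002 0003, ciphertext 11FB ED2B 0198 6DE5) is the published one; the other inputs under `__main__` are constructed.

```python
"""IDEA (64-bit block, 128-bit key): encrypt, decrypt, and the published
test vector.  Added example; not code from the post or the IDEA spec."""
from typing import List

MOD = 0x10001  # multiplication is modulo 2^16 + 1; the 16-bit value 0 stands for 2^16


def mul(a: int, b: int) -> int:
    """IDEA multiplication: 0 represents 65536, and a result of 65536 maps back to 0."""
    return (((a or 0x10000) * (b or 0x10000)) % MOD) & 0xFFFF


def add(a: int, b: int) -> int:
    return (a + b) & 0xFFFF


def mul_inv(x: int) -> int:
    """Inverse under mul(); 65537 is prime, so Fermat's little theorem gives it."""
    return pow(x or 0x10000, MOD - 2, MOD) & 0xFFFF


def add_inv(x: int) -> int:
    return (-x) & 0xFFFF


def expand_key(key: bytes) -> List[int]:
    """52 subkeys: 8 straight from the key, then 8 more after each 25-bit left rotation."""
    if len(key) != 16:
        raise ValueError("IDEA key must be 16 bytes")
    k = int.from_bytes(key, "big")
    subkeys: List[int] = []
    while len(subkeys) < 52:
        subkeys.extend((k >> (112 - 16 * i)) & 0xFFFF for i in range(8))
        k = ((k << 25) | (k >> 103)) & ((1 << 128) - 1)
    return subkeys[:52]


def invert_key(ek: List[int]) -> List[int]:
    """Decryption schedule: groups in reverse order, additive/multiplicative keys
    inverted, and the two additive keys swapped in all but the outermost groups."""
    dk = [0] * 52
    for r in range(9):
        src = 6 * (8 - r)
        dk[6 * r] = mul_inv(ek[src])
        dk[6 * r + 3] = mul_inv(ek[src + 3])
        if r in (0, 8):
            dk[6 * r + 1], dk[6 * r + 2] = add_inv(ek[src + 1]), add_inv(ek[src + 2])
        else:
            dk[6 * r + 1], dk[6 * r + 2] = add_inv(ek[src + 2]), add_inv(ek[src + 1])
        if r < 8:
            dk[6 * r + 4] = ek[6 * (7 - r) + 4]
            dk[6 * r + 5] = ek[6 * (7 - r) + 5]
    return dk


def crypt_block(block: bytes, sk: List[int]) -> bytes:
    """Eight rounds plus the output transformation.  The same routine decrypts
    when handed the inverted schedule from invert_key()."""
    if len(block) != 8:
        raise ValueError("IDEA block must be 8 bytes")
    x1, x2, x3, x4 = (int.from_bytes(block[i:i + 2], "big") for i in (0, 2, 4, 6))
    for r in range(8):
        k = sk[6 * r:6 * r + 6]
        a, b, c, d = mul(x1, k[0]), add(x2, k[1]), add(x3, k[2]), mul(x4, k[3])
        t0 = mul(a ^ c, k[4])             # MA structure: two multiplications,
        t1 = mul(add(b ^ d, t0), k[5])    # two additions
        t0 = add(t0, t1)
        x1, x2, x3, x4 = a ^ t1, c ^ t1, b ^ t0, d ^ t0   # inner words cross over
    k = sk[48:52]
    y = (mul(x1, k[0]), add(x3, k[1]), add(x2, k[2]), mul(x4, k[3]))
    return b"".join(v.to_bytes(2, "big") for v in y)


def encrypt(key: bytes, block: bytes) -> bytes:
    return crypt_block(block, expand_key(key))


def decrypt(key: bytes, block: bytes) -> bytes:
    return crypt_block(block, invert_key(expand_key(key)))


# The published vector; everything else below is constructed input.
KEY = bytes.fromhex("00010002000300040005000600070008")
PLAIN = bytes.fromhex("0000000100020003")
CIPHER = bytes.fromhex("11fbed2b01986de5")

if __name__ == "__main__":
    assert encrypt(KEY, PLAIN) == CIPHER, "golden vector failed"
    for k, p in [(KEY, PLAIN), (bytes(16), bytes(8)), (bytes(range(16)), b"\xff" * 8)]:
        c = encrypt(k, p)
        assert decrypt(k, c) == p, "round trip failed"
        print(k.hex(), p.hex(), "->", c.hex())
```

The only subtle parts are the 0 <-> 65536 convention in `mul()` and the key-schedule inversion; a tester who wants more degrees of freedom can feed the `__main__` loop random keys and blocks and compare the printed triples against the implementation under test.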

Newsgroup: sci.crypt
document_id: 15724
From: clipper@csrc.ncsl.nist.gov (Clipper Chip Announcement)
Subject: Re: The [secret] source of that announcement

In article <C5uxGv.Dv7@panix.com> habs@panix.com (Harry Shapiro) writes:
>In <1r1om5$c5m@slab.mtholyoke.edu> jbotz@mtholyoke.edu (Jurgen Botz)
>writes:
>
>>Even more interesting: the SMTP server at csrc.ncsl.nist.gov no longer
>>recognizes the 'expn' and 'vrfy' commands...
>
>>   telnet csrc.ncsl.nist.gov smtp
>>   Trying 129.6.54.11...
>>   Connected to csrc.ncsl.nist.gov.
>>   Escape character is '^]'.
>>   220 first.org sendmail 4.1/NIST ready at Tue, 20 Apr 93 17:01:34 EDT
>>   expn clipper
>>   500 Command unrecognized
>
>>Seems like sombody didn't like your snooping around, Marc.
>
>Then it is a good thing we already have this:
>
>The csspub mailing list: csspab@mail-gw.ncsl.nist.gov, and address on
> [rest of names deleted]

Sigh... my version of 'rn' asked me whether I really want to send this
posting!

You may as well know that all this stuff about the secret source of the
Clipper announcement is because of a silly mistake.  I am the administrator
of csrc.ncsl.nist.gov, alias first.org.  It's a system set up to help out
the needs of FIRST, a Forum of Incident Response and Security Teams, which 
includes a number of world-wide incident response teams such as CERT/CC and
other places in Europe.  As to the VRFY and EXPN commands, they are normally
disabled, since early on we didn't want crackers to find out the names of
incident response folks on our mailing lists.  We had a disk crash several
months ago which required completely rebuilding the O/S files - same old
story, our backups weren't especially helpful.  As you can guess, I didn't
remember to re-disable VRFY and EXPN until I saw people on the net trying to
find out who was behind clipper@csrc...  When I saw people's names posted
here, I felt it was time to clear things up.  So, EXPN and VRFY on csrc have
always been disabled in the past for reasons having nothing to do with 
Clipper.

I posted the White House announcements at the request of policy folks here
because csrc also provides Usenet service.  I posted them from an account
called 'clipper.'  I also created an alias called 'clipper' that contains
the addresses of members of the NIST Computer Security Privacy and Advisory
Board, set up under law of the Computer Security Act of 1987, and addresses
of other individuals not affiliated with NIST but involved in cryptography,
security, and privacy - I believe that these individuals were included on
this list because NIST felt it important to get them the Clipper information
first-hand.

The 'clipper' alias is there for the benefit of those named above.  It is 
not a source for information, it was set up solely to monitor any initial
traffic.  Individuals on the list have requested that they continue to get
traffic that is not already duplicated on Usenet.

While you can rightfully say we were a bit disorganized in handling this,
I would ask that people stop speculating about any hidden agendas or motives
of the individuals on the 'clipper' alias - I've already apologized to them
for what's happened.  Disabling EXPN and VRFY is an increasingly common
practice (albeit unfriendly to some), and any effect of disabling it again
was unintentional.

-John Wack
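
The session quoted above is a manual probe for the two SMTP commands that let an outsider enumerate local users and mailing-list members, and the reply to it explains why an incident-response host keeps them off.  What follows is an added example of the same check as a script, not code from the posts or from NIST.  The canned server replies are constructed, modelled on the quoted session rather than captured from csrc.ncsl.nist.gov, and the names probe.example and example.net are assumed.

```python
"""Probe an SMTP server for VRFY/EXPN and say what each reply gives away.
Added example; the FakeSMTP transcripts are constructed, not captured."""
import socket
from typing import Dict, List, Tuple


class FakeSMTP:
    """Offline stand-in for a server: one canned reply (list of lines) per verb.
    Any verb without an entry gets the reply the quoted session shows for EXPN."""

    def __init__(self, banner: str, replies: Dict[str, List[str]]) -> None:
        self.pending = [banner]
        self.replies = replies
        self.transcript: List[str] = [f"S: {banner}"]

    def readline(self) -> str:
        return self.pending.pop(0)

    def sendline(self, line: str) -> None:
        verb = line.split(" ", 1)[0].upper()
        self.transcript.append(f"C: {line}")
        reply = self.replies.get(verb, ["500 Command unrecognized"])
        self.pending.extend(reply)
        self.transcript.extend(f"S: {r}" for r in reply)


class RealSMTP:
    """The same two methods over TCP, for a host you are authorised to test:
    probe(RealSMTP("mail.example.net"))."""

    def __init__(self, host: str, port: int = 25, timeout: float = 10.0) -> None:
        self.sock = socket.create_connection((host, port), timeout)
        self.fh = self.sock.makefile("rw", encoding="ascii", errors="replace", newline="")

    def readline(self) -> str:
        return self.fh.readline().rstrip("\r\n")

    def sendline(self, line: str) -> None:
        self.fh.write(line + "\r\n")
        self.fh.flush()


def read_reply(conn) -> Tuple[int, List[str]]:
    """Collect one reply: '250-text' lines continue it, '250 text' ends it."""
    lines: List[str] = []
    while True:
        line = conn.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), lines


def classify(code: int) -> str:
    """What an attacker learns from the reply to VRFY/EXPN for one name."""
    if code in (250, 251):
        return "enabled: address confirmed or alias expanded"
    if code in (550, 551, 553):
        return "enabled: a 'no such user' answer still reveals which names exist"
    if code == 252:
        return "disabled: 'cannot verify' is given for every name"
    if code in (500, 502):
        return "disabled: command rejected"
    return f"unclear: reply code {code}"


def probe(conn, helo_name: str = "probe.example", name: str = "postmaster") -> Dict[str, str]:
    """HELO, then VRFY and EXPN for one name; classify each answer."""
    code, greeting = read_reply(conn)
    if code != 220:
        raise RuntimeError(f"unexpected greeting: {greeting[-1]}")
    conn.sendline(f"HELO {helo_name}")
    read_reply(conn)
    verdict: Dict[str, str] = {}
    for verb in ("VRFY", "EXPN"):
        conn.sendline(f"{verb} {name}")
        code, _ = read_reply(conn)
        verdict[verb] = classify(code)
    conn.sendline("QUIT")
    read_reply(conn)
    return verdict


# Constructed transcripts, modelled on the quoted session.
BANNER = "220 first.org sendmail 4.1/NIST ready"
HARDENED = {  # VRFY and EXPN both rejected, as after they were re-disabled
    "HELO": ["250 first.org Hello probe.example"],
    "QUIT": ["221 first.org closing connection"],
}
LEAKY = {     # a host that confirms users and expands aliases for anyone
    "HELO": ["250 mail.example.net Hello probe.example"],
    "VRFY": ["250 <postmaster@example.net>"],
    "EXPN": ["250-<alice@example.net>", "250 <bob@example.net>"],
    "QUIT": ["221 Bye"],
}

if __name__ == "__main__":
    for label, replies in (("hardened", HARDENED), ("leaky", LEAKY)):
        server = FakeSMTP(BANNER, replies)
        print(label, probe(server))
        print("\n".join(server.transcript))
```

The point of `classify()` is that "disabled" is not the same as "returns an error": a server that answers 550 to VRFY for unknown names and 250 for known ones is as enumerable as one that answers 250 to everything, while 252 (will attempt delivery, cannot verify) and 500/502 give the caller nothing.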
  

Newsgroup: sci.crypt
document_id: 15725
From: karl@genesis.MCS.COM (Karl Denninger)
Subject: Re: Do we need the clipper for cheap security?

In article <9304201003.AA05465@pizzabox.demon.co.uk> gtoal@gtoal.com (Graham Toal) writes:
>	gtoal@gtoal.com (Graham Toal) writes:
>	>
>	>In the UK, it's impossible to get approval to attach any crypto device
>	>to the phone network.  (Anything that plugs in to our BT phone sockets
>	>must be approved - for some reason crypto devices just never are...)
>	>
>
>	Whats the difference between a V.32bis modem and a V.32bis modem?
>
>	I'm not being entirely silly here: what I'm pointing out is that the
>	modems that they have already approved for data transmission will work
>	just fine to transmit scrambled vocoded voice.
>
>Absolutely.  I just meant that no secure *dedicated* crypto device has
>ever been given approval.  Guerrilla underground devices should be well
>possible with today's high-speed modems (not that I can think of many v32bis
>modems that are approved either mind you - just the overpriced Couriers)
>
>Can someone tell me if hardware compression is or is not needed to run
>digital speech down 14.4K?  I think it is; I've heard it's not.  Lets
>say 8 bit samples.  Would *raw* data at the corresponding sampling rate
>be usable?  If not, how fancy does the compression need to be?

Reasonably fancy.

Standard "voice" circuits run at 56kbps inter-exchange in the US.
Therefore, you need to achieve 4:1 to get standard voice quality.

If you're willing to give up some quality, you need only 2:1.  This is still
acceptable from a speech standpoint; it will be a little less faithful to
the original, but certainly intelligible.  That's all you really need for
this application.

--
Karl Denninger (karl@genesis.MCS.COM) 	| You can never please everyone except
Data Line: [+1 312 248-0900]		| by bankrupting yourself.
         	   LIVE Internet in Chicago; an MCSNET first!


Newsgroup: sci.crypt
document_id: 15726
From: croley@magic.mcc.com (David Croley)
Subject: Re: new encryption

In article <1993Apr21.225435.6292@wam.umd.edu>, psionic@wam.umd.edu (Haywood J. Blowme) writes:
|>    As promised, I spoke today with the company mentioned in a Washington
|> Times article about the Clipper chip announcement. The name of the company
|> is Secure Communications Technology (Information will be given at the end
|> of this message on how to contact them).
|>
|>     ...
|> 
|>    His belief is that AT&T was made known of the clipper well before the
|> rest of the industry. This is for several reasons, several of which are:
|> 
	This is a very good point.  AT&T obviously knew and participated in the
development of the Clipper chip.  This amounts to unfair business practice and
gives AT&T an early monopoly on the market [hopefully a non-existent market].
Other companies that compete with AT&T in the cellular market (Motorola, NEC, etc)
have grounds to file a complaint over this.

|> 
|> Right now the company is afraid that the new clipper chip will put them out
|> of business. This is a very real possibility. So they really need help in
|> stopping the clipper chip from becoming a standard. If you want to contact
|> them, they can be reached at..
|> 
|> Secure Communications Technology
|> 8700 Georgia Ave. Suite 302
|> Silver Spring, MD
|> 
|> (301) 588-2200
|> 
|>  ...

It would seem that the one fact that the government has overlooked in this
whole fiasco is the economic standpoint.  As others have mentioned, the most
difficulty the Clipper chip faces is an economic one.  Let's face it, the
average consumer doesn't care or know that the Clipper is a bad idea.  If
there is a perceived need for cellular encryption, then the companies will
provide one.  Most likely, a standard will emerge.  But if the Clipper is
too expensive (and $25 a chip is way too much) then they will develop their
own or buy a cheaper one.  I give SCT my full support, and hope the
Clipper chip goes the way of the Beta video tape format.

Also hope they get sued over re-using the name Clipper.

-- 
 ---------------------------------------Cyberspace:--------------------------
| David T. Croley | MCC - Exp Sys Lab | A place not real, no stone, no steel.|
| croley@mcc.com  | UT Austin, Texas  | A ghost unseen...the world "between".|
 ----------------------------------------------------------------------------

Newsgroup: sci.crypt
document_id: 15727
From: gregb@den.mmc.com (gregb)
Subject: Looking for crypto paper

Looking for PostScript or Tex version of a paper called:
	"PUBLIC-KEY CRYPTOGRAPHY"

Written by:
	James Nechvatal
	Security Technology Group
	National Computer Systems Laboratory
	National Institute of Standards and Technology
	Gaithersburg, MD 20899

	December 1990

The version I obtained is plain text and all symbolic character
formatting has been lost.

--
gregb@tosgcla.den.mmc.com

Newsgroup: sci.crypt
document_id: 15728
From: jac55@cas.org ()
Subject: Re: Why the clipper algorithm is secret

In article <1993Apr20.014135.24134@fsl.noaa.gov> bear@kestrel.fsl.noaa.gov (Bear Giles) writes:
>In article <C5pstr.Lu2@panix.com> dfl@panix.com (Danny O'Bedlam) writes:
>>      The algorithm is classified because a military contract (or similar
>>government equivalent to military) has been let for this "proprietary"
>>design that the Feds say that NSA developed.  Is there a patent?  Is that
>>patent publicly available?  My betting is that that too is classified.
>
>Unless there has been a _major_ change in the law, there's no such beast
>as a "classified patent."  Patents exist to encourage communications and
>develop the state of the art.

	Yes there is, the patent can be classified as secret.  I recently
	saw a patent from 1947 (dealing with nuclear weapons technology)
	that was only declassified in the last couple of years.  There
	is of course the problem of enforcing the patent.

>The same thing applies in civilian development: you can't patent something
>_and_ declare it a "trade secret."  However, you can (and should) mark all
>software (including proprietary code) "unpublished copyright" so that it
>ever does get exposed you still have some legal protection.

	This is absolutely right.

	Alec Chambers

Newsgroup: sci.crypt
document_id: 15729
Subject: Re: freely distributable public key cryptography c++ code: where?
From: a_rubin@dsg4.dse.beckman.com (Arthur Rubin)

In <15314.735453769@moose.cs.indiana.edu> Marc VanHeyningen <mvanheyn@cs.indiana.edu> writes:

>PGP is not available on the archive site rsa.com.  If it were, it
>would be highly amusing, since rsa.com (actually Public Key Partners,
>but it's the same entity) is the organization holding the patents
>which they claim are violated if you actually "make, use or sell" PGP.
>I believe those patents also apply in Canada, but I'm not a patent
>lawyer or anything.

(Sorry about double posting, but I forgot something.)

"make, use or sell" in this context have non-standard meanings:

"Make" means making an encrypted message.  "Use" may mean using PGP, or
using an encrypted message.  "Sell" would probably mean selling an
encrypted message.  It is the message created by a "patented" process
incorporated in PGP, which infringes.

--
Arthur L. Rubin: a_rubin@dsg4.dse.beckman.com (work) Beckman Instruments/Brea
216-5888@mcimail.com 70707.453@compuserve.com arthur@pnet01.cts.com (personal)
My opinions are my own, and do not represent those of my employer.

Newsgroup: sci.crypt
document_id: 15730
Subject: Re: Key Registering Bodies
From: a_rubin@dsg4.dse.beckman.com (Arthur Rubin)

In <nagleC5w79E.7HL@netcom.com> nagle@netcom.com (John Nagle) writes:

>       Since the law requires that wiretaps be requested by the Executive
>Branch and approved by the Judicial Branch, it seems clear that one
>of the key registering bodies should be under the control of the
>Judicial Branch.  I suggest the Supreme Court, or, regionally, the
>Courts of Appeal.  More specifically, the offices of their Clerks.

Now THAT makes sense.  But the other half must be in a non-government
escrow.  (I still like EFF, but I admit their security has not been
tested.)

--
Arthur L. Rubin: a_rubin@dsg4.dse.beckman.com (work) Beckman Instruments/Brea
216-5888@mcimail.com 70707.453@compuserve.com arthur@pnet01.cts.com (personal)
My opinions are my own, and do not represent those of my employer.

Newsgroup: sci.crypt
document_id: 15731
From: dds@doc.ic.ac.uk (Diomidis Spinellis)
Subject: "Greek" COMINT installation (was Re: The [secret] source of that announcement)

From article <1993Apr22.145106.158@cathy.ijs.si>, by Borut.B.Lavrencic@ijs.si:
> In article <gradyC5unp0.D21@netcom.com>, 
> grady@netcom.com (1016/2EF221) writes:
[...]
>> The most popular cipher systems in captured soviet spies was
>> the one-time pad, even with the necessity of keeping incriminating
>> evidence about, is known to be the only proven unbreakable system.
>> Soviet paranoia, right?
>> 
>> And what do you think the NSA does with its Wullenwebers?  And 
>> huge Rhombics pointed embassy row?  And their sites near
>> satellite uplink and downlink sites?  Duh.
[...]
> One case of Slovenian paranoia.
> 
> Once upon a time I tried to walk over the (famous) Marathon field, not far away 
> from Athens. I could not do that mostly because the field is now a huge 
> antenna farm. Probably a Greek COMINT installation, would you agree? 

Are you sure that the field is in the area you found the antenna
farm?  The tomb ("Ymvos") of Marathon which Herodotus specifies as near
the fighting area is in an area open to the public.

You must be referring to the U.S. army base of "Nea Makri".  It was
built by the U.S. in the same manner as bases all over the world
(W. Germany, Spain, Philippines, Turkey etc.) were built.  I think
it was a telecommunications hub.  Over the recent years U.S. forces
have withdrawn from the base and removed all military equipment.  The
area is currently under the control of the Greek Navy until all
interested parties (local government, central government, political parties)
agree on what should be done with the land (park, recreation area,
real-estate.)

(This has nothing to do with cryptography, security and the EFF; I have
redirected followups to soc.culture.greek)

Diomidis
-- 
Diomidis Spinellis    Internet: <dds@doc.ic.ac.uk>  UUCP: ...!uknet!icdoc!dds
Department of Computing, Imperial College, London SW7     #include "/dev/tty"

Newsgroup: sci.crypt
document_id: 15732
Subject: Re: Once tapped, your code is no good any more.
From: a_rubin@dsg4.dse.beckman.com (Arthur Rubin)

In <305@VisiCom.COM> makey@VisiCom.COM (Jeff Makey) writes:

>In article <C5so84.Hxv@demon.co.uk> Graham Toal <gtoal@gtoal.com> writes:
>>I am *completely* baffled by why Dorothy Denning has chosen
>>to throw away her academic respectability like this.

>She hasn't.  Dorothy Denning has spent many years earning the
>professional respect of her colleagues, and something won in this
>manner is not easily lost.  Her support of the clipper -- no matter
>how unpopular that position may be -- serves far more to enhance the
>clipper's respectability than to diminish her own.

I wouldn't think so.  Asking people to trust a secret algorithm seems
unsound to me.
--
Arthur L. Rubin: a_rubin@dsg4.dse.beckman.com (work) Beckman Instruments/Brea
216-5888@mcimail.com 70707.453@compuserve.com arthur@pnet01.cts.com (personal)
My opinions are my own, and do not represent those of my employer.

Newsgroup: sci.crypt
document_id: 15733
Subject: Re: freely distributable public key cryptography c++ code: where?
From: a_rubin@dsg4.dse.beckman.com (Arthur Rubin)

In <15314.735453769@moose.cs.indiana.edu> Marc VanHeyningen <mvanheyn@cs.indiana.edu> writes:

>PGP is not available on the archive site rsa.com.  If it were, it
>would be highly amusing, since rsa.com (actually Public Key Partners,
>but it's the same entity) is the organization holding the patents
>which they claim are violated if you actually "make, use or sell" PGP.
>I believe those patents also apply in Canada, but I'm not a patent
>lawyer or anything.

The patents don't apply in Canada.  I think the free trade agreement may
provide for recognition of new patents, but not old ones.


--
Arthur L. Rubin: a_rubin@dsg4.dse.beckman.com (work) Beckman Instruments/Brea
216-5888@mcimail.com 70707.453@compuserve.com arthur@pnet01.cts.com (personal)
My opinions are my own, and do not represent those of my employer.

Newsgroup: sci.crypt
document_id: 15734
From: steve-b@access.digex.com (Steve Brinich)
Subject: Re: Overreacting (was Re: Once tapped, your code is no good any more)

 > Somebody asked me what was wrong about overreacting in cases such as this.
 >
 > The reason is very simple:  How many people do you want to die in a riot?
 >In a new Civil War?

  Not me -- which is precisely why the government must be cut off at the
knees when it pulls stunts like this, lest the situation worsen to the point
where extreme measures are required.






Newsgroup: sci.crypt
document_id: 15735
From: nagle@netcom.com (John Nagle)
Subject: Re: Key Registering Bodies

       Since the law requires that wiretaps be requested by the Executive
Branch and approved by the Judicial Branch, it seems clear that one
of the key registering bodies should be under the control of the
Judicial Branch.  I suggest the Supreme Court, or, regionally, the
Courts of Appeal.  More specifically, the offices of their Clerks.

       Courts already operate substantial record-keeping operations.  Some
of these records are confidential.  So the concept of a court holding
information in confidence in accordance with law has longstanding legal 
precedents.  The judiciary is more immune to pressure from the executive
branch than any executive branch agency or contractor can be.  So judicial
control of keys is appropriate.

       For the other half of the key, I suggest a unit of Congress, the
General Accounting Office.  The GAO is Congress's staff unit for keeping
tabs on the Executive Branch, and has an excellent reputation.  It's
controlled strictly by Congress; the Executive Branch has no authority
over it.

       With keys split between the Legislative and Judicial branches,
we might have a chance of this system working honestly.  If, of course,
a way can be found to keep the keys from being siphoned off before
they reach the repositories.

       This should not be construed as an endorsement by me of the
whole Clipper concept.  But if we have to have it, splitting control
across all three branches of government might make it work.

					John Nagle

Newsgroup: sci.crypt
document_id: 15736
From: pjhong@cs.sunysb.edu (P. Joseph Hong)
Subject: Hidden Markov Modeling

In the article "At last! Now you can talk to your computer." in the May
issue of FORTUNE magazine, it was mentioned that phoneme prediction
used Hidden Markov Modeling.  This was the statistical method that Markov
developed to predict letter sequences in Pushkin's novel, _Eugene Onegin_.
It was then said that this technique worked so well that the NSA used
it to crack codes.
Does anyone have any references for HMM and how the NSA used it?
Or is this just an extension of the letter frequency tables that we
are all using anyway?

Joe	pjhong@clio.rad.sunysb.edu

Newsgroup: sci.crypt
document_id: 15737
From: agk@neural.hampshire.edu (Andrew Kriger)
Subject: Re: How to detect use of an illegal cipher?


could someone repost or send to me via email the original posting of the
Clipper Chip press release.

thanks

andrew kriger
hampshire college
agk@neural.hampshire.edu
-- 
Andrew Kriger					"Three may keep a secret
Hampshire College				 if two of them are dead"
agk@neural.hampshire.edu			 	---Benjamin Franklin

Newsgroup: sci.crypt
document_id: 15738
From: msnyder@nmt.edu (Rebecca Snyder)
Subject: public awareness (wasRe: text of White House announcement and Q&As on clipper chip encryption)

In article <2076@rwing.UUCP> pat@rwing.UUCP (Pat Myrto) writes:
>I think this is no accident.  It comes from the same philosophy that
>the government rules/controls the people, not the people controlling
>the government, that the unconnected citizens are not sophisticated enough
>to know what is best for them, so the government must tell the people
>what they need or do not need ... "we know best...".  And the idea that
>that a commoner can defend himself against government eavesdropping
>or unlawful attack is totally unacceptable to people with this outlook.
>
>
>Combine this all with pushing for national identity cards with 'smart
>chips' to encode anything they please (internal passport) under the
>guise of streamlining the State People's Health Care System, and with
>(you can be certain) more jewels yet to come, and one sees an extremely
>ominous trend.  So what if "1984" will be ten years late... it still is
>turning out to be an amazingly accurate prophecy... unless a LOT of
>people wake up, and in a hurry.
>
>One should ALWAYS have every red warning light and bell and danger flag
>come up when the government seeks to set itself apart in regard to
>rights, etc.  from the unconnected/unprivileged citizen (or should we
>now be saying 'subject' instead?)...  Why SHOULDN'T the average person
>have a good, secure system of data security, not dependent on nebulous
>'safeguards' for maintaining that security?  Why SHOULDN'T the average
>person be able to defend himself from an agency gone rogue?  I am sure
>the Feds could break into any data they really wanted to (but it would
>take some WORK), and using the same logic, one should not be allowed to
>have a good safe, unless a duplicate of the key(s) or combination are
>submitted for 'safekeeping' by the government?  I don't really see a
>difference, philosophically.  Encrypted data sure won't evaporate, not
>with such high-tech tools as a TAPE RECORDER...
>

The average amerikan today seems to think that the government should be
able to eavesdrop on everyone (else).  Opinion polls show that most
people believe the Bill of Rights to grant too much freedom to people,
when it is not identified as such (BTW, if anyone knows of a cite for that,
I'd love to have it).  Not only does this mean that these people are 
willing to give up everyone (else's) rights, they don't even know what 
the Bill of Rights actually says.

How can we show the average person (not the average USENET reader) that
people are actually entitled to these rights?  So many people don't
care if the government is taking more and more control of us all, a little 
at a time.  

If there was some sort of awareness of what the government is trying
to do by a majority of the US population... Just think about what
could be accomplished - but there are so many that trust, unthinkingly,
in whatever the media and government tell them.

Newsgroup: sci.crypt
document_id: 15739
From: kbeal@amber (Ken Beal)
Subject: Re: Once tapped, your code is no good any more.

Lawrence C. Foard (lfoard@hopper.Virginia.EDU) wrote:
> In article <1993Apr22.065357.9667@cs.aukuni.ac.nz> pgut1@cs.aukuni.ac.nz (Peter Gutmann) writes:
> [article deleted]
> >
> >Just doing a quick reality check here - is this for real or did someone
> >invent it to provoke a reaction from people?  It sounds more like the
> >sort of thing you'd have heard, suitably rephrased, from the leader of a 
> >certain German political party in the 1930's....
> It sounds like a joke (but then the war on drugs has always been a joke...).

I remember seeing it several months ago, and it was marked as a joke.
Funny how things circulate!
--
Kenneth L. Beal, Jr.  kbeal@amber.ssd.csd.harris.com | Use OS/2 2.1! :-) often.
"Does Pavlov ring a bell?"               - NLP tapes | Learn.  Keep moving.
"Street person my responsibility."   -  Indigo Girls | Better yourself.  Fnord.
"One man gathers what another man spills."   -  Dead | <> Opinions are mine. <>
Is YOUR religion BATF-approved?                      | pro!=con; progress != 

Newsgroup: sci.crypt
document_id: 15740
From: mckee@cs.Buffalo.EDU (Douglas McKee)
Subject: Re: **Sorry folks** (read this)


In article <1993Apr22.014646.28445@ucsu.Colorado.EDU>, andersom@spot.Colorado.EDU (Marc Anderson) writes:
|> In article <1993Apr21.001707.9999@ucsu.Colorado.EDU> andersom@spot.Colorado.EDU (Marc Anderson) writes:
|> [...]
|> >
|> >(the date I have for this is 1-26-93)
|> >
|> >note Clinton's statements about encryption in the 3rd paragraph..  I guess
|> >this statement doesen't contradict what you said, though.
|> >
|> >--- cut here ---
|> >
|> >        WASHINGTON (UPI) -- The War on Drugs is about to get a fresh
|> >start, President Clinton told delegates to the National Federation
|> >of Police Commissioners convention in Washington.
|> >        In the first speech on the drug issue since his inaugural,
|> >Clinton said that his planned escalation of the Drug War ``would make
|> >everything so far seem so half-hearted that for all practical
|> [...]
|> 
|> I just found out from my source that this article was a joke.  Heh heh..  
|> It seemed pretty damn convincing to me from the start -- I just didn't
|> notice the smiley at the end of the article, and there were a few other
|> hints which I should have caught.

Well, isn't this just a hoot! :)  All I read on this group is a bunch
of ppl fearing the misuses of information by the big bad evil govt.
This just happens to be a case of an ordinary-joe-netter, who decided
that he would create and/or distribute some misinformation.  Ppl buy
into BS posts like this (I know, because I forwarded a copy of the
post to my office mate, who turned around and was (although he won't
admit it...sorry Joe!) ready to get in a fight about F-O-R-F-E-I-T-U-R-E!!!)
Please, if we're going to hold our govt (which admittedly has had and
still has its problems) to high standards, then mustn't we follow these
too?  Electronic Freedoms only go so far.

 
|> Anyway -- I guess this 'joke' did turn out to resemble Clinton's true 
|> feelings at least to some extent.  
|> 
|> Sorry about that...
|> 
|> -marc
|> andersom@spot.colorado.edu

Hey, I'm willing to forgive...after of course my office mate takes his
extra anti-paranoia pills! :)

Doug McKee
mckee@cs.buffalo.edu

Newsgroup: sci.crypt
document_id: 15741
From: gardner@convex.com (Steve Gardner)
Subject: Re: The Escrow Database.

In article <strnlghtC5t3K6.InF@netcom.com> strnlght@netcom.com (David Sternlight) writes:
>>After the Waco Massacre and the Big Brother Wiretap Chip, any tactic
>>is fair.
>
>This is pernicious nonsense!
	In what way David?  Our government is totally out of control,
	whether you realize it or not.  I know you find it painful to
	think of your old buddy Uncle Sam as evil but it's true.  Other
	democracies have fallen before.  Ours is on its way and knee-jerk
	sheep that instinctively trust government are helping it slide.
	Power corrupts David, why is that so hard to understand?


Newsgroup: sci.crypt
document_id: 15742
From: jhan@debra.dgbt.doc.ca (Jerry Han)
Subject: Re: Overreacting (was Re: Once tapped, your code is no good any more)

In article <1r6g1n$rvb@access.digex.net> steve-b@access.digex.com (Steve Brinich) writes:
> > Somebody asked me what was wrong about overreacting in cases such as this.
> >
> > The reason is very simple:  How many people do you want to die in a riot?
> >In a new Civil War?
>
>  Not me -- which is precisely why the government must be cut off at the
>knees when it pulls stunts like this, lest the situation worsen to the point
>where extreme measures are required.


Fine then.  Cut them off with pen and paper, and not the sword.



-- 
Jerry Han-CRC-DOC-Div. of Behavioural Research-"jhan@debra.dgbt.doc.ca"
///////////// These are my opinions, and my opinions only. \\\\\\\\\\\\\
\\\\\\\\\ A proud and frozen member of the Mighty Warriors Band ////////  
"Memories of those I've left behind, still ringing in my ears."-Genesis-

Newsgroup: sci.crypt
document_id: 15743
From: strnlght@netcom.com (David Sternlight)
Subject: Re: new encryption


psionic@wam.umd.edu, whose parenthesized name is either an unfortunate
coincidence or casts serious doubt on his bona fides, posts a message in
which he seems willing to take the word of a private firm about which he
knows little that their new encryption algorithm is secure and contains no
trapdoors, while seemingly distrusting that of the government about clipper.

I suppose it depends on how paranoid one wishes to be, but how does the
writer know the firm isn't, for example, an NSA front? For purposes of this
message, how do we know "psionic" isn't?

I don't suggest that, but post this to point out that there is a class of
speculation that has no more truth value, without lots of hard evidence,
than the contrary one.

By the way, if "psionic" had said, in lower case letters, that the firm
CLAIMS there was no back door, I'd have no problem with that phrasing.

David
-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
document_id: 15744
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Off the shelf cheap DES keyseach machine (Was: Re: Corporate acceptance of the wiretap chip)

In article <C5uvn4.MF7@austin.ibm.com> arussell@austin.ibm.com (AG Russell)
writes:

>
>At the company I worked for previously, I received a file that was DES encrypted
>and the person that had sent it, went on vacation.  Rather than wait two weeks
>I set up a straight frontal attack with one key at a time.  It only took two(2)
>days to crack the file.  No, I don't have any faith in DES.
>

Taking this at face value (though it seems quite dissonant with much else
that has been published here about brute force DES cracking, unless Russell
was lucky with respect to the key), I'd be very interested in whether the
program Russell used is available? In whether he used a cleartext
recognition algorithm in the program or whether he had to examine each
decryption by hand? In whether he used a known plaintext attack?

He probably should also tell us, given his address, what machine he used--a
desktop, workstation, or super-computer.

Depending on his answer, this could be an appalling development calling into
question both DES and RSA/DES. Dunno about RSA/IDEA.

If any bright programmer with a little idle machine time can crack a single
DES message in a couple of days (assuming no tricks that are
message-specific), then here's my Clipper key, NSA; give me the chip at
once.  :-)

David
-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
document_id: 15745
From: victori@xetron.com (Victor Iseli)
Subject: Re: freely distributable public key cryptography c++ code:  where?



"Numerical Recipes in C"..Fortran..Pascal  has a nice section on
encryption and decryption based on the DES algorithm.  There is
also source code provided (I think some versions of this book are 
distributed with the source code on disk; the source code can
also be ordered from the publisher).

--Victor Iseli
victori@xetron.com

Newsgroup: sci.crypt
document_id: 15746
From: "Jon C. R. Bennett" <jb7m+@andrew.cmu.edu>
Subject: Ideas on Clipper


I have an idea as to why the encryption algorithm needs to be kept secret,
and some things that I think it implies. (Of course these could all be
wrong.....) 

from 

                     THE CLIPPER CHIP: A TECHNICAL SUMMARY
                               Dorothy Denning
                           Revised, April 21, 1993

.
.
.

The Clipper Chip contains a classified single-key 64-bit block
encryption algorithm called "Skipjack."  The algorithm uses 80 bit keys
(compared with 56 for the DES) and has 32 rounds of scrambling
(compared with 16 for the DES).  It supports all 4 DES modes of
operation.  The algorithm takes 32 clock ticks, and in Electronic
Codebook (ECB) mode runs at 12 Mbits per second.

Each chip includes the following components:

   the Skipjack encryption algorithm
   F, an 80-bit family key that is common to all chips
   N, a 30-bit serial number (this length is subject to change)
   U, an 80-bit secret key that unlocks all messages encrypted with the chip

.
.
.

ENCRYPTING WITH THE CHIP

To see how the chip is used, imagine that it is embedded in the AT&T
telephone security device (as it will be).  Suppose I call someone and
we both have such a device.  After pushing a button to start a secure
conversation, my security device will negotiate an 80-bit session key K
with the device at the other end.  This key negotiation takes place
without the Clipper Chip.  In general, any method of key exchange can
be used such as the Diffie-Hellman public-key distribution method.

Once the session key K is established, the Clipper Chip is used to
encrypt the conversation or message stream M (digitized voice).  The
telephone security device feeds K and M into the chip to produce two
values:

   E[M; K], the encrypted message stream, and 
   E[E[K; U] + N; F], a law enforcement field , 

which are transmitted over the telephone line.  The law enforcement
field thus contains the session key K encrypted under the unit key U
concatenated with the serial number N, all encrypted under the family
key F.  The law enforcement field is decrypted by law enforcement after
an authorized wiretap has been installed.

------------------

Suppose I knew how the algorithm worked and knew the N for my chip, but
did not know F; then by cryptanalysis I might be able to determine F from
the law enforcement field
   E[E[K; U] + N; F]
Not knowing N might make this much harder.

Now suppose that I know F (either legitimately or not).
If I know K (either because I am involved in the conversation, or I know U
for a party in the conversation), I may now be able to determine U for the
other party.

If I know F I can also defeat the law enforcement field, since I could
make my own, with a different K than the one I am using. Knowing F also
allows traffic analysis to be performed. So I might not know what you are
saying but I could know who you are saying it to.

Now I admit that someone trying to compute U will not have lots of
messages to work from, but since we have no way of knowing that the key
generation method does not (deliberately?) generate weak keys, or for that
matter that the published method is in fact used, perhaps the U's will be
chosen from known weak keys for the system.

Obviously the compromise of F would be a disaster, both to law enforcement
for whom this whole thing is designed, and for the people who believe that
it is giving them security. F is but one number, and I'm sure that a lot of
people (more than 1) know what it is (and if some "panel of experts" is
going to check it over for flaws then many more will know F); forget
grinding chips, bribery and blackmail work just fine.

So, am I wrong? Or are these problems?

jon

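The law enforcement field quoted above from Denning's summary, worked through as an added example that is not from the original post or from any Clipper implementation: a toy Feistel cipher built on SHA-256 stands in for the classified Skipjack algorithm (the E[...; ...] of the summary), K, U and F are 80-bit keys and N a 30-bit serial as stated above, and all function names are my own. It shows what a holder of F alone gets back (N and E[K; U], the traffic-analysis point made in the post) and that only the escrowed unit key U unlocks the session key K.

```python
import hashlib
import os

ROUNDS = 8
KEY_BYTES = 10      # 80-bit keys K, U and F, as in the quoted summary
SERIAL_BYTES = 4    # N is a 30-bit serial number; carried here in 4 bytes


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    """Keyed round function of the toy cipher (constructed stand-in, not Skipjack)."""
    digest = hashlib.sha256(key + bytes([rnd]) + half).digest()
    return digest[:len(half)]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """E[block; key]: a keyed permutation on any even-length block (toy Feistel)."""
    if len(block) % 2:
        raise ValueError("block length must be even")
    h = len(block) // 2
    left, right = block[:h], block[h:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right


def toy_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of toy_encrypt: run the Feistel rounds backwards."""
    h = len(block) // 2
    left, right = block[:h], block[h:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right


def make_leaf(K: bytes, U: bytes, N: int, F: bytes) -> bytes:
    """Build E[E[K; U] + N; F]: K wrapped under the unit key U, concatenated
    with the serial N, the whole encrypted under the family key F."""
    if not (len(K) == len(U) == len(F) == KEY_BYTES):
        raise ValueError("K, U and F must be 80-bit keys")
    if not 0 <= N < (1 << 30):
        raise ValueError("N must be a 30-bit serial number")
    wrapped = toy_encrypt(U, K)                              # E[K; U]
    return toy_encrypt(F, wrapped + N.to_bytes(SERIAL_BYTES, "big"))


def open_leaf_with_family_key(leaf: bytes, F: bytes):
    """What anyone holding only F learns: the serial N (enough for traffic
    analysis) and E[K; U], which is useless without that chip's unit key."""
    plain = toy_decrypt(F, leaf)
    return plain[:KEY_BYTES], int.from_bytes(plain[KEY_BYTES:], "big")


def recover_session_key(leaf: bytes, F: bytes, U: bytes):
    """The escrow path: F opens the field, the escrowed U for serial N unwraps K."""
    wrapped, serial = open_leaf_with_family_key(leaf, F)
    return toy_decrypt(U, wrapped), serial


def clipper_transmit(M: bytes, K: bytes, U: bytes, N: int, F: bytes):
    """The two values the summary says the chip emits: E[M; K] and the LEAF.
    M is an even number of bytes (the toy cipher's block constraint)."""
    return toy_encrypt(K, M), make_leaf(K, U, N, F)


if __name__ == "__main__":
    # Constructed sample keys and serial; real chips get U and N at programming time.
    F, U, K = os.urandom(KEY_BYTES), os.urandom(KEY_BYTES), os.urandom(KEY_BYTES)
    N = 0x1234567
    M = b"constructed voice frame!"
    ct, leaf = clipper_transmit(M, K, U, N, F)
    wrapped, serial = open_leaf_with_family_key(leaf, F)
    print("family key alone reveals serial", hex(serial), "but not K:", wrapped != K)
    K2, _ = recover_session_key(leaf, F, U)
    print("with escrowed U the session key is recovered:", K2 == K)
    print("and the stream decrypts:", toy_decrypt(K2, ct) == M)
```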

Newsgroup: sci.crypt
document_id: 15747
From: strnlght@netcom.com (David Sternlight)
Subject: Re: The Escrow Database.

In article <1993Apr22.170418.15799@news.eng.convex.com> gardner@convex.com
(Steve Gardner) writes:

>In article <strnlghtC5t3K6.InF@netcom.com> strnlght@netcom.com (David Sternlight) writes:
>>>After the Waco Massacre and the Big Brother Wiretap Chip, any tactic
>>>is fair.
>>
>>This is pernicious nonsense!
>	In what way David?  Our government is totally out of control,
>	whether you realize it or not.  I know you find it painful to
>	think of your old buddy Uncle Sam as evil but it's true.  Other
>	democracies have fallen before.  Ours is on its way and knee-jerk
>	sheep that instinctively trust government are helping it slide.
>	Power corrupts David, why is that so hard to understand?
>

That wasn't my point. My point is that your implied position about the "Waco
Massacre" is an assertion cum political position. According to a CNN poll,
about 86% of Americans think the FBI acted properly, and a majority think
they should have done it (the tear gas) a lot sooner. A large majority also
believe the FBI was not at all responsible for the death of the victims,
Koresh was. (Let's avoid the kind of fruitless argument of the sort If A
hadn't X'd, then B might not have Y'd....)

What you call the "Big Brother Chip" is right now a proposal under
discussion, and it is not yet clear that strong crypto is going to be
banned.

Therefore neither justifies "any tactic is fair." Thus the statement is
nonsense. It is pernicious, because "any tactic" can lead to damaging
others.

As I see you know from the tone of your reply, there's nothing personal
intended.

David
-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
document_id: 15748
From: pat@rwing.UUCP (Pat Myrto)
Subject: Re: Once tapped, your code is no good any more.

In article <1r21t1$4mc@access.digex.net> steve-b@access.digex.com (Steve Brinich) writes:
<
< > I wonder if she landed such a fat fee from cooperation with the NSA in
< >the design and propoganda stages that she doesn't care any more? 
<
<  Which is to say: is the NSA -totally- perfidious, or does it at least
<have the redeeming virtue of taking care of its own? <g>

Of course they take care of their own ... very well ... until the person
has 'outlived his/her/undefined usefulness'... then 'elimination' becomes
a consideration...  :-)

-- 
pat@rwing.uucp      [Without prejudice UCC 1-207]     (Pat Myrto) Seattle, WA
         If all else fails, try:       ...!uunet!pilchuck!rwing!pat
WISDOM: "Only two things are infinite; the universe and human stupidity,
         and I am not sure about the former."              - Albert Einstien

Newsgroup: sci.crypt
document_id: 15749
From: boyd@acsu.buffalo.edu (Daniel F Boyd)
Subject: Re: Off the shelf cheap DES keyseach machine (Was: Re: Corporate acceptance of the wiretap chip)

In article <strnlghtC5wCMo.Fx5@netcom.com> strnlght@netcom.com (David Sternlight) writes:
> In article <C5uvn4.MF7@austin.ibm.com> arussell@austin.ibm.com (AG Russell)
> writes:
> >At the company I worked for previously, I received a file that was
> >DES encrypted and the person that had sent it, went on vacation.
> >Rather than wait two weeks I set up a straight frontal attack with
> >one key at a time.  It only took two(2) days to crack the file.

> Taking this at face value (though it seems quite dissonant with much else
> that has been published here about brute force DES cracking, unless Russell
> was lucky with respect to the key), I'd be very interested in whether the
> program Russell used is available? In whether he used a cleartext
> recognition algorithm in the program or whether he had to examine each
> decryption by hand? In whether he used a known plaintext attack?


This has to be a dictionary attack.  No other attack makes sense.


This means that whoever encrypted the file just typed some password
which was a single dictionary word, and then Russell tried all the
words in the dictionary.  This isn't too implausible, especially if he
was smart and clipped the first plaintext block off the ciphertext (if
the first block doesn't decrypt then obviously the others won't
either).

Assuming one attempt a second, it takes seven hours to try all the
words in /usr/dict/words.   Not real tough.

If you want DES to be secure, you have to use RANDOM KEYS.  You can't
just type your wife's name and think "aha they'll never guess that
one!"



-- 
Daniel F. Boyd -- boyd@cs.buffalo.edu 

"Welcome to the First Church of Appliantology.  The white zone is for
loading and unloading only."

Newsgroup: sci.crypt
document_id: 15750
From: tcmay@netcom.com (Timothy C. May)
Subject: Re: The Escrow Database.

David Sternlight (strnlght@netcom.com) wrote:
: In article <1993Apr22.170418.15799@news.eng.convex.com> gardner@convex.com
: (Steve Gardner) writes:

...cascades elided to preserve our sanity....

: That wasn't my point. My point is that your implied position about the "Waco
: Massacre" is an assertion cum political position. According to a CNN poll,
....
: What you call the "Big Brother Chip" is right now a proposal under
: discussion, and it is not yet clear that strong crypto is going to be
: banned.

Just to set the record straight, Steve Gardner was not the author of
the bit you quoted--I was. Steve just took issue with David's
characterization of my words as "pernicious nonsense."

I won't further comment on my own views...folks either support 'em or
they don't, and the lines in question were neither central to the
points I was making in my original post nor to the important debate
here in sci.crypt and elsewhere.


-Tim May, who continues to hold the same views but doesn't feel like
debating politics

-- 
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,  
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets, 
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^756839 | Public Key: PGP and MailSafe available.


Newsgroup: sci.crypt
document_id: 15751
From: dmuntz@quip.eecs.umich.edu (Dan Muntz)
Subject: Re: new encryption

In article <strnlghtC5wC3z.Erw@netcom.com> strnlght@netcom.com (David Sternlight) writes:
>psionic@wam.umd.edu, whose parenthesized name is either an unfortunate
>coincidence or casts serious doubt on his bona fides, posts a message in
>which he seems willing to take the word of a private firm about which he
>knows little that their new encryption algorithm is secure and contains no
>trapdoors, while seemingly distrusting that of the government about clipper.

Will someone please post the David Sternlight FAQ to alt.privacy.clipper before
someone unfamiliar with him takes him seriously and starts yet another
flame fest?

  -Dan


Newsgroup: sci.crypt
document_id: 15752
From: ns111310@LANCE.ColoState.Edu (Nathaniel Sammons)
Subject: Re: I have seen the lobby, and it is us

1) I think that most of us can afford a stamp and an envelope, and the
cost of printing out a letter.

2) If some kind soul out there would write a letter, and upload it to 
the net, everyone could capture it, print it out, and snail-mail it
out to their local congressional critter.

BTW>> I'm working on one.

-nate

o---------------------------+======================================o
| "I hate quotations.       |     This message brought you by      |
|   Tell me what you know." |   Nate Sammons, and the number 42.   |
|    --Ralph Waldo Emerson  |  ns111310@longs.lance.colostate.edu  |
o---------------------------+======================================o

Newsgroup: sci.crypt
document_id: 15753
From: ns111310@LANCE.ColoState.Edu (Nathaniel Sammons)
Subject: could someone mail me the text from the White House Clipper announcement?

thanks a bunch,

-nate

o---------------------------+======================================o
| "I hate quotations.       |     This message brought you by      |
|   Tell me what you know." |   Nate Sammons, and the number 42.   |
|    --Ralph Waldo Emerson  |  ns111310@longs.lance.colostate.edu  |
o---------------------------+======================================o

Newsgroup: sci.crypt
document_id: 15754
From: wingo@apple.com (Tony Wingo)
Subject: Re: new encryption

In article <1993Apr22.092959@magic.mcc.com>, croley@magic.mcc.com (David
Croley) wrote:

> 
> It would seem that the one fact that the government has overlooked in this
> whole fiasco is the economic standpoint.  As others have mentioned, the most
> difficulty the Clipper chip faces is an economic one.  Let's face it, the
> average consumer doesn't care or know that the Clipper is a bad idea.  If
> there is a perceived need for cellular encryption, then the companies will
> provide one.  Most likely, a standard will emerge.  But if the Clipper is
> too expensive (and $25 a chip is way too much) then they will develop their
> own or buy a cheaper one.  

This is an interesting point.  As a VERY COARSE rule of thumb, you can
figure that the final price of a product is 3 to 5 times the Cost Of Goods.
(The exact multiplier depends largely on economies of scale: Products that
sell tens of millions of units/year will be at the low end, those that sell
thousands of units/year will be at the high end.  I suspect cellular phones
are in the middle).  This implies that adding a $25 chip would increase the
cost of the phone by approx $100, or about 25% - 30%.

I don't think you'll get a lot of consumer support for this.


-tony

>>usual disclaimer<<

Newsgroup: sci.crypt
document_id: 15755
From: cme@ellisun.sw.stratus.com (Carl Ellison)
Subject: Re: Clipper considered harmful

In article <bontchev.735336144@fbihh> bontchev@fbihh.informatik.uni-hamburg.de writes:
>No, because the Feds will still be able to decrypt the conversations.
>True, they'll blame the wrong guys, but nevertheless one cannot say
>something like "The drugs arrive tomorrow on the ship 'Terminus'"
>when the Feds are listening, even if they cannot identify who the
>speaker is.


It's not a question just of who is holding the phone.  It's a question of
what circuit to wiretap in the first place.  If two drug dealers are both
using stolen cellular phones, the FBI doesn't know which lines to tap
-- unless of course they're tapping *all* phones (maybe *all* cellular
phones).  If they haven't tapped the connection (i.e., at least one end of
the connection) then they don't know what key to request.

-- 
 - <<Disclaimer: All opinions expressed are my own, of course.>>
 - Carl Ellison                                        cme@sw.stratus.com
 - Stratus Computer Inc.       M3-2-BKW                TEL: (508)460-2783
 - 55 Fairbanks Boulevard ; Marlborough MA 01752-1298  FAX: (508)624-7488

Newsgroup: sci.crypt
document_id: 15756
From: grady@netcom.com (1016/2EF221)
Subject: Re: freely distributable public key cryptography c++ code:  where?

Victor Iseli (victori@xetron.com) wrote:
: 
: 
: "Numerical Recipes in C"..Fortran..Pascal  has a nice section on
: encryption and decryption based on the DES algorithm.  There is
: also source code provided (I think some versions of this book are 
: distributed with the source code on disk; the source code can
: also be ordered from the publisher).
: 
: --Victor Iseli
: victori@xetron.com

Yes I benchmarked the DES implementation in the Recipes in C
book.. it is about 1 1/2 orders of magnitude SLOWER than the
Outerbridge/Karn/Gillogly/et al implementation.

It may be instructional, but it isn't very fast.
-- 
grady@netcom.com  2EF221 / 15 E2 AD D3 D1 C6 F3 FC  58 AC F7 3D 4F 01 1E 2F


Newsgroup: sci.crypt
document_id: 15757
From: smb@research.att.com (Steven Bellovin)
Subject: Re: Once tapped, your code is no good any more.

In article <C5vMF3.MBt@murdoch.acc.Virginia.EDU>, lfoard@hopper.Virginia.EDU (Lawrence C. Foard) writes:
> In article <1993Apr22.065357.9667@cs.aukuni.ac.nz> pgut1@cs.aukuni.ac.nz (Peter Gutmann) writes:
> [article deleted]
> >
> >Just doing a quick reality check here - is this for real or did someone
> >invent it to provoke a reaction from people?  It sounds more like the
> >sort of thing you'd have heard, suitably rephrased, from the leader of a 
> >certain German political party in the 1930's....
> 
> It sounds like a joke (but then the war on drugs has always been a joke...).

I'm seeking permission to repost the actual note, but someone on another
mailing list checked the archives on Nexis (UPI and all major newspapers),
and found no mention of that article.

Newsgroup: sci.crypt
document_id: 15758
From: gardner@convex.com (Steve Gardner)
Subject: Re: Clipper will corrupt cops (was WH proposal from Police point of view)

In article <1993Apr21.041033.16550@news.clarkson.edu> tuinstra@signal.ece.clarkson.edu.soe writes:
>Clipper will make criminals out of cops.  Do we want to do this to our
>police forces?
	The War on some drugs has already turned a lot of police into
	criminals.  This is yet another nail in the constitution's coffin.


							smg

Newsgroup: sci.crypt
document_id: 15759
From: koontzd@phobos.lrmsc.loral.com (David Koontz )
Subject: Re: new encryption

>From: denning@guvax.acc.georgetown.edu
>                     THE CLIPPER CHIP: A TECHNICAL SUMMARY

>                               Dorothy Denning

>                           Revised, April 21, 1993

>The chips are programmed by Mykotronx, Inc., which calls them the
>"MYK-78."  The silicon is supplied by VLSI Technology Inc.


>All Clipper Chips are programmed inside a SCIF (Secure Compartmented
>Information Facility), which is essentially a vault.  The SCIF contains
>a laptop computer and equipment to program the chips.  About 300 chips
>are programmed during a single session.  The SCIF is located at
>Mykotronx.

>ACKNOWLEDGMENT AND DISTRIBUTION NOTICE.  This article is based on
>information provided by NSA, NIST, FBI, and Mykotronx.  Permission to
>distribute this document is granted.

So, who is Mykotronx, Inc.?  It would be nice to know that they were
not a front company used by an intelligence or other agency of the 
U.S. government.  Trusting the fox to guard the chickens, and all that.
Seems suspicious when the rest of the sources are foxes.

While we are at it, the chip design(s) should be examined and verified
against silicon to ensure no trap doors or hidden protocols exist in silicon,
regardless of the security level of the encryption algorithm.  It would be a 
shame if some three letter agency had the ability to interrogate my chip, when
all I'd know is that someone rang, and when I attempted to go off hook the
line went dead.  Could be even worse if the chip were intended to connect
directly to a modem.

The design examination should be done to the gate level.  Does anyone have
a good idea how to tell if there is a piggyback design on silicon?  The model
would be extra logic sharing pins with the advertised function.  Tip offs
would be circuitry that would ignore incoming data if formats or sequence
is not right.  I can think of only two ways an output pin could be used,
and it's possible that might be noticed, but could be edited from the netlist.
I think the silicon itself needs to be investigated.  Imagine a design
done in two layer metalization, yet finding a third layer under the
microscope.  

The government is asking for a lot of blind trust:  the encryption algorithm, 
operating protocols, the agency having physical control of the devices, the 
silicon implementation.  I'd feel like keeping one hand on my wallet.




Newsgroup: sci.crypt
document_id: 15760
From: rsilvers@nynexst.com (Robert Silvers)
Subject: Re: I have seen the lobby, and it is us

In article <Apr22.185314.14420@yuma.ACNS.ColoState.EDU> ns111310@LANCE.ColoState.Edu (Nathaniel Sammons) writes:
>1) I think that most of us can afford a stamp and an envelope, and the
>cost of printing out a letter.
>
>2) If some kind soul out there would write a letter, and upload it to 
>the net, everyone could capture it, print it out, and snail-mail it
>out to their local congressional critter.
>
>BTW>> I'm working on one.

	Send something to Rush Limbaugh about Clinton taking away our right
to privacy and how if the govt. standard takes off, only people with lots
of money (drug dealers) will be able to justify DES stuff.  He will slam
Clinton for this on the air.
						--Rob.


Newsgroup: sci.crypt
document_id: 15761
From: hanson@kronos.arc.nasa.gov (Robin Hanson)
Subject: Estimating Wiretap Costs/Benefits

              WOULD WIRETAP CHIP BE COST-EFFECTIVE?

                        by Robin Hanson
                     Draft, April 21, 1993

  SUMMARY: Compared to an average monthly phone bill of sixty dollars,
  wiretaps are only worth two cents a month to police.  So the
  proposed wiretap chip must raise phone costs by less than one part 
  in three thousand to be cost-effective. 

BACKGROUND

Until now, phones have happened to allow the existence of "wiretaps",
detectors which could pick up conversations on a phone line.  And over
time, law enforcement agencies have come to rely on this capability to
aid in criminal investigations.  However, powerful new encryption
technologies threaten this status quo, by making possible truly
private communication.  A small chip in each phone could soon make it
literally impossible to overhear a conversation without physical
microphones at either end.

In order to preserve the ability of law enforcement agencies to tap
phone conversations, the U.S. government announced on April 16, 1993
that it had developed and begun manufacturing a special "wiretap" chip
to be placed in future phones, instead of the total privacy chips
which have been under private development.  The same day, AT&T
announced it would use these chips "in all its secure telephone
products".

Each chip would be created under government supervision, when it would
be given a fixed identifier and encryption key.  Periodically during
each conversation, the chip would broadcast its identifier and other
info in a special "law enforcement block".  Law enforcement officers
with a court order could then obtain the key corresponding to the
identifier from special trust agencies, and could thereby listen in
on any future or previously recorded conversations on that phone.

To date, most concerns voiced about this plan have been about its
security.  The government won't disclose the encryption algorithm, and
many suspect the government will not limit its access in the way it
has claimed.  The track record of previous governments does not
inspire confidence on this point [1].

However, this paper will neglect these concerns, and ask instead
whether this new wiretap chip is a cost-effective tool for police
investigation.  That is, which is a cheaper way for society to
investigate crime: force phone communications to support wiretaps, or
give police agencies more money to investigate crimes in other ways?
Or to put it another way, would police agencies be willing to pay for
each wiretap, if they had to pay their share of the full social cost
of forcing phones to support wiretaps?

To start to answer this question, we might compare the current
benefits wiretaps provide to law enforcement agencies with projected
costs of implementing the new wiretap chip plan.  And since current
benefits are easier to estimate, we begin there.

WIRETAP BENEFITS

1990 is the latest year for which wiretap statistics are available
[2].  In that year, 872 wiretap installations were requested, and no
requests were denied.  (This figure does not include wiretaps obtained
with the consent of a party to the conversation.)  2057 arrests
resulted from wiretaps started the same year, 1486 arrests came from
wiretaps in previous years, and 55% of arrests led to convictions.
76% of the wiretaps were for phones (vs pagers, email, etc.), 60% were
regarding drug offenses, and 40% were requested by federal
authorities.  Each wiretap installation heard an average of 1487
calls, 22% of them incriminating, among 131 people, and cost an
average of $45,125 (extrapolating from the 794 installations
reporting costs), mostly for labor.

Thus a total of about $40 Million was spent on wiretaps, to obtain
about 4000 arrests, at $10,000 per arrest.  Thus these arrests are at
least four times more expensive than the $2500 per arrest figure one
gets by dividing the $28 Billion spent by all police nationally by the
total 11 Million non-traffic arrests [3].  Thus the $30 Million per
year spent on phone taps is only one thousandth of the total police
expenditures.  And if we divide this by the 138 Million phone "access"
lines in the country [3], we get about 23 cents spent per year per
phone line, or about two cents a month.

In general, we deter a given class of criminals through a combination
of a perceived probability of being caught and convicted, and some
expected punishment level if convicted.  So the social value of having
wiretaps is no more than the amount that we would have to pay to get
the same criminal deterrence through other means.  If unable to
wiretap a particular suspect's phone, police might instead use hidden
microphones, or investigate that suspect in other ways.  Or police
might focus on suspects more easily investigated without wiretaps.  Or
we might raise the fine or prison time for certain types of crime.

If we generously assume that these substitutes for wiretaps would be
on average twice as expensive as wiretaps, then the annual social
benefit of phone wiretaps is about equal to the current spending level
of two cents a month per phone line.

WIRETAP COSTS

Let us for the moment optimistically assume that the US government
encryption scheme is as secure as whatever private enterprise would
have offered instead, protecting our conversations from the spying
ears of neighbors, corporations, and governments, both foreign and
domestic.  Even so, the need to support wiretaps would add many
additional costs to build and maintain our communication system.

Extra law enforcement blocks would be added to phone transmissions,
increasing traffic by some unknown percentage.  A special process must
be used to add encryption keys to chips, while securely distributing
these keys to special agencies, which must be funded and monitored.
The chips themselves are designed by a military contractor, whose
design is to remain secret, and are manufactured through a special
process so that the chip becomes nearly impossible to take apart.
(Chips are now offered at the relatively high price of $30 a piece in
lots of 10,000 [4].)  Private encryption systems not supporting
wiretaps would require none of these extra costs.

Perhaps most important, government decree would at least partially
replace private marketplace evolution of standards for how voice is to
be represented, encrypted, and exchanged in our future phones.  It is
widely believed that governments are less efficient than private
enterprise in procuring products and standards, though they may perhaps
perform a useful brokering role when we choose between competing private
standards.  How much less efficient is a matter of debate: some say
they pay twice as much, while others might say only 10% more.

Currently, a total of $96 Billion is spent as operating expenses of
U.S. phone companies [3], which comes out to about $60 per month per
access line.  If we compare this to the wiretap value of two cents per
month, we see that if wiretaps raise average operating costs by even
as much as one part in 3000, then wiretaps are not cost effective!
And this doesn't even include extra costs phone owners pay because
their encryption chips are more expensive.  Of course most phones
wouldn't have encryption chips for a while, but the wiretap benefit
per phone is still the same, so this argument still applies.

CONCLUSION

Given this dramatic difference between the total cost of running the
phone system and the value of wiretaps, we can justify only the
slightest modification of the phone system to accommodate wiretaps.
When the only modification required was to allow investigators in to
attach clips to phone wires, wiretap support may have been reasonable.
But when we consider substantial modification, the burden of proof is
clearly on those proposing such modification to show that the costs
would really be less than the benefits.  

If consensus cannot be obtained on this cost/benefit estimate, a
compromise might be to tax phones which do not support wiretaps at a
rate of say five cents per month, a tax payable to police agencies
nationwide to compensate them for their loss of wiretap abilities.

[1] The Invisible Weapon, Oxford Press, ISBN 0-19-506273-6

[2] Report on Applications for Orders Authorizing or Approving the
    Interception of Wire, Oral, or Electronic Communications, 1990,
    Administrative Office of U.S. Courts, Washington, DC 20544.

[3] U.S. Statistical Abstracts, 1992.  

[4] Dorothy Denning, "The Clipper Chip: A Technical Summary",
    distributed to sci.crypt newsgroup April 21, 1993. 
-- 
Robin Hanson  hanson@ptolemy.arc.nasa.gov 
415-604-3361  MS-269-2, NASA Ames Research Center, Moffett Field, CA 94035
510-651-7483  47164 Male Terrace, Fremont, CA  94539-7921 

Newsgroup: sci.crypt
document_id: 15762
From: rdippold@qualcomm.com (Ron "Asbestos" Dippold)
Subject: Re: Do we need the clipper for cheap security?


pdc@dcs.ed.ac.uk (Paul Crowley) writes:
>Quoting pmetzger@snark.shearson.com (Perry E. Metzger) in article <1993Apr21.012011.27470@shearson.com>:
>>Whats the difference between a V.32bis modem and a V.32bis modem?

>How fast do the fastest modems go?
>How far can voice be compressed?
>I've seen various assertions about this, but anyone with the
>straightforward bits-per-second figures will be my friend forever...

How about half a friend?  The Motorola Codex preliminary V.Fast modem
(which you can buy right now) does 24.4 kbps (raw) over standard phone
lines.  28.8 kbps is what is usually claimed for the "final" v.fast,
but you can't go out and buy that right now, the standard isn't done yet.

Again, voice can be compressed quite well down to 4000 or 8000 bps
depending on how good you want it to be, but that requires a DSP or a
special ASIC to do in real-time.
-- 
I think I am! I think I am! - the little engine that philosophized

Newsgroup: sci.crypt
document_id: 15763
From: martin@world.std.com (Martin J Hannigan)
Subject: Re: new encryption

In article <1993Apr22.185330.20976@zip.eecs.umich.edu> dmuntz@quip.eecs.umich.edu (Dan Muntz) writes:
>In article <strnlghtC5wC3z.Erw@netcom.com> strnlght@netcom.com (David Sternlight) writes:
>>psionic@wam.umd.edu, whose parenthesized name is either an unfortunate
>>coincidence or casts serious doubt on his bona fides, posts a message in
>>which he seems willing to take the word of a private firm about which he
>>knows little that their new encryption algorithm is secure and contains no
>>trapdoors, while seemingly distrusting that of the government about clipper.
>
>Will someone please post the David Sternlight FAQ to alt.privacy.clipper before
>someone unfamiliar with him takes him seriously and starts yet another
>flame fest?
>
>  -Dan
>


Hello. I am the David Sternlight keeper of the FAQ. Unfortunately I cannot
find it at the present time.

From the original FAQ:

Question: Does anyone take David Sternlight seriously?

Fact: No one takes David Sternlight seriously. They review his opinions and
in most cases immediately discard them or jerk them over to
alt.fan.david-sternlight which actually should be alt.flame.david-sternlight.

A photograph of David Sternlight for the curious:



                         |\/\/\/\|
                         |       |
                         |  (o)(o)
                         C       _)           David Sternlight
                          |  ,___|            Net.Police
                          |    /              a.k.a. PROUD
              _0--------/\/----\/\-------0_   DICK OF
             /         /0 \----/ 0\        \  THE INTERNET
            /     |      \ \||/ /     |     \
           /     /|DAVID    ||  POLICE|\     \
         _/_____/ ||     ]  ||  | [#] || \_____\_
        |_______/ |\____/   ||  \__*_/| \_______|                    


Question: Why does David continue to relate misstatements regarding
encryption and other topics?

Fact: David Sternlight has a chemical imbalance of the right side of his
brain.



-- 
Martin Hannigan    :       Twisted Pair Consulting       : 617-623-3534
Mac                :         IBM PC & Mainframe          : UNIX

Newsgroup: sci.crypt
document_id: 15764
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Once tapped, your code is no good any more.

In article <a_rubin.735496128@dsg4.dse.beckman.com>
a_rubin@dsg4.dse.beckman.com (Arthur Rubin) writes:

>
>I wouldn't think so.  Asking people to trust a secret algorithm seems
>unsound to me.

Maybe so, but it's quite common. There are millions of Macintosh users who
have no idea what's in Apple's patented ROMs. Many have modems connected.
How do you know all your business secrets aren't being stolen? Answer:
1. Because you trust Apple;
2. Because if any such attempt, however sophisticated, came out, it would
destroy Apple's credibility forever.

In the Clipper case, a representative body of experts is going to be allowed
to audit it, and we'll have assurances (maybe even from the President) that
other than the escrowed keys there are no back doors. While some may not
have confidence in that (I am not among them), it's a lot more assurance
than we get for many things we routinely trust in everyday life.

David
-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
document_id: 15765
From: ted@nmsu.edu (Ted Dunning)
Subject: Re: Off the shelf cheap DES keyseach machine (Was: Re: Corporate acceptance of the wiretap chip)


In article <strnlghtC5wCMo.Fx5@netcom.com> strnlght@netcom.com (David
Sternlight) writes:

   >At the company I worked for previously, I received a file that was
   >DES encrypted and the person that had sent it went on vacation.
   >Rather than wait two weeks I set up a straight frontal attack with
   >one key at a time.  It only took two (2) days to crack the file.
   >No, I don't have any faith in DES.
   

   Taking this at face value (though it seems quite dissonant with
   much else that has been published here about brute force DES
   cracking, unless Russell was lucky with respect to the key), I'd be
   very interested in whether the program Russell used is available?

key search is very practical in many real situations since people use
such stupid keys on the average.  password crackers know this well.

   Depending on his answer, this could be an appalling development
   calling into question both DES and RSA/DES.

not really.  in fact, public key based communication systems very
often pick keys automatically which are much better than passwords or
pass phrases.

   If any bright programmer with a little idle machine time can crack
   a single DES message in a couple of days (assuming no tricks that
   are message-specific),

if a person picked the password or pass phrase, then the key search is
pretty straightforward.  in running english text, the average content
of a single word is about 8 bits.  in pass phrases, this may increase
to 10 bits or so.  searching 30-bit spaces is semi-practical even in
software and searching 40-bit spaces isn't outrageous to imagine with
hardware assists of moderate size.

Newsgroup: sci.crypt
document_id: 15766
Subject: Re: Organized Lobbying for Cryptography
From: kubo@zariski.harvard.edu (Tal Kubo)

In article <C5uprt.GMq@dcs.ed.ac.uk> pdc@dcs.ed.ac.uk (Paul Crowley) writes:
>
>>Perhaps these encryption-only types would defend the digitized porn if it
>>was posted encrypted?
>
>>These issues are not as separable as you maintain.
>
>In fact, since effective encryption makes censorship impossible, they
>are almost the same issue and they certainly fall into the brief of the
>EFF.


It also falls within the purview of the ACLU, but that doesn't mean
the ACLU (or the EFF) would be the most effective instrument to 
"win the hearts and minds" in favor of access to cryptography. 

It's precisely slogans like "cryptography makes censorship impossible"
which stand to torpedo any attempt to generate a broad consensus in favor
of encryption.  It is not true, and in the context of a public debate it
would be a dangerous red herring.  Advocates of strong crypto had better
prepare themselves to answer such charges in pragmatic terms that laypeople
and politicians can sympathize with. The usual mumblings about
Constitutional amendments are not enough.



Tal  kubo@math.harvard.edu

Newsgroup: sci.crypt
document_id: 15767
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks only


Doug Holland claims Tom Clancy has provided the recipe for nuclear bombs.
Clancy himself says he has omitted certain crucial steps. Further, how do we
know Clancy knows, rather than repeating what he's read or been told in the
unclassified domain?

-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
document_id: 15768
From: strnlght@netcom.com (David Sternlight)
Subject: Re: political point of attack: Clipper infrastructure

In article <1993Apr22.022324.17172@news.clarkson.edu> tuinstra@signal.ece.clarkson.edu.soe writes:

>
>From these figures, estimate the number of Clipper-tap requests the FBI
>is expecting.  Publish this figure.  Compare it on a per-capita basis
>with the amount of tapping now known or suspected.

The Attorney General publishes the number of court-ordered taps each year.
It isn't enough (around a thousand) for the average non-crook, non-spy to
worry about. In fact, considering any reasonable guess about the number of
big-time crooks and spies around, it may not be enough even for most crooks
and spies to worry about.

There's no reason to believe that it will go up with Clipper, since the
number of taps now includes many targets too stupid to use encryption (based
on the playbacks we've heard in court cases).

David

-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
document_id: 15769
From: gardner@convex.com (Steve Gardner)
Subject: Re: Would "clipper" make a good cover for other encryption method?

In article <strnlghtC5t3nH.Is1@netcom.com> strnlght@netcom.com (David Sternlight) writes:
>In article <1993Apr20.032623.3046@eff.org> kadie@eff.org (Carl M. Kadie) writes:
>
>
>>So, don't just think of replacements for clipper, also think of front
>>ends.
>
>This only makes sense if the government prohibits alternative non-escrowed
>encryption schemes. Otherwise, why not just use the front end without
>clipper?
	Because everyone but you expects that making alternative methods of 
	encryption illegal is the next step.  Otherwise the Cripple chip is 
	utterly worthless.  It should be obvious that 
		a) the Cripple Chip is aimed at spying on ordinary citizens
				OR
		b) that other forms of encryption will soon be illegal.

						smg



Newsgroup: sci.crypt
document_id: 15770
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Can DES code be shipped to Canada?

In article <1993Apr22.125402.27561@fripp.ri.cadre.com> rj@ri.cadre.com writes:
>Someone in Canada asked me to send him some public domain DES file
>encryption code I have.  Is it legal for me to send it?

I believe it is illegal to send any cryptographic code out of the country
without an export license. (Others will correct me if this is inaccurate.)

Dunno if you'd get one for the particular code you have; the only way to
find out is to apply for a license.

Note that you need to distinguish between what is legal to send to Canada if
YOU have such a license, and what is legal to send if you don't.

-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  

Newsgroup: sci.crypt
document_id: 15771
From: strnlght@netcom.com (David Sternlight)
Subject: Wiretapping reality today


Some of the messages here seem to reflect the view that the government is
listening in on everything and one will have to hide one's clipper messages
somehow if non-escrowed crypto goes away.

A little perspective might be in order.

The number of court ordered wire taps is pretty low. Law enforcement has to
present pretty good evidence to get even that limited number of
authorizations.

Thus the overwhelming majority of conversations are neither tapped nor
recorded by the government, and for that to happen they have to:
a) Have a pretty good reason, with evidence;
b) Use this sparingly on highest priority "pretty good reasons."

Though the system may be imperfect, it is a long way from the horror stories
some here seem to believe or anticipate.

-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
document_id: 15772
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Fear, Uncertainty, Doubt

In article <1r4vo3$koj@access.digex.net> steve-b@access.digex.com (Steve
Brinich) writes:

>  I suspect that the decisive element in the political battle will be the
>FUD (Fear, Uncertainty, Doubt) factor.
>  If the people who would be end users of the Cripple Chip hear of the whole
>debate only vaguely -- the government says it's solid; other people in the
>field say it's Swiss cheese -- the balance of doubt could shift against the
>Feds.  Any attempt to limit other forms of encryption could then be presented
>as the government covering its own butt by protecting its poor product from
>superior competition.
>  Comments?
>
Since you asked, the above is a bit inaccurate. More accurate is that the
government says its solid, other people in the field who might be able to
find out haven't yet done their review of the chip design, and there's been
a lot of wild speculation and guesswork from those with little information
that it might be Swiss cheese.

David


-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
document_id: 15773
From: strnlght@netcom.com (David Sternlight)
Subject: Re: I have seen the lobby, and it is us

In article <Apr22.185314.14420@yuma.ACNS.ColoState.EDU>
ns111310@LANCE.ColoState.Edu (Nathaniel Sammons) writes:

>1) I think that most of us can afford a stamp and an envelope, and the
>cost of printing out a letter.
>
>2) If some kind soul out there would write a letter, and upload it to 
>the net, everyone could capture it, print it out, and snail-mail it
>out to their local congressional critter.
>
>BTW>> I'm working on one.

Far more effective than mass mailing of a standard letter (this is taken
usually to represent one pressure group) is a set of individual letters.

Perhaps Nathaniel Sammons or someone else would like to prepare a set of
"talking points" from which individuals could compose their own letters.

-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  

Newsgroup: sci.crypt
document_id: 15774
From: kadie@cs.uiuc.edu (Carl M Kadie)
Subject: Re: political point of attack: Clipper infrastructure

strnlght@netcom.com (David Sternlight) writes:

[...]
>The Attorney General publishes the number of court-ordered taps each year.
[...]

I believe you are mistaken. I don't believe the AG publishes the
number of state wiretaps.

- Carl

-- 
Carl Kadie -- I do not represent any organization; this is just me.
 = kadie@cs.uiuc.edu =

Newsgroup: sci.crypt
document_id: 15775
From: Lyle_Seaman@transarc.com
Subject: Re: Overreacting (was Re: Once tapped, your code is no good any more)

jhan@debra.dgbt.doc.ca (Jerry Han) writes:
> Somebody asked me what was wrong about overreacting in cases such as this.

That was probably me.
I meant only that nobody has overreacted yet.  It seemed to me that
Jerry was suggesting that people are currently overreacting, and I 
vehemently disagree.  I see a lot of talk, but not much action.
I see now that I misunderstood Jerry's position.

> The reason is very simple:  How many people do you want to die in a riot? 
> In a new Civil War? 
>
> Everybody is jumping up and down and screaming about it, and I'm worried
> that people are going to reach for their hammers and rifles before their pens
> and paper.  

Not this bunch.  They'll just bitch on the Net for a while, and 
then go back to lurking.

> Can people work within the system before trying to break it?  Examine your
> history books, and find out how many armed revolutions led to Democratic
> (or Democratic style) governments.  I think you'll only find one in over
> five thousand years of written history.

Actually, it's not quite that bad, but it's close.

Look, we (collectively) have the power to throw the bums out, but we
don't use it.  We clearly don't need to go burning things down, but we
clearly do need to throw at least some of the bums out.
Unfortunately, the bums have learned to target only small groups of
people at a single time, so the masses won't react and throw them out.
Eventually, the masses will react, unless the bums cease their
relentless encroachment on liberty and despoilment of the economy.
The sooner it happens, the less the damages will be.  I don't want to
live in a war zone, either -- I want to see the bums thrown out before
they do some *real* damage.

Lyle		Transarc		707 Grant Street
412 338 4474	The Gulf Tower		Pittsburgh 15219

Newsgroup: sci.crypt
document_id: 15776
From: calkin@math34.gatech (Neil Calkin)
Subject: Re: political point of attack: Clipper infrastructure

In article <C5wMu9.MqJ@cs.uiuc.edu> kadie@cs.uiuc.edu (Carl M Kadie) writes:
   strnlght@netcom.com (David Sternlight) writes:

   [...]
   >The Attorney General publishes the number of court-ordered taps each year.
   [...]

   I believe you are mistaken. I don't believe the AG publishes the
   number of state wiretaps.

   - Carl

   -- 
   Carl Kadie -- I do not represent any organization; this is just me.
    = kadie@cs.uiuc.edu =

Hmmm.... now if we could have *3* keys kept in escrow, with one of the 
groups keeping a key being the government, then the states would need
federal permission to run a wiretap.... interesting possibility:-)


Neil

Newsgroup: sci.crypt
document_id: 15777
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: Re: Clipper considered harmful

brad@optilink.COM (Brad Yearwood) writes:
>If Clipper comes to cellular phones along with legal proscriptions against
>using other cipher systems on these phones, a new and potentially dangerous
>class of crime is created.
>
>Criminals who very badly want inscrutable tactical communications (specifically
>the terrorists and drug dealers who proponents of key escrow cite as threats)
>will be highly motivated to steal the cipher phone of a legitimate user, and
>to kill this person or hold them hostage so discovery of compromise of the
>device will be delayed.

You obviously haven't read the information about the system. The chips
put out serial number information into the cypher stream to allow
themselves to be identified. The system does not rely on registering
people as owning particular phone units.

I am against the proposal, but let's be accurate in our objections.

--
Perry Metzger		pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
document_id: 15778
From: davidc@montagar.com (David L. Cathey)
Subject: Re: The [secret] source of that announcement

In article <gradyC5uAMw.BnG@netcom.com>, grady@netcom.com (1016/2EF221) writes:
> Maybe we should start a newsgroup for the distribution of encrypted 
> posts intended for members of affinity groups with a shared private
> key.  For example at the coming up Cypherpunks meeting, a private
> key corresponding to that particular meeting could be passed out
> by a moderator.  Minutes, followup comments to other participants,
> and so on could be posted to the alt.encrypted group for the use
> of the people who attended. Communiques intended by the group for
> non-attendees could of course just be signed using the private key
> but otherwise not encrypted.

	I like it.  PGP would be useful, I guess.  Although I don't have
a working version for VMS yet... :-(

> grady@netcom.com  2EF221 / 15 E2 AD D3 D1 C6 F3 FC  58 AC F7 3D 4F 01 1E 2F
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
David L. Cathey		                |INET: davidc@montagar.com
Montagar Software Concepts              |UUCP: ...!montagar!davidc
P. O. Box 260772, Plano TX  75026-0772  |Fone: (214)-618-2117

Newsgroup: sci.crypt
document_id: 15779
From: lefty@apple.com (Lefty)
Subject: Re: freely distributable public key cryptography c++ code:  where?

In article <gradyC5wGrz.CvC@netcom.com>, grady@netcom.com (1016/2EF221)
wrote:
> 
> Victor Iseli (victori@xetron.com) wrote:
> : 
> : 
> : "Numerical Recipes in C"..Fortran..Pascal  has a nice section on
> : encryption and decryption based on the DES algorithm.  There is
> : also source code provided (I think some versions of this book are 
> : distributed with the source code on disk; the source code can
> : also be ordered from the publisher).
> : 
> : --Victor Iseli
> : victori@xetron.com
> 
> Yes I benchmarked the DES implementation in the Recipes in C
> book.. it is about 1 1/2 orders of magnitude SLOWER than the
> Outerbridge/Karn/Gillogly/et al implementation.
> 
> It may be instructional, but it isn't very fast.

It has also apparently been excised from the second edition.

--
Lefty (lefty@apple.com)
C:.M:.C:., D:.O:.D:.

Newsgroup: sci.crypt
document_id: 15780
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: CELP vocoders

gtoal@gtoal.com (Graham Toal) writes:
>Absolutely.  I just meant that no secure *dedicated* crypto device has
>ever been given approval.  Guerrilla underground devices should be well
>possible with today's high-speed modems (not that I can think of many v32bis
>modems that are approved either mind you - just the overpriced Couriers)
>
>Can someone tell me if hardware compression is or is not needed to run
>digital speech down 14.4K?  I think it is; I've heard it's not.  Let's
>say 8 bit samples.  Would *raw* data at the corresponding sampling rate
>be usable?  If not, how fancy does the compression need to be?

It is said that CELP vocoders can run on the highest speed 486s with
some room to spare -- they turn 64kbit (8 bit samples, 8k samples/sec)
into 4800 baud. However, DSP is hairy, and I have yet to see actual
proof of this in the form of an implementation. I have heard fairly
reliable rumors to the effect that a famous internetworking guru has a
CELP implementation that runs on Sparcstation 1+'s with some room to
spare, but I have not succeeded thus far in getting my hands on a copy
-- the guru in question has a reputation for not releasing code
without having beaten on it for a very very long time first. 

DSP experts are heavily encouraged to try their own hand at this
problem.

--
Perry Metzger		pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
document_id: 15781
From: koontzd@phobos.lrmsc.loral.com (David Koontz )
Subject: Is key escrow enough?

>From: denning@guvax.acc.georgetown.edu
>                           Revised, April 21, 1993

>The chips are programmed by Mykotronx, Inc., which calls them the
>"MYK-78."  The silicon is supplied by VLSI Technology Inc.

>All Clipper Chips are programmed inside a SCIF (Secure Compartmented
>Information Facility), which is essentially a vault.  The SCIF contains
>a laptop computer and equipment to program the chips.  About 300 chips
>are programmed during a single session.  The SCIF is located at
>Mykotronx.

>ACKNOWLEDGMENT AND DISTRIBUTION NOTICE.  This article is based on
>information provided by NSA, NIST, FBI, and Mykotronx.  Permission to
>distribute this document is granted.

So, who is Mykotronx, Inc.?  It would be nice to know that they are
not a front company used by an intelligence or other agency of the 
U.S. government.

While we are at it, the chip design(s) should be examined and verified
against silicon to insure no trap doors or hidden protocols exist in silicon,
regardless of the security level of the encryption algorithm.  There is
no proof that the chip won't squeal and roll over for someone with the
proper knowledge to interrogate it via the communications link.

The design examination should be done to the gate level.  Also, how does one
verify that what you are looking at is reflected in tapeout, or masks?

The silicon should be examined as well, the design in hand (a clean room
publicly defined clipper chip) can be merged with another design later, or
changed between completion and mask out.  There is little proof that what
you are told is in the chip is all that is in the chip.

Put the (verified) masks in escrow, and use them for chip production,
use a third escrow party for programming the chips. 

The government is asking for a lot of blind trust:  the encryption algorithm, 
operating protocols, the agency having physical control of the devices, the 
silicon implementation.  If the  government is so trustworthy, why escrow
anything?

Newsgroup: sci.crypt
document_id: 15782
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks  only

amanda@intercon.com (Amanda Walker) writes:
>
>> We *do* need an alternative to NSA-bugged telephones, but 
>> we're talking inexpensive *telephones* here, including hand-sized 
>> cellulars, that need strong crypto, real privacy.
>
>So start a company and build them.  This is still mostly a capitalist 
>economy...

Qualcomm had spare cycles in the DSPs for their new CDMA digital
cellular phones. They wanted to put strong crypto into them since they
had the capacity. The government decided to "discourage" them.

Really, none of this stuff is especially hard. All you need for a true
private phone is an ISDN codec, a vocoder (either a chip or
software), an encryptor (a chip is fine, but software is more than
fast enough), a V.32 or V.32bis modem module, and maybe a
microcontroller to run the whole thing. It's easy to do, it's cheap. And
any "normal" company trying to put one out will likely get a visit
from the boys in the dark suits from Washington, just like Qualcomm
did. I suspect that companies like Cylink are tolerated because their
products are too expensive.

However, no law yet stops one from building really private phones, in
spite of the hints the administration has made when discussing the new
"crime bill" and in connection with the Clipper/Skipjack Big Brother
chip. Someone out there WILL build a unit to do all this. Better yet,
perhaps someone will produce a package that turns any 486 box with a
sound card into a secure phone.

--
Perry Metzger		pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
document_id: 15783
From: grady@netcom.com (1016/2EF221)
Subject: Re: transparent cyphertext?

 (34AEJ7D@CMUVM.BITNET) wrote:
: In light of recent events, it may soon become a very good idea
: to include the ability to produce transparent, or at least non-obvious,
: cyphertext in upcoming revisions.

This won't help if the NSA/FBA axis requires all messages to
undergo textual analysis and reduction to canonical form to
eliminate concealed messages.

After reading several National Computer Security Center
documents, I'm convinced that they are already using this
filter.  DoubleplusgoodNOT.

-- 
grady@netcom.com  2EF221 / 15 E2 AD D3 D1 C6 F3 FC  58 AC F7 3D 4F 01 1E 2F


Newsgroup: sci.crypt
document_id: 15784
From: arussell@austin.ibm.com (AG Russell)
Subject: Re: Off the shelf cheap DES keyseach machine (Was: Re: Corporate acceptance of the wiretap chip)


In article <strnlghtC5wCMo.Fx5@netcom.com>, strnlght@netcom.com (David Sternlight) writes:
> In article <C5uvn4.MF7@austin.ibm.com> arussell@austin.ibm.com (AG Russell)
> writes:
> 
> >
> >At the company I worked for previously, I received a file that was DES encrypted
> >and the person that had sent it went on vacation.  Rather than wait two weeks
> >I set up a straight frontal attack with one key at a time.  It only took two (2)
> >days to crack the file.  No, I don't have any faith in DES.
> >
> 
> Taking this at face value (though it seems quite dissonant with much else
> that has been published here about brute force DES cracking, unless Russell
> was lucky with respect to the key), I'd be very interested in whether the
> program Russell used is available? In whether he used a cleartext
> recognition algorithm in the program or whether he had to examine each
> decryption by hand? In whether he used a known plaintext attack?

Given that certain archival methods have certain key (cleartext) in a file, I
used a programmatic dictionary attack.  I used the DES library provided with the
system that I was using.  What is to keep anyone from being lucky with a key?
 
> He probably should also tell us, given his address, what machine he used--a
> desktop, workstation, or super-computer.

My previous employment has nothing to do with my current address, other than
the fact that the fastest machine in the office was an IBM RISC System/6000 
model 530, with 16 meg of memory (not a super-computer).
 
> Depending on his answer, this could be an appalling development calling into
> question both DES and RSA/DES. Dunno about RSA/IDEA.

I really think this is more of a statement of the limitations placed on the key
by the interface (ASCII char/no padding), and most programs don't bother to
clear off the archival front and back end IDs.

> If any bright programmer with a little idle machine time can crack a single
> DES message in a couple of days (assuming no tricks that are
> message-specific), then here's my Clipper key, NSA; give me the chip at
> once.  :-)

Yes, any moderately bright programmer with a little idle machine time can
crack most of today's real world encryption.  I'm sure that you or I could
select a key and prepare the data in order that the decryption will become a 
worst case, but that is not the real world, and I'm sure that is how any 
agency would start an attack on a message.  As you pointed out, there are some 
very good recognition algorithms available; I'm just not familiar with them.

A.G.
-- 
A.G. Russell   Dept A06S  OLTP section of PALS Group   VM ID  SC39093 at AUSVM1
Email  arussell@austin.ibm.com       Phone 512-838-7953        TieLine 678-7953
These are my views, on anyone else they would look silly. FREE THE BERKELEY 4.4
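The key-space arithmetic from Ted Dunning's and A.G. Russell's posts above, carried through as an added example (not code from anyone in this thread): the per-word entropy figures and the 30-bit/40-bit thresholds are the ones quoted in the posts, while the 95-character printable-ASCII alphabet, the trial rate and the function names are assumptions of mine.

```python
"""Key-space estimates for user-chosen versus machine-generated DES keys."""
import math
import secrets

BITS_PER_ENGLISH_WORD = 8      # ~8 bits per word of running English (from the post)
BITS_PER_PASSPHRASE_WORD = 10  # ~10 bits per word of a pass phrase (from the post)
DES_KEY_BITS = 56              # effective DES key size: 8 key bytes minus 8 parity bits
PRINTABLE_ASCII = 95           # assumption: a typed key uses the 95 printable ASCII chars


def passphrase_entropy_bits(phrase, bits_per_word=BITS_PER_PASSPHRASE_WORD):
    """Estimate the search space of a human-chosen pass phrase from its word count."""
    return len(phrase.split()) * bits_per_word


def typed_key_entropy_bits(length, alphabet_size=PRINTABLE_ASCII):
    """Upper bound for a key typed as printable ASCII with no padding.

    This is the interface limitation A.G. Russell describes: even a uniformly
    random 8-character typed key covers only about 52.6 of the 56 DES key bits,
    and a human-chosen one covers far fewer.
    """
    return length * math.log2(alphabet_size)


def random_key_entropy_bits(key_bytes, parity_bits_per_byte=0):
    """Entropy of a machine-generated key, as a public-key system picks per session."""
    return len(key_bytes) * (8 - parity_bits_per_byte)


def search_feasibility(bits):
    """Classify a search space using the thresholds quoted in Ted Dunning's post."""
    if bits <= 30:
        return "semi-practical in software"
    if bits <= 40:
        return "feasible with moderate hardware assist"
    if bits < DES_KEY_BITS:
        return "below full DES, large but not astronomical"
    return "full DES keyspace or larger"


def worst_case_search_seconds(bits, keys_per_second):
    """Seconds to sweep the whole space at a trial rate (expected time is half this)."""
    return 2.0 ** bits / keys_per_second


def compare(phrase, typed_len, keys_per_second=2 ** 20):
    """Return {kind: (bits, feasibility, worst-case days)} for three kinds of key."""
    rows = {
        "pass phrase": passphrase_entropy_bits(phrase),
        "typed ascii key": typed_key_entropy_bits(typed_len),
        # a fresh random 8-byte DES key with one parity bit per byte
        "random session key": random_key_entropy_bits(
            secrets.token_bytes(8), parity_bits_per_byte=1),
    }
    return {
        name: (round(bits, 1),
               search_feasibility(bits),
               round(worst_case_search_seconds(bits, keys_per_second) / 86400, 2))
        for name, bits in rows.items()
    }


if __name__ == "__main__":
    # Constructed sample: a three-word pass phrase versus an 8-character typed key
    for name, (bits, verdict, days) in compare("my secret phrase", 8).items():
        print(f"{name:20s} {bits:6.1f} bits  {verdict:45s} {days:>14.2f} days worst case")
```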

Newsgroup: sci.crypt
document_id: 15785
From: rens@stimpys.imsi.com (Rens Troost)
Subject: Re: Overreacting (was Re: Once tapped, your code is no good any more)

In article <1993Apr22.134214.18517@rick.dgbt.doc.ca> jhan@debra.dgbt.doc.ca (Jerry Han) writes:

>   In this giant bally-ho over this Clipper chip I noticed a rather
>   disturbing trend in some of the E-mail and posts I've been tossing back and
>   forth.  

Me too. A tendency on the part of some people to hide their head in
the sand.

>   The reason is very simple:  How many people do you want to die in a riot? 
>   In a new Civil War? 

How many people do you want jailed for their convictions, for their
insistence on real privacy? Why sit by quietly while the preconditions
for a real civil war are put in place by a short-sighted government.

>   Everybody is jumping up and down and screaming about it, and I'm worried
>   that people are going to reach for their hammers and rifles before their pens
>   and paper.  

The terminal is mightier than the pen :)

>   Can people work within the system before trying to break it?  Examine your
>   history books, and find out how many armed revolutions led to Democratic
>   (or Democratic style) governments.  I think you'll only find one in over
>   five thousand years of written history.

Really? I guess you mean the U.S. revolution. How about England,
India, Mexico, France, Holland....

>   That's not very good odds.  

You are misinformed. But this whole issue is off the topic.

>   Somebody once said something like: "Armed Violence is meant only to be
>   used in response to an armed attack.  It is not meant to be used in
>   aggression.  This is the difference between self-defence and murder."

When the cops kick in your door for using PGP, tell them that. All
we're doing here is exercising our (so-called, rapidly narrowing)
right to free speech. 

>   I'm probably overreacting.  But what I've read scared me a lot.  I don't
>   want my children growing up in a War Zone.

Perhaps you should talk to the government about that. Or are you a
disciple of David "The cops are our FRIENDS" Sternlight?

The implied threat of the illegalization of private crypto, the
not-so-subtle subtext of the clipper announcement, is what worries me.
I don't want my children growing up in a police state.

-Rens

**Disclaimer: all opinions herein are mine and mine alone, and do not
              necessarily represent those of any organization with
              which I may be affiliated.
--
  o===============================================================o
  | J. Laurens Troost - UNIX Systems  | At Work: rens@imsi.com    |
  | Investment Management Svcs, Inc.  | At Play: rens@century.com |
  | 12 East 49th Street,  35th floor  |   Phone: (212) 339-2823   |
  | New York, New York         10017  |     Fax: (212) 444-1980   |
  o===============================================================o
     -- IMS is unlikely to share any of the above opinions --

Newsgroup: sci.crypt
document_id: 15786
From: steve-b@access.digex.com (Steve Brinich)
Subject: Re: Overreacting (was Re: Once tapped, your code is no good any more)

  It is my intent to cut the government off at the knees with the pen
(and keyboard).  True, the lawyer and the lawbook only go so far, but
I agree that it is best to use those resources to the maximum extent
before seriously contemplating anything more... disruptive.


Newsgroup: sci.crypt
document_id: 15787
From: steve-b@access.digex.com (Steve Brinich)
Subject: Re: Once tapped, your code is no good any more.

 > Maybe so, but it's quite common. There are millions of Macintosh users who
 >have no idea what's in Apple's patented ROMs. Many have modems connected.
 >How do you know all your business secrets aren't being stolen? Answer:
 >1. Because you trust Apple;
 >2. Because if any such attempt, however sophisticated, came out, it would
 >destroy Apple's credibility forever.  

  The reason I could theoretically trust Apple (though I'm a PC person
myself :-) ) is that Apple has to worry about their customers deserting
them if they screw up badly enough.  The government doesn't have any such
worry; it can change the rules by force to get the outcome it wants.  This
is the ultimate reason why private enterprise is usually more efficient
than government agencies.


Newsgroup: sci.crypt
document_id: 15788
From: mjs@behemoth.genetics.wisc.edu (Mike Schmelzer)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

In article <strnlghtC5puCL.6Kp@netcom.com> strnlght@netcom.com (David Sternlight) writes:
> In article <Apr18.204843.50316@yuma.ACNS.ColoState.EDU>
> holland@CS.ColoState.EDU (douglas craig holland) writes:


>>	Let me ask you this.  Would you trust Richard Nixon with your
>>crypto keys?  I wouldn't.

> I take it you mean President Nixon, not private citizen Nixon. Sure.
> Nothing I'm doing would be of the slightest interest to President Nixon.

Mr. Sternlight, your naivete and historical ignorance is appalling.

[ History lesson detailing 1968-74 deleted. ]
--
=== Mike Schmelzer,  mjs@genetics.wisc.edu, (608)262-4550. Finger for PGP.
=== "People didn't riot the minute they saw that film.
=== They waited on justice. Which never came." - Ice T.

Newsgroup: sci.crypt
document_id: 15789
From: mjr@tis.com (Marcus J Ranum)
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks  only

pmetzger@snark.shearson.com (Perry E. Metzger) writes:
>Really, none of this stuff is especially hard. All you need for a true
>private phone is an ISDN codec, a vocoder (either a chip or
>software), an encryptor (a chip is fine, but software is more than
>fast enough), a V.32 or V.32bis modem module, and maybe a
>microcontroller to run the whole thing. Its easy to do, its cheap. And
>any "normal" company trying to put one out will likely get a visit
>from the boys in the dark suits from Washington, just like Qualcomm
>did.

	Have the feds shut down the people making Sound Blaster? What
about Apple and NeXT? Apple, NeXT, Sun, and others make systems that
can handle CD-quality audio in and out, and can perform arbitrary
transformation on it in the process of transmitting it across a network
or modem.

	Perhaps there's a market for a portable vocoder. Not a crypto
device, simply an RS232<->voice converter. Make it capable of recording
speech and playing it back simultaneously. It has applications for
multimedia, computing for the handicapped, Internet Talk Radio, IRC,
etc, etc, etc.  It wouldn't be a cryptographic device at all - but I
suppose someone could have it hooked to a 486 laptop with a V.32bis
modem and some crypto software. I'd market the thing with an API for
text-to-speech using simple phonemes and the ability to use speech
samples. And, of course, I'd publish the interface to it so other
folks could write any applications they wanted to talk to the thing.

mjr.

Newsgroup: sci.crypt
document_id: 15790
From: tauren@rigel.cs.pdx.edu (Tauren N Mills)
Subject: Thoughts and questions

I just joined this group recently and really do not know much about
cryptography, but a couple things came to mind while reading through
the posts.

1.  Is the Clipper chip going to be exported?  If not, how will
people communicate with other countries?  Will they have to do
that in un-crypt-mode?  Will other encryption techniques be
legal (assuming the government cracks down on using others) when
going overseas, but not within the states?

2.  I've read about authentication systems that use an electronic  
security card that looks like a calculator to create an encrypted
PIN based on the time/date.  The host system has the algorithm
built into it as well so that it can authenticate a user.
Is there some form of encryption technology that would create
keys that are only valid at a certain instant in time?  The 
systems would then allow a "window" of time around this instant
where the key would work.
I realize that this technique would increase the amount of information
needing to be stored because you would need entire algorithms rather
than just keys.  But for smaller scale things it might work.
Could some similar method be used to make the two 80-bit keys that
are issued to police/FBI/etc to tap a phone only usable for one-week
(for instance).  If further surveillance was needed, they would have
to go back to the escrow service to get another key.  This would
make it useless for local police to database keys they have used.

I assume this is not possible because the receiving phone would need
to be able to decipher the message.  But any thoughts on the subject?

Thanks,
Tauren Mills

Tauren Mills
tauren@rigel.cs.pdx.edu
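
The kind of time-windowed code the poster describes, as an added example (my own construction, not any vendor's card or anything from the poster): the card and the host share only a secret and a clock, the code is an HMAC over the current time step, and the host accepts a code from any step inside a small window around its own clock. Step length, window size and digit count are assumptions.

```python
import hmac
import hashlib
import struct

STEP_SECONDS = 60      # one code per minute (assumed)
WINDOW_STEPS = 1       # host accepts one step either side of "now" (assumed)
DIGITS = 6             # display width of the code (assumed)


def code_for_step(secret: bytes, step: int) -> str:
    """Card side: the 'encrypted PIN' for one time step.  Nothing but the
    secret and the clock is shared; the algorithm itself is public, so the
    host stores a secret per card rather than a whole algorithm per card."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**DIGITS:0{DIGITS}d}"


def code_at(secret: bytes, now: int) -> str:
    """Code the card shows at Unix time `now`."""
    return code_for_step(secret, now // STEP_SECONDS)


def verify(secret: bytes, code: str, now: int, window: int = WINDOW_STEPS) -> bool:
    """Host side: recompute the code for every step in the window and compare
    in constant time.  Outside the window the code is simply dead, which is
    the 'only valid at a certain instant' property the poster asks about."""
    centre = now // STEP_SECONDS
    return any(hmac.compare_digest(code_for_step(secret, centre + d), code)
               for d in range(-window, window + 1))


def demo() -> bool:
    secret = b"constructed-shared-secret"      # constructed sample secret
    t0 = 1_000_000_000                         # constructed sample clock value
    code = code_at(secret, t0)
    assert verify(secret, code, t0)                        # exact instant
    assert verify(secret, code, t0 + STEP_SECONDS)         # skew inside window
    assert not verify(secret, code, t0 + 3 * STEP_SECONDS)  # expired
    assert not verify(b"other-secret", code, t0)           # wrong card
    return True


if __name__ == "__main__":
    print("time-window check ok:", demo())
```

A real host also records the codes it has already accepted, so that a replay of a captured code inside the window still fails.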

Newsgroup: sci.crypt
document_id: 15791
From: "Jon C. R. Bennett" <jb7m+@andrew.cmu.edu>
Subject: Re: Ideas on Clipper

Jim Gillogly <jim@mycroft.rand.org> writes:
> In article <0fpiZBG00WC70qOKYw@andrew.cmu.edu> you write:
> >suppose I knew how the algorithm worked and knew the N for my chip, but
> >did not know F, then by cryptanalysis I might be able to determine F from
> >the law enforcement field
> >   E[E[K; U] + N; F]
> >not knowing N might make this much harder.
> 
> They're betting that you can't do this, even if you know N.  Even if you
> know E, in fact, which they're trying to keep secret.  If you can find E
> by grinding down the chip, presumably you can find F as well.  But we can't
> do this right now with DES, even knowing the encryption method without
> doing almost the whole 56-bit search.

That is not true; with chosen plaintext attacks DES keys can be determined
without the full search.

> 
> >Now suppose that I know F, (either legitimately or not),
> >If I know K (either because I am involved in the conversation, or I know U
> >for a party in the conversation), I may now be able to determine U for the
> >other party.
> 
> Again, they're betting that you can't find U given K -- i.e. they claim the
> encryption is strong.  (Trust us...)

I am not willing to take that bet.

> >If I know F I can also defeat the law enforcement field, since I could
> >make my own, with a different K than the one I am using. Knowing F also
> >allows traffic analysis to be performed. So I might not know what you are
> >saying but I could know who you are saying it to.
> 
> I'm not sure there'll be a way to shove arbitrary key and data through your
> chip, but if so, this part's OK.  (We're assuming E is unknown.)

You can obviously shove arbitrary data through your chip.
As for the key, it is stated that the session key exchange is external to
the chip, so I can pick my keys too.

> >Now I admit that someone trying to compute U will not have lots of
> >messages to work from, but since we have no way of knowing that the key
> >generation method does not (deliberately?) generate weak keys, or for that
> >matter that the published method is in fact used, perhaps the U's will be
> >chosen from known weak keys for the system.
> 
> They assume that you won't be able to find U no matter how many messages
> you have.  If <they> could break U, they wouldn't need the key escrow.

BING BING BING BING BING, THAT'S EXACTLY MY POINT. SINCE WE CAN'T KNOW THAT
THEY DO NOT HAVE THIS CAPABILITY, THE ONLY SAFE ASSUMPTION IS THAT THEY
DO... I admit that most of my cryptographic complaints are probably
unfounded, but since we can't know one way or the other, I'm not going to
take their word for it....

> >Obviously the compromise of F would be a disaster, both to law enforcement
> >for whom this whole thing is designed, and for the people who believe that
> >it is giving them security. F is but one number, and I'm sure that a lot of
> >people (more than 1) know what it is (and if some "panel of experts" is
> >going to check it over for flaws then many more will know F; forget
> >grinding chips, bribery and blackmail work just fine).
> 
> It's not clear that the "experts" will be told F.  In fact, I'd be surprised.
> I'd expect something more of the form of the FIPS pub describing DES, so that
> they could look at the algorithm in general, rather than with the specific
> set of keys chosen.

Oh come on, that's like saying you could evaluate DES without the S-box
constants.....

jon

Newsgroup: sci.crypt
document_id: 15792
From: rschnapp@metaflow.com (Russ Schnapp)
Subject: Re: Overreacting (was Re: Once tapped, your code is no good any more)

In article <1993Apr22.134214.18517@rick.dgbt.doc.ca>, jhan@debra.dgbt.doc.ca (Jerry Han) writes:
|> In this giant bally-ho over this Clipper chip I noticed a rather
|> disturbing trend in some of the E-mail and posts I've been tossing back and
|> forth.  
|> 
|> Somebody asked me what was wrong about overreacting in cases such as this.
|> 
|> The reason is very simple:  How many people do you want to die in a riot? 
|> In a new Civil War? 
|> 
|> Everybody is jumping up and down and screaming about it, and I'm worried
|> that people are going to reach for their hammers and rifles before their pens
|> and paper.  

Well, I know one person who is ready to kill.  Me.  And the victim is
this whole topic, damnit.  

PLEASE STOP COPYING ALL THIS CRAP TO comp.org.acm.  PLEASE?
-- 

...Russ Schnapp
Email: netcom!metaflow!rschnapp or rschnapp@Metaflow.com or rschnapp@BIX.com
Metaflow Technologies   Voice: 619/452-6608x230;  FAX: 619/452-0401
La Jolla, California    Unless otw specified, I'm speaking only for myself!

Newsgroup: sci.crypt
document_id: 15793
From: holland@CS.ColoState.EDU (douglas craig holland)
Subject: Re: new encryption

In article <strnlghtC5wC3z.Erw@netcom.com> strnlght@netcom.com (David Sternlight) writes:
>
>psionic@wam.umd.edu, whose parenthesized name is either an unfortunate
>coincidence or casts serious doubt on his bona fides, posts a message in
>which he seems willing to take the word of a private firm about which he
>knows little that their new encryption algorithm is secure and contains no
>trapdoors, while seemingly distrusting that of the government about clipper.

I have a couple reasons why I would be more likely to trust this algorithm:
	1. The algorithm will be made totally public, once it is patented.
	2. The keys will NOT be escrowed.
Of course if either of these is not true, I will not use this new algorithm.
Since I have never seen this new algorithm, I have no idea how secure it is
yet.

>I suppose it depends on how paranoid one wishes to be, but how does the
>writer know the firm isn't, for example, an NSA front? For purposes of this
>message, how do we know "psionic" isn't?
>
>I don't suggest that, but post this to point out that there is a class of
>speculation that has no more truth value, without lots of hard evidence,
>than the contrary one.
>
>By the way, if "psionic" had said, in lower case letters, that the firm
>CLAIMS there was no back door, I'd have no problem with that phrasing.
>
I can't make any judgements about the algorithm itself yet, but I do notice
that the creators of this algorithm are being more open about how the
thing works, and are willing to make it public, showing that after a bit
of scrutiny, any weaknesses will probably be revealed, while we don't know
about Clipper.

Doug Holland

-- 
|  Doug Holland                | Anyone who tries to take away my freedom  |
|  holland@cs.colostate.edu    | of speech will have to pry it from my     |
|  PGP key available by E-mail | cold, dead lips!!                         |

Newsgroup: sci.crypt
document_id: 15794
From: wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705)
Subject: Re: Off the shelf cheap DES keyseach machine (Was: Re: Corporate acceptance of the wiretap chip)

In article <C5uup3.5wp@news.claremont.edu> ebrandt@jarthur.claremont.edu (Eli Brandt) writes:
   In article <1993Apr21.132318.16981@ulysses.att.com> smb@research.att.com (Steven Bellovin) writes:
   >Remember that they've promised to let a committee of outside experts see
   >the cryptosystem design.

   I hope there are some silicon jocks on the committee who can follow
   the algorithm through to hardware.  While I doubt the NSA would pull
   any monkey business on this point -- they have to expect that the
   chip will be reverse-engineered sooner or later -- it's an obvious
   opportunity to introduce additional holes.

The chip isn't the place to pull the monkey business - you do it in
the key generation, either by having a mathematical backdoor,
or by having the program on the laptop that supposedly generates the
keys also save a copy of S1 and S2 and leak it out somehow,
or by having the program that supposedly puts the official keys
on the chip actually put a *different* key there (VERY hard to detect,
since the escrow agents have to either trust the NSA laptop or
give each other the S* keys, and they still don't know the algorithm.)
Or have the chip-burner at the factory make copies of the keys.
Or whatever.
--
#				Pray for peace;      Bill
# Bill Stewart 1-908-949-0705 wcs@anchor.att.com AT&T Bell Labs 4M312 Holmdel NJ
#	              No, I'm *from* New Jersey, I only *work* in cyberspace....
# White House Comment Line 1-202-456-1111  fax 1-202-456-2461
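
A model of the escrow arithmetic that the Bennett/Gillogly exchange above argues over (E[E[K; U] + N; F]) together with the S1/S2 unit-key split this post mentions, added here as an example that is not code from any of the posters. The chip cipher is a stand-in HMAC keystream, since Skipjack is exactly the secret the posts discuss; key widths follow the posts' 80-bit figure; the 4-byte serial, the domain labels and the sample message are constructed.

```python
import hmac
import hashlib
import secrets

KEY_BYTES = 10          # the posts' 80-bit keys: U (unit), K (session), F (family)
ID_BYTES = 4            # width of the chip serial N (assumption)


def E(key: bytes, data: bytes, label: bytes) -> bytes:
    """Stand-in for the chip cipher E[data; key]: an HMAC-SHA256 keystream
    XOR constructed for this example.  It is NOT Skipjack.  Applying it twice
    with the same key and label returns the original data."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, label + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def manufacture_chip(serial: int):
    """Chip programming as the posts describe it: a unit key U is burned into
    the chip and split into shares S1, S2 (U = S1 xor S2), one share per
    escrow agent, both indexed by the chip serial N."""
    N = serial.to_bytes(ID_BYTES, "big")
    U = secrets.token_bytes(KEY_BYTES)
    S1 = secrets.token_bytes(KEY_BYTES)
    S2 = bytes(a ^ b for a, b in zip(U, S1))
    chip = {"N": N, "U": U}
    return chip, {N: S1}, {N: S2}        # chip, agent-1 record, agent-2 record


def build_leaf(chip, K: bytes, F: bytes) -> bytes:
    """E[E[K; U] + N; F]: session key wrapped under the unit key, serial
    appended, the whole thing wrapped under the family key F."""
    inner = E(chip["U"], K, b"unit") + chip["N"]
    return E(F, inner, b"family")


def open_leaf(leaf: bytes, F: bytes):
    """What F alone yields: E[K; U] and the serial N (the chip identity
    Bennett's traffic-analysis point rests on), but not K itself."""
    inner = E(F, leaf, b"family")
    return inner[:KEY_BYTES], inner[KEY_BYTES:]


def escrow_recover(leaf: bytes, F: bytes, agent1: dict, agent2: dict) -> bytes:
    """Warranted recovery: open the LEAF with F, fetch both shares for N,
    reconstruct U, unwrap K.  Both shares are needed; one is useless."""
    wrapped_K, N = open_leaf(leaf, F)
    U = bytes(a ^ b for a, b in zip(agent1[N], agent2[N]))
    return E(U, wrapped_K, b"unit")


def demo() -> bool:
    F = secrets.token_bytes(KEY_BYTES)            # one family key for every chip
    chip, agent1, agent2 = manufacture_chip(serial=0x1234)
    K = secrets.token_bytes(KEY_BYTES)            # session key, agreed outside the chip
    leaf = build_leaf(chip, K, F)
    msg = b"constructed sample plaintext"         # constructed sample traffic
    ciphertext = E(K, msg, b"session")

    recovered = escrow_recover(leaf, F, agent1, agent2)
    assert recovered == K
    assert E(recovered, ciphertext, b"session") == msg

    wrapped_K, N = open_leaf(leaf, F)             # F alone: serial yes, key no
    assert N == chip["N"] and wrapped_K != K

    bogus = {chip["N"]: secrets.token_bytes(KEY_BYTES)}   # a wrong/missing share
    assert escrow_recover(leaf, F, agent1, bogus) != K
    return True


if __name__ == "__main__":
    print("escrow model ok:", demo())
```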

Newsgroup: sci.crypt
document_id: 15795
From: rlglende@netcom.com (Robert Lewis Glendenning)
Subject: Re: Do we need the clipper for cheap security?

There are chips which perform the voice compression/expansion.  They can't
be expensive, because they exist in many phones connected to PBXs or on the
PBX line cards, as well as in a lot of equipment which compresses
voice-grade circuits to save the cost of long-distance, leased T1s or
satellite circuits.

I can't remember the generic term for these chips.  My impression is that
this was a big deal 10 years ago, but circuits have gotten so cheap that
it isn't done much now.

Lew

-- 
Lew Glendenning		rlglende@netcom.com
"Perspective is worth 80 IQ points."	Niels Bohr (or somebody like that).

Newsgroup: sci.crypt
document_id: 15796
From: rdippold@qualcomm.com (Ron "Asbestos" Dippold)
Subject: Re: Wiretapping reality today

strnlght@netcom.com (David Sternlight) writes:
>Some of the messages here seem to reflect the view that the government is
>listening in on everything and one will have to hide one's clipper messages
>somehow if non-escrowed crypto goes away.
>A little perspective might be in order.

Right.  People here believe the government is listening in on
everything.  Sure.  If you can't provide an answer, change the
assumptions to something you can deal with.

It's not a matter of the government listening in on everything, it's a
matter of the government listening in on anyone they take an interest in.
Say, if you do something heinous like attend a computer meeting at a
mall, the Secret Service decides to go for a warrantless search, and
acquires your name.  It's a matter of any number of possible wiretap
abuses that cryptology makes far less likely, and this chip can
sabotage. 

Par for the course, though.  I predicted that you'd be jumping in in
favor of this.  The reply was that you'd justify anything up to and
including death camps as long as the government backed them and had a
written policy statement.  Perhaps a little extreme, but not much.
-- 
"Seattle" is an Indian word meaning "52 degrees and raining."

Newsgroup: sci.crypt
document_id: 15797
From: wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705)
Subject: Re: Do we need the clipper for cheap security?

In article <C5upHy.GH7@dcs.ed.ac.uk> pdc@dcs.ed.ac.uk (Paul Crowley) writes:
   How fast do the fastest modems go?

V.FAST is targeted for about 28kbps; 14.4kbps is ~$500, and 19.2 may
be here soon too.  (Remember to ignore compression figures which make
your modem go faster on compressible data, because voice gets
compressed better than that, and encryption makes further compression impossible.)

   How far can voice be compressed?

The STU-III phones on the market from AT&T, Motorola, and (I forget who else),
give you a choice of 9600, 4800, and 2400 baud.  The 9600 and 4800 are CELP,
and I think the 2400 is some earlier military vocoder stuff.
9600 is decent, 2400 is pretty artificial, anything less is Speak&Spell.
16000 can produce quite adequate sound.  There's also some 8 kbps CELP around.
DSPs have made it possible to do all this in real time for cheap.

Old-hand government crypto have trouble adjusting to systems faster
than 9600 baud, because if the voice on the other end sounds good,
you assume the crypto hasn't been turned on yet :-)
--
#				Pray for peace;      Bill
# Bill Stewart 1-908-949-0705 wcs@anchor.att.com AT&T Bell Labs 4M312 Holmdel NJ
#	              No, I'm *from* New Jersey, I only *work* in cyberspace....
# White House Comment Line 1-202-456-1111  fax 1-202-456-2461

Newsgroup: sci.crypt
document_id: 15798
From: holland@CS.ColoState.EDU (douglas craig holland)
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks only

In article <strnlghtC5wJAG.46L@netcom.com> strnlght@netcom.com (David Sternlight) writes:
>
>Doug Holland claims Tom Clancy has provided the recipe for nuclear bombs.
>Clancy himself says he has omitted certain crucial steps. Further, how do we
>know Clancy knows, rather than repeating what he's read or been told in the
>unclassified domain?
>
Tom Clancy omitted these key steps to try to prevent groups of people from
building a nuclear bomb.  However, he asserts that you can find these key
steps in any university library.  The main point of _Five Minutes To Midnight_
is that it is impossible to prevent the proliferation of nuclear weapons,
since it has become easy to acquire the knowledge to build one, and fissile
materials are nearly impossible to control.  Read this article, or better
yet, run to your library yourself and dig up some stuff on constructing a
nuclear weapon.

Doug Holland

-- 
|  Doug Holland                | Anyone who tries to take away my freedom  |
|  holland@cs.colostate.edu    | of speech will have to pry it from my     |
|  PGP key available by E-mail | cold, dead lips!!                         |

Newsgroup: sci.crypt
document_id: 15799
From: rlglende@netcom.com (Robert Lewis Glendenning)
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks only

In article <1r4g7l$fdl@sunb.ocs.mq.edu.au> ifarqhar@laurel.ocs.mq.edu.au (Ian Farquhar) writes:
>In article <19930419.155204.305@almaden.ibm.com> ameline@vnet.IBM.COM (Ian Ameline) writes:
>>  I also believe that someone will reverse engineer the clipper chip,
>>and knowlege of the algorithm will likely be fairly widespread. Any back-
>>doors or weaknesses would further discredit the scheme, and help grow
>>the market demand for a secure alternative.
>

There are companies (one in Canada, as I recall) which specialize in
analyzing chips to understand process technology, design rules,
... to understand the probable yield of the assembly line making them,
and therefore the probable current cost and possible future cost curves,
given design shrinks, statistical quality control -> better yields, etc.

Taiwanese, Japanese and especially Korean semiconductor manufacturers
have all (Korea continues) reverse-engineered foreign chips and
produced the chip.  Taiwan and Japan have signed intellectual
property treaties, and now at least extract the gate/transistor level
design before laying the chip out again.  The Koreans still
use mask-level copying, I believe.  At least, they are under a lot
of pressure to pass laws to meet international intellectual property
standards.

All this despite lots of attempts to hide the designs.  There are lots
of techniques to do so in both hardware and software design.

For a complex chip, there will be real intellectual effort extracting
the gate design from the transistor design, and the algorithm from
the gate design.  But it won't take two smart guys even 6 months, working
40 hour weeks.  Koreans work 60 or more 8)

Lew
-- 
Lew Glendenning		rlglende@netcom.com
"Perspective is worth 80 IQ points."	Niels Bohr (or somebody like that).

Newsgroup: sci.crypt
document_id: 15800
From: "Stephen J. Ludwick" <sl3b+@andrew.cmu.edu>
Subject: Encryption Chip Availability

Hi everybody!

Does anyone know of companies that are currently manufacturing
encryption chips for sale to the general public?  Get them while you
can!  Some pointers would be greatly appreciated.

Thanks

Steve

Newsgroup: sci.crypt
document_id: 15801
From: jim@rand.org (Jim Gillogly)
Subject: Re: Ideas on Clipper

I was annoyed to find that this guy posted my private e-mail response to
him, but since I believe what I said, I'll defend it anyway.

In article <gfpo=Wu00WC70qOQ4O@andrew.cmu.edu> jb7m+@andrew.cmu.edu (Jon C. R. Bennett) writes:
>Jim Gillogly <jim@mycroft.rand.org> writes (in private e-mail):

>> They're betting that you can't [cryptanalyze E to get U given N].
>> ...  But we can't
>> do this right now with DES, even knowing the encryption method without
>> doing almost the whole 56-bit search.
>
>That is not true, with chosen plaintext attacks DES keys can be determined
>without the full search.

By "almost" I mean the differential cryptanalysis attack.  The chosen
plaintext attack requires a detailed analysis of about 2^36 chosen plaintexts
drawn from a total of about 2^47 that need to be run, if I understand the
situation correctly.  This is certainly a "break" under the meaning of the
Act, but does not constitute much less work than the brute force keysearch.

The rest of his article assumes that we can figure out the Skipjack
encryption algorithm E by choosing the correct data to send through it and
observe the results.  I wish him joy of it, and choose not to try that attack.

I am not defending the system, and in fact am offended by the ideas of
escrowed keys or a secret algorithm becoming a de facto industry standard.
However, I also object to opposing it for the wrong reasons, since that
weakens the case against it.

I said (in my private e-mail):
>> It's not clear that the "experts" will be told F.  In fact, I'd be surprised.
>> I'd expect something more of the form of the FIPS pub describing DES, so that
>> they could look at the algorithm in general, rather than with the specific
>> set of keys chosen.
>
>Oh come on, thats like saying you could evaluate DES without the S-box
>constants.....

No, it's quite different.  The government would have no percentage in
choosing F to be a weak key, since it's not to their advantage to have
anybody else know it.  The "experts" could thus assume that F is no worse
than anything else during their analysis.  Totally different situation
from unknown S-boxes.  Again, I'm not saying it would be good or
satisfactory for the experts to just be given the raw algorithm without
the rest of the surrounding details regarding the chip and protocols and
so on -- simply that I doubt that they <would> be given all the
information.
-- 
	Jim Gillogly
	Trewesday, 2 Thrimidge S.R. 1993, 03:01

Newsgroup: sci.crypt
document_id: 15802
From: cme@ellisun.sw.stratus.com (Carl Ellison)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

In article <2079@rwing.UUCP> pat@rwing.UUCP (Pat Myrto) writes:
>For example, a conversation between a suspect and a lawyer will no longer
>be private from Big Brother eavesdropping.

Now, almost 100 years later, we have the right words for the problem here.

Phone calls are "virtual visits".  Those experienced in virtual reality
would know from that title that phone calls need to have all the properties
of a walk in the park with your friend -- security from casual overhearing
and easy verification to see if anyone is listening secretively.  As designed,
they fail at that.

..trouble is, telephones were invented a long time ago and people didn't
realize the danger or the concept of virtual reality back then.

-- 
 - <<Disclaimer: All opinions expressed are my own, of course.>>
 - Carl Ellison                                        cme@sw.stratus.com
 - Stratus Computer Inc.       M3-2-BKW                TEL: (508)460-2783
 - 55 Fairbanks Boulevard ; Marlborough MA 01752-1298  FAX: (508)624-7488

Newsgroup: sci.crypt
document_id: 15803
From: cme@ellisun.sw.stratus.com (Carl Ellison)
Subject: Re: Do we need the clipper for cheap security?

In article <C5trGt.Ew4@news.claremont.edu> ebrandt@jarthur.claremont.edu (Eli Brandt) writes:
>Remember in the
>announcement they described this scheme as balancing the two
>extremes of having no privacy and claiming that citizens had a
>Constitutional right to encryption?  
>
>So much for Clinton's support of the "right of privacy".

There's an out for him.  The announcement talked about strong cryptography
I believe.  Specifically:

	nor is the U.S. saying that "every
     American, as a matter of right, is entitled to an
     unbreakable commercial encryption product."

Every vendor claims his product is unbreakable -- so this was sloppy wording.

I am not claiming that we private citizens should have access to the NSA's
best, secret algorithms.  I don't want any NSA algorithms, actually.

I'll let them break my pitiful amateur algorithms -- and RSA's.

All I want is what I have already -- the ability and right to invent and use
my own algorithms, share them with my friends and sell them.

-- 
 - <<Disclaimer: All opinions expressed are my own, of course.>>
 - Carl Ellison                                        cme@sw.stratus.com
 - Stratus Computer Inc.       M3-2-BKW                TEL: (508)460-2783
 - 55 Fairbanks Boulevard ; Marlborough MA 01752-1298  FAX: (508)624-7488

Newsgroup: sci.crypt
document_id: 15804
From: cme@ellisun.sw.stratus.com (Carl Ellison)
Subject: Write to Clinton


I've been reading the sci.crypt, alt.privacy.clipper and comp.org.eff.talk
discussions about the Clipper chip and find (as usual) that most of us
think alike -- so there's a lot of repetition.  If each of these messages
were sent to Clinton as well as to the net (or instead of to the net), we
might actually have some effect.

	0005895485@MCIMAIL.COM  (White House)

-- 
 - <<Disclaimer: All opinions expressed are my own, of course.>>
 - Carl Ellison                                        cme@sw.stratus.com
 - Stratus Computer Inc.       M3-2-BKW                TEL: (508)460-2783
 - 55 Fairbanks Boulevard ; Marlborough MA 01752-1298  FAX: (508)624-7488

Newsgroup: sci.crypt
document_id: 15805
From: cme@ellisun.sw.stratus.com (Carl Ellison)
Subject: Re: Organized Lobbying for Cryptography

In article <1r3jgbINN35i@eli.CS.YALE.EDU> jgfoot@minerva.cis.yale.edu writes:
>
>Perhaps these encryption-only types would defend the digitized porn if it
>was posted encrypted?
>
>These issues are not as separable as you maintain.
>

To paraphrase, I may not agree with what you're encrypting, but I defend
your right to encrypt it.



-- 
 - <<Disclaimer: All opinions expressed are my own, of course.>>
 - Carl Ellison                                        cme@sw.stratus.com
 - Stratus Computer Inc.       M3-2-BKW                TEL: (508)460-2783
 - 55 Fairbanks Boulevard ; Marlborough MA 01752-1298  FAX: (508)624-7488

Newsgroup: sci.crypt
document_id: 15806
From: "Stephen J. Ludwick" <sl3b+@andrew.cmu.edu>
Subject: Encryption Chips


Does anyone know where I can get a hold of some secure encrypting chips
or devices before they are banned completely?!?

Steve


"If encryption is outlawed, only outlaws will have encryption"

Newsgroup: sci.crypt
document_id: 15807
From: artmel@well.sf.ca.us (Arthur Melnick)
Subject: New Encryption Algorithm


     Ever since Craig Rowland posted his piece "New Encryption"
to sci.crypt there has been some discussion of our company,
Secured Communications Technologies, Inc., and our encryption
algorithm, NEA.
     I spoke to Craig at length on 4/21/93 and we covered a lot
of ground.  Some of the information in the posting requires some
clarification, and I would like to answer some of the questions
raised on sci.crypt.
     SCT is a small company based in Silver Spring Maryland.  Our
two main products at this time are a PC based secure
communications program called SECOM and a general purpose
encryption chip which uses the NEA algorithm developed for SECOM.
     SECOM provides an encrypted secure communication link
between two PC's connected over dial up telephone lines.  It
supports simultaneous bi-directional file transfer and keyboard
to screen "chat".  It has its own proprietary communications
protocol which is tightly integrated to the encryption.  Although
it is a packetized link, the data stream appears to be
continuous because the packet boundaries are hidden.
     When SECOM was initially developed, it was implemented to
use DES encryption.  A business decision was made to seek export
approval for the product because it was perceived that the
overseas market was a large one and provided a good marketing
opportunity.
     We soon found out that we would NEVER be granted general
export approval for anything using DES.  Although the reason
for this was never explicitly stated, it seems to have something
to do with secret government to government agreements which are
still in effect.
     In any event, the decision was made to develop a new and
different algorithm which would take the place of DES.  This was
the reason NEA (New Encryption Algorithm) was born.
     At this time NEA is being held as a trade secret.  The
preliminary work of patenting it has begun, and the plan is to
make it public once the patent process is complete.  Although
one can make certain legal arguments for keeping it an ongoing
secret, I think in the case of an encryption algorithm it is
necessary to let people "shoot at it" over an extended period of
time to prove its worth.
     In order to get export approval for SECOM/NEA, it was
necessary to go through NSA and to reveal to them the details of
the program and algorithm.  This was done only AFTER we had a
finished product to submit.
     Let me state unequivocally that there is NO "back door" to
the program or the algorithm.  Secured Communications
Technologies is a closely held private company and
NSA/FBI/CIA/NIST/WHATEVER has NO financial interest in any way
whatsoever with the company or any of the people involved.
     From a practical business standpoint, we are interested in
selling chips and software (hopefully in large quantities) and a
back door to the encryption, if found out, could destroy our
credibility and our business.
     With the encryption algorithm approved for export, we set
out to talk to a number of potential customers for encryption
products and systems.  We were able to identify several common
threads of functionality requirements.  This led to the design of
a chip with the encryption algorithm "cast in silicon" and
certain other capabilities added so that the chip could fulfill
the broad range of requirements that we identified.
     We are strongly opposed to the clipper/capstone chips.  In a
press release today, our president, Dr. Stephen Bryen stated:

          "It seems as if the government has an unlimited source
     of funds to use to push its new bugged chips on the American
     Public.  But do we not understand how the National Security
     Agency, which is not supposed to be involved in domestic
     spying, can fund the development of a commercial chip
     intended to accommodate U.S. government domestic spying
     activities."

     If they had asked me to put a "back door" in NEA I would
have told them to g__ f____ed.
     Can NSA break NEA?  Or for that matter can they break DES,
RSA, IDEA, Diffie-Hellman, PGP, RC2, RC4, or whatever?  I don't
know and probably never will.

Newsgroup: sci.crypt
document_id: 15808
From: quilty@twain.ucs.umass.edu (Lulu of the lotus-eaters)
Subject: Info on Mathematics of Encryption Wanted

I just signed up for this group, so I hope I'm not missing something
in a FAQ, but I'm looking for a good introduction to the mathematics
of encryption -- particularly DES and Public-Key, though others would
be interesting also.  Probably a good library could help me out, but I
thought it might be even easier if I could obtain a nice article
entirely electronically (besides, I have this rather *rational* phobia
of libraries for reasons stemming from this "dissertation" thing
hanging over my head :-)).  
	I have a basic knowledge of mathematics... number-theory is a
bit unfamiliar to me, but I've had a few graduate-level math courses
in some other areas; anyway, I'm not a complete novice to the field.
So probably something aimed at a basic graduate introductory level
would be about right.  Something, anyway, which is more specific than
"a really big prime number is generated to code the message".
	If someone knows of a good text available by ftp (or gopher),
or would like to email me one... please let me know.  I'll probably keep
reading this group; but it would be nice if you would email me at the
same time, so I don't miss it.

Thanx, Lulu...
-- 
      _/_/_/ THIS MESSAGE WAS BROUGHT TO YOU BY: Postmodern Enterprises _/_/_/ 
     _/_/    ~~~~~~~~~~~~~~~~[quilty@philos.umass.edu]~~~~~~~~~~~~~~~~~  _/_/ 
    _/_/  The opinions expressed here must be those of my employer...   _/_/ 
   _/_/_/_/_/_/_/_/_/_/ Surely you don't think that *I* believe them!  _/_/ 

Newsgroup: sci.crypt
document_id: 15809
From: merlin@lerami.lerctr.org (David Hayes)
Subject: Re: The [secret] source of that announcement

In article <1r3vjhINN5iq@dns1.NMSU.Edu>
amolitor@nmsu.edu (Andrew Molitor) writes:
>In article <gradyC5uAMw.BnG@netcom.com> grady@netcom.com (1016/2EF221) writes:
>If you can get it for a buck, 2nd hand, it must be true, eh? I'm pretty
>sure the NSA is supposed to, among many other things, provide high-quality
>cryptosystems to a variety of places. I don't recall reading anywhere
>reliable that they're supposed to:
>
>	1) Monitor my phonecalls.
>	2) Monitor usenet.
>	3) Provide only cryptosystems they can easily crack.
>	4) etc etc.
>
>	This is not to say that they *don't*, they might. But you don't
>know that they do, and you have no evidence that they do, for almost
>all values of you. It follows, therefore, that for most values of 'you',
>your claims about the NSA border on paranoia.
>
>	Andrew
>

OK, Andrew, I'll provide some evidence. A friend of mine worked for an
electronics manufacturer with a west-coast office. They routinely sold
equipment to the Japanese. One day, the Japanese started showing up with
discount demands that were amazingly close to the cost to manufacture the
products.

This company routinely sent most of the manufacturing data to the field 
offices. The Japanese had simply intercepted it. So my friend, the computer
systems admin, came up with a solution. He started sending the data out
double-block-encrypted with DES. 

Two days after this new distribution plan was implemented, the president of
the company got a visit from a pair of government agents. They told him to
"knock it off". The president gave in, since his company did a considerable
business with the federal government.

Now, if the government wasn't monitoring the communications, how would they
even know that the encryption system was installed? Further, since encryption
isn't illegal, and DES certainly isn't, what is the basis of the
government's cease-and-desist demand?

The spooks do whatever they think is necessary, with or without the blessings
of the law. I'll say "no thanks" to Clipper, or anything else the government
produces. For the moment, double or triple DES is probably adequate. And when
the line is idle, send random garbage, just to keep 'em busy. 

    David Hayes    merlin@lerami.lerctr.org




Newsgroup: sci.crypt
document_id: 15810
From: uni@acs.bu.edu (Shaen Bernhardt)
Subject: Re: Overreacting (was Re: Once tapped, your code is no good any more)

In article <1993Apr22.134214.18517@rick.dgbt.doc.ca> jhan@debra.dgbt.doc.ca (Jerry Han) writes:
>In this giant bally-ho over this Clipper chip I noticed a rather
>disturbing trend in some of the E-mail and posts I've tossing back and
>forth.  
>
>Somebody asked me what was wrong about overreacting in cases such as this.
>
>The reason is very simple:  How many people do you want to die in a riot? 
>In a new Civil War? 
>
>Everybody is jumping up and down and screaming about it, and I'm worried
>that people are going to reach for their hammers and rifles before their pens
>and paper.  
>
>Can people work within the system before trying to break it?

A circuit court judge in Illinois once said "When dealing with a government
that seeks continually new and more creative ways to spy on its citizenry,
one cannot discourage the move to empower the common citizen with the means
to parry this attack on personal privacy."

(Unfortunately the comment was with regard to the banning of radar
detectors....)

The point remains.  More and more I see the government slowly washing
away privacy.  Even unwittingly.  Do you think I will ever live in a
society that issues smart cards to citizens at birth?  Do you think I
will live in a society that insists I register my crypto keys so they
can keep track of what I'm saying?  Even if there is no evidence of my
guilt?  Do you think I will ever live in a society that seeks to meddle
in the affairs of its citizenry without recourse of any kind?  I'm tired
of it.  There is (IMHO) no compromise with an administration that seeks
to implement these proposals under the guise of enhancing privacy.

More than the proposals themselves, I read the language of the press
releases, the obvious deception involved in presenting these pieces to
the public, and I am sickened.  I am revolted.  I am repulsed.

90%, perhaps even 95% of this country could care less about the
clipper chip, the wiretap bill, the smart card, because they are so
entrapped in the rhetoric of the Clinton Administration.

This saddens and frightens me.

I am a conservative believe it or not.  A law and order conservative.
But the move to a centralized authoritarian regime really scares me,
mostly because I know you can't go far wrong underestimating the
intelligence of the American people.  Tell them it's going to keep
them safe from drug dealers and terrorists, and they will let you
put cameras in their home.

Even in the wake of Waco, you find those who support the increasingly
totalitarian moves.

>Somebody once said something like: "Armed Violence is meant only to be
>used in response to an armed attack.  It is not meant to be used in
>aggression.  This is the difference between self-defence and murder."

To be quite honest, the way things are going, I'd call it self defense.

>Let's try to avoid killing things, eh?  There's enough blood shed in the
>world, without adding a couple of riots, Civil Wars, etc.
>
>I'm probably overreacting.  But what I've read scared me a lot.  I don't
>want my children growing up in a War Zone.


And I don't want mine growing up in the eyes of a security camera
24 hours a day.
>-- 
>Jerry Han-CRC-DOC-Div. of Behavioural Research-"jhan@debra.dgbt.doc.ca"
>///////////// These are my opinions, and my opinions only. \\\\\\\\\\\\\
>\\\\\\\\\ A proud and frozen member of the Mighty Warriors Band ////////  
>"Memories of those I've left behind, still ringing in my ears."-Genesis-

uni

-- 
uni@acs.bu.edu  ->  Public Keys by finger and/or request
Public Key Archives: <pgp-public-keys@pgp.iastate.edu> 
Sovereignty is the sign of a brutal past.<>Fight Clinton's Wiretap Chip!
DF610670F2467B99 97DE2B5C3749148C <> Crypto is not a Crime! Ask me how!

Newsgroup: sci.crypt
document_id: 15811
From: tcmay@netcom.com (Timothy C. May)
Subject: Re: Estimating Wiretap Costs/Benefits

Robin Hanson (hanson@kronos.arc.nasa.gov) wrote:
:               WOULD WIRETAP CHIP BE COST-EFFECTIVE?

:   SUMMARY: Compared to an average monthly phone bill of sixty dollars,
:   wiretaps are only worth two cents a month to police.  So the
:   proposed wiretap chip must raise phone costs by less than one part 
:   in three thousand to be cost-effective. 

Robin's calculation is interesting and important, even if it's off by
an order of magnitude (for example).

Even if hardware costs for the Clipper Chip phones were ZERO, the
protocol overhead in transmitting the escrow field would be much
higher than the 1 part in 3 thousand...it depends on the exact details
of the phone call length, protocol, etc. (shorter calls get a
proportionately greater hit).

However, I suspect most Americans will not find this line of reasoning
as persuasive as the analogies about escrowing keys to one's house
are.

-Tim May


-- 
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,  
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets, 
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^756839 | Public Key: PGP and MailSafe available.


Newsgroup: sci.crypt
document_id: 15812
From: pat@rwing.UUCP (Pat Myrto)
Subject: Re: THE CLIPPER CHIP: A TECHNICAL SUMMARY

In article <1993Apr19.182327.3420@guvax.acc.georgetown.edu> denning@guvax.acc.georgetown.edu writes:
>The following document summarizes the Clipper Chip, how it is used,
>how programming of the chip is coupled to key generation and the
>escrow process, and how law enforcement decrypts communications.

Interesting.  Tell us, what happens if I were to say OK, I want to have
something else.  If the law enforcement wants my traffic, they can record
it, then get a search warrant, and get the keys FROM ME, just like they
would the keys to a stout private safe, etc. (Lets say I suspect that
there is a way to trivially crack this at the Fed level, with no warrant,
say for NSA scanning for keywords, etc., and the government has abused
great power in the past...).

So I say "Mr Vendor, I want something different, independent.  I am
a paranoid sort, ya understand...".

Will the result be "Sorry, without Government permission, we cannot sell
you anything secure", or would it be "Sorry, we know which side our
bread is buttered on, we cannot sell except to government people, law
enforcement, and 'special' people...".

What, in your opinion, would be the chances of "sure, we will sell you
this secure system ... be happy to..."

Also, please be so kind as to tell us what the plans are for private
encryption of, say files transferred by modem, or FTP, or data stored
on disk?  SURELY you have a feel for what the administration is planning
for us people on that....  With your rather intimate relationship with
the FBI, NSA, etc. you must CERTAINLY have an idea.  You are surely
not going to say "the people are not to know, until it is too late..."
This IS supposed to be government of the people by the PEOPLE, isn't
it?  That is, the people ARE the government's BOSSES?  The BOSSES
want to know what the *@()#*&(@ is going on here...

You see, I am kind of nervous, because in the last month or so, I have
seen a non-stop stream of ideas coming out of Wash DC that at least
appear VERY STRONGLY to have a common trait to limit privacy (freedom
from Govt eavesdropping), and the ability to defend ourselves against
violent attack (no, 911 is *NOT* good enough for 'common folk', they
arrive only in time to clean up the mess: I would be DEAD if I had to
depend on 911...).   You see, with all that talk about National smart
ID cards, limiting of encryption to 'government approved', denial of
means to effective personal defense (EIGHT bills in congress right now),
it looks an AWFULLY lot like the whole thing is to be able to trace
EVERY ACTIVITY of an individual from cradle to grave.  All it would take
is requiring that National ID card to be used in all transactions...
and with no effective data protection, and with the people suitably
disarmed, there would not be a helluva lot they could do about it, now
would there?  All in the name of the War on the Constitu ... er ...
drugs, and of course that catch word 'terrorists'.  What is wrong with
good OLD-FASHIONED POLICE WORK to build a case?  They don't want to
have to be burdened to leave the office, it seems...

Please read the Bill of Rights (first ten amendments to the US
Constitution) and tell us how you can reconcile this Big Brother-ish
policy of the Administration (always for a 'crisis' of some kind, isn't
it?) with that Bill of Rights in the context of the people who wrote
it?

Reassure us - please... (or is that no longer regarded as necessary,
seeing as apparently the people have NO input on this agenda, the
Administration preferring to make all the DECISIONS in secret, then
springing it on us...).  Doesn't sound much like ... by the PEOPLE
to me.  I cannot help notice that the congress people involved were
NOT mentioned on the press release.  I find that more than a little
bit curious, don't you?  I sure would like to know who to not vote
for come election time...

Yes, I am upset.  I feel you are a part of this, because I recall it
was you that was posting HEAVILY in favor of a very similar idea (could
have been the SAME thing, it was so close) a few months ago...  I
also recall it was not well received.  Apparently powers-that-be
really didn't care (or were not told, or both).

From what I see, Clipper will ONLY be useful for conversations I don't
want the neighborhood kid listening in on.  Any SERIOUS security I don't
think I would want to trust it a bit.  Might as well use cleartext.
Certainly corporations would be rather dumb to depend on this for serious
trade-secret data, especially if millions depended on that security.
Given enough money, one could BUY any keys they wanted.  Buy a crooked
judge, and a crooked cop.   Given a few hundred thou, they wouldn't be
hard to find.  So, we end up with only criminals, terrorists, and the
Government with real security, and the ability to eavesdrop.  You know
the first two, if they are serious, ain't going to use this thing for
THEIR communications.  I bet the government won't, either (except perhaps
to order a pizza).

Tell us, will that be prima facie evidence of criminal activity,
someone not using the 'government approved' methods?  That just a desire
to have PRIVACY is no longer regarded as a legitimate right of an
unconnected citizen?  Will that be grounds for a fly-through-the-door
raid, and confiscation of all one's equipment, as 'terrorist tools',
using civil forfeiture, so there will be no inconvenient need to
PROVE any wrongdoing on the part of the citizen?

I have yet another question, are we going to see articles in all the
public magazines, consisting of soothing text telling us how great
this is, how nice the government is by LETTING us have this illusion
of privacy?  That the government is going to be so kind as to let
us 'sort of' exercise a RIGHT?  What you want to bet that I am
correct here?

Please answer these questions.  As citizens of the United States, we
have a RIGHT to know what our Government plans to 'let' us have
out of the goodness of their hearts...

Funny thing, though - with all these proposals, I don't feel ONE BIT
safer from drug dealers, terrorists, or a common street thug.  I am
beginning to wonder if the greater danger lies in the above entities,
or our own government gone out of control?

Re-assure us, please.  So far, I haven't seen much to reassure me...
and a LOT to greatly disturb me.

-- 
pat@rwing.uucp      [Without prejudice UCC 1-207]     (Pat Myrto) Seattle, WA
         If all else fails, try:       ...!uunet!pilchuck!rwing!pat
WISDOM: "Only two things are infinite; the universe and human stupidity,
         and I am not sure about the former."              - Albert Einstein

Newsgroup: sci.crypt
document_id: 15813
From: steve-b@access.digex.com (Steve Brinich)
Subject: Re: Fear, Uncertainty, Doubt

 > More accurate is that the government says it's solid, other people
 >in the field who might be able to find out haven't yet done their
 >review of the chip design, and there's been a lot of wild speculation
 >and guesswork from those with little information that it might be
 >Swiss cheese.

  Oh, that puts the debate on -excellent- terms for our side:

  FEDS:  You people saying that Clipper is insecure don't have any real
information to support that judgment.
  ME:  Fine -- show me this "information" that would prove me wrong.
  FEDS:  That's secret!

  When it comes down to that, it looks suspiciously like some government
official pasting "TOP SECRET" stamps over embarrassing information in order
to save his own hide.  In fact, framing the secrecy issue in that perspective
is more likely to turn Joe Sixpack's suspicions against the Feds than the
Constitutional argument -- a point I urge the others on the pro-freedom
side to consider when making their case.



Newsgroup: sci.crypt
document_id: 15814
From: C445585@mizzou1.missouri.edu (John Kelsey)
Subject: Re: Clipper considered harmful

 
   The clipper chip's User key is formed by:
 
           R1 = E[D[E[N1;S1];S2];S1]
           R2 = E[D[E[N2;S1];S2];S1]
           R3 = E[D[E[N3;S1];S2];S1]
 
   Why is the triple-encryption used?  Is it just to gain an effective
increase in keyspace to defeat a potential keysearch?  (If so, why use
80 bit keys?)  Not knowing anything about the Skipjack algorithm, it's
not really possible to guess whether this makes it harder or easier to
guess S1,S2.
 
   Why are N1, N2, and N3 formed as they are?  It would be fascinating to
see the Skipjack algorithm, to look for ways of attacking it that require
three ciphertext blocks formed in that odd way.
 
   Where do the 34-bit constant values that are concatenated with the
serial number to form N1,N2,N3 come from?  Are they changed from chip to
chip, or session to session?  (Even if they're published in the NY Times,
if SkipJack is resistant to known-plaintext attacks, when using triple-encryption,
then there's no break in security.  But why allow that kind
of weird format?  If those three 34-bit values are truly-random bits, then
maybe it's used to ensure that a known-plaintext attack on SkipJack, if
it exists, can't be easily used to derive S1 and S2 for a whole production
run of these chips....)
 
   Does Dorothy Denning read this group?  If not, is someone on the group
forwarding questions like these to her, or Martin Hellman, or anyone else
who's seen more details about the chip?
 
   --John Kelsey

Newsgroup: sci.crypt
document_id: 15815
From: steve-b@access.digex.com (Steve Brinich)
Subject: Re: Is key escrow enough?

  The points raised about checking what is actually -in- the chip, as
opposed to what is allegedly programmed therein, raise yet another trust
issue.  Even if we assume that these "trusted agents" are really entering
a wide range of S1 and S2 seeds (rather than using the same one all the
time to reduce the key search space to 30 bits), I assume they are not
doing so by picking up an iron filing and poking it into the circuitry
at carefully selected points to encode data.  They would presumably be
punching numbers into a computer, which for all they know could program
the chips in a manner completely independent of the S1 and S2 values they
are feeding into the system.





Newsgroup: sci.crypt
document_id: 15816
From: servalan@access.digex.com (Servalan)
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks  only

In article <1993Apr22.223906.25929@lehman.com> pmetzger@snark.shearson.com (Perry E. Metzger) writes:
>Qualcomm had spare cycles in the DSPs for their new CDMA digital
>cellular phones. They wanted to put strong crypto into them since they
>had the capacity. The government decided to "discourage" them.

You're blowing smoke.  Qualcomm wants to sell to nice, lucrative overseas
markets like Japan and the EC.  The government told them "don't do encryption
if you ever hope to export this technology".  The reason that CDMA doesn't
have encryption is NOT because the G-men came a'knocking at Qualcomm's door.
It's because Qualcomm doesn't think that the US market for digital cellular
is big enough for them.  This is just the International Traffic in Arms
Regulations all over again.

If you don't believe me, call Qualcomm and ASK THEM.  Don't just throw
out conspiracy theories.  At least, don't do it on sci.crypt--there are
whole other newsgroups devoted to this kind of uninformed claptrap.

>any "normal" company trying to put one out will likely get a visit
>from the boys in the dark suits from Washington, just like Qualcomm
>did. I suspect that companies like Cylink are tolerated because their
>products are too expensive.

Hah.  They're not that much more expensive.  Besides, if a drug dealer
can afford a Rolex and a Mercedes, he can darn well afford Cylink phones.
No, Cylink sells their phones because they're willing to make different
stuff for domestic use vs. export.  Qualcomm isn't.  So Cylink makes
money--that's capitalism, comrade.

>Someone out there WILL build a unit to do all this. Better yet,
>perhaps someone will produce a package that turns any 486 box with a
>sound card into a secure phone.

"Someone" this and "someone" that.  If you think it's so easy, why are
you whining on the net instead of getting your butt in gear and writing
it?  Your name would become known and loved by dozens!  But no, that would
require actual EFFORT.

					-= Servalan =-

Newsgroup: sci.crypt
document_id: 15817
From: C445585@mizzou1.missouri.edu (John Kelsey)
Subject: Crypto papers on the net.

   I've recently been reading a paper of Merkle's (published only on the
net, I think) discussing three potential replacements for DES.  Was
anything ever done with these?  Are Khufu, Khafre, and/or Snefru still
being discussed anywhere?  (I know Snefru is referenced in the RSA
FAQ, and I think it may also be in the sci.crypt FAQ.)
   On a related topic, can anyone point me toward good sites to find
papers/articles/discussions of cryptology?  I think I've about exhausted
the Math/Sci library here, which doesn't seem to have anything more recent
than about '84.
 
   Thanks.
 
   --John Kelsey

Newsgroup: sci.crypt
document_id: 15818
From: C445585@mizzou1.missouri.edu (John Kelsey)
Subject: PGP ideas for IBM systems

   I've been thinking about how difficult it would be to make PGP available
in some form on EBCDIC machines.  The message authentication would be ugly,
but I think at least the IDEA encryption could work, if PGP had a switch
to tell it to use IDEA in OFB-mode or ECB-mode.  In OFB-mode, errors in
translating EBCDIC-->ASCII-->EBCDIC would only affect their byte, not the
16 bytes that would be affected under CBC.
   Is PGP set up to use different IDEA modes?  I don't recall noticing it
in the executable, but I haven't gone through it as carefully as I probably
should....
 
   --John Kelsey
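
The two constructions questioned in the posts above, as an added example (not code from any of the posts, nor from PGP or the Clipper chip): a toy 8-byte Feistel cipher built from SHA-256 stands in for Skipjack and IDEA, and around it run the R = E[D[E[N;S1];S2];S1] derivation from John Kelsey's Clipper post and the OFB-versus-CBC error-propagation comparison from his PGP/EBCDIC post. The seeds, serial layout, key and text are constructed values and the function names are mine; note that the EDE step collapses to a single encryption whenever S1 equals S2 (compare Steve Brinich's remark above about reusing one seed).

```python
"""Added example: toy versions of two constructions discussed in the posts above.
The 8-byte Feistel cipher is built from SHA-256 and stands in for Skipjack and
IDEA, whose internals the posts do not give; it is not a real cipher."""
import hashlib

BLOCK = 8          # 64-bit block, as in IDEA (and Skipjack)
HALF = BLOCK // 2
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    # Round function: keyed SHA-256 truncated to half a block (toy stand-in).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """E[block; key]: balanced Feistel network, halves swapped after the last round."""
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _f(key, right, rnd))
    return right + left


def decrypt_block(key: bytes, block: bytes) -> bytes:
    """D[block; key]: the same network with the rounds applied in reverse order."""
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(ROUNDS)):
        left, right = right, _xor(left, _f(key, right, rnd))
    return right + left


def ede(s1: bytes, s2: bytes, n: bytes) -> bytes:
    """R = E[D[E[N;S1];S2];S1], the triple encryption quoted in the Clipper post.
    With S1 == S2 the inner D undoes the inner E, leaving a single E."""
    return encrypt_block(s1, decrypt_block(s2, encrypt_block(s1, n)))


def clipper_unit_blocks(s1: bytes, s2: bytes, n_blocks) -> list:
    """R1, R2, R3 from N1, N2, N3; the N_i are whatever the caller supplies."""
    return [ede(s1, s2, n) for n in n_blocks]


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    assert len(data) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = encrypt_block(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        block = data[i:i + BLOCK]
        out.append(_xor(decrypt_block(key, block), prev))
        prev = block
    return b"".join(out)


def ofb_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """OFB keystream = E[IV], E[E[IV]], ...: the same call encrypts and decrypts."""
    out, state = [], iv
    for i in range(0, len(data), BLOCK):
        state = encrypt_block(key, state)
        out.append(_xor(data[i:i + BLOCK], state))
    return b"".join(out)


def damaged_positions(mode: str, key: bytes, iv: bytes, text: bytes, pos: int) -> list:
    """Corrupt ciphertext byte `pos` (standing in for a byte mangled by an
    EBCDIC->ASCII->EBCDIC round trip), decrypt, and list the plaintext
    offsets that came back wrong."""
    enc, dec = (cbc_encrypt, cbc_decrypt) if mode == "cbc" else (ofb_crypt, ofb_crypt)
    damaged = bytearray(enc(key, iv, text))
    damaged[pos] ^= 0x40                     # e.g. a letter whose case was changed
    recovered = dec(key, iv, bytes(damaged))
    return [i for i, (a, b) in enumerate(zip(text, recovered)) if a != b]


# Constructed sample values: not the real Clipper seeds, serial format or any real key.
S1, S2 = b"seed-one", b"seed-two"
SERIAL = b"\x00\x00\x12\x34"                 # stand-in for a chip serial number
N_BLOCKS = [SERIAL + pad for pad in (b"\x01" * 4, b"\x02" * 4, b"\x03" * 4)]
KEY, IV = b"session-key", b"\x00" * BLOCK
TEXT = b"THE QUICK BROWN FOX JUMPS OVER X"  # 32 bytes = 4 blocks

if __name__ == "__main__":
    for n, r in zip(N_BLOCKS, clipper_unit_blocks(S1, S2, N_BLOCKS)):
        print("N =", n.hex(), "-> R =", r.hex())
    print("S1 == S2 collapses EDE to E:", ede(S1, S1, N_BLOCKS[0]) == encrypt_block(S1, N_BLOCKS[0]))
    for mode in ("ofb", "cbc"):
        print(mode.upper(), "plaintext bytes wrong after one bad byte:", damaged_positions(mode, KEY, IV, TEXT, 10))
```

With an 8-byte block, the CBC case damages the whole block holding the bad byte plus one byte of the next block, while OFB damages only the byte itself.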

Newsgroup: sci.crypt
document_id: 15819
From: Peter.White <Peter.White@mixcom.mixcom.com>
Subject: Why are we being censored in a free America? This node specifically

I have been scanning and trying to read the articles in the sci.crypt area,
but what do I get?   SURPRISINGLY, the blurb comes upon the screen "file xxx
has either been cancelled or expired."       Now I ask you, If it expired,
wouldn't it be out of the available file cache?
I am 32 and not a paranoid, but the older I get, the greater my cynicism of
both federal and state governments becomes.    
The censorship  of this Internet (and it is no less than censorship [stupid me, it's the GOVT.])
is ridiculous.  The Japanese have far outstripped our ciphertechnology,  and 
our government is now, before your very observant eyes, trying to force the
"crypto standard" onto a framefork where the "standard" is now an ancient
relic in terms of modern Japanese security techniques.


Now, I pose the question: Why censor folks on the net and send the warning
shown above ("cancelled or expired") when it would be wiser to not let people
see the post at all??


Which Article of the Constitution gives me the right of revolution if things
seem to be going cockeyed??


Hmmm...
-- 
Peter G. White, President, Synthesis 93 Inc.
Milwaukee, Wisconsin, U.S.A.  
Peter.White@mixcom.com

Newsgroup: sci.crypt
document_id: 15820
From: rab@well.sf.ca.us (Bob Bickford)
Subject: Re: New Encryption Algorithm

In article <artmel.735538777@well.sf.ca.us>,
   artmel@well.sf.ca.us (Arthur Melnick) writes:
>
>     In order to get export approval for SECOM/NEA, it was
>necessary to go through NSA and to reveal to them the details of
>the program and algorithm.  This was done only AFTER we had a
>finished product to submit.

    . . . . .

>     With the encryption algorithm approved for export, we set

Please don't be insulted, but based on this I would say that your
encryption algorithm is very likely not worth the paper it's printed
on.  If the NSA gave export approval, that means they felt confident
that they could crack it -- that's their JOB, mandated by LAW, and
I'm sure they believe in what they do.  If they gave export approval
to an encryption algorithm which they weren't confident of being able
to crack, they would be derelict in their sworn duty to monitor foreign
communications for US national security related material.

Just because many (most?) of us think that the government and the spooks
are pugnacious slimeballs is no reason to lose sight of the fact that
they do their jobs to the best of their ability, and further that said
ability is rather high.  I hope that one day we can make them all
obsolete....... but until then, we have to cope with their existence.
Export approvals are one thing they do that we can learn a lot from,
for example.

--
  Robert Bickford        /-------------------------------------\
  rab@well.sf.ca.us      | Don't Blame Me: I Voted Libertarian |
                         \-------------------------------------/

Newsgroup: sci.crypt
document_id: 15821
From: "Jon Ølnes" <jon@ifi.uio.no>
Subject: Re: Off the shelf cheap DES keyseach machine (Was: Re: Corporate
        acceptance of the wiretap chip)

In article <strnlghtC5wCMo.Fx5@netcom.com> strnlght@netcom.com (David Sternlight) writes:

> In article <C5uvn4.MF7@austin.ibm.com> arussell@austin.ibm.com (AG Russell)
> writes:
> 
> >
> >At the company I worked for previously, I received a file that was DES encrypted
> >and the person that had sent it, went on vacation.  Rather than wait two weeks
> >I set up a straight frontal attack with one key at a time.  It only took two(2)
> >days to crack the file.  No, I don't have any faith in DES.
> >
> 
> Taking this at face value (though it seems quite dissonant with much else
> that has been published here about brute force DES cracking, unless Russell
> was lucky with respect to the key), I'd be very interested in whether the
> program Russell used is available? In whether he used a cleartext
> recognition algorithm in the program or whether he had to examine each
> decryption by hand? In whether he used a known plaintext attack?
> 
> He probably should also tell us, given his address, what machine he used--a
> desktop, workstation, or super-computer.
> 
> Depending on his answer, this could be an appalling development calling into
> question both DES and RSA/DES. Dunno about RSA/IDEA.
> 
> If any bright programmer with a little idle machine time can crack a single
> DES message in a couple of days (assuming no tricks that are
> message-specific), then here's my Clipper key, NSA; give me the chip at
> once.  :-)
> 
> David
> -- 
> David Sternlight         Great care has been taken to ensure the accuracy of
>                          our information, errors and omissions excepted.  
> 
> 

A person I know, belonging to a research lab of a private
company, claimed to me during a private conversation that, given the
equipment in his lab, he could crack a Kerberos ticket in 15 minutes to
an hour. He had access to rather powerful DES hardware, but not of an
extraordinary kind, I believe. The attack was possible because of the
amount of known plaintext in the ticket, which itself constitutes a small
message. This was two years ago.
DES is no longer usable for encryption of really sensitive data. For a
lot of purposes, however, it is still very adequate.

Jon Olnes, Norwegian Computing Centre, Oslo, Norway
E-mail: Jon.Olnes@nr.no   or   jon@ifi.uio.no

Newsgroup: sci.crypt
document_id: 15822
From: stan@tacobel.UUCP (stan)
Subject: Re: I have seen the lobby, and it is us

ns111310@LANCE.ColoState.Edu (Nathaniel Sammons) writes:
> I second the motion.
> 
> All in favor?

In favor.  If y'all have any newsletters or are taking down addresses for 
any in the future, feel free to put me on such a list.

Newsgroup: sci.crypt
document_id: 15823
From: redsonja@olias.linet.org (Red Sonja)
Subject: Re: Once tapped, your code is no good any more.

In article <1993Apr20.054308.15985@Celestial.COM> bill@Celestial.COM (Bill Campbell) writes:
>In <strnlghtC5p7zp.3zM@netcom.com> strnlght@netcom.com (David Sternlight) writes:
>
>:In article <Apr18.194927.17048@yuma.ACNS.ColoState.EDU>
>:holland@CS.ColoState.EDU (douglas craig holland) writes:
>
>:>Note that measures to protect yourself from
>:>TEMPEST surveillance are still classified, as far as I know.
>
>:I think this to be inaccurate. One can buy TEMPEST equipment commercially.
>:Even Macs.
>
>Sure you can buy a TEMPEST approved Mac -- if you have enough
>money.  I haven't had any reason to look at this type of pricing
>for about 10 years, but a TEMPEST rating in 1982 would raise the
>price of a $2,495.00 Radio Shack Model III to something around
>$15,000.00.
>
Or just dig a deep enough hole in the ground. 50 feet should do it.


-- 
redsonja@olias.linet.org     \\\RS///     Self possession is 9/10 of the law.
Alien: "We control the laws of nature!" | "How come when it's human, it's an
Joel: "And you still dress that way?"   | abortion, but when it's a chicken, 
(MST3K#17 - Gamera vs Guiron)           | it's an omelet?" - George Carlin

Newsgroup: sci.crypt
document_id: 15824
From: jebright@magnus.acs.ohio-state.edu (James R Ebright)
Subject: Re: The [secret] source of that announcement

In article merlin@lerami.lerctr.org (David Hayes) writes:
>In article amolitor@nmsu.edu (Andrew Molitor) writes:
>>If you can get it for a buck, 2nd hand, it must be true, eh? I'm pretty
>>sure the NSA is supposed to, among many other things, provide high-quality
>>cryptosystems to a variety of places. I don't recall reading anywhere
>>reliable that they're supposed to:
>>
>>	1) Monitor my phonecalls.
>>	2) Monitor usenet.
>>	3) Provide only cryptosystems they can easily crack.
>>	4) etc etc.
>>
>>	This is not to say that they *don't*, they might. But you don't
>>know that they do, and you have no evidence that they do, for almost
>>all values of you. It follows, therefore, that for most values of 'you',
>>your claims about the NSA border on paranoia.
>>
>>	Andrew
>>
>
>OK, Andrew, I'll provide some evidence. A friend of mine worked for an
>electronics manufacturer on with a west-coast office. They routinely sold
[story deleted]

Let me give you another story that actually happened to ME.  We sell
communications boards that use a 68000.  They used to be high tech. Our
agent in the UK sold a system to a company in CH which packaged it in a
product for CZ (London-Bern-Prague).  I telexed the Brits and told them
the Swiss need to pass export paperwork through the US as, at the time,
you needed an export license for these systems.

Now I knew the NSA was watching this traffic (just like they are watching
THIS traffic.)

And what do you know... two weeks later an agent of the US government shows
up in my office to remind me if we or our agents sold systems into the Evil
Empire, we had better make sure the export licenses were handled properly.

He was part of a FIVE man office in COLUMBUS OHIO!! who did this stuff
based on sources he could not reveal. (I assume most of the time these
guys sat around the office with their thumbs up their ass as there isn't
that much stuff coming out of Columbus :)

Wow, the electric utility in Prague sure is a big worry for these folks :)

The point is, we have created a giant bureaucracy (NSA) with a budget
bigger than the CIA's who, like all bureaucracies, fill their time looking
for things to do.  The Evil Empire is gone.  The NSA is not.  They will do
something to fill their time and justify their budgets.  (I just wish they
too would sit around with their thumbs up their ass... but that is too
much to hope for... they will spy on us and do things like skipjack and
subvert people like Dorothy Denning.)  Sigh...
-- 
 Information farming at...     For addr&phone: finger             A/~~\A
 THE Ohio State University  jebright@magnus.acs.ohio-state.edu   ((0  0))____
      Jim Ebright             e-mail: jre+@osu.edu                 \  /      \
                          Support Privacy: Support Encryption      (--)\      

Newsgroup: sci.crypt
document_id: 15825
From: smoir@world.std.com (Scott A Moir)
Subject: Re: Organized Lobbying for Cryptography

In article <1993Apr21.154122.13015@csus.edu> sphughes@sfsuvax1.sfsu.edu (Shaun P. Hughes) writes:
>In article <1r3jgbINN35i@eli.CS.YALE.EDU> jgfoot@minerva.cis.yale.edu writes:
>>
>>Perhaps these encryption-only types would defend the digitized porn if it
>>was posted encrypted?
>>
>>These issues are not as separable as you maintain.
>
>Now why would anyone "post" anything encrypted? Encryption is only of 
>use between persons who know how to decrypt the data.

You mean something like Uuencode? It isn't super crypto, but it is encrypted.

Scott


-- 
Scott Moir  /  Satyr on IRC    ______ # "There's really only one requirement 
smoir@world.std.com            \ \/ / #  for a Prophet, and you've got it."
B4 f t+ w g k+(+!) s+ m r p+    \/\/  # "What's that?"
Also: pentangl@ursa-major.spdcc.com   # "A mouth." - 'God' to J.R.'BoB' Dobbs

Newsgroup: sci.crypt
document_id: 15826
From: tarnold@vnet.IBM.COM (Todd W. Arnold)
Subject: Re: Can DES code be shipped to Canada?

In article <1993Apr22.125402.27561@fripp.ri.cadre.com> rj@ri.cadre.com writes:
>Someone in Canada asked me to send him some public domain DES file
>encryption code I have.  Is it legal for me to send it?

I believe it's legal to send DES code or equipment from the US to Canada
with no export license.  I think this is the only place you can do this - all
other countries require a license.

As an aside, I've always thought it should be legal to send DES software
anywhere, if you follow these rules:

   1.  Encrypt your DES software with DES.
   2.  Send the encrypted software to the recipient.
   3.  Send the key to the recipient.

The only way the person on the other end can use your DES software is if
he/she already *has* DES available - otherwise, they can't decrypt your
program, and it is useless.  If you've guaranteed they already have DES,
have you really violated any law by sending it to them in the form of
your program??  I'm sure it's still illegal, but it seems like a good idea...

- Todd

Newsgroup: sci.crypt
document_id: 15827
From: Rick Miller <rick@ee.uwm.edu>
Subject: Does Rush read his E-mail?

rsilvers@nynexst.com (Robert Silvers) writes:
>	Send something to Rush Limbaugh about Clinton taking away our right
>to privacy and how if the govt. standard takes off, only people with lots
>of money (drug dealers) will be able to justify DES stuff.  He will slam
>Clinton for this on the air.
>						--Rob.

I seem to recall Rush saying that he has a CompuServe account.  If anyone
wants to E-mail him, all we need is his account number (i.e.: 12345,6789)
and then we could e-mail him via gateway by using a dot instead of a comma
like so: "12345.6789@compuserve.com".  (THIS IS *NOT* HIS ADDRESS.)

So, does anyone know his e-mail address?  He *says* he uses it all the time.
(I wonder if he reads alt.fan.rush-limbaugh...   His ego is big enough!)

Rick Miller  <rick@ee.uwm.edu> | <ricxjo@discus.mil.wi.us>   Ricxjo Muelisto
Send a postcard, get one back! | Enposxtigu bildkarton kaj vi ricevos alion!
          RICK MILLER // 16203 WOODS // MUSKEGO, WIS. 53150 // USA

Newsgroup: sci.crypt
document_id: 15828
From: rja14@cl.cam.ac.uk (Ross Anderson)
Subject: Re: Key Registering Bodies

In article <a_rubin.735498087@dsg4.dse.beckman.com>, a_rubin@dsg4.dse.beckman.com
(Arthur Rubin) writes:

|> In <nagleC5w79E.7HL@netcom.com> nagle@netcom.com (John Nagle) writes:
|> 
|> >       Since the law requires that wiretaps be requested by the Executive
|> > Branch and approved by the Judicial Branch, it seems clear that one
|> > of the key registering bodies should be under the control of the
|> > Judicial Branch.  I suggest the Supreme Court, or, regionally, the
|> > Courts of Appeal.  More specifically, the offices of their Clerks.
|> 
|> Now THAT makes sense.  But the other half must be in a non-government
|> escrow.

Good idea, But why put all the eggs in one basket?

Given that the escrow keys are generated 200 at a time on floppy disks, why
not keep them there rather than creating one huge database that will have to
be guarded better than Fort Knox.

Give each floppy to a different bank for safekeeping. The USA has over 10,000
banks and thrifts - there are not likely to be more than 2,000,000 Clipper
phones sold.

Ross

Newsgroup: sci.crypt
document_id: 15829
From: russotto@vnet.IBM.COM (Matthew T. Russotto)
Subject: Re: Once tapped, your code is no good any more.

In <strnlghtC5wHo2.1FK@netcom.com> David Sternlight writes:
>In the Clipper case, a representative body of experts is going to be allowed
>to audit it, and we'll have assurances (maybe even from the President) that
>other than the escrowed keys there are no back doors. While some may not
>have confidence in that (I am not among them)

Wow, assurances from the President.  Why, those are almost as good as
campaign promises!  I don't see why ANYONE wouldn't have confidence in
those.

Newsgroup: sci.crypt
document_id: 15830
From: mathew <mathew@mantis.co.uk>
Subject: Re: new encryption

psionic@wam.umd.edu (Haywood J. Blowme) writes:
> Additionally I spoke with Mr. Melnick about their algorithm. He couldn't tell
> me much about their new algorithm because it hasn't been patented yet.
[...]
> Right now the company is afraid that the new clipper chip will put them out
> of business. This is a very real possibility. So they really need help in
> stopping the clipper chip from becoming a standard.

If they're planning on patenting an algorithm, then I hope they go out of
business as quickly as possible.  And you can tell them I said that.

I'm sure many other readers of these newsgroups will agree, too.


mathew

Newsgroup: sci.crypt
document_id: 15831
From: dougb@comm.mot.com (Doug Bank)
Subject: Re: REVISED TECHNICAL SUMMARY OF CLIPPER CHIP

In article <1993Apr21.192615.3465@guvax.acc.georgetown.edu>, denning@guvax.acc.georgetown.edu writes:

|> The chips are programmed by Mykotronx, Inc., which calls them the
|> "MYK-78."  The silicon is supplied by VLSI Technology Inc.  They are
|> implemented in 1 micron technology and will initially sell for about
|> $30 each in quantities of 10,000 or more.  The price should drop as the
|> technology is shrunk to .8 micron.

Hmmmmmm.  $30 seems a bit expensive.  How big is the chip?  What kind
of packages will be used?  3 volt or 5 volt technology?  How much
current will it draw?  I think there are many practical questions
that haven't been answered, especially since this chip already exists!

|> All Clipper Chips are programmed inside a SCIF (Secure Compartmented
|> Information Facility), which is essentially a vault.  The SCIF contains
|> a laptop computer and equipment to program the chips.  About 300 chips
|> are programmed during a single session.  The SCIF is located at
|> Mykotronx.
|> 
|> At the beginning of a session, a trusted agent from each of the two key
|> escrow agencies enters the vault.  Agent 1 enters a secret, random
|> 80-bit value S1 into the laptop and agent 2 enters a secret, random
|> 80-bit value S2. These random values serve as seeds to generate unit
|> keys for a sequence of serial numbers.  Thus, the unit keys are a
|> function of 160 secret, random bits, where each agent knows only 80.

OK, I've got a big problem with all of this.  How in the world do you
expect to sell these chips for even $30 after all the overhead involved
in this programming procedure?  2-4 people, a laptop, only 300 chips at 
a time:  give me a break.  And how long does all of this take?  Even if
it is a minute per chip, it will take the greater part of a day to 
turn out 300 of these things.  How long do you suppose it will take to
program those 10,000 chips mentioned above?  This is highly impractical!

|> To see how the chip is used, imagine that it is embedded in the AT&T
|> telephone security device (as it will be).  Suppose I call someone and
|> we both have such a device.  After pushing a button to start a secure
|> conversation, my security device will negotiate an 80-bit session key K
|> with the device at the other end.  

So where can I find info on this AT&T device?  What kind of vocoder
does it use?  Does it require ISDN phone lines?  If not, is it full
duplex?  How does it sound?  What kind of synchronization scheme is
used?  Will all other little black boxes have to conform to AT&Ts choices
of protocol, etc.?  Will anybody else be allowed to build boxes that
conform to these specifications?


-- 
Doug Bank                       Private Systems Division
dougb@ecs.comm.mot.com          Motorola Communications Sector
dougb@nwu.edu                   Schaumburg, Illinois
dougb@casbah.acns.nwu.edu       708-576-8207                    
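
The programming session the quoted summary describes (two agents, two
secret 80-bit seeds, unit keys generated for a run of serial numbers) can
be modelled in a few lines. The block below is an added illustration, not
Mykotronx's procedure and not the real Clipper derivation, which the quoted
text does not specify; the derivation function (HMAC-SHA256 keyed with
S1||S2 over the serial, truncated to 80 bits), the 32-bit serial width and
all function names are assumptions made here for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

SEED_BYTES = 10      # each escrow agent enters an 80-bit random value (S1 or S2)
UNIT_KEY_BYTES = 10  # each chip receives an 80-bit unit key
BATCH_SIZE = 300     # chips programmed per SCIF session, per the quoted summary


def agent_seed() -> bytes:
    """One agent's secret, random 80-bit seed, drawn inside the vault."""
    return secrets.token_bytes(SEED_BYTES)


def derive_unit_key(s1: bytes, s2: bytes, serial: int) -> bytes:
    """Unit key for one serial number as a function of all 160 secret bits.

    ASSUMED construction (the quoted summary names no function): HMAC-SHA256
    keyed with S1 || S2 over the 32-bit big-endian serial, truncated to
    80 bits.  Either agent alone holds only half of the HMAC key.
    """
    if len(s1) != SEED_BYTES or len(s2) != SEED_BYTES:
        raise ValueError("each seed must be exactly 80 bits")
    if not 0 <= serial < 2 ** 32:
        raise ValueError("serial must fit in 32 bits")
    mac = hmac.new(s1 + s2, serial.to_bytes(4, "big"), hashlib.sha256)
    return mac.digest()[:UNIT_KEY_BYTES]


def program_session(s1: bytes, s2: bytes, first_serial: int,
                    count: int = BATCH_SIZE) -> Dict[int, bytes]:
    """One programming session: unit keys for `count` consecutive serials.

    Only the two seeds and the serial range need to be retained, because
    any unit key can be regenerated from (S1, S2, serial) on demand.
    """
    return {n: derive_unit_key(s1, s2, n)
            for n in range(first_serial, first_serial + count)}


def recover_with_one_seed(s1: bytes, serial: int, target: bytes,
                          max_tries: int = 1 << 12) -> Optional[bytes]:
    """What agent 1 can do alone: guess S2 and check against a known unit key.

    The real search space is 2**80, so a bounded search like this is
    expected to return None; it exists to make the 'knows only 80 bits'
    property concrete.
    """
    for i in range(max_tries):
        guess = i.to_bytes(SEED_BYTES, "big")
        if hmac.compare_digest(derive_unit_key(s1, guess, serial), target):
            return guess
    return None


if __name__ == "__main__":
    s1, s2 = agent_seed(), agent_seed()
    keys = program_session(s1, s2, first_serial=1000)
    print(f"{len(keys)} unit keys; serial 1000 -> {keys[1000].hex()}")
    print("agent 1 alone recovers S2:", recover_with_one_seed(s1, 1000, keys[1000]))
```

Two properties of the quoted design fall out of the model: unit keys are
deterministic in (S1, S2, serial), so an escrow agency never has to store
300 keys per session if it keeps the seeds, and a single agent's seed is
useless on its own because the other 80 bits are outside any feasible
search.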

Newsgroup: sci.crypt
document_id: 15832
Subject: Re: The [secret] source of that announcement
From: pgut1@cs.aukuni.ac.nz (Peter Gutmann)

In <C5x2xs.EF0@lerami.lerctr.org> merlin@lerami.lerctr.org (David Hayes) writes:

>OK, Andrew, I'll provide some evidence. A friend of mine worked for an
>electronics manufacturer with a west-coast office. They routinely sold
>equipment to the Japanese. One day, the Japanese started showing up with
>discount demands that were amazingly close to the cost to manufacture the
>products.

>This company routinely sent most of the manufacturing data to the field 
>offices. The Japanese had simply intercepted it. So my friend, the computer
>systems admin, came up with a solution. He started sending the data out
>double-block-encrypted with DES. 

>Two days after this new distribution plan was implemented, the president of
>the company got a visit from a pair of government agents. They told him to
>"knock it off". The president gave in, since his company did a considerable
>business with the federal government.

>Now, if the government wasn't monitoring the communications, how would they
>even know that the encryption system was installed? Further, since encryp-
>tion isn't illegal, and DES certainly isn't, what is the basis of the
>government's cease-and-desist demand?

Something similar has happened to me - ages ago when we were working on PGP
we used to send short messages about development issues or simply to test 
new features around.  Now at this time PGP (and certainly the newer version)
was unknown over here.  Suddenly the admin at the site I was using received
a request that I stop sending encrypted email.  Now there is almost no way
that some automatic scanner could have found this, since they wouldn't have
known about PGP - they *must* have checked for unknown data types in the
message, tried to unscramble it, found they couldn't get past the PEM
armour part, and then contacted the sysadmin and asked me to stop.  Luckily
the current email carriers are less picky about what goes over their
networks :-).

In case people think email scanning doesn't take place, I can assure you
that it is done regularly by many sites - usually not by government
agencies (or at least not that I know of), but by local administrators who,
for reasons of their own, have decided to monitor all communications
(I'm sure you can all think of a whole mess of reasons - stop hackers/
terrorists/child pornographers/drug dealers/evil commies/whatever).  There
have been several occasions when I've got people into trouble simply by
including the traditional NSA bait in a message (I don't try it any more
now :-).  A friend of mine was once picked up for mentioning the name of
the UK town of Scunthorpe (hint: look for words embedded in it).  I'm sure
there are many more examples of this happening (in fact if anyone has any
examples I'd appreciate hearing from them - I could use them as
ammunition during talks on privacy issues).

Peter.
--
 pgut1@cs.aukuni.ac.nz||p_gutmann@cs.aukuni.ac.nz||gutmann_p@kosmos.wcc.govt.nz
peterg@kcbbs.gen.nz||peter@nacjack.gen.nz||peter@phlarnschlorpht.nacjack.gen.nz
             (In order of preference - one of 'em's bound to work)
               -- Don't vote.  You'll only encourage them --


Newsgroup: sci.crypt
document_id: 15833
From: Lyle_Seaman@transarc.com
Subject: Re: new encryption

martin@world.std.com (Martin J Hannigan) writes:
> Hello. I am the David Sternlight keeper of the FAQ. Unfortunately I cannot
> find it at the present time.

Cool it, will you?  Let people form their own opinions.
Even Mr. Sternlight might be right sometime, and you guys
are setting things up so that the only way he can regain 
any credibility is to renounce his previous statements and
move towards the mainstream of net.opinion.  This does not
bespeak tolerance, IMO.

>                          C       _)           David Sternlight
>                           |  ,___|            Net.Police

Indeed...  

Lyle		Transarc		707 Grant Street
412 338 4474	The Gulf Tower		Pittsburgh 15219

Newsgroup: sci.crypt
document_id: 15834
From: jhan@debra.dgbt.doc.ca (Jerry Han)
Subject: Re: Overreacting (was Re: Once tapped, your code is no good any more)

In article <RENS.93Apr22153654@stimpys.imsi.com> rens@imsi.com (Rens
Troost) writes: 

>>   In this giant bally-ho over this Clipper chip I noticed a rather
>>   disturbing trend in some of the E-mail and posts I've been tossing back and
>>   forth.  
>
>Me too. A tendency on the part of some people to hide their head in
>the sand.

I never advocated "hiding in the sand."  I'm advocating a peaceful
solution while a peaceful solution is possible.  Unless you want blood on
your hands.

>How many people do you want jailed for their convictions, for their
>insistence on real privacy? Why sit by quietly while the preconditions
>for a real civil war are put in place by a short-sighted government.

Read the above.

>>   Everybody is jumping up and down and screaming about it, and I'm worried
>>   that people are going to reach for their hammers and rifles before their pens
>>   and paper.  
>
>The terminal is mightier than the pen :)

I type corrected.  (:-)

>Really? I guess you mean the U.S. revolution. How about England,
>India, Mexico, France, Holland....

English revolution-> what revolution?  They never had one.  
India-> If they could get around their religion restrictions
Mexico-> Point Taken, I forgot about this one.  
France-> Napoleon Bonaparte would have something to say about this.
Holland-> I didn't know they had one, won't comment because I don't know
enough.

>>   That's not very good odds.  
>
>You are misinformed. But this whole issue is off the topic.

Actually, I consider the issue on topic.  When you start gambling with
fire crackers, sooner or later, somebody is going to lose a hand.

>When the cops kick in your door for using PGP, tell them that. All
>we're doing here is exercising our (so-called, rapidly narrowing)
>right to free speech. 

Fine.  Exercise the right to free speech.  That's great!  But don't resort
to armed violence until there's no other possibility.

>Perhaps you should talk to the government about that. Or are you a
>disciple of David "The cops are our FRIENDS" Sternlight?

No.  I believe there are bad cops, and good cops.  There are bad people,
and good people.  (And all that grey in between.)  

I have had the pleasure of knowing a police officer who did his best to
uphold the laws he swore to defend.  I have also seen what happens when
police power is abused.

Don't generalize in either direction.  It just causes problems.

>The implied threat of the illegalization of private crypto, the
>not-so-subtle subtext of the clipper announcement, is what worries me.
>I don't want my children growing up in a police state.

Me either.  Nice can of worms, ain't it?

-- 
Jerry Han-CRC-DOC-Div. of Behavioural Research-"jhan@debra.dgbt.doc.ca"
///////////// These are my opinions, and my opinions only. \\\\\\\\\\\\\
\\\\\\\\\ A proud and frozen member of the Mighty Warriors Band ////////  
"Memories of those I've left behind, still ringing in my ears."-Genesis-

Newsgroup: sci.crypt
document_id: 15835
From: jhan@debra.dgbt.doc.ca (Jerry Han)
Subject: Re: Overreacting (was Re: Once tapped, your code is no good any more)

In article <116530@bu.edu> uni@acs.bu.edu (Shaen Bernhardt) writes:
>
>The point remains.  More and more I see the government slowly washing
>away privacy.  Even unwittingly.  Do you think I will ever live in a
>society that issues smart cards to citizens at birth?  Do you think I
>will live in a society that insists I register my crypto keys so they
>can keep track of what I'm saying?  Even if there is no evidence of my
>guilt?  Do you think I will ever live in a society that seeks to meddle
>in the affairs of its citizenry without recourse of any kind?  I'm tired
>of it.  There is (IMHO) no compromise with an administration that seeks
>to implement these proposals under the guise of enhancing privacy.
>
>More than the proposals themselves, I read the language of the press
>releases, the obvious deception involved in presenting these pieces to
>the public, and I am sickened.  I am revolted.  I am repulsed.
>
>90%, perhaps even 95% of this country could care less about the
>clipper chip, the wiretap bill, the smart card, because they are so
>entrapped in the rhetoric of the Clinton Administration.
>
>This saddens and frightens me.
>
>I am a conservative believe it or not.  A law and order conservative.
>But the move to a centralized authoritarian regime really scares me,
>mostly because I know you can't go far wrong underestimating the
>intelligence of the American people.  Tell them it's going to keep
>them safe from drug dealers and terrorists, and they will let you
>put cameras in their home.
>
>Even in the wake of Waco, you find those who support the increasingly
>totalitarian moves.
>
>To be quite honest, the way things are going, I'd call it self defense.
>
>And I don't want mine growing up in the eyes of a security camera
>24 hours a day.

I never advocated not saying what you believe in.  I'm advocating second
thought, and calm.  

"A smart warrior defeats the enemy in ambush on the battlefield"
"A smarter warrior defeats the enemy in open warfare on the battlefield"
"The smartest warrior defeats the enemy without using the battlefield"

Think about it.  


>-- 
>uni@acs.bu.edu  ->  Public Keys by finger and/or request
>Public Key Archives: <pgp-public-keys@pgp.iastate.edu> 
>Sovereignty is the sign of a brutal past.<>Fight Clinton's Wiretap Chip!
>DF610670F2467B99 97DE2B5C3749148C <> Crypto is not a Crime! Ask me how!


-- 
Jerry Han-CRC-DOC-Div. of Behavioural Research-"jhan@debra.dgbt.doc.ca"
///////////// These are my opinions, and my opinions only. \\\\\\\\\\\\\
\\\\\\\\\ A proud and frozen member of the Mighty Warriors Band ////////  
"Memories of those I've left behind, still ringing in my ears."-Genesis-

Newsgroup: sci.crypt
document_id: 15836
From: Lyle_Seaman@transarc.com
Subject: Re: Off the shelf cheap DES keyseach machine (Was: Re: Corporate acceptance of the wiretap chip)

"Jon \\lnes" <jon@ifi.uio.no> writes:
> A person I know, belonging to a research lab of a private
> company, claimed to me during a private conversation that, given the
> equipment in his lab, he could crack a Kerberos ticket in 15 minutes to
> an hour. He had access to rather powerful DES hardware, but not of an
> extraordinary kind, I believe. The attack was possible because of the
> amount of known plaintext in the ticket, which itself constitutes a small
> message. This was two years ago.

That would be a V4 ticket, presumably, not a V5 ticket.  The V4 ticket
format can even be complicated several more orders of magnitude...

Lyle		Transarc		707 Grant Street
412 338 4474	The Gulf Tower		Pittsburgh 15219

Newsgroup: sci.crypt
document_id: 15837
From: martin@world.std.com (Martin J Hannigan)
Subject: Re: new encryption

In article <sfpzMNz0BwwbMDwhUC@transarc.com> Lyle_Seaman@transarc.com writes:
>martin@world.std.com (Martin J Hannigan) writes:
>> Hello. I am the David Sternlight keeper of the FAQ. Unfortunately I cannot
>> find it at the present time.
>
>Cool it, will you?  Let people form their own opinions.
>Even Mr. Sternlight might be right sometime, and you guys
>are setting things up so that the only way he can regain 
>any credibility is to renounce his previous statements and
>move towards the mainstream of net.opinion.  This does not
>bespeak tolerance, IMO.
>
>>                          C       _)           David Sternlight
>>                           |  ,___|            Net.Police
>
>Indeed...  
>
>Lyle		Transarc		707 Grant Street
>412 338 4474	The Gulf Tower		Pittsburgh 15219


Hopefully, he doesn't take it personally...
-- 
Martin Hannigan    :       Twisted Pair Consulting       : 617-623-3534
Mac                :         IBM PC & Mainframe          : UNIX

Newsgroup: sci.crypt
document_id: 15838
From: cme@ellisun.sw.stratus.com (Carl Ellison)
Subject: Strong Encryption

I just posted this reply to comp.risks (answering RISKS DIGEST 14.53).
Summary: Re: [14.53 Mark Seecof] "key escrow"
References: <CMM.0.90.1.735527964.risks@chiron.csl.sri.com>

>From: Mark Seecof <marks@wimsey.latimes.com>
>Subject: "key escrow" (Clipper Chip; RISKS 14.51)

>Advances in digital computing have made it possible for ordinary people to
>use powerful machine cipher techniques.

It is tempting (albeit chauvinistic) to believe that we have a new situation
here, thanks to our pet computers.  This is not true.  David Kahn's "The
Codebreakers", a history of cryptography, makes two things obvious:

1.	Cryptography is a spontaneous invention of private human individuals
	and has been going on for thousands of years.  [Teen-age slang and
	cipher inventions provide a modern example of this spontaneous
	creation.]

2.	The systems people created on their own were roughly as secure as (and
	sometimes more secure than) those used by military and diplomatic
	users *of that time* (although they seem very simple and insecure
	today). [e.g., In places, the Bible used a more complex simple
	substitution than Caesar did for his military dispatches, but before
	Caesar.]

I commend Kahn's book to all who might be interested.

-- 
 - <<Disclaimer: All opinions expressed are my own, of course.>>
 - Carl Ellison                                        cme@sw.stratus.com
 - Stratus Computer Inc.       M3-2-BKW                TEL: (508)460-2783
 - 55 Fairbanks Boulevard ; Marlborough MA 01752-1298  FAX: (508)624-7488

Newsgroup: sci.crypt
document_id: 15839
From: johan@blade.stack.urc.tue.nl (Johan Wevers)
Subject: Re: Once tapped, your code is no good any more.

russotto@vnet.IBM.COM (Matthew T. Russotto) writes:

>>In the Clipper case, a representative body of experts is going to be allowed
>>to audit it, and we'll have assurances (maybe even from the President) that
>>other than the escrowed keys there are no back doors. While some may not
>>have confidence in that (I am not among them)

>Wow, assurances from the President.  Why, those are almost as good as
>campaign promises!  I don't see why ANYONE wouldn't have confidence in
>those.

I don't think mr. Clinton can even understand the technical details of
the clipper encryption scheme. So, his "assurances" are of no value at
all, if he gives them he just says what a panel of experts(?) told him.
If I lived in the USA, I would hope those experts were not paid by the
<fill here you favorite 3-letter combination>.
-- 
J.C.A. Wevers             The only nature of reality is physics.
johan@stack.urc.tue.nl  

Newsgroup: sci.crypt
document_id: 15840
From: morgan@engr.uky.edu (Wes Morgan)
Subject: Re: I have seen the lobby, and it is us

ns111310@LANCE.ColoState.Edu (Nathaniel Sammons) wrote:
>2) If some kind soul out there would write a letter, and upload it to 
>the net, everyone could capture it, print it out, and snail-mail it
>out to their local congressional critter.
>
>BTW>> I'm working on one.

You should realize that form letters are the *worst* way to influence
your congresscritters; exact copies are routinely placed on the lowest
rung of the opinion ladder.

If you want to write (and I think you should!), take the time to really
*write* a letter.  Things to emphasize:

	- It's been said that Usenet is available to the 'technical
	  elite', i.e. the techies at corporate sites and universi-
	  ties.  Emphasize that you are part of the group that will
	  be making/developing/using Clinton's 'data superhighway.'

	- Explain how you are intimately familiar with both computing
	  and data communications. (if this is the case; don't call your-
	  self an 'expert' after wiring in a 1200 bps modem.)   This
	  will distinguish your letter from the random flamers.  Don't
	  turn it into braggadocio; just tell them that you know the
	  technical sides of the issue.

	- Don't overdo jargon and gobbledygook.  Remember, your letter
	  will be first read (in all likelihood) by a staffer who may
	  even be a college student; if they don't understand it, your
	  views won't even make the 'running total' sheets.

	- Be concise; don't ramble.  Rants are *definitely* out of place.
	  Cite references, if necessary, but only use "accepted" references
	  like academic journals.  "My neighbor Jim" is *not* a real refer-
	  ence.  8)

	- Unfortunately, very few Congresscritters *really* understand
	  electronic communications.  Encourage them to pick up access
	  to Compuserve, America Online, or one of the Free-Nets.  Offer
	  to send them samples.  If you are in a position to do so, offer
	  them (or their staffers back in the home state) access to your
	  systems.  Offer to give a demonstration the next time they're in
	  town.  Your offer to get *personally* involved in helping them
	  *will* give your opinions more credence.

	- In addition to sending mail to your representatives, send mail
	  to the members of the committee (or subcommittee) that is dealing
	  with the issue.  If your Congresscritter isn't on the committee,
	  they can't be of much help until the matter comes to the floor.

--Wes

ps> I'd suggest drawing analogies between digital communication and the
    more traditional media, but Usenet doesn't have a decent track record
    in the analogy department.  8)

-- 
Rachel Elizabeth Morgan  --  4/13/93, 7:00 am    | Oh yeah, I can be reached as
9 pounds 4 ounces (despite coming 3 weeks early) |     morgan@engr.uky.edu
                                                 |-----------------------------
To netters who gave constant encouragement and prayer - thanks for everything!

Newsgroup: sci.crypt
document_id: 15841
From: mathew <mathew@mantis.co.uk>
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks only

ifarqhar@laurel.ocs.mq.edu.au (Ian Farquhar) writes:
> Hmmm... I also wonder what Intergraph thinks about the use of the name
> "Clipper" for this device. :)

Not to mention Computer Associates.  I'll have to be careful to stop telling
people I'm a Clipper programmer, they might lynch me... :-)


mathew

Newsgroup: sci.crypt
document_id: 15842
From: n9045178@henson.cc.wwu.edu (Sean Dean)
Subject: Re: Does Rush read his E-mail?

rick@ee.uwm.edu (Rick Miller) writes:

>rsilvers@nynexst.com (Robert Silvers) writes:
>>	Send something to Rush Limbaugh about Clinton taking away our right
>>to privacy and how if the govt. standard takes off, only people with lots
>>of money (drug dealers) will be able to justify DES stuff.  He will slam
>>Clinton for this on the air.
>>						--Rob.

>I seem to recall Rush saying that he has a CompuServe account.  If anyone
>wants to E-mail him, all we need is his account number (i.e.: 12345,6789)
>and then we could e-mail him via gateway by using a dot instead of a comma
>like so: "12345.6789@compuserve.com".  (THIS IS *NOT* HIS ADDRESS.)

>So, does anyone know his e-mail address?  He *says* he uses it all the time.
>(I wonder if he reads alt.fan.rush-limbaugh...   His ego is big enough!)

>Rick Miller  <rick@ee.uwm.edu> | <ricxjo@discus.mil.wi.us>   Ricxjo Muelisto
>Send a postcard, get one back! | Enposxtigu bildkarton kaj vi ricevos alion!


I've heard he doesn't read alt.fan.rush.....
But I have no idea of a Compuserve e-mail address...

Newsgroup: sci.crypt
document_id: 15843
From: hshubs@cis.umassd.edu (Howard S Shubs)
Subject: Re: Overreacting (was Re: Once tapped, your code is no good any more)

In <4fplPDH0BwwbEDweNJ@transarc.com> Lyle_Seaman@transarc.com writes:

>Look, we (collectively) have the power to throw the bums out, but we
>don't use it.  We clearly don't need to go burning things down, but we
>clearly do need to throw at least some of the bums out.
>Unfortunately, the bums have learned to target only small groups of
>people at a single time, so the masses won't react and throw them out.
>Eventually, the masses will react, unless the bums cease their
>relentless encroachment on liberty and despoilment of the economy.
>The sooner it happens, the less the damages will be.  I don't want to
>live in a war zone, either -- I want to see the bums thrown out before
>they do some *real* damage.

Before they do some real damage??  You haven't been paying attention, it
seems.  The so-called War on Drugs has already done major damage to
the US Constitution.
-- 
Howard S Shubs    hshubs@bix.com          For to win 100 victories in 100
The Denim Adept   hshubs@cis.umassd.edu   battles is not the acme of skill.

Newsgroup: sci.crypt
document_id: 15844
From: levin@bbn.com (Joel B Levin)
Subject: Re: Does Rush read his E-mail?

rsilvers@nynexst.com (Robert Silvers) writes:
|>>	Send something to Rush Limbaugh about Clinton taking away our right
|>>to privacy and how if the govt. standard takes off, only people with lots
|>>of money (drug dealers) will be able to justify DES stuff.  He will slam
|>>Clinton for this on the air.

He'll slam Clinton for anything at all on the air.  I just do not
understand why he remains so popular.  He'll take a piece of video of
Clinton walking along; find a frame in which Clinton wrinkles his
nose, say; freeze on it and blow it up full screen; and then rant for
five minutes on how no one could possibly trust someone with such a
face and such beady greedy little eyes.  I've seen this on his TV show
(it was around the time of the inauguration).  Can anyone call this
stuff legitimate (I hate to say "informed") commentary?  How can
anyone with half a brain in his or her head[1] continue to watch
it[2]?

The American TV-watching (and I guess radio-listening) public never
ceases to amaze me.

	/J

[1] Oops, have I just inadvertently answered my own question?

[2] I myself only see it when I run across it every couple months when
    channel-surfing late at night; the longest I've been able to stand
    him was about 10 minutes.

(Apologies for stripping the alt.fan.rush groups from the Newsgroups
line; the software here apparently rejects anything with groups we
don't carry, and we don't carry those.  Also I removed sci.crypt from
followups.)

=
Nets: levin@bbn.com  |  "There were sweetheart roses on Yancey Wilmerding's
POTS: (617)873-3463  |  bureau that morning.  Wide-eyed and distraught, she
              N1MNF  |  stood with all her faculties rooted to the floor."
                     |					-- S. J. Perelman

Newsgroup: sci.crypt
document_id: 15845
From: cme@ellisun.sw.stratus.com (Carl Ellison)
Subject: Re: Organized Lobbying for Cryptography

In article <1993Apr21.113152.395@gems.vcu.edu> langford@gems.vcu.edu writes:
>1)  Second Amendment gives us the right to keep and bear arms.
>
>2)  Strong cryptography is "arms", according to the U.S. government (that's
>    why it's so hard to export).
>
>Therefore, we have a constitutional right to strong cryptography!  


Better, I think, is our right peaceably to assemble.  I have a right to meet
you in a park and talk privately.  I have a right to see if anyone is
nearby, listening.

In cyberspace, cryptography gives us a right to assemble with control over
who overhears us.

-- 
 - <<Disclaimer: All opinions expressed are my own, of course.>>
 - Carl Ellison                                        cme@sw.stratus.com
 - Stratus Computer Inc.       M3-2-BKW                TEL: (508)460-2783
 - 55 Fairbanks Boulevard ; Marlborough MA 01752-1298  FAX: (508)624-7488

Newsgroup: sci.crypt
document_id: 15846
From: lkimes@alshain.usc.edu (Lance 'Moof' Kimes)
Subject: Re: Overreacting (was Re: Once tapped, your code is no good any more)


In article <116530@bu.edu>, uni@acs.bu.edu (Shaen Bernhardt) writes:

|> I am a conservative believe it or not.  A law and order conservative.
|> But the move to a centralized authoritarian regime really scares me,
|> mostly because I know you can't go far wrong underestimating the
|> intelligence of the American people.  Tell them it's going to keep
|> them safe from drug dealers and terrorists, and they will let you
|> put cameras in their home.


There is one point I'd like to make, that most people seem to have forgotten.
That is that one of the underlying principles in the Constitution is a DISTRUST
of governmental authority and control. All those "checks & balances" are because
they realize that you should distrust those in power. What everyone seems to have
forgotten as well is the original reason that the Bill of Rights guaranteed the
right to bear arms. Its inclusion was not to allow you to protect yourself
against other citizens, but to prevent the government from taking away your only
means of protecting yourself from an armed and aggressive government. It's hard to
oppress your citizenry when it's armed against you.

I am not a fanatic, I'm a retired Naval officer. Because I have spent so much
time defending it, perhaps I understand its "purpose" as well as its "plan".

Lance Kimes

Newsgroup: sci.crypt
document_id: 15847
From: r1b6116@zeus.tamu.edu (Mr. Weather)
Subject: Re: Does Rush read his E-mail?

n9045178@henson.cc.wwu.edu (Sean Dean) writes...

[other 2 posts deleted]

|I've heard he doesn't read alt.fan.rush.....
|But I have no idea of a Compuserve e-mail address...

Does anyone have Rush Limbaugh's e-mail address?  Is there anyone out there
on Compuserve who might be able to look it up or otherwise find it?
Maybe it would be impossible, but I thought I should at least ask...

               Mr. Weather / r1b6116@zeus.tamu.edu / Ken Blair

Newsgroup: sci.crypt
document_id: 15848
Subject: Re: Write to Clinton
From: a_rubin@dsg4.dse.beckman.com (Arthur Rubin)

In <1r74a4$h2t@transfer.stratus.com> cme@ellisun.sw.stratus.com (Carl Ellison) writes:


>I've been reading the sci.crypt, alt.privacy.clipper and comp.org.eff.talk
>discussions about the Clipper chip and find (as usual) that most of us
>think alike -- so there's a lot of repetition.  If each of these messages
>were sent to Clinton as well as to the net (or instead of to the net), we
>might actually have some effect.

>	0005895485@MCIMAIL.COM  (White House)

I've already written a 5000 char commentary (from my MCI MAIL account, so I
can't be accused of being a "hacker".)
--
Arthur L. Rubin: a_rubin@dsg4.dse.beckman.com (work) Beckman Instruments/Brea
216-5888@mcimail.com 70707.453@compuserve.com arthur@pnet01.cts.com (personal)
My opinions are my own, and do not represent those of my employer.

Newsgroup: sci.crypt
document_id: 15849
From: helleset@solar.usc.edu (Tor Helleseth)
Subject: PROGRAM EUROCRYPT'93, MAY 23-27, LOFTHUS, NORWAY


PROGRAM EUROCRYPT'93, MAY 23-27, LOFTHUS, NORWAY
------------------------------------------------
General chair : Kaare Presttun 
                email: eurocrypt93@alcatel.no                

Program chair : Tor Helleseth
                Department of Informatics 
                University of Bergen
                N-5020 Bergen
                NORWAY
                email: torh@ii.uib.no

=========================================================================

                      MONDAY,  May 24
                      ---------------
                 
              SESSION 1 : AUTHENTICATION
              --------------------------
              Chair: J. Seberry

 9.00- 9.30   Welcome and opening remarks
 9.30-10.00   On the Relation Between A-codes and Codes Correcting Independent 
              Errors, T. Johansson, B. Smeets (Lund University, Sweden), 
              and G. Kabatianskii (Institute for Problems of Information 
              Transmission, Russia)
10.00-10.20   Optimal Authentication Systems, R. Safavi-Naini and L. Tombak 
              (University of Wollongong, Australia)

10.20-10.50   Coffee or tea


              SESSION 2 : PUBLIC KEY
              ----------------------
              Chair: A. Odlyzko

10.50-11.10   Factoring Integers using SIMD Sieves, B. Dixon (Princeton 
              University, USA) and A.K. Lenstra (Bellcore, USA)
11.10-11.30   A New Elliptic Curve Based Analogue of RSA, 
              N. Demytko (Telecom Research Laboratories, Australia)
11.30-11.50   Weaknesses of a Public-Key Cryptosystem Based on Factorization 
              of Finite Groups, J. Stern (ENS, France)

11.50-14.00   Lunch


              SESSION 3 : BLOCK CIPHERS
              -------------------------
              Chair: A. De Santis

14.00-14.20   Differentially Uniform Mappings for Cryptography, 
              K. Nyberg (Technical University of Vienna, Austria)
14.20-14.40   On Permutations Against Differential Cryptanalysis, 
              T. Beth and C. Ding (EISS, University of Karlsruhe, Germany)
14.40-15.10   Two New Classes of Bent Functions, 
              C. Carlet (INRIA, France)
15.10-15.30   Boolean Functions Satisfying a Higher Order Strict Avalanche
              Condition, T.W. Cusick (SUNY, Buffalo, USA)

15.30-16.00   Coffee or tea


              SESSION 4 : SECRET SHARING
              --------------------------
              Chair: Y. Desmedt

16.00-16.30  Size of Shares and Probability of Cheating in Threshold Schemes, 
             M. Carpentieri, A. De Santis and U. Vaccaro (University of 
             Salerno, Italy)
16.30-17.00  Nonperfect Secret Sharing Schemes and Matroids, K. Kurosawa,
             K. Okada, K. Sakano, W. Ogata and S. Tsujii (Tokyo Institute of
             Technology, Japan)
     

                      TUESDAY, May 25
                      ---------------

             SESSION 5 : STREAMCIPHERS I
             ---------------------------
             Chair: T. Helleseth 

 9.00-10.00 From the Memoirs of a Norwegian Cryptolog, E. Selmer (University 
            of Bergen, Norway) (Invited talk)
10.00-10.20 On the Linear Complexity of Products of Shift-Register Sequences, 
            R. Gottfert and H. Niederreiter (Austrian Academy of Sciences, 
            Vienna, Austria)

10.20-10.50 Coffee or tea


             SESSION 6 : STREAMCIPHERS II
             ----------------------------
             Chair: D. Gollmann

10.50-11.20  Resynchronisation Weaknesses in Synchronous Stream Ciphers,
             J. Daemen, R. Govaerts and J. Vandewalle (ESAT, KU Leuven, 
             Belgium)
11.20-11.40  Blind Synchronization of m-Sequences with Even Span,
             R. Games and J.J. Rushanan (MITRE, USA)
11.40-12.10  On Constructions and Nonlinearity of Correlation Immune Functions,
             J. Seberry, X. Zhang and Y. Zheng (University of Wollongong, 
             Australia)

12.10-14.00  Lunch


             SESSION 7 : DIGITAL SIGNATURES
             ------------------------------
             Chair: C. Schnorr

14.00-14.30  Practical and Provable Secure Release of a Secret and Exchange of
             Signatures, I.B. Damgard (Aarhus University, Denmark)
14.30-14.50  Subliminal Communication is Easy Using the DSA, 
             G.J. Simmons
14.50-15.10  Can OSS be Repaired, D. Naccache (Gemplus, France)

15.10-15.40  Coffee or tea


             SESSION 8 : PROTOCOLS I
             -----------------------
             Chair: K. Kurosawa

15.40-16.00  Limitations of Logical Analysis of Cryptographic Protocols,  
             C. Boyd and W. Mao (University of Manchester, United Kingdom)
16.00-16.30  Practical Anonymous and Secure Voting Scheme, K. Itoh, C. Park 
             and K. Kurosawa (Tokyo Institute of Technology, Japan)
16.30-16.50  Untransferable Rights in a Client-Independent Server Environment,
             J. Domingo-Ferrer (University of Barcelona, Spain)
16.50-17.20  Interactive Hashing Simplifies Zero-Knowledge Protocol Design,
             R. Ostrovsky (UC Berkeley, USA), R. Venkatesan (Bellcore, USA) and
             M. Yung (IBM T. Watson, USA)

             RUMP SESSION
             -------------
             Chair: I. Ingemarsson     

20.00-24.00  Accepted paper: 
             Security in Digital Mobile Communication Systems,
             C. Park, K. Kurosawa, T. Okamoto and S. Tsujii (Tokyo
             Institute of Technology, Japan)


                     WEDNESDAY, May 26
                     -----------------

             SESSION 9 : HASH FUNCTIONS
             ---------------------------
             Chair: B. Preneel

 9.00- 9.20  One-Way Accumulators: A Decentralized Alternative to Digital
             Signatures, J. Benaloh and M. de Mare (Clarkson University, USA)
 9.20- 9.40  Some Attacks on the ARL Hash Function, I.B. Damgard and 
             L.R. Knudsen (Aarhus University, Denmark)
 9.40-10.10  Collisions for the Compression Function of MD5, B. den Boer and
             A. Bosselaers (ESAT, KU Leuven, Belgium)
10.10-10.30  How to Find and Avoid Collisions for the Knapsack Hash Function, 
             J. Patarin (Bull CP8, France)
  
10.30-11.00  Coffee or tea


             SESSION 10: PAYMENT SYSTEMS
             ---------------------------
             Chair: I.B. Damgard

11.00-11.20  Single Term Off-Line Coins, N.T. Ferguson (CWI Amsterdam,
             The Netherlands)
11.20-11.40  Improved Privacy in Wallets with Observers,
             R.J.F. Cramer (CWI Amsterdam, The Netherlands) and 
             T.P. Pedersen (Aarhus University, Denmark)
11.40-12.10  How to Prevent the Mafia Fraud Using Distance-Bounding Protocols,
             S. Brands and D. Chaum (CWI Amsterdam, The Netherlands)
           
12.10-14.00 Lunch
 

             SESSION 11: CRYPTANALYSIS
             --------------------------
             Chair: G.J. Simmons

14.00-14.20 On the Distribution of Characteristics in Bijective Mappings,
            L. O'Connor (University of Waterloo, Canada)
14.20-14.40 On the Security of the IDEA Block Cipher, 
            W. Meier (HTL, Switzerland)
14.40-15.10 Linear Cryptanalysis Method for DES Cipher,
            M. Matsui (Mitsubishi, Japan)
15.10-15.40 New Types of Cryptanalytic Attacks Using Related Keys, 
            E. Biham (Technion, Israel)

15.40-16.10 Coffee or tea
 

             SESSION 12 : PROTOCOLS II
             -------------------------
             Chair: P. Landrock

16.10-16.40  Reconciliation on a Secret Key Through Public Discussion,
             G. Brassard and L. Salvail (University of Montreal, Canada)
16.40-17.10  Global, Unpredictable Bit Generation Without Broadcast,
             D. Beaver and N. So (Penn State University, USA)
17.10-17.40  IACR Business meeting

==========================================================================

Newsgroup: sci.crypt
document_id: 15850
From: azoghlin@uxa.cso.uiuc.edu (Very Old Freshman (VOF))
Subject: Re: The [secret] source of that announcement

bear@tigger.cs.Colorado.EDU (Bear Giles) writes:
>I wish them luck in figuring out who "I" am based on that information.

>(They can probably figure out I'm liberal, with a technical degree
>but humanistic interests, from a common thread throughout my posts.
>But that describes a fair portion of the users of Internet).

Sounds like you are the brother of sibble to me. <hey that wasn't
nice> {Oh shut up, I'm posting now} [Both of you pipe down, or I
will take control of the arms and sock you in the mouth]



Newsgroup: sci.crypt
document_id: 15851
From: johne@vcd.hp.com (John Eaton)
Subject: Re: Suggestions for escrow agencies (was: Re: More technical details)

Paul Robichaux (robichau@lambda.msfc.nasa.gov) wrote:
: 
: As a private citizen, I would feel much more "secure in my person and
: papers" knowing that an organization committed to individual civil
: liberties- the ACLU and the NRA come to mind- was safeguarding half of
: my key. Both the ACLU and the NRA are resistant to government pressure
: by the simple expedient fact that they are not supported, funded, or
: overtly controlled by the government.
: --------------------------
That's one problem that has so far been overlooked. These two escrow
agencies will have to create a secure database and service the
input and output of Keys. Who pays for this? If they refuse an
illegal request from some congressman to deliver a key can their
budget be cut to punish them? Will congress be forced to fund
them forever?

The problem is that laws can change. Congress may pass a law setting
up an escrow agency with instructions that keys are private. Some
future congress may change that law. Suppose pre-nazi Germany had
a clipper system. Do you think the escrow agencies would have
told Hitler that he could not have the keys without a valid 
court order?

In effect you must set up escrow agencies as a fourth branch of
the government and isolate them from any outside interference. 
They will be able to directly tap into Federal funds with no
accountability to anyone except through a court challenge.

John Eaton
!hp-vcd!johne



Newsgroup: sci.crypt
document_id: 15852
From: cme@ellisun.sw.stratus.com (Carl Ellison)
Subject: Re: I have seen the lobby, and it is us

In article <1993Apr21.163929.21149@eff.org> A. Charles Gross <acg@eff.org> writes:
>The NRA is successful because (among a number of things), on the drop of
>a hat, they can get a congresspersons office flooded with postcards,
>faxes and phone calls.  Certainly, with our way-cool Internet powers of
>organization, we can act in the same way, if such action is appropriate.

I don't know about you, but I have nearly forgotten how to generate paper
mail.

If I had e-mail to Congress, I would have written many letters by now.
I haven't written one yet, as it turns out.  Writing on paper is such
a complicated job, for those of us hooked on our way-cool Internet.

-- 
 - <<Disclaimer: All opinions expressed are my own, of course.>>
 - Carl Ellison                                        cme@sw.stratus.com
 - Stratus Computer Inc.       M3-2-BKW                TEL: (508)460-2783
 - 55 Fairbanks Boulevard ; Marlborough MA 01752-1298  FAX: (508)624-7488

Newsgroup: sci.crypt
document_id: 15853
From: smb@research.att.com (Steven Bellovin)
Subject: Re: Off the shelf cheap DES keyseach machine (Was: Re: Corporate

In article <CMM.0.90.2.735554186.jon@gode.ifi.uio.no>, "Jon Ølnes" <jon@ifi.uio.no> writes:
> A person I know, belonging to a research lab of a private
> company, claimed to me during a private conversation that, given the
> equipment in his lab, he could crack a Kerberos ticket in 15 minutes to
> an hour. He had access to rather powerful DES hardware, but not of an
> extraordinary kind, I believe. The attack was possible because of the
> amount of known plaintext in the ticket, which itself constitutes a small
> message. This was two years ago.
> DES is no longer usable for encryption of really sensitive data. For a
> lot of purposes, however, it is still very adequate.

This sounds an awful lot like a password-guesser, not a weakness in
DES.  Merritt and I pointed out this weakness in Kerberos in a paper
that came out about 2.5 years ago, in both Computer Communications
Review and Usenix.  For that matter, it was loudly discussed on the
Kerberos mailing list even earlier.

The problem has nothing whatsoever to do with DES, and everything to do
with bad password selection.

I'm perfectly willing to believe that there are cryptanalytic attacks
possible on DES.  I'm quite dubious that private research labs know
them.  And the parameters of a brute-force attack are quite well
established; see, for example, the Garon and Outerbridge paper in the
July '91 Cryptologia.  You're not going to do it in an hour with only
``rather powerful DES hardware''.  I'll leave the arithmetic as an
exercise for the reader.  On average, you'll need to do 2^55 trials.
Pick your own parameters for how fast the DES engine runs, and for
how many such engines are used.

Newsgroup: sci.crypt
document_id: 15854
From: kliegel@key.amdahl.com (James Kliegel)
Subject: Crypto-PenPals

I came. I lurked. I read the FAQ.

Now having purchased the recommended books, and having taken to heart the advice that
one knows nothing about crypto without having done a stint as a cryptanalyst, I would like
to correspond with people interested in cryptology.

I am working on implementing the cryptanalyst's workbench example in Booch's OOD with
Applications. I hope to start sending ciphers back and forth so each of us can practice cracking
them.  I would like to start with simple Caesar's ciphers and progress roughly according to
David Kahn's book. Of course I would be interested in general discussions and math also.

I hope to have some foreign correspondents so that we can test the response time of the
"men in the suits" I've been hearing so much about. Unfortunately as a product of the American
education system I only know English.

Looking forward to any and all responses.

James
---
======================================================================
James M. Kliegel
kliegel@key.amdahl.com                                  (510) 623-3148
======================================================================


Newsgroup: sci.crypt
document_id: 15855
Subject: Re: I have seen the lobby, and it is us
From: a_rubin@dsg4.dse.beckman.com (Arthur Rubin)

In <1r9av2$bg6@transfer.stratus.com> cme@ellisun.sw.stratus.com (Carl Ellison) writes:

>In article <1993Apr21.163929.21149@eff.org> A. Charles Gross <acg@eff.org> writes:
>>The NRA is successful because (among a number of things), on the drop of
>>a hat, they can get a congresspersons office flooded with postcards,
>>faxes and phone calls.  Certainly, with our way-cool Internet powers of
>>organization, we can act in the same way, if such action is appropriate.

>I don't know about you, but I have nearly forgotten how to generate paper
>mail.

>If I had e-mail to Congress, I would have written many letters by now.
>I haven't written one yet, as it turns out.  Writing on paper is such
>a complicated job, for those of us hooked on our way-cool Internet.

That's what MCI Mail is for!  (CompuServe also has "CongressGrams" (TM).)

This is not intended as an advertisement; that really is what MCI Mail WAS
intended for (according to their ads).
--
Arthur L. Rubin: a_rubin@dsg4.dse.beckman.com (work) Beckman Instruments/Brea
216-5888@mcimail.com 70707.453@compuserve.com arthur@pnet01.cts.com (personal)
My opinions are my own, and do not represent those of my employer.

Newsgroup: sci.crypt
document_id: 15856
From: mgr@anhep3.hep.anl.gov (Dr. mike)
Subject: clipper/freedom/comments


-----BEGIN PGP SIGNED MESSAGE-----

Gasp!

I've just spent 3 hours catching up on sci.crypt here (slow reader I
guess) and I really have to put out a few comments too.  First, let me
flame the famous Dave S. : He's obviously only 10 years old.  Cut him
some slack. :^}

The joke about Clinton/crypto/drugs slammed me thru the roof.  Nice job
guys!  I've been working on marijuana legalization for over 5 years
now, Clinton's actions so far have really helped.  But because of
government action taken against various other groups, I have developed
a 64 bit DES based on public literature to protect my mailing list.
The S-boxes are the critical component, and since I chose 32 out of 57
based on the key, cracking this DES is going to tough.  (The reason it
slows you down a touch is that for each key you try you need to use a
different set of s-boxes, I know it's only a vector, but it sure makes
random search a pain).  Several marijuana legalization groups have had
their mailing lists confiscated when people were charged with drug
use/sales.  It's not a crime to be a member of a legalization org,
*but* you will be watched.

It really is important to write a letter to every official you
personally vote for to explain *why* your privacy is being destroyed by
the "cripple chip".  Amazingly enough they do listen when they get
*enough* mail.  The Doonesbury jokes about NRA postcards are real, and
the IMI (Illinois Marijuana Initiative) has grown to the point where we
*are* seeing some changes.

It's pretty clear that all the hullabaloo is really about the
implementation decision being made behind our backs.  As Vesselin
points out, this was common practice in communist regimes (and may be
again depending on how the vote goes).  But just as criminals have guns
and "law abiding" citizens don't, and criminals like me have marijuana
and "law abiding" subjects don't, criminals like me will have secure
crypto while "law abiding" robots don't.  PGP is nice, but as time goes
on we all can do better.  And to save our hides we will.

Someone posted an excerpt from Machiavelli.  He's my favorite dude.
500 years ago he saw clearly how people *are*, and tried to explain
that to "princes" who wanted people to *obey*.  One section not quoted
(I've got "The Prince" at home, so I'll just paraphrase :) ) had to do
with conquering a free city.  The only way is to *completely destroy*
it.  Failing that, you must appoint locals to high positions and accept
the people's customs.  Even after 100 years of oppression, a people
will remember their heritage and rise up to overthrow the oppressive
government.  And he gave an example.  And that was 300 years *before*
Thomas Jefferson.

There were questions about watching traffic.  Only *interesting* traffic
is watched: stuff that goes overseas and comes back; stuff with keywords
like marijuana, cryptography, NSA;  certain individuals who are known
subversives, etc.  It is easy enough to store all that traffic.  So if
you know how to be *subversive* i.e. how to be unseen, it's pretty easy
to go unnoticed for a long time.  The stronger your crypto system and the
less you're noticed, the better your chances of developing an organization
which can disseminate truth to the masses.

Which gets me to the thread about a "public encrypted conference".
That's just silly.  The first thing the feds do is send in an
infiltrator (like Dave S.) and they know what you're doing.  It will be
fun for teenagers and college students, but for the real world it's
pretty pointless.  Crypto is useful for more things than hiding where
you get your marijuana.

Guns, drugs and crypto do have some commonality: there are people in
government who want you to *obey* their rules.  As Lundquist says in
alt.drugs "Live free or don't".  Machiavelli pointed out that's just
how most people actually live, in spite of appearances to the contrary.
It's true that the decision to shove the clipper (not the same thing as
Intergraph's!!!) down our throats violates the principles of what the
U.S. was founded on, but the government is full of idiotic robots
called bureaucrats and there's less to worry about than one might
think.  Only really innocent (read naive) subjects of the U.S. will be
hurt by this, the rest of us *criminals* will live in secure freedom.
de Tocqueville pointed out 150+ years ago that the tyranny of the
majority will be mitigated by the mediocrity of the government.

And given what I see government officials doing where I work (Argonne
National Lab.) the level of stupidity makes Dave S. look smart.

Patience, persistence, truth,		work: dvader@hemp-imi.hep.anl.gov
Dr. mike				home: mrosing@igc.org

-----BEGIN PGP SIGNATURE-----
Version: 2.2

iQBVAgUBK9hETK3mm/E84rLHAQFV+gH9ExvzfXbNR4x0BTg2nQIxB5/ZMaxT289B
G4QjTsv8mszMrzU1DcJ8eLIQ37BwX53jATBH9U4B/biqmGKiPzHCmA==
=S3hf
-----END PGP SIGNATURE-----


Newsgroup: sci.crypt
document_id: 15857
From: wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705)
Subject: Re: Once tapped, your code is no good any more.

In article <strnlghtC5wHo2.1FK@netcom.com> strnlght@netcom.com (David Sternlight) writes:
   >I wouldn't think so.  Asking people to trust a secret algorithm seems
   >unsound to me.

   Maybe so, but it's quite common. There are millions of Macintosh users who
   have no idea what's in Apple's patented ROMs. Many have modems connected.
   How do you know all your business secrets aren't being stolen? Answer:
   1. Because you trust Apple;
   2. Because if any such attempt, however sophisticated, came out, it would
   destroy Apple's credibility forever.

Then there's also
3) Because it's NOT SECRET.  If I want to, I CAN go look at Apple's
copyrighted ROMs in a Mac, so they're not keeping any secrets.  
You don't even have to pry the top off the chip and use an electron microscope,
you just have to read the data in memory and see if you can figure out what it means.
(Motorola object code isn't all *that* obscure!)  
Yes, it's copyrighted, so I can't go selling copies, or using the copy myself,
but I CAN see it, and disassemble it.

4) They're not asking me to trust their honesty.  They're asking me to
trust the quality of their assembly language programming :-),
but I can see for myself what the performance, price, and crashes/day are.
NSA, an organization not known for its honesty or openness, 
is asking me to trust them with my privacy, but they won't trust me.  Feh!
--
#				Pray for peace;      Bill
# Bill Stewart 1-908-949-0705 wcs@anchor.att.com AT&T Bell Labs 4M312 Holmdel NJ
#	              No, I'm *from* New Jersey, I only *work* in cyberspace....
# White House Comment Line 1-202-456-1111  fax 1-202-456-2461

Newsgroup: sci.crypt
document_id: 15858
From: rdippold@qualcomm.com (Ron "Asbestos" Dippold)
Subject: Clipper Not Good Enough for Government?

There's been some discussion very recently as to whether the
government once again might exempt themselves from something they use
to screw us over...  Well, from comp.dcom.telecom:

From: lesreeves@attmail.com
Subject: Odds 'n Ends in the News

* The Clipper Chip device introduced yesterday by AT&T may not be
suitable for government use, says House Telecom Subcommittee Chairman
Markey.  In a letter to Commerce Secretary Brown, Markey asked whether
the use of the technology could lead to "inadvertently increased costs
to those U.S. companies hoping to serve both" the government and
private markets.  Markey has ordered Brown to answer several questions
about security and cost concerns by April 28.  (Communications Daily,
4/20/93)
-- 
Show me a guy who's afraid to look bad, and I'll show you a guy you can beat
every time. -- Renee Auberjonois

Newsgroup: sci.crypt
document_id: 15859
From: wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705)
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks  only

   In article <1993Apr22.223906.25929@lehman.com> pmetzger@snark.shearson.com (Perry E. Metzger) writes:
   >Qualcomm had spare cycles in the DSPs for their new CDMA digital
   >cellular phones. They wanted to put strong crypto into them since they
   >had the capacity. The government decided to "discourage" them.

   You're blowing smoke.  Qualcomm wants to sell to nice, lucrative overseas
   markets like Japan and the EC.  The government told them "don't do encryption
   if you ever hope to export this technology".  The reason that CDMA doesn't
   have encryption is NOT because the G-men came a'knocking at Qualcomm's door.
   It's because Qualcomm doesn't think that the US market for digital cellular
   is big enough for them.  This is just the International Traffic in Arms
   Regulations all over again.

Perry has already stated on the net that Qualcomm wanted to sell overseas, and
the government told them they wouldn't be allowed to export,
so he's only blowing the same smoke you are :-)
Sure, they probably could have made a US version, and a non-crypto
export version, and contracted with a Bulgarian or Japanese software house to
develop an overseas crypto ROM, but that's getting pretty expensive.

   No, Cylink sells their phones because they're willing to make different
   stuff for domestic use vs. export.  Qualcomm isn't.  So Cylink makes
   money--that's capitalism, comrade.

Well, some people like capitalism, and others prefer free enterprise;
they're different!  Using the government to stifle your competition is capitalist.

   >Someone out there WILL build a unit to do all this. Better yet,
   >perhaps someone will produce a package that turns any 486 box with a
   >sound card into a secure phone.
   "Someone" this and "someone" that.  If you think it's so easy, why are
   you whining on the net instead of getting your butt in gear and writing it?

Writing good crypto code is something most good programmers can do;
writing good new crypto algorithms is a very specialized skill.
Developing new voice coding algorithms is also pretty specialized,
but finding ways to implement the more complex ones when you don't
have enough horsepower is still fairly hairy stuff.
Once the 586/Pentium becomes widespread, or the next generation of
sound boards has DSPs on it, I suspect we'll see it happen.
Maybe the vanilla 486+Soundblaster is enough.
--
#				Pray for peace;      Bill
# Bill Stewart 1-908-949-0705 wcs@anchor.att.com AT&T Bell Labs 4M312 Holmdel NJ
#	              No, I'm *from* New Jersey, I only *work* in cyberspace....
# White House Comment Line 1-202-456-1111  fax 1-202-456-2461

Newsgroup: sci.crypt
document_id: 15860
From: wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705)
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks only

In article <strnlghtC5wJAG.46L@netcom.com> strnlght@netcom.com (David Sternlight) writes:
   Doug Holland claims Tom Clancy has provided the recipe for nuclear bombs.
   Clancy himself says he has omitted certain crucial steps. Further, how do we
   know Clancy knows, rather than repeating what he's read or been told in the
   unclassified domain?

On the other hand, when John Aristotle Phillips was a junior at Princeton
trying to keep from flunking physics by doing a terrific term paper,
his atom bomb design was good enough that it got classified.
A few of the steps were derived from social engineering 
(e.g. the name of the explosive), but it was fundamentally sound (and DID get an A.)
The Pakistan embassy also called him up trying to get a copy;
at the time they were lobbying the US government to get some nuclear
reactors for "purely non-military" electrical power generation.


--
#				Pray for peace;      Bill
# Bill Stewart 1-908-949-0705 wcs@anchor.att.com AT&T Bell Labs 4M312 Holmdel NJ
#	              No, I'm *from* New Jersey, I only *work* in cyberspace....
# White House Comment Line 1-202-456-1111  fax 1-202-456-2461

Newsgroup: sci.crypt
document_id: 15861
From: tuinstra@signal.ece.clarkson.edu.soe (Dwight Tuinstra)
Subject: Re: Organized Lobbying for Cryptography

In article hcs@transfer.stratus.com, cme@ellisun.sw.stratus.com (Carl Ellison) writes:
>
>To paraphrase, I may not agree with what you're encrypting, but I defend
>your right to encrypt it.
>

Great slogan!  I'm ready to sign up with a crypto-lobbying effort (though
I wouldn't want to do it through an NRA offshoot).  Shall we also push
for the CRA  -- Cryptographic Rights Amendment ??

+========================================================================+
|  dwight tuinstra             best:  tuinstra@sandman.ece.clarkson.edu  |
|                         tolerable:  tuinstrd@craft.camp.clarkson.edu   |
|                                                                        |
|        "Homo sapiens: planetary cancer??  ...  News at six"            |
+========================================================================+

Newsgroup: sci.crypt
document_id: 15862
From: gtoal@gtoal.com (Graham Toal)
Subject: Let's build software cryptophones for over the internet...

Well, after a lot of trawling through archives, I found the post
I reproduce in full below.  Is it time to get together to develop
a tcp/ip standard for crypto voice that we could then layer on
point-to-point SLIP as *the* free standard for crypto voice like
pgp is for mail?

(PS Note the date of this post.  Appropriate, huh? :-) )

---
From jpcampb@afterlife.ncsc.mil Thu Jul  9 11:50:11 1992
From: jpcampb@afterlife.ncsc.mil (Joe Campbell)
Newsgroups: comp.compression.research
Subject: Re: sound compression algorithms
Date: 4 Jul 92 14:46:04 GMT
Organization: The Great Beyond

In article <1992Jun26.165210.15088@sequent.com> lff@sequent.com (Lou Fernandez) writes:
>The techniques for production systems revolve around Code Excited Linear
>Prediction (CELP) algorithms which capture 20 ms or so of speech and
>attempt to match the speech with a combination of signals from a
>codebook, choosing the combination which minimizes the error....

In case you'd like to experiment with CELP, you can obtain a software
implementation of the 4800 bps Fed Std CELP coder for free:

The U.S. DoD's Federal-Standard-1016 based 4800 bps code excited linear
prediction voice coder version 3.2 (CELP 3.2) Fortran and C simulation source
codes are now available for worldwide distribution at no charge (on DOS
diskettes, but configured to compile on Sun SPARC stations) from:

Bob Fenichel
National Communications System
Washington, D.C.  20305
1-703-692-2124
1-703-746-4960 (fax)

In addition to the source codes, example input and processed speech files
are included along with a technical information bulletin to assist in
implementation of FS-1016 CELP.  (An anonymous ftp site is being considered
for future releases.)

Copies of the actual standard "Federal Standard 1016, Telecommunications:
Analog to Digital Conversion of Radio Voice by 4,800 bit/second Code
Excited Linear Prediction (CELP)" are available for $2.50 each from:

GSA Rm 6654
7th & D St SW
Washington, D.C.  20407
1-202-708-9205

The following articles describe the Federal-Standard-1016 4.8-kbps CELP
coder (it's unnecessary to read more than one):

Campbell, Joseph P. Jr., Thomas E. Tremain and Vanoy C. Welch,
"The Federal Standard 1016 4800 bps CELP Voice Coder," Digital Signal
Processing, Academic Press, 1991, Vol. 1, No. 3, p. 145-155.

Campbell, Joseph P. Jr., Thomas E. Tremain and Vanoy C. Welch,
"The DoD 4.8 kbps Standard (Proposed Federal Standard 1016),"
in Advances in Speech Coding, ed. Atal, Cuperman and Gersho,
Kluwer Academic Publishers, 1991, Chapter 12, p. 121-133.

Campbell, Joseph P. Jr., Thomas E. Tremain and Vanoy C. Welch, "The
Proposed Federal Standard 1016 4800 bps Voice Coder:  CELP," Speech
Technology Magazine, April/May 1990, p. 58-64.

For U.S. FED-STD-1016 (4800 bps CELP) _realtime_ DSP code
and information about products using this code, contact:

John DellaMorte
DSP Software Engineering
165 Middlesex Tpk, Suite 206
Bedford, MA  01730
1-617-275-3733
1-617-275-4323 (fax)
dspse.bedford@channel1.com

DSP Software Engineering's code can run on a DSP Research's Tiger 30 board
(a PC board with a TMS320C3x and analog interface suited to development work)
or on Intellibit's AE2000 TMS320C31 based 3" by 2.5" card.

DSP Research                Intellibit
1095 E. Duane Ave.          P.O. Box 9785
Sunnyvale, CA  94086        McLean, VA  22102-0785
(408)773-1042               (703)442-4781
(408)736-3451 (fax)         (703)442-4784 (fax)
-- 
.............................................................................
; Joe Campbell  N3JBC  jpcampb@afterlife.ncsc.mil  74040.305@compuserve.com ;
; My opinions are mine!   Happiness = Reality - Expectations, Click & Clack ;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Newsgroup: sci.crypt
document_id: 15863
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Suggestions for escrow agencies (was: Re: More technical details)

In article <C5y746.73K@vcd.hp.com> johne@vcd.hp.com (John Eaton) writes:

>That's one problem that has so far been overlooked. These two escrow
>agencies will have to create a secure database and service the
>input and output of Keys. Who pays for this? If they refuse an
>illegal request from some congressman to deliver a key can their
>budget be cut to punish them? Will congress be forced to fund
>them forever?
>

The easiest way is a user fee for each clipper chip manufactured. This makes
the funding separate from government.

It also has the neat side property that if the chip doesn't catch on, the
scheme breaks down, and the government is back to the drawing boards,
assuming that they haven't prohibited alternatives in the meantime.

In fact, maybe this should be part of the "official" system. Before the
government is allowed to move this past the "experimental" stage, they
should have to demonstrate economic viability by mass adoption. The
government is very fond of demonstration projects proving feasibility in the
use of government funds for social programs--they should have to make a
similar feasibility demonstration (on economic viability cum acceptance
terms) for this baby as well. Let's put it to the only vote that counts--a
marketplace vote among those who have to pay for it.

David

-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
document_id: 15864
From: whitaker@eternity.demon.co.uk (Russell Earl Whitaker)
Subject: MEETING: UK Cryptoprivacy Association

-----BEGIN PGP SIGNED MESSAGE-----

Meeting of the UK Cryptoprivacy Association
- -------------------------------------------

Saturday, 8 May 1993, 1500

To be held at the offices of:

  FOREST
  4th floor
  2 Grosvenor Gardens
  London  SW1W 0DH

This is located at the corner of Hobart Place, a couple of
blocks west of Victoria Station, and almost directly across from
the dark green cabbie shelter.

If you have trouble finding the place, please call the office on
071-823-6550.  Or, call me (Russell Whitaker) on my pager,
081-812-2661, and leave an informative message with the
telephone number where you can be reached; I will return the
call almost immediately.

Discussion will range from the usual general topics, such as the
use of secure public key cryptosystems to protect message data, to
specific topics, such as recent moves by the U.S. government
to restrict choice in data privacy (reference recent discussion
on Usenet groups, e.g. sci.crypt and alt.security.pgp).

All are invited.  Particularly welcome are members of the
newly-formed UK CommUnity group ... the local
EFF-in-spirit-if-not-in-name folks.

Those who plan to attend should email me and let me know.
Please.

All attendees are requested to bring diskettes - preferably
MS-DOS - with their PGP 2.+ public keys.  As is usual at these
gatherings, several of us will bring our laptops, and will sign
public keys, subject to the usual caveats (reference the
documentation for PGP 2.2, specifically files PGPDOC1.DOC and
PGPDOC2.DOC).

If you do not already have a copy of PGP 2.2 (MS-DOS), and would
like to have a copy of this public domain program, please bring
a formatted, medium or high density 3.5 inch floppy PC diskette;
you will be provided a copy of the program.

Of course, you might prefer to ftp a version of the program from
one of the various archive sites.  I suggest trying Demon
Internet Systems, which carries the full range of PGP (Phil
Zimmermann's "Pretty Good Privacy") implementations: directory
/pub/pgp at gate.demon.co.uk.

Meetings are of indeterminate time.  Those who are interested
are invited to join the rest of us at a pseudorandomly
determined pub afterwards.

Please note:
- ------------
In the past few months, interested people have emailed me,
requesting FAQs and special information mailings.  I regret
that, except in very unusual cases (e.g. working press), I
cannot, in a timely manner, respond to these requests.  I will,
however - and for the first time - do a writeup of this meeting,
which I will post in various places.

What I *am* willing to supply is general information on our
activities for the maintainers of existing FAQs, such as that
for alt.privacy.  FAQ maintainers can contact me at
whitaker@eternity.demon.co.uk

Russell Earl Whitaker                   whitaker@eternity.demon.co.uk
Communications Editor                                 AMiX: RWhitaker
EXTROPY: The Journal of Transhumanist Thought
Board member, Extropy Institute (ExI)
================ PGP 2.2 public key available =======================

-----BEGIN PGP SIGNATURE-----
Version: 2.2

iQCVAgUBK9bG/ITj7/vxxWtPAQG0/AQAmPQKQl7KNB43DyniRyuDu5tixStXd2F7
k5CiWNwN/u9ExZfptPgajwY91dsafX0H53RV5+lT8OSnvIx35QMmgBmPQOJCGnGj
ZUJ2eGiSvfuLtAmgMQtSLtJh5x/VXmUIl8SJHzrffIz3SjnKcENTzrQnGc7UdIQ6
x85InstiJzU=
=Y9GS
-----END PGP SIGNATURE-----


Newsgroup: sci.crypt
document_id: 15865
From: strnlght@netcom.com (David Sternlight)
Subject: Re: The [secret] source of that announcement

In article <1993Apr23.110149.29470@cs.aukuni.ac.nz> pgut1@cs.aukuni.ac.nz
(Peter Gutmann) writes:

>
>Something similar has happened to me - ages ago when we were working on PGP
>we used to send short messages about development issues or simply to test 
>new features around.  Now at this time PGP (and certainly the newer version)
>was unknown over here.  Suddenly the admin at the site I was using received
>a request that I stop sending encrypted email.  Now there is almost no way
>that some automatic scanner could have found this, since they wouldn't have
>known about PGP - they *must* have checked for unknown data types in the
>message, tried to unscramble it, found they couldn't get past the PEM
>armour part, and then contacted the sysadmin and asked me to stop.  Luckily
>the current email carriers are less picky about what goes over their
>networks :-).

Is the sending of encrypted traffic without government permission legal in
New Zealand?

David
-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
document_id: 15866
From: tomw@orac.asd.sgi.com (Tom Weinstein)
Subject: Re: REVISED TECHNICAL SUMMARY OF CLIPPER CHIP

In article <1993Apr21.192615.3465@guvax.acc.georgetown.edu>, denning@guvax.acc.georgetown.edu writes:

> Each chip includes the following components:

>    the Skipjack encryption algorithm
>    F, an 80-bit family key that is common to all chips
>    N, a 30-bit serial number (this length is subject to change)
>    U, an 80-bit secret key that unlocks all messages encrypted with the chip
[ ... ]

> To see how the chip is used, imagine that it is embedded in the AT&T
> telephone security device (as it will be).  Suppose I call someone and
> we both have such a device.  After pushing a button to start a secure
> conversation, my security device will negotiate an 80-bit session key K
> with the device at the other end.  This key negotiation takes place
> without the Clipper Chip.  In general, any method of key exchange can
> be used such as the Diffie-Hellman public-key distribution method.

> Once the session key K is established, the Clipper Chip is used to
> encrypt the conversation or message stream M (digitized voice).  The
> telephone security device feeds K and M into the chip to produce two
> values:

>    E[M; K], the encrypted message stream, and 
>    E[E[K; U] + N; F], a law enforcement field,
[ ... ]

> which are transmitted over the telephone line.  The law enforcement
> field thus contains the session key K encrypted under the unit key U
> concatenated with the serial number N, all encrypted under the family
> key F.  The law enforcement field is decrypted by law enforcement after
> an authorized wiretap has been installed.

One very interesting thing I notice about this is that the only use of
the chip key is to encode the session key for the law enforcement field.
It is not used at all by the encryption algorithm.

It seems like it would be possible to create a device that would be
otherwise compatible, but would send out a bogus law enforcement field.
This might render the device unusable with "normal" devices if there's
some sort of validation involving the law enforcement field, but it
could certainly be used with other such modified devices.

Of course, this is irrelevant if the NSA has a backdoor in the
algorithm, but it does make it possible to defeat the key escrow system.

--
Wilt thou seal up avenues of ill?  Pay every      |   Tom Weinstein
debt, as though God wrote the bill. -- Emerson    |   tomw@orac.esd.sgi.com
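The escrow structure quoted in this post can be checked by modelling it. The block below is an added example, not code from the post or from the Clipper programme: it uses the summary's own symbols (F, N, U, K, M and the field E[E[K; U] + N; F]), but Skipjack is not public, so E[.; key] is replaced by a stand-in keyed XOR stream derived from HMAC-SHA256, the 30-bit serial is packed into 4 bytes, and a small keyed checksum inside the field is an assumption added to show what "some sort of validation involving the law enforcement field" could look like on the receiving chip.

```python
"""Model of the Clipper escrow structure quoted above (constructed example).

Skipjack is not public, so E[.; key] below is a stand-in: XOR with an
HMAC-SHA256 keystream.  It keeps the algebra of the summary (the same call
encrypts and decrypts) but is NOT a secure cipher and NOT the real chip.
"""
import hashlib
import hmac
import os
from typing import Dict, Tuple

KEY_BYTES = 10     # F, U and K are 80 bits in the summary
SERIAL_BYTES = 4   # N is described as 30 bits; packed into 4 bytes here (assumption)
CHECK_BYTES = 2    # hypothetical LEAF checksum; the summary does not specify one


def E(data: bytes, key: bytes, label: bytes) -> bytes:
    """Stand-in for E[data; key].  Deterministic keystream, so applying it
    twice with the same key and label returns the original data."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def leaf_checksum(session_key: bytes, inner: bytes) -> bytes:
    """Hypothetical keyed check value so a receiver holding K and F can tell a
    well-formed field from a malformed one.  Assumption, not from the summary."""
    return hmac.new(session_key, inner, hashlib.sha256).digest()[:CHECK_BYTES]


class ClipperChip:
    """One chip: serial N, unit key U, and the family key F shared by all chips."""

    def __init__(self, serial: bytes, unit_key: bytes, family_key: bytes):
        assert len(serial) == SERIAL_BYTES and len(unit_key) == len(family_key) == KEY_BYTES
        self.N, self.U, self.F = serial, unit_key, family_key

    def encrypt(self, K: bytes, M: bytes) -> Tuple[bytes, bytes]:
        """Returns E[M; K] and the field E[E[K; U] + N (+ checksum); F]."""
        inner = E(K, self.U, b"unit") + self.N          # E[K; U] + N
        leaf = E(inner + leaf_checksum(K, inner), self.F, b"family")
        return E(M, K, b"msg"), leaf

    def leaf_is_valid(self, K: bytes, leaf: bytes) -> bool:
        """Receiver-side check: strip the family-key layer and verify the checksum.
        U is never needed here, which matches the observation in the post."""
        plain = E(leaf, self.F, b"family")
        inner, chk = plain[:-CHECK_BYTES], plain[-CHECK_BYTES:]
        return hmac.compare_digest(chk, leaf_checksum(K, inner))

    def decrypt(self, K: bytes, C: bytes, leaf: bytes) -> bytes:
        """Refuse to decrypt the stream unless the field validates."""
        if not self.leaf_is_valid(K, leaf):
            raise ValueError("law enforcement field failed validation")
        return E(C, K, b"msg")


def escrow_recover(leaf: bytes, family_key: bytes, unit_keys: Dict[bytes, bytes]) -> bytes:
    """What the escrow side does after an authorized tap: peel F, read N,
    look up the escrowed U for that serial, and recover the session key K."""
    plain = E(leaf, family_key, b"family")
    enc_k = plain[:KEY_BYTES]
    serial = plain[KEY_BYTES:KEY_BYTES + SERIAL_BYTES]
    return E(enc_k, unit_keys[serial], b"unit")


def demo() -> bool:
    """Two chips talk; the receiver validates the field; escrow recovers K."""
    F = os.urandom(KEY_BYTES)
    alice = ClipperChip((1).to_bytes(SERIAL_BYTES, "big"), os.urandom(KEY_BYTES), F)
    bob = ClipperChip((2).to_bytes(SERIAL_BYTES, "big"), os.urandom(KEY_BYTES), F)
    unit_keys = {alice.N: alice.U, bob.N: bob.U}   # the escrowed U values
    K = os.urandom(KEY_BYTES)                      # negotiated outside the chip
    M = b"digitised voice frame (constructed sample)"
    C, leaf = alice.encrypt(K, M)
    ok = bob.decrypt(K, C, leaf) == M and escrow_recover(leaf, F, unit_keys) == K
    # A field whose checksum byte has been altered is rejected by the receiver.
    damaged = leaf[:-1] + bytes([leaf[-1] ^ 1])
    return ok and not bob.leaf_is_valid(K, damaged)


if __name__ == "__main__":
    print("escrow model consistent:", demo())
```

The model makes the post's observation concrete: `leaf_is_valid` uses only F and the negotiated K, never U, so U's sole role is inside `escrow_recover`; and without the added checksum the receiving chip would have nothing in the field it could check at all.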

Newsgroup: sci.crypt
document_id: 15867
From: amanda@intercon.com (Amanda Walker)
Subject: Re: The [secret] source of that announcement

jebright@magnus.acs.ohio-state.edu (James R Ebright) writes:
> (I assume most of the time these guys sat around the office with their
> thumbs up their ass as there isn't that much stuff coming out of
> Columbus :) 

CompuServe is in Columbus, OH.  So are the corporate headquarters of several 
major insurance companies, the largest private R&D company in the world 
(Battelle Memorial Institute), DCSC (The Defense Construction & Supply 
Center), Ohio State University (one of the three largest US universities), 
OCLC (the Online College Library Center), and so on.  You'd be amazed, 
actually.

Columbus only *looks* like a cow town.


Amanda Walker
InterCon Systems Corporation



Newsgroup: sci.crypt
document_id: 15868
From: fw@world.std.com (forrest d whitcher)
Subject: SUMMARY: responses / research on oracle password security

My original post was:

>I am building an oracle v6 database to serve as a repository for
>information which is considered proprietary or confidential. As such
>I want to verify the security of oracle passwords and apply some of
>the same security checking techniques we use on our *nix systems.
>Specifically I would like to use Crack, or something like it to check
>the encrypted data for easily guessed passwords.
>
>The use of 'Crack' would depend on oracle using the unix password
>encryption scheme, does anyone know if this is the case, or what
>method is used?
>
>Any other methods for security checking / audit in the oracle
>environment would be much appreciated.

This article will just scratch the surface of a few security
considerations, comments are requested. (email: fw@world.std.com)
My thanks to the people who responded, both on usenet and from
Oracle Corp.

The most common response was to suggest use of oracle audit 
features or OPS$ passwords to control access (opinion on OPS$
included suggestions to use and not use). I was also advised to 
use table views to refine the granularity of access control.

One important security consideration in networked installations
is that OPS$ accounts presume that the client host provides user
authentication. OS/2 server OPS$ users are only as secure as the 
_least_ secure machine on the network. Hence you should probably 
not define any OPS$ accounts on systems with PC's, or limit access 
of OPS$ accounts to data with no security concerns. Unix oracle 
servers provide for disabling OPS$ access over the network (orasrv
option), while relying on host security for local processes. 

Internally Oracle provides powerful and well documented (sic) 
audit mechanisms which the DBA will use to monitor system and
data access. These tools can be used to track the primary security
risks from within the Oracle environment.

Oracle password security is based on a proprietary usage of DES
encryption. Oracle Corp. states that the algorithm is not prone
to cleartext attack. This is a difficult claim to substantiate 
since the algorithm is unknown. The concern here is that users may
choose easily guessed passwords. _If_ a cracker can gain access
to your oracle database files through the host operating system,
s/he could extract the 'cyphertext' password data and apply
cryptanalysis techniques to learn the users' passwords.

As security risks go, the above scenario is pretty low severity.
Certainly once an intruder has access to the raw database files,
s/he can access the data in them. If a cracker _could_ break
the passwords, however, s/he could do substantial damage without
alerting the auditing mechanisms, and leaving an audit trail
which would point to valid users. At present Oracle (like Unix)
provides no native means of ensuring that passwords are not 
guessable. 

As with all computer security, the most important defense is to 
educate users in the safe choice of passwords. These techniques
are well discussed in internet rfc#1281 and the Crack manual, 
(both available from ftp archive servers) and, UNIX(R) System 
Security (Curry, David A. - Addison-Wesley 1992) 



Forrest Whitcher                 fw@world.std.com
Boston Scientific Corp.          Watertown MA
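The summary's closing point, that neither Oracle nor Unix natively stops guessable passwords, is usually met by checking a candidate password at the moment it is set rather than running Crack over stored hashes later. The block below is an added example of such a proactive check; it is not Oracle's or Crack's code, its word list is a tiny constructed sample in place of a real dictionary file, and the rules (minimum length, two character classes, no username, no dictionary word under common disguises) are one reasonable policy chosen for illustration.

```python
"""Proactive password-quality check (constructed example, not Oracle's or Crack's).

Applies the kind of guessability tests Crack would find after the fact, but at
the moment the password is chosen, so a weak one is never stored.
"""
import re
from typing import List

# Tiny constructed sample; a real check loads a full dictionary, as Crack does.
DICTIONARY = {
    "password", "oracle", "secret", "welcome", "manager", "tiger",
    "system", "database", "letmein", "admin", "qwerty",
}

# Common letter/symbol substitutions, undone before the dictionary lookup.
LEET = str.maketrans("0143$5@7", "oiaessat")


def normalized_forms(password: str) -> set:
    """Variants of the password a guesser would try: lower-cased, substitutions
    undone, leading/trailing digits and punctuation stripped, and reversed."""
    base = password.lower()
    forms = {base, base.translate(LEET)}
    for form in list(forms):
        stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", form)
        forms.update({stripped, stripped[::-1]})
    forms.discard("")
    return forms


def character_classes(password: str) -> int:
    """Number of distinct classes (lower, upper, digit, other) present."""
    tests = [str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum()]
    return sum(any(test(c) for c in password) for test in tests)


def check_password(password: str, username: str, min_length: int = 8) -> List[str]:
    """Returns the reasons a password should be rejected; an empty list means OK."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if character_classes(password) < 2:
        reasons.append("uses only one class of character")
    forms = normalized_forms(password)
    user = username.lower()
    if user in forms or user[::-1] in forms:
        reasons.append("based on the username")
    if forms & DICTIONARY:
        reasons.append("based on a dictionary word")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw, user in [("p@ssw0rd", "scott"), ("Tiger123", "scott"),
                     ("scott42", "scott"), ("Kx7#pLq9!vR2", "scott")]:
        print(f"{pw!r}: {check_password(pw, user) or 'acceptable'}")
```

The normalisation step is what gives the check its value: "p@ssw0rd" and "Tiger123" both pass a naive length-and-mixed-characters rule yet collapse to plain dictionary words once substitutions and trailing digits are undone, which is exactly the class of password a dictionary run would recover.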

Newsgroup: sci.crypt
document_id: 15869
From: uni@acs.bu.edu (Shaen Bernhardt)
Subject: Re: Once tapped, your code is no good any more.

In article <strnlghtC5wHo2.1FK@netcom.com> strnlght@netcom.com (David Sternlight) writes:
>In article <a_rubin.735496128@dsg4.dse.beckman.com>
>a_rubin@dsg4.dse.beckman.com (Arthur Rubin) writes:
>
>>I wouldn't think so.  Asking people to trust a secret algorithm seems
>>unsound to me.
>
>Maybe so, but it's quite common.

Not when you're talking about cryptography.

>There are millions of Macintosh users who
>have no idea what's in Apple's patented ROMs. Many have modems connected.
>How do you know all your business secrets aren't being stolen? Answer:
>1. Because you trust Apple;

Think again.  You won't see me using Apple's new signature from the
finder feature.

>2. Because if any such attempt, however sophisticated, came out, it would
>destroy Apple's credibility forever.

This analogy fails in its assumption that the government gives two
squirts about credibility.


In addition, Apple's proclaimed purpose in releasing the Macintosh wasn't
surveillance.

Quite the opposite:
"On January 24, Apple will introduce.... Macintosh, and you'll see why
1984 won't be, like '1984'"

So don't give me any bullshit analogies about how we trust coke not to
put mind control drugs in every can to get us to buy more.


>In the Clipper case, a representative body of experts is going to be allowed
>to audit it, and we'll have assurances (maybe even from the President) that
>other than the escrowed keys there are no back doors. While some may not
>have confidence in that (I am not among them), it's a lot more assurance
>than we get for many things we routinely trust in everyday life.

One of the reasons we should be all the more suspicious.  When was the
last time the president wasted his time to comfort Americans?
Just another reason to look closely at exactly what's going on.

>David
>-- 
>David Sternlight         Great care has been taken to ensure the accuracy of
>                         our information, errors and omissions excepted.  

uni@acs.bu.edu
-- 
uni@acs.bu.edu  ->  Public Keys by finger and/or request
Public Key Archives: <pgp-public-keys@pgp.iastate.edu> 
Sovereignty is the sign of a brutal past.<>Fight Clinton's Wiretap Chip!
DF610670F2467B99 97DE2B5C3749148C <> Crypto is not a Crime! Ask me how!

Newsgroup: sci.crypt
document_id: 15870
From: holland@CS.ColoState.EDU (douglas craig holland)
Subject: What would happen if export restrictions violated?


OK, I heard a lot of talk about the NSA's infamous control over encryption
export through the ITAR.  Here's a question.  Say I develop this great new
encryption system, and I want to sell my software worldwide.  The thought
police then come in and say "This algorithm is a threat to national security.
You will not be permitted to export it."  At this point, what kind of trouble
could I get into if I ignored the ITAR and sold my program to international
customers anyway?

Doug Holland

-- 
|  Doug Holland                | Anyone who tries to take away my freedom  |
|  holland@cs.colostate.edu    | of speech will have to pry it from my     |
|  PGP key available by E-mail | cold, dead lips!!                         |

Newsgroup: sci.crypt
document_id: 15871
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

In article <MJS.93Apr22194125@behemoth.genetics.wisc.edu>
mjs@behemoth.genetics.wisc.edu (Mike Schmelzer) writes:

>
>>>	Let me ask you this.  Would you trust Richard Nixon with your
>>>crypto keys?  I wouldn't.
>
>> I take it you mean President Nixon, not private citizen Nixon. Sure.
>> Nothing I'm doing would be of the slightest interest to President Nixon .
>
>Mr. Sternlight, your naivete and historical ignorance is appalling.
>
>[ History lesson detailing 1968-74 deleted. ]

Nonsense! I wasn't asked if Larry O'Brien should trust Nixon with his keys,
but whether I would.

David
-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
document_id: 15872
From: strnlght@netcom.com (David Sternlight)
Subject: Re: THE CLIPPER CHIP: A TECHNICAL SUMMARY


Pat Myrto says if law enforcement wants keys, let them get a court order and
then ask him for them.

Most use of probably cause wiretapping warrants isn't to decrypt historical
traffic, but for prospective listening once probably cause is established.
Pat's approach would tip off the crooks.

David
-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
document_id: 15873
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: A Parable.

scottmi@microsoft.com (Scott Miller (TechCom)) writes:
>Stikes me that all this concern over the government's ability
>to eavesdrop is a little overblown... what can't they do today?
>My understanding is that they already can tap, listen, get access
>exc. to our phone lines, bank records, etc. etc again.

Well, they can't listen in on much of mine, since I already use
cryptography for much of my electronic mail, and will start using it
for my telephony as soon as practical.

However, allow me to tell a parable.

There was once a far away land called Ruritania, and in Ruritania
there was a strange phenomenon -- all the trees that grew in
Ruritania were transparent. Now, in the days when people had lived in
mud huts, this had not been a problem, but now high-tech wood
technology had been developed, and in the new age of wood, everyone in
Ruritania found that their homes were all 100% see through. Now, until
this point, no one ever thought of allowing the police to spy on
someone's home, but the new technology made this tempting. This being
a civilized country, however, warrants were required to use binoculars
and watch someone in their home. The police, taking advantage of this,
would get warrants to use binoculars and peer in to see what was going
on. Occasionally, they would use binoculars without a warrant, but
everyone pretended that this didn't happen.

One day, a smart man invented paint -- and if you painted your house,
suddenly the police couldn't watch all your actions at will. Things
would go back to the way they were in the old age -- completely
private.

Indignant, the state decided to try to require that all homes have
video cameras installed in every nook and cranny. "After all", they
said, "with this new development crime could run rampant. Installing
video cameras doesn't mean that the police get any new capability --
they are just keeping the old one."

A wise man pointed out that citizens were not obligated to make the
lives of the police easy, that the police had survived all through the
mud hut age without being able to watch the citizens at will, and that
Ruritania was a civilized country where not everything that was
expedient was permitted. For instance, in a neighboring country, it
had been discovered that torture was an extremely effective way to
solve crimes. Ruritania had banned this practice in spite of its
expedience. Indeed, "why have warrants at all", he asked, "if we are
interested only in expedience?"

A famous paint technologist, Dorothy Quisling, intervened however. She
noted that people might take photographs of children masturbating
should the new paint technology be widely deployed without safeguards,
and the law was passed.

Soon it was discovered that some citizens would cover their mouths
while speaking to each other, thus preventing the police from reading
their lips through the video cameras. This had to be prevented, the
police said. After all, it was preventing them from conducting their
lawful surveillance. The wise man pointed out that the police had never
before been allowed to listen in on people's homes, but Dorothy
Quisling pointed out that people might use this new invention of
covering their mouths with veils to discuss the kidnapping and
mutilation of children. No one in the legislature wanted to be accused
of being in favor of mutilating children, but then again, no one
wanted to interfere in people's rights to wear what they liked, so a
compromise was reached whereby all homes were installed with
microphones in each room to accompany the video cameras. The wise man
lamented few if any child mutilations had ever been solved by the old
lip reading technology, but it was too late -- the microphones were
installed everywhere.

However, it was discovered that this was insufficient to prevent
citizens from hiding information from the authorities, because some of
them would cleverly speak in languages that the police could not
understand. A new law was proposed to force all citizens to speak at
all times only in Ruritanian, and, for good measure, to require that
they speak clearly and distinctly near the microphones. "After all",
Dorothy Quisling pointed out, "they might be using the opportunity to
speak in private to mask terrorist activities!"  Terrorism struck
terror into everyone's hearts, and they rejoiced at the brilliance of
this new law.

Meanwhile, the wise man talked one evening to his friends on how all
of this was making a sham of the constitution of Ruritania, of which
all Ruritanians were proud. "Why", he asked, "are we obligated to
sacrifice all our freedom and privacy to make the lives of the police
easier? There isn't any real evidence that this makes any big dent in
crime anyway! All it does is make our privacy forfeit to the state!"

However, the wise man made the mistake of saying this, as the law
required, in Ruritanian, clearly and distinctly, and near a
microphone.  Soon, the newly formed Ruritanian Secret Police arrived
and took him off, and got him to confess by torturing him. Torture
was, after all, far more efficient than the old methods, and had been
recently instituted to stop the recent wave of people thinking obscene
thoughts about tomatoes, which Dorothy Quisling noted was one of the
major problems of the new age of plenty and joy.

--
Perry Metzger		pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
document_id: 15874
From: strnlght@netcom.com (David Sternlight)
Subject: Re: New Encryption Algorithm


Arthur Melnick posts an interesting first-hand message about his NEA
algorithm. Though I have no reason to disbelieve anything he says, I want to
clarify one point:

He says he has no connection with the NSA. If he was part of an "NSA plot",
of course he'd say that.

Now I don't think he is. But the level of some discussion here is of that
sort, and very quickly we reach the point where it's impossible to continue
rationally discussing some issues.

"I am not a crook"

"Well, if you were, of course you'd say that"


or the ever popular favorite:

"Please prove the following negative."

I don't know what to do with such messages, so I have taken to ignoring
them.

Comments?

David
-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
document_id: 15875
From: strnlght@netcom.com (David Sternlight)
Subject: Re: THE CLIPPER CHIP: A TECHNICAL SUMMARY


For some reason my fingers want to type "probably" cause whenever I want to
say "probable" cause. Sorry for any confusion in the previous message.

David
-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
document_id: 15876
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Once tapped, your code is no good any more.

In article <116664@bu.edu> uni@acs.bu.edu (Shaen Bernhardt) writes:


>
>So don't give me any bullshit analogies about how we trust coke not to
>put mind control drugs in every can to get us to buy more.

Shhh--coke drinkers haven't found out about Phosphoric Acid yet.

:-)

David
-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
document_id: 15877
From: eachus@spectre.mitre.org (Robert I. Eachus)
Subject: Re: Can DES code be shipped to Canada?

In article <strnlghtC5wKrt.6JA@netcom.com> strnlght@netcom.com (David Sternlight) writes:

   > I believe it is illegal to send any cryptographic code out of the
   > country without an export license. (Others will correct me if
   > this is inaccurate.)

   Glad to!  You are correct, it is illegal to send cryptographic
code (and lots of other things) out of the country without a license.
HOWEVER, every US citizen has a general export license, allowing
export of lots of things, including constitutionally protected speech.
This has the effect that it is legal for US citizens to export some
things which it is illegal for a US corporation to export without
first obtaining a license.

   > Dunno if you'd get one for the particular code you have; the only
   > way to find out is to apply for a license.

   Nope, talk to a good lawyer in the area of export law.  But, in
general, the government has to have a very good national security case
to try to prevent the export of anything you personally might wish to
publish.  (Yes, I worded that the way I did intentionally.  It is a
lot easier for the government to TRY to prevent the export of
information than to charge someone with a crime after the fact.
Espionage is probably the only exception.)

   > Note that you need to distinguish between what is legal to send
   > to Canada if YOU have such a license, and what is legal to send
   > if you don't.

    If you are a US citizen, you have a general license.  (I am not a
lawyer, so take some of this with a grain of salt.  However, I have
also had to swim through both ITAR and export regs in a few cases.)

--

					Robert I. Eachus

with Standard_Disclaimer;
use  Standard_Disclaimer;
function Message (Text: in Clever_Ideas) return Better_Ideas is...

Newsgroup: sci.crypt
document_id: 15878
From: pvr@wang.com ()
Subject: Crypto File System reference?

   A while ago there was a reference to a paper on a crypto file
system (CFS) given by someone at AT&T (?).   How can I
get a copy?   Is it available on the net?   Was it published?
Who was the author?

   Thanks
   
--
-->>>>>>>>>> Peter Reilley ..... pvr@wiis.wang.com ..... KA1LAT <<<<<<<<<<<--
                     Well, that about says it.

Newsgroup: sci.crypt
document_id: 15879
From: andersom@spot.Colorado.EDU (Marc Anderson)
Subject: Re: **Sorry folks** (read this)

In article <C5w9qw.5pB@acsu.buffalo.edu> mckee@cs.Buffalo.EDU (Douglas McKee) writes:
>In article <1993Apr22.014646.28445@ucsu.Colorado.EDU>, andersom@spot.Colorado.EDU (Marc Anderson) writes:
>|> In article <1993Apr21.001707.9999@ucsu.Colorado.EDU> andersom@spot.Colorado.EDU (Marc Anderson) writes:
>|> [...]
>|> >(the date I have for this is 1-26-93)
[...]
>|> >        WASHINGTON (UPI) -- The War on Drugs is about to get a fresh
[...]
>|> I just found out from my source that this article was a joke.  Heh heh..  
>|> It seemed pretty damn convincing to me from the start -- I just didn't
>|> notice the smiley at the end of the article, and there were a few other
>|> hints which I should have caught.
>
>Well, isn't this just a hoot! :)  All I read on this group is a bunch
>of ppl fearing the misuses of information by the big bad evil govt.
>This just happens to be a case of an ordinary-joe-netter, who decided
>that he would create and/or distribute some misinformation.  Ppl buy
>into BS posts like this (I know, because I forwarded a copy of the
>post to my office mate, who turned around and was (although he won't
>admit it...sorry Joe!) ready to get in a fight about F-O-R-F-E-I-T-U-R-E!!!)
>Please, if we're going to hold our govt (which admittedly has had and
>still has its problems) to high standards, then mustn't we follow these
>too?  Electronic Freedoms only go so far.

Again -- I'm extremely sorry about this..  I got this message several 
months ago (quite a bit before the clipper chip proposal) when it was posted
to a different newsgroup.  It was very startling to me as well, and I guess
I should have verified the source at least to some extent before reposting..

Aaack..  

-marc

Newsgroup: sci.crypt
document_id: 15880
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks only

jfc@athena.mit.edu (John F Carr) writes:
>	pmetzger@snark.shearson.com (Perry E. Metzger) writes:
>>Well, I'm not a lawyer, but from what I can tell this is completely
>>and utterly untrue.
>
>>The U.S. does NOT have an official secrets act. We do have laws that
>>will punish you for revealing what classified information you learned
>>in your capacity as a government official, contractor, etc, and we
>>have laws that prohibit stealing such information. However, if they
>>sell you the chip, I can't see that they can make reverse engineering
>>it and revealing the details illegal.
>
>In most cases information you come by properly is yours to use as you wish,
>but there are certainly exceptions.  If you write a paper which includes
>sufficiently detailed information on how to build a nuclear weapon, it is
>classified.  As I understand the law, nuclear weapons design is
>_automatically_ classified even if you do the work yourself.  I believe you
>are then not allowed to read your own paper.

Oh? What about the precedent in which nuclear weapons information was
published in "The Progressive"? I was under the impression that the
court held that prior restraint could NOT be used. Any lawyers out
there?

--
Perry Metzger		pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
document_id: 15881
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: Is this overreaction?

jhan@debra.dgbt.doc.ca (Jerry Han) writes:
>As one of the happily sleeping people, I would just like to ask this->
>aren't people just slightly overreacting to this?  Or are we all of a
>sudden going to draw parallels to Nazi Germany and Communist Russia?
>
>The point of the matter is that; yes this is a serious problem.  But it is
>not the end of the world.  Guess what?  We're doing something now you
>can't do in a Communist country or Nazi Germany.  We're complaining about
>it, (or rather, you're complaining about it) and nobody is shooting at us.  

We would like to keep it that way. That's the point. By reacting
strongly and forcefully now, we will assure that we continue to remain
free. You cannot overreact to a threat like this. The worst that
happens if we overreact is that we waste time and effort. The worst that
happens if we underreact is tyranny. I prefer overreaction myself.

>GUESS WHAT PEOPLE?  You live in one of the few countries in the world
>where a person can complain without getting shot at.  

Doesn't that tell you how precious and hard to maintain freedom is?

Only through centuries of overreaction have we managed to maintain
ourselves in this state of even moderate freedom. I suggest that
overreacting now and in the future is a good thing.

--
Perry Metzger		pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
document_id: 15882
From: C445585@mizzou1.missouri.edu (John Kelsey)
Subject: How to make the Clipper chip and wiretapping less bad

   I've got an idea that would remove most of the political complaints
I have about the Clipper chip.  Pass a law stating that if, within a
year of performing a wiretap on someone, a police agency hasn't
managed to convict the suspect of the crime the warrant/wiretap was for,
then that agency owes the suspect $1 million to repay him/her for
lost privacy.
   Of course, there are *still* problems with the technical aspects of
Clipper, and with the one-size-fits-all mentality that would be behind
an attempt to enforce it as a standard.  But this would be a way for
those in favor of allowing continued wiretaps to assure us that it will
only be used in cases where the crime is important and the police are
all but certain that there really will be a conviction....
 
   --John Kelsey

Newsgroup: sci.crypt
document_id: 15883
From: niteowl@stein2.u.washington.edu (Jamie Jamison)
Subject: Re: Wiretapping reality today

strnlght@netcom.com (David Sternlight) writes:


>Some of the messages here seem to reflect the view that the government is
>listening in on everything and one will have to hide one's clipper messages
>somehow if non-escrowed crypto goes away.

>A little perspective might be in order.

>The number of court ordered wire taps is pretty low. Law enforcement has to
>present pretty good evidence to get even that limited number of
>authorizations.

>Thus the overwhelming majority of conversations are neither tapped nor
>recorded by the government, and for that to happen they have to:
>a) Have a pretty good reason, with evidence;
>b) Use this sparingly on highest priority "pretty good reasons."

>Though the system may be imperfect, it is a long way from the horror stories
>some here seem to believe or anticipate.

>-- 
>David Sternlight         Great care has been taken to ensure the accuracy of
>                         our information, errors and omissions excepted.  

	Again we have the trust in government problem here. Members of 
Mr. Sternlight's generation trust the government to a degree which
members of my generation find ridiculous. I would suggest that Mr. Sternlight
read about the COINTELPRO program, or about J. Edgar Hoover, or about
the wire-tapping of Martin Luther King, then, after he has digested this
information he can ponder the fact that while the government does not
tap every conversation that they have a record of tapping many conversations
that they have no right to, even under their own laws. Given the long
history of members of the US government ignoring the laws that apply
to them, it is no wonder that so many people in here sound so paranoid, and
given the fact that it is often difficult or impossible to punish these
individuals once they are discovered, it is no wonder that so many people
in here have so little faith in the escrow proposal for Clipper.




Jamie Jamison

Newsgroup: sci.crypt
document_id: 15884
From: burt@chirality.rsa.com (Burt Kaliski)
Subject: Pseudocollisions in MD5

Following is a short note commenting on den Boer and Bosselaers'
recent work on the MD5 message-digest algorithm. Feel free to email
questions or further comments.

-- Burt Kaliski
RSA Laboratories
----------------------------------------------------------------------
\documentstyle[12pt]{article}
\begin{document}

\title{On ``Pseudocollisions'' in the MD5 Message-Digest Algorithm}
\author{Burton S. Kaliski Jr. \\
{\tt burt@rsa.com} \and
Matthew J.B. Robshaw \\
{\tt matt@rsa.com} \and
RSA Laboratories \\
100 Marine Parkway \\
Redwood City, CA  94065}
\date{April 23, 1993}

\maketitle

A message-digest algorithm maps a message of arbitrary length to a
``digest'' of fixed length, and has three properties: Computing the
digest is easy, finding a message with a given
digest---``inversion''---is hard, and finding two messages with the
same digest---``collision''---is also hard. Message-digest algorithms
have many applications, including digital signatures and message
authentication.

RSA Data Security's MD5 message-digest algorithm, developed by Ron
Rivest \cite{rfc-md5}, maps a message to a 128-bit message digest.
Computing the digest of a one-megabyte message takes as little as a
second.  While no message-digest algorithm can yet be {\em proved}
secure, MD5 is believed to be at least as good as any other that maps
to a 128-bit digest.  Inversion should take about $2^{128}$
operations, and collision should take about $2^{64}$ operations.  No
one has found a faster approach to inversion or collision.

Recent work by den Boer and Bosselaers \cite{den-boer-md5} presents
a special kind of ``pseudocollision'' in MD5's
internal compression function, which maps
a 512-bit message block $x$ and a
128-bit input state $s$ to a 128-bit output
state. They show how to find a message block $x$
and two related input states $s_1$ and $s_2$ that yield the same
output state: $f(x,s_1) = f(x,s_2)$. Their well-thought-out approach
exploits structural properties of the collision function to find
a pseudocollision in about $2^{16}$ operations, much less than one
would expect.

Practical implications of this pseudocollision work to the security of
MD5 are not evident. While a real collision in MD5 implies a
pseudocollision (or a ``pseudo-inversion''), a
pseudocollision need not imply a real collision. Indeed, a real
collision, since it involves two different messages, would almost
always involve {\em different} message blocks $x_1$ and $x_2$ such that
$f(x_1,s_1) = f(x_2,s_2)$, but the pseudocollisions have the same
message blocks. Moreover, the input states $s_1$ and $s_2$ would
generally be unrelated, but the pseudocollisions' input states are
the same except for four bits.  There does not seem to be any way to
extend den Boer and Bosselaers' approach to anything beyond the
special pseudocollisions, a limitation they readily admit.

It is reasonable, therefore, to believe that MD5 remains secure. While den
Boer and Bosselaers have found interesting structural properties in
MD5, the properties seem only to lead to special pseudocollisions
and not anything approaching real collisions. Further research, of
course, will give a better understanding of the strengths of MD5 and
other message-digest algorithms, with the eventual hope that
such algorithms can, in some sense, be proved secure.

\bibliographystyle{plain}
\begin{thebibliography}{1}

\bibitem{den-boer-md5}
Bert den~Boer and Antoon Bosselaers.
\newblock Collisions for the compression function of {MD5}.
\newblock In {\it Advances in Cryptology --- Eurocrypt '93}, 1993.
\newblock Preprint.

\bibitem{rfc-md5}
R.L. Rivest.
\newblock {\it {RFC} 1321: The {MD5 Message-Digest Algorithm}}.
\newblock Internet Activities Board, April 1992.

\end{thebibliography}

\end{document}
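
As an added example (not code from Kaliski and Robshaw's note or from RSA Laboratories), here is the compression function $f(x,s)$ of RFC 1321 in Python, with small helpers for the two conditions the note keeps apart: a pseudocollision (one block $x$, two input states differing in a few bits, same output state) and a real collision (two different messages, same digest). The function names are my own and the sample block and states are constructed; the note gives no concrete pseudocollision values, so the helpers verify candidates rather than find them.

```python
"""MD5 compression function f(x, s) of RFC 1321, plus helpers for the two
conditions the note distinguishes.  Added example, not code from the note or
from RSA Laboratories; all function names here are my own."""
import hashlib
import math
import struct

MASK = 0xFFFFFFFF
# Per-step rotation amounts and additive constants K[i] = floor(|sin(i+1)| * 2^32).
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
K = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK for i in range(64)]
# Standard initial state (the "IV") used by the full hash.
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)


def rotl(v, c):
    return ((v << c) | (v >> (32 - c))) & MASK


def compress(x, s):
    """f(x, s): 512-bit block x (64 bytes) and 128-bit state s (4 words) -> new state."""
    if len(x) != 64:
        raise ValueError("block must be exactly 64 bytes")
    m = struct.unpack("<16I", x)
    a, b, c, d = s
    for i in range(64):
        if i < 16:            # round 1: F(b,c,d), message word i
            f, g = (b & c) | (~b & d), i
        elif i < 32:          # round 2: G(b,c,d)
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:          # round 3: H(b,c,d)
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:                 # round 4: I(b,c,d)
            f, g = c ^ (b | (~d & MASK)), (7 * i) % 16
        f = (f + a + K[i] + m[g]) & MASK
        a, d, c, b = d, c, b, (b + rotl(f, S[i])) & MASK
    # Feed-forward: add the input state back into the round output.
    return tuple((u + v) & MASK for u, v in zip(s, (a, b, c, d)))


def pad(msg):
    """RFC 1321 padding: 0x80, zeros to 56 mod 64, then the 64-bit LE bit length."""
    bitlen = (8 * len(msg)) & 0xFFFFFFFFFFFFFFFF
    msg = msg + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    return msg + struct.pack("<Q", bitlen)


def md5_hex(msg):
    """Full MD5: chain f over the padded blocks starting from IV."""
    s = IV
    padded = pad(msg)
    for off in range(0, len(padded), 64):
        s = compress(padded[off:off + 64], s)
    return struct.pack("<4I", *s).hex()


def matches_hashlib(msg):
    """Sanity check of compress() and pad() against the standard library."""
    return md5_hex(msg) == hashlib.md5(msg).hexdigest()


def state_distance(s1, s2):
    """Number of bits in which two 128-bit states differ."""
    return sum(bin(u ^ v).count("1") for u, v in zip(s1, s2))


def is_pseudocollision(x, s1, s2):
    """den Boer/Bosselaers condition: one block x, two distinct input states,
    same output state.  The note gives no concrete values, so this only
    verifies a candidate; it does not search for one."""
    return s1 != s2 and compress(x, s1) == compress(x, s2)


def is_collision(m1, m2):
    """A real collision: two different messages with the same digest."""
    return m1 != m2 and md5_hex(m1) == md5_hex(m2)


if __name__ == "__main__":
    block = b"\x00" * 64                          # constructed sample block
    flipped = tuple(w ^ 0x80000000 for w in IV)   # constructed: IV with 4 bits flipped
    print(md5_hex(b"abc"))
    print(state_distance(IV, flipped), is_pseudocollision(block, IV, flipped))
```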

Newsgroup: sci.crypt
document_id: 15885
From: wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705)
Subject: Re: Suggestions for escrow agencies (was: Re: More technical details)

In article <strnlghtC5yBKA.Dp5@netcom.com> strnlght@netcom.com (David Sternlight) 
brings up the issue of how the escrow agent will be paid, and the fact
that the government had financial leverage if they don't cooperate.
It's an important issue, especially if one of the escrow agents
decides they'd rather stop offering the service. 
I assume that if the escrow agent isn't the government,
then the contract for providing escrow service would include some
termination clause like returning the keys.

>   The easiest way is a user fee for each clipper chip manufactured. 
>   This makes the funding separate from government.

But who's the user paying the fees here, and what's the service?  
If the user is the government, then the funding's not separate from the government.

If the user is the buyer, what's the service?  
Keeping the key for me?  No thanks - I don't need, and won't buy their service!
Not telling everybody my key?  Sounds like blackmail!

If the user is the manufacturer, does the user have a choice about buying?
The alternative is to just generate the key and not escrow it, which is fine -
I'd certainly pay more for this kind of key than an escrowed key!

Face it, the escrow provider is providing a service the users don't want.
The only people who want it are the government, not the users.
What you're really talking about is either the government paying for
the service, up front or per-year, either from general taxes,
or from a special direct tax on wiretap chips, or on an indirect tax
(forcing the manufacturer to pay the fee to the escrow agent.)

I hope the escrow people have no way of finding out your name from
your serial number, especially if the escrow is a government agency.

Here in New Jersey, we have lots of people willing to provide that
sort of services for user fees.  There are people willing to keep your
store from burning down for a small monthly fee, though sometimes people
refuse to pay and discover that the service really was effective.
If you go to a baseball game at Yankee Stadium, there are people who
will watch your car in the parking lot for a small user fee.
Something could scratch the paint, after all.
And what a shame if your Clipper key got out!
--
#				Pray for peace;      Bill
# Bill Stewart 1-908-949-0705 wcs@anchor.att.com AT&T Bell Labs 4M312 Holmdel NJ
#	              No, I'm *from* New Jersey, I only *work* in cyberspace....
# White House Comment Line 1-202-456-1111  fax 1-202-456-2461

Newsgroup: sci.crypt
document_id: 15886
From: koontzd@phobos.lrmsc.loral.com (David Koontz )
Subject: Re: How to make the Clipper chip and wiretapping less bad

What is the reason for the push on clipper?

Two days after the lead story here in the Mercury Times (murky news)
there was another article on industrial espionage by the French.

Someone had said what can it hurt to allow the government to have
continued access to our communications, they already have it.  The
problem is that, yes, they do have access, and probably more than
we realize.  The government wants exclusive access to communications
intercept here in the United States, cutting out other access detrimental
to the national security (tm).

I also doubt that a certain 3-letter agency, which originated the encryption
algorithm and the chip designs needs to have anything to do with the 
escrow system to continue their intercept effort.  

Better yet, who owns the company doing the programming?


Newsgroup: sci.crypt
document_id: 15887
From: sean@sdg.dra.com
Subject: Re: Fighting the Clipper Initiative

In article <he1pb02@rhyolite.wpd.sgi.com>, vjs@rhyolite.wpd.sgi.com (Vernon Schryver) writes:
> In article <strnlghtC5toC6.KIu@netcom.com>, strnlght@netcom.com (David Sternlight) writes:
>>              Even the Department of Agriculture has successfully kept crop
>> forecasts from leaking prematurely.
> 
> Sheesh!  Remember the big scandal a year or two (or 3?) ago about
> exactly such leaks?

My choice for the escrow house would be the Smithsonian, and someplace on
the west coast.  My biggest concern isn't that the escrow house could
be compromised (it will be), but the fact it has been compromised will
be kept secret.  

The keys could be kept under glass, with 24-hour C-SPAN coverage.  If you
thought your key had been stolen just turn on the cable, and wait until
the roving camera reaches the museum case with your key.  Or if you think the
C-SPAN satellite has been compromised, take a tour of the Smithsonian
yourself, and view the seal on your key.

-- 
Sean Donelan, Data Research Associates, Inc, St. Louis, MO
Domain: sean@sdg.dra.com, Voice: (Work) +1 314-432-1100

Newsgroup: sci.crypt
document_id: 15888
From: wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705)
Subject: Re: What would happen if export restrictions violated?

In article <Apr23.215306.83257@yuma.ACNS.ColoState.EDU> holland@CS.ColoState.EDU (douglas craig holland) writes:
   OK, I heard a lot of talk about the NSA's infamous control over encryption
   export through the ITAR.  Here's a question.  Say I develop this great new
   encryption system, and I want to sell my software worldwide.  The thought
   police then come in and say "This algorithm is a threat to national security.
   You will not be permitted to export it."  At this point, what kind of trouble
   could I get into if I ignored the ITAR and sold my program to international
   customers anyway?

First of all, it's not the thought police, it's the export police.
If you move overseas with your great thoughts in your head, write the software there,
and then sell it, the US Thought Police probably can't do too much about it,
though you might want to check with your lawyer first.

However, if you write the program here, and sell it to furriners,
you are now an international arms dealer and can get thrown in the
clink for *many* years, especially if they decide you'd be a good example,
and Cuban Drug Dealers and Fanatic Middle Eastern Terrorists buy your stuff.

(Definitions of "public domain" are different for ITAR purposes, so if
you've got a good enough lawyer who'll do your case for free after
they've confiscated everything you own as evidence, you might win.
But nobody wants to go first, since the stakes are _quite_ high.)
--
#				Pray for peace;      Bill
# Bill Stewart 1-908-949-0705 wcs@anchor.att.com AT&T Bell Labs 4M312 Holmdel NJ
#	              No, I'm *from* New Jersey, I only *work* in cyberspace....
# White House Comment Line 1-202-456-1111  fax 1-202-456-2461

Newsgroup: sci.crypt
document_id: 15889
From: amolitor@nmsu.edu (Andrew Molitor)
Subject: Re: New Encryption Algorithm

In article <artmel.735538777@well.sf.ca.us>
	artmel@well.sf.ca.us (Arthur Melnick) writes:
>     We are strongly opposed to the clipper/capstone chips.  In a
>press release today, our president, Dr. Stephen Bryen stated:
>
>          "It seems as if the government has an unlimited source
>     of funds to use to push its new bugged chips on the American
>     Public.  But do we not understand how the National Security
>     Agency, which is not supposed to be involved in domestic
>     spying, can fund the development of a commercial chip
>     intended to accommodate U.S. government domestic spying
>     activities."
>

	Well, actually, this one's easy. It's their job. The NSA is
supposed to develop cryptosystems. If the government chooses to go
ahead and sell those cryptosystems to the masses, so be it.

	This sounds a lot like slamming the competition, not a cry
for justice. These guys are way out on a limb, if I read that right.
They've committed their new algorithm to silicon before it's been
made public. What are they gonna do if Shamir writes a paper showing
how to crack the entire class of algorithms in 5 minutes with a slide
rule and a pencil?

	If they weren't busy throwing muck to smear their competitors,
I'd feel kinda sorry for 'em. Still do, a little.

	Andrew


Newsgroup: sci.crypt
document_id: 15890
From:  (Jamie Lawrence)
Subject: Re: Once tapped, your code is no good any more.

In article <1993Apr21.222016.18990@leland.Stanford.EDU>, arc@leland.Stanford.EDU (Andrew Richard Conway) writes:
> I must protest your "...in a Communist country". How do you know?
> There haven't been any, and are unlikely to ever be any. In some Socialist
> dictatorships, you can't, whilst in some socialist democracies
> (such as France or Australia)
> you can. Of course, some people may disagree about France & Australia being
> socialist...
> 
> >it, (or rather, you're complaining about it) and nobody is shooting at us.  
> 
> Yet.
> 
> >GUESS WHAT PEOPLE?  You live in one of the few countries in the world
> >where a person can complain without getting shot at.  
> 
> In some circumstances. I was at a public meeting last night (in the USA), where
> a protester, who was very nice and calm, and just said before the
> speaker started to beware of his opinions, was forced out of the meeting by
> two armed policemen.
> 
> There are a lot of things that one cannot do in the USA. You may not
> notice them, but as an Australian visitor, I notice them.
> 
> 
> Of course don't over react --- but don't under react.
> 
Thank you Andrew.  Not only for the firm rebuttal, but for understanding the 
difference between communism and socialism (even though this is off topic).
Why do people just not understand that just because all those pretty songs about
the land of the free and so on sound nice, that they may not be true?
Take off those rose colored glasses and get a clue (to use two of the better 
cliches around)
thanks you again
jamie

Newsgroup: sci.crypt
document_id: 15891
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: Let's build software cryptophones for over the internet...

I forwarded an old posting about CELP speech compression:

	In case you'd like to experiment with CELP, you can obtain a software
	implementation of the 4800 bps Fed Std CELP coder for free:

	The U.S. DoD's Federal-Standard-1016 based 4800 bps code excited linear
	prediction voice coder version 3.2 (CELP 3.2) Fortran and C simulation source
	codes are now available for worldwide distribution at no charge (on DOS
	diskettes, but configured to compile on Sun SPARC stations) from:

I've since been told that the source of this is on cygnus.com
in /pub/celp.speech.tar.Z

I'm not in a position to; any Sun tcp/ip gurus out there who think they
can marry this with netfone by the end of the week? ;-)  Seriously.  I
think someone with real net access and two sparcs could have this running
by the end of the week.  Then we ask the pgp guys to add a bytestream
crypto filter.  Two weeks at the most.  [Damn, I wish I had my sparc
back... I'm stuck on a 25mhz 386sx]


Share and Enjoy!

G
PS  You'll have to use archie to find netfone - I have a copy but no note
of where it's from; author in the docs is kelvin@autodesk.com and he
appears to be located in France

Newsgroup: sci.crypt
document_id: 15892
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: Do we need the clipper for cheap security?

: From: caronni@nessie.cs.id.ethz.ch (Germano Caronni)

: In article <9304201003.AA05465@pizzabox.demon.co.uk> gtoal@gtoal.com (Graham Toal) writes:
: >Can someone tell me if hardware compression is or is not needed to run
: >digital speech down 14.4K?  I think it is; I've heard it's not.  Let's
: >say 8 bit samples.  Would *raw* data at the corresponding sampling rate
: >be usable?  If not, how fancy does the compression need to be?

: As far as I know ISDN (call it Swissnet here, and it's being plugged in) it's
: 8 bit 8000Hz (gives you one channel of 64kBit/sec) I guess you should not go
: below a sampling rate of 6000 Hz if you want to have same quality as on an
: analog-line. Anybody knows compression-algorithms & -factors for voice ?

I've posted some info on CELP coding on sci.crypt.  Looks like you can
squeeze speech into 4000bps if you have a fast enough computer like a
sparcstation (or a Newton with the Acorn Risc Machine in it :-) )

This drops the bandwidth to so low a figure that it's feasible to run
speech over tcp/ip running on top of slip down a v32bis modem.  Not only
will this let us run point to point encrypted speech, it'll let us
run speech internationally over the internet if no-one stops us by
getting *very* heavy about regulations.  The thought of this, if the
administration realised, would probably scare them shitless.

Now of course the trick is to develop and define a standard protocol
for internet speech *damn fast*, allowing anyone who feels brave to
implement custom handheld hardware as well as us hacking it on our
workstations.  Shouldn't be too difficult.  The CELP stuff is standardised,
we use tcp/ip streams, and a protocol allowing silences to be used to
catch up on any net lag, and also to avoid sending any data during
silences (ie it's not wise to be synchronised real-time on each end
because any net delays would add up to big voice-lags)

As for me, I'm going to press ahead on trying this stuff as soon as
I get my sparc back from being loaned out and buy the necessary microphone.
It'll save me a fortune in calling my friend in texas every night :)
(whether encrypted or not)

You know, surely *someone* is working on this.  Who?  It's so obvious,
why doesn't it exist already?  I've only seen netphone for Suns and
it didn't do the CELP compression so was restricted to ether connections.

G

Newsgroup: sci.crypt
document_id: 15893
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: Would "clipper" make a good cover for other encryption method?

: From: brad@optilink.COM (Brad Yearwood)

: Assume in this case the usual canard-adversary of narcotraficantes.  They
: probably have more cash than the KGB did, and they're probably more generous
: at handing it out.  It will be easier than ever to find or cultivate Walkers
: and Pollards for the keys, and it will be easy enough to find someone to
: reverse-engineer the chip (unless the tamper proofing is damned clever and
: effective).

If the administration *really* believes big-time drug dealers are the threat
(personally I thought it was the CIA and the air force that did all the real
drug shipping :-) ) then they *ought* to take this seriously: unlike the
KGB, drug dealers can make a most convincing argument for cooperation: "help
us and we'll be nice and give you some money, don't help us and we'll start
cutting off your favourite body parts"

After all, it was probably an argument like that that persuaded Jack Ruby to
shoot Oswald in full view of the police.  Life in jail probably seems much
more preferable to most people than several weeks of something nasty
followed by no life at all...

G

Newsgroup: sci.crypt
document_id: 15894
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: Off the shelf cheap DES keyseach machine (Was: Re: Corporate acceptance of the wiretap chip)

: At the company I worked for previously, I received a file that was DES encrypted
: and the person that had sent it, went on vacation.  Rather than wait two weeks
: I set up a straight frontal attack with one key at a time.  It only took two(2)
: days to crack the file.  No, I don't have any faith in DES.

: A.G.

Fun!  Three questions:

1) What hardware did you use?
2) When you found the key, was there anything about it that was special
   that meant you had been lucky to find it early? (Like the first 30 bits
   all being 0)
3) ... or did you mean a dictionary attack rather than a binary key attack?

G

Newsgroup: sci.crypt
document_id: 15895
From: cramer@optilink.COM (Clayton Cramer)
Subject: Re: The Escrow Database.

In article <strnlghtC5t3K6.InF@netcom.com>, strnlght@netcom.com (David Sternlight) writes:
> In article <tcmayC5rs6n.Lz8@netcom.com> tcmay@netcom.com (Timothy C. May) writes:
> >After the Waco Massacre and the Big Brother Wiretap Chip, any tactic
> >is fair.
> 
> This is pernicious nonsense!
> 
> David Sternlight         Great care has been taken to ensure the accuracy of

Since the FBI's account of what happened is being contradicted on an
increasingly frequent basis by other officials investigating the
fire, the most pernicious idea of all is believing that Big Brother
is going to be well-behaved with respect to cryptographic keys.

In light of the very serious allegations with respect to the DOJ
selling software to various other intelligence services, what do
you suppose the chances are of some future DOJ selling escrowed
keys to business firms?

Trusting the government to be honest and fair is putting the 
fox in charge of protecting the chickens.


-- 
Clayton E. Cramer {uunet,pyramid}!optilink!cramer  My opinions, all mine!
Relations between people to be by mutual consent, or not at all.

Newsgroup: sci.crypt
document_id: 15896
From: Grant@DOCKMASTER.NCSC.MIL (Lynn R Grant)
Subject: Re: Once they get your keys....

About 50 people so far have asked, "Once the FBI gets your Clipper keys,
won't they be able to read all your future and past traffic?"

There has been no response from NIST, NSA, Ms. Denning, Mr. Hellman, or
anyone else who might be able to give us an authoritative answer.
This is troubling.

Didn't NSA think about this?  Or is it a feature, and they thought we
wouldn't notice?

I would have thought that by now they would have responded with something
of the form, "Well, that won't be a problem because ...."

Very curious.

Lynn Grant

Newsgroup: sci.crypt
document_id: 15897
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Wiretapping reality today

In article <1r9vouINN2tv@shelley.u.washington.edu> niteowl@stein2.u.washington.edu (Jamie Jamison) writes:


>	Again we have the trust in government problem here. Members of 
>Mr. Sternlight's generation trust the government to a degree which
>members of my generation find ridiculous. I would suggest that Mr. Sternlight
>read about the COINTELPRO program, or about J. Edgar Hoover, or about

You should read the history. It was Hoover who stopped Nixon's COINTELPRO
dead in its tracks because he said it was unconstitutional. They tried to
get around him every way they could.

Despite other things he may have done, for this alone, Hoover saved the
Constitution.

David

-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
document_id: 15898
From: ed@titipu.resun.com (Edward Reid)
Subject: Re: Once tapped, PLEASE RESTRICT YOUR FOLLOWUPS

However valuable, this discussion does NOT belong on comp.org.acm or on
comp.org.ieee.  Please edit your followups to include only the appropriate
newsgroups.

--
Edward Reid  Greensboro FL   ed@titipu.resun.com  or  nosc!blkhole!ed
  (looking for programming contracts, especially Unisys A-Series)

Newsgroup: sci.crypt
document_id: 15899
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Once they get your keys....

In article <930424031634.176183@DOCKMASTER.NCSC.MIL> Grant@DOCKMASTER.NCSC.MIL (Lynn R Grant) writes:

>About 50 people so far have asked, "Once the FBI gets your Clipper keys,
>won't they be able to read all your future and past traffic?"
>
>There has been no response from NIST, NSA, Ms. Denning, Mr. Hellman, or
>anyone else who might be able to give us an authoritative answer.
>This is troubling.

The proposal could be modified so that if they get a court order to tap you
and don't charge you with a crime within, say, 90 days, they have to buy you
a new phone.

If they do charge you, and you are found innocent, they have to buy you a
new phone.

:-)

David

-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
document_id: 15900
From: schneier@chinet.chi.il.us (Bruce Schneier)
Subject: Re: Crypto papers on the net.

In article <16BB91429.C445585@mizzou1.missouri.edu> C445585@mizzou1.missouri.edu (John Kelsey) writes:
>   I've recently been reading a paper of Merkle's (published only on the
>net, I think) discussing three potential replacements for DES.  Was
>anything ever done with these?  Are Khufu, Khafre, and/or Snefru still
>being discussed anywhere?  (I know Snefru is referenced in the RSA
>FAQ, and I think it may also be in the sci.crypt FAQ.)
>   On a related topic, can anyone point me toward good sites to find
>papers/articles/discussions of cryptology?  I think I've about exhausted
>the Math/Sci library here, which doesn't seem to have anything more recent
>than about '84.
> 
>   Thanks.
> 
>   --John Kelsey

Khufu and Khafre are both patented (#5003597).  Biham and Shamir showed
that differential cryptanalysis can break 16-round Khafre with a chosen-
plaintext attack using 1500 different encryptions.  Khafre with 24 rounds
can be broken with the same attack using 2^53 different encryptions.
(There are probably more efficient differential cryptanalytic attacks, if
someone wants to take the time to look.)

Khufu has key-dependent S-boxes, and is immune to differential cryptanalysis.
Source code for this algorithm (and Khafre) is in the patent.

Snefru is a public-domain one-way hash function.  The version of Snefru
that produces a 128-bit hash is vulnerable to differential cryptanalysis
(vulnerable means that the attack is more efficient than brute force) for
four passes or less.  Given that, SHA and MD5 are much more efficient.

Oh yes, anyone interested in licensing the patent should contact Dave Petre,
Director of Patent Licencing for Xerox, (203) 986-3231.

Bruce 

Newsgroup: sci.crypt
document_id: 15901
From: tcmay@netcom.com (Timothy C. May)
Subject: Re: Once they get your keys....

(alt.security.clipper added, to keep them informed of this issue)


David Sternlight (strnlght@netcom.com) wrote:
....
: The proposal could be modified so that if they get a court order to tap you
: and don't charge you with a crime within, say, 90 days, they have to buy you
: a new phone.
: 
: If they do charge you, and you are found innocent, they have to buy you a
: new phone.
: 
: :-)

Yes, but will they buy you a ticket on a time machine to allow you to
go back and use the phone with the new key instead of the phone whose
key they obtained?

It is unclear whether obtaining the key at time 0 also unlocks
messages recorded (by whomever) at earlier times. The announcement was
silent on this. The betting seems to be that once your key has been
obtained (by the authorities, by divorce lawyers, by the Mafia, by the
FBI, by lost or stolen backup tapes, by the NSA, etc.), all previous
conversations are insecure. (Session keys are negotiated, but knowing
the private key is believed by many commentators here to break the
security. No doubt more details will emerge.)

So, the loss of a key, whether one is guilty or innocent, may mean a lot
more than merely replacing the phone.

Sort of like saying to someone, "Oh, I copied your diary. But I'll buy
you a new one."


And the system, if made mandatory (as I expect), will make such
storing of conversations much easier, I fear. For one thing, the
transmission of the escrow key field acts as a clear signal to anyone
listening, a kind of "Caller ID" and "Callee ID" on a grand scale.
Also, the phone companies may not care as much about protecting the
privacy of the calls, as they perceive them all to be useless
encrypted junk. (This is a bit of a reach, I know, suggesting that the
Clipper will make security more lax...).

Anyway, still lots of issues unresolved.


-Tim May


-- 
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,  
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets, 
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^756839 | Public Key: PGP and MailSafe available.


Newsgroup: sci.crypt
document_id: 15902
From: tcmay@netcom.com (Timothy C. May)
Subject: Re: Is this overreaction?

Perry E. Metzger (pmetzger@snark.shearson.com) wrote:
...
: We would like to keep it that way. Thats the point. By reacting
: strongly and forcefully now, we will assure that we continue to remain
: free. You cannot overreact to a threat like this. The worst that
: happens if we overreact is that we waste time and effort. The worst that
: happens if we underreact is tyranny. I prefer overreaction myself.
....
: Only through centuries of overreaction have we managed to maintain
: ourselves in this state of even moderate freedom. I suggest that
: overreacting now and in the future is a good thing.

Perry is right on target here. Careful analysis of the Clipper Chip
announcement reveals that it is *not* likely to remain "voluntary" for
very long...the cost of the system, the cost of generating and _then
storing_ the escrow keys, and the admitted security holes pretty much
make the ClipperPhone a loser.

Strong crypto will outcompete it, if strong crypto is allowed. This is
the battle we face.

We had rumblings of this totalitarian key registration thing a while
back, and now the other shoe has dropped. The firestorm of commentary
and criticism this time around reveals the almost immediate revulsion
this Wiretap Chip (and automatic Caller ID and Callee ID, don't
forget!) generates in everyone, or almost everyone, who hears about
it.

This is a battle we can't afford to lose.


-Tim May


-- 
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,  
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets, 
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^756839 | Public Key: PGP and MailSafe available.


Newsgroup: sci.crypt
document_id: 15903
From: brad@optilink.COM (Brad Yearwood)
Subject: Re: Clipper considered harmful [Restated and amplified]

In article <1993Apr22.222016.25628@lehman.com>, pmetzger@snark.shearson.com (Perry E. Metzger) writes:
> You obviously haven't read the information about the system. The chips
> put out serial number information into the cypher stream to allow
> themselves to be identified. The system does not rely on registering
> people as owning particular phone units.
> 
> I am against the proposal, but lets be accurate in our objections.
> 

Do not presume to tell me what I have and have not read.  The system may
not rely upon registering people as owning particular phone units, but
it is necessary to know which phone units are likely to be used for some
suspected criminal communication before you can obtain their unit keys
from escrow.  This necessity raises the stakes in favor of a criminal's
coercing or colluding use of some other person's Clipper phone.

I will restate my assumptions more explicitly and amplify my argument.
The original title perhaps should have been "Distinction between legal
and illegal cipher systems considered harmful", but "Clipper considered
harmful" is not inaccurate, and is more eye-catching in the current context.

Assumptions:

  1.  Clipper is made available.

  2.  Laws are passed to make use of cipher systems other than Clipper illegal
      (either on radio systems, or on any common carrier system).  These laws
      also include enforcement authority to listen across the relevant radio
      spectrum (or other medium), characterize signals, validate Clipper
      wrappers, detect probable use of non-Clipper ciphers, and make such
      detection a cause for further action.

  3.  For escrowed keys to be useful, some specific Clipper chip must be
      associated with a suspected criminal.  This means that at a minimum
      some association between the common carrier's unique phone ID (ESN) and
      the Clipper chip serial number N will be stored in a government database.
      An observed pairing of N and ESN other than the one recorded raises a
      red flag.

  4.  To reduce ordinary fraud, the cellphone system which offers Clipper
      will also be constructed with an ESN mechanism much more tamper-proof
      and much less spoofable than today's cellphones.

  5.  Criminals want inscrutable communications.  Some criminals are not
      entirely stupid or ignorant, and will figure out both that Clipper
      cellphones offer excellent security in normal circumstances, and that
      they offer no security against law enforcement once a (presumably
      legitimate) wiretap order exists.  They will also figure out that the
      wiretap order must necessarily be against a specific cellphone, because
      each one has a unique unit key.

  6.  Criminals do not want to call attention to themselves.  Because they
      are not stupid or ignorant (or because they read netnews), and because
      they know that their open use of a non-Clipper cipher is likely to be
      detected, they will generally avoid using non-Clipper ciphers directly
      on some monitorable/tappable channel.  They know that doing so would raise
      a red flag, putting a given cellphone (if not a given person) under
      immediate suspicion.

  7.  It is impractical to reverse engineer Skipjack, discover family key F,
      and construct a functional clone of a Clipper chip.

By #2, #3, #4, and #7 it will be very difficult to spoof a given Clipper
phone without immediate detection.  Because it is difficult to obscure one's
association to a specific phone by reprogramming or changing chips
around, the criminal will be motivated to find an intact phone which is
associated with someone else.

A non-stupid criminal will conclude that they can have Clipper-secure
communications, at least for some limited time T, if they buy, beg, borrow,
or steal use of someone's phone in a way that prevents that person from
reporting compromise of the phone for at least time T.  The encrypted
communications might have been recorded, and thus be retrievable later,
but the criminal can delay, and quite likely evade, discovery by destroying
or abandoning the phone before T elapses.

It would be unusual for an innocent person to volunteer use of their Clipper
phone to someone else.  The honest subscriber doesn't want to pay someone
else's bill, and he doesn't want to fall under suspicion.

This leaves two sources of Clipper phones for criminal use: coercion
and collusion.

Coercion first.  Theft bears a relatively low risk, but also sometimes
a low time until detection (a few minutes if a phone is stolen from
a car parked in front of a store, a couple of weeks if a phone is stolen
from someone who is away on vacation).  Criminal commerce is likely to
arise in stolen Clipper phones, with phones coming from risk-inured poor
criminals, and cash coming from risk-averse wealthy criminals.  Someone
who is extraordinarily motivated to gain a day or two of undetected
communication (like a terrorist) could kill a person or hold them hostage.
The limited time (before detection) that a coerced phone is useful means
that continuing criminal enterprises require a continuing supply of
freshly coerced phones.

There would also be created a collusive commerce between relatively
wealthy criminals, and ignorant or don't-care patsies who need money,
and who will submit to being paid in return for subscribing to Clipper
phone service for someone else's use.

Criminals will learn that it is more to their advantage to coerce use of a
Clipper cellphone than it is to apply a non-Clipper cipher to a normal
cellphone.  They will call much less attention to themselves (or at least to
their stolen phone) this way.  The fact of a phone's use being coerced must
first be reported before it can be identified as an interesting phone, and
have its keys obtained from escrow.

Clipper also allows an extraordinary opportunity for the criminal to
conceal use of super-encryption.  An automated full-system surveillance
mechanism (quite feasible across radio bandwidth) which knows family key F,
can validate Clipper wrappers and N:ESN associations, but it cannot reveal
in realtime the use of super-encryption, unless it knows all unit keys,
which we are being assured are only to be made available in two separate
pieces, upon specific wiretap-like order.

Whereas a criminal's use of any cipher within a normally cleartext medium
would stand out, a criminal's use of a non-Clipper cipher within a Clipper
medium would be very difficult to detect, even ex post facto in bulk
recordings, as long as the association between criminal and specific Clipper
chip is fractured.

If you make use of this other cipher illegal per se, then you can charge
the criminal with this (if you can identify the true criminal - he'll be
using someone else's phone), but you'll have no evidence to help you against
whatever traditional crime he might have been planning.  You will not even be
able to detect that unusual (encrypted) communications are occurring until you
identify specific phones and obtain their keys from escrow.

The gangster and terrorist are thus arguably more, not less, secure than
they were before Clipper came along.

I therefore consider Clipper harmful because:

  1.  It does not provide absolute privacy to the honest public against
      aggressive or dishonest government.

  2.  If other ciphers are proscribed, it engenders new types of direct
      criminal threat to the honest public.

  3.  It provides an extraordinarily effective mechanism for criminals to
      hide their use of some other cipher, making it more difficult than
      ever even to gain notice that unusual communications are occurring
      and that plans for some criminal act might be in progress.

  4.  If other ciphers are proscribed, lazy investigators and prosecutors
      are more likely to pursue the easily quantifiable cipher-use crime
      than they are the traditional and directly harmful crimes which key
      escrow is claimed to help against.

  5.  If other ciphers are proscribed, the stage is set for witch hunting
      of "illegal" cipher use.  Because any computer can be used as a cipher
      machine...

Brad Yearwood    brad@optilink.com     {uunet, pyramid}!optilink!brad
Petaluma, CA

Newsgroup: sci.crypt
document_id: 15904
From: mg@cs.princeton.edu (Michael Golan)
Subject: clipper serial numbers need 2nd court order?

something that no one has discussed yet (or I missed it):

The FBI sets up a wiretap AFTER the court order was handed. 
Only at this point they can access the line and detect 
the serial number N.

What happens next, does the FBI simply ask for the keys
for N, and, since a warrant was issued for the line, the FBI 
simply gets it? What if multiple phones are used from the
same house, the FBI just asks for N1, N2, etc.?

Exactly who is to prevent the FBI from claiming some
other serial number, X, was also used over the wiretapped 
line and get the keys for X? 

Either a second court order (for the specific serial/key)
is required (and I have seen no indication of this), or
the FBI can effectively ask for any pair of keys at any
time, so the escrow key holders are a total fake.

An unrelated issue: if and when all phones always use
the clipper chip, how are call-transfers going to take 
place?!


 Michael Golan
 mg@cs.princeton.edu


Newsgroup: sci.crypt
document_id: 15905
From: steve-b@access.digex.com (Steve Brinich)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

 > Nonsense! I wasn't asked if Larry O'Brien should trust Nixon with his keys,
 >but whether I would.

  Well, that explains it.  The government has no real need to spy on people
who already love Big Brother; it's the people who are inclined to talk
back who need to be watched.

Newsgroup: sci.crypt
document_id: 15906
From: steve-b@access.digex.com (Steve Brinich)
Subject: Re: New Encryption Algorithm

 >  Well, actually, this one's easy. It's their job. The NSA is
 >supposed to develop cryptosystems. If the government chooses to go
 >ahead and sell those cryptosystems to the masses, so be it.

  Ah, but developing cryptosystems which are specifically designed to
protect the government's domestic spying capabilities takes them beyond
that mandate, into the forbidden field of domestic wiretapping.


Newsgroup: sci.crypt
document_id: 15907
From: steve-b@access.digex.com (Steve Brinich)
Subject: Re: Suggestions for escrow agencies (was: Re: More technical details)

  On the contrary, the entire Clipper proposal is an example of the
government servicing the people (in the sense of the term found in the
sentence, "The farmer paid $100 to rent a bull to service his cows.")



Newsgroup: sci.crypt
document_id: 15908
From: Graham Toal <gtoal@gtoal.com>
Subject: Re: Key Registering Bodies

In article <nagleC5w79E.7HL@netcom.com> nagle@netcom.com (John Nagle) writes:
:       Since the law requires that wiretaps be requested by the Executive
:Branch and approved by the Judicial Branch, it seems clear that one
:of the key registering bodies should be under the control of the
:Judicial Branch.  I suggest the Supreme Court, or, regionally, the
:Courts of Appeal.  More specifically, the offices of their Clerks.

I've got a better idea.  We give one set to the KGB c/o Washington embassy,
and the other set to the Red chinese.

G

Newsgroup: sci.crypt
document_id: 15909
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: PGP ideas for IBM systems

:    I've been thinking about how difficult it would be to make PGP available
: in some form on EBCDIC machines.

Don't encourage them.  Let EBCDIC machines die an honorable death :)

G


Newsgroup: sci.crypt
document_id: 15910
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: Is key escrow enough?

	  The points raised about checking what is actually -in- the chip, as
	opposed to what is allegedly programmed therein, raise yet another trust
	issue.  Even if we assume that these "trusted agents" are really entering
	a wide range of S1 and S2 seeds (rather than using the same one all the
	time to reduce the key search space to 30 bits), I assume they are not
	doing so by picking up an iron filing and poking it into the circuitry
	at carefully selected points to encode data.  They would presumably be
	punching numbers into a computer, which for all they know could program
	the chips in a manner completely independent of the S1 and S2 values they
	are feeding into the system.

S1 and S2 are clearly the backdoor - we should assume they are all
compromised.  If they're not compromisable, why the hell not use a
hardware true random number source.  There isn't a random number
source *anywhere* in this proposal.  The whole thing is deterministic
from the day the serial number is stamped on the chip.

Nope, it can't be trusted.  This is all about two levels of access -
the (possibly honest) key escrow that police forces have to use, and
ostensibly the FBI; and the back door that lets the NSA decode *everything*
on the fly - and maybe some back-handers to the FBI when they want a
warrantless tap in exchange for favours.

G

Newsgroup: sci.crypt
document_id: 15911
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: Do we need the clipper for cheap security?

: There are chips which perform the voice compression/expansion.  They can't
: be expensive, because they exist in many phones connected to PBXs or on the
: PBX line cards, as well as in a lot of equipment which compresses
: voice-grade circuits to save the cost of long-distance, leased T1s or
: satellite circuits.

: I can't remember the generic term for these chips.  My impression is that
: this was a big deal 10 years ago, but circuits have gotten so cheap that
: it isn't done much now.

Codecs.  They have to get about 6:1 compression on 8 bit samples to squeeze
them down to v32bis.  I played around with the lossless 'shorten' program
last night, but it only managed 2.5:1.  I've got some specimen CELP code
but it's not obvious that it runs in real time; I think it's just proof-of-
concept code, and I have some mucking about with file formats to do before
I can put my own sample through it.

Looks like the current option is to use a voice-mail modem with built-in
DSP chip to do this in hardware.  That means two modems for a system,
putting the cost at $600 upwards.  Ouch.  Maybe soon we'll be able to
do it in software on high-powered games consoles - isn't the 3DO an
Acorn RISC machine inside?  That cpu runs like shit off a shovel... and
will be nicely mass-market too.

G

Newsgroup: sci.crypt
document_id: 15912
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: Clipper considered harmful

	From: pmetzger@snark.shearson.com (Perry E. Metzger)

	You obviously haven't read the information about the system. The chips
	put out serial number information into the cypher stream to allow
	themselves to be identified. The system does not rely on registering
	people as owning particular phone units.

And probably as a back door to allow re-generation of the secret key.

Have we determined yet that S1 and S2 don't ever change?

G

Newsgroup: sci.crypt
document_id: 15913
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: Clipper considered harmful

:    Does Dorothy Denning read this group?  If not, is someone on the group
: forwarding questions like these to her, or Martin Hellman, or anyone else
: who's seen more details about the chip?

Of course she does; it's just she's been toasted so often for being
an NSA patsy that she's keeping her head down.  You can always mail
her directly as denning@guvax.acc.georgetown.edu,
denning@cs.cosc.georgetown.edu or denning@cs.georgetown.edu

G

Newsgroup: sci.crypt
document_id: 15914
From: mike@avon.demon.co.uk ("Mike H.")
Subject: Re: Clipper Chip and crypto key-esc 

In article <1993Apr21.131510.3215@memex.co.uk> peter@memex.co.uk writes:

>I thought it was quite difficult to record a modem session at some
>intermediate point on the line. Maybe they have taken a crash course
>in data comms and have a unit that demodulates the tones and stores the
>digital stream for decryption later. This would still suffer from the

>called BABT. It has been stated, either here or in the uk.telecom group,
>that they will not approve equipment that does encryption. I don't know
>if this is true or not, but this would make a good test case.
>
>                Peter Ilieve            peter@memex.co.uk

You forget the obvious! If it is an *authorised* tap then it can be done at
the exchange. If the exchange is *digital* then I suspect that you can
auto-monitor a line and pickup the full link. Therefore syncing a piggyback
modem on the line would not be impossible - I suspect.
-- 

                        Mike H. (mike@avon.demon.co.uk)

Newsgroup: sci.crypt
document_id: 15915
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: Once tapped, your code is no good any more.

	I don't think Mr. Clinton can even understand the technical details of
	the clipper encryption scheme. So, his "assurances" are of no value at
	all, if he gives them he just says what a panel of experts(?) told him.
	If I lived in the USA, I would hope those experts were not paid by the
	<fill here you favorite 3-letter combination>.

"The doctrine of plausible deniability".  No-one is going to tell him
it has a back door.  The NSA will assume he has the sense to work it out
for himself or they wouldn't be pushing it.  Clinton might even *believe*
the NSA when they tell him, for the record, it doesn't have a back door.

And no FOIA request in the world will ever find it.  These guys don't
play by that set of rules.  They have their own rule book, and no, you're
not allowed to see that either.

G

Newsgroup: sci.crypt
document_id: 15916
From: stan@tacobel.UUCP (stan)
Subject: Re: Overreacting (was Re: Once tapped, your code is no good any more

jhan@debra.dgbt.doc.ca (Jerry Han) writes:
> Can people work within the system before trying to break it?  Examine your
> history books, and find out how many armed revolutions led to Democratic
> (or Democratic style) governments.  I think you'll only find one in over
> five thousand years of written history.
> 
> That's not very good odds.  

I may be misreading you here.  Are you saying the American Revolution 
wasn't a good idea because it was bad odds?

I kind of doubt that any revolution, armed or otherwise, was ever started 
without vast amounts of failed "working within a system".  A good sign of 
a system being not worth preserving would probably be that very inability 
to work within it productively.

Hopefully I've misunderstood.  (BTW, I'm not a big fan of arms myself.  

Newsgroup: sci.crypt
document_id: 15917
From: ijames@helix.nih.gov (Carl Ijames)
Subject: Re: REVISED TECHNICAL SUMMARY OF CLIPPER CHIP

> In article <1993Apr21.192615.3465@guvax.acc.georgetown.edu>, denning@guvax.acc.georgetown.edu writes:
> 
> > Each chip includes the following components:
> 
> >    the Skipjack encryption algorithm
> >    F, an 80-bit family key that is common to all chips
> >    N, a 30-bit serial number (this length is subject to change)
> >    U, an 80-bit secret key that unlocks all messages encrypted with the chip
> [ ... ]
> 
> > To see how the chip is used, imagine that it is embedded in the AT&T
> > telephone security device (as it will be).  Suppose I call someone and
> > we both have such a device.  After pushing a button to start a secure
> > conversation, my security device will negotiate an 80-bit session key K
> > with the device at the other end.  This key negotiation takes place
> > without the Clipper Chip.  In general, any method of key exchange can
> > be used such as the Diffie-Hellman public-key distribution method.
> 
> > Once the session key K is established, the Clipper Chip is used to
> > encrypt the conversation or message stream M (digitized voice).  The
> > telephone security device feeds K and M into the chip to produce two
> > values:
> 
> >    E[M; K], the encrypted message stream, and 
> >    E[E[K; U] + N; F], a law enforcement field, 
> [ ... ]
> 
> > which are transmitted over the telephone line.  The law enforcement
> > field thus contains the session key K encrypted under the unit key U
> > concatenated with the serial number N, all encrypted under the family
> > key F.  The law enforcement field is decrypted by law enforcement after
> > an authorized wiretap has been installed.

Is the U used in the law enforcement field from the phone which placed the
call, from the unit whose 'start secure session' button was pressed first,
or does each phone transmit its own law enforcement field?  Even assuming
one of the first two choices, the FBI is going to get a fresh N,U for its
own database about every other phone call, eventually accumulating keys for
all the phones used to connect to the line they are monitoring, not just
the 'suspects' key.  (Assuming the ever-thrifty FBI doesn't forget each key
after its wiretap permission has expired.)  Not quite a pyramid, but not
bad, either.

Carl Ijames     ijames@helix.nih.gov        More worried every day.
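
The field layout in the technical summary quoted above, together with the point
raised in this post (whose U ends up in the field, and how many N,U pairs a tap
collects) and Tim May's earlier remark that the escrow field acts as a "Caller
ID" for anyone listening, modelled as an added example.  This is not code from
any of the posts and not the Clipper design itself: Skipjack is secret, so
E[x; k] is replaced by a stand-in IV-based SHA-256 keystream cipher; the
80/80/30-bit key and serial sizes are from the summary; the two-share XOR
escrow split and the assumption that each chip emits its own law enforcement
field for the stream it encrypts are assumptions made for the model, and all
function names are hypothetical.

```python
"""Toy model of the Clipper law enforcement access field (added example).

LEAF layout follows Denning's summary: E[E[K; U] + N; F], '+' = concatenation.
Skipjack is classified, so E[] here is a stand-in: IV || data XOR SHA-256
keystream.  Escrow split into two XOR shares is an assumption of the model.
"""
import hashlib
import secrets
from typing import Optional, Tuple, List

IV_LEN = 8       # per-encryption IV, so reusing a key never reuses keystream
KEY_LEN = 10     # 80-bit F, U and K, as in the summary
SERIAL_LEN = 4   # 30-bit serial N padded into 4 bytes


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256; stands in for Skipjack only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def E(data: bytes, key: bytes, iv: Optional[bytes] = None) -> bytes:
    """E[data; key]: output is iv || (data XOR keystream(key, iv))."""
    iv = secrets.token_bytes(IV_LEN) if iv is None else iv
    ks = _keystream(key, iv, len(data))
    return iv + bytes(a ^ b for a, b in zip(data, ks))


def D(blob: bytes, key: bytes) -> bytes:
    """Inverse of E: split off the IV and XOR the keystream back out."""
    iv, body = blob[:IV_LEN], blob[IV_LEN:]
    ks = _keystream(key, iv, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


def escrow_split(unit_key: bytes) -> Tuple[bytes, bytes]:
    """Assumed escrow scheme: U = share1 XOR share2, one share per agent."""
    share1 = secrets.token_bytes(len(unit_key))
    share2 = bytes(a ^ b for a, b in zip(unit_key, share1))
    return share1, share2


def escrow_join(share1: bytes, share2: bytes) -> bytes:
    """Both escrow agents' shares are needed to rebuild U."""
    return bytes(a ^ b for a, b in zip(share1, share2))


def chip_encrypt(serial: int, unit_key: bytes, family_key: bytes,
                 session_key: bytes, message: bytes) -> Tuple[bytes, bytes]:
    """What one chip puts on the line: E[M; K] and E[E[K; U] + N; F]."""
    assert 0 <= serial < 2 ** 30, "serial N is 30 bits"
    assert len(unit_key) == len(family_key) == len(session_key) == KEY_LEN
    ciphertext = E(message, session_key)
    inner = E(session_key, unit_key) + serial.to_bytes(SERIAL_LEN, "big")
    leaf = E(inner, family_key)
    return ciphertext, leaf


def serial_from_leaf(leaf: bytes, family_key: bytes) -> int:
    """Anyone holding F reads N from a LEAF; no unit key, no court order."""
    inner = D(leaf, family_key)
    return int.from_bytes(inner[-SERIAL_LEN:], "big")


def tap_decrypt(ciphertext: bytes, leaf: bytes, family_key: bytes,
                unit_key: bytes) -> bytes:
    """With F plus the escrowed U for this N, unwrap K and then read M."""
    wrapped_k = D(leaf, family_key)[:-SERIAL_LEN]
    session_key = D(wrapped_k, unit_key)
    return D(ciphertext, session_key)


def serials_seen(leaves: List[bytes], family_key: bytes) -> List[int]:
    """Serial numbers a listener holding F harvests from captured LEAFs."""
    return sorted({serial_from_leaf(leaf, family_key) for leaf in leaves})


if __name__ == "__main__":
    # Constructed demo values: one family key, two phones, one call.
    F = bytes.fromhex("0f1e2d3c4b5a69788796")
    U_a, U_b = secrets.token_bytes(KEY_LEN), secrets.token_bytes(KEY_LEN)
    K = secrets.token_bytes(KEY_LEN)           # negotiated outside the chip
    ct_a, leaf_a = chip_encrypt(1001, U_a, F, K, b"caller's half of the call")
    ct_b, leaf_b = chip_encrypt(2002, U_b, F, K, b"callee's half of the call")
    print("serials visible with F alone:", serials_seen([leaf_a, leaf_b], F))
    s1, s2 = escrow_split(U_a)                 # what the two agents hold
    print(tap_decrypt(ct_a, leaf_a, F, escrow_join(s1, s2)))
```

Run stand-alone, the demo shows the two things the posts argue about: the
serial numbers of both ends fall out of the family key alone, and the message
only falls out once the escrowed unit key for that serial is joined back
together.  A wrong unit key yields a wrong K and therefore garbage, not an
error, so a tap cannot tell from the output alone which escrowed U it should
have requested.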

Newsgroup: sci.crypt
document_id: 15918
From: jluther@cs.umr.edu (John W. Luther)
Subject: Re: Once tapped, your code is no good any more.

In article <1993Apr21.222016.18990@leland.Stanford.EDU> arc@leland.Stanford.EDU (Andrew Richard Conway) writes:

>Of course don't over react --- but don't under react.
>
Better yet: act.

John
-- 
* John W. Luther                        |   Anybody who mistakes my *
* jluther@cs.umr.edu   <-Best for Email |   opinions for UMR's just *
* 71140.313@compuserve.com  <-$$$$$!    |   doesn't know UMR.       *
********************************************************************

Newsgroup: sci.crypt
document_id: 15919
From: feustel@netcom.com (David Feustel)
Subject: Re: The Escrow Database.

And the fox has rabies too.
-- 
Dave Feustel N9MYI <feustel@netcom.com>

<sig being revised>

Newsgroup: sci.crypt
document_id: 15920
From: pla@sktb.demon.co.uk ("Paul L. Allen")
Subject: Re: Wiretapping reality today

-----BEGIN PGP SIGNED MESSAGE-----

In article <strnlghtC5wKH0.62x@netcom.com> strnlght@netcom.com (David Sternlight) writes:

> The number of court ordered wire taps is pretty low. Law enforcement has to
> present pretty good evidence to get even that limited number of
> authorizations.
> 
> Thus the overwhelming majority of conversations are neither tapped nor
> recorded by the government, and for that to happen they have to:
> a) Have a pretty good reason, with evidence;
> b) Use this sparingly on highest priority "pretty good reasons."

David, given the proposition of the first paragraph, the conclusion of
the second *should* read:

> Thus the overwhelming majority of conversations are neither tapped nor
> recorded legally by the government [...]
           ^^^^^^^

Which completely overturns your argument.  To not see this requires an
unbelievable degree of stupidity or naivete on your part.  Perhaps it's time
for you to own up and say which spook agency you work for...

- --Paul


-----BEGIN PGP SIGNATURE-----
Version: 2.2

iQCVAgUBK9h5ymv14aSAK9PNAQHUPQP/VJ3fNzRljlIXkjU2BnDC0mZEh1im2vM1
B3kOhisgJhkmPA6Y8F/mpj2FIZDnCkresnuJq8tc4kQQJpPDG/RKydr7W4hkA/z2
jfWT8bxZNrwVQjAC539LGYoneNa8dC6hCpG4zKty8Q4hBzohNs8/eTMHAOpxj1PJ
jD8ZuW3aIZk=
=y8CT
-----END PGP SIGNATURE-----


Newsgroup: sci.crypt
document_id: 15921
From: steve-b@access.digex.com (Steve Brinich)
Subject: Re: Is this overreaction?

  Good points.  In addition, I would point out that now is one of the
best times to fight this political battle, with much of the opposition
in disarray -- an FBI director (Sessions) on his way out, an Attorney
General (Reno) who has only been in long enough to find the office coffee
machine two tries out of three (and, between slow confirmations and
Clinton's Saturday Night Massacre, hasn't much of a staff in place).
If we really get lucky, both of the above will be too busy trying to
keep their feet from being held to the Waco fire to spend much effort
insisting on their alleged right to spy on the American people.

  "I swear to you, we aren't finished yet." -- James T. Kirk, ST III


Newsgroup: sci.crypt
document_id: 15922
From: jhart@agora.rain.com (Jim Hart)
Subject: Trademark violation claimed


Forwarded from libernet@dartmouth.edu:

Date: Tue, 20 Apr 93 10:30:47 PDT
From: ald@clipper.clipper.ingr.com (Al Date)
Subject: "Clipper Chip"  --NOT!
To: libernet@Dartmouth.EDU

Clipper TM chip is a registered trademark of Intergraph Corp.

The so-called Clipper chip which was recently mentioned here
and in other media
with respect to encryption is being used in violation of that trademark.  

The Intergraph Clipper chip is a Unix microprocessor, originally 
developed by Fairchild Semiconductors, and has no relationship
to the encryption chip whatsoever.  

I mention this here with the hope that someone reading this will
intercede before the group alt.privacy."clipper" is established.


--Al Date



Newsgroup: sci.crypt
document_id: 15923
From: <34AEJ7D@CMUVM.BITNET>
Subject: Re: Encryption Chip Availibility

In article <ofppPcS00iUy0_k3Mr@andrew.cmu.edu>, "Stephen J. Ludwick"
<sl3b+@andrew.cmu.edu> says:
>
>Hi everybody!
>
>Does anyone know of companies that are currently manufacturing
>encryption chips for sale to the general public?  Get them while you
>can!  Some pointers would be greatly appreciated.
>
>Thanks
>
>Steve

I believe Fisher(sp?) International, makers of the Watchdog(tm) PC
security package offers a hardware implementation of DES as an add-on
to that package.

Newsgroup: sci.crypt
document_id: 15924
From: nobody@alumni.cco.caltech.edu
Subject: Jerry Berman on pseudonymous privacy

Hello all,
I thought you all might like to see this. It's a letter from Jerry
Berman to David Chaum from November of 1985, in response to
information that Mr. Chaum sent to Mr. Berman.

While I have to congratulate EFF for its prompt response to the
Clipper Chip announcement from the White House, I think it's important
to recognize the philosophy of their Executive Director, as explained
below.

I agree that legal remedies are important, but when pressed, I'd
prefer to retain the ability to use purely technical solutions to
preserve my privacy, because they'll hold up under fire.

Mr. Chaum has consented to the publication of this letter on the Net. 

I don't work for, nor am I a member of EFF, ACLU, or any similar
organizations, but I do agree with them on a great many things. 

					--Aristophanes

----------


                     AMERICAN CIVIL LIBERTIES UNION
                           WASHINGTON OFFICE

                                                    122 Maryland Avenue, NE
                                                    Washington, DC 20002

                                                    National Headquarters
                                                    132 West 43rd Street
                                                    New York, NY 10036
                                                    (212) 944-9800

                                                    Norman Dorsen, President
                                                    Ira Glasser, Executive Director
                                                    Eleanor Holmes Norton, Chair,
                                                      National Advisory Council

 November 1, 1985

Mr. David Chaum
Centre for Mathematics and Computer Science
P.O. Box 4079
1009 AB Amsterdam

Dear Mr. Chaum:

	Thank you for sending me a most interesting article.  A society
of individuals and organizations that would expend the time and
resources to use a series of 'digital pseudonyms' to avoid data
linkage does not in my opinion make big brother obsolete but acts on
the assumption that big brother is ever present.  I view your system
as a form of societal paranoia.

	As a matter of principle, we are working to enact formal legal
protections for individual privacy rather than relying on technical
solutions.  We want to assume a society of law which respects legal
limits rather than a society that will disobey the law, requiring
citizens to depend on technical solutions, e.g. require a judicial
warrant for government interception of data communications rather
than encrypt all messages on the assumption that regardless of the
law, the government will abuse its power and invade privacy.

	As a matter of practicality, I do not think your system offers
much hope for privacy.  First, the trend toward universal identifiers
is as much a movement generated by government or industry's desire to
keep track of all citizens as it is by citizens seeking simplicity
and convenience in all transactions.  At best, your system would
benefit the sophisticated and most would opt for simplicity.  The
poor and the undereducated would never use or benefit from it.

	Finally, where there's a will, there's a way.  If government
wants to link data bases, it will, by law, require the disclosure of
various individual pseudonyms used by citizens or prohibit it for
data bases which the government wants to link.  Since corporations
make money by trading commercial lists with one another, they will
never adopt the system or, if it is adopted, will use "fine print"
contracts to permit selling various codes used by their customers to
other firms.

	The solution remains law, policy, and consensus about limits
on government or corporate intrusion into areas of individual
autonomy.  Technique can be used to enforce that consensus or to
override it.  It cannot be used as a substitute for such consensus.



                                            Sincerely Yours,

                                             /Sig/

                                            Jerry J. Berman
                                            Chief Legislative Counsel
                                            & Director, ACLU
                                            Privacy Technology Project


   cc: John Shattuck





Newsgroup: sci.crypt
document_id: 15925
From: quilty@twain.ucs.umass.edu (Lulu of the lotus-eaters)
Subject: Information on Mathematics of Cryptography (followup)

I posted an informational request about any electronically available
articles on cryptographic algorithms a couple of days ago.  As I
mentioned, I was interested, in particular, in DES and Public-Key --
but also wouldn't mind learning about others.  As I said, I can read
an intro-graduate level text book, having had some mathematics, though
not much number-theory per se.  I'd like to see the technical details
of the mathematics of cryptography, as opposed to the popularizations
of things like _scientific am_ which just say, "then you find a
*really* big prime number....".

Following my request, several people were so kind as to suggest
reading-lists, which I hope to get around to.  Two other people were
so *very* kind as to send large documents, which I presume were actual
articles (about 1000 lines each); but I've stupidly deleted them
accidentally before having a chance even to skim them.  If they can
forgive me for my careless use of file-commands, would the original
senders be so kind as to resend? Or anyone else who has good
crypto-articles at a fairly technical mathematical level? Also,
ftp-able or gopher-able docs would be nice to know about.

Yours, Lulu...

-- 
      _/_/_/ THIS MESSAGE WAS BROUGHT TO YOU BY: Postmodern Enterprises _/_/_/ 
     _/_/    ~~~~~~~~~~~~~~~~[quilty@philos.umass.edu]~~~~~~~~~~~~~~~~~  _/_/ 
    _/_/  The opinions expressed here must be those of my employer...   _/_/ 
   _/_/_/_/_/_/_/_/_/_/ Surely you don't think that *I* believe them!  _/_/ 

Newsgroup: sci.crypt
document_id: 15926
From: injc@sun.rz.tu-clausthal.de (Joerg Czeranski)
Subject: Re: Off the shelf cheap DES keyseach machine (Was: Re: Corporate acceptance of the wiretap chip)

AG Russell (arussell@austin.ibm.com) wrote:
: At the company I worked for previously, I received a file that was
: DES encrypted
: and the person that had sent it, went on vacation.  Rather than wait
: two weeks
: I set up a straight frontal attack with one key at a time.  It only
: took two(2)
: days to crack the file.  No, I don't have any faith in DES.

Then it was either _really_ good luck or you had some _very_ fast
machine.  DES has 2^56 possible keys, each two of which are simple
to convert into each other, so you have to expect 2^54 trial encryptions
in the mean case, assuming known plaintext.
2^54 / 2 / (24*60*60) / 1000000 is ca. 104250.
So you must have managed to do 104250 encryptions per microsecond.
CE Infosys builds a very fast DES chip that manages 2 (!) encryptions
per microsecond.

Yes, I'm not very seriously bothered about the security of DES yet;
though you might prefer to use triple DES or IDEA, both of which
use more key bits.

joerg

--
Joerg Czeranski                EMail czeranski@rz.tu-clausthal.de
Osteroeder Strasse 55          SMTP  injc@[139.174.2.10]
W-3392 Clausthal-Zellerfeld    Voice (at work)  +49-5323-72-3896
Germany                        Voice (at home)  +49-5323-78858

To obtain PGP public key, finger injc@sun.rz.tu-clausthal.de, or email me.
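
The throughput estimate in Joerg's post, worked through as an added example (this is not code from the post). It assumes a uniformly random key, known plaintext, and one encryption per trial; the DES complementation property (encrypting the complemented plaintext under the complemented key gives the complemented ciphertext) is what lets one trial test a key and its complement, halving the mean work from 2^55 to 2^54. The two-encryptions-per-microsecond figure is the chip speed Joerg cites; the other key sizes are plain exhaustive-search figures that ignore any smarter attack on those ciphers.

```python
"""Brute-force cost estimates for block-cipher key search.

Added example; constructed inputs only.  'complement_property' halves the
expected work, as for DES and ciphers built from it.
"""
SECONDS_PER_DAY = 24 * 60 * 60


def expected_trials(key_bits: int, complement_property: bool = False) -> int:
    """Mean number of trial encryptions to recover a random key by
    exhaustive search: half the keyspace, halved again when one trial
    tests a key and its complement at once."""
    trials = 2 ** (key_bits - 1)
    return trials // 2 if complement_property else trials


def rate_per_microsecond(key_bits: int, days: float,
                         complement_property: bool = False) -> float:
    """Encryptions per microsecond needed to finish the mean search in
    `days` of wall-clock time."""
    trials = expected_trials(key_bits, complement_property)
    return trials / (days * SECONDS_PER_DAY) / 1e6


def days_at_rate(key_bits: int, per_microsecond: float,
                 complement_property: bool = False) -> float:
    """Mean search time in days for hardware that manages
    `per_microsecond` trial encryptions per microsecond."""
    trials = expected_trials(key_bits, complement_property)
    return trials / (per_microsecond * 1e6) / SECONDS_PER_DAY


if __name__ == "__main__":
    # Joerg's figure: 2^54 trials in two days needs ~104250 encryptions/us.
    print(f"DES, 2 days: {rate_per_microsecond(56, 2, True):,.0f} enc/us")
    # The 2 enc/us chip he cites would instead take ~104250 days (~285 years).
    print(f"DES at 2 enc/us: {days_at_rate(56, 2, True):,.0f} days")
    # Exhaustive search only, at the same rate, for larger key sizes
    # (two-key triple DES, 112 bits; IDEA, 128 bits):
    for name, bits, comp in (("2-key 3DES", 112, True), ("IDEA", 128, False)):
        print(f"{name} at 2 enc/us: {days_at_rate(bits, 2, comp):.3g} days")
```

The symmetry between the two DES numbers is not a coincidence: two days at rate X and rate 2 for X days are the same product, which is why both come out at about 104,250.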

Newsgroup: sci.crypt
document_id: 15927
From: anovak@twain.ucs.umass.edu (Tree Hugger)
Subject: Rush Limbaugh's address (oops from before)

	I think this didn't get posted before (I've been reading
USENET for the longest time, but never had much interest in posting
until recently).  This is what I typed before:

	I have written Mr. Limbaugh before, and I loathe to use the
name Rush in association with him, because he is unworthy to have a
name in common with some of the greatest musicians in our time, the
BAND, Rush.  
	His address, as some of you wanted is:
	70277.2502@compuserve.com
	He has been too wrapped up in himself to respond to me, but
maybe some of you will have better luck.  :)  bye!
--
	g'bye for now...

	-=I   Tree   I=-                  a.k.a. Andy Novak

---------------------------------------------------------------------
            anovak@titan.ucs.umass.edu 
                  anovak@twain.ucs.umass.edu
---------------------------------------------------------------------

Newsgroup: sci.crypt
document_id: 15928
From: mkapor@eff.org (Mitch Kapor)
Subject: Re: Jerry Berman on pseudonymous privacy

nobody@alumni.cco.caltech.edu correctly states Jerry Berman's 1985 view on
privacy, but he mistakenly assumes that this represents Berman's 1993 view as
EFF Executive Director.

As one of the people who convinced Jerry that legal protections for privacy
are insufficient, and that technical measures, especially public key
cryptography, are also vitally necessary, I can tell you that Jerry and EFF
are fully committed to this position.

The previous poster is apparently unaware of a long series of EFF positions in
support of this view.  I suggest those interested read EFF's position on
Clipper or our other work in digital privacy.  Check ftp.eff.org for more
details.

One of the great things about human beings is that they are capable of change
and evolution in their thinking.  The idea that crypto is critical to privacy
is one which is no longer limited to certain net aficionados, but is 
spreading to parts of the public policy community in Washington.

Mitch Kapor
co-Founder, EFF 

Newsgroup: sci.crypt
document_id: 15929
From: smb@research.att.com (Steven Bellovin)
Subject: Re: Clipper considered harmful

In article <16BB9F30.C445585@mizzou1.missouri.edu>, C445585@mizzou1.missouri.edu (John Kelsey) writes:
>  
>    The clipper chip's User key is formed by:
>  
>            R1 = E[D[E[N1;S1];S2];S1]
>            R2 = E[D[E[N2;S1];S2];S1]
>            R3 = E[D[E[N3;S1];S2];S1]
>  
>    Why is the triple-encryption used?  Is it just to gain an effective
> increase in keyspace to defeat a potential keysearch?  (If so, why use
> 80 bit keys?)  Not knowing anything about the Skipjack algorithm, it's
> not really possible to guess whether this makes it harder or easier to
> guess S1,S2.
>  
>    Why are N1, N2, and N3 formed as they are?  It would be fascinating to
> see the Skipjack algorithm, to look for ways of attacking it that require
> three ciphertext blocks formed in that odd way.
>  
>    Where do the 34-bit constant values that are concatenated with the
> serial number to form N1,N2,N3 come from?  Are they changed from chip to
> chip, or session to session?  (Even if they're published in the NY Times,
> if SkipJack is resistant to known-plaintext attacks, when using triple-
> encryption, then there's no break in security.  But why allow that kind
> of weird format?  If those three 34-bit values are truly-random bits, then
> maybe it's used to ensure that a known-plaintext attack on SkipJack, if
> it exists, can't be easily used to derive S1 and S2 for a whole production
> run of these chips....)

I can't answer all your questions in detail, but I can take a stab at
them.

The form of the operations that compute R1, R2, and R3 is, of course, the
famous ``triple encryption'' suggested for use with DES.  It's much
stronger than a single encryption, and has an effective key length of
160 bits.  For reasons that were discussed when DES was first
standardized, a simple double encryption would not have the same
strength.  Triple encryption has been used by IBM since more or less
the beginning to encrypt other keys.  It's recommended for anything of
very high value.  And I think we can agree that the R_i and S_i fit
that description.

Why n_1, n_2, and n_3?  Well, you need different plaintext values.  I
have no idea if they'll be disclosed or not.  At a guess, they're
constructed so that they differ in as many bit positions as possible.
A good cryptosystem will scramble things a lot with even a 1-bit change
-- but the values of N in a series will have fairly similar bit
patterns, and there might, conceivably, be a weakness.  So the n_i
values are -- and I'm guessing -- chosen to increase the Hamming
distance.

In any event, I'm quite convinced that one cannot go back to the S_i
from the U_i, let alone U.  (Observe:  if the NSA has U, they don't
need to find S_i.  But even if they do, they can't get U_1 and U_2.  In
theory, they should never even see those values, even with a warrant.)

The real question, I think, is why use this scheme at all, as opposed
to a hardware random number generator.  My answer is that this is
*much* more verifiable.  Look -- suppose that NSA, NIST, the ACLU, the
EFF, and the NRA combined to build a *really* good random number
generator, and that it passed every test you could think of.  When you
come back next week to program some more chips, does it still work that
well?  Have any components changed in value?  Have the components been
changed out from under you?  Does it still work well in the
presence of a focused microwave beam that tends to bias it towards
selecting 1 bits?  Yes, you can run detailed statistical tests on it
again, but that's hard.

Consider, on the other hand, a software solution.  You bring your own
floppies with you, you can run cryptographic checksums, etc.  It's a
lot easier to verify that the software is unchanged, in other words.
(Yes, I can think of ways to cheat software, too.  I think that they're
a lot harder.)

There are three issues with Clipper.  The first is whether or not the
architecture of the whole scheme is capable of working.  My answer,
with one significant exception, is yes.  I really do think that NSA and
NIST have designed this scheme about as well as can be, assuming that
their real objectives are as stated: to permit wiretapping, under
certain carefully-controlled circumstances, with a minimum risk of
abuse.  (The exception is that U exists outside of the chip, on a
programming diskette.  That's seriously wrong.  U_1 and U_2 should be
loaded onto the chip separately.)  To those who disagree (and I don't
claim my answer is obvious, though I found my own reasoning
sufficiently persuasive that I was forced to rewrite the Conclusions
section of my technical analysis paper -- I had originally blasted the
scheme), I issue this invitation:  assume that you were charged with
implementing such a system, with complete regard for civil rights and
due process.  What would you do differently?  In answering this
question, please accept NSA's fundamental assumptions:  that both
strong cryptography against outsiders, and the ability to wiretap
*some* domestic users, is necessary.  (If you feel it necessary to
challenge those assumptions, do it in the context of the last issue I
present below.  Right here, I'm discussing *just* the technical
aspects.  And no, I don't by any means claim that just because
something can be done, it should be.)

The second issue is whether or not this whole architecture is actually
going to be used.  Just because Clipper chips are made this way doesn't
mean that that's the only way they'll be made.  Maybe the NSA will
substitute its own chips between the programming facility and the
shipping dock.  And they'll generate bogus warrant requests, so that
the escrow agents don't wonder why they've never called.  (``Sorry,
guys; all them terrorists and drug dealers and pedophiles seem to have
bought triple-DES phones instead.  Who'd 'a' thunk it?'')  I have no
answer to this question, and at the moment, I don't see a way of
answering it.  Those concerns are part of my reasoning in my answer
to the final question, below.

The third, and most serious issue, is whether or not Clipper is a good
idea even if carried out strictly according to the letter of the law.
I think that the answer is no, but it's not a no-brainer.  I'm a civil
libertarian, not a libertarian, for reasons that I explained at great
length on the net in the Elder Days, and that I don't have the energy
to repeat now.  But that means that I'm willing to accept that some
laws are necessary, so long as they respect the essential rights of
individuals.  The government already has the ability and -- in our
system -- the right to issue search warrants, and while that power has
certainly been abused, it's also been used quite properly and fairly in
other cases.  Is key escrow sufficiently different?  I think so -- but
again, it's not an easy question for me.  (It is easy for libertarians
to answer, of course, since Clipper is completely alien to much of the
rest of their (oft-admirable) philosophy.  And it's also easy for those
who give their unreserved trust to government, a group I'm much more
distant from.)


		--Steve Bellovin

Newsgroup: sci.crypt
document_id: 15930
From: mike@avon.demon.co.uk ("Mike H.")
Subject: Re: S1, S2 

In article <1r60ue$102@access.digex.net> steve-b@access.digex.com writes:
>  The only theory that makes any sense is that S1 and S2 are either the
>same for all chips, or vary among very few possibilities, so that anyone
>trying to break the encryption by brute force need only plow through the
>possible serial numbers (2^30, about one billion), multiplied by the number
>of different S1, S2 combinations.
>
Iff the phones transmit their serial nos. as part of the message then what
is to say that each phone can take that serial number and use it to generate
the required key....



Newsgroup: sci.crypt
document_id: 15931
From: smb@research.att.com (Steven Bellovin)
Subject: Re: Once they get your keys....

In article <930424031634.176183@DOCKMASTER.NCSC.MIL>, Grant@DOCKMASTER.NCSC.MIL (Lynn R Grant) writes:
> About 50 people so far have asked, "Once the FBI gets your Clipper keys,
> won't they be able to read all your future and past traffic?"
> 
> There has been no response from NIST, NSA, Ms. Denning, Mr. Hellman, or
> anyone else who might be able to give us an authoritative answer.
> This is troubling.
> 
> Didn't NSA think about this?  Or is it a feature, and they thought we
> wouldn't notice?
> 
> I would have thought that by now they would have responded with something
> of the form, "Well, that won't be a problem because ...."

Don Alvarez posted a good partial solution to this problem to
comp.risks.  I'll present my variant on it instead, since I feel it's a
bit stronger against some likely attempts to cheat.  It depends on the
protocol that's followed for reading traffic.  Briefly, the cops get a
wiretap warrant, and record the call.  They then notice the encryption
and the disclosure header.  It, along with a copy of their warrant, is
sent to the FBI, or whoever it is who holds the family key.  The
F-holder decrypts the header, and sends the serial number N and the
encrypted session key U[K] to the escrow agents.  They, in turn, use U1
and U2 to recover K, and send that to the local police.

Note how this solves the problem of wiretapping forever.  Neither the
cops nor the FBI ever see U, so they can't read other traffic.  Every
request must be validated by both the FBI and the escrow agents.  The
cops and the FBI together can't cheat, since they don't have U.  (I
regard that as a likely pairing of folks who might try to beat the
system.  It's to prevent this that I modified Alvarez's scheme.)  The
escrow agents can't read the conversation, since they don't have it;
all they have is N and U[K].  And the police don't even see N.

It's harder to see how to block decryption of old, warrantless,
wiretaps.  There is one protection -- you have to persuade the escrow
agents that the call is current.  But that's not nearly as strong.
There are approaches I can see that might work, involving sequences of
data on an unalterable medium, complete with cryptographic protection
against insertion onto a new medium.  But I don't have anything yet
that isn't too complex for comfort, or too hard to install in the real
world.  The NSA might have an answer; they may or may not be smarter
than me, but I've been working on this for a week, and they've had years.
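
The recovery protocol Bellovin lays out (police, family-key holder, escrow agents), as an added simulation that is not code from his post nor from any real Clipper, Skipjack or escrow implementation. Skipjack is classified, so a SHA-256 counter-mode keystream stands in for every encryption (the assumption being that only the key-separation properties of the protocol matter here, not the cipher); the key lengths, header layout, serial number and warrant are constructed values. The point of the simulation is the bookkeeping: it records what each party gets to see, so you can check his claims that the police never see U or N and that the escrow agents never see the conversation.

```python
"""Simulation of the Clipper key-recovery protocol as described in the post.

Added example with a stand-in cipher; all keys and identifiers are constructed.
"""
import hashlib
import secrets


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in for Skipjack: XOR data with a SHA-256 counter-mode keystream.
    XOR is its own inverse, so the same call encrypts and decrypts."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def program_chip(serial: int, family_key: bytes):
    """Programming facility: choose unit key U and split it as U = U1 xor U2.
    Each half goes to one escrow agent, filed under the chip serial number N."""
    unit_key = secrets.token_bytes(10)          # 80-bit U (constructed size)
    u1 = secrets.token_bytes(10)
    u2 = xor_bytes(unit_key, u1)
    chip = {"N": serial, "U": unit_key, "F": family_key}
    return chip, {serial: u1}, {serial: u2}


def chip_send(chip, session_key: bytes, plaintext: bytes):
    """Chip output: disclosure header E_F(N || E_U(K)) and E_K(message)."""
    enc_k = toy_cipher(chip["U"], session_key)
    header = toy_cipher(chip["F"], chip["N"].to_bytes(4, "big") + enc_k)
    return header, toy_cipher(session_key, plaintext)


def run_wiretap(header, ciphertext, warrant, family_key, escrow1, escrow2):
    """Walk the recovery protocol, recording what each party sees."""
    seen = {"police": set(), "f_holder": set(), "escrow": set()}
    # 1. Police hold the recording and the warrant; they forward the header.
    seen["police"] |= {"header", "ciphertext", "warrant"}
    # 2. F-holder validates the warrant, decrypts the header, and passes
    #    only N and U[K] onward.  U itself never appears here.
    if not warrant["valid"]:
        raise PermissionError("F-holder: invalid warrant")
    fields = toy_cipher(family_key, header)
    serial, enc_k = int.from_bytes(fields[:4], "big"), fields[4:]
    seen["f_holder"] |= {"header", "warrant", "N", "U[K]"}
    # 3. Escrow agents validate the warrant independently, rebuild U from
    #    their halves and recover K.  They never receive the ciphertext.
    if not warrant["valid"]:
        raise PermissionError("escrow: invalid warrant")
    if serial not in escrow1 or serial not in escrow2:
        raise KeyError(f"escrow: no record for serial {serial}")
    unit_key = xor_bytes(escrow1[serial], escrow2[serial])
    session_key = toy_cipher(unit_key, enc_k)
    seen["escrow"] |= {"warrant", "N", "U[K]", "U", "K"}
    # 4. Police receive only the session key K and decrypt this one call.
    seen["police"].add("K")
    return seen, toy_cipher(session_key, ciphertext)


def demo():
    """One full run on constructed data; returns the views and the result."""
    family_key = secrets.token_bytes(10)        # constructed family key F
    chip, escrow1, escrow2 = program_chip(serial=0x2A5F1, family_key=family_key)
    message = b"constructed sample call content"
    header, ciphertext = chip_send(chip, secrets.token_bytes(10), message)
    warrant = {"valid": True, "line": "constructed-tapped-line"}
    seen, recovered = run_wiretap(header, ciphertext, warrant, family_key,
                                  escrow1, escrow2)
    return seen, recovered, message


if __name__ == "__main__":
    seen, recovered, message = demo()
    print("recovered matches:", recovered == message)
    for party, items in seen.items():
        print(f"{party:9s} saw {sorted(items)}")
```

Running it shows the police set holding K but neither U nor N, and the escrow set holding U and K but no ciphertext, which is exactly the separation Bellovin relies on when he says the cops and the F-holder together cannot cheat. It also shows the limit he notes in the next paragraph: nothing in this flow stops a party that already holds an old recording from asking for its K later, so the "is the call current" check has to come from somewhere outside the protocol.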

Newsgroup: sci.crypt
document_id: 15932
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Clipper considered harmful [Restated and amplified]


Brad Yearwood posts a long response to the issue of registering a
phone-clipper relationship.

It doesn't wash.

Recall that law enforcement gets a court order to tap a suspect's phone
calls. They do what they do now--figure out which lines to tap. They then
record the stuff. If it's Clipper, they read the law enforcement block,
extract the serial number, and get the keys using the court order.

No new difficulties (such as using someone else's phone instrument or phone
line) are introduced that wouldn't have existed absent clipper. If the
crooks were going to use a pay phone (say), they could have done so without
clipper. If the government figures out they're so doing, they listen in, and
if it's a clipper conversation they get the serial number and then the keys.

If the crooks use an innocent person's clipper phone on the tapped line
there's no problem. The Feds don't care whose phone instrument is used, just
that the conversation is by the suspect on the tapped line. They get the
serial number, get the keys, and they are in business.

No clipper chip to person association is ever needed.

David
-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
document_id: 15933
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

In article <1rae88$b5j@access.digex.net> steve-b@access.digex.com (Steve Brinich) writes:
> > Nonsense! I wasn't asked if Larry O'Brien should trust Nixon with his keys,
> >but whether I would.
>
>  Well, that explains it.  The government has no real need to spy on people
>who already love Big Brother; it's the people who are inclined to talk
>back who need to be watched.

Though I think this an overstatement, it does contain a grain of truth. It's
drug dealers, spies, terrorists, and organized crime figures (assuming
enough probable cause to convince a judge) who need to be watched, not
law-abiding citizens.

David
-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
document_id: 15934
From: strnlght@netcom.com (David Sternlight)
Subject: Back doors in Clipper?


I think it very unlikely there are back doors in clipper, for two reasons:

1. The government doesn't need them if it can get the key (and yes, I assume
that the "official" government obeys court orders, etc.--and that the design
of the chip and its approval were "official");

2. It would defeat the whole purpose of providing secure crypto for American
business that couldn't be read by our economic adversaries. If this were not
a legitimate and genuine purpose, and as many think, the NSA can read DES,
why bother otherwise?

Rational responses preferred to conspiracy theories, thanks.

David
-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
document_id: 15935
From: strnlght@netcom.com (David Sternlight)
Subject: Re: clipper serial numbers need 2nd court order?

In article <1993Apr23.051005.28404@Princeton.EDU> mg@cs.princeton.edu (Michael Golan) writes:
>something that no one has discussed yet (or I missed it):
>
>The FBI sets up a wiretap AFTER the court order was handed. 
>Only at this point they can access the line and detect 
>the serial number N.
>
>What happens next, does the FBI simply asks for the keys
>for N, and, since a warrant was issued for the line, the FBI 
>simply gets it? What if multiple phones are used from the
>same house, the FBI just asks for N1, N2, etc.?
>
>Exactly who is to prevent the FBI from claiming some
>other serial number, X, was also used over the wiretapped 
>line and get the keys for X? 
>
>Either a second court order (for the specific serial/key)
>is required (and I have seen no indication of this), or
>the FBI can effectively ask for any pair of keys at any
>time, so the escrow key holders are a total fake.
>

Two safeguards:

1. The FBI could be asked to produce the law enforcement block to the escrow
agencies, and associate it with a particular court order;

2. If the thing comes to trial the defense attorneys can probe this issue
closely. It is not too different from proving that the speaker on a legal
wiretap is the person the court order covered.

Putting it another way, this question is not very different from the
pre-clipper question "What's to prevent the FBI from getting a court order
to tap Al Capone and then using it to tap Jonathan Livingstone Seagull
instead?"

David
-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
document_id: 15936
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Once they get your keys....

In article <tcmayC5z3yE.F38@netcom.com> tcmay@netcom.com (Timothy C. May)
writes:

>(alt.security.clipper added, to keep them informed of this issue)
>
>
>David Sternlight (strnlght@netcom.com) wrote:
>....
>: The proposal could be modified so that if they get a court order to tap you
>: and don't charge you with a crime within, say, 90 days, they have to buy you
>: a new phone.
>: 
>: If they do charge you, and you are found innocent, they have to buy you a
>: new phone.
>: 
>: :-)
>
>Yes, but will they buy you a ticket on a time machine to allow you to
>go back and use the phone with the new key instead of the phone whose
>key they obtained?
>
>It is unclear whether obtaining the key at time 0 also unlocks
>messages recorded (by whomever) at earlier times. The announcement was
>silent on this. The betting seems to be that once your key has been
>obtained (by the authorities, by divorce lawyers, by the Mafia, by the
>FBI, by lost or stolen backup tapes, by the NSA, etc.). all previous
>conversations are unsecure. (Session keys are negotiated, but knowing
>the private key is believed by many commentators here to break the
>security. No doubt more details will emerge.)
>

Doesn't matter if we assume they are obeying the law, since they won't have
had a court order to tap calls prior to the date of the court order, and
thus won't have them available.

If they aren't obeying the law, we are in an entirely different discussion,
in which this is the least of one's worries.

David
-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
document_id: 15937
From: C445585@mizzou1.missouri.edu (John Kelsey)
Subject: Re: Once they get your keys....

>In article <930424031634.176183@DOCKMASTER.NCSC.MIL> Grant@DOCKMASTER.NCSC.MIL (Lynn R Grant) writes:
>
>About 50 people so far have asked, "Once the FBI gets your Clipper keys,
>won't they be able to read all your future and past traffic?"
>
>There has been no response from NIST, NSA, Ms. Denning, Mr. Hellman, or
>anyone else who might be able to give us an authoritative answer.
>This is troubling.
 
   It was implied in the first technical posting by Dorothy Denning that the
FBI would do the decryption *for* the law enforcement agencies.  It wasn't
clear to me from the post whether this would be done in realtime or not, or
whether the FBI would just decrypt the session keys for the locals, or would
do the whole message.
 
   One thing I'm a bit puzzled by:  Why aren't they doing this with a public
key scheme of some sort?  You could generate two unique public/private pairs
for each chip.  Then, escrow the private keys with the escrow agencies.  Set
the protocol up to encrypt the session key with both public keys.  To decrypt
a message, both escrow agencies (in the right order, for most PK schemes)
have to decrypt with the escrowed private key.  This way, there wouldn't be
the concern that, once the police had asked for a warrant/wiretap, they
would have your key forever.
 
   --John Kelsey

Newsgroup: sci.crypt
document_id: 15938
From: gardner@convex.com (Steve Gardner)
Subject: Re: What would happen if export restrictions violated?

In article <Apr23.215306.83257@yuma.ACNS.ColoState.EDU> holland@CS.ColoState.EDU (douglas craig holland) writes:
>
>At this point, what kind of trouble
>could I get into if I ignored the ITAR and sold my program to international
>customers anyway?
	I'm not sure it has been established that the government can
	prevent you from sending an algorithm abroad.  The NSA seems
	to have won by intimidation so far.  Why don't you try it? ;-)
	Of course you could just distribute your algorithm widely for
	free and screw them up big time.  (That would be my approach ;-))


						smg

Newsgroup: sci.crypt
document_id: 15939
From: pat@rwing.UUCP (Pat Myrto)
Subject: Re: Overreacting (was Re: Once tapped, your code is no good any more)

In article <4fplPDH0BwwbEDweNJ@transarc.com> Lyle_Seaman@transarc.com writes:
<jhan@debra.dgbt.doc.ca (Jerry Han) writes:
<> Somebody asked me what was wrong about overreacting in cases such as this.
<
<That was probably me.
<I meant only that nobody has overreacted yet.  It seemed to me that
<Jerry was suggesting that people are currently overreacting, and I 
<vehemently disagree.  I see a lot of talk, but not much action.
<I see now that I misunderstood Jerry's position.
<
<> The reason is very simple:  How many people do you want to die in a riot? 
<> In a new Civil War? 
<>
<> Everybody is jumping up and down and screaming about it, and I'm worried
<> that people are going to reach for their hammers and rifles before their pens
<> and paper.  
<
<Not this bunch.  They'll just bitch on the Net for a while, and 
<then go back to lurking.
<
<> Can people work within the system before trying to break it?  Examine your
<> history books, and find out how many armed revolutions led to Democratic
<> (or Democratic style) governments.  I think you'll only find one in over
<> five thousand years of written history.
<
<Actually, it's not quite that bad, but it's close.

I think everyone would just as soon work within the system.  The presence
of the POSSIBILITY of using the bullet box instead of the ballot box
is supposed to be a deterrent - by keeping the price of massive abuse
unacceptable.  However, governments being what they are, sure would
like to REMOVE that deterrence, which will make the need for armed
citizens all the more great (you don't need 'em till you don't have 'em).
Then I think we can be more accurately called 'subjects' instead of
'citizens'.  The idea of the people being sovereign over the government
is sure not in vogue in the Beltway these days, that is for sure...
The Administration is saying "We know best.  We will tell you what
you need, or don't need..."  "After, that old-fashioned anachronism
called the Bill of Rights is not needed in these 'enlightened times'...

<Look, we (collectively) have the power to throw the bums out, but we
<don't use it.  We clearly don't need to go burning things down, but we

Not if the government has its way:  There are EIGHT bills before Congress
that will either ban, tax exorbitantly, or register all useful weapons
in the hands of the unconnected US subject.   Can you say $200.00 just
for a box of cartridges for practice?  One of the current Administration's
top priority items is to disarm all who are not well-connected, or that
work for the government.

<clearly do need to throw at least some of the bums out.
<Unfortunately, the bums have learned to target only small groups of
<people at a single time, so the masses won't react and throw them out.
<Eventually, the masses will react, unless the bums cease their
<relentless encroachment on liberty and despoilment of the economy.
<The sooner it happens, the less the damages will be.  I don't want to
<live in a war zone, either -- I want to see the bums thrown out before
<they do some *real* damage.

Another tactic is to toss out so many outrages at once that nobody can
give justice to them all.  Like is being done RIGHT NOW.

<Lyle		Transarc		707 Grant Street
<412 338 4474	The Gulf Tower		Pittsburgh 15219


-- 
pat@rwing.uucp      [Without prejudice UCC 1-207]     (Pat Myrto) Seattle, WA
         If all else fails, try:       ...!uunet!pilchuck!rwing!pat
WISDOM: "Only two things are infinite; the universe and human stupidity,
         and I am not sure about the former."              - Albert Einstein

Newsgroup: sci.crypt
document_id: 15940
From: jim@rand.org (Jim Gillogly)
Subject: Re: Clipper considered harmful

Steve Bellovin writes a well-thought-out and nearly persuasive article about
why the Clipper (are we still calling it Clipper today, or have they figured
out a non-infringing word yet?) protocol is almost as good as one can do
given their marching orders.

In article <1993Apr24.160121.17189@ulysses.att.com> smb@research.att.com (Steven Bellovin) writes:
>         I issue this invitation:  assume that you were charged with
>implementing such a system, with complete regard for civil rights and
>due process.  What would you do differently?  In answering this
>question, please accept NSA's fundamental assumptions:  that both
>strong cryptography against outsiders, and the ability to wiretap
>*some* domestic users, is necessary.

I'll accept the second assumption only for the sake of argument.  In my
view the primary remaining flaw is that the encryption algorithm is
secret, leading to suspicion that there is a back door.  Without complete
disclosure this suspicion cannot be dispelled, no matter how many trusted
experts are allowed to look at it in isolation.

Is it possible to do this whole thing with a public algorithm?  The only
concern I've seen with making Skipjack public is that someone could build
Clipperphones without registering the keys.  Assume F can really be kept
secret as the Government assumes.  Then as part of the initial connection,
a Clipperphone executes a protocol with the Pseudophone to demonstrate
that they both know F.  For example, the initiating phone picks a number Q
and sends E[Q; F].  The receiver sends back E[Q+1; F], and the initiator
sends back E[Q+2; F] to demonstrate that her first packet wasn't just a
random 64-bit block.  Repeat in the opposite direction with another Q so
it can't be defeated by somebody building up a library of sequential
numbers by remembering responses and using those responses as the initial
numbers of subsequent challenges.  This way Clipperphones will talk only
to other Clipperphones.  Of course the Pseudo Company can build their own
proprietary Skipjack phone, but the Presidential Fact Sheet implies that
they won't get approval for it without equivalent key escrow.

What's wrong with this picture?  It depends on F staying secret and on
Skipjack being resistant to cryptanalysis, but the Government appears to
believe in both of these.  Even if the particular Q&A I suggest has some
flaw, I imagine there's a zero-knowledge-proof protocol that doesn't.

smb says:
>The third, and most serious issue, is whether or not Clipper is a good
>idea even if carried out strictly according to the letter of the law.

Agreed.  My view, and you can quote me: if it's not worth doing, it's
not worth doing well.
-- 
	Jim Gillogly
	Hevensday, 3 Thrimidge S.R. 1993, 20:48
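
The three-message exchange described above, worked through as an added example (my code, not Jim Gillogly's and not any Clipperphone implementation). E[Q; F] is modelled with a small Feistel network over HMAC-SHA256 standing in for Skipjack; the family key value, the phone names and the message names c1/c2/c3 are all assumed for the demonstration. The handshake runs the exchange once in each direction with a fresh Q, as the post requires, and fails when either side lacks F.

```python
import hashlib
import hmac
import secrets

# Toy 64-bit keyed permutation standing in for the post's E[Q; F].  A real
# Clipperphone would run Skipjack under the family key F; this four-round
# Feistel network with an HMAC-SHA256 round function is assumed here only so
# the example runs on the standard library.  It is not the post's cipher.
ROUNDS = 4
MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF


def _round(f: bytes, i: int, half: int) -> int:
    """Round function: 32 bits of HMAC(F, round# || half)."""
    data = bytes([i]) + half.to_bytes(4, "big")
    return int.from_bytes(hmac.new(f, data, hashlib.sha256).digest()[:4], "big")


def E(q: int, f: bytes) -> int:
    """E[Q; F]: encrypt the 64-bit value Q under F (Q+1, Q+2 wrap mod 2^64)."""
    q &= MASK64
    left, right = q >> 32, q & MASK32
    for i in range(ROUNDS):
        left, right = right, left ^ _round(f, i, right)
    return (left << 32) | right


def D(c: int, f: bytes) -> int:
    """Inverse of E: the receiver needs this to learn Q from E[Q; F]."""
    left, right = c >> 32, c & MASK32
    for i in reversed(range(ROUNDS)):
        left, right = right ^ _round(f, i, left), left
    return (left << 32) | right


class Phone:
    """One handset.  A genuine Clipperphone holds F; a clone holds something else."""

    def __init__(self, name: str, f: bytes):
        self.name, self.f = name, f

    def open_challenge(self):
        """Initiator: pick a fresh Q and send E[Q; F]."""
        q = secrets.randbelow(2 ** 64)
        return q, E(q, self.f)

    def answer_challenge(self, c1: int) -> int:
        """Receiver: recover Q and reply with E[Q+1; F]."""
        return E(D(c1, self.f) + 1, self.f)

    def confirm_answer(self, q: int, c2: int) -> bool:
        """Initiator: the reply proves the receiver could decrypt, i.e. knows F."""
        return hmac.compare_digest(c2.to_bytes(8, "big"), E(q + 1, self.f).to_bytes(8, "big"))

    def close_challenge(self, q: int) -> int:
        """Initiator: E[Q+2; F] shows the first packet was not a random block."""
        return E(q + 2, self.f)

    def check_close(self, c1: int, c3: int) -> bool:
        """Receiver: verify E[Q+2; F] against the Q it decrypted earlier."""
        q = D(c1, self.f)
        return hmac.compare_digest(c3.to_bytes(8, "big"), E(q + 2, self.f).to_bytes(8, "big"))


def handshake(a: Phone, b: Phone) -> bool:
    """The post's exchange, run once in each direction with a fresh Q each
    time.  Returns True only if both sides convince each other they know F."""
    for initiator, responder in ((a, b), (b, a)):
        q, c1 = initiator.open_challenge()
        c2 = responder.answer_challenge(c1)
        if not initiator.confirm_answer(q, c2):
            return False
        c3 = initiator.close_challenge(q)
        if not responder.check_close(c1, c3):
            return False
    return True


# Constructed sample family key for the demonstration (not a real Skipjack key).
FAMILY_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")

if __name__ == "__main__":
    genuine_a, genuine_b = Phone("A", FAMILY_KEY), Phone("B", FAMILY_KEY)
    clone = Phone("clone", b"guessed-family-key")
    print("genuine <-> genuine:", handshake(genuine_a, genuine_b))  # True
    print("genuine <-> clone  :", handshake(genuine_a, clone))      # False
```

Run as a script it prints True for two genuine phones and False for a clone. The second direction is not decoration: a unit that only recorded one genuine exchange holds E[Q;F] and E[Q+2;F] for that Q and could replay them as initiator, which is exactly the library attack the post worries about; the run in which the genuine phone picks its own fresh Q is what it cannot answer.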

Newsgroup: sci.crypt
document_id: 15941
From: steve-b@access.digex.com (Steve Brinich)
Subject: How To Escrow, If Escrowing Were OK

  There is a description of something called a "fair crypto system" in the
May 1993 issue of BYTE, p. 134, attributed to MIT professor Silvio Micali.

  The way it works is as follows:

  You generate your private key S, and break it up into pieces s1, s2, s3,
s4, and s5, such that (s1 + s2 + ... + s5) mod p = S.
  You give each piece s1, s2, etc. to a different escrow agency.
  The agencies each compute g^sn mod p, and forward the result to the public
key telephone book keeper.
  The public key telephone book keeper multiplies all the g^sn mod p, reduces
the result to mod p, and this will be the user's public key.

  Now, if there were several hundred recognized escrow agencies, and the user
could give a piece of the key to each of the ones he trusted, the result would
be something of an improvement over the proposed Clipper system.

  I still don't think key escrow is a good idea, for both philosophical and
security reasons, but I do offer this suggestion simply to determine whether
escrow advocates are at all interested in considering alternatives in good
faith, or whether the goal is to insure the use of only two agencies selected
for spinelessness in the face of official requests.
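
The escrow split sketched above, worked through as an added example (my code, not Micali's paper and not BYTE's). The group parameters P and G, the agency count and all function names are assumed for the demonstration. One caveat a practitioner needs: for the keeper's product of the g^sn to equal g^S, the pieces must add up to S modulo the group order p-1, not modulo p as the sketch says, because g^(p-1) = 1 (mod p); the code therefore does the share arithmetic mod p-1. The sketch also says nothing about how anyone verifies that the agencies' reports all belong to the same S, and this example does not add that.

```python
import secrets

# Group parameters assumed for this example (the BYTE sketch names none):
# P is the Mersenne prime 2^61 - 1 and G an element of the multiplicative
# group mod P.  Share arithmetic is done modulo P - 1, the group order,
# because G^(P-1) = 1 (mod P); that is what makes the product of the G^si
# come out to G^S even when the pieces wrap around.
P = 2 ** 61 - 1
G = 3
ORDER = P - 1


def split_private_key(s: int, n: int) -> list:
    """Break S into n additive pieces s1..sn with s1 + ... + sn = S (mod P-1).
    Every piece but the last is uniformly random, so any n-1 of them together
    are uniformly distributed and reveal nothing about S."""
    pieces = [secrets.randbelow(ORDER) for _ in range(n - 1)]
    pieces.append((s - sum(pieces)) % ORDER)
    return pieces


def escrow_agency_report(piece: int) -> int:
    """Each agency forwards G^si mod P to the telephone-book keeper, never si."""
    return pow(G, piece, P)


def telephone_book_public_key(reports: list) -> int:
    """The keeper multiplies the agencies' reports mod P; the result is G^S mod P."""
    y = 1
    for r in reports:
        y = (y * r) % P
    return y


def reassemble_private_key(pieces: list) -> int:
    """What the agencies can do together (and only all together): rebuild S."""
    return sum(pieces) % ORDER


def demo(n_agencies: int = 5):
    """Run the whole flow for a fresh key; return (S, public key, pieces)."""
    s = secrets.randbelow(ORDER)
    pieces = split_private_key(s, n_agencies)
    reports = [escrow_agency_report(p) for p in pieces]
    y = telephone_book_public_key(reports)
    assert y == pow(G, s, P)  # the keeper ends up with the user's real public key
    return s, y, pieces


if __name__ == "__main__":
    s, y, pieces = demo()
    print("public key G^S mod P =", y)
    print("all 5 pieces rebuild S:", reassemble_private_key(pieces) == s)
```

The product check is the only thing the keeper can do with what it receives: it never sees a piece, and an agency never sees S. Leaving one agency out of the product gives G^(S - si), which is a valid-looking public key for the wrong secret, so the keeper has no way to tell from the reports alone that a piece is missing or wrong.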



Newsgroup: sci.crypt
document_id: 15942
From: steve-b@access.digex.com (Steve Brinich)
Subject: Re: Clipper considered harmful [Restated and amplified]

 > If the crooks use an innocent person's clipper phone on the tapped line
 >there's no problem. The Feds don't care whose phone instrument is used, just
 >that the conversation is by the suspect on the tapped line. They get the
 >serial number, get the keys, and they are in business.

  So, you admit that Clipper opens the doors wide for the following scenario:

  FEDS: We need the keys to Joe Blow's phone.

  ESCROW AGENT: Joe Blow?  You have a warrant to tap his line?

  FEDS: Well, no, but we have a warrant to tap Carlos "Slime-Devil" Gonzales'
     line, and our tap shows that Mr. Gonzales is using Mr. Blow's phone.

  ESCROW AGENT: Well, OK....






Newsgroup: sci.crypt
document_id: 15943
From: steve-b@access.digex.com (Steve Brinich)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

 > Though I think this an overstatement, it does contain a grain of truth. It's
 >drug dealers, spies, terrorists, and organized crime figures (assuming
 >enough probable cause to convince a judge) who need to be watched, not
 >law-abiding citizens.

  Don't tell me; tell the Feds.  They, not I, need to get a clue about this.




Newsgroup: sci.crypt
document_id: 15944
From: bzs@world.std.com (Barry Shein)
Subject: Re: Clipper considered harmful [Restated and amplified]


>If the crooks use an innocent person's clipper phone on the tapped line
>there's no problem. The Feds don't care whose phone instrument is used, just
>that the conversation is by the suspect on the tapped line. They get the
>serial number, get the keys, and they are in business.
>
>No clipper chip to person association is ever needed.

Yeah, but who wants to start a pool on the first person who is arrested
mistakenly and has their life turned upside-down because some law
enforcement agency *does* make a chip::person association?

I wonder if there are any plans to keep these records (e.g. encode the
serial number into the UPC scanned at K-Mart along with the credit
card info, voila.)

At least your phone number tends to only locate to your house or
whatever (i.e. to be coming from your telephone number the person
likely is in your house etc.), plus or minus some shenanigans of
course.

But I'd hate to think of these guys getting the clipper id, recording
the conversation, then doing a quick cross-lookup and your name comes
up as owner of that id (mistakenly, maybe you sold the phone at a
garage sale or the phone was stolen from your car or whatever.) They
might only know who one side of the conversation is, for example.

Anyone who thinks the govt is forbidden by law to cross-correlate such
databases loses two points. First, law enforcement agencies can of
course do this. Second, they're only forbidden from BUDGETING any
money for it. The IRS, for example, does do this anyhow. They just
don't spend any money on it so it's (technically) legal I guess.

Instead they probably trade little favors with companies like
mastercard (if you're the IRS I'll bet you have a *lot* of
opportunities to trade favors with major corps for their databases.)

I know, an IRS guy read an amazing list off to me (from his screen, I
could hear him typing to pull up each screen) once on the phone during
a dispute I had with them (to intimidate me, actually, not much of a
dispute, I didn't particularly disagree, but for some reason this
fellow wanted to play tough guy with me, I hope he's better now.)

Amazing stuff he had at his fingertips. Be afraid.

-- 
        -Barry Shein

Software Tool & Die    | bzs@world.std.com          | uunet!world!bzs
Purveyors to the Trade | Voice: 617-739-0202        | Login: 617-739-WRLD

Newsgroup: sci.crypt
document_id: 15945
From: "Jon C. R. Bennett" <jb7m+@andrew.cmu.edu>
Subject: Re: Clipper considered harmful [Restated and amplified]



strnlght@netcom.com (David Sternlight) writes:
> If the crooks use an innocent person's clipper phone on the tapped line
> there's no problem. The Feds don't care whose phone instrument is used, just
> that the conversation is by the suspect on the tapped line. They get the
> serial number, get the keys, and they are in business.
> 
> No clipper chip to person association is ever needed.

cellular phones...........


jon

Newsgroup: sci.crypt
document_id: 15946
From: caronni@nessie.cs.id.ethz.ch (Germano Caronni)
Subject: Re: Once they get your keys....

In article <tcmayC5z3yE.F38@netcom.com> tcmay@netcom.com (Timothy C. May) writes:
>It is unclear whether obtaining the key at time 0 also unlocks
>messages recorded (by whomever) at earlier times. The announcement was
>silent on this. The betting seems to be that once your key has been
>obtained (by the authorities, by divorce lawyers, by the Mafia, by the
>FBI, by lost or stolen backup tapes, by the NSA, etc.). all previous
>conversations are unsecure. (Session keys are negotiated, but knowing
>the private key is believed by many commentators here to break the
>security. No doubt more details will emerge.)

It is completely clear. You have to assume that each byte that was encrypted
by this 'Clipper Chip' has been compromised. 
Some people wondered, why Denning, Hellman and others did not respond,
when asked what would be done about such compromised phones, or if
compromise could not be restricted in time. (I did too) Let us just assume
that a) They do not know and b) Those who know don't tell and c)
They do not care. It seems to be an 'Other Person's Problem' ...

 gec
-- 
Instruments register only through things they're designed to register.
Space still contains infinite unknowns.
                                                              PGP-Key-ID:341027
Germano Caronni caronni@nessie.cs.id.ethz.ch   FD560CCF586F3DA747EA3C94DD01720F

Newsgroup: sci.crypt
document_id: 15947
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: Re: Do we need the clipper for cheap security?

pdc@dcs.ed.ac.uk (Paul Crowley) writes:
>How fast do the fastest modems go?

The Shannon limit for voice lines is likely somewhere around 25kbps.
We are rapidly approaching it. The fastest affordable full-duplex
modems currently on the market are V32bis, which is 14400bps.

>How far can voice be compressed?

CELP manages to sound decent at 4800 bps.

In theory, if you built a speech recognition system that turned voice
into ASCII, and a perfect synthesis system on the other end that
sounded just like the person you were speaking to, you could get it
down to the information content of the speech.

With various kinds of LPC, you can get it down to 2400 bps or perhaps
even less, at which point it sounds horrible.

4800 bps is more than adequate for our purposes.

--
Perry Metzger		pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
document_id: 15948
From: johnf@uhheph.phys.hawaii.edu (John Flanagan)
Subject: Re: The [secret] source of that announcement

In article <C5x2xs.EF0@lerami.lerctr.org> merlin@lerami.lerctr.org
(David Hayes) writes:
>
>This company routinely sent most of the manufacturing data to the field 
>offices. The Japanese had simply intercepted it. So my friend, the computer
>systems admin, came up with a solution. He started sending the data out
>double-block-encrypted with DES. 
>
>Two days after this new distribution plan was implemented, the president of
>the company got a visit from a pair of government agents. They told him to
>"knock it off". The president gave in, since his company did a considerable
>business with the federal government.
>
>Now, if the government wasn't monitoring the communications, how would they
>even know that the encryption system was installed?

How can you be sure the two visitors were really government agents?
:-)

--John
-- 
John Flanagan                          ||"I believe in my theories,    
johnf@uhheph.phys.hawaii.edu           || they give me a feeling of    
U. of Hawaii, Dept. of Physics & Astro.|| security, and, they inflate  
2505 Correa Rd., Honolulu, HI 96822    || my ego enormously." --A. Abian

Newsgroup: sci.crypt
document_id: 15949
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: Re: Tempest

whughes@lonestar.utsa.edu (William W. Hughes) writes:
>Hell, just set up a spark jammer, or some other _very_ electrically-noisy
>device.

As I've noted, you can likely get around that with a directional
sensor. Phased array systems could completely defeat this scheme.

--
Perry Metzger		pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
document_id: 15950
From: feeley@cattell.psych.upenn.edu (Wm. Michael Feeley)
Subject: Clipper and conference calls

Just curious, how would the Clipper Chip system handle
conference calls?




Newsgroup: sci.crypt
document_id: 15951
From: kingj@hpcc01.corp.hp.com (John C. King)
Subject: Wanted: Riverbank Pub. No. 16

I'm looking for a copy of Friedman's Riverbank Publication No. 16 "Methods
for the Solution of Running-Key Ciphers."  Agean Park Press tells me that their
publication C-23 "The Riverbank Publications, Volume 1" is out of print.  Can
anyone snail-mail me a photocopy of No. 16?  If someone could it would be much
appreciated.

Regards,

John King
kingj@corp.hp.com

Newsgroup: sci.crypt
document_id: 15952
From: warlord@MIT.EDU (Derek Atkins)
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks only

In article <strnlghtC5t4D6.Jn8@netcom.com> strnlght@netcom.com (David Sternlight) writes:

   Some countries have laws about importing crypto gear--I believe the U.S.
   does. Without a license the above scheme won't work (at least not legally)
   in such countries, including at least France and the U.S.

   David

BZZT!

Wrong.  The US does NOT have crypto import laws.

-derek
--
  Derek Atkins, MIT '93, Electrical Engineering and Computer Science
     Secretary, MIT Student Information Processing Board (SIPB)
           MIT Media Laboratory, Speech Research Group
           warlord@MIT.EDU       PP-ASEL        N1NWH

Newsgroup: sci.crypt
document_id: 15953
From: whughes@lonestar.utsa.edu (William W. Hughes)
Subject: Re: Tempest

In article <1993Apr24.233742.26839@lehman.com> pmetzger@snark.shearson.com (Perry E. Metzger) writes:
>whughes@lonestar.utsa.edu (William W. Hughes) writes:
>>Hell, just set up a spark jammer, or some other _very_ electrically-noisy
>>device.
>
>As I've noted, you can likely get around that with a directional
>sensor. Phased array systems could completely defeat this scheme.

True, but the basic idea behind any communications security system is not
to absolutely deny access, but to make access more expensive (in time,
money, manpower) than it is worth.

-- 
                            REMEMBER WACO!
     Who will the government decide to murder next? Maybe you?
[Opinions are mine; I don't care if you blame the University or the State.]

Newsgroup: sci.crypt
document_id: 15954
From: mbeckman@mbeckman.mbeckman.com (Mel Beckman)
Subject: Re: Once tapped, your code is no good any more.


In article <strnlghtC5wHo2.1FK@netcom.com> (sci.crypt,alt.security,comp.org.ieee), strnlght@netcom.com (David Sternlight) writes:
> Maybe so, but it's quite common. There are millions of Macintosh users who
> have no idea what's in Apple's patented ROMs. Many have modems connected.
> How do you know all your business secrets aren't being stolen? Answer:
> 1. Because you trust Apple;
> 2. Because if any such attempt, however sophisticated, came out, it would
> destroy Apple's credibility forever.
> 

David,

   Neither (1) nor (2) applies with the government, though. The feds, unlike
Apple, have repeatedly demonstrated that trust is an unsafe thread on which
to hang your freedom. Why?  Because unlike Apple in (2), the govt has no
credibility to lose. I'm serious about this. One can name just about any
agency -- the IRS, RTC, FCC, FAA, FBI, NSA, CIA -- and find numerous examples
of the public trust run roughshod over. Worse, one can rarely find in such 
examples any serious consequences to the offending agency. Even supposing
we could get a rein on trust somehow, there's always the matter of competence
in govt agencies. Can they even trust themselves?

  -mel

  P.S. I was amused when you mentioned the USDA as an example of an agency
capable of managing an escrow. I'm a consultant to the USDA, and while those
*I* work with are wonderful <grin>, the agency itself is ranked in industry
publications such as Govt Computer News as one of the worst caretakers of
its computer resources. Recently, Prime Time Live did a long segment on
the USDA's computer troubles. They are making a concerted effort to change,
but intentions don't make a track record.

________________________________________________________________________
| Mel beckman                  |   Internet: mbeckman@mbeckman.com     |
| Beckman Software Engineering | Compuserve: 75226,2257                |
| Ventura, CA 93003            |  Voice/fax: 805/647-1641 805/647-3125 |
|______________________________|_______________________________________|
 "You can observe a lot just by watching."  -Yogi Berra

Newsgroup: sci.crypt
document_id: 15955
From: jhesse@netcom.com (John Hesse)
Subject: Re: Fighting the Clipper Initiative

In article <strnlghtC5toC6.KIu@netcom.com> strnlght@netcom.com (David Sternlight) writes:
>>
>
>er, excuse me but since the escrow agencies aren't yet chosen, how can you
>say they have a "history of untrustworthy behavoir[sic]"?
>
>I'm sure each of us can think of agencies without such a history. Price
>Waterhouse has kept the secret of the Academy Awards for many years, even in
>

Damn, you're dead right! That pretty much settles it. Not to worry.

-- 
------------------------------------------------------------------------------
John Hesse           |          A man,     
jhesse@netcom.com    |                 a plan, 
Moss Beach, Calif    |                         a canal, Bob.
------------------------------------------------------------------------------

Newsgroup: sci.crypt
document_id: 15956
From: rogue@ccs.northeastern.edu (Free Radical)
Subject: Re: Clipper considered harmful [Restated and amplified]

In article <1rcboi$j4a@access.digex.net> steve-b@access.digex.com
(Steve Brinich) writes: 
[...]
>  FEDS: We need the keys to Joe Blow's phone.
>
>  ESCROW AGENT: Joe Blow?  You have a warrant to tap his line?
>
>  FEDS: Well, no, but we have a warrant to tap Carlos "Slime-Devil" Gonzales'
>     line, and our tap shows that Mr. Gonzales is using Mr. Blow's phone.
>
>  ESCROW AGENT: Well, OK....

No no no no no no no.

It will go like this:

FEDS: We need the key to phone 334RE67D99.

ESCROW: You have a warrant to tap the line phone 334RE67D99 is on?

FEDS: Yes.

ESCROW: Fine, here is our key.

What happens is, Feds tap a line; find Clipper is being used; extract
serial number; get key; decipher convo.  The serial number is never
registered to a specific owner, it is _sent_ as part of the
conversation.  If I give you my Clipper phone, you do not need to
re-register it (mainly because it was never 'registered' to me in the
first place).

There are a lot of things that bother me about Clipper, but this is
not one of them.  Let's get our facts straight and not waste effort
demolishing straw men.

	RA

rogue@cs.neu.edu (Rogue Agent/SoD!)
-----------------------------------
The NSA is now funding research not only in cryptography, but in all areas
of advanced mathematics. If you'd like a circular describing these new
research opportunities, just pick up your phone, call your mother, and
ask for one.

Newsgroup: sci.crypt
document_id: 15957
From: smb@research.att.com (Steven Bellovin)
Subject: Re: Clipper considered harmful

In article <WCS.93Apr21204048@rainier.ATT.COM>, wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705) writes:
> On the other hand, I can easily see them recording the traffic for
> "interesting" people, such as dissidents, suspected criminals,
> foreign telephone calls, and anybody noticed using encryption.
> As Ken Shiriff speculates, recording encrypted traffic will probably
> be judged not to be an invasion of privacy pretty soon ....

As I read the current wiretap law, it would not be legal now.  On the
other hand, assuming a legislative change, recording but not decrypting
Clipper conversations would probably be found constitutional by the Supreme
Court, using the same reasoning (or the lack thereof...) by which they
permit random roadblocks to check for drunk drivers.

Incidentally, if we use that as our model, the Court will likely not
uphold selective recording.  (On the other hand, I don't think they've
thrown out ``drug courier profiles'' yet.  Must be that exception to
the Fourth Amendment that I can never find in my copy of the Bill of
Rights.)

A lot -- and I mean a *lot* -- will depend on exactly how Clippertaps
(or Tipperclaps, for encrypted music?) are used.  Don Alvarez showed in
the latest RISKS digest that it's possible to prevent the cops from
reading traffic after their warrant expires.

That is -- the cops send the LEF to the F-holder.  The F-holder strips
off F, and sends U[K],N to the escrow agents.  They send either U or K
to the cops.  (Don says U, I say K.)  The cops can't use U in the
future, because they can't strip off F.  The F-holder never sees U.  In
Don's model, the escrow agents can't read the traffic, because they
don't have K; in my model, they have K, but not the message itself.
And I trust that more because I think the cops and the FBI (the
F-holder) are more likely to collaborate on breaking the rules.  The
net result is that by involving the F-holder and the escrow agents on
every tap, we can avoid extending permission to tap.
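
Bellovin's K-variant of the flow above, modelled as an added example (my code, not from the post, from RISKS or from any Clipper chip). The LEF is F[U[K], N] as the post writes it; the cipher is a SHA-256 keystream standing in for Skipjack; the serial number, key values and class names are constructed for the demonstration; the real LEAF format and the warrant paperwork are not modelled. It shows the three properties the post relies on: the F-holder's output carries U[K] and N but not K, the escrow agents hand back K for one call only, and the cops cannot reuse that K, or the LEF of a later call, once the round trip stops.

```python
import hashlib
import secrets

# Toy cipher assumed for this example: XOR with a SHA-256 keystream under a
# fresh random nonce.  It stands in for Skipjack under F, U and K.  The LEF
# layout F[U[K], N] follows the post; nothing else of the LEAF is modelled.
NONCE_LEN = 16


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for blk in range((len(data) + 31) // 32):
        ks = hashlib.sha256(key + nonce + blk.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[blk * 32:(blk + 1) * 32], ks))
    return bytes(out)


def seal(key: bytes, data: bytes) -> bytes:
    """Encrypt data under key; the nonce travels in front of the ciphertext."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + _xor_stream(key, nonce, data)


def unseal(key: bytes, blob: bytes) -> bytes:
    """Decrypt a blob produced by seal.  A wrong key yields noise, not an error."""
    return _xor_stream(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


class Clipperphone:
    """Holds its serial number N and unit key U; F is burned into every chip."""

    def __init__(self, serial: int, unit_key: bytes, family_key: bytes):
        self.serial, self.unit_key, self.family_key = serial, unit_key, family_key

    def start_call(self, plaintext: bytes):
        """Fresh session key K per call; emits LEF = F[U[K], N] and traffic K[msg]."""
        k = secrets.token_bytes(16)
        lef = seal(self.family_key, seal(self.unit_key, k) + self.serial.to_bytes(4, "big"))
        return lef, seal(k, plaintext)


class FHolder:
    """The party the post calls the F-holder (the FBI in its model): strips F only."""

    def __init__(self, family_key: bytes):
        self.family_key = family_key

    def strip_family_key(self, lef: bytes):
        inner = unseal(self.family_key, lef)
        return inner[:-4], int.from_bytes(inner[-4:], "big")  # (U[K], N); K stays hidden


class EscrowAgents:
    """Hold U per serial number; in the post's 'K' variant they return the session key."""

    def __init__(self, unit_keys: dict):
        self.unit_keys = unit_keys

    def release_session_key(self, wrapped_k: bytes, serial: int) -> bytes:
        return unseal(self.unit_keys[serial], wrapped_k)


def lawful_intercept(lef: bytes, traffic: bytes, fholder: FHolder, escrow: EscrowAgents) -> bytes:
    """One tap of one call: LEF -> F-holder -> escrow agents -> K -> plaintext.
    Every call needs this round trip again, since the cops never hold F or U."""
    wrapped_k, serial = fholder.strip_family_key(lef)
    k = escrow.release_session_key(wrapped_k, serial)
    return unseal(k, traffic)


# Constructed sample keys for the demonstration (not real chip values).
FAMILY_KEY = bytes.fromhex("deadbeefcafebabe0123456789abcdef")
UNIT_KEYS = {0x1234: bytes.fromhex("00112233445566778899aabbccddeeff")}

if __name__ == "__main__":
    phone = Clipperphone(0x1234, UNIT_KEYS[0x1234], FAMILY_KEY)
    fholder, escrow = FHolder(FAMILY_KEY), EscrowAgents(UNIT_KEYS)
    lef1, traffic1 = phone.start_call(b"first call")
    print(lawful_intercept(lef1, traffic1, fholder, escrow))  # b'first call'
    k1 = escrow.release_session_key(*fholder.strip_family_key(lef1))
    lef2, traffic2 = phone.start_call(b"second call")
    print(unseal(k1, traffic2) == b"second call")  # False: K1 does not open call 2
```

The split of roles is the point: the F-holder can turn a LEF into (U[K], N) but cannot read traffic, the escrow agents can turn U[K] into K but never see the traffic, and the cops hold only the K they were given. Whether the escrow agents return K (this model) or U (Alvarez's) decides who can read the call; with U the cops could open every later LEF of that phone once the F-holder has stripped it, which is why the post prefers K.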

Newsgroup: sci.crypt
document_id: 15958
From: mbeckman@mbeckman.mbeckman.com (Mel Beckman)
Subject: Re: Suggestions for escrow agencies (was: Re: More technical details)


In article <strnlghtC5yBKA.Dp5@netcom.com> (sci.crypt,alt.privacy.clipper), strnlght@netcom.com (David Sternlight) writes:
> The easiest way is a user fee for each clipper chip manufactured. This makes
> the funding separate from government.
> 
> It also has the neat side property that if the chip doesn't catch on, the
> scheme breaks down, and the government is back to the drawing boards,
> assuming that they haven't prohibited alternatives in the meantime.
> 
> In fact, maybe this should be part of the "official" system. Before the
> government is allowed to move this past the "experimental" stage, they
> should have to demonstrate economic viability by mass adoption. 

David,

  While I disagree strongly with you on the issue of our trusting the government,
I think you have a good idea here. There is danger that, with funding coming
from asset forfeitures, the government could continue to promulgate a bad
product in spite of poor acceptance. Making the product pay its way (as
it must for private ventures) would be a good incentive for quality and
listening to we, the ranters. :)

  -mel

________________________________________________________________________
| Mel beckman                  |   Internet: mbeckman@mbeckman.com     |
| Beckman Software Engineering | Compuserve: 75226,2257                |
| Ventura, CA 93003            |  Voice/fax: 805/647-1641 805/647-3125 |
|______________________________|_______________________________________|
 "You can observe a lot just by watching."  -Yogi Berra

Newsgroup: sci.crypt
document_id: 15959
From: mbeckman@mbeckman.mbeckman.com (Mel Beckman)
Subject: Re: Wiretapping reality today


In article <strnlghtC5z0KA.B9u@netcom.com> (sci.crypt), strnlght@netcom.com (David Sternlight) writes:
> You should read the history. It was Hoover who stopped Nixon's COINTELPRO
> dead in its tracks because he said it was unconstitutional. They tried to
> get around him every way they could.
> 

Unfortunately, Hoover thought himself above the constitution, whatever he
considered the limits others should obey. He ruthlessly invaded the privacy
of many private and public citizens. 

  -mel

________________________________________________________________________
| Mel beckman                  |   Internet: mbeckman@mbeckman.com     |
| Beckman Software Engineering | Compuserve: 75226,2257                |
| Ventura, CA 93003            |  Voice/fax: 805/647-1641 805/647-3125 |
|______________________________|_______________________________________|
 "You can observe a lot just by watching."  -Yogi Berra

Newsgroup: sci.crypt
document_id: 15960
From: holland@CS.ColoState.EDU (douglas craig holland)
Subject: Re: Tempest

In article <1993Apr25.024032.26935@ringer.cs.utsa.edu> whughes@lonestar.utsa.edu (William W. Hughes) writes:
>In article <1993Apr24.233742.26839@lehman.com> pmetzger@snark.shearson.com (Perry E. Metzger) writes:
>>whughes@lonestar.utsa.edu (William W. Hughes) writes:
>>>Hell, just set up a spark jammer, or some other _very_ electrically-noisy
>>>device.
>>
>>As I've noted, you can likely get around that with a directional
>>sensor. Phased array systems could completely defeat this scheme.
>
>True, but the basic idea behind any communications security system is not
>to absolutely deny access, but to make access more expensive (in time,
>money, manpower) than it is worth.
>
Another idea: Use a laptop computer.  As mentioned earlier, the LCD screen
is a lot less noisy than a standard CRT, but since many laptops have power
supplies that run at 3 volts instead of 5, they would be considerably 
quieter.

Doug Holland


-- 
|  Doug Holland                | Anyone who tries to take away my freedom  |
|  holland@cs.colostate.edu    | of speech will have to pry it from my     |
|  PGP key available by E-mail | cold, dead lips!!                         |

Newsgroup: sci.crypt
document_id: 15961
From: mg@hart (Michael Golan)
Subject: Re: clipper serial numbers need 2nd court order?

strnlght@netcom.com (David Sternlight) writes:
>Two safeguards:

>1. The FBI could be asked to produce the law enforcement block to the escrow
>agencies, and associate it with a particular court order;

Exactly what would that show?!  The "law enforcement block" is easy to
create, given the Government key and any serial number. 

>2. If the thing comes to trial the defense attorneys can probe this issue
>closely. It is not too different from proving that the speaker on a legal
>wiretap is the person the court order covered.

*IF* it comes to trial about the wiretap.... ya, some safeguard that is.
What if they just harass people as a result, or learn things they shouldn't
have learned, etc? 

>Putting it another way, this question is not very different from the
>pre-clipper question "What's to prevent the FBI from getting a court order
>to tap Al Capone and then using it to tap Jonathan Livingstone Seagull
>instead?"

The whole point of the Escrow system is to prevent the FBI from making 
illegal wiretaps. Why not have the FBI hold the
keys and that's it? Why do we need the escrow system at all?

Unless a 3rd party (a judge) verifies that the requested serial number
is "right", and the FBI can get any key they like at anytime, the escrow
system is useless.

-- Michael Golan
   mg@cs.princeon.edu



Newsgroup: sci.crypt
document_id: 15962
From: rdippold@qualcomm.com (Ron "Asbestos" Dippold)
Subject: Re: Once they get your keys....

strnlght@netcom.com (David Sternlight) writes:
>The proposal could be modified so that if they get a court order to tap you
>and don't charge you with a crime within, say, 90 days, they have to buy you
>a new phone.
>If they do charge you, and you are found innocent, they have to buy you a
>new phone.
>:-)

Yeah, right, and if the ATF trashes your place on a bad tip they have
to pay to repair it, sure.  And if your computer equipment is
confiscated in a raid they have to charge you with a crime within,
say, 90 days.  You're stretching the naivete bit on this one.
-- 
Love:  two minds without a single thought. -- Philip Barry

Newsgroup: sci.crypt
document_id: 15963
From: zrepachol@cc.curtin.edu.au (Paul Repacholi)
Subject: Re: I have seen the lobby, and it is us

In article <1993Apr22.194121.25386@nynexst.com>, rsilvers@nynexst.com (Robert Silvers) writes:
...
> 	Send something to Rush Linbaugh about Clinton taking away our right
> to privacy and how if the govt. standard takes off, only people with lots
> of money (drug dealers) will be able to justify DES stuff.  He will slam
> Clinton for this on the air.

Well, let's, for a hypothetical, put ourselves in the place of the US end
of the drug rings. What do we do about the Cripple chip? First off, we
would express disapproval to our congress critters, and remind them of the
large sums of money our legitimate co.s provide to their campaign coffers. We
would also let them know via the 'other' channels that a) their income is about
to take a hit, and b) their health may not be too good either.

But just in case, the next obvious step to take is to BUY Mycotoxic and VLSI!
Yeah, free enterprise at work. :-) Now they have the Cripple in their pockets,
literally as well as figuratively. Tough about the masses though.

~Paul


Newsgroup: sci.crypt
document_id: 15964
From: jhupp@shockwave.win.net (Jeff Hupp)
Subject: PGP Where to get it?

        I am both new to this news group and to the net.
        
        I am fascinated by the things I have heard about the PGP
encryption program.  Does anybody out there know where I might get a
version of this program that runs under Windows 3.1, MS-Dos, Unix
w/source?  As of this writing I have no UNIX access and am running on a
nifty windows implementation of uucico.
        Thanks in advance!
 

_____________________________________________________________________
\Jeff Hupp                      |Internet: jhupp@shockwave.win.net   \
|9797 Medowglen, Apt. 1807      |Ad:    Contract Programming, Novell |
|Houston, Texas  77042          |       Network Design and Support.  |
|Voice: (713) 780 - 9419        |"The best government doesn't" -- me.|
\_____________________________________________________________________\ 

Newsgroup: sci.crypt
document_id: 15965
From: jhart@agora.rain.com (Jim Hart)
Subject: Dorothy Denning opposes Clipper, Capstone wiretap chips

"The security of the system should depend only on the secrecy of
the keys and not on the secrecy of the algorithms" -- Dorothy Denning

jhart@agora.rain.com

Newsgroup: sci.crypt
document_id: 15966
From: smb@research.att.com (Steven Bellovin)
Subject: Re: Clipper and conference calls

In article <122723@netnews.upenn.edu>, feeley@cattell.psych.upenn.edu (Wm. Michael Feeley) writes:
> Just curious, how would the Clipper Chip system handle
> conference calls?

It's not Clipper, it's any encryption system.  I've seen a number of
designs; they generally involve a multi-line cleartext bridge.

Newsgroup: sci.crypt
document_id: 15967
Subject: Re: Tempest
From: pgut1@cs.aukuni.ac.nz (Peter Gutmann)

In <1993Apr22.132638.19448@ringer.cs.utsa.edu> whughes@lonestar.utsa.edu (William W. Hughes) writes:

>Hell, just set up a spark jammer, or some other _very_ electrically-noisy
>device. Or build an active Faraday cage around the room, with a "noise"
>signal piped into it. While these measures will not totally mask the
>emissions of your equipment, they will provide sufficient interference to
>make remote monitoring a chancy proposition, at best. There is, of course,
>the consideration that these measures may (and almost certainly will)
>cause a certain amount of interference in your own systems. It's a matter
>of balancing security versus convenience.

The problem is that this will also cause "a certain amount of interference"
in *all* systems within the range of the device.  A long time ago I built a
small jammer to dissuade my brother from using his radio alarm clock at 
something like 4am, which had just enough range to cover my room and his.
However something powerful enough to mask all (or at least most) emissions from
your computer equipment is also going to knock out half your neighbourhood's
radio and TV reception.  This isn't going to make you many friends.

Incidentally, an older-model TRS80 makes a fine wideband jammer <grin>

Peter.
--
 pgut1@cs.aukuni.ac.nz||p_gutmann@cs.aukuni.ac.nz||gutmann_p@kosmos.wcc.govt.nz
peterg@kcbbs.gen.nz||peter@nacjack.gen.nz||peter@phlarnschlorpht.nacjack.gen.nz
             (In order of preference - one of 'em's bound to work)
            -- Everything was so different before it all changed --

Newsgroup: sci.crypt
document_id: 15968
Subject: Re: Crypto papers on the net.
From: pgut1@cs.aukuni.ac.nz (Peter Gutmann)

In <16BB91429.C445585@mizzou1.missouri.edu> C445585@mizzou1.missouri.edu (John Kelsey) writes:

>   I've recently been reading a paper of Merkle's (published only on the
>net, I think) discussing three potential replacements for DES.  Was
>anything ever done with these?  Are Khufu, Khafre, and/or Snefru still
>being discussed anywhere?  (I know Snefru is referenced in the RSA
>FAQ, and I think it may also be in the sci.crypt FAQ.)

The paper was distributed (against the wishes of the NSA - I have a copy
with a few 'illicit distribution' footnotes scribbled on it :-), and eventually
published at one of the crypto conferences.  Things were looking good.

Then Xerox patented the algorithms.  <Plonk!>

I don't know of anything which uses them.  Also, Khafre was broken at a
later conference and from work on a related algorithm I don't think the
existing Khufu would hold up too well against a converted differential
cryptanalysis attack, although it can probably be changed to resist this
type of attack....

Peter.

[In case you don't know what the <Plonk> is about, check _The New Hacker's
 Dictionary_.  It's the sound someone makes when they fall to the bottom
 of a killfile]


Newsgroup: sci.crypt
document_id: 15969
From: warlord@MIT.EDU (Derek Atkins)
Subject: Re: Clipper and conference calls

In article <1993Apr25.114820.14022@ulysses.att.com> smb@research.att.com (Steven Bellovin) writes:

   In article <122723@netnews.upenn.edu>, feeley@cattell.psych.upenn.edu (Wm. Michael Feeley) writes:
   > Just curious, how would the Clipper Chip system handle
   > conference calls?

   It's not Clipper, it's any encryption system.  I've seen a number of
   designs; they generally involve a multi-line cleartext bridge.

Depending on the encryption system, so long as everyone has the same
key, it can be done.  For example, I was using "vat", which is an
Internet Audio tool, for a conference call, and we were encrypting the
session.  (Unfortunately, one site was doing more work, and didn't
have the CPU for it, so it didn't sound all that good at a different
site)

So, you don't necessarily have to have a clear-text bridge.  But if
you do, it's totally internal to one of the sites involved in the
conversation....

-derek


--
  Derek Atkins, MIT '93, Electrical Engineering and Computer Science
     Secretary, MIT Student Information Processing Board (SIPB)
           MIT Media Laboratory, Speech Research Group
           warlord@MIT.EDU       PP-ASEL        N1NWH

Newsgroup: sci.crypt
document_id: 15970
From: schneier@chinet.chi.il.us (Bruce Schneier)
Subject: Re: New Encryption Algorithm

In article <1raeir$be1@access.digex.net> steve-b@access.digex.com (Steve Brinich) writes:
> >  Well, actually, this one's easy. It's their job. The NSA is
> >supposed to develop cryptosystems. If the government chooses to go
> >ahead and sell those cryptosystems to the masses, so be it.
>
>  Ah, but developing cryptosystems which are specifically designed to
>protect the government's domestic spying capabilities takes them beyond
>that mandate, into the forbidden field of domestic wiretapping.
>

Unlike the CIA, the NSA has no prohibition against domestic spying.  Read
Bamford's THE PUZZLE PALACE.

Bruce

Newsgroup: sci.crypt
document_id: 15971
From: hal@cco.caltech.edu (Hal Finney)
Subject: Re: Let's build software cryptophones for over the internet...

gtoal@gtoal.com (Graham Toal) writes:

>I forwarded an old posting about CELP speech compression:
>[...]
>I've since been told that the source of this is on cygnus.com
>in /pub/celp.speech.tar.Z

>I'm not in a position to; any Sun tcp/ip gurus out there who think they
>can marry this with netfone by the end of the week? ;-)  Seriously.  I
>think someone with real net access and two sparcs could have this running
>by the end of the week.  Then we ask the pgp guys to add a bytestream
>crypto filter.  Two weeks at the most.  [Damn, I wish I had my sparc
>back... I'm stuck on a 25mhz 386sx]

I tried this code yesterday.  On my Sparcstation ELC it takes over
300 seconds to compress 22 seconds' worth of speech.  This means that it
needs to be "optimized" by over a factor of 10 before it will be usable
in even a half-duplex mode.

I question whether CELP is the best approach for this application.  It produces
great compression but at the expense of tremendous CPU loads.  We want
something that can be run on ordinary workstations or even high-end PC's
without DSP cards.  My guess is that some other algorithm is going to be
a better starting point.

Hal Finney

Newsgroup: sci.crypt
document_id: 15972
From: hal@cco.caltech.edu (Hal Finney)
Subject: Re: S1, S2

steve-b@access.digex.com (Steve Brinich) writes:

> > Second question: Why!?!? Why is such a strange procedure used, and not
> >a real RNG ? This turns those S1,S2 in a kind of bottleneck for system-
> >security.

>  The only theory that makes any sense is that S1 and S2 are either the
>same for all chips, or vary among very few possibilities, so that anyone
>trying to break the encryption by brute force need only plow through the
>possible serial numbers (2^30, about one billion), multiplied by the number
>of different S1, S2 combinations.

My interpretation of Denning's description is that S1 and S2 are chosen
randomly by agents of the key escrow companies at the start of each 300-
chip programming session.  I imagine that the chips are in a carrier which
will allow them all to be programmed fairly quickly - there would not be
a need to transfer chips one at a time into a little PLA programmer as some
people have envisioned.

My guess as to why this procedure is used is that basing the keys on the
S1 and S2 using a specified algorithm provides an (in-principle) checkable
way to verify that no back doors exist in the choice of the random numbers
used to generate the keys.  Since we have to trust the escrow companies
anyway, it does not weaken the system to have the keys be generated from
random seeds entered by the escrow agents.  And since the algorithm for
key-generation is public (modulo Skipjack secrecy) then in principle an
agent could challenge the procedure, ask for S1 and S2 to be exposed, and
run his own independent calculation of U1 and U2 to verify that that is
what is actually being put onto the floppies.

And yes, there are many ways in which failures to follow this scheme could
be hard to check.  The laptop probably will not really be destroyed each
time.  Hidden cameras in the ceiling could see the S1 and S2 entered by
the trusted escrow agents.  Back doors in the chip could allow U to be
recovered.  Heck, each chip could be recorded with the same U, ignoring
what was on the floppy.

Hal Finney

Newsgroup: sci.crypt
document_id: 15973
From: schneier@chinet.chi.il.us (Bruce Schneier)
Subject: Re: What would happen if export restrictions violated?

In article <Apr23.215306.83257@yuma.ACNS.ColoState.EDU> holland@CS.ColoState.EDU (douglas craig holland) writes:
>
>OK, I heard a lot of talk about the NSA's infamous control over encryption
>export through the ITAR.  Here's a question.  Say I develop this great new
>encryption system, and I want to sell my software worldwide.  The thought
>police then come in and say "This algorithm is a threat to national security.
>You will not be permitted to export it."  At this point, what kind of trouble
>could I get into if I ignored the ITAR and sold my program to international
>customers anyway?
>
>Doug Holland

You would be arrested as an international arms trafficker.

Bruce

Newsgroup: sci.crypt
document_id: 15974
From: mpcline@cats.ucsc.edu (The Hermit)
Subject: Re: I have seen the lobby, and it is us


In <Apr21.233200.70723@yuma.ACNS.ColoState.EDU> ns111310@LANCE.ColoState.Edu (Nathaniel Sammons) writes:

>In article <1993Apr21.163929.21149@eff.org> A. Charles Gross <acg@eff.org> writes:
>>Certainly, with our way-cool Internet powers of
>>organization, we can act in the same way, if such action is appropriate.
>>
>>As long as we are kept informed of events, anyone on this bboard can make
>>a call to action.  Hopefully, we're a strong enough community to act on
>>those calls.  I realize this is a little optimistic, and I'm glad EFF is
>>working in the loop on these issues, but don't underestimate the
>>potential of the net for political action.
>>
>>Adam
>>* I speak for myself

>I second the motion.

>All in favor?

Sounds great.  But how would something like this be done?  Start up a
news group for discussions of things like lobbying techniques and how to
get non-computer geeks as pissed-off as we are?
-- 
/-----------------------------------------------------------------------------\
|Matthew Cline        | Read in the "letters to the editor" column of "TIME"  |
|                     | in response to an article on teen suicide: "People    |
|mpcline@cats.ucsc.edu| should be aware of the dangers of killing themselves" |
\-----------------------------------------------------------------------------/

Newsgroup: sci.crypt
document_id: 15975
From: nagle@netcom.com (John Nagle)
Subject: Re: New Encryption Algorithm

artmel@well.sf.ca.us (Arthur Melnick) writes:
>     Ever since Craig Rowland posted his piece "New Encryption"
>to sci.crypt there has been some discussion of our company,
>Secured Communications Technologies, Inc, and on encryption
>algorithm, NEA.

       The classic comment on new encryption algorithms comes from
Friedman:

	"No new cypher is worth considering unless it comes 
	from someone who has already broken a very hard one."

Historically, Friedman has been right.  It's really hard to develop
a good cypher.  IBM's Lucifer, the precursor to DES, turns out to have
been fatally flawed.  Most of the DES-like systems other than DES seem
to be vulnerable to differential cryptanalysis.  The first two tries at
public key encryption (remember knapsack cyphers?) were broken.  Most
if not all of the machine cyphers of the electromechanical era were
broken eventually.  Attempts in the computer era to home-brew encryption
have been disappointing; the classic "A survey of data insecurity packages"
in Cryptologia contains analyses and breaking techniques for a few of the
popular "security packages" of the late 1980s.

        A new, proprietary algorithm?  No way.

        If the US is permitting general export of this thing, it has
to be weak; that's how the current regulations work.  Currently there's
a willingness to allow systems with short keys (32 bits appears to be
no problem; the 56 bits of DES are too many) or weak algorithms
(I think Word Perfect qualifies under that rule) to be exported.
I can't believe these guys shepherded their technique through the 
PTO and the State Department's Arms Control Division without finding that out.

					John Nagle

p.s. No, I'm not thrilled with Clipper either, but that's a different issue.

Newsgroup: sci.crypt
document_id: 15976
From: oml@eloka.demon.co.uk (Owen Lewis)
Subject: Re: Tempest 

In article <1993Apr25.024032.26935@ringer.cs.utsa.edu> whughes@lonestar.utsa.edu writes:

>In article <1993Apr24.233742.26839@lehman.com> pmetzger@snark.shearson.com


> ...the basic idea behind any communications security system is not
>to absolutely deny access, but to make access more expensive (in time,
>money, manpower) than it is worth.
>
True of all security systems, I think, and it is the fundamental measure to 
be used in establishing a requisite security level.

-- 

                               -= Owen Lewis =-
                                      @
      Tele/fax  +44-(0)794-301731   ELOKA   Consultancy & Project Management
                            oml@eloka.demon.co.uk
                        pgp 2.x public key on request

Newsgroup: sci.crypt
document_id: 15977
From: Graham Toal <gtoal@gtoal.com>
Subject: Re: Let's build software cryptophones for over the internet...

In article <1regq0INNn7u@gap.caltech.edu> hal@cco.caltech.edu (Hal Finney) writes:
:I tried this code yesterday.  On my Sparcstation ELC it takes over
:300 seconds to compress 22 seconds' worth of speech.  This means that it
:needs to be "optimized" by over a factor of 10 before it will be usable
:in even a half-duplex mode.

Ouch!  Thanks for trying it.

:I question whether CELP is the best approach for this application.  It produces
:great compression but at the expense of tremendous CPU loads.  We want
:something that can be run on ordinary workstations or even high-end PC's
:without DSP cards.  My guess is that some other algorithm is going to be
:a better starting point.

Yes.  I'm not sure if my xposting to comp.speech made it to here too, but
I've found that a low sample rate (3300 samples/sec at 8 bits per sample)
plus the pd 'shorten' lossless sound compression code actually does get
speech into 14.4K with a smidgen left over.  This is *definitely* worth
working on, folks.  And shorten works in well under real-time.

G

Newsgroup: sci.crypt
document_id: 15978
From: smk5@quads.uchicago.edu (Steve Kramarsky)
Subject: Re: Clipper considered harmful

In article <1993Apr23.183655.13710@ulysses.att.com> smb@research.att.com (Steven Bellovin) writes:
>
>That is -- the cops send the LEF to the F-holder.  The F-holder strips
>off F, and sends U[K],N to the escrow agents.  They send either U or K
>to the cops.  (Don says U, I say K.)  The cops can't use U in the
>future, because they can't strip off F.  The F-holder never sees U.  In
>Don's model, the escrow agents can't read the traffic, because they
>don't have K; in my model, they have K, but not the message itself.
>And I trust that more because I think the cops and the FBI (the
>F-holder) are more likely to collaborate on breaking the rules.  The
>net result is that by involving the F-holder and the escrow agents on
>every tap, we can avoid extending permission to tap.

I've been reading this board passively for a while now and find the
subject absolutely fascinating, especially from the point of view of
a civil rights nut like myself.  My problem is that I'm new to the field
and paragraphs like the above keep popping up.  I'm sure what Mr. 
Bellovin is writing about is both fascinating and important, but I have 
NO IDEA what it means.  :-)   
  
  Anyway I'm keen to learn and will read anything I can get my hands on
that explains this stuff in lay terms (I have a decent CS background, but
not a huge amount of hyper-advanced math).  Can anyone point me to a FAQ
or a decent source of information about the guts of current cryptography and
maybe a little history as well?  I read the piece in this month's WIRED, can
anyone tell me how much I should trust the references they suggest?

  Thanks in advance,
   Steve.

-- 
            Steve Kramarsky, University of Chicago Law School
           steve@faerie.chi.il.us -or- smk5@quads.uchicago.edu 
     "All I did was kiss a girl." - Jake, the night before his hanging.
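The tap flow Bellovin describes in the quoted paragraph (LEF to F-holder, U[K] and N to the escrow agents, U or K back to the cops), together with the S1/S2 programming check Hal Finney describes earlier in this thread, as an added toy simulation that is not from either poster. Skipjack and the real U1/U2 derivation are not public, so an HMAC-based keystream and a stand-in KDF are assumed in their place; the serial number and key sizes are constructed sample values.

```python
"""Toy walk-through of the escrow flow discussed in this thread (added example).

Nothing here is Clipper or Skipjack: the chip algorithm is classified, so an
HMAC-SHA256 keystream stands in for every encryption step, and program_chip()
is a stand-in for the unpublished S1/S2 -> U1/U2 derivation.
"""
import hashlib
import hmac
import os


def _keystream_xor(key, nonce, data):
    """XOR `data` with an HMAC-SHA256 keystream (toy cipher, not Skipjack)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def toy_encrypt(key, data):
    nonce = os.urandom(8)
    return nonce + _keystream_xor(key, nonce, data)


def toy_decrypt(key, blob):
    return _keystream_xor(key, blob[:8], blob[8:])


# ---- Programming session: the S1, S2 check Finney describes -------------
def program_chip(s1, s2, serial):
    """Unit-key halves U1, U2 for chip `serial` as a public, deterministic
    function of the session seeds S1, S2 (stand-in KDF, not the real one)."""
    u1 = hmac.new(s1, b"U1" + serial, hashlib.sha256).digest()[:16]
    u2 = hmac.new(s2, b"U2" + serial, hashlib.sha256).digest()[:16]
    return u1, u2


def unit_key(u1, u2):
    """U = U1 xor U2: neither escrow agent's floppy reveals U on its own."""
    return bytes(a ^ b for a, b in zip(u1, u2))


def audit_floppies(s1, s2, floppy1, floppy2):
    """An agent who is shown S1 and S2 recomputes every chip's U1, U2 and
    compares them with what was actually written to the two floppies."""
    return all(program_chip(s1, s2, n) == (floppy1[n], floppy2[n]) for n in floppy1)


# ---- A tap: the LEF / F-holder / escrow-agent flow Bellovin describes ----
def make_lef(family_key, u, serial, k):
    """Law Enforcement Field as the chip would emit it: F[ N, U[K] ]."""
    return toy_encrypt(family_key, serial + toy_encrypt(u, k))


def f_holder_strip(family_key, lef):
    """The F-holder strips F and forwards (N, U[K]); it never sees U or K."""
    inner = toy_decrypt(family_key, lef)
    return inner[:4], inner[4:]


def escrow_release(floppy1, floppy2, serial, u_of_k, model):
    """Escrow agents combine their halves, then hand back U (Denning's model)
    or decrypt U[K] themselves and hand back only K (Bellovin's model)."""
    u = unit_key(floppy1[serial], floppy2[serial])
    return u if model == "denning" else toy_decrypt(u, u_of_k)


def run_tap(model):
    """One tap end to end. Returns what the cops could and could not read."""
    s1, s2 = os.urandom(16), os.urandom(16)        # seeds typed in by the agents
    family_key = os.urandom(16)                    # F, held only by the F-holder
    serial = (12345).to_bytes(4, "big")            # N, constructed sample value
    u1, u2 = program_chip(s1, s2, serial)
    floppy1, floppy2 = {serial: u1}, {serial: u2}  # one floppy per escrow agent
    u = unit_key(u1, u2)                           # what the chip itself holds

    k1, k2 = os.urandom(16), os.urandom(16)        # session keys of two calls
    lef1 = make_lef(family_key, u, serial, k1)
    call1 = toy_encrypt(k1, b"tapped call")
    call2 = toy_encrypt(k2, b"later call")         # its LEF is again F-wrapped

    # Authorised tap on call 1: F-holder, then escrow agents, then the cops.
    n, u_of_k = f_holder_strip(family_key, lef1)
    held = escrow_release(floppy1, floppy2, n, u_of_k, model)
    k_for_tap = held if model == "bellovin" else toy_decrypt(held, u_of_k)

    # Call 2: the cops hold K1 (or U), but K2 sits inside a fresh LEF under F,
    # which they lack, so what they hold only yields noise without going back
    # through the F-holder (and, in Bellovin's model, the escrow agents).
    return {
        "audit_ok": audit_floppies(s1, s2, floppy1, floppy2),
        "tap_plaintext": toy_decrypt(k_for_tap, call1),
        "later_plaintext": toy_decrypt(held, call2),
    }
```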

Newsgroup: sci.crypt
document_id: 15980
From: mt92mmj@brunel.ac.uk (Pwgll)
Subject: Re: Looking for MS-DOS crypto programs

MADDISON,David wrote:
: I am a new reader of sci.crypt I would like to obtain a copy of a
: public domain program that can encrypt files, preferably using DES,
: that runs under MS-DOS.

: I would also like to obtain a program which will password protect
: floppy disks, if this is possible.

: Thanks.

: David Maddison
: Melbourne, Australia

When you find out a floppy password protect program, could you e-mail me.
Thanks

Marcus Jones 						mt92mmj@brunel.ac.uk
Dept. Materials Technology, Brunel University.
PGP v2.2 Public Key on request

Newsgroup: sci.crypt
document_id: 15981
From: jim@rand.org (Jim Gillogly)
Subject: Re: New Encryption Algorithm

In article <C61rDq.5v5@chinet.chi.il.us> schneier@chinet.chi.il.us (Bruce Schneier) writes:
>In article <1raeir$be1@access.digex.net> steve-b@access.digex.com (Steve Brinich) writes:
>>  Ah, but developing cryptosystems which are specifically designed to
>>protect the government's domestic spying capabilities takes them beyond
>>that mandate, into the forbidden field of domestic wiretapping.
>>
>
>Unlike the CIA, the NSA has no prohibition against domestic spying.  Read
>Bamford's THE PUZZLE PALACE.

I did.  You're mistaken.  NSA's communications intelligence mission is
strictly against foreign governments.  Here's an excerpt from the enabling
charter (24 Oct 52, Truman) that should clarify this.  The charter was
declassified in about Feb 1990 when an FOIA request made it public.  Mind
you, I don't know that they never collect anything they're not supposed
to... but spying on US citizens isn't in their charter.

    b. The COMINT mission of the National Security Agency (NSA) shall
	be to provide an effective, unified organization and control of
	the communications intelligence activities of the United States
	conducted against foreign governments, to provide for integrated
	operational policies and procedures pertaining thereto.  As used
	in this directive, the terms "communications intelligence" or
	"COMINT" shall be construed to mean all procedures and methods
	used in the interception of communications other than foreign
	press and propaganda broadcasts and the obtaining of information
	from such communications by other than intended recipients, but
	shall exclude censorship and the production and dissemination of
	finished intelligence.

They're also tasked with protecting the US's communications, but I haven't
seen the specific enabling memo on that.  I assume that's the role under
which Skipjack was developed.

NSA is not in the standard-setting business, though -- that's why this
Clipper stuff came from NIST, which I believe is tasked with coming up
with standards based on their best inputs from other government agencies,
which would include NSA.
-- 
	Jim Gillogly
	Mersday, 4 Thrimidge S.R. 1993, 21:59

Newsgroup: sci.crypt
document_id: 15982
From: mjr@tis.com (Marcus J Ranum)
Subject: Re: Let's build software cryptophones for over the internet...

Graham Toal <gtoal@gtoal.com> writes:
>Yes.  I'm not sure if my xposting to comp.speech made it to here too, but
>I've found that a low sample rate (3300 samples/sec at 8 bits per sample)
>plus the pd 'shorten' lossless sound compression code actually does get
>speech into 14.4K with a smidgen left over.  This is *definitely* worth
>working on, folks.  And shorten works in well under real-time.

	I don't think that this should be worked on just in the context
of cryptography. That's sure to pose all sorts of problems for all sorts
of people.

	What's needed is for someone to develop a portable telephone
quality speech<->RS232 converter. Imagine, if you will, a little box that
takes data on its serial port and puts out sound, and takes sound and codes
it to signals on its serial port. Full duplex. Now, this device is not a
cryptographic device. It's a portable poor man's sound blaster or whatever
you want to call it. It's got loads of perfectly legitimate applications
for:
	a) speech synthesis (with a few nifty libraries and some samples)
	b) speech recording for electronic messaging
	c) building voicemail systems
	d) internet talk radio
	e) internet relay chat

	Of course, some of the electronic messaging in item b might be
encrypted, possibly realtime, but that's the user's decision. One would
need 2 of these talky boxes and a pair of modems and some kind of cutout
to switch over, and some code on, say, a 486 laptop.

	I'd really like to see such a thing developed so that interactive
internet talk radio could be done. Ideally, though, it should be a general
purpose device. It should be a general purpose enough device that nobody
should be able to balk at its widespread use. Obviously, to make it easy
for homebrewers, it should use pretty common hardware.

	It's interesting to note that I'd already talked with a couple
of folks about building such a thing, before this whole clipper thing
started. I even went so far as to track down a couple of folks who are
able to make sample units, given incentive and some time. I'd envisioned
finding a couple of folks interested in such a project and helping fund
development of a public domain board layout and parts set, that could
be published in the form of CAD drawings for a couple of major CAD
packages, and in PostScript.

	Anyone interested? I'll start a provisional mailing list. Let
me know if you want on.

mjr.

Newsgroup: sci.crypt
document_id: 15983
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Clipper considered harmful [Restated and amplified]

In article <sfqPuJu00WC7IqOP5T@andrew.cmu.edu> "Jon C. R. Bennett" <jb7m+@andrew.cmu.edu> writes:
>
>
>strnlght@netcom.com (David Sternlight) writes:
>> If the crooks use an innocent person's clipper phone on the tapped line
>> there's no problem. The Feds don't care whose phone instrument is used, just
>> that the conversation is by the suspect on the tapped line. They get the
>> serial number, get the keys, and they are in business.
>> 
>> No clipper chip to person association is ever needed.
>
>cellular phones...........

Direction-finding and directional monitoring receivers. Can you say "little
black bakery truck"?

:-)

David

>
>jon


-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
document_id: 15984
From: tedcrum@garnet.berkeley.edu (Ted Crum)
Subject: Re: Trademark violation claimed


The RISC processor made by Fairchild, sold to Intergraph, much the same
story as the R4000.

Remember how Spielberg lost the control of Star Wars when the DOD started
using the name? The loss was confirmed in court. 

Newsgroup: sci.crypt
document_id: 15985
From: mjs@behemoth.genetics.wisc.edu (Mike Schmelzer)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]


Argh. This is what I get for acknowledging David Sternlight's existence.

In article <strnlghtC602x2.Ir2@netcom.com> strnlght@netcom.com (David Sternlight) writes:
> Though I think this an overstatement, it does contain a grain of truth. It's
> drug dealers, spies, terrorists, and organized crime figures (assuming
> enough probable cause to convince a judge) who need to be watched, not
> law-abiding citizens.

Okay, it looks like I am going to have to do the history lesson after all.

During the Vietnam war, there were a great many citizens opposed to it
who considered themselves perfectly law abiding, although Mr. Nixon and
his lackeys thought otherwise.

The Federal government had no compunction about adding "people who
are otherwise decent, law abiding and upstanding, but disagree with
us" to your nice little list. Do you think this could never happen
again?

Note that I am not speculating about what the government could do,
but discussing the sort of "observation" - including but not limited
to phone tapping - that the government put its citizens under during
a time of national tension.

Your naivete is still appalling, BTW. I mean, read what you posted again.
How are we to differentiate between Good People and Bad People? Answer:
A priori, we can't; we have to assume. Now, which way do we assume? Do
we assume a priori that a citizen is law-abiding, or rather a potential
CommunistDrugLordChildAbuserCultMessiah? One of the things that's
supposedly great about America is the freedoms enjoyed by citizens who
are presumed to be law-abiding until proven otherwise.
--
=== Mike Schmelzer,  mjs@genetics.wisc.edu, (608)262-4550. Finger for PGP.
=== "People didn't riot the minute they saw that film.
=== They waited on justice. Which never came." - Ice T.


Newsgroup: sci.crypt
document_id: 15986
From: pat@rwing.UUCP (Pat Myrto)
Subject: Re: Overreacting (was Re: Once tapped, your code is no good any more)

In article <116530@bu.edu> uni@acs.bu.edu (Shaen Bernhardt) writes:
<In article <1993Apr22.134214.18517@rick.dgbt.doc.ca> jhan@debra.dgbt.doc.ca (Jerry Han) writes:
<>In this giant bally-ho over this Clipper chip I noticed a rather
<>disturbing trend in some of the E-mail and posts I've been tossing back and
<>forth.  
<> [ ... deleted ... ]
<A circuit court judge in Illinois once said "When dealing with a government
<that seeks continually new and more creative ways to spy on its citizenry,
<one cannot discourage the move to empower the common citizen with the means
<to parry this attack on personal privacy."
<
<(Unfortunately the comment was with regard to the banning of radar
<detectors....)
<
<The point remains.  More and more I see the government slowly washing
<away privacy.  Even unwittingly.  Do you think I will ever live in a
<society that issues smart cards to citizens at birth?  Do you think I
<will live in a society that insists I register my crypto keys so they
<can keep track of what I'm saying?  Even if there is no evidence of my
<guilt?  Do you think I will ever live in a society that seeks to meddle
<in the affairs of its citizenry without recourse of any kind?  I'm tired
<of it.  There is (IMHO) no compromise with an administration that seeks
<to implement these proposals under the guise of enhancing privacy.
<
<More than the proposals themselves, I read the language of the press
<releases, the obvious deception involved in presenting these pieces to
<the public, and I am sickened.  I am revolted.  I am repulsed.
<
<90%, perhaps even 95% of this country could care less about the
<clipper chip, the wiretap bill, the smart card, because they are so
<entrapped in the rhetoric of the Clinton Administration.

The problem is, the people are not having the scope, or implications
pointed out to them.  Hell, most haven't even heard of Clipper, and
when they do, it will be in soothing language telling everyone how
nice the government is at 'letting them have' privacy.

How come the media is not telling about the provisions of the Clipper
decision?  The provisions of the Crime Bill?  The abuses of Civil Forfeiture?
The government uses polls to support 75 percent of the people want
gun bans, etc., yet the same pollsters have determined (according to
the media) that 30 percent of the people are unaware of what the Holocaust
is...

The people cannot be expected to give decent decisions when they are
denied the information that all these abuses and whittling away of
rights are going on quietly.  When they find out (when it hits them),
it will be too late.  One cannot expect each citizen to spend all their
time probing, searching, researching, etc.   For example, how big a
percentage of the average population even has access to USENET?  Way
less than 1 percent, I bet.   How many outside of Internet/USENET
are even AWARE of what Big Brother is doing, or have been exposed to
arguments of both sides of the issue?

What the public will get is only ONE side:  The Government's side.

THAT is scary.

<
<This saddens and frightens me.
<
<I am a conservative believe it or not.  A law and order conservative.
<But the move to a centralized authoritarian regime really scares me,
<mostly because I know you can't go far wrong underestimating the
<intelligence of the American people.  Tell them it's going to keep
<them safe from drug dealers and terrorists, and they will let you
<put cameras in their home.

How can the bulk of the people be informed, when the media refuses to
do it?

<Even in the wake of Waco, you find those who support the increasingly
<totalitarian moves.
<
<>Somebody once said something like: "Armed Violence is meant only to be
<>used in response to an armed attack.  It is not meant to be used in
<>aggression.  This is the difference between self-defence and murder."
<
<To be quite honest, the way things are going, I'd call it self defense.
<
<>Let's try to avoid killing things, eh?  There's enough blood shed in the
<>world, without adding a couple of riots, Civil Wars, etc.
<>
<>I'm probably overreacting.  But what I've read scared me a lot.  I don't
<>want my children growing up in a War Zone.
<
<
<And I don't want mine growing up in the eyes of a security camera
<24 hours a day.

The people at large need to be informed.  BUT HOW?   I am but one person.
I try to talk to everyone that will listen, but I can hardly make any
kind of dent.

-- 
pat@rwing.uucp      [Without prejudice UCC 1-207]     (Pat Myrto) Seattle, WA
         If all else fails, try:       ...!uunet!pilchuck!rwing!pat
WISDOM: "Only two things are infinite; the universe and human stupidity,
         and I am not sure about the former."              - Albert Einstein

Newsgroup: sci.crypt
document_id: 15987
From: Greg.Onufer@Eng.Sun.COM (Greg Onufer)
Subject: Re: Let's build software cryptophones for over the internet...

In <C622A1.7t6@demon.co.uk> Graham Toal <gtoal@gtoal.com> writes:
>In article <1regq0INNn7u@gap.caltech.edu> hal@cco.caltech.edu (Hal Finney) writes:
>:I tried this code yesterday.  On my Sparcstation ELC it takes over
>:300 seconds to compress 22 seconds' worth of speech.  This means that it
>:needs to be "optimized" by over a factor of 10 before it will be usable
>:in even a half-duplex mode.

>Ouch!  Thanks for trying it.

The following program is a very quick hack I created a few months
ago to determine whether a Sun Sparcstation IPC could perform
real-time, full-duplex encrypted audio with resulting data rates
sustainable by today's modems.

This test program reads linearly-encoded audio from the audio device,
compresses it with GSM 06.10 (compresses frames of 160 13-bit samples
recorded at 8kHz into 260 bits resulting in a 50 Hz frame rate), encrypts
it with DES, then reverses the process and sends the reconstructed audio
back to the audio device.  The compressed, encrypted audio stream
is 13 kbits/s (!).

My Sparcstation IPC (not exactly a very fast machine these days,
certainly slower than an ELC) would just barely sustain this activity
(audio underruns would occur but the speech was very intelligible).  I
ran it as a real-time process to get the best results.  Remember,
though, that this program is a quick hack and the performance can
certainly be improved.

The audio compression routines can be ftp'd from tub.cs.tu-berlin.de,
I believe (look for gsm or toast).  I used Eric Young's DES
implementation but I no longer know where I got it from.

Cheers!
greg

<--------------------------- CUT HERE ----------------------------->
/*
 * Test program to see how much CPU it takes for secure digital audio.
 * Written by G. Onufer (greg@cheers.Bungi.COM).
 *
 * Written on a Sun IPC running Solaris 2.2 with a Sun ISDN S-Bus card
 * and a SpeakerBox.
 */
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>	/* memset, memmove, memcmp */
#include <sys/types.h>
#include <sys/audioio.h>
#include <stropts.h>

#include <gsm.h>
#include <des.h>

boolean_t
svs_audio_init(int fd, audio_info_t *prev_info)
{
	audio_info_t info;

	if (prev_info != NULL) {
		if (ioctl(fd, AUDIO_GETINFO, prev_info) < 0) {
			perror("AUDIO_GETINFO");
			return (B_FALSE);
		}
	}

	AUDIO_INITINFO(&info);

	info.record.pause = B_TRUE;
	info.play.pause = B_TRUE;

	info.play.sample_rate = 8000;
	info.play.encoding = AUDIO_ENCODING_LINEAR;
	info.play.channels = 1;
	info.play.precision = 16;
	info.record.sample_rate = 8000;
	info.record.encoding = AUDIO_ENCODING_LINEAR;
	info.record.channels = 1;
	info.record.precision = 16;

	info.record.buffer_size = 320 * 4;

	if (ioctl(fd, AUDIO_SETINFO, &info) < 0) {
		perror("AUDIO_SETINFO");
		return (B_FALSE);
	}

	if (ioctl(fd, I_FLUSH, FLUSHRW) < 0) {
		perror("I_FLUSH");
		return (B_FALSE);
	}

	
	AUDIO_INITINFO(&info);

	info.record.pause = B_FALSE;
	info.play.pause = B_FALSE;

	if (ioctl(fd, AUDIO_SETINFO, &info) < 0) {
		perror("AUDIO_SETINFO");
		return (B_FALSE);
	}

	return (B_TRUE);
}


boolean_t
svs_in(int ifd, gsm handle, gsm_byte *buf)
{
	gsm_signal sample[160];

	if (read(ifd, sample, sizeof (sample)) != sizeof (sample)) {
		fprintf(stderr, "svs_in: short read\n");
		return (B_FALSE);
	}

	gsm_encode(handle, sample, buf);

	return (B_TRUE);
}


boolean_t
svs_out(int ofd, gsm handle, gsm_byte *buf)
{
	gsm_signal sample[160];

	if (gsm_decode(handle, buf, sample) < 0) {
		fprintf(stderr, "svs_out: gsm_decode failed\n");
		return (B_FALSE);
	}

	if (write(ofd, sample, sizeof (sample)) != sizeof (sample)) {
		fprintf(stderr, "svs_out: short write\n");
		return (B_FALSE);
	}

	return (B_TRUE);
}


int
main(void)
{
	gsm handle;
	gsm_frame frame;
	int audiofd;
	int option;
	des_cblock key, ivec_in, ivec_out;
	des_key_schedule ks_in, ks_out;
	des_cblock cbuf_in[4], cbuf_out[4], cbuf_buf[4];

	audiofd = open("/dev/audio", O_RDWR);
	if (audiofd < 0) {
		perror("open");
		exit(4);
	}

	/*
	 * Initialize GSM compression code
	 */
	if ((handle = gsm_create()) == NULL) {
		fprintf(stderr, "svs: gsm_create failed\n");
		exit(4);
	}

	option = B_TRUE;
	if (gsm_option(handle, GSM_OPT_FAST, &option) < 0) {
		fprintf(stderr, "svs: gsm_option (FAST) failed\n");
		exit(4);
	}

	/*
	 * Initialize DES code
	 */
	des_random_key(&key);

	if (des_set_key(&key, ks_in) < 0) {
		fprintf(stderr, "svs: des_set_key failed\n");
		exit(4);
	}
	if (des_set_key(&key, ks_out) < 0) {
		fprintf(stderr, "svs: des_set_key failed\n");
		exit(4);
	}
	memset(ivec_in, 0, sizeof (ivec_in));
	memset(ivec_out, 0, sizeof (ivec_out));

	/*
	 * Open audio device and configure it
	 */
	if (!svs_audio_init(audiofd, NULL))
		exit(3);

	for (;;) {
		/*
		 * Get 160 samples (16-bit linear 8000Hz) and
		 * convert to a 33 byte frame
		 */
		if (!svs_in(audiofd, handle, frame))
			exit(1);

		/*
		 * Keep a clear copy of the frame so the (disabled)
		 * round-trip check below compares against real data.
		 */
		memcpy(cbuf_in, frame, 32);

		/*
		 * Encrypt/Decrypt block: the first 32 of the 33 frame
		 * bytes go through DES (four 8-byte CBC blocks) and
		 * straight back out, so this is a loopback CPU test;
		 * the random key never leaves this process.
		 */
		des_cbc_encrypt(frame, cbuf_out, (long)32, ks_in, ivec_in,
		    DES_ENCRYPT);
		des_cbc_encrypt(cbuf_out, cbuf_buf, (long)32, ks_out, ivec_out,
		    DES_DECRYPT);

		memmove(frame, cbuf_buf, 32);

#if 0
		if (memcmp(cbuf_in, cbuf_buf, 32) != 0) {
			fprintf(stderr, "svs: memcmp failed\n");
			exit(4);
		}
#endif

		/*
		 * Take 33 byte frame and convert to 160 samples
		 * and play
		 */
		if (!svs_out(audiofd, handle, frame))
			exit(2);
	}

	gsm_destroy(handle);	/* not reached: the loop only leaves via exit() */
	return (0);
}
<--------------------------- CUT HERE ----------------------------->

Newsgroup: sci.crypt
document_id: 15988
From: Graham Toal <gtoal@gtoal.com>
Subject: Re: Let's build software cryptophones for over the internet...

In article <1rf04s$jqu@sol.TIS.COM> mjr@tis.com (Marcus J Ranum) writes:
:	I'd really like to see such a thing developed so that interactive
:internet talk radio could be done. Ideally, though, it should be a general
:purpose device. It should be a general purpose enough device that nobody
:should be able to balk at its widespread use. Obviously, to make it easy
:for homebrewers, it should use pretty common hardware.

I suggest we start with the ubiquitous Sun, to get a lot of momentum
going.  Custom hardware isn't going to go anywhere until there's a
user base.

:	Anyone interested? I'll start a provisional mailing list. Let
:me know if you want on.

Count me in.  I need someone at the US end to experiment on the 
protocols with, and I like the way you code.  Give me 3 weeks to
move house and settle in then we'll go for it seriously...

G

Newsgroup: sci.crypt
document_id: 15989
From: dhesi@rahul.net (Rahul Dhesi)
Subject: Re: Overreacting (was Re: Once tapped, your code is no good any more)

In <2109@rwing.UUCP> pat@rwing.UUCP (Pat Myrto) writes:

>How come the media is not telling about the provisions of the Clipper
>decision? ...

>How can the bulk of the people be informed, when the media refuses to
>do it?

The answer to your second question lies in the way you phrased the
first one:  'the media is...'.

The media isn't 'is'.  The media 'are'.  'Media' means 'more than one
medium.'  There are thousands of publications.  Some say this, some say
that.  

     How can the bulk of the people be informed, when they won't read
     informative publications?
-- 
Rahul Dhesi <dhesi@rahul.net>
also:  dhesi@cirrus.com

Newsgroup: sci.crypt
document_id: 15990
From: tenney@netcom.com (Glenn S. Tenney)
Subject: Hearing on 29 April 1993

I received a fax of a letter from Representative Markey (Subcommittee on 
Telecommunications and Finance) to Ron Brown (Secretary of Commerce).  Since 
encryption and the Clipper chip are raised in this letter, I felt it would be
of interest.  I understand that on 29 April, Mr. Markey will be holding a
hearing on the questions raised in this letter.  There may also be a follow-on
hearing dedicated to the clipper chip, but that's not definite.

I've typed in the letter, which follows.  Any errors in transcription are 
mine...

---
Glenn Tenney
tenney@netcom.com            Amateur radio: AA6ER
Voice: (415) 574-3420        Fax: (415) 574-0546

------------------ letter of interest follows ----------------

April 19, 1993

The Honorable Ronald H. Brown
Secretary
Department of Commerce
14th and Pennsylvania Ave., NW
Washington, DC 20236

Dear Secretary Brown:

   As you know, I have long been interested in the privacy 
and security of telecommunications transmissions and data in 
a networked environment.  Recent reports concerning the 
Administration's endorsement of an electronic encryption 
standard, based upon "clipper chip" technology, have raised a 
number of related issues.  The international competitiveness 
of U.S. high tech manufacturers and the software industry is 
a key factor that the government should consider when 
addressing issues of encryption and data security.  As the 
nation moves forward in developing the national 
communications and information infrastructure, security of 
telecommunications transmissions and network data will be an 
increasingly important factor for protecting the privacy of 
users.

   The "hacker" community can compromise the integrity of 
telecommunications transmissions and databases linked by the 
network.  The people and businesses that use the nation's 
telecommunications network and the personal computers linked 
through it increasingly are demanding that information be 
protected against unauthorized access, alteration, and theft.

   I am concerned that the Administration's plan may mean 
that to remain competitive internationally, U.S. companies 
would be compelled to develop two products -- one for U.S. 
government customers, and another for private, commercial 
users who may want a higher encryption standard.  This may 
inadvertently increase costs to those U.S. companies hoping 
to serve both markets.  To assist the Subcommittee's analysis 
of this issue, please respond to the following questions:

1. Has the encryption algorithm or standard endorsed by the 
Administration been tested by any entity other than NSA, NIST 
or the vendor?  If so, please identify such entities and the 
nature of testing performed.  If not, please describe any 
plans to have the algorithm tested by outside experts and how 
such experts will be chosen.

2. Under the Administration's plan, what entities will be the 
holders of the "keys" to decrypt scrambled data?  What 
procedures or criteria will the Administration utilize to 
designate such key holders?

3. Does the encryption algorithm endorsed by the 
Administration contain a "trap door" or "back door," which 
could allow an agency or entity of the Federal government to 
crack the code?

4. It is clear that over time, changes in technologies used 
for communications will require new techniques and additional 
equipment.  How will encryption devices adapt to the rapid 
advancement of telecommunications technology?

5. What additional costs would the proposed encryption place 
on the Federal government?  What is the estimated cost to 
consumers and businesses which opt for the federal standard 
in their equipment?

6. What is the Commerce Department's assessment of the 
competitive impact of the Administration's endorsement of the 
"clipper chip" technology on U.S. exports of computer and 
telecommunications hardware and software products?

   I would appreciate your response by no later than close-
of-business, Wednesday, April 28, 1993.  If you have any 
questions, please have your staff contact Colin Crowell or 
Karen Colannino of the Subcommittee staff at (202) 226-2424.

Sincerely,

Edward J. Markey
Chairman

###
-- 
Glenn Tenney
voice: (415) 574-3420      fax: (415) 574-0546
tenney@netcom.com          Ham radio: AA6ER

Newsgroup: sci.crypt
document_id: 15991
From: matt@consent.uucp (Matthew)
Subject: Implementing a Diffie-Hellman key exchange.


I want to add link encryption to a module that multiplexes upper
level routines into a single data link. The upper levels won't know
about this, and thus key exchange shall only need to occur once (at
the initial link establishment). I figure that I can do this with
DES and a Diffie-Hellman key exchange.

Is using a Diffie-Hellman exchange to establish a 64 bit DES key
acceptable, in other words, what are the pro's and con's of such a 
setup? Are there any important issues to watch out for (aside from
filtering out unacceptable keys)?

And in order to achieve this, I guess I will need to use 64bit math
routines (for probable prime number calculation, exponentiation etc),
so could someone point me towards a good package (this is strictly
non-commercial).

Matthew.
-- 
matt%consent@uts.EDU.AU - 
'The power of one man seems like a small squirt ...' -- tDHoH
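The exchange the post describes, as an added example (not the poster's code): a Miller-Rabin probable-prime routine and safe-prime generation stand in for the "64bit math package" (Python integers supply the arithmetic), the peer's public value is checked before use, and the agreed secret is hashed down to a parity-adjusted 64-bit DES key with the weak and semi-weak keys filtered out. The 64-bit modulus, the generator 4 and the SHA-256 derivation are assumptions made for the demonstration; a real link would use a prime of at least 1024 bits.

```python
"""Diffie-Hellman agreement that yields one single-DES session key.

Added example (not from the original post).  Python integers supply the
big-number arithmetic; the prime size (64 bits) and the SHA-256 key
derivation are assumptions made here so the example runs in well under
a second.  A real link would use a safe prime of at least 1024 bits.
"""
import hashlib
import secrets

SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]

# Single-DES keys that must never be used (the four weak and twelve
# semi-weak keys, parity bits already set).  Filtering them out is the
# "unacceptable keys" step the post mentions.
BAD_DES_KEYS = {bytes.fromhex(h) for h in (
    "0101010101010101", "FEFEFEFEFEFEFEFE", "E0E0E0E0F1F1F1F1", "1F1F1F1F0E0E0E0E",
    "011F011F010E010E", "1F011F010E010E01", "01E001E001F101F1", "E001E001F101F101",
    "01FE01FE01FE01FE", "FE01FE01FE01FE01", "1FE01FE00EF10EF1", "E01FE01FF10EF10E",
    "1FFE1FFE0EFE0EFE", "FE1FFE1FFE0EFE0E", "E0FEE0FEF1FEF1FE", "FEE0FEE0FEF1FEF1",
)}

GENERATOR = 4  # a square mod p, so for a safe prime it generates the order-q subgroup


def is_probable_prime(n, rounds=32):
    """Miller-Rabin test: False means composite, True means probably prime."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for sp in SMALL_PRIMES:              # cheap trial division first
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:                    # write n - 1 as d * 2^r, d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2  # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                 # base a witnesses compositeness
    return True


def generate_safe_prime(bits):
    """Return p = 2q + 1 with q and p both probable primes, p exactly `bits` long."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


def dh_keypair(p):
    """Private exponent x in [1, q-1] and public value g^x mod p."""
    q = (p - 1) // 2
    x = secrets.randbelow(q - 1) + 1
    return x, pow(GENERATOR, x, p)


def valid_public_value(p, y):
    """Reject 0, 1, p-1 and anything outside the order-q subgroup."""
    q = (p - 1) // 2
    return 1 < y < p - 1 and pow(y, q, p) == 1


def set_odd_parity(key):
    """DES uses the low bit of every key byte as an odd-parity bit."""
    out = bytearray()
    for b in key:
        top = b & 0xFE
        out.append(top | (0 if bin(top).count("1") % 2 else 1))
    return bytes(out)


def derive_des_key(shared_secret, p):
    """Hash the agreed integer to 8 bytes, fix parity and skip bad keys.

    Both ends run the same deterministic loop, so they skip the same
    counters and arrive at the same key.
    """
    z = shared_secret.to_bytes((p.bit_length() + 7) // 8, "big")
    for counter in range(256):
        digest = hashlib.sha256(z + bytes([counter])).digest()
        key = set_odd_parity(digest[:8])
        if key not in BAD_DES_KEYS:
            return key
    raise RuntimeError("could not derive an acceptable DES key")


def agree_session_keys(bits=64):
    """Run both ends of one exchange; returns (p, key_a, key_b)."""
    p = generate_safe_prime(bits)
    xa, ya = dh_keypair(p)
    xb, yb = dh_keypair(p)
    if not (valid_public_value(p, ya) and valid_public_value(p, yb)):
        raise ValueError("peer sent a bad public value")
    key_a = derive_des_key(pow(yb, xa, p), p)
    key_b = derive_des_key(pow(ya, xb, p), p)
    return p, key_a, key_b


if __name__ == "__main__":
    p, ka, kb = agree_session_keys()
    print("p =", p, "agreed:", ka == kb, "DES key:", ka.hex())
```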

Newsgroup: sci.crypt
document_id: 15992
From: holland@CS.ColoState.EDU (douglas craig holland)
Subject: Re: Let's build software cryptophones for over the internet...

In article <C62D8r.C7p@demon.co.uk> Graham Toal <gtoal@gtoal.com> writes:
>In article <1rf04s$jqu@sol.TIS.COM> mjr@tis.com (Marcus J Ranum) writes:
>:	I'd really like to see such a thing developed so that interactive
>:internet talk radio could be done. Ideally, though, it should be a general
>:purpose device. It should be a general purpose enough device that nobody
>:should be able to balk at its widespread use. Obviously, to make it easy
>:for homebrewers, it should use pretty common hardware.
>
>I suggest we start with the ubiquitous Sun, to get a lot of momentum
>going.  Custom hardware isn't going to go anywhere until there's a
>user base.

     Why don't we move down even further toward the masses by setting this
up on an IBM PC clone (probably needs to be a 386 or a 486) with a 
sound blaster and a V.32bis modem.  Those components are very widely
available.  I don't know if the PC has enough horsepower to encrypt the data
in real time, but the sound blaster has 4 to 1 hardware compression and will
work at any sampling rate from 4KHz to 23 KHz.

Doug Holland

-- 
|  Doug Holland                | Anyone who tries to take away my freedom  |
|  holland@cs.colostate.edu    | of speech will have to pry it from my     |
|  PGP key available by E-mail | cold, dead lips!!                         |

Newsgroup: sci.crypt
document_id: 15993
From: Theodore M.P. Lee <tmplee@TIS.COM>
Subject: Re: Hearing on 29 April 1993

In article <tenneyC62HqH.6s1@netcom.com> Glenn S. Tenney,
tenney@netcom.com writes:
> of interest.  I understand that on 29 April, Mr. Markey will be holding a
> hearing on the questions raised in this letter.  There may also be a follow-on
> hearing dedicated to the clipper chip, but that's not definite.

Glenn,

Thanks for posting that.  I was surprised to notice, however, that one
question I might have expected to be asked was not:  "Are all forms of
strong encryption other than the Clipper to be made illegal?"  Speaking
of which, is anyone aware of whether that question *has* been asked of
any knowledgeable or official spokesperson for the government?  I have
not yet seen it mentioned in any of a dozen places it might have been
reported, but I could have easily missed it.

Ted Lee                                                
Trusted Information System, Inc.                        tmplee@tis.com
PO Box 1718                                             
Minnetonka, MN 55345

Newsgroup: sci.crypt
document_id: 15994
From: jhupp@shockwave.win.net (Jeff Hupp)
Subject: Re: New Encryption Algorithm

 
> >  Well, actually, this one's easy. It's their job. The NSA is
> >supposed to develop cryptosystems. If the government chooses to go
> >ahead and sell those cryptosystems to the masses, so be it.
>
>  Ah, but developing cryptosystems which are specifically designed to
>protect the government's domestic spying capabilities takes them beyond
>that mandate, into the forbidden field of domestic wiretapping.
>
>
    The NSA's charter forbids them from doing any purely domestic
intelligence work; I would think that even providing assistance in
development of the Skipjack algorithm is a violation of that charter. 
But as with any entrenched government agency, they will do what they
think is expedient.


_____________________________________________________________________
\Jeff Hupp                      |Internet: jhupp@shockwave.win.net   \
|9797 Medowglen, Apt. 1807      |Ad:    Contract Programming, Novell |
|Houston, Texas  77042          |       Network Design and Support.  |
|Voice: (713) 780 - 9419        |"The best government doesn't" -- me. |
\_____________________________________________________________________\ 

Newsgroup: sci.crypt
document_id: 15995
From: wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705)
Subject: Re: New Encryption Algorithm

In article <16724@rand.org> jim@rand.org (Jim Gillogly) writes:
   I did.  You're mistaken.  NSA's communications intelligence mission is
   strictly against foreign governments.  Here's an excerpt from the enabling
   charter (24 Oct 52, Truman) that should clarify this.  The charter was
   declassified in about Feb 1990 when an FOIA request made it public.
Interesting!  Where can I get the whole thing?

   NSA is not in the standard-setting business, though -- that's why this
   Clipper stuff came from NIST, which I believe is tasked with coming up
   with standards based on their best inputs from other government agencies,
   which would include NSA.

Several of the newspaper reports have made it fairly clear that the
NSA did all the real work.  You can't believe everything you read in
the papers :-), but the package of information the NIST is faxing out
has so little information beyond what's widely known that it sounds
like it's true.
--
#				Pray for peace;      Bill
# Bill Stewart 1-908-949-0705 wcs@anchor.att.com AT&T Bell Labs 4M312 Holmdel NJ
#	              No, I'm *from* New Jersey, I only *work* in cyberspace....
# White House Comment Line 1-202-456-1111  fax 1-202-456-2461

Newsgroup: sci.crypt
document_id: 15996
From: gideony@microsoft.com (Gideon Yuval)
Subject: Re: Clipper considered harmful

In article <9304221116.AA02093@pizzabox.demon.co.uk> gtoal@gtoal.com (Graham Toal) writes:
>:    Does Dorothy Denning read this group?  If not, is someone on the group
>: forwarding questions like these to her, or Martin Hellman, or anyone else
>: who's seen more details about the chip?
>
>Of course she does; it's just she's been toasted so often for being
>an NSA patsy that she's keeping her head down.  You can always mail
>her directly as denning@guvax.acc.georgetown.edu,
>denning@cs.cosc.georgetown.edu or denning@cs.georgetown.edu
>
>G

I found the personal attacks on Prof. Denning pretty disgusting.
I don't agree with all her positions; but I think scholars can
disagree without the argument getting into the gutter.

If these personal attacks are what stopped Prof. Denning from
replying on issues of substance, they have caused real harm
to the serious debate here.
-- 
Gideon Yuval, gideony@microsoft.com, 206-882-8080 (fax:-883-8101;TWX:160520)

Newsgroup: sci.crypt
document_id: 15997
From: mnemonic@eff.org (Mike Godwin)
Subject: Re: Dorothy Denning opposes Clipper, Capstone wiretap chips

In article <C614BJ.BK6@agora.rain.com> jhart@agora.rain.com (Jim Hart) writes:
>"The security of the system should depend only on the secrecy of
>the keys and not on the secrecy of the algorithms" -- Dorothy Denning

Cite source, please.


--Mike




-- 
Mike Godwin,    |    Ariel Rose Godwin
mnemonic@eff.org|    Born 4-15-93 at 4:34 pm in Cambridge 
(617) 576-4510  |    7 pounds, 1.5 ounces, 19.75 inches long 
EFF, Cambridge  |    A new citizen of the Electronic Frontier 

Newsgroup: sci.crypt
document_id: 15998
From: mg@elan (Michael Golan)
Subject: Re: Clipper scope [was: Overreacting]

pat@rwing.UUCP (Pat Myrto) writes:


>The problem is, the people are not having the scope, or implications
>pointed out to them.  Hell, most haven't even heard of Clipper, and
>when they do, it will be in soothing language telling everyone how
>nice the government is at 'letting them have' privacy.

[much more deleted]

>The people at large need to be informed.  BUT HOW?   I am but one person.
>I try to talk to everyone that will listen, but I can hardly make any
>kind of dent.

Here is how! Let's write a DOCUMENT which includes all the reasons
we oppose Clipper, in a clear, concise, non-technical manner. I urge 
every one of you to take the (very simple) "start" below and repost it
with changes. Let the text evolve until we reach something most of us
like. Then, all of you should send a copy (with a personal letter)
to your congress critter, local reporter on sci/tech, etc.

Please, to make this a success, try to post only an "agreed" version,
not flames. To respond to a flame to this, please change the subject
to, e.g., "clipper scope - discussion".

-- Michael Golan
   mg@cs.princeton.edu

[all of these are points - which should be made into paragraphs]

What is wrong with the clipper chip - By usenet users
-----------------------------------------------------

1) It is secret. 
2) How can we trust the escrow agencies?
3) It is not cost-effective
4) We want other encryption systems, the government seems to want to
   disallow it in the future
5) Anyone can build a non-key system
6) We are worried about a back door
7) Once everyone uses a clipper chip, the mechanism for a Big-Brother
   government is in place, a change of government can lead to it. 
   Especially since the escrow agencies operation is not governed by
   law (so the president can change the rules to allow free access to
   the keys at any time, e.g., during war)
8) Few criminals are caught by wiretaps, the cost [and risks] are unjustified
9) Once the FBI get hold of a key, it can decrypt past and future conversations

...

   

Newsgroup: sci.crypt
document_id: 15999
Subject: Re: What is going on?...
From: sdoty@odie.santarosa.edu (Scott Doty)

Paul Repacholi (zrepachol@cc.curtin.edu.au) wrote:

: PS The first posting I saw I thought was a joke in *VERY* bad taste. My apologies
: to the person who broke the news.

For what it's worth...

Clipper Chip Announcement (clipper@csrc.ncsl.nist.gov) wrote:

: Note:  This file will also be available via anonymous file
: transfer from csrc.ncsl.nist.gov in directory /pub/nistnews and
: via the NIST Computer Security BBS at 301-948-5717.
:      ---------------------------------------------------
: 
:                          THE WHITE HOUSE
: 

I haven't been able to open an ftp session with that machine.

Operating under the assumption that the address was wrong, I tried using
nslookup and nicname/whois...

> ls nist.gov 
[nnsc.nsf.net]
Host or domain name            Internet address              
[...]
 ncsl                           server = mail-gw.ncsl.nist.gov         
 mail-gw.ncsl                   129.6.48.199
 ncsl                           server = dove.nist.gov                 
 ncsl                           server = ecf.ncsl.nist.gov             
 ecf.ncsl                       129.6.48.2
 ncsl                           server = enh.nist.gov                  
 ncsl                           server = SUNMGR.NCSL.NIST.GOV          
 SUNMGR.NCSL                    129.6.48.12
[...]

That's all I could find about the ncsl domain...oh, and I tried an MX lookup
on the machine in question, which failed.  Nicname/whois domain lookups at
both registries failed, too. 

So I thought, "hey, I'm just not using the tools right" and tried calling
the BBS number -- no answer.

I'm probably doing something wrong...or, perhaps, the machine has been put
behind a firewall.  But it does look like csrc.ncsl.nist.gov has become an
un-machine.  If someone would try ftp'ing to it, or knows what's up, I'd
really appreciate the info. 

Scott Doty <sdoty@odie.santarosa.edu>

Newsgroup: sci.crypt
document_id: 16000
From: jhupp@shockwave.win.net (Jeff Hupp)
Subject: Re: Clipper and conference calls

 
>In article <122723@netnews.upenn.edu>, feeley@cattell.psych.upenn.edu (Wm. Michael Feeley) writes:
>> Just curious, how would the Clipper Chip system handle
>> conference calls?
>
>It's not Clipper, it's any encryption system.  I've seen a number of
>designs; they generally involve a multi-line cleartext bridge.
>
        A 'multi-line cleartext bridge?'
                      ^^^^^^^^^
        And just where would you put that bridge?  If it isn't at one of
the recipients' locations, forget encryption at all.  You have blown any
security you thought you might have had. 

_____________________________________________________________________
\Jeff Hupp                      |Internet: jhupp@shockwave.win.net   \
|9797 Medowglen, Apt. 1807      |Ad:    Contract Programming, Novell |
|Houston, Texas  77042          |       Network Design and Support.  |
|Voice: (713) 780 - 9419        |"The best government doesn't" -- me. |
\_____________________________________________________________________\ 

Newsgroup: sci.crypt
document_id: 16001
From: Borut.B.Lavrencic@ijs.si
Subject: Re: Key Registering Bodies

In article <C5wDFo.327@demon.co.uk>, 
Graham Toal <gtoal@gtoal.com> writes:
> In article <nagleC5w79E.7HL@netcom.com> nagle@netcom.com (John Nagle) writes:
> :       Since the law requires that wiretaps be requested by the Executive
> :Branch and approved by the Judicial Branch, it seems clear that one
> :of the key registering bodies should be under the control of the
> :Judicial Branch.  I suggest the Supreme Court, or, regionally, the
> :Courts of Appeal.  More specifically, the offices of their Clerks.
> 
> I've got a better idea.  We give one set to the KGB c/o Washington embassy,
> and the other set to the Red chinese.
> 
IMHO, one should place the keybanks into satellites (space). The 
recovery should be done only by (highly visible) teams of astronauts.


-- 
Borut B. Lavrencic, D.Sc.     | X.400   :C=si;A=mail;P=ac;O=ijs;S=lavrencic
J. Stefan Institute           | Internet:Borut.B.Lavrencic@ijs.si
University of Ljubljana,      | Phone   :+ 386 1 159 199
SI-61111 Ljubljana, Slovenia  |	    PGP Public Key available on request

DOLGO SMOIS KALIS OVRAZ NIKEI NJIHK OCNOO DKRIL IVSEB IPIKA


Newsgroup: sci.crypt
document_id: 16002
From: rja14@cl.cam.ac.uk (Ross Anderson)
Subject: Re: Tempest

whughes@lonestar.utsa.edu (William W. Hughes) writes:

> Hell, just set up a spark jammer, or some other _very_ electrically-noisy
> device.

This doesn't work, due to the near-field far-field effect. You may stop
someone five yards away from listening in, but someone fifty yards away will
be relatively unaffected - unless you pump out hundreds of watts and jam all 
the neighbourhood TV's as well. In that case the government will stomp on you -
ask any radio ham! Democratic governments care even more about their voters' 
right to watch soap operas than they do about national security, and dictators 
consider their propaganda to be an integral part of their national security.

And holland@cs.colostate.edu (Doug Holland) writes:

> Another idea: Use a laptop computer.  As mentioned earlier, the LCD screen
> is a lot less noisy than a standard CRT, but since many laptops have power
> supplies that run at 3 volts instead of 5, they would be considerably 
> quieter.

I'm afraid this doesn't work either. We can pick up laptop screens without any
problem.

Most of the so-called `low radiation' monitors are also useless. The description
turns out to be a marketing assertion rather than an engineering one.

We thought there might be a market for a monitor which was not as hugely
expensive as the military Tempest kit, but which was well enough shielded to
stop eavesdropping using available receivers. We built a prototype, it works,
and it's still sitting on my lab bench. Commercial interest was exactly zero.

In the absence of open standards, a monitor which really is `low radiation'
(and costs 500 dollars more) can't compete against a monitor which just
claims to be `low radiation' (and whose only extra cost of production is the
pretty blue sticker on the box).

Ross

Newsgroup: sci.crypt
document_id: 16003
From: rja14@cl.cam.ac.uk (Ross Anderson)
Subject: Re: New Encryption Algorithm

In article <C61rDq.5v5@chinet.chi.il.us>, schneier@chinet.chi.il.us 
(Bruce Schneier) writes:
 
|> Unlike the CIA, the NSA has no prohibition against domestic spying.  Read
|> Bamford's THE PUZZLE PALACE.

We had a senior NSA scientist in Cambridge at one of our workshops recently
(in fact he was here when the Clipper announcement was made, but we didn't
learn of it till after he'd gone). He said on this point that he was forbidden
by law to monitor conversations between US nationals (and he is a chap who is 
very precise about his choice of words). So I don't expect he'd have any qualms
about monitoring a domestic US conversation if one of the parties was an alien.

However it got me thinking of the Navajo code talkers. Just imagine:

+ `Hello, is that the Iraqi mission in New York? This is the Iraqi foreign
+ ministry in Baghdad, I am Farouq Hussein, US citizen, social security number
+ so-and-so'

+ `Yes, indeed, this is the New York mission, Mustafa Jadid speaking, also a
+ US citizen, my social security number is such-and-such, here is our report
+ on activities against the Satan Clinton'

Ross

Newsgroup: sci.crypt
document_id: 16004
From: jebright@magnus.acs.ohio-state.edu (James R Ebright)
Subject: Re: Tempest

In article <1993Apr26.104320.10398@infodev.cam.ac.uk> rja14@cl.cam.ac.uk (Ross Anderson) writes:
>whughes@lonestar.utsa.edu (William W. Hughes) writes:
[ideas that are claimed not to work deleted...]

How about putting your system inside a faraday cage?  Even I could build
one...
/Jim

-- 
 Information farming at...     For addr&phone: finger             A/~~\A
 THE Ohio State University  jebright@magnus.acs.ohio-state.edu   ((0  0))____
      Jim Ebright             e-mail: jre+@osu.edu                 \  /      \
                          Support Privacy: Support Encryption      (--)\      

Newsgroup: sci.crypt
document_id: 16005
From: Borut.B.Lavrencic@ijs.si
Subject: Re: Wiretapping reality today

In article <01050810.vuumdq@mbeckman.mbeckman.com>, 
mbeckman@mbeckman.mbeckman.com (Mel Beckman) writes:
> 
> Unfortunately, Hoover thought himself above the constitution, whatever he
> considered the limits others should obey. He ruthlessly invaded the privacy
> of many private and public citizens. 
> 
>   -mel

In 1967, when I was a grad student at UW in Seattle I had a chance to 
read Hoover's book "Masters of Deceit", and I quote a sentence (from 
memory):

"and beware my fellow Americans, a communist may look just as an 
ordinary person..."

I went to the mirror and it was true.

-- 
Borut B. Lavrencic, D.Sc.     | X.400   :C=si;A=mail;P=ac;O=ijs;S=lavrencic
J. Stefan Institute           | Internet:Borut.B.Lavrencic@ijs.si
University of Ljubljana,      | Phone   :+ 386 1 159 199
SI-61111 Ljubljana, Slovenia  |	    PGP Public Key available on request

DOLGO SMOIS KALIS OVRAZ NIKEI NJIHK OCNOO DKRIL IVSEB IPIKA


Newsgroup: sci.crypt
document_id: 16006
From: elee9sf@menudo.menudo.UH.EDU (Karl Barrus)
Subject: Re: Wiretapping reality today


David Sternlight writes:
> A little perspective might be in order.

I cannot believe you can make these claims given hard evidence of
abuse.  Do you ignore stories about surveillance of Martin Luther
King, have you blocked from your mind McCarthy's crusade in the 50's?

> The number of court ordered wire taps is pretty low.

And how many illegal wiretaps are performed?  Funny, but I'll bet that
the FBI doesn't keep statistics on these!

"confidential informer" = illegal wiretap

/-----------------------------------\
| Karl L. Barrus                    |
| elee9sf@menudo.uh.edu             | <- preferred address
| barrus@tree.egr.uh.edu (NeXTMail) |
\-----------------------------------/


Newsgroup: sci.crypt
document_id: 16007
From: smb@research.att.com (Steven Bellovin)
Subject: Re: New Encryption Algorithm

In article <41@shockwave.win.net>, jhupp@shockwave.win.net (Jeff Hupp) writes:
>     The NSA's charter forbids them from doing any purely domestic
> intelligence work; I would think that even providing assistance in
> development of the Skipjack algorithm is a violation of that charter. 
> But as with any entrenched government agency, they will do what they
> think is expedient.

There are other laws and directives which bear upon the subject.  For
example, the National Computer Security Act of 1987 specifically directs
NBS [sic] to work with NSA on developing security standards for civilian
Federal computers.  (Pick up the bill from cpsr.org; it also includes
a report describing it, and some of the legislative history, including
concerns about NSA's involvement.)  Note also that NSA is specifically
charged with running the National Computer Security Center,  -- to
quote the aforementioned report -- ``NSA also will work with industries at
the DOD Computer Security Center to develop security standards for private
sector use.''

It may or may not be a good idea to have NSA tinkering with this, but
I'm pretty sure it's legal.  (Btw -- when it comes to development of
cryptosystems, there may be two choices.  Either NSA helped develop it,
in which case maybe they can crack it, maybe not, but probably, no one
else can; or NSA didn't help, in which case they probably can crack it,
and maybe others as well...)

Newsgroup: sci.crypt
document_id: 16008
From: spp@zabriskie.berkeley.edu (Steve Pope)
Subject: Re: What is going on?...

sdoty@odie.santarosa.edu (Scott Doty) writes:

> But it does look like csrc.ncsl.nist.gov has become an
> un-machine.  If someone would try ftp'ing to it, or knows what's up, 
> I'd really appreciate the info. 

csrc.ncsl.nist.gov (129.6.54.11) is ftp-able from here...


Steve

Newsgroup: sci.crypt
document_id: 16009
From: koontzd@phobos.lrmsc.loral.com (David Koontz )
Subject: Re: Clipper considered harmful [Restated and amplified]

>Clipper also allows an extraordinary opportunity for the criminal to
>conceal use of super-encryption.  An automated full-system surveillance
>mechanism (quite feasible across radio bandwidth) which knows family key F,
>can validate Clipper wrappers and N:ESN associations, but it cannot reveal
>in realtime the use of super-encryption, unless it knows all unit keys,
>which we are being assured are only to be made available in two separate
>pieces, upon specific wiretap-like order.

The serial number will be in a 64 bit block, with a 34 bit filler.  Doesn't
take a lot to check to see if that is correct.


Newsgroup: sci.crypt
document_id: 16010
From: steve-b@access.digex.com (Steve Brinich)
Subject: Re: Tempest

  The "low radiation" claims one sees on monitors these days pertain to
allegedly harmful electromagnetic emissions, which do not necessarily have
anything to do with TEMPEST security.
  (I think the alleged hazard is BS, but that's another topic.)



Newsgroup: sci.crypt
document_id: 16011
From: ad@cat.de (Axel Dunkel)
Subject: How sensible is DES towards bit-errors?

Hello,

how sensitive is DES-encrypted data to bit errors? How much data per
bit will be lost on average (I assume you still have the correct key)?

Thanx for hints,
Axel

---
Experience is what you get if you don't get what you want...

Systemberatung Axel Dunkel, Koenigsberger Strasse 41, D 6239 Kriftel, Germany
E-Mail: ad@cat.de, Voice: +49-6192-46949, Fax: +49-6192-46949


Newsgroup: sci.crypt
document_id: 16012
From: zrepachol@cc.curtin.edu.au (Paul Repacholi)
Subject: Re: I have seen the lobby, and it is us

In article <1r9av2$bg6@transfer.stratus.com>, cme@ellisun.sw.stratus.com (Carl Ellison) writes:
> I don't know about you, but I have nearly forgotten how to generate paper
> mail.
> 
> If I had e-mail to Congress, I would have written many letters by now.
> I haven't written one yet, as it turns out.  Writing on paper is such
> a complicated job, for those of us hooked on our way-cool Internet.

Just ask postmaster for the e-mail address of the printer. :-)

~Paul


Newsgroup: sci.crypt
document_id: 16013
From: dougb@comm.mot.com (Doug Bank)
Subject: Re: Clipper Not Good Enough for Government?

In article <rdippold.735595213@qualcom>, rdippold@qualcomm.com (Ron "Asbestos" Dippold) writes:
|> There's been some discussion very recently as to whether the
|> government once again might exempt themselves from something they use
|> to screw us over...  Well, from comp.dcom.telecom:
|> 
|> From: lesreeves@attmail.com
|> Subject: Odds 'n Ends in the News
|> 
|> * The Clipper Chip device introduced yesterday by AT&T may not be
|> suitable for government use, says House Telecom Subcommittee Chairman
|> Markey.  In a letter to Commerce Secretary Brown, Markey asked whether
|> the use of the technology could lead to "inadvertently increased costs
|> to those U.S. companies hoping to serve both" the government and
|> private markets.  Markey has ordered Brown to answer several questions
|> about security and cost concerns by April 28.  (Communications Daily,
|> 4/20/93)

This is stupid.  Won't it cost more to those companies hoping to 
serve the gov't and private markets if they DON'T use the same
technology?

-- 
Doug Bank                       Private Systems Division
dougb@ecs.comm.mot.com          Motorola Communications Sector
dougb@nwu.edu                   Schaumburg, Illinois
dougb@casbah.acns.nwu.edu       708-576-8207                    

Newsgroup: sci.crypt
document_id: 16014
From: dougb@comm.mot.com (Doug Bank)
Subject: Re: Encryption Chip Availibility

In article <93113.11034134AEJ7D@CMUVM.BITNET>, <34AEJ7D@CMUVM.BITNET> writes:
|> In article <ofppPcS00iUy0_k3Mr@andrew.cmu.edu>, "Stephen J. Ludwick"
|> <sl3b+@andrew.cmu.edu> says:
|> >
|> >Hi everybody!
|> >
|> >Does anyone know of companies that are currently manufacturing
|> >encryption chips for sale to the general public?  Get them while you
|> >can!  Some pointers would be greatly appreciated.

Motorola certainly makes them, but I don't know how you
would go about buying one.  You'd probably have to buy one
of our secure radios.  

You could also bring in encryption chips from outside the country.

-- 
Doug Bank                       Private Systems Division
dougb@ecs.comm.mot.com          Motorola Communications Sector
dougb@nwu.edu                   Schaumburg, Illinois
dougb@casbah.acns.nwu.edu       708-576-8207                    

Newsgroup: sci.crypt
document_id: 16015
From: mlm@fuzine.mt.cs.cmu.edu (Michael Mauldin)
Subject: Re: Dorothy Denning opposes Clipper, Capstone wiretap chips

In article <1993Apr26.063532.10120@eff.org> mnemonic@eff.org (Mike Godwin)  
writes:
> In article <C614BJ.BK6@agora.rain.com> jhart@agora.rain.com (Jim Hart)  
writes:
> >"The security of the system should depend only on the secrecy of
> >the keys and not on the secrecy of the algorithms" -- Dorothy Denning
> 
> Cite source, please.

Dorothy Denning, _Cryptography and Data Security_, 1982, Addison Wesley.
Page 8, under the heading "Cryptosystems must satisfy three general
requirements."  The other two are efficiency and ease of use.

--Michael L. Mauldin
  Carnegie Mellon University


Newsgroup: sci.crypt
document_id: 16016
From: tarnold@vnet.IBM.COM (Todd W. Arnold)
Subject: Re: How sensible is DES towards bit-errors?

In <ad.735831059@cat> Axel Dunkel writes:
>how sensitive is DES-encrypted data to bit errors? How much data per
>bit will be lost on average (I assume you still have the correct key)?

It depends on the mode you're using.  For a single 64-bit input block, a
one-bit error will have a 50 percent chance of corrupting each of the 64
output bits - in other words, it essentially turns the output block into
a random number.  If you're encrypting data in CBC mode, however, only the
one 64-bit block will be affected.  The next block, and all that follow it,
will be decrypted properly.

It's a good idea to have some kind of error correction in your system if
corrupted bits are likely.

   - Todd
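CBC error propagation can be checked directly.  The following is an added example, not code from the thread: a toy 64-bit Feistel cipher with a SHA-256 round function stands in for DES (the standard library has none), and the key, IV and plaintext are constructed sample values.  It reports, block by block, how many plaintext bits change when a single ciphertext bit is flipped.

```python
"""Bit-error propagation in CBC mode with a toy 64-bit Feistel block cipher.

The cipher is a stand-in for DES: same 64-bit block size and Feistel
structure, but the round function is a truncated SHA-256 because the
standard library has no DES.  Error behaviour under CBC depends only on
the chaining, not on the block cipher, so the observations carry over.
"""
import hashlib

BLOCK = 8    # 64-bit block, as in DES
ROUNDS = 4   # enough rounds for full diffusion with a strong round function


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(half: bytes, subkey: bytes) -> bytes:
    # Toy round function (plays the role of DES's f): SHA-256 truncated to 32 bits.
    return hashlib.sha256(subkey + half).digest()[:4]


def _subkeys(key: bytes) -> list:
    # Toy key schedule: one derived subkey per round.
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(ROUNDS)]


def block_encrypt(block: bytes, key: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for k in _subkeys(key):
        left, right = right, _xor(left, _round(right, k))
    return left + right


def block_decrypt(block: bytes, key: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for k in reversed(_subkeys(key)):
        left, right = _xor(right, _round(left, k)), left
    return left + right


def cbc_encrypt(plaintext: bytes, key: bytes, iv: bytes) -> bytes:
    assert len(plaintext) % BLOCK == 0, "plaintext must be a whole number of blocks"
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(_xor(plaintext[i:i + BLOCK], prev), key)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(ciphertext: bytes, key: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(c, key), prev))  # P_i = D(C_i) ^ C_(i-1)
        prev = c
    return b"".join(out)


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with one bit inverted (simulates a transmission error)."""
    b = bytearray(data)
    b[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(b)


def differing_bits(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def cbc_error_propagation(plaintext: bytes, key: bytes, iv: bytes, bit_index: int) -> list:
    """Flip one ciphertext bit; return, per block, how many decrypted bits changed.

    Expected pattern for CBC: the block containing the error decrypts to garbage
    (about half its bits differ), the following block differs in exactly the one
    bit position that was flipped, and every other block is untouched.
    """
    ct = cbc_encrypt(plaintext, key, iv)
    damaged = cbc_decrypt(flip_bit(ct, bit_index), key, iv)
    return [differing_bits(plaintext[i:i + BLOCK], damaged[i:i + BLOCK])
            for i in range(0, len(plaintext), BLOCK)]


# Constructed sample values for the demonstration (not real secrets).
SAMPLE_KEY = b"constructed-key!"
SAMPLE_IV = bytes(range(BLOCK))
SAMPLE_PLAINTEXT = b"block 0 block 1 block 2 block 3 "   # four 8-byte blocks
SAMPLE_BIT = 8 * BLOCK + 13                               # a bit inside block 1

if __name__ == "__main__":
    for n, changed in enumerate(cbc_error_propagation(SAMPLE_PLAINTEXT, SAMPLE_KEY,
                                                      SAMPLE_IV, SAMPLE_BIT)):
        print(f"block {n}: {changed} plaintext bits changed")
```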

Newsgroup: sci.crypt
document_id: 16017
From: georgel@NeoSoft.com (George Livsey)
Subject: Is it illegal to transmit encrypted data?


   I am aware of the restrictions imposed by the munitions act
on the export of cryptographic technology, however, is it illegal to
transmit encrypted data from the U.S. to another country?  If so,
then which laws apply to this situation?
 
-- 
georgel@NeoSoft.com   |                        
George Livsey         |           Visualize Whirrled Peas!           
Net's Worth           |                        
(713) 994-0447

Newsgroup: sci.crypt
document_id: 16018
From: eachus@spectre.mitre.org (Robert I. Eachus)
Subject: Re: Keeping Your Mouth Shut (was: Hard drive security)

In article <1993Apr21.023319.13965@midway.uchicago.edu> smk5@quads.uchicago.edu (Steve Kramarsky) writes:

  > OK, I should have read the thread before posting my own $0.02.  I would
  > just add to Phil's very informative discussion the following caveat: the
  > fifth amendment applies ONLY in criminal cases.  ("...nor shall any person
  > . . . be compelled in any criminal case to be a witness against himself...").

    Maybe you are using the wrong amendment.  If someone were to seize
a safe containing your (paper) records, and demand that you produce
the combination, the applicable defense would be on grounds of
unreasonable search and seizure.  The police would be entitled to
subpoena documents relating to a specific matter, but any broad search
such as implied by impounding all your records would be unconstitutional.
In the case of the safe, they would probably get a locksmith and
assert that they ONLY examined documents covered by the warrant.
(Sure!)  In the cryptographic case, their only resort would be
rubber-hose cryptography.

    (This would also make a good "mental experiment" to use in
choosing escrow agents.  Would you trust this proposed agent with a
key to your hard disk?--or half the key for that matter.)

--

					Robert I. Eachus

with Standard_Disclaimer;
use  Standard_Disclaimer;
function Message (Text: in Clever_Ideas) return Better_Ideas is...

Newsgroup: sci.crypt
document_id: 16019
From: patl@golem.mit.edu (Patrick J. LoPresti)
Subject: Re: S1, S2


>>>>> In article <1r60ue$102@access.digex.net>,
>>>>> steve-b@access.digex.com (Steve Brinich) writes:

 > Second question: Why!?!? Why is such a strange procedure used, and
 >not a real RNG ? This turns those S1,S2 in a kind of bottleneck for
 >system- security.

	>> The only theory that makes any sense is that S1 and S2 are
	>> either the same for all chips, or vary among very few
	>> possibilities, so that anyone trying to break the encryption
	>> by brute force need only plow through the possible serial
	>> numbers (2^30, about one billion), multiplied by the number
	>> of different S1, S2 combinations.


Suppose instead that S1 and S2 can be reconstructed given 3 or 4 of the
unit keys generated in a single batch (through some sort of known
plaintext attack, say).  Suppose further that 3 or 4 of the chips
programmed in each session never find their way into commercial
products, but instead end up "elsewhere".

Suppose the folks at "elsewhere" can determine a unit key, given
physical access to one of these chips.  Then those same folks can
determine S1 and S2 for the whole batch...

Too many suppositions?  Yeah, probably.

- Pat




Newsgroup: sci.crypt
document_id: 16020
From: jbs@watson.ibm.com
Subject: Re: Clipper chip

         Is it realistic for the government to try to keep the details
of the encryption algorithm secret if it intends to use evidence from
wiretaps in court?  Won't defense attorneys attempt to obtain the
details of the method if the prosecution attempts to present evidence
from wiretaps in court?  Is it certain that such attempts will fail?
                          James B. Shearer

Newsgroup: sci.crypt
document_id: 16021
From: ee92jks@brunel.ac.uk (Jonathan K Saville)
Subject: Re: PGP Where to get it?

Jeff Hupp (jhupp@shockwave.win.net) wrote:
:         
:         I am fascinated by the things I have heard about the PGP
: encryption program.  Does anybody out there know where I might get a
: version of this program that runs under Windows 3.1, MS-Dos, Unix
: w/source?  As of this writing I have no UNIX access and am running on a
: nifty windows implementation of uucico.

At the moment PGP is available in executable format for MS-DOS and Mac,
and source code for most other platforms including UNIX. Many FTP sites
keep a copy (although the Mac version is getting hard to find). Try the
following site:

soda.berkeley.edu           /pub/cypherpunks/pgp

Jon
--
#      Jon Saville       |   Who alive can say, 'Thou art no
#  ee92jks@brunel.ac.uk  |  Poet, may'st not tell thy dreams?'
                                 ---  Keats, 1819  ---
     PGP 2.2 public key available upon request or by finger


Newsgroup: sci.crypt
document_id: 16022
From: dougb@comm.mot.com (Doug Bank)
Subject: Re: Clipper and conference calls


|>    > Just curious, how would the Clipper Chip system handle
|>    > conference calls?
 
|> Depending on the encryption system, so long as everyone has the same
|> key, it can be done.  For example, I was using "vat", which is an
|> Internet Audio tool, for a conference call, and we were encrypting the
|> session.  (Unfortunately, one site was doing more work, and didn't
|> have the CPU for it, so it didn't sound all that good at a different
|> site)

You would have to use something other than the AT&T black box - in other
words, I don't think public key would work.  The session key would have 
to be agreed upon prior to the conversation and distributed to all 
sites beforehand.

Or go out and get a STU-III ;-)

-- 
Doug Bank                       Private Systems Division
dougb@ecs.comm.mot.com          Motorola Communications Sector
dougb@nwu.edu                   Schaumburg, Illinois
dougb@casbah.acns.nwu.edu       708-576-8207                    

These opinions do NOT reflect Motorola thinking in any way, shape, or form.

Newsgroup: sci.crypt
document_id: 16023
From: pat@rwing.UUCP (Pat Myrto)
Subject: Re: Hearing on 29 April 1993

In article <C62oJM.CJH@News.MR.Net> tmplee@TIS.COM (Theodore M.P. Lee) writes:
>In article <tenneyC62HqH.6s1@netcom.com> Glenn S. Tenney,
>tenney@netcom.com writes:
>> of interest.  I understand that on 29 April, Mr. Markey will be holding a
>> hearing on the questions raised in this letter.  There may also be a follow-on
>> hearing dedicated to the clipper chip, but that's not definite.
>
>Glenn,
>
>Thanks for posting that.  I was surprised to notice, however, that one
>question I might have expected to be asked was not:  "Are all forms of
>strong encryption other than the Clipper to be made illegal?"  Speaking
>of which, is anyone aware of whether that question *has* been asked of
>any knowledgeable or official spokesperson for the government?  I have
>not yet seen it mentioned in any of a dozen places it might have been
>reported, but I could have easily missed it.

Please let us know if you get a solid answer to the question of legality
of other strong cryptosystems.   So far any references I have seen
have been weasel-words ("more plans in the future, etc"), but nothing
that could be taken as a "NO (strong crypto will NOT be outlawed)".  I
have heard (not verified) that the Crime Bill before Congress has
language that either requires escrow of keys, or that will regard
all systems 'unapproved' for public use, like strong cryptosystems
not trivially broken by the Govt, or without escrowed keys
which one cannot readily change (read: use being only permitted by
folks with 'special' connections, or government agencies) as either
'terrorist tools' or 'drug dealers tools'.  Not outlawed SPECIFICALLY
but by added Civil Forfeiture powers, and clever wording, EFFECTIVELY
outlawed for all intents and purposes.

Now, for some idle speculation ... for those who don't care, hit 'n' now.

Crypto being EFFECTIVELY outlawed could be done without SPECIFICALLY
outlawing ANY class of crypto systems.  For example, a crowbar, hammers,
screwdrivers, and such can be regarded as 'burglar tools' pretty much
at the whim of the authorities, based primarily on the individual
possessing them in the car, etc. not being in a trade that makes routine
use of these tools.  In a like manner, one who has no 'legitimate need'
(gov't definition) for strong crypto software or systems, and is caught
using them, might find themselves in possession of 'terrorist tools'.
In other words, if one is not working for a corporation with extremely
sensitive commercial data that warrants (in the Fed's opinion) strong
security, or a government agency, and securing only work-related data,
not personal data, one will most likely be nailed on this if discovered.
A personal desire for 'privacy' most certainly will not be regarded as
a 'legitimate NEED': 
"Why do you want such strong security, especially from 'legitimate law
enforcement'? An individual with 'legitimate' endeavors would not be so
concerned - government is not in the business of revealing your personal
secrets to the public... so you must be trying to conceal or planning
to conceal some unlawful or criminal activity...  DO YOU HAVE SOMETHING
TO HIDE, HMMMM?"
I expect that initially there will be some people selected either at
random, or who happen to have been 'troublemakers' for the purposes of
'making an example' for those who think the Feds are not SERIOUS about
this... (mega ':-('s)

One asking about a 'right' to privacy will probably get a response that
there is no constitutional right for privacy spelled out AS SUCH (an
argument used in the abortion debate):  "You do NOT have a right to have
security that 'Legitimate Law Enforcement cannot break'" (as suggested
in the Clipper Press Release).

This, in a nutshell, is what I find so extremely frightening.  Not only
for crypto systems, as in this case, but for the precedent it will set,
laying the groundwork for future erosions of privacy (escrow of both
safe-deposit box keys - 'master' keys or combinations for privately
owned safes, and so on.  WHY NOT?)...

I cannot think of a better way to make an 'end-run' around those
'inconvenient' parts of the US Constitution.  A law cannot be easily
declared unconstitutional, if there IS NO SPECIFIC LAW.  It would
simply be a minor extension of the RICO statutes or WoD policies. A
simple policy decision, just like so many of the gun regulations are
mainly BATF policy decisions...  The Conversation of the Fed agents
would go something like:

"We are gonna seize your home, your computers, your car, your bank
account, (you don't have to undress and give us yer clothes, unless you
have a floppy in yer pocket) because they are all connected with your
acquisition, transport, and use of 'terrorist tools' and/or 'drug dealers
tools' - part of the WoD or against terrorism, ya unnerstand... no
decent American Subject would be against these noble causes...".

"Note we are not accusing YOU of any wrong-doing ... we are only saying
your HOME, COMPUTERS, CAR, BANK ASSETS are connected with wrong-doing
SOMEHOW - they housed, transported, and funded these 'terrorist tools'.
Only a civil matter ...  <heh-heh> ... We had this 'tip'...<grin>".

"Therefore, the Constitutional Protection on Individual rights do NOT
apply - we are 'arresting' the tainted PROPERTY... not YOU...<evil grin>".

"If you wish to deposit a BOND, hire some attorneys, and go to court to
PROVE the innocence of this property (that they are not 'terrorist tools'
and again to prove they are not also 'drug dealers tools'), go ahead,
we have no problem with that!  'Course, with your bank assets seized,
no car, computer, or home, (probably no job, too) and your
less-than-limitless resources, you might run into some minor practical
difficulties <grin>...".

THAT is what has me going so damned ballistic...  It is EXACTLY how
the logic goes when someone gives a 'tip' that your home has been
used to store DRUGS...  Note no trace of drugs need to be found on
the property... only some bozo who will say 'yup.  I stored stuff in
that dude's house...' (probably to get out of a 10 year sentence for
dealing).  Much more cost effective to let him walk, to bust another
day, and hit the jackpot with YOUR assets...

Ob Disclaimer (of course)...

Ok, note that I am not a lawyer, and can only base these speculations
on what I have read/heard/been told regarding past Civil Forfeiture
cases, and how they are used to augment the budgets of assorted agencies,
or to get 'cooperation' of folks who just want to be left alone, or who
do not wish to be put in a risky situation (especially in areas where
they are denied either meaningful police protection, AND the means to be
able to even pretend to defend themselves, as is quite common back East,
like NJ, MA, NYC, Wa DC, or out West in CA).  These people have the
choice of cowering under the government boot, or cowering under threats
of pissed off drug dealing gang-bangers... helpless in either case...
All behind some dude who drops a dime on you for his gain, or behind
the Feds wanting to 'make an example'...  Civil Forfeiture being the 'hook'.

Point is, are these speculations way out of line, or are they all too
typical, and if so, does the extension to crypto and just about anything
that the Feds regard as 'inconvenient' seem reasonable?  And if not
why not (what are our guarantees, besides the government promises)?

NONE?

>Ted Lee
>Trusted Information System, Inc.                        tmplee@tis.com
>PO Box 1718 
>Minnetonka, MN 55345

-- 
pat@rwing.uucp      [Without prejudice UCC 1-207]     (Pat Myrto) Seattle, WA
         If all else fails, try:       ...!uunet!pilchuck!rwing!pat
WISDOM: "Only two things are infinite; the universe and human stupidity,
         and I am not sure about the former."              - Albert Einstein

Newsgroup: sci.crypt
document_id: 16024
From: wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705)
Subject: Re: Clipper considered harmful [Restated and amplified]

In article <1993Apr26.145937.3570@wdl.loral.com> koontzd@phobos.lrmsc.loral.com (David Koontz ) writes:
   >Clipper also allows an extraordinary opportunity for the criminal to
   >conceal use of super-encryption.  An automated full-system surveillance
   >mechanism (quite feasible across radio bandwidth) which knows family key F,
   >can validate Clipper wrappers and N:ESN associations, but it cannot reveal
   >in realtime the use of super-encryption, unless it knows all unit keys,
   >which we are being assured are only to be made available in two separate
   >pieces, upon specific wiretap-like order.

   The serial number will be in a 64 bit block, with a 34 bit filler.  Doesn't
   take a lot to check to see if that is correct.

Depends on whether the filler is a constant (makes checking easy,
but susceptible to replay), or variable (e.g. timer, counter, random),
which makes replay harder and can also make it easier for the
inquisitors to know if they've missed messages, or gotten them out of
sequence, or other interesting things that sort of person might care about.

It is still easy to conceal super-encryption, at least until the
inquisitors get ahold of the K key, which can take a while,
presumably not in near-real-time.  (Worst-case, in which the escrow agencies
provide the U key to the local cops, still only gets one side of the
conversation per warrant, unless the same key is used for both directions,
which I suppose the CAPSTONE version of the chip will probably insist on.)
--
#				Pray for peace;      Bill
# Bill Stewart 1-908-949-0705 wcs@anchor.att.com AT&T Bell Labs 4M312 Holmdel NJ
#	              No, I'm *from* New Jersey, I only *work* in cyberspace....
# White House Comment Line 1-202-456-1111  fax 1-202-456-2461

Newsgroup: sci.crypt
document_id: 16025
From: wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705)
Subject: Re: Clipper and conference calls

In article <42@shockwave.win.net> jhupp@shockwave.win.net (Jeff Hupp) writes:
   >> conference calls?
   >It's not Clipper, it's any encryption system.  I've seen a number of
   >designs; they generally involve a multi-line cleartext bridge.

	   A 'multi-line cleartext bridge?"
			 ^^^^^^^^^
	   And just where would you put that bridge?  If it isn't at one of
   the recipients' locations, forget encryption at all.  You have blown any
   security you thought you might have had. 

Most of the people using encrypted conference bridges these days are
military (or equivalent, like CIA and other embassy personnel),
so putting bridges on the recipient's location is normal -
it's in a vault on a military base or Ft. Meade, and the
secure phones are in sound-proof rooms with big locks on the doors
because they're talking about Classified Stuff (or Golf with Other Generals.)

That paradigm will change as we start using encrypted phones in our
offices or homes to carry on normal conversations about dinner plans
and stock purchases and meeting schedules and technical info
and the good batch of illegal frop that we got last weekend from Bob;
most people don't use sound-proof vaults, and may use bridges in their
PBX or from the local phone company (3-way calls) or Long Distance
or value-added phone company (e.g. Alliance conference bridges).

If Clipjack is mainly used for the radio portion of cellular phones,
the conferencing aspects don't change.  But there may be a market niche for
trusted conference-bridge providers, though I suppose the inquisitors
would try to get a blanket wiretap authorization for many bridges,
just in case a Bad Guy might use the service.
--
#				Pray for peace;      Bill
# Bill Stewart 1-908-949-0705 wcs@anchor.att.com AT&T Bell Labs 4M312 Holmdel NJ
#	              No, I'm *from* New Jersey, I only *work* in cyberspace....
# White House Comment Line 1-202-456-1111  fax 1-202-456-2461

Newsgroup: sci.crypt
document_id: 16026
From: angel@Foghorn_Leghorn.coe.northeastern.edu (Kirill Shklovsky)
Subject: Re: Tempest

In article <1993Apr26.104320.10398@infodev.cam.ac.uk> rja14@cl.cam.ac.uk (Ross Anderson) writes:
>I'm afraid this doesn't work either. We can pick up laptop screens without any
>problem.
>
>Most of the so-called `low radiation' monitors are also useless. The description
>turns out to a marketing assertion rather than an engineering one.
>
>We thought there might be a market for a monitor which was not as hugely
>expensive as the military Tempest kit, but which was well enough shielded to
>stop eavesdropping using available receivers. We built a prototype, it works,
>and it's still sitting on my lab bench. Commercial interest was exactly zero.
>
>In the absence of open standards, a monitor which really is `low radiation'
>(and costs 500 dollars more) can't compete against a monitor which just
>claims to be `low radiation' (and whose only extra cost of production is the
>pretty blue sticker on the box).
>
>Ross

I heard somewhere (can't name the source) that TEMPEST does not necessarily
pick-up just CRTs, but it can pick up emissions from almost any chip.  If
that is true, the kind of monitor would not make any difference because everything
on the screen can be picked-up from the video controller.  Can anybody verify
or refute this?

        *             Angel@foghorn_leghorn.coe.northeastern.edu
   *   * *     *   BTW: These are my opinions, and not that of any other entity
- * * *   *   * * ------------------------------------------------------------*
     *     * *               My god, its full of stars! - Dave
            *        I don't know about you, but we've got company!  - Epidemic


Newsgroup: sci.crypt
document_id: 16028
From: mgr@anhep3.hep.anl.gov (Dr. mike)
Subject: Official Secrets act (USA)

Sorry, my news reader doesn't seem to know how to copy a subject header.
This tracks the thread "why people don't need strong crypto....."

The Atomic Energy Act of 1954 expressly forbids *thinking* about building
nuclear devices.  While I was in grad school, a friend of mine got a 
security clearance to work on the defense for the Progressive magazine.
He found lots of articles which were public domain *removed* from the
local engineering library (Madison Wisconsin).  So the lawyers sent him
all over the states to other libraries to show that the information in
the article was already public.  What pissed everyone off was a local
underground paper went and published the article anyway (it had been
precensored by the feds, that's what this was all about) so the judge
declared the case moot.

The Atomic Energy Act of 1954 has never been tested in court.  From my
discussions with several people familiar with the case, only 2 other
times has this preemptive clause been used.  In every case the people
simply did what they felt like and courts tossed the cases out.

For all intents and purposes, the government *does* have precedent for
declaring things classified *after* it has been published.  While I was
working on Star Wars this happened to me: my clearance was in the works
and I developed a method for tracking particle beams.  It was good enough
to classify, so I was no longer allowed to work on it.  A friend from
Canada was in the same boat: he developed a method to compute stripping
cross sections, but because the subject was classified *he was not allowed
to present his own paper at a conference!*.  He later published it in an
open journal without problems.

When the going gets weird, the weird turn pro.  The feds can do whatever
they want whenever they feel like it, and they will make up rules to let
themselves get away with it.  Since the mass media can't tell the difference
between a joke and the real thing (like "ranch apocalypse" for the Waco
massacre) don't count on them to help spread the word about their loss
of freedom.  The government *can* make strong crypto illegal.  SO WHAT?
Since the government does not obey any of its own rules, why should we?

Patience, persistence, truth,		reality: dvader@hemp-imi.hep.anl.gov
Dr. mike				home:    mrosing@igc.org

Newsgroup: sci.crypt
document_id: 16029
From: weaver@kuttner.sfc.sony.com (Eric Weaver)
Subject: Citations for Electronic Cash papers please


Deeply grateful for citations to any papers on electronic cash schemes.
Enquiring minds &c...
-- 
Eric Weaver  Sony AVTC  677 River Oaks Pkwy, MS 35  SJ CA 95134  408 944-4904
& Chief Engineer, KFJC 89.7 Foothill College, Los Altos Hills CA 94022

Newsgroup: sci.crypt
document_id: 16030
From: baxter@ed0118.ped.pto.ford.com (Gene Baxter)
Subject: Re: Let's build software cryptophones for over the internet...

douglas craig holland (holland@CS.ColoState.EDU) wrote:
: In article <C62D8r.C7p@demon.co.uk> Graham Toal <gtoal@gtoal.com> writes:
: >In article <1rf04s$jqu@sol.TIS.COM> mjr@tis.com (Marcus J Ranum) writes:
: >:	I'd really like to see such a thing developed so that interactive
: >:internet talk radio could be done. Ideally, though, it should be a general
: >:purpose device. It should be a general purpose enough device that nobody
: >:should be able to balk at its widespread use. Obviously, to make it easy
: >:for homebrewers, it should use pretty common hardware.
: 
:      Why don't we move down even further toward the masses by setting this
: up on an IBM PC clone(probably needs to be a 386 or a 486) with a 
: sound blaster and a V.32bis modem.  Those components are very widely

	I concur for a PC to PC version.  BUT for an interactive thing like
internet talk radio?!?!  It makes me cringe at the amount of hogging such
a thing would do to the bandwidth of the internet.  I mean 15 meg files getting
floated around for internet talk radio is bad enough.  I have a solution; use
the phone system; take your electronics and use them on point to point 
conversations through the phone and that's it.  If you need to tell someone 
something secret and very important wouldn't it make more sense to write it 
out concisely? And if it's just a quick "YO" then use a code word and spend 
your twenty cents.
	Those good ol' analog systems like Shortwave, Telephones, and TVs have
a use; don't gunk up a nice digital packet network trying to emulate them!

Baxter
Baxter.

Newsgroup: sci.crypt
document_id: 16031
From: rbrand@usasoc.soc.mil (Raymond S. Brand)
Subject: Re: Clipper considered harmful

In article <1993Apr24.160121.17189@ulysses.att.com>, smb@research.att.com (Steven Bellovin) writes:
[...]
> There are three issues with Clipper.  The first is whether or not the
> architecture of the whole scheme is capable of working.  My answer,
> with one significant exception, is yes.  I really do think that NSA and
> NIST have designed this scheme about as well as can be, assuming that
> their real objectives are as stated: to permit wiretapping, under
> certain carefully-controlled circumstances, with a minimum risk of
> abuse.  (The exception is that U exists outside of the chip, on a
> programming diskette.  That's seriously wrong.  U_1 and U_2 should be
> loaded onto the chip separately.)  To those who disagree (and I don't
> claim my answer is obvious, though I found my own reasoning
> sufficiently persuasive that I was forced to rewrite the Conclusions
> section of my technical analysis paper -- I had originally blasted the
> scheme), I issue this invitation:  assume that you were charged with
> implementing such a system, with complete regard for civil rights and
> due process.  What would you do differently?  In answering this
> question, please accept NSA's fundamental assumptions:  that both
> strong cryptography against outsiders, and the ability to wiretap
> *some* domestic users, is necessary.  (If you feel it necessary to
> challenge those assumptions, do it in the context of the last issue I
> present below.  Right here, I'm discussing *just* the technical
> aspects.  And no, I don't by any means claim that just because
> something can be done, it should be.)

OK Steve, here's a sketch of an alternative that I believe addresses
most of the objections to the Clipper scheme.

Notation:
	+	concatenation
	^	exclusive or
	E(M,K)	message M encrypted by key K
	D(M,K)	message M decrypted by key K
	H(M)	hash (digest/signature) of message M

Important Values:
	U0[X]		local chip unit key from escrow agency X
	U1[X]		remote chip unit key from escrow agency X
	N[0]		serial number of the local chip
	N[1]		serial number of the remote chip
	A		number of escrow agencies
	K[0],K[1]	"session keys" agreed upon external to this protocol
	F		"family key", need not be secret

Protocol:
	Choose K0[1],...K0[A] such that K[0] = K0[1]^...^K0[A]
	Remote chip does same for K[1],K1[1],...,K1[A].

	Compute the following:

		L0[1] = E(K0[1], U0[1])
		...
		L0[A] = E(K0[A], U0[A])

		L[0] = N[0] + E(N[0] + L0[1] + ... + L0[A], F)

		Remote chip does the same for L1[1],...,L1[A],L[1]

	Send L[0] to remote chip and receive L[1] from remote chip

	Compute:

		KE[0] = H(K[0] + N[0] + L0[1] + ... + L0[A]
			+ K[1] + D(L[1], F))

		KD[0] = H(K[1] + D(L[1], F)
			+ K[0] + N[0] + L0[1] + ... + L0[A])

		Note that D(L[1], F) = N[1] + L1[1] + ... + L1[A]

		Remote chip does the same for KE[1] and KD[1]

	User data is encrypted (decrypted) with keys KE[0], KE[1]
		(KD[0], KD[1])

Assumptions:
	No trap doors in E(), D() and H(). H() is not invertible.

	Algorithms for E(), D() and H() are secret. Otherwise a software
	implementation (bogus chip) could communicate with a real chip.

	The chip only supports the following operation:

		1)  Return N[0]
		2)  Load K0[x]
		3)  Return E(K0[x], U0[x])
		4)  Return E(N[0] + L0[1] + ... + L0[A], F)
		5)  Given E(N[1] + L1[1] + ... + L1[A], F),
			return N[1],L1[1],...,L1[A]
		6)  Load K[1]
		7)  Given E(N[1] + L1[1] + ... + L1[A], F),
			compute KE[0], KD[0]
		8)  Given M, return E(M, KE[0])
		9)  Given M, return D(M, KD[0])

	Anything programmed into the chip can be determined by destroying
	the chip (U[1],...,U[A],F,N[0]).

	U[1],...,U[A] cannot be determined except by destroying the chip.
	(Unfortunately this may not be true in reality. I suppose it's
	possible to determine how a chip has been programmed with a
	sophisticated x-ray machine to look for blown fuses.)

	The U's are programmed independently by the escrow agencies.

Notes:
	For tapping escrow agency Y is given N[0], E(K0[Y], U0[Y]), N[1],
	E(K1[Y], U1[Y]) and returns K0[Y], K1[Y].

	LEA's must contact all escrow agencies with the serial numbers from
	both chips and the encrypted partial keys. This allows the agencies
	to record that both chips were tapped.

	LEA's only get the session key, not the key to all conversations
	of a particular chip. This precludes real-time decrypting of a
	conversation but that isn't one of the STATED requirements.

Observation:
	In order for any secure but "tap-able" communication scheme to work,
	the active parts need to share a secret. And if this secret is
	revealed, communications by those that know the secret can be made
	"un-tap-able". Obvious candidates are the cryptographic algorithm
	and the master (family) key. Relative size and complexity suggests
	that the key can be obtained from a silicon implementation of the
	scheme a LOT easier and faster than the algorithm.


						rsbx

-----------------------------------------------------------------------------
Raymond S. Brand					rbrand@usasoc.soc.mil
-----------------------------------------------------------------------------

Newsgroup: sci.crypt
document_id: 16032
From: amanda@intercon.com (Amanda Walker)
Subject: Re: Once tapped, your code is no good any more.

In article <116664@bu.edu>, uni@acs.bu.edu (Shaen Bernhardt) writes:
> Think again.  You won't see me using apple's new signature from the 
> finder feature. 

Why not?  It hasn't been released, so there's no way for you to evaluate it 
yet.  After all, Apple could have been smart and had AOCE use an MD5 hash 
encrypted with RSA, just like PKCS signatures.  They could even be actually 
PKCS compliant, for all you know; why not wait until it is released, and hard 
information is available, before passing judgement on it?

AOCE's algorithms aren't secret because Apple's being fascistic--AOCE itself 
remains secret (except for Apple demos at MacWorld :)), simply because it's 
not done yet.

It may be flawed, and it may not.  However, you can't tell which until you 
actually see it.  I, at least, am quite impressed with what I have seen so 
far, and have no expectation of being disappointed.


Amanda Walker
InterCon Systems Corporation



Newsgroup: sci.crypt
document_id: 16033
From: karl@genesis.MCS.COM (Karl Denninger)
Subject: Government intentions regarding encryption

There is an article in Communications Week (April 12's issue) which
states definitively that not only is the justice department trying to revive
the "wiretapping bill", but they are ALSO trying to find a way to force key
registration.  CLIPPER is an obvious thrust in exactly this direction.
Dorothy Denning is quoted in this missive.

Communications Week, April 12th, page 8.  Read it and get peeved folks.
Then ACT NOW or lose your fundamental right to privacy.

Clinton has shown us that his only interest in this has to do with abortion,
and not the right of all citizens to be secure in their papers and effects.

--
Karl Denninger (karl@genesis.MCS.COM) 	| You can never please everyone except
Data Line: [+1 312 248-0900]		| by bankrupting yourself.
         	   LIVE Internet in Chicago; an MCSNET first!

Newsgroup: sci.crypt
document_id: 16034
From: gardner@convex.com (Steve Gardner)
Subject: Re: Hearing on 29 April 1993

In article <2112@rwing.UUCP> pat@rwing.UUCP (Pat Myrto) writes:
>A personal desire for 'privacy' most certainly will not be regarded as
>a 'legitimate NEED': 
>"Why do you want such strong security, especially from 'legitimate law
>enforcement'? An individual with 'legitimate' endeavors would not be so
>concerned - government is not in the business of revealing your personal
>secrets to the public... so you must be trying to conceal or planning
>to conceal some unlawful or criminal activity...  DO YOU HAVE SOMETHING
>TO HIDE, HMMMM?"
	You have underlined here the battle that must be fought.  It is
	a battle for the "hearts and minds" of the american public.
	People must realize that the government is not a fit
	"father confessor".  The government does not have a right to
	share our every thought the moment we decide to share that
	thought with someone else at a distance.  In order to protect
	ourselves from a government bent on undermining the constitution
	we must realize that our government is our enemy as much if not
	more than the Soviet Union ever was.  This is hard for 
	some people who have been brought up with loyalty to our government
	cast as being synonymous with patriotism.  

>I expect that initially there will be some people selected either at
>random, or who happen to have been 'troublemakers' for the purposes of
>'making an example' for those who think the Feds are not SERIOUS about
>this... (mega ':-('s)
	We must be vigilant and make sure that we do not let such
	events go by unprotested.  We must be willing to fight the
	government at every step of the way.  

>THAT is what has me going so damned ballistic...  It is EXACTLY how
>the logic goes when someone gives a 'tip' that your home has been
>used to store DRUGS...  Note no trace of drugs need to be found on
>the property... only some bozo who will say 'yup.  I stored stuff in
>that dude's house...' (probably to get out of a 10 year sentence for
>dealing).  Much more cost effective to let him walk, to bust another
>day, and hit the jackpot with YOUR assets...
	It's time we rolled back this nonsense.  Civil forfeiture is
	the most effective end run around the constitution that has
	ever been promulgated.  Our enemy used to be the Soviets now
	it is clearly our own government.  



							smg

Newsgroup: sci.crypt
document_id: 16035
From: jrbd@craycos.com (James Davies)
Subject: Re: Clipper considered harmful [Restated and amplified]

In article <1993Apr26.145937.3570@wdl.loral.com> koontzd@phobos.lrmsc.loral.com (David Koontz ) writes:
>>Clipper also allows an extraordinary opportunity for the criminal to
>>conceal use of super-encryption.  An automated full-system surveillance
>>mechanism (quite feasible across radio bandwidth) which knows family key F,
>>can validate Clipper wrappers and N:ESN associations, but it cannot reveal
>>in realtime the use of super-encryption, unless it knows all unit keys,
>>which we are being assured are only to be made available in two separate
>>pieces, upon specific wiretap-like order.
>
>The serial number will be in a 64 bit block, with a 34 bit filler.  Doesn't
>take a lot to check to see if that is correct.

Yes, but the extra encryption could be applied *before* the message
is encrypted by the Clipper, so that the wrapper would be fine, the
phone's serial number and the session key would be in the law-enforcement
field, etc., but the message wouldn't be readable even if the particular
Clipper's key were obtained from the escrow agents.  In fact, it shouldn't
even be possible to detect that a message has been double-encrypted without
a court order, right?

Newsgroup: sci.crypt
document_id: 16036
From: jrbd@craycos.com (James Davies)
Subject: Re: Clipper considered harmful [Restated and amplified]

In article <WCS.93Apr26141950@rainier.ATT.COM> wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705) writes:
>
>It is still easy to conceal super-encryption, at least until the
>inquisitors get ahold of the K key, which can take a while,
>presumably not in near-real-time.  (Worst-case, in which the escrow agencies
>provide the U key to the local cops, still only gets one side of the
>conversation per warrant, unless the same key is used for both directions,
>which I suppose the CAPSTONE version of the chip will probably insist on.)

I was under the impression (from reading Denning's description of the
Clipper's operation) that the same session key *is* used in both directions for
encrypting the message text, but that each chip uses its own key for
encrypting the session key into the law-enforcement field.  So, you only
need to know the U key for one of the phones involved to decrypt the
messages in both directions.

Newsgroup: sci.crypt
document_id: 16037
From: uni@acs2.bu.edu (Shaen Bernhardt)
Subject: Re: Overreacting (was Re: Once tapped, your code is no good any more)

In article <1993Apr23.134422.25521@rick.dgbt.doc.ca> jhan@debra.dgbt.doc.ca (Jerry Han) writes:
>In article <116530@bu.edu> uni@acs.bu.edu (Shaen Bernhardt) writes:

[Text Deleted]

>>To be quite honest, the way things are going, I'd call it self defense.

>I never advocated not saying what you believe in.  I'm advocating second
>thought, and calm.  
>
>"A smart warrior defeats the enemy in ambush on the battlefield"
>"A smarter warrior defeats the enemy in open warfare on the battlefield"
>"The smartest warrior defeats the enemy without using the battlefield"
>
>Think about it.  

I have, my thesis was on Sun Tzu.

More to the point:

Those who are called the good militarists of old, could make opponents
lose contact between front and back lines, lose reliability between
large and small groups, lose mutual concern for the welfare of the
different social classes among them, lose mutual accommodation between
the rulers and the ruled, lose enlistments among the soldiers, lose
coherence within the armies.  They went into action when it was
advantageous, stopped when it was not.

Today it is.  Sitting on your hands will get you nowhere in this battle.

>-- 
>Jerry Han-CRC-DOC-Div. of Behavioural Research-"jhan@debra.dgbt.doc.ca"
>///////////// These are my opinions, and my opinions only. \\\\\\\\\\\\\
>\\\\\\\\\ A proud and frozen member of the Mighty Warriors Band ////////  
>"Memories of those I've left behind, still ringing in my ears."-Genesis-

uni@acs.bu.edu
-- 
uni@acs.bu.edu  ->  Public Keys by finger and/or request
Public Key Archives: <pgp-public-keys@pgp.iastate.edu> 
Sovereignty is the sign of a brutal past.<>Fight Clinton's Wiretap Chip!
DF610670F2467B99 97DE2B5C3749148C <> Crypto is not a Crime! Ask me how!

Newsgroup: sci.crypt
document_id: 16038
From: gjb@fig.citib.com (Greg Brail)
Subject: Re: Write to Clinton

In article <1r74a4$h2t@transfer.stratus.com> cme@ellisun.sw.stratus.com (Carl Ellison) writes:
>
>I've been reading the sci.crypt, alt.privacy.clipper and comp.org.eff.talk
>discussions about the Clipper chip and find (as usual) that most of us
>think alike -- so there's a lot of repetition.  If each of these messages
>were sent to Clinton as well as to the net (or instead of to the net), we
>might actually have some effect.
>
>	0005895485@MCIMAIL.COM  (White House)

Is this "White House e-mail address" really working yet? Someone
posted such an address on CompuServe a few months ago, but apparently
the White House wasn't really set up to receive hundreds (thousands?)
of messages a day to that account and didn't want people to use it
yet. So is this MCI address something the people at the White House
actually read, or is it another Craig Shergold story? I don't know --
I'm just asking.

Unless the people at the White House print and distribute this mail
every day, you may have better luck printing out a letter (on paper,
that flat white stuff all over my desk) and Snail-Mailing it to the
White House. I imagine writing to your local representative and
senator wouldn't hurt either. Heck, why not write to Al Gore while
you're at it?

				greg	

-- 
Greg Brail ------------------ Citibank -------------------- gjb@fig.citib.com

Newsgroup: sci.crypt
document_id: 16039
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: Re: Off the shelf cheap DES keyseach machine (Was: Re: Corporate

"Jon \\lnes" <jon@ifi.uio.no> writes:
>A person I know, belonging to a research lab of a private
>company, claimed to me during a private conversation that, given the
>equipment in his lab, he could crack a Kerberos ticket in 15 minutes to
>an hour. He had access to rather powerful DES hardware, but not of an
>extraordinary kind, I believe. The attack was possible because of the
>amount of known plaintext in the ticket, which itself constitutes a small
>message. This was two years ago.

I don't believe you, and I don't believe your friend.

Why? 

Because DES is not known to have any known plaintext attacks readily
available. Unless your friend knows something and is keeping it secret,
he was bullshitting you.

Now, it IS possible that he noted a weakness in the *implementation* of
the Kerberos protocol. For instance, using a weak RNG to generate keys
might cut down on the keyspace (not for the user keys -- for the other
kind whose name I can't remember). However, this is not what was
claimed. You are claiming a general weakness in DES, which is not
known to exist in the open literature.

Don't get me wrong -- DES is weaker than it should be. However,
cracking it in 15 minutes requires more money be spent on the cracking
machine than ANY organization I know of has available.

--
Perry Metzger		pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
document_id: 16040
From: mjr@tis.com (Marcus J Ranum)
Subject: Re: Write to Clinton

>>	0005895485@MCIMAIL.COM  (White House)
>
>Is this "White House e-mail address" really working yet? Someone
>posted such an address on CompuServe a few months ago, but apparently
>the White House wasn't really set up to receive hundreds (thousands?)

	This is a real address. My understanding of the current process
that mail takes is it gets downloaded on floppy disk and is processed
by retiree volunteers, who match the message against message profiles
and check the message count. (I.e.: "yeah, that's a for gays in the
military. what's this clipper stuff? must be against gays in the
military...")

	The higher-volume white-house email stuff is in the works,
I know for a fact, but won't be online for probably another month
or two at the soonest. My understanding is that the link speed will
increase (direct internet instead of Compu$erve to floppy) but the
message processing will remain the same.

>Unless the people at the White House print and distribute this mail
>every day, you may have better luck printing out a letter (on paper,
>that flat white stuff all over my desk) and Snail-Mailing it to the
>White House. I imagine writing to your local representative and
>senator wouldn't hurt either. Heck, why not write to Al Gore while
>you're at it?

	The white house email does get read. I agree that printing it
and sending Cc: to everyone you can think of is probably better because
it is more visible, but the message processing (fitting messages against
a template) is the same in either case.

mjr.

Newsgroup: sci.crypt
document_id: 16041
From: wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705)
Subject: Re: Is it illegal to transmit encrypted data?

In article <C63Ly7.GBx@sugar.neosoft.com> georgel@NeoSoft.com (George Livsey) writes:
      I am aware of the restrictions imposed by the munitions act
   on the export of cryptographic technology, however, is it illegal to
   transmit encrypted data from the U.S. to another country?  If so,
   then which laws apply to this situation?

From the US law perspective, unless you're engaging in illegal speech,
it's not illegal to use encryption.  Yet.  The NSA is allowed to try
to listen, but you're not obligated to make it easy for them.  Yet.
The other country may have more repressive laws about that;
I gather France's bureaucracy wants to know what you're saying, 
and in the old Soviet Union, they didn't need laws to make things illegal :-(

(paranoia follows, for those of you who want to play it safe :-)
The fact that the NSA is listening may affect your willingness to use
wimpy crypto technologies, but it may also affect your willingness to
use technologies that violate RSA's patents, e.g. if you use PGP, the
NSA may tell RSA that you're doing so, and if the Secret Service catches on,
they may decide that the mere fact that RSA hasn't filed a lawsuit
against you doesn't mean that you don't deserve to have your computer
confiscated for possible patent violation, munitions law violation,
espionage, money laundering, drug importation, and creatin' a disturbance,
and then not give it back because you *did* violate the patent even
though they had to drop all the other charges, unlike that nasty Steve
Jackson who had the gall not to be guilty of *anything*.
--
#				Pray for peace;      Bill
# Bill Stewart 1-908-949-0705 wcs@anchor.att.com AT&T Bell Labs 4M312 Holmdel NJ
#	              No, I'm *from* New Jersey, I only *work* in cyberspace....
# White House Comment Line 1-202-456-1111  fax 1-202-456-2461

Newsgroup: sci.crypt
document_id: 16042
From: wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705)
Subject: Re: Tempest

In article <1993Apr26.193801.12416@lynx.dac.northeastern.edu> angel@Foghorn_Leghorn.coe.northeastern.edu (Kirill Shklovsky) writes:
   In article <1993Apr26.104320.10398@infodev.cam.ac.uk> rja14@cl.cam.ac.uk (Ross Anderson) writes:
   >I'm afraid this doesn't work either. We can pick up laptop screens without any
   >problem. [...]

   I heard somewhere (can't name the source) that TEMPEST does not necessarily
   pick-up just CRTs, but it can pick up emissions from almost any chip.  If
   that is true, the kind of monitor would not make any difference because everything
   on the screen can be picked-up from the video controller.  Can anybody verify
   or refute this?

Yes, that's true.  TEMPEST is nothing magic, it's just listening to any
available electromagnetic emissions and using all the analysis techniques  
you know to separate out the interesting stuff. 

The nice thing about old CRTs is that they used to put out LOTS of
signal, so they're easy to detect, and if you do your sync carefully,
you can watch the output on the monitor in your deceptively-marked
Chevy Step-Van.  Some brands of electric typewriters were even worse.
In both cases, it's especially nice because it gets you the data the
user is looking at, rather than whatever stuff the paging algorithm is
paging out to disk, etc.

With newer, quieter equipment, there isn't as much signal, and it's harder to
isolate the fun parts.  TEMPEST-rated equipment has much lower signal levels.
But "Everything has vibrations", as Master Chuan said.
--
#				Pray for peace;      Bill
# Bill Stewart 1-908-949-0705 wcs@anchor.att.com AT&T Bell Labs 4M312 Holmdel NJ
#	              No, I'm *from* New Jersey, I only *work* in cyberspace....
# White House Comment Line 1-202-456-1111  fax 1-202-456-2461

Newsgroup: sci.crypt
document_id: 16043
From: allen@well.sf.ca.us (Allen Barrett Ethridge)
Subject: Re: Dorothy Denning opposes Clipper, Capstone wiretap chips

In <1993Apr26.063532.10120@eff.org> mnemonic@eff.org (Mike Godwin) writes:

>In article <C614BJ.BK6@agora.rain.com> jhart@agora.rain.com (Jim Hart) writes:
>>"The security of the system should depend only on the secrecy of
>>the keys and not on the secrecy of the algorithms" -- Dorothy Denning

>Cite source, please.

"Cryptography and Data Security", page 8, perhaps.

Newsgroup: sci.crypt
document_id: 16044
From: uskmg@emoryu1.cc.emory.edu (Ken Guyton)
Subject: Amiga RIPEM?

Has anyone ported RIPEM to the Amiga yet or is anyone working on it?

Emailed responses are fine.

--
Ken Guyton, Emory University    | PREFERRED:  uskmg@unix.cc.emory.edu
Information Technology Division | UUCP:      ...gatech!emoryu1!uskmg
Atlanta, GA 30322               | NON-DOMAIN BITNET:   uskmg@emoryu1
Phone: (404) 727-7685           | FAX:  (404) 727-2599

Newsgroup: sci.crypt
document_id: 16045
From: holland@CS.ColoState.EDU (douglas craig holland)
Subject: Re: Tempest

In article <1993Apr26.193801.12416@lynx.dac.northeastern.edu> angel@Foghorn_Leghorn.coe.northeastern.edu (Kirill Shklovsky) writes:
>In article <1993Apr26.104320.10398@infodev.cam.ac.uk> rja14@cl.cam.ac.uk (Ross Anderson) writes:
>>I'm afraid this doesn't work either. We can pick up laptop screens without any
>>problem.
>>
>>Most of the so-called `low radiation' monitors are also useless. The description
>>turns out to a marketing assertion rather than an engineering one.
>>
>>We thought there might be a market for a monitor which was not as hugely
>>expensive as the military Tempest kit, but which was well enough shielded to
>>stop eavesdropping using available receivers. We built a prototype, it works,
>>and it's still sitting on my lab bench. Commercial interest was exactly zero.
>>
>>In the absence of open standards, a monitor which really is `low radiation'
>>(and costs 500 dollars more) can't compete against a monitor which just
>>claims to be `low radiation' (and whose only extra cost of production is the
>>pretty blue sticker on the box).
>>
>>Ross
>
>I heard somewhere (can't name the source) that TEMPEST does not necessarily
>pick-up just CRTs, but it can pick up emissions from almost any chip.  If
>that is true, the kind of monitor would not make any difference because everything
>on the screen can be picked-up from the video controller.  Can anybody verify
>or refute this?
>
Just thought of something.  Yes, laptops can still be read, but it's not quite
as easy as a normal pc with a CRT.  My thought: Airline pilots lately have
been complaining about how laptops being used in flight mess with the plane's
instruments.  If this can be hyped up, manufacturers may start building
laptops with even lower emissions.  It would probably still be possible to
pick up with surveillance equipment, but at this point, it would be a lot
cheaper to mask the remaining signals with TEMPEST techniques.

Doug Holland

-- 
|  Doug Holland                | Anyone who tries to take away my freedom  |
|  holland@cs.colostate.edu    | of speech will have to pry it from my     |
|  PGP key available by E-mail | cold, dead lips!!                         |

Newsgroup: sci.crypt
document_id: 16046
From: C445585@mizzou1.missouri.edu (John Kelsey)
Subject: Re: Implementing a Diffie-Hellman key exchange.

   You should probably use numbers much larger than 64-bits.  Also, you
may want to include some randomly-generated bitstrings in your protocol.
This way, if someone should find the shared key you and another person
use on one day, they won't be able to guess it for the next day....
 
   I.e. A sends G**A mod P and random string R0
      B sends G**B mod P and random string R1
 
      Both find (G**A mod P)** B mod P = Shared Key, then both calculate
 
      Session Key = Hash(R0,Shared Key, R1)
 
   Also, you will want to make sure that you're getting the right public
key value G**A mod P.  Someone with the power to intercept and change messages
can otherwise spoof you by sending both of you *his* public key, and then
acquiring a session key with each of you....
 
   --John
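The exchange John Kelsey sketches above, as an added example that is not part of his post: Diffie-Hellman with a random string from each side folded into the session-key hash, followed by the interception he warns about and one way to catch it. The group is the 1024-bit MODP prime of RFC 2409 ("Oakley group 2") with generator 2, chosen because the post asks for numbers far larger than 64 bits; verify the hex against the RFC before relying on this transcription. The HMAC under a pre-shared key used to bind the public value to its sender is my assumption of one way to "make sure you're getting the right public key value"; a signature over the same bytes would serve equally.

```python
import hashlib
import hmac
import secrets

# 1024-bit MODP prime of RFC 2409 "Oakley group 2", generator 2.  Check the hex
# against the RFC before relying on this transcription.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
PLEN = (P.bit_length() + 7) // 8   # bytes needed to encode a group element

class Party:
    """One side of the exchange: private exponent x, public value G**x mod P,
    and a fresh random string R (the post's R0 or R1)."""
    def __init__(self):
        self.x = secrets.randbelow(P - 2) + 1      # private exponent in [1, P-2]
        self.public = pow(G, self.x, P)            # sent in the clear
        self.R = secrets.token_bytes(16)           # sent in the clear

    def session_key(self, peer_public: int, r0: bytes, r1: bytes) -> bytes:
        """Shared Key = peer_public**x mod P; Session Key = Hash(R0, Shared Key, R1).
        R0 is the initiator's string and R1 the responder's, on both sides."""
        if not 1 < peer_public < P - 1:            # reject 0, 1 and P-1 (trivial subgroups)
            raise ValueError("bad public value")
        shared = pow(peer_public, self.x, P).to_bytes(PLEN, "big")
        return hashlib.sha256(r0 + shared + r1).digest()

def honest_exchange() -> bool:
    """A initiates, B responds, nobody interferes: both sides get the same key,
    and because R0/R1 are fresh the key differs from one run to the next."""
    a, b = Party(), Party()
    return a.session_key(b.public, a.R, b.R) == b.session_key(a.public, a.R, b.R)

def mitm_exchange():
    """The post's spoofing warning: M intercepts both messages and substitutes
    his own public value (the R strings pass through unchanged).  Returns
    (A's key == M's key toward A, B's key == M's key toward B, A's key == B's key)."""
    a, b, m = Party(), Party(), Party()
    ka = a.session_key(m.public, a.R, b.R)       # A believes m.public came from B
    kb = b.session_key(m.public, a.R, b.R)       # B believes m.public came from A
    k_ma = m.session_key(a.public, a.R, b.R)     # M's key shared with A
    k_mb = m.session_key(b.public, a.R, b.R)     # M's key shared with B
    return ka == k_ma, kb == k_mb, ka == kb

def tag(mac_key: bytes, public: int, R: bytes) -> bytes:
    """One way to check that the public value really came from the peer (an
    assumption added here, not from the post): an HMAC under a key the two
    parties already share.  A digital signature over the same bytes would do."""
    return hmac.new(mac_key, public.to_bytes(PLEN, "big") + R, hashlib.sha256).digest()

def authenticated_exchange(mitm: bool) -> bool:
    """B accepts A's public value only if its tag verifies.  Returns True when
    the exchange completes and False when a substituted value is rejected."""
    mac_key = secrets.token_bytes(32)            # pre-shared between A and B only
    a, b, m = Party(), Party(), Party()
    sent_tag = tag(mac_key, a.public, a.R)       # A tags what it actually sent
    received_public = m.public if mitm else a.public
    if not hmac.compare_digest(sent_tag, tag(mac_key, received_public, a.R)):
        return False
    b.session_key(received_public, a.R, b.R)
    return True
```

The `mitm_exchange` result shows why the random strings alone do not help against an active attacker: M ends the run holding one key with A and a different one with B, and neither of them notices until something bound to the public values (here the HMAC in `tag`) fails to verify.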

Newsgroup: sci.crypt
document_id: 16047
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Clipper considered harmful

In article <1993Apr25.193300.1707@microsoft.com> gideony@microsoft.com
(Gideon Yuval) writes:

>If these personal attacks are what stopped Prof. Denning from
>replying on issues of substance, they have cause real harm
>to the serious debate here.

They are and they have.

David

-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
document_id: 16048
From: schneier@chinet.chi.il.us (Bruce Schneier)
Subject: Comments on Clipper for Publication


I am writing an article on Clipper for Network World.  I am looking for
comments and opinions (that I can quote) on the scheme, its implications
for security and privacy, its acceptance here and overseas, etc. 

I hope this to be a balanced article, with opinions from various quarters.
The only  catch is that your name and company affiliation will appear in
print.

I am on very tight deadline (I need to finish this Wednesday night).  Please
call or E-Mail responses.

Thanks,
Bruce
(708) 524-9461

Newsgroup: sci.crypt
document_id: 16049
From: jongsma@esseye.si.com (Ken Jongsma)
Subject: Re: Does Rush read his E-mail?

In <1993Apr23.153320.4568@henson.cc.wwu.edu> n9045178@henson.cc.wwu.edu (Sean Dean) writes:

>But I have no idea of a Compuserve e-mail address...

70277.2502@compuserve.com


-- 
Ken Jongsma                                          
Smiths Industries                                jongsma@swdev.si.com
Grand Rapids, Michigan                      73115.1041@compuserve.com

Newsgroup: sci.crypt
document_id: 16050
From: marc@tanda.isis.org (Marc Thibault)
Subject: A Trojan Horse on the Clipper

Gentlefolk,

        It seems to me that the "Step 1" of taking a warrant to the
        telco to get a wiretap is so much stinky red herring (don't
        you love animal metaphors).

        With each phone broadcasting the serial number of its chip
        ("E(N;F)" is not syntactically different than "N"), all they
        have to do is aim a receiver in the general direction of
        today's target and use the serial number to identify the
        session they want, and get the chip number of the other end of
        the conversation. Even without the key, this is great for
        traffic analysis. I can think of several ways to learn the
        right serial number.

        It looks like one intended effect of the Clipper is to
        eliminate the awkward business of getting the telco to
        cooperate (or risking getting caught in the act with your
        alligator clips erect). This is particularly handy if you have
        S1 and S2.

        BTW, did anyone explain why they are scrambling the serial
        number?
        
        Cheers,
                Marc

---
 Marc Thibault                             | marc@tanda.isis.org
 Automation Architect                      | CIS:71441,2226
 R.R.1, Oxford Mills, Ontario, Canada      | NC FreeNet: aa185

-----BEGIN PGP PUBLIC KEY BLOCK-----
mQBNAiqxYTkAAAECALfeHYp0yC80s1ScFvJSpj5eSCAO+hihtneFrrn+vuEcSavh
AAUwpIUGyV2N8n+lFTPnnLc42Ms+c8PJUPYKVI8ABRG0I01hcmMgVGhpYmF1bHQg
PG1hcmNAdGFuZGEuaXNpcy5vcmc+
=HLnv
-----END PGP PUBLIC KEY BLOCK-----


Newsgroup: sci.crypt
document_id: 16051
From: marc@tanda.isis.org (Marc Thibault)
Subject: Re: Once tapped, your code is no good any more.

In article <1993Apr21.204036.13723@rick.dgbt.doc.ca> 
(Jerry Han) writes: 
> GUESS WHAT PEOPLE?  You live in one of the few countries in the world
> where a person can complain without getting shot at.  

        Only guessing, but from his address I'd say that Jerry, like
        me, lives in Canada. Unlike me, he thinks that our friends in
        the US enjoy the same freedom that we do, and he has not seen
        the slow but steady erosion to the south of us.

        We have the benefit of relatively slow politicians and
        ineffective law enforcement. Our rednecks tend to be the
        objects of derision rather than elected officials. It's
        everything LE can do to keep up with the real criminals. Any
        time they actually go after somebody just because they don't
        like his or her attitude, it's national news (It also often
        blows up in their faces: eg. the well-intentioned but flawed
        Zundel case, which resulted in a scolding from the Supreme
        Court, not only to LE for prosecuting the case but to
        Parliament for passing the law it was prosecuted under).

        Our friends south of the border don't have as easy a time of
        it. Among other things they have as many LE agencies as we
        have agencies, and some of them have teeth. They also have the
        War on Drugs which gives law-enforcement agencies exceptional
        powers to ignore individuals' rights (the DEA has more
        arbitrary power than that given to Canadian agencies under the
        War Measures Act). We have the RCMP and CSIS who can't stop
        fighting each other long enough to do any really effective
        suppression of private citizens' rights. Not only that, our
        Police Commissions have teeth, as I learned when I had to fend
        off a bent cop.

        It may be ironic that the nation founded on Life, Liberty and
        the Pursuit of Happiness is getting government-imposed order,
        while the nation founded on Peace, Order and Good Government
        is getting in-your-face liberty.

        That's not to say our time won't come. It looks like Chretien
        is going to run on a law-and-order platform. Be afraid.

        Cheers,
                Marc

---
 Marc Thibault                             | marc@tanda.isis.org
 Automation Architect                      | CIS:71441,2226
 R.R.1, Oxford Mills, Ontario, Canada      | NC FreeNet: aa185

-----BEGIN PGP PUBLIC KEY BLOCK-----
mQBNAiqxYTkAAAECALfeHYp0yC80s1ScFvJSpj5eSCAO+hihtneFrrn+vuEcSavh
AAUwpIUGyV2N8n+lFTPnnLc42Ms+c8PJUPYKVI8ABRG0I01hcmMgVGhpYmF1bHQg
PG1hcmNAdGFuZGEuaXNpcy5vcmc+
=HLnv
-----END PGP PUBLIC KEY BLOCK-----


Newsgroup: sci.crypt
document_id: 16052
From: marc@tanda.isis.org (Marc Thibault)
Subject: Re: Do we need the clipper for cheap security?

In article <rdippold.735426379@qualcom> 
(Ron "Asbestos" Dippold) writes: 
  ...
> The only thing that worries me is that 2:1 compression - the
> SoundBlaster can do it automatically in hardware, but other than that
> I don't have a good feel for how processor intensive it is, so I can't
> estimate how fast a PC you'd need.

        There's a better way. Doesn't Qualcom have a secure design
        that it decided not to market?  Since they aren't going to
        use it, wouldn't the patriotic thing be to put the design in
        the public domain? How about selling a "Cryptography
        Educational Kit" with the critical parts? Something that could
        end up as a PC option board with two phone jacks?

        Cheers,
                Marc

---
 Marc Thibault                             | marc@tanda.isis.org
 Automation Architect                      | CIS:71441,2226
 R.R.1, Oxford Mills, Ontario, Canada      | NC FreeNet: aa185


Newsgroup: sci.crypt
document_id: 16053
From: marc@tanda.isis.org (Marc Thibault)
Subject: Re: Organized Lobbying for Cryptography

In article <1993Apr23.195051.16862@news.clarkson.edu> 
(Dwight Tuinstra) writes: 
> Great slogan!  I'm ready to sign up with a crypto-lobbying effort (though
> I wouldn't want to do it through an NRA offshoot).  Shall we also push
> for the CRA  -- Cryptographic Rights Amendment ??

        Looking at it from up here in the Frozen North, it looks like
        you could do worse than get the NRA involved. They have a
        kindred problem, a large number of voters, the right attitude,
        and lots of funds.

        From an ethical _or_ constitutional viewpoint, I haven't seen
        a good argument for cryptographic rights that doesn't also
        support the NRA position on guns (and vice-versa).

        Cheers,
                Marc

---
 Marc Thibault                             | marc@tanda.isis.org
 Automation Architect                      | CIS:71441,2226
 R.R.1, Oxford Mills, Ontario, Canada      | NC FreeNet: aa185


Newsgroup: sci.crypt
document_id: 16054
From: marc@tanda.isis.org (Marc Thibault)
Subject: Re: Overreacting (was Re: Once tapped, your code is no good any more)

In article <1993Apr23.134422.25521@rick.dgbt.doc.ca> 
(Jerry Han) writes: 

> "A smart warrior defeats the enemy in ambush on the battlefield"
> "A smarter warrior defeats the enemy in open warfare on the battlefield"
> "The smartest warrior defeats the enemy without using the battlefield"

        Y'all got the first two reversed.

                - Judge Roy Bean


Newsgroup: sci.crypt
document_id: 16055
From: dave@tygra.Michigan.COM (David Conrad)
Subject: Re: New Encryption Algorithm

In article <1raeir$be1@access.digex.net> steve-b@access.digex.com (Steve Brinich) writes:
> >  Well, actually, this one's easy. It's their job. The NSA is
> >supposed to develop cryptosystems. If the government chooses to go
> >ahead and sell those cryptosystems to the masses, so be it.
>
>  Ah, but developing cryptosystems which are specifically designed to
>protect the government's domestic spying capabilities takes them beyond
>that mandate, into the forbidden field of domestic wiretapping.
>

But the NSA will not be doing any wiretapping.  The actual wiretapping will,
presumably, be conducted by the FBI.  Of course, the capability for this was
provided by the NSA, but I think that they are still within the limitations
of their charter.

I realize this is a fine point, and some may differ, but this is my opinion.
Although I don't care for Clipper and won't support or use it, I don't see
the NSA as having overstepped their bounds.

David R. Conrad		"No his mind is not for rent/To any god or government"
-- 
=  CAT-TALK Conferencing Network, Computer Conferencing and File Archive      =
-  1-313-882-2209, 300bps-14400bps, V.32/V.32bis/TurboPEP New users use 'new' - 
=  as a login id.  AVAILABLE VIA PC-PURSUIT!!! (City code "MIDET")            =
   E-MAIL Address: dave@Michigan.COM

Newsgroup: sci.crypt
document_id: 16056
From: mattair@sun44.synercom.hounix.org (Charles Mattair)
Subject: Re: Clipper considered harmful [Restated and amplified]

In article <1993Apr25.025459.12837@random.ccs.northeastern.edu> rogue@ccs.northeastern.edu (Free Radical) writes:
>
>No no no no no no no.
>
>It will go like this:
>
>FEDS: We need the key to phone 334RE67D99.
>
>ESCROW: You have a warrant to tap the line phone 334RE67D99 is on?
>
>FEDS: Yes.
>
>ESCROW: Fine, here is our key.
>
>rogue@cs.neu.edu (Rogue Agent/SoD!)

It also goes like this:

FED1: We need to listen into <mafia head/druglord/terrorist/BBS sysop>'s
      conversations but don't have probable cause for a tap.

FED2: Who do we have a tap on?

FED1: <some other enemy of the state>.

FED2: So get the keys - we can always claim that phone's being used on the
      tapped line.

There's got to be some way to associate an instrument with an individual or
the state effectively has a tap, possibly not admissible (given the War on
Drugs exceptions to the 4th/5th amendments, who knows) but nonetheless
listenable tap on any phone.
-- 
Charles Mattair		 		(work)	mattair@synercom.hounix.org
<standard.disclaimer>			(home)	cgm@elmat.synercom.hounix.org
In a mature society, "civil servant" is semantically equivalent to
       "civil master." - Robert Heinlein, _The Notebooks of Lazarus Long_

Newsgroup: sci.crypt
document_id: 16057
From: wendyg@skeptic.demon.co.uk ("Wendy M. Grossman")
Subject: Re: Fifth Amendment and Passwords 

In article <1993Apr16.113151.7648@cs.aukuni.ac.nz> pgut1@cs.aukuni.ac.nz writes:

>In <C5Jzsz.Jzo@cs.uiuc.edu> kadie@cs.uiuc.edu (Carl M Kadie) writes:
>
>looks like you can't be forced to reveal a password, if anyone can provide
>a convincing legal argument to the contrary (ie an actual court case) I'd
>be most interested...
>
This is the case in Britain, according to the head of the computer crime
unit here when I interviewed him a couple of months ago.

wg
-- 
                 Wendy M. Grossman
9A North Avenue, Kew         Founder, The Skeptic (UK)
Richmond, Surrey TW9 3LZ     Freelance writer
+(44) (81) 948 3784          Recovering folksinger

Newsgroup: sci.crypt
document_id: 16058
From: eah1@gauguin.wustl.edu (Edward Anthony Hutchins)
Subject: Re: Let's build software cryptophones for over the internet...

Hmmm.... CELP takes up about 12.6 MIPS for full duplex, and has been
implemented on about a million DSP chips... the 56001 card in my PC only cost
about $700, and I'm sure once demand goes up the prices would drop. The Analog
Devices 21020 board that we're looking at now cost about $500 (academic price).
I don't think hardware is something to worry about... if you get it working,
people will snap up internet phone cards like there was no tomorrow.
What we need here is a good implementation of CELP (the government code is
absolute crap, I got a 30% speedup after looking at it for a couple of hours),
and modifications to pgp to allow it to compress/decompress 144 bit frames
every 30msec... I think the AD21020 should have enough juice for this (50MIPS).
As part of the project I'm working on now, we're trying to get CELP up and
running in realtime full duplex mode... I gotta find the source to pgp and
see how tough it would be to integrate the en/decryption parts into the code.
I'll play with it. Anyone else out there got an AD21020 setup?
	- Ed
_____________________________________________________________________________
:-)  ('')  (-:  (,,)  :-)  ('')  (-:  (,,)  :-) | see lidflip instructions on
Edward Hutchins, eah1@cec1.wustl.edu            | other side of card

Newsgroup: sci.crypt
document_id: 16059
From: rogue@ccs.northeastern.edu (Free Radical)
Subject: Re: Tempest

In article <1993Apr26.193801.12416@lynx.dac.northeastern.edu>
angel@Foghorn_Leghorn.coe.northeastern.edu (Kirill Shklovsky) writes: 
[...]
>I heard somewhere (can't name the source) that TEMPEST does not necessarily
>pick-up just CRTs, but it can pick up emissions from almost any chip.  If
>that is true, the kind monitor would not make any difference becuase everything
>on the screen can be picked-up from the video controller.  Can anybody verify
>or refute this?

As anyone who attended HoHoCon will attest, you can pick information
off the video chip.  It's surprisingly easy too.  The guy did it with
a portable TV, with very minor mods.  It only worked from 3 feet, but
then it was just a demonstration.

	RA

rogue@cs.neu.edu (Rogue Agent/SoD!)
-----------------------------------
The NSA is now funding research not only in cryptography, but in all areas
of advanced mathematics. If you'd like a circular describing these new
research opportunities, just pick up your phone, call your mother, and
ask for one.

Newsgroup: sci.crypt
document_id: 16060
From: steve-b@access.digex.com (Steve Brinich)
Subject: Basic Crypto Requirements


  In order to formulate a rational position on what cryptography
policies are acceptable, we must set forth a list of basic requirements.
I would propose the following as a starting point:

  1. The algorithm must be publicly known, and must have a record of
       surviving attempts by outside experts to find weaknesses.

  2. The system implementation must make it possible to verify that the
       advertised algorithm is, in fact, the one that is being used.

  3. The key must be quickly changeable by the user, and must be of a
       sufficient length and complexity to defeat any brute-force search
       possible now or in the reasonably near future.

  Note that these requirements are not incompatible with some form of key
escrow system; the May 1993 issue of "Byte" describes an example of an
encryption system which can clearly be implemented in a manner consistent
with the above requirements while requiring that parts of the key be
escrowed in order to have one's public key listed by a central distributor.

Newsgroup: sci.crypt
document_id: 16061
From: als@kowari.cpsg.com.au (Anthony Shipman)
Subject: Re: Clipper considered harmful

yuan1@scws7.harvard.edu (Nina Yuan) writes:

>I'm not a lawyer and I don't even play one on TV, but intuitively there's
>something wrong with having one's words archived for possible future
>use against you.  This possibility frightens me more than any of the
>talk about the Clipper Chip, right to cryptography, etc.

:-)

I can just imagine it.  The mother is wheeled into the labour ward.  After
delivery a government agent steps up to read the baby its rights...
	"You have the right to remain silent.  If you give up this right anything
	you say may be taken down and used in evidence against you."

	"Waaaaaaaaah"


--
Anthony Shipman                 "You've got to be taught before it's too late,
CP Software Export Pty Ltd,      Before you are six or seven or eight,
19 Cato St., East Hawthorn,      To hate all the people your relatives hate,
Melbourne, Australia, 3121       You've got to be carefully taught."  R&H

E-mail: als@cpsg.com.au

Newsgroup: sci.crypt
document_id: 16062
From: jin@spdcc.com (Jerry Natowitz)
Subject: PD code for crypt(1) like encryption

I am looking for some Public Domain (and exportable) code for
encryption.  Nothing elaborate, just something that will satisfy
a marketing need :-)
Oh yes, UNIX platform.
-- 
     Jerry Natowitz
     Guest user on:
ARPA jin@ursa-major.spdcc.com
UUCP {ima,harvard,rayssd,linus,m2c}!spdcc!jin

Newsgroup: sci.crypt
document_id: 16063
From: paul@fairgate.com
Subject: Birthday attack?


I recently saw a message here (posted by Bob Silverman, I think) which 
referred to a "birthday" attack on a cryptosystem. I'm looking for 
references on, and explanations of, this type of attack.

Thanks,
-Paul

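Since the question above asks for an explanation of the "birthday" attack, here is an added example (not part of Paul's post or of any reply on the page) that runs the attack against a deliberately short 24-bit hash. The hash is SHA-256 truncated to n bits, which is an assumption standing in for whatever n-bit hash, MAC or identifier an attack would target; the message stream `msg-0`, `msg-1`, ... is constructed for the demo. The point the code makes is the one behind the attack's name: a collision between any two of many values appears after roughly sqrt(pi/2 * 2^n) evaluations, whereas hitting one fixed target value takes about 2^n.

```python
import hashlib
import math


def truncated_hash(msg: bytes, nbits: int) -> int:
    """SHA-256 output truncated to its first nbits bits (assumption: stands in
    for any n-bit hash, MAC or identifier the attack targets)."""
    digest = hashlib.sha256(msg).digest()
    return int.from_bytes(digest, "big") >> (256 - nbits)


def birthday_collision(nbits: int, limit: int):
    """Search for two distinct messages with the same nbits-bit hash.

    Returns (m1, m2, trials) or None if no collision appears within `limit`
    hash evaluations. The table of seen values grows with the trials, so the
    attack costs O(2^(n/2)) memory as well as time."""
    seen = {}  # hash value -> first message that produced it
    for i in range(limit):
        m = b"msg-%d" % i  # constructed, deterministic message stream
        h = truncated_hash(m, nbits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m
    return None


def expected_birthday_trials(nbits: int) -> float:
    """Expected evaluations before the first collision among uniformly random
    n-bit outputs: about sqrt(pi/2 * 2^n)."""
    return math.sqrt(math.pi / 2 * 2 ** nbits)


def expected_preimage_trials(nbits: int) -> float:
    """For contrast: matching ONE fixed target value takes about 2^n
    evaluations, so the birthday attack wins by a factor of about 2^(n/2)."""
    return 2.0 ** nbits


if __name__ == "__main__":
    n = 24
    m1, m2, trials = birthday_collision(n, 1 << 17)
    print(f"{n}-bit collision after {trials} trials "
          f"(expected ~{expected_birthday_trials(n):.0f}; a preimage "
          f"search would need ~{expected_preimage_trials(n):.0f})")
    print(m1, m2, hex(truncated_hash(m1, n)))
```

With n = 24 the collision turns up after a few thousand hashes, against the 16.7 million a single-target search would need; the same ratio is why a hash or MAC used for collision resistance needs twice the bit length it needs for preimage resistance.
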
Newsgroup: sci.crypt
document_id: 16064
Subject: Re: Tempest
From: pgut1@cs.aukuni.ac.nz (Peter Gutmann)

In <1993Apr27.071549.22910@random.ccs.northeastern.edu> rogue@ccs.northeastern.edu (Free Radical) writes:

>As anyone who attended HoHoCon will attest, you can pick information
                        ^^^^^^^
>off the video chip.  It's surprisingly easy too.  The guy did it with
>a portable TV, with very minor mods.  It only worked from 3 feet, but
>then it was just a demonstration.

A convention for Santa Claus impersonators?  Please elaborate, enquiring minds
(those in the second and third jars from the left) want to know....

Peter.

Newsgroup: sci.crypt
document_id: 16065
From: pdc@dcs.ed.ac.uk (Paul Crowley)
Subject: Re: Clipper and conference calls

Quoting dougb@ecs.comm.mot.com in article <1993Apr26.150434.227@lmpsbbs.comm.mot.com>:
>You would have to use something other than the AT&T black box - in other
>words, I don't think public key would work.  The session key would have 
>to be agreed upon prior to the conversation and distributed to all 
>sites beforehand.

Why can't one site decide a session key and send it to the other sites
by public key encryption?
  __                                  _____
\/ o\ Paul Crowley   pdc@dcs.ed.ac.uk \\ //
/\__/ Trust me. I know what I'm doing. \X/  Fold a fish for Jesus!

Newsgroup: sci.crypt
document_id: 16066
From: hamrick@convex.com (Ed Hamrick)
Subject: Re: PD code for crypt(1) like encryption

In article <1993Apr27.114659.28363@spdcc.com> jin@spdcc.com (Jerry Natowitz) writes:
>I am looking for some Public Domain (and exportable) code for
>encryption.  Nothing elaborate, just something that will satisfy
>a marketing need :-)
>Oh yes, UNIX platform.

You can find what you're looking for on hundreds of sites worldwide.  Try

	anonymous ftp to nic.funet.fi (Finland)

	/pub/unix/4.3bsd/net2/lib/libc/gen/crypt.c.Z

This includes source code for fully-functional DES encryption and decryption.

There are some who believe that public domain code is exportable, some
who don't.  Make your own judgements, but it seems obvious to me.

Regards,
Ed Hamrick

Newsgroup: sci.crypt
document_id: 16067
From: rwirthli@nyx.cs.du.edu (Ralph Wirthlin)
Subject: Re: Is it illegal to transmit encrypted data?

wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705) writes:

>The fact that the NSA is listening may affect your willingness to use
>wimpy crypto technologies, but it may also affect your willingness to
>use technologies that violate RSA's patents, e.g. if you use PGP, the
>NSA may tell RSA that you're doing so, and if the Secret Service catches on,

I'm afraid I have to disagree with you on that point.  NSA will *not*
tell RSA or any other non-DOD entity anything that its eavesdropping
reveals.  That includes the FBI and Secret Service (although there
have been rare exceptions).   


Newsgroup: sci.crypt
document_id: 16068
From: fig@eff.org (Cliff Figallo)
Subject: Re: Organized Lobbying for Cryptography

jgfoot@minerva.cis.yale.edu (Josh A. Goldfoot) writes:

>Tarl Neustaedter (tarl@coyoacan.sw.stratus.com) wrote:

>: It means that the EFF's public stance is complicated with issues irrelevant
>: to the encryption issue per se. There may well be people who care about
>: the encryption issue who don't care to associate themselves with the
>: network erotica issue (or may even disagree with the EFF's position).

>Perhaps these encryption-only types would defend the digitized porn if it
>was posted encrypted?

>These issues are not as separable as you maintain.

Well, regardless of what policy liabilities anyone in Washington may think
EFF has, it is going ahead aggressively attacking the assumptions that are
behind the Administration's Clipper Chip initiative.  For all the reasons
stated here.  In Washington, you have to work under the assumption that 
everyone has some liabilities.  Government and non-governmental 
organizations alike all share the same glass house.  EFF is variously
identified as the Hacker Defense Fund, the First Amendment Absolutists,
the New Communists, etc, but it is also an acknowledged leader in the
civil liberties arena and is respected as a serious player in the 
policy circles.  So unless there is another organization with the
credibility and clout and right policy stance that you know of in
Washington, please don't count EFF out as a valid representative of
your views in the Clipper Chip matter.
-- 
                    <<*>><<*>><<*>><<*>><<*>><<*>>                         
Cliff Figallo                                     fig@eff.org
EFF Online Guy                                  (617)576-4506

Newsgroup: sci.crypt
document_id: 16069
From: anton@hydra.unm.edu (Stanton McCandlish)
Subject: Re: PGP Where to get it?

>At the moment PGP is available in executable format for MS-DOS and Mac,
>and source code for most other platforms including UNIX. Many FTP sites
>keep a copy (although the Mac version is getting hard to find). Try the
>following site:
>
>soda.berkeley.edu           /pub/cypherpunks/pgp

For those without FTP access, try NitV-BBS (see .sig).  I have the following:
(all from nic.funet.fi, garbo.uwasa.fi, sony.com, and ftp.uni-erlangen.de)

PLATFORM    EXECS   SOURCE   PATCH4SRC   XTRAS  BBS FILE AREA    FIDO FREQNAME

DOS           x       x                    x      LOGIN         PGPDOS, PGPSDOS
MAC           x       x                           NONIBM        PGPMAC, PGPSMAC
AMIGA         x       ?                           NONIBM        PGPAMI
ARCHIMEDES    x       ?                           NONIBM        PGPARC
OS/2          x       ?                           WIN           PGPOS2
NeXT                            x                 NONIBM        PGPNXT
UNIX          x       x                           NONIBM        PGPUNX

? = haven't looked in the archive to see if it has source or not (usually 
because I can't handle the format).  For FidoNet FREQ magic-names, the
PGPS??? names are source code, others are either execs or execs + src 
[+ extras], or in the case of NeXT, just a patch (you still need one of
the full source code packages).

NitV-BBS is FREE.  This is not an ad, it is a public service announcement.

-- 
Testes saxi solidi!  **********************   Podex opacus gravedinosus est!  
Stanton McCandlish,  SysOp:  Noise in the Void Data Center BBS
IndraNet: 369:1/1      FidoNet: 1:301/2      Internet: anton@hydra.unm.edu
Data phone: +1-505-246-8515 (24hr, 1200-14400 v32bis, N-8-1)

Newsgroup: sci.crypt
document_id: 16070
From: jhupp@shockwave.win.net (Jeff Hupp)
Subject: Re: New Encryption Algorithm

 
>In article <1raeir$be1@access.digex.net> steve-b@access.digex.com (Steve Brinich) writes:
>> >  Well, actually, this one's easy. It's their job. The NSA is
>> >supposed to develop cryptosystems. If the government chooses to go
>> >ahead and sell those cryptosystems to the masses, so be it.
>>
>>  Ah, but developing cryptosystems which are specifically designed to
>>protect the government's domestic spying capabilities takes them beyond
>>that mandate, into the forbidden field of domestic wiretapping.
>>
>
>Unlike the CIA, the NSA has no prohibition against domestic spying.  Read
>Bamford's THE PUZZLE PALACE.
>
>Bruce
>
        I have that book, and the way I read it is, one side of the
conversation MUST be from outside the United States.
        Of course, that ASS U MEs that the NSA plays by the rules...
 

_____________________________________________________________________
\Jeff Hupp                      |Internet: jhupp@shockwave.win.net   \
|9797 Medowglen, Apt. 1807      |Ad:    Contract Programming, Novell |
|Houston, Texas  77042          |       Network Design and Support.  |
|Voice: (713) 780 - 9419        |"The best government doesn't" -- me. |
\_____________________________________________________________________\ 

Newsgroup: sci.crypt
document_id: 16071
From: jhupp@shockwave.win.net (Jeff Hupp)
Subject: Re: New Encryption Algorithm

 
>In article <C61rDq.5v5@chinet.chi.il.us>, schneier@chinet.chi.il.us 
>(Bruce Schneier) writes:
> 
>|> Unlike the CIA, the NSA has no prohibition against domestic spying.  Read
>|> Bamford's THE PUZZLE PALACE.
>
>We had a senior NSA scientist in Cambridge at one of our workshops recently
>(in fact he was here when the Clipper announcement was made, but we didn't
>learn of it till after he'd gone). He said on this point that he was forbidden
>by law to monitor conversations between US nationals (and he is a chap who is 
>very precise about his choice of words). So I don't expect he'd have any qualms
>about monitoring a domestic US conversation if one of the parties was an alien.
>
>However it got me thinking of the Navajo code talkers. Just imagine:
>
>+ `Hello, is that the Iraqi mission in New York? This is the Iraqi foreign
>+ ministry in Baghdad, I am Farouq Hussein, US citizen, social security number
>+ so-and-so'
>
>+ `Yes, indeed, this is the New York mission, Mustafa Jadid speaking, also a
>+ US citizen, my social security number is such-and-such, here is our report
>+ on activities against the Satan Clinton'
>
>Ross
>
        This one is easy, they 'tape' the conversation, call the FBI or
Secret Service.  You see "activities against the Satan Clinton" could be
construed as a threat against the President of the United States.  I am
sure they(NSA,FBI,SS,...,...) have enough judges in their collective
pockets to have a warrant before the call is over..... 

_____________________________________________________________________
\Jeff Hupp                      |Internet: jhupp@shockwave.win.net   \
|9797 Medowglen, Apt. 1807      |Ad:    Contract Programming, Novell |
|Houston, Texas  77042          |       Network Design and Support.  |
|Voice: (713) 780 - 9419        |"The best government doesn't" -- me. |
\_____________________________________________________________________\ 

Newsgroup: sci.crypt
document_id: 16073
Subject: Re: What would happen if export restrictions violated?
From: a_rubin@dsg4.dse.beckman.com (Arthur Rubin)

In <C61rt8.6BC@chinet.chi.il.us> schneier@chinet.chi.il.us (Bruce Schneier) writes:

>In article <Apr23.215306.83257@yuma.ACNS.ColoState.EDU> holland@CS.ColoState.EDU (douglas craig holland) writes:
>>
>>OK, I heard a lot of talk about the NSA's infamous control over encryption
>>export through the ITAR.  Here's a question.  Say I develop this great new
>>encryption system, and I want to sell my software worldwide.  The thought
>>police then come in and say "This algorithm is a threat to national security.
>>You will not be permitted to export it."  At this point, what kind of trouble
>>could I get into if I ignored the ITAR and sold my program to international
>>customers anyway?
>>
>>Doug Holland

>You would be arrested as an international arms trafficker.

There are several things in ITAR which have never been tested in court. 
The consensus appears to be:

You could be arrested as an international arms trafficker.  (You could,
regardless of the state of the law, but there are some paragraphs which
suggest you would be violating the law.)

If it goes to court, the ITARs could be thrown out as incompatible with the
First amendment; or the court could rule that "software" is "technical
data" not subject to the ITARs; or the court could rule that the
phrase "publicly available" as defined in the ITARs would apply,
making it only subject to requiring a general export license; or, you could
be prosecuted successfully for arms trafficking or espionage.  General
consensus among lawyers who have read the ITARs, is that one of the first
two would occur.
--
Arthur L. Rubin: a_rubin@dsg4.dse.beckman.com (work) Beckman Instruments/Brea
216-5888@mcimail.com 70707.453@compuserve.com arthur@pnet01.cts.com (personal)
My opinions are my own, and do not represent those of my employer.

Newsgroup: sci.crypt
document_id: 16074
From: zrepachol@cc.curtin.edu.au (Paul Repacholi)
Subject: Re: Clipper considered harmful [Restated and amplified]

In article <strnlghtC602KA.IFD@netcom.com>, strnlght@netcom.com (David Sternlight) writes:
> 
> Brad Yearwood posts a long response to the issue of registering a
> phone-clipper relationship.
> 
> It doesn't wash.
> 
> Recall that law enforcement gets a court order to tap a suspect's phone
> calls. They do what they do now--figure out which lines to tap. They then
> record the stuff. If it's Clipper, they read the law enforcement block,
> extract the serial number, and get the keys using the court order.
> 
> No new difficulties (such as using someone else's phone instrument or phone
> line) are introduced that wouldn't have existed absent clipper. If the
> crooks were going to use a pay phone (say), they could have done so without
> clipper. If the government figures out they're so doing, they listen in, and
> if it's a clipper conversation they get the serial number and then the keys.
> 
> If the crooks use an innocent person's clipper phone on the tapped line
> there's no problem. The Feds don't care whose phone instrument is used, just
> that the conversation is by the suspect on the tapped line. They get the
> serial number, get the keys, and they are in business.
> 
> No clipper chip to person association is ever needed.
> 
> David
> -- 
> David Sternlight         Great care has been taken to ensure the accuracy of
>                          our information, errors and omissions excepted.  
> 
> 

Newsgroup: sci.crypt
document_id: 16075
From: TSOS@uni-duesseldorf.de (Detlef Lannert)
Subject: Re: Clipper considered harmful [Restated and amplified]

In article <WCS.93Apr26141950@rainier.ATT.COM> wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705) writes:

>   The serial number will be in a 64 bit block, with a 34 bit filler.  Doesn't
>   take a lot to check to see if that is correct.
>
>Depends on whether the filler is a constant (makes checking easy,
>but susceptible to replay), or variable (e.g. timer, counter, random),
>which makes replay harder and can also make it easier for the
>inquisitors to know if they've missed messages, or gotten them out of
>sequence, or other interesting things that sort of person might care about.

I'd use a secret (nope, obscure) cryptographic encoding to expand the 
30 bit serial number to a 64 bit block. The redundancy hereby introduced 
can be used to detect tampered Clipper signals where some public enemy 
replaced the L.E. block by random data. 

And of course the L.E. block would be used to initialise the encryption 
of the user data so that at the receiving end the correct L.E. block must 
be processed in order to have any chance of getting the plaintext back. 

For those of you who might want to mangle the L.E. block (e.g. by xor-ing 
a constant pattern) on the transmission line and restore it before feeding 
it into the receiving Crippler Chip I would add further encrypted copies 
of this block (perhaps created by repeated application of the encryption 
algorithm or so) at regular intervals during the transmission. If the 
receiving chip detects a mismatch it must assume that the line is bad and 
it will cease to work; in your own interest you are protected from getting 
faulty plaintext, you know -- it's just like a checksum for your own 
safety ;-(. 

The `monitoring agencies' won't have the famous black box which is needed 
for actual decryption and will be kept by the FBI; but nothing prevents 
them from using special boxes which will do the redundancy check for the 
serial number block and consistency checks on the embedded L.E. blocks 
within the transmission. These boxes will turn a red light on as soon as 
they detect a bitstream that violates the correct protocol.

So don't anyone think that you can use the chip and fool L.E. about the 
tapping key -- I bet the developers have provided much better checks 
than those suggested above. Of course it's absolutely crucial that the 
algorithms (and protocols) remain secret. Personally I doubt they will.

--
Detlef Lannert       DC3EK       E-Mail: tsos@rz.uni-duesseldorf.de
PGP 2.2 key via server or finger lannert@clio.rz.uni-duesseldorf.de
"I am Psmith." - "Oh, you're Smith, are you?" - "With a preliminary
P. Which, however, is not sounded."                   P.G.Wodehouse
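
The scheme Detlef sketches above (a 30-bit serial number expanded to a 64-bit block by a keyed encoding whose redundancy exposes tampering, plus further keyed copies of the block embedded in the stream) can be modelled in a few lines. The following is an added example and is not the poster's code nor a description of the real Clipper/LEAF format, which this page does not specify; the "obscure cryptographic encoding" is assumed here to be HMAC-SHA256 under a chip-wide family key, truncated to the 34 filler bits, and the key and serial number are constructed for the demo.

```python
import hashlib
import hmac

SERIAL_BITS = 30
TAG_BITS = 64 - SERIAL_BITS  # the 34 "filler" bits, used here as keyed redundancy


def make_le_block(serial: int, family_key: bytes) -> bytes:
    """64-bit block = 30-bit serial || 34-bit keyed tag over the serial.

    Assumption: HMAC-SHA256 truncated to TAG_BITS stands in for the secret
    encoding in the post. Anyone without family_key cannot build a block that
    passes check_le_block() except by luck (2^-34 per attempt)."""
    assert 0 <= serial < 1 << SERIAL_BITS
    mac = hmac.new(family_key, serial.to_bytes(4, "big"), hashlib.sha256).digest()
    tag = int.from_bytes(mac, "big") >> (256 - TAG_BITS)
    return ((serial << TAG_BITS) | tag).to_bytes(8, "big")


def check_le_block(block: bytes, family_key: bytes):
    """Return the serial number if the redundancy checks, else None."""
    serial = int.from_bytes(block, "big") >> TAG_BITS
    expected = make_le_block(serial, family_key)
    return serial if hmac.compare_digest(expected, block) else None


def mangle(block: bytes, pattern: bytes) -> bytes:
    """The XOR-with-a-constant trick the post expects an attacker to try on the line."""
    return bytes(a ^ b for a, b in zip(block, pattern))


def embedded_copies(block: bytes, family_key: bytes, n: int) -> list:
    """The post's 'further encrypted copies' sent at intervals: copy i is a
    keyed function of the block and its index, so a line-side rewrite of the
    first block alone no longer agrees with the copies."""
    return [hmac.new(family_key, block + bytes([i]), hashlib.sha256).digest()[:8]
            for i in range(n)]


def verify_copies(block: bytes, copies: list, family_key: bytes) -> bool:
    """Receiver-side consistency check; a mismatch means 'line is bad'."""
    expected = embedded_copies(block, family_key, len(copies))
    return all(hmac.compare_digest(e, c) for e, c in zip(expected, copies))


def forge_probability() -> float:
    """Chance that one random 64-bit block passes check_le_block()."""
    return 2.0 ** -TAG_BITS


if __name__ == "__main__":
    key = b"constructed-family-key"
    blk = make_le_block(0x12345678, key)
    print("genuine:", check_le_block(blk, key))
    print("serial bits flipped:", check_le_block(mangle(blk, b"\xff" * 8), key))
    print("filler bit flipped:", check_le_block(mangle(blk, b"\x00" * 7 + b"\x01"), key))
    copies = embedded_copies(blk, key, 3)
    print("copies agree with mangled block:",
          verify_copies(mangle(blk, b"\xff" * 8), copies, key))
```

The redundancy only protects the chip's interests, not the user's: the receiving chip refuses to decrypt unless it sees a block it can verify, so the tapping key travels with every call.
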

Newsgroup: sci.crypt
document_id: 16076
From: jap@cbnews.cb.att.com (james.a.parker)
Subject: Re: The [secret] source of that announcement

In article <1r9m97$enn@news.intercon.com> amanda@intercon.com (Amanda Walker) writes:
>CompuServe is in Columbus, OH.  So are the corporate headquarters of several 
>major insurance companies, the largest private R&D company in the world 
>(Batelle Memorial Institute), DCSC (The Defense Construction & Supply 
>Center), Ohio State University (one of the three largest US universities), 
>OCLC (the Online College Library Center), and so on.  You'd be amazed, 
>actually.

Don't forget Chemical Abstracts Service (which is pretty much the international
clearinghouse for all chemical information), whose former director (Ronald
Wigington) and head of R&D (Nick Farmer) were openly former NSA employees.

                                      James Parker
                                      jap@cb1focus.att.com

Newsgroup: sci.crypt
document_id: 16077
From: ad@cat.de (Axel Dunkel)
Subject: Summary: How sensitive is DES to bit errors?

Hi,

I'd like to thank you all for the fast responses. 
Special thanks go to those who replied (lexical order):

Marcus J Ranum <mjr@TIS.COM>
Paul Crowley <pdc@dcs.ed.ac.uk>
pausch@saaf.se (Paul Schlyter)
tarnold@vnet.IBM.COM (Todd W. Arnold)
wcs@anchor.ho.att.com (Bill Stewart) 

My question was:

>how sensitive is DES-encrypted data to bit errors? How much data per
>bit will be lost on average (I assume you still have the correct key)?

How much of the DES-encrypted data is affected depends on the used
encryption mode. According to Marcus J Ranum (mjr@TIS.COM) there is:

|	cfb = cipher feedback mode
|	ecb = electronic code book mode
|	cbc = cipher block chaining mode
|	ofb = output feedback mode
|
|	each mode does some stuff better than others. ofb and cfb are designed
|for communications streams more than for files.

Unfortunately, people strongly disagree about which mode will lead to destruction
of all of the following data. It sure seems that some modes will resync quite
fast, others never, and others will even affect only the one block.

Summarized, people said concerning *this* matter:

/
|In CBC mode, only the current block will be affected (tarnold@vnet.IBM.COM 
|<Todd W. Arnold>).
|
|If you use CBC (Cipher Block Chaining), then the remainder of the data
|will be destroyed as well. (pausch@saaf.se <Paul Schlyter>)
|
|In CFB mode, DES synchronizes quite fast (probably within 1 block 
|according to Marcus J Ranum <mjr@TIS.COM>).
\

Maybe someone *definitely* knows what happens in which mode?

Nevertheless, Thank you all very much again.

Axel Dunkel

--------------------------------------------------------------------
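The contradictory answers in the summary above (CBC destroying only one block versus the rest of the stream) come down to a property of the mode, not of DES, and can be settled by running the four modes. The following is an added example and not code from Axel's post or from any of the replies. Because Python's standard library has no DES, a stand-in 64-bit Feistel permutation built on SHA-256 is assumed in its place (it is not DES and not secure; any invertible 64-bit block function shows the same propagation), CFB is run with full 64-bit feedback, and the key, IV and plaintext are constructed for the demo.

```python
import hashlib

BLOCK = 8  # 64-bit blocks, the DES block size


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _feistel(key: bytes, blk: bytes, rounds) -> bytes:
    # Stand-in 64-bit Feistel permutation with a SHA-256-based round function.
    # NOT DES and NOT secure; error propagation depends only on the mode, so any
    # invertible 64-bit block function gives the same picture.
    l, r = blk[:4], blk[4:]
    for rnd in rounds:
        f = hashlib.sha256(key + bytes([rnd]) + r).digest()[:4]
        l, r = r, _xor(l, f)
    return r + l


def enc_block(key: bytes, blk: bytes) -> bytes:
    return _feistel(key, blk, range(16))


def dec_block(key: bytes, blk: bytes) -> bytes:
    return _feistel(key, blk, reversed(range(16)))  # same rounds, reverse order


def encrypt(mode: str, key: bytes, iv: bytes, pt: bytes) -> bytes:
    assert len(pt) % BLOCK == 0, "no padding in this demo"
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        p = pt[i:i + BLOCK]
        if mode == "ecb":
            c = enc_block(key, p)
        elif mode == "cbc":
            c = enc_block(key, _xor(p, prev))
            prev = c
        elif mode == "cfb":  # full-block (64-bit) feedback
            c = _xor(p, enc_block(key, prev))
            prev = c
        elif mode == "ofb":
            prev = enc_block(key, prev)
            c = _xor(p, prev)
        else:
            raise ValueError(mode)
        out.append(c)
    return b"".join(out)


def decrypt(mode: str, key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        if mode == "ecb":
            p = dec_block(key, c)
        elif mode == "cbc":
            p = _xor(dec_block(key, c), prev)
            prev = c
        elif mode == "cfb":
            p = _xor(c, enc_block(key, prev))
            prev = c
        elif mode == "ofb":
            prev = enc_block(key, prev)
            p = _xor(c, prev)
        else:
            raise ValueError(mode)
        out.append(p)
    return b"".join(out)


def propagation(mode: str, nblocks: int, flip_block: int, flip_bit: int) -> list:
    """Flip one ciphertext bit, decrypt, and classify every plaintext block as
    'ok' (intact), 'bitflip' (only the same bit wrong) or 'garbled' (random)."""
    key = b"\x13" * 8  # constructed demo key
    iv = b"\x37" * 8   # constructed demo IV
    pt = bytes((7 * i + 3) & 0xFF for i in range(nblocks * BLOCK))  # constructed
    ct = bytearray(encrypt(mode, key, iv, pt))
    ct[flip_block * BLOCK + flip_bit // 8] ^= 1 << (flip_bit % 8)
    rec = decrypt(mode, key, iv, bytes(ct))
    mask = bytearray(BLOCK)
    mask[flip_bit // 8] = 1 << (flip_bit % 8)
    result = []
    for b in range(nblocks):
        diff = _xor(rec[b * BLOCK:(b + 1) * BLOCK], pt[b * BLOCK:(b + 1) * BLOCK])
        if not any(diff):
            result.append("ok")
        elif diff == bytes(mask):
            result.append("bitflip")
        else:
            result.append("garbled")
    return result


if __name__ == "__main__":
    for m in ("ecb", "cbc", "cfb", "ofb"):
        print(m, propagation(m, 5, 2, 13))
```

A single flipped ciphertext bit in block 2 of 5 gives: ECB garbles block 2 only; CBC garbles block 2 and flips the same bit in block 3, then resynchronises; CFB flips the bit in block 2 and garbles block 3; OFB flips the bit in block 2 and nothing else. None of the modes loses "the rest of the data" from a bit flip; that happens with a dropped or inserted bit, which shifts block boundaries, and is why the replies recommend an error-correcting layer underneath.
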

I include the responses I got:

From: tarnold@vnet.IBM.COM (Todd W. Arnold)

In <ad.735831059@cat> Axel Dunkel writes:
>how sensitive is DES-encrypted data to bit errors? How much data per
>bit will be lost on average (I assume you still have the correct key)?

It depends on the mode you're using.  For a single 64-bit input block, a
one-bit error will have a 50 percent chance of corrupting each of the 64
output bits - in other words, it essentially turns the output block into
a random number.  If you're encrypting data in CBC mode, however, only the
one 64-bit block will be affected.  The next block, and all that follow it
will be decrypted properly.

It's a good idea to have some kind of error correction in your system if
corrupted bits are likely.

   - Todd

--------------------------------------------------------------------

From: pausch@saaf.se (Paul Schlyter)

In article <ad.735831059@cat> you write:
>Hello,
>
>how sensible is DES encrypted data towards bit errors? How much data per
>bit will be lost in average (I assume you still have the correct key)?

At least 8 bytes of data will be destroyed if one bit encrypted data is
in error.

If you use CBC (Cipher Block Chaining), then the remainder of the data
will be destroyed as well.

DES is VERY sensitive to single bit errors.  This is as it should be.

-- 
---
Paul Schlyter, Swedish Amateur Astronomer's Society (SAAF)
Nybrogatan 75 A, 6 tr,  S-114 40 Stockholm,  Sweden
InterNet:  pausch@saaf.se

--------------------------------------------------------------------

From: Paul Crowley <pdc@dcs.ed.ac.uk>

> how sensible is DES encrypted data towards bit errors? How much data per
> bit will be lost in average (I assume you still have the correct key)?

Probably very bad; you might lose the rest of the data stream.  If you
want safety against dropped bits use an error correcting coder like the
freeware GNU ecc.
  __                                  _____
\/ o\ Paul Crowley   pdc@dcs.ed.ac.uk \\ //
/\__/ Trust me. I know what I'm doing. \X/  Fold a fish for Jesus!

--------------------------------------------------------------------

From: wcs@anchor.ho.att.com

   how sensible is DES encrypted data towards bit errors? How much data per
   bit will be lost in average (I assume you still have the correct key)?

It depends on the mode you're using DES in.
Electronic Code Book (ECB) takes a block of 64 input bits
and produces 64 output bits, so if any bits are changed,
the entire block of 64 bits becomes bad.
I forget which feedback mode is which.
In all of them, the results of encrypting one block affect later blocks.
With some modes, the system self-synchronizes, so errors are repaired
in a few blocks.  With other modes, once one block is bad,
all later blocks will be bad too.

There's also the framing problem.  If you have a bit change,
the block that it's in changes, and maybe later blocks also change.
But if you have bits lost or bits added (64 bits in, 63 or 65 bits out),
everything is confused after that.

--------------------------------------------------------------------

From: Marcus J Ranum <mjr@TIS.COM>

	depends on the mode you're using. cfb, for example, synchronises
pretty fast. figure a bit error will destroy the current block and the
next one.

mjr.

--------------------------------------------------------------------

---
Experience is what you get if you don't get what you want...

Systemberatung Axel Dunkel, Koenigsberger Strasse 41, D 6239 Kriftel, Germany
E-Mail: ad@cat.de, Voice: +49-6192-41360, Fax: +49-6192-46949
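The summary above leaves the mode question open, so here is a way to settle it by measurement. This is an added example, not part of Axel Dunkel's post or of any of the replies: it uses a toy 64-bit Feistel network in place of DES (an assumption; the propagation pattern is a property of the chaining mode, not of the block cipher, so any invertible 64-bit block function gives the same block-level picture), encrypts six constructed blocks under a fixed key and IV, flips one ciphertext bit in block 2, decrypts, and counts the wrong plaintext bits in each block. The key, IV, plaintext and error position are all constructed for the example.

```python
"""Single-bit ciphertext errors in ECB, CBC, CFB and OFB, measured block by block.

Assumption: a toy 8-round Feistel cipher stands in for DES.  CFB here is the
64-bit (full-block) feedback variant; k-bit CFB flips the hit bit and garbles
the following 64/k segments instead of one block.  No padding is done.
"""
import hashlib

BLOCK = 8  # 64-bit blocks, as in DES


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _feistel(block: bytes, key: bytes, decrypt: bool) -> bytes:
    """Toy Feistel network (not DES): invertible for any round function."""
    left = int.from_bytes(block[:4], "big")
    right = int.from_bytes(block[4:], "big")
    subkeys = [hashlib.sha256(key + bytes([i])).digest()[:8] for i in range(8)]
    for sk in (reversed(subkeys) if decrypt else subkeys):
        f = int.from_bytes(hashlib.sha256(sk + right.to_bytes(4, "big")).digest()[:4], "big")
        left, right = right, left ^ f
    # final swap so that decryption is the same network with reversed subkeys
    return right.to_bytes(4, "big") + left.to_bytes(4, "big")


def block_encrypt(key: bytes, block: bytes) -> bytes:
    return _feistel(block, key, False)


def block_decrypt(key: bytes, block: bytes) -> bytes:
    return _feistel(block, key, True)


def _blocks(data: bytes) -> list:
    assert len(data) % BLOCK == 0, "this example does no padding"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def encrypt(mode: str, key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = [], iv
    for p in _blocks(plaintext):
        if mode == "ecb":
            c = block_encrypt(key, p)
        elif mode == "cbc":
            c = block_encrypt(key, _xor(p, prev))
            prev = c
        elif mode == "cfb":  # 64-bit feedback: ciphertext feeds the register
            c = _xor(p, block_encrypt(key, prev))
            prev = c
        elif mode == "ofb":  # keystream is independent of the ciphertext
            prev = block_encrypt(key, prev)
            c = _xor(p, prev)
        else:
            raise ValueError(mode)
        out.append(c)
    return b"".join(out)


def decrypt(mode: str, key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(ciphertext):
        if mode == "ecb":
            p = block_decrypt(key, c)
        elif mode == "cbc":
            p = _xor(block_decrypt(key, c), prev)
            prev = c
        elif mode == "cfb":
            p = _xor(c, block_encrypt(key, prev))
            prev = c
        elif mode == "ofb":
            prev = block_encrypt(key, prev)
            p = _xor(c, prev)
        else:
            raise ValueError(mode)
        out.append(p)
    return b"".join(out)


def flip_bit(data: bytes, bit_index: int) -> bytes:
    buf = bytearray(data)
    buf[bit_index // 8] ^= 0x80 >> (bit_index % 8)
    return bytes(buf)


def bit_error_damage(mode: str, key: bytes, iv: bytes, plaintext: bytes, bit_index: int) -> list:
    """Flip one ciphertext bit, decrypt, and count wrong plaintext bits per block."""
    damaged = flip_bit(encrypt(mode, key, iv, plaintext), bit_index)
    recovered = decrypt(mode, key, iv, damaged)
    return [bin(int.from_bytes(_xor(p, r), "big")).count("1")
            for p, r in zip(_blocks(plaintext), _blocks(recovered))]


# Constructed sample data (not from the thread): six blocks, error in block 2.
KEY = b"\x01\x23\x45\x67\x89\xab\xcd\xef"
IV = b"\xfe\xdc\xba\x98\x76\x54\x32\x10"
PLAINTEXT = b"block000block001block002block003block004block005"
ERROR_BIT = 2 * 64 + 5

if __name__ == "__main__":
    for mode in ("ecb", "cbc", "cfb", "ofb"):
        print(f"{mode}: wrong bits per block = {bit_error_damage(mode, KEY, IV, PLAINTEXT, ERROR_BIT)}")
```

The per-block counts show the four patterns the replies were arguing about: ECB garbles only the block containing the error; CBC garbles that block and flips exactly one bit (the same position) in the next block, after which it is back in sync; 64-bit CFB flips one bit in the hit block and garbles the next one; OFB flips only the single bit. The framing problem Bill Stewart raises is a different failure: a dropped or inserted bit shifts every later block in all four modes, which no chaining mode repairs.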


Newsgroup: sci.crypt
document_id: 16078
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: Re: Clipper considered harmful [Restated and amplified]

brad@optilink.COM (Brad Yearwood) writes:
>In article <1993Apr22.222016.25628@lehman.com>, pmetzger@snark.shearson.com (Perry E. Metzger) writes:
>> You obviously haven't read the information about the system. The chips
>> put out serial number information into the cypher stream to allow
>> themselves to be identified. The system does not rely on registering
>> people as owning particular phone units.
>> 
>> I am against the proposal, but let's be accurate in our objections.
>> 
>
>Do not presume to tell me what I have and have not read.  The system may
>not rely upon registering people as owning particular phone units, but
>it is necessary to know which phone units are likely to be used for some
>suspected criminal communication before you can obtain their unit keys
>from escrow.

Big deal. If you are a legitimate law enforcement agent and have a
legitimate wiretap order, you just listen in on the line for 10
minutes, get the serial number, and then take the order and go to the
escrow agencies. If you notice the criminal is now using a different
phone instrument, take your still-valid wiretap order to the escrow
agency with the new serial number. (This provides opportunities for
abuse by law enforcement, but that's not what we are discussing right
now.) I oppose Clipper, but the mechanics here are simple and easy to
understand. The whole rest of your article is based on a large series
of false premises, all predicated on the notion that this simple act
is somehow impossible.

I feel free to presume to tell you that you do not seem to understand
the mechanics of the proposal. Arguing that terrorists will be killing
people for their clipper phones is silly because it's pointless. Let's
be alarmist about what really would show up as a problem, shall we?

--
Perry Metzger		pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
document_id: 16079
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: Re: Overreacting (was Re: Once tapped, your code is no good any more)

jhan@debra.dgbt.doc.ca (Jerry Han) writes:
>In article <RENS.93Apr22153654@stimpys.imsi.com> rens@imsi.com (Rens
>Troost) writes: 
>
>>>   In this giant bally-ho over this Clipper chip I noticed a rather
>>>   disturbing trend in some of the E-mail and posts I've been tossing back and
>>>   forth.  
>>
>>Me too. A tendency on the part of some people to hide their head in
>>the sand.
>
>I never advocated "hiding in the sand."  I'm advocating a peaceful
>solution while a peaceful solution is possible.  Unless you want blood on
>your hands.

No one has mentioned violence other than you, Mr. Han. I believe you
are imagining things.

--
Perry Metzger		pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
document_id: 16080
From: mjacques@flute.calpoly.edu (Michael Jacques)
Subject: Re: Does Rush read his E-mail?

In article <1993Apr26.121052.9530@esseye.si.com> jongsma@tws4.si.com writes:
>In <1993Apr23.153320.4568@henson.cc.wwu.edu> n9045178@henson.cc.wwu.edu (Sean Dean) writes:
>
>>But I have no idea of a Compuserve e-mail address...
>
>70277.2502@compuserve.com

However, he said on his radio show today that he won't read anything
from the two alt groups. He simply deletes them without reading them. He
says that some of the people in the two groups are vicious.

>
>
>-- 
>Ken Jongsma                                          
>Smiths Industries                                jongsma@swdev.si.com
>Grand Rapids, Michigan                      73115.1041@compuserve.com



Newsgroup: sci.crypt
document_id: 16081
From: bryan@jpl-devvax.jpl.nasa.gov (Bryan L. Allen)
Subject: Re: New Encryption Algorithm

In article <49@shockwave.win.net> jhupp@shockwave.win.net (Jeff Hupp) writes:
> 
>>In article <1raeir$be1@access.digex.net> steve-b@access.digex.com (Steve Brinich) writes:
[some deleted]
>>
>>Unlike the CIA, the NSA has no prohibition against domestic spying.  Read
>>Bamford's THE PUZZLE PALACE.
>>
>>Bruce
>>
>        I have that book, and the way I read it is, one side of the
>conversation MUST be from outside the United States.
>        Of course, that ASS U MEs that the NSA plays by the rules...

One thing that seems ambiguous is whether a signal being echoed down from
geosynchronous orbit is "...from outside the United States."

Also, being able to assess whether NSA is playing by the rules requires
knowing what the rules are. We only know a subset. For those even more
suspicious, there could be other surveillance organizations "blacker"
than the NSA.

-- 
          Bryan L. Allen       bryan@devvax.jpl.nasa.gov
          Telos Corp./JPL      (818) 306-6425

Newsgroup: sci.crypt
document_id: 16082
From: ktl@wag.caltech.edu (Kian-Tat Lim)
Subject: Re: Dorothy Denning opposes Clipper, Capstone wiretap chips

The *security* of the system does depend only on the secrecy of the keys.

The ability to tap is an inherent *insecurity* which depends fundamentally on
the secrecy of the algorithm.  To spell it out, because so many people seem to
miss the point, if the algorithm were published, anyone could create a chip
which would work correctly with the Skipjack chips but which would not have
its key registered.

I believe there is no technical means of ensuring key escrow without the
government maintaining a secret of some kind.  For example, the secret could be
the private keys of the escrow agencies; their digital signatures would be
required before a key could be used.  In this case, the NSA/NIST/whoever has
decided that protecting the entire algorithm is easier/cheaper/more secure than
other possible protocols.

-- 
Kian-Tat Lim (ktl@wag.caltech.edu, GEnie: K.LIM1)
Materials & Molecular Simulation Center, Caltech
Henry Spencer left-of-|, Margaret "*" Puckette signature fan

Newsgroup: sci.crypt
document_id: 16083
From: bchen@wpi.WPI.EDU (Bi Chen)
Subject: Help: Where is FAQ for sci.crypt and other questions


Dear netters:

I have been scanning this news group for a while but have not found a FAQ.
Could someone enlighten me where to find the FAQ if there is one. Also,
could someone recommend a few good books about encryption and decryption,
about patent information, and government regulation on this science/technology.
I will appreciate any of your help very much.

Sincerely

Bi Chen



Newsgroup: sci.crypt
document_id: 16084
From: mnemonic@eff.org (Mike Godwin)
Subject: Re: Dorothy Denning opposes Clipper, Capstone wiretap chips

In article <allen.735873202@well.sf.ca.us> allen@well.sf.ca.us (Allen Barrett Ethridge) writes:
>In <1993Apr26.063532.10120@eff.org> mnemonic@eff.org (Mike Godwin) writes:
>
>>In article <C614BJ.BK6@agora.rain.com> jhart@agora.rain.com (Jim Hart) writes:
>>>"The security of the system should depend only on the secrecy of
>>>the keys and not on the secrecy of the algorithms" -- Dorothy Denning
>
>>Cite source, please.
>
>"Cryptography and Data Security", page 8, perhaps.

Thanks. Got that from two other sources as well. The full quote is as
follows:

From Dorothy Denning, CRYPTOGRAPHY AND DATA SECURITY, Addison-Wesley
1982,1983, page 8:

"Cryptosystems must satisfy three general requirements:

"1. The enciphering and deciphering transformations must be efficient for
all keys.

"2. The system must be easy to use.

"3. The security of the system should depend only on the secrecy of the
keys and not on the secrecy of algorithms E [enciphering] or D
[deciphering]."



--Mike




-- 
Mike Godwin,    |    Ariel Rose Godwin
mnemonic@eff.org|    Born 4-15-93 at 4:34 pm in Cambridge 
(617) 576-4510  |    7 pounds, 1.5 ounces, 19.75 inches long 
EFF, Cambridge  |    A new citizen of the Electronic Frontier 

Newsgroup: sci.crypt
document_id: 16085
From: pat@rwing.UUCP (Pat Myrto)
Subject: Re: Suggestions for escrow agencies (was: Re: More technical details)

In article <C5y746.73K@vcd.hp.com> johne@vcd.hp.com (John Eaton) writes:
<Paul Robichaux (robichau@lambda.msfc.nasa.gov) wrote:
<: 
<: As a private citizen, I would feel much more "secure in my person and
<: papers" knowing that an organization committed to individual civil
<: liberties- the ACLU and the NRA come to mind- was safeguarding half of
<: my key. Both the ACLU and the NRA are resistant to government pressure
<: by the simple expedient fact that they are not supported, funded, or
<: overtly controlled by the government.
<: --------------------------
<That's one problem that has so far been overlooked. These two escrow
<agencies will have to create a secure database and service the
<input and output of Keys. Who pays for this? If they refuse an
<illegal request from some congressman to deliver a key can their
<budget be cut to punish them? Will congress be forced to fund
<them forever?

Congress isn't forced to do ANYTHING.  Not even follow their own rules,
if it isn't expedient.  If caught with their collective pants down,
they make some funny noises, perhaps crucify a scapegoat or two, then
continue business as usual.  I notice those senators involved with
the S&L Scandal weren't hurt too much, if at all.  DeConcini's personal
stake in suppliers to those big Aerostats hasn't affected his credibility
at all, inside Congress, at least.  He is still pushing his police state
agenda...

<The problem is that laws can change. Congress may pass a law setting
<up an escrow agency with instructions that keys are private. Some
<future congress may change that law. Suppose pre-nazi Germany had
<a clipper system. Do you think the escrow agencies would have
<told Hitler that he could not have the keys without a valid 
<court order?

It will be like the old saw in New Jersey and New York, Chicago, etc
when the politicians PROMISED that this spiffy new gun registration law
will NOT be used for future confiscation purposes.  Sure enough, a few
years later, when they WERE used JUST FOR THAT PURPOSE, and folks
complained, the response was "Well, *I* didn't make that promise..."
Some politicians may not even wait a few years...  Escrowed keys would
have the same assurances of security.  Besides, if someone wants to
snoop, how are YOU to know - you don't think they will send you a letter
saying "We are now snooping on your private conversations...", do you?
What are the assurances the escrow people will not be FORBIDDEN to
report any access attempts for one's keys?

So much for government assurances of privacy.

<In effect you must set up escrow agencies as a fourth branch of
<the government and isolate them from any outside interference.
<They will be able to directly tap into Federal funds with no
<accountability to anyone except through a court challenge.

How?  The Feds will just change the law, or just ignore it.  Nothing
new here...  They got the muscle, the resources, the guns...

As an aside, since export of crypto is verboten because of ITAR,
shouldn't the Second Amendment also come into play here?

<John Eaton
<!hp-vcd!johne

-- 
pat@rwing.uucp      [Without prejudice UCC 1-207]     (Pat Myrto) Seattle, WA
         If all else fails, try:       ...!uunet!pilchuck!rwing!pat
WISDOM: "Only two things are infinite; the universe and human stupidity,
         and I am not sure about the former."              - Albert Einstein

Newsgroup: sci.crypt
document_id: 16086
From: pat@rwing.UUCP (Pat Myrto)
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks only

In article <WARLORD.93Apr24232556@podge.mit.edu> warlord@MIT.EDU (Derek Atkins) writes:
<In article <strnlghtC5t4D6.Jn8@netcom.com> strnlght@netcom.com (David Sternlight) writes:
<
<   Some countries have laws about importing crypto gear--I believe the U.S.
<   does. Without a license the above scheme won't work (at least not legally)
<   in such countries, including at least France and the U.S.
<
<   David
<
<BZZT!
<
<Wrong.  The US does NOT have crypto import laws.

I'd not be so sure about that:

Are there any MUNITIONS import laws, and could those be used against
importation of crypto hardware/software as well as firearms?

Importing so-called 'assault weapons' for use by commoners comes to mind....

NOTE - talk.politics.guns added to Newsgroups for possible feedback...

-- 
pat@rwing.uucp      [Without prejudice UCC 1-207]     (Pat Myrto) Seattle, WA
         If all else fails, try:       ...!uunet!pilchuck!rwing!pat
WISDOM: "Only two things are infinite; the universe and human stupidity,
         and I am not sure about the former."              - Albert Einstein

Newsgroup: sci.crypt
document_id: 16087
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Overreacting (was Re: Once tapped, your code is no good any more)

In article <1993Apr27.190451.25650@lehman.com> pmetzger@snark.shearson.com
(Perry E. Metzger) writes:


>
>No one has mentioned violence other than you, Mr. Han. I believe you
>are imagining things.

This is factually incorrect. There was at least one message that said that
Waco and Clipper justified "anything" in response.

David
-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
document_id: 16088
From: jamesl@galaxy.nsc.com (James Lu x3702)
Subject: How to make this illuminating thing?


In some hobby shop, they sell a flexible tube (1/4-inch diameter,
18-inch long) that will illuminate if you bend or shake it (it
is also sold in amusement parks in the evenings). The brightness
can last 2 to 4 hours. If it is left in a refrigerator (in coldness),
you can prolong its life of illumination.

Is this something we can make ourselves easily? Or, do you know any
reading that can provide details about this stuff? Working with kids,
it would be nice if it can be a do-it-yourself project with
minimum budget.




Newsgroup: sci.crypt
document_id: 16089
From: mcnally@quip.eecs.umich.edu (Mike McNally)
Subject: Re: I have seen the lobby, and it is us

In article <C5xxGA.GAv@ms.uky.edu> morgan@engr.uky.edu (Wes Morgan) writes:
>
>You should realize that form letters are the *worst* way to influence
>your congresscritters; exact copies are routinely placed on the lowest
>rung of the opinion ladder.
>
>If you want to write (and I think you should!), take the time to really
>*write* a letter.  Things to emphasize:

  [excellent and helpful list deleted] 

>	- Be concise; don't ramble.  Rants are *definitely* out of place.
>	  Cite references, if necessary, but only use "accepted" references
>	  like academic journals.  "My neighbor Jim" is *not* a real refer-
>	  ence.  8)

  Wes's list of "do"s and "don't"s for writing your Congressional
representatives is a fine one, but I'd like to encourage people to pay
extra attention to the point above.  As cliched as the saying may be
it's nevertheless true that you can catch more flies with honey than
with vinegar.

  While the writing styles prevalent on the net possess a certain charm
please remember that the person reading your letter is likely to be
uninfluenced or negatively influenced if you express your concerns in
a way that makes you sound like a flake or a paranoid crackpot.  Wild
and unsupported accusations about the menace from the NSA will not
carry much weight, nor are overblown conclusions about the inevitable
consequences of the proposal likely to convince (especially not ones
that attempt strained analogies to the rise of the Nazi party.  Please
save the Niemoller quote for another letter..)

  If you want your opinions to be taken seriously it is *very* important
that you state those opinions in a manner that is understandable and 
seems reasonable to a layman.  Don't overburden your reader with technical
details or expect them to know the history of various encryption 
technologies.  Before you mail it, hand your letter to a non-technical
friend and ask them to sanity-check it.

  Above all, realize that legislators are often motivated as much by
self-interest as by anything else.  Try to point out risks in terms that
will be meaningful and motivating to them such as the loss of individual
privacy rights or the damage restrictive export regulations do to American
businesses' ability to compete in the global marketplace.  Pull the 
strings that you think will work with your legislator -- if your
legislator is unlikely to be swayed by civil-rights concerns then point out
how a government-granted monopoly for Mycotronx damages the competitiveness
of businesses in your district that manufacture or market phone or crypto
technology.

                                                                 -mcnally.

Newsgroup: sci.crypt
document_id: 16092
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

strnlght@netcom.com (David Sternlight) writes:
>>  Well, that explains it.  The government has no real need to spy on people
>>who already love Big Brother; it's the people who are inclined to talk
>>back who need to be watched.

>Though I think this an overstatement, it does contain a grain of truth. It's
>drug dealers, spies, terrorists, and organized crime figures (assuming
>enough probable cause to convince a judge) who need to be watched, not
>law-abiding citizens.

And thus, COINTELPRO, in which horrible people who threatened the
republic by disagreeing with the Government were systematically kept
track of for years...

--
Perry Metzger		pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
document_id: 16101
From: C445585@mizzou1.missouri.edu (John Kelsey)
Subject: forbidden to reveal wiretap?


   If it's forbidden to inform someone of a police wiretap on their phone, then
is it legal to work privately as a "sweeper," and report to the person you
work for whether you found a bug?

Newsgroup: sci.crypt
document_id: 16102
From: C445585@mizzou1.missouri.edu (John Kelsey)
Subject: Clipper and backdoors

David Sternlight says:
 
>It discredits the writer with third parties to claim Clipper has a back
>door. It does not.
 
   Actually, David, I don't think it's any more intellectually honest to
say there are no backdoors than to say there are backdoors, unless you've
had a chance to examine the algorithm and the silicon closely.  For all
we know, skipjack could be easily broken, or impossible to break.  And
clearly, if skipjack is not secure, then the clipper chip is not worth much.
 
   --John Kelsey

Newsgroup: sci.crypt
document_id: 16105
From: tedwards@eng.umd.edu (Thomas Grant Edwards)
Subject: Re: Clipper considered harmful

>Sternlight) writes:
>>>(Gideon Yuval) writes:
>>>>If these personal attacks are what stopped Prof. Denning from
>>>>replying on issues of substance, they have cause real harm
>>>>to the serious debate here.
>>>They are and they have.

If Prof. Denning is afraid of posting here due to personal attacks,
perhaps she should use an anonymous posting service.  That is why
they are there, to allow heated debate to occur without the personal
attacks.  

Is anon@penet back up yet?

-Thomas


Newsgroup: sci.crypt
document_id: 16115
From: grady@netcom.com (1016/2EF221)
Subject: Re: Subliminal Channels in DSS

May I suggest that any proposed cipher system
having less entropy than the user's key and message can have
an embedded subliminal channel as big as the
difference in entropies between the entropy of the user
input (message) and the entropy of the output?

For example, take plain DES.  The unsuspecting
user inputs a string "PLAINTEXT" to be enciphered.

He cranks the algorithm which has been hacked
by George Quisling and comes out with j*3H4902d.

Nine char in and nine chars out.  Right?

The unsuspecting user ships the ciphertext
to be decrypted and the message "PLAINTEXT"
is produced.  Everything fine, right?  Nope.


Imagine the algorithm did an LZ compression
on PLAINTEXT before DESing, compressing it
down to four characters with more entropy:

9#wj

The opponent now pads the message with his
own message, also compressed

*3dk@

before applying DES to the concatenated
compressed pairs.  When decrypted, the
first compressed message is stripped off
and declared sent.  Unbeknownst to the
receiver, the opponent's accomplice collects
the remaining message in the bit bucket and
uncompresses to KILL NOW.

And to prevent all such subliminal or covert
storage channels you would need to have 
maximal entropy all the time -- which is
a priori impossible because (for example)
a stereotypical message might be
replaced by one bit in the output reserving
the rest of the output bits for the long
covert message.

In other words, if your opponent gets to muck
with the algorithm -- you either have got to
muck with it LAST or concede his possible 
embedding of covert channels.

In other words, if you present a message
to an opponent with less than maximal entropy
then you have given him free bits of storage.

-- 
grady@netcom.com  2EF221 / 15 E2 AD D3 D1 C6 F3 FC  58 AC F7 3D 4F 01 1E 2F


Newsgroup: sci.crypt
document_id: 16117
From: amanda@intercon.com (Amanda Walker)
Subject: Re: My letter about Clipper

David Reeve Sward <sward+@CMU.EDU> writes:
> We don't know this, do we?  The algorithm is classified. 

I speculate, from the MykoTronx data sheet on the MYK-78, that the algorithm 
is a classified cryptosystem, similar in application to DES but cleared by 
the NSA for classified traffic, that has been in use for a number of years.  
Mykotronx refers to it as "Government Type II encryption", which matches the
designation of one of the types of encryption available on STU-III phones, 
and may be the same as a cryptosystem I have heard called "CIPHER2".

This would make sense, since this is evidently a field-proven cryptosystem 
which can act as a "pin-compatible" substitute for DES.  Combined with a 
tappable key exchange protocol, this would offer exactly what is claimed for 
Clipper: secure encryption with access via a key escrow.  If this is in fact the
case, it would make me quite confident of the encipherment algorithm itself.

Now, I do not know if these are in fact the same cryptosystem; my knowledge 
of classified cryptography isn't even fuzzy :), it's nonexistent.  However, 
it would certainly have been the least-effort approach on the part of the 
government: take an old military cipher that people can drop in place of DES 
(and which is at least as secure), set up a key escrow scheme for law 
enforcement, and promote it for public use.  This also fits with Mykotronx, 
who's been around but almost invisible for years.

Has anyone else made this sort of connection, or am I just hallucinating pink 
elephants here? :).  My curiosity has been piqued...


Amanda Walker
InterCon Systems Corporation

Newsgroup: sci.crypt
document_id: 16118
From: kennejs@a.cs.okstate.edu (KENNEDY JAMES SCOT)
Subject: Re: RE: RE: Clipper Chip

From article <67@cyberia.win.net>, by johnston@cyberia.win.net (Robert Johnston):
> Encryption technologies are currently regarded as arms by the
> Feds, hence the export ban.  While the Second is under enough
> attack for guaranteeing our rights to firearms, perhaps we
> should reflect on this as well.  (Perhaps firearms are not the
> only weapons covered under the Second Amendment)

Hmmm... I wouldn't consider encryption to be a weapon.  How would the
government classify encryption?  Seems to me that encryption ought to
be covered by the first amendment.   Using this line of reasoning, the
government shouldn't be able to restrict what data people encrypt and
what encryption algorithms they use because this would be restricting
one's freedom of speech.  In other words, encrypted data---text,
graphics, or other information---is just another form of free speech.
For this reason the government shouldn't be able to regulate the use
of encryption algorithms and encrypted data.  The only time the
government should be able to 'force' someone to reveal his or her
encryption keys for some encrypted data is when the encrypted data
in question may be something that isn't protected by the first
amendment such as kiddy porn.  Even in a case like this the
government should be required to get a search warrant before coercing
someone into revealing the keys.

BTW, what encryption methods are considered to be state-of-the-art
nowadays?  Have the feds relaxed export restrictions on DES yet?
Also, is DES still regarded as a good form of encryption?

> Robert Johnston
> johonston@cyberia.win.net


Scott Kennedy,  Brewer and Patriot

Before:  "David Koresh is a cheap thug who interprets
          the Bible through the barrel of a gun..."  --ATF spokesman
After:   "[The ATF] is a cheap thug who interprets
          [the Constitution] through the barrel of a gun..."  --Me

         *******************************************
         * BATF = Cigarette Cops                   *
         * FBI  = Fuehrer's Bureau of Incineration *
         *******************************************



Newsgroup: sci.crypt
document_id: 16119
From: maa@plato.ds.boeing.com (Mark A Allyn)
Subject: Clipper Chip: Reverse Engineering

I have been looking over the postings about the Clipper Chip and noticed
an interesting omission from the discussion.

You all mention that the algorithm is classified and have expressed 
concerns and ideas of how to figure out the algorithm using software.

The question that I have is why can't someone take one of these chips
and reverse engineer it? I mean, take the thing to a chip testing/
analysis facility, one with a decent electron microscope. Just pry
off the top of the chip and start scanning it with the electron
microscope and figure out the circuitry. I remember a place that I used
to work for had one of these facilities that they used to analyze chips
that we accidentally blew out while running tests. They could actually find
the area that was fried and show us where in the circuit it was. 

I am sure that many companies and universities must have these facilities
and that the potential is there, especially at a university where the
security at such a facility is looser, for someone to take a clipper
apart and analyze it?

What can the government do to prevent this? Start taking away all 
microchip analysis facilities and electron microscopes??

mark



Newsgroup: sci.crypt
document_id: 16120
From: smythw@vccsouth10.its.rpi.edu (William Smythe)
Subject: Re: I have seen the lobby, and it is us

In article <Apr22.185314.14420@yuma.ACNS.ColoState.EDU> ns111310@LANCE.ColoState.Edu (Nathaniel Sammons) writes:
>1) I think that most of us can afford a stamp and an envelope, and the
>cost of printing out a letter.
>
>2) If some kind soul out there would write a letter, and upload it to 
>the net, everyone could capture it, print it out, and snail-mail it
>out to their local congressional critter.
>
>BTW>> I'm working on one.

Dear Senator/Congressman/President {fill in the blank}

I am writing you to voice my strong opposition to President Clinton's Clipper 
Chip initiative. This proposal to establish a secret government designed
cryptography chip with government key registration as the standard for voice
encryption is very disturbing. The idea that citizens must register their 
secrets with the government just in case they are trying to keep them secret 
is patently un-American. Additionally, the press release for this program
strongly implied that other forms of cryptography would be banned after the 
Clipper Chip standard is in place. This latest attack on our civil rights is 
deeply disturbing and is frankly a voting issue for me. 

The president's press release stated that the plan strikes a balance between the
legitimate needs of law enforcement and a citizen's right to privacy but this
is not the case. The fact is that since other strong cryptographic equipment
is available the criminals, drug dealers and terrorists mentioned in the press
release will simply use non-Clipper cryptography. Meanwhile the average citizen
may gain no protection against warrantless wiretaps by the government since the
government escrowed key is derived deterministically from the unit serial number
which is broadcast by the chip during its operation. This seems like an
obvious back door for the NSA and law enforcement. If you still do not
understand my objection to key registration, consider the way J. Edgar Hoover
blackmailed government officials like yourself; would you now use a phone to
transmit personal details of your life that the NSA and FBI have the keys to?


______________________________________________________________________________
Well, here's a letter. I didn't spell check it since I don't know how in EMACS
so you might want to do that. 

Bill Smythe

Newsgroup: sci.crypt
document_id: 16121
From: pat@rwing.UUCP (Pat Myrto)
Subject: Re: Overreacting (was Re: Once tapped, your code is no good any more)

In article <C62EL4.4I4@rahul.net> dhesi@rahul.net (Rahul Dhesi) writes:
>In <2109@rwing.UUCP> pat@rwing.UUCP (Pat Myrto) writes:
>
>>How come the media is not telling about the provisions of the Clipper
>>decision? ...
>
>>How can the bulk of the people be informed, when the media refuses to
>>do it?
>
>The answer to your second question lies in the way you phrased the
>first one:  'the media is...'.
>
>The media isn't 'is'.  The media 'are'.  'Media' means 'more than one
>medium.'  There are thousands of publications.  Some say this, some say
>that.  
>
>     How can the bulk of the people be informed, when they won't read
>     informative publications?

Because much of the public aren't even aware of the NAMES of informative
publications.  Look at the 'wealth' of material on the typical newsstand.
Unless the person is working in some kind of technical environment, with
the usual trade journals, all they ever see is the media (note: media
in this context is the popular media - TV, radio, daily newspapers, and
such publications as Time, Newsweek, and all that).  And they all say
pretty much the same thing.  I see most of them being in the range of
center-left to far Left, and generally supportive of pie-in-the-sky
we-will-take-care-of-you-think-for-you-cradle-to-grave.  There seems
to be an air of arrogance that the individual is not capable of
understanding major issues so the media doesn't bother to inform them
(as with Clipper, for example) or tells the people how to interpret
events in others.  What is lost sight of is that the people are not good
at understanding things because they are not TOLD accurate information
about them.  It is a lot to expect of the people for them to be
clairvoyant.  For example, I would have been unaware of Clipper had
I not picked it up on USENET.  How much of the population has USENET,
let alone Internet access?

For access to better publications, the person has to spend time digging.
Many folks, especially who work long hours, have families, etc., do not
have TIME to go digging, and many are not (yet) aware things are wrong,
so are not motivated to dig.  Not saying it's right, just saying that is
the way things are.  People aren't upset about things when they aren't
TOLD.  And the less-than-objective media is a major contributor to the
problem.

And then compound that with an attitude of arrogance in the civil service
(bureaucrats, politicians) that act as if the person without political
connections, or deep pockets (potential contributor) should have few if
any rights, being a resource to be used by those in control for their
political or financial gain.  Some Law Enforcement agencies act as if
they regard the common person with a rather intense degree of contempt,
peons that are supposed to do what they are TOLD, and get very nasty
when someone questions them.  The media pundits/editors, etc. tend to
fall into those with privilege, and tend to not be upset by the current
state of affairs.  The fellow in DC, who shot the swimmer in his Jacuzzi
for daring to swim in it, with an ILLEGALLY owned gun (violating the law
he pushed to be foisted on everyone else), ends up walking where a less
well-connected person would have been crucified.  A typical example of
one standard for 'us', a much more restrictive standard for 'other folk'.

Perhaps I am not real eloquent in expressing this, but the solution
sure as hell is NOT to make it HARDER for people to find out what is
going on, or dismiss their concerns because one happens to be in a position
where one feels they are exempt or insulated.  Such as that hypocrite of
a journalist in DC described above.  One notices that these less-than-
complimentary points about that double standard were NOT covered in the
media.  I feel the reason was it dovetailed with their political views
on the subject, and it involved a 'brother' journalist.

Isn't it time for our 'objective' media, the MAIN SOURCE of info for the
average person, to start being what they claim to be, instead of spin
doctors for the Statist elements?

>-- 
>Rahul Dhesi <dhesi@rahul.net>
>also:  dhesi@cirrus.com


-- 
pat@rwing.uucp      [Without prejudice UCC 1-207]     (Pat Myrto) Seattle, WA
         If all else fails, try:       ...!uunet!pilchuck!rwing!pat
WISDOM: "Only two things are infinite; the universe and human stupidity,
         and I am not sure about the former."              - Albert Einstien

Newsgroup: sci.crypt
document_id: 16122
From: pat@rwing.UUCP (Pat Myrto)
Subject: Re: Clipper considered harmful

In article <strnlghtC64Dx1.1zn@netcom.com> strnlght@netcom.com (David Sternlight) writes:
>In article <1993Apr25.193300.1707@microsoft.com> gideony@microsoft.com
>(Gideon Yuval) writes:
>
>>If these personal attacks are what stopped Prof. Denning from
>>replying on issues of substance, they have caused real harm
>>to the serious debate here.
>
>They are and they have.

Are you in contact with her, is that what she said, or what you THINK
her reason is?

Also, could it be possible that she is not replying because she has
no reply that wouldn't confirm the worst suspicions?  If the suspicions
are way out of pocket, one would think the person would be in there
saying so, and indicating WHY they are out of pocket.  Hiding behind
a veil of secrecy is not reassuring.


-- 
pat@rwing.uucp      [Without prejudice UCC 1-207]     (Pat Myrto) Seattle, WA
         If all else fails, try:       ...!uunet!pilchuck!rwing!pat
WISDOM: "Only two things are infinite; the universe and human stupidity,
         and I am not sure about the former."              - Albert Einstein
         and I am not sure about the former."              - Albert Einstien

Newsgroup: sci.crypt
document_id: 16123
From: whitaker@eternity.demon.co.uk (Russell Earl Whitaker)
Subject: From Crossbows to Cryptography

-----BEGIN PGP SIGNED MESSAGE-----

Please note that the following speech was made by Chuck Hammill
in 1987.  Address all letters to his address, given at the end
of this document.
     -- Russell

  FROM CROSSBOWS TO CRYPTOGRAPHY:  THWARTING THE STATE VIA
                     TECHNOLOGY

  Given at the Future of Freedom Conference, November 1987


     You   know,   technology--and   particularly   computer
technology--has often gotten a bad rap in  Libertarian  cir-
cles.  We tend to think of Orwell's 1984, or Terry Gilliam's
Brazil,  or  the  proximity  detectors keeping East Berlin's
slave/citizens on their own side of the border, or  the  so-
phisticated  bugging  devices  Nixon used to harass those on
his "enemies list."  Or, we recognize that for the price  of
a  ticket  on  the Concorde we can fly at twice the speed of
sound, but only if we first walk thru a magnetometer run  by
a  government  policeman, and permit him to paw thru our be-
longings if it beeps.

     But I think that mind-set is a mistake.   Before  there
were cattle prods, governments tortured their prisoners with
clubs  and  rubber  hoses.    Before  there  were lasers for
eavesdropping, governments used binoculars and  lip-readers.
Though  government certainly uses technology to oppress, the
evil lies not in the tools but in the wielder of the tools.

     In fact, technology represents one of the most  promis-
ing  avenues  available  for  re-capturing our freedoms from
those who have stolen them.  By its very nature,  it  favors
the  bright  (who can put it to use) over the dull (who can-
not).  It favors the adaptable (who are  quick  to  see  the
merit  of  the  new)  over  the sluggish (who cling to time-
tested ways).  And what two better words are  there  to  de-
scribe government bureaucracy than "dull" and "sluggish"?

     One  of  the  clearest,  classic triumphs of technology
over tyranny I see is  the  invention  of  the  man-portable
crossbow.   With it, an untrained peasant could now reliably
and lethally engage a target out to  fifty  meters--even  if
that  target  were  a mounted, chain-mailed knight.  (Unlike
the longbow, which, admittedly was more powerful, and  could
get  off  more shots per unit time, the crossbow required no
formal training to utilize.   Whereas the  longbow  required
elaborate  visual,  tactile  and kinesthetic coordination to
achieve any degree of accuracy, the wielder  of  a  crossbow
could simply put the weapon to his shoulder, sight along the
arrow  itself, and be reasonably assured of hitting his tar-
get.)

     Moreover, since just about  the  only  mounted  knights
likely  to  visit  your  average peasant would be government
soldiers and tax collectors, the utility of the  device  was
plain:    With it, the common rabble could defend themselves
not only against one another, but against their governmental
masters.   It was the  medieval  equivalent  of  the  armor-
piercing  bullet,  and, consequently, kings and priests (the
medieval equivalent of a  Bureau  of  Alcohol,  Tobacco  and
Crossbows)  threatened  death  and  excommunication, respec-
tively, for its unlawful possession.

     Looking at later developments, we  see  how  technology
like  the  firearm--particularly the repeating rifle and the
handgun, later followed by the Gatling gun and more advanced
machine guns--radically altered the balance of interpersonal
and inter-group power.  Not without reason was the Colt  .45
called "the equalizer."  A frail dance-hall hostess with one
in  her  possession  was  now  fully able to protect herself
against the brawniest roughneck in any saloon.    Advertise-
ments  for  the period also reflect the merchandising of the
repeating cartridge  rifle  by  declaring  that  "a  man  on
horseback,  armed with one of these rifles, simply cannot be
captured."  And, as long as his captors  were  relying  upon
flintlocks  or  single-shot rifles, the quote is doubtless a
true one.

     Updating now to  the  present,  the  public-key  cipher
(with  a  personal  computer to run it) represents an equiv-
alent quantum leap--in a defensive weapon.    Not  only  can
such  a technique be used to protect sensitive data in one's
own possession, but it can also permit two strangers to  ex-
change   information   over   an   insecure   communications
channel--(a  wiretapped   phone   line,   for   example,   or
skywriting, for that matter)--without ever having previously
met  to  exchange cipher keys.   With a thousand-dollar com-
puter, you can create a cipher that  a  multi-megabuck  CRAY
X-MP  can't  crack in a year.  Within a few years, it should
be economically feasible to similarly encrypt voice communi-
cations; soon after that, full-color digitized video images.
Technology will not only have made wiretapping obsolete,  it
will  have  totally demolished government's control over in-
formation transfer.

     I'd like to take just a moment to sketch the  mathemat-
ics  which makes this principle possible.  This algorithm is
called the RSA algorithm, after Rivest, Shamir, and  Adleman
who  jointly created it.  Its security derives from the fact
that, if a very large number is  the  product  of  two  very
large  primes,  then it is extremely difficult to obtain the
two prime factors from analysis  of  their  product.    "Ex-
tremely"  in  the  sense that if primes  p  and  q  have 100
digits apiece, then their 200-digit product cannot  in  gen-
eral be factored in less than 100 years by the most powerful
computer now in existence.

     The  "public" part of the key consists of (1) the prod-
uct  pq  of the two large primes p and q, and (2)  one  fac-
tor,  call it  x  , of the product  xy  where  xy = {(p-1) *
(q-1) + 1}.  The "private" part of the key consists  of  the
other factor  y.

     Each  block of the text to be encrypted is first turned
into an integer--either by using ASCII,  or  even  a  simple
A=01,  B=02,  C=03, ... , Z=26 representation.  This integer
is then raised to the power  x (modulo pq) and the resulting
integer is then sent as the encrypted message.  The receiver
decrypts by taking this integer to the  (secret)  power    y
(modulo  pq).  It can be shown that this process will always
yield the original number started with.

     What makes this a groundbreaking development,  and  why
it  is  called  "public-key  cryptography,"  is  that I can
openly publish the product  pq and the number   x   ,  while
keeping  secret  the number  y  --so that anyone can send me
an encrypted message, namely
                       x
                     a    (mod pq)  ,
but only I can recover the original message  a  , by  taking
what  they  send, raising it to the power  y  and taking the
result (mod pq).  The risky step (meeting to exchange cipher
keys) has been eliminated.  So people who may not even trust
each other enough to want to meet, may  still  reliably  ex-
change  encrypted  messages--each  party having selected and
disseminated his own  pq  and his  x  ,   while  maintaining
the secrecy of his own  y.

     Another benefit of this scheme is the notion of a "dig-
ital signature," to enable one to authenticate the source of
a given message.  Normally, if I want to send you a message,
I raise my plaintext  a  to your x and take the result  (mod
your pq)  and send that.

    However,  if in my message, I take the plaintext  a and
raise it to my (secret) power  y  , take the result  (mod my
pq), then raise that result to your x   (mod  your  pq)  and
send this, then even after you have normally "decrypted" the
message,  it  will still look like garbage.  However, if you
then raise it to my public power x   , and take  the  result
(mod  my public pq  ), you will not only recover the ori-
ginal plaintext message, but you will know that no one but I
could have sent it to you (since no one else knows my secret
y).

     And these are the very concerns by the way that are to-
day tormenting the Soviet Union about the whole question  of
personal  computers.    On the one hand, they recognize that
American schoolchildren are right now growing up  with  com-
puters  as commonplace as sliderules used to be--more so, in
fact, because there are things computers can do  which  will
interest  (and instruct) 3- and 4-year-olds.  And it is pre-
cisely these students who one generation hence will be going
head-to-head against their Soviet  counterparts.    For  the
Soviets  to  hold  back might be as suicidal as continuing to
teach swordsmanship  while  your  adversaries  are  learning
ballistics.    On  the  other hand, whatever else a personal
computer may be, it is also an exquisitely efficient copying
machine--a floppy disk will hold upwards of 50,000 words  of
text,  and  can  be  copied in a couple of minutes.  If this
weren't threatening enough, the computer that  performs  the
copy  can also encrypt the data in a fashion that is all but
unbreakable.  Remember that in Soviet society  publicly  ac-
cessible  Xerox  machines are unknown.   (The relatively few
copying machines in existence  are  controlled  more  inten-
sively than machine guns are in the United States.)

     Now  the  "conservative" position is that we should not
sell these computers to the Soviets, because they could  use
them  in weapons systems.  The "liberal" position is that we
should sell them, in  the  interests  of  mutual  trade  and
cooperation--and  anyway,  if  we don't make the sale, there
will certainly be some other nation willing to.

     For my part, I'm ready to suggest that the  Libertarian
position should be to give them to the Soviets for free, and
if  necessary, make them take them . . . and if that doesn't
work load up an SR-71  Blackbird  and  air  drop  them  over
Moscow in the middle of the night.  Paid for by private sub-
scription, of course, not taxation . . . I confess that this
is not a position that has gained much support among members
of  the conventional left-right political spectrum, but, af-
ter all, in the words of one of Illuminatus's characters, we
are political non-Euclideans:   The shortest distance  to  a
particular  goal may not look anything like what most people
would consider a "straight line."    Taking  a  long  enough
world-view,  it is arguable that breaking the Soviet govern-
ment monopoly on information transfer could better  lead  to
the enfeeblement and, indeed, to the ultimate dissolution of
the Soviet empire than would the production of another dozen
missiles aimed at Moscow.

     But  there's  the rub:  A "long enough" world view does
suggest that the evil, the oppressive, the coercive and  the
simply  stupid  will "get what they deserve," but what's not
immediately clear is how the rest of  us  can  escape  being
killed, enslaved, or pauperized in the process.

    When  the  liberals and other collectivists began to at-
tack freedom, they possessed a reasonably  stable,  healthy,
functioning economy, and almost unlimited time to proceed to
hamstring   and   dismantle  it.    A  policy  of  political
gradualism was at least  conceivable.    But  now,  we  have a
patchwork  crazy-quilt  economy held together by baling wire
and spit.  The state not only taxes us to  "feed  the  poor"
while also inducing farmers to slaughter milk cows and drive
up food prices--it then simultaneously turns around and sub-
sidizes research into agricultural chemicals designed to in-
crease  yields of milk from the cows left alive.  Or witness
the fact that a decline in the price of oil is considered as
potentially frightening as a comparable increase a few years
ago.  When the price went up,  we  were  told,  the  economy
risked  collapse for want of energy.  The price increase
was called the "moral equivalent of war" and the Feds  swung
into  action.    For the first time in American history, the
speed at which you drive your car to work in the morning be-
came an issue of Federal concern.   Now, when the  price  of
oil  drops, again we risk problems, this time because Ameri-
can oil companies and Third World  basket-case  nations  who
sell  oil  may  not  be  able to ever pay their debts to our
grossly over-extended banks.  The suggested panacea is  that
government  should now re-raise the oil prices that OPEC has
lowered, via a new oil tax.  Since the government is seeking
to raise oil prices to about the same extent  as  OPEC  did,
what  can we call this except the "moral equivalent of civil
war--the government against its own people?"

     And, classically, in international trade, can you imag-
ine any entity in the world except  a  government  going  to
court  claiming  that  a  vendor  was  selling  it goods too
cheaply and demanding not only that that naughty  vendor  be
compelled by the court to raise its prices, but also that it
be punished for the act of lowering them in the first place?

     So  while the statists could afford to take a couple of
hundred years to trash our  economy  and  our  liberties--we
certainly  cannot  count  on  having an equivalent period of
stability in which to reclaim them.   I contend  that  there
exists  almost  a  "black  hole"  effect in the evolution of
nation-states just as in the evolution of stars.  Once free-
dom contracts beyond a certain  minimum  extent,  the  state
warps  the fabric of the political continuum about itself to
the degree that subsequent re-emergence of  freedom  becomes
all but impossible.  A good illustration of this can be seen
in the area of so-called "welfare" payments.  When those who
sup  at the public trough outnumber (and thus outvote) those
whose taxes must replenish the trough,  then  what  possible
choice has a democracy but to perpetuate and expand the tak-
ing  from  the few for the unearned benefit of the many?  Go
down to the nearest "welfare" office, find just  two  people
on  the dole . . . and recognize that between them they form
a voting bloc that can forever outvote you on  the  question
of who owns your life--and the fruits of your life's labor.

     So essentially those who love liberty need an "edge" of
some  sort  if  we're ultimately going to prevail.  We obvi-
ously  can't  use  the  altruists'  "other-directedness"  of
"work,  slave, suffer, sacrifice, so that the next generation of
a billion random strangers can  live  in  a  better  world."
Recognize  that, however immoral such an appeal might be, it
is nonetheless an extremely powerful one in today's culture.
If you can convince  people  to  work  energetically  for  a
"cause," caring only enough for their personal welfare so as
to  remain  alive  enough  and  healthy  enough  to continue
working--then you have a truly massive reservoir  of  energy
to draw from.  Equally clearly, this is just the sort of ap-
peal which tautologically cannot be utilized for egoistic or
libertarian goals.  If I were to stand up before you tonight
and say something like, "Listen, follow me as I enunciate my
noble "cause," contribute your money to support the "cause,"
give  up  your  free  time  to  work for the "cause," strive
selflessly to bring it about, and then (after you  and  your
children are dead) maybe your children's children will actu-
ally  live under egoism"--you'd all think I'd gone mad.  And
of course you'd be right.  Because the point I'm  trying  to
make is that libertarianism and/or egoism will be spread if,
when, and as, individual libertarians and/or egoists find it
profitable and/or enjoyable to do so.    And  probably  only
then.

     While I certainly do not disparage the concept of poli-
tical  action, I don't believe that it is the only, nor even
necessarily the most cost-effective path  toward  increasing
freedom  in  our time.  Consider that, for a fraction of the
investment in time, money and effort I might expend in  try-
ing  to  convince  the  state to abolish wiretapping and all
forms of censorship--I can teach every libertarian who's in-
terested  how  to   use   cryptography   to   abolish   them
unilaterally.

     There  is  a  maxim--a proverb--generally attributed to
the Eskimos, which very likely most Libertarians  have  al-
ready  heard.    And while you likely would not quarrel with
the saying, you might well feel that you've heard  it  often
enough already, and that it has nothing further to teach us,
and moreover, that maybe you're even tired of hearing it.  I
shall therefore repeat it now:

     If you give a man a fish, the saying runs, you feed him
for a day.  But if you teach a man how to fish, you feed him
for a lifetime.

     Your exposure to the quote was probably in some sort of
a  "workfare"  vs.  "welfare"  context;  namely, that if you
genuinely wish to help someone in need, you should teach him
how to earn his sustenance, not simply how to  beg  for  it.
And of course this is true, if only because the next time he
is hungry, there might not be anybody around willing or even
able to give him a fish, whereas with the information on how
to fish, he is completely self-sufficient.

     But  I  submit  that this exhausts only the first order
content of the quote, and if there were nothing  further  to
glean  from  it,  I would have wasted your time by citing it
again.  After all, it seems to have almost a crypto-altruist
slant, as though to imply that we should structure  our  ac-
tivities  so  as  to  maximize  the  benefits to such hungry
beggars as we may encounter.

     But consider:

     Suppose this Eskimo doesn't know how to  fish,  but  he
does  know  how  to hunt walruses.   You, on the other hand,
have often gone hungry while traveling thru  walrus  country
because  you  had  no idea how to catch the damn things, and
they ate most of the fish you could catch.  And now  suppose
the  two  of  you  decide to exchange information, bartering
fishing knowledge for hunting knowledge.   Well,  the  first
thing  to  observe  is  that  a  transaction  of  this  type
categorically and unambiguously refutes the Marxist  premise
that  every  trade  must  have a "winner" and a "loser;" the
idea that if one person gains, it must necessarily be at the
"expense" of another person who loses.  Clearly, under  this
scenario, such is not the case.  Each party has gained some-
thing  he  did  not have before, and neither has been dimin-
ished in any way.  When it comes to exchange of  information
(rather  than material objects) life is no longer a zero-sum
game.  This is an extremely powerful notion.   The  "law  of
diminishing   returns,"   the  "first  and  second  laws  of
thermodynamics"--all those "laws" which constrain our possi-
bilities in other contexts--no longer bind us!   Now  that's
anarchy!

     Or  consider  another possibility:  Suppose this hungry
Eskimo never learned  to  fish  because  the  ruler  of  his
nation-state    had  decreed fishing illegal.   Because fish
contain dangerous tiny bones, and sometimes sharp spines, he
tells us, the state has decreed that their  consumption--and
even  their  possession--are  too  hazardous to the people's
health to be permitted . . . even by knowledgeable,  willing
adults.   Perhaps it is because citizens' bodies are thought
to be government property, and therefore it is the  function
of the state to punish those who improperly care for govern-
ment  property.    Or perhaps it is because the state gener-
ously extends to competent adults the "benefits" it provides
to children and to the mentally ill:  namely,  a  full-time,
all-pervasive supervisory conservatorship--so that they need
not  trouble  themselves  with making choices about behavior
thought physically risky or morally "naughty."  But, in  any
case,  you  stare stupefied, while your Eskimo informant re-
lates how this law is taken so seriously that  a  friend  of
his was recently imprisoned for years for the crime of "pos-
session of nine ounces of trout with intent to distribute."

     Now  you  may  conclude  that  a society so grotesquely
oppressive as to enforce a law of this  type  is  simply  an
affront to the dignity of all human beings.  You may go far-
ther  and  decide to commit some portion of your discretion-
ary, recreational time specifically to the task of thwarting
this tyrant's goal.  (Your rationale may be "altruistic"  in
the   sense   of  wanting  to  liberate  the  oppressed,  or
"egoistic" in the sense of  proving  you  can  outsmart  the
oppressor--or  very likely some combination of these or per-
haps even other motives.)

     But, since you have zero desire to become a  martyr  to
your "cause," you're not about to mount a military campaign,
or  even try to run a boatload of fish through the blockade.
However, it is here that technology--and in  particular  in-
formation technology--can multiply your efficacy literally a
hundredfold.    I say "literally," because for a fraction of
the effort (and virtually none of  the  risk)  attendant  to
smuggling in a hundred fish, you can quite readily produce a
hundred  Xerox copies of fishing instructions.  (If the tar-
geted government, like present-day America, at least permits
open  discussion  of  topics  whose  implementation  is  re-
stricted,  then that should suffice.  But, if the government
attempts to suppress the flow of information as  well,  then
you will have to take a little more effort and perhaps write
your  fishing manual on a floppy disk encrypted according to
your mythical Eskimo's public-key parameters.  But as far as
increasing real-world access to fish you have  made  genuine
nonzero  headway--which  may  continue to snowball as others
re-disseminate the information you have provided.   And  you
have not had to waste any of your time trying to convert id-
eological  adversaries, or even trying to win over the unde-
cided.  Recall Harry Browne's dictum  from  "Freedom  in  an
Unfree World" that the success of any endeavor is in general
inversely proportional to the number of people whose persua-
sion is necessary to its fulfilment.

     If  you  look  at  history, you cannot deny that it has
been dramatically shaped by men with names like  Washington,
Lincoln,  .  .  .  Nixon  .  . . Marcos . . . Duvalier . . .
Khadaffi . . .  and their ilk.  But it has also been  shaped
by  people with names like Edison, Curie, Marconi, Tesla and
Wozniak.  And this latter shaping has been at least as  per-
vasive, and not nearly so bloody.

     And  that's  where  I'm  trying  to  take The LiberTech
Project.  Rather than beseeching the state to please not en-
slave, plunder or constrain us, I propose a libertarian net-
work spreading  the  technologies  by  which  we  may  seize
freedom for ourselves.

     But here we must be a bit careful.  While it is not (at
present)  illegal  to  encrypt  information  when government
wants to spy on you, there is no guarantee of what  the  fu-
ture  may hold.  There have been bills introduced, for exam-
ple, which would have made it a crime  to  wear  body  armor
when government wants to shoot you.  That is, if you were to
commit certain crimes while wearing a Kevlar vest, then that
fact  would  constitute a separate federal crime of its own.
This law to my knowledge has not passed . . . yet . . .  but
it does indicate how government thinks.

     Other  technological  applications,  however, do indeed
pose legal risks.  We recognize, for  example,  that  anyone
who  helped a pre-Civil War slave escape on the "underground
railroad" was making a clearly illegal use of technology--as
the sovereign government of the United States of America  at
that time found the buying and selling of human beings quite
as  acceptable  as  the buying and selling of cattle.  Simi-
larly, during Prohibition, anyone who used  his  bathtub  to
ferment  yeast and sugar into the illegal psychoactive drug,
alcohol--the controlled substance, wine--was using  technol-
ogy  in a way that could get him shot dead by federal agents
for his "crime"--unfortunately not to be  restored  to  life
when  Congress  reversed itself and re-permitted use of this
drug.

     So . . . to quote a former President,  un-indicted  co-
conspirator  and pardoned felon . . . "Let me make one thing
perfectly clear:"  The LiberTech Project does not  advocate,
participate  in, or conspire in the violation of any law--no
matter how oppressive,  unconstitutional  or  simply  stupid
such  law may be.  It does engage in description (for educa-
tional and informational  purposes  only)  of  technological
processes,  and some of these processes (like flying a plane
or manufacturing a firearm) may well require appropriate li-
censing to perform legally.    Fortunately,  no  license  is
needed  for  the  distribution or receipt of information it-
self.

     So, the next time you look at the political  scene  and
despair,  thinking,  "Well,  if 51% of the nation and 51% of
this State, and 51% of this city have  to  turn  Libertarian
before  I'll  be  free,  then  somebody might as well cut my
goddamn throat now, and put me out of my  misery"--recognize
that  such  is not the case.  There exist ways to make your-
self free.

     If you wish to explore such techniques via the Project,
you are welcome to give me your name and address--or a  fake
name  and  mail  drop, for that matter--and you'll go on the
mailing list for my erratically-published newsletter.    Any
friends  or acquaintances whom you think would be interested
are welcome as well.  I'm not even asking for stamped  self-
addressed envelopes, since my printer can handle mailing la-
bels and actual postage costs are down in the noise compared
with  the  other  efforts  in getting an issue out.   If you
should have an idea to share, or even a  useful  product  to
plug,  I'll be glad to have you write it up for publication.
Even if you want to be the proverbial "free rider" and  just
benefit  from  what others contribute--you're still welcome:
Everything will be public domain; feel free to  copy  it  or
give it away (or sell it, for that matter, 'cause if you can
get  money  for  it while I'm taking full-page ads trying to
give it away, you're certainly entitled to  your  capitalist
profit . . .)  Anyway, every application of these principles
should make the world just a little freer, and I'm certainly
willing to underwrite that, at least for the foreseeable
future.

     I  will leave you with one final thought:  If you don't
learn how to beat your plowshares into  swords  before  they
outlaw  swords,  then you sure as HELL ought to learn before
they outlaw plowshares too.

                                       --Chuck Hammill

                                 THE LIBERTECH PROJECT
                                 3194 Queensbury Drive
                               Los Angeles, California
                                                 90064
                                          310-836-4157

                                    hammill@netcom.com

[The above LiberTech address was updated December 1992, with the
 permission of Chuck Hammill, by Russell Whitaker]

Those interested in the issues raised in this piece should participate
in at least these newsgroups:

                alt.privacy
                alt.security.pgp
                comp.org.eff.talk
                sci.crypt

A copy of the RSA-based public key encryption program, PGP 2.1 (Pretty
Good Privacy), can be obtained at various ftp sites around the world.
One such site is gate.demon.co.uk, where an MS-DOS version can be had by
anonymous ftp as pgp22.zip in /pub/pgp.

Versions for other operating systems, including UNIX variants
and Macintosh, are also available.  Source code is also
available.

Here's the blurb for PGP, by the way:

- ----------------------  Quote ----------------------------------------
PGP (Pretty Good Privacy) ver 2.2 - RSA public-key encryption freeware
for MSDOS, protects E-mail.  Lets you communicate securely with people
you've never met, with no secure channels needed for prior exchange of
keys.  Well featured and fast!  Excellent user documentation.

PGP has sophisticated key management, an RSA/conventional hybrid
encryption scheme, message digests for digital signatures, data
compression before encryption, and good ergonomic design.  Source
code is free.

Filenames:  pgp22.zip (executable and manuals), pgp22src.zip (sources)
Keywords:   PGP, Pretty Good Privacy, RSA, public key, encryption,
            privacy, authentication, signatures, email
- ---------------------- End Quote -------------------------------------

Russell Earl Whitaker                   whitaker@eternity.demon.co.uk
Communications Editor                                 AMiX: RWhitaker
EXTROPY: The Journal of Transhumanist Thought
Board member, Extropy Institute (ExI)


-----BEGIN PGP SIGNATURE-----
Version: 2.2

iQCVAgUBK922PYTj7/vxxWtPAQEbkgQAsgOxCtZjdZMZuRfm05nwm2ObsoLH/cFh
aHRnb6dmp1o+4+yxaR+BO4fpRAtNMMOhn6WUSOoUJz1qqqkghfolYRu/TeCdr9du
irrb7tCwndKsQC+wcTI/Q4+cmq3HrRRTnaIWYjmfaqXPEYRODVFDXc409umVGRJb
5IgXfNgaz78=
=T1vu
-----END PGP SIGNATURE-----


Newsgroup: sci.crypt
document_id: 16124
From: rmal@jet.uk (Richard Lucock)
Subject: triple des

I have seen various references to 'triple des' recently. Could anyone
tell me what it is ? From context, I would guess that it means
encrypting each block 3 times, with a different key each time, but
I'd like to be sure.

Replies by email preferred - our news is unreliable.

Thanks,
	Richard

-- 

--------------
PGP Public Key available on request
--------------
- Disclaimer: Please note that the above is a personal view and should not 
  be construed as an official comment from the JET project.

Newsgroup: sci.crypt
document_id: 16125
From: pom@anke.imsd.uni-mainz.DE (Prof. Dr. Klaus Pommerening)
Subject: SUMMARY: DES: init vector as additional key?

At the risk of getting lost in the clipper chip discussion I give a  
summary on my recent question:

In article <PQSCBCNH@minnie.zdv.uni-mainz.de> I wrote:
> The recent discussion in this news group suggests that a key search attack
> against DES is quite feasible now. But normally DES is applied in CBC or CFB
> mode where one chooses a random init vector of 8 bytes. Questions:
>
>  - Does it make sense to handle the init vector as an additional key? Then
> we have a 56 + 64 = 120 bit key.
>
>  - If yes: Is anything known about the security of this key scheme? Can we
> break it faster than by exhaustive search through the 120 bit key space?

Unfortunately the answer is no - concealing the initialisation vector  
essentially doesn't give any additional security. I got 3 answers (from  
grady@netcom.com, Mark.Lomas@cl.cam.ac.uk, smb@research.att.com) that  
opened my eyes. It's pretty simple:

Say E is encryption (and D decryption) with key K on 64-bit blocks.

Let c[0] be the initialisation vector,
m[1], m[2], ... the message blocks,
c[1], c[2], ... the cipher text blocks.

Then encryption in cipher block chaining (CBC) mode works by the formula

   c[i] = E(m[i] XOR c[i-1]),

and decryption by

   m[i] = c[i-1] XOR D(c[i]).

So if the attacker doesn't have c[0] this only affects the first message  
block m[1]. But she can do her key search attack on m[2], m[3], ...

The situation in cipher feedback (CFB) mode is a bit more complicated but  
similar and left as an exercise for the reader :-)

Finally there is the modified output feedback mode (OFB) where DES (or  
whatever block cipher you use) simply acts as random generator by

   s[i] = E(s[i-1]) with initialisation vector (= seed) s[0],

and encryption is given by

   c[i] = m[i] XOR s[i].

Here the usual `known plaintext' attack against XOR-bitstream ciphers  
reduces the cracking to key search for K.

--
Klaus Pommerening
Institut fuer Medizinische Statistik und Dokumentation
der Johannes-Gutenberg-Universitaet
Obere Zahlbacher Strasse 69, W-6500 Mainz, Germany
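The CBC and OFB formulas above, carried through in code as an added example (written for this archive, not code from the original post or from any DES implementation). The block cipher is a constructed 4-round Feistel network keyed through SHA-256, used only because it has 64-bit blocks like DES; the key is cut to 16 bits so the exhaustive search finishes at once. The three "attacker" functions `cbc_decrypt_without_iv`, `cbc_key_search` and `ofb_key_search` are never given the IV or the OFB seed, which is exactly the point of the summary: only m[1] is protected by a secret IV, and in OFB a known plaintext pair hands over the keystream that a key guess can be checked against.

```python
# Added example, not from the original post: a toy 64-bit block cipher in CBC
# and OFB mode, used to show why keeping the IV secret adds nothing against a
# key search.  The cipher is a constructed 4-round Feistel network whose round
# function is SHA-256; it stands in for DES only because it has 64-bit blocks.
import hashlib

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, r: int, half: bytes) -> bytes:
    # Round function: 4 bytes derived from key, round index and the right half.
    return hashlib.sha256(key + bytes([r]) + half).digest()[:4]

def encrypt_block(key: bytes, block: bytes) -> bytes:
    """E: one 8-byte block under key (4-round Feistel, halves swapped at the end)."""
    left, right = block[:4], block[4:]
    for r in range(4):
        left, right = right, _xor(left, _f(key, r, right))
    return right + left

def decrypt_block(key: bytes, block: bytes) -> bytes:
    """D: inverse of encrypt_block (rounds undone in reverse order)."""
    right, left = block[:4], block[4:]
    for r in reversed(range(4)):
        left, right = _xor(right, _f(key, r, left)), left
    return left + right

def cbc_encrypt(key, iv, blocks):
    """c[i] = E(m[i] XOR c[i-1]) with c[0] = iv; returns [c[1], c[2], ...]."""
    out, prev = [], iv
    for m in blocks:
        prev = encrypt_block(key, _xor(m, prev))
        out.append(prev)
    return out

def cbc_decrypt_without_iv(key, c):
    """m[i] = c[i-1] XOR D(c[i]) for i >= 2 needs no IV, so everything except
    m[1] is recovered from the key and the ciphertext blocks alone."""
    return [_xor(c[i - 1], decrypt_block(key, c[i])) for i in range(1, len(c))]

def cbc_key_search(c, known_m2, keybits=16):
    """Exhaustive search over a deliberately tiny key space using the known
    second plaintext block; the IV never enters the computation."""
    for k in range(1 << keybits):
        key = k.to_bytes((keybits + 7) // 8, "big")
        if _xor(c[0], decrypt_block(key, c[1])) == known_m2:
            return key
    return None

def ofb_encrypt(key, seed, blocks):
    """s[i] = E(s[i-1]) with s[0] = seed; c[i] = m[i] XOR s[i]."""
    out, s = [], seed
    for m in blocks:
        s = encrypt_block(key, s)
        out.append(_xor(m, s))
    return out

def ofb_key_search(c, known_m, keybits=16):
    """Known plaintext exposes s[1] = m[1] XOR c[1] and s[2] = m[2] XOR c[2];
    a key guess is confirmed by E(s[1]) == s[2], again without the seed."""
    s1, s2 = _xor(known_m[0], c[0]), _xor(known_m[1], c[1])
    for k in range(1 << keybits):
        key = k.to_bytes((keybits + 7) // 8, "big")
        if encrypt_block(key, s1) == s2:
            return key
    return None

# Constructed sample data: a 16-bit key (so the search finishes quickly), an
# IV that doubles as OFB seed, and a three-block message.
KEY = b"\x3a\x7f"
IV = b"\xde\xad\xbe\xef\x01\x02\x03\x04"
MSG = [b"attack a", b"t dawn, ", b"hold on!"]

def demo():
    c = cbc_encrypt(KEY, IV, MSG)
    recovered = cbc_decrypt_without_iv(KEY, c)   # m[2], m[3], never m[1]
    found_cbc = cbc_key_search(c, MSG[1])        # key from m[2] alone
    c_ofb = ofb_encrypt(KEY, IV, MSG)
    found_ofb = ofb_key_search(c_ofb, MSG[:2])   # key from two known blocks
    return recovered, found_cbc, found_ofb

if __name__ == "__main__":
    print(demo())
```

Running the block prints the two recovered plaintext blocks and the key found by each search. The CFB case the post leaves as an exercise follows the same pattern, since CFB decryption also uses E on the previous ciphertext block rather than on anything secret beyond the key.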

Newsgroup: sci.crypt
document_id: 16126
From: brad@clarinet.com (Brad Templeton)
Subject: Re: Dorothy Denning opposes Clipper, Capstone wiretap chips

In article <C614BJ.BK6@agora.rain.com> jhart@agora.rain.com (Jim Hart) writes:
>"The security of the system should depend only on the secrecy of
>the keys and not on the secrecy of the algorithms" -- Dorothy Denning
>
>jhart@agora.rain.com


You're reading far too much into this (aside from the obvious fact
that you shouldn't hold anybody to what they wrote in a 10 year old
book in a rapidly changing field like this.)


Quite simply she says that the security should not DEPEND on the
secrecy of the algorithm.  A secret algorithm can still be secure,
after all, we just don't know it.  Only our level of trust is
affected, not the security of the system.

The algorithm *could* be RSA for all we know, which we believe to
be secure.

They have a much better reason to classify the algorithm than to
protect its security.  They want to protect its market share.

If they publish the algorithm, then shortly manufacturers would
make chips that implement the algorithm and standard but do not
use a key stored in escrow.  And of course, everybody would buy them.


The whole push of this chip is that by establishing a standard that
you can only use if you follow their rules, they get us to follow
their rules without enacting new laws that we would fight tooth and
nail.

Quite simply, with Clipper established, it would be much harder for
another encryption maker to define a new standard, to make phones that
can't talk to the leading phone companies.   The result is tappable
cryptography without laws forbidding other kinds, for 99% of the
populace.


To get untappable crypto, you would have to build a special phone that
runs on top of this system, and everybody you talk to would have to
have an identical one.

That's the chicken and egg of crypto.  The government is using its
very special ability to solve chicken and egg problems of new
technologies to control this one in a way they like.


It's almost admirably clever.  When the EFF started, I posed the question here
"What are the police going to do when they wake up and discover they
can't wiretap?" and nobody here had an answer (or even thought it was
much of a question)

Then came the backdoor and Digital Telephony bills, which we fought.

Now we have their real answer, the cleverest of all.

-- 
Brad Templeton, ClariNet Communications Corp. -- Sunnyvale, CA 408/296-0366

Newsgroup: sci.crypt
document_id: 16127
From: h2o@dmi.ens.fr (Philippe Hoogvorst)
Subject: Re: Clipper chip

In article <19930426.113215.145@almaden.ibm.com>, jbs@watson.ibm.com writes:
|>          Is it realistic for the government to try to keep the details
|> of the encryption algorithm secret if it intends to use evidence from...
|>                           James B. Shearer

I do not think they can use the eavesdropping as evidence at all. However,
using the info they gather while listening, they can go searching THE right
place and find good, strong evidence, which they can use in court. 

Question : currently, it is easy to wire-tap, from the technical point of
view, at least. Anybody using the appropriate radio receiver can listen
to communications between a car-telephone and the ground station. The police
also, obviously. The clipper chip will make it much more difficult for the
non-authorized person to eavesdrop (note that I DO NOT write << impossible >>).
The privacy will thus improve from the current situation. People who REALLY
have something to hide already DO NOT use the phone to speak of these things.
If an illegal operation is really worth it, one can afford to have critical data
carried by a person rather than sending it electronically.
The clipper chip will not change this.

The problem is more political. Foreign countries will never accept the clipper
chip if the access to the escrow cannot be directly granted to their own
police following their OWN law, not the US law. i.e. each country will have
its own escrow. How then will it be possible to monitor the international
traffic? or, will encrypted international traffic be possible ? or will there
be an international escrow, some kind of U.N. thing ?

Forbidding crypted communication is impractical: how is it possible to spot
a crypted communication in the thousands of megabytes of data which circulate
on the various existing networks? What about private networks? And this will
be more and more impossible as the volume of electronic traffic increases
in the next years.

I think that the clipper chip can only be an interesting device to limit the
risk of, for instance, one's girlfriend's husband listening to his wife's
communications. It will bring no more as regards security. Is it worth it?
I think so if its cost is limited; I think that many privacy invasions are done
not only by official services, but also by private entities. The clipper can
help reduce these. Provided we do not hope too much of it, it is not a real
danger and it can be helpful.

Ph. HOOGVORST

Newsgroup: sci.crypt
document_id: 16128
From: steve-b@access.digex.com (Steve Brinich)
Subject: Re: Is it illegal to transmit encrypted data?

 > I'm afraid I have to disagree with you on that point.  NSA will *not*
 >tell RSA or any other non-DOD entity anything that its eavesdropping
 >reveals.

  I don't know about that; they might if they find it the most expedient
way to keep people from using something they can't crack.


Newsgroup: sci.crypt
document_id: 16129
From: steve-b@access.digex.com (Steve Brinich)
Subject: Re: Dorothy Denning opposes Clipper, Capstone wiretap chips

 > I believe there is no technical means of ensuring key escrow without the
 >government maintaining a secret of some kind.

  Not necessarily.  For instance, in the system outlined in the May 1993
issue of "Byte", the process of getting one's public key listed for general
use involves giving pieces of your private key to escrow agencies, which
do calculations on those pieces and forward the result to the publishers of
the public key directory, which combines these results into your listed
public key.  If you try to give the escrow agencies pieces which -don't-
yield your private key when they are all put together, the result is that
the public key listed for you is wrong and you can't read messages encrypted
to you.
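The registration step described above, as an added example that is not part of the original post and is not the actual protocol from the Byte article: a toy discrete-log version in which the private key x is split into three additive shares, each escrow agency computes g^share mod p on its piece and forwards it, and the directory multiplies the forwarded values into the listed public key. Giving one agency a piece that does not belong to x produces a listed key the user cannot decrypt under, which is the property the post describes. All function names, the three-agency split and the 64-bit toy parameters are this example's own assumptions.

```python
# Added example, not from the original post or from the Byte article it cites:
# a toy discrete-log version of the escrow-then-publish step.  The private key
# x is handed to the escrow agencies as additive shares x_1 + x_2 + x_3 = x
# (mod q); each agency forwards g^x_i mod p and the directory publishes the
# product, which equals g^x only if the shares really add up to x.  Names and
# the 64-bit toy parameters are this example's own assumptions.
import random

def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin primality test; probabilistic, adequate for an example."""
    small = (2, 3, 5, 7, 11, 13)
    if n < 2 or any(n % s == 0 for s in small):
        return n in small
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_group(bits, rng):
    """Return (p, q, g): p = 2q + 1 prime, g = 4 generates the order-q subgroup."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q, rng) and is_probable_prime(p, rng):
            return p, q, 4   # 4 = 2^2 is a quadratic residue, hence of order q

def split_private_key(x, q, n_agencies, rng):
    """Additive shares: n-1 random pieces, the last one makes the sum x mod q."""
    shares = [rng.randrange(q) for _ in range(n_agencies - 1)]
    shares.append((x - sum(shares)) % q)
    return shares

def agency_contribution(share, p, g):
    """What one escrow agency computes on its piece and forwards: g^share mod p."""
    return pow(g, share, p)

def directory_combine(contributions, p):
    """The directory multiplies the forwarded values: prod g^x_i = g^(sum x_i)."""
    y = 1
    for c in contributions:
        y = y * c % p
    return y

def elgamal_encrypt(m, y, p, q, g, rng):
    """Encrypt m (1 <= m < p) to the listed key y."""
    k = rng.randrange(1, q)
    return pow(g, k, p), m * pow(y, k, p) % p

def elgamal_decrypt(ct, x, p):
    """Recover m = c2 * c1^(-x); c1^(p-1-x) equals c1^(-x) by Fermat."""
    c1, c2 = ct
    return c2 * pow(c1, p - 1 - x, p) % p

def register(x, p, q, g, rng, cheat=False):
    """Run the escrow step and return the key the directory would list."""
    shares = split_private_key(x, q, 3, rng)
    if cheat:   # the user hands agency 1 a piece that does not belong to x
        shares[0] = (shares[0] + 1) % q
    return directory_combine([agency_contribution(s, p, g) for s in shares], p)

def demo(bits=64, seed=7):
    rng = random.Random(seed)
    p, q, g = safe_prime_group(bits, rng)
    x = rng.randrange(1, q)
    true_pub = pow(g, x, p)
    m = 0x1234567 % p          # constructed sample message
    result = {}
    for label, cheat in (("honest", False), ("cheat", True)):
        listed = register(x, p, q, g, rng, cheat)
        ct = elgamal_encrypt(m, listed, p, q, g, rng)
        result[label + "_listing_matches"] = listed == true_pub
        result[label + "_can_decrypt"] = elgamal_decrypt(ct, x, p) == m
    return result

if __name__ == "__main__":
    print(demo())
```

Additive sharing is what makes the agencies' work composable: because g^(x_1) * g^(x_2) * g^(x_3) = g^(x_1 + x_2 + x_3), the directory can assemble the public key without ever seeing x, and no single agency learns anything about x from its own piece. The same idea extends to threshold sharing if only some subset of agencies should be able to reconstruct the key.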


Newsgroup: sci.crypt
document_id: 16130
From: jfc@athena.mit.edu (John F Carr)
Subject: Re: Clipper chip

In article <1993Apr28.104036.15896@ens.fr>
	h2o@dmi.ens.fr (Philippe Hoogvorst) writes:

>Forbidding crypted communication is impractical: how is it possible to spot
>a crypted communication in the thousands of megabytes of data which circulate
>on the various existing networks. What about private networks ?

I suspect the government feels it is enough to prevent companies from
offering secure encryption services.  Big companies don't take that
kind of risk.  They're too visible and have too much to lose.

The US government may not have to make encryption illegal to prevent its
use.  If they could credibly say to IBM or MIT: you will receive no US
government money next year unless you follow these voluntary guidelines on
use of encryption, I doubt either organization would delay making use of
encryption a violation of local policies.  The US government gets much of
its power by making it impractical to operate without getting money from the
government while putting restrictions on use of such money that would be
illegal if they were enacted as laws.

--
    John Carr (jfc@athena.mit.edu)

Newsgroup: sci.crypt
document_id: 16131
From: dave@tygra.Michigan.COM (David Conrad)
Subject: Re: Let's build software cryptophones for over the internet...

In article <1993Apr27.075011.12624@wuecl.wustl.edu>
 eah1@gauguin.wustl.edu (Edward Anthony Hutchins) writes:
>[modify] pgp to allow it to compress/decompress 144 bit frames
>every 30msec... 
>As part of the project I'm working on now, we're trying to get CELP up and
>running in realtime full duplex mode... I gotta find the source to pgp and
>see how tough it would be to integrate the en/decryption parts into the code.

I presume you are just going to use IDEA for the session encryption and
transmit the session key with RSA?

David R. Conrad		"No his mind is not for rent/To any god or government"
-- 
=  CAT-TALK Conferencing Network, Computer Conferencing and File Archive      =
-  1-313-882-2209, 300bps-14400bps, V.32/V.32bis/TurboPEP New users use 'new' - 
=  as a login id.  AVAILABLE VIA PC-PURSUIT!!! (City code "MIDET")            =
   E-MAIL Address: dave@Michigan.COM

Newsgroup: sci.crypt
document_id: 16132
From: dave@tygra.Michigan.COM (David Conrad)
Subject: Cryptography Bibliography

Yesterday I read an article from someone who was requesting references for
introductory texts on cryptography.  Although I marked the article to
return, it appears to have expired on this site.

Anyway, on one of the previous occasions when this subject arose I saved
a couple articles which made suggestions.  One of the articles contained
a quite impressive bibliography.  If the poster of the request (or anyone
else) would like to email me, I would be glad to send out copies of these
recommendations, including the bibliography.

David R. Conrad		"No his mind is not for rent/To any god or government"
-- 
=  CAT-TALK Conferencing Network, Computer Conferencing and File Archive      =
-  1-313-882-2209, 300bps-14400bps, V.32/V.32bis/TurboPEP New users use 'new' - 
=  as a login id.  AVAILABLE VIA PC-PURSUIT!!! (City code "MIDET")            =
   E-MAIL Address: dave@Michigan.COM

Newsgroup: sci.crypt
document_id: 16133
From: Peter.Bruells@arbi.informatik.uni-oldenburg.de (Peter Bruells)
Subject: Re: Clipper Crap



>>>>> On Wed, 28 Apr 1993 04:30:27 GMT, kckluge@eecs.umich.edu (Karl Kluge) said:

KK> (Shaun P. Hughes) writes:

KK>    Newsgroups: sci.crypt
KK>    From: sphughes@sfsuvax1.sfsu.edu (Shaun P. Hughes)
KK>    Date: Sat, 17 Apr 1993 07:18:59 GMT


	[..]

KK>       Just a random passing thought, but can anyone cite a documented use
KK>    of encryption technology by criminals and terrorists.
KK>       (Excluding the Iran-Contra Gang)

KK> Sure, the rum-runners in Prohibition. See Kahn's _The Codebreakers_.
KK> The irony was, they were using better codes and key security than
KK> most governments were.

And Fidel Castro / Che Guevara - they used one time pads, I think. It was in
a Scientific American article about Quantum Cryptography.

Newsgroup: sci.crypt
document_id: 16134
From: res@colnet.cmhnet.org (Rob Stampfli)
Subject: Re: Organized Lobbying for Cryptography

In article <1r74ta$hcs@transfer.stratus.com> cme@ellisun.sw.stratus.com (Carl Ellison) writes:
>In article <1r3jgbINN35i@eli.CS.YALE.EDU> jgfoot@minerva.cis.yale.edu writes:
>>
>>Perhaps these encryption-only types would defend the digitized porn if it
>>was posted encrypted?
>
>To paraphrase, I may not agree with what you're encrypting, but I defend
>your right to encrypt it.

I suppose after Waco, it's only prudent to leave the "to the death" part out.
-- 
Rob Stampfli  rob@colnet.cmhnet.org      The neat thing about standards:
614-864-9377  HAM RADIO: kd8wk@n8jyv.oh  There are so many to choose from.

Newsgroup: sci.crypt
document_id: 16135
From: oml@eloka.demon.co.uk (Owen Lewis)
Subject: Re: Tempest 

In article <1993Apr26.193801.12416@lynx.dac.northeastern.edu> angel@Foghorn_Leghorn.coe.northeastern.edu writes:

>I heard somewhere (can't name the source) that TEMPEST does not necessarily
>pick-up just CRTs, but it can pick up emissions from almost any chip.  If
>that is true, the kind of monitor would not make any difference because everything
>on the screen can be picked-up from the video controller.  Can anybody verify
>or refute this?

You are correct (several times). TEMPEST is a codeword for a standard, shared
between the NATO governments, to limit the inadvertent emission of information
by either electromagnetic radiation or conduction. The limits set in the
standard are classified but there is open source information to the effect
that either the electrical or magnetic components of electromagnetism can be
exploited. It is a basic rule of physics that there is an electromagnetic
field associated with any path that conducts a flow of electrons.

Among other things, I drive a 1987 Korean built AT clone and an associated 24
pin dotmatrix printer. The major source of unintentional emission is the CRT.
To that can be added the video driver card, the RS232 parallel cable and the
printer head. The emissions from these are gross and can be detected with the
crudest of equipment. Were I to apply good test equipment and some
intelligence to measuring emission levels, I would find many other potential
sources of leaked information.

Where cryptography is used for serious purposes, poor TEMPEST protection 
becomes an important security hazard.

In the early eighties, the need to allow some commercial concerns,
particularly financial institutions, a level of protection against TEMPEST
threat led to a series of briefings to invited corporations and to the
'release' of a cut-down TEMPEST standard for commercial use. I say 'release'
for while equipment to meet the standard is available (at a price and to
approved customers) AFAIK even the commercial standard remains classified. If
you think about it, it would really have to, wouldn't it?
   
-- 

                               -= Owen Lewis =-
                                      @
      Tele/fax  +44-(0)794-301731   ELOKA   Consultancy & Project Management
                            oml@eloka.demon.co.uk
                        pgp 2.x public key on request

Newsgroup: sci.crypt
document_id: 16136
From: jhupp@shockwave.win.net (Jeff Hupp)
Subject: Re: Clipper Not Good Enough for Government?

 
>
>This is stupid.  Won't it cost more to those companies hoping to 
>serve the gov't and private markets if they DON'T use the same
>technology?
>
        I would guess that they won't use Clipper at all.  What they will
do is use their STU-IIIs among themselves and the governmental agencies
they need to talk to, and ignore Clipper.  After all, if it's not secure
enough for the agency/department they are communicating with why should
the corporations trust it?
 

_____________________________________________________________________
\Jeff Hupp                      |Internet: jhupp@shockwave.win.net   \
|9797 Medowglen, Apt. 1807      |Ad:    Contract Programming, Novell |
|Houston, Texas  77042          |       Network Design and Support.  |
|Voice: (713) 780 - 9419        |"The best govenment doesn't" -- me. |
\_____________________________________________________________________\ 

Newsgroup: sci.crypt
document_id: 16137
From: "Josh N. Pritikin" <jpab+@andrew.cmu.edu>
Subject: Re: From Crossbows to Cryptography

>      But I think that mind-set is a mistake.   Before  there
> were cattle prods, governments tortured their prisoners with
> clubs  and  rubber  hoses.    Before  there  were lasers for
> eavesdropping, governments used binoculars and  lip-readers.
> Though  government certainly uses technology to oppress, the
> evil lies not in the tools but in the wielder of the tools.

Evil and good walk hand in hand.  It is also important to note that
the good in the tools lies in the wielder of the tools.

>      In fact, technology represents one of the most  promis-
> ing  avenues  available  for  re-capturing our freedoms from
> those who have stolen them.

I cannot accept this ridiculous leap in logic.  Technology is neutral
to good or evil.  When technology is used by "evil" men, it is called
evil technology.  When it is used by "good" men, it is called good
technology.  Really, it is just technology that allows action to be
realized more efficiently and on a larger scale.

> By its very nature,  it  favors
> the  bright  (who can put it to use) over the dull (who can-
> not).

Try not to confuse the development of technology with its use.
Certainly, "bright" people will be better at creating technology, but
even young children know how to program VCR machines.  Are VCR
machines not extremely complex to create?

> It favors the adaptable (who are  quick  to  see  the
> merit  of  the  new  (over  the sluggish (who cling to time-
> tested ways).

Adaptability and flexibility are always better at enduring than the
stiff and stubborn.  A young child is soft and supple; an old man is
stiff and inflexible.  A dripping of water can cut through stone.
This has nothing to do with technology, rather technology just
allows us to magnify action.

> And what two better words are  there  to  de-
> scribe government bureaucracy than "dull" and "sluggish"?

I have no objection to this!  :)

joshp@cmu.edu   /o)\   Silent
                \(o/   Thunder

Newsgroup: sci.crypt
document_id: 16138
From: pose-rh@ee.up.ac.za (R H W Poser - 9155430 - Chemies)
Subject: Re: How to make this illuminating thing?

In article <1rn458INNguj@dns1.NMSU.Edu> jcho@dante.nmsu.edu (CHO) writes:

>My father having worked for American Cyanamid for sometime did mention
>that the "recipe" is a secret... Neither of us know of just how toxic
>the stuff is...but you can synthesize a similar substance that is
>available to just about any organic lab...called Luminol.  You can usually
>find this in an organic lab book or something similar... 

These substances are normally not the secret, but how to get at them. The 
method of preparation is normally patented, which means that no-one else can 
make the chemical in the same way, without undergoing an agreement with 
American Cyanamid. (But I guess you knew what a patent is :-) )

If you know what substance is used, you'll also know its toxicity.

>Rumor has it that luminol is some base form for the stuff used in the 
>light sticks...

The Luminol reaction has the disadvantage of not lasting as long as the 
commercial version.

Remember that cyano compounds are found in nature, and not all are poisonous.

Regards,

(--------------------------------------------------------------------)
( R.H.W. Poser          Chem.Eng. III         University of Pretoria )
(Fidonet : 5:7101/22.23  or : Rolf.Poser@p23.f22.n7101.z5.fidonet.org)
(   Fastest : pose-rh@babel.ee.up.ac.za        Tel.: +27-12-451528   )
(--------------------------------------------------------------------)

Newsgroup: sci.crypt
document_id: 16139
From: rwirthli@nyx.cs.du.edu (Ralph Wirthlin)
Subject: Re: Is it illegal to transmit encrypted data?

steve-b@access.digex.com (Steve Brinich) writes:


> > I'm afraid I have to disagree with you on that point.  NSA will *not*
> >tell RSA or any other non-DOD entity anything that its eavesdropping
> >reveals.

>  I don't know about that; they might if they find it the most expedient
>way to keep people from using something they can't crack.

Let's put it this way, they have a charter and several executive orders
to obey, among other things which *explicitly* prohibit sharing this
information (unless things have changed within the last little while).
I suppose they could ignore it, if they choose.  But I doubt they would.
For an authoritative look at the NSA, get Bamford's "The Puzzle Palace".
That's all I can say.


			Ralph


Newsgroup: sci.crypt
document_id: 16140
From: george@tessi.com (George Mitchell)
Subject: Re: Organized Lobbying for Cryptography

marc@tanda.isis.org (Marc Thibault) writes:
>        Looking at it from up here in the Frozen North, it looks like
>        you could do worse than get the NRA involved. They have a
>        kindred problem, a large number of voters, the right attitude,
>        and lots of funds.

They also have a lot of the other voters really irritated at them.

>        From an ethical _or_ constitutional viewpoint, I haven't seen
>        a good argument for cryptographic rights that doesn't also
>        support the NRA position on guns (and vice-versa).

Okay, folks, I know I'm in the minority on this issue, but I can't
let this assertion go unchallenged yet again.  I'm going to say this
ONLY ONCE, in the hopes of NOT starting a flame war off of the main
topic.

Guns are offensive.  Cryptography is defensive.  See the difference?
The only way you can use a gun is to hurt somebody else.  Crypto-
graphy helps prevent other people from hurting you.

Sorry for the digression.  Let's not forget the issue that we DO
agree on: We want continued access to crypto technology of our
choice, without key registration.
-- George Mitchell (george@tessi.com)

Newsgroup: sci.crypt
document_id: 16141
From: koontzd@phobos.lrmsc.loral.com (David Koontz )
Subject: Re: triple des


Please post to news, too.




Newsgroup: sci.crypt
document_id: 16142
From: pdc@dcs.ed.ac.uk (Paul Crowley)
Subject: Re: Organized Lobbying for Cryptography

Quoting amanda@intercon.com (Amanda Walker) in article <1rn1b3$khb@news.intercon.com>:
>george@tessi.com (George Mitchell) writes:
>> Guns are offensive.  Cryptography is defensive.  See the difference? 

>Nope.  Information, properly delivered, can be just as deadly as lead.

The same is true of lemon meringue pie.
  __                                  _____
\/ o\ Paul Crowley   pdc@dcs.ed.ac.uk \\ //
/\__/ Trust me. I know what I'm doing. \X/  Fold a fish for Jesus!

Newsgroup: sci.crypt
document_id: 16143
From: jhupp@shockwave.win.net (Jeff Hupp)
Subject: STU-III - General Question

Why are people willing to trust the STU-III?
Because the government does?


_____________________________________________________________________
\Jeff Hupp                      |Internet: jhupp@shockwave.win.net   \
|9797 Medowglen, Apt. 1807      |Ad:    Contract Programming, Novell |
|Houston, Texas  77042          |       Network Design and Support.  |
|Voice: (713) 780 - 9419        |"The best govenment doesn't" -- me. |
\_____________________________________________________________________\ 

Newsgroup: sci.crypt
document_id: 16144
From: lsnyder@fig.ucsb.edu (Lowell R. Snyder)
Subject: Re: Tempest

angel@Foghorn_Leghorn.coe.northeastern.edu (Kirill Shklovsky) writes:

>In article <1993Apr26.104320.10398@infodev.cam.ac.uk> rja14@cl.cam.ac.uk (Ross Anderson) writes:
>I heard somewhere (can't name the source) that TEMPEST does not necessarily
>pick-up just CRTs, but it can pick up emissions from almost any chip.  If
>that is true, the kind of monitor would not make any difference because everything
>on the screen can be picked-up from the video controller.  Can anybody verify
>or refute this?

Anything can be an emissions problem, right down to the video cable.  Given
the right equipment, you can pick the screen paint from the cable.  But,
given any cable, you must know what is being sent through it to know the
format of the signal, as well as how many wires, etc.

Newsgroup: sci.crypt
document_id: 16145
From: matt@ra.oc.com (Matthew Lyle)
Subject: Re: Clipper Chip: Reverse Engineering

maa@plato.ds.boeing.com (Mark A Allyn) writes:
>You all mention that the algorithm is classified and have expressed 
>concerns and ideas of how to figure out the algorithm using software.
>
>The question that I have is why can't someone take one of these chips
>and reverse engineer it? I mean, take the thing to a chip testing/
>analysis facility, one with a decent electron microscope. Just pry
>off the top of the chip and start scanning it with the electron
>microscope and figure out the circuitry. I remembered a place that I use
>to work for had one of these facilities that they used to analyze chips
>that we accidentally blew out while running tests. They could actually find
>the area that was fried and show us where in the circuit it was. 
>
>I am sure that many companies and universities must have these facilities
>and that the potential is there, especially at a university where the
>security at such a facility is looser, for someone to take a clipper
>apart and analyze it?
>
>What can the government do to prevent this? Start taking away all 
>microchip analysis facilities and electron microscopes??


They are using some technology developed by VLSI systems, the other manufacturer of
the Clipper Chips, that produces chips that are supposed to be highly resistant to
reverse engineering.

-- 

Matthew Lyle                                           matt@oc.com
                                                       matt@utdallas.bitnet
OpenConnect System, Dallas, Texas                      (214) 888-0474

Newsgroup: sci.crypt
document_id: 16146
From: rboudrie@chpc.org (Rob Boudrie)
Subject: Re: Suggestions for escrow agencies (was: Re: More technical details)

>What are the assurances the escrow people will not be FORBIDDEN to
>report any access attempts for one's keys?


In NY State it is already a crime to inform anyone of a law enforcement
wiretap on their phone, even if the person doing the informing learns
about it through "non privileged" means.

Newsgroup: sci.crypt
document_id: 16147
From: mathew@mantis.co.uk (mathew)
Subject: Re: Clipper considered harmful

tedwards@eng.umd.edu (Thomas Grant Edwards) writes:
>>> If these personal attacks are what stopped Prof. Denning from
>>> replying on issues of substance, they have caused real harm
>>> to the serious debate here.
>> They are and they have.
> If Prof. Denning is afraid of posting here due to personal attacks,
> perhaps she should use an anonymous posting service.  That is why
> they are there, to allow heated debate to occur without the personal
> attacks.

Er, people are going to make personal attacks on Prof. Denning whether she
posts here or not.  That much should be obvious from looking at the traffic
over the last few weeks.  Therefore I conclude that the existence of personal
attacks is irrelevant to any decision concerning whether to post.

I suspect that Prof. Denning is actually using the attacks as an excuse for
not posting, and that the real reason for the silence is that Clipper is not
the sort of proposal any self-respecting cryptographer can support via
reasoned argument.


mathew
-- 
"If you want to have constructive discussions here, and more importantly, be
 taken seriously by your peers, you may wish to consider shaping up."
  -- Advice I was offered by David Sternlight

Newsgroup: sci.crypt
document_id: 16148
From: amanda@intercon.com (Amanda Walker)
Subject: Re: Dorothy Denning opposes Clipper, Capstone wiretap chips

brad@clarinet.com (Brad Templeton) writes:
> They have a much better reason to classify the algorithm than to 
> protect its security.  They want to protect its market share. 

That's one way to put it.  Keeping the algorithm classified means that 
disclosure of it falls under the rubric of "national security."  Nothing like 
federal marshals to guard a monopoly...

> The result is tappable 
> cryptography without laws forbidding other kinds, for 99% of the 
> populace. 

Agreed, although this is still somewhat better than the status quo :).

> To get untappable crypto, you would have to build a special phone that 
> runs on top of this system, and everybody you talk to would have to 
> have an identical one. 

Sounds like a job for the Free Software Foundation :)/2...


Amanda Walker
InterCon Systems Corporation

Newsgroup: sci.crypt
document_id: 16149
From: neuhaus@vier.informatik.uni-kl.de (Stephan Neuhaus (HiWi Mattern))
Subject: Re: Clipper Crap

kckluge@eecs.umich.edu (Karl Kluge) writes:

>In article <1993Apr17.071859.9555@csus.edu> sphughes@sfsuvax1.sfsu.edu (Shaun P. Hughes) writes:

>      Just a random passing thought, but can anyone cite a documented use
>   of encryption technology by criminals and terrorists.
>      (Excluding the Iran-Contra Gang)

Just a couple of days ago, I heard on the radio news that a Neo-Nazi
organization had set up a BBS to keep its members informed.  According
to the radio man, the Nazis were using encryption to reduce their risk
if they were prosecuted.  No, I do not have any more information.

Have fun.

-- 
Stephan <neuhaus@informatik.uni-kl.de>
sig closed for inventory.  Please leave your pickaxe outside.
PGP 2.2 public key available on request.  Note the expiration date.

Newsgroup: sci.crypt
document_id: 16150
From: cme@ellisun.sw.stratus.com (Carl Ellison)
Subject: Re: Organized Lobbying for Cryptography

In article <rdippold.736035556@qualcom> rdippold@qualcomm.com (Ron "Asbestos" Dippold) writes:
>george@tessi.com (George Mitchell) writes:
>>Guns are offensive.  Cryptography is defensive.  See the difference?
>No.  They're both neutral.  Whether they're offensive or defensive
>depends on how you use them.

Nonsense.

Mike, in Heinlein's "Moon is a Harsh Mistress" decides that a weapon is some
mechanism which allows you to deliver energy at a distance.  (I don't
have the book handy or I'd find the exact quote).

Guns do that.

Cryptosystems do not.

-- 
 - <<Disclaimer: All opinions expressed are my own, of course.>>
 - Carl Ellison                                        cme@sw.stratus.com
 - Stratus Computer Inc.       M3-2-BKW                TEL: (508)460-2783
 - 55 Fairbanks Boulevard ; Marlborough MA 01752-1298  FAX: (508)624-7488

Newsgroup: sci.crypt
document_id: 16151
From: ee92jks@brunel.ac.uk (Jonathan K Saville)
Subject: Re: triple des

Richard Lucock (rmal@jet.uk) wrote:
: I have seen various references to 'triple des' recently. Could anyone
: tell me what it is ? From context, I would guess that it means
: encrypting each block 3 times, with a different key each time, but
: I'd like to be sure.

: Replies by email preferred - our news is unreliable.

Could people replying to the above question post their responses here
as well, as I'm sure others (including myself) would like to hear them.

Thanks.

Jon
--
#      Jon Saville       #   Who alive can say, 'Thou art no   | Keats,
#  ee92jks@brunel.ac.uk  #  Poet, may'st not tell thy dreams?' | 1819
     PGP 2.2 public key available upon request or by finger

Newsgroup: sci.crypt
document_id: 16152
Subject: Re: Clipper Chip Questions
From: a_rubin@dsg4.dse.beckman.com (Arthur Rubin)

In <1rmrm4$jvb@sol.TIS.COM> mjr@tis.com (Marcus J Ranum) writes:

>[about scanning clipper and reverse-engineering the algorithm]
>>Am I missing something obvious here? What could have the government done
>>to address this possibility? Do they really care if it stays classified?

>	Yeah, you're missing the obvious fact that since the algorithm
>is classified, if you reverse engineer it from the chip, and later
>publish it, or build a compatible chip, you're divulging classified
>information and are in a big load of trouble.

I don't think they can do that without changing the law.  The chip itself
isn't classified, and reverse engineering is allowed by law (possibly)
unless prohibited by a valid contract.  The algorithm may be classified,
but there are many court cases ruling that information identical to
classified information, but obtained from unclassified sources, is freely
publishable (with the possible exception of nuclear weapon information.)
--
Arthur L. Rubin: a_rubin@dsg4.dse.beckman.com (work) Beckman Instruments/Brea
216-5888@mcimail.com 70707.453@compuserve.com arthur@pnet01.cts.com (personal)
My opinions are my own, and do not represent those of my employer.

Newsgroup: sci.crypt
document_id: 16165
From: cme@ellisun.sw.stratus.com (Carl Ellison)
Subject: Re: Clipper Crap

In article <KCKLUGE.93Apr27233027@krusty.eecs.umich.edu> kckluge@eecs.umich.edu (Karl Kluge) writes:
>In article <1993Apr17.071859.9555@csus.edu> sphughes@sfsuvax1.sfsu.edu (Shaun P. Hughes) writes:
>   >encryption's dual-edge sword:  encryption helps to protect the
>   >privacy of individuals and industry, but it also can shield
>   >criminals and terrorists.  We need the "Clipper Chip" and other
>    ^^^^^^^^^^^^^^^^^^^^^^^^
>      Just a random passing thought, but can anyone cite a documented use
>   of encryption technology by criminals and terrorists.
>      (Excluding the Iran-Contra Gang)
>
>Sure, the rum-runners in Prohibition. See Kahn's _The Codebreakers_.
>The irony was, they were using better codes and key security than
>most governments were.

Yes -- great chapter.  Elizabeth Friedman (sp?) comes shining through.

However, the chapter also notes that these rum runners invented their own
crypto -- hired ex-military folks, in fact.  (How's that for a revolving
door?)

Now, given that today's rum runners (coke runners, actually) have even more
money than yesterday's, it's reasonable to expect them to have even better
cryptography.  I doubt they have a chip foundry of their own yet, but ....

So, my question of the FBI/NIST/NSA is: "How are you going to make the rum
runners use the Clipper Chip?"

Answer:  	you're not.

Question:	OK -- in that case, your justification for taking away our
		rights has evaporated.  How do you justify our loss of rights
		if you can't use the drug dealers and terrorists?


-- 
 - <<Disclaimer: All opinions expressed are my own, of course.>>
 - Carl Ellison                                        cme@sw.stratus.com
 - Stratus Computer Inc.       M3-2-BKW                TEL: (508)460-2783
 - 55 Fairbanks Boulevard ; Marlborough MA 01752-1298  FAX: (508)624-7488

Newsgroup: sci.crypt
document_id: 16279
From: pla@sktb.demon.co.uk ("Paul L. Allen")
Subject: Re: Clipper: Two additional possible problems

In article <cliftonrC69tvt.4AL@netcom.com> cliftonr@netcom.com (Pope Clifton) writes:

[...]
> If I want to talk to someone, I don't need to have previously exchanged
> keys with him, I just call him up, and the phones establish a session key
> for us using a zero-knowledge algorithm or something of the kind.  (If I've
> misunderstood this part, it probably invalidates the rest of this notion.)
> 
> This lends itself to spoofing.
[...]
> I go buy a pair of Clipper phones to go on a pair of phone lines in a back
> room somewhere, and have the digital switch programmed to redirect his
> calls to one of my two lines instead of to his, whenever he receives a
> call.  The two phones are wired back-to-back in the clear.


> Anyone see any problem with this scheme, other than to assume that all
> public officials and phone company employees are totally incorruptible?

As far as I can see, no matter how the session keys are generated (be it
Diffie-Hellman or whatever), any Cripple conversation which travels in
whole or in part over a land-line is vulnerable to this scheme.  Law-
enforcement agencies can do it legally at the telco, or illegally by finding
some part of the phone line that they can cut into.  The degree of risk
depends very much on location - not good in the middle of a busy street,
but not bad on a line in open country (leading to a drug lord's ranch).  The
only way to defeat it would be if your phone had the equivalent of a public
key indexed against phone number for every phone you might want to call (all
of them) - totally impractical, even if some part of the Cripple algorithm
could be used as a kind of public key (I don't understand enough about these
things to know).

This sort of encryption scheme is only really workable over a radio link,
and even then you could probably intervene without causing problems for
other phones nearby if you were physically close to the target phone.

Gosh, yet another way to get round Cripple encryption.  How many is that
we've found so far?  And that's without even knowing the details of the
algorithm.

--Paul



Newsgroup: sci.crypt
document_id: 16344
From: rja14@cl.cam.ac.uk (Ross Anderson)
Subject: Re: hardware hash function

In article <C6DEo6.uyE@watson.ibm.com>, basturk@watson.ibm.com (Erol Basturk) 
writes:

|>                          So, the question is: has a "fast" hash
|> function been designed for hardware implementation ? 

Yes, you can use a stream cipher chip to hash data with only slight 
modification. See:

`A fast cryptographic checksum algorithm based on stream ciphers', X Lai,
RA Rueppel, J Woolven, Auscrypt 92 pp 8-7 to 8-11.

Ross

Newsgroup: sci.crypt
document_id: 16345
From: tenney@netcom.com (Glenn S. Tenney)
Subject: Re: HELP! Some nut is threatening to sue!

I don't wish to rehash the PGP patent issue at all, but I do feel
that some potential misconceptions in interpreting intellectual property
laws need to be raised.

In article <a_rubin.736125803@dsg4.dse.beckman.com> a_rubin@dsg4.dse.beckman.com (Arthur Rubin) writes:
>
>If PGP violates RSAs patents, then only executing PGP could be a violation.
>Distributing PGP could be contributory infringement, but the PGP
>documentation seemed sufficient to me to protect distributors (before I
>deleted it -- using PGP might be a patent violation in the US, so I have no
>need to keep it.)

You are correct that executing PGP would be a violation (unless the patent
were declared invalid by the courts), but...  there is a question as
to when, how, or if distributing PGP would be a violation.  If the person
or company distributing PGP receives money for doing so, then it is
clearly a sale (for example, if it were on Compuserve, they charge you
for access so they would be selling PGP).  When there is no charge for
PGP things get less clear, but there would still be a reasonable view
that it is inducing an infringement.

> ... [nb re: Jim Bidzos]
>You have no legal action you can take, unless you believe you can prove
>someone is using PGP in the US, for a purpose other than that specifically
>allowed by patent laws.  (Not entirely correct, anyone can sue for any
>reason, but, you cannot prevail unless you can prove that by a preponderance
>of evidence).  Under patent laws, PGP does have legitimate uses, as a means
>to study your algorithm, in order to produce improvements (which would
>still require your approval to execute, until the patent runs out around
>2000).

This is a common misconception.  The patent laws do not mention any valid
purpose for infringing a patent.  Although it is clear that in order to
create a new invention either based on a prior patent or to avoid infringing
a prior patent, one must perform research on an existing patent.  To
just say that you infringed a patent (assume we're not talking the RSA
patent) only for research purposes (wink wink, nudge nudge) and then never
develop any related invention (i.e. only use it), would be a clear
infringement.

-- 
Glenn Tenney
voice: (415) 574-3420      fax: (415) 574-0546
tenney@netcom.com          Ham radio: AA6ER

Newsgroup: sci.crypt
document_id: 16347
From: carl@lvsun.com (Carl Shapiro)
Subject: Re: My letter about Clipper

In article <strnlghtC6BJDw.MID@netcom.com> strnlght@netcom.com (David Sternlight) writes:
>Part of the basis for my belief is that we [NSA] have more people, spend much
>more money, and have much better hardware than anyone else.

The same could be said for many other government agencies, but big budgets,
large staffs, and long lead time haven't made many of them into models of
effectiveness.

The fact is that those of us outside the inner circles have only James
Bamford's word that the people at the NSA use those legendary masses of
computers for anything other than reading netnews, like many of us.

The NSA *doesn't* have an impressive record of accomplishments, at least
not a public record.

>David Sternlight		  Great care has been taken to ensure the accuracy of
>						  our information, errors and omissions excepted.

This, on the other hand, is priceless!	Where's it from?

Newsgroup: sci.crypt
document_id: 16348
From: pooka@access.digex.net (Louis Emmet Mahoney)
Subject: Re: Clipper: Two additional possible problems

erwin@trwacs.fp.trw.com (Harry Erwin) writes:

>Anyone interested in adopting British Telecom's quantum encryption scheme?
>They've demonstrated it over a 10 km link. It automatically detects
>wiretapping.

Can you tell us more?

-pooka


Newsgroup: sci.crypt
document_id: 16351
From: mark@bart.demon.co.uk (Mark Starzewski)
Subject: Re: Clipper: Two additional possible problems

In article <erwin.736304526@trwacs> erwin@trwacs.fp.trw.com writes:

>Anyone interested in adopting British Telecom's quantum encryption scheme?
>They've demonstrated it over a 10 km link. It automatically detects
>wiretapping.
>
If the BT phone system is anything to go by...me thinks this should be
approached with great caution.

Mark
--
******************************************************************************
..without warranty,                           Internet: mark@bart.demon.co.uk
   implied merchantability                          CIS: 100114,2415
   or fitness for a particular purpose...Yo Dude!
******************************************************** Click,Click...brrr...

Newsgroup: sci.crypt
document_id: 16352
From: t31694c@kaira.hut.fi (Tapani Lindgren)
Subject: Re: DES salts

In article <1993Mar31.014220.7701@Demax.COM> mikel@Demax.COM (Mikel Lechner) writes:
>
>You could just as well use a 16 character password to perform the encryption
>of the 64 zero bits.  One simple method would be to use the first 8 characters
>to encrypt the 64 zero bits and then use the remaining 8 characters to
>encrypt the result again.  The output would still be 64 bits which encodes
>into 11 ASCII characters.
>
Wouldn't this method be vulnerable against a "birthday" attack?
Currently a cracker needs to find the _only_ (*1) key that produces
the given ciphertext.  He has to try about 2^63 keys on the average.
In the proposed method the cracker only needs _any pair_ of key halves.
If he can store about 2^32 guesses for one half, he is likely to find
a matching pair in about 2^32 guesses.  (Here I have assumed that the
DES-encryption is reversible, if the key is guessed.  Is this so or do
the modifications of the S-boxes by the salt bits make it non-reversible?)

*1 Probably there is only one key; I think there is 1 chance in about 128
that there are two or more keys (can anyone verify this?), but this doesn't
help the cracker much.


Newsgroup: sci.crypt
document_id: 16353
From: schlege@lips.ecn.purdue.edu (Kevin L Schlegelmilch)
Subject: Source code for Substitution cipher

  I was wondering if anyone knew of where I could find source
code for a program to solve a substitution cipher?  

Thanks!
Kevin

(Please post your answer instead of e-mailing me directly)

Newsgroup: sci.crypt
document_id: 16354
From: msawyer@mael (Michael Sawyer)
Subject: Re: More Clipper stuff

Ben Liberman (ben@genesis.MCS.COM) wrote:
: What if clipper is fairly secure but leaves a distinct clipper signature...
: that is, what if it's not too difficult to tell that a msg. was clipper
: encrypted, even if you can't tell the contents?  In that case, anyone 
: who is trying to hide behind another encryption scheme will stand out
: from all of the other traffic and raise a red flag to the NSA, etc.

I think the obvious answer (which may have been posted, but I haven't
seen it) is to encrypt your data with some other scheme, then run it
through clipper.  The only way the police will be able to detect the
other encryption is through a wiretap, so even if they do notice with
an illegal wiretap, I have a hard time seeing a judge issuing a
warrant for a search to "confiscate" the illegal scheme (assuming that
at one day, it comes to this; a worse case) based on an illegal
wiretap.  Then again, maybe I am an idealist.  :>

: 	------------    --------    ----------------------
: 	Ben Liberman    INTERNET    ben@genesis.MCS.COM
: 	                            ben@tai.chi.il.us

--
Michael Sawyer - My opinions are mine, not necessarily UH's, NSF's, or NASA's
University of Hawaii Physical Oceanography/Satellite Remote Sensing
RIPEM public key available, MD5OfPublicKey: C53C8744A87664168D135C0763DCCC1D


Newsgroup: sci.crypt
document_id: 16355
From: olson@umbc.edu (Bryan Olson; CMSC (G))
Subject: Advanced one time pad (was: Re: more one time pad stuff)


O.K.- if you've read this group for a while, you know all about the
one-time-pad, but here's a question I haven't seen.

The one-time-pad yields ideal security, but has a well-known flaw in
authentication.  Suppose you use a random bit stream as the pad, and
exclusive-or as the encryption operation.  If an adversary knows the 
plaintext of a message, he can change it into any other message.  
Here's how it works.

Alice is sending Bob a plaintext P, under a key stream S
Alice computes the ciphertext C = S xor P,  and sends it to Bob.

Eve knows the plaintext P, but wants the message to appear as P'.
Eve intercepts C, and computes  C' = C xor P xor P' = S xor P'.
Eve sends C' to Bob.

Bob decrypts C' by computing  C'xor S = P',  thus receiving the 
false message which was substituted by Eve.


Now the question is how can this attack be defeated with information
theoretic security, not just computational security.
Can we define something like "ideal authentication" which is the
analog of ideal security.  Can we obtain ideal authentication ?

If not, how much can we limit Eve's control over the message ?

If we can achieve ideal authentication, does the solution use more
key bits or expand the message ?  Can we show the solution to be
optimal in one or more parameters ?

Does anyone know if these questions have been answered before ?

olson@umbc.edu

Newsgroup: sci.crypt
document_id: 16356
From: tds@hoserve.att.com (Tony DeSimone)
Subject: Re: Audio CDs?

>>>>> On 30 Apr 1993 21:16:29 -0400, steve-b@access.digex.net (Steve Brinich) said:

Steve>   Hmmm... given the error corrections in modern audio CDs, is
Steve> it sufficient to simply instruct your agent to decrypt using
Steve> the bit stream from the second cut of the latest Garth Brooks
Steve> CD, or are the usual number of bit errors found acceptable in
Steve> commercial CDs because of that error correction enough to
Steve> garble the message if such a method is used?

One unreliable data point: while looking over the shoulder of a
recording engineer, I decided that he was seeing a raw error rate of
about 1 in 1e6 on a CD ``master.''  Both the extrapolation to
mass-market CDs and my state of mind while doing the arithmetic (I was
waiting for him to finish so we could go get something to eat) are
questionable. 
--
Tony DeSimone                               Room 3m321               
Performance Analysis Department             101 Crawfords Corner Road
AT&T Bell Laboratories                      Holmdel, NJ 07733-3030   

Newsgroup: sci.crypt
document_id: 16357
From: ji@cs.columbia.edu (John Ioannidis)
Subject: Re: Organized Lobbying for Cryptography

In article <1993Apr30.004519.7741@csus.edu> sphughes@sfsuvax1.sfsu.edu (Shaun P. Hughes) writes:
>
>Perhaps someone should ask Zippy the Pinhead for his opinion. :)
>

Yow! Am I ENCRYPTING yet?

Didn't we go over this guns'n'crypto discussion a few months ago? Must
we go over it again?

/ji

Newsgroup: sci.crypt
document_id: 16358
From: C445585@mizzou1.missouri.edu (John Kelsey)
Subject: One-time pad authentication?

   I can think of a couple of ways of guaranteeing authenticity in a one-time
pad encrypted scheme, though I'm not sure how to prove what kind of
authenticity they provide.
 
   An obvious first-attempt might be to prepend a truly random (unpredictable
for Eve) block to the message, and then calculate a CRC which included the
random starting block and all of the message.  This could be encrypted after
the message.  The problem is, I'm not sure it's impossible to come up with
a message that will hash to the same CRC regardless of the random starting
block.  (It intuitively seems like it ought to be hard, but I'm not *that*
sure....)  Clearly, a crypto-strength hash like MD5 or the SHA would be
stronger, but again, I'm not sure I'm comfortable claiming that it's
unbreakable.
 
   A scheme to use up some of the pad bits to decide how many bits of 0's
to include in the plaintext stream before going on wouldn't be too bad,
either.  At the cost of increasing the speed with which you use up your
pad, this could be used to give you arbitrarily low probability that your
opponent could spoof a valid-looking message, since any deciphered plaintext
in a spot that should be carrying 0's will show that something funny's going
on.
 
   If, for each message bit M_i, we used up one random bit, R_i, to decide
whether to insert a 0 into the plaintext stream, we'd get a total pad use
of 2.5 times the message length.  (We'd expand the message size by about
half.)  Each 0 that should appear in the plaintext stream that doesn't is a
guess for our would-be spoofer.  At each bit, she has to guess.  I'm trying
to see how to quantify her chances of making it all the way through the
spoofed message, but it gets a little complicated, because she can get un-
synched, and still happen to have a 0 in that place in the spoofed message.
 
   Now, I can see a simple way of doing this that's got to be as secure
as a one-time pad, at a cost of using 4 times the message length in pad bits.
 
   For each message bit, M_i, use one random bit, R_i, and xor them together
to get X_i.  Now, encrypt the three bits with the one-time pad.  The enemy
has no way of guessing what R_i is, so he/she can't guess what X_i is, either.
Any change she makes in the ciphertext stream will have to involve a guess
of what R_i was.  Is there any way to do this without using so many pad bits?
 
   Spoofing the message is equivalent to correctly guessing as many random
bits as there are bits in the message.  Clearly, this makes spoofing messages
just as hard if you know the whole message text as if you know none of it.
In fact, it looks to me like this makes it just as hard to generate a spoofed
message with the ciphertext as without it, but I'm not entirely sure about
that.
 
   Is there an easier way of doing this that's provably as secure as the
one-time pad?
 
   --John Kelsey

Newsgroup: sci.crypt
document_id: 16359
From: ggr@koonda.acci.com.au (Greg Rose)
Subject: Authentication and one-time-pads (was: Re: Advanced one time pad)

In article <1s1dbmINNehb@elang05.acslab.umbc.edu> olson@umbc.edu (Bryan Olson; CMSC (G)) writes:
>The one-time-pad yields ideal security, but has a well-known flaw in
>authentication.  Suppose you use a random bit stream as the pad, and
>exclusive-or as the encryption operation.  If an adversary knows the 
>plaintext of a message, he can change it into any other message.  
>Here's how it works.
>
>Alice is sending Bob a plaintext P, under a key stream S
>Alice computes the ciphertext C = S xor P,  and sends it to Bob.
>
>Eve knows the plaintext P, but wants the message to appear as P'.
>Eve intercepts C, and computes  C' = C xor P xor P' = S xor P'.
>Eve sends C' to Bob.
>
>Bob decrypts C' by computing  C'xor S = P',  thus receiving the 
>false message which was substituted by Eve.

Firstly, an aside:

I agree that the weakness exists, but I have a lot of trouble
believing that it represents a difficulty in real life. Given:

1. the purpose of the one-time pad is to give unbreakable security,
and the expense of key distribution etc., imply that the clients
really do want that level of security

2. These same people want to keep P a secret

I find it hard to believe that Eve might happen to have a copy of P
lying around.

(I am aware that the same argument applies to Eve knowing even a small
part of the message, but Eve must know EXACTLY where (which bytes) in
C her known subsequence starts, or the result will be garbled. I find
this at least as surprising.)

Back to the question:

If I had the resources to use a one-time-pad for such transmissions, I
would also append a Message Authentication Code to the message, using up
the next bits of the one-time-pad as the key perhaps. Your original
question basically asked whether there was any way to authenticate the
message with the same degree of security as the Pad itself provided,
and I don't know the answer. However, I would propose the following
for discussion.

Alice and Bob have an arbitrary number of secret, random bits to
share, which Eve doesn't know. She finds them out (effectively) by
knowing some P and the corresponding C. It is the fact that they
CORRESPOND that causes the problem. If a message authentication code was to
be created using some one-time-pad operation such that Eve could not
know which parts of the MAC were affected by which parts of the input,
she would be unable to forge a MAC to correspond.

What is required is a non-linear combiner of parts of the message.
(Non-linear so that simply xoring or subtracting or whatever doesn't
have exactly the same effect).

Now, at the end of the encrypted message C, Alice appends an n-bit MAC
computed as follows (S2 means the next full chunk of the one time pad):
  1. compute C2 = P xor S2, and pad to an n-bit boundary with more of S
  2. break C2 into n-bit chunks
  3. set MAC to 0 (initialisation vector)
  4. for i in each chunk sequentially
       set MAC = MAC NLOP C2[i]

At the end of this process MAC is the Message Authentication Code.

(Bob verifies the MAC in the obvious manner; he recovers the
plaintext P, then uses some more of his pad to reproduce the MAC in
the same manner.)

NLOP is the non-linear operator, and there is the rub. The simplest
non-linear operator I can think of is an S-box; that is, have a fixed
(even published) permutation of the n-bit integers, an indexable table
called Sbox, and use:
  x NLOP y = x xor Sbox[y].

Practically speaking, I think this solves your problem, as Eve never
sees the intermediate output C2, and hence can't deduce S2 or perform any valid
substitution on it.

Also practically speaking, you want the MAC to be fairly large, say 32
bits, but you might not want a 4 gigabyte (say) S-box, so you might
work on 4 byte-sized S-boxes, but I think that is an irrelevant detail
for the discussion at hand.

Who will be first to point out my errors, or give me a pointer to some
literature?
--
Greg Rose                 Australian Computing and Communications Institute
ggr@acci.com.au                                              +61 18 174 842
`Use of the standard phrase "HIJACKED" may be inadvisable' -- CAA
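
The substitution Bryan Olson describes above, and the S-box MAC Greg Rose proposes in reply, worked through on one message as an added example (not code from either post): function names, the sample message, the seeded pad and the 16-bit chunk width are this example's own choices.

```python
# Added example, not code from any of the posts: reproduces the one-time-pad
# substitution C' = C xor P xor P' from Bryan Olson's post, then applies the
# S-box MAC from Greg Rose's post to the same message so Bob can notice the
# change.  n = 16 bits is an assumed chunk width (Greg suggests ~32) chosen so
# the S-box, a 65536-entry permutation, stays small.
import random
from typing import Dict, List

N_BITS = 16
N_BYTES = N_BITS // 8


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """Encrypt or decrypt `data` by XOR with the same-length prefix of `pad`."""
    if len(pad) < len(data):
        raise ValueError("pad shorter than data")
    return bytes(d ^ k for d, k in zip(data, pad))


def substitute(c: bytes, p_known: bytes, p_new: bytes) -> bytes:
    """Eve's step from Olson's post: C' = C xor P xor P', so C' xor S = P'.

    It needs no key material, but only works when Eve knows P exactly and
    P' has the same length."""
    if not (len(c) == len(p_known) == len(p_new)):
        raise ValueError("C, P and P' must have equal length")
    return bytes(ci ^ a ^ b for ci, a, b in zip(c, p_known, p_new))


def make_sbox(seed: int = 1993) -> List[int]:
    """A fixed, publishable permutation of the 2^n n-bit values (Greg's Sbox)."""
    table = list(range(1 << N_BITS))
    random.Random(seed).shuffle(table)
    return table


SBOX = make_sbox()


def sbox_mac(plaintext: bytes, s2: bytes) -> int:
    """Greg's MAC: C2 = P xor S2, padded to an n-bit boundary with more pad
    bytes; MAC = 0, then for each n-bit chunk MAC = MAC xor Sbox[chunk]."""
    padded_len = -(-len(plaintext) // N_BYTES) * N_BYTES   # round up
    if len(s2) < padded_len:
        raise ValueError("not enough pad left for the MAC")
    # "Pad with more of S" makes the tail of C2 pure pad bytes, which is the
    # same as XORing a zero-extended P with S2.
    c2 = otp_xor(plaintext + bytes(padded_len - len(plaintext)), s2)
    mac = 0
    for i in range(0, padded_len, N_BYTES):
        chunk = int.from_bytes(c2[i:i + N_BYTES], "big")
        mac ^= SBOX[chunk]                      # x NLOP y = x xor Sbox[y]
    return mac


def run_scenario(p: bytes, p_new: bytes, seed: int = 7) -> Dict[str, object]:
    """Alice sends P with the MAC appended; Eve, knowing P, substitutes P';
    Bob decrypts and recomputes the MAC from his own copy of the pad."""
    rng = random.Random(seed)   # reproducible stand-in; a real pad must be truly random
    pad = bytes(rng.getrandbits(8) for _ in range(2 * len(p) + N_BYTES))
    s, s2 = pad[:len(p)], pad[len(p):]        # S encrypts, S2 keys the MAC
    c = otp_xor(p, s)
    mac_sent = sbox_mac(p, s2)

    c_forged = substitute(c, p, p_new)        # Eve never sees C2, S or S2
    bob_plain = otp_xor(c_forged, s)
    bob_mac = sbox_mac(bob_plain, s2)
    return {
        "bob_reads": bob_plain,               # equals p_new: the swap itself works
        # If exactly one chunk changed, Sbox being a permutation makes the two
        # MACs differ with certainty; for several changed chunks a collision
        # has probability about 2^-n.
        "mac_ok": bob_mac == mac_sent,
    }
```

Note that Greg's MAC is sent in clear and, for a message of a single chunk, equals Sbox[P xor S2], so anyone who knows P learns S2 from it; the scenario above uses multi-chunk messages.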

Newsgroup: sci.crypt
Document_id: 14147
From: Marc VanHeyningen <mvanheyn@cs.indiana.edu>
Subject: RIPEM Frequently Asked Questions

Archive-name: ripem/faq
Last-update: Sun, 7 Mar 93 21:00:00 -0500

ABOUT THIS POSTING
------------------
This is a (still rather rough) listing of likely questions and
information about RIPEM, a program for public key mail encryption.  It
(this FAQ, not RIPEM) was written and will be maintained by Marc
VanHeyningen, <mvanheyn@whale.cs.indiana.edu>.  It will be posted to a
variety of newsgroups on a monthly basis; follow-up discussion specific
to RIPEM is redirected to the group alt.security.ripem.

This month, I have reformatted this posting in an attempt to comply
with the standards for HyperText FAQ formatting to allow easy
manipulation of this document over the World Wide Web.  Let me know
what you think.

DISCLAIMER
----------
Nothing in this FAQ should be considered legal advice, or anything
other than one person's opinion.  If you want real legal advice, talk
to a real lawyer.

QUESTIONS AND ANSWERS
---------------------

1)  What is RIPEM?

 RIPEM is a program which performs Privacy Enhanced Mail (PEM) using
 the cryptographic techniques of RSA and DES.  It allows your
 electronic mail to have the properties of authentication (i.e. who
 sent it can be confirmed) and privacy (i.e. nobody can read it except
 the intended recipient.)

 RIPEM was written primarily by Mark Riordan <mrr@scss3.cl.msu.edu>.
 Most of the code is in the public domain, except for the RSA routines,
 which are a library called RSAREF licensed from RSA Data Security Inc.

2)  How can I get RIPEM?

 RIPEM contains the library of cryptographic routines RSAREF, which is
 considered munitions and thus is export-restricted from distribution
 to people who are not citizens or permanent residents of the U.S. or
 Canada.  Therefore, the following request is quoted from the README
 file:

 #Please do not export the cryptographic code in this distribution
 #outside of the USA or Canada.  This is a personal request from me,
 #the author of RIPEM, and a condition of your use of RIPEM.

 Note that RSAREF is not in the public domain, and a license for it is
 included with the distribution.  You should read it before using
 RIPEM.

 The best way to get it is to ask a friend for a copy, since this will
 reduce the load on those sites that do carry it (not to mention the
 humans that run them.)  Naturally this requires that you trust the
 friend.

 RIPEM is available via anonymous FTP to citizens and permanent residents
 in the U.S. from rsa.com; cd to rsaref/ and read the README file for
 info.  Last I looked, this site contains only the source tree, and
 does not contain compiled binaries or the nice Mac version.

 RIPEM, as well as some other crypt stuff, has its "home site" on
 rpub.cl.msu.edu, which is open to non-anonymous FTP for users in the
 U.S. and Canada who are citizens or permanent residents.  To find out
 how to obtain access, ftp there, cd to pub/crypt/, and read the file
 GETTING_ACCESS.  For convenience, binaries for many architectures are
 available here in addition to the full source tree.

3)  Will RIPEM run on my machine?

 Probably.  It has already been ported to MS-DOS and most flavors of
 Unix (SunOS, NeXT, Linux, AIX, ULTRIX, Solaris, etc.)  Ports to
 Macintosh include a standard UNIX-style port and a rather nice
 Mac-like port written by Raymond Lau, author of StuffIt.  More ports
 are expected, and help of users is invited.

4)  Will RIPEM work with my mailer?

 Probably.  How easy and clean the effective interface is will depend
 on the sophistication and modularity of the mailer, though.  The users
 guide, included with the distribution, discusses ways to use RIPEM
 with many popular mailers, including Berkeley, mush, Elm, and MH.
 Code is also included in elisp to allow easy use of RIPEM inside GNU
 Emacs.

 If you make a new interface for RIPEM or create an improvement on one
 in the distribution which you believe is convenient to use, secure,
 and may be useful to others, feel free to post it to alt.security.ripem.

5)  What is RSA?

 RSA is a crypto system which is asymmetric, or public-key.  This means
 that there are two different, related keys: one to encrypt and one to
 decrypt.  Because one cannot (reasonably) be derived from the other,
 you may publish your encryption, or public, key widely and keep your
 decryption, or private, key to yourself.  Anyone can use your public
 key to encrypt a message, but only you hold the private key needed to
 decrypt it.  (Note that the "message" sent with RSA is normally just
 the DES key to the real message.  See "What is DES?")

 Note that the above only provides for privacy.  For authentication,
 the fingerprint of the message (See "What is a fingerprint, like
 MD5?") is encrypted with the sender's private key.  The recipient can
 use the sender's public key to decrypt it and confirm that the message
 must have come from the sender.

 RSA was named for the three men (Rivest, Shamir and Adleman) who
 invented it.  To find out more about RSA, ftp to rsa.com and look in
 pub/faq/ or look in sci.crypt.

6)  What is DES?

 DES is the Data Encryption Standard, a widely used symmetric, or
 secret-key, crypto system.  Unlike RSA, DES uses the same key to
 encrypt and decrypt messages.  However, DES is much faster than RSA.

 RIPEM uses both DES and RSA; it generates a random key and encrypts
 your mail with DES using that key.  It then encrypts that key with the
 recipient's public RSA key and includes the result in the letter,
 allowing the recipient to recover the DES key.

 DES is sometimes considered weak because it is somewhat old and uses a
 key length considered too short by modern standards.  However, it
 should be reasonably safe against an opponent smaller than a large
 corporation or government agency.  It is not unlikely that future
 RIPEMs will strengthen the symmetric cipher, possibly by using
 multiple encryption with DES.

7)  What is PEM, and how does RIPEM relate?

 PEM is Privacy Enhanced Mail, a system for allowing easy transfer of
 encrypted electronic mail.  It is described in RFCs 1421-1424; these
 documents have been approved and obsolete the old RFCs 1113-1115.

 RIPEM is not really a complete implementation of PEM, because PEM
 specifies certificates for authenticating keys, which RIPEM does not
 handle at this time.  Their addition is planned.

8)  What's this about distributing and authenticating keys?

 For a remote user to be able to send secure mail to you, she must know
 your public key.  For you to be able to confirm that the message
 received came from her, you must know her public key.  It is important
 that this information be accurate; if a "bad guy" convinces her that
 his key is in fact yours, she will send messages which he can read.

 RIPEM allows for three methods of key management: a central server,
 the distributed finger servers, and a flat file.  All three are
 described in the RIPEM users guide which is part of the distribution.
 None of them provide perfect security.

9)  Why do all RIPEM public keys look very similar?

 RIPEM public keys begin with a PKCS identifier describing various
 characteristics about the key, so the first bunch of characters in
 your key may be the same as those of lots of other people's keys.
 This does not mean your keys are similar, but only that they are the
 same class of key, were generated with the same program, are of the
 same length, etc.

10)  What is a fingerprint, like MD5?

 MD5 is a message digest algorithm produced by RSA Data Security Inc.
 It provides a 128-bit fingerprint, or cryptographically secure hash,
 of the plaintext.  It is cryptographically secure because it is not
 possible (in a reasonable amount of computation) to produce a
 different plaintext which produces the same fingerprint.  Thus,
 instead of signing the entire message with the sender's private key,
 only the MD5 of the message needs to be signed for authentication.

 MD5 is sometimes used for other purposes; for example, it is often
 used to map an input of arbitrary length to 128 bits of data, as a
 passphrase interpreter or cookie generator.

 MD5 is described in its entirety (including an implementation in C) in
 RFC 1321.

11)  What is PGP?

 PGP is another cryptographic mail program called Pretty Good Privacy.
 PGP has been around longer than RIPEM, and works somewhat differently.
 PGP is not compatible with RIPEM in any way, though PGP does also use RSA.

 Some major differences between PGP and RIPEM:

 - PGP has more key management features, particularly for users without
   a direct network connection.

 - RIPEM conforms to the PEM RFCs and thus has a greater probability of
   working with other PEM software.  PGP makes no attempt to be compatible
   with anything other than PGP (in fact, PGP 1.0 is not compatible with
   PGP 2.0).

 - RIPEM uses RSAREF, a library of RSA routines from RSA Data Security
   Inc.  RSAREF comes with a license which allows noncommercial use.
   PGP uses its own implementation of RSA which is not licensed; thus,
   PKP, the firm holding the U.S. patents on the RSA algorithm, claims
   that it is an infringement of that patent to make, use or sell PGP in
   the U.S. or Canada.  In acknowledgement of this, PGP's original
   author, Phil Zimmermann, says in the documentation:

   #In fact, if you live in the USA, and you are not a Federal agency, 
   #you shouldn't actually run PGP on your computer, because Public
   #Key Partners wants to forbid you from running my software.  PGP is
   #contraband.  

 - Both PGP and RIPEM are export-restricted, and cannot be sent outside
   the U.S. and Canada.  However, PGP already exists on many ftp sites
   in Europe and other places.

 Whether you use PGP or RIPEM or whatever, the documentation to PGP is
 recommended reading to anyone interested in such issues.

 Note that the above facts, both regarding patent and export
 restrictions, are somewhat controversial; many people think it
 shouldn't be that way, and some people interpret various documents
 differently.  Unfortunately, discussions of it on the net inevitably
 seem to produce more heat than light, and probably belong in
 misc.legal.computing.  (See:  "DISCLAIMER")

12)  What about RPEM?

 RPEM stands for Rabin Privacy Enhanced Mail.  It was similar to RIPEM,
 but used a public-key cipher invented by Rabin (which is not RSA) in
 an attempt to avoid the patent on RSA.  It was written by Mark
 Riordan, the same author as RIPEM.

 Its distribution was halted when, contrary to the beliefs of many
 (including Rabin), Public Key Partners (PKP) claimed that their patent
 was broad enough to cover any public-key cipher whose strength rested
 in the difficulty of factoring products of large primes, not just RSA.
 This claim is not universally accepted by any means, but was not
 challenged for pragmatic reasons.

 RPEM is not really used anymore.  It is not compatible with RIPEM or PGP.

13)  What is MIME?

 MIME stands for Multipurpose Internet Mail Extensions, and is
 described in RFC 1341.  You can find out about it in the newsgroup
 comp.mail.mime.  How PEM should interact with MIME is not yet entirely
 clear; some people use the stopgap solution of having a MIME type
 application/x-ripem in order to send RIPEM messages as MIME ones.  I
 hope some standards will emerge.  Draft Internet documents exist on
 the matter.

14)  I have this simple way to defeat the security of RIPEM...

 You may wish to check the companion post "ripem-attacks" which
 discusses some of the more obvious attacks on RIPEM's security and
 what procedures will minimize the risk.  RIPEM's main "weak area" is
 probably key distribution.

Newsgroup: sci.crypt
Document_id: 14831
From: mvanheyn@cs.indiana.edu (Marc VanHeyningen)
Subject: RIPEM Frequently Asked Questions

Archive-name: ripem/faq
Last-update: 31 Mar 93 22:00:00 -0500

ABOUT THIS POSTING
------------------
This is a listing of likely questions and information about RIPEM, a
program for public key mail encryption.  It (this FAQ, not RIPEM) was
written and will be maintained by Marc VanHeyningen
<mvanheyn@cs.indiana.edu>.  It will be posted to a variety of
newsgroups on a monthly basis; follow-up discussion specific to RIPEM
is redirected to the group alt.security.ripem.

WHAT'S NEW
----------
I am now running a World Wide Web archive of RIPEM information.  It
does not contain much of anything that isn't available elsewhere, but
it has convenient pointers to the most current version of this FAQ and
some other stuff.  The URL is "http://cs.indiana.edu/ripem/dir.html".

This month's version has a fair amount of new pointers to information
on patents and stuff like that.  I've also reordered a few things to
have a more sensible ordering.  I hope I don't have to edit this again
soon. :-)

DISCLAIMER
----------
Nothing in this FAQ should be considered legal advice, or anything
other than one layperson's opinion.  If you want real legal advice,
talk to a real lawyer, preferably one with experience in patent law,
export regulations, or whatever area of law is in question.

LIST OF QUESTIONS
-----------------
1)  What is RIPEM?
2)  How can I get RIPEM?
3)  Will RIPEM run on my machine?
4)  Will RIPEM work with my mailer?
5)  What is RSA?
6)  What is DES?
7)  What is a fingerprint, like MD5?
8)  What is PEM?
9)  What's this about distributing and authenticating keys?
10)  Isn't it a bad idea to use patented algorithms in standards like PEM?
11)  What about RSADSI/PKP?
12)  Why do all RIPEM public keys look very similar?
13)  What is PGP?
14)  What about RPEM?
15)  What is MIME?
16)  What is TIS/PEM?
17)  I have this simple way to defeat the security of RIPEM...

QUESTIONS AND ANSWERS
---------------------

1)  What is RIPEM?

 RIPEM is a (not yet complete, but useful) implementation of Privacy
 Enhanced Mail (PEM).  RIPEM allows your electronic mail to have the
 four security facilities provided by PEM: disclosure protection
 (optional), originator authenticity, message integrity measures, and
 non-repudiation of origin (always).  (See: "What is PEM?")

 RIPEM was written primarily by Mark Riordan <mrr@scss3.cl.msu.edu>.
 Most of the code is in the public domain, except for the RSA routines,
 which are a library called RSAREF licensed from RSA Data Security Inc.

 The current version of RIPEM is 1.0.5; the current version of the
 Macintosh port of RIPEM is 0.7.

2)  How can I get RIPEM?

 RIPEM uses the library of cryptographic routines RSAREF, which is
 considered munitions and thus is export-restricted from distribution
 to persons who are not citizens or permanent residents in the U.S. or
 Canada without an export license.  No such license has been obtained
 (nor would one likely be granted unless the RSA key exchange were
 shortened to 512 bits and the symmetric cipher changed to something
 weaker than DES.  There are some suggestions that this situation may
 change now that Clinton is in office.)  The author requests in the
 README file that this law not be violated:

 #Please do not export the cryptographic code in this distribution
 #outside of the USA or Canada.  This is a personal request from me,
 #the author of RIPEM, and a condition of your use of RIPEM.

 Note that RSAREF is not in the public domain, and a license for it is
 included with the distribution.  You should read it before using
 RIPEM.

 RIPEM is available via anonymous FTP to citizens and permanent
 residents in the U.S. from rsa.com; cd to rsaref/ and read the README
 file for info.  Note that the non-RSAREF portion of RIPEM is not a
 product of RSA Data Security, Incorporated; they merely are helping
 distribute it.

 RIPEM, as well as some other crypt stuff, has its "home site" on
 ripem.msu.edu, which is open to non-anonymous FTP for users in the
 U.S. and Canada who are citizens or permanent residents.  To find out
 how to obtain access, FTP there, cd to pub/crypt/, and read the file
 GETTING_ACCESS.  For convenience, binaries for many architectures are
 available here in addition to the full source tree.

3)  Will RIPEM run on my machine?

 Probably.  It has already been ported to MS-DOS and most flavors of
 Unix (SunOS, NeXT, Linux, AIX, ULTRIX, Solaris, etc.).  Ports to
 Macintosh include a standard UNIX-style port and a rather nice
 Mac-like port written by Raymond Lau, author of StuffIt.  More ports
 are expected, and help of users is invited.

4)  Will RIPEM work with my mailer?

 Probably.  How easy and clean the effective interface is will depend
 on the sophistication and modularity of the mailer, though.  The users
 guide, included with the distribution, discusses ways to use RIPEM
 with many popular mailers, including Berkeley, mush, Elm, and MH.
 Code is also included in elisp to allow easy use of RIPEM inside GNU
 Emacs.

 If you make a new interface for RIPEM or create an improvement on one
 in the distribution which you believe is convenient to use, secure,
 and may be useful to others, feel free to post it to alt.security.ripem.

5)  What is RSA?

 RSA is a crypto system which is asymmetric, or public-key.  This means
 that there are two different, related keys: one to encrypt and one to
 decrypt.  Because one cannot (reasonably) be derived from the other,
 you may publish your encryption, or public, key widely and keep your
 decryption, or private, key to yourself.  Anyone can use your public
 key to encrypt a message, but only you hold the private key needed to
 decrypt it.  Note that the "message" sent with RSA is normally just
 the DES key to the real plaintext. (See "What is DES?")

 Note that the above only provides for disclosure protection.  For
 originator authenticity, message integrity, and non-repudiation of
 origin services to be implemented, the fingerprint of the message
 (See "What is a fingerprint, like MD5?") is encrypted with the
 sender's private key.  The recipient, or a dispute-resolving
 authority, can use the sender's public key to decrypt it and confirm
 that the message must have come from the sender and was not altered.

 RSA was named for the three men (Rivest, Shamir and Adleman) who
 invented it.  To find out lots more about RSA and modern cryptography
 in general, ftp to rsa.com and look in pub/faq/.  Some information
 also may be in sci.crypt.

6)  What is DES?

 DES is the Data Encryption Standard, a widely used symmetric, or
 secret-key, crypto system.  Unlike RSA, DES uses the same key to
 encrypt and decrypt messages.  However, DES is much faster than RSA.

 RIPEM uses both DES and RSA; it generates a random key and encrypts
 your mail with DES using that key.  It then encrypts that key with the
 recipient's public RSA key and includes the result in the letter,
 allowing the recipient to recover the DES key.

 DES is sometimes considered weak because it is somewhat old and uses a
 key length considered too short by modern standards.  However, it
 should be reasonably safe against an opponent smaller than a large
 corporation or government agency.  It is not likely that the PEM
 standard will incorporate support for other symmetric ciphers in the
 near future, because there is a strong feeling that PEM should be
 stable so it can become utilized widely without early problems with
 interoperability.

7)  What is a fingerprint, like MD5?

 MD5 is a message digest algorithm produced by RSA Data Security Inc.
 It provides a 128-bit fingerprint, or cryptographically secure hash,
 of the plaintext.  It is cryptographically secure because it is not
 possible (in a reasonable amount of computation) to produce a
 different plaintext which produces the same fingerprint.  Thus,
 instead of signing the entire message with the sender's private key,
 only the MD5 of the message needs to be signed for authentication.

 MD5s can also be exchanged directly for authentication; for example,
 RIPEM public keys include an MD5 of the public key in the file, so
 parties wishing to confirm their keys are authentic via a separate
 channel merely need exchange MD5s of keys and verify their accuracy.

 MD5 is sometimes used for other purposes; for example, it is often
 used to map an input of arbitrary length to 128 bits of data, as a
 passphrase interpreter or cookie generator.

 MD5 is described in its entirety (including an implementation in C) in
 RFC 1321.

 There have been some recent suggestions that MD5 may not be as strong
 a hash as was originally believed; presumably some other hash
 function will be used if this is accepted as true.
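 The scheme described in "What is RSA?", "What is DES?" and "What is a
 fingerprint, like MD5?" fits in a few dozen lines, so here is an added
 illustration of it.  This is not RIPEM or RSAREF code.  Its assumptions:
 textbook RSA with no padding (RIPEM pads per PKCS #1 through RSAREF), a
 demonstration-sized modulus, and an HMAC-SHA256 keystream standing in for
 DES, which the Python standard library does not ship.  It also shows the
 MD5 fingerprint of a public key that correspondents can compare over a
 separate channel.

```python
"""Hybrid RSA + symmetric-cipher mail protection in the shape RIPEM uses.

Added illustration, not RIPEM or RSAREF code.  Assumptions: unpadded
textbook RSA, a modulus far too small for real use, and an HMAC-based
keystream as a stand-in for DES.
"""
import hashlib
import hmac
import math
import os
import secrets


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test (adequate for an illustration)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits=256):
    """Return ((n, e), (n, d)); bits=256 is demonstration-sized, not secure."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def stream_xor(key, data):
    """DES stand-in (an assumption of this example): HMAC-SHA256 keystream in
    counter mode XORed over the data.  The same call encrypts and decrypts."""
    out = bytearray()
    for ctr, start in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)


def key_fingerprint(pub):
    """MD5 fingerprint of a public key, to be compared over a separate channel."""
    n, e = pub
    blob = n.to_bytes((n.bit_length() + 7) // 8, "big") + e.to_bytes(4, "big")
    return hashlib.md5(blob).hexdigest()


def seal(plaintext, recipient_pub, sender_priv):
    """ENCRYPTED mode in miniature: fresh session key, body encrypted with it,
    key encrypted with the recipient's public key, MD5 of the plaintext
    signed (RSA-transformed) with the sender's private key."""
    n, e = recipient_pub
    session_key = os.urandom(16)        # new for every message, like RIPEM's DES key
    body = stream_xor(session_key, plaintext)
    wrapped_key = pow(int.from_bytes(session_key, "big"), e, n)
    mic = int.from_bytes(hashlib.md5(plaintext).digest(), "big")
    signature = pow(mic, sender_priv[1], sender_priv[0])
    return {"body": body, "wrapped_key": wrapped_key, "signature": signature}


def unseal(msg, recipient_priv, sender_pub):
    """Recover the session key, decrypt, then check the signed fingerprint."""
    n, d = recipient_priv
    key_int = pow(msg["wrapped_key"], d, n)
    if key_int >= 1 << 128:
        raise ValueError("wrapped key does not decrypt to a session key")
    plaintext = stream_xor(key_int.to_bytes(16, "big"), msg["body"])
    expected = int.from_bytes(hashlib.md5(plaintext).digest(), "big")
    recovered = pow(msg["signature"], sender_pub[1], sender_pub[0])
    if recovered != expected:
        raise ValueError("MIC check failed: altered in transit or not from the claimed sender")
    return plaintext


def verifies(msg, recipient_priv, sender_pub):
    """True when unseal() accepts the message, False when it rejects it."""
    try:
        unseal(msg, recipient_priv, sender_pub)
        return True
    except ValueError:
        return False
```

 Two points the FAQ text makes are visible in the code: only the short
 session key, never the letter itself, goes through RSA, and the signature
 covers the 128-bit digest rather than the whole plaintext.  Checking the
 signature with the wrong public key, or changing one byte of the body,
 makes unseal() reject the message.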

8)  What is PEM?

 PEM is Privacy Enhanced Mail, a standard for allowing transfer of
 encrypted electronic mail generated over a long period of time by a
 working group of experts.  It is described in RFCs 1421-1424; these
 documents have been approved and obsolete the old RFCs 1113-1115.

 RIPEM is not really a complete implementation of PEM, because PEM
 specifies certificates for authenticating keys, which RIPEM does not
 handle at this time.  Their addition is planned.

9)  What's this about distributing and authenticating keys?

 For a remote user to be able to send secure mail to you, she must know
 your public key.  For you to be able to confirm that the message
 received came from her, you must know her public key.  It is important
 that this information be accurate; if a "bad guy" convinces her that
 his key is in fact yours, she will send messages which he can read.

 RIPEM allows for three methods of key management: a central server,
 the distributed finger servers, and a flat file.  All three are
 described in the RIPEM users guide which is part of the distribution.
 None of them provide perfect security.  The PEM standard calls for
 key management by certificates; the addition of this feature to RIPEM
 is planned, but chicken-egg issues still exist.

10)  Isn't it a bad idea to use patented algorithms in standards like PEM?

 This issue has been considered in the standards process.  RFC 1310,
 the specification for Internet standards, has a discussion (section
 6) on what specifications for nondiscriminatory availability must be
 met for a patented method to be included in a standard.  RFC 1421
 addresses this issue with regard to the patents covering public-key
 cryptography.

 This does not, of course, mean that all questions are settled or that
 everyone is in agreement.  An interesting exchange on the use of
 patented algorithms in standards with regard to public-key
 cryptography is in the League for Programming Freedom archive
 (available via FTP: ftp.uu.net:/doc/lpf) in the files bidzos.letter
 and bidzos.response.  (Amusingly, the LPF files on ftp.uu.net are
 compressed with a patented algorithm.)

11)  What about RSADSI/PKP?

 RSA Data Security, Inc. (RSADSI) is a California-based company
 specializing in cryptographic technologies.  Public Key Partners is a
 firm which holds exclusive sub-licensing rights of the following U.S.
 patents and all of their corresponding foreign patents:

      Cryptographic Apparatus and Method
      ("Diffie-Hellman")............................... No. 4,200,770

      Public Key Cryptographic Apparatus
      and Method ("Hellman-Merkle").................... No. 4,218,582

      Cryptographic Communications System and
      Method ("RSA")................................... No. 4,405,829

      Exponential Cryptographic Apparatus
      and Method ("Hellman-Pohlig").................... No. 4,424,414

 PKP claims these four patents cover all known methods of public key
 cryptography.  The two businesses are rather closely related (for
 example, the same person, Jim Bidzos, is president of both of them).
 PKP has licensed this technology to a considerable number of
 companies (IBM, DEC, Motorola, AT&T, Lotus...) for use in their
 products.  PKP has also threatened and filed lawsuits defending their
 patents.

 RIPEM was originally created with no connection to RSADSI other than
 its use of the RSAREF library, and for no reason other than its
 author's desire to see widespread use of public-key cryptography.
 However, after the ball started rolling, people at RSADSI got
 interested.  RSADSI decided to carry RIPEM on its FTP site, and some
 people there started making their own RIPEM keys and contributing
 code.  RIPEM even won the "Best Application Built on RSAREF in 1992"
 award.

12)  Why do all RIPEM public keys look very similar?

 RIPEM public keys begin with a PKCS (Public-Key Cryptography
 Standards) identifier describing various characteristics about the
 key, so the first bunch of characters in your key may be the same as
 those of lots of other people's keys.  This does not mean your keys
 are similar, but only that they are the same class of key, were
 generated with the same program, are of the same length, etc.

13)  What is PGP?

 PGP is another cryptographic mail program called Pretty Good Privacy.
 PGP has been around longer than RIPEM, and works somewhat differently.
 PGP is not compatible with RIPEM in any way, though PGP does also use RSA.

 A few major differences between PGP and RIPEM:

 - PGP has more key management features, particularly for users without
   a direct network connection.

 - RIPEM conforms to the PEM RFCs and thus has a greater probability
   of working with other PEM software.  PGP makes no attempt to be
   compatible with anything other than itself.

 - RIPEM uses RSAREF, a library of RSA routines from RSADSI which
   comes with a license allowing noncommercial use.  PGP uses its own
   implementation of RSA.  PKP claims that it is a violation of its
   patents to "make, use or sell" PGP in the U.S. or Canada without
   either a license or written permission.  (See: "DISCLAIMER")
   (See: "What about RSADSI/PKP?")  Phil Zimmermann, the author of
   PGP, stopped distributing it after being threatened with legal
   action; he believed that a licensing scheme could be arranged, but
   it hasn't happened and there seems little prospect of it happening
   in the future.  He acknowledges in the PGP User's Guide:

   #In fact, if you live in the USA, and you are not a Federal agency, 
   #you shouldn't actually run PGP on your computer, because Public
   #Key Partners wants to forbid you from running my software.  PGP is
   #contraband.

 - Both PGP and RIPEM are export-restricted, and cannot be sent outside
   the U.S. and Canada without an export license.  However, PGP
   already exists on many ftp sites in Europe and other places.

 Whether you use PGP or RIPEM or whatever, the documentation to PGP is
 recommended reading to anyone interested in such issues.
 Unfortunately, it's not distributed separately from the program,
 which can be difficult to find in the U.S. on FTP sites due to
 liability concerns.

14)  What about RPEM?

 RPEM stands for Rabin Privacy Enhanced Mail.  It was similar to RIPEM,
 but used a public-key cipher invented by Rabin (which is not RSA) in
 an attempt to avoid the patents on public-key systems.  It was
 written by Mark Riordan, who later wrote RIPEM.

 Its distribution was halted when, contrary to the beliefs of many
 (including Rabin), PKP claimed that their patents were broad enough
 to cover the cipher employed.  This claim is not universally
 accepted, but was not challenged for pragmatic reasons.

 RPEM is not really used anymore.  It is not compatible with RIPEM or PGP.

15)  What is MIME?

 MIME stands for Multipurpose Internet Mail Extensions, and is
 described in RFC 1341.  You can find out about it in the newsgroup
 comp.mail.mime; a FAQ exists on it.  How PEM should interact with
 MIME is not yet entirely clear; some people use the stopgap solution
 of having a MIME type application/x-ripem in order to send RIPEM
 messages as MIME ones.  I hope some standards will emerge.  Draft
 Internet documents exist on the matter.

16)  What is TIS/PEM?

 Trusted Information Systems is working on a version of Privacy
 Enhanced Mail for general availability.  Last I heard, it was
 rumored to be integrated into an existing mail user agent (MH)
 rather than a stand-alone system, and in beta test.  I don't know
 much more than that.

17)  I have this simple way to defeat the security of RIPEM...

 You may wish to check the companion post "ripem-attacks" which
 discusses some of the more obvious attacks on RIPEM's security and
 what procedures will minimize the risk.  RIPEM's main "weak area" is
 probably key distribution.

Newsgroup: sci.crypt
Document_id: 14832
From: mvanheyn@cs.indiana.edu (Marc VanHeyningen)
Subject: RIPEM Frequently Noted Vulnerabilities

Archive-name: ripem/attacks
Last-update: 31 Mar 93 21:00:00 -0500

SOME POSSIBLE ATTACKS ON RIPEM
------------------------------

This is a living list of potential weaknesses to keep your eyes open
for when using RIPEM for secure electronic mail.  It does not go into
great detail, and is almost certainly not exhaustive.  Obviously, many
of the weaknesses are weaknesses of cryptographically secured mail in
general, and will pertain to secure mail programs other than RIPEM.
It is maintained by Marc VanHeyningen <mvanheyn@cs.indiana.edu>.  It
is posted monthly to a variety of news groups; followups pertaining
specifically to RIPEM should go to alt.security.ripem.

CRYPTANALYSIS ATTACKS
---------------------

- Breaking RSA would allow an attacker to find out your private key,
  in which case he could read any mail encrypted to you and sign
  messages with your private key.

  RSA is generally believed to be resistant to all standard
  cryptanalytic techniques.  Even a standard key (about 516 bits with
  RIPEM) is long enough to render this impractical, barring a
  huge investment in hardware or a breakthrough in factoring.

- Breaking DES would allow an attacker to read any given message,
  since the message itself is encrypted with DES.  It would not allow
  an attacker to claim to be you.

  DES has only 56 bits in its key, and thus could conceivably be
  compromised by brute force with sufficient hardware, but few agencies
  have that kind of money to devote to reading a single message.  Since each
  message has a different DES key, the work for each message would
  remain high.

KEY MANAGEMENT ATTACKS
----------------------

- Stealing your private key would allow the same benefits as breaking
  RSA.  To safeguard it, it is encrypted with a DES key which is derived
  from a passphrase you type in.  However, if an attacker can get a copy
  of your private keyfile and your passphrase (by snooping network
  packets, tapping lines, or whatever) he could break the whole scheme.

  The main risk is that of transferring either the passphrase or the
  private key file across an untrusted link.  So don't do that.  Run 
  RIPEM on a trusted machine, preferably one sitting right in front of
  you.  Ideally, your own machine in your own home (or maybe office)
  which nobody else has physical access to.

- Fooling you into accepting a bogus public key for someone else could 
  allow an opponent to deceive you into sending secret messages to him
  rather than to the real recipient.  If the enemy can fool your
  intended recipient as well, he could re-encrypt the messages with
  the other bogus public key and pass them along.

  It is important to get the proper public keys of other people.
  The most common mechanism for this is finger; assuming the opponent
  has not compromised routers or daemons or such, finger can be 
  given a fair amount of trust.  The strongest method of key
  authentication is to exchange keys in person; however, this is
  not always practical.  Having other people "vouch for you" by
  signing a statement containing your key is possible, although 
  RIPEM doesn't have features for doing this as automatically as
  PGP.  RIPEM does generate and check MD5 fingerprints of public keys
  in the key files; they may be exchanged via a separate channel for
  authentication.

PLAYBACK ATTACKS
----------------

- Even if an opponent cannot break the cryptography, an opponent could
  still cause difficulties.  For example, suppose you send a message
  with MIC-ONLY (a PEM mode which does not provide disclosure protection)
  to Alice which says "OK, let's do that." Your opponent intercepts
  it, and now resends it to Bob, who now has a message which is
  authenticated as from you telling him to do that.  Of course, he may
  interpret it in an entirely different context.  Or your opponent
  could transmit the same message to the same recipient much later,
  figuring it would be seen differently at a later time.  Or the
  opponent could change the Originator-Name: to himself, register 
  your public key as his, and send a message hoping the recipient
  will send him return mail indicating (perhaps even quoting!) the
  unknown message.

  To defeat playback attacks, the plaintext of each message should 
  include some indication of the sender and recipient, and a unique
  identifier (typically the date).  A good front-end script for RIPEM
  should do this automatically (IMHO).  As a recipient, you should be
  sure that the Originator-Name: header and the sender indicated within
  the plaintext are the same, that you really are a recipient, and that
  the message is not an old one.  Some of this also can and should be
  automated.  The author of this FAQ has made a modest attempt at
  automating the process of generating and checking encapsulated
  headers; the programs are included in the standard distribution in
  the utils directory.
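  As an added illustration of the checks just described (this is not the
  programs in RIPEM's utils directory), the following puts sender,
  recipients, date and a unique identifier inside the text that gets
  signed, and on the receiving side compares the inner sender against the
  outer Originator-Name:, confirms you are a listed recipient, rejects
  stale messages and rejects identifiers seen before.  The header names,
  the two-day acceptance window and the sample message are assumptions
  constructed for this example.

```python
"""Encapsulated-header generation and playback checks.

Added illustration; not the utils programs shipped with RIPEM.  Header
names, acceptance window and the sample message are assumptions.
"""
import secrets
from datetime import datetime, timedelta, timezone
from email.utils import formatdate, parsedate_to_datetime


def encapsulate(sender, recipients, body, when, msg_id=None):
    """Put sender, recipients, date and a unique id inside the text to be signed."""
    msg_id = msg_id or f"<{int(when.timestamp())}.{secrets.token_hex(6)}@{sender.split('@')[-1]}>"
    header = (f"From: {sender}\n"
              f"To: {', '.join(recipients)}\n"
              f"Date: {formatdate(when.timestamp(), usegmt=True)}\n"
              f"Message-ID: {msg_id}\n\n")
    return header + body


def check_encapsulated(plaintext, originator_name, my_address, seen_ids, now,
                       max_age=timedelta(days=2)):
    """Return the problems found; an empty list means the message passes and
    its Message-ID is recorded in seen_ids so a second copy is rejected."""
    head = plaintext.partition("\n\n")[0]
    fields = {}
    for line in head.splitlines():
        name, _, value = line.partition(":")
        fields[name.strip().lower()] = value.strip()
    problems = []
    # 1. sender named inside the signed text must match the outer Originator-Name:
    if fields.get("from", "").lower() != originator_name.lower():
        problems.append("inner From: does not match outer Originator-Name:")
    # 2. you must really be one of the intended recipients
    recipients = [r.strip().lower() for r in fields.get("to", "").split(",") if r.strip()]
    if my_address.lower() not in recipients:
        problems.append("you are not a listed recipient: possibly redirected mail")
    # 3. the message must not be an old one
    try:
        sent = parsedate_to_datetime(fields["date"])
        if sent.tzinfo is None:
            sent = sent.replace(tzinfo=timezone.utc)
        if now - sent > max_age:
            problems.append("message is older than the acceptance window: possible replay")
    except (KeyError, ValueError, TypeError):
        problems.append("missing or unparsable Date:")
    # 4. the unique identifier must not have been seen before
    msg_id = fields.get("message-id")
    if not msg_id:
        problems.append("missing Message-ID:")
    elif msg_id in seen_ids:
        problems.append("Message-ID already seen: duplicate delivery or replay")
    if not problems:
        seen_ids.add(msg_id)
    return problems


# Constructed sample: a MIC-ONLY note from Alice to Bob and the ways it could be played back.
SAMPLE_SENT = datetime(1993, 3, 31, 22, 0, tzinfo=timezone.utc)
SAMPLE = encapsulate("alice@example.com", ["bob@example.com"], "OK, let's do that.",
                     SAMPLE_SENT, msg_id="<constructed-0001@example.com>")


def run_demo():
    """Run the sample through each scenario; returns scenario -> list of problems."""
    soon, late = SAMPLE_SENT + timedelta(hours=1), SAMPLE_SENT + timedelta(days=30)
    seen = set()
    return {
        "genuine": check_encapsulated(SAMPLE, "alice@example.com", "bob@example.com", seen, soon),
        "delivered twice": check_encapsulated(SAMPLE, "alice@example.com", "bob@example.com", seen, soon),
        "forwarded to carol": check_encapsulated(SAMPLE, "alice@example.com", "carol@example.com", set(), soon),
        "replayed a month later": check_encapsulated(SAMPLE, "alice@example.com", "bob@example.com", set(), late),
        "originator rewritten": check_encapsulated(SAMPLE, "mallory@example.com", "bob@example.com", set(), soon),
    }
```

  The checks only help because the header block sits inside the signed
  plaintext: an outer mail header can be rewritten by whoever relays the
  message, but the inner one cannot be changed without invalidating the
  signature.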

LOCAL ATTACKS
-------------

- Clearly, the security of RIPEM cannot be greater than the security of
  the machine where the encryption is performed.  For example, under
  UNIX, a super-user could manage to get at your encrypted mail,
  although it would take some planning and effort to do something like
  replace the RIPEM executable with a Trojan horse or to get a copy of
  the plaintext, depending how it's stored.

  In addition, the link between you and the machine running RIPEM is
  an extension of that.  If you decrypt with RIPEM on a remote machine
  which you are connected to via network (or, worse yet, modem), an
  eavesdropper could see the plaintext (and probably also your
  passphrase).

  RIPEM should only be executed on systems you trust, obviously.  In
  the extreme case, RIPEM should only be used on your own machine,
  which you have total control over and which nobody else has access
  to, which has only carefully examined software known to be free of
  viruses, and so on.  However, there's a very real trade-off between
  convenience and security here.

  A more moderately cautious user might use RIPEM on a UNIX workstation
  where other people have access (even root access), but increase
  security by keeping private keys and the (statically linked, of
  course) executable on a floppy disk.

  Some people will keep RIPEM on a multi-user system, but when dialing
  in over an insecure line, they will download the message to their
  own system and perform the RIPEM decryption there.  However, the
  security provided by such a mechanism is somewhat illusory; since
  you presumably type your cleartext password to log in, you've just
  given away the store, since the attacker can now log in as you and
  install traps in your account to steal your private key next time
  you use it from a more secure line.  This will likely remain the
  situation as long as most systems use the rather quaint mechanism of
  cleartext password authentication.

  I find it nice to put a brief statement of how carefully I manage my
  security arrangement in my .plan next to my public key, so that
  potential correspondents can be aware what level of precautions are
  in place.  Some people use two keys, a short one which is not
  carefully managed for ordinary use and a longer one which is treated
  with greater care for critical correspondence.

UNTRUSTED PARTNER ATTACKS
-------------------------

- RIPEM's encryption ensures that only a person holding the private key
  corresponding to the public key used to encrypt the data can read the
  traffic.  However, once someone with that key has the message, she
  may make whatever transformations she wishes.  Because the signature
  is computed over the plaintext, not over the encrypted form, there is
  no cryptographic barrier to a recipient, say, taking an ENCRYPTED
  message and converting it to a MIC-ONLY message, still signed by you
  and now readable by anyone, although RIPEM itself does not provide
  this functionality.  Indeed, the latest PEM draft I have seen
  specifically states that such transformations should be possible so
  that forwarding functions can work.
 
  Including the recipients in the plaintext, as mentioned above, lets
  the recipient of a redistributed message see who it was originally
  addressed to, since that line is then covered by your signature.
  Naturally, the security of the cryptography can never be greater
  than the security of the people using it.
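
  The following is an added illustration, not part of this FAQ and not
  RIPEM or RSAREF code.  It models the ENCRYPTED and MIC-ONLY forms with
  a toy: textbook RSA on small primes signs a digest of the text, and a
  SHA-256 keystream stands in for DES; the names alice, bob and carol,
  their keys and the message are constructed.  Bob strips the encryption
  layer and re-encrypts Alice's still-signed text for Carol.  Carol's
  signature check passes, but a "To:" line placed inside the signed text
  tells her she was not the addressee, and Bob cannot change that line
  without invalidating the signature.

```python
"""Surreptitious forwarding of a PEM-style sign-then-encrypt message and the
"name the recipients inside the signed text" countermeasure from the FAQ.
Added example, not RIPEM/RSAREF code: textbook RSA on ~31-bit primes and a
SHA-256 keystream stand in for RSA/DES, so this shows structure only."""
import hashlib
import os
from math import gcd, isqrt

E = 65537

def _next_prime(n):
    """Smallest prime >= n by trial division (fast enough for 31-bit toys)."""
    n += (n % 2 == 0)
    while any(n % d == 0 for d in range(3, isqrt(n) + 1, 2)):
        n += 2
    return n

def toy_keypair(seed):
    """Textbook RSA (n, e), (n, d) from two primes just above `seed`."""
    p = _next_prime(seed)
    q = _next_prime(p + 2)
    while gcd(E, (p - 1) * (q - 1)) != 1:
        q = _next_prime(q + 2)
    return (p * q, E), (p * q, pow(E, -1, (p - 1) * (q - 1)))

def _digest_int(data):
    # 56-bit digest, always below the ~62-bit toy modulus
    return int.from_bytes(hashlib.sha256(data).digest()[:7], "big")

def sign(priv, data):
    n, d = priv
    return pow(_digest_int(data), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest_int(data)

def _keystream_xor(key, data):
    """DES stand-in: XOR with SHA-256(key || block counter) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def sign_message(sender, sender_priv, to, body):
    """MIC-ONLY form.  The signature covers the text and nothing else, so the
    sender puts the 'To:' line inside the text to get it protected."""
    plaintext = f"From: {sender}\nTo: {to}\n\n{body}".encode()
    return {"plaintext": plaintext, "signer": sender,
            "sig": sign(sender_priv, plaintext)}

def pem_encrypt(recipient_pub, signed):
    """ENCRYPTED form: a fresh 56-bit key, wrapped for one recipient."""
    n, e = recipient_pub
    key = os.urandom(7)
    return {"wrapped_key": pow(int.from_bytes(key, "big"), e, n),
            "ciphertext": _keystream_xor(key, signed["plaintext"]),
            "signer": signed["signer"], "sig": signed["sig"]}

def pem_decrypt(recipient_priv, msg):
    """Strip the encryption layer; what remains is a valid MIC-ONLY message."""
    n, d = recipient_priv
    key = pow(msg["wrapped_key"], d, n).to_bytes(7, "big")
    return {"plaintext": _keystream_xor(key, msg["ciphertext"]),
            "signer": msg["signer"], "sig": msg["sig"]}

def check_as_recipient(me, pubkeys, signed):
    """A careful recipient checks that the signature verifies AND that the
    signed text itself names her.  Returns (sig_ok, addressed_to_me)."""
    sig_ok = verify(pubkeys[signed["signer"]], signed["plaintext"], signed["sig"])
    headers = signed["plaintext"].split(b"\n\n", 1)[0].decode().splitlines()
    named = {r.strip() for h in headers if h.startswith("To:")
             for r in h[3:].split(",")}
    return sig_ok, me in named

def surreptitious_forwarding_demo():
    """Alice -> Bob (ENCRYPTED); Bob forwards the still-signed text to Carol
    as if Alice had sent it to her.  Names, keys and message are constructed."""
    keys = {"alice": toy_keypair(1 << 31), "bob": toy_keypair(3 << 30),
            "carol": toy_keypair(5 << 29)}
    pub = {who: k[0] for who, k in keys.items()}
    priv = {who: k[1] for who, k in keys.items()}
    signed = sign_message("alice", priv["alice"], "bob", "Pay the invoice today.")
    mic_only = pem_decrypt(priv["bob"], pem_encrypt(pub["bob"], signed))
    # Bob re-encrypts the text and Alice's signature, untouched, for Carol.
    at_carol = pem_decrypt(priv["carol"], pem_encrypt(pub["carol"], mic_only))
    # Bob cannot also rewrite the 'To:' line: that breaks Alice's signature.
    edited = dict(mic_only, plaintext=mic_only["plaintext"]
                  .replace(b"To: bob", b"To: carol"))
    return {"bob": check_as_recipient("bob", pub, mic_only),
            "carol": check_as_recipient("carol", pub, at_carol),
            "carol_edited": check_as_recipient("carol", pub, edited)}
```

  surreptitious_forwarding_demo() returns (sig_ok, addressed_to_me) for
  Bob, for Carol, and for Carol after Bob tampers with the "To:" line;
  only the first comes back (True, True).  Needs Python 3.8 or later for
  the modular inverse via pow(e, -1, m).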

Newsgroup: sci.crypt
Document_id: 14982
From: Jim-Miller@suite.com
Subject: Certifying Authority question answered.

>>If you have access to FTP, try FTPing to rsa.com, login as anonymous.
>>There are several documents there, including a "frequently asked questions
>>about today's cryptography" document.  It has FAQ in its name.
>>I believe this document explains the idea behind the certifying authorities.
>>
>>Good luck
>>
>>--John Kelsey, c445585@mizzou1.missouri.edu

Thanks.  I've ftp'ed the FAQ file and it is just what I was looking for.

Jim-Miller@suite.com

Newsgroup: sci.crypt
Document_id: 14983
From: C445585@mizzou1.missouri.edu (John Kelsey)
Subject: "Rubber-hose cryptanalysis"

   Some sick part of me really liked that phrase....
 
   Actually, merely the threat of a *long* prison sentence, even without
a beating, can get most people to give in.  Especially if it's also
punctuated with a trip to the county jail, where one just happens to get
locked up with all the drunk/stoned/crazy folks that are too violent to be
left in cells with other people....

Newsgroup: sci.crypt
Document_id: 14984
From: grady@netcom.com (1016/2EF221)
Subject: Declassifying media

There are many Urban Legends (maybe this ought to be in the Crypt 
FAQ?) about what is actually sufficient to clear or declassify 
magnetic media when used for classified data.  Here is some 
information "from the horse's mouth".

(Regarding the sufficient overwriting of media ("clearing") meant to 
be *retained* within the controlled environment, or declassifying 
the material to be reused *outside* the controlled environment,)

From National Telecommunications and Information Systems 
Security (NTISS) "Advisory Memorandum on Office Automation 
Security Guidelines"  (NTISSAM COMPUSEC/1/87):

------

"7.6.2.1 Clearing of Magnetic Media

Certain types of removable media (e.g., magnetic tape, floppy disk, 
cassettes, and magnetic cards) may be cleared by overwriting the 
entire media one time with any one character.  Floppy disks may be 
cleared by applying a vendor's formatting program that overwrites 
each location with a given character.

Fixed media (e.g., Winchester disks) should be cleared by overwriting 
at least one time with any one character.  One way to do this is by 
applying a vendor-supplied formatting program that overwrites each 
location on the disk with a given character, if it can be shown that 
this program actually works as advertised.  The user should beware: 
some programs that purport to overwrite all locations do not 
actually do this.

Cleared media may reside within the controlled facility or be 
released for destruction; however, they should be marked and 
controlled at the level of the most restrictive sensitivity of 
information ever recorded.

7.6.2.2 Declassification of Magnetic Media

Certain types of removable media can be declassified using a 
degaussing device that has been approved for declassifying media of 
that type.  (A list of approved devices is maintained by the NSA.)

If a fixed medium (for example, a hard, or Winchester, disk) is 
operative, an approved method of declassifying the disk pack is to 
employ an overwrite procedure which must overwrite all 
addressable locations at least three times by writing any character, 
then its complement (e.g., binary ones and binary zeros) 
alternatively.

When fixed media become inoperative, it is impossible to declassify 
the media by the overwrite method.  In this case, there are two 
alternate procedures that may be used: (1) disassemble the disk 
pack, and degauss each platter with the appropriate approved 
degaussing equipment; and (2) courier the inoperative media to the 
vendor's facility, have the magnetic media (e.g., disk platter) 
removed in sight of the courier and returned to the courier for 
destruction at the secure site.  The vendor can then install new 
platters and repair any other problems with the disk unit.

7.6.3 Destruction of Magnetic Media"

[see DoD Computer Security Center, "Department of Defense Magnetic 
Remanence Security Guideline", CSC-STD-003-85  FOR OFFICIAL USE 
ONLY]

------

This and many other interesting documents (many that are more 
informative than probably intended) on computer security procedures 
can be obtained (free) from:

Executive Secretary
National Telecommunications and Information
  Systems Security Committee
National Security Agency
Fort George G. Meade, MD  20755-6000

Write them!  It's fun to be on the NSA's mailing list... 

-- 
grady@netcom.com  2EF221 / 15 E2 AD D3 D1 C6 F3 FC  58 AC F7 3D 4F 01 1E 2F
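
The following is an added example, not from the memo or from the post
above.  It performs the three alternating passes (a character, its
complement, the character again) that the declassification clause calls
for, but on an ordinary file rather than a disk, with an fsync and a
read-back check after each pass in the spirit of the memo's warning that
some overwrite programs do not do what they claim.  Two caveats a
practitioner should keep in mind: the read-back goes through the
operating system's page cache rather than straight to the medium, and
file-level writes never reach sectors that a journaling filesystem, SSD
wear levelling or drive-firmware remapping has retired.  The sample file
contents are constructed.

```python
"""Three-pass overwrite (a character, its complement, the character again)
with read-back verification, modelled on the NTISSAM COMPUSEC/1/87 clause
quoted above.  Added example, not from the memo or the post; it acts on a
file, not a raw device, and the read-back goes through the page cache."""
import os
import tempfile

PATTERN = 0x55  # "any one character"; its complement is 0xAA


def overwrite_passes(path, passes=3, pattern=PATTERN, chunk=1 << 16):
    """Overwrite every byte of `path` `passes` times, alternating the pattern
    and its complement, fsync after each pass, then read the file back to
    confirm the pass actually landed.  Returns one True/False per pass."""
    size = os.path.getsize(path)
    results = []
    for i in range(passes):
        fill = pattern if i % 2 == 0 else (~pattern) & 0xFF
        block = bytes([fill]) * chunk
        with open(path, "r+b", buffering=0) as f:
            written = 0
            while written < size:
                written += f.write(block[:min(chunk, size - written)])
            os.fsync(f.fileno())
        # The memo's warning applies: do not trust the write path, check it.
        with open(path, "rb", buffering=0) as f:
            ok = True
            while ok:
                data = f.read(chunk)
                if not data:
                    break
                ok = data == block[:len(data)]
        results.append(ok)
    return results


def demo(size=200_000):
    """Constructed sample: a temp file holding a fake secret, then 3 passes.
    Returns (per-pass results, final bytes all PATTERN, file size)."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"CLASSIFIED sample record\n" * (size // 25))
    try:
        results = overwrite_passes(path)
        with open(path, "rb") as f:
            final = f.read()
        return results, final == bytes([PATTERN]) * len(final), len(final)
    finally:
        os.remove(path)
```

demo() builds the sample file, runs the three passes and removes it;
with three passes the last one is the original character, so the file
ends up filled with 0x55.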


Newsgroup: sci.crypt
Document_id: 14985
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: Hard drive security for FBI targets

	From: res@colnet.cmhnet.org (Rob Stampfli)

	>separate locations to gain credibility. If they are seized and you are
	>compelled to decrypt it, you simply explain that you are an amateur
	>cryptologist playing around with one time pads, and that the first
	>file is the pad for the second. They XOR the two files, and sure
	>enough, out pops a copy of "War and Peace".

	So, judging from recent history, at this point they drop the original
	charges, preemptively find you guilty of copyright violations, and seize
	your computer, your home, and your financial reserves under federal
	forfeiture laws.

Ah no - what *really* happens is that they turn up at the court with
*another* file which when XORed with your document gives up the famous
E911 document :-)  [And I tell you, some judges would fall for it...]

G

Newsgroup: sci.crypt
Document_id: 14986
From: warlord@MIT.EDU (Derek Atkins)
Subject: Re: disk safety measure?

-----BEGIN PGP SIGNED MESSAGE-----

In article <1pq0re$gc2@network.ucsd.edu> loki@sdphu3.ucsd.edu (Lance M Cottrell) writes:

   BTW I have not been able to get pgp to produce a signature
   that I can attatch to the end of this message.  What is 
   the procedure?  Thanks.

try:
	pgp -sat +clearsig=on

This will do the clearsig signing...

Enjoy!

- -derek

PGP 2 key available upon request on the key-server:
	pgp-public-keys@toxicwaste.mit.edu

-----BEGIN PGP SIGNATURE-----
Version: 2.2

iQBuAgUBK8DNazh0K1zBsGrxAQFoZQLEC/XKXMoDhCPf/AZ3aOQSLfz+6w400UDk
Ng6prxnPuEuSZQEiiusMCVcRcGnWbaVrxFjA1o4yubh01Czcg3ZC9wLJolXlxJn7
iSJh/eTZxmJnNynJxlGs0Ao=
=4eZb
-----END PGP SIGNATURE-----
--
  Derek Atkins, MIT '93, Electrical Engineering and Computer Science
     Secretary, MIT Student Information Processing Board (SIPB)
           MIT Media Laboratory, Speech Research Group
           warlord@MIT.EDU       PP-ASEL        N1NWH

Newsgroup: sci.crypt
Document_id: 14987
From: neuhaus@bloch.informatik.uni-kl.de (Stephan Neuhaus (HiWi Mattern))
Subject: Re: PGP 2.2: general comments

neuhaus@vier.informatik.uni-kl.de (Stephan Neuhaus (HiWi Mattern)) writes:

>[Lots of stuff.]

I hate to follow up to my own posting, but I should perhaps clarify
some things so I won't get flamed.

First of all, when I'm talking about ``factoring the modulus'' or a
``breakthrough in factoring'', what I really mean is a breakthrough in
the cryptanalysis of RSA.  I know that factoring and breaking RSA are
not proven to be equivalent; it's just so damn convenient not to
repeat this every time.

I also have to admit that I don't really know if the ``non-group''
property of a cipher is essential only for key chaining.  I have
thought about it a little while, but I can't find a way that a
cryptanalyst could exploit a group structure.  That, of course, means
nothing at all.

Then I wrote,

>Please note that as long as it is much harder to factor an RSA modulus
>than it is to generate it, the increase in computer speed alone will
>keep key lengths and modulus factoring in lock-step, i.e., people will
>simply start using longer moduli and still be safe.

What I meant was that as long as the only advantage of the
cryptanalyst is a faster computer, then we will probably have RSA for
a long time to come, because even if 1024-bit moduli somehow could be
broken with fast computers (not with a new algorithm), then people
would simply use longer moduli.  Both users and cryptanalysts benefit
from better technology in the same way.

Hope this keeps the flames away...  Have fun.

-- 
Stephan <neuhaus@informatik.uni-kl.de>
sig closed for inventory.  Please leave your pickaxe outside.
PGP 2.2 public key available on request.  Note the expiration date.

Newsgroup: sci.crypt
Document_id: 14988
From: WHMurray@DOCKMASTER.NCSC.MIL
Subject: Licensing.....


>This thread brings up the more general question.  Can any crypto
>implementation for which highly publicly scrutinized source code is not
>available EVER be trusted?

After IBM had invented the DES and the NBS had advertised for proposals,
but before IBM had decided to respond, I argued strenuously that they 
should not; they should keep it proprietary. 

The biggest proponent of proposing was Dr. Lewis Branscomb.  Dr. Branscomb
was the IBM Chief Scientist and had come to IBM from NBS.  Fortunately
for all of us, Dr. Branscomb understood the answer to the above question
much better than I.  He realized how difficult it would be to gain
acceptance for any cryptographic mechanism.  Because of the necessary
complexity, publicity would not be sufficient and neither would 
authority.  In fact, it has taken both of those plus more than 15 
years.

We have also had independence.  The DES was solicited by NBS, invented
and proposed by IBM, and vetted by NBS.  It has also been examined and
vetted by experts like Adi Shamir, who are not subject to influence by
any of these.

Even now, there are still people posting on this list who do not trust
the DES in spite of all the time, all of the analysis, and all of the
public scrutiny.

(Of course, it is just this point that NIST misses when it attempts to 
gain acceptance for a novel mechanism, developed in secret, on the basis
of authority alone.)

We had a long thread here about whether or not the NSA can "break" the
DES.  That is a silly question.  At some cost and in some time they
can "break" anything.  The important question is at what cost and in
what time.

The fundamental strength of the DES and RSA is not nearly so important
as what we know about their strength.  As long as we understand the
cost and duration for an attacker, then we can use them in a safe way.
At this point, we may never replace either because of the inability of
any successor to overcome this knowledge gap.

DES and RSA are among the most significant inventions of the century
and the most important inventions in the history of cryptography.
We are damned lucky to have them.

William Hugh Murray, Executive Consultant, Information System Security
49 Locust Avenue, Suite 104; New Canaan, Connecticut 06840                
1-0-ATT-0-700-WMURRAY; WHMurray at DOCKMASTER.NCSC.MIL

Newsgroup: sci.crypt
Document_id: 14989
From: ho@cs.arizona.edu (Hilarie Orman)
Subject: Re: Licensing of public key implementations

With regard to your speculations on NSA involvement in the creation of
PKP, I find that it fails the test of Occam's butcher knife.  Never
attribute to conspiracy what can be explained by forthright greed.


Hilarie Orman

Newsgroup: sci.crypt
Document_id: 14990
From: ken@sugra.uucp (Kenneth Ng)
Subject: Re: Identifying / Securing Files

In article <2bb29f4c@mash.boulder.co.us: rmashlan%mash@csn.org (Robert Mashlan) writes:
:tarnold@vnet.IBM.COM (Todd W. Arnold) said in article <19930322.101356.617@almaden.ibm.com>:
:>It's OK as long as you trust the end-user to stay out of your application
:>program - or as long as it runs in a system where the user can't get to it.
:>Otherwise, you can't stop him from finding the "load a module" code in your
:>program, and simply bypassing the check for a valid module.  The devious user
:>can either modify the object code before running the program, or he can run
:>the program under a debugger and change the instructions in memory.
:There is a way to foil debuggers, by clearing the single step 
:interrupt, on which a debugger depends, every few instructions in 
:the sensitive areas of the code.

This assumes the person is using the hardware debug instruction of an X86
type processor.  It can be negated by NOP'ing the clear debug instruction,
or by running the code on a machine simulator, like one I wrote as a senior
project in college.  It can bypass and trace practically anything one could
write in software.  Kind of like being on a Star Trek Holodeck :-).

-- 
Kenneth Ng
Please reply to ken@eies2.njit.edu for now.
"All this might be an elaborate simulation running in a little device sitting
on someone's table" -- J.L. Picard: ST:TNG

Newsgroup: sci.crypt
Document_id: 14991
From: ninassup@athena.mit.edu (Nikos I Nassuphis)
Subject: LGA ncrypt source

I got a number of requests for code.
So, here it is.
It's written in 80x86 ASM. 
Borland TASM will do.

TASM LGA.ASM
TLINK /t LGA.OBJ


The code:

;----------------------------------------------------------------------
; LGA ncryption
; (C) by Nick Nassuphis
;----------------------------------------------------------------------

CODE	SEGMENT
	ASSUME	CS:CODE, DS:CODE
	
	ORG	100h

Start:
	JMP	Begin

;----------------------------------------------------------------------
;
; Gas particle assignment:
;
; BIT 0    particle moving EAST
; BIT 1    particle moving WEST
; BIT 2    particle moving NORTH
; BIT 3    particle moving SOUTH
;
; BIT 4    particle moving EAST
; BIT 5    particle moving WEST
; BIT 6    particle moving NORTH
; BIT 7    particle moving SOUTH
;
;
; Collision Rules:
;
; 1. Gas Rules
;
; IF (E & W) AND !(N & S) THEN (E,W)->(N,S)
; IF (N & S) AND !(E & W) THEN (N,S)->(E,W)
;
; for nibbles:
;
; 1100 -> 0011
; 0011 -> 1100
;
; and for bytes:
;
; 11000000 -> 00110000
; 00110000 -> 11000000
; 00001100 -> 00000011
; 00000011 -> 00001100
; 00110011 -> 11001100
; 00111100 -> 11000011
; 11000011 -> 00111100
; 11001100 -> 00110011
;
;
; 2. Reflection Rules
;
; just swap bits along directions
;
;----------------------------------------------------------------------

;
; This look-up table implements two particle collisions
; for the HPP lattice gas
;
HPPRule:
DB   00000000B   ;00000000
DB   00000001B   ;00000001
DB   00000010B   ;00000010
DB   00001100B   ;00000011
DB   00000100B   ;00000100
DB   00000101B   ;00000101
DB   00000110B   ;00000110
DB   00000111B   ;00000111
DB   00001000B   ;00001000
DB   00001001B   ;00001001
DB   00001010B   ;00001010
DB   00001011B   ;00001011
DB   00000011B   ;00001100
DB   00001101B   ;00001101
DB   00001110B   ;00001110
DB   00001111B   ;00001111
DB   00010000B   ;00010000
DB   00010001B   ;00010001
DB   00010010B   ;00010010
DB   00011100B   ;00010011
DB   00010100B   ;00010100
DB   00010101B   ;00010101
DB   00010110B   ;00010110
DB   00010111B   ;00010111
DB   00011000B   ;00011000
DB   00011001B   ;00011001
DB   00011010B   ;00011010
DB   00011011B   ;00011011
DB   00010011B   ;00011100
DB   00011101B   ;00011101
DB   00011110B   ;00011110
DB   00011111B   ;00011111
DB   00100000B   ;00100000
DB   00100001B   ;00100001
DB   00100010B   ;00100010
DB   00101100B   ;00100011
DB   00100100B   ;00100100
DB   00100101B   ;00100101
DB   00100110B   ;00100110
DB   00100111B   ;00100111
DB   00101000B   ;00101000
DB   00101001B   ;00101001
DB   00101010B   ;00101010
DB   00101011B   ;00101011
DB   00100011B   ;00101100
DB   00101101B   ;00101101
DB   00101110B   ;00101110
DB   00101111B   ;00101111
DB   11000000B   ;00110000
DB   11000001B   ;00110001
DB   11000010B   ;00110010
DB   11001100B   ;00110011
DB   11000100B   ;00110100
DB   11000101B   ;00110101
DB   11000110B   ;00110110
DB   11000111B   ;00110111
DB   11001000B   ;00111000
DB   11001001B   ;00111001
DB   11001010B   ;00111010
DB   11001011B   ;00111011
DB   11000011B   ;00111100
DB   11001101B   ;00111101
DB   11001110B   ;00111110
DB   11001111B   ;00111111
DB   01000000B   ;01000000
DB   01000001B   ;01000001
DB   01000010B   ;01000010
DB   01001100B   ;01000011
DB   01000100B   ;01000100
DB   01000101B   ;01000101
DB   01000110B   ;01000110
DB   01000111B   ;01000111
DB   01001000B   ;01001000
DB   01001001B   ;01001001
DB   01001010B   ;01001010
DB   01001011B   ;01001011
DB   01000011B   ;01001100
DB   01001101B   ;01001101
DB   01001110B   ;01001110
DB   01001111B   ;01001111
DB   01010000B   ;01010000
DB   01010001B   ;01010001
DB   01010010B   ;01010010
DB   01011100B   ;01010011
DB   01010100B   ;01010100
DB   01010101B   ;01010101
DB   01010110B   ;01010110
DB   01010111B   ;01010111
DB   01011000B   ;01011000
DB   01011001B   ;01011001
DB   01011010B   ;01011010
DB   01011011B   ;01011011
DB   01010011B   ;01011100
DB   01011101B   ;01011101
DB   01011110B   ;01011110
DB   01011111B   ;01011111
DB   01100000B   ;01100000
DB   01100001B   ;01100001
DB   01100010B   ;01100010
DB   01101100B   ;01100011
DB   01100100B   ;01100100
DB   01100101B   ;01100101
DB   01100110B   ;01100110
DB   01100111B   ;01100111
DB   01101000B   ;01101000
DB   01101001B   ;01101001
DB   01101010B   ;01101010
DB   01101011B   ;01101011
DB   01100011B   ;01101100
DB   01101101B   ;01101101
DB   01101110B   ;01101110
DB   01101111B   ;01101111
DB   01110000B   ;01110000
DB   01110001B   ;01110001
DB   01110010B   ;01110010
DB   01111100B   ;01110011
DB   01110100B   ;01110100
DB   01110101B   ;01110101
DB   01110110B   ;01110110
DB   01110111B   ;01110111
DB   01111000B   ;01111000
DB   01111001B   ;01111001
DB   01111010B   ;01111010
DB   01111011B   ;01111011
DB   01110011B   ;01111100
DB   01111101B   ;01111101
DB   01111110B   ;01111110
DB   01111111B   ;01111111
DB   10000000B   ;10000000
DB   10000001B   ;10000001
DB   10000010B   ;10000010
DB   10001100B   ;10000011
DB   10000100B   ;10000100
DB   10000101B   ;10000101
DB   10000110B   ;10000110
DB   10000111B   ;10000111
DB   10001000B   ;10001000
DB   10001001B   ;10001001
DB   10001010B   ;10001010
DB   10001011B   ;10001011
DB   10000011B   ;10001100
DB   10001101B   ;10001101
DB   10001110B   ;10001110
DB   10001111B   ;10001111
DB   10010000B   ;10010000
DB   10010001B   ;10010001
DB   10010010B   ;10010010
DB   10011100B   ;10010011
DB   10010100B   ;10010100
DB   10010101B   ;10010101
DB   10010110B   ;10010110
DB   10010111B   ;10010111
DB   10011000B   ;10011000
DB   10011001B   ;10011001
DB   10011010B   ;10011010
DB   10011011B   ;10011011
DB   10010011B   ;10011100
DB   10011101B   ;10011101
DB   10011110B   ;10011110
DB   10011111B   ;10011111
DB   10100000B   ;10100000
DB   10100001B   ;10100001
DB   10100010B   ;10100010
DB   10101100B   ;10100011
DB   10100100B   ;10100100
DB   10100101B   ;10100101
DB   10100110B   ;10100110
DB   10100111B   ;10100111
DB   10101000B   ;10101000
DB   10101001B   ;10101001
DB   10101010B   ;10101010
DB   10101011B   ;10101011
DB   10100011B   ;10101100
DB   10101101B   ;10101101
DB   10101110B   ;10101110
DB   10101111B   ;10101111
DB   10110000B   ;10110000
DB   10110001B   ;10110001
DB   10110010B   ;10110010
DB   10111100B   ;10110011
DB   10110100B   ;10110100
DB   10110101B   ;10110101
DB   10110110B   ;10110110
DB   10110111B   ;10110111
DB   10111000B   ;10111000
DB   10111001B   ;10111001
DB   10111010B   ;10111010
DB   10111011B   ;10111011
DB   10110011B   ;10111100
DB   10111101B   ;10111101
DB   10111110B   ;10111110
DB   10111111B   ;10111111
DB   00110000B   ;11000000
DB   00110001B   ;11000001
DB   00110010B   ;11000010
DB   00111100B   ;11000011
DB   00110100B   ;11000100
DB   00110101B   ;11000101
DB   00110110B   ;11000110
DB   00110111B   ;11000111
DB   00111000B   ;11001000
DB   00111001B   ;11001001
DB   00111010B   ;11001010
DB   00111011B   ;11001011
DB   00110011B   ;11001100
DB   00111101B   ;11001101
DB   00111110B   ;11001110
DB   00111111B   ;11001111
DB   11010000B   ;11010000
DB   11010001B   ;11010001
DB   11010010B   ;11010010
DB   11011100B   ;11010011
DB   11010100B   ;11010100
DB   11010101B   ;11010101
DB   11010110B   ;11010110
DB   11010111B   ;11010111
DB   11011000B   ;11011000
DB   11011001B   ;11011001
DB   11011010B   ;11011010
DB   11011011B   ;11011011
DB   11010011B   ;11011100
DB   11011101B   ;11011101
DB   11011110B   ;11011110
DB   11011111B   ;11011111
DB   11100000B   ;11100000
DB   11100001B   ;11100001
DB   11100010B   ;11100010
DB   11101100B   ;11100011
DB   11100100B   ;11100100
DB   11100101B   ;11100101
DB   11100110B   ;11100110
DB   11100111B   ;11100111
DB   11101000B   ;11101000
DB   11101001B   ;11101001
DB   11101010B   ;11101010
DB   11101011B   ;11101011
DB   11100011B   ;11101100
DB   11101101B   ;11101101
DB   11101110B   ;11101110
DB   11101111B   ;11101111
DB   11110000B   ;11110000
DB   11110001B   ;11110001
DB   11110010B   ;11110010
DB   11111100B   ;11110011
DB   11110100B   ;11110100
DB   11110101B   ;11110101
DB   11110110B   ;11110110
DB   11110111B   ;11110111
DB   11111000B   ;11111000
DB   11111001B   ;11111001
DB   11111010B   ;11111010
DB   11111011B   ;11111011
DB   11110011B   ;11111100
DB   11111101B   ;11111101
DB   11111110B   ;11111110
DB   11111111B   ;11111111

;
; This rule implements the velocity reversal needed to
; run the gas evolution in reverse.  It's called a WallRule
; because it is the same as if all particles hit a wall
; head on.
;
WallRule:
DB   00000000B   ;00000000
DB   00000010B   ;00000001
DB   00000001B   ;00000010
DB   00001100B   ;00000011
DB   00001000B   ;00000100
DB   00001010B   ;00000101
DB   00001001B   ;00000110
DB   00001011B   ;00000111
DB   00000100B   ;00001000
DB   00000110B   ;00001001
DB   00000101B   ;00001010
DB   00000111B   ;00001011
DB   00000011B   ;00001100
DB   00001110B   ;00001101
DB   00001101B   ;00001110
DB   00001111B   ;00001111
DB   00100000B   ;00010000
DB   00100010B   ;00010001
DB   00100001B   ;00010010
DB   00101100B   ;00010011
DB   00101000B   ;00010100
DB   00101010B   ;00010101
DB   00101001B   ;00010110
DB   00101011B   ;00010111
DB   00100100B   ;00011000
DB   00100110B   ;00011001
DB   00100101B   ;00011010
DB   00100111B   ;00011011
DB   00100011B   ;00011100
DB   00101110B   ;00011101
DB   00101101B   ;00011110
DB   00101111B   ;00011111
DB   00010000B   ;00100000
DB   00010010B   ;00100001
DB   00010001B   ;00100010
DB   00011100B   ;00100011
DB   00011000B   ;00100100
DB   00011010B   ;00100101
DB   00011001B   ;00100110
DB   00011011B   ;00100111
DB   00010100B   ;00101000
DB   00010110B   ;00101001
DB   00010101B   ;00101010
DB   00010111B   ;00101011
DB   00010011B   ;00101100
DB   00011110B   ;00101101
DB   00011101B   ;00101110
DB   00011111B   ;00101111
DB   11000000B   ;00110000
DB   11000010B   ;00110001
DB   11000001B   ;00110010
DB   11001100B   ;00110011
DB   11001000B   ;00110100
DB   11001010B   ;00110101
DB   11001001B   ;00110110
DB   11001011B   ;00110111
DB   11000100B   ;00111000
DB   11000110B   ;00111001
DB   11000101B   ;00111010
DB   11000111B   ;00111011
DB   11000011B   ;00111100
DB   11001110B   ;00111101
DB   11001101B   ;00111110
DB   11001111B   ;00111111
DB   10000000B   ;01000000
DB   10000010B   ;01000001
DB   10000001B   ;01000010
DB   10001100B   ;01000011
DB   10001000B   ;01000100
DB   10001010B   ;01000101
DB   10001001B   ;01000110
DB   10001011B   ;01000111
DB   10000100B   ;01001000
DB   10000110B   ;01001001
DB   10000101B   ;01001010
DB   10000111B   ;01001011
DB   10000011B   ;01001100
DB   10001110B   ;01001101
DB   10001101B   ;01001110
DB   10001111B   ;01001111
DB   10100000B   ;01010000
DB   10100010B   ;01010001
DB   10100001B   ;01010010
DB   10101100B   ;01010011
DB   10101000B   ;01010100
DB   10101010B   ;01010101
DB   10101001B   ;01010110
DB   10101011B   ;01010111
DB   10100100B   ;01011000
DB   10100110B   ;01011001
DB   10100101B   ;01011010
DB   10100111B   ;01011011
DB   10100011B   ;01011100
DB   10101110B   ;01011101
DB   10101101B   ;01011110
DB   10101111B   ;01011111
DB   10010000B   ;01100000
DB   10010010B   ;01100001
DB   10010001B   ;01100010
DB   10011100B   ;01100011
DB   10011000B   ;01100100
DB   10011010B   ;01100101
DB   10011001B   ;01100110
DB   10011011B   ;01100111
DB   10010100B   ;01101000
DB   10010110B   ;01101001
DB   10010101B   ;01101010
DB   10010111B   ;01101011
DB   10010011B   ;01101100
DB   10011110B   ;01101101
DB   10011101B   ;01101110
DB   10011111B   ;01101111
DB   10110000B   ;01110000
DB   10110010B   ;01110001
DB   10110001B   ;01110010
DB   10111100B   ;01110011
DB   10111000B   ;01110100
DB   10111010B   ;01110101
DB   10111001B   ;01110110
DB   10111011B   ;01110111
DB   10110100B   ;01111000
DB   10110110B   ;01111001
DB   10110101B   ;01111010
DB   10110111B   ;01111011
DB   10110011B   ;01111100
DB   10111110B   ;01111101
DB   10111101B   ;01111110
DB   10111111B   ;01111111
DB   01000000B   ;10000000
DB   01000010B   ;10000001
DB   01000001B   ;10000010
DB   01001100B   ;10000011
DB   01001000B   ;10000100
DB   01001010B   ;10000101
DB   01001001B   ;10000110
DB   01001011B   ;10000111
DB   01000100B   ;10001000
DB   01000110B   ;10001001
DB   01000101B   ;10001010
DB   01000111B   ;10001011
DB   01000011B   ;10001100
DB   01001110B   ;10001101
DB   01001101B   ;10001110
DB   01001111B   ;10001111
DB   01100000B   ;10010000
DB   01100010B   ;10010001
DB   01100001B   ;10010010
DB   01101100B   ;10010011
DB   01101000B   ;10010100
DB   01101010B   ;10010101
DB   01101001B   ;10010110
DB   01101011B   ;10010111
DB   01100100B   ;10011000
DB   01100110B   ;10011001
DB   01100101B   ;10011010
DB   01100111B   ;10011011
DB   01100011B   ;10011100
DB   01101110B   ;10011101
DB   01101101B   ;10011110
DB   01101111B   ;10011111
DB   01010000B   ;10100000
DB   01010010B   ;10100001
DB   01010001B   ;10100010
DB   01011100B   ;10100011
DB   01011000B   ;10100100
DB   01011010B   ;10100101
DB   01011001B   ;10100110
DB   01011011B   ;10100111
DB   01010100B   ;10101000
DB   01010110B   ;10101001
DB   01010101B   ;10101010
DB   01010111B   ;10101011
DB   01010011B   ;10101100
DB   01011110B   ;10101101
DB   01011101B   ;10101110
DB   01011111B   ;10101111
DB   01110000B   ;10110000
DB   01110010B   ;10110001
DB   01110001B   ;10110010
DB   01111100B   ;10110011
DB   01111000B   ;10110100
DB   01111010B   ;10110101
DB   01111001B   ;10110110
DB   01111011B   ;10110111
DB   01110100B   ;10111000
DB   01110110B   ;10111001
DB   01110101B   ;10111010
DB   01110111B   ;10111011
DB   01110011B   ;10111100
DB   01111110B   ;10111101
DB   01111101B   ;10111110
DB   01111111B   ;10111111
DB   00110000B   ;11000000
DB   00110010B   ;11000001
DB   00110001B   ;11000010
DB   00111100B   ;11000011
DB   00111000B   ;11000100
DB   00111010B   ;11000101
DB   00111001B   ;11000110
DB   00111011B   ;11000111
DB   00110100B   ;11001000
DB   00110110B   ;11001001
DB   00110101B   ;11001010
DB   00110111B   ;11001011
DB   00110011B   ;11001100
DB   00111110B   ;11001101
DB   00111101B   ;11001110
DB   00111111B   ;11001111
DB   11100000B   ;11010000
DB   11100010B   ;11010001
DB   11100001B   ;11010010
DB   11101100B   ;11010011
DB   11101000B   ;11010100
DB   11101010B   ;11010101
DB   11101001B   ;11010110
DB   11101011B   ;11010111
DB   11100100B   ;11011000
DB   11100110B   ;11011001
DB   11100101B   ;11011010
DB   11100111B   ;11011011
DB   11100011B   ;11011100
DB   11101110B   ;11011101
DB   11101101B   ;11011110
DB   11101111B   ;11011111
DB   11010000B   ;11100000
DB   11010010B   ;11100001
DB   11010001B   ;11100010
DB   11011100B   ;11100011
DB   11011000B   ;11100100
DB   11011010B   ;11100101
DB   11011001B   ;11100110
DB   11011011B   ;11100111
DB   11010100B   ;11101000
DB   11010110B   ;11101001
DB   11010101B   ;11101010
DB   11010111B   ;11101011
DB   11010011B   ;11101100
DB   11011110B   ;11101101
DB   11011101B   ;11101110
DB   11011111B   ;11101111
DB   11110000B   ;11110000
DB   11110010B   ;11110001
DB   11110001B   ;11110010
DB   11111100B   ;11110011
DB   11111000B   ;11110100
DB   11111010B   ;11110101
DB   11111001B   ;11110110
DB   11111011B   ;11110111
DB   11110100B   ;11111000
DB   11110110B   ;11111001
DB   11110101B   ;11111010
DB   11110111B   ;11111011
DB   11110011B   ;11111100
DB   11111110B   ;11111101
DB   11111101B   ;11111110
DB   11111111B   ;11111111


MAXBYTE	EQU	55
LINENO	EQU	23

SrcPtr	DW	OFFSET Buffer1
DesPtr	DW	OFFSET Buffer2

SaveBuff:
	DB	MAXBYTE*(LINENO+1) DUP(0)
	
Buffer1:
	DB	MAXBYTE*(LINENO+1) DUP(0)
	DB	256 DUP(0)

Buffer2:
	DB	MAXBYTE*(LINENO+1) DUP(0)
	DB	256 DUP(0)

;----------------------------------------------------------------------
;
;
;
;----------------------------------------------------------------------

Data:
DB	"                                                       "
DB	"                                                       "
DB	"                                                       "
DB	" This is a test for a Lattice Gas based encryption     "
DB	" algorithm. The data is encoded as particles of a      "
DB	" digital gas, whose time evolution is then simulated   "
DB	" with a cellular-automaton type algorithm. Decryption  "
DB	" can be achieved by running the simulation in reverse. "
DB	" A thermodynamic argument ensures that even if a single"
DB	" bit is flipped, no decryption of the data is possible "
DB	"                                                       "
DB	" After the gas is let to evolve for 256 timesteps,     "
DB	" one can either run the reverse evolution by pressing  "
DB	" space, or flip a bit and then run by pressing '0'     "
DB	"                                                       "
DB	" For a cryptographic application, the key would consist"
DB	" of the number of time steps and the time and location "
DB	" of specific bit inversions.                           "
DB	"                                                       "
DB	"                                                       "
DB	"                                                       "
DB	"                                                       "
DB	"                                                       "

;
; Fill the gas with the Data text, then overwrite its first three
; lines with an alternating 00h/0FFh pattern
;
InitGas:
	MOV	DI,CS:SrcPtr
	MOV	SI,OFFSET Data

	MOV	CX,LINENO
IG0:
	PUSH	DI
	PUSH	CX
	MOV	CX,MAXBYTE
IG1:
	MOV	AL,CS:[SI]
	MOV	CS:[DI],AL
	INC	SI
	INC	DI
	LOOP	IG1
	POP	CX
	POP	DI
	ADD	DI,MAXBYTE
	LOOP	IG0
	MOV	SI,CS:SrcPtr
	MOV	DI,OFFSET InitGas
	MOV	CX,MAXBYTE*3
	MOV	AL,0
LG2:
	MOV	BYTE PTR CS:[SI],AL
	NOT	AL
	INC	SI
	LOOP	LG2
	RET

;----------------------------------------------------------------------
;
; Display gas molecules bouncing around
;
ShowGas:
	PUSH	ES
	PUSH	SI
	PUSH	DI
	PUSH	CX
	PUSH	BX

	MOV	AX,0B800h
	MOV	ES,AX
	MOV	SI,CS:SrcPtr
	MOV	DI,160*2+10*2
	MOV	CX,LINENO-3
	ADD	SI,MAXBYTE*3
SG1:
	PUSH	CX
	PUSH	DI

	MOV	CX,MAXBYTE
SG2:
	MOV	AL,CS:[SI]
	MOV	BYTE PTR ES:[DI],AL
	INC	SI
	ADD	DI,2
	DEC	CX
	JNZ	SG2

	POP	DI
	POP	CX
	ADD	DI,160
	LOOP	SG1
	
	POP	BX
	POP	CX
	POP	DI
	POP	SI
	POP	ES
	RET

;----------------------------------------------------------------------
;
; CS:SI 	->	Source of Data
; CS:DI		->	Destination of Data
;
ScanOneMiddleLine:
;
; first byte is a special case because of warparound
;
	MOV	BL,0			; AL is the "assembled" byte.
	MOV	BH,CS:[SI-MAXBYTE]	; NORTH is one line "up" (lower)
	AND	BH,10001000B		; and at bits 7 and 3
	OR	BL,BH			; OR them into the assembled byte
	MOV	BH,CS:[SI+MAXBYTE]	; SOUTH is one line "down" (higher)
	AND	BH,01000100B		; and at bits 6 and 2
	OR	BL,BH			; OR them into BL
	MOV	BH,CS:[SI+(MAXBYTE-1)]	; WEST is one byte "left" (lower)
	AND	BH,00100010B		; and at bits 5 and 1
	OR	BL,BH
	MOV	BH,CS:[SI+1]		; EAST is one byte "right" (higher)
	AND	BH,00010001B		; and at bits 4 and 0
	OR	BL,BH
	MOV	BH,0
	MOV	AL,BYTE PTR CS:[BX + OFFSET HPPRule]
	MOV	CS:[DI],AL
	INC	SI
	INC	DI
;
; middle bytes can be handled in a loop 
;
	MOV	CX,MAXBYTE-2
SOL1:
	MOV	BL,0			; BL is the "assembled" byte.
	MOV	BH,CS:[SI-MAXBYTE]	; NORTH is one line "up" (lower)
	AND	BH,10001000B		; and at bits 7 and 3
	OR	BL,BH			; OR them into the assembled byte
	MOV	BH,CS:[SI+MAXBYTE]	; SOUTH is one line "down" (higher)
	AND	BH,01000100B		; and at bits 6 and 2
	OR	BL,BH			; OR them into BL
	MOV	BH,CS:[SI-1]		; WEST is one byte "left" (lower)
	AND	BH,00100010B		; and at bits 5 and 1
	OR	BL,BH
	MOV	BH,CS:[SI+1]		; EAST is one byte "right" (higher)
	AND	BH,00010001B		; and at bits 4 and 0
	OR	BL,BH
	MOV	BH,0
	MOV	AL,BYTE PTR CS:[BX + OFFSET HPPRule]
	MOV	CS:[DI],AL
	INC	SI
	INC	DI
	LOOP	SOL1
;
; last byte is also special
;
	MOV	BL,0			; BL is the "assembled" byte.
	MOV	BH,CS:[SI-MAXBYTE]	; NORTH is one line "up" (lower)
	AND	BH,10001000B		; and at bits 7 and 3
	OR	BL,BH			; OR them into the assembled byte
	MOV	BH,CS:[SI+MAXBYTE]	; SOUTH is one line "down" (higher)
	AND	BH,01000100B		; and at bits 6 and 2
	OR	BL,BH			; OR them into BL
	MOV	BH,CS:[SI-1]		; WEST is one byte "left" (lower)
	AND	BH,00100010B		; and at bits 5 and 1
	OR	BL,BH
	MOV	BH,CS:[SI-(MAXBYTE-1)]	; EAST is one byte "right" (higher)
	AND	BH,00010001B		; and at bits 4 and 0
	OR	BL,BH
	MOV	BH,0
	MOV	AL,BYTE PTR CS:[BX + OFFSET HPPRule]
	MOV	CS:[DI],AL
	INC	SI
	INC	DI
	RET


;----------------------------------------------------------------------
;
; CS:SI 	->	Source of Data
; CS:DI		->	Destination of Data
;
ScanFirstLine:
;
; first byte is a special case because of wraparound
;
	MOV	BL,0			; BL is the "assembled" byte (the index into HPPRule).
	MOV	BH,CS:[SI+MAXBYTE*(LINENO-1)]	; NORTH wraps around to the last line
	AND	BH,10001000B		; and at bits 7 and 3
	OR	BL,BH			; OR them into the assembled byte
	MOV	BH,CS:[SI+MAXBYTE]	; SOUTH is one line "down" (higher)
	AND	BH,01000100B		; and at bits 6 and 2
	OR	BL,BH			; OR them into BL
	MOV	BH,CS:[SI+MAXBYTE-1]	; WEST is one byte "left" (lower)
	AND	BH,00100010B		; and at bits 5 and 1
	OR	BL,BH
	MOV	BH,CS:[SI+1]		; EAST is one byte "right" (higher)
	AND	BH,00010001B		; and at bits 4 and 0
	OR	BL,BH
	MOV	BH,0
	MOV	AL,BYTE PTR CS:[BX + OFFSET HPPRule]
	MOV	CS:[DI],AL
	INC	SI
	INC	DI
;
; middle bytes can be handled in a loop 
;
	MOV	CX,MAXBYTE-2
SFL1:
	MOV	BL,0			; BL is the "assembled" byte.
	MOV	BH,CS:[SI+MAXBYTE*(LINENO-1)]	; NORTH wraps around to the last line
	AND	BH,10001000B		; and at bits 7 and 3
	OR	BL,BH			; OR them into the assembled byte
	MOV	BH,CS:[SI+MAXBYTE]	; SOUTH is one line "down" (higher)
	AND	BH,01000100B		; and at bits 6 and 2
	OR	BL,BH			; OR them into BL
	MOV	BH,CS:[SI-1]		; WEST is one byte "left" (lower)
	AND	BH,00100010B		; and at bits 5 and 1
	OR	BL,BH
	MOV	BH,CS:[SI+1]		; EAST is one byte "right" (higher)
	AND	BH,00010001B		; and at bits 4 and 0
	OR	BL,BH
	MOV	BH,0
	MOV	AL,BYTE PTR CS:[BX + OFFSET HPPRule]
	MOV	CS:[DI],AL
	INC	SI
	INC	DI
	LOOP	SFL1
;
; last byte is also special
;
	MOV	BL,0			; BL is the "assembled" byte.
	MOV	BH,CS:[SI+MAXBYTE*(LINENO-1)]	; NORTH wraps around to the last line
	AND	BH,10001000B		; and at bits 7 and 3
	OR	BL,BH			; OR them into the assembled byte
	MOV	BH,CS:[SI+MAXBYTE]	; SOUTH is one line "down" (higher)
	AND	BH,01000100B		; and at bits 6 and 2
	OR	BL,BH			; OR them into BL
	MOV	BH,CS:[SI-1]		; WEST is one byte "left" (lower)
	AND	BH,00100010B		; and at bits 5 and 1
	OR	BL,BH
	MOV	BH,CS:[SI-(MAXBYTE-1)]	; EAST is one byte "right" (higher)
	AND	BH,00010001B		; and at bits 4 and 0
	OR	BL,BH
	MOV	BH,0
	MOV	AL,BYTE PTR CS:[BX + OFFSET HPPRule]
	MOV	CS:[DI],AL
	RET


;----------------------------------------------------------------------
;
; CS:SI 	->	Source of Data
; CS:DI		->	Destination of Data
;
ScanLastLine:
;
; first byte is a special case because of wraparound
;
	MOV	BL,0			; BL is the "assembled" byte (the index into HPPRule).
	MOV	BH,CS:[SI-MAXBYTE]	; NORTH is one line "up" (lower)
	AND	BH,10001000B		; and at bits 7 and 3
	OR	BL,BH			; OR them into the assembled byte
	MOV	BH,CS:[SI-MAXBYTE*(LINENO-1)]	; SOUTH wraps around to the first line
	AND	BH,01000100B		; and at bits 6 and 2
	OR	BL,BH			; OR them into BL
	MOV	BH,CS:[SI+(MAXBYTE-1)]	; WEST is one byte "left" (lower)
	AND	BH,00100010B		; and at bits 5 and 1
	OR	BL,BH
	MOV	BH,CS:[SI+1]		; EAST is one byte "right" (higher)
	AND	BH,00010001B		; and at bits 4 and 0
	OR	BL,BH
	MOV	BH,0
	MOV	AL,BYTE PTR CS:[BX + OFFSET HPPRule]
	MOV	CS:[DI],AL
	INC	SI
	INC	DI
;
; middle bytes can be handled in a loop 
;
	MOV	CX,MAXBYTE-2
SLL1:
	MOV	BL,0			; BL is the "assembled" byte.
	MOV	BH,CS:[SI-MAXBYTE]	; NORTH is one line "up" (lower)
	AND	BH,10001000B		; and at bits 7 and 3
	OR	BL,BH			; OR them into the assembled byte
	MOV	BH,CS:[SI-MAXBYTE*(LINENO-1)]	; SOUTH wraps around to the first line
	AND	BH,01000100B		; and at bits 6 and 2
	OR	BL,BH			; OR them into BL
	MOV	BH,CS:[SI-1]		; WEST is one byte "left" (lower)
	AND	BH,00100010B		; and at bits 5 and 1
	OR	BL,BH
	MOV	BH,CS:[SI+1]		; EAST is one byte "right" (higher)
	AND	BH,00010001B		; and at bits 4 and 0
	OR	BL,BH
	MOV	BH,0
	MOV	AL,BYTE PTR CS:[BX + OFFSET HPPRule]
	MOV	CS:[DI],AL
	INC	SI
	INC	DI
	LOOP	SLL1
;
; last byte is also special
;
	MOV	BL,0			; BL is the "assembled" byte.
	MOV	BH,CS:[SI-MAXBYTE]	; NORTH is one line "up" (lower)
	AND	BH,10001000B		; and at bits 7 and 3
	OR	BL,BH			; OR them into the assembled byte
	MOV	BH,CS:[SI-MAXBYTE*(LINENO-1)]	; SOUTH wraps around to the first line
	AND	BH,01000100B		; and at bits 6 and 2
	OR	BL,BH			; OR them into BL
	MOV	BH,CS:[SI-1]		; WEST is one byte "left" (lower)
	AND	BH,00100010B		; and at bits 5 and 1
	OR	BL,BH
	MOV	BH,CS:[SI-(MAXBYTE-1)]	; EAST is one byte "right" (higher)
	AND	BH,00010001B		; and at bits 4 and 0
	OR	BL,BH
	MOV	BH,0
	MOV	AL,BYTE PTR CS:[BX + OFFSET HPPRule]
	MOV	CS:[DI],AL
	INC	SI
	INC	DI
	RET



;----------------------------------------------------------------------
;
; Invert all velocities in the gas
;
InvertAll:
	PUSH	BX
	PUSH	CX
	PUSH	SI
	MOV	SI,CS:SrcPtr
	MOV	BX,0
	MOV	CX,LINENO
IA1:
	PUSH	CX
	MOV	CX,MAXBYTE
IA2:
	MOV	BL,CS:[SI]
	MOV	AL,BYTE PTR CS:[BX + (OFFSET WallRule)]
	MOV	CS:[SI],AL
	INC	SI
	LOOP	IA2
	POP	CX
	LOOP	IA1
	POP	SI
	POP	CX
	POP	BX
	RET

;----------------------------------------------------------------------
;
; Advance the lattice one time step: swap the source and destination
; buffers, then scan every line (first and last wrap around)
;
IterateOnce:
	MOV	SI,CS:SrcPtr
	MOV	DI,CS:DesPtr
	MOV	CS:SrcPtr,DI
	MOV	CS:DesPtr,SI

	PUSH	SI
	PUSH	DI
	CALL	ScanFirstLine
	POP	DI
	POP	SI
	ADD	SI,MAXBYTE
	ADD	DI,MAXBYTE	
	MOV	CX,LINENO-2		; don't scan first and last
L1:
	PUSH	SI
	PUSH	DI
	PUSH	CX
	CALL	ScanOneMiddleLine
	POP	CX
	POP	DI
	POP	SI
	ADD	SI,MAXBYTE
	ADD	DI,MAXBYTE
	LOOP	L1

	PUSH	SI
	PUSH	DI
	CALL	ScanLastLine
	POP	SI
	POP	DI
L3:
	RET

;----------------------------------------------------------------------
;
; Iterate HPP rule CX times
;
Iterate:
	PUSH	CX
	CALL	IterateOnce
	POP	CX
	CALL	ShowGas
	LOOP	Iterate
	RET

;----------------------------------------------------------------------
;
; Iterate HPP rule until the first three lines of the lattice are back in
; the pattern InitGas wrote (checked through WallRule); only then does IU2
; decrypt the message-printing code from IU4 over the loop-back stub at IU3
;
IterateUntil:	
	MOV	SI,0
	MOV	CX,OFFSET IU4 - OFFSET IU3
IU00:
	MOV	AL,BYTE PTR CS:[SI + OFFSET IU3]
	XOR	BYTE PTR CS:[SI + OFFSET IU4],AL
	INC	SI
	LOOP	IU00
IU0:
	CALL	IterateOnce
	CALL	ShowGas
	MOV	SI,CS:SrcPtr
	MOV	CX,MAXBYTE*3
	MOV	BX,0
	MOV	AH,0
	MOV	AL,255
IU1:
	MOV	BL,BYTE PTR CS:[SI]
	MOV	DL,BYTE PTR CS:[BX+WallRule]
	NOT	AH
	XOR	DL,AH
	AND	AL,DL
	INC	SI
	LOOP	IU1
	MOV	SI,0
	MOV	CX,OFFSET IU4 - OFFSET IU3
IU2:
	MOV	AH,BYTE PTR CS:[SI+OFFSET IU4]
	AND	AH,AL
	XOR	BYTE PTR CS:[SI+OFFSET IU3],AH
	INC	SI
	LOOP	IU2
	JMP	IU3
IU3:
	MOV	AX,OFFSET IU0
	PUSH	AX
	RET
	DB	256 DUP(90h)
IU4:
	PUSH	AX
	PUSH	BX
	PUSH	CX
	PUSH	DX
	PUSH	DS

	MOV	AH,9
	MOV	DX,CS:MsgPtr
	INT	21H

	POP	DS
	POP	DX
	POP	CX
	POP	BX
	POP	AX
	RET

	DB	512 DUP(90h)

MsgPtr	DW	OFFSET Msg
Msg	DB	"This message is printed out by",10,13
	DB	"code decrypted using data from the lattice",10,13
	DB	"which was applied to the decoding routine",10,13
	DB	"after every time step",10,13
	DB	"The decoding function left the code unchanged",10,13
	DB	"except after the gas evolution had completely",10,13
	DB	"reversed the thermalization",10,13,"$"


TIMES	EQU	16		; number of forward time steps; 256 repetitions
				; are enough to "equilibrate" the gas

Begin:
	MOV	AX,0600h
	MOV	BH,7
	MOV	DH,25
	MOV	DL,80
	MOV	CX,0
	INT	10h

	MOV	AH,2
	MOV	BH,0
	MOV	DH,24
	MOV	DL,0
	INT	10h

	CALL	InitGas
	CALL	ShowGas
	MOV	AH,0
	INT	16h
	PUSH	CX
	MOV	CX,TIMES
	CALL	Iterate
	CALL	InvertAll
	CALL	ShowGas
	MOV	AH,0
	INT	16h
	CMP	AL,"0"
	JNE	Begin0
	MOV	SI,CS:SrcPtr
	XOR	BYTE PTR CS:[SI],10000001B
Begin0:
	MOV	CX,TIMES
	CALL	IterateUntil
	CALL	InvertAll
	CALL	ShowGas
	MOV	AX,4C00h
	INT	21h
	

CODE	ENDS
	END	Start
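The lattice-gas scheme the program above demonstrates, as an added Python example (not the author's code): it uses the byte layout as I read it from ScanOneMiddleLine (bits 7/3 south-moving, 6/2 north-moving, 5/1 east-moving, 4/0 west-moving, two independent cells per byte, torus wraparound); the HPP_RULE and INVERT tables, the lattice size and the sample message are constructed stand-ins, since the HPPRule/WallRule tables are not in this excerpt. It shows exact recovery by running the same rule with inverted velocities, and that reversing from a lattice with one flipped bit never lands on the original.

```python
import random

W, H = 20, 12   # constructed lattice size: bytes per row, rows (MAXBYTE x LINENO above)


def _collide_nibble(v):
    """HPP collision for one 4-bit cell: a head-on north/south pair turns
    into an east/west pair and vice versa; anything else passes through."""
    if v == 0b1100:
        return 0b0011
    if v == 0b0011:
        return 0b1100
    return v


def _invert_nibble(v):
    """Reverse every velocity in a cell: swap the N/S bits and the E/W bits."""
    return ((v & 8) >> 1) | ((v & 4) << 1) | ((v & 2) >> 1) | ((v & 1) << 1)


# 256-entry lookup tables; one byte = two independent cells (high and low
# nibble). Constructed stand-ins for the HPPRule / WallRule tables.
HPP_RULE = [(_collide_nibble(b >> 4) << 4) | _collide_nibble(b & 0xF) for b in range(256)]
INVERT = [(_invert_nibble(b >> 4) << 4) | _invert_nibble(b & 0xF) for b in range(256)]


def step(grid):
    """One time step, as ScanOneMiddleLine does it: each cell gathers the
    particles arriving from its four neighbours on a torus (bits 7/3 from
    north, 6/2 from south, 5/1 from west, 4/0 from east), then collides."""
    out = []
    for y in range(H):
        north, here, south = grid[y - 1], grid[y], grid[(y + 1) % H]
        row = bytearray(W)
        for x in range(W):
            gathered = ((north[x] & 0x88) | (south[x] & 0x44)
                        | (here[x - 1] & 0x22) | (here[(x + 1) % W] & 0x11))
            row[x] = HPP_RULE[gathered]
        out.append(bytes(row))
    return out


def evolve(grid, steps):
    for _ in range(steps):
        grid = step(grid)
    return grid


def reverse(grid, steps):
    """Run the clock backwards with the *forward* rule: invert all velocities,
    evolve, invert again. Because a step is propagate-then-collide, one
    collision pass is folded into each inversion so the result is exactly
    the earlier state (INVERT[HPP_RULE[b]] plays the WallRule part)."""
    def flip(g):
        return [bytes(INVERT[HPP_RULE[b]] for b in row) for row in g]
    return flip(evolve(flip(grid), steps))


def make_lattice(message, seed=7):
    """Like InitGas: the message occupies the first bytes of the lattice,
    the rest is seeded pseudo-random filler (constructed sample data)."""
    rng = random.Random(seed)
    filler = bytes(rng.getrandbits(8) for _ in range(W * H - len(message)))
    data = message + filler
    return [data[y * W:(y + 1) * W] for y in range(H)]


def hamming(a, b):
    return sum(bin(p ^ q).count("1") for ra, rb in zip(a, b) for p, q in zip(ra, rb))


def demo(steps=256):
    """Returns (recovered message, bits wrong after a 1-bit flip, exact?)."""
    plain = b"ATTACK AT DAWN"              # constructed sample plaintext
    x0 = make_lattice(plain)
    xn = evolve(x0, steps)                  # the "encrypted" lattice
    back = reverse(xn, steps)               # exact reversal
    damaged = list(xn)
    damaged[0] = bytes([xn[0][0] ^ 0x80]) + xn[0][1:]   # flip one velocity bit
    wrong = hamming(reverse(damaged, steps), x0)
    return b"".join(back)[:len(plain)], wrong, back == x0


if __name__ == "__main__":
    msg, wrong, exact = demo()
    print("reversed exactly:", exact, "message:", msg)
    print("bits differing from the original after one flipped bit:", wrong)
```

The only secret here is the step count, so this demonstrates reversibility and sensitivity to a flipped bit, not a usable cipher.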


Newsgroup: sci.crypt
Document_id: 14992
Subject: Re: Illegal Wiretaps (was Denning's Trust)
From: kubo@zariski.harvard.edu (Tal Kubo)

In article <1ppg02$i2k@bigboote.WPI.EDU> 
ear@bigwpi.WPI.EDU (Mr. Neat-O [tm]) writes:
>>
>>It is apparently quite easy to get hold of a person's calling records
>>through the phone company.  Police (and some lawyers) are able to acquire
>>such information without any warrant or judicial supervision, whether or
>>not the target is suspected of specific crimes.
>
>Pardon me, but isn't this very illegal?  I was under the impression that a
>warrant *is* needed to get this information out of the phone company in
>order to protect people's privacy. 

Legal or not, I've seen it done.  Phone records were obtained
in order to *establish* probable cause, rather than as a result of it.
In other words, for a fishing expedition.

 
>                                   A local (Worcester, MA) police officer I
>spoke with only a couple of nights ago told me that they usually only
>subpoena the phone company's records in *extreme* conditions because it's so
>much of a hassle.

And does the phone company require written, subpoena-able evidence
of probable cause in order to process the request?  I suggest that
the officer was disinterested in pursuing your case -- even if you
could prove the offender had called you at a certain time, your 
chances of winning a harassment suit on the strength of this evidence
are nil.  My contact with several people who have dealt with cases
of extreme phone harassment (several thousand calls in one case) teaches 
me that police in this area are quite lethargic about pursuing such matters.


Tal

Newsgroup: sci.crypt
Document_id: 14993
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Licensing of public key implementations

strnlght@netcom.com (David Sternlight) writes:

> I will provide one hint: it is reported that RSA expressed puzzlement (at
> their conference) that nobody has asked for permission to use RIPEM to
> write a PGP-compatible program.

This actually supports Bill's speculation - IF there is a backdoor in
RSAREF and IF PKP is supported secretly by the NSA, then it is more
than natural that they will welcome ANY public-key implementation that
uses RSAREF and will strongly oppose ANY
implementation that doesn't.

I personally cannot see how one could put a backdoor in a
long-precision modular arithmetic library that comes in source, but,
of course, the fact that -I- cannot see it means nothing...

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

Newsgroup: sci.crypt
Document_id: 14994
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: opinions of RC2 alg.

Markowitz@DOCKMASTER.NCSC.MIL writes:

> It is interesting to note in this regard that permission to export
> PKZIP's encryption scheme has twice been denied by NSA.  Draw you own
> conclusions.

Uh, I'm afraid that your information is slightly out of date... PKWare
has obtained a license to export their program to the whole world,
except a very limited list of countries... Draw your own conclusions
about the strength of the algorithm... :-)

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

Newsgroup: sci.crypt
Document_id: 14995
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: disk safety measure?

cuffell@spot.Colorado.EDU (Tim Cuffel) writes:

> There is no guarantee that the deleted space would be overwritten during
> optimization.  Likely, but no guarantee.  A quicker and more secure method
> would be a batch file that overwrote all of your free space.  For example
> fill.bat:
> 	echo %1 >> out
> 	fill.bat
> (This is off the top of my head.  #include <std_disclaimer.h>)

It is MUCH easier, faster, and probably even more secure to use Norton
Utilities 6.0 (I'm talking IBM PC here) and to tell WipeInfo to (a)
clean the free disk space and (b) clean the slack space at the end of
the files. Use the Government standard option for more careful
overwriting...

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

Newsgroup: sci.crypt
Document_id: 14996
From: WHMurray@DOCKMASTER.NCSC.MIL
Subject: Licensing...


>This actually supports Bill's speculation - IF there is a backdoor in
>RSAREF and IF PKP is supported secretly by the NSA, then it is more
>than natural that they will welcome ANY public-key implementation that
>uses RSAREF and will strongly oppose ANY
>implementation that doesn't.

My speculation does not include or depend upon a trapdoor in RSAREF. I
do not believe that RSA would consent to such.  

However, there are other limitations in the concept of RSAREF in which
NSA has an interest.  It has an interest in a limited number of
implementations, i.e., targets.  It has an interest in fixed key or
maximum modulus size.  

It has a legitimate (literally) right to pursue such interests.  Within
bounds, it probably has a right to pursue those interests by covert
means.  At least it has the same right as the rest of us not to disclose
all of its motives and intentions.  (Institutions are not self-aware;
they do not know their intentions in any meaningful sense.)

William Hugh Murray, Executive Consultant, Information System Security
49 Locust Avenue, Suite 104; New Canaan, Connecticut 06840                
1-0-ATT-0-700-WMURRAY; WHMurray at DOCKMASTER.NCSC.MIL

Newsgroup: sci.crypt
Document_id: 14997
From: tom_van_vleck@taligent.com (Tom Van Vleck)
Subject: Re: looking for one-way (trap-door, password encryption, etc.) algorithms

Michael Levin wrote:
>      I am looking for references to algorithms which can be used for
> password encryption. I.e., someone has a clear-text word, runs it
> through the algorithm, and it becomes some other sequence of symbols.
> I want this algorithm to have the property that it is a) next to
> impossible to reverse, and b) would take too long to try all possible
> words to see which one works (even by use of a high-speed computer).
> Please send references or ideas to mlevin@husc8.harvard.edu.

The original one-way encryption I put into Multics about 1968 (as suggested
by Joe Weizenbaum) was invertible.  An Air Force tiger team demonstrated
this to me in May 1973.  I then asked an expert (who requested anonymity) 
what I should use instead; the expert's suggestion was to treat the 
8-byte password as both key and data for the LUCIFER encryption algorithm, 
which is similar or identical to DES.  This method or something stronger 
should take care of (a).  Issue (b) is discussed in comp.security.misc: 
longer passwords and quality control on what users can choose as passwords
are the common tactics.

tom_vanvleck@taligent.com

Newsgroup: sci.crypt
Document_id: 14998
From: yerazunis@cthulu.enet.dec.com
Subject: Re: Hard drive security for FBI targets


>cme@ellisun.sw.stratus.com (Carl Ellison) writes:
>For example, if I had a program on my disk which created totally random
>files looking like encrypted messages and could demonstrate that the file
>in question *could have been* created by that program, then my claim that
>it was, in fact, created by that program must stand as true (since I'm
>innocent) unless someone can prove me wrong.

HMMM... that brings up a neat idea.  

Unfortunately, it's SOOO neat, I think I ought to patent it.

So I can't tell you about it.

Sorry.  :-)

	-Bill

Copyright 1993 William S. Yerazunis (aka Crah the Merciless)
All rights reserved, no responsibility taken.

     "I love the smell of flash powder in the morning! It smells like...like theatre"

Newsgroup: sci.crypt
Document_id: 14999
From: jgk@osc.COM (Joe Keane)
Subject: Re: Hard drive security for FBI targets

In article <1993Apr2.050451.7866@ucsu.Colorado.EDU> cuffell@spot.Colorado.EDU
(Tim Cuffel) writes:
>How about this.  I create a bunch of sets of random data, and encrypt it.  I 
>keep only one of the sets of random data around, to show that I encrypt random
>data for kicks.  The rest, I delete with their keys.  I tell all my friends.
>I think this establishes reasonable doubt about the contents of any encrypted
>files, and my ability to provide keys.  Since anyone could do this, any law
>that forces a user to provide keys on demand is worthless.

The law is much worse than worthless.  It gives police the power to put
innocent people in jail because they (the police) find something they don't
understand.  Most police don't know what the return key does, never mind the
difference between a core file and classified military secrets.

There are plenty of scenarios where the user would have no idea what something
is either.  It could be uninitialized junk.  The burden of proof is on the
user to show that it's something a normal upstanding citizen should have.  No
one should ever be put in that situation, especially in America.

What's disgusting about this is how easily most people go along with it, to
provide a bargaining chip against some hypothetical *alleged* child molester
or drug dealer, or whatever bad thing is in style at the time.  Basically most
people don't have a clear distinction between criminals and suspects.

As an analogy, it's like they find a loose screw in your house, and they
insist that you're building a bomb or machine gun.  They ask you where it came
from (like you'd know), and ask you to prove your claim.  When you explain it
in such simple terms, people may start to get the idea.

As a matter of fact, i do keep random files on my disk.  The reason is,
without special-purpose hardware, it takes a long time to generate good random
bits.  I have programs that crank out a couple bits per minute, which is
pretty conservative, but over time that's more than i need.

If you think about it, there's no point in actually encrypting random data,
because it just gives you different random data.  If you want some data to
look like an encrypted file, you just put an appropriate header on it.  If
enough people do this, some of them will be put in jail.

When you get arrested and the police ask for your keys, you can tell them it's
just random junk, although of course they won't believe you.  While you're
sitting in jail, you can take consolation in the fact that the government will
burn a few CPU-years trying to find something that's not there.

--
Joe Keane, amateur cryptologist
jgk@osc.com (uunet!amdcad!osc!jgk)

Newsgroup: sci.crypt
Document_id: 15000
From: Graham Toal <gtoal@gtoal.com>
Subject: Re: Hard drive security for FBI targets

In article <6040@osc.COM> Joe Keane <jgk@osc.com> writes:
:As a matter of fact, i do keep random files on my disk.  The reason is,
:without special-purpose hardware, it takes a long time to generate good random
:bits.  I have programs that crank out a couple bits per minute, which is
:pretty conservative, but over time that's more than i need.

Sounds like a useful program - interested in posting it to alt.sources?

G

Newsgroup: sci.crypt
Document_id: 15001
From: cme@ellisun.sw.stratus.com (Carl Ellison)
Subject: Re: Hard drive security

In article <m5c5fkj@rpi.edu> antonh@rpi.edu writes:
>say, can anyone send me info on how to encrypt a hard disk [...]
>ps.  I would also like to know the consequences of those types of actions if i
>so chose to do them in the future in this country and european countries.

People have been encrypting notes in their notebooks for hundreds of years
-- maybe over a thousand.  It's a long tradition dating at least back to
the alchemists.

I know of nothing bad happening to them.  I would assume that nothing bad
would happen to you, given this long history establishing encryption as
the property of individuals, to do with as they please.

-- 
 - <<Disclaimer: All opinions expressed are my own, of course.>>
 - Carl Ellison                                        cme@sw.stratus.com
 - Stratus Computer Inc.       M3-2-BKW                TEL: (508)460-2783
 - 55 Fairbanks Boulevard ; Marlborough MA 01752-1298  FAX: (508)624-7488

Newsgroup: sci.crypt
Document_id: 15002
From: cme@ellisun.sw.stratus.com (Carl Ellison)
Subject: Re: Licensing of public key implementations

In article <1993Apr4.221640.8104@magnus.acs.ohio-state.edu> jebright@magnus.acs.ohio-state.edu (James R Ebright) writes:
>I guess we will have to wait for the time in the far future
>when everyone uses such good crypto that the NSA has no job.  Then the
>agency will be disbanded and its files opened after the appropriate
>historical delay.  ;)

You've overlooked a fundamental Truth:

	both headcount and budget of any government agency are
	monotonic increasing functions.

Given that Truth, you need to look for what the agency can do to occupy
all those people and spend all that money when crypto is unbreakable.

Perhaps they could talk the world's telephone companies into making equipment
they could break into and tap.

Maybe they could convince people that distributed computing was a good idea
so that even the internal state of a process would be available for access
by wiretapping.

Maybe....

-- 
 - <<Disclaimer: All opinions expressed are my own, of course.>>
 - Carl Ellison                                        cme@sw.stratus.com
 - Stratus Computer Inc.       M3-2-BKW                TEL: (508)460-2783
 - 55 Fairbanks Boulevard ; Marlborough MA 01752-1298  FAX: (508)624-7488

Newsgroup: sci.crypt
Document_id: 15003
From: ray@ole.cdac.com (Ray Berry)
Subject: Re: Hard drive security for FBI targets

rja14@cl.cam.ac.uk (Ross Anderson) writes:

>In article <1993Apr2.050451.7866@ucsu.Colorado.EDU>, cuffell@spot.Colorado.EDU 
>(Tim Cuffel) writes:

>This suggests a new PC security product design approach - first fill the hard
>drive with 50% random files and 50% files encrypted under a number of known 
>keys. Then whenever a new secret file is created, you delete a random file and
>replace it with real encrypted data. New non-secret files are encrypted under
>a known key.

   Better yet, instead of thrashing around on the DOS file system, take
it a step further.  Write yourself a minimal "file system" program that
is used to create/delete files, en/decrypt them to ramdisk, list a
directory. Put the util, password protected, on a floppy.

   The catch is that the storage space used by this util is NOT part
of the DOS file system.  Instead, defrag your disk, thus packing all
allocated clusters into clusters 0-n.  Then use the back end of the
partition to hold your 'stealth' file system.  Or, leave a small 2nd
partition on the disk that is not assigned to DOS.  Another approach
might be to use a directory that contains a set of invariant files (DOS
system files, for instance).  Due to DOS allocating a minimum storage 
unit of a "cluster" there is unused physical space on the disk between
the tail end of each file and the end of its associated cluster. These
dead spaces could be concatenated and used to hold your stealth file
system.

   Now you have a situation where no encrypted data "appears" on your
disk at all :-). 
-- 
Ray Berry kb7ht ray@ole.cdac.com  rjberry@eskimo.com  73407.3152@compuserve.com

Newsgroup: sci.crypt
Document_id: 15168
From: so@eiffel.cs.psu.edu (Nicol C So)
Subject: Re: Source of random bits on a Unix workstation

In article <897@pivot.sbi.com> bet@sbi.com (Bennett Todd @ Salomon Brothers Inc., NY ) writes:
>This came up because I decided to configure up MIT-MAGIC-COOKIE-1 security
>for X11R5. For this to work you need to stick some bits that an intruder
>can't guess in a file (readable only by you) which X client applications
>read. They pass the bits back to the server when they want to establish a
>connection.
>
>...
>What I settled on was grabbing a bunch of traffic off the network.
>Basically, I ran
>
>	etherfind -u -x greater 0|compress
>
>and skipped over 10K of output, then grabbed my bits. As best I can tell,
>these are bits that can be expected to be reasonably uniformly distributed,
>and quite unguessable by an intruder.

For your application, what you can do is to encrypt the real-time clock
value with a secret key.

Newsgroup: sci.crypt
Document_id: 15169
From: ji@cs.columbia.edu (John Ioannidis)
Subject: Re: Source of random bits on a Unix workstation

In article <C5JA6s.A59@cs.psu.edu> so@eiffel.cs.psu.edu (Nicol C So) writes:
>In article <897@pivot.sbi.com> bet@sbi.com (Bennett Todd @ Salomon Brothers Inc., NY ) writes:
>>This came up because I decided to configure up MIT-MAGIC-COOKIE-1 security
>>for X11R5. For this to work you need to stick some bits that an intruder
>>can't guess in a file (readable only by you) which X client applications
>>read. They pass the bits back to the server when they want to establish a
>>connection.
>>
>>...
>>What I settled on was grabbing a bunch of traffic off the network.
>>Basically, I ran
>>
>>	etherfind -u -x greater 0|compress
>>
>>and skipped over 10K of output, then grabbed my bits. As best I can tell,
>>these are bits that can be expected to be reasonably uniformly distributed,
>>and quite unguessable by an intruder.
>
>For your application, what you can do is to encrypt the real-time clock
>value with a secret key.

For a good discussion of cryptographically "good" random number
generators, check out the draft-ietf-security-randomness-00.txt
Internet Draft, available at your local friendly internet drafts
repository. 

A reasonable source of randomness is the output of a cryptographic
hash function (e.g., MD5), when fed with a large amount of
more-or-less random data. For example, running MD5 on /dev/mem is a
slow, but random enough, source of random bits; there are bound to be
128 bits of entropy in the tens (or hundreds) of megabytes of data in
a modern workstation's memory, as a fair amount of them are system
timers, i/o buffers, etc.

/ji

Newsgroup: sci.crypt
Document_id: 15170
From: bear@kestrel.fsl.noaa.gov (Bear Giles)
Subject: Re: Fifth Amendment and Passwords

In article <1993Apr15.160415.8559@magnus.acs.ohio-state.edu> ashall@magnus.acs.ohio-state.edu (Andrew S Hall) writes:
>I am positive someone will correct me if I am wrong, but doesn't the Fifth
>also cover not being forced to do actions that are self-incriminating?
>e.g. The police couldn't demand that you silently take them to where the
>body is buried or where the money is hidden.

But they can make you piss in a jar, and possibly provide DNA, semen,
and hair samples or to undergo tests for gunpowder residues on your hand.

(BTW, that was why the chemical engineer arrested in the WTC explosion
thrust his hands into a toilet filled with urine as the cops were breaking
down the door -- the nitrogen in the urine would mask any residue from
explosives.  I found it interesting the news reported his acts, but not
his reasons).

Somewhere, perhaps a privacy group, they discussed the legal ramifications
of using a password like

  I shot Jimmy Hoffa and his body is in a storage locker in Camden

a while back.  The impression I got was that real judges would dismiss
arguments that this password is self-incrimination as first-year law
school sophistry -- the fact that you use a statement for a password has
no bearing on the veracity of that phrase.

You are not being asked to incriminate yourself (e.g., "where did you
bury the body?"); you are being asked to provide information necessary
to execute a legal search warrant.  Refusing to provide the password is
akin to refusing to provide a key to a storage locker... except that they
could always _force_ their way into the locker.

Of course, that doesn't mean you have to help them _understand_ what
they find, or point out things they overlooked in their search!

-- 
Bear Giles
bear@fsl.noaa.gov

Newsgroup: sci.crypt
Document_id: 15171
From: zrepachol@cc.curtin.edu.au (Paul Repacholi)
Subject: What is going on?...

In article <1qhc2p$8d8@transfer.stratus.com>, cme@ellisun.sw.stratus.com (Carl Ellison) writes:
> In article <1993Apr14.120229.15878@mnemosyne.cs.du.edu> rwebb@nyx.cs.du.edu (Russell Webb) writes:
...
> Call me paranoid, but this is the same kind of scare story which Dorothy
> Denning was citing while calling for the limitation of cryptography.
> 
> I doubt that DD is behind this -- 
> 
> but I suspect that the FBI (and maybe NSA) are behind DD and those agencies
> could easily be mounting a nationwide campaign (with our tax dollars?) to
> build up public outcry against digital communication -- especially against
> unbreakable, encrypted communication.
> 
> 
> What's going on here??
> 

Haven't you read any of Noam Chomsky's works? A widely used information net
outside the control of the 'right people' is unthinkable. Hundreds of billions
of dollars will be spent to wipe it out, sorry, 'regulate and order it' once
the major media and political powers wake up to the effect it can have.

If you can't be bothered reading, get the video "Manufacturing Consent".

~Paul


Newsgroup: sci.crypt
Document_id: 15172
From: marc@tanda.isis.org (Marc Thibault)
Subject: Re: Hard drive security for FBI targets


     1. Do a straight encryption of your keyrings and put the
        results with misleading names somewhere they won't be noticed
        (eg. in the \windows directory; nobody knows what half those
        files are).

     2. Do a straight encryption of a .BAT file that will decrypt
        the keyrings to RAMdisk and will set PGPPATH to point at it.

     3. Set up another .BAT file to decrypt and execute the first
        (again on RAM disk). Have it take the name of the target file
        as an argument so that there is no link between this file and
        the (non-existent) batch file referred to by the rest of the
        system. Comment it so it looks like a test script for fooling
        around with PGP. Set PGPPATH to the PGP directory.

     4. Leave the original keyrings that came with PGP in the
        directory with PGP; a good indication that you are playing
        with, but haven't made serious use of PGP. Add a set of keys
        with your name and a really simple passphrase. Never use it,
        or use it as your widely published key for low-security
        e-mail.

     5. When needed, run the second .BAT file. Make sure all
        intermediate and plainfiles are generated on RAMdisk.

     6. When you hear the concussion grenade, hit the power switch.
        
        Cheers,
                Marc

---
 Marc Thibault        | CIS:71441,2226     |  Put another log
 marc@tanda.isis.org  | NC FreeNet: aa185  |  on the fire.




Newsgroup: sci.crypt
Document_id: 15173
From: grady@netcom.com (1016/2EF221)
Subject: SOURCE to Macintosh PGP 2.2 in C available

*** SOURCE code to Macintosh PGP 2.2 now available via anonymous FTP ***

FTP netcom.com
CD pub/grady
MGET MacPGP2.2src.sea.hqx
MGET MacPGP2.2srcSIGNATURE

Convert to a Compact Pro self-extracting archive with BinHex 4.0.

If appropriate, check the digital signature of the .hqx file with
your copy of PGP.  (Non-Macintosh users wishing to check the digital
signature please note that 'CR' denotes the end-of-line on a Macintosh,
not 'LF' or 'CRLF'.)

For the purposes of the ITAR act, this 'unclassified technical
documentation' is hereby released into the public domain.  (However
no representation is made as to copyright or other commercial rights
that may exist in this package.)

Full source code, Symantec THINK C 5.0.4 projects and full user
documentation is included for both 68020 and 68000 versions of Pretty
Good Privacy, a strong public key encryption and digital signature
application using the RSA algorithm patented in the United States
and the IDEA cipher patented in Switzerland.

No executables are included.

Executables are available via anonymous FTP from:

leif.thep.lu.se (Sweden)
night.nig.ac.jp (Japan)
van-bc.wimsey.bc.ca (Canada)
soda.berkeley.edu (P.R. of Berkeley)
src.doc.ic.ac.uk (United Kingdom)
ghost.dsi.unimi.it (Italy)
plaza.aarnet.edu.au (Australia)
nic.funet.fi (Finland)


Others' public keys are available from anonymous server sites:
(Send message subject "help" for more information.)

Internet sites:
        pgp-public-keys@junkbox.cc.iastate.edu
                Michael Graff
                explorer@iastate.edu
                FTP: tbird.cc.iastate.edu:/usr/explorer/public-keys.pgp
        pgp-public-keys@toxicwaste.mit.edu
                Derek Atkins
                warlord@MIT.EDU
                FTP: toxicwaste.mit.edu:/pub/keys/public-keys.pgp
        pgp-public-keys@phil.utmb.edu
                John Perry
                perry@phil.utmb.edu
                FTP: phil.utmb.edu:/pub/pgp/public-keys.pgp
        pgp-public-keys@demon.co.uk
                Mark Turner
                mark@demon.co.uk
                FTP: ftp.demon.co.uk:/pub/pgp/pubring.pgp

UUCP site:
        pgp-public-keys@jpunix.com
                John Perry
                perry@jpunix.com

The executable application built from these sources has NOT been
licensed by RSA Data Security, Inc. nor has the RSA public key
algorithm or the IDEA block cipher algorithm been approved by
the National Security Agency.

This unclassified technical documentation is made available for
EDUCATIONAL USE ONLY; possession, distribution, or use of an
executable binary built from this source may be a civil or criminal
offense.

Suggested improvements, bugs, or comments should be directly posted
to alt.security.pgp or to the principal developers listed among
the source documents.  General questions and comments about public
key cryptography or the IDEA cipher may be posted to alt.security.pgp
or to the sci.crypt Usenet groups.

-- 
grady@netcom.com  2EF221 / 15 E2 AD D3 D1 C6 F3 FC  58 AC F7 3D 4F 01 1E 2F


Newsgroup: sci.crypt
Document_id: 15174
From: kadie@cs.uiuc.edu (Carl M Kadie)
Subject: Re: Fifth Amendment and Passwords

ashall@magnus.acs.ohio-state.edu (Andrew S Hall) writes:

>I am positive someone will correct me if I am wrong, but doesn't the Fifth
>also cover not being forced to do actions that are self-incriminating?
[...]

[From Mike Godwin <mnemonic@eff.org>, posted with permission - Carl]

Sadly, it does not. Suspects can be compelled to give handwriting and
voice exemplars, and to take blood and DNA tests.

> e.g. The police couldn't demand that you silently take them to where the
> body is buried or where the money is hidden.

No, but they could compel you to produce the key to a safe where, as it
happens, evidence that will convict you is stored. 

The crypto-key disclosure issue hasn't come up yet, but current law
suggests that it's a loser for the defendant--he'll be compelled to turn
over the key.

The test for compelled self-incrimination is whether the material to 
be disclosed *in itself* tends to inculpate the discloser. In the example
I gave above, the safe key itself has no testimonial value--ergo, it can
be disclosed under compulsion (e.g., subpoena duces tecum).

Moreover, the government can always immunize the disclosure of a crypto
key--compelling you to disclose the key at the price of not using the fact
of your disclosure as evidence in the case against you. Of course, they
can use whatever they discover as a result of this disclosure against
you.


--Mike





-- 
Carl Kadie -- I do not represent any organization; this is just me.
 = kadie@cs.uiuc.edu =

Newsgroup: sci.crypt
Document_id: 15175
From: bob@natasha.portal.com (Bob Cain)
Subject: Re: Pgp, PEM, and RFC's (Was: Cryptography Patents)

Charles Kincy (ckincy@cs.umr.edu) wrote:
: 
: All I have to say is...yeah, right.  If you're willing to pay them
: mucho big bucks and/or use the routines *they* tell you to do.  
: Doesn't sound very reasonable to me.

All I have to say is this is full of shit.  I have negotiated a license
and the bucks are incredibly reasonable with an upfront charge on a
sliding scale depending on your capitalization.  If you are a startup
and can't afford it you can't afford to start up in the first place.
Why do people insist on making unequivocal statements about that which
they know nothing.

: 
: But I don't guess PKP and RSA are interested in big bucks.  Maybe
: they have some other agenda?  Secure communications only for 
: government agents, perhaps?

Have you considered treatment for paranoia?  The government is the
single biggest thorn in RSA's side.

: 
: Some limitation.  Let me guess:  don't use the code in any way PKP or
: RSA doesn't like....such as...providing secure communications for the
: average citizen.

That was exactly its purpose if you know anything about it.  There is
nothing at all preventing the average citizen using it, only selling
it.

: 
: I hope my cynicism is misplaced here.  Go ahead...I'm not afraid to
: be wrong every once in a while.  But, I have an uneasy feeling that I
: am right.  :(

It is and you are wrong yet you emotionally state a bunch of crap as fact
with a tiny disclaimer at the end.  Check your facts first and grow up.
Why is there such a strong correlation between interest in cryptography
and immaturity I wonder.

Bob Cain (normally rcain@netcom.com)

Newsgroup: sci.crypt
Document_id: 15176
From: ld231782@longs.lance.colostate.edu (L. Detweiler)
Subject: Privacy & Anonymity on the Internet FAQ (1 of 3)

Archive-name: net-privacy/part1
Last-modified: 1993/3/3
Version: 2.1


IDENTITY, PRIVACY, and ANONYMITY on the INTERNET
================================================

(c) 1993 L. Detweiler.  Not for commercial use except by permission
from author, otherwise may be freely copied.  Not to be altered. 
Please credit if quoted.

SUMMARY
=======

Information on email and account privacy, anonymous mailing and 
posting, encryption, and other privacy and rights issues associated
with use of the Internet and global networks in general.

(Search for <#.#> for exact section. Search for '_' (underline) for
next section.)

PART 1
====== (this file)

Identity
--------
<1.1> What is `identity' on the internet?
<1.2> Why is identity (un)important on the internet?
<1.3> How does my email address (not) identify me and my background?
<1.4> How can I find out more about somebody from their email address?
<1.5> Why is identification (un)stable on the internet? 
<1.6> What is the future of identification on the internet?

Privacy
-------
<2.1> What is `privacy' on the internet?
<2.2> Why is privacy (un)important on the internet?
<2.3> How (in)secure are internet networks?
<2.4> How (in)secure is my account?
<2.5> How (in)secure are my files and directories?
<2.6> How (in)secure is X Windows?
<2.7> How (in)secure is my email?
<2.8> How am I (not) liable for my email and postings?
<2.9> How do I provide more/less information to others on my identity?
<2.10> Who is my sysadmin?  What does s/he know about me?
<2.11> Why is privacy (un)stable on the internet?
<2.12> What is the future of privacy on the internet?

Anonymity
---------
<3.1> What is `anonymity' on the internet?
<3.2> Why is `anonymity' (un)important on the internet?
<3.3> How can anonymity be protected on the internet?
<3.4> What is `anonymous mail'?
<3.5> What is `anonymous posting'?
<3.6> Why is anonymity (un)stable on the internet?
<3.7> What is the future of anonymity on the internet?


PART 2
====== (next file)

Resources
---------

<4.1> What UNIX programs are related to privacy?
<4.2> How can I learn about or use cryptography?
<4.3> What is the cypherpunks mailing list?
<4.4> What are some privacy-related newsgroups?  FAQs?
<4.5> What is internet Privacy Enhanced Mail (PEM)?
<4.6> What are other Request For Comments (RFCs) related to privacy?
<4.7> How can I run an anonymous remailer?
<4.8> What are references on privacy in email?
<4.9> What are some email, Usenet, and internet use policies?
<4.10> What is the MIT ``CROSSLINK'' anonymous message TV program?

Miscellaneous
-------------

<5.1> What is ``digital cash''?
<5.2> What is a ``hacker'' or ``cracker''?
<5.3> What is a ``cypherpunk''?
<5.4> What is `steganography' and anonymous pools?
<5.5> What is `security through obscurity'?
<5.6> What are `identity daemons'?
<5.7> What standards are needed to guard electronic privacy?

Issues
------

<6.1> What is the Electronic Frontier Foundation (EFF)?
<6.2> Who are Computer Professionals for Social Responsibility (CPSR)?
<6.3> What was `Operation Sun Devil' and the Steve Jackson Game case?
<6.4> What is Integrated Services Digital Network (ISDN)?
<6.5> What is the National Research and Education Network (NREN)?
<6.6> What is the FBI's proposed Digital Telephony Act?
<6.7> What other U.S. legislation is related to privacy on networks?
<6.8> What are references on rights in cyberspace?
<6.9> What is the Computers and Academic Freedom (CAF) archive?

Footnotes
---------

<7.1> What is the background behind the Internet?
<7.2> How is Internet `anarchy' like the English language?
<7.3> Most Wanted list
<7.4> Change history


PART 3
====== (last file)

Anonymizing
-----------

<8.1> What are some known anonymous remailing and posting sites?
<8.2> What are the responsibilities associated with anonymity?
<8.3> How do I `kill' anonymous postings?
<8.4> What is the history behind anonymous posting servers?
<8.5> What is the value of anonymity?
<8.6> Should anonymous posting to all groups be allowed?
<8.7> What should system operators do with anonymous postings?
<8.8> What is going on with anon.penet.fi maintained by J. Helsingius?


* * *


IDENTITY
========

_____
<1.1> What is `identity' on the internet?

  Generally, today people's `identity' on the internet is primarily
  determined by their email address in the sense that this is their
  most unchanging 'face' in the electronic realm.   This is your
  login name qualified by the complete address domain information,
  for example ``ld231782@longs.lance.colostate.edu''.  People see
  this address when receiving mail or reading USENET posts from you
  and in other situations where programs record usage.  Some obsolete
  forms of addresses (such as BITNET) still persist.

  In email messages, additional information on the path that a message
  takes is prepended to the message received by the recipient.  This
  information identifies the chain of hosts involved in the
  transmission and is a very accurate trace of its origination.  This
  type of identify-and-forward protocol is also used in the USENET
  protocol to a lesser extent.  Forging these fields requires
  corrupted mailing software at sites involved in the forwarding and
  is very uncommon.  Not so uncommon is forging the chain at the
  origination point, so that all initial sites in the list are faked
  at the time the message is created.  Tracing these messages can be
  difficult or impossible when the initial faked fields are names of
  real machines and represent real transfer routes.

_____
<1.2> Why is identity (un)important on the internet?

  The concept of identity is closely intertwined with communication,
  privacy, and security, which in turn are all critical aspects of
  computer networks. For example, the convenience of communication
  afforded by email would be impossible without conventions for
  identification.  But there are many potential abuses of identity
  possible that can have very severe consequences, with massive
  computer networks at the forefront of the issue, which can
  potentially either exacerbate or solve these problems.

  Verifying that an identity is correct is called `authentication',
  and one classic example of the problems associated with it is
  H.G. Wells' ``War of the Worlds'' radio broadcast that fooled
  segments of the population into thinking that an alien invasion was
  in progress.  Hoaxes of this order are not uncommon on Usenet and
  forged identities make them more insidious.  People and their
  reputations can be assaulted by forgery.

  However, the fluidity of identity on the internet is for some one of
  its most attractive features. Identity is just as useful as it is
  harmful.  A professor might carefully explain a topic until he
  finds he is talking to an undergraduate. A person of a particular
  occupation may be able to converse with others who might normally
  shun him.  Some prejudices are erased, but, on the other hand, many
  prejudices are useful!  A scientist might argue he can better
  evaluate the findings of a paper as a reviewer if he knows more
  about the authors.  Likewise, he may be more likely to reject it
  based on unfair or irrelevant criteria.  On the other side of the
  connection,  the author may find identities of reviewers useful in
  exerting pressure for acceptance.

  Identity is especially crucial in establishing and regulating
  `credit' (not necessarily financial) and `ownership' and `usage'. 
  Many functions in society demand reliable and accurate techniques
  for identification. Heavy reliance will be placed on digital
  authentication as global economies become increasingly electronic. 
  Many government functions and services are based on identification,
  and law enforcement frequently hinges on it.  Hence, employees of
  many government organizations push toward stronger identification
  structures.  But when does identification invade privacy?

  The growth of the internet is provoking social forces of massive
  proportions. Decisions made now on issues of identity will affect
  many future users, especially as the network becomes increasingly
  global, universal, widespread, and entrenched; and the positive or
  adverse effects of these actions, intended and inadvertent, will
  literally be magnified exponentially.

_____
<1.3> How does my email address (not) identify me and my background?

  Your email address may contain information that influences people's
  perceptions of your background.  The address may `identify' you as
  from a department at a particular university, an employee at a
  company, or a government worker.  It may contain your last name,
  initials, or cryptic identification codes independent of both.  In
  the US some are based on parts of social security numbers.  Others
  are in the form 'u2338' where the number is incremented in the
  order that new users are added to the system.

  Standard internet addresses  also can contain information  on your
  broad geographical location or nationhood.  However, none of this
  information is guaranteed to be correct or be there at all.  The
  fields in the domain qualification of the username are based on
  rather arbitrary organization, such as (mostly invisible) network
  cabling distributions.  The only point to make is that early fields
  in the address are more specific (such as specific computer names
  or local networks) and the later ones the most general (such as
  continental domains).  Typically the first field is the name of the
  computer receiving mail.

  Gleaning information from the email address alone is sometimes an
  inspired art or an inconsistent and futile exercise.  (For more
  information, see the FAQs on email  addresses and known
  geographical distributions below.)  However, UNIX utilities exist
  to aid in the quest (see the question on this).

  Common Suffixes
  ---------------

  .us    United States
  .uk    United Kingdom
  .ca    Canada
  .fi    Finland
  .au    Australia

  .edu   university or college
  .com   commercial organization
  .org   'other' (e.g. nonprofit organization)
  .gov   government
  .mil   military site
 
_____
<1.4> How can I find out more about somebody with a given email address?

  One simple way is to send email to that address, asking.  Another
  way is to send mail to the postmaster at that address (i.e.
  postmaster@address), although the postmaster's job is more to help
  find user ID's of particular people given their real name and solve
  mail routing problems.  The sysadmin (i.e. `root@address') may also
  be able to supply information.  Users with related email address
  may have information.  However, all of these methods rely on the
  time and patience of others so use them minimally.

  One of the most basic tools for determining identity over the
  internet is the UNIX utility 'finger'.  The basic syntax is:

    finger user@here.there.everywhere

  This utility uses communication protocols to query the computer
  named in the address for information on the user named.  The
  response is generated completely by the receiving computer and may
  be in any format.  Possible responses are as follows:

  - A message `unknown host' meaning some aspect of the address is
    incorrect, two lines with no information and '???'.
  
  - A message 'In real life: ???' in which case the receiving computer
    could not find any kind of a match on the username. The finger
    utility may return this response in other situations.
  
  - A listing of information associated with multiple users. Some
    computers will search only for matching user IDs, others will
    attempt to find the username you specified as a substring of all
    actual full names of users kept in a local database.
  
  At some sites 'finger' can be used to get a list of all users on the
  system with a `finger @address'.  In general this is often
  considered weak security, however, because `attackers' know valid
  user ID's to `crack' passwords.

  More information on the fields returned by `finger' is given below. 
  More information on `finger' and locating people's email addresses
  is given in the email FAQ (such as the WHOIS lookup utility).  Just
  as you can use these means to find out about others, they can use
  them to find out about you.  You can `finger' yourself to find out
  what is publicly reported by your UNIX system about you.  Be
  careful when modifying `finger' data; virtually anyone with
  internet access worldwide can query this information.  In one
  amazing case, the New York Times writer J. Markoff uncovered the
  identity of R. Morris, author of the Internet Worm,  through
  the use of an anonymous tip and 'finger'.  See the book Cyberspace
  by K. Hafner and J. Markoff.

_____
<1.5> Why is identification (un)stable on the internet?

  Generally, identity is an amorphous and almost nonexistent concept
  on the Internet for a variety of reasons.  One is the inherent
  fluidity of `cyberspace' where people emerge and submerge
  frequently, and absences are not readily noted in the `community'. 
  Most people remember faces and voices, the primary means of casual
  identification in the 'real world'.  The arbitrary and cryptic
  sequences of letters and digits comprising most email addresses are
  not particularly noticeable or memorable and far from a unique
  identification of an individual, who may use multiple accounts on
  multiple machines anywhere in the world.

  Currently internet users do not really have any great assurances
  that the messages in email and USENET are from who they appear to
  be. A person's mailing address is far from an identification of an
  individual.  
  
  - Anyone with access to the account, e.g. they know the password,
    either legitimately or otherwise, can send mail with that address
    in the From: line.
  
  - Email addresses for an individual tend to change frequently as
    they switch jobs or make moves inside their organizations. 

  - As part of current mailing protocol standards, forging the From:
    line in mail messages is a fairly trivial operation for many
    hackers.
    
  The status and path information prepended to messages by
  intermediate hosts is generally unforgeable. In general, while
  possible, forgeries are fairly rare on most newsgroups and in
  email.  Besides the pathological cases above, there are many basic
  problems with today's internet protocols affecting identification
  on the internet:

  - Internet mail standards, described in RFC-822, are still evolving
    rapidly and not entirely orderly.  For example, standards for
    mail address `munging' or `parsing' tend to vary slightly between
    sites and frequently mean the difference between finding
    addresses and bouncing mail.
  
  - Domain names and computer names are frequently changed at sites,
    and there are delays in the propagation of this data.
  
  - Addresses cannot be resolved when certain critical computers
    crash, such as the receiving computer or other computers involved
    in resolving names into addresses called `nameservers'. 
  
  - A whole slew of problems is associated with  `nameservers'; if
    they are not updated they will not find name addresses, and even
    the operation of what constitutes `updating' has different
    interpretations at different sites.
  
  The current internet mailing and addressing protocols are slightly
  anachronistic in that they were created when the network was
  somewhat obscure and not widespread, with only a fraction of the
  traffic it now sees.  Today a large proportion of internet traffic
  is email, comprising  millions of messages.
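The relay chain recorded in the Received: headers (section <1.1>) and the forgery caveats above (section <1.5>) can be checked mechanically. The following is an added example, not part of this FAQ: it parses the Received: lines of a constructed message (every host name and address in it is made up) and reports how many hops, counted from the recipient's own mail host downward, corroborate one another. A sender who writes fake lines that stay consistent with the real ones passes this check, which is exactly the hard case the FAQ describes.

```python
"""Added example (not part of the FAQ): reconstruct the relay chain that the
Received: headers record (section <1.1>) and find the point below which it
is no longer corroborated (section <1.5>).  Each relay prepends its own
Received: line, so the top one was written by the recipient's own mail host
and is the most trustworthy; walking downward, each line's "from" host
should match the next older line's "by" host.  The first mismatch marks
where the chain stops being vouched for by hosts you can trust.  The
message and all host names below are constructed for this example."""
import email
import re

# Constructed message.  The two upper hops were written by hosts on the
# recipient's side; the two lower ones were prepended by the sender before
# submission and claim a path through "gateway.forged.example" that the
# real relay never saw (it recorded the mail arriving from a dial-up host).
SAMPLE_MESSAGE = """\
Received: from relay.example.net (relay.example.net [192.0.2.10])
    by mail.example.edu with SMTP id AA12345; Tue, 2 Mar 1993 10:15:02 -0500
Received: from dialup7.forged.example ([203.0.113.7])
    by relay.example.net with SMTP id BB67890; Tue, 2 Mar 1993 10:14:50 -0500
Received: from origin.forged.example (origin.forged.example [203.0.113.20])
    by gateway.forged.example with SMTP id CC11111; Tue, 2 Mar 1993 10:14:40 -0500
Received: from localhost by origin.forged.example with SMTP id DD22222;
    Tue, 2 Mar 1993 10:14:30 -0500
From: someone@forged.example
To: ld231782@longs.lance.colostate.edu
Subject: test

hello
"""

# A Received: value normally reads "from <host> (...) by <host> with ...; <date>".
FROM_RE = re.compile(r"^from\s+([^\s;()]+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+([^\s;()]+)", re.IGNORECASE)


def parse_hops(raw_message):
    """Return the Received: hops in header order (newest first) as
    (from_host, by_host) pairs; a missing clause yields None."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())          # unfold continuation lines
        m_from = FROM_RE.search(text)
        m_by = BY_RE.search(text)
        hops.append((m_from.group(1).lower() if m_from else None,
                     m_by.group(1).lower() if m_by else None))
    return hops


def trusted_hops(hops):
    """Walk the chain from the newest hop down.  Returns (count, reason):
    `count' hops, starting at the top, form a consistent chain, and `reason'
    says why the walk stopped.  Consistency is necessary, not sufficient: a
    sender who writes matching fake lines passes this check, which is the
    hard case the FAQ describes."""
    for i in range(len(hops) - 1):
        newer_from, older_by = hops[i][0], hops[i + 1][1]
        if newer_from is None or older_by is None or newer_from != older_by:
            return i + 1, (f"hop {i} was received from {newer_from!r}, but hop "
                           f"{i + 1} claims it was handled by {older_by!r}")
    return len(hops), "all hops are mutually consistent (not proof of authenticity)"


if __name__ == "__main__":
    chain = parse_hops(SAMPLE_MESSAGE)
    for i, (src, dst) in enumerate(chain):
        print(f"hop {i}: from {src} by {dst}")
    count, why = trusted_hops(chain)
    print(f"{count} hop(s) corroborated; {why}")
```

Only the hops written by relays you control or trust are evidence of origin; everything below the break is the sender's own claim.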

_____
<1.6> What is the future of identification on the internet?

  Some new technologies and standards are introducing facial images
  and voice messages  into mail and these will improve the sense of
  community that comes from the familiarity of identification.
  However, they are not currently widespread, require large amounts
  of data transfer, standardized software, and make some compromises
  in privacy.

  Promising new cryptographic techniques may make 'digital signatures'
  and 'digital authentication' common (see below).  Also, the trend
  in USENET standards is toward greater authentication of posted
  information.  On the other hand, advances in ensuring anonymity
  (such as remailers) are forthcoming.  See below.


PRIVACY
=======

_____
<2.1> What is `privacy' on the internet?

  Generally, while `privacy' has multiple connotations in society and
  perhaps even more on the internet, in cyberspace most take it to
  mean that you have exclusive use and access to your account and the
  data stored on and directed to it (such as email), and you do
  not encounter arbitrary restrictions or searches.  In other words,
  others may obtain data associated with your account, but not
  without your permission.  These ideas are probably both fairly
  limiting and liberal in their scope in what most internet users
  consider their private domains.  Some users don't expect or want
  any privacy, some expect and demand it.

_____
<2.2> Why is privacy (un)important on the internet?

  This is a somewhat debatable and inflammatory topic, arousing
  passionate opinions.  On the internet, some take privacy for
  granted and are rudely surprised to find it tenuous or nonexistent.
  Most governments have rules that protect privacy (such as the
  illegal search and seizure clause of the U.S. constitution, adopted
  by others) but have many that are antithetical to it (such as laws
  prohibiting secret communications or allowing wiretapping). These
  rules generally carry over to the internet with few specific rules
  governing it.  However, the legal repercussions of the global
  internet are still largely unknown and untested (i.e. no strong
  legal precedents and court cases).  The fact that internet traffic
  frequently passes past international boundaries, and is not
  centrally managed, significantly complicates and strongly
  discourages its regulation.

_____
<2.3> How (in)secure are internet networks?

  - `Theoretically' people at any site in the chain of sites with
    access to hardware and network media that transmits data over the
    Internet  could potentially monitor or archive it. However, the
    sheer volume and general 'noise' inherent to this data makes
    these scenarios highly improbable, even by government agencies
    with supposedly vast funding and resources.
  
  - Technologies exist to `tap' magnetic fields given off by
    electrical wires without detection.  Less obscurely, any machine
    with a network connection is a potential station for traffic
    detection, but this scenario requires knowledge and access to
    very low-level hardware (the network card) to pursue, if even
    possible.
  
  - A company, Network General Inc., is one of many that manufacture
    and market sophisticated network monitoring tools that can
    'filter' and read packets by arbitrary criteria for
    troubleshooting purposes, but the cost of this type of device is
    prohibitive for casual use.

  Known instances of the above types of security  breaches at a major
  scale (such as at network hubs) are very rare. The greatest risks
  tend to emerge locally.  Note that all these approaches are almost
  completely defused with the use of cryptography.
    
_____
<2.4> How (in)secure is my account?

  By default, not very.  There are a multitude of factors that may
  reinforce or compromise aspects of your privacy on the internet. 
  First, your account must be secure from other users. The universal
  system is to use a password, but if it is `weak' (i.e. easy to
  guess) this security is significantly diminished.  Somewhat
  surprisingly and frighteningly to some, certain  users of the
  system, particularly the administrator, generally have unlimited
  access regardless of passwords, and may grant that access to
  others.  This means that they may read any file in your account
  without detection.

  Furthermore, not universally known, most UNIX systems keep fairly
  extensive accounting records of when and where you logged in, what
  commands you execute, and when they are executed (in fact, login
  information is usually public). Most features of this `auditing' or
  `process accounting' information are enabled by default after the
  initial installation and the system administrator may customize it
  to strengthen or weaken it to satisfy performance or privacy aims. 
  This information is frequently consulted for troubleshooting
  purposes and may otherwise be ignored.  This data tracks
  unsuccessful login attempts and other 'suspicious' activities on
  the system. A traditional part of the UNIX system that tracks user
  commands is easily circumvented by the user with the use of
  symbolic links (described  in 'man ln').
  
  UNIX implementations vary widely particularly in tracking features
  and new sophisticated mechanisms are introduced by companies
  regularly. Typically system administrators augment the basic UNIX
  functionality with public-domain programs and locally-developed
  tools for monitoring, and use them only to isolate `suspicious'
  activity as it arises (e.g. remote accesses to the 'passwd' file,
  incorrect login attempts, remote connection attempts, etc.).
  
  Generally, you should expect little privacy on your account for
  various reasons:
  
  - Potentially, every keystroke you type could be intercepted by
    someone else. 

  - System administrators make extensive backups that are completely
    invisible to users which may record the states of an account over
    many weeks. 

  - Erased files can, under many operating systems, be undeleted. 

  - Most automated services keep logs of use for troubleshooting or
    otherwise; for example FTP sites usually log the commands and
    record the domain originations of users, including anonymous
    ones.

  - Some software exacerbates these problems.  See the section on
    ``X Windows (in)security''.

  Independent of malevolent administrators are fellow users, a much
  more commonly harmful threat. There are multiple ways to help
  ensure that your account will not be accessed by others, and
  compromises can often be traced to failures in these guidelines:

  - Choose a secure password.  Change it periodically.
  - Always make sure to log out.
  - Do not leave a machine unattended for long.
  - Make sure no one watches you when you type your password.
  - Avoid password references in email.
  - Be conservative in the use of the .rhosts file.
  - Use utilities like `xlock' to protect a station, but be
    considerate.

  Be wary of situations where you think you should supply your
  password.  There are only a few basic situations where UNIX
  prompts you for a password: when you are logging in to a system or
  changing your password.  Situations can arise in which prompts for
  passwords are forged by other users, especially in cases where you
  are talking to them (such as Internet Relay Chat).  Also, be  aware
  that forged login screens are one method to illegitimately obtain 
  passwords.


  (Thanks to Jim Mattson <mattson@cs.ucsd.edu> for contributions
  here.)

_____
<2.5> How (in)secure are my files and directories?

  The most important privacy considerations are related to file
  rights, and many lapses can be traced to their misunderstood nature
  or haphazard maintenance. Be aware of the rights associated with
  your files and directories in UNIX. If the `x' (`execute') right on
  your parent directory is off for users, groups, and other, these
  users cannot gain information on anything in your directories. 
  Anything less may allow others to read, change, or even delete
  files in your home directory. The rights on a directory supersede
  the rights associated with files in that directory. For a
  directory, 'x' means that access to the files (or subdirectories)
  in the directory is possible -- if you know their names.  To list
  the contents of the directory, however, requires the 'r' right.
 
  By default most accounts are accessible only to the owner, but the
  initial configuration varies between sites based on administrator
  preference.  The default file mode specifies the initial rights
  associated with newly created files, and can be set in the shell
  with `umask'.  The details of rights implementations tend to vary
  between versions of UNIX.  Consult man pages on `chmod' and `ls'.

  Examples
  --------

    traver.lance % ls -ld ~
    drwx------ 15 ld231782     1536 Jan 31 21:22 /users/ld231782/

  Here is a listing of the rights associated with a user's home
  directory, denoted by `~'.  The columns at the left identify what
  rights are available. The first column identifies the entry as a
  directory, and the next three columns mean that read, write, and
  execute rights, respectively, are permitted for that user.  For
  directories, the `x' right means that the entries (files and
  subdirectories) within that directory can be reached by name, and
  the `r' right means that their names can be listed. The
  subsequent columns indicate that no other users have any rights to
  anything in the directory tree originating at that point.  They
  can't even `see' any lower files or subdirectories; the hierarchy
  is completely invisible to them.

    traver.lance % ls -l msg
    -rw-r--r--  1 ld231782   35661 Jan 29 23:13 msg
    traver.lance % chmod u=rw,g=,o= msg
    traver.lance % ls -l msg
    -rw-------  1 ld231782   35661 Jan 29 23:13 msg

  Here the modes on the file `msg' were changed to take away rights
  from `group' and `other'.
  
  Note that `ls -l <directory>' requires both the 'r' right to get the
  list of files and subdirectories, and the 'x' right to access the
  files and subdirectories in order to get their size, etc. For
  example, suppose the directory `foo' has rights dr--r--r--.  The
  following is possible:

    ls foo

  These commands would fail regardless of the rights on the files:
  
    ls -l foo
    ls -l foo/file
    cat foo/file
    cd foo

  If the directory `foo' has rights d--x--x--x, the following are
  possible if it is known beforehand that `foo' contains a readable
  (`r') file named `file':
  
    ls -l foo/file
    cat foo/file
    cd foo
  
  The following commands fail:
  
    ls foo
    ls -l foo
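
  The `r'/`x' rules of this section, worked through as an added
  example (not code from the FAQ): a Python model that parses an
  `ls -l' mode string, reports what each class can do with a
  directory, applies a symbolic chmod spec such as the `u=rw,g=,o='
  used above, and computes the default modes a given `umask'
  produces.  The function names are my own; the rules are the FAQ's.

```python
"""Added example, not code from the FAQ: a small model of the UNIX
rights rules in section 2.5.  It parses an `ls -l' mode string,
reports what each class can do with a directory (r lists names,
x reaches entries, r+x for `ls -l', w+x to add or remove entries),
applies a chmod symbolic spec such as `u=rw,g=,o=', and computes the
default modes a given `umask' produces.  setuid/setgid/sticky bits and
ACLs are outside the model."""

CLASSES = ("user", "group", "other")
CLASS_LETTERS = {"u": "user", "g": "group", "o": "other"}


def parse_mode(mode_string):
    """`drwxr-x---' -> ('d', {'user': {'r': True, ...}, ...})."""
    if len(mode_string) != 10:
        raise ValueError("expected a 10-character mode string")
    kind = mode_string[0]
    bits = {}
    for i, cls in enumerate(CLASSES):
        r, w, x = mode_string[1 + 3 * i:4 + 3 * i]
        # s and t (setuid/setgid/sticky) imply the x bit is also set.
        bits[cls] = {"r": r == "r", "w": w == "w", "x": x in "xst"}
    return kind, bits


def format_mode(kind, bits):
    """Inverse of parse_mode (setuid/setgid/sticky are not preserved)."""
    out = kind
    for cls in CLASSES:
        out += "".join(p if bits[cls][p] else "-" for p in "rwx")
    return out


def directory_access(mode_string):
    """What each class can do with a directory, per the FAQ's rules."""
    kind, bits = parse_mode(mode_string)
    if kind != "d":
        raise ValueError("not a directory mode")
    report = {}
    for cls, b in bits.items():
        report[cls] = {
            "list_names": b["r"],                # ls foo
            "reach_entries": b["x"],             # cat foo/file, cd foo
            "long_listing": b["r"] and b["x"],   # ls -l foo
            "add_or_remove": b["w"] and b["x"],  # touch foo/new, rm foo/file
        }
    return report


def apply_symbolic_chmod(mode_string, spec):
    """Apply `u=rw,g=,o=', `go-rwx', `a+x' ... and return the new mode."""
    kind, bits = parse_mode(mode_string)
    for clause in spec.split(","):
        who = ""
        while clause and clause[0] in "ugoa":
            who += clause[0]
            clause = clause[1:]
        if not clause or clause[0] not in "=+-":
            raise ValueError("bad chmod clause: " + spec)
        op, perms = clause[0], clause[1:]
        if not who or "a" in who:
            targets = CLASSES
        else:
            targets = [CLASS_LETTERS[c] for c in who]
        for cls in targets:
            for p in "rwx":
                if op == "=":
                    bits[cls][p] = p in perms
                elif p in perms:
                    bits[cls][p] = (op == "+")
    return format_mode(kind, bits)


def default_modes(umask):
    """New files start at 0666 and new directories at 0777; the umask
    bits are cleared.  Returns (file_mode, dir_mode) as octal strings."""
    return "%04o" % (0o666 & ~umask), "%04o" % (0o777 & ~umask)


if __name__ == "__main__":
    for mode in ("dr--r--r--", "d--x--x--x", "drwx------"):
        print(mode, directory_access(mode)["other"])
    print(apply_symbolic_chmod("-rw-r--r--", "u=rw,g=,o="))
    print(default_modes(0o077))
```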
  

  (Thanks to Uwe Waldmann <uwe@mpi-sb.mpg.de> for contributions here.)

_____
<2.6> How (in)secure is X Windows?

  X Windows is the primary software developed by the MIT Athena
  project which is funded by U.S. government grants to develop
  applications to harness the power of networks in enhancing
  computational tasks, particularly the human-computer interface.
  The software implements a client-server interface to a computer via
  graphical windows. In this case the `client' is the application
  requesting or utilizing graphical resources (such as windows or a
  mouse) and the `server' is the machine that provides them.  In many
  situations the client is an application program running on the same
  machine as the server.

  The great utility of X Windows comes from its complete dissociation
  of the client and server so that windows may be `broadcast' to a
  server at a remote location from the client. Unfortunately this
  dynamic power also introduces many deep, intricate, and complicated
  security considerations.  The primary security and privacy issue
  associated with X Windows is that much more sensitive data may be
  sent over a network, and over wider regions, than in the case where
  the human is situated near the host computer.  Currently there is
  no encryption of data such as screen updates and keystrokes in X
  Windows.

  Due to either intentional design decisions or unintentional design
  flaws, early versions of the X Window system are extremely
  insecure. Anyone with an account on the server machine can disrupt
  that display or read it electronically, because the device unix:0.0
  is accessible to any regular user.  There are no protections
  from this type of access in these versions.  The problem arises
  because the security is completely based on machine addresses
  rather than users, such that any user at a `trusted' machine is
  himself trusted. Quoting from X documentation (man Xsecurity):
  
  > Any client on a host in the host access control list is allowed
  > access to the X server. This system can work reasonably well in
  > an environment where everyone trusts everyone, or when only a
  > single person can log into a given machine...This system does not
  > work well when multiple people can log in to a single machine and
  > mutual trust does not exist. 
  
  With the access control list, the `xhost' command may prevent some
  naive attempts (i.e. those other than the direct-access unix:0.0
  evasion); the syntax as typed on the host machine is ``xhost
  +[name]'' where [name] is the domain name or internet address of an
  authorized client machine. By default clients running nonlocal to
  the host are disabled.  Public domain programs to disrupt a display
  (such as momentarily `flipping' it, slowly mirroring the screen
  image, or causing pixels to `melt' down to the bottom) have been
  circulating on the internet among hackers for several years and
  played as pranks on unsuspecting or inexperienced users.  Much more
  serious security breaches are conceivable from similar mechanisms
  exploiting these inherent weaknesses.  (The minimal, easily-bypassed
  `trusted' security mode of `xhost' has been jokingly referred to as
  ``X Hanging Open, Security Terrible.'')

  New versions of the X Window system (X11R5 and higher) by default
  make server access as secure as the file system using a .Xauthority
  file and `magic cookies'.  Remote machines must have a code in the
  .Xauthority file in the home directory that matches the code
  allowed by the server.  Many older programs and even new
  vendor-supplied code do not support or are incompatible with
  `magic cookies'. The basic magic cookie mechanism is vulnerable to
  the monitoring techniques described earlier because the cookie is
  not encrypted in transmission.  X11R5 also includes other
  sophisticated encryption mechanisms.  Try `man Xsecurity' to find
  out what is supported at your site.  Even though improved security
  mechanisms have been available in X Windows since ~1990, local
  sites often update this software infrequently because installation
  is extremely complex.


  (Thanks to Marc Vanheyningen <mvanheyn@whale.cs.indiana.edu>, 
  Jim Mattson <mattson@cs.ucsd.edu>, and Bill Marshall
  <marshall@cs.iastate.edu> for contributions here.)

_____
<2.7> How (in)secure is my email?

  By default, not very.  The characters that you are reading are
  almost certainly encoded in ASCII, the American Standard Code for
  Information Interchange that maps alphabetic and symbolic
  characters onto numeric codes and vice versa.  Virtually every
  computer system uses this code, and if not, has ways of converting
  to and from it.  When you write a mail message, by default it is
  being sent in ASCII, and since the standard is virtually
  universal, there is no intrinsic privacy.  Despite millennia's worth
  of accumulated cryptographic knowledge, cryptographic technologies
  are only recently being established that afford high priority to
  privacy as a primary criterion in computer and network design.  Some
  potential pitfalls in privacy are as follows:

  - The most serious threats are instances of immature or unscrupulous
    system operators reading private mail in the `spool files' at a
    local site (i.e. at the source or destination of the message),
    such as a university. 
  
  - System administrators may also release files to law enforcement
    agencies, but conventions and protocols for warrants involving
    computer searches have still not been strongly established and
    tested legally.

  - Note that bounced messages go to postmasters at a given site in
    their entirety.  This means that if you address mail with an
    incorrect address it has a good chance of being seen by a human
    other than the recipient.

  - Typically new user accounts are always set up such that the local
    mail directory is private, but this is not guaranteed and can be
    overridden.

  - Finally, be aware that some mailing lists (email addresses of
    everyone on a list) are actually publicly accessible via mail
    routing software mechanisms.  This `feature' can be disabled.

  Most potential compromises in email privacy can be thoroughly
  avoided with the use of strong end-to-end cryptography, which has
  its own set of caveats (for example, unscrupulous administrators
  may still be a threat if the encryption site is shared or
  nonlocal).  See the sections on ``email privacy'' and ``email
  policies.''

_____
<2.8> How am I (not) liable for my email and postings?

  As punishment or whatever, your system administrator can revoke
  certain `privileges' such as emailing, USENET posting or reading
  certain groups, file transferring, remote communications, or
  generally any subset of capabilities available from your account. 
  This all is completely at the discretion of the local administrator
  and under the procedures followed at a particular site, which in
  many cases are haphazard and crisis-oriented.  Currently there are
  virtually no widespread, uniform guidelines or procedures for
  restricting use to any internet services, and local administrators
  are free to make arbitrary decisions on access.

  Today punitive measures are regularly applied in various situations.
  In the typical scenario complaint(s) reach a system administrator
  regarding abuses by a user, usually but not necessarily preceded by
  complaints to the user in email, regarding that person's
  objectionable email or postings.  `Abusive' posters to USENET are
  usually first given admonitions from their system administrators as
  urged by others on the `net'. (The debate persists endlessly on
  many newsgroups whether this is also used as a questionable means
  of attacking or silencing `harmless crackpots' or censoring
  unpopular opinions.)
  
  System administrators at remote sites regularly cooperate to
  'squelch' severe cases of abuse.  In general, however, by tradition
  Usenet readers are remarkably tolerant of diverse views and uses of
  the system, but a colorful vocabulary of slang helps describe
  their alternatives when this patience is sapped: the options
  wielded by the individual user are to simply advance to the next
  message (referred to as ``hitting the `n' key''), or to `plonk'
  annoying posters (according to the Hacker's Dictionary, the sound a
  jerk makes at the end of a fall to the bottom of a kill file).

  In cases where punitive actions are applied, generally system
  administrators are least likely to restrict email.  USENET postings
  are much more commonly restricted, either to individual users or 
  entire groups (such as a university campus).  Restrictions are most
  commonly associated with the following `abuses':

  - harassing or threatening notes, `email terrorism'
  - illegal uses, e.g. piracy or propagation of copyrighted material
  - `ad hominem' attacks, i.e. insulting the reputation of the
    poster instead of citing the content of the message
  - intentional or extreme vulgarity and offensiveness
  - inappropriate postings, esp. binary files in regular groups
  - `mail-bombing': inundating mail boxes with numerous or massive
    files

  Major problems originate from lack of distinctions in private and
  official email or postings.  Most users have internet access via
  accounts at businesses or universities and their activities on the
  internet can be construed as representative of their parent
  organizations. Many people put disclaimers in their `signatures' in
  an attempt to dissociate their identity and activities from parent
  organizations as a precaution. A recent visible political case
  involves the privacy of electronic mail written by White House
  staff members of the Bush administration.  Following are some
  guidelines:

  - Acquaint yourself with your company or university policy.
  - If possible, avoid use of your company email address for private
    communication.
  - Use a disclaimer.
  - Keep a low profile (avoid `flamewars' or simply don't post).
  - Avoid posting information that could be construed to be
    proprietary or `internal'.

  The following references are available from ftp.eff.com
  (see also the section on ``internet use policies''):

  /pub/academic/banned.1991
  /pub/academic/banned.1992
  ---
    Computer material that was banned/challenged in academia in 1991
    and 1992 including USENET hierarchies.

  /pub/academic/cases
  ---
    This is an on-line collection of information about specific
    computers and academic freedom cases. File README is a detailed
    description of the items in the directory.

  /pub/academic/faq/netnews.liability
  ---
    Notes on university liability for Usenet.

_____
<2.9> How do I provide more/less information to others on my identity?

  The public information of your identity and account is mostly
  available through the UNIX utility `finger' described above.

  - You have control over most of this information with the utility
    `chfn'; the specifics vary between sites (on some systems use
    `passwd -f').

  - You can provide unlimited information in the .plan file which is
    copied directly to the destination during the fingering.

  - A technique that works at some sites allows you to find out who is
    'finger'ing you and even to vary the .plan file sent to them.

  - Your signature is determined by the environment variable SIGNATURE.

  - USENET signatures are conventionally stored in the .signature file
    in your home directory.
    
  Providing less information on your online identity is more difficult
  and involved.  One approach is to ask your system administrator to
  change or delete information about you (such as your full name). 
  You may be able to obtain access on a public account or one from
  someone unrelated to you personally.  You may be able to remotely
  login (via modem or otherwise) to computers that you are not
  physically near.  These are tactics for hiding or masking your
  online activities but nothing is foolproof.  Consult man pages on
  the 'chmod' command and the default file mode.  Generally, files on
  a shared system have good safeguards within the user pool but very
  little protection is possible from corrupt system administrators.

  To mask your identity in email or on USENET you can use different
  accounts. More untraceable are new `anonymous posting' and
  remailing services that are very recently being established.  See
  below.

______
<2.10> Who is my sysadmin?  What does s/he know about me?

  The requirements and screening for getting a system administration
  job (and thereby access to all information on a system) vary widely
  between sites and are sometimes frighteningly lax, especially at
  universities.  Many UNIX systems at universities are largely
  managed by undergraduates with a background in computing and often
  `hacking'.  In general, commercial and industrial sites are more
  strict on qualifications and background, and government sites are
  extremely strict.

  The system administrator (root user) can monitor what commands you
  used and at what times.  S/he may have a record (backups) of files
  on your account over a few weeks. S/he can monitor when you send
  email or post USENET messages, and potentially read either.  S/he
  may have access to records indicating what hosts you are using,
  both locally and elsewhere.  Administrators sometimes employ
  specialized programs to track `strange' or `unusual' activity,
  which can potentially be misused.

______
<2.11> Why is privacy (un)stable on the internet?

  For the numerous reasons listed above, privacy should not be an
  expectation with current use of the internet.  Furthermore, large
  parts of the internet are funded by the U.S. NSF (National Science
  Foundation) which places certain restrictions on its use (such as
  prohibiting commercial use).  Some high-level officials in this and
  other government agencies may be opposed to emerging techniques to
  guarantee privacy (such as encryption and anonymous services).

  Historically the major threats to privacy on the internet have been
  local. Perhaps the most common example of this is the widespread
  occurrences of university administrators refusing to carry some
  portion of USENET newsgroups labelled as `pornographic'. The
  `alternative' hierarchy in the USENET system, which has virtually
  no restrictions on propagation and new group creation, is
  frequently targeted (although this material may appear anywhere).

  From the global point of view traffic is generally completely
  unimpeded on the internet and only the most egregious offenders
  are pursued.  For example, verbatim transcriptions of copyrighted
  material (such as newspaper or magazine articles) are posted to
  USENET with regularity without major consequences (some email
  complaints may ensue).  More astonishing to some is that currently
  significant portions of USENET traffic, and less so internet
  traffic, consist of sexually-explicit digitized images almost
  entirely originating from copyrighted material (newsgroups such as
  `alt.sex' regularly have the highest traffic).
  
______
<2.12> What is the future of privacy on the internet?

  Some argue that the internet currently has an adequate or
  appropriate level of privacy.  Others will argue that as a
  prototype for future global networks it has woefully inadequate
  safeguards.  The internet is growing to become a completely global,
  international superhighway for data, and this traffic will
  inevitably entail data such as voice messages, postal mail, and
  many other items of extremely personal nature. Computer items that
  many people consider completely private (such as their local hard
  drives) will literally be inches from global network connections.
  Also, sensitive industrial and business information is exchanged
  over networks currently and this volume may conceivably merge with
  the internet.
  
  Most would agree that, for these basic but sensitive uses of the
  internet, no significant mechanisms are currently in place to
  ensure much privacy. New standards are calling for uniform
  introduction of `privacy enhanced mail' (PEM) which uses encryption
  technologies to ensure privacy, so that privacy protection is
  automatic, and may significantly improve safeguards.

  The same technology that can be extremely destructive to privacy
  (such as with surreptitious surveillance) can be overwhelmingly
  effective in protecting it (e.g. with encryption). Some government
  agencies are opposed to unlimited privacy in general, and believe
  that it should lawfully be forfeited in cases of criminal conduct
  (e.g. court-authorized wiretapping).  However, powerful new
  technologies to protect privacy on computers are becoming
  increasingly popular, provoking some to say that ``the cat is out
  of the bag'' and the ``genie can't be put back in the bottle''.  In
  less idiomatic terms, they believe that the spread of strong
  cryptography is already underway and will be socially and
  technically unstoppable.
  
  To date, no feasible system that guarantees both secure
  communication and government oversight has been proposed (the two
  goals are largely incompatible). Proposals for ``registration'' of
  secret keys (by D. Denning on sci.crypt, for example) have been met
  with hot controversy at best and ridicule and derision at worst,
  mainly because of concerns for the right to privacy and objections
  of inherent feasibility.  Electronic privacy issues, and
  particularly the proper roles of networks and the internet, will
  foreseeably become highly visible and explosive over the next few
  years.


ANONYMITY
=========

_____
<3.1> What is `anonymity' on the internet?

  Simply stated, anonymity is the absence of identity, the
  ultimate in privacy. However, there are several variations on
  this simple theme.  A person may wish to be consistently
  identified by a certain pseudonym or `handle' and establish a
  reputation under it in some area, providing pseudo-anonymity.
  A person may wish to be completely untraceable for a single
  one-way message (a sort of `hit-and-run'). Or, a person may
  wish to be openly anonymous but carry on a conversation with
  others (with either known or anonymous identities) via an
  `anonymous return address'.  A user may wish to appear as a
  `regular user' but actually be untraceable.  Sometimes a user
  wishes to hide who he is sending mail to (in addition to the
  message itself). The anonymous item itself may be directed at
  individuals or groups.  A user may wish to access some
  service and hide all signs of the association.
  
  All of these uses are feasible on the internet but are currently
  tricky to carry out in practice, because of all the tracking
  mechanisms inherent to operating systems and network protocols. 
  Officials of the NSF and other government agencies may be opposed
  to any of these uses because of the potential for abuse. 
  Nevertheless, the inherent facelessness of large networks will
  always guarantee a certain element of anonymity.

_____
<3.2> Why is `anonymity' (un)important on the internet?

  Anonymity is another powerful tool that can be beneficial or
  problematic depending on its use.  Arguably the absence of
  identification is as important as its presence.  It may be the
  case that many strong benefits from electronic anonymity will be
  discovered that were unforeseen and unpredicted, because true
  anonymity has been historically very difficult to establish.

  One can use anonymity to make personal statements to a colleague
  that would sabotage a relationship if stated openly (such as
  employer/employee scenarios).  One can use it to pass information
  and evade any threat of direct retribution.  For example,
  `whistleblowers' reporting on government abuses (economic, social,
    or political) can bring issues to light without fear of stigma or
  retaliation. Sensitive, personal, potentially damaging information
  is often posted to some USENET groups, a risky situation where
  anonymity allows conversations to be carried on completely
  independent of the identities of the participants.  Some police
  departments run phone services that allow anonymous reporting of
  crimes; such uses would be straightforward on the network.
  Unfortunately, extortion and harassment become more insidious with
  assurances of anonymity.

_____
<3.3> How can anonymity be protected on the internet?

  The chief means, as alluded to above, are masking identities in
  email and posting. However, anonymous accounts (public accounts as
  accessible and anonymous as e.g. public telephones) may be
  effective as well, but this use is generally not officially
  supported and even discouraged by some system administrators and NSF
  guidelines.  The nonuniformity in the requirements of obtaining
  accounts at different sites and institutions makes anonymous
  accounts generally difficult for the public at large to obtain.

  Many communications protocols are inherently detrimental to
  anonymity.  Virtually every protocol in existence currently
  contains information on both sender and receiver in every packet.
  New communications protocols will likely develop that guarantee
  much higher degrees of secure anonymous communication.

_____
<3.4> What is `anonymous mail'?

  One approach to `anonymizing' mail has been to set up an `anonymous
  server' that, when activated by email to its address, responds by
  allocating and supplying an `anonymous ID' that is unique to the
  person requesting it (based on his email address).  This will vary
  for the same person for different machine address email
  originations. To send anonymous mail, the user sends email directed
  to the server containing the final destination. The server
  `anonymizes' the message by stripping off identification information
  and forwards the message, which then appears to originate only from
  the anonymous server, under the corresponding anonymous user ID.
  This is the `interactive' use of anonymity or pseudonymity
  mentioned above.

  Another more `fringe' approach is to run a `cypherpunk' remailer
  from a regular user account (no root system privileges are
  required). These are currently being pioneered by Eric Hughes and
  Hal Finney <hal@alumni.caltech.edu>. The operator runs a process on
  a machine that anonymizes mail sent to him with certain
  characteristics that distinguish it from his regular incoming mail
  (typically fields in the header). One has been implemented as a
  PERL script running on UNIX.  Several of these are in existence
  currently but sites and software currently are highly unstable;
  they may be in operation outside of system administrator knowledge.
  The remailers don't generally support anonymous return addresses.
  Mail that is incorrectly addressed is received by the operator.
  Generally the operator of the remailer has to disavow any
  responsibility for the messages forwarded through his system,
  although he may actually be held liable regardless.

  These approaches have several serious disadvantages and weaknesses:
  
  - The anonymous server approach requires a mapping of anonymous
    ID's to real addresses that must be maintained indefinitely.
    One alternative is to allow `deallocation' of aliases at the
    request of the user, but this has not been implemented yet.

  - Although an unlikely scenario, traffic to any of these sites could
    conceivably be monitored from the `outside', necessitating the
    use of cryptography for basic protection.

  - Local administrators can shut them down either out of caprice or
    under pressure from local, network, or government agencies.
  
  - Unscrupulous providers of the services can monitor the traffic
    that goes through them.

  - Most remailers currently keep logs that may be inspected. 

  - The cypherpunk approach tends to be highly unstable because these
    operators are basically network users who do not own the
    equipment and are accountable to their own system
    administrators, who may be unaware of the use and unsympathetic
    to the philosophy of anonymity when the operation is discovered,
    regarding it as illicit use.

  - In all cases, a high degree of trust is placed in the anonymous
    server operator by the user.

  Currently the most direct route to anonymity involves using SMTP
  protocols to submit a message directly to a server with arbitrary
  field information.  This practice, not uncommon to hackers, and the
  approach used by remailers, is generally viewed with hostility by
  most system administrators.  Information in the header routing data
  and logs of network port connection information may be retained
  that can be used to track the originating site.  In practice, this
  is generally infeasible and rarely carried out.  Some
  administrators on the network will contact local administrators to
  request a message be tracked and its writer admonished or punished
  more severely (such as revoking the account), all of this actually
  happening occasionally but infrequently.

  See the sections ``known anonymous mail and posting sites'' and 
  ``responsibilities associated with anonymity''.

_____
<3.5> What is `anonymous posting'?

  Anonymous servers have been established as well for anonymous Usenet
  posting with all the associated caveats above (monitored traffic,
  capricious or risky local circumstances, logging).  Make sure to
  test the system at least once by e.g. anonymous posting to
  misc.test (however some operators don't recommend this because many
  sites `autorespond' to test messages, possibly causing the
  anonymous server to allocate anonymous IDs for those machines). 
  See the ``responsibilities associated with anonymous posting''
  before proceeding.

  Another direct route involves using NNTP protocols to submit a
  message directly to a news server with arbitrary field information.
  This practice, not uncommon to hackers, is also generally viewed
  with hostility by most system administrators, and similar
  consequences can ensue.

  See the sections ``known anonymous mail and posting sites'' and 
  ``responsibilities associated with anonymity''.

_____
<3.6> Why is anonymity (un)stable on the internet?

  As noted, many factors compromise the anonymity currently available
  to the general internet community, and these services should be
  used with great caution.  To summarize, the technology is in its
  infancy and current approaches are unrefined, unreliable, and not
  completely trustworthy.  No standards have been established and
  troubling situations of loss of anonymity and bugs in the software
  are prevalent.  Here are some encountered and potential bugs: 
  
  - One anonymous remailer reallocated already allocated anonymous
    return addresses.
  - Others passed signature information embedded in messages
    unaltered.
  - Address resolution problems resulting in anonymized mail bounced
    to a remailer are common.
  - Forgeries to the anonymous server itself are a problem, possibly
    allowing unauthorized users to glean anon ID - email address
    mappings in the alias file.  This can be remedied with the use of
    passwords.
  - Infinite mail loops are possible with chaining remailers.
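
  The anonymous-server scheme described in <3.4>, together with the
  signature and forgery problems listed just above, modelled as an
  added example in Python; this is not code from the FAQ or from any
  actual anonymous server.  The X-Anon-To and X-Anon-Password
  headers, the anon.example domain, the sample message and the
  password check (the FAQ's suggested remedy for forgeries) are all
  constructed for this example.

```python
"""Added example, not code from the FAQ or from any real remailer: a
model of the `anonymous server' of section 3.4 that also handles two of
the section 3.6 bugs (signatures passed through unaltered, forgeries
claiming someone else's alias).  The X-Anon-To and X-Anon-Password
headers, the domain and the sample message are all constructed here."""
import hashlib
import hmac
import re

# Headers that reveal the origin (or are only for the server); everything
# else is passed through unchanged.
IDENTIFYING_HEADERS = {"from", "sender", "reply-to", "return-path",
                       "received", "message-id", "organization", "x-mailer",
                       "to", "x-anon-to", "x-anon-password"}


def parse_message(raw):
    """Split a message into [(name, value), ...] headers and the body.
    Assumes one header per line (no folded continuation lines)."""
    head, _, body = raw.partition("\n\n")
    headers = []
    for line in head.split("\n"):
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers, body


def get_header(headers, wanted):
    for name, value in headers:
        if name.lower() == wanted:
            return value
    return None


def extract_address(from_value):
    """`Jane Doe <jdoe@host>' -> `jdoe@host'; a bare address is returned as-is."""
    match = re.search(r"<([^>]+)>", from_value)
    return (match.group(1) if match else from_value).strip().lower()


def strip_signature(body):
    """Drop the `-- ' separator and everything after it, so a .signature
    naming the real user cannot ride along with the anonymized message."""
    lines = body.split("\n")
    for i, line in enumerate(lines):
        if line.rstrip() == "--":
            return "\n".join(lines[:i]) + "\n"
    return body


class AnonServer:
    def __init__(self, domain):
        self.domain = domain
        # The alias file: it must be kept for as long as any alias is in
        # use, and it is exactly what a forger or a corrupt operator wants.
        self.address_to_id = {}
        self.id_to_address = {}
        self.password_digest = {}
        self.next_number = 1

    def alias_for(self, address, password):
        digest = hashlib.sha256(password.encode()).digest()
        if address not in self.address_to_id:
            anon_id = "an%d" % self.next_number
            self.next_number += 1
            self.address_to_id[address] = anon_id
            self.id_to_address[anon_id] = address
            self.password_digest[address] = digest
        elif not hmac.compare_digest(self.password_digest[address], digest):
            # A message with a forged From: line but the wrong password
            # must not go out under the victim's established alias.
            raise PermissionError("password does not match alias for " + address)
        return self.address_to_id[address]

    def real_address(self, anon_id):
        """Resolve an alias; only the server does this, to route replies."""
        return self.id_to_address[anon_id]

    def anonymize(self, raw_message):
        headers, body = parse_message(raw_message)
        sender = get_header(headers, "from")
        destination = get_header(headers, "x-anon-to")
        if sender is None or destination is None:
            raise ValueError("need both From: and X-Anon-To: headers")
        anon_id = self.alias_for(extract_address(sender),
                                 get_header(headers, "x-anon-password") or "")
        out = [("From", "%s@%s" % (anon_id, self.domain)), ("To", destination)]
        out += [(n, v) for n, v in headers if n.lower() not in IDENTIFYING_HEADERS]
        return "\n".join("%s: %s" % h for h in out) + "\n\n" + strip_signature(body)


# Constructed sample of what the server receives from a user.
SAMPLE = """\
Received: from host.example.edu by anon.example with SMTP id 123
From: Jane Doe <jdoe@host.example.edu>
To: anon@anon.example
X-Anon-To: alice@dest.example
X-Anon-Password: example-pass
Subject: test
Message-ID: <1@host.example.edu>
Date: Wed, 3 Mar 1993 12:00:00 -0500

Hello from nowhere.
-- 
Jane Doe, host.example.edu
"""

if __name__ == "__main__":
    print(AnonServer("anon.example").anonymize(SAMPLE))
```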
  
  Source code is being distributed, tested, and refined for these
  systems, but standards are progressing slowly and weakly.  The
  field is not likely to improve considerably without official
  endorsement and action by network agencies.  The whole idea is
  essentially still in its infancy and viewed with suspicion and
  distrust by many on the internet, seen as illegitimate or favorable
  to criminality.  The major objection to anonymity over regular
  internet use is the perceived lack of accountability to system
  operators, i.e. invulnerability to account restrictions resulting
  from outside complaints.  System administrators at some sites have
  threatened to filter anonymous news postings generated by the
  prominent servers from their redistribution flows.  This may only
  have the effect of encouraging server operators to create less
  characteristically detectable headers.  Probably the least
  problematic approach, and the most traditional to Usenet, is for
  individual users to deal with anonymous mail however they prefer,
  e.g. ignoring it or filtering it with kill files.
  
_____
<3.7> What is the future of anonymity on the internet?

  New anonymous protocols effectively serve to significantly increase
  safeguards of anonymity.  For example, the same mechanism that
  routes email over multiple hosts, thereby threatening its privacy,
  can also be used to guarantee it. In a scheme called `chaining' an
  anonymous message is passed through multiple anonymous servers
  before reaching a destination.  In this way generally multiple
  links of the chain have to be `broken' for security to be
  compromised. Re-encryption at each link makes this scenario even
  more unlikely.  Even more significantly the anonymous remailers
  could be spread over the internet globally so that local weaknesses
  (such as corrupt governments or legal wiretapping within a nation)
  would be more unlikely to sacrifice overall security by message
  tracing. However, remailers run by corrupt operators are possible.
  
  The future of anonymous services on the internet is, at this time,
  highly uncertain and fraught with peril. While specific groups seem
  to benefit significantly from anonymous posting capabilities, many
  feel that unlimited newsgroup scope for anonymous posting is a
  disruptive and dangerous idea and detracts from discussions in
  `serious' groups.  The introduction of unlimited group anonymity
  may have fundamental repercussions on Usenet conventions and
  distribution mechanisms such as moderated and `alt' groups have had
  in the past. For example, as part of new group creation, the
  charter may specify whether `anonymous' posting is (un)welcome. 

  Nevertheless, the widespread introduction and use of anonymity may
  be inevitable. Based on traffic statistics, anonymous services are
  in huge demand. Pervasive and readily available anonymity could
  carry significant and unforeseen social consequences.  However, if
  its use continues to be generally regarded as subversive it may
  be confined to the underground.  The ramifications of widespread
  introduction of anonymity to Usenet are still largely unknown. It
  is unclear whether it will provoke significant amounts of new
  traffic or, instead of expansion, cause a shift where a greater
  portion of existing traffic is anonymized.  Conceivably the
  services could play a role in influencing future mainstream social
  acceptance of Usenet.


* * *

This is Part 1 of the Privacy & Anonymity FAQ, obtained via anonymous
  FTP to pit-manager@mit.edu:/pub/usenet/news.answers/net-privacy/ or 
  newsgroups news.answers, sci.answers, alt.answers every 21 days.
Written by L. Detweiler <ld231782@longs.lance.colostate.edu>.
All rights reserved.


Newsgroup: sci.crypt
Document_id: 15177
From: ld231782@longs.lance.colostate.edu (L. Detweiler)
Subject: Privacy & Anonymity on the Internet FAQ (2 of 3)

Archive-name: net-privacy/part2
Last-modified: 1993/3/3
Version: 2.1


IDENTITY, PRIVACY, and ANONYMITY on the INTERNET
================================================

(c) 1993 L. Detweiler.  Not for commercial use except by permission
from author, otherwise may be freely copied.  Not to be altered. 
Please credit if quoted.

SUMMARY
=======

Email and account privacy, anonymity, file encryption,  academic 
computer policies, relevant legislation and references, EFF, and 
other privacy and rights issues associated with use of the Internet
and global networks in general.

(Search for <#.#> for exact section. Search for '_' (underline) for
next section.)

PART 2
====== (this file)

Resources
---------

<4.1> What UNIX programs are related to privacy?
<4.2> How can I learn about or use cryptography?
<4.3> What is the cypherpunks mailing list?
<4.4> What are some privacy-related newsgroups?  FAQs?
<4.5> What is internet Privacy Enhanced Mail (PEM)?
<4.6> What are other Request For Comments (RFCs) related to privacy?
<4.7> How can I run an anonymous remailer?
<4.8> What are references on privacy in email?
<4.9> What are some email, Usenet, and internet use policies?
<4.10> What is the MIT ``CROSSLINK'' anonymous message TV program?

Miscellaneous
-------------

<5.1> What is ``digital cash''?
<5.2> What is a ``hacker'' or ``cracker''?
<5.3> What is a ``cypherpunk''?
<5.4> What is `steganography' and anonymous pools?
<5.5> What is `security through obscurity'?
<5.6> What are `identity daemons'?
<5.7> What standards are needed to guard electronic privacy?

Issues
------

<6.1> What is the Electronic Frontier Foundation (EFF)?
<6.2> Who are Computer Professionals for Social Responsibility (CPSR)?
<6.3> What was `Operation Sun Devil' and the Steve Jackson Game case?
<6.4> What is Integrated Services Digital Network (ISDN)?
<6.5> What is the National Research and Education Network (NREN)?
<6.6> What is the FBI's proposed Digital Telephony Act?
<6.7> What other U.S. legislation is related to privacy on networks?
<6.8> What are references on rights in cyberspace?
<6.9> What is the Computers and Academic Freedom (CAF) archive?

Footnotes
---------

<7.1> What is the background behind the Internet?
<7.2> How is Internet `anarchy' like the English language?
<7.3> Most Wanted list
<7.4> Change history


* * *


RESOURCES
=========


_____
<4.1> What UNIX programs are related to privacy?

  For more information, type `man [cmd]' or `apropos [keyword]' at the
  UNIX shell prompt.

    passwd - change password
    finger - obtain information about a remote user
    chfn   - change information about yourself obtainable by remote
             users (sometimes `passwd -f')
    chmod  - change the rights associated with a file or directory
    umask  - (shell) change the default (on creation) file access
             rights
    ls     - list the rights associated with files and directories
    xhost  - allow or disable access control of particular users to an
             Xwindow server
    last   - list the latest user logins on the system and their
             originations
    who    - list other users, login/idle times, originations
    w      - list other users and what they are running
    xhost  - access control list for X Window client use
    xauth  - control X Window server authentication
    
    .signature  - file in the home directory appended to USENET posts
    .forward    - file used to forward email to other accounts
    .Xauthority - file used for X Window server authentication keys
    $SIGNATURE  - variable used for name in email and USENET postings
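  A small audit of the dot-files listed above, added here as an
  example (it is not part of the FAQ and not a standard UNIX tool).
  It checks the same mode bits that `ls', `chmod' and `umask'
  manipulate: `.forward' and `.signature' must not be writable by
  others (whoever can write them can redirect your mail or alter what
  is appended to your posts), and `.Xauthority' must not be readable
  by others (it holds your X server authentication keys).  The sample
  home directory with deliberately loose permissions is constructed by
  the code itself.

```python
"""Check the permission bits on the privacy-relevant dot-files listed above.

Added example; not part of the FAQ.  Uses the same mode bits that ls, chmod
and umask manipulate.
"""
import os
import stat
import tempfile

# What each file protects, and therefore which bits matter:
#   .forward     anyone who can write it can redirect your mail
#   .signature   anyone who can write it can alter what is appended to your posts
#   .Xauthority  anyone who can read it holds your X server authentication keys
CHECKS = {
    ".forward": ("write",),
    ".signature": ("write",),
    ".Xauthority": ("read", "write"),
}
GROUP_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH
GROUP_OTHER_READ = stat.S_IRGRP | stat.S_IROTH


def audit_home(home: str) -> list:
    """Return (file, problem, suggested fix) tuples; an empty list means nothing to report."""
    findings = []
    for name, concerns in CHECKS.items():
        path = os.path.join(home, name)
        try:
            mode = os.stat(path).st_mode
        except FileNotFoundError:
            continue  # file absent: nothing to protect
        if "write" in concerns and mode & GROUP_OTHER_WRITE:
            findings.append((name, "writable by group/others", f"chmod go-w {path}"))
        if "read" in concerns and mode & GROUP_OTHER_READ:
            findings.append((name, "readable by group/others", f"chmod go-rw {path}"))
    return findings


def remediate(home: str, findings: list) -> None:
    """Apply the suggested chmod for each finding by clearing the offending bits."""
    for name, problem, _ in findings:
        path = os.path.join(home, name)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        mode &= ~GROUP_OTHER_WRITE
        if problem.startswith("readable"):
            mode &= ~GROUP_OTHER_READ
        os.chmod(path, mode)


def umask_is_safe(mask: int) -> bool:
    """True when the umask clears group/other write bits on newly created files."""
    return mask & 0o022 == 0o022


def current_umask() -> int:
    old = os.umask(0o077)  # umask can only be read by setting it; put it back at once
    os.umask(old)
    return old


def make_sample_home() -> str:
    """Constructed home directory with deliberately loose modes, for the demo."""
    home = tempfile.mkdtemp(prefix="privacy-audit-")
    for name, mode in ((".forward", 0o666), (".signature", 0o644), (".Xauthority", 0o644)):
        path = os.path.join(home, name)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    return home


if __name__ == "__main__":
    home = make_sample_home()
    for finding in audit_home(home):
        print("%-12s %-27s %s" % finding)
    print("umask %04o safe: %s" % (current_umask(), umask_is_safe(current_umask())))
```

  Run against a real account, `audit_home(os.path.expanduser("~"))'
  reports only files that exist; the suggested `chmod go-w' and
  `chmod go-rw' lines are the manual equivalent of what `remediate'
  applies.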

  The 'tcpdump' packet-tracing program is loosely based on SMI's
  "etherfind" although none of the etherfind code remains.  It was
  originally written by Van Jacobson, Lawrence Berkeley Laboratory,
  as part of an ongoing research project to investigate and improve
  tcp and internet gateway performance.  A current version is
  available via anonymous ftp from host ftp.ee.lbl.gov (currently at
  address 128.3.254.68) file tcpdump.tar.Z (a compressed Unix tar
  file).  This program is subject to the 'standard' Berkeley network
  software copyright.

_____
<4.2> How can I learn about or use cryptography?

  A general introduction to mostly theoretical cryptographic issues,
  especially those frequently discussed in sci.crypt, is available
  in FAQ form:

  >  Compiled by:
  >        cme@ellisun.sw.stratus.com (Carl Ellison)
  >        Gwyn@BRL.MIL (Doug Gwyn)
  >        smb@ulysses.att.com (Steven Bellovin)

  NIST (U.S. National Institute for Standards and Technology)
  publishes an introductory paper on cryptography, special
  publication 800-2 ``Public-Key Cryptography'' by James Nechvatal
  (April 1991).  Available via anonymous FTP from
  csrc.ncsl.nist.gov (129.6.54.11), file pub/nistpubs/800-2.txt.
  Also available via anonymous FTP from wimsey.bc.ca as crypt.txt.Z
  in the crypto directory.  Covers technical mathematical aspects
  of encryption such as number theory.

  More general information can be found in a FAQ by Paul Fahn of RSA
  Laboratories via anonymous FTP from rsa.com in /pub/faq.ps.Z.  See
  the `readme' file for information on the `tex' version.  Also
  available as hardcopy for $20 from RSA Laboratories, 100 Marine
  Parkway, Redwood City, CA  94065.  Send questions to
  faq-editor@rsa.com.

  Phil Zimmerman's PGP (Pretty Good Privacy) public-domain package
  for public key encryption is available at numerous sites, and is
  in widespread use over the internet for general UNIX-based file
  encryption (including email).  Consult the archie FTP database. 
  Also see the newsgroup alt.security.pgp.  Mailing list requests
  to info-pgp-request@lucpul.it.luc.edu.

  From the RIPEM FAQ by Marc VanHeyningen
  <mvanheyn@whale.cs.indiana.edu> on news.answers:

  > RIPEM is a program which performs Privacy Enhanced Mail (PEM)
  > using the cryptographic techniques of RSA and DES.  It allows
  > your electronic mail to have the properties of authentication
  > (i.e. who sent it can be confirmed) and privacy (i.e. nobody can
  > read it except the intended recipient.)
  > 
  > RIPEM was written primarily by Mark Riordan
  > <mrr@scss3.cl.msu.edu>. Most of the code is in the public domain,
  > except for the RSA routines, which are a library called RSAREF
  > licensed from RSA Data Security Inc.
  > 
  > RIPEM is available via anonymous FTP to citizens and permanent
  > residents in the U.S. from rsa.com; cd to rsaref/ and read the
  > README file for info.
  > 
  > RIPEM, as well as some other crypt stuff, has its `home site' on
  > rpub.cl.msu.edu, which is open to non-anonymous FTP for users in
  > the U.S. and Canada who are citizens or permanent residents.  To
  > find out how to obtain access, ftp there, cd to pub/crypt/, and
  > read the file GETTING_ACCESS.

  Note: cryptography is generally not well integrated into email yet
  and some system proficiency is required by users to utilize it.

_____
<4.3> What is the cypherpunks mailing list?

  Eric Hughes <hughes@toad.com> runs the `cypherpunk' mailing list
  dedicated to ``discussion about technological defenses for privacy
  in the digital domain.''  Send email to
  cypherpunks-request@toad.com to be added to or removed from the
  list.  From the charter:

  > The most important means to the defense of privacy is encryption.
  > To encrypt is to indicate the desire for privacy.  But to encrypt
  > with weak cryptography is to indicate not too much desire for
  > privacy. Cypherpunks hope that all people desiring privacy will
  > learn how best to defend it.

_____
<4.4> What are some privacy-related newsgroups?  FAQs?
  
  Newsgroups
  ==========

  alt.comp.acad-freedom.news
  alt.comp.acad-freedom.talk 
  --------------------------
    Moderated and unmoderated issues related to academic freedom and
    privacy at universities. Documented examples of violated
    privacy in e.g. email.  Documented examples of `censorship' as
    in e.g. limiting USENET groups local availability.

  alt.cyberpunks
  --------------
    Virtual reality, (science) fiction by William Gibson and Bruce 
    Sterling, cyberpunk in the mainstream.
 
  alt.hackers
  -----------
    USENET Network News Transfer Protocol (NNTP) posting mechanisms, 
    Simple Mail Transfer Protocol (SMTP), `obligatory hack' reports.

  alt.privacy
  -----------
    General privacy issues involving taxpaying, licensing, social
    security numbers, etc.
  
  alt.security 
  comp.security.misc
  ------------------
    Computer related security issues.  FAQ in news.answers below.
  
  alt.security.pgp
  alt.security.ripem
  ----------------
    Dedicated to discussing public domain cryptographic software
    packages: PGP, or ``Pretty Good Privacy'' Software developed by
    Phil Zimmerman for public key encryption, and RIPEM by Mark
    Riordan for public key and DES encryption.
  
  comp.society.privacy
  --------------------
    Privacy issues associated with computer technologies.  Examples:
    caller identification, social security numbers, credit
    applications, mailing lists, etc.  Moderated.
    
  comp.eff.news
  comp.eff.talk
  -------------
    Moderated and unmoderated groups associated with the Electronic
    Frontier Foundation started by Mitch Kapor for protecting civil
    and constitutional rights in the electronic realm.
  
  news.admin
  news.admin.policy
  -----------------
    Concerns of news administrators.  NNTP standards and mechanisms.
    
  news.lists
  ----------
    USENET traffic distributions.  Most frequent posters, most
    voluminous groups, most active sites, etc.
  
  sci.crypt
  ---------
    Considers scientific and social issues of cryptography. 
    Examples: legitimate use of PGP, public-key patents, DES,
    cryptographic security, cypher breaking, etc.
  

  FAQs
  ====

  FAQs or ``Frequently-Asked Questions'' are available in the
  newsgroups *.answers or via anonymous FTP to pit-manager.mit.edu
  [18.172.1.27] (also rtfm.mit.edu)  from the directory
  /pub/usenet/news.answers/[x] where [x] is the archive name. This
  FAQ is archived in the file `net-privacy'.   Others are:

  network-info/part1  
  ------------------
    Sources of information about the Internet and how to connect to
    it, through the NSF or commercial vendors.
  
  alt-security-faq
  ----------------
    Computer related security issues arising in alt.security and
    comp.security.misc, mostly UNIX related.
  
  ssn-privacy 
  -----------
    Privacy issues associated with the use of the U.S. Social
    Security number (SSN).
  
  pdial
  -----
    Public dialup internet accounts list.
  
  college-email/part1
  -------------------
    How to find email addresses for undergraduate and graduate
    students, faculty and staff at various colleges and
    universities.
  
  ripem/faq
  ---------
    Information on RIPEM, a program for public key mail encryption
    officially sanctioned by Public Key Partners Inc., the company
    that owns patents on public key cryptography.
  
  unix-faq/faq/part1
  ------------------
    Frequently-asked questions about UNIX, including information on
    `finger' and terminal spying.

  distributions/*
  ---------------
     Known geographic, university, and network distributions.

_____
<4.5> What is internet Privacy Enhanced Mail (PEM)?

  Internet drafts on Privacy Enhanced Mail (PEM) describe a standard
  under revision for six years delineating the official protocols for
  email encryption.  The standard has only recently stabilized and
  implementations are being developed.

  - RFC-1421: ``Privacy Enhancement for Internet Electronic Mail: 
    Part I: Message Encryption and Authentication Procedures.'' J.
    Linn <104-8456@mcimail.com>

  - RFC-1422: ``Privacy Enhancement for Internet Electronic Mail: Part
    II: Certificate-Based Key Management'' S. Kent <Kent@BBN.com>

  - RFC-1424: ``Privacy Enhancement for Internet Electronic Mail: 
    Part IV: Key Certification and Related Services'' B. Kaliski
    <burt@rsa.com>

  - RFC-1423: ``Privacy Enhancement for Internet Electronic Mail: Part
    III: Algorithms, Modes, and Identifiers'' D. Balenson
    <belenson@tis.com>

  Send email to pem-info@tis.com for more information.  See ``RFCs 
  related to privacy'' for information on how to obtain RFCs.
  
_____
<4.6> What are other Requests For Comments (RFCs) related to privacy?

  RFC-822:  SMTP, Simple Mail Transfer Protocol
  RFC-977:  NNTP, Network News Transfer Protocol
  RFC-1036: Standard for interchange of network news messages
  RFC-1208: Glossary of Networking Terms
  RFC-1207: Answers to ``experienced Internet user'' questions
  RFC-1206: Answers to ``new Internet user'' questions
  RFC-1355: Privacy issues in Network Information center databases

  
  RFC-1177 is ``FYI: Answers to commonly asked `new internet user'
  questions'' and includes basic terminology on the Internet (TCP/IP,
  SMTP, FTP), internet organizations such as IAB (Internet
  Activities Board) and IETF (Internet Engineering Task Force), and
  a glossary of terms.  Also from ftp.eff.org:
  /pub/internet-info/internet.q.

  > RFCs can be obtained via FTP from NIC.DDN.MIL, with the pathname
  > RFC:RFCnnnn.TXT or RFC:RFCnnnn.PS (where `nnnn' refers to the
  > number of the RFC).  Login with FTP, username `anonymous' and
  > password `guest'.  The NIC also provides an automatic mail
  > service for those sites which cannot use FTP.  Address the
  > request to SERVICE@NIC.DDN.MIL and in the subject field of the
  > message indicate the RFC number, as in `Subject: RFC nnnn' (or
  > `Subject: RFC nnnn.PS' for PostScript RFCs).
  >
  > RFCs can also be obtained via FTP from NIS.NSF.NET.  Using FTP,
  > login with username `anonymous' and password `guest'; then
  > connect to the RFC directory (`cd RFC').  The file name is of the
  > form RFCnnnn.TXT-1 (where `nnnn' refers to the number of the
  > RFC).  The NIS also provides an automatic mail service for those
  > sites which cannot use FTP.  Address the request to
  > NIS-INFO@NIS.NSF.NET and leave the subject field of the message
  > blank.  The first line of the text of the message must be `SEND
  > RFCnnnn.TXT-1', where nnnn is replaced by the RFC number.
  
_____
<4.7> How can I run an anonymous remailer?

  Cypherpunk remailer source is at soda.berkeley.edu in the
  /pub/cypherpunks directory.  It's written in PERL, and is
  relatively easy to install (no administrative rights are required).
  Karl Barrus <elee9sf@menudo.uh.edu> has more information and
  modifications.  Also, most remailer operators mentioned above are
  amenable to discussing features, problems, and helping new sites
  become operational.  Address all points in the section
  ``responsibilities of anonymous use'' in this document prior to
  advertising your service.  You should be committed to the long-term
  stability of the site and avoid running one surreptitiously.

_____
<4.8> What are references on privacy in email?


  Brown, Bob. ``EMA Urges Users to Adopt Policy on E-mail Privacy.''  
  Network World (Oct 29, 1990), 7.44: 2.
  
  Bairstow, Jeffrey. ``Who Reads your Electronic Mail?'' Electronic
  Business  (June 11, 1990) 16 (11): 92.

  ``Electronic Envelopes - the uncertainty of keeping e-mail private''
  Scientific American, February 1993.

  ftp.eff.org
  ===========

  /pub/eff/papers/email_privacy
  ---
    Article on the rights of email privacy. by Ruel T. Hernandez.

  /pub/academic/law/privacy.email
  ---
    ``Computer Electronic Mail and Privacy'', an edited version of a
    law school seminar paper by Ruel T. Hernandez.

  /pub/eff/papers/email-privacy-biblio-2
  ---
    Compilation of bibliography on E-Mail and its privacy issues (part
    2 of the work).  Compiled by Stacy B. Veeder (12/91).

  /pub/eff/papers/email-privacy-research
  ---
    The author at Digital Research tried to formalize their employee
    privacy policy on E-Mail.  The case citations are divided into two
    groups: US Constitutional law, and California law.

  /pub/eff/papers/company-email
  ---
    Formulating a Company Policy on Access to and Disclosure of
    Electronic Mail on Company Computer Systems by David R. Johnson
    and John Podesta for the Electronic Mail Association

  /pub/cud/alcor
  ---
    Information on Alcor Co., an e-mail privacy suit.

  /pub/academic/law/privacy.email
  ---
    Email privacy search at Berkeley.

_____
<4.9> What are some email, Usenet, and internet use policies?

  The Computer Policy and Critiques Archive is a collection of the
  computer policies of many schools and networks, run by the
  Computers and Academic Freedom group on the Electronic Frontier
  Foundation FTP site. The collection also includes critiques of some
  of the policies.

  > If you have gopher, the archive is browsable with the command:
  > gopher -p academic/policies gopher.eff.org
  > 
  > The archive is also accessible via anonymous ftp and email. Ftp
  > to ftp.eff.org (192.88.144.4). It is in directory
  > `pub/academic/policies'. For email access, send email to
  > archive-server@eff.org. Include the line:
  > 
  > send acad-freedom/policies <filenames>
  > 
  > where <filenames> is a list of the files that you want. File
  > README is a detailed description of the items in the directory.
  > 
  > For more information, to make contributions, or to report typos
  > contact J.S. Greenfield (greeny@eff.org). Directory `widener'
  > contains additional policies (but not critiques).


  ftp.eff.org
  ===========
  
  /pub/cud/networks
  ---
    Acceptable Use Policies for various networks, including CompuServe
    (file `compuserve'), NSFNET (file `nsfnet') with information on
    research and commercial uses. See /pub/cud/networks/index.

  /pub/cud/networks/email
  ---
    Policies from various sysadmins about how they handle the issue of
    email privacy,  control, and abuse, compiled by T. Hooper 
    <hooper_ta@cc.curtin.edu.au>.
  
  /pub/cud/schools/
  ---
    Computer use policies of a number of schools. See schools/Index
    for a full list and description.

  
  Commentary
  ==========

  /pub/academic/faq/policy.best
  ---
    Opinions on the best academic computer policies.


  /pub/academic/faq/email.policies
  ---
    Do any universities treat email and computer files as private?

  /pub/academic/faq/netnews.writing
  ---
    Policies on what users write on Usenet.

  /pub/academic/faq/netnews.reading
  ---
    Policies on what users read on Usenet: should my university remove
    (or restrict) Netnews newsgroups because some people find them
    offensive?

  /pub/academic/faq/policy
  ---
    What guidance is there for creating or evaluating a university's
    academic computer policy?

______
<4.10> What is the MIT ``CROSSLINK'' anonymous message TV program?

  > CROSSLINK is an anonymous message system run on MIT Student
  > Cable TV-36. It provides an anonymous medium through which MIT
  > students can say those things they might otherwise find
  > difficult, inconvenient or impossible to say in person.  It's
  > also a way to send fun or totally random messages to your
  > friends over the air.  It is similar to the anonymous message
  > pages found in many college newspapers, except that it's
  > electronic in nature and it's free.

  Messages can be posted to the service via email.  For more
  information send email to crosslink@athena.mit.edu.


MISCELLANEOUS
=============

_____
<5.1> What is ``digital cash''?

  With digital encryption and authentication technologies, the
  possibility of a widespread digital cash system may someday be
  realized.  A system utilizing codes sent between users and banks
  (similar to today's checking system except entirely digital) may
  be one approach.  The issues of cryptography, privacy, and
  anonymity are closely associated with transfer of cash in an
  economy.  See the article in Scientific American by David Chaum
  (~Dec.1992).

  An experimental digital bank is run by Karl Barrus
  <elee9sf@Menudo.UH.EDU> based on suggestions by Hal Finney on the
  cypherpunks mailing list.  To use the server send mail to
  elee7h5@rosebud.ee.uh.edu message with the following text:

    ::
    command: help
    
    user@host

  where `user@host' is your email address.
 
  
_____
<5.2> What is a ``hacker'' or ``cracker''?

  These terms arouse strong feelings in many people about their
  meaning, especially on the internet.  In the general news media in
  the past a person who uses computers and networks to malicious ends
  (such as breaking into systems) has been referred to as a hacker,
  but most internet users prefer the term ``cracker'' for this.
  Instead, a ``hacker'' is perceived as a benign but intensely
  ambitious, curious, and driven computer user who explores obscure
  areas of a system, for example: something of a proud electronic
  pioneer and patriot.  This is the sense intended in this document.
  See also the ``Hacker's Dictionary'' and the FAQ `alt-security-faq'.
 
 
_____
<5.3> What is a ``cypherpunk''?

  From the charter of the cypherpunk mailing list:

  > Cypherpunks assume privacy is a good thing and wish there were
  > more of it.  Cypherpunks acknowledge that those who want privacy
  > must create it for themselves and not expect governments,
  > corporations, or other large, faceless organizations to grant
  > them privacy out of beneficence.  Cypherpunks know that people
  > have been creating their own privacy for centuries with whispers,
  > envelopes, closed doors, and couriers.  Cypherpunks do not seek
  > to prevent other people from speaking about their experiences or
  > their opinions.

  See information on the cypherpunk mailing list below.

  See also the CryptoAnarchist Manifesto and the Cryptography Glossary
  in soda.berkeley.edu:/pub/cypherpunks.

_____
<5.4> What is `steganography' and anonymous pools?

  Closely associated with encryption is `steganography', the set of
  techniques not only for pursuing private (encrypted) communication
  but for concealing the very existence of the communication itself.
  Many new possibilities in this area are introduced with the
  proliferation of computer technology.  For example, it is possible
  to encode messages in the least-significant bits of images,
  typically the most 'noisy'.  In addition, when such an item is
  posted in a public place (such as a newsgroup), virtually
  untraceable communication can take place between sender and
  receiver.  Another possibility for steganographic communication in
  the electronic realm is setting up a mailing list where individual
  messages get broadcast to the entire list and individual users
  decode particular messages with their unique key.  An anonymous
  pool has been set up by Miron Cuperman (miron@extropia.wimsey.com)
  for experiments.  Send email to <pool0-request@extropia.wimsey.com>
  with one of the following commands in the subject line:

    subscribe
    unsubscribe
    help
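  How the least-significant-bit embedding mentioned above works, as an
  added example (not code from the FAQ or from any steganography
  package).  It assumes a grayscale carrier of one byte per pixel,
  stores a 32-bit length header so the extractor knows where the
  payload ends, and refuses messages that do not fit.  The carrier
  (a smooth gradient) and the message are constructed for the demo;
  a real image file would first have to be decoded to raw pixels.

```python
"""Least-significant-bit steganography on a constructed grayscale carrier.

Added example, not the FAQ's code.  One payload bit per pixel, so every
pixel value changes by at most 1; a 4-byte big-endian length header
precedes the payload.
"""
import struct

HEADER_BYTES = 4


def _bits(data: bytes):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def capacity(carrier: bytes) -> int:
    """Payload bytes that fit: one bit per pixel, minus the length header."""
    return max(0, len(carrier) // 8 - HEADER_BYTES)


def embed(carrier: bytes, message: bytes) -> bytes:
    """Return a copy of `carrier` whose LSB plane carries the length-prefixed message."""
    room = capacity(carrier)
    if len(message) > room:
        raise ValueError(f"message of {len(message)} bytes exceeds carrier capacity of {room}")
    payload = struct.pack(">I", len(message)) + message
    out = bytearray(carrier)
    for i, bit in enumerate(_bits(payload)):
        out[i] = (out[i] & 0xFE) | bit  # clear the LSB, then set it to the payload bit
    return bytes(out)


def lsb_plane(pixels: bytes) -> list:
    """The bit plane an analyst inspects: just the low bit of every pixel."""
    return [p & 1 for p in pixels]


def extract(stego: bytes) -> bytes:
    """Recover the hidden message, or raise ValueError if no plausible payload is present."""
    if len(stego) < HEADER_BYTES * 8:
        raise ValueError("carrier too small to hold a length header")
    plane = lsb_plane(stego)

    def read_bytes(start_bit: int, count: int) -> bytes:
        buf = bytearray()
        for b in range(count):
            value = 0
            for bit in plane[start_bit + b * 8: start_bit + b * 8 + 8]:
                value = (value << 1) | bit
            buf.append(value)
        return bytes(buf)

    (length,) = struct.unpack(">I", read_bytes(0, HEADER_BYTES))
    if length > capacity(stego):
        raise ValueError("length header larger than the carrier could hold; no valid payload")
    return read_bytes(HEADER_BYTES * 8, length)


def max_pixel_delta(a: bytes, b: bytes) -> int:
    """Largest per-pixel change between two carriers of equal size."""
    return max(abs(x - y) for x, y in zip(a, b))


# Constructed 2048-pixel gradient standing in for a decoded grayscale image.
CARRIER = bytes((x * 7 + 13) % 256 for x in range(2048))

if __name__ == "__main__":
    secret = b"meet at the usual place"
    stego = embed(CARRIER, secret)
    print("capacity:", capacity(CARRIER), "bytes")
    print("max pixel change:", max_pixel_delta(CARRIER, stego))
    print("recovered:", extract(stego))
```

  The visual change is invisible (no pixel moves by more than one
  level), but the LSB plane itself is what changes, which is why
  embedding favours noisy carriers and why detection tools compare
  the statistics of that plane against what a clean image would show.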

_____
<5.5> What is `security through obscurity'?

  `Security through obscurity' refers to the attempt to gain
  protection from system weaknesses by hiding sensitive information
  or programs relating to them.  For example, a company may not make
  public information on its software's encryption techniques to evade
  `attacks' based on knowledge of it.  Another example would be
  concealing data on the existence of security holes or bugs in
  operating systems.  Or, the potential problems of some standard or
  mechanism may be dismissed as not serious because it is ``not
  widely known'' or ``not widely used.''  This argument is
  occasionally applied to mechanisms for email and Usenet posting
  `forgery'.  `Security through obscurity' is regarded as a very
  feeble technique at best and inappropriate and ineffective at worst
  (also called the ``head-in-the-sand approach'').  See the FAQ for
  alt.security.
  
  Some remarks of John Perry Barlow, cofounder of the Electronic
  Frontier Foundation, directed to NSA agents at the First
  International Symposium on National Security & National
  Competitiveness held in McLean, Virginia  Dec. 1, 1992:

  > Digitized information is very hard to stamp classified or keep
  > contained. ... This stuff is incredibly leaky and volatile.  It's
  > almost a life form in its ability to self-propagate.  If
  > something hits the Net and it's something which people on there
  > find interesting it will spread like a virus of the mind.  I
  > believe you must simply accept the idea that we are moving into
  > an environment where any information which is at all interesting
  > to people is going to get out.  And there will be very little
  > that you can do about it.  This is not a bad thing in my view,
  > but you may differ...

_____
<5.6> What are `identity daemons'?
  
  RFC-931 describes a protocol standard that allows UNIX programs to
  query a remote user's login name after connection to a local
  communication socket (a connection of this type is established
  during FTP and TELNET sessions, for example).  The standard is not
  widely supported; perhaps 10% of internet sites currently implement
  it, but the number is increasing.  The mechanism is detrimental to
  anonymity.  Regular users cannot disable it, but system
  administrators can circumvent it.  This standard may represent a
  trend toward greater authentication mechanisms.
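  Both sides of the RFC-931 exchange, as an added example (it is not
  the FAQ's code and not any real identification daemon).  The
  querying host sends the port pair of an existing TCP connection and
  the answering host replies with the login name that owns it, or one
  of the three error keywords the RFC defines.  The connection table
  and login names are constructed; in practice the query travels over
  a separate TCP connection to port 113 of the remote host.

```python
"""Both sides of an RFC-931 identification-server exchange.

Added example; not the FAQ's code nor any real identd.  The connection
table below is constructed.
"""
import re

IDENT_PORT = 113  # TCP port the authentication server listens on

# Error keywords defined by RFC-931.
ERRORS = ("INVALID-PORT", "NO-USER", "UNKNOWN-ERROR")


def build_query(port_on_server: int, port_on_client: int) -> bytes:
    """Querying side: '<port on answering host> , <port on querying host>' CRLF."""
    for port in (port_on_server, port_on_client):
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    return f"{port_on_server} , {port_on_client}\r\n".encode("ascii")


def answer_query(query: bytes, connections: dict) -> bytes:
    """Answering side.

    `connections` maps (local_port, remote_port) of each live TCP connection
    on the answering host to the login name owning it, as the kernel would
    report it.
    """
    try:
        text = query.decode("ascii").strip()
        local_port, remote_port = (int(p) for p in text.split(","))
    except ValueError:
        # Unparsable query: echo zeros (a choice made here, not prescribed by the RFC).
        return b"0 , 0 : ERROR : INVALID-PORT\r\n"
    if not (1 <= local_port <= 65535 and 1 <= remote_port <= 65535):
        return f"{local_port} , {remote_port} : ERROR : INVALID-PORT\r\n".encode("ascii")
    user = connections.get((local_port, remote_port))
    if user is None:
        return f"{local_port} , {remote_port} : ERROR : NO-USER\r\n".encode("ascii")
    return f"{local_port} , {remote_port} : USERID : UNIX : {user}\r\n".encode("ascii")


_RESPONSE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:\s*(.*?)\s*$")


def parse_response(line: bytes) -> dict:
    """Querying side again: turn the reply into a dict of its fields."""
    match = _RESPONSE.match(line.decode("ascii", "replace").rstrip("\r\n"))
    if not match:
        raise ValueError("malformed ident response")
    result = {"port_on_server": int(match.group(1)),
              "port_on_client": int(match.group(2))}
    if match.group(3) == "ERROR":
        result["error"] = match.group(4)
        return result
    opsys, _, userid = match.group(4).partition(":")
    result.update(opsys=opsys.strip(), userid=userid.strip())
    return result


# Constructed table of live connections on the answering host.
CONNECTIONS = {(6191, 23): "jdoe", (6192, 119): "kwilliams"}

if __name__ == "__main__":
    query = build_query(6191, 23)
    reply = answer_query(query, CONNECTIONS)
    print("->", query.decode().strip())
    print("<-", reply.decode().strip())
    print(parse_response(reply))
```

  The login name in the reply is whatever the remote host chooses to
  say, so it is only as trustworthy as that host's administrator;
  services that consult it should record it as a logging hint, never
  use it to grant access.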

_____
<5.7> What new standards are needed to guard electronic privacy?


  Remailing/Posting
  -----------------
  
  - Stable, secure, protected, officially sanctioned and permitted,
    publicly and privately operated anonymous servers and hubs.
  - Official standards for encryption and anonymity in mail and USENET
    postings.
  - Truly anonymous protocols with source and destination information
    obscured or absent and hidden routing mechanisms (chaining,
    encrypted addresses, etc.)
  - Standards for anonymous email addressing, embedding files, and
    remailer site chaining.
  
  General
  -------
  
  - Recognition of anonymity, cryptography, and related privacy
    shields as legitimate, useful, desirable, and crucial by the
    general public and their governments.
  - Widespread use and implementation of these technologies by systems
    designers into hardware, software, and standards, implemented
    `securely,' `seamlessly,' and `transparently'.
  - General shift of use, dependence, and reliance to means other than
    wiretapping and electronic surveillance by law enforcement
    agencies.
  - Publicity, retraction, and dissolution of laws and government
    agencies opposed to privacy, replaced by structures dedicated to
    strengthening and protecting it.


ISSUES
======

_____
<6.1> What is the Electronic Frontier Foundation (EFF)?

  From ftp.eff.org:/pub/EFF/mission_statement:

  > A new world is arising in the vast web of digital, electronic
  > media which connect us.  Computer-based communication media like
  > electronic mail and computer conferencing are becoming the basis
  > of new forms of community.  These communities without a single,
  > fixed geographical location comprise the first settlements on an
  > electronic frontier.
  > 
  > While well-established legal principles and cultural norms give
  > structure and coherence to uses of conventional media like
  > newspapers, books, and telephones, the new digital media do not
  > so easily fit into existing frameworks.  Conflicts come about as
  > the law struggles to define its application in a context where
  > fundamental notions of speech, property, and place take
  > profoundly new forms. People sense both the promise and the
  > threat inherent in new computer and communications technologies,
  > even as they struggle to master or simply cope with them in the
  > workplace and the home.
  > 
  > The Electronic Frontier Foundation has been established to help
  > civilize the electronic frontier; to make it truly useful and
  > beneficial not just to a technical elite, but to everyone; and to
  > do this in a way which is in keeping with our society's highest
  > traditions of the free and open flow of information and
  > communication.
  
  EFF was started by the multimillionaire Mitchell Kapor, founder of
  Lotus software, and John Barlow, lyricist for the Grateful Dead
  rock band.  A highly publicized endeavor of the organization
  involved the legal defense of  Steve Jackson Games after an FBI
  raid and an accompanying civil suit  (see section on ``Steve
  Jackson Games'').  The foundation publishes EFF News (EFFector
  Online) electronically, send requests to effnews-request@eff.org.
  
  In a letter to Mitchell Kapor from the Chairman of the Subcommittee
  with primary jurisdiction over telecommunications policy dated
  November 5, 1991, Representative Edward J. Markey complimented
  Mitchell Kapor on his ``insights on the development of a national
  public information infrastructure'' which ``were appreciated greatly
  by myself and the Members of the Subcommittee'' (complete text in
  ftp.eff.com:/pub/pub-infra/1991-12):

  > ...we need to pursue policies that encourage the Bell companies to
  > work with other sectors of the communications industry to create
  > a consumer-oriented, public information network. Please let me or
  > my staff know what policies you and others in the computer
  > industry believe would best serve the public interest in creating
  > a reasonably priced, widely available network in which
  > competition is open and innovation rewarded.  I also want to
  > learn what lessons from the computer industry over the past ten
  > to fifteen years should apply to the current debate on
  > structuring the information and communications networks of the
  > future....I ask your help in gaining input from the computer
  > industry so that the Subcommittee can shape policies that will
  > bring this spirit of innovation and entrepreneurship to the
  > information services industry.  

  ftp.eff.org
  ===========
  
  /pub/eff/about-eff
  ---
    A file of basic information about EFF including goals, mission,
    achievements, and current projects. Contains a membership form.

  /pub/eff/mission-statement
  ---
    EFF mission statement.

  /pub/eff/historical/founding-announcement
  ---
    EFF founding press release.

  /pub/eff/historical/eff-history
  ---
    John Perry Barlow's ``Not Terribly Brief History of the EFF'' (July
    10, 1990).  How EFF was conceived and founded, major legal cases,
    and the organizational directions.

  /pub/eff/historical/legal-case-summary
  ---
    EFF legal case summary.


_____
<6.2> Who are Computer Professionals for Social Responsibility (CPSR)?

  The Computer Professionals for Social Responsibility have been
  working to protect and promote electronic civil liberties issues
  since ~1982.  The group has three offices (Palo Alto, Cambridge,
  Washington, DC) and 20 chapters.  It is involved in litigation
  against the FBI, the NSA, NIST, the Secret Service and other U.S.
  government agencies to declassify and provide documentation on
  issues such as Operation Sundevil, the FBI wiretap proposal, NSA's
  interference in cryptography, and the breakup of the 2600 raid in
  Arlington, Va in Nov 1992.  Members speak frequently in front of
  Congress, state legislators and public utility commissions to
  testify on privacy, information policy, computer security, and
  caller identification.

  CPSR has created an extensive Internet Privacy library available
  via FTP, Gopher, WAIS, and email at cpsr.org, currently comprising
  the largest collection of privacy documents on the internet.  For
  more information, anonymous FTP  cpsr.org:/cpsr/.


  (Thanks to Dave Banisar <banisar@washofc.cpsr.org> for contributions
  here.)

_____
<6.3> What was `Operation Sundevil' and the Steve Jackson Game case?

  In the early 1990's a fear spread among U.S. law enforcement agencies
  about the illicit activities of `hackers' and `phreakers' involved in
  such activities as credit card fraud and long-distance call thievery.
  
  (see ftp.eff.org:/pub/SJG/General_Information/EFFector1.04):

  > `Operation Sundevil,' the Phoenix-inspired crackdown of May
  > 8, 1990, concentrated on telephone code-fraud and credit-card
  > abuse, and followed this seizure plan with some success. 
  > [Bulletin Board Systems] went down all over America, terrifying
  > the underground and swiftly depriving them of at least some of
  > their criminal instruments.  It also saddled analysts with some
  > 24,000 floppy disks, and confronted harried Justice Department
  > prosecutors with the daunting challenge of a gigantic nationwide
  > hacker show-trial involving highly technical issues in dozens of
  > jurisdictions.

  Massive `show-trials' never materialized, although isolated
  instances of prosecution were pursued.  The movement reached a
  crescendo in Texas with the highly publicized case of illegal
  search and seizure involving the Steve Jackson Games company of
  Austin, Texas on March 1, 1990.  From the column GURPS' LABOUR LOST
  by Bruce Sterling <bruces@well.sf.ca.us> in Fantasy and Science
  Fiction Magazine:

  > In an early morning raid with an unlawful and unconstitutional
  > warrant, agents of the Secret Service conducted a search of the
  > SJG office.  When they left they took a manuscript being prepared
  > for publication, private electronic mail, and several computers,
  > including the hardware and software of the SJG Computer Bulletin
  > Board System.  Yet Jackson and his business were not only
  > innocent of any crime, but never suspects in the first place. 
  > The raid had been staged on the unfounded suspicion that
  > somewhere in Jackson's office there `might be' a document
  > compromising the security of the 911 telephone system.

  FBI agents involved in the seizure were named in a civil suit filed
  on behalf of Steve Jackson Games by The Electronic Frontier
  Foundation.  See information on EFF below.  From an article by Joe
  Abernathy in the Houston Chronicle ~Feb 1, 1993:
  
  > AUSTIN -- An electronic civil rights case against the Secret
  > Service closed Thursday with a clear statement by federal
  > District Judge Sam Sparks that the Service failed to conduct a
  > proper investigation in a notorious computer crime crackdown,
  > and went too far in retaining  custody of seized equipment. 
  > 
  > Secret Service Special Agent Timothy Foley of Chicago, who was in
  > charge of three Austin computer search-and-seizures on March 1,
  > 1990, that led to the lawsuit, stoically endured Sparks' rebuke
  > over the Service's poor investigation and abusive computer
  > seizure policies.  While the Service has seized dozens of
  > computers since the crackdown began in 1990, this is the first
  > case to challenge the practice. 
  > 
  > Sparks grew visibly angry when it was established that the Austin
  > science fiction magazine and game book publisher was never
  > suspected of a crime, and that agents did not do even marginal
  > research to establish a criminal connection between the firm and
  > the suspected illegal activities of an employee, or to determine
  > that the company was a publisher. Indeed, agents testified that
  > they were not even trained in the Privacy Protection Act at the
  > special Secret Service school on computer crime. 
  > 
  > "How long would it have taken you, Mr. Foley, to find out what
  > Steve Jackson Games did, what it was?" asked Sparks. "An hour? 
  > 
  > "Was there any reason why, on March 2, you could not return to
  > Steve Jackson Games a copy, in floppy disk form, of everything
  > taken? 
  > 
  > "Did you read the article in Business Week magazine where it had
  > a picture of Steve Jackson -- a law-abiding, tax-paying citizen
  > -- saying he was a computer crime suspect? 
  > 
  > "Did it ever occur to you, Mr. Foley, that seizing this material
  > could harm Steve Jackson economically?" 
  > 
  > Foley replied, "No, sir," but the judge offered his own answer. 
  > 
  > "You actually did, you just had no idea anybody would actually go
  > out and hire a lawyer and sue you." 
  > 
  > More than $200,000 has been spent by the Electronic Frontier 
  > Foundation in bringing the case to trial. The EFF was founded by 
  > Mitchell Kapor amid a civil liberties movement sparked in large
  > part by the Secret Service computer crime crackdown. 


  ftp.eff.org
  ===========
  
  /pub/cud/papers/sundevil
  ---
    A collection of information on Operation SunDevil by the Epic
    nonprofit publishing project. Everything you wanted to know but
    could never find.

  /pub/cud/papers/sj-resp
  ---
    Steve Jackson's response to the charges against him.

_____
<6.4> What is Integrated Services Digital Network (ISDN)?

  ISDN is a high-speed data communications standard that utilizes
  existing copper telephone lines, and is a possible inexpensive
  intermediate alternative to laying fiber optic cable for phone
  networks.  The speeds involved may be sufficient for audio and
  video transmission applications.  G. V. der Leun in the file
  ftp.eff.org:/pub/pub-infra/1991-11:

  > Telecommunications in the United States is at a crossroads.  With
  > the Regional Bell Operating Companies now free to provide
  > content, the shape of the information networking is about to be
  > irrevocably altered.  But will that network be the open,
  > accessible, affordable network that the American public needs? 
  > You can help decide this question.
  > 
  > The Electronic Frontier Foundation recently presented a plan to
  > Congress calling for the immediate deployment of a national
  > network based on existing ISDN technology, accessible to anyone
  > with a telephone connection, and priced like local voice service.
  > We believe deployment of such a platform will spur the
  > development of innovative new information services, and maximize
  > freedom, competitiveness, and civil liberties throughout the
  > nation.
  > 
  > The EFF is testifying before Congress and the FCC; making
  > presentations to public utility commissions from Massachusetts to
  > California; and meeting with representatives from telephone
  > companies, publishers, consumer advocates, and other stakeholders
  > in the telecommunications policy debate.
  > 
  > The EFF believes that participants on the Internet, as pioneers on
  > the electronic frontier, need to have their voices heard at this
  > critical moment.

  To automatically receive a description of the platform and details,
  send mail to archive-server@eff.org, with the following line:

    send documents open-platform-overview

  or send mail to eff@eff.org.  See also the Introduction to the EFF
  Open Platform Proposal in ftp.eff.org:/pub/pub-infra/1991-02.

  
  References
  ==========

  ``Digital Data On Demand.'' MacWorld, 2/82 (page 224).
  ---
    56Kbps vs. ISDN services and products. See comments by J. Powers
    in ftp.eff.org:pub/pub-infra/1992-02.

  ``Telephone Service That Rings of the Future.'' By Joshua Quittner.
  Newsday, Tue, Jan 7 1992.
  ---
    Implications of ISDN for the masses, written in popular science
    style.  John Perry Barlow (cofounder EFF).  Regional telephone
    companies (Ohio Bell).  ISDN as ``Technological Rorschach Test.''
    Anecdotes about McDonald's, Barbara Bush teleconferencing.  See
    complete text in ftp.eff.org:/pub/pub-infra/1992-01.
    
  ftp.eff.org:/pub/pub-infra/
  ---
    Files 1991-11 through 1992-05 containing email from the EFF public
    infrastructure group organized by month.  Opinions and facts on
    the pros and cons of ISDN, Integrated Services Digital Network. 
    Uses of ISDN (phone video, audio, etc.)  Japanese model.
    Alternatives to ISDN (HDSL, ADSL, fiber optics). Technical 
    specifications of ISDN, implementation details, cost issues,
    political obstacles, (RBOC, Regional Bell Operating Companies or
    `Baby Bells', e.g. NET, New England Telephone).  Influencing
    development of future networks (e.g. ISDN and NREN, National
    Research and Education  Network), encouraging competition (cable
    TV systems). Press releases and news articles.  Letter from Rep.
    E. J. Markey to M. Kapor.

_____
<6.5> What is the National Research and Education Network (NREN)?

  The National Research and Education Network was introduced in
  legislation cosponsored by Sen. A. Gore to promote high-speed data
  network infrastructure augmenting the internet with up to 50 times
  faster transmission rates.  The bill passed the House on November
  20, 1991, the Senate on November 22, 1991, and was signed by the
  President on December 9, 1991.

  ftp.eff.org
  ===========
  
  /pub/EFF/legislation/nren-bill-text
  ---
    The complete text of the House-Senate compromise version of S.
    272, the High-Performance Computing Act.

  /pub/internet-info/gore.bill
  ---
    102nd congress 1st Session. Text of high performance computing
    bill cosponsored by Sen. A. Gore.


  /pub/EFF/legislation/gore-infrastructure-bill
  ---
    The text of S.2937, the Information Infrastructure and Technology
    Act of 1992 introduced by Senator Gore to expand Federal efforts
    to develop technologies for applications of high-performance
    computing and high-speed networking, and to provide for a
    coordinated Federal program to accelerate development and
    deployment of an advanced information infrastructure.

  U.S. SAID TO PLAY FAVORITES IN PROMOTING NATIONWIDE COMPUTER NETWORK
  By John Markoff, N.Y. Times (~18 Dec 91).
  ---
    President Bush's legislation for nationwide computer data
    `superhighway.'  IBM-MCI venture as monopoly destructive to fair
    competition and innovation?  National Science Foundation NSFnet.
    Complete text in /pub/pub-infra/1991-12.

  Commentary
  ==========

  /pub/academic/statements/nren.privacy.cpsr
  ---
    ``Proposed Privacy Guidelines for the NREN'' -- Statement of Marc
    Rotenberg, Washington Director Computer Professionals for Social
    Responsibility (CPSR).

  /pub/internet-info/cisler.nren
  ---
    The National Research and Education Network: Two meetings Steve
    Cisler, Senior Scientist Apple Computer Library December 17, 1990
    Summary of meetings exploring educational issues of NREN by
    diverse members of academia and industry.

  /pub/internet-info/privatized.nren
  ---
    Feb. 14 1991 essay by M. Kapor advocating advantages of a private
    National Public  Network, and specific recommendations for open
    NREN policies encouraging  competition.


  /pub/eff/papers/netproposition
  ---
    An FYI about the proposed NREN setup.

_____
<6.6> What is the FBI's proposed Digital Telephony Act?

  ``Providers of electronic communication services and private branch
  exchange operators shall provide within the United States
  capability and capacity for the government to intercept wire and
  electronic communications when authorized by law...''
  
  From `BBS Legislative Watch: FBI's Wiretapping Proposal Thwarted' by
  S. Steele in Boardwatch Magazine, Feb. 1993, pp. 19-22:
 
  > In a move that worried privacy experts, software manufacturers and
  > telephone companies, the FBI proposed legislation to amend the
  > Communications Act of 1934 to make it easier for the Bureau to
  > perform electronic wiretapping. The proposed legislation,
  > entitled 'Digital Telephony,' would have required communications
  > service providers and hardware manufacturers to make their
  > systems 'tappable' by providing 'back doors' through which law
  > enforcement officers could intercept communications. Furthermore,
  > this capability would have been provided undetectably, while the
  > communications was in progress, exclusive of any communications
  > between other parties, regardless of the mobility of the target
  > of the FBI's investigation, and without degradation of service.
  >  
  > ...under the proposal, the Department of Justice (DOJ) can keep
  > communications products off the market if it determines that
  > these products do not meet the DOJ's own ... guidelines. This
  > [could] result in increased costs and reduced competitiveness for
  > service providers and equipment manufacturers, since they will be
  > unlikely to add any features that may result in a DOJ rejection
  > of their entire product. ...the FBI proposal suggests that the
  > cost of this wiretapping 'service' to the Bureau would have to be
  > borne by the service provider itself...
  > 
  > The Electronic Frontier Foundation organized a broad coalition of
  > public interest and industry groups, from Computer Professionals
  > for Social Responsibility (CPSR) and the ACLU to AT&T and Sun
  > Microsystems, to oppose the legislation. A white paper produced
  > by the EFF and ratified by the coalition, entitled, `An Analysis
  > of the FBI Digital Telephony Proposal,' was widely distributed
  > throughout the Congress.  ... The Justice Department lobbied hard
  > in the final days to get Congress to take up the bill before
  > Congress adjourned, but the bill never ... found a Congressional
  > sponsor (and was therefore never officially introduced). The FBI
  > [may] reintroduce "Digital Telephony" when the 103rd Congress
  > convenes in January.

  ftp.eff.org
  ===========
  
  /pub/eff/legislation/fbi-wiretap-bill
  /pub/EFF/legislation/new-fbi-wiretap-bill
  ---
    A bill to ensure the continuing access of law enforcement to the
    content of wire and electronic communications when authorized by
    law and for other purposes.  Version 2 of the bill after FBI
    changes in response to public reaction.

  /pub/cud/law/hr3515
  ---
    House of Representatives bill 3515, Telecommunications Law.

  Commentary
  ==========
  
  /pub/eff/papers/eff-fbi-analysis
  ---
    The EFF-sponsored analysis of the FBI's Digital Telephony proposal.

  /pub/eff/papers/ecpa.layman
  ---
    The Electronic Communications Privacy Act of 1986: A Layman's View.

  /pub/eff/papers/nightline-wire
  ---
    Transcript of ABC's Nightline of May 22, 1992, on the FBI,
    Privacy, and Proposed Wire-Tapping Legislation. Featured are Marc
    Rotenberg of the CPSR and William Sessions, Director of the FBI.

  /pub/eff/papers/edwards_letter
  ---
    A letter from the Director of the Secret Service to US Rep. Don
    Edwards, D-California, in response to questions raised by
    Edwards' Subcommittee. This copy came from Computer Professionals
    for Social Responsibility in Washington, D.C.

  /pub/eff/papers/fbi.systems
  ---
    A description of how information is stored on the FBI's computer
    systems.


_____
<6.7> What other U.S. legislation is related to privacy?

  ftp.eff.org
  ===========
  
  /pub/cud/law/<state>  
  ---
    State computer crime laws: AL, AK, AZ, CA, CO, CT, DE, FL, GA,
    HI, IA, ID, IL, IN, MD, MN, NC, NJ, NM, NY, OR, TX, VT, VA, WA,
    WI, WV.

  /pub/cud/law/<country>
  ---
    Current computer crime laws for: The United States (federal
    code), Canada, Ghana, and Great Britain.

  /pub/cud/law/bill.s.618
  ---
    Senate bill 618, addressing registration of encryption keys with
    the government.

  /pub/cud/law/improve
  ---
    Improvement of Information Access bill.

  /pub/cud/law/monitoring
  ---
    Senate bill 516; concerning abuses of electronic monitoring in the
    workplace.

  /pub/cud/law/us.e-privacy
  ---
    Title 18, relating to computer crime & email privacy.

  /pub/academic/law/privacy.electronic.bill
  ---
    The text of Simon's electronic privacy bill, S. 516. ``To prevent
    potential abuses of electronic monitoring in the workplace.''

_____
<6.8> What are references on rights in cyberspace?

  ftp.eff.org
  ===========

  /pub/cud/papers/const.in.cyberspace
  ---
    `The Constitution in Cyberspace,' Laurence Tribe's keynote address
    at the first Conference on Computers, Freedom, & Privacy.

  /pub/cud/papers/denning
  ---
    ``Concerning Hackers Who Break into Computer Systems'' by Dorothy
    E. Denning, presented to the 13th National Computer Security
    Conference.

  /pub/cud/papers/privacy
  ---
    ``Computer Privacy vs First and Fourth Amendment Rights'' by
    Michael S. Borella

  /pub/cud/papers/rights-of-expr
  ---
    Rights of Expression in Cyberspace by R. E. Baird

  /pub/academic/eff.rights
  ---
    Bill of Rights' meaning in the Electronic Frontier.

_____
<6.9> What is the Computers and Academic Freedom (CAF) archive?

  The CAF Archive is an electronic library of information about
  computers and academic freedom, run by the Computers and Academic
  Freedom group on the Electronic Frontier Foundation FTP site.
  
  > If you have gopher, the archive is browsable with the command:
  >   gopher -p academic gopher.eff.org
  > 
  > It is available via anonymous ftp to ftp.eff.org (192.88.144.4) in
  > directory `pub/academic'. It is also available via email. For
  > information on email access send email to archive-server@eff.org.
  > In the body of your note include the lines `help' and `index'.
  > 
  > For more information, to make contributions, or to report typos
  > contact J.S. Greenfield (greeny@eff.org).

  ftp.eff.org
  ===========
  
  /pub/academic/statements/caf-statement
  ---
    Codifies the application of academic freedom to academic
    computers, reflecting seven months of on-line discussion about
    computers and academic freedom.  Covers free expression, due
    process, privacy, and user participation.

  /pub/academic/books
  ---
    Directory of book references related to Computers and Academic
    Freedom or mentioned in the CAF discussion. The file books/README
    is a bibliography.

  /pub/academic/faq/archive
  ---
    List of files available on the Computers and Academic Freedom
    archive.

  /pub/academic/news
  ---
    Directory of all issues of the Computers and Academic Freedom
    News. A full list of abstracts is available in file `abstracts'.
    The special best-of-the-month issues are named with their month,
    for example, `June'.


FOOTNOTES
=========


_____
<7.1> What is the background behind the Internet?
 
  The article ``Internet'' in Fantasy and Science Fiction by Bruce
  Sterling <bruces@well.sf.ca.us> contains general and nontechnical
  introductory notes on origins of the Internet, including the role
  of the RAND corporation, the goal of network resilience in face of
  nuclear attack, MIT, UCLA, ARPANET, TCP/IP, NSF, NREN, etc.:

  > ARPANET itself formally expired in 1989, a happy victim of its
  > own overwhelming success.  Its users scarcely noticed, for
  > ARPANET's functions not only continued but steadily improved.
  > The use of TCP/IP standards for computer networking is now
  > global.  In 1971, a mere twenty-one years ago, there were only
  > four nodes in the ARPANET network.  Today there are tens of
  > thousands of nodes in the Internet, scattered over forty-two
  > countries, with more coming on-line every day.  Three million,
  > possibly four million people use this gigantic
  > mother-of-all-computer-networks.
  > 
  > The Internet is especially popular among scientists, and is
  > probably the most important scientific instrument of the late
  > twentieth century.  The powerful, sophisticated access that it
  > provides to specialized data and personal communication has sped
  > up the pace of scientific research enormously.
  > 
  > The Internet's pace of growth in the early 1990s is spectacular,
  > almost ferocious.  It is spreading faster than cellular phones,
  > faster than fax machines.  Last year the Internet was growing at
  > a rate of twenty percent a *month.*  The number of `host'
  > machines with direct connection to TCP/IP has been doubling
  > every year since 1988.  The Internet is moving out of its
  > original base in military and research institutions, into
  > elementary and high schools, as well as into public libraries
  > and the commercial sector.

  References
  ==========

  Bowers, K., T. LaQuey, J. Reynolds, K. Roubicek, M. Stahl, and A.
  Yuan, ``Where to Start - A Bibliography of General Internetworking
  Information'' (RFC-1175), CNRI, U Texas, ISI, BBN, SRI, Mitre,
  August 1990.

  The Whole Internet Catalog & User's Guide by Ed Krol.  (1992)
  O'Reilly  and Associates, Inc.
  ---
    A clear, non-jargonized introduction to the  intimidating business
    of network literacy written in humorous style.

  Krol, E., ``The Hitchhikers Guide to the Internet'' (RFC-1118),
  University of Illinois Urbana, September 1989.

  ``The User's Directory to Computer Networks'', by Tracy LaQuey.

  The Matrix: Computer Networks and Conferencing Systems Worldwide. 
  by John Quarterman.  Digital Press: Bedford, MA. (1990)  
  ---
    Massive and highly technical compendium detailing the
    mind-boggling scope and  complexity of global internetworks.

  ``!%@:: A Directory of Electronic Mail Addressing and Networks'' by
  Donnalyn Frey and Rick Adams.
      
  The Internet Companion, by Tracy LaQuey with Jeanne C. Ryer (1992)  
  Addison Wesley. 
  ---
    ``Evangelical'' etiquette guide to the Internet featuring 
    anecdotal tales of life-changing Internet experiences.  Foreword
    by  Senator Al Gore.

  Zen and the Art of the Internet: A Beginner's Guide by Brendan P. 
  Kehoe (1992)  Prentice Hall. 
  ---
    Brief but useful Internet guide with  plenty of good advice on
    useful databases.


  See also ftp.eff.com:/pub/internet-info/.  (Thanks to Bruce Sterling
  <bruces@well.sf.ca.us> for contributions here.)


  General
  =======

  Cunningham, Scott and Alan L. Porter. ``Communication Networks: A
  dozen  ways they'll change our lives.'' The Futurist 26, 1
  (January-February,  1992): 19-22.

  Brian Kahin, ed., BUILDING INFORMATION INFRASTRUCTURE (New York: 
  McGraw-Hill, 1992) ISBN# 0-390-03083-X
  ---
    Essays on information infrastructure.  Policy and design issues,
    research and NREN, future visions, information markets.  See
    table  of contents in ftp.eff.org:/pub/pub-infra/1992-03.

  Shapard, Jeffrey. ``Observations on Cross-Cultural Electronic 
  Networking.'' Whole Earth Review (Winter) 1990: 32-35.

  Varley, Pamela. ``Electronic Democracy.'' Technology Review 
  (November/December, 1991): 43-51.

_____
<7.2> How is Internet `anarchy' like the English language?

  According to Bruce Sterling <bruces@well.sf.ca.us>:

  > The Internet's `anarchy' may seem strange or even unnatural, but
  > it makes a certain deep and basic sense.  It's rather like the
  > `anarchy' of the English language.  Nobody rents English, and
  > nobody owns English.  As an English-speaking person, it's up
  > to you to learn how to speak English properly and make whatever
  > use you please of it (though the government provides certain
  > subsidies to help you learn to read and write a bit).
  > Otherwise, everybody just sort of pitches in, and somehow the
  > thing evolves on its own, and somehow turns out workable.  And
  > interesting.  Fascinating, even.  Though a lot of people earn
  > their living from using and exploiting and teaching English,
  > `English' as an institution is public property, a public good.
  > Much the same goes for the Internet.  Would English be improved
  > if `The English Language, Inc.' had a board of directors
  > and a chief executive officer, or a President and a Congress?
  > There'd probably be a lot fewer new words in English, and a lot
  > fewer new ideas.


_____
<7.3> Most Wanted list

  Hopefully you have benefited from this creation, compilation, and
  condensation of information from various sources regarding privacy,
  identity, and anonymity on the internet.  The author is committed
  to keeping this up-to-date and strengthening it, but this can only
  be effective with your feedback.  In particular, the following
  items are sought:
  
  - Short summaries of RFC documents and other references listed,
    esp. CPSR files.
  - More data on the specific uses and penetration of RFC-931.
  - Internet traffic statistics.  How much is email?  How much
    USENET?  What are the costs involved?
  - Famous or obscure examples of compromised privacy on the
    internet.
  - FTP site for the code (NOT the code) to turn the .plan file into
    a named pipe for sensing/reacting to remote `fingers'.
  - Knowledge on the `promiscuous' mode of receipt or transmission
    on network cards.
  - Details on the infamous experiment where a scientist resubmitted
    previously accepted papers to a prominent journal with new and
    unknown authors that were subsequently rejected.
  - X Windows, EFF, CPSR FAQhood in news.answers.
  
  Commercial use of this document is negotiable and is a way for the
  author to recoup from a significant time investment.  Email feedback
  to ld231782@longs.lance.colostate.edu.  Please note where you saw
  this (which newsgroup, etc.).

_____
<7.4> Change history

  3/3/93 v2.1 (current)
    
    CPSR pointer, new UNIX mode examples, digital telephony act,
    Steve Jackson incident, additions/reorganization to
    anonymity section, part 3.  Note: v2.0 post to sci.crypt,
    alt.privacy, news.answers, alt.answers, sci.answers was cancelled
    by J. Kamens because of incorrect subject line.
    
  2/14/93 v2.0

    Major revisions.  New section for X Windows.  Some email privacy
    items reorganized to network security section.  New sections for
    email liability issues, anonymity history and responsibilities. 
    Split into three files.  Many new sources added, particularly
    from EFF and CAF in new `issues' part. `commentary' from 
    news.admin.policy.  21 day automated posting starts.

  2/3/93 v1.0

    More newsgroups & FAQs added.  More `Most Wanted'.  Posted to
    news.answers.  Future monthly posting to sci.crypt, alt.privacy.

  2/1/93 v0.3
  
    Formatted to 72 columns for quoting etc. `miscellaneous,'
    `resources' sections added with cypherpunk servers and use
    warnings.  More UNIX examples (`ls' and `chmod').  Posted to
    alt.privacy, comp.society.privacy.
  
  1/29/93 v0.2
    
    `Identity' and `Privacy' sections added.  `Anonymity' expanded.
    Remailer addresses removed due to lack of information and
    instability.  Posted to sci.crypt.
  
  1/25/93 v0.1
  
    Originally posted to the cypherpunks mailing list on 1/25/93 as a
    call to organize a list of anonymous servers.
  
  email ld231782@longs.lance.colostate.edu for earlier versions.


* * *

SEE ALSO
========

Part 1 (previous file)
------

<1.1> What is `identity' on the internet?
<1.2> Why is identity (un)important on the internet?
<1.3> How does my email address (not) identify me and my background?
<1.4> How can I find out more about somebody from their email address?
<1.5> Why is identification (un)stable on the internet? 
<1.6> What is the future of identification on the internet?

<2.1> What is `privacy' on the internet?
<2.2> Why is privacy (un)important on the internet?
<2.3> How (in)secure are internet networks?
<2.4> How (in)secure is my account?
<2.5> How (in)secure are my files and directories?
<2.6> How (in)secure is X Windows?
<2.7> How (in)secure is my email?
<2.8> How am I (not) liable for my email and postings?
<2.9> How do I provide more/less information to others on my identity?
<2.10> Who is my sysadmin?  What does s/he know about me?
<2.11> Why is privacy (un)stable on the internet?
<2.12> What is the future of privacy on the internet?

<3.1> What is `anonymity' on the internet?
<3.2> Why is `anonymity' (un)important on the internet?
<3.3> How can anonymity be protected on the internet?
<3.4> What is `anonymous mail'?
<3.5> What is `anonymous posting'?
<3.6> Why is anonymity (un)stable on the internet?
<3.7> What is the future of anonymity on the internet?

Part 3 (next file)
------

<8.1> What are some known anonymous remailing and posting sites?
<8.2> What are the responsibilities associated with anonymity?
<8.3> How do I `kill' anonymous postings?
<8.4> What is the history behind anonymous posting servers?
<8.5> What is the value of anonymity?
<8.6> Should anonymous posting to all groups be allowed?
<8.7> What should system operators do with anonymous postings?
<8.8> What is going on with anon.penet.fi maintained by J. Helsingius?


* * *

This is Part 2 of the Privacy & Anonymity FAQ, obtained via anonymous
  FTP to pit-manager@mit.edu:/pub/usenet/news.answers/net-privacy/ or 
  newsgroups news.answers, sci.answers, alt.answers every 21 days.
Written by L. Detweiler <ld231782@longs.lance.colostate.edu>.
All rights reserved.

Newsgroup: sci.crypt
Document_id: 15178
From: ld231782@longs.lance.colostate.edu (L. Detweiler)
Subject: Privacy & Anonymity on the Internet FAQ (3 of 3)

Archive-name: net-privacy/part3
Last-modified: 1993/3/3
Version: 2.1


NOTES on ANONYMITY on the INTERNET
==================================

Compiled by L. Detweiler <ld231782@longs.lance.colostate.edu>.


<8.1> What are some known anonymous remailing and posting sites?
<8.2> What are the responsibilities associated with anonymity?
<8.3> How do I `kill' anonymous postings?
<8.4> What is the history behind anonymous posting servers?
<8.5> What is the value of anonymity?
<8.6> Should anonymous posting to all groups be allowed?
<8.7> What should system operators do with anonymous postings?
<8.8> What is going on with anon.penet.fi maintained by J. Helsingius?


* * *

_____
<8.1> What are some known anonymous remailing and posting sites?

  Currently the most stable anonymous remailing and posting site is
  anon.penet.fi, operated for several months by julf@penet.fi, who
  has system administrator privileges and owns the equipment.  It
  provides anonymized mail, Usenet posting, and return addresses
  (no encryption).  Send mail to help@penet.fi for information.
 
  Hal Finney has contributed an instruction manual for the cypherpunk
  remailers on the ftp site soda.berkeley.edu (128.32.149.19):
  pub/cypherpunks/hal's.instructions. See also scripts.tar.Z (UNIX
  scripts to aid remailer use) and anonmail.arj (MSDOS batch files to
  aid remailer use).

  ebrandt@jarthur.claremont.edu
  -----------------------------
    Anonymized mail.  Request information from above address.
    
  elee7h5@rosebud.ee.uh.edu
  -------------------------
    Experimental anonymous remailer run by Karl Barrus
    <elee9sf@Menudo.UH.EDU>, with encryption to the server.  Request
    information from that address.
    
  hal@alumni.caltech.edu
  ----------------------
    Experimental remailer with encryption to server and return
    addresses.  Request information from above address.

  hh@soda.berkeley.edu
  hh@cicada.berkeley.edu
  hh@pmantis.berkeley.edu
  -----------------------
    Experimental remailer.  Include header `Request-Remailing-To'.

  nowhere@bsu-cs.bsu.edu 
  ----------------------
    Experimental remailer allowing one level of chaining.  Run by
    Chael Hall.  Request information from above address.

  phantom@mead.u.washington.edu 
  -----------------------------
    Experimental remailer with encryption to server.  `finger' site
    address for information.

  Notes
  =====
  
  - Cypherpunk remailers tend to be unstable because they are often
    running without site administrator knowledge. Liability issues
    are wholly unresolved.
  
  - So far, all encryption is based on public-key cryptography and PGP
    software (see the question on cryptography). 

  - Encryption aspects (message text, destination address, replies)
    vary between sites.

  - Multiple chaining, alias unlinking, and address encryption are
    mostly untested, problematic, or unsupported at this time.

_____
<8.2> What are the responsibilities associated with anonymity?

  
  Users
  -----

  - Use anonymity only if you have to. Frivolous uses weaken the
    seriousness and usefulness of the capability for others.
  - Do not use anonymity to provoke, harass, or threaten others.
  - Do not hide behind anonymity to evade established conventions on
    Usenet,  such as posting binary pictures to regular newsgroups.
  - If posting large files, be attentive to bandwidth considerations.
    Remember, simply sending the posting to the service increases
    network traffic.
  - Avoid posting anonymously to the regular hierarchy of Usenet; this
    is the most likely place to alienate readers. The `alt'
    hierarchy is preferred.
  - Give as much information as possible in the posting (i.e.
    references, etc.) Remember that content is the only means for
    readers to judge the truth of the message, and that any
    inaccuracies will tend to discredit the entire message and even
    future ones under the same handle.
  - Be careful not to include information that will reveal your
    identity or enable someone to deduce it.  Test the system by
    sending anonymized mail to yourself.
  - Be aware of the policies of the anonymous site and respect them. 
    Be prepared to forfeit your anonymity if you abuse the privilege.
  - Be considerate and respectful of others' objections to anonymity.
  - ``Hit-and-run'' anonymity should be used with utmost reservation.
    Use services that provide anonymous return addresses instead.
  - Be courteous to the system operator, who may have invested large
    amounts of time, be personally risking his account, or dedicating
    his hardware, all for your convenience.

  Operators
  ---------

  - Document thoroughly acceptable and unacceptable uses in an
    introductory file that is sent to new users.  Have a coherent and
    consistent policy and stick to it. State clearly what logging and
    monitoring is occurring. Describe your background, interest, and
    security measures. Will the general approach be totalitarian or
    laissez-faire?
  - Formulate a plan for problematic ethical situations and anticipate
    potentially intense moral quandaries and dilemmas. What if a user
    is blackmailing someone through your service? What if a user
    posts suicidal messages through your service? Remember, your
    users trust you to protect them.
  - In the site introductory note, give clear examples  of situations
    where you will take action and what these actions will be (e.g.
    warn the user, limit anonymity to email or posting only, revoke
    the account, 'out' the user, contact local administrator, etc.)
  - Describe exactly the limitations of the software and hardware.
    Address the bandwidth limitations of your site. Report candidly
    and thoroughly all bugs that have occurred.  Work closely with
    users to isolate and fix bugs. Address all bugs noted below under
    ``(in)stability of anonymity''.
  - Document the stability of the site---how long has it been running?
    What compromises have occurred? Why are you running it? What is
    your commitment to it?
  - Include a disclaimer in outgoing mail and messages.  Include an
    address for complaints, ideally appended to every outgoing item. 
    Consult a lawyer about your liability.
  - Be committed to the long-term stability of the site. Be prepared
    to deal with complaints and `hate mail' addressed to you.  If you
    do not own the hardware the system runs on or are not the system
    administrator, consult those who do and are.
  - Be considerate of providing anonymity to various groups.  If
    possible, query group readers.
  - Keep a uniformity and simplicity of style in outgoing message
    format that can be screened effectively by kill files.  Ensure
    the key text `Anon' is somewhere in every header.
  - Take precautions to ensure the security of the server from
    physical and network-based attacks and infiltrations.

  Readers
  -------
  
  - Do not complain, attack, or discredit a poster for the sole reason
    that he is posting anonymously, make blanket condemnations that
    equate anonymity with cowardice and criminality, or assail
    anonymous traffic in general for mostly neutral reasons (e.g. its
    volume is heavy or increasing).
  - React to the anonymous information unemotionally.  Abusive posters
    will be encouraged further if they get irrationally irate
    responses.  Sometimes the most effective response is silence.
  - Notify operators if very severe abuses occur, such as piracy,
    harassment, extortion, etc.
  - Do not complain about postings being inappropriate because they
    offend you personally.
  - Use kill files to screen anonymous postings if you object to the
    idea of anonymity itself.
  - Avoid the temptation to proclaim that all anonymous postings
    should be barred from particular groups because no `possible' or
    `conceivable' need exists.

  References
  ----------
  
  See e.g. ftp.eff.org:/pub/academic/anonymity:

  > This article is an excerpt from an issue of FIDONEWS on individual
  > privacy and the use of handles.  It accepts the need of a system
  > operator to know the name of a user; but suggests that the use of
  > a handle is analogous to a request to withhold the name in a
  > letter to the editor. The article concludes with a set of
  > guidelines for preserving the right to be anonymous.

_____
<8.3> How do I `kill' anonymous postings?

  James Thomas Green <jgreen@zeus.calpoly.edu>:

  > Try putting this in your kill file:
  >   
  >   /Anon/h:j
  >   /Anonymous/h:j
  > 
  > This will search the headers of the messages and kill any that
  > contain `Anon' or `Anonymous' in them.  Not perfect and won't
  > kill followups. 
  
  Note that anonymous server operators have the capability to mask
  anonymous postings so that the above method will not work; so far
  this practice is not widespread, but it may become more common as a
  countermeasure to widespread anonymous filtering.
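
  The following script is an added example written for this FAQ; it is
  not code from any of the remailers listed in <8.1>, from
  anon.penet.fi, or from any newsreader.  It puts in one place what the
  `Request-Remailing-To' remailers of <8.1> do to a message (drop the
  headers that name the sender and re-address it), the self-test
  recommended in <8.2> (mail something anonymized to yourself and look
  for what still identifies you), the operators' guideline of putting
  `Anon' in every outgoing header block, and the `/Anon/h:j' rule
  quoted above, including why it misses followups and how a masking
  operator defeats it.  The remailer addresses, the set of stripped
  headers, the two sample articles, and the kill-rule parser's
  treatment of the h, a and c modifiers (modelled on rn's kill-file
  syntax) are assumptions made for the example.

```python
# Added example for this FAQ; not code from any remailer or newsreader named
# above.  Request-Remailing-To and the /Anon/h:j rule come from the text; the
# addresses, the stripped-header set and the sample articles are constructed.
import re

REMAILER_ADDR = "anon@remailer.example"          # assumption: a marked remailer
UNMARKED_ADDR = "nobody@mail.example"            # assumption: a masking remailer
COMPLAINTS_ADDR = "complaints@remailer.example"  # assumption
# Headers naming the sender or the message's path (assumed set; remailers differed).
STRIP = {"from", "sender", "reply-to", "return-path", "received", "message-id",
         "to", "organization", "x-mailer", "path", "nntp-posting-host",
         "request-remailing-to"}

def parse_article(raw):
    """Split an RFC 822/1036 article into ([(name, value), ...], body)."""
    head, _, body = raw.partition("\n\n")
    headers = []
    for line in head.splitlines():
        if line[:1] in (" ", "\t") and headers:   # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers, body

def format_article(headers, body):
    return "".join(f"{n}: {v}\n" for n, v in headers) + "\n" + body

def remail(raw, mark=True):
    """Drop identifying headers and re-address to Request-Remailing-To.
    mark=True follows the operators' guidelines in <8.2> (`Anon' in the header
    block, a complaints address on every item); mark=False is the masking the
    note in <8.3> warns about.  The body passes through untouched."""
    headers, body = parse_article(raw)
    dest = next((v for n, v in headers if n.lower() == "request-remailing-to"), None)
    if dest is None:
        raise ValueError("no Request-Remailing-To header; not forwarding")
    kept = [(n, v) for n, v in headers if n.lower() not in STRIP]
    out = [("From", REMAILER_ADDR if mark else UNMARKED_ADDR), ("To", dest)] + kept
    if mark:
        out.append(("X-Anon-Comment",
                    f"Remailed anonymously; complaints to {COMPLAINTS_ADDR}"))
    return format_article(out, body)

def find_leaks(article, identity_tokens):
    """Identity tokens still in the article: the `mail it to yourself' check of <8.2>."""
    return [t for t in identity_tokens if t in article]

def parse_kill_rule(rule):
    """Parse an rn-style `/pattern/mods:cmd' rule.  Modifiers as in rn:
    h = whole header, a = whole article, c = case-sensitive; default Subject."""
    m = re.fullmatch(r"/([^/]*)/([hac]*):(\w+)", rule)
    if not m:
        raise ValueError(f"unrecognized kill rule: {rule}")
    pattern, mods, cmd = m.groups()
    flags = 0 if "c" in mods else re.IGNORECASE
    scope = "a" if "a" in mods else "h" if "h" in mods else "s"
    return re.compile(pattern, flags), scope, cmd

def killed(raw, rules=("/Anon/h:j", "/Anonymous/h:j")):
    """True if some `j' (junk) rule matches the article within its scope."""
    headers, _ = parse_article(raw)
    text = {"a": raw, "h": format_article(headers, ""),
            "s": " ".join(v for n, v in headers if n.lower() == "subject")}
    for rule in rules:
        pat, scope, cmd = parse_kill_rule(rule)
        if cmd == "j" and pat.search(text[scope]):
            return True
    return False

# Constructed sample: what a user hands the remailer.  The signature block in
# the body is the kind of self-identification that header stripping misses.
INBOUND = """\
From: jane@cs.example.edu (Jane Roe)
To: anon@remailer.example
Request-Remailing-To: bob@elsewhere.example
Newsgroups: alt.privacy
Message-ID: <1993Mar7.120000@cs.example.edu>
Subject: A question I would rather not sign

I have a question, but I cannot ask it under my own name.
--
Jane Roe, Example University        jane@cs.example.edu
"""
# Constructed followup by a named poster quoting the anonymous item.
FOLLOWUP = """\
From: bob@elsewhere.example (Bob Smith)
Newsgroups: alt.privacy
Subject: Re: A question I would rather not sign

> I have a question, but I cannot ask it under my own name.
Why route this through an Anon server at all?
"""

if __name__ == "__main__":
    out = remail(INBOUND)
    print(out, "still identifying:", find_leaks(out, ["Jane Roe", "jane@cs.example.edu"]))
    print("killed:", killed(out), killed(FOLLOWUP), killed(remail(INBOUND, mark=False)))
```

  Run stand-alone, the script prints the anonymized article: its
  headers no longer mention the sender, but find_leaks() still reports
  the signature block, which is what the mail-it-to-yourself test is
  for.  killed() is true for the marked output and false for the
  followup under `/Anon/h:j'; only a whole-article rule (`/Anon/a:j')
  catches the followup, and that rule also junks any article that
  merely discusses anonymity.  The unmarked output passes the header
  rule entirely, which is the masking the note above describes.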
  
_____
<8.4> What is the history behind anonymous posting servers?

  Originally anonymous posting services were introduced for
  individual, particularly volatile newsgroups, where anonymity is
  almost the preferred method of communication, such as talk.abortion
  and alt.sex.bondage.  One of the first was started by Dave Mack in
  ~1988 for alt.sex.bondage. Another early one was
  wizvax.methuen.ma.us, run by Stephanie Gilgut (Gilgut Enterprises),
  but it was disbanded due to lack of funds.  The system provided
  anonymous return addresses. n7kbt.rain.com (John Opalko) took up
  the functions of this server, including reinstating the anonymous
  alias file. The group ``alt.personals has been chewing through
  servers like there's no tomorrow.''
  
  Spurred by the disappearance of `wizvax' and interested in
  researching the idea, Karl Kleinpaste
  <Karl_Kleinpaste@godiva.nectar.cs.cmu.edu> developed his own system
  from scratch in six hours. By this time the idea of extending the
  server to new, more `mainstream' groups was starting to emerge,
  and he explored the possibility partly at the specific request of
  multiple users for anonymity in other groups. ``The intended
  advantage of my system was specifically to allow multiple group
  support, with a single anon identifier across all.  This was
  arguably the single biggest deficiency of previous anon systems.'' 
  K. Kleinpaste posted a message on rec.nude asking users whether an
  anonymous service would be welcome there, and judged a consensus
  against it. 

  K. Kleinpaste introduced what he calls a ``fire extinguisher'' to
  `squelch' or `plonk' abusive users in response to complaints, and
  used this in three cases. Nevertheless, after a few months of
  intense traffic he was eventually overwhelmed by the abuses of his
  server. ``Even as restricted as it was, my system was subjected to
  abuses to the point where it was ordered dismantled by the
  facilities staff here. Such abuses started right after it was
  created.''

  In ~Nov 1992, Johan Helsingius (julf@penet.FI) set up the most
  controversial anonymous site to date. anon.penet.fi is based on
  scripts and C code written by K. Kleinpaste and supports anonymized
  mail, posting, and return addresses. He initially wanted to confine
  the service to Scandinavian users but expanded it to worldwide
  accessibility in response to `lots' of international requests.
  
  J. Helsingius' policy of allowing anonymous posting to every Usenet
  newsgroup has been met with strong and serious ideological
  opposition (e.g. by news administrators in news.admin.policy).
  Because of the relative newness and recent emergence of the medium,
  abuses by anonymous posters tend to have higher visibility than
  ``routine'' abuses. His total commitment to preservation of
  anonymity is also controversial.

  For example, in a highly controversial and publicized case in ~Feb
  1993,  an anonymous user posted a supposed transcript of desperate
  crew dialogue during the Challenger shuttle disaster via
  anon.penet.fi to sci.astro. Despite the fact that the transcript had
  been posted in the same place up to a year earlier (then
  non-anonymously) and actually originated not with the poster but
  with a New York news tabloid, subsequent responses consisted
  largely of vociferous outrage at the poster's use of anonymity,
  reverberating through many newsgroups.
  
  The original poster, using the same anonymous handle, later conceded
  that the story ``seemed likely to have been fabricated,''
  suggesting the possibility that the original intent was not to
  provoke outrage but to gauge reactions on the authenticity of the
  story (albeit crudely), free of personal risk from perceived
  association with the item.  The ensuing commotion generated queries
  for the original article by late-entering readers. The anonymous
  user later directed deliberately offensive comments at his
  detractors.

  Despite piercingly irate and outraged complaints, and even the vocal
  opposition and verbal abuse of K. Kleinpaste and eminent news
  operators, J. Helsingius has largely avoided use of the ``fire
  extinguisher'' and the ``group bouncer'' mechanisms that limit the
  scope of the service. As of ~March 1993 the anon.penet.fi site is
  best described as `inundated': it has registered over 13,000 users
  in its initial three months of operation, forwards ~3000 messages a
  day, and approximately 5% of all Usenet postings are anonymized
  through the site. The immense popularity is probably largely due
  to the capability for `global' anonymity which has allowed users to
  find creative uses in diverse areas not previously envisioned.

  Johan Helsingius was subjected to extraordinary pressure to
  dismantle his server in ~Feb 1993. At one point K. Kleinpaste
  threatened publicly to organize a sort of vigilante group of irate
  news operators to send out revocation commands on all messages
  originating from the site.  J. Helsingius has also alluded to
  threats of flooding the server.  The server has crashed several
  times, at least once due to a saturation `mailbombing' through it
  by an anonymous user.  Mr. Helsingius reports spending up to 5
  hours per day answering email requests alone associated with the
  service's administration. In response to the serious threats he
  disabled global group access temporarily for one week and
  encouraged his users to defend the service publicly.
  
  Based on fast-moving dialogue and creative suggestions by
  ``cypherpunks,'' J. Helsingius has identified many security
  weaknesses and valuable new features for the service, and is
  currently in the process of code development and testing. He is
  planning on upgrading the IBM compatible 386 machine to a 486 soon
  to handle the voluminous load and is considering integrating a new
  system with very sophisticated functionality, including multiple
  email aliases, alias allocation control, public-key encryption,
  etc.

  A very sophisticated anonymous posting system was set up in Dec.
  1992 by D. Clunie <dclunie@pax.tpa.com.au> that used cryptography
  in both directions (to and from the server) for the highest degree
  of confidentiality seen so far.  However, it was running on a public
  access account, and he had to shut it down after only several
  weeks, upon receiving requests and conditions apparently ultimately
  originating from NSF representatives. D. Clunie has released the
  software to the public domain.

  Recently the idea of a newsgroup devoted to `whistleblowing' on
  government abuses has received wide and focused attention, and
  group formation is currently underway.  In the basic scenario the
  group would allow people to post pseudonymously using remailers,
  and even establish reputations based on their verifiable
  digital signatures. The traffic may eventually reach reporters in
  the mainstream news media.  deltorto@aol.com has volunteered to
  take on multiple aspects of this project, including distributing
  easy-to-read documentation on posting, anonymization, and
  encryption.

  See also sections on ``views on anonymous posting'' below and ``what
  is going on with anon.penet.fi?'' in this document.
  
  (Thanks to Karl Kleinpaste
  <Karl_Kleinpaste@godiva.nectar.cs.cmu.edu>, David Clunie
  <dclunie@pax.tpa.com.au> and Johan Helsingius <julf@penet.fi> for
  contributions here.)


_____
<8.5> What is the value of anonymity?

  KONDARED@PURCCVM.BITNET:
    
  > I think anonymous posts do help in focusing our attention on the
  > content of one's message. Sure, a lot of anonymous posts are abusive
  > or frivolous but in most cases these are by users who find the
  > anon facility novel. Once the novelty wears off they are stopping
  > their pranks...

  morgan@engr.uky.edu (Wes Morgan):

  > I don't mind seeing the miscellaneous hatred/prejudice/racism;
  > those things are part of our nature.  However,  the notion of
  > providing anonymity's shield for these ideas repulses me.  If
  > they have such strong feelings, why can't they put their name(s)
  > on their postings? ... Quite frankly, I loathe communication
  > with people who refuse to use their names.

  dclunie@pax.tpa.com.au (David Clunie)
   
  > Many seem to question the value of anonymity. But who are they to
  > say what risks another individual should take ? There is no
  > question that in this rather conservative society that we live
  > in, holding certain views, making certain statements, adopting a
  > certain lifestyle, are likely to result in public censure,
  > ridicule, loss of status, employment, or even legal action. Given
  > the heterogeneity of the legal jurisdictions from where the many
  > contributors to usenet post, who knows what is legal and what is
  > not ! Some say that anonymous posters are "cowards" and should
  > stand up and be counted. Perhaps that is one point of view but
  > what right do these detractors have to exercise such censorship ?

  From: doug@cc.ysu.edu (Doug Sewell)
  
  > Why is it censorship to not expect someone to speak for
  > themselves, without the cloak of anonymity? This is at best a
  > lame argument.
  > 
  > You tell me why what you have to say requires anonymity.  And you
  > tell me why the wishes of a majority of non-anonymous users of a
  > newsgroup should be disregarded when they don't want anonymous
  > posts.
  > 
  > Anonymous users have LESS rights than any others. They are not
  > legitimate usenet participants. I would not honor RFDs, CFVs,
  > control messages, or votes from one.

  brad@clarinet.com (Brad Templeton):
  
  > I can think of no disadvantage caused by anon posting sites that
  > doesn't already exist, other than the fact that they do make more
  > naive net users who don't know how to post anonymously the old
  > way more prone to do it.

  From: mandel@netcom.com (Tom Mandel)
  
  > I cannot speak for others but I regard anonymous postings in a
  > serious discussion as pretty much worthless. ... views that hide
  > behind the veil of anon are hardly worth the trouble of reading.
  
  n8729@anon.penet.fi (Hank Pankey)
  
  > Since I began posting anonymously (to show support for general
  > principles of personal privacy) I have been subject to far more
  > abuse and attack than I ever received before. People seem to
  > find it easier to flame and insult someone whose name they don't
  > know. Perhaps it's easier to pretend that there is no person
  > behind the email address who feels the sting of abusive comments.
  > 
  > Anonymity does hinder some methods of controlling other posters'
  > actions.  People who seek such control will naturally oppose it.

  From: 00acearl@leo.bsuvc.bsu.edu
  
  > Instead of making this a "free-er medium" by allowing posters to
  > "protect themselves" with anonymity, simply require that all
  > posters be prepared to discuss their sources of information and
  > take the heat for unsubstantiated dribble.  This seems to be the
  > way things are currently done; 

  xtkmg@trentu.ca (Kate Gregory):
  
  > In misc.kids there are three threads going on started by anonymous
  > posters. One was about changing jobs so as to work less hours,
  > job sharing and so on, from a woman who didn't want anyone at her
  > current place of work to know she was thinking of looking for
  > work elsewhere. The next was from a woman who is thinking of
  > having a baby sometime soon and doesn't want coworkers, friends,
  > family etc etc to know all about it, but who wants advice. The
  > third is about sex after parenthood -- actually this was started
  > by people posting in the usual way but then it was pointed out
  > that the anonymous posting service might let more people
  > participate.
  > 
  > Misc.kids doesn't seem to be suffering any harm from the presence
  > of anonymous posters; in fact it seems to have been helped by it.

  hoey@zogwarg.etl.army.mil (Dan Hoey):
  
  > While there has never been any real security against anonymous or
  > forged postings on Usenet, the process has until now been
  > sufficiently inconvenient, error-prone, and undocumented to limit
  > its use by persons who have not learned the culture of the net.
  >
  > On the other hand, a recent use of the anonymous posting service
  > on sci.math seemed to be a student asking help on a
  > homework problem. It has now been attributed to a teacher,
  > asking for an explanation of a dubious answer in his teaching
  > guide.  He says his news posting is broken, so he is using the
  > anonymous service as a mail-to-news gateway.

  Karl Barrus <elee9sf@Menudo.UH.EDU>
   
  > Some argue that the opinions of the people who hide behind a veil
  > of anonymity are worthless, and that people should own up to
  > their thoughts.  I agree with the latter point - in an ideal
  > world we would all be sitting around engaging in Socratic
  > dialogues, freely exchanging our opinions in an effort to
  > learn.  But in an ideal world nobody will threaten you for your
  > thoughts, or ridicule you.
  > 
  > But we live in a world where the people who don't agree with you
  > may try to harm you.  Let's face it, some people aren't going to
  > agree with your opinion no matter how logically you try to
  > present it, or how reasoned out it may be.  This is sad since it
  > does restrict people from voicing their opinions.

  red@redpoll.neoucom.edu (Richard E. Depew):

  > The consensus seems to be that a general anonymous posting service
  > such as that at anon.penet.fi seems sufficiently corrosive of the
  > trust and civility of the net that this particular experiment
  > should be ended.  Perhaps the next time the question comes up we
  > can say: "We tried it - we learned it does more harm than good -
  > and we stopped it." 

  From: C96@vm.urz.uni-heidelberg.de (Alexander EICHENER)

  > anonymous posting has not created major problems aside from
  > angering irate people (like you?) who would rather ban
  > anonymous/pseudonymous posting altogether because "real men can
  > stand up for what they said" or comparable puerile arguments as
  > others have brought up.

  dave@elxr.jpl.nasa.gov (Dave Hayes):

  > What a primal example of human nature. I have three questions for
  > you folks. 
  > 
  > Do people really say different things to each other based upon
  > whether their identity is or isn't known?
  > 
  > Are people really so affected by what other people say that the
  > verbiage is labeled "abuse"?
  > 
  > Most importantly, on a forum that prizes itself on the freedom of
  > communication that it enjoys, is there really such a thing as
  > freedom of communication?
  
  From: terry@geovision.gvc.com (Terry McGonigal)
  
  > <sigh>...  Just how many anon services are needed?  Will
  > *everybody* start running one soon?  What's the purpose?  Who
  > stands to benefit when there are N anon services, then 2*N, then
  > N^2, out there.  Where *has* this sudden fascination with anon
  > services come from?
  > 
  > For better or (IMHO) worse, it looks like we're gonna get stuck
  > with these things, and as much as I don't like the idea (of
  > services like this becoming the norm) I don't really think
  > there's much to be done since it's obvious that anyone who wants
  > to can set one up with a bit of work.

  Karl_Kleinpaste@cs.cmu.edu (Karl Kleinpaste):

  > Weak reasoning.
  > With freedom comes responsibility.

  dave@elxr.jpl.nasa.gov (Dave Hayes):
  
  > Responsibility isn't real if it is enforced. True responsibility
  > comes with no coercion.

_____
<8.6> Should anonymous posting to all groups be allowed?

  morgan@engr.uky.edu (Wes Morgan):
  
  > I will be the first to admit that I hold some controversial
  > opinions; indeed, I'm sure that none of us are completely
  > orthodox in our opinions. However, I've received *hundreds* of
  > anonymous email messages over the last few years; fewer than 20
  > of them were "reasonable posts made with good motives." It's 
  > getting more and more difficult to remember why we need anonymity
  > at all; the abusers are (once again) lousing things up for those
  > who truly need the service (or those who would put it to good
  > use).
  > 
  > I'm not suggesting that we should ban anonymous servers; as I've
  > said, there are several situations in which anonymity is a Good
  > Thing (tm). 
  > 
  > However, the notion that anonymity's shield should be
  > automatically extended to every Usenet discussion is ridiculous;
  > it opens the door to further abuse. 

  twpierce@unix.amherst.edu (Tim Pierce):
  
  > Of course, how does one determine whether a "group" requests the
  > service?  A flat majority of posters voting in favor? A positive
  > margin of 100 votes?  Or what?  No one speaks for a newsgroup.
  > 
  > I'm not convinced by the arguments that an anonymous posting
  > service for all newsgroups is inherently a bad idea, simply
  > because it's a diversion from the status quo. Since the status
  > quo previously permitted anonymous posting to *no* newsgroups,
  > any anonymous posting service would reject the status quo.
  
  hartman@ulogic.UUCP (Richard M. Hartman) writes:
  
  > It is fascist to suggest that a newsgroup is best able to decide
  > whether it wants to allow anonymous postings instead of having
  > them forced upon them by an service administrator?

  ogil@quads.uchicago.edu (Brian W. Ogilvie):

  > The service provides a mechanism for forwarding mail to the
  > original poster. Since most Usenet readers don't know John Smith
  > from Jane Doe except by their opinions and their address, the
  > effect of having an anonymous posting to which mail replies can
  > be directed is minimal, except for those who personally know the
  > poster--and ... the lack of anonymity could be serious. Any
  > mechanism like this is liable to abuse, but the benefits as well
  > as the costs must be weighed. Limiting the service to alt groups,
  > or specific groups, would not help those who want advice on
  > sensitive issues in more 'professional' newsgroups.

  From: tarl@sw.stratus.com (Tarl Neustaedter)
  
  > An additional point is that some of us find anonymity in technical
  > matters to be profoundly offensive; anonymity in different forums
  > has different meanings. If I get a phone call from someone who
  > won't identify himself, I hang up. If I get U.S. mail with no
  > return address, it goes into the garbage unopened. If someone
  > accosts me in the street while wearing a mask, I back away -
  > carefully, and expecting violence. In a technical discussion,
  > anonymity means that the individual isn't willing to associate
  > himself with the matter being discussed, which discredits his
  > utterances and makes listening to them a waste of time.
  >   
  > Anonymity leads to fun psych experiments; the literature is filled
  > with all the various things that people will do anonymously that
  > they won't otherwise. Including one notorious study involving
  > torture that would not have passed today's ethical standards. Fun
  > stuff, in any case.
  > 
  > FINE. LEAVE US OUT OF IT.

  From: jbuck@forney.berkeley.edu (Joe Buck)

  > You obviously have never submitted an article to a refereed
  > journal, where you will receive anonymous reviews through a server
  > (the editor) that behaves much like the one in Finland (e.g. you
  > may reply and the editor will maintain the anonymity).  ...  Your
  > comparison of someone who wants to express him/herself on a 
  > technical issue anonymously with a person who approaches you on a 
  > dark street with a ski mask is just emotionally overwrought 
  > nonsense; such posters pose no physical threat to you.
 
  jik@mit.edu (J. Kamens):
  
  > It seems obvious to me that the default should be *not* to allow
  > anonymous postings in a newsgroup.  The Usenet has always
  > operated on the principle that the status quo should be kept
  > unless there's a large number of people who want to change it.
  > 
  > If someone REALLY needs to post a message anonymously in a newsgroup
  > in which this usually isn't done, they can usually find someone
  > on the net to do this for them. They don't need an automated
  > service to do it, and the automated service is by its nature
  > incapable of making the judgment call necessary to decide whether
  > a particular posting really needs to be anonymous.

  From: twpierce@unix.amherst.edu (Tim Pierce)
  
  > For any newsgroup you name, I bet I can envision a scenario
  > involving a need for secrecy. If an accurate content-based
  > filter of each anonymous posting could be devised to screen out
  > those that don't require secrecy, wonderful.  But it can't be
  > done.

  From: lhp@daimi.aau.dk (Lasse Hillerøe Petersen)
  
  > If a newsgroup wants to be noise- and nuisance-free, then it
  > should call for moderation. This should happen on a per-newsgroup
  > basis, and not as a general USENET ban on anonymous postings. Of
  > course one principle of moderation might be to keep out all
  > anonymous postings, and could be achieved automatically. It would
  > still be _moderation_. Personally I would prefer moderation
  > criteria being based on actual content.

  David A. Clunie (dclunie@pax.tpa.com.au)
  
  > If a "group" doesn't want to receive certain posts it should
  > become moderated - there are clearly defined mechanisms on
  > non-alt groups for this to take place. An automated moderator
  > excluding posts from certain (eg. anonymous) sites or individuals
  > could easily be established. If anyone wants to take such a
  > draconian approach then they are welcome to do so and good luck
  > to them. I doubt if I will be reading their group !

  From: dave@frackit.UUCP (Dave Ratcliffe)
  
  > What possible need would someone have for posting anonymously to a
  > sci.* group? 
  > 
  > Sure most adults are willing to post under their own names. Why
  > would they want to hide behind an anonymous posting service?
  > Ashamed of what they have to say or just trying to rile people
  > without fear of being identified? 
  > 
  > Anonymous postings have their place in CERTAIN groups. If I or
  > anyone else needs to tell you what those groups are then you've
  > been on another planet breathing exotic gases for too long.

  From: Karl_Kleinpaste@cs.cmu.edu
  
  > It's bloody fascinating that (all?) the proponents of unimpeded
  > universal anon posting access can't seem to find any middle
  > ground at all.  Why is there such a perception of
  > absolutism? Where does this instant gratification syndrome come
  > from, "I want anon access and I want it NOW"?  Who are the
  > control freaks here?
  
  From: 00acearl@leo.bsuvc.bsu.edu

  > Remember, this is a newsgroup for posters writing about SCIENTIFIC
  > issues. Anonymous discussion of scientific issues leads to bad
  > science.

  From: noring@netcom.com (Jon Noring)
  
  > Though many have personal philosophical arguments against
  > anonymous posters, their arguments have not been compelling
  > enough to convince me that omni-newsgroup anonymous posting
  > should be banned or severely restricted.  Though I cannot prove
  > it, it seems to me that those who do not like anonymous posting
  > (in principle) do so for reasons that are personal (read,
  > psychological discomfort) rather than for reasons related to
  > maintaining the "integrity" of Usenet.
  > 
  > Remember, it is impossible to be able to ascertain all the
  > conceivable and legitimate motives for anonymous posting to
  > newsgroups one normally would not deem to be "sensitive". ... in
  > general, I fear even letting newsgroup readers vote on either
  > allowing or not allowing anonymous posting, since a priori they
  > *cannot* know all the motives of *legitimate* posters, and I do
  > not believe that any system should ever be instituted that would
  > inhibit the posting of legitimate and informative posts. 

  lestat@wixer.cactus.org (Lyle J. Mackey) writes:

  > I personally don't believe that pseudonymous postings are
  > appropriate in a serious discussion area.  If there is a
  > LEGITIMATE reason for concealing the posters' identity, perhaps,
  > but simply because they're not so sure if they want their name
  > attached doesn't qualify as LEGITIMATE in my book.  (Oh, and if
  > you can come up with a legitimate purpose for anonymous postings,
  > please, enlighten me.)

  sderby@crick.ssctr.bcm.tmc.edu (Stuart P. Derby)
  
  > Three of our (the U.S.'s) founding fathers, Madison, Hamilton, and
  > Jay, seemed to think "anonymous posting" was OK. The Federalist
  > papers were originally printed in New York newspapers with
  > authorship attributed to "Publius". I wonder if you would find
  > their purpose "LEGITIMATE"?


_____
<8.7> What should system operators do with anonymous postings?

  From: emcguire@intellection.com (Ed McGuire)
  
  > I would like to know how to junk all articles posted by the
  > anonymous service currently being discussed.  Ideally I would
  > actually tell my feed site not to feed me articles posted by the
  > anonymous service. Assuming the C News Performance Release, what
  > is a simple way to accomplish this? Or where should I look to
  > learn how to do it myself?
  
  From: dclunie@pax.tpa.com.au (David Clunie)
  
  > That's a bit draconian isn't it ? Have your users unanimously
  > decided that they would like you to do this or have you decided
  > for them ?
  
  From: emcguire@intellection.com (Ed McGuire)
  
  > Good question.  Nobody has decided. I have no definite plan to do
  > this, just wanted the technical data.

  Karl Kleinpaste (Karl_Kleinpaste@godiva.nectar.cs.cmu.edu):
  
  > ...were I to be in the position of offering such a service again,
  > my promises of protection of anonymity would be limited.  Not on
  > the basis of personal opinion of what gets posted, but on the
  > basis of postings which disrupt the smooth operation of the
  > Usenet. The most obvious and direct recourse would be to `out'
  > the abusive individual. Less drastic possibilities exist -- the
  > software supports a "fire extinguisher" by which individuals can
  > be prevented from posting.

  john@iastate.edu (John Hascall):
  
  > Since when is Usenet a democracy? If someone wants to run an
  > anonymous service, that's their business. If you want to put
  > that host in your killfile, that's your business. If a newsadmin
  > wants to blanket-drop all postings from that site, that's between
  > them and the other people at that site. If everyone ignores a
  > service, the service effectively doesn't exist.

  From: jik@athena.mit.edu (Jonathan I. Kamens)
  
  > NNTP servers that allow posting from anyone are NOT "a service to
  > the net."  They do the net a disservice.
  > 
  > Terminal servers have the same problems as open NNTP servers --
  > they allow people who want to do illegal/immoral/unethical things
  > on the Internet to do so without accountability.
  > 
  > There are, by now, public access sites all over this country, if
  > not all over the world, that allow very inexpensive access to the
  > Usenet and the Internet.  There is no reason for NNTP servers to
  > allow anyone to post messages through them, and there is no
  > reason for terminal servers to allow anyone to connect to them
  > and then make outbound connections through them.  Perhaps when it
  > was harder to get to the Internet or the Usenet, open servers
  > could be justified, but not now.

  jbotz@mtholyoke.edu (Jurgen Botz): 
  
  > I think that what ... these points show clearly is that an
  > anonymous posting service has a great deal of responsibility,
  > both towards its clients and towards the Net as a whole.  Such a
  > service should (IMHO) have a set of well-defined rules and a
  > contract that its clients should sign, under the terms of which
  > they are assured anonymity.

  From: an8785@anon.penet.fi
  
  > Is the problem that some are used to "punishing" posters who are
  > upsetting in some vague way by complaining to the (usually
  > acquiescent) sysadmin or organizations that the poster belongs
  > to? That surely is the most gutless approach to solving
  > problems, but my experience on the net shows that the same users
  > who vilify anonymous postings are the first to write obsessively
  > detailed grievances to the poster's supervisor when his or her
  > tranquility is disturbed by some "intrusive" or subversive post
  > or another.
  > 
  > Anonymous postings prevent just this kind of intimidation.

  From: gandalf@cyberspace.org (Eric Schilling)
  
  > The main point I would like to make here is that while we can go
  > through and revise the news sw to "reject anon posts to technical
  > newsgroups" or some such thing, I think the attempt will prove
  > futile. Each attempt to modify news can result in a changed
  > approach by anon service providers to thwart the change.  I think
  > this would be pointless.

  From: julf@penet.fi (Johan Helsingius)

  > I have tried to stay out of this discussion, and see where the
  > discussion leads. But now I really feel like I have to speak up.
  > ... I have repeatedly made clear ... that I *do* block users if
  > they continue their abuse after having been warned. In many cases
  > the users have taken heed of the warning and stopped, and in some
  > cases even apologized in public. And when the warning has not had
  > the desired effect, I have blocked a number of users. I have also
  > blocked access to groups where the readership has taken a vote to
  > ban anonymous postings, although I feel changing the newsgroup
  > status to moderated is the only permanent solution for newsgroups
  > that want to "formalize" discussion.
 
  red@redpoll.neoucom.edu (Richard E. Depew)

  > Does this ... mean that you are volunteering to issue a Request 
  > For Discussion to ban anonymous postings or to moderate each of 
  > the 4000+ newsgroups that your server can reach?  I don't think 
  > so, but this illustrates the trouble that your server is causing!
  >
  > please listen to the consensus of the news administrators in this 
  > group:  any newsgroup should be consulted *before* letting your 
  > server post messages to that group.
 
  From: C96@vm.urz.uni-heidelberg.de (Alexander EICHENER)
  
  > There is no pompous "consensus of *the* news administrators" 
  > here - maybe you would like to invent one. There is a sizeable 
  > number of people who are concerned about the possible (and, to a 
  > minor extent, about the actual abuse of the server as it is 
  > configured now). These concerns are respectable; Johan is dealing
  > with them. ... There are some (few) who rage with foam before 
  > their mouth and condemn the service altogether. And a number who
  > defend it, pointing out, like Kate Gregory, that even a group 
  > like misc.kids. can benefit from pseudonymous postings.

  From: julf@penet.fi (Johan Helsingius)

  > I have answered a lot of personal mail related to server abuse,
  > and as a result of that, blocked a number of abusive users. I
  > have also withdrawn the service from several newsgroups where the
  > users have taken a vote on the issue. I have not made any
  > comments on news.admin.policy, partly because the
  > newly-implemented password feature (as a emergency measure
  > against a security hole) has kept me really busy answering user
  > queries the last two weeks, and partly because I feel it is not
  > for me to justify the service, but for the users. The problem
  > with news.admin.policy is that the readership is rather elective,
  > representing people with a strong interest in centralised
  > control.

  From: hartman@ulogic.UUCP (Richard M. Hartman)
  
  > This seems to be a rather bigoted attitude.  I would consider that
  > this group is for anyone who wishes to discuss how the net should
  > be controlled.  Saying that we only have an interest in
  > "centralized control" is a clear indication of bias.  You are
  > perfectly welcome to join in the discussions here to promote your
  > views on control.

  jbuck@ohm.berkeley.edu
  
  > This whole debate is a lot of "sound and fury signifying nothing"
  > because, even if you all decide to ban anonymous posting servers,
  > it is not enforceable.  The only people who conceivably could
  > enforce restrictions are those that control the international
  > links.
  > 
  > Policy changes should be made by cooperation, not by attempting
  > to dictate. ...you need to persuade those who run the services
  > to act like this through friendly persuasion, not by trying to
  > beat them over the head with a stick (especially a stick you
  > don't even have).

  spp@zabriskie.berkeley.edu (Steve Pope)
  
  > I am finding this bias against pseudonymity boring.  Our friend
  > posting through penet has a point.  The old guard would like to
  > keep their network the way it always has been... and this new
  > thing, these pseudonymous servers, cuts into their turf.  So they
  > whine and bitch about it, and every time there's the slightest
  > abuse (such as somebody's .sig being too long),  they try to
  > parlay that into an argument against pseudonymity.
  > 
  > I'll go on record as saying: three cheers for the admins at anon
  > servers like penet, pax, and n7kbt... and for all the  access
  > service providers who are willing to preserve their clients
  > privacy.
  > 
  > And a pox on those who try to defeat and restrict pseudonymity.
  
  mimir@stein.u.washington.edu (Al Billings)
  
  > I wouldn't help people get rid of anon postings as a group. If you
  > don't like what someone says, then you put THAT anon address in
  > your kill file, not all of them. Of course, if and when I get an
  > anon site going, I'm just going to assign fake names like
  > "jsmith" instead of "anon5564" to avoid most of the hassles.
  > You'll never know it is anonymous will you?

  From: anne@alcor.concordia.ca (Anne Bennett)
  
  > I must admit to some astonishment at this argument.  I see the
  > value of anonymous postings under some circumstances, yet believe
  > strongly that these should be identified as such, so that people
  > who do not wish to read material from people who won't identify
  > themselves, don't have to.
  > 
  > I fail to see what good you would be accomplishing, and indeed
  > surmise that you will cause many people inconvenience and
  > annoyance, by hiding the anonymity of postings from your
  > anonymous site.  Would you care to justify where the hell you get
  > the gall to try to prevent people from effectively filtering
  > their news as they see fit?
  
  From: dclunie@pax.tpa.com.au (David Clunie)
  
  > I thought I was out of reach here in Australia too. Unfortunately
  > one of the US sites involved in the US/Aus feed complained to the
  > Australian Academic Research Network through whom my site is
  > connected, not about anything in particular, just the concept of
  > anonymous mail having no redeeming features and consuming a
  > narrow bandwidth link (with which I can't argue) and that was
  > that ... stop the service or face disconnection.
  >
  > I consider the demise of [my] service to have been rather
  > unfortunate, and I wish the Finnish remailer luck ! It is a pity
  > that there are very few if any similar services provided within
  > the US. I guess that's the benefit of having a constitution that
  > guarantees one freedom of speech and a legal and political system
  > that conspires to subvert it in the name of the public good.


_____
<8.8> What is going on with anon.penet.fi run by J. Helsingius?


  From: Karl_Kleinpaste@cs.cmu.edu
  
  > Funny, how beating the rest of the Usenet over the head with a
  > stick is OK if it's anon.penet.fi and universal anon access.  But
  > somehow people on the other side of the same equation (not even
  > arguing to shut it off entirely, but rather just to have some
  > control applied to the abuses that manifest themselves) aren't
  > allowed to do that.
  > 
  > I have written to Johan several times in the last couple of
  > weeks.  He used to reply to me quite readily. After all, I was
  > the source of the software as originally delivered to him -- he
  > used to be downright _prompt_ about replying to me. Funny, now
  > he's being an impolite bastard who doesn't answer mail _at_all_,
  > even when it consists of really very civil queries.
  
  From: julf@penet.fi (Johan Helsingius)
  
  > In your mail you told me you sent me one or more messages on Feb.
  > 8th. Feb 7th and 8th the server was down, and the flood of mail
  > that resulted from the server coming up again crashed my own mail
  > host. The problem was aggregated by an abusive user sending
  > thousands of messages to another user, filling up that user's
  > mailbox. The bounce messages ended up in my mailbox, overflowing
  > my local disk as well.
  > 
  > I can only suppose that your message got lost in that hassle, as
  > I have tried to answer as much as possible of the anon-related
  > messages I get, from routine mis-addressed messages to complaints
  > about the service. On the average I spend 4-5 hours per day
  > answering anon-related messages.
  
  From: Karl_Kleinpaste@cs.cmu.edu
  
  > Why is it that everybody else has to put up with the impoliteness
  > and insensitivity of the misuse of anon.penet.fi?  Whose
  > definitions of "polite" and "sense" apply, and why? Why is
  > universal anon access considered to be within the realm of this
  > fuzzy concept of "politeness" in the first place?
  > 
  > I think Johan has long since crossed the line into being a rude
  > bastard, and I told him so in private mail a little while ago.
  > 
  > At this point, I deeply regret [a] having created an anonymous
  > system supporting >1 newsgroup and [b] having given the code to
  > Johan.  I didn't copyright it, but I thought that some concept of
  > politeness and good sense might follow it to new
  > homes.  Interesting that Johan's ideas of politeness and good
  > sense seem to have nearly no intersection with mine. I could
  > even cope with universal anon access _if_ Johan would be willing
  > to engage in abuse control, but somehow that seems to be outside
  > the range of reality...

  From: julf@penet.fi (Johan Helsingius)
  
  > There is no way for me to convey how sad and upset your message
  > made me. I do, to some extent, understand your feelings, but it
  > still feels really bad. Running the server requires getting used
  > to a lot of flames, but mindlessly abusive hate mail is so much
  > easier to deal with than something like this, as I do respect and
  > value your views and opinions to a high degree. No, I'm not
  > asking for sympathy, I just wanted you to know that I am really
  > giving your views quite a lot of weight.
  > 
  > When I asked for the software, I was actually only going to
  > provide the service to Scandinavian users. But a lot of people
  > requested that I keep the service open to the international
  > community. I now realize that I ought to have contacted you at
  > that point to ask how you feel about me using your stuff in such
  > a context. Again, I really want to apologise. And I will replace
  > the remaining few pieces of code that still stem from your
  > system. Unfortunately there is no way to remove the ideas and
  > structure I got from you.
  > 
  > Again, I am really sorry that the results of your work ended up
  > being used in a way that you don't approve of. And I will be
  > giving a lot of hard thought to the possibility of shutting down
  > the server altogether.
  
  From: Karl_Kleinpaste@cs.cmu.edu
  
  > I think I'm feeling especially rude and impolite.  If it's good
  > for Johan, it's good for me.  After all, he didn't ask the
  > greater Usenet whether universal anon access was a good idea; he
  > just did it. ... Yes, I'm a seriously rude pain in the ass now,
  > and I think I'll arm the Usenet Death Penalty, slightly modified,
  > not for strategic whole-site attack, but tactical assault, just
  > "an[0-9]*@anon.penet.fi" destruction. Only outside alt.*, too,
  > let's say.
  > 
  > To parrot this line...people have been doing things like the UDP
  > (that is, cancelling others' postings) for years, no one could
  > ever stop them, and it's only politeness and good sense that has
  > prevented them up to now.
  > 
  > In fact, I have 8 people who have expressed privately the desire
  > and ability to arm the UDP.
  > 
  > ...
  > 
  > PS- No, in fact there are not 8 newsadmins ready to arm the
  > UDP.  It would be amusing to know how many people gulped hard
  > when they read that, though.  I don't see it as any different
  > from Johan's configuration.
  > 
  > PPS- Now that I've calmed some fears by the above PS...  There
  > are 2 newsadmins ready to arm the UDP.  They've asked for my
  > code.  I haven't sent it yet. Only one site would be necessary
  > to bring anon.penet.fi to a screeching halt.  Anyone can
  > implement the UDP on their own, if they care to.  Politeness and
  > good sense prevents them from doing so. I wonder how long before
  > one form of impoliteness brings on another form.

  From: julf@penet.fi (Johan Helsingius)
  
  > It would be trivially easy to bring anon.penet.fi to a screeching
  > halt. In fact it has happened a couple of times already. But as
  > we are talking threats here, let me make one as well. A very
  > simple one. If somebody uses something like the UDP or
  > maliciously brings down anon.penet.fi by some other means, it
  > will stay down. But I will let the users know why. And name the
  > person who did it. OK? As somebody said on this thread: "You have
  > to take personal responsibility for your actions", right?
  
  From: avs20@ccc.amdahl.com (  134 Atul V Salgaonkar)
  
  > I am very grateful and appreciative of this service, courtesy of
  > penet.fi.  Some important questions about my personal
  > life/career/job were resolved due to kind help of other people
  > who had been thru similar situations. In return, I have also
  > replied to anon postings where I thought I could make a positive
  > contribution.
  > 
  > In general, anon service is great, in my opinion, although like
  > any tool some people will not use it responsibly. I suggest that
  > it should be kept alive. Wasting bandwidth is less important than
  > saving lives, I think.
  
  From: us273532@mmm.serc.3m.com (Elisa J. Collins)
  
  > I have been informed that the anonymous posting service to many
  > newsgroups has been turned off as a result of discussions in this
  > newsgroup over people abusing it.
  > 
  > I had been posting to a nontechnical misc newsgroup about an
  > intimate topic for which I felt I required privacy. I have
  > received immeasurable help from the people in that newsgroup, and
  > I have never used anonymity to behave in an abusive, immature, or
  > unethical fashion toward anyone.
  > 
  > Please, folks, believe me, I *need* this service.  Please
  > consider my point of view and permit admin@anon.penet.fi to turn
  > the service back on...
  > 
  > Thank you.

* * *

SEE ALSO
========

Part 1 (first file)
------

<1.1> What is `identity' on the internet?
<1.2> Why is identity (un)important on the internet?
<1.3> How does my email address (not) identify me and my background?
<1.4> How can I find out more about somebody from their email address?
<1.5> Why is identification (un)stable on the internet? 
<1.6> What is the future of identification on the internet?

<2.1> What is `privacy' on the internet?
<2.2> Why is privacy (un)important on the internet?
<2.3> How (in)secure are internet networks?
<2.4> How (in)secure is my account?
<2.5> How (in)secure are my files and directories?
<2.6> How (in)secure is X Windows?
<2.7> How (in)secure is my email?
<2.8> How am I (not) liable for my email and postings?
<2.9> How do I provide more/less information to others on my identity?
<2.10> Who is my sysadmin?  What does s/he know about me?
<2.11> Why is privacy (un)stable on the internet?
<2.12> What is the future of privacy on the internet?

<3.1> What is `anonymity' on the internet?
<3.2> Why is `anonymity' (un)important on the internet?
<3.3> How can anonymity be protected on the internet?
<3.4> What is `anonymous mail'?
<3.5> What is `anonymous posting'?
<3.6> Why is anonymity (un)stable on the internet?
<3.7> What is the future of anonymity on the internet?

Part 2 (previous file)
------

<4.1> What UNIX programs are related to privacy?
<4.2> How can I learn about or use cryptography?
<4.3> What is the cypherpunks mailing list?
<4.4> What are some privacy-related newsgroups?  FAQs?
<4.5> What is internet Privacy Enhanced Mail (PEM)?
<4.6> What are other Request For Comments (RFCs) related to privacy?
<4.7> How can I run an anonymous remailer?
<4.8> What are references on privacy in email?
<4.9> What are some email, Usenet, and internet use policies?
<4.10> What is the MIT ``CROSSLINK'' anonymous message TV program?

<5.1> What is ``digital cash''?
<5.2> What is a ``hacker'' or ``cracker''?
<5.3> What is a ``cypherpunk''?
<5.4> What is `steganography' and anonymous pools?
<5.5> What is `security through obscurity'?
<5.6> What are `identity daemons'?
<5.7> What standards are needed to guard electronic privacy?

<6.1> What is the Electronic Frontier Foundation (EFF)?
<6.2> Who are Computer Professionals for Social Responsibility (CPSR)?
<6.3> What was `Operation Sun Devil' and the Steve Jackson Game case?
<6.4> What is Integrated Services Digital Network (ISDN)?
<6.5> What is the National Research and Education Network (NREN)?
<6.6> What is the FBI's proposed Digital Telephony Act?
<6.7> What other U.S. legislation is related to privacy on networks?
<6.8> What are references on rights in cyberspace?
<6.9> What is the Computers and Academic Freedom (CAF) archive?

<7.1> What is the background behind the Internet?
<7.2> How is Internet `anarchy' like the English language?
<7.3> Most Wanted list
<7.4> Change history


* * *

This is Part 3 of the Privacy & Anonymity FAQ, obtained via anonymous
  FTP to pit-manager@mit.edu:/pub/usenet/news.answers/net-privacy/ or 
  newsgroups news.answers, sci.answers, alt.answers every 21 days.
Written by L. Detweiler <ld231782@longs.lance.colostate.edu>.
All rights reserved.



Newsgroup: sci.crypt
Document_id: 15179
From: ckincy@cs.umr.edu (Charles Kincy)
Subject: Re: Pgp, PEM, and RFC's (Was: Cryptography Patents)

In article <1993Apr16.001321.3692@natasha.portal.com> bob@natasha.portal.com (Bob Cain) writes:

>: I hope my cynicism is misplaced here.  Go ahead...I'm not afraid to
>: be wrong every once in a while.  But, I have an uneasy feeling that I
>: am right.  :(
>
>It is and you are wrong yet you emotionally state a bunch of crap as fact
>with a tiny disclaimer at the end.  Check your facts first and grow up.
>Why is there such a strong correlation between interest in cryptography
>and immaturity I wonder.

Oh, I see, flame someone, tell them that they are immature, tell them
they are wrong, and then don't offer any proof for your assertions.

You really *are* a putz.  Put up or shut up.

cpk
-- 
It's been 80 days.  Do you know where your wallet is?

Newsgroup: sci.crypt
Document_id: 15180
Subject: Re: Fifth Amendment and Passwords
From: pgut1@cs.aukuni.ac.nz (Peter Gutmann)

In <C5Jzsz.Jzo@cs.uiuc.edu> kadie@cs.uiuc.edu (Carl M Kadie) writes:

>The crypto-key disclosure issue hasn't come up yet, but current law
>suggests that it's a loser for the defendant--he'll be compelled to turn
>over the key.

It has actually come up (or it will in a week or two) in NZ.  I'll post the
outcome when the trial finishes (which could take months BTW).  Overall it
looks like you can't be forced to reveal a password, if anyone can provide
a convincing legal argument to the contrary (ie an actual court case) I'd
be most interested...

Peter.
--
 pgut1@cs.aukuni.ac.nz||p_gutmann@cs.aukuni.ac.nz||gutmann_p@kosmos.wcc.govt.nz
peterg@kcbbs.gen.nz||peter@nacjack.gen.nz||peter@phlarnschlorpht.nacjack.gen.nz
             (In order of preference - one of 'em's bound to work)
                          -- Think!  (or thwim) --


Newsgroup: sci.crypt
Document_id: 15181
From: Rob Shirey <shirey@mitre.org>
Subject: ISOC Symposium on Net Security


                             CALL FOR PAPERS
                    The Internet Society Symposium on
                 Network and Distributed System Security

        3-4 February 1994, Catamaran Hotel, San Diego, California

The symposium will bring together people who are building software and
hardware to provide network or distributed system security services.
The symposium is intended for those interested in practical aspects of
network and distributed system security, rather than in theory.  Symposium
proceedings will be published by the Internet Society.  Topics for the
symposium include, but are not limited to, the following:

*  Design and implementation of services--access control, authentication,
   availability, confidentiality, integrity, and non-repudiation
   --including criteria for placing services at particular protocol
   layers.

*  Design and implementation of security mechanisms and support
   services--encipherment and key management systems, authorization
   and audit systems, and intrusion detection systems.

*  Requirements and architectures for distributed applications and
   network functions--message handling, file transport, remote
   file access, directories, time synchronization, interactive
   sessions, remote data base management and access, routing, voice and
   video multicast and conferencing, news groups, network management,
   boot services, mobile computing, and remote I/O.

*  Special issues and problems in security architecture, such as
   -- very large systems like the international Internet, and
   -- high-speed systems like the gigabit testbeds now being built.

*  Interplay between security goals and other goals--efficiency,
   reliability, interoperability, resource sharing, and low cost.

GENERAL CHAIR:
   Dan Nessett, Lawrence Livermore National Laboratory

PROGRAM CHAIRS:
   Russ Housley, Xerox Special Information Systems
   Rob Shirey, The MITRE Corporation

PROGRAM COMMITTEE:
   Dave Balenson, Trusted Information Systems
   Tom Berson, Anagram Laboratories
   Matt Bishop, Dartmouth College
   Ed Cain, U.S. Defense Information Systems Agency
   Jim Ellis, CERT Coordination Center
   Steve Kent, Bolt, Beranek and Newman
   John Linn, Independent Consultant
   Clifford Neuman, Information Sciences Institute
   Michael Roe, Cambridge University
   Rob Rosenthal, U.S. National Institute of Standards and Technology
   Jeff Schiller, Massachusetts Institute of Technology
   Ravi Sandhu, George Mason University
   Peter Yee, U.S. National Aeronautics and Space Administration

SUBMISSIONS:  The  committee seeks both original technical papers and
proposals for panel discussions on technical and other topics of general
interest.  Technical papers should be 10-20 pages in length.  Panels
should include three or four speakers.  A panel proposal must name the
panel chair, include a one-page topic introduction authored by the chair,
and also include one-page position summaries authored by each speaker.
Both the technical papers and the panel papers will appear in the
proceedings.

Submissions must be made by 16 August 1993.  Submissions should be made
via electronic mail to

                   1994symposium@smiley.mitre.org.

Submissions may be in either of two formats:  ASCII or PostScript.  If
the committee is unable to read a PostScript submission, it will be
returned and ASCII requested.  Therefore, PostScript submissions should
arrive well before 16 August.  If electronic submission is absolutely
impossible, submissions should be sent via postal mail to

                   Robert W. Shirey, Mail Stop Z202
                   The MITRE Corporation
                   McLean, Virginia  22102-3481  USA

All submissions must include both an Internet electronic mail address and
a postal address.  Each submission will be acknowledged through the
medium by which it is received.  If acknowledgment is not received within
seven days, please contact either Rob Shirey <Shirey@MITRE.org> or
Russ Housley <Housley.McLean_CSD@xerox.com>, or telephone Mana Weigand at
MITRE in McLean, 703-883-5397.

Authors and panelists will be notified of acceptance by 15 October 1993.
Instructions for preparing camera-ready copy for the proceedings will be
postal mailed at that time.  The camera-ready copy must be received by
15 November 1993.

Newsgroup: sci.crypt
Document_id: 15182
From: marc@tanda.isis.org (Marc Thibault)
Subject: Re: PEM and MIME

In article <1qg8m2$2e5@nigel.msen.com> 
(Edward Vielmetti) writes: 

> I would suggest that 50 attractive MIME formatted news messages a day would be
> sufficient to get a few people thinking about adding MIME support to news
> readers, esp if the content is really worth it.

        But that's just the problem. There is no such thing as
        "MIME-Formatted". By analogy, MIME is a content-labelling
        standard for the box, not a specification for the contents
        themselves. It provides a standard for "like-minded"
        individuals to exchange mail containing an agreed-upon data
        format.

        You say tomahto, I say tomaeto; you say postscript, I say
        SGML...
        
        Cheers,
                Marc

---
 Marc Thibault        | CIS:71441,2226     |  Put another log
 marc@tanda.isis.org  | NC FreeNet: aa185  |  on the fire.




Newsgroup: sci.crypt
Document_id: 15183
From: clipper@csrc.ncsl.nist.gov (Clipper Chip Announcement)
Subject: text of White House announcement and Q&As on clipper chip encryption


Note:  This file will also be available via anonymous file
transfer from csrc.ncsl.nist.gov in directory /pub/nistnews and
via the NIST Computer Security BBS at 301-948-5717.
     ---------------------------------------------------

                         THE WHITE HOUSE

                  Office of the Press Secretary

_________________________________________________________________

For Immediate Release                           April 16, 1993


                STATEMENT BY THE PRESS SECRETARY


The President today announced a new initiative that will bring
the Federal Government together with industry in a voluntary
program to improve the security and privacy of telephone
communications while meeting the legitimate needs of law
enforcement.

The initiative will involve the creation of new products to
accelerate the development and use of advanced and secure
telecommunications networks and wireless communications links.

For too long there has been little or no dialogue between our
private sector and the law enforcement community to resolve the
tension between economic vitality and the real challenges of
protecting Americans.  Rather than use technology to accommodate
the sometimes competing interests of economic growth, privacy and
law enforcement, previous policies have pitted government against
industry and the rights of privacy against law enforcement.

Sophisticated encryption technology has been used for years to
protect electronic funds transfer.  It is now being used to
protect electronic mail and computer files.  While encryption
technology can help Americans protect business secrets and the
unauthorized release of personal information, it also can be used
by terrorists, drug dealers, and other criminals.

A state-of-the-art microcircuit called the "Clipper Chip" has
been developed by government engineers.  The chip represents a
new approach to encryption technology.  It can be used in new,
relatively inexpensive encryption devices that can be attached to
an ordinary telephone.  It scrambles telephone communications
using an encryption algorithm that is more powerful than many in
commercial use today.

This new technology will help companies protect proprietary
information, protect the privacy of personal phone conversations
and prevent unauthorized release of data transmitted
electronically.  At the same time this technology preserves the
ability of federal, state and local law enforcement agencies to
intercept lawfully the phone conversations of criminals. 

A "key-escrow" system will be established to ensure that the
"Clipper Chip" is used to protect the privacy of law-abiding
Americans.  Each device containing the chip will have two unique
"keys," numbers that will be needed by authorized government
agencies to decode messages encoded by the device.  When the
device is manufactured, the two keys will be deposited separately
in two "key-escrow" data bases that will be established by the
Attorney General.  Access to these keys will be limited to
government officials with legal authorization to conduct a
wiretap.

The "Clipper Chip" technology provides law enforcement with no
new authorities to access the content of the private
conversations of Americans.

To demonstrate the effectiveness of this new technology, the
Attorney General will soon purchase several thousand of the new
devices.  In addition, respected experts from outside the
government will be offered access to the confidential details of
the algorithm to assess its capabilities and publicly report
their findings.

The chip is an important step in addressing the problem of
encryption's dual-edge sword:  encryption helps to protect the
privacy of individuals and industry, but it also can shield
criminals and terrorists.  We need the "Clipper Chip" and other
approaches that can both provide law-abiding citizens with access
to the encryption they need and prevent criminals from using it
to hide their illegal activities.  In order to assess technology
trends and explore new approaches (like the key-escrow system),
the President has directed government agencies to develop a
comprehensive policy on encryption that accommodates:

     --   the privacy of our citizens, including the need to
          employ voice or data encryption for business purposes;

     --   the ability of authorized officials to access telephone
          calls and data, under proper court or other legal
          order, when necessary to protect our citizens;

     --   the effective and timely use of the most modern
          technology to build the National Information
          Infrastructure needed to promote economic growth and
          the competitiveness of American industry in the global
          marketplace; and 

     --   the need of U.S. companies to manufacture and export
          high technology products.

The President has directed early and frequent consultations with
affected industries, the Congress and groups that advocate the
privacy rights of individuals as policy options are developed.

The Administration is committed to working with the private
sector to spur the development of a National Information
Infrastructure which will use new telecommunications and computer
technologies to give Americans unprecedented access to
information.  This infrastructure of high-speed networks
("information superhighways") will transmit video, images, HDTV
programming, and huge data files as easily as today's telephone
system transmits voice.

Since encryption technology will play an increasingly important
role in that infrastructure, the Federal Government must act
quickly to develop consistent, comprehensive policies regarding
its use.  The Administration is committed to policies that
protect all Americans' right to privacy while also protecting
them from those who break the law.

Further information is provided in an accompanying fact sheet. 
The provisions of the President's directive to acquire the new
encryption technology are also available.  

For additional details, call Mat Heyman, National Institute of
Standards and Technology, (301) 975-2758.

---------------------------------


QUESTIONS AND ANSWERS ABOUT THE CLINTON ADMINISTRATION'S
TELECOMMUNICATIONS INITIATIVE




Q:   Does this approach expand the authority of government
     agencies to listen in on phone conversations?

A:   No.  "Clipper Chip" technology provides law enforcement with
     no new authorities to access the content of the private
     conversations of Americans.

Q:   Suppose a law enforcement agency is conducting a wiretap on
     a drug smuggling ring and intercepts a conversation
     encrypted using the device.  What would they have to do to
     decipher the message?

A:   They would have to obtain legal authorization, normally a
     court order, to do the wiretap in the first place.  They
     would then present documentation of this authorization to
     the two entities responsible for safeguarding the keys and
     obtain the keys for the device being used by the drug
     smugglers.  The key is split into two parts, which are
     stored separately in order to ensure the security of the key
     escrow system.

Q:   Who will run the key-escrow data banks?

A:   The two key-escrow data banks will be run by two independent
     entities.  At this point, the Department of Justice and the
     Administration have yet to determine which agencies will
     oversee the key-escrow data banks.

Q:   How strong is the security in the device?  How can I be sure
     how strong the security is?  

A:   This system is more secure than many other voice encryption
     systems readily available today.  While the algorithm will
     remain classified to protect the security of the key escrow
     system, we are willing to invite an independent panel of
     cryptography experts to evaluate the algorithm to assure all
     potential users that there are no unrecognized
     vulnerabilities.

Q:   Whose decision was it to propose this product?

A:   The National Security Council, the Justice Department, the
     Commerce Department, and other key agencies were involved in
     this decision.  This approach has been endorsed by the
     President, the Vice President, and appropriate Cabinet
     officials.

Q:   Who was consulted?  The Congress?  Industry?

A:   We have on-going discussions with Congress and industry on
     encryption issues, and expect those discussions to intensify
     as we carry out our review of encryption policy.  We have
     briefed members of Congress and industry leaders on the
     decisions related to this initiative.

Q:   Will the government provide the hardware to manufacturers?

A:   The government designed and developed the key access
     encryption microcircuits, but it is not providing the
     microcircuits to product manufacturers.  Product
     manufacturers can acquire the microcircuits from the chip
     manufacturer that produces them.

Q:   Who provides the "Clipper Chip"?

A:   Mykotronx programs it at their facility in Torrance,
     California, and will sell the chip to encryption device
     manufacturers.  The programming function could be licensed
     to other vendors in the future.

Q:   How do I buy one of these encryption devices? 

A:   We expect several manufacturers to consider incorporating
     the "Clipper Chip" into their devices.
     
Q:   If the Administration were unable to find a technological
     solution like the one proposed, would the Administration be
     willing to use legal remedies to restrict access to more
     powerful encryption devices?

A:   This is a fundamental policy question which will be
     considered during the broad policy review.  The key escrow
     mechanism will provide Americans with an encryption product
     that is more secure, more convenient, and less expensive
     than others readily available today, but it is just one
     piece of what must be the comprehensive approach to
     encryption technology, which the Administration is
     developing.

     The Administration is not saying, "since encryption
     threatens the public safety and effective law enforcement,
     we will prohibit it outright" (as some countries have
     effectively done); nor is the U.S. saying that "every
     American, as a matter of right, is entitled to an
     unbreakable commercial encryption product."  There is a
     false "tension" created in the assessment that this issue is
     an "either-or" proposition.  Rather, both concerns can be,
     and in fact are, harmoniously balanced through a reasoned,
     balanced approach such as is proposed with the "Clipper
     Chip" and similar encryption techniques.

Q:   What does this decision indicate about how the Clinton
     Administration's policy toward encryption will differ from
     that of the Bush Administration?  

A:   It indicates that we understand the importance of encryption
     technology in telecommunications and computing and are
     committed to working with industry and public-interest
     groups to find innovative ways to protect Americans'
     privacy, help businesses to compete, and ensure that law
     enforcement agencies have the tools they need to fight crime
     and terrorism.

Q:   Will the devices be exportable?  Will other devices that use
     the government hardware?

A:   Voice encryption devices are subject to export control
     requirements.  Case-by-case review for each export is
     required to ensure appropriate use of these devices.  The
     same is true for other encryption devices.  One of the
     attractions of this technology is the protection it can give
     to U.S. companies operating at home and abroad.  With this
     in mind, we expect export licenses will be granted on a
     case-by-case basis for U.S. companies seeking to use these
     devices to secure their own communications abroad.  We plan
     to review the possibility of permitting wider exportability
     of these products.

 
     

Newsgroup: sci.crypt
Document_id: 15184
Subject: Re: Keeping Your Mouth Shut (was: Hard drive security)
From: vkub@charlie.usd.edu (Vince Kub)

In article <1993Apr13.143712.15338@cadkey.com>, eric@cadkey.com (Eric Holtman) writes:
>In article <Apr13.011855.69422@yuma.ACNS.ColoState.EDU> holland@CS.ColoState.EDU (douglas craig holland) writes:
>>
>>I'm not a lawyer, so correct me if I'm wrong, but doing that could be
>>considered obstruction of justice, which could land you in prison for
>>quite a while.
>>
>>The thing that's great about the secret key is it is IDEA encrypted, so
>>even if the FBI do get the key, they're SOL unless they know the magic
>>word.  If they try to force you to give them your pass phrase, just say
>>"Oops, I forgot."  Since the burden of proof is still on the prosecution
>>in this country, if you keep your mouth shut, how can they prove that you
>>didn't forget your pass phrase.
>>
>
>Well, I'm no lawyer, but I'll supply some anecdotal evidence which may
>change your mind.  ** Note ** I do not agree AT ALL with what went on in
>this case, and neither will most of you.  THAT DOESN'T CHANGE THE FACT 
>THAT IT *DID* HAPPEN.  Right here in America even.....
>
>About three or four years ago, there was a rather nasty custody case in
>or around Washington D.C.  The upshot was, an ex-husband was suing for 
>visitation rights, which were granted.  The woman believed that the man
>had been sexually molesting her children.  (much like Allen/Farrow, but
>not as famous).  Anyhows, she spirits away the kids and refuses to tell the
>court where they are, and denies him visitation rights.
>
>She "keeps her mouth shut", and what happens?  She SITS IN JAIL for almost
>a year, on CONTEMPT OF COURT, until the legislature passes a special law
>limiting the time a person can be held.  If they hadn't passed the law, she'd
>most likely still be there.  The kids were in New Zealand, I believe.
>
>Now (story finished, commentary starting)....  IMHO, the only reason the
>legislature moved was because there was an outpouring of public sympathy
>for this woman...  most people believed she was right, and were outraged.
>Not likely to happen for Joe Random Drug Dealer, Child Molester or perfectly
>innocent privacy lover, who might have something
>to hide.  Innocent until proven guilty doesn't mean you get to walk out
>of court humming a happy tune because the FBI can't read your disk.  Just
>ask those held for contempt, those who can't make bail, etc, etc.
>
>Again.... I disagree totally with the concept of holding someone based
>on suspicion, but people who keep thinking that it won't happen are bound
>to get a rude shock when it does......
>-- 

 Also not a lawyer, etc. but if I remember correctly the Contempt of Court
business is used in order to compel cooperation with what is (perhaps
questionably, different issue) the legitimate business of that court. Quite
literally the party is found guilty of holding the court "in contempt". Now,
the original scheme as suggested here would be to have the key disappear if
certain threatening conditions are met. Once the key is gone there is no
question of Contempt of Court as there is nothing to compel, the key is no
longer there to be produced.

  Obstruction of justice would be a different issue but if the suspect in
question would have some legitimate reason to protect his data from prying eyes
(however extenuated) I think that this charge would be a hard nut to make. 

  Perhaps it is time for a lawyer to step in and clear this all up?


             -=*=-    -=*=-     -=*=-     -=*=-    -=*=-
                                 
Vincent A. Kub, WD0DBX            |  "Saints should always be judged
                                  |   guilty until they are proven
    vkub@charlie.usd.edu          |   innocent." -Geo. Orwell
                                  |
     14 W.Cherry St. #2           |  "It is good to die before one has
  Vermillion, S.Dakota 57069      |   done anything deserving of death."
phone or fax to (605) 624-8680    |       - Anaxandridas
                                  |            King of Sparta
  -------------------------------------------------------------------



Newsgroup: sci.crypt
Document_id: 15185
From: hooper@ccs.QueensU.CA (Andy Hooper)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

Isn't Clipper a trademark of Fairchild Semiconductor?

Andy Hooper

Newsgroup: sci.crypt
Document_id: 15186
From: tcmay@netcom.com (Timothy C. May)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption


Well, it now seems obvious what Professor Denning was doing last fall
when this key escrow trial balloon was raised!

All the more need for end-to-end encryption schemes that bypass the
government-approved system.

By the way, the "Clipper" name...isn't this already used for the
Clipper processor from Intergraph? I doubt they're the ones making the
chip, so a name conflict may be present.

-Tim May

-- 
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,  
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets, 
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^756839 | Public Key: PGP and MailSafe available.


Newsgroup: sci.crypt
Document_id: 15187
From: jad@nsa.hp.com (John Dilley)
Subject: compress | crypt foo | des -e -k foo


	I have a bunch of questions about the encryption scheme
referenced in the Subject of this message.  What is the relative data
privacy provided by the above sequence as compared with straight DES?
Does the addition of compression then encrypting make the cyphertext
significantly harder to crack using current methods than straight DES?
Would running crypt after DES provide greater data privacy?  Is it
important to remove the (constant) compress header before encryption?
Thank you, net, for your wisdom.

			 --       jad       --
		    John A. Dilley <jad@nsa.hp.com>

Newsgroup: sci.crypt
Document_id: 15188
From: jim@rand.org (Jim Gillogly)
Subject: Clipper Chip and crypto key-escrow

This document is in the anonymous ftp directory at NIST.  Looks to me
like the other shoe has dropped.

	Jim Gillogly
	Trewesday, 25 Astron S.R. 1993, 17:00

-------------------

Note:  This file will also be available via anonymous file
transfer from csrc.ncsl.nist.gov in directory /pub/nistnews and
via the NIST Computer Security BBS at 301-948-5717.
     ---------------------------------------------------

                         THE WHITE HOUSE

                  Office of the Press Secretary

_________________________________________________________________

For Immediate Release                           April 16, 1993


                STATEMENT BY THE PRESS SECRETARY


The President today announced a new initiative that will bring
the Federal Government together with industry in a voluntary
program to improve the security and privacy of telephone
communications while meeting the legitimate needs of law
enforcement.

The initiative will involve the creation of new products to
accelerate the development and use of advanced and secure
telecommunications networks and wireless communications links.

For too long there has been little or no dialogue between our
private sector and the law enforcement community to resolve the
tension between economic vitality and the real challenges of
protecting Americans.  Rather than use technology to accommodate
the sometimes competing interests of economic growth, privacy and
law enforcement, previous policies have pitted government against
industry and the rights of privacy against law enforcement.

Sophisticated encryption technology has been used for years to
protect electronic funds transfer.  It is now being used to
protect electronic mail and computer files.  While encryption
technology can help Americans protect business secrets and the
unauthorized release of personal information, it also can be used
by terrorists, drug dealers, and other criminals.

A state-of-the-art microcircuit called the "Clipper Chip" has
been developed by government engineers.  The chip represents a
new approach to encryption technology.  It can be used in new,
relatively inexpensive encryption devices that can be attached to
an ordinary telephone.  It scrambles telephone communications
using an encryption algorithm that is more powerful than many in
commercial use today.

This new technology will help companies protect proprietary
information, protect the privacy of personal phone conversations
and prevent unauthorized release of data transmitted
electronically.  At the same time this technology preserves the
ability of federal, state and local law enforcement agencies to
intercept lawfully the phone conversations of criminals. 

A "key-escrow" system will be established to ensure that the
"Clipper Chip" is used to protect the privacy of law-abiding
Americans.  Each device containing the chip will have two unique
"keys," numbers that will be needed by authorized government
agencies to decode messages encoded by the device.  When the
device is manufactured, the two keys will be deposited separately
in two "key-escrow" data bases that will be established by the
Attorney General.  Access to these keys will be limited to
government officials with legal authorization to conduct a
wiretap.

The "Clipper Chip" technology provides law enforcement with no
new authorities to access the content of the private
conversations of Americans.

To demonstrate the effectiveness of this new technology, the
Attorney General will soon purchase several thousand of the new
devices.  In addition, respected experts from outside the
government will be offered access to the confidential details of
the algorithm to assess its capabilities and publicly report
their findings.

The chip is an important step in addressing the problem of
encryption's dual-edge sword:  encryption helps to protect the
privacy of individuals and industry, but it also can shield
criminals and terrorists.  We need the "Clipper Chip" and other
approaches that can both provide law-abiding citizens with access
to the encryption they need and prevent criminals from using it
to hide their illegal activities.  In order to assess technology
trends and explore new approaches (like the key-escrow system),
the President has directed government agencies to develop a
comprehensive policy on encryption that accommodates:

     --   the privacy of our citizens, including the need to
          employ voice or data encryption for business purposes;

     --   the ability of authorized officials to access telephone
          calls and data, under proper court or other legal
          order, when necessary to protect our citizens;

     --   the effective and timely use of the most modern
          technology to build the National Information
          Infrastructure needed to promote economic growth and
          the competitiveness of American industry in the global
          marketplace; and 

     --   the need of U.S. companies to manufacture and export
          high technology products.

The President has directed early and frequent consultations with
affected industries, the Congress and groups that advocate the
privacy rights of individuals as policy options are developed.

The Administration is committed to working with the private
sector to spur the development of a National Information
Infrastructure which will use new telecommunications and computer
technologies to give Americans unprecedented access to
information.  This infrastructure of high-speed networks
("information superhighways") will transmit video, images, HDTV
programming, and huge data files as easily as today's telephone
system transmits voice.

Since encryption technology will play an increasingly important
role in that infrastructure, the Federal Government must act
quickly to develop consistent, comprehensive policies regarding
its use.  The Administration is committed to policies that
protect all Americans' right to privacy while also protecting
them from those who break the law.

Further information is provided in an accompanying fact sheet. 
The provisions of the President's directive to acquire the new
encryption technology are also available.  

For additional details, call Mat Heyman, National Institute of
Standards and Technology, (301) 975-2758.

---------------------------------


QUESTIONS AND ANSWERS ABOUT THE CLINTON ADMINISTRATION'S
TELECOMMUNICATIONS INITIATIVE




Q:   Does this approach expand the authority of government
     agencies to listen in on phone conversations?

A:   No.  "Clipper Chip" technology provides law enforcement with
     no new authorities to access the content of the private
     conversations of Americans.

Q:   Suppose a law enforcement agency is conducting a wiretap on
     a drug smuggling ring and intercepts a conversation
     encrypted using the device.  What would they have to do to
     decipher the message?

A:   They would have to obtain legal authorization, normally a
     court order, to do the wiretap in the first place.  They
     would then present documentation of this authorization to
     the two entities responsible for safeguarding the keys and
     obtain the keys for the device being used by the drug
     smugglers.  The key is split into two parts, which are
     stored separately in order to ensure the security of the key
     escrow system.

Q:   Who will run the key-escrow data banks?

A:   The two key-escrow data banks will be run by two independent
     entities.  At this point, the Department of Justice and the
     Administration have yet to determine which agencies will
     oversee the key-escrow data banks.

Q:   How strong is the security in the device?  How can I be sure
     how strong the security is?  

A:   This system is more secure than many other voice encryption
     systems readily available today.  While the algorithm will
     remain classified to protect the security of the key escrow
     system, we are willing to invite an independent panel of
     cryptography experts to evaluate the algorithm to assure all
     potential users that there are no unrecognized
     vulnerabilities.

Q:   Whose decision was it to propose this product?

A:   The National Security Council, the Justice Department, the
     Commerce Department, and other key agencies were involved in
     this decision.  This approach has been endorsed by the
     President, the Vice President, and appropriate Cabinet
     officials.

Q:   Who was consulted?  The Congress?  Industry?

A:   We have on-going discussions with Congress and industry on
     encryption issues, and expect those discussions to intensify
     as we carry out our review of encryption policy.  We have
     briefed members of Congress and industry leaders on the
     decisions related to this initiative.

Q:   Will the government provide the hardware to manufacturers?

A:   The government designed and developed the key access
     encryption microcircuits, but it is not providing the
     microcircuits to product manufacturers.  Product
     manufacturers can acquire the microcircuits from the chip
     manufacturer that produces them.

Q:   Who provides the "Clipper Chip"?

A:   Mykotronx programs it at their facility in Torrance,
     California, and will sell the chip to encryption device
     manufacturers.  The programming function could be licensed
     to other vendors in the future.

Q:   How do I buy one of these encryption devices? 

A:   We expect several manufacturers to consider incorporating
     the "Clipper Chip" into their devices.
     
Q:   If the Administration were unable to find a technological
     solution like the one proposed, would the Administration be
     willing to use legal remedies to restrict access to more
     powerful encryption devices?

A:   This is a fundamental policy question which will be
     considered during the broad policy review.  The key escrow
     mechanism will provide Americans with an encryption product
     that is more secure, more convenient, and less expensive
     than others readily available today, but it is just one
     piece of what must be the comprehensive approach to
     encryption technology, which the Administration is
     developing.

     The Administration is not saying, "since encryption
     threatens the public safety and effective law enforcement,
     we will prohibit it outright" (as some countries have
     effectively done); nor is the U.S. saying that "every
     American, as a matter of right, is entitled to an
     unbreakable commercial encryption product."  There is a
     false "tension" created in the assessment that this issue is
     an "either-or" proposition.  Rather, both concerns can be,
     and in fact are, harmoniously balanced through a reasoned,
     balanced approach such as is proposed with the "Clipper
     Chip" and similar encryption techniques.

Q:   What does this decision indicate about how the Clinton
     Administration's policy toward encryption will differ from
     that of the Bush Administration?  

A:   It indicates that we understand the importance of encryption
     technology in telecommunications and computing and are
     committed to working with industry and public-interest
     groups to find innovative ways to protect Americans'
     privacy, help businesses to compete, and ensure that law
     enforcement agencies have the tools they need to fight crime
     and terrorism.

Q:   Will the devices be exportable?  Will other devices that use
     the government hardware?

A:   Voice encryption devices are subject to export control
     requirements.  Case-by-case review for each export is
     required to ensure appropriate use of these devices.  The
     same is true for other encryption devices.  One of the
     attractions of this technology is the protection it can give
     to U.S. companies operating at home and abroad.  With this
     in mind, we expect export licenses will be granted on a
     case-by-case basis for U.S. companies seeking to use these
     devices to secure their own communications abroad.  We plan
     to review the possibility of permitting wider exportability
     of these products.

 
     
-- 
	Jim Gillogly
	Trewesday, 25 Astron S.R. 1993, 17:01
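The two-part key escrow the announcement describes (in both copies of the press release on this page) can be modelled as a 2-of-2 XOR split of each device's unit key, with each half held by an independent agent that releases it only against a court order naming the device. This is an added example written for this page, not code from the announcement or from any poster; the 10-byte key length, the EscrowAgent class, the authorization dictionary and the HMAC-keystream stand-in for the chip's classified algorithm are all assumptions of the example.

```python
"""Added example: toy model of the two-component key escrow described
in the announcement.  Assumptions (not from the announcement): a
10-byte per-device unit key, a 2-of-2 XOR split, an EscrowAgent class
for each data bank, and an HMAC keystream standing in for the chip's
classified algorithm."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

KEY_LEN = 10  # assumed unit-key length for this example


def split_key(unit_key: bytes, share1: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """2-of-2 split: share1 is uniformly random (or caller-supplied for a
    reproducible demo) and share2 = unit_key XOR share1.  Each share on its
    own is uniformly distributed, so one escrow agent learns nothing."""
    if share1 is None:
        share1 = secrets.token_bytes(len(unit_key))
    if len(share1) != len(unit_key):
        raise ValueError("share length must match key length")
    share2 = bytes(k ^ s for k, s in zip(unit_key, share1))
    return share1, share2


def reconstruct_key(share1: bytes, share2: bytes) -> bytes:
    """Both halves are required; XOR-ing them together yields the key."""
    if len(share1) != len(share2):
        raise ValueError("share lengths differ")
    return bytes(a ^ b for a, b in zip(share1, share2))


def toy_scramble(unit_key: bytes, data: bytes) -> bytes:
    """Stand-in for the device's scrambler: XOR with an HMAC-SHA256 keystream.
    It is symmetric, so the same call unscrambles.  NOT the real chip cipher."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(unit_key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(d ^ k for d, k in zip(data, stream))


class EscrowAgent:
    """One of the two independent key-escrow data banks (assumed model)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._vault = {}  # device_id -> this agent's half of the unit key

    def deposit(self, device_id: str, share: bytes) -> None:
        self._vault[device_id] = share

    def release(self, device_id: str, authorization: dict) -> bytes:
        # Modelled check: documentation of a court order naming the device.
        if not authorization.get("court_order"):
            raise PermissionError(f"{self.name}: no court order presented")
        if device_id not in authorization.get("devices", ()):
            raise PermissionError(f"{self.name}: order does not name {device_id}")
        return self._vault[device_id]


def manufacture(device_id: str, agent_a: EscrowAgent, agent_b: EscrowAgent,
                unit_key: Optional[bytes] = None) -> bytes:
    """At manufacture time the unit key is split and one half is deposited
    with each agent.  Returns the key that goes into the device."""
    if unit_key is None:
        unit_key = secrets.token_bytes(KEY_LEN)
    share1, share2 = split_key(unit_key)
    agent_a.deposit(device_id, share1)
    agent_b.deposit(device_id, share2)
    return unit_key


def lawful_intercept(device_id: str, ciphertext: bytes, agent_a: EscrowAgent,
                     agent_b: EscrowAgent, authorization: dict) -> bytes:
    """Wiretap decode path: both agents must release their halves."""
    share1 = agent_a.release(device_id, authorization)
    share2 = agent_b.release(device_id, authorization)
    return toy_scramble(reconstruct_key(share1, share2), ciphertext)


if __name__ == "__main__":
    bank_a, bank_b = EscrowAgent("escrow-A"), EscrowAgent("escrow-B")
    key = manufacture("device-0001", bank_a, bank_b)  # constructed device id
    ct = toy_scramble(key, b"constructed sample conversation")
    order = {"court_order": True, "devices": {"device-0001"}}
    print(lawful_intercept("device-0001", ct, bank_a, bank_b, order))
    # One half alone does not decode: it is independent of the key.
    half = bank_a.release("device-0001", order)
    print(toy_scramble(half, ct) == b"constructed sample conversation")  # False
```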

Newsgroup: sci.crypt
Document_id: 15189
From: jim@rand.org (Jim Gillogly)
Subject: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

May as well look at one piece of this at a time.  This paragraph:

>To demonstrate the effectiveness of this new technology, the
>Attorney General will soon purchase several thousand of the new
>devices.  In addition, respected experts from outside the
>government will be offered access to the confidential details of
>the algorithm to assess its capabilities and publicly report
>their findings.

means they aren't planning to make it public, as was done with DES.  As it
says in both sci.crypt FAQs, there's no way we are going to achieve the
same level of comfort with Clipper that we finally have with DES if we
can't actually get our hands on the bits and watch them flow around.  Even
the best experts aren't going to think of everything: look how long it
took Biham and Shamir to get a handle on just how good DES is... and for
all we know there's still more to learn.
-- 
	Jim Gillogly
	Trewesday, 25 Astron S.R. 1993, 17:10

Newsgroup: sci.crypt
Document_id: 15190
From: ptrei@bistromath.mitre.org (Peter Trei)
Subject: Re: Fifth Amendment and Passwords

In article <C5Jzsz.Jzo@cs.uiuc.edu> kadie@cs.uiuc.edu (Carl M Kadie) writes:
>ashall@magnus.acs.ohio-state.edu (Andrew S Hall) writes:
>
>>I am positive someone will correct me if I am wrong, but doesn't the Fifth
>>also cover not being forced to do actions that are self-incriminating?
>[From Mike Godwin <mnemonic@eff.org>, posted with permission - Carl]

>No, but they could compel you to produce the key to a safe where, as it
>happens, evidence that will convict you is stored. 
>
>The crypto-key disclosure issue hasn't come up yet, but current law
>suggests that it's a loser for the defendant--he'll be compelled to turn
>over the key.
>
>The test for compelled self-incrimination is whether the material to 
>be disclosed *in itself* tends to inculpate the discloser. In the example
>I gave above, the safe key itself has no testimonial value--ergo, it can
>be disclosed under compulsion (e.g., subpoena duces tecum).

>Moreover, the government can always immunize the disclosure of a crypto
>key--compelling you to disclose the key at the price of not using the fact
>of your disclosure as evidence in the case against you. Of course, they
>can use whatever they discover as a result of this disclosure against
>you.
>--Mike

    Let's carry this one step further. Suppose the text of the key is
in itself conclusive evidence of the SAME CRIME for which the
encrypted material is further evidence. I find myself envisaging a
scenario like this:

You have made some scans of Peanuts strips. You encrypt them. The key
is a phrase.

The Comic Police haul you in. They seize your system. They find the
encrypted file.

CP:    "What's that file?"

You:   "I take the fifth."

CP:    "What's the keyphrase to that file?" 

You:   "I take the fifth."

Judge: "You have to reveal the keyphrase" [I disagree, but I'm not a judge.]

You:   "Your Honor, revealing the keyphrase, in its own right, would 
	tend to incriminate me of breaking laws, independent of what 
	may or may not be in the encrypted file."  

Judge: "I grant you immunity from whatever may be learned from the key
	itself"

You:    "The keyphrase is: "I confess to deliberately evading copyright; 
	the file encoded with this keyphrase contains illegal scans of 
        copyrighted Peanuts strips.""

Judge and CP: "Oh."

     How will they get you now? I'm not saying that they won't, or
can't (or even that they shouldn't :-), but what legal mechanism will
they use? Should we be crossposting this to misc.legal?

							Peter Trei
							ptrei@mitre.org


Newsgroup: sci.crypt
Document_id: 15191
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

clipper@csrc.ncsl.nist.gov (Clipper Chip Announcement) writes:

> The President today announced a new initiative that will bring
> the Federal Government together with industry in a voluntary
> program to improve the security and privacy of telephone
> communications while meeting the legitimate needs of law
> enforcement.

A nice formulation for the introduction of the first encryption
devices with built-in trapdoors - just like the Feds wanted...

> For too long there has been little or no dialogue between our
> private sector and the law enforcement community to resolve the
> tension between economic vitality and the real challenges of
> protecting Americans.  Rather than use technology to accommodate
> the sometimes competing interests of economic growth, privacy and
> law enforcement, previous policies have pitted government against
> industry and the rights of privacy against law enforcement.

Bla-bla.

> protect electronic mail and computer files.  While encryption
> technology can help Americans protect business secrets and the
> unauthorized release of personal information, it also can be used
> by terrorists, drug dealers, and other criminals.

Indeed, and the current proposal does nothing to prevent the latter.

> an ordinary telephone.  It scrambles telephone communications
> using an encryption algorithm that is more powerful than many in
> commercial use today.

This doesn't say much. There are many incredibly weak encryption
algorithms in commercial use today...

> This new technology will help companies protect proprietary
> information, protect the privacy of personal phone conversations
> and prevent unauthorized release of data transmitted
> electronically.

Except from the government.

>  At the same time this technology preserves the
> ability of federal, state and local law enforcement agencies to
> intercept lawfully the phone conversations of criminals. 

Nope. The criminals won't be stupid enough to use the new chip,
they'll use something secure. This technology provides only means to
intercept the phone conversations of people who are stupid enough to
use it.

> agencies to decode messages encoded by the device.  When the
> device is manufactured, the two keys will be deposited separately
> in two "key-escrow" data bases that will be established by the
> Attorney General.  Access to these keys will be limited to
> government officials with legal authorization to conduct a
> wiretap.

That is, the government has the keys. It doesn't matter much if they
are in one or in two of its hands...

> The "Clipper Chip" technology provides law enforcement with no
> new authorities to access the content of the private
> conversations of Americans.

Correct. It does, however, provide those Americans with the false
sense of privacy.

> devices.  In addition, respected experts from outside the
> government will be offered access to the confidential details of
> the algorithm to assess its capabilities and publicly report
> their findings.

If the screening is not public, it cannot be trusted. Some people do
not trust DES even today, after all the examinations - only because
some parts of its design were kept secret.

> The chip is an important step in addressing the problem of
> encryption's dual-edge sword:  encryption helps to protect the
> privacy of individuals and industry, but it also can shield
> criminals and terrorists.  We need the "Clipper Chip" and other
> approaches that can both provide law-abiding citizens with access
> to the encryption they need and prevent criminals from using it
> to hide their illegal activities.  In order to assess technology

So they'll use a different technology to hide their illegal
activities. So will those law-abiding citizens, who do not trust their
government not to misuse its abilities to decrypt their conversations.

>      --   the privacy of our citizens, including the need to
>           employ voice or data encryption for business purposes;

Except from the government.

>      --   the need of U.S. companies to manufacture and export
>           high technology products.

Huh? Later it says that the new technology will be export restricted.

> Since encryption technology will play an increasingly important
> role in that infrastructure, the Federal Government must act
> quickly to develop consistent, comprehensive policies regarding
> its use.  The Administration is committed to policies that
> protect all Americans' right to privacy while also protecting
> them from those who break the law.

In short, the new technology can:

1) Protect the law abiding citizen's privacy from the casual snooper.

It cannot:

1) Protect him from the government, if it decides to misuse its
ability to decrypt the conversations.

2) Protect him from the criminals who succeed in breaking the new
encryption scheme, stealing the keys, bribing the people who handle
them, etc.

3) Prevent the criminals from using secure encryption for
communication.

> Q:   Does this approach expand the authority of government
>      agencies to listen in on phone conversations?

> A:   No.  "Clipper Chip" technology provides law enforcement with
>      no new authorities to access the content of the private
>      conversations of Americans.

Correct. However, it does not provide them as much privacy as it
claims.

> Q:   Who will run the key-escrow data banks?

> A:   The two key-escrow data banks will be run by two independent
>      entities.  At this point, the Department of Justice and the
>      Administration have yet to determine which agencies will
>      oversee the key-escrow data banks.

Two candidates: the NSA and the Mafia.

> Q:   How strong is the security in the device?  How can I be sure
>      how strong the security is?  

> A:   This system is more secure than many other voice encryption
>      systems readily available today. 

That is, "trust us".

> While the algorithm will
>      remain classified to protect the security of the key escrow

"Security through obscurity".

>      system, we are willing to invite an independent panel of
>      cryptography experts to evaluate the algorithm to assure all
>      potential users that there are no unrecognized
>      vulnerabilities.

If it's not entirely open to public examination, it cannot be
trusted. Besides, who can prove that the devices used for examination
and the ones built into your phones will be the same?

> Q:   Whose decision was it to propose this product?

> A:   The National Security Council, the Justice Department, the

The NSA and the FBI?

> Q:   Who was consulted?  The Congress?  Industry?

> A:   We have on-going discussions with Congress and industry on
>      encryption issues, and expect those discussions to intensify
>      as we carry out our review of encryption policy.  We have
>      briefed members of Congress and industry leaders on the
>      decisions related to this initiative.

Why did they "forget" academia?

> Q:   Will the government provide the hardware to manufacturers?

> A:   The government designed and developed the key access
>      encryption microcircuits, but it is not providing the
>      microcircuits to product manufacturers.  Product
>      manufacturers can acquire the microcircuits from the chip
>      manufacturer that produces them.

Doesn't this smell of monopolism?

> Q:   Who provides the "Clipper Chip"?

> A:   Mykotronx programs it at their facility in Torrance,
>      California, and will sell the chip to encryption device
>      manufacturers.  The programming function could be licensed
>      to other vendors in the future.

Like the Mafia?

> Q:   If the Administration were unable to find a technological
>      solution like the one proposed, would the Administration be
>      willing to use legal remedies to restrict access to more
>      powerful encryption devices?

This is the main question; why was it buried at the end?

> A:   This is a fundamental policy question which will be
>      considered during the broad policy review.  The key escrow

"We'll see".

>      mechanism will provide Americans with an encryption product
>      that is more secure, more convenient, and less expensive
>      than others readily available today, but it is just one

"Trust us".

>      The Administration is not saying, "since encryption
>      threatens the public safety and effective law enforcement,
>      we will prohibit it outright" (as some countries have

In short, "If we decide to outlaw strong crypto, we'll tell you".

>      effectively done); nor is the U.S. saying that "every
>      American, as a matter of right, is entitled to an
>      unbreakable commercial encryption product."  There is a

Since the US government seems to consider strong crypto as munitions
and since the US constitution guarantees every American the right
to bear arms, why is not every American entitled, as a matter of
right, to an unbreakable commercial encryption product?

> A:   It indicates that we understand the importance of encryption
>      technology in telecommunications and computing and are
>      committed to working with industry and public-interest
>      groups to find innovative ways to protect Americans'
>      privacy, help businesses to compete, and ensure that law
>      enforcement agencies have the tools they need to fight crime
>      and terrorism.

Bullshit. The proposed technology provides a false sense of security,
encryption devices with built-in capabilities for breaking the
encryption, does not prevent the criminals from using strong crypto, and
is a step toward outlawing strong crypto.

> Q:   Will the devices be exportable?  Will other devices that use
>      the government hardware?

> A:   Voice encryption devices are subject to export control
>      requirements.  Case-by-case review for each export is
>      required to ensure appropriate use of these devices.  The

Who was the optimist who believed that the new administration would
leave the export controls on strong crypto devices?

OK, I'm not American, it's not my business, but I just couldn't resist
commenting... The whole plot looks so totalitarian... It's up to
you, Americans, to fight for your rights.

Regards,
Vesselin

P.S. Now is the time for David Sternlight to pop up and claim that the
new system is great.
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

Newsgroup: sci.crypt
Document_id: 15192
From: hal@cco.caltech.edu (Hal Finney)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

The key question is whether non-Clipper encryption will be made illegal.

>     The Administration is not saying, "since encryption
>     threatens the public safety and effective law enforcement,
>     we will prohibit it outright" (as some countries have
>     effectively done); nor is the U.S. saying that "every
>     American, as a matter of right, is entitled to an
>     unbreakable commercial encryption product."  There is a
>     false "tension" created in the assessment that this issue is
>     an "either-or" proposition.  Rather, both concerns can be,
>     and in fact are, harmoniously balanced through a reasoned,
>     balanced approach such as is proposed with the "Clipper
>     Chip" and similar encryption techniques.

The clear middle ground implied by these statements is to say that Americans
have the right to Clipper encryption, but not to unbreakable encryption.
This implies that, ultimately, non-Clipper strong encryption must become
illegal.

(As an aside, isn't the language here jarring?  All this talk about
"harmonious balance" when they're talking about taking away people's
right to communications privacy?)

Although the article emphasizes voice communication, data and mail encryption
is mentioned as well:

>Sophisticated encryption technology has been used for years to
>protect electronic funds transfer.  It is now being used to
>protect electronic mail and computer files.

>     --   the privacy of our citizens, including the need to
>          employ voice or data encryption for business purposes;

It looks like the worst nightmares raised by Dorothy Denning's proposals
are coming true.  If the government continues on this course, I imagine
that we will see strong cryptography made illegal.  Encryption programs
for disk files and email, as well as software to allow for encrypted
voice communications, will be distributed only through the
"underground".  People will have to learn how to hide the fact that
they are protecting their privacy.

It's shocking and frightening to see that this is actually happening here.

Hal Finney
hal@alumni.caltech.edu

Newsgroup: sci.crypt
Document_id: 15193
From: karn@servo.qualcomm.com (Phil Karn)
Subject: The battle is joined

It looks like Dorothy Denning's wrong-headed ideas have gotten to the
Administration even sooner than we feared. It's time to make sure they
hear the other side of the story, and hear it loudly!

Phil



------- Forwarded Message

Subject: text of White House announcement and Q&As on clipper chip encryption

Note:  This file will also be available via anonymous file
transfer from csrc.ncsl.nist.gov in directory /pub/nistnews and
via the NIST Computer Security BBS at 301-948-5717.
     ---------------------------------------------------

                         THE WHITE HOUSE

                  Office of the Press Secretary

_________________________________________________________________

For Immediate Release                           April 16, 1993


                STATEMENT BY THE PRESS SECRETARY


The President today announced a new initiative that will bring
the Federal Government together with industry in a voluntary
program to improve the security and privacy of telephone
communications while meeting the legitimate needs of law
enforcement.

The initiative will involve the creation of new products to
accelerate the development and use of advanced and secure
telecommunications networks and wireless communications links.

For too long there has been little or no dialogue between our
private sector and the law enforcement community to resolve the
tension between economic vitality and the real challenges of
protecting Americans.  Rather than use technology to accommodate
the sometimes competing interests of economic growth, privacy and
law enforcement, previous policies have pitted government against
industry and the rights of privacy against law enforcement.

Sophisticated encryption technology has been used for years to
protect electronic funds transfer.  It is now being used to
protect electronic mail and computer files.  While encryption
technology can help Americans protect business secrets and the
unauthorized release of personal information, it also can be used
by terrorists, drug dealers, and other criminals.

A state-of-the-art microcircuit called the "Clipper Chip" has
been developed by government engineers.  The chip represents a
new approach to encryption technology.  It can be used in new,
relatively inexpensive encryption devices that can be attached to
an ordinary telephone.  It scrambles telephone communications
using an encryption algorithm that is more powerful than many in
commercial use today.

This new technology will help companies protect proprietary
information, protect the privacy of personal phone conversations
and prevent unauthorized release of data transmitted
electronically.  At the same time this technology preserves the
ability of federal, state and local law enforcement agencies to
intercept lawfully the phone conversations of criminals. 

A "key-escrow" system will be established to ensure that the
"Clipper Chip" is used to protect the privacy of law-abiding
Americans.  Each device containing the chip will have two unique
"keys," numbers that will be needed by authorized government
agencies to decode messages encoded by the device.  When the
device is manufactured, the two keys will be deposited separately
in two "key-escrow" data bases that will be established by the
Attorney General.  Access to these keys will be limited to
government officials with legal authorization to conduct a
wiretap.

The "Clipper Chip" technology provides law enforcement with no
new authorities to access the content of the private
conversations of Americans.

To demonstrate the effectiveness of this new technology, the
Attorney General will soon purchase several thousand of the new
devices.  In addition, respected experts from outside the
government will be offered access to the confidential details of
the algorithm to assess its capabilities and publicly report
their findings.

The chip is an important step in addressing the problem of
encryption's dual-edge sword:  encryption helps to protect the
privacy of individuals and industry, but it also can shield
criminals and terrorists.  We need the "Clipper Chip" and other
approaches that can both provide law-abiding citizens with access
to the encryption they need and prevent criminals from using it
to hide their illegal activities.  In order to assess technology
trends and explore new approaches (like the key-escrow system),
the President has directed government agencies to develop a
comprehensive policy on encryption that accommodates:

     --   the privacy of our citizens, including the need to
          employ voice or data encryption for business purposes;

     --   the ability of authorized officials to access telephone
          calls and data, under proper court or other legal
          order, when necessary to protect our citizens;

     --   the effective and timely use of the most modern
          technology to build the National Information
          Infrastructure needed to promote economic growth and
          the competitiveness of American industry in the global
          marketplace; and 

     --   the need of U.S. companies to manufacture and export
          high technology products.

The President has directed early and frequent consultations with
affected industries, the Congress and groups that advocate the
privacy rights of individuals as policy options are developed.

The Administration is committed to working with the private
sector to spur the development of a National Information
Infrastructure which will use new telecommunications and computer
technologies to give Americans unprecedented access to
information.  This infrastructure of high-speed networks
("information superhighways") will transmit video, images, HDTV
programming, and huge data files as easily as today's telephone
system transmits voice.

Since encryption technology will play an increasingly important
role in that infrastructure, the Federal Government must act
quickly to develop consistent, comprehensive policies regarding
its use.  The Administration is committed to policies that
protect all Americans' right to privacy while also protecting
them from those who break the law.

Further information is provided in an accompanying fact sheet. 
The provisions of the President's directive to acquire the new
encryption technology are also available.  

For additional details, call Mat Heyman, National Institute of
Standards and Technology, (301) 975-2758.

- - ---------------------------------


QUESTIONS AND ANSWERS ABOUT THE CLINTON ADMINISTRATION'S
TELECOMMUNICATIONS INITIATIVE

Q:   Does this approach expand the authority of government
     agencies to listen in on phone conversations?

A:   No.  "Clipper Chip" technology provides law enforcement with
     no new authorities to access the content of the private
     conversations of Americans.

Q:   Suppose a law enforcement agency is conducting a wiretap on
     a drug smuggling ring and intercepts a conversation
     encrypted using the device.  What would they have to do to
     decipher the message?

A:   They would have to obtain legal authorization, normally a
     court order, to do the wiretap in the first place.  They
     would then present documentation of this authorization to
     the two entities responsible for safeguarding the keys and
     obtain the keys for the device being used by the drug
     smugglers.  The key is split into two parts, which are
     stored separately in order to ensure the security of the key
     escrow system.

Q:   Who will run the key-escrow data banks?

A:   The two key-escrow data banks will be run by two independent
     entities.  At this point, the Department of Justice and the
     Administration have yet to determine which agencies will
     oversee the key-escrow data banks.

Q:   How strong is the security in the device?  How can I be sure
     how strong the security is?  

A:   This system is more secure than many other voice encryption
     systems readily available today.  While the algorithm will
     remain classified to protect the security of the key escrow
     system, we are willing to invite an independent panel of
     cryptography experts to evaluate the algorithm to assure all
     potential users that there are no unrecognized
     vulnerabilities.

Q:   Whose decision was it to propose this product?

A:   The National Security Council, the Justice Department, the
     Commerce Department, and other key agencies were involved in
     this decision.  This approach has been endorsed by the
     President, the Vice President, and appropriate Cabinet
     officials.

Q:   Who was consulted?  The Congress?  Industry?

A:   We have on-going discussions with Congress and industry on
     encryption issues, and expect those discussions to intensify
     as we carry out our review of encryption policy.  We have
     briefed members of Congress and industry leaders on the
     decisions related to this initiative.

Q:   Will the government provide the hardware to manufacturers?

A:   The government designed and developed the key access
     encryption microcircuits, but it is not providing the
     microcircuits to product manufacturers.  Product
     manufacturers can acquire the microcircuits from the chip
     manufacturer that produces them.

Q:   Who provides the "Clipper Chip"?

A:   Mykotronx programs it at their facility in Torrance,
     California, and will sell the chip to encryption device
     manufacturers.  The programming function could be licensed
     to other vendors in the future.

Q:   How do I buy one of these encryption devices? 

A:   We expect several manufacturers to consider incorporating
     the "Clipper Chip" into their devices.
     
Q:   If the Administration were unable to find a technological
     solution like the one proposed, would the Administration be
     willing to use legal remedies to restrict access to more
     powerful encryption devices?

A:   This is a fundamental policy question which will be
     considered during the broad policy review.  The key escrow
     mechanism will provide Americans with an encryption product
     that is more secure, more convenient, and less expensive
     than others readily available today, but it is just one
     piece of what must be the comprehensive approach to
     encryption technology, which the Administration is
     developing.

     The Administration is not saying, "since encryption
     threatens the public safety and effective law enforcement,
     we will prohibit it outright" (as some countries have
     effectively done); nor is the U.S. saying that "every
     American, as a matter of right, is entitled to an
     unbreakable commercial encryption product."  There is a
     false "tension" created in the assessment that this issue is
     an "either-or" proposition.  Rather, both concerns can be,
     and in fact are, harmoniously balanced through a reasoned,
     balanced approach such as is proposed with the "Clipper
     Chip" and similar encryption techniques.

Q:   What does this decision indicate about how the Clinton
     Administration's policy toward encryption will differ from
     that of the Bush Administration?  

A:   It indicates that we understand the importance of encryption
     technology in telecommunications and computing and are
     committed to working with industry and public-interest
     groups to find innovative ways to protect Americans'
     privacy, help businesses to compete, and ensure that law
     enforcement agencies have the tools they need to fight crime
     and terrorism.

Q:   Will the devices be exportable?  Will other devices that use
     the government hardware?

A:   Voice encryption devices are subject to export control
     requirements.  Case-by-case review for each export is
     required to ensure appropriate use of these devices.  The
     same is true for other encryption devices.  One of the
     attractions of this technology is the protection it can give
     to U.S. companies operating at home and abroad.  With this
     in mind, we expect export licenses will be granted on a
     case-by-case basis for U.S. companies seeking to use these
     devices to secure their own communications abroad.  We plan
     to review the possibility of permitting wider exportability
     of these products.

Newsgroup: sci.crypt
Document_id: 15194
From: grady@netcom.com (1016/2EF221)
Subject: Re: MacPGP 2.2 Source Problems

Yes -- my error -- you will need the DIFF between the
standard console.h and console.c supplied with
Symantec's THINK C 5.0.4 and the specially modified
one that works with MacPGP 2.2.

I added the two DIFFs to the end of the signature
file "MacPGP2.2srcSIGNATURE" in pub/grady of netcom.com

Please download via anonymous FTP and, using SED (oops),
cutting and pasting, fix-em-up.        

Will one of you Mac-geniuses PLEASE port this to MacApp
or AppMaker, or...?

Grady

-- 
grady@netcom.com  2EF221 / 15 E2 AD D3 D1 C6 F3 FC  58 AC F7 3D 4F 01 1E 2F


Newsgroup: sci.crypt
Document_id: 15195
From: Danny Weitzner <djw@eff.org>
Subject: Re-inventing Crypto Policy?  An EFF Statement


April 16, 1993

INITIAL EFF ANALYSIS OF CLINTON PRIVACY AND SECURITY PROPOSAL

The Clinton Administration today made a major announcement on
cryptography policy which will affect the privacy and security of
millions of Americans.  The first part of the plan is to begin a
comprehensive inquiry into major communications privacy issues such as
export controls which have effectively denied most people easy access to
robust encryption, and law enforcement issues posed by new technology.

However, EFF is very concerned that the Administration has already
reached a conclusion on one critical part of the inquiry, before any
public comment or discussion has been allowed.  Apparently, the
Administration is going to use its leverage to get all telephone
equipment vendors to adopt a voice encryption standard developed by the
National Security Agency.  The so-called "Clipper Chip" is an 80-bit,
split key escrowed encryption scheme which will be built into chips
manufactured by a military contractor.  Two separate escrow agents would
store users' keys, and be required to turn them over to law enforcement upon
presentation of a valid warrant.  The encryption scheme used is to be
classified, but the chips will be available to any manufacturer for
incorporation into its communications products.

     This proposal raises a number of serious concerns.

First, the Administration has adopted a solution before conducting an
inquiry.  The NSA-developed Clipper Chip may not be the most secure
product. Other vendors or developers may have better schemes.
Furthermore, we should not rely on the government as the sole source for
the Clipper or any other chips.  Rather, independent chip manufacturers
should be able to produce chipsets based on open standards.

Second, an algorithm cannot be trusted unless it can be tested. Yet, the
Administration proposes to keep the chip algorithm classified.  EFF
believes that any standard adopted ought to be public and open.  The
public will only have confidence in the security of a standard that is
open to independent, expert scrutiny.  

Third, while the use of a split-key, dual escrowed system may
prove to be a reasonable balance between privacy and law enforcement
needs, the details of this scheme must be explored publicly before it is
adopted.  What will give people confidence in the safety of their keys? 
Does disclosure of keys to a third party waive an individual's Fifth
Amendment rights in subsequent criminal inquiries?  These are but a few
of the many questions the Administration's proposal raises but fails to
answer.

In sum, the Administration has shown great sensitivity to the importance
of these issues by planning a comprehensive inquiry into digital privacy
and security.  However, the "Clipper Chip" solution ought to be
considered as part of the inquiry, and not be adopted before the
discussion even begins.

DETAILS OF THE PROPOSAL:

ESCROW

The 80-bit key will be divided between two escrow agents, each of whom
holds 40 bits of each key.  The manufacturer of the communications device
would be required to register all keys with the two independent escrow
agents.  A key is tied to the device, however, not the person using it.

Upon presentation of a valid court order, the two escrow agents would
have to turn the key parts over to law enforcement agents.  According to
the Presidential Directive just issued, the Attorney General will be
asked to identify appropriate escrow agents.  Some in the Administration
have suggested that one non-law enforcement federal agency (perhaps the
Federal Reserve), and one non-governmental organization could be chosen,
but there is no agreement on the identity of the agents yet.

CLASSIFIED ALGORITHM AND THE POSSIBILITY OF BACK DOORS

The Administration claims that there are no back doors -- means by which
the government or others could break the code without securing keys from
the escrow agents -- and that the President will be told there are no
back doors to this classified algorithm.  In order to prove this,
Administration sources are interested in arranging for an all-star crypto
cracker team to come in, under a security arrangement, and examine the
algorithm for trap doors.  The results of the investigation would then be
made public.

The Clipper Chipset was designed and is being produced under a sole-source,
secret contract between the National Security Agency and two private
firms:  VLSI and Mykotronx.  NSA work on this plan has been underway for
about four years.  The manufacturing contract was let 14 months ago.

GOVERNMENT AS MARKET DRIVER

In order to get a market moving, and to show that the government believes
in the security of this system, the feds will be the first big customers
for this product.  Users will include the FBI, Secret Service, VP Al
Gore, and maybe even the President.  At today's Commerce Department press
briefing, a number of people asked this question, though:  why would any
private organization or individual adopt a classified standard that had
no independent guaranty of security or freedom from trap doors?

COMPREHENSIVE POLICY INQUIRY

The Administration has also announced that it is about to commence an
inquiry into all policy issues related to privacy protection, encryption,
and law enforcement.  The items to be considered include:  export
controls on encryption technology and the FBI's Digital Telephony
Proposal.  It appears that this inquiry will be conducted by the
National Security Council.  Unfortunately, however, the Presidential
Directive describing the inquiry is classified.  Some public involvement
in the process has been promised, but the terms have yet to be specified.

FOR MORE INFORMATION CONTACT:

Jerry Berman, Executive Director (jberman@eff.org)
Daniel J. Weitzner, Senior Staff Counsel (djw@eff.org)

Full text of the Press releases and Fact Sheets issued by the
Administration will be available on EFF's ftp site.

Danny Weitzner                      Senior Staff Counsel, EFF
                                    +1 202 544 3077

Newsgroup: sci.crypt
Document_id: 15196
From: grady@netcom.com (1016/2EF221)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

I am eager to hear the legal theory behind restricting exchange of
cryptographic data and encrypted messages, given the first amendment;
the theory behind regulating the *personal* encryption of one's personal
*thoughts and feelings* seems even less tenable.

Perhaps if we make a *treaty* with, say, Iceland, to restrict crypto
paraphernalia can a good "end run" around the Constitution happen...
(Treaties -- as someone pointed out -- have the force of any other "law of
the land".  Like the Bill of Rights.)


    Amendment 1

    Congress shall make no law respecting an establishment of religion, or
prohibiting the free exercise thereof; or abridging the freedom of speech,
or of the press; or the right of the people peaceably to assemble, and to
petition the Government for a redress of grievances.

    Amendment 2

    A well regulated Militia, being necessary to the security of a free State,
the right of the people to keep and bear Arms, shall not be infringed.

    Amendment 3

    No Soldier shall, in time of peace be quartered in any house, without the
consent of the Owner, nor in time of war, but in a manner to be prescribed
by law.

    Amendment 4

    The right of the people to be secure in their persons, houses, papers, and
effects, against unreasonable searches and seizures, shall not be violated,
and no Warrants shall issue, but upon probable cause, supported by Oath or
affirmation, and particularly describing the place to be searched, and the
persons or things to be seized.

    Amendment 5

    No person shall be held to answer for a capital, or otherwise infamous
crime, unless on a presentment or indictment of a Grand Jury, except in
cases arising in the land or naval forces, or in the Militia, when in
actual service in time of War or public danger; nor shall any person be
subject for the same offence to be twice put in jeopardy of life or limb;
nor shall be compelled in any criminal case to be a witness against
himself, nor be deprived of life, liberty, or property, without due process
of law; nor shall private property be taken for public use, without just
compensation.


Well -- at least for a few minutes we had some privacy...
-- 
grady@netcom.com  2EF221 / 15 E2 AD D3 D1 C6 F3 FC  58 AC F7 3D 4F 01 1E 2F


Newsgroup: sci.crypt
Document_id: 15197
From: jru@Comtech.com (Jimmy R. Upton)
Subject: [Rubick] Shortest Path Algorithm - Status?

What is the expected run time (+/- a factor of 10) on a 486DX/50
using the best known algorithm for finding the shortest path
solution for Rubik's Cube from a randomly chosen position?

I have read the FAQ and followed the recent discussion on Rubik's
Cube but I don't believe this question has been answered.  Notice
that I am specifically looking for an algorithm that finds the 
SHORTEST path, not just any solution.

It seems to me that the underlying assumption is that such a program
would need to do a brute force search through 10^20 positions.  That
seems an unreasonably pessimistic assumption to me and I want to 
know if someone has significantly improved on that.

I have some ideas of my own on how to approach this problem, but
before I spend too much time developing them I wanted to know if
someone else has already done the work.

ADMINISTRIVIA:  I have posted this to three groups and attempted
to set the followup to rec.puzzles which seems to me to be the
place to continue this discussion.  I will cross post a summary
when and if it becomes appropriate.  Email replies gladly accepted.

Jimmy
jru@Comtech.com 

Newsgroup: sci.crypt
Document_id: 15198
From: bob@natasha.portal.com (Bob Cain)
Subject: Re: Pgp, PEM, and RFC's (Was: Cryptography Patents)

Charles Kincy (ckincy@cs.umr.edu) wrote:
: In article <1993Apr16.001321.3692@natasha.portal.com> bob@natasha.portal.com (Bob Cain) writes:
: 
: >: I hope my cynicism is misplaced here.  Go ahead...I'm not afraid to
: >: be wrong every once in a while.  But, I have an uneasy feeling that I
: >: am right.  :(
: >
: >It is and you are wrong yet you emotionally state a bunch of crap as fact
: >with a tiny disclaimer at the end.  Check your facts first and grow up.
: >Why is there such a strong correlation between interest in cryptography
: >and immaturity I wonder.
: 
: Oh, I see, flame someone, tell them that they are immature, tell them
: they are wrong, and then don't offer any proof for your assertions.
: 
: You really *are* a putz.  Put up or shut up.
: 

I will provide any proof you wish in private.  Name it, dickhead.


Putz Cain

Newsgroup: sci.crypt
Document_id: 15199
From: clipper@csrc.ncsl.nist.gov (Clipper Chip Announcement)
Subject: White House Public Encryption Management Fact Sheet



Note:     The following was released by the White House today in
          conjunction with the announcement of the Clipper Chip
          encryption technology.

                           FACT SHEET

                  PUBLIC ENCRYPTION MANAGEMENT

The President has approved a directive on "Public Encryption
Management."  The directive provides for the following:

Advanced telecommunications and commercially available encryption
are part of a wave of new computer and communications technology. 
Encryption products scramble information to protect the privacy of
communications and data by preventing unauthorized access. 
Advanced telecommunications systems use digital technology to
rapidly and precisely handle a high volume of communications. 
These advanced telecommunications systems are integral to the
infrastructure needed to ensure economic competitiveness in the
information age.

Despite its benefits, new communications technology can also
frustrate lawful government electronic surveillance.  Sophisticated
encryption can have this effect in the United States.  When
exported abroad, it can be used to thwart foreign intelligence
activities critical to our national interests.  In the past, it has
been possible to preserve a government capability to conduct
electronic surveillance in furtherance of legitimate law
enforcement and national security interests, while at the same time
protecting the privacy and civil liberties of all citizens.  As
encryption technology improves, doing so will require new,
innovative approaches.

In the area of communications encryption, the U. S. Government has
developed a microcircuit that not only provides privacy through
encryption that is substantially more robust than the current
government standard, but also permits escrowing of the keys needed
to unlock the encryption.  The system for the escrowing of keys
will allow the government to gain access to encrypted information
only with appropriate legal authorization.

To assist law enforcement and other government agencies to collect
and decrypt, under legal authority, electronically transmitted
information, I hereby direct the following action to be taken:

INSTALLATION OF GOVERNMENT-DEVELOPED MICROCIRCUITS

The Attorney General of the United States, or her representative,
shall request manufacturers of communications hardware which
incorporates encryption to install the U.S. government-developed
key-escrow microcircuits in their products.  The fact of law
enforcement access to the escrowed keys will not be concealed from
the American public.  All appropriate steps shall be taken to
ensure that any existing or future versions of the key-escrow
microcircuit are made widely available to U.S. communications
hardware manufacturers, consistent with the need to ensure the
security of the key-escrow system.  In making this decision, I do
not intend to prevent the private sector from developing, or the
government from approving, other microcircuits or algorithms that
are equally effective in assuring both privacy and a secure key-
escrow system.

KEY-ESCROW

The Attorney General shall make all arrangements with appropriate
entities to hold the keys for the key-escrow microcircuits
installed in communications equipment.  In each case, the key
holder must agree to strict security procedures to prevent
unauthorized release of the keys.  The keys shall be released only
to government agencies that have established their authority to
acquire the content of those communications that have been
encrypted by devices containing the microcircuits.  The Attorney
General shall review for legal sufficiency the procedures by which
an agency establishes its authority to acquire the content of such
communications.

PROCUREMENT AND USE OF ENCRYPTION DEVICES

The Secretary of Commerce, in consultation with other appropriate
U.S. agencies, shall initiate a process to write standards to
facilitate the procurement and use of encryption devices fitted
with key-escrow microcircuits in federal communications systems
that process sensitive but unclassified information.  I expect this
process to proceed on a schedule that will permit promulgation of
a final standard within six months of this directive. 

The Attorney General will procure and utilize encryption devices to
the extent needed to preserve the government's ability to conduct
lawful electronic surveillance and to fulfill the need for secure
law enforcement communications.  Further, the Attorney General
shall utilize funds from the Department of Justice Asset Forfeiture
Super Surplus Fund to effect this purchase.

Newsgroup: sci.crypt
Document_id: 15200
From: kadie@cs.uiuc.edu (Carl M Kadie)
Subject: [EFF] Initial EFF Analysis of Clinton Privacy and Security Proposal

[An article from comp.org.eff.news, EFFector Online 5.06 - Carl]

                       April 16, 1993

      INITIAL EFF ANALYSIS OF CLINTON PRIVACY AND SECURITY  
                           PROPOSAL

       The Clinton Administration today made a major announcement 
on cryptography policy which will affect the privacy and security of 
millions of Americans.  The first part of the plan is to begin a 
comprehensive inquiry into major communications privacy issues 
such as export controls which have effectively denied most people 
easy access to robust encryption as well as law enforcement issues 
posed by new technology.

       However, EFF is very concerned that the Administration has 
already reached a conclusion on one critical part of the inquiry, before 
any public comment or discussion has been allowed.  Apparently, the 
Administration is going to use its leverage to get all telephone 
equipment vendors to adopt a voice encryption standard developed 
by the National Security Agency. The so-called "Clipper Chip" is an 
80-bit, split key escrowed encryption scheme which will be built into 
chips manufactured by a military contractor.  Two separate escrow 
agents would store users' keys, and be required to turn them over to 
law enforcement upon presentation of a valid warrant.  The 
encryption scheme used is to be classified, but the chips will be 
available to any manufacturer for incorporation into their 
communications products.

       This proposal raises a number of serious concerns.

       First, the Administration appears to be adopting a solution 
before conducting an inquiry.  The NSA-developed Clipper chip may 
not be the most secure product. Other vendors or developers may 
have better schemes. Furthermore, we should not rely on the 
government as the sole source for Clipper or any other chips.  Rather,
independent chip manufacturers should be able to produce chipsets 
based on open standards.

       Second, an algorithm cannot be trusted unless it can be tested. 
Yet the Administration proposes to keep the chip algorithm 
classified.  EFF believes that any standard adopted ought to be public 
and open.  The public will only have confidence in the security of a 
standard that is open to independent, expert scrutiny.  

       Third, while the use of the split-key, dual-escrowed 
system may prove to be a reasonable balance between privacy and 
law enforcement needs, the details of this scheme must be explored 
publicly before it is adopted.  What will give people confidence in the 
safety of their keys?  Does disclosure of keys to a third party waive an 
individual's fifth amendment rights in subsequent criminal 
inquiries?  

       In sum, the Administration has shown great sensitivity to the 
importance of these issues by planning a comprehensive inquiry into 
digital privacy and security.  However, the "Clipper chip" solution 
ought to be considered as part of the inquiry, not be adopted before 
the discussion even begins.

DETAILS OF THE PROPOSAL:

ESCROW

The 80-bit key will be divided between two escrow agents, each of 
whom hold 40 bits of each key.  Upon presentation of a valid 
warrant, the two escrow agents would have to turn the key parts 
over to law enforcement agents.  Most likely the Attorney General 
will be asked to identify appropriate escrow agents.  Some in the 
Administration have suggested one non-law enforcement federal 
agency, perhaps the Federal Reserve, and one non-governmental 
organization.  But, there is no agreement on the identity of the agents 
yet.

Key registration would be done by the manufacturer of the 
communications device.  A key is tied to the device, not to the person 
using it.

CLASSIFIED ALGORITHM AND THE POSSIBILITY OF BACK DOORS

The Administration claims that there are no back door means by 
which the government or others could break the code without 
securing keys from the escrow agents and that the President will 
be told there are no back doors to this classified algorithm.  In order 
to prove this, Administration sources are interested in arranging for 
an all-star crypto cracker team to come in, under a security 
arrangement, and examine the algorithm for trap doors.  The results 
of the investigation would then be made public.

GOVERNMENT AS MARKET DRIVER

In order to get a market moving, and to show that the government 
believes in the security of this system, the feds will be the first big 
customers for this product.  Users will include the FBI, Secret Service, 
VP Al Gore, and maybe even the President. 

FOR MORE INFORMATION CONTACT:

Jerry Berman, Executive Director
Daniel J. Weitzner, Senior Staff Counsel


-- 
Carl Kadie -- I do not represent any organization; this is just me.
 = kadie@cs.uiuc.edu =

Newsgroup: sci.crypt
Document_id: 15201
From: cme@ellisun.sw.stratus.com (Carl Ellison)
Subject: Re: Clipper Crypto

I sent a response to the White House at

	0005895485@MCIMAIL.COM (White House)

and received a nice, automatic reply from MCIMAIL noting, in passing, that
if I had included a SNail address, I would get a reply in due course.

For those who care, my reply was:

	1.	yes, let's protect the voice network

	2.	privately-developed crypto has always been available and
		always will be -- so let's think about how to do law
		enforcement given that fact not about how to hope to
		legislate against it

	3.	my needs for crypto as a system designer are not met by the
		Clipper Chip.  I want freely to export uses of algorithms
		(like DES & RSA) which are already freely available in the
		destination country

-- 
 - <<Disclaimer: All opinions expressed are my own, of course.>>
 - Carl Ellison                                        cme@sw.stratus.com
 - Stratus Computer Inc.       M3-2-BKW                TEL: (508)460-2783
 - 55 Fairbanks Boulevard ; Marlborough MA 01752-1298  FAX: (508)624-7488

Newsgroup: sci.crypt
Document_id: 15202
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]


Though some may argue about the nose of the camel, it's worth noting that
the government proposal is limited to scrambled telephony. If it is only
used for that purpose, and does not extend to electronic mail or file
encryption, then it IS an improvement over the current mass-produced
standard civilian technology which, with a few exceptions, is limited to
easy-to-break inverters.

Note that the big issue for the feds is the continued ability to wiretap.
Before we go off the deep end with long discussions about secure crypto for
e-mail and files, let's focus on this.

One question that was not asked in the release is whether this proposal is
limited to telephony, or if the government intends to expand it.

Though I share many of the concerns expressed by some, I find the proposal
less threatening than many others, since right now most Americans have no
secure telephony, and any jerk with a pair of clip leads and a "goat" can
eavesdrop. This would also plug up the security hole in cellular and
cordless phones.

-------

Reading between the lines, I infer that the system is highly secure
without access to the keys. This would meet the needs of U.S. businesses
confronted by rich and powerful adversaries, including French and Japanese
security services and rich Japanese companies. It allows the NSA to make
available some of its better stuff while protecting law enforcement needs.

Most legitimate U.S. corporations trust the NSA, and would be delighted to
have a high-security system certified by them, even at the price of
depositing keys in escrow. I see no difficulty in creating a reliable
escrow. Corporations entrust their secrets to attorneys every day of the
week, and that system has worked pretty well.

From my point of view this is a fair starting point. There are concerns that
need to be addressed, including the reliability of the escrows. But in
return we get access to high-security crypto. Many have suggested that DES
and other systems may be breakable by the NSA and hence others similarly
skilled and endowed. There is at least a good possibility (which should be
checked) that the proposed system is not so breakable. It doesn't have to
be, nor does it have to have trapdoors, if the government can get the keys
pursuant to a legitimate court order. Thus they can protect legitimate
communications against economic adversaries, while still being able to
eavesdrop on crooks pursuant to a court order.

------

In discussing this, let's try to avoid the nastiness, personal attacks and
noise of some previous threads. This is a substantive and technical issue,
and personal remarks have no place in such a discussion.

-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
Document_id: 15203
From: lbrintle@news.weeg.uiowa.edu (Lee Brintle)
Subject: Re: Re-inventing Crypto Policy?  An EFF Statement

In article <1993Apr16.204207.24564@eff.org> Danny Weitzner <djw@eff.org> 
writes:
>The 80-bit key will be divided between two escrow agents, each of whom
>hold 40-bits of each key. 

Presumably, the key split is so that no one group controls the privacy
of the key, and that it would be infeasible to illicitly gain access from
both agents.

However, if one agent wishes to break the crypto without the cooperation
of the other agent, a 40-bit key is not going to stand in the way of a
brute force attack.  If an agency (for example, the NSA) were to hold one
of the two key-halves, then I don't imagine they really need the other half of
the key to start listening in.

Or was that the point?   <grin>


(This is not to imply, at all, that I like the idea of the rest of the
system.)
-- 
Lee Brintle                    | ``And so, I leave you with this final word:
Director, Project Panda        |     twang.''

Newsgroup: sci.crypt
Document_id: 15204
From: Jay Fenton <Fenton@Kaleida.Com>
Subject: How to detect use of an illegal cipher?

How can the government tell which encryption method one is using without
being able to decode the traffic? i.e., In order to accuse me of using an
unauthorized strong encryption technique they would have to take both
keys out of escrow, run them against my ciphertext and "draw a blank".

I can imagine the ciphertext exhibiting certain statistical
characteristics that might give a clue as to the encryption technique
used, but not enough to give a handle for differential cryptanalysis.
However, superencipherment or some other scheme that shapes the perceived
properties of my ciphertext could thwart this.

Newsgroup: sci.crypt
Document_id: 15205
From: mike@avon.demon.co.uk ("Mike H.")
Subject: Re: Another data hiding scheme... 

In article <1993Apr13.225348.6511@colorado.edu> bear@tigger.cs.Colorado.EDU writes:

>since the price of 1.44 M 3.5" floppies were still high until the last
>few years.  If you store "old" data, with old file times, in the public
>filesystem the casual observer may miss the "HD"... especially if you 
>"accidently" cover it with something).
>
>-- 
>Bear Giles
>bear@cs.colorado.edu/fsl.noaa.gov
>

It has been done already!

In the UK the Atari ST box was shipped with 360K disks in the first few
years and then later 720K disks. In order to make life less complicated,
many freebie disks on mags were double formatted like this. Side 0 of the
disk had 360K on it and could be read by any ST. It also had a flip-side
program. This would swap the sides around so that side 1 became side 0.

-- 

                        Mike (mike@avon.demon.co.uk)

Newsgroup: sci.crypt
Document_id: 15206
From: arc@leland.Stanford.EDU (Andrew Richard Conway)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

In article <1qmugcINNpu9@gap.caltech.edu> hal@cco.caltech.edu (Hal Finney) writes:
>The key question is whether non-Clipper encryption will be made illegal.
>
>>     The Administration is not saying, "since encryption
>>     threatens the public safety and effective law enforcement,
>>     we will prohibit it outright" (as some countries have
>>     effectively done); nor is the U.S. saying that "every

Does anyone know what countries are these?

>>     American, as a matter of right, is entitled to an
>>     unbreakable commercial encryption product."  There is a
>>     false "tension" created in the assessment that this issue is
>>     an "either-or" proposition.  Rather, both concerns can be,
>>     and in fact are, harmoniously balanced through a reasoned,
>>     balanced approach such as is proposed with the "Clipper
>>     Chip" and similar encryption techniques.
>
>The clear middle ground implied by these statements is to say that Americans
>have the right to Clipper encryption, but not to unbreakable encryption.
>This implies that, ultimately, non-Clipper strong encryption must become
>illegal.

With the following logical consequences
	(a) Using any code designed to obscure information which is
	    not easily breakable will be illegal, including
		(i) Using code words such as ``Project P5''
		(ii) Speaking a language other than English
		(iii) Ever referring implicitly to events not known to
			everyone, eg
			"Hi John. How was last night?"
		      For all the listener knows, this may be a code for
			"Did you pick up the drugs OK last night?"
		      or be a code for
		        "OK. We blow up the Pentagon at midnight."
		(iv) Mentioning anything that could not be perfectly
		     understood by an average person with no education.
		(v) Words with more than one syllable.
		(vi) Speaking with a heavy accent that could be misunderstood
		     by people not used to it.
		(vii) books with an "Inner meaning"...such
		      as "Animal Farm".

>(As an aside, isn't the language here jarring?  All this talk about
>"harmonious balance" when they're talking about taking away people's
>right to communications privacy?)

Yes.

>It looks like the worst nightmares raised by Dorothy Denning's proposals
>are coming true.  If the government continues on this course, I imagine
>that we will see strong cryptography made illegal.  Encryption programs
>for disk files and email, as well as software to allow for encrypted
>voice communications, will be distributed only through the
>"underground".  People will have to learn how to hide the fact that
>they are protecting their privacy.

I have a wonderful encrypter you can borrow that converts a message
eg "Meet me at 11:30 to bomb the White House. Bring some dynamite"
to an apparently (relatively) innocuous message. This message
here is an example of the output for the above message :-).

>It's shocking and frightening to see that this is actually happening here.

It is shocking that it could happen anywhere.
It is shocking that it could happen in a country 
that has the arrogance to call itself free.

What you can do:
	(1) Write to your congress person in plain text.
	(2) Write to your congress person in encrypted text.
		(decrypter optional)
	(3) Send some random keystrokes to your congressperson
	(4) Send some random keystrokes across the US boundaries,
		and keep the spooks busy trying to decode it.
	(5) Write your own encryption algorithms.
	(6) Don't buy clipper products.

P.S. I can't work out why the US government doesn't want to sell
them overseas. After all, they are rather easy for US interests to decode,
so make a perfect tool for industrial/military espionage...lulling 
anyone stupid enough to buy it into a false sense of security. You will
notice that there is NO mention anywhere about safety for non-Americans.

Disclaimer: My opinions are mine alone, and do not represent anyone else's.
I have nothing that I particularly want to hide at the moment...though I 
consider the right
to be able to use whatever method of coding data I like to be high on my
list of priorities.

-- 
-----------------------------------------------------------------
Andrew Conway    arc@leland.stanford.edu  Phone: USA 415 497 1094


Newsgroup: sci.crypt
Document_id: 15209
From: eifrig@beanworld.cs.jhu.edu (Jonathan Eifrig)
Subject: Re: Pgp, PEM, and RFC's (Was: Cryptography Patents)

In article <1993Apr16.001321.3692@natasha.portal.com> bob@natasha.portal.com
(Bob Cain) writes:

>  Check your facts first and grow up.
>Why is there such a strong correlation between interest in cryptography
>and immaturity I wonder.

	Hmmm.  "Check your facts."  Good advice.  Let's check Mr. Cain's
facts a bit, shall we?

>Charles Kincy (ckincy@cs.umr.edu) wrote:

>: Some limitation.  Let me guess:  don't use the code in any way PKP or
>: RSA doesn't like....such as...providing secure communications for the
>: average citizen.
>
>That was exactly its purpose if you know anything about it.  There is
>nothing at all preventing the average citizen using it, only selling
>it.

FACT:  It is unlawful to distribute code implementing RSA without a license
to do so from PKP, whether or not one is charging for it.  Furthermore,
any use of RSA, other than for research purposes allowed under US patent
law, is similarly unlawful.  Therefore, the "average citizen" cannot use
RSA to encrypt message traffic in the US without a license from PKP.

There is no licensed, freely available product in the US that uses RSA
encryption other than RSAREF (and hence RIPEM), at least as far as I am
aware.  If you know of another, please post it here.

>: All I have to say is...yeah, right.  If you're willing to pay them
>: mucho big bucks and/or use the routines *they* tell you to do.  
>: Doesn't sound very reasonable to me.
>
>All I have to say is this is full of shit.  I have negotiated a license
>and the bucks are incredibly reasonable with an upfront charge on a
>sliding scale depending on your capitalization.  If you are a startup
>and can't afford it you can't afford to start up in the first place.
>Why do people insist on making unequivocal statements about that which
>they know nothing.

FACT:  The last contact I had with RSA Data Security, Inc was with some
guy trying to sell me a license (unsolicited, I might add) for TIPEM.
Cost: $15K plus 2-5 percent royalties.

I suppose it is a matter of opinion as to whether or not these terms count
as "mucho bucks" or "incredibly reasonable."  Either way, however, this
definitely falls into the "routines *they* tell you to (use)".

>: But I don't guess PKP and RSA are interested in big bucks.  Maybe
>: they have some other agenda?  Secure communications only for 
>: government agents, perhaps?
>
>Have you considered treatment for paranoia?  The government is the
>single biggest thorn in RSA's side.

FACT:  There are no restrictions (yet!) on the use of cryptography under
US law, although this is beginning to look like it will change.  The only
impediments to widespread use of RSA cryptography in the US are PKP's
patents.

	Mr. Cain, please shut up until you get your facts straight.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
	"Better than the whole world be destroyed and crumble to dust than
a free man deny one of his desires."
		-Benito Mussolini, Italian anarchist and poet.

Jack Eifrig (eifrig@cs.jhu.edu)       The Johns Hopkins University, C.S. Dept.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Newsgroup: sci.crypt
Document_id: 15210
From: avg@rodan.UU.NET (Vadim Antonov)
Subject: Re: Re-inventing Crypto Policy?  An EFF Statement

In article <1993Apr16.204207.24564@eff.org> Danny Weitzner <djw@eff.org> 
writes:
>The 80-bit key will be divided between two escrow agents, each of whom
>hold 40-bits of each key. 

I somehow started to doubt technical competence of the
people who designed the system.  Why on the Earth split the
80-bit key in 40-bit parts to keep them in escrow separately
(having 40 bit and large volumes of data voice links produce
it should be relatively easy to break it) when they simply
could keep 80-bit sequences in N (N>=2) independent places
and then XOR all the partial keys to get the actual key (N-1
sequences should obviously be selected randomly and Nth is the
actual key XOR-ed with the random sequences).

(Or is it a conspiracy? 1/2 :-)

--vadim
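An added example, not from Vadim's or Lee Brintle's posts, written to make the two escrow schemes concrete: the 40/40 split summarised in the EFF text, and the N-way XOR split proposed above. The sample key is a constructed value, not real Clipper key material, and the `randbytes` parameter exists only so the split can be reproduced in a test.

```python
import secrets

KEY_BITS = 80                 # Clipper key length discussed in the thread
KEY_BYTES = KEY_BITS // 8


def xor_bytes(a, b):
    """Bytewise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("shares must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_halves(key):
    """The scheme as the EFF summary describes it: agent 1 gets the first
    40 bits, agent 2 the last 40 bits.  Each share IS real key material."""
    if len(key) != KEY_BYTES:
        raise ValueError("expected a %d-bit key" % KEY_BITS)
    half = KEY_BYTES // 2
    return [key[:half], key[half:]]


def split_xor(key, n, randbytes=secrets.token_bytes):
    """Vadim's alternative: n-1 shares are uniformly random 80-bit strings,
    the nth share is the key XORed with all of them.  Any n-1 shares are
    jointly uniform, so they say nothing about the key."""
    if n < 2:
        raise ValueError("need at least two escrow agents")
    if len(key) != KEY_BYTES:
        raise ValueError("expected a %d-bit key" % KEY_BITS)
    shares = [randbytes(KEY_BYTES) for _ in range(n - 1)]
    last = key
    for share in shares:
        last = xor_bytes(last, share)
    shares.append(last)
    return shares


def combine_xor(shares):
    """Recover the key by XORing every share; requires ALL n shares."""
    key = bytes(KEY_BYTES)
    for share in shares:
        key = xor_bytes(key, share)
    return key


def unknown_key_bits(scheme, shares_held, n=2):
    """Bits of the 80-bit key still unknown to a party holding `shares_held`
    of the n shares, i.e. the exponent of the brute-force work left.
    This is the point of both posts: a 40-bit half leaves only 2**40
    candidates, while any incomplete set of XOR shares leaves all 2**80."""
    if scheme == "halves":
        return KEY_BITS - (KEY_BITS // 2) * min(shares_held, 2)
    if scheme == "xor":
        return 0 if shares_held >= n else KEY_BITS
    raise ValueError("unknown scheme")


if __name__ == "__main__":
    # Constructed sample key, not a real Clipper key.
    key = bytes.fromhex("0123456789abcdef0123")
    print("halves:", [s.hex() for s in split_halves(key)])
    shares = split_xor(key, 3)
    print("xor shares:", [s.hex() for s in shares])
    print("recombined ok:", combine_xor(shares) == key)
    for held in range(0, 3):
        print("holding %d of 3 xor shares leaves %d unknown bits"
              % (held, unknown_key_bits("xor", held, 3)))
    print("holding 1 of 2 halves leaves %d unknown bits"
          % unknown_key_bits("halves", 1))
```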

Newsgroup: sci.crypt
Document_id: 15211
From: karn@servo.qualcomm.com (Phil Karn)
Subject: Re: Keeping Your Mouth Shut (was: Hard drive security)

In article <C5K1CE.51A@sunfish.usd.edu>, vkub@charlie.usd.edu (Vince Kub) writes:
|> Now,
|> the original scheme as suggested here would be to have the key disappear if
|> certain threatening conditions are met. Once the key is gone there is no
|> question of Contempt of Court as there is nothing to compel, the key is no
|> longer there to be produced.

Getting rid of the keys is actually pretty easy to do automatically on
a communications link, as opposed to storage where the keys have to be
retained somehow as long as the owner wants to be able to retrieve the
data.

The right way to do communications security is to generate a random
session key with Diffie Hellman, use it for a while and then destroy
it. Once it's gone, there's no getting it back, and no way to decrypt
recordings of the conversation.

To make sure you aren't being attacked by a man in the middle, you
have to authenticate your DH exchanges. The AT&T secure phone does
this by displaying the DH key so you can compare them verbally over
the phone. This is nice and simple, but it relies on user awareness
plus the inability of the man in the middle to duplicate the users'
voices.

A better way is to authenticate the exchanges with RSA. Since you'd
never use RSA for actual encryption, compromising your RSA secret key
would only allow someone to impersonate you in a future conversation,
and even that only until you revoke your public key.  They would still
not be able to decrypt recordings of prior conversations for which the
session keys have been destroyed.

I'm convinced that this is how the government's own secure phones
(the STU-III) must work. Neat, eh?

Phil
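An added sketch, not code from Phil Karn's post nor from the AT&T phone or the STU-III, of the exchange described above: an ephemeral Diffie-Hellman session key, a short fingerprint of it that both users read aloud and compare, and destruction of the key afterwards. The group parameters P and G are toy values constructed for illustration (P is the Mersenne prime 2**127 - 1, far too small for real use), and the RSA-signed variant is not shown.

```python
import hashlib
import secrets

# Toy group, constructed for illustration only.
P = 2**127 - 1
G = 3


class Endpoint:
    """One secure phone.  `private` can be fixed for reproducible tests;
    otherwise a fresh random exponent is drawn, i.e. an ephemeral key."""

    def __init__(self, name, private=None):
        self.name = name
        self.private = (private if private is not None
                        else secrets.randbelow(P - 2) + 1)
        self.public = pow(G, self.private, P)
        self.session_key = None

    def derive_session_key(self, peer_public):
        """g^(ab) mod p, hashed down to a 256-bit session key."""
        if not 1 < peer_public < P - 1:
            raise ValueError("peer public value out of range")
        shared = pow(peer_public, self.private, P)
        self.session_key = hashlib.sha256(shared.to_bytes(16, "big")).digest()
        return self.session_key

    def fingerprint(self):
        """Short digest of the session key: the string each party reads
        aloud so the other can compare it (the check the AT&T phone does)."""
        if self.session_key is None:
            raise RuntimeError("no session key yet")
        digest = hashlib.sha256(b"fingerprint" + self.session_key).hexdigest()
        return " ".join(digest[i:i + 4] for i in range(0, 16, 4))

    def destroy_session(self):
        """Forget both the session key and the private exponent.  A recording
        of the call plus the public values seen on the wire no longer
        suffice to recompute the key (forward secrecy)."""
        self.private = None
        self.session_key = None


def direct_exchange(a, b):
    """Both parties see each other's genuine public value."""
    a.derive_session_key(b.public)
    b.derive_session_key(a.public)
    return a.fingerprint(), b.fingerprint()


def exchange_via(a, b, relay):
    """Something in the middle substitutes its own public value in both
    directions.  Each side still computes a key, but not the same one, so
    the spoken fingerprints no longer match and the users can hang up."""
    a.derive_session_key(relay.public)
    b.derive_session_key(relay.public)
    return a.fingerprint(), b.fingerprint()


def fingerprints_match(fp_a, fp_b):
    return fp_a == fp_b


if __name__ == "__main__":
    alice, bob = Endpoint("alice"), Endpoint("bob")
    fa, fb = direct_exchange(alice, bob)
    print("direct :", fa, "|", fb, "| match:", fingerprints_match(fa, fb))
    alice.destroy_session()
    bob.destroy_session()
    alice, bob, relay = Endpoint("alice"), Endpoint("bob"), Endpoint("relay")
    fa, fb = exchange_via(alice, bob, relay)
    print("relayed:", fa, "|", fb, "| match:", fingerprints_match(fa, fb))
```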



Newsgroup: sci.crypt
Document_id: 15212
From: pcw@access.digex.com (Peter Wayner)
Subject: The Old Key Registration Idea...

Okay, let's suppose that the NSA/NIST/Mykotronix Registered
Key system becomes standard and I'm able to buy such a system
from my local Radio Shack. Every phone comes with a built-in
chip and the government has the key to every phone call.
I go and buy a phone and dutifully register the key. 

What's to prevent me from swapping phones with a friend or 
buying a used phone at a garage sale? Whooa. The secret registered
keys just became unsynchronized. When the government comes 
to listen in, they only receive gobbledygook because the
secret key registered under my name isn't the right one. 

That leads me to conjecture that:

1) The system isn't that secure. There are just two master keys
that work for all the phones in the country. The part about
registering your keys is just bogus. 

or 

2) The system is vulnerable to simple phone swapping attacks
like this. Criminals will quickly figure this out and go to
town.

In either case, I think we need to look at this a bit deeper.

Newsgroup: sci.crypt
Document_id: 15213
From: ig25@fg70.rz.uni-karlsruhe.de (Thomas Koenig)
Subject: Re: White House Public Encryption Management Fact Sheet

clipper@csrc.ncsl.nist.gov (Clipper Chip Announcement) writes:

>The President has approved a directive on "Public Encryption
>Management."  The directive provides for the following:

[...]

>When
>exported abroad, it can be used to thwart foreign intelligence
>activities critical to our national interests.

[...]

>The Attorney General of the United States, or her representative,
>shall request manufacturers of communications hardware which
>incorporates encryption to install the U.S. government-developed
>key-escrow microcircuits in their products.

Quite interesting.  How does the US administration intend to persuade
non-US governments to let the NSA eavesdrop on them?  Or should U.S.
companies install these chips in communication systems sold abroad
without the customer's knowledge or consent, or not at all?
-- 
Thomas Koenig, ig25@rz.uni-karlsruhe.de, ig25@dkauni2.bitnet
The joy of engineering is to find a straight line on a double
logarithmic diagram.

Newsgroup: sci.crypt
Document_id: 15214
From: betel@camelot.bradley.edu (Robert Crawford)
Subject: Re: How to detect use of an illegal cipher?

Jay Fenton <Fenton@Kaleida.Com> writes:

>How can the government tell which encryption method one is using without
>being able to decode the traffic? i.e., In order to accuse me of using an
>unauthorized strong encryption technique they would have to take both
>keys out of escrow, run them against my ciphertext and "draw a blank".

	I was thinking about this, also. It's quite possible the
system transmits, in clear, the serial number of the device being
used. That way they can start a tap, get the serial number, and use
the warrant for the first tap to get the key.

	If they tap someone who's apparently using encryption, but
don't find that prefix, then they'll assume it's an "un-authorized"
encryption scheme.

--
	May the Kloo Gnomes be generous to you.

Robert Crawford				betel@camelot.bradley.edu

Newsgroup: sci.crypt
Document_id: 15215
From: philip@charon.cto.citicorp.com (Philip Gladstone)
Subject: More Clipper Stuff

As of yet, there has been no description of the general principles
behind the Clipper proposal. For example, is this a public key system
or a private key system? If the latter, then I don't see how the
system could work (given that the keys are tied to the device and
not the person).

Further, the escrowed 80-bit keys are split into two 40-bit chunks.
I would guess that the availability of one of these 40-bit chunks
and a reasonable key-search machine, would allow you to read the traffic.
I'm not suggesting that this is a deliberate weakness of the system,
but it does make you think. Of course, this is easily fixable by 
giving out two 80-bit chunks which could be x-ored to generate the 
real 80-bit key.

Philip

Newsgroup: sci.crypt
Document_id: 15216
From: cme@ellisun.sw.stratus.com (Carl Ellison)
Subject: Re: White House Public Encryption Management Fact Sheet

In article <C5LGAz.250@dove.nist.gov> clipper@csrc.ncsl.nist.gov (Clipper Chip Announcement) writes:

>PROCUREMENT AND USE OF ENCRYPTION DEVICES

[ ... ]

>The Attorney General will procure and utilize encryption devices to
>the extent needed to preserve the government's ability to conduct
>lawful electronic surveillance and to fulfill the need for secure
>law enforcement communications.  Further, the Attorney General
>shall utilize funds from the Department of Justice Asset Forfeiture
>Super Surplus Fund to effect this purchase.


Talk about adding insult to injury ... 

I, for one, believe that the use of civil forfeiture should be abolished by
a decent administration, not continued.  Instead, it looks like that
ill-gotten gain will be used to help pay for wiretap equipment.

-- 
 - <<Disclaimer: All opinions expressed are my own, of course.>>
 - Carl Ellison                                        cme@sw.stratus.com
 - Stratus Computer Inc.       M3-2-BKW                TEL: (508)460-2783
 - 55 Fairbanks Boulevard ; Marlborough MA 01752-1298  FAX: (508)624-7488

Newsgroup: sci.crypt
Document_id: 15217
From: m.t.palmer@larc.nasa.gov (Michael T. Palmer)
Subject: re: text of White House announcement and Q&As on clipper chip encryption


In article <C5L12t.GCI@dove.nist.gov> clipper@csrc.ncsl.nist.gov (Clipper Chip Announcement) writes:

>Q:   Suppose a law enforcement agency is conducting a wiretap on
>     a drug smuggling ring and intercepts a conversation... [etc]
        ^^^^^^^^^^^^^^^^^^^\
                            Great... nice choice of bad guys to
                            convince everyone how "bad" unrestricted
                            encryption is.  Why not use a child
                            molester instead?  Of course, the word
                            *suspect* is never used here, so I guess
                            these people have already been convicted
                            and are operating this drug ring from
                            their jail cells.

How about *this* question instead?

Q:   Suppose a law enforcement agency is conducting a wiretap on
     a political opponent of a senior administration official and
     intercepts a conversation...

Kinda changes your interpretation of the event, doesn't it?  And yes,
the presence of the Clipper Chip DOES change things, because it will
not only give the people talking on the phone a false sense of security,
it will also give federal law enforcement agencies the justification
to deny use of strong encryption methods that are inconvenient to them.
Dang it all, it's SUPPOSED to be inconvenient (but not impossible).
That's the ONLY sure way to make sure that abuses are minimized while
still allowing legitimate law enforcement access.


>Q:   How strong is the security in the device?  How can I be sure
>     how strong the security is?  
>
>A:   This system is more secure than many other voice encryption
>     systems readily available today.  While the algorithm will
>     remain classified to protect the security of the key escrow
>     system, we are willing to invite an independent panel of
>     cryptography experts to evaluate the algorithm to assure all
>     potential users that there are no unrecognized
>     vulnerabilities.

Uh huh... sure.  I predict that within two months (weeks?) of the chip's
debut, the full technical details will be posted to sci.crypt.  And if
this has ANY impact on the security of the key escrow system, then we've
been lied to.  Any cryptosystem worth its salt can withstand the light
of public scrutiny, and there is NO WAY you can be sure that an
algorithm has no "unrecognized vulnerabilities" unless you have half
the world trying to break it for a decade or so.  Even then, you gotta
be careful.

 
Michael T. Palmer         |  "A man is crazy who writes a secret in any
m.t.palmer@larc.nasa.gov  |   other way than one which will conceal it
RIPEM key on server       |   from the vulgar." - Roger Bacon, 1220-1292


Newsgroup: sci.crypt
Document_id: 15218
From: karn@servo.qualcomm.com (Phil Karn)
Subject: Re: Re-inventing Crypto Policy?  An EFF Statement

In article <1qna0tINNf5p@rodan.UU.NET>, avg@rodan.UU.NET (Vadim Antonov) writes:
|> I somehow started to doubt technical competence of the
|> people who designed the system.  Why on the Earth split the
|> 80-bit key in 40-bit parts to keep them in escrow separately
|> (having 40 bit and large volumes of data voice links produce
|> it should be relatively easy to break it) when they simply
|> could keep 80-bit sequences in N (N>=2) independent places
|> and then XOR all the partial keys to get the actual key (N-1
|> sequences should obviously be selected randomly and Nth is the
|> actual key XOR-ed with the random sequences).

Without real technical details, it's hard to answer this question. But
suppose they already *are* XORing the two 40-bit parts to produce only
40 bits of real key material? Maybe they're using the exportable version
of RC2...? :-)

Phil
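
The key-splitting question raised in Philip Gladstone's post above and in the Vadim Antonov paragraph quoted here, worked through as an added example (not code from any of the posters, and not from any Clipper specification): both splits are implemented on toy-sized keys, and a brute-force search counts how many candidates a key-search machine holding one escrow share has to try. The HMAC known-plaintext oracle, the scheme names and the assumption that the attacker holds the first share are my constructions.

```python
"""Escrowing a key as two halves versus XOR secret sharing (N-1 random
full-length shares, the Nth being the key XORed with all of them).
Constructed example, standard library only.  A known-plaintext HMAC check
stands in for the recorded traffic a key-search machine would test against."""
import hmac
import secrets

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def split_halves(key: bytes) -> list:
    """Escrow by halves: agent 1 holds the first half, agent 2 the second.
    Each share on its own exposes half of the key bits."""
    mid = len(key) // 2
    return [key[:mid], key[mid:]]

def join_halves(shares: list) -> bytes:
    return b"".join(shares)

def split_xor(key: bytes, n: int) -> list:
    """N-way XOR sharing: n-1 shares are uniformly random and the last is the
    key XORed with all of them, so any n-1 shares are independent of the key."""
    if n < 2:
        raise ValueError("need at least two shares")
    randoms = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = key
    for r in randoms:
        last = xor_bytes(last, r)
    return randoms + [last]

def join_xor(shares: list) -> bytes:
    out = bytes(len(shares[0]))
    for s in shares:
        out = xor_bytes(out, s)
    return out

def search_with_one_share(scheme: str, share: bytes, key_bytes: int, oracle):
    """Models the 'reasonable key-search machine': an attacker who holds the
    FIRST escrow share and an oracle that says whether a candidate key is the
    right one.  Returns (recovered_key, candidates_tried)."""
    tried = 0
    if scheme == "halves":
        missing = key_bytes - len(share)        # only the other half is unknown
        for k in range(1 << (8 * missing)):
            tried += 1
            guess = share + k.to_bytes(missing, "big")
            if oracle(guess):
                return guess, tried
    elif scheme == "xor":
        for k in range(1 << (8 * key_bytes)):   # the share pins nothing down
            tried += 1
            guess = k.to_bytes(key_bytes, "big")
            if oracle(guess):
                return guess, tried
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return None, tried

def make_oracle(key: bytes, known_plaintext: bytes = b"constructed known plaintext"):
    """Known-plaintext check standing in for decrypting a recorded call."""
    tag = hmac.new(key, known_plaintext, "sha256").digest()
    return lambda guess: hmac.compare_digest(
        hmac.new(guess, known_plaintext, "sha256").digest(), tag)

def compare_schemes(key_bits: int = 16) -> dict:
    """Toy-sized run (16-bit key so the exhaustive search fits in a test).
    With an 80-bit key the same ratio becomes 2**40 trials versus 2**80."""
    key_bytes = key_bits // 8
    key = secrets.token_bytes(key_bytes)
    oracle = make_oracle(key)
    halves, xors = split_halves(key), split_xor(key, 2)
    assert join_halves(halves) == key and join_xor(xors) == key
    k_h, t_h = search_with_one_share("halves", halves[0], key_bytes, oracle)
    k_x, t_x = search_with_one_share("xor", xors[0], key_bytes, oracle)
    return {
        "halves_recovered": k_h == key, "halves_trials": t_h,
        "xor_recovered": k_x == key, "xor_trials": t_x,
        "halves_worst_case": 1 << (key_bits // 2), "xor_worst_case": 1 << key_bits,
    }
```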

Newsgroup: sci.crypt
Document_id: 15219
Subject: text of White House announcement and Q&As on clipper chip encryption 
From: oleg@gd.cs.CSUFresno.EDU (Oleg Kibirev)

In article <C5L15A.GF6@dove.nist.gov> clipper@csrc.ncsl.nist.gov (Clipper Chip Announcement) writes:


Here is an article I found today in comp.security.misc. I'll send my reply in
a separate post to comp.off.eff.org so that you guys can get original text.
Have fun! ;(

Oleg

   Relay-Version: VMS News - V6.1B5 17/9/92 VAX/VMS V5.5-2; site nic.csu.net
   Path: nic.csu.net!csus.edu!netcom.com!netcomsv!decwrl!uunet!dove!csrc.ncsl.nist.gov!clipper
   Newsgroups: comp.security.misc
   From: clipper@csrc.ncsl.nist.gov (Clipper Chip Announcement)
   Date: Fri, 16 Apr 1993 15:17:33 GMT
   Sender: news@dove.nist.gov
   Distribution: na
   Organization: National Institute of Standards & Technology
   Lines: 280

   Note:  This file will also be available via anonymous file
   transfer from csrc.ncsl.nist.gov in directory /pub/nistnews and
   via the NIST Computer Security BBS at 301-948-5717.
	---------------------------------------------------

			    THE WHITE HOUSE

		     Office of the Press Secretary

   _________________________________________________________________

   For Immediate Release                           April 16, 1993


		   STATEMENT BY THE PRESS SECRETARY


   The President today announced a new initiative that will bring
   the Federal Government together with industry in a voluntary
   program to improve the security and privacy of telephone
   communications while meeting the legitimate needs of law
   enforcement.

   The initiative will involve the creation of new products to
   accelerate the development and use of advanced and secure
   telecommunications networks and wireless communications links.

   For too long there has been little or no dialogue between our
   private sector and the law enforcement community to resolve the
   tension between economic vitality and the real challenges of
   protecting Americans.  Rather than use technology to accommodate
   the sometimes competing interests of economic growth, privacy and
   law enforcement, previous policies have pitted government against
   industry and the rights of privacy against law enforcement.

   Sophisticated encryption technology has been used for years to
   protect electronic funds transfer.  It is now being used to
   protect electronic mail and computer files.  While encryption
   technology can help Americans protect business secrets and the
   unauthorized release of personal information, it also can be used
   by terrorists, drug dealers, and other criminals.

   A state-of-the-art microcircuit called the "Clipper Chip" has
   been developed by government engineers.  The chip represents a
   new approach to encryption technology.  It can be used in new,
   relatively inexpensive encryption devices that can be attached to
   an ordinary telephone.  It scrambles telephone communications
   using an encryption algorithm that is more powerful than many in
   commercial use today.

   This new technology will help companies protect proprietary
   information, protect the privacy of personal phone conversations
   and prevent unauthorized release of data transmitted
   electronically.  At the same time this technology preserves the
   ability of federal, state and local law enforcement agencies to
   intercept lawfully the phone conversations of criminals. 

   A "key-escrow" system will be established to ensure that the
   "Clipper Chip" is used to protect the privacy of law-abiding
   Americans.  Each device containing the chip will have two unique
   "keys," numbers that will be needed by authorized government
   agencies to decode messages encoded by the device.  When the
   device is manufactured, the two keys will be deposited separately
   in two "key-escrow" data bases that will be established by the
   Attorney General.  Access to these keys will be limited to
   government officials with legal authorization to conduct a
   wiretap.

   The "Clipper Chip" technology provides law enforcement with no
   new authorities to access the content of the private
   conversations of Americans.

   To demonstrate the effectiveness of this new technology, the
   Attorney General will soon purchase several thousand of the new
   devices.  In addition, respected experts from outside the
   government will be offered access to the confidential details of
   the algorithm to assess its capabilities and publicly report
   their findings.

   The chip is an important step in addressing the problem of
   encryption's dual-edge sword:  encryption helps to protect the
   privacy of individuals and industry, but it also can shield
   criminals and terrorists.  We need the "Clipper Chip" and other
   approaches that can both provide law-abiding citizens with access
   to the encryption they need and prevent criminals from using it
   to hide their illegal activities.  In order to assess technology
   trends and explore new approaches (like the key-escrow system),
   the President has directed government agencies to develop a
   comprehensive policy on encryption that accommodates:

	--   the privacy of our citizens, including the need to
	     employ voice or data encryption for business purposes;

	--   the ability of authorized officials to access telephone
	     calls and data, under proper court or other legal
	     order, when necessary to protect our citizens;

	--   the effective and timely use of the most modern
	     technology to build the National Information
	     Infrastructure needed to promote economic growth and
	     the competitiveness of American industry in the global
	     marketplace; and 

	--   the need of U.S. companies to manufacture and export
	     high technology products.

   The President has directed early and frequent consultations with
   affected industries, the Congress and groups that advocate the
   privacy rights of individuals as policy options are developed.

   The Administration is committed to working with the private
   sector to spur the development of a National Information
   Infrastructure which will use new telecommunications and computer
   technologies to give Americans unprecedented access to
   information.  This infrastructure of high-speed networks
   ("information superhighways") will transmit video, images, HDTV
   programming, and huge data files as easily as today's telephone
   system transmits voice.

   Since encryption technology will play an increasingly important
   role in that infrastructure, the Federal Government must act
   quickly to develop consistent, comprehensive policies regarding
   its use.  The Administration is committed to policies that
   protect all Americans' right to privacy while also protecting
   them from those who break the law.

   Further information is provided in an accompanying fact sheet. 
   The provisions of the President's directive to acquire the new
   encryption technology are also available.  

   For additional details, call Mat Heyman, National Institute of
   Standards and Technology, (301) 975-2758.

   ---------------------------------


   QUESTIONS AND ANSWERS ABOUT THE CLINTON ADMINISTRATION'S
   TELECOMMUNICATIONS INITIATIVE




   Q:   Does this approach expand the authority of government
	agencies to listen in on phone conversations?

   A:   No.  "Clipper Chip" technology provides law enforcement with
	no new authorities to access the content of the private
	conversations of Americans.

   Q:   Suppose a law enforcement agency is conducting a wiretap on
	a drug smuggling ring and intercepts a conversation
	encrypted using the device.  What would they have to do to
	decipher the message?

   A:   They would have to obtain legal authorization, normally a
	court order, to do the wiretap in the first place.  They
	would then present documentation of this authorization to
	the two entities responsible for safeguarding the keys and
	obtain the keys for the device being used by the drug
	smugglers.  The key is split into two parts, which are
	stored separately in order to ensure the security of the key
	escrow system.

   Q:   Who will run the key-escrow data banks?

   A:   The two key-escrow data banks will be run by two independent
	entities.  At this point, the Department of Justice and the
	Administration have yet to determine which agencies will
	oversee the key-escrow data banks.

   Q:   How strong is the security in the device?  How can I be sure
	how strong the security is?  

   A:   This system is more secure than many other voice encryption
	systems readily available today.  While the algorithm will
	remain classified to protect the security of the key escrow
	system, we are willing to invite an independent panel of
	cryptography experts to evaluate the algorithm to assure all
	potential users that there are no unrecognized
	vulnerabilities.

   Q:   Whose decision was it to propose this product?

   A:   The National Security Council, the Justice Department, the
	Commerce Department, and other key agencies were involved in
	this decision.  This approach has been endorsed by the
	President, the Vice President, and appropriate Cabinet
	officials.

   Q:   Who was consulted?  The Congress?  Industry?

   A:   We have on-going discussions with Congress and industry on
	encryption issues, and expect those discussions to intensify
	as we carry out our review of encryption policy.  We have
	briefed members of Congress and industry leaders on the
	decisions related to this initiative.

   Q:   Will the government provide the hardware to manufacturers?

   A:   The government designed and developed the key access
	encryption microcircuits, but it is not providing the
	microcircuits to product manufacturers.  Product
	manufacturers can acquire the microcircuits from the chip
	manufacturer that produces them.

   Q:   Who provides the "Clipper Chip"?

   A:   Mykotronx programs it at their facility in Torrance,
	California, and will sell the chip to encryption device
	manufacturers.  The programming function could be licensed
	to other vendors in the future.

   Q:   How do I buy one of these encryption devices? 

   A:   We expect several manufacturers to consider incorporating
	the "Clipper Chip" into their devices.

   Q:   If the Administration were unable to find a technological
	solution like the one proposed, would the Administration be
	willing to use legal remedies to restrict access to more
	powerful encryption devices?

   A:   This is a fundamental policy question which will be
	considered during the broad policy review.  The key escrow
	mechanism will provide Americans with an encryption product
	that is more secure, more convenient, and less expensive
	than others readily available today, but it is just one
	piece of what must be the comprehensive approach to
	encryption technology, which the Administration is
	developing.

	The Administration is not saying, "since encryption
	threatens the public safety and effective law enforcement,
	we will prohibit it outright" (as some countries have
	effectively done); nor is the U.S. saying that "every
	American, as a matter of right, is entitled to an
	unbreakable commercial encryption product."  There is a
	false "tension" created in the assessment that this issue is
	an "either-or" proposition.  Rather, both concerns can be,
	and in fact are, harmoniously balanced through a reasoned,
	balanced approach such as is proposed with the "Clipper
	Chip" and similar encryption techniques.

   Q:   What does this decision indicate about how the Clinton
	Administration's policy toward encryption will differ from
	that of the Bush Administration?  

   A:   It indicates that we understand the importance of encryption
	technology in telecommunications and computing and are
	committed to working with industry and public-interest
	groups to find innovative ways to protect Americans'
	privacy, help businesses to compete, and ensure that law
	enforcement agencies have the tools they need to fight crime
	and terrorism.

   Q:   Will the devices be exportable?  Will other devices that use
	the government hardware?

   A:   Voice encryption devices are subject to export control
	requirements.  Case-by-case review for each export is
	required to ensure appropriate use of these devices.  The
	same is true for other encryption devices.  One of the
	attractions of this technology is the protection it can give
	to U.S. companies operating at home and abroad.  With this
	in mind, we expect export licenses will be granted on a
	case-by-case basis for U.S. companies seeking to use these
	devices to secure their own communications abroad.  We plan
	to review the possibility of permitting wider exportability
	of these products.



Newsgroup: sci.crypt
Document_id: 15220
From: bear@kestrel.fsl.noaa.gov (Bear Giles)
Subject: How do they know what keys to ask for?  (Re: Clipper)


This may be a stupid question, but how does the government know which keys
to ask for?

Will owners be required to REGISTER their phones, faxes, modems, etc.,
and inform the government when they are moved to a different phone number?
Will there be penalties if the public does not do this?  Will identification
(the National Health Care ID, perhaps) be required when purchasing a
Clipper-equipped phone?

Or will each chip transmit identifying information at the start of
a conversation?  Identification which could be used to automatically
log who calls whom?  (The _phone_ company keeps records, but this 
information would be accessible by a well-placed van near a microwave
relay station).

This raises the question of how the two phones agree on a communications
encryption key.  Will it be something that is derived from information
exchanged at the start of the conversation -- and hence derivable by
an eavesdropper?

-- 
Bear Giles
bear@fsl.noaa.gov

Newsgroup: sci.crypt
Document_id: 15221
From: brad@clarinet.com (Brad Templeton)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

The strategy of the government is interesting.  The real fear comes from
them doing more than this.

This is a voluntary program, and thus harder for us to object to on
the surface.

Their strategy is a business one rather than a legal one.  They are
pushing to get a standard in place, a secret standard, and if they
get it as a standard then they will drive competitors out of the market.
It will be legal to sell better, untappable encryption that doesn't have
registered keys, but it will be difficult, and thus not a plan for
most phone companies.

You see, with clipper chip phones you'll be able to talk to any
cellular company, or other phones or ports because they will follow
the standard.  AT&T has already announced a clipper chip encryption
product.  The government has marketed hard to get major vendors to
use these chips.   If they get enough market share, they will rule.

And thus there will be very little market for systems that can't be
tapped by the police.  The public isn't that concerned about it now,
after all.  They freely do calls that anybody with an old TV can listen
to today!  They won't pay big extra bucks for proprietary phones that secure
them only from the police.

Well, some people will buy these phones, but they will only work with
other proprietary phones, so the market will be small and the phones
expensive.  Unless they are made in numbers large enough to sell them
cheap, only the Mob will buy them.

And this means that the FBI will want to track the customer lists of
better encryption phones, because "the only reason a person would want
one is to evade the police."

Interesting.
-- 
Brad Templeton, ClariNet Communications Corp. -- Sunnyvale, CA 408/296-0366

Newsgroup: sci.crypt
Document_id: 15222
From: matt@wardsgi.med.yale.edu (Matt Healy)
Subject: Re: Illegal Wiretaps (was

In article <3702.204.uupcb@ssr.com>, dick.zeitlin%acc1bbs@ssr.com (Dick
Zeitlin) wrote:
> 
> PK> .Perhaps we need the telephony equivalent of an anonymous remailer for
>   > .the telephone network? Back in Prohibition days (alcohol, that is) I
>   > .understand a device called the "cheesebox" was a popular means to thwart
>   > .the tracing of telephone calls. It connected two phone lines in the back
>   > .room of an otherwise uninvolved business. It was the conceptual predecesso
>   > .of today's anonymous email remailer.
> 
> The old "cheesebox" was the pre-Carterphone version of the "call
> diverter."  After the Carterphone decision there were several vendors
> that sold call diverters.  I've got a couple in my basement that
> were used to redirect my office phone to my home number when I
> didn't feel like going into the office.
> 
> It'd be quite easy to generate an "anonymous redialer" version of the
> call diverter.
> 

About 18 months ago, I heard a report on NPR about a 900-number
"1-900-STO-PPER" or some such, for placing untraceable calls.
You call them, and on "bong" tone dial the number you want to
call; they told the NPR interviewer that nothing short of a
court order (which they'd fight) would make them release their
records.                                                                   
                                            

Matt Healy
"I pretend to be a network administrator;
 the lab net pretends to work"

matt@wardsgi.med.yale.edu

Newsgroup: sci.crypt
Document_id: 15223
From: ld231782@LANCE.ColoState.Edu (L. Detweiler)
Subject: An Open Letter to Mr. Clinton


I'm quite astonished, shocked, and appalled at this serious frontal 
assault on emerging American freedoms.  Neither the Clinton administration 
nor any other government agency has any legitimate role whatsoever 
in regulating cryptography. To do so is tantamount to regulating 
`acceptable' speech, and is blatantly unconstitutional. Perhaps we 
should rename this year `1984' in honor of such an illustrious 
proposal.  Let the Crappy Chip live in infamy, and the administration
receive great shame and discredit for this bizarre misadventure.

I am outraged that my tax money is being used to develop technology
to restrict my freedoms far beyond reasonable measures.  The U.S.
government will have my full uncooperation and disobedience on any
serious threat to my liberties such as this, and I call on everyone
with an interest in a sensible government to resist and defy this 
proposal.  The administration does not seem to understand that they
are merely a subservient instrument to implement the will of the
public, and hence anyone involved in this proposal in this respect is 
wholly negligent and remiss in performing their lawful duty.

>While encryption
>technology can help Americans protect business secrets and the
>unauthorized release of personal information, it also can be used
>by terrorists, drug dealers, and other criminals.

It seems to me that U.S. Diplomatic communications should be 
tappable by the U.N. whenever any countries produce a warrant to
the U.N.  In fact, I think we should stop paying the NSA billions
of dollars a year to produce unbreakable codes for this reason.
These actions violate the sovereignty of international law. (I hope
Mr. Clinton is shrewd enough to recognize my sarcasm and satire here.
But if he isn't, it's a modest and reasonable proposal, so he should
find merit with it nevertheless.)

Cryptography is neutral technology. If everybody has strong 
cryptography (including policemen, bureaucrats, businessmen, 
housewives, thugs and hoodlums), we have a sustainable 
equilibrium.  Anything less is an unworkable anti-egalitarian 
arrangement, intrinsically antithetical to American freedoms, and
guaranteed to collapse under its own weight of inherent 
impracticality. We don't need to compromise on issues of freedom.

>For too long there has been little or no dialogue between our
>private sector and the law enforcement community to resolve the
>tension between economic vitality and the real challenges of
>protecting Americans.

For too long our government has demonstrated itself to be 
increasingly hostile and a serious obstacle to economic vitality 
and protecting Americans.

>Since encryption technology will play an increasingly important
>role in that infrastructure, the Federal Government must act
>quickly to develop consistent, comprehensive policies regarding
>its use.  The Administration is committed to policies that
>protect all Americans' right to privacy while also protecting
>them from those who break the law.

It is not possible for the Federal Government
to ``act quickly'' or develop ``consistent, comprehensive
policies'' PERIOD.  And even if by some grandiose miracle such
a thing were possible, it would only be an efficient way to
deprive American citizens of fundamental and inalienable rights.

The administration has to be committed to leaving private 
industries alone, esp. on this issue.  The government has no 
legitimate role in regulating the content of communications.
Law enforcement agencies must be prepared to forfeit their
surveillance bludgeon; they are soon and inevitably to be 
disarmed of it. 

>Q:   If the Administration were unable to find a technological
>     solution like the one proposed, would the Administration be
>     willing to use legal remedies to restrict access to more
>     powerful encryption devices?

No such laws can be constitutionally sound, and this is equivalent
to a veiled threat, which I don't appreciate.  This kind of 
extortion tends to agitate me and others into radicalism. I will
trade threats for threats, and violation for violation.

>     The Administration is not saying, "since encryption
>     threatens the public safety and effective law enforcement,
>     we will prohibit it outright" (as some countries have
>     effectively done);

If the administration did say this, it would find itself 
impeached for reckless and outrageous disregard of essential,
established, entrenched, and explicit constitutional privacy 
guarantees. The administration would have no legal standing 
whatsoever; such an action would be egregiously illegal and
criminal, and wholly untolerated and disregarded by vast 
segments of the population.

>     nor is the U.S. saying that "every
>     American, as a matter of right, is entitled to an
>     unbreakable commercial encryption product." 

The U.S., comprised of a vast majority of people fanatically 
committed to preserving their privacy in the face of an 
increasingly totalitarian government, is saying just that.  
Take your chips and give them to NSA employees as Christmas bonuses.
We can run any algorithm on our computers we damn well please, 
and we will make any chips we please, and we will send any bit 
pattern over our data highways we please. And if you try to stop 
us, you will be gradually or abruptly dissolved into nothingness.

[privacy vs. law enforcement]
>     There is a
>     false "tension" created in the assessment that this issue is
>     an "either-or" proposition. 

This is an outright Dingaling Denning lie.  The two aims of
privacy and surveillance are intrinsically and fundamentally 
incompatible, and you have to work for the NSA to think otherwise. 
Americans are about to discover ways, through the use of technology, 
to preserve their inalienable but forgotten freedoms that have slowly 
been eroded away by an increasingly distant and unresponsive and 
*unrepresentative* government.

--

ld231782@longs.LANCE.ColoState.EDU

Newsgroup: sci.crypt
Document_id: 15224
From: tcmay@netcom.com (Timothy C. May)
Subject: "Clipper" an Infringement on Intergraph's Name?

Besides being an infringement on our civil liberties (not the subject
in this post), the name "Clipper Chip" seems very confusable with the
"Clipper" chip of Intergraph.

Originally designed by a team at Fairchild Semiconductor, Clipper was
a 32-bit RISC microprocessor. It is still used in some workstations,
notably those from Intergraph, the supplier of CAD tools. Intergraph
acquired the Clipper product line when Fairchild was sold to National
Semiconductor several years back.

When I first saw "Clipper Chip" in the announcement, I immediately
thought the article was referring to the Clipper chip I know.

This seems to be grounds for Intergraph to sue, but then I'm not a
lawyer. I'd say I'm a cryptologist, but I don't want to incriminate
myself under the laws of the new regime.

-Tim May


-- 
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,  
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets, 
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^756839 | Public Key: PGP and MailSafe available.


Newsgroup: sci.crypt
Document_id: 15225
From: matt@wardsgi.med.yale.edu (Matt Healy)
Subject: Re: Patents (was RC2 RC4)

In article <bontchev.734787730@fbihh>,
bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) wrote:
> 
> ahaley@eoe.co.uk (Andrew Haley) writes:
> 
> > : Coca-Cola has always understood it.
> 
> > Coca-cola is made under licence in dozens of countries around the
> > world.  You're crazy if you think PepsiCo doesn't know the recipe.
> 
> In all those countries Coca-cola is distributed in the form of a
> concentrate that the local producers simply mix with water and other
> simple ingredients. The trick is to know what is in the concentrate...
> 

I don't know if this is still true, but at one time Coca-Cola
took elaborate measures to keep the formula secret.  For instance,
several plants in different cities each made one of six partial
concentrates, which were then shipped back and forth and remixed
in a complicated scheme so that no single plant made the whole
formula.  By now, I would guess that PepsiCo's chemists would have
reverse-engineered it; can't be all that exotic.  Actually I
prefer Pepsi anyhow; in about 3 minutes I'm gonna put money
into a Pepsi vending machine...

Matt Healy
"I pretend to be a network administrator;
 the lab net pretends to work"

matt@wardsgi.med.yale.edu

Newsgroup: sci.crypt
Document_id: 15226
From: rlglende@netcom.com (Robert Lewis Glendenning)
Subject: Re: The Old Key Registration Idea...

The Clipper Chip will have no effect.  Current generation PCs, portable
and desktop, all have analog voice -> digital voice and vice versa
capabilities.  So, I only need a modem output to the telephone,
and I can interpose any encryption screen on my voice traffic I want.

Not even a big deal, but it will pass muster if they have a way
of checking whether I am using their Clipper Chip encryption without
a full decoding.

I have been chided for stating that Dorothy Denning was intellectually
dishonest in the ACM debate and in this newsgroup.  I have previously
refrained from suggesting that she is arguing on behalf of consulting
clients.

Now, I say that it is clear that Dorothy Denning has been functioning
as a lobbyist, not a computer scientist.  She has used legal ethics
(truth is what you can convince anyone of), not scientific ethics
(truth is understanding the external world).

Maybe we can revoke her ACM membership? 8)

Lew
-- 
Lew Glendenning		rlglende@netcom.com
"Perspective is worth 80 IQ points."	Niels Bohr (or somebody like that).

Newsgroup: sci.crypt
Document_id: 15227
From: mjr@tis.com (Marcus J Ranum)
Subject: Re: How to detect use of an illegal cipher?

>>How can the government tell which encryption method one is using without
>>being able to decode the traffic? i.e., In order to accuse me of using an
>>unauthorized strong encryption technique they would have to take both
>>keys out of escrow, run them against my ciphertext and "draw a blank".
>
>	I was thinking about this, also. It's quite possible the
>system transmits, in clear, the serial number of the device being
>used. That way they can start a tap, get the serial number, and use
>the warrant for the first tap to get the key.
>
>	If they tap someone who's apparently using encryption, but
>don't find that prefix, then they'll assume it's an "un-authorized"
>encryption scheme.

	This doesn't handle superencrypted traffic. If the clipper
doesn't impose any unfortunate performance side-effects there's no
reason not to use it to superencrypt a stream of triple-DES encrypted
traffic. That way your traffic looks "normal" and perhaps anyone
desiring to listen in won't even bother, since they know nobody's
going to really trust crypto that has classified internals for
important stuff.

mjr.

Newsgroup: sci.crypt
Document_id: 15228
Subject: Re: Pgp, PEM, and RFC's (Was: Cryptography Patents)
From: a_rubin@dsg4.dse.beckman.com (Arthur Rubin)

In <C5LJ0t.K52@blaze.cs.jhu.edu> eifrig@beanworld.cs.jhu.edu (Jonathan Eifrig) writes:

>FACT:  It is unlawful to distribute code implementing RSA without a license
>to do so from PKP, whether or not one is charging for it.  Furthermore,
>any use of RSA, other than for research purposes allowed under US patent
>law, is similarly unlawful.  Therefore, the "average citizen" cannot use
>RSA to encrypt message traffic in the US without a license from PKP.

WRONG:  I don't think even PKP claims this one.  It is not unlawful to
distribute code implementing RSA.  It appears to be unlawful to use it, so
I agree with your last sentence.

>FACT:  There are no restrictions (yet!) on the use of cryptography under
>US law, although this is beginning to look like it will change.  The only
>impediments to widespread use of RSA cryptography in the US are PKP's
>patents.

Yes, that's correct.
--
Arthur L. Rubin: a_rubin@dsg4.dse.beckman.com (work) Beckman Instruments/Brea
216-5888@mcimail.com 70707.453@compuserve.com arthur@pnet01.cts.com (personal)
My opinions are my own, and do not represent those of my employer.

Newsgroup: sci.crypt
Document_id: 15229
From: jhesse@netcom.com (John Hesse)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption


Stupid me. I believed the Democrats stood for principles of personal
privacy while it was the Neanderthal Republicans that wanted into every
aspect of our lives. 

Clinton is just more clever than the other guy. Looks like gun control for
privacy technology. One small step at a time.

Wait a minute....  Let me think about this.

Hmmm, I feel better now. I believe the White House when they tell us
this first step is, in fact, the final step. All is OK. We've nothing to fear.
They're here to help us. 

God bless America.
-- 
------------------------------------------------------------------------------
John Hesse           |          A man,     
jhesse@netcom.com    |                 a plan, 
Moss Beach, Calif    |                         a canal, Bob.
------------------------------------------------------------------------------

Newsgroup: sci.crypt
Document_id: 15230
From: mjr@tis.com (Marcus J Ranum)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

brad@clarinet.com (Brad Templeton) writes:
>And this means that the FBI will want to track the customer lists of
>better encryption phones, because "the only reason a person would want
>one is to evade the police."

	Then they'll probably also want to start tracking the customer
lists of people purchasing SoundBlaster and similar boards, which can
be configured with the use of some code and a modem, to act as a pretty
decent digital-encrypting telephone. It's expensive, though, and kind
of awkward. I don't know any drug lords, but I'm sure they'd favor
something tappable over something secure as long as the user interface
is nice.

	When you've got HRH Prince of Wales saying stupid things over
cordless phones, it's not hard to imagine that drug dealers, child
pornographers, commies, LISP programmers, and other threats to the
civilized world might transact incriminating business over "encrypting"
cellular phones.


mjr.

Newsgroup: sci.crypt
Document_id: 15231
From: jhesse@netcom.com (John Hesse)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

In article <strnlghtC5LGFI.JqA@netcom.com> strnlght@netcom.com (David Sternlight) writes:
>
>
>Though I share many of the concerns expressed by some, I find the proposal
>less threatening than many others, since right now most Americans have no
>secure telephony, and any jerk with a pair of clip leads and a "goat" can
>eavesdrop. This would also plug up the security hole in cellular and
>cordless phones.
>

Oh great. Wonderful news. Nobody can listen in--except the feds. You
believe that the feds offer the least threat to liberty of anyone, and I'm
sure I do too.

Glad that jerk won't be tapping my phone anymore.
-- 
------------------------------------------------------------------------------
John Hesse           |          A man,     
jhesse@netcom.com    |                 a plan, 
Moss Beach, Calif    |                         a canal, Bob.
------------------------------------------------------------------------------

Newsgroup: sci.crypt
Document_id: 15232
From: rboudrie@chpc.org (Rob Boudrie)
Subject: Re: White House Public Encryption Management Fact Sheet


>security of the key-escrow system.  In making this decision, I do
>not intend to prevent the private sector from developing, or the
>government from approving, other microcircuits or algorithms that
>are equally effective in assuring both privacy and a secure key-
>escrow system.

Yeah, but does he intend to prevent the private sector from
developing other applications that are equally effective in 
assuring privacy, but do not have a key escrow system?

Newsgroup: sci.crypt
Document_id: 15233
Subject: Re: text of White House announcement and Q&As on clipper chip encryption
From: uni@acs.bu.edu (Shaen Bernhardt)

In article <1qmugcINNpu9@gap.caltech.edu> hal@cco.caltech.edu (Hal Finney) writes:
>The key question is whether non-Clipper encryption will be made illegal.
>
>>     The Administration is not saying, "since encryption
>>     threatens the public safety and effective law enforcement,
>>     we will prohibit it outright" (as some countries have
>>     effectively done); nor is the U.S. saying that "every
>>     American, as a matter of right, is entitled to an
>>     unbreakable commercial encryption product."  There is a
>>     false "tension" created in the assessment that this issue is
>>     an "either-or" proposition.  Rather, both concerns can be,
>>     and in fact are, harmoniously balanced through a reasoned,
>>     balanced approach such as is proposed with the "Clipper
>>     Chip" and similar encryption techniques.
>
>The clear middle ground implied by these statements is to say that Americans
>have the right to Clipper encryption, but not to unbreakable encryption.
>This implies that, ultimately, non-Clipper strong encryption must become
>illegal.

[Text deleted, no value judgement implied]

>It's shocking and frightening to see that this is actually happening here.
>
>Hal Finney
>hal@alumni.caltech.edu

More than shocking.  What this says to me is no less than that government
is very interested in monitoring the public.  This does more than scare me,
it mortifies me.

PGP and RIPEM must become widespread enough to resist what Mr. Finney has
[IMHO correctly] identified as the next logical step.  What was once an
academic discussion with regard to concealing cyphertext, has now become
a real consideration.

The rhetoric that the Clinton administration seems obsessed with, harmony,
either-or propositions, tension, tells me that they know how difficult
it will be to sell this proposition.

The phrase I hear more and more is "I can't believe this is actually happening
here."  Call me conservative, Clinton was a huge mistake that we'll all be
paying for tomorrow and many years from now.

Have we approached the age of speakeasy public key depositories?

uni (Dark)
-- 
uni@acs.bu.edu  ->  Public Keys by finger and/or request
Public Key Archives at <pgp-public-keys@junkbox.cc.iastate.edu>
Sovereignty is the sign of a brutal past.

Newsgroup: sci.crypt
Document_id: 15234
From: hal@cco.caltech.edu (Hal Finney)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

brad@clarinet.com (Brad Templeton) writes:

>Their strategy is a business one rather than legal one.  They are
>pushing to get a standard in place, a secret standard, and if they
>get it as a standard then they will drive competitors out of the market.
>It will be legal to sell better, untapable encryption that doesn't have
>registered keys, but it will be difficult, and thus not a plan for
>most phone companies.

If Brad's analysis is correct, it may offer an explanation for why the
encryption algorithm is being kept secret.  This will prevent competitors
from coming out with Clipper-compatible phones which lack the government-
installed "back door."  The strategy Brad describes will only work as long
as the only way to get compatible phones is to have ones with the government
chips.

(It would be nice, from the point of view of personal privacy, if Brad
turns out to be right.  As long as people still have the power to provide
their own encryption in place of or in addition to the Clipper, privacy
is still possible.  But the wording of several passages in the announcement
makes me doubt whether this will turn out to be true.)

Hal Finney

Newsgroup: sci.crypt
Document_id: 15235
From: rboudrie@chpc.org (Rob Boudrie)
Subject: Re: The Old Key Registration Idea...

In article <1qn1ic$hp6@access.digex.net> pcw@access.digex.com (Peter Wayner) writes:
>Okay, let's suppose that the NSA/NIST/Mykotronix Registered
>Key system becomes standard and I'm able to buy such a system
>from my local radio shack. Every phone comes with a built in
>chip and the government has the key to every phone call. 
>I go and buy a phone and dutifully register the key. 
>
>What's to prevent me from swapping phones with a friend or 
>buying a used phone at a garage sale? Whooa. The secret registered
>keys just became unsynchronized. When the government comes 

It's very possible, even likely, that the serial number of the
individual chip is broadcast either in a standard encrypted 
format, so that all the big brother types need to do is listen to
the traffic, get a court order (generally just by saying that they
think you may be a crook) and go to it.
>to listen in, they only receive gobbledly-gook because the 
>secret key registered under my name isn't the right one. 
>
>That leads me to conjecture that:
>
>1) The system isn't that secure. There are just two master keys
>that work for all the phones in the country. The part about
>registering your keys is just bogus. 
>
>or 
>
>2) The system is vulnerable to simple phone swapping attacks
>like this. Criminals will quickly figure this out and go to
>town.
>
>In either case, I think we need to look at this a bit deeper.



Newsgroup: sci.crypt
Document_id: 15236
From: rboudrie@chpc.org (Rob Boudrie)
Subject: Why the algorithm is secret


My thoughts on why the algorithm is secret :

   The chip is (regrettably) likely to become a standard.   There will
   be many applications where economic factors dictate use of this
   chip, like it or not.

   If the algorithm is public, and the code is as secure (absent the 
   access to escrowed keys) as represented, an enterprising sort 
   would make "compatible crypto chips for which no key had been
   escrowed".  This is likely what the release was referring to when 
   they referred to the secrecy of the algorithm protecting the
   security of the escrow system.

                                        rob boudrie

Newsgroup: sci.crypt
Document_id: 15237
From: schneier@chinet.chi.il.us (Bruce Schneier)
Subject: ISSA '93 Conference

If there is anyone attending the ISSA conference in Arlington, VA next
week, I would appreciate them getting in touch with me.

Bruce

Newsgroup: sci.crypt
Document_id: 15238
From: brad@clarinet.com (Brad Templeton)
Subject: Re: How do they know what keys to ask for?  (Re: Clipper)

The actual algorithm is classified, however, their main thrust here is
for cellular phones, and encryption is only over the radio end, not
end to end, I think.   End to end will come later.

And of course you have to identify yourself to the phone company, and
since the phone company complies with court orders, they will know the
magic number of your chip when they sign out a warrant on you, and
then can present the warrant to the key escrow house.
-- 
Brad Templeton, ClariNet Communications Corp. -- Sunnyvale, CA 408/296-0366

Newsgroup: sci.crypt
Document_id: 15239
From: brad@clarinet.com (Brad Templeton)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

In article <1qnn7b$ddc@sol.TIS.COM> mjr@tis.com (Marcus J Ranum) writes:
>	When you've got HRH Prince of Wales saying stupid things over
>cordless phones, it's not hard to imagine that drug dealers, child
>pornographers, commies, LISP programmers, and other threats to the
>civilized world might transact incriminating business over "encrypting"
>cellular phones.
>

Let's assume, for the moment, that the system really is secure unless
you get both halves of the encryption key from the two independent
escrow houses.  Let's say you even trust the escrow houses -- one is
the ACLU and the other is the EFF.  (And I'm not entirely joking about
those two names)

In that case the Prince of Wales has nothing to worry about on this
system.  Indeed, as pointed out, since the current systems, even the
current digital systems, are very easy to decode -- right now anybody
with an old TV can hear them -- for most people, this will be viewed
as an "oh goody" step upwards.

And look at how tolerant the public is.  They're willing to let the
neighbours with the radios hear right now.

It was suggested by one person that a *lot* of non-evidentiary wiretapping
is going on right now without warrants, because anybody can do it and it's
just an ECPA violation.  This would stop that.  All tapping would need
a warrant, or a breach of security at the escrow houses.
-- 
Brad Templeton, ClariNet Communications Corp. -- Sunnyvale, CA 408/296-0366

Newsgroup: sci.crypt
Document_id: 15240
From: brad@clarinet.com (Brad Templeton)
Subject: Once tapped, your code is no good any more.

It occurs to me that if they get a wiretap order on you, and the escrow
houses release your code to the cops, your code is now no longer secure.

It's in the hands of cops, and while I am sure most of the time they are
good, their security will not be as good as the escrow houses.


What this effectively means is that if they perform a wiretap on you,
at the end of the wiretap, they should be obligated to inform you that
a tap was performed, and replace (for free) the clipper chip in your
cellular phone so that it is once again a code known only to the
escrow houses.

Do the police normally reveal every tap they do even if no charges are
laid?   In many ways, it would be a positive step if they had to.
Judges set time limits on warrants, I assume.  At the end of the time
limit they should have to renew or replace your chip.


That's if we go with this scheme, which I am not sure I agree with.
-- 
Brad Templeton, ClariNet Communications Corp. -- Sunnyvale, CA 408/296-0366

Newsgroup: sci.crypt
Document_id: 15241
From: amanda@intercon.com (Amanda Walker)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

jhesse@netcom.com (John Hesse) writes:
> Oh great. Wonderful news. Nobody can listen in--except the feds. 

Hey, it's better than the status quo.

I am far less worried about "the feds" tapping my phone than high school 
scanner surfers who get their kicks out of eavesdropping on cellular and 
cordless phone calls.

It would be stupid to rely on even a "Clipperized" channel for truly 
sensitive material, but it *does* seem to finally offer a reasonable way to 
guard against casual eavesdropping.  For example, even with my strong "right 
to bear arms" view of the private right to possess and use strong 
cryptosystems, the system as described provides enough security that I would 
actually buy a cordless phone, and would be much less wary of using cellular 
phones, walkie-talkies, and so on.  As long as it's only used for mass-market 
voice scrambling, I actually don't see a problem with it.

If you want more security than it offers, use something different.  Use PKCS 
for electronic mail, CELP over DES or triple DES with Diffie-Hellman key 
exchange for your voice traffic, or whatever.

And yes, I'd rather just see all crypto restrictions lifted, but this is at 
least an incremental improvement for certain applications...


Amanda Walker
InterCon Systems Corporation



Newsgroup: sci.crypt
Document_id: 15242
From: amanda@intercon.com (Amanda Walker)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

In article <115713@bu.edu>, uni@acs.bu.edu (Shaen Bernhardt) writes:
> More than shocking.  What this says to me is no less than that 
> government is very interested in monitoring the public.  This does more 
> than scare me, it mortifies me. 

If this is any surprise to you, *I'm* shocked.


Amanda Walker
InterCon Systems Corporation



Newsgroup: sci.crypt
Document_id: 15243
From: crypt-comments@math.ncsu.edu
Subject: Cryptography FAQ 01/10 - Overview

Archive-name: cryptography-faq/part01
Last-modified: 1993/4/15


FAQ for sci.crypt, part 1: Overview

This is the first of ten parts of the sci.crypt FAQ. The parts are
mostly independent, but you should read this part before the rest. We
don't have the time to send out missing parts by mail, so don't ask.
Notes such as ``[KAH67]'' refer to the reference list in the last part.

Disclaimer: This document is the product of the Crypt Cabal, a secret
society which serves the National Secu---uh, no. Seriously, we're the
good guys, and we've done what we can to ensure the completeness and
accuracy of this document, but in a field of military and commercial
importance like cryptography you have to expect that some people and
organizations consider their interests more important than open
scientific discussion. Trust only what you can verify firsthand.
And don't sue us.

Many people have contributed to this FAQ. In alphabetical order:
Eric Bach, Steve Bellovin, Dan Bernstein, Nelson Bolyard, Carl Ellison,
Jim Gillogly, Mike Gleason, Doug Gwyn, Luke O'Connor, Tony Patti,
William Setzer. We apologize for any omissions.

If you have suggestions, comments, or criticism, please let the current
editors know by sending e-mail to crypt-comments@math.ncsu.edu.  We don't
assume that this FAQ is at all complete at this point.

Archives: sci.crypt has been archived since October 1991 on
cl-next2.cl.msu.edu, though these archives are available only to U.S. and
Canadian users. Please contact crypt-comments@math.ncsu.edu if you know of
other archives.

The sections of this FAQ are available via anonymous FTP to rtfm.mit.edu 
as /pub/usenet/news.answers/cryptography-faq/part[xx].  The Cryptography 
FAQ is posted to the newsgroups sci.crypt, sci.answers, and news.answers 
every 21 days.


Table of contents:

1 Overview

2 Net Etiquette
* What groups are around? What's a FAQ? Who am I? Why am I here?
* Do political discussions belong in sci.crypt?
* How do I present a new encryption scheme in sci.crypt?

3 Basic Cryptology
* What is cryptology? Cryptography? Plaintext? Ciphertext? Encryption? Key?
* What references can I start with to learn cryptology?
* How does one go about cryptanalysis?
* What is a brute-force search and what is its cryptographic relevance?
* What are some properties satisfied by every strong cryptosystem?
* If a cryptosystem is theoretically unbreakable, then is it
  guaranteed analysis-proof in practice?
* Why are many people still using cryptosystems that are
  relatively easy to break?

4 Mathematical Cryptology
* In mathematical terms, what is a private-key cryptosystem?
* What is an attack?
* What's the advantage of formulating all this mathematically?
* Why is the one-time pad secure?
* What's a ciphertext-only attack?
* What's a known-plaintext attack?
* What's a chosen-plaintext attack?
* In mathematical terms, what can you say about brute-force attacks?
* What's a key-guessing attack? What's entropy?

5 Product ciphers
* What is a product cipher?
* What makes a product cipher secure?
* What are some group-theoretic properties of product ciphers?
* What can be proven about the security of a product cipher?
* How are block ciphers used to encrypt data longer than the block size?
* Can symmetric block ciphers be used for message authentication?
* What exactly is DES?
* What is triple DES?
* What is differential cryptanalysis?
* How was NSA involved in the design of DES?
* Is DES available in software?
* Is DES available in hardware?
* Can DES be used to protect classified information?
* What are "ECB", "CBC", "CFB", and "OFB" encryption?

6 Public-Key Cryptography
* What is public-key cryptography?
* What's RSA?
* Is RSA secure?
* How fast can people factor numbers?
* What about other public-key cryptosystems?

7 Digital Signatures and Hash Functions
* What is a one-way hash function?
* What is the difference between public, private, secret, shared, etc.?
* What are MD4 and MD5?
* What is Snefru?

8 Technical Miscellany
* How do I recover from lost passwords in WordPerfect?
* How do I break a Vigenere (repeated-key) cipher?
* How do I send encrypted mail under UNIX? [PGP, RIPEM, PEM, ...]
* Is the UNIX crypt command secure?
* How do I use compression with encryption?
* Is there an unbreakable cipher?
* What does ``random'' mean in cryptography?
* What is the unicity point (a.k.a. unicity distance)?
* What is key management and why is it important?
* Can I use pseudo-random or chaotic numbers as a key stream?
* What is the correct frequency list for English letters?
* What is the Enigma?
* How do I shuffle cards?
* Can I foil S/W pirates by encrypting my CD-ROM?
* Can you do automatic cryptanalysis of simple ciphers?
* What is the coding system used by VCR+?

9 Other Miscellany
* What is the National Security Agency (NSA)?
* What are the US export regulations?
* What is TEMPEST?
* What are the Beale Ciphers, and are they a hoax?
* What is the American Cryptogram Association, and how do I get in touch?
* Is RSA patented?
* What about the Voynich manuscript?

10 References
* Books on history and classical methods
* Books on modern methods
* Survey articles
* Reference articles
* Journals, conference proceedings
* Other
* How may one obtain copies of FIPS and ANSI standards cited herein?
* Electronic sources
* RFCs (available from [FTPRF])
* Related newsgroups

Newsgroup: sci.crypt
Document_id: 15244
From: crypt-comments@math.ncsu.edu
Subject: Cryptography FAQ 04/10 - Mathematical Cryptology

Archive-name: cryptography-faq/part04
Last-modified: 1993/4/15


FAQ for sci.crypt, part 4: Mathematical Cryptology

This is the fourth of ten parts of the sci.crypt FAQ. The parts are
mostly independent, but you should read the first part before the rest.
We don't have the time to send out missing parts by mail, so don't ask.
Notes such as ``[KAH67]'' refer to the reference list in the last part.

The sections of this FAQ are available via anonymous FTP to rtfm.mit.edu 
as /pub/usenet/news.answers/cryptography-faq/part[xx].  The Cryptography 
FAQ is posted to the newsgroups sci.crypt, sci.answers, and news.answers
every 21 days.


Contents:

* In mathematical terms, what is a private-key cryptosystem?
* What is an attack?
* What's the advantage of formulating all this mathematically?
* Why is the one-time pad secure?
* What's a ciphertext-only attack?
* What's a known-plaintext attack?
* What's a chosen-plaintext attack?
* In mathematical terms, what can you say about brute-force attacks?
* What's a key-guessing attack? What's entropy?


* In mathematical terms, what is a private-key cryptosystem?

  A private-key cryptosystem consists of an encryption system E and a
  decryption system D. The encryption system E is a collection of
  functions E_K, indexed by ``keys'' K, mapping some set of
  ``plaintexts'' P to some set of ``ciphertexts'' C. Similarly the
  decryption system D is a collection of functions D_K such that
  D_K(E_K(P)) = P for every plaintext P.  That is, successful decryption
  of ciphertext into plaintext is accomplished using the same key
  (index) as was used for the corresponding encryption of plaintext
  into ciphertext.  Such systems, wherein the same key value is used to
  encrypt and decrypt, are also known as ``symmetric'' cryptosystems.

* What is an attack?

  In intuitive terms a (passive) attack on a cryptosystem is any method
  of starting with some information about plaintexts and their
  corresponding ciphertexts under some (unknown) key, and figuring out
  more information about the plaintexts. It's possible to state
  mathematically what this means. Here we go.

  Fix functions F, G, and H of n variables. Fix an encryption system E,
  and fix a distribution of plaintexts and keys.

  An attack on E using G assuming F giving H with probability p is an
  algorithm A with a pair f, g of inputs and one output h, such that
  there is probability p of computing h = H(P_1,...,P_n), if we have
  f = F(P_1,...,P_n) and g = G(E_K(P_1),...,E_K(P_n)). Note that this
  probability depends on the distribution of the vector (K,P_1,...,P_n).

  The attack is trivial (or ``pointless'') if there is probability at
  least p of computing h = H(P_1,...,P_n) if f = F(P_1,...,P_n) and
  g = G(C_1,...,C_n). Here C_1,...,C_n range uniformly over the possible
  ciphertexts, and have no particular relation to P_1,...,P_n. In other
  words, an attack is trivial if it doesn't actually use the encryptions
  E_K(P_1),...,E_K(P_n).

  An attack is called ``one-ciphertext'' if n = 1, ``two-ciphertext'' if
  n = 2, and so on.

* What's the advantage of formulating all this mathematically?

  In basic cryptology you can never prove that a cryptosystem is secure.
  Read part 3: we keep saying ``a strong cryptosystem must have this
  property, but having this property is no guarantee that a cryptosystem
  is strong!''

  In contrast, the purpose of mathematical cryptology is to precisely
  formulate and, if possible, prove the statement that a cryptosystem is
  strong. We say, for example, that a cryptosystem is secure against
  all (passive) attacks if any nontrivial attack against the system (as
  defined above) is too slow to be practical. If we can prove this
  statement then we have confidence that our cryptosystem will resist
  any (passive) cryptanalytic technique. If we can reduce this statement
  to some well-known unsolved problem then we still have confidence that
  the cryptosystem isn't easy to break.

  Other parts of cryptology are also amenable to mathematical
  definition. Again the point is to explicitly identify what assumptions
  we're making and prove that they produce the desired results. We can
  figure out what it means for a particular cryptosystem to be used
  properly: it just means that the assumptions are valid.

  The same methodology is useful for cryptanalysis too. The cryptanalyst
  can take advantage of incorrect assumptions. Often he can try to
  construct a proof of security for a system, see where the proof fails,
  and use these failures as the starting points for his analysis.
  
* Why is the one-time pad secure?

  By definition, the one-time pad is a cryptosystem where the
  plaintexts, ciphertexts, and keys are all strings (say byte strings)
  of some length m, and E_K(P) is just the sum (let's say the exclusive
  or) of K and P.

  It is easy to prove mathematically that there are _no_ nontrivial
  single-ciphertext attacks on the one-time pad, assuming a uniform
  distribution of keys. Note that we don't have to assume a uniform
  distribution of plaintexts. (Here's the proof: Let A be an attack,
  i.e., an algorithm taking two inputs f, g and producing one output h,
  with some probability p that h = H(P) whenever f = F(P) and
  g = G(E_K(P)) (i.e., g = G(K + P)). Then, because the distribution of
  K is uniform and independent of P, the distribution of K + P must also
  be uniform and independent of P. But also the distribution of C is
  uniform and independent of P. Hence there is probability exactly p
  that h = H(P) whenever f = F(P) and g = G(C), over all P and C. Thus
  a fortiori A is trivial.)

  On the other hand the one-time pad is _not_ secure if a key K is used
  for more than one plaintext: i.e., there are nontrivial
  multiple-ciphertext attacks. So to be properly used a key K must be
  thrown away after one encryption. The key is also called a ``pad'';
  this explains the name ``one-time pad.''

* What's a ciphertext-only attack?

  In the notation above, a ciphertext-only attack is one where F is
  constant. Given only some information G(E_K(P_1),...,E_K(P_n)) about
  n ciphertexts, the attack has to have some chance of producing some
  information H(P_1,...,P_n) about the plaintexts. The attack is trivial
  if it has just as good a chance of producing H(P_1,...,P_n) when given
  G(C_1,...,C_n) for random C_1,...,C_n.

  For example, say G(C) = C, and say H(P) is the first bit of P. We can
  easily write down an attack---the ``guessing attack,'' which simply
  guesses that H(P) is 1. This attack is trivial because it doesn't use
  the ciphertext: it has a fifty-fifty chance of guessing correctly no
  matter what. On the other hand there is an attack on RSA which
  produces one bit of information about P, with 100% success, using C.
  If it is fed a random C then the success rate drops to 50%. So this is
  a nontrivial attack.

* What's a known-plaintext attack?

  The classic known-plaintext attack has F(P_1,P_2) = P_1,
  G(C_1,C_2) = (C_1,C_2), and H(P_1,P_2) depending only on P_2.
  In other words, given two ciphertexts C_1 and C_2 and one decryption
  P_1, the known-plaintext attack should produce information about the
  other decryption P_2.

  Note that known-plaintext attacks are often defined in the literature
  as producing information about the key, but this is pointless: the
  cryptanalyst generally cares about the key only insofar as it lets him
  decrypt further messages.

* What's a chosen-plaintext attack?

  A chosen-plaintext attack is the first of an increasingly impractical
  series of _active_ attacks on a cryptosystem: attacks where the
  cryptanalyst feeds data to the encryptor. These attacks don't fit into
  our model of passive attacks explained above. Anyway, a
  chosen-plaintext attack lets the cryptanalyst choose a plaintext and
  look at the corresponding ciphertext, then repeat until he has figured
  out how to decrypt any message. More absurd examples of this sort of
  attack are the ``chosen-key attack'' and ``chosen-system attack.''

  A much more important form of active attack is a message corruption
  attack, where the attacker tries to change the ciphertext in such a
  way as to make a useful change in the plaintext.

  There are many easy ways to throw kinks into all of these attacks:
  for instance, automatically encrypting any plaintext P as
  T,E_K(h(T+R+P),R,P), where T is a time-key (sequence number) chosen anew
  for each message, R is a random number, and h is a one-way hash
  function. Here comma means concatenation and plus means exclusive-or.

* In mathematical terms, what can you say about brute-force attacks?

  Consider the following known-plaintext attack. We are given some
  plaintexts P_1,...,P_{n-1} and ciphertexts C_1,...,C_{n-1}. We're
  also given a ciphertext C_n. We run through every key K. When we find
  K such that E_K(P_i) = C_i for every i < n, we print D_K(C_n).

  If n is big enough that only one key works, this attack will succeed
  on valid inputs all the time, while it will produce correct results
  only once in a blue moon for random inputs. Thus this is a nontrivial
  attack. Its only problem is that it is very slow if there are many
  possible keys.

* What's a key-guessing attack? What's entropy?

  Say somebody is using the one-time pad---but isn't choosing keys
  randomly and uniformly from all m-bit messages, as he was supposed to
  for our security proof. In fact say he's known to prefer keys which
  are English words. Then a cryptanalyst can run through all English
  words as possible keys. This attack will often succeed, and it's much
  faster than a brute-force search of the entire keyspace.

  We can measure how bad a key distribution is by calculating its
  entropy. This number E is the number of ``real bits of information''
  of the key: a cryptanalyst will typically happen across the key within
  2^E guesses. E is defined as the sum of -p_K log_2 p_K, where p_K is
  the probability of key K.

Newsgroup: sci.crypt
Document_id: 15245
From: crypt-comments@math.ncsu.edu
Subject: Cryptography FAQ 08/10 - Technical Miscellany

Archive-name: cryptography-faq/part08
Last-modified: 1993/4/15


FAQ for sci.crypt, part 8: Technical Miscellany

This is the eighth of ten parts of the sci.crypt FAQ. The parts are
mostly independent, but you should read the first part before the rest.
We don't have the time to send out missing parts by mail, so don't ask.
Notes such as ``[KAH67]'' refer to the reference list in the last part.

The sections of this FAQ are available via anonymous FTP to rtfm.mit.edu 
as /pub/usenet/news.answers/cryptography-faq/part[xx].  The Cryptography 
FAQ is posted to the newsgroups sci.crypt, sci.answers, and news.answers
every 21 days.


Contents

* How do I recover from lost passwords in WordPerfect?
* How do I break a Vigenere (repeated-key) cipher?
* How do I send encrypted mail under UNIX? [PGP, RIPEM, PEM, ...]
* Is the UNIX crypt command secure?
* How do I use compression with encryption?
* Is there an unbreakable cipher?
* What does ``random'' mean in cryptography?
* What is the unicity point (a.k.a. unicity distance)?
* What is key management and why is it important?
* Can I use pseudo-random or chaotic numbers as a key stream?
* What is the correct frequency list for English letters?
* What is the Enigma?
* How do I shuffle cards?
* Can I foil S/W pirates by encrypting my CD-ROM?
* Can you do automatic cryptanalysis of simple ciphers?
* What is the coding system used by VCR+?


* How do I recover from lost passwords in WordPerfect?

  WordPerfect encryption has been shown to be very easy to break.
  The method uses XOR with two repeating key streams: a typed password
  and a byte-wide counter initialized to 1+<the password length>. Full
  descriptions are given in Bennett [BEN87] and Bergen and Caelli
  [BER91].

  Chris Galas writes: ``Someone a while back was looking for a way to
  decrypt WordPerfect document files and I think I have a solution.
  There is a software company named: Accessdata (87 East 600 South,
  Orem, UT 84058), 1-800-658-5199 that has a software package that will
  decrypt any WordPerfect, Lotus 1-2-3, Quattro Pro, MS Excel and Paradox
  files. The cost of the package is $185. Steep prices, but if you
  think your pw key is less than 10 characters, (or 10 char) give them a
  call and ask for the free demo disk. The demo disk will decrypt files
  that have a 10 char or less pw key.''

* How do I break a Vigenere (repeated-key) cipher?

  A repeated-key cipher, where the ciphertext is something like the
  plaintext xor KEYKEYKEYKEY (and so on), is called a Vigenere cipher.
  If the key is not too long and the plaintext is in English, do the
  following: 

  1. Discover the length of the key by counting coincidences.
  (See Gaines [GAI44], Sinkov [SIN66].) Trying each displacement of
  the ciphertext against itself, count those bytes which are equal.
  If the two ciphertext portions have used the same key, something
  over 6% of the bytes will be equal. If they have used different
  keys, then less than 0.4% will be equal (assuming random 8-bit bytes
  of key covering normal ASCII text). The smallest displacement which
  indicates an equal key is the length of the repeated key.

  2. Shift the text by that length and XOR it with itself. This
  removes the key and leaves you with text XORed with itself. Since
  English has about 1 bit of real information per byte, 2 streams of
  text XORed together have 2 bits of info per 8-bit byte, providing
  plenty of redundancy for choosing a unique decryption. (And in fact
  one stream of text XORed with itself has just 1 bit per byte.)

  If the key is short, it might be even easier to treat this as a
  standard polyalphabetic substitution. All the old cryptanalysis
  texts show how to break those. It's possible with those methods, in
  the hands of an expert, if there's only ten times as much text as key.
  See, for example, Gaines [GAI44], Sinkov [SIN66].
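
  The two steps above, worked through as an added Python example (this is
  not code from the FAQ). The plaintext, the 5-byte key and the 3%
  threshold are constructed for the demonstration; the threshold sits
  between the FAQ's ``over 6%'' same-key figure and its ``under 0.4%''
  different-key figure. The key bytes were picked so that no two of them
  XOR to a value that two lowercase letters or spaces can produce, so the
  wrong displacements show no coincidences at all and the first
  displacement to clear the threshold is the key length. The self-XOR
  step then cancels the key exactly, which is also why the one-time pad
  discussed earlier must never reuse a key.

```python
# Added example, not from the sci.crypt FAQ.  Finds the length of a
# repeated XOR key by counting coincidences, then cancels the key by
# XORing the ciphertext with itself shifted by that length.
# SAMPLE_TEXT and KEY are constructed for this demonstration.

SAMPLE_TEXT = (
    b"the repeated key cipher is easy to break when the key is short and the "
    b"text is english because the same key byte lands on the same positions "
    b"again and again and the letters of the language are far from uniform so "
    b"the cipher text lines up with itself at the key length and at every "
    b"multiple of it the count of equal bytes jumps well above the rate seen "
    b"at any other shift and that smallest shift is the length of the key once "
    b"the key length is known the rest of the work is the classic attack on a "
    b"polyalphabetic cipher with the old cryptanalysis texts as a guide"
)
KEY = bytes([0x8f, 0xd4, 0xb2, 0x1c, 0x71])   # constructed 5-byte key


def xor_repeating_key(data: bytes, key: bytes) -> bytes:
    """Vigenere-style XOR: byte i is XORed with key[i mod len(key)].
    The same call decrypts, since XOR is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def coincidence_rate(ct: bytes, shift: int) -> float:
    """Fraction of positions i where ct[i] == ct[i + shift]."""
    pairs = len(ct) - shift
    if pairs <= 0:
        return 0.0
    equal = sum(1 for i in range(pairs) if ct[i] == ct[i + shift])
    return equal / pairs


def guess_key_length(ct: bytes, max_len: int = 20,
                     threshold: float = 0.03) -> int:
    """Smallest displacement whose coincidence rate looks like 'same key'
    (the FAQ's 6%+ for English) rather than 'different key bytes' (well
    under 1%).  Returns 0 if no displacement up to max_len qualifies."""
    for shift in range(1, max_len + 1):
        if coincidence_rate(ct, shift) >= threshold:
            return shift
    return 0


def strip_key(ct: bytes, key_len: int) -> bytes:
    """ct[i] ^ ct[i + key_len] == pt[i] ^ pt[i + key_len]: the key bytes
    cancel, leaving plaintext XORed with itself, which (as the FAQ notes)
    still carries enough redundancy to recover the text."""
    return bytes(ct[i] ^ ct[i + key_len] for i in range(len(ct) - key_len))


if __name__ == "__main__":
    ct = xor_repeating_key(SAMPLE_TEXT, KEY)
    for s in range(1, 11):
        print(f"shift {s:2d}: coincidence rate {coincidence_rate(ct, s):.3f}")
    print("guessed key length:", guess_key_length(ct))
```

  With real 8-bit key bytes the wrong displacements will not be exactly
  zero, and a key with a small XOR difference between two of its bytes
  (0x01, say) can push a wrong displacement up to a few percent on plain
  English, so on live data the key length is confirmed by looking for the
  same peak at every multiple of it rather than trusting one threshold.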

* How do I send encrypted mail under UNIX? [PGP, RIPEM, PEM, ...]

  Here's one popular method, using the des command:

    cat file | compress | des private_key | uuencode | mail

  Meanwhile, there is a de jure Internet standard in the works called
  PEM (Privacy Enhanced Mail). It is described in RFCs 1421 through
  1424. To join the PEM mailing list, contact pem-dev-request@tis.com.
  There is a beta version of PEM being tested at the time of this
  writing.

  There are also two programs available in the public domain for encrypting
  mail: PGP and RIPEM.  Both are available by FTP.  Each has its own
  newsgroup: alt.security.pgp and alt.security.ripem.  Each has its own FAQ
  as well.

  PGP is most commonly used outside the USA since it uses the RSA algorithm
  without a license and RSA's patent is valid only (or at least primarily)
  in the USA.

  RIPEM is most commonly used inside the USA since it uses RSAREF, which
  is freely available within the USA but not available for shipment outside
  the USA.

  Since both programs use a secret key algorithm for encrypting the body of
  the message (PGP uses IDEA; RIPEM uses DES) and RSA for encrypting the
  message key, they should be able to interoperate freely.  Although there
  have been repeated calls for each to understand the other's formats and
  algorithm choices, no interoperation is available at this time (as far as
  we know).

* Is the UNIX crypt command secure?

  No. See [REE84]. There is a program available called cbw (crypt
  breaker's workbench) which can be used to do ciphertext-only attacks
  on files encrypted with crypt. One source for CBW is [FTPCB].

* How do I use compression with encryption?

  A number of people have proposed doing perfect compression followed by
  some simple encryption method (e.g., XOR with a repeated key).

  Unfortunately, you can only compress perfectly if you know the exact
  distribution of possible inputs. For all practical purposes it's
  impossible to describe ``the typical English text'' beyond coarse
  characteristics such as single-letter frequencies. You can build up
  more and more sophisticated models of your inputs, but if the enemy
  has a slightly more accurate model, he'll be able to find some
  redundancy in your compressed output.

  Note that nearly all practical compression schemes, unless they
  have been designed with cryptography in mind, produce output that
  actually starts off with high redundancy. For example, the output of
  UNIX compress begins with a well-known three-byte ``magic number''
  that can serve as an entering wedge for cryptanalysis.
  
  This is not to say that compression before encryption is inherently a
  bad idea; it just has to be done very, very carefully, and by no means
  removes the need for strong encryption.

  Compression after encryption is silly.
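
  The ``magic number'' point above, as an added Python example (not code
  from the FAQ). UNIX compress is not in the Python standard library, so
  the example uses zlib, whose streams likewise start with a fixed
  two-byte header (0x78 0x9c at the default compression level); the two
  texts and the 3-byte key are constructed. The last function shows what
  the known header buys an analyst when the ``simple encryption'' is XOR
  with a repeated key: the first key bytes fall out directly.

```python
# Added example, not from the sci.crypt FAQ.  Demonstrates that practical
# compressors emit a fixed header, which is known plaintext for whatever
# follows.  Uses zlib as a stand-in for UNIX compress.
import zlib

# Constructed, unrelated inputs.
TEXT_A = b"meeting moved to thursday, bring the quarterly figures. " * 4
TEXT_B = b"the quick brown fox jumps over the lazy dog. " * 4

# zlib header at the default compression level (CMF=0x78, FLG=0x9c).
ZLIB_HEADER = b"\x78\x9c"


def common_prefix_len(a: bytes, b: bytes) -> int:
    """Number of leading bytes two byte strings have in common."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def compressed_prefix_len(a: bytes, b: bytes) -> int:
    """How many leading bytes two zlib streams share regardless of content:
    at least the 2-byte header, whatever was compressed."""
    return common_prefix_len(zlib.compress(a), zlib.compress(b))


def xor_repeating_key(data: bytes, key: bytes) -> bytes:
    """The FAQ's 'simple encryption method': XOR with a repeated key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def leaked_key_prefix(ct: bytes) -> bytes:
    """Given a repeated-key-XOR encryption of a zlib stream, the known
    header reveals the first len(ZLIB_HEADER) key bytes outright."""
    return bytes(ct[i] ^ ZLIB_HEADER[i] for i in range(len(ZLIB_HEADER)))


if __name__ == "__main__":
    print("shared leading bytes:", compressed_prefix_len(TEXT_A, TEXT_B))
    ct = xor_repeating_key(zlib.compress(TEXT_A), b"\x31\x42\x53")
    print("key bytes exposed by the header:", leaked_key_prefix(ct).hex())
```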

* Is there an unbreakable cipher?

  Yes. The one-time pad is unbreakable; see part 4. Unfortunately the
  one-time pad requires secure distribution of as much key material as
  plaintext.

  Of course, a cryptosystem need not be utterly unbreakable to be
  useful. Rather, it needs to be strong enough to resist attacks by
  likely enemies for whatever length of time the data it protects is
  expected to remain valid.

* What does ``random'' mean in cryptography?

  Cryptographic applications demand much more out of a pseudorandom
  number generator than most applications. For a source of bits to be
  cryptographically random, it must be computationally impossible to
  predict what the Nth random bit will be given complete knowledge of
  the algorithm or hardware generating the stream and the sequence of
  0th through N-1st bits, for all N up to the lifetime of the source.

  A software generator (also known as pseudo-random) has the function
  of expanding a truly random seed to a longer string of apparently
  random bits.  This seed must be large enough not to be guessed by
  the opponent.  Ideally, it should also be truly random (perhaps
  generated by a hardware random number source).

  Those who have Sparcstation 1 workstations could, for example,
  generate random numbers using the audio input device as a source of
  entropy, by not connecting anything to it.  For example,

	cat /dev/audio | compress - >foo

  gives a file of high entropy (not random but with much randomness in
  it).  One can then encrypt that file using part of itself as a key,
  for example, to convert that seed entropy into a pseudo-random
  string.

  When looking for hardware devices to provide this entropy, it is
  important really to measure the entropy rather than just assume that
  because it looks complicated to a human, it must be "random".  For
  example, disk operation completion times sound like they might be
  unpredictable (to many people) but a spinning disk is much like a
  clock and its output completion times are relatively low in entropy.
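
  The two uses of entropy on this page, the key-distribution entropy
  E = sum of -p_K log_2 p_K from the ``key-guessing attack'' question in
  part 4 and the advice just above to measure an entropy source rather
  than assume it is random, share one formula. Here it is as an added
  Python example (not code from the FAQ); the uniform 16-bit keyspace,
  the word-key weights and the two byte samples are constructed for the
  demonstration.

```python
# Added example, not from the sci.crypt FAQ.  Shannon entropy of a key
# distribution (2^E ~ guesses needed) and of an observed byte sample.
import math
from collections import Counter


def entropy_bits(probabilities) -> float:
    """E = sum(-p * log2 p) over a probability distribution."""
    return -sum(p * math.log2(p) for p in probabilities if p > 0)


def key_entropy(key_weights: dict) -> float:
    """Entropy of a key distribution given unnormalised weights {key: w}."""
    total = sum(key_weights.values())
    return entropy_bits(w / total for w in key_weights.values())


def expected_guesses(key_weights: dict) -> float:
    """2^E, the FAQ's rule of thumb for the number of guesses a
    key-guessing attack needs against keys drawn from this distribution."""
    return 2 ** key_entropy(key_weights)


def sample_entropy_per_byte(data: bytes) -> float:
    """Empirical single-byte entropy of an observed sample (bits per byte).
    This only counts byte frequencies, so it is an upper bound: a source
    whose bytes are individually varied but correlated in time (a disk
    'clock') will score higher than it deserves."""
    counts = Counter(data)
    n = len(data)
    return entropy_bits(c / n for c in counts.values())


# Constructed distributions.
UNIFORM_16BIT = {k: 1 for k in range(1 << 16)}      # every 16-bit key alike
WORD_KEYS = {b"secret": 40, b"password": 30,         # a user who prefers
             b"letmein": 20, b"qwerty": 10}          # English-word keys

# Constructed "measurements": a timer that mostly returns the same few
# values, versus a sample that uses every byte value evenly.
CLOCK_LIKE = bytes([0x10, 0x10, 0x11, 0x10, 0x10, 0x12, 0x10, 0x11] * 32)
VARIED = bytes(range(256)) * 2


if __name__ == "__main__":
    for name, dist in (("uniform 16-bit", UNIFORM_16BIT), ("words", WORD_KEYS)):
        print(f"{name}: E = {key_entropy(dist):.2f} bits, "
              f"~{expected_guesses(dist):.0f} guesses")
    for name, sample in (("clock-like", CLOCK_LIKE), ("varied", VARIED)):
        print(f"{name}: {sample_entropy_per_byte(sample):.2f} bits/byte")
```

  A 16-bit uniform key scores the full 16 bits; the four-word habit scores
  under two bits, so the attacker is looking at a handful of guesses rather
  than 65536. The clock-like sample shows why ``looks complicated'' is not
  a measurement.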

* What is the unicity point (a.k.a. unicity distance)?

  See [SHA49]. The unicity distance is an approximation to that amount
  of ciphertext such that the sum of the real information (entropy) in
  the corresponding source text and encryption key equals the number
  of ciphertext bits used. Ciphertexts significantly longer than this
  can be shown probably to have a unique decipherment. This is used to
  back up a claim of the validity of a ciphertext-only cryptanalysis. 
  Ciphertexts significantly shorter than this are likely to have
  multiple, equally valid decryptions and therefore to gain security
  from the opponent's difficulty in choosing the correct one.

  Unicity distance, like all statistical or information-theoretic
  measures, does not make deterministic predictions but rather gives
  probabilistic results: namely, the minimum amount of ciphertext
  for which it is likely that there is only a single intelligible
  plaintext corresponding to the ciphertext, when all possible keys
  are tried for the decryption. Working cryptologists don't normally
  deal with unicity distance as such. Instead they directly determine
  the likelihood of events of interest.

  Let the unicity distance of a cipher be D characters. If fewer than
  D ciphertext characters have been intercepted, then there is not
  enough information to distinguish the real key from a set of
  possible keys. DES has a unicity distance of 17.5 characters,
  which is less than 3 ciphertext blocks (each block corresponds to
  8 ASCII characters). This may seem alarmingly low at first, but
  the unicity distance gives no indication of the computational work
  required to find the key after approximately D characters have been
  intercepted.

  In fact, actual cryptanalysis seldom proceeds along the lines used
  in discussing unicity distance. (Like other measures such as key
  size, unicity distance is something that guarantees insecurity if
  it's too small, but doesn't guarantee security if it's high.) Few
  practical cryptosystems are absolutely impervious to analysis; all
  manner of characteristics might serve as entering ``wedges'' to crack
  some cipher messages. However, similar information-theoretic
  considerations are occasionally useful, for example, to determine a
  recommended key change interval for a particular cryptosystem.
  Cryptanalysts also employ a variety of statistical and
  information-theoretic tests to help guide the analysis in the most
  promising directions.

  Unfortunately, most literature on the application of information
  statistics to cryptanalysis remains classified, even the seminal
  1940 work of Alan Turing (see [KOZ84]). For some insight into the
  possibilities, see [KUL68] and [GOO83].
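
  The verbal definition above, written out as an added Python example
  (not code from the FAQ). Reading ``the sum of the entropy in the source
  text and the key equals the number of ciphertext bits'' per character
  gives U = H(K) / D, where D is the redundancy per character, i.e.
  log_2(alphabet size) minus the real information per character. The
  26-letter alphabet and the English rate of about 1.5 bits per letter
  are assumptions of this example; with them D is about 3.2 bits and DES
  comes out at the 17.5 characters the FAQ quotes. The Vigenere case
  shows how far below the practical ``ten times as much text as key''
  the information-theoretic bound sits, which is the FAQ's point that
  unicity distance says nothing about the work needed.

```python
# Added example, not from the sci.crypt FAQ.  Shannon unicity distance
# U = H(K) / D for a few ciphers, under an assumed English model.
import math

ALPHABET = 26          # assumed: letters only
ENGLISH_RATE = 1.5     # assumed: real information per letter, in bits


def redundancy_per_char(alphabet_size: int, entropy_rate: float) -> float:
    """D = log2(alphabet) - (real information per character)."""
    return math.log2(alphabet_size) - entropy_rate


def unicity_distance(key_entropy_bits: float, alphabet_size: int,
                     entropy_rate: float) -> float:
    """Ciphertext length at which key information plus plaintext
    information equals the ciphertext bits, i.e. the point beyond which
    only one key is expected to yield an intelligible plaintext."""
    return key_entropy_bits / redundancy_per_char(alphabet_size, entropy_rate)


def log2_factorial(n: int) -> float:
    """log2(n!) summed term by term to avoid overflow."""
    return sum(math.log2(i) for i in range(1, n + 1))


def des_unicity() -> float:
    """56-bit key, uniform: H(K) = 56 bits."""
    return unicity_distance(56, ALPHABET, ENGLISH_RATE)


def substitution_unicity() -> float:
    """Simple substitution: the key is one of 26! permutations."""
    return unicity_distance(log2_factorial(ALPHABET), ALPHABET, ENGLISH_RATE)


def vigenere_unicity(key_len: int) -> float:
    """Repeated key of key_len uniformly chosen letters."""
    return unicity_distance(key_len * math.log2(ALPHABET), ALPHABET, ENGLISH_RATE)


if __name__ == "__main__":
    print(f"redundancy per letter: {redundancy_per_char(ALPHABET, ENGLISH_RATE):.2f} bits")
    print(f"DES:                 {des_unicity():.1f} letters")
    print(f"simple substitution: {substitution_unicity():.1f} letters")
    print(f"Vigenere, 5 letters: {vigenere_unicity(5):.1f} letters")
```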

* What is key management and why is it important?

  One of the fundamental axioms of cryptography is that the enemy is in
  full possession of the details of the general cryptographic system,
  and lacks only the specific key data employed in the encryption. (Of
  course, one would assume that the CIA does not make a habit of telling
  Mossad about its cryptosystems, but Mossad probably finds out anyway.)
  Repeated use of a finite amount of key provides redundancy that can
  eventually facilitate cryptanalytic progress. Thus, especially in
  modern communication systems where vast amounts of information are
  transferred, both parties must have not only a sound cryptosystem but
  also enough key material to cover the traffic.

  Key management refers to the distribution, authentication, and
  handling of keys.

  A publicly accessible example of modern key management technology
  is the STU III secure telephone unit, which for classified use
  employs individual coded ``Crypto Ignition Keys'' and a central Key
  Management Center operated by NSA. There is a hierarchy in that
  certain CIKs are used by authorized cryptographic control
  personnel to validate the issuance of individual traffic keys and
  to perform installation/maintenance functions, such as the
  reporting of lost CIKs.

  This should give an inkling of the extent of the key management
  problem. For public-key systems, there are several related issues,
  many having to do with ``whom do you trust?''

* Can I use pseudo-random or chaotic numbers as a key stream?

  Chaotic equations and fractals produce an apparent randomness from
  relatively compact generators. Perhaps the simplest example is a
  linear congruential sequence, one of the most popular types of random
  number generators, where there is no obvious dependence between seeds
  and outputs. Unfortunately the graph of any such sequence will, in a
  high enough dimension, show up as a regular lattice. Mathematically
  this lattice corresponds to structure which is notoriously easy for
  cryptanalysts to exploit. More complicated generators have more
  complicated structure, which is why they make interesting pictures---
  but a cryptographically strong sequence will have no computable
  structure at all.

  See [KNU81], exercise 3.5-7; [REE77]; and [BOY89].

* What is the correct frequency list for English letters?

  There are three answers to this question, each slightly deeper than
  the one before. You can find the first answer in various books:
  namely, a frequency list computed directly from a certain sample of
  English text. Of course any such list will be ``correctly'' computed,
  but exactly which list you get depends on which sample was taken.

  The second answer is that the question doesn't make sense. What do
  you mean by ``English letters''? The ``English language'' is not a
  fixed, finite, closed object that can be exactly characterized. It
  has changed over time; it is different between different authors.
  Any particular message will have different statistics from those of
  the language as a whole.

  The third answer is that yes, no particular message is going to have
  exactly the same characteristics as English in general, but for all
  reasonable statistical uses these slight discrepancies won't matter.
  In fact there's an entire field called ``Bayesian statistics'' (other
  buzzwords are ``maximum entropy methods'' and ``maximum likelihood
  estimation'') which studies questions like ``What's the chance that a
  text with these letter frequencies is in English?'' and comes up with
  reasonably robust answers.

  So make your own list from your own samples of English text. It will
  be good enough for practical work, if you use it properly.

* What is the Enigma?

  ``For a project in data security we are looking for sources of
  information about the German Enigma code and how it was broken by
  the British during WWII.''

  See [WEL82], [DEA85], [KOZ84], [HOD83], [KAH91].

* How do I shuffle cards?

  Card shuffling is a special case of the permutation of an array of
  values, using a random or pseudo-random function.  All possible output
  permutations of this process should be equally likely.  To do this, you
  need a random function (modran(x)) which will produce a uniformly
  distributed random integer in the interval [0..x-1].  Given that
  function, you can shuffle with the following [C] code: (assuming ARRLTH
  is the length of array arr[] and swap() interchanges values at the two
  addresses given)

  for ( n = ARRLTH-1; n > 0 ; n-- ) swap( &arr[modran( n+1 )], &arr[n] ) ;

  modran(x) cannot be achieved exactly with a simple (ranno() % x), since
  the number of distinct values ranno() can return (its modulus) may not
  be divisible by x, although in most cases the error will be very small.
  To cover this case, take that modulus mod x, call the result y, and if
  ranno() returns a value less than y, go back and get another ranno()
  value; the values that remain split evenly among the x residues.
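
  The rejection rule and the shuffle loop together, as an added Python
  example (not the FAQ's C code). ranno() here is a constructed 8-bit
  linear congruential generator, chosen only because its 256-value range
  makes the modulo bias countable by exhaustion; it is not a cryptographic
  generator, and part of the point of the ``pseudo-random or chaotic
  numbers'' question below is that such a generator should never be a key
  stream.

```python
# Added example, not from the sci.crypt FAQ.  Exact-modulus sampling by
# rejection, and the Fisher-Yates shuffle that the FAQ's one-line C loop
# performs.  ranno() is a constructed 8-bit LCG (demonstration only).

RANNO_RANGE = 256        # ranno() returns a value in [0, RANNO_RANGE)
_state = [0]


def ranno() -> int:
    """Constructed 8-bit LCG.  a=5, c=1 give full period mod 256, so
    every value appears exactly once per 256 calls."""
    _state[0] = (_state[0] * 5 + 1) % RANNO_RANGE
    return _state[0]


def modran(x: int) -> int:
    """Uniform integer in [0, x-1].  y = RANNO_RANGE % x raw values are
    rejected so that the remaining RANNO_RANGE - y values divide evenly
    into x residues (the FAQ's rule)."""
    if not 1 <= x <= RANNO_RANGE:
        raise ValueError("x must be in 1..RANNO_RANGE")
    y = RANNO_RANGE % x
    while True:
        r = ranno()
        if r >= y:
            return r % x


def residue_counts(x: int, reject: bool) -> list:
    """Map every possible ranno() value to its residue, with or without
    rejection, and count how many raw values land on each residue.
    Without rejection the low residues get one extra raw value each."""
    y = RANNO_RANGE % x if reject else 0
    counts = [0] * x
    for r in range(RANNO_RANGE):
        if r >= y:
            counts[r % x] += 1
    return counts


def rejection_rate(x: int) -> float:
    """Fraction of ranno() calls thrown away by modran(x)."""
    return (RANNO_RANGE % x) / RANNO_RANGE


def shuffle(arr: list) -> list:
    """Fisher-Yates, in place: for n from the last index down to 1, swap
    arr[n] with a uniformly chosen arr[modran(n+1)].  Same loop as the
    FAQ's C code.  Every permutation is equally likely only because
    modran is exactly uniform."""
    for n in range(len(arr) - 1, 0, -1):
        j = modran(n + 1)
        arr[j], arr[n] = arr[n], arr[j]
    return arr


if __name__ == "__main__":
    print("plain % 6 :", residue_counts(6, reject=False))
    print("rejection :", residue_counts(6, reject=True),
          f"(rejects {rejection_rate(6):.1%} of draws)")
    print("shuffled  :", shuffle(list(range(10))))
```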


* Can I foil S/W pirates by encrypting my CD-ROM?

  Someone will frequently express the desire to publish a CD-ROM with
  possibly multiple pieces of software, perhaps with each encrypted
  separately, and will want to use different keys for each user (perhaps
  even good for only a limited period of time) in order to avoid piracy.

  As far as we know, this is impossible, since there is nothing in standard
  PC or workstation hardware which uniquely identifies the user at the
  keyboard.  If there were such an identification, then the CD-ROM could be
  encrypted with a key based in part on the one sold to the user and in
  part on the unique identifier.  However, in this case the CD-ROM is one
  of a kind and that defeats the intended purpose.

  If the CD-ROM is to be encrypted once and then mass produced, there must
  be a key (or set of keys) for that encryption produced at some stage in
  the process.  That key is usable with any copy of the CD-ROM's data.
  The pirate needs only to isolate that key and sell it along with the
  illegal copy.


* Can you do automatic cryptanalysis of simple ciphers?

  schneier@chinet.chi.il.us (Bruce Schneier) says: AccessData of Orem,
  Utah sells products that break the password scheme of a number of
  popular Macintosh and PC software packages.  Their telephone number
  is (801) 224-6970.

  No PD software has been cited but there are many papers on the
  subject....

  Peleg, S. and Rosenfeld, A.  "Breaking Substitution Ciphers Using a
  Relaxation Algorithm" Comm. ACM Vol. 22(11) pp 598-605 (Nov. 1979)
  
  Lucks, Michael, "A Constraint Satisfaction Algorithm for the
  Automated Decryption of Simple Substitution Ciphers", Advances in
  Cryptology -- CRYPTO '88, Springer Lecture Notes in Computer
  Science, vol. 403 (The paper also contains references to earlier
  work on the subject.)
  
  John Carroll and Steve Martin, "The Automated Cryptanalysis of
  Substitution Ciphers", Cryptologia, vol X number 4, Oct 86 p193-209.

  John Carroll and Lynda Robbins, "Automated Cryptanalysis of
  Polyalphabetic Ciphers", Cryptologia, vol XI number 4, Oct 87
  p193-205
  
  Martin Kochanski, "A Survey of Data Insecurity Packages",
  Cryptologia, vol XI number 1, Jan 87 p1-15
  
  Martin Kochanski, "Another Data Insecurity Package", Cryptologia,
  vol XII number 3, July 88, p165-177.
  
  Cryptologia Vol XIII Number 4  1989 pp 303-326.
  
  King and Bahler, "Probabilistic Relaxation in the Cryptanalysis of
  Simple Substitution Ciphers" Cryptologia 16(3):215-225.
  
  King and Bahler, "An Algorithmic Solution of Sequential Homophonic
  Ciphers".  Cryptologia, April 93 (in press).
  
  R. Spillman et al., "Use of Genetic Algorithms in Cryptanalysis of
  Simple Substitution Ciphers", Cryptologia, vol XVII Number 1, Jan 93
  p31-44.


* What is the coding system used by VCR+?

  One very frequently asked question in sci.crypt is about how the VCR+ codes
  work.  The following article attempts to describe it.

    K. Shirriff, C. Welch, A. Kinsman, "Decoding a VCR Controller Code,"
    Cryptologia, 16(3), July 1992, pp 227-234.


Newsgroup: sci.crypt
Document_id: 15246
From: crypt-comments@math.ncsu.edu
Subject: Cryptography FAQ 10/10 - References

Archive-name: cryptography-faq/part10
Last-modified: 1993/4/15


FAQ for sci.crypt, part 10: References

This is the tenth of ten parts of the sci.crypt FAQ. The parts are
mostly independent, but you should read the first part before the rest.
We don't have the time to send out missing parts by mail, so don't ask.
Notes such as ``[KAH67]'' refer to the reference list in this part.

The sections of this FAQ are available via anonymous FTP to rtfm.mit.edu 
as /pub/usenet/news.answers/cryptography-faq/part[xx].  The Cryptography 
FAQ is posted to the newsgroups sci.crypt, sci.answers, and news.answers 
every 21 days.


Contents

* Books on history and classical methods
* Books on modern methods
* Survey articles
* Reference articles
* Journals, conference proceedings
* Other
* Electronic sources
* RFCs (available from [FTPRF])
* Related newsgroups


* Books on history and classical methods

  [CF]    Lambros D. Callimahos, William F. Friedman, Military Cryptanalytics.
          Aegean Park Press, ?.
  [DEA85] Cipher A. Deavours & Louis Kruh, Machine Cryptography and
          Modern Cryptanalysis. Artech House, 610 Washington St.,
          Dedham, MA 02026, 1985.
  [FRIE2] William F. Friedman, Solving German Codes in World War I.
          Aegean Park Press, ?.
  [GAI44] H. Gaines, Cryptanalysis, a study of ciphers and their
          solution. Dover Publications, 1944.
  [HIN00] F.H.Hinsley, et al., British Intelligence in the Second
          World War. Cambridge University Press. (vol's 1, 2, 3a, 3b
          & 4, so far).  XXX Years and authors, fix XXX
  [HOD83] Andrew Hodges, Alan Turing: The Enigma. Burnett Books
          Ltd., 1983
  [KAH91] David Kahn, Seizing the Enigma. Houghton Mifflin, 1991.
  [KAH67] D. Kahn, The Codebreakers. Macmillan Publishing, 1967.
          [history] [The abridged paperback edition left out most
          technical details; the original hardcover edition is
          recommended.]
  [KOZ84] W. Kozaczuk, Enigma. University Publications of America, 1984
  [KUL76] S. Kullback, Statistical Methods in Cryptanalysis. Aegean
          Park Press, 1976.
  [SIN66] A. Sinkov, Elementary Cryptanalysis. Math. Assoc. Am. 1966.
  [WEL82] Gordon Welchman, The Hut Six Story. McGraw-Hill, 1982.
  [YARDL] Herbert O. Yardley, The American Black Chamber. Aegean Park
          Press, ?.

* Books on modern methods

  [BEK82] H. Beker, F. Piper, Cipher Systems. Wiley, 1982.
  [BRA88] G. Brassard, Modern Cryptology: a tutorial.
          Springer-Verlag, 1988.
  [DEN82] D. Denning, Cryptography and Data Security. Addison-Wesley
          Publishing Company, 1982.
  [KOB89] N. Koblitz, A course in number theory and cryptography.
          Springer-Verlag, 1987.
  [KON81] A. Konheim, Cryptography: a primer. Wiley, 1981.
  [MEY82] C. Meyer and S. Matyas, Cryptography: A new dimension in
          computer security. Wiley, 1982.
  [PAT87] Wayne Patterson, Mathematical Cryptology for Computer
          Scientists and Mathematicians. Rowman & Littlefield, 1987.
  [PFL89] C. Pfleeger, Security in Computing. Prentice-Hall, 1989.
  [PRI84] W. Price, D. Davies, Security for computer networks. Wiley, 1984. 
  [RUE86] R. Rueppel, Design and Analysis of Stream Ciphers.
          Springer-Verlag, 1986.
  [SAL90] A. Salomaa, Public-key cryptography. Springer-Verlag, 1990.
  [WEL88] D. Welsh, Codes and Cryptography. Clarendon Press, 1988.

* Survey articles

  [ANG83] D. Angluin, D. Lichtenstein, Provable Security in Crypto-
          systems: a survey. Yale University, Department of Computer
          Science, #288, 1983.
  [BET90] T. Beth, Algorithm engineering for public key algorithms.
          IEEE Selected Areas of Communication, 1(4), 458--466,
          1990.
  [DAV83] M. Davio, J. Goethals, Elements of cryptology. in Secure
          Digital Communications, G. Longo ed., 1--57, 1983.
  [DIF79] W. Diffie, M. Hellman, Privacy and Authentication: An
          introduction to cryptography. IEEE proceedings, 67(3),
          397--427, 1979.
  [DIF88] W. Diffie, The first ten years of public key cryptography.
          IEEE proceedings, 76(5), 560--577, 1988.
  [FEI73] H. Feistel, Cryptography and Computer Privacy. Scientific 
          American, 228(5), 15--23, 1973.
  [FEI75] H. Feistel, W. Notz, J. Lynn Smith. Some cryptographic
          techniques for machine-to-machine data communications,
          IEEE proceedings, 63(11), 1545--1554, 1975.
  [HEL79] M. Hellman, The mathematics of public key cryptography.
          Scientific American, 130--139, 1979.
  [LAK83] S. Lakshmivarahan, Algorithms for public key
          cryptosystems. In Advances in Computers, M. Yovits ed.,
          22, Academic Press, 45--108, 1983.
  [LEM79] A. Lempel, Cryptology in transition, Computing Surveys,
          11(4), 285--304, 1979.
  [MAS88] J. Massey, An introduction to contemporary cryptology, IEEE
          proceedings, 76(5), 533--549, 1988.
  [SIM91] G. Simmons (ed.), Contemporary Cryptology: the Science of
          Information Integrity. IEEE press, 1991.

* Reference articles

  [AND83] D. Andelman, J. Reeds, On the cryptanalysis of rotor and
          substitution-permutation networks. IEEE Trans. on Inform.
          Theory, 28(4), 578--584, 1982.
  [BEN87] John Bennett, Analysis of the Encryption Algorithm Used in
          the WordPerfect Word Processing Program. Cryptologia 11(4),
          206--210, 1987.
  [BER91] H. A. Bergen and W. J. Caelli, File Security in WordPerfect
          5.0. Cryptologia 15(1), 57--66, January 1991.
  [BIH91] E. Biham and A. Shamir, Differential cryptanalysis of
          DES-like cryptosystems. Journal of Cryptology, vol. 4, #1,
          3--72, 1991.
  [BI91a] E. Biham, A. Shamir, Differential cryptanalysis of Snefru,
          Khafre, REDOC-II, LOKI and LUCIFER. In Proceedings of CRYPTO
          '91, ed. by J. Feigenbaum, 156--171, 1992.
  [BOY89] J. Boyar, Inferring Sequences Produced by Pseudo-Random
          Number Generators. Journal of the ACM, 1989.
  [BRI86] E. Brickell, J. Moore, M. Purtill, Structure in the
          S-boxes of DES. In Proceedings of CRYPTO '86, A. M. Odlyzko
          ed., 3--8, 1987.
  [BRO89] L. Brown, A proposed design for an extended DES, Computer
          Security in the Computer Age. Elsevier Science Publishers
          B.V. (North Holland), IFIP, W. J. Caelli ed., 9--22, 1989.
  [BRO90] L. Brown, J. Pieprzyk, J. Seberry, LOKI - a cryptographic
          primitive for authentication and secrecy applications.
          In Proceedings of AUSTCRYPT 90, 229--236, 1990.
  [CAE90] H. Gustafson, E. Dawson, W. Caelli, Comparison of block
          ciphers. In Proceedings of AUSCRYPT '90, J. Seberry and J.
          Piepryzk eds., 208--220, 1990.
  [CAM93] K. W. Campbell, M. J. Wiener, Proof the DES is Not a Group.
          In Proceedings of CRYPTO '92, 1993.
  [ELL88] Carl M. Ellison, A Solution of the Hebern Messages. Cryptologia,
          vol. XII, #3, 144-158, Jul 1988.
  [EVE83] S. Even, O. Goldreich, DES-like functions can generate the
          alternating group. IEEE Trans. on Inform. Theory, vol. 29,
          #6, 863--865, 1983.
  [GAR91] G. Garon, R. Outerbridge, DES watch: an examination of the
          sufficiency of the Data Encryption Standard for financial
          institutions in the 1990's. Cryptologia, vol. XV, #3,
          177--193, 1991.
  [GIL80] Gillogly, ?. Cryptologia 4(2), 1980.
  [GM82]  Shafi Goldwasser, Silvio Micali, Probabilistic Encryption and
	  How To Play Mental Poker Keeping Secret All Partial Information.
	  Proceedings of the Fourteenth Annual ACM Symposium on Theory of
	  Computing, 1982.
  [HUM83] D. G. N. Hunter and A. R. McKenzie, Experiments with
          Relaxation Algorithms for Breaking Simple Substitution
          Ciphers. Computer Journal 26(1), 1983.
  [KAM78] J. Kam, G. Davida, A structured design of substitution-
          permutation encryption networks. IEEE Trans. Information
          Theory, 28(10), 747--753, 1978.
  [KIN78] P. Kinnucan, Data encryption gurus: Tuchman and Meyer.
          Cryptologia, vol. II #4, 371--XXX, 1978.
  [KRU88] Kruh, ?. Cryptologia 12(4), 1988.
  [LAI90] X. Lai, J. Massey, A proposal for a new block encryption 
          standard. EUROCRYPT 90, 389--404, 1990.
  [LUB88] C. Rackoff, M. Luby, How to construct pseudorandom
          permutations from pseudorandom functions. SIAM Journal of
          Computing, vol. 17, #2, 373--386, 1988.
  [MAS88] J. Massey, An introduction to contemporary cryptology.
          IEEE proceedings, 76(5), 533--549, 1988.
  [ME91a] R. Merkle, Fast software encryption functions. In Proceedings
          of CRYPTO '90, Menezes and Vanstone ed., 476--501, 1991.
  [MEY78] C. Meyer, Ciphertext/plaintext and ciphertext/key
          dependence vs. number of rounds for the Data Encryption
          Standard. AFIPS Conference proceedings, 47, 1119--1126,
          1978.
  [NBS77] Data Encryption Standard. National Bureau of Standards,
          FIPS PUB 46, Washington, DC, January 1977.
  [REE77] J. Reeds, `Cracking' a Random Number Generator.
          Cryptologia 1(1), 20--26, 1977.
  [REE84] J. A. Reeds and P. J. Weinberger, File Security and the UNIX
          Crypt Command. AT&T Bell Laboratories Technical Journal,
          Vol. 63 #8, part 2, 1673--1684, October, 1984.
  [SHA49] C. Shannon, Communication Theory of Secrecy Systems. Bell
          System Technical Journal 28(4), 656--715, 1949.
  [SHE88] B. Kaliski, R. Rivest, A. Sherman, Is the Data Encryption
          Standard a Group. Journal of Cryptology, vol. 1, #1,
          1--36, 1988.
  [SHI88] A. Shimizu, S. Miyaguchi, Fast data encipherment algorithm
          FEAL. EUROCRYPT '87, 267--278, 1988.
  [SOR84] A. Sorkin, LUCIFER: a cryptographic algorithm.
          Cryptologia, 8(1), 22--35, 1984.
	
* Journals, conference proceedings

  CRYPTO
  Eurocrypt
  IEEE Transactions on Information Theory
  Cryptologia: a cryptology journal, quarterly since Jan 1977.
          Cryptologia; Rose-Hulman Institute of Technology; Terre Haute
          Indiana 47803 [general: systems, analysis, history, ...]
  Journal of Cryptology; International Association for Cryptologic
          Research; published by Springer Verlag (quarterly since
          1988).
  The Cryptogram (Journal of the American Cryptogram Association);
          18789 West Hickory Street; Mundelein, IL 60060; [primarily
          puzzle cryptograms of various sorts]
  Cryptosystems Journal, Published by Tony Patti, P.O. Box 188,
          Newtown PA, USA 18940-0188 or tony_s_patti@cup.portal.com.
	  Publisher's comment: Includes complete cryptosystems with
	  source and executable programs on diskettes. Tutorial. The
	  typical cryptosystems supports multi-megabit keys and Galois
	  Field arithmetic. Inexpensive hardware random number
	  generator details.

  Computer and Communication Security Reviews, published by Ross Anderson.
	  Sample issue available from various ftp sites, including
	  black.ox.ac.uk.  Editorial c/o rja14@cl.cam.ac.uk.  Publisher's
	  comment: We review all the conference proceedings in this field,
	  including not just Crypto and Eurocrypt, but regional gatherings
	  like Auscrypt and Chinacrypt. We also abstract over 50 journals,
	  and cover computer security as well as cryptology, so readers can
	  see the research trends in applications as well as theory.

* Other

  Address of note: Aegean Park Press, P.O. Box 2837, Laguna Hills, CA
  92654-0837. Answering machine at 714-586-8811.

  The ``Orange Book'' is DOD 5200.28-STD, published December 1985 as
  part of the ``rainbow book'' series. Write to Department of Defense,
  National Security Agency, ATTN: S332, 9800 Savage Road, Fort Meade, MD
  20755-6000, and ask for the Trusted Computer System Evaluation
  Criteria. Or call 301-766-8729.

  [BAMFD] Bamford, The Puzzle Palace. Penguin Books, ?.
  [GOO83] I. J. Good, Good Thinking: the foundations of probability and
          its applications. University of Minnesota Press, 1983.
  [KNU81] D. E. Knuth, The Art of Computer Programming, volume 2:
          Seminumerical Algorithms. Addison-Wesley, 1981.
  [KUL68] Solomon Kullback, Information Theory and Statistics.
          Dover, 1968.
  [YAO88] A. Yao, Computational Information Theory. In Complexity in
          Information Theory, ed. by Abu-Mostafa, 1988.

* How may one obtain copies of FIPS and ANSI standards cited herein?

  Many textbooks on cryptography contain complete reprints of the FIPS
  standards, which are not copyrighted.

  The following standards may be ordered from the
      U.S. Department of Commerce, National Technical Information Service,
      Springfield, VA 22161.

      FIPS PUB 46-1 "Data Encryption Standard"  (this is DES)
      FIPS PUB 74   "Guidelines for Implementing and Using the NBS DES"
      FIPS PUB 81   "DES Modes of Operation"
      FIPS PUB 113  "Computer Data Authentication" (using DES)

  The following standards may be ordered from the
      American National Standards Institute Sales Office,
      1430 Broadway, New York, NY 10018.
      Phone 212.642.4900

      ANSI X3.92-1981  "Data Encryption Algorithm" (identical to FIPS 46-1)
      ANSI X3.106-1983 "DEA Modes of Operation"    (identical to FIPS 113)

  Notes:  Figure 3 in FIPS PUB 46-1 is in error, but figure 3 in X3.92-1981
      is correct.  The text is correct in both publications.


* Electronic sources

  Anonymous ftp:

  [FTPBK] ftp.uu.net:bsd-sources/usr.bin/des/
  [FTPCB] ftp.uu.net:usenet/comp.sources.unix/volume10/cbw/
  [FTPDF] ftp.funet.fi:pub/unix/security/destoo.tar.Z
  [FTPEY] ftp.psy.uq.oz.au:pub/DES/
  [FTPMD] rsa.com:?
  [FTPMR] cl-next3.cl.msu.edu:pub/crypt/newdes.tar.Z
  [FTPOB] ftp.3com.com:Orange-book
  [FTPPF] prep.ai.mit.edu:pub/lpf/
  [FTPPK] ucsd.edu:hamradio/packet/tcpip/crypto/des.tar.Z
  [FTPRF] nic.merit.edu:documents/rfc/
  [FTPSF] beta.xerox.com:pub/hash/
  [FTPSO] chalmers.se:pub/des/des.1.0.tar.Z
  [FTPUF] ftp.uu.net:usenet/comp.sources.unix/volume28/ufc-crypt/
  [FTPWP] garbo.uwasa.fi:pc/util/wppass2.zip

* RFCs (available from [FTPRF])


1424  Kaliski, B.  Privacy Enhancement for Internet Electronic Mail: Part IV:
      Key Certification and Related Services.  1993 February; 9 p. (Format:
      TXT=17538 bytes)

1423  Balenson, D.  Privacy Enhancement for Internet Electronic Mail: Part
      III: Algorithms, Modes, and Identifiers.  1993 February; 14 p. (Format:
      TXT=33278 bytes)  (Obsoletes RFC 1115)

1422  Kent, S.  Privacy Enhancement for Internet Electronic Mail: Part II:
      Certificate-Based Key Management.  1993 February; 32 p. (Format:
      TXT=86086 bytes)  (Obsoletes RFC 1114)

1421  Linn, J.  Privacy Enhancement for Internet Electronic Mail: Part I:
      Message Encryption and Authentication Procedures.  1993 February; 42 p.
      (Format: TXT=103895 bytes)  (Obsoletes RFC 1113)


* Related newsgroups

  There are other newsgroups which a sci.crypt reader might want also to
  read.  Some have their own FAQ as well.

  alt.comp.compression		discussion of compression algorithms and code
  alt.security			general security discussions
  alt.security.index		index to alt.security
  alt.security.pgp		discussion of PGP
  alt.security.ripem		discussion of RIPEM
  alt.society.civil-liberty	general civil liberties, including privacy
  comp.org.eff.news		News reports from EFF
  comp.org.eff.talk		discussion of EFF related issues
  comp.patents			discussion of S/W patents, including RSA
  comp.risks			some mention of crypto and wiretapping
  comp.society.privacy		general privacy issues
  comp.security.announce	announcements of security holes
  misc.legal.computing		
  sci.math			general math discussion

Newsgroup: sci.crypt
Document_id: 15247
From: ckincy@cs.umr.edu (Charles Kincy)
Subject: Bob "Putz" Cain  (was: Pgp and other BS)

In article <1993Apr16.195927.3952@natasha.portal.com> bob@natasha.portal.com (Bob Cain) writes:
>Charles Kincy (ckincy@cs.umr.edu) wrote:
>: In article <1993Apr16.001321.3692@natasha.portal.com> bob@natasha.portal.com (Bob Cain) writes:
[...]
>: Oh, I see, flame someone, tell them that they are immature, tell them
>: they are wrong, and then don't offer any proof for your assertions.
>: 
>: You really *are* a putz.  Put up or shut up.
>: 
>
>I will provide any proof you wish in private.  Name it, dickhead.

Don't bother.  <C5J0t.K52@blaze.cs.jhu.edu> has pretty much made
your pathetic ass superfluous.  You lose.  Pack up your bags and
go home.

>Putz Cain

Well, if the shoe fits....

cpk

Newsgroup: sci.crypt
Document_id: 15248
From: crypt-comments@math.ncsu.edu
Subject: Cryptography FAQ 03/10 - Basic Cryptology

Archive-name: cryptography-faq/part03
Last-modified: 1993/4/15


FAQ for sci.crypt, part 3: Basic Cryptology

This is the third of ten parts of the sci.crypt FAQ. The parts are
mostly independent, but you should read the first part before the rest.
We don't have the time to send out missing parts by mail, so don't ask.
Notes such as ``[KAH67]'' refer to the reference list in the last part.

The sections of this FAQ are available via anonymous FTP to rtfm.mit.edu 
as /pub/usenet/news.answers/cryptography-faq/part[xx].  The Cryptography 
FAQ is posted to the newsgroups sci.crypt, sci.answers, and news.answers 
every 21 days.



Contents:

* What is cryptology? Cryptography? Plaintext? Ciphertext? Encryption? Key?
* What references can I start with to learn cryptology?
* How does one go about cryptanalysis?
* What is a brute-force search and what is its cryptographic relevance?
* What are some properties satisfied by every strong cryptosystem?
* If a cryptosystem is theoretically unbreakable, then is it
  guaranteed analysis-proof in practice?
* Why are many people still using cryptosystems that are
  relatively easy to break?


* What is cryptology? Cryptography? Plaintext? Ciphertext? Encryption? Key?

  The story begins: When Julius Caesar sent messages to his trusted
  acquaintances, he didn't trust the messengers. So he replaced every A
  by a C, every B by a D, and so on through the alphabet. Only someone
  who knew the ``shift by 2'' rule could decipher his messages.

  A cryptosystem or cipher system is a method of disguising messages so
  that only certain people can see through the disguise. Cryptography is
  the art of creating and using cryptosystems. Cryptanalysis is the art
  of breaking cryptosystems---seeing through the disguise even when
  you're not supposed to be able to. Cryptology is the study of both
  cryptography and cryptanalysis.

  The original message is called a plaintext. The disguised message is
  called a ciphertext. Encryption means any procedure to convert
  plaintext into ciphertext. Decryption means any procedure to convert
  ciphertext into plaintext.

  A cryptosystem is usually a whole collection of algorithms. The
  algorithms are labelled; the labels are called keys. For instance,
  Caesar probably used ``shift by n'' encryption for several different
  values of n. It's natural to say that n is the key here.

  The people who are supposed to be able to see through the disguise are
  called recipients. Other people are enemies, opponents, interlopers,
  eavesdroppers, or third parties.

* What references can I start with to learn cryptology?

  For an introduction to technical matter, the survey articles given
  in part 10 are the best place to begin as they are, in general,
  concise, authored by competent people, and well written. However,
  these articles are mostly concerned with cryptology as it has
  developed in the last 50 years or so, and are more abstract and
  mathematical than historical. The Codebreakers by Kahn [KAH67] is
  encyclopedic in its history and technical detail of cryptology up
  to the mid-60's.

  Introductory cryptanalysis can be learned from Gaines [GAI44] or
  Sinkov [SIN66]. This is recommended especially for people who want
  to devise their own encryption algorithms since it is a common
  mistake to try to make a system before knowing how to break one.

  The selection of an algorithm for the DES drew the attention of
  many public researchers to problems in cryptology. Consequently
  several textbooks and books to serve as texts have appeared. The
  book of Denning [DEN82] gives a good introduction to a broad range
  of security including encryption algorithms, database security,
  access control, and formal models of security. Similar comments
  apply to the books of Price & Davies [PRI84] and Pfleeger [PFL89].

  The books of Konheim [KON81] and Meyer & Matyas [MEY82] are quite
  technical books. Both Konheim and Meyer were directly involved in
  the development of DES, and both books give a thorough analysis of
  DES. Konheim's book is quite mathematical, with detailed analyses
  of many classical cryptosystems. Meyer and Matyas concentrate on
  modern cryptographic methods, especially pertaining to key management
  and the integration of security facilities into computer systems and
  networks.

  The books of Rueppel [RUE86] and Koblitz [KOB89] concentrate on
  the application of number theory and algebra to cryptography.

* How does one go about cryptanalysis?

  Classical cryptanalysis involves an interesting combination of
  analytical reasoning, application of mathematical tools, pattern
  finding, patience, determination, and luck. The best available
  textbooks on the subject are the Military Cryptanalytics series
  [FRIE1]. It is clear that proficiency in cryptanalysis is, for
  the most part, gained through the attempted solution of given
  systems. Such experience is considered so valuable that some of the
  cryptanalyses performed during WWII by the Allies are still
  classified.

  Modern public-key cryptanalysis may consist of factoring an integer,
  or taking a discrete logarithm. These are not the traditional fare
  of the cryptanalyst. Computational number theorists are some of the
  most successful cryptanalysts against public key systems.

* What is a brute-force search and what is its cryptographic relevance?

  In a nutshell: If f(x) = y and you know y and can compute f, you can
  find x by trying every possible x. That's brute-force search.

  Example: Say a cryptanalyst has found a plaintext and a corresponding
  ciphertext, but doesn't know the key. He can simply try encrypting the
  plaintext using each possible key, until the ciphertext matches---or
  decrypting the ciphertext to match the plaintext, whichever is faster.
  Every well-designed cryptosystem has such a large key space that this
  brute-force search is impractical.
    
  Advances in technology sometimes change what is considered
  practical. For example, DES, which has been in use for over 10 years
  now, has 2^56, or about 10^17, possible keys. A computation with
  this many operations was certainly unlikely for most users in the
  mid-70's. The situation is very different today given the dramatic
  decrease in cost per processor operation. Massively parallel
  machines threaten the security of DES against brute force search.
  Some scenarios are described by Garon and Outerbridge [GAR91].

  One phase of a more sophisticated cryptanalysis may involve a
  brute-force search of some manageably small space of possibilities.
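  Caesar's ``shift by n'' cipher from the first question, together with
  the known-plaintext brute-force search described here, as an added
  Python example; this is not code from the FAQ. The message, the key
  and the tiny word list that stands in for a real plaintext recognizer
  (a dictionary or a letter-frequency test) are constructed for the
  illustration. It also shows the ciphertext-only variant: when no
  plaintext is known, every key is still tried, and a recognizer ranks
  the candidate decryptions instead of an equality check.

```python
import string

ALPHABET = string.ascii_uppercase  # the 26-letter alphabet the shift rule works on
KEYSPACE = range(len(ALPHABET))    # "shift by n": every n is a key, so only 26 keys exist


def shift_encrypt(plaintext, n):
    """Replace every letter by the one n places later in the alphabet,
    wrapping around; characters outside the alphabet pass through unchanged."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + n) % len(ALPHABET)])
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(ciphertext, n):
    """Undo a shift by n: shifting by -n (mod 26) is the inverse procedure."""
    return shift_encrypt(ciphertext, -n % len(ALPHABET))


def brute_force_known_plaintext(plaintext, ciphertext):
    """The FAQ's f(x) = y search with f = shift_encrypt: given a known
    plaintext/ciphertext pair, try every key and keep those that reproduce
    the ciphertext. Here the key space has 26 entries; the same loop over
    2^56 keys is the DES search the FAQ discusses."""
    return [n for n in KEYSPACE if shift_encrypt(plaintext, n) == ciphertext]


def brute_force_ciphertext_only(ciphertext, recognizer):
    """Without a known plaintext the search still works if plausible
    plaintext can be recognised: decrypt under every key and rank the
    results by the recognizer's score, best first."""
    candidates = []
    for n in KEYSPACE:
        text = shift_decrypt(ciphertext, n)
        candidates.append((recognizer(text), n, text))
    candidates.sort(key=lambda c: c[0], reverse=True)
    return candidates


# Constructed stand-in for a real recognizer: score a candidate by how many
# of its words appear in a small word list.
WORDS = {"ATTACK", "AT", "DAWN", "THE", "FLEET", "SAILS", "TODAY"}


def word_list_score(text):
    return sum(1 for word in text.split() if word in WORDS)


if __name__ == "__main__":
    key = 2                         # the FAQ's ``shift by 2''
    plaintext = "ATTACK AT DAWN"    # constructed message
    ciphertext = shift_encrypt(plaintext, key)
    print(ciphertext)                                              # CVVCEM CV FCYP
    print(brute_force_known_plaintext(plaintext, ciphertext))      # [2]
    score, found_key, text = brute_force_ciphertext_only(ciphertext, word_list_score)[0]
    print(found_key, text)                                         # 2 ATTACK AT DAWN
```

  The known-plaintext search returns exactly one key because each shift
  is a different permutation of the alphabet; the ciphertext-only search
  is only as good as its recognizer, which is why real attacks on larger
  key spaces pair the exhaustive loop with a cheap plausibility test.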

* What are some properties satisfied by every strong cryptosystem?

  The security of a strong system resides with the secrecy of the key
  rather than with an attempt to keep the algorithm itself secret.

  A strong cryptosystem has a large keyspace, as mentioned above.  The
  unicity distance is a measure of the minimum amount of ciphertext
  that must be intercepted to uniquely identify the key.  If, for some
  key, the unicity distance is much longer than the amount of
  ciphertext you intend to encrypt under that key, the system is
  probably strong.
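  Shannon's formula for the unicity distance, N = H(K) / D, worked
  through in Python as an added example (not code from the FAQ): H(K)
  is the key entropy in bits and D the redundancy of the plaintext
  language in bits per symbol.  The figures for English are assumed
  estimates, not values the FAQ gives: a 26-letter alphabet could carry
  log2(26), about 4.7, bits per letter, but English text carries only
  about 1.5, leaving roughly 3.2 bits of redundancy per letter.

```python
import math

# Assumed estimates (not from the FAQ) for English on a 26-letter alphabet.
ALPHABET_BITS_PER_LETTER = math.log2(26)        # ~4.7 bits if letters were uniform
ENGLISH_INFO_BITS_PER_LETTER = 1.5              # commonly quoted entropy rate of English
ENGLISH_REDUNDANCY = ALPHABET_BITS_PER_LETTER - ENGLISH_INFO_BITS_PER_LETTER  # ~3.2 bits

SUBSTITUTION_KEYS = math.factorial(26)  # simple substitution: any permutation of the alphabet


def key_entropy_bits(number_of_keys):
    """H(K) for a key chosen uniformly at random: log2 of the key-space size."""
    return math.log2(number_of_keys)


def unicity_distance(key_entropy, redundancy=ENGLISH_REDUNDANCY):
    """N = H(K) / D: the ciphertext length, in symbols, beyond which on
    average only one key remains consistent with the intercepted text.
    Plaintext with no redundancy (D = 0) has no unicity distance at all:
    every key stays plausible however much ciphertext is collected."""
    if redundancy <= 0:
        return math.inf
    return key_entropy / redundancy


def expected_spurious_keys(key_entropy, symbols, redundancy=ENGLISH_REDUNDANCY):
    """Standard estimate of how many wrong keys still turn `symbols` symbols
    of ciphertext into plausible plaintext: 2^(H(K) - symbols * D) - 1,
    clipped at zero.  With no ciphertext every other key is spurious; the
    estimate reaches zero exactly at the unicity distance."""
    return max(2 ** (key_entropy - symbols * redundancy) - 1, 0.0)


def security_margin(key_entropy, planned_symbols, redundancy=ENGLISH_REDUNDANCY):
    """The FAQ's rule of thumb as a ratio: unicity distance divided by the
    amount of ciphertext that will be sent under one key.  Well above 1
    means the intercepted text does not pin the key down."""
    return unicity_distance(key_entropy, redundancy) / planned_symbols


if __name__ == "__main__":
    caesar = key_entropy_bits(26)
    substitution = key_entropy_bits(SUBSTITUTION_KEYS)
    print(f"Caesar:       H(K) = {caesar:.1f} bits, unicity ~ {unicity_distance(caesar):.1f} letters")
    print(f"Substitution: H(K) = {substitution:.1f} bits, unicity ~ {unicity_distance(substitution):.1f} letters")
    print(f"Spurious substitution keys after 10 letters: {expected_spurious_keys(substitution, 10):.3g}")
```

  The Caesar cipher is determined by one or two letters of English
  ciphertext, while simple substitution needs about 28; both are tiny
  because the plaintext is so redundant.  Compressing the plaintext
  before encryption raises the unicity distance by lowering D, which is
  the quantitative reason that advice is often given.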

  A strong cryptosystem will certainly produce ciphertext which appears
  random to all standard statistical tests (see, for example, [CAE90]).
    
  A strong cryptosystem will resist all known previous attacks. A
  system which has never been subjected to scrutiny is suspect.

  If a system passes all the tests mentioned above, is it necessarily
  strong? Certainly not. Many weak cryptosystems looked good at first.
  However, sometimes it is possible to show that a cryptosystem is
  strong by mathematical proof. ``If Joe can break this system, then
  he can also solve the well-known difficult problem of factoring
  integers.'' See part 6.  Failing that, it's a crap shoot.

* If a cryptosystem is theoretically unbreakable, then is it
  guaranteed analysis-proof in practice?

  Cryptanalytic methods include what is known as ``practical
  cryptanalysis'': the enemy doesn't have to just stare at your
  ciphertext until he figures out the plaintext. For instance, he might
  assume ``cribs''---stretches of probable plaintext. If the crib is
  correct then he might be able to deduce the key and then decipher the
  rest of the message. Or he might exploit ``isologs''---the same
  plaintext enciphered in several cryptosystems or several keys. Thus
  he might obtain solutions even when cryptanalytic theory says he
  doesn't have a chance.

  Sometimes, cryptosystems malfunction or are misused. The one-time pad,
  for example, loses all security if it is used more than once! Even
  chosen-plaintext attacks, where the enemy somehow feeds plaintext into
  the encryptor until he can deduce the key, have been employed. See
  [KAH67].
  
* Why are many people still using cryptosystems that are
  relatively easy to break?

  Some don't know any better. Often amateurs think they can design
  secure systems, and are not aware of what an expert cryptanalyst
  could do. And sometimes there is insufficient motivation for anybody
  to invest the work needed to crack a system.

Newsgroup: sci.crypt
Document_id: 15249
From: strnlght@netcom.com (David Sternlight)
Subject: Re: An Open Letter to Mr. Clinton


Here's a simple way to convert the Clipper proposal to an unexceptionable
one: Make it voluntary.

That is--you get high quality secure NSA classified technology if you agree
to escrow your key. Otherwise you are on your own.

David

-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
Document_id: 15250
From: tcmay@netcom.com (Timothy C. May)
Subject: Re: Once tapped, your code is no good any more.

Brad Templeton (brad@clarinet.com) wrote:
: It occurs to me that if they get a wiretap order on you, and the escrow
: houses release your code to the cops, your code is now no longer secure.
: 
: It's in the hands of cops, and while I am sure most of the time they are
: good, their security will not be as good as the escrow houses.
: 
: 
: What this effectively means is that if they perform a wiretap on you,
: at the end of the wiretap, they should be obligated to inform you that
: a tap was performed, and replace (for free) the clipper chip in your
: cellular phone so that it is once again a code known only to the
: escrow houses.

Getting the court order to reveal the key *also* makes decipherable
all *past* conversations (which may be on tape, or disk, or whatever),
as I understand the proposal. I could be wrong, but I've seen no
mention of "session keys" being the escrowed entities.

As the EFF noted, this raises further issues about the fruits of one
bust leading to incrimination in other areas.

But is it any worse than the current unsecure system? It becomes much
worse, of course, if the government then uses this "Clinton Clipper"
to argue for restrictions on unapproved encryption. (This is the main
concern of most of us, I think. The camel's nose in the tent, etc.)

And it may also become much worse if the ostensible security is
increased, thus allowing greater access to "central office" records by
the government (the conversations being encrypted, who will object to
letting the government have access to them, perhaps even automatically
archiving large fractions...). This was one of the main objections to
the S.266 proposal, that it would force telecom suppliers to provide
easy access for the government.

Once the government has had access to months or years of your encrypted
conversations, now all it takes is one misstep, one violation that
gets them the paperwork needed to decrypt *all* of them!

Do we want anyone to have this kind of power?

-Tim May, whose sig block may get him busted in the New Regime

-- 
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,  
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets, 
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^756839 | Public Key: PGP and MailSafe available.


Newsgroup: sci.crypt
Document_id: 15251
From: crypt-comments@math.ncsu.edu
Subject: Cryptography FAQ 02/10 - Net Etiquette

Archive-name: cryptography-faq/part02
Last-modified: 1993/4/15


FAQ for sci.crypt, part 2: Net Etiquette

This is the second of ten parts of the sci.crypt FAQ. The parts are
mostly independent, but you should read the first part before the rest.
We don't have the time to send out missing parts by mail, so don't ask.
Notes such as ``[KAH67]'' refer to the reference list in the last part.

The sections of this FAQ are available via anonymous FTP to rtfm.mit.edu 
as /pub/usenet/news.answers/cryptography-faq/part[xx].  The Cryptography 
FAQ is posted to the newsgroups sci.crypt, sci.answers, and news.answers 
every 21 days.


Contents:

* What groups are around? What's a FAQ? Who am I? Why am I here?
* Do political discussions belong in sci.crypt?
* How do I present a new encryption scheme in sci.crypt?


* What groups are around? What's a FAQ? Who am I? Why am I here?

  Read news.announce.newusers and news.answers for a few weeks. Always
  make sure to read a newsgroup for some time before you post to it.
  You'll be amazed how often the same question can be asked in the same
  newsgroup. After a month you'll have a much better sense of what the
  readers want to see.

* Do political discussions belong in sci.crypt?

  No. In fact some newsgroups (notably misc.legal.computing) were
  created exactly so that political questions like ``Should RSA be
  patented?'' don't get in the way of technical discussions. Many
  sci.crypt readers also read misc.legal.computing, comp.org.eff.talk,
  comp.patents, sci.math, comp.compression, et al.; for the benefit of
  people who don't care about those other topics, try to put your
  postings in the right group.

  Questions about microfilm and smuggling and other non-cryptographic
  ``spy stuff'' don't belong in sci.crypt either.

* How do I present a new encryption scheme in sci.crypt?

  ``I just came up with this neat method of encryption. Here's some
  ciphertext: FHDSIJOYW^&%$*#@OGBUJHKFSYUIRE. Is it strong?'' Without a
  doubt questions like this are the most annoying traffic on sci.crypt.

  If you have come up with an encryption scheme, providing some
  ciphertext from it is not adequate. Nobody has ever been impressed by
  random gibberish. Any new algorithm should be secure even if the
  opponent knows the full algorithm (including how any message key is
  distributed) and only the private key is kept secret. There are some
  systematic and unsystematic ways to take reasonably long ciphertexts
  and decrypt them even without prior knowledge of the algorithm, but
  this is a time-consuming and possibly fruitless exercise which most
  sci.crypt readers won't bother with.

  So what do you do if you have a new encryption scheme? First of all,
  find out if it's really new. Look through this FAQ for references and
  related methods. Familiarize yourself with the literature and the
  introductory textbooks.

  When you can appreciate how your cryptosystem fits into the world at
  large, try to break it yourself! You shouldn't waste the time of tens
  of thousands of readers asking a question which you could have easily
  answered on your own.

  If you really think your system is secure, and you want to get some
  reassurance from experts, you might try posting full details of your
  system, including working code and a solid theoretical explanation, to
  sci.crypt. (Keep in mind that the export of cryptography is regulated
  in some areas.)

  If you're lucky an expert might take some interest in what you posted.
  You can encourage this by offering cash rewards---for instance, noted
  cryptographer Ralph Merkle is offering $1000 to anyone who can break
  Snefru-4---but there are no guarantees. If you don't have enough
  experience, then most likely any experts who look at your system will
  be able to find a flaw. If this happens, it's your responsibility to
  consider the flaw and learn from it, rather than just add one more
  layer of complication and come back for another round.

  A different way to get your cryptosystem reviewed is to have the NSA
  look at it. A full discussion of this procedure is outside the scope
  of this FAQ.

  Among professionals, a common rule of thumb is that if you want to
  design a cryptosystem, you have to have experience as a cryptanalyst.

Newsgroup: sci.crypt
Document_id: 15252
From: crypt-comments@math.ncsu.edu
Subject: Cryptography FAQ 05/10 - Product Ciphers

Archive-name: cryptography-faq/part05
Last-modified: 1993/4/15


FAQ for sci.crypt, part 5: Product ciphers

This is the fifth of ten parts of the sci.crypt FAQ. The parts are
mostly independent, but you should read the first part before the rest.
We don't have the time to send out missing parts by mail, so don't ask.
Notes such as ``[KAH67]'' refer to the reference list in the last part.

The sections of this FAQ are available via anonymous FTP to rtfm.mit.edu 
as /pub/usenet/news.answers/cryptography-faq/part[xx].  The Cryptography 
FAQ is posted to the newsgroups sci.crypt, sci.answers, and news.answers
every 21 days.


Contents:

* What is a product cipher?
* What makes a product cipher secure?
* What are some group-theoretic properties of product ciphers?
* What can be proven about the security of a product cipher?
* How are block ciphers used to encrypt data longer than the block size?
* Can symmetric block ciphers be used for message authentication?
* What exactly is DES?
* What is triple DES?
* What is differential cryptanalysis?
* How was NSA involved in the design of DES?
* Is DES available in software?
* Is DES available in hardware?
* Can DES be used to protect classified information?
* What are "ECB", "CBC", "CFB", and "OFB" encryption?


* What is a product cipher?

  A product cipher is a block cipher that iterates several weak
  operations such as substitution, transposition, modular
  addition/multiplication, and linear transformation. (A ``block
  cipher'' just means a cipher that encrypts a block of data---8 bytes,
  say---all at once, then goes on to the next block.) The notion of
  product ciphers is due to Shannon [SHA49]. Examples of modern
  product ciphers include LUCIFER [SOR84], DES [NBS77], SP-networks
  [KAM78], LOKI [BRO90], FEAL [SHI88], PES [LAI90], Khufu and Khafre
  [ME91a]. The so-called Feistel ciphers are a class of product
  ciphers which operate on one half of the ciphertext at each round,
  and then swap the ciphertext halves after each round. LUCIFER,
  DES, LOKI, and FEAL are examples of Feistel ciphers.

  The following table compares the main parameters of several product 
  ciphers:

  cipher   |   block length   |   key bits   |   number of rounds
  ---------+------------------+--------------+-------------------
  LUCIFER  |       128        |     128      |        16
  DES      |        64        |      56      |        16
  LOKI     |        64        |      64      |        16
  FEAL     |        64        |     128      |   2^x, x >= 5
  PES      |        64        |     128      |         8

* What makes a product cipher secure?

  Nobody knows how to prove mathematically that a product cipher is
  completely secure. So in practice one begins by demonstrating that the
  cipher ``looks highly random''. For example, the cipher must be
  nonlinear, and it must produce ciphertext which functionally depends
  on every bit of the plaintext and the key. Meyer [MEY78] has shown
  that at least 5 rounds of DES are required to guarantee such a
  dependence. In this sense a product cipher should act as a ``mixing''
  function which combines the plaintext, key, and ciphertext in a
  complex nonlinear fashion.

  The fixed per-round substitutions of the product cipher are
  referred to as S-boxes. For example, LUCIFER has 2 S-boxes, and DES
  has 8 S-boxes. The nonlinearity of a product cipher reduces to a
  careful design of these S-boxes. A list of partial design criteria
  for the S-boxes of DES, which apply to S-boxes in general, may be
  found in Brown [BRO89] and Brickell et al. [BRI86].

* What are some group-theoretic properties of product ciphers?

  Let E be a product cipher that maps N-bit blocks to N-bit blocks.
  Let E_K(X) be the encryption of X under key K. Then, for any fixed K,
  the map sending X to E_K(X) is a permutation of the set of N-bit
  blocks. Denote this permutation by P_K. The set of all N-bit
  permutations is called the symmetric group and is written S_{2^N}.
  The collection of all these permutations P_K, where K ranges over all
  possible keys, is denoted E(S_{2^N}). If E were a random mapping from
  plaintexts to ciphertexts then we would expect E(S_{2^N}) to generate
  a large subset of S_{2^N}.

  Coppersmith and Grossman [COP74] have shown that a very simple
  product cipher can generate the alternating group A_{2^N} given a
  sufficient number of rounds. (The alternating group is half of the
  symmetric group: it consists of all ``even'' permutations, i.e., all
  permutations which can be written as an even number of swaps.)
  Even and Goldreich [EVE83] were able to extend these results to show
  that Feistel ciphers can generate A_{2^N}, given a sufficient number
  of rounds.

  The security of multiple encipherment also depends on the
  group-theoretic properties of a cipher. Multiple encipherment is an
  extension over single encipherment if for keys K1, K2 there does
  not exist a third key K3 such that

  E_K2(E_K1(X)) == E_K3(X)                  (**)

  which indicates that encrypting twice with two independent keys
  K1, K2 is equal to a single encryption under the third key K3.  If
  for every K1, K2 there exists a K3 such that eq. (**) is true then
  we say that E is a group.

  This question of whether DES is a group under this definition was
  extensively studied by Sherman, Kaliski, and Rivest [SHE88]. In their
  paper they give strong evidence for the hypothesis that DES is not a
  group. In fact DES is not a group [CAM93].
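  The two questions above (is every P_K an even permutation, i.e. inside
  A_{2^N}, and does (**) hold for every pair of keys, i.e. is E a group)
  can be answered exhaustively for a cipher on very small blocks.  The
  following is an added example, not part of the FAQ; both "ciphers" in it
  are constructed 4-bit toys (an affine map and a two-round Feistel network
  with a 2-bit S-box), chosen only because all 16 plaintexts can be
  tabulated.  The affine family is closed under composition, so multiple
  encryption with it gains nothing; the Feistel toy is not closed, and all
  of its permutations are even, which is the Coppersmith-Grossman situation
  in miniature.

```python
# Added example (not part of the FAQ): tabulate P_K for every key of a tiny
# cipher, then test the two group-theoretic questions from the text:
#   1. is every P_K an even permutation (inside A_{2^N})?
#   2. is {P_K} closed under composition, i.e. does (**) hold for all K1, K2?
# Both toy ciphers are constructed for illustration; neither is DES.

N_BITS = 4                       # block size: permutations of the values 0..15
BLOCKS = range(1 << N_BITS)

def affine_encrypt(key, x):
    """Toy 'cipher' E_K(x) = a*x + b mod 16 with a odd (so it is a bijection)."""
    a, b = key
    return (a * x + b) % (1 << N_BITS)

AFFINE_KEYS = [(a, b) for a in range(1, 1 << N_BITS, 2) for b in BLOCKS]

SBOX2 = [1, 3, 0, 2]             # constructed 2-bit S-box (a bijection)

def feistel_encrypt(key, x, rounds=2):
    """Toy Feistel cipher on 4-bit blocks with 2-bit halves.  key is 4 bits:
    the high 2 bits are round key 1, the low 2 bits are round key 2."""
    subkeys = [(key >> 2) & 3, key & 3]
    left, right = x >> 2, x & 3
    for r in range(rounds):
        left, right = right, left ^ SBOX2[right ^ subkeys[r % 2]]
    return (left << 2) | right

FEISTEL_KEYS = list(range(1 << N_BITS))

def permutation_tables(encrypt, keys):
    """P_K as a tuple indexed by plaintext, for every key K."""
    return {k: tuple(encrypt(k, x) for x in BLOCKS) for k in keys}

def compose(p1, p2):
    """The permutation x -> p2[p1[x]]: encrypt under K1, then under K2."""
    return tuple(p2[y] for y in p1)

def is_even_permutation(p):
    """Parity from the cycle count: even iff n - (number of cycles) is even."""
    seen, cycles = [False] * len(p), 0
    for start in range(len(p)):
        if not seen[start]:
            cycles += 1
            j = start
            while not seen[j]:
                seen[j] = True
                j = p[j]
    return (len(p) - cycles) % 2 == 0

def all_even(tables):
    """True iff every P_K lies in the alternating group A_{2^N}."""
    return all(is_even_permutation(p) for p in tables.values())

def is_group(tables):
    """The test from (**): for all K1, K2 is P_K2 o P_K1 equal to some P_K3?
    If so, encrypting twice is no stronger than encrypting once."""
    perms = set(tables.values())
    return all(compose(p1, p2) in perms for p1 in perms for p2 in perms)

if __name__ == "__main__":
    for name, enc, keys in (("affine", affine_encrypt, AFFINE_KEYS),
                            ("feistel", feistel_encrypt, FEISTEL_KEYS)):
        t = permutation_tables(enc, keys)
        print(f"{name}: {len(set(t.values()))} distinct permutations, "
              f"all even = {all_even(t)}, is a group = {is_group(t)}")
```

  The same tabulation approach is what makes the question hard for DES:
  S_{2^64} cannot be enumerated, which is why Sherman, Kaliski and Rivest
  had to argue statistically and why the final answer took until [CAM93].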

* What can be proven about the security of a product cipher?

  Recall from above that P_K is a permutation produced by E under
  some key K. The goal of the designer of E is to ensure that P_K
  appears to be a random element of S_{2^N}, the symmetric group.
  Let R be an element of S_{2^N} selected randomly. We will say that P_K
  and R are indistinguishable if an observer given P_K and R in some
  order cannot distinguish between these two permutations in polynomial
  time. That is, with time-bounded resources, the observer cannot
  determine which of the permutations is produced by E: the optimal
  decision is no better than simply guessing.

  Luby and Rackoff [LUB88] have shown that a class of Feistel ciphers
  are secure in this sense when the round mapping is replaced by
  random boolean functions.

* How are block ciphers used to encrypt data longer than the block size?

  There are four standard "modes of operation" (and numerous non-standard
  ones as well).  The standard modes of operation are defined in the U.S.
  Department of Commerce Federal Information Processing Standard (FIPS) 81,
  published in 1980.  See the question about "ECB" below for more details.

  Although they are defined for the DES block cipher, the "modes of
  operation" can be used with any block cipher.

* Can symmetric block ciphers be used for message authentication?

  One may use a symmetric cryptosystem block cipher to prove to himself
  that he did or did not generate a message, and to prove to himself 
  whether his message was altered or unaltered since generation.  But one
  cannot prove these things to another without revealing the key, and 
  thereafter that key cannot be used to prove anything about any messages
  that were authenticated using that key.
  
  See ANSI X3.106-1983 and FIPS 113 (1985) for a standard method of message
  authentication using DES.

* What exactly is DES?

  DES is the U.S. Government's Data Encryption Standard - a product 
  cipher that operates on 64-bit blocks of data, using a 56-bit key.  

  It is defined in FIPS 46-1 (1988) [which supersedes FIPS 46 (1977)].
  FIPS are Federal Information Processing Standards published by NTIS.
  DES is identical to the ANSI standard Data Encryption Algorithm (DEA)
  defined in ANSI X3.92-1981. 

* What is triple DES?

  Triple DES is a product cipher which, like DES, operates on 64-bit 
  data blocks.  There are several forms, each of which uses the DES
  cipher 3 times.  Some forms use two 56-bit keys, some use three.
  The "DES modes of operation" may also be used with triple-DES.

  Some people refer to E(K1,D(K2,E(K1,x))) as triple-DES.

  This method is defined in chapter 7.2 of the ANSI standard X9.17-1985
  "Financial Institution Key Management" and is intended for use in
  encrypting DES keys and IVs for "Automated Key Distribution".  Its
  formal name is "Encryption and Decryption of a Single Key by a Key
  Pair", but it is referenced in other standards documents as EDE.

  That standard says (section 7.2.1): "Key encrypting keys may be a single
  DEA key or a DEA key pair.  Key pairs should be used where additional
  security is needed (e.g., the data protected by the key(s) has a long
  security life).  A key pair shall not be encrypted or decrypted using a
  single key."

  Others use the term "triple-DES" for E(K1,D(K2,E(K3,x))) or
  E(K1,E(K2,E(K3,x))).

  One of us (Carl Ellison) keeps advocating DES triple use in the form
  E(K1, TRAN( E(K2, TRAN( E(K3, COMPRESS( x )))))), where each DES instance
  has its own key and IV (for CBC mode) and TRAN has been posted on
  sci.crypt.  (It is a large-block transposition program taking its key
  from the data stream itself, so that it is not an encryption program on
  its own part.)

* What is differential cryptanalysis?

  Differential cryptanalysis is a statistical attack that can be
  applied to any iterated mapping (i.e. any mapping which is based on
  a repeated round function). The method was recently popularized by
  Biham and Shamir [BIH91], but Coppersmith has remarked that the
  S-boxes of DES were optimized against this attack some 20 years ago.
  This method has proved effective against several product ciphers,
  notably FEAL [BI91a].

  Differential cryptanalysis is based on observing a large number of
  ciphertexts Y, Y' whose corresponding plaintexts X, X' satisfy a
  known difference D = X+X', where + is componentwise XOR. In the
  basic Biham-Shamir attack, 2^{47} such plaintext pairs are required
  to determine the key for DES. Substantially fewer pairs are required
  if DES is truncated to 6 or 8 rounds. In these cases, the actual key
  can be recovered in a matter of minutes using a few thousand pairs.
  For full DES this attack is impractical because it requires so many
  known plaintexts.

  The work of Biham and Shamir on DES revealed several startling
  observations on the algorithm. Most importantly, if the key
  schedule was removed from DES and a 16*48 = 768-bit key was used,
  the key could be recovered in less than 2^{64} steps. Thus
  independent subkeys do not add substantial security to DES.
  Further, the S-boxes of DES are extremely sensitive in that
  changing even single entries in these tables yields significant
  improvement in the differential attack.

  Adi Shamir is quoted as saying (NYTimes Oct 13 1991), ``I would say
  that, contrary to what some people believe, there is no evidence
  of tampering with the DES so that the basic design was weakened.''
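  The quantity an S-box designer bounds when "optimizing against this
  attack" is the difference distribution table: for each input XOR
  difference, how often each output difference occurs.  The following
  added example (not from the FAQ) computes it for two 4-bit S-boxes, the
  S-box of the PRESENT block cipher and a constructed XOR-affine S-box.  An
  affine S-box is the worst case, since a fixed input difference always
  produces the same output difference; a well-designed one keeps every
  nontrivial entry small.

```python
# Added example (not from the FAQ): the difference distribution table (DDT)
# of a 4-bit S-box.  Entry [d_in][d_out] counts the inputs x for which
# S(x) ^ S(x ^ d_in) == d_out; a large entry means one input difference
# leads to one output difference with high probability, which is exactly
# what a differential attack exploits and what S-box design criteria bound.

# S-box of the PRESENT block cipher (Bogdanov et al., 2007), a 4-bit bijection.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

# Constructed XOR-affine S-box S(x) = x ^ 5: differences pass through unchanged.
AFFINE_SBOX = [x ^ 0x5 for x in range(16)]

def ddt(sbox):
    """Difference distribution table as a 2^n x 2^n list of lists of counts."""
    size = len(sbox)
    table = [[0] * size for _ in range(size)]
    for d_in in range(size):
        for x in range(size):
            d_out = sbox[x] ^ sbox[x ^ d_in]
            table[d_in][d_out] += 1
    return table

def max_differential(sbox):
    """Largest DDT entry over nonzero input differences.  (The trivial row
    d_in = 0 always holds a single entry equal to 2^n.)  Divided by 2^n this
    is the best single-round differential probability of the S-box."""
    table = ddt(sbox)
    return max(max(row) for row in table[1:])

def is_bijection(sbox):
    """An S-box used in a substitution layer is normally required to be one."""
    return sorted(sbox) == list(range(len(sbox)))

if __name__ == "__main__":
    for name, box in (("PRESENT", PRESENT_SBOX), ("affine", AFFINE_SBOX)):
        print(f"{name}: bijection={is_bijection(box)}, "
              f"max DDT entry={max_differential(box)}/16")
```

  Every DDT entry is even, because x and x^d_in contribute to the same
  cell, and each row sums to 2^n; the PRESENT S-box reaches at most 4/16
  in any nontrivial cell, while the affine one reaches 16/16.  The same
  table for the 6-to-4-bit DES S-boxes is what the sensitivity remark
  above refers to: changing single entries changes these counts.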

* How was NSA involved in the design of DES?

  According to Kinnucan [KIN78], Tuchman, a member of the group that
  developed DES at IBM is quoted as saying, ``We developed the DES
  algorithm entirely within IBM using IBMers. The NSA did not
  dictate a single wire!'' Tuchman and Meyer (another developer of
  DES) spent a year breaking ciphers and finding weaknesses in
  Lucifer. They then spent two years strengthening Lucifer. ``Their
  basic approach was to look for strong substitution, permutation,
  and key scheduling functions ... IBM has classified the notes
  containing the selection criteria at the request of the NSA....
  `The NSA told us we had inadvertently reinvented some of the deep
  secrets it uses to make its own algorithms,' explains Tuchman.''
  
  On the other hand, a document called ``Involvement of the NSA in
  the development of DES: unclassified summary of the United States
  Select Committee on Intelligence'', printed in the IEEE
  Communications Magazine, p53-55, 1978, states: ``In the development
  of DES, NSA convinced IBM that a reduced keysize was sufficient;
  indirectly assisted in the development of the S-box structures; and
  certified that the final DES algorithm was, to the best of their
  knowledge, free from any statistical or mathematical weakness.''

  Clearly the key size was reduced at the insistence of the NSA.
  The article further states that the NSA did not tamper with the
  algorithm itself, just the parameters, which in some sense
  resolves the apparent conflict in the remarks of Meyer and Tuchman
  presented above.

* Is DES available in software?

  Several people have made DES code available via ftp (see part 10 for
  pathnames): Stig Ostholm [FTPSO]; BSD [FTPBK]; Eric Young [FTPEY];
  Dennis Ferguson [FTPDF]; Mark Riordan [FTPMR]; Phil Karn [FTPPK].
  A Pascal listing of DES is also given in Patterson [PAT87].

  FIPS 46-1 says "The algorithm specified in this standard is to be
  implemented ... using hardware (not software) technology.  ...
  Software implementations in general purpose computers are not in
  compliance with this standard."  Despite this, software
  implementations abound, and are used by government agencies.

* Is DES available in hardware?

  The following paragraphs are quoted from messages sent to the editors.
  We don't vouch for the quality or even existence of the products.

  Chip Rosenthal says: ``Dallas Semiconductor makes a DES
  encryption/decryption device for use on standard, digital 64Kbps PCM
  telecom data streams. It is capable of processing data in real time,
  e.g. one sample/frame. It is the DS2160. Their phone number is
  214-450-0400. You would probably need to talk with Dewight in Telecom
  marketing.''

  Christian Franke, franke@informatik.rwth-aachen.de, says: ``1.
  Cryptech CRY12C102: 22.5Mbit/s according to Data Sheet, with 32 Bit
  interface. We use this one, because it was the only one available when
  we started the project. No problems !  2. Pijnenburg PCC100: 20Mbit/s
  according to Data Sheet. Address: PIJNENBURG B.V., Boxtelswweg 26,
  NL-5261 NE Vught, The Netherlands.  3. INFOSYS DES Chip (Germany):
  S-Boxes must be loaded by software. So you can modify the Algorithm.
  Sorry, I don't have the data sheet handy. Please E-Mail me if you need
  further information.''

  mjr@tis.com (Marcus J Ranum) says: "SuperCrypt": 100Mb/sec and faster
  DES and Proprietary; Storage for 16 56-bit keys; Key stream generator;
  Integrated hardware DES3 procedure; Extended mode with 112 bit keys.
  Computer Elektronik Infosys; 512-A Herndon Parkway; Herndon, VA
  22070; (800)322-3464

  thember@gandalf.ca (Tim Hember) says: Newbridge Microsystems sells
  an AM9568 compatible DES chip that operates at 25MHz, performs a
  round of encryption in 18 clocks, has a three-stage pipeline,
  supports ECB, CBC, CFB-8 and >>> CFB-1 <<<<.  Further it is very
  reasonably priced as opposed to other high-end DES chips.  Call
  Newbridge Microsystems, Ottawa, (613) 592-0714.  (... there are no
  import/export issues with Canada and the US).  If you require custom
  DES or Public Key ICs then Timestep Engineering developed
  Newbridge's crypto chips and ICs for other commercial and
  educational establishments. They can be reached at (613) 820-0024.

* Can DES be used to protect classified information?

  DES is not intended to protect classified data.  FIPS 46-1 says:
  "This standard will be used by Federal departments and agencies for
  the cryptographic protection of computer data when the following
  conditions apply: 1.  ...  cryptographic protection is required; and
  2. the data is not classified according to the National Security Act
  of 1947, as amended, or the Atomic Energy Act of 1954, as amended."

* What are "ECB", "CBC", "CFB", and "OFB" encryption?

  These are methods for using block ciphers, such as DES, to encrypt 
  messages, files, and blocks of data, known as "modes of operation."
  Four "modes of operation" are defined in FIPS 81 (1980 December 2), 
  and also in ANSI X3.106-1983.   

  FIPS 81 specifies that when 7-bit ASCII data is sent in octets, the
  unused most-significant bit is to be set to 1.
  FIPS 81 also specifies the padding for short blocks.

  The four DES modes of operation are: 
	Electronic Code Book  (ECB), 
	Cipher Block Chaining (CBC), 
	K-bit Cipher FeedBack (CFB), and 
	K-bit Output FeedBack (OFB).

  These methods are explained below in a C-language-like notation.

  Some symbols:

  P[n]	The n'th block of plaintext, input to encryption, output from
  	decryption.  Size of block determined by the mode.

  C[n]	The n'th block of ciphertext, output from encryption, input to
  	decryption.  Size of block determined by the mode.

  E(m)	The DES encryption function, performed on 64-bit block m, using
  	the 16-key schedule derived from some 56-bit key.

  D(m)	The DES decryption function, performed on 64-bit block m, using
  	the same key schedule as in E(m), except that the 16 keys
  	in the schedule are used in the opposite order as in E(m).

  IV	A 64-bit "initialization vector", a secret value which, along with
  	the key, is shared by both encryptor and decryptor.

  I[n]	The n'th value of a 64-bit variable, used in some modes.
  R[n]	The n'th value of a 64-bit variable, used in some modes.

  LSB(m,k) The k least significant (right-most) bits of m.
  	e.g.  m & ((1 << k) - 1)

  MSB(m,k) The k most significant (left-most) bits of m.
  	e.g.  (m >> (64-k)) & ((1 << k) - 1)

  = ^ << >> &  operators as defined in the C language.


  Electronic Code Book (ECB):

  	  P[n] and C[n] are each 64-bits long.

  	  Encryption:			Decryption:
  	  C[n] = E(P[n])		P[n] = D(C[n])


  Cipher Block Chaining (CBC):

  	  P[n] and C[n] are each 64-bits long.

  	  Encryption:			Decryption:
  	  C[0] = E(P[0]^IV)		P[0] = D(C[0])^IV
  (n>0)	  C[n] = E(P[n]^C[n-1])		P[n] = D(C[n])^C[n-1]


  k-bit Cipher FeedBack (CFB):

  	  P[n] and C[n] are each k bits long, 1 <= k <= 64.  

  	  Encryption:			Decryption:
  	  I[0] = IV			I[0] = IV
  (n>0)	  I[n] = I[n-1]<<k | C[n-1]	I[n] = I[n-1]<<k | C[n-1]	
  (all n) R[n] = MSB(E(I[n]),k)		R[n] = MSB(E(I[n]),k)
  (all n) C[n] = P[n]^R[n]		P[n] = C[n]^R[n]

  	  Note that for k==64, this reduces to:

  	  I[0] = IV			I[0] = IV
  (n>0)	  I[n] = C[n-1]			I[n] = C[n-1]	
  (all n) R[n] = E(I[n])		R[n] = E(I[n])
  (all n) C[n] = P[n]^R[n]		P[n] = C[n]^R[n]

  CFB notes: Since I[n] depends only on the plain or cipher text from the
  previous operation, the E() function can be performed in parallel with
  the reception of the text with which it is used.


  k-bit Output FeedBack (OFB):

  	  P[n] and C[n] are each k bits long, 1 <= k <= 64.  

  	  Encryption:			Decryption:
  	  I[0] = IV			I[0] = IV
  (n>0)	  I[n] = I[n-1]<<k | R[n-1]	I[n] = I[n-1]<<k | R[n-1]	
  (all n) R[n] = MSB(E(I[n]),k)		R[n] = MSB(E(I[n]),k)
  (all n) C[n] = P[n]^R[n]		P[n] = C[n]^R[n]

  	  Note that for k==64, this reduces to:

  	  I[0] = IV			I[0] = IV
  (n>0)	  I[n] = R[n-1]			I[n] = R[n-1]	
  (all n) R[n] = E(I[n])		R[n] = E(I[n])
  (all n) C[n] = P[n]^R[n]		P[n] = C[n]^R[n]

  OFB notes: encryption and decryption are identical.  Since I[n] is
  independent of P and C, the E() function can be performed in advance of
  the receipt of the plain/cipher text with which it is to be used.


  Additional notes on DES "modes of operation":

  ECB and CBC use E() to encrypt and D() to decrypt, but the feedback modes
  use E() to both encrypt and decrypt.  This disproves the erroneous claim
  that systems which feature E() but not D() cannot be used for data
  confidentiality, and therefore are not subject to export controls.
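  The four modes above, and the X9.17 EDE construction from the triple-DES
  question, written out as running code.  This is an added example and not
  part of the FAQ; DES itself is replaced by a constructed 64-bit
  placeholder (an odd-multiplier affine map mod 2^64, a bijection with no
  cryptographic strength) so that the mode logic is what is on display.
  Plaintext and ciphertext are handled as lists of integers, 64-bit blocks
  for ECB and CBC and k-bit units for CFB and OFB; the FIPS 81 padding
  rules for short blocks are not reproduced here.

```python
# Added example (not part of the FAQ): the FIPS 81 modes from the notation
# above, plus X9.17 EDE.  ToyBlockCipher stands in for DES E()/D() and is
# NOT secure; it exists only so the mode code runs stand-alone.

MASK64 = (1 << 64) - 1

def msb(m, k):
    """MSB(m,k): the k most significant bits of the 64-bit value m."""
    return (m >> (64 - k)) & ((1 << k) - 1)

class ToyBlockCipher:
    """Placeholder for DES: E(m) = a*m + b mod 2^64, with a odd so D exists."""
    def __init__(self, key):
        self.a = (key | 1) & MASK64                    # odd => invertible mod 2^64
        self.b = (key * 0x9E3779B97F4A7C15) & MASK64   # constructed key-dependent offset
        self.a_inv = pow(self.a, -1, 1 << 64)
    def E(self, m):
        return (m * self.a + self.b) & MASK64
    def D(self, c):
        return ((c - self.b) * self.a_inv) & MASK64

def ecb_encrypt(bc, P):
    return [bc.E(p) for p in P]                 # C[n] = E(P[n])

def ecb_decrypt(bc, C):
    return [bc.D(c) for c in C]                 # P[n] = D(C[n])

def cbc_encrypt(bc, iv, P):
    C, prev = [], iv                            # C[0] = E(P[0]^IV); C[n] = E(P[n]^C[n-1])
    for p in P:
        prev = bc.E(p ^ prev)
        C.append(prev)
    return C

def cbc_decrypt(bc, iv, C):
    P, prev = [], iv                            # P[n] = D(C[n])^C[n-1]
    for c in C:
        P.append(bc.D(c) ^ prev)
        prev = c
    return P

def cfb(bc, iv, k, data, decrypt=False):
    """k-bit CFB over a list of k-bit units.  Only E() is used; what is fed
    back into the shift register I is always the ciphertext unit."""
    out, I = [], iv
    for unit in data:
        R = msb(bc.E(I), k)                     # R[n] = MSB(E(I[n]), k)
        out.append(unit ^ R)                    # C[n] = P[n]^R[n]  or  P[n] = C[n]^R[n]
        c = unit if decrypt else out[-1]
        I = ((I << k) | c) & MASK64             # I[n+1] = I[n]<<k | C[n]
    return out

def ofb(bc, iv, k, data):
    """k-bit OFB: encryption and decryption are the same operation, and the
    feedback is the keystream R, so E() can run ahead of the data."""
    out, I = [], iv
    for unit in data:
        R = msb(bc.E(I), k)
        out.append(unit ^ R)
        I = ((I << k) | R) & MASK64             # I[n+1] = I[n]<<k | R[n]
    return out

def ede_encrypt(k1, k2, m):
    """X9.17 EDE: E(K1, D(K2, E(K1, m))).  With K1 == K2 this is just E(K1, m),
    which is what lets EDE hardware interoperate with single-key DES."""
    return k1.E(k2.D(k1.E(m)))

def ede_decrypt(k1, k2, c):
    return k1.D(k2.E(k1.D(c)))

if __name__ == "__main__":
    bc = ToyBlockCipher(0x0123456789ABCDEF)     # constructed sample key
    iv = 0x1122334455667788                     # constructed sample IV
    blocks = [0xDEADBEEFCAFEF00D, 0xDEADBEEFCAFEF00D, 0x0123456789ABCDEF]
    e = ecb_encrypt(bc, blocks)
    print("ECB leaks repeated blocks:", e[0] == e[1])
    text = list(b"constructed sample")          # 8-bit units for CFB-8 / OFB-8
    print("CFB-8 round trip:", cfb(bc, iv, 8, cfb(bc, iv, 8, text), decrypt=True) == text)
```

  Two things the code makes concrete: ECB encrypts equal plaintext blocks to
  equal ciphertext blocks, which is the usual reason to prefer a chained
  mode, and the two feedback modes never call D(), which is the point of
  the last paragraph above.  One caveat on the k-bit OFB as FIPS 81 defines
  it: with k < 64 only k bits of each E() output are fed back, so the
  keystream can fall into a short cycle, which is why later mode standards
  (NIST SP 800-38A, for one) define OFB with full-block feedback only.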

Newsgroup: sci.crypt
Document_id: 15253
From: crypt-comments@math.ncsu.edu
Subject: Cryptography FAQ 06/10 - Public Key Cryptography

Archive-name: cryptography-faq/part06
Last-modified: 1993/4/15


FAQ for sci.crypt, part 6: Public-Key Cryptography

This is the sixth of ten parts of the sci.crypt FAQ. The parts are
mostly independent, but you should read the first part before the rest.
We don't have the time to send out missing parts by mail, so don't ask.
Notes such as ``[KAH67]'' refer to the reference list in the last part.

The sections of this FAQ are available via anonymous FTP to rtfm.mit.edu 
as /pub/usenet/news.answers/cryptography-faq/part[xx].  The Cryptography 
FAQ is posted to the newsgroups sci.crypt, sci.answers, and news.answers 
every 21 days.


Contents:

* What is public-key cryptography?
* What's RSA?
* Is RSA secure?
* How fast can people factor numbers?
* What about other public-key cryptosystems?


* What is public-key cryptography?

  In a classic cryptosystem, we have encryption functions E_K and
  decryption functions D_K such that D_K(E_K(P)) = P for any plaintext
  P. In a public-key cryptosystem, E_K can be easily computed from some
  ``public key'' X which in turn is computed from K. X is published, so
  that anyone can encrypt messages. If D_K cannot be easily computed
  from X, then only the person who generated K can decrypt messages.
  That's the essence of public-key cryptography, published by Diffie
  and Hellman in 1976.

  In a classic cryptosystem, if you want your friends to be able to
  send secret messages to you, you have to make sure nobody other than
  them sees the key K. In a public-key cryptosystem, you just publish X,
  and you don't have to worry about spies.

  This is only the beginning of public-key cryptography. There is an
  extensive literature on security models for public-key cryptography,
  applications of public-key cryptography, other applications of the
  mathematical technology behind public-key cryptography, and so on.

* What's RSA?

  RSA is a public-key cryptosystem defined by Rivest, Shamir, and
  Adleman.  For full details, there is a FAQ available by ftp at
  RSA.COM. Here's a small example.

  Plaintexts are positive integers up to 2^{512}. Keys are quadruples
  (p,q,e,d), with p a 256-bit prime number, q a 258-bit prime number,
  and d and e large numbers with (de - 1) divisible by (p-1)(q-1). We
  define E_K(P) = P^e mod pq, D_K(C) = C^d mod pq.

  Now E_K is easily computed from the pair (pq,e)---but, as far as
  anyone knows, there is no easy way to compute D_K from the pair
  (pq,e). So whoever generates K can publish (pq,e). Anyone can send a
  secret message to him; he is the only one who can read the messages.
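  The quadruple (p,q,e,d) and the maps E_K and D_K from the paragraph
  above, as an added example that is not part of the FAQ.  It uses the
  small textbook primes p = 61 and q = 53 so every value can be checked by
  hand; keys of the sizes the text gives use the identical arithmetic with
  bigger numbers.

```python
# Added example (not from the FAQ): deriving d from (p, q, e), publishing
# only (pq, e), and the E_K / D_K maps.  Toy-sized primes, for hand checking.
from math import gcd

def rsa_from_primes(p, q, e):
    """Return the quadruple (p, q, e, d) with (d*e - 1) divisible by (p-1)(q-1)."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)               # modular inverse (Python 3.8+)
    return p, q, e, d

def public_key(key):
    """Only (pq, e) is published; p, q and d stay with whoever generated K."""
    p, q, e, _ = key
    return p * q, e

def encrypt(pub, P):
    """E_K(P) = P^e mod pq: anyone holding the public pair can compute this."""
    n, e = pub
    if not 0 <= P < n:
        raise ValueError("plaintext must be an integer in [0, pq)")
    return pow(P, e, n)

def decrypt(key, C):
    """D_K(C) = C^d mod pq: needs d, which was derived from p and q."""
    p, q, _, d = key
    return pow(C, d, p * q)

if __name__ == "__main__":
    key = rsa_from_primes(61, 53, 17)    # pq = 3233, d = 2753
    pub = public_key(key)
    C = encrypt(pub, 65)                 # 65^17 mod 3233 = 2790
    print(key, pub, C, decrypt(key, C))
```

  Note that decrypt() never needs phi at run time, only d; the link between
  the secret exponent and the factorization of pq is entirely in
  rsa_from_primes(), which is why the "obvious attack" of the next question
  is to factor pq.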

* Is RSA secure?

  Nobody knows. An obvious attack on RSA is to factor pq into p and q.
  See below for comments on how fast state-of-the-art factorization
  algorithms run. Unfortunately nobody has the slightest idea how to
  prove that factorization---or any realistic problem at all, for that
  matter---is inherently slow. It is easy to formalize what we mean by
  ``RSA is/isn't strong''; but, as Hendrik W. Lenstra, Jr., says,
  ``Exact definitions appear to be necessary only when one wishes to
  prove that algorithms with certain properties do _not_ exist, and
  theoretical computer science is notoriously lacking in such negative
  results.''

* How fast can people factor numbers?

  It depends on the size of the numbers. In October 1992 Arjen Lenstra
  and Dan Bernstein factored 2^523 - 1 into primes, using about three
  weeks of MasPar time. (The MasPar is a 16384-processor SIMD machine;
  each processor can add about 200000 integers per second.) The
  algorithm there is called the ``number field sieve''; it is quite a
  bit faster for special numbers like 2^523 - 1 than for general numbers
  n, but it takes time only about exp(O(log^{1/3} n log^{2/3} log n)) in
  any case.

  An older and more popular method for smaller numbers is the ``multiple
  polynomial quadratic sieve'', which takes time exp(O(log^{1/2} n
  log^{1/2} log n))---faster than the number field sieve for small n,
  but slower for large n. The breakeven point is somewhere between 100
  and 150 digits, depending on the implementations.

  Factorization is a fast-moving field---the state of the art just a few
  years ago was nowhere near as good as it is now. If no new methods are
  developed, then 2048-bit RSA keys will always be safe from
  factorization, but one can't predict the future. (Before the number
  field sieve was found, many people conjectured that the quadratic
  sieve was asymptotically as fast as any factoring method could be.)

* What about other public-key cryptosystems?

  We've talked about RSA because it's well known and easy to describe.
  But there are lots of other public-key systems around, many of which
  are faster than RSA or depend on problems more widely believed to be
  difficult. This has been just a brief introduction; if you really want
  to learn about the many facets of public-key cryptography, consult the
  books and journal articles listed in part 10.

Newsgroup: sci.crypt
Document_id: 15254
From: crypt-comments@math.ncsu.edu
Subject: Cryptography FAQ 07/10 - Digital Signatures

Archive-name: cryptography-faq/part07
Last-modified: 1993/4/15


FAQ for sci.crypt, part 7: Digital Signatures and Hash Functions

This is the seventh of ten parts of the sci.crypt FAQ. The parts are
mostly independent, but you should read the first part before the rest.
We don't have the time to send out missing parts by mail, so don't ask.
Notes such as ``[KAH67]'' refer to the reference list in the last part.



Contents:

* What is a one-way hash function?
* What is the difference between public, private, secret, shared, etc.?
* What are MD4 and MD5?
* What is Snefru?


* What is a one-way hash function?

  A typical one-way hash function takes a variable-length message and
  produces a fixed-length hash. Given the hash it is computationally
  infeasible to find a message with that hash; in fact one can't
  determine any usable information about a message with that hash, not
  even a single bit. For some one-way hash functions it's also
  computationally infeasible to determine two messages which produce the
  same hash.

  A one-way hash function can be private or public, just like an
  encryption function. Here's one application of a public one-way hash
  function, like MD5 or Snefru. Most public-key signature systems are
  relatively slow. To sign a long message may take longer than the user
  is willing to wait. Solution: Compute the one-way hash of the message,
  and sign the hash, which is short. Now anyone who wants to verify the
  signature can do the same thing.

  Another name for one-way hash function is message digest function.
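  The hash-then-sign application described above, as an added example that
  is not part of the FAQ.  MD5 from Python's hashlib is the public one-way
  hash and textbook RSA is the signature system.  The RSA modulus is built
  from the two Mersenne primes 2^127 - 1 and 2^107 - 1 purely so that the
  example is deterministic and the 128-bit digest fits below pq; those are
  publicly known numbers, so a real key must be built from random primes.

```python
# Added example (not from the FAQ): sign the short hash of a long message
# instead of the message itself, then verify with only the public pair.
import hashlib

P = (1 << 127) - 1                  # Mersenne primes: fine for a demo, useless for a real key
Q = (1 << 107) - 1
N = P * Q                           # about 2^234, so a 128-bit MD5 digest is < N
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: (D*E - 1) divisible by (P-1)(Q-1)

def digest_as_int(message: bytes) -> int:
    """H(M): the public one-way hash of the message, as an integer below N."""
    return int.from_bytes(hashlib.md5(message).digest(), "big")

def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Private operation: hash first, then apply the private exponent to the
    short digest rather than to the whole (possibly very long) message."""
    return pow(digest_as_int(message), d, n)

def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Public operation: anyone recomputes H(M) and compares it with the
    public-exponent transform of the signature."""
    return pow(signature, e, n) == digest_as_int(message)

if __name__ == "__main__":
    msg = b"constructed sample message"      # constructed input
    sig = sign(msg)
    print(verify(msg, sig), verify(msg + b"!", sig))
```

  Changing a single byte of the message, or a single bit of the signature,
  makes verify() fail, because H(M) changes and the e-th power map is a
  bijection modulo pq.  Real signature schemes additionally pad the digest
  (PKCS #1 style) before exponentiation rather than signing the raw hash
  value as done here.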

* What is the difference between public, private, secret, shared, etc.?

  There is a horrendous mishmash of terminology in the literature for a
  very small set of concepts. When an algorithm depends on a key which
  isn't published, we call it a private algorithm; otherwise we call it
  a public algorithm. We have encryption functions E and decryption
  functions D, so that D(E(M)) = M for any message M. We also have
  hashing functions H and verification functions V, such that V(M,X) = 1
  if and only if X = H(M).

  A public-key cryptosystem has public encryption and private
  decryption. Checksums, such as the application mentioned in the
  previous question, have public hashing and public verification.
  Digital signature functions have private hashing and public
  verification: only one person can produce the hash for a message,
  but everyone can verify that the hash is correct.

  Obviously, when an algorithm depends on a private key, it's meant to
  be unusable by anyone who doesn't have the key. There's no real
  difference between a ``shared'' key and a private key: a shared key
  isn't published, so it's private. If you encrypt data for a friend
  rather than ``for your eyes only'', are you suddenly doing
  ``shared-key encryption'' rather than private-key encryption? No.

* What are MD4 and MD5?

  MD4 and MD5 are message digest functions developed by Ron Rivest.
  Definitions appear in RFC 1320 and RFC 1321 (see part 10). Code is
  available from [FTPMD].

  Note that a transcription error was found in the original MD5 draft
  RFC. The corrected algorithm should be called MD5a, though some
  people refer to it as MD5.

* What is Snefru?

  Snefru is a family of message digest functions developed by Ralph
  Merkle. Snefru-8 is an 8-round function, the newest in the family.
  Definitions appear in Merkle's paper [ME91a]. Code is available from
  [FTPSF].

Newsgroup: sci.crypt
Document_id: 15255
From: crypt-comments@math.ncsu.edu
Subject: Cryptography FAQ 09/10 - Other Miscellany

Archive-name: cryptography-faq/part09
Last-modified: 1993/4/15


FAQ for sci.crypt, part 9: Other Miscellany

This is the ninth of ten parts of the sci.crypt FAQ. The parts are
mostly independent, but you should read the first part before the rest.
We don't have the time to send out missing parts by mail, so don't ask.
Notes such as ``[KAH67]'' refer to the reference list in the last part.



Contents:

* What is the National Security Agency (NSA)?
* What are the US export regulations?
* What is TEMPEST?
* What are the Beale Ciphers, and are they a hoax?
* What is the American Cryptogram Association, and how do I get in touch?
* Is RSA patented?
* What about the Voynich manuscript?


* What is the National Security Agency (NSA)?

  The NSA is the official security body of the U.S. government. It
  was given its charter by President Truman in the late 40's, and
  has continued research in cryptology till the present. The NSA is
  known to be the largest employer of mathematicians in the world,
  and is also the largest purchaser of computer hardware in the
  world. Governments in general have always been prime employers of
  cryptologists. The NSA probably possesses cryptographic expertise many
  years ahead of the public state of the art, and can undoubtedly break
  many of the systems used in practice; but for reasons of national
  security almost all information about the NSA is classified.

  Bamford's book [BAMFD] gives a history of the people and operations of
  the NSA. The following quote from Massey [MAS88] highlights the
  difference between public and private research in cryptography:

  ``... if one regards cryptology as the prerogative of government,
  one accepts that most cryptologic research will be conducted
  behind closed doors. Without doubt, the number of workers engaged
  today in such secret research in cryptology far exceeds that of
  those engaged in open research in cryptology. For only about 10
  years has there in fact been widespread open research in
  cryptology. There have been, and will continue to be, conflicts
  between these two research communities. Open research is common
  quest for knowledge that depends for its vitality on the open
  exchange of ideas via conference presentations and publications in
  scholarly journals. But can a government agency, charged with
  responsibilities of breaking the ciphers of other nations,
  countenance the publication of a cipher that it cannot break? Can
  a researcher in good conscience publish such a cipher that might
  undermine the effectiveness of his own government's code-breakers?
  One might argue that publication of a provably-secure cipher would
  force all governments to behave like Stimson's `gentlemen', but one
  must be aware that open research in cryptography is fraught with
  political and ethical considerations of a severity than in most
  scientific fields. The wonder is not that some conflicts have
  occurred between government agencies and open researchers in
  cryptology, but rather that these conflicts (at least those of which
  we are aware) have been so few and so mild.''

* What are the US export regulations?

  In a nutshell, there are two government agencies which control
  export of encryption software. One is the Bureau of Export
  Administration (BXA) in the Department of Commerce, authorized by
  the Export Administration Regulations (EAR). Another is the Office
  of Defense Trade Controls (DTC) in the State Department, authorized
  by the International Traffic in Arms Regulations (ITAR). As a rule
  of thumb, BXA (which works with COCOM) has less stringent
  requirements, but DTC (which takes orders from NSA) wants to see
  everything first and can refuse to transfer jurisdiction to BXA.

  The newsgroup misc.legal.computing carries many interesting
  discussions on the laws surrounding cryptographic export, what
  people think about those laws, and many other complex issues which
  go beyond the scope of technical groups like sci.crypt. Make sure to
  consult your lawyer before doing anything which will get you thrown in
  jail; if you are lucky, your lawyer might know a lawyer who has at
  least heard of the ITAR.

* What is TEMPEST?

  TEMPEST is a standard for electromagnetic shielding for computer
  equipment. It was created in response to the discovery that
  information can be read from computer radiation (e.g., from a CRT) at
  quite a distance and with little effort.

  Needless to say, encryption doesn't do much good if the cleartext
  is available this way.

* What are the Beale Ciphers, and are they a hoax?

  (Thanks to Jim Gillogly for this information and John King for
  corrections.)

  The story in a pamphlet by J. B. Ward (1885) goes: Thomas
  Jefferson Beale and a party of adventurers accumulated a huge mass
  of treasure and buried it in Bedford County, Virginia, leaving
  three ciphers with an innkeeper; the ciphers describe the
  location, contents, and intended beneficiaries of the treasure.
  Ward gives a decryption of the second cipher (contents) called B2;
  it was encrypted as a book cipher using the initial letters of the
  Declaration of Independence (DOI) as key. B1 and B3 are unsolved;
  many documents have been tried as the key to B1.

  Aficionados can join a group that attempts to solve B1 by various
  means with an eye toward splitting the treasure:

  The Beale Cypher Association
  P.O. Box 975
  Beaver Falls, PA 15010

  You can get the ciphers from the rec.puzzles FAQL by including the
  line:

  send index

  in a message to netlib@peregrine.com and following the directions.
  (There are apparently several different versions of the cipher
  floating around. The correct version is based on the 1885 pamphlet,
  says John King <kingj@hpcc01.corp.hp.com>.)

  Some believe the story is a hoax. Kruh [KRU88] gives a long list of
  problems with the story. Gillogly [GIL80] decrypted B1 with the DOI
  and found some unexpected strings, including ABFDEFGHIIJKLMMNOHPP.
  Hammer (president of the Beale Cypher Association) agrees that this
  string couldn't appear by chance, but feels there must be an
  explanation; Gwyn (sci.crypt expert) is unimpressed with this
  string.

* What is the American Cryptogram Association, and how do I get in touch?

  The ACA is an organization devoted to cryptography, with an emphasis
  on cryptanalysis of systems that can be attacked either with
  pencil-and-paper or computers. Its organ ``The Cryptogram'' includes
  articles and challenge ciphers. Among the more than 50 cipher types in
  English and other languages are simple substitution, Playfair,
  Vigenere, bifid, Bazeries, grille, homophonic, and cryptarithm.

  Dues are $15 for one year (6 issues); more outside of North America;
  less for students under 18 and seniors. Subscriptions should be sent
  to ACA Treasurer, 18789 West Hickory St., Mundelein, IL 60060.

* Is RSA patented?

  Yes. The patent number is 4,405,829, filed 12/14/77, granted 9/20/83.
  For further discussion of this patent, whether it should have been
  granted, algorithm patents in general, and related legal and moral
  issues, see comp.patents and misc.legal.computing. For information
  about the League for Programming Freedom see [FTPPF]. Note that one of
  the original purposes of comp.patents was to collect questions such as
  ``should RSA be patented?'', which often flooded sci.crypt and other
  technical newsgroups, into a more appropriate forum.

* What about the Voynich manuscript?

  nelson@reed.edu (Nelson Minar) says there is a mailing list on the
  subject.  The address to write to subscribe to the VMS mailing list
  is: <voynich-request@rand.org>

  The ftp archive is: rand.org:/pub/voynich

  There's all sorts of information about the manuscript itself, of
  course. A good bibliography can be found on the ftp site. Kahn's
  "The Codebreakers" gives a good introduction.

Newsgroup: sci.crypt
Document_id: 15256
From: johnson@trwacs.fp.trw.com (Steve Johnson)
Subject: Re: How do they know what keys to ask for? (Re: Clipper)

brad@clarinet.com (Brad Templeton) writes:

[...]
>And of course you have to identify yourself to the phone company, and
>since the phone company complies with court orders, they will know the
>magic number of your chip when they sign out a warrant on you, and
>then can present the warrant to the key escrow house.

  Who makes them forget and destroy all copies of the key once they've
decided you're not a criminal today?  Just curious.
>-- 
>Brad Templeton, ClariNet Communications Corp. -- Sunnyvale, CA 408/296-0366
------- Any views expressed are those of myself and not my employer. --------
Steven C. Johnson, WB3IRU / VK2GDS      |
TRW                                     | johnson@trwacs.fp.trw.com
FP1 / 3133                              |         [129.193.172.90]
1 Federal Systems Park Drive            | Phone:        +1 (703) 968.1000
Fairfax, Virginia  22033-4412  U.S.A.   | Fax:          +1 (703) 803.5189

Newsgroup: sci.crypt
Document_id: 15257
From: bet@sbi.com (Bennett Todd @ Salomon Brothers Inc., NY )
Subject: Re: Source of random bits on a Unix workstation

>>For your application, what you can do is to encrypt the real-time clock
>>value with a secret key.

Well, almost.... If I only had to solve the problem for myself, and were
willing to have to type in a second password (the secret key) whenever I
logged in, it could work. However, I'm trying to create a solution that
anyone can use, and which, once installed, is just as effortless to start up
as the non-solution of just using xhost(1) to control access. I've got
religious problems with storing secret keys on multiuser computers.

>For a good discussion of cryptographically "good" random number
>generators, check out the draft-ietf-security-randomness-00.txt
>Internet Draft, available at your local friendly internet drafts
>repository.

Thanks for the pointer! It was good reading, and I liked the idea of using
several unrelated sources with a strong mixing function. However, unless I
missed something, the only source they suggested (aside from a hardware RNG)
that seems available, and unguessable by an intruder, when a Unix is
fresh-booted, is I/O buffers related to network traffic. I believe my
solution basically uses that strategy, without requiring me to reach into
the kernel.

>A reasonably source of randomness is the output of a cryptographic
>hash function (e.g., MD5), when fed with a large amount of
>more-or-less random data. For example, running MD5 on /dev/mem is a
>slow, but random enough, source of random bits; there are bound to be
>128 bits of entropy in the tens (or hundreds) of megabytes of data in
>a modern workstation's memory, as a fair amount of them are system
>timers, i/o buffers, etc.

I heard about this solution, and it sounded good. Then I heard that folks
were experiencing times of 30-60 seconds to run this, on
reasonably-configured workstations. I'm not willing to add that much delay
to someone's login process. My approach (etherfind|compress, skip 10K) takes
a second or two to run. I'm considering writing the be-all and end-all of
solutions, that launches the MD5, and simultaneously tries to suck bits off
the net, and if the net should be sitting __SO__ idle that it can't get 10K
after compression before MD5 finishes, use the MD5. This way I could have
guaranteed good bits, and a deterministic upper bound on login time, and
still have the common case of login take only a couple of extra seconds.

-Bennett
bet@sbi.com

Newsgroup: sci.crypt
Document_id: 15258
From: george@minster.york.ac.uk
Subject: Non-word password generator

Does anyone know of a non-word password generator program
for PC's?? i.e. it will produce a nonsense word but still
be pronounceable. e.g. lisgollan

Wanted to "force" users to adopt more secure passwords,
but still be memorable!

Thanks - George Bolt

p.s. please email me as well if possible "george@psychmips.york.ac.uk"

Newsgroup: sci.crypt
Document_id: 15259
From: brad@clarinet.com (Brad Templeton)
Subject: Re: Once tapped, your code is no good any more.

In article <tcmayC5M2xv.JEx@netcom.com> tcmay@netcom.com (Timothy C. May) writes:
>Getting the court order to reveal the key *also* makes decipherable
>all *past* conversations (which may be on tape, or disk, or whatever),
>as I understand the proposal. I could be wrong, but I've seen no
>mention of "session keys" being the escrowed entities.

True in theory.  In practice?  The technology of cellular phones will
probably be spread spectrum and quite difficult to record the crypttext
without the key.  If the frequency path depends on the key, as I
understand it to, it *could* be made effectively impossible to record.

Once it hits land you can record it if you have telco access.  The
telco isn't supposed to give that without a warrant.  That's the rule
today.

But even so, the evidence would not be admissible, I think, unless the
judge so ordered.  I think that even interception of the crypttext
without a warrant would be illegal.   Cops can't record today's plain
cellular calls and then ask a judge, "Hey, can we have permission to
listen to those tapes?" can they?

>worse, of course, if the government then uses this "Clinton Clipper"
>to argue for restrictions on unapproved encryption. (This is the main
>concern of most of us, I think. The camel's nose in the tent, etc.)

Yes, that is a major concern, but I think that they think they can
win just by having 99.5% of the USA use this system.  They don't even
have to care about the cautious .5% that's left.  They don't catch the
really smart crooks anyway.   John Gotti, who would have to be retarded
not to realize he was likely to be wiretapped, glibly chatted away
on his tapped phone about murder plans.  That's why he's in jail now.
Hard to believe, but true.


This scheme can succeed without laws forbidding more, which people would
fight a lot harder.  They like this enough that they are dropping the so
called "Digital Telephony" proposal, according to rumours.  However the
meaning of that is complex, since they still want to get at the crypttext
on telco systems, and that requires a bit of work.
-- 
Brad Templeton, ClariNet Communications Corp. -- Sunnyvale, CA 408/296-0366

Newsgroup: sci.crypt
Document_id: 15260
From: johnson@trwacs.fp.trw.com (Steve Johnson)
Subject: Re: Once tapped, your code is no good any more.

tcmay@netcom.com (Timothy C. May) writes:

>Brad Templeton (brad@clarinet.com) wrote:
>: It occurs to me that if they get a wiretap order on you, and the escrow
>: houses release your code to the cops, your code is now no longer secure.
>: 
>: It's in the hands of cops, and while I am sure most of the time they are
>: good, their security will not be as good as the escrow houses.
>: 
>: What this effectively means is that if they perform a wiretap on you,
>: at the end of the wiretap, they should be obligated to inform you that
>: a tap was performed, and replace (for free) the clipper chip in your
>: cellular phone so that it is once again a code known only to the
>: escrow houses.

>Getting the court order to reveal the key *also* makes decipherable
>all *past* conversations (which may be on tape, or disk, or whatever),
>as I understand the proposal. I could be wrong, but I've seen no
>mention of "session keys" being the escrowed entities.

>As the EFF noted, this raises further issues about the fruits of one
>bust leading to incrimination in other areas.

>But is it any worse than the current unsecure system? It becomes much
>worse, of course, if the government then uses this "Clinton Clipper"
>to argue for restrictions on unapproved encryption. (This is the main
>concern of most of us, I think. The camel's nose in the tent, etc.)

>And it may also become much worse if the ostensible security is
>increased, thus allowing greater access to "central office" records by
>the government (the conversations being encrypted, who will object to
>letting the government have access to them, perhaps even automatically
>archiving large fractions...). This was one of the main objections to
>the S.266 proposal, that it would force telecom suppliers to provide
>easy access for the government.

>Once the government has had access to months or years of your encrypted
>conversations, now all it takes is one misstep, one violation that
>gets them the paperwork needed to decrypt *all* of them!

>Do we want anyone to have this kind of power?

>-Tim May, whose sig block may get him busted in the New Regime

  A remark I heard the other day is beginning to take on increasingly
frightening significance.  The comment was made that "In other parts
of the world the Democrats [note the big "D"] would be known as
Socialists" 

  A [note the small "d"] democrat who wonders what Thomas Jefferson, on
this the 250th anniversary of his birth, would have thought of the state
of affairs between the government and the governed.


------- Any views expressed are those of myself and not my employer. --------
Steven C. Johnson, WB3IRU / VK2GDS      |
TRW                                     | johnson@trwacs.fp.trw.com
FP1 / 3133                              |         [129.193.172.90]
1 Federal Systems Park Drive            | Phone:        +1 (703) 968.1000
Fairfax, Virginia  22033-4412  U.S.A.   | Fax:          +1 (703) 803.5189

Newsgroup: sci.crypt
Document_id: 15261
From: wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

In article <jhesseC5Ltt5.IMC@netcom.com> jhesse@netcom.com (John Hesse) writes:
   Stupid me. I believed the Democrats stood for principles of personal
   privacy while it was the Neanderthal Republicans that wanted into every
   aspect of our lives. 
   Clinton is just more clever than the other guy. Looks like gun control for
   privacy technology. One small step at a time.

Remember "Defend Firearms - Defeat Dukakis", followed by Bush's soon-after-
election support for gun-control?   This is the Democrats' version
"Defend Free Speech - Reject Republicans" followed by speech control.

   Wait a minute....  Let me think about this.

   Hmmm, I feel better now. I believe the White House when they tell us
   this first step is, in fact, the final step. All is OK. We've nothing to fear.
   They're here to help us.   God bless America.
 
Hey, like the grrreat J.R. "Bob" Dobbs says, you've got to pull the
wool over your *own* eyes!

--
#				Pray for peace;      Bill
# Bill Stewart 1-908-949-0705 wcs@anchor.att.com AT&T Bell Labs 4M312 Holmdel NJ
#	              No, I'm *from* New Jersey, I only *work* in cyberspace....
# White House Comment Line 1-202-456-1111  fax 1-202-456-2461

Newsgroup: sci.crypt
Document_id: 15262
From: sphughes@sfsuvax1.sfsu.edu (Shaun P. Hughes)
Subject: Clipper Crap


>encryption's dual-edge sword:  encryption helps to protect the
>privacy of individuals and industry, but it also can shield
>criminals and terrorists.  We need the "Clipper Chip" and other
 ^^^^^^^^^^^^^^^^^^^^^^^^


   Just a random passing thought, but can anyone cite a documented use
of encryption technology by criminals and terrorists.
   (Excluding the Iran-Contra Gang)


-- 

             Shaun P. Hughes  sphughes@sfsuvax1.sfsu.edu 

                    finger for PGP 2.2 Public Key

Newsgroup: sci.crypt
Document_id: 15263
From: wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705)
Subject: White House Wiretap Chip Disinformation Sheet

Fascinating.  Most of the content of the White House announcements was
in what was *not* said.  It gives us almost nothing of value, threatens to
take away a lot, and does it with a sincere smile on its face,
and the nice friendly word "Management".

			      FACT SHEET
		     PUBLIC ENCRYPTION MANAGEMENT

The first thing it doesn't say is "We're giving you stronger encryption".
what it says is 
   the U. S. Government has developed a microcircuit that not only
   provides privacy through encryption that is substantially more robust
   than the current government standard, but also permits escrowing of
   the keys needed to unlock the encryption.  The system for the
   escrowing of keys will allow the government to gain access to
   encrypted information only with appropriate legal authorization.
But DES is strong enough that only the government can break it now,
so the major effect is to make it EASIER for government to break!
*At best* it makes it more difficult for the NSA to break, since they
need to get one of the two escrowed keys to do a brute-force search
for the other 40-bit key.

Similarly, it didn't say "We're making encryption commercially available."
because encryption *is* already commercially available, including
forms the NSA may not be able to break, like triple-DES or IDEA.
And phone companies could offer DES-based systems *now* if they were
convinced the government would let them and they could make enough money.

The next thing it didn't say is "We're making encryption legal",
because of course encryption *has always been* legal, and the
President can't change the First Amendment merely by decree.
What it *did* say was:
	In making this decision, I do not intend to prevent the
	private sector from developing, or the government from approving,
	other microcircuits or algorithms that are equally effective in
	assuring both privacy and a secure key- escrow system.
which clearly means "We're making encryption illegal unless we get your keys.
Soon.  Once business buys into this."

Another thing it didn't say is "We're going to ask Congress for money
to do *lots* more wiretapping", because of course, there's a budget crisis,
and Congress might debate the policy issues or not give them the cash.
What it *did* say was:
   The Attorney General will procure and utilize encryption devices to
   the extent needed to preserve the government's ability to conduct
   lawful electronic surveillance and to fulfill the need for secure
   law enforcement communications.  Further, the Attorney General
   shall utilize funds from the Department of Justice Asset Forfeiture
   Super Surplus Fund to effect this purchase.
which means "We've got money Congress can't control and we're going to
buy lots of wiretapping equipment with it to detect NON-APPROVED CRYPTO
(that's what "preserve the government's ability to conduct ... surveillance" 
means.)  
--
#				Pray for peace;      Bill
# Bill Stewart 1-908-949-0705 wcs@anchor.att.com AT&T Bell Labs 4M312 Holmdel NJ
#	              No, I'm *from* New Jersey, I only *work* in cyberspace....
# White House Comment Line 1-202-456-1111  fax 1-202-456-2461

Newsgroup: sci.crypt
Document_id: 15264
From: brad@clarinet.com (Brad Templeton)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

Interestingly enough, in designing the escrow, we may want to use some
rather unusual technology, such as sealed boxes of paper, or
destructive read memory, rather than typical computer databases, which
is fun for a database of hundreds of millions of keys.

The greatest danger of the escrow database, if it were kept on disk,
would be the chance that a complete copy could somehow leak out.  You
can design lots of protection, but with enough corruption a complete
copy is always possible.   Storing it on paper or something very hard
to copy at once may actually make sense.  Or a medium that can't be
copied -- for example, something with very slow access times or which
leaves a destructive trail if it is even read.

Of course then it's hard to backup.  However, I think the consequences
of no backup -- the data is not there when a warrant comes -- are worse
than the consequences of a secret backup.

An audit trail that reveals when data has been accessed, that *can't* be
erased by the humans involved, is also necessary.
-- 
Brad Templeton, ClariNet Communications Corp. -- Sunnyvale, CA 408/296-0366
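
As an added example of the last point in this post (an access record the operators cannot quietly erase), and not code from the post or from any escrow design: a hash-chained append-only log, where every entry commits to the one before it. The chaining technique is my choice, not something the post describes; the field names, the "release-half" action and the idea of an independent witness holding a copy of the chain head are assumptions for illustration. The example also shows the gap a practitioner needs to know about: without that external copy of the head, someone with write access can still cut the tail off the log undetected.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # stands in for the "previous hash" of the very first entry


def _digest(entry: dict) -> str:
    # Hash every field except the entry's own hash, in a canonical encoding,
    # so that any later change to any field is detectable.
    fields = {k: v for k, v in entry.items() if k != "hash"}
    data = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


class AuditLog:
    """Append-only record of key releases; each entry commits to the one before."""

    def __init__(self):
        self.entries = []

    def record(self, ts: int, actor: str, key_id: str, action: str) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "ts": ts, "actor": actor,
                 "key_id": key_id, "action": action, "prev": prev}
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def head(self) -> str:
        """Current chain head. Hand this to an independent witness after every
        append; without that external copy a truncated log is undetectable."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, witness_head=None):
        """(True, None) if intact, else (False, index of the first bad entry).
        An index equal to len(entries) means the tail was cut off."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            # sequence number, back-link and own hash must all check out
            if e["seq"] != i or e["prev"] != prev or e["hash"] != _digest(e):
                return False, i
            prev = e["hash"]
        if witness_head is not None and prev != witness_head:
            return False, len(self.entries)
        return True, None

    def clone(self) -> "AuditLog":
        return copy.deepcopy(self)


if __name__ == "__main__":
    # Constructed sample: two hypothetical escrow agents releasing key halves.
    log = AuditLog()
    log.record(1, "agent-1", "chip-0001", "release-half")
    log.record(2, "agent-2", "chip-0001", "release-half")
    log.record(3, "agent-1", "chip-0002", "release-half")
    witness = log.head()

    cut = log.clone()
    del cut.entries[2]
    print("intact:", log.verify(witness))                  # (True, None)
    print("tail cut, no witness:", cut.verify())           # (True, None)
    print("tail cut, with witness:", cut.verify(witness))  # (False, 2)
```

Editing or deleting an entry in the middle breaks the chain at that position, which any verifier can see. Cutting the newest entries off the end leaves a log that is internally consistent, so the chain only gives the "can't be erased" property the post asks for when the head hash is regularly given to someone the operators do not control (or written to a medium of the slow, destructive-read kind the post discusses).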

Newsgroup: sci.crypt
Document_id: 15265
From: rdippold@qualcomm.com (Ron "Asbestos" Dippold)
Subject: Re: Clinton Boost in Spy Spending


Right on the heels of the Clinton "registered encryption key" debacle comes:

sphughes@sfsuvax1.sfsu.edu (Shaun P. Hughes) writes:
>[From yesterdays S.F. Chronicle]

>"President Clinton has asked Congress for authority to spend more money
>on spy agencies, satellites and other intelligence activities in fiscal
>1994 than it allotted for 1993, congressional and administration
>officials say. "

>.... Clinton had promised to slash intelligence spending by $7 billion
>over four years.

>.... Although the size of the nation's vast intelligence budget remains
>an official secret, administration and congressional officials disclosed
>yesterday that it would total about $28 billion if the increase
>requested by Clinton is approved.

Wonder how much of that extra money goes into coming up with
encryption schemes they can easily crack?
-- 
The Theorem Theorem: If if, then then

Newsgroup: sci.crypt
Document_id: 15266
From: rdippold@qualcomm.com (Ron "Asbestos" Dippold)
Subject: Re: White House Wiretap Chip Disinformation Sheet

wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705) writes:
>Fascinating.  Most of the content of the White House announcements was
>in what was *not* said.  It gives us almost nothing of value, threatens to
>take away a lot, and does it with a sincere smile on its face,
>and the nice friendly word "Management".

The computer, err, government, is your friend.  Have a nice day (under
penalty of law).
-- 
To refuse praise is to seek praise twice.

Newsgroup: sci.crypt
Document_id: 15267
From: rdippold@qualcomm.com (Ron "Asbestos" Dippold)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

jhesse@netcom.com (John Hesse) writes:
>Oh great. Wonderful news. Nobody can listen in--except the feds.

And anybody who can get the keys from the escrow company.  This is a
database that's going to take plenty of updating - they think they can
keep it secure?  Please...  and that's just primary, not secondary
sources, such as police using the key under a warrant.  Would anyone
be surprised if they just "neglected" to erase the key if it turned
out they couldn't nail you on anything?
-- 
Nourish a waif and it will pick out your eyes.

Newsgroup: sci.crypt
Document_id: 15268
From: brad@clarinet.com (Brad Templeton)
Subject: Re: How to detect use of an illegal cipher?

In article <1qnmnp$db8@sol.TIS.COM> mjr@tis.com (Marcus J Ranum) writes:
>traffic. That way your traffic looks "normal" and perhaps anyone
>desiring to listen in won't even bother, since they know nobody's
>going to really trust crypto that has classified internals for
>important stuff.


Nice to think, but naive.  The fact is that millions of people today
are sending highly confidential information over unencoded, easy to
receive cellular phones.  They figure the chances of being heard are
small, so they risk it.

And 99.9% of people don't understand crypto the way the least of the
sci.crypt newbies does.   If Clinton tells them it's good crypto,
they'll believe him, and send important stuff over it, and be thankful
that they're no longer using clear-voice FM cellular phones.

Only a tiny fraction of people will want more crypto.  Worse, in the
eyes of the government, which swears up and down the algorithm is
spook-level secure (and it may indeed be) the only reason you could
possibly want this extra level is to avoid police.

By using it, you'll attract attention as a likely lawbreaker.

"Your honour, the suspect suddenly started using another level of
cryptography and we can't tap his phone calls any more.  He must
have something to hide.  Please sign the warrant to search his
house..."
-- 
Brad Templeton, ClariNet Communications Corp. -- Sunnyvale, CA 408/296-0366

Newsgroup: sci.crypt
Document_id: 15269
From: barrett@lucy.ee.und.ac.za (Alan Barrett)
Subject: Re: White House Public Encryption Management Fact Sheet

In article <C5LGAz.250@dove.nist.gov>,
clipper@csrc.ncsl.nist.gov (Clipper Chip Announcement) writes:
> Distribution: na

No thanks.  This topic is of interest to a much wider audience.

> In making this decision, I do
> not intend to prevent the private sector from developing, or the
> government from approving, other microcircuits or algorithms that
> are equally effective in assuring both privacy and a secure key-
> escrow system.

"In making this decision, I intend to prevent the private sector from
developing, except with the government's approval, other microcircuits
or algorithms that are more effective in assuring privacy."

--apb
Alan Barrett, Dept. of Electronic Eng., Univ. of Natal, Durban, South Africa
RFC822: barrett@ee.und.ac.za

Newsgroup: sci.crypt
Document_id: 15270
From: louie@sayshell.umd.edu (Louis A. Mamakos)
Subject: Re: Once tapped, your code is no good any more.

In article <tcmayC5M2xv.JEx@netcom.com> tcmay@netcom.com (Timothy C. May) writes:

>But is it any worse than the current unsecure system? It becomes much
>worse, of course, if the government then uses this "Clinton Clipper"
>to argue for restrictions on unapproved encryption. (This is the main
>concern of most of us, I think. The camel's nose in the tent, etc.)

Excuse me?  This has *already* happened.  There's a couple of humps in
the tent already.  Ask the folks at Qualcomm what became of the
non-trivial encryption scheme they proposed for use in their CDMA
digital cellular phone standard?  There *already* are restrictions in
place.

Louis Mamakos

Newsgroup: sci.crypt
Document_id: 15271
From: ken@sugra.uucp (Kenneth Ng)
Subject: Re: Fifth Amendment and Passwords

In article <1993Apr16.165423.27204@linus.mitre.org: ptrei@bistromath.mitre.org (Peter Trei) writes:
:Judge: "I grant you immunity from whatever may be learned from the key
:	itself"
:You:    "The keyphrase is: "I confess to deliberately evading copyright; 
:	the file encoded with this keyphrase contains illegal scans of 
:        copyrighted Peanuts strips.""
:Judge and CP: "Oh."
:     How will they get you now? I'm not saying that they won't, or
:can't (or even that they shouldn't :-), but what legal mechanism will
:they use? Should we be crossposting this to misc.legal?

Hm, could another court try you via a bypass of the double jeopardy amendment
like they are doing in the LAPD trial?  Ie your judge is a state judge, and
then a federal judge retries you under the justification that its not the
same trial.

-- 
Kenneth Ng
Please reply to ken@blue.njit.edu for now.
"All this might be an elaborate simulation running in a little device sitting
on someone's table" -- J.L. Picard: ST:TNG

Newsgroup: sci.crypt
Document_id: 15272
From: smb@research.att.com (Steven Bellovin)
Subject: Re: The Old Key Registration Idea...

In article <rlglendeC5LrwC.95C@netcom.com>, rlglende@netcom.com (Robert Lewis Glendenning) writes:
> I have been chided for stating that Dorothy Denning was intellectually
> dishonest in the ACM debate and in this newsgroup.  I have previously
> refrained from suggesting that she is arguing on behalf of consulting
> clients.
> 
> Now, I say that it is clear that Dorothy Denning has been functioning
> as a lobbyist, not a computer scientist.  She has used legal ethics
> (truth is what you can convince anyone of), not scientific ethics
> (truth is understanding the external world).
> 
> Maybe we can revoke her ACM membership? 8)

I suggest that you refrain from such insults unless and until you can
produce some evidence to back up that claim.  Given the measures proposed
or passed in the last year or so, such as S.266 and the scanner ban,
her proposal need not be any more than her own attempt at a technical
solution.  It's entirely possible, in fact, that it was the notion of
splitting the key, which came up in the debate, that softened this proposal.

Newsgroup: sci.crypt
Document_id: 15273
From: ji@cs.columbia.edu (John Ioannidis)
Subject: Re: Source of random bits on a Unix workstation

In article <899@pivot.sbi.com> bet@sbi.com (Bennett Todd @ Salomon Brothers Inc., NY ) writes:
>
>I heard about this solution, and it sounded good. Then I heard that folks
>were experiencing times of 30-60 seconds to run this, on
>reasonably-configured workstations. I'm not willing to add that much delay
>to someone's login process. My approach (etherfind|compress, skip 10K) takes
>a second or two to run. I'm considering writing the be-all and end-all of
>solutions, that launches the MD5, and simultaneously tries to suck bits off
>the net, and if the net should be sitting __SO__ idle that it can't get 10K
>after compression before MD5 finishes, use the MD5. This way I could have
>guaranteed good bits, and a deterministic upper bound on login time, and
>still have the common case of login take only a couple of extra seconds.
>

53 seconds to hash 20M of core (I bet I know who the source of your
information is!). No, it's not acceptable if it's part of your login
process. But if you are going to use network traffic as the source of
pseudo-random information, do the right thing and pass it through a
cryptographic hash function, not a compressor. Aside from the fact
that it will run faster, it will give better results (think of a
cryptographic hash as a function that "distills" randomness).
Something along the lines of 
	etherfind -t -x -n  | dd bs=1k count=10 2>/dev/null | md5
should do the trick. -t gives you timestamps, and the lack of -u makes
sure that dd does not get ten lines as opposed to ten K. The above
takes a couple of seconds on a lightly-loaded ethernet.

>-Bennett
>bet@sbi.com

/ji
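
Added example for the two posts in this thread (Bennett Todd's etherfind|compress approach and the reply above recommending a cryptographic hash instead); this is illustration code, not something either poster wrote. Since it has to run offline, the capture is constructed inline rather than read from etherfind, SHA-256 stands in for the MD5 of the thread, and the frame layout, the "clock" source and the byte counts are assumptions. It shows why a compressor is the wrong distiller: its output starts with a fixed stream header and still encodes the input's structure, whereas the hash output is fixed-size and every output bit depends on the whole input. It also adds one thing the thread does not mention, length-prefixing each source when several unrelated sources are mixed.

```python
import hashlib
import math
import zlib
from collections import Counter


def build_capture(n_packets: int, salt: bytes = b"") -> bytes:
    """Constructed stand-in for the bytes `etherfind -t -x -n` would emit:
    every frame is a fixed 22-byte header (predictable to anyone) followed
    by four bytes that vary per frame (a counter and a salt-dependent mix)."""
    header = bytes.fromhex("08002b11223308002b44556608004500005400004000")
    key = int.from_bytes((salt + b"\x00\x00")[:2], "big")
    frames = []
    for i in range(n_packets):
        varying = i.to_bytes(2, "big") + ((i * 7919 + key) & 0xFFFF).to_bytes(2, "big")
        frames.append(header + varying)
    return b"".join(frames)


def shannon_bits_per_byte(data: bytes) -> float:
    """Crude entropy estimate from the byte histogram. It ignores ordering and
    context, so it is an upper bound on the unpredictability; a raw capture
    scoring well here is still not usable as a key without distillation."""
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def compressor_extract(data: bytes, skip: int = 0) -> bytes:
    """The thread's compress-then-skip approach, with zlib as the compressor.
    The output begins with zlib's fixed 2-byte header and the rest is a
    reversible encoding of the input, so structure survives; skipping the
    first few K removes bytes, not predictability."""
    return zlib.compress(data)[skip:]


def hash_extract(*sources: bytes, length_prefix: bool = True) -> bytes:
    """Mix any number of unrelated sources into one fixed-size seed.
    Each source is length-prefixed so the boundaries are unambiguous:
    (b"ab", b"c") must not yield the same seed as (b"a", b"bc")."""
    h = hashlib.sha256()
    for s in sources:
        if length_prefix:
            h.update(len(s).to_bytes(8, "big"))
        h.update(s)
    return h.digest()


def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


if __name__ == "__main__":
    cap = build_capture(200, b"k1")
    print(f"raw capture: {len(cap)} bytes, ~{shannon_bits_per_byte(cap):.2f} bits/byte")
    print("compressor output starts with:", compressor_extract(cap)[:4].hex())
    seed1 = hash_extract(cap, b"clock:1")
    seed2 = hash_extract(build_capture(200, b"k2"), b"clock:1")
    print("seed:", seed1.hex())
    print("bits differing between seeds of two nearby captures:", hamming(seed1, seed2))
```

The caveat that goes with the reply's "distills" wording: a hash concentrates unpredictability that is already in the input, it cannot create any. If the network is so idle that the only frames captured are ones an attacker sent or can reproduce, the seed is as guessable as the capture, which is exactly the case the earlier post's MD5-of-memory fallback is meant to cover.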


Newsgroup: sci.crypt
Document_id: 15274
From: zrepachol@cc.curtin.edu.au (Paul Repacholi)
Subject: Re: How do they know what keys to ask for? (Re: Clipper)

In article <johnson.735023704@trwacs>, johnson@trwacs.fp.trw.com (Steve Johnson) writes:
> brad@clarinet.com (Brad Templeton) writes:
>>And of course you have to identify yourself to the phone company, and
>>since the phone company complies with court orders, they will know the
>>magic number of your chip when they sign out a warrant on you, and
>>then can present the warrant to the key escrow house.


Let's hope. Years ago a Telecom tech refused to tap a line unless he saw the 
warrant. The management type who told him to do it fired him. The appeal
against the dismissal was lost.

>   Who makes them forget and destroy all copies of the key once they've
> decided you're not a criminal today?  Just curious.

Good luck.

~Paul


Newsgroup: sci.crypt
Document_id: 15275
From: zrepachol@cc.curtin.edu.au (Paul Repacholi)
Subject: Re: What is going on?...

In article <1993Apr16.055100.1@cc.curtin.edu.au>, zrepachol@cc.curtin.edu.au (Paul Repacholi) writes:
...
> If you can't be bothered reading, get the video "Manufacturing Consent".
> 

In reply to mail queries; I don't know if a video is available yet. I asked
about a month ago and was told RSN.

Several have also asked which of Chomsky's books. My answer is ALL of them, and
anything else you can get as well. However, due to irritations like the 24 hr
day etc, I would say 'Manufacturing Consent' first, then the last parts of
'Deterring Democracy' ie the bits about the "domestic 3rd world". Chilling.

Anyone at MIT have a good St. Noam bibliography?

~Paul


Newsgroup: sci.crypt
Document_id: 15276
From: deuelpm@craft.camp.clarkson.edu (Hobbit)
Subject: Re: White House Public Encryption Management Fact Sheet


I have a question about digital communications encryption:

	The Fact Sheet mentioned encryption/decryption microcircuitry with 
special "keys" for law enforcement for wire tapping purposes.

	If I wanted to, couldn't I develop  encryption of my own?  That
is, if me and a partner in crime had unique Encryption/decryption
devices installed before the "tappable" one, couldn't we circumvent
the "keys" system?  Or replace it?

	I'd be really interested in knowing how the E/D microcircuits might
be made to prevent such befuddlement! (Layman's language, please! maybe a bit
technical...)

Please E-mail to me, as I'm not in Net News as much as I'd like to be!


Pete
deuelpm@craft.camp.clarkson.edu

--
=====================================
deuelpm@craft.camp.clarkson.edu
=====================================
"*Regret* is a rough sheet to sleep on."  -Herman Brooks

Newsgroup: sci.crypt
Document_id: 15277
From: gtoal@news.ibmpcug.co.uk (Graham Toal)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

In article <strnlghtC5LGFI.JqA@netcom.com> strnlght@netcom.com (David Sternlight) writes:
>
>Though some may argue about the nose of the camel, it's worth noting that
>the government proposal is limited to scrambled telephony. If it is only
>used for that purpose, and does not extend to electronic mail or file
>encryption, then it IS an improvement over the current mass-produced
>standard civilian technology which, with a few exceptions, is limited to
>easy-to-break inverters.

Try reading between the lines David - there are *strong* hints in there
that they're angling for NREN next, and the only conceivable meaning of
applying this particular technology to a computer network is that they
intend it to be used in exclusion to any other means of encryption.

Don't be lulled by the wedge because its end looks so thin.

Graham

Newsgroup: sci.crypt
Document_id: 15278
From: eck@panix.com (Mark Eckenwiler)
Subject: Re: Once tapped, your code is no good any more.

In <1993Apr17.032828.14262@clarinet.com>, brad@clarinet.com sez:
>
>Do the police normally reveal every tap they do even if no charges are
>laid?   In many ways, it would be a positive step if they had to.
>Judges set time limits on warrants, I assume.  

Under the relevant federal law, 18 USC sec. 2518(8)(d), the
authorizing judge must notify the targets within 90 days after the tap
period (with extensions) expires.  This is the "normal" practice.

Of course, no wiretap law would be complete without the Unless Clause,
which in subsection 8(d) reads like this: "On an ex parte showing
[i.e., by the gov't without opposition, since that would obviously
involve notice to the targets] of good cause to a judge of competent
jurisdiction the serving of the inventory required by this subsection
[the order itself; dates of interception; etc.] *may be postponed*"
(emphasis added).


[Followups directed to a few select groups.]

-- 
MORAL: Always Choose the Right Sort of Parents 
       Before You Start in to be Rough
                                        - George Ade
	Mark Eckenwiler    eck@panix.com    ...!cmcl2!panix!eck

Newsgroup: sci.crypt
Document_id: 15279
From: murray@src.dec.com (Hal Murray)
Subject: Re: How do they know what keys to ask for?  (Re: Clipper)

In article <1993Apr17.031520.13902@clarinet.com>, brad@clarinet.com (Brad Templeton) writes:
|> The actual algorithm is classified, however, their main thrust here is
|> for cellular phones, and encryption is only over the radio end, not
|> end to end, I think.   End to end will come later.

Encrypting just the radio link doesn't make sense to me.  That means the telco
has to do the decryption, and hence they need the keys.  How are they going to be
kept secure?

Newsgroup: sci.crypt
Document_id: 15280
From: amolitor@nmsu.edu (Andrew Molitor)
Subject: Re: Once tapped, your code is no good any more.

In article <tcmayC5M2xv.JEx@netcom.com>
	tcmay@netcom.com (Timothy C. May) writes:
>
>But is it any worse than the current unsecure system? It becomes much
>worse, of course, if the government then uses this "Clinton Clipper"
>to argue for restrictions on unapproved encryption. (This is the main
>concern of most of us, I think. The camel's nose in the tent, etc.)
>

	Not to pick on Mr. May in particular, of course, but isn't this
kind of the domino theory? When one little country falls, its neighbor
will surely follow, and before you know it, we're all mining salt
in Siberia for not turning in our Captain Crunch Secret Decoder Rings.

	Surely the hypothesis relying on the least wild assumptions is
to take this at face value. Our lads at the fort were asked to cook up
something that's pretty secure, with a key that can be escrowed neatly,
and they did. The government plans to sell this thing, for the reasons
they state. Yes, those evil guys in the FBI can probably, with some
effort, abuse the system. I got news for you, if the evil guys in
the FBI decide they want to persecute you, they're gonna, and you're
gonna hate it. Fact is, the FBI doesn't want to listen to your phone
calls, and if they do, and if you're using triple-DES, they'll just
get a parabolic microphone and point it at your head.

	This is pretty clearly an effort by the government to do exactly
what they're saying they're doing. As is typical with governments,
it's mismanaged, and full of holes and compromises. As is typical
with our government, it's not too bad, could be worse.

	My interpretation.

	Andrew

>-Tim May, whose sig block may get him busted in the New Regime
                           ^^^^^^^^^^^^^^^^^^

	Isn't this just a little melodramatic?

Newsgroup: sci.crypt
Document_id: 15281
From: grady@netcom.com (1016/2EF221)
Subject: powerful "similarity" too

A Unix tool of cryptographic significance is available
for anonymous ftp.

"agrep 2.0.4" -- a fast approximate pattern-matching tool

source code project available from:

cs.arizona.edu 

in directory "agrep"

agrep is a very fast fuzzy search tool with a tremendous
number of powerful search options.  The one most obviously
applicable to cryptography (key selection) is to be able to
specify the "similarity" of matches in the data.

For example say you make up a password/phrase of "qimwe7l".
Of course you rightly suspect that this key itself is not
in any dictionary or word list.  But how *close* is it to
an entry that could be varied by some "crack" program to
brute-force search for it?

You use agrep to find out.  Looking with argument for none,
one or two errors, no matches.  Good so far.  But 

agrep -3 "qimwe7l" bigwordandphraselist

finds that the pattern "qimwe7l" is too close to the
pattern "imsel" (part of "himself" and a host of others),
to be of any cryptographic value as a key.

An error of level two corresponds to a simple transposition of
letters like "teh" for "the".  A minimally acceptable password
would have to pass at *least* level 3 in order not to be immediately
ruled out as even a remote possibility of being a good password.
(In real cryptographic use, my personal passphrases clear at
*least* level 8 on my rather large [>80 meg] word and phrase lists.)


And for searching for key words in human-typed data (lots o'
typos) the tool is unexcelled.  For example,
say I want to find out what people think about Gibson's
SF book "Neuromancer" in the huge SF-Lover's archives.
Even with an error distance specification as small as
"1" I will find all those people who think the title
was "Necromancer" or other common typos.  Why miss anything?

Also, the program can look for up to 30,000 patterns IN PARALLEL
at Boyer-Moore (sublinear) speeds.  Great for an NSA wannabe
to look for your name, terrorists' names, special Tagalog or
religious words, etc. in the news or e-mail spool directories.

You can even search for ciphertext by using, say, 30,000
random three-byte combinations and eliminate all texts that
don't score the X chi-square 'birthday' hits on message size Y.

You think some crypto-terrorist is trying to foil you by changing
the pattern on you?  No problem.  Try agrep -p NSA to find
NSA, National Security Agency, NSecAg, No Such Agency,
National Scrabble Association, N*S*A, etc.

You can also specify "fixed" areas: looking for license
plate XYZ123 when you know that the letters are correct,
you might say:

agrep -2 <XYZ>123 licenseplatedatabase

will find all plates starting with XYZ with up to two errors
(addition, substitution, deletion) in the number area.  You can
also "weight" the relative "cost" for substitutions, additions,
or deletion errors.  For example, when searching DNA patterns
for a particular protein combination, you might know that
some kinds of damage cause the "A" nucleotide to drop out more
than other errors... you could adjust for this bias by setting
-Dc where you set the "deletion cost" to count as "c" errors.

A steganographic use (I even used "agrep -2 "<steg>eograp" E"
just now to find the correct spelling!) would be to intentionally
introduce errors of a certain type and magnitude into a plaintext
and then later recover the original via an agrep pipe.  Lots of
possibilities here when only outlaws can have ciphertext...

Also with agrep's powerful extraction options it makes it easy
to abstract the "hits" into a useful form.  For example,

agrep -d "^From" 'PGP;(passphrase|Zimmerman|NSA)'

says output the entire mail record, delimited by 'From'
that contains 'PGP' and contains either 'passphrase',
'Zimmerman', or 'NSA'.

And agrep has been measured an order-of-magnitude faster
than the second-best similarity tool publicly available.

As usual, I will be glad to e-mail the source and docs
to those who request them by e-mail IF they cannot do
an anonymous FTP.

Get this now.
It is too powerful to stay in the hands of the NSA.


Grady Ward, vendor to the NSA (and proud of it)

-- 
grady@netcom.com  2EF221 / 15 E2 AD D3 D1 C6 F3 FC  58 AC F7 3D 4F 01 1E 2F

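As an added example of the "similarity" check the post describes (this is my code, not part of the post and not the agrep project's source), the following Python scores a candidate password against a word list using approximate matching. `edit_distance` with `substring=True` does what `agrep -k` does: it finds the cheapest alignment of the whole pattern against any substring of a line, so "qimwe7l" matches inside "himself" at error level 3. Insertion, deletion and substitution costs are adjustable, mirroring the post's `-D` option. The word list, `weakest_match` and `passes_level` are my own constructions standing in for the post's "bigwordandphraselist" and its notion of "passing" a level.

```python
from typing import Iterable, List, Tuple

# Constructed stand-in for the post's "bigwordandphraselist"; a real check
# would stream a large dictionary file line by line.
WORDLIST: List[str] = ["himself", "welcome", "the", "password", "letmein"]


def edit_distance(pattern: str, text: str, *, substring: bool = False,
                  ins_cost: int = 1, del_cost: int = 1, sub_cost: int = 1) -> int:
    """Weighted edit distance between pattern and text.

    substring=False: classic Levenshtein distance between the whole strings.
    substring=True:  agrep-style matching, i.e. the cheapest alignment of the
                     whole pattern against *any* substring of text (Sellers'
                     variant of the DP: row 0 is all zeros and the answer is the
                     minimum of the last row instead of its final cell).
    Costs: del_cost for a pattern character that has no counterpart in the text,
    ins_cost for an extra text character, sub_cost for a mismatch.
    """
    n = len(text)
    # Row 0: matching the empty pattern costs nothing at any text position when
    # substring-matching, otherwise it costs one insertion per text character.
    prev = [0] * (n + 1) if substring else [j * ins_cost for j in range(n + 1)]
    for i in range(1, len(pattern) + 1):
        cur = [prev[0] + del_cost] + [0] * n   # pattern[:i] against empty text
        for j in range(1, n + 1):
            cur[j] = min(
                prev[j] + del_cost,                         # drop pattern[i-1]
                cur[j - 1] + ins_cost,                      # skip text[j-1]
                prev[j - 1] + (0 if pattern[i - 1] == text[j - 1] else sub_cost),
            )
        prev = cur
    return min(prev) if substring else prev[n]


def weakest_match(password: str, wordlist: Iterable[str]) -> Tuple[str, int]:
    """Return the word-list entry the password is closest to (agrep-style
    substring matching) together with that distance."""
    return min(((w, edit_distance(password, w, substring=True)) for w in wordlist),
               key=lambda wd: wd[1])


def passes_level(password: str, wordlist: Iterable[str], level: int) -> bool:
    """True when `agrep -<level> password wordlist` would report no match,
    i.e. every entry is more than `level` edits away from the password."""
    return weakest_match(password, wordlist)[1] > level


if __name__ == "__main__":
    pw = "qimwe7l"                      # the post's example password
    word, dist = weakest_match(pw, WORDLIST)
    print(f"{pw!r} is {dist} edits from {word!r}")
    for level in (1, 2, 3):
        print(f"  passes level {level}: {passes_level(pw, WORDLIST, level)}")
    # The post's transposition remark: "teh" vs "the" is a level-2 error.
    print("teh/the distance:", edit_distance("teh", "the"))
```

On the constructed list, "qimwe7l" passes levels 1 and 2 but fails level 3 because of "himself", which is the outcome the post reports against its much larger list; the weighted-cost parameters let the DNA-style bias the post mentions (a deletion counting as `c` errors) be expressed directly.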

Newsgroup: sci.crypt
Document_id: 15282
From: mearle@netcom.com (Mark Earle)
Subject: PGP 2.0 vs 2.2


I've seen PGP 2.2 mentioned for the Mac platform. I use 2.0 on MS/DOS.
Is there a 2.2 for MS/DOS? If so, a site or two that has it available
(I'd need executables, although source would be nice to review).
What was "fixed" or changed from 2.0 > 2.2?
 
Thanks, mwe
mearle@netcom.com
finger for pgp2.0 public key


Newsgroup: sci.crypt
Document_id: 15283
From: gthomas@fraser.sfu.ca (Guy Thomas)
Subject: Re: What is going on?...

zrepachol@cc.curtin.edu.au (Paul Repacholi) writes:

>In article <1993Apr16.055100.1@cc.curtin.edu.au>, zrepachol@cc.curtin.edu.au (Paul Repacholi) writes:
>...
>> If you can't be bothered reading, get the video "Manufacturing Consent".
>> 

>In reply to mail queries; I don't know if a video is available yet. I asked
>about a month ago and was told RSN.

Yes it is. From the National Film Board of Canada.
Guy
gthomas@native-ed.bc.ca

Newsgroup: sci.crypt
Document_id: 15284
From: smb@research.att.com (Steven Bellovin)
Subject: Clipper -- some new thoughts

I'd *desperately* prefer it if we didn't rehash the same arguments
that went on ad infinitum last time.  That's especially true for
sci.crypt.  For that matter, I've created alt.privacy.clipper, since
the traffic is appearing in *many* different groups right now.

I'm going to focus here on some technical aspects of the plan, hence my
followup to sci.crypt.  Frankly, if you're not an absolutist, your
feelings may turn on some of these issues.  For example -- with an
80-bit key, simply splitting it into two 40-bit pieces is much less
acceptable than other schemes, because it means that if just one
repository is, shall we say, overly pliable, a would-be eavesdropper
would need to recover just 40 more bits of key.  I need not point out
in this newsgroup that that's pretty easy to do by exhaustive search.
A slightly more complex scheme -- XOR-ing the key with a random number,
and then with its complement -- would produce two 80-bit subkeys,
neither of which is useful alone.  That variant is much more resistant
to attack.  Clearly, one can get even more sophisticated, to protect
the subkeys even more.

Other thoughts...  Some people have noted the size and complexity of
the databases necessary.  But the id strings the phones emit could be
their back door key, double-encrypted with the escrow repositories'
public keys.  For that matter, they could do that only with session
keys, and have no back door at all.  In that case, the FBI would have
to bring every intercept to the repositories to be decrypted.  This
would answer many of the objections along the lines of ``how do you
make sure they stop''.

We can even combine that with a variant of the digital telephony back
door -- have the switch do the tap, but with a digitally-signed record
of the time, phone number, etc, of the call.  That provides proof to
the escrow agents that the tap was done in compliance with the terms of
the warrant.

I can suggest other variations, too.  Suppose each Clipper chip had 100
public key pairs.  Each would be used ~10 times, after which you'd need
more keying material.  (Not a bad idea in any event.)  This could be
used to enforce time limits, or rather, usage limits, on each warrant;
the keys the repository agents would deliver wouldn't last for very
long.

I suspect that the cryptographic algorithm itself is secure.  Apart from
the obvious -- why push a weak algorithm when you've already got the
back door? -- I think that the government is still genuinely concerned
about foreign espionage, especially aimed at commercial targets.  This
scheme lets the spooks have their cake and eat it, too.  (I've heard
rumors, over the years, that some factions within NSA were unhappy with
DES because it was too good.  Not that they couldn't crack it, but it
was much too expensive to do so as easily as they'd want.)  They're keeping
the details secret so that others don't build their own implementations
without the back door.

The cryptographic protocol, though, is another matter.  I see no valid
reasons for keeping it secret, and -- as I hope I've shown above -- there
are a lot of ways to do things that aren't (quite) as bad.
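
An added example (my code, not part of the post) contrasting the two ways of splitting an 80-bit escrow key that the post discusses. The "naive" scheme hands each repository one 40-bit half. The XOR scheme used here is the standard two-of-two split: share A is the key XORed with a random mask and share B is the mask itself, so the key is the XOR of the shares; I use that construction in place of the post's informal wording. The brute-force counters run on an 8-bit key so they finish instantly; what they count is how many candidate keys remain consistent with a single leaked share, which is the quantity the post's "just 40 more bits" remark is about.

```python
import secrets
from typing import Optional, Tuple

KEY_BITS = 80  # Clipper's stated key length


def naive_split(key: int, bits: int = KEY_BITS) -> Tuple[int, int]:
    """Weak scheme: give one repository the high half and the other the low half."""
    half = bits // 2
    return key >> half, key & ((1 << half) - 1)


def naive_recover(high: int, low: int, bits: int = KEY_BITS) -> int:
    return (high << (bits // 2)) | low


def xor_split(key: int, bits: int = KEY_BITS,
              mask: Optional[int] = None) -> Tuple[int, int]:
    """Two-of-two XOR split: share A = key ^ mask, share B = mask.
    The mask must be fresh, uniformly random and as long as the key; it may be
    passed in explicitly only so that tests are deterministic."""
    if mask is None:
        mask = secrets.randbits(bits)
    return key ^ mask, mask


def xor_recover(share_a: int, share_b: int) -> int:
    return share_a ^ share_b


def keys_consistent_with_naive_share(high_share: int, bits: int) -> int:
    """Brute force: how many keys in the whole space have this high half?
    Use a small `bits` (e.g. 8); for 80 bits the answer is 2**40."""
    half = bits // 2
    return sum(1 for k in range(1 << bits) if (k >> half) == high_share)


def keys_consistent_with_xor_share(share_a: int, bits: int) -> int:
    """Brute force over keys *and* masks: how many keys could have produced
    this share? Every key is explained by exactly one mask, so nothing is
    ruled out and the attacker still faces the full 2**bits search."""
    space = 1 << bits
    return sum(1 for k in range(space)
               if any((k ^ m) == share_a for m in range(space)))


if __name__ == "__main__":
    key = secrets.randbits(KEY_BITS)
    hi, lo = naive_split(key)
    a, b = xor_split(key)
    assert naive_recover(hi, lo) == key and xor_recover(a, b) == key
    # Leak one share of a small key under each scheme and count what remains.
    demo_key = 0xB7
    print("naive, one share leaked:",
          keys_consistent_with_naive_share(naive_split(demo_key, 8)[0], 8), "candidates")
    print("xor,   one share leaked:",
          keys_consistent_with_xor_share(xor_split(demo_key, 8)[0], 8), "candidates")
```

The counts (16 of 256 remain under the naive split, all 256 under the XOR split) scale to 2**40 versus 2**80 for the real key length, which is the difference the post is pointing at when it says one pliable repository leaves only a 40-bit exhaustive search.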

Newsgroup: sci.crypt
Document_id: 15285
From: Marc VanHeyningen <mvanheyn@cs.indiana.edu>
Subject: How does it really work? (was Re: text of White House announcement and Q&As on clipper chip encryption)

This announcement is somewhat disconcerting; it doesn't do anything
evil in and of itself, but bodes badly for the future of open
algorithms and standards in information security.  I won't start
panicking until/unless DES or RSA or stuff like that is prohibited, but
I'm a little anxious.  (No doubt it won't be long before someone posts
explaining how this is just a small part of some far-ranging and
long-lived NSA-PKP-IRS-FBI-CIA-HandgunControlInc-Clinton conspiracy to
subvert freedom, democracy, and mathematics.)  My feeling is that the
administration probably isn't that worried about things like DES and
RSA and PGP and RIPEM, since they'll never be used by a group much
wider than us computer geeks.

The fact that this just came out now suggests one of two things:

1.  The NSA has been working on this for a long time, and it only just
    now happened to be ``ready'' to release to the world at this time.

2.  The NSA has been working on this for a long time, but wasn't able
    to get the Bush administration to go along with this plan.  (I
    find it unlikely that this would have been because of a sympathy
    for the unescrowed use of cryptography; more likely the
    administration felt that even escrowed, secret-algorithm and, for
    all we know, trivially breakable cryptography should not be made
    widely available.)

Thus said clipper@csrc.ncsl.nist.gov (Clipper Chip Announcement):
>This new technology will help companies protect proprietary
>information, protect the privacy of personal phone conversations
>and prevent unauthorized release of data transmitted
>electronically.  At the same time this technology preserves the
>ability of federal, state and local law enforcement agencies to
>intercept lawfully the phone conversations of criminals. 

The majority of the discussion involving this "Clipper Chip" seems to
pertain to the encryption of telephone conversations.  Does anyone
know if that means this chip is designed to work primarily with analog
signals?  The language sort of suggests this, but it's hard to say.

The main thing I just don't get is whether this chip implements
symmetric or asymmetric cryptographic techniques.  Anybody know?

I'm guessing symmetric, but they don't get very clear about it.  If it
is symmetric, how is it useful for anything other than link-level
encryption with an identical chip at each end?  How can you negotiate
a per-session key using symmetric cryptography without using a trusted
third party who knows your key?  (Or does it even use a per-session
key?)

If it's asymmetric, what about PKP's patents, which they claim cover
all methods of doing asymmetric cryptography?  Are they getting
royalties, or is hiding infringement the real reason for keeping the
algorithm secret? :-)
--
Marc VanHeyningen   mvanheyn@cs.indiana.edu   MIME & RIPEM accepted
Kirk:  I won't hurt you.
Alien: You hit me!
Kirk:  Well, I won't hit you again.

Newsgroup: sci.crypt
Document_id: 15286
From: cuffell@spot.Colorado.EDU (Tim Cuffel)
Subject: Re: Once tapped, your code is no good any more.

I change login passwords every couple of months.  It sure would suck if I had
to get a new sparc station every time I wanted to do this.  It seems that this
is what they expect you to do if you want to routinely change your password
on your phone.  I'm sure the government contractor doesn't mind, but a system
where you can cheaply change keys (DES) has inherent security advantages, 
regardless of the algorithms involved.
-- 
-Tim Cuffel	Finger for PGP 2.1  The CIA has admitted that the assassination
                                    of Saddam Hussein was one of their goals.
They failed, of course.  Seems as though that motorcade through downtown Dallas
trick only works once.

Newsgroup: sci.crypt
Document_id: 15287
From: smythw@vccnw03.its.rpi.edu (William Smythe)
Subject: Re: How to detect use of an illegal cipher?

In article <betel.734997645@camelot> betel@camelot.bradley.edu (Robert Crawford) writes:
>Jay Fenton <Fenton@Kaleida.Com> writes:
>
>>How can the government tell which encryption method one is using without
>>being able to decode the traffic? i.e., In order to accuse me of using an
>>unauthorized strong encryption technique they would have to take both
>>keys out of escrow, run them against my ciphertext and "draw a blank".
>
>	I was thinking about this, also. It's quite possible the
>system transmits, in clear, the serial number of the device being
>used. That way they can start a tap, get the serial number, and use
>the warrant for the first tap to get the key.
>
>	If they tap someone who's apparently using encryption, but
>don't find that prefix, then they'll assume it's an "un-authorized"
>encryption scheme.

From the limited details released so far, it seems that the Clipper chip
system must employ some sort of public key cryptography. Otherwise, the key
management problems inherent to symmetric ciphers would make the system
unworkable. It probably has some sort of public key exchange that takes place
at the start of each call. That's how they would identify the private key in
their database?

This means that either the NSA has developed some non-RSA public key
algorithm or the feds have decided to subsidize PKP & RSADSI. The former is
rather an exciting possibility since keeping the algorithm secret while making
chip implementations widely available will be exceptionally hard. If the feds
are forced to make it available in order to gain public acceptance then that
could break RSA's stranglehold on public key crypto in the U.S.

As for my impressions of the whole scheme, it seems that instead of trying to
ban strong crypto, they are trying to co-opt it. Their contention that they
need to keep the algorithm secret to protect the security of the key
registration suggests a possible inherent weakness in the algorithm. More likely
is that they don't want anyone constructing black market devices which don't
have the keys registered. Anyone else notice that in their Q&A session, they
talk about releasing the keys only to people with proper authorization but
carefully dance around stating that the keys will simply have to be subpoenaed?
They seem to be trying to keep open the possibility of obtaining keys without a
court order even though tapping a phone line requires one. Also pick up on
their implicit threat of either accept this or we'll ban strong crypto outright?
I don't trust this plan at all and plan to oppose it in all (legal) ways
possible.

Bill Smythe


Newsgroup: sci.crypt
Document_id: 15288
From: amanda@intercon.com (Amanda Walker)
Subject: Re: Once tapped, your code is no good any more.

tcmay@netcom.com (Timothy C. May) writes:
> But is it any worse than the current unsecure system? It becomes much 
> worse, of course, if the government then uses this "Clinton Clipper" to 
> argue for restrictions on unapproved encryption. (This is the main 
> concern of most of us, I think. The camel's nose in the tent, etc.) 

I agree.  This is the danger I see, not the system itself.  That is to say, 
this is a political issue, not a technical one.


Amanda Walker
InterCon Systems Corporation


Newsgroup: sci.crypt
Document_id: 15289
From: amanda@intercon.com (Amanda Walker)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

gtoal@news.ibmpcug.co.uk (Graham Toal) writes:
> Try reading between the lines David - there are *strong* hints in there 
> that they're angling for NREN next,

Where?  I honestly didn't see any...

> and the only conceivable meaning of 
> applying this particular technology to a computer network is that they 
> intend it to be used in exclusion to any other means of encryption. 

I disagree, if for no other reason than that there are already other 
standards in place.  Besides, even if they restrict encryption on the NREN, 
who cares?  Most of the Internet is commercial anyway.  The NREN is only for 
government and university research (read the proposals--it's a "data 
superhighway" for Cray users, not anything having to do with the Internet).


Amanda Walker
InterCon Systems Corporation



Newsgroup: sci.crypt
Document_id: 15290
From: pat@rwing.UUCP (Pat Myrto)
Subject: New Clipper Chip Proposal from the Guv...

I saw this article posted in a local newsgroup.  I haven't seen it,
or any followup traffic relating to it in these groups or other groups
which I subscribe to.  So, I am posting it here so others can read it,
check it out, and comment on it, and provide ideas for handling these
sorts of things.

I have no verification to the accuracy or lack of accuracy of this
article, but if accurate, I find it extremely disturbing, especially in
light of various abuses of the SSN number regarding privacy, (I understand
it is now to be required in CA to renew a drivers license, or to register
a car) and other proposals regarding 'smart' national Identity Cards,
wiretap proposals, and such.  One simply wonders what other gems are in
the wings ready to be sprung on the people by our government.  Perhaps
suggestions and ideas for preventing this and other such proposals from
acquiring the force of law would be useful.  The cost simply outweighs
any possible benefits, IMO.

BTW, reading this makes me think of some ideas a Prof Denning has been
promoting, in an even more disturbing form.

That said, with no further comment, the article follows:

------------ Begin included article ---------

Note:  This file will also be available via anonymous file
transfer from csrc.ncsl.nist.gov in directory /pub/nistnews and
via the NIST Computer Security BBS at 301-948-5717.
     ---------------------------------------------------

                         THE WHITE HOUSE

                  Office of the Press Secretary

_________________________________________________________________

For Immediate Release                           April 16, 1993


                STATEMENT BY THE PRESS SECRETARY


The President today announced a new initiative that will bring
the Federal Government together with industry in a voluntary
program to improve the security and privacy of telephone
communications while meeting the legitimate needs of law
enforcement.

The initiative will involve the creation of new products to
accelerate the development and use of advanced and secure
telecommunications networks and wireless communications links.

For too long there has been little or no dialogue between our
private sector and the law enforcement community to resolve the
tension between economic vitality and the real challenges of
protecting Americans.  Rather than use technology to accommodate
the sometimes competing interests of economic growth, privacy and
law enforcement, previous policies have pitted government against
industry and the rights of privacy against law enforcement.

Sophisticated encryption technology has been used for years to
protect electronic funds transfer.  It is now being used to
protect electronic mail and computer files.  While encryption
technology can help Americans protect business secrets and the
unauthorized release of personal information, it also can be used
by terrorists, drug dealers, and other criminals.

A state-of-the-art microcircuit called the "Clipper Chip" has
been developed by government engineers.  The chip represents a
new approach to encryption technology.  It can be used in new,
relatively inexpensive encryption devices that can be attached to
an ordinary telephone.  It scrambles telephone communications
using an encryption algorithm that is more powerful than many in
commercial use today.

This new technology will help companies protect proprietary
information, protect the privacy of personal phone conversations
and prevent unauthorized release of data transmitted
electronically.  At the same time this technology preserves the
ability of federal, state and local law enforcement agencies to
intercept lawfully the phone conversations of criminals. 

A "key-escrow" system will be established to ensure that the
"Clipper Chip" is used to protect the privacy of law-abiding
Americans.  Each device containing the chip will have two unique
"keys," numbers that will be needed by authorized government
agencies to decode messages encoded by the device.  When the
device is manufactured, the two keys will be deposited separately
in two "key-escrow" data bases that will be established by the
Attorney General.  Access to these keys will be limited to
government officials with legal authorization to conduct a
wiretap.

The "Clipper Chip" technology provides law enforcement with no
new authorities to access the content of the private
conversations of Americans.

To demonstrate the effectiveness of this new technology, the
Attorney General will soon purchase several thousand of the new
devices.  In addition, respected experts from outside the
government will be offered access to the confidential details of
the algorithm to assess its capabilities and publicly report
their findings.

The chip is an important step in addressing the problem of
encryption's dual-edge sword:  encryption helps to protect the
privacy of individuals and industry, but it also can shield
criminals and terrorists.  We need the "Clipper Chip" and other
approaches that can both provide law-abiding citizens with access
to the encryption they need and prevent criminals from using it
to hide their illegal activities.  In order to assess technology
trends and explore new approaches (like the key-escrow system),
the President has directed government agencies to develop a
comprehensive policy on encryption that accommodates:

     --   the privacy of our citizens, including the need to
          employ voice or data encryption for business purposes;

     --   the ability of authorized officials to access telephone
          calls and data, under proper court or other legal
          order, when necessary to protect our citizens;

     --   the effective and timely use of the most modern
          technology to build the National Information
          Infrastructure needed to promote economic growth and
          the competitiveness of American industry in the global
          marketplace; and 

     --   the need of U.S. companies to manufacture and export
          high technology products.

The President has directed early and frequent consultations with
affected industries, the Congress and groups that advocate the
privacy rights of individuals as policy options are developed.

The Administration is committed to working with the private
sector to spur the development of a National Information
Infrastructure which will use new telecommunications and computer
technologies to give Americans unprecedented access to
information.  This infrastructure of high-speed networks
("information superhighways") will transmit video, images, HDTV
programming, and huge data files as easily as today's telephone
system transmits voice.

Since encryption technology will play an increasingly important
role in that infrastructure, the Federal Government must act
quickly to develop consistent, comprehensive policies regarding
its use.  The Administration is committed to policies that
protect all Americans' right to privacy while also protecting
them from those who break the law.

Further information is provided in an accompanying fact sheet. 
The provisions of the President's directive to acquire the new
encryption technology are also available.  

For additional details, call Mat Heyman, National Institute of
Standards and Technology, (301) 975-2758.

---------------------------------


QUESTIONS AND ANSWERS ABOUT THE CLINTON ADMINISTRATION'S
TELECOMMUNICATIONS INITIATIVE




Q:   Does this approach expand the authority of government
     agencies to listen in on phone conversations?

A:   No.  "Clipper Chip" technology provides law enforcement with
     no new authorities to access the content of the private
     conversations of Americans.

Q:   Suppose a law enforcement agency is conducting a wiretap on
     a drug smuggling ring and intercepts a conversation
     encrypted using the device.  What would they have to do to
     decipher the message?

A:   They would have to obtain legal authorization, normally a
     court order, to do the wiretap in the first place.  They
     would then present documentation of this authorization to
     the two entities responsible for safeguarding the keys and
     obtain the keys for the device being used by the drug
     smugglers.  The key is split into two parts, which are
     stored separately in order to ensure the security of the key
     escrow system.

Q:   Who will run the key-escrow data banks?

A:   The two key-escrow data banks will be run by two independent
     entities.  At this point, the Department of Justice and the
     Administration have yet to determine which agencies will
     oversee the key-escrow data banks.

Q:   How strong is the security in the device?  How can I be sure
     how strong the security is?  

A:   This system is more secure than many other voice encryption
     systems readily available today.  While the algorithm will
     remain classified to protect the security of the key escrow
     system, we are willing to invite an independent panel of
     cryptography experts to evaluate the algorithm to assure all
     potential users that there are no unrecognized
     vulnerabilities.

Q:   Whose decision was it to propose this product?

A:   The National Security Council, the Justice Department, the
     Commerce Department, and other key agencies were involved in
     this decision.  This approach has been endorsed by the
     President, the Vice President, and appropriate Cabinet
     officials.

Q:   Who was consulted?  The Congress?  Industry?

A:   We have on-going discussions with Congress and industry on
     encryption issues, and expect those discussions to intensify
     as we carry out our review of encryption policy.  We have
     briefed members of Congress and industry leaders on the
     decisions related to this initiative.

Q:   Will the government provide the hardware to manufacturers?

A:   The government designed and developed the key access
     encryption microcircuits, but it is not providing the
     microcircuits to product manufacturers.  Product
     manufacturers can acquire the microcircuits from the chip
     manufacturer that produces them.

Q:   Who provides the "Clipper Chip"?

A:   Mykotronx programs it at their facility in Torrance,
     California, and will sell the chip to encryption device
     manufacturers.  The programming function could be licensed
     to other vendors in the future.

Q:   How do I buy one of these encryption devices? 

A:   We expect several manufacturers to consider incorporating
     the "Clipper Chip" into their devices.
     
Q:   If the Administration were unable to find a technological
     solution like the one proposed, would the Administration be
     willing to use legal remedies to restrict access to more
     powerful encryption devices?

A:   This is a fundamental policy question which will be
     considered during the broad policy review.  The key escrow
     mechanism will provide Americans with an encryption product
     that is more secure, more convenient, and less expensive
     than others readily available today, but it is just one
     piece of what must be the comprehensive approach to
     encryption technology, which the Administration is
     developing.

     The Administration is not saying, "since encryption
     threatens the public safety and effective law enforcement,
     we will prohibit it outright" (as some countries have
     effectively done); nor is the U.S. saying that "every
     American, as a matter of right, is entitled to an
     unbreakable commercial encryption product."  There is a
     false "tension" created in the assessment that this issue is
     an "either-or" proposition.  Rather, both concerns can be,
     and in fact are, harmoniously balanced through a reasoned,
     balanced approach such as is proposed with the "Clipper
     Chip" and similar encryption techniques.

Q:   What does this decision indicate about how the Clinton
     Administration's policy toward encryption will differ from
     that of the Bush Administration?  

A:   It indicates that we understand the importance of encryption
     technology in telecommunications and computing and are
     committed to working with industry and public-interest
     groups to find innovative ways to protect Americans'
     privacy, help businesses to compete, and ensure that law
     enforcement agencies have the tools they need to fight crime
     and terrorism.

Q:   Will the devices be exportable?  Will other devices that use
     the government hardware?

A:   Voice encryption devices are subject to export control
     requirements.  Case-by-case review for each export is
     required to ensure appropriate use of these devices.  The
     same is true for other encryption devices.  One of the
     attractions of this technology is the protection it can give
     to U.S. companies operating at home and abroad.  With this
     in mind, we expect export licenses will be granted on a
     case-by-case basis for U.S. companies seeking to use these
     devices to secure their own communications abroad.  We plan
     to review the possibility of permitting wider exportability
     of these products.

----------- End included article ----------- 

-- 
pat@rwing.uucp      [Without prejudice UCC 1-207]     (Pat Myrto) Seattle, WA
         If all else fails, try:       ...!uunet!pilchuck!rwing!pat
WISDOM: "Only two things are infinite; the universe and human stupidity,
         and I am not sure about the former."              - Albert Einstein

Newsgroup: sci.crypt
Document_id: 15291
From: smb@research.att.com (Steven Bellovin)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

In article <1qp9d1$e37@dorothy.ibmpcug.co.uk>, gtoal@news.ibmpcug.co.uk (Graham Toal) writes:
> Try reading between the lines David - there are *strong* hints in there
> that they're angling for NREN next, and the only conceivable meaning of
> applying this particular technology to a computer network is that they
> intend it to be used in exclusion to any other means of encryption.

Umm...  I beg to differ with the phrase ``only conceivable meaning''.
The SDNS protocols, for example, make explicit provision for multiple
encryption systems, as does PEM.  (And I'd love to see how they'd
mandate this new system for PEM without disclosing it....)

Mind you, I'm not saying that multiple algorithms will actually be
used -- but the relevant technologies certainly provide for them, which
certainly casts doubt on your choice of words.

Newsgroup: sci.crypt
Document_id: 15292
From: rlglende@netcom.com (Robert Lewis Glendenning)
Subject: Don't fight Clipper Chip, subvert or replace it !

Clipper Chip is a response to the fact that there is no business
or professional body in a position to establish a standard and
provide chipsets to implement it for analog or digital transmission
systems.

RSA might be in position to do it, if they had active cooperation of
a couple of manufacturers of cellular phones or desktop phones.

Large companies in the voice/data comm business are out, because they
all have contracts with the gov which would be used to pressure them.

If we, as professionals in crypto organizations, EFF, etc. were to
put our collective minds and interests toward establishing a
crypto standard for transmission, and getting our companies to
implement it, we might avoid government control.

Otherwise, I think it will happen to us by default.  Gov isn't probably
strong enough or foolish enough to prevent strong crypt.  They
are strong enough, and we may be foolish enough, to push through
the Clipper Chip.

Is RSA independent of the gov enough to spearhead this?  I, for one,
would *gladly* pay royalties via purchasing secure phones.

If not this, we should provide an algorithm which can be implemented
in either SW or HW and publish it, then push to make it the defacto
standard in the way that PGP and RIPEM are becoming such.

We are opposing, charging the bunker.  We should be nimble and clever.
The gov is strong, not clever.

Lew
-- 
Lew Glendenning		rlglende@netcom.com
"Perspective is worth 80 IQ points."	Niels Bohr (or somebody like that).

Newsgroup: sci.crypt
Document_id: 15293
From: masjhd@gdr.bath.ac.uk (James Davenport)
Subject: Re: Trinomial-Based PRNG

I tried to mail Peter Boucher, who posted the question, but my e-mail
bounced, so, apologies to those who are not interested.
>trinomials are all of the form X**a + X**b + 1, where a
Have you read:
Bremner,A.,
On Trinomials of Type x^n + Ax^m + 1.
Math. Scand. 49(1981) pp. 145-155.
Zbl. 458.12012.
MR 83k:12002.

Ljunggren,W.,
On the Irreducibility of Certain Trinomials and Quadrinomials.
Math. Scand. 8(1960) pp. 65-70.

Tverberg,H.,
On the Irreducibility of the Trinomials
x^n ± x^m ± 1.
Math. Scand. 8(1960) pp. 121-126.

Tverberg,H.,
On Cubic Factors of Certain Trinomials.
Math. Scand. 53(1983) pp. 178-184.
Zbl. 513.12003.

James Davenport
jhd@maths.bath.ac.uk

Newsgroup: sci.crypt
Document_id: 15294
From: kadie@cs.uiuc.edu (Carl M Kadie)
Subject: Re: Clipper Crap

>encryption's dual-edge sword:  encryption helps to protect the
>privacy of individuals and industry, but it also can shield
>criminals and terrorists.  We need the "Clipper Chip" and other

"Necessity is the plea for every infringement of human freedom. It is
the argument of tyrants; it is the creed of slaves." -- William Pitt
-- 
Carl Kadie -- I do not represent any organization; this is just me.
 = kadie@cs.uiuc.edu =

Newsgroup: sci.crypt
Document_id: 15295
From: tcmay@netcom.com (Timothy C. May)
Subject: Re: Don't fight Clipper Chip, subvert or replace it !

Robert Lewis Glendenning (rlglende@netcom.com) wrote:
: Clipper Chip is a response to the fact that there is no business
: or professional body in a position to establish a standard and
: provide chipsets to implement it for analog or digital transmission
: systems.
: 
: RSA might be in position to do it, if they had active cooperation of
: a couple of manufacturers of cellular phones or desktop phones.
.......
: Is RSA independent of the gov enough to spearhead this?  I, for one,
: would *gladly* pay royalties via purchasing secure phones.


Hear hear! I completely agree that we need to work quickly to
establish alternatives to the government's Clinton Clipper. As Brad
Templeton and others have noted, once the Clipper becomes ensconced in
enough phones there will be enormous pressure to make it the *legal*
standard, and it will become the *market* standard as well. (There is
a lot of confusion in the proposal about whether the use of Clipper is
mandated, about whether non-escrow alternatives will be allowed, etc.)

(There are also unclear issues about how hard, or how illegal, it will
be to make "workalikes" which meet the standard but which generate
phony or untappable keys...I'm sure the next several weeks will see
these issues thrashed out in this and other groups.)

Meanwhile, I'd be interested to hear RSA Data Security's reaction.
Often criticized in this group for their licensing policies (the usual
complaints about MailSafe costing too much, at $125 or so, and the
general issue of software patents...), we may find that *allying*
ourselves with RSA is the best thing we can do. What's a mere
licensing fee when our liberty may be at stake? (If everyone who
wanted true security paid, say, $100 for a lifetime use of all of
RSA's patents--which expire in the period 1998-2002, or so--then RSA
would make tons of money and be happy, I'm sure. A small price to pay.
For those to whom $100 sounds like too much, I'm sure the actual terms
could be different, spread out over several years, whatever. To me,
it's a small price to pay.)

Strong crypto means strong privacy. Escrowing keys, sending copies of
keys to large databases, and splitting keys into two 40-bit pieces,
all done with secret and non-analyzable protocols and algorithms, is
*NOT* strong crypto!

Whatever some of us may think about the abstract principles of
patenting number theory applications, this minor issue pales in
comparison with the potential dangers of the Clipper proposal (note
that I said "potential"...we'll presumably learn more in the coming
months).

The RSA algorithms are at least public, have been analyzed and
attacked for years, and source code is available (to better ensure no
deliberate weaknesses or trapdoors).

I know of a number of groups putting together voice encryption systems
using off-the-shelf hardware (like Soundblaster boards for the PC) and
CELP-type software. The new generations of PCs, using fast 486s and
Pentiums are fast enough to do real-time voice encryption. Combined
with Diffie-Hellman key exchange, this should provide an alternative
to the Clipper system.

Of course, we don't really know if the Administration proposes to
outlaw competing systems. (It seems to me that their goal of tapping
terrorists, child pornographers, and Hilary bashers would be thwarted
if low-cost alternatives to Clipper proliferated. Not to defend child
pornographers or terrorists, but limiting basic freedoms to catch a
few criminals is not the American way of doing things. End of soapbox
mode.)

I suggest we in these groups set aside any differences we may have had
with RSA (and don't look at me....I have both MacPGP *and* a fully
legal copy of "MailSafe"!) and instead work with them as quickly as we can.

RSA?, Jim?, are you listening?

-Tim May

P.S. I reserve the right to retract these opinions if it should turn
out that RSA Data Security was involved in the Clipper proposal.
-- 
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,  
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets, 
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^756839 | Public Key: PGP and MailSafe available.


Newsgroup: sci.crypt
Document_id: 15296
From: brad@clarinet.com (Brad Templeton)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

One presumes the system could work as follows:

a) Blank chips are manufactured by Mykotronx and VLSI.  The number
produced is carefully audited and they are shipped to the first
escrow house.

It programs the chips with its half the key, and prints out a paper slip
with the key half and non-secret chip serial number.   The reams of paper
are filed in locked boxes in the vault, a fuse is burnt in the chip so
that the key is now unreadable.

The chip then goes to the next escrow house, where the same thing is
done.  This continues through N escrow houses, perhaps, could be more than
2.

The last one provides the chip to the cellular phone maker.

And yes, this has to be a public key system or it would be almost
impossible to handle.  It might not be RSA, but that does not mean
that PKP doesn't get paid.  Until 1997, PKP has the patent on the
general concept of public key encryption, as well as the particular
implementation known as RSA.
-- 
Brad Templeton, ClariNet Communications Corp. -- Sunnyvale, CA 408/296-0366

Newsgroup: sci.crypt
Document_id: 15297
From: jhesse@netcom.com (John Hesse)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

In article <1qnupd$jpm@news.intercon.com> amanda@intercon.com (Amanda Walker) writes:
>jhesse@netcom.com (John Hesse) writes:
>> Oh great. Wonderful news. Nobody can listen in--except the feds. 
>
>Hey, it's better than the status quo.
>
>I am far less worried about "the feds" tapping my phone than high school 
>scanner surfers who get their kicks out of eavesdropping on cellular and 
>cordless phone calls.
>

Really? Why are you so worried about high school kids "getting their kicks"
with scanners, as compared to what the feds can do, and have done, to their
targets?

"Better than the status quo" isn't good enough, I'd say. The same 
technology could be implemented WITHOUT a back door open to the state.

We all know about power and corruption. But we all know that abuse is
something that only happens to the other guy.

>
>Amanda Walker
>InterCon Systems Corporation
>
>


-- 
------------------------------------------------------------------------------
John Hesse           |          A man,     
jhesse@netcom.com    |                 a plan, 
Moss Beach, Calif    |                         a canal, Bob.
------------------------------------------------------------------------------

Newsgroup: sci.crypt
Document_id: 15298
From: reeds@alice.att.com (Jim Reeds)
Subject: Re: Patents (was RC2 RC4)

In article <matt-160493203627@wardibm2.med.yale.edu>, matt@wardsgi.med.yale.edu (Matt Healy) writes:
and
> bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) wrote:
and
> > ahaley@eoe.co.uk (Andrew Haley) writes:

about Coca-Cola and Pepsi Cola and what they can teach us.


Surely, if we must use pop patent law examples to discuss RC2 and RC4,
it would make more sense to consider the case of RC Cola?

Jim Reeds

Newsgroup: sci.crypt
Document_id: 15299
From: uni@acs.bu.edu (Shaen Bernhardt)
Subject: Re: Once tapped, your code is no good any more.

In article <1qpg8fINN982@dns1.NMSU.Edu> amolitor@nmsu.edu (Andrew Molitor) writes:
>In article <tcmayC5M2xv.JEx@netcom.com>
>	tcmay@netcom.com (Timothy C. May) writes:
>>
>>But is it any worse than the current unsecure system? It becomes much
>>worse, of course, if the government then uses this "Clinton Clipper"
>>to argue for restrictions on unapproved encryption. (This is the main
>>concern of most of us, I think. The camel's nose in the tent, etc.)
>>
>
>	Not to pick on Mr. May in particular, of course, but isn't this
>kind of the domino theory? When one little country falls, its neighbor
>will surely follow, and before you know it, we're all mining salt
>in Siberia for not turning in our Captain Crunch Secret Decoder Rings.

I wish I could agree with you.  Ask yourself this.  Why would any private
sector entity wish to buy a crypto system that was KNOWN to be at least
partially compromised? (Key escrows in this instance)  Why would any
private sector entity wish to buy a crypto system that had not been properly
evaluated?  (i.e. algorithm not publicly released)
The answer seems obvious to me, they wouldn't.  There is other hardware out
there not compromised.  DES as an example (triple DES as a better one.)

My suspicion is that the prices will drop dramatically on these non clipper
systems.  If not we're in trouble.

Given that the Clinton administration is not entirely stupid (although we'd like
to think so) I cannot believe that they have failed to realize this.
They know their initiative will fail, much as crippled DES was never taken
seriously.  The only way their moves can work is by coercion.  You know
little about politics if you don't realize that this is just a first step
in the next move, it makes NO sense otherwise.  The next move, banning
or SEVERELY crippling crypto not using the "Clipper" system is easily
justified "Why would anyone want other encryption unless they were trying
to subvert the government?  We've provided you with a very secure alternative
so use it or go to jail/be fined/whatever."
How can you reconcile the administration's self-proclaimed purpose of providing
law enforcement with access to encrypted data without making the clipper system
the only crypto available in the U.S.?  You simply can't, and the administration
knows it.  Anyone who wanted to keep the govt. out of their hair, be it for
drug dealing or whatever, would just buy still available non-clipper systems.

Don't sell our crafty Clinton types short, they can't be THAT stupid.
Either banning non-clipper crypto is the next answer or the administration's
collective I.Q. is about that of a potato.

Why do you think AT&T jumped on so fast?  They know it's going to be big,
and NOT because it's better.  Right on the face of it, no one will buy the
stuff that doesn't have to.  AT&T must know this too, THINK MAN, why the
hell would they jump the gun?

>	My interpretation.
>
>	Andrew
>
>>-Tim May, whose sig block may get him busted in the New Regime
>                           ^^^^^^^^^^^^^^^^^^
>
>	Isn't this just a little melodramatic?

I really wonder.

To wit:  The letter I just sent to Clinton:

The White House
Office of the Press Secretary c/o:
Presidential Comment Line (fax)
(202) 456-2461
 
April 17, 1993
 
Sir and/or Madam:
 
 
I must object most strongly to the administration's evolving position on encryption and
cryptography.  I am shocked at the Clinton regime's increasing lean towards an authoritarian approach with regard to privacy and freedom from government oversight in day-to-day life.
 
It is apparent to me that those who drafted the "Clipper Chip Proposal" (which is, incidentally, gaining notoriety as the "Big Brother Proposal") are either incredibly ignorant or very sly indeed.  Anyone knowledgeable in the nuances of cryptographic development and research must understand that a key step in the development of a new algorithm, especially one destined for standardization, is the full disclosure of the algorithm to the private and academic sectors.  The proper evaluation of an algorithm depends on careful scrutiny by these sectors, and only such scrutiny can provide true public confidence in the security of the algorithm.  The assumption that a new algorithm will be accepted based on assurances from "experts" without full disclosure is plain ignorance.
 
In addition, the assumption that an algorithm will be marketable over other technology, such as DES, when it is characterized by key escrow is lunacy.  It seems an easy step in the logic chain that probable consumers will prefer to purchase equipment not crippled by government key escrow, no matter how "tamper proof" the key escrows might be.
 
I cannot believe that even the least educated policy maker would have failed to realize these flaws.  I can only assume then that the drafters of the "Clipper Chip Proposal" knew very well the difficulties of selling a crippled system to the private sector.  The only way this proposal makes any sense, or has any chance of succeeding, is in coercion.  Even the language of the proposal makes it painfully clear that the next logical step is the outlawing of other encryption devices and hardware that do not utilize the "Big Brother Chip."
 
Unfortunately the public at large is not educated enough on the issue to realize what they are losing.  I expect the Big Brother proposal to encounter little resistance from the American people who you will have so efficiently duped once again with pretty words like "harmony," "right to encryption," and "voluntary."
 
It mortifies me that the phrase that seems to be used more and more often to characterize the Clinton administration is "I can't believe it's happening here."  More startling is a question a colleague of mine posed and the realization that everyday it becomes more and more relevant; "When is the Reichstag fire planned for?"
 
 
						Most Concerned,
 
						[Signature]
						Shaen Logan Bernhardt I
uni@acs.bu.edu

-- 
uni@acs.bu.edu  ->  Public Keys by finger and/or request
Public Key Archives at <pgp-public-keys@junkbox.cc.iastate.edu>
DF610670F2467B99  97DE2B5C3749148C  Sovereignty is the sign of a brutal past.
Cryptography is not a crime.  Fight the Big Brother Proposal!

Newsgroup: sci.crypt
Document_id: 15300
From: ebrandt@jarthur.claremont.edu (Eli Brandt)
Subject: Re: How to detect use of an illegal cipher?

In article <1993Apr17.085358.18460@clarinet.com> brad@clarinet.com (Brad Templeton) writes:
>"Your honour, the suspect suddenly started using another level of
>cryptography and we can't tap his phone calls any more.  He must
>have something to hide.  Please sign the warrant to search his
>house..."

What they would need to do, though, is make sure that nobody has
access to decent crypto in the first place.  They probably can't
tell Clippered voice from Clippered triple-DESed voice until they
get their copy of your key.  Any criminal who's going to use
encryption will do it under cover of Clipper.  The only way to avoid
this will be to try to prohibit strong encryption.

I probably shouldn't say this, but they could try to detect the use
of an illegal cypher by transmitting in the clear some statistical
properties of the plaintext.  An old-fashioned wiretap could then
detect the use of pre-encryption, which would drastically increase
the measured entropy of the input.  A countermeasure to this would
be to use steganographic techniques which put out voice.

You can tell if the NSA built this feature in: blow on the mike, and
observe whether a band of thugs comes through your ceiling.

	 PGP 2 key by finger or e-mail
   Eli   ebrandt@jarthur.claremont.edu
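
[Editor's added example, not part of Eli Brandt's post.]  The detection idea
above, "pre-encryption drastically increases the measured entropy of the
input", is easy to make concrete.  The script below computes byte-level
Shannon entropy over fixed windows of a byte stream and flags windows that sit
near the 8 bits/byte a sound cipher produces.  The "speech" is a constructed
stand-in (a couple of sine tones plus a little noise, quantised to 8-bit
samples), the "already-encrypted" segment is a seeded pseudo-random byte
string, and the 7.5 bits/byte threshold and 1024-byte window are my choices,
not anything from the post or from Clipper.  It also illustrates the limit
Brandt names: a stream shaped to look like voice (his steganographic
countermeasure) would pass this test untouched.

```python
"""Byte-entropy detector for a second encryption layer under an escrowed one.

Added example modelling the post's idea: if the tap can see plaintext
statistics before the Clipper stage, ciphertext from a second layer looks
uniformly random while digitised speech does not.  All inputs are constructed.
"""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def synthetic_speech(n: int, seed: int = 1) -> bytes:
    """Constructed stand-in for 8-bit PCM speech: two tones plus weak noise.

    Speech does not use all 256 levels evenly, which is what the detector
    exploits; here the waveform spans roughly 60..196, so entropy cannot
    exceed about 7.2 bits/byte however long the sample.
    """
    rng = random.Random(seed)
    out = bytearray()
    for i in range(n):
        s = 40 * math.sin(i / 7.0) + 25 * math.sin(i / 19.0) + rng.gauss(0, 3)
        out.append(max(0, min(255, int(128 + s))))
    return bytes(out)


def random_like_ciphertext(n: int, seed: int = 2) -> bytes:
    """Constructed stand-in for output of a good cipher (seeded for repeatability)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def looks_pre_encrypted(sample: bytes, threshold: float = 7.5) -> bool:
    """True when a window's entropy is close to the 8 bits/byte of a sound cipher.

    With a 1024-byte window, uniformly random bytes measure about 7.8 bits/byte
    (the finite-sample bias is ~0.18 bits), so 7.5 leaves margin on both sides.
    """
    return shannon_entropy(sample) >= threshold


def scan(stream: bytes, window: int = 1024, threshold: float = 7.5) -> list:
    """Slide a non-overlapping window over the stream; one flag per window."""
    return [looks_pre_encrypted(stream[i:i + window], threshold)
            for i in range(0, len(stream) - window + 1, window)]


if __name__ == "__main__":
    call = synthetic_speech(4096) + random_like_ciphertext(4096)
    for idx, flagged in enumerate(scan(call)):
        print(f"window {idx}: {'PRE-ENCRYPTED?' if flagged else 'looks like voice'}")
```

The detector is only as good as the assumption that honest input is
low-entropy; anything that maps its ciphertext onto a speech-like distribution
before handing it to the escrowed stage defeats it, which is exactly the
countermeasure the post points at.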

Newsgroup: sci.crypt
Document_id: 15301
From: hal@cco.caltech.edu (Hal Finney)
Subject: Re: How does it really work? (was Re: text of White House announcement and Q&As on clipper chip encryption)

Marc VanHeyningen <mvanheyn@cs.indiana.edu> writes:

>The main thing I just don't get is whether this chip implements
>symmetric or asymmetric cryptographic techniques.  Anybody know?

I don't know, but I'm as willing to speculate as anyone.

Several people have suggested that the chips use public-key cryptography.
Another possibility is to use Diffie-Hellman key exchange, or some other
algorithm which has a similar effect.  DH allows both ends to agree on
a session key which they use with symmetric cryptography (something
like DES) for the encryption.

How could the "back door" keys work in this system?  I can see a few
possibilities.  One is that the DH-like algorithm has the property that
the session key can be deduced by an eavesdropper who knows the back door
keys for one (or possibly both) communicants.  Perhaps the random numbers
used in the DH are seeded by the back door key, or some such.

Another possibility, as was suggested here earlier, is that the chips
simply broadcast the session key, encrypted with the chip's own
internal secret key.  In this system the back door keys are secret keys
usable for decrypting this session key broadcast.  Actually the chip's
secret key doesn't need to be a public key in this usage, but can be
identical to the secret back-door key.  (This proposal seems most
straightforward to me.)

Still another possibility is that the encryption algorithm used for the
message itself has a "dual key" property, that possession of either of
two keys can be used to decrypt it.  One key would be the session key from
the DH exchange, and the other would be the back door key for the chip.

It's worth noting that one of the proposals Dorothy Denning raised
during her amazingly prescient on-line discussion last November and
December was a variation on Diffie-Hellman in which a third party would
participate in deriving the session keys.  This doesn't quite fit into
what we know of how Clipper works but it hints that those who had early
knowledge of Clipper (or whose thinking was somehow synchronized with
Clipper designers) may have had Diffie-Hellman on their minds.

Hal Finney
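
[Editor's added example, not part of Hal Finney's or Brad Templeton's posts.]
Two of the guesses in this thread can be put together into one runnable
model: Templeton's chain of N escrow houses, each holding a piece of the
chip's fixed key, and Finney's "most straightforward" hypothesis that the chip
simply broadcasts the Diffie-Hellman session key encrypted under its own
internal secret key.  Nothing below is the real Clipper design, which was
classified when these posts were written.  The DH group (a 127-bit Mersenne
prime, far too small for real use), the SHA-256 counter-mode stand-in for the
chip's symmetric cipher, the XOR secret sharing, the 4-byte serial, the MAC on
the access field and all key sizes are my assumptions for the sake of a
working illustration.

```python
"""Toy model of an escrowed-key back door: DH session key, chip unit key split
across N escrow houses, session key broadcast wrapped under the unit key.

Added example.  Not Clipper, not Skipjack; every primitive is a stand-in.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import secrets

# Toy DH group: a Mersenne prime.  Fine for a model, useless for real security.
P = 2**127 - 1
G = 5


def dh_keypair() -> tuple[int, int]:
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_session_key(priv: int, peer_pub: int) -> bytes:
    """Both ends derive the same 16-byte symmetric session key from g^ab mod p."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()[:16]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the chip's symmetric cipher: SHA-256 counter mode XORed in.
    Symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def split_key(key: bytes, n: int) -> list[bytes]:
    """XOR secret sharing: all n escrow houses are needed to rebuild the key,
    any n-1 of them together learn nothing about it."""
    shares = [os.urandom(len(key)) for _ in range(n - 1)]
    last = key
    for s in shares:
        last = bytes(a ^ b for a, b in zip(last, s))
    return shares + [last]


def join_key(shares: list[bytes]) -> bytes:
    key = bytes(len(shares[0]))
    for s in shares:
        key = bytes(a ^ b for a, b in zip(key, s))
    return key


def make_leaf(unit_key: bytes, serial: bytes, session_key: bytes, nonce: bytes) -> bytes:
    """The access field sent in the clear: chip serial, session key wrapped under
    the unit key, and a MAC so that a wrong unit key is detected, not decoded to junk."""
    wrapped = keystream_xor(unit_key, nonce, session_key)
    tag = hmac.new(unit_key, serial + nonce + wrapped, hashlib.sha256).digest()[:8]
    return serial + wrapped + tag


def open_leaf(unit_key: bytes, leaf: bytes, nonce: bytes):
    """Return the session key, or None if the unit key does not verify the MAC."""
    serial, wrapped, tag = leaf[:4], leaf[4:20], leaf[20:]
    expect = hmac.new(unit_key, serial + nonce + wrapped, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(tag, expect):
        return None
    return keystream_xor(unit_key, nonce, wrapped)


def run_scenario(n_escrow: int = 2) -> dict:
    """Manufacture, escrow, call set-up, and a warrant-backed intercept, end to end."""
    serial = (0x00C0FFEE).to_bytes(4, "big")       # constructed chip serial number
    unit_key = os.urandom(16)                       # burnt into this one chip
    shares = split_key(unit_key, n_escrow)          # one slip of paper per escrow house
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    k_a = dh_session_key(a_priv, b_pub)             # chip A's view of the session key
    k_b = dh_session_key(b_priv, a_pub)             # chip B's view
    nonce = os.urandom(8)
    leaf = make_leaf(unit_key, serial, k_a, nonce)  # broadcast in the clear with the call
    frame = b"constructed voice frame"
    ciphertext = keystream_xor(k_a, nonce, frame)
    # Tap with a warrant: collect every share, rebuild the unit key, unwrap the LEAF.
    k_escrow = open_leaf(join_key(shares), leaf, nonce)
    k_partial = open_leaf(join_key(shares[:-1]), leaf, nonce) if n_escrow > 1 else None
    return {
        "session_keys_match": k_a == k_b,
        "escrow_recovers": k_escrow == k_a and keystream_xor(k_escrow, nonce, ciphertext) == frame,
        "partial_escrow_recovers": k_partial is not None,
    }


if __name__ == "__main__":
    print(run_scenario(n_escrow=2))
```

The point the model makes is the one several posters make in prose: the
strength of the whole arrangement rests on the escrow houses, not on the
cipher.  Whoever holds all N shares (or a backup of the database) can recover
every session key that chip ever negotiated, for as long as the chip is in
service, without touching the Diffie-Hellman exchange at all.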

Newsgroup: sci.crypt
Document_id: 15302
From: ebrandt@jarthur.claremont.edu (Eli Brandt)
Subject: Re: The battle is joined

In article <1993Apr16.181040.9381@qualcomm.com> karn@servo.qualcomm.com (Phil Karn) writes:
>It looks like Dorothy Denning's wrong-headed ideas have gotten to the
>Administration even sooner than we feared.

I'd lay long odds that it was the other way around.  Clinton didn't
just pull this plan out of any bodily orifices; the NSA has to have
been working on it for years.  While it's possible that Denning (and
other prominent people) just happened to start arguing for such a
system, it seems more likely that there was a suggestion involved.
If this guess is wrong, I apologize.

	 PGP 2 key by finger or e-mail
   Eli   ebrandt@jarthur.claremont.edu

Newsgroup: sci.crypt
Document_id: 15303
From: marc@mit.edu (Marc Horowitz N1NZU)
Subject: The source of that announcement

The message from the NIST about the clipper chip comes from the
following address:

	clipper@csrc.ncsl.nist.gov (Clipper Chip Announcement)

Just who is that, I asked myself, or rather, I asked the computer.

    % telnet csrc.ncsl.nist.gov 25
    Trying...
    Connected to csrc.ncsl.nist.gov.
    Escape character is '^]'.
    220 first.org sendmail 4.1/NIST ready at Sat, 17 Apr 93 20:42:56 EDT
    expn clipper
    250-<csspab@mail-gw.ncsl.nist.gov>
    250-<denning@cs.georgetown.edu>
    250-<hoffman@seas.gwu.edu>
    250-<mkapor@eff.org>
    250-<rotenberg@cpsr.org>
    250-<rivest@mit.edu>
    250-<mhellman@stanford.edu>
    250-<alanrp@aol.com>
    250-<dparker@sri.com>
    250-<jim@rsa.com>
    250-<branstad@tis.com>
    250 <mgrsplus@csmes.ncsl.nist.gov>
    quit
    221 first.org closing connection
    Connection closed.

Well, isn't that interesting.  Dorothy Denning, Mitch Kapor, Marc
Rotenberg, Ron Rivest, Jim Bidzos, and others.  The Government, RSA,
TIS, CPSR, and the EFF are all represented.  I don't suppose anybody
within any of these organizations would care to comment?  Or is this
just the White House's idea of a cruel joke on these peoples' inboxes?

		Marc
--
Marc Horowitz N1NZU <marc@mit.edu>				617-253-7788

Newsgroup: sci.crypt
Document_id: 15304
From: silly@ugcs.caltech.edu (Brad Threatt)
Subject: Remote file system security

In light of my recent paranoia concerning government proposals, I'd love to
see a UNIX-based encryption scheme that:

1) Kept some files encrypted on the host machine (say, all the files in your
   home directory)
2) Used a key system that could not be compromised by eavesdropping over a
   modem line.

It seems that this would require modifications to a shell program and a
way of telling whether a file was encrypted or not, among other things.

I'd love to know about potential security holes in such a system.

Does such a system exist?  If it were made easy-to-use and readily
available, I think it would be a Good Thing(tm).  I realize that this
would probably just involve putting a nice front-end on a readily available
and very secure encryption scheme, but it should be done.

Thanks for the ear,
Brad 

Newsgroup: sci.crypt
Document_id: 15305
From: jef@netcom.com (Jef Poskanzer)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

brad@clarinet.com (Brad Templeton):
}And yes, this has to be a public key system or it would be almost
}impossible to handle.  It might not be RSA, but that does not mean
}that PKP doesn't get paid.  Until 1997, PKP has the patent on the
}general concept of public key encryption, as well as the particular
}implementation known as RSA.

Hmm, my first thought was that they're using Diffie-Hellman exponential
session key exchange, or an equivalent.  However, the Diffie-Hellman
patent, like the Hellman-Merkle one on public key systems, claims
all equivalents, so the basic point stands.

Interestingly, a quote from Jim Bidzos showed up in the media real
soon after the announcement, and he sounded very pissed.  Maybe he hadn't
yet realized that PKP might have just struck gold?  All they have to
do is get someone to admit the general scheme that the Clipper uses.
---
Jef

           Jef Poskanzer  jef@netcom.com  jef@well.sf.ca.us
"An object never serves the same function as its image - or its name."
                           -- Rene Magritte

Newsgroup: sci.crypt
Document_id: 15306
From: whughes@lonestar.utsa.edu (William W. Hughes)
Subject: Re: Once tapped, your code is no good any more.

In article <1qpg8fINN982@dns1.NMSU.Edu> amolitor@nmsu.edu
(Andrew Molitor) writes:
>In article <tcmayC5M2xv.JEx@netcom.com>
>tcmay@netcom.com (Timothy C. May) writes:
>
>>-Tim May, whose sig block may get him busted in the New Regime
>                           ^^^^^^^^^^^^^^^^^^
>Isn't this just a little melodramatic?

Not at all. Two weeks ago I registered a concern about some programming
that was being conducted by a student organisation here at the
University of Texas at San Antonio.  As a result, I was interrogated
by the campus police, who also attempted to create a positive-identification
file (photo, fingerprints, etc.). I refused to permit this, and filed a
complaint with the University administration.  The Vice-President for
Business Affairs (the 'boss' of the campus police) stated that he had no
interest in the legal/Constitutional implications of those actions.

-- 
The greatest threat facing the citizens of the United States in the decade of
the 90s is the United States Government; at all levels -- Federal, State, Local
[All opinions are mine, and I reserve the right to deny them at any time - WWH]

Newsgroup: sci.crypt
Document_id: 15307
From: ptrei@bistromath.mitre.org (Peter Trei)
Subject: Re: Fifth Amendment and Passwords

In article <1993Apr17.122651.1874@sugra.uucp> ken@sugra.uucp (Kenneth Ng) writes:
>In article <1993Apr16.165423.27204@linus.mitre.org: ptrei@bistromath.mitre.org (Peter Trei) writes:
>:Judge: "I grant you immunity from whatever may be learned from the key
>:	itself"
>:You:    "The keyphrase is: "I confess to deliberately evading copyright; 
>:	the file encoded with this keyphrase contains illegal scans of 
>:        copyrighted Peanuts strips.""
>:Judge and CP: "Oh."
>:     How will they get you now? I'm not saying that they won't, or
>:can't (or even that they shouldn't :-), but what legal mechanism will
>:they use? Should we be crossposting this to misc.legal?
>
>Hm, could another court try you via a bypass of the double jeopardy amendment
>like they are doing in the LAPD trial?  Ie your judge is a state judge, and
>then a federal judge retries you under the justification that its not the
>same trial.

    No. The LAPD officers were tried first by the State of California
on charges of police brutality, and secondly by the Federal Government
on depriving RK of his civil rights - a different crime.

    The scenario I outline is more similar to the Oliver North trial.
Ollie confessed to treason (aiding an enemy of the US) during Senate
hearings, under immunity. The team which was later to prosecute him on
criminal charges had to sequester itself from all reports of ON's
immunized testimony. ON's lawyer brought up the probability that at
least someone on the team had heard about the Senate testimony, and it
was a strong factor against the prosecution, which is one of the
reasons this ON is still walking around free today.

								Peter Trei
								ptrei@mitre.org


Newsgroup: sci.crypt
Document_id: 15308
From: wesommer@mit.edu (Bill Sommerfeld)
Subject: Re: The source of that announcement

       % telnet csrc.ncsl.nist.gov 25
       Trying...
       Connected to csrc.ncsl.nist.gov.
       Escape character is '^]'.
       220 first.org sendmail 4.1/NIST ready at Sat, 17 Apr 93 20:42:56 EDT
       expn clipper
       250-<csspab@mail-gw.ncsl.nist.gov>
       250-<denning@cs.georgetown.edu>
       250-<hoffman@seas.gwu.edu>
       250-<mkapor@eff.org>
       250-<rotenberg@cpsr.org>
       250-<rivest@mit.edu>
       250-<mhellman@stanford.edu>
       250-<alanrp@aol.com>
       250-<dparker@sri.com>
       250-<jim@rsa.com>
       250-<branstad@tis.com>
       250 <mgrsplus@csmes.ncsl.nist.gov>
       quit
       221 first.org closing connection
       Connection closed.

Note also:

% telnet csmes.ncsl.nist.gov 25
Trying 129.6.54.2...
Connected to csmes.ncsl.nist.gov.
Escape character is '^]'.
220 csmes.ncsl.nist.gov sendmail 4.1/NIST(rbj/dougm) ready at Sat, 17 Apr 93 23:08:58 EDT
expn mgrsplus
250-<mcnulty@ecf.ncsl.nist.gov>
250-Irene Gilbert <igilbert>
250-Dennis Branstad <branstad>
250-Robert Rosenthal <rmr>
250-Gene Troy <troy>
250-<smid@st1.ncsl.nist.gov>
250-Dennis Steinauer <dds>
250 <katzke@st1.ncsl.nist.gov>

telnet mail-gw.ncsl.nist.gov 25
Trying 129.6.48.199...
Connected to mail-gw.ncsl.nist.gov.
Escape character is '^]'.
220 mail-gw.ncsl.nist.gov sendmail 4.1/rbj/jck-3 ready at Sat, 17 Apr 93 23:06:50 EDT
expn csspab
250-<burrows@ecf>
250-<mcnulty@ecf>
250-Bill Colvin <colvin>
250-<Gangemi@dockmaster.ncsc.mil>
250-John Kuyers <kuyers>
250-<slambert@cgin.cto.citicorp.com>
250-<lipner@mitre.org>
250-<gallagher@dockmaster.ncsc.mil>
250-<cindy_rand@postmaster.dot.gov>
250-<walker@tis.com>
250-<willis@rand.org>
250-Eddie Zeitler <zeitler>
250-Cris Castro <castro>
250 <whitehurst@vnet.ibm.com>

% telnet st1.ncsl.nist.gov 25
Trying 129.6.54.91...
Connected to st1.ncsl.nist.gov.
Escape character is '^]'.
220 st1.ncsl.nist.gov SEndMaIl 4.1/NBS-rbj.11 rEadY At Sat, 17 Apr 93 23:13:43 EDT
expn smid
250 Miles Smid <smid>
expn katzke
250 Stuart Katzke <katzke>
quit
221 st1.ncsl.nist.gov closing connection
Connection closed by foreign host.

% telnet ecf.ncsl.nist.gov 25
Trying 129.6.48.2...
Connected to ecf.ncsl.nist.gov.
Escape character is '^]'.
220 ECF.NCSL.NIST.GOV TGV/MultiNet SMTP service ready.
expn burrows
250 Burrows, James <burrows>
expn mcnulty
250 McNulty, Lynn <mcnulty>
quit
221 ECF.NCSL.NIST.GOV TGV/MultiNet SMTP service complete.

% whois -h rs.internic.net first.org
National Institute of Standards and Technology (FIRST-DOM)
   225/A216
   	 NIST
   	 GAITHERSBURG, MD 20899

   Domain Name: FIRST.ORG

   Administrative Contact:
      Wack, John P.  (JPW18)  WACK@ENH.NIST.GOV
      (301) 975-3411 (FTS) 879-3411
   Technical Contact, Zone Contact:
      Hunt, Craig W.  (CWH3)  Hunt@ENH.NIST.GOV
      (301) 975-3827 (FTS) 879-3827

   Record last updated on 17-Dec-91.

   Domain servers in listed order:

   DOVE.NIST.GOV		129.6.16.2
   AMES.ARC.NASA.GOV		128.102.18.3


The InterNIC Registration Services Host ONLY contains Internet Information
(Networks, ASN's, Domains, and POC's).
Please use the whois server at nic.ddn.mil for MILNET Information.
--
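The EXPN replies quoted above are multi-line SMTP replies in the RFC 821 format: a hyphen after the code on every line but the last, a space on the last. The parser below is an added example (not code from any poster) that turns one such reply into a member list, qualifying bare local parts like `<igilbert>` with the answering host and reporting a refused command (502, the reply a server with EXPN disabled gives) as an empty list; the sample replies are constructed, modelled on the transcripts above, and the host names in them are placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# One reply line: three-digit code, then "-" (more lines follow) or " " (last line).
_REPLY_LINE = re.compile(r"^(?P<code>\d{3})(?P<sep>[- ])(?P<text>.*)$")
# A member as the servers above print it: optional display name, then <address>.
_MEMBER = re.compile(r"^(?P<name>[^<]*)<(?P<addr>[^>]+)>\s*$")


@dataclass(frozen=True)
class Member:
    name: Optional[str]   # display name, if the server printed one
    address: str          # address, qualified with the answering host if needed


def parse_expn_reply(lines: Sequence[str], host: str) -> Tuple[str, List[Member]]:
    """Parse the lines a server sent in response to one EXPN command.

    Returns (reply_code, members).  Members are collected only from a 250
    reply; a 502 or 550 reply (command refused, or no such list) yields an
    empty list.  Raises ValueError when the reply is malformed: the code
    changes between lines, a line is not a reply line, or no final line
    (space after the code) ever arrives.
    """
    members: List[Member] = []
    code: Optional[str] = None
    for raw in lines:
        m = _REPLY_LINE.match(raw.rstrip("\r\n"))
        if m is None:
            raise ValueError(f"not an SMTP reply line: {raw!r}")
        if code is None:
            code = m.group("code")
        elif m.group("code") != code:
            raise ValueError("reply code changed mid-reply")
        if code == "250":
            mm = _MEMBER.match(m.group("text"))
            if mm is not None:
                name = mm.group("name").strip() or None
                addr = mm.group("addr").strip()
                if "@" not in addr:          # "Irene Gilbert <igilbert>" style
                    addr = f"{addr}@{host}"
                members.append(Member(name, addr))
        if m.group("sep") == " ":            # space after the code: last line
            return code, members
    raise ValueError("reply has no final line")


# Constructed sample replies, modelled on the transcripts quoted above
# (placeholder addresses, not real list members).
SAMPLE_EXPN_REPLY = [
    "250-<alice@other.example>",
    "250-Bob Example <bob>",
    "250 <carol@third.example>",
]
SAMPLE_REFUSED_REPLY = ["502 Command not implemented"]


if __name__ == "__main__":
    code, members = parse_expn_reply(SAMPLE_EXPN_REPLY, "lists.example")
    print(code)
    for mem in members:
        print(f"  {mem.name or '-':20} {mem.address}")
    print(parse_expn_reply(SAMPLE_REFUSED_REPLY, "lists.example"))
```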

Newsgroup: sci.crypt
Document_id: 15309
From: jebright@magnus.acs.ohio-state.edu (James R Ebright)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

In article brad@clarinet.com (Brad Templeton) writes:

[...]>
>The greatest danger of the escrow database, if it were kept on disk,
>would be the chance that a complete copy could somehow leak out.  You
[...]>
>Of course then it's hard to backup.  However, I think the consequences
>of no backup -- the data is not there when a warrant comes -- are worse
>than the consequences of a secret backup.

If the data isn't there when the warrant comes, you effectively have
secure crypto.  If secret backups are kept...then you effectively have
no crypto.  Thus, this poster is essentially arguing no crypto is better
than secure crypto.

If the data isn't there when the warrant comes, then the government will
just have to use normal law enforcement techniques to catch crooks.  Is
this so bad?   BTW, bugging isn't YET a normal law enforcement technique.
With the privacy clipper, it WILL become a normal technique.
/Jim
-- 
 Information farming at...     For addr&phone: finger             A/~~\A
 THE Ohio State University  jebright@magnus.acs.ohio-state.edu   ((0  0))____
      Jim Ebright             e-mail: jre+@osu.edu                 \  /      \
                                                                   (--)\      

Newsgroup: sci.crypt
Document_id: 15310
From: sethf@athena.mit.edu (Seth Finkelstein)
Subject: Re: The source of that announcement

Also note (from <branstad@tis.com> and <walker@tis.com>):

% whois -h rs.internic.net tis-dom
Trusted Information Systems, Inc. (TIS-DOM)
   3060 Washington Road, Route 97
   Glenwood, MD 21738

   Domain Name: TIS.COM

   Administrative Contact:
      Walker, Stephen T.  (STW3)  walker@TIS.COM
      (301) 854-6889
   Technical Contact, Zone Contact:
      Dalva, David I.  (DID1)  dave@TIS.COM
      (301) 854-6889

   Record last updated on 02-Jul-92.

   Domain servers in listed order:

   TIS.COM                      192.33.112.100
   LA.TIS.COM                   192.5.49.8

	And "dockmaster" is an infamous address ...

--
Seth Finkelstein                                sethf@athena.mit.edu
"The road to Hell is paved with good intentions"

Newsgroup: sci.crypt
Document_id: 15311
From: mkagalen@lynx.dac.northeastern.edu (michael kagalenko)
Subject: Re: How to detect use of an illegal cipher?

In article <C5nMB1.CoF@news.claremont.edu> ebrandt@jarthur.claremont.edu (Eli Brandt) writes:
>
>I probably shouldn't say this, but they could try to detect the use
>of an illegal cypher by transmitting in the clear some statistical
>properties of the plaintext.  An old-fashioned wiretap could then
>detect the use of pre-encryption, which would drastically increase
>the measured entropy of the input.  A countermeasure to this would
>be to use steganographic techniques which put out voice.

This way to detect pre-encryption may be defeated; one can transform
the spectrum of the encrypted signal just by adding some pre-arranged
(at the beginning of communication) function.
I think so. Say, you can do an FFT of your encrypted signal.
Just thinking ...

-- 
--------------------------------------------------------------------------------
      For PGP2.1 public key finger mkagalen@lynx.dac.northeastern.edu
--------------------------------------------------------------------------------

Newsgroup: sci.crypt
Document_id: 15312
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Once tapped, your code is no good any more.

In article <115863@bu.edu> uni@acs.bu.edu (Shaen Bernhardt) writes:

>
>I wish I could agree with you.  Ask yourself this.  Why would any private
>sector entity wish to buy a crypto system that was KNOWN to be at least
>partially compromised? (Key escrows in this instance)  Why would any
>private sector entity wish to buy a crypto system that had not been properly
>evaluated?  (i.e. algorithm not publicly released)
>The answer seems obvious to me, they wouldn't.  There is other hardware out
>there not compromised.  DES as an example (triple DES as a better one.)

What follows is my opinion. It is not asserted to be "the truth" so no
flames, please.  It comes out of a background of 20 years as a senior
corporate staff executive in two Fortune 50 companies.

I'd be happy to use a crypto system supplied by the NSA for business, if
they told me it was more secure than DES, and in particular resistant to
attempts by Japanese, French, and other competitive companies and
governments to break.

I'd be happy to do so even with escrowed keys, provided I was happy about
the bona fides of the escrow agencies (the Federal Reserve would certainly
satisfy me, as would something set up by one of the big 8 accounting firms).

I'd trust the NSA or the President if they stated there were no trap
doors--I'd be even happier if a committee of independent experts examined
the thing under seal of secrecy and reported back that it was secure.

I'd trust something from the NSA long before I'd trust something from some
Swiss or anybody Japanese.

This may seem surprising to some here, but I suggest most corporations would
feel the same way. Most/many/some (pick one) corporations have an attitude
that the NSA is part of our government and "we support our government", as
one very famous CEO put it to me one day.

Just some perspective from another point of view.

-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
Document_id: 15313
From: tuinstra@sunspot.ece.clarkson.edu.soe (Dwight Tuinstra)
Subject: re: WH announcement


Q:   Who was consulted?  The Congress?  Industry?

A:   We have on-going discussions with Congress and industry on
     encryption issues, and expect those discussions to intensify
     as we carry out our review of encryption policy.  We have
     briefed members of Congress and industry leaders on the
     decisions related to this initiative.

Congress??  So we're playing politics before we talk to CPSR, academia,
the public, internet users?  I've heard of top-down design, but top-down 
democracy?? [Just whose state/district are the chip manufacturers in?]

Q:   If the Administration were unable to find a technological
     solution like the one proposed, would the Administration be
     willing to use legal remedies to restrict access to more
     powerful encryption devices?

A:   This is a fundamental policy question which will be
     considered during the broad policy review. [...bs about
     the wonderfulness of the key escrow system...]

     The Administration is not saying, "since encryption
     threatens the public safety and effective law enforcement,
     we will prohibit it outright" (as some countries have
     effectively done); 

They'll just provide an easily-compromised version to JQ Public.

                         nor is the U.S. saying that "every
     American, as a matter of right, is entitled to an
     unbreakable commercial encryption product."  

Maybe we need a CRA -- Cryptographic Rights Amendment.

                                                  There is a
     false "tension" created in the assessment that this issue is
     an "either-or" proposition.  Rather, both concerns can be,
     and in fact are, harmoniously balanced through a reasoned,
     balanced approach such as is proposed with the "Clipper
     Chip" and similar encryption techniques.

Nice lullaby.  But why am I not soothed?

----------------
Also, 

In article 15472@leland.Stanford.EDU, arc@leland.Stanford.EDU (Andrew Richard Conway) writes:
>P.S. I can't work out why the US government doesn't want to sell
>them overseas. After all, they are rather easy for US interests to decode,
>so make a perfect tool for industrial/military espionage...lulling 
>anyone stupid enough to buy it into a false sense of security. You will
>notice that there is NO mention anywhere about safety for non-Americans.
>

Why repeat themselves?  It appears to some (and the story looks pretty
convincing to me, too) that the Justice Department stole a case-tracking
system, modified it, and distributed it to "friendly" police and suchlike
agencies around the world, e.g. the Canadian Mounties.  Of course, I have 
no doubt they swore Scout's Honor that there were no backdoors.

With that kind of intelligence, who'd want to be swamped with terabytes
of commercial traffic?

+========================================================================+
|  dwight tuinstra             best:  tuinstra@sandman.ece.clarkson.edu  |
|                         tolerable:  tuinstrd@craft.camp.clarkson.edu   |
|                                                                        |
|        "Homo sapiens: planetary cancer??  ...  News at six"            |
+========================================================================+

Newsgroup: sci.crypt
Document_id: 15314
From: rdippold@qualcomm.com (Ron "Asbestos" Dippold)
Subject: Re: The battle is joined

In article <1993Apr16.181040.9381@qualcomm.com> karn@servo.qualcomm.com (Phil Karn) writes:
>It looks like Dorothy Denning's wrong-headed ideas have gotten to the
>Administration even sooner than we feared.

If the Administration is this far along, is it possible that the
government has been working on it for a while and has been using the
Dennings to prime the pump, so to speak, or as the Judas goat?
Whether paid off, just gullible, or what, doesn't really matter.

It might also be possible that the NSA / whoever has had the idea for
this for quite a while, has been promoting it (Denning, et al) and
seized the new opportunity - a new administration who wants to spend
more money on espionage than Bush did.

Whatever, I'm not so sure that the cause/effect order is totally
obvious.
-- 
You will lose your "Drug Free And Proud" ribbon.  Two days later, you will
catch a neighborhood kid smoking it.

Newsgroup: sci.crypt
Document_id: 15315
From: ptrei@bistromath.mitre.org (Peter Trei)
Subject: Re: The battle is joined

In article <C5nn9I.D5q@news.claremont.edu> ebrandt@jarthur.claremont.edu (Eli Brandt) writes:
>In article <1993Apr16.181040.9381@qualcomm.com> karn@servo.qualcomm.com (Phil Karn) writes:
>>It looks like Dorothy Denning's wrong-headed ideas have gotten to the
>>Administration even sooner than we feared.
>
>I'd lay long odds that it was the other way around.  Clinton didn't
>just pull this plan out of any bodily orifices; the NSA has to have
>been working on it for years.
      ^^^^^^^^^^^^^^^^^^^^^^^

     I first heard rumors of a similar government proposal (in Risks
Digest???) in 1987 or 1988.

							Peter Trei
							ptrei@mitre.org

Newsgroup: sci.crypt
Document_id: 15316
From: "dan mckinnon" <dan.mckinnon@canrem.com>
Subject: "clipper chip"

   I have lurked here a bit lately, and though some of the math is
unknown to me, found it interesting. I thought I would post an article I
found in the Saturday, April 17, 1993 Toronto Star:

                  'CLIPPER CHIP' to protect privacy

   Washington (REUTER) - President Bill Clinton announced yesterday a
plan to plant a new "Clipper Chip" in every government telephone and
computer line to prevent eavesdropping.

   Eventually the chips, developed by the government's National
Institute for Standards and Technology, would be used by commercial and
private electronics communication users.

   The White House said that to assure privacy, each device containing
the encryption devices would be assigned two unique "keys" - numbers
that will be needed by government agencies to decode messages.

   The attorney-general has been assigned the task of arranging that the
keys are deposited in two "key-escrow" data bases. Access to them would
be limited to government officials with legal authorization to conduct a
wiretap, the White House said in a statement.

                              -30-


 Dan McKinnon
--
Canada Remote Systems - Toronto, Ontario
416-629-7000/629-7044

Newsgroup: sci.crypt
Document_id: 15317
From: tcmay@netcom.com (Timothy C. May)
Subject: Re: The source of that announcement

Marc Horowitz N1NZU (marc@mit.edu) wrote:
: The message from the NIST about the clipper chip comes from the
: following address:
: 
: 	clipper@csrc.ncsl.nist.gov (Clipper Chip Announcement)
: 
: Just who is that, I asked myself, or rather, I asked the computer.
: 
:     % telnet csrc.ncsl.nist.gov 25
...list of names elided for brevity......
: 
: Well, isn't that interesting.  Dorothy Denning, Mitch Kapor, Marc
: Rotenberg, Ron Rivest, Jim Bidzos, and others.  The Government, RSA,
: TIS, CPSR, and the EFF are all represented.  I don't suppose anybody
: within any of these organizations would care to comment?  Or is this
: just the White House's idea of a cruel joke on these peoples' inboxes?

I know that at least one person on that list says the first he heard
of Clipper was in the Friday morning newspaper! And another has
already fired off a letter of protest to NIST.

My point? I suspect this list, interesting as it is for various
reasons, does not represent the cabal that put this proposal together.
Some of them, yes. Others, no. 

This may be nothing more than a mailing list of people who get
crypto-related announcements from NSA, er, I mean "NIST."

-Tim May
-- 
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,  
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets, 
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^756839 | Public Key: PGP and MailSafe available.


Newsgroup: sci.crypt
Document_id: 15318
From: zeev@ccc.amdahl.com (Ze'ev Wurman)
Subject: Is there ANY security in the Clipper?

It seems to me that all discussions about Clipper security are almost 
irrelevant - if I cannot choose the key, but have to use a key chosen for
me by the foundry, the security of the WHOLE UNIVERSE OF USERS is as good
(or as bad) as the security of VLSI Technologies Inc.

It is a trivial effort to run any ciphertext against ALL THE KEYS EVER 
MANUFACTURED - after all we are talking about 1 to 100 million keys that
will ever be manufactured. The key depositories can be as secure and
incorruptible as they wish to be, nobody cares anyway...:-(

Now if someone would convince me that the shipping docks of VTI, ATT and
others are impenetrable (remember: the chips have to ship with the key - 
you or the dealer are going to submit it to the authorities eventually)
I'd be a bit happier. But do we really believe that the various governments
(including ours) won't have the full lists of all the keys ever manufactured?

Did I miss something here?

My own opinions, quite obviously...
--
------------------------------------------------------------------
From........: Ze'ev Wurman 
email.......: <zeev@key.amdahl.com> or <zeev@ccc.amdahl.com> 
Organization: Amdahl Corp. 46525 Landing Parkway (M/S 581), Freemont CA 94538
Phone.......: (510) 623-2345 (Office)
Fax.........: (510) 770-0493  (Attn: Zeev Wurman)

Newsgroup: sci.crypt
Document_id: 15320
From: warlord@MIT.EDU (Derek Atkins)
Subject: Re: The Old Key Registration Idea...

-----BEGIN PGP SIGNED MESSAGE-----

In article <1qn1ic$hp6@access.digex.net> pcw@access.digex.com (Peter Wayner) writes:

   2) The system is vulnerable to simple phone swapping attacks
   like this. Criminals will quickly figure this out and go to
   town.

Depends..  It's possible that the phone sends its serial number in the
clear at some specified interval... So all a listener needs to do is
get that SN, and then get the key for it...  So swapping phones isn't
a problem (for the gov't, that is).  They still know that this line
belongs to you, so they just watch the line and see the SN, and then
they get the key for that SN...

   In either case, I think we need to look at this a bit deeper.

Well, I think this is understood.  The major problem is that a lot of
people just don't trust this key escrow stuff, and the fact that the
algorithms are classified...  So, yes, a lot of this needs to be looked
at closer!

- -derek

PGP 2 key available upon request on the key-server:
	pgp-public-keys@toxicwaste.mit.edu

--
  Derek Atkins, MIT '93, Electrical Engineering and Computer Science
     Secretary, MIT Student Information Processing Board (SIPB)
           MIT Media Laboratory, Speech Research Group
           warlord@MIT.EDU       PP-ASEL        N1NWH

Newsgroup: sci.crypt
Document_id: 15321
From: earle@isolar.Tujunga.CA.US (Greg Earle)
Subject: Re: PEM and MIME

In article <1qg8m2$2e5@nigel.msen.com> emv@garnet.msen.com (Edward Vielmetti) writes:
>W C Newell Jr (wcn@u.washington.edu) wrote:
>
>>Before we can have a global multimedia e-mail solution, there must be some
>>definition of a minimum service level, and MIME does not provide for this
>>(yet).  
>
>Before the Internet will invest in software, people need to see content. 
>I would suggest that 50 attractive MIME formatted news messages a day would be
>sufficient to get a few people thinking about adding MIME support to news
>readers, esp if the content is really worth it.
>
>>IMHO, we have a long way to go before the Unix-specific MUAs, newsreaders, etc
>>reach the service levels of the other commercial platforms.  There ought to be
>>such a definition, consisting of known object data types and rules for their
>>handling, included in the transport specification document.
>
>Yes.  But there is also a long way to go before most Mac, PC, and Windows
>MUAs and newsreaders are ready to handle the sheer volume of news and mail
>that many Unix specific tools are able to cope with.  When the choice is
>"more feechurs" or "make the damn thing fast enough to keep up with the
>flood", you have to bet that "fast enough" wins.

Ed, as usual, makes a very good point.

One time a friend of mine at Sun sent me an e-mail.  He composed it using the
Sun OpenWindows 3 "mailtool" which handles (non-MIME) "attachments" and the
like.

Since I don't use "mailtool", I had to manually save it, cut & paste, and
then "uudecode" the actual attachment.  What I got - after a not-inconsiderable
amount of time spent doing this - was an audio file.  The original message
was over 32Kb of mail headers and uuencoded data; the resulting audio message
was a single sentence that I transcribed as a 135 character message.

If he had sent me the sentence in plain text, the e-mail would have been
around 250 bytes, and it would have taken me about 3 seconds to process it at
most.  Instead, it was 32k and it took at least a minute.  A complete waste of
(my) time and bandwidth, as far as I'm concerned.  Sending plain text is still
the most efficient method of transmission, given the same transport mechanism.
I shudder to think what would happen if everyone started posting their Usenet
articles as audio files instead of plain text!  Meltdown of the Net predicted!
Film at Eleven!

Back to Mono!	(-:

[This sub-thread no longer has anything to do with PEM or administrative]
[policy, so I've redirected followups back to comp.mail.mime ... - Greg ]

-- 
	- Greg Earle
	  Phone: (818) 353-8695		FAX: (818) 353-1877
	  Internet: earle@isolar.Tujunga.CA.US
	  UUCP: isolar!earle@elroy.JPL.NASA.GOV a.k.a. ...!elroy!isolar!earle

Newsgroup: sci.crypt
Document_id: 15322
From: schinagl@fstgds15.tu-graz.ac.at (Hermann Schinagl)
Subject: Need source of FEAL encryption algorithm

Hi !

I am interested in the source of the FEAL encryption algorithm.
Does any of you know where I can get the source from, or
where I can find documentation about FEAL?

Thanks in advance


Ciao Hermann

Please email me !!!

Newsgroup: sci.crypt
Document_id: 15323
From: ygoland@wright.seas.ucla.edu (The Jester)
Subject: Re: Don't fight Clipper Chip, subvert or replace it !

The Clipper chip is just the culmination of Dorothy Denning et al.
But let's ignore that for the moment.

The fundamental question is: Can the government stop me from using
encryption?

Ignoring for the moment the question of patented processes (such as
Public Keys), can the government stop me from using an encryption
process?

If the answer is yes then what freedom we have in this country is
truly gone and it's time to get out the guns or the lawyers
(depending upon which causes more damage and to whom).

However assuming that I can still encrypt things as I please, who
cares about the clipper chip? As far as I'm concerned a phone line
is insecure PERIOD. I don't care if they encrypt it 10 ways from
sunday, if I didn't do the encrypting, I don't trust it. This is the
attitude that everyone else should have. Instead of worrying about a
clipper chip, simply connect your handset to your computer and feed
the voice signal through, process, encrypt, and transmit over the
phone. The guy on the other end then does the same in reverse.

Can't work you say? No standard you say? Obviously you have never
used PGP.

Anyone who expects the government to protect their freedoms is
kidding themselves. Only you can protect your own freedoms.

One final thought addressed to EFF:
	1.Do you support the implementation of ANY form of
	encryption where the encryption key must be revealed?
	2.If you do, why? If not, why?
	3.What SPECIFIC actions are you planning to take to either
	support or stop this proposal?
	4.If you do not support this proposal, what alternatives do
	you offer?

				The Jester
-- 
Proof Windows is a Virus:It is very widespread, It eats up your disk
space, It slows down your computer, It takes control over your
computer, It performs disk access at random times, It displays silly
messages on your screen, It randomly crashes the computer-Vesselin

Newsgroup: sci.crypt
Document_id: 15324
From: tuinstra@sunspot.ece.clarkson.edu.soe (Dwight Tuinstra)
Subject: WH proposal from Police point of view

It might pay to start looking at what this proposal might mean to a
police agency.  It just might be a bad idea for them, too.

OK, suppose the NY State Police want to tap a suspect's phone.  They
need a warrant, just like the old days.  But unlike the old days, they
now need to 

   (a) get two federal agencies to give them the two parts of
       the key.

Now, what happens if there's a tiff between the two escrow houses?
Possession/release of keys becomes a political bargaining chit.  State
and lower-level police agencies have to watch the big boys play politics,
while potentially good leads disappear, lives and property are lost,
statutes of limitations run out, etc.  Not to mention: a moderately
clever person who suspects the police are after her/him will be buying
new phones faster than tap requests can be processed.  Or using stolen
ones.  [Will the Turing Police come and arrest you for transmitting
without a dialing license?]

There are also bureaucracy and security problems -- within each escrow house, 
how will requests for key disclosure be authenticated?  Put in enough
safeguards of the kind bureaucrats and activists feel comfortable with, and 
it might take a LONG time to get that key.  [Even when a request is approved, 
how is the key going to be disclosed?  Will it be encrypted by a Clipper-type
chip for transmission?  In a bureaucracy the size of the Federal
Government, with a databank of the necessary size, and data traffic of
the projected volume, there's going to be a lot of weak links.  How many of 
these kinds of problems will be open for public or "expert" scrutiny?]  

Furthermore, the Feds might be leery of handing completed keys around, 
even to State Police agencies: a trust and security issue.  This would be 
an especially acute issue if some other State's Police had mishandled a 
key, resulting in lawsuits, financial settlements, and political 
embarrassment.  So, the Feds implement it this way:
 
   (b) some federal agency gets the keys, performs the tap, and
       turns the results over to the NY State Police.

But let's say Cuomo's been causing some problems over a Clinton
Aid-To-Urban-Areas proposal.  Or there just happens to be a turf war
going on between the State cops and the Justice department on a case.
Now, not only do we have the keys as a political chit, we have an
extra player in the game *and* we have the tap's tapes as another
bargaining chit.  Again, the State Police lose.

I understand that (legal) wiretaps are quite expensive to maintain. In
scenario (b), who pays the bill?

+========================================================================+
|  dwight tuinstra             best:  tuinstra@sandman.ece.clarkson.edu  |
|                         tolerable:  tuinstrd@craft.camp.clarkson.edu   |
|                                                                        |
|        "Homo sapiens: planetary cancer??  ...  News at six"            |
+========================================================================+

Newsgroup: sci.crypt
Document_id: 15325
From: bena@dec05.cs.monash.edu.au (Ben Aveling)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

Andrew Richard Conway (arc@leland.Stanford.EDU) wrote:

: P.S. I can't work out why the US government doesn't want to sell
: them overseas. After all, they are rather easy for US interests to decode,
: so make a perfect tool for industrial/military espionage...lulling 
: anyone stupid enough to buy it into a false sense of security. You will
: notice that there is NO mention anywhere about safety for non-Americans.

Don't forget, you are in the country that wouldn't let the Russians
buy Apple II's because of security concerns.
--
        Ben  (-: bena@bruce.cs.monash.edu.au :-)  

Newsgroup: sci.crypt
Document_id: 15326
From: jfc@athena.mit.edu (John F Carr)
Subject: Re: Don't fight Clipper Chip, subvert or replace it !

In article <ygoland.735123994@wright>
	ygoland@wright.seas.ucla.edu (The Jester) writes:

>Ignoring for the moment the question of patented processes (such as
>Public Keys), can the government stop me from using an encryption
>process?

Following precedent in other areas, the government is likely to put a tax on
encryption technology.  Once the tax is imposed, it becomes a federal matter
and suspicion of an unlicensed cryptographic tool will bring the BATF or
FBI tossing grenades into your house.  (The BATF appears to be the logical
agency to enforce such regulations: federal control over alcohol, tobacco,
and firearms is similarly based on taxes.)

Look at the FCC: they won't allow sale of any receiver that can receive
bands that are supposed to be private.  This has nothing to do with any
desire to prevent harmful interference. If the government can make a radio
receiver illegal what makes you think they won't claim the right to control
encryption?

--
    John Carr (jfc@athena.mit.edu)

Newsgroup: sci.crypt
Document_id: 15327
From: Graham Toal <gtoal@gtoal.com>
Subject: Re: The battle is joined

In article <C5nn9I.D5q@news.claremont.edu> ebrandt@jarthur.claremont.edu (Eli Brandt) writes:
:In article <1993Apr16.181040.9381@qualcomm.com> karn@servo.qualcomm.com (Phil Karn) writes:
:>It looks like Dorothy Denning's wrong-headed ideas have gotten to the
:>Administration even sooner than we feared.
:
:I'd lay long odds that it was the other way around.  Clinton didn't
:just pull this plan out of any bodily orifices; the NSA has to have
:been working on it for years.  While it's possible that Denning (and
:other prominent people) just happened to start arguing for such a
:system, it seems more likely that there was a suggestion involved.
:If this guess is wrong, I apologize.

I'm sure Dorothy Denning is an honest person and wouldn't lie to us.
Simply think up a question to ask her about her involvement, but be
very careful to phrase it in such a way that there can be no Jesuitical
evasion or a true but wholly misleading answer.

In this country, MI5 are *experts* at answering these questions; for
instance there was a British journalist (Jonathon Moyle) killed in South
America a couple of years ago.  Parliament asked "Was he an MI5 employee"
"No." - turns out afterwards he wasn't paid, therefore wasn't an employee.
They could equally have said he wasn't an agent - he went abroad on his
private business with no brief from MI5, but was interviewed and debriefed
at length only *on his return*.

G


Newsgroup: sci.crypt
Document_id: 15328
From: steve-b@access.digex.com (Steve Brinich)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

  The dead giveaway is the repeated protestations that the new plan is aimed
at "criminals", "drug dealers", "terrorists", etc.  You'd think the tactic
would be too obvious to trot out yet again after a decade of Sarah and the
rest of the Brady Bunch using it to destroy the Second Amendment, but evidently
the control nuts feel it will serve them one more time.

  As far as the export needs of American companies are concerned, I could
almost believe that the plan to saddle the US industry with a hidden sabotaged
algorithm was invented by a cabal of Japanese lobbyists.



Newsgroup: sci.crypt
Document_id: 15329
From: pat@rwing.UUCP (Pat Myrto)
Subject: Re: Once tapped, your code is no good any more.

In article <1993Apr17.061326.16130@clarinet.com> brad@clarinet.com (Brad Templeton) writes:
>In article <tcmayC5M2xv.JEx@netcom.com> tcmay@netcom.com (Timothy C. May) writes:
>>Getting the court order to reveal the key *also* makes decipherable
>>all *past* conversations (which may be on tape, or disk, or whatver),
>>as I understand the proposal. I could be wrong, but I've seen no
>>mention of "session keys" being the escrowed entities.
>
>True in theory.  In practice?  The technology of cellular phones will
>probably be spread spectrum and quite difficult to record the crypttext
>without the key.  If the frequency path depends on the key, as I
>understand it to, it *could* be made effectively impossible to record.

I am not an expert in the cryptography science, but some basic things
seem evident to me, things which this Clinton Clipper do not address.
They all pertain to opportunities for abuse, and conclusions based on what
I have seen the membership of this group (except for two notable persons)
agree to.  If anything bad is possible by the government in theory, it
almost always ends up happening in fact.  So the key is to make abuse
IMPOSSIBLE.  Question authority, and remember power DOES corrupt.

I think one has to regard this whole idea in the sense that it WILL be
expanded to include other data forms, such as data transfer and stored
data. and as such should be treated as if it were expanded (or such
expansion will be almost impossible to stop, using Clipper as a precedent).
There was a hint of that in the proposal, remember.  That said, please
bear with me, I am not very articulate, so I take more words to say
what others could say much more briefly.  Thank you.

>Once it hits land you can record it if you have telco access.  The
>telco isn't supposed to give that without a warrant.  That's the rule
>today.

As I suggested this is NOW.  The hint is in the proposal that this or
similar proposals are being considered for other forms of encryptions
such as data transfer, data files, and such, largely dependent on how
this thing is accepted or flies.  I think one would be wise to treat
this in the manner one would when (not if) it gets expanded to other
areas than cellular phones.  I think this is guaranteed to happen, if
this proposal gets by.  Salami politics.  It has been and is used in
several other areas, it is certain to be used here.  Government is not
going to easily give up on the idea that they should be able to eavesdrop
whenever they want to.  'Court order required' has proven to be a rather
flimsy guarantee.  If the case warrants, they can always seize the
material, and force one to give the key, or sit in jail forever on
periodically renewed contempt charges.  So it is not denying the justice
system the information, nor the ability to lock someone up if guilty
(or refuses to divulge the means to access the info - this is not
protected under the Fifth - one can be forced to perform ACTS that would
result in divulging incriminating evidence).  So, blocking restrictions
on private encryption is not preventing LEGITIMATE law enforcement - it
does make ILLEGITIMATE law enforcement a bunch more difficult.  Especially
fishing expeditions without the target's knowledge.  Don't give up the
right to be safe from that - that should be non-negotiable, and Clinton
and Co. know it (which is probably why they quietly developed this thing,
figuring if they get it this far, they can ram it on through).  How come
those consulted could be roughly described as "us insiders"?  They cannot
quietly IMPLEMENT it though, when they ban other schemes to ensure its
exclusive use.  Hence the nice PR document to try and reassure everyone.
Don't buy into it.  Has government really earned that kind of trust,
past or future?  To be secure and free, one must keep government honest
and the only way to do that is to make abuse IMPOSSIBLE, not 'unlikely'
or 'difficult'.

>But even so, the evidence would not be admissible, I think, unless the
>judge so ordered.  I think that even interception of the crypttext
>without a warrant would be illegal.   Cops can't record today's plain
>cellular calls and then ask a judge, "Hey, can we have permission to
>listen to those tapes?" can they?

So what?  One could use information gained by re-use of the keys (saved
after the last case was finished) or other means (master key, backdoor,
easily broken algorithm) to find other evidence which, given to a judge,
would authorize a tap which wouldn't have been possible otherwise.  This
has been the more common manner of abuse of wiretaps in the past...  For
local cops, this might be workable to keep them honest, but the Feds
have a workaround somehow, BET on it.  Does anyone really believe
for example, that the government will use a scheme NSA cannot listen
in on scanning for keywords - either easily defeated in realtime or
via a 'master key'?  I sure don't.

This whole thing sounds like something to eliminate the need to use
old-fashioned police work to build a case.  In the past, eavesdropping
was rather easy (with or without a court order).  I think the Law
Enforcement community has become a bit spoiled, and will resist changes
that require them to revert to using old-fashioned detective work.  I
just find it somewhat surprising coming from a bunch that cares so much
about civil and individual rights, that "puts people first".  The question
is "put people first" to WHERE?

With the innards not being revealed, how is one to be sure there DOESN'T
exist a 'master key' for use by NSA, etc (so they can do their keyword
scan, etc on conversations they routinely monitor, without a specific
court order)?   Remember, the cellular phone limitation is only TEMPORARY.
Bet on it.  And so far I have not heard about police telling people that
they have been tapped and nothing incriminating was found.  What is to
keep them from simply keeping the keys on file for 'next time'? After
awhile, they would have quite a collection.  Kept especially for folks
they deem 'disruptive'.  And if they get only one key, that would
reduce the search space a lot, unless it is an RSA scheme.  Remember
Nixon years?  Need for court orders really slowed them down, didn't it?

And unless the escrow accounts are not government controlled (fat chance!
I see one ending up being under, say Treasury, the other under Justice
:-)) it could be worth some serious bucks to some folks to get keys to
a competitor's Clinton Clipper (or descendent when this idea is expanded
to be used for all non-government encryption).  Enough bucks would get
one the keys or the innards for this algorithm.  Perhaps not an important
concern, but given past government behavior and the other problems...

>>worse, of course, if the government then uses this "Clinton Clipper"
>>to argue for restrictions on unapproved encryption. (This is the main
>>concern of most of us, I think. The camel's nose in the tent, etc.)
>
>Yes, that is a major concern, but I think that they think they can
>win just by having 99.5% of the USA use this system.  They don't even
>have to care about the cautious .5% that's left.  They don't catch the
>really smart crooks anyway.   John Gotti, who would have to be retarded
>not to realize he was likely to be wiretapped, glibly chatted away
>on his tapped phone about murder plans.  That's why he's in jail now.
>Hard to believe, but true.

What will one do when it is expanded to data storage encryption?  You
can BET that if Clipper is accepted, that will be next on the agenda.
It is even hinted at in the proposal - read it carefully...  Expect the
argument "well, if you got nothing to hide..."  Fine. Then using that
argument, one should not object to video cameras being installed in
every room of one's home.  Granted - an extreme expansion of the idea but
the principle holds.  Private stuff should remain private, even from a
govt fishing expedition.  And laws/rules may change in the future as
to 'safeguards'.  When it comes to the Fed Government, safeguards are
pretty meaningless, if they want to do/get something.

Don't work so hard to give up some rather treasured rights, or establish
bad precedents, please.  The price could be hell to pay, later.

>This scheme can succeed without laws forbidding more, which people would
>fight a lot harder.  They like this enough that they are dropping the so
>called "Digital Telephony" proposal, according to rumours.  However the
>meaning of that is complex, since they still want to get at the crypttext
>on telco systems, and that requires a bit of work.

People would fight laws forbidding more NOW, but in, say two years,
because we have this 'crisis' situation which MUST be addressed by some
'drastic action', just this added reasonable restriction will only bother
those who have something to hide... etc.  Please don't buy into it.

If the Clinton Clipper is so very good, why not make its algorithm public
so many people can exchange ideas and examine it, rather than a few
isolated 'respected experts' (respected by whom?  for what?  Perhaps a
certain professor who likes key banks would be one of the selected
experts... this does seem to expand on some ideas the person was
advocating, if I recall :-).  How would anybody know that what the
experts examine is the same as what will end up being used in the Clipper
Chip, if it is kept secret?   Perhaps the Clipper will use a crippled
version (with a 'master key' provision), or features not present in the
version subjected for study and evaluation by the experts.  And who
chooses the experts?  The government?  No conflict of interest there...
:-)

And isn't it a REQUIREMENT for any decent encryption scheme that it NOT
have its effectiveness reduced by having the algorithm widely known?
I was led to believe that one should assume the other side has everything
you have, except for the key(s)... I recall ideas presented to this
group are rejected if a requirement exists the algorithm be secret...

Another question - since it is a safe bet this Clipper thing would not
be used for government security, they are regarding it as not real secure
but "good enough" for common folk.  I think I would like to see a full
description (not a PR non-statement) of just what "good enough" means?
I think when saying how strong it is, "good enough" really means "not
very".  The excuse that other countries have these restrictions is not
acceptable:  Other countries do not have our Bill of Rights and
Constitution (which the people, not the governments, of those other
countries often regard with envy - what we have as rights they have as
revokable privileges).  And if we expect to retain those rights and
protections, we must not allow them to be gutted because we just GOTTA
have this thing to 'fight crime'.  We have already had our Bill of
Rights pretty much torn to shreds.  We should not permit more weakening
for yet another 'noble cause', instead we should be trying to repair
the damage.  Our crime problem may have a number of causes, but "too
many rights and safeguards" is not a significant one.  A broken court
system and poor police work are a much more significant cause than having
"too many rights" (disregarding addressing the root causes for crime,
etc).

BTW - those who suggest that this is just an attack on Clinton, believe
this:  I would be going ballistic regardless WHO seriously proposed
this thing.  It is just another step in a gradual erosion of our rights
under the Constitution or Bill of Rights.  The last couple of decades
have been a non-stop series of end-runs around the protections of the
Constitution.  It has to stop.  Now is as good a time as any, if it
isn't too late already.

>-- 
>Brad Templeton, ClariNet Communications Corp. -- Sunnyvale, CA 408/296-0366


-- 
pat@rwing.uucp      [Without prejudice UCC 1-207]     (Pat Myrto) Seattle, WA
         If all else fails, try:       ...!uunet!pilchuck!rwing!pat
WISDOM: "Only two things are infinite; the universe and human stupidity,
         and I am not sure about the former."              - Albert Einstein

Newsgroup: sci.crypt
Document_id: 15330
From: al@escom.com (Al Donaldson)
Subject: Re: Once tapped, your code is no good any more.

amolitor@nmsu.edu (Andrew Molitor) writes:
>Yes, those evil guys in the FBI can probably, with some
>effort, abuse the system. I got news for you, if the evil guys in
>the FBI decide they want to persecute you, they're gonna, ...

And if Richard Nixon had had this kind of toy, he wouldn't have had
to send people into the Watergate.

But that's not really the issue.  The real issue is whether this 
will be used to justify a ban against individuals' use of private 
(i.e., anything else) encryption methods.

Unrelated question...isn't the term "Clipper," as neat as it is,
already taken by Intergraph?

Al

Newsgroup: sci.crypt
Document_id: 15331
From: mrr@scss3.cl.msu.edu (Mark Riordan)
Subject: Re: Source of random bits on a Unix workstation

Bennett Todd @ Salomon Brothers Inc., NY (bet@sbi.com) wrote:
: However, unless I
: missed something, the only source they suggested (aside from a hardware RNG)
: that seems available, and unguessable by an intruder, when a Unix is
: fresh-booted, is I/O buffers related to network traffic. I believe my
: solution basically uses that strategy, without requiring me to reach into
: the kernel.

A few more sources are statistics on your filesystems (easily
and quickly obtained) and the output from the "rusage" system
call.  

You can also exec a finger to one or more favorite heavily-used
systems, though this can take several seconds.

cf. the source code to RIPEM on ripem.msu.edu.

Mark R.
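
An added example to go with the suggestions above (it is not RIPEM code and
not Mark Riordan's): it samples the cheap local sources he names (filesystem
statistics, rusage) plus a process id and a high-resolution clock, and mixes
them with SHA-256.  Assumptions: a POSIX host where os.statvfs and the
resource module exist; the paths "/", "/tmp" and "/var" are just guesses and
are skipped if absent.  The remote "finger" source is left out so the code
runs offline.

```python
# Added example: pool local, non-kernel statistics of the kind suggested
# above and mix them into one seed.  Not RIPEM's own code.
import hashlib
import os
import time

try:
    import resource          # POSIX only; assumed present on Linux/macOS
except ImportError:          # pragma: no cover
    resource = None


def entropy_sources(paths=("/", "/tmp", "/var")):
    """Return a list of (label, bytes) samples from local sources.

    Each sample is weak on its own: filesystem counters change slowly and
    any local user can read them, so treat them as mix-in material, never as
    a replacement for a hardware RNG or the kernel's own pool.
    """
    samples = []
    for p in paths:                      # assumed paths; skip any that are absent
        try:
            st = os.statvfs(p)
        except OSError:
            continue
        samples.append((f"statvfs:{p}", repr(tuple(st)).encode()))
    if resource is not None:
        ru = resource.getrusage(resource.RUSAGE_SELF)
        samples.append(("rusage", repr(tuple(ru)).encode()))
    samples.append(("pid", os.getpid().to_bytes(8, "big")))
    samples.append(("clock_ns", time.perf_counter_ns().to_bytes(8, "big")))
    return samples


def mix(samples):
    """Hash all samples into one 32-byte seed.  Every field is length-prefixed
    so that two different sample lists cannot hash to the same input."""
    h = hashlib.sha256()
    for label, data in samples:
        enc = label.encode()
        h.update(len(enc).to_bytes(2, "big") + enc)
        h.update(len(data).to_bytes(4, "big") + data)
    return h.digest()


def seed_from_local_sources():
    return mix(entropy_sources())


if __name__ == "__main__":
    for label, data in entropy_sources():
        print(f"{label:14s} {len(data):5d} bytes")
    print("seed:", seed_from_local_sources().hex())
```

The length prefixes in mix() matter: without them ("a", b"bc") and ("ab",
b"c") would feed the hash identical bytes.  Two consecutive seeds differ
because the clock and rusage fields move between calls, which says nothing
about how unguessable they are to someone watching the same host.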

Newsgroup: sci.crypt
Document_id: 15332
From: schneier@chinet.chi.il.us (Bruce Schneier)
Subject: Re: An Open Letter to Mr. Clinton

In article <strnlghtC5M2Cv.8Hx@netcom.com> strnlght@netcom.com (David Sternlight) writes:
>
>Here's a simple way to convert the Clipper proposal to an unexceptionable
>one: Make it voluntary.
>
>That is--you get high quality secure NSA classified technology if you agree
>to escrow your key. Otherwise you are on your own.
>

As long as "you are on your own" means that you can use your own encryption,
I'm sold.

Bruce

Newsgroup: sci.crypt
Document_id: 15333
From: eldar@fraser.sfu.ca (Danny Eldar)
Subject: Need help !!

I am currently writing a paper on computer protocols security. I would 
appreciate your help.  I currently have no insight into these topics except
that they relate to security in a multilevel security network.  Please send me
any references, books, FAQs or contact persons names and Internet addresses.
The topics I am interested in:
1.  The "firewall gateway model" as implemented in Internet gateways.
2.  Kerberos Authentication Service

Please send me a private e-mail at eldar@sfu.ca and/or post it on the board.

Thanks a lot,

      Danny 


Newsgroup: sci.crypt
Document_id: 15334
From: holland@CS.ColoState.EDU (douglas craig holland)
Subject: Re: Once tapped, your code is no good any more.

In article <1qpg8fINN982@dns1.NMSU.Edu> amolitor@nmsu.edu (Andrew Molitor) writes:
>In article <tcmayC5M2xv.JEx@netcom.com>
>	tcmay@netcom.com (Timothy C. May) writes:
>>
>>But is it any worse than the current unsecure system? It becomes much
>>worse, of course, if the government then uses this "Clinton Clipper"
>>to argue for restrictions on unapproved encryption. (This is the main
>>concern of most of us, I think. The camel's nose in the tent, etc.)
>>
>
>	Not to pick on Mr. May in particular, of course, but isn't this
>kind of the domino theory? When one little country falls, its neighbor
>will surely follow, and before you know it, we're all mining salt
>in Siberia for not turning in our Captain Crunch Secret Decoder Rings.
>
>	Surely the hypothesis relying on the least wild assumptions is
>to take this at face value. Our lads at the fort were asked to cook up
>something that's pretty secure, with a key that can be escrowed neatly,
>and they did. The government plans to sell this thing, for the reasons
>they state. Yes, those evil guys in the FBI can probably, with some
>effort, abuse the system. I got news for you, if the evil guys in
>the FBI decide they want to persecute you, they're gonna, and you're
>gonna hate it. Fact is, the FBI doesn't want to listen to your phone
>calls, and if they do, and if you're using triple-DES, they'll just
>get a parabolic microphone and point it at your head.
>
	With E-Mail, if they can't break your PGP encryption, they'll just
call up one of their TEMPEST trucks and read the electromagnetic emissions
from your computer or terminal.  Note that measures to protect yourself from
TEMPEST surveillance are still classified, as far as I know.

>	This is pretty clearly an effort by the government to do exactly
>what they're saying they're doing. As is typical with governments,
>it's mismanaged, and full of holes and compromises. As is typical
>with our government, it's not too bad, could be worse.
>
>	My interpretation.
>
>	Andrew
>
>>-Tim May, whose sig block may get him busted in the New Regime
>                           ^^^^^^^^^^^^^^^^^^
>
>	Isn't this just a little melodramatic?

	If the new regime comes to fruition, make sure you protect your First
Amendment rights by asserting your Second Amendment Rights.

						Doug Holland


Newsgroup: sci.crypt
Document_id: 15335
From: bill@Celestial.COM (Bill Campbell)
Subject: Re: Once tapped, your code is no good any more.

In <1993Apr17.032828.14262@clarinet.com> brad@clarinet.com (Brad Templeton) writes:

:It occurs to me that if they get a wiretap order on you, and the escrow
:houses release your code to the cops, your code is now no longer secure.

A very good point!

:It's in the hands of cops, and while I am sure most of the time they are
:good, their security will not be as good as the escrow houses.

Why should we expect the cops to be honest!  They're underpaid
for the risks they face every day.  The media dumps on them all the
the time and blames them for all sorts of discrimination,
brutality....  How can we expect them to be more than human?

Besides there are lots of cases of police abuses ranging from
protection scams to outright robbery (when I worked in D.C. there
was a breakin at a local Radio Shack and the alarm company heard the
cops responding to the call over the audio pickup in the store:-).

:What this effectively means is that if they perform a wiretap on you,
:at the end of the wiretap, they should be obligated to inform you that
:a tap was performed, and replace (for free) the clipper chip in your
:cellular phone so that it is once again a code known only to the
:escrow houses.

Then you would know that Big Brother had been listening.  Does he
really want to let you know?

:Do the police normally reveal every tap they do even if no charges are
:laid?   In many ways, it would be a positive step if they had to.
:Judges set time limits on warrants, I assume.  At the end of the time
:limit they should have to renew or replace your chip.

:That's if we go with this scheme, which I am not sure I agree with.

I'm completely against anything that makes it easier for the
government to encroach on the rights of individuals.  The
founders of this country spent a lot of effort limiting the power
of the government and specifying exactly what the government's
rights were (and this didn't include a gov't spy in every
bedroom).  IMHO, there are entirely too many things going on
today designed to preserve the government organism at the expense
of individuals.  Look around and reread 1984 and many early
Heinlein books.  Aren't there many parallels between the thought
police (can you spell Waco Texas?), and Heinlein's ``Crazy Years''?

Bill
-- 
INTERNET:  bill@Celestial.COM   Bill Campbell; Celestial Software
UUCP:   ...!thebes!camco!bill   6641 East Mercer Way
             uunet!camco!bill   Mercer Island, WA 98040; (206) 947-5591
SPEED COSTS MONEY -- HOW FAST DO YOU WANT TO GO?

Newsgroup: sci.crypt
Document_id: 15336
From: holland@CS.ColoState.EDU (douglas craig holland)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

In article <strnlghtC5LGFI.JqA@netcom.com> strnlght@netcom.com (David Sternlight) writes:
>
>Though some may argue about the nose of the camel, it's worth noting that
>the government proposal is limited to scrambled telephony. If it is only
>used for that purpose, and does not extend to electronic mail or file
>encryption, then it IS an improvement over the current mass-produced
>standard civilian technology which, with a few exceptions, is limited to
>easy-to-break inverters.
>
>Note that the big issue for the feds is the continued ability to wiretap.
>Before we go off the deep end with long discussions about secure crypto for
>e-mail and files, let's focus on this.
>
>One question that was not asked in the release is whether this proposal is
>limited to telephony, or if the government intends to expand it.
>
>Though I share many of the concerns expressed by some, I find the proposal
>less threatening than many others, since right now most Americans have no
>secure telephony, and any jerk with a pair of clip leads and a "goat" can
>eavesdrop. This would also plug up the security hole in cellular and
>cordless phones.
>
>-------
>
>Reading between the lines, I infer that the system is highly secure
>without access to the keys. This would meet the needs of U.S. businesses
>confronted by rich and powerful adversaries, including French and Japanese
>security services and rich Japanese companies. It allows the NSA to make
>available some of its better stuff while protecting law enforcement needs.
>
>Most legitimate U.S. corporations trust the NSA, and would be delighted to
>have a high-security system certified by them, even at the price of
>depositing keys in escrow. I see no difficulty in creating a reliable
>escrow. Corporations entrust their secrets to attorneys every day of the
>week, and that system has worked pretty well.
>
>From my point of view this is a fair starting point. There are concerns that
>need to be addressed, including the reliability of the escrows. But in
>return we get access to high-security crypto. Many have suggested that DES
>and other systems may be breakable by the NSA and hence others similarly
>skilled and endowed. There is at least a good possibility (which should be
>checked) that the proposed system is not so breakable. It doesn't have to
>be, nor does it have to have trapdoors, if the government can get the keys
>pursuant to a legitimate court order. Thus they can protect legitimate
>communications against economic adversaries, while still being able to
>eavesdrop on crooks pursuant to a court order.
>
	Let me ask you this.  Would you trust Richard Nixon with your
crypto keys?  I wouldn't.

						Doug Holland



Newsgroup: sci.crypt
Document_id: 15337
From: smb@research.att.com (Steven Bellovin)
Subject: Clipper chip -- technical details

I received the following two notes from Martin Hellman with details
on how Clipper will work.  They are posted with his permission.  The
implications of some details are fascinating.

-------
Date: Sat, 17 Apr 93 23:05:23 PDT
From: "Martin Hellman" <hellman@isl.stanford.edu>
To: (a long list of recipients)
Subject: Clipper Chip


Most of you have seen the announcement in Friday's NY Times,
etc. about NIST (National Institute of Standards & Technology)
announcing the "Clipper Chip" crypto device. Several messages
on the net have asked for more technical details, and some have
been laboring under understandable misunderstandings given
the lack of details in the news  articles. So here to help out
is your friendly NSA link: me. I was somewhat surprised Friday
to get a call from the Agency which supplied many of the missing
details. I was told the info was public, so here it is (the cc of this
to Dennis Branstad at NIST is mostly as a double check on my
facts since I assume he is aware of all this; please let me know
if I have anything wrong):

The Clipper Chip will have a secret crypto algorithm embedded in 
Silicon. Each chip will have two secret, 80-bit keys. One will be the 
same for all chips (ie a system-wide key) and the other will be unit 
specific. I don't know what NIST and NSA will call them, but I will 
call them the system key SK and unit key UK in this message. 
The IC will be designed to be extremely difficult to reverse so 
that the system key can be kept secret. (Aside: It is clear that 
they also want to keep the algorithm secret and, in my opinion, 
it may be as much for that as this stated purpose.) The unit key 
will be generated as the XOR of two 80-bit random numbers K1 
and K2 (UK=K1+K2) which will be kept by the two escrow 
authorities. Who these escrow authorities will be is still to be 
decided by the Attorney General, but it was stressed to me that 
they will NOT be NSA or law enforcement agencies, that they 
must be parties acceptable to the users of the system as unbiased. 
When a law enforcement agency gets a court order, they will 
present it to these two escrow authorities and receive K1 and 
K2, thereby allowing access to the unit key UK.

In addition to the system key, each user will get to choose his 
or her own key and change it as often as desired. Call this key 
plain old K. When a message is to be sent it will first be 
encrypted under K, then K will be encrypted under the unit key UK, 
and the serial number of the unit added to produce a three part 
message which will then be encrypted under the system key SK 
producing

     E{ E[M; K], E[K; UK], serial number;  SK}

When a court order obtains K1 and K2, and thence K, the law 
enforcement agency will use SK to decrypt all information 
flowing on the suspected link [Aside: It is my guess that 
they may do this constantly on all links, with or without a 
court order, since it is almost impossible to tell which links 
over which a message will flow.] This gives the agency access to 

     E[M; K], E[K; UK], serial number

in the above message. They then check the serial number 
of the unit and see if it is on the "watch list" for which they 
have a court order. If so, they will decrypt E[K; UK] to obtain K, 
and then decrypt E[M; K] to obtain M.

I am still in the process of assessing this scheme, so please do 
not take the above as any kind of endorsement of the proposed 
scheme. All I am trying to do is help all of us assess the scheme 
more knowledgably. But I will say that the need for just one court 
order worries me. I would feel more comfortable (though not 
necessarily comfortable!) if two separate court orders were 
needed, one per escrow authority. While no explanation is
needed, the following story adds some color: In researching
some ideas that Silvio Micali and I have been kicking around,
I spoke with Gerald Gunther, the constitutional law expert
here at Stanford and he related the following story: When
Edward Levi became Pres. Ford's attorney general (right
after Watergate), he was visited by an FBI agent asking
for "the wiretap authorizations." When Levi asked for
the details so he could review the cases as required by
law, the agent told him that his predecessors just turned
over 40-50 blank, signed forms every time. Levi did not
comply and changed the system, but the lesson is clear: 
No single person or authority should have the power to
authorize wiretaps (or worse yet, divulging of personal
keys). Sometimes he or she will be an Edward Levi
and sometimes a John Mitchell.

Martin Hellman

----

Date: Sun, 18 Apr 93 11:41:42 PDT
From: "Martin Hellman" <hellman@isl.stanford.edu>
To: smb@research.att.com
Subject: Re: Clipper Chip

It is fine to post my previous message to sci.crypt 
if you also post this message with it in which:

1. I ask recipients to be sparse in their requesting further info 
from me or asking for comments on specific questions. By
this posting I apologize for any messages I am unable to
respond to. (I already spend too much time answering too much
e-mail and am particularly overloaded this week with other
responsibilities.) 

2. I note a probable correction sent to me by Dorothy Denning.
She met with the person from NSA that
I talked with by phone, so her understanding is likely to be
better than mine on this point: Where I said the transmitted
info is  E{ E[M; K], E[K; UK], serial number;  SK}
she says the message is not double encrypted. The system
key (or family key as she was told it is called) only encrypts
the serial number or the serial number and the encrypted
unit key. This is not a major difference, but I thought it
should be mentioned and thank her for bringing it to
my attention. It makes more sense since it cuts down
on encryption computation overhead.
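
An added toy model of the escrow structure Hellman describes; it is not
code from the post, from NIST or from NSA.  It follows the corrected layout
in his second note: the system (family) key SK wraps only the serial number
and E[K; UK], and E[M; K] travels alongside unwrapped.  The chip's actual
cipher is secret, so a SHA-256 keystream with a random nonce stands in for
it, and the 4-byte serial number, the two escrow "authorities" as plain
dictionaries, and the watch list as a set are all assumptions made for
illustration.

```python
# Added example: the Clipper escrow flow as described above, with a
# stand-in cipher.  UK = K1 XOR K2 is rebuilt from the two escrow shares.
import hashlib
import secrets
from dataclasses import dataclass

KEY_BYTES = 10     # 80-bit keys, as described
SERIAL_BYTES = 4   # assumed fixed-width unit serial number
NONCE_BYTES = 8    # assumed; needed so the stand-in cipher is not reused


def xor(a, b):
    if len(a) != len(b):
        raise ValueError("xor operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def _keystream(key, nonce, n):
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def encrypt(key, msg):          # E[msg; key] with a fresh nonce prepended
    nonce = secrets.token_bytes(NONCE_BYTES)
    return nonce + xor(msg, _keystream(key, nonce, len(msg)))


def decrypt(key, blob):
    nonce, body = blob[:NONCE_BYTES], blob[NONCE_BYTES:]
    return xor(body, _keystream(key, nonce, len(body)))


@dataclass(frozen=True)
class Unit:
    serial: bytes
    k1: bytes   # share held by escrow authority 1
    k2: bytes   # share held by escrow authority 2

    @property
    def uk(self):   # unit key burned into the chip: UK = K1 XOR K2
        return xor(self.k1, self.k2)


def make_unit(serial):
    return Unit(serial, secrets.token_bytes(KEY_BYTES), secrets.token_bytes(KEY_BYTES))


def chip_encrypt(sk, unit, k, message):
    """What the chip emits: E{serial, E[K; UK]; SK} followed by E[M; K]."""
    header = encrypt(sk, unit.serial + encrypt(unit.uk, k))
    return header, encrypt(k, message)


def intercept(sk, watch_list, escrow1, escrow2, packet):
    """Law-enforcement side.  SK opens every header it sees; only serials on
    the watch list (i.e. with a court order) get UK rebuilt from escrow."""
    header, body = packet
    fields = decrypt(sk, header)
    serial, wrapped_k = fields[:SERIAL_BYTES], fields[SERIAL_BYTES:]
    if serial not in watch_list:
        return None
    uk = xor(escrow1[serial], escrow2[serial])
    k = decrypt(uk, wrapped_k)
    return decrypt(k, body)


def demo():
    sk = secrets.token_bytes(KEY_BYTES)
    alice, bob = make_unit(b"\x00\x00\x00\x01"), make_unit(b"\x00\x00\x00\x02")
    escrow1 = {u.serial: u.k1 for u in (alice, bob)}
    escrow2 = {u.serial: u.k2 for u in (alice, bob)}
    # Alice picks a new session key K for each call; Bob is never targeted.
    p1 = chip_encrypt(sk, alice, secrets.token_bytes(KEY_BYTES), b"first call")
    p2 = chip_encrypt(sk, alice, secrets.token_bytes(KEY_BYTES), b"later call")
    p3 = chip_encrypt(sk, bob, secrets.token_bytes(KEY_BYTES), b"bob's call")
    order = {alice.serial}   # one court order names one serial number
    # Once UK leaves escrow, every session of that unit, past or future and
    # whatever K the user chose, opens; Bob's header is read but his body is not.
    return [intercept(sk, order, escrow1, escrow2, p) for p in (p1, p2, p3)]


if __name__ == "__main__":
    print(demo())
```

Two points the model makes concrete: changing K does nothing against a
holder of UK, because K is always sent wrapped under UK; and whoever holds
SK learns the serial number on every link, order or not, which is the
"watch list" scan Hellman guesses at.  Switching to his first layout only
changes whether E[M; K] is also wrapped under SK.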

Newsgroup: sci.crypt
Document_id: 15338
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]


In article <1qnupd$jpm@news.intercon.com> amanda@intercon.com (Amanda Walker) writes:

   From: amanda@intercon.com (Amanda Walker)

   jhesse@netcom.com (John Hesse) writes:
   > Oh great. Wonderful news. Nobody can listen in--except the feds. 

   Hey, it's better than the status quo.

   I am far less worried about "the feds" tapping my phone than high school 
   scanner surfers who get their kicks out of eavesdropping on cellular and 
   cordless phone calls.

I'm a political dissident. I'm scared shitless of the feds listening
in on my calls. My opinions are the sort that would get me
"disappeared" in a slightly less free society -- and who knows what
sort of society we will be in in five or ten years? I have friends who
have had their phones tapped -- none of this is theoretical to me.

As for "its better than the status quo", well, first of all, you can
get a cryptophone from companies like Cylink today -- and they work
well. In addition, a number of groups are now working on building
software to turn any PC into a privacy enhanced phone right now -- and
they are all working in overdrive mode.

   And yes, I'd rather just see all crypto restrictions lifted, but this is at 
   least an incremental improvement for certain applications...

There ARE no crypto restrictions... yet. You can use anything you want
RIGHT NOW. The point is to maintain that right.

--
Perry Metzger		pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
Document_id: 15339
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: Re: Once tapped, your code is no good any more.


In article <1qovj8$74m@ni.umd.edu> louie@sayshell.umd.edu (Louis A. Mamakos) writes:

   In article <tcmayC5M2xv.JEx@netcom.com> tcmay@netcom.com (Timothy C. May) writes:

   >But is it any worse than the current unsecure system? It becomes much
   >worse, of course, if the government then uses this "Clinton Clipper"
   >to argue for restrictions on unapproved encryption. (This is the main
   >concern of most of us, I think. The camel's nose in the tent, etc.)

   Excuse me?  This has *already* happened.  There's a couple of humps in
   the tent already.  Ask the folks at Qualcomm what became of the
   non-trivial encryption scheme they proposed for use in their CDMA
   digital cellular phone standard?  There *already* are restrictions in
   place.

You have it slightly wrong. They dumped the encryption system because
they could not export it -- not because they could not produce it for
U.S. use. There are no legal restraints on citizen use of strong
cryptography -- yet.
--
Perry Metzger		pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
Document_id: 15340
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: are we being hysterical? No!


In article <1qpg8fINN982@dns1.NMSU.Edu> amolitor@nmsu.edu (Andrew Molitor) writes:

>In article <tcmayC5M2xv.JEx@netcom.com>
>	tcmay@netcom.com (Timothy C. May) writes:
>>
>>But is it any worse than the current unsecure system? It becomes much
>>worse, of course, if the government then uses this "Clinton Clipper"
>>to argue for restrictions on unapproved encryption. (This is the main
>>concern of most of us, I think. The camel's nose in the tent, etc.)
>>

>	Not to pick on Mr. May in particular, of course, but isn't this
>kind of the domino theory?

As John Gilmore has pointed out repeatedly, if you produce the
infrastructure that would permit a police state to function, all that
is required to suddenly find yourself living in one is a change of
attitude on the part of the government.

Our constitution was built by men who had to risk their lives to
ensure freedom in our country. They designed the system to make it
difficult for tyranny to arise. For instance, one of the reasons the
fourth amendment was put there was to make it harder for the
government to try to make smuggling a crime. Think I jest? John
Hancock made all his money smuggling rum, which is, after all, a drug.

Think about it. The government has everyone's keys in escrow, and the
FBI gets their pet "wiretap without leaving the office" scheme. There
is a coup, which happens every day all around the world. Within hours,
everyone in the country who might oppose the tyrants is being
monitored more closely than ever before possible.

Without the tools being in place, a tyranny cannot stand. With tools
like this in place, a tyrannical dictatorship could actually be
successfully imposed.

Why give the government tools with which to enslave you? Maybe you can
trust Bill Clinton, but are you willing to tell me that you can trust
EVERY government that will ever arise in the U.S. hereafter? I am not
willing to make that leap of faith.

>>-Tim May, whose sig block may get him busted in the New Regime
>                           ^^^^^^^^^^^^^^^^^^
>	Isn't this just a little melodramatic?

I'm a political dissident. As such, I am acutely aware of what happens
to political dissidents in most of the world. In most of the world, I
could be killed for my beliefs. Call Amnesty International some time
to find out what happens to dissidents in most of the world.

All that separates the U.S. from most of those places is a thin piece
of parchment in the National Archives that's being constantly more and
more eroded by such farces as the war on drugs. Coups have happened in
countries that have had stable democracies for over a hundred years.
Governments throughout history have fallen. No government has lasted
for more than a few hundred years. Often, they are replaced by
dictatorships. Do you really believe so intensely that it could never
ever ever happen here that you are willing to bet your own life and
the lives of your children and other loved ones on it?

If we construct the tools with which tyranny could be enforced, we
make it orders of magnitude more likely that it could happen, because
if it happened with the tools already in place it could actually
stick. 

Naive fools such as our leadership believe they can protect us where
hundreds that have gone before have failed. Thriving democracies led
by men far more skillful than Bill Clinton have fallen to
dictatorship. Rome had a thriving republic run by exquisitely skilled
men before they became a tyranny.

I, for one, am unwilling to trust that it could never happen here.
Only hubris would allow us to believe we are immune to what has
happened elsewhere.

--
Perry Metzger		pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
Document_id: 15341
From: marc@mit.edu (Marc Horowitz N1NZU)
Subject: Re: The source of that announcement

In article <tcmayC5o715.Mrs@netcom.com> tcmay@netcom.com (Timothy C. May) writes:

   I know that at least one person on that list says the first he heard
   of Clipper was in the Friday morning newspaper! And another has
   already fired off a letter of protest to NIST.

   My point? I suspect this list, interesting as it is for various
   reasons, does not represent the cabal that put this proposal together.
   Some of them, yes. Others, no. 

I received mail from Mitch Kapor saying that he did not ask to be on
the list, and does not know why he was added.  I'm sure the same
applies to others on the list.  So, I guess my initial theory was
right, that the clipper list was just someone's idea of a bad joke.  I
guess I should be happy it wasn't a conspiracy.

		Marc
--
Marc Horowitz N1NZU <marc@mit.edu>				617-253-7788

Newsgroup: sci.crypt
Document_id: 15342
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Once tapped, your code is no good any more.

In article <Apr18.194927.17048@yuma.ACNS.ColoState.EDU>
holland@CS.ColoState.EDU (douglas craig holland) writes:

>Note that measures to protect yourself from
>TEMPEST surveillance are still classified, as far as I know.

I think this to be inaccurate. One can buy TEMPEST equipment commercially.
Even Macs.

David
-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
Document_id: 15343
From: djb@silverton.berkeley.edu (D. J. Bernstein)
Subject: Re: Clipper chip -- technical details

Short summary of what Bellovin says Hellman says the NSA says: There is
a global key G, plus one key U_C for each chip C. The user can choose a
new session key K_P for each phone call P he makes. Chip C knows three
keys: G, its own U_C, and the user's K_P. The government as a whole
knows G and every U_C. Apparently a message M is encrypted as
E_G(E_{U_C}(K_P),C) , E_{K_P}(M). That's it.

The system as described here can't possibly work. What happens when
someone plugs the above ciphertext into a receiving chip? To get M
the receiving chip needs K_P; to get K_P the receiving chip needs U_C.
The only information it can work with is C. If U_C can be computed
from C then the system is cryptographically useless and the ``key
escrow'' is bullshit. Otherwise how is a message decrypted?

---Dan

Newsgroup: sci.crypt
Document_id: 15344
Subject: Re: Once tapped, your code is no good any more.
From: steiner@jupiter.cse.utoledo.edu (Jason 'Think!' Steiner)

douglas craig holland (holland@CS.ColoState.EDU) writes:
>
> With E-Mail, if they can't break your PGP encryption, they'll just
> call up one of their TEMPEST trucks and read the electromagnetic 
> emissions from your computer or terminal.  Note that measures to 
> protect yourself from TEMPEST surveillance are still classified, as 
> far as I know.

are LCD displays vulnerable to tempest?

> 	If the new regime comes to fruition, make sure you protect your First
> Amendment rights by asserting your Second Amendment Rights.

i'll second that.

jason


--
   "I stood up on my van. I yelled, `Excuse me, sir. Ain't nothing wrong
    with this country that a few plastic explosives won't cure!'"
              - Steve Taylor, I Blew Up the Clinic Real Good
`,`,`,`,`,`,`,`,`,`,`,`,`,`,`,`,`,` steiner@jupiter.cse.utoledo.edu `,`,`,`

Newsgroup: sci.crypt
Document_id: 15345
From: amolitor@nmsu.edu (Andrew Molitor)
Subject: Re: Once tapped, your code is no good any more.

al@escom.COM (Al Donaldson) writes:
>amolitor@nmsu.edu (Andrew Molitor) writes:
>>Yes, those evil guys in the FBI can probably, with some
>>effort, abuse the system. I got news for you, if the evil guys in
>>the FBI decide they want to persecute you, they're gonna, ...
>
>And if Richard Nixon had had this kind of toy, he wouldn't have had
>to send people into the Watergate.
>

	This appears to be generic calling upon the name of the anti-christ.
Just for the hell of it, let's destroy this remark. Let us imagine that
the executive branch actually could extract keys from the escrow houses
without anyone knowing, or telling. Now what? Dick has 80 bits of data.
What the hell's he gonna do with it?

	1) Trot around to the telco and say 'we'd like an unauthorised
decrypting tap'. Uh huh.
	2) Break in to watergate and install his own tap (so his people still
do have to break in, neat, huh?) record some noise, then get the Executive
Branch Phone Decryption Box (huh? they've got one? Goodness, wait 'til the
washington post gets hold of this) and decrypt the noise.
	3) More likely, stare at the key, and say 'Oh, hell it's not
worth all this bloody hassle'

	Truth is, even granted *lots* of covert power on the part of
the Executive Branch, this system is *more* difficult to tap with than
POTS gear. The fact that it is easier to tap than some hypothetical
system neither you nor I am going to place on our phones is neither
here nor there.

	The only rational concerns I am seeing raised are:

	a) is the key really just chopped in half, and not some XOR
arrangement? That is, has some egregious technical error been built
in to the plan?
	b) is this the first step toward strict regulation of strong
encryption?


>But that's not really the issue.  The real issue is whether this 
>will be used to justify a ban against individuals' use of private 
>(i.e., anything else) encryption methods.

	This is b), of course. I suspect not. If the government actually
wanted to make such regs, they'd just do it. A few hundred people on Usenet
yelling about it wouldn't even slow the machine down.

	Besides, who is this mysterious 'they' who's going to take away
all our rights the instant we let our guard down? Congress? That gang
of buffoons can't even balance their checkbooks. The FBI? But.. they
don't make the laws. The NSA? Ditto. The white house? Bill Clinton
is probably still looking for the bathroom. It's a big place, after all.

	Andrew

>
>Al

Newsgroup: sci.crypt
Document_id: 15346
From: uni@acs.bu.edu (Shaen Bernhardt)
Subject: Re: An Open Letter to Mr. Clinton

In article <C5oy0z.ILy@chinet.chi.il.us> schneier@chinet.chi.il.us (Bruce Schneier) writes:
>In article <strnlghtC5M2Cv.8Hx@netcom.com> strnlght@netcom.com (David Sternlight) writes:
>>
>>Here's a simple way to convert the Clipper proposal to an unexceptionable
>>one: Make it voluntary.
>>
>>That is--you get high quality secure NSA classified technology if you agree
>>to escrow your key. Otherwise you are on your own.
>>
>
>As long as "you are on your own" means that you can use your own encryption,
>I'm sold.
>
>Bruce

As am I.

If "high quality secure NSA classified technology" means handing my key
over to whomever, I'll take PGP any day.

Right now they are billing it as voluntary, i.e. bend over, here it comes.

As soon as enough Wiretap chip based units are out there, how much
easier do you think it will be to redefine "on your own" to mean
write it yourself and don't even THINK about distributing it...?

Get honest, no one is going to buy this trash if they KNOW it's compromised
already, and less will buy it if the algorithm is not disclosed.

The NSA knows that making this stuff available to the public means
handing it to whatever foreign powers are interested in the process.
Since when has export control stopped anyone (especially software wise)?

Ask yourself carefully if " high quality secure NSA classified technology "
is something they are going to hand out.  Not unless you can drive a
NSA van through the holes.

uni (Dark)

-- 
uni@acs.bu.edu  ->  Public Keys by finger and/or request
Public Key Archives at <pgp-public-keys@pgp.iastate.edu>
DF610670F2467B99  97DE2B5C3749148C  Sovereignty is the sign of a brutal past.
Cryptography is not a crime.  Fight the Big Brother Proposal!

Newsgroup: sci.crypt
Document_id: 15347
From: sphughes@sfsuvax1.sfsu.edu (Shaun P. Hughes)
Subject: Who should be hearing my views on Clipper ?


Being a browser of this group for some time,
  and being very concerned about the clipper chip proposal,
    I am hoping someone with more knowledge can help out.

Who would be the most influential people to write to, protesting 
the obvious next step hinted at by this proposal ?
 (Heads of what committees, etc.)

What are the major flaws in the plan ?
 (From a cryptological standpoint)


-- 
  Shaun P. Hughes                          "Facts are Stupid Things."
  sphughes@sfsuvax1.sfsu.edu                Ronald Reagan
                                            Republican National
  Finger for PGP 2.2 Public Key             Convention 1988

Newsgroup: sci.crypt
Document_id: 15348
From: hallam@dscomsa.desy.de (Phill Hallam-Baker)
Subject: Re: Once tapped, your code is no good any more.


In article <1993Apr18.022011.15502@ringer.cs.utsa.edu>, whughes@lonestar.utsa.edu (William W. Hughes) writes:

|>In article <1qpg8fINN982@dns1.NMSU.Edu> amolitor@nmsu.edu
|>(Andrew Molitor) writes:
|>>In article <tcmayC5M2xv.JEx@netcom.com>
|>>tcmay@netcom.com (Timothy C. May) writes:
|>>
|>>>-Tim May, whose sig block may get him busted in the New Regime
|>>                           ^^^^^^^^^^^^^^^^^^
|>>Isn't this just a little melodramatic?
|>
|>Not at all. Two weeks ago I registered a concern about some programming
|>that was being conducted by a student organisation here at the
|>University of Texas at San Antonio.  As a result, I was interrogated
|>by the campus police, who also attempted to create a positive-identification
|>file (photo, fingerprints, etc.). I refused to permit this, and filed a
|>complaint with the University administration.  The Vice-President for
|>Business Affairs (the 'boss' of the campus police) stated that he had no
|>interest in the legal/Constitutional implications of those actions.

In article <johnson.735025464@trwacs>, johnson@trwacs.fp.trw.com (Steve Johnson) writes:

|>  A remark I heard the other day is beginning to take on increasingly
|>frightening significance.  The comment was made that "In other parts
|>of the world the Democrats [note the big "D"] would be known as
|>Socialists" 

We might get further if we begin by accepting that the government 
really couldn't be bothered less about the political opinions of the 
right wing pro establishment types. Just about the only circumstances 
in which I could think that they would be interested in their political 
views would be to recruit them as spooks. They can be guaranteed to give
the government line when it counts. In US history it has been the 
socialists such as myself who have been persecuted. 


Now before people start asserting that there is no mechanism by which
the administration can get their new chip adopted without legal force
let's try thinking.

In the first place the clipper chip must have existed for several years as
a defense project. Therefore this is not a party matter at all. George Bush
was in any case hardly averse to tapping calls, he was chief spook 
remember.

Secondly the govt can quite easily apply pressure. They simply "ask" their
chums who they give huge defense contracts to (motorola etc) to be "nice"
boys. After all Bill is giving them a nice little trade monopoly since the
chips won't be available to foreign firms.

Thirdly the people who consider the Democrats to be socialist are not the
same as the ones who consider socialists to be communist. People might know
this if the US education system did not suffer from the McCarthyite and 
Dewey version of political correctness - the sort with tribunals and show 
trials. Ever seen Ed Meese pissed? I have, it was when he said that socialism
and communism were the same thing and brought the house down with laughter.
It took several minutes before we realised that he was serious.


Phill Hallam-Baker

Newsgroup: sci.crypt
Document_id: 15349
From: artmel@well.sf.ca.us (Arthur Melnick)
Subject: Big Brother (Clipper) chip


     There are some issues which come to mind when one considers
the law enforcement aspects of the use of the Big Brother
(Clipper) chip.
     The drug dealers and terrorists aren't going to let
themselves be caught by using this type of encryption.  In 1985
the New York Times reported that government investigators broke
up a narcotics ring that was operating highly sophisticated
equipment capable of allowing the leaders of the ring to
eavesdrop on the law-enforcement agents who were trying to arrest
them.
     A Mr. Deely, an NSA official, said "There are a lot of
medium-sized countries that would have been proud to have the
signals intelligence operation of this group."
     For every John Gotti there are probably many more people who
have the sophistication to know what the risks of unsecure
communications are.  The press given to the Big Brother chip will
only increase their numbers.
     Even if there is some benefit to law-enforcement through the
use of Big Brother, it must be weighed against the constitutional
and civil liberties questions involved.
     For example, in some areas of the world torture is used as
an investigative tool by the local "law-enforcement" people.  I
suspect it is an effective means of obtaining information and
shortening many investigations.  It probably also helps keep the
conviction rate high.
     The fact that the torture tool is not used in this country
(even with a court order obtained by showing "probable cause") is
because we have rightly balanced the questions of expediency and
what is ethically and morally right.
     I think that the same question of expediency versus morality
should come into play when considering the use of Big Brother.  I
vote for morality.
     I am quite disturbed by what I interpret as a veiled threat
to prohibit the use of all encryption if this Big Brother chip is
not put into widespread use.  After a quick reading of the White
House press release I came away with that impression.
     To most of the American public, the word "hacker" has
rightly or wrongly come to mean "high tech adolescent vandal".
It has struck me that most of the people posting to sci.crypt
regarding this issue are intelligent, thoughtful individuals who
have genuine concerns about the privacy and constitutional issues
surrounding Big Brother.  I hope that the use of Big Brother does
not become mandatory and other encryption become illegal.  I
would hate to see this become some kind of high tech Volstead
Act.
     The high speed digital communications revolution is coming
at us with the speed of an SST.  The times they are a changing,
and just as IBM is learning that they can't do business the same
way they have done it for the past 40 years, maybe NSA should
evaluate another approach.
     EFF, who have correctly questioned the cryptographic
strength of Big Brother, may need to send a stronger message out
regarding the constitutional issues involved.
     Al Gore may want to think this one through a little more.
     And as for Dorothy Elizabeth Robling Denning: what business is it
of yours, dear?

Newsgroup: sci.crypt
Document_id: 15350
From: C445585@mizzou1.missouri.edu (John Kelsey)
Subject: Clipper chip and key exchange methods

   I was wanting to ask the same question Dan Bernstein asked--how does the
Clipper chip exchange keys?  If the public key is only 80 or 160 bits long,
does anyone know of any public-key schemes that are secure with that key
size?  (Diffie-Hellman or maybe El Gamal, with p set to a constant value?)
   Presumably, the real scheme is something like:
 
   1.  Exchange/verify public keys.
   2.  Send encrypted (randomly-generated) session key.
   3.  Encrypt / Decrypt voice traffic with some sort of fast stream cipher.
 
   Can anyone elaborate on this, or show me what I'm missing here?
 
   --John Kelsey, c445585@mizzou1.missouri.edu

Newsgroup: sci.crypt
Document_id: 15351
From: rclark@nyx.cs.du.edu
Subject: Re: Is there ANY security in the Clipper?

zeev@ccc.amdahl.com (Ze'ev Wurman) writes:

>But do we really believe that the various governments
>(including ours) won't have the full lists of all the keys ever manufactured?

Yes, but they'll be encrypted with Cripple Chip encryption, the
encryption algorithm so great it's TOP SECRET and so unbreakable
they WON'T EVEN LET YOU LOOK AT IT!

Doesn't that make you feel SECURE?
----
Robert W. Clark             Just Say No! to the
rclark@nyx.cs.du.edu        Big Brother Chip  

Newsgroup: sci.crypt
Document_id: 15352
From: jyork@iastate.edu (Justin York)
Subject: Clipper Chip - How would it work?


With all the talk about this Clipper chip, I have developed one question...

			HOW DOES IT WORK???

If you use this, then how does it get decrypted on the other end? Does the
other party (receiving the phone call/mail/etc) have to know some code to 
undo it? Do I use a different method for calling one party than I would for 
another? If the other party can decrypt it, doesn't that mean that someone
else could also? I assume that if everyone has a different key, the only use
would be storing secure data for later retrieval by the same key. This seems
like a fundamental question to me, but I have very little experience with
cryptosystems, other than DES. If someone could give me an explanation as
to how it would be used (remember that I have had little experience with
this sort of thing) it would be very much appreciated. 

					Justin York
					jyork@iastate.edu

Newsgroup: sci.crypt
Document_id: 15353
From: rogue@ccs.northeastern.edu (Free Radical)
Subject: Re: Once tapped, your code is no good any more.

In article <Apr18.194927.17048@yuma.ACNS.ColoState.EDU>
holland@CS.ColoState.EDU (douglas craig holland) writes: 
[...]
>	With E-Mail, if they can't break your PGP encryption, they'll just
>call up one of their TEMPEST trucks and read the electromagnetic emissions
>from your computer or terminal.  Note that measures to protect yourself from
>TEMPEST surveillance are still classified, as far as I know.

I don't know about classified, but I do seem to remember that unless
you're authorized by the Govt, it's illegal to TEMPEST-shield your
equipment.  Besides, effective TEMPEST-shielding is much more
difficult than you might think (hi Jim!).

	RA

rogue@cs.neu.edu (Rogue Agent/SoD!)
-----------------------------------
The NSA is now funding research not only in cryptography, but in all areas
of advanced mathematics. If you'd like a circular describing these new
research opportunities, just pick up your phone, call your mother, and
ask for one.

Newsgroup: sci.crypt
Document_id: 15354
From: prz@sage.cgd.ucar.edu (Philip Zimmermann)
Subject: Fighting the Clipper Initiative

Here are some ideas for those of you who want to oppose the White
House Clipper chip crypto initiative.  I think this is going to be a
tough measure to fight, since the Government has invested a lot of
resources in developing this high-profile initiative.  They are
serious about it now.  It won't be as easy as it was defeating Senate
Bill 266 in 1991.

Possible actions to take in response:

1)  Mobilize your friends to do all the things on this list, and
more.

2)  Work the Press.  Talk with your local newspaper's science and
technology reporter.  Write to your favorite trade rags.  Better yet,
write some articles yourself for your favorite magazines or
newspapers.  Explain why the Clipper chip initiative is a bad idea. 
Remember to tailor it to your audience.  The general public may be
slow to grasp why it's a bad idea, since it seems so technical and
arcane and innocent sounding.  Try not to come across as a flaming
libertarian paranoid extremist, even if you are one. 

3)  Lobby Congress.  Write letters and make phone calls to your
Member of Congress in your own district, as well as your two US
Senators.  Many Members of Congress have aides that advise them of
technology issues.  Talk to those aides.

4)  Involve your local political parties.  The Libertarian party
would certainly be interested.  There are also libertarian wings of
the Democrat and Republican parties.  The right to privacy has a
surprisingly broad appeal, spanning all parts of the political
spectrum.  We have many natural allies.  The ACLU.  The NRA.  Other
activist groups that may someday find themselves facing a government
that can suppress them much more efficiently if these trends play
themselves out.  But you must articulate our arguments well if you
want to draw in people who are not familiar with these issues.

5)  Contribute money to the Electronic Frontier Foundation (EFF) and
Computer Professionals for Social Responsibility (CPSR), assuming
these groups will fight this initiative.  They need money for legal
expenses and lobbying.

6)  Mobilize opposition in industry.  Companies that will presumably
develop products that will incorporate the Clipper chip should be
lobbied against it, from within and from without.  If you work for a
telecommunications equipment vendor, first enlist the aid of your
coworkers and fellow engineers against this initiative, and then
present your company's management with a united front of engineering
talent against this initiative.  Write persuasive memos to your
management, with your name and your colleagues' names on it.  Hold
meetings on it.

7)  Publicize, deploy and entrench as much guerrilla
techno-monkeywrenching apparatus as you can.  That means PGP,
anonymous mail forwarding systems based on PGP, PGP key servers,
etc.  The widespread availability of this kind of technology might
also be used as an argument that it can't be effectively suppressed
by Government action.  I will also be working to develop new useful
tools for these purposes. 

8)  Be prepared to engage in an impending public policy debate on
this topic.  We don't know yet how tough this fight will be, so we
may have to compromise to get most of what we want.  If we can't
outright defeat it, we may have to live with a modified version of
this Clipper chip plan in the end.  So we'd better be prepared to
analyze the Government's plan, and articulate how we want it
modified.


-Philip Zimmermann



Newsgroup: sci.crypt
Document_id: 15355
From: mcbeeb@atlantis.CSOS.ORST.EDU (Brian Mcbee)
Subject: How can clipper stay classified?

Maybe I don't know enough to know what I am asking, but with millions
of these things about, how could the algorithm possibly stay secret?
Couldn't some clever hackers just grind the thing down layer by layer,
and see how it worked?

-- 
----
Brian McBee    mcbeeb@atlantis.cs.orst.edu   Finger me for PGP 2.1 key

Newsgroup: sci.crypt
Document_id: 15356
From: johnl@iecc.cambridge.ma.us (John R. Levine)
Subject: Why the clipper algorithm is secret

>The cryptographic protocol, though, is another matter.  I see no valid
>reasons for keeping it secret, and -- as I hope I've shown above -- there
>are a lot of ways to do things that aren't (quite) as bad.

It just occurred to me why the algorithm is secret.  If it were
published, one could then build physically identical clone versions
of the chip that would interoperate with official Clipper chips.  But
the cloner wouldn't provide the keys to the escrow houses.  Hmmn.

Or is there a technical hack that I've missed?  E.g. how about if the
chips were made unprogrammed but serialized, and then shipped to the
two escrow houses who programmed in their halves of the keys, but
in a way that requires that secret keys known only to the escrow houses
be installed as well, without which clone versions wouldn't
interoperate?  This is getting awfully complicated, but that's
crypto for you.

-- 
John R. Levine, IECC, POB 349, Cambridge MA 02238, +1 617 492 3869
johnl@iecc.cambridge.ma.us, {ima|spdcc|world}!iecc!johnl
"Time is Money!  Steal some today!"

Newsgroup: sci.crypt
Document_id: 15357
From: rjc@hal.gnu.ai.mit.edu (Ray)
Subject: Re: Once tapped, your code is no good any more.

In article <C5pGFu.IA4@dscomsa.desy.de> hallam@zeus02.desy.de writes:
>views would be to recruit them as spooks. They can be guaranteed to give
>the government line when it counts. In US history it has been the 
>socialists such as myself who have been persecuted. 

  And in Russia, capitalists were persecuted for trading goods on the
black market. And in the US, capitalist minded types are imprisoned and killed
for things such as selling drugs, guns, pornography, and other victimless
activities.  It doesn't matter whether you are socialist or capitalist,
power and control are central to government. Since citizens can't be trusted to
run their own affairs, the government must watch them.  (for their
own good of course. I mean, with strong cryptography, citizens might <gasp!>
start to hide things from the IRS, sell drugs/guns/pornography, and
that cannot be allowed!)

>trials. Ever seen Ed Meese pissed? I have, it was when he said that socialism
>and communism were the same thing and brought the house down with laughter.
>It took several minutes before we realised that he was serious.

  Not very surprising to anyone who believes in "hands off" government. If
you believe that your private life (both social and financial) are none of
anyone else's business, the difference between socialism and communism is
like the difference between murder by lethal injection or by
chainsaw. The more centralized the economy is, the more potential
abuses for accumulation of information on individuals. If you think
credit companies are bad, ...  Well, I'm sure a democratic socialist society
would vote for absolute privacy of all citizens -- NOT!

Newsgroup: sci.crypt
Document_id: 15358
From: Marc VanHeyningen <mvanheyn@cs.indiana.edu>
Subject: Re: Clipper chip -- technical details

Thus said djb@silverton.berkeley.edu (D. J. Bernstein):
>Short summary of what Bellovin says Hellman says the NSA says: There is
>a global key G, plus one key U_C for each chip C. The user can choose a
>new session key K_P for each phone call P he makes. Chip C knows three
>keys: G, its own U_C, and the user's K_P. The government as a whole
>knows G and every U_C. Apparently a message M is encrypted as
>E_G(E_{U_C}(K_P),C) , E_{K_P}(M). That's it.
>
>The system as described here can't possibly work. What happens when
>someone plugs the above ciphertext into a receiving chip? To get M
>the receiving chip needs K_P; to get K_P the receiving chip needs U_C.
>The only information it can work with is C. If U_C can be computed
>from C then the system is cryptographically useless and the ``key
>escrow'' is bullshit. Otherwise how is a message decrypted?

Given the description of the algorithm given, the only plausible
explanation I can find is that K_P must be agreed to out of bandwidth
in advance by the two parties; i.e. it's a standard shared symmetric
key.
--
Marc VanHeyningen   mvanheyn@cs.indiana.edu   MIME & RIPEM accepted
Security through Diversion: n. Theory which states that the public
availability of good computer games is vital to maintaining system
safety.  Contrast Security through Obscurity.
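
Bernstein's summary above, E_G(E_{U_C}(K_P), C) together with E_{K_P}(M), and VanHeyningen's reading that K_P must be shared out of band, can both be made concrete in code. The following is an added example, not code from either post or from the Clipper design itself: it models the three key roles (G, U_C, K_P) with a SHA-256-derived XOR keystream as a stand-in for the unpublished chip cipher, uses a 4-byte chip identifier C and a 10-byte (80-bit) K_P as constructed values, and shows that a holder of G plus the escrow table of every U_C recovers M from the ciphertext alone, while a receiving chip that only knows G and its own U_{C'} can read the sender's C but gets no further unless K_P was agreed beforehand.

```python
import hashlib

CHIP_ID_LEN = 4   # constructed: width of the chip identifier C in the escrow field


def keystream(key: bytes, label: bytes, n: int) -> bytes:
    """Toy PRF: SHA-256 in counter mode, standing in for the classified algorithm."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + label + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def E(key: bytes, data: bytes) -> bytes:
    """E_key(data) as a keystream XOR. XOR is its own inverse, so D is the same function."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, b"toy-cipher", len(data))))


D = E


def encrypt_call(G: bytes, U_C: bytes, chip_id: int, K_P: bytes, message: bytes):
    """What chip C emits: the escrow field E_G(E_{U_C}(K_P), C) and the traffic E_{K_P}(M)."""
    C = chip_id.to_bytes(CHIP_ID_LEN, "big")
    escrow_field = E(G, E(U_C, K_P) + C)
    traffic = E(K_P, message)
    return escrow_field, traffic


def government_decrypt(G: bytes, escrow_db: dict, escrow_field: bytes, traffic: bytes) -> bytes:
    """Holder of G and of every U_C (the escrow table): peel G, read C, look up U_C, unwrap K_P."""
    inner = D(G, escrow_field)
    wrapped_kp, C = inner[:-CHIP_ID_LEN], inner[-CHIP_ID_LEN:]
    U_C = escrow_db[int.from_bytes(C, "big")]
    K_P = D(U_C, wrapped_kp)
    return D(K_P, traffic)


def receiver_decrypt(G: bytes, own_chip_id: int, own_U: bytes,
                     escrow_field: bytes, traffic: bytes, shared_K_P: bytes = None):
    """A receiving chip knows G and its own U, but not the sender's U_C.
    Returns (sender chip id, recovered message or None)."""
    inner = D(G, escrow_field)
    wrapped_kp, C = inner[:-CHIP_ID_LEN], inner[-CHIP_ID_LEN:]
    sender_id = int.from_bytes(C, "big")
    if sender_id == own_chip_id:
        K_P = D(own_U, wrapped_kp)          # only possible for traffic wrapped under its own U
    elif shared_K_P is not None:
        K_P = shared_K_P                    # VanHeyningen's reading: K_P agreed out of band
    else:
        return sender_id, None              # C alone yields nothing; U_C is not derivable from C
    return sender_id, D(K_P, traffic)


if __name__ == "__main__":
    G = b"global-key-G"                                     # constructed
    escrow_db = {1001: b"unit-key-1001", 2002: b"unit-key-2002"}  # constructed U_C table
    K_P = b"\x01" * 10                                     # constructed 80-bit session key
    leaf, body = encrypt_call(G, escrow_db[1001], 1001, K_P, b"hello from chip 1001")
    print(government_decrypt(G, escrow_db, leaf, body))
    print(receiver_decrypt(G, 2002, escrow_db[2002], leaf, body))
    print(receiver_decrypt(G, 2002, escrow_db[2002], leaf, body, shared_K_P=K_P))
```

The model makes Bernstein's objection visible: the only party for whom the escrow field is useful is the one holding the full U_C table, and a receiving chip decrypts the traffic only when K_P arrived by some other channel the summary does not describe.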

Newsgroup: sci.crypt
Document_id: 15359
From: amolitor@moink.nmsu.edu (Andrew Molitor)
Subject: What the clipper nay-sayers sound like to me.

	The following is available in some FTP archive somewhere, I insert
my comments liberally throughout this demonic memo of Big Brotherdom:

>	White House Announcement on Screw Thread Standards
>	--------------------------------------------------
>
>	This is to announce that the American National Standards
>Institute (or whatever it is) has been given the authority to define
>standard dimensions for screw threads.

   Look! This is clearly the first step toward outlawing our
   own screw thread specifications. If this madness isn't fought,
   tooth and nail, every step of the way, it'll be a crime to use
   screw threads other than those our Fearless Leaders so *graciously*
   define for us.

>	The purpose of this is to permit industry to draw upon a standard
>pool of specifications and designations, to ensure interoperability of
>various threaded objects across vendors.

   Rubbish, I say! ANSI standard screw threads will have subtle weaknesses,
   allowing their agents to disassemble our automobiles more easily,
   causing our mufflers to fall off at inopportune moments.

>	Questions and Answers on the ANSI screw thread standards
>	--------------------------------------------------------
>
>Q: Will the screw threads defined by ANSI be as good as other screw thread
>designs available elsewhere?
>
>A: Yes.

	Hah! "trust us"

>Q: Will I be able to use my own screw threads if I desire?
>
>A: Of course, but this will make your threaded objects unlikely to
>interoperate correctly with others within the industry.

	See??! See? This is the first step.

	It is clear we must band together, write your congressman!
Use Pretty Good Screw Threads, not this devil-inspired ANSI trash.
Protect your constitutional right to use whatever screw thread you
desire. Guerrilla Screw Thread Activism must become the order of the
day. Boycott GM, and build your own car, using screws from STZ
Screw Thread Associates.

	Screw you, Bill Clinton! You and your totalitarianist thugs!

------------------------------------------------------------------------
amolitor@nmsu.edu | finger for PGST personal screw thread pitch, or
Screw Threads     |  see the screw thread servers.
must be freed!    |
------------------------------------------------------------------------

Newsgroup: sci.crypt
Document_id: 15360
From: howland@noc.arc.nasa.gov (Curt Howland)
Subject: Re: White House Wiretap Chip Disinformation Sheet



|>    The Attorney General will procure and utilize encryption devices to
|>    the extent needed to preserve the government's ability to conduct
|>    lawful electronic surveillance and to fulfill the need for secure
|>    law enforcement communications.  Further, the Attorney General
|>    shall utilize funds from the Department of Justice Asset Forfeiture
|>    Super Surplus Fund to effect this purchase.

This is the one part that really scares me. Without
the keys, it can likely be determined if a person
is using the "State Approved" encryption method,
and if not then that person's life is forfeit, and
the profits go to making more busts, and more
profit.

"Power corrupts. Absolute power corrupts absolutely."
Human nature has not changed very much in only a few
hundred years....

---
Curt Howland        howland@nsipo.nasa.gov 
NSI Operations Center      NASA Ames
(800) 424-9920

Newsgroup: sci.crypt
Document_id: 15361
From: ns111310@LANCE.ColoState.Edu (Nathaniel Sammons)
Subject: Re: What the clipper nay-sayers sound like to me.

[... a bunch of well-meaning (maybe) cynical text about screw-thread
	sizes, the rights of people to have their own standards,
	and the non-right of the gov. to regulate screw-threads...]

Well, as funny as your little comment may seem, it has very little to
do with your personal privacy as a citizen, and about the government
being able to look at everything you have ever typed into a computer
at one point or another.

This "Clipper Chip" stuff is the seeds for nightmares to make the 
Nightmare on Elm Street cheese-on-celluloid movies look like episodes
of Mr. Roger's Neighborhood.

IF the gov establishes a cryptography standard that has to be used by
everyone, and everyone's personal key is divided into two segments
and stored at two separate, albeit easy to find places, and that key is
only 80 bits to begin with, we are screwed (pardon the allusion to the
aforementioned article)!

The gov, I believe, as do many others, probably already has the cracking chips
for this Clipper Chip made.  Hell, they probably based the encoder on the
chip that cracks it, that way it's easier to break the code, but since it is a
classified algorithm, no one knows that they can crack it so easily.

I, for one, am quite scared of this kind of thing, and plan to support
organizations (and even disorganizations) who are fighting against this
Clipper Chip in any way that I can.

I do not want the government to be able to have access, even with a search
warrant, to my keys... and I don't want those keys to be only 80 bits long
to begin with!

-nate sammons

o---------------------------+======================================o
| "I hate quotations.       |     This message brought you by      |
|   Tell me what you know." |   Nate Sammons, and the number 42.   |
|    --Ralph Waldo Emerson  |  ns111310@longs.lance.colostate.edu  |
o---------------------------+======================================o

Newsgroup: sci.crypt
Document_id: 15362
From: jed@pollux.usc.edu (Jonathan DeMarrais)
Subject: Crypto Conference

I need to know the following information about the upcoming
Crypto Conference; The address to submit articles, and the
number of copies needed.  Thanks,
				Jonathan DeMarrais 
				jed@pollux.usc.edu

-- 
--- Jay      jed@pollux.usc.edu          (University of Southern California)

What a depressingly stupid machine.
                                     Marvin

Newsgroup: sci.crypt
Document_id: 15363
From: pgf@srl03.cacs.usl.edu (Phil G. Fraering)
Subject: Re: Once tapped, your code is no good any more.

strnlght@netcom.com (David Sternlight) writes:

>What follows is my opinion. It is not asserted to be "the truth" so no
>flames, please.  It comes out of a background of 20 years as a senior
>corporate staff executive in two Fortune 50 companies.

>I'd be happy to use a crypto system supplied by the NSA for business, if
>they told me it was more secure than DES, and in particular resistant to
>attempts by Japanese, French, and other competitive companies and
>governments to break.

>I'd be happy to do so even with escrowed keys, provided I was happy about
>the bona fides of the escrow agencies (the Federal Reserve would certainly
>satisfy me, as would something set up by one of the big 8 accounting firms).

>I'd trust the NSA or the President if they stated there were no trap
>doors--I'd be even happier if a committee of independent experts examined
>the thing under seal of secrecy and reported back that it was secure.

>I'd trust something from the NSA long before I'd trust something from some
>Swiss or anybody Japanese.

A lot of us out here in the hinterland will trust the Japanese
before we'll trust the NSA, the President, or those stupid
Fortune 50 companies you're so proud of.

>This may seem surprising to some here, but I suggest most corporations would
>feel the same way. Most/many/some (pick one) corporations have an attitude
>that the NSA is part of our government and "we support our government", as
>one very famous CEO put it to me one day.

>Just some perspective from another point of view.

And since the Japanese corps aren't part of our "government/governors"
they may be more trusted out there than you are.


People are getting tired of this "be patriotic, do whatever we say
without question, and pay more taxes" attitude that comes from
America's political party...
or should that be caste?

>-- 
>David Sternlight         Great care has been taken to ensure the accuracy of
>                         our information, errors and omissions excepted.  


--
Phil Fraering         |"Seems like every day we find out all sorts of stuff.
pgf@srl02.cacs.usl.edu|Like how the ancient Mayans had television." Repo Man



Newsgroup: sci.crypt
Document_id: 15364
From: pgf@srl03.cacs.usl.edu (Phil G. Fraering)
Subject: Re: Once tapped, your code is no good any more.

holland@CS.ColoState.EDU (douglas craig holland) writes:


>	With E-Mail, if they can't break your PGP encryption, they'll just
>call up one of their TEMPEST trucks and read the electromagnetic emissions
>from your computer or terminal.  Note that measures to protect yourself from
>TEMPEST surveillance are still classified, as far as I know.

1. I don't think they are classified.

2. I could independently invent about half a dozen right off
the top of my head. If I had studied Advanced E & M a little better,
I could probably come up with a _very_ good system.

...
>	If the new regime comes to fruition, make sure you protect your First
>Amendment rights by asserting your Second Amendment Rights.

>						Doug Holland

--
Phil Fraering         |"Seems like every day we find out all sorts of stuff.
pgf@srl02.cacs.usl.edu|Like how the ancient Mayans had television." Repo Man



Newsgroup: sci.crypt
Document_id: 15365
From: mkagalen@lynx.dac.northeastern.edu (michael kagalenko)
Subject: Some thoughts on Clipper proposal 


I envision incorporation of new standard into
various communication systems, thus making it prevalent on the market & 
therefore cheap. The way to do that may be detaching crypto chip from 
communication equipment. It seems logical to provide Clipper chip 
to the end-user not as a part of phone, fax, modem & like but in the
form of smart-card compatible with various telecomm. products. Banks 
will encourage extensive use of new cards to make transactions by phone.
Natural step will be to cross-reference this card to the person in the 
government databases - or else this new version of "wiretap proposal" 
makes no sense at all; one wishes to eavesdrop (spell.) on the particular
person, not on the particular modem or phone.
 
As a side note, I disagree with one poster, who said he won't care about
ability of the government to eavesdrop, since they can do that now 
anyway. Clipper will take away electronic surveillance from citizens,
making it a monopoly of the government. Maybe we can find examples when
interceptions made by (unauthorised) people uncovered crimes of 
state officials ?


-- 
--------------------------------------------------------------------------------
      For PGP2.1 public key finger mkagalen@lynx.dac.northeastern.edu
--------------------------------------------------------------------------------

Newsgroup: sci.crypt
Document_id: 15366
From: tribe831@snake.cs.uidaho.edu (Mr. Duane Tribe; Esq.)
Subject: Underground encryption (was Re: text of White House announcement ...)

In article <1qmugcINNpu9@gap.caltech.edu> hal@cco.caltech.edu (Hal Finney) writes:
>It looks like the worst nightmares raised by Dorothy Denning's proposals
>are coming true.  If the government continues on this course, I imagine
>that we will see strong cryptography made illegal.  Encryption programs
>for disk files and email, as well as software to allow for encrypted
>voice communications, will be distributed only through the
>"underground".  People will have to learn how to hide the fact that
>they are protecting their privacy.

Some thoughts:

Has any work been done on encapsulating encrypted data inside "non-encrypted"
data files?  Many file formats can be written with "gaps" in them to hide
other data.  New file formats could be designed to have alternate data hidden
by dispersing it amongst the "legitimate" data.  The hidden data would only
show up with the right key(s), and a file with hidden data would be
indistinguishable from one without.  So, only the correct key(s) would reveal
the presence of an "illegal" document.

If I devise a custom file compression algorithm and only I and a friend have
the uncompressor, and otherwise the file appears to be total gibberish, do I
have the right to transmit the file?  Will we have to "escrow" all our data
file formats?  Are gangs required to escrow their hand signals, colors and
catch phrases?

I think that it's important to evaluate the content of electronic speech by
replacing the media with pen and paper or verbal speech and then re-ask the
question.

Newsgroup: sci.crypt
Document_id: 15367
From: "Douglas Johnson" <p00450@psilink.com>
Subject: Unix crypt for DOS

I've recently moved from Unix to a DOS box and have a number of files 
that I used crypt to "protect".  Does anyone know of a DOS version of 
crypt?  I've found one, but it insists on six letter keys and I used 
some shorter ones.  Thanks for your help.  -- Doug

Newsgroup: sci.crypt
Document_id: 15368
From: ignatz@chinet.chi.il.us (Dave Ihnat)
Subject: Re: Once tapped, your code is no good any more.

In article <1qpg8fINN982@dns1.NMSU.Edu> amolitor@nmsu.edu (Andrew Molitor) writes:
>	Not to pick on Mr. May in particular, of course, but isn't this
>kind of the domino theory? When one little country falls, its neighbor
>will surely follow, and before you know it, we're all mining salt
>in Siberia for not turning in our Captain Crunch Secret Decoder Rings.

But, for all the wrongness of our attempt to correct it (VietNam, et al.),
the domino theory wasn't disproved at all.

Newsgroup: sci.crypt
Document_id: 15369
From: <U23590@uicvm.uic.edu>
Subject: Re: Clipper -- some new thoughts

The cryptographic algorithm MUST be kept secret, or
private individuals could make ClipperClones with
which they could transmit messages which the feds would not have
ready access to.  This is clearly unacceptable.

I hope somebody starts doing this soon after the first
ones are released...

Newsgroup: sci.crypt
Document_id: 15370
From: wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705)
Subject: Re: Once tapped, your code is no good any more.

In article <1993Apr17.061326.16130@clarinet.com> brad@clarinet.com (Brad Templeton) writes:
   Once it hits land you can record it if you have telco access.  The
   telco isn't supposed to give that without a warrant.  That's the rule today.

   But even so, the evidence would not be admissible, I think, unless the
   judge so ordered.  I think that even interception of the crypttext
   without a warrant would be illegal.   Cops can't record today's plain
   cellular calls and then ask a judge, "Hey, can we have permission to
   listen to those tapes?" can they?

How long do you think it will be before it becomes legal for the
police to record encrypted conversations "It's not violating your
privacy because we can't read the encryption without a warrant", with the usual
good-faith exception if they accidentally record a non-encrypted conversation.

Besides, it's covered by the Drug Exception to the Fourth Amendment...
--
#				Pray for peace;      Bill
# Bill Stewart 1-908-949-0705 wcs@anchor.att.com AT&T Bell Labs 4M312 Holmdel NJ
#	              No, I'm *from* New Jersey, I only *work* in cyberspace....
# White House Comment Line 1-202-456-1111  fax 1-202-456-2461

Newsgroup: sci.crypt
Document_id: 15371
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

In article <Apr18.204843.50316@yuma.ACNS.ColoState.EDU>
holland@CS.ColoState.EDU (douglas craig holland) writes:


>	Let me ask you this.  Would you trust Richard Nixon with your
>crypto keys?  I wouldn't.

I take it you mean President Nixon, not private citizen Nixon. Sure.
Nothing I'm doing would be of the slightest interest to President Nixon .

David


-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
Document_id: 15372
From: karn@unix.ka9q.ampr.org (Phil Karn)
Subject: Re: White House Wiretap Chip Disinformation Sheet

In article <WCS.93Apr17034914@rainier.ATT.COM>, wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705) writes:
|>    The Attorney General will procure and utilize encryption devices to
|>    the extent needed to preserve the government's ability to conduct
|>    lawful electronic surveillance and to fulfill the need for secure
|>    law enforcement communications.  Further, the Attorney General
|>    shall utilize funds from the Department of Justice Asset Forfeiture
|>    Super Surplus Fund to effect this purchase.

This is a very curious thing to say. STU-IIIs (NSA-designed secure
telephones cleared for classified traffic) are already readily
available to law enforcement agencies. Word has it they're standard in
every FBI office, for example.  Something like several hundred
thousand of these phones exist in all. They are clearly the US government
standard.

So why does the DoJ need to buy new phones that, unlike STU-IIIs, will
not be certified for classified traffic, and in all likelihood will
not be compatible with existing STU-IIIs?

Unless, of course, they're gearing up for large scale decryption of
civilian Clipper users, and they need compatible hardware...

Phil


Newsgroup: sci.crypt
Document_id: 15373
From: strnlght@netcom.com (David Sternlight)
Subject: Re: WH proposal from Police point of view


dwight tuinstra posts a very interesting message in which he comments on the
effects of the Clipper chip on state and local police. Actually, reading
between the lines, it could be a very good thing for civil liberties in one
respect, since it will at least prevent cowboy cops and cowboy state and
local agencies from reading your traffic if they tap it illegally.

There has been extensive discussion in the eff forum, for example, about
inadmissible taps being used to develop information that could then lead to
admissible evidence.  This might put a stop to such things, which must from
time to time be simple fishing expeditions.

David
-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
Document_id: 15374
From: hal@cco.caltech.edu (Hal Finney)
Subject: Re: Clipper chip -- technical details

djb@silverton.berkeley.edu (D. J. Bernstein) writes:

>[Summary elided]
>The system as described here can't possibly work. What happens when
>someone plugs the above ciphertext into a receiving chip? To get M
>the receiving chip needs K_P; to get K_P the receiving chip needs U_C.
>The only information it can work with is C. If U_C can be computed
>from C then the system is cryptographically useless and the ``key
>escrow'' is bullshit. Otherwise how is a message decrypted?

The description of the chip's operation evidently leaves out some of the
key management aspects.  Either the K_P is the secret key corresponding
to a public key which is broadcast at message initiation, or it is the
result of a Diffie-Hellman key exchange or something similar.  Either
way there must be some protocols beyond those described here.  It isn't
clear whether they are implemented in the Clipper wiretap chip or must
be provided by other system components.

Hal Finney

Newsgroup: sci.crypt
Document_id: 15375
From: smb@research.att.com (Steven Bellovin)
Subject: Re: Clipper chip -- technical details

In article <1667.Apr1821.58.3593@silverton.berkeley.edu>, djb@silverton.berkeley.edu (D. J. Bernstein) writes:
> Short summary of what Bellovin says Hellman says the NSA says: There is
> a global key G, plus one key U_C for each chip C. The user can choose a
> new session key K_P for each phone call P he makes. Chip C knows three
> keys: G, its own U_C, and the user's K_P. The government as a whole
> knows G and every U_C. Apparently a message M is encrypted as
> E_G(E_{U_C}(K_P),C) , E_{K_P}(M). That's it.
> 
> The system as described here can't possibly work. What happens when
> someone plugs the above ciphertext into a receiving chip? To get M
> the receiving chip needs K_P; to get K_P the receiving chip needs U_C.
> The only information it can work with is C. If U_C can be computed
> from C then the system is cryptographically useless and the ``key
> escrow'' is bullshit. Otherwise how is a message decrypted?

Via K_P, of course.  Nothing was said about where K_P comes from.  It's
the session key, though, and it's chosen however you usually choose
session keys --- exponential key exchange, shared secret, RSA, etc.
But however you choose it, the chip will apparently emit the escrow
header when you do.
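
The construction Bernstein summarises and Bellovin answers, as an added model that is not from either poster and not a description of the real chip: AES-256-GCM stands in for the unpublished Clipper cipher, the chip id C is a 32-bit integer appended to the inner ciphertext before the outer encryption under G, and the names Transmission, chipSend, chipReceive and escrowRecover are this example's own. The point it makes concrete is Bellovin's: the receiving chip never touches the header, it decrypts with a K_P it obtained through its own key exchange, while the escrow side needs G and the matching U_C.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// Transmission is the pair Bernstein writes as E_G(E_{U_C}(K_P), C) , E_{K_P}(M):
// Header carries the escrow information, Body carries the encrypted traffic.
type Transmission struct {
	Header []byte
	Body   []byte
}

// gcm builds an AES-256-GCM instance for key. AES-GCM is an assumption of this
// model; the actual Clipper cipher is unpublished.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce||ciphertext||tag under a fresh random nonce.
func seal(key, plaintext []byte) []byte {
	aead, err := gcm(key)
	if err != nil {
		panic(err)
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return aead.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; it fails on the wrong key or on a tampered message.
func open(key, sealed []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed data too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// randomKey returns a fresh 256-bit key; G, U_C and K_P are all modelled this way.
func randomKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// chipSend is chip C on a call. K_P is already inside the chip, obtained from
// whatever key exchange the system uses; the chip emits the escrow header
// alongside the traffic it encrypts under K_P.
func chipSend(chipID uint32, unitKey, sessionKey, globalKey, message []byte) Transmission {
	id := make([]byte, 4)
	binary.BigEndian.PutUint32(id, chipID)
	inner := seal(unitKey, sessionKey)              // E_{U_C}(K_P)
	header := seal(globalKey, append(inner, id...)) // E_G(E_{U_C}(K_P), C)
	return Transmission{Header: header, Body: seal(sessionKey, message)}
}

// chipReceive is the receiving chip. It takes nothing from the header: it
// decrypts with the K_P it got from the same key exchange as the sender.
func chipReceive(sessionKey []byte, t Transmission) ([]byte, error) {
	return open(sessionKey, t.Body)
}

// escrowRecover is "the government as a whole": with G and the table of unit
// keys indexed by chip id, it recovers K_P from the header and then M.
func escrowRecover(globalKey []byte, unitKeys map[uint32][]byte, t Transmission) ([]byte, error) {
	outer, err := open(globalKey, t.Header)
	if err != nil {
		return nil, err
	}
	if len(outer) < 4 {
		return nil, errors.New("malformed escrow header")
	}
	chipID := binary.BigEndian.Uint32(outer[len(outer)-4:])
	unitKey, ok := unitKeys[chipID]
	if !ok {
		return nil, errors.New("no escrowed unit key for this chip")
	}
	sessionKey, err := open(unitKey, outer[:len(outer)-4])
	if err != nil {
		return nil, err
	}
	return open(sessionKey, t.Body)
}
```

Three parties, three outcomes: a chip holding K_P reads the body and ignores the header; an escrow holder with G and the unit-key table walks the header down to K_P; a holder of G alone learns only which chip sent the call. How K_P gets into both chips is exactly the part Bernstein says the published description leaves out.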

Newsgroup: sci.crypt
Document_id: 15376
From: C445585@mizzou1.missouri.edu (John Kelsey)
Subject: Corporate acceptance of the wiretap chip

 
strnlght@netcom.com (David Sternlight) writes:
>
>>What follows is my opinion. It is not asserted to be "the truth" so no
>>flames, please.  It comes out of a background of 20 years as a senior
>>corporate staff executive in two Fortune 50 companies.
>
>>I'd be happy to use a crypto system supplied by the NSA for business, if
>>they told me it was more secure than DES, and in particular resistant to
>>attempts by Japanese, French, and other competitive companies and
>>governments to break.
>
>>I'd be happy to do so even with escrowed keys, provided I was happy about
>>the bona fides of the escrow agencies (the Federal Reserve would certainly
>>satisfy me, as would something set up by one of the big 8 accounting firms).
 
   I don't doubt that this will be the attitude of many corporate leaders.
It's understandable--most corporate execs don't know much about cryptology,
and it's easy to get taken in by someone peddling snake oil.  And, the
proposed scheme *is* a major improvement in telephone security over what
exists now.
 
   The problem is that, with any security scheme of this kind, you have to
concern yourself with the weakest link in the chain.  I suspect that NSA
has put a fairly strong encryption algorithm in this wiretap chip of theirs,
probably at least as strong as (say) DES in OFB-mode.  Unfortunately, the
existence of the key-registry system seems to make possible all kinds of
possible attacks at a small fraction of the expense of trying to build (say)
a DES keysearch machine.
 
   As originally described, it sounded like any police / court combination
could acquire the key for a given chip.  I hope that's not the case, since
it would imply a glaring hole.  (How much does it cost to find *one* crooked
judge and *one* crooked cop?  Especially for a foreign intelligence agency
or organized crime boss?)  However, even if more intelligent schemes are used
to allow access to the unencrypted phone conversations, there will be weak-
nesses.  They may be very expensive, and very difficult.  But who would
trust his/her confidential information to an encryption scheme that, for
(say) $100,000 could be cracked one time in a hundred?  (DES, for all the
complaints about a 56-bit key, would probably cost several million dollars
to build a keysearch machine for.)
 
   How many million dollars would the confidential phone messages of
the GM headquarters be worth to Nissan, Chrysler, or Audi?  How about
home phones of major execs and important engineers and designers?
"Gee, Mr Jones, I understand you've had some financial problems lately.
Maybe I can help..."
 
>>I'd trust something from the NSA long before I'd trust something from some
>>Swiss or anybody Japanese.
 
   Indeed, if NSA really designed the algorithm to be secure, it's very likely
as secure as IDEA or 2-key DES.  However, the system as a whole isn't resistant
to "practical cryptanalysis."  In _The Puzzle Palace_, Bamford describes how
several NSA employees were turned by foreign (presumably KGB) agents, despite
security measures that I doubt any Big 8 accounting firm could match.  And
NSA confidential data was *not* subject to being requested by thousands of
police organizations and courts across the land.
 
   --John Kelsey, c445585@mizzou1.missouri.edu

Newsgroup: sci.crypt
Document_id: 15377
From: dfl@panix.com (Danny O'Bedlam)
Subject: Re: Why the clipper algorithm is secret

In <1993Apr18.225502.358@iecc.cambridge.ma.us> johnl@iecc.cambridge.ma.us (John R. Levine) writes:
(quoting someone else here) 
>>The cryptographic protocol, though, is another matter.  I see no valid
>>reasons for keeping it secret, and -- as I hope I've shown above -- there
>>are a lot of ways to do things that aren't (quite) as bad.

>It just occurred to me why the algorithm is secret.  If it were
>published, one could then build physically identical clone versions
>of the chip that would interoperate with official Clipper chips.  But
>the cloner wouldn't provide the keys to the escrow houses.  Hmmn.

								Yeah!

	The algorithm is classified because a military contract (or similar
government equivalent to military) has been let for this "proprietary"
design that the Feds say that NSA developed.  Is there a patent?  Is that
patent publicly available?  My betting is that that too is classified.

	If the algorithm were made public, or reverse-engineered, it would
compromise not only the goal of Justice of being able to read every chip
user's crypto-data but would reduce profits for the selected chip maker.

	Wouldn't that just be too bad?

-- 
***********************************************************************
* Danny O'Bedlam  = dfl@panix.com = cmcl2!panix!dfl = Danny Lieberman *
* PO Box 3131 Church St Station, New Yawk, New Yawk, 10008-3131 (usa) *
***********************************************************************

Newsgroup: sci.crypt
Document_id: 15378
From: C445585@mizzou1.missouri.edu (John Kelsey)
Subject: The wiretap chip, clones, and secure key-exchange

U23590@uicvm.uic.edu writes:
>The cryptographic algorithm MUST be kept secret, or
>private individuals could make ClipperClones with
>which they could transmit messages which the feds would not have
>ready access to.
 
   Not necessarily.  I've been thinking about this, and if this chip/scheme
is to provide any real security, there must be some sort of key exchange,
either using a public-key encryption scheme, or using a key exchange scheme
like Diffie-Hellman.  If there's an out-of-band transmission of a shared
session key, then what protects that band from eavesdropping?  If the phone
company or some other online central authority generates a session key and
sends it to both users, then what's the point of going to the trouble of
having some complicated key-depositories?  Just ask the phone company for
a copy of the session key for each call.
 
   Now, it's probably not practical for each user to keep an online copy of
every public key used by anyone anywhere, right?  So, probably, there will
be some way of getting these keys verified.  This might be a digitally-
signed (by the chip manufacturer) copy of the public key in this unit,
stored by this unit.  It might also be an online directory with access to
everyone's public keys.  (This would introduce another weakness to the
security of the scheme, of course.)  Presumably, if you don't use your
designated key, you can't get a verified connection to other standard chips.
 
   It might be useful to have a modified chip, which would allow you to
use either the original public/private key pair, or some other key pair
and verification scheme.  Unfortunately, this would not allow you to call
most people and establish secure communications....
 
   --John Kelsey
>I hope somebody starts doing this soon after the first
>ones are released...
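
One way the key-exchange side Kelsey sketches could fit together, as an added example that is neither the poster's code nor the Clipper design: each chip carries a static X25519 key pair plus a manufacturer Ed25519 signature over its id and public key (Kelsey's "digitally-signed (by the chip manufacturer) copy of the public key in this unit"), and a call's common K_P is derived from the X25519 shared secret only after the peer's certificate verifies. The names Chip, Certificate, manufacture, newManufacturer and SessionKeyWith, the curve and signature choices, and the hash-based KDF are all assumptions of this example.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Certificate is the manufacturer's signature over a chip's public key,
// stored in the unit and shown to peers at call setup.
type Certificate struct {
	ChipID    string
	PublicKey []byte // X25519 public key, 32 bytes
	Signature []byte // Ed25519 signature by the manufacturer
}

// Chip holds a static X25519 key pair and the certificate issued for it.
type Chip struct {
	ID   string
	priv *ecdh.PrivateKey
	Cert Certificate
}

// newManufacturer creates the manufacturer's Ed25519 signing key pair.
func newManufacturer() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// certBytes is what the manufacturer signs: the chip id bound to its key.
func certBytes(id string, pub []byte) []byte {
	return append([]byte(id+"|"), pub...)
}

// manufacture creates a chip and has the manufacturer sign its public key.
func manufacture(id string, makerKey ed25519.PrivateKey) (*Chip, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	pub := priv.PublicKey().Bytes()
	cert := Certificate{
		ChipID:    id,
		PublicKey: pub,
		Signature: ed25519.Sign(makerKey, certBytes(id, pub)),
	}
	return &Chip{ID: id, priv: priv, Cert: cert}, nil
}

// SessionKeyWith checks the peer's certificate against the manufacturer's
// public key and only then derives the call's session key K_P from the X25519
// shared secret. Both chips run this and arrive at the same K_P, the common
// key that Bernstein notes the published description does not account for.
func (c *Chip) SessionKeyWith(peer Certificate, makerPub ed25519.PublicKey) ([]byte, error) {
	if !ed25519.Verify(makerPub, certBytes(peer.ChipID, peer.PublicKey), peer.Signature) {
		return nil, errors.New("peer certificate not signed by the manufacturer")
	}
	peerPub, err := ecdh.X25519().NewPublicKey(peer.PublicKey)
	if err != nil {
		return nil, err
	}
	shared, err := c.priv.ECDH(peerPub)
	if err != nil {
		return nil, err
	}
	// Minimal KDF: label || shared secret, hashed. A production design would use
	// HKDF and bind both chip ids and a per-call nonce into the derivation.
	h := sha256.New()
	h.Write([]byte("clipper-model-session-key|"))
	h.Write(shared)
	return h.Sum(nil), nil
}
```

A chip whose certificate was signed by anyone other than the manufacturer, or whose certificate was altered in transit, is refused before any shared secret is computed. That is the mechanism behind Kelsey's remark that a unit not using its designated key cannot get a verified connection to standard chips, and it is also why the online directory he mentions would be one more component whose compromise matters.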

Newsgroup: sci.crypt
Document_id: 15379
From: brad@clarinet.com (Brad Templeton)
Subject: Re: How to detect use of an illegal cipher?

In article <C5nMB1.CoF@news.claremont.edu> ebrandt@jarthur.claremont.edu (Eli Brandt) writes:
>get their copy of your key.  Any criminal who's going to use
>encryption will do it under cover of Clipper.  The only way to avoid
>this will be to try to prohibit strong encryption.

This isn't true.  Today's criminals regularly use all sorts of unsafe
methods, from cordless phones to cellular phones to plain old copper
wire analog phones that you can put alligator clips on to plan and
execute their crimes.

It is amazing how stupid they are, which is why the FBI was so keen on
the digital telephony law, and its successor the clipper chip.  They're
hoping here that most crooks will remain stupid, feel safe using clipper
chip phones and get caught.
-- 
Brad Templeton, ClariNet Communications Corp. -- Sunnyvale, CA 408/296-0366

Newsgroup: sci.crypt
Document_id: 15380
From: brad@clarinet.com (Brad Templeton)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

In article <1993Apr18.032405.23325@magnus.acs.ohio-state.edu> jebright@magnus.acs.ohio-state.edu (James R Ebright) writes:
>In article brad@clarinet.com (Brad Templeton) writes:
>
>[...]>
>>The greatest danger of the escrow database, if it were kept on disk,
>>would be the chance that a complete copy could somehow leak out.  You
>[...]>
>>Of course then it's hard to backup.  However, I think the consequences
>>of no backup -- the data is not there when a warrant comes -- are worse
>>than the consequences of a secret backup.
>
>If the data isn't there when the warrant comes, you effectively have
>secure crypto.  If secret backups are kept...then you effectively have
>no crypto.  Thus, this poster is essentially arguing no crypto is better
>than secure crypto.

No, the poster (me) has his brain in the wrong gear.  As you can infer
from the first sentence, I meant the consequences of no backup are *better*
than the consequences of an easy to copy database.
-- 
Brad Templeton, ClariNet Communications Corp. -- Sunnyvale, CA 408/296-0366

Newsgroup: sci.crypt
Document_id: 15381
From: C445585@mizzou1.missouri.edu (John Kelsey)
Subject: Competing standard

   Perhaps one way of getting away from this cripple chip that the U.S.
government seems to be pushing would be to come up with a good alternative.
For example, how about a scheme using RSA, and some hybrid of DES-CFB and
another strong stream cipher (Maybe IDEA-CFB)?  This could be substantially
the same as the cripple chip, except that instead of key-registration, the
police could demand that you give up your secret key to them (with a court-
issued warrant).  Then, they could read the last few months of wiretapped
messages you've sent, and assuming you've committed no crimes, you could
generate a new key pair and go about your business.  I find that I'd be
willing to pay RSA for the right to use such a system, especially given the
alternative.  If you were unwilling to give up your secret key, then you'd
probably stay in jail (has anyone got a real legal precedent for this?).
   This would allow court-issued warrants to be used to gather information
on suspected criminals, but it couldn't be done in secrecy, and there
would be enormously less likelihood of corruption or theft of escrowed keys.
(Maybe someone from the law-enforcement or intelligence community will correct
me, but this doesn't *seem* like such a big loss in terms of law-enforcement
capabilities.)
 
   Any comments?
 
   --John Kelsey
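
Kelsey's alternative, as an added example and not his code: a hybrid envelope in which a per-message session key is wrapped with RSA-OAEP to the recipient's public key, with AES-256-GCM substituted for the DES-CFB or IDEA-CFB layer he names (DES is obsolete today). The functions encryptTo, decryptWith, readRecorded and rotate, and the Envelope layout, are this example's own. It shows the property the post relies on: a surrendered private key opens the traffic recorded while that key was in use, and nothing sent after the owner generates a new pair, with no escrow copy of anything existing in between.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Envelope is one message as a wiretap would record it: the per-message
// session key wrapped to the recipient's RSA public key, and the traffic
// encrypted under that session key.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(pub, K)
	Body       []byte // nonce || AES-256-GCM(K, M)
}

// gcm builds an AES-256-GCM instance for the symmetric layer.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptTo wraps a fresh 256-bit session key to pub and seals the message
// under it. Only the recipient's long-term private key links the messages.
func encryptTo(pub *rsa.PublicKey, message []byte) (Envelope, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return Envelope{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	if err != nil {
		return Envelope{}, err
	}
	aead, err := gcm(sessionKey)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedKey: wrapped, Body: aead.Seal(nonce, nonce, message, nil)}, nil
}

// decryptWith is what the recipient does on every message, and what an
// investigator does with a surrendered private key: unwrap K, then open M.
func decryptWith(priv *rsa.PrivateKey, env Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	aead, err := gcm(sessionKey)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(env.Body) < ns {
		return nil, errors.New("body too short")
	}
	return aead.Open(nil, env.Body[:ns], env.Body[ns:], nil)
}

// readRecorded is the warrant scenario: the investigator tries the surrendered
// key against everything recorded. Messages sent to the old public key open;
// messages sent after the recipient rotated to a new key pair stay sealed.
func readRecorded(surrendered *rsa.PrivateKey, recorded []Envelope) (opened, sealed int) {
	for _, env := range recorded {
		if _, err := decryptWith(surrendered, env); err == nil {
			opened++
		} else {
			sealed++
		}
	}
	return opened, sealed
}

// rotate generates a key pair; the recipient calls it once at setup and again
// after a surrender, so the surrendered key has no reach into later traffic.
func rotate() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}
```

The contrast with the escrow design is in where the long-term secret lives: here there is exactly one copy, in the recipient's hands, so a compromise of any third party cannot expose it, and disclosure is an event the owner sees and can respond to by rotating.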

Newsgroup: sci.crypt
Document_id: 15382
From: djb@silverton.berkeley.edu (D. J. Bernstein)
Subject: Re: Clipper chip -- technical details

In article <1993Apr19.052005.20665@ulysses.att.com> smb@research.att.com (Steven Bellovin) writes:
> Nothing was said about where K_P comes from.

Oh? Hellman said ``each user will get to choose his or her own key.''
That's the key which I called K_P, the session key. According to
Hellman, if Alice and Bob are communicating with the Clipper Chip,
then Alice chooses ``her own key'' and Bob chooses ``his own key.''
This is incompatible with the suggestion that when Alice and Bob are
talking, they use a _common_ K_P, chosen by classical or public-key
approaches.

The protocol/key-management description published so far is either
incomplete or incorrect. It leaves me with no idea of how the system
would actually _work_. I hope the CPSR FOIA request succeeds so that
we get full details.

---Dan

Newsgroup: sci.crypt
Document_id: 15383
From: holthaus@news.weeg.uiowa.edu (James R. Holthaus)
Subject: Re: Fighting the Clipper Initiative

prz@sage.cgd.ucar.edu (Philip Zimmermann) writes:

Philip,
I think your ideas are well taken and constructive.  Thanks for
articulating them in this forum.

>2)  Work the Press.  Talk with your local newspaper's science and
>technology reporter.  Write to your favorite trade rags.  Better yet,
>write some articles yourself for your favorite magazines or
>newspapers.  Explain why the Clipper chip initiative is a bad idea. 
>Remember to tailor it to your audience.  The general public may be
>slow to grasp why it's a bad idea, since it seems so technical and
>arcane and innocent sounding.  Try not to come across as a flaming
>libertarian paranoid extremist, even if you are one. 

As a flaming libertarian paranoid extremist (:-), I'm at a loss for
specific objections that don't sound frighteningly technical.  Any
suggestions?  Perhaps somebody could post a list of these?

>5)  Mobilize opposition in industry.  Companies that will presumably
>develop products that will incorporate the Clipper chip should be
>lobbied against it, from within and from without.  If you work for a
>telecommunications equipment vendor, first enlist the aid of your
>coworkers and fellow engineers against this initiative, and then
>present your company's management with a united front of engineering
>talent against this initiative.  Write persuasive memos to your
>management, with your name and your colleagues' names on it.  Hold
>meetings on it.
 
One way to do this might be to suggest that these companies should be
implementing their own schemes, not being limited to the govt's
scheme.

I find that most of my reasons for opposition to the Clipper scheme
are algorithm insecurity and mistrust of the govt/NSA.  These are hard
to sell in letters to the editor and to nontechnical people.  Any
hints or advice?  Maybe a small FAQ-type thing "Why should I Hate
Clipper" would be a good idea.
-- 
<><><><><><><><><><>James Holthaus  james-holthaus@uiowa.edu<><><><><><><><><>
<   Government is an association of men who do violence to the rest of us.   >
<             -- Leo Tolstoy                                                 >
<><><><><>PGP 2.2 Public key available on request or from key server<><><><><>

Newsgroup: sci.crypt
Document_id: 15384
From: finchm@csugrad.cs.vt.edu (Michael Finch)
Subject: Re: Why the clipper algorithm is secret

johnl@iecc.cambridge.ma.us (John R. Levine) writes:
> >The cryptographic protocol, though, is another matter.  I see no valid
> >reasons for keeping it secret, and -- as I hope I've shown above -- there
> It just occurred to me why the algorithm is secret.  If it were
> published, one could then build physically identical clone versions

I recall seeing a post some time ago saying that if the details of
an encryption scheme couldn't be revealed, then the encryption
scheme is worthless.  I believe the statement was in response to
somebody saying that they had some new snazzy scheme, but the
algorithm was a secret.

Does this algorithm depend on the fact that the scheme is secret or
is it for the stated reasons above?


-Mike

Newsgroup: sci.crypt
Document_id: 15386
From: steve-b@access.digex.com (Steve Brinich)
Subject: Re: Fighting the Clipper Initiative

 >As a flaming libertarian paranoid extremist (:-), I'm at a loss for
 >specific objections that don't sound frighteningly technical.

  The idea that foisting the Cripple Chip standard on US manufacturers would
result in saying "Sayonara" to yet another high-tech market isn't technical,
isn't in the least difficult to understand, and plays on a concern lots of
people are worried about already....



Newsgroup: sci.crypt
Document_id: 15387
From: stan@tacobel.UUCP (stan)
Subject: Re: text of White House announcement and Q&As on clipper chip encryp

brad@clarinet.com (Brad Templeton) writes:
> Let's assume, for the moment, that the system really is secure unless
> you get both halves of the encryption key from the two independent
> escrow houses.  Let's say you even trust the escrow houses -- one is
> the ACLU and the other is the EFF.  (And I'm not entirely joking about
> those two names)
> 
Hi, I'm new to Internet, so this is a bit of a test message, so even a 
token reply would be very appreciated.

Anyways, reading this I'd figure this would be as excellent a method of 
corrupting the ACLU and the EFF as could be wished for.  "Who Guards the 
Guardians?", etc...

Newsgroup: sci.crypt
Document_id: 15388
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: Automatic online encryption of data

	From: andersom@spot.Colorado.EDU (Marc Anderson)

	>Also.. how about a box that you plug your phone into, which would allow
	>encrypted voice communications with someone who has a similar box?  
	>(digitizing input speech, transmitting, and decrypting on the other end).  I 
	>don't know how a public-key system could work in this regard, but it might 
	[...]

	heh heh... I posted this just before reading all the Clinton Chip messages..
	I guess they beat me to it..  Anyway, I think it would be a great idea to
	develop such a product, perhaps in the underground, as it would otherwise
	probably become illegal pretty quickly here...

It's really very feasible and shouldn't be too expensive - all that's needed
is a box with a phone jack on one side, a DSP in the middle to do codec
functions of speech->compressed bytestream, and an RS232 on the other side.

You'd plug your phone into it, plug the RS232 into your computer, and have
a good old fashioned normal modem on your other RS232 port.  The CPU in the
middle would do the encryption with a version of pgp modified to work on
a byte stream.

With v32bis or better modems to carry the bytestream, it should work. 
Quality would only be marginally lower than a normal telephone.

At the very highest price, you could use one of those voice-mail compatible
modems to do the digitisation - that puts an upper bound of about $500 on
the cost of such a box.  In practice, you really ought to be able to get
the price well below $100 - I could do it now in software on my cheap&nasty
home RISC box (Acorn Archimedes) with the digitising microphone I bought
for 25 pounds, if I knew how to write good speech compression software
(which I don't).

The reason it won't work of course is that hardly anyone will have one -
the only consumer equipment to have encryption will use the wiretap chip.
Economics, I'm afraid.

However... we can get about 2Kcps throughput on the internet even with
the bottleneck of a v32bis modem.  When we get ISDN for all (ha ha ha)
and the new NREN, it might then be trivial to run compressed speech
over a tcp/ip connection on the Internet.  Perhaps we should start
thinking now of a standard to keep voice on the internet compatible
for everyone, and side-step the clipper stuff and use internet for
all our phone calls in future :-)  [1/2 joking]

G

Newsgroup: sci.crypt
Document_id: 15389
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: Clipper chip -- technical details

	The protocol/key-management description published so far is either
	incomplete or incorrect. It leaves me with no idea of how the system
	would actually _work_. I hope the CPSR FOIA request succeeds so that
	we get full details.

Wouldn't it be easier just to ask denning@cs.georgetown.edu? ;-)

G

Newsgroup: sci.crypt
Document_id: 15390
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: Corporate acceptance of the wiretap chip

:    Indeed, if NSA really designed the algorithm to be secure, it's very likely
: as secure as IDEA or 2-key DES.  However, the system as a whole isn't resistant
: to "practical cryptanalysis."  In _The Puzzle Palace_, Bamford describes how
: several NSA employees were turned by foreign (presumably KGB) agents, despite
: security measures that I doubt any Big 8 accounting firm could match.  And
: NSA confidential data was *not* subject to being requested by thousands of
: police organizations and courts across the land.

Ah yes, don't anyone mention Ronald William Pelton[*], heh heh heh.  How
embarrassing.

G
[*: NSA, 1964-1979; KGB 1980-1985]

Newsgroup: sci.crypt
Document_id: 15391
From: bell@mars.dev.promis.com (Mike Bell)
Subject: Clipper proposal - key length?

Danny Weitzner <djw@eff.org> writes:

>April 16, 1993

>INITIAL EFF ANALYSIS OF CLINTON PRIVACY AND SECURITY PROPOSAL

>DETAILS OF THE PROPOSAL:

>ESCROW

>The 80-bit key will be divided between two escrow agents, each of whom
>hold 40-bits of each key.  The manufacturer of the communications device
>would be required to register all keys with the two independent escrow
>agents.  A key is tied to the device, however, not the person using it.

So if we subvert one of the two escrow agents, we only have a 40-bit
space to search through...

2^40 doesn't sound that big - is digital telephony subject to a known
plaintext attack?

In which case half the key seems to be all that is needed, and the two
agent escrow arrangement is pointless. 

Of course, the unknown algorithm might turn gaps in speech into 
pseudo-random sequences, or there might be some magic involved, or...
-- 
-- Mike -- <bell@promis.com>

Newsgroup: sci.crypt
Document_id: 15392
From: rlward1@afterlife.ncsc.mil (Robert Ward)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

In article <bontchev.734981805@fbihh> bontchev@fbihh.informatik.uni-hamburg.de writes:
>and since the US constitution guarantees the right to every American
>to bear arms, why is not every American entitled, as a matter of

Have you read the applicable part of the Constitution and interpreted it IN 
CONTEXT?  If not, please do so before posting this misinterpretation again.
It refers to the right of the people to organize a militia, not for individuals 
to carry handguns, grenades, and assault rifles.  

Robert L. Ward


Newsgroup: sci.crypt
Document_id: 15393
From: lewis@eecg.toronto.edu (david lewis)
Subject: Off the shelf cheap DES keyseach machine (Was: Re: Corporate acceptance of the wiretap chip)

In article <16BB51156.C445585@mizzou1.missouri.edu> C445585@mizzou1.missouri.edu (John Kelsey) writes:
> 
>strnlght@netcom.com (David Sternlight) writes:
>>
[..stuff deleted]
>existence of the key-registry system seems to make possible all kinds of
>possible attacks at a small fraction of the expense of trying to build (say)
>a DES keysearch machine.
> 
>   As originally described, it sounded like any police / court combination
>could acquire the key for a given chip.  I hope that's not the case, since
>it would imply a glaring hole.  (How much does it cost to find *one* crooked
>judge and *one* crooked cop?  Especially for a foreign intelligence agency
>or organized crime boss?)  However, even if more intelligent schemes are used
>to allow access to the unencrypted phone conversations, there will be
>weaknesses.  They may be very expensive, and very difficult.  But who would
>trust his/her confidential information to an encryption scheme that, for
>(say) $100,000 could be cracked one time in a hundred?  (DES, for all the
>complaints about a 56-bit key, would probably cost several million dollars
>to build a keysearch machine for.)
> 

I can buy a DES keysearch machine off the shelf now for approx $500K, but
it is not sold by that name. Go buy a circuit emulation machine (e.g. Quickturn)
containing a bunch of FPGAs, (say 500 to 1000 3090's), and program each
to be a DES search engine. Let's say 500 chips, running at 10 MHz = 5G tests/sec.
Time is 14e6 sec max = 23 weeks, 12 weeks average. Can't wait that long?
Buy a bigger machine.


David Lewis

Newsgroup: sci.crypt
Document_id: 15394
From: jdailey@asic.sc.ti.com (Jim Dailey)
Subject: Re: Once tapped, your code is no good any

>amolitor@nmsu.edu (Andrew Molitor) writes:
>>	Not to pick on Mr. May in particular, of course, but isn't this
>>kind of the domino theory? When one little country falls, its neighbor
>>will surely follow, and before you know it, we're all mining salt
>>in Siberia for not turning in our Captain Crunch Secret Decoder Rings.

There was an interesting column on the editorial page of the Dallas
Morning News on Saturday by Walter Williams, who I believe is a
professor at Georgetown (I wonder if he knows of Dorothy "you're not in
Kansas anymore" Denning).  The article was titled "Government slowly
eroding our liberties", and in it he tells a story attributed to the
late Leonard Read who

        explained that if you wanted to take liberty away from
        Americans, you had to know how to cook a frog.  Mr. Read
        said you can't cook a frog by boiling a pot of water and
        then throwing the frog in.  His reflexes are so quick that
        as soon as his feet touch the water, he will leap away.
        You must put the frog in a pot of cold water and heat it
        up bit by bit.  By the time the frog realizes he's being
        cooked, it is too late.  It is the same with Americans.
        If anyone tried to take our freedoms all at once, we
        would naturally rebel and suppress the tyrant.  But as
        with successful frog cooking, our liberties can be taken
        a little bit at a time.

The last line of the article says, "It's not too late for us, but the
water is getting pretty warm."  I'd have to agree that it's warm and the
Clipper is keeping the temperature on an upward course.

NOTE: followups redirected to alt.privacy.clipper

---
Jim  jdailey@asic.sc.ti.com
   TI pays absolutely no attention to me or my opinions; therefore,
   the foregoing information cannot possibly represent TI's viewpoint.

Newsgroup: sci.crypt
Document_id: 15395
From: prm@ecn.purdue.edu (Philip R. Moyer)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

In article <1993Apr17.032022.14021@clarinet.com>, brad@clarinet.com (Brad Templeton) writes:
|>
|> Let's assume, for the moment, that the system really is secure unless
|> you get both halves of the encryption key from the two independent
|> escrow houses.  Let's say you even trust the escrow houses -- one is
|> the ACLU and the other is the EFF.  (And I'm not entirely joking about
|> those two names)
|> 
|> In that case the Prince of Wales has nothing to worry about on this
|> system.

I must respectfully disagree with this assertion, Brad.  The government is
notoriously sloppy with physical, communications, and information security.  They
can't keep their computers safe, and they're "trying".  Read "DEA is
Not Adequately Protecting National Security Information" [GAO/IMTEC 92-31] for an
excellent example of what I'm talking about.

Private sector organizations tend to be even more lax in their security measures.
I believe that the escrow organizations will be penetrated by foreign
intelligence services within months, if not weeks, of their selection.  Private
organizations that lack the resources of a full-fledged intelligence service will
take longer - perhaps on the order of one to two years.  Nonetheless, the
penetrations will take place, without question.

Philip R. Moyer						     ECN Software Staff
Engineering Computer Network				    Voice: 317-494-3648
prm@ecn.purdue.edu					    Fax:   317-494-6440

Newsgroup: sci.crypt
Document_id: 15396
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: An Open Letter to Mr. Clinton

strnlght@netcom.com (David Sternlight) writes:

> Here's a simple way to convert the Clipper proposal to an unexceptionable
> one: Make it voluntary.

As usual, you are not reading. The proposal -does- say that it is a
"voluntary program". This doesn't make it more desirable, though...

> That is--you get high quality secure NSA classified technology if you agree
> to escrow your key. Otherwise you are on your own.

"Secure"? How do you know? Because NSA is trying to make you believe it?
"Trust us." Yeah, right.

"Otherwise you are on your own"? How do you know that tomorrow they
will not outlaw encrypting devices that don't use "their" technology?
Because they are promising you? Gee, they are not doing even that -
read the proposal again.

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

Newsgroup: sci.crypt
Document_id: 15397
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Once tapped, your code is no good any more.

strnlght@netcom.com (David Sternlight) writes:

> What follows is my opinion. It is not asserted to be "the truth" so no
> flames, please. 

It is incompetent, like almost anything you have posted here, so
you'll be flamed, sorry.

> It comes out of a background of 20 years as a senior
> corporate staff executive in two Fortune 50 companies.

%/$( your "20 years of background in two Fortune 50 companies"; I've
lived 30 years under a totalitarian regime, and boy, I *can* recognize
a totalitarian plot when I see one...

> I'd be happy to use a crypto system supplied by the NSA for business, if
> they told me it was more secure than DES, and in particular resistant to

I am sure that -you- would be happy to use anything "they" tell you is
secure; we're talking about the intelligent people here... Or the
criminal ones, if you don't like the previous sentence... :-) Or those
who don't want their privacy to be guaranteed to be invadable by the
government - any current and future government, mind you...

> I'd be happy to do so even with escrowed keys, provided I was happy about
> the bona fides of the escrow agencies (the Federal Reserve would certainly
> satisfy me, as would something set up by one of the big 8 accounting firms).

Even if you ignore the nonsense of the above statement for a moment,
and even if you are happy with such a system and the current escrow
agencies NOW, what guarantees that you'll be happy with them TOMORROW,
when the government changes? Or when the current government throws
away the sheep skin? All the sheep who are reasoning like you will get
caught by surprise, but it will be too late, because then cryptography
that is not guaranteed to be breakable by the government will already
have been outlawed... After all, you've already got privacy that is
said to be breakable only by the law enforcement agencies, so if you
are law-abiding, you have no reasons to use a stronger one, right? So,
if you are using a stronger one, you have something to hide from the
law enforcement agencies, right? Something unlawful, right? Therefore,
strong crypto is a clear indication that you are doing something
unlawful.

> I'd trust the NSA or the President if they stated there were no trap

Considering the level of competence in cryptology that you have
demonstrated in your messages, you would trust just anything... And
no, this is not an ad hominem attack; it's an attack against the
contents of your messages <grin>.

> doors--I'd be even happier if a committee of independent experts examined
> the thing under seal of secrecy and reported back that it was secure.

And how do you know that these experts are not corrupted? And how do
you know that they will not make a mistake? And how do you know that
the version of the algorithm they will be let to examine is the same
as the one that will be really used?

Regarding the mistake - even the little information "they" have let out
has revealed a serious security hole in the protocol - the 80-bit key
is split in two 40-bit ones, thus the whole system is easily
breakable, if you have only one of the keys.

> I'd trust something from the NSA long before I'd trust something from some
> Swiss or anybody Japanese.

The Swiss or the Japanese are motivated by simple greed; NSA is
motivated by their wish to control the people. That's why the drug
dealers have their accounts in Swiss banks, instead of in American
ones. For some reason, they do trust the Swiss banks more... Guess
they'll trust the Swiss encryption more too... I see IDEA becoming
suddenly popular... :-)

> This may seem surprising to some here, but I suggest most corporations would
> feel the same way. Most/many/some (pick one) corporations have an attitude
> that the NSA is part of our government and "we support our government", as
> one very famous CEO put it to me one day.

It's not surprising at all, but not because of the reason you give.
It's because it is obvious that the US government has put a lot of
money behind this program and it will support it. Thus, most
corporations will try to get their piece from the pie by supporting it
too. The same good old greed. Strong encryption is not widely
available now not because of some plot, but because the companies
don't see much money in it. It will be available even less, if the
companies can see any penalties associated with it...

> Just some perspective from another point of view.

Yeah, just as I predicted, you are here again, to support the new
system.

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

Newsgroup: sci.crypt
Document_id: 15398
From: ricktait@bnr.co.uk (Rick Tait)
Subject: Re: What the clipper nay-sayers sound like to me.

Nathaniel Sammons (ns111310@LANCE.ColoState.Edu) wrote on Mon, 19 Apr 1993 02:36:36 GMT: 
> If the gov establishes a cryptography standard that has to be used by
> everyone, and everyone's personal key is divided into two segments
> and stored at two separate, albeit easy to find places, and that key is
> only 80 bits to begin with, we are screwed (pardon the allusion to the 
> afore-mentioned article)!

> The gov, I believe, as do many others probably already have the cracking chips
> for this Clipper Chip made.  Hell, they probably based the encoder on the 
> chip that cracks it, that way it's easier to break the code, but since it is a 
> classified algorithm, no one knows that they can crack it so easily.

Agreed. No agency such as the NSA (or whoever) would approve the public 
release of a crypto-system, if they didn't already have the technical
means or the know-how to decrypt everything at their whim. Surely the whole
point of all this madness is to make Joe Public think that his/her
communications will be kept safe, while James Bond at the NSA can, if need
be, have full, decrypted access to someone's communications? That'll be
quite a heist, if they can pull it off. 


I thought that the US Government were going to release the algorithm to a
panel of "carefully chosen experts", who would then "study it deeply, and
report their findings"? Exactly who will these people be? Academics? Or
Government-sponsored researchers? Tiny-toons?

> I, for one, am quite scared of this kind of thing, and plan to support 
> organizations (and even disorganizations) who are fighting against this
> Clipper Chip in any way that I can.

I can only hope that the same sort of thing doesn't start filtering over
into the ears of the UK Government, and if the European Parliament gets
wind of it, well, we can kiss goodbye to any form of Democracy in Europe 
at all.

> I do not want the government to be able to have access, even with a search
> warrant, to my keys... and I don't want those keys to be only 80 bits long
> to begin with!

Hallelujah! :-)
--
Rick M. Tait                                Bell Northern Research Europe
Tel: +44-81-945-3352, Fax: +44-81-945-3352     Network Management Systems
<PGP 2.2 public key available on request>       New Southgate, London. UK
email: ricktait@bnr.co.uk  || rt@cix.compulink.co.uk  ||  ricktait@bnr.ca

Newsgroup: sci.crypt
Document_id: 15399
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

strnlght@netcom.com (David Sternlight) writes:

> Though some may argue about the nose of the camel, it's worth noting that
> the government proposal is limited to scrambled telephony. If it is only
> used for that purpose, and does not extend to electronic mail or file

As usual, David Sternlight is demonstrating his inability to read. The
proposal clearly states:

=> The initiative will involve the creation of new products to
=> accelerate the development and use of advanced and secure
=> telecommunications networks and wireless communications links.

It speaks about telecommunications in general. Read it again, David.
Maybe you'll understand it the next time... Nah, probably not.

> encryption, then it IS an improvement over the current mass-produced
> standard civilian technology which, with a few exceptions, is limited to
> easy-to-break inverters.

That's exactly what the government wants all sheep-minded people to
think. Let's look at the current situation. It allows almost anybody
to eavesdrop on almost everybody, unless secure (and I mean
secure) encryption is used. What will happen when ("if"? Ha!
optimists...) the new proposal gets accepted? Almost nobody EXCEPT
SOME will be able to eavesdrop everybody else, but the ability of
these "some" to eavesdrop will be guaranteed! The proposal emphasizes
the former ("almost nobody") - which is clearly an improvement -
and "forgets" to mention the drawbacks of the latter ("guaranteed").
Yes, my statement assumes that the next step will be to make the
strong crypto unlawful. You think that it will not happen? Good luck.

> Note that the big issue for the feds is the continued ability to wiretap.

It's not just "continued ability". It's -guaranteed- ability.

> Before we go off the deep end with long discussions about secure crypto for
> e-mail and files, let's focus on this.

Yeah, that's exactly what your government wants you to think. Let's
take small steps, one at a time. Concentrate on the current one, don't
think about the future. Trust us.

> One question that was not asked in the release is whether this proposal is
> limited to telephony, or if the government intends to expand it.

It's not asked because the proposal clearly says that this is the
intention. They, unlike you, read what they write.

> Though I share many of the concerns expressed by some, I find the proposal
> less threatening than many others, since right now most Americans have no
> secure telephony, and any jerk with a pair of clip leads and a "goat" can
> eavesdrop. This would also plug up the security hole in cellular and
> cordless phones.

Yes, it will. It will stop the jerk who is eavesdropping now. It will
allow only to the government to eavesdrop. (If the scheme is secure,
of course, which is yet to be proven.) But how do you know that the
jerk you are fearing now will not get a government job tomorrow? The
new proposal -guarantees- him the ability to eavesdrop then. Hell,
that will even motivate him to get that job - if he indeed is that
mentally pervert...

> Reading between the lines, I infer that the system is highly secure
> without access to the keys.

Great. The Greatest Cryptographer of All Times David Sternlight (tm)
has succeeded in evaluating the new system in the absence of any
details whatsoever and has concluded that it is "highly secure". I
guess, that comes from the background of working some 50 years for the
two major crypto evaluating companies, right? Gee, now the government
can save all that money and trouble to ask a secret council of crypto
experts to secretly analyse the new secret method - for David
Sternlight has already done all the job for them...

> This would meet the needs of U.S. businesses
> confronted by rich and powerful adversaries, including French and Japanese
> security services and rich Japanese companies. It allows the NSA to make
> available some of its better stuff while protecting law enforcement needs.

"Trust us, we're from the Government and we're here to help you."

> Most legitimate U.S. corporations trust the NSA, and would be delighted to
> have a high-security system certified by them, even at the price of
> depositing keys in escrow. I see no difficulty in creating a reliable

"Those who are prepared to trade their liberties for the promises of
future safety, do not deserve either." This (or something like that; I
don't have the exact quote, but the meaning is the same) has been said
by one of your great men. Maybe you should study their works more
carefully, if you have the brains to understand them, of course.

> From my point of view this is a fair starting point. There are concerns that
> need to be addressed, including the reliability of the escrows. But in

The main question is to guarantee the availability of -really- secure
cryptography to the masses. Gee, if the proposal was saying "we
guarantee that every American will still have the full right to use
any kind of encryption s/he would like and regard this proposal as
just a default, voluntary implementation", there would have been much
less opposition... For some reason, they didn't even try to promise
you that. I wonder why... Was Orwell off only by 10 years?

> return we get access to high-security crypto.

No, in return you get crypto that is guaranteed to be crippled.

> Many have suggested that DES
> and other systems may be breakable by the NSA and hence others similarly
> skilled and endowed.

While the above is just rumors, and while even if it is true, it is
not done -easily-, the new scheme is guaranteed to be easily
breakable by anybody who has the two keys. It might be also breakable
by somebody who does not have them but knows the right trick. Or who
has only one of them. NSA also told you that DES is secure, why don't
you simply trust them, huh?

> There is at least a good possibility (which should be
> checked) that the proposed system is not so breakable. It doesn't have to

It is -guaranteed- to be -easily- breakable - just get the keys. It
might be even easier, but until there is some evidence, this is just a
wild speculation.

> be, nor does it have to have trapdoors, if the government can get the keys

The trapdoors -are- there. In government's hands. The keys.

> pursuant to a legitimate court order. Thus they can protect legitimate
> communications against economic adversaries, while still being able to
> eavesdrop on crooks pursuant to a court order.

Legitimate? And who decides what communications are legitimate? Oh, I
guess, it's the government, right? The guys who already have the keys?
It's kinda if I have the keys from your car and I am asked to decide
who has the right to use it "legitimately"...

> In discussing this, let's try to avoid the nastiness, personal attacks and
> noise of some previous threads.

Impossible, since you are demonstrating the same level of incompetence
and ignorance as in the previous threads.

> This is a substantive and technical issue,
> and personal remarks have no place in such a discussion.

Unfortunately, I have yet to see you posting a technically competent
message.

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

Newsgroup: sci.crypt
Document_id: 15400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

strnlght@netcom.com (David Sternlight) writes:

> Nothing I'm doing would be of the slightest interest to President Nixon .

A typical example of sheep-minded thinking. We all know that David
Sternlight is a jerk, but I'm afraid that in this case 90% of the
population will think like him. Realize it guys - NSA, Dorothy
Denning, and the US government have already won the battle...

Unless... unless you succeed to wake up the people... but nah, that's
too unlikely... The events are happening too fast, cryptography is a
too sophisticated issue, and almost nobody cares anyway... A few
thousand of net.readers won't make the difference, if millions are
caught asleep... Too sad... :-(((((

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

Newsgroup: sci.crypt
Document_id: 15401
From: smb@research.att.com (Steven Bellovin)
Subject: More technical details

Here are some corrections and additions to Hellman's note, courtesy of
Dorothy Denning.  Again, this is reposted with permission.

Two requests -- first, note the roles of S1 and S2.  It appears to me
and others that anyone who knows those values can construct the unit
key.  And the nature of the generation process for K1 and K2 is such
that neither can be produced alone.  Thus, the scheme cannot be
implemented such that one repository generates the first half-key, and
another generates the second.  *That* is ominous.

Second -- these postings are not revealed scripture, nor are they
carefully-crafted spook postings.  Don't attempt to draw out hidden
meanings (as opposed to, say, the official announcements of Clipper).
Leave Denning out of this; given Hellman's record of opposition to DES,
which goes back before some folks on this newsgroup knew how to read, I
don't think you can impugn his integrity.

Oh yeah -- the folks who invented Clipper aren't stupid.  If you think
something doesn't make sense, it's almost certainly because you don't
understand their goals.

		--Steve Bellovin

-----

Date: Sun, 18 Apr 93 07:56:39 EDT
From: denning@cs.georgetown.edu (Dorothy Denning)
Subject: Re:  Clipper Chip
To: (a long list of folks)

I was also briefed by the NSA and FBI, so let me add a few comments to
Marty's message:

        The Clipper Chip will have a secret crypto algorithm embedded in 

The algorithm operates on 64-bit blocks (like DES) and the chip supports
all 4 DES modes of operation.  The algorithm uses 32 rounds of scrambling
compared with 16 in DES.

	In addition to the system key, each user will get to choose his 
	or her own key and change it as often as desired. Call this key 
	plain old K. When a message is to be sent it will first be 

K is the session key shared by the sender and receiver.  Any method
(e.g., public key) can be used to establish the session key.  In the
AT&T telephone security devices, which will have the new chip, the key
is negotiated using a public-key protocol.
 
	encrypted under K, then K will be encrypted under the unit key UK, 
	and the serial number of the unit added to produce a three part 
	message which will then be encrypted under the system key SK 
	producing

	     E{ E[M; K], E[K; UK], serial number;  SK}

My understanding is that E[M; K] is not encrypted under SK (called the
"family key") and that the decrypt key corresponding to SK is held by
law enforcement.  Does anyone have first hand knowledge on this?  I
will also check it out, but this is 7am Sunday so I did not want to wait.

        The unit key 
	will be generated as the XOR of two 80-bit random numbers K1 
	and K2 (UK=K1+K2) which will be kept by the two escrow 

The unit key, also called the "chip key," is generated from the
serial number N as follows.  Let N1, N2, and N3 be 64 bit blocks
derived from N, and let S1 and S2 be two 80-bit seeds used as keys.
Compute the 64-bit block 

        R1 = E[D[E[N1; S1]; S2]; S1] 

(Note that this is like using the DES in triple encryption mode with
two keys.)  Similarly compute blocks R2 and R3 starting with N2 and N3.
(I'm unclear about whether the keys S1 and S2 change.  The fact that
they're called seeds suggests they might.)  Then R1, R2, and R3 are
concatenated together giving 192 bits.  The first 80 bits form K1 and
the next 80 bits form K2.  The remaining bits are discarded.

	authorities. Who these escrow authorities will be is still to be 
	decided by the Attorney General, but it was stressed to me that 
	they will NOT be NSA or law enforcement agencies, that they 
	must be parties acceptable to the users of the system as unbiased. 

Marty is right on this and the FBI has asked me for suggestions.
Please pass them to me along with your reasons.  In addition to Marty's
criteria, I would add that the agencies must have an established record
of being able to safeguard highly sensitive information.  Some suggestions
I've received so far include SRI, Rand, Mitre, the national labs (Sandia,
LANL, Los Alamos), Treasury, GAO.

	When a court order obtains K1 and K2, and thence K, the law 
	enforcement agency will use SK to decrypt all information 
	flowing on the suspected link [Aside: It is my guess that 
	they may do this constantly on all links, with or without a 
	court order, since it is almost impossible to tell which links 
	over which a message will flow.] 

My understanding is that there will be only one decode box and that it
will be operated by the FBI.  The service provider will isolate the
communications stream and pass it to the FBI where it will pass through
the decode box, which will have been keyed with K.

	for "the wiretap authorizations." When Levy asked for
	the details so he could review the cases as required by
	law, the agent told him that his predecessors just turned
	over 40-50 blank, signed forms every time. Levi did not
        comply and changed the system, but the lesson is clear: 
        No single person or authority should have the power to
        authorize wiretaps

No single person does, at least for FBI taps.  After completing a mound
of paperwork, an agent must get the approval of several people on a chain
that includes FBI legal counsel before the request is even taken to the
Attorney General for final approval.

Dorothy Denning

Newsgroup: sci.crypt
Document_id: 15402
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: WH proposal from Police point of view

strnlght@netcom.com (David Sternlight) writes:

> dwight tuinstra posts a very interesting message in which he comments on the
> effects of the Clipper chip on state and local police. Actually, reading
> between the lines, it could be a very good thing for civil liberties in one
> respect, since it will at least prevent cowboy cops and cowboy state and
> local agencies from reading your traffic if they tap it illegally.

Instead of reading between the lines, try to think a little bit. OK,
if that's way too difficult for you, here are some hints.

Indeed, the new proposal imposes some additional bureaucratic burden on
the local police, if they badly want to tape the magic cookie recipe
that your mom is telling you on the phone. So, guess what they will
do? Propose that the new technology is removed? Or implement some
"facilitations"? Of course, you won't want to wait until they get the
approval from two different agencies to decrypt the conversation
between two child molesters, because meanwhile those two child
molesters might be conspiring about molesting your child, right? So,
there should be some way for them to get access to those keys
-quickly-, right? Like, they could have a copy of the database, and
worry about a warrant later...

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

Newsgroup: sci.crypt
Document_id: 15403
From: grady@netcom.com (1016/2EF221)
Subject: Re: powerful "similarity" too

I've been asked to supply more specific directions
for automated fetching of the source and documentation
for "agrep," the powerful similarity pattern matching tool.

It is at

cs.arizona.edu
192.12.69.5

in directory

/agrep/README
/agrep/agrep-2.04.tar.Z
/agrep/agrep.ps.1.Z
/agrep/agrep.ps.2.Z

(The .ps suffixed files are the optional postscript docs; 
a reasonably good research report with benchmarks is
included.)

Note for Macintosh MPW users: after a few hours of drudgery,
I ported the tool to MPW 3.2.3 running under System 7.1.
If you would like me to e-mail a binhexed copy of the tool
suitable for dropping in to your MPW/tools folder, please write...

Other than the more purely cryptographic uses for the tool
I've been having lots of fun picking up the "lost"
references to things I'm interested in. For example,
starting a search like:

agrep -1 -i 'Burning Chrome' cyberpunkspool 

immediately finds references like 'burning crome' that I
have always missed before.  See how many times John
Gilmore's name is mentioned in the CUD archives
(and how often misspelled).  How about _your_ name?

As usual, I will e-mail the uuencoded tar.Z upon request
if you cannot do anonymous FTP.


-- 
grady@netcom.com  2EF221 / 15 E2 AD D3 D1 C6 F3 FC  58 AC F7 3D 4F 01 1E 2F


Newsgroup: sci.crypt
Document_id: 15404
From: aj@sage.cc.purdue.edu (John Dormer)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

  Misinterpretation, though it should be a crime in itself, is what
United States lawyers use to make their bread and butter.

  In Manchester, CT a few years ago, a small company wanted to run a
game system called "LaserGames," similar in many aspects to Photon
(tm). Three lawyers and about a hundred citizens found an ancient law
in Manchester's books which clearly from context was designed to
prohibit travelling carnivals by enumerating the features of a carnival
which they felt at the time made the prohibition obvious. Among these
things was "shooting galleries," which is what the lawyers for the
opposition to LaserGames wanted to harp upon. The judge took the two
words from this law, completely out of context, and ruled that
LaserGames could not operate in Manchester.

  Keep in mind that most travelling carnivals use projectile weapons in
their shooting galleries, and not light beams. Clearly from context,
LaserGames got shafted, but if the two words are applied, their denial
of operating permission was justified.

  If I had the text of the law I'd post it, but I'm afraid I don't
remember it all well enough to even try. That little bit with the two
words stuck well, though.

:	John Dormer
:	jad@expert.cc.purdue.edu


Newsgroup: sci.crypt
Document_id: 15405
From: brands@cwi.nl (Stefan Brands)
Subject: * REPORT ON PRIVACY-PROTECTING OFF-LINE CASH AVAILABLE *

I recently published a new privacy-protecting off-line electronic cash
system as a technical report at CWI. I am a PhD student in David
Chaum's cryptography group, which has a long history of research
in the field of privacy-protecting cash systems.

The report is called CS-R9323.ps.Z, contains 77 pages, and can be
retrieved from

ftp.cwi.nl   (192.16.184.180)

from the directory pub/CWIreports/AA.
The postscript-file is suitable for 300dpi laserprinters.

====================================================================
ABSTRACT (from coverpage): We present a new off-line electronic cash
system based on a problem, called the representation problem, of which
little use has been made in literature thus far. Our system is the
first to be based entirely on discrete logarithms.  Using the
representation problem as a basic concept, some techniques are
introduced that enable us to construct protocols for withdrawal and
payment that do not use the cut and choose methodology of earlier
systems. As a consequence, our cash system is much more efficient in
both computation and communication complexity than any such system
proposed previously.
  
Another important aspect of our system concerns its provability.
Contrary to previously proposed systems, its correctness can be
mathematically proven to a very great extent. Specifically, if we
make one plausible assumption concerning a single hash-function, the
ability to break the system seems to imply that one can break the
Diffie-Hellman problem. 
  
Our system offers a number of extensions that are hard to achieve in
previously known systems. In our opinion the most interesting of these
is that the entire cash system (including all the extensions) can be
incorporated in a setting based on wallets with observers, which has
the important advantage that double-spending can be prevented in the
first place, rather than detecting the identity of a double-spender
after the fact. In particular, it can be incorporated even under the
most stringent requirements conceivable about the privacy of the user,
which seems to be impossible to do with previously proposed systems.
Another benefit of our system is that framing attempts by a bank have
negligible probability of success (independent of computing power) by
a simple mechanism from within the system, which is something that
previous solutions lack entirely. Furthermore, the basic cash system
can be extended to checks, multi-show cash and divisibility, while
retaining its computational efficiency.
====================================================================

Cryptographers are challenged to try to break this system!  

I made a particular effort to keep the report as self-contained as
possible.  Nevertheless, if you have any questions, please e-mail to
me and I will try to reply as well as I can. Any comments are also
welcome!

Stefan Brands, 
--------------------------------------------------------
CWI, Kruislaan 413, 1098 SJ Amsterdam, The Netherlands 
Tel: +31 20 5924103, e-mail: brands@cwi.nl  

Newsgroup: sci.crypt
Document_id: 15406
From: habs@panix.com (Harry Shapiro)
Subject: Re: The source of that announcement

In <MARC.93Apr18174241@oliver.mit.edu> marc@mit.edu (Marc Horowitz
N1NZU) writes:

>I received mail from Mitch Kapor saying that he did not ask to be on
>the list, and does not know why he was added.  I'm sure the same
>applies to others on the list.  So, I guess my initial theory was
>right, that the clipper list was just someone's idea of a bad joke.  I
>guess I should be happy it wasn't a conspiracy.

I have also been in contact with Mitch about this. I believe
him when he says he didn't ask to be on the "clipper" list.

He also forwarded the traffic he had received through that list to
me which will be placed at some ftp site.

However, the first alias on the "clipper list" was csspab which was
another mailing list. It basically contained the addresses for
staffers and board members of the NIST security board. Several of
these people had their accounts within the dockmaster domain.

These are the people we might wish to FOIA...

/harry
-- 
Harry Shapiro  				      habs@panix.com
List Administrator of the Extropy Institute Mailing List
Private Communication for the Extropian Community since 1991

Newsgroup: sci.crypt
Document_id: 15407
From: amanda@intercon.com (Amanda Walker)
Subject: Re: Once tapped, your code is no good any more.

uni@acs.bu.edu (Shaen Bernhardt) writes:
> I wish I could agree with you.  Ask yourself this.  Why would any 
> private sector entity wish to buy a crypto system that was KNOWN to be 
> at least partially compromised?

(a) To use for sensitive but not strategically important traffic,
(b) if the system was cheap.

For example, I don't own a cordless phone.  With Clipper, I would.  If the 
local men in blue really want to listen to me talk to my friends or order 
pizza, I'm no worse off than I am now, and I don't have to worry about
local kids or nosy neighbors.

That is to say, Clipper "raises the bar" on insecure channels.  It doesn't 
make them secure, by any means, but a wall, even if the FBI can get a master 
key by court order, is still better than a "keep off the grass" sign.

> The answer seems obvious to me, they wouldn't.  There is other hardware 
> out there not compromised.  DES as an example (triple DES as a better 
> one.) 

So, where can I buy a DES-encrypted cellular phone?  How much does it cost?
Personally, Cylink stuff is out of my budget for personal use :)...

> How can you reconcile the administration's self-proclaimed purpose of 
> providing law enforcement with access to encrypted data without making 
> the clipper system the only crypto available in the U.S... ?

The Second and Fourth Amendments do come to mind.  


Amanda Walker
InterCon Systems Corporation



Newsgroup: sci.crypt
Document_id: 15408
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

rlward1@afterlife.ncsc.mil (Robert Ward) writes:

> >and since the US Constitution guarantees the right to every American
> >to bear arms, why is not every American entitled, as a matter of

> Have you read the applicable part of the Constitution and interpreted it IN 
> CONTEXT? 

Yes. BTW, the appropriate Amendments were posted here some time ago.

> If not, please do so before posting this misinterpretation again.
> It refers to the right of the people to organize a militia, not for individuals
> to carry handguns, grenades, and assault rifles.  

It's OK, it's OK... Just a month ago I expressed my belief that the
right to have a means to shoot your neighbor is not that much
necessary to ensure a people's right to be free and got flamed by lots
of American gun supporters. So I thought that...

Never mind. The new Cripple Chip is a purely American problem, so deal
with the mess yourselves. I just wanted to share with you a bit of my
experience of living 30 years under a totalitarian regime (I'm
Bulgarian) - because I thought that it might be useful to you. Oh
well.

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

Newsgroup: sci.crypt
Document_id: 15409
From: srt@duke.cs.duke.edu (Stephen R. Tate)
Subject: Re: Why the clipper algorithm is secret

In article <1993Apr18.225502.358@iecc.cambridge.ma.us> johnl@iecc.cambridge.ma.us (John R. Levine) writes:
>It just occurred to me why the algorithm is secret.  If it were
>published, one could then build physically identical clone versions
>of the chip that would interoperate with official Clipper chips.  But
>the cloner wouldn't provide the keys to the escrow houses.  Hmmn.

Not necessarily --- they could release the details of the algorithm
without releasing the "system key" (called SK by Hellman).  That would
make most people happy, and with some sort of verification procedure
before key exchange, the "official" chips would only work with other
"official" chips.  In other words, secrecy of SK makes "physically
identical clone versions" impossible;  secrecy of the algorithm shouldn't
be necessary.

Of course, revealing the algorithm opens them up to attacks on SK ---
since all units share this key, compromising it may be a big deal.
Personally, I wouldn't feel too comfortable knowing that one "secret"
80-bit number held in many places was all that guaranteed my security.
Of course, compromise of SK doesn't necessarily mean that the system
is compromised, but it's impossible to tell whether or not that's true
with a secret algorithm.

Incidentally, what's to keep a "secret algorithm" from using the secret
SK as the main key, with UK being only marginally important?  Then
a court order for UK may not even be necessary to do a wiretap.

-- 
Steve Tate srt@cs.duke.edu | The reason why mathematics enjoys special esteem,
Dept. of Computer Science  | above all other sciences, is that its laws are
Duke University     | absolutely certain and indisputable, while those of all
Durham, NC  27706   | other sciences are to some extent debatable. (Einstein)

Newsgroup: sci.crypt
Document_id: 15410
From: skt@dcs.glasgow.ac.uk (Simon K Train)
Subject: Help me please!

I am a PhD student.
Can I get the sci.crypt group posted directly to me???
Also I would like some feedback on the encryption schemes that my research in
finite fields can be applied to. Any takers?
Reply to gamv25@udcf.gla.ac.uk
Thanks yours
Gavin.

Newsgroup: sci.crypt
Document_id: 15411
From: amanda@intercon.com (Amanda Walker)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

pmetzger@snark.shearson.com (Perry E. Metzger) writes:
> I'm a political dissident. I'm scared shitless of the feds listening in 
> on my calls. My opinions are the sort that would get me 
> "disappeared" in a slightly less free society -- and who knows what 
> sort of society we will be in in five or ten years? I have friends who 
> have had their phones tapped -- none of this is theoretical to me. 

I understand, believe it or not, and there are any number of kinds of 
conversation and communication I engage in that I wouldn't even consider 
using this scheme for.  On the other hand, I don't see "Clipper" as providing 
a secure channel--it just prevents casual eavesdropping.  This is part of why 
I am not worried about it per se.  Trying to look at Clipper as a serious 
security tool is simply ludicrous.  It's a voice scrambler, nothing more.

There is still plenty of market for real crypto.

> As for "its better than the status quo", well, first of all, you can 
> get a cryptophone from companies like Cylink today -- and they work 
> well.

They cost an arm and a leg, though. "Clipper" is obviously aimed at the mass 
market.  It certainly won't put Cylink out of business.

> In addition, a number of groups are now working on building 
> software to turn any PC into a privacy enhanced phone right now -- and 
> they are all working in overdrive mode. 

This is old news.  I can do this now.

> There ARE no crypto restrictions... yet. You can use anything you want 
> RIGHT NOW. The point is to maintain that right. 

There ARE restrictions.  Example: We're a networking software vendor with a 
large overseas share of our market.  We cannot currently ship PEM, or even 
simple DES, in our products without case-by-case approval from the Department 
of State.  ITAR presents a material trade barrier to US firms trying to 
compete in international information systems markets.

Sure, you can use whatever freebie software you want to talk over BBS's in 
the USA.  I, on the other hand, want strong crypto (PKCS, for example) to be 
the *default* for electronic mail, worldwide.  I want priests to be able to 
hear confession over email.  I want lawyers to be able to talk to clients in 
confidence over email, or doctors talk with patients.  I want to be able to 
order products from my favorite Japanese mail-order catalog over the net.  I 
want to be able to sign contracts, transact business, and so on 
electronically.

This is so far infeasible as a result of the current restrictions on 
cryptographic systems, especially beyond the borders of the USA.

Clipper is irrelevant, and if it distracts the authorities into feeling safe, 
all the better.  Its only danger is if it emboldens them into trying to put 
more restrictions into place, on the theory that it is "good enough for 
anyone who has nothing to hide."  That argument is, of course, utter BS, just 
as much as "no one needs an assault rifle".


Amanda Walker
InterCon Systems Corporation



Newsgroup: sci.crypt
Document_id: 15412
From: amanda@intercon.com (Amanda Walker)
Subject: Re: text of White House announcement and Q&As on clipper chip 
	encryption

rlward1@afterlife.ncsc.mil (Robert Ward) writes:
> It refers to the right of the people to organize a militia, not for 
> individuals to carry handguns, grenades, and assault rifles.  

False, as federal courts have affirmed on many occasions.  This is getting 
out of sci.crypt territory, though...


Amanda Walker
InterCon Systems Corporation



Newsgroup: sci.crypt
Document_id: 15413
From: res@colnet.cmhnet.org (Rob Stampfli)
Subject: Re: Fifth Amendment and Passwords

>>I am positive someone will correct me if I am wrong, but doesn't the Fifth
>>also cover not being forced to do actions that are self-incriminating?
>
>[From Mike Godwin <mnemonic@eff.org>, posted with permission - Carl]
>
>Sadly, it does not. Suspects can be compelled to give handwriting and
>voice exemplars, and to take blood and DNA tests.

I am sure that Mike is correct on this point.  I am also pretty sure that
administering "truth serum" would be ruled a violation of your right
not to incriminate yourself.  But, what is the salient difference?
Both drawing blood and injecting "truth serum" incapacitate you for
a while, but do no permanent damage.  Is it simply that we have come to
view one as acceptable, while the other is viewed as a fundamental
violation of one's rights?  If this is the case, how do we expand the
protections of the 5th amendment to incorporate new technologies without
the results being a hodgepodge of different judges' personal opinions?
-- 
Rob Stampfli  rob@colnet.cmhnet.org      The neat thing about standards:
614-864-9377  HAM RADIO: kd8wk@n8jyv.oh  There are so many to choose from.

Newsgroup: sci.crypt
Document_id: 15414
From: arromdee@jyusenkyou.cs.jhu.edu (Ken Arromdee)
Subject: Re: Once tapped, your code is no good any more.

In article <1qpg8fINN982@dns1.NMSU.Edu> amolitor@nmsu.edu (Andrew Molitor) writes:
>Yes, those evil guys in the FBI can probably, with some
>effort, abuse the system. I got news for you, if the evil guys in
>the FBI decide they want to persecute you, they're gonna, and you're
>gonna hate it. Fact is, the FBI doesn't want to listen to your phone
>calls, and if they do, and if you're using triple-DES, they'll just
>get a parabolic microphone and point it at your head.

Just because they can do it anyway, somehow, does not mean it is smart to make
the job easier for them.
--
"On the first day after Christmas my truelove served to me...  Leftover Turkey!
On the second day after Christmas my truelove served to me...  Turkey Casserole
    that she made from Leftover Turkey.
[days 3-4 deleted] ...  Flaming Turkey Wings! ...
   -- Pizza Hut commercial (and M*tlu/A*gic bait)

Ken Arromdee (arromdee@jyusenkyou.cs.jhu.edu)

Newsgroup: sci.crypt
Document_id: 15415
From: robichau@lambda.msfc.nasa.gov (Paul Robichaux)
Subject: Suggestions for escrow agencies (was: Re: More technical details)

( Below is my response to Dr. Denning's letter to Steven Bellovin. Comments
  are invited. - Paul )

In alt.privacy.clipper, Steve Bellovin posted your message to
him, which included a brief passage concerning selection of agencies
as escrow agencies.

I am glad to see that the proposal as written states that the escrow
agencies won't be law enforcement agencies. I would argue, however,
that *one* of the escrow agencies shouldn't be federal at all.

As a private citizen, I would feel much more "secure in my person and
papers" knowing that an organization committed to individual civil
liberties- the ACLU and the NRA come to mind- was safeguarding half of
my key. Both the ACLU and the NRA are resistant to government pressure
by the simple expedient fact that they are not supported, funded, or
overtly controlled by the government.

Of those federal and federally funded candidate agencies that you
mentioned, I have the following comments:

	- SRI, Rand, Mitre, and national labs: I agree that they have
	great experience safeguarding sensitive information. I am not
	convinced that they would adequately safeguard _this_
	information, since in any case requiring disclosure, there's
	likely to be significant pressure for disclosure- possibly
	*wrongful* disclosure.

	- GAO: perhaps. I would like to see more concrete evidence of
	their fidelity and ability.

	- *TREASURY*? Surely you're joking. Perhaps you'd ask BATF
	to safeguard keys. Maybe the Federal Reserve would be a 
	better choice.

Ever since last fall's "trial balloon" was posted in sci.crypt, your
name has been synonymous with those who place a great deal of trust in
the ability of government agencies and agents to act within the law.

I agree with you in part: those agencies and agents *almost always*
act properly. However, there have been enough cases where _sworn
agents of the Federal Government_ have acted wrongly to make me feel
that having two federal agencies as key repositories is unacceptable.


Respectfully,
-Paul Robichaux
 (not speaking for NTI, BCSS, or NASA)


-- 
Paul Robichaux, KD4JZG                | HELP STOP THE BIG BROTHER CHIP!
NTI Mission Software Development Div. | RIPEM key on request.

Newsgroup: sci.crypt
Document_id: 15416
From: steve-b@access.digex.com (Steve Brinich)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

  You're drifting off topic.  In any case, if you check on any of the
topics devoted to gun rights issues, you will find ample evidence that
the "misinformation" is your assertion that the term "the people" in
the Second Amendment has mysteriously taken on a meaning diametrically
opposite the meaning of the exact same term in the First and Fourth
Amendments.



Newsgroup: sci.crypt
Document_id: 15417
From: caronni@nessie.cs.id.ethz.ch (Germano Caronni)
Subject: Re: More technical details

In article <1993Apr19.134346.2620@ulysses.att.com> smb@research.att.com (Steven Bellovin) writes:
>Here are some corrections and additions to Hellman's note, courtesy of
>Dorothy Denning.  Again, this is reposted with permission.
>
>Two requests -- first, note the roles of S1 and S2.  It appears to me
>and others that anyone who knows those values can construct the unit
>key.  And the nature of the generation process for K1 and K2 is such
>that neither can be produced alone.  Thus, the scheme cannot be
>implemented such that one repository generates the first half-key, and
>another generates the second.  *That* is ominous.
>
>Second -- these postings are not revealed scripture, nor are they
>carefully-crafted spook postings.  Don't attempt to draw out hidden
>meanings (as opposed to, say, the official announcements of Clipper).
>Leave Denning out of this; given Hellman's record of opposition to DES,
>which goes back before some folks on this newsgroup knew how to read, I
>don't think you can impugn his integrity.
>
>Oh yeah -- the folks who invented Clipper aren't stupid.  If you think
>something doesn't make sense, it's almost certainly because you don't
>understand their goals.
>

This is an addition (posted with permission) to some tech. details of
Clipper. They enlighten ??? the use of S1 and S2 for key generation.
-------------------------------------------
Date: Mon, 19 Apr 93 08:51:57 EDT
From: denning@cs.cosc.georgetown.edu (Dorothy Denning)
Subject: Re:  Clipper Chip

I just had another conversation with NSA to clarify some of the features
of Clipper.  Please feel free to distribute this and my other messages
on Clipper.

The name of the encryption algorithm is "Skipjack."

Martin Hellman had written

                and the serial number of the unit added to produce a three part
                message which will then be encrypted under the system key SK
                producing

                     E{ E[M; K], E[K; UK], serial number;  SK}

To which I responded:

        My understanding is that E[M; K] is not encrypted under SK (called the
        "family key") and that the decrypt key corresponding to SK is held by
        law enforcement.  Does anyone have first hand knowledge on this?

I was correct in that E[M; K] is not encrypted under SK.  However, Skipjack
being a single-key system, there is, of course, not a separate decrypt key
for the family key SK.

        The unit key, also called the "chip key," is generated from the
        serial number N as follows.  Let N1, N2, and N3 be 64 bit blocks
        derived from N, and let S1 and S2 be two 80-bit seeds used as keys.
        Compute the 64-bit block

                R1 = E[D[E[N1; S1]; S2]; S1]

        (Note that this is like using the DES in triple encryption mode with
        two keys.)  Similarly compute blocks R2 and R3 starting with N2 and N3.
        (I'm unclear about whether the keys S1 and S2 change.  The fact that
        they're called seeds suggests they might.)  Then R1, R2, and R3 are
        concatenated together giving 192 bits.  The first 80 bits form K1 and
        the next 80 bits form K2.  The remaining bits are discarded.

The seeds S1 and S2 do not change.   The whole process is performed on
a laptop computer, and S1 and S2 are supplied by two independent people
so that no one person knows both.  The same S1 and S2 are used during
an entire "programming session" to generate keys for a stream of serial
numbers.  Everything is discarded at the end (the computer could be
thrown out if desired).

The serial number is 30 bits and the values N1, N2, and N3 are formed
by padding the serial number with fixed 34-bit blocks (separate padding
for each value).

The resulting keys K1 and K2 are output onto separate floppy disks, paired
up with their serial number.  Each pair is stored in a separate file.  The
floppy disks are taken away by two separate people on behalf of the two
escrow agencies.

Dorothy Denning
denning@cs.georgetown.edu

--------------------------------------------------------
I am sure more technical detail will be known when time goes by.
Please remark, that in posting this, I do not automatically agree
with its contents and implications. So don't swamp my mailbox :-)

I just think this is a valuable addition to the less than technical
discussion that is rising here. And, no, I don't mind if you call
S1 and S2 'backdoor', as I could imagine the key-generation process
working without these seeds and the dependency of K1,K2 from the
Serial-Number.


Friendly greetings,

	Germano Caronni
-- 
Instruments register only through things they're designed to register.
Space still contains infinite unknowns.
                                                              PGP-Key-ID:341027
Germano Caronni caronni@nessie.cs.id.ethz.ch   FD560CCF586F3DA747EA3C94DD01720F

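The unit-key generation described in Denning's two messages (the E[D[E[N; S1]; S2]; S1] step, the 192-bit concatenation split into K1 and K2, UK = K1 XOR K2, and the 30-bit serial padded with fixed 34-bit blocks), worked through as an added example that is not part of any post here. Skipjack was secret, so a toy 64-bit Feistel cipher with an 80-bit key stands in for E/D (an assumption); the padding constants, the serial||pad layout, and the seeds are constructed for the demonstration. The last two functions make Bellovin's point concrete: with S1 and S2 one rebuilds UK from the serial number alone, and neither escrow half can be produced without both seeds.

```python
import hashlib

# --- Toy 64-bit Feistel cipher standing in for Skipjack (assumption: the
# real algorithm was secret, so any 64-bit block cipher with an 80-bit key
# shows the key-generation structure equally well) ---
ROUNDS = 8
KEY_BYTES = 10                       # 80-bit keys, as in the posts
MASK32 = 0xFFFFFFFF
MASK64 = (1 << 64) - 1

def _f(half, key, rnd):
    """Keyed round function: 32 bits of SHA-256(key || round || half)."""
    digest = hashlib.sha256(key + bytes([rnd]) + half.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")

def _feistel(block, key, round_order):
    if len(key) != KEY_BYTES:
        raise ValueError("key must be 80 bits")
    left, right = block >> 32, block & MASK32
    for rnd in round_order:
        left, right = right, left ^ _f(right, key, rnd)
    return (right << 32) | left      # undo the final swap

def toy_encrypt(block, key):
    return _feistel(block, key, range(ROUNDS))

def toy_decrypt(block, key):
    return _feistel(block, key, reversed(range(ROUNDS)))

# --- Unit-key (chip-key) generation as described by Denning ---
SERIAL_BITS = 30
PAD_BITS = 34
# Constructed fixed padding blocks; the real constants are not in the posts.
FIXED_PADS = (0x0A5A5A5A5, 0x15A5A5A5A, 0x2C3C3C3C3)

def derive_n_blocks(serial):
    """N1, N2, N3: the 30-bit serial number padded to 64 bits with a
    separate fixed 34-bit block each (serial||pad layout is an assumption)."""
    if not 0 <= serial < (1 << SERIAL_BITS):
        raise ValueError("serial number must fit in 30 bits")
    return [((serial << PAD_BITS) | pad) & MASK64 for pad in FIXED_PADS]

def two_key_triple(block, s1, s2):
    """R = E[D[E[N; S1]; S2]; S1], the two-key triple-encryption step."""
    return toy_encrypt(toy_decrypt(toy_encrypt(block, s1), s2), s1)

def escrow_halves(serial, s1, s2):
    """Returns (K1, K2): concatenate R1||R2||R3 (192 bits), take the first
    80 bits as K1 and the next 80 as K2, discard the remaining 32."""
    r1, r2, r3 = (two_key_triple(n, s1, s2) for n in derive_n_blocks(serial))
    combined = (r1 << 128) | (r2 << 64) | r3
    k1 = combined >> 112
    k2 = (combined >> 32) & ((1 << 80) - 1)
    return k1, k2

def unit_key(k1, k2):
    """UK = K1 XOR K2, the chip key recombined from the two escrowed halves."""
    return k1 ^ k2

def unit_key_from_seeds(serial, s1, s2):
    """Bellovin's concern: whoever holds S1 and S2 (plus the serial number
    carried in every message) rebuilds UK without either escrow agency."""
    return unit_key(*escrow_halves(serial, s1, s2))

def halves_depend_on_both_seeds(serial, s1, s2, s2_alt):
    """K1 changes when only S2 changes, so neither escrow agency could
    generate its half independently from a seed of its own."""
    k1, _ = escrow_halves(serial, s1, s2)
    k1_alt, _ = escrow_halves(serial, s1, s2_alt)
    return k1 != k1_alt

if __name__ == "__main__":
    # Constructed seeds and serial number for the demonstration.
    S1 = bytes.fromhex("00112233445566778899")
    S2 = bytes.fromhex("99887766554433221100")
    serial = 0x12345
    k1, k2 = escrow_halves(serial, S1, S2)
    print(f"K1 = {k1:020x}\nK2 = {k2:020x}\nUK = {unit_key(k1, k2):020x}")
    print("UK rebuilt from seeds alone:",
          unit_key_from_seeds(serial, S1, S2) == unit_key(k1, k2))
    print("K1 depends on S2 as well:",
          halves_depend_on_both_seeds(serial, S1, S2, bytes(KEY_BYTES)))
```
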
Newsgroup: sci.crypt
Document_id: 15418
From: ethridge@crchh403 (Allen Ethridge)
Subject: Re: Once tapped, your code is no good any more.

Amanda Walker (amanda@intercon.com) wrote:
: uni@acs.bu.edu (Shaen Bernhardt) writes:
: [deletions]
: 
: > How can you reconcile the administrations self proclaimed purpose of 
: > providing law enforcement with access to encrypted data without making 
: > the clipper system the only crypto available in the U.S... ?
: 
: The Second and Fourth Amendments do come to mind.  
: 

I think I heard someplace (misc.legal?, comp.org.eff.talk?) that the courts
have pretty much eliminated the Fourth Amendment already.

--
allen@well.sf.ca.us             Words got me the wound
ethridge@bnr.ca                  and will get me well,
my opinions are my own            if you believe it.
                                    -- Jim Morrison

Newsgroup: sci.crypt
Document_id: 15419
From: holland@CS.ColoState.EDU (douglas craig holland)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

In article <strnlghtC5puCL.6Kp@netcom.com> strnlght@netcom.com (David Sternlight) writes:
>In article <Apr18.204843.50316@yuma.ACNS.ColoState.EDU>
>holland@CS.ColoState.EDU (douglas craig holland) writes:
>
>
>>	Let me ask you this.  Would you trust Richard Nixon with your
>>crypto keys?  I wouldn't.
>
>I take it you mean President Nixon, not private citizen Nixon. Sure.
>Nothing I'm doing would be of the slightest interest to President Nixon .
>
	Are you sure you aren't being watched?  Let me remind you that 
Watergate was only the tip of the iceberg.  Nixon extensively used the NSA
to watch people because he didn't like them.  According to _Decrypting the
Puzzle Palace_:

	Presumably, the NSA is restricted from conducting American surveillance
	by both the Foreign Intelligence Surveillance Act of 1978(FISA) and a
	series of presidential directives, beginning with one issued by
	President Ford following Richard Nixon's bold misuse of the NSA, in
	which he explicitly directed the NSA to conduct widespread domestic
	surveillance of political dissidents and drug users.

	Of course, just because there are laws saying the gov't is not 
supposed to conduct illegal surveillance doesn't mean those laws can't be
broken when they are in the way.
						Doug Holland



Newsgroup: sci.crypt
Document_id: 15420
From: zrepachol@cc.curtin.edu.au (Paul Repacholi)
Subject: Re: What is going on?...

In article <gthomas.735070935@sfu.ca>, gthomas@fraser.sfu.ca (Guy Thomas) writes:
> zrepachol@cc.curtin.edu.au (Paul Repacholi) writes:
> 
>>In article <1993Apr16.055100.1@cc.curtin.edu.au>, zrepachol@cc.curtin.edu.au (Paul Repacholi) writes:
>>...
>>> If you can't be bothered reading, get the video "Manufacturing Consent".
>>> 
> 
>>In reply to mail queries; I don't know if a video is available yet. I asked
>>about a month ago and was told RSN.
> 
> Yes it is. From the National Film Board of Canada.

Ah, not in the USA. That's a relief, thought 'reality' must be slipping for a
second. :-)

St Noam was on the radio tonight, he has just published a new book "501 years".
Published by South End I guess. Could some Bostonian confirm please?

I would love to hear what he thinks of the Clipper scam.

~Paul

PS The first posting I saw I thought was a joke in *VERY* bad taste. My apologies
to the person who broke the news.



Newsgroup: sci.crypt
Document_id: 15421
From: cuffell@spot.Colorado.EDU (Tim Cuffel)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

In article <strnlghtC5puCL.6Kp@netcom.com> strnlght@netcom.com (David Sternlight) writes:
>In article <Apr18.204843.50316@yuma.ACNS.ColoState.EDU>
>holland@CS.ColoState.EDU (douglas craig holland) writes:
>
>
>>	Let me ask you this.  Would you trust Richard Nixon with your
>>crypto keys?  I wouldn't.
>
>I take it you mean President Nixon, not private citizen Nixon. Sure.
>Nothing I'm doing would be of the slightest interest to President Nixon .
>
>David
>
>
>-- 
>David Sternlight         Great care has been taken to ensure the accuracy of
>                         our information, errors and omissions excepted.  
>
>

Ergo, if your life is sufficiently boring, you have no need for privacy?

(This is not meant to be personal, just the logical conclusion of your
statement.)
-- 
-Tim Cuffel	Finger for PGP 2.1  The CIA has admitted that the assassination
                                    of Saddam Hussein was one of their goals.
They failed, of course.  Seems as though that motorcade through downtown Dallas
trick only works once.

Newsgroup: sci.crypt
Document_id: 15422
From: karn@unix.ka9q.ampr.org (Phil Karn)
Subject: Re: Fifth Amendment and Passwords

In article <1993Apr18.233112.24107@colnet.cmhnet.org>, res@colnet.cmhnet.org (Rob Stampfli) writes:
|> >Sadly, it does not. Suspects can be compelled to give handwriting and
|> >voice exemplars, and to take blood and DNA tests.
|> 
|> I am sure that Mike is correct on this point.  I am also pretty sure that
|> administering "truth serum" would be ruled a violation of your right
|> not to incriminate yourself.  But, what is the salient difference?

You can find the salient difference in any number of 5th amendment
related Supreme Court opinions. The Court limits 5th amendment
protections to what they call "testimonial" evidence, as opposed to
physical evidence.

The whole question would hinge on whether a crypto key would be
considered "testimonial" evidence. I suppose arguments could be made
either way, though obviously I would hope it would be considered
testimonial.

Phil

Newsgroup: sci.crypt
Document_id: 15423
From: srt@duke.cs.duke.edu (Stephen R. Tate)
Subject: Re: More technical details

In article <1993Apr19.162936.7517@bernina.ethz.ch> caronni@nessie.cs.id.ethz.ch (Germano Caronni) (actually Dorothy Denning) writes:
>The seeds S1 and S2 do not change.  

Let me see if I have this straight --- if a person knows S1 and S2,
and the serial number of the unit, it's easy to reconstruct UK.
Of course, if they know SK, the "family key", they can easily get the
serial number of any unit that has made a transmission.  So with S1 and
S2 being used for a whole "batch" of the unit keys, the number of
used S1/S2 pairs will probably be fairly low.  Of course, you have to
believe that the NSA/FBI/name-your-favorite-government agency will
know SK so all it needs is the S1/S2 pairs, and presto, nasty details 
like court orders for wire taps are no longer necessary.

Now, I'm not one of the people who distrusts the government at every
turn, but taking someone's word for it that the S1/S2 pairs are not kept
around is pushing what I'm willing to believe just a little bit too far.


-- 
Steve Tate srt@cs.duke.edu | The reason why mathematics enjoys special esteem,
Dept. of Computer Science  | above all other sciences, is that its laws are
Duke University     | absolutely certain and indisputable, while those of all
Durham, NC  27706   | other sciences are to some extent debatable. (Einstein)

Newsgroup: sci.crypt
Document_id: 15424
From: Grant@DOCKMASTER.NCSC.MIL (Lynn R Grant)
Subject: Re: Key Registering Bodies

If we do not trust the NSA to be a registrar of Clipper Chip key halves,
I would not trust Mitre either.  Mitre does lots of work for NSA, at least
in the Trusted Product Evaluation Program (evaluation of commercial off the
shelf software for its efficacy in safeguarding classified information), and
I assume in other, less open, programs.

There are at least two other FFRDCs (Federally Funded Research and Development
Corporations) that work for NSA: Aerospace Corporation and the Institute for
Defense Analysis.  Now, if NSA were to be untrustworthy (a position that I
am neutral about, for purposes of this posting), it would be in a position to
exert economic pressure upon Mitre to release key halves on demand.  It could
just say, "If you don't cooperate with us, we'll place all our evaluation
contracts with Aerospace and IDA."

I am not saying that people at NSA, Mitre, Aerospace, or IDA are dishonest
folk.  But since they are people, and people occasionally go bad, the
system works better if organizations that you are depending upon to be
independent really are.

And, of course, I speak for myself, not my employer.

Lynn Grant

Newsgroup: sci.crypt
Document_id: 15425
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: Re: WH proposal from Police point of view


In article <strnlghtC5puor.704@netcom.com> strnlght@netcom.com (David Sternlight) writes:

   There has been extensive discussion in the eff forum, for example, about
   inadmissible taps being used to develop information that could then lead to
   admissible evidence.  This might put a stop to such things, which must from
   time to time be simple fishing expeditions.

Far more likely, these things will continue to be done no matter what
assurances we are given. "Key Escrow" is likely going to prove to be a
joke.

--
Perry Metzger		pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
Document_id: 15426
From: caronni@nessie.cs.id.ethz.ch (Germano Caronni)
Subject: Re: More technical details

Hmm, followup on my own posting... Well, who cares.

First let me try to work out the facts that we get to know about the
Clipper-Chip, from what Hellman and Denning were able to tell us:

The chip itself is not confined to (digital) telephony, but performs
general encryption in a symmetric manner.  The chip supports CFB, OFB,
ECB (and whatever the fourth mode of operation for DES is), the algorithm
consists of 32 rounds of *whatever*, and takes 80-bit keys. Input data
seems to be 64 bits? Yes.
So if two people want secure communication (whatever that means when 
Clipper is involved) they first have to agree on ONE secret key. 
(Or is it one key per direction?)
They can exchange this key via DH schemes or however.
Somehow the two feed the secret key thus obtained into the Clipper chip,
which is now ready to work.
The Clipper chip carries a unique serial number (30 bits) and 160 key bits.
These 160 key bits seem to have been gained by encrypting the serial number
with 160 seed bits. (The seed bits seem not to be stored in the chip.)
At the beginning of communication (and perhaps at certain intervals within??)
before sending the first real 64-bit output of the first encryption the Clipper
chip puts out packets (I guess 3) which represent the serial number
and the session key. This might look like
X{ E[K; chipkeyK1+K2], serial number}
where X is a transformation of these 3? packets involving a family key.
This family(sp?) key is equal for ALL chips. (X might be a simple XOR ???)
After that, the (digital?) phone call can be done as usual, every packet
being encrypted and decrypted by Clipper.

Denning describes how K1 and K2 shall be generated, using a seed of 160
bits.

Now, leaving politics alone, which does not concern me as much as you, not
being an American Citizen(tm) [ :-) ], there are some weak points in this
scheme, which might be exploited by several parties.

As far as I know about the generation of K1,K2; S1 and S2 look like the 
obvious backdoor. They could be used to generate the chip keys by knowing
the serial number (and also the family key) of the chip. I really can't
imagine why these seeds would be needed otherwise, as true random sources
for the generation of the K1,K2 can be bought for not too much money.

Then, the escrows. Each of them will get 80 bits of a 160-bit key. Security
could (as little as is existent) be maximized by giving them 160 bits
each, which have to be XORed together to give the K1,K2. Now let's simply
assume the escrows are trustworthy, and can't be fooled by criminals or
law enforcement agencies. (And there will be no quarrel between escrows
and l.e.a. which would hinder the l.e.a. in doing their duties, and so on
and so on.) Once the keys are surrendered, the corresponding
chip is compromised forever. Not very clever, IMHO [ :-)) ].
How about sending in the encrypted session keys for each phone call that
the police (or whoever) want to listen to? Escrows could then simply decode
this session key and send it back to the police. (And would naturally not do this
after the warrant has expired...) This would be a better technical solution,
but I guess politics will not work that way.

Apparently (as Miss Denning stated) the only one actually performing decodes
of intercepted messages shall be the FBI. Great. So local guys can not
intercept (understand) your traffic anymore. Does this mean that the FBI monopolizes
the right to do legal wiretaps? (How is the law over there? I have no idea who
is allowed to tap, and who not.) This certainly means that watched
communications will be routed automatically from the service-providing company
to the FBI, if the communication is a watched one. And this means, as far
as I understand it, that the family key has to be known by each switching
company, and those providing cellular phone services etc. etc. So the family key
will not be very secret, and thus serial numbers of calls will be readable
by anybody who cares. I _like_ traffic analysis!

What do you guess happens if you use the chip in ECB mode, and the
first few packets of the chip are somehow lost or garbled? So the session
key would not actually be broadcast over the line? Hmmm. Shouldn't be so
difficult to do *that* :^)

And now a last point, for the other side. After all I have read and heard about
Clipper (not the programming language for dBase, is it? [:-)]) it seems
to have many advantages, which should not be overlooked!


Now an afterthought to your rights. Please note that I have no idea what I am
talking about!!!

From: grady@netcom.com (1016/2EF221)
>    Amendment 1                                                           
>                                                                          
>    Congress shall make no law respecting an establishment of religion, or
>prohibiting the free exercise thereof; or abridging the freedom of speech,
>or of the press; or the right of the people peaceably to assemble, and to 
>petition the Government for a redress of grievances.

If this text is actually in your Bill of Rights, who can overrule this ?
But: 'Freedom of speech' is not 'Secrecy of speech'

Maybe you need to extend your Amendment #4  to cover information and
communication too ?

I am not very sure what position your government actually is in *legally*
when it tries to ban cryptography (and arms). The Amendments say you may have them,
but not under what conditions. Hmm, tricky situation :-(

Actually it will not make much sense to discuss that topic in sci.crypt...
Discussion of technical details and vulnerabilities of the system is highly
suggested and appreciated :-)

Friendly greetings,

	Germano Caronni


DISCLAIMER: Everything in here is derived from things I heard and read from
other persons, so everything could be wrong. All opinions and thoughts in here
are mine, and subject to change without further notification. No warranty,
neither implicit nor explicit etc. etc. etc. ad nauseam.

p.s. Please don't ask me about political opinions, as I might not bother to
     reply. (For further information read the last line of P. Metzger's signature)
-- 
Instruments register only through things they're designed to register.
Space still contains infinite unknowns.
                                                              PGP-Key-ID:341027
Germano Caronni caronni@nessie.cs.id.ethz.ch   FD560CCF586F3DA747EA3C94DD01720F
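
The key generation quoted from Denning at the top of this thread (30-bit serial padded with fixed 34-bit blocks, R1||R2||R3 split into K1 and K2), Tate's observation that the result is reproducible from S1, S2 and the serial, and Caronni's XOR-split alternative for the escrow halves, as an added Python illustration that is not part of any posting in this thread. The seeded 64-bit computation that produces each R_i is not given in this section, so an HMAC-based placeholder stands in for it, and the padding constants and seeds are constructed values.

```python
"""Key generation and escrow splitting as described in this thread (added
illustration; every assumption is marked in the comments)."""
import hashlib
import hmac
import secrets

SERIAL_BITS = 30          # chip serial number width, per Denning's posting
PAD_BITS = 34             # fixed padding block width, per Denning's posting
HALF_BITS = 80            # K1 and K2 are 80 bits each
MASK80 = (1 << HALF_BITS) - 1

# Constructed placeholders: the real fixed 34-bit padding blocks are not
# given in the posting, only that there is a separate one for each N_i.
PADS = (0x2F0F0F0F0, 0x1A5A5A5A5, 0x355555555)
assert all(p < (1 << PAD_BITS) for p in PADS)


def form_n_values(serial: int) -> tuple:
    """N1, N2, N3: the 30-bit serial padded with a different fixed 34-bit
    block each, giving three 64-bit values. Putting the serial in the high
    bits is an assumption; the posting only says the serial is padded."""
    if not 0 <= serial < (1 << SERIAL_BITS):
        raise ValueError("serial number must fit in 30 bits")
    return tuple((serial << PAD_BITS) | pad for pad in PADS)


def r_block(n: int, s1: bytes, s2: bytes) -> int:
    """Stand-in for the seeded 64-bit computation of R_i from N_i, S1 and S2.
    The thread's actual construction (a 32-round cipher with 80-bit keys is
    all it says) is not reproduced; HMAC-SHA256 keyed with S1||S2, truncated
    to 64 bits, is an assumed deterministic keyed placeholder."""
    mac = hmac.new(s1 + s2, n.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big")


def derive_k1_k2(serial: int, s1: bytes, s2: bytes) -> tuple:
    """R1||R2||R3 gives 192 bits; K1 is the first 80, K2 the next 80, and
    the remaining 32 bits are discarded, as the posting describes."""
    r = 0
    for n in form_n_values(serial):
        r = (r << 64) | r_block(n, s1, s2)
    k1 = (r >> 112) & MASK80   # bits 191..112
    k2 = (r >> 32) & MASK80    # bits 111..32; bits 31..0 are dropped
    return k1, k2


def concat_shares(k1: int, k2: int) -> tuple:
    """Escrow split as described: agency A holds K1, agency B holds K2.
    Either record on its own is 80 of the 160 key bits in the clear."""
    return k1, k2


def xor_shares(k1: int, k2: int, rng=secrets.randbits) -> tuple:
    """Caronni's alternative: each agency holds a full 160-bit share and the
    key is the XOR of the two. One share alone is uniformly random, so the
    holder learns nothing about K1 or K2 without the other agency."""
    key = (k1 << HALF_BITS) | k2
    share_a = rng(2 * HALF_BITS)
    return share_a, key ^ share_a


def combine_xor_shares(share_a: int, share_b: int) -> tuple:
    """Recover (K1, K2) from both XOR shares."""
    key = share_a ^ share_b
    return key >> HALF_BITS, key & MASK80


if __name__ == "__main__":
    # Constructed 80-bit seeds for the demonstration.
    s1 = bytes.fromhex("00112233445566778899")
    s2 = bytes.fromhex("ffeeddccbbaa99887766")
    serial = 0x12345678 & ((1 << SERIAL_BITS) - 1)
    k1, k2 = derive_k1_k2(serial, s1, s2)
    # Tate's point: whoever holds S1, S2 and the serial recomputes the key.
    assert (k1, k2) == derive_k1_k2(serial, s1, s2)
    a, b = xor_shares(k1, k2)
    assert combine_xor_shares(a, b) == (k1, k2)
    print(f"K1={k1:020x} K2={k2:020x}")
```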

Newsgroup: sci.crypt
Document_id: 15427
From: paul@charon.gsfc.nasa.gov (Paul Olson)
Subject: Re: White House Public Encryption Management Fact Sheet

In article <1qnav4$r3l@transfer.stratus.com>, cme@ellisun.sw.stratus.com (Carl Ellison) writes...
>In article <C5LGAz.250@dove.nist.gov> clipper@csrc.ncsl.nist.gov (Clipper Chip Announcement) writes:
> 
>>Further, the Attorney General
>>shall utilize funds from the Department of Justice Asset Forfeiture
>>Super Surplus Fund to effect this purchase.
> 
>Talk about adding insult to injury ... 
> 
>I, for one, believe that the use of civil forfeiture should be abolished by
>a decent administration, not continued.  Instead, it looks like that
>ill-gotten gain will be used to help pay for wiretap equipment.

I wholeheartedly agree.  Knowing that WE have let our law enforcement agencies
seize our property against the Fifth Amendment of OUR Constitution tells me that
we are absolving ourselves of our responsibility for SELF-GOVERNANCE.  WE have
to take our government back from the self-serving politicians who create laws
and rules only to better their positions within the government.  WE have allowed
them to take too much power from the people of this nation.  That situation has
to be changed.

Allowing the law enforcement agencies to use the seized property to pay off drug
informants who lie and continue to deal in drugs is tantamount to making a pact
with the Devil himself.  It's a vicious cycle.  The law enforcement agencies are
motivated to seize property to fund their own activities.  And having no easy
way for the citizen to regain the property intact once taken gives even more
incentive for the agencies to take property.

It's also interesting to note that two months ago Rush Limbaugh said that
Clinton would have the "plumbers" out in force shortly.  Clinton and his
henchmen firmly believe in strong ubiquitous government control.  Anytime a
leader believes in that, the leader will use every means possible to retain that
control and take more.

WE have to take OUR government back.  Otherwise we will end up living in the
equivalent of a high-tech third world dictatorship.  We have to take
responsibility for ourselves, our personal welfare, and our actions.

       __  Paul J. Olson - VAX Systems Manager & Resident Amiga Addict
  C=  ///  Voice -    301/286-4246, 301/210-7701
 __  ///   DECnet-    CHARON::PAUL                                    
 \\\///    Internet - paul@charon.gsfc.nasa.gov                       
  \XX/     Disclaimer: Statements in my messages are wholely my own.   
  AMIGA    "Ignorance is a renewable resource." -- P.J. O'Rourke

Newsgroup: sci.crypt
Document_id: 15429
From: zrepachol@cc.curtin.edu.au (Paul Repacholi)
Subject: Re: Clipper Chip. LONG follow up.

In article <16695@rand.org>, jim@rand.org (Jim Gillogly) writes:
> This document is in the anonymous ftp directory at NIST.  Looks to me
> like the other shoe has dropped.
> 
> 	Jim Gillogly
> 	Trewesday, 25 Astron S.R. 1993, 17:00
> 

Thanks for posting this and making it available. This post will be LONG, I will
comment on most of it, and am reluctantly leaving all of the original in place
to provide context.

Please note that an alt. group has been set up for the Clipper stuff.

> -------------------
> 
> Note:  This file will also be available via anonymous file
> transfer from csrc.ncsl.nist.gov in directory /pub/nistnews and
> via the NIST Computer Security BBS at 301-948-5717.
>      ---------------------------------------------------
> 
>                          THE WHITE HOUSE
> 
>                   Office of the Press Secretary
> 
> _________________________________________________________________
> 
> For Immediate Release                           April 16, 1993
> 
> 
>                 STATEMENT BY THE PRESS SECRETARY
> 
> 
> The President today announced a new initiative that will bring
> the Federal Government together with industry in a voluntary
                                                     ^^^^^^^^^
Hum, AT&T, VLSI and Mykotronx are 'industry'?
Wonder what happened to IBM, this should be right up their street.
And a mandated scheme is voluntary? Mr Orwell would love this.

> program to improve the security and privacy of telephone
                                                 ^^^^^^^^^
> communications while meeting the legitimate needs of law
> enforcement.

Telephone encryption and scrambling are years behind digital ones like RSA,
IDEA, or even DES. The above, while literally true, is a classic straw-man claim
in the context of non-real-time circuits such as E-mail and the like.

> The initiative will involve the creation of new products to
> accelerate the development and use of advanced and secure
> telecommunications networks and wireless communications links.
> 

I would modestly propose that a mandated use of ISDN would do more for
communications than this lot.

> For too long there has been little or no dialogue between our
> private sector and the law enforcement community to resolve the
> tension between economic vitality and the real challenges of
> protecting Americans.  Rather than use technology to accommodate
> the sometimes competing interests of economic growth, privacy and
> law enforcement, previous policies have pitted government against
> industry and the rights of privacy against law enforcement.
> 
> Sophisticated encryption technology has been used for years to
> protect electronic funds transfer.  It is now being used to
> protect electronic mail and computer files.  While encryption

Normally DES.

> technology can help Americans protect business secrets and the
                                        ^^^^^^^^^^^^^^^^
> unauthorized release of personal information, it also can be used
> by terrorists, drug dealers, and other criminals.

Note the use of the word "business" in the above. The whole tenor of this
release seems to be establishing a ground rule that only "business" use
is legitimate for debate. If you want the nothings you drop in your wife's
ear to remain secret and private, that is not even on the agenda for debate.
Note that there is NO role for you to contain private info in this. The only
reference is to information already in the hands of others. The 'unauthorized
release' bit is also drawing a long bow. Most of these cases are by people who
have legitimate access abusing it, and revealing, or often selling the info.
These people are, of course, in this proposal, the people who will have the
keys.

The criminals also use lawyers, courts, the CIA, White House officials and pens
to go about their business. When will they be outlawed as well? Yeah, several
of them would be a better idea than Clipper!

Then again, the protections of law and the courts have been seriously eroded
over the last decade or so.

> A state-of-the-art microcircuit called the "Clipper Chip" has
> been developed by government engineers.  The chip represents a
                    ^^^^^^^^^^^^^^^^^^^^
NSA

> new approach to encryption technology.

Yeah, this bit is VERY true.

>....It can be used in new,
> relatively inexpensive encryption devices that can be attached to
> an ordinary telephone.  It scrambles telephone communications
> using an encryption algorithm that is more powerful than many in
> commercial use today.
> 

Note the repeated mixing of telephone scrambling and encryption. A demo
of the above claim on an ordinary POTS would be a good night's entertainment
I suspect. Note also the 'many', not 'all', as the general tone implies.

> This new technology will help companies protect proprietary
                                ^^^^^^^^^
> information, protect the privacy of personal phone conversations
                                      ^^^^^^^^^^^^^^
> and prevent unauthorized release of data transmitted
> electronically.  At the same time this technology preserves the
> ability of federal, state and local law enforcement agencies to
> intercept lawfully the phone conversations of criminals. 

The case record seems to indicate that what is needed is a brutal tightening
of the current abuses. I have not heard, yet, of a case that was impeded by
the use of secure encryption by the men in black. The other side, abuse by law
enforcers, is well documented, even by govt agencies. And the phone vs other comms
is blurred yet again.

> A "key-escrow" system will be established to ensure that the
> "Clipper Chip" is used to protect the privacy of law-abiding
> Americans.

> A "key-escrow" system will be established to ensure that the
> "Clipper Chip" is used to protect the privacy of law-abiding
> Americans.

Let's run that line twice. Note **VERY** carefully what it says. The stated
purpose of the key escrow is to make the use of Clipper compulsory. Note the
word "ensure". As to 'protect', or 'law-abiding', I will leave to you.
So to the person who asked if it included the outlawing of other encryptions,
the answer in this press release is, YES.

> ...Each device containing the chip will have two unique
> "keys," numbers that will be needed by authorized government
> agencies to decode messages encoded by the device.  When the
> device is manufactured, the two keys will be deposited separately
> in two "key-escrow" data bases that will be established by the
> Attorney General.  Access to these keys will be limited to
> government officials with legal authorization to conduct a
> wiretap.

Just as they only can wiretap now with a warrant. 

> The "Clipper Chip" technology provides law enforcement with no
> new authorities to access the content of the private
> conversations of Americans.

Just makes sure that the illegal ones are preserved.

> To demonstrate the effectiveness of this new technology, the
> Attorney General will soon purchase several thousand of the new
> devices.  In addition, respected experts from outside the
> government will be offered access to the confidential details of
> the algorithm to assess its capabilities and publicly report
> their findings.

Where do you find many experts? Any ex-KGB people looking for a contract? :-)
And as a later posting asks, what of the STU-IIIs they already have. It will
be very interesting to see if the military and US embassies start to use it.
After all, it is secure, isn't it? The govt will answer that point by its own
actions.

> The chip is an important step in addressing the problem of
> encryption's dual-edge sword:  encryption helps to protect the
> privacy of individuals and industry, but it also can shield
> criminals and terrorists.  We need the "Clipper Chip" and other
> approaches that can both provide law-abiding citizens with access
> to the encryption they need and prevent criminals from using it
> to hide their illegal activities.  In order to assess technology
> trends and explore new approaches (like the key-escrow system),
> the President has directed government agencies to develop a
> comprehensive policy on encryption that accommodates:
> 
>      --   the privacy of our citizens, including the need to
>           employ voice or data encryption for business purposes;
                                                ^^^^^^^^

Again, personal use seems to be an unaskable question.

> 
>      --   the ability of authorized officials to access telephone
>           calls and data, under proper court or other legal
                                                  ^^^^^
>           order, when necessary to protect our citizens;

Ah, so warrants are not always needed it seems.

> 
>      --   the effective and timely use of the most modern
>           technology to build the National Information
>           Infrastructure needed to promote economic growth and
>           the competitiveness of American industry in the global
>           marketplace; and 
> 
>      --   the need of U.S. companies to manufacture and export
>           high technology products.

The ITARs seem to slightly impede this.

> The President has directed early and frequent consultations with
> affected industries, the Congress and groups that advocate the
> privacy rights of individuals as policy options are developed.
> The Administration is committed to working with the private
> sector to spur the development of a National Information
> Infrastructure which will use new telecommunications and computer
> technologies to give Americans unprecedented access to
> information.  This infrastructure of high-speed networks
> ("information superhighways") will transmit video, images, HDTV
> programming, and huge data files as easily as today's telephone
> system transmits voice.

Note that all this wonderful stuff will be in secret. Only the 'proper people'
will be able to express an opinion, hence only the desired result will emerge.

> Since encryption technology will play an increasingly important
> role in that infrastructure, the Federal Government must act
> quickly to develop consistent, comprehensive policies regarding
> its use.  The Administration is committed to policies that
> protect all Americans' right to privacy while also protecting
> them from those who break the law.

Encryption and codes have been around for millennia. They are generally in
equilibrium with the technology of the time. The systematic study of cyphers
has resulted in a swing in favor of the encrypter, AT THE MOMENT. I have no
doubt that the factoring problem will fall in time. Probably for practical
purposes by the middle of the next century.

> Further information is provided in an accompanying fact sheet. 
> The provisions of the President's directive to acquire the new
> encryption technology are also available.  
> 
> For additional details, call Mat Heyman, National Institute of
> Standards and Technology, (301) 975-2758.
> 
> ---------------------------------
> 
> 
> QUESTIONS AND ANSWERS ABOUT THE CLINTON ADMINISTRATION'S
> TELECOMMUNICATIONS INITIATIVE
> 
> 
> 
> 
> Q:   Does this approach expand the authority of government
>      agencies to listen in on phone conversations?
> 
> A:   No.  "Clipper Chip" technology provides law enforcement with
>      no new authorities to access the content of the private
>      conversations of Americans.
> 
> Q:   Suppose a law enforcement agency is conducting a wiretap on
>      a drug smuggling ring and intercepts a conversation
>      encrypted using the device.  What would they have to do to
>      decipher the message?
> 
> A:   They would have to obtain legal authorization, normally a
>      court order, to do the wiretap in the first place.  They
>      would then present documentation of this authorization to
>      the two entities responsible for safeguarding the keys and
>      obtain the keys for the device being used by the drug
>      smugglers.  The key is split into two parts, which are
>      stored separately in order to ensure the security of the key
>      escrow system.
> 
> Q:   Who will run the key-escrow data banks?
> 
> A:   The two key-escrow data banks will be run by two independent
>      entities.  At this point, the Department of Justice and the
>      Administration have yet to determine which agencies will
>      oversee the key-escrow data banks.

It is a little hard to criticise a non-proposal.

> Q:   How strong is the security in the device?  How can I be sure
>      how strong the security is?  
> 
> A:   This system is more secure than many other voice encryption
>      systems readily available today.

Note we drop back to 'phone-mode' again. If this is a true answer, it can be
rephrased as " It sucks big time. Anyone who can drive the crypt work-bench
will use it for light amusement before breakfast."

> ...   While the algorithm will
>      remain classified to protect the security of the key escrow
>      system,

This link between the security of the key escrow and the actual algorithm is 
a real winner. Given that I have 2 secret 40 bit numbers, could someone please
explain how the details of an encryption algorithm will reveal them?

> ...  we are willing to invite an independent panel of
>      cryptography experts to evaluate the algorithm to assure all
>      potential users that there are no unrecognized
>      vulnerabilities.

Just make sure you read the CVs REAL carefully, OK.

> 
> Q:   Whose decision was it to propose this product?
> 
> A:   The National Security Council, the Justice Department, the
>      Commerce Department, and other key agencies were involved in
>      this decision.  This approach has been endorsed by the
>      President, the Vice President, and appropriate Cabinet
>      officials.

Quick, without looking back, what name is missing from that list?

> Q:   Who was consulted?  The Congress?  Industry?
> 
> A:   We have on-going discussions with Congress and industry on
>      encryption issues, and expect those discussions to intensify
>      as we carry out our review of encryption policy.  We have
>      briefed members of Congress and industry leaders on the
>      decisions related to this initiative.

The people who agree with us and who think there is a buck in it for them.

> Q:   Will the government provide the hardware to manufacturers?
> 
> A:   The government designed and developed the key access
>      encryption microcircuits, but it is not providing the
>      microcircuits to product manufacturers.  Product
>      manufacturers can acquire the microcircuits from the chip
>      manufacturer that produces them.

The reverse engineering provisions of the 'Mask-work' act could be relevant
here.

> Q:   Who provides the "Clipper Chip"?
> 
> A:   Mykotronx programs it at their facility in Torrance,
>      California, and will sell the chip to encryption device
>      manufacturers.  The programming function could be licensed
>      to other vendors in the future.
> 
> Q:   How do I buy one of these encryption devices? 
> 
> A:   We expect several manufacturers to consider incorporating
>      the "Clipper Chip" into their devices.

You don't. Not unless you are one of the 'right people'.

> Q:   If the Administration were unable to find a technological
>      solution like the one proposed, would the Administration be
>      willing to use legal remedies to restrict access to more
>      powerful encryption devices?
> 
> A:   This is a fundamental policy question which will be
>      considered during the broad policy review.  The key escrow

They missed the word secret here. He needs a grammar lesson too.

>      mechanism will provide Americans with an encryption product
>      that is more secure, more convenient, and less expensive
>      than others readily available today, but it is just one
>      piece of what must be the comprehensive approach to
>      encryption technology, which the Administration is
>      developing.

I would say "less secure, less convenient, more expensive ( PGP is free ),
less available, and more prone to being compromised"
Proofs to the contrary will be welcome. Note PROOF.

>      The Administration is not saying, "since encryption
>      threatens the public safety and effective law enforcement,
>      we will prohibit it outright" (as some countries have
>      effectively done); nor is the U.S. saying that "every
>      American, as a matter of right, is entitled to an
>      unbreakable commercial encryption product."

They don't seem to be saying anything that makes much sense. And this proposal
DOES prohibit it except in a very limited way. And, this is the one explicit
reference to personal rights. It is a denial. And yes, I don't think that the
Mexicans, Brazilians, and Canucks are included in Clinton et al.'s magnanimous
gesture.

> ...  There is a
>      false "tension" created in the assessment that this issue is
>      an "either-or" proposition.  Rather, both concerns can be,
>      and in fact are, harmoniously balanced through a reasoned,
>      balanced approach such as is proposed with the "Clipper
>      Chip" and similar encryption techniques.

The 'false tension' is false. The balance is between two repugnant points. The
RIGHT to privacy is hand-waved to non-existence by putting it behind the "false
assessment". It is assumed that the removal of the right to take whatever steps
YOU deem suitable to protect YOUR privacy is non negotiable, hence is defined
in the government language to be non-existent. If you don't agree, you must be a
criminal, as only criminals don't agree with our laws. Also note the
non-question. "If what is here was not possible..."

> Q:   What does this decision indicate about how the Clinton
>      Administration's policy toward encryption will differ from
>      that of the Bush Administration?  
> 
> A:   It indicates that we understand the importance of encryption
>      technology in telecommunications and computing and are
>      committed to working with industry and public-interest
>      groups to find innovative ways to protect Americans'
>      privacy, help businesses to compete, and ensure that law
>      enforcement agencies have the tools they need to fight crime
>      and terrorism.

It indicates we know that Bush dropped the ball in squashing that nasty < insert
suitable rhetoric > and will stamp out this disorderly, unruly outbreak of
freedom and ultra-national sentiment.

> Q:   Will the devices be exportable?  Will other devices that use
>      the government hardware?
> 
> A:   Voice encryption devices are subject to export control
>      requirements.  Case-by-case review for each export is
>      required to ensure appropriate use of these devices.  The
>      same is true for other encryption devices.  One of the
>      attractions of this technology is the protection it can give
>      to U.S. companies operating at home and abroad.  With this
>      in mind, we expect export licenses will be granted on a
>      case-by-case basis for U.S. companies seeking to use these
>      devices to secure their own communications abroad.  We plan
>      to review the possibility of permitting wider exportability
>      of these products.
> 

This one is a real giggle. In Australia or France, they will have to reveal the
keys, and the algorithm. Don't think it's at the top of my list of things I must
have, so the restrictions will protect me from salesmen trying to sell me a bill
of crock.

And for any others using it, they must be nuts!

Good luck folks.

~Paul


Newsgroup: sci.crypt
Document_id: 15431
From: rab@well.sf.ca.us (Bob Bickford)
Subject: Re: More technical details


The system, or 'family', key would appear to be cryptographically
useless, since *every* chip must know it and be able to remove its
effects from the bitstream.  I daresay that it will be widely known
almost immediately after this system is deployed, and since it's been
pointed out that there is not a separate decrypt key -- the same key
is used for both encryption and decryption -- there goes any benefit
to the use of a system-wide key in SkipJack.
--
 Robert Bickford      "A Hacker is any person who derives joy from
 rab@well.sf.ca.us    discovering ways to circumvent limitations." rab'86
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
"I recognize that a class of criminals and juvenile delinquents has
taken to calling themselves 'hackers', but I consider them irrelevant
to the true meaning of the word; just as the Mafia calls themselves
'businessmen' but nobody pays that fact any attention."            rab'90
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Newsgroup: sci.crypt
Document_id: 15432
From: wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705)
Subject: Re: Once tapped, your code is no good any more.

   For example, I don't own a cordless phone.  With Clipper, I would.  If the 
   local men in blue really want to listen to me talk to my friends or order 
   pizza, I'm no worse off than I am now, and I don't have to worry about
   local kids or nosy neighbors.
I do tend to agree.  Sigh.

   So, where can I buy a DES-encrypted cellular phone?  How much does it cost?

Of course, if we didn't have government monopolies on cellular phone service,
there probably *would* be some available.

   > How can you reconcile the administrations self proclaimed purpose of 
   > providing law enforcement with access to encrypted data without making 
   > the clipper system the only crypto available in the U.S... ?
   The Second and Fourth Amendments do come to mind.  

The Second Amendment is especially apt, given the ITAR definitions of
crypto equipment as munitions, and the gun-control people's increasing
ability to define things as "assault weapons" and make them illegal.
Triple-DES is obviously used for "assault phones", while
Cripple will be legal, and Triple-Cripple may fall into the gray area
of "illegally upgrading to an assault phone"...

--
#				Pray for peace;      Bill
# Bill Stewart 1-908-949-0705 wcs@anchor.att.com AT&T Bell Labs 4M312 Holmdel NJ
#	              No, I'm *from* New Jersey, I only *work* in cyberspace....
# White House Comment Line 1-202-456-1111  fax 1-202-456-2461

Newsgroup: sci.crypt
Document_id: 15433
From: holland@CS.ColoState.EDU (douglas craig holland)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

In article <1993Apr19.130132.12650@afterlife.ncsc.mil> rlward1@afterlife.ncsc.mil (Robert Ward) writes:
>In article <bontchev.734981805@fbihh> bontchev@fbihh.informatik.uni-hamburg.de writes:
>>and since the US constitution guarantees the right to every American
>>to bear arms, why is not every American entitled, as a matter of
>
>Have you read the applicable part of the Constitution and interpreted it IN 
>CONTEXT?  If not, please do so before posting this misinterpretation again.
>It refers to the right of the people to organize a militia, not for individuals
>to carry handguns, grenades, and assault rifles.  

Read the Constitution yourself.  The Second Amendment says the right to bear
arms shall not be infringed, so a well regulated militia may be more easily
formed.  I have an interpretation of the Second that shows there are no 
qualifications to the right to keep and bear arms.  If you want, I can E-mail
it to you.  By the way, gun talk belongs in talk.politics.guns.
							Doug Holland


Newsgroup: sci.crypt
Document_id: 15434
Subject: Re: Once tapped, your code is no good any more.
From: a_rubin@dsg4.dse.beckman.com (Arthur Rubin)

In <strnlghtC5nrHw.1qB@netcom.com> strnlght@netcom.com (David Sternlight) writes:

>In article <115863@bu.edu> uni@acs.bu.edu (Shaen Bernhardt) writes:

>>
>>I wish I could agree with you.  Ask yourself this.  Why would any private
>>sector entity wish to buy a crypto system that was KNOWN to be at least
>>partially compromised? (Key escrows in this instance)  Why would any
>>private sector entity wish to buy a crypto system that had not been properly
>>evaluated?  (i.e. algorithm not publicly released)
>>The answer seems obvious to me, they wouldn't.  There is other hardware out
>>there not compromised.  DES as an example (triple DES as a better one.)

>What follows is my opinion. It is not asserted to be "the truth" so no
>flames, please.  It comes out of a background of 20 years as a senior
>corporate staff executive in two Fortune 50 companies.

No wonder American businesses are going down the tubes! :-|

>I'd be happy to use a crypto system supplied by the NSA for business, if
>they told me it was more secure than DES, and in particular resistant to
>attempts by Japanese, French, and other competitive companies and
>governments to break.

(It's NIST, not NSA.  NSA is not supposed to have anything to do with this.)
They didn't say that.  They said it was better than some commercial-grade
encryptions.  I, for one, wouldn't trust them if they did, unless they
release the algorithm for investigation.

>I'd be happy to do so even with escrowed keys, provided I was happy about
>the bona fides of the escrow agencies (the Federal Reserve would certainly
>satisfy me, as would something set up by one of the big 8 accounting firms).

Maybe the ACLU and EFF.  (It would have to be a non-profit, so the big 8
would be out.)

>I'd trust the NSA or the President if they stated there were no trap
>doors--I'd be even happier if a committee of independent experts examined
>the thing under seal of secrecy and reported back that it was secure.

I wouldn't trust the NSA.  I think I would trust the President on this, but
I'm not certain he would be told.

>I'd trust something from the NSA long before I'd trust something from some
>Swiss or anybody Japanese.

That's your problem.

>This may seem surprising to some here, but I suggest most corporations would
>feel the same way. Most/many/some (pick one) corporations have an attitude
>that the NSA is part of our government and "we support our government", as
>one very famous CEO put it to me one day.

I want to emphasize that I am not speaking for Beckman Instruments at this
point.  However, we are an international company, and I would like to think
that our customers come first, ahead of our government's whims.
--
Arthur L. Rubin: a_rubin@dsg4.dse.beckman.com (work) Beckman Instruments/Brea
216-5888@mcimail.com 70707.453@compuserve.com arthur@pnet01.cts.com (personal)
My opinions are my own, and do not represent those of my employer.

Newsgroup: sci.crypt
Document_id: 15435
From: geoff@ficus.cs.ucla.edu (Geoffrey Kuenning)
Subject: Re: Once tapped, your code is no good any more.

In article <2073@rwing.UUCP> pat@rwing.UUCP (Pat Myrto) writes:

> fishing expeditions without the target's knowledge.  Don't give up the
> right to be safe from that - that should be non-negotiable, and Clinton
> and Co. know it (which is probably why they quietly developed this thing,
> figuring if they get it this far, they can ram it on through).

It always amazes me how quick people are to blame whatever
administration is current for things they couldn't possibly have
initiated.  This chip had to take *years* to develop, yet already
we're claiming that the Clinton administration sneaked it in on us.
Bullshit.  The *Bush* administration and the career Gestapo were
responsible for this horror, and the careerists presented it to the
new presidency as a fait accompli.  That doesn't excuse Clinton and
Gore from criticism for being so stupid as to go for it, but let's lay
the body at the proper door to start with.
-- 
	Geoff Kuenning	geoff@maui.cs.ucla.edu	geoff@ITcorp.com

Newsgroup: sci.crypt
Document_id: 15436
From: jhart@agora.rain.com (Jim Hart)
Subject: Screw the people, crypto is for hard-core hackers & spooks only

Since the wiretap chip is being distributed internationally,
allowing the U.S. government to spy on foreign governments,
companies and people as well as to wiretap domestic citizens,
this is a world-wide issue.  Please put DISTRIBUTION: WORLD on the
Distribution: line.  Thank you.

ygoland@wright.seas.ucla.edu (The Jester) writes:

>However assuming that I can still encrypt things as I please, who
>cares about the clipper chip? 

You don't care that people are being lied to, fooled into believing
the chip gives "privacy" when it fact it allows wiretaps?  You
don't give a shit about anybody's privacy except your own?  (And
not even your own; are you so smart that you know when you're talking to
somebody who has a wiretap chip on their phone instead of a privacy
chip with private keys?)

>attitude that everyone else should have. Instead of worrying about a
>clipper chip, simply connect your handset to your computer and feed
>the voice signal through, process, encrypt, and transmit over the
>phone. The guy on the other hand then does the same in reverse.

"Simply?" "Everyone" should have this attitude?   The only people
who can have this attitude are the most hard-core
computer hackers, who never make phone calls away from their
computer, who apparently never call anybody except another computer 
hacker, or perhaps another spook (U.S. classified agents refuse to use
their own system, only oblivious civilian dupes get that dubious privilege).
Only spooks and hard-core hackers need privacy, huh?

We *do* need an alternative to NSA-bugged telephones, but
we're talking inexpensive *telephones* here, including hand-sized
cellulars, that need strong crypto, real privacy.  Make-shift
computer hacker rigs that require living by your computer to
talk privately over the phone are just a dumb stunt that doesn't 
do anything for anybody's privacy in the real world.  

What we need is a true *privacy chip*.  For example, a real-time 
voice-encryption RSA, put it into a silicon compiler and spit out ASIC.  
Put this chip on the market as a de facto standard for international 
business, diplomats, and private communications.  If the U.S. bans 
it, we make it somewhere else and import it.  The Japanese, German,
Dutch, Taiwanese, Korean, etc. electronics companies don't want the 
NSA spying on them.  U.S. workers lose more jobs to government fascist
stupidity.

jhart@agora.rain.com

Newsgroup: sci.crypt
Document_id: 15437
From: rdippold@qualcomm.com (Ron "Asbestos" Dippold)
Subject: Re: Once tapped, your code is no good any more.


geoff@ficus.cs.ucla.edu (Geoffrey Kuenning) writes:
>Bullshit.  The *Bush* administration and the career Gestapo were
>responsible for this horror, and the careerists presented it to the
>new presidency as a fait accompli.  That doesn't excuse Clinton and
>Gore from criticism for being so stupid as to go for it, but let's lay
>the body at the proper door to start with.

The final stages of denial... I can hardly imagine what the result
would have been if the Clinton administration had actually supported
this plan, instead of merely acquiescing with repugnance as they're so
obviously doing.  I don't believe the chip originated with the Clinton
administration either, but the Clinton administration has embraced it
and brought it to fruition.

Both of the major parties have what they consider excellent reasons
for limiting your freedoms and violating your privacy, and even seem
to feel that they're doing you a favor.  If this is really surprising
to anyone it means they've been willfully ignoring quite a bit of
previous evidence.  There's only one political party (not calling
anarchists a party) that considers your freedom and privacy goals
worthy in and of themselves.  If you're voting for the big two, you're
supporting a reduction of those rights (given their goals and their
histories), regardless of whether you personally support that
reduction.  To paint Clinton and Gore as unwitting tools is really
stretching things.

-- 
When you have to kill a man it costs nothing to be polite. -- Churchill

Newsgroup: sci.crypt
Document_id: 15438
From: trussell@cwis.unomaha.edu (Tim Russell)
Subject: Re: Once tapped, your code is no good any more.

geoff@ficus.cs.ucla.edu (Geoffrey Kuenning) writes:

>It always amazes me how quick people are to blame whatever
>administration is current for things they couldn't possibly have
>initiated.  This chip had to take *years* to develop, yet already
>we're claiming that the Clinton administration sneaked it in on us.

    No kidding.  The most recent post I saw in alt.privacy.clipper (and I
hope anyone interested in this topic ends up there) states that Clipper
has been in development for over four years.

    I am, however, more than a little PO'd that Clinton put his name on
this monstrosity, or even allowed it to get out the door, for that matter.
He's already heard from me, and I hope you'll all take the time to voice
your extreme displeasure as well.

--
   Tim Russell                 Omaha, NE              trussell@unomaha.edu

Newsgroup: sci.crypt
Document_id: 15439
From: mccoy@ccwf.cc.utexas.edu (Jim McCoy)
Subject: Re: Fifth Amendment and Passwords


In article <1993Apr19.180049.20572@qualcomm.com>, karn@unix.ka9q.ampr.org (Phil Karn) writes:
> In article <1993Apr18.233112.24107@colnet.cmhnet.org>, res@colnet.cmhnet.org (Rob Stampfli) writes:
> |> >Sadly, it does not. Suspects can be compelled to give handwriting and
> |> >voice exemplars, and to take blood and DNA tests.
> |> 
> |> I am sure that Mike is correct on this point.  I am also pretty sure that
> |> administering "truth serum" would be ruled a violation of your right
> |> not to incriminate yourself.  But, what is the salient difference?
> 
> You can find the salient difference in any number of 5th amendment
> related Supreme Court opinions. The Court limits 5th amendment
> protections to what they call "testimonial" evidence, as opposed to
> physical evidence.

I have a question that is a slight variation on the previously mentioned
examples that perhaps people could give me some pointers on (it has been a
couple of years since my Con Law class in college so I hope I am not
missing something obvious here...)

Basic Scenario:

	I set up a bbs that uses public-key encryption and encryption of
	files on disk.  The general setup is designed so that when users 
	connect they send a private key encrypted using the system public
	key and the user's public-private keypair is used to wrap the
	one-time session keys used for encrypting the files on disk.  The
	result of this is that even if I reveal the system private key it
	is impossible for anyone to gain access to the files stored on the
	machine.  What is possible is for someone to use the revealed
	system private key to entice users into revealing their personal
	private keys during the authentication sequence.

Questions:

	Does the fact that the system private key does not provide any
	information useful for a search give me any protection as far as
	being coerced to reveal the key?  (I doubt it myself..)

	It seems providing the system private key does not mean that I am
	assisting in "entrapment" (the users would send their key anyway
	and are not being enticed into doing something they would not
	otherwise do) but is there any other hook that can be used?

	Would the user private-key enticement require wiretap approval?

Any answers or general musings on the subject would be appreciated...

jim
-- 
Jim McCoy                |  UT Unix Sysadmin Tiger Team
mccoy@ccwf.cc.utexas.edu |  #include <disclaimer.h>
j-mccoy@nwu.edu          |  pgp key available via finger or upon request

Newsgroup: sci.crypt
Document_id: 15440
From: langley@dirac.scri.fsu.edu (Randolph Langley)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption


Gee, I guess they should also have such a repository for house keys,
car keys, safety deposit keys, ... :-(

rdl
--



Newsgroup: sci.crypt
Document_id: 15441
From: uni@acs.bu.edu (Shaen Bernhardt)
Subject: Re: What the clipper nay-sayers sound like to me.

In article <1qsvfcINNq9v@dns1.NMSU.Edu> amolitor@moink.nmsu.edu (Andrew Molitor) writes:
>
>	The following is available in some FTP archive somewhere, I insert
>my comments liberally throughout this demonic memo of Big Brotherdom:
>
>>	White House Announcement on Screw Thread Standards
>>	--------------------------------------------------
>>
>>	This is to announce that the American National Standards
>>Institute (or whatever it is) has been given the authority to define
>>standard dimensions for screw threads.
>
>   Look! This is clearly the first step toward outlawing our
>   own screw thread specifications. If this madness isn't fought,
>   tooth and nail, every step of the way, it'll be a crime to use
>   screw threads other than those our Fearless Leaders so *graciously*
>   define for us.

[Sarcastic text deleted, No value judgement implied]

>	Screw you, Bill Clinton! You and your totalitarianist thugs!
>
>------------------------------------------------------------------------
>amolitor@nmsu.edu | finger for PGST personal screw thread pitch, or
>Screw Threads     |  see the screw thread servers.
>must be freed!    |
>------------------------------------------------------------------------

At first I was going to complain that your analogy was completely
irrelevant.  But then I remembered something.

Remember that move to get the U.S. to the metric system all those
years ago?  As far as I know we were supposed to be there by now.

The government sold it as better for the people, easier to be in
tune with the rest of the world.  They had decided it was for
our own good.

Then, when the plan was released, it soon became apparent that the
government were a bunch 'o' thickies.

Think about it, change all the railroad track widths, signs,
screws, abolish the old regime.

At the cost of millions of dollars.

Your point is well taken.  You think there is nothing to worry
about, you could care less who designs your cryptography, any
more than who designs your screws or the system of measurement
you use.

Sit back, that's right, just relax, we'll take care of all your
needs Mr. Molitor.


-- 
uni@acs.bu.edu  ->  Public Keys by finger and/or request
Public Key Archives: <pgp-public-keys@pgp.iastate.edu> 
Sovereignty is the sign of a brutal past.<>Fight Clinton's Wiretap Chip!
DF610670F2467B99 97DE2B5C3749148C <> Crypto is not a Crime! Ask me how!

Newsgroup: sci.crypt
Document_id: 15442
From: artmel@well.sf.ca.us (Arthur Melnick)
Subject: Some questions regarding Big Brother (Clipper)


     In previous postings by Hellman, Bellovin, et al. it was
reported the Big Brother (Clipper) chip will encrypt plaintext in
64 bit blocks as is done with DES.  The users key K which can be
derived from RSA, Diffie-Hellman, etc. is used to encrypt
plaintext M and is then used to form a "three part message".
     This three part message consists of E[M; K], K encrypted
with some other key, and the chip serial number.  This three part
message is then encrypted by still another key.
     My question is: What is a message?
     For example, say we are dealing with an encrypted digitized
voice application.  The speech waveform is sampled and digitized
and then some number of samples are grouped into a 64 bit block.
This block is then encrypted and transmitted over a non-secure
communications link.
     Where is the three part message?  Is something appended to
each 64 bit block?  Is a header sent at the beginning of the
session?
     If the header is sent at the beginning of the session, how
do they ensure the equipment manufacturer using the chip does
just that?  Can just anyone manufacture products using the chip?
Is a facility clearance required to manufacture?
     Any ideas?
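Added here as an illustration, not code from any poster: a Python model of the "three part message" Melnick describes, of the unit key "split into two parts, which are stored separately" from the quoted Q&A, and of Bickford's point that the family key is shared by every chip. The cipher is a SHA-256 counter-mode keystream standing in for the classified algorithm, the split is an XOR split, and the field layout, labels and key values are all assumptions.

```python
import hashlib
import os
import struct


# Toy symmetric cipher (SHA-256 keystream in counter mode) standing in for the
# classified Skipjack algorithm; an assumption for the demonstration only.
# XOR with a keystream uses the same key to encrypt and decrypt, which is the
# property Bickford notes for the system-wide "family" key.
def xor_cipher(key: bytes, data: bytes, label: bytes) -> bytes:
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(label + key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# "The key is split into two parts, which are stored separately": modelled as an
# XOR split (assumption). Either share alone is a uniformly random string and
# carries no information about the unit key; both are needed to rebuild it.
def split_unit_key(unit_key: bytes):
    share_a = os.urandom(len(unit_key))
    share_b = xor_bytes(unit_key, share_a)
    return share_a, share_b


def combine_shares(share_a: bytes, share_b: bytes) -> bytes:
    return xor_bytes(share_a, share_b)


SERIAL_LEN = 4  # constructed layout: serial number as a 32-bit big-endian integer


# The three-part message from Melnick's post: E[M; K] is the traffic ciphertext,
# and a header bundles K wrapped under the chip's unit key plus the chip serial
# number, with the whole header wrapped under the family key.
def build_header(session_key: bytes, unit_key: bytes, serial: int, family_key: bytes) -> bytes:
    wrapped_k = xor_cipher(unit_key, session_key, b"unit")
    inner = wrapped_k + struct.pack(">I", serial)
    return xor_cipher(family_key, inner, b"family")


def encrypt_traffic(session_key: bytes, plaintext: bytes) -> bytes:
    return xor_cipher(session_key, plaintext, b"session")  # E[M; K]


# Anyone holding the family key (every chip, per Bickford) can strip the outer
# layer and read the serial number, i.e. learn which device is talking, without
# any escrowed material at all.
def read_serial(header: bytes, family_key: bytes) -> int:
    inner = xor_cipher(family_key, header, b"family")
    return struct.unpack(">I", inner[-SERIAL_LEN:])[0]


# Recovering K itself additionally needs the unit key, i.e. both escrow shares.
def recover_session_key(header: bytes, family_key: bytes, unit_key: bytes) -> bytes:
    inner = xor_cipher(family_key, header, b"family")
    return xor_cipher(unit_key, inner[:-SERIAL_LEN], b"unit")


def escrow_decrypt(header: bytes, ciphertext: bytes, family_key: bytes,
                   share_a: bytes, share_b: bytes) -> bytes:
    unit_key = combine_shares(share_a, share_b)
    k = recover_session_key(header, family_key, unit_key)
    return xor_cipher(k, ciphertext, b"session")


if __name__ == "__main__":
    # Constructed sample values; nothing here is a real Clipper key or serial.
    family_key = b"family-key-shared-by-all"
    unit_key = bytes(range(10))
    share_a, share_b = split_unit_key(unit_key)
    session_key = b"sess-key01"
    serial = 0x00C0FFEE
    plaintext = b"order one pizza"

    hdr = build_header(session_key, unit_key, serial, family_key)
    ct = encrypt_traffic(session_key, plaintext)
    print("serial visible to any family-key holder:", hex(read_serial(hdr, family_key)))
    print("with both escrow shares:", escrow_decrypt(hdr, ct, family_key, share_a, share_b))
    print("with one share only:", escrow_decrypt(hdr, ct, family_key, share_a, bytes(10)))
```

The last line of output is garbage: one escrow share plus the family key recovers the serial number but not the session key, while the serial number alone is already enough to tell phones apart.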

Newsgroup: sci.crypt
Document_id: 15443
From: pat@rwing.UUCP (Pat Myrto)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

In article <strnlghtC5puCL.6Kp@netcom.com> strnlght@netcom.com (David Sternlight) writes:
>In article <Apr18.204843.50316@yuma.ACNS.ColoState.EDU>
>holland@CS.ColoState.EDU (douglas craig holland) writes:
>
>
>>	Let me ask you this.  Would you trust Richard Nixon with your
>>crypto keys?  I wouldn't.
>
>I take it you mean President Nixon, not private citizen Nixon. Sure.
>Nothing I'm doing would be of the slightest interest to President Nixon .

I am sure you didn't miss the implication that we could have another
Richard Nixon type president in the future (perhaps not too distant
future, actually).  With that in mind, then I take it you also would
not object to the Gov coming up with a decision (not proposal - just
like Clinton Cripple is a decision, not a proposal) sprung on us to
start placing video cameras with sound in every room of your house,
which could be activated without your knowledge.  They would be well
concealed so you wouldn't know the location, to prevent you from covering
the lens opening.  After all, nothing you're doing would be of the
slightest interest to a government official, right?  So, you surely
should not object to such a proposal...

Not the best analogy, but the principle is pretty close - the ability
to eavesdrop on your activity with little or no effort, without your
knowledge, protected entirely by "government safeguards".  You can
still draw your curtains, so you can still have your privacy from everyone
else (except Big Brother)!!  After all we need this for protection from
drug dealers and terrorists and other criminals (like 'enemies of the
STATE')... and you don't really have a right to "unbreakable" privacy
anyway, sort of as the press release of the Clinton Cripple DECISION
puts it...

I find it curious they use the word "unbreakable" when the term really
should be "difficult to break without proper authorization" (which the
Government most certainly has at their disposal, right?  They wouldn't
want to be able to break it ILLEGALLY, would they?)...  Nawww, not
"for the People" Clinton....

Can you, while my mind is on it, give us one good reason that the
algorithm should be a secret algorithm, unless this encryption scheme
either is a joke, or contains features like a 'master key' or other back
door for UNAUTHORIZED eavesdropping? If it was really even moderately
secure, and the government really meant to require the proper court
order and the keys that are in the Escrow accounts to be able to decipher
the traffic, what is the need to keep the algorithm secret?  Seems I
hear rather often that if an encryption scheme requires the algorithm
to remain a secret to be effective, it is not a worthwhile scheme... is
this just idle talk, or is the Administration bullshitting everyone?

With GREAT skepticism, and many doubts on our Administration's intentions...

And WAIT!! We haven't been told the NEXT gem the Administration has in
mind for e-mail and datafile security.  The press release does say that
this is part of a comprehensive thing on data security for us unprivileged
citizens.  Perhaps 'subjects' would be the better term - 'citizens'
somehow does not seem appropriate... that implies a free people, 'subjects'
better fits a population who serve at the pleasure of their rulers.
One thing for certain:  The government no longer regards the citizens
as their bosses anymore, but the other way around...

-- 
pat@rwing.uucp      [Without prejudice UCC 1-207]     (Pat Myrto) Seattle, WA
         If all else fails, try:       ...!uunet!pilchuck!rwing!pat
WISDOM: "Only two things are infinite; the universe and human stupidity,
         and I am not sure about the former."              - Albert Einstein

Newsgroup: sci.crypt
Document_id: 15444
From: uri@watson.ibm.com (Uri Blumenthal)
Subject: Re: Key Registering Bodies

In article <930419182442.669507@DOCKMASTER.NCSC.MIL>, Grant@DOCKMASTER.NCSC.MIL (Lynn R Grant) writes:
|> If we do not trust the NSA to be a registrar of Clipper Chip key halves,
|> I would not trust Mitre either. 

I wouldn't trust Mitre  for another reason: 
remember "The Cuckoo's Egg"?  How great was
their security, eh?

NSA - well, with the list of known "turncoats",
does it make you wonder how many more unknown 
still are there?

(:-) (:-(
-- 
Regards,
Uri. 	  uri@watson.ibm.com	 scifi!angmar!uri 
------------
<Disclaimer>

Newsgroup: sci.crypt
Document_id: 15445
From: pla@sktb.demon.co.uk ("Paul L. Allen")
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

-----BEGIN PGP SIGNED MESSAGE-----

In article <PMETZGER.93Apr18141006@snark.shearson.com> pmetzger@snark.shearson.com (Perry E. Metzger) writes:

> In article <1qnupd$jpm@news.intercon.com> amanda@intercon.com (Amanda Walker) writes:
> 
>    From: amanda@intercon.com (Amanda Walker)
> 
>    jhesse@netcom.com (John Hesse) writes:
>    > Oh great. Wonderful news. Nobody can listen in--except the feds. 
> 
>    Hey, it's better than the status quo.
> 
>    I am far less worried about "the feds" tapping my phone than high school 
>    scanner surfers who get their kicks out of eavesdropping on cellular and 
>    cordless phone calls.
> 
> I'm a political dissident. I'm scared shitless of the feds listening
> in on my calls. My opinions are the sort that would get me
> "disappeared" in a slightly less free society -- and who knows what
> sort of society we will be in in five or ten years? I have friends who
> have had their phones tapped -- none of this is theoretical to me.
> 
> As for "it's better than the status quo", well, first of all, you can
> get a cryptophone from companies like Cylink today -- and they work
> well. In addition, a number of groups are now working on building
> software to turn any PC into a privacy enhanced phone right now -- and
> they are all working in overdrive mode.
> 
>    And yes, I'd rather just see all crypto restrictions lifted, but this is at 
>    least an incremental improvement for certain applications...
> 
> There ARE no crypto restrictions... yet. You can use anything you want
> RIGHT NOW. The point is to maintain that right.

The point you all seem to have missed was covered when the UK cellphone
scrambling system was discussed.  Incidentally, my MP has responded to
my questions on that issue, and it appears that the UK and other `approved'
countries will get the secure A5 encryption, and `dodgy' countries will
get A5X.  Existing mobile equipment will drop to clear mode when used with
A5X systems, but newer equipment will use A5/A5X/clear depending on the
capabilities of the base station.

The cops/feds do *not* need to be able to get hold of your private key to
listen in to cellular conversations.  Encryption is not end-to-end, but 
cellphone to base-station - it *has* to be this way so that cellular users
and fixed installations can talk to each other.  For cellular to cellular
calls, the transmission is decrypted at the base-station, passed to another
base-station and re-encrypted.  The cops/feds can listen to the unscrambled
call *provided* they get a warrant to tap into the cellular provider's
equipment.  The only reason for wanting a crackable system is so they can
listen without having to obtain a warrant.

But, maybe the Clipper system is secure, and they really do need a warrant
to get the key out of escrow before they can listen in using a scanner (see
above - they don't *have* to go down this route anyway).  I have my doubts,
but even if true once they have the key they will *never* again need a
warrant to tap into that particular phone whenever they want.  `Well, Judge,
it appears he wasn't a drug-dealer after all, so naturally we'll stop
listening in'...

You have every reason to be scared shitless.  Take a look at the records
of McCarthy, Hoover (J. Edgar, not the cleaner - though they both excelled at
sucking) and Nixon.

- --Paul



Newsgroup: sci.crypt
Document_id: 15446
From: ameline@vnet.IBM.COM (Ian Ameline)
Subject: Screw the people, crypto is for hard-core hackers & spooks only

   I suspect that this clipper thing could backfire on the Gov in a
big hurry. I expect that products using these chips will socket them
rather than soldering them, since once the keys are handed over by the
escrow agencies, the chip is so much garbage, and will need to be
replaced. I expect that someone will come along with a pin compatible
chip that uses secure encryption -- possibly even disguised so that it's
not possible to tell it from the clipper chip until you try to use the
2 backdoor keys.

   If I were to manufacture such a chip, as part of my marketing
strategy, I would try to subvert one or both escrow agencies either
through bribes or industrial espionage -- and then publicize the fact.
(doing my best not to be connected with such activities -- which would
likely not be legal :-) Publicly discrediting the escrow agencies would
go quite far towards creating a market for a secure alternative.

  I also believe that someone will reverse engineer the clipper chip,
and knowledge of the algorithm will likely be fairly widespread. Any back-
doors or weaknesses would further discredit the scheme, and help grow
the market demand for a secure alternative.

 I believe that the company that provides such an alternative will make
few friends in the LE community, but lots of money. I also believe that
the government will do its best to make such plug replacements illegal.
I expect that they will see the same success in limiting the availability
of such alternatives as they have seen in limiting the availability of
certain illicit drugs -- i.e. little to none.

Regards,
Ian Ameline.
(Of course the ramblings above have nothing to do with my employer, nor
do I necessarily advocate doing any of the things described here -- I
just believe that the events above are likely to take place)

Newsgroup: sci.crypt
Document_id: 15447
From: caronni@nessie.cs.id.ethz.ch (Germano Caronni)
Subject: Re: Fifth Amendment and Passwords

In article <1qv83m$5i2@geraldo.cc.utexas.edu> mccoy@ccwf.cc.utexas.edu (Jim McCoy) writes:
>	I set up a bbs that uses public-key encryption and encryption of
>	files on disk.  The general setup is designed so that when users 
>	connect they send a private key encrypted using the system public
>	key and the user's public-private keypair is used to wrap the
>	one-time session keys used for encrypting the files on disk.  The
>	result of this is that even if I reveal the system private key it
>	is impossible for anyone to gain access to the files stored on the
>	machine.  What is possible is for someone to use the revealed
>	system private key to entice users into revealing their personal
>	private keys during the authentication sequence.
>
>Any answers or general musings on the subject would be appreciated...
>

Just a question. 
As a provider of a public BBS service - aren't you bound by law to guarantee
intelligible access to the data of the users on the BBS, if police comes
with sufficient authorisation? I guessed this would be a basic condition
for such systems. (I did run a bbs some time ago, but that was in Switzerland)

Friendly greetings,
	Germano Caronni
-- 
Instruments register only through things they're designed to register.
Space still contains infinite unknowns.
                                                              PGP-Key-ID:341027
Germano Caronni caronni@nessie.cs.id.ethz.ch   FD560CCF586F3DA747EA3C94DD01720F

Newsgroup: sci.crypt
Document_id: 15448
From: rab@well.sf.ca.us (Bob Bickford)
Subject: Re: More technical details


Another objection occurred to me.  There was a comment about how
supposedly there would only be one decode box, operated by the FBI.
This is flat ridiculous, and I don't believe it for a millisecond.
Even *if* they in fact only build one (or two or some other small
number) of these, that won't stop others from building one.  Make
it work like two Clipper-chip phones, one listening to each side
of the recorded conversation.  I'll have to have another look at
the specs posted so far, but offhand I didn't see anything that
would preclude this sort of thing.....
--
        Robert Bickford                       rab@well.sf.ca.us
 Treasurer and Newsletter Editor,    /-------------------------------------\
 Lib. Party of Marin County (CA)     | Don't Blame Me: I Voted Libertarian |
Member, CA State Central Committee   \-------------------------------------/

Newsgroup: sci.crypt
Document_id: 15449
From: <U23590@uicvm.uic.edu>
Subject: Cripple Chip

How about this:  The
TelCo has your Clipper key.  The TelCo
has your intended partner's key, if he is
using one.  Whenever you call, the message
gets decrypted and reencrypted without
any key exchange.  I know it's a stupid
system, but for the feds, it'd be
great.  The point of this isn't to
take over the crypto market, BTW.  Clinton
does not want people to have any sort of crypto at
all (just like Busch).  But he needs some support
for the "technology initiative" garbage he's
pushing (industrial policy stuff) and a computer
chip designed by the gov't is just the thing.

Who's going to think about the (literal) Billions of
Dollars it took for a government agency to design?

-watkins@earth.eecs.uic.edu

Newsgroup: sci.crypt
Document_id: 15450
From: jfw@ksr.com (John F. Woods)
Subject: Re: Once tapped, your code is no good any more.

johnson@trwacs.fp.trw.com (Steve Johnson) writes:
>>-Tim May, whose sig block may get him busted in the New Regime
>  A remark I heard the other day is beginning to take on increasingly
>frightening significance.  The comment was made that "In other parts
>of the world the Democrats [note the big "D"] would be known as
>Socialists" 

And in other parts of the world, European "Socialists" would be known as
fascist capitalist pigs.  Get your head out of your labels and think carefully
for once:

According to the EFF announcement on this thing, the NSA has been developing
this turkey for *four* years.  The manufacturing contract was let *14 months
ago*.  Anyone out there who believes that the fact that Clinton's name was
on this White House announcement means that Bush or any other Republican is
a staunch supporter of personal privacy is a fool.

If this topic disturbs you, can the political finger-pointing and talk about
what you can do about it.  If you've just GOT to point fingers, remember that
this scheme was STARTED when a secret policeman was President.

Newsgroup: sci.crypt
Document_id: 15451
From: jebright@magnus.acs.ohio-state.edu (James R Ebright)
Subject: Re: WH proposal from Police point of view

In article <PMETZGER.93Apr19122105@snark.shearson.com> pmetzger@lehman.com writes:
>
>In article <strnlghtC5puor.704@netcom.com> strnlght@netcom.com (David Sternlight) writes:
>
>   There has been extensive discussion in the eff forum, for example, about
>   inadmissible taps being used to develop information that could then lead to
>   admissible evidence.  This might put a stop to such things, which must from
>   time to time be simple fishing expeditions.
>
>Far more likely, these things will continue to be done no matter what
>assurances we are given. "Key Escrow" is likely going to prove to be a
>joke.

I feel like Winston Churchill in 1941 :( ...... but,
the privacy Clipper will, TO THE EXTENT KEY ESCROW IS LEGITIMATE, stop
most of the abuse of wiretaps by local cops, company cops, angry husbands/
wives, etc...  It is going to be hard for the keystone cops, the
Proctor&Gamble cops, etc. to bypass even a product as flawed as the ClipJob.

Now I admit, I am hard pressed to find anything else good to say about it
except that, if it actually takes off, someone will certainly come up with
a REAL crypto chip (pin compatible!) that we can buy... Unless, of course,
Big Brother makes it illegal to have real crypto 'cause good honest law
abiding citizens will be HAPPY to let the government listen to their
every word.... "Me? Did I say THAT?"

        "I am not a crook." - President Richard M. Nixon
                              ^^^^^^^^^

-- 
 Information farming at...     For addr&phone: finger             A/~~\A
 THE Ohio State University  jebright@magnus.acs.ohio-state.edu   ((0  0))____
      Jim Ebright             e-mail: jre+@osu.edu                 \  /      \
                                                                   (--)\      

Newsgroup: sci.crypt
Document_id: 15452
From: bear@kestrel.fsl.noaa.gov (Bear Giles)
Subject: Re: Fifth Amendment and Passwords

In article <1993Apr20.000359.20098@bernina.ethz.ch> caronni@nessie.cs.id.ethz.ch (Germano Caronni) writes:
>
>Just a question. 
>As a provider of a public BBS service - aren't you bound by law to guarantee
>intelligible access to the data of the users on the BBS, if police comes
>with sufficient authorisation? I guessed this would be a basic condition
>for such systems. (I did run a bbs some time ago, but that was in Switzerland)

That sounds like an old _Dragnet_ episode.

  "Joe and I went to the apartment of Prime Suspect.  Nobody answered the
  door, but his landlord gave us permission to search the apartment."

Perhaps that worked in California in the 60's, but as I understand the
law landlords do _not_ have authority to grant permission to search space
rented by a third party, provided the lease is not in default, etc.
(I'm not even sure if they can provide the master key, when shown a search
warrant, since the _subject_ of the search is supposed to be notified).

At this point the question becomes: did the user "rent" the disk space
her encrypted file occupies?  If she did, it _should_ fall under the same
body of case law that applies to apartments, storage lockers, etc.  (As
to whether any court would recognize this fact....)  If she did not (i.e.,
no compensation exchanged), I don't know how it would be treated -- there
doesn't seem to be a non-cyberspace equivalent.

-- 
Bear Giles
bear@fsl.noaa.gov

Newsgroup: sci.crypt
Document_id: 15453
From: bear@kestrel.fsl.noaa.gov (Bear Giles)
Subject: Re: Why the clipper algorithm is secret

In article <C5pstr.Lu2@panix.com> dfl@panix.com (Danny O'Bedlam) writes:
>	The algorithm is classified because a military contract (or similar
>government equivalent to military) has been let for this "proprietary"
>design that the Feds say that NSA developed.  Is there a patent?  Is that
>patent publicly available?  My betting is that that too is classified.

Unless there has been a _major_ change in the law, there's no such beast
as a "classified patent."  Patents exist to encourage communications and
develop the state of the art. 

(The 17-year lock is a nuisance, but historically has been pretty trivial.
It's only in an industry which doubles performance every three years (or
18 months, for some hardware) that 17 years is an eternity).

The same thing applies in civilian development: you can't patent something 
_and_ declare it a "trade secret."  However, you can (and should) mark all
software (including proprietary code) "unpublished copyright" so that if it
ever does get exposed you still have some legal protection.

(Post-Berne this isn't required, since everything is "born copyrighted."
But it takes a while for people to learn the new rules).

-- 
Bear Giles
bear@fsl.noaa.gov

Newsgroup: sci.crypt
Document_id: 15454
From: johng@ecs.comm.mot.com (John Gilbert)
Subject: clipper chip --Bush did it

In article <WCS.93Apr17024857@rainier.ATT.COM> wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705) writes:
>... This is the Democrats' version
>"Defend Free Speech - Reject Republicans" followed by speech control.

This must have been in the works for some time.  The Bush administration must
have been working on it for quite a while.  --Clinton simply took the credit (or
blame, depending on how you look at it).

-- 
John Gilbert                          johng@ecs.comm.mot.com  

Newsgroup: sci.crypt
Document_id: 15455
From: denning@guvax.acc.georgetown.edu
Subject: THE CLIPPER CHIP: A TECHNICAL SUMMARY

The following document summarizes the Clipper Chip, how it is used,
how programming of the chip is coupled to key generation and the
escrow process, and how law enforcement decrypts communications.
Since there has been some speculation on this news group about my
own involvement in this project, I'd like to add that I was not in
any way involved.  I found out about it when the FBI briefed me on
Thursday evening, April 15.  Since then I have spent considerable
time talking with the NSA and FBI to learn more about this, and I
attended the NIST briefing at the Department of Commerce on April 16.  
The document below is the result of that effort. 

Dorothy Denning
---------------

                     THE CLIPPER CHIP: A TECHNICAL SUMMARY

                               Dorothy Denning

                                April 19, 1993


INTRODUCTION

On April 16, the President announced a new initiative that will bring
together the Federal Government and industry in a voluntary program
to provide secure communications while meeting the legitimate needs of
law enforcement.  At the heart of the plan is a new tamper-proof encryption
chip called the "Clipper Chip" together with a split-key approach to
escrowing keys.  Two escrow agencies are used, and the key parts from
both are needed to reconstruct a key.


CHIP STRUCTURE

The Clipper Chip contains a classified 64-bit block encryption
algorithm called "Skipjack."  The algorithm uses 80 bit keys (compared
with 56 for the DES) and has 32 rounds of scrambling (compared with 16
for the DES).  It supports all 4 DES modes of operation.  Throughput is
16 Mbits a second.

Each chip includes the following components:

   the Skipjack encryption algorithm
   F, an 80-bit family key that is common to all chips
   N, a 30-bit serial number
   U, an 80-bit secret key that unlocks all messages encrypted with the chip


ENCRYPTING WITH THE CHIP

To see how the chip is used, imagine that it is embedded in the AT&T
telephone security device (as it will be).  Suppose I call someone and
we both have such a device.  After pushing a button to start a secure
conversation, my security device will negotiate a session key K with
the device at the other end (in general, any method of key exchange can
be used).  The key K and message stream M (i.e., digitized voice) are then
fed into the Clipper Chip to produce two values:

   E[M; K], the encrypted message stream, and 
   E[E[K; U] + N; F], a law enforcement block.  

The law enforcement block thus contains the session key K encrypted
under the unit key U concatenated with the serial number N, all
encrypted under the family key F.


CHIP PROGRAMMING AND ESCROW

All Clipper Chips are programmed inside a SCIF (secure computer
information facility), which is essentially a vault.  The SCIF contains
a laptop computer and equipment to program the chips.  About 300 chips
are programmed during a single session.  The SCIF is located at
Mykotronx.

At the beginning of a session, a trusted agent from each of the two key
escrow agencies enters the vault.  Agent 1 enters an 80-bit value S1
into the laptop and agent 2 enters an 80-bit value S2. These values
serve as seeds to generate keys for a sequence of serial numbers.

To generate the unit key for a serial number N, the 30-bit value N is
first padded with a fixed 34-bit block to produce a 64-bit block N1.
S1 and S2 are then used as keys to triple-encrypt N1, producing a
64-bit block R1:

        R1 = E[D[E[N1; S1]; S2]; S1] .

Similarly, N is padded with two other 34-bit blocks to produce N2 and
N3, and two additional 64-bit blocks R2 and R3 are computed:  

        R2 = E[D[E[N2; S1]; S2]; S1] 
        R3 = E[D[E[N3; S1]; S2]; S1] .

R1, R2, and R3 are then concatenated together, giving 192 bits. The
first 80 bits are assigned to U1 and the second 80 bits to U2.  The
rest are discarded.  The unit key U is the XOR of U1 and U2.  U1 and U2
are the key parts that are separately escrowed with the two escrow
agencies.

As a sequence of values for U1, U2, and U are generated, they are
written onto three separate floppy disks.  The first disk contains a
file for each serial number that contains the corresponding key part
U1.  The second disk is similar but contains the U2 values.  The third
disk contains the unit keys U.  Agent 1 takes the first disk and agent
2 takes the second disk.  The third disk is used to program the chips.
After the chips are programmed, all information is discarded from the
vault and the agents leave.  The laptop may be destroyed for additional
assurance that no information is left behind.
 
The protocol may be changed slightly so that four people are in the
room instead of two.  The first two would provide the seeds S1 and S2,
and the second two (the escrow agents) would take the disks back to
the escrow agencies.

The escrow agencies have yet to be determined, but they will not
be the NSA, CIA, FBI, or any other law enforcement agency.  One or
both may be independent from the government.


LAW ENFORCEMENT USE

When law enforcement has been authorized to tap an encrypted line, they
will first take the warrant to the service provider in order to get
access to the communications line.  Let us assume that the tap is in
place and that they have determined that the line is encrypted with
Clipper.  They will first decrypt the law enforcement block with the
family key F.  This gives them E[K; U] + N.  They will then take a
warrant identifying the chip serial number N to each of the key escrow
agents and get back U1 and U2.  U1 and U2 are XORed together to produce
the unit key U, and E[K; U] is decrypted to get the session key K.
Finally the message stream is decrypted.  All this will be accomplished
through a special black box decoder operated by the FBI.


ACKNOWLEDGMENT AND DISTRIBUTION NOTICE.  All information is based on
information provided by NSA, NIST, and the FBI.  Permission to
distribute this document is granted.
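The chip programming, law-enforcement-block and key-recovery steps of the summary above, carried through end to end as an added example (not part of Denning's document or any NSA/Mykotronx code). Since Skipjack is classified, a small HMAC-based Feistel network stands in for E/D; the three fixed 34-bit pad blocks, the zero-padding of K and of the law enforcement block to whole 64-bit blocks, and counter mode for the message stream are all assumptions.

```python
import hashlib
import hmac
import os

ROUNDS = 8  # rounds of the stand-in Feistel cipher (Skipjack itself is classified)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, r: int, half: bytes) -> bytes:
    # 32-bit keyed round function built from HMAC-SHA256 (stand-in, assumption).
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:4]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """E[block; key]: 64-bit block, 80-bit key, balanced Feistel network."""
    assert len(block) == 8 and len(key) == 10
    left, right = block[:4], block[4:]
    for r in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, r, right))
    return left + right


def decrypt_block(key: bytes, block: bytes) -> bytes:
    """D[block; key]: the same rounds run backwards."""
    assert len(block) == 8 and len(key) == 10
    left, right = block[:4], block[4:]
    for r in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_fn(key, r, left)), left
    return left + right


def ecb(key: bytes, data: bytes, encrypt: bool = True) -> bytes:
    """Apply E or D block by block; data must be a multiple of 8 bytes."""
    assert len(data) % 8 == 0
    op = encrypt_block if encrypt else decrypt_block
    return b"".join(op(key, data[i:i + 8]) for i in range(0, len(data), 8))


def ctr(key: bytes, data: bytes) -> bytes:
    """Message stream E[M; K] in counter mode (one of the DES modes; assumption)."""
    out = bytearray()
    for i in range(0, len(data), 8):
        out += _xor(data[i:i + 8], encrypt_block(key, i.to_bytes(8, "big")))
    return bytes(out)


# The summary says N is padded with three different fixed 34-bit blocks but does
# not give their values; these constants are an assumption.
PAD_BLOCKS = (0x1, 0x2, 0x3)


def pad_serial(n: int, pad34: int) -> bytes:
    """30-bit serial number N || fixed 34-bit block -> 64-bit block N_i."""
    assert 0 <= n < 2 ** 30 and 0 <= pad34 < 2 ** 34
    return ((n << 34) | pad34).to_bytes(8, "big")


def triple_encrypt(block: bytes, s1: bytes, s2: bytes) -> bytes:
    """R_i = E[D[E[N_i; S1]; S2]; S1]"""
    return encrypt_block(s1, decrypt_block(s2, encrypt_block(s1, block)))


def derive_unit_key(n: int, s1: bytes, s2: bytes):
    """Return (U1, U2, U) for serial number n from the two agents' seeds."""
    r = b"".join(triple_encrypt(pad_serial(n, p), s1, s2) for p in PAD_BLOCKS)
    u1, u2 = r[:10], r[10:20]  # first 80 bits -> U1, next 80 -> U2, last 32 discarded
    return u1, u2, _xor(u1, u2)  # U = U1 XOR U2


def programming_session(s1: bytes, s2: bytes, serials):
    """The three 'floppy disks' of a SCIF session: {N: U1}, {N: U2}, {N: U}."""
    disk1, disk2, disk3 = {}, {}, {}
    for n in serials:
        disk1[n], disk2[n], disk3[n] = derive_unit_key(n, s1, s2)
    return disk1, disk2, disk3


def chip_encrypt(n: int, u: bytes, f: bytes, k: bytes, message: bytes):
    """Chip output: (E[M; K], E[E[K; U] + N; F]).  K is zero-padded 10 -> 16 bytes
    and the inner block 20 -> 24 bytes so 64-bit ECB fits (assumption)."""
    enc_k = ecb(u, k + bytes(6))
    leaf = ecb(f, enc_k + n.to_bytes(4, "big") + bytes(4))
    return ctr(k, message), leaf


def law_enforcement_decrypt(f: bytes, leaf: bytes, ciphertext: bytes, disk1, disk2):
    """Decoder: open the LE block with F, fetch U1/U2 for N, rebuild U, then K."""
    inner = ecb(f, leaf, encrypt=False)
    enc_k, n = inner[:16], int.from_bytes(inner[16:20], "big")
    u = _xor(disk1[n], disk2[n])            # both escrow halves are required
    k = ecb(u, enc_k, encrypt=False)[:10]   # E[K; U] -> K
    return n, ctr(k, ciphertext)


def demo():
    """Constructed run: two seeds, three chips, one call, one authorized tap."""
    s1 = bytes.fromhex("00112233445566778899")  # agent 1's seed S1 (constructed)
    s2 = bytes.fromhex("ffeeddccbbaa99887766")  # agent 2's seed S2 (constructed)
    f = bytes.fromhex("0123456789abcdef0123")   # family key F (constructed)
    disk1, disk2, disk3 = programming_session(s1, s2, [1000, 1001, 1002])
    n, k = 1001, os.urandom(10)                 # session key K negotiated per call
    ciphertext, leaf = chip_encrypt(n, disk3[n], f, k, b"hello from chip 1001")
    return law_enforcement_decrypt(f, leaf, ciphertext, disk1, disk2)
```

Note that U never leaves the session except on the third disk used to program the chip; an agency holding only its own disk learns nothing about U without the other half.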


    

Newsgroup: sci.crypt
Document_id: 15456
From: hagberg@violet.ccit.arizona.edu (HAGBERG JR, D. J.)
Subject: Clipper and Ranting Libertarians

I would think that you could reduce the defense of using non-clipper
based encryption technologies to defending freedom of expression 
(IE, free speech).  That you have the right to express whatever you
want in whatever form your little heart desires so long as you do
not impinge on the rights of others.

Encrypted text/sound/video is just another form of expression of that
particular text/sound/video.  Just like digitized sound is another 
means of expression of sound -- streams of 100100101111 instead of
continuous waveforms.

Also, it shouldn't be up to the government at all.  Encryption 
_Standards_ can be decided upon by Independent Standards Organizations
(apologies for the acronym).  One can note how well this has worked
with ISO and the Metric System, SAE, etc.  Independent entities 
or consortia of people/industries in that particular area are far
more qualified to set standards than any One government agency.
Consider for example what the Ascii character set would have looked
like if it was decided by the government.

I hope this helps folks to formulate their defenses.  I'm still working
on mine and hope to be faxing my congressmen soon...

			-=- D. J. Hagberg
			-=- hagberg@ccit.arizona.edu
			-=- finger ^ for Info and PGP Public Key

Newsgroup: sci.crypt
Document_id: 15458
From: kadie@eff.org (Carl M. Kadie)
Subject: Would "clipper" make a good cover for other encryption method?

Clipper might be a good way to cover the use of another layer of
encryption.

Currently, when you send an encrypted message, an opponent can usually
tell 1) that you are using encryption 2) which encryption method you
are using [because that information is usually in the clear].

With clipper, most opponents will only know that you are sending
clipper-text, they won't know that your clipper-text is itself
encoded.

Only those few opponents who get your clipper-keys will know
that your message is double encrypted.

... kind of like a safety deposit box containing a lock box.

So, don't just think of replacements for clipper, also think of front
ends.

- Carl



-- 
Carl Kadie -- I do not represent EFF; this is just me.
 =kadie@eff.org, kadie@cs.uiuc.edu =

Newsgroup: sci.crypt
Document_id: 15459
From: pat@rwing.UUCP (Pat Myrto)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

In article <1qnpjuINN8ci@gap.caltech.edu> hal@cco.caltech.edu (Hal Finney) writes:
>brad@clarinet.com (Brad Templeton) writes:
>
>>Their strategy is a business one rather than legal one.  They are
>>pushing to get a standard in place, a secret standard, and if they
>>get it as a standard then they will drive competitors out of the market.
>>It will be legal to sell better, untappable encryption that doesn't have
>>registered keys, but it will be difficult, and thus not a plan for
>>most phone companies.
>
>If Brad's analysis is correct, it may offer an explanation for why the
>encryption algorithm is being kept secret.  This will prevent competitors
>from coming out with Clipper-compatible phones which lack the government-
>installed "back door."  The strategy Brad describes will only work as long
>as the only way to get compatible phones is to have ones with the government
>chips.
>
>(It would be nice, from the point of view of personal privacy, if Brad
>turns out to be right.  As long as people still have the power to provide
>their own encryption in place of or in addition to the Clipper, privacy
>is still possible.  But the wording of several passages in the announcement
>makes me doubt whether this will turn out to be true.)

Even if what Brad says turns out to be accurate, you can bet that the
Administration will have made it "very clear" to the vendors that "it
would very much be in their best interests" to institute a "voluntary"
policy of refusing to sell anything but Clinton Cripple equipped equipment
to anyone other than "Authorized government agencies and Law Enforcement",
or individuals and corporations who "have been determined by the
Administration to have a valid need on a case-by-case basis" for an
effective system.

Note that this is very much like the language used in many gun control
bills/laws the Administration is pushing for, or otherwise supporting.
The logic and actual rationale (as opposed to the excuses that get fed
to the media) is the same in both cases, only the items or technology
in question are different.

I think this is no accident.  It comes from the same philosophy that
the government rules/controls the people, not the people controlling
the government, that the unconnected citizens are not sophisticated enough
to know what is best for them, so the government must tell the people
what they need or do not need ... "we know best...".  And the idea that
a commoner can defend himself against government eavesdropping
or unlawful attack is totally unacceptable to people with this outlook.

>
>Hal Finney

Combine this all with pushing for national identity cards with 'smart
chips' to encode anything they please (internal passport) under the
guise of streamlining the State People's Health Care System, and with
(you can be certain) more jewels yet to come, and one sees an extremely
ominous trend.  So what if "1984" will be ten years late... it still is
turning out to be an amazingly accurate prophecy... unless a LOT of
people wake up, and in a hurry.

One should ALWAYS have every red warning light and bell and danger flag
come up when the government seeks to set itself apart in regard to
rights, etc.  from the unconnected/unprivileged citizen (or should we
now be saying 'subject' instead?)...  Why SHOULDN'T the average person
have a good, secure system of data security, not dependent on nebulous
'safeguards' for maintaining that security?  Why SHOULDN'T the average
person be able to defend himself from an agency gone rogue?  I am sure
the Feds could break into any data they really wanted to (but it would
take some WORK), and using the same logic, one should not be allowed to
have a good safe, unless a duplicate of the key(s) or combination are
submitted for 'safekeeping' by the government?  I don't really see a
difference, philosophically.  Encrypted data sure won't evaporate, not
with such high-tech tools as a TAPE RECORDER...

-- 
pat@rwing.uucp      [Without prejudice UCC 1-207]     (Pat Myrto) Seattle, WA
         If all else fails, try:       ...!uunet!pilchuck!rwing!pat
WISDOM: "Only two things are infinite; the universe and human stupidity,
         and I am not sure about the former."              - Albert Einstein

Newsgroup: sci.crypt
Document_id: 15460
From: Marc VanHeyningen <mvanheyn@cs.indiana.edu>
Subject: Re: More technical details

>	encrypted under K, then K will be encrypted under the unit key UK, 
>	and the serial number of the unit added to produce a three part 
>	message which will then be encrypted under the system key SK 
>	producing
>
>	     E{ E[M; K], E[K; UK], serial number;  SK}
>
>My understanding is that E[M; K] is not encrypted under SK (called the
>"family key") and that the decrypt key corresponding to SK is held by
>law enforcement.  Does anyone have first hand knowledge on this?  I
>will also check it out, but this is 7am Sunday so I did not want to wait.

Ok, so there are in fact two distinct components transmitted by the
chip; the real message encrypted with the "conventional" key, and the
serial number and encrypted "conventional" key encrypted with the
(IMHO kind of bogus, as the whole concept of "one key that millions of
people use which can't be changed" doesn't seem reasonable) "family
key".

Suppose I analyze the output of this chip and I'm able to determine
which bits are the encrypted packet which contains the serial number
and session key.  Suppose I also design a simple algorithm based on
this information which takes the data containing the encrypted session
key and twiddles a bit (or several) before it's sent down the line.

Mind you, I'm sure the NSA thought of this along with a dozen other
attacks I can't imagine, and the system is probably somehow designed
so that manipulation of this information will cause a compliant
receiving chip to somehow fail to decrypt successfully.  But how?
What if the two parties agree in advance on some kind of consistent
bit-twiddling scheme, so the decryption chip sees the restored
"proper" bitstream but an eavesdropper gets a E[K; UK] packet that's
wrong?

I suppose this could be easily defeated if the chip "sends" that
information out many times in slightly different ways, making it
effectively impossible to be certain you know all the information
being sent.
--
Marc VanHeyningen   mvanheyn@cs.indiana.edu   MIME & RIPEM accepted
If your theory predicts different outcomes depending on whether you use
discrete mathematics or continuous mathematics, then you've got the wrong
theory.		- Bruce MacLennan

Newsgroup: sci.crypt
Document_id: 15461
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: Re: More technical details

srt@duke.cs.duke.edu (Stephen R. Tate) writes:
>
>Now, I'm not one of the people who distrusts the government at every
>turn, but taking someone's word for it that the S1/S2 pairs are not kept
>around is pushing what I'm willing to believe just a little bit too far.
>

Even if they somehow address this issue it is unlikely to be the only
back door in -- they might even have a few intentionally visible to
distract from the ones that aren't visible.

--
Perry Metzger		pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
Document_id: 15462
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: The Escrow Database.

Here is a disturbing thought.

Now, we no longer live in the days of big filing cabinets. We live in
the electronic age. I asked myself, how big could the escrow database
get? How hard might it be to steal the whole thing, particularly were
I an NSA official operating with the tacit permission of the escrow
houses? (We can pretend that such will not happen, but that's naive.)

Well, let's see. Ten bytes of each escrow half. Let's assume ten bytes of
serial number -- in fact, I believe the serial number is smaller, but
this is an order of magnitude calculation. We assume 250*10^6 as the
population, and that each person has a key. I get five gigabytes for
each of the two escrow databases. Fits conveniently on a single very
valuable Exabyte tape. This can only get easier with time, but who
cares -- I can already hold all the clipper keys in the country in my
pocket on two 8mm tapes.

Admittedly, they will think of safeguards. They won't put the whole
database on one disk, perhaps. Maybe they will throw stumbling blocks
in the way. This changes nothing -- the keys will be needed every day
by hundreds if not thousands of law enforcement types, so convenience
will dictate that the system permit quick electronic retrieval. At
some point, with or without collusion by the agencies, those exabyte
tapes are going to get cut. Dorothy Denning and David Sternlight will
doubtless claim this can't happen -- but we know that "can't" is a
prayer, not a word that in this instance connotes realism.

With two exabyte tapes in your pocket, you would hold the keys for
every person's conversations in the country in your hands. Yeah, you
need the "master key" too -- but that's just ten bytes of information
that have to be stored an awful lot of places.

Come to think of it, even if the NSA getting a copy of the database
isn't a threat to you because unlike me you have no controversial
political views, consider foreign intelligence services. You know, the
ones that David Sternlight wants to protect us from because of the
evil industrial espionage that they do. The French apparently do have
a big spying operation in friendly countries to get industrial
secrets, so he isn't being completely irrational here (although why
our companies couldn't use cryptosystems without back doors is left
unexplained by those that point out this threat.) 

Presumably, foreign intelligence services can get moles into the NSA
and other agencies. We have proof by example of this: it's happened
many times. Presumably, someday they will get their hands on some
fraction of the keys. You can't avoid that sort of thing.

Don't pretend that no one unauthorized will ever get their hands on
the escrow databases.

We crypto types are all taught something very important at the
beginning of intro to cryptography -- security must depend on the
easily changed key that you pick to run your system, and not on a
secret. The escrow databases aren't the sorts of secrets that our
teachers told us about, but they are the sort of big secrets they
would lump into this category. Imagine trying to replace 100 million
Clipper chips.

I cannot believe that the NSA or whoever it is that's doing this
doesn't realize all this already. They are too smart. There are too
many of them who have made their bones in the real world. I suspect
that they know precisely what they are doing -- and that what they are
doing is giving us the appearance of safety so that they can continue
to surveil in spite of the growth of strong cryptography. I suspect
that they realize that they can't put things off forever, but they can
try to delay things as long as possible.

Who knows. Maybe even some of the higher ups, the inevitable
bureaucratic types that rise in any organization, really do believe
that this scheme might give people some security, even as their
subordinates in Fort Meade wring their hands over the foolishness of
it all.

--
Perry Metzger		pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
Document_id: 15463
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

rlward1@afterlife.ncsc.mil (Robert Ward) writes:
>In article <bontchev.734981805@fbihh> bontchev@fbihh.informatik.uni-hamburg.de writes:
>>and since the US constitutions guarantees the right to every American
>>to bear arms, why is not every American entitled, as a matter of
>
>Have you read the applicable part of the Constitution and interpreted it IN 
>CONTEXT?  If not, please do so before posting this misinterpretation again.
>It refers to the right of the people to organize a militia, not for individuals 
>to carry handguns, grenades, and assault rifles.  

The Supreme Court seems to disagree with you -- they have stated that
"the people" is a term of art referring to an individual right, and
have explicitly mentioned the second amendment as an example.

I quote:

  "... 'the people' seems to have been a term of art employed in
  select parts of the Constitution.  The Preamble declares that the
  Constitution is ordained, and established by 'the people of the
  the U.S.'  The Second Amendment protects the right of the people
  to keep and bear Arms ...."
	- Supreme Court of the U.S.,  U.S. v. Verdugo-Urquidez (1990).

Furthermore, in the Miller decision, they only permitted prosecution
for possession of a sawed-off shotgun because the defense had not
presented testimony and they therefore accepted the argument of the
government that such weapons have no military value -- they held that
the amendment protected the individual right to possess military
weapons. Unfortunately, no second amendment case has successfully
gotten to the court in fifty years. However, that does not change the
interpretation.

Furthermore, it appears that others disagree with you as well, viz.:

 "The conclusion is thus inescapable that the history, concept,
  and wording of the Second Amendment to the Constitution of the
  United States, as well as its interpretation by every major
  commentator and court in the first half-century after its
  ratification, indicates that what is protected is an individual right
  of a private citizen to own and carry firearms in a peaceful manner."
   - Report of the Subcommittee on the Constitution of the
     Committee on the Judiciary, United States Senate,
     97th Congress, Second Session ( February 1982 )

You might rightfully ask "well then, what does that first bit about
militias mean?"

Well, "militia" in historical context basically means the whole of the
adult males of the country. (Indeed, the U.S. Code still defines
"militia" as all armed men over the age of 17).

   "The Militia comprised all males physically capable of acting
    in concert for the common defense ....  And ... these men were
    expected to appear bearing arms supplied by themselves and of
    the kind in common use at the time."
	- Supreme Court of the United States,  U.S. v. Miller (1939).

The reason for the phrase being there was to explain the rationale
behind the amendment, which was this: by depending on the people to
bear arms in defense of the country, no centralization of military
power could ever occur which would permit tyranny -- in short, the
government would remain perpetually in fear of the people, rather than
the other way around.

   "No free man shall ever be debarred the use of arms.  The strongest reason
   for the people to retain the right to keep and bear arms is, as a last
   resort, to protect themselves against tyranny in government."
     - Thomas Jefferson, Proposal Virginia Constitution, June 1776
       1 Thomas Jefferson Papers, 334 (C. J. Boyd, Ed., 1950).

   "And what country can preserve its liberties, if its rulers are not
   warned from time to time that this people preserve the spirit of
   resistance?  Let them take arms ... The tree of liberty must be
   refreshed from time to time, with the blood of patriots and tyrants."
     - Thomas Jefferson (letter to William S. Smith, 1787, in
       Jefferson, On Democracy 20, S. Padover, ed., 1939).

   "Before a standing army can rule, the people must be disarmed;
   as they are in almost every kingdom of Europe.  The supreme
   power in America cannot enforce unjust laws by the sword;
   because the whole body of the people are armed, and constitute
   a force superior to any bands of regular troops that can be, on
   any pretense, raised in the United States."
     - Noah Webster, "An Examination into the Leading Principles
       of the Federal Constitution" (1787), in Pamphlets on the
       Constitution of the United States (P. Ford, 1888).

You may disagree with the second amendment, and wish that it be
repealed, but please do not pretend that it isn't there and that it
doesn't mean what it says. You might argue that conditions have
changed and that it should no longer be present, but you can't imagine
it away.

I could fill a book with detailed argumentation. Many have already.

However, none of this has anything to do with cryptography.  Let's get
it out of here. If you insist on discussing this, please do it in
talk.politics.guns, where people will gladly discuss this matter with
you.

--
Perry Metzger		pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
Document_id: 15464
From: metatron!joe@dogface.austin.tx.us (Joe Zitt)
Subject: Re: Fighting the Clipper Initiative

steve-b@access.digex.com (Steve Brinich) writes:

>  >As a flaming libertarian paranoid extremist (:-), I'm at a loss for
>  >specific objections that don't sound frighteningly technical.
> 
>   The idea that foisting the Cripple Chip standard on US manufacturers would
> result in saying "Sayonara" to yet another high-tech market isn't technical,
> isn't in the least difficult to understand, and plays on a concern lots of
> people are worried about already....
> 
>

Could you expand on this? I have a feeling you're right, but I don't quite
understand.
-- 
"You could be an ocarina salesman going  | Metatron Press | Austin, Texas!
from door to door..." -- Laurie Anderson | Human Systems Performance Group

Newsgroup: sci.crypt
Document_id: 15465
From: rdippold@qualcomm.com (Ron "Asbestos" Dippold)
Subject: Re: clipper chip --Bush did it

johng@ecs.comm.mot.com (John Gilbert) writes:
>This must have been in the works for some time.  The Bush administration must
>have been working on it for quite a while.  --Clinton simply took the credit (or
>blame, depending on how you look at it).

And the initiative for actual implementation.  Clinton is not just an
innocent bystander here; they didn't just slap his name on it without
consulting him.  What exactly is his extensive history of individual
rights advocacy that people are assuming he really has nothing to do
with this?  He just went back on his pledge to cut the espionage
budget, and is now asking for more money than even Bush wanted.
-- 
I've left my body to science - and science is contesting the will.

Newsgroup: sci.crypt
Document_id: 15466
From: tcmay@netcom.com (Timothy C. May)
Subject: Re: Once tapped, your code is no good any more.

Dave Ihnat (ignatz@chinet.chi.il.us) wrote:
: In article <1qpg8fINN982@dns1.NMSU.Edu> amolitor@nmsu.edu (Andrew Molitor) writes:
: >	Not to pick on Mr. May in particular, of course, but isn't this
: >kind of the domino theory? When one little country falls, its neighbor
: >will surely follow, and before you know it, we're all mining salt
: >in Siberia for not turning in our Captain Crunch Secret Decoder Rings.
: 
: But, for all the wrongness of our attempt to correct it (Vietnam, et al.),
: the domino theory wasn't disproved at all.

Ironically, the domino theory in fact *was* a reasonable metaphor for
the collapse of communism, from the liberalizations in Poland and
Hungary to the border crossings in the summer of '89 to the fall of
the Wall later that year....and then to the ultimate collapse of the
USSR.

-Tim May
-- 
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,  
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets, 
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^756839 | Public Key: PGP and MailSafe available.


Newsgroup: sci.crypt
Document_id: 15467
From: markh@wimsey.bc.ca (Mark C. Henderson)
Subject: Re: Source of random bits on a Unix workstation

In article <1qs6cg$7cq@msuinfo.cl.msu.edu> mrr@scss3.cl.msu.edu (Mark Riordan) writes:
>A few more sources are statistics on your filesystems (easily
>and quickly obtained) and the output from the "rusage" system
>call.  
>
>You can also exec a finger to one or more favorite heavily-used
>systems, though this can take several seconds.
>
>cf. the source code to RIPEM on ripem.msu.edu.
>
>Mark R.

Other alternatives include the output of vmstat, iostat, pstat and friends
with various flags, or, even better, crash.

E.g. on an RS/6000 (AIX 3.2) you can get lots of relatively
unpredictable data out of crash. (The output from the following script
usually gives about 600k of goo on a moderately busy system.)

#!/bin/sh
# Feed a batch of subcommands to crash(1); each one dumps a kernel table
# (process table, ttys, stacks, VFS/socket/vnode/inode lists, mbufs, ...).
# The here-document ends at the lone "!" line.
crash <<!
proc -
tty
stack
pcb
callout
vfs -
socket
vnode
inode -
mbuf
file
mst
buffer
le
!

-- 
Mark Henderson
markh@wimsey.bc.ca
RIPEM key available by key server/finger/E-mail
  MD5OfPublicKey: F1F5F0C3984CBEAF3889ADAFA2437433
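The thread's idea is to treat the output of system status commands as raw material for a seed. The following is an added example, not code from Mark Henderson's post or from RIPEM: it runs whichever status commands exist on the local machine (the command list is an assumption; substitute vmstat, iostat, pstat, crash or whatever your platform has), length-prefixes each sample, and folds the lot through SHA-256. The point the post's "600k of goo" glosses over is that volume is not unpredictability: most of that text is the same for anyone who runs the same commands at nearly the same moment, so the hash is there to condense the few genuinely unpredictable bits into a fixed-size seed, and the entropy estimate is only an upper bound on what the text could supply.

```python
"""Condense system status output into seed material (added example)."""
import hashlib
import math
import subprocess

# Assumed command list; pick whatever varies with system state on your
# platform (vmstat, iostat, pstat, crash ...).  Missing commands are skipped.
DEFAULT_SOURCES = [
    ["ps", "-ef"],
    ["vmstat"],
    ["iostat"],
    ["netstat", "-an"],
    ["date", "+%s%N"],
]


def collect(sources=DEFAULT_SOURCES, timeout=5):
    """Run each command and return a list of (name, output_bytes) samples."""
    samples = []
    for argv in sources:
        try:
            out = subprocess.run(argv, capture_output=True,
                                 timeout=timeout, check=False).stdout
        except (OSError, subprocess.TimeoutExpired):
            continue  # command absent or hung: just lose that source
        if out:
            samples.append((argv[0], out))
    return samples


def condense(samples, personalisation=b"sci.crypt-seed-v1"):
    """Hash all samples into 32 bytes of seed material.

    Every field is length-prefixed so source boundaries are unambiguous;
    without that, ("ab","c") and ("a","bc") would hash identically.
    """
    h = hashlib.sha256(personalisation)
    for name, data in samples:
        name_b = name.encode()
        h.update(len(name_b).to_bytes(4, "big") + name_b)
        h.update(len(data).to_bytes(8, "big") + data)
    return h.digest()


def crude_entropy_estimate(data):
    """Shannon entropy of the byte distribution, in bits per byte.

    This measures how varied the text is, not how unpredictable it is to
    an observer; treat it as an upper bound, never as a guarantee.
    """
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


if __name__ == "__main__":
    got = collect()
    total = sum(len(d) for _, d in got)
    print("sources used:", [n for n, _ in got])
    print("raw bytes:", total)
    print("estimated bits/byte:",
          round(crude_entropy_estimate(b"".join(d for _, d in got)), 3))
    print("seed:", condense(got).hex())
```

Use the 32-byte digest to key a DRBG or as one input to a pool that also mixes in better sources; do not feed it to a generator and call the job done, since a single snapshot of process tables is exactly what an attacker on the same host can also take.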

Newsgroup: sci.crypt
Document_id: 15468
From: ngorelic@speclab.cr.usgs.gov.cr.usgs.gov (Noel S. Gorelick)
Subject: Re: White House Public Encryption Management Fact Sheet

Alan Barrett (barrett@lucy.ee.und.ac.za) wrote:
> In article <C5LGAz.250@dove.nist.gov>,
> clipper@csrc.ncsl.nist.gov (Clipper Chip Announcement) writes:
> 
>> In making this decision, I do
>> not intend to prevent the private sector from developing, or the
>> government from approving, other microcircuits or algorithms that
>> are equally effective in assuring both privacy and a secure key-
>> escrow system.
> 
> "In making this decision, I intend to prevent the private sector from
> developing, except with the government's approval, other microcircuits
> or algorithms that are more effective in assuring privacy."
> 

Doesn't this just mean that the government might not approve
something for use by other government agencies?  This does not
sound to me to be any form of threat that Joe User can't develop
and use his own encryption algorithm.

--
"You want it should sing too?"   | /*  Yeah we got dogs and Valvoline
  ngorelic@speclab.cr.usgs.gov   |     Its a pretty damn good time.    */
"Life is pain. Anyone that tells you different is trying to sell you something"

Newsgroup: sci.crypt
Document_id: 15469
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: Do we need the clipper for cheap security?

amanda@intercon.com (Amanda Walker) writes:
>> The answer seems obvious to me, they wouldn't.  There is other hardware 
>> out there not compromised.  DES as an example (triple DES as a better 
>> one.) 
>
>So, where can I buy a DES-encrypted cellular phone?  How much does it cost?
>Personally, Cylink stuff is out of my budget for personal use :)...

If the Clipper chip can do cheap crypto for the masses, obviously one
could do the same thing WITHOUT building in back doors.

Indeed, even without special engineering, you can construct a good
system right now. A standard codec chip, a chip to do vocoding, a DES
chip, a V32bis integrated modem module, and a small processor to do
glue work, are all you need to have a secure phone. You can dump one
or more of the above if you have a fast processor. With integration,
you could put all of them onto a single chip -- and in the future they
can be.

Yes, cheap crypto is good -- but we don't need it from the government.
You can do everything the clipper chip can do without needing it to be
compromised. When the White House releases stuff saying "this is good
because it gives people privacy", note that we didn't need them to
give us privacy, the capability is available using commercial hardware
right now.

Indeed, were it not for the government doing everything possible to
stop them, Qualcomm would have designed strong encryption right in to
the CDMA cellular phone system they are pioneering. Were it not for
the NSA and company, cheap encryption systems would be everywhere. As
it is, they try every trick in the book to stop it. Had it not been
for them, I'm sure cheap secure phones would be out right now.

They aren't the ones making cheap crypto available. They are the ones
keeping cheap crypto out of people's hands. When they hand you a
clipper chip, what you are getting is a mess of pottage -- your prize
for having traded in your birthright.

And what did we buy with our birthright? Did we get safety from
foreigners? No. They can read conference papers as well as anyone else
and are using strong cryptography. Did we get safety from professional
terrorists? I suspect that they can get cryptosystems themselves on
the open market that work just fine -- most of them can't be idiots
like the guys that bombed the trade center. Are we getting cheaper
crypto for ourselves? No, because the market would have provided that
on its own had they not deliberately sabotaged it.

Someone please tell me what exactly we get in our social contract in
exchange for giving up our right to strong cryptography?
--
Perry Metzger		pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
Document_id: 15470
From: tedwards@wam.umd.edu (technopagan priest)
Subject: Re: Would "clipper" make a good cover for other encryption method?

In article <1993Apr20.032623.3046@eff.org> kadie@eff.org (Carl M. Kadie) writes:
>Clipper might be a good way to cover the use of another layer of
>encryption.

True, but will traditional encryption schemes, when further encrypted
by Clipper, be _more_ vulnerable to attacks such as partially known
plaintext?

-Thomas



Newsgroup: sci.crypt
Document_id: 15471
From: barrett@lucy.ee.und.ac.za (Alan Barrett)
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks only

In article <C5qy3M.DE3@agora.rain.com>,
jhart@agora.rain.com (Jim Hart) writes:
> Since the wiretap chip is being distributed internationally,
> allowing the U.S. government to spy on foreign governments,
> companies and people as as well as to wiretap domestic citizens,
> this is a world-wide issue.  Please put DISTRIBUTION: WORLD on the 
> Distribution: line.  Thank you.

No!  Distribution keywords are case sensitive.  What you want
is

	Distribution: world

or no Distribution line at all.  "WORLD" in capital letters is wrong.

--apb
Alan Barrett, Dept. of Electronic Eng., Univ. of Natal, Durban, South Africa
RFC822: barrett@ee.und.ac.za

Newsgroup: sci.crypt
Document_id: 15474
From: tcmay@netcom.com (Timothy C. May)
Subject: Re: The Escrow Database.

Perry E. Metzger (pmetzger@snark.shearson.com) wrote:
: Here is a disturbing thought.
....good stuff elided....
: Don't pretend that no one unauthorized will ever get their hands on
: the escrow databases.
: 
.......
: secret. The escrow databases aren't the sorts of secrets that our
: teachers told us about, but they are the sort of big secrets they
: would lump into this category. Imagine trying to replace 100 million
: Clipper chips.

Sounds to me like a *great* gimmick for a replacement market...every
so often issue a "Clipper Alert" announcing that some key backup tapes
are missing, that some Drug Lords got 'em, whatever. Then the owners
of these $1200 Clipperphones have to trot down to their local Key
Escrow Agency and buy new chips and have them programmed.

Microtoxin, the Clipper supplier, will make a killing...maybe this was
the real idea. (Anybody know if Janet Reno has stock in Microtoxin,
VLSI Technology, or AT&T?)

Could be a good opportunity to undermine this with some
disinformation: float rumors that the key database has been stolen.
All the chips need replacing. It angers people, undermines confidence
even more, and kills sales.

After the Waco Massacre and the Big Brother Wiretap Chip, any tactic
is fair.

-Tim May


-- 
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,  
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets, 
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^756839 | Public Key: PGP and MailSafe available.


Newsgroup: sci.crypt
Document_id: 15475
From: bill@Celestial.COM (Bill Campbell)
Subject: Re: Once tapped, your code is no good any more.

In <strnlghtC5p7zp.3zM@netcom.com> strnlght@netcom.com (David Sternlight) writes:

:In article <Apr18.194927.17048@yuma.ACNS.ColoState.EDU>
:holland@CS.ColoState.EDU (douglas craig holland) writes:

:>Note that measures to protect yourself from
:>TEMPEST surveillance are still classified, as far as I know.

:I think this to be inaccurate. One can buy TEMPEST equipment commercially.
:Even Macs.

Sure you can buy a TEMPEST approved Mac -- if you have enough
money.  I haven't had any reason to look at this type of pricing
for about 10 years, but a TEMPEST rating in 1982 would raise the
price of a $2,495.00 Radio Shack Model III to something around
$15,000.00.

Bill
-- 
INTERNET:  bill@Celestial.COM   Bill Campbell; Celestial Software
UUCP:   ...!thebes!camco!bill   6641 East Mercer Way
             uunet!camco!bill   Mercer Island, WA 98040; (206) 947-5591
SPEED COSTS MONEY -- HOW FAST DO YOU WANT TO GO?

Newsgroup: sci.crypt
Document_id: 15476
From: jfc@athena.mit.edu (John F Carr)
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks only

In article <19930419.155204.305@almaden.ibm.com>
	ameline@vnet.IBM.COM (Ian Ameline) writes:

>  I also believe that someone will reverse engineer the clipper chip,
>and knowledge of the algorithm will likely be fairly widespread.

The chip and algorithm are classified.  If you reverse engineer it and
tell people, you are likely to go to jail.

Perhaps some foreign governments or corporations could help us out by
cracking the system outside the USA.  The US government could probably
stop importation of clone hardware, but a software implementation
should be practical.

--
    John Carr (jfc@athena.mit.edu)

Newsgroup: sci.crypt
Document_id: 15477
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: Do we need the clipper for cheap security?

: From: pmetzger@snark.shearson.com (Perry E. Metzger)

: Indeed, were it not for the government doing everything possible to
: stop them, Qualcomm would have designed strong encryption right in to
: the CDMA cellular phone system they are pioneering. Were it not for
: the NSA and company, cheap encryption systems would be everywhere. As
: it is, they try every trick in the book to stop it. Had it not been
: for them, I'm sure cheap secure phones would be out right now.

In the UK, it's impossible to get approval to attach any crypto device
to the phone network.  (Anything that plugs in to our BT phone sockets
must be approved - for some reason crypto devices just never are...)

I was wondering some time ago how big a market there was for good
old-fashioned acoustic coupler technology to build a secure phone :-) ... is
it possible to mask out all the real voice well enough so that none of
it strays into the mouthpiece?  Perhaps a well-sealed coupler attachment
that was as well blocked as possible, then a white noise generator on
the outside to muffle any real speech?

G

Newsgroup: sci.crypt
Document_id: 15478
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

: The cops/feds do *not* need to be able to get hold of your private key to
: listen in to cellular conversations.  Encryption is not end-to-end, but 
: cellphone to base-station - it *has* to be this way so that cellular users
: and fixed installations can talk to each other.  For cellular to cellular
: calls, the transmission is decrypted at the base-station, passed to another
: base-station and re-encrypted.  The cops/feds can listen to the unscrambled
: call *provided* they get a warrant to tap into the cellular provider's
: equipment.  The only reason for wanting a crackable system is so they can
: listen without having to obtain a warrant.

: But, maybe the Clipper system is secure, and they really do need a warrant
: to get the key out of escrow before they can listen in using a scanner (see
: above - they don't *have* to go down this route anyway).  I have my doubts,
: but even if true once they have the key they will *never* again need a
: warrant to tap into that particular phone whenever they want.  `Well, Judge,
: it appears he wasn't a drug-dealer after all, so naturally we'll stop
: listening in'...

That was true for the UK, Paul, but I'm fairly sure they're talking about
building end-to-end encryption phones out of this chip.  It's *not* for
cellular (though it certainly could be used there in the way you suggest).

G

Newsgroup: sci.crypt
Document_id: 15479
From: jhart@agora.rain.com (Jim Hart)
Subject: Screw the people, crypto is for hard-core hackers & spooks only 

Since the AT&T wiretap chip is scheduled to be distributed 
internationally, allowing the U.S. government to spy on foreign 
governments, companies and people as well as to wiretap domestic 
citizens, this is a world-wide issue.  Thus Distribution: world.

ygoland@wright.seas.ucla.edu (The Jester) writes:

>However assuming that I can still encrypt things as I please, who
>cares about the clipper chip? 

Why do we hackers care about the Clipper chip?  Do we give a shit
about anybody's privacy except our own?  And perhaps not even our
own; are we so smart that we always know when we're talking to
somebody who has a wiretap on their phone?

I find the "call thru your computer" ideas may reflect this attitude.
Ideas that are of, by, and for hackers, and don't help anybody in the
real world, aren't going to do anybody much good, including ourselves
where voice phones are concerned.

We *do* need an alternative to NSA-bugged telephones, but
we're talking inexpensive *telephones* here, including hand-sized
cellulars, that need strong crypto, real privacy.  Make-shift
computer hacker rigs that require living by your computer to
talk privately over the phone are just a dumb stunt that doesn't 
do anything for anybody's privacy in the real world.  

What we need is a true *privacy chip*.  For example, a real-time 
voice-encryption RSA, silicon compile it and spit out ASIC.  
Put this chip on the market as a de facto standard for international 
business, diplomats, and private communications.  If the U.S. bans 
it, we make it somewhere else and import it.  The Japanese, German,
Dutch, Taiwanese, Korean, etc. electronics companies don't want the 
NSA spying on them.  U.S. workers lose more jobs to government fascist
stupidity.

jhart@agora.rain.com

Newsgroup: sci.crypt
Document_id: 15480
From: gumby@tweedledumb.cygnus.com (D V Henkel-Wallace)
Subject: Screw the people, crypto is for hard-core hackers & spooks only

   Date: 19 Apr 93 19:57:21 GMT
   From: jhart@agora.rain.com (Jim Hart)

   "Simply?" "Everyone" should have this attitude?   The only people
   who can have this attitude are the most hard-core
   computer hackers, who never make phone calls away from their
   computer

In 10 years everybody will be talking into his or her PDA anyway.
That should solve most of the problem.


Newsgroup: sci.crypt
Document_id: 15481
From: steve-b@access.digex.com (Steve Brinich)
Subject: Re: Fighting the Clipper Initiative

> > >As a flaming libertarian paranoid extremist (:-), I'm at a loss for
> > >specific objections that don't sound frighteningly technical.
> >
> >  The idea that foisting the Cripple Chip standard on US manufacturers would
> >result in saying "Sayonara" to yet another high-tech market isn't technical,
> >isn't in the least difficult to understand, and plays on a concern lots of
> >people are worried about already....     
>
>  Could you expand on this...?


  Simple -- if you have a choice between:

 1. American manufacturers peddling Cripple Chips with a secret untested
     algorithm whose keys are held by people with a history of untrustworthy
     behavior, or

 2. Japanese (to pick the obvious example) manufacturers peddling encryption
     chips with an algorithm that has faced public scrutiny and keys under
     the control of the user,

which would you choose?  At most, the American government can deny this
choice to American citizens (and probably not that, if the glorious success
of the War on Drugs is any example); it can't do much about the global market.

Newsgroup: sci.crypt
Document_id: 15482
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: Re: Fifth Amendment and Passwords


In article <1993Apr20.000359.20098@bernina.ethz.ch> caronni@nessie.cs.id.ethz.ch (Germano Caronni) writes:


   Just a question. 
   As a provider of a public BBS service - aren't you bound by law to guarantee
   intelligible access to the data of the users on the BBS, if police comes
   with sufficient authorisation ? I guessed this would be  a basic condition
   for such systems. (I did run a bbs some time ago, but that was in Switzerland)

You are obliged to let the police search the equipment if they have a
proper court order. You are under no legal obligation to keep the data
intelligible. If you wish to run your BBS entirely with all data
encrypted such that if the police show up they cannot read anything,
well, that's their problem. There are no legal restrictions on domestic
use of cryptography in the United States -- YET.

--
Perry Metzger		pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
Document_id: 15483
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: Fascinating facts: 30 bit serial number, possibly fixed S1 and S2


denning@guvax.acc.georgetown.edu (Vidkun Abraham Lauritz Quisling) writes:

   Each chip includes the following components:

      the Skipjack encryption algorithm
      F, an 80-bit family key that is common to all chips
      N, a 30-bit serial number
      U, an 80-bit secret key that unlocks all messages encrypted with the chip

Hmmm. A thirty bit serial number. And, we are told, the unit key U is
derived deterministically from this serial number. That means that
there are only one billion possible unit keys.

   To generate the unit key for a serial number N, the 30-bit value N is
   first padded with a fixed 34-bit block to produce a 64-bit block N1.
   S1 and S2 are then used as keys to triple-encrypt N1, producing a
   64-bit block R1:

	   R1 = E[D[E[N1; S1]; S2]; S1] .

   Similarly, N is padded with two other 34-bit blocks to produce N2 and
   N3, and two additional 64-bit blocks R2 and R3 are computed:  

	   R2 = E[D[E[N2; S1]; S2]; S1] 
	   R3 = E[D[E[N3; S1]; S2]; S1] .

   R1, R2, and R3 are then concatenated together, giving 192 bits. The
   first 80 bits are assigned to U1 and the second 80 bits to U2.  The
   rest are discarded.  The unit key U is the XOR of U1 and U2.  U1 and U2
   are the key parts that are separately escrowed with the two escrow
   agencies.

Hmmm. We must assume that generating the unit key U from the serial
number N rather than generating it from a randomly selected U1 and U2
is an intentional way of assuring a "fail safe" for the government --
U is completely determined given S1, S2 and N. If S1 and S2 do not
change they constitute effective "master keys" (along with F), the
theft of which (or the possession of which by various authorities)
completely obviates the security of the system. However, more
interestingly, we know for a fact that if S1 and S2 are fixed, no
matter what, the keyspace for U is no more than 2^30. Why not pick U1
and U2 at random? Why this interesting restriction of the key space
if it is NOT to provide an additional back door?

I find it disturbing that at the very best my security is dependent on
approximately 30 bytes worth of information that could be written on
the back of a napkin.

Even if S1 and S2 change periodically, the rationale behind this
restriction in the size of the keyspace seems strange if one is
assuming that the goal is security -- and makes perfect sense if the
goal is an illusion of security.

If S1 and S2 do not change, even if they remain secret I wonder if
they can somehow be back-derived given enough unit key/serial number
pairs. We are assured that this cannot happen -- but no one
understands how Skipjack works outside of government officials and,
soon, foreign intelligence services that gain the information via
espionage. Presumably we will eventually have the information as well
-- reverse engineering gets more and more advanced every year -- but
by the time we know it may be too late.

   As a sequence of values for U1, U2, and U are generated, they are
   written onto three separate floppy disks.  The first disk contains a
   file for each serial number that contains the corresponding key part
   U1.  The second disk is similar but contains the U2 values.  The third
   disk contains the unit keys U.  Agent 1 takes the first disk and agent
   2 takes the second disk.  The third disk is used to program the chips.
   After the chips are programmed, all information is discarded from the
   vault and the agents leave.  The laptop may be destroyed for additional
   assurance that no information is left behind.

None of this makes me feel the least bit secure. The silly notion of
"destroying the laptop" appears to be yet another bizarre distraction.
We all know that you can't read data from DRAM that has been turned
off for more than a few moments. On the other hand, what we don't know
is why there is a need to generate the unit keys from S1 and S2 in the
first place other than to weaken the system. We don't know if the
agents in question would resist a million in cash a piece for their
information -- it's probably worth hundreds of millions, so you can make
the bribe arbitrarily hard to resist. And to tell you the truth, doing
this in a "vault" rather than in Joe Random Tempest-shielded Room
with a laptop computer seems like melodrama designed to make
high-school dropouts from Peoria impressed -- but it does very little
for most of the rest of us.

   The protocol may be changed slightly so that four people are in the
   room instead of two.  The first two would provide the seeds S1 and S2,
   and the second two (the escrow agents) would take the disks back to
   the escrow agencies.

What would this provide? Let's say the escrow agencies are the ACLU and
the NRA and their agents personally take back the disks and are always
honest. Who cares? The NSA must be laughing out loud, because they
have the algorithm to regenerate U given N and likely don't need to
steal the keys as they effectively already have them.

--
Perry Metzger		pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
Document_id: 15484
From: jebright@magnus.acs.ohio-state.edu (James R Ebright)
Subject: Re: Off the shelf cheap DES keyseach machine (Was: Re: Corporate acceptance of the wiretap chip)

In article <1993Apr19.093227.1093@jarvis.csri.toronto.edu> lewis@eecg.toronto.edu (david lewis) writes:
>In article <16BB51156.C445585@mizzou1.missouri.edu> C445585@mizzou1.missouri.edu (John Kelsey) writes:
>> 
>>strnlght@netcom.com (David Sternlight) writes:
>>>
[..stuff deleted]
>>But who would
>>trust his/her confidential information to an encryption scheme that, for
>>(say) $100,000 could be cracked one time in a hundred?  (DES, for all the
>>complaints about a 56-bit key, would probably cost several million dollars
>>to build a keysearch machine for.)
>> 
>
>I can buy a DES keysearch machine off the shelf now for approx $500K, but
>it is not sold by that name. Go buy a circuit emulation machine (e.g. Quickturn)
>containing a bunch of FPGAs, (say 500 to 1000 3090s), and program each
>to be a DES search engine. Let's say 500 chips, running at 10 MHz = 5G tests/sec.
>Time is 14e6 sec max = 23 weeks, 12 weeks average. Can't wait that long?
>Buy a bigger machine.
>
Oh, but can Big Brother afford such things in these times of tight
budgets?

I don't know how many folks noticed it, but Dorothy "Trust Me" Denning gave
a real clue to the current state of the art at NSA on decrypto machines when
she said the NSA told her they didn't even want to be the holder of any
part of the key.  

Now why is that?  I doubt there is a trapdoor in Skipjack.  (But we will
never know).  And I doubt the NSA would promote a mass market chip they
couldn't compromise.  Ergo, NSA is now capable of compromising (probably
with brute force keysearch) engines of the complexity of Skipjack.  Look
at the specs.  Why, I bet they have thousands of little chips chugging
away in their crypto busters... Maybe even tens of thousands.  Complexity?
Not much more than a 3090.  How many such machines will fit into Fort Meade?

I think PGP2.3 should have 256 bit IDEA keys...

-- 
 Information farming at...     For addr&phone: finger             A/~~\A
 THE Ohio State University  jebright@magnus.acs.ohio-state.edu   ((0  0))____
      Jim Ebright             e-mail: jre+@osu.edu                 \  /      \
                          Support Privacy: Support Encryption      (--)\      

Newsgroup: sci.crypt
Document_id: 15485
From: jebright@magnus.acs.ohio-state.edu (James R Ebright)
Subject: Re: Once tapped, your code is no good any more.

In article a_rubin@dsg4.dse.beckman.com (Arthur Rubin) writes:
>In strnlght@netcom.com (David Sternlight) writes:
>
[...]
>>I'd be happy to use a crypto system supplied by the NSA for business, if
>>they told me it was more secure than DES, and in particular resistant to
>>attempts by Japanese, French, and other competitive companies and
>>governments to break.
>
>(It's NIST, not NSA.  NSA is not supposed to have anything to do with this.)

With all the activity in sci.crypt these past few days, I am not surprised
you missed it... NIST got Skipjack from the NSA :)

[...]
>>I'd trust the NSA or the President if they stated there were no trap
>>doors--I'd be even happier if a committee of independent experts examined
>>the thing under seal of secrecy and reported back that it was secure.
>
>I wouldn't trust the NSA.  I think I would trust the President on this, but
>I'm not certain he would be told.

"I am not a crook." President Richard M. Nixon
                    ^^^^^^^^^
-- 
 Information farming at...     For addr&phone: finger             A/~~\A
 THE Ohio State University  jebright@magnus.acs.ohio-state.edu   ((0  0))____
      Jim Ebright             e-mail: jre+@osu.edu                 \  /      \
                          Support Privacy: Support Encryption      (--)\      

Newsgroup: sci.crypt
Document_id: 15486
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

	From: brad@clarinet.com (Brad Templeton)

	Let's assume, for the moment, that the system really is secure unless
	you get both halves of the encryption key from the two independent
	escrow houses.  Let's say you even trust the escrow houses -- one is
	the ACLU and the other is the EFF.  (And I'm not entirely joking about
	those two names)

I'm really not entirely sure I trust EFF any more to be honest.

Anyway, any organisation can be deeply infiltrated.  Look at CND in Britain
a dozen years ago - one of their top members was an SIS spy who stole their
complete address list.  How hard would it be to get one person to sneak in
and copy the escrow data to disk?

G

Newsgroup: sci.crypt
Document_id: 15487
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

Brad wrote:
	And this means that the FBI will want to track the customer lists of
	better encryption phones, because "the only reason a person would want
	one is to evade the police."

They don't have to track customer lists - they merely have to digitally
listen to any phone line and eliminate any that don't have the clipper
header/signature.  (No-one has said how it will be modulated - want a bet
it's a non-standard and hence easily recognisable baud rate?)

Devices to scan exchanges and detect modems etc already exist.  I've seen
them advertised in the trade press.

Once you eliminate crippled crypto devices and ordinary data modems, what's
left is crypto worth looking more closely at.  I guess any substitute scheme
will have to be v32bis or v.fast to disguise it, though then they just start
looking at the data too...

Whatever happens though, the effect of this new chip will be to make private
crypto stand out like a sore thumb.

G

Newsgroup: sci.crypt
Document_id: 15488
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

pat@rwing.UUCP (Pat Myrto) writes:

> Can you, while my mind is on it, give us one good reason that the
> algorithm should be a secret algorithm, unless this encryption scheme
> either is a joke, or contains features like a 'master key' or other back
> door for UNAUTHORIZED eavesdropping?

Hmm, here are a couple:

1) If the algorithm becomes known, it will be easy to produce
pin-compatible non-crippled chips that provide -real- encryption and
privacy, because their keys are only in their users' hands.

2) Since SkipJack is a symmetric key cypher, it needs some way to
agree on a session key. The released information says that any
protocol may be used (e.g., DH). From a theoretical point of view,
this is probably true. However, from a practical point of view, those
chips must have some kind of key exchange protocol built-in. What if
it is good old RSA? This will mean that the producer will have to pay
lots of bucks to PKP. By keeping the details secret this can be
avoided...

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

Newsgroup: sci.crypt
Document_id: 15489
From: wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705)
Subject: Re: Fifth Amendment and Passwords

   In article <1993Apr20.000359.20098@bernina.ethz.ch> caronni@nessie.cs.id.ethz.ch (Germano Caronni) writes:
      Just a question. 
      As a provider of a public BBS service - aren't you bound by law to guarantee
      intelligible access to the data of the users on the BBS, if the police come
      with sufficient authorisation ? I guessed this would be a basic condition
      for such systems. (I did run a bbs some time ago, but that was in Switzerland)

The US doesn't yet have many laws covering BBSs - they're not common carriers,
they're not phone companies, they're just private machines or services
operated by businesses.  There's no obligation to keep records.
As Perry Metzger points out, if the police come with a search warrant,
you have to let them see what the warrant demands, if it exists,
and they generally can confiscate the equipment as "evidence"
(which is not Constitutionally valid, but we're only beginning to
develop court cases supporting us).  A court MAY be able to compel
you to tell them information you know, such as the encryption password
for the disk - there aren't any definitive cases yet, since it's a new
situation, and there probably aren't laws specifically covering it.
But the court can't force you to *know* the keys, and there are no
laws preventing you from allowing your users to have their own keys
for their own files without giving them to you.

Even in areas that do have established law, there is uncertainty.
There was a guy in Idaho a few years ago who had his business records
subpoenaed as evidence for taxes or some other business-restriction law,
so he gave the court the records.  Which were in Hebrew.
The US doesn't have laws forcing you to keep your records in English,
and these were the originals of the records.  HE didn't speak Hebrew,
and neither did anybody in the court organization.  Don't think they
were able to do much about it.

It might be illegal for your BBS to deny access to potential customers
based on race, religion, national origin, gender, or sexual preference;
it probably hasn't been tested in court, but it seems like a plausible
extension of anti-discrimination laws affecting other businesses.


--
#				Pray for peace;      Bill
# Bill Stewart 1-908-949-0705 wcs@anchor.att.com AT&T Bell Labs 4M312 Holmdel NJ
#	              No, I'm *from* New Jersey, I only *work* in cyberspace....
# White House Comment Line 1-202-456-1111  fax 1-202-456-2461

Newsgroup: sci.crypt
Document_id: 15490
From: tuinstra@signal.ece.clarkson.edu.soe (Dwight Tuinstra)
Subject: (new) reason for Clipper alg'm secrecy

[Apologies for not posting to alt.clipper, or whatever, but it seems it
may not be in the newsfeed here.]

There may be another reason (good from NSA's point of view, horrible
from everyone else's) why the algorithm/chip design might be secret.

First, note that the "experts" will only look at "details", and of just 
the algorithm:

    In addition, respected experts from outside the
    government will be offered access to the confidential details of
    the algorithm to assess its capabilities and publicly report
    their findings.

Why not the chip design?  Well, here's the possibility:  in addition to
encryption, the chip pre-processes voice signals to make them easier
to analyze/transcribe electronically.  The chip, once widespread, might
effectively be part of a massively parallel computer for "voice-
grepping" the US phone network (or the criminal & wrong-thinking patrons
thereof).

I wouldn't put it past the NSA.  Think how much easier it would make life
for them.

And if this is indeed the case, think of the possible public outcry should
it become widely known.  Thus the secrecy.

It might be a good idea to have experts in DSP, voice recognition, and
AI conversation-understanding to be on that panel, and insist they be
given (authenticatable) design specs and implementation documentation.

+========================================================================+
|  dwight tuinstra             best:  tuinstra@sandman.ece.clarkson.edu  |
|                         tolerable:  tuinstrd@craft.camp.clarkson.edu   |
|                                                                        |
|           Look out, kid, it's something that you did.                  |
|           God knows when, but you're doin' it again ...                |
+========================================================================+

Newsgroup: sci.crypt
Document_id: 15491
From: ameline@vnet.IBM.COM (Ian Ameline)
Subject: Facinating facts: 30 bit serial number, possibly fixed S1 and S2

>Hmmm. We must assume that generating the unit key U from the serial
>number N rather than generating it from a randomly selected U1 and U2
>is an intentional way of assuring a "fail safe" for the government --
>U is completely determined given S1, S2 and N. If S1 and S2 do not
>change they constitute effective "master keys" (along with F), the
>theft of which (or the possession of which by various authorities)
>completely obviates the security of the system. However, more
>interestingly, we know, for a fact that if S1 and S2 are fixed no
>matter what the keyspace for U is no more than 2^30. Why not pick U1
>and U2 at random? Why this interesting restriction of the key space
>if it is NOT to provide an additional back door?
>
>I find it disturbing that at the very best my security is dependent on
>approximately 30 bytes worth of information that could be written on
>the back of a napkin.
>
>Even if S1 and S2 change periodically, the rationale behind this
>restriction in the size of the keyspace seems strange if one is
>assuming that the goal is security -- and makes perfect sense if the
>goal is an illusion of security.
>
>If S1 and S2 do not change, even if they remain secret I wonder if
>they can somehow be back-derived given enough unit key/serial number
>pairs. We are assured that this cannot happen -- but no one
>understands how Skipjack works outside of government officials and,
>soon, foreign intelligence services that gain the information via
>espionage. Presumably we will eventually have the information as well
>-- reverse engineering gets more and more advanced every year -- but
>by the time we know it may be too late.

Perhaps the trusted escrow agencies can be the ones who come up with
S1 and S2, and if these agencies are really trusted (ACLU & NRA is an
interesting example), we can hope that they'll use some physical
process to come up with truly random numbers. If the NSA comes up with
the numbers, that's a trap door you could drive a truck through.

>None of this makes me feel the least bit secure.

Me either.

It seems from the following that the CPSR is at least starting to
question this bogosity:

    ----------------------------------------------------------------
April 16, 1993
Washington, DC

               COMPUTER PROFESSIONALS CALL FOR PUBLIC
           DEBATE ON NEW GOVERNMENT ENCRYPTION INITIATIVE

        Computer Professionals for Social Responsibility (CPSR)
today called for the public disclosure of technical data
underlying the government's newly-announced "Public Encryption
Management" initiative.  The new cryptography scheme was
announced today by the White House and the National Institute
for Standards and Technology (NIST), which will implement the
technical specifications of the plan.  A NIST spokesman
acknowledged that the National Security Agency (NSA), the super-
secret military intelligence agency, had actually developed the
encryption technology around which the new initiative is built.

        According to NIST, the technical specifications and the
Presidential directive establishing the plan are classified.  To
open the initiative to public review and debate, CPSR today
filed a series of Freedom of Information Act (FOIA) requests
with key agencies, including NSA, NIST, the National Security
Council and the FBI for information relating to the encryption
plan.  The CPSR requests are in keeping with the spirit of the
Computer Security Act, which Congress passed in 1987 in order to
open the development of non-military computer security standards
to public scrutiny and to limit NSA's role in the creation of
such standards.

        CPSR previously has questioned the role of NSA in
developing the so-called "digital signature standard" (DSS), a
communications authentication technology that NIST proposed for
government-wide use in 1991.  After CPSR sued NIST in a FOIA
lawsuit last year, the civilian agency disclosed for the first
time that NSA had, in fact, developed that security standard.
NSA is due to file papers in federal court next week justifying
the classification of records concerning its creation of the
DSS.

        David Sobel, CPSR Legal Counsel, called the
administration's apparent commitment to the privacy of
electronic communications, as reflected in today's official
statement,  "a step in the right direction."  But he questioned
the propriety of NSA's role in the process and the apparent
secrecy that has thus far shielded the development process from
public scrutiny.  "At a time when we are moving towards the
development of a new information infrastructure, it is vital
that standards designed to protect personal privacy be
established openly and with full public participation.  It is
not appropriate for NSA -- an agency with a long tradition of
secrecy and opposition to effective civilian cryptography -- to
play a leading role in the development process."

        CPSR is a national public-interest alliance of computer
industry professionals dedicated to examining the impact of
technology on society.   CPSR has 21 chapters in the U.S. and
maintains offices in Palo Alto, California, Cambridge,
Massachusetts and Washington, DC.  For additional information on
CPSR, call (415) 322-3778 or e-mail <cpsr@csli.stanford.edu>.
      -----------------------------------------------
Regards,
Ian Ameline.

Newsgroup: sci.crypt
Document_id: 15492
From: rjq@phys.ksu.edu (Rob Quinn)
Subject: Stray thought (was Re: More technical details

In <1993Apr19.134346.2620@ulysses.att.com> smb@research.att.com (Steven Bellovin) writes:
>Date: Sun, 18 Apr 93 07:56:39 EDT
>From: denning@cs.georgetown.edu (Dorothy Denning)
>        The Clipper Chip will have a secret crypto algorithm embedded in 
>The algorithm operates on 64-bit blocks (like DES) and the chip supports
>all 4 DES modes of operation.  The algorithm uses 32 rounds of scrambling
>compared with 16 in DES.

 So in a few years there could be millions of these chips in the USA, all
networked together? Sounds like a good science fiction story - the government
wants to crack foreign DES (or whatever) messages, so they con the public into
individually buying all of the components and installing them. Soon the US
could be covered by the largest parallel computer in the world, built on top of
our current phone net.
--
| "Those who suppress freedom always                             Rob Quinn |
| do so in the name of law                                rjq@phys.ksu.edu |
| and order." --John Lindsay                         QuinnBob@KSUVM.BITNET |

Newsgroup: sci.crypt
Document_id: 15493
From: mrr@scss3.cl.msu.edu (Mark Riordan)
Subject: List of large integer arithmetic packages

This is the file BIGNUMS.TXT from ripem.msu.edu, last updated April 1993.

In response to Email requests, I have assembled this list of
large-integer arithmetic packages of which I have heard.
Most of these are C function libraries, available in source form.

For your convenience, I have placed copies of
some of these on ripem.msu.edu (35.8.1.178).  They are
available for anonymous FTP in the directory "pub/bignum".
However, what I have may not be the most current version in all cases.

Here they are, in no particular order:

mp
    Multiple Precision package that comes with some Unixes
    
    Multiple precision package accessed via -lmp flag on your
    compiler.  Provides +, -, *, /, gcd, exponentiation,
    sqrt.  Comes with SunOS, NeXT Mach, BBN Mach 1000, 
    and probably a few others.  See "man mp".  
    Object code only, of course.

PARI
    Henri Cohen, et al., Universite Bordeaux I, Paris, FRANCE
    
    Multiple precision desk calculator and library routines.
    Contains optimized assembly code for Motorola 68020, 
    semi-optimized code for SPARC, and apparently rather slow
    generic C version.  Does both integers and reals.
    Does vectors and matrices as well as scalars.
    Contains a number of advanced functions, some of which I've
    never heard of.  ("Weber's function"?)
    Has a factorization function, primality test, & other related stuff.
    Plenty of TEX documentation.
    Public domain, but you can't distribute modified versions.
    Available via anonymous FTP from math.ucla.edu.  There seem to
    be Mac- and NeXT-specific versions there in addition to:
    Filename:  pari-1.35a.tar.Z
    
Arithmetic in Global Fields  (Arith)
    Kevin R. Coombes, David R. Grant
    
    Package of routines for arbitrary precision integers or
    polynomials over finite fields.  Includes basic +, -, *, /
    and a few others like gcd.  Source code in C.
    Distributed under the terms of the GNU public license.
    Includes man pages and TEX documentation.
    Filename:  arith.tar.Z

Arbitrary Precision Math Library
    Lloyd Zusman   Los Gatos, CA
    
    C package which supports basic +, -, *, /.  Provides for radix
    points (i.e., non-integers).  Not as polished as the others here.
    Posted to comp.sources.misc in October 1988.
    Filename:  apml.tar.Z
    
BigNum
    J. Vuillemin, INRIA, FRANCE, and others.
    Distributed by Digital Equipment Paris Research Lab (DECPRL)
    
    A "portable and efficient arbitrary-precision integer" package.
    C code, with generic C "kernel", plus assembly "kernels" for
    MC680x0, Intel i960, MIPS, NS32032, Pyramid, and of course VAX.
    This is probably one of the better-known packages of this type.
    Implements +, -, *, /, mod, plus logical operations OR, AND, XOR.
    Both signed and unsigned arithmetic available.
    Available via email from librarian@decprl.dec.com.
    You will receive 5 shell archives.  Give your postal address
    and you will also receive printed documentation from France.
    Package includes TEX documentation.
    Publicly available for non-commercial use.
    I removed this from my archive when I heard a rumor that PRL
    doesn't like others to distribute it.  However, BIGNUM *is*
    distributed as part of ecpp (see below).

Lenstra's package
    Arjen Lenstra   Bellcore
    
    Portable unsigned integer package written entirely in C.
    Includes +, -, *, /, exponentiation, mod, primality testing,
    sqrt, random number generator, and a few others.  The package
    was uncommented and undocumented; I have tried to add enough
    comments to get by.  This is the only of these packages that I
    have actually used.  It works well and is very portable.  
    I haven't done any benchmarks against the others, but the code 
    looks clever & Lenstra is an accomplished number theorist.
    Unlike the other packages here, this one requires you to allocate
    storage statically--only a problem if your numbers are really huge.
    Arjen has placed the code in the public domain.  
    Filename:  lenstra.tar.Z

lenstra_3.1
    Arjen Lenstra,  Bellcore

    An improved version of Arjen's package above.  This one
    does signed arithmetic and dynamic allocation (which can be turned
    off as an option). Has a few new routines, too.  "lenstra_3.1" contains
    minor bugfixes to the previously-available "lenstra_2" and "lenstra_3".
    Filename:  lenstra_3.1.c

bmp  (Brent's Multiple Precision?)
    R. P. Brent

    1981 vintage FORTRAN code to do extended precision floating &
    fixed point arithmetic.  Includes most of the mathematical
    functions you'd find in a FORTRAN run-time library.
    This code is an ACM algorithm, number 524.
    To obtain, send a mail message to  netlib@ornl.gov
    containing the line "send mp.f from bmp" or better yet, perhaps
    just start with "help".

SPX
    Kannan Alagappan & Joseph Tardo, DEC
    
    This is a huge prototype public key authentication system
    based on RSA.  I mention it here because those who have heard
    of SPX have probably correctly guessed that it contains a large
    integer package and I want to inform you that the large integer
    package it contains is indeed DEC's BigNum from France.
    You can get a beta test copy of SPX from crl.dec.com (192.58.206.2). 
    Use it only for testing, as it "may" expire on a certain date.
    (I don't know whether this has expired yet.)

amp  (Antti's Multiple Precision?)
    Antti Louko   alo@kampi.hut.fi

    Multiple precision integer package in C.  Includes +, -, *, /, %,
    pow, mod, 1/x mod y, random, sqrt, gcd.  Available for non-commercial
    use.  The package includes "share-secret", a public key system based
    on the Diffie-Hellman algorithm.
    This is normally part of the well-known "des-dist.tar.Z",
    but I have removed the DES part to avoid having to deal with 
    cryptographic export laws, and have named the result:
    Filename:  amp.tar.Z

gennum  
    Per Bothner   U of Wisconsin-Madison

    C++ routines and classes to do generic arithmetic, both
    integer and rational.  
    Formerly available on sevenlayer.cs.wis.edu.  However, it
    seems to have disappeared.  Sorry.

MIRACL
    (By someone in Dublin, Ireland)

    Integer and fractional multiple precision package.
    Includes factorization, primality testing, encryption.
    Not public domain, apparently.  It is available from the Austin
    Code Works.  (See ads in Byte Magazine or Dr. Dobbs.)

precision
    Dave Barrett  barrettd@tigger.colorado.edu

    Multiple precision integer package in C with +,-,*,/, sqrt, rand,
    mod, pow, log.  Simple vector support.  Does dynamic allocation of memory.
    Free as long as you don't sell it or any program that uses it.
    Filename:  precision.tar.Z

UBASIC
    Prof. Yuji Kida, Rikkyo University, Nishi-Ikebukuro 3, Tokyo 171, Japan
    kida@rkmath.rikkyo.ac.jp

    Multiple-precision version of the BASIC programming language,
    for MS-DOS.  Includes floating point.  Said (by Keith Briggs)
    to be pretty fast.  Object only, I think.  ervin@morekypr.bitnet
    says:  "This is the best package that I know of for
    fast arithmetic.  Has a version optimized for 386 machines.  Includes
    routines to do MPQS, the fastest currently known general factoring
    algorithm.  An additional file is at both sites to allow MPQS to use
    hard drives so that it can factor up to 80 digits.  Many number
    theoretical functions are included in UBASIC.  It allows over 2500
    digits of precision."
    Available via anonymous FTP from shape.mps.ohio-state.edu,
    or simtel20.army.mil, or wuarchive.wustl.edu.

calc_v22
    Unknown

    MS-DOS C-like language that allows "infinite" precision.
    Nice intrinsic functions.  ervin@morekypr.bitnet reports problems
    when changing precision on the fly.
    See simtel20 or wuarchive.

briggs_arith
    Keith Briggs (kbriggs@mundoe.maths.mu.oz.au)

    Turbo Pascal 5 source for routines that do multiple-precision
    +, -, *, /, sqrt, gcd, factoring, rand for integers; also includes
    +, -, *, / and rand for rational numbers.
    Filename:  briggs_arith.pas

Institute fur Experimentelle Mathematik
    Dr Gerhard Schneider (?)

    Fast C multiple-precision subroutine library.
    I don't know anything about it; sl25@ely.cl.cam.ac.uk says
    to contact MAT420@DE0HRZ1A.BITNET for more info.
    Postal Address:
    Institute fur Experimentelle Mathematik
    EllernStr 29
    D4300 Essen-12    GERMANY

LongInt
    Markus Mueller (mueller@komsys.tik.ethz.ch)

    "Multi precision arithmetic written in MODULA-2, with the most time critical
    parts written in Assembler. Includes basic arithmetics (+, -, *, /, %) as
    well as arithmetics MODULO a number. An additional module provides a
    collection of procedures for primality testing, gcd, multiplicative
    inverse and more. The package is part of a Privacy Enhanced Mail (PEM)
    package which includes a PEM mailer, RSA key generator and Certificate
    generation tools."

    Source is in Modula-2, C, and assembler for Sun 3.  LongInt has
    also been ported to MS-DOS under Logitech Modula-2 and Turbo
    Assembler.  Availability:  free for university use (research and
    education); otherwise, a source license is required.  To obtain,
    write or email to:

        Markus Mueller
        Bertastrasse 7
        CH-8953 Dietikon
        Switzerland
        email:  mueller@komsys.tik.ethz.ch

bignum-1.2
    Henrik.Johansson@Nexus.Comm.SE

    Bignum package written in portable C.  Will in the future
    conform to the Common Lisp functions that handle integers.
    Currently includes +, -, *, /, exponentiation, "exptmod",
    comparison, random numbers, and gcd.
    Filename: bignum-1.2

GNU Multiple Precision
    GNU (Free Software Foundation) multiple precision package.
    I haven't looked at it yet.  This is current as of April 1992,
    but there may be a more recent version by the time you read 
    this.  This package is very widely available on FTP sites.
    Filename: gmp-1.2.tar.Z

Elliptic Curve Primality Proving 
    Francois Morain, France.

    Large package to prove the primality of any prime.
    Includes Inria's BIGNUM package. 
    Obtained from ftp.inria.fr (128.93.1.26).
    Filename: ecpp.V3.4.1.tar.Z

PGP (Pretty Good Privacy)
    Philip Zimmermann   prz@sage.cgd.ucar.EDU

    Intel-based crypto package that includes bignum routines in C,
    said to be quite fast for Intel processors.  Unix and Mac
    versions also available.
    The crypto package violates RSA patents, but the bignum routines
    can be used without fear of legal repercussions.

Bell's Arbitrary Precision Calculator
    David I. Bell, Australia  (dbell@pdact.pd.necisa.oz.au)

    Arbitrary-precision calculator with good online help, C-like
    language, many builtin functions, support for integers,
    rational numbers (they work like floating point), complex numbers,
    matrices, strings, lists, files, "objects".  Includes 
    gcd, primality testing, even trig functions.  Recommended.
    (Large package, though.)  Obtained from comp.sources.unix.
    Filename: calc-1.24.7.tar.Z

Built-in support in other languages
    Various

    Multiple precision arithmetic is available in a number of 
    programming languages, such as Lisp and ABC (cf. mcsun.eu.net).
    Perl (by Larry Wall, available from devvax.jpl.nasa.gov)
    includes source, in Perl, for such a package, but it's probably
    not suitable for serious use.
    For some of these, source code may be available.  This list is
    long enough, so I'm not going to pursue it aggressively.

Thanks to Ed Vielmetti and several others who contributed to this list.

Mark Riordan   mrr@ripem.msu.edu

Newsgroup: sci.crypt
Document_id: 15494
From: ted@nmsu.edu (Ted Dunning)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption


nobody seems to have noticed that the clipper chip *must* have been
under development for considerably longer than the 3 months that
clinton has been president.  this is not something that choosing
bush over clinton would have changed in the slightest; it has
been in the works for some time.


Newsgroup: sci.crypt
Document_id: 15495
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: Fascinating facts: 30 bit serial number, possibly fixed S1 and S2

	From: pmetzger@snark.shearson.com (Perry E. Metzger)

	denning@guvax.acc.georgetown.edu (Vidkun Abraham Lauritz Quisling) writes:

	   Each chip includes the following components:

	      the Skipjack encryption algorithm
	      F, an 80-bit family key that is common to all chips
	      N, a 30-bit serial number
	      U, an 80-bit secret key that unlocks all messages encrypted with the chip

	Hmmm. A thirty bit serial number. And, we are told, the unit key U is
	derived deterministically from this serial number. That means that
	there are only one billion possible unit keys.

Oh hell, it's *much* worse than that.  You think they'll ever make
more than a million of them?  Serial numbers aren't handed out at random
you know, they start at 1 and work up...  Call it a 20 bit space maybe.

G

Newsgroup: sci.crypt
Document_id: 15496
From: rja14@cl.cam.ac.uk (Ross Anderson)
Subject: Re: Clipper chip -- technical details

In article <1993Apr19.052005.20665@ulysses.att.com> smb@research.att.com (Steven Bellovin) writes:

> Nothing was said about where K_P comes from.

If you've got a secure device, you don't need public keys.

If the secret key which all chips share is SK, you can just use KP = 
E{(myname, yourname, date) ; SK}.

Maybe that's why Jim Bidzos was reported as being cheesed off.

Ross

Newsgroup: sci.crypt
Document_id: 15497
From: res@colnet.cmhnet.org (Rob Stampfli)
Subject: Re: Once tapped, your code is no good any more.

>>	With E-Mail, if they can't break your PGP encryption, they'll just
>>call up one of their TEMPEST trucks and read the electromagnetic emissions
>>from your computer or terminal.  Note that measures to protect yourself from
>
>2. I could independently invent about half a dozen right off
>the top of my head. If I had studied Advanced E & M a little better,
>I could probably come up with a _very_ good system.

Wouldn't a second monitor of similar type scrolling gibberish and adjacent
to the one being used provide reasonable resistance to tempest attacks?
-- 
Rob Stampfli  rob@colnet.cmhnet.org      The neat thing about standards:
614-864-9377  HAM RADIO: kd8wk@n8jyv.oh  There are so many to choose from.

Newsgroup: sci.crypt
Document_id: 15498
From: res@colnet.cmhnet.org (Rob Stampfli)
Subject: Re: The Old Key Registration Idea...

In article <1qn1ic$hp6@access.digex.net> pcw@access.digex.com (Peter Wayner) writes:
>That leads me to conjecture that:
...
>2) The system is vulnerable to simple phone swapping attacks

I seriously doubt that any practical implementation of this proposal would
place the onus on the individual to register keys.  Realistically, the
Clipper-Chip will probably emit an ID code which will serve as the identifier
when requesting the key fragments.  The chip manufacturer would register
this identifier code vs. key combination when the chip is made and the
(uninitiated) end-user can therefore remain completely outside the loop.
The chip could be used in a cellular phone, a modem, or other device --
it really makes no difference:  When the authorities detect the use of this
encryption standard during surveillance, they would then capture the ID
and apply for the key in order to decrypt the data.
-- 
Rob Stampfli  rob@colnet.cmhnet.org      The neat thing about standards:
614-864-9377  HAM RADIO: kd8wk@n8jyv.oh  There are so many to choose from.

Newsgroup: sci.crypt
Document_id: 15499
From: felixg@coop.com (Felix Gallo)
Subject: Re: Once tapped, your code is no good any more.

pat@rwing.UUCP (Pat Myrto) writes:

>If the Clinton Clipper is so very good, [...]

Please note that Bill Clinton probably has little if anything to do
with the design, implementation or reasoning behind this chip or behind
any "moves" being made using this chip as a pawn.

Remember, when you elect a president of the united states, it's not
the case that all the Republicans, etc. in the NSA and FBI and CIA
immediately pack their bags and get replaced by a team of fresh young
Democrats.  Most of the government -- say, 96% -- is appointed or
hired rather than elected.  Since this Clipper device has been in
production for over six months, it probably has little or no 
foundation in the currently elected Democratic Executive body.

>BTW - those who suggest that this is just an attack on Clinton, believe
>this:  I would be going ballistic regardless WHO seriously proposed
>this thing.  It is just another step in a gradual erosion of our rights
>under the Constitution or Bill of Rights.  The last couple of decades
>have been a non-stop series of end-runs around the protections of the
>Constitution.  It has to stop.  Now is as good a time as any, if it
>isn't too late already.

Could be.  However, the sky hasn't fallen yet, Chicken Little.

>-- 
>pat@rwing.uucp      [Without prejudice UCC 1-207]     (Pat Myrto) Seattle, WA
>         If all else fails, try:       ...!uunet!pilchuck!rwing!pat
>WISDOM: "Only two things are infinite; the universe and human stupidity,
>         and I am not sure about the former."              - Albert Einstein

Newsgroup: sci.crypt
Document_id: 15500
From: marc@tanda.isis.org (Marc Thibault)
Subject: Re: Don't fight Clipper Chip, subvert or replace it !

In article <ygoland.735123994@wright> 
(The Jester) writes: 

> Proof Windows is a Virus:It is very widespread, It eats up your disk
> space, It slows down your computer, It takes control over your
> computer, It performs disk access at random times, It displays silly
> messages on your screen, It randomly crashes the computer-Vesselin

        This sounds like a version of Unix. Solaris?


Newsgroup: sci.crypt
Document_id: 15501
From: koontzd@phobos.lrmsc.loral.com (David Koontz )
Subject: Spoofing Clipper Serial Number

Secrecy in Clipper Chip

The serial number of the clipper chip is encrypted with the system key and
transmitted as one part of a three part message.

Presumably the protocol can be recovered (if by nothing else, differential
analysis).

Postulate if you will, a chip (or logic) sitting between the clipper chip
and its communications channel.  The purpose of this chip is twofold:
    
	1) Transmit Channel

	    The spoof chip XORs the 30 bit encrypted serial number with
	    a secondary keying variable.  This renders the serial number
	    unrecoverable with just the system key

	2) Receive Channel

	    The spoof chip XORs the incoming encrypted serial number
	    with a secondary keying variable (assuming the serial number
	    is necessary for local operation).

This has the net result of hiding the serial number.  This gets more
interesting when the number of serial numbers issued becomes large,
making it difficult to distinguish between valid serial numbers and
a spoofed serial number.  Without knowing the system key, you could
lie about the serial number, but risk detection of the lie.

IF you had the system key and the encryption algorithm you could
successfully lie with a lower probability of detection by emulating the
format of your own serial number.

Makes you wonder what's being hidden here?  Seems like the secrecy is
to prevent you from lying about who you are.

Newsgroup: sci.crypt
Document_id: 15502
From: butzerd@maumee.eng.ohio-state.edu (Dane C. Butzer)
Subject: How large are commercial keys?

What are the typical sizes for keys for commercial secret key algorithms?
I know DES is 56 bits ("triple DES" is 112 bits) and IDEA is 128 bits.  Is
there anything made in the US that has 128 bit keys?  Anything anywhere
that has larger keys?  I've heard that RC2 can be scaled to arbitrarily
large keys, but is this actually implemented anywhere?

Finally, can anyone even conceive of a time/place where 128 bit keys aren't
sufficient?  (I certainly can't - even at a trillion keys a second, it
would take about 10 billion years to search just one billionth of that key
space.)

Thanks,
Dane

Newsgroup: sci.crypt
Document_id: 15503
From: amanda@intercon.com (Amanda Walker)
Subject: Re: Do we need the clipper for cheap security?

pmetzger@snark.shearson.com (Perry E. Metzger) writes:
> If the Clipper chip can do cheap crypto for the masses, obviously one 
> could do the same thing WITHOUT building in back doors. 

I agree.  So why is Cylink the only (and expensive) game in town?

Note: I think Cylink is great, and if my boss would double my salary, I'd buy 
a bunch of their stuff :).

One thing that Clipper offers is interoperability, at a higher degree of 
security than we currently have in non-proprietary voice encryption systems.
This means it will be cheaper than anyone's proprietary scheme, and easier to 
deploy.  This is, of course, either a bug or a feature depending on how you 
look at it :).

> Indeed, even without special engineering, you can construct a good 
> system right now. A standard codec chip, a chip to do vocoding, a DES 
> chip, a V32bis integrated modem module, and a small processor to do 
> glue work, are all you need to have a secure phone.

Great!  Where can I buy it?

Another note: If "Clipper" increases the incentive to bring stronger 
encryption to the mass market, all the better.  It's far overpriced at 
the moment.

> Yes, cheap crypto is good -- but we don't need it from the government.

I don't care where we *need* to get it from, I care where we *can* get it 
from, and whether it will interoperate with everyone else.
 
> Indeed, were it not for the government doing everything possible to 
> stop them, Qualcomm would have designed strong encryption right in to 
> the CDMA cellular phone system they are pioneering. Were it not for the 
> NSA and company, cheap encryption systems would be everywhere. As it 
> is, they try every trick in the book to stop it. Had it not been for 
> them, I'm sure cheap secure phones would be out right now. 

You can build them right now as long as you don't want to export (a 
restriction I firmly oppose).  The only thing stopping people from making 
cheap encryption is greed: they want a lock on the market.

> They aren't the ones making cheap crypto available. They are the ones 
> keeping cheap crypto out of people's hands. When they hand you a 
> clipper chip, what you are getting is a mess of pottage -- your prize 
> for having traded in your birthright. 

Oh, come on.  Only if you trust it farther than it deserves.  A Clipper phone 
*IS NOT* a substitute for a Cylink phone, or a STU-III.  It's a substitute 
for the "voice scramblers" advertised in the back of Radio Electronics.

> Are we getting cheaper crypto 
> for ourselves? No, because the market would have provided that on its 
> own had they not deliberately sabotaged it.

I disagree.  Modulo ITAR, it's not the government that has sabotaged the 
market.

> Someone please tell me what exactly we get in our social contract in 
> exchange for giving up our right to strong cryptography? 

Can you tell me where exactly we have given up that right?


Amanda Walker
InterCon Systems Corporation



Newsgroup: sci.crypt
Document_id: 15504
From: brad@optilink.COM (Brad Yearwood)
Subject: Clipper considered harmful

If Clipper comes to cellular phones along with legal proscriptions against
using other cipher systems on these phones, a new and potentially dangerous
class of crime is created.

Criminals who very badly want inscrutable tactical communications (specifically
the terrorists and drug dealers who proponents of key escrow cite as threats)
will be highly motivated to steal the cipher phone of a legitimate user, and
to kill this person or hold them hostage so discovery of compromise of the
device will be delayed.

Once a suitable collection of devices is stolen, criminals can communicate
with impunity (assuming the cipher system carries no trapdoors apart from
key escrow) until and unless the compromise is discovered by some other means.

Because life-is-cheap criminals are currently willing to kill people to steal
very large and conspicuous property (luxury cars), it is reasonable to assume
that they will be willing to kill people to steal small and inconspicuous
property (a cipher cellular phone).  Just as we have seen in the past with
"blue box" technology, and in the present with modified cellular phones,
we can expect to see among high-stakes criminals a lucrative market for
stolen cipher phones which can be used for a few days.  The high-stakes
criminals will pay the life-is-cheap types substantial amounts for stolen
instruments.

Because a person is typically discovered as missing or dead in a few days,
a stolen instrument will be usable for only a few days.  There will be a
continuing demand for fresh phones: fresh bodies.

In other words, Clipper and similar systems have the potential to turn a
current inconvenience to law enforcement into a direct, vicious, and
persistent threat to the general public.

On the other hand, if a criminal were to apply some arbitrary cipher to a
device in a mostly non-ciphered network, the communication will at least
stand out as being unusual, and perhaps worthy of other means of investigation.

Finally, because there is essentially no possibility of intercepting in
realtime the scrutable content of communications between stolen instruments,
there will exist strong motivation to record and archive _all_ communications
in the network for ex-post-facto scrutiny (once some criminal act is discovered,
and the instruments involved have been identified).  While recording and
archiving may not be feasible for wireline networks, it is probably feasible
across the more limited bandwidth of radio networks.  The existence of these
recordings could open up vast potential for abuse.

Brad Yearwood    brad@optilink.com     {uunet, pyramid}!optilink!brad
Petaluma, CA


Newsgroup: sci.crypt
Document_id: 15505
From: butzerd@maumee.eng.ohio-state.edu (Dane C. Butzer)
Subject: Re: Once tapped, your code is no good any more.

In article <1993Apr20.034724.3748@colnet.cmhnet.org> res@colnet.cmhnet.org (Rob Stampfli) writes:
>>>	With E-Mail, if they can't break your PGP encryption, they'll just
>>>call up one of their TEMPEST trucks and read the electromagnetic emissions
>>>from your computer or terminal.  Note that measures to protect yourself from
>>
>>2. I could independently invent about half a dozen right off
>>the top of my head. If I had studied Advanced E & M a little better,
>>I could probably come up with a _very_ good system.
>
>Wouldn't a second monitor of similar type scrolling gibberish and adjacent
>to the one being used provide reasonable resistance to tempest attacks?

Actually, old video games and pinball machines are supposed to work pretty
good (at blocking EM eavesdropping), too.  Those things put out a LOT of EM
noise.  Back in the 80's, I read about computer companies putting bunches
of games in their buildings for just this purpose (not to mention the $$$).


Dane

Newsgroup: sci.crypt
Document_id: 15506
From: lars@spectrum.CMC.COM (Lars Poulsen)
Subject: Re: Is there ANY security in the Clipper?

In article <ZEEV.93Apr18014822@sepia.ccc.amdahl.com> zeev@ccc.amdahl.com (Ze'ev Wurman) writes:
>It seems to me that all discussions about Clipper security are almost 
>irrelevant - if I cannot choose the key, but have to use a key chosen for
>me by the foundry, the security of the WHOLE UNIVERSE OF USERS is as good
>(or as bad) as the security of VLSI Technologies Inc.

- or their handlers.

>It is a trivial effort to run any ciphertext against ALL THE KEYS EVER 
>MANUFACTURED - after all we are talking about 1 to 100 million keys that
>will ever be manufactured. The key depositories can be as secure and
>incorruptible as they wish to be, nobody cares anyway...:-(

The key depositories are IRRELEVANT. In order for the applicable law
enforcement agencies to be able to know what keys to request from
escrow, the system will have to squawk its serial number in clear text
as part of the link establishment protocol. Whoever owns the program 
that assigns keys to each serial number won't need access to the key
depository.

In other words, the FBI may need a court-ordered release of escrowed
keys, but the NSA has the keys before the chip is ever manufactured.
There is no need to go through the escrow or to try all keys. While
relations between law enforcement agencies have sometimes been strained,
there is also a long history of trading favors. This will re-establish
the NSA as a very important agency for everyone to get along with,
because they can give you untraceable encryption leaks without court
orders.

The more I think about this affair, the fouler it smells. I'd rather
have a DES with an engineered-in backdoor ...
-- 
/ Lars Poulsen, SMTS Software Engineer	Internet E-mail: lars@CMC.COM
  CMC Network Products / Rockwell Int'l	Telephone: +1-805-968-4262	
  Santa Barbara, CA 93117-3083		TeleFAX:   +1-805-968-8256

Newsgroup: sci.crypt
Document_id: 15507
From: amanda@intercon.com (Amanda Walker)
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks only

jhart@agora.rain.com (Jim Hart) writes:
> You don't care that people are being lied to, fooled into believing the 
> chip gives "privacy" when it fact it allows wiretaps?

It does give privacy, just not absolute privacy.  The announcement was very 
up front about this, and about allowing wiretaps.  How is this "fooling" 
anyone?

> are you so smart that you know when you're talking 
> to somebody who has a wiretap chip on their phone instead of a privacy 
> chip with private keys?) 

Sure.  The two don't interoperate.  You couldn't talk to, say, a Cylink phone 
from a Clipper phone.  I would expect even multiprotocol phones to come with 
indicators saying which kind of link encryption is in use...

> We *do* need an alternative to NSA-bugged telephones, but 
> we're talking inexpensive *telephones* here, including hand-sized 
> cellulars, that need strong crypto, real privacy.

So start a company and build them.  This is still mostly a capitalist 
economy...

> What we need is a true *privacy chip*.  For example, a real-time 
> voice-encryption RSA, put it into a silicon compiler and spit out 
> ASIC.  Put this chip on the market as a de facto standard for 
> international business, diplomats, and private communications.

I agree.  Go for it.


Amanda Walker
InterCon Systems Corporation



Newsgroup: sci.crypt
Document_id: 15508
From: tcmay@netcom.com (Timothy C. May)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

Ted Dunning (ted@nmsu.edu) wrote:
: 
: nobody seems to have noticed that the clipper chip *must* have been
: under development for considerably longer than the 3 months that
: clinton has been president.  this is not something that choosing
: bush over clinton would have changed in the slightest; it has
: been in the works for some time.

Actually, many of us have noted this. We have noted that the program
started at least 4 years ago, that the contracts with VLSI Technology
and Microtoxin were let at least 14 months ago, that production of the
chips is well underway, and so forth.

Nobody I know has claimed Clinton initiated the program. But he chose
to go ahead with it.


-Tim May
-- 
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,  
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets, 
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^756839 | Public Key: PGP and MailSafe available.


Newsgroup: sci.crypt
Document_id: 15509
From: ray@ole.cdac.com (Ray Berry)
Subject: Clipper- business as usual?


    Notwithstanding all the legitimate fuss about this proposal, how much
of a change is it?  ATT's last product in this area (a) was priced over
$1000, as I suspect 'clipper' phones will be; (b) came to the customer 
with the key automatically preregistered with government authorities. Thus,
aside from attempting to further legitimize and solidify the fed's posture,
Clipper seems to be "more of the same", rather than a new direction.
   Yes, technology will eventually drive the cost down and thereby promote
more widespread use- but at present, the man on the street is not going
to purchase a $1000 crypto telephone, especially when the guy on the other
end probably doesn't have one anyway.  Am I missing something?
   The real question is what the gov will do in a year or two when air-
tight voice privacy on a phone line is as close as your nearest pc.  That
has got to be a problematic scenario for them, even if the extent of usage
never surpasses the 'underground' stature of PGP.
-- 
Ray Berry kb7ht ray@ole.cdac.com  rjberry@eskimo.com  73407.3152@compuserve.com

Newsgroup: sci.crypt
Document_id: 15510
From: shirriff@sprite.berkeley.edu (Ken Shirriff)
Subject: Re: Once tapped, your code is no good any more.

In article <Apr18.194927.17048@yuma.ACNS.ColoState.EDU> holland@CS.ColoState.EDU (douglas craig holland) writes:
>	With E-Mail, if they can't break your PGP encryption, they'll just
>call up one of their TEMPEST trucks and read the electromagnetic emissions
>from your computer or terminal.  Note that measures to protect yourself from
>TEMPEST surveillance are still classified, as far as I know.

Note that TEMPEST is the name of the shielding standard.  TEMPEST is not
the name of the surveillance technique.

Ken Shirriff				shirriff@sprite.Berkeley.EDU
Disclaimer: this is what I've heard and it's in the sci.crypt FAQ, so it's
probably true but I can't guarantee it.  I'd like to know if I'm wrong.

Newsgroup: sci.crypt
Document_id: 15511
From: amanda@intercon.com (Amanda Walker)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

gtoal@gtoal.com (Graham Toal) writes:
> Whatever happens though, the effect of this new chip will be to make 
> private crypto stand out like a sore thumb. 

It already does.


Amanda Walker
InterCon Systems Corporation



Newsgroup: sci.crypt
Document_id: 15512
From: eachus@spectre.mitre.org (Robert I. Eachus)
Subject: Re: Would "clipper" make a good cover for other encryption method?

In article <1993Apr20.032623.3046@eff.org> kadie@eff.org (Carl M. Kadie) writes:

  > Clipper might be a good way to cover the use of another layer of
  > encryption.

  But, if you are making custom equipment in any case, why not just
roll your own Clipper implementation and report the wrong keys to the
Escrow agency?  (Tells us who is going to be in the chip business if
this thing goes through--NSA, and those with something to hide from
NSA.)

  If anyone can verify that your phone is not using the key registered
to that serial number, either:

  1) They have a court ordered wiretap.  But what are they going to
do?  Tell the judge that this individual really does have privacy?
All they know is that the keys are not enough, but not why.

  2) They have a court ordered wiretap on a phone in this series.
(This part is really scary.  Since the "expectation" is that all
chips in a particular batch will use seeds based on the same S1 and
S2 and the serial number, getting the keys for one of a batch may give
access to all.)

  3) There is a backdoor which allows all messages to be deciphered
without the keys.  I find this one especially threatening since the
scheme seems very open to known plaintext attacks.  (What I need to
decipher is the data in the header.  If I talk to someone who has one
of these phones, presumably there will be an automatically negotiated
key generated.  I'm not trying to decipher the record of the
conversation to know what was said, I use it as a known plaintext to
recover the backdoor represented by the header, but I know what the
header says for conversations I participate in.  Even worse, if the
phones in a series have related keys, I can buy a phone/chip from the
same production lot.  Then I can recover its keys, either elegantly by
talking to myself, or by brute force analysis of the actual chip, then
apply the key generation process with those seeds to find the target
keys.)

    Hmmm!  I don't think I want to ever come close to these phones.
Even DES is starting to look good.  Two cans and a string will provide
much better security.



--

					Robert I. Eachus

with Standard_Disclaimer;
use  Standard_Disclaimer;
function Message (Text: in Clever_Ideas) return Better_Ideas is...

Newsgroup: sci.crypt
Document_id: 15513
From: cepek@vixvax.mgi.com
Subject: Tempest vs LCD (was: Re: Once tapped...)

douglas craig holland (holland@CS.ColoState.EDU) writes:
>
> With E-Mail, if they can't break your PGP encryption, they'll just
> call up one of their TEMPEST trucks and read the electromagnetic 
> emissions from your computer or terminal.  Note that measures to 
> protect yourself from TEMPEST surveillance are still classified, as 
> far as I know.

steiner@jupiter.cse.utoledo.edu (Jason 'Think!' Steiner) writes:

> are LCD displays vulnerable to tempest?

I can see high-voltage type display devices being vulnerable (CRTs,
plasma displays, etc.)  But Jason beat me to this question.  What
about EM radiation from low-voltage items like LCD displays?

Perhaps the critical element is the driver circuitry?  The cabling?
What about a portable PC/Mac/etc., where all the "noise" is bunched
into one tiny area?

Newsgroup: sci.crypt
Document_id: 15514
From: smb@research.att.com (Steven Bellovin)
Subject: Re: Off the shelf cheap DES keyseach machine (Was: Re: Corporate acceptance of the wiretap chip)

In article <1993Apr20.150531.2059@magnus.acs.ohio-state.edu>, jebright@magnus.acs.ohio-state.edu (James R Ebright) writes:
> Now why is that?  I doubt there is a trapdoor in Skipjack.  (But we will
> never know).  And I doubt the NSA would promote a mass market chip they
> couldn't compromise.  Ergo, NSA is now capable of compromising (probably
> with brute force keysearch) engines of the complexity of Skipjack.  Look
> at the specs.  Why, I bet they have thousands of little chips chugging
> away in their crypto busters... Maybe even tens of thousands.  Complexity?
> Not much more than a 3090.  How many such machines will fit into Fort Meade?

> I think PGP2.3 should have 256 bit IDEA keys...

Thousands?  Tens of thousands?  Do some arithmetic, please...  Skipjack
has 2^80 possible keys.  Let's assume a brute-force engine like that
hypothesized for DES:  1 microsecond per trial, 1 million chips.  That's
10^12 trials per second, or about 38,000 years for 2^80 trials.  Well,
maybe they can get chips running at one trial per nanosecond, and build
a machine with 10 million chips.  Sure -- only 3.8 years for each solution.

IDEA uses 128-bit keys.  Shall I bother doing the calculations for you?
Hint:  multiply 3.8 years by 2^(128-80).  And you can't do IDEA at that
speed; key setup takes much too long.  I wouldn't be surprised if that
were the case for Skipjack, too, though there's no way of knowing just
yet.  DES used only xor because that's what was feasible with mid-70's
technology.  Modern chips can do a lot more.

NSA may or may not know how to crack Skipjack and IDEA (I doubt it for
the former; I have no idea for the latter, though it does seem to be a
strong cryptosystem).  But it ain't gonna be by exhaustive search.
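The brute-force arithmetic in this post, and the 128-bit figure in Dane Butzer's question above, worked through in an added example (not from either author); the engine sizes are the posts' own hypothetical figures, not measurements of any real machine:

```python
"""Keyspace exhaustion estimator (added example, not from the original posts).

Reproduces the thread's figures: Bellovin's Skipjack numbers (2^80 keys;
1 us/trial x 1e6 chips -> ~38,000 years; 1 ns/trial x 1e7 chips -> ~3.8
years) and Butzer's 128-bit number (1e12 keys/s, one billionth of the
space -> ~10 billion years).  All engine parameters are the posts'
assumptions, constructed here for illustration.
"""
import math
from dataclasses import dataclass

SECONDS_PER_YEAR = 365.25 * 24 * 3600


@dataclass(frozen=True)
class SearchEngine:
    """A hypothetical brute-force machine: `chips` chips, each trying
    one key every `trial_seconds`."""
    chips: int
    trial_seconds: float

    @property
    def keys_per_second(self) -> float:
        return self.chips / self.trial_seconds


# The two engines Bellovin hypothesizes, and Butzer's "trillion keys a second".
ENGINE_DES_STYLE = SearchEngine(chips=1_000_000, trial_seconds=1e-6)   # 1e12 keys/s
ENGINE_FAST = SearchEngine(chips=10_000_000, trial_seconds=1e-9)       # 1e16 keys/s
ENGINE_TRILLION = SearchEngine(chips=1, trial_seconds=1e-12)           # 1e12 keys/s


def years_to_search(key_bits: int, engine: SearchEngine, fraction: float = 1.0) -> float:
    """Years needed to try `fraction` of a `key_bits`-bit keyspace on `engine`.

    fraction=1.0 is the full space (worst case); 0.5 is the expected cost of
    finding one key; Butzer's "one billionth" is fraction=1e-9.
    """
    if key_bits <= 0 or not (0.0 < fraction <= 1.0):
        raise ValueError("key_bits must be positive and 0 < fraction <= 1")
    keys = (2 ** key_bits) * fraction
    return keys / engine.keys_per_second / SECONDS_PER_YEAR


def expected_years(key_bits: int, engine: SearchEngine) -> float:
    """Expected time to hit the right key: on average half the space is searched."""
    return years_to_search(key_bits, engine, fraction=0.5)


def scaling_factor(from_bits: int, to_bits: int) -> int:
    """Cost multiplier when the key grows (Bellovin's hint: multiply by 2^(128-80))."""
    return 2 ** (to_bits - from_bits)


def bits_to_resist(target_years: float, engine: SearchEngine) -> int:
    """Smallest key length whose full search on `engine` takes at least `target_years`.

    Useful in the other direction: given an adversary budget, what key size keeps
    exhaustive search out of reach.
    """
    if target_years <= 0:
        raise ValueError("target_years must be positive")
    keys_needed = target_years * SECONDS_PER_YEAR * engine.keys_per_second
    return math.ceil(math.log2(keys_needed))


if __name__ == "__main__":
    print(f"Skipjack, 1e12 keys/s: {years_to_search(80, ENGINE_DES_STYLE):,.0f} years")
    print(f"Skipjack, 1e16 keys/s: {years_to_search(80, ENGINE_FAST):.1f} years")
    print(f"IDEA vs Skipjack cost factor: 2^{int(math.log2(scaling_factor(80, 128)))}")
    print(f"128-bit, one billionth at 1e12 keys/s: "
          f"{years_to_search(128, ENGINE_TRILLION, 1e-9):.2e} years")
    print(f"DES (56-bit) at 1e12 keys/s: "
          f"{years_to_search(56, ENGINE_DES_STYLE) * SECONDS_PER_YEAR / 3600:.0f} hours")
```

Running it shows why the post dismisses exhaustive search of Skipjack and IDEA while the same engine clears a 56-bit DES space in under a day.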

Newsgroup: sci.crypt
Document_id: 15515
From: kepley@photon.phys.unca.edu (Brad Kepley)
Subject: Re: Once tapped, your code is no good any more.

In article <1993Apr20.161838.13213@coop.com> felixg@coop.com (Felix Gallo) writes:
>pat@rwing.UUCP (Pat Myrto) writes:
>
>>If the Clinton Clipper is so very good, [...]
>
>Please note that Bill Clinton probably has little if anything to do
>with the design, implementation or reasoning behind this chip or behind

Can't we move the political bickering to a more appropriate group?
-- 
Brad Kepley                  Internet         kepley@photon.phys.unca.edu
Work-days                    Voice            (704)252-8330
--

Newsgroup: sci.crypt
Document_id: 15516
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Clipper considered harmful

brad@optilink.COM (Brad Yearwood) writes:

> Criminals who very badly want inscrutable tactical communications (specificall
> the terrorists and drug dealers who proponents of key escrow cite as threats)
> will be highly motivated to steal the cipher phone of a legitimate user, and
> to kill this person or hold them hostage so discovery of compromise of the
> device will be delayed.

Why do it in such a rough manner? It is much more professional to
steal the chip from the phone and even to replace it with a
pin-compatible do-nothing chip that does not encrypt at all. Chances
are that the victim will not notice anything, especially if it is done
professionally.

> Once a suitable collection of devices is stolen, criminals can communicate
> with impunity (assuming the cipher system carries no trapdoors apart from
> key escrow) until and unless the compromise is discovered by some other means.

No, because the Feds will still be able to decrypt the conversations.
True, they'll blame the wrong guys, but nevertheless one cannot say
something like "The drugs arrive tomorrow on the ship 'Terminus'"
when the Feds are listening, even if they cannot identify who the
speaker is.

No, the criminals will just use some secure encryption. The new
proposal does not stop criminals; it ensures that the government will
be able to wiretap the average citizen and stops the casual snooper.
To me, it also clearly looks like a step towards outlawing any other
strong encryption devices.

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

Newsgroup: sci.crypt
Document_id: 15517
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: How large are commercial keys?

butzerd@maumee.eng.ohio-state.edu (Dane C. Butzer) writes:

> Finally, can anyone even conceive of a time/place where 128 bit keys aren't
> sufficient?  

It depends on the algorithm used. 128-bit secret keys for RSA are
definitively not secure enough.

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

Newsgroup: sci.crypt
Document_id: 15518
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks only

jfc@athena.mit.edu (John F Carr) writes:
>In article <19930419.155204.305@almaden.ibm.com>
>	ameline@vnet.IBM.COM (Ian Ameline) writes:
>
>>  I also believe that someone will reverse engineer the clipper chip,
>>and knowledge of the algorithm will likely be fairly widespread.
>
>The chip and algorithm are classified.  If you reverse engineer it and
>tell people, you are likely to go to jail.

Well, I'm not a lawyer, but from what I can tell this is completely
and utterly untrue.

You see, this country has this thing called a "constitution".

If you legitimately acquire the device, and you yourself are
not a government employee or otherwise encumbered, I don't think they
can stop you from revealing anything about the device you can
determine. Remember the Pentagon Papers precedent? The First Amendment
applies here.

The U.S. does NOT have an official secrets act. We do have laws that
will punish you for revealing what classified information you learned
in your capacity as a government official, contractor, etc, and we
have laws that prohibit stealing such information. However, if they
sell you the chip, I can't see that they can make reverse engineering
it and revealing the details illegal.

--
Perry Metzger		pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
Document_id: 15519
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: How does it really work? (was Re: text of White House announcement and Q&As on clipper chip encryption)

	From: Marc VanHeyningen <mvanheyn@cs.indiana.edu>

	The majority of the discussion involving this "Clipper Chip" seems to
	pertain to the encryption of telephone conversations.  Does anyone
	know if that means this chip is designed to work primarily with analog
	signals?  The language sort of suggests this, but it's hard to say.

I'd lay a few bucks that its just data-in-data-out in parallel.  I suspect
to make it a phone you'd need a codec and speech compression.  There would
be a loss of bandwidth on the speech signal, which I suspect would scupper
any of the suggestions I've seen here about putting a different encryption
front end on it.

There's no hint of any modulation scheme in the docs.  I'm sure it's purely
a digital chip.  The back end will come later, but I'm *positive* it won't
be left to the manufacturers - they all have to be the same modulation
scheme to make it easy for the NSA to tap them.

The only other possibility is that this is intended only for ISDN phones.
(Puts a whole new spin on EFF's obsession about ISDN if true, bwahahaha! ;-) )

G

Newsgroup: sci.crypt
Document_id: 15520
From: Graham Toal <gtoal@gtoal.com>
Subject: Re: Once tapped, your code is no good any more.

In article <2073@rwing.UUCP> pat@rwing.UUCP (Pat Myrto) writes:
:If the Clinton Clipper is so very good, why not make its algorithm public
:so many people can exchange ideas and examine it, rather than a few
:isolated 'respected experts' (respected by whom?  for what?  Perhaps a
:certain professor who likes key banks would be one of the selected
:experts... this does seem to expand on some ideas the person was
:advocating, if I recall :-).  How would anybody know that what the

Actually, I am *completely* baffled by why Dorothy Denning has chosen
to throw away her academic respectability like this.  It looks to me
like a *major* Career Limiting Move.  There can be very few people
who know what she's been saying who take her seriously any more.

I wonder if she landed such a fat fee from cooperation with the NSA in
the design and propaganda stages that she doesn't care any more?

G

Newsgroup: sci.crypt
Document_id: 15521
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: "clipper chip"

	From: "dan mckinnon" <dan.mckinnon@canrem.com>

	   I have lurked here a bit lately, and though some of the math is
	unknown to me, found it interesting. I thought I would post an article I
	found in the Saturday, April 17, 1993 Toronto Star:

	                  'CLIPPER CHIP' to protect privacy

Politics is of course Dirty Pool, old man, and here we have a classic
example: the NSA and the administration have been working on this for
a *long* time, and in parallel with the announcement to us techies, we
see they're hitting the press with propaganda.

It's my bet the big magazines - Byte, Scientific American, et al. - will
be ready to run with a pre-written government-slanted story on this in
the next issue.  ('Just keep us some pages spare boys, we'll give you
the copy in time for the presses')

We *must* get big names in the industry to write well argued pieces against
this proposal (can you call it that when it's a de facto announcement?) and
get them into the big magazines before too much damage is done.

It would be well worth folks archiving all the discussions from here since
the day of the announcement to keep all the arguments at our fingertips.  I
think between us we could write quite a good piece.

Now, who among us carries enough clout to guarantee publication?  Phil?
Don Parker?  Mitch Kapor?

G

Newsgroup: sci.crypt
Document_id: 15522
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

] gtoal@news.ibmpcug.co.uk (Graham Toal) writes:
] > Try reading between the lines David - there are *strong* hints in there 
] > that they're angling for NREN next,

] Where?  I honestly didn't see any...

Hint 1:

: Sophisticated encryption technology has been used for years to
: protect electronic funds transfer.  It is now being used to
: protect electronic mail and computer files.  While encryption
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Hint 2:

: This new technology will help companies protect proprietary
: information, protect the privacy of personal phone conversations
: and prevent unauthorized release of data transmitted
                                      ^^^^^^^^^^^^^^^^
: electronically.  At the same time this technology preserves the
  ^^^^^^^^^^^^^^ 
:      --   the privacy of our citizens, including the need to
:           employ voice or data encryption for business purposes;
                         ^^^^^^^^^^^^^^^^^^
:      --   the ability of authorized officials to access telephone
:           calls and data, under proper court or other legal
                  ^^^^^^^^
:           order, when necessary to protect our citizens;

VERY BIG HINT 3:

# The Administration is committed to working with the private
# sector to spur the development of a National Information
# Infrastructure which will use new telecommunications and computer
# technologies to give Americans unprecedented access to
# information.  This infrastructure of high-speed networks
# ("information superhighways") will transmit video, images, HDTV
# programming, and huge data files as easily as today's telephone
# system transmits voice.

VERY BIG HINT 4: (See above)

## Since encryption technology will play an increasingly important
## role in that infrastructure, the Federal Government must act
## quickly to develop consistent, comprehensive policies regarding
## its use.

] > and the only conceivable meaning of 
] > applying this particular technology to a computer network is that they 
] > intend it to be used in exclusion to any other means of encryption. 

] I disagree, if for no other reason than that there are already other 
] standards in place.  Besides, even if they restrict encryption on the NREN, 
] who cares?  Most of the Internet is commercial anyway.  The NREN is only for 
] government and university research (read the proposals--it's a "data 
] superhighway" for Cray users, not anything having to do with the Internet).

Oh, I see your point.  I think you're wrong.  But if you sit back and wait
to find out if I'm right, it'll be too late.  Just listen *very* carefully
for the first 'such and such will not be permitted on network XYZ' shoe to
drop.

G



Newsgroup: sci.crypt
Document_id: 15523
From: jbotz@mtholyoke.edu (Jurgen Botz)
Subject: Re: The [secret] source of that announcement

In article <MARC.93Apr17211937@oliver.mit.edu> marc@mit.edu (Marc Horowitz N1NZU) writes:
>Just who is that, I asked myself, or rather, I asked the computer.
>
>    % telnet csrc.ncsl.nist.gov 25
>    Trying...
>    Connected to csrc.ncsl.nist.gov.
>    Escape character is '^]'.
>    220 first.org sendmail 4.1/NIST ready at Sat, 17 Apr 93 20:42:56 EDT
>    expn clipper
>    250-<csspab@mail-gw.ncsl.nist.gov>
>[...]
>    221 first.org closing connection
>    Connection closed.
>
>Well, isn't that interesting.  Dorothy Denning, Mitch Kapor, [...]

Even more interesting: the SMTP server at csrc.ncsl.nist.gov no longer
recognizes the 'expn' and 'vrfy' commands...

   telnet csrc.ncsl.nist.gov smtp
   Trying 129.6.54.11...
   Connected to csrc.ncsl.nist.gov.
   Escape character is '^]'.
   220 first.org sendmail 4.1/NIST ready at Tue, 20 Apr 93 17:01:34 EDT
   expn clipper
   500 Command unrecognized

Seems like somebody didn't like your snooping around, Marc.
-- 
Jurgen Botz, jbotz@mtholyoke.edu | Vending machines SHOULD respond to a [finger]
South Hadley, MA, USA            | request with a list of all items currently
--Unix is dead, long live Unix-- | available for purchase... -RFC1288
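The two transcripts above show the same server answering EXPN with a 250 (expansion returned) one week and a 500 (command refused) the next. The following is an added example, not code from either poster, for a mail administrator who wants to confirm that their own MTA gives the second kind of answer. It uses Python's standard smtplib to send EXPN and VRFY and classifies the reply codes; so that it runs offline, it also includes a constructed stand-in responder on a loopback port that mimics the hardened behaviour (the hostname, reply text and the name "clipper" are placeholders, not NIST's server):

```python
import smtplib
import socketserver
import threading
from typing import Dict


def probe_expn_vrfy(host: str, port: int, name: str = "clipper") -> Dict[str, int]:
    """Send EXPN and VRFY for `name` to the MTA and return each reply code.

    250 means the server expanded the list / confirmed the mailbox (address
    disclosure); a 5xx code means it refused, as first.org did in the
    second transcript.  Point this only at servers you administer.
    """
    with smtplib.SMTP(host, port, local_hostname="localhost", timeout=5) as smtp:
        expn_code, _ = smtp.expn(name)      # "expn <name>"
        vrfy_code, _ = smtp.verify(name)    # "vrfy <name>"
    return {"expn": expn_code, "vrfy": vrfy_code}


def discloses_addresses(codes: Dict[str, int]) -> bool:
    """True if either command would reveal list membership or mailbox existence."""
    return codes["expn"] == 250 or codes["vrfy"] in (250, 251)


# --- Constructed stand-in MTA for offline use (not NIST's sendmail) --------
class _HardenedMTA(socketserver.StreamRequestHandler):
    """Minimal responder that refuses EXPN/VRFY the way the page's second
    transcript shows, and accepts everything else with 250."""

    def handle(self) -> None:
        self.wfile.write(b"220 example.test sendmail ready\r\n")
        for raw in self.rfile:
            verb = raw.decode("ascii", "replace").strip().upper().split(" ", 1)[0]
            if verb == "QUIT":
                self.wfile.write(b"221 example.test closing connection\r\n")
                return
            if verb in ("EXPN", "VRFY"):
                self.wfile.write(b"500 Command unrecognized\r\n")
            else:
                self.wfile.write(b"250 OK\r\n")


def run_against_stand_in() -> Dict[str, int]:
    """Start the stand-in on a free loopback port, probe it, and shut it down."""
    server = socketserver.TCPServer(("127.0.0.1", 0), _HardenedMTA)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        host, port = server.server_address[:2]
        return probe_expn_vrfy(host, port)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    result = run_against_stand_in()
    verdict = "discloses addresses" if discloses_addresses(result) else "refuses EXPN/VRFY"
    print(result, verdict)
```

Against a real server, call `probe_expn_vrfy(host, 25)` directly; a result of `{"expn": 250, ...}` means the list expansion that the first transcript obtained is still available to anyone who can reach port 25.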

Newsgroup: sci.crypt
Document_id: 15524
From: rdippold@qualcomm.com (Ron "Asbestos" Dippold)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

ted@nmsu.edu (Ted Dunning) writes:
>nobody seems to have noticed that the clipper chip *must* have been
>under development for considerably longer than the 3 months that
>clinton has been president.  this is not something that choosing
>choosing bush over clinton would have changed in the slightest; it has
>been in the works for some time.

I've got no doubts that this would probably have gone ahead if Bush
was still president.  What's puzzling to me are the people who are
apparently amazed that Clinton is going along with it.
-- 
Other than that, Mrs. Lincoln, how did you like the play?

Newsgroup: sci.crypt
Document_id: 15525
From: Grant@DOCKMASTER.NCSC.MIL (Lynn R Grant)
Subject: Another key registration body bites the dust (IMHO)

One of the candidates that has been suggested for a key registration
body is the ACLU.  I think this is a poor choice.  The ACLU is
essentially a group of auditors: they audit how people's civil
liberties are administered.  Traditionally, auditors do not like to get
involved in the design or operational aspects of things, and with good
reason.

When I was a systems programmer, it always infuriated me that the
auditors would come in and tell us our implementation stunk from a
security point of view, but wouldn't tell us how to fix it.  I always
figured they just liked to criticize, without doing the work to help fix
the problem.

Then I took a stint as an auditor, and I found out the real reason.
Auditors don't like to recommend solutions, because it puts them in a
bad position if they have to criticize the implementation later.  The
auditee can say, "Well, you told us this way would be OK."  It
compromises the independence that is a necessary part of the auditor's
job.

Taking the case at hand, suppose ACLU becomes a key half registrar.
Suppose that, perhaps through some error on ACLU's part, a key half gets
away that shouldn't, and is used to deprive someone of her civil
liberties.  The ACLU gets wind of this, and wants to take it to court.
But they end up being at the same time on the side of the defendant
and of the plaintiff, which is not an easy position to be in.

There are exceptions to the complete independence of auditors: at one
place where I worked, when payroll checks were printed, they were signed
automatically by a signature drum on the bursting machine.  This drum
was kept by the auditors (who also kept the check stock), and
was brought down to Data Processing when it was time to do the checks.

I believe the difference between this situation and the key registration
situation is that it is fairly obvious when it is time to do the payroll
checks:  if they were done yesterday, and someone wants to do them again
today, he better be able to produce yesterday's checks so that they can
be destroyed.  Determining which of the many requests for key halves are
legit is a trickier process, one much more prone to mistakes that could
put the ACLU in a protecting-the-client versus protecting-the-ACLU
conflict of interest.

As always, my opinions are my own.

Lynn Grant
Grant@Dockmaster.NCSC.MIL

Newsgroup: sci.crypt
Document_id: 15526
From: amolitor@nmsu.edu (Andrew Molitor)
Subject: Re: Off the shelf cheap DES keysearch machine (Was: Re: Corporate acceptance of the wiretap chip)

In article <1993Apr20.192105.11751@ulysses.att.com>
	smb@research.att.com (Steven Bellovin) writes:
>
> [ responding to claims about Skipjack cracking engines ]
>
>Thousands?  Tens of thousands?  Do some arithmetic, please...  Skipjack
>has 2^80 possible keys.  Let's assume a brute-force engine like that
>hypothesized for DES:  1 microsecond per trial, 1 million chips.  That's
>10^12 trials per second, or about 38,000 years for 2^80 trials.  Well,
>maybe they can get chips running at one trial per nanosecond, and build
>a machine with 10 million chips.  Sure -- only 3.8 years for each solution.
>

	I think I should also point out that the mystical DES engines
are known plaintext engines (unless you add a ton of really smart
hardware?)

	The 'plaintext' is digitized voice, and exists for a very short
time, probably in a couple inches of copper, tops. It's flatly not
available -- your bug in my office can hear my voice, and even digitize
it, but it's going to get a different bitstream.

	It is horribly naive to suppose that regular folks can figure
out how to crack skipjack, or clipper based telephones. I'm certainly
not devoting a great deal of thought to it.

	Andrew Molitor


Newsgroup: sci.crypt
Document_id: 15527
From: hanson@kronos.arc.nasa.gov (Robin Hanson)
Subject: Estimating Wiretap Costs/Benefits

I'm attempting to write a serious policy paper examining whether the
proposed wiretap (or "Clipper") chip is a cost-effective tool for
police investigation.  That is, ignoring concerns about government
intrusions into individual privacy, is the value of easy wiretaps to
investigators greater than the cost to the communications industry,
and their customers, to support this wiretap technology?  

A rough estimate suggests that wiretaps are worth about five million
dollars per year to U.S. law enforcement agencies.  (In 1990, 872 U.S.
wiretaps led to 2057 arrests, while total police expenditures of $28
billion led to 11.25 million arrests [ref US Statistical Abstracts].)
I'm working on estimating this wiretap benefit more accurately, but
I'd like to ask hardware experts out there to help me with estimating
the costs of the new proposed wiretap technology.

Please send me quotable/citable estimates for:

- How many chips would need to be made per year to keep all
  phones with wiretap chips?
- How much would it cost to make each chip?
- How much did it cost to develop this technology in the first place?
- How much more would supporting hardware, people, etc. cost, per chip?
- What percentage cheaper would encryption chips and support have been
  if private enterprise could compete to meet customer encryption needs?
- What percentage of phone traffic would be taken up by the proposed
  "law enforcement blocks"?
- What is the total cost of handling all phone traffic per year?

Put another way, the question I'm asking is, what if each police
agency that wanted a particular wiretap had to pay for it, being
charged their share of the full social cost of forcing communication
to be wiretap compatible?  Would they choose to buy such wiretaps, or
would they find it more cost-effective to instead investigate crimes
in other ways?
-- 
Robin Hanson  hanson@ptolemy.arc.nasa.gov 
415-604-3361  MS-269-2, NASA Ames Research Center, Moffett Field, CA 94035
510-651-7483  47164 Male Terrace, Fremont, CA  94539-7921 

Newsgroup: sci.crypt
Document_id: 15528
From: Markowitz@DOCKMASTER.NCSC.MIL
Subject: exportability of PKZIP (was: RE: RC2)

Vesselin Bontchev (bontchev@fbihh.informatik.uni-hamburg.de) writes:

>>Markowitz@DOCKMASTER.NCSC.MIL writes:
>>> It is interesting to note in this regard that permission to export
>>> PKZIP's encryption scheme has twice been denied by NSA.  Draw your own
>>> conclusions.

>>Uh, I'm afraid that your information is slightly out of date...
>>PKWare has obtained a license to export their program to the whole
>>world, except a very limited list of countries...  Draw your own
>>conclusions about the strength of the algorithm...  :-)

Sorry if I was less than clear.  :-) I was referring to our own efforts
to receive export permission from NSA for the PKZIP encryption
algorithm, not to any effort on the part of Phil Katz or PKWare.

I should point out that the original version of this algorithm was
designed by Roger Schlafly and that WE (meaning Roger and myself) were
twice denied an export license for it.  The second go 'round was just
this past fall.

I had no knowledge of Phil's attempts in this.  I do not even *know* for
sure if he chose to implement the algorithm as it was designed by
Roger, though I *believe* that was at least the case for versions prior
to 2.0.  And then there's the question of key management.  :-)

And even if our applications were identical, there is no reason to
assume the NSA would treat them that way.  :-)

-mjm

----------
  Michael J. Markowitz, VP R&D      markowitz@dockmaster.ncsc.mil
  Information Security Corp.        708 405-0500, fax: 708 405-0506
  1141 Lake Cook Rd., Suite D       MCI:  363-1959
  Deerfield, IL  60302              CIS: 76206,2617


Newsgroup: sci.crypt
Document_id: 15529
From: amolitor@nmsu.edu (Andrew Molitor)
Subject: Re: Off the shelf cheap DES keysearch machine (Was: Re: Corporate acceptance of the wiretap chip)

In article <1r1otuINNdb2@dns1.NMSU.Edu>
	amolitor@nmsu.edu (Andrew Molitor) writes:

>	The 'plaintext' is digitized voice, and exists for a very short
>time, probably in a couple inches of copper, tops. It's flatly not
>available -- your bug in my office can hear my voice, and even digitize
>it, but it's going to get a different bitstream.

	I am an idiot. The plaintext that's relevant is the session key.
If you know that, you probably don't need a roomful of chips, do you?
If you were going to brute force something interesting, that'd be the
message stream, which is sort of approximately known by, say, a bug in
my office. Then your roomful of chips could get the session key. Which
I change every morning.

	Really, it's just a whole lot easier for the illicit wiretappers
to stick a bug in your phone.

	Andrew Molitor

Newsgroup: sci.crypt
Document_id: 15530
From: hollasch@kpc.com (Steve Hollasch)
Subject: Re: Clipper considered harmful

brad@optilink.COM (Brad Yearwood) writes:
| If Clipper comes to cellular phones along with legal proscriptions against
| using other cipher systems on these phones, a new and potentially dangerous
| class of crime is created.
| 
| Criminals who very badly want inscrutable tactical communications
| (specifically the terrorists and drug dealers who proponents of key escrow
| cite as threats) will be highly motivated to steal the cipher phone of a
| legitimate user, and to kill this person or hold them hostage so discovery
| of compromise of the device will be delayed.

    Yow - get some sleep Brad!  You mean that people (i.e. life-is-cheap
terrorists & drug-dealing warlords) who want to communicate in privacy will
prefer to break into my house, kill or kidnap me, and steal my telephone,
rather than:

        - Spending $15 at K-mart to buy a new phone.

        - Purchasing a load of phones from the black market / flea market /
          super market.

        - Talking (*gasp*) face-to-face.

        - Walking down to any one of millions of pay phones.

        - Using messengers.

        - Going to excruciating effort to think of code phrases like "I had
          a blowout on the freeway today".

    Look, this system does nothing to threaten folks who _know_ they're
being wiretapped, since it's trivial to find other avenues of communication;
they'd have no reason to resort to extreme measures, since a plethora of
simple alternatives are easily available to them.

    Among all the legitimate reasons to damn the proposed system, I don't
think we need to worry about terrorist commie drug warlord assassin thugs
murdering our families, kicking the dog and leaving the toilet seat up just
to steal a $15 telephone.  The system is more like urine testing:  it
catches some small number of very stupid people, has no effect on the "bad
guys" with at least three neurons working in unison who wish to subvert it,
and penalizes most heavily those who have no cause to be subject to it.

______________________________________________________________________________
Steve Hollasch                                   Kubota Pacific Computer, Inc.
hollasch@kpc.com                                 Santa Clara, California

Newsgroup: sci.crypt
Document_id: 15531
From: amanda@intercon.com (Amanda Walker)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

gtoal@gtoal.com (Graham Toal) writes:
> Oh, I see your point.  I think you're wrong.  But if you sit back and 
> wait to find out if I'm right, it'll be too late.  Just listen *very* 
> carefully for the first 'such and such will not be permitted on network 
> XYZ' shoe to drop. 

I've been a very intent spectator of the NREN for years.  As a 
commercial IP software vendor, it really is my professional opinion that the 
NREN, at this point, is irrelevant to private sector networking.  If it had 
been deployed five years ago, it would have been a major development.  Now,
however, it's just an upgrade to the NSFnet, and an attempt to revive the 
lagging use of the national supercomputer centers.  You could cut out the 
NSFnet completely, and the Internet would continue chugging along without a 
hiccup (aside from a few universities).

Long-haul networking and Internet connectivity have long since ceased to be 
under federal sponsorship or regulation, at least in the USA.  The success of 
the CIX (Commercial Internet Exchange) is a prime example of this.  While our 
dear VP has been promoting his "data superhighway," the private sector has 
been building it, without the NSFnet's restrictions.

To illustrate, a connection from the machine on my desk to the machine your 
article was posted from (pizzabox.demon.co.uk) involves *only* commercial IP 
providers until it hits Amsterdam.  No NSFnet.  No NREN.  No "appropriate 
use" restrictions.  It's even 1.544mbps (T1) until it hits the EUnet 
gateway...

QED.


Amanda Walker
InterCon Systems Corporation



Newsgroup: sci.crypt
Document_id: 15532
From: usenet@news.cso.uiuc.edu (Net Noise owner)
Subject: Re: Fascinating facts: 30 bit serial number, possibly fixed S1 and S2

The only way to view this method of generating unit keys is as a back-door.
What else can you call a key deterministically generated from the serial
number?


 To generate the unit key for a serial number N, the 30-bit value N is
   first padded with a fixed 34-bit block to produce a 64-bit block N1.
   S1 and S2 are then used as keys to triple-encrypt N1, producing a
   64-bit block R1:

	   R1 = E[D[E[N1; S1]; S2]; S1] .

   Similarly, N is padded with two other 34-bit blocks to produce N2 and
   N3, and two additional 64-bit blocks R2 and R3 are computed:  

	   R2 = E[D[E[N2; S1]; S2]; S1] 
	   R3 = E[D[E[N3; S1]; S2]; S1] .

   R1, R2, and R3 are then concatenated together, giving 192 bits. The
   first 80 bits are assigned to U1 and the second 80 bits to U2.  The
   rest are discarded.  The unit key U is the XOR of U1 and U2.  U1 and U2
   are the key parts that are separately escrowed with the two escrow
   agencies.


What happens is that the need for the Escrow houses is completely eliminated.
Or should I say, the need to _access_ the Escrow houses to decrypt the data.
The houses will still serve a real purpose as far as generating the illusion
of protection, and small-town cops won't be let in on the "secret", so they
will still go through the motions of going to the Escrow houses, but the fact
is __the Federal government CAN and WILL build a chip which generates the unit
keys from the encrypted serial number!__  'Nuff Said.
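The quoted derivation above is concrete enough to run. What follows is an added example, not code from the poster, from Denning's description or from any Clipper implementation, that carries the quoted steps through: pad the 30-bit serial N three ways, triple-encrypt each block as E[D[E[Ni; S1]; S2]; S1], concatenate R1||R2||R3 to 192 bits, take U1 and U2 as the first two 80-bit pieces, and form U = U1 XOR U2. Two things are assumptions: the 64-bit block cipher is a constructed SHA-256-based Feistel network standing in for the real one (no DES or Skipjack is implemented here), and the three 34-bit pads and the family secrets S1, S2 are constructed placeholders placed in the high bits, since the page gives neither the values nor the padding layout. The point the post makes falls straight out of the code: `reconstruct_from_escrow` needs both agencies' halves, while `regenerate_from_serial` needs only S1, S2 and the serial number.

```python
import hashlib
from typing import Tuple

# --- Stand-in 64-bit block cipher (constructed; NOT DES or Skipjack) -------
# A 16-round Feistel network whose round function is SHA-256 truncated to
# 32 bits.  It only has to be an invertible keyed permutation so that the
# E[D[E[...]]] structure from the quoted text can be exercised.
ROUNDS = 16
MASK32 = (1 << 32) - 1


def _round_fn(half: int, key: bytes, rnd: int) -> int:
    digest = hashlib.sha256(key + bytes([rnd]) + half.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")


def E(block: int, key: bytes) -> int:
    """Encrypt one 64-bit block under `key`."""
    left, right = block >> 32, block & MASK32
    for rnd in range(ROUNDS):
        left, right = right, left ^ _round_fn(right, key, rnd)
    return (left << 32) | right


def D(block: int, key: bytes) -> int:
    """Invert E by undoing the rounds in reverse order."""
    left, right = block >> 32, block & MASK32
    for rnd in reversed(range(ROUNDS)):
        left, right = right ^ _round_fn(left, key, rnd), left
    return (left << 32) | right


def triple(block: int, s1: bytes, s2: bytes) -> int:
    """E[D[E[block; S1]; S2]; S1], as written in the quoted description."""
    return E(D(E(block, s1), s2), s1)


# --- Unit key derivation as the quoted text describes it -------------------
SERIAL_BITS = 30
PAD_BITS = 34
# Three fixed 34-bit padding blocks.  These values are constructed for the
# example; the real ones are not on the page.  Assumed layout: pad in the
# high 34 bits, serial number in the low 30 bits.
PADS: Tuple[int, ...] = (0x0ABCDEF01, 0x1FEDCBA98, 0x2AAAAAAAA)
assert all(0 <= p < (1 << PAD_BITS) for p in PADS)


def _padded(serial: int, pad: int) -> int:
    if not 0 <= serial < (1 << SERIAL_BITS):
        raise ValueError("serial number must be a 30-bit value")
    return (pad << SERIAL_BITS) | serial


def unit_key(serial: int, s1: bytes, s2: bytes) -> Tuple[int, int, int]:
    """Return (U, U1, U2): the unit key and the two 80-bit escrowed halves."""
    r1, r2, r3 = (triple(_padded(serial, pad), s1, s2) for pad in PADS)
    concat = (r1 << 128) | (r2 << 64) | r3       # 192 bits: R1 || R2 || R3
    u1 = concat >> 112                            # first 80 bits
    u2 = (concat >> 32) & ((1 << 80) - 1)         # next 80 bits; low 32 discarded
    return u1 ^ u2, u1, u2


def reconstruct_from_escrow(u1: int, u2: int) -> int:
    """What an authorised requester gets after BOTH escrow agencies release a half."""
    return u1 ^ u2


def regenerate_from_serial(serial: int, s1: bytes, s2: bytes) -> int:
    """What anyone holding S1 and S2 gets from the serial number alone."""
    return unit_key(serial, s1, s2)[0]


if __name__ == "__main__":
    S1, S2 = b"family-secret-S1", b"family-secret-S2"   # constructed placeholders
    serial = 0x1234567                                    # constructed 30-bit serial
    u, u1, u2 = unit_key(serial, S1, S2)
    print("U via escrow halves :", hex(reconstruct_from_escrow(u1, u2)))
    print("U via serial + S1,S2:", hex(regenerate_from_serial(serial, S1, S2)))
```

Because the derivation is deterministic in N, the escrow split protects U only against parties who lack S1 and S2; whoever holds both family secrets never needs to ask either agency, which is exactly the post's objection.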

Newsgroup: sci.crypt
Document_id: 15533
From: warlord@MIT.EDU (Derek Atkins)
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks only

-----BEGIN PGP SIGNED MESSAGE-----

> Why do we hackers care about the Clipper chip?  Do we give a shit
> about anybody's privacy except our own?  And perhaps not even our
> own; are we so smart that we always know when we're talking to
> somebody who has a wiretap on their phone?

I find this a very disturbing view!  Yes, we DO care about EVERYONE's
privacy... Even if "they" don't know it. What happens if the gov't
starts creating legislation such that the Clipper and such
technologies become the only "legal" encryption forms?  What happens
when the Clipper is the *ONLY* type of encryption chips available to
the masses?

Sure, you might have your own method of encryption, but if you don't
have anyone else to talk to, what use is it?  You can't assume that
EVERYONE will be as open as you appear to be about encryption.

The point here is not the specific instance of the Wiretap Chip.
Rather, it is like having the government telling you that they want a
copy of your house key, safe-deposit box keys, etc., and telling you
that "they won't use them unless it's totally necessary."  I sure
wouldn't want that.  Why should encryption be any different?

- -derek

PGP 2 key available upon request on the key-server:
	pgp-public-keys@toxicwaste.mit.edu

-----BEGIN PGP SIGNATURE-----
Version: 2.2

iQBuAgUBK9RxVjh0K1zBsGrxAQHd8ALEDi3Ear7rEmr1UHuxqv2YIblH6px6VXnb
+sJLcUGzZxTCfxbRqIf7msLp98p0EvYYnLZbbORyVhfSzyyHYHeQqQILHEK3LPQE
aP29+od6YZrCCHarNRS024E=
=Ftek
-----END PGP SIGNATURE-----
--
  Derek Atkins, MIT '93, Electrical Engineering and Computer Science
     Secretary, MIT Student Information Processing Board (SIPB)
           MIT Media Laboratory, Speech Research Group
           warlord@MIT.EDU       PP-ASEL        N1NWH

Newsgroup: sci.crypt
Document_id: 15534
From: pdc@dcs.ed.ac.uk (Paul Crowley)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

Quoting pla@sktb.demon.co.uk in article <8AOHOnj024n@sktb.demon.co.uk>:
>You have every reason to be scared shitless.  Take a look at the records
>of McCarthy, Hoover (J. Edgar, not the cleaner - though they both excelled at
>sucking) and Nixon.

History does not record whether J. Edgar Hoover was any good at sucking.
As for the cleaners, I'll stick with my 850W Electrolux and damn the
carpet.
  __                                  _____
\/ o\ Paul Crowley   pdc@dcs.ed.ac.uk \\ //
/\__/ Trust me. I know what I'm doing. \X/  Fold a fish for Jesus!

Newsgroup: sci.crypt
Document_id: 15535
From: amolitor@nmsu.edu (Andrew Molitor)
Subject: Re: Once tapped, your code is no good any more.

In article <C5so84.Hxv@demon.co.uk> Graham Toal <gtoal@gtoal.com> writes:
>Actually, I am *completely* baffled by why Dorothy Denning has chosen
>to throw away her academic respectability like this.  It looks to me
>like a *major* Career Limiting Move.  There can be very few people
>who know what she's been saying who take her seriously any more.

	Actually, I've been following her remarks for some time, with
interest. I'm also a member of academia, and her remarks have nothing
but elevated her respectability in my eyes. It remains to be seen whether
you are the radical fringe, or I.

	It is generally an error to assume that your beliefs are held by
the majority, or even a sizable minority. Especially when you're seeing
tens, nay dozens, of people on usenet agreeing with you.

	Andrew Molitor

Newsgroup: sci.crypt
Document_id: 15536
From: dgr@ENG.Vitalink.COM (Daniel Robinson)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

In article <1993Apr19.130132.12650@afterlife.ncsc.mil> rlward1@afterlife.ncsc.mil (Robert Ward) writes:
+In article <bontchev.734981805@fbihh> bontchev@fbihh.informatik.uni-hamburg.de writes:
+>and since the US constitution guarantees the right to every American
+>to bear arms, why is not every American entitled, as a matter of
+
+Have you read the applicable part of the Constitution and interpreted it IN 
+CONTEXT?  If not, please do so before posting this misinterpretation again.
+It refers to the right of the people to organize a militia, not for individuals 
+to carry handguns, grenades, and assault rifles.  

Hmmm, this could become a flame war very quickly.  The text is "...well
regulated militia..."  When that amendment was written and approved,
"regulated" meant "armed".  Remember all of those Westerns where bounty
hunters were called "regulators"?  This is now an archaic usage of the
word, but the original intent of the amendment was about weapons, not
control.

My $0.02.

Dan Robinson

Newsgroup: sci.crypt
Document_id: 15537
From: Graham Toal <gtoal@gtoal.com>
Subject: Re: Off the shelf cheap DES keysearch machine (Was: Re: Corporate acceptance of the wiretap chip)

In article <1993Apr20.192105.11751@ulysses.att.com> smb@research.att.com (Steven Bellovin) writes:
:Thousands?  Tens of thousands?  Do some arithmetic, please...  Skipjack
:has 2^80 possible keys.

We don't yet know if all 80 bits count.  Anyway, it's looking like the
keys and escrow arrangements are smoke and mirrors to cover the way the NSA
can regenerate the key from the transmitted serial number.

G

Newsgroup: sci.crypt
Document_id: 15538
From: olson@umbc.edu (Bryan Olson; CMSC)
Subject: Re: WH proposal from Police point of view


In article <1993Apr18.034352.19470@news.clarkson.edu>, tuinstra@sunspot.ece.clarkson.edu.soe (Dwight Tuinstra) writes:
|> It might pay to start looking at what this proposal might mean to a
|> police agency.  It just might be a bad idea for them, too.
|> 
|> OK, suppose the NY State Police want to tap a suspect's phone.  They
|> need a warrant, just like the old days.  But unlike the old days, they
|> now need to 
|> 
|>    (a) get two federal agencies to give them the two parts of
|>        the key.
|> 
|> Now, what happens if there's a tiff between the two escrow houses?
|> Possession/release of keys becomes a political bargaining chit.

	While I think it is unrealistic to suppose that the federal
agencies will fail to promptly comply with a court order, there is 
still a good point here.  Local law enforcement will be unable to perform
a wiretap without bringing in federal agencies.   Based on the (possibly
incomplete) understanding of the system quoted from D. Denning, only the
FBI will be able to decrypt the system key encryption layer, which seems
to be needed even to identify what escrowed keys to request.  This moves
a great deal of law enforcement power to the federal level.
	The reason I like this point is that it may sway or even persuade
people who don't generally line up with the civil liberties crowd.  A
national police force is opposed by people from a broad range of political 
viewpoints.


olson@umbc.edu

Newsgroup: sci.crypt
Document_id: 15539
From: steve-b@access.digex.com (Steve Brinich)
Subject: Re: Once tapped, your code is no good any more.

  For that matter, it shouldn't be that difficult to design a black box
that gives off EMR similar to a monitor with gibberish on the screen....





Newsgroup: sci.crypt
Document_id: 15540
From: rdippold@qualcomm.com (Ron "Asbestos" Dippold)
Subject: Re: Once tapped, your code is no good any more.

Graham Toal <gtoal@gtoal.com> writes:
>Actually, I am *completely* baffled by why Dorothy Denning has chosen
>to throw away her academic respectability like this.  It looks to me
>like a *major* Career Limiting Move.  There can be very few people
>who know what she's been saying who take her seriously any more.

I'm not sure it is a major limiting move... in the academic circles
I've seen, arguing for increased government intervention and
management is almost always a plus (not the least because it usually
means more high paying jobs for academics as "advisors").  Also
consider that it looks like Denning has some decent NSA / government
connections, which is always a plus for an academic institute that
wants more government funding and work tossed their way.

Despicable, yes; career limiting, well, the publicity probably
outweighs the drawbacks.  And there are a whole bunch of people who
think the whole thing is just peachy keen. If it's only going to be
used against drug dealers, child pornographers, and terrorists, well
it must be good. :p
-- 
Truth is hard to find and harder to obscure.

Newsgroup: sci.crypt
Document_id: 15541
From: steve-b@access.digex.com (Steve Brinich)
Subject: Re: Clipper considered harmful

 > > Criminals who very badly want inscrutable tactical communications
 > >(specifically the terrorists and drug dealers who proponents of key escrow
 > >cite as threats) will be highly motivated to steal the cipher phone of
 > >a legitimate user, and to kill this person or hold them hostage so
 > >discovery of compromise of the device will be delayed.

 >Why doing it in such a rough manner? It is much more professional to
 >steal the chip from the phone and even to replace it with a
 >pin-compatible do-nothing chip that does not encrypt at all. Chances
 >are that the victim will not notice anything, especially if it is done
 >professionally.

  Assuming that the bad guys can easily obtain substitute chips which don't
cause any noticeable effect to either the user or the person at the other end
of the line (if there is any significant difficulty to obtaining such chips,
some of the criminals will decide to fall back on the murder/kidnap method).

 > > Once a suitable collection of devices is stolen, criminals can communicate
 > >with impunity (assuming the cipher system carries no trapdoors apart from
 > >key escrow) until and unless the compromise is discovered by some other
 > >means.

 > No, because the Feds will still be able to decrypt the conversations.
 >True, they'll blame the wrong guys, but nevertheless one cannot say
 >something like "The drugs arrive tomorrow on the ship 'Terminus'"
 >when the Feds are listening, even if they cannot identify who the
 >speaker is.

 This assumes that the Feds are tapping Clipper phones belonging to ordinary
citizens (getting such a phone is the whole point of the crime under
discussion).  To be sure, I wouldn't put it past them -- but raising the
possibility of such crime has the benefit of forcing the Feds to either
'fess up about such intentions in advance or state that using Clipper
exposes the user to an additional criminal threat. <g>

 > No, the criminals will just use some secure encryption. The new
 >proposal does not stop criminals; it ensures that the government will
 >be able to wiretap the average citizen and stops the casual snooper.
 >To me, it also clearly looks like a step towards outlawing any other
 >strong encryption devices.

  Agreed.

Newsgroup: sci.crypt
Document_id: 15542
From: amanda@intercon.com (Amanda Walker)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

pdc@dcs.ed.ac.uk (Paul Crowley) writes:
> As for the cleaners, I'll stick with my 850W Electrolux and damn the 
> carpet. 

Nah.  Nothing sucks like a VAX :)...


Amanda Walker
InterCon Systems Corporation



Newsgroup: sci.crypt
Document_id: 15543
From: steve-b@access.digex.com (Steve Brinich)
Subject: Re: Once tapped, your code is no good any more.

 > I wonder if she landed such a fat fee from cooperation with the NSA in
 >the design and propaganda stages that she doesn't care any more? 

  Which is to say: is the NSA -totally- perfidious, or does it at least
have the redeeming virtue of taking care of its own? <g>

Newsgroup: sci.crypt
Document_id: 15544
From: rlglende@netcom.com (Robert Lewis Glendenning)
Subject: Re: Estimating Wiretap Costs/Benefits

In article <1993Apr20.203756.20667@kronos.arc.nasa.gov> hanson@kronos.arc.nasa.gov (Robin Hanson) writes:
>I'm attempting to write a serious policy paper examining whether the
>proposed wiretap (or "Clipper") chip is a cost-effective tool for
>police investigation.  That is, ignoring concerns about government
>intrusions into individual privacy, is the value of easy wiretaps to
>investigators greater than the cost to the communications industry,
>and their customers, to support this wiretap technology?  
>
>A rough estimate suggests that wiretaps are worth about five million
>dollars per year to U.S. law enforcement agencies.  (In 1990, 872 U.S.
>wiretaps led to 2057 arrests, while total police expenditures of $28
>billion led to 11.25 million arrests [ref US Statistical Abstracts].)
>I'm working on estimating this wiretap benefit more accurately, but
>I'd like to ask hardware experts out there to help me with estimating
>the costs of the new proposed wiretap technology.
>
>Please send me quotable/citeable estimates for:
>
>- How many chips which would need to be made per year to keep all
>  phones with wiretap chips?
>- How much would it cost to make each chip?
>- How much did it cost to develop this technology in the first place?
>- How much more would supporting hardware, people, etc. cost, per chip?
>- What percentage cheaper would encryption chips and support have been
>  if private enterprise could compete to meet customer encryption needs?
>- What percentage of phone traffic would be taken up by the proposed
>  "law enforcement blocks"?
>- What is the total cost of handling all phone traffic per year?
>
>Put another way, the question I'm asking is, what if each police
>agency that wanted a particular wiretap had to pay for it, being
>charged their share of the full social cost of forcing communication
>to be wiretap compatible?  Would they choose to buy such wiretaps, or
>would they find it more cost-effective to instead investigate crimes
>in other ways?
>-- 
>Robin Hanson  hanson@ptolemy.arc.nasa.gov 
>415-604-3361  MS-269-2, NASA Ames Research Center, Moffett Field, CA 94035
>510-651-7483  47164 Male Terrace, Fremont, CA  94539-7921 

First, what the fuck is NASA doing wasting my tax dollars doing
policy papers on stuff far outside of their purview/mission?
                                                                         
Second, this isn't a problem of economics.  This is a problem of
the incremental accumulation of police-state powers by our government.
 
How, exactly, do you put a price on the loss of freedom of a society?
Maybe use the dollars/life lost calculations for the extra people
killed by the gov.  The pain and suffering cases for those tortured.
The dollars/life lost caused by the inevitable collapse of the economy,
and all the secondary effects of diseases, diet, etc.  Plus, the
inevitable collapse of the economy as the gov controls it, becomes 
corrupt, etc.

Do us a favor.  Resign rather than write this paper for NASA.  Go
do useful work for the society.

lew
-- 
Lew Glendenning		rlglende@netcom.com
"Perspective is worth 80 IQ points."	Niels Bohr (or somebody like that).

Newsgroup: sci.crypt
Document_id: 15545
From: boucher@csl.sri.com (Peter K. Boucher)
Subject: Pseudo-Random Character Generators (large state)

Here are four pseudo-random character generators, based on
irreducible trinomials.  Each contains 16 separate trinomials,
one of which is selected on initialization (there are 64
distinct trinomials between the 4 PRCGs).  The PRCGs are
initialized with a 32-bit seed, and a 4-bit trinomial-
selector.

I would like to get comments on these by anyone who is
interested enough to look them over.  Please email,
because our news is on the fritz (Note that this was
posted via email).

Peter K. Boucher    <boucher@csl.sri.com>

================ CLIP CLIP =================================

begin 660 rnd.tar.Z
[uuencoded body of rnd.tar.Z not preserved in this copy]
end

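An added example, not the contents of rnd.tar.Z above: the construction the
post describes (a trinomial x^n + x^k + 1 over GF(2) chosen by a small
selector, a 32-bit seed, bits and bytes read off a linear feedback shift
register), together with the check a reviewer of such a generator would
run first.  Any sequence produced by an LFSR of length n is fixed by 2n
consecutive output bits: the Berlekamp-Massey algorithm recovers the
feedback polynomial and the rest of the stream from them.  The trinomial
table is an assumption (a few well-known primitive trinomials, not the 16
per generator in the archive), and the seed expansion is one arbitrary
choice, not the poster's.

```python
# Added example (not the poster's rnd.tar.Z): a trinomial LFSR "pseudo-random
# character generator" with a 32-bit seed and a small trinomial selector, plus
# the Berlekamp-Massey check that recovers the feedback polynomial and predicts
# the rest of the stream from 2n output bits.
from typing import List, Tuple

# Assumed table: (n, k) stands for x^n + x^k + 1 over GF(2).  Every degree here
# is a Mersenne-prime exponent, so an irreducible trinomial is automatically
# primitive and a nonzero state cycles through all 2^n - 1 states.
TRINOMIALS: List[Tuple[int, int]] = [(7, 1), (17, 3), (31, 3), (89, 38), (127, 1)]


class TrinomialLFSR:
    """Fibonacci LFSR for x^n + x^k + 1, i.e. s[t+n] = s[t+k] ^ s[t]."""

    def __init__(self, seed: int, selector: int) -> None:
        if not 0 <= seed < 1 << 32:
            raise ValueError("seed must fit in 32 bits")
        self.n, self.k = TRINOMIALS[selector % len(TRINOMIALS)]
        # Spread the 32-bit seed over n state bits (assumed scheme).  The
        # all-zero state is a fixed point, so it is forced to 1.
        word = seed or 1
        state = 0
        while state.bit_length() < self.n:
            state = (state << 32) | word
        self.state = state & ((1 << self.n) - 1) or 1

    def next_bit(self) -> int:
        out = self.state & 1
        fb = out ^ ((self.state >> self.k) & 1)
        self.state = (self.state >> 1) | (fb << (self.n - 1))
        return out

    def next_byte(self) -> int:
        """One output character: eight successive bits, least significant first."""
        return sum(self.next_bit() << i for i in range(8))

    def period(self) -> int:
        """Brute-force period of the current state; small n only."""
        if self.n > 20:
            raise ValueError("period search is only practical for small n")
        start, steps = self.state, 0
        while True:
            self.next_bit()
            steps += 1
            if self.state == start:
                return steps


def berlekamp_massey(bits: List[int]) -> Tuple[int, List[int]]:
    """Shortest GF(2) LFSR generating `bits`.  Returns (L, [c0..cL]) with
    c0 = 1 and s[N] = XOR over i=1..L of c[i] & s[N-i]."""
    n = len(bits)
    c, b = [0] * (n + 1), [0] * (n + 1)
    c[0] = b[0] = 1
    L, m = 0, -1  # m: index at which L last changed
    for i in range(n):
        d = bits[i]
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d:
            t = c[:]
            shift = i - m
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L, c[: L + 1]


def extend(bits: List[int], c: List[int], L: int, count: int) -> List[int]:
    """Continue `bits` for `count` more positions using the recurrence c."""
    s = list(bits)
    for _ in range(count):
        nxt = 0
        for j in range(1, L + 1):
            nxt ^= c[j] & s[-j]
        s.append(nxt)
    return s[len(bits):]


def recover_and_predict(seed: int, selector: int, extra: int = 64) -> Tuple[int, List[int], bool]:
    """Observe 2n output bits, run Berlekamp-Massey, predict `extra` further
    bits and report whether they match what the generator really emits."""
    gen = TrinomialLFSR(seed, selector)
    observed = [gen.next_bit() for _ in range(2 * gen.n)]
    L, c = berlekamp_massey(observed)
    predicted = extend(observed, c, L, extra)
    actual = [gen.next_bit() for _ in range(extra)]
    return L, c, predicted == actual


if __name__ == "__main__":
    L, c, ok = recover_and_predict(0xDEADBEEF, 0)
    print("recovered length", L, "taps", [i for i, v in enumerate(c) if v], "prediction ok:", ok)
```

For x^n + x^k + 1 the recovered connection polynomial is the reciprocal
1 + x^(n-k) + x^n, so the taps come back as positions n-k and n.  Selecting
a longer trinomial only raises the number of observed bits needed to 2n;
it does not change the outcome, which is why an LFSR on its own is a
statistical generator and not a keystream generator.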
Newsgroup: sci.crypt
Document_id: 15546
From: shirriff@sprite.berkeley.edu (Ken Shirriff)
Subject: Re: Clipper considered harmful

In article <15469@optilink.COM> brad@optilink.COM (Brad Yearwood) writes:
>Finally, because there is essentially no possibility of intercepting in
>realtime the scrutable content of communications between stolen instruments,
>there will exist strong motivation to record and archive _all_ communications
>in the network for ex-post-facto scrutiny (once some criminal act is
>discovered, and the instruments involved have been identified).

It seems likely to me that that a large subset of encrypted communications
would be archived to tape so they could be read if sometime in the future
probable cause arises and a warrant is obtained.  I can even imagine this
being found legal and constitutional, since nothing is actually listened to
until a valid warrant is issued and the keys are obtained.

Imagine archiving all pay-phone conversations, so if someone turns out
to be a drug dealer, you can listen to all their past drug deals.  And
archive calls to/from suspected Mafia members, potential terrorists,
radicals, etc.  Imagine the convenience for the police of being able to
get a warrant now and listening to all the calls the World Trade Center
bombers made in the past year.

Since archiving would be such a powerful tool and so easy to do, why
wouldn't it happen?

Ken Shirriff				shirriff@sprite.Berkeley.EDU

Newsgroup: sci.crypt
Document_id: 15547
From: sommerfeld@apollo.hp.com (Bill Sommerfeld)
Subject: A little political philosophy worth reading.

Read this through once or twice.  Then replace "prince" with
"government" or "president", as appropriate, and read it again.  

[From Chapter XX of _The Prince_, by N. Macchiavelli, as translated by
Daniel Donno.]

	In order to keep their lands secure, some princes have
disarmed their subjects; others have prompted division within the
cities they have subjugated.  Some have nurtured animosities against
themselves; others have sought to win the approval of those they
initially distrusted.  Some have erected fortresses; others have
destroyed them.  Now, although it is impossible to set down definite
judgements on all of these measures without considering the particular
circumstances of the states where they may be employed, I shall
nevertheless discuss them in such broad terms as the subject itself
will allow.

	To begin with, there has never been a case of a new prince
disarming his subjects.  Indeed, whenever he found them disarmed, he
proceeded to arm them.  For by arming your subjects, you make their
arms your own.  Those among them who are suspicious become loyal,
while those who are already loyal remain so, and from subjects they
are transformed into partisans.  Though you cannot arm them all,
nonetheless you increase your safety among those you leave unarmed by
extending privileges to those you arm.  Your different treatment of
the two categories will make the latter feel obligated to you, while
the former will consider it proper that those who assume added duties
and dangers should receive advantages.  

	When you disarm your subjects, however, you offend them, by
showing that, either from cowardliness or from lack of faith, you
distrust them; and either conclusion will induce them to hate you.
Moreover, since it is impossible for you to remain unarmed, you would
have to resort to mercenaries, whose limitations have already been
discussed. Even if such troops were good, however, they could never be
good enough to defend you from powerful enemies, and doubtful
subjects.  Therefore, as I have said, a new prince in a newly acquired
state has always taken measures to arm his subjects, and history is
full of examples proving that this is so.

	But when a prince takes possession of a new state which he
annexes as an addition to his original domain, then he must disarm all
the subjects of the new state except those who helped him to acquire
it; and these, as time and occasion permit, he must seek to render
soft and weak.  He must arrange matters in such a way that the arms of
the entire state will be in the hands of soldiers who are native to
his original domain.

	...

	And since the subject demands it, I will not fail to remind
any prince who has acquired a new state by the aid of its inhabitants
that he soundly consider what induced them to assist him; if the
reason is not natural affection for him, but rather dissatisfaction
with the former government, he will find it extremely difficult to
keep them friendly, for it will be impossible to please them.  If he
will carefully think the matter through in the light of examples drawn
from ancient and modern affairs, he will understand why it is much
easier to win the favor of those who were happy with their former
government, and hence were his enemies, than to keep the favor of
those who, out of dissatisfaction with the former rule, helped him to
replace it.





Newsgroup: sci.crypt
Document_id: 15548
From: C445585@mizzou1.missouri.edu (John Kelsey)
Subject: Re: How large are commercial keys?

In article <1993Apr20.182038.12009@ee.eng.ohio-state.edu>
butzerd@maumee.eng.ohio-state.edu (Dane C. Butzer) writes:
 
>Finally, can anyone even conceive of a time/place where 128 bit keys aren't
>sufficient?  (I certainly can't - even at a trillion keys a second, it
>would take about 10 billion years to search just one billionth of that keys
>space.)
 
   It depends on the attack.  Adding a bit to the key doubles the amount of
work to be done in a straight brute-force attack, where you try every single
possible key until one works.  Processing and storage requirements for this
kind of attack on a 128-bit key seem like they ought to make it effectively
impossible.  However, there may be other attacks whose difficulty is (for
example) proportional to, say, 2**sqrt(n), or some such.  Also, a long
key does you little good if there is a way to incrementally guess a little
of the key at a time....
 
>Thanks,
>Dane
   --John

Newsgroup: sci.crypt
Document_id: 15549
From: andersom@spot.Colorado.EDU (Marc Anderson)
Subject: Re: Once tapped, your code is no good any more.

In article <rdippold.735253985@qualcom> rdippold@qualcomm.com (Ron "Asbestos" Dippold) writes:
>
>geoff@ficus.cs.ucla.edu (Geoffrey Kuenning) writes:
>>Bullshit.  The *Bush* administration and the career Gestapo were
>>responsible for this horror, and the careerists presented it to the
>>new presidency as a fait accompli.  That doesn't excuse Clinton and
>>Gore from criticism for being so stupid as to go for it, but let's lay
>>the body at the proper door to start with.
>
>The final stages of denial... I can hardly imagine what the result
>would have been if the Clinton administration had actually supported
>this plan, instead of merely acquiescing with repugnance as they've so
>obviously doing.  I don't believe the chip originated with the Clinton
>administration either, but the Clinton administration has embraced it
>and brought it to fruition.

[...]

(the date I have for this is 1-26-93)

note Clinton's statements about encryption in the 3rd paragraph..  I guess
this statement doesn't contradict what you said, though.

--- cut here ---

        WASHINGTON (UPI) -- The War on Drugs is about to get a fresh
start, President Clinton told delegates to the National Federation
of Police Commissioners convention in Washington.
        In the first speech on the drug issue since his inaugural,
Clinton said that his planned escalation of the Drug War ``would make
everything so far seem so half-hearted that for all practical
purposes this war is only beginning now.'' He repeatedly emphasized
his view that ``regardless of what has been tried, or who has tried
it, or how long they've been trying it, this is Day One to me.''
The audience at the convention, whose theme is ``How do we spell
fiscal relief?  F-O-R-F-E-I-T-U-R-E,'' interrupted Clinton frequently
with applause.
        Clinton's program, presented in the speech, follows the
outline given in his campaign position papers: a cabinet-level Drug
Czar and ``boot camps'' for first-time youthful offenders.  He did,
however, cover in more detail his plans for improved enforcement
methods.  ``This year's crime bill will have teeth, not bare gums,''
Clinton said.  In particular, his administration will place strict
controls on data formats and protocols, and require the registration
of so-called ``cryptographic keys,'' in the hope of denying drug
dealers the ability to communicate in secret.  Clinton said the
approach could be used for crackdowns on other forms of underground
economic activity, such as ``the deficit-causing tax evaders who
live in luxury at the expense of our grandchildren.''
        Clinton expressed optimism that the drug war can be won
``because even though not everyone voted for Bill Clinton last
November, everyone did vote for a candidate who shares my sense of
urgency about fighting the drug menace.  The advocates of
legalization -- the advocates of surrender -- may be very good at
making noise,'' Clinton said.  ``But when the American people cast
their ballots, it only proved what I knew all along -- that the
advocates of surrender are nothing more than a microscopic fringe.''



Newsgroup: sci.crypt
Document_id: 15550
From: strnlght@netcom.com (David Sternlight)
Subject: Re: The Escrow Database.

In article <tcmayC5rs6n.Lz8@netcom.com> tcmay@netcom.com (Timothy C. May) writes:

>
>After the Waco Massacre and the Big Brother Wiretap Chip, any tactic
>is fair.

This is pernicious nonsense!

David



-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
Document_id: 15551
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Would "clipper" make a good cover for other encryption method?

In article <1993Apr20.032623.3046@eff.org> kadie@eff.org (Carl M. Kadie) writes:


>So, don't just think of replacements for clipper, also think of front
>ends.

This only makes sense if the government prohibits alternative non-escrowed
encryption schemes. Otherwise, why not just use the front end without
clipper?

David

-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
Document_id: 15552
From: pla@sktb.demon.co.uk ("Paul L. Allen")
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

-----BEGIN PGP SIGNED MESSAGE-----

In message <9304190956.AA10390@pizzabox.demon.co.uk> you write:

> : The cops/feds do *not* need to be able to get hold of your private key to
> : listen in to cellular conversations.  Encryption is not end-to-end, but 
> : cellphone to base-station
[...]

> That was true for the UK Paul, but I'm fairly sure they're talking about
> building end-to-end encryption phones out of this chip.  It's *not* for
> cellular (though it certainly could be used there in the way you suggest)

I'd lost the White House's deathless prose when I posted (that's what happens
when you read news at home when you're rat-arsed), but I did have a bunch
of follow-ups going on about cellular/cordless comms.  The original article
has reappeared, so:

    The President today announced a new initiative that will bring
    the Federal Government together with industry in a voluntary
    program to improve the security and privacy of telephone
    communications while meeting the legitimate needs of law
    enforcement.

Hmm, telephone communications could indeed include end-to-end encryption on
ordinary landlines.

    The initiative will involve the creation of new products to
    accelerate the development and use of advanced and secure
    telecommunications networks and wireless communications links.

But the next paragraph says telecoms networks and wireless communications
links.

OK, it's far from clear exactly what Cripple (what an apposite anagram) will
be applied to, but the reason Joe Public wants secure comms is to stop
people listening in to his cellular or cordless phones (and he wouldn't
even be bothered about that were it not for Wingnut and Squidqy's
misfortunes).

Yes, Cripple *might* be for end-to-end encryption, dropping to clear
when the other end doesn't have Cripple.  But then a cordless-to-ordinary
conversation would be in clear leaving the cordless end just as vulnerable
as at present.  Nope, I suspect that Cripple will only be used on radio
links.

OK, it's possible `telecommunications networks' could mean `ordinary phone
lines', but I'm betting it means the microwave links used by the telcos.

My apologies if I'm wrong, particularly if the turgid Press Release makes it
clear that I'm wrong and I missed it, but as far as I can see it was full of
obfuscation, and anyone expecting end-to-end encryption is in for a surprise
(IMHO).


BTW, Graham, I've posted questions to alt.security.pgp and not seen any
replies/followups from outside Europe - how about you?  Have I made it into
everyone's kill file, or is there some problem?

- --Paul

-----BEGIN PGP SIGNATURE-----
Version: 2.2

iQCVAgUBK9SPBmv14aSAK9PNAQGJBwP/ZoKyrm0gemlyYsNj8bqoH8l8qLJoMRBo
eOCClpKsTavebtdCLIGqHNzoWC6Ar2K1blIbpUa2tWnqwRGVa15OgOc7XXKJJ093
yb7P/vWvQbXYiA6zDJ5zkQsDeP7X6ckIDVDRz5CdIS+oNXtiOtHk3s3B3wjQBjCU
vks8KOV8gfg=
=gVy0
-----END PGP SIGNATURE-----


Newsgroup: sci.crypt
Document_id: 15553
From: pat@rwing.UUCP (Pat Myrto)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

In article <1993Apr19.130132.12650@afterlife.ncsc.mil> rlward1@afterlife.ncsc.mil (Robert Ward) writes:
>In article <bontchev.734981805@fbihh> bontchev@fbihh.informatik.uni-hamburg.de writes:
>>and since the US constitutions guarantees the right to every American
>>to bear arms, why is not every American entitled, as a matter of
>
>Have you read the applicable part of the Constitution and interpreted it IN 
>CONTEXT?  If not, please do so before posting this misinterpretation again.
>It refers to the right of the people to organize a militia, not for individuals 
>to carry handguns, grenades, and assault rifles.  

Read it again yourself, then re-apply the admonition you gave to the
previous poster to yourself, as well.  The first clause is not a condition,
it is a reason for explicitly supporting the right WHICH EXISTS, MILITIA
OR NOT, that the people have a right to keep and bear arms.  This is
NOT a right granted by the Constitution, it is a right presumed to exist
by default.  The Constitution mentioning a right is to prevent the
government from removing that right by stating very clearly the government
shall NOT infringe (mess with, block, limit) that right.  Remember the
Constitution is a bunch of negative things - things the government CANNOT
do.  All rights, etc not expressly given to the government go to the
states and the PEOPLE (the same people the other 9 Amendments in the
Bill of Rights talk about).

Since I am sure you will summarily reject my interpretation, I am
appending a linguistic analysis by one far more expert than myself (and
you, I suspect).  I am sure you will find his qualifications adequate.
If that isn't enough I can send you the Senate Subcommittee to the
Judiciary on the Constitution report on the same thing...  There are
some things in there that Big Brother types, like Biden, etc must have
really had to swallow hard to admit.

I think you will find that people that seriously study the Constitution
and state what it means will say the same thing.  Those who come up
with 'new improved meanings' are those who are trying to subvert the
Constitution for a given agenda.  Like Clinton and his Clinton Cripple,
Gun Control, People Control, and Control Control, and the whole nasty
mess.

Please tell us how this person is in error, won't you? (And please back it
up with some proof, since I am backing my assertion up with independent
proof, and have a BUNCH MORE I can provide...).

NOTE:  Followups set to talk.politics.guns

--------- Begin included article -------

			THE UNABRIDGED SECOND AMENDMENT

			      by J. Neil Schulman

If you wanted to know all about the Big Bang, you'd ring up Carl Sagan,
right ?  And if you wanted to know about desert warfare, the man to call
would be Norman Schwarzkopf, no question about it.  But who would you call
if you wanted the top expert on American usage, to tell you the meaning
of the Second Amendment to the United States Constitution ?

That was the question I asked A.C. Brocki, editorial coordinator of the Los
Angeles Unified School District and formerly senior editor at Houghton
Mifflin Publishers -- who himself had been recommended to me as the
foremost expert on English usage in the Los Angeles school system.  Mr.
Brocki told me to get in touch with Roy Copperud, a retired professor of
journalism at the University of Southern California and the author of
"American Usage and Style: The Consensus."

A little research lent support to Brocki's opinion of Professor Copperud's
expertise.

Roy Copperud was a newspaper writer on major dailies for over three decades
before embarking on a distinguished 17-year career teaching journalism at
USC.  Since 1952, Copperud has been writing a column dealing with the
professional aspects of journalism for "Editor and Publisher", a weekly
magazine focusing on the journalism field.

He's on the usage panel of the American Heritage Dictionary, and Merriam
Webster's Usage Dictionary frequently cites him as an expert.  Copperud's
fifth book on usage, "American Usage and Style: The Consensus," has been in
continuous print from Van Nostrand Reinhold since 1981, and is the winner
of the Association of American Publisher's Humanities Award.

That sounds like an expert to me.

After a brief telephone call to Professor Copperud in which I introduced
myself but did not give him any indication of why I was interested, I sent
the following letter:

"I am writing you to ask you for your professional opinion as an expert in
English usage, to analyze the text of the Second Amendment to the United
States Constitution, and extract the intent from the text.

"The text of the Second Amendment is, 'A well-regulated Militia, being
necessary for the security of a free State, the right of the people to keep
and bear Arms, shall not be infringed.'

"The debate over this amendment has been whether the first part of the
sentence, 'A well-regulated Militia, being necessary to the security of a
free State', is a restrictive clause or a subordinate clause, with respect
to the independent clause containing the subject of the sentence, 'the
right of the people to keep and bear Arms, shall not be infringed.'

"I would request that your analysis of this sentence not take into
consideration issues of political impact or public policy, but be restricted
entirely to a linguistic analysis of its meaning and intent.  Further,
since your professional analysis will likely become part of litigation
regarding the consequences of the Second Amendment, I ask that whatever
analysis you make be a professional opinion that you would be willing to
stand behind with your reputation, and even be willing to testify under
oath to support, if necessary."

My letter framed several questions about the text of the Second Amendment,
then concluded:

"I realize that I am asking you to take on a major responsibility and task
with this letter.  I am doing so because, as a citizen, I believe it is
vitally important to extract the actual meaning of the Second Amendment.
While I ask that your analysis not be affected by the political importance of
its results, I ask that you do this because of that importance."

After several more letters and phone calls, in which we discussed terms for
his doing such an analysis, but in which we never discussed either of our
opinions regarding the Second Amendment, gun control, or any other political
subject, Professor Copperud sent me the following analysis (into which I have
inserted my questions for the sake of clarity):

[Copperud:] "The words 'A well-regulated militia, being necessary to the
security of a free state,' contrary to the interpretation cited in your
letter of July 26, 1991, constitutes a present participle, rather than a
clause.  It is used as an adjective, modifying 'militia,' which is
followed by the main clause of the sentence (subject 'the right', verb
'shall').  The right to keep and bear arms is asserted as an essential for
maintaining a militia.

"In reply to your numbered questions:

[Schulman:] "(1) Can the sentence be interpreted to grant the right to keep
and bear arms solely to 'a well-regulated militia'?"

[Copperud:] "(1) The sentence does not restrict the right to keep and bear
arms, nor does it state or imply possession of the right elsewhere or by
others than the people; it simply makes a positive statement with respect
to a right of the people."

[Schulman:] "(2) Is 'the right of the people to keep and bear arms' granted
by the words of the Second Amendment, or does the Second Amendment assume a
preexisting right of the people to keep and bear arms, and merely state
that such right 'shall not be infringed'?"

[Copperud:] "(2) The right is not granted by the amendment; its existence
is assumed.  The thrust of the sentence is that the right shall be
preserved inviolate for the sake of ensuring a militia."

[Schulman:] "(3) Is the right of the people to keep and bear arms
conditioned upon whether or not a well regulated militia, is, in fact
necessary to the security of a free State, and if that condition is not
existing, is the statement 'the right of the people to keep and bear Arms,
shall not be infringed' null and void?"

[Copperud:] "(3) No such condition is expressed or implied.  The right to
keep and bear arms is not said by the amendment to depend on the existence
of a militia.  No condition is stated or implied as to the relation of the
right to keep and bear arms and to the necessity of a well-regulated
militia as a requisite to the security of a free state.  The right to keep
and bear arms is deemed unconditional by the entire sentence."

[Schulman:] "(4) Does the clause 'A well-regulated Militia, being necessary
to the security of a free State,' grant a right to the government to place
conditions on the 'right of the people to keep and bear arms,' or is such
right deemed unconditional by the meaning of the entire sentence?"

[Copperud:] "(4) The right is assumed to exist and to be unconditional, as
previously stated.  It is invoked here specifically for the sake of the
militia."

[Schulman:] "(5) Which of the following does the phrase 'well-regulated
militia' mean: 'well-equipped', 'well-organized,' 'well-drilled,'
'well-educated,' or 'subject to regulations of a superior authority'?"

[Copperud:] "(5) The phrase means 'subject to regulations of a superior
authority;' this accords with the desire of the writers for civilian
control over the military."

[Schulman:] "(6) (If at all possible, I would ask you to take account the
changed meanings of words, or usage, since that sentence was written 200
years ago, but not take into account historical interpretations of the
intents of the authors, unless those issues can be clearly separated."

[Copperud:] "To the best of my knowledge, there has been no change in the
meaning of words or in usage that would affect the meaning of the
amendment.  If it were written today, it might be put: "Since a
well-regulated militia is necessary to the security of a free state, the
right of the people to keep and bear arms shall not be abridged.'

[Schulman:] "As a 'scientific control' on this analysis, I would also
appreciate it if you could compare your analysis of the text of the Second
Amendment to the following sentence,

"A well-schooled electorate, being necessary to the security of a free
State, the right of the people to keep and read Books, shall not be
infringed.'

"My questions for the usage analysis of this sentence would be,

"(1) Is the grammatical structure and usage of this sentence and the way
the words modify each other, identical to the Second Amendment's sentence?;
and

"(2) Could this sentence be interpreted to restrict 'the right of the people
to keep and read Books' _only_ to 'a well-educated electorate' -- for
example, registered voters with a high-school diploma?"

[Copperud:] "(1) Your 'scientific control' sentence precisely parallels the
amendment in grammatical structure.

"(2) There is nothing in your sentence that either indicates or implies the
possibility of a restricted interpretation."

Professor Copperud had only one additional comment, which he placed in his
cover letter: "With well-known human curiosity, I made some speculative
efforts to decide how the material might be used, but was unable to reach
any conclusion."

So now we have been told by one of the top experts on American usage what
many knew all along: the Constitution of the United States unconditionally
protects the people's right to keep and bear arms, forbidding all
governments formed under the Constitution from abridging that right.

As I write this, the attempted coup against constitutional government in the
Soviet Union has failed, apparently because the will of the people in that
part of the world to be free from capricious tyranny is stronger than the
old guard's desire to maintain a monopoly on dictatorial power.

And here in the United States, elected lawmakers, judges, and appointed
officials who are pledged to defend the Constitution of the United States
ignore, marginalize, or prevaricate about the Second Amendment routinely.
American citizens are put in American prisons for carrying arms, owning
arms of forbidden sorts, or failing to satisfy bureaucratic requirements
regarding the owning and carrying of firearms -- all of which is an
abridgement of the unconditional right of the people to keep and bear arms,
guaranteed by the Constitution.

And even the American Civil Liberties Union (ACLU), staunch defender of the
rest of the Bill of Rights, stands by and does nothing.

It seems it is up to those who believe in the right to keep and bear arms to
preserve that right.  No one else will.  No one else can.  Will we beg our
elected representatives not to take away our rights, and continue regarding
them as representing us if they do?  Will we continue obeying judges who
decide that the Second Amendment doesn't mean what it says it means but
means whatever they say it means in their Orwellian doublespeak?

Or will we simply keep and bear the arms of our choice, as the Constitution
of the United States promises us we can, and pledge that we will defend
that promise with our lives, our fortunes, and our sacred honor?

(C) 1991 by The New Gun Week and Second Amendment Foundation.
Informational reproduction of the entire article is hereby authorized
provided the author, The New Gun Week and Second Amendment Foundation are
credited.  All other rights reserved.

			About the Author

J. Neil Schulman is the award-winning author of novels endorsed by Anthony
Burgess and Nobel-economist Milton Friedman, and writer of the CBS "Twilight
Zone" episode in which a time-traveling historian prevents the JFK
assassination.  He's also the founder and president of SoftServ Publishing,
the first publishing company to distribute "paperless books" via personal
computers and modems.

Most recently, Schulman has founded the Committee to Enforce the Second
Amendment (CESA), through which he intends to see the individual's right to
keep and bear arms recognized as a constitutional protection equal to those
afforded in the First, Fourth, Fifth, Ninth and Fourteenth amendments.

------------- End included article --------

Can you still honestly say the Second is a 'State-Run militia only right'?

-- 
pat@rwing.uucp      [Without prejudice UCC 1-207]     (Pat Myrto) Seattle, WA
         If all else fails, try:       ...!uunet!pilchuck!rwing!pat
WISDOM: "Only two things are infinite; the universe and human stupidity,
         and I am not sure about the former."              - Albert Einstein

Newsgroup: sci.crypt
Document_id: 15554
From: pat@rwing.UUCP (Pat Myrto)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

In article <bontchev.735232729@fbihh> bontchev@fbihh.informatik.uni-hamburg.de writes:
>rlward1@afterlife.ncsc.mil (Robert Ward) writes:
>
>> >and since the US constitution guarantees the right to every American
>> >to bear arms, why is not every American entitled, as a matter of
>
>> Have you read the applicable part of the Constitution and interpreted it IN 
>> CONTEXT? 
>
>Yes. BTW, the appropriate Amendments were posted here some time ago.
>
>> If not, please do so before posting this misinterpretation again.
>> It refers to the right of the people to organize a militia, not for individual
>> to carry handguns, grenades, and assault rifles.  
>
>It's OK, it's OK... Just a month ago I expressed my belief that the
>right to have a means to shoot your neighbor is not that much
>necessary to ensure a people's right to be free and got flamed by lots
>of American gun supporters. So I thought that...
>
>Never mind. The new Cripple Chip is a purely American problem, so deal
>with the mess yourselves. I just wanted to share with you a bit of my
>experience of living 30 years under a totalitarian regime (I'm
>Bulgarian) - because I thought that it might be useful to you. Oh
>well.

I think your experiences under the Bulgarian regime are highly relevant.
We have too many people with their heads in the sand saying it cannot
happen here, as our Constitutional Rights are being trashed every day
because the government justifies doing some end-run around the protections
by a 'crisis' requiring 'drastic action'.   It is most likely that in the
future possession of secure encryption tools will be regarded as possession
of 'terrorist and drug dealers' tools', and be some serious Federal Felony.
Just like common tools are 'burglar tools' if the police say so, common
computer programs (even computers themselves) are now 'hackers' tools',
and will become 'terrorist tools'.  BET ON IT.

The insights of someone who has lived through this are very important.
If the US goes the way of the old Soviet Union and its client states
as far as individual rights, privacy and overall freedom are concerned,
the rest of the world (remember 'New World Order'?) will not be far
behind - only a few years.

Please keep posting anything you find that is deficient or that threatens
one's rights in this thing.

For example, a conversation between a suspect and a lawyer will no longer
be private from Big Brother eavesdropping.  Political dissent already
is very dangerous in this country; all it takes is the government to
decide that enough people will take one seriously, then one becomes
guilty of 'plotting to overthrow the government by illegal means'.  The
phrase 'illegal means' is defined as whatever the government wants it
to be defined as.

Couple this with Clinton's pressing for a 'smart' National ID card (an
'Internal passport'?), with the added wrinkle that anything about you and
your past can be put on it, and you can only take the government's
word as to what is really on it (since they will be the only ones
with the means to completely read and reprogram the thing).  Isn't
that nice?

While the Feds can bust into one's safe without the keys, the owner
knows his safe has been broken into.  When they break into your 'secure'
phone conversations (or other stored/transmitted data in the near future)
you have no way of knowing, so accountability as to the legalities has
gone out the window.  Just like a safe, if they have a legal cause, they
can get the keys from the suspect, just like they can get the keys to
a safe or the combination from the suspect.  Same with encryption:
Record everything, get the warrants, THEN decode it with the keys
obtained from the suspect.

This Clinton Cripple, along with its natural extensions, will make any
privileged communications between client and lawyer, and any meaningful
political dissent virtually impossible.  Which is the general idea.
Any propaganda about its being secure, and the safeguards, and all
of that are just that - propaganda to reassure people so they will
buy into this monstrosity.  DON'T BE SUCKERED.

BIG BROTHER IS LISTENING!!!

>
>Regards,
>Vesselin
>-- 
>Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
>Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
>< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
>e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany


-- 
pat@rwing.uucp      [Without prejudice UCC 1-207]     (Pat Myrto) Seattle, WA
         If all else fails, try:       ...!uunet!pilchuck!rwing!pat
WISDOM: "Only two things are infinite; the universe and human stupidity,
         and I am not sure about the former."              - Albert Einstein

Newsgroup: sci.crypt
Document_id: 15555
From: pat@rwing.UUCP (Pat Myrto)
Subject: Re: An Open Letter to Mr. Clinton

In article <bontchev.735226256@fbihh> bontchev@fbihh.informatik.uni-hamburg.de writes:
<strnlght@netcom.com (David Sternlight) writes:
<
<> Here's a simple way to convert the Clipper proposal to an unexceptionable
<> one: Make it voluntary.
<
<As usual, you are not reading. The proposal -does- say that it is a
<"voluntary program". This doesn't make it more desirable, though...
<
<> That is--you get high quality secure NSA classified technology if you agree
<> to escrow your key. Otherwise you are on your own.
<
<"Secure"? How do you know? Because NSA is trying to make you believe it?
<"Trust us." Yeah, right.
<
<"Otherwise you are on your own"? How do you know that tomorrow they
<will not outlaw encrypting devices that don't use "their" technology?
<Because they are promising you? Gee, they are not doing even that -
<read the proposal again.

One minor nitpick:  It is not a proposal.  It is a *DECISION* ... from their
point of view it is a DONE DEAL.  The chips are being manufactured, it
obviously has been budgeted, the whole thing.  THAT IS WHAT IS SO UPSETTING.
THIS WAS ALL DONE IN SECRET.  Because they DIDN'T want the people to know
what was going on until it is too late.

Otherwise, I agree with you 100 percent.

How come it always takes someone who has lived under the Eastern Bloc to
remind us about how precious and fragile our liberties are?

Please, keep up the good work.  Hopefully you will wake SOMEONE up...

<
<Regards,
<Vesselin
<-- 
<Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
<Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
<< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
<e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany


-- 
pat@rwing.uucp      [Without prejudice UCC 1-207]     (Pat Myrto) Seattle, WA
         If all else fails, try:       ...!uunet!pilchuck!rwing!pat
WISDOM: "Only two things are infinite; the universe and human stupidity,
         and I am not sure about the former."              - Albert Einstein

Newsgroup: sci.crypt
Document_id: 15556
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks only 

In article <C5rrtD.1Gz@agora.rain.com> jhart@agora.rain.com (Jim Hart) writes:

>
>What we need is a true *privacy chip*.  For example, a real-time 
>voice-encryption RSA, silicon compile it and spit out ASIC.  
>Put this chip on the market as a de facto standard for international 
>business, diplomats, and private communications.  If the U.S. bans 
>it, we make it somewhere else and import it.  The Japanese, German,
>Dutch, Taiwanese, Korean, etc. electronics companies don't want the 
>NSA spying on them.  U.S. workers lose more jobs to government fascist
>stupidity.
>

Some countries have laws about importing crypto gear--I believe the U.S.
does. Without a license the above scheme won't work (at least not legally)
in such countries, including at least France and the U.S.

David


-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
Document_id: 15557
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Would "clipper" make a good cover for other encryption method?

In article <EACHUS.93Apr20140314@spectre.mitre.org> eachus@spectre.mitre.org
(Robert I. Eachus) writes:
>
>  But, if you are making custom equipment in any case, why not just
>roll your own Clipper implementation and report the wrong keys to the
>Escrow agency?  (Tells us who is going to be in the chip business if
>this thing goes through--NSA, and those with something to hide from
>NSA.)

This won't work if there is a checksum on the keys you don't know about.
Neither will registering a clipper chip and then substituting a
"counterfeit" one if the serial number contains a checksum.

Chances are the government has thought of this, and "just anyone" won't be
permitted access to enough of the internals to make a "fake" clipper chip.
Chances are that the government has classified some details of the internals
at a very high level, and manufacturers are required to observe security
safeguards and clearances corresponding to that level.

While not perfect, it would prevent Joe Hacker from rolling his own spoofing
chip, since not many counterfeiters can survive a background investigation.
Some of the more notorious self-styled dissidents here, for example, have
already got their heads so high above the tall grass that they'd have little
chance of getting a clearance.

Of course it's not impossible that someone do this, but probably extremely
difficult. Chances are there will also be very heavy criminal penalties for
phony clipper chips, on some national security/classified info grounds or
other, thus making the game not worth the candle.

-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
Document_id: 15558
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks only

In article <WARLORD.93Apr20175546@deathtongue.mit.edu> warlord@MIT.EDU
(Derek Atkins) writes:


>
>The point here is not the specific instance of the Wiretap Chip.
>Rather, it is like having the government telling you that they want a
>copy of your house key, safe-deposit box keys, etc., and telling you
>that "they wont use them unless its totally neccessary."  I sure
>wouldn't want that.  Why should encryption be any different?

Actually the government is telling you that if you want to use their
"product" the manufacturer (actually better yet, some "trusted" pair
of escrow agencies) has to have the key.

Most of us already are in this situation--our car makers have keys to our
cars (or can get them quickly from the VIN number), and I have no doubt
that if presented with a court order, they'd surrender copies to the
government.

Chances are that many locksmiths have the code numbers for house locks
they've installed, and in an emergency can cut keys; thus they'd also
provide such keys to the government pursuant to a court order.

The state has no difficulty gaining access to your safe deposit box if they
have a court order.

Bad analogy.

This is not to argue for or against the proposal, but rather better
distinctions are required in thinking about it than "house key, safe-deposit
keys, etc.".

David
-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
Document_id: 15559
Subject: Organized Lobbying for Cryptography
From: kubo@zariski.harvard.edu (Tal Kubo)

In article <4014.Apr2003.03.4093@silverton.berkeley.edu> 
djb@silverton.berkeley.edu (D. J. Bernstein) writes:
>
>I want to see an organization which will combat such statements.
>Encryption does _not_ threaten the public safety, any more than ski
>masks do. Every American _is_ entitled to use strong encryption which
>ensures his own privacy and is _not_ crippled by a key-escrow system.
>I guess I'm looking for a ``League for Cryptographic Freedom.'' Or a
>``National Cryptography Association.''

An excellent idea.

>
>To what extent does the EFF serve this purpose? Is a new organization
>necessary? Does it already exist?

While I don't know the full scope of the activities of the EFF, 
from what little I've seen I think it would be better to lobby for 
strong cryptography through a distinct organization.

The EFF has been associated with efforts to prevent the banning of sex
and pictures newsgroups at various universities. Horror stories about the
contents of those groups (e.g. exploitative pictures of possibly underaged
models) have already surfaced in the press. The White House bulletin
already raised the specter of drug-dealing and terrorism, which is only one
step removed from the old "crypto-wielding child molester" argument.  An
EFF lobbying effort for cryptography would be too easily derailed by the
connection to child pornography and the like.

Similarly, LPF is connected with Stallman and his Gnu project.  In
light of, say, the Gnu Manifesto, this means that in a public debate it
stands to be labelled as "communist", "anarchist hackers", radical, etc.  

I don't know about CPSR, but if it is an offshoot of Physicians for Social
Responsibility (best known for Helen Caldicott and her hysterical
antinuclear lobbying) then it probably also carries unwelcome political
baggage.

Perhaps for practical reasons a lobbying organization for cryptography
would best be formed under the umbrella of EFF or some other existing
group, but its charter should then be distinct, independent, and limited to
advocacy for the right to cryptography.  To reiterate Dan Bernstein's
question: does any suitable organization exist?  If not, what are you going
to do about it?

Having mentioned the possible dangers of unwelcome political associations,
I would be remiss not to suggest something in the opposite direction:
gathering the support of the NRA by emphasizing the RKBA side of the
issue as well as the First-Amendment side.



Tal  kubo@math.harvard.edu



Newsgroup: sci.crypt
Document_id: 15560
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: Re: Do we need the clipper for cheap security?

gtoal@gtoal.com (Graham Toal) writes:
>
>In the UK, it's impossible to get approval to attach any crypto device
>to the phone network.  (Anything that plugs in to our BT phone sockets
>must be approved - for some reason crypto devices just never are...)
>

What's the difference between a V.32bis modem and a V.32bis modem?

I'm not being entirely silly here: what I'm pointing out is that the
modems that they have already approved for data transmission will work
just fine to transmit scrambled vocoded voice.

--
Perry Metzger		pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
Document_id: 15561
From: smk5@quads.uchicago.edu (Steve Kramarsky)
Subject: Re: Hard drive security for FBI targets

In article <Apr13.011855.69422@yuma.ACNS.ColoState.EDU> holland@CS.ColoState.EDU (douglas craig holland) writes:
>I'm not a lawyer, so correct me if I'm wrong, but doing that could be
>considered obstruction of justice, which could land you in prison for
>quite a while.
>
>The thing that's great about the secret key is it is IDEA encrypted, so
>even if the FBI do get the key, they're SOL unless they know the magic
>word.  If they try to force you to give them your pass phrase, just say
>"Oops, I forgot."  Since the burden of proof is still on the prosecution
>in this country, if you keep your mouth shut, how can they prove that you
>didn't forget your pass phrase.
>
  OK, Doug is right, it would be obstruction of justice, blah blah blah,
BUT, saying "I forgot" is a lie, which is just as bad from a moral point
of view _IF_ you think "lawfulness" is a good in and of itself (which 
admittedly most people do not.)  But there's an even better way out of this.
PROVIDED the government is prosecuting you criminally, you can probably
plead the fifth amendment and thus LEGALLY avoid revealing your key.  The
government cannot demand information from a criminal defendant which "may
tend to incriminate" that defendant.  Though this has never been applied
in the cryptography context (at least as far as I can tell) it seems an
obvious application to me.  

 This may be a common suggestion in this group, but if it's not (I'm new
here) I'd love to hear what people have to say about it.  Since I don't
really read this group (and since the subject matter is more legal than
cryptoid) maybe misc.legal.computing would be an appropriate place?

  Steve.

-- 
            Steve Kramarsky, University of Chicago Law School
           steve@faerie.chi.il.us -or- smk5@quads.uchicago.edu 
     "All I did was kiss a girl." - Jake, the night before his hanging.

Newsgroup: sci.crypt
Document_id: 15562
From: tedwards@eng.umd.edu (Thomas Grant Edwards)
Subject: Re: Once tapped, your code is no good any more.

In article <1r1r3nINNebn@dns1.NMSU.Edu> amolitor@nmsu.edu (Andrew Molitor) writes:
>In article <C5so84.Hxv@demon.co.uk> Graham Toal <gtoal@gtoal.com> writes:
>>Actually, I am *completely* baffled by why Dorothy Denning has chosen
>>to throw away her academic respectability like this.

>	Actually, I've been following her remarks for some time, with
>interest. I'm also a member of academia, and her remarks have done nothing
>but elevate her respectability in my eyes. It remains to be seen whether
>you are the radical fringe, or I.

>	It is generally an error to assume that your beliefs are held by
>the majority, or even a sizable minority. Especially when you're seeing
>tens, nay dozens, of people on usenet agreeing with you.

The people on usenet are clearly a special bunch.  We live the net, which
is the future of our culture.  Usenetters have rapid electronic access to
information.  Society in general must depend on CNN.  

I can only hope we can make this information accessible by the public before
the radical fringe, which _is_ the majority, destroys the fabric of
this country.  Freedom is never easily won.

-Thomas



Newsgroup: sci.crypt
Document_id: 15563
From: smk5@quads.uchicago.edu (Steve Kramarsky)
Subject: Re: Keeping Your Mouth Shut (was: Hard drive security)

In article <1993Apr14.055903.5358@qualcomm.com> karn@servo.qualcomm.com (Phil Karn) writes:
>
>
>I say "in theory" because in another case, a woman was held in
>contempt for refusing to reveal the location of her child even after
>taking the 5th. In this case, the woman was suspected of having
>murdered the kid, so taking the 5th wasn't surprising. Sure, so she
>was probably guilty, but that's not good enough. In our system you're
>not supposed to be able to force a suspect to confess to a crime, no
>matter how strongly you think they're guilty.  You have to develop
>your evidence independently. Doing otherwise might catch a few more
>crooks, but only at the cost of turning the clock back to the middle
>ages, when confessions were routinely tortured out of suspects both
>guilty and innocent.
>
 OK, I should have read the thread before posting my own $0.02.  I would
just add to Phil's very informative discussion the following caveat: the
fifth amendment applies ONLY in criminal cases.  ("...nor shall any person
. . . be compelled in any criminal case to be a witness against himself...").
Thus if the father sued for custody of the children, the case would be
civil and the defendant mother would not have fifth amendment protection.
Oddly enough, her refusal to give information in a civil case can lead to
criminal contempt charges (thus landing her in jail.)  The interesting part
of all this is that in a murder trial, the woman CAN plead the fifth as 
to the location of the child--this is routine.  A "computer crime" 
prosecution thus would seem to be fertile ground for this kind of defense, 
where a suit by a party injured by "hackers" would not.  If I am accused, 
for example, of sending encrypted kiddie porn over the nets the fifth should 
protect my key.  If I am accused of sending copyrighted material, however,
it probably will not (copyright infringement not being a "crime" in the
technical sense.)  The REALLY tricky question is, say I do both (naughty
boy that I am) can the government use the information gained in the civil
trial (i.e. my key) to gain access to my files for use in the criminal
prosecution.  The answer should certainly be no, but lord only knows how
this would work out.

Steve.
 

-- 
            Steve Kramarsky, University of Chicago Law School
           steve@faerie.chi.il.us -or- smk5@quads.uchicago.edu 
     "All I did was kiss a girl." - Jake, the night before his hanging.

Newsgroup: sci.crypt
Document_id: 15564
Subject: Re: Don't fight Clipper Chip, subvert or replace it !
From: steiner@jupiter.cse.utoledo.edu (Jason 'Think!' Steiner)

Marc Thibault (marc@tanda.isis.org) writes:
> (The Jester) writes: 

> > Proof Windows is a Virus:It is very widespread, It eats up your disk
> > space, It slows down your computer, It takes control over your
> > computer, It performs disk access at random times, It displays silly
> > messages on your screen, It randomly crashes the computer-Vesselin

>         This sounds like a version Unix. Solaris?

As someone who just lived through a switch from SunOS 4.x.x to
Solaris, I'll heartily agree with this. 

ObCrypt: one of my main gripes with Solaris is its braindead mailx,
which is -almost- enough like mail to get you hoping, but crashes
horribly when you try to do anything useful with it. (like use pgp-
capable sendmail replacements.)

jason

--
   "I stood up on my van. I yelled, `Excuse me, sir. Ain't nothing wrong
    with this country that a few plastic explosives won't cure!'"
              - Steve Taylor, I Blew Up the Clinic Real Good
`,`,`,`,`,`,`,`,`,`,`,`,`,`,`,`,`,` steiner@jupiter.cse.utoledo.edu `,`,`,`

Newsgroup: sci.crypt
Document_id: 15565
From: smk5@quads.uchicago.edu (Steve Kramarsky)
Subject: Re: Fifth Amendment and Passwords

In article <1993Apr17.122651.1874@sugra.uucp> ken@sugra.uucp (Kenneth Ng) writes:
>In article <1993Apr16.165423.27204@linus.mitre.org: ptrei@bistromath.mitre.org (Peter Trei) writes:
>:Judge: "I grant you immunity from whatever may be learned from the key
>:	itself"
>:You:    "The keyphrase is: "I confess to deliberately evading copyright; 
>:	the file encoded with this keyphrase contains illegal scans of 
>:        copyrighted Peanuts strips.""

Can we use murder instead of copyright violation, just to keep things
straight?  The 5th applies only to criminal cases which copyright 
infringements are not (they are civil).

Steve

P.S. I'm sorry to waste bandwidth on a quibble, I just don't want
anyone to get confused.  I think a bunch of kiddie porn GIFs make
a better test case than a bunch of Peanuts strips and that IS criminal
both in possession and distribution.

-- 
            Steve Kramarsky, University of Chicago Law School
           steve@faerie.chi.il.us -or- smk5@quads.uchicago.edu 
     "All I did was kiss a girl." - Jake, the night before his hanging.

Newsgroup: sci.crypt
Document_id: 15566
From: kadie@cs.uiuc.edu (Carl M Kadie)
Subject: Re: Organized Lobbying for Cryptography

kubo@zariski.harvard.edu (Tal Kubo) writes:

[...]
>The EFF has been associated with efforts to prevent the banning of sex
>and pictures newsgroups at various universities.
[...]

So what? Justices William Brennan, Thurgood Marshall, John Paul
Stevens, and Byron White are associated with a plurality Supreme Court
decision that prevented the removal of "anti-American, anti-Christian,
anti-Semitic, and just plain filthy" books from a public high school
library [_Board of Education v. Pico_ (1982)]. Does this mean that
they could no longer defend free expression and privacy?

- Carl
-- 
Carl Kadie -- I do not represent any organization; this is just me.
 = kadie@cs.uiuc.edu =

Newsgroup: sci.crypt
Document_id: 15567
From: holthaus@news.weeg.uiowa.edu (James R. Holthaus)
Subject: Re: Estimating Wiretap Costs/Benefits

rlglende@netcom.com (Robert Lewis Glendenning) writes:

>In article <1993Apr20.203756.20667@kronos.arc.nasa.gov> hanson@kronos.arc.nasa.gov (Robin Hanson) writes:
>>I'm attempting to write a serious policy paper examining whether the
>>proposed wiretap (or "Clipper") chip is a cost-effective tool for
>>police investigation.  That is, ignoring concerns about government
>>intrusions into individual privacy, is the value of easy wiretaps to
>>investigators greater than the cost to the communications industry,
>>and their customers, to support this wiretap technology?  
>>[...]

>First, what the fuck is NASA doing wasting my tax dollars doing
>policy papers on stuff far outside of their purview/mission?
>[...]
>Do us a favor.  Resign rather than write this paper for NASA.  Go
>do useful work for the society.

Whew!  Take it easy on the guy.  Maybe he's going to do this in his
spare time.  Maybe he's going to do this to see how much a wiretap
*really* costs.  Maybe he's going to do this so he can add to the
opposition to Clipper.  I don't know fully why he might do this, but
maybe we shouldn't start flaming at the drop of a hat.  
-- 
<><><><><><><><><><>James Holthaus  james-holthaus@uiowa.edu<><><><><><><><><>
<   Government is an association of men who do violence to the rest of us.   >
<             -- Leo Tolstoy                                                 >
<><><><><>PGP 2.2 Public key available on request or from key server<><><><><>

Newsgroup: sci.crypt
Document_id: 15568
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

mathew <mathew@mantis.co.uk> writes:

> bena@dec05.cs.monash.edu.au (Ben Aveling) writes:
> > Don't forget, you are in the country that wouldn't let the Russians
> > buy Apple II's because of security concerns.

> That's nothing.  They wouldn't let the British buy Inmos Transputer systems
> because of security concerns.  And we designed the damn things!

Funny, we had plenty of them in Bulgaria, regardless of the embargo...
:-) So much for export controls...

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

Newsgroup: sci.crypt
Document_id: 15569
From: holthaus@news.weeg.uiowa.edu (James R. Holthaus)
Subject: Cryptology in the world

What is the status of cryptology for private citizens throughout the
world?  Or, more clearly, is there a listing of countries and their
policies on citizens encrypting electronic data?  

I'm curious how the Europeans handle this, for instance.
-- 
<><><><><><><><><><>James Holthaus  james-holthaus@uiowa.edu<><><><><><><><><>
<   Government is an association of men who do violence to the rest of us.   >
<             -- Leo Tolstoy                                                 >
<><><><><>PGP 2.2 Public key available on request or from key server<><><><><>

Newsgroup: sci.crypt
Document_id: 15570
From: tarl@coyoacan.sw.stratus.com (Tarl Neustaedter)
Subject: Re: Organized Lobbying for Cryptography

In article <C5tBpD.Lt@cs.uiuc.edu> kadie@cs.uiuc.edu (Carl M Kadie) writes:
>[...]
>>The EFF has been associated with efforts to prevent the banning of sex
>>and pictures newsgroups at various universities.
>[...]
>
>So what? Justices William Brennan, Thurgood Marshall, John Paul
>Stevens, and Byron White are associated with [...]

It means that the EFF's public stance is complicated with issues irrelevant
to the encryption issue per se. There may well be people who care about
the encryption issue who don't care to associate themselves with the
network erotica issue (or may even disagree with the EFF's position).

Ending up with pallets of baggage to drag around is a frequent 
problem with permanent organizations. EFF is no exception.
	Tarl

Newsgroup: sci.crypt
Document_id: 15571
Subject: Looking for MS-DOS crypto programs
From: EXTDSM@LURE.LATROBE.EDU.AU (MADDISON,David)

I am a new reader of sci.crypt and I would like to obtain a copy of a
public domain program that can encrypt files, preferably using DES,
that runs under MS-DOS.

I would also like to obtain a program which will password protect
floppy disks, if this is possible.

Thanks.

David Maddison
Melbourne, Australia

Newsgroup: sci.crypt
Document_id: 15572
From: oz@ursa.sis.yorku.ca (Ozan S. Yigit)
Subject: Re: List of large integer arithmetic packages

Mark Riordan writes:

	[a list of large-integer arithmetic packages elided]

I thought I would note that except for Lenstra's packages, none of the
large-integer packages are in the public domain. As an alternative,
a straightforward *PD* implementation of Knuth's algorithms may be
found as a part of U of Arizona's ICON distribution.

oz
---
With diligence, it is possible to make | electric: oz@sis.yorku.ca
anything run slowly.        --Tom Duff | ph:[416] 736 2100 x 33976

Newsgroup: sci.crypt
Document_id: 15573
From: scs@lokkur.dexter.mi.us (Steve Simmons)
Subject: Re: Off the shelf cheap DES keysearch machine (Was: Re: Corporate acceptance of the wiretap chip)

smb@research.att.com (Steven Bellovin) writes:

>Thousands?  Tens of thousands?  Do some arithmetic, please...  Skipjack
>has 2^80 possible keys.  Let's assume a brute-force engine like that
>hypothesized for DES:  1 microsecond per trial, 1 million chips.  That's
>10^12 trials per second, or about 38,000 years for 2^80 trials.  Well,
>maybe they can get chips running at one trial per nanosecond, and build
>a machine with 10 million chips.  Sure -- only 3.8 years for each solution.

Normally I'd be the last to argue with Steve . . . but shouldn't that
read "3.8 years for *all* solutions".  I mean, if we can imagine the
machine that does 1 trial/nanosecond, we can imagine the storage medium
that could index and archive it.
-- 
 "Shadwell hated all southerners and, by inference, was standing at the
  North Pole."
	-- "Good Omens", by Neil Gaiman and Terry Pratchett

Newsgroup: sci.crypt
Document_id: 15574
From: amanda@intercon.com (Amanda Walker)
Subject: Re: Clipper considered harmful

shirriff@sprite.berkeley.edu (Ken Shirriff) writes:
> Since archiving would be such a powerful tool and so easy to do, why 
> wouldn't it happen? 

Not enough magtape.

Seriously, do you have any idea how much traffic flows through the US phone 
system in a single day?


Amanda Walker
InterCon Systems Corporation



Newsgroup: sci.crypt
Document_id: 15575
From: tuinstra@signal.ece.clarkson.edu.soe (Dwight Tuinstra)
Subject: Clipper will corrupt cops (was WH proposal from Police point of view)

In article 735230663@fbihh, bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:
>strnlght@netcom.com (David Sternlight) writes:
>
>> dwight tuinstra posts a very interesting message in which he comments on the
>> effects of the Clipper chip on state and local police. Actually, reading
>> between the lines, it could be a very good thing for civil liberties in one
>> respect, since it will at least prevent cowboy cops and cowboy state and
>> local agencies from reading your traffic if they tap it illegally.
>
>Instead of reading between the lines, try to think a little bit. OK,
>if that's way too difficult for you, here are some hints.
>
>Indeed, the new proposal imposes some additional bureaucratic burden on
>the local police, if they badly want to tape the magic cookie recipe
>that your mom is telling you on the phone. So, guess what they will
>do? Propose that the new technology is removed? Or implement some
>"facilitations"? Of course, you won't want to wait until they get the
>approval from two different agencies to decrypt the conversation
>between two child molesters, because meanwhile those two child
>molesters might be conspiring about molesting your child, right? So,
>there should be some way for them to get access to those keys
>-quickly-, right? Like, they could have a copy of the database, and
>worry about a warrant later...

I perhaps should have been clearer and more concise in my post, but that's
what I get from posting at 1 am...

The central point I made is that local/state police agencies attempting to
play by the rules and get warrants, legit escrowed keys, etc., may find
themselves at the mercy of bureaucratic inertia and agency infighting
at the federal level.  

I disagree that this would assist civil liberties by hobbling the cowboy
cops.  It would be a strong incentive, as Vesselin points out, for more
police agencies to "go rogue" and try to get keys through more efficient
(but less Constitutional) means.  Notice what the release said:

   Q:   Suppose a law enforcement agency is conducting a wiretap on
        a drug smuggling ring and intercepts a conversation
        encrypted using the device.  What would they have to do to
        decipher the message?

   A:   They would have to obtain legal authorization, normally a
                                                       ^^^^^^^^^^
        court order, to do the wiretap in the first place.
        ^^^^^^^^^^^

The clear implication is that there are "legal" authorizations other
than a court order.  Just how leaky are these?  (And who 
knows what's in those 7 pages that authorized the NSA?).  There
may well arise a black market of sorts _within_ police agencies, in which
keys are traded.  Furthermore, the police will be in an excellent
position to carry out this kind of thing without being caught.  They
already have a communication infrastructure with secure portions.  There
are a few laws that I know of, that limit citizens' rights to access
police communications (or use the information they get).  It may be
very difficult to prove police misuse -- the fact that you have such
evidence may itself be evidence that YOU have broken some other law.

Throw in private detectives, who have even fewer policy/constitutional
restrictions.  Also consider mercenaries who've "retired" from intelligence
agencies.  William Gibson must be loving it.  Great story material.

Don't think it'll happen?  

Well, consider e.g. the Michigan State Police, generally a very professional
organization, which for years kept "Red Files" on thousands of suspected 
commies, knowing full well it was not constitutional.  The standards
of evidence were just about zero: people were in the file because they
happened to park near a place where, say, a US-China People's Friendship
rally was happening -- the police went around writing down license
plate numbers.  If you happened to be visiting a friend who lived near the 
meeting place, well, the state police wound up filing you as a subversive.
(They were eventually found out and a court ruled against carrying on any
more such nonsense.  I believe they may have had to destroy the tapes
as well.)

Even with well-meaning cops (and I'm sure there are many), there will 
be strong pressure to bend the constitutional safeguards.  We don't need
to assume corrupt or unbalanced officers -- it will all be in the interest 
of enforcing sensible laws, saving lives, and protecting property.  
Compromises will be made by well-meaning officers, facing what (to them) 
will be a moral dilemma.

Clipper will make criminals out of cops.  Do we want to do this to our
police forces?

+========================================================================+
|  dwight tuinstra             best:  tuinstra@sandman.ece.clarkson.edu  |
|                         tolerable:  tuinstrd@craft.camp.clarkson.edu   |
|                                                                        |
|        "Homo sapiens: planetary cancer??  ...  News at six"            |
+========================================================================+

Newsgroup: sci.crypt
Document_id: 15576
Subject: Re: Once tapped, your code is no good any more.
From: a_rubin@dsg4.dse.beckman.com (Arthur Rubin)

In <1993Apr20.151718.2576@magnus.acs.ohio-state.edu> jebright@magnus.acs.ohio-state.edu (James R Ebright) writes:

>In article a_rubin@dsg4.dse.beckman.com (Arthur Rubin) writes:

>>I wouldn't trust the NSA.  I think I would trust the President on this, but
>>I'm not certain he would be told.

>"I am not a crook." President Richard M. Nixon
>                    ^^^^^^^^^

THIS President.  (And I could easily be wrong.)
--
Arthur L. Rubin: a_rubin@dsg4.dse.beckman.com (work) Beckman Instruments/Brea
216-5888@mcimail.com 70707.453@compuserve.com arthur@pnet01.cts.com (personal)
My opinions are my own, and do not represent those of my employer.

Newsgroup: sci.crypt
Document_id: 15577
From: warlord@MIT.EDU (Derek Atkins)
Subject: Re: Would "clipper" make a good cover for other encryption method?

-----BEGIN PGP SIGNED MESSAGE-----

In article <strnlghtC5t3nH.Is1@netcom.com> strnlght@netcom.com (David Sternlight) writes:

   In article <1993Apr20.032623.3046@eff.org> kadie@eff.org (Carl M. Kadie) writes:


   >So, don't just think of replacements for clipper, also think of front
   >ends.

   This only makes sense if the government prohibits alternative non-escrowed
   encryption schemes. Otherwise, why not just use the front end without
   clipper?

   David

David, they (== the gov't) have already said that they hope to DO THIS
in the long run...

- -derek

PGP 2 key available upon request on the key-server:
	pgp-public-keys@toxicwaste.mit.edu

-----BEGIN PGP SIGNATURE-----
Version: 2.2

iQBuAgUBK9TknDh0K1zBsGrxAQEAQgLFEFNH9HlHyoVHuWR5RWD9Y+mBrXkYKWsC
aAZO1x1WXhca5FG+UK9/TYYoBpBTLqGSUrgKgdzPXWFH8/+ZXgXrggwf6wP2eDSt
BYCCYb9JRX3LoZcg5whgOi4=
=8H7Y
-----END PGP SIGNATURE-----
--
  Derek Atkins, MIT '93, Electrical Engineering and Computer Science
     Secretary, MIT Student Information Processing Board (SIPB)
           MIT Media Laboratory, Speech Research Group
           warlord@MIT.EDU       PP-ASEL        N1NWH

Newsgroup: sci.crypt
Document_id: 15578
From: amanda@intercon.com (Amanda Walker)
Subject: Re: Would "clipper" make a good cover for other encryption method?

strnlght@netcom.com (David Sternlight) writes:
> Chances are the government has thought of this, and "just anyone" won't 
> be permitted access to enough of the internals to make a "fake" clipper 
> chip. 

Once the chips are released (in phones, or whatever), they are vulnerable to 
physical inspection and observation.  Now, I will grant that there will no 
doubt be safeguards against "peeling" the chip, but the NSA has no monopoly 
on cleverness.  The chip, and the algorithms it uses, will not remain secret 
for very long.  Any university with a VLSI lab has the required equipment, as 
does any offshore semiconductor manufacturer.


Amanda Walker
InterCon Systems Corporation



Newsgroup: sci.crypt
Document_id: 15579
From: smythw@vccsouth23.its.rpi.edu (William Smythe)
Subject: Re: Once tapped, your code is no good any more.

In article <1qsip1INNnj2@dns1.NMSU.Edu> amolitor@nmsu.edu (Andrew Molitor) writes:
>al@escom.COM (Al Donaldson) writes:
>>amolitor@nmsu.edu (Andrew Molitor) writes:

>	This appears to be generic calling upon the name of the anti-christ.
>Just for the hell of it, let's destroy this remark. Let us imagine that
>the executive branch actually could extract keys from the escrow houses
>without anyone knowing, or telling. Now what? Dick has 80 bits of data.
>What the hell's he gonna do with it?
>
>	1) Trot around to the telco and say 'we'd like an unauthorised
>decrypting tap'. Uh huh.
>	2) Break in to watergate and install his own tap (so his people still
>do have to break in, neat, huh?) record some noise, then get the Executive
>Branch Phone Decryption Box (huh? they've got one? Goodness, wait 'til the
>washington post gets hold of this) and decrypt the noise.
>	3) More likely, stare at the key, and say 'Oh, hell it's not
>worth all this bloody hassle'


No, he gives the keys to the FBI (who may then give them to the local police
on request) who then simply put some alligator clips on your phone junction
box and conduct an illegal tap. They then decrypt when they recover the tape.
It's just doing what the government does best: breaking the law.

Bill Smythe




Newsgroup: sci.crypt
Document_id: 15580
From: strnlght@netcom.com (David Sternlight)
Subject: Re: The [secret] source of that announcement


grady@netcom.com suggests using a common but restricted-distribution private
key to allow public key system encrypted postings. In theory that will work
fine as long as the private key remains secure.

In practice it would be a good idea to check to see if that would be a
violation of some net rule, practice, custom, etc. I don't say it would be,
just that it would be a good idea to check. This is not like rot13 where
everybody can have the key trivially.

It would also be a good idea to check to see if such posts would be
forwarded by the sites needed to make the chain work.

Of course there'd be no problem with a discussion group travelling over
facilities entirely under the control of the members. Probably there would
also be no problem with a mailing list approach. It might even  be fun for
some.

-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
Document_id: 15581
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Once tapped, your code is no good any more.

In article <ELEE9SF.93Apr21095141@menudo.menudo.UH.EDU>
elee9sf@menudo.menudo.UH.EDU (Karl Barrus) writes:

>
>Would you trust a black-box from the NSA versus an "open system" from
>elsewhere?

Absolutely, if I were assured by someone I trusted that the black box was
more secure. I have nothing to conceal from the government, but I would like
to be sure that any Russian, Japanese, French, or other competitors for my
services can't read my traffic. I'd like to be sure that competitive bid
information was safe from commercial competitors and foreign governments
which would aid them.

I believe the NSA has identical motivations with respect to my activities.
The President and many other senior government officials have made it very
clear that they share these motivations. Thus I'd trust them on the
"coincidence of interests" argument as well as on a basic trust in their
professionalism and a high confidence in their skills.

David
-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
Document_id: 15582
From: C445585@mizzou1.missouri.edu (John Kelsey)
Subject: 80-bit keysearch machine

In article <1993Apr21.001230.26384@lokkur.dexter.mi.us>
scs@lokkur.dexter.mi.us (Steve Simmons) writes:
 
>Normally I'd be the last to argue with Steve . . . but shouldn't that
>read "3.8 years for *all* solutions".  I mean, if we can imagine the
>machine that does 1 trial/nanosecond, we can imagine the storage medium
>that could index and archive it.
 
   Hmmmm.  I think, with really large keyspaces like this, you need to
alter the strategy discussed for DES.  Attempt decryption of several
blocks, and check the distribution of the contents.  I don't think it's
at all feasible to keep 2**80 encryptions of a known plaintext block on
*any* amount of tape or CD-ROM.  And certainly not 2**128 such encrypted
blocks.  (Anyone know a cheap way of converting every atom in the solar
system into a one bit storage device?)
 
   Actually, a keysearch of this kind shouldn't be much worse than the
simpler kind in terms of speed.  It's just that you have to do it over
for *every* encrypted message.
 
   Dumb question:  Has anyone ever done any serious research on how many
legitimate ASCII-encoded 8-byte blocks there are that could be part of
an english sentence?  For attacking DES in ECB mode, it seems like a
dictionary of this kind might be pretty valuable....
 
   --John Kelsey
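
The arithmetic in the Bellovin/Simmons exchange quoted above and the
ciphertext-only strategy Kelsey describes (decrypt several blocks, keep
a key only if the output looks like text, redo the search per message)
can be worked through in code. The following is an added example, not
code from any of the posters; the "toy cipher" in it is a constructed
stand-in (an XOR keystream derived from SHA-256) that is NOT Skipjack or
DES, and the 16-bit keyspace, the fixed key 0xBEEF and the 32-byte
message are all assumptions chosen so the search finishes in seconds.

```python
# Added example (not code from any of the posters; the toy cipher is a
# constructed stand-in for illustration and is NOT Skipjack or DES).
import hashlib

SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Bytes that can plausibly appear in English text: printable ASCII plus
# tab, newline and carriage return (98 of the 256 byte values).
TEXT_BYTES = frozenset(range(32, 127)) | {9, 10, 13}


def brute_force_years(key_bits, trials_per_sec):
    """Wall-clock years to try every key at a given trial rate.
    Bellovin's figures: 2^80 keys at 10^12 trials/s is about 38,000
    years; at 10^16 trials/s about 3.8 years."""
    return 2 ** key_bits / trials_per_sec / SECONDS_PER_YEAR


def table_bytes(key_bits, block_bytes=8):
    """Size of a table holding one known-plaintext block encrypted under
    every key (the 'index and archive it all' idea). For 80-bit keys
    that is 2^83 bytes, which is why Kelsey rejects it."""
    return 2 ** key_bits * block_bytes


def false_positive_rate(n_bytes):
    """Probability that n_bytes of uniformly random bytes (a wrong key's
    output) all fall in TEXT_BYTES. Shows why several blocks must pass
    before a key is accepted."""
    return (len(TEXT_BYTES) / 256) ** n_bytes


def toy_block(key, index, block):
    """Constructed toy cipher: XOR an 8-byte block with a keystream block
    derived from SHA-256(key || index). Encrypt and decrypt are the same
    operation. Only the property 'output looks random under the wrong
    key' matters for the demonstration."""
    ks = hashlib.sha256(key + index.to_bytes(4, "big")).digest()[:8]
    return bytes(x ^ y for x, y in zip(block, ks))


def toy_encrypt(key, blocks):
    return [toy_block(key, i, b) for i, b in enumerate(blocks)]


def looks_like_text(block):
    return all(c in TEXT_BYTES for c in block)


def ciphertext_only_search(ciphertext_blocks, key_bits):
    """Kelsey's strategy: for each candidate key, decrypt several blocks
    and keep the key only if every block looks like text. No known
    plaintext and no precomputed table; the whole search is redone for
    each message. A wrong key is almost always rejected on block 0, so
    checking the extra blocks costs little."""
    hits = []
    key_len = (key_bits + 7) // 8
    for k in range(2 ** key_bits):
        key = k.to_bytes(key_len, "big")
        for i, c in enumerate(ciphertext_blocks):
            if not looks_like_text(toy_block(key, i, c)):
                break
        else:
            hits.append(key)
    return hits


def demo_search(key_bits=16):
    """Encrypt a constructed 32-byte message under a fixed (assumed)
    16-bit key and recover that key from ciphertext alone.
    Returns (true_key, hits)."""
    true_key = bytes.fromhex("beef")
    plaintext = b"Attack at dawn, meet at old mill"  # 32 bytes = 4 blocks
    blocks = [plaintext[i:i + 8] for i in range(0, len(plaintext), 8)]
    ciphertext = toy_encrypt(true_key, blocks)
    return true_key, ciphertext_only_search(ciphertext, key_bits)


if __name__ == "__main__":
    print("2^80 keys at 1e12/s: %.0f years" % brute_force_years(80, 1e12))
    print("2^80 keys at 1e16/s: %.1f years" % brute_force_years(80, 1e16))
    print("table of 2^80 8-byte blocks: 2^%d bytes"
          % (table_bytes(80).bit_length() - 1))
    print("wrong-key false positive, 1 block:  %.1e" % false_positive_rate(8))
    print("wrong-key false positive, 4 blocks: %.1e" % false_positive_rate(32))
    key, hits = demo_search()
    print("true key %s, hits %s" % (key.hex(), [h.hex() for h in hits]))
```

With one 8-byte block the text filter lets through roughly one wrong
key in two thousand, so a 2^80 search would report some 10^20
candidates; with four blocks the rate falls below 10^-13, and in the
16-bit demo only the true key survives. The point Kelsey makes about
speed also shows up here: because nearly every wrong key fails on the
first block, the per-key cost is about one decryption whether one or
four blocks are checked.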

Newsgroup: sci.crypt
Document_id: 15583
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Fighting the Clipper Initiative

In article <1r0nov$p3e@access.digex.net> steve-b@access.digex.com (Steve
Brinich) writes:


>
> 1. American manufacturers peddling Cripple Chips with a secret untested
>     algorithm whose keys are held by people with a history of untrustworthy
>     behavoir, or
>

er, excuse me but since the escrow agencies aren't yet chosen, how can you
say they have a "history of untrustworthy behavoir[sic]"?

I'm sure each of us can think of agencies without such a history. Price
Waterhouse has kept the secret of the Academy Awards for many years, even in
the face of an aggressive press. The Federal Reserve Open Market Committee
has successfully kept decisions from leaking for the statutory period until
publication. Even the Department of Agriculture has successfully kept crop
forecasts from leaking prematurely.

Frankly, I'd trust the above (not the D of A, of course since they might be
subject to political pressure) far sooner than the ACLU, EFF, or CPSR which,
though not exactly government apologists, have no particular track record
for internal security that I know of.

David

-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
Document_id: 15584
From: jebright@magnus.acs.ohio-state.edu (James R Ebright)
Subject: Re: 80-bit keysearch machine

In article <16BB71018.C445585@mizzou1.missouri.edu> C445585@mizzou1.missouri.edu (John Kelsey) writes:
>In article <1993Apr21.001230.26384@lokkur.dexter.mi.us>
>scs@lokkur.dexter.mi.us (Steve Simmons) writes:
> 
>>Normally I'd be the last to argue with Steve . . . but shouldn't that
>>read "3.8 years for *all* solutions".  I mean, if we can imagine the
>>machine that does 1 trial/nanosecond, we can imagine the storage medium
>>that could index and archive it.
> 
>   Hmmmm.  I think, with really large keyspaces like this, you need to
>alter the strategy discussed for DES.  Attempt decryption of several
>blocks, and check the distribution of the contents.  I don't think it's
>at all feasible to keep 2**80 encryptions of a known plaintext block on
>*any* amount of tape or CD-ROM.  And certainly not 2**128 such encrypted
>blocks.  (Anyone know a cheap way of converting every atom in the solar
>system into a one bit storage device?)
[...]

I don't claim to be a cryptanalyst... there isn't a whole lot of good
literature on the subject, and the best people don't seem to publish
their work :)  but I rather doubt the approach such folks use is brute
force (sorry to have implied that in my previous post).  The history
of these things is folks find clever ways of limiting the search and
bang from there.

I guess my real problem with Skipjack is I can not believe NSA would
make publicly available a system they couldn't break if they wanted...
it just isn't in their charter.  Remember DES came from IBM, not NSA
and, when first published, was given a useful life of 20 years... I think
we are well past that point now :(

Remember, based on the size of the NSA budget, they spend a lot more
on the technology of decryption than most computer companies spend on
R&D.  I have to imagine their stuff is real interesting...

A friend who once worked for them (he is dead now) said he always enjoyed
monitoring SAC's (Strategic Air Command) crypto traffic :)  and I rather
suspect that stuff is a bit more complex than Skipjack  (Or was it the
military got the stuff from the NSA just like we get Skipjack from them ;)
[BTW, folks, NSA wasn't being given the keys.  And the Walker spy case
shows for some of the systems, the KGB didn't need them either.]

-- 
 Information farming at...     For addr&phone: finger             A/~~\A
 THE Ohio State University  jebright@magnus.acs.ohio-state.edu   ((0  0))____
      Jim Ebright             e-mail: jre+@osu.edu                 \  /      \
                          Support Privacy: Support Encryption      (--)\      

Newsgroup: sci.crypt
Document_id: 15585
From: ebrandt@jarthur.claremont.edu (Eli Brandt)
Subject: Re: Do we need the clipper for cheap security?

In article <1r1f62$rh5@news.intercon.com> amanda@intercon.com (Amanda Walker) writes:
>One thing that Clipper offers is interoperability, at a higher degree of 
>security than we currently have in non-proprietary voice encryption systems.
>This means it will be cheaper than anyone's proprietary scheme, and easier to 
>deploy.

I may be an anarchist nutcase, but I wouldn't have frothed overmuch
had the government proposed a secure encryption standard.  In fact,
if the NSA had come up with a privacy chip rather than a wiretap
chip, I would have been happy.  They *could* have done this -- set
up an ANSI committee, picked a secure cryptosystem, defined a
protocol and interface, and said, "Hey, start building them."

Instead we have a deliberately brain-dead version of a cryptosystem
that has not even been peer reviewed.  Yes, the NSA owns some smart
people.  But if they pulled a FEAL, well, AT&T is going to be left
with a lot of dud phones on its hands.

>Perry said:
>> Someone please tell me what exactly we get in our social contract in 
>> exchange for giving up our right to strong cryptography? 
>
>Can you tell me where exactly we have given up that right?

Heh heh.  The government already gave it up for us.  Remember in the
announcement they described this scheme as balancing the two
extremes of having no privacy and claiming that citizens had a
Constitutional right to encryption?  

So much for Clinton's support of the "right of privacy".

	 PGP 2 key by finger or e-mail  (void when prohibited)
   Eli   ebrandt@jarthur.claremont.edu



Newsgroup: sci.crypt
Document_id: 15586
From: jpb@calmasd.Prime.COM (Jan Bielawski)
Subject: Re: Clipper Chip. LONG follow up.

In article <1993Apr20.030538.1@cc.curtin.edu.au> zrepachol@cc.curtin.edu.au (Paul Repacholi) writes:
<> 
<> QUESTIONS AND ANSWERS ABOUT THE CLINTON ADMINISTRATION'S
<> TELECOMMUNICATIONS INITIATIVE
<> 
<> Q:   Suppose a law enforcement agency is conducting a wiretap on
<>      a drug smuggling ring and intercepts a conversation
<>      encrypted using the device.  What would they have to do to
<>      decipher the message?
<> 
<> A:   They would have to obtain legal authorization, normally a
<>      court order, to do the wiretap in the first place.  They
<>      would then present documentation of this authorization to
<>      the two entities responsible for safeguarding the keys and
<>      obtain the keys for the device being used by the drug
<>      smugglers.  The key is split into two parts, which are
<>      stored separately in order to ensure the security of the key
<>      escrow system.

I apologize for being so dense but this sentence reads as if it
was lifted from a Luis Bunuel screenplay.  Am I missing something?
Why on earth would drug smugglers even _use_ the device then?
Obviously, they'll be using something like triple encryption DES instead.
As long as alternatives to Clipper remain legal, Clipper accomplishes
absolutely nothing, ZERO, as far as law enforcement is concerned.
The whole scheme is an absolute, total, incredible, waste of government
time and money AS LONG AS other encryption schemes that are any good 
remain legal.  In order for Clipper to work as intended all strong
cryptosystems have to be outlawed.

	Jan Bielawski
	Computervision, San Diego
	jpb@calmasd.prime.com


Newsgroup: sci.crypt
Document_id: 15587
From: Borut.B.Lavrencic@ijs.si
Subject: Re: Cryptology in the world

In article <1993Apr21.031524.11080@news.weeg.uiowa.edu>, 
holthaus@news.weeg.uiowa.edu (James R. Holthaus) writes:

> What is the status of cryptology for private citizens throughout the
> world? Or, more clearly, is there a listing of countries and their
> policies on citizens encrypting electronic data?  
> 
> I'm curious how the Europeans handle this, for instance.
> -- 

Good question. I also wanted to find out and I did a while ago.

In our former communist times such activity (i.e. sending crypto emails)
would be prevented sooner or later, law or no law. But now there is no law 
against it. So we are free to use it. We now have an EC conformant law for 
protection and registration of personal files. You must remember that the 
situation in small countries is vastly different from the big ones.
-- 
Borut B. Lavrencic, D.Sc.     | X.400   :C=si;A=mail;P=ac;O=ijs;S=lavrencic
J. Stefan Institute           | Internet:Borut.B.Lavrencic@ijs.si
University of Ljubljana,      | Phone   :+ 386 1 159 199
SI-61111 Ljubljana, Slovenia  |	    PGP Public Key available on request

DOLGO SMOIS KALIS OVRAZ NIKEI NJIHK OCNOO DKRIL IVSEB IPIKA


Newsgroup: sci.crypt
Document_id: 15588
From: stevew@helios.unl.edu (Steve Wu)
Subject: CRYPTO 93 FINAL CALL


............................................................................
        CRYPTO '93  -  Conference Announcement & Final Call for Papers
............................................................................

The Thirteenth Annual CRYPTO Conference, sponsored by the International 
Association for Cryptologic Research (IACR), in cooperation with 
the IEEE Computer Society Technical Committee on Security and Privacy, 
the Computer Science Department of the University of California, Santa 
Barbara, and Bell-Northern Research (a subsidiary of Northern Telecom), 
will be held on the campus of the University of California, Santa Barbara, 
on August 22-26, 1993. Original research papers and technical expository talks 
are solicited on all practical and theoretical aspects of cryptology. It is 
anticipated that some talks may also be presented by special invitation of the 
Program Committee.
-------------------------        
INSTRUCTIONS FOR AUTHORS:  Authors are requested to send 12 copies of a 
detailed abstract (not a full paper) by April 26, 1993, to the Program Chair 
at the address given below. A limit of 10 pages of 12pt type (not counting 
the bibliography or the title page) is placed on all submissions. Submissions 
must arrive on time or be postmarked no later than April 21, 1993 and sent by 
airmail in order to receive consideration by the Program Committee. It is 
required that submissions start with a succinct statement of the problem 
addressed, the solution proposed, and its significance to cryptology, 
appropriate for a non-specialist reader. Technical development directed to 
the specialist should follow as needed.
-------------------------        
Abstracts that have been submitted to other conferences that have proceedings 
are NOT eligible for submission.

Submissions MUST BE ANONYMOUS. This means that names and affiliations of 
authors should only appear on the title page of the submission; it should 
be possible to remove this page and send the papers to Program Committee 
members. A LaTeX style file that produces output in this format is 
available by email from the Program Chair.

Authors will be informed of acceptance or rejection in a letter mailed on 
or before June 21, 1993. A compilation of all accepted abstracts will be 
available at the conference in the form of pre-proceedings. Authors of 
accepted abstracts will be allowed to submit revised versions for the 
pre-proceedings. A revised abstract should contain only minor changes and 
corrections to the originally submitted abstract. All revised abstracts must 
be received by the Program Chair by July 16, 1993. THE 10 PAGE LIMIT WILL BE 
STRICTLY ENFORCED for the pre-proceedings.

Complete conference proceedings are expected to be published in Springer-
Verlag's Lecture Notes in Computer Science series at a later date, pending 
negotiation.
-------------------------        
The Program Committee consists of 

   D. Stinson (Chair, Nebraska)   
   M. Bellare (IBM T. J. Watson)       E. Biham (Technion, Israel)
   E. Brickell (Sandia National Labs)  J. Feigenbaum (AT&T Bell Labs)
   R. Impagliazzo (UCSD)               A. Odlyzko (AT&T Bell Labs)
   T. Okamoto (NTT, Japan)             B. Pfitzmann (Hildesheim, Germany)
   R. Rueppel (R3, Switzerland)        S. Vanstone (Waterloo, Canada)
-------------------------        
Send submissions to the Program Chair:        

Douglas R. Stinson, Crypto '93        
Computer Science and Engineering Department         
115 Ferguson Hall, University of Nebraska        
Lincoln, NE 68588-0115 USA        
Telephone: (402)-472-7791         
Fax: (402)-472-7767        
Internet: stinson@bibd.unl.edu        

For other information, contact the General Chair: 

Paul C. Van Oorschot, Crypto '93 
Bell-Northern Research (MAIL STOP 000) 
3500 Carling Ave. 
Nepean, Ontario K2H 8E9  Canada 
Telephone: (613)-763-4199 
Fax: (613)-763-2626 
Internet: crypto93@bnr.ca

............................................................................
        CRYPTO '93  -  General Information  (August 22 - 26, 1993)
............................................................................

THE PROGRAM:  Crypto'93 is the thirteenth in a series of workshops on 
cryptology held at Santa Barbara, and is sponsored by the International 
Association for Cryptologic Research, in cooperation with the IEEE 
Computer Society Technical Committee on Security and Privacy, the Computer 
Science Department of the University of California, Santa Barbara, and 
Bell-Northern Research (a subsidiary of Northern Telecom). The program 
for the workshop will cover all aspects of cryptology. Extended abstracts of 
the papers presented at the conference will be distributed to all attendees 
at the conference, and formal proceedings will be published at a later date.

In addition to the regular program of papers selected or invited by the 
program committee, there will be a rump session on Tuesday evening for 
informal presentations. Facilities will also be provided for attendees to 
demonstrate hardware, software and other items of cryptographic interest. 
If you wish to demonstrate such items, you are urged to contact the General 
Chair so that your needs will be attended to. The social program will include 
hosted cocktail parties on Sunday and Monday. In addition, there will be a 
beach barbecue on Wednesday evening. The price of the barbecue is included 
in the room and board charge, and extra tickets may be purchased.

ABOUT THE CONFERENCE FACILITIES:  The workshop will be held on the campus of 
the University of California, Santa Barbara. The campus is located adjacent 
to the Santa Barbara airport and the Pacific Ocean. Accommodations are 
available in the university dormitories at relatively low cost for conference 
participants. Children under the age of 13 are not allowed to stay in the 
dormitories, so those bringing small children will need to make separate 
arrangements in one of several nearby hotels. More information on hotels is 
enclosed. Parking on campus is available at no cost to the participants. 
However, participants must indicate on the registration form if they desire 
a parking permit.

TRAVEL INFORMATION:  The campus is located approximately 2 miles from the 
Santa Barbara airport, which is served by several airlines, including 
American, America West, Delta, United, and US Air. Free shuttle bus service 
will be provided between the Santa Barbara airport and the campus on Sunday 
and Thursday afternoons. All major rental car agencies are also represented 
in Santa Barbara, and AMTRAK has rail connections to San Francisco from the 
north and Los Angeles from the south. Santa Barbara is approximately 100 miles 
north of Los Angeles airport, and 350 miles south of San Francisco.

REGISTRATION:  Participation is invited by interested parties, but attendance 
at the workshop is limited, and pre-registration is strongly advised. Late 
registrations, subject to a late registration fee, may be accepted if space 
is available, but there are NO GUARANTEES. To register, fill out the attached 
registration form and return to the address on the form along with payment in 
full before July 9, 1993. Campus accommodations will be available on a first
come, first served basis for attendees who register by July 9, 1993. The 
conference fees include participation in the program and all social functions, 
as well as membership to the IACR and a subscription to the Journal of 
Cryptology. The room and board charges include dormitory lodging and meals 
from dinner on Sunday to lunch on Thursday. Technical sessions will run 
from Monday morning to Thursday at noon. A very limited number of stipends 
are available to those unable to obtain funding. Applications for stipends 
should be sent to the General Chair before June 4, 1993.

............................................................................
        CRYPTO '93  -  CRYPTO '93 Registration Form 
............................................................................
                       REGISTRATION DEADLINE: July 9, 1993

Last Name:   _____________________________________________

First Name:  _____________________________________________ Sex: (M)__  (F)__

Affiliation: _______________________________________________________________ 

Mailing Address:  __________________________________________________________

                  __________________________________________________________

                  __________________________________________________________

                  ___________________________________________________________

Phone:  __________________________________ FAX:  ___________________________ 

Electronic Mail:  __________________________________________________________ 

Payment of the conference fee entitles you to membership in the International 
Association for Cryptologic Research for one year at no extra charge, 
including a subscription to the Journal of Cryptology, published by Springer-
Verlag.  Do you wish to be an IACR member?   YES__  NO__

The conference fee also includes the conference proceedings when they become 
available, containing final versions of conference papers. The book of 
extended abstracts distributed at the conference will contain only shortened 
preliminary versions of these papers (maximum 10 pages).

Conference fee: Regular ($280)                        US$ _______
                Attended Eurocrypt'93, Norway ($230)      _______
                Full time student ($190)                  _______ 
                deduct $50 if you do not wish proceedings _______
                Total conference fee:                              US$_______

Room and Board (4 nights):   Smoking ___  Non-smoking ___
        Single room ($275 per person)                                 _______
        Double room ($225 per person)                                 _______
               Roommate's name:  ____________________________________

Extra barbecue tickets ($20 each; one is included in room and board)  _______ 
$40 late fee for registration after July 9; 
    REGISTRATION NOT GUARANTEED AFTER JULY 9                          _______

Total funds enclosed (U.S. dollars):                              US$ _______

Payment must be by check PAYABLE IN U.S. FUNDS, by money order IN U.S. FUNDS, 
or by U.S. BANK DRAFT, payable to: CRYPTO'93.  Payment should be mailed to the 
General Chair:
               Paul C. Van Oorschot, CRYPTO'93 
               Bell-Northern Research (MAIL STOP 000)
               3500 Carling Ave.
               Nepean, Ontario K2H 8E9   Canada 

............................................................................
        CRYPTO '93  -  Hotel Information
............................................................................

For those who choose not to stay in the dormitories, the following is a 
partial list of hotels in the area. Those who choose to stay off campus are 
responsible for making their own reservations, and early reservations are 
advised since August is a popular season in Santa Barbara. Note that Goleta 
is closer to UCSB than Santa Barbara, but that a car will probably be 
required to travel between any hotel and the campus. All prices are subject 
to change; prices should be confirmed by calling the individual hotels 
directly. However, mention CRYPTO'93 when you are making your reservation and 
in several of the hotels listed you will be eligible for the university rate 
which can be significantly less than the normal rates. We are not able to 
block rooms in these hotels, so please make reservations as early as 
possible. The quality of the hotels ranges from rather expensive beach-front 
resorts to basic inexpensive accommodations. For further information, try 
contacting the Santa Barbara Convention and Visitors Center, (805)-966-9222. 

South Coast Inn: 5620 Calle Real, Goleta, CA 93117. Regular rates: Single $89, 
Double $94; call for University rates. Contact Murrill Forrester at 
(805)-967-3200 or toll-free at (800)-350-3614.

Cathedral Oaks Lodge: 4770 Calle Real, Santa Barbara, 93110. Single rates not 
available, Double rates start at $84 including breakfast; no University rates. 
Call Tom Patton at (805)-964-3511 or toll-free at (800)-654-1965.

Motel 6: 5897 Calle Real, Goleta, CA 93117. Single $33.95, Double $39.95, 
no University rate available. Call (505)-891-6161.

The Sandman Inn: 3714 State St., Santa Barbara, CA 93105. Regular rates: 
Single or Double $84, $94 for king-size, University rate $65. Call Jean 
Ingerle at (805)-687-2468 or toll-free at (800)-350-8174.

Miramar Hotel (Beachfront): 3 miles south of Santa Barbara on U.S. 101 at 
San Ysidro turnoff. Regular rates: $70-$135. No University rates. Call 
(805)-969-2203. 

Pepper Tree Inn: 3850 State St., Santa Barbara, CA 93105. Regular rates: 
$106-$112 for two people, University rates $96-$102 for two people. Call 
Christopher Oliphant at (805)-687-5511 or toll-free at (800)-338-0030.

Encina Lodge: 220 Bath Street, Santa Barbara, CA 93105. Regular rates 
$106-$108 for two people, no University rates. Call Carol Wolford at 
(805)-682-7550 or toll-free at (800)-526-2282.

Quality Suites: 5500 Hollister Ave, Santa Barbara, CA 93111 (close to campus). 
Regular rates: Single $125, Double $145, University rates $99 double 
(must mention you are attending a UCSB program). Call Michael Ensign at 
(805)-683-6722.

Upham Hotel (bed-and-breakfast): 1404 De La Vina Road, Santa Barbara, 
CA 93101. University rate $85 (mention you are from Crypto). Call Sheila 
Donegan at (805)-962-0058.
............................................................................




--
stevew@helios.unl.edu  |=| \ Fender / |=| ... smoke on the water, fire in
                       |=|   \    /   |=| the sky...   Smoke on the water.
stevew@hoss.unl.edu    |=|     \/     |=|     (36 bars guitar solo)
		      Deep purple, the best

Newsgroup: sci.crypt
Document_id: 15589
From: pat@rwing.UUCP (Pat Myrto)
Subject: Re: Clipper considered harmful

In article <15469@optilink.COM> brad@optilink.COM (Brad Yearwood) writes:
<If Clipper comes to cellular phones along with legal proscriptions against
<using other cipher systems on these phones, a new and potentially dangerous
<class of crime is created.

Aside from possession of "terrorist tools" (unapproved encryption devices
or programs)...

<Criminals who very badly want inscrutable tactical communications (specifically
<the terrorists and drug dealers who proponents of key escrow cite as threats)
<will be highly motivated to steal the cipher phone of a legitimate user, and
<to kill this person or hold them hostage so discovery of compromise of the
<device will be delayed.
<
<Once a suitable collection of devices is stolen, criminals can communicate
<with impunity (assuming the cipher system carries no trapdoors apart from
<key escrow) until and unless the compromise is discovered by some other means.
<
<Because life-is-cheap criminals are currently willing to kill people to steal
<very large and conspicuous property (luxury cars), it is reasonable to assume
<that they will be willing to kill people to steal small and inconspicuous
<property (a cipher cellular phone).  Just as we have seen in the past with
<"blue box" technology, and in the present with modified cellular phones,
<we can expect to see among high-stakes criminals a lucrative market for
<stolen cipher phones which can be used for a few days.  The high-stakes
<criminals will pay the life-is-cheap types substantial amounts for stolen
<instruments.
<
<Because a person is typically discovered as missing or dead in a few days,
<a stolen instrument will be usable for only a few days.  There will be a
<continuing demand for fresh phones: fresh bodies.

And since Clinton is also going full-bore to deny unconnected citizens
the means to defend themselves ("we will protect you ... 911 is good
enough for you...") by perverting or trashing the Second Amendment,
the targeted individuals will be GUARANTEED easy prey.  What is a few
bodies compared to the "greater good" of the Fed being able to defeat
a citizen's security with impunity?  You don't think there doesn't
exist a means by which the NSA can do their usual eavesdropping, scanning
for keywords, with OR WITHOUT a court order or any 'keys', do you?
If so, I got some great Florida real estate you might be interested in...

Perhaps the idea of escrowed keys is meant to divert the discussion to
how they will be safeguarded, and away from the basic fact that the
government is systematically taking away our right to privacy, to be
secure, for the means of self-defense, and just about every other right
spelled out in the Bill of Rights?

Nawwww - they are the GOVERNMENT!  "Trust us..."

<In other words, Clipper and similar systems have the potential to turn a
<current inconvenience to law enforcement into a direct, vicious, and
<persistent threat to the general public.

What is more important to the government?  Law Enforcement (people control)
or the safety of the general public?  The gun control issue should answer
that one - look at how good that works in making cities safer:  The places
that are the worst in that regard are also the places with the 'best' gun
control.  Government is NOT about public good, it is about CONTROL.

Never forget that.  Our Founding Fathers sure were concerned about it.

<
<  [ ... remainder deleted ... ]
<


-- 
pat@rwing.uucp      [Without prejudice UCC 1-207]     (Pat Myrto) Seattle, WA
         If all else fails, try:       ...!uunet!pilchuck!rwing!pat
WISDOM: "Only two things are infinite; the universe and human stupidity,
         and I am not sure about the former."              - Albert Einstein

Newsgroup: sci.crypt
Document_id: 15590
From: marc@math.uni-sb.de (Marc Conrad)
Subject: Re: List of large integer arithmetic packages

mrr@scss3.cl.msu.edu (Mark Riordan) writes:

[not very comprehensive list deleted]

There is a very comprehensive list in sci.math.symbolic, 
with detailed descriptions of many packages. 
(Especially you, Mark, should update your list :-) )
Here it is: 


			Available    Systems

This is the list of currently developed and distributed software for 
symbolic math applications. No information is supplied on systems no longer 
being supported like: SAINT, FORMAC, ALPAK, ALTRAN, MATHLAB, SIN, SAC, CAMAL, 
ScratchPad, MuMath, SHEEP, TRIGMAN, ANALITIK, SMP or CCALC.

For more detailed info on any of the systems below, look into the directory
pub/Symbolic_Math in the anonymous FTP of "math.berkeley.edu". No particular 
recommendation is made for any of these. If you want prices contact the 
company. Programs are listed by (approx.) the reverse order of the number of 
machines they run on, in each class, general purpose systems first.

If you have any information to add to this list (we know we are missing
MuPAD & FELIX) please send it to :

			ca@math.berkeley.edu
Paulo Ney de Souza
Department of Mathematics
University of California
Berkeley CA 94720 				desouza@math.berkeley.edu

GENERAL PURPOSE
===============
 
Maple:: 
	Type:      commercial
	Machines:  Most impressive list of machines I've seen for a program:
                   workstations (DEC, HP, IBM, MIPS, Sun, SGI, Apollo), 
                   386 PC's, Mac, Amiga, Atari, AT&T 3B2, Gould, Convex,
                   NCR, Pyramid, Sequent, Unisys and Cray's.
	Contact:   maple@daisy.waterloo.edu
		   Waterloo Maple Software, 160 Columbia Street West,
        	   Waterloo, Ontario, Canada     N2L 3L3
        	   Phone: (519) 747-2373
	Version:   5 Release 1
	Comments:  General purpose , source available for most routines ,
		   graphics support in 5.0. A demo of the program for PC-DOS
		   can be obtained from anonymous FTP at
		   wuarchive.wustl.edu:/edu/math/msdos/modern.algebra/maplev.zip

Mathematica::
	Type: 	   commercial
	Machines:  Cray YMP down to Mac's and PC's
	Contact:   info@wri.com, Phone: 1-800-441-MATH
		   Wolfram Research, Inc.
 	           100 Trade Center Drive, Champaign IL 61820-7237
	Version:   2.1
	Comments:  General purpose, Notebook interface on Next, Mac, 
	           nice graphics. 

Macsyma:: 
   	Type:      commercial
    	Machines:  Sun-3, Sun-4 (SPARC), VAX (UNIX and VMS), Apollo, 
		   HP 9000, DEC RISC, PC386/DOS, Symbolics computers, 
		   368/387 and 486 (no SX's) PC's.
    	Contact:   macsyma-service@macsyma.com, Phone: 800-MACSYMA
		   Macsyma Inc,  20 Academy St., Arlington MA 02174-6436
    	Version:   depends on machine: 417.100 is the latest (for Sun-4, HP, 
		   and DEC RISC), 417.125 for PC's
   	Comments:  General purpose, many diverse capabilities, one of the 
		   oldest around. Includes proprietary improvements from 
		   Symbolics and Macsyma Inc. Descendant of MIT's Macsyma.

DOE-Macsyma:
	Type:      distribution fee only
	Machines:  GigaMos, Symbolics, and TI Explorer Lisp machines.  The NIL 
                   version runs on Vaxes using the VMS system.  The public 
                   domain Franz Lisp version, runs on Unix machines, including 
                   Suns and Vaxes using Unix.
	Contact:   ESTSC - Energy Science & Technology Software Center 
		   P. O. Box 1020 Oak Ridge TN 37831-1020
		   Phone: (615) 576-2606
	Comments:  Help with DOE-Macsyma, general and help with issues such as
	           obtaining support, new versions, etc: lph@paradigm.com
                   Leon Harten from Paradigm Assoc. Paradigm Associates, Inc. 
                   29 Putnam Avenue, Suite 6 Cambridge, MA 02139 (617) 492-6079.

Maxima::
	Type:	   Licence for a fee. Get licence from ESTSC before download.
	Machines:  Unix workstations (Sun, MIPS, HP, PC's) and PC-DOS (beta).
        Contact:   wfs@rascal.utexas.edu (Bill Schelter)
	Version:   4.155
	Comments:  General purpose -  MIT Macsyma family. Common Lisp 
                   implementation by William F. Schelter, based on Kyoto
		   Common Lisp. Modified version of DOE-Macsyma available
		   to ESTSC (DOE) sites. Get the licence from ESTSC (phone:
		   615-576-2606) and then download the software from 
		   DOS: math.utexas.edu:pub/beta-max.zip   or
		   UNIX: rascal.ics.utexas.edu:pub/maxima-4-155.tar.Z
		   Currently their charge for 1 machine license is $165 to
		   universities. Site licenses are also available.

Aljabr::
	Type:      commercial
	Machines:  Mac's with 4Meg of RAM. 
	Contact:   aljabr@fpr.com,  Phone: (508) 263-9692, Fort Pond Research.
                   15 Fort Pond Road, Acton MA  01720 US
	Version:   1.0
	Comments:  MIT Macsyma family descendant, uses Franz LISP.

Paramacs::
	Type:      commercial 
	Machines:  VAX-VMS, Sun-3, Sun-4, (SGI and Mac's on the works)
	Contact:   lph@paradigm.com
	Version:   ???
	Comments:  ???

Vaxima::
	Type:	   distribution fee only
	Machines:  VAX-Unix
        Contact:   ESTSC (see DOE-Macsyma above)
	Version:   ???
	Comments:  General purpose -  MIT Macsyma family descendant.
		   Includes source and binaries with assembler for Macsyma 
		   and Franz Lisp Opus 38

Reduce::
	Type:      commercial
	Machines:  All Unix workstations, a variety of mainframes, 
 	           MS-DOS/386/4Mbyte and Atari ST. 
	Contact:   reduce-netlib@rand.org
	Version:   3.34 
	Comments:  General purpose 

FORM::
	Type:      Public domain version 1 , Version 2 commercial
	Machines:  Msdos, AtariSt , Mac, Sun3, Sun4/sparc, Apollo, NeXT,
 		   VAX/VMS, VAX/Ultrix , DECStation , and others
	Contact:   t68@nikhef.nl (Jos Vermaseren)
		   Binary versions of version 1 are available
 		   by anonymous ftp from nikhef.nikhef.nl (192.16.199.1)
	Version:   1 and 2.
	Comments:  General purpose , designed for BIG problems , batch-like
 		   interface 

Axiom::
	Type:      commercial
	Machines:  IBM RS 6000's and other IBM platforms
	Contact:   ryan@nag.com,  Phone: (708) 971-2337 FAX: (708) 971-2706
                   NAG - Numerical Algorithms Group, Inc
		   1400 Opus Place, Suite 200, Downers Grove, Il 60515-5702
	Version:   ???
	Comments:  General purpose.

SIMATH::
	Type:      anonymous ftp 
	Machines:  Suns, Apollo DN and Siemens workstations.
	Contact:   simath@math.uni-sb.de
	Version:   3.5
	Comments:  General purpose

Derive::
	Type:      commercial 
	Machines:  Runs on PC's and HP 95's.
	Contact:   808-734-5801 
 		   Soft Warehouse Inc. 3615 Harding Ave, Suite 505
                   Honolulu, Hawaii 96816-3735
        Version:   2.01
	Comments:  Said to be very robust, gets problems that other larger
 		   programs fail on. Low cost. 

Theorist::
	Type:      commercial
	Machines:  Mac's
        Contact:   prescien@well.sf.ca.us, phone:(415)543-2252 fax:(415)882-0530
		   Prescience Corp, 939 Howard St #333, San Francisco, CA 94103
	Version:   1.11
	Comments:  General purpose , Graphics , If you like the mac interface
 		   you'll love this , fixed precision ( 19 digits ), runs on
 		   smaller mac's than MMA.

MAS::
	Type:      Anonymous FTP
	Machines:  Atari ST (TDI and SPC Modula-2 compilers), IBM PC/AT 
		   (M2SDS and Topspeed Modula-2 compilers) and Commodore 
		   Amiga (M2AMIGA compiler).  
	Contact:   H. Kredel. Computer Algebra Group
		   University of Passau, Germany
        Version:   0.60
	Comments:  MAS is an experimental computer algebra system combining 
		   imperative programming facilities with algebraic 
		   specification capabilities for design and study of algebraic
		   algorithms. MAS is available via anonymous ftp from: 
    		   alice.fmi.uni-passau.de = 123.231.10.1 

MockMma::
	Type:      anonymous FTP from peoplesparc.berkeley.edu
	Machines:  Anywhere running Common LISP.
	Contact:   fateman@cs.berkeley.edu
        Version:   ???????
	Comments:  It does Matematica (or I mispelled that!).

Weyl::
	Type:      anonymous FTP from ftp.cs.cornell.edu /pub/Weyl
	Contact:   rz@cs.cornell.edu
        Version:   4.240
	Comments:  Intended to be incorporated in larger, more specialized
		   systems.

FLAC::
	Type:      ???
	Machines:  IBM PC's (DOS)
	Contact:   Victor L. Kistlerov, Institute for Control Sciences, 
		   Profsoyuznaya 65, Moscow, USSR
	Version:   ???
	Comments:  Functional language


GROUP THEORY
============

Cayley::
	Type:      Cost recovery
	Machines:  SUN 3, SUN 4, IBM AIX and VM machines, Apollo, DEC
	           VAX/VMS, Mac running A/UX 2.01 or higher and Convex.
	Contact:   cayley@maths.su.oz.au 
		   Phone: (61) (02) 692 3338, Fax: (61) (02) 692 4534
		   Computational Algebra Group
                   University of Sydney
                   NSW 2006 Australia
	Version:   3.8.3
	Comments:  Designed for fast computation with algebraic and
 		   combinatorial structures such as groups, rings,
 		   fields, modules and graphs. Although it began as a
 		   group theory system it has recently evolved into a
 		   general (abstract) algebra system.

GAP::
	Type:      anonymous ftp (free, but not PD; basically GNU copyleft)
	Machines:  All Unix workstations, ATARI ST, IBM PC and MAC 
        Contact:   gap@samson.math.rwth-aachen.de
	FTP site:  samson.math.rwth-aachen.de (137.226.152.6) & math.ucla.edu
	Version:   3.1 (3.2 to be released Dec 92)
	Comments:  group theory calculations.


ALGEBRA & NUMBER THEORY
=======================

PARI::
	Type:      anonymous ftp  
	Machines:  Most workstations, Mac and NeXT
	Contact:   pari@mizar.greco-prog.fr
                   anonymous ftp to math.ucla.edu (128.97.64.16)
	           in the directory /pub/pari
	Version:   1.35
	Comments:  Number theoretical computations, source available, key 
		   routines are in assembler, ascii and Xwindows graphics. 
		   PC-DOS version available from anonymous FTP at 
		   wuarchive.wustl.edu:/edu/math/msdos/modern.algebra/pari386

Macaulay::
	Type:      anonymous ftp
	Machines:  Complete source available, Binary Mac versions available
	Contact:   anonymous ftp to zariski.harvard.edu (128.103.1.107)
	Version:   ???
	Comments:  focused on Algebra type computations ( polynomial rings
 		   over finite fields ), things like that.

Kant::
	Type:      ???
	Machines:  ???
	Contact:   KANT Group
		   Prof. Dr. M. E. Pohst / Dr. Johannes Graf v. Schmettow 
		   Mathematisches Institut, Heinrich-Heine-Universität 
		   Universitätsstr. 1, D-4000 Düsseldorf 1 
		   pohst@dd0rud81.bitnet or schmetto@dd0rud81.bitnet
        Version:   1 & 2
	Comments:  Kant (Computational  Algebraic  Number  Theory) is 
		   subroutine  package for algorithms  from geometry of 
		   numbers and  algebraic number theory. There are  two 
		   versions of  Kant:  Kant  V1 is written  in Ansi-Fortran 77,
		   while Kant V2 is built on the Cayley Platform and written in 
		   Ansi-C.

LiE::
	Type:      commercial 
	Machines:  Unix workstations (SUN, DEC, SGI, IBM), NeXT, PC's,
                   Atari and Mac's.
	Contact:   lie@can.nl, Phone: +31 20 592-6050,  FAX: +31 20 592-4199
                   CAN Expertise Centre, Kruislaan 413, 
                   1098 SJ Amsterdam, The Netherlands
	Version:   2
	Comments:  Lie group computations

UBASIC::
	Type:	   anonymous FTP (ubas830.zip)
	Machines:  Mac and IBM PC's
	Contact:   malm@argo.acs.oakland.edu, Phone: (313) 370-3425
	 	   Donald E. G. Malm, Department of Mathematical Sciences
                   Oakland University, Rochester, MI 48309-4401
	Version:   8.30
	Comments:  BASIC-like environment for number theory. In the collection
		   of programs written for it one can find: 
		   MALM (Collection of UBASIC Number Theory Programs (malm.zip)
		   by Donald E. G. Malm (and copyrighted by him), including: 
		   Baillie-Wagstaff Lucas pseudoprime test, Algorithm for 
  		   Chinese remaindering, Elliptic curve method to factorize n, 
		   Fermat's method of factoring, General periodic continued 
		   fraction to quadratic routine, Evaluates Carmichael's 
		   function & D. H. Lehmer's method of solving x^2 = q (mod p).
		   UBMPQS (Prime factorization program for numbers over 80 
		   digits (ubmpqs32.zip)), that can be found in the WURST 
		   Archives (wuarchive.wustl.edu).

Numbers::
	Type:      Free but not Public Domain, registration required.
	Machines:  PC-DOS
	Contact:   Ivo Düntsch                  Phone:    (++49) 541-969 2346
	           Rechenzentrum                 Fax:     (++49) 541-969 2470
          	   Universität Osnabrück         Bitnet:   duentsch@dosuni1
          	   Postfach 4469
          	   W 4500 Osnabrück GERMANY
        Version:   202c
	Comments:  Numbers is a calculator for number theory. It performs 
	   	   various routines in elementary number theory, some of  
		   which are also usable in algebra or combinatorics.
	  	   Available in the anonymous FTP in ftp.rz.Uni-Osnabrueck.de  
		   in the directory /pub/msdos/math

CoCoA::
	Type:      ???
	Machines:  Mac's
	Contact:   cocoa@igecuniv.bitnet
	Version:   ???
	Comments:  Computations in commutative algebra

Galois::
	Type:      Commercial
	Machines:  IBM-PC DOS
	Contact:   CIFEG Inc., Kalkgruberweg 26, A-4040 Linz, Austria
        Version:   ???
	Comments:  Algebra and number theory microcomputer  written by
   		   R. Lidl, R. W. Matthews, and R. Wells from the U. Tasmania 
		   in Turbo Pascal v3.0.

GANITH::
	Type:      Anonymous FTP
	Machines:  Any system with vanilla Common Lisp, X 11, and has at least 
		   a rudimentary Lisp/C interface.
	Contact:   Chanderjit Bajaj & Andrew Royappa 
                   Department of Computer Science, Purdue University
                   West Lafayette, IN 47907
		   (bajaj and royappa@cs.purdue.edu)
        Version:   
	Comments:  GANITH is an algebraic geometry toolkit, for computing 
		   and visualising solutions to systems of algebraic equations.
                   It is written in Common Lisp and C, and runs under version
  		   11 of the X window system.
  		   GANITH is available from the anonymous FTP at 
		   cs.purdue.edu in the file /pub/avr/ganith-src.tar.Z


TENSOR ANALYSIS
===============

SchoonShip::
	Type:      ???
	Machines:  ???
	Contact:   mentioned in  Comp.Phys. Comm. 8, 1 (1974).
	Version:   ???
	Comments:  I have heard this program mentioned , supposedly it's designed
 		   for large problems (i.e. thousands of terms in series 
 		   expansions ). Developed at CERN for CDC7600 ? 

STENSOR::
	Type:	   ????
	Machines:  VAX, SUN, Apollos, Orion, Atari & Amiga
	Contact:   lh@vand.physto.se, 
		   Lars Hornfeldt, Physics Department, University of Stockholm
                   Vanadisv.9, S-113 46, Stockholm, Sweden
        Version:   ????
	Comments:  System for tensor calculus and noncommutative algebra


LISP CALCULATORS
================

JACAL:: 
	Type:      Gnu CopyLeft
	Machines:  Needs a Lisp (either Common or Scheme) 
	Contact:   Available by anon ftp to altdorf.ai.mit.edu [18.43.0.246]
	Version:   ???
	Comments:  An IBM PC version on floppy for $50 is available from 
 		   Aubrey Jaffer, 84 Pleasant St. Wakefield MA 01880, USA.

GNU-calc::
	Type:      GNU copyleft
	Machines:  Where Emacs runs.
	Contact:   Free Software Foundation
        Version:   ???
	Comments:  It runs inside GNU Emacs and is written entirely in Emacs
		   Lisp. It does the usual things: arbitrary precision integer,
		   real, and complex arithmetic (all written in Lisp), 
		   scientific functions, symbolic algebra and calculus, 
		   matrices, graphics, etc. and can display expressions with 
		   square root signs and integrals by drawing them on the 
		   screen with ascii characters. It comes with well written 
		   600 page online manual. You can FTP it from any GNU site.


DIFFERENTIAL EQUATIONS
======================

DELiA::
	Type:      Informal distribution
	Machines:  IBM PC's (DOS)
	Contact:   A. V. Bocharov, Program Systems Institute, 
		   USSR Academy of Science, Pereslavl, 
                   P.O. Box 11, 152140 USSR, Tlx: 412531 BOAT
	Version:   ????
	Comments:  Differential equation computations


PC SHAREWARE
============

SymbMath::
	Type:      shareware, student and advanced versions.
	Machines:  IBM PC
	Contact:   chen@deakin.OZ.AU
	Version:   2.1.1
	Comments:  Runs on plain (640k) DOS machines. The shareware version
		   is available in the file sm211a.zip on the Wurst Archives.
		   More capable versions are available by mail-order from the 
	           author.  

CLA::
	Type:      anonymous FTP
	Machines:  PC-DOS
	Contact:   ????
        Version:   2.0
	Comments:  A linear or matrix algebra package which computes
		   rank, determinant, row-reduced echelon form, Jordan 
		   canonical form, characteristic equation, eigenvalues, 
	 	   etc. of a matrix. File cla20.zip on the Wurst Archives.

XPL::
	Type:      anonymous FTP
	Machines:  PC-DOS
	Contact:   David Meredith, Department of Mathematics
                   San Francisco State University
                   San Francisco, CA 94132
                   meredith@sfsuvax1.sfsu.edu
        Version:   4.0
	Comments:  Formerly called CCALC. Well-integrated graphics and some
		   (numerical) matrix manipulation routines. Intended for 
		   calculus students. Prentice Hall sells this with a book 
		   (ISBN 0-13-117441-X--or by calling 201-767-5937), but it 
		   is also available (without the manual but with a 
		   comprehensive help system) by anonymous FTP from 
		   wuarchive.wustl.edu: /edu/math/msdos/calculus/cc4-9206.zip.

AMP::
	Type:      Commercial, evaluation copy available by anonymous FTP
	Machines:  PC-DOS
	Contact:   Mark Garber (71571,2006@compuserve.com) Ph: (404) 452-1129
     		   Cerebral Software, PO Box 80332, Chamblee, GA 30366
        Version:   3.0
	Comments:  The Algebraic Manipulation Program (AMP) is written in 
		   Modula-2 and is a symbolic calculation tool. AMP functions 
		   in an interpreter mode and program mode. It  has tensor 
		   manipulation using index notation.  The evaluation copy is
		   available in the anonymous FTP at:
		   ftp.rz.Uni-Osnabrueck.de:pub/msdos/math/amp30.zip

Mercury::
	Type:      Shareware
	Machines:  PC-DOS
	Contact:   ???
        Version:   2.06
	Comments:  Limited in symbolic capabilities, but is extremely adept 
		   at numerically solving equations and produces publication
		   quality graphical output. This used to be Borland's Eureka!, 
		   but when Borland abandoned it, its original author started 
		   selling it as shareware under the name Mercury. Available
		   from anonymous FTP at 
		   wuarchive.wustl.edu:/edu/math/msdos/calculus/mrcry206.zip

PFSA::
	Type:      Public Domain
	Machines:  PC-DOS
	Contact:   ???
        Version:   5.46
	Comments:  Available from the anonymous FTP at 
		   wuarchive.wustl.edu:/edu/math/msdos/modern.algebra/vol546.zip

LIE::
	Type:      Public Domain
	Machines:  PC-DOS
	Contact:   HEAD@RIVETT.MST.CSIRO.AU (A. K. Head)
		   CSIRO Division of Materials Science and Technology
		   Melbourne Australia   or
		   Locked Bag 33, Clayton, Vic 3168, Australia
		   Phone: (03) 542 2861 Telex: AA 32945 Fax: (03) 544 1128
        Version:   3.3
	Comments:  LIE is a program written in the MuMath language (not a 
		   package) for Lie analysis of differential equations. 
		   Available from anonymous FTP at 
		   wuarchive.wustl.edu: /edu/math/msdos/adv.diff.equations/lie33

Calculus::
	Type:      Shareware
	Machines:  PC-DOS with EGA
	Contact:   Byoung Keum, Dept. of Mathematics
		   University of IL.  Urbana, IL 61801.
        Version:   9.0
	Comments:  Program for Calculus and Differential Equations. It has
     		   symbolic diff. & integration (simple functions), graphs.
		   Very unstable program - no reason to use it, except for
		   price (suggested registration fee is $ 30.00).
		   Available from anonymous FTP at 
		   wuarchive.wustl.edu: /edu/math/msdos/calculus/calc.arc 

--
     \   /                     | Marc Conrad, Universitaet des Saarlandes 
      \ Luxemburg              | marc@math.uni-sb.de   
France \|   Germany            | these opinions are not necessarily those   
        \x <---- you are here! | of the SIMATH-group (and maybe even not mine).

Newsgroup: sci.crypt
Document_id: 15591
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: Do we need the clipper for cheap security?

	gtoal@gtoal.com (Graham Toal) writes:
	>
	>In the UK, it's impossible to get approval to attach any crypto device
	>to the phone network.  (Anything that plugs in to our BT phone sockets
	>must be approved - for some reason crypto devices just never are...)
	>

	Whats the difference between a V.32bis modem and a V.32bis modem?

	I'm not being entirely silly here: what I'm pointing out is that the
	modems that they have already approved for data transmission will work
	just fine to transmit scrambled vocoded voice.

Absolutely.  I just meant that no secure *dedicated* crypto device has
ever been given approval.  Guerrilla underground devices should be well
possible with today's high-speed modems (not that I can think of many v32bis
modems that are approved either mind you - just the overpriced Couriers)

Can someone tell me if hardware compression is or is not needed to run
digital speech down 14.4K?  I think it is; I've heard it's not.  Let's
say 8 bit samples.  Would *raw* data at the corresponding sampling rate
be usable?  If not, how fancy does the compression need to be?

G

Newsgroup: sci.crypt
Document_id: 15592
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: Off the shelf cheap DES keyseach machine (Was: Re: Corporate acceptance of the wiretap chip)

		I think I should also point out that the mystical DES engines
	are known plaintext engines (unless you add a ton of really smart
	hardware?)

Assume the ton of smart hardware.  It doesn't really have to be that smart.

G



Newsgroup: sci.crypt
Document_id: 15593
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: The [secret] source of that announcement

	Even more interesting: the SMTP server at csrc.ncsl.nist.gov no longer
	recognizes the 'expn' and 'vrfy' commands...

	   telnet csrc.ncsl.nist.gov smtp
	   Trying 129.6.54.11...
	   Connected to csrc.ncsl.nist.gov.
	   Escape character is '^]'.
	   220 first.org sendmail 4.1/NIST ready at Tue, 20 Apr 93 17:01:34 EDT
	   expn clipper
	   500 Command unrecognized

	Seems like somebody didn't like your snooping around, Marc.

Or mine.  Or the dozen or so other people who probably had the same idea :-)

So does this rush to shut it down imply that some of the names on that
list *are* heavy-duty spooks? :-)))

G

Newsgroup: sci.crypt
Document_id: 15594
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

	Actually, many of us have noted this. We have noted that the program
	started at least 4 years ago, that the contracts with VLSI Technology
	and Microtoxin were let at least 14 months ago, that production of the
	chips is well underway, and so forth.

	Nobody I know has claimed Clinton initiated the program. But he chose
	to go ahead with it.

Perhaps the NSA realised that *no-one* would even contemplate falling for
the dual-escrow bluff while under the Bush administration and *had* to
wait for a Democrat govt to con into promoting this because people *might*
just believe they were honest.  (Didn't work, did it? :-) )

G

Newsgroup: sci.crypt
Document_id: 15595
From: redsonja@olias.linet.org (Red Sonja)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

In article <1qmugcINNpu9@gap.caltech.edu> hal@cco.caltech.edu (Hal Finney) writes:
>The key question is whether non-Clipper encryption will be made illegal.
>
It seems pretty obvious that it will be made illegal if VERY LOUD NOISE is
not made about this IMMEDIATELY to Congress and the House!

>It looks like the worst nightmares raised by Dorothy Denning's proposals
>are coming true.  If the government continues on this course, I imagine
>that we will see strong cryptography made illegal.  Encryption programs
>for disk files and email, as well as software to allow for encrypted
>voice communications, will be distributed only through the
>"underground".  People will have to learn how to hide the fact that
>they are protecting their privacy.
 
I don't know what's worse - the waste of money, or the fact that (in SPITE
of all Clinton's rhetoric to the contrary) this is a feeble attempt by
a large group of bored intelligence bureaucrats to justify their currently
useless jobs. Clinton said he was going to trim the fat from the government.
This doesn't look very dietetic to me! 

As I said before in this group: drug dealing and terrorism both tend to
be international crimes which are not going to cease if the US starts to
regulate encryption. The drug dealers and terrorists will simply go to
other countries to communicate their plans, and will still carry them out
here and/or wherever else. This is not the solution to the problem.

They try to invent a new problem by saying we "need" encryption. I guess
it's a good thing Bill Gates isn't a 4-star general or we would all "need"
our own copies of MS-DOS too, right?

Und vee haff vays uff findink out iff you are usink DOCTOR DOS!!

>It's shocking and frightening to see that this is actually happening here.

Our health care and education systems are in the toilet and they come up
with THIS pearl. If this goddamned government doesn't get a clue real quick
and start trying to repair the infrastructure of the country rather than
inventing someone to blame, Germany and Japan are going to eat the US alive,
and we will deserve it. It's not like there's any shortage of REAL problems
to solve, guys! 

A Clipper chip is really going to help the homeless! A Clipper chip is
really going to help educate the children in the ghettos of our cities!
Just think of the generation gap that can be developed when they rehire
DoD engineer dad to work on Clipper chips that will be used to decrypt
slightly rebellious adolescent hacker son's naughty GIF files! I can see
the shitcom already.

If that wasn't a forged post or a sick joke, I'm popping that Dead Kennedys
tape into the car stereo and tearing ass to Canada. Clinton on White Horse
is near. It's the suede/denim secret police! They have come for your uncool
niece! Don't worry it's only a phone...shit, I knew I should have gotten
some of those "consent to monitoring" stickers they keep on Autovon phones
when I had the chance. I should have known I'd need them in civilian life.

-- 
redsonja@olias.linet.org     \\\RS///     Self possession is 9/10 of the law.
Alien: "We control the laws of nature!" | "How come when it's human, it's an
Joel: "And you still dress that way?"   | abortion, but when it's a chicken, 
(MST3K#17 - Gamera vs Guiron)           | it's an omelet?" - George Carlin

Newsgroup: sci.crypt
Document_id: 15596
From: steve-b@access.digex.com (Steve Brinich)
Subject: Re: Fighting the Clipper Initiative

 > er, excuse me but since the escrow agencies aren't yet chosen, how can you
 >say they have a "history of untrustworthy behavoir[sic]"? 

  I refer to the Federal law enforcement apparatus (which is ultimately in
charge of this) generally.



Newsgroup: sci.crypt
Document_id: 15597
From: random@presto.UUCP (Jeff W. Hyche)
Subject: Re: Once tapped, your code is no good any more.

In article <1993Apr18.150259.1748@escom.com>, Al Donaldson writes:

> Unrelated question...isn't the term "Clipper," as neat as it is,
> already taken by Intergraph?
> 

Yes, "Clipper" is a trademark of Intergraph.  It's the RISC chip used
in some of their workstations. 

I wonder what Intergraph is going to do about this infringement on their
namesake?

--
                                // Jeff Hyche  
 -There Can Be Only One-    \\ //  presto!random@uunet.uu.net
                             \X/ 

Newsgroup: sci.crypt
Document_id: 15598
From: strnlght@netcom.com (David Sternlight)
Subject: Re: An Open Letter to Mr. Clinton

In article <01050810.vkcsbl@mbeckman.mbeckman.com> mbeckman@mbeckman.com writes:


>  As an economist, I'm sure you can see the flaws in this logic. If the (naive)
>market is flooded with proprietary, but weak, encryption, then truly strong 
>encryption will be unable to compete.

This is true for the mass market, but not for those who need strong crypto
and are willing to pay the price. After all, one can buy strong crypto today
if one is willing to spend enough.

Thus the concern is not economic.

The issue most worth worrying about is that after the system takes hold, the
government will outlaw other systems, and something voluntary will become
the only system available. That is a political, not an economic issue.

As a separate matter, you may be making an implied advocacy for cheap secure
crypto for everyone. It's true that the Clipper chip would probably prevent
that except via Clipper, but "cheap, secure crypto for everyone" is a
political discussion, not an economic one, and the whole point of Clipper is 
to resolve that political (policy) tension between securing legitimate
communications and tapping the crooks.

-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
Document_id: 15599
From: amanda@intercon.com (Amanda Walker)
Subject: Re: Do we need the clipper for cheap security?

ebrandt@jarthur.claremont.edu (Eli Brandt) writes:
> Instead we have a deliberately brain-dead version of a cryptosystem 
> that has not even been peer reviewed.  Yes, the NSA owns some smart 
> people.  But if they pulled a FEAL, well, AT&T is going to be left with 
> a lot of dud phones on its hands. 

Agreed.  Remember, I don't even think of Clipper as encryption in any real 
sense--if I did, I'd probably be a lot more annoyed about it.

> Heh heh.  The government already gave it up for us.  Remember in the 
> announcement they described this scheme as balancing the two 
> extremes of having no privacy and claiming that citizens had a 
> Constitutional right to encryption?  

That's not for Clinton (or anyone under him) to say, though.  Only the 
federal and supreme courts can say anything about the constitutionality.
Anything the administration or any governmental agency says is opinion at 
best.


Amanda Walker
InterCon Systems Corporation



Newsgroup: sci.crypt
Document_id: 15600
From: eachus@spectre.mitre.org (Robert I. Eachus)
Subject: Re: Off the shelf cheap DES keyseach machine (Was: Re: Corporate acceptance of the wiretap chip)


   smb@research.att.com (Steven Bellovin) writes:

   >Thousands?  Tens of thousands?  Do some arithmetic, please...  Skipjack
   >has 2^80 possible keys.  Let's assume a brute-force engine like that
   >hypothesized for DES:  1 microsecond per trial, 1 million chips.  That's
   >10^12 trials per second, or about 38,000 years for 2^80 trials.  Well,
   >maybe they can get chips running at one trial per nanosecond, and build
   >a machine with 10 million chips.  Sure -- only 3.8 years for each solution.

   But there is a MUCH more pernicious problem with the scheme as
proposed.  Building a brute force machine to test 2^40 possible keys
if you have the other half from one escrow agent is EASY.  (One chip,
one test per microsecond gives you one break every two weeks, and that
break gives you all messages involving that phone.)

   The XOR scheme so that the files from one escrow agent gives you
nothing is an improvement, but notice that XORing with (truly random)
bit strings allows for an arbitrary number of escrow agents.  Using +
for XOR, SK for the escrowed key, and A and B for two random bit
strings, hand SK+A+B, SK+A, and SK+B to three escrow agents.  It is
possible to come up with an encoding scheme to match any escrow pattern,
for example 3 of 4, such that fewer cooperating escrow agents gives
the cracking agency no benefit.

--

					Robert I. Eachus

with Standard_Disclaimer;
use  Standard_Disclaimer;
function Message (Text: in Clever_Ideas) return Better_Ideas is...

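The XOR splitting Eachus sketches, carried through in code as an added illustration (this is not code from the post, nor any escrow agency's actual implementation). "+" in the post is XOR below; SK is the escrowed unit key, assumed to be 10 bytes (80 bits) purely for the demo. The three-agent split SK+A+B, SK+A, SK+B recovers SK when all three pieces are XORed together, while any two pieces XOR to A, B or A+B, which is noise. The general k-of-n routine reaches his "3 of 4" case by running one independent k-of-k split per k-member subset of agents, so that any k agents complete the split for their own subset and any k-1 agents are missing a piece of every split. The price is that each agent holds C(n-1, k-1) pieces rather than one, and the construction is only as good as the randomness: A and B must be fresh and independent for every split, or two agents' pieces stop being noise. For what it's worth, the arithmetic in the post checks out: 2^40 trials at one per microsecond is about 12.7 days per key, and 2^80 trials at 10^12 per second is roughly 38,000 years.

```python
# Added illustration of the XOR key-splitting scheme described in the post.
# Not code from the post; "+" in the post is XOR here, SK is the escrowed key.
from __future__ import annotations
import secrets
from itertools import combinations

KEY_LEN = 10  # 80-bit unit key; length assumed for the demo only


def xor_bytes(*parts: bytes) -> bytes:
    """XOR any number of equal-length byte strings."""
    out = bytes(len(parts[0]))
    for p in parts:
        if len(p) != len(out):
            raise ValueError("shares must have equal length")
        out = bytes(x ^ y for x, y in zip(out, p))
    return out


def eachus_three_agent(sk: bytes) -> list[bytes]:
    """Hand SK+A+B, SK+A and SK+B to three agents (A, B truly random).
    XOR of all three is SK; any two XOR to A, B or A+B, i.e. noise."""
    a = secrets.token_bytes(len(sk))
    b = secrets.token_bytes(len(sk))
    return [xor_bytes(sk, a, b), xor_bytes(sk, a), xor_bytes(sk, b)]


def split_all_of(sk: bytes, n: int) -> list[bytes]:
    """n-of-n split: n-1 uniformly random shares plus one that fixes the XOR.
    Any n-1 shares are jointly uniform, so they give a cracker no benefit."""
    if n < 2:
        raise ValueError("need at least two agents")
    shares = [secrets.token_bytes(len(sk)) for _ in range(n - 1)]
    shares.append(xor_bytes(sk, *shares))
    return shares


def split_threshold(sk: bytes, k: int, n: int) -> list[list[tuple]]:
    """k-of-n escrow pattern (e.g. 3 of 4) from independent k-of-k splits:
    one split per k-member subset of agents, piece j going to subset member j.
    Any k agents complete the split for their own subset; any k-1 agents are
    missing at least one piece of every split, and each incomplete split is noise."""
    if not 1 < k <= n:
        raise ValueError("need 1 < k <= n")
    holdings: list[list[tuple]] = [[] for _ in range(n)]
    for subset in combinations(range(n), k):
        for agent, piece in zip(subset, split_all_of(sk, k)):
            holdings[agent].append((subset, piece))
    return holdings


def recover_threshold(holdings, cooperating) -> bytes | None:
    """Pool the pieces of the cooperating agents; return SK if some subset's
    split is complete, else None (no partial information is available)."""
    pooled: dict[tuple, list[bytes]] = {}
    for agent in set(cooperating):
        for subset, piece in holdings[agent]:
            pooled.setdefault(subset, []).append(piece)
    for subset, pieces in pooled.items():
        if len(pieces) == len(subset):
            return xor_bytes(*pieces)
    return None


if __name__ == "__main__":
    sk = secrets.token_bytes(KEY_LEN)
    print("three agents recover SK:", xor_bytes(*eachus_three_agent(sk)) == sk)
    holdings = split_threshold(sk, 3, 4)
    print("pieces per agent:", [len(h) for h in holdings])
    print("agents 0,2,3 recover:", recover_threshold(holdings, [0, 2, 3]) == sk)
    print("agents 1,2 recover:", recover_threshold(holdings, [1, 2]))
```

recover_threshold deliberately returns None rather than a partial result: with XOR splitting there is no such thing as a partial result, which is exactly the property the post wants from the escrow pattern.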
Newsgroup: sci.crypt
Document_id: 15601
From: jfc@athena.mit.edu (John F Carr)
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks only

In article <1993Apr20.145338.14804@shearson.com>
	pmetzger@snark.shearson.com (Perry E. Metzger) writes:

[I wrote:]
>>The chip and algorithm are classified.  If you reverse engineer it and
>>tell people, you are likely to go to jail.

>Well, I'm not a lawyer, but from what I can tell this is completely
>and utterly untrue.

>The U.S. does NOT have an official secrets act. We do have laws that
>will punish you for revealing what classified information you learned
>in your capacity as a government official, contractor, etc, and we
>have laws that prohibit stealing such information. However, if they
>sell you the chip, I can't see that they can make reverse engineering
>it and revealing the details illegal.

In most cases information you come by properly is yours to use as you wish,
but there are certainly exceptions.  If you write a paper which includes
sufficiently detailed information on how to build a nuclear weapon, it is
classified.  As I understand the law, nuclear weapons design is
_automatically_ classified even if you do the work yourself.  I believe you
are then not allowed to read your own paper.

A less serious example: if you tell drivers about a speed trap they are
about to run into, you can be fined, even though you might argue that you
broke no law when you discovered the location of the policeman.  The charge
is interfering with a police officer, which is quite similar to what you would
be doing by reverse engineering the Clipper chip.

Don't tell me that you think this violates the Constitution -- find some
court cases which have struck down such laws.  Many people would not be
comforted by the fact that the government violated their rights when it
imprisoned them.

--
    John Carr (jfc@athena.mit.edu)

Newsgroup: sci.crypt
Document_id: 15602
From: ee92jks@brunel.ac.uk (Jonathan K Saville)
Subject: Re: freely distributable public key cryptography c++ code:  where?

D. Wigglesworth (smhanaes@gpu.utcc.utoronto.ca) wrote:

: Do you know of any freely distributable c++ (or c) code for public
: key cryptography (such as RSA)?  

: I've tried various archie searches to no avail.  

Have you heard of PGP? I assume from your post that you have not. PGP 2.2
is a freeware RSA encryption program which includes digital signatures and
comprehensive key management facilities. Most sites also keep the source code.
A growing number of people are using this excellent software to encrypt (to
a very high standard) their email and data. Get it before Clinton outlaws it.

Two of the many sites are:
      rsa.com     /pub/pgp
      soda.berkeley.edu      /pub/cypherpunks/pgp

Hope this helps,

Jon
--
 ------------------------ -------------------------------------
|      Jon Saville       |   Who alive can say, 'Thou art no   |
|  ee92jks@brunel.ac.uk  |  Poet, may'st not tell thy dreams?' |
 ------------------------ -----------  Keats, 1819  -----------
     PGP 2.2 public key available upon request or by finger

Newsgroup: sci.crypt
Document_id: 15603
From: peter@memex.co.uk (Peter Ilieve)
Subject: Re: Clipper Chip and crypto key-escrow

Excerpts from the Clipper announcement, with some questions:

>     --   the ability of authorized officials to access telephone
>          calls and data, under proper court or other legal
>          order, when necessary to protect our citizens;

>Q:   Suppose a law enforcement agency is conducting a wiretap on
>     a drug smuggling ring and intercepts a conversation
>     encrypted using the device.  What would they have to do to
>     decipher the message?
>
>A:   They would have to obtain legal authorization, normally a
>     court order, to do the wiretap in the first place.  They
>     would then present documentation of this authorization to
>     the two entities responsible for safeguarding the keys and
>     obtain the keys for the device being used by the drug
>     smugglers.  The key is split into two parts, which are
>     stored separately in order to ensure the security of the key
>     escrow system.

In these two sections the phrases `or other legal order' and `normally a
court order' imply there is some other way or ways of doing a legal
wiretap. What is/are these? How do they affect the way people who trust the
system of court orders to protect them feel about this escrow system?

The second section shows the sequence of events.
The law enforcer, armed with his warrant, attaches his headphones to the
line with his croc-clips (remember, these are the folk who couldn't cope
with digital telephony) and hears a load of modem-like tones (we are
talking analogue telephony here).
What next? What modulation scheme do these Clipper boxes use?
Is it possible to record the tones for use after the keys are obtained?
I thought it was quite difficult to record a modem session at some
intermediate point on the line. Maybe they have taken a crash course
in data comms and have a unit that demodulates the tones and stores the
digital stream for decryption later. This would still suffer from the
same problems as trying to record the tones as the demodulator would not
be at one end of the line. If calls can't be recorded for decryption later
it would be quite easy to foil the system by buying lots of Clipper units
(these are supposed to be cheap mass market items) and using them in turn.

How tolerant is the modulation scheme to errors? These things are proposed
for use by US corporations to secure their foreign offices, where phone
line quality may well be poor. It seems hard enough to me to get digitised
speech of any quality into something a modem can handle without having to
add lots of error correction to keep the decryption in sync.

>Q:   Will the devices be exportable?  Will other devices that use
>     the government hardware?
>
>A:   Voice encryption devices are subject to export control
>     requirements.  ...  One of the
>     attractions of this technology is the protection it can give
>     to U.S. companies operating at home and abroad.  With this
>     in mind, we expect export licenses will be granted on a
>     case-by-case basis for U.S. companies seeking to use these
>     devices to secure their own communications abroad.
>     ...

This raises an interesting question in the UK. Here it is illegal to connect
anything to a public telecomms network without it being approved by a body
called BABT. It has been stated, either here or in the uk.telecom group,
that they will not approve equipment that does encryption. I don't know
if this is true or not, but this would make a good test case.
Perhaps `friendly' countries, and the UK may still qualify, will get
to fish in the escrowed key pool as well.


		Peter Ilieve		peter@memex.co.uk


Newsgroup: sci.crypt
Document_id: 15604
From: purinton@toyon-next.Stanford.EDU (Joshua Jordan Purinton)
Subject: Re: The [secret] source of that announcement

In article <1r3hgqINNdaa@uwm.edu> Rick Miller <rick@ee.uwm.edu> writes:
>jbotz@mtholyoke.edu (Jurgen Botz) writes:
>>marc@mit.edu (Marc Horowitz N1NZU) writes:


>>Seems like somebody didn't like your snooping around, Marc.
>
>Or, the more *likely* explanation is that Marc is spoofing.
>                                          ^^^^^^^^^^^^^^^^
>I sincerely doubt that Denning and crew are keen enough to react that
>quickly, and I doubt they'd want to cripple their SMTP server t'boot.
>

Marc is not spoofing.  Try it yourself.  At least, the commands work
exactly as he described (i.e. they do not work.)

- Josh.


-- 
No pattern, content or thing is the being who looks out from each pair of eyes.
And only that is important.  - E. T. Gendlin

Newsgroup: sci.crypt
Document_id: 15605
From: Rick Miller - former spook <rick@ee.uwm.edu>
Subject: Alternate *legal* wiretaps.

tuinstra@signal.ece.clarkson.edu.soe writes:
[...]
>  It would be a strong incentive, as Vesselin points out, for more
>police agencies to "go rogue" and try to get keys through more efficient
>(but less Constitutional) means.  Notice what the release said:
>
>   Q:   Suppose a law enforcement agency is conducting a wiretap on
>        a drug smuggling ring and intercepts a conversation
>        encrypted using the device.  What would they have to do to
>        decipher the message?
>
>   A:   They would have to obtain legal authorization, normally a
>                                                       ^^^^^^^^^^
>        court order, to do the wiretap in the first place.
>        ^^^^^^^^^^^

>The clear implication is that there are "legal" authorizations other
>than a court order.  Just how leaky are these?  (And who 
>knows what's in those 7 pages that authorized the NSA?).  There
[...]

I was a cryptologic tech in the US Navy (CTRSN, nothing big).  All 'spooks'
in the Navy are required to know the "gist" of "USSID 18", the Navy-way of
naming a particular Presidential "Executive Order".  It outlines what spooks
can and can't do with respect to the privacy of US nationals.

The following information is (of course) UNCLASSIFIED.

The whole issue hangs about what you mean by "wiretap".  If the signal can
be detected by "non-intrusive" means (like radio listening), then it may be
recorded and it may be "analyzed".  "Analyzed" means that it may be either
deciphered and/or radio-location may be used to locate the transmitter.

The catch is this:  Any and all record of the signal and its derivatives
may only be kept for a maximum of 90 days, after which they are destroyed
unless permission is obtained from the US Attorney General to keep them.

Didn't you ever wonder how Coast Guard cutters *find* those drug-runners
in all those tens of thousands of square miles of sea, even in the dark?!?

Rick Miller  <rick@ee.uwm.edu> | <ricxjo@discus.mil.wi.us>   Ricxjo Muelisto
Send a postcard, get one back! | Enposxtigu bildkarton kaj vi ricevos alion!
          RICK MILLER // 16203 WOODS // MUSKEGO, WIS. 53150 // USA

Newsgroup: sci.crypt
Document_id: 15606
From: jgfoot@minerva.cis.yale.edu (Josh A. Goldfoot)
Subject: Re: Organized Lobbying for Cryptography

Tarl Neustaedter (tarl@coyoacan.sw.stratus.com) wrote:

: It means that the EFF's public stance is complicated with issues irrelevant
: to the encryption issue per se. There may well be people who care about
: the encryption issue who don't care to associate themselves with the
: network erotica issue (or may even disagree with the EFF's position).

Perhaps these encryption-only types would defend the digitized porn if it
was posted encrypted?

These issues are not as separable as you maintain.


Newsgroup: sci.crypt
Document_id: 15607
From: rdippold@qualcomm.com (Ron "Asbestos" Dippold)
Subject: Re: Once tapped, your code is no good any more.

random@presto.UUCP (Jeff W. Hyche) writes:
>Yes, "Clipper" is a trademark of Intergraph.  It's the RISC chip used
>in some of their workstations.  I wonder what Intergraph is going to
>do about this infringement on their namesake?

Probably keep quiet and take it, lest they get their kneecaps busted.
-- 
Good news.  Ten weeks from Friday will be a good day.

Newsgroup: sci.crypt
Document_id: 15608
From: wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705)
Subject: Re: Why the clipper algorithm is secret

In article <1993Apr20.014135.24134@fsl.noaa.gov> bear@kestrel.fsl.noaa.gov (Bear Giles) writes:
   In article <C5pstr.Lu2@panix.com> dfl@panix.com (Danny O'Bedlam) writes:
   >	The algorithm is classified because a military contract (or similar
   >government equivalent to military) has been let for this "proprietary"
   >design that the Feds say that NSA developed.  Is there a patent?  Is that
   >patent publicly available?  My betting is that that too is classified.

   Unless there has been a _major_ change in the law, there's no such beast
   as a "classified patent."  Patents exist to encourage communications and
   develop the state of the art. 

While there aren't classified patents, there are "patent secrecy orders".

Suppose you invent a voice scrambler for CB radio, and apply for a patent.
The Patent Office decides the NSA might be interested, gives them a copy
of your application, and you get a nice note back saying your patent
application has now been classified for national security reasons and
you're no longer allowed to make and sell it.  
I'm picking this example because it happened in the late 1970s.
It was probably some analog scrambler, and would have probably
violated FCC rules anyway, but it did get classified.

Or suppose you publish a paper on your Really Spiffy Algorithm and
then file a patent application.  Since it's been published,
they can't gain anything by classifying it, though you can't get
patents in most countries other than the US, where patent laws are different.

Obviously a system of classified patents would be highly bogus
"You can't sell that widget, because there's a classified patent on it.
You're not allowed to see the patent, or know who owns the design,
so just give us all your money and work in progress and maybe we won't throw
you in jail for espionage."  Some countries might have that kind of
system :-(, but we don't have that here.  Quite.  Yet.
--
#				Pray for peace;      Bill
# Bill Stewart 1-908-949-0705 wcs@anchor.att.com AT&T Bell Labs 4M312 Holmdel NJ
#	              No, I'm *from* New Jersey, I only *work* in cyberspace....
# White House Comment Line 1-202-456-1111  fax 1-202-456-2461

Newsgroup: sci.crypt
Document_id: 15609
From: smb@research.att.com (Steven Bellovin)
Subject: Re: Off the shelf cheap DES keyseach machine (Was: Re: Corporate acceptance of the wiretap chip)

In article <C5sy1z.4tD@demon.co.uk>, Graham Toal <gtoal@gtoal.com> writes:
> In article <1993Apr20.192105.11751@ulysses.att.com> smb@research.att.com (Steven Bellovin) writes:
> :Thousands?  Tens of thousands?  Do some arithmetic, please...  Skipjack
> :has 2^80 possible keys.
> 
> We don't yet know if all 80 bits count.

That doesn't worry me at all; they're not going to cheat at something
they can get caught at.  And key size is one of the things that can be
verified externally.  Feed lots of random key/input pairs into the
chip, then try flipping random key bits, and see what happens to the
output.  We already know what *should* happen -- about half the output
bits should vary, on average, from a 1-bit key change or input change.

If they were out to build a weak cryptosystem, it might be the case that
some of the bits are much less powerful than others, in the sense that
they only enter into the encryption very late in the game.  By contrast,
DES was designed to use each key bit as early as possible; the 50% output
change rate appears as early as round 5.  Again, though, I don't think
NSA is going to cheat that crudely; they're likely to get caught.

Remember that they've promised to let a committee of outside experts see
the cryptosystem design.  If you assume something DES-like, a biased
subkey generation schedule will stick out like a sore thumb.  The committee
can and should run lots of tests, and retain the output.  This can be verified
later against the chip.  And yes, the civilian community has at least some
secure storage facilities that I don't think even NSA can get into without
it being noticed, until Fort Meade gets its transporter working again.
(Oops -- I don't think I was supposed to talk about that...)  The committee
members can even retain secure copies of the code -- in two halves, which
you have to XOR together to recover the program...

Seriously, there are, I think, problems with this whole scheme.  But the
people who invented it aren't stupid, and they've been in the crypto game
and the smoke-and-mirrors game far longer than most of us.  They're not
going to lie in ways that can be detected easily, since their credibility
is the *only* thing they can use to sell this system.  If they've lied
about the civilian committee, no one will believe them about the absence
of other back doors.  If they've lied about the key size, no one will
believe that they haven't copied the programming disk with the U keys.
If they've lied about obvious aspects of the strength of the cryptosystem,
no one will believe the escrow agencies aren't in cahoots with them.

That isn't to say that they aren't lying about all those other things
anyway.  And I'm certainly not claiming that NSA can't build a cryptosystem
with a back door that the committee can't find -- look how long it took
for folks to believe that the S-boxes weren't sabotaged.  It's entirely
possible that the committee will release an ambiguous report, for just
such reasons.  But that's a subtle point (i.e., one you can't explain to
a Senator...).

> Anyway, its looking like the
> keys and escrow arrangements are smoke and mirrors to cover the way the NSA
> can regenerate the key from the transmitted serial number.

I don't like the unit key generation process any better than you do.
However -- S1 and S2 are supposed to be under control of the same
escrow agents.  If they can't be trusted to keep the seed values secure,
they can't be trusted to keep the half-keys secure.

I still don't know if or when S1 and S2 change.  I thought I had seen
something about them being constant, but I just reread Denning's technical
information post, and it doesn't say anything, one way or the other.


		--Steve Bellovin

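The external key-size check Bellovin describes, as an added example that is not from the post and involves no Clipper chip or Skipjack: since the hardware is not available here, a keyed PRF built from SHA-256 and truncated to a 64-bit block stands in for an honest chip, next to a deliberately crippled variant that advertises 80 key bits but ignores the top 16. The harness flips each key bit in turn over many random key/input pairs and reports the mean fraction of output bits that change. An honest design sits near 0.5 at every position; the dead bits of the crippled variant score exactly 0, and a bit that only enters the encryption late, the subtler cheat he mentions, would show up as a low score rather than a zero. The block size and the 80-bit key length are assumptions for the demo.

```python
# Added example of the external avalanche check Bellovin describes. Not from
# the post: Skipjack/Clipper hardware is not available here, so a SHA-256-based
# keyed PRF stands in for an honest chip and a crippled variant for a cheat.
from __future__ import annotations
import hashlib
import random

KEY_BITS = 80      # advertised Skipjack key size
BLOCK_BYTES = 8    # 64-bit block assumed, as for DES


def honest_cipher(key: bytes, block: bytes) -> bytes:
    """Stand-in for a well-designed chip: keyed PRF truncated to one block."""
    return hashlib.sha256(key + block).digest()[:BLOCK_BYTES]


def crippled_cipher(key: bytes, block: bytes) -> bytes:
    """A cheat: claims 80 key bits but silently ignores the last 16 (bits 64-79)."""
    return honest_cipher(key[:8] + bytes(len(key) - 8), block)


def flip_bit(data: bytes, i: int) -> bytes:
    """Return data with bit i (LSB-first within each byte) inverted."""
    out = bytearray(data)
    out[i // 8] ^= 1 << (i % 8)
    return bytes(out)


def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def rand_bytes(rng: random.Random, n: int) -> bytes:
    return rng.getrandbits(8 * n).to_bytes(n, "little")


def key_avalanche(cipher, key_bits=KEY_BITS, block_bytes=BLOCK_BYTES,
                  trials=64, seed=1) -> list[float]:
    """For each key bit position, the mean fraction of output bits that change
    when only that bit is flipped, over `trials` random key/input pairs.
    The seed makes the vectors reproducible, so the same (key, block) pairs
    can be replayed against hardware later, as retained test output."""
    rng = random.Random(seed)
    key_bytes = (key_bits + 7) // 8
    out_bits = 8 * block_bytes
    fractions = []
    for i in range(key_bits):
        changed = 0
        for _ in range(trials):
            key = rand_bytes(rng, key_bytes)
            block = rand_bytes(rng, block_bytes)
            changed += hamming(cipher(key, block), cipher(flip_bit(key, i), block))
        fractions.append(changed / (trials * out_bits))
    return fractions


def suspect_key_bits(cipher, lo=0.4, hi=0.6, **kwargs) -> list[int]:
    """Key bit positions whose avalanche fraction is far from the ideal 0.5.
    Dead bits score exactly 0; bits that enter the cipher late score low."""
    return [i for i, f in enumerate(key_avalanche(cipher, **kwargs))
            if not lo <= f <= hi]


if __name__ == "__main__":
    print("honest cipher, suspect key bits:  ", suspect_key_bits(honest_cipher))
    print("crippled cipher, suspect key bits:", suspect_key_bits(crippled_cipher))
```

The same loop with the block flipped instead of the key measures plaintext avalanche, the other half of the check in the post. With 64 trials of 64 output bits per position the sampling error on each mean is under a percent, so the 0.4 to 0.6 window is generous; a committee run would use far more trials and keep every vector.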
Newsgroup: sci.crypt
Document_id: 15610
From: amanda@intercon.com (Amanda Walker)
Subject: Re: Would "clipper" make a good cover for other encryption method?

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:
> If there are many as..., er, people in the USA who reason like the 
> above, then it should not be surprising that the current plot has been 
> allowed to happen... 

The willingness of the majority of the people to give up their freedom in 
exchange for a sense of safety is hardly limited to the USA, and is an 
endemic problem in any human society of any appreciable size.  The structure 
of the US government does try to combat this tendency to some extent, but 
fighting entropy is always a losing battle.  Most people would rather have 
comfort than freedom.  The paradox is that you can't really have the former, 
in the long term, unless you have the latter.

One of the reasons that I probably come across to some people as a weird 
cross between a libertarian and an "establishment tool" is that I end up 
taking an utterly pragmatic view of government.  I don't get up in arms when 
the government fails to protect the interests of the people, because in my 
lifetime it never has--therefore, I have no expectation that it will.  

As a result, I protect my own interests rather than expecting the government 
to be "fair".  I will use strong cryptography when I think it is needed, 
whether or not it is legal at the time.  Same thing with anything else the 
government would rather not see in private hands--that's their problem.  
What's important to me is using the right tool for the job.  If it's legal, 
so much the better.  If it is not, but does not violate my (very strong) 
sense of personal ethics, I will use it anyway as long I think it is worth 
it.  Expecting the government to actually protect the interests of its 
citizens, except by accident, is utter folly.  Even Jefferson, one of the 
major architects of the American system of government, figured that in a 
couple hundred years it would become so corrupt and self-serving that it 
would be time dismantle it and try again, by revolution if necessary.  I 
agree, and while I don't go around trying to spark one, I'll certainly 
participate if it happens when I'm around.  There is a reason I am such a 
strong supporter of individual rights while being so cynical about politics.  
I've already written off politics.

And yes, this may get me in trouble some day.  If so, so be it.  I drive 
faster than 55 MPH, too.


Amanda Walker
InterCon Systems Corporation



Newsgroup: sci.crypt
Document_id: 15611
From: grady@netcom.com (1016/2EF221)
Subject: Re: The [secret] source of that announcement

Andrew Molitor (amolitor@nmsu.edu) wrote:
: 
: 	1) Monitor my phonecalls.
: 	2) Monitor usenet.
: 	3) Provide only cryptosystems they can easily crack.
: 	4) etc etc.
: 
: 	This is not to say that they *don't*, they might. But you don't
: know that they do, and you have no evidence that they do, for almost
: all values of you. It follows, therefore, that for most values of 'you',
: your claims about the NSA border on paranoia.
: 
: 	Andrew

Now I wouldn't be the one to claim that you are injecting some
disinformation into the net, Andrew, but 'paranoia' refers to
unwarranted or excessive suspicions or fear, not those that
have reasonable roots.

Let's start with looking at the professionals, the NSA itself.
Its birth was by secret executive order by Harry S Truman
in 1952.  Until even 1976 not even one word of this executive
order chartering the NSA was sealed.  Paranoia, right?

On the outside of the NSA complex is a ten foot Cyclone fence
with multiple rows of barbed wire, with high voltage, complete with signs
prohibiting even making sketches under penalty of the Internal
Security Act.  The area is completely scanned by closed circuit
television.  More paranoia.

These are professionals.  Maybe they know something we don't, eh?

Do you think it would have helped Admiral Yamamoto if the Japanese
had been a little more 'paranoid' of their purple cipher?

Or maybe the Germans should have been a little more 'paranoid' about
their Enigma with respect to Turing and the British.

How about the cracking of the Zimmerman telegram?  Would a little
more paranoia have helped the Germans here?

Maybe the NSA should have been a little more 'paranoid' about
Emma Woikin, or Joseph Sidney Petersen, Jr., or  ...

Maybe you want to talk about Macmillan publishers cooperation
with the CIA and NSA to suppress Yardley's Japanese Diplomatic
Secrets or even Kahn's The Codebreakers.. paranoia, right?

The most popular cipher system among captured Soviet spies was
the one-time pad, which, even with the necessity of keeping incriminating
evidence about, is known to be the only proven unbreakable system.
Soviet paranoia, right?

And what do you think the NSA does with its Wullenwebers?  And 
huge Rhombics pointed at embassy row?  And their sites near
satellite uplink and downlink sites?  Duh.

When I worked in a classified MITRE communications lab at one time
even with a "secret" clearance I had to be escorted to the toilet
and the entire site was built INTO a Mosler-type vault with *very*
thick bomb-proof door.  MITRE paranoia?

I could cite probably a hundred more facts which all support, as
best hypothesis, the notion that the NSA is grabbing as much as
it can, as fast as it can.  One would be a fool to ignore the
pattern of facts and conclude that they were random...

And we know the government is violent -- even against children as
recent events prove.  Judge William Sessions is a disgrace
but a solemn warning to those who ignore the web of evidence
that our government institutions have in their contempt for our
civil rights.

And of course we have to err somewhat on the excessive side of
caution because that does much less harm than erring on the
reckless side. As a member of the crew of the USS Liberty might aver.

I might suggest, Andrew, that you read Kahn's Codebreakers and
Bamford's Puzzle Palace and come back with some more facts to
support your sheepish acquiescence to authority.
 
-- 
grady@netcom.com  2EF221 / 15 E2 AD D3 D1 C6 F3 FC  58 AC F7 3D 4F 01 1E 2F


Newsgroup: sci.crypt
Document_id: 15612
Subject: Re: Clipper considered harmful
From: yuan1@scws7.harvard.edu (Nina Yuan)

shirriff@sprite.berkeley.edu (Ken Shirriff) writes:

>It seems likely to me that that a large subset of encrypted communications
>would be archived to tape so they could be read if sometime in the future
>probable cause arises and a warrant is obtained.  I can even imagine this
>being found legal and constitutional, since nothing is actually listened to
>until a valid warrant is issued and the keys are obtained.

>Imagine archiving all pay-phone conversations, so if someone turns out
>to be a drug dealer, you can listen to all their past drug deals.  And
>archive calls to/from suspected Mafia members, potential terrorists,
>radicals, etc.  Imagine the convenience for the police of being able to
>get a warrant now and listening to all the calls the World Trade Center
>bombers made in the past year.

Imagine if this were available during the 1992 elections; instead of
clumsily searching through the Clinton passport file, they could have 
just done a "voice-grep" (as someone stated earlier) on his telephone
conversations for the last 10 years.

I'm not a lawyer and I don't even play one on TV, but intuitively there's
something wrong with having one's words archived for possible future
use against you.  This possibility frightens me more than any of the
talk about the Clipper Chip, right to cryptography, etc.

>Since archiving would be such a powerful tool and so easy to do, why
>wouldn't it happen?

I'm afraid it just might.

-nhy

-- 
----------------------------------------------------------------------------
Nina H. Yuan                               "It's a miracle that curiosity
Harvard College                             survives formal education."
yuan1@husc.harvard.edu                                  - Albert Einstein

Newsgroup: sci.crypt
Document_id: 15613
From: mcbay@clam.com (George McBay)
Subject: Re: What the clipper nay-sayers sound like to me.

In article <1qsvfcINNq9v@dns1.NMSU.Edu> amolitor@moink.nmsu.edu (Andrew Molitor) writes:
[A lot of this article has been deleted for space.]

>   Look! This is clearly the first step toward outlawing our
>   own screw thread specifications. If this madness isn't fought,
>   tooth and nail, every step of the way, it'll be a crime to use
>   screw threads other than those our Fearless Leaders so *graciously*
>   define for us.

	The Clipper standard *is* the first step toward outlawing other
strong encryption standards.  If the government didn't intend to outlaw
other forms of encryption, then Clipper is just a big waste of time and money.
Why, you ask?  Because anyone who is transferring data that any government
agency could use against him/her would be a total fool to use the Clipper
system.  So why add the backdoor key if all lawbreakers will use alternate
encryption methods? Because they assume they can just do away with everything
else.
	I, for one, am planning on boycotting any equipment that contains
clipper technology.



Newsgroup: sci.crypt
Document_id: 15614
From: jhan@debra.dgbt.doc.ca (Jerry Han)
Subject: Re: Once tapped, your code is no good any more.

In article <bontchev.735404289@fbihh>
bontchev@fbihh.informatik.uni-hamburg.de writes: 

>And some people thought that I am exaggerating when claiming that the
>Cripple Chip is just a first step in a totalitarian plot against the
>civil liberties in the USA... It seems that I've even been an optimist
>- the things are happening even faster than I expected.... That's
>another of the dirty tricks they used to apply on us under the
>communist regime - do something secret, THEN tell the people about it
>(after the fact, when nothing can be done any more), and of course,
>explaining them how much better the situation is now...
>
>In my previous messages I wrote that the Americans should wake up and
>fight against the new proposal. Now it seems to me that it is already
>too late - it has already happened, the civil liberties have been
>violated, no, stolen from the American people, while the most part of
>this people has been sleeping happily... :-((( Too sad...

As one of the happily sleeping people, I would just like to ask this->
aren't people just slightly overreacting to this?  Or are we all of a
sudden going to draw parallels to Nazi Germany and Communist Russia?

The point of the matter is that, yes, this is a serious problem.  But it is
not the end of the world.  Guess what?  We're doing something now you
can't do in a Communist country or Nazi Germany.  We're complaining about
it, (or rather, you're complaining about it) and nobody is shooting at us.  

(Or, rather, if they're shooting at me, they have real bad aim.  (:-) )

GUESS WHAT PEOPLE?  You live in one of the few countries in the world
where a person can complain without getting shot at.  

People are always complaining that somebody did this wrong, or somebody
did that wrong, or whatever.  Sit down and figure out two things:

1)  What have they done right?
2)  How much worse can it get?

And you'll find that you and I are pretty damn lucky.

So let's talk about it, get some action going, decide what's going on. 
But let's not overreact!  

>
>Regards,
>Vesselin
>-- 
>Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
>Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
>< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
>e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany


-- 
Jerry Han-CRC-DOC-Div. of Behavioural Research-"jhan@debra.dgbt.doc.ca"
///////////// These are my opinions, and my opinions only. \\\\\\\\\\\\\
\\\\\\\\\ A proud and frozen member of the Mighty Warriors Band ////////  
"Memories of those I've left behind, still ringing in my ears."-Genesis-

Newsgroup: sci.crypt
Document_id: 15615
From: rlglende@netcom.com (Robert Lewis Glendenning)
Subject: Re: Organized Lobbying for Cryptography

Generally, an organization has influence in proportion to:

	The narrowness of its objectives
	The number of members
	The strength of belief of its members

This is why the pro- and anti-abortion groups are so strong: narrow objectives,
lots of interested members who are real passionate.

For this reason, mixing with the NRA is probably a bad idea.  It diffuses
the interests of both groups.  It may well diminish the Passion Index
of the combined organization.  It is not clear it would greatly enlarge
the NRA.

So, I believe a new organization, which may cooperate with NRA where the
two organizations' interests coincide, is the optimum strategy.

lew
-- 
Lew Glendenning		rlglende@netcom.com
"Perspective is worth 80 IQ points."	Niels Bohr (or somebody like that).

Newsgroup: sci.crypt
Document_id: 15616
From: rdippold@qualcomm.com (Ron "Asbestos" Dippold)
Subject: Re: Do we need the clipper for cheap security?

gtoal@gtoal.com (Graham Toal) writes:
>Can someone tell me if hardware compression is or is not needed to run
>digital speech down 14.4K?  I think it is; I've heard it's not.  Let's
>say 8 bit samples.  Would *raw* data at the corresponding sampling rate
>be usable?  If not, how fancy does the compression need to be?

A good vocoder like ours will give you 8000 bits per second locked at
full rate (it's a variable rate voice activity vocoder).  If you want
less quality, cut that to 4000 bps (half rate).  At full rate variable
you could put two full-duplex conversations on a V.32bis modem.  This
requires a DSP or ASICs, though.  An RS-6000 has a CPU that could
probably do it in real-time, because it has the add-and-multiply
instruction and a few other DSP things.

If you want to do speech in real-time you need about 4000 samples a
second (for not very good voice) with your 8 bit samples (ISDN is 8000
8-bit samples a second), which is 32 kbps.  You could do a fast 2:1
compression on that to get it down to 16 kbps, which is just about
V.32bis.  The quality at this point is very bleah, but it should work.
Now add in the time for your encryption method.  You're going to need
sampling hardware, which is no problem on a new Mac, an Amiga.  Or a
PC with a SoundBlaster card (just because they're so popular and cheap
- you could also build a simple ADC).  The problem with the
SoundBlaster is that it doesn't seem to be full duplex - you can't
sample and play back at the same time, making a two-way conversation
a bit tough.  The special hardware or a more capable sound card may be
required.

The only thing that worries me is that 2:1 compression - the
SoundBlaster can do it automatically in hardware, but other than that
I don't have a good feel for how processor intensive it is, so I can't
estimate how fast a PC you'd need.


-- 
Not all men who drink are poets.  Some of us drink because we are not poets.

Newsgroup: sci.crypt
Document_id: 15617
From: vjs@rhyolite.wpd.sgi.com (Vernon Schryver)
Subject: Re: Fighting the Clipper Initiative

In article <strnlghtC5toC6.KIu@netcom.com>, strnlght@netcom.com (David Sternlight) writes:
> ...
>                                  The Federal Reserve Open Market Committee
> has successfully kept decisions from leaking for the statutory period until
> publication.

How are you sure of that?  Weren't there some recent studies that
found correlations between not-yet announced decisions and market changes?

Aren't there continuing early rumors of their deliberations?


>              Even the Department of Agriculture has successfully kept crop
> forecasts from leaking prematurely.

Sheesh!  Remember the big scandal a year or two (or 3?) ago about
exactly such leaks?


Vernon Schryver,  vjs@sgi.com

Newsgroup: sci.crypt
Document_id: 15618
From: rab@well.sf.ca.us (Bob Bickford)
Subject: Re: Off the shelf cheap DES keyseach machine

In article <TOM.93Apr21114536@amber.ssd.csd.harris.com>,
  tom@ssd.csd.harris.com (Tom Horsley) writes:
>
>This isn't intended to be a flame or anything, I am just really curious
>how to manufacture these things while still maintaining the key escrow
>security without simply saying "trust the manufacturer, they won't look".

Without getting into the *really* *thorny* questions about reverse
engineering and all of that, let me just point out that there already
exist gate arrays and suchlike that have what's known as a security fuse
which can be programmed after you've verified all other programming --
this makes it impossible to read out the programming of the device
(again, ignoring the reverse engineering questions).  Speaking from
experience here: I had to completely reinvent one of my designs some
six or seven years ago when the disk file was zapped, the backups were
all bad, and the devices were unreadable because of the security fuses.
Made me appreciate the value of printouts.  ;-)

So on this point at least there's not so much worry.

But whether or not we can get the chips made reliably and securely is
really secondary to the question of whether use of the chip is itself
likely to be secure, methinks.
--
 Robert Bickford      "A Hacker is any person who derives joy from
 rab@well.sf.ca.us    discovering ways to circumvent limitations." rab'86
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
"I recognize that a class of criminals and juvenile delinquents has
taken to calling themselves 'hackers', but I consider them irrelevant
to the true meaning of the word; just as the Mafia calls themselves
'businessmen' but nobody pays that fact any attention."            rab'90
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Newsgroup: sci.crypt
Document_id: 15619
From: ab@ersys.edmonton.ab.ca (Allan Brockman)
Subject: I don't have FTP, live in Canada, how do i get RSA(RAS?) 4 my atariS

I don't have FTP and I live in Canada (this means that it would be 
illegal for a U.S. citizen to send the program to me; their government 
wishes to restrict its dispersal), but someone in Europe must have ported 
a copy of RSA to the Atari ST by now.  How do I get a copy of the RSA 
from a non-FTP news feed?


--
Allan Brockman              ab@ersys.edmonton.ab.ca 

Newsgroup: sci.crypt
Document_id: 15620
From: wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705)
Subject: Re: THE CLIPPER CHIP: A TECHNICAL SUMMARY

In article <1993Apr19.182327.3420@guvax.acc.georgetown.edu> denning@guvax.acc.georgetown.edu writes:
	[Prof. Denning's description of SkipJack mostly omitted]

	CHIP STRUCTURE
	The Clipper Chip contains a classified 64-bit block encryption
	algorithm called "Skipjack."  The algorithm uses 80 bit keys (compared
	with 56 for the DES) and has 32 rounds of scrambling (compared with 16
	for the DES).  It supports all 4 DES modes of operation.  Throughput is
	16 Mbits a second. [...]

	F, an 80-bit family key that is common to all chips
	N, a 30-bit serial number
	U, an 80-bit secret key that unlocks all messages encrypted
		 with the chip
	The key K and message stream M (i.e., digitized voice) are then
	fed into the Clipper Chip to produce two values:

	   E[M; K], the encrypted message stream, and
	   E[E[K; U] + N; F], a law enforcement block.

Three questions:
1) It looks like each 64 bits of input gives you 4*64 bits of output:
		E[M;K] = 64 bits
		E[K;U] = E[ 80 bits ] = 128 bits
		E[ E[K;U], N ; F ] = E[ 128 + 30 bits ] = 192 bits
   Do you really need to transmit all 256 bits each time,
   or do you only transmit the 192 bits of wiretap block at the beginning?   
   All 256 would be really obnoxious for bandwidth-limited applications
   like cellular phones (or even regular phones over 

2) how do the 4 DES modes interact with the two-part output?
   Do the various feedback modes only apply to the message block,
   or also to the wiretap block?  Or, if the wiretap block is only
   transmitted at the beginning, does it get incorporated into
   everything through feedback modes, but not during ECB mode?

3) Does the Clipper Chip check the wiretap block itself?
   Does the block have to be present at all?
   Since the receiving chip doesn't know the transmitter's U,
   it presumably can't check the validity of E[K;U], so it's 
   limited to checking the *form* of the wiretap block,
   and maybe checking the serial number for reasonableness
   (unless there's some sort of back-door structure that lets
   it recognize a valid E[K;U].)
   
   In that case, can you replace the wiretap block with a DIFFERENT
   wiretap block, presumably an old valid one to avoid attracting attention?
   (The chip won't do it, so you postprocess the output.)
   Regular people can do one with their own serial number and a dummy key;
   paranoid people can use someone else's serial number.

   On the other hand, if I could think of that solution so easily,
   presumably the NSA could too - have they done something to block it,
   like use message encryption that's really E[M; K,U,N] ?


	Thanks!
--
#				Pray for peace;      Bill
# Bill Stewart 1-908-949-0705 wcs@anchor.att.com AT&T Bell Labs 4M312 Holmdel NJ
#	              No, I'm *from* New Jersey, I only *work* in cyberspace....
# White House Comment Line 1-202-456-1111  fax 1-202-456-2461

Newsgroup: sci.crypt
Document_id: 15621
From: elee9sf@menudo.menudo.UH.EDU (Karl Barrus)
Subject: Re: Once tapped, your code is no good any more.


David Sternlight writes:

> I'd trust something from the NSA long before I'd trust something from
> some Swiss or anybody Japanese.

What???  This is an incredible statement!  The NSA tried to suppress
public key crypto and RSA, and yet they claim to encourage use of
strong crypto for US citizens.

Would you trust a black-box from the NSA versus an "open system" from
elsewhere?

/-----------------------------------\
| Karl L. Barrus                    |
| elee9sf@menudo.uh.edu             | <- preferred address
| barrus@tree.egr.uh.edu (NeXTMail) |
\-----------------------------------/




Newsgroup: sci.crypt
Document_id: 15622
From: mjr@tis.com (Marcus J Ranum)
Subject: Re: Off the shelf cheap DES keyseach machine (Was: Re: Corporate acceptance of the wiretap chip)

>I mean, if we can imagine the
>machine that does 1 trial/nanosecond, we can imagine the storage medium
>that could index and archive it.

	I think you'd have to do some massive data compression just to
fit a bit of key information on each primary particle of the known
universe.
	But, hey, it's fun to imagine.

mjr.

Newsgroup: sci.crypt
Document_id: 15623
From: smhanaes@gpu.utcc.utoronto.ca (D. Wigglesworth)
Subject: freely distributable public key cryptography c++ code:  where?


Do you know of any freely distributable c++ (or c) code for public
key cryptography (such as RSA)?  

I've tried various archie searches to no avail.  

	Thanks,
	Dan

Newsgroup: sci.crypt
Document_id: 15624
From: rboudrie@chpc.org (Rob Boudrie)
Subject: Re: Once tapped, your code is no good any more.

In article <C5so84.Hxv@demon.co.uk> Graham Toal <gtoal@gtoal.com> writes:
>In article <2073@rwing.UUCP> pat@rwing.UUCP (Pat Myrto) writes:
>:If the Clinton Clipper is so very good, why not make its algorithm public
>:so many people can exchange ideas and examine it, rather than a few
>:isolated 'respected experts' (respected by whom?  for what?  Perhaps a

One more time...

    If they released the algorithm, it would be possible for someone
    to come up with an implementation which was identical, but
    lacking an escrowed key.

    Note that the press announcement mentioned that the algorithm was
    being kept secret for security of the key escrow system.  In this
    case security means "an escrowed key for EVERY clipper chip".


    Assuming you believed all that is said about the effectiveness of
    the algorithm, and the escrow system, which would you buy :

     (a)  Chip from firm A with the escrowed key
     (b)  Second source chip from reputable firm B with no key
          in government escrow.

    There would obviously be powerful economic incentives for a second
    source, non escrowed, vendor.

Newsgroup: sci.crypt
Document_id: 15625
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Once tapped, your code is no good any more.

andersom@spot.Colorado.EDU (Marc Anderson) writes:

> methods.  ``This year's crime bill will have teeth, not bare gums,''
> Clinton said.  In particular, his administration will place strict
> controls on data formats and protocols, and require the registration
> of so-called ``cryptographic keys,'' in the hope of denying drug
> dealers the ability to communicate in secret.  Clinton said the
> approach could be used for crackdowns on other forms of underground
> economic activity, such as ``the deficit-causing tax evaders who
> live in luxury at the expense of our grandchildren.''

And some people thought that I am exaggerating when claiming that the
Cripple Chip is just a first step in a totalitarian plot against the
civil liberties in the USA... It seems that I've even been an optimist
- the things are happening even faster than I expected.... That's
another of the dirty tricks they used to apply on us under the
communist regime - do something secret, THEN tell the people about it
(after the fact, when nothing can be done any more), and of course,
explaining them how much better the situation is now...

In my previous messages I wrote that the Americans should wake up and
fight against the new proposal. Now it seems to me that it is already
too late - it has already happened, the civil liberties have been
violated, no, stolen from the American people, while the most part of
this people has been sleeping happily... :-((( Too sad...

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

Newsgroup: sci.crypt
Document_id: 15626
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Would "clipper" make a good cover for other encryption method?

strnlght@netcom.com (David Sternlight) writes:

> Some of the more notorious self-styled dissidents here, for example, have
> already got their heads so high above the tall grass that they'd have little
> chance of getting a clearance.

If there are many as..., er, people in the USA who reason like the
above, then it should not be surprising that the current plot has been
allowed to happen...

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

Newsgroup: sci.crypt
Document_id: 15627
From: grady@netcom.com (1016/2EF221)
Subject: Re: The [secret] source of that announcement

I guess the cryptowranglers read this group too.  But of
course I knew that because it is so easy to do.  There is
not a single doubt in my mind that every byte that passes
every significant gateway or 'bone is captured for the
colligation of data about __________?  (Maybe your name is here).

Maybe we should start a newsgroup for the distribution of encrypted 
posts intended for members of affinity groups with a shared private
key.  For example, at the upcoming Cypherpunks meeting, a private
key corresponding to that particular meeting could be passed out
by a moderator.  Minutes, followup comments to other participants,
and so on could be posted to the alt.encrypted group for the use
of the people who attended. Communiques intended by the group for
non-attendees could of course just be signed using the private key
but otherwise not encrypted.

Starting an alt.encrypted newsgroup rather than just maintaining
mailing lists is better for several reasons.  First, it would be
easier to archive for people who might join a group "late" and
who might like to easily read earlier posts; second, traffic analysis
to know exactly to whom an affinity message is directed would be foiled;
third, a newsgroup is much more public and would serve to publicize
available privacy measures on the internet.

And it would be fun to accumulate a secret keyring full of such
keys -- it beats giving out t-shirts as a door prize.

We could send a copy of alt.encrypted directly to Judge William
Sessions or Admiral Studeman to save them the time of having it
collected for them.


-- 
grady@netcom.com  2EF221 / 15 E2 AD D3 D1 C6 F3 FC  58 AC F7 3D 4F 01 1E 2F


Newsgroup: sci.crypt
Document_id: 15628
From: ptrei@bistromath.mitre.org (Peter Trei)
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks only

In article <strnlghtC5t4o3.K5p@netcom.com> strnlght@netcom.com (David Sternlight) writes:
>Actually the government is telling you that if you want to use their
>"product" the manufacturer (actually better yet, some "trusted" pair
>of escrow agencies) has to have the key.
>
>Most of us already are in this situation--our car makers have keys to our
>cars (or can get them quickly from the VIN  number), and I have no doubt
>that if presented with a court order, they'd surrender copies to the
>government.

>Chances are that many locksmiths have the code numbers for house locks
>they've installed, and in an emergency can cut keys; thus they'd also
>provide such keys to the government pursuant to a court order.

    Of course, nothing prevents you from buying a new lock with cash
and installing it yourself. Even modifying the core to match some
arbitrary key is not difficult to do at home. I once knew someone who
had fixed his locks in this way - his house, office and cars all took
the same key (which he took GOOD care of :-)

>The state has no difficulty gaining access to your safe deposit box if they
>have a court order.

>Bad analogy.

    Very bad (yours, that is). Have you ever had a safety deposit box?
They work on a two-key system. The bank clerk has one, and you have
the other (they are different keys). The bank does NOT keep a copy of
your key. If you lose it, they have to drill out the lock, and replace
the door. This is a time consuming and expensive process (which they
will be happy to charge to your account :-).

     This process is exactly analogous to having a private key which
is NOT in an escrow system, and the state having to crack your cipher
to get the data.

     Please do not use false analogies.

							Peter Trei
							ptrei@mitre.org


Newsgroup: sci.crypt
Document_id: 15629
From: langford@gems.vcu.edu
Subject: Re: Organized Lobbying for Cryptography

In article <1993Apr20.213718.23129@husc3.harvard.edu>, kubo@zariski.harvard.edu (Tal Kubo) writes:
 
> Having mentioned the possible dangers of unwelcome political associations,
> I would be remiss not to suggest something in the opposite direction:
> gathering the support of the NRA by emphasizing the RKBA side of the
> issue as well as the First-Amendment side.
> 
> Tal  kubo@math.harvard.edu
> 
> 
Hmmm, this gave me an interesting idea.  How about this argument:

1)  Second Amendment gives us the right to keep and bear arms.

2)  Strong cryptography is "arms", according to the U.S. government (that's
    why it's so hard to export).

Therefore, we have a constitutional right to strong cryptography!  
Q.E.D.

However, it's likely to be as hard or harder to exercise this right as it
is getting to exercise the other rights that the government is slowly
restricting.  Maybe the NRA _would_ be the best existing organization?
(Although I think a new one might be better, but perhaps would take too long
to start up.  I would certainly join.)
-- 
| From the electronic desk of Bob Langford          Health Sciences Computing
| 804-786-9843   (fax: 804-786-9807)         Virginia Commonwealth University
| e-mail:  langford@gems.vcu.edu     [or]     langford@vcuvax  (for BITNET)

Newsgroup: sci.crypt
Document_id: 15630
From: steve-b@access.digex.com (Steve Brinich)
Subject: Re: Off the shelf cheap DES keyseach machine (Was: Re: Corporate acceptance of the wiretap chip)

 > > :Thousands?  Tens of thousands?  Do some arithmetic, please...  Skipjack
 > > :has 2^80 possible keys.
 > >
 > > We don't yet know if all 80 bits count.
 >
 > That doesn't worry me at all; they're not going to cheat at something
 >they can get caught at.  And key size is one of the things that can be
 >verified externally.  Feed lots of random key/input pairs into the
 >chip, then see what happens to the output....

  If the device is designed to use the key that's registered with the Feds,
I don't see how you -can- feed it a different key.  If the user can change
the key to any of the 2^80 possibilities, the main reason for regarding
this proposal as unacceptable disappears.




Newsgroup: sci.crypt
Document_id: 15631
From: tom@ssd.csd.harris.com (Tom Horsley)
Subject: Re: Off the shelf cheap DES keyseach machine (Was: Re: Corporate acceptance of the wiretap chip)

>I don't like the unit key generation process any better than you do.
>However -- S1 and S2 are supposed to be under control of the same
>escrow agents.  If they can't be trusted to keep the seed values secure,
>they can't be trusted to keep the half-keys secure.

I hope there is something I don't understand about this system, but can
someone tell me how these chips are going to be manufactured while maintaining
each half key under total control of the separate escrow agencies? Don't
both halves of the key have to come together (in some form) at the time
the chip is constructed?

Or is it built like a fusible PROM, with the chip being sent to the 1st
escrow agency to program its 1/2 key, then the 2nd agency to program its
1/2 key (but who invents the safeguards that prevent the 2nd agency from
reading the information already programmed by the 1st)?

This isn't intended to be a flame or anything, I am just really curious
how to manufacture these things while still maintaining the key escrow
security without simply saying "trust the manufacturer, they won't look".
--
======================================================================
domain: tahorsley@csd.harris.com       USMail: Tom Horsley
  uucp: ...!uunet!hcx1!tahorsley               511 Kingbird Circle
                                               Delray Beach, FL  33444
+==== Censorship is the only form of Obscenity ======================+
|     (Wait, I forgot government tobacco subsidies...)               |
+====================================================================+

Newsgroup: sci.crypt
Document_id: 15632
From: angel@Foghorn_Leghorn.coe.northeastern.edu (Kirill Shklovsky)
Subject: Re: Once tapped, your code is no good any more.

In article <1993Apr21.204036.13723@rick.dgbt.doc.ca> jhan@debra.dgbt.doc.ca (Jerry Han) writes:
>As one of the happily sleeping people, I would just like to ask this->
>aren't people just slightly overreacting to this?  Or are we all of a
>sudden going to draw parallels to Nazi Germany and Communist Russia?
>
>The point of the matter is that; yes this is a serious problem.  But it is
>not the end of the world.  Guess what?  We're doing something now you
>can't do in a Communist country or Nazi Germany.  We're complaining about
>it, (or rather, you're complaining about it) and nobody is shooting at us.  
>
>(Or, rather, if they're shooting at me, they have real bad aim.  (:-) )
>
>GUESS WHAT PEOPLE?  You live in one of the few countries in the world
>where a person can complain without getting shot at.  
>
>People are always complaining that somebody did this wrong, or somebody
>did that wrong, or whatever.  Sit down and figure out two things:
>
>1)  What have they done right?
>2)  How much worse can it get?
>
>And you'll find that you and I, are pretty damn lucky.
>
>So let's talk about it, get some action going, decide what's going on. 
>But let's not overreact!  
>
Us having the liberties to talk about this doesn't make the problem go
away.  It doesn't make it right.  Rather the opposite, if we do not do 
anything about it, you can bet it's going to get worse.

        *             Angel@foghorn_leghorn.coe.northeastern.edu
   *   * *     *   BTW: These are my opinions, and not that of any other entity
- * * *   *   * * ------------------------------------------------------------*
     *     * *               My god, its full of stars! - Dave
            *        I don't know about you, but we've got company!  - Epidemic


Newsgroup: sci.crypt
Document_id: 15633
From: sphughes@sfsuvax1.sfsu.edu (Shaun P. Hughes)
Subject: Re: Organized Lobbying for Cryptography

In article <1r3jgbINN35i@eli.CS.YALE.EDU> jgfoot@minerva.cis.yale.edu writes:
>Tarl Neustaedter (tarl@coyoacan.sw.stratus.com) wrote:
>
>: It means that the EFF's public stance is complicated with issues irrelevant
>: to the encryption issue per se. There may well be people who care about
>: the encryption issue who don't care to associate themselves with the
>: network erotica issue (or may even disagree with the EFF's position).
>
>Perhaps these encryption-only types would defend the digitized porn if it
>was posted encrypted?
>
>These issues are not as separable as you maintain.
>

Now why would anyone "post" anything encrypted? Encryption is only of 
use between persons who know how to decrypt the data.

And why should I care what other people look at? 

What does concern me is the continued erosion of my constitutional
rights. ( Amendments I, II, IV, and V to note a few. )

-- 
  Shaun P. Hughes                          "Facts are Stupid Things."
  sphughes@sfsuvax1.sfsu.edu                Ronald Reagan
                                            Republican National
  Finger for PGP 2.2 Public Key             Convention 1988

Newsgroup: sci.crypt
Document_id: 15634
From: jgfoot@minerva.cis.yale.edu (Josh A. Goldfoot)
Subject: Re: Organized Lobbying for Cryptography

Shaun P. Hughes (sphughes@sfsuvax1.sfsu.edu) wrote:
: In article <1r3jgbINN35i@eli.CS.YALE.EDU> jgfoot@minerva.cis.yale.edu writes:
[deletion]
: >Perhaps these encryption-only types would defend the digitized porn if it
: >was posted encrypted?
: >
: >These issues are not as separable as you maintain.
: >

: Now why would anyone "post" anything encrypted? Encryption is only of 
: use between persons who know how to decrypt the data.

: And why should I care what other people look at? 

I was responding to another person (Tarl Neustaedter) who held that the
EFF wasn't the best organization to fight for cryptography rights since the
EFF also supports the right to distribute pornography over the internet,
something some Crypto people might object to. In other words, he's
implying that there are people who will protect any speech, just as long
as it is encrypted.


Newsgroup: sci.crypt
Document_id: 15635
From: steve-b@access.digex.com (Steve Brinich)
Subject: Re: Once tapped, your code is no good any more.

  Agreed.  This is like the Bay of Pigs fiasco (planned by the Eisenhower
Administration but given the final green light by Kennedy).
  To be sure, when it all went down, Kennedy was at least man enough to take
full responsibility, which is not what I expect from Slick Willie Clinton....


Newsgroup: sci.crypt
Document_id: 15636
From: arc@leland.Stanford.EDU (Andrew Richard Conway)
Subject: Re: Once tapped, your code is no good any more.

In article <1993Apr21.204036.13723@rick.dgbt.doc.ca> jhan@debra.dgbt.doc.ca (Jerry Han) writes:
>In article <bontchev.735404289@fbihh>
>
>As one of the happily sleeping people, I would just like to ask this->
>aren't people just slightly overreacting to this?  Or are we all of a
>sudden going to draw parallels to Nazi Germany and Communist Russia?

Yes. Reasonable parallels. (though I don't think Russia ever claimed to be
Communist)

>The point of the matter is that; yes this is a serious problem.  But it is
>not the end of the world.  Guess what?  We're doing something now you
>can't do in a Communist country or Nazi Germany.  We're complaining about

I must protest your "...in a Communist country". How do you know?
There haven't been any, and are unlikely to ever be any. In some Socialist
dictatorships, you can't, whilst in some socialist democracies
(such as France or Australia)
you can. Of course, some people may disagree about France & Australia being
socialist...

>it, (or rather, you're complaining about it) and nobody is shooting at us.  

Yet.

>(Or, rather, if they're shooting at me, they have real bad aim.  (:-) )
>
>GUESS WHAT PEOPLE?  You live in one of the few countries in the world
>where a person can complain without getting shot at.  

In some circumstances. I was at a public meeting last night (in the USA), where
a protester, who was very nice and calm, and just said before the
speaker started to beware of his opinions, was forced out of the meeting by
two armed policemen.

There are a lot of things that one cannot do in the USA. You may not
notice them, but as an Australian visitor, I notice them.

>People are always complaining that somebody did this wrong, or somebody
>did that wrong, or whatever.  Sit down and figure out two things:
>
>1)  What have they done right?
>2)  How much worse can it get?
>
>And you'll find that you and I, are pretty damn lucky.

Yes, we are lucky at the moment. I hope that is still true in
a few years' time. Because it didn't just happen...it required conscious
effort.

>So let's talk about it, get some action going, decide what's going on. 
>But let's not overreact!  

Of course don't overreact --- but don't underreact.

Andrew.
Disclaimer: All my opinions are my own, and do not represent the society
for the conservation of momentum or any other group. I hope I don't lose
my student Visa as a result of these opinions..


-- 
-----------------------------------------------------------------
Andrew Conway    arc@leland.stanford.edu  Phone: USA 415 497 1094


Newsgroup: sci.crypt
Document_id: 15637
From: ebrandt@jarthur.claremont.edu (Eli Brandt)
Subject: Re: Off the shelf cheap DES keysearch machine (Was: Re: Corporate acceptance of the wiretap chip)

In article <1993Apr21.132318.16981@ulysses.att.com> smb@research.att.com (Steven Bellovin) writes:
>Remember that they've promised to let a committee of outside experts see
>the cryptosystem design.

I hope there are some silicon jocks on the committee who can follow
the algorithm through to hardware.  While I doubt the NSA would pull
any monkey business on this point -- they have to expect that the
chip will be reverse-engineered sooner or later -- it's an obvious
opportunity to introduce additional holes.

>		--Steve Bellovin

	 PGP 2 key by finger or e-mail
   Eli   ebrandt@jarthur.claremont.edu


Newsgroup: sci.crypt
Document_id: 15638
From: george@tessi.com (George Mitchell)
Subject: Re: Organized Lobbying for Cryptography

langford@gems.vcu.edu writes:

>In article <1993Apr20.213718.23129@husc3.harvard.edu>, kubo@zariski.harvard.edu (Tal Kubo) writes:
>> Having mentioned the possible dangers of unwelcome political associations,
>> I would be remiss not to suggest something in the opposite direction:
>> gathering the support of the NRA by emphasizing the RKBA side of the
>> issue as well as the First-Amendment side.

>Hmmm, this gave me an interesting idea.  How about this argument:
>1)  Second Amendment gives us the right to keep and bear arms.
>2)  Strong cryptography is "arms", according to the U.S. government (that's
>    why it's so hard to export).
>Therefore, we have a constitutional right to strong cryptography!
>Q.E.D.

>[. . .]  Maybe the NRA _would_ be the best existing organization?

I think a new organization would be a much better idea, as the NRA
carries as much undesirable baggage for me as the EFF and CPSR do
for others.

Are any hot-shot, reputable organizers reading this message?  If an
effective group comes into existence, it can count on me signing up.

-- George Mitchell (george@tessi.com)

Newsgroup: sci.crypt
Document_id: 15639
From: A. Charles Gross <acg@eff.org>
Subject: I have seen the lobby, and it is us

In article <1993Apr21.113152.395@gems.vcu.edu> , langford@gems.vcu.edu
writes:
>However, it's likely to be as hard or harder to exercise this right as it
>is getting to exercise the other rights that the government is slowly
>restricting.  Maybe the NRA _would_ be the best existing organization?
>(Although I think a new one might be better, but perhaps would take too long
>to start up.  I would certainly join.)

The NRA is successful because (among a number of things), on the drop of
a hat, they can get a congressperson's office flooded with postcards,
faxes and phone calls.  Certainly, with our way-cool Internet powers of
organization, we can act in the same way, if such action is appropriate.

As long as we are kept informed of events, anyone on this bboard can make
a call to action.  Hopefully, we're a strong enough community to act on
those calls.  I realize this is a little optimistic, and I'm glad EFF is
working in the loop on these issues, but don't underestimate the
potential of the net for political action.

Adam
* I speak for myself

Newsgroup: sci.crypt
Document_id: 15640
From: andyl@harlqn.co.uk (Andy Latto)
Subject: Re: Off the shelf cheap DES keysearch machine (Was: Re: Corporate acceptance of the wiretap chip)


In article <1993Apr21.132318.16981@ulysses.att.com> smb@research.att.com (Steven Bellovin) writes:

   In article <C5sy1z.4tD@demon.co.uk>, Graham Toal <gtoal@gtoal.com> writes:
   > In article <1993Apr20.192105.11751@ulysses.att.com> smb@research.att.com (Steven Bellovin) writes:
   > :Thousands?  Tens of thousands?  Do some arithmetic, please...  Skipjack
   > :has 2^80 possible keys.
   > 
   > We don't yet know if all 80 bits count.

   That doesn't worry me at all; they're not going to cheat at something
   they can get caught at.  And key size is one of the things that can be
   verified externally.  Feed lots of random key/input pairs into the
   chip, then try flipping random key bits, and see what happens to the
   output.  We already know what *should* happen -- about half the output
   bits should vary, on average, from a 1-bit key change or input change.

   If they were out to build a weak cryptosystem, it might be the case that
   some of the bits are much less powerful than others, in the sense that
   they only enter into the encryption very late in the game.  By contrast,
   DES was designed to use each key bit as early as possible; the 50% output
   change rate appears as early as round 5.  Again, though, I don't think
   NSA is going to cheat that crudely; they're likely to get caught.

Consider a cryptosystem that starts out by XORing bits 23 and 47, and
not using either of these bits except through this XOR. This system
makes early use of every bit, but an exhaustive key search would now
only have 2^79 keys to search. Your test by varying single key bits
wouldn't turn up anything interesting.

   Remember that they've promised to let a committee of outside experts see
   the cryptosystem design.  If you assume something DES-like, a biased
   subkey generation schedule will stick out like a sore thumb.

The algorithm I suggest above would stick out like a sore thumb, but
I'm sure I could design a system with a more subtle key redundancy
which was well-hidden, but would still make an exhaustive key search
take far less than 2^80 encryptions. I don't believe your claim that
the real keysize can be verified externally.

							Andy Latto
							andyl@harlequin.com
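Bellovin's single-bit-flip check (quoted above) and Latto's counterexample, as an added example that is not code from either poster: a constructed toy 64-bit Feistel cipher with an 80-bit key, built in two variants. The "honest" key schedule uses all 80 key bits on their own; the "redundant" one first replaces bits 23 and 47 (the bits from Latto's post) by their XOR and never uses either separately. The cipher, its SHA-256-based round function and the bit-flip statistic are assumptions of this example, not Skipjack or any real design.

```python
"""Toy 64-bit Feistel cipher with an 80-bit key, in two variants.

  honest:    the key schedule uses every one of the 80 key bits on its own.
  redundant: the key schedule first replaces bits 23 and 47 by their XOR and
             never uses either bit separately (Latto's construction).

Constructed example; not Skipjack and not any real cipher.
"""
import hashlib
import random

KEY_BITS = 80
BLOCK_BITS = 64
ROUNDS = 16
FOLD_A, FOLD_B = 23, 47  # key bits the redundant variant folds into one


def _fold_key(key: int) -> int:
    """Replace bit FOLD_A with (bit FOLD_A XOR bit FOLD_B) and clear bit FOLD_B."""
    a = (key >> FOLD_A) & 1
    b = (key >> FOLD_B) & 1
    key &= ~((1 << FOLD_A) | (1 << FOLD_B))
    return key | ((a ^ b) << FOLD_A)


def _round_keys(key: int, redundant: bool) -> list:
    """Derive 16 32-bit round keys as a PRF of the (possibly folded) key."""
    if redundant:
        key = _fold_key(key)
    kb = key.to_bytes(KEY_BITS // 8, "big")
    return [int.from_bytes(hashlib.sha256(kb + bytes([i])).digest()[:4], "big")
            for i in range(ROUNDS)]


def _f(half: int, rk: int) -> int:
    """Round function: SHA-256 used as a keyed 32-bit mixing function."""
    d = hashlib.sha256(half.to_bytes(4, "big") + rk.to_bytes(4, "big")).digest()
    return int.from_bytes(d[:4], "big")


def encrypt(key: int, block: int, redundant: bool) -> int:
    """Encrypt one 64-bit block under an 80-bit key with a 16-round Feistel network."""
    left, right = block >> 32, block & 0xFFFFFFFF
    for rk in _round_keys(key, redundant):
        left, right = right, left ^ _f(right, rk)
    return (left << 32) | right


def key_avalanche(redundant: bool, bit=None, trials: int = 200, seed: int = 1) -> float:
    """Bellovin's external check: flip one key bit (a random one, or `bit`) and
    return the mean number of ciphertext bits that change (ideal: about 32 of 64)."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        key = rng.getrandbits(KEY_BITS)
        pt = rng.getrandbits(BLOCK_BITS)
        b = rng.randrange(KEY_BITS) if bit is None else bit
        c1 = encrypt(key, pt, redundant)
        c2 = encrypt(key ^ (1 << b), pt, redundant)
        total += bin(c1 ^ c2).count("1")
    return total / trials


def equivalent_key(key: int) -> int:
    """The partner key the redundant schedule cannot distinguish from `key`."""
    return key ^ (1 << FOLD_A) ^ (1 << FOLD_B)


def count_distinct_ciphertexts(redundant: bool, base_key: int, bits, pt: int) -> int:
    """Try every setting of the listed key bits and count the distinct ciphertexts.
    Fewer than 2**len(bits) means those bits do not carry independent key material."""
    seen = set()
    for mask in range(1 << len(bits)):
        key = base_key
        for i, b in enumerate(bits):
            key &= ~(1 << b)
            if (mask >> i) & 1:
                key |= 1 << b
        seen.add(encrypt(key, pt, redundant))
    return len(seen)


if __name__ == "__main__":
    rng = random.Random(7)
    k, p = rng.getrandbits(KEY_BITS), rng.getrandbits(BLOCK_BITS)
    for variant in (False, True):
        name = "redundant" if variant else "honest"
        print(f"{name:9s} avalanche: random bit {key_avalanche(variant):.1f}/64,"
              f" bit 23 {key_avalanche(variant, bit=23):.1f}, bit 47 {key_avalanche(variant, bit=47):.1f}")
        print(f"{name:9s} distinct ciphertexts over all settings of bits 23/47: "
              f"{count_distinct_ciphertexts(variant, k, [FOLD_A, FOLD_B], p)} of 4")
    print("redundant: a key and its partner encrypt identically:",
          encrypt(k, p, True) == encrypt(equivalent_key(k), p, True))
```

Both variants pass the bit-flip check, including when bit 23 or bit 47 itself is the one flipped (the XOR still flips, so every round key changes), which is Latto's point: single-bit statistics measure diffusion, not the size of the effective keyspace. The enumeration over bits 23 and 47 is what does expose the redundancy: four key settings give only two distinct ciphertexts, so keys pair up and the search space is 2^79, not 2^80. A less obvious linear relation among several key bits would need the same kind of pairwise-key test over the right subset of bits, not a random-flip statistic.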

Newsgroup: sci.crypt
Document_id: 15641
From: caronni@nessie.cs.id.ethz.ch (Germano Caronni)
Subject: Re: Do we need the clipper for cheap security?

In article <9304201003.AA05465@pizzabox.demon.co.uk> gtoal@gtoal.com (Graham Toal) writes:
>Can someone tell me if hardware compression is or is not needed to run
>digital speech down 14.4K?  I think it is; I've heard it's not.  Let's
>say 8 bit samples.  Would *raw* data at the corresponding sampling rate
>be usable?  If not, how fancy does the compression need to be?

As far as I know, ISDN (call it Swissnet here, and it's being plugged in) is
8 bit at 8000 Hz (gives you one channel of 64 kbit/sec). I guess you should not go
below a sampling rate of 6000 Hz if you want to have the same quality as on an
analog line. Does anybody know compression algorithms & factors for voice?

Greetings,

	Germano Caronni
-- 
Instruments register only through things they're designed to register.
Space still contains infinite unknowns.
                                                              PGP-Key-ID:341027
Germano Caronni caronni@nessie.cs.id.ethz.ch   FD560CCF586F3DA747EA3C94DD01720F

Newsgroup: sci.crypt
Document_id: 15642
From: Tony Lezard <tony@mantis.co.uk>
Subject: Re: text of White House announcement and Q&As on clipper chip encryp

gtoal@gtoal.com (Graham Toal) writes:

> Whatever happens though, the effect of this new chip will be to make private
> crypto stand out like a sore thumb.

ONLY IF this chip catches on. Which means alternatives have to be
developed. Which will only happen if Clipper is discredited.

-- 
Tony Lezard IS tony@mantis.co.uk | PGP 2.2 public key available from key
OR tony%mantis.co.uk@uknet.ac.uk | servers such as pgp-public-keys@demon.co.uk
OR EVEN      arl10@phx.cam.ac.uk | 172045 / 3C85783F 09BBEA0C B86CF9C6 7A5FA172


Newsgroup: sci.crypt
Document_id: 15643
From: mathew <mathew@mantis.co.uk>
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

bena@dec05.cs.monash.edu.au (Ben Aveling) writes:
> Don't forget, you are in the country that wouldn't let the Russians
> buy Apple II's because of security concerns.

That's nothing.  They wouldn't let the British buy Inmos Transputer systems
because of security concerns.  And we designed the damn things!


mathew

Newsgroup: sci.crypt
Document_id: 15644
From: psionic@wam.umd.edu (Haywood J. Blowme)
Subject: new encryption

   As promised, I spoke today with the company mentioned in a Washington
Times article about the Clipper chip announcement. The name of the company
is Secure Communications Technology (Information will be given at the end
of this message on how to contact them).

   Basically they are disturbed about the announcement for many of the reasons
that we are. More specifically however, Mr. Bryen of Secure Communications
brought to light many points that might interest most of the readers.

   His belief is that AT&T was made aware of the Clipper well before the
rest of the industry. This is for several reasons, several of which are:

 - A company of AT&T's size could never be able to make a decision to use
   the new chip on the SAME DAY it was announced.

 - Months ago they proposed using their own chip for AT&T's secure telephone
   devices. AT&T basically blew them off as being not interested at all.
   This struck them as strange, until now...


   Also I spoke with Art Melnick, their cryptographer, who expressed several
concerns over the new Clipper Chip:

  - The obvious backdoor will be able to let many people decrypt the code.

  - Once the key is released to authorities the security of the crypto
    system is lost forever. These keys can end up in the hands of any agency
    of the government.

  - The fact that the escrowed keys never change means that the algorithm
    is vulnerable over time to an attacker.

  - The classified algorithm may hide another backdoor. But he feels that
    it is probably to keep people from forging fake serial numbers, or
    changing the keys themselves.

  - Additionally he feels that the NSA has probably spent enough time and
    money in working on a way to keep this chip from being reverse
    engineered, that he feels that reverse engineering it will be very
    difficult to do. He feels that they have developed a suitable technique
    to protect the chip from this attack. Also he feels that the chip is
    hardware encoded with the algorithm and not microcoded onto the chip.

Additionally I spoke with Mr. Melnick about their algorithm. He couldn't tell
me much about their new algorithm because it hasn't been patented yet.
However he told me a little:

 - The algorithm will be released for public review after patents have been
   granted for it. This is so the crypto community can see that it is
   secure.

 - The algorithm is called NEA for New Encryption Algorithm.
   The details were sketchy because for now it is held as a trade secret
   until the patent is issued, but I was told that it will incorporate
   the following:

    - It will have fast encryption of data (Exact specs not given, but
      Mr. Melnick stated "Much faster than what an RS-232 can put out.")

    - It is a symmetric cipher, just like IDEA and DES.

    - It will use 64 bit data blocks for encryption (like DES and IDEA).

    - The key length was not given to me, but Mr. Melnick states that
      it is _adjustable_ and is "More than adequate for security."

    - The algorithm is written in C and Assembler in software form, and
      can be ported to many platforms (Unlike the Clipper Chip, which
      is hardware ONLY and cannot be made into software). This I
      consider a definite plus for the NEA for widespread use.

    - The algorithm will accommodate public key distribution techniques
      such as RSA or Diffie-Hellman. This will also be supported in the
      hardware chip.

    - Right now the projected cost of the NEA chip will be about 10 dollars
      for each!! (Clipper will run 25 each chip [that is if it is produced
      enough, which probably won't happen]).

    - They currently sell a program called C-COM that uses the algorithm
      and a special streaming protocol that does not divide the encrypted
      data into "blocks." This could prevent plaintext attacks if you know
      what the block header is. This program operates at all supported
      RS-232 speeds and uses the software implementation of the algorithm.

    - Most importantly: IT DOES NOT HAVE A BACKDOOR!!



Right now the company is afraid that the new clipper chip will put them out
of business. This is a very real possibility. So they really need help in
stopping the clipper chip from becoming a standard. If you want to contact
them, they can be reached at..

Secure Communications Technology
8700 Georgia Ave. Suite 302
Silver Spring, MD

(301) 588-2200

I talked to Mr. Bryen who represents the company. He can answer any
questions you have.




Any factual errors occurring in this write up are my own and I apologize for
them ahead of time.

 

=============================================================================
      ///    | psionic@wam.umd.edu | Fight the WIRETAP CHIP!! Ask me how!
 __  /// C=  | -Craig H. Rowland-  |
 \\\/// Amiga| PGP Key Available   | "Those who would give up liberty for
  \///  1200 | by request.         |  security deserve neither."
=============================================================================

Newsgroup: sci.crypt
Document_id: 15645
From: neuhaus@vier.informatik.uni-kl.de (Stephan Neuhaus (HiWi Mattern))
Subject: Re: Do we need the clipper for cheap security?

gtoal@gtoal.com (Graham Toal) writes:

>Can someone tell me if hardware compression is or is not needed to run
>digital speech down 14.4K?  I think it is; I've heard it's not.  Let's
>say 8 bit samples.  Would *raw* data at the corresponding sampling rate
>be usable?  If not, how fancy does the compression need to be?

Note: I am *not* a cable freak, so I might have completely
misunderstood what you said.  Also, my math is frequently noted for
being wrong, so you'd better check the calculations yourself.

I assume that 14.4K means 14.4K bits.  So if we assume one start and
one stop bit, and no protocol overhead, the effective number of bytes
per second is 1.44K.

Let's also assume that you do not want to transmit your speech in
stereo, so that you can send 1,440 samples/sec.  This corresponds to a
Nyquist frequency of 720 Hz, which should be too low, especially if
you think about the 8-bit low quality sound.  Furthermore, your D/A
converter will probably not present you with a signal that has been
cut off at 720 Hz, but will instead alias in all the higher
frequencies.  (Although you can definitely build a filter to overcome
that problem.)

On the other hand, speech should be easily compressible.  For example,
you could form power spectra, or you could simply band-pass filter and
then linearize the Fourier transforms.  It won't be CD quality sound,
but it'll be discernible.  The power spectrum method is very good in
that respect.  I have once programmed such a software compressor, and
compression rates of 90% with relative errors due to linearization of
less than 5% were common.  Although I must say that these were musical
sounds, not speech.

Have fun.

-- 
Stephan <neuhaus@informatik.uni-kl.de>
sig closed for inventory.  Please leave your pickaxe outside.
PGP 2.2 public key available on request.  Note the expiration date.

Newsgroup: sci.crypt
Document_id: 15646
From: m.t.palmer@larc.nasa.gov (Michael T. Palmer)
Subject: Re: Once tapped, your code is no good any more.


In article <1993Apr21.150815.6657@chpc.org> rboudrie@chpc.org (Rob Boudrie) writes:
>In article <C5so84.Hxv@demon.co.uk> Graham Toal <gtoal@gtoal.com> writes:
>>In article <2073@rwing.UUCP> pat@rwing.UUCP (Pat Myrto) writes:
>>:If the Clinton Clipper is so very good, why not make its algorithm public
>>:so many people can exchange ideas and examine it, rather than a few
>>:isolated 'respected experts' (respected by whom?  for what?  Perhaps a
>
>One more time...
>
>    If they released the algorithm, it would be possible for someone
>    to come up with an implementation which was identical, but
>    lacking an escrowed key.
>
>    Note that the press announcement mentioned that the algorithm was
>    being kept secret for security of the key escrow system.  In this
>    case security means "an escrowed key for EVERY clipper chip".
>
>
>    Assuming you believed all that is said about the effectiveness of
>    the algorithm, and the escrow system, which would you buy :
>
>     (a)  Chip from firm A with the escrowed key
>     (b)  Second source chip from reputable firm B with no key
>          in government escrow.
>
>    There would obviously be powerful economic incentives for a second
>    source, non escrowed, vendor.

But what about second sources for pin-compatible non-Clipper algorithm
chips that also have escrowed keys?  If a "reputable firm" produces a
chip (with escrowed key) that is a pop-in replacement for the Clipper
chip in my phone, and uses an algorithm that is widely known and evaluated
and "trusted," then what's the problem?

The Clipper is going to be reverse engineered anyway by any organization
with sufficient resources (can you say "billions of cocaine dollars?") so
those drug dealers they're so worried about will be slipping through the
cracks.  We law-abiding (non-incredibly-wealthy) citizens, naturally, will
not have this recourse.  But claiming that the algorithm can't be
released to prevent people from using non-key-escrowed chips is plain
deceitful... analysis of the chip output will provide information on
the necessary headers and whatnot, so the "bad guys" could build chips
using a *different* algorithm and still not escrow their keys.

Or, they could just buy bunches of cheap phones at K-mart every week,
and play Swap-the-Clipper-Chip with their cellular phone every day.


Michael T. Palmer         |  "A man is crazy who writes a secret in any
m.t.palmer@larc.nasa.gov  |   other way than one which will conceal it
RIPEM key on server       |   from the vulgar." - Roger Bacon, 1220-1292

Newsgroup: sci.crypt
Document_id: 15647
From: rboudrie@chpc.org (Rob Boudrie)
Subject: Re: How to detect use of an illegal cipher?

>As for my impressions of the whole scheme It seems that instead of trying to
>ban strong crypto, they are trying to co-opt it. Their contention that they
>need to keep the algorithm secret to protect the security of the key
>registration suggests possible inherent weakness to the algorithm. More likely
>is that they don't want anyone constructing black market devices which don't
>have the keys registered. Anyone else notice that in their Q&A session, they

Preventing black market chips w/non-escrowed keys IS exactly what they
mean by protecting the security of the key escrow system.  There are
two parts to the security of such a system:
  
    (a) Preventing decryption by unauthorized personnel
    (b) Assuring that the gummit can always decrypt clipper
        traffic when it authorizes itself to do so.

Of course, the ministry of propaganda will do a lot of talking about
(a) and very little about (b).

                                        rob boudrie
                                        rboudrie@chpc.org

ps: Anyone care to guess what encryption scheme the gov't is using on
    its newly formed database of anarch-cryptists who oppose this entire
    lunacy?


Newsgroup: sci.crypt
Document_id: 15648
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks only
From: a_rubin@dsg4.dse.beckman.com (Arthur Rubin)

In <1r47l1INN8gq@senator-bedfellow.MIT.EDU> jfc@athena.mit.edu (John F Carr) writes:

>In most cases information you come by properly is yours to use as you wish,
>but there are certainly exceptions.  If you write a paper which includes
>sufficiently detailed information on how to build a nuclear weapon, it is
>classified.  As I understand the law, nuclear weapons design is
>_automatically_ classified even if you do the work yourself.  I believe you
>are then not allowed to read your own paper.

This has now been thrown out by the courts.  (The "Progressive" case.)

>A less serious example: if you tell drivers about a speed trap they are
>about to run into, you can be fined, even though you might argue that you
>broke no law when you discovered the location of the policeman.  The charge
>is interfering with a police officer, which is quite similar what you would
>be doing by reverse engineering the Clipper chip.

This is outright illegal.  It DOES violate the first amendment.  If you
would, give a case in which your "speed trap" example has been upheld by
the courts.
--
Arthur L. Rubin: a_rubin@dsg4.dse.beckman.com (work) Beckman Instruments/Brea
216-5888@mcimail.com 70707.453@compuserve.com arthur@pnet01.cts.com (personal)
My opinions are my own, and do not represent those of my employer.

Newsgroup: sci.crypt
Document_id: 15649
Subject: Re: Once tapped, your code is no good any more.
From: a_rubin@dsg4.dse.beckman.com (Arthur Rubin)

In <strnlghtC5uIJ4.76t@netcom.com> strnlght@netcom.com (David Sternlight) writes:

>In article <ELEE9SF.93Apr21095141@menudo.menudo.UH.EDU>
>elee9sf@menudo.menudo.UH.EDU (Karl Barrus) writes:

>>
>>Would you trust a black-box from the NSA versus an "open system" from
>>elsewhere?

>Absolutely, if I were assured by someone I trusted that the black box was
>more secure. I have nothing to conceal from the government, but I would like
>to be sure that any Russian, Japanese, French, or other competitors for my
>services can't read my traffic. I'd like to be sure that competitive bid
>information was safe from commercial competitors and foreign governments
>which would aid them.

>I believe the NSA has identical motivations with respect to my activities.
>The President and many other senior government officials have made it very
>clear that they share these motivations. Thus I'd trust them on the
>"coincidence of interests" argument as well as on a basic trust in their
>professionalism and a high confidence in their skills.

>David
>-- 
>David Sternlight         Great care has been taken to ensure the accuracy of
>                         our information, errors and omissions excepted.  

Nothing but errors and omissions here!

--
Arthur L. Rubin: a_rubin@dsg4.dse.beckman.com (work) Beckman Instruments/Brea
216-5888@mcimail.com 70707.453@compuserve.com arthur@pnet01.cts.com (personal)
My opinions are my own, and do not represent those of my employer.

Newsgroup: sci.crypt
Document_id: 15650
From: mbeckman@mbeckman.mbeckman.com (Mel Beckman)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption


In article <1993Apr17.032022.14021@clarinet.com> (sci.crypt,alt.security,comp.org.eff.talk,comp.security.misc,comp.org.acm,comp.org.ieee), brad@clarinet.com (Brad Templeton) writes:
> Let's assume, for the moment, that the system really is secure unless
> you get both halves of the encryption key from the two independent
> escrow houses.  Let's say you even trust the escrow houses -- one is
> the ACLU and the other is the EFF.  (And I'm not entirely joking about
> those two names)

The problem with "Let's assume" reasoning is that, taken to the extreme
(and you're close), you arrive at "Let's assume this is perfectly OK."

The assumptions you make are big ones. If the system is really secure, then
why does the government have to keep the algorithm secret?  There are plenty
of encryption algorithms that don't depend upon nondisclosure to be secure,
so why in the world use one that does?  There are reasons, of course, but
I certainly can't think of any honest ones.

Next, you assume we can "trust" the escrow houses. But the last time I checked,
EVERY SINGLE BRANCH OF GOVERNMENT has experienced unauthorized disclosure,
corruption, and even fabrication, of supposedly secure data. The govt is
saying "Yeah, but NOW we're serious, so you can trust us."  Bullcrypt. 

And finally, although you didn't state it explicitly, you implicitly assume
that the warrant mechanism in this country is safe and reasonable. The case
in Ventura County of a man shot and killed by officers serving a deliberately
fraudulent warrant tells me that the govt has a long way to go on this
score.

Remember that all this is to catch the drug dealers, right?  As others
have pointed out, the current proposal will, if deployed, render truly secure
encryption much more expensive and inconvenient than Uncle Sam's brand.
Who will be able to afford, and be sufficiently motivated, to purchase this
expensive, inconvenient higher protection?  Somebody with lots of extra
cash...

The following is more true than ever:

  "When [strong] encryption is outlawed, only outlaws will have [strong]
encryption."


________________________________________________________________________
| Mel beckman                  |   Internet: mbeckman@mbeckman.com     |
| Beckman Software Engineering | Compuserve: 75226,2257                |
| Ventura, CA 93003            |  Voice/fax: 805/647-1641 805/647-3125 |
|______________________________|_______________________________________|
 "You can observe a lot just by watching."  -Yogi Bera

Newsgroup: sci.crypt
Document_id: 15651
From: mbeckman@mbeckman.mbeckman.com (Mel Beckman)
Subject: Re: An Open Letter to Mr. Clinton


In article <strnlghtC5M2Cv.8Hx@netcom.com> (sci.crypt), strnlght@netcom.com (David Sternlight) writes:
> Here's a simple way to convert the Clipper proposal to an unexceptionable
> one: Make it voluntary.
> 
> That is--you get high quality secure NSA classified technology if you agree
> to escrow your key. Otherwise you are on your own.
> 

David,

  As an economist, I'm sure you can see the flaws in this logic. If the (naive)
market is flooded with proprietary, but weak, encryption, then truly strong 
encryption will be unable to compete. Suppose the govt had a secret TV broadcast
standard, and then sold TVs below cost. Private industry has a better standard,
but it's not as widespread due to the govt's early flooding of the market
with cheap proprietary sets. Even though the industry's technology is better,
the programming is being broadcast to the govt's unduplicatable standard.
Who could compete?

  The other flaw, of course, is that making something voluntary today ensures
that it will be voluntary in the future. I went to renew my CA drivers license
last week and was required not only to give my SSN, but to PRODUCE AN SSN
CARD to verify the number!  Note that a federal law once said that no state
or local govt could ever require the use of SSNs for drivers license registration
(specifically!).

   I do not trust the govt that says "trust me on this even though we could
have an arrangement that doesn't require your trust."  Something is big
time fishy. If you look more carefully, you'll see it.

  -mel

________________________________________________________________________
| Mel Beckman                  |   Internet: mbeckman@mbeckman.com     |
| Beckman Software Engineering | Compuserve: 75226,2257                |
| Ventura, CA 93003            |  Voice/fax: 805/647-1641 805/647-3125 |
|______________________________|_______________________________________|
 "You can observe a lot just by watching."  -Yogi Berra

Newsgroup: sci.crypt
Document_id: 15652
From: rschnapp@metaflow.com (Russ Schnapp)
Subject: Re: Once tapped, your code is no good any more.

It might be nice to:

1. cut out the ad hominem attacks on Prof. Denning, Mr. Sternlight,
etc.  If you have something objective to say about their views, go
ahead and say it (subject to point 2.).  Personal attacks reflect more
on the attacker than on the attackee.  Throw light, not heat!

2. restrict the discussion to appropriate newsgroups. I submit that
comp.org.acm and comp.org.ieee are not appropriate for this
discussion.  You have now made subscribers to these newsgroups aware of
the issue.  If they want to know more or participate in the discussion,
they can easily join sci.crypt, comp.security.misc, alt.security, or
comp.org.eff.talk.
-- 

...Russ Schnapp
Email: netcom!metaflow!rschnapp or rschnapp@Metaflow.com or rschnapp@BIX.com
Metaflow Technologies   Voice: 619/452-6608x230;  FAX: 619/452-0401
La Jolla, California    Unless otw specified, I'm speaking only for myself!

Newsgroup: sci.crypt
Document_id: 15653
From: mbeckman@mbeckman.mbeckman.com (Mel Beckman)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]


In article <1993Apr17.090731.18680@clarinet.com> (sci.crypt), brad@clarinet.com (Brad Templeton) writes:
> Interestingly enough, in designing the escrow, we may want to use some
> rather unusual technology, such as sealed boxes of paper, or
> destructive read memory, rather than typical computer databases, which
> is fun for a database of hundreds of millions of keys.
> 

To me, a larger problem is that once disclosed, your keys could be used
to decrypt any previously recorded conversations. I gather that from this
proposal a warrant would be required to get the keys, but not to collect
conversations! Consider the scenario where an agency collects preemptively
all encrypted conversations for certain people likely to be targets (and
not necessarily "legitimate" targets), then arranges for some unrelated
incident that can trigger a warrant:

   "Your honor, we know that the suspect has received calls from noted 
crime figure Bugsy Butthead [said calls arranged by the agency] and we must 
therefore have this warrant to determine whether this suspect, in a
sensitive govt post, is corrupt."

  I suppose that it is conceivable that there are session keys involved
somewhere, but that doesn't seem likely; if there are, why wouldn't the
technical overview mention them when it goes to such details as the number
of bits held by each escrow authority?

  This scheme is full of holes, and stinks to high heaven.

  -mel

________________________________________________________________________
| Mel Beckman                  |   Internet: mbeckman@mbeckman.com     |
| Beckman Software Engineering | Compuserve: 75226,2257                |
| Ventura, CA 93003            |  Voice/fax: 805/647-1641 805/647-3125 |
|______________________________|_______________________________________|
 "You can observe a lot just by watching."  -Yogi Berra

Newsgroup: sci.crypt
Document_id: 15654
From: ifarqhar@laurel.ocs.mq.edu.au (Ian Farquhar)
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks only

In article <1r0ausINNi01@senator-bedfellow.MIT.EDU> jfc@athena.mit.edu (John F Carr) writes:
>The chip and algorithm are classified.  If you reverse engineer it and
>tell people, you are likely to go to jail.

I don't find this a credible argument, for two reasons.  One you have
supplied below: unless I care about entering the USA at any time in the
future (eg. the Taiwanese backyard cloners - who BTW have been known to
decap custom silicon and reproduce it on daughterboards when pirating
high-profit arcade machines and the like - who wouldn't care less), I am not 
going to care much about US confidentiality, am I?  Only people like the
real me, who does care about travelling to various countries for business
reasons, will sit up and follow laws like this, but I would contend that
we're not the main threat.

I also have grave doubts whether an algorithm widely distributed in silicon
could possibly be called "classified."  It's like handing out military
secrets to the whole world in envelopes marked "don't open me."  I can
imagine several credible defences which could be employed if it came to
a trial.  One would be the stupidity of the government's actions.

>Perhaps some foreign governments or corporations could help us out by
>cracking the system outside the USA.  The US government could probably
>stop importation of clone hardware, but a software implementation
>should be practical.

Amusing thought: could they have employed an algorithm which is infeasible
for a fast software implementation, but which is easy in custom hardware?
In DES, the extensive use of permutation tables (trivial in hardware: you
just swap bus lines, but relatively slow in software) has had a big effect
on the speed difference between hardware and software implementations of
that cipher (indeed, I suspect that Lucifer's designers were well aware that
it would be, and approved.)  Certain algorithms (usually parallel search
algorithms) can be very slow in software, yet can fly in custom hardware.
I have no proof of their employment in Clipper -- it is pure conjecture.  
However, as a software implementation of this cipher is something that its 
designers would have been trying to avoid at all costs, then the inclusion 
of such techniques seems credible.

Hmmm... I also wonder what Intergraph thinks about the use of the name
"Clipper" for this device. :)

--
Ian Farquhar                      Phone : + 61 2 805-9400
Office of Computing Services      Fax   : + 61 2 805-7433
Macquarie University  NSW  2109   Also  : + 61 2 805-7420
Australia                         EMail : ifarqhar@laurel.ocs.mq.edu.au.
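
Added example, mine and not part of Ian's post or of any DES or Clipper
source: the DES initial permutation IP done in Python two ways, once bit
by bit (the wiring diagram taken literally) and once with eight precomputed
256-entry tables, which is the usual software trick for exactly the cost
Ian describes.  The IP table is the published DES one; the inverse is
derived from it in code rather than typed in; the test vector
0x0123456789ABCDEF -> 0xCC00CCFFF0AAF0AA is the standard DES worked example.
The operation counts in the comments describe this code, not any particular
CPU or chip.

```python
"""DES initial permutation in software: bit-at-a-time vs. table-driven.

Added example, not part of the original post or of any DES implementation.
"""
import random

# Published DES initial permutation.  Entry k (0-based) says which input bit
# (1-based, bit 1 = MSB) becomes output bit k+1.
IP = [
    58, 50, 42, 34, 26, 18, 10, 2,
    60, 52, 44, 36, 28, 20, 12, 4,
    62, 54, 46, 38, 30, 22, 14, 6,
    64, 56, 48, 40, 32, 24, 16, 8,
    57, 49, 41, 33, 25, 17, 9, 1,
    59, 51, 43, 35, 27, 19, 11, 3,
    61, 53, 45, 37, 29, 21, 13, 5,
    63, 55, 47, 39, 31, 23, 15, 7,
]


def invert(table):
    """Inverse permutation in the same 1-based convention."""
    inv = [0] * len(table)
    for out_index, in_pos in enumerate(table):
        inv[in_pos - 1] = out_index + 1
    return inv


IP_INV = invert(IP)  # this is the DES final permutation


def permute_bitwise(block: int, table) -> int:
    """The wiring diagram done literally: one shift/mask/or step per output bit.

    For a 64-bit block that is 64 iterations, each moving a single bit;
    in hardware the same thing costs no gates at all, just crossed wires.
    """
    out = 0
    for in_pos in table:
        out = (out << 1) | ((block >> (64 - in_pos)) & 1)
    return out


def build_byte_tables(table):
    """For each of the 8 input bytes, precompute the 64-bit output contribution
    of every one of its 256 values (8 * 256 entries, built once at start-up)."""
    tables = [[0] * 256 for _ in range(8)]
    for out_index, in_pos in enumerate(table):
        byte_index, bit_in_byte = divmod(in_pos - 1, 8)  # bit_in_byte 0 = MSB of byte
        out_mask = 1 << (63 - out_index)
        for value in range(256):
            if (value >> (7 - bit_in_byte)) & 1:
                tables[byte_index][value] |= out_mask
    return tables


IP_TABLES = build_byte_tables(IP)


def permute_tables(block: int, tables) -> int:
    """Eight table lookups OR'ed together instead of sixty-four bit steps."""
    out = 0
    for byte_index in range(8):
        byte = (block >> (56 - 8 * byte_index)) & 0xFF
        out |= tables[byte_index][byte]
    return out


def check_agreement(trials: int = 1000, seed: int = 1) -> bool:
    """Both implementations agree, and IP_INV undoes IP, on random blocks."""
    rng = random.Random(seed)
    for _ in range(trials):
        x = rng.getrandbits(64)
        y = permute_bitwise(x, IP)
        if y != permute_tables(x, IP_TABLES):
            return False
        if permute_bitwise(y, IP_INV) != x:
            return False
    return True


if __name__ == "__main__":
    m = 0x0123456789ABCDEF
    print(f"IP({m:016X}) = {permute_tables(m, IP_TABLES):016X}")  # CC00CCFFF0AAF0AA
    print("implementations agree:", check_agreement())
```

The table-driven form is what every serious software DES does for IP, the
final permutation and the P-box; it trades memory for the 8x fewer steps.
A cipher built from bit permutations that do not decompose cleanly by byte
would deny software that trade and keep the hardware advantage, which is
the kind of design choice Ian speculates about.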

Newsgroup: sci.crypt
Document_id: 15655
From: ifarqhar@laurel.ocs.mq.edu.au (Ian Farquhar)
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks only

In article <19930419.155204.305@almaden.ibm.com> ameline@vnet.IBM.COM (Ian Ameline) writes:
>  I also believe that someone will reverse engineer the clipper chip,
>and knowlege of the algorithm will likely be fairly widespread. Any back-
>doors or weaknesses would further discredit the scheme, and help grow
>the market demand for a secure alternative.

I must admit that this point has been running through my mind for most of
the discussion: once the dice are out there, it won't be long before someone
decaps it and, after a bit of work, has full details of the Clipper
algorithm.  This isn't trivial to do, but then again, it is not impossibly
difficult either.  Any half way decent VLSI design student should be able
to take a photograph of a technology s/he is familiar with, and given a
description of the input, output, control and supply lines, figure out 
the function of various subsystems on the die.  Indeed, this is not an
uncommon exercise performed during training (because it makes you think
about design decisions made by other designers).

I could speculate that these chips are going to be manufactured using
"tamperproof" carriers (unlikely - such techniques are *very* expensive
and this thing is supposed to be relatively cheap to produce), or that
there will be some legal or legislative framework to prevent publication
of the algorithm (unlikely - please correct me if I am wrong but aren't these
supposed to be sold internationally?).  I suppose that the most likely
reason the algorithm is remaining secret for the moment is that some idiot
bureaucrat, untrammeled by the realities of the situation, decided that
"well, we should keep it a secret because it is supposed to be secret,
isn't it?"

Just some random thoughts...

--
Ian Farquhar                      Phone : + 61 2 805-9400
Office of Computing Services      Fax   : + 61 2 805-7433
Macquarie University  NSW  2109   Also  : + 61 2 805-7420
Australia                         EMail : ifarqhar@laurel.ocs.mq.edu.au.

Newsgroup: sci.crypt
Document_id: 15656
From: Lyle_Seaman@transarc.com
Subject: Re: Once tapped, your code is no good any more.

jhan@debra.dgbt.doc.ca (Jerry Han) writes:
> The point of the matter is that; yes this is a serious problem.  But it is
> not the end of the world.  Guess what?  We're doing something now you
> can't do in a Communist country or Nazi Germany. 

Or John Edgar Hoover's USA.

> We're complaining about
> it, (or rather, you're complaining about it) and nobody is shooting at us.  

yet.

> GUESS WHAT PEOPLE?  You live in one of the few countries in the world
> where a person can complain without getting shot at.  

yet.

> People are always complaining that somebody did this wrong, or somebody
> did that wrong, or whatever.  Sit down and figure out two things:
> 
> 1)  What have they done right?
> 2)  How much worse can it get?
> 
> And you'll find that you and I, are pretty damn lucky.

so far.

> So let's talk about it, get some action going, decide what's going on. 
> But let's not overreact!  

What harm is there in overreacting?
This may be the largest single threat to civil liberties yet in my
lifetime.  The US has done some pretty heinous things in the past, 
and we haven't yet recovered from all of them.  There certainly seems
to be a historical trend towards less liberty, with occasional
perturbations. 

Time to break out the quotes from American political radicals.

Lyle		Transarc		707 Grant Street
412 338 4474	The Gulf Tower		Pittsburgh 15219

 There are more instances of the abridgement of the freedom of the
 people by the gradual and silent encroachment of those in power,
 than by violent and sudden usurpation.          -- James Madison



Newsgroup: sci.crypt
Document_id: 15657
From: amolitor@nmsu.edu (Andrew Molitor)
Subject: Re: The [secret] source of that announcement

In article <gradyC5uAMw.BnG@netcom.com> grady@netcom.com (1016/2EF221) writes:
>I guess the cryptowranglers read this group too.  But of
>course I knew that because it is so easy to do.  There is
>not a single doubt in my mind that every byte that passes
>every significant gateway or 'bone is captured for the
>colligation of data about __________?  (Maybe your name is here).

	I really like these claims. Where did they come from? We hear,
practically daily, that the NSA monitors, oh, everything. They can
crack anything. They'd never release a cryptosystem they couldn't crack.

	Where do people get these fascinating facts? 'The Puzzle Palace'?
If you can get it for a buck, 2nd hand, it must be true, eh? I'm pretty
sure the NSA is supposed to, among many other things, provide high-quality
cryptosystems to a variety of places. I don't recall reading anywhere
reliable that they're supposed to:

	1) Monitor my phonecalls.
	2) Monitor usenet.
	3) Provide only cryptosystems they can easily crack.
	4) etc etc.

	This is not to say that they *don't*, they might. But you don't
know that they do, and you have no evidence that they do, for almost
all values of you. It follows, therefore, that for most values of 'you',
your claims about the NSA border on paranoia.

	Andrew


Newsgroup: sci.crypt
Document_id: 15658
From: rbrand@usasoc.soc.mil (Raymond S. Brand)
Subject: "Clipper Chip" facts: a request

Having read the various "Clipper" announcements on the net over the last few 
days and a LOT of uninformed speculation about the chip, its uses,
government plots, etc, I have the following questions.

  1) What does the "Clipper chip" actually implement? Just the Skipjack
	cryptographic algorithm? Or does it also implement a "chip to chip"
	communications protocol? If it does implement a communications
	protocol, can it be used as just a "crypt chip" also?

  2) Where can the chip specifications and spec sheets be obtained?

  3) Who may purchase them and under what conditions?

  4) Are there restrictions as to how the chip may be used in a system?

  5) The security of the algorithm and the encrypted communications does
	not appear to require that the "Family key" be a secret. Why is
	it a secret? What happens when the "family key" becomes well known?
	If it's a secret to make traffic analysis more difficult, does
	the "Law enforcement message" contain any random information?
	How much and how random is it?

  6) Can the chip be programmed to reveal the "Unit key"? The chip "serial
	number"? Any of the programming parameters?

-----------------------------------------------------------------------------
Raymond S. Brand					rbrand@usasoc.soc.mil
-----------------------------------------------------------------------------
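
Added example, mine and not from Mel's or Raymond's posts nor from any
Clipper document: a Python model of an escrowed-key phone.  It assumes a
structure the posts only describe in outline (one unit key per chip, split
into two XOR shares held by two escrow agents; a fresh session key per call,
wrapped under the unit key and carried with the chip's serial number in a
law-enforcement field that is itself encrypted under a family key common to
every chip).  The cipher is a toy SHA-256 keystream standing in for the
undisclosed algorithm; the field layout, key sizes and names are assumptions.
The point is the one Mel raises in 15653: recordings can be collected with no
warrant at all, and once the two shares are released the rebuilt unit key
opens every recorded call, past and future, even though each call used its
own session key.  The serial_from_record function shows what the family key
alone yields, which bears on Raymond's question 5.

```python
"""Toy model of escrowed-key telephony: what a released unit key opens.

Added example, not from the posts above or from any Clipper specification;
the field layout and the cipher are assumptions of this model.
"""
import hashlib
import secrets

SERIAL_LEN = 8


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with SHA-256(key || nonce || counter) blocks.
    Stands in for the undisclosed Skipjack cipher; not a cipher to deploy."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def split_key(key: bytes) -> tuple:
    """Two XOR shares, one per escrow agent; either share alone is uniform noise."""
    share1 = secrets.token_bytes(len(key))
    share2 = bytes(a ^ b for a, b in zip(key, share1))
    return share1, share2


def join_shares(share1: bytes, share2: bytes) -> bytes:
    """Both agents' shares together rebuild the unit key."""
    return bytes(a ^ b for a, b in zip(share1, share2))


class EscrowedPhone:
    """One chip: a fixed serial and unit key, a fresh session key per call."""

    def __init__(self, serial: bytes, family_key: bytes):
        assert len(serial) == SERIAL_LEN
        self.serial = serial
        self.family_key = family_key               # same in every chip (assumed)
        self.unit_key = secrets.token_bytes(32)    # set at manufacture, then escrowed

    def make_call(self, plaintext: bytes) -> dict:
        session_key = secrets.token_bytes(32)
        nonce = secrets.token_bytes(8)
        # Law-enforcement field: serial || E_unit(session key), all under the family key.
        inner = self.serial + keystream_xor(self.unit_key, nonce + b"wrap", session_key)
        le_field = keystream_xor(self.family_key, nonce + b"leaf", inner)
        return {
            "nonce": nonce,
            "le_field": le_field,
            "ciphertext": keystream_xor(session_key, nonce, plaintext),
        }


def serial_from_record(record: dict, family_key: bytes) -> bytes:
    """What the family key alone yields: which unit placed the call, no content."""
    inner = keystream_xor(family_key, record["nonce"] + b"leaf", record["le_field"])
    return inner[:SERIAL_LEN]


def decrypt_record(record: dict, family_key: bytes, unit_key: bytes) -> bytes:
    """With the rebuilt unit key, unwrap this call's session key and read it."""
    inner = keystream_xor(family_key, record["nonce"] + b"leaf", record["le_field"])
    session_key = keystream_xor(unit_key, record["nonce"] + b"wrap", inner[SERIAL_LEN:])
    return keystream_xor(session_key, record["nonce"], record["ciphertext"])


def scenario() -> dict:
    """Record first, obtain the warrant later, read everything."""
    family_key = secrets.token_bytes(32)
    phone = EscrowedPhone(b"SN000001", family_key)
    share1, share2 = split_key(phone.unit_key)     # escrowed before the phone is sold
    calls = [b"call one", b"call two", b"call three"]   # constructed sample traffic
    archive = [phone.make_call(m) for m in calls]  # collected with no warrant
    # Before any warrant: the family key identifies the unit but opens no content.
    seen_serials = {serial_from_record(r, family_key) for r in archive}
    # Warrant served once; both shares released; unit key rebuilt once.
    unit_key = join_shares(share1, share2)
    recovered = [decrypt_record(r, family_key, unit_key) for r in archive]
    # A guessed unit key recovers nothing: the shares are all that guards the archive.
    wrong = [decrypt_record(r, family_key, secrets.token_bytes(32)) for r in archive]
    return {
        "serials": seen_serials,
        "recovered": recovered,
        "all_past_calls_readable": recovered == calls,
        "wrong_key_reads_any": any(w == c for w, c in zip(wrong, calls)),
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(name, value)
```

In this model the session keys buy nothing against a later warrant, because
every one of them is recoverable from the unit key that was escrowed on day
one; only a scheme in which the escrowed material cannot unwrap old session
keys (or in which the shares are released per call rather than per unit)
would limit disclosure to traffic collected after the warrant.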

Newsgroup: sci.crypt
Document_id: 15659
From: holland@CS.ColoState.EDU (douglas craig holland)
Subject: Re: Once tapped, your code is no good any more.

In article <bontchev.735404289@fbihh> bontchev@fbihh.informatik.uni-hamburg.de writes:
>andersom@spot.Colorado.EDU (Marc Anderson) writes:
>
>> methods.  ``This year's crime bill will have teeth, not bare gums,''
>> Clinton said.  In particular, his administration will place strict
>> controls on data formats and protocols, and require the registration
>> of so-called ``cryptographic keys,'' in the hope of denying drug
>> dealers the ability to communicate in secret.  Clinton said the
>> approach could be used for crackdowns on other forms of underground
>> economic activity, such as ``the deficit-causing tax evaders who
>> live in luxury at the expense of our grandchildren.''
>
>And some people thought that I am exaggerating when claiming that the
>Cripple Chip is just a first step in a totalitarian plot against the
>civil liberties in the USA... It seems that I've even been an optimist
>- the things are happening even faster than I expected.... That's
>another of the dirty tricks they used to apply on us under the
>communist regime - do something secret, THEN tell the people about it
>(after the fact, when nothing can be done any more), and of course,
>explaining them how much better the situation is now...
>
>In my previous messages I wrote that the Americans should wake up and
>fight against the new proposal. Now it seems to me that it is already
>too late - it has already happened, the civil liberties have been
>violated, no, stolen from the American people, while the most part of
>this people has been sleeping happily... :-((( Too sad...
>

	I'm definitely going to write my Congressman, and nobody's ever
going to make me respect a law that violates my freedom of speech, and
if the feds try to enforce this law on me, I will protect my freedoms, with
force if it ever comes to that. (Hopefully, it won't)

Doug Holland

-- 
----------------------------------------------------------------------------
|  Doug Holland                | Anyone who tries to take away my freedom  |
|  holland@cs.colostate.edu    | of speech will have to pry it from my     |
|  PGP key available by E-mail | cold, dead lips!!                         |

Newsgroup: sci.crypt
Document_id: 15660
From: ebrandt@jarthur.claremont.edu (Eli Brandt)
Subject: Re: Do we need the clipper for cheap security?

In article <1r466c$an3@news.intercon.com> amanda@intercon.com (Amanda Walker) writes:
>Agreed.  Remember, I don't even think of Clipper as encryption in any real 
>sense--if I did, I'd probably be a lot more annoyed about it.

I agree with this assessment.  Furthermore, its promotion as
providing greater protection than bare voice is quite true, as far
as it goes.  However, the only way for it to fulfill its stated goal
of letting LE wiretap "terrorists and drug dealers" is to restrict
stronger techniques.  

Wiretap targets presently use strong encryption, weak encryption, or
(the vast majority) no encryption.  The latter two classes can be
tapped.  With weak encryption in every phone, the no-encryption
class is merged into the weak-encryption class.  Will the
introduction of Clipper cause targets presently enjoying strong
privacy to give up on it; that is, to rely for privacy on a system
expressly designed to deny it to people like them?  I doubt it.  The
mere introduction of this scheme will give the government *nothing*.

The stated goal of preventing the degradation of wiretapping
capabilities can be fulfilled by restriction of domestic
cryptography, and only by this restriction.  "Clipper" appears to be
no more than a sop, given to the public to mute any complaints.  We
would find this a grossly inadequate tradeoff, but I fear the public
at large will not care.  I hate to even mention gun control, but
most people seem to think that an `assault weapon' (as the NYT uses
the word) is some sort of automatic weapon, .50 caliber maybe.  Who
wants to have such a thing legal?  Well, people know even less about
cryptology; I suspect that strong cryptography could easily be
labeled "too much secrecy for law-abiding citizens to need".

>That's not for Clinton (or anyone under him) to say, though.  Only the 
>federal and supreme courts can say anything about the constitutionality.
>Anything the administration or any governmental agency says is opinion at 
>best.

What they say is opinion, but what they do is what matters, and will
continue unless overturned.  And the courts are reluctant to annul
law or regulation, going to some length to decide cases on other
grounds.  Furthermore, Congress can get away with quite a bit.  They
could levy a burdensome tax; this would place enforcement in the
hands of the BATF, who as we've seen you really don't want on your
case.  They could invoke the Commerce Clause; this seems most
likely.  This clause will get you anywhere these days.  The 18th was
required because the Supreme Court ruled a prohibitory statute
unconstitutional.  In 1970 Congress prohibited many drugs, with a
textual nod to the Commerce Clause.  The Controlled Substances
Act of 1970 still stands.  I think the government could get away
with it.

>Amanda Walker

	 PGP 2 key by finger or e-mail
   Eli   ebrandt@jarthur.claremont.edu



Newsgroup: sci.crypt
Document_id: 15661
From: amanda@intercon.com (Amanda Walker)
Subject: Re: Would "clipper" make a good cover for other encryption method?

amanda@intercon.com (Amanda Walker) writes:
> I don't get up in arms when 
> the government fails to protect the interests of the people, because in 
> my lifetime it never has--therefore, I have no expectation that it will. 

Just to make sure everyone is clear on this: "it never has" refers to 
"protects", not "fails to protect"; i.e., in my lifetime I have never seen 
the U.S. government consistently protect the interest of U.S. citizens, 
except by accident.


Amanda Walker
InterCon Systems Corporation



Newsgroup: sci.crypt
Document_id: 15662
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: Re: Once tapped, your code is no good any more.

res@colnet.cmhnet.org (Rob Stampfli) writes:
>
>Wouldn't a a second monitor of similar type scrolling gibberish and adjacent
>to the one being used provide reasonable resistance to tempest attacks?

It would be in a different location, so a directional antenna could
probably lock in on just the one monitor. Failing that, a phased array
could likely separate the signals. Admittedly, this is expensive, but
so is all the rest of this stuff anyway.

--
Perry Metzger		pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
Document_id: 15663
From: arussell@austin.ibm.com (AG Russell)
Subject: Re: Off the shelf cheap DES keyseach machine (Was: Re: Corporate acceptance of the wiretap chip)


In article <1993Apr21.001230.26384@lokkur.dexter.mi.us>, scs@lokkur.dexter.mi.us (Steve Simmons) writes:
> smb@research.att.com (Steven Bellovin) writes:
> 
> >Thousands?  Tens of thousands?  Do some arithmetic, please...  Skipjack
> >has 2^80 possible keys.  Let's assume a brute-force engine like that
> >hypothesized for DES:  1 microsecond per trial, 1 million chips.  That's
> >10^12 trials per second, or about 38,000 years for 2^80 trials.  Well,
> >maybe they can get chips running at one trial per nanosecond, and build
> >a machine with 10 million chips.  Sure -- only 3.8 years for each solution.
> 
> Normally I'd be the last to argue with Steve . . . but shouldn't that
> read "3.8 years for *all* solutions".  I mean, if we can imagine the
> machine that does 1 trial/nanosecond, we can imagine the storage medium
> that could index and archive it.

At the company I worked for previously, I received a file that was DES encrypted
and the person that had sent it went on vacation.  Rather than wait two weeks
I set up a straight frontal attack with one key at a time.  It only took two (2)
days to crack the file.  No, I don't have any faith in DES.

A.G.



-- 
A.G. Russell   Dept A06S  OLTP section of PALS Group   VM ID  SC39093 at AUSVM1
Email  arussell@austin.ibm.com       Phone 512-838-7953        TieLine 678-7953
These are my views, on anyone else they would look silly. FREE THE BERKELEY 4.4

Newsgroup: sci.crypt
Document_id: 15664
From: pat@rwing.UUCP (Pat Myrto)
Subject: Re: White House Public Encryption Management Fact Sheet

In article <19APR199313020883@charon.gsfc.nasa.gov> paul@charon.gsfc.nasa.gov (Paul Olson) writes:
>In article <1qnav4$r3l@transfer.stratus.com>, cme@ellisun.sw.stratus.com (Carl Ellison) writes...
>>In article <C5LGAz.250@dove.nist.gov> clipper@csrc.ncsl.nist.gov (Clipper Chip Announcement) writes:
>> 
>>>Further, the Attorney General
>>
> [ ... good post describing what is in store for us deleted ... ]
>
>It's also interesting to note that two months ago Rush Limbaugh said that
>Clinton would have the "plumbers" out in force shortly.  Clinton and his
>henchmen firmly believe in strong ubiquitous government control.  Anytime a
>leader believes in that, the leader will use every means possible to retain
>that control and take more.
>
>WE have to take OUR government back.  Otherwise we will end up living in the
>equivalent of a high-tech third world dictatorship.  We have to take
>responsibility for ourselves, our personal welfare, and our actions.

I totally agree.  But how do you propose we take government back?  They
obviously don't listen to the people or want the people to know who is
responsible for what (a person telnetted the site of the Clipper chip
release, to see what the entity 'clipper' was, and got a few lists.
But when another person tried a bit later, the commands were disabled)
Does not sound like an Administration that wants to have any accountability
or information they don't control given to the people.  The secret
development and implementation of the Clipper Chip decision further
backs that up.  You can bet unauthorized encryption methods and software
will be considered 'terrorist tools' and also subject to civil forfeiture,
along with the systems that are running it.  YOU WATCH, SEE IF I AM WRONG.

The government is not going to be very cooperative about the people taking
it back.  And they have all the resources, unlimited access to the media
for propaganda, and almost all the guns (soon to be ALL the guns if
Clinton's agenda succeeds)...   Those that do not play ball?  Waco
might be a good example of what to expect...  The warrant (just released)
stated the reason for the raid was the BDs spent a very large sum
for weapons, over an undetermined amount of time.  I don't recall
spending a lot of money on guns, etc being illegal ... yet, that is.

Clinton might go down in history as the worst thing to ever happen to
the US of A. ... Now to be known as the 'Peoples Socialist Democratic
Republic of America'  (PSDRA).

Big Brother is LISTENING!!!

Hail Big Brother... (and Sister...?)  only ten years late!!!

-- 
pat@rwing.uucp      [Without prejudice UCC 1-207]     (Pat Myrto) Seattle, WA
         If all else fails, try:       ...!uunet!pilchuck!rwing!pat
WISDOM: "Only two things are infinite; the universe and human stupidity,
         and I am not sure about the former."              - Albert Einstein

Newsgroup: sci.crypt
Document_id: 15665
From: cmsph02@nt.com  (Steven Holton)
Subject: Re: Do we need the clipper for cheap security?

In article <1r1f62$rh5@news.intercon.com>, amanda@intercon.com (Amanda
Walker) wrote:
> One thing that Clipper offers is interoperability, at a higher degree of 
> security than we currently have in non-proprietary voice encryption systems.
> This means it will be cheaper than anyone's proprietary scheme, and easier to 
                        ^^^^^^^
Probably cheaper than you think.  I'll bet some of my (and yours)
tax dollars become a subsidy for these chips.  If these chips don't
sell well, what's to stop the US government from 'giving' them
away (in the interest of National Security)?

> deploy.  This is, of course, either a bug or a feature depending on how you 
> look at it :).
> 
> Amanda Walker
> InterCon Systems Corporation

-- 
Steven P. Holton
Network Administrator - RTP FAST
Northern Telecom, Inc.
Replies To:  cmsph02@nt.com
on bounce: [ sholton@aol.com | 70521.2430@compuserve.com ]
 
"Opinions expressed here are my own."

Newsgroup: sci.crypt
Document_id: 15666
From: pdc@dcs.ed.ac.uk (Paul Crowley)
Subject: Re: Would "clipper" make a good cover for other encryption method?

Quoting strnlght@netcom.com (David Sternlight) in article <strnlghtC5t3nH.Is1@netcom.com>:
>In article <1993Apr20.032623.3046@eff.org> kadie@eff.org (Carl M. Kadie) writes:
>
>
>>So, don't just think of replacements for clipper, also think of front
>>ends.
>
>This only makes sense if the government prohibits alternative non-escrowed
>encryption schemes. Otherwise, why not just use the front end without
>clipper?

Because that will make private encryption stick out like a sore thumb
and the government will start to take a sharp interest in everything you
do.
  __                                  _____
\/ o\ Paul Crowley   pdc@dcs.ed.ac.uk \\ //
/\__/ Trust me. I know what I'm doing. \X/  Fold a fish for Jesus!

Newsgroup: sci.crypt
Document_id: 15667
From: pat@rwing.UUCP (Pat Myrto)
Subject: Re: Once tapped, your code is no good any more.

In article <1993Apr20.161838.13213@coop.com> felixg@coop.com (Felix Gallo) writes:
<pat@rwing.UUCP (Pat Myrto) writes:
<
<>If the Clinton Clipper is so very good, [...]
<
<Please note that Bill Clinton probably has little if anything to do
<with the design, implementation or reasoning behind this chip or behind
<any "moves" being made using this chip as a pawn.

Uh, I notice he has not either asked for or allowed public input, and he damn
sure has not stopped it...

<Remember, when you elect a president of the united states, it's not
<the case that all the Republicans, etc. in the NSA and FBI and CIA
<immediately pack their bags and get replaced by a team of fresh young
<Democrats.  Most of the government -- say, 96% -- is appointed or
<hired rather than elected.  Since this Clipper device has been in
<production for over six months, it probably has little or no 
<foundation in the currently elected Democratic Executive body.

Again, if it was something Clinton didn't like, how come he did not
stop it, or get PUBLIC input before implementing the DECISION?  He
sure has asserted his authority on other things he did not agree with
from the Bush administration, I notice.   He is the president, therefore
he is RESPONSIBLE for the actions of the Executive Branch.  I have
not the slightest bit of doubt you would be holding Bush or Reagan
to that standard had they been in office when this thing was cast into
stone...

<>BTW - those who suggest that this is just an attack on Clinton, believe
<>this:  I would be going ballistic regardless WHO seriously proposed
<>this thing.  It is just another step in a gradual erosion of our rights
<>under the Constitution or Bill of Rights.  The last couple of decades
<>have been a non-stop series of end-runs around the protections of the
<>Constitution.  It has to stop.  Now is as good a time as any, if it
<>isn't too late already.
<
<Could be.  However, the sky hasn't fallen yet, Chicken Little.

Thanks for the name-calling.  That really makes your position highly
credible.  Lenin had a term for folks with your outlook.  Do you REALLY
have THAT MUCH faith in the trustworthiness and honesty of the government
that is primarily concerned with people control?   I suspect you will
be in for an unpleasant surprise.  I would just as soon see this nipped
in the bud while/if it still can be done, instead of waiting for yet
more abridgements of our Bill of Rights, thank you...

-- 
pat@rwing.uucp      [Without prejudice UCC 1-207]     (Pat Myrto) Seattle, WA
         If all else fails, try:       ...!uunet!pilchuck!rwing!pat
WISDOM: "Only two things are infinite; the universe and human stupidity,
         and I am not sure about the former."              - Albert Einstein

Newsgroup: sci.crypt
Document_id: 15668
From: pat@rwing.UUCP (Pat Myrto)
Subject: Re: Once tapped, your code is no good any more.

In article <1993Apr19.193528.5655@cs.ucla.edu> geoff@ficus.cs.ucla.edu (Geoffrey Kuenning) writes:
>In article <2073@rwing.UUCP> pat@rwing.UUCP (Pat Myrto) writes:
>
>> fishing expeditions without the target's knowlege.  Don't give up the
>> right to be safe from that - that should be non-negotiable, and Clinton
>> and Co. know it (which is probably why they quietly developed this thing,
>> figuring if they get it this far, they can ram it on through).
>
>It always amazes me how quick people are to blame whatever
>administration is current for things they couldn't possibly have
>initiated.  This chip had to take *years* to develop, yet already
>we're claiming that the Clinton administration sneaked it in on us.
>Bullshit.  The *Bush* administration and the career Gestapo were
>responsible for this horror, and the careerists presented it to the
>new presidency as a fait accompli.  That doesn't excuse Clinton and
>Gore from criticism for being so stupid as to go for it, but let's lay
>the body at the proper door to start with.

You are so correct - Clinton did not initiate it.  He just cast it in
GRANITE by implementing, NOT stopping the DECISION.  I also stated in another
post I don't give a damn what administration does it, I still find it
totally unacceptable, and whoever impliments it or rams it down our throats
ought to be run out of office.

Also, Bush was not trying to deprive us of our Second Amendment rights.
Clinton is BUSTING HIS BUTT in that regard.  That reveals a total difference
in philosophy.  Clinton appears to support the idea of TOTAL people
control.  Eavesdropping whenever they feel like it, no real security
for the common person, and no ability to defend oneself against illegal
attack, from whatever source.  "Trust us, we will protect (and control)
you... if we don't find it inconvenient..."

Clinton has also shown his utter contempt for public disclosure and
accountability, as well.  He had plenty of time to change the policy.

HE DIDN'T.  HE EXPANDED ON IT.

I bet had Bush been in office, you would be in there howling louder
than I.

-- 
pat@rwing.uucp      [Without prejudice UCC 1-207]     (Pat Myrto) Seattle, WA
         If all else fails, try:       ...!uunet!pilchuck!rwing!pat
WISDOM: "Only two things are infinite; the universe and human stupidity,
         and I am not sure about the former."              - Albert Einstein

Newsgroup: sci.crypt
Document_id: 15669
From: pdc@dcs.ed.ac.uk (Paul Crowley)
Subject: Re: Organized Lobbying for Cryptography

Quoting jgfoot@minerva.cis.yale.edu in article <1r3jgbINN35i@eli.CS.YALE.EDU>:
>Perhaps these encryption-only types would defend the digitized porn if it
>was posted encrypted?

>These issues are not as separable as you maintain.

In fact, since effective encryption makes censorship impossible, they
are almost the same issue and they certainly fall into the brief of the
EFF.
  __                                  _____
\/ o\ Paul Crowley   pdc@dcs.ed.ac.uk \\ //
/\__/ Trust me. I know what I'm doing. \X/  Fold a fish for Jesus!

Newsgroup: sci.crypt
Document_id: 15670
From: denning@guvax.acc.georgetown.edu
Subject: REVISED TECHNICAL SUMMARY OF CLIPPER CHIP

Here is a revised version of my summary which corrects some errors
and provides some additional information and explanation.


                     THE CLIPPER CHIP: A TECHNICAL SUMMARY

                               Dorothy Denning

                           Revised, April 21, 1993


INTRODUCTION

On April 16, the President announced a new initiative that will bring
together the Federal Government and industry in a voluntary program
to provide secure communications while meeting the legitimate needs of
law enforcement.  At the heart of the plan is a new tamper-proof encryption
chip called the "Clipper Chip" together with a split-key approach to
escrowing keys.  Two escrow agencies are used, and the key parts from
both are needed to reconstruct a key.


CHIP CONTENTS

The Clipper Chip contains a classified single-key 64-bit block
encryption algorithm called "Skipjack."  The algorithm uses 80 bit keys
(compared with 56 for the DES) and has 32 rounds of scrambling
(compared with 16 for the DES).  It supports all 4 DES modes of
operation.  The algorithm takes 32 clock ticks, and in Electronic
Codebook (ECB) mode runs at 12 Mbits per second.

Each chip includes the following components:

   the Skipjack encryption algorithm
   F, an 80-bit family key that is common to all chips
   N, a 30-bit serial number (this length is subject to change)
   U, an 80-bit secret key that unlocks all messages encrypted with the chip

The chips are programmed by Mykotronx, Inc., which calls them the
"MYK-78."  The silicon is supplied by VLSI Technology Inc.  They are
implemented in 1 micron technology and will initially sell for about
$30 each in quantities of 10,000 or more.  The price should drop as the
technology is shrunk to .8 micron.


ENCRYPTING WITH THE CHIP

To see how the chip is used, imagine that it is embedded in the AT&T
telephone security device (as it will be).  Suppose I call someone and
we both have such a device.  After pushing a button to start a secure
conversation, my security device will negotiate an 80-bit session key K
with the device at the other end.  This key negotiation takes place
without the Clipper Chip.  In general, any method of key exchange can
be used such as the Diffie-Hellman public-key distribution method.

Once the session key K is established, the Clipper Chip is used to
encrypt the conversation or message stream M (digitized voice).  The
telephone security device feeds K and M into the chip to produce two
values:

   E[M; K], the encrypted message stream, and
   E[E[K; U] + N; F], a law enforcement field,

which are transmitted over the telephone line.  The law enforcement
field thus contains the session key K encrypted under the unit key U
concatenated with the serial number N, all encrypted under the family
key F.  The law enforcement field is decrypted by law enforcement after
an authorized wiretap has been installed.

The ciphertext E[M; K] is decrypted by the receiver's device using the
session key:

   D[E[M; K]; K] = M .


CHIP PROGRAMMING AND ESCROW

All Clipper Chips are programmed inside a SCIF (Secure Compartmented
Information Facility), which is essentially a vault.  The SCIF contains
a laptop computer and equipment to program the chips.  About 300 chips
are programmed during a single session.  The SCIF is located at
Mykotronx.

At the beginning of a session, a trusted agent from each of the two key
escrow agencies enters the vault.  Agent 1 enters a secret, random
80-bit value S1 into the laptop and agent 2 enters a secret, random
80-bit value S2. These random values serve as seeds to generate unit
keys for a sequence of serial numbers.  Thus, the unit keys are a
function of 160 secret, random bits, where each agent knows only 80.
  
To generate the unit key for a serial number N, the 30-bit value N is
first padded with a fixed 34-bit block to produce a 64-bit block N1.
S1 and S2 are then used as keys to triple-encrypt N1, producing a
64-bit block R1:

        R1 = E[D[E[N1; S1]; S2]; S1] .

Similarly, N is padded with two other 34-bit blocks to produce N2 and
N3, and two additional 64-bit blocks R2 and R3 are computed:  

        R2 = E[D[E[N2; S1]; S2]; S1] 
        R3 = E[D[E[N3; S1]; S2]; S1] .

R1, R2, and R3 are then concatenated together, giving 192 bits. The
first 80 bits are assigned to U1 and the second 80 bits to U2.  The
rest are discarded.  The unit key U is the XOR of U1 and U2.  U1 and U2
are the key parts that are separately escrowed with the two escrow
agencies.

As a sequence of values for U1, U2, and U are generated, they are
written onto three separate floppy disks.  The first disk contains a
file for each serial number that contains the corresponding key part
U1.  The second disk is similar but contains the U2 values.  The third
disk contains the unit keys U.  Agent 1 takes the first disk and agent
2 takes the second disk.  Thus each agent walks away knowing
an 80-bit seed and the 80-bit key parts.  However, the agent does not
know the other 80 bits used to generate the keys or the other 80-bit
key parts.  

The third disk is used to program the chips.  After the chips are
programmed, all information is discarded from the vault and the agents
leave.  The laptop may be destroyed for additional assurance that no
information is left behind.
 
The protocol may be changed slightly so that four people are in the
room instead of two.  The first two would provide the seeds S1 and S2,
and the second two (the escrow agents) would take the disks back to
the escrow agencies. 

The escrow agencies have as yet to be determined, but they will not
be the NSA, CIA, FBI, or any other law enforcement agency.  One or
both may be independent from the government.


LAW ENFORCEMENT USE

When law enforcement has been authorized to tap an encrypted line, they
will first take the warrant to the service provider in order to get
access to the communications line.  Let us assume that the tap is in
place and that they have determined that the line is encrypted with the
Clipper Chip.  The law enforcement field is first decrypted with the
family key F, giving E[K; U] + N.  Documentation certifying that a tap
has been authorized for the party associated with serial number N is
then sent (e.g., via secure FAX) to each of the key escrow agents, who
return (e.g., also via secure FAX) U1 and U2.  U1 and U2 are XORed
together to produce the unit key U, and E[K; U] is decrypted to get the
session key K.  Finally the message stream is decrypted.  All this will
be accomplished through a special black box decoder.


CAPSTONE: THE NEXT GENERATION

A successor to the Clipper Chip, called "Capstone" by the government
and "MYK-80" by Mykotronx, has already been developed.  It will include
the Skipjack algorithm, the Digital Signature Standard (DSS), the
Secure Hash Algorithm (SHA), a method of key exchange, a fast
exponentiator, and a randomizer.  A prototype will be available for
testing on April 22, and the chips are expected to be ready for
delivery in June or July.


ACKNOWLEDGMENT AND DISTRIBUTION NOTICE.  This article is based on
information provided by NSA, NIST, FBI, and Mykotronx.  Permission to
distribute this document is granted.
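The escrow arithmetic in the summary is easier to follow when run end to end: seeds S1 and S2 go in, U1 and U2 come out, U is burned into the chip, the chip emits E[E[K; U] + N; F] beside the ciphertext, and an authorized tap unwinds it with F plus both escrow parts. The following is an added example written for this posting, not code from the summary, from Mykotronx or from NSA. Skipjack was classified at the time, so a stand-in 64-bit Feistel cipher built from HMAC-SHA256 plays the role of E[...; key] and D[...; key]; the 34-bit pad constants, the zero padding of K to two blocks, the 4-byte packing of N and the use of ECB for multi-block values are all assumptions of this example, not details of the chip.

```python
"""Model of the Clipper unit-key escrow and law enforcement field as laid out
in the summary above. Added example, not code from the summary, from
Mykotronx or from NSA. Skipjack was classified, so a stand-in 64-bit Feistel
cipher built from HMAC-SHA256 stands in for E[...; key] and D[...; key]."""
import hashlib
import hmac
import os

BLOCK = 8                       # 64-bit block, as in the summary
KEY_BYTES = 10                  # 80-bit keys (F, U, K, S1, S2)

# Assumed fixed 34-bit pad blocks that stretch the 30-bit serial number into
# N1, N2, N3 (the summary says they are fixed but does not give their values).
PADS = (0x1_0000_0001, 0x2_0000_0002, 0x3_0000_0003)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, i, half):
    # Keyed round function: HMAC over (round index, right half), 32-bit output.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:4]


def _feistel(block, key, rounds):
    assert len(block) == BLOCK and len(key) == KEY_BYTES
    L, R = block[:4], block[4:]
    for i in rounds:
        L, R = R, _xor(L, _round(key, i, R))
    return R + L                # undo the final swap so D is E with reversed rounds


def E(block, key):
    """Encrypt one 64-bit block: stand-in for Skipjack's E[block; key]."""
    return _feistel(block, key, range(16))


def D(block, key):
    """Decrypt one 64-bit block: stand-in for D[block; key]."""
    return _feistel(block, key, reversed(range(16)))


def ecb(fn, data, key):
    """Apply E or D block by block (ECB, assumed here for multi-block values)."""
    assert len(data) % BLOCK == 0
    return b"".join(fn(data[i:i + BLOCK], key) for i in range(0, len(data), BLOCK))


# --- Chip programming inside the SCIF ---------------------------------------

def unit_key_parts(N, S1, S2):
    """Derive the escrowed parts U1, U2 for serial number N from the two
    agents' seeds, following R_i = E[D[E[N_i; S1]; S2]; S1]."""
    assert 0 <= N < 2 ** 30
    R = b""
    for pad in PADS:
        Ni = ((N << 34) | pad).to_bytes(BLOCK, "big")   # 30-bit N + 34-bit pad
        R += E(D(E(Ni, S1), S2), S1)                    # triple encryption
    # 192 bits: first 80 -> U1, next 80 -> U2, remaining 32 discarded.
    return R[:KEY_BYTES], R[KEY_BYTES:2 * KEY_BYTES]


def unit_key(U1, U2):
    """U = U1 XOR U2; this is what gets burned into the chip."""
    return _xor(U1, U2)


# --- Chip operation on a call -----------------------------------------------

def law_enforcement_field(K, N, U, F):
    """E[E[K; U] + N; F]. K (80 bits) is zero-padded to two blocks, N is
    packed in 4 bytes, and 4 zero bytes round the field up to 24 bytes."""
    enc_K = ecb(E, K + b"\x00" * 6, U)
    inner = enc_K + N.to_bytes(4, "big") + b"\x00" * 4
    return ecb(E, inner, F)


# --- Authorized decryption --------------------------------------------------

def open_leaf(leaf, F):
    """First step of a tap: decrypt with the family key, giving E[K; U] and N."""
    inner = ecb(D, leaf, F)
    return inner[:16], int.from_bytes(inner[16:20], "big")


def recover_session_key(leaf, F, escrow_lookup):
    """Obtain N, fetch U1 and U2 from the two agencies, rebuild U, decrypt K."""
    enc_K, N = open_leaf(leaf, F)
    U1, U2 = escrow_lookup(N)
    return N, ecb(D, enc_K, unit_key(U1, U2))[:KEY_BYTES]


def escrow_roundtrip(N, S1, S2, K, F):
    """Whole life cycle for one chip; returns the pieces so they can be checked."""
    U1, U2 = unit_key_parts(N, S1, S2)
    U = unit_key(U1, U2)
    leaf = law_enforcement_field(K, N, U, F)
    escrow = {N: (U1, U2)}                 # the two agencies' disks, in one dict
    N_out, K_out = recover_session_key(leaf, F, escrow.__getitem__)
    return U1, U2, U, leaf, N_out, K_out


if __name__ == "__main__":
    S1, S2, F, K = (os.urandom(KEY_BYTES) for _ in range(4))   # constructed values
    U1, U2, U, leaf, N_out, K_out = escrow_roundtrip(0x3FFF_FFFF, S1, S2, K, F)
    print("serial", N_out, "session key recovered:", K_out == K)
    # One escrow part alone is useless: decrypting E[K; U] under U1 gives junk.
    enc_K, _ = open_leaf(leaf, F)
    print("single part recovers K:", ecb(D, enc_K, U1)[:KEY_BYTES] == K)
```

The split-key property the summary relies on is visible in the last two lines: each agency's disk holds a value that is uniformly random on its own, and only the XOR of both parts decrypts E[K; U]. Note also that F alone already yields N, which is why the serial number, not the unit key, is what a tap request is keyed on.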


    

Newsgroup: sci.crypt
Document_id: 15671
From: ns111310@LANCE.ColoState.Edu (Nathaniel Sammons)
Subject: Re: I have seen the lobby, and it is us

In article <1993Apr21.163929.21149@eff.org> A. Charles Gross <acg@eff.org> writes:
>Certainly, with our way-cool Internet powers of
>organization, we can act in the same way, if such action is appropriate.
>
>As long as we are kept informed of events, anyone on this bboard can make
>a call to action.  Hopefully, we're a strong enough community to act on
>those calls.  I realize this is a little optimistic, and I'm glad EFF is
>working in the loop on these issues, but don't underestimate the
>potential of the net for political action.
>
>Adam
>* I speak for myself

I second the motion.

All in favor?

BTW>> a few days ago, Charles Fee <CXF111@psuvm.psu.edu> posted the names,
addresses, and phone numbers (voice and fax) of almost all the 103rd 
congress's members.  This info, along with a great number of cabinet men, etc...
I captured it, as did many others, I am sure.

We should single out a few of the people on the list, and bombard them 
with lobbying against the Clipper Chip, et al.

-nate


o---------------------------+======================================o
| "I hate quotations.       |     This message brought you by      |
|   Tell me what you know." |   Nate Sammons, and the number 42.   |
|    --Ralph Waldo Emerson  |  ns111310@longs.lance.colostate.edu  |
o---------------------------+======================================o

Newsgroup: sci.crypt
Document_id: 15672
From: ariel@world.std.com (Robert L Ullmann)
Subject: Re: Why the algorithm is secret

Exactly.

But I'll add another observation: if the chip does become a standard,
the algorithm won't _remain_ secret.

Leaving the government with the only remaining option: to make use
of un-escrowed keys illegal. Which won't begin to bother the terrorists
and child abusers the government is so fond of referring to.

Note that the Federalist papers stress _one_ reason for the right
of citizens to bear arms: to defend themselves _against_ the army.
_Our_ army.

IMHO the _primary_ purpose of private crypto is defend ourselves
_against_ the government. The odd terrorist I'm not worried about;
the goverment damages my quality of life every day.

Rob
--
Robert Ullmann		Ariel@World.STD.COM	+1 508 879 6994 x226
When Maigret pushed open the door of the Tabac Fontaine, at about half past one,
the owner of the bar, who had just got up, was slowly coming down a spiral
staircase that started in the back room. ... Once behind the counter, he pushed
the waiter aside with a careless wave of the hand, seized a bottle of white
wine and a glass, mixed mineral water into the wine and, head tipped back,
gargled.  -- Simenon
[original text is French, in the ISO 10646 UTF-1 universal character set]

Newsgroup: sci.crypt
Document_id: 15673
From: carl@lvsun.com (Carl Shapiro)
Subject: Re: Estimating Wiretap Costs/Benefits

In article <1993Apr20.203756.20667@kronos.arc.nasa.gov> hanson@kronos.arc.nasa.gov (Robin Hanson) writes:
>A rough estimate suggests that wiretaps are worth about five million
>dollars per year to U.S. law enforcement agencies.  (In 1990, 872 U.S.
>wiretaps led to 2057 arrests, while total police expenditures of $28
>billion led to 11.25 million arrests [ref US Statistical Abstracts].)
>I'm working on estimating this wiretap benefit more accurately, but

You seem to be assuming that all arrests are of equal value, and that
the use of wiretaps is spread uniformly among them.

Given this comparatively tiny number of wiretaps, and the associated
difficulty and cost involved (judges, technicians, etc) I expect that
law enforcement reserves the use of wiretaps for the most valuable
cases.  Since the "value" of an arrest can vary over an enormous range
(eg. jaywalking -> mass murder) I think your $5 million estimate may
be too low by a couple of orders of magnitude.

Newsgroup: sci.crypt
Document_id: 15674
From: ebrandt@jarthur.claremont.edu (Eli Brandt)
Subject: Re: The [secret] source of that announcement

In article <1r3hgqINNdaa@uwm.edu> Rick Miller <rick@ee.uwm.edu> writes:
>jbotz@mtholyoke.edu (Jurgen Botz) writes:
>>Seems like somebody didn't like your snooping around, Marc.
>
>Or, the more *likely* explanation is that Marc is spoofing.

While I didn't try the expansion personally, I know of at least two
other people who did and got the same results.  Your allegation is
incorrect at best.

	 PGP 2 key by finger or e-mail
   Eli   ebrandt@jarthur.claremont.edu

Newsgroup: sci.crypt
Document_id: 15675
From: mrr@scss3.cl.msu.edu (Mark Riordan)
Subject: DOS 6.0 compression API: partial answer

For those of you looking for information on MS-DOS 6.0's
file system compression API:

Today I called Microsoft's DOS 6.0 hotline at (800)228-7007.
They told me that the DOS 6.0 Resource Kit had the specifications
for the compression interface.  The Resource Kit costs $19.95,
plus tax and $5 shipping.

I ordered a copy and will post further when I get it and know more
about it.  I am posting now because the order turnaround is 15 
working days.  

If anyone knows for sure where's there's a good
source of info on this API, please speak up.  I am 
slightly skeptical about the Resource Kit's likelihood
of having detailed programming info.

Mark R.  mrr@ripem.msu.edu

(posted also to sci.crypt, since the API could presumably also
be used for file system encryption.)

Newsgroup: sci.crypt
Document_id: 15676
From: eachus@spectre.mitre.org (Robert I. Eachus)
Subject: Re: Off the shelf cheap DES keyseach machine (Was: Re: Corporate acceptance of the wiretap chip)


      Don't get fooled by exponents 2^80 (possible keys) is not in the
same league with 10^80 (particles in the universe).  2^80 < 10^25.
Remember Avogadro's number?  There are about that many elementary
particles (not molecules) in one mole.  Pretty small universe!  Or if
you can put 5 Gigabytes on one tape, you would need about 10 trillion
tapes (allowing several bytes per entry).  Still more than all of the
existing magnetic media on the planet, but wait a few years.  (I'm
including existing audio and video cassettes in the total.  Ten
trillion is about 2,000 per person worldwide...  Gives new meaning to
the suspicions of hidden messages.)

--

					Robert I. Eachus

with Standard_Disclaimer;
use  Standard_Disclaimer;
function Message (Text: in Clever_Ideas) return Better_Ideas is...

Newsgroup: sci.crypt
Document_id: 15677
From: dcd@se.houston.geoquest.slb.com (Dan Day)
Subject: Re: The Escrow Database.

In article <1993Apr20.021846.2423@shearson.com> pmetzger@snark.shearson.com (Perry E. Metzger) writes:
>
>each of the two escrow databases. Fits conveniently on a single very
>valuable Exabyte tape. This can only get easier with time, but who
>cares -- I can already hold all the clipper keys in the country in my
>pocket on two 8mm tapes.

Excellent point, and there's a related point I'd like to make.
They'll have to back up these databases themselves, won't they?
How many tape copies will there be, and how secure will the
tapes be?  If they store them off-site, it wouldn't be too
hard to hijack them in transit.  If they're all kept on-site,
one good bomb attack by some group intent on freeing us from
the threat of government snooping will take care of the problem
once and for all.  I can see it now -- "Hi, we're from the
government and we, um, misplaced our copy of your key.  Could
you mail us a copy?"

Newsgroup: sci.crypt
Document_id: 15678
From: ebrandt@jarthur.claremont.edu (Eli Brandt)
Subject: Re: Would "clipper" make a good cover for other encryption method?

In article <1993Apr20.032623.3046@eff.org> kadie@eff.org (Carl M. Kadie) writes:
>Clipper might be a good way to cover the use of another layer of
>encryption.

Could somebody provide an overview of the proposed systems using the
chip?  (Ought to see if ATT has a spec sheet)  Skipjack sounds like a
normal digital encryption algorithm, so the data path will have to be
	voice --> digitize --> compress --> encrypt 
Compression will be necessary to fit the data on the wire, unless
they want to wait for ISDN (that we should be so lucky...).  Feeding
pre-encrypted data into the compressor will cause it to chuckle at
you; you'd have to tap into the guts of the phone and hack either
the compressed data stream, or selected parts of the output stream
before it hits the modem.  Unless you want to pay for two fast
modems on top of the encryption, and just plug the box in between
your phone and the wall.

>- Carl

	 PGP 2 key by finger or e-mail
   Eli   ebrandt@jarthur.claremont.edu


Newsgroup: sci.crypt
Document_id: 15679
From: habs@panix.com (Harry Shapiro)
Subject: Re: The [secret] source of that announcement

In <1r1om5$c5m@slab.mtholyoke.edu> jbotz@mtholyoke.edu (Jurgen Botz)
writes:

>Even more interesting: the SMTP server at csrc.ncsl.nist.gov no longer
>recognizes the 'expn' and 'vrfy' commands...

>   telnet csrc.ncsl.nist.gov smtp
>   Trying 129.6.54.11...
>   Connected to csrc.ncsl.nist.gov.
>   Escape character is '^]'.
>   220 first.org sendmail 4.1/NIST ready at Tue, 20 Apr 93 17:01:34 EDT
>   expn clipper
>   500 Command unrecognized

>Seems like somebody didn't like your snooping around, Marc.

Then it is a good thing we already have this:

The csspub mailing list: csspab@mail-gw.ncsl.nist.gov, and address on
the clipper mailing list, seems to contain basically the members of
the NIST security board.

In addition to the names already posted, their true names are as
follows:

burrows@ecf = James Burrows a director of NIST's National Computer
Systems Laboratory

mcnulty@ecf = F. Lynn McNulty an associate director for computer
security at the National Institute of Standards and Technology's
Computer Systems Laboratory

Gangemi@dockmaster.ncsc.mil = Gaetano Gangemi is director of the
secure systems program at Wang Laboratories Inc. He wrote: Computer
Security Basics by Deborah Russell and G. T.  Gangemi, Sr. -1991,
O'Reilly and Associates

slambert@cgin.cto.citicorp.com = Sandra Lambert is vice-president of
information security at Citibank, N.A.

lipner@mitre.org = Lipner is Mitre Corp.'s director of information
systems.

gallagher@dockmaster.ncsc.mil = Patrick Gallagher, director of the
National Security Agency's National Computer Security Center and a
security board member

walker@tis.com = Stephen Walker a computer security expert and
president of Trusted Information Systems, Inc. in Glenwood, Md

willis@rand.org = Willis H.  Ware a the Rand Corp.  executive who
chairs the security board.

whitehurst@vnet.ibm.com = William Whitehurst is a security board
member and director of IBM Corp.'s data security programs.

-- 
Harry Shapiro  				      habs@panix.com
List Administrator of the Extropy Institute Mailing List
Private Communication for the Extropian Community since 1991

Newsgroup: sci.crypt
Document_id: 15680
From: tfs@gravity.gmu.edu (Tim Scanlon)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]



	After reading the debate over the Clipper, I have a few things to
add.

	First, most of the people I know who actively use encryption
privately do not care about most of the issues that surround this debate,
and any questions about what is or is not ok to use in the US. All they
care about is whether or not what they are using is secure or not. That,
after all IS the bottom line.

	Second, if I look at all the people I know who use any form
of encryption at all, and this group spans people from the morons who
still insist that the DES is a good and secure standard, to people 
looking at trying to improve upon existing strategies, I can not think
of anyone of them who would approve blindly of a strategy that leaves
their methods open to abuse. The Clipper does this, because people make
mistakes by nature, and the US government is made up of people who are
just as vulnerable to mistakes as everyone else. 

	Third, since most of the people I know are at least marginally
familiar with the vulnerabilities present in current software encryption
strategies, I can't see how most of them are going to blindly trust that
someone will not figure out a good way to compromise the Clipper Chip.
That despite any strengths or weaknesses that may exist in it. So, I can
not see a high degree of confidence developing in the chip.

	Fourth, when it comes to criminal abuse, sure there are many stupid
people out there. And yes, some will be open to being caught via the
built in back door of the Clipper Chip. However, anyone who is going to
do any serious investigation of how best to secure their data is going
to run into that problem pretty damned fast and, I would assume, start
looking around for other easily obtainable methods of encryption.


	If nothing else were available, none of this would be an issue. However,
the truth is that most private encryption users that I've ever run into
simply do not give a damn about the legal status of RSA or PGP or anything
else. If it works, they use it. This is not going to change either. I do
not think for a moment that anyone with serious criminal intent will be
slowed down by the advent of the Clipper Chip. It is all too easy to
convert encrypted data into unintelligible garbage as it is; if anything,
the Clipper Chip just adds another tool to the user.


	The bottom line here is that people will use what works, and
unavoidably, I'm sure most criminals would rather face an encryption
related charge than one which could potentially lead to death penalty
charges in the case of criminals who murder as part of their conspiracy.
	The other thing that has struck me since the advent and wide
usage of public encryption has begun is that quite simply the cat is
out of the bag (Or if you have an interest in snooping, Pandora's Box
has been opened), and this is not going to change. I've seen a blindness
to this that I've found utterly stunning, and the Clipper Chip, along
with the way it has been presented only confirms this to me to a larger
degree.


			Sincerely,

			Tim Scanlon

-- 

tfs@gravity.gmu.edu

Newsgroup: sci.crypt
Document_id: 15681
From: ebrandt@jarthur.claremont.edu (Eli Brandt)
Subject: Re: Estimating Wiretap Costs/Benefits

In article <rlglendeC5t133.En3@netcom.com> rlglende@netcom.com (Robert Lewis Glendenning) writes:
>First, what the fuck is NASA doing wasting my tax dollars doing
>policy papers on stuff far outside of their purvew/mission?

I don't think they're paying for it.

>Do us a favor.  Resign rather than right this paper for NASA.  Go
>do useful work for the society.

Useful?  I find his estimate of the annual value to law enforcement
of $5 million quite useful, if rough (e.g. wiretaps may be
preferentially used on otherwise-hard-to-catch criminals, resulting
in an underestimate).  This comes to twenty cents a head over the
U.S. population.  I would find some rigorous numbers on this quite
useful -- it would make for nice slogans: "Your privacy is worth
$0.37", or whatever it turns out to be.

>Lew Glendenning		rlglende@netcom.com

	 PGP 2 key by finger or e-mail
   Eli   ebrandt@jarthur.claremont.edu



Newsgroup: sci.crypt
Document_id: 15682
From: makey@VisiCom.COM (Jeff Makey)
Subject: Re: Once tapped, your code is no good any more.

In article <C5so84.Hxv@demon.co.uk> Graham Toal <gtoal@gtoal.com> writes:
>I am *completely* baffled by why Dorothy Denning has chosen
>to throw away her academic respectability like this.

She hasn't.  Dorothy Denning has spent many years earning the
professional respect of her colleagues, and something won in this
manner is not easily lost.  Her support of the clipper -- no matter
how unpopular that position may be -- serves far more to enhance the
clipper's respectability than to diminish her own.

                           :: Jeff Makey

Department of Tautological Pleonasms and Superfluous Redundancies Department
    Disclaimer: All opinions are strictly those of the author.
    Domain: makey@VisiCom.COM    UUCP: nosc!visicom!makey

Newsgroup: sci.crypt
Document_id: 15683
From: koontzd@phobos.lrmsc.loral.com (David Koontz )
Subject: Will FEDs troll for mutilated law enforcement blocks?

From Denning:

   the Skipjack encryption algorithm
   F, an 80-bit family key that is common to all chips
   N, a 30-bit serial number
   U, an 80-bit secret key that unlocks all messages encrypted with the chip

   E[M; K], the encrypted message stream, and 
   E[E[K; U] + N; F], a law enforcement block.  

Where the session key is K, and is transmitted encrypted in the unit Key U.
Which along with the serial number N is encrypted in the Family key F.

Presumably the protocol can be recovered (if by nothing else, differential
analysis).

Postulate if you will, a chip (or logic) sitting between the clipper chip
and its communications channel.  The function of this spoof chip is twofold:
    
	1) Transmit Channel

	    The spoof chip XORs the 30 bit encrypted serial number with
	    a secondary keying variable.  This renders the serial number
	    unrecoverable with just the family key

	2) Receive Channel

	    The spoof chip XORs the incoming encrypted serial number
	    with a secondary keying variable (assuming integrity of the
	    law enforcement block is necessary for local operation -
	    checksums, sequence control, etc.).

This has the net result of hiding the serial number.  It is probable there is
a known plaintext pattern used as a filler in the block containing N (34 bits
as used in generating U, U1,U2) correctness of the law enforcement block
can be determined with only the family key F.  Whereas, no one has proposed
Federal Agencies be denied F, and because they could recover it themselves,
The correctness of the serial number can be tested by examining the pad bits
of N in E[N; F].

The one could selectively alter the law enforcement block as above, but the
mutilation could be detected.  A better approach would be to mutilate the
entire law enforcement block.  If it were done with a group encryption scheme
such as DES or (presumably) Skipjack, the chances the law enforcement block
can be recovered are lessened.

What do you want to bet the transmission protocol can be recognized and the
serial numbers decrypted in a target search?  When digital transmission
becomes widely available, would there be a requirement that clipper protocol
transmissions be refused when containing mutilated law enforcement blocks?

One way to avoid notice, would be to spoof protocol information of the block
containing M, as well as spoofing the law enforcement block.

The goal is to use a secure communications scheme, without redress to 
detection or key K interception (contained encrypted within the law
enforcement block).  The data stream is returned to its original state
for use by the clipper chip (or system) if required, for proper operation.

It is somewhat improbable that the entire protocol will be contained within
the clipper chip, yet likely that sequence of events will be tested for,
requiring a valid law enforcement block to be received before accepting
and decrypting E(M; K);

The spoof chip could be implemented anywhere in the protocols, including
on the resulting serial data stream.  Existing clipper products could
be suborned.  After all, they are high security encryption systems right?

Super encipherment/encryption could allow the chip to be used without
redress to detection of the use of the chip, or disclosure of the serial
number.  Security must be adequate to deny the serial number, which should
not be recoverable by other means.  One can see the use of cut outs for
procuring clipper phones, or once the number of units is high enough,
stealing them.  It would be a mistake on the part of authority, but nice
from a point of privacy, if the serial number N were not associated with
a particular clipper chip or lot of chips through the manufacturing and 
distribution process.  Hopefully the list of known missing or stolen
clipper serial numbers N encrypted with F, and the protocols are not 
sufficient plaintext to attack the super encrypted clipper stream.
This could be further made difficult by altering the temporal and or
spatial relationship of the clipper stream to that of the super encrypted
stream.

Detection of an encrypted stream could tip off the use of the aforementioned
scheme.

******************************************************************************

If you could capture valid law enforcement blocks not your own, and use
them in a codebook substitution with your own, where they point to a valid
law enforcement block stored in a library utilizing a session key matching
the remainder of the transmission, you could simply out and out lie, yet
deliver to monitoring and/or hostile forces a seemingly valid law enforcement
block.   These captured law enforcement blocks would be used as authenticators,
such as in a manually keyed encryption system.  Fending this off would require
escalation in examining the protocols and blocks in the transmission.

The M code stream  might be independently attacked based on knowledge of
clipper chip protocols as revealed plaintext.  This could be invalidated
by changing the temporal and or spatial relationship of the clipper M stream
and the actual transmitted stream, under the control of a secure key
generator synchronized between endpoints.

The useful life time of captured law enforcement blocks might be limited
based on hostile forces using them as targets following transmission
interception.  You would need a large number of them, but, hey there's
supposed to be millions of these things, right?  Adding time stamps to
the encrypted law enforcement block is probably impractical, who wants
an encryption chip with a real time clock?

*****************************************************************************

The entire idea of the law enforcement block can be invalidated.


Newsgroup: sci.crypt
Document_id: 15684
From: koontzd@phobos.lrmsc.loral.com (David Koontz )
Subject: Re: Will FEDs troll for mutilated law enforcement blocks?

The M code stream  might be independently attacked based on knowledge of
clipper chip protocols as revealed plaintext.  This could be invalidated
by changing the temporal and or spatial relationship of the clipper M stream
and the actual transmitted stream, under the control of a secure key
generator synchronized between endpoints.

The useful life time of captured law enforcement blocks might be limited
based on hostile forces using them as targets following transmission
interception.  You would need a large number of them, but, hey there's
supposed to be millions of these things, right?  Adding time stamps to
the encrypted law enforcement block is probably impractical, who wants
an encryption chip with a real time clock?

*****************************************************************************

The entire idea of the law enforcement block can be invalidated.

I just had the thought that you could capture your own law enforcement blocks
for session keys K that you will not use in actual transmissions as
the session key authenticators.  The proviso is that you don't mind your own
serial number being discovered.

d. denning just sent out further information on a new version of the clipper
chip.  If a hash function were to be embedded in a clipper M transmission
block reflecting the law enforcement block, it better not fall on 64 bit block
boundaries.  If it were a recognizable datum, you could lie with it too.

I like the randomizer inclusion in the MYK-80.  I remember reading that
Intel had an approved random noise source on silicon, hence the ability
to put it Inside.

You ever think that Mykotronx sounds like one of those made up names of 
companies used as fronts for intelligence organizations?


Newsgroup: sci.crypt
Document_id: 15685
From: tuinstra@signal.ece.clarkson.edu.soe (Dwight Tuinstra)
Subject: political point of attack: Clipper infrastructure

My earlier argument that "Clipper will encourage state and local cops 
to commit criminal acts" is largely moot, now that we've learned that 
the FBI will perform the actual tap.  [It will encourage the *FBI* to
commit (even more) criminal acts, but that's not the point here.]

But this gives another avenue of attack on the Clipper proposal.  When
the EFF/ACLU/CPSR FOIA requests are made, they should ask for details
on the bureaucratic and equipment infrastructure that is proposed (or 
even already budgeted) for the FBI to service tapping requests -- for now
and the projected future. 

From these figures, estimate the number of Clipper-tap requests the FBI
is expecting.  Publish this figure.  Compare it on a per-capita basis
with the amount of tapping now known or suspected.

Also estimate how expensive it would be for the FBI to install more
Clipper-tapping stations, and how rapidly they could be built and
installed ... ie, get the "plus or minus" epsilon for the near future.

Might be a mite disturbing for J. Q. Public to know these things.

And despite all the technical details [BTW, thanks to those who've been
providing them!], we still don't know 

1) how the tapping requests will be transmitted and authenticated (though
   it isn't too hard to guess a good scheme).

2) how the results will be securely transmitted (Fed Ex the audio tapes?)

3) how privacy will be re-established when an investigation is complete.

+========================================================================+
|  dwight tuinstra             best:  tuinstra@sandman.ece.clarkson.edu  |
|                         tolerable:  tuinstrd@craft.camp.clarkson.edu   |
|                                                                        |
|        "Homo sapiens: planetary cancer??  ...  News at six"            |
+========================================================================+

Newsgroup: sci.crypt
Document_id: 15686
From: smb@research.att.com (Steven Bellovin)
Subject: Re: Clipper will corrupt cops (was WH proposal from Police point of view)

In article <1993Apr21.041033.16550@news.clarkson.edu>, tuinstra@signal.ece.clarkson.edu.soe (Dwight Tuinstra) writes:
> The clear implication is that there are "legal" authorizations other
> than a court order.  Just how leaky are these?

I don't have the wiretap statute handy.  But here's what the law says
on pen registers.  This is all from Title 18 of the U.S. Code.  Note
how vague S. 3125(a)(1)(B) is....  I haven't had a chance to check
out 50 U.S.C. 1801 yet.

----

18 USC  S. 3121 Pen Registers (as of 4/93)


S. 3121. General prohibition on  pen register  and trap and trace device
use; exception

   (a) In general. Except as provided in this section, no person may
install or use a  pen register  or a trap and trace device without first
obtaining a court order under section 3123 of this title or under the
Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.).

.....

S. 3125.  Emergency  pen register  and trap and trace device
installation

   (a) Notwithstanding any other provision of this chapter , any
investigative or law enforcement officer, specially designated by the
Attorney General, the Deputy Attorney General, the Associate Attorney
General, any Assistant Attorney General, any acting Assistant Attorney
General, or any Deputy Assistant Attorney General, or by the principal
prosecuting attorney of any State or subdivision thereof acting pursuant
to a statute of that State, who reasonably determines that--

   (1) an emergency situation exists that involves--

   (A) immediate danger of death or serious bodily injury to any person;
or

   (B) conspiratorial activities characteristic of organized crime,

   that requires the installation and use of a  pen register  or a trap
and trace device before an order authorizing such installation and use
can, with due diligence, be obtained, and

   (2) there are grounds upon which an order could be entered under this
chapter to authorize such installation and use "may have installed and
use a  pen register  or trap and trace device if, within forty-eight
hours after the installation has occurred, or begins to occur, an order
approving the installation or use is issued in accordance with section
3123 of this title."

   (b) In the absence of an authorizing order, such use shall
immediately terminate when the information sought is obtained, when the
application for the order is denied or when forty-eight hours have
lapsed since the installation of the  pen register  or trap and trace
device, whichever is earlier.

   (c) The knowing installation or use by any investigative or law
enforcement officer of a  pen register  or trap and trace device
pursuant to subsection (a) without application for the authorizing order
within forty-eight hours of the installation shall constitute a
violation of this chapter.


Newsgroup: sci.crypt
Document_id: 15687
From: smb@research.att.com (Steven Bellovin)
Subject: Re: Clipper considered harmful

In article <1r24us$oeh@agate.berkeley.edu>, shirriff@sprite.berkeley.edu (Ken Shirriff) writes:
> Imagine archiving all pay-phone conversations, so if someone turns out
> to be a drug dealer, you can listen to all their past drug deals.  And
> archive calls to/from suspected Mafia members, potential terrorists,
> radicals, etc.  Imagine the convenience for the police of being able to
> get a warrant now and listening to all the calls the World Trade Center
> bombers made in the past year.
> 
> Since archiving would be such a powerful tool and so easy to do, why
> wouldn't it happen?

Apart from the storage and search requirements, because the evidence
is inadmissible:  wiretaps require a warrant.  And as soon as one
such case comes to light, all previous cases are likely to be discovered,
and thrown out.  There was an article in the NY Times a few months ago
about how many convictions in the state might be invalidated because
they relied on pen registers -- and the Court of Appeals ruled that
pen registers were equivalent to wiretaps, and hence required warrants
under New York law.

Newsgroup: sci.crypt
Document_id: 15688
From: eab@msc.edu (Edward Bertsch)
Subject: Re: I have seen the lobby, and it is us

I agree that notifying your elected officials of your feelings on this
(and any other, for that matter) issue is the way to go.  And by the
way, the phone #s on the list posted the other day were all in Washington
D.C.  --  For most of you, your elected officials will also maintain
a local office in your area code.

When I 'manage' my elected officials, I use their local office #'s
exclusively, and my fax modem and windows-print-capture software are
my tool of choice.  They see my words as I have stated them, rather
than a summary as they would if I called in /voice/ and left a
comment with the office staff.


-- 
Edward A. Bertsch (eab@msc.edu)   Minnesota Supercomputer Center, Inc.
Operations/User Services          1200 Washington Avenue South
(612) 626-1888 work               Minneapolis, Minnesota  55415
(612) 645-0168 voice mail         [DISCLAIMER: MY OPINIONS; NOT MSCI'S]

Newsgroup: sci.crypt
Document_id: 15689
From: Marc VanHeyningen <mvanheyn@cs.indiana.edu>
Subject: Re: freely distributable public key cryptography c++ code:  where?

Thus said ee92jks@brunel.ac.uk (Jonathan K Saville):
>D. Wigglesworth (smhanaes@gpu.utcc.utoronto.ca) wrote:
>
>: Do you know of any freely distributable c++ (or c) code for public
>: key cryptography (such as RSA)?  
>
>: I've tried various archie searches to no avail.  
>
>Have you heard of PGP? I assume from your post that you have not. PGP 2.2
>is a freeware RSA encryption program which includes digital signatures and
>comprehensive key management facilities. Most sites also keep the source code.
>A growing number of people are using this excellent software to encrypt (to
>a very high standard) their email and data. Get it before Clinton outlaws it.
>
>Two of the many sites are:
>      rsa.com     /pub/pgp
>      soda.berkeley.edu      /pub/cypherpunks/pgp

PGP is not available on the archive site rsa.com.  If it were, it
would be highly amusing, since rsa.com (actually Public Key Partners,
but it's the same entity) is the organization holding the patents
which they claim are violated if you actually "make, use or sell" PGP.
I believe those patents also apply in Canada, but I'm not a patent
lawyer or anything.

There is no such thing as freely redistributable code for RSA which
can be used in North America without legal entanglements.  You may
wish to consider RSAREF, however, which *is* available from the FTP
site rsa.com in /rsaref but probably doesn't meet your definition of
"freely redistributable" (it's readily available in source, in C, and
does RSA, MD5, etc. and comes with a license allowing noncommercial
use.  Like any other strong crypto software, it's not exportable
legally.  It can be modified with permission from RSADSI, which a
number of people have received in the past.)  For reasons that aren't
entirely clear to me, RSA says that only U.S. people should take
RSAREF from its server, although there aren't ITAR issues regarding
Canada.  The RIPEM distribution site (ripem.msu.edu) has RSAREF in its
distribution, and is OK for Canadians.
--
Marc VanHeyningen   mvanheyn@cs.indiana.edu   MIME & RIPEM accepted


"Barney the Dinosaur is simply Rush Limbaugh in a Dinosaur Suit."  - Lost Boy

Newsgroup: sci.crypt
Document_id: 15690
From: caronni@nessie.cs.id.ethz.ch (Germano Caronni)
Subject: Some Questions (was: REVISED SUMMARY)

> Here is a revised version of my summary that corrects some errors and
> provides some additional information and explanation.

Thank you very much. After reading the text, some distinct questions
arose for me, which I guess will also be asked by other people. Perhaps
it would be interesting to find an answer to these questions?


>                      THE CLIPPER CHIP: A TECHNICAL SUMMARY
>    N, a 30-bit serial number (this length is subject to change)

shorter or longer ?

> Once the session key K is established, the Clipper Chip is used to
> encrypt the conversation or message stream M (digitized voice).  The
> telephone security device feeds K and M into the chip to produce two
> values:

>    E[M; K], the encrypted message stream, and
>    E[E[K; U] + N; F], a law enforcement field ,

> which are transmitted over the telephone line.  The law enforcement
> field thus contains the session key K encrypted under the unit key U
> concatenated with the serial number N, all encrypted under the family
> key F.  The law enforcement field is decrypted by law enforcement after
> an authorized wiretap has been installed.

First question: When will the LawEnforcementField be transmitted, and how
does the remote Clipper Chip handle it? Is it transmitted periodically
in the stream of encrypted blocks, or just at the beginning? Does the
phone at the other side discard those packets via some protocol or other,
or does it try to turn them into voice output? (Which would not be disturbing)


> At the beginning of a session, a trusted agent from each of the two key
> escrow agencies enters the vault.  Agent 1 enters a secret, random
> 80-bit value S1 into the laptop and agent 2 enters a secret, random
> 80-bit value S2. These random values serve as seeds to generate unit
> keys for a sequence of serial numbers.  Thus, the unit keys are a
> function of 160 secret, random bits, where each agent knows only 80.

Second question: Why!?!? Why is such a strange procedure used, and not
a real RNG? This turns those S1, S2 into a kind of bottleneck for system
security.


> When law enforcement has been authorized to tap an encrypted line, they
> will first take the warrant to the service provider in order to get
> access to the communications line.  Let us assume that the tap is in
> place and that they have determined that the line is encrypted with the
> Clipper Chip.  The law enforcement field is first decrypted with the
> family key F, giving E[K; U] + N.  Documentation certifying that a tap
> has been authorized for the party associated with serial number N is
> then sent (e.g., via secure FAX) to each of the key escrow agents, who
> return (e.g., also via secure FAX) U1 and U2.  U1 and U2 are XORed
> together to produce the unit key U, and E[K; U] is decrypted to get the
> session key K.  Finally the message stream is decrypted.  All this will
> be accomplished through a special black box decoder.

So no (technical) provision will be taken to place a 'timeout' on these
warrants? This would be a unique possibility to realize such a technical
restriction, by letting the escrow agencies perform the decoding of the
session key. Just take modem lines instead of secure fax. Is this such
a bad idea?


> A successor to the Clipper Chip, called "Capstone" by the government
> and "MYK-80" by Mykotronx, has already been developed.  It will include
> the Skipjack algorithm, the Digital Signature Standard (DSS), the
> Secure Hash Algorithm (SHA), a method of key exchange, a fast
> exponentiator, and a randomizer.  A prototype will be available for
> testing on April 22, and the chips are expected to be ready for
> delivery in June or July.

Wow! (How does the randomizer work?) Are the SHA (and key exchange) secret,
or publicly known? Key exchange is DH, I guess?

It seems that those who are opposed to this chip shall have a tough time;
your government really means to act. :-(

Friendly greetings,
	   Germano Caronni

-- 
Instruments register only through things they're designed to register.
Space still contains infinite unknowns.
                                                              PGP-Key-ID:341027
Germano Caronni caronni@nessie.cs.id.ethz.ch   FD560CCF586F3DA747EA3C94DD01720F
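The data flow in the quoted summary, worked through in code as an added example (not code from Caronni's post, from the summary, or from any real Clipper device): the vault derives U1 and U2 from S1, S2 and N, the chip emits E[M; K] and the law enforcement field E[E[K; U] + N; F], and the tap recovers N from the family key F alone but needs both escrow halves to recover K. Assumed, because Skipjack and the unit-key derivation were not public: a SHA-256 keystream stands in for E[x; k], and a hash of the seeds and serial number stands in for the unit-key generator. The escrow_agent function, which refuses to release its half without documentation of an authorized tap, is a modelling choice; the summary says nothing about a warrant timeout, and none is implemented here.

```python
"""Toy model of the key-escrow data flow in the quoted Clipper summary.

Added example; not code from the original post or from any Clipper
implementation.  ASSUMPTIONS: Skipjack was classified, so E[x; k] below is a
stand-in built from a SHA-256 keystream (nonce || x XOR keystream); the
function deriving U1, U2 from the agents' seeds S1, S2 and the serial number
N is likewise a hash stand-in, since the real one was not published.
"""
import hashlib
import secrets

KEY_BYTES = 10      # 80-bit Skipjack-style keys
SERIAL_BYTES = 4    # holds the 30-bit serial number N
NONCE_BYTES = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from SHA-256; stand-in for the real block cipher.
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:length])


def E(data: bytes, key: bytes) -> bytes:
    """Stand-in for E[data; key]: a fresh nonce followed by data XOR keystream."""
    nonce = secrets.token_bytes(NONCE_BYTES)
    return nonce + _xor(data, _keystream(key, nonce, len(data)))


def D(blob: bytes, key: bytes) -> bytes:
    """Inverse of E."""
    nonce, body = blob[:NONCE_BYTES], blob[NONCE_BYTES:]
    return _xor(body, _keystream(key, nonce, len(body)))


def program_chip(N: int, S1: bytes, S2: bytes):
    """Vault step: U1 and U2 are a function of S1, S2 and N, so the unit key
    U = U1 XOR U2 is fully determined by the two seeds and the serial number.
    Returns (U, U1, U2); U1 goes to escrow agent 1, U2 to escrow agent 2."""
    n = N.to_bytes(SERIAL_BYTES, "big")
    U1 = hashlib.sha256(b"U1" + S1 + S2 + n).digest()[:KEY_BYTES]
    U2 = hashlib.sha256(b"U2" + S1 + S2 + n).digest()[:KEY_BYTES]
    return _xor(U1, U2), U1, U2


def chip_encrypt(M: bytes, K: bytes, U: bytes, N: int, F: bytes):
    """What the chip emits: E[M; K] and the law enforcement field
    E[E[K; U] + N; F], where '+' is concatenation."""
    leaf = E(E(K, U) + N.to_bytes(SERIAL_BYTES, "big"), F)
    return E(M, K), leaf


def escrow_agent(holdings: dict, N: int, warrant_presented: bool) -> bytes:
    """One escrow agency: releases its half of the unit key for serial N only
    against documentation of an authorized tap (modelled as a flag)."""
    if not warrant_presented:
        raise PermissionError("no authorization for serial %d" % N)
    return holdings[N]


def wiretap_decrypt(stream: bytes, leaf: bytes, F: bytes, agent1: dict,
                    agent2: dict, warrant_presented: bool):
    """Law-enforcement side of the summary.  Note the ordering: F alone already
    reveals N; only the two escrow halves together reveal K and hence M."""
    inner = D(leaf, F)                                   # E[K; U] + N
    enc_K = inner[:-SERIAL_BYTES]
    N = int.from_bytes(inner[-SERIAL_BYTES:], "big")
    U1 = escrow_agent(agent1, N, warrant_presented)
    U2 = escrow_agent(agent2, N, warrant_presented)
    K = D(enc_K, _xor(U1, U2))
    return N, D(stream, K)


def demo() -> bool:
    """End-to-end run on constructed values; True if the tap recovers both
    the serial number and the plaintext stream."""
    S1, S2 = secrets.token_bytes(KEY_BYTES), secrets.token_bytes(KEY_BYTES)
    F = secrets.token_bytes(KEY_BYTES)        # family key, common to all chips
    N = 0x2A5F3C1                             # constructed 30-bit serial number
    U, U1, U2 = program_chip(N, S1, S2)
    agent1, agent2 = {N: U1}, {N: U2}         # each agency's escrow database
    K = secrets.token_bytes(KEY_BYTES)        # session key; the summary does not say how it is agreed
    M = b"constructed sample of digitized voice"
    stream, leaf = chip_encrypt(M, K, U, N, F)
    got_N, got_M = wiretap_decrypt(stream, leaf, F, agent1, agent2, True)
    return got_N == N and got_M == M


if __name__ == "__main__":
    print("escrow round trip ok:", demo())
```

The point Caronni's second question turns on is visible in program_chip: with S1 and S2 fixed, every chip's U is a deterministic function of N, so the two seeds, not the escrow databases, are the real secret.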

Newsgroup: sci.crypt
Document_id: 15691
From: holland@CS.ColoState.EDU (douglas craig holland)
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks only

In article <1r47l1INN8gq@senator-bedfellow.MIT.EDU> jfc@athena.mit.edu (John F Carr) writes:
>
>In most cases information you come by properly is yours to use as you wish,
>but there are certainly exceptions.  If you write a paper which includes
>sufficiently detailed information on how to build a nuclear weapon, it is
>classified.  As I understand the law, nuclear weapons design is
>_automatically_ classified even if you do the work yourself.  I believe you
>are then not allowed to read your own paper.
>
	Hate to mess up your point, but it is incredibly easy to learn how
to make a nuclear weapon.  The hard part is getting the radioactives to
put in it.  Have you ever read Tom Clancy's _The Sum of All Fears_?  It
describes in great detail how a Palestinian terrorist group constructed a
nuclear bomb using stolen (actually found) plutonium, with some help from
an East German nuclear physicist.  For some non-fiction, read Tom Clancy's
article _Five Minutes Till Midnight_.  It shows how a terrorist group could
construct a nuke using Neptunium, a low grade radioactive waste product
dumped in toxic waste sites and forgotten about.  He also claims information
on constructing a nuke is easily found in any large library.  Sounds
kind of scary, doesn't it? :-(

>A less serious example: if you tell drivers about a speed trap they are
>about to run into, you can be fined, even though you might argue that you
>broke no law when you discovered the location of the policeman.  The charge
>is interfering with a police officer, which is quite similar what you would
>be doing by reverse engineering the Clipper chip.
>
>Don't tell me that you think this violates the Constitution -- find some
>court cases which have struck down such laws.  Many people would not be
>comforted by the fact that the government violated their rights when it
>imprisoned them.
>

	Don't know whether you could get busted for warning of a speed trap.

Doug Holland

-- 
----------------------------------------------------------------------------
|  Doug Holland                | Anyone who tries to take away my freedom  |
|  holland@cs.colostate.edu    | of speech will have to pry it from my     |
|  PGP key available by E-mail | cold, dead lips!!                         |

Newsgroup: sci.crypt
Document_id: 15692
From: brad@optilink.COM (Brad Yearwood)
Subject: Re: Would "clipper" make a good cover for other encryption method?

In article <strnlghtC5t42t.J9B@netcom.com>, strnlght@netcom.com (David Sternlight) writes:
> 
> Chances are the government has thought of this, and "just anyone" won't be
> permitted access to enough of the internals to make a "fake" clipper chip.
> Chances are that the government has classified some details of the internals
> at a very high level, and manufacturers are required to observe security
> safeguards and clearances corresponding to that level.

Assume in this case the usual canard-adversary of narcotraficantes.  They
probably have more cash than the KGB did, and they're probably more generous
at handing it out.  It will be easier than ever to find or cultivate Walkers
and Pollards for the keys, and it will be easy enough to find someone to
reverse-engineer the chip (unless the tamper proofing is damned clever and
effective).

Brad Yearwood     brad@optilink.com     {uunet, pyramid}!optilink!brad
Petaluma, CA

Newsgroup: sci.crypt
Document_id: 15693
From: djb@silverton.berkeley.edu (D. J. Bernstein)
Subject: Re: Off the shelf cheap DES keyseach machine

In article <1993Apr21.132318.16981@ulysses.att.com> smb@research.att.com (Steven Bellovin) writes:
> And key size is one of the things that can be
> verified externally.

Gee. Say they feed the 80-bit key through Snefru-8 and take the first 60
bits of the result, then use those 60 bits as the real key. How do you
figure out that each key is one of 2^20 ``equal'' keys? You can try a
birthday attack, but if the key can be changed only once a second then
you will need several lifetimes to get reliable statistics. Somehow I
don't think you could catch the NSA at this sort of skulduggery.

---Dan
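Bernstein's argument in code, as an added example that is not from his post: a chip that hashes its 80-bit key and keeps only 60 bits of the digest has 2^20 nominal keys per real key, and the only external symptom, two different keys that behave identically, shows up after roughly sqrt(pi/2 * 2^60) random key changes. SHA-256 is assumed as a stand-in for Snefru-8 (the construction is the same: hash, then truncate); the small-space simulation at the end shows the square-root scaling on key spaces small enough to run.

```python
"""Why key size cannot be checked from outside: a hidden key-truncation model.

Added example, not code from the original post.  ASSUMPTION: SHA-256 stands in
for Snefru-8 as the hash the hypothetical chip applies to its 80-bit key; the
chip is modelled as keeping only the first EFFECTIVE_BITS bits of the digest.
"""
import hashlib
import math
import random

NOMINAL_BITS = 80
EFFECTIVE_BITS = 60


def effective_key(key: bytes, effective_bits: int = EFFECTIVE_BITS) -> int:
    """The key the cipher would really use: hash the nominal key and keep the
    first effective_bits bits, the construction Bernstein describes."""
    digest = int.from_bytes(hashlib.sha256(key).digest(), "big")
    return digest >> (256 - effective_bits)


def keys_per_class(nominal_bits: int = NOMINAL_BITS,
                   effective_bits: int = EFFECTIVE_BITS) -> int:
    """Average number of nominal keys sharing one effective key (2^20 here)."""
    return 2 ** (nominal_bits - effective_bits)


def expected_trials_to_collision(effective_bits: int) -> float:
    """Birthday bound: expected number of random keys tried before two of them
    map to the same effective key, sqrt(pi/2 * 2^bits)."""
    return math.sqrt(math.pi / 2 * 2 ** effective_bits)


def years_at_rate(trials: float, trials_per_second: float = 1.0) -> float:
    """How long the external observer waits when the device only lets the key
    be changed trials_per_second times per second."""
    return trials / trials_per_second / (365.25 * 24 * 3600)


def trials_to_first_collision(effective_bits: int, seed: int = 0) -> int:
    """Simulate the observer on a small key space: draw random 80-bit keys and
    count how many are needed before two behave identically.  Deterministic
    for a given seed; never more than 2^effective_bits + 1 by pigeonhole."""
    rng = random.Random(seed)
    seen = set()
    trials = 0
    while True:
        key = rng.getrandbits(NOMINAL_BITS).to_bytes(NOMINAL_BITS // 8, "big")
        trials += 1
        eff = effective_key(key, effective_bits)
        if eff in seen:
            return trials
        seen.add(eff)


if __name__ == "__main__":
    print("nominal keys per effective key:", keys_per_class())
    t = expected_trials_to_collision(EFFECTIVE_BITS)
    print("expected trials to first collision at 60 effective bits: %.3g" % t)
    print("at one key change per second: %.1f years" % years_at_rate(t))
    for bits in (8, 12, 16):
        print("%2d effective bits: first collision after %d trials (expected ~%.0f)"
              % (bits, trials_to_first_collision(bits),
                 expected_trials_to_collision(bits)))
```

Note that a single collision is not "reliable statistics": distinguishing a deliberately truncated key from ordinary bad luck needs several, so the waiting time scales up by that factor again.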

Newsgroup: sci.crypt
Document_id: 15694
From: bear@tigger.cs.Colorado.EDU (Bear Giles)
Subject: Re: The [secret] source of that announcement

>Andrew Molitor (amolitor@nmsu.edu) wrote:
>: 
>: 	1) Monitor my phonecalls.
>: 	2) Monitor usenet.

They may collect the data, but making sense of it is another matter.

On sci.crypt I'm a graduate CS major (with strong math background) and
experienced programmer taking a cryptology course.  (<< keyword for
alleged NSA filters).

On sci.skeptic I'm an ex-physics major who's a new-age flake, talking
about silly things like how a person's expectations color what he
sees.

On talk.religion.newage I'm a physics geek who enjoys squashing
interesting ideas with WASP science, although I do write occasional
posts showing a minimal knowledge of Zen, mythology, etc.

I could go on, but I'm sure you see my point.  I'm a single person,
but I react differently on different groups (admittedly, in part
because I'm a contrarian who always shouts "but, on the other hand...").
On top of that, I _loathe_ certainty and have taken public positions
in the past for no reason other than to challenge "conventional wisdom".
I wish them luck in figuring out who "I" am based on that information.

(They can probably figure out I'm liberal, with a technical degree
but humanistic interests, from a common thread throughout my posts.
But that describes a fair portion of the users of Internet).

-- 
Bear Giles
bear@cs.colorado.edu/fsl.noaa.gov

Newsgroup: sci.crypt
Document_id: 15695
From: wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705)
Subject: Re: An Open Letter to Mr. Clinton

In article <strnlghtC5M2Cv.8Hx@netcom.com> strnlght@netcom.com (David Sternlight) writes:
   Here's a simple way to convert the Clipper proposal to an unexceptionable
   one: Make it voluntary.

   That is--you get high quality secure NSA classified technology if you agree
   to escrow your key. Otherwise you are on your own.

That's the disturbing part - use of other products IS voluntary, for now,
and the press releases talk about the White House's unwillingness to
decide that citizens have a right to good commercial crypto gear,
and about how commercial alternatives will be permitted as long as
they provide key escrow services.  That's a clear implication that
they're considering banning alternatives.

Additionally, use of real alternatives ISN'T totally legal:
you're not allowed to export really good crypto equipment except to
the government's friends (e.g. the Australian government);
you can only export even BAD crypto equipment with their permission;
and the regulators who control the cellular telephone companies make
sure there are only two competitors, so Joe's Garage Cellular can't
start offering a secure service.  
--
#				Pray for peace;      Bill
# Bill Stewart 1-908-949-0705 wcs@anchor.att.com AT&T Bell Labs 4M312 Holmdel NJ
#	              No, I'm *from* New Jersey, I only *work* in cyberspace....
# White House Comment Line 1-202-456-1111  fax 1-202-456-2461

Newsgroup: sci.crypt
Document_id: 15696
From: wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705)
Subject: Re: Clipper considered harmful

In article <1r24us$oeh@agate.berkeley.edu> shirriff@sprite.berkeley.edu (Ken Shirriff) writes:
   In article <15469@optilink.COM> brad@optilink.COM (Brad Yearwood) writes:
   >Finally, because there is essentially no possibility of intercepting in
   >realtime the scrutable content of communications between stolen instruments,
   >there will exist strong motivation to record and archive _all_ communications
   >in the network for ex-post-facto scrutiny (once some criminal act is
   >discovered, and the instruments involved have been identified).

"All" is a *very* big number.  The AT&T Long Distance network has
around 20,000 T3 trunks (45 Mbit/sec), which is on the order of 10**12 bits/sec.
That doesn't even count the amount of traffic in the LOCAL phone companies,
or our long-distance competitors.  It's about 200 Exabytes tapes / second,
which is pretty large even for the NSA :-)

On the other hand, I can easily see them recording the traffic for
"interesting" people, such as dissidents, suspected criminals,
foreign telephone calls, and anybody noticed using encryption.
As Ken Shirriff speculates, recording encrypted traffic will probably
be judged not to be an invasion of privacy pretty soon ....
--
#				Pray for peace;      Bill
# Bill Stewart 1-908-949-0705 wcs@anchor.att.com AT&T Bell Labs 4M312 Holmdel NJ
#	              No, I'm *from* New Jersey, I only *work* in cyberspace....
# White House Comment Line 1-202-456-1111  fax 1-202-456-2461

Newsgroup: sci.crypt
Document_id: 15697
From: andersom@spot.Colorado.EDU (Marc Anderson)
Subject: **Sorry folks** (read this)

In article <1993Apr21.001707.9999@ucsu.Colorado.EDU> andersom@spot.Colorado.EDU (Marc Anderson) writes:
[...]
>
>(the date I have for this is 1-26-93)
>
>note Clinton's statements about encryption in the 3rd paragraph..  I guess
>this statement doesn't contradict what you said, though.
>
>--- cut here ---
>
>        WASHINGTON (UPI) -- The War on Drugs is about to get a fresh
>start, President Clinton told delegates to the National Federation
>of Police Commissioners convention in Washington.
>        In the first speech on the drug issue since his inaugural,
>Clinton said that his planned escalation of the Drug War ``would make
>everything so far seem so half-hearted that for all practical
[...]

I just found out from my source that this article was a joke.  Heh heh..  
It seemed pretty damn convincing to me from the start -- I just didn't
notice the smiley at the end of the article, and there were a few other
hints which I should have caught.

Anyway -- I guess this 'joke' did turn out to resemble Clinton's true 
feelings at least to some extent.  

Sorry about that...

-marc
andersom@spot.colorado.edu

Newsgroup: sci.crypt
Document_id: 15698
From: anthonyf@microsoft.com (Anthony Francisco)
Subject: Re: Clipper and Ranting Libertarians

Just a little nitpicking. Wasn't it the government that required
a standard railway gauge? Didn't that improve things?

Please don't misunderstand. I'm utterly suspicious of this Clipper
chip. Why hold the design TOP SECRET? Was this a workaround of the
law that says that any discoveries made by people working for the
government are public domain? (e.g. NIH Class Library, etc.)
DES has its design published all over the place and it is considered
fairly strong (although it could be stronger).

							- Ants

Newsgroup: sci.crypt
Document_id: 15699
From: steve-b@access.digex.com (Steve Brinich)
Subject: Fear, Uncertainty, Doubt

  I suspect that the decisive element in the political battle will be the
FUD (Fear, Uncertainty, Doubt) factor.
  If the people who would be end users of the Cripple Chip hear of the whole
debate only vaguely -- the government says it's solid; other people in the
field say it's Swiss cheese -- the balance of doubt could shift against the
Feds.  Any attempt to limit other forms of encryption could then be presented
as the government covering its own butt by protecting its poor product from
superior competition.
  Comments?


Newsgroup: sci.crypt
Document_id: 15700
Subject: Re: How large are commercial keys?
From: pgut1@cs.aukuni.ac.nz (Peter Gutmann)

In <1993Apr20.182038.12009@ee.eng.ohio-state.edu> butzerd@maumee.eng.ohio-state.edu (Dane C. Butzer) writes:

>What are the typical sizes for keys for commercial secret key algorithms?
>I know DES is 56 bits ("triple DES" is 112 bits) and IDEA is 128 bits.  Is
>there anything made in the US that has 128 bit keys?  Anything anywhere
>that has larger keys?  I've heard that RC2 can be scaled to arbitrarily
>large keys, but is this actually implemented anywhere?

My MDC cipher (which uses any one-way hash function as a CFB-mode stream
cipher, the current implementation uses MD5) uses a key of up to 2048 bits
(that is, you can use a 1-bit key if you want and copy it over the entire
2048-bit range, or you can use the entire 2048 bits).  Runtime is
independent of key size, the system runs slightly slower than MD5 itself.
I presume RC2 and RC4 use a similar system (or possibly they just hash an
arbitrary-length key down to n bits, maybe 128, using something like MD5).

Peter.
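One way to build the construction Gutmann describes, as an added example that is not his MDC code: MD5 (the hash his implementation uses) is run over the expanded key and the previous ciphertext block to produce each keystream block, so the hash takes the place of the block cipher in CFB mode, and a short key is copied over the whole 2048-bit range. The key expansion, the exact feedback layout and the IV handling are assumptions; the post does not give them. The last function shows why the IV must never repeat under one key.

```python
"""A one-way hash used as a CFB-mode stream cipher, in the style of the MDC
cipher described in the post.  Added example, not Gutmann's code.
ASSUMPTIONS (the post does not spell these out): the key is copied over the
full 2048-bit range; keystream block i = H(expanded_key || ciphertext block
i-1), with the IV as block 0; MD5 is used only because the post names it.
"""
import hashlib
import secrets

KEY_BYTES = 2048 // 8
BLOCK = hashlib.md5().digest_size        # 16-byte keystream / feedback unit


def expand_key(key: bytes) -> bytes:
    """Copy a 1..2048-bit key over the whole 2048-bit range, as the post
    describes for short keys (a 1-byte key is simply repeated 256 times)."""
    if not key or len(key) > KEY_BYTES:
        raise ValueError("key must be 1..%d bytes" % KEY_BYTES)
    reps = -(-KEY_BYTES // len(key))      # ceiling division
    return (key * reps)[:KEY_BYTES]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _cfb(key: bytes, iv: bytes, data: bytes, decrypt: bool) -> bytes:
    """Core CFB loop.  The hash state after absorbing the key is computed once
    and copied per block, so the per-block cost does not depend on key length
    (which is how "runtime independent of key size" is achieved here)."""
    if len(iv) != BLOCK:
        raise ValueError("iv must be %d bytes" % BLOCK)
    keyed = hashlib.md5(expand_key(key))
    feedback = iv
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        h = keyed.copy()
        h.update(feedback)
        produced = _xor(chunk, h.digest())   # keystream truncated to the chunk
        # CFB feeds the *ciphertext* block forward: what we just produced when
        # encrypting, what we were handed when decrypting.
        feedback = chunk if decrypt else produced
        out += produced
    return bytes(out)


def mdc_encrypt(key: bytes, plaintext: bytes, iv=None) -> bytes:
    """Returns iv || ciphertext.  A fresh random IV per message is mandatory:
    the keystream is a deterministic function of (key, iv, prior ciphertext)."""
    iv = secrets.token_bytes(BLOCK) if iv is None else iv
    return iv + _cfb(key, iv, plaintext, decrypt=False)


def mdc_decrypt(key: bytes, blob: bytes) -> bytes:
    return _cfb(key, blob[:BLOCK], blob[BLOCK:], decrypt=True)


def iv_reuse_leaks(key: bytes, iv: bytes, m1: bytes, m2: bytes) -> bool:
    """Defender's check: under one (key, iv) the first keystream block is the
    same for both messages, so XORing the two ciphertexts exposes m1 XOR m2
    for that block with no knowledge of the key.  True when the leak is present."""
    c1 = mdc_encrypt(key, m1, iv)[BLOCK:BLOCK * 2]
    c2 = mdc_encrypt(key, m2, iv)[BLOCK:BLOCK * 2]
    return _xor(c1, c2) == _xor(m1[:BLOCK], m2[:BLOCK])


if __name__ == "__main__":
    msg = b"constructed plaintext spanning several sixteen-byte CFB blocks"
    blob = mdc_encrypt(b"constructed key", msg)
    print("round trip ok:", mdc_decrypt(b"constructed key", blob) == msg)
```

Two caveats worth noticing in the code: copying a key over the full range makes b"k" and b"kk" the same key, so the number of *distinct* keys is smaller than the 2048-bit range suggests; and since a mismatched key yields random-looking garbage rather than an error, this construction provides no integrity on its own.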

Newsgroup: sci.crypt
Document_id: 15701
From: rita@eff.org (Rita Marie Rouvalis)
Subject: Re: **Sorry folks** (read this)

In article <1993Apr22.014646.28445@ucsu.Colorado.EDU> andersom@spot.Colorado.EDU (Marc Anderson) writes:

>I just found out from my source that this article was a joke.  Heh heh..  
>It seemed pretty damn convincing to me from the start -- I just didn't
>notice the smiley at the end of the article, and there were a few other
>hints which I should have caught.

	People took this article seriously?  I mean, I know it's the
Net and all, but the prankster didn't even have Clinton's sound-bites
right.


-- 
Rita Rouvalis
rita@village.com

Newsgroup: sci.crypt
Document_id: 15702
Subject: Re: Once tapped, your code is no good any more.
From: pgut1@cs.aukuni.ac.nz (Peter Gutmann)

In <1993Apr21.001707.9999@ucsu.Colorado.EDU> andersom@spot.Colorado.EDU (Marc Anderson) writes:

>(the date I have for this is 1-26-93)

>note Clinton's statements about encryption in the 3rd paragraph..  I guess
>this statement doesn't contradict what you said, though.

>--- cut here ---

>        WASHINGTON (UPI) -- The War on Drugs is about to get a fresh
>start, President Clinton told delegates to the National Federation
>of Police Commissioners convention in Washington.
>        In the first speech on the drug issue since his inaugural,
>Clinton said that his planned escalation of the Drug War ``would make
>everything so far seem so half-hearted that for all practical
>purposes this war is only beginning now.'' He repeatedly emphasized
>his view that ``regardless of what has been tried, or who has tried
>it, or how long they've been trying it, this is Day One to me.''
>The audience at the convention, whose theme is ``How do we spell
>fiscal relief?  F-O-R-F-E-I-T-U-R-E,'' interrupted Clinton frequently
>with applause.
>        Clinton's program, presented in the speech, follows the
>outline given in his campaign position papers: a cabinet-level Drug
>Czar and ``boot camps'' for first-time youthful offenders.  He did,
>however, cover in more detail his plans for improved enforcement
>methods.  ``This year's crime bill will have teeth, not bare gums,''
>Clinton said.  In particular, his administration will place strict
>controls on data formats and protocols, and require the registration
>of so-called ``cryptographic keys,'' in the hope of denying drug
>dealers the ability to communicate in secret.  Clinton said the
>approach could be used for crackdowns on other forms of underground
>economic activity, such as ``the deficit-causing tax evaders who
>live in luxury at the expense of our grandchildren.''
>        Clinton expressed optimism that the drug war can be won
>``because even though not everyone voted for Bill Clinton last
>November, everyone did vote for a candidate who shares my sense of
>urgency about fighting the drug menace.  The advocates of
>legalization -- the advocates of surrender -- may be very good at
>making noise,'' Clinton said.  ``But when the American people cast
>their ballots, it only proved what I knew all along -- that the
>advocates of surrender are nothing more than a microscopic fringe.''

Just doing a quick reality check here - is this for real or did someone
invent it to provoke a reaction from people?  It sounds more like the
sort of thing you'd have heard, suitably rephrased, from the leader of a 
certain German political party in the 1930's....

Peter. 

Newsgroup: sci.crypt
Document_id: 15703
From: rlglende@netcom.com (Robert Lewis Glendenning)
Subject: Re: Estimating Wiretap Costs/Benefits

I am most embarrassed that my irate, intemperate post is still
circulating.

I have been chided by experts for my behavior.  I now agree with
all of them, although some were no more restrained in their
speech than I was 8)

I have apologized to Robin Hanson.

Lew
-- 
Lew Glendenning		rlglende@netcom.com
"Perspective is worth 80 IQ points."	Niels Bohr (or somebody like that).

Newsgroup: sci.crypt
Document_id: 15704
From: duck@nuustak.csir.co.za (Paul Ducklin)
Subject: Re: Do we need the clipper for cheap security?


gtoal@gtoal.com (Graham Toal) writes:

>Can someone tell me if hardware compression is or is not needed to run
>digital speech down 14.4K?  I think it is; I've heard it's not.  Lets
>say 8 bit samples.  Would *raw* data at the corresponding sampling rate
>be usable?  If not, how fancy does the compression need to be?

It's all easy with a DSP. The Olivetti Quaderno, for example [*great* 1kg
subnotebook/palmtop PC -- sorry for the plug, folks, but Olivetti don't
seem to be doing a good job marketing it themselves :-)] includes sound
digitisation hardware; they provide vocoders for their DSP which produce
various bit-rates. There's one which gives pretty acceptable voice
quality at 13Kbit/sec, just right for a V.32bis modem.

Their DSP can play and record at the same time, too -- so you wouldn't
need to play "two-way-radio". You can also download code to the DSP
subunit, though you'd need a software development kit for the DSP in 
question [dunno which it is...] if you wanted to produce your own 
vocoder for, say, V.32 speeds.

Paul

    /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
    \  Paul Ducklin                         duck@nuustak.csir.co.za  /
    /  CSIR Computer Virus Lab + Box 395 + Pretoria + 0001 S Africa  \
    \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

Newsgroup: sci.crypt
Document_id: 15705
From: TSOS@uni-duesseldorf.de (Detlef Lannert)
Subject: Re: Facinating facts: 30 bit serial number, possibly fixed S1 and S2

In article <PMETZGER.93Apr20065402@snark.shearson.com> pmetzger@snark.shearson.com (Perry E. Metzger) writes:

>Hmmm. We must assume that generating the unit key U from the serial
>number N rather than generating it from a randomly selected U1 and U2
>is an intentional way of assuring a "fail safe" for the government --
>U is completely determined given S1, S2 and N.
 [...]
>If S1 and S2 do not change, even if they remain secret I wonder if
>they can somehow be back-derived given enough unit key/serial number
>pairs. [...]

Maybe 300 such pairs suffice to reconstruct S1 and S2? By such a back-door
(in the encryption algorithm perhaps) it would be possible (for
the manufacturer) to get the keys of all chips that were programmed in 
one session. This would not, btw, enable anybody else to retrieve the 
keys in the same way because they'll never get a bunch of 300 (N,U) 
pairs with identical S1 and S2. (Note that these have to be constant 
for the whole batch by the very nature of the procedure, i.e., they 
have to be typed in manually by the `random number supplying agents'!)

And I was wondering why they'll always do 300 chips in one session ... 
Since the procedure described by Ms Denning imposes high costs on the 
production of every chip (at least three persons for one hour each, 
plus the cost of a laptop finally blown to pieces in a spectacular, 
Hollywood-like bonfire; add travelling expenses, drinks and lighting, 
divide the sum by 300) there won't be a larger demand -- not from the 
private sector anyway. 

And let me mention one other thought that certainly has occurred to all 
the notoriously paranoid people in this group before: Who is going to 
verify that _no_ interested party will perform tempest attacks on the 
vault?? 

Where there's so much smoke and mirrors -- there can't be a nice, honest 
fire but something really worth hiding ... 
--
Detlef Lannert       DC3EK       E-Mail: tsos@rz.uni-duesseldorf.de
PGP 2.2 key via server or finger lannert@clio.rz.uni-duesseldorf.de
"I am Psmith." - "Oh, you're Smith, are you?" - "With a preliminary
P. Which, however, is not sounded."                   P.G.Wodehouse

Newsgroup: sci.crypt
Document_id: 15706
From: smb@research.att.com (Steven Bellovin)
Subject: Re: Off the shelf cheap DES keyseach machine

In article <7020.Apr2207.05.3993@silverton.berkeley.edu>, djb@silverton.berkeley.edu (D. J. Bernstein) writes:
> In article <1993Apr21.132318.16981@ulysses.att.com> smb@research.att.com (Steven Bellovin) writes:
> > And key size is one of the things that can be
> > verified externally.
> 
> Gee. Say they feed the 80-bit key through Snefru-8 and take the first 60
> bits of the result, then use those 60 bits as the real key. How do you
> figure out that each key is one of 2^20 ``equal'' keys? You can try a
> birthday attack, but if the key can be changed only once a second then
> you will need several lifetimes to get reliable statistics.

You're right, and I retract the suggestion.  Still, I wonder.  That
there are only 60 bits of key information should, in principle, be
detectable.  Maybe some variant of the tests Rivest et al. did to
demonstrate that DES was probably not a group?  It should make an
interesting paper -- a black-box analysis of a cryptosystem.
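
As an added illustration of the black-box test Bellovin wonders about (this is
example code, not from either poster), the Python below models Bernstein's
scenario at toy scale: an oracle that accepts a 16-bit key but secretly hashes
it down to 8 bits, beside an honest one that uses every key bit. Encrypting one
fixed plaintext under many random keys and counting pairs of distinct keys that
produce the same ciphertext gives a birthday estimate of how many key bits are
really in use; the last function works out how long the first collision takes
at 60 real bits when the box accepts only one key per second, which is
Bernstein's objection. The key sizes, the SHA-256/HMAC stand-in for the cipher
and the sample size are assumptions of the example.

```python
"""Black-box estimate of a cipher's effective key size from key collisions.

Toy model of the Bernstein/Bellovin exchange: the box accepts an 80-bit key
but internally reduces it to 60 bits, so 2^20 apparent keys share each real
key.  Sizes are shrunk here (16-bit apparent key, 8-bit real key) so the
experiment runs in a second; the arithmetic for the real sizes is in
expected_queries_to_first_collision().  Constructed example, not from the
original posts.
"""
import hashlib
import hmac
import math
import random

APPARENT_KEY_BITS = 16
REAL_KEY_BITS = 8           # the hidden reduction (60 of 80 in the post)
PLAINTEXT = b"fixed chosen plaintext block"


def reduced_oracle(key: int) -> bytes:
    """Encryption oracle that silently shrinks the key, Bernstein-style:
    apparent key -> hash -> REAL_KEY_BITS -> keyed function of PLAINTEXT."""
    digest = hashlib.sha256(key.to_bytes(2, "big")).digest()
    real_key = int.from_bytes(digest, "big") & ((1 << REAL_KEY_BITS) - 1)
    return hmac.new(real_key.to_bytes(2, "big"), PLAINTEXT, "sha256").digest()[:8]


def honest_oracle(key: int) -> bytes:
    """Oracle that really uses all APPARENT_KEY_BITS bits."""
    return hmac.new(key.to_bytes(2, "big"), PLAINTEXT, "sha256").digest()[:8]


def count_key_collisions(oracle, keys):
    """Number of pairs of distinct keys that encrypt PLAINTEXT identically."""
    buckets = {}
    for k in keys:
        buckets.setdefault(oracle(k), []).append(k)
    return sum(len(v) * (len(v) - 1) // 2 for v in buckets.values())


def estimate_effective_key_bits(oracle, keys):
    """Birthday estimate: n keys give n(n-1)/2 pairs, and a pair collides with
    probability 2^-k when k key bits are actually used, so
    k ~= log2(pairs / collisions).  Returns None when no collision was seen,
    i.e. the sample only gives a lower bound on k."""
    keys = list(set(keys))
    pairs = len(keys) * (len(keys) - 1) // 2
    collisions = count_key_collisions(oracle, keys)
    if collisions == 0:
        return None
    return math.log2(pairs / collisions)


def sample_keys(n, seed=1234):
    """n distinct random apparent keys (seeded so the run is repeatable)."""
    return random.Random(seed).sample(range(1 << APPARENT_KEY_BITS), n)


def expected_queries_to_first_collision(real_key_bits):
    """Expected number of random keys loaded before two of them coincide:
    sqrt(pi/2 * 2^k).  For k = 60 this is about 2^30.3."""
    return math.sqrt(math.pi / 2 * 2 ** real_key_bits)


def years_at_one_key_per_second(real_key_bits):
    """Bernstein's rate limit: one key change per second."""
    return expected_queries_to_first_collision(real_key_bits) / (365.25 * 86400)


if __name__ == "__main__":
    keys = sample_keys(600)
    print("reduced oracle, effective bits:",
          estimate_effective_key_bits(reduced_oracle, keys))
    print("honest oracle, effective bits:",
          estimate_effective_key_bits(honest_oracle, keys))
    print("years to first collision at 60 real bits, 1 key/s: %.1f"
          % years_at_one_key_per_second(60))
```

At the toy sizes 600 keys give roughly 700 colliding pairs for the reduced
oracle and none for the honest one, so the reduction shows up immediately. For
an 80-bit box hiding 60 real bits the same first collision needs about 2^30
keys, over forty years at one key per second, consistent with Bellovin's
retraction: the test exists in principle but not at the rate the box allows.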

Newsgroup: sci.crypt
Document_id: 15707
From: whughes@lonestar.utsa.edu (William W. Hughes)
Subject: Re: Tempest

In article <1993Apr22.105915.5584@infodev.cam.ac.uk> rja14@cl.cam.ac.uk
(Ross Anderson) writes:
>res@colnet.cmhnet.org (Rob Stampfli) writes:
>> Wouldn't a second monitor of similar type scrolling gibberish and adjacent
>> to the one being used provide reasonable resistance to tempest attacks?
>We've got a tempest receiver in the lab here, and there's no difficulty in
>picking up individual monitors. Their engineering tolerances are slack enough
>that they tend to radiate on different frequencies. Even where they overlap, you
>can discriminate because they have different line synch frequencies - you can
>lock in on one and average the others out.
>
>The signals are weird in any case, with varying polarisations and all sorts
>of interactions with the building. Just moving a folded dipole around is also
>highly effective as a (randomised) means of switching from one monitor to
>another,
>
Hell, just set up a spark jammer, or some other _very_ electrically-noisy
device. Or build an active Faraday cage around the room, with a "noise"
signal piped into it. While these measures will not totally mask the
emissions of your equipment, they will provide sufficient interference to
make remote monitoring a chancy proposition, at best. There is, of course,
the consideration that these measures may (and almost certainly will)
cause a certain amount of interference in your own systems. It's a matter
of balancing security versus convenience.

BTW, I'm an ex-Air Force Telecommunications Systems Control Supervisor and
Telecommunications/Cryptographic Equipment Technician.

-- 
                            REMEMBER WACO!
     Who will the government decide to murder next? Maybe you?
[Opinions are mine; I don't care if you blame the University or the State.]

Newsgroup: sci.crypt
Document_id: 15708
From: pom@anke.imsd.uni-mainz.DE (Prof. Dr. Klaus Pommerening)
Subject: DES: init vector as additional key?

The recent discussion in this newsgroup suggests that a key search attack
against DES is quite feasible now. But normally DES is applied in CBC or CFB
mode where one chooses a random init vector of 8 bytes. Questions:

 - Does it make sense to handle the init vector as an additional key? Then we
have a 56 + 64 = 120 bit key.
 
 - If yes: Is anything known about the security of this key scheme? Can we  
break it faster than by exhaustive search through the 120 bit key space?

--
Klaus Pommerening
Institut fuer Medizinische Statistik und Dokumentation
der Johannes-Gutenberg-Universitaet
Obere Zahlbacher Strasse 69, W-6500 Mainz, Germany
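
An added worked answer to the question above (example code, not from the
poster): the two modes named in the post are implemented over a toy 4-round
Feistel cipher with a 32-bit block and a 16-bit key, a stand-in for DES chosen
so that the exhaustive search finishes in about a second, and the key search is
run against a ciphertext whose IV the attacker does not know. The cipher, the
block and key sizes and the sample blocks are assumptions of the example.

```python
"""Does a secret IV add key bits to CBC or CFB?  Worked answer with a toy
block cipher.

Constructed example, not from the original post.  DES is replaced by a
4-round Feistel cipher with a 32-bit block, a 16-bit key and a hash-based
round function, so the exhaustive search runs in about a second; the
argument is the same for a 64-bit block and a 56-bit key.  The attacker
knows plaintext/ciphertext blocks but neither the key nor the IV.
"""
import hashlib

KEY_BITS = 16
ROUNDS = 4
HALF_MASK = 0xFFFF


def _round(half: int, key: int, rnd: int) -> int:
    # toy round function: 16-bit output of SHA-256(half || key || round)
    data = half.to_bytes(2, "big") + key.to_bytes(2, "big") + bytes([rnd])
    return int.from_bytes(hashlib.sha256(data).digest()[:2], "big")


def encrypt_block(key: int, block: int) -> int:
    l, r = block >> 16, block & HALF_MASK
    for i in range(ROUNDS):
        l, r = r, l ^ _round(r, key, i)
    return (l << 16) | r


def decrypt_block(key: int, block: int) -> int:
    l, r = block >> 16, block & HALF_MASK
    for i in reversed(range(ROUNDS)):
        l, r = r ^ _round(l, key, i), l
    return (l << 16) | r


def encrypt(mode: str, key: int, iv: int, blocks):
    """CBC or (full-block) CFB encryption of a list of 32-bit blocks."""
    if mode not in ("cbc", "cfb"):
        raise ValueError(mode)
    out, prev = [], iv
    for p in blocks:
        c = encrypt_block(key, p ^ prev) if mode == "cbc" else p ^ encrypt_block(key, prev)
        out.append(c)
        prev = c
    return out


def recover_key_and_iv(mode: str, plaintext, ciphertext):
    """Known-plaintext key search that never needs the IV.

    From the second block on the IV is gone: in CBC, C2 = E_K(P2 xor C1);
    in CFB, C2 = P2 xor E_K(C1).  Both involve only K and values the
    attacker holds, so K falls to a 2^KEY_BITS search.  The IV is then
    read off the first block with one decryption.  Returns (key, iv) or
    None if no key fits."""
    if mode not in ("cbc", "cfb"):
        raise ValueError(mode)
    if len(plaintext) < 2:
        raise ValueError("need at least two known blocks")
    for k in range(1 << KEY_BITS):
        ok = True
        for i in range(1, len(plaintext)):     # every block after the first
            if mode == "cbc":
                ok = encrypt_block(k, plaintext[i] ^ ciphertext[i - 1]) == ciphertext[i]
            else:
                ok = (plaintext[i] ^ encrypt_block(k, ciphertext[i - 1])) == ciphertext[i]
            if not ok:
                break
        if ok:
            if mode == "cbc":                   # C1 = E_K(P1 xor IV)
                iv = decrypt_block(k, ciphertext[0]) ^ plaintext[0]
            else:                               # C1 = P1 xor E_K(IV)
                iv = decrypt_block(k, plaintext[0] ^ ciphertext[0])
            return k, iv
    return None


if __name__ == "__main__":
    key, iv = 0xBEEF, 0x1234ABCD            # secrets the attacker does not know
    pt = [0x41424344, 0x45464748, 0x494A4B4C]
    for mode in ("cbc", "cfb"):
        ct = encrypt(mode, key, iv, pt)
        print(mode, "recovered:", [hex(x) for x in recover_key_and_iv(mode, pt, ct)])
```

The search never touches the IV, so the work is 2^56 for DES no matter how the
IV was chosen, and the IV follows from the first block for free once the key is
known. The IV only behaves as extra key material when the attacker has a single
known block and nothing else; with two or more blocks of known or guessable
plaintext the 120-bit count is an illusion.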

Newsgroup: sci.crypt
Document_id: 15709
From: lfoard@hopper.Virginia.EDU (Lawrence C. Foard)
Subject: Re: Once tapped, your code is no good any more.

In article <1993Apr22.065357.9667@cs.aukuni.ac.nz> pgut1@cs.aukuni.ac.nz (Peter Gutmann) writes:
[article deleted]
>
>Just doing a quick reality check here - is this for real or did someone
>invent it to provoke a reaction from people?  It sounds more like the
>sort of thing you'd have heard, suitably rephrased, from the leader of a 
>certain German political party in the 1930's....

It sounds like a joke (but then the war on drugs has always been a joke...).

-- 
------          Join the Pythagorean Reform Church!               .
\    /        Repent of your evil irrational numbers             . .
 \  /   and bean eating ways. Accept 10 into your heart!        . . .
  \/   Call the Pythagorean Reform Church BBS at 508-793-9568  . . . .
    

Newsgroup: sci.crypt
Document_id: 15710
From: harryb@phred.UUCP (harry barnett)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

In article 29778@yuma.ACNS.ColoState.EDU, holland@CS.ColoState.EDU (douglas craig holland) writes:
>In article <1993Apr19.130132.12650@afterlife.ncsc.mil> rlward1@afterlife.ncsc.mil (Robert Ward) writes:
>>In article <bontchev.734981805@fbihh> bontchev@fbihh.informatik.uni-hamburg.de writes:
>>>and since the US constitution guarantees the right to every American
>>>to bear arms, why is not every American entitled, as a matter of
>>
>>Have you read the applicable part of the Constitution and interpreted it IN 
>>CONTEXT?  If not, please do so before posting this misinterpretation again.
>>It refers to the right of the people to organize a militia, not for individuals
>>to carry handguns, grenades, and assault rifles.  
>
>Read the Constitution yourself.  The Second Amendment says the right to bear
>arms shall not be infringed, so a well regulated militia may be more easily
>formed.  I have an interpretation of the Second that shows there are no 
>qualifications to the right to keep and bear arms.  If you want, I can E-mail
>it to you.  By the way, gun talk belongs in talk.politics.guns.
>							Doug Holland

Mr. Ward, before you start blathering about your skill "interpreting"
the Constitution, it might be helpful to learn to read.  After a review
with a high school English teacher emphasizing participial phrases, you
might start with the Second Amendment, and follow it up with:

 97th Congress, 2nd Session, Committee Print, *The Right To Keep and
 Bear Arms*, of the Subcommittee on the Constitution of the Committee on
 the Judiciary, United States Senate, 97th Congress, Second Session,
 February, 1982.  GPO No. 88-618-O

This authoritative, heavily researched and annotated document clearly
turns your "interpretation" into specious claptrap, which is a polite
way of saying utter bullshit.  In spite of your false assertion to the
contrary, the Second Amendment DOES protect the right of the individual
citizen, in his capacity as an individual, to keep and bear arms.

And, Mr. Holland, IMHO, blatantly and harmfully false information,
asserted as fact and globally distributed, deserves globally
distributed rebuttal in the forum in which it is posted.

(And besides, this site doesn't carry t.p.g...:-)

harryb%phred@data-io.com
phred!harryb@data-io.com
-----------------------------------------------------------------------
No free man shall ever be debarred the use of arms.  The strongest
reason for the people to retain the right to keep and bear arms is,
as a last resort, to protect themselves against tyranny in government.
					--Thomas Jefferson
-----------------------------------------------------------------------

Newsgroup: sci.crypt
Document_id: 15711
From: Borut.B.Lavrencic@ijs.si
Subject: Re: The [secret] source of that announcement

In article <gradyC5unp0.D21@netcom.com>, 
grady@netcom.com (1016/2EF221) writes:
> Andrew Molitor (amolitor@nmsu.edu) wrote:
> : 
> : 	1) Monitor my phonecalls.
> : 	2) Monitor usenet.
> : 	3) Provide only cryptosystems they can easily crack.
> : 	4) etc etc.
> : 
> : 	This is not to say that they *don't*, they might. But you don't
> : know that they do, and you have no evidence that they do, for almost
> : all values of you. It follows, therefore, that for most values of 'you',
> : your claims about the NSA border on paranoia.
> : 
> : 	Andrew

.....
.....
.....

> 
> Or maybe the Germans should have been a little more 'paranoid' about
> their Enigma with respect to Turing and the British.
> 
> How about the cracking of the Zimmerman telegram?  Would a little
> more paranoia have helped the Germans here?
> 
> Maybe the NSA should have been a little more 'paranoid' about
> Emma Woikin, or Joseph Sidney Petersen, Jr., or  ...
> 
> Maybe you want to talk about Macmillan publishers cooperation
> with the CIA and NSA to suppress Yardley's Japanese Diplomatic
> Secrets or even Kahn's The Codebreakers.. paranoia, right?
> 
> The most popular cipher system among captured Soviet spies was
> the one-time pad, which, even with the necessity of keeping incriminating
> evidence about, is known to be the only proven unbreakable system.
> Soviet paranoia, right?
> 
> And what do you think the NSA does with its Wullenwebers?  And 
> huge Rhombics pointed at embassy row?  And their sites near
> satellite uplink and downlink sites?  Duh.
> 
.....  
> -- 
> grady@netcom.com  2EF221 / 15 E2 AD D3 D1 C6 F3 FC  58 AC F7 3D 4F 01 1E 2F
>

One case of Slovenian paranoia.

Once upon a time I tried to walk over the (famous) Marathon field, not far away
from Athens. I could not do that mostly because the field is now a huge
antenna farm. Probably a Greek COMINT installation, would you agree? 
-- 
Borut B. Lavrencic, D.Sc.     | X.400   :C=si;A=mail;P=ac;O=ijs;S=lavrencic
J. Stefan Institute           | Internet:Borut.B.Lavrencic@ijs.si
University of Ljubljana,      | Phone   :+ 386 1 159 199
SI-61111 Ljubljana, Slovenia  |	    PGP Public Key available on request

DOLGO SMOIS KALIS OVRAZ NIKEI NJIHK OCNOO DKRIL IVSEB IPIKA


Newsgroup: sci.crypt
Document_id: 15712
From: pdc@dcs.ed.ac.uk (Paul Crowley)
Subject: Re: Do we need the clipper for cheap security?

Quoting pmetzger@snark.shearson.com (Perry E. Metzger) in article <1993Apr21.012011.27470@shearson.com>:
>Whats the difference between a V.32bis modem and a V.32bis modem?

How fast do the fastest modems go?

How far can voice be compressed?

I've seen various assertions about this, but anyone with the
straightforward bits-per-second figures will be my friend forever...
  __                                  _____
\/ o\ Paul Crowley   pdc@dcs.ed.ac.uk \\ //
/\__/ Trust me. I know what I'm doing. \X/  Fold a fish for Jesus!

Newsgroup: sci.crypt
Document_id: 15713
From: pdc@dcs.ed.ac.uk (Paul Crowley)
Subject: Re: Hard drive security for FBI targets

If "I forgot" doesn't have as much credibility as you'd like, consider
this alternative.  Somewhere on the hard disk, duplicated a few times,
keep a 128-bit random number.  When the 128-bit digest of your
passphrase is computed, it is XORred with the random number before being
used as the key for your hard disk.  Writing random junk over the random
numbers makes the hard disk unreadable by anyone.

Now, if you were merely to *claim* that you have written random junk
over the XOR key, no-one would be able to tell whether or not you were
telling the truth.  This is (a) perjury, and (b) vulnerable to
rubber-hose cryptography, but otherwise effective.
  __                                  _____
\/ o\ Paul Crowley   pdc@dcs.ed.ac.uk \\ //
/\__/ Trust me. I know what I'm doing. \X/  Fold a fish for Jesus!
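
The scheme in the post, as an added example (my code, not the poster's): the
disk key is the passphrase digest XORed with a 128-bit random value R kept in
several copies on the disk, and wiping every copy of R makes the data
unrecoverable even by someone who later obtains the passphrase. The toy disk is
an in-memory byte array, the block cipher is replaced by a SHA-256 counter-mode
keystream, and a short hash of R is stored beside each copy so the reader can
tell an intact copy from a damaged one; all of that is assumed for the example.

```python
"""Key = H(passphrase) xor R, with R stored on disk in several copies; wiping
R destroys the data.  Added example, not the poster's code.  The disk is an
in-memory bytearray and the cipher is a SHA-256 counter-mode keystream.
"""
import hashlib
import os

R_LEN = 16          # 128-bit random number, as in the post
COPIES = 3          # how many places on the "disk" R is duplicated
CHECK_LEN = 8       # short hash stored beside each copy to spot damage


def _keystream(key: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def derive_key(passphrase: bytes, r: bytes) -> bytes:
    """The post's construction: 128-bit passphrase digest xor R."""
    digest = hashlib.blake2b(passphrase, digest_size=R_LEN).digest()
    return _xor(digest, r)


def _check(r: bytes) -> bytes:
    # integrity tag for a copy of R; R is 128 random bits, so this reveals
    # nothing useful about it
    return hashlib.sha256(b"R-check" + r).digest()[:CHECK_LEN]


class ToyDisk:
    def __init__(self, passphrase: bytes, plaintext: bytes):
        r = os.urandom(R_LEN)
        # R and its check value, written COPIES times as if to separate sectors
        self.r_sectors = [bytearray(r + _check(r)) for _ in range(COPIES)]
        key = derive_key(passphrase, r)
        self.data = bytearray(_xor(plaintext, _keystream(key, len(plaintext))))

    def _intact_r(self):
        """First copy of R whose check value still matches, or None."""
        for sector in self.r_sectors:
            r, chk = bytes(sector[:R_LEN]), bytes(sector[R_LEN:])
            if _check(r) == chk:
                return r
        return None

    def read(self, passphrase: bytes):
        """Decrypt with the given passphrase; None once every copy of R is gone."""
        r = self._intact_r()
        if r is None:
            return None
        key = derive_key(passphrase, r)
        return _xor(bytes(self.data), _keystream(key, len(self.data)))

    def damage_copy(self, index: int):
        """Simulate a bad sector: scribble over one copy of R."""
        self.r_sectors[index][:] = os.urandom(len(self.r_sectors[index]))

    def destroy(self):
        """The post's panic button: overwrite every copy of R with random junk."""
        for i in range(COPIES):
            self.damage_copy(i)


if __name__ == "__main__":
    disk = ToyDisk(b"correct horse battery", b"ledger of everything")
    print(disk.read(b"correct horse battery"))
    disk.damage_copy(0)
    print(disk.read(b"correct horse battery"))     # still readable, two copies left
    disk.destroy()
    print(disk.read(b"correct horse battery"))     # None: data is gone for good
```

Two caveats a practitioner would add to the post's scheme: the passphrase should
go through a deliberately slow KDF rather than a bare digest, because the XOR
with R does nothing to slow down passphrase guessing once R is known; and on
flash storage an overwrite of R's sectors may not reach the physical cells that
held the old value, so the destruction step needs a device-level secure erase
before it can be trusted.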

Newsgroup: sci.crypt
Document_id: 15714
From: gtf1000@cus.cam.ac.uk (G.T. Falk)
Subject: alt.security.pgp

-----BEGIN PGP SIGNED MESSAGE-----

Hi all..

Does anyone know of a UNIX utility allowing encrypted telnet sessions using
public-key? I'd like something so that nobody can snoop my password or
session text while I'm logging in remotely over the network.

Thanks

g.

- -------------------------------------------------------------------------
PLEASE REPORT UNSIGNED (HENCE UNAUTHORISED) MESSAGES PURPORTEDLY FROM ME,
SENT AFTER 22/04/93.                                gtf1000@cus.cam.ac.uk
- -------------------------------------------------------------------------


-----BEGIN PGP SIGNATURE-----
Version: 2.2

iQBVAgUBK9ZxMTQRcjh0adt3AQFHrwH9HwBPyWwr+/O+pEocO9glPOZ5odKHynW8
AJIiF6Tsm+YMqBwmVHoLm7bUb4JPybQanpkmz8tdd4tYuinSX68cVg==
=Gw7z
-----END PGP SIGNATURE-----

Newsgroup: sci.crypt
Document_id: 15715
From: abaum@armltd.uucp (Allen Baum)
Subject: Re: 80-bit keyseach machine

jebright@magnus.acs.ohio-state.edu (James R Ebright) writes:

(regarding NSA monitoring of US military code traffic)

>[BTW, folks, NSA wasn't being given the keys.  And the Walker spy case
>shows for some of the systems, the KGB didn't need them either.]

On the contrary- The Walker spy case is one where the KGB was
given keys (as I recall)
-- 

----------------
Allen J. Baum		Apple Computer		baum@apple.com, abaum@armltd.co.uk

Newsgroup: sci.crypt
Document_id: 15716
From: pdh@netcom.com (P D H)
Subject: Re: An Open Letter to Mr. Clinton

ld231782@LANCE.ColoState.Edu (L. Detweiler) writes:

>I'm quite astonished, shocked, and appalled at this serious frontal 
>assault on emerging American freedoms.  Neither the Clinton administration
>nor any other government agency has any legitimate role whatsoever 
>in regulating cryptography. To do so is tantamount to regulating 
>`acceptable' speech, and is blatantly unconstitutional. Perhaps we 
>should rename this year `1984' in honor of such an illustrious 
>proposal.  Let the Crappy Chip live in infamy, and the administration
>receive great shame and discredit for this bizarre misadventure.

IMHO, encryption is (also) protected under the SECOND amendment of
the Constitution of the United States.


>I am outraged that my tax money is being used to develop technology
>to restrict my freedoms far beyond reasonable measures.  The U.S.
>government will have my full uncooperation and disobedience on any
>serious threat to my liberties such as this, and I call on everyone
>with an interest in a sensible government to resist and defy this 
>proposal.  The administration does not seem to understand that they
>are merely a subservient instrument to implement the will of the
>public, and hence anyone involved in this proposal in this respect is 
>wholly negligent and remiss in performing their lawful duty.

I am not surprised that this administration is doing this.
I could have told you so.


>Cryptography is neutral technology. If everybody has strong 
>cryptography (including policemen, bureaucrats, businessmen, 
>housewives, thugs and hoodlums), we have a sustainable 
>equilibrium.  Anything less is an unworkable anti-egalitarian 
>arrangement, intrinsically antithetical to American freedoms, and
>guaranteed to collapse under its own weight of inherent 
>impracticality. We don't need to compromise on issues of freedom.

Privacy has ALWAYS been something that has the effect of restricting
our ability to prosecute criminals.  We are supposed to have the
presumption of innocence.

I have the right to pull the curtains over my windows and close my
door, and the police may not come in.  If I perform a crime in my home,
they will have to find out by means other than simply looking.

Encryption is to my data as the window curtains are to my home.
Simple enough?


>For too long our government has demonstrated itself to be 
>increasingly hostile and a serious obstacle to economic vitality 
>and protecting Americans.

And yet the people vote for these people because they come out and lie
to them, promising to fix things.


>The administration has to be committed to leaving private 
>industries alone, esp. on this issue.  The government has no 
>legitimate role in regulating the content of communications.
>Law enforcement agencies must be prepared to forfeit their
>surveillance bludgeon; they are soon and inevitably to be 
>disarmed of it. 

You mean they might have to go back to actually WORKING to do their job?
Oh heavens.


>No such laws can be constitutionally sound, and this is equivalent
>to a veiled threat, which I don't appreciate.  This kind of 
>extortion tends to agitate me and others into radicalism. I will
>trade threats for threats, and violation for violation.

Perhaps the FIRST amendment.  Definitely the SECOND and FIFTH.


>If the administration did say this, it would find itself 
>impeached for reckless and outrageous disregard of essential,
>established, entrenched, and explicit constitutional privacy 
>guarantees. The administration would have no legal standing 
>whatsoever; such an action would be egregiously illegal and
>criminal, and wholly untolerated and disregarded by vast 
>segments of the population.

Unfortunately, the vast segments of the population are misinformed.
They just haven't appended -SR to the name of our country, yet.


>This is an outright Dingaling Denning lie.  The two aims of
>privacy and surveillance are intrinsically and fundamentally 
>incompatible, and you have to work for the NSA to think otherwise. 
>Americans are about to discover ways, through the use of technology, 
>to preserve their inalienable but forgotten freedoms that have slowly 
>been eroded away by an increasingly distant and unresponsive and 
>*unrepresentative* government.

I seriously doubt that the NSA thinks that privacy and surveillance are
compatible.  I doubt if any smart person in any other agency thinks
so, either.  The PROBLEM is that they simply hold PRIVACY to be of no
value at all.
-- 
| Phil Howard,  pdh@netcom.com,  KA9WGN         Spell protection?  "1(911)A1" |
| Right wing conservative capitalists are out to separate you from your MONEY |
| Left wing liberal do gooders are out to separate you from EVERYTHING ELSE!! |
+-----------------------------------------------------------------------------+

Newsgroup: sci.crypt
Document_id: 15717
From: jhan@debra.dgbt.doc.ca (Jerry Han)
Subject: Overreacting (was Re: Once tapped, your code is no good any more)

In this giant ballyhoo over this Clipper chip I noticed a rather
disturbing trend in some of the E-mail and posts I've been tossing back and
forth.  

Somebody asked me what was wrong about overreacting in cases such as this.

The reason is very simple:  How many people do you want to die in a riot? 
In a new Civil War? 

Everybody is jumping up and down and screaming about it, and I'm worried
that people are going to reach for their hammers and rifles before their pens
and paper.  

Can people work within the system before trying to break it?  Examine your
history books, and find out how many armed revolutions led to Democratic
(or Democratic style) governments.  I think you'll only find one in over
five thousand years of written history.

That's not very good odds.  

Somebody once said something like: "Armed Violence is meant only to be
used in response to an armed attack.  It is not meant to be used in
aggression.  This is the difference between self-defence and murder."

Let's try to avoid killing things, eh?  There's enough blood shed in the
world, without adding a couple of riots, Civil Wars, etc.

I'm probably overreacting.  But what I've read scared me a lot.  I don't
want my children growing up in a War Zone.


-- 
Jerry Han-CRC-DOC-Div. of Behavioural Research-"jhan@debra.dgbt.doc.ca"
///////////// These are my opinions, and my opinions only. \\\\\\\\\\\\\
\\\\\\\\\ A proud and frozen member of the Mighty Warriors Band ////////  
"Memories of those I've left behind, still ringing in my ears."-Genesis-

Newsgroup: sci.crypt
Document_id: 15718
From: rja14@cl.cam.ac.uk (Ross Anderson)
Subject: Re: Tempest


res@colnet.cmhnet.org (Rob Stampfli) writes:

> Wouldn't a second monitor of similar type scrolling gibberish and adjacent
> to the one being used provide reasonable resistance to tempest attacks?

We've got a tempest receiver in the lab here, and there's no difficulty in
picking up individual monitors. Their engineering tolerances are slack enough
that they tend to radiate on different frequencies. Even where they overlap, you
can discriminate because they have different line synch frequencies - you can
lock in on one and average the others out.

The signals are weird in any case, with varying polarisations and all sorts
of interactions with the building. Just moving a folded dipole around is also
highly effective as a (randomised) means of switching from one monitor to
another,

Ross


Newsgroup: sci.crypt
Document_id: 15719
From: smb@research.att.com (Steven Bellovin)
Subject: Re: (new) reason for Clipper alg'm secrecy

In article <1993Apr20.155924.29995@news.clarkson.edu>, tuinstra@signal.ece.clarkson.edu.soe (Dwight Tuinstra) writes:
> First, note that the "experts" will only look at "details", and of just 
> the algorithm:
> 
>     In addition, respected experts from outside the
>     government will be offered access to the confidential details of
>     the algorithm to assess its capabilities and publicly report
>     their findings.
> 
> Why not the chip design?  Well, here's the possibility:  in addition to
> encryption, the chip pre-processes voice signals to make them easier
> to analyze/transcribe electronically.  The chip, once widespread, might
> effectively be part of a massively parallel computer for "voice-
> grepping" the US phone network (or the criminal & wrong-thinking patrons
> thereof).

First of all, the chip doesn't do that.  It runs at 16 megabits/second,
which is far beyond what you need for voice.  It's obviously intended
for data as well, and on high-speed lines at that.

Second -- what advantage is there to doing the processing in the phone?
I don't care how fancy that chip is; it's not as fancy as the roomful
of analyzers at Fort Meade running the program they'll have 5 years from
now.  They can't update every Clipper chip that's out there.

Third -- if they did do this preprocessing in the chip, it would probably
have a serious effect on recognizability of the voice patterns.  If
nothing else, that would hurt the acceptability of the product.  The
V.32bis modems are just barely fast enough to do a good job on properly-
massaged voice as is; add any more to the mix, and you're completely out
of the ballpark.

Newsgroup: sci.crypt
Document_id: 15720
From: steve-b@access.digex.com (Steve Brinich)
Subject: S1, S2

 > Second question: Why!?!? Why is such a strange procedure used, and not
 >a real RNG ? This turns those S1,S2 into a kind of bottleneck for
 >system security.

  The only theory that makes any sense is that S1 and S2 are either the
same for all chips, or vary among very few possibilities, so that anyone
trying to break the encryption by brute force need only plow through the
possible serial numbers (2^30, about one billion), multiplied by the number
of different S1, S2 combinations.





Newsgroup: sci.crypt
Document_id: 15721
From: rj@ri.cadre.com (Rob deFriesse)
Subject: Can DES code be shipped to Canada?

Someone in Canada asked me to send him some public domain DES file
encryption code I have.  Is it legal for me to send it?

Thanx.
--
Eschew Obfuscation

Rob deFriesse                    Mail:  rj@ri.cadre.com
Cadre Technologies Inc.          Phone:  (401) 351-5950
222 Richmond St.                 Fax:    (401) 351-7380
Providence, RI  02903

I don't speak for my employer.

Newsgroup: sci.crypt
Document_id: 15722
From: throopw%sheol@concert.net
Subject: Re: Clipper considered harmful

: From: shirriff@sprite.berkeley.edu (Ken Shirriff)
: Message-ID: <1r24us$oeh@agate.berkeley.edu>
: It seems likely to me that that a large subset of encrypted communications
: would be archived to tape so they could be read if sometime in the future
: probable cause arises and a warrant is obtained.

I think it is unlikely that data like this could be used in court.
Currently LEAs can install wiretaps on large numbers of phones, record
calls without listening to them, and then post-facto obtain warrants
and listen to calls after probable cause is established.  But this
strategy wouldn't get the stuff admitted in court.  (At least, not
in the near term.)

In other words, near as I can tell, the thing that makes such evidence
inadmissable is the interception without a warrant, not the attempt to
interpret what was intercepted without a warrant.  I'd be surprised
that archiving data without consent would be interpreted as anything
but analogous to a wiretap by the courts.

Note that that doesn't mean I think it won't be done if technically
feasible.  Just as I'm sure many wiretaps are done now without
warrants, just to fish for avenues to investigate.  So in the future,
start surveillance, start archiving data, trump up some probable cause,
decrypt post-facto after the warrant is in hand, and the investigation
gets a boost from data that, sadly, won't ever be presented to a jury.

While I'm posting...  for an interesting cautionary tale projecting this
archiving scenario to extremes, read "Lacey and his Friends", a
collection of sf stories by David Drake.  The US starts down the
slippery slope by archiving *everything*.  But don't worry folks, it's
stored in a secure repository where nobody but LEAs with warrants can
get to it.  And by the way, we'll be installing cameras on all major
streets.  Hey, this is nothing new, we already have cameras in banks and
teller machines, don't we?

And then we'll pass laws requiring cameras covering *all* public
places.  Then in some private places.  Then we'll make it a crime ever
to be out of range of a camera, except in legally licensed privacy
cubicles.  Only alone.  And with a thorough body search before and
after.  But, see, there's still a right to privacy.  We haven't
curtailed any rights, not really.  And just think how much easier it'd
be to solve crimes in such a situation: just obtain a warrant, put on a
VR helmet and take a walk down memory lane.

And hey, nobody'll be tracking *you* or *me*, no need to be self-conscious.

After all, if you're not doing anything illegal...

Funny, though.  While speeding and the radar detector industry became
pretty much a thing of the past, somehow all this didn't eliminate all
crime in the story.  And somehow, politicians got exemptions on grounds
of national security, and rich corporations got exemptions for their
execs on grounds of industrial espionage and the preservation of
competition.  And not everybody was exactly happy with the system.  
I can't imagine why.

--
Wayne Throop   throopw%sheol@concert.net
               throop%aurgate@concert.net

Newsgroup: sci.crypt
Document_id: 15723
From: grady@netcom.com (1016/2EF221)
Subject: IDEA vectors?

I am testing IDEA block cipher implementations for correctness
and need some golden test vectors.  I've looked through
the postscript IDEA chapter but the single example gives me
zero degrees of freedom.  I'll contact the inventor if necessary
but since we are NOT paying him money for use of his invention,
I'd like to offload this from him.  Anybody got vectors?
(No disease vectors, please).

-- 
grady@netcom.com  2EF221 / 15 E2 AD D3 D1 C6 F3 FC  58 AC F7 3D 4F 01 1E 2F


Newsgroup: sci.crypt
Document_id: 15724
From: clipper@csrc.ncsl.nist.gov (Clipper Chip Announcement)
Subject: Re: The [secret] source of that announcement

In article <C5uxGv.Dv7@panix.com> habs@panix.com (Harry Shapiro) writes:
>In <1r1om5$c5m@slab.mtholyoke.edu> jbotz@mtholyoke.edu (Jurgen Botz)
>writes:
>
>>Even more interesting: the SMTP server at csrc.ncsl.nist.gov no longer
>>recognizes the 'expn' and 'vrfy' commands...
>
>>   telnet csrc.ncsl.nist.gov smtp
>>   Trying 129.6.54.11...
>>   Connected to csrc.ncsl.nist.gov.
>>   Escape character is '^]'.
>>   220 first.org sendmail 4.1/NIST ready at Tue, 20 Apr 93 17:01:34 EDT
>>   expn clipper
>>   500 Command unrecognized
>
>>Seems like somebody didn't like your snooping around, Marc.
>
>Then it is a good thing we already have this:
>
>The csspub mailing list: csspab@mail-gw.ncsl.nist.gov, and address on
> [rest of names deleted]

Sigh... my version of 'rn' asked me whether I really want to send this
posting!

You may as well know that all this stuff about the secret source of the
Clipper announcement is because of a silly mistake.  I am the administrator
of csrc.ncsl.nist.gov, alias first.org.  It's a system set up to help out
the needs of FIRST, a Forum of Incident Response and Security Teams, which 
includes a number of world-wide incident response teams such as CERT/CC and
other places in Europe.  As to the VRFY and EXPN commands, they are normally
disabled, since early on we didn't want crackers to find out the names of
incident response folks on our mailing lists.  We had a disk crash several
months ago which required completely rebuilding the O/S files - same old
story, our backups weren't especially helpful.  As you can guess, I didn't
remember to re-disable VRFY and EXPN until I saw people on the net trying to
find out who was behind clipper@csrc...  When I saw people's names posted
here, I felt it was time to clear things up.  So, EXPN and VRFY on csrc have
always been disabled in the past for reasons having nothing to do with 
Clipper.

I posted the White House announcements at the request of policy folks here
because csrc also provides Usenet service.  I posted them from an account
called 'clipper.'  I also created an alias called 'clipper' that contains
the addresses of members of the NIST Computer Security Privacy and Advisory
Board, set up under law of the Computer Security Act of 1987, and addresses
of other individuals not affiliated with NIST but involved in cryptography,
security, and privacy - I believe that these individuals were included on
this list because NIST felt it important to get them the Clipper information
first-hand.

The 'clipper' alias is there for the benefit of those named above.  It is 
not a source for information, it was set up solely to monitor any initial
traffic.  Individuals on the list have requested that they continue to get
traffic that is not already duplicated on Usenet.

While you can rightfully say we were a bit disorganized in handling this,
I would ask that people stop speculating about any hidden agendas or motives
of the individuals on the 'clipper' alias - I've already apologized to them
for what's happened.  Disabling EXPN and VRFY is an increasingly common
practice (albeit unfriendly to some), and any effect of disabling it again
was unintentional.

-John Wack

Newsgroup: sci.crypt
Document_id: 15725
From: karl@genesis.MCS.COM (Karl Denninger)
Subject: Re: Do we need the clipper for cheap security?

In article <9304201003.AA05465@pizzabox.demon.co.uk> gtoal@gtoal.com (Graham Toal) writes:
>	gtoal@gtoal.com (Graham Toal) writes:
>	>
>	>In the UK, it's impossible to get approval to attach any crypto device
>	>to the phone network.  (Anything that plugs in to our BT phone sockets
>	>must be approved - for some reason crypto devices just never are...)
>	>
>
>	Whats the difference between a V.32bis modem and a V.32bis modem?
>
>	I'm not being entirely silly here: what I'm pointing out is that the
>	modems that they have already approved for data transmission will work
>	just fine to transmit scrambled vocoded voice.
>
>Absolutely.  I just meant that no secure *dedicated* crypto device has
>ever been given approval.  Guerrilla underground devices should be well
>possible with today's high-speed modems (not that I can think of many v32bis
>modems that are approved either mind you - just the overpriced Couriers)
>
>Can someone tell me if hardware compression is or is not needed to run
>digital speech down 14.4K?  I think it is; I've heard it's not.  Let's
>say 8 bit samples.  Would *raw* data at the corresponding sampling rate
>be usable?  If not, how fancy does the compression need to be?

Reasonably fancy.

Standard "voice" circuits run at 56kbps inter-exchange in the US.
Therefore, you need to achieve 4:1 to get standard voice quality.

If you're willing to give up some quality, you need only 2:1.  This is still
acceptable from a speech standpoint; it will be a little less faithful to
the original, but certainly intelligible.  That's all you really need for
this application.

--
Karl Denninger (karl@genesis.MCS.COM) 	| You can never please everyone except
Data Line: [+1 312 248-0900]		| by bankrupting yourself.
         	   LIVE Internet in Chicago; an MCSNET first!


Newsgroup: sci.crypt
Document_id: 15726
From: croley@magic.mcc.com (David Croley)
Subject: Re: new encryption

In article <1993Apr21.225435.6292@wam.umd.edu>, psionic@wam.umd.edu (Haywood J. Blowme) writes:
|>    As promised, I spoke today with the company mentioned in a Washington
|> Times article about the Clipper chip announcement. The name of the company
|> is Secure Communications Technology (Information will be given at the end
|> of this message on how to contact them).
|>
|>     ...
|> 
|>    His belief is that AT&T was made known of the clipper well before the
|> rest of the industry. This is for several reasons, several of which are:
|> 
	This is a very good point.  AT&T obviously knew and participated in the
development of the Clipper chip.  This amounts to unfair business practice and
gives AT&T an early monopoly on the market [hopefully a non-existent market].
Other companies that compete with AT&T in the cellular market (Motorola, NEC, etc)
have grounds to file a complaint over this.

|> 
|> Right now the company is afraid that the new clipper chip will put them out
|> of business. This is a very real possibility. So they really need help in
|> stopping the clipper chip from becoming a standard. If you want to contact
|> them, they can be reached at..
|> 
|> Secure Communications Technology
|> 8700 Georgia Ave. Suite 302
|> Silver Spring, MD
|> 
|> (301) 588-2200
|> 
|>  ...

It would seem that the one fact that the government has overlooked in this
whole fiasco is the economic standpoint.  As others have mentioned, the most
difficulty the Clipper chip faces is an economic one.  Let's face it, the
average consumer doesn't care or know that the Clipper is a bad idea.  If
there is a perceived need for cellular encryption, then the companies will
provide one.  Most likely, a standard will emerge.  But if the Clipper is
too expensive (and $25 a chip is way too much) then they will develop their
own or buy a cheaper one.  I give SCT my full support, and hope the
Clipper chip goes the way of the Beta video tape format.

Also hope they get sued over re-using the name Clipper.

-- 
 ---------------------------------------Cyberspace:--------------------------
| David T. Croley | MCC - Exp Sys Lab | A place not real, no stone, no steel.|
| croley@mcc.com  | UT Austin, Texas  | A ghost unseen...the world "between".|
 ----------------------------------------------------------------------------

Newsgroup: sci.crypt
Document_id: 15727
From: gregb@den.mmc.com (gregb)
Subject: Looking for crypto paper

Looking for PostScript or Tex version of a paper called:
	"PUBLIC-KEY CRYPTOGRAPHY"

Written by:
	James Nechvatal
	Security Technology Group
	National Computer Systems Laboratory
	National Institute of Standards and Technology
	Gaithersburg, MD 20899

	December 1990

The version I obtained is plain text and all symbolic character
formatting has been lost.

--
gregb@tosgcla.den.mmc.com

Newsgroup: sci.crypt
Document_id: 15728
From: jac55@cas.org ()
Subject: Re: Why the clipper algorithm is secret

In article <1993Apr20.014135.24134@fsl.noaa.gov> bear@kestrel.fsl.noaa.gov (Bear Giles) writes:
>In article <C5pstr.Lu2@panix.com> dfl@panix.com (Danny O'Bedlam) writes:
>>      The algorithm is classified because a military contract (or similar
>>government equivalent to military) has been let for this "proprietary"
>>design that the Feds say that NSA developed.  Is there a patent?  Is that
>>patent publicly available?  My betting is that that too is classified.
>
>Unless there has been a _major_ change in the law, there's no such beast
>as a "classified patent."  Patents exist to encourage communications and
>develop the state of the art.

	Yes there is, the patent can be classified as secret.  I recently
	saw a patent from 1947 (dealing with nuclear weapons technology)
	that was only declassified in the last couple of years.  There
	is of course the problem of enforcing the patent.

>The same thing applies in civilian development: you can't patent something
>_and_ declare it a "trade secret."  However, you can (and should) mark all
>software (including proprietary code) "unpublished copyright" so that it
>ever does get exposed you still have some legal protection.

	This is absolutely right.

	Alec Chambers

Newsgroup: sci.crypt
Document_id: 15729
Subject: Re: freely distributable public key cryptography c++ code: where?
From: a_rubin@dsg4.dse.beckman.com (Arthur Rubin)

In <15314.735453769@moose.cs.indiana.edu> Marc VanHeyningen <mvanheyn@cs.indiana.edu> writes:

>PGP is not available on the archive site rsa.com.  If it were, it
>would be highly amusing, since rsa.com (actually Public Key Partners,
>but it's the same entity) is the organization holding the patents
>which they claim are violated if you actually "make, use or sell" PGP.
>I believe those patents also apply in Canada, but I'm not a patent
>lawyer or anything.

(Sorry about double posting, but I forgot something.)

"make, use or sell" in this context have non-standard meanings:

"Make" means making an encrypted message.  "Use" may mean using PGP, or
using an encrypted message.  "Sell" would probably mean selling an
encrypted message.  It is the message created by a "patented" process
incorporated in PGP, which infringes.

--
Arthur L. Rubin: a_rubin@dsg4.dse.beckman.com (work) Beckman Instruments/Brea
216-5888@mcimail.com 70707.453@compuserve.com arthur@pnet01.cts.com (personal)
My opinions are my own, and do not represent those of my employer.

Newsgroup: sci.crypt
Document_id: 15730
Subject: Re: Key Registering Bodies
From: a_rubin@dsg4.dse.beckman.com (Arthur Rubin)

In <nagleC5w79E.7HL@netcom.com> nagle@netcom.com (John Nagle) writes:

>       Since the law requires that wiretaps be requested by the Executive
>Branch and approved by the Judicial Branch, it seems clear that one
>of the key registering bodies should be under the control of the
>Judicial Branch.  I suggest the Supreme Court, or, regionally, the
>Courts of Appeal.  More specifically, the offices of their Clerks.

Now THAT makes sense.  But the other half must be in a non-government
escrow.  (I still like EFF, but I admit their security has not been
tested.)

--
Arthur L. Rubin: a_rubin@dsg4.dse.beckman.com (work) Beckman Instruments/Brea
216-5888@mcimail.com 70707.453@compuserve.com arthur@pnet01.cts.com (personal)
My opinions are my own, and do not represent those of my employer.

Newsgroup: sci.crypt
Document_id: 15731
From: dds@doc.ic.ac.uk (Diomidis Spinellis)
Subject: "Greek" COMINT installation (was Re: The [secret] source of that announcement)

From article <1993Apr22.145106.158@cathy.ijs.si>, by Borut.B.Lavrencic@ijs.si:
> In article <gradyC5unp0.D21@netcom.com>, 
> grady@netcom.com (1016/2EF221) writes:
[...]
>> The most popular cipher systems in captured soviet spies was
>> the one-time pad, even with the necessity of keeping incriminating
>> evidence about, is known to be the only proven unbreakable system.
>> Soviet paranoia, right?
>> 
>> And what do you think the NSA does with its Wullenwebers?  And 
>> huge Rhombics pointed embassy row?  And their sites near
>> satellite uplink and downlink sites?  Duh.
[...]
> One case of Slovenian paranoia.
> 
> Once upon a time I tried to walk over the (famous) Marathon field, not far away 
> from Athens. I could not do that mostly because the field is now a huge 
> antenna farm. Probably a Greek COMINT installation, would you agree? 

Are you sure that the field is in the area you found the antenna
farm?  The tomb ("Ymvos") of Marathon which Herodotus specifies as near
the fighting area is in an area open to the public.

You must be referring to the U.S. army base of "Nea Makri".  It was
built by the U.S. in the same manner as bases all over the world
(W. Germany, Spain, Philippines, Turkey etc.) were built.  I think
it was a telecommunications hub.  Over the recent years U.S. forces
have withdrawn from the base and removed all military equipment.  The
area is currently under the control of the Greek Navy until all the
interested parties (local government, central government, political parties)
agree on what should be done with the land (park, recreation area,
real estate).

(This has nothing to do with cryptography, security and the EFF; I have
redirected followups to soc.culture.greek)

Diomidis
-- 
Diomidis Spinellis    Internet: <dds@doc.ic.ac.uk>  UUCP: ...!uknet!icdoc!dds
Department of Computing, Imperial College, London SW7     #include "/dev/tty"

Newsgroup: sci.crypt
Document_id: 15732
Subject: Re: Once tapped, your code is no good any more.
From: a_rubin@dsg4.dse.beckman.com (Arthur Rubin)

In <305@VisiCom.COM> makey@VisiCom.COM (Jeff Makey) writes:

>In article <C5so84.Hxv@demon.co.uk> Graham Toal <gtoal@gtoal.com> writes:
>>I am *completely* baffled by why Dorothy Denning has chosen
>>to throw away her academic respectability like this.

>She hasn't.  Dorothy Denning has spent many years earning the
>professional respect of her colleagues, and something won in this
>manner is not easily lost.  Her support of the clipper -- no matter
>how unpopular that position may be -- serves far more to enhance the
>clipper's respectability than to diminish her own.

I wouldn't think so.  Asking people to trust a secret algorithm seems
unsound to me.
--
Arthur L. Rubin: a_rubin@dsg4.dse.beckman.com (work) Beckman Instruments/Brea
216-5888@mcimail.com 70707.453@compuserve.com arthur@pnet01.cts.com (personal)
My opinions are my own, and do not represent those of my employer.

Newsgroup: sci.crypt
Document_id: 15733
Subject: Re: freely distributable public key cryptography c++ code: where?
From: a_rubin@dsg4.dse.beckman.com (Arthur Rubin)

In <15314.735453769@moose.cs.indiana.edu> Marc VanHeyningen <mvanheyn@cs.indiana.edu> writes:

>PGP is not available on the archive site rsa.com.  If it were, it
>would be highly amusing, since rsa.com (actually Public Key Partners,
>but it's the same entity) is the organization holding the patents
>which they claim are violated if you actually "make, use or sell" PGP.
>I believe those patents also apply in Canada, but I'm not a patent
>lawyer or anything.

The patents don't apply in Canada.  I think the free trade agreement may
provide for recognition of new patents, but not old ones.


--
Arthur L. Rubin: a_rubin@dsg4.dse.beckman.com (work) Beckman Instruments/Brea
216-5888@mcimail.com 70707.453@compuserve.com arthur@pnet01.cts.com (personal)
My opinions are my own, and do not represent those of my employer.

Newsgroup: sci.crypt
Document_id: 15734
From: steve-b@access.digex.com (Steve Brinich)
Subject: Re: Overreacting (was Re: Once tapped, your code is no good any more)

 > Somebody asked me what was wrong about overreacting in cases such as this.
 >
 > The reason is very simple:  How many people do you want to die in a riot?
 >In a new Civil War?

  Not me -- which is precisely why the government must be cut off at the
knees when it pulls stunts like this, lest the situation worsen to the point
where extreme measures are required.

Newsgroup: sci.crypt
Document_id: 15735
From: nagle@netcom.com (John Nagle)
Subject: Re: Key Registering Bodies

       Since the law requires that wiretaps be requested by the Executive
Branch and approved by the Judicial Branch, it seems clear that one
of the key registering bodies should be under the control of the
Judicial Branch.  I suggest the Supreme Court, or, regionally, the
Courts of Appeal.  More specifically, the offices of their Clerks.

       Courts already operate substantial record-keeping operations.  Some
of these records are confidential.  So the concept of a court holding
information in confidence in accordance with law has longstanding legal 
precedents.  The judiciary is more immune to pressure from the executive
branch than any executive branch agency or contractor can be.  So judicial
control of keys is appropriate.

       For the other half of the key, I suggest a unit of Congress, the
General Accounting Office.  The GAO is Congress's staff unit for keeping
tabs on the Executive Branch, and has an excellent reputation.  It's
controlled strictly by Congress; the Executive Branch has no authority
over it.

       With keys split between the Legislative and Judicial branches,
we might have a chance of this system working honestly.  If, of course,
a way can be found to keep the keys from being siphoned off before
they reach the repositories.

       This should not be construed as an endorsement by me of the
whole Clipper concept.  But if we have to have it, splitting control
across all three branches of government might make it work.

					John Nagle

Newsgroup: sci.crypt
Document_id: 15736
From: pjhong@cs.sunysb.edu (P. Joseph Hong)
Subject: Hidden Markov Modeling

In the article "At last! Now you can talk to your computer." in the May
issue of FORTUNE magazine, it was mentioned that phoneme prediction
used Hidden Markov Modeling.  This was the statistical method that Markov
developed to predict letter sequences in Pushkin's novel, _Eugene Onegin_.
It was then said that this technique worked so well that the NSA used
it to crack codes.
Does anyone have any references for HMM and how the NSA used it?
Or is this just an extension of the letter frequency tables that we
are all using anyway?

Joe	pjhong@clio.rad.sunysb.edu

Newsgroup: sci.crypt
Document_id: 15737
From: agk@neural.hampshire.edu (Andrew Kriger)
Subject: Re: How to detect use of an illegal cipher?


could someone repost or send to me via email the original posting of the
Clipper Chip press release.

thanks

andrew kriger
hampshire college
agk@neural.hampshire.edu
-- 
Andrew Kriger					"Three may keep a secret
Hampshire College				 if two of them are dead"
agk@neural.hampshire.edu			 	---Benjamin Franklin

Newsgroup: sci.crypt
Document_id: 15738
From: msnyder@nmt.edu (Rebecca Snyder)
Subject: public awareness (wasRe: text of White House announcement and Q&As on clipper chip encryption)

In article <2076@rwing.UUCP> pat@rwing.UUCP (Pat Myrto) writes:
>I think this is no accident.  It comes from the same philosophy that
>the government rules/controls the people, not the people controlling
>the government, that the unconnected citizens are not sophisticated enough
>to know what is best for them, so the government must tell the people
>what they need or do not need ... "we know best...".  And the idea that
>that a commoner can defend himself against government eavesdropping
>or unlawful attack is totally unacceptable to people with this outlook.
>
>
>Combine this all with pushing for national identity cards with 'smart
>chips' to encode anything they please (internal passport) under the
>guise of streamlining the State People's Health Care System, and with
>(you can be certain) more jewels yet to come, and one sees an extremely
>ominous trend.  So what if "1984" will be ten years late... it still is
>turning out to be an amazingly accurate prophecy... unless a LOT of
>people wake up, and in a hurry.
>
>One should ALWAYS have every red warning light and bell and danger flag
>come up when the government seeks to set itself apart in regard to
>rights, etc.  from the unconnected/unprivileged citizen (or should we
>now be saying 'subject' instead?)...  Why SHOULDN'T the average person
>have a good, secure system of data security, not dependent on nebulous
>'safeguards' for maintaining that security?  Why SHOULDN'T the average
>person be able to defend himself from an agency gone rogue?  I am sure
>the Feds could break into any data they really wanted to (but it would
>take some WORK), and using the same logic, one should not be allowed to
>have a good safe, unless a duplicate of the key(s) or combination are
>submitted for 'safekeeping' by the government?  I don't really see a
>difference, philosophically.  Encrypted data sure won't evaporate, not
>with such high-tech tools as a TAPE RECORDER...
>

The average amerikan today seems to think that the government should be
able to eavesdrop on everyone (else).  Opinion polls show that most
people believe the Bill of Rights to grant too much freedom to people,
when it is not identified as such (BTW, if anyone knows of a cite for that,
I'd love to have it).  Not only does this mean that these people are 
willing to give up everyone (else's) rights, they don't even know what 
the Bill of Rights actually says.

How can we show the average person (not the average USENET reader) that
people are actually entitled to these rights?  So many people don't
care if the government is taking more and more control of us all, a little 
at a time.  

If there was some sort of awareness of what the government is trying
to do by a majority of the US population... Just think about what
could be accomplished - but there are so many that trust, unthinkingly,
in whatever the media and government tell them.

Newsgroup: sci.crypt
Document_id: 15739
From: kbeal@amber (Ken Beal)
Subject: Re: Once tapped, your code is no good any more.

Lawrence C. Foard (lfoard@hopper.Virginia.EDU) wrote:
> In article <1993Apr22.065357.9667@cs.aukuni.ac.nz> pgut1@cs.aukuni.ac.nz (Peter Gutmann) writes:
> [article deleted]
> >
> >Just doing a quick reality check here - is this for real or did someone
> >invent it to provoke a reaction from people?  It sounds more like the
> >sort of thing you'd have heard, suitably rephrased, from the leader of a 
> >certain German political party in the 1930's....
> It sounds like a joke (but then the war on drugs has always been a joke...).

I remember seeing it several months ago, and it was marked as a joke.
Funny how things circulate!
--
Kenneth L. Beal, Jr.  kbeal@amber.ssd.csd.harris.com | Use OS/2 2.1! :-) often.
"Does Pavlov ring a bell?"               - NLP tapes | Learn.  Keep moving.
"Street person my responsibility."   -  Indigo Girls | Better yourself.  Fnord.
"One man gathers what another man spills."   -  Dead | <> Opinions are mine. <>
Is YOUR religion BATF-approved?                      | pro!=con; progress != 

Newsgroup: sci.crypt
Document_id: 15740
From: mckee@cs.Buffalo.EDU (Douglas McKee)
Subject: Re: **Sorry folks** (read this)


In article <1993Apr22.014646.28445@ucsu.Colorado.EDU>, andersom@spot.Colorado.EDU (Marc Anderson) writes:
|> In article <1993Apr21.001707.9999@ucsu.Colorado.EDU> andersom@spot.Colorado.EDU (Marc Anderson) writes:
|> [...]
|> >
|> >(the date I have for this is 1-26-93)
|> >
|> >note Clinton's statements about encryption in the 3rd paragraph..  I guess
|> >this statement doesn't contradict what you said, though.
|> >
|> >--- cut here ---
|> >
|> >        WASHINGTON (UPI) -- The War on Drugs is about to get a fresh
|> >start, President Clinton told delegates to the National Federation
|> >of Police Commissioners convention in Washington.
|> >        In the first speech on the drug issue since his inaugural,
|> >Clinton said that his planned escalation of the Drug War ``would make
|> >everything so far seem so half-hearted that for all practical
|> [...]
|> 
|> I just found out from my source that this article was a joke.  Heh heh..  
|> It seemed pretty damn convincing to me from the start -- I just didn't
|> notice the smiley at the end of the article, and there were a few other
|> hints which I should have caught.

Well, isn't this just a hoot! :)  All I read on this group is a bunch
of ppl fearing the misuses of information by the big bad evil govt.
This just happens to be a case of an ordinary-joe-netter, who decided
that he would create and/or distribute some misinformation.  Ppl buy
into BS posts like this (I know, because I forwarded a copy of the
post to my office mate, who turned around and was (although he won't
admit it...sorry Joe!) ready to get in a fight about F-O-R-F-E-I-T-U-R-E!!!)
Please, if we're going to hold our govt (which admittedly has had and
still has its problems) to high standards, then mustn't we follow these
too?  Electronic Freedoms only go so far.

|> Anyway -- I guess this 'joke' did turn out to resemble Clinton's true 
|> feelings at least to some extent.  
|> 
|> Sorry about that...
|> 
|> -marc
|> andersom@spot.colorado.edu

Hey, I'm willing to forgive...after of course my office mate takes his
extra anti-paranoia pills! :)

Doug McKee
mckee@cs.buffalo.edu

Newsgroup: sci.crypt
Document_id: 15741
From: gardner@convex.com (Steve Gardner)
Subject: Re: The Escrow Database.

In article <strnlghtC5t3K6.InF@netcom.com> strnlght@netcom.com (David Sternlight) writes:
>>After the Waco Massacre and the Big Brother Wiretap Chip, any tactic
>>is fair.
>
>This is pernicious nonsense!
	In what way David?  Our government is totally out of control,
	whether you realize it or not.  I know you find it painful to
	think of your old buddy Uncle Sam as evil but it's true.  Other
	democracies have fallen before.  Ours is on its way and knee-jerk
	sheep that instinctively trust government are helping it slide.
	Power corrupts David, why is that so hard to understand?


Newsgroup: sci.crypt
Document_id: 15742
From: jhan@debra.dgbt.doc.ca (Jerry Han)
Subject: Re: Overreacting (was Re: Once tapped, your code is no good any more)

In article <1r6g1n$rvb@access.digex.net> steve-b@access.digex.com (Steve Brinich) writes:
> > Somebody asked me what was wrong about overreacting in cases such as this.
> >
> > The reason is very simple:  How many people do you want to die in a riot?
> >In a new Civil War?
>
>  Not me -- which is precisely why the government must be cut off at the
>knees when it pulls stunts like this, lest the situation worsen to the point
>where extreme measures are required.


Fine then.  Cut them off with pen and paper, and not the sword.



-- 
Jerry Han-CRC-DOC-Div. of Behavioural Research-"jhan@debra.dgbt.doc.ca"
///////////// These are my opinions, and my opinions only. \\\\\\\\\\\\\
\\\\\\\\\ A proud and frozen member of the Mighty Warriors Band ////////  
"Memories of those I've left behind, still ringing in my ears."-Genesis-

Newsgroup: sci.crypt
Document_id: 15743
From: strnlght@netcom.com (David Sternlight)
Subject: Re: new encryption


psionic@wam.umd.edu, whose parenthesized name is either an unfortunate
coincidence or casts serious doubt on his bona fides, posts a message in
which he seems willing to take the word of a private firm about which he
knows little that their new encryption algorithm is secure and contains no
trapdoors, while seemingly distrusting that of the government about clipper.

I suppose it depends on how paranoid one wishes to be, but how does the
writer know the firm isn't, for example, an NSA front? For purposes of this
message, how do we know "psionic" isn't?

I don't suggest that, but post this to point out that there is a class of
speculation that has no more truth value, without lots of hard evidence,
than the contrary one.

By the way, if "psionic" had said, in lower case letters, that the firm
CLAIMS there was no back door, I'd have no problem with that phrasing.

David
-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  

Newsgroup: sci.crypt
Document_id: 15744
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Off the shelf cheap DES keysearch machine (Was: Re: Corporate acceptance of the wiretap chip)

In article <C5uvn4.MF7@austin.ibm.com> arussell@austin.ibm.com (AG Russell)
writes:

>
>At the company I worked for previously, I received a file that was DES encrypted
>and the person that had sent it went on vacation.  Rather than wait two weeks
>I set up a straight frontal attack with one key at a time.  It only took two(2)
>days to crack the file.  No, I don't have any faith in DES.
>

Taking this at face value (though it seems quite dissonant with much else
that has been published here about brute force DES cracking, unless Russell
was lucky with respect to the key), I'd be very interested in whether the
program Russell used is available? In whether he used a cleartext
recognition algorithm in the program or whether he had to examine each
decryption by hand? In whether he used a known plaintext attack?

He probably should also tell us, given his address, what machine he used--a
desktop, workstation, or super-computer.

Depending on his answer, this could be an appalling development calling into
question both DES and RSA/DES. Dunno about RSA/IDEA.

If any bright programmer with a little idle machine time can crack a single
DES message in a couple of days (assuming no tricks that are
message-specific), then here's my Clipper key, NSA; give me the chip at
once.  :-)

David
-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  

Newsgroup: sci.crypt
Document_id: 15745
From: victori@xetron.com (Victor Iseli)
Subject: Re: freely distributable public key cryptography c++ code:  where?



"Numerical Recipes in C"..Fortran..Pascal  has a nice section on
encryption and decryption based on the DES algorithm.  There is
also source code provided (I think some versions of this book are 
distributed with the source code on disk; the source code can
also be ordered from the publisher).

--Victor Iseli
victori@xetron.com

Newsgroup: sci.crypt
Document_id: 15746
From: "Jon C. R. Bennett" <jb7m+@andrew.cmu.edu>
Subject: Ideas on Clipper


I have an idea as to why the encryption algorithm needs to be kept secret,
and some things that i think it implies. (Of course these could all be
wrong.....) 

from 

                     THE CLIPPER CHIP: A TECHNICAL SUMMARY
                               Dorothy Denning
                           Revised, April 21, 1993

.
.
.

The Clipper Chip contains a classified single-key 64-bit block
encryption algorithm called "Skipjack."  The algorithm uses 80 bit keys
(compared with 56 for the DES) and has 32 rounds of scrambling
(compared with 16 for the DES).  It supports all 4 DES modes of
operation.  The algorithm takes 32 clock ticks, and in Electronic
Codebook (ECB) mode runs at 12 Mbits per second.

Each chip includes the following components:

   the Skipjack encryption algorithm
   F, an 80-bit family key that is common to all chips
   N, a 30-bit serial number (this length is subject to change)
   U, an 80-bit secret key that unlocks all messages encrypted with the chip

.
.
.

ENCRYPTING WITH THE CHIP

To see how the chip is used, imagine that it is embedded in the AT&T
telephone security device (as it will be).  Suppose I call someone and
we both have such a device.  After pushing a button to start a secure
conversation, my security device will negotiate an 80-bit session key K
with the device at the other end.  This key negotiation takes place
without the Clipper Chip.  In general, any method of key exchange can
be used such as the Diffie-Hellman public-key distribution method.

Once the session key K is established, the Clipper Chip is used to
encrypt the conversation or message stream M (digitized voice).  The
telephone security device feeds K and M into the chip to produce two
values:

   E[M; K], the encrypted message stream, and 
   E[E[K; U] + N; F], a law enforcement field , 

which are transmitted over the telephone line.  The law enforcement
field thus contains the session key K encrypted under the unit key U
concatenated with the serial number N, all encrypted under the family
key F.  The law enforcement field is decrypted by law enforcement after
an authorized wiretap has been installed.

------------------

Suppose I knew how the algorithm worked and knew the N for my chip, but
did not know F.  Then by cryptanalysis I might be able to determine F from
the law enforcement field
   E[E[K; U] + N; F]
Not knowing N might make this much harder.

Now suppose that I know F, (either legitimately or not),
If I know K (either because I am involved in the conversation, or I know U
for a party in the conversation), I may now be able to determine U for the
other party.

If I know F I can also defeat the law enforcement field, since I could
make my own, with a different K than the one I am using. Knowing F also
allows traffic analysis to be performed. So I might not know what you are
saying but I could know who you are saying it to.

Now I admit that someone trying to compute U will not have lots of
messages to work from, but since we have no way of knowing that the key
generation method does not (deliberately?) generate weak keys, or for that
matter that the published method is in fact used, perhaps the U's will be
chosen from known weak keys for the system.

Obviously the compromise of F would be a disaster, both to law enforcement,
for whom this whole thing is designed, and for the people who believe that
it is giving them security. F is but one number, and I'm sure that a lot of
people (more than 1) know what it is (and if some "panel of experts" is
going to check it over for flaws then many more will know F). Forget
grinding chips; bribery and blackmail work just fine.

So, am I wrong? Or are these problems?

jon
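The construction quoted above (the chip emitting E[M; K] and E[E[K; U] + N; F]) and the escrow path that reverses it, as an added example; this is not code from the posting, from Denning's summary, or from any Clipper/MYK-78 device. The chip's cipher is not public here, so E[.; key] is a stand-in stream cipher built from HMAC-SHA256 in counter mode with a random IV (an assumption); K, U and F are 80-bit keys as in the posting, and the serial number N is assumed to be 32 bits, since the posting gives no width. `leaf_serial` shows the point jon makes about traffic analysis: F alone is enough to read N out of every law enforcement field, while `escrow_recover` is the authorized path that additionally needs the escrowed U.

```python
"""Toy model of the Clipper law-enforcement field (LEAF) quoted above.

Added example, not code from the posting or any real Clipper/MYK-78 device.
Assumptions: the chip's cipher is classified, so E[.; key] is a stand-in stream
cipher (HMAC-SHA256 in counter mode, with a random IV); K, U and F are 80-bit
keys as in the posting; the serial number N is taken to be 32 bits (assumed).
"""
import hashlib
import hmac
import os

KEY_BYTES = 10      # 80-bit keys K, U, F (per the posting)
SERIAL_BYTES = 4    # width of N is an assumption
IV_BYTES = 8


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """PRF counter mode: HMAC(key, iv || counter) blocks, truncated to length."""
    out = b""
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def E(data: bytes, key: bytes) -> bytes:
    """E[data; key]: fresh IV prepended, body XORed with the keystream."""
    iv = os.urandom(IV_BYTES)
    return iv + bytes(a ^ b for a, b in zip(data, _keystream(key, iv, len(data))))


def D(blob: bytes, key: bytes) -> bytes:
    """Inverse of E: strip the IV and XOR the same keystream back."""
    iv, body = blob[:IV_BYTES], blob[IV_BYTES:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, iv, len(body))))


def chip_encrypt(M: bytes, K: bytes, U: bytes, N: int, F: bytes):
    """What the chip emits: (E[M; K], E[E[K; U] + N; F]).

    '+' is concatenation, exactly as in the quoted description.
    """
    inner = E(K, U) + N.to_bytes(SERIAL_BYTES, "big")   # E[K; U] + N
    leaf = E(inner, F)                                  # encrypted under family key F
    return E(M, K), leaf


def leaf_serial(leaf: bytes, F: bytes) -> int:
    """Holding only F reveals N from every LEAF (the traffic-analysis exposure
    jon raises). Neither U nor K is needed for this step."""
    inner = D(leaf, F)
    return int.from_bytes(inner[-SERIAL_BYTES:], "big")


def escrow_recover(ciphertext: bytes, leaf: bytes, F: bytes, escrow_db: dict) -> bytes:
    """Authorized path: F opens the LEAF, N indexes the escrowed unit key U,
    U unwraps the session key K, K decrypts the traffic."""
    inner = D(leaf, F)
    N = int.from_bytes(inner[-SERIAL_BYTES:], "big")
    U = escrow_db[N]                        # lookup in the escrow database
    K = D(inner[:-SERIAL_BYTES], U)         # undo E[K; U]
    return D(ciphertext, K)


def demo() -> dict:
    """Constructed sample keys and a sample 'voice' payload (not real values)."""
    K = os.urandom(KEY_BYTES)          # session key negotiated outside the chip
    U = bytes(range(10))               # constructed unit key (escrowed)
    F = bytes(range(20, 30))           # constructed family key
    N = 0x0000BEEF                     # constructed serial number
    M = b"constructed digitized voice sample"
    ct, leaf = chip_encrypt(M, K, U, N, F)
    return {
        "serial_from_F_only": leaf_serial(leaf, F),
        "recovered_by_escrow": escrow_recover(ct, leaf, F, {N: U}),
        "plaintext": M,
        "leaf_len": len(leaf),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the whole escrow structure hangs on F being secret and on the escrow database mapping N to the right U; the toy makes both dependencies explicit as function arguments rather than hiding them in the chip.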


Newsgroup: sci.crypt
Document_id: 15747
From: strnlght@netcom.com (David Sternlight)
Subject: Re: The Escrow Database.

In article <1993Apr22.170418.15799@news.eng.convex.com> gardner@convex.com
(Steve Gardner) writes:

>In article <strnlghtC5t3K6.InF@netcom.com> strnlght@netcom.com (David Sternlight) writes:
>>>After the Waco Massacre and the Big Brother Wiretap Chip, any tactic
>>>is fair.
>>
>>This is pernicious nonsense!
>	In what way David?  Our government is totally out of control,
>	whether you realize it or not.  I know you find it painful to
>	think of your old buddy Uncle Sam as evil but it's true.  Other
>	democracies have fallen before.  Ours is on its way and knee-jerk
>	sheep that instinctively trust government are helping it slide.
>	Power corrupts David, why is that so hard to understand?
>

That wasn't my point. My point is that your implied position about the "Waco
Massacre" is an assertion cum political position. According to a CNN poll,
about 86% of Americans think the FBI acted properly, and a majority think
they should have done it (the tear gas) a lot sooner. A large majority also
believe the FBI was not at all responsible for the death of the victims,
Koresh was. (Let's avoid the kind of fruitless argument of the sort If A
hadn't X'd, then B might not have Y'd....)

What you call the "Big Brother Chip" is right now a proposal under
discussion, and it is not yet clear that strong crypto is going to be
banned.

Therefore neither justifies "any tactic is fair." Thus the statement is
nonsense. It is pernicious, because "any tactic" can lead to damaging
others.

As I see you know from the tone of your reply, there's nothing personal
intended.

David
-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
Document_id: 15748
From: pat@rwing.UUCP (Pat Myrto)
Subject: Re: Once tapped, your code is no good any more.

In article <1r21t1$4mc@access.digex.net> steve-b@access.digex.com (Steve Brinich) writes:
<
< > I wonder if she landed such a fat fee from cooperation with the NSA in
< >the design and propaganda stages that she doesn't care any more? 
<
<  Which is to say: is the NSA -totally- perfidious, or does it at least
<have the redeeming virtue of taking care of its own? <g>

Of course they take care of their own ... very well ... until the person
has 'outlived his/her/undefined usefulness'... then 'elimination' becomes
a consideration...  :-)

-- 
pat@rwing.uucp      [Without prejudice UCC 1-207]     (Pat Myrto) Seattle, WA
         If all else fails, try:       ...!uunet!pilchuck!rwing!pat
WISDOM: "Only two things are infinite; the universe and human stupidity,
         and I am not sure about the former."              - Albert Einstein

Newsgroup: sci.crypt
Document_id: 15749
From: boyd@acsu.buffalo.edu (Daniel F Boyd)
Subject: Re: Off the shelf cheap DES keyseach machine (Was: Re: Corporate acceptance of the wiretap chip)

In article <strnlghtC5wCMo.Fx5@netcom.com> strnlght@netcom.com (David Sternlight) writes:
> In article <C5uvn4.MF7@austin.ibm.com> arussell@austin.ibm.com (AG Russell)
> writes:
> >At the company I worked for previously, I received a file that was
> >des encrypted and the person that had sent it, went on vacation.
> >Rather than wait two weeks I set up a straight frontal attack with
> >one key at a time.  It only took two(2) days to crack the file.

> Taking this at face value (though it seems quite dissonant with much else
> that has been published here about brute force DES cracking, unless Russell
> was lucky with respect to the key), I'd be very interested in whether the
> program Russell used is available? In whether he used a cleartext
> recognition algorithm in the program or whether he had to examine each
> decryption by hand? In whether he used a known plaintext attack?


This has to be a dictionary attack.  No other attack makes sense.


This means that whoever encrypted the file just typed some password
which was a single dictionary word, and then Russell tried all the
words in the dictionary.  This isn't too implausible, especially if he
was smart and clipped the first plaintext block off the ciphertext (if
the first block doesn't decrypt then obviously the others won't
either).

Assuming one attempt a second, it takes seven hours to try all the
words in /usr/dict/words.   Not real tough.

If you want DES to be secure, you have to use RANDOM KEYS.  You can't
just type your wife's name and think "aha they'll never guess that
one!"



-- 
Daniel F. Boyd -- boyd@cs.buffalo.edu 

"Welcome to the First Church of Appliantology.  The white zone is for
loading and unloading only."

Newsgroup: sci.crypt
Document_id: 15750
From: tcmay@netcom.com (Timothy C. May)
Subject: Re: The Escrow Database.

David Sternlight (strnlght@netcom.com) wrote:
: In article <1993Apr22.170418.15799@news.eng.convex.com> gardner@convex.com
: (Steve Gardner) writes:

...cascades elided to preserve our sanity....

: That wasn't my point. My point is that your implied position about the "Waco
: Massacre" is an assertion cum political position. According to a CNN poll,
....
: What you call the "Big Brother Chip" is right now a proposal under
: discussion, and it is not yet clear that strong crypto is going to be
: banned.

Just to set the record straight, Steve Gardner was not the author of
the bit you quoted--I was. Steve just took issue with David's
characterization of my words as "pernicious nonsense."

I won't further comment on my own views...folks either support 'em or
they don't, and the lines in question were neither central to the
points I was making in my original post nor to the important debate
here in sci.crypt and elsewhere.


-Tim May, who continues to hold the same views but doesn't feel like
debating politics

-- 
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,  
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets, 
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^756839 | Public Key: PGP and MailSafe available.


Newsgroup: sci.crypt
Document_id: 15751
From: dmuntz@quip.eecs.umich.edu (Dan Muntz)
Subject: Re: new encryption

In article <strnlghtC5wC3z.Erw@netcom.com> strnlght@netcom.com (David Sternlight) writes:
>psionic@wam.umd.edu, whose parenthesized name is either an unfortunate
>coincidence or casts serious doubt on his bona fides, posts a message in
>which he seems willing to take the word of a private firm about which he
>knows little that their new encryption algorithm is secure and contains no
>trapdoors, while seemingly distrusting that of the government about clipper.

Will someone please post the David Sternlight FAQ to alt.privacy.clipper before
someone unfamiliar with him takes him seriously and starts yet another
flame fest?

  -Dan


Newsgroup: sci.crypt
Document_id: 15752
From: ns111310@LANCE.ColoState.Edu (Nathaniel Sammons)
Subject: Re: I have seen the lobby, and it is us

1) I think that most of us can afford a stamp and an envelope, and the
cost of printing out a letter.

2) If some kind soul out there would write a letter, and upload it to 
the net, everyone could capture it, print it out, and snail-mail it
out to their local congressional critter.

BTW>> I'm working on one.

-nate

o---------------------------+======================================o
| "I hate quotations.       |     This message brought you by      |
|   Tell me what you know." |   Nate Sammons, and the number 42.   |
|    --Ralph Waldo Emerson  |  ns111310@longs.lance.colostate.edu  |
o---------------------------+======================================o

Newsgroup: sci.crypt
Document_id: 15753
From: ns111310@LANCE.ColoState.Edu (Nathaniel Sammons)
Subject: could someone mail me the text from the White House Clipper announcement?

thanks a bunch,

-nate

o---------------------------+======================================o
| "I hate quotations.       |     This message brought you by      |
|   Tell me what you know." |   Nate Sammons, and the number 42.   |
|    --Ralph Waldo Emerson  |  ns111310@longs.lance.colostate.edu  |
o---------------------------+======================================o

Newsgroup: sci.crypt
Document_id: 15754
From: wingo@apple.com (Tony Wingo)
Subject: Re: new encryption

In article <1993Apr22.092959@magic.mcc.com>, croley@magic.mcc.com (David
Croley) wrote:

> 
> It would seem that the one fact that the government has overlooked in this
> whole fiasco is the economic standpoint.  As others have mentioned, the most
> difficulty the Clipper chip faces is an economic one.  Let's face it, the
> average consumer doesn't care or know that the Clipper is a bad idea.  If
> there is a perceived need for cellular encryption, then the companies will
> provide one.  Most likely, a standard will emerge.  But if the Clipper is
> too expensive (and $25 a chip is way too much) then they will develop their
> own or buy a cheaper one.  

This is an interesting point.  As a VERY COARSE rule of thumb, you can
figure that the final price of a product is 3 to 5 times the Cost Of Goods.
(The exact multiplier depends largely on economies of scale: Products that
sell tens of millions of units/year will be at the low end, those that sell
thousands of units/year will be at the high end.  I suspect cellular phones
are in the middle).  This implies that adding a $25 chip would increase the
cost of the phone by approx $100, or about 25% - 30%.

I don't think you'll get a lot of consumer support for this.


-tony

>>usual disclaimer<<

Newsgroup: sci.crypt
Document_id: 15755
From: cme@ellisun.sw.stratus.com (Carl Ellison)
Subject: Re: Clipper considered harmful

In article <bontchev.735336144@fbihh> bontchev@fbihh.informatik.uni-hamburg.de writes:
>No, because the Feds will still be able to decrypt the conversations.
>True, they'll blame the wrong guys, but nevertheless one cannot say
>something like "The drugs arrive tomorrow on the ship 'Terminus'"
>when the Feds are listening, even if they cannot identify who the
>speaker is.


It's not a question just of who is holding the phone.  It's a question of
what circuit to wiretap in the first place.  If two drug dealers are both
using stolen cellular phones, the FBI doesn't know which lines to tap
-- unless of course they're tapping *all* phones (maybe *all* cellular
phones).  If they haven't tapped the connection (i.e., at least one end of
the connection) then they don't know what key to request.

-- 
 - <<Disclaimer: All opinions expressed are my own, of course.>>
 - Carl Ellison                                        cme@sw.stratus.com
 - Stratus Computer Inc.       M3-2-BKW                TEL: (508)460-2783
 - 55 Fairbanks Boulevard ; Marlborough MA 01752-1298  FAX: (508)624-7488

Newsgroup: sci.crypt
Document_id: 15756
From: grady@netcom.com (1016/2EF221)
Subject: Re: freely distributable public key cryptography c++ code:  where?

Victor Iseli (victori@xetron.com) wrote:
: 
: 
: "Numerical Recipes in C"..Fortran..Pascal  has a nice section on
: encryption and decryption based on the DES algorithm.  There is
: also source code provided (I think some versions of this book are 
: distributed with the source code on disk; the source code can
: also be ordered from the publisher).
: 
: --Victor Iseli
: victori@xetron.com

Yes I benchmarked the DES implementation in the Recipes in C
book.. it is about 1 1/2 orders of magnitude SLOWER than the
Outerbridge/Karn/Gillogly/et al implementation.

It may be instructional, but it isn't very fast.
-- 
grady@netcom.com  2EF221 / 15 E2 AD D3 D1 C6 F3 FC  58 AC F7 3D 4F 01 1E 2F


Newsgroup: sci.crypt
Document_id: 15757
From: smb@research.att.com (Steven Bellovin)
Subject: Re: Once tapped, your code is no good any more.

In article <C5vMF3.MBt@murdoch.acc.Virginia.EDU>, lfoard@hopper.Virginia.EDU (Lawrence C. Foard) writes:
> In article <1993Apr22.065357.9667@cs.aukuni.ac.nz> pgut1@cs.aukuni.ac.nz (Peter Gutmann) writes:
> [article deleted]
> >
> >Just doing a quick reality check here - is this for real or did someone
> >invent it to provoke a reaction from people?  It sounds more like the
> >sort of thing you'd have heard, suitably rephrased, from the leader of a 
> >certain German political party in the 1930's....
> 
> It sounds like a joke (but then the war on drugs has always been a joke...).

I'm seeking permission to repost the actual note, but someone on another
mailing list checked the archives on Nexis (UPI and all major newspapers),
and found no mention of that article.

Newsgroup: sci.crypt
Document_id: 15758
From: gardner@convex.com (Steve Gardner)
Subject: Re: Clipper will corrupt cops (was WH proposal from Police point of view)

In article <1993Apr21.041033.16550@news.clarkson.edu> tuinstra@signal.ece.clarkson.edu.soe writes:
>Clipper will make criminals out of cops.  Do we want to do this to our
>police forces?
	The War on some drugs has already turned a lot of police into
	criminals.  This is yet another nail in the constitution's coffin.


							smg

Newsgroup: sci.crypt
Document_id: 15759
From: koontzd@phobos.lrmsc.loral.com (David Koontz )
Subject: Re: new encryption

>From: denning@guvax.acc.georgetown.edu
>                     THE CLIPPER CHIP: A TECHNICAL SUMMARY

>                               Dorothy Denning

>                           Revised, April 21, 1993

>The chips are programmed by Mykotronx, Inc., which calls them the
>"MYK-78."  The silicon is supplied by VLSI Technology Inc.


>All Clipper Chips are programmed inside a SCIF (Secure Compartmented
>Information Facility), which is essentially a vault.  The SCIF contains
>a laptop computer and equipment to program the chips.  About 300 chips
>are programmed during a single session.  The SCIF is located at
>Mykotronx.

>ACKNOWLEDGMENT AND DISTRIBUTION NOTICE.  This article is based on
>information provided by NSA, NIST, FBI, and Mykotronx.  Permission to
>distribute this document is granted.

So, who is Mykotronx, Inc.?  It would be nice to know that they were
not a front company used by an intelligence or other agency of the 
U.S. government.  Trusting the fox to guard the chickens, and all that.
Seems suspicious when the rest of the sources are foxes.

While we are at it, the chip design(s) should be examined and verified
against silicon to ensure no trap doors or hidden protocols exist in silicon,
regardless of the security level of the encryption algorithm.  It would be a 
shame if some three letter agency had the ability to interrogate my chip, when
all I'd know is that someone rang, and when I attempted to go off hook the
line went dead.  Could be even worse if the chip were intended to connect
directly to a modem.

The design examination should be done to the gate level.  Does anyone have
a good idea how to tell if there is a piggyback design on silicon?  The model
would be extra logic sharing pins with the advertised function.  Tip offs
would be circuitry that would ignore incoming data if formats or sequence
is not right.  I can think of only two ways an output pin could be used,
and it's possible that might be noticed, but could be edited from the netlist.
I think the silicon itself needs to be investigated.  Imagine a design
done in two layer metalization, yet finding a third layer under the
microscope.  

The government is asking for a lot of blind trust:  the encryption algorithm, 
operating protocols, the agency having physical control of the devices, the 
silicon implementation.  I'd feel like keeping one hand on my wallet.




Newsgroup: sci.crypt
Document_id: 15760
From: rsilvers@nynexst.com (Robert Silvers)
Subject: Re: I have seen the lobby, and it is us

In article <Apr22.185314.14420@yuma.ACNS.ColoState.EDU> ns111310@LANCE.ColoState.Edu (Nathaniel Sammons) writes:
>1) I think that most of us can afford a stamp and an envelope, and the
>cost of printing out a letter.
>
>2) If some kind soul out there would write a letter, and upload it to 
>the net, everyone could capture it, print it out, and snail-mail it
>out to their local congressional critter.
>
>BTW>> I'm working on one.

	Send something to Rush Limbaugh about Clinton taking away our right
to privacy and how if the govt. standard takes off, only people with lots
of money (drug dealers) will be able to justify DES stuff.  He will slam
Clinton for this on the air.
						--Rob.


Newsgroup: sci.crypt
Document_id: 15761
From: hanson@kronos.arc.nasa.gov (Robin Hanson)
Subject: Estimating Wiretap Costs/Benefits

              WOULD WIRETAP CHIP BE COST-EFFECTIVE?

                        by Robin Hanson
                     Draft, April 21, 1993

  SUMMARY: Compared to an average monthly phone bill of sixty dollars,
  wiretaps are only worth two cents a month to police.  So the
  proposed wiretap chip must raise phone costs by less than one part 
  in three thousand to be cost-effective. 

BACKGROUND

Until now, phones have happened to allow the existence of "wiretaps",
detectors which could pick up conversations on a phone line.  And over
time, law enforcement agencies have come to rely on this capability to
aid in criminal investigations.  However, powerful new encryption
technologies threaten this status quo, by making possible truly
private communication.  A small chip in each phone could soon make it
literally impossible to overhear a conversation without physical
microphones at either end.

In order to preserve the ability of law enforcement agencies to tap
phone conversations, the U.S. government announced on April 16, 1993
that it had developed and begun manufacturing a special "wiretap" chip
to be placed in future phones, instead of the total privacy chips
which have been under private development.  The same day, AT&T
announced it would use these chips "in all its secure telephone
products".

Each chip would be created under government supervision, when it would
be given a fixed identifier and encryption key.  Periodically during
each conversation, the chip would broadcast its identifier and other
info in a special "law enforcement block".  Law enforcement officers
with a court order could then obtain the key corresponding to the
identifier from special trust agencies, and could thereby listen in
on any future or previously recorded conversations on that phone.

To date, most concerns voiced about this plan have been about its
security.  The government won't disclose the encryption algorithm, and
many suspect the government will not limit its access in the way it
has claimed.  The track record of previous governments does not
inspire confidence on this point [1].

However, this paper will neglect these concerns, and ask instead
whether this new wiretap chip is a cost-effective tool for police
investigation.  That is, which is a cheaper way for society to
investigate crime: force phone communications to support wiretaps, or
give police agencies more money to investigate crimes in other ways?
Or to put it another way, would police agencies be willing to pay for
each wiretap, if they had to pay their share of the full social cost
of forcing phones to support wiretaps?

To start to answer this question, we might compare the current
benefits wiretaps provide to law enforcement agencies with projected
costs of implementing the new wiretap chip plan.  And since current
benefits are easier to estimate, we begin there.

WIRETAP BENEFITS

1990 is the latest year for which wiretap statistics are available
[2].  In that year, 872 wiretap installations were requested, and no
requests were denied.  (This figure does not include wiretaps obtained
with the consent of a party to the conversation.)  2057 arrests
resulted from wiretaps started the same year, 1486 arrests came from
wiretaps in previous years, and 55% of arrests led to convictions.
76% of the wiretaps were for phones (vs pagers, email, etc.), 60% were
regarding drug offenses, and 40% were requested by federal
authorities.  Each wiretap installation heard an average of 1487
calls, 22% of them incriminating, among 131 people, and cost an
average of $45,125 (extrapolating from the 794 installations
reporting costs), mostly for labor.

Thus a total of about $40 Million was spent on wiretaps, to obtain
about 4000 arrests, at $10,000 per arrest.  Thus these arrests are at
least four times more expensive than the $2500 per arrest figure one
gets by dividing the $28 Billion spent by all police nationally by the
total 11 Million non-traffic arrests [3].  Thus the $30 Million per
year spent on phone taps is only one thousandth of the total police
expenditures.  And if we divide this by the 138 Million phone "access"
lines in the country [3], we get about 23 cents spent per year per
phone line, or about two cents a month.

In general, we deter a given class of criminals through a combination
of a perceived probability of being caught and convicted, and some
expected punishment level if convicted.  So the social value of having
wiretaps is no more than the amount that we would have to pay to get
the same criminal deterrence through other means.  If unable to
wiretap a particular suspect's phone, police might instead use hidden
microphones, or investigate that suspect in other ways.  Or police
might focus on suspects more easily investigated without wiretaps.  Or
we might raise the fine or prison time for certain types of crime.

If we generously assume that these substitutes for wiretaps would be
on average twice as expensive as wiretaps, then the annual social
benefit of phone wiretaps is about equal to the current spending level
of two cents a month per phone line.

WIRETAP COSTS

Let us for the moment optimistically assume that the US government
encryption scheme is as secure as whatever private enterprise would
have offered instead, protecting our conversations from the spying
ears of neighbors, corporations, and governments, both foreign and
domestic.  Even so, the need to support wiretaps would add many
additional costs to build and maintain our communication system.

Extra law enforcement blocks would be added to phone transmissions,
increasing traffic by some unknown percentage.  A special process must
be used to add encryption keys to chips, while securely distributing
these keys to special agencies, which must be funded and monitored.
The chips themselves are designed by a military contractor, whose
design is to remain secret, and are manufactured through a special
process so that the chip becomes nearly impossible to take apart.
(Chips are now offered at the relatively high price of $30 a piece in
lots of 10,000 [4].)  Private encryption systems not supporting
wiretaps would require none of these extra costs.

Perhaps most important, government decree would at least partially
replace private marketplace evolution of standards for how voice is to
be represented, encrypted, and exchanged in our future phones.  It is
widely believed that governments are less efficient than private
enterprise in procuring products and standards, though they may perhaps
perform a useful brokering role when we choose between competing private
standards.  How much less efficient is a matter of debate, some say
they pay twice as much, while others might say only 10% more.    

Currently, a total of $96 Billion is spent as operating expenses of
U.S. phone companies [3], which comes out to about $60 per month per
access line.  If we compare this to the wiretap value of two cents per
month, we see that if wiretaps raise average operating costs by even
as much as one part in 3000, then wiretaps are not cost effective!
And this doesn't even include extra costs phone owners pay because
their encryption chips are more expensive.  Of course most phones
wouldn't have encryption chips for a while, but the wiretap benefit
per phone is still the same, so this argument still applies.

CONCLUSION

Given this dramatic difference between the total cost of running the
phone system and the value of wiretaps, we can justify only the
slightest modification of the phone system to accommodate wiretaps.
When the only modification required was to allow investigators in to
attach clips to phone wires, wiretap support may have been reasonable.
But when we consider substantial modification, the burden of proof is
clearly on those proposing such modification to show that the costs
would really be less than the benefits.  

If consensus cannot be obtained on this cost/benefit estimate, a
compromise might be to tax phones which do not support wiretaps at a
rate of say five cents per month, a tax payable to police agencies
nationwide to compensate them for their loss of wiretap abilities.

[1] The Invisible Weapon, Oxford Press, ISBN 0-19-506273-6

[2] Report on Applications for Orders Authorizing or Approving the
    Interception of Wire, Oral, or Electronic Communications, 1990,
    Administrative Office of U.S. Courts, Washington, DC 20544.

[3] U.S. Statistical Abstracts, 1992.  

[4] Dorothy Denning, "The Clipper Chip: A Technical Summary",
    distributed to sci.crypt newsgroup April 21, 1993. 
-- 
Robin Hanson  hanson@ptolemy.arc.nasa.gov 
415-604-3361  MS-269-2, NASA Ames Research Center, Moffett Field, CA 94035
510-651-7483  47164 Male Terrace, Fremont, CA  94539-7921 

Newsgroup: sci.crypt
Document_id: 15762
From: rdippold@qualcomm.com (Ron "Asbestos" Dippold)
Subject: Re: Do we need the clipper for cheap security?


pdc@dcs.ed.ac.uk (Paul Crowley) writes:
>Quoting pmetzger@snark.shearson.com (Perry E. Metzger) in article <1993Apr21.012011.27470@shearson.com>:
>>Whats the difference between a V.32bis modem and a V.32bis modem?

>How fast do the fastest modems go?
>How far can voice be compressed?
>I've seen various assertions about this, but anyone with the
>straightforward bits-per-second figures will be my friend forever...

How about half a friend?  The Motorola Codex preliminary V.Fast modem
(which you can buy right now) does 24.4 kbps (raw) over standard phone
lines.  28.8 kbps is what is usually claimed for the "final" v.fast,
but you can't go out and buy that right now, the standard isn't done yet.

Again, voice can be compressed quite well down to 4000 or 8000 bps
depending on how good you want it to be, but that requires a DSP or a
special ASIC to do in real-time.
-- 
I think I am! I think I am! - the little engine that philosophized

Newsgroup: sci.crypt
Document_id: 15763
From: martin@world.std.com (Martin J Hannigan)
Subject: Re: new encryption

In article <1993Apr22.185330.20976@zip.eecs.umich.edu> dmuntz@quip.eecs.umich.edu (Dan Muntz) writes:
>In article <strnlghtC5wC3z.Erw@netcom.com> strnlght@netcom.com (David Sternlight) writes:
>>psionic@wam.umd.edu, whose parenthesized name is either an unfortunate
>>coincidence or casts serious doubt on his bona fides, posts a message in
>>which he seems willing to take the word of a private firm about which he
>>knows little that their new encryption algorithm is secure and contains no
>>trapdoors, while seemingly distrusting that of the government about clipper.
>
>Will someone please post the David Sternlight FAQ to alt.privacy.clipper before
>someone unfamiliar with him takes him seriously and starts yet another
>flame fest?
>
>  -Dan
>


Hello. I am the David Sternlight keeper of the FAQ. Unfortunately I cannot
find it at the present time.

From the original FAQ:

Question: Does anyone take David Sternlight seriously?

Fact: No one takes David Sternlight seriously. They review his opinions and
in most cases immediately discard them or jerk them over to
alt.fan.david-sternlight which actually should be alt.flame.david-sternlight.

A photograph of David Sternlight for the curious:



                         |\/\/\/\|
                         |       |
                         |  (o)(o)
                         C       _)           David Sternlight
                          |  ,___|            Net.Police
                          |    /              a.k.a. PROUD
              _0--------/\/----\/\-------0_   DICK OF
             /         /0 \----/ 0\        \  THE INTERNET
            /     |      \ \||/ /     |     \
           /     /|DAVID    ||  POLICE|\     \
         _/_____/ ||     ]  ||  | [#] || \_____\_
        |_______/ |\____/   ||  \__*_/| \_______|                    


Question: Why does David continue to relate misstatements regarding
encryption and other topics?

Fact: David Sternlight has a chemical imbalance of the right side of his
brain.



-- 
Martin Hannigan    :       Twisted Pair Consulting       : 617-623-3534
Mac                :         IBM PC & Mainframe          : UNIX

Newsgroup: sci.crypt
Document_id: 15764
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Once tapped, your code is no good any more.

In article <a_rubin.735496128@dsg4.dse.beckman.com>
a_rubin@dsg4.dse.beckman.com (Arthur Rubin) writes:

>
>I wouldn't think so.  Asking people to trust a secret algorithm seems
>unsound to me.

Maybe so, but it's quite common. There are millions of Macintosh users who
have no idea what's in Apple's patented ROMs. Many have modems connected.
How do you know all your business secrets aren't being stolen? Answer:
1. Because you trust Apple;
2. Because if any such attempt, however sophisticated, came out, it would
destroy Apple's credibility forever.

In the Clipper case, a representative body of experts is going to be allowed
to audit it, and we'll have assurances (maybe even from the President) that
other than the escrowed keys there are no back doors. While some may not
have confidence in that (I am not among them), it's a lot more assurance
than we get for many things we routinely trust in everyday life.

David
-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
Document_id: 15765
From: ted@nmsu.edu (Ted Dunning)
Subject: Re: Off the shelf cheap DES keyseach machine (Was: Re: Corporate acceptance of the wiretap chip)


In article <strnlghtC5wCMo.Fx5@netcom.com> strnlght@netcom.com (David
Sternlight) writes:

   >At the company I worked for previously, I received a file that was
   >des encrypted and the person that had sent it, went on vacation.
   >Rather than wait two weeks I set up a straight frontal attack with
   >one key at a time.  It only took two(2) days to crack the file.
   >No, I don't have any faith in DES.
   

   Taking this at face value (though it seems quite dissonant with
   much else that has been published here about brute force DES
   cracking, unless Russell was lucky with respect to the key), I'd be
   very interested in whether the program Russell used is available?

key search is very practical in many real situations since people use
such stupid keys on the average.  password crackers know this well.

   Depending on his answer, this could be an appalling development
   calling into question both DES and RSA/DES.

not really.  in fact, public key based communication systems very
often pick keys automatically which are much better than passwords or
pass phrases.

   If any bright programmer with a little idle machine time can crack
   a single DES message in a couple of days (assuming no tricks that
   are message-specific),

if a person picked the password or pass phrase, then the key search is
pretty straightforward.  in running english text, the average content
of a single word is about 8 bits.  in pass phrases, this may increase
to 10 bits or so.  searching 30-bit spaces is semi-practical even in
software and searching 40-bit spaces isn't outrageous to imagine with
hardware assists of moderate size.

Newsgroup: sci.crypt
Document_id: 15766
Subject: Re: Organized Lobbying for Cryptography
From: kubo@zariski.harvard.edu (Tal Kubo)

In article <C5uprt.GMq@dcs.ed.ac.uk> pdc@dcs.ed.ac.uk (Paul Crowley) writes:
>
>>Perhaps these encryption-only types would defend the digitized porn if it
>>was posted encrypted?
>
>>These issues are not as separable as you maintain.
>
>In fact, since effective encryption makes censorship impossible, they
>are almost the same issue and they certainly fall into the brief of the
>EFF.


It also falls within the purview of the ACLU, but that doesn't mean
the ACLU (or the EFF) would be the most effective instrument to 
"win the hearts and minds" in favor of access to cryptography. 

It's precisely slogans like "cryptography makes censorship impossible"
which stand to torpedo any attempt to generate a broad consensus in favor
of encryption.  It is not true, and in the context of a public debate it
would be a dangerous red herring.  Advocates of strong crypto had better
prepare themselves to answer such charges in pragmatic terms that laypeople
and politicians can sympathize with. The usual mumblings about
Constitutional amendments are not enough.



Tal  kubo@math.harvard.edu

Newsgroup: sci.crypt
Document_id: 15767
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks only


Doug Holland claims Tom Clancy has provided the recipe for nuclear bombs.
Clancy himself says he has omitted certain crucial steps. Further, how do we
know Clancy knows, rather than repeating what he's read or been told in the
unclassified domain?

-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
Document_id: 15768
From: strnlght@netcom.com (David Sternlight)
Subject: Re: political point of attack: Clipper infrastructure

In article <1993Apr22.022324.17172@news.clarkson.edu> tuinstra@signal.ece.clarkson.edu.soe writes:

>
>From these figures, estimate the number of Clipper-tap requests the FBI
>is expecting.  Publish this figure.  Compare it on a per-capita basis
>with the amount of tapping now known or suspected.

The Attorney General publishes the number of court-ordered taps each year.
It isn't enough (around a thousand) for the average non-crook, non-spy to
worry about. In fact, considering any reasonable guess about the number of
big-time crooks and spies around, it may not be enough even for most crooks
and spies to worry about.

There's no reason to believe that it will go up with Clipper, since the
number of taps now includes many targets too stupid to use encryption (based
on the playbacks we've heard in court cases).

David

-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
Document_id: 15769
From: gardner@convex.com (Steve Gardner)
Subject: Re: Would "clipper" make a good cover for other encryption method?

In article <strnlghtC5t3nH.Is1@netcom.com> strnlght@netcom.com (David Sternlight) writes:
>In article <1993Apr20.032623.3046@eff.org> kadie@eff.org (Carl M. Kadie) writes:
>
>
>>So, don't just think of replacements for clipper, also think of front
>>ends.
>
>This only makes sense if the government prohibits alternative non-escrowed
>encryption schemes. Otherwise, why not just use the front end without
>clipper?
	Because everyone but you expects that making alternative methods of 
	encryption illegal is the next step.  Otherwise the Cripple chip is 
	utterly worthless.  It should be obvious that 
		a) the Cripple Chip is aimed at spying on ordinary citizens
				OR
		b) that other forms of encryption will soon be illegal.

						smg



Newsgroup: sci.crypt
Document_id: 15770
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Can DES code be shipped to Canada?

In article <1993Apr22.125402.27561@fripp.ri.cadre.com> rj@ri.cadre.com writes:
>Someone in Canada asked me to send him some public domain DES file
>encryption code I have.  Is it legal for me to send it?

I believe it is illegal to send any cryptographic code out of the country
without an export license. (Others will correct me if this is inaccurate.)

Dunno if you'd get one for the particular code you have; the only way to
find out is to apply for a license.

Note that you need to distinguish between what is legal to send to Canada if
YOU have such a license, and what is legal to send if you don't.

-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  

Newsgroup: sci.crypt
Document_id: 15771
From: strnlght@netcom.com (David Sternlight)
Subject: Wiretapping reality today


Some of the messages here seem to reflect the view that the government is
listening in on everything and one will have to hide one's clipper messages
somehow if non-escrowed crypto goes away.

A little perspective might be in order.

The number of court ordered wire taps is pretty low. Law enforcement has to
present pretty good evidence to get even that limited number of
authorizations.

Thus the overwhelming majority of conversations are neither tapped nor
recorded by the government, and for that to happen they have to:
a) Have a pretty good reason, with evidence;
b) Use this sparingly on highest priority "pretty good reasons."

Though the system may be imperfect, it is a long way from the horror stories
some here seem to believe or anticipate.

-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
Document_id: 15772
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Fear, Uncertainty, Doubt

In article <1r4vo3$koj@access.digex.net> steve-b@access.digex.com (Steve
Brinich) writes:

>  I suspect that the decisive element in the political battle will be the
>FUD (Fear, Uncertainty, Doubt) factor.
>  If the people who would be end users of the Cripple Chip hear of the whole
>debate only vaguely -- the government says it's solid; other people in the
>field say it's Swiss cheese -- the balance of doubt could shift against the
>Feds.  Any attempt to limit other forms of encryption could then be presented
>as the government covering its own butt by protecting its poor product from
>superior competition.
>  Comments?
>
Since you asked, the above is a bit inaccurate. More accurate is that the
government says it's solid, other people in the field who might be able to
find out haven't yet done their review of the chip design, and there's been
a lot of wild speculation and guesswork from those with little information
that it might be Swiss cheese.

David


-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
Document_id: 15773
From: strnlght@netcom.com (David Sternlight)
Subject: Re: I have seen the lobby, and it is us

In article <Apr22.185314.14420@yuma.ACNS.ColoState.EDU>
ns111310@LANCE.ColoState.Edu (Nathaniel Sammons) writes:

>1) I think that most of us can afford a stamp and an envelope, and the
>cost of printing out a letter.
>
>2) If some kind soul out there would write a letter, and upload it to 
>the net, everyone could capture it, print it out, and snail-mail it
>out to their local congressional critter.
>
>BTW>> I'm working on one.

Far more effective than mass mailing of a standard letter (this is taken
usually to represent one pressure group) is a set of individual letters.

Perhaps Nathaniel Sammons or someone else would like to prepare a set of
"talking points" from which individuals could compose their own letters.

-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  

Newsgroup: sci.crypt
Document_id: 15774
From: kadie@cs.uiuc.edu (Carl M Kadie)
Subject: Re: political point of attack: Clipper infrastructure

strnlght@netcom.com (David Sternlight) writes:

[...]
>The Attorney General publishes the number of court-ordered taps each year.
[...]

I believe you are mistaken. I don't believe the AG publishes the
number of state wiretaps.

- Carl

-- 
Carl Kadie -- I do not represent any organization; this is just me.
 = kadie@cs.uiuc.edu =

Newsgroup: sci.crypt
Document_id: 15775
From: Lyle_Seaman@transarc.com
Subject: Re: Overreacting (was Re: Once tapped, your code is no good any more)

jhan@debra.dgbt.doc.ca (Jerry Han) writes:
> Somebody asked me what was wrong about overreacting in cases such as this.

That was probably me.
I meant only that nobody has overreacted yet.  It seemed to me that
Jerry was suggesting that people are currently overreacting, and I 
vehemently disagree.  I see a lot of talk, but not much action.
I see now that I misunderstood Jerry's position.

> The reason is very simple:  How many people do you want to die in a riot? 
> In a new Civil War? 
>
> Everybody is jumping up and down and screaming about it, and I'm worried
> that people are going to reach for their hammers and rifles before their pens
> and paper.  

Not this bunch.  They'll just bitch on the Net for a while, and 
then go back to lurking.

> Can people work within the system before trying to break it?  Examine your
> history books, and find out how many armed revolutions led to Democratic
> (or Democratic style) governments.  I think you'll only find one in over
> five thousand years of written history.

Actually, it's not quite that bad, but it's close.

Look, we (collectively) have the power to throw the bums out, but we
don't use it.  We clearly don't need to go burning things down, but we
clearly do need to throw at least some of the bums out.
Unfortunately, the bums have learned to target only small groups of
people at a single time, so the masses won't react and throw them out.
Eventually, the masses will react, unless the bums cease their
relentless encroachment on liberty and despoilment of the economy.
The sooner it happens, the less the damages will be.  I don't want to
live in a war zone, either -- I want to see the bums thrown out before
they do some *real* damage.

Lyle		Transarc		707 Grant Street
412 338 4474	The Gulf Tower		Pittsburgh 15219

Newsgroup: sci.crypt
Document_id: 15776
From: calkin@math34.gatech (Neil Calkin)
Subject: Re: political point of attack: Clipper infrastructure

In article <C5wMu9.MqJ@cs.uiuc.edu> kadie@cs.uiuc.edu (Carl M Kadie) writes:
   strnlght@netcom.com (David Sternlight) writes:

   [...]
   >The Attorney General publishes the number of court-ordered taps each year.
   [...]

   I believe you are mistaken. I don't believe the AG publishes the
   number of state wiretaps.

   - Carl

   -- 
   Carl Kadie -- I do not represent any organization; this is just me.
    = kadie@cs.uiuc.edu =

Hmmm.... now if we could have *3* keys kept in escrow, with one of the 
groups keeping a key being the government, then the states would need
federal permission to run a wiretap.... interesting possibility:-)


Neil

Newsgroup: sci.crypt
Document_id: 15777
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: Re: Clipper considered harmful

brad@optilink.COM (Brad Yearwood) writes:
>If Clipper comes to cellular phones along with legal proscriptions against
>using other cipher systems on these phones, a new and potentially dangerous
>class of crime is created.
>
>Criminals who very badly want inscrutable tactical communications (specifically
>the terrorists and drug dealers who proponents of key escrow cite as threats)
>will be highly motivated to steal the cipher phone of a legitimate user, and
>to kill this person or hold them hostage so discovery of compromise of the
>device will be delayed.

You obviously haven't read the information about the system. The chips
put out serial number information into the cypher stream to allow
themselves to be identified. The system does not rely on registering
people as owning particular phone units.

I am against the proposal, but let's be accurate in our objections.

--
Perry Metzger		pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
Document_id: 15778
From: davidc@montagar.com (David L. Cathey)
Subject: Re: The [secret] source of that announcement

In article <gradyC5uAMw.BnG@netcom.com>, grady@netcom.com (1016/2EF221) writes:
> Maybe we should start a newsgroup for the distribution of encrypted 
> posts intended of members of affinity groups with a shared private
> key.  For example at the coming up Cypherpunks meeting, a private
> key corresponding to that particular meeting could be passed out
> by a moderator.  Minutes, followup comments to other participants,
> and so on could be posted to the alt.encrypted group for the use
> of the people who attended. Communiques intended by the group for
> non-attendees could of course just be signed using the private key
> but otherwise not encrypted.

	I like it.  PGP would be useful, I guess.  Although I don't have
a working version for VMS yet... :-(

> grady@netcom.com  2EF221 / 15 E2 AD D3 D1 C6 F3 FC  58 AC F7 3D 4F 01 1E 2F
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
David L. Cathey		                |INET: davidc@montagar.com
Montagar Software Concepts              |UUCP: ...!montagar!davidc
P. O. Box 260772, Plano TX  75026-0772  |Fone: (214)-618-2117

Newsgroup: sci.crypt
Document_id: 15779
From: lefty@apple.com (Lefty)
Subject: Re: freely distributable public key cryptography c++ code:  where?

In article <gradyC5wGrz.CvC@netcom.com>, grady@netcom.com (1016/2EF221)
wrote:
> 
> Victor Iseli (victori@xetron.com) wrote:
> : 
> : 
> : "Numerical Recipes in C"..Fortran..Pascal  has a nice section on
> : encryption and decryption based on the DES algorithm.  There is
> : also source code provided (I think some versions of this book are 
> : distributed with the source code on disk; the source code can
> : also be ordered from the publisher).
> : 
> : --Victor Iseli
> : victori@xetron.com
> 
> Yes I benchmarked the DES implementation in the Recipes in C
> book.. it is about 1 1/2 orders of magnitude SLOWER than the
> Outerbridge/Karn/Gillogly/et al implementation.
> 
> It may be instructional, but it isn't very fast.

It has also apparently been excised from the second edition.

--
Lefty (lefty@apple.com)
C:.M:.C:., D:.O:.D:.

Newsgroup: sci.crypt
Document_id: 15780
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: CELP vocoders

gtoal@gtoal.com (Graham Toal) writes:
>Absolutely.  I just meant that no secure *dedicated* crypto device has
>ever been given approval.  Guerrilla underground devices should be well
>possible with today's high-speed modems (not that I can think of many v32bis
>modems that are approved either mind you - just the overpriced Couriers)
>
>Can someone tell me if hardware compression is or is not needed to run
>digital speech down 14.4K?  I think it is; I've heard it's not.  Lets
>say 8 bit samples.  Would *raw* data at the corresponding sampling rate
>be usable?  If not, how fancy does the compression need to be?

It is said that CELP vocoders can run on the highest speed 486s with
some room to spare -- they turn 64kbit (8 bit samples, 8k samples/sec)
into 4800 baud. However, DSP is hairy, and I have yet to see actual
proof of this in the form of an implementation. I have heard fairly
reliable rumors to the effect that a famous internetworking guru has a
CELP implementation that runs on Sparcstation 1+'s with some room to
spare, but I have not succeeded thus far in getting my hands on a copy
-- the guru in question has a reputation for not releasing code
without having beaten on it for a very very long time first. 

DSP experts are heavily encouraged to try their own hand at this
problem.

--
Perry Metzger		pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
Document_id: 15781
From: koontzd@phobos.lrmsc.loral.com (David Koontz )
Subject: Is key escrow enough?

>From: denning@guvax.acc.georgetown.edu
>                           Revised, April 21, 1993

>The chips are programmed by Mykotronx, Inc., which calls them the
>"MYK-78."  The silicon is supplied by VLSI Technology Inc.

>All Clipper Chips are programmed inside a SCIF (Secure Compartmented
>Information Facility), which is essentially a vault.  The SCIF contains
>a laptop computer and equipment to program the chips.  About 300 chips
>are programmed during a single session.  The SCIF is located at
>Mykotronx.

>ACKNOWLEDGMENT AND DISTRIBUTION NOTICE.  This article is based on
>information provided by NSA, NIST, FBI, and Mykotronx.  Permission to
>distribute this document is granted.

So, who is Mykotronx, Inc.?  It would be nice to know that they are
not a front company used by an intelligence or other agency of the 
U.S. government.

While we are at it, the chip design(s) should be examined and verified
against silicon to ensure no trap doors or hidden protocols exist in silicon,
regardless of the security level of the encryption algorithm.  There is
no proof that the chip won't squeal and roll over for someone with the
proper knowledge to interrogate it via the communications link.

The design examination should be done to the gate level.  Also, how does one
verify that what you are looking at is reflected in tapeout, or masks?

The silicon should be examined as well, the design in hand (a clean room
publicly defined clipper chip) can be merged with another design later, or
changed between completion and mask out.  There is little proof that what
you are told is in the chip is all that is in the chip.

Put the (verified) masks in escrow, and use them for chip production,
use a third escrow party for programming the chips. 

The government is asking for a lot of blind trust:  the encryption algorithm, 
operating protocols, the agency having physical control of the devices, the 
silicon implementation.  If the  government is so trustworthy, why escrow
anything?


Newsgroup: sci.crypt
Document_id: 15782
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks  only

amanda@intercon.com (Amanda Walker) writes:
>
>> We *do* need an alternative to NSA-bugged telephones, but 
>> we're talking inexpensive *telephones* here, including hand-sized 
>> cellulars, that need strong crypto, real privacy.
>
>So start a company and build them.  This is still mostly a capitalist 
>economy...

Qualcomm had spare cycles in the DSPs for their new CDMA digital
cellular phones. They wanted to put strong crypto into them since they
had the capacity. The government decided to "discourage" them.

Really, none of this stuff is especially hard. All you need for a true
private phone is an ISDN codec, a vocoder (either a chip or
software), an encryptor (a chip is fine, but software is more than
fast enough), a V.32 or V.32bis modem module, and maybe a
microcontroller to run the whole thing. It's easy to do, it's cheap. And
any "normal" company trying to put one out will likely get a visit
from the boys in the dark suits from Washington, just like Qualcomm
did. I suspect that companies like Cylink are tolerated because their
products are too expensive.

However, no law yet stops one from building really private phones, in
spite of the hints the administration has made when discussing the new
"crime bill" and in connection with the Clipper/Skipjack Big Brother
chip. Someone out there WILL build a unit to do all this. Better yet,
perhaps someone will produce a package that turns any 486 box with a
sound card into a secure phone.

--
Perry Metzger		pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
Document_id: 15783
From: grady@netcom.com (1016/2EF221)
Subject: Re: transparent cyphertext?

 (34AEJ7D@CMUVM.BITNET) wrote:
: In light of recent events, it may soon become a very good idea
: to include the ability to produce transparent, or at least non-obvious,
: cyphertext in upcoming revisions.

This won't help if the NSA/FBA axis requires all messages to
undergo textual analysis and reduction to canonical form to
eliminate concealed messages.

After reading several National Computer Security Center
documents, I'm convinced that they are already using this
filter.  DoubleplusgoodNOT.

-- 
grady@netcom.com  2EF221 / 15 E2 AD D3 D1 C6 F3 FC  58 AC F7 3D 4F 01 1E 2F


Newsgroup: sci.crypt
Document_id: 15784
From: arussell@austin.ibm.com (AG Russell)
Subject: Re: Off the shelf cheap DES keyseach machine (Was: Re: Corporate acceptance of the wiretap chip)


In article <strnlghtC5wCMo.Fx5@netcom.com>, strnlght@netcom.com (David Sternlight) writes:
> In article <C5uvn4.MF7@austin.ibm.com> arussell@austin.ibm.com (AG Russell)
> writes:
> 
> >
> >At the company I worked for previously, I received a file that was DES encrypted
> >and the person that had sent it went on vacation.  Rather than wait two weeks
> >I set up a straight frontal attack with one key at a time.  It only took two(2)
> >days to crack the file.  No, I don't have any faith in DES.
> >
> 
> Taking this at face value (though it seems quite dissonant with much else
> that has been published here about brute force DES cracking, unless Russell
> was lucky with respect to the key), I'd be very interested in whether the
> program Russell used is available? In whether he used a cleartext
> recognition algorithm in the program or whether he had to examine each
> decryption by hand? In whether he used a known plaintext attack?

Given that certain archival methods have certain key (cleartext) in a file, I
used a programmatic dictionary attack.  I used the DES library provided with the
system that I was using.  What is to keep anyone from being lucky with a key?
 
> He probably should also tell us, given his address, what machine he used--a
> desktop, workstation, or super-computer.

My previous employment has nothing to do with my current address, other than
the fact that the fastest machine in the office was an IBM RISC System/6000 
model 530, with 16 meg of memory.(not a super-computer)
 
> Depending on his answer, this could be an appalling development calling into
> question both DES and RSA/DES. Dunno about RSA/IDEA.

I really think this is more of a statement of the limitations placed on the key
by the interface (ASCII chars/no padding), and most programs don't bother to
clear off the archival front and backend IDs.

> If any bright programmer with a little idle machine time can crack a single
> DES message in a couple of days (assuming no tricks that are
> message-specific), then here's my Clipper key, NSA; give me the chip at
> once.  :-)

Yes, any moderately bright programmer with a little idle machine time can
crack most of today's real world encryption.  I'm sure that you or I could
select a key and prepare the data in order that the decryption will become a
worst case, but that is not the real world, and I'm sure that is how any
agency would start an attack on a message; as you pointed out, there are some
very good recognition algorithms available, I'm just not familiar with them.

A.G.
-- 
A.G. Russell   Dept A06S  OLTP section of PALS Group   VM ID  SC39093 at AUSVM1
Email  arussell@austin.ibm.com       Phone 512-838-7953        TieLine 678-7953
These are my views, on anyone else they would look silly. FREE THE BERKELEY 4.4

Newsgroup: sci.crypt
Document_id: 15785
From: rens@stimpys.imsi.com (Rens Troost)
Subject: Re: Overreacting (was Re: Once tapped, your code is no good any more)

In article <1993Apr22.134214.18517@rick.dgbt.doc.ca> jhan@debra.dgbt.doc.ca (Jerry Han) writes:

>   In this giant bally-ho over this Clipper chip I noticed a rather
>   disturbing trend in some of the E-mail and posts I've tossing back and
>   forth.  

Me too. A tendency on the part of some people to hide their head in
the sand.

>   The reason is very simple:  How many people do you want to die in a riot? 
>   In a new Civil War? 

How many people do you want jailed for their convictions, for their
insistence on real privacy? Why sit by quietly while the preconditions
for a real civil war are put in place by a short-sighted government.

>   Everybody is jumping up and down and screaming about it, and I'm worried
>   that people are going to reach for their hammers and rifles before their pens
>   and paper.  

The terminal is mightier than the pen :)

>   Can people work within the system before trying to break it?  Examine your
>   history books, and find out how many armed revolutions led to Democratic
>   (or Democratic style) governments.  I think you'll only find one in over
>   five thousand years of written history.

Really? I guess you mean the U.S. revolution. How about England,
India, Mexico, France, Holland....

>   That's not very good odds.  

You are misinformed. But this whole issue is off the topic.

>   Somebody once said something like: "Armed Violence is meant only to be
>   used in response to an armed attack.  It is not meant to be used in
>   aggression.  This is the difference between self-defence and murder."

When the cops kick in your door for using PGP, tell them that. All
we're doing here is exercising our (so-called, rapidly narrowing)
right to free speech. 

>   I'm probably overreacting.  But what I've read scared me a lot.  I don't
>   want my children growing up in a War Zone.

Perhaps you should talk to the government about that. Or are you a
disciple of David "The cops are our FRIENDS" Sternlight?

The implied threat of the illegalization of private crypto, the
not-so-subtle subtext of the clipper announcement, is what worries me.
I don't want my children growing up in a police state.

-Rens

**Disclaimer: all opinions herein are mine and mine alone, and do not
              necessarily represent those of any organization with
              which I may be affiliated.
--
  o===============================================================o
  | J. Laurens Troost - UNIX Systems  | At Work: rens@imsi.com    |
  | Investment Management Svcs, Inc.  | At Play: rens@century.com |
  | 12 East 49th Street,  35th floor  |   Phone: (212) 339-2823   |
  | New York, New York         10017  |     Fax: (212) 444-1980   |
  o===============================================================o
     -- IMS is unlikely to share any of the above opinions --

Newsgroup: sci.crypt
Document_id: 15786
From: steve-b@access.digex.com (Steve Brinich)
Subject: Re: Overreacting (was Re: Once tapped, your code is no good any more)

  It is my intent to cut the government off at the knees with the pen
(and keyboard).  True, the lawyer and the lawbook only go so far, but
I agree that it is best to use those resources to the maximum extent
before seriously contemplating anything more... disruptive.


Newsgroup: sci.crypt
Document_id: 15787
From: steve-b@access.digex.com (Steve Brinich)
Subject: Re: Once tapped, your code is no good any more.

 > Maybe so, but it's quite common. There are millions of Macintosh users who
 >have no idea what's in Apple's patented ROMs. Many have modems connected.
 >How do you know all your business secrets aren't being stolen? Answer:
 >1. Because you trust Apple;
 >2. Because if any such attempt, however sophisticated, came out, it would
 >destroy Apple's credibility forever.  

  The reason I could theoretically trust Apple (though I'm a PC person
myself :-) ) is that Apple has to worry about their customers deserting
them if they screw up badly enough.  The government doesn't have any such
worry; it can change the rules by force to get the outcome it wants.  This
is the ultimate reason why private enterprise is usually more efficient
than government agencies.


Newsgroup: sci.crypt
Document_id: 15788
From: mjs@behemoth.genetics.wisc.edu (Mike Schmelzer)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

In article <strnlghtC5puCL.6Kp@netcom.com> strnlght@netcom.com (David Sternlight) writes:
> In article <Apr18.204843.50316@yuma.ACNS.ColoState.EDU>
> holland@CS.ColoState.EDU (douglas craig holland) writes:


>>	Let me ask you this.  Would you trust Richard Nixon with your
>>crypto keys?  I wouldn't.

> I take it you mean President Nixon, not private citizen Nixon. Sure.
> Nothing I'm doing would be of the slightest interest to President Nixon .

Mr. Sternlight, your naivete and historical ignorance is appalling.

[ History lesson detailing 1968-74 deleted. ]
--
=== Mike Schmelzer,  mjs@genetics.wisc.edu, (608)262-4550. Finger for PGP.
=== "People didn't riot the minute they saw that film.
=== They waited on justice. Which never came." - Ice T.

Newsgroup: sci.crypt
Document_id: 15789
From: mjr@tis.com (Marcus J Ranum)
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks  only

pmetzger@snark.shearson.com (Perry E. Metzger) writes:
>Really, none of this stuff is especially hard. All you need for a true
>private phone is an ISDN codec, a vocoder (either a chip or
>software), an encryptor (a chip is fine, but software is more than
>fast enough), a V.32 or V.32bis modem module, and maybe a
>microcontroller to run the whole thing. It's easy to do, it's cheap. And
>any "normal" company trying to put one out will likely get a visit
>from the boys in the dark suits from Washington, just like Qualcomm
>did.

	Have the feds shut down the people making Sound Blaster? What
about Apple and NeXT? Apple, NeXT, Sun, and others make systems that
can handle CD-quality audio in and out, and can perform arbitrary
transformation on it in the process of transmitting it across a network
or modem.

	Perhaps there's a market for a portable vocoder. Not a crypto
device, simply an RS232<->voice converter. Make it capable of recording
speech and playing it back simultaneously. It has applications for
multimedia, computing for the handicapped, Internet Talk Radio, IRC,
etc, etc, etc.  It wouldn't be a cryptographic device at all - but I
suppose someone could have it hooked to a 486 laptop with a V.32bis
modem and some crypto software. I'd market the thing with an API for
text-to-speech using simple phonemes and the ability to use speech
samples. And, of course, I'd publish the interface to it so other
folks could write any applications they wanted to talk to the thing.

mjr.

Newsgroup: sci.crypt
Document_id: 15790
From: tauren@rigel.cs.pdx.edu (Tauren N Mills)
Subject: Thoughts and questions

I just joined this group recently and really do not know much about
cryptography, but a couple things came to mind while reading through
the posts.

1.  Is the Clipper chip going to be exported?  If not, how will
people communicate with other countries?  Will they have to do
that in un-crypt-mode?  Will other encryption techniques be
legal (assuming the government cracks down on using others) when
going overseas, but not within the states?

2.  I've read about authentication systems that use an electronic  
security card that looks like a calculator to create an encrypted
PIN based on the time/date.  The host system has the algorithm
built into it as well so that it can authenticate a user.
Is there some form of encryption technology that would create
keys that are only valid at a certain instant in time?  The 
systems would then allow a "window" of time around this instant
where the key would work.
I realize that this technique would increase the amount of information
needing to be stored because you would need entire algorithms rather
than just keys.  But for smaller scale things it might work.
Could some similar method be used to make the two 80-bit keys that
are issued to police/FBI/etc to tap a phone only usable for one-week
(for instance).  If further surveillance was needed, they would have
to go back to the escrow service to get another key.  This would
make it useless for local police to database keys they have used.

I assume this is not possible because the receiving phone would need
to be able to decipher the message.  But any thoughts on the subject?

Thanks,
Tauren Mills

Tauren Mills
tauren@rigel.cs.pdx.edu
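
The calculator-style token asked about above, as an added example (not
part of the original post and not any vendor's product): a one-time code
derived from a keyed hash of the current time slot, a host that accepts
codes from neighbouring slots to tolerate clock drift, and a replay check
so the same code is not accepted twice.  The construction is the
HOTP/TOTP one from RFC 4226 / RFC 6238, which is one way to build such a
token; the 30-second step and the six-digit length are assumptions.

```python
"""Time-windowed one-time code (HOTP/TOTP construction).  Added example;
the step and digit count are assumptions, not values from the post."""
import hashlib
import hmac
import struct

STEP = 30      # seconds per time slot (assumption)
DIGITS = 6     # code length (assumption)


def time_slot(ts: float, step: int = STEP) -> int:
    """Slot counter: the number of whole steps since the epoch."""
    return int(ts) // step


def one_time_code(secret: bytes, ts: float, step: int = STEP,
                  digits: int = DIGITS) -> str:
    """HMAC-SHA1 over the 8-byte big-endian slot counter, dynamically
    truncated (RFC 4226 section 5.3) to `digits` decimal digits."""
    counter = struct.pack(">Q", time_slot(ts, step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def matching_slot(secret: bytes, candidate: str, ts: float, window: int = 1,
                  step: int = STEP, digits: int = DIGITS):
    """Return the slot whose code equals `candidate`, trying the current
    slot and `window` slots either side, or None.  Every candidate slot is
    checked (no early exit) so timing does not reveal which one matched."""
    found = None
    for drift in range(-window, window + 1):
        slot_ts = ts + drift * step
        expected = one_time_code(secret, slot_ts, step, digits)
        if hmac.compare_digest(expected, candidate):
            found = time_slot(slot_ts, step)
    return found


class Verifier:
    """Host side: holds the shared secret and remembers the last slot it
    accepted, so a captured code cannot be replayed inside its window
    (a later slot must be presented before any new code is accepted)."""

    def __init__(self, secret: bytes, window: int = 1,
                 step: int = STEP, digits: int = DIGITS):
        self.secret = secret
        self.window, self.step, self.digits = window, step, digits
        self.last_slot = -1

    def check(self, candidate: str, ts: float) -> bool:
        slot = matching_slot(self.secret, candidate, ts,
                             self.window, self.step, self.digits)
        if slot is None or slot <= self.last_slot:
            return False
        self.last_slot = slot
        return True


if __name__ == "__main__":
    import time
    secret = b"constructed demo secret"   # constructed; provision per user
    now = time.time()
    code = one_time_code(secret, now)
    host = Verifier(secret)
    print(code, host.check(code, now), host.check(code, now + 5))
```

The two tolerance knobs are `window` (how much clock drift the host
forgives, in slots) and the replay record; widening the window without
the replay record turns every intercepted code into a reusable password
for up to three slots.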

Newsgroup: sci.crypt
Document_id: 15791
From: "Jon C. R. Bennett" <jb7m+@andrew.cmu.edu>
Subject: Re: Ideas on Clipper

Jim Gillogly <jim@mycroft.rand.org> writes:
> In article <0fpiZBG00WC70qOKYw@andrew.cmu.edu> you write:
> >suppose I knew how the algorithm worked and knew the N for my chip, but
> >did not know F, then by cryptanalysis I might be able to determine F from
> >the law enforcement field 
> >   E[E[K; U] + N; F]
> >not knowing N might make this much harder.
> 
> They're betting that you can't do this, even if you know N.  Even if you
> know E, in fact, which they're trying to keep secret.  If you can find E
> by grinding down the chip, presumably you can find F as well.  But we can't
> do this right now with DES, even knowing the encryption method without
> doing almost the whole 56-bit search.

That is not true; with chosen plaintext attacks DES keys can be determined
without the full search.

> 
> >Now suppose that I know F, (either legitimately or not),
> >If I know K (either because I am involved in the conversation, or I know U
> >for a party in the conversation), I may now be able to determine U for the
> >other party.
> 
> Again, they're betting that you can't find U given K -- i.e. they claim the
> encryption is strong.  (Trust us...)

I am not willing to take that bet.

> >If I know F I can also defeat the law enforcement field, since I could
> >make my own, with a different K then the one I am using. Knowing F also
> >allows traffic analysis to be performed. So I might not know what you are
> >saying but I could know who you are saying it to.
> 
> I'm not sure there'll be a way to shove arbitrary key and data through your
> chip, but if so, this part's OK.  (We're assuming E is unknown.)

You can obviously shove arbitrary data through your chip......
As for the key, it is stated that the session key exchange is external to
the chip, so I can pick my keys too.

> >Now I admit that someone trying to compute U will not have lots of
> >messages to work from, but since we have no way of knowing that the key
> >generation method does not (deliberately?) generate weak keys, or for that
> >matter that the published method is in fact used, perhaps the U's will be
> >chosen from known weak keys for the system.
> 
> They assume that you won't be able to find U no matter how many messages
> you have.  If <they> could break U, they wouldn't need the key escrow.

BING BING BING BING BING, THAT'S EXACTLY MY POINT, SINCE WE CAN'T KNOW THAT
THEY DO NOT HAVE THIS CAPABILITY, THE ONLY SAFE ASSUMPTION IS THAT THEY
DO... I admit that most of my cryptographic complaints are probably
unfounded, but since we can't know one way or the other, I'm not going to
take their word for it....

> >Obviously the compromise of F would be a disaster, both to law enforcement
> >for whom this whole thing is designed, and for the people who believe that
> >it is giving them security. F is but one number, and I'm sure that a lot of
> >people (more than 1) know what it is (and if some "panel of experts" is
> >going to check it over for flaws then many more will know F; forget
> >grinding chips, bribery and blackmail work just fine).
> 
> It's not clear that the "experts" will be told F.  In fact, I'd be surprised.
> I'd expect something more of the form of the FIPS pub describing DES, so that
> they could look at the algorithm in general, rather than with the specific
> set of keys chosen.

Oh come on, that's like saying you could evaluate DES without the S-box
constants.....

jon
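
A toy model of the field structure quoted above, E[E[K; U] + N; F], as
an added example (not from the post, and not Skipjack, whose algorithm is
secret): the block cipher E is a small HMAC-driven Feistel network that
stands in for the real one, the session and unit keys are 80 bits as the
posts describe, and the 4-byte serial number N is an assumption.  It
exercises the three consequences Jon raises: the escrow side recovers K
given F and the table of unit keys; anyone holding F reads N for traffic
analysis without any U; and anyone holding F can emit a field that
decrypts cleanly but wraps a key unrelated to the traffic key, since
nothing in this structure binds the field to the session actually in use.

```python
"""Toy model of LEAF = E[ E[K; U] || N ; F ].  Added example.  E is NOT
Skipjack; it is a 4-round Feistel network with an HMAC-SHA256 round
function, used only so the structure can be exercised offline."""
import hashlib
import hmac
import os

ROUNDS = 4
KEY_LEN = 10      # 80-bit session key K and unit key U, as in the posts
SERIAL_LEN = 4    # length of the chip serial number N (assumption)


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Keyed round function: HMAC over (round index || half), truncated."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:len(half)]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def E(key: bytes, block: bytes) -> bytes:
    """Encrypt one even-length block: (L, R) -> (R, L xor f(R)) per round."""
    n = len(block) // 2
    left, right = block[:n], block[n:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def D(key: bytes, block: bytes) -> bytes:
    """Inverse of E: the same rounds run backwards."""
    n = len(block) // 2
    left, right = block[:n], block[n:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def make_leaf(K: bytes, U: bytes, N: bytes, F: bytes) -> bytes:
    """What the sending chip emits: K wrapped under its unit key U, serial
    N appended, the whole thing encrypted under the family key F."""
    return E(F, E(U, K) + N)


def escrow_recover(leaf: bytes, F: bytes, unit_keys: dict):
    """Escrow side: strip the F layer, look up U by serial, unwrap K."""
    inner = D(F, leaf)
    wrapped, N = inner[:KEY_LEN], inner[KEY_LEN:]
    return N, D(unit_keys[N], wrapped)


def traffic_analysis(leaf: bytes, F: bytes) -> bytes:
    """Anyone holding F learns which chip is talking, with no U at all."""
    return D(F, leaf)[KEY_LEN:]


def forge_leaf(N: bytes, F: bytes, inner: bytes = None) -> bytes:
    """Anyone holding F builds a field that decrypts cleanly under F and
    names serial N, but wraps bytes unrelated to the real session key."""
    return E(F, (inner or os.urandom(KEY_LEN)) + N)


if __name__ == "__main__":
    # constructed demo values; F would be the one secret shared by every chip
    F = b"family-key-demo!"
    U = bytes(range(KEY_LEN))
    N = b"\x00\x00\x12\x34"
    K = os.urandom(KEY_LEN)
    leaf = make_leaf(K, U, N, F)
    print("escrow gets K:", escrow_recover(leaf, F, {N: U})[1] == K)
    bogus = forge_leaf(N, F)
    print("serial still readable:", traffic_analysis(bogus, F) == N)
    print("escrow gets K from forged field:",
          escrow_recover(bogus, F, {N: U})[1] == K)   # False
```

The escrow function succeeds on the forged field exactly as it does on
the genuine one; it has no way to tell that the key it unwrapped opens
nothing.  That is the property the post is pointing at, and it holds for
any E, strong or weak, as long as the structure stays as written.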

Newsgroup: sci.crypt
Document_id: 15792
From: rschnapp@metaflow.com (Russ Schnapp)
Subject: Re: Overreacting (was Re: Once tapped, your code is no good any more)

In article <1993Apr22.134214.18517@rick.dgbt.doc.ca>, jhan@debra.dgbt.doc.ca (Jerry Han) writes:
|> In this giant bally-ho over this Clipper chip I noticed a rather
|> disturbing trend in some of the E-mail and posts I've been tossing back and
|> forth.  
|> 
|> Somebody asked me what was wrong about overreacting in cases such as this.
|> 
|> The reason is very simple:  How many people do you want to die in a riot? 
|> In a new Civil War? 
|> 
|> Everybody is jumping up and down and screaming about it, and I'm worried
|> that people are going to reach for their hammers and rifles before their pens
|> and paper.  

Well, I know one person who is ready to kill.  Me.  And the victim is
this whole topic, damnit.  

PLEASE STOP COPYING ALL THIS CRAP TO comp.org.acm.  PLEASE?
-- 

...Russ Schnapp
Email: netcom!metaflow!rschnapp or rschnapp@Metaflow.com or rschnapp@BIX.com
Metaflow Technologies   Voice: 619/452-6608x230;  FAX: 619/452-0401
La Jolla, California    Unless otw specified, I'm speaking only for myself!

Newsgroup: sci.crypt
Document_id: 15793
From: holland@CS.ColoState.EDU (douglas craig holland)
Subject: Re: new encryption

In article <strnlghtC5wC3z.Erw@netcom.com> strnlght@netcom.com (David Sternlight) writes:
>
>psionic@wam.umd.edu, whose parenthesized name is either an unfortunate
>coincidence or casts serious doubt on his bona fides, posts a message in
>which he seems willing to take the word of a private firm about which he
>knows little that their new encryption algorithm is secure and contains no
>trapdoors, while seemingly distrusting that of the government about clipper.

I have a couple of reasons why I would be more likely to trust this algorithm:
	1. The algorithm will be made totally public, once it is patented.
	2. The keys will NOT be escrowed.
Of course if either of these is not true, I will not use this new algorithm.
Since I have never seen this new algorithm, I have no idea how secure it is
yet.

>I suppose it depends on how paranoid one wishes to be, but how does the
>writer know the firm isn't, for example, an NSA front? For purposes of this
>message, how do we know "psionic" isn't?
>
>I don't suggest that, but post this to point out that there is a class of
>speculation that has no more truth value, without lots of hard evidence,
>than the contrary one.
>
>By the way, if "psionic" had said, in lower case letters, that the firm
>CLAIMS there was no back door, I'd have no problem with that phrasing.
>
I can't make any judgements about the algorithm itself yet, but I do notice
that the creators of this algorithm are being more open about how the
thing works, and are willing to make it public, showing that after a bit
of scrutiny, any weaknesses will probably be revealed, while we don't know
about Clipper.

Doug Holland

-- 
|  Doug Holland                | Anyone who tries to take away my freedom  |
|  holland@cs.colostate.edu    | of speech will have to pry it from my     |
|  PGP key available by E-mail | cold, dead lips!!                         |

Newsgroup: sci.crypt
Document_id: 15794
From: wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705)
Subject: Re: Off the shelf cheap DES keyseach machine (Was: Re: Corporate acceptance of the wiretap chip)

In article <C5uup3.5wp@news.claremont.edu> ebrandt@jarthur.claremont.edu (Eli Brandt) writes:
   In article <1993Apr21.132318.16981@ulysses.att.com> smb@research.att.com (Steven Bellovin) writes:
   >Remember that they've promised to let a committee of outside experts see
   >the cryptosystem design.

   I hope there are some silicon jocks on the committee who can follow
   the algorithm through to hardware.  While I doubt the NSA would pull
   any monkey business on this point -- they have to expect that the
   chip will be reverse-engineered sooner or later -- it's an obvious
   opportunity to introduce additional holes.

The chip isn't the place to pull the monkey business - you do it in
the key generation, either by having a mathematical backdoor,
or by having the program on the laptop that supposedly generates the
keys also save a copy of S1 and S2 and leak it out somehow,
or by having the program that supposedly puts the official keys
on the chip actually put a *different* key there (VERY hard to detect,
since the escrow agents have to either trust the NSA laptop or
give each other the S* keys, and they still don't know the algorithm.)
Or have the chip-burner at the factory make copies of the keys.
Or whatever.
--
#				Pray for peace;      Bill
# Bill Stewart 1-908-949-0705 wcs@anchor.att.com AT&T Bell Labs 4M312 Holmdel NJ
#	              No, I'm *from* New Jersey, I only *work* in cyberspace....
# White House Comment Line 1-202-456-1111  fax 1-202-456-2461

Newsgroup: sci.crypt
Document_id: 15795
From: rlglende@netcom.com (Robert Lewis Glendenning)
Subject: Re: Do we need the clipper for cheap security?

There are chips which perform the voice compression/expansion.  They can't
be expensive, because they exist in many phones connected to PBXs or on the
PBX line cards, as well as in a lot of equipment which compresses
voice-grade circuits to save the cost of long-distance, leased T1s or
satellite circuits.

I can't remember the generic term for these chips.  My impression is that
this was a big deal 10 years ago, but circuits have gotten so cheap that
it isn't done much now.

Lew

-- 
Lew Glendenning		rlglende@netcom.com
"Perspective is worth 80 IQ points."	Niels Bohr (or somebody like that).

Newsgroup: sci.crypt
Document_id: 15796
From: rdippold@qualcomm.com (Ron "Asbestos" Dippold)
Subject: Re: Wiretapping reality today

strnlght@netcom.com (David Sternlight) writes:
>Some of the messages here seem to reflect the view that the government is
>listening in on everything and one will have to hide one's clipper messages
>somehow if non-escrowed crypto goes away.
>A little perspective might be in order.

Right.  People here believe the government is listening in on
everything.  Sure.  If you can't provide an answer, change the
assumptions to something you can deal with.

It's not a matter of the government listening in on everything, it's a
matter of the government listening in on anyone they take an interest in.
Say, if you do something heinous like attend a computer meeting at a
mall, the Secret Service decides to go for a warrantless search, and
acquires your name.  It's a matter of any number of possible wiretap
abuses that cryptology makes far less likely, and this chip can
sabotage. 

Par for the course, though.  I predicted that you'd be jumping in in
favor of this.  The reply was that you'd justify anything up to and
including death camps as long as the government backed them and had a
written policy statement.  Perhaps a little extreme, but not much.
-- 
"Seattle" is an Indian word meaning "52 degrees and raining."

Newsgroup: sci.crypt
Document_id: 15797
From: wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705)
Subject: Re: Do we need the clipper for cheap security?

In article <C5upHy.GH7@dcs.ed.ac.uk> pdc@dcs.ed.ac.uk (Paul Crowley) writes:
   How fast do the fastest modems go?

V.FAST is targeted for about 28kbps; 14.4kbps is ~$500, and 19.2 may
be here soon too.  (Remember to ignore compression figures which make
your modem go faster on compressible data, because voice gets
compressed better than that, and encryption makes further compression impossible.)

   How far can voice be compressed?

The STU-III phones on the market from AT&T, Motorola, and (I forget who else),
give you a choice of 9600, 4800, and 2400 baud.  The 9600 and 4800 are CELP,
and I think the 2400 is some earlier military vocoder stuff.
9600 is decent, 2400 is pretty artificial, anything less is Speak&Spell.
16000 can produce quite adequate sound.  There's also some 8 kbps CELP around.
DSPs have made it possible to do all this in real time for cheap.

Old-hand government crypto have trouble adjusting to systems faster
than 9600 baud, because if the voice on the other end sounds good,
you assume the crypto hasn't been turned on yet :-)
--
#				Pray for peace;      Bill
# Bill Stewart 1-908-949-0705 wcs@anchor.att.com AT&T Bell Labs 4M312 Holmdel NJ
#	              No, I'm *from* New Jersey, I only *work* in cyberspace....
# White House Comment Line 1-202-456-1111  fax 1-202-456-2461
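
Bill's remark that encryption makes further compression impossible,
measured, as an added example (not from the post): zlib is run on a
constructed, repetitive frame stream before and after a stand-in stream
cipher (HMAC-SHA256 in counter mode, an assumption made only so the
example runs offline with no cipher library).  The usable ordering is
compress, then encrypt; the reverse leaves the modem's compressor nothing
to find, so the effective line rate is whatever the vocoder emits.

```python
"""Compression ratio before and after encryption.  Added example; the
keystream generator is a stand-in for a real cipher, not a recommendation."""
import hashlib
import hmac
import struct
import zlib


def keystream(key: bytes, length: int) -> bytes:
    """Pseudorandom bytes: HMAC-SHA256(key, counter) blocks, concatenated."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, struct.pack(">Q", counter), hashlib.sha256).digest()
    return bytes(out[:length])


def encrypt(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream (a one-time use of `key` is assumed)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def compression_ratio(data: bytes) -> float:
    """Compressed size over original size; below 1.0 means it helped."""
    return len(zlib.compress(data, 9)) / len(data)


def sample_frames(n_frames: int = 400) -> bytes:
    """Constructed stand-in for a low-bit-rate voice stream: identical
    20-byte frames, i.e. highly redundant input a modem would squeeze."""
    return bytes(range(20)) * n_frames


def compare(key: bytes = b"constructed demo key") -> dict:
    """Ratios for: raw stream; compress-then-encrypt; encrypt-then-compress."""
    plain = sample_frames()
    packed_then_enc = encrypt(key, zlib.compress(plain, 9))
    return {
        "plain": compression_ratio(plain),
        "compress_then_encrypt": len(packed_then_enc) / len(plain),
        "encrypt_then_compress": compression_ratio(encrypt(key, plain)),
    }


if __name__ == "__main__":
    for name, ratio in compare().items():
        print(f"{name:24s} {ratio:.3f}")
```

compare() returns the three ratios: the raw stream and the
compress-then-encrypt case shrink to a few percent, while
encrypt-then-compress comes out at or slightly above 1.0 because the
ciphertext is indistinguishable from random bytes to the compressor.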

Newsgroup: sci.crypt
Document_id: 15798
From: holland@CS.ColoState.EDU (douglas craig holland)
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks only

In article <strnlghtC5wJAG.46L@netcom.com> strnlght@netcom.com (David Sternlight) writes:
>
>Doug Holland claims Tom Clancy has provided the recipe for nuclear bombs.
>Clancy himself says he has omitted certain crucial steps. Further, how do we
>know Clancy knows, rather than repeating what he's read or been told in the
>unclassified domain?
>
Tom Clancy omitted these key steps to try to prevent groups of people from
building a nuclear bomb.  However, he asserts that you can find these key
steps in any university library.  The main point of _Five Minutes To Midnight_
is that it is impossible to prevent the proliferation of nuclear weapons,
since it has become easy to acquire the knowledge to build one, and fissile
materials are nearly impossible to control.  Read this article, or better
yet, run to your library yourself and dig up some stuff on constructing a
nuclear weapon.

Doug Holland

-- 
|  Doug Holland                | Anyone who tries to take away my freedom  |
|  holland@cs.colostate.edu    | of speech will have to pry it from my     |
|  PGP key available by E-mail | cold, dead lips!!                         |

Newsgroup: sci.crypt
Document_id: 15799
From: rlglende@netcom.com (Robert Lewis Glendenning)
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks only

In article <1r4g7l$fdl@sunb.ocs.mq.edu.au> ifarqhar@laurel.ocs.mq.edu.au (Ian Farquhar) writes:
>In article <19930419.155204.305@almaden.ibm.com> ameline@vnet.IBM.COM (Ian Ameline) writes:
>>  I also believe that someone will reverse engineer the clipper chip,
>>and knowlege of the algorithm will likely be fairly widespread. Any back-
>>doors or weaknesses would further discredit the scheme, and help grow
>>the market demand for a secure alternative.
>

There are companies (one in Canada, as I recall) which specialize in
analyzing chips to understand process technology, design rules,
... to understand the probable yield of the assembly line making them,
and therefore the probable current cost and possible future cost curves,
given design shrinks, statistical quality control -> better yields, etc.

Taiwanese, Japanese and especially Korean semiconductor manufacturers
have all (Korea continues) reverse-engineered foreign chips and
produced the chip.  Taiwan and Japan have signed intellectual
property treaties, and now at least extract the gate/transistor level
design before laying the chip out again.  The Koreans still
use mask-level copying, I believe.  At least, they are under a lot
of pressure to pass laws to meet international intellectual property
standards.

All this despite lots of attempts to hide the designs.  There are lots
of techniques to do so in both hardware and software design.

For a complex chip, there will be real intellectual effort extracting
the gate design from the transistor design, and the algorithm from
the gate design.  But it won't take two smart guys even 6 months, working
40 hour weeks.  Koreans work 60 or more 8)

Lew
-- 
Lew Glendenning		rlglende@netcom.com
"Perspective is worth 80 IQ points."	Niels Bohr (or somebody like that).

Newsgroup: sci.crypt
Document_id: 15800
From: "Stephen J. Ludwick" <sl3b+@andrew.cmu.edu>
Subject: Encryption Chip Availability

Hi everybody!

Does anyone know of companies that are currently manufacturing
encryption chips for sale to the general public?  Get them while you
can!  Some pointers would be greatly appreciated.

Thanks

Steve

Newsgroup: sci.crypt
Document_id: 15801
From: jim@rand.org (Jim Gillogly)
Subject: Re: Ideas on Clipper

I was annoyed to find that this guy posted my private e-mail response to
him, but since I believe what I said, I'll defend it anyway.

In article <gfpo=Wu00WC70qOQ4O@andrew.cmu.edu> jb7m+@andrew.cmu.edu (Jon C. R. Bennett) writes:
>Jim Gillogly <jim@mycroft.rand.org> writes (in private e-mail):

>> They're betting that you can't [cryptanalyze E to get U given N].
>> ...  But we can't
>> do this right now with DES, even knowing the encryption method without
>> doing almost the whole 56-bit search.
>
>That is not true, with chosen plaintext attacks DES keys can be determined
>without the full search.

By "almost" I mean the differential cryptanalysis attack.  The chosen
plaintext attack requires a detailed analysis of about 2^36 chosen plaintexts
drawn from a total of about 2^47 that need to be run, if I understand the
situation correctly.  This is certainly a "break" under the meaning of the
Act, but does not constitute much less work than the brute force keysearch.

The rest of his article assumes that we can figure out the Skipjack
encryption algorithm E by choosing the correct data to send through it and
observe the results.  I wish him joy of it, and choose not to try that attack.

I am not defending the system, and in fact am offended by the ideas of
escrowed keys or a secret algorithm becoming a de facto industry standard.
However, I also object to opposing it for the wrong reasons, since that
weakens the case against it.

I said (in my private e-mail):
>> It's not clear that the "experts" will be told F.  In fact, I'd be surprised.
>> I'd expect something more of the form of the FIPS pub describing DES, so that
>> they could look at the algorithm in general, rather than with the specific
>> set of keys chosen.
>
>Oh come on, thats like saying you could evaluate DES without the S-box
>constants.....

No, it's quite different.  The government would have no percentage in
choosing F to be a weak key, since it's not to their advantage to have
anybody else know it.  The "experts" could thus assume that F is no worse
than anything else during their analysis.  Totally different situation
from unknown S-boxes.  Again, I'm not saying it would be good or
satisfactory for the experts to just be given the raw algorithm without
the rest of the surrounding details regarding the chip and protocols and
so on -- simply that I doubt that they <would> be given all the
information.
-- 
	Jim Gillogly
	Trewesday, 2 Thrimidge S.R. 1993, 03:01

Newsgroup: sci.crypt
Document_id: 15802
From: cme@ellisun.sw.stratus.com (Carl Ellison)
Subject: Re: text of White House announcement and Q&As on clipper chip encryption

In article <2079@rwing.UUCP> pat@rwing.UUCP (Pat Myrto) writes:
>For example, a conversation between a suspect and a lawyer will no longer
>be private from Big Brother eavesdropping.

Now, almost 100 years later, we have the right words for the problem here.

Phone calls are "virtual visits".  Those experienced in virtual reality
would know from that title that phone calls need to have all the properties
of a walk in the park with your friend -- security from casual overhearing
and easy verification to see if anyone is listening secretively.  As designed,
they fail at that.

...trouble is, telephones were invented a long time ago and people didn't
realize the danger or the concept of virtual reality back then.

-- 
 - <<Disclaimer: All opinions expressed are my own, of course.>>
 - Carl Ellison                                        cme@sw.stratus.com
 - Stratus Computer Inc.       M3-2-BKW                TEL: (508)460-2783
 - 55 Fairbanks Boulevard ; Marlborough MA 01752-1298  FAX: (508)624-7488

Newsgroup: sci.crypt
Document_id: 15803
From: cme@ellisun.sw.stratus.com (Carl Ellison)
Subject: Re: Do we need the clipper for cheap security?

In article <C5trGt.Ew4@news.claremont.edu> ebrandt@jarthur.claremont.edu (Eli Brandt) writes:
>Remember in the
>announcement they described this scheme as balancing the two
>extremes of having no privacy and claiming that citizens had a
>Constitutional right to encryption?  
>
>So much for Clinton's support of the "right of privacy".

There's an out for him.  The announcement talked about strong cryptography
I believe.  Specifically:

	nor is the U.S. saying that "every
     American, as a matter of right, is entitled to an
     unbreakable commercial encryption product."

Every vendor claims his product is unbreakable -- so this was sloppy wording.

I am not claiming that we private citizens should have access to the NSA's
best, secret algorithms.  I don't want any NSA algorithms, actually.

I'll let them break my pitiful amateur algorithms -- and RSA's.

All I want is what I have already -- the ability and right to invent and use
my own algorithms, share them with my friends and sell them.

-- 
 - <<Disclaimer: All opinions expressed are my own, of course.>>
 - Carl Ellison                                        cme@sw.stratus.com
 - Stratus Computer Inc.       M3-2-BKW                TEL: (508)460-2783
 - 55 Fairbanks Boulevard ; Marlborough MA 01752-1298  FAX: (508)624-7488

Newsgroup: sci.crypt
Document_id: 15804
From: cme@ellisun.sw.stratus.com (Carl Ellison)
Subject: Write to Clinton


I've been reading the sci.crypt, alt.privacy.clipper and comp.org.eff.talk
discussions about the Clipper chip and find (as usual) that most of us
think alike -- so there's a lot of repetition.  If each of these messages
were sent to Clinton as well as to the net (or instead of to the net), we
might actually have some effect.

	0005895485@MCIMAIL.COM  (White House)

-- 
 - <<Disclaimer: All opinions expressed are my own, of course.>>
 - Carl Ellison                                        cme@sw.stratus.com
 - Stratus Computer Inc.       M3-2-BKW                TEL: (508)460-2783
 - 55 Fairbanks Boulevard ; Marlborough MA 01752-1298  FAX: (508)624-7488

Newsgroup: sci.crypt
Document_id: 15805
From: cme@ellisun.sw.stratus.com (Carl Ellison)
Subject: Re: Organized Lobbying for Cryptography

In article <1r3jgbINN35i@eli.CS.YALE.EDU> jgfoot@minerva.cis.yale.edu writes:
>
>Perhaps these encryption-only types would defend the digitized porn if it
>was posted encrypted?
>
>These issues are not as separable as you maintain.
>

To paraphrase, I may not agree with what you're encrypting, but I defend
your right to encrypt it.



-- 
 - <<Disclaimer: All opinions expressed are my own, of course.>>
 - Carl Ellison                                        cme@sw.stratus.com
 - Stratus Computer Inc.       M3-2-BKW                TEL: (508)460-2783
 - 55 Fairbanks Boulevard ; Marlborough MA 01752-1298  FAX: (508)624-7488

Newsgroup: sci.crypt
Document_id: 15806
From: "Stephen J. Ludwick" <sl3b+@andrew.cmu.edu>
Subject: Encryption Chips


Does anyone know where I can get a hold of some secure encrypting chips
or devices before they are banned completely?!?

Steve


"If encryption is outlawed, only outlaws will have encryption"

Newsgroup: sci.crypt
Document_id: 15807
From: artmel@well.sf.ca.us (Arthur Melnick)
Subject: New Encryption Algorithm


     Ever since Craig Rowland posted his piece "New Encryption"
to sci.crypt there has been some discussion of our company,
Secured Communications Technologies, Inc, and our encryption
algorithm, NEA.
     I spoke to Craig at length on 4/21/93 and we covered a lot
of ground.  Some of the information in the posting requires some
clarification, and I would like to answer some of the questions
raised on sci.crypt.
     SCT is a small company based in Silver Spring Maryland.  Our
two main products at this time are a PC based secure
communications program called SECOM and a general purpose
encryption chip which uses the NEA algorithm developed for SECOM.
     SECOM provides an encrypted secure communication link
between two PC's connected over dial up telephone lines.  It
supports simultaneous bi-directional file transfer and keyboard
to screen "chat".  It has its own proprietary communications
protocol which is tightly integrated to the encryption.  Although
it is a packetized link, the data stream appears to be
continuous because the packet boundaries are hidden.
     When SECOM was initially developed, it was implemented to
use DES encryption.  A business decision was made to seek export
approval for the product because it was perceived that the
overseas market was a large one and provided a good marketing
opportunity.
     We soon found out that we would NEVER be granted general
export approval for anything using DES.  Although the reason
for this was never explicitly stated, it seems to have something
to do with secret government to government agreements which are
still in effect.
     In any event, the decision was made to develop a new and
different algorithm which would take the place of DES.  This was
the reason NEA (New Encryption Algorithm) was born.
     At this time NEA is being held as a trade secret.  The
preliminary work of patenting it has begun, and the plan is to
make it public once the patent process is complete.  Although
one can make certain legal arguments for keeping it an ongoing
secret, I think in the case of an encryption algorithm it is
necessary to let people "shoot at it" over an extended period of
time to prove its worth.
     In order to get export approval for SECOM/NEA, it was
necessary to go through NSA and to reveal to them the details of
the program and algorithm.  This was done only AFTER we had a
finished product to submit.
     Let me state unequivocally that there is NO "back door" to
the program or the algorithm.  Secured Communications
Technologies is a closely held private company and
NSA/FBI/CIA/NIST/WHATEVER has NO financial interest in any way
whatsoever with the company or any of the people involved.
     From a practical business standpoint, we are interested in
selling chips and software (hopefully in large quantities) and a
back door to the encryption, if found out, could destroy our
credibility and our business.
     With the encryption algorithm approved for export, we set
out to talk to a number of potential customers for encryption
products and systems.  We were able to identify several common
threads of functionality requirements.  This led to the design of
a chip with the encryption algorithm "cast in silicon" and
certain other capabilities added so that the chip could fulfill
the broad range of requirements that we identified.
     We are strongly opposed to the clipper/capstone chips.  In a
press release today, our president, Dr. Stephen Bryen stated:

          "It seems as if the government has an unlimited source
     of funds to use to push its new bugged chips on the American
     Public.  But do we not understand how the National Security
     Agency, which is not supposed to be involved in domestic
     spying, can fund the development of a commercial chip
     intended to accommodate U.S. government domestic spying
     activities."

     If they had asked me to put a "back door" in NEA I would
have told them to g__ f____ed.
     Can NSA break NEA?  Or for that matter can they break DES,
RSA, IDEA, Diffie-Hellman, PGP, RC2, RC4, or whatever?  I don't
know and probably never will.

Newsgroup: sci.crypt
Document_id: 15808
From: quilty@twain.ucs.umass.edu (Lulu of the lotus-eaters)
Subject: Info on Mathematics of Encryption Wanted

I just signed up for this group, so I hope I'm not missing something
in a FAQ, but I'm looking for a good introduction to the mathematics
of encryption -- particularly DES and Public-Key, though others would
be interesting also.  Probably a good library could help me out, but I
thought it might be even easier if I could obtain a nice article
entirely electronically (besides, I have this rather *rational* phobia
of libraries for reasons stemming from this "dissertation" thing
hanging over my head :-)).  
	I have a basic knowledge of mathematics... number-theory is a
bit unfamiliar to me, but I've had a few graduate-level math courses
in some other areas; anyway, I'm not a complete novice to the field.
So probably something aimed at a basic graduate introductory level
would be about right.  Something, anyway, which is more specific than
"a really big prime number is generated to code the message".
	If someone knows of a good text available by ftp (or gopher),
or would like to email me one... please let me know.  I'll probably keep
reading this group; but it would be nice if you would email me at the
same time, so I don't miss it.

Thanx, Lulu...
-- 
      _/_/_/ THIS MESSAGE WAS BROUGHT TO YOU BY: Postmodern Enterprises _/_/_/ 
     _/_/    ~~~~~~~~~~~~~~~~[quilty@philos.umass.edu]~~~~~~~~~~~~~~~~~  _/_/ 
    _/_/  The opinions expressed here must be those of my employer...   _/_/ 
   _/_/_/_/_/_/_/_/_/_/ Surely you don't think that *I* believe them!  _/_/ 

Newsgroup: sci.crypt
Document_id: 15809
From: merlin@lerami.lerctr.org (David Hayes)
Subject: Re: The [secret] source of that announcement

In article <1r3vjhINN5iq@dns1.NMSU.Edu>
amolitor@nmsu.edu (Andrew Molitor) writes:
>In article <gradyC5uAMw.BnG@netcom.com> grady@netcom.com (1016/2EF221) writes:
>If you can get it for a buck, 2nd hand, it must be true, eh? I'm pretty
>sure the NSA is supposed to, among many other things, provide high-quality
>cryptosystems to a variety of places. I don't recall reading anywhere
>reliable that they're supposed to:
>
>	1) Monitor my phonecalls.
>	2) Monitor usenet.
>	3) Provide only cryptosystems they can easily crack.
>	4) etc etc.
>
>	This is not to say that they *don't*, they might. But you don't
>know that they do, and you have no evidence that they do, for almost
>all values of you. It follows, therefore, that for most values of 'you',
>your claims about the NSA border on paranoia.
>
>	Andrew
>

OK, Andrew, I'll provide some evidence. A friend of mine worked for an
electronics manufacturer with a west-coast office. They routinely sold
equipment to the Japanese. One day, the Japanese started showing up with
discount demands that were amazingly close to the cost to manufacture the
products.

This company routinely sent most of the manufacturing data to the field 
offices. The Japanese had simply intercepted it. So my friend, the computer
systems admin, came up with a solution. He started sending the data out
double-block-encrypted with DES. 

Two days after this new distribution plan was implemented, the president of
the company got a visit from a pair of government agents. They told him to
"knock it off". The president gave in, since his company did a considerable
business with the federal government.

Now, if the government wasn't monitoring the communications, how would they
even know that the encryption system was installed? Further, since encryption
isn't illegal, and DES certainly isn't, what is the basis of the
government's cease-and-desist demand?

The spooks do whatever they think is necessary, with or without the blessings
of the law. I'll say "no thanks" to Clipper, or anything else the government
produces. For the moment, double or triple DES is probably adequate. And when
the line is idle, send random garbage, just to keep 'em busy. 

    David Hayes    merlin@lerami.lerctr.org




Newsgroup: sci.crypt
Document_id: 15810
From: uni@acs.bu.edu (Shaen Bernhardt)
Subject: Re: Overreacting (was Re: Once tapped, your code is no good any more)

In article <1993Apr22.134214.18517@rick.dgbt.doc.ca> jhan@debra.dgbt.doc.ca (Jerry Han) writes:
>In this giant bally-ho over this Clipper chip I noticed a rather
>disturbing trend in some of the E-mail and posts I've been tossing back and
>forth.  
>
>Somebody asked me what was wrong about overreacting in cases such as this.
>
>The reason is very simple:  How many people do you want to die in a riot? 
>In a new Civil War? 
>
>Everybody is jumping up and down and screaming about it, and I'm worried
>that people are going to reach for their hammers and rifles before their pens
>and paper.  
>
>Can people work within the system before trying to break it?

A circuit court judge in Illinois once said "When dealing with a government
that seeks continually new and more creative ways to spy on its citizenry,
one cannot discourage the move to empower the common citizen with the means
to parry this attack on personal privacy."

(Unfortunately the comment was with regard to the banning of radar
detectors....)

The point remains.  More and more I see the government slowly washing
away privacy.  Even unwittingly.  Do you think I will ever live in a
society that issues smart cards to citizens at birth?  Do you think I
will live in a society that insists I register my crypto keys so they
can keep track of what I'm saying?  Even if there is no evidence of my
guilt?  Do you think I will ever live in a society that seeks to meddle
in the affairs of its citizenry without recourse of any kind?  I'm tired
of it.  There is (IMHO) no compromise with an administration that seeks
to implement these proposals under the guise of enhancing privacy.

More than the proposals themselves, I read the language of the press
releases, the obvious deception involved in presenting these pieces to
the public, and I am sickened.  I am revolted.  I am repulsed.

90%, perhaps even 95% of this country could care less about the
clipper chip, the wiretap bill, the smart card, because they are so
entrapped in the rhetoric of the Clinton Administration.

This saddens and frightens me.

I am a conservative, believe it or not.  A law and order conservative.
But the move to a centralized authoritarian regime really scares me,
mostly because I know you can't go far wrong underestimating the
intelligence of the American people.  Tell them it's going to keep
them safe from drug dealers and terrorists, and they will let you
put cameras in their home.

Even in the wake of Waco, you find those who support the increasingly
totalitarian moves.

>Somebody once said something like: "Armed Violence is meant only to be
>used in response to an armed attack.  It is not meant to be used in
>aggression.  This is the difference between self-defence and murder."

To be quite honest, the way things are going, I'd call it self defense.

>Let's try to avoid killing things, eh?  There's enough blood shed in the
>world, without adding a couple of riots, Civil Wars, etc.
>
>I'm probably overreacting.  But what I've read scared me a lot.  I don't
>want my children growing up in a War Zone.


And I don't want mine growing up in the eyes of a security camera
24 hours a day.
>-- 
>Jerry Han-CRC-DOC-Div. of Behavioural Research-"jhan@debra.dgbt.doc.ca"
>///////////// These are my opinions, and my opinions only. \\\\\\\\\\\\\
>\\\\\\\\\ A proud and frozen member of the Mighty Warriors Band ////////  
>"Memories of those I've left behind, still ringing in my ears."-Genesis-

uni

-- 
uni@acs.bu.edu  ->  Public Keys by finger and/or request
Public Key Archives: <pgp-public-keys@pgp.iastate.edu> 
Sovereignty is the sign of a brutal past.<>Fight Clinton's Wiretap Chip!
DF610670F2467B99 97DE2B5C3749148C <> Crypto is not a Crime! Ask me how!

Newsgroup: sci.crypt
Document_id: 15811
From: tcmay@netcom.com (Timothy C. May)
Subject: Re: Estimating Wiretap Costs/Benefits

Robin Hanson (hanson@kronos.arc.nasa.gov) wrote:
:               WOULD WIRETAP CHIP BE COST-EFFECTIVE?

:   SUMMARY: Compared to an average monthly phone bill of sixty dollars,
:   wiretaps are only worth two cents a month to police.  So the
:   proposed wiretap chip must raise phone costs by less than one part 
:   in three thousand to be cost-effective. 

Robin's calculation is interesting and important, even if it's off by
an order of magnitude (for example).

Even if hardware costs for the Clipper Chip phones were ZERO, the
protocol overhead in transmitting the escrow field would be much
higher than the 1 part in 3 thousand...it depends on the exact details
of the phone call length, protocol, etc. (shorter calls get a
proportionately greater hit).

However, I suspect most Americans will not find this line of reasoning
as persuasive as the analogies about escrowing keys to one's house
are.

-Tim May


-- 
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,  
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets, 
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^756839 | Public Key: PGP and MailSafe available.


Newsgroup: sci.crypt
Document_id: 15812
From: pat@rwing.UUCP (Pat Myrto)
Subject: Re: THE CLIPPER CHIP: A TECHNICAL SUMMARY

In article <1993Apr19.182327.3420@guvax.acc.georgetown.edu> denning@guvax.acc.georgetown.edu writes:
>The following document summarizes the Clipper Chip, how it is used,
>how programming of the chip is coupled to key generation and the
>escrow process, and how law enforcement decrypts communications.

Interesting.  Tell us, what happens if I were to say OK, I want to have
something else.  If the law enforcement wants my traffic, they can record
it, then get a search warrant, and get the keys FROM ME, just like they
would the keys to a stout private safe, etc. (Let's say I suspect that
there is a way to trivially crack this at the Fed level, with no warrant,
say for NSA scanning for keywords, etc., and the government has abused
great power in the past...).

So I say "Mr Vendor, I want something different, independent.  I am
a paranoid sort, ya understand...".

Will the result be "Sorry, without Government permission, we cannot sell
you anything secure", or would it be "Sorry, we know which side our
bread is buttered on, we cannot sell except to government people, law
enforcement, and 'special' people...".

What, in your opinion, would be the chances of "sure, we will sell you
this secure system ... be happy to..."

Also, please be so kind as to tell us what the plans are for private
encryption of, say files transferred by modem, or FTP, or data stored
on disk?  SURELY you have a feel for what the administration is planning
for us people on that....  With your rather intimate relationship with
the FBI, NSA, etc. you must CERTAINLY have an idea.  You are surely
not going to say "the people are not to know, until it is too late..."
This IS supposed to be government of the people by the PEOPLE, isn't
it?  That is, the people ARE the government's BOSSES?  The BOSSES
want to know what the *@()#*&(@ is going on here...

You see, I am kind of nervous, because in the last month or so, I have
seen a non-stop stream of ideas coming out of Wash DC that at least
appear VERY STRONGLY to have a common trait to limit privacy (freedom
from Govt eavesdropping), and the ability to defend ourselves against
violent attack (no, 911 is *NOT* good enough for 'common folk', they
arrive only in time to clean up the mess: I would be DEAD if I had to
depend on 911...).   You see, with all that talk about National smart
ID cards, limiting of encryption to 'government approved', denial of
means to effective personal defense (EIGHT bills in congress right now),
it looks an AWFULLY lot like the whole thing is to be able to trace
EVERY ACTIVITY of an individual from cradle to grave.  All it would take
is requiring that National ID card to be used in all transactions...
and with no effective data protection, and with the people suitably
disarmed, there would not be a helluva lot they could do about it, now
would there?  All in the name of the War on the Constitu ... er ...
drugs, and of course that catch word 'terrorists'.  What is wrong with
good OLD-FASHIONED POLICE WORK to build a case?  They don't want to
have to be burdened to leave the office, it seems...

Please read the Bill of Rights (first ten amendments to the US
Constitution) and tell us how you can reconcile this Big Brother-ish
policy of the Administration (always for a 'crisis' of some kind, isn't
it?) with that Bill of Rights in the context of the people who wrote
it?

Reassure us - please... (or is that no longer regarded as necessary,
seeing as apparently the people have NO input on this agenda, the
Administration preferring to make all the DECISIONS in secret, then
springing it on us...).  Doesn't sound much like ... by the PEOPLE
to me.  I cannot help notice that the congress people involved were
NOT mentioned on the press release.  I find that more than a little
bit curious, don't you?  I sure would like to know who to not vote
for come election time...

Yes, I am upset.  I feel you are a part of this, because I recall it
was you that was posting HEAVILY in favor of a very similar idea (could
have been the SAME thing, it was so close) a few months ago...  I
also recall it was not well received.  Apparently powers-that-be
really didn't care (or were not told, or both).

From what I see, Clipper will ONLY be useful for conversations I don't
want the neighborhood kid listening in on.  Any SERIOUS security I don't
think I would want to trust it a bit.  Might as well use cleartext.
Certainly corporations would be rather dumb to depend on this for serious
trade-secret data, especially if millions depended on that security.
Given enough money, one could BUY any keys they wanted.  Buy a crooked
judge, and a crooked cop.   Given a few hundred thou, they wouldn't be
hard to find.  So, we end up with only criminals, terrorists, and the
Government with real security, and the ability to eavesdrop.  You know
the first two, if they are serious, ain't going to use this thing for
THEIR communications.  I bet the government won't, either (except perhaps
to order a pizza).

Tell us, will that be prima facie evidence of criminal activity,
someone not using the 'government approved' methods?  That just a desire
to have PRIVACY is no longer regarded as a legitimate right of an
unconnected citizen?  Will that be grounds for a fly-through-the-door
raid, and confiscation of all one's equipment, as 'terrorist tools',
using civil forfeiture, so there will be no inconvenient need to
PROVE any wrongdoing on the part of the citizen?

I have yet another question, are we going to see articles in all the
public magazines, consisting of soothing text telling us how great
this is, how nice the government is by LETTING us have this illusion
of privacy?  That the government is going to be so kind as to let
us 'sort of' exercise a RIGHT?  What you want to bet that I am
correct here?

Please answer these questions.  As citizens of the United States, we
have a RIGHT to know what our Government plans to 'let' us have
out of the goodness of their hearts...

Funny thing, though - with all these proposals, I don't feel ONE BIT
safer from drug dealers, terrorists, or a common street thug.  I am
beginning to wonder if the greater danger lies in the above entities,
or our own government gone out of control?

Re-assure us, please.  So far, I haven't seen much to reassure me...
and a LOT to greatly disturb me.

-- 
pat@rwing.uucp      [Without prejudice UCC 1-207]     (Pat Myrto) Seattle, WA
         If all else fails, try:       ...!uunet!pilchuck!rwing!pat
WISDOM: "Only two things are infinite; the universe and human stupidity,
         and I am not sure about the former."              - Albert Einstein

Newsgroup: sci.crypt
Document_id: 15813
From: steve-b@access.digex.com (Steve Brinich)
Subject: Re: Fear, Uncertainty, Doubt

 > More accurate is that the government says its solid, other people
 >in the field who might be able to find out haven't yet done their
 >review of the chip design, and there's been a lot of wild speculation
 >and guesswork from those with little information that it might be
 >Swiss cheese.

  Oh, that puts the debate on -excellent- terms for our side:

  FEDS:  You people saying that Clipper is insecure don't have any real
information to support that judgment.
  ME:  Fine -- show me this "information" that would prove me wrong.
  FEDS:  That's secret!

  When it comes down to that, it looks suspiciously like some government
official pasting "TOP SECRET" stamps over embarrassing information in order
to save his own hide.  In fact, framing the secrecy issue in that perspective
is more likely to turn Joe Sixpack's suspicions against the Feds than the
Constitutional argument -- a point I urge the others on the pro-freedom
side to consider when making their case.



Newsgroup: sci.crypt
Document_id: 15814
From: C445585@mizzou1.missouri.edu (John Kelsey)
Subject: Re: Clipper considered harmful

 
   The clipper chip's User key is formed by:
 
           R1 = E[D[E[N1;S1];S2];S1]
           R2 = E[D[E[N2;S1];S2];S1]
           R3 = E[D[E[N3;S1];S2];S1]
 
   Why is the triple-encryption used?  Is it just to gain an effective
increase in keyspace to defeat a potential keysearch?  (If so, why use
80 bit keys?)  Not knowing anything about the Skipjack algorithm, it's
not really possible to guess whether this makes it harder or easier to
guess S1,S2.
 
   Why are N1, N2, and N3 formed as they are?  It would be fascinating to
see the Skipjack algorithm, to look for ways of attacking it that require
three ciphertext blocks formed in that odd way.
 
   Where do the 34-bit constant values that are concatenated with the
serial number to form N1,N2,N3 come from?  Are they changed from chip to
chip, or session to session?  (Even if they're published in the NY Times,
if SkipJack is resistant to known-plaintext attacks, when using triple-
encryption, then there's no break in security.  But why allow that kind
of weird format?  If those three 34-bit values are truly-random bits, then
maybe it's used to ensure that a known-plaintext attack on SkipJack, if
it exists, can't be easily used to derive S1 and S2 for a whole production
run of these chips....)
 
   Does Dorothy Denning read this group?  If not, is someone on the group
forwarding questions like these to her, or Martin Hellman, or anyone else
who's seen more details about the chip?
 
   --John Kelsey

Newsgroup: sci.crypt
Document_id: 15815
From: steve-b@access.digex.com (Steve Brinich)
Subject: Re: Is key escrow enough?

  The points raised about checking what is actually -in- the chip, as
opposed to what is allegedly programmed therein, raise yet another trust
issue.  Even if we assume that these "trusted agents" are really entering
a wide range of S1 and S2 seeds (rather than using the same one all the
time to reduce the key search space to 30 bits), I assume they are not
doing so by picking up an iron filing and poking it into the circuitry
at carefully selected points to encode data.  They would presumably be
punching numbers into a computer, which for all they know could program
the chips in a manner completely independent of the S1 and S2 values they
are feeding into the system.





Newsgroup: sci.crypt
Document_id: 15816
From: servalan@access.digex.com (Servalan)
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks  only

In article <1993Apr22.223906.25929@lehman.com> pmetzger@snark.shearson.com (Perry E. Metzger) writes:
>Qualcomm had spare cycles in the DSPs for their new CDMA digital
>cellular phones. They wanted to put strong crypto into them since they
>had the capacity. The government decided to "discourage" them.

You're blowing smoke.  Qualcomm wants to sell to nice, lucrative overseas
markets like Japan and the EC.  The government told them "don't do encryption
if you ever hope to export this technology".  The reason that CDMA doesn't
have encryption is NOT because the G-men came a'knocking at Qualcomm's door.
It's because Qualcomm doesn't think that the US market for digital cellular
is big enough for them.  This is just the International Traffic in Arms
Regulations all over again.

If you don't believe me, call Qualcomm and ASK THEM.  Don't just throw
out conspiracy theories.  At least, don't do it on sci.crypt--there are
whole other newsgroups devoted to this kind of uninformed claptrap.

>any "normal" company trying to put one out will likely get a visit
>from the boys in the dark suits from Washington, just like Qualcomm
>did. I suspect that companies like Cylink are tolerated because their
>products are too expensive.

Hah.  They're not that much more expensive.  Besides, if a drug dealer
can afford a Rolex and a Mercedes, he can darn well afford Cylink phones.
No, Cylink sells their phones because they're willing to make different
stuff for domestic use vs. export.  Qualcomm isn't.  So Cylink makes
money--that's capitalism, comrade.

>Someone out there WILL build a unit to do all this. Better yet,
>perhaps someone will produce a package that turns any 486 box with a
>sound card into a secure phone.

"Someone" this and "someone" that.  If you think it's so easy, why are
you whining on the net instead of getting your butt in gear and writing
it?  Your name would become known and loved by dozens!  But no, that would
require actual EFFORT.

					-= Servalan =-

Newsgroup: sci.crypt
Document_id: 15817
From: C445585@mizzou1.missouri.edu (John Kelsey)
Subject: Crypto papers on the net.

   I've recently been reading a paper of Merkle's (published only on the
net, I think) discussing three potential replacements for DES.  Was
anything ever done with these?  Are Khufu, Khafre, and/or Snefru still
being discussed anywhere?  (I know Snefru is referenced in the RSA
FAQ, and I think it may also be in the sci.crypt FAQ.)
   On a related topic, can anyone point me toward good sites to find
papers/articles/discussions of cryptology?  I think I've about exhausted
the Math/Sci library here, which doesn't seem to have anything more recent
than about '84.
 
   Thanks.
 
   --John Kelsey

Newsgroup: sci.crypt
Document_id: 15818
From: C445585@mizzou1.missouri.edu (John Kelsey)
Subject: PGP ideas for IBM systems

   I've been thinking about how difficult it would be to make PGP available
in some form on EBCDIC machines.  The message authentication would be ugly,
but I think at least the IDEA encryption could work, if PGP had a switch
to tell it to use IDEA in OFB-mode or ECB-mode.  In OFB-mode, errors in
translating EBCDIC-->ASCII-->EBCDIC would only affect their byte, not the
16 bytes that would be affected under CBC.
   Is PGP set up to use different IDEA modes?  I don't recall noticing it
in the executable, but I haven't gone through it as carefully as I probably
should....
 
   --John Kelsey
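An added example, not code from either of John Kelsey's posts and not from any Clipper or PGP implementation, that covers two of his questions: the shape of the R1/R2/R3 derivation from the Clipper post above (R = E[D[E[N;S1];S2];S1] over N = 30-bit serial || 34-bit constant) and the OFB-versus-CBC error-propagation point from the PGP/EBCDIC post. Skipjack and IDEA are both stood in for by a toy 64-bit Feistel cipher built on SHA-256; all it shares with them is the block size and invertibility, and it is not secure. The bit order of serial and constant inside N, the constant values and the seed bytes are assumptions (the post gives none of them), and the CBC/OFB functions are mine, not PGP's. The block also shows a property of two-key EDE the post does not mention: with S1 == S2 it collapses to a single encryption under S1.

```python
import hashlib
import struct

ROUNDS = 16
MASK32 = (1 << 32) - 1
SERIAL_BITS, CONST_BITS = 30, 34   # from the post: 30-bit serial, 34-bit constant

def _round_fn(half: int, key: bytes, rnd: int) -> int:
    """Round function of the stand-in cipher: a keyed hash of one 32-bit half.
    NOT Skipjack and NOT IDEA; it only gives a correct, invertible 64-bit
    block cipher to demonstrate the constructions with."""
    digest = hashlib.sha256(struct.pack(">IB", half, rnd) + key).digest()
    return int.from_bytes(digest[:4], "big")

def block_encrypt(block: int, key: bytes) -> int:
    """Encrypt one 64-bit block (as an int) with a 16-round Feistel network."""
    left, right = block >> 32, block & MASK32
    for rnd in range(ROUNDS):
        left, right = right, left ^ _round_fn(right, key, rnd)
    return (right << 32) | left          # final swap

def block_decrypt(block: int, key: bytes) -> int:
    """Inverse of block_encrypt: the same rounds applied in reverse order."""
    left, right = block >> 32, block & MASK32
    for rnd in reversed(range(ROUNDS)):
        left, right = right, left ^ _round_fn(right, key, rnd)
    return (right << 32) | left

# --- Clipper-style two-key EDE from the post: R = E[D[E[N;S1];S2];S1] --------
def ede_encrypt(block: int, s1: bytes, s2: bytes) -> int:
    return block_encrypt(block_decrypt(block_encrypt(block, s1), s2), s1)

def ede_decrypt(block: int, s1: bytes, s2: bytes) -> int:
    return block_decrypt(block_encrypt(block_decrypt(block, s1), s2), s1)

def form_n(serial: int, const: int) -> int:
    """N_i = 30-bit serial || 34-bit constant.  Serial in the high bits is an
    assumption; the post does not give the order."""
    if not 0 <= serial < (1 << SERIAL_BITS) or not 0 <= const < (1 << CONST_BITS):
        raise ValueError("serial must fit in 30 bits, constant in 34 bits")
    return (serial << CONST_BITS) | const

def derive_r_blocks(serial: int, consts, s1: bytes, s2: bytes) -> list:
    """R1, R2, R3 for one chip: EDE of N1, N2, N3 under the seeds S1 and S2."""
    return [ede_encrypt(form_n(serial, c), s1, s2) for c in consts]

# --- CBC and OFB over the same stand-in cipher (mine, not PGP's code) --------
def _blocks(data: bytes) -> list:
    if len(data) % 8:
        raise ValueError("data must be a whole number of 8-byte blocks")
    return [int.from_bytes(data[i:i + 8], "big") for i in range(0, len(data), 8)]

def _join(blocks) -> bytes:
    return b"".join(b.to_bytes(8, "big") for b in blocks)

def cbc_encrypt(plain: bytes, key: bytes, iv: int) -> bytes:
    out, prev = [], iv
    for p in _blocks(plain):
        prev = block_encrypt(p ^ prev, key)
        out.append(prev)
    return _join(out)

def cbc_decrypt(cipher: bytes, key: bytes, iv: int) -> bytes:
    out, prev = [], iv
    for c in _blocks(cipher):
        out.append(block_decrypt(c, key) ^ prev)   # a damaged c garbles this whole block ...
        prev = c                                    # ... and the same byte of the next one
    return _join(out)

def ofb_crypt(data: bytes, key: bytes, iv: int) -> bytes:
    """OFB: the keystream never depends on the data, so one function does both
    directions and a damaged ciphertext byte damages only that plaintext byte."""
    out, state = [], iv
    for d in _blocks(data):
        state = block_encrypt(state, key)
        out.append(d ^ state)
    return _join(out)

def corrupted_bytes_after_flip(mode: str, key: bytes, iv: int, plain: bytes, index: int) -> int:
    """Flip one bit of ciphertext byte `index` (the kind of damage a lossy
    EBCDIC->ASCII->EBCDIC hop could do) and count plaintext bytes that come back wrong."""
    if mode == "cbc":
        ct = bytearray(cbc_encrypt(plain, key, iv))
        ct[index] ^= 0x01
        back = cbc_decrypt(bytes(ct), key, iv)
    elif mode == "ofb":
        ct = bytearray(ofb_crypt(plain, key, iv))
        ct[index] ^= 0x01
        back = ofb_crypt(bytes(ct), key, iv)
    else:
        raise ValueError("mode must be 'cbc' or 'ofb'")
    return sum(1 for a, b in zip(plain, back) if a != b)

if __name__ == "__main__":
    S1, S2 = b"seed-S1", b"seed-S2"                        # assumed escrow-agent seeds
    consts = [0x1_0000_0001, 0x2_0000_0002, 0x3_0000_0003]  # assumed 34-bit constants
    for i, r in enumerate(derive_r_blocks(0x1234567, consts, S1, S2), 1):
        print(f"R{i} = {r:016x}")
    sample = b"EBCDIC to ASCII and back"                    # constructed 24-byte sample
    for mode in ("cbc", "ofb"):
        print(mode, "bytes wrong after one flipped bit:",
              corrupted_bytes_after_flip(mode, S1, 7, sample, 3))
```

With one bit flipped in ciphertext byte 3, the OFB path always reports exactly one wrong plaintext byte, while the CBC path reports the whole first 8-byte block plus byte 3 of the next, so at most nine bytes for an 8-byte block cipher such as IDEA. On the Clipper side, ede_encrypt(n, k, k) equals block_encrypt(n, k): the decrypt-in-the-middle form is what lets a two-key EDE device interoperate with single encryption, which is the usual reason EDE is chosen over EEE, and it is also why a lazy agent feeding the same value for both seeds would get no benefit from the second key.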

Newsgroup: sci.crypt
Document_id: 15819
From: Peter.White <Peter.White@mixcom.mixcom.com>
Subject: Why are we being censored in a free America? This node specifically

I have been scanning and trying to read the articles in the sci.crypt area,
but what do I get?   SURPRISINGLY, the blurb comes upon the screen " file xxx
has either been cancelled or expired.       Now I ask you, If it expired,
wouldn't it be out of the available file cache?
I am 32 and not a paranoid, but the older I get, the greater my cynicism of
both federal and state governments becomes.    
The censorship of this Internet (and it is no less than censorship [stupid me, it's the GOVT.])
is ridiculous.  The Japanese have far outstripped our cipher technology, and
our government is now, before your very observant eyes, trying to force the
"crypto standard" onto a framework where the "standard" is now an ancient
relic in terms of modern Japanese security techniques.


Now, I pose the question: Why censor folks on the net and send the warning
shown above ("cancelled or expired") when it would be wiser to not let people
see the post at all??


Which Article of the Constitution gives me the right of revolution if things
seem to be going cockeyed??


Hmmm...
-- 
Peter G. White, President, Synthesis 93 Inc.
Milwaukee, Wisconsin, U.S.A.  
Peter.White@mixcom.com

Newsgroup: sci.crypt
Document_id: 15820
From: rab@well.sf.ca.us (Bob Bickford)
Subject: Re: New Encryption Algorithm

In article <artmel.735538777@well.sf.ca.us>,
   artmel@well.sf.ca.us (Arthur Melnick) writes:
>
>     In order to get export approval for SECOM/NEA, it was
>necessary to go through NSA and to reveal to them the details of
>the program and algorithm.  This was done only AFTER we had a
>finished product to submit.

    . . . . .

>     With the encryption algorithm approved for export, we set

Please don't be insulted, but based on this I would say that your
encryption algorithm is very likely not worth the paper it's printed
on.  If the NSA gave export approval, that means they felt confident
that they could crack it -- that's their JOB, mandated by LAW, and
I'm sure they believe in what they do.  If they gave export approval
to an encryption algorithm which they weren't confident of being able
to crack, they would be derelict in their sworn duty to monitor foreign
communications for US national security related material.

Just because many (most?) of us think that the government and the spooks
are pugnacious slimeballs is no reason to lose sight of the fact that
they do their jobs to the best of their ability, and further that said
ability is rather high.  I hope that one day we can make them all
obsolete....... but until then, we have to cope with their existence.
Export approvals are one thing they do that we can learn a lot from,
for example.

--
  Robert Bickford        /-------------------------------------\
  rab@well.sf.ca.us      | Don't Blame Me: I Voted Libertarian |
                         \-------------------------------------/

Newsgroup: sci.crypt
Document_id: 15821
From: "Jon \\lnes" <jon@ifi.uio.no>
Subject: Re: Off the shelf cheap DES keysearch machine (Was: Re: Corporate
        acceptance of the wiretap chip)

In article <strnlghtC5wCMo.Fx5@netcom.com> strnlght@netcom.com (David Sternlight) writes:

> In article <C5uvn4.MF7@austin.ibm.com> arussell@austin.ibm.com (AG Russell)
> writes:
> 
> >
> >At the company I worked for previously, I received a file that was DES encrypted
> >and the person that had sent it, went on vacation.  Rather than wait two weeks
> >I set up a straight frontal attack with one key at a time.  It only took two(2)
> >days to crack the file.  No, I don't have any faith in DES.
> >
> 
> Taking this at face value (though it seems quite dissonant with much else
> that has been published here about brute force DES cracking, unless Russell
> was lucky with respect to the key), I'd be very interested in whether the
> program Russell used is available? In whether he used a cleartext
> recognition algorithm in the program or whether he had to examine each
> decryption by hand? In whether he used a known plaintext attack?
> 
> He probably should also tell us, given his address, what machine he used--a
> desktop, workstation, or super-computer.
> 
> Depending on his answer, this could be an appalling development calling into
> question both DES and RSA/DES. Dunno about RSA/IDEA.
> 
> If any bright programmer with a little idle machine time can crack a single
> DES message in a couple of days (assuming no tricks that are
> message-specific), then here's my Clipper key, NSA; give me the chip at
> once.  :-)
> 
> David
> -- 
> David Sternlight         Great care has been taken to ensure the accuracy of
>                          our information, errors and omissions excepted.  
> 
> 

A person I know, belonging to a research lab of a private
company, claimed to me during a private conversation that, given the
equipment in his lab, he could crack a Kerberos ticket in 15 minutes to
an hour. He had access to rather powerful DES hardware, but not of an
extraordinary kind, I believe. The attack was possible because of the
amount of known plaintext in the ticket, which itself constitutes a small
message. This was two years ago.
DES is no longer usable for encryption of really sensitive data. For a
lot of purposes, however, it is still very adequate.

Jon Olnes, Norwegian Computing Centre, Oslo, Norway
E-mail: Jon.Olnes@nr.no   or   jon@ifi.uio.no

Newsgroup: sci.crypt
Document_id: 15822
From: stan@tacobel.UUCP (stan)
Subject: Re: I have seen the lobby, and it is us

ns111310@LANCE.ColoState.Edu (Nathaniel Sammons) writes:
> I second the motion.
> 
> All in favor?

In favor.  If y'all have any newsletters or are taking down addresses for 
any in the future, feel free to put me on such a list.

Newsgroup: sci.crypt
Document_id: 15823
From: redsonja@olias.linet.org (Red Sonja)
Subject: Re: Once tapped, your code is no good any more.

In article <1993Apr20.054308.15985@Celestial.COM> bill@Celestial.COM (Bill Campbell) writes:
>In <strnlghtC5p7zp.3zM@netcom.com> strnlght@netcom.com (David Sternlight) writes:
>
>:In article <Apr18.194927.17048@yuma.ACNS.ColoState.EDU>
>:holland@CS.ColoState.EDU (douglas craig holland) writes:
>
>:>Note that measures to protect yourself from
>:>TEMPEST surveillance are still classified, as far as I know.
>
>:I think this to be inaccurate. One can buy TEMPEST equipment commercially.
>:Even Macs.
>
>Sure you can buy a TEMPEST approved Mac -- if you have enough
>money.  I haven't had any reason to look at this type of pricing
>for about 10 years, but a TEMPEST rating in 1982 would raise the
>price of a $2,495.00 Radio Shack Model III to something around
>$15,000.00.
>
Or just dig a deep enough hole in the ground. 50 feet should do it.


-- 
redsonja@olias.linet.org     \\\RS///     Self possession is 9/10 of the law.
Alien: "We control the laws of nature!" | "How come when it's human, it's an
Joel: "And you still dress that way?"   | abortion, but when it's a chicken, 
(MST3K#17 - Gamera vs Guiron)           | it's an omelet?" - George Carlin

Newsgroup: sci.crypt
Document_id: 15824
From: jebright@magnus.acs.ohio-state.edu (James R Ebright)
Subject: Re: The [secret] source of that announcement

In article merlin@lerami.lerctr.org (David Hayes) writes:
>In article amolitor@nmsu.edu (Andrew Molitor) writes:
>>If you can get it for a buck, 2nd hand, it must be true, eh? I'm pretty
>>sure the NSA is supposed to, among many other things, provide high-quality
>>cryptosystems to a variety of places. I don't recall reading anywhere
>>reliable that they're supposed to:
>>
>>	1) Monitor my phonecalls.
>>	2) Monitor usenet.
>>	3) Provide only cryptosystems they can easily crack.
>>	4) etc etc.
>>
>>	This is not to say that they *don't*, they might. But you don't
>>know that they do, and you have no evidence that they do, for almost
>>all values of you. It follows, therefore, that for most values of 'you',
>>your claims about the NSA border on paranoia.
>>
>>	Andrew
>>
>
>OK, Andrew, I'll provide some evidence. A friend of mine worked for an
>electronics manufacturer on with a west-coast office. They routinely sold
[story deleted]

Let me give you another story that actually happened to ME.  We sell
communications boards that use a 68000.  They used to be high tech. Our
agent in the UK sold a system to a company in CH which packaged it in a
product for CZ (London-Bern-Prague).  I telexed the Brits and told them
the Swiss need to pass export paperwork through the US as, at the time,
you needed an export license for these systems.

Now I knew the NSA was watching this traffic (just like they are watching
THIS traffic.)

And what do you know... two weeks later an agent of the US government shows
up in my office to remind me if we or our agents sold systems into the Evil
Empire, we had better make sure the export licenses were handled properly.

He was part of a FIVE man office in COLUMBUS OHIO!! who did this stuff
based on sources he could not reveal. (I assume most of the time these
guys sat around the office with their thumbs up their ass as there isn't
that much stuff coming out of Columbus :)

Wow, the electric utility in Prague sure is a big worry for these folks :)

The point is, we have created a giant bureaucracy (NSA) with a budget
bigger than the CIA's who, like all bureaucracies, fill their time looking
for things to do.  The Evil Empire is gone.  The NSA is not.  They will do
something to fill their time and justify their budgets.  (I just wish they
too would sit around with their thumbs up their ass... but that is too
much to hope for... they will spy on us and do things like skipjack and
subvert people like Dorothy Denning.)  Sigh...
-- 
 Information farming at...     For addr&phone: finger             A/~~\A
 THE Ohio State University  jebright@magnus.acs.ohio-state.edu   ((0  0))____
      Jim Ebright             e-mail: jre+@osu.edu                 \  /      \
                          Support Privacy: Support Encryption      (--)\      

Newsgroup: sci.crypt
Document_id: 15825
From: smoir@world.std.com (Scott A Moir)
Subject: Re: Organized Lobbying for Cryptography

In article <1993Apr21.154122.13015@csus.edu> sphughes@sfsuvax1.sfsu.edu (Shaun P. Hughes) writes:
>In article <1r3jgbINN35i@eli.CS.YALE.EDU> jgfoot@minerva.cis.yale.edu writes:
>>
>>Perhaps these encryption-only types would defend the digitized porn if it
>>was posted encrypted?
>>
>>These issues are not as seperable as you maintain.
>
>Now why would anyone "post" anything encrypted? Encryption is only of 
>use between persons who know how to decrypt the data.

You mean something like Uuencode? It isn't super crypto, but it is encrypted.

Scott


-- 
Scott Moir  /  Satyr on IRC    ______ # "There's really only one requirement 
smoir@world.std.com            \ \/ / #  for a Prophet, and you've got it."
B4 f t+ w g k+(+!) s+ m r p+    \/\/  # "What's that?"
Also: pentangl@ursa-major.spdcc.com   # "A mouth." - 'God' to J.R.'BoB' Dobbs

Newsgroup: sci.crypt
Document_id: 15826
From: tarnold@vnet.IBM.COM (Todd W. Arnold)
Subject: Re: Can DES code be shipped to Canada?

In article <1993Apr22.125402.27561@fripp.ri.cadre.com> rj@ri.cadre.com writes:
>Someone in Canada asked me to send him some public domain DES file
>encryption code I have.  Is it legal for me to send it?

I believe it's legal to send DES code or equipment from the US to Canada
with no export license.  I think this is the only place you can do this - all
other countries require a license.

As an aside, I've always thought it should be legal to send DES software
anywhere, if you follow these rules:

   1.  Encrypt your DES software with DES.
   2.  Send the encrypted software to the recipient.
   3.  Send the key to the recipient.

The only way the person on the other end can use your DES software is if
he/she already *has* DES available - otherwise, they can't decrypt your
program, and it is useless.  If you've guaranteed they already have DES,
have you really violated any law by sending it to them in the form of
your program??  I'm sure it's still illegal, but it seems like a good idea...

- Todd

Newsgroup: sci.crypt
Document_id: 15827
From: Rick Miller <rick@ee.uwm.edu>
Subject: Does Rush read his E-mail?

rsilvers@nynexst.com (Robert Silvers) writes:
>	Send something to Rush Linbaugh about Clinton taking away our right
>to privacy and how if the govt. standard takes off, only people with lots
>of money (drug dealers) will be able to justify DES stuff.  He will slam
>Clinton for this on the air.
>						--Rob.

I seem to recall Rush saying that he has a CompuServe account.  If anyone
wants to E-mail him, all we need is his account number (i.e.: 12345,6789)
and then we could e-mail him via gateway by using a dot instead of a comma
like so: "12345.6789@compuserve.com".  (THIS IS *NOT* HIS ADDRESS.)

So, does anyone know his e-mail address?  He *says* he uses it all the time.
(I wonder if he reads alt.fan.rush-limbaugh...   His ego is big enough!)

Rick Miller  <rick@ee.uwm.edu> | <ricxjo@discus.mil.wi.us>   Ricxjo Muelisto
Send a postcard, get one back! | Enposxtigu bildkarton kaj vi ricevos alion!
          RICK MILLER // 16203 WOODS // MUSKEGO, WIS. 53150 // USA

Newsgroup: sci.crypt
Document_id: 15828
From: rja14@cl.cam.ac.uk (Ross Anderson)
Subject: Re: Key Registering Bodies

In article <a_rubin.735498087@dsg4.dse.beckman.com>, a_rubin@dsg4.dse.beckman.com
(Arthur Rubin) writes:

|> In <nagleC5w79E.7HL@netcom.com> nagle@netcom.com (John Nagle) writes:
|> 
|> >       Since the law requires that wiretaps be requested by the Executive
|> > Branch and approved by the Judicial Branch, it seems clear that one
|> > of the key registering bodies should be under the control of the
|> > Judicial Branch.  I suggest the Supreme Court, or, regionally, the
|> > Courts of Appeal.  More specifically, the offices of their Clerks.
|> 
|> Now THAT makes sense.  But the other half must be in a non-government
|> escrow.

Good idea, but why put all the eggs in one basket?

Given that the escrow keys are generated 200 at a time on floppy disks, why
not keep them there rather than creating one huge database that will have to
be guarded better than Fort Knox.

Give each floppy to a different bank for safekeeping. The USA has over 10,000
banks and thrifts - there are not likely to be more than 2,000,000 Clipper
phones sold.

Ross

Newsgroup: sci.crypt
Document_id: 15829
From: russotto@vnet.IBM.COM (Matthew T. Russotto)
Subject: Re: Once tapped, your code is no good any more.

In <strnlghtC5wHo2.1FK@netcom.com> David Sternlight writes:
>In the Clipper case, a representative body of experts is going to be allowed
>to audit it, and we'll have assurances (maybe even from the President) that
>other than the escrowed keys there are no back doors. While some may not
>have confidence in that (I am not among them)

Wow, assurances from the President.  Why, those are almost as good as
campaign promises!  I don't see why ANYONE wouldn't have confidence in
those.

Newsgroup: sci.crypt
Document_id: 15830
From: mathew <mathew@mantis.co.uk>
Subject: Re: new encryption

psionic@wam.umd.edu (Haywood J. Blowme) writes:
> Additionally I spoke with Mr. Melnick about their algorithm. He couldn't tell
> me much about their new algorithm because it hasn't been patented yet.
[...]
> Right now the company is afraid that the new clipper chip will put them out
> of business. This is a very real possibility. So they really need help in
> stopping the clipper chip from becoming a standard.

If they're planning on patenting an algorithm, then I hope they go out of
business as quickly as possible.  And you can tell them I said that.

I'm sure many other readers of these newsgroups will agree, too.


mathew

Newsgroup: sci.crypt
Document_id: 15831
From: dougb@comm.mot.com (Doug Bank)
Subject: Re: REVISED TECHNICAL SUMMARY OF CLIPPER CHIP

In article <1993Apr21.192615.3465@guvax.acc.georgetown.edu>, denning@guvax.acc.georgetown.edu writes:

|> The chips are programmed by Mykotronx, Inc., which calls them the
|> "MYK-78."  The silicon is supplied by VLSI Technology Inc.  They are
|> implemented in 1 micron technology and will initially sell for about
|> $30 each in quantities of 10,000 or more.  The price should drop as the
|> technology is shrunk to .8 micron.

Hmmmmmm.  $30 seems a bit expensive.  How big is the chip?  What kind
of packages will be used?  3 volt or 5 volt technology?  How much
current will it draw?  I think there are many practical questions
that haven't been answered, especially since this chip already exists!

|> All Clipper Chips are programmed inside a SCIF (Secure Compartmented
|> Information Facility), which is essentially a vault.  The SCIF contains
|> a laptop computer and equipment to program the chips.  About 300 chips
|> are programmed during a single session.  The SCIF is located at
|> Mykotronx.
|> 
|> At the beginning of a session, a trusted agent from each of the two key
|> escrow agencies enters the vault.  Agent 1 enters a secret, random
|> 80-bit value S1 into the laptop and agent 2 enters a secret, random
|> 80-bit value S2. These random values serve as seeds to generate unit
|> keys for a sequence of serial numbers.  Thus, the unit keys are a
|> function of 160 secret, random bits, where each agent knows only 80.

OK, I've got a big problem with all of this.  How in the world do you
expect to sell these chips for even $30 after all the overhead involved
in this programming procedure?  2-4 people, a laptop, only 300 chips at 
a time:  give me a break.  And how long does all of this take?  Even if
it is a minute per chip, it will take the greater part of a day to 
turn out 300 of these things.  How long do you suppose it will take to
program those 10,000 chips mentioned above?  This is highly impractical!

|> To see how the chip is used, imagine that it is embedded in the AT&T
|> telephone security device (as it will be).  Suppose I call someone and
|> we both have such a device.  After pushing a button to start a secure
|> conversation, my security device will negotiate an 80-bit session key K
|> with the device at the other end.  

So where can I find info on this AT&T device?  What kind of vocoder
does it use?  Does it require ISDN phone lines?  If not, is it full
duplex?  How does it sound?  What kind of synchronization scheme is
used?  Will all other little black boxes have to conform to AT&Ts choices
of protocol, etc.?  Will anybody else be allowed to build boxes that
conform to these specifications?


-- 
Doug Bank                       Private Systems Division
dougb@ecs.comm.mot.com          Motorola Communications Sector
dougb@nwu.edu                   Schaumburg, Illinois
dougb@casbah.acns.nwu.edu       708-576-8207                    

Newsgroup: sci.crypt
Document_id: 15832
Subject: Re: The [secret] source of that announcement
From: pgut1@cs.aukuni.ac.nz (Peter Gutmann)

In <C5x2xs.EF0@lerami.lerctr.org> merlin@lerami.lerctr.org (David Hayes) writes:

>OK, Andrew, I'll provide some evidence. A friend of mine worked for an
>electronics manufacturer on with a west-coast office. They routinely sold
>equipment to the Japanese. One day, the Japanese started showing up with
>discount demands that were amazingly close to the cost to manufacture the
>products.

>This company routinely sent most of the manufacturing data to the field 
>offices. The Japanese had simply intercepted it. So my friend, the computer
>systems admin, came up with a solution. He started sending the data out
>double-block-encrypted with DES. 

>Two days after this new distribution plan was implemented, the president of
>the company got a visit from a pair of government agents. They told him to
>"knock it off". The president gave in, since his company did a considerable
>business with the federal government.

>Now, if the government wasn't monitoring the communications, how would they
>even know that the encryption system was installed? Further, since
>encryption isn't illegal, and DES certainly isn't, what is the basis of the
>government's cease-and-desist demand?

Something similar has happened to me - ages ago when we were working on PGP
we used to send short messages about development issues or simply to test 
new features around.  Now at this time PGP (and certainly the newer version)
was unknown over here.  Suddenly the admin at the site I was using received
a request that I stop sending encrypted email.  Now there is almost no way
that some automatic scanner could have found this, since they wouldn't have
known about PGP - they *must* have checked for unknown data types in the
message, tried to unscramble it, found they couldn't get past the PEM
armour part, and then contacted the sysadmin and asked me to stop.  Luckily
the current email carriers are less picky about what goes over their
networks :-).

In case people think email scanning doesn't take place, I can assure you
that it is done regularly by many sites - usually not by government
agencies (or at least not that I know of), but by local administrators who,
for reasons of their own, have decided to monitor all communications
(I'm sure you can all think of a whole mess of reasons - stop hackers/
terrorists/child pornographers/drug dealers/evil commies/whatever).  There
have been several occasions when I've got people into trouble simply by
including the traditional NSA bait in a message (I don't try it any more
now :-).  A friend of mine was once picked up for mentioning the name of
the UK town of Scunthorpe (hint: look for words embedded in it).  I'm sure
there are many more examples of this happening (in fact if anyone has any
examples I'd appreciate hearing from them - I could use them as
ammunition during talks on privacy issues).

Peter.
--
 pgut1@cs.aukuni.ac.nz||p_gutmann@cs.aukuni.ac.nz||gutmann_p@kosmos.wcc.govt.nz
peterg@kcbbs.gen.nz||peter@nacjack.gen.nz||peter@phlarnschlorpht.nacjack.gen.nz
             (In order of preference - one of 'em's bound to work)
               -- Don't vote.  You'll only encourage them --
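
Gutmann's guess at how the scanner found his mail (it recognised a data type it could not decrypt, the PEM armour) and the embedded-word false positive he describes can both be shown with a small scanner. The following is an added example written for this archive, not code from Peter Gutmann or from any of the sites he mentions. The watch list and the sample message bodies are constructed; the PEM header layout follows RFC 1421 but every value in it is made up, and the word "sensational" stands in for the Scunthorpe case (a watch word embedded inside an innocent word).

```python
import re

# RFC 1421 (PEM) and PGP ASCII-armour boundary lines: the "unknown data type" a
# scanner can recognise without being able to read anything inside it.
ARMOUR_BOUNDARY = re.compile(
    r"^-----BEGIN (PRIVACY-ENHANCED MESSAGE|PGP MESSAGE)-----$", re.MULTILINE
)
# A long line made only of base64 characters; a run of them is encoded payload.
BASE64_LINE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")

# Constructed watch list, standing in for the "NSA bait" words the post mentions.
WATCH_WORDS = ["nsa", "cipher"]


def has_armour(body: str) -> bool:
    """True if the body carries a PEM or PGP armour boundary line."""
    return ARMOUR_BOUNDARY.search(body) is not None


def has_encoded_run(body: str, min_lines: int = 3) -> bool:
    """True if at least `min_lines` consecutive lines look like base64 payload."""
    run = 0
    for line in body.splitlines():
        run = run + 1 if BASE64_LINE.match(line.strip()) else 0
        if run >= min_lines:
            return True
    return False


def substring_hits(body: str) -> list[str]:
    """Naive filter: a watch word anywhere in the text, even inside another word.
    This is the matching behaviour that flags a harmless town name."""
    low = body.lower()
    return [w for w in WATCH_WORDS if w in low]


def word_hits(body: str) -> list[str]:
    """Same watch list, but matched on word boundaries only."""
    return [
        w for w in WATCH_WORDS
        if re.search(rf"\b{re.escape(w)}\b", body, re.IGNORECASE)
    ]


def classify(body: str) -> dict:
    """Run all four checks over one message body and report the findings."""
    return {
        "armour": has_armour(body),
        "encoded": has_encoded_run(body),
        "substring": substring_hits(body),
        "word": word_hits(body),
    }


# Constructed sample bodies (PEM headers follow RFC 1421 layout; values are made up).
SAMPLES = {
    "pem": (
        "-----BEGIN PRIVACY-ENHANCED MESSAGE-----\n"
        "Proc-Type: 4,ENCRYPTED\n"
        "Content-Domain: RFC822\n"
        "DEK-Info: DES-CBC,0123456789ABCDEF\n"
        "\n"
        "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2\n"
        "d3h5ejAxMjM0NTY3ODlBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWmFiY2RlZmdo\n"
        "aWprbG1ub3BxcnN0dXZ3eHl6MDEyMzQ1Njc4OUFCQ0RFRkdISUpLTE1OT1BRUlNU\n"
        "-----END PRIVACY-ENHANCED MESSAGE-----\n"
    ),
    "town": "We spent a sensational weekend by the sea; no news otherwise.",
    "bait": "Say hello to the NSA for me.",
    "plain": "Meeting moved to Thursday at ten.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:6s} {classify(body)}")
```

The armour and base64 checks need no knowledge of PGP at all, which is the point Gutmann makes: a site that scans for things it cannot parse will catch any armoured message. The two keyword checks show why the Scunthorpe-style complaint happens: the substring filter flags "sensational", the word-boundary filter does not, and neither of them says anything about what an encrypted body actually contains.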


Newsgroup: sci.crypt
Document_id: 15833
From: Lyle_Seaman@transarc.com
Subject: Re: new encryption

martin@world.std.com (Martin J Hannigan) writes:
> Hello. I am the David Sternlight keeper of the FAQ. Unfortunately I cannot
> find it at the present time.

Cool it, will you?  Let people form their own opinions.
Even Mr. Sternlight might be right sometime, and you guys
are setting things up so that the only way he can regain 
any credibility is to renounce his previous statements and
move towards the mainstream of net.opinion.  This does not
bespeak tolerance, IMO.

>                          C       _)           David Sternlight
>                           |  ,___|            Net.Police

Indeed...  

Lyle		Transarc		707 Grant Street
412 338 4474	The Gulf Tower		Pittsburgh 15219

Newsgroup: sci.crypt
Document_id: 15834
From: jhan@debra.dgbt.doc.ca (Jerry Han)
Subject: Re: Overreacting (was Re: Once tapped, your code is no good any more)

In article <RENS.93Apr22153654@stimpys.imsi.com> rens@imsi.com (Rens
Troost) writes: 

>>   In this giant bally-ho over this Clipper chip I noticed a rather
>>   disturbing trend in some of the E-mail and posts I've been tossing back and
>>   forth.  
>
>Me too. A tendency on the part of some people to hide their head in
>the sand.

I never advocated "hiding in the sand."  I'm advocating a peaceful
solution while a peaceful solution is possible.  Unless you want blood on
your hands.

>How many people do you want jailed for their convictions, for their
>insistence on real privacy? Why sit by quietly while the preconditions
>for a real civil war are put in place by a short-sighted government.

Read the above.

>>   Everybody is jumping up and down and screaming about it, and I'm worried
>>   that people are going to reach for their hammers and rifles before their pens
>>   and paper.  
>
>The terminal is mightier than the pen :)

I type corrected.  (:-)

>Really? I guess you mean the U.S. revolution. How about England,
>India, Mexico, France, Holland....

English revolution-> what revolution?  They never had one.  
India-> If they could get around their religion restrictions
Mexico-> Point Taken, I forgot about this one.  
France-> Napoleon Bonaparte would have something to say about this.
Holland-> I didn't know they had one, won't comment because I don't know
enough.

>>   That's not very good odds.  
>
>You are misinformed. But this whole issue is off the topic.

Actually, I consider the issue on topic.  When you start gambling with
fire crackers, sooner or later, somebody is going to lose a hand.

>When the cops kick in your door for using PGP, tell them that. All
>we're doing here is exercising our (so-called, rapidly narrowing)
>right to free speech. 

Fine.  Exercise the right to free speech.  That's great!  But don't resort
to armed violence until there's no other possibility.

>Perhaps you should talk to the government about that. Or are you a
>disciple of David "The cops are our FRIENDS" Sternlight?

No.  I believe there are bad cops, and good cops.  There are bad people,
and good people.  (And all that grey in between.)  

I have had the pleasure of knowing a police officer who did his best to
uphold the laws he swore to defend.  I have also seen what happens when
police power is abused.

Don't generalize in either direction.  It just causes problems.

>The implied threat of the illegalization of private crypto, the
>not-so-subtle subtext of the clipper announcement, is what worries me.
>I don't want my children growing up in a police state.

Me either.  Nice can of worms, ain't it?

-- 
Jerry Han-CRC-DOC-Div. of Behavioural Research-"jhan@debra.dgbt.doc.ca"
///////////// These are my opinions, and my opinions only. \\\\\\\\\\\\\
\\\\\\\\\ A proud and frozen member of the Mighty Warriors Band ////////  
"Memories of those I've left behind, still ringing in my ears."-Genesis-

Newsgroup: sci.crypt
Document_id: 15835
From: jhan@debra.dgbt.doc.ca (Jerry Han)
Subject: Re: Overreacting (was Re: Once tapped, your code is no good any more)

In article <116530@bu.edu> uni@acs.bu.edu (Shaen Bernhardt) writes:
>
>The point remains.  More and more I see the government slowly washing
>away privacy.  Even unwittingly.  Do you think I will ever live in a
>society that issues smart cards to citizens at birth?  Do you think I
>will live in a society that insists I register my crypto keys so they
>can keep track of what I'm saying?  Even if there is no evidence of my
>guilt?  Do you think I will ever live in a society that seeks to meddle
>in the affairs of its citizenry without recourse of any kind?  I'm tired
>of it.  There is (IMHO) no compromise with an administration that seeks
>to implement these proposals under the guise of enhancing privacy.
>
>More than the proposals themselves, I read the language of the press
>releases, the obvious deception involved in presenting these pieces to
>the public, and I am sickened.  I am revolted.  I am repulsed.
>
>90%, perhaps even 95% of this country could care less about the
>clipper chip, the wiretap bill, the smart card, because they are so
>entrapped in the rhetoric of the Clinton Administration.
>
>This saddens and frightens me.
>
>I am a conservative believe it or not.  A law and order conservative.
>But the move to a centralized authoritarian regime really scares me,
>mostly because I know you can't go far wrong underestimating the
>intelligence of the American people.  Tell them it's going to keep
>them safe from drug dealers and terrorists, and they will let you
>put cameras in their home.
>
>Even in the wake of Waco, you find those who support the increasingly
>totalitarian moves.
>
>To be quite honest, the way things are going, I'd call it self defense.
>
>And I don't want mine growing up in the eyes of a security camera
>24 hours a day.

I never advocated not saying what you believe in.  I'm advocating second
thought, and calm.  

"A smart warrior defeats the enemy in ambush on the battlefield"
"A smarter warrior defeats the enemy in open warfare on the battlefield"
"The smartest warrior defeats the enemy without using the battlefield"

Think about it.  


>-- 
>uni@acs.bu.edu  ->  Public Keys by finger and/or request
>Public Key Archives: <pgp-public-keys@pgp.iastate.edu> 
>Sovereignty is the sign of a brutal past.<>Fight Clinton's Wiretap Chip!
>DF610670F2467B99 97DE2B5C3749148C <> Crypto is not a Crime! Ask me how!


-- 
Jerry Han-CRC-DOC-Div. of Behavioural Research-"jhan@debra.dgbt.doc.ca"
///////////// These are my opinions, and my opinions only. \\\\\\\\\\\\\
\\\\\\\\\ A proud and frozen member of the Mighty Warriors Band ////////  
"Memories of those I've left behind, still ringing in my ears."-Genesis-

Newsgroup: sci.crypt
Document_id: 15836
From: Lyle_Seaman@transarc.com
Subject: Re: Off the shelf cheap DES keyseach machine (Was: Re: Corporate acceptance of the wiretap chip)

"Jon \\lnes" <jon@ifi.uio.no> writes:
> A person I know, belonging to a research lab of a private
> company, claimed to me during a private conversation that, given the
> equipment in his lab, he could crack a Kerberos ticket in 15 minutes to
> an hour. He had access to rather powerful DES hardware, but not of an
> extraordinary kind, I believe. The attack was possible because of the
> amount of known plaintext in the ticket, which itself constitutes a small
> message. This was two years ago.

That would be a V4 ticket, presumably, not a V5 ticket.  The V4 ticket
format can even be complicated several more orders of magnitude...

Lyle		Transarc		707 Grant Street
412 338 4474	The Gulf Tower		Pittsburgh 15219

Newsgroup: sci.crypt
Document_id: 15837
From: martin@world.std.com (Martin J Hannigan)
Subject: Re: new encryption

In article <sfpzMNz0BwwbMDwhUC@transarc.com> Lyle_Seaman@transarc.com writes:
>martin@world.std.com (Martin J Hannigan) writes:
>> Hello. I am the David Sternlight keeper of the FAQ. Unfortunately I cannot
>> find it at the present time.
>
>Cool it, will you?  Let people form their own opinions.
>Even Mr. Sternlight might be right sometime, and you guys
>are setting things up so that the only way he can regain 
>any credibility is to renounce his previous statements and
>move towards the mainstream of net.opinion.  This does not
>bespeak tolerance, IMO.
>
>>                          C       _)           David Sternlight
>>                           |  ,___|            Net.Police
>
>Indeed...  
>
>Lyle		Transarc		707 Grant Street
>412 338 4474	The Gulf Tower		Pittsburgh 15219


Hopefully, he doesn't take it personally...
-- 
Martin Hannigan    :       Twisted Pair Consulting       : 617-623-3534
Mac                :         IBM PC & Mainframe          : UNIX

Newsgroup: sci.crypt
Document_id: 15838
From: cme@ellisun.sw.stratus.com (Carl Ellison)
Subject: Strong Encryption

I just posted this reply to comp.risks (answering RISKS DIGEST 14.53).
Summary: Re: [14.53 Mark Seecof] "key escrow"
References: <CMM.0.90.1.735527964.risks@chiron.csl.sri.com>

>From: Mark Seecof <marks@wimsey.latimes.com>
>Subject: "key escrow" (Clipper Chip; RISKS 14.51)

>Advances in digital computing have made it possible for ordinary people to
>use powerful machine cipher techniques.

It is tempting (albeit chauvinistic) to believe that we have a new situation
here, thanks to our pet computers.  This is not true.  David Kahn's "The
Codebreakers", a history of cryptography, makes two things obvious:

1.	Cryptography is a spontaneous invention of private human individuals
	and has been going on for thousands of years.  [Teen-age slang and
	cipher inventions provide a modern example of this spontaneous
	creation.]

2.	The systems people created on their own were roughly as secure as (and
	sometimes more secure than) those used by military and diplomatic
	users *of that time* (although they seem very simple and insecure
	today). [e.g., In places, the Bible used a more complex simple
	substitution than Caesar did for his military dispatches, but before
	Caesar.]

I commend Kahn's book to all who might be interested.

-- 
 - <<Disclaimer: All opinions expressed are my own, of course.>>
 - Carl Ellison                                        cme@sw.stratus.com
 - Stratus Computer Inc.       M3-2-BKW                TEL: (508)460-2783
 - 55 Fairbanks Boulevard ; Marlborough MA 01752-1298  FAX: (508)624-7488

Newsgroup: sci.crypt
Document_id: 15839
From: johan@blade.stack.urc.tue.nl (Johan Wevers)
Subject: Re: Once tapped, your code is no good any more.

russotto@vnet.IBM.COM (Matthew T. Russotto) writes:

>>In the Clipper case, a representative body of experts is going to be allowed
>>to audit it, and we'll have assurances (maybe even from the President) that
>>other than the escrowed keys there are no back doors. While some may not
>>have confidence in that (I am not among them)

>Wow, assurances from the President.  Why, those are almost as good as
>campaign promises!  I don't see why ANYONE wouldn't have confidence in
>those.

I don't think Mr. Clinton can even understand the technical details of
the clipper encryption scheme. So, his "assurances" are of no value at
all; if he gives them he just says what a panel of experts(?) told him.
If I lived in the USA, I would hope those experts were not paid by the
<fill here your favorite 3-letter combination>.
-- 
J.C.A. Wevers             The only nature of reality is physics.
johan@stack.urc.tue.nl  

Newsgroup: sci.crypt
Document_id: 15840
From: morgan@engr.uky.edu (Wes Morgan)
Subject: Re: I have seen the lobby, and it is us

ns111310@LANCE.ColoState.Edu (Nathaniel Sammons) wrote:
>2) If some kind soul out there would write a letter, and upload it to 
>the net, everyone could capture it, print it out, and snail-mail it
>out to their local congressional critter.
>
>BTW>> I'm working on one.

You should realize that form letters are the *worst* way to influence
your congresscritters; exact copies are routinely placed on the lowest
rung of the opinion ladder.

If you want to write (and I think you should!), take the time to really
*write* a letter.  Things to emphasize:

	- It's been said that Usenet is available to the 'technical
	  elite', i.e. the techies at corporate sites and universities.
	  Emphasize that you are part of the group that will be
	  making/developing/using Clinton's 'data superhighway.'

	- Explain how you are intimately familiar with both computing
	  and data communications. (if this is the case; don't call
	  yourself an 'expert' after wiring in a 1200 bps modem.)   This
	  will distinguish your letter from the random flamers.  Don't
	  turn it into braggadocio; just tell them that you know the
	  technical sides of the issue.

	- Don't overdo jargon and gobbledygook.  Remember, your letter
	  will be first read (in all likelihood) by a staffer who may
	  even be a college student; if they don't understand it, your
	  views won't even make the 'running total' sheets.

	- Be concise; don't ramble.  Rants are *definitely* out of place.
	  Cite references, if necessary, but only use "accepted" references
	  like academic journals.  "My neighbor Jim" is *not* a real
	  reference.  8)

	- Unfortunately, very few Congresscritters *really* understand
	  electronic communications.  Encourage them to pick up access
	  to Compuserve, America Online, or one of the Free-Nets.  Offer
	  to send them samples.  If you are in a position to do so, offer
	  them (or their staffers back in the home state) access to your
	  systems.  Offer to give a demonstration the next time they're in
	  town.  Your offer to get *personally* involved in helping them
	  *will* give your opinions more credence.

	- In addition to sending mail to your representatives, send mail
	  to the members of the committee (or subcommittee) that is dealing
	  with the issue.  If your Congresscritter isn't on the committee,
	  they can't be of much help until the matter comes to the floor.

--Wes

ps> I'd suggest drawing analogies between digital communication and the
    more traditional media, but Usenet doesn't have a decent track record
    in the analogy department.  8)

-- 
Rachel Elizabeth Morgan  --  4/13/93, 7:00 am    | Oh yeah, I can be reached as
9 pounds 4 ounces (despite coming 3 weeks early) |     morgan@engr.uky.edu
                                                 |-----------------------------
To netters who gave constant encouragement and prayer - thanks for everything!

Newsgroup: sci.crypt
Document_id: 15841
From: mathew <mathew@mantis.co.uk>
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks only

ifarqhar@laurel.ocs.mq.edu.au (Ian Farquhar) writes:
> Hmmm... I also wonder what Intergraph thinks about the use of the name
> "Clipper" for this device. :)

Not to mention Computer Associates.  I'll have to be careful to stop telling
people I'm a Clipper programmer, they might lynch me... :-)


mathew

Newsgroup: sci.crypt
Document_id: 15842
From: n9045178@henson.cc.wwu.edu (Sean Dean)
Subject: Re: Does Rush read his E-mail?

rick@ee.uwm.edu (Rick Miller) writes:

>rsilvers@nynexst.com (Robert Silvers) writes:
>>	Send something to Rush Limbaugh about Clinton taking away our right
>>to privacy and how if the govt. standard takes off, only people with lots
>>of money (drug dealers) will be able to justify DES stuff.  He will slam
>>Clinton for this on the air.
>>						--Rob.

>I seem to recall Rush saying that he has a CompuServe account.  If anyone
>wants to E-mail him, all we need is his account number (i.e.: 12345,6789)
>and then we could e-mail him via gateway by using a dot instead of a comma
>like so: "12345.6789@compuserve.com".  (THIS IS *NOT* HIS ADDRESS.)

>So, does anyone know his e-mail address?  He *says* he uses it all the time.
>(I wonder if he reads alt.fan.rush-limbaugh...   His ego is big enough!)

>Rick Miller  <rick@ee.uwm.edu> | <ricxjo@discus.mil.wi.us>   Ricxjo Muelisto
>Send a postcard, get one back! | Enposxtigu bildkarton kaj vi ricevos alion!


I've heard he doesn't read alt.fan.rush.....
But I have no idea of a Compuserve e-mail address...

Newsgroup: sci.crypt
Document_id: 15843
From: hshubs@cis.umassd.edu (Howard S Shubs)
Subject: Re: Overreacting (was Re: Once tapped, your code is no good any more)

In <4fplPDH0BwwbEDweNJ@transarc.com> Lyle_Seaman@transarc.com writes:

>Look, we (collectively) have the power to throw the bums out, but we
>don't use it.  We clearly don't need to go burning things down, but we
>clearly do need to throw at least some of the bums out.
>Unfortunately, the bums have learned to target only small groups of
>people at a single time, so the masses won't react and throw them out.
>Eventually, the masses will react, unless the bums cease their
>relentless encroachment on liberty and despoilment of the economy.
>The sooner it happens, the less the damages will be.  I don't want to
>live in a war zone, either -- I want to see the bums thrown out before
>they do some *real* damage.

Before they do some real damage??  You haven't been paying attention, it
seems.  The so-called War on Drugs has already done major damage to
the US Constitution.
-- 
Howard S Shubs    hshubs@bix.com          For to win 100 victories in 100
The Denim Adept   hshubs@cis.umassd.edu   battles is not the acme of skill.

Newsgroup: sci.crypt
Document_id: 15844
From: levin@bbn.com (Joel B Levin)
Subject: Re: Does Rush read his E-mail?

rsilvers@nynexst.com (Robert Silvers) writes:
|>>	Send something to Rush Limbaugh about Clinton taking away our right
|>>to privacy and how if the govt. standard takes off, only people with lots
|>>of money (drug dealers) will be able to justify DES stuff.  He will slam
|>>Clinton for this on the air.

He'll slam Clinton for anything at all on the air.  I just do not
understand why he remains so popular.  He'll take a piece of video of
Clinton walking along; find a frame in which Clinton wrinkles his
nose, say; freeze on it and blow it up full screen; and then rant for
five minutes on how no one could possibly trust someone with such a
face and such beady greedy little eyes.  I've seen this on his TV show
(it was around the time of the inauguration).  Can anyone call this
stuff legitimate (I hate to say "informed") commentary?  How can
anyone with half a brain in his or her head[1] continue to watch
it[2]?

The American TV-watching (and I guess radio-listening) public never
ceases to amaze me.

	/J

[1] Oops, have I just inadvertently answered my own question?

[2] I myself only see it when I run across it every couple months when
    channel-surfing late at night; the longest I've been able to stand
    him was about 10 minutes.

(Apologies for stripping the alt.fan.rush groups from the Newsgroups
line; the software here apparently rejects anything with groups we
don't carry, and we don't carry those.  Also I removed sci.crypt from
followups.)

=
Nets: levin@bbn.com  |  "There were sweetheart roses on Yancey Wilmerding's
POTS: (617)873-3463  |  bureau that morning.  Wide-eyed and distraught, she
              N1MNF  |  stood with all her faculties rooted to the floor."
                     |					-- S. J. Perelman

Newsgroup: sci.crypt
Document_id: 15845
From: cme@ellisun.sw.stratus.com (Carl Ellison)
Subject: Re: Organized Lobbying for Cryptography

In article <1993Apr21.113152.395@gems.vcu.edu> langford@gems.vcu.edu writes:
>1)  Second Amendment gives us the right to keep and bear arms.
>
>2)  Strong cryptography is "arms", according to the U.S. government (that's
>    why it's so hard to export).
>
>Therefore, we have a constitutional right to strong cryptography!  


Better, I think, is our right peacably to assemble.  I have a right to meet
you in a park and talk privately.  I have a right to see if anyone is
nearby, listening.

In cyberspace, cryptography gives us a right to assemble with control over
who overhears us.

-- 
 - <<Disclaimer: All opinions expressed are my own, of course.>>
 - Carl Ellison                                        cme@sw.stratus.com
 - Stratus Computer Inc.       M3-2-BKW                TEL: (508)460-2783
 - 55 Fairbanks Boulevard ; Marlborough MA 01752-1298  FAX: (508)624-7488

Newsgroup: sci.crypt
Document_id: 15846
From: lkimes@alshain.usc.edu (Lance 'Moof' Kimes)
Subject: Re: Overreacting (was Re: Once tapped, your code is no good any more)


In article <116530@bu.edu>, uni@acs.bu.edu (Shaen Bernhardt) writes:

|> I am a conservative believe it or not.  A law and order conservative.
|> But the move to a centralized authoritarian regime really scares me,
|> mostly because I know you can't go far wrong underestimating the
|> intelligence of the American people.  Tell them it's going to keep
|> them safe from drug dealers and terrorists, and they will let you
|> put cameras in their home.


There is one point I'd like to make, that most people seem to have forgotten.
That is that one of the underlying principles in the Constitution is a DISTRUST
of governmental authority and control. All those "checks & balances" are because
they realized that you should distrust those in power. What everyone seems to have
forgotten as well is the original reason that the Bill of Rights guaranteed the
right to bear arms. Its inclusion was not to allow you to protect yourself
against other citizens, but to prevent the government from taking away your only
means of protecting yourself from an armed and aggressive government. It's hard to
oppress your citizenry when it's armed against you.

I am not a fanatic; I'm a retired Naval officer. Because I have spent so much
time defending it, perhaps I understand its "purpose" as well as its "plan".

Lance Kimes

Newsgroup: sci.crypt
Document_id: 15847
From: r1b6116@zeus.tamu.edu (Mr. Weather)
Subject: Re: Does Rush read his E-mail?

n9045178@henson.cc.wwu.edu (Sean Dean) writes...

[other 2 posts deleted]

|I've heard he doesn't read alt.fan.rush.....
|But I have no idea of a Compuserve e-mail address...

Does anyone have Rush Limbaugh's e-mail address?  Is there anyone out there
on Compuserve who might be able to look it up or otherwise find it?
Maybe it would be impossible, but I thought I should at least ask...

               Mr. Weather / r1b6116@zeus.tamu.edu / Ken Blair

Newsgroup: sci.crypt
Document_id: 15848
Subject: Re: Write to Clinton
From: a_rubin@dsg4.dse.beckman.com (Arthur Rubin)

In <1r74a4$h2t@transfer.stratus.com> cme@ellisun.sw.stratus.com (Carl Ellison) writes:


>I've been reading the sci.crypt, alt.privacy.clipper and comp.org.eff.talk
>discussions about the Clipper chip and find (as usual) that most of us
>think alike -- so there's a lot of repetition.  If each of these messages
>were sent to Clinton as well as to the net (or instead of to the net), we
>might actually have some effect.

>	0005895485@MCIMAIL.COM  (White House)

I've already written a 5000 char commentary (from my MCI MAIL account, so I
can't be accused of being a "hacker".)
--
Arthur L. Rubin: a_rubin@dsg4.dse.beckman.com (work) Beckman Instruments/Brea
216-5888@mcimail.com 70707.453@compuserve.com arthur@pnet01.cts.com (personal)
My opinions are my own, and do not represent those of my employer.

Newsgroup: sci.crypt
Document_id: 15849
From: helleset@solar.usc.edu (Tor Helleseth)
Subject: PROGRAM EUROCRYPT'93, MAY 23-27, LOFTHUS, NORWAY


PROGRAM EUROCRYPT'93, MAY 23-27, LOFTHUS, NORWAY
------------------------------------------------
General chair : Kaare Presttun 
                email: eurocrypt93@alcatel.no                

Program chair : Tor Helleseth
                Department of Informatics 
                University of Bergen
                N-5020 Bergen
                NORWAY
                email: torh@ii.uib.no

=========================================================================

                      MONDAY,  May 24
                      ---------------
                 
              SESSION 1 : AUTHENTICATION
              --------------------------
              Chair: J. Seberry

 9.00- 9.30   Welcome and opening remarks
 9.30-10.00   On the Relation Between A-codes and Codes Correcting Independent 
              Errors, T. Johansson, B. Smeets (Lund University, Sweden), 
              and G. Kabatianskii (Institute for Problems of Information 
              Transmission, Russia)
10.00-10.20   Optimal Authentication Systems, R. Safavi-Naini and L. Tombak 
              (University of Wollongong, Australia)

10.20-10.50   Coffee or tea


              SESSION 2 : PUBLIC KEY
              ----------------------
              Chair: A. Odlyzko

10.50-11.10   Factoring Integers using SIMD Sieves, B. Dixon (Princeton 
              University, USA) and A.K. Lenstra (Bellcore, USA)
11.10-11.30   A New Elliptic Curve Based Analogue of RSA, 
              N. Demytko (Telecom Research Laboratories, Australia)
11.30-11.50   Weaknesses of a Public-Key Cryptosystem Based on Factorization 
              of Finite Groups, J. Stern (ENS, France)

11.50-14.00   Lunch


              SESSION 3 : BLOCK CIPHERS
              -------------------------
              Chair: A. De Santis

14.00-14.20   Differentially Uniform Mappings for Cryptography, 
              K. Nyberg (Technical University of Vienna, Austria)
14.20-14.40   On Permutations Against Differential Cryptanalysis, 
              T. Beth and C. Ding (EISS, University of Karlsruhe, Germany)
14.40-15.10   Two New Classes of Bent Functions, 
              C. Carlet (INRIA, France)
15.10-15.30   Boolean Functions Satisfying a Higher Order Strict Avalanche
              Condition, T.W. Cusick (SUNY, Buffalo, USA)

15.30-16.00   Coffee or tea


              SESSION 4 : SECRET SHARING
              --------------------------
              Chair: Y. Desmedt

16.00-16.30  Size of Shares and Probability of Cheating in Threshold Schemes, 
             M. Carpentieri, A. De Santis and U. Vaccaro (University of 
             Salerno, Italy)
16.30-17.00  Nonperfect Secret Sharing Schemes and Matroids, K. Kurosawa,
             K. Okada, K. Sakano, W. Ogata and S. Tsujii (Tokyo Institute of
             Technology, Japan)
     

                      TUESDAY, May 25
                      ---------------

             SESSION 5 : STREAM CIPHERS I
             ---------------------------
             Chair: T. Helleseth 

 9.00-10.00 From the Memoirs of a Norwegian Cryptolog, E. Selmer (University 
            of Bergen, Norway) (Invited talk)
10.00-10.20 On the Linear Complexity of Products of Shift-Register Sequences, 
            R. Gottfert and H. Niederreiter (Austrian Academy of Sciences, 
            Vienna, Austria)

10.20-10.50 Coffee or tea


             SESSION 6 : STREAM CIPHERS II
             ----------------------------
             Chair: D. Gollmann

10.50-11.20  Resynchronisation Weaknesses in Synchronous Stream Ciphers,
             J. Daemen, R. Govaerts and J. Vandewalle (ESAT, KU Leuven, 
             Belgium)
11.20-11.40  Blind Synchronization of m-Sequences with Even Span,
             R. Games and J.J. Rushanan (MITRE, USA)
11.40-12.10  On Constructions and Nonlinearity of Correlation Immune Functions,
             J. Seberry, X. Zhang and Y. Zheng (University of Wollongong, 
             Australia)

12.10-14.00  Lunch


             SESSION 7 : DIGITAL SIGNATURES
             ------------------------------
             Chair: C. Schnorr

14.00-14.30  Practical and Provably Secure Release of a Secret and Exchange of
             Signatures, I.B. Damgard (Aarhus University, Denmark)
14.30-14.50  Subliminal Communication is Easy Using the DSA, 
             G.J. Simmons
14.50-15.10  Can OSS be Repaired, D. Naccache (Gemplus, France)

15.10-15.40  Coffee or tea


             SESSION 8 : PROTOCOLS I
             -----------------------
             Chair: K. Kurosawa

15.40-16.00  Limitations of Logical Analysis of Cryptographic Protocols,  
             C. Boyd and W. Mao (University of Manchester, United Kingdom)
16.00-16.30  Practical Anonymous and Secure Voting Scheme, K. Itoh, C. Park 
             and K. Kurosawa (Tokyo Institute of Technology, Japan)
16.30-16.50  Untransferable Rights in a Client-Independent Server Environment,
             J. Domingo-Ferrer (University of Barcelona, Spain)
16.50-17.20  Interactive Hashing Simplifies Zero-Knowledge Protocol Design,
             R. Ostrovsky (UC Berkeley, USA), R. Venkatesan (Bellcore, USA) and
             M. Yung (IBM T. Watson, USA)

             RUMP SESSION
             -------------
             Chair: I. Ingemarsson     

20.00-24.00  Accepted paper: 
             Security in Digital Mobile Communication Systems,
             C. Park, K. Kurosawa, T. Okamoto and S. Tsujii (Tokyo
             Institute of Technology, Japan)


                     WEDNESDAY, May 26
                     -----------------

             SESSION 9 : HASH FUNCTIONS
             ---------------------------
             Chair: B. Preneel

 9.00- 9.20  One-Way Accumulators: A Decentralized Alternative to Digital
             Signatures, J. Benaloh and M. de Mare (Clarkson University, USA)
 9.20- 9.40  Some Attacks on the ARL Hash Function, I.B. Damgard and 
             L.R. Knudsen (Aarhus University, Denmark)
 9.40-10.10  Collisions for the Compression Function of MD5, B. den Boer and
             A. Bosselaers (ESAT, KU Leuven, Belgium)
10.10-10.30  How to Find and Avoid Collisions for the Knapsack Hash Function, 
             J. Patarin (Bull CP8, France)
  
10.30-11.00  Coffee or tea


             SESSION 10: PAYMENT SYSTEMS
             ---------------------------
             Chair: I.B. Damgard

11.00-11.20  Single Term Off-Line Coins, N.T. Ferguson (CWI Amsterdam,
             The Netherlands)
11.20-11.40  Improved Privacy in Wallets with Observers,
             R.J.F. Cramer (CWI Amsterdam, The Netherlands) and 
             T.P. Pedersen (Aarhus University, Denmark)
11.40-12.10  How to Prevent the Mafia Fraud Using Distance-Bounding Protocols,
             S. Brands and D. Chaum (CWI Amsterdam, The Netherlands)
           
12.10-14.00 Lunch
 

             SESSION 11: CRYPTANALYSIS
             --------------------------
             Chair: G.J. Simmons

14.00-14.20 On the Distribution of Characteristics in Bijective Mappings,
            L. O'Connor (University of Waterloo, Canada)
14.20-14.40 On the Security of the IDEA Block Cipher, 
            W. Meier (HTL, Switzerland)
14.40-15.10 Linear Cryptanalysis Method for DES Cipher,
            M. Matsui (Mitsubishi, Japan)
15.10-15.40 New Types of Cryptanalytic Attacks Using Related Keys, 
            E. Biham (Technion, Israel)

15.40-16.10 Coffee or tea
 

             SESSION 12 : PROTOCOLS II
             -------------------------
             Chair: P. Landrock

16.10-16.40  Reconciliation on a Secret Key Through Public Discussion,
             G. Brassard and L. Salvail (University of Montreal, Canada)
16.40-17.10  Global, Unpredictable Bit Generation Without Broadcast,
             D. Beaver and N. So (Penn State University, USA)
17.10-17.40  IACR Business meeting

==========================================================================

Newsgroup: sci.crypt
Document_id: 15850
From: azoghlin@uxa.cso.uiuc.edu (Very Old Freshman (VOF))
Subject: Re: The [secret] source of that announcement

bear@tigger.cs.Colorado.EDU (Bear Giles) writes:
>I wish them luck in figuring out who "I" am based on that information.

>(They can probably figure out I'm liberal, with a technical degree
>but humanistic interests, from a common thread throughout my posts.
>But that describes a fair portion of the users of Internet).

Sounds like you are the brother of sibble to me. <hey that wasn't
nice> {Oh shut up, I'm posting now} [Both of you pipe down, or I
will take control of the arms and sock you in the mouth]



Newsgroup: sci.crypt
Document_id: 15851
From: johne@vcd.hp.com (John Eaton)
Subject: Re: Suggestions for escrow agencies (was: Re: More technical details)

Paul Robichaux (robichau@lambda.msfc.nasa.gov) wrote:
: 
: As a private citizen, I would feel much more "secure in my person and
: papers" knowing that an organization committed to individual civil
: liberties- the ACLU and the NRA come to mind- was safeguarding half of
: my key. Both the ACLU and the NRA are resistant to government pressure
: by the simple expedient fact that they are not supported, funded, or
: overtly controlled by the government.
: --------------------------
That's one problem that has so far been overlooked. These two escrow
agencies will have to create a secure database and service the
input and output of Keys. Who pays for this? If they refuse an
illegal request from some congressman to deliver a key can their
budget be cut to punish them? Will congress be forced to fund
them forever?

The problem is that laws can change. Congress may pass a law setting
up an escrow agency with instructions that keys are private. Some
future congress may change that law. Suppose pre-nazi Germany had
a clipper system. Do you think the escrow agencies would have
told Hitler that he could not have the keys without a valid 
court order?

In effect you must set up escrow agencies as a fourth branch of
the government and isolate them from any outside interference. 
They will be able to directly tap into Federal funds with no
accountability to anyone except through a court challenge.

John Eaton
!hp-vcd!johne



Newsgroup: sci.crypt
Document_id: 15852
From: cme@ellisun.sw.stratus.com (Carl Ellison)
Subject: Re: I have seen the lobby, and it is us

In article <1993Apr21.163929.21149@eff.org> A. Charles Gross <acg@eff.org> writes:
>The NRA is successful because (among a number of things), on the drop of
>a hat, they can get a congressperson's office flooded with postcards,
>faxes and phone calls.  Certainly, with our way-cool Internet powers of
>organization, we can act in the same way, if such action is appropriate.

I don't know about you, but I have nearly forgotten how to generate paper
mail.

If I had e-mail to Congress, I would have written many letters by now.
I haven't written one yet, as it turns out.  Writing on paper is such
a complicated job, for those of us hooked on our way-cool Internet.

-- 
 - <<Disclaimer: All opinions expressed are my own, of course.>>
 - Carl Ellison                                        cme@sw.stratus.com
 - Stratus Computer Inc.       M3-2-BKW                TEL: (508)460-2783
 - 55 Fairbanks Boulevard ; Marlborough MA 01752-1298  FAX: (508)624-7488

Newsgroup: sci.crypt
Document_id: 15853
From: smb@research.att.com (Steven Bellovin)
Subject: Re: Off the shelf cheap DES keyseach machine (Was: Re: Corporate

In article <CMM.0.90.2.735554186.jon@gode.ifi.uio.no>, "Jon \\lnes" <jon@ifi.uio.no> writes:
> A person I know, belonging to a research lab of a private
> company, claimed to me during a private conversation that, given the
> equipment in his lab, he could crack a Kerberos ticket in 15 minutes to
> an hour. He had access to rather powerful DES hardware, but not of an
> extraordinary kind, I believe. The attack was possible because of the
> amount of known plaintext in the ticket, which itself constitutes a small
> message. This was two years ago.
> DES is no longer usable for encryption of really sensitive data. For a
> lot of purposes, however, it is still very adequate.

This sounds an awful lot like a password-guesser, not a weakness in
DES.  Merritt and I pointed out this weakness in Kerberos in a paper
that came out about 2.5 years ago, in both Computer Communications
Review and Usenix.  For that matter, it was loudly discussed on the
Kerberos mailing list even earlier.

The problem has nothing whatsoever to do with DES, and everything to do
with bad password selection.

I'm perfectly willing to believe that there are cryptanalytic attacks
possible on DES.  I'm quite dubious that private research labs know
them.  And the parameters of a brute-force attack are quite well
established; see, for example, the Garon and Outerbridge paper in the
July '91 Cryptologia.  You're not going to do it in an hour with only
``rather powerful DES hardware''.  I'll leave the arithmetic as an
exercise for the reader.  On average, you'll need to do 2^55 trials.
Pick your own parameters for how fast the DES engine runs, and for
how many such engines are used.

Newsgroup: sci.crypt
Document_id: 15854
From: kliegel@key.amdahl.com (James Kliegel)
Subject: Crypto-PenPals

I came. I lurked. I read the FAQ.

Now having purchased the recommended books, and having taken to heart the advice that
one knows nothing about crypto without having done a stint as a cryptanalyst, I would like
to correspond with people interested in cryptology.

I am working on implementing the cryptanalyst's workbench example in Booch's OOD with
Applications. I hope to start sending ciphers back and forth so each of us can practice cracking
them.  I would like to start with simple Caesar's ciphers and progress roughly according to
David Kahn's book. Of course I would be interested in general discussions and math also.

I hope to have some foreign correspondents so that we can test the response time of the
"men in the suits" I've been hearing so much about. Unfortunately as a product of the American
education system I only know English.

Looking forward to any and all responses.

James
---
======================================================================
James M. Kliegel
kliegel@key.amdahl.com                                  (510) 623-3148
======================================================================


Newsgroup: sci.crypt
Document_id: 15855
Subject: Re: I have seen the lobby, and it is us
From: a_rubin@dsg4.dse.beckman.com (Arthur Rubin)

In <1r9av2$bg6@transfer.stratus.com> cme@ellisun.sw.stratus.com (Carl Ellison) writes:

>In article <1993Apr21.163929.21149@eff.org> A. Charles Gross <acg@eff.org> writes:
>>The NRA is successful because (among a number of things), on the drop of
>>a hat, they can get a congressperson's office flooded with postcards,
>>faxes and phone calls.  Certainly, with our way-cool Internet powers of
>>organization, we can act in the same way, if such action is appropriate.

>I don't know about you, but I have nearly forgotten how to generate paper
>mail.

>If I had e-mail to Congress, I would have written many letters by now.
>I haven't written one yet, as it turns out.  Writing on paper is such
>a complicated job, for those of us hooked on our way-cool Internet.

That's what MCI Mail is for!  (CompuServe also has "CongressGrams" (TM).)

This is not intended as an advertisement; that really is what MCI Mail WAS
intended for (according to their ads).
--
Arthur L. Rubin: a_rubin@dsg4.dse.beckman.com (work) Beckman Instruments/Brea
216-5888@mcimail.com 70707.453@compuserve.com arthur@pnet01.cts.com (personal)
My opinions are my own, and do not represent those of my employer.

Newsgroup: sci.crypt
Document_id: 15856
From: mgr@anhep3.hep.anl.gov (Dr. mike)
Subject: clipper/freedom/comments


-----BEGIN PGP SIGNED MESSAGE-----

Gasp!

I've just spent 3 hours catching up on sci.crypt here (slow reader I
guess) and I really have to put out a few comments too.  First, let me
flame the famous Dave S. : He's obviously only 10 years old.  Cut him
some slack. :^}

The joke about Clinton/crypto/drugs slammed me thru the roof.  Nice job
guys!  I've been working on marijuana legalization for over 5 years
now, Clinton's actions so far have really helped.  But because of
government action taken against various other groups, I have developed
a 64 bit DES based on public literature to protect my mailing list.
The S-boxes are the critical component, and since I chose 32 out of 57
based on the key, cracking this DES is going to be tough.  (The reason it
slows you down a touch is that for each key you try you need to use a
different set of s-boxes, I know it's only a vector, but it sure makes
random search a pain).  Several marijuana legalization groups have had
their mailing lists confiscated when people were charged with drug
use/sales.  It's not a crime to be a member of a legalization org,
*but* you will be watched.

It really is important to write a letter to every official you
personally vote for to explain *why* your privacy is being destroyed by
the "cripple chip".  Amazingly enough they do listen when they get
*enough* mail.  The Doonesbury jokes about NRA postcards are real, and
the IMI (Illinois Marijuana Initiative) has grown to the point where we
*are* seeing some changes.

It's pretty clear that all the hullabaloo is really about the
implementation decision being made behind our backs.  As Vesselin
points out, this was common practice in communist regimes (and may be
again depending on how the vote goes).  But just as criminals have guns
and "law abiding" citizens don't, and criminals like me have marijuana
and "law abiding" subjects don't, criminals like me will have secure
crypto while "law abiding" robots don't.  PGP is nice, but as time goes
on we all can do better.  And to save our hides we will.

Someone posted an excerpt from Machiavelli.  He's my favorite dude.
500 years ago he saw clearly how people *are*, and tried to explain
that to "princes" who wanted people to *obey*.  One section not quoted
(I've got "The Prince" at home, so I'll just paraphrase :) ) had to do
with conquering a free city.  The only way is to *completely destroy*
it.  Failing that, you must appoint locals to high positions and accept
the people's customs.  Even after 100 years of oppression, a people
will remember their heritage and rise up to overthrow the oppressive
government.  And he gave an example.  And that was 300 years *before*
Thomas Jefferson.

There were questions about watching traffic.  Only *interesting* traffic
is watched: stuff that goes overseas and comes back; stuff with keywords
like marijuana, cryptography, NSA;  certain individuals who are known
subversives, etc.  It is easy enough to store all that traffic.  So if
you know how to be *subversive* i.e. how to be unseen, it's pretty easy
to go unnoticed for a long time.  The stronger your crypto system and the
less you're noticed, the better your chances of developing an organization
which can disseminate truth to the masses.

Which gets me to the thread about a "public encrypted conference".
That's just silly.  The first thing the feds do is send in an
infiltrator (like Dave S.) and they know what you're doing.  It will be
fun for teenagers and college students, but for the real world it's
pretty pointless.  Crypto is useful for more things than hiding where
you get your marijuana.

Guns, drugs and crypto do have some commonality: there are people in
government who want you to *obey* their rules.  As Lundquist says in
alt.drugs "Live free or don't".  Machiavelli pointed out that's just
how most people actually live, in spite of appearances to the contrary.
It's true that the decision to shove the clipper (not the same thing as
Intergraph's!!!) down our throats violates the principles of what the
U.S. was founded on, but the government is full of idiotic robots
called bureaucrats and there's less to worry about than one might
think.  Only really innocent (read naive) subjects of the U.S. will be
hurt by this, the rest of us *criminals* will live in secure freedom.
de Tocqueville pointed out 150+ years ago that the tyranny of the
majority will be mitigated by the mediocrity of the government.

And given what I see government officials doing where I work (Argonne
National Lab.) the level of stupidity makes Dave S. look smart.

Patience, persistence, truth,		work: dvader@hemp-imi.hep.anl.gov
Dr. mike				home: mrosing@igc.org



Newsgroup: sci.crypt
Document_id: 15857
From: wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705)
Subject: Re: Once tapped, your code is no good any more.

In article <strnlghtC5wHo2.1FK@netcom.com> strnlght@netcom.com (David Sternlight) writes:
   >I wouldn't think so.  Asking people to trust a secret algorithm seems
   >unsound to me.

   Maybe so, but it's quite common. There are millions of Macintosh users who
   have no idea what's in Apple's patented ROMs. Many have modems connected.
   How do you know all your business secrets aren't being stolen? Answer:
   1. Because you trust Apple;
   2. Because if any such attempt, however sophisticated, came out, it would
   destroy Apple's credibility forever.

Then there's also
3) Because it's NOT SECRET.  If I want to, I CAN go look at Apple's
copyrighted ROMs in a Mac, so they're not keeping any secrets.  
You don't even have to pry the top off the chip and use an electron microscope,
you just have to read the data in memory and see if you can figure out what it means.
(Motorola object code isn't all *that* obscure!)  
Yes, it's copyrighted, so I can't go selling copies, or using the copy myself,
but I CAN see it, and disassemble it.

4) They're not asking me to trust their honesty.  They're asking me to
trust the quality of their assembly language programming :-),
but I can see for myself what the performance, price, and crashes/day are.
NSA, an organization not known for its honesty or openness, 
is asking me to trust them with my privacy, but they won't trust me.  Feh!
--
#				Pray for peace;      Bill
# Bill Stewart 1-908-949-0705 wcs@anchor.att.com AT&T Bell Labs 4M312 Holmdel NJ
#	              No, I'm *from* New Jersey, I only *work* in cyberspace....
# White House Comment Line 1-202-456-1111  fax 1-202-456-2461

Newsgroup: sci.crypt
Document_id: 15858
From: rdippold@qualcomm.com (Ron "Asbestos" Dippold)
Subject: Clipper Not Good Enough for Government?

There's been some discussion very recently as to whether the
government once again might exempt themselves from something they use
to screw us over...  Well, from comp.dcom.telecom:

From: lesreeves@attmail.com
Subject: Odds 'n Ends in the News

* The Clipper Chip device introduced yesterday by AT&T may not be
suitable for government use, says House Telecom Subcommittee Chairman
Markey.  In a letter to Commerce Secretary Brown, Markey asked whether
the use of the technology could lead to "inadvertently increased costs
to those U.S. companies hoping to serve both" the government and
private markets.  Markey has ordered Brown to answer several questions
about security and cost concerns by April 28.  (Communications Daily,
4/20/93)
-- 
Show me a guy who's afraid to look bad, and I'll show you a guy you can beat
every time. -- Renee Auberjonois

Newsgroup: sci.crypt
Document_id: 15859
From: wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705)
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks  only

   In article <1993Apr22.223906.25929@lehman.com> pmetzger@snark.shearson.com (Perry E. Metzger) writes:
   >Qualcomm had spare cycles in the DSPs for their new CDMA digital
   >cellular phones. They wanted to put strong crypto into them since they
   >had the capacity. The government decided to "discourage" them.

   You're blowing smoke.  Qualcomm wants to sell to nice, lucrative overseas
   markets like Japan and the EC.  The government told them "don't do encryption
   if you ever hope to export this technology".  The reason that CDMA doesn't
   have encryption is NOT because the G-men came a'knocking at Qualcomm's door.
   It's because Qualcomm doesn't think that the US market for digital cellular
   is big enough for them.  This is just the International Traffic in Arms
   Regulations all over again.

Perry has already stated on the net that Qualcomm wanted to sell overseas, and
the government told them they wouldn't be allowed to export,
so he's only blowing the same smoke you are :-)
Sure, they probably could have made a US version, and a non-crypto
export version, and contracted with a Bulgarian or Japanese software house to
develop an overseas crypto ROM, but that's getting pretty expensive.

   No, Cylink sells their phones because they're willing to make different
   stuff for domestic use vs. export.  Qualcomm isn't.  So Cylink makes
   money--that's capitalism, comrade.

Well, some people like capitalism, and others prefer free enterprise;
they're different!  Using the government to stifle your competition is capitalist.

   >Someone out there WILL build a unit to do all this. Better yet,
   >perhaps someone will produce a package that turns any 486 box with a
   >sound card into a secure phone.
   "Someone" this and "someone" that.  If you think it's so easy, why are
   you whining on the net instead of getting your butt in gear and writing it?

Writing good crypto code is something most good programmers can do;
writing good new crypto algorithms is a very specialized skill.
Developing new voice coding algorithms is also pretty specialized,
but finding ways to implement the more complex ones when you don't
have enough horsepower is still fairly hairy stuff.
Once the 586/Pentium becomes widespread, or the next generation of
sound boards has DSPs on it, I suspect we'll see it happen.
Maybe the vanilla 486+Soundblaster is enough.
--
#				Pray for peace;      Bill
# Bill Stewart 1-908-949-0705 wcs@anchor.att.com AT&T Bell Labs 4M312 Holmdel NJ
#	              No, I'm *from* New Jersey, I only *work* in cyberspace....
# White House Comment Line 1-202-456-1111  fax 1-202-456-2461

Newsgroup: sci.crypt
Document_id: 15860
From: wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705)
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks only

In article <strnlghtC5wJAG.46L@netcom.com> strnlght@netcom.com (David Sternlight) writes:
   Doug Holland claims Tom Clancy has provided the recipe for nuclear bombs.
   Clancy himself says he has omitted certain crucial steps. Further, how do we
   know Clancy knows, rather than repeating what he's read or been told in the
   unclassified domain?

On the other hand, when John Aristotle Phillips was a junior at Princeton
trying to keep from flunking physics by doing a terrific term paper,
his atom bomb design was good enough that it got classified.
A few of the steps were derived from social engineering 
(e.g. the name of the explosive), but it was fundamentally sound (and DID get an A.)
The Pakistan embassy also called him up trying to get a copy;
at the time they were lobbying the US government to get some nuclear
reactors for "purely non-military" electrical power generation.


--
#				Pray for peace;      Bill
# Bill Stewart 1-908-949-0705 wcs@anchor.att.com AT&T Bell Labs 4M312 Holmdel NJ
#	              No, I'm *from* New Jersey, I only *work* in cyberspace....
# White House Comment Line 1-202-456-1111  fax 1-202-456-2461

Newsgroup: sci.crypt
Document_id: 15861
From: tuinstra@signal.ece.clarkson.edu.soe (Dwight Tuinstra)
Subject: Re: Organized Lobbying for Cryptography

In article hcs@transfer.stratus.com, cme@ellisun.sw.stratus.com (Carl Ellison) writes:
>
>To paraphrase, I may not agree with what you're encrypting, but I defend
>your right to encrypt it.
>

Great slogan!  I'm ready to sign up with a crypto-lobbying effort (though
I wouldn't want to do it through an NRA offshoot).  Shall we also push
for the CRA  -- Cryptographic Rights Amendment ??

+========================================================================+
|  dwight tuinstra             best:  tuinstra@sandman.ece.clarkson.edu  |
|                         tolerable:  tuinstrd@craft.camp.clarkson.edu   |
|                                                                        |
|        "Homo sapiens: planetary cancer??  ...  News at six"            |
+========================================================================+

Newsgroup: sci.crypt
Document_id: 15862
From: gtoal@gtoal.com (Graham Toal)
Subject: Let's build software cryptophones for over the internet...

Well, after a lot of trawling through archives, I found the post
I reproduce in full below.  Is it time to get together to develop
a tcp/ip standard for crypto voice that we could then layer on
point-to-point SLIP as *the* free standard for crypto voice like
pgp is for mail?

(PS Note the date of this post.  Appropriate, huh? :-) )

---
From jpcampb@afterlife.ncsc.mil Thu Jul  9 11:50:11 1992
From: jpcampb@afterlife.ncsc.mil (Joe Campbell)
Newsgroups: comp.compression.research
Subject: Re: sound compression algorithms
Date: 4 Jul 92 14:46:04 GMT
Organization: The Great Beyond

In article <1992Jun26.165210.15088@sequent.com> lff@sequent.com (Lou Fernandez) writes:
>The techniques for production systems revolve around Code Excited Linear
>Prediction (CELP) algorithms which capture 20 ms or so of speech and
>attempt to match the speech with a combination of signals from a
>codebook, choosing the combination which minimizes the error....

In case you'd like to experiment with CELP, you can obtain a software
implementation of the 4800 bps Fed Std CELP coder for free:

The U.S. DoD's Federal-Standard-1016 based 4800 bps code excited linear
prediction voice coder version 3.2 (CELP 3.2) Fortran and C simulation source
codes are now available for worldwide distribution at no charge (on DOS
diskettes, but configured to compile on Sun SPARC stations) from:

Bob Fenichel
National Communications System
Washington, D.C.  20305
1-703-692-2124
1-703-746-4960 (fax)

In addition to the source codes, example input and processed speech files
are included along with a technical information bulletin to assist in
implementation of FS-1016 CELP.  (An anonymous ftp site is being considered
for future releases.)

Copies of the actual standard "Federal Standard 1016, Telecommunications:
Analog to Digital Conversion of Radio Voice by 4,800 bit/second Code
Excited Linear Prediction (CELP)" are available for $2.50 each from:

GSA Rm 6654
7th & D St SW
Washington, D.C.  20407
1-202-708-9205

The following articles describe the Federal-Standard-1016 4.8-kbps CELP
coder (it's unnecessary to read more than one):

Campbell, Joseph P. Jr., Thomas E. Tremain and Vanoy C. Welch,
"The Federal Standard 1016 4800 bps CELP Voice Coder," Digital Signal
Processing, Academic Press, 1991, Vol. 1, No. 3, p. 145-155.

Campbell, Joseph P. Jr., Thomas E. Tremain and Vanoy C. Welch,
"The DoD 4.8 kbps Standard (Proposed Federal Standard 1016),"
in Advances in Speech Coding, ed. Atal, Cuperman and Gersho,
Kluwer Academic Publishers, 1991, Chapter 12, p. 121-133.

Campbell, Joseph P. Jr., Thomas E. Tremain and Vanoy C. Welch, "The
Proposed Federal Standard 1016 4800 bps Voice Coder:  CELP," Speech
Technology Magazine, April/May 1990, p. 58-64.

For U.S. FED-STD-1016 (4800 bps CELP) _realtime_ DSP code
and information about products using this code, contact:

John DellaMorte
DSP Software Engineering
165 Middlesex Tpk, Suite 206
Bedford, MA  01730
1-617-275-3733
1-617-275-4323 (fax)
dspse.bedford@channel1.com

DSP Software Engineering's code can run on DSP Research's Tiger 30 board
(a PC board with a TMS320C3x and analog interface suited to development work)
or on Intellibit's AE2000 TMS320C31 based 3" by 2.5" card.

DSP Research                Intellibit
1095 E. Duane Ave.          P.O. Box 9785
Sunnyvale, CA  94086        McLean, VA  22102-0785
(408)773-1042               (703)442-4781
(408)736-3451 (fax)         (703)442-4784 (fax)
-- 
.............................................................................
; Joe Campbell  N3JBC  jpcampb@afterlife.ncsc.mil  74040.305@compuserve.com ;
; My opinions are mine!   Happiness = Reality - Expectations, Click & Clack ;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Newsgroup: sci.crypt
Document_id: 15863
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Suggestions for escrow agencies (was: Re: More technical details)

In article <C5y746.73K@vcd.hp.com> johne@vcd.hp.com (John Eaton) writes:

>That's one problem that has so far been overlooked. These two escrow
>agencies will have to create a secure database and service the
>input and output of Keys. Who pays for this? If they refuse an
>illegal request from some congressman to deliver a key can their
>budget be cut to punish them? Will congress be forced to fund
>them forever?
>

The easiest way is a user fee for each clipper chip manufactured. This makes
the funding separate from government.

It also has the neat side property that if the chip doesn't catch on, the
scheme breaks down, and the government is back to the drawing boards,
assuming that they haven't prohibited alternatives in the meantime.

In fact, maybe this should be part of the "official" system. Before the
government is allowed to move this past the "experimental" stage, they
should have to demonstrate economic viability by mass adoption. The
government is very fond of demonstration projects proving feasibility in the
use of government funds for social programs--they should have to make a
similar feasibility demonstration (on economic viability cum acceptance
terms) for this baby as well. Let's put it to the only vote that counts--a
marketplace vote among those who have to pay for it.

David

-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
Document_id: 15864
From: whitaker@eternity.demon.co.uk (Russell Earl Whitaker)
Subject: MEETING: UK Cryptoprivacy Association

-----BEGIN PGP SIGNED MESSAGE-----

Meeting of the UK Cryptoprivacy Association
-------------------------------------------

Saturday, 8 May 1993, 1500

To be held at the offices of:

  FOREST
  4th floor
  2 Grosvenor Gardens
  London  SW1W 0DH

This is located at the corner of Hobart Place, a couple of
blocks west of Victoria Station, and almost directly across from
the dark green cabbie shelter.

If you have trouble finding the place, please call the office on
071-823-6550.  Or, call me (Russell Whitaker) on my pager,
081-812-2661, and leave an informative message with the
telephone number where you can be reached; I will return the
call almost immediately.

Discussion will range from the usual general topics, such as the
use of secure public key cryptosystems to protect message data, to
specific topics, such as recent moves by the U.S. government
to restrict choice in data privacy (reference recent discussion
on Usenet groups, e.g. sci.crypt and alt.security.pgp).

All are invited.  Particularly welcome are members of the
newly-formed UK CommUnity group ... the local
EFF-in-spirit-if-not-in-name folks.

Those who plan to attend should email me and let me know.
Please.

All attendees are requested to bring diskettes - preferably
MS-DOS - with their PGP 2.+ public keys.  As is usual at these
gatherings, several of us will bring our laptops, and will sign
public keys, subject to the usual caveats (reference the
documentation for PGP 2.2, specifically files PGPDOC1.DOC and
PGPDOC2.DOC).

If you do not already have a copy of PGP 2.2 (MS-DOS), and would
like to have a copy of this public domain program, please bring
a formatted, medium or high density 3.5 inch floppy PC diskette;
you will be provided a copy of the program.

Of course, you might prefer to ftp a version of the program from
one of the various archive sites.  I suggest trying Demon
Internet Systems, which carries the full range of PGP (Phil
Zimmermann's "Pretty Good Privacy") implementations: directory
/pub/pgp at gate.demon.co.uk.

Meetings are of indeterminate time.  Those who are interested
are invited to join the rest of us at a pseudorandomly
determined pub afterwards.

Please note:
------------
In the past few months, interested people have emailed me,
requesting FAQs and special information mailings.  I regret
that, except in very unusual cases (e.g. working press), I
cannot, in a timely manner, respond to these requests.  I will,
however - and for the first time - do a writeup of this meeting,
which I will post in various places.

What I *am* willing to supply is general information on our
activities for the maintainers of existing FAQs, such as that
for alt.privacy.  FAQ maintainers can contact me at
whitaker@eternity.demon.co.uk

Russell Earl Whitaker                   whitaker@eternity.demon.co.uk
Communications Editor                                 AMiX: RWhitaker
EXTROPY: The Journal of Transhumanist Thought
Board member, Extropy Institute (ExI)
================ PGP 2.2 public key available =======================



Newsgroup: sci.crypt
Document_id: 15865
From: strnlght@netcom.com (David Sternlight)
Subject: Re: The [secret] source of that announcement

In article <1993Apr23.110149.29470@cs.aukuni.ac.nz> pgut1@cs.aukuni.ac.nz
(Peter Gutmann) writes:

>
>Something similar has happened to me - ages ago when we were working on PGP
>we used to send short messages about development issues or simply to test 
>new features around.  Now at this time PGP (and certainly the newer version)
>was unknown over here.  Suddenly the admin at the site I was using received
>a request that I stop sending encrypted email.  Now there is almost no way
>that some automatic scanner could have found this, since they wouldn't have
>known about PGP - they *must* have checked for unknown data types in the
>message, tried to unscramble it, found they couldn't get past the PEM
>armour part, and then contacted the sysadmin and asked me to stop.  Luckily
>the current email carriers are less picky about what goes over their
>networks :-).

Is the sending of encrypted traffic without government permission legal in
New Zealand?

David
-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
Document_id: 15866
From: tomw@orac.asd.sgi.com (Tom Weinstein)
Subject: Re: REVISED TECHNICAL SUMMARY OF CLIPPER CHIP

In article <1993Apr21.192615.3465@guvax.acc.georgetown.edu>, denning@guvax.acc.georgetown.edu writes:

> Each chip includes the following components:

>    the Skipjack encryption algorithm
>    F, an 80-bit family key that is common to all chips
>    N, a 30-bit serial number (this length is subject to change)
>    U, an 80-bit secret key that unlocks all messages encrypted with the chip
[ ... ]

> To see how the chip is used, imagine that it is embedded in the AT&T
> telephone security device (as it will be).  Suppose I call someone and
> we both have such a device.  After pushing a button to start a secure
> conversation, my security device will negotiate an 80-bit session key K
> with the device at the other end.  This key negotiation takes place
> without the Clipper Chip.  In general, any method of key exchange can
> be used such as the Diffie-Hellman public-key distribution method.

> Once the session key K is established, the Clipper Chip is used to
> encrypt the conversation or message stream M (digitized voice).  The
> telephone security device feeds K and M into the chip to produce two
> values:

>    E[M; K], the encrypted message stream, and 
>    E[E[K; U] + N; F], a law enforcement field,
[ ... ]

> which are transmitted over the telephone line.  The law enforcement
> field thus contains the session key K encrypted under the unit key U
> concatenated with the serial number N, all encrypted under the family
> key F.  The law enforcement field is decrypted by law enforcement after
> an authorized wiretap has been installed.

One very interesting thing I notice about this is that the only use of
the chip key is to encode the session key for the law enforcement field.
It is not used at all by the encryption algorithm.

It seems like it would be possible to create a device that would be
otherwise compatible, but would send out a bogus law enforcement field.
This might render the device unusable with "normal" devices if there's
some sort of validation involving the law enforcement field, but it
could certainly be used with other such modified devices.

Of course, this is irrelevant if the NSA has a backdoor in the
algorithm, but it does make it possible to defeat the key escrow system.

--
Wilt thou seal up avenues of ill?  Pay every      |   Tom Weinstein
debt, as though God wrote the bill. -- Emerson    |   tomw@orac.esd.sgi.com
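The field structure quoted above, E[E[K; U] + N; F], modelled end to end as an added example (not code from the post or from the Clipper design documents). Skipjack was secret, so a keyed SHA-256 keystream stands in for it (constructed stand-in, not the real cipher); the key sizes follow the summary, and the model shows the point made in the reply: the far-end device decrypts with K alone, so a LEAF that escrow cannot open is invisible to it unless the receiver validates the field.

```python
import hashlib
import os
from typing import Dict, Optional, Tuple

KEY_BYTES = 10      # 80-bit keys K, U and F, as in the summary
SERIAL_BYTES = 4    # 30-bit serial number N, carried in 4 bytes


def stand_in_cipher(key: bytes, data: bytes) -> bytes:
    """Toy keyed stream cipher: SHA-256 counter keystream XOR data.
    A stand-in for Skipjack only; applying it twice restores the input."""
    assert len(key) == KEY_BYTES, "keys are 80 bits in this model"
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def make_leaf(session_key: bytes, unit_key: bytes, serial: int,
              family_key: bytes) -> bytes:
    """Law enforcement field: E[ E[K; U] || N ; F ]."""
    inner = stand_in_cipher(unit_key, session_key)                  # E[K; U]
    n_bytes = (serial & 0x3FFFFFFF).to_bytes(SERIAL_BYTES, "big")   # 30-bit N
    return stand_in_cipher(family_key, inner + n_bytes)             # under F


def chip_encrypt(session_key: bytes, unit_key: bytes, serial: int,
                 family_key: bytes, message: bytes) -> Tuple[bytes, bytes]:
    """What the chip emits: (E[M; K], LEAF).  U and F touch only the LEAF."""
    return (stand_in_cipher(session_key, message),
            make_leaf(session_key, unit_key, serial, family_key))


def peer_decrypt(session_key: bytes, ciphertext: bytes) -> bytes:
    """The receiving device needs only K; it never consults the LEAF."""
    return stand_in_cipher(session_key, ciphertext)


def escrow_recover(leaf: bytes, family_key: bytes,
                   escrow_db: Dict[int, bytes]) -> Optional[bytes]:
    """Wiretap path: open the LEAF with F, read N, fetch the escrowed U for
    that serial and unwrap K.  Returns None when N is not in escrow."""
    inner_and_n = stand_in_cipher(family_key, leaf)
    wrapped_k, n_bytes = inner_and_n[:KEY_BYTES], inner_and_n[KEY_BYTES:]
    unit_key = escrow_db.get(int.from_bytes(n_bytes, "big"))
    if unit_key is None:
        return None
    return stand_in_cipher(unit_key, wrapped_k)


def run_model() -> dict:
    """Constructed scenario: one chip, one escrow database, one call."""
    family_key = bytes.fromhex("000102030405060708ff")   # constructed F
    unit_key = os.urandom(KEY_BYTES)                      # U burned into the chip
    serial = 0x1234567                                    # constructed 30-bit N
    escrow_db = {serial: unit_key}                        # the escrow agencies' copy of U
    session_key = os.urandom(KEY_BYTES)                   # K negotiated outside the chip
    message = b"digitized voice frame (constructed)"

    ciphertext, leaf = chip_encrypt(session_key, unit_key, serial, family_key, message)
    # Normal call: the far end decrypts with K alone.
    peer_plaintext = peer_decrypt(session_key, ciphertext)
    # Authorized tap: escrow reconstructs K from the LEAF, then reads M.
    recovered_k = escrow_recover(leaf, family_key, escrow_db)
    tapped_plaintext = peer_decrypt(recovered_k, ciphertext) if recovered_k else None
    # The reply's observation: an unrelated LEAF changes nothing for the peer,
    # so only a receiver-side check of the field would notice it; escrow gets
    # a serial it does not hold and recovers no key.
    bogus_leaf = os.urandom(KEY_BYTES + SERIAL_BYTES)
    bogus_recovery = escrow_recover(bogus_leaf, family_key, escrow_db)
    return {
        "peer_ok": peer_plaintext == message,
        "tap_ok": tapped_plaintext == message,
        "bogus_leaf_recovers_k": bogus_recovery == session_key,
        "leaf_len": len(leaf),
    }
```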

Newsgroup: sci.crypt
Document_id: 15867
From: amanda@intercon.com (Amanda Walker)
Subject: Re: The [secret] source of that announcement

jebright@magnus.acs.ohio-state.edu (James R Ebright) writes:
> (I assume most of the time these guys sat around the office with their
> thumbs up their ass as there isn't that much stuff coming out of
> Columbus :) 

CompuServe is in Columbus, OH.  So are the corporate headquarters of several 
major insurance companies, the largest private R&D company in the world 
(Battelle Memorial Institute), DCSC (The Defense Construction & Supply 
Center), Ohio State University (one of the three largest US universities), 
OCLC (the Online College Library Center), and so on.  You'd be amazed, 
actually.

Columbus only *looks* like a cow town.


Amanda Walker
InterCon Systems Corporation



Newsgroup: sci.crypt
Document_id: 15868
From: fw@world.std.com (forrest d whitcher)
Subject: SUMMARY: responses / research on oracle password security

My original post was:

>I am building an oracle v6 database to serve as a repository for
>information which is considered proprietary or confidential. As such
>I want to verify the security of oracle passwords and apply some of
>the same security checking techniques we use on our *nix systems.
>Specifically I would like to use Crack, or something like it to check
>the encrypted data for easily guessed passwords.
>
>The use of 'Crack' would depend on oracle using the unix password
>encryption scheme, does anyone know if this is the case, or what
>method is used?
>
>Any other methods for security checking / audit in the oracle
>environment would be much appreciated.

This article will just scratch the surface of a few security
considerations, comments are requested. (email: fw@world.std.com)
My thanks to the people who responded, both on usenet and from
Oracle Corp.

The most common response was to suggest use of oracle audit 
features or OPS$ passwords to control access (opinion on OPS$
included suggestions to use and not use). I was also advised to 
use table views to refine the granularity of access control.

One important security consideration in networked installations
is that OPS$ accounts presume that the client host provides user
authentication. OS/2 server OPS$ users are only as secure as the 
_least_ secure machine on the network. Hence you should probably 
not define any OPS$ accounts on systems with PC's, or limit access 
of OPS$ accounts to data with no security concerns. Unix oracle 
servers provide for disabling OPS$ access over the network (orasrv
option), while relying on host security for local processes. 

Internally Oracle provides powerful and well documented (sic) 
audit mechanisms which the DBA will use to monitor system and
data access. These tools can be used to track the primary security
risks from within the Oracle environment.

Oracle password security is based on a proprietary usage of DES
encryption. Oracle Corp. states that the algorithm is not prone
to cleartext attack. This is a difficult claim to substantiate 
since the algorithm is unknown. The concern here is that users may
choose easily guessed passwords. _If_ a cracker can gain access 
to your oracle database files through the host operating system, 
s/he could extract the 'cyphertext' password data and apply 
cryptanalysis techniques to learn the users' passwords.

As security risks go, the above scenario is pretty low severity.
Certainly once an intruder has access to the raw database files,
s/he can access the data in them. If a cracker _could_ break 
the passwords, however, s/he could do substantial damage without
alerting the auditing mechanisms, leaving an audit trail
which would point to valid users. At present Oracle (like Unix)
provides no native means of ensuring that passwords are not 
guessable. 

As with all computer security, the most important defense is to 
educate users in the safe choice of passwords. These techniques
are well discussed in internet rfc#1281 and the Crack manual, 
(both available from ftp archive servers) and, UNIX(R) System 
Security (Curry, David A. - Addison-Wesley 1992) 



Forrest Whitcher                 fw@world.std.com
Boston Scientific Corp.          Watertown MA
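Since the summary says Oracle's hashing is proprietary and offers no native guessability check, the audit has to happen where passwords are chosen. This added example (not from the post, and not Oracle code) applies Crack-style rules to candidate passwords at that point: username derivation, dictionary words with digits stripped or reversed, digit-only and low-variety strings; the word list, accounts and minimum length are constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed mini word list; a real audit would load a full dictionary
# (the Crack distribution ships several) from disk.
WORD_LIST = {"oracle", "password", "secret", "scott", "tiger", "welcome",
             "manager", "system", "database", "boston"}

MIN_LENGTH = 8  # assumption: a local policy minimum, not an Oracle setting

# Constructed sample accounts, as a DBA might collect them at password-set time.
SAMPLE_ACCOUNTS = {
    "fwhitcher": "Tr0ub4dor&3x",   # no findings expected
    "scott": "tiger",              # short dictionary word
    "admin": "nimda1",             # reversed username plus a digit
    "jsmith": "Secret99",          # dictionary word with digit suffix
    "ops": "11111111",             # digits only, one distinct character
}


def _variants(candidate: str) -> List[str]:
    """Forms a Crack-style run would try against the word list: lowercase,
    leading/trailing digits stripped, and each of those reversed."""
    base = candidate.lower()
    stripped = re.sub(r"^\d+|\d+$", "", base)
    return [base, stripped, base[::-1], stripped[::-1]]


def password_findings(username: str, password: str,
                      words=WORD_LIST) -> List[str]:
    """Return the reasons a password counts as guessable (empty if none)."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if password.isdigit():
        findings.append("digits only")
    if len(set(password.lower())) <= 2:
        findings.append("fewer than three distinct characters")
    user = username.lower()
    if user in password.lower() or user[::-1] in password.lower():
        findings.append("derived from the username")
    for variant in _variants(password):
        if variant in words:
            findings.append(f"dictionary word ({variant!r})")
            break
    return findings


def audit_accounts(accounts: Dict[str, str],
                   words=WORD_LIST) -> Dict[str, List[str]]:
    """Return only the accounts that fail, each with its list of reasons."""
    report = {}
    for user, password in accounts.items():
        findings = password_findings(user, password, words)
        if findings:
            report[user] = findings
    return report


if __name__ == "__main__":
    for user, reasons in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {'; '.join(reasons)}")
```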

Newsgroup: sci.crypt
Document_id: 15869
From: uni@acs.bu.edu (Shaen Bernhardt)
Subject: Re: Once tapped, your code is no good any more.

In article <strnlghtC5wHo2.1FK@netcom.com> strnlght@netcom.com (David Sternlight) writes:
>In article <a_rubin.735496128@dsg4.dse.beckman.com>
>a_rubin@dsg4.dse.beckman.com (Arthur Rubin) writes:
>
>>I wouldn't think so.  Asking people to trust a secret algorithm seems
>>unsound to me.
>
>Maybe so, but it's quite common.

Not when you're talking about cryptography.

>There are millions of Macintosh users who
>have no idea what's in Apple's patented ROMs. Many have modems connected.
>How do you know all your business secrets aren't being stolen? Answer:
>1. Because you trust Apple;

Think again.  You won't see me using apple's new signature from the
finder feature.

>2. Because if any such attempt, however sophisticated, came out, it would
>destroy Apple's credibility forever.

This analogy fails in its assumption that the government gives two
squirts about credibility.


In addition, Apple's proclaimed purpose in releasing the Macintosh wasn't
surveillance.

Quite the opposite:
"On January 24, Apple will introduce.... Macintosh, and you'll see why
1984 won't be, like '1984'"

So don't give me any bullshit analogies about how we trust coke not to
put mind control drugs in every can to get us to buy more.


>In the Clipper case, a representative body of experts is going to be allowed
>to audit it, and we'll have assurances (maybe even from the President) that
>other than the escrowed keys there are no back doors. While some may not
>have confidence in that (I am not among them), it's a lot more assurance
>than we get for many things we routinely trust in everyday life.

One of the reasons we should be all the more suspicious.  When was the
last time the president wasted his time to comfort Americans?
Just another reason to look closely at exactly what's going on.

>David
>-- 
>David Sternlight         Great care has been taken to ensure the accuracy of
>                         our information, errors and omissions excepted.  

uni@acs.bu.edu
-- 
uni@acs.bu.edu  ->  Public Keys by finger and/or request
Public Key Archives: <pgp-public-keys@pgp.iastate.edu> 
Sovereignty is the sign of a brutal past.<>Fight Clinton's Wiretap Chip!
DF610670F2467B99 97DE2B5C3749148C <> Crypto is not a Crime! Ask me how!

Newsgroup: sci.crypt
Document_id: 15870
From: holland@CS.ColoState.EDU (douglas craig holland)
Subject: What would happen if export restrictions violated?


OK, I heard a lot of talk about the NSA's infamous control over encryption
export through the ITAR.  Here's a question.  Say I develop this great new
encryption system, and I want to sell my software worldwide.  The thought
police then come in and say "This algorithm is a threat to national security.
You will not be permitted to export it."  At this point, what kind of trouble
could I get into if I ignored the ITAR and sold my program to international
customers anyway?

Doug Holland

-- 
|  Doug Holland                | Anyone who tries to take away my freedom  |
|  holland@cs.colostate.edu    | of speech will have to pry it from my     |
|  PGP key available by E-mail | cold, dead lips!!                         |

Newsgroup: sci.crypt
Document_id: 15871
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

In article <MJS.93Apr22194125@behemoth.genetics.wisc.edu>
mjs@behemoth.genetics.wisc.edu (Mike Schmelzer) writes:

>
>>>	Let me ask you this.  Would you trust Richard Nixon with your
>>>crypto keys?  I wouldn't.
>
>> I take it you mean President Nixon, not private citizen Nixon. Sure.
>> Nothing I'm doing would be of the slightest interest to President Nixon .
>
>Mr. Sternlight, your naivete and historical ignorance is appalling.
>
>[ History lesson detailing 1968-74 deleted. ]

Nonsense! I wasn't asked if Larry O'Brien should trust Nixon with his keys,
but whether I would.

David
-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
Document_id: 15872
From: strnlght@netcom.com (David Sternlight)
Subject: Re: THE CLIPPER CHIP: A TECHNICAL SUMMARY


Pat Myrto says if law enforcement wants keys, let them get a court order and
then ask him for them.

Most use of probably cause wiretapping warrants isn't to decrypt historical
traffic, but for prospective listening once probably cause is established.
Pat's approach would tip off the crooks.

David
-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
Document_id: 15873
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: A Parable.

scottmi@microsoft.com (Scott Miller (TechCom)) writes:
>Stikes me that all this concern over the government's ability
>to eavesdrop is a little overblown... what can't they do today?
>My understanding is that they already can tap, listen, get access
>exc. to our phone lines, bank records, etc. etc again.

Well, they can't listen in on much of mine, since I already use
cryptography for much of my electronic mail, and will start using it
for my telephony as soon as practical.

However, allow me to tell a parable.

There was once a far away land called Ruritania, and in Ruritania
there was a strange phenomenon -- all the trees that grew in
Ruritania were transparent. Now, in the days when people had lived in
mud huts, this had not been a problem, but now high-tech wood
technology had been developed, and in the new age of wood, everyone in
Ruritania found that their homes were all 100% see through. Now, until
this point, no one ever thought of allowing the police to spy on
someone's home, but the new technology made this tempting. This being
a civilized country, however, warrants were required to use binoculars
and watch someone in their home. The police, taking advantage of this,
would get warrants to use binoculars and peer in to see what was going
on. Occasionally, they would use binoculars without a warrant, but
everyone pretended that this didn't happen.

One day, a smart man invented paint -- and if you painted your house,
suddenly the police couldn't watch all your actions at will. Things
would go back to the way they were in the old age -- completely
private.

Indignant, the state decided to try to require that all homes have
video cameras installed in every nook and cranny. "After all", they
said, "with this new development crime could run rampant. Installing
video cameras doesn't mean that the police get any new capability --
they are just keeping the old one."

A wise man pointed out that citizens were not obligated to make the
lives of the police easy, that the police had survived all through the
mud hut age without being able to watch the citizens at will, and that
Ruritania was a civilized country where not everything that was
expedient was permitted. For instance, in a neighboring country, it
had been discovered that torture was an extremely effective way to
solve crimes. Ruritania had banned this practice in spite of its
expedience. Indeed, "why have warrants at all", he asked, "if we are
interested only in expedience?"

A famous paint technologist, Dorothy Quisling, intervened however. She
noted that people might take photographs of children masturbating
should the new paint technology be widely deployed without safeguards,
and the law was passed.

Soon it was discovered that some citizens would cover their mouths
while speaking to each other, thus preventing the police from reading
their lips through the video cameras. This had to be prevented, the
police said. After all, it was preventing them from conducting their
lawful surveillance. The wise man pointed out that the police had never
before been allowed to listen in on people's homes, but Dorothy
Quisling pointed out that people might use this new invention of
covering their mouths with veils to discuss the kidnapping and
mutilation of children. No one in the legislature wanted to be accused
of being in favor of mutilating children, but then again, no one
wanted to interfere in people's rights to wear what they liked, so a
compromise was reached whereby all homes were installed with
microphones in each room to accompany the video cameras. The wise man
lamented few if any child mutilations had ever been solved by the old
lip reading technology, but it was too late -- the microphones were
installed everywhere.

However, it was discovered that this was insufficient to prevent
citizens from hiding information from the authorities, because some of
them would cleverly speak in languages that the police could not
understand. A new law was proposed to force all citizens to speak at
all times only in Ruritanian, and, for good measure, to require that
they speak clearly and distinctly near the microphones. "After all",
Dorothy Quisling pointed out, "they might be using the opportunity to
speak in private to mask terrorist activities!"  Terrorism struck
terror into everyone's hearts, and they rejoiced at the brilliance of
this new law.

Meanwhile, the wise man talked one evening to his friends on how all
of this was making a sham of the constitution of Ruritania, of which
all Ruritanians were proud. "Why", he asked, "are we obligated to
sacrifice all our freedom and privacy to make the lives of the police
easier? There isn't any real evidence that this makes any big dent in
crime anyway! All it does is make our privacy forfeit to the state!"

However, the wise man made the mistake of saying this, as the law
required, in Ruritanian, clearly and distinctly, and near a
microphone.  Soon, the newly formed Ruritanian Secret Police arrived
and took him off, and got him to confess by torturing him. Torture
was, after all, far more efficient than the old methods, and had been
recently instituted to stop the recent wave of people thinking obscene
thoughts about tomatoes, which Dorothy Quisling noted was one of the
major problems of the new age of plenty and joy.

--
Perry Metzger		pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
Document_id: 15874
From: strnlght@netcom.com (David Sternlight)
Subject: Re: New Encryption Algorithm


Arthur Melnick posts an interesting first-hand message about his NEA
algorithm. Though I have no reason to disbelieve anything he says, I want to
clarify one point:

He says he has no connection with the NSA. If he was part of an "NSA plot",
of course he'd say that.

Now I don't think he is. But the level of some discussion here is of that
sort, and very quickly we reach the point where it's impossible to continue
rationally discussing some issues.

"I am not a crook"

"Well, if you were, of course you'd say that"


or the ever popular favorite:

"Please prove the following negative."

I don't know what to do with such messages, so I have taken to ignoring
them.

Comments?

David
-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
Document_id: 15875
From: strnlght@netcom.com (David Sternlight)
Subject: Re: THE CLIPPER CHIP: A TECHNICAL SUMMARY


For some reason my fingers want to type "probably" cause whenever I want to
say "probable" cause. Sorry for any confusion in the previous message.

David
-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
Document_id: 15876
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Once tapped, your code is no good any more.

In article <116664@bu.edu> uni@acs.bu.edu (Shaen Bernhardt) writes:


>
>So don't give me any bullshit analogies about how we trust coke not to
>put mind control drugs in every can to get us to buy more.

Shhh--coke drinkers haven't found out about Phosphoric Acid yet.

:-)

David
-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
Document_id: 15877
From: eachus@spectre.mitre.org (Robert I. Eachus)
Subject: Re: Can DES code be shipped to Canada?

In article <strnlghtC5wKrt.6JA@netcom.com> strnlght@netcom.com (David Sternlight) writes:

   > I believe it is illegal to send any cryptographic code out of the
   > country without an export license. (Others will correct me if
   > this is inaccurate.)

   Glad to!  You are correct, it is illegal to send cryptographic
code (and lots of other things) out of the country without a license.
HOWEVER, every US citizen has a general export license, allowing
export of lots of things, including constitutionally protected speech.
This has the effect that it is legal for US citizens to export some
things which it is illegal for a US corporation to export without
first obtaining a license.

   > Dunno if you'd get one for the particular code you have; the only
   > way to find out is to apply for a license.

   Nope, talk to a good lawyer in the area of export law.  But, in
general, the government has to have a very good national security case
to try to prevent the export of anything you personally might wish to
publish.  (Yes, I worded that the way I did intentionally.  It is a
lot easier for the government to TRY to prevent the export of
information than to charge someone with a crime after the fact.
Espionage is probably the only exception.)

   > Note that you need to distinguish between what is legal to send
   > to Canada if YOU have such a license, and what is legal to send
   > if you don't.

    If you are a US citizen, you have a general license.  (I am not a
lawyer, so take some of this with a grain of salt.  However, I have
also had to swim through both ITAR and export regs in a few cases.)

--

					Robert I. Eachus

with Standard_Disclaimer;
use  Standard_Disclaimer;
function Message (Text: in Clever_Ideas) return Better_Ideas is...

Newsgroup: sci.crypt
Document_id: 15878
From: pvr@wang.com ()
Subject: Crypto File System reference?

   A while ago there was a reference to a paper on a crypto file
system (CFS) given by someone at AT&T (?).   How can I
get a copy?   Is it available on the net?   Was it published?
Who was the author?

   Thanks
   
--
-->>>>>>>>>> Peter Reilley ..... pvr@wiis.wang.com ..... KA1LAT <<<<<<<<<<<--
                     Well, that about says it.

Newsgroup: sci.crypt
Document_id: 15879
From: andersom@spot.Colorado.EDU (Marc Anderson)
Subject: Re: **Sorry folks** (read this)

In article <C5w9qw.5pB@acsu.buffalo.edu> mckee@cs.Buffalo.EDU (Douglas McKee) writes:
>In article <1993Apr22.014646.28445@ucsu.Colorado.EDU>, andersom@spot.Colorado.EDU (Marc Anderson) writes:
>|> In article <1993Apr21.001707.9999@ucsu.Colorado.EDU> andersom@spot.Colorado.EDU (Marc Anderson) writes:
>|> [...]
>|> >(the date I have for this is 1-26-93)
[...]
>|> >        WASHINGTON (UPI) -- The War on Drugs is about to get a fresh
[...]
>|> I just found out from my source that this article was a joke.  Heh heh..  
>|> It seemed pretty damn convincing to me from the start -- I just didn't
>|> notice the smiley at the end of the article, and there were a few other
>|> hints which I should have caught.
>
>Well, isn't this just a hoot! :)  All I read on this group is a bunch
>of ppl fearing the misuses of information by the big bad evil govt.
>This just happens to be a case of an ordinary-joe-netter, who decided
>that he would create and/or distribute some misinformation.  Ppl buy
>into BS posts like this (I know, because I forwarded a copy of the
>post to my office mate, who turned around and was (although he won't
>admit it...sorry Joe!) ready to get in a fight about F-O-R-F-E-I-T-U-R-E!!!)
>Please, if we're going to hold our govt (which admittedly has had and
>still has its problems) to high standards, then mustn't we follow these
>too?  Electronic Freedoms only go so far.

Again -- I'm extremely sorry about this..  I got this message several 
months ago (quite a bit before the clipper chip proposal) when it was posted
to a different newsgroup.  It was very startling to me as well, and I guess
I should have verified the source at least to some extent before reposting..

Aaack..  

-marc

Newsgroup: sci.crypt
Document_id: 15880
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks only

jfc@athena.mit.edu (John F Carr) writes:
>	pmetzger@snark.shearson.com (Perry E. Metzger) writes:
>>Well, I'm not a lawyer, but from what I can tell this is completely
>>and utterly untrue.
>
>>The U.S. does NOT have an official secrets act. We do have laws that
>>will punish you for revealing what classified information you learned
>>in your capacity as a government official, contractor, etc, and we
>>have laws that prohibit stealing such information. However, if they
>>sell you the chip, I can't see that they can make reverse engineering
>>it and revealing the details illegal.
>
>In most cases information you come by properly is yours to use as you wish,
>but there are certainly exceptions.  If you write a paper which includes
>sufficiently detailed information on how to build a nuclear weapon, it is
>classified.  As I understand the law, nuclear weapons design is
>_automatically_ classified even if you do the work yourself.  I believe you
>are then not allowed to read your own paper.

Oh? What about the precedent in which nuclear weapons information was
published in "The Progressive"? I was under the impression that the
court held that prior restraint could NOT be used. Any lawyers out
there?

--
Perry Metzger		pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
Document_id: 15881
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: Is this overreaction?

jhan@debra.dgbt.doc.ca (Jerry Han) writes:
>As one of the happily sleeping people, I would just like to ask this->
>aren't people just slightly overreacting to this?  Or are we all of a
>sudden going to draw parallels to Nazi Germany and Communist Russia?
>
>The point of the matter is that; yes this is a serious problem.  But it is
>not the end of the world.  Guess what?  We're doing something now you
>can't do in a Communist country or Nazi Germany.  We're complaining about
>it, (or rather, you're complaining about it) and nobody is shooting at us.  

We would like to keep it that way. That's the point. By reacting
strongly and forcefully now, we will assure that we continue to remain
free. You cannot overreact to a threat like this. The worst that
happens if we overreact is that we waste time and effort. The worst that
happens if we underreact is tyranny. I prefer overreaction myself.

>GUESS WHAT PEOPLE?  You live in one of the few countries in the world
>where a person can complain without getting shot at.  

Doesn't that tell you how precious and hard to maintain freedom is?

Only through centuries of overreaction have we managed to maintain
ourselves in this state of even moderate freedom. I suggest that
overreacting now and in the future is a good thing.

--
Perry Metzger		pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
Document_id: 15882
From: C445585@mizzou1.missouri.edu (John Kelsey)
Subject: How to make the Clipper chip and wiretapping less bad

   I've got an idea that would remove most of the political complaints
I have about the Clipper chip.  Pass a law stating that if, within a
year of performing a wiretap on someone, a police agency hasn't
managed to convict the suspect of the crime the warrant/wiretap was for,
then that agency owes the suspect $1 million to repay him/her for
lost privacy.
   Of course, there are *still* problems with the technical aspects of
Clipper, and with the one-size-fits-all mentality that would be behind
an attempt to enforce it as a standard.  But this would be a way for
those in favor of allowing continued wiretaps to assure us that it will
only be used in cases where the crime is important and the police are
all but certain that there really will be a conviction....
 
   --John Kelsey

Newsgroup: sci.crypt
Document_id: 15883
From: niteowl@stein2.u.washington.edu (Jamie Jamison)
Subject: Re: Wiretapping reality today

strnlght@netcom.com (David Sternlight) writes:


>Some of the messages here seem to reflect the view that the government is
>listening in on everything and one will have to hide one's clipper messages
>somehow if non-escrowed crypto goes away.

>A little perspective might be in order.

>The number of court ordered wire taps is pretty low. Law enforcement has to
>present pretty good evidence to get even that limited number of
>authorizations.

>Thus the overwhelming majority of conversations are neither tapped nor
>recorded by the government, and for that to happen they have to:
>a) Have a pretty good reason, with evidence;
>b) Use this sparingly on highest priority "pretty good reasons."

>Though the system may be imperfect, it is a long way from the horror stories
>some here seem to believe or anticipate.

>-- 
>David Sternlight         Great care has been taken to ensure the accuracy of
>                         our information, errors and omissions excepted.  

	Again we have the trust in government problem here. Members of 
Mr. Sternlight's generation trust the government to a degree which
members of my generation find ridiculous. I would suggest that Mr. Sternlight
read about the COINTELPRO program, or about J. Edgar Hoover, or about
the wire-tapping of Martin Luther King, then, after he has digested this
information he can ponder the fact that while the government does not
tap every conversation that they have a record of tapping many conversations
that they have no right to, even under their own laws. Given the long
history of members of the US government ignoring the laws that apply
to them, it is no wonder that so many people in here sound so paranoid, and
given the fact that it is often difficult or impossible to punish these
individuals once they are discovered, it is no wonder that so many people
in here have so little faith in the escrow proposal for Clipper.




Jamie Jamison

Newsgroup: sci.crypt
Document_id: 15884
From: burt@chirality.rsa.com (Burt Kaliski)
Subject: Pseudocollisions in MD5

Following is a short note commenting on den Boer and Bosselaers'
recent work on the MD5 message-digest algorithm. Feel free to email
questions or further comments.

-- Burt Kaliski
RSA Laboratories
----------------------------------------------------------------------
\documentstyle[12pt]{article}
\begin{document}

\title{On ``Pseudocollisions'' in the MD5 Message-Digest Algorithm}
\author{Burton S. Kaliski Jr. \\
{\tt burt@rsa.com} \and
Matthew J.B. Robshaw \\
{\tt matt@rsa.com} \and
RSA Laboratories \\
100 Marine Parkway \\
Redwood City, CA  94065}
\date{April 23, 1993}

\maketitle

A message-digest algorithm maps a message of arbitrary length to a
``digest'' of fixed length, and has three properties: Computing the
digest is easy, finding a message with a given
digest---``inversion''---is hard, and finding two messages with the
same digest---``collision''---is also hard. Message-digest algorithms
have many applications, including digital signatures and message
authentication.

RSA Data Security's MD5 message-digest algorithm, developed by Ron
Rivest \cite{rfc-md5}, maps a message to a 128-bit message digest.
Computing the digest of a one-megabyte message takes as little as a
second.  While no message-digest algorithm can yet be {\em proved}
secure, MD5 is believed to be at least as good as any other that maps
to a 128-bit digest.  Inversion should take about $2^{128}$
operations, and collision should take about $2^{64}$ operations.  No
one has found a faster approach to inversion or collision.

Recent work by den Boer and Bosselaers \cite{den-boer-md5} presents
a special kind of ``pseudocollision'' in MD5's
internal compression function, which maps
a 512-bit message block $x$ and a
128-bit input state $s$ to a 128-bit output
state. They show how to find a message block $x$
and two related input states $s_1$ and $s_2$ that yield the same
output state: $f(x,s_1)$ = $f(x,s_2)$. Their well-thought-out approach
exploits structural properties of the collision function to find 
a pseudocollision in about $2^{16}$ operations, much less than one
would expect.

Practical implications of this pseudocollision work to the security of
MD5 are not evident. While a real collision in MD5 implies a
pseudocollision (or a ``pseudo-inversion''), a
pseudocollision need not imply a real collision. Indeed, a real
collision, since it involves two different messages, would almost
always involve {\em different} message blocks $x_1$ and $x_2$ such that
$f(x_1,s_1) = f(x_2,s_2)$, but the pseudocollisions have the same
message blocks. Moreover, the input states $s_1$ and $s_2$ would
generally be unrelated, but the pseudocollisions' input states are
the same except for four bits.  There does not seem to be any way to
extend den Boer and Bosselaers' approach to anything beyond the
special pseudocollisions, a limitation they readily admit.

It is reasonable, therefore, to believe that MD5 remains secure. While den
Boer and Bosselaers have found interesting structural properties in
MD5, the properties seem only to lead to special pseudocollisions
and not anything approaching real collisions. Further research, of
course, will give a better understanding of the strengths of MD5 and
other message-digest algorithms, with the eventual hope that
such algorithms can, in some sense, be proved secure.

\bibliographystyle{plain}
\begin{thebibliography}{1}

\bibitem{den-boer-md5}
Bert den~Boer and Antoon Bosselaers.
\newblock Collisions for the compression function of {MD5}.
\newblock In {\it Advances in Cryptology --- Eurocrypt '93}, 1993.
\newblock Preprint.

\bibitem{rfc-md5}
R.L. Rivest.
\newblock {\it {RFC} 1321: The {MD5 Message-Digest Algorithm}}.
\newblock Internet Activities Board, April 1992.

\end{thebibliography}

\end{document}
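The compression function the note above describes, as an added example
that is not part of Kaliski and Robshaw's note or of any RSA code: a
from-scratch MD5 in Python following RFC 1321 that exposes f(x, s)
directly, checks the full hash against Python's hashlib, and reports
whether two input states collide under one 512-bit block.  It does not
reproduce den Boer and Bosselaers' 2^16 search; the four-bit state
difference used in the demo is an arbitrary choice for illustration
(which four bits their attack uses is not stated above), and a random
block is not expected to produce a pseudocollision.

```python
import hashlib
import math
import struct

MASK = 0xFFFFFFFF

# Per-step left-rotation amounts and additive constants, RFC 1321.
S = ([7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 +
     [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4)
K = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK for i in range(64)]

# Standard MD5 initial state (the "IV" of the Merkle-Damgard chain).
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def compress(block, state):
    """f(x, s): 512-bit block x and 128-bit state s -> 128-bit state."""
    if len(block) != 64:
        raise ValueError("block must be exactly 64 bytes")
    M = struct.unpack("<16I", block)
    a, b, c, d = state
    for i in range(64):
        if i < 16:
            F, g = (b & c) | (~b & d), i
        elif i < 32:
            F, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            F, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            F, g = c ^ (b | ~d), (7 * i) % 16
        F = (F + a + K[i] + M[g]) & MASK
        a, d, c, b = d, c, b, (b + _rotl(F, S[i])) & MASK
    # Davies-Meyer feed-forward: add the input state to the output.
    return tuple((x + y) & MASK for x, y in zip(state, (a, b, c, d)))


def pad(msg):
    """MD5 padding: 0x80, zeros to 56 mod 64, then the bit length (LE)."""
    bit_len = len(msg) * 8
    msg += b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    return msg + struct.pack("<Q", bit_len)


def md5(msg):
    """Full MD5: chain compress() over the padded message from IV."""
    state = IV
    padded = pad(msg)
    for off in range(0, len(padded), 64):
        state = compress(padded[off:off + 64], state)
    return struct.pack("<4I", *state)


def matches_hashlib(msg):
    """Cross-check this implementation against the library MD5."""
    return md5(msg) == hashlib.md5(msg).digest()


def state_diff_bits(s1, s2):
    """Hamming distance between two 128-bit states."""
    return sum(bin(x ^ y).count("1") for x, y in zip(s1, s2))


def is_pseudocollision(block, s1, s2):
    """True iff s1 != s2 but f(block, s1) == f(block, s2)."""
    return s1 != s2 and compress(block, s1) == compress(block, s2)


if __name__ == "__main__":
    import os
    block = os.urandom(64)  # constructed: an arbitrary message block
    s1 = IV
    # Constructed four-bit difference: top bit of each state word.
    s2 = tuple(w ^ 0x80000000 for w in IV)
    print("md5 matches hashlib:", matches_hashlib(b"The quick brown fox"))
    print("states differ in", state_diff_bits(s1, s2), "bits")
    print("pseudocollision for this block:", is_pseudocollision(block, s1, s2))
```

The chaining in md5() is the reason a pseudocollision is weaker than a
real collision: an attacker who wants two different messages to hash
alike must reach the colliding input states through earlier blocks,
whereas a pseudocollision lets the attacker pick both states freely.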

Newsgroup: sci.crypt
Document_id: 15885
From: wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705)
Subject: Re: Suggestions for escrow agencies (was: Re: More technical details)

In article <strnlghtC5yBKA.Dp5@netcom.com> strnlght@netcom.com (David Sternlight) 
brings up the issue of how the escrow agent will be paid, and the fact
that the government had financial leverage if they don't cooperate.
It's an important issue, especially if one of the escrow agents
decides they'd rather stop offering the service. 
I assume that if the escrow agent isn't the government,
then the contract for providing escrow service would include some
termination clause like returning the keys.

>   The easiest way is a user fee for each clipper chip manufactured. 
>   This makes the funding separate from government.

But who's the user paying the fees here, and what's the service?  
If the user is the government, then the funding's not separate from the government.

If the user is the buyer, what's the service?  
Keeping the key for me?  No thanks - I don't need, and won't buy their service!
Not telling everybody my key?  Sounds like blackmail!

If the user is the manufacturer, does the user have a choice about buying?
The alternative is to just generate the key and not escrow it, which is fine -
I'd certainly pay more for this kind of key than an escrowed key!

Face it, the escrow provider is providing a service the users don't want.
The only people who want it are the government, not the users.
What you're really talking about is either the government paying for
the service, up front or per-year, either from general taxes,
or from a special direct tax on wiretap chips, or on an indirect tax
(forcing the manufacturer to pay the fee to the escrow agent.)

I hope the escrow people have no way of finding out your name from
your serial number, especially if the escrow is a government agency.

Here in New Jersey, we have lots of people willing to provide that
sort of services for user fees.  There are people willing to keep your
store from burning down for a small monthly fee, though sometimes people
refuse to pay and discover that the service really was effective.
If you go to a baseball game at Yankee Stadium, there are people who
will watch your car in the parking lot for a small user fee.
Something could scratch the paint, after all.
And what a shame if your Clipper key got out!
--
#				Pray for peace;      Bill
# Bill Stewart 1-908-949-0705 wcs@anchor.att.com AT&T Bell Labs 4M312 Holmdel NJ
#	              No, I'm *from* New Jersey, I only *work* in cyberspace....
# White House Comment Line 1-202-456-1111  fax 1-202-456-2461

Newsgroup: sci.crypt
Document_id: 15886
From: koontzd@phobos.lrmsc.loral.com (David Koontz )
Subject: Re: How to make the Clipper chip and wiretapping less bad

What is the reason for the push on clipper?

Two days after the lead story here in the Mercury Times (murky news)
there was another article on industrial espionage by the french.

Someone had said what can it hurt to allow the government to have
continued access to our communications, they already have it.  The
problem is that, yes they do have access, and probably more than
we realize.  The government wants exclusive access to communications
intercept here in the united states, cutting out other access detrimental
to the national security (tm).

I also doubt that a certain 3-letter agency, that originated the encryption
algorithm and the chip designs needs to have anything to do with the 
escrow system to continue their intercept effort.  

Better yet, who owns the company doing the programming?


Newsgroup: sci.crypt
Document_id: 15887
From: sean@sdg.dra.com
Subject: Re: Fighting the Clipper Initiative

In article <he1pb02@rhyolite.wpd.sgi.com>, vjs@rhyolite.wpd.sgi.com (Vernon Schryver) writes:
> In article <strnlghtC5toC6.KIu@netcom.com>, strnlght@netcom.com (David Sternlight) writes:
>>              Even the Department of Agriculture has successfully kept crop
>> forecasts from leaking prematurely.
> 
> Sheesh!  Remember the big scandal a year or two (or 3?) ago about
> exactly such leaks?

My choice for the escrow house would be the Smithsonian, and someplace on
the west coast.  My biggest concern isn't that the escrow house could
be compromised (it will be), but the fact it has been compromised will
be kept secret.  

The keys could be kept under glass, with 24-hour C-SPAN coverage.  If you
thought your key had been stolen just turn on the cable, and wait until
the roving camera reaches the museum case with your key.  Or if you think the
C-SPAN satellite has been compromised, take a tour of the Smithsonian
yourself, and view the seal on your key.

-- 
Sean Donelan, Data Research Associates, Inc, St. Louis, MO
Domain: sean@sdg.dra.com, Voice: (Work) +1 314-432-1100

Newsgroup: sci.crypt
Document_id: 15888
From: wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705)
Subject: Re: What would happen if export restrictions violated?

In article <Apr23.215306.83257@yuma.ACNS.ColoState.EDU> holland@CS.ColoState.EDU (douglas craig holland) writes:
   OK, I heard a lot of talk about the NSA's infamous control over encryption
   export through the ITAR.  Here's a question.  Say I develop this great new
   encryption system, and I want to sell my software worldwide.  The thought
   police then come in and say "This algorithm is a threat to national security.
   You will not be permitted to export it."  At this point, what kind of trouble
   could I get into if I ignored the ITAR and sold my program to international
   customers anyway?

First of all, it's not the thought police, it's the export police.
If you move overseas with your great thoughts in your head, write the software there,
and then sell it, the US Thought Police probably can't do too much about it,
though you might want to check with your lawyer first.

However, if you write the program here, and sell it to furriners,
you are now an international arms dealer and can get thrown in the
clink for *many* years, especially if they decide you'd be a good example,
and Cuban Drug Dealers and Fanatic Middle Eastern Terrorists buy your stuff.

(Definitions of "public domain" are different for ITAR purposes, so if
you've got a good enough lawyer who'll do your case for free after
they've confiscated everything you own as evidence, you might win.
But nobody wants to go first, since the stakes are _quite_ high.)
--
#				Pray for peace;      Bill
# Bill Stewart 1-908-949-0705 wcs@anchor.att.com AT&T Bell Labs 4M312 Holmdel NJ
#	              No, I'm *from* New Jersey, I only *work* in cyberspace....
# White House Comment Line 1-202-456-1111  fax 1-202-456-2461

Newsgroup: sci.crypt
Document_id: 15889
From: amolitor@nmsu.edu (Andrew Molitor)
Subject: Re: New Encryption Algorithm

In article <artmel.735538777@well.sf.ca.us>
	artmel@well.sf.ca.us (Arthur Melnick) writes:
>     We are strongly opposed to the clipper/capstone chips.  In a
>press release today, our president, Dr. Stephen Bryen stated:
>
>          "It seems as if the government has an unlimited source
>     of funds to use to push its new bugged chips on the American
>     Public.  But do we not understand how the National Security
>     Agency, which is not supposed to be involved in domestic
>     spying, can fund the development of a commercial chip
>     intended to accommodate U.S. government domestic spying
>     activities."
>

	Well, actually, this one's easy. It's their job. The NSA is
supposed to develop cryptosystems. If the government chooses to go
ahead and sell those cryptosystems to the masses, so be it.

	This sounds a lot like slamming the competition, not a cry
for justice. These guys are way out on a limb, if I read that right.
They've committed their new algorithm to silicon before it's been
made public. What are they gonna do if Shamir writes a paper showing
how to crack the entire class of algorithms in 5 minutes with a slide
rule and a pencil?

	If they weren't busy throwing muck to smear their competitors,
I'd feel kinda sorry for 'em. Still do, a little.

	Andrew


Newsgroup: sci.crypt
Document_id: 15890
From:  (Jamie Lawrence)
Subject: Re: Once tapped, your code is no good any more.

In article <1993Apr21.222016.18990@leland.Stanford.EDU>, arc@leland.Stanford.EDU (Andrew Richard Conway) writes:
> I must protest your "...in a Communist country". How do you know?
> There haven't been any, and are unlikely to ever be any. In some Socialist
> dictatorships, you can't, whilst in some socialist democracies
> (such as France or Australia)
> you can. Of course, some people may disagree about France & Australia being
> socialist...
> 
> >it, (or rather, you're complaining about it) and nobody is shooting at us.  
> 
> Yet.
> 
> >GUESS WHAT PEOPLE?  You live in one of the few countries in the world
> >where a person can complain without getting shot at.  
> 
> In some circumstances. I was at a public meeting last night (in the USA), where
> a protester, who was very nice and calm, and just said before the
> speaker started to beware of his opinions, was forced out of the meeting by
> two armed policemen.
> 
> There are a lot of things that one cannot do in the USA. You may not
> notice them, but as an Australian visitor, I notice them.
> 
> 
> Of course don't over react --- but don't under react.
> 
Thank you Andrew.  Not only for the firm rebuttal, but for understanding the 
difference between communism and socialism (even though this is off topic).
Why do people just not understand that just because all those pretty songs about
the land of the free and so on sound nice, that they may not be true?
Take off those rose colored glasses and get a clue (to use two of the better 
cliches around)
thank you again
jamie

Newsgroup: sci.crypt
Document_id: 15891
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: Let's build software cryptophones for over the internet...

I forwarded an old posting about CELP speech compression:

	In case you'd like to experiment with CELP, you can obtain a software
	implementation of the 4800 bps Fed Std CELP coder for free:

	The U.S. DoD's Federal-Standard-1016 based 4800 bps code excited linear
	prediction voice coder version 3.2 (CELP 3.2) Fortran and C simulation source
	codes are now available for worldwide distribution at no charge (on DOS
	diskettes, but configured to compile on Sun SPARC stations) from:

I've since been told that the source of this is on cygnus.com
in /pub/celp.speech.tar.Z

I'm not in a position to; any Sun tcp/ip gurus out there who think they
can marry this with netfone by the end of the week? ;-)  Seriously.  I
think someone with real net access and two sparcs could have this running
by the end of the week.  Then we ask the pgp guys to add a bytestream
crypto filter.  Two weeks at the most.  [Damn, I wish I had my sparc
back... I'm stuck on a 25mhz 386sx]


Share and Enjoy!

G
PS  You'll have to use archie to find netfone - I have a copy but no note
of where it's from; author in the docs is kelvin@autodesk.com and he
appears to be located in France

Newsgroup: sci.crypt
Document_id: 15892
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: Do we need the clipper for cheap security?

: From: caronni@nessie.cs.id.ethz.ch (Germano Caronni)

: In article <9304201003.AA05465@pizzabox.demon.co.uk> gtoal@gtoal.com (Graham Toal) writes:
: >Can someone tell me if hardware compression is or is not needed to run
: >digital speech down 14.4K?  I think it is; I've heard it's not.  Lets
: >say 8 bit samples.  Would *raw* data at the corresponding sampling rate
: >be usable?  If not, how fancy does the compression need to be?

: As far as I know ISDN (call it Swissnet here, and it's being plugged in) it's
: 8 bit 8000Hz (gives you one channel of 64kBit/sec) I guess you should not go
: below a sampling rate of 6000 Hz if you want to have same quality as on an
: analog-line. Anybody knows compression-algorithms & -factors for voice ?

I've posted some info on CELP coding on sci.crypt.  Looks like you can
squeeze speech into 4000bps if you have a fast enough computer like a
sparcstation (or a Newton with the Acorn Risc Machine in it :-) )

This drops the bandwidth to so low a figure that it's feasible to run
speech over tcp/ip running on top of slip down a v32bis modem.  Not only
will this let us run point to point encrypted speech, it'll let us
run speech internationally over the internet if no-one stops us by
getting *very* heavy about regulations.  The thought of this, if the
administration realised, would probably scare them shitless.

Now of course the trick is to develop and define a standard protocol
for internet speech *damn fast*, allowing anyone who feels brave to
implement custom handheld hardware as well as us hacking it on our
workstations.  Shouldn't be too difficult.  The CELP stuff is standardised,
we use tcp/ip streams, and a protocol allowing silences to be used to
catch up on any net lag, and also to avoid sending any data during
silences (ie it's not wise to be synchronised real-time on each end
because any net delays would add up to big voice-lags)

As for me, I'm going to press ahead on trying this stuff as soon as
I get my sparc back from being loaned out and buy the necessary microphone.
It'll save me a fortune in calling my friend in texas every night :)
(whether encrypted or not)

You know, surely *someone* is working on this.  Who?  It's so obvious,
why doesn't it exist already?  I've only seen netphone for Suns and
it didn't do the CELP compression so was restricted to ether connections.

G

Newsgroup: sci.crypt
Document_id: 15893
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: Would "clipper" make a good cover for other encryption method?

: From: brad@optilink.COM (Brad Yearwood)

: Assume in this case the usual canard-adversary of narcotraficantes.  They
: probably have more cash than the KGB did, and they're probably more generous
: at handing it out.  It will be easier than ever to find or cultivate Walkers
: and Pollards for the keys, and it will be easy enough to find someone to
: reverse-engineer the chip (unless the tamper proofing is damned clever and
: effective).

If the administration *really* believes big-time drug dealers are the threat
(personally I thought it was the CIA and the air force that did all the real
drug shipping :-) ) then they *ought* to take this seriously: unlike the
KGB, drug dealers can make a most convincing argument for cooperation: "help
us and we'll be nice and give you some money, don't help us and we'll start
cutting off your favourite body parts"

After all, it was probably an argument like that that persuaded Jack Ruby to
shoot Oswald in full view of the police.  Life in jail probably seems much
more preferable to most people than several weeks of something nasty
followed by no life at all...

G

Newsgroup: sci.crypt
Document_id: 15894
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: Off the shelf cheap DES keyseach machine (Was: Re: Corporate acceptance of the wiretap chip)

: At the company I worked for previously, I received a file that was DES encrypted
: and the person that had sent it went on vacation.  Rather than wait two weeks
: I set up a straight frontal attack with one key at a time.  It only took two(2)
: days to crack the file.  No, I don't have any faith in DES.

: A.G.

Fun!  Three questions:

1) What hardware did you use?
2) When you found the key, was there anything about it that was special
   that meant you had been lucky to find it early? (Like the first 30 bits
   all being 0)
3) ... or did you mean a dictionary attack rather than a binary key attack?

G

Newsgroup: sci.crypt
Document_id: 15895
From: cramer@optilink.COM (Clayton Cramer)
Subject: Re: The Escrow Database.

In article <strnlghtC5t3K6.InF@netcom.com>, strnlght@netcom.com (David Sternlight) writes:
> In article <tcmayC5rs6n.Lz8@netcom.com> tcmay@netcom.com (Timothy C. May) writes:
> >After the Waco Massacre and the Big Brother Wiretap Chip, any tactic
> >is fair.
> 
> This is pernicious nonsense!
> 
> David Sternlight         Great care has been taken to ensure the accuracy of

Since the FBI's account of what happened is being contradicted on an
increasingly frequent basis by other officials investigating the
fire, the most pernicious idea of all is believing that Big Brother
is going to be well-behaved with respect to cryptographic keys.

In light of the very serious allegations with respect to the DOJ
selling software to various other intelligence services, what do
you suppose the chances are of some future DOJ selling escrowed
keys to business firms?

Trusting the government to be honest and fair is putting the 
fox in charge of protecting the chickens.


-- 
Clayton E. Cramer {uunet,pyramid}!optilink!cramer  My opinions, all mine!
Relations between people to be by mutual consent, or not at all.

Newsgroup: sci.crypt
Document_id: 15896
From: Grant@DOCKMASTER.NCSC.MIL (Lynn R Grant)
Subject: Re: Once they get your keys....

About 50 people so far have asked, "Once the FBI gets your Clipper keys,
won't they be able to read all your future and past traffic?"

There has been no response from NIST, NSA, Ms. Denning, Mr. Hellman, or
anyone else who might be able to give us an authoritative answer.
This is troubling.

Didn't NSA think about this?  Or is it a feature, and they thought we
wouldn't notice?

I would have thought that by now they would have responded with something
of the form, "Well, that won't be a problem because ...."

Very curious.

Lynn Grant

Newsgroup: sci.crypt
Document_id: 15897
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Wiretapping reality today

In article <1r9vouINN2tv@shelley.u.washington.edu> niteowl@stein2.u.washington.edu (Jamie Jamison) writes:


>	Again we have the trust in government problem here. Members of 
>Mr. Sternlight's generation trust the government to a degree which
>members of my generation find ridiculous. I would suggest that Mr. Sternlight
>read about the COINTELPRO program, or about J. Edgar Hoover, or about

You should read the history. It was Hoover who stopped Nixon's COINTELPRO
dead in its tracks because he said it was unconstitutional. They tried to
get around him every way they could.

Despite other things he may have done, for this alone, Hoover saved the
Constitution.

David

-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
Document_id: 15898
From: ed@titipu.resun.com (Edward Reid)
Subject: Re: Once tapped, PLEASE RESTRICT YOUR FOLLOWUPS

However valuable, this discussion does NOT belong on comp.org.acm or on
comp.org.ieee.  Please edit your followups to include only the appropriate
newsgroups.

--
Edward Reid  Greensboro FL   ed@titipu.resun.com  or  nosc!blkhole!ed
  (looking for programming contracts, especially Unisys A-Series)

Newsgroup: sci.crypt
Document_id: 15899
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Once they get your keys....

In article <930424031634.176183@DOCKMASTER.NCSC.MIL> Grant@DOCKMASTER.NCSC.MIL (Lynn R Grant) writes:

>About 50 people so far have asked, "Once the FBI gets your Clipper keys,
>won't they be able to read all your future and past traffic?"
>
>There has been no response from NIST, NSA, Ms. Denning, Mr. Hellman, or
>anyone else who might be able to give us an authoritative answer.
>This is troubling.

The proposal could be modified so that if they get a court order to tap you
and don't charge you with a crime within, say, 90 days, they have to buy you
a new phone.

If they do charge you, and you are found innocent, they have to buy you a
new phone.

:-)

David

-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
Document_id: 15900
From: schneier@chinet.chi.il.us (Bruce Schneier)
Subject: Re: Crypto papers on the net.

In article <16BB91429.C445585@mizzou1.missouri.edu> C445585@mizzou1.missouri.edu (John Kelsey) writes:
>   I've recently been reading a paper of Merkle's (published only on the
>net, I think) discussing three potential replacements for DES.  Was
>anything ever done with these?  Are Khufu, Khafre, and/or Snefru still
>being discussed anywhere?  (I know Snefru is referenced in the RSA
>FAQ, and I think it may also be in the sci.crypt FAQ.)
>   On a related topic, can anyone point me toward good sites to find
>papers/articles/discussions of cryptology?  I think I've about exhausted
>the Math/Sci library here, which doesn't seem to have anything more recent
>than about '84.
> 
>   Thanks.
> 
>   --John Kelsey

Khufu and Khafre are both patented (#5003597).  Biham and Shamir showed
that differential cryptanalysis can break 16-round Khafre with a chosen-
plaintext attack using 1500 different encryptions.  Khafre with 24 rounds
can be broken with the same attack using 2^53 different encryptions.
(There are probably more efficient differential cryptanalytic attacks, if
someone wants to take the time to look.)

Khufu has key-dependent S-boxes, and is immune to differential cryptanalysis.
Source code for this algorithm (and Khafre) are in the patent.

Snefru is a public-domain one-way hash function.  The version of Snefru
that produces a 128-bit hash is vulnerable to differential cryptanalysis
(vulnerable means that the attack is more efficient than brute force) for
four passes or less.  Given that, SHA and MD5 are much more efficient.

Oh yes, anyone interested in licensing the patent should contact Dave Petre,
Director of Patent Licensing for Xerox, (203) 986-3231.

Bruce 

Newsgroup: sci.crypt
Document_id: 15901
From: tcmay@netcom.com (Timothy C. May)
Subject: Re: Once they get your keys....

(alt.security.clipper added, to keep them informed of this issue)


David Sternlight (strnlght@netcom.com) wrote:
....
: The proposal could be modified so that if they get a court order to tap you
: and don't charge you with a crime within, say, 90 days, they have to buy you
: a new phone.
: 
: If they do charge you, and you are found innocent, they have to buy you a
: new phone.
: 
: :-)

Yes, but will they buy you a ticket on a time machine to allow you to
go back and use the phone with the new key instead of the phone whose
key they obtained?

It is unclear whether obtaining the key at time 0 also unlocks
messages recorded (by whomever) at earlier times. The announcement was
silent on this. The betting seems to be that once your key has been
obtained (by the authorities, by divorce lawyers, by the Mafia, by the
FBI, by lost or stolen backup tapes, by the NSA, etc.). all previous
conversations are insecure. (Session keys are negotiated, but knowing
the private key is believed by many commentators here to break the
security. No doubt more details will emerge.)

So, the loss of a key, whether one is guilty or innocent, may mean a lot
more than merely replacing the phone.

Sort of like saying to someone, "Oh, I copied your diary. But I'll buy
you a new one."


And the system, if made mandatory (as I expect), will make such
storing of conversations much easier, I fear. For one thing, the
transmission of the escrow key field acts as a clear signal to anyone
listening, a kind of "Caller ID" and "Callee ID" on a grand scale.
Also, the phone companies may not care as much about protecting the
privacy of the calls, as they perceive them all to be useless
encrypted junk. (This is a bit of a reach, I know, suggesting that the
Clipper will make security more lax...).

Anyway, still lots of issues unresolved.


-Tim May


-- 
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,  
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets, 
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^756839 | Public Key: PGP and MailSafe available.


Newsgroup: sci.crypt
Document_id: 15902
From: tcmay@netcom.com (Timothy C. May)
Subject: Re: Is this overreaction?

Perry E. Metzger (pmetzger@snark.shearson.com) wrote:
...
: We would like to keep it that way. Thats the point. By reacting
: strongly and forcefully now, we will assure that we continue to remain
: free. You cannot overreact to a threat like this. The worst that
: happens if we overreact is that we waste time and effort. The worst that
: happens if we underreact is tyranny. I prefer overreaction myself.
....
: Only through centuries of overreaction have we managed to maintain
: ourselves in this state of even moderate freedom. I suggest that
: overreacting now and in the future is a good thing.

Perry is right on target here. Careful analysis of the Clipper Chip
announcement reveals that it is *not* likely to remain "voluntary" for
very long...the cost of the system, the cost of generating and _then
storing_ the escrow keys, and the admitted security holes pretty much
make the ClipperPhone a loser.

Strong crypto will outcompete it, if strong crypto is allowed. This is
the battle we face.

We had rumblings of this totalitarian key registration thing a while
back, and now the other shoe has dropped. The firestorm of commentary
and criticism this time around reveals the almost immediate revulsion
this Wiretap Chip (and automatic Caller ID and Callee ID, don't
forget!) generates in everyone, or almost everyone, who hears about
it.

This is a battle we can't afford to lose.


-Tim May


-- 
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,  
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets, 
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^756839 | Public Key: PGP and MailSafe available.


Newsgroup: sci.crypt
Document_id: 15903
From: brad@optilink.COM (Brad Yearwood)
Subject: Re: Clipper considered harmful [Restated and amplified]

In article <1993Apr22.222016.25628@lehman.com>, pmetzger@snark.shearson.com (Perry E. Metzger) writes:
> You obviously haven't read the information about the system. The chips
> put out serial number information into the cypher stream to allow
> themselves to be identified. The system does not rely on registering
> people as owning particular phone units.
> 
> I am against the proposal, but lets be accurate in our objections.
> 

Do not presume to tell me what I have and have not read.  The system may
not rely upon registering people as owning particular phone units, but
it is necessary to know which phone units are likely to be used for some
suspected criminal communication before you can obtain their unit keys
from escrow.  This necessity raises the stakes in favor of a criminal's
coercing or colluding use of some other person's Clipper phone.

I will restate my assumptions more explicitly and amplify my argument.
The original title perhaps should have been "Distinction between legal
and illegal cipher systems considered harmful", but "Clipper considered
harmful" is not inaccurate, and is more eye-catching in the current context.

Assumptions:

  1.  Clipper is made available.

  2.  Laws are passed to make use of cipher systems other than Clipper illegal
      (either on radio systems, or on any common carrier system).  These laws
      also include enforcement authority to listen across the relevant radio
      spectrum (or other medium), characterize signals, validate Clipper
      wrappers, detect probable use of non-Clipper ciphers, and make such
      detection a cause for further action.

  3.  For escrowed keys to be useful, some specific Clipper chip must be
      associated with a suspected criminal.  This means that at a minimum
      some association between the common carrier's unique phone ID (ESN) and
      the Clipper chip serial number N will be stored in a government database.
      An observed pairing of N and ESN other than the one recorded raises a
      red flag.

  4.  To reduce ordinary fraud, the cellphone system which offers Clipper
      will also be constructed with an ESN mechanism much more tamper-proof
      and much less spoofable than today's cellphones.

  5.  Criminals want inscrutable communications.  Some criminals are not
      entirely stupid or ignorant, and will figure out both that Clipper
      cellphones offer excellent security in normal circumstances, and that
      they offer no security against law enforcement once a (presumably
      legitimate) wiretap order exists.  They will also figure out that the
      wiretap order must necessarily be against a specific cellphone, because
      each one has a unique unit key.

  6.  Criminals do not want to call attention to themselves.  Because they
      are not stupid or ignorant (or because they read netnews), and because
      they know that their open use of a non-Clipper cipher is likely to be
      detected, they will generally avoid using non-Clipper ciphers directly
      on some monitorable/tappable channel.  They know that doing so would raise
      a red flag, putting a given cellphone (if not a given person) under
      immediate suspicion.

  7.  It is impractical to reverse engineer Skipjack, discover family key F,
      and construct a functional clone of a Clipper chip.

By #2, #3, #4, and #7 it will be very difficult to spoof a given Clipper
phone without immediate detection.  Because it is difficult to obscure one's
association to a specific phone by reprogramming or changing chips
around, the criminal will be motivated to find an intact phone which is
associated with someone else.

A non-stupid criminal will conclude that they can have Clipper-secure
communications, at least for some limited time T, if they buy, beg, borrow,
or steal use of someone's phone in a way that prevents that person from
reporting compromise of the phone for at least time T.  The encrypted
communications might have been recorded, and thus be retrievable later,
but the criminal can delay, and quite likely evade, discovery by destroying
or abandoning the phone before T elapses.

It would be unusual for an innocent person to volunteer use of their Clipper
phone to someone else.  The honest subscriber doesn't want to pay someone
else's bill, and he doesn't want to fall under suspicion.

This leaves two sources of Clipper phones for criminal use: coercion
and collusion.

Coercion first.  Theft bears a relatively low risk, but also sometimes
a low time until detection (a few minutes if a phone is stolen from
a car parked in front of a store, a couple of weeks if a phone is stolen
from someone who is away on vacation).  Criminal commerce is likely to
arise in stolen Clipper phones, with phones coming from risk-inured poor
criminals, and cash coming from risk-averse wealthy criminals.  Someone
who is extraordinarily motivated to gain a day or two of undetected
communication (like a terrorist) could kill a person or hold them hostage.
The limited time (before detection) that a coerced phone is useful means
that continuing criminal enterprises require a continuing supply of
freshly coerced phones.

There would also be created a collusive commerce between relatively
wealthy criminals, and ignorant or don't-care patsies who need money,
and who will submit to being paid in return for subscribing to Clipper
phone service for someone else's use.

Criminals will learn that it is more to their advantage to coerce use of a
Clipper cellphone than it is to apply a non-Clipper cipher to a normal
cellphone.  They will call much less attention to themselves (or at least to
their stolen phone) this way.  The fact of a phone's use being coerced must
first be reported before it can be identified as an interesting phone, and
have its keys obtained from escrow.

Clipper also allows an extraordinary opportunity for the criminal to
conceal use of super-encryption.  An automated full-system surveillance
mechanism (quite feasible across radio bandwidth) which knows family key F,
can validate Clipper wrappers and N:ESN associations, but it cannot reveal
in realtime the use of super-encryption, unless it knows all unit keys,
which we are being assured are only to be made available in two separate
pieces, upon specific wiretap-like order.

Whereas a criminal's use of any cipher within a normally cleartext medium
would stand out, a criminal's use of a non-Clipper cipher within a Clipper
medium would be very difficult to detect, even ex post facto in bulk
recordings, as long as the association between criminal and specific Clipper
chip is fractured.

If you make use of this other cipher illegal per se, then you can charge
the criminal with this (if you can identify the true criminal - he'll be
using someone else's phone), but you'll have no evidence to help you against
whatever traditional crime he might have been planning.  You will not even be
able to detect that unusual (encrypted) communications are occurring until you
identify specific phones and obtain their keys from escrow.

The gangster and terrorist are thus arguably more, not less, secure than
they were before Clipper came along.

I therefore consider Clipper harmful because:

  1.  It does not provide absolute privacy to the honest public against
      aggressive or dishonest government.

  2.  If other ciphers are proscribed, it engenders new types of direct
      criminal threat to the honest public.

  3.  It provides an extraordinarily effective mechanism for criminals to
      hide their use of some other cipher, making it more difficult than
      ever even to gain notice that unusual communications are occurring
      and that plans for some criminal act might be in progress.

  4.  If other ciphers are proscribed, lazy investigators and prosecutors
      are more likely to pursue the easily quantifiable cipher-use crime
      than they are the traditional and directly harmful crimes which key
      escrow is claimed to help against.

  5.  If other ciphers are proscribed, the stage is set for witch hunting
      of "illegal" cipher use.  Because any computer can be used as a cipher
      machine...

Brad Yearwood    brad@optilink.com     {uunet, pyramid}!optilink!brad
Petaluma, CA

Newsgroup: sci.crypt
Document_id: 15904
From: mg@cs.princeton.edu (Michael Golan)
Subject: clipper serial numbers need 2nd court order?

something that no one has discussed yet (or I missed it):

The FBI sets up a wiretap AFTER the court order was handed. 
Only at this point they can access the line and detect 
the serial number N.

What happens next, does the FBI simply ask for the keys
for N, and, since a warrant was issued for the line, the FBI 
simply gets it? What if multiple phones are used from the
same house, the FBI just asks for N1, N2, etc.?

Exactly who is to prevent the FBI from claiming some
other serial number, X, was also used over the wiretapped 
line and get the keys for X? 

Either a second court order (for the specific serial/key)
is required (and I have seen no indication of this), or
the FBI can effectively ask for any pair of keys at any
time, so the escrow key holders are a total fake.

An unrelated issue: if and when all phones always use
the clipper chip, how are call-transfers going to take 
place?!


 Michael Golan
 mg@cs.princeton.edu


Newsgroup: sci.crypt
Document_id: 15905
From: steve-b@access.digex.com (Steve Brinich)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

 > Nonsense! I wasn't asked if Larry O'Brien should trust Nixon with his keys,
 >but whether I would.

  Well, that explains it.  The government has no real need to spy on people
who already love Big Brother; it's the people who are inclined to talk
back who need to be watched.

Newsgroup: sci.crypt
Document_id: 15906
From: steve-b@access.digex.com (Steve Brinich)
Subject: Re: New Encryption Algorithm

 >  Well, actually, this one's easy. It's their job. The NSA is
 >supposed to develop cryptosystems. If the government chooses to go
 >ahead and sell those cryptosystems to the masses, so be it.

  Ah, but developing cryptosystems which are specifically designed to
protect the government's domestic spying capabilities takes them beyond
that mandate, into the forbidden field of domestic wiretapping.


Newsgroup: sci.crypt
Document_id: 15907
From: steve-b@access.digex.com (Steve Brinich)
Subject: Re: Suggestions for escrow agencies (was: Re: More technical details)

  On the contrary, the entire Clipper proposal is an example of the
government servicing the people (in the sense of the term found in the
sentence, "The farmer paid $100 to rent a bull to service his cows.")



Newsgroup: sci.crypt
Document_id: 15908
From: Graham Toal <gtoal@gtoal.com>
Subject: Re: Key Registering Bodies

In article <nagleC5w79E.7HL@netcom.com> nagle@netcom.com (John Nagle) writes:
:       Since the law requires that wiretaps be requested by the Executive
:Branch and approved by the Judicial Branch, it seems clear that one
:of the key registering bodies should be under the control of the
:Judicial Branch.  I suggest the Supreme Court, or, regionally, the
:Courts of Appeal.  More specifically, the offices of their Clerks.

I've got a better idea.  We give one set to the KGB c/o Washington embassy,
and the other set to the Red Chinese.

G

Newsgroup: sci.crypt
Document_id: 15909
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: PGP ideas for IBM systems

:    I've been thinking about how difficult it would be to make PGP available
: in some form on EBCDIC machines.

Don't encourage them.  Let EBCDIC machines die an honorable death :)

G


Newsgroup: sci.crypt
Document_id: 15910
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: Is key escrow enough?

	  The points raised about checking what is actually -in- the chip, as
	opposed to what is allegedly programmed therein, raise yet another trust
	issue.  Even if we assume that these "trusted agents" are really entering
	a wide range of S1 and S2 seeds (rather than using the same one all the
	time to reduce the key search space to 30 bits), I assume they are not
	doing so by picking up an iron filing and poking it into the circuitry
	at carefully selected points to encode data.  They would presumably be
	punching numbers into a computer, which for all they know could program
	the chips in a manner completely independent of the S1 and S2 values they
	are feeding into the system.

S1 and S2 are clearly the backdoor - we should assume they are all
compromised.  If they're not compromisable, why the hell not use a
hardware true random number source.  There isn't a random number
source *anywhere* in this proposal.  The whole thing is deterministic
from the day the serial number is stamped on the chip.

Nope, it can't be trusted.  This is all about two levels of access -
the (possibly honest) key escrow that police forces have to use, and
ostensibly the FBI; and the back door that lets the NSA decode *everything*
on the fly - and maybe some back-handers to the FBI when they want a
warrantless tap in exchange for favours.

G

Newsgroup: sci.crypt
Document_id: 15911
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: Do we need the clipper for cheap security?

: There are chips which perform the voice compression/expansion.  They can't
: be expensive, because they exist in many phones connected to PBXs or on the
: PBX line cards, as well as in a lot of equipment which compresses
: voice-grade circuits to save the cost of long-distance, leased T1s or
: satellite circuits.

: I can't remember the generic term for these chips.  My impression is that
: this was a big deal 10 years ago, but circuits have gotten so cheap that
: it isn't done much now.

Codecs.  They have to get about 6:1 compression on 8 bit samples to squeeze
them down v32bis.  I played around with the lossless 'shorten' program
last night, but it only managed 2.5:1.  I've got some specimen CELP code
but it's not obvious that it runs in real time; I think it's just proof-of-
concept code, and I have some mucking about with file formats to do before
I can put my own sample through it.

Looks like the current option is to use a voice-mail modem with built-in
DSP chip to do this in hardware.  That means two modems for a system,
putting the cost at $600 upwards.  Ouch.  Maybe soon we'll be able to
do it in software on high-powered games consoles - isn't the 3DO an
Acorn RISC machine inside?  That cpu runs like shit off a shovel... and
will be nicely mass-market too.

G

Newsgroup: sci.crypt
Document_id: 15912
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: Clipper considered harmful

	From: pmetzger@snark.shearson.com (Perry E. Metzger)

	You obviously haven't read the information about the system. The chips
	put out serial number information into the cypher stream to allow
	themselves to be identified. The system does not rely on registering
	people as owning particular phone units.

And probably as a back door to allow re-generation of the secret key.

Have we determined yet that S1 and S2 don't ever change?

G

Newsgroup: sci.crypt
Document_id: 15913
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: Clipper considered harmful

:    Does Dorothy Denning read this group?  If not, is someone on the group
: forwarding questions like these to her, or Martin Hellman, or anyone else
: who's seen more details about the chip?

Of course she does; it's just she's been toasted so often for being
an NSA patsy that she's keeping her head down.  You can always mail
her directly as denning@guvax.acc.georgetown.edu,
denning@cs.cosc.georgetown.edu or denning@cs.georgetown.edu

G

Newsgroup: sci.crypt
Document_id: 15914
From: mike@avon.demon.co.uk ("Mike H.")
Subject: Re: Clipper Chip and crypto key-esc 

In article <1993Apr21.131510.3215@memex.co.uk> peter@memex.co.uk writes:

>I thought it was quite difficult to record a modem session at some
>intermediate point on the line. Maybe they have taken a crash course
>in data comms and have a unit that demodulates the tones and stores the
>digital stream for decryption later. This would still suffer from the

>called BABT. It has been stated, either here or in the uk.telecom group,
>that they will not approve equipment that does encryption. I don't know
>if this is true or not, but this would make a good test case.
>
>                Peter Ilieve            peter@memex.co.uk

You forget the obvious! If it is an *authorised* tap then it can be done at
the exchange. If the exchange is *digital* then I suspect that you can
auto-monitor a line and pick up the full link. Therefore syncing a piggyback
modem on the line would not be impossible - I suspect.
-- 

                        Mike H. (mike@avon.demon.co.uk)

Newsgroup: sci.crypt
Document_id: 15915
From: gtoal@gtoal.com (Graham Toal)
Subject: Re: Once tapped, your code is no good any more.

	I don't think Mr. Clinton can even understand the technical details of
	the Clipper encryption scheme. So, his "assurances" are of no value at
	all; if he gives them he just says what a panel of experts(?) told him.
	If I lived in the USA, I would hope those experts were not paid by the
	<fill here your favorite 3-letter combination>.

"The doctrine of plausible deniability".  No-one is going to tell him
it has a back door.  The NSA will assume he has the sense to work it out
for himself or they wouldn't be pushing it.  Clinton might even *believe*
the NSA when they tell him, for the record, it doesn't have a back door.

And no FOIA request in the world will ever find it.  These guys don't
play by that set of rules.  They have their own rule book, and no, you're
not allowed to see that either.

G

Newsgroup: sci.crypt
Document_id: 15916
From: stan@tacobel.UUCP (stan)
Subject: Re: Overreacting (was Re: Once tapped, your code is no good any more

jhan@debra.dgbt.doc.ca (Jerry Han) writes:
> Can people work within the system before trying to break it?  Examine your
> history books, and find out how many armed revolutions led to Democratic
> (or Democratic style) governments.  I think you'll only find one in over
> five thousand years of written history.
> 
> That's not very good odds.  

I may be misreading you here.  Are you saying the American Revolution 
wasn't a good idea because it was bad odds?

I kind of doubt that any revolution, armed or otherwise, was ever started 
without vast amounts of failed "working within a system".  A good sign of 
a system being not worth preserving would probably be that very inability 
to work within it productively.

Hopefully I've misunderstood.  (BTW, I'm not a big fan of arms myself.  

Newsgroup: sci.crypt
Document_id: 15917
From: ijames@helix.nih.gov (Carl Ijames)
Subject: Re: REVISED TECHNICAL SUMMARY OF CLIPPER CHIP

> In article <1993Apr21.192615.3465@guvax.acc.georgetown.edu>, denning@guvax.acc.georgetown.edu writes:
> 
> > Each chip includes the following components:
> 
> >    the Skipjack encryption algorithm
> >    F, an 80-bit family key that is common to all chips
> >    N, a 30-bit serial number (this length is subject to change)
> >    U, an 80-bit secret key that unlocks all messages encrypted with the chip
> [ ... ]
> 
> > To see how the chip is used, imagine that it is embedded in the AT&T
> > telephone security device (as it will be).  Suppose I call someone and
> > we both have such a device.  After pushing a button to start a secure
> > conversation, my security device will negotiate an 80-bit session key K
> > with the device at the other end.  This key negotiation takes place
> > without the Clipper Chip.  In general, any method of key exchange can
> > be used such as the Diffie-Hellman public-key distribution method.
> 
> > Once the session key K is established, the Clipper Chip is used to
> > encrypt the conversation or message stream M (digitized voice).  The
> > telephone security device feeds K and M into the chip to produce two
> > values:
> 
> >    E[M; K], the encrypted message stream, and
> >    E[E[K; U] + N; F], a law enforcement field,
> [ ... ]
> 
> > which are transmitted over the telephone line.  The law enforcement
> > field thus contains the session key K encrypted under the unit key U
> > concatenated with the serial number N, all encrypted under the family
> > key F.  The law enforcement field is decrypted by law enforcement after
> > an authorized wiretap has been installed.

Is the U used in the law enforcement field from the phone which placed the
call, from the unit whose 'start secure session' button was pressed first,
or does each phone transmit its own law enforcement field?  Even assuming
one of the first two choices, the FBI is going to get a fresh N,U for its
own database about every other phone call, eventually accumulating keys for
all the phones used to connect to the line they are monitoring, not just
the 'suspects' key.  (Assuming the ever-thrifty FBI doesn't forget each key
after its wiretap permission has expired.)  Not quite a pyramid, but not
bad, either.

Carl Ijames     ijames@helix.nih.gov        More worried every day.
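The field layout Denning describes in the quoted summary, Tim May's question earlier in the thread (does a key obtained at time 0 unlock conversations recorded before it?), and Carl's point about accumulating N,U pairs can all be traced through with a short model. This is an added example, not code from any post or from the Clipper system itself: Skipjack is replaced by an HMAC-based keystream as a stand-in, and every key and serial value is constructed.

```python
import hashlib
import hmac

# Stand-in for Skipjack. The real cipher was classified and is not available
# here, so E[x; key] is implemented as XOR with an HMAC-SHA256 counter-mode
# keystream (assumption made for this example; only the field layout follows
# the quoted summary). Because it is XOR, E(E(x, k), k) == x.
def E(data: bytes, key: bytes) -> bytes:
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

KEY_BYTES = 10     # 80-bit F, U and K, as in the quoted summary
SERIAL_BYTES = 4   # the 30-bit serial number N, carried in four bytes here

def make_leaf(K: bytes, U: bytes, N: int, F: bytes) -> bytes:
    """Law enforcement field E[E[K; U] + N; F]; '+' is concatenation."""
    return E(E(K, U) + N.to_bytes(SERIAL_BYTES, "big"), F)

def encrypt_session(K: bytes, M: bytes) -> bytes:
    """The traffic itself, E[M; K]."""
    return E(M, K)

def open_leaf_with_family_key(leaf: bytes, F: bytes) -> tuple[int, bytes]:
    """Anyone holding F learns N (which chip is talking) and the still
    wrapped E[K; U]; without U this reveals nothing about K or M."""
    inner = E(leaf, F)
    return int.from_bytes(inner[KEY_BYTES:], "big"), inner[:KEY_BYTES]

def recover_session_key(leaf: bytes, F: bytes, U: bytes) -> bytes:
    """With the unit key U (escrowed, or leaked) the session key K falls out."""
    _, wrapped_K = open_leaf_with_family_key(leaf, F)
    return E(wrapped_K, U)

# Constructed sample values; not real Clipper material.
F = bytes.fromhex("0f0f0f0f0f0f0f0f0f0f")
U_CHIP = bytes.fromhex("a1b2c3d4e5f60718293a")
N_CHIP = 0x2ABCDEF1                      # fits in 30 bits
CALLS = [                                # (session key K, digitized voice M)
    (bytes.fromhex("00112233445566778899"), b"call recorded on day 1"),
    (bytes.fromhex("99887766554433221100"), b"call recorded on day 30"),
]

def record_calls() -> list[tuple[bytes, bytes]]:
    """What a passive recorder on the line captures: (E[M; K], LEAF) for each
    call, with a fresh K per call but the same U and N every time."""
    return [(encrypt_session(K, M), make_leaf(K, U_CHIP, N_CHIP, F))
            for K, M in CALLS]

def serials_seen(recording: list[tuple[bytes, bytes]], F: bytes) -> set[int]:
    """Traffic analysis with F alone: the chip serial on every call."""
    return {open_leaf_with_family_key(leaf, F)[0] for _, leaf in recording}

def decrypt_recording(recording: list[tuple[bytes, bytes]],
                      F: bytes, U: bytes) -> list[bytes]:
    """Once U is obtained, every recorded call decrypts, including calls
    made long before U was released: the LEAF of each call carries its K."""
    return [E(ct, recover_session_key(leaf, F, U)) for ct, leaf in recording]

if __name__ == "__main__":
    rec = record_calls()
    print("serials visible with F only:", [hex(n) for n in serials_seen(rec, F)])
    print("plaintexts once U is known:", decrypt_recording(rec, F, U_CHIP))
```

Running it shows the two properties argued about in the thread: the family key alone exposes which chip made each call, and the unit key alone retroactively opens every call that chip ever made.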

Newsgroup: sci.crypt
Document_id: 15918
From: jluther@cs.umr.edu (John W. Luther)
Subject: Re: Once tapped, your code is no good any more.

In article <1993Apr21.222016.18990@leland.Stanford.EDU> arc@leland.Stanford.EDU (Andrew Richard Conway) writes:

>Of course don't over react --- but don't under react.
>
Better yet: act.

John
-- 
* John W. Luther                        |   Anybody who mistakes my *
* jluther@cs.umr.edu   <-Best for Email |   opinions for UMR's just *
* 71140.313@compuserve.com  <-$$$$$!    |   doesn't know UMR.       *
********************************************************************

Newsgroup: sci.crypt
Document_id: 15919
From: feustel@netcom.com (David Feustel)
Subject: Re: The Escrow Database.

And the fox has rabies too.
-- 
Dave Feustel N9MYI <feustel@netcom.com>

<sig being revised>

Newsgroup: sci.crypt
Document_id: 15920
From: pla@sktb.demon.co.uk ("Paul L. Allen")
Subject: Re: Wiretapping reality today

-----BEGIN PGP SIGNED MESSAGE-----

In article <strnlghtC5wKH0.62x@netcom.com> strnlght@netcom.com (David Sternlight) writes:

> The number of court ordered wire taps is pretty low. Law enforcement has to
> present pretty good evidence to get even that limited number of
> authorizations.
> 
> Thus the overwhelming majority of conversations are neither tapped nor
> recorded by the government, and for that to happen they have to:
> a) Have a pretty good reason, with evidence;
> b) Use this sparingly on highest priority "pretty good reasons."

David, given the proposition of the first paragraph, the conclusion of
the second *should* read:

> Thus the overwhelming majority of conversations are neither tapped nor
> recorded legally by the government [...]
           ^^^^^^^

Which completely overturns your argument.  To not see this requires an
unbelievable degree of stupidity or naivete on your part.  Perhaps it's time
for you to own up and say which spook agency you work for...

- --Paul


-----BEGIN PGP SIGNATURE-----
Version: 2.2
-----END PGP SIGNATURE-----


Newsgroup: sci.crypt
Document_id: 15921
From: steve-b@access.digex.com (Steve Brinich)
Subject: Re: Is this overreaction?

  Good points.  In addition, I would point out that now is one of the
best times to fight this political battle, with much of the opposition
in disarray -- an FBI director (Sessions) on his way out, an Attorney
General (Reno) who has only been in long enough to find the office coffee
machine two tries out of three (and, between slow confirmations and
Clinton's Saturday Night Massacre, hasn't much of a staff in place).
If we really get lucky, both of the above will be too busy trying to
keep their feet from being held to the Waco fire to spend much effort
insisting on their alleged right to spy on the American people.

  "I swear to you, we aren't finished yet." -- James T. Kirk, ST III


Newsgroup: sci.crypt
Document_id: 15922
From: jhart@agora.rain.com (Jim Hart)
Subject: Trademark violation claimed


Forwarded from libernet@dartmouth.edu:

Date: Tue, 20 Apr 93 10:30:47 PDT
From: ald@clipper.clipper.ingr.com (Al Date)
Subject: "Clipper Chip"  --NOT!
To: libernet@Dartmouth.EDU

Clipper TM chip is a registered trademark of Intergraph Corp.

The so-called Clipper chip which was recently mentioned here
and in other media
with respect to encryption is being used in violation of that trademark.  

The Intergraph Clipper chip is a Unix microprocessor, originally 
developed by Fairchild Semiconductors, and has no relationship
to the encryption chip whatsoever.  

I mention this here with the hope that someone reading this will
intercede before the group alt.privacy."clipper" is established.


--Al Date



Newsgroup: sci.crypt
Document_id: 15923
From: <34AEJ7D@CMUVM.BITNET>
Subject: Re: Encryption Chip Availibility

In article <ofppPcS00iUy0_k3Mr@andrew.cmu.edu>, "Stephen J. Ludwick"
<sl3b+@andrew.cmu.edu> says:
>
>Hi everybody!
>
>Does anyone know of companies that are currently manufacturing
>encryption chips for sale to the general public?  Get them while you
>can!  Some pointers would be greatly appreciated.
>
>Thanks
>
>Steve

I believe Fisher(sp?) International, makers of the Watchdog(tm) PC
security package offers a hardware implementation of DES as an add-on
to that package.

Newsgroup: sci.crypt
Document_id: 15924
From: nobody@alumni.cco.caltech.edu
Subject: Jerry Berman on pseudonymous privacy

Hello all,
I thought you all might like to see this. It's a letter from Jerry
Berman to David Chaum from November of 1985, in response to
information that Mr. Chaum sent to Mr. Berman.

While I have to congratulate EFF for its prompt response to the
Clipper Chip announcement from the White House, I think it's important
to recognize the philosophy of their Executive Director, as explained
below.

I agree that legal remedies are important, but when pressed, I'd
prefer to retain the ability to use purely technical solutions to
preserve my privacy, because they'll hold up under fire.

Mr. Chaum has consented to the publication of this letter on the Net. 

I don't work for, nor am I a member of EFF, ACLU, or any similar
organizations, but I do agree with them on a great many things. 

					--Aristophanes

----------


                     AMERICAN CIVIL LIBERTIES UNION
                           WASHINGTON OFFICE
                        122 Maryland Avenue, NE
                        Washington, DC 20002

                        National Headquarters
                        132 West 43rd Street
                        New York, NY 10036
                        (212) 944-9800

                        Norman Dorsen, President
                        Ira Glasser, Executive Director
                        Eleanor Holmes Norton, Chair, National Advisory Council

 November 1, 1985

Mr. David Chaum
Centre for Mathematics and Computer Science
P.O. Box 4079
1909 AB Amsterdam

Dear Mr. Chaum:


	Thank you for sending me a most interesting article.  A
society of individuals and organizations that would expend the
time and resources to use a series of 'digital pseudonyms' to
avoid data linkage does not in my opinion make big brother
obsolete but acts on the assumption that big brother is ever
present.  I view your system as a form of societal paranoia.

	As a matter of principle, we are working to enact formal
legal protections for individual privacy rather than relying on
technical solutions.  We want to assume a society of law which
respects legal limits rather than a society that will disobey the
law, requiring citizens to depend on technical solutions, e.g.
require a judicial warrant for government interception of data
communications rather than encrypt all messages on the assumption
that regardless of the law the government will abuse its power
and invade privacy.

	As a matter of practicality, I do not think your system
offers much hope for privacy.  First, the trend toward universal
identifiers is as much a movement generated by government or
industry's desire to keep track of all citizens as it is by
citizens seeking simplicity and convenience in all transactions.
At best, your system would benefit the sophisticated and most
would opt for simplicity.  The poor and the undereducated would
never use or benefit from it.

	Finally where there's a will, there's a way.  If government
wants to link data bases, it will, by law, require the disclosure
of various individual pseudonyms used by citizens or prohibit it
for data bases which the government wants to link.  Since
corporations make money by trading commercial lists with one
another, they will never adopt the system or if it is adopted,
will use "fine print" contracts to permit selling various codes
used by their customers to other firms.

	The solution remains law, policy, and consensus about limits
on government or corporate intrusion into areas of individual
autonomy.  Technique can be used to enforce that consensus or to
override it.  It cannot be used as a substitute for such
consensus.



                                            Sincerely Yours,

                                             /Sig/

                                            Jerry J. Berman
                                            Chief Legislative Counsel
                                            & Direrector ACLU
                                            Privacy Technology Project


   cc: John Shattuck





Newsgroup: sci.crypt
Document_id: 15925
From: quilty@twain.ucs.umass.edu (Lulu of the lotus-eaters)
Subject: Information on Mathematics of Cryptography (followup)

I posted an informational request about any electronically available
articles on cryptographic algorithms a couple of days ago.  As I
mentioned, I was interested, in particular, in DES and Public-Key --
but also wouldn't mind learning about others.  As I said, I can read
an intro-graduate level text book, having had some mathematics, though
not much number-theory per se.  I'd like to see the technical details
of the mathematics of cryptography, as opposed to the popularizations
of things like _scientific am_ which just say, "then you find a
*really* big prime number....".

Following my request, several people were so kind as to suggest
reading-lists, which I hope to get around to.  Two other people were
so *very* kind as to send large documents, which I presume were actual
articles (about 1000 lines each); but I've stupidly deleted them
accidentally before having a chance even to skim them.  If they can
forgive me for my careless use of file-commands, would the original
senders be so kind as to resend? Or anyone else who has good
crypto-articles at a fairly technical mathematical level? Also,
ftp-able or gopher-able docs would be nice to know about.

Yours, Lulu...

-- 
      _/_/_/ THIS MESSAGE WAS BROUGHT TO YOU BY: Postmodern Enterprises _/_/_/ 
     _/_/    ~~~~~~~~~~~~~~~~[quilty@philos.umass.edu]~~~~~~~~~~~~~~~~~  _/_/ 
    _/_/  The opinions expressed here must be those of my employer...   _/_/ 
   _/_/_/_/_/_/_/_/_/_/ Surely you don't think that *I* believe them!  _/_/ 

Newsgroup: sci.crypt
Document_id: 15926
From: injc@sun.rz.tu-clausthal.de (Joerg Czeranski)
Subject: Re: Off the shelf cheap DES keyseach machine (Was: Re: Corporate acceptance of the wiretap chip)

AG Russell (arussell@austin.ibm.com) wrote:
: At the company I worked for previously, I received a file that was
: des encryped
: and the person that had sent it, went on vaction.  Rather than wait
: two weeks
: I set up a straight frontal attack with one key at a time.  It only
: took two(2)
: days to crack the file.  No, I don't have any faith in DES.

Then it was either _really_ good luck or you had some _very_ fast
machine.  DES has 2^56 possible keys, each two of which are simply
to convert into each other, so you have to expect 2^54 trial encryptions
in the mean case, assuming known plaintext.
2^54 / 2 / (24*60*60) / 1000000 is ca. 104250.
So you must have managed to do 104250 encryptions per microsecond.
CE Infosys builds a very fast DES chip that manages 2 (!) encryptions
per microsecond.

Yes, I'm not very seriously bothered about the security of DES yet;
though you might prefer to use triple DES or IDEA, both of which
use more key bits.

joerg

--
Joerg Czeranski                EMail czeranski@rz.tu-clausthal.de
Osteroeder Strasse 55          SMTP  injc@[139.174.2.10]
W-3392 Clausthal-Zellerfeld    Voice (at work)  +49-5323-72-3896
Germany                        Voice (at home)  +49-5323-78858

To obtain PGP public key, finger injc@sun.rz.tu-clausthal.de, or email me.

Newsgroup: sci.crypt
Document_id: 15927
From: anovak@twain.ucs.umass.edu (Tree Hugger)
Subject: Rush Limbaugh's address (oops from before)

	I think this didn't get posted before (I've been reading
USENET for the longest time, but never had much interest in posting
until recently).  This is what I typed before:

	I have written Mr. Limbaugh before, and I am loath to use the
name Rush in association with him, because he is unworthy to have a
name in common with some of the greatest musicians of our time, the
BAND, Rush.
	His address, as some of you wanted, is:
	70277.2502@compuserve.com
	He has been too wrapped up in himself to respond to me, but
maybe some of you will have better luck.  :)  bye!
--
	g'bye for now...

	-=I   Tree   I=-                  a.k.a. Andy Novak

---------------------------------------------------------------------
            anovak@titan.ucs.umass.edu 
                  anovak@twain.ucs.umass.edu
---------------------------------------------------------------------

Newsgroup: sci.crypt
Document_id: 15928
From: mkapor@eff.org (Mitch Kapor)
Subject: Re: Jerry Berman on pseudonymous privacy

nobody@alumni.cco.caltech.edu correctly states Jerry Berman's 1985 view on
privacy, but he mistakenly assumes that this represents Berman's 1993 view as
EFF Executive Director.

As one of the people who convinced Jerry that legal protections for privacy
are insufficient, and that technical measures, especially public key
cryptography, are also vitally necessary, I can tell you that Jerry and EFF
are fully committed to this position.

The previous poster is apparently unaware of a long series of EFF positions in
support of this view.  I suggest those interested read EFF's position on
Clipper or our other work in digital privacy.  Check ftp.eff.org for more
details.

One of the great things about human beings is that they are capable of change
and evolution in their thinking.  The idea that crypto is critical to privacy
is one which is no longer limited to certain net aficionados, but is 
spreading to parts of the public policy community in Washington.

Mitch Kapor
co-Founder, EFF 

Newsgroup: sci.crypt
Document_id: 15929
From: smb@research.att.com (Steven Bellovin)
Subject: Re: Clipper considered harmful

In article <16BB9F30.C445585@mizzou1.missouri.edu>, C445585@mizzou1.missouri.edu (John Kelsey) writes:
>  
>    The clipper chip's User key is formed by:
>  
>            R1 = E[D[E[N1;S1];S2];S1]
>            R2 = E[D[E[N2;S1];S2];S1]
>            R3 = E[D[E[N3;S1];S2];S1]
>  
>    Why is the triple-encryption used?  Is it just to gain an effective
> increase in keyspace to defeat a potential keysearch?  (If so, why use
> 80 bit keys?)  Not knowing anything about the Skipjack algorithm, it's
> not really possible to guess whether this makes it harder or easier to
> guess S1,S2.
>  
>    Why are N1, N2, and N3 formed as they are?  It would be fascinating to
> see the Skipjack algorithm, to look for ways of attacking it that require
> three ciphertext blocks formed in that odd way.
>  
>    Where do the 34-bit constant values that are concatenated with the
> serial number to form N1,N2,N3 come from?  Are they changed from chip to
> chip, or session to session?  (Even if they're published in the NY Times,
> if SkipJack is resistant to known-plaintext attacks, when using triple-
> encryption, then there's no break in security.  But why allow that kind
> of weird format?  If those three 34-bit values are truly-random bits, then
> maybe it's used to ensure that a known-plaintext attack on SkipJack, if
> it exists, can't be easily used to derive S1 and S2 for a whole production
> run of these chips....)

I can't answer all your questions in detail, but I can take a stab at
them.

The form of the operations that compute R1, R2, and R3 is, of course, the
famous ``triple encryption'' suggested for use with DES.  It's much
stronger than a single encryption, and has an effective key length of
160 bits.  For reasons that were discussed when DES was first
standardized, a simple double encryption would not have the same
strength.  Triple encryption has been used by IBM since more or less
the beginning to encrypt other keys.  It's recommended for anything of
very high value.  And I think we can agree that the R_i and S_i fit
that description.

Why n_1, n_2, and n_3?  Well, you need different plaintext values.  I
have no idea if they'll be disclosed or not.  At a guess, they're
constructed so that they differ in as many bit positions as possible.
A good cryptosystem will scramble things a lot with even a 1-bit change
-- but the values of N in a series will have fairly similar bit
patterns, and there might, conceivably, be a weakness.  So the n_i
values are -- and I'm guessing -- chosen to increase the Hamming
distance.

In any event, I'm quite convinced that one cannot go back to the S_i
from the U_i, let alone U.  (Observe:  if the NSA has U, they don't
need to find S_i.  But even if they do, they can't get U_1 and U_2.  In
theory, they should never even see those values, even with a warrant.)

The real question, I think, is why use this scheme at all, as opposed
to a hardware random number generator.  My answer is that this is
*much* more verifiable.  Look -- suppose that NSA, NIST, the ACLU, the
EFF, and the NRA combined to build a *really* good random number
generator, and that it passed every test you could think of.  When you
come back next week to program some more chips, does it still work that
well?  Have any components changed in value?  Have the components been
changed out from under you?  Does it still work well in the
presence of a focused microwave beam that tends to bias it towards
selecting 1 bits?  Yes, you can run detailed statistical tests on it
again, but that's hard.

Consider, on the other hand, a software solution.  You bring your own
floppies with you, you can run cryptographic checksums, etc.  It's a
lot easier to verify that the software is unchanged, in other words.
(Yes, I can think of ways to cheat software, too.  I think that they're
a lot harder.)

There are three issues with Clipper.  The first is whether or not the
architecture of the whole scheme is capable of working.  My answer,
with one significant exception, is yes.  I really do think that NSA and
NIST have designed this scheme about as well as can be, assuming that
their real objectives are as stated: to permit wiretapping, under
certain carefully-controlled circumstances, with a minimum risk of
abuse.  (The exception is that U exists outside of the chip, on a
programming diskette.  That's seriously wrong.  U_1 and U_2 should be
loaded onto the chip separately.)  To those who disagree (and I don't
claim my answer is obvious, though I found my own reasoning
sufficiently persuasive that I was forced to rewrite the Conclusions
section of my technical analysis paper -- I had originally blasted the
scheme), I issue this invitation:  assume that you were charged with
implementing such a system, with complete regard for civil rights and
due process.  What would you do differently?  In answering this
question, please accept NSA's fundamental assumptions:  that both
strong cryptography against outsiders, and the ability to wiretap
*some* domestic users, is necessary.  (If you feel it necessary to
challenge those assumptions, do it in the context of the last issue I
present below.  Right here, I'm discussing *just* the technical
aspects.  And no, I don't by any means claim that just because
something can be done, it should be.)

The second issue is whether or not this whole architecture is actually
going to be used.  Just because Clipper chips are made this way doesn't
mean that that's the only way they'll be made.  Maybe the NSA will
substitute its own chips between the programming facility and the
shipping dock.  And they'll generate bogus warrant requests, so that
the escrow agents don't wonder why they've never called.  (``Sorry,
guys; all them terrorists and drug dealers and pedophiles seem to have
bought triple-DES phones instead.  Who'd 'a' thunk it?'')  I have no
answer to this question, and at the moment, I don't see a way of
answering it.  Those concerns are part of my reasoning in my answer
to the final question, below.

The third, and most serious issue, is whether or not Clipper is a good
idea even if carried out strictly according to the letter of the law.
I think that the answer is no, but it's not a no-brainer.  I'm a civil
libertarian, not a libertarian, for reasons that I explained at great
length on the net in the Elder Days, and that I don't have the energy
to repeat now.  But that means that I'm willing to accept that some
laws are necessary, so long as they respect the essential rights of
individuals.  The government already has the ability and -- in our
system -- the right to issue search warrants, and while that power has
certainly been abused, it's also been used quite properly and fairly in
other cases.  Is key escrow sufficiently different?  I think so -- but
again, it's not an easy question for me.  (It is easy for libertarians
to answer, of course, since Clipper is completely alien to much of the
rest of their (oft-admirable) philosophy.  And it's also easy for those
who give their unreserved trust to government, a group I'm much more
distant from.)


		--Steve Bellovin

Newsgroup: sci.crypt
Document_id: 15930
From: mike@avon.demon.co.uk ("Mike H.")
Subject: Re: S1, S2 

In article <1r60ue$102@access.digex.net> steve-b@access.digex.com writes:
>  The only theory that makes any sense is that S1 and S2 are either the
>same for all chips, or vary among very few possibilities, so that anyone
>trying to break the encryption by brute force need only plow through the
>possible serial numbers (2^30, about one billion), multiplied by the number
>of different S1, S2 combinations.
>
Iff the phones transmit their serial nos. as part of the message then what
is to say that each phone can take that serial number and use it to generate
the required key....



Newsgroup: sci.crypt
Document_id: 15931
From: smb@research.att.com (Steven Bellovin)
Subject: Re: Once they get your keys....

In article <930424031634.176183@DOCKMASTER.NCSC.MIL>, Grant@DOCKMASTER.NCSC.MIL (Lynn R Grant) writes:
> About 50 people so far have asked, "Once the FBI gets your Clipper keys,
> won't they be able to read all your future and past traffic?"
> 
> There has been no response from NIST, NSA, Ms. Denning, Mr. Hellman, or
> anyone else who might be able to give us an authoritative answer.
> This is troubling.
> 
> Didn't NSA think about this?  Or is it a feature, and they thought we
> wouldn't notice?
> 
> I would have thought that by now they would have responded with something
> of the form, "Well, that won't be a problem because ...."

Don Alvarez posted a good partial solution to this problem to
comp.risks.  I'll present my variant on it instead, since I feel it's a
bit stronger against some likely attempts to cheat.  It depends on the
protocol that's followed for reading traffic.  Briefly, the cops get a
wiretap warrant, and record the call.  They then notice the encryption
and the disclosure header.  It, along with a copy of their warrant, is
sent to the FBI, or whoever it is who holds the family key.  The
F-holder decrypts the header, and sends the serial number N and the
encrypted session key U[K] to the escrow agents.  They, in turn, use U1
and U2 to recover K, and send that to the local police.

Note how this solves the problem of wiretapping forever.  Neither the
cops nor the FBI ever see U, so they can't read other traffic.  Every
request must be validated by both the FBI and the escrow agents.  The
cops and the FBI together can't cheat, since they don't have U.  (I
regard that as a likely pairing of folks who might try to beat the
system.  It's to prevent this that I modified Alvarez's scheme.)  The
escrow agents can't read the conversation, since they don't have it;
all they have is N and U[K].  And the police don't even see N.

It's harder to see how to block decryption of old, warrantless,
wiretaps.  There is one protection -- you have to persuade the escrow
agents that the call is current.  But that's not nearly as strong.
There are approaches I can see that might work, involving sequences of
data on an unalterable medium, complete with cryptographic protection
against insertion onto a new medium.  But I don't have anything yet
that isn't too complex for comfort, or too hard to install in the real
world.  The NSA might have an answer; they may or may not be smarter
than me, but I've been working on this for a week, and they've had years.

Newsgroup: sci.crypt
Document_id: 15932
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Clipper considered harmful [Restated and amplified]


Brad Yearwood posts a long response to the issue of registering a
phone-clipper relationship.

It doesn't wash.

Recall that law enforcement gets a court order to tap a suspect's phone
calls. They do what they do now--figure out which lines to tap. They then
record the stuff. If it's Clipper, they read the law enforcement block,
extract the serial number, and get the keys using the court order.

No new difficulties (such as using someone else's phone instrument or phone
line) are introduced that wouldn't have existed absent clipper. If the
crooks were going to use a pay phone (say), they could have done so without
clipper. If the government figures out they're so doing, they listen in, and
if it's a clipper conversation they get the serial number and then the keys.

If the crooks use an innocent person's clipper phone on the tapped line
there's no problem. The Feds don't care whose phone instrument is used, just
that the conversation is by the suspect on the tapped line. They get the
serial number, get the keys, and they are in business.

No clipper chip to person association is ever needed.

David
-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
Document_id: 15933
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

In article <1rae88$b5j@access.digex.net> steve-b@access.digex.com (Steve Brinich) writes:
> > Nonsense! I wasn't asked if Larry O'Brien should trust Nixon with his keys,
> >but whether I would.
>
>  Well, that explains it.  The government has no real need to spy on people
>who already love Big Brother; it's the people who are inclined to talk
>back who need to be watched.

Though I think this an overstatement, it does contain a grain of truth. It's
drug dealers, spies, terrorists, and organized crime figures (assuming
enough probable cause to convince a judge) who need to be watched, not
law-abiding citizens.

David
-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
Document_id: 15934
From: strnlght@netcom.com (David Sternlight)
Subject: Back doors in Clipper?


I think it very unlikely there are back doors in clipper, for two reasons:

1. The government doesn't need them if it can get the key (and yes, I assume
that the "official" government obeys court orders, etc.--and that the design
of the chip and its approval were "official");

2. It would defeat the whole purpose of providing secure crypto for American
business that couldn't be read by our economic adversaries. If this were not
a legitimate and genuine purpose, and as many think, the NSA can read DES,
why bother otherwise?

Rational responses preferred to conspiracy theories, thanks.

David
-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
Document_id: 15935
From: strnlght@netcom.com (David Sternlight)
Subject: Re: clipper serial numbers need 2nd court order?

In article <1993Apr23.051005.28404@Princeton.EDU> mg@cs.princeton.edu (Michael Golan) writes:
>something that no one has discussed yet (or I missed it):
>
>The FBI sets up a wiretap AFTER the court order was handed. 
>Only at this point they can access the line and detect 
>the serial number N.
>
>What happens next, does the FBI simply asks for the keys
>for N, and, since a warrant was issued for the line, the FBI 
>simply gets it? What if multiple phones are used from the
>same house, the FBI just asks for N1, N2, etc.?
>
>Exactly who is to prevent the FBI from claiming some
>other serial number, X, was also used over the wiretapped 
>line and get the keys for X? 
>
>Either a second court order (for the specific serial/key)
>is required (and I have seen no indication of this), or
>the FBI can effectively ask for any pair of keys at any
>time, so the escrow key holders are a total fake.
>

Two safeguards:

1. The FBI could be asked to produce the law enforcement block to the escrow
agencies, and associate it with a particular court order;

2. If the thing comes to trial the defense attorneys can probe this issue
closely. It is not too different from proving that the speaker on a legal
wiretap is the person the court order covered.

Putting it another way, this question is not very different from the
pre-clipper question "What's to prevent the FBI from getting a court order
to tap Al Capone and then using it to tap Jonathan Livingstone Seagull
instead?"

David
-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
Document_id: 15936
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Once they get your keys....

In article <tcmayC5z3yE.F38@netcom.com> tcmay@netcom.com (Timothy C. May)
writes:

>(alt.security.clipper added, to keep them informed of this issue)
>
>
>David Sternlight (strnlght@netcom.com) wrote:
>....
>: The proposal could be modified so that if they get a court order to tap you
>: and don't charge you with a crime within, say, 90 days, they have to buy you
>: a new phone.
>: 
>: If they do charge you, and you are found innocent, they have to buy you a
>: new phone.
>: 
>: :-)
>
>Yes, but will they buy you a ticket on a time machine to allow you to
>go back and use the phone with the new key instead of the phone whose
>key they obtained?
>
>It is unclear whether obtaining the key at time 0 also unlocks
>messages recorded (by whomever) at earlier times. The announcement was
>silent on this. The betting seems to be that once your key has been
>obtained (by the authorities, by divorce lawyers, by the Mafia, by the
>FBI, by lost or stolen backup tapes, by the NSA, etc.). all previous
>conversations are unsecure. (Session keys are negotiated, but knowing
>the private key is believed by many commentators here to break the
>security. No doubt more details will emerge.)
>

Doesn't matter if we assume they are obeying the law, since they won't have
had a court order to tap calls prior to the date of the court order, and
thus won't have them available.

If they aren't obeying the law, we are in an entirely different discussion,
in which this is the least of one's worries.

David
-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
Document_id: 15937
From: C445585@mizzou1.missouri.edu (John Kelsey)
Subject: Re: Once they get your keys....

>In article <930424031634.176183@DOCKMASTER.NCSC.MIL> Grant@DOCKMASTER.NCSC.MIL (Lynn R Grant) writes:
>
>About 50 people so far have asked, "Once the FBI gets your Clipper keys,
>won't they be able to read all your future and past traffic?"
>
>There has been no response from NIST, NSA, Ms. Denning, Mr. Hellman, or
>anyone else who might be able to give us an authoritative answer.
>This is troubling.
 
   It was implied in the first technical posting by Dorothy Denning that the
FBI would do the decryption *for* the law enforcement agencies.  It wasn't
clear to me from the post whether this would be done in realtime or not, or
whether the FBI would just decrypt the session keys for the locals, or would
do the whole message.
 
   One thing I'm a bit puzzled by:  Why aren't they doing this with a public
key scheme of some sort?  You could generate two unique public/private pairs
for each chip.  Then, escrow the private keys with the escrow agencies.  Set
the protocol up to encrypt the session key with both public keys.  To decrypt
a message, both escrow agencies (in the right order, for most PK schemes)
have to decrypt with the escrowed private key.  This way, there wouldn't be
the concern that, once the police had asked for a warrant/wiretap, they
would have your key forever.
 
   --John Kelsey

Newsgroup: sci.crypt
Document_id: 15938
From: gardner@convex.com (Steve Gardner)
Subject: Re: What would happen if export restrictions violated?

In article <Apr23.215306.83257@yuma.ACNS.ColoState.EDU> holland@CS.ColoState.EDU (douglas craig holland) writes:
>
>At this point, what kind of trouble
>could I get into if I ignored the ITAR and sold my program to international
>customers anyway?
	I'm not sure it has been established that the government can
	prevent you from sending an algorithm abroad.  The NSA seems
	to have won by intimidation so far.  Why don't you try it? ;-)
	Of course you could just distribute your algorithm widely for
	free and screw them up big time.  (That would be my approach ;-))


						smg

Newsgroup: sci.crypt
Document_id: 15939
From: pat@rwing.UUCP (Pat Myrto)
Subject: Re: Overreacting (was Re: Once tapped, your code is no good any more)

In article <4fplPDH0BwwbEDweNJ@transarc.com> Lyle_Seaman@transarc.com writes:
<jhan@debra.dgbt.doc.ca (Jerry Han) writes:
<> Somebody asked me what was wrong about overreacting in cases such as this.
<
<That was probably me.
<I meant only that nobody has overreacted yet.  It seemed to me that
<Jerry was suggesting that people are currently overreacting, and I 
<vehemently disagree.  I see a lot of talk, but not much action.
<I see now that I misunderstood Jerry's position.
<
<> The reason is very simple:  How many people do you want to die in a riot? 
<> In a new Civil War? 
<>
<> Everybody is jumping up and down and screaming about it, and I'm worried
<> that people are going to reach for their hammers and rifles before their pens
<> and paper.  
<
<Not this bunch.  They'll just bitch on the Net for a while, and 
<then go back to lurking.
<
<> Can people work within the system before trying to break it?  Examine your
<> history books, and find out how many armed revolutions led to Democratic
<> (or Democratic style) governments.  I think you'll only find one in over
<> five thousand years of written history.
<
<Actually, it's not quite that bad, but it's close.

I think everyone would just as soon work within the system.  The presence
of the POSSIBILITY of using the bullet box instead of the ballot box
is supposed to be a deterrent - by keeping the price of massive abuse
unacceptable.  However, governments being what they are, sure would
like to REMOVE that deterrence, which will make the need for armed
citizens all the more great (you don't need 'em till you don't have 'em).
Then I think we can be more accurately called 'subjects' instead of
'citizens'.  The idea of the people being sovereign over the government
is sure not in vogue in the Beltway these days, that is for sure...
The Administration is saying "We know best.  We will tell you what
you need, or don't need..."  "After all, that old-fashioned anachronism
called the Bill of Rights is not needed in these 'enlightened times'..."

<Look, we (collectively) have the power to throw the bums out, but we
<don't use it.  We clearly don't need to go burning things down, but we

Not if the government has its way:  There are EIGHT bills before Congress
that will either ban, tax exorbitantly, or register all useful weapons
in the hands of the unconnected US subject.   Can you say $200.00 just
for a box of cartridges for practice?  One of the current Administration's
top priority items is to disarm all who are not well-connected, or that
work for the government.

<clearly do need to throw at least some of the bums out.
<Unfortunately, the bums have learned to target only small groups of
<people at a single time, so the masses won't react and throw them out.
<Eventually, the masses will react, unless the bums cease their
<relentless encroachment on liberty and despoilment of the economy.
<The sooner it happens, the less the damages will be.  I don't want to
<live in a war zone, either -- I want to see the bums thrown out before
<they do some *real* damage.

Another tactic is to toss out so many outrages at once that nobody can
give justice to them all.  Like is being done RIGHT NOW.

<Lyle		Transarc		707 Grant Street
<412 338 4474	The Gulf Tower		Pittsburgh 15219


-- 
pat@rwing.uucp      [Without prejudice UCC 1-207]     (Pat Myrto) Seattle, WA
         If all else fails, try:       ...!uunet!pilchuck!rwing!pat
WISDOM: "Only two things are infinite; the universe and human stupidity,
         and I am not sure about the former."              - Albert Einstein

Newsgroup: sci.crypt
Document_id: 15940
From: jim@rand.org (Jim Gillogly)
Subject: Re: Clipper considered harmful

Steve Bellovin writes a well-thought-out and nearly persuasive article about
why the Clipper (are we still calling it Clipper today, or have they figured
out a non-infringing word yet?) protocol is almost as good as one can do
given their marching orders.

In article <1993Apr24.160121.17189@ulysses.att.com> smb@research.att.com (Steven Bellovin) writes:
>         I issue this invitation:  assume that you were charged with
>implementing such a system, with complete regard for civil rights and
>due process.  What would you do differently?  In answering this
>question, please accept NSA's fundamental assumptions:  that both
>strong cryptography against outsiders, and the ability to wiretap
>*some* domestic users, is necessary.

I'll accept the second assumption only for the sake of argument.  In my
view the primary remaining flaw is that the encryption algorithm is
secret, leading to suspicion that there is a back door.  Without complete
disclosure this suspicion cannot be dispelled, no matter how many trusted
experts are allowed to look at it in isolation.

Is it possible to do this whole thing with a public algorithm?  The only
concern I've seen with making Skipjack public is that someone could build
Clipperphones without registering the keys.  Assume F can really be kept
secret as the Government assumes.  Then as part of the initial connection,
a Clipperphone executes a protocol with the Pseudophone to demonstrate
that they both know F.  For example, the initiating phone picks a number Q
and sends E[Q; F].  The receiver sends back E[Q+1; F], and the initiator
sends back E[Q+2; F] to demonstrate that her first packet wasn't just a
random 64-bit block.  Repeat in the opposite direction with another Q so
it can't be defeated by somebody building up a library of sequential
numbers by remembering responses and using those responses as the initial
numbers of subsequent challenges.  This way Clipperphones will talk only
to other Clipperphones.  Of course the Pseudo Company can build their own
proprietary Skipjack phone, but the Presidential Fact Sheet implies that
they won't get approval for it without equivalent key escrow.

What's wrong with this picture?  It depends on F staying secret and on
Skipjack being resistant to cryptanalysis, but the Government appears to
believe in both of these.  Even if the particular Q&A I suggest has some
flaw, I imagine there's a zero-knowledge-proof protocol that doesn't.

smb says:
>The third, and most serious issue, is whether or not Clipper is a good
>idea even if carried out strictly according to the letter of the law.

Agreed.  My view, and you can quote me: if it's not worth doing, it's
not worth doing well.
-- 
	Jim Gillogly
	Hevensday, 3 Thrimidge S.R. 1993, 20:48
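
Gillogly's challenge-response above, as an added example that is not part of the original post: two endpoints prove knowledge of the family key F by exchanging E[Q;F], E[Q+1;F] and E[Q+2;F], and the exchange is then repeated in the other direction with a fresh Q, as the post suggests. Skipjack is secret, so a toy 64-bit Feistel cipher built from HMAC-SHA256 stands in for E; the cipher, the class and the function names are my assumptions, not anything from the Clipper proposal.

```python
import hashlib
import hmac
import secrets

MASK64 = (1 << 64) - 1


def _round_function(key: bytes, rnd: int, half: int) -> int:
    """HMAC-SHA256 keyed with F as the Feistel round function (32-bit output)."""
    msg = bytes([rnd]) + half.to_bytes(4, "big")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:4], "big")


def encrypt_block(key: bytes, block: int, rounds: int = 8) -> int:
    """Toy 64-bit Feistel cipher: E[block; key].  Stands in for Skipjack only."""
    left, right = block >> 32, block & 0xFFFFFFFF
    for rnd in range(rounds):
        left, right = right, left ^ _round_function(key, rnd, right)
    return (right << 32) | left          # final swap makes the network invertible


def decrypt_block(key: bytes, block: int, rounds: int = 8) -> int:
    """Inverse of encrypt_block: the same network with the rounds reversed."""
    left, right = block >> 32, block & 0xFFFFFFFF
    for rnd in reversed(range(rounds)):
        left, right = right, left ^ _round_function(key, rnd, right)
    return (right << 32) | left


class Phone:
    """An endpoint holding a family key.  Only a genuine Clipperphone holds F."""

    def __init__(self, family_key: bytes):
        self._f = family_key

    def challenge(self):
        """Step 1: pick a fresh 64-bit Q and send E[Q; F]."""
        q = secrets.randbits(64)
        return q, encrypt_block(self._f, q)

    def respond(self, c1: int) -> int:
        """Step 2: recover Q from E[Q; F] and answer with E[Q+1; F]."""
        q = decrypt_block(self._f, c1)
        return encrypt_block(self._f, (q + 1) & MASK64)

    def confirm(self, q: int, c2: int):
        """Step 3: check the answer, then send E[Q+2; F] to show that the first
        packet was not just a random 64-bit block.  None means the peer failed."""
        if decrypt_block(self._f, c2) != (q + 1) & MASK64:
            return None
        return encrypt_block(self._f, (q + 2) & MASK64)

    def verify_confirmation(self, c1: int, c3: int) -> bool:
        q = decrypt_block(self._f, c1)
        return decrypt_block(self._f, c3) == (q + 2) & MASK64


def one_direction(initiator: Phone, responder: Phone) -> bool:
    q, c1 = initiator.challenge()
    c2 = responder.respond(c1)
    c3 = initiator.confirm(q, c2)
    return c3 is not None and responder.verify_confirmation(c1, c3)


def mutual_handshake(a: Phone, b: Phone) -> bool:
    """Run the exchange in both directions, each with its own fresh Q, so that a
    replayed answer from an earlier run cannot serve as a new challenge."""
    return one_direction(a, b) and one_direction(b, a)
```

`mutual_handshake(a, b)` returns True only when both phones hold the same F; an endpoint without F fails whichever side it plays, and the two fresh Q values are what keeps a recorded response from being reused as a later challenge.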

Newsgroup: sci.crypt
Document_id: 15941
From: steve-b@access.digex.com (Steve Brinich)
Subject: How To Escrow, If Escrowing Were OK

  There is a description of something called a "fair crypto system" in the
May 1993 issue of BYTE, p. 134, attributed to MIT professor Silvio Micali.

  The way it works is as follows:

  You generate your private key S, and break it up into pieces s1, s2, s3,
s4, and s5, such that (s1 + s2 + ... + s5) mod p = S.
  You give each piece s1, s2, etc. to a different escrow agency.
  The agencies each compute g^sn mod p, and forward the result to the public
key telephone book keeper.
  The public key telephone book keeper multiplies all the g^sn mod p, reduces
the result to mod p, and this will be the user's public key.

  Now, if there were several hundred recognized escrow agencies, and the user
could give a piece of the key to each of the ones he trusted, the result would
be something of an improvement over the proposed Clipper system.

  I still don't think key escrow is a good idea, for both philosophical and
security reasons, but I do offer this suggestion simply to determine whether
escrow advocates are at all interested in considering alternatives in good
faith, or whether the goal is to insure the use of only two agencies selected
for spinelessness in the face of official requests.
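
The key split described above, as an added example (mine, not code from the BYTE article or from Micali). The post writes the sum of the pieces mod p; this example reduces the pieces modulo p-1, the order of Z_p^*, because that is the modulus under which exponents of g combine, and it uses p = 2^255-19 with g = 2 as a constructed group. The function names are my own.

```python
import secrets

# Constructed group parameters: p is prime, so every g in Z_p^* satisfies
# g^(p-1) = 1, and additive shares of the exponent combine modulo p - 1.
P = 2**255 - 19
G = 2
ORDER = P - 1


def split_private_key(S: int, n: int) -> list:
    """Split S into n pieces with (s1 + ... + sn) mod ORDER == S."""
    shares = [secrets.randbelow(ORDER) for _ in range(n - 1)]
    shares.append((S - sum(shares)) % ORDER)
    return shares


def agency_commitment(share: int) -> int:
    """What each escrow agency forwards to the keeper: g^s_i mod p."""
    return pow(G, share, P)


def assemble_public_key(commitments: list) -> int:
    """The telephone-book keeper multiplies all g^s_i mod p."""
    y = 1
    for c in commitments:
        y = (y * c) % P
    return y


def keeper_accepts(claimed_public_key: int, commitments: list) -> bool:
    """The keeper lists a public key only if the escrowed pieces multiply to it,
    so a user cannot escrow pieces that add up to some other key."""
    return assemble_public_key(commitments) == claimed_public_key


def reconstruct_private_key(shares: list) -> int:
    """Only with every piece (e.g., under a warrant) is S recovered."""
    return sum(shares) % ORDER


def demo(n_agencies: int = 5) -> bool:
    S = secrets.randbelow(ORDER)
    public_key = pow(G, S, P)
    shares = split_private_key(S, n_agencies)
    commitments = [agency_commitment(s) for s in shares]
    honest = keeper_accepts(public_key, commitments)
    # A user who hands the agencies pieces that do not add up to S is rejected.
    bad_shares = shares[:-1] + [(shares[-1] + 1) % ORDER]
    cheat = keeper_accepts(public_key, [agency_commitment(s) for s in bad_shares])
    return honest and not cheat and reconstruct_private_key(shares) == S
```

Note that this is an n-of-n split: the keeper can verify that every agency holds a genuine piece without learning any of them, but recovery needs all n pieces, so any single agency that refuses to release its piece blocks recovery.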

Newsgroup: sci.crypt
Document_id: 15942
From: steve-b@access.digex.com (Steve Brinich)
Subject: Re: Clipper considered harmful [Restated and amplified]

 > If the crooks use an innocent person's clipper phone on the tapped line
 >there's no problem. The Feds don't care whose phone instrument is used, just
 >that the conversation is by the suspect on the tapped line. They get the
 >serial number, get the keys, and they are in business.

  So, you admit that Clipper opens the doors wide for the following scenario:

  FEDS: We need the keys to Joe Blow's phone.

  ESCROW AGENT: Joe Blow?  You have a warrant to tap his line?

  FEDS: Well, no, but we have a warrant to tap Carlos "Slime-Devil" Gonzales'
     line, and our tap shows that Mr. Gonzales is using Mr. Blow's phone.

  ESCROW AGENT: Well, OK....

Newsgroup: sci.crypt
Document_id: 15943
From: steve-b@access.digex.com (Steve Brinich)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

 > Though I think this an overstatement, it does contain a grain of truth. It's
 >drug dealers, spies, terrorists, and organized crime figures (assuming
 >enough probable cause to convince a judge) who need to be watched, not
 >law-abiding citizens.

  Don't tell me; tell the Feds.  They, not I, need to get a clue about this.

Newsgroup: sci.crypt
Document_id: 15944
From: bzs@world.std.com (Barry Shein)
Subject: Re: Clipper considered harmful [Restated and amplified]


>If the crooks use an innocent person's clipper phone on the tapped line
>there's no problem. The Feds don't care whose phone instrument is used, just
>that the conversation is by the suspect on the tapped line. They get the
>serial number, get the keys, and they are in business.
>
>No clipper chip to person association is ever needed.

Yeah, but who wants to start a pool on the first person arrested
mistakenly and has their life turned upside-down because some law
enforcement agency *does* make a chip::person association?

I wonder if there are any plans to keep these records (e.g. encode the
serial number into the UPC scanned at K-Mart along with the credit
card info, voila.)

At least your phone number tends to only locate to your house or
whatever (i.e. to be coming from your telephone number the person
likely is in your house etc.), plus or minus some shenanigans of
course.

But I'd hate to think of these guys getting the clipper id, recording
the conversation, then doing a quick cross-lookup and your name comes
up as owner of that id (mistakenly, maybe you sold the phone at a
garage sale or the phone was stolen from your car or whatever.) They
might only know who one side of the conversation is, for example.

Anyone who thinks the govt is forbidden by law to cross-correlate such
databases loses two points. First, law enforcement agencies can of
course do this. Second, they're only forbidden from BUDGETING any
money for it. The IRS, for example, does do this anyhow. They just
don't spend any money on it so it's (technically) legal I guess.

Instead they probably trade little favors with companies like
mastercard (if you're the IRS I'll bet you have a *lot* of
opportunities to trade favors with major corps for their databases.)

I know, an IRS guy read an amazing list off to me (from his screen, I
could hear him typing to pull up each screen) once on the phone during
a dispute I had with them (to intimidate me, actually, not much of a
dispute, I didn't particularly disagree, but for some reason this
fellow wanted to play tough guy with me, I hope he's better now.)

Amazing stuff he had at his finger tips. Be afraid.

-- 
        -Barry Shein

Software Tool & Die    | bzs@world.std.com          | uunet!world!bzs
Purveyors to the Trade | Voice: 617-739-0202        | Login: 617-739-WRLD

Newsgroup: sci.crypt
Document_id: 15945
From: "Jon C. R. Bennett" <jb7m+@andrew.cmu.edu>
Subject: Re: Clipper considered harmful [Restated and amplified]



strnlght@netcom.com (David Sternlight) writes:
> If the crooks use an innocent person's clipper phone on the tapped line
> there's no problem. The Feds don't care whose phone instrument is used, just
> that the conversation is by the suspect on the tapped line. They get the
> serial number, get the keys, and they are in business.
> 
> No clipper chip to person association is ever needed.

cellular phones...........


jon

Newsgroup: sci.crypt
Document_id: 15946
From: caronni@nessie.cs.id.ethz.ch (Germano Caronni)
Subject: Re: Once they get your keys....

In article <tcmayC5z3yE.F38@netcom.com> tcmay@netcom.com (Timothy C. May) writes:
>It is unclear whether obtaining the key at time 0 also unlocks
>messages recorded (by whomever) at earlier times. The announcement was
>silent on this. The betting seems to be that once your key has been
>obtained (by the authorities, by divorce lawyers, by the Mafia, by the
>FBI, by lost or stolen backup tapes, by the NSA, etc.). all previous
>conversations are unsecure. (Session keys are negotiated, but knowing
>the private key is believed by many commentators here to break the
>security. No doubt more details will emerge.)

It is completely clear. You have to assume that each byte that was encrypted
by this 'Clipper Chip' has been compromised. 
Some people wondered, why Denning, Hellman and others did not respond,
when asked what would be done about such compromised phones, or if
compromise could not be restricted in time. (I did too) Let us just assume
that a) They do not know and b) Those who know don't tell and c)
They do not care. It seems to be an 'Other Person's Problem' ...

 gec
-- 
Instruments register only through things they're designed to register.
Space still contains infinite unknowns.
                                                              PGP-Key-ID:341027
Germano Caronni caronni@nessie.cs.id.ethz.ch   FD560CCF586F3DA747EA3C94DD01720F

Newsgroup: sci.crypt
Document_id: 15947
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: Re: Do we need the clipper for cheap security?

pdc@dcs.ed.ac.uk (Paul Crowley) writes:
>How fast do the fastest modems go?

The Shannon limit for voice lines is likely somewhere around 25kbps.
We are rapidly approaching it. The fastest affordable full-duplex
modems currently on the market are V32bis, which is 14400bps.

>How far can voice be compressed?

CELP manages to sound decent at 4800 bps.

In theory, if you built a speech recognition system that turned voice
into ASCII, and a perfect synthesis system on the other end that
sounded just like the person you were speaking to, you could get it
down to the information content of the speech.

With various kinds of LPC, you can get it down to 2400 bps or perhaps
even less, at which point it sounds horrible.

4800 bps is more than adequate for our purposes.

--
Perry Metzger		pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
Document_id: 15948
From: johnf@uhheph.phys.hawaii.edu (John Flanagan)
Subject: Re: The [secret] source of that announcement

In article <C5x2xs.EF0@lerami.lerctr.org> merlin@lerami.lerctr.org
(David Hayes) writes:
>
>This company routinely sent most of the manufacturing data to the field 
>offices. The Japanese had simply intercepted it. So my friend, the computer
>systems admin, came up with a solution. He started sending the data out
>double-block-encrypted with DES. 
>
>Two days after this new distribution plan was implemented, the president of
>the company got a visit from a pair of government agents. They told him to
>"knock it off". The president gave in, since his company did a considerable
>business with the federal government.
>
>Now, if the government wasn't monitoring the communications, how would they
>even know that the encryption system was installed?

How can you be sure the two visitors were really government agents?
:-)

--John
-- 
John Flanagan                          ||"I believe in my theories,    
johnf@uhheph.phys.hawaii.edu           || they give me a feeling of    
U. of Hawaii, Dept. of Physics & Astro.|| security, and, they inflate  
2505 Correa Rd., Honolulu, HI 96822    || my ego enormously." --A. Abian

Newsgroup: sci.crypt
Document_id: 15949
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: Re: Tempest

whughes@lonestar.utsa.edu (William W. Hughes) writes:
>Hell, just set up a spark jammer, or some other _very_ electrically-noisy
>device.

As I've noted, you can likely get around that with a directional
sensor. Phased array systems could completely defeat this scheme.

--
Perry Metzger		pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
Document_id: 15950
From: feeley@cattell.psych.upenn.edu (Wm. Michael Feeley)
Subject: Clipper and conference calls

Just curious, how would the Clipper Chip system handle
conference calls?

Newsgroup: sci.crypt
Document_id: 15951
From: kingj@hpcc01.corp.hp.com (John C. King)
Subject: Wanted: Riverbank Pub. No. 16

I'm looking for a copy of Friedman's Riverbank Publication No. 16 "Methods
for the Solution of Running-Key Ciphers."  Aegean Park Press tells me that their
publication C-23 "The Riverbank Publications, Volume 1" is out of print.  Can
anyone snail-mail me a photocopy of No. 16?  If someone could it would be much
appreciated.

Regards,

John King
kingj@corp.hp.com

Newsgroup: sci.crypt
Document_id: 15952
From: warlord@MIT.EDU (Derek Atkins)
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks only

In article <strnlghtC5t4D6.Jn8@netcom.com> strnlght@netcom.com (David Sternlight) writes:

   Some countries have laws about importing crypto gear--I believe the U.S.
   does. Without a license the above scheme won't work (at least not legally)
   in such countries, including at least France and the U.S.

   David

BZZT!

Wrong.  The US does NOT have crypto import laws.

-derek
--
  Derek Atkins, MIT '93, Electrical Engineering and Computer Science
     Secretary, MIT Student Information Processing Board (SIPB)
           MIT Media Laboratory, Speech Research Group
           warlord@MIT.EDU       PP-ASEL        N1NWH

Newsgroup: sci.crypt
Document_id: 15953
From: whughes@lonestar.utsa.edu (William W. Hughes)
Subject: Re: Tempest

In article <1993Apr24.233742.26839@lehman.com> pmetzger@snark.shearson.com (Perry E. Metzger) writes:
>whughes@lonestar.utsa.edu (William W. Hughes) writes:
>>Hell, just set up a spark jammer, or some other _very_ electrically-noisy
>>device.
>
>As I've noted, you can likely get around that with a directional
>sensor. Phased array systems could completely defeat this scheme.

True, but the basic idea behind any communications security system is not
to absolutely deny access, but to make access more expensive (in time,
money, manpower) than it is worth.

-- 
                            REMEMBER WACO!
     Who will the government decide to murder next? Maybe you?
[Opinions are mine; I don't care if you blame the University or the State.]

Newsgroup: sci.crypt
Document_id: 15954
From: mbeckman@mbeckman.mbeckman.com (Mel Beckman)
Subject: Re: Once tapped, your code is no good any more.


In article <strnlghtC5wHo2.1FK@netcom.com> (sci.crypt,alt.security,comp.org.ieee), strnlght@netcom.com (David Sternlight) writes:
> Maybe so, but it's quite common. There are millions of Macintosh users who
> have no idea what's in Apple's patented ROMs. Many have modems connected.
> How do you know all your business secrets aren't being stolen? Answer:
> 1. Because you trust Apple;
> 2. Because if any such attempt, however sophisticated, came out, it would
> destroy Apple's credibility forever.
> 

David,

   Neither (1) nor (2) applies with the government, though. The feds, unlike
Apple, have repeatedly demonstrated that trust is an unsafe thread on which
to hang your freedom. Why?  Because unlike Apple in (2), the govt has no
credibility to lose. I'm serious about this. One can name just about any
agency -- the IRS, RTC, FCC, FAA, FBI, NSA, CIA -- and find numerous examples
of the public trust run roughshod over. Worse, one can rarely find in such 
examples any serious consequences to the offending agency. Even supposing
we could get a rein on trust somehow, there's always the matter of competence
in govt agencies. Can they even trust themselves?

  -mel

  P.S. I was amused when you mentioned the USDA as an example of an agency
capable of managing an escrow. I'm a consultant to the USDA, and while those
*I* work with are wonderful <grin>, the agency itself is ranked in industry
publications such as Govt Computer News as one of the worst caretakers of
its computer resources. Recently, Prime Time Live did a long segment on
the USDA's computer troubles. They are making a concerted effort to change,
but intentions don't make a track record.

________________________________________________________________________
| Mel beckman                  |   Internet: mbeckman@mbeckman.com     |
| Beckman Software Engineering | Compuserve: 75226,2257                |
| Ventura, CA 93003            |  Voice/fax: 805/647-1641 805/647-3125 |
|______________________________|_______________________________________|
 "You can observe a lot just by watching."  -Yogi Bera

Newsgroup: sci.crypt
Document_id: 15955
From: jhesse@netcom.com (John Hesse)
Subject: Re: Fighting the Clipper Initiative

In article <strnlghtC5toC6.KIu@netcom.com> strnlght@netcom.com (David Sternlight) writes:
>>
>
>er, excuse me but since the escrow agencies aren't yet chosen, how can you
>say they have a "history of untrustworthy behavoir[sic]"?
>
>I'm sure each of us can think of agencies without such a history. Price
>Waterhouse has kept the secret of the Academy Awards for many years, even in
>

Damn, you're dead right! That pretty much settles it. Not to worry.

-- 
------------------------------------------------------------------------------
John Hesse           |          A man,     
jhesse@netcom.com    |                 a plan, 
Moss Beach, Calif    |                         a canal, Bob.
------------------------------------------------------------------------------

Newsgroup: sci.crypt
Document_id: 15956
From: rogue@ccs.northeastern.edu (Free Radical)
Subject: Re: Clipper considered harmful [Restated and amplified]

In article <1rcboi$j4a@access.digex.net> steve-b@access.digex.com
(Steve Brinich) writes: 
[...]
>  FEDS: We need the keys to Joe Blow's phone.
>
>  ESCROW AGENT: Joe Blow?  You have a warrant to tap his line?
>
>  FEDS: Well, no, but we have a warrant to tap Carlos "Slime-Devil" Gonzales'
>     line, and our tap shows that Mr. Gonzales is using Mr. Blow's phone.
>
>  ESCROW AGENT: Well, OK....

No no no no no no no.

It will go like this:

FEDS: We need the key to phone 334RE67D99.

ESCROW: You have a warrant to tap the line phone 334RE67D99 is on?

FEDS: Yes.

ESCROW: Fine, here is our key.

What happens is, Feds tap a line; find Clipper is being used; extract
serial number; get key; decipher convo.  The serial number is never
registered to a specific owner, it is _sent_ as part of the
conversation.  If I give you my Clipper phone, you do not need to
re-register it (mainly because it was never 'registered' to me in the
first place).

There are a lot of things that bother me about Clipper, but this is
not one of them.  Let's get our facts straight and not waste effort
demolishing straw men.

	RA

rogue@cs.neu.edu (Rogue Agent/SoD!)
-----------------------------------
The NSA is now funding research not only in cryptography, but in all areas
of advanced mathematics. If you'd like a circular describing these new
research opportunities, just pick up your phone, call your mother, and
ask for one.

Newsgroup: sci.crypt
Document_id: 15957
From: smb@research.att.com (Steven Bellovin)
Subject: Re: Clipper considered harmful

In article <WCS.93Apr21204048@rainier.ATT.COM>, wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705) writes:
> On the other hand, I can easily see them recording the traffic for
> "interesting" people, such as dissidents, suspected criminals,
> foreign telephone calls, and anybody noticed using encryption.
> As Ken Shiriff speculates, recording encrypted traffic will probably
> be judged not to be an invasion of privacy pretty soon ....

As I read the current wiretap law, it would not be legal now.  On the
other hand, assuming a legislative change, recording but not decrypting
Clipper conversations would probably be found constitutional by the Supreme
Court, using the same reasoning (or the lack thereof...) by which they
permit random roadblocks to check for drunk drivers.

Incidentally, if we use that as our model, the Court will likely not
uphold selective recording.  (On the other hand, I don't think they've
thrown out ``drug courier profiles'' yet.  Must be that exception to
the Fourth Amendment that I can never find in my copy of the Bill of
Rights.)

A lot -- and I mean a *lot* -- will depend on exactly how Clippertaps
(or Tipperclaps, for encrypted music?) are used.  Don Alvarez showed in
the latest RISKS digest that it's possible to prevent the cops from
reading traffic after their warrant expires.

That is -- the cops send the LEF to the F-holder.  The F-holder strips
off F, and sends U[K],N to the escrow agents.  They send either U or K
to the cops.  (Don says U, I say K.)  The cops can't use U in the
future, because they can't strip off F.  The F-holder never sees U.  In
Don's model, the escrow agents can't read the traffic, because they
don't have K; in my model, they have K, but not the message itself.
And I trust that more because I think the cops and the FBI (the
F-holder) are more likely to collaborate on breaking the rules.  The
net result is that by involving the F-holder and the escrow agents on
every tap, we can avoid extending permission to tap.
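
Bellovin's flow above, as an added example (mine, not from the post or from any Clipper specification): the phone emits a LEF that is U[K] and the serial N wrapped under F, the F-holder strips F and learns only N and U[K], the escrow agents look up U by N and release either K (smb's model) or U (Don's model), and the cops never obtain F. The LEF layout, the nonces, and an HMAC-SHA256 keystream standing in for the cipher are my assumptions.

```python
import hashlib
import hmac
import secrets

SERIAL_LEN = 4   # N, the chip serial number
NONCE_LEN = 8    # per-use nonce carried in front of each sealed layer


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand HMAC-SHA256(key, nonce || counter) into a keystream (toy cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call undoes it.  Stands in for Skipjack."""
    return bytes(x ^ y for x, y in zip(data, _keystream(key, nonce, len(data))))


class Phone:
    """Knows its serial N, its unit key U and the family key F."""

    def __init__(self, serial: bytes, unit_key: bytes, family_key: bytes):
        self.n, self.u, self.f = serial, unit_key, family_key

    def start_session(self, plaintext: bytes):
        """Fresh session key K; returns (LEF = F[N, U[K]], traffic = K[plaintext])."""
        k = secrets.token_bytes(16)
        nu = secrets.token_bytes(NONCE_LEN)
        u_of_k = nu + seal(self.u, nu, k)                 # U[K]
        nf = secrets.token_bytes(NONCE_LEN)
        lef = nf + seal(self.f, nf, self.n + u_of_k)      # outer layer under F
        nt = secrets.token_bytes(NONCE_LEN)
        return lef, nt + seal(k, nt, plaintext)


class FHolder:
    """Holds F only.  Learns N and U[K] from a LEF, never U or K."""

    def __init__(self, family_key: bytes):
        self.f = family_key

    def strip(self, lef: bytes):
        inner = seal(self.f, lef[:NONCE_LEN], lef[NONCE_LEN:])
        return inner[:SERIAL_LEN], inner[SERIAL_LEN:]     # (N, U[K])


class EscrowAgents:
    """Hold unit keys by serial.  Release K (smb's model) or U (Don's model)."""

    def __init__(self, unit_keys: dict, release: str = "K"):
        self.unit_keys, self.release, self.log = unit_keys, release, []

    def answer(self, serial: bytes, u_of_k: bytes) -> bytes:
        u = self.unit_keys[serial]
        self.log.append(serial)                           # every tap is recorded
        if self.release == "U":
            return u
        return seal(u, u_of_k[:NONCE_LEN], u_of_k[NONCE_LEN:])   # K


def obtain_session_key(lef: bytes, fholder: FHolder, escrow: EscrowAgents) -> bytes:
    """One warranted tap: cops -> F-holder -> escrow agents -> cops; yields K."""
    serial, u_of_k = fholder.strip(lef)
    released = escrow.answer(serial, u_of_k)
    if escrow.release == "U":
        return seal(released, u_of_k[:NONCE_LEN], u_of_k[NONCE_LEN:])
    return released


def read_traffic(k: bytes, traffic: bytes) -> bytes:
    return seal(k, traffic[:NONCE_LEN], traffic[NONCE_LEN:])


def demo(release: str = "K") -> bool:
    """Two calls from one phone: the K obtained for call 1 does not open call 2,
    and each call's tap leaves its own entry with the escrow agents."""
    family_key = b"family-key-F"                          # constructed sample keys
    phone = Phone(b"\x00\x00\x12\x34", b"unit-key-1234", family_key)
    fholder, escrow = FHolder(family_key), EscrowAgents({phone.n: phone.u}, release)
    msg1, msg2 = b"call one, inside the warrant", b"call two, after it expired"
    lef1, traffic1 = phone.start_session(msg1)
    lef2, traffic2 = phone.start_session(msg2)
    k1 = obtain_session_key(lef1, fholder, escrow)
    reads_call1 = read_traffic(k1, traffic1) == msg1
    stale_fails = read_traffic(k1, traffic2) != msg2      # new call, new K
    k2 = obtain_session_key(lef2, fholder, escrow)
    reads_call2 = read_traffic(k2, traffic2) == msg2
    return reads_call1 and stale_fails and reads_call2 and escrow.log == [phone.n, phone.n]
```

The point the code makes is the one in the post: because the outer layer is under F and F stays with the F-holder, neither the released K nor the released U lets the cops open a later call on their own, so every tap has to pass through both the F-holder and the escrow agents, whose log is the record of it.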

Newsgroup: sci.crypt
Document_id: 15958
From: mbeckman@mbeckman.mbeckman.com (Mel Beckman)
Subject: Re: Suggestions for escrow agencies (was: Re: More technical details)


In article <strnlghtC5yBKA.Dp5@netcom.com> (sci.crypt,alt.privacy.clipper), strnlght@netcom.com (David Sternlight) writes:
> The easiest way is a user fee for each clipper chip manufactured. This makes
> the funding separate from government.
> 
> It also has the neat side property that if the chip doesn't catch on, the
> scheme breaks down, and the government is back to the drawing boards,
> assuming that they haven't prohibited alternatives in the meantime.
> 
> In fact, maybe this should be part of the "official" system. Before the
> government is allowed to move this past the "experimental" stage, they
> should have to demonstrate economic viability by mass adoption. 

David,

  While I disagree strongly with you on the issue of our trusting the government,
I think you have a good idea here. There is danger that, with funding coming
from asset forfeitures, the government could continue to promulgate a bad
product in spite of poor acceptance. Making the product pay its way (as
it must for private ventures) would be a good incentive for quality and
listening to us, the ranters. :)

  -mel

________________________________________________________________________
| Mel beckman                  |   Internet: mbeckman@mbeckman.com     |
| Beckman Software Engineering | Compuserve: 75226,2257                |
| Ventura, CA 93003            |  Voice/fax: 805/647-1641 805/647-3125 |
|______________________________|_______________________________________|
 "You can observe a lot just by watching."  -Yogi Bera

Newsgroup: sci.crypt
Document_id: 15959
From: mbeckman@mbeckman.mbeckman.com (Mel Beckman)
Subject: Re: Wiretapping reality today


In article <strnlghtC5z0KA.B9u@netcom.com> (sci.crypt), strnlght@netcom.com (David Sternlight) writes:
> You should read the history. It was Hoover who stopped Nixon's COINTELPRO
> dead in its tracks because he said it was unconstitutional. They tried to
> get around him every way they could.
> 

Unfortunately, Hoover thought himself above the constitution, whatever he
considered the limits others should obey. He ruthlessly invaded the privacy
of many private and public citizens. 

  -mel

________________________________________________________________________
| Mel beckman                  |   Internet: mbeckman@mbeckman.com     |
| Beckman Software Engineering | Compuserve: 75226,2257                |
| Ventura, CA 93003            |  Voice/fax: 805/647-1641 805/647-3125 |
|______________________________|_______________________________________|
 "You can observe a lot just by watching."  -Yogi Bera

Newsgroup: sci.crypt
Document_id: 15960
From: holland@CS.ColoState.EDU (douglas craig holland)
Subject: Re: Tempest

In article <1993Apr25.024032.26935@ringer.cs.utsa.edu> whughes@lonestar.utsa.edu (William W. Hughes) writes:
>In article <1993Apr24.233742.26839@lehman.com> pmetzger@snark.shearson.com (Perry E. Metzger) writes:
>>whughes@lonestar.utsa.edu (William W. Hughes) writes:
>>>Hell, just set up a spark jammer, or some other _very_ electrically-noisy
>>>device.
>>
>>As I've noted, you can likely get around that with a directional
>>sensor. Phased array systems could completely defeat this scheme.
>
>True, but the basic idea behind any communications security system is not
>to absolutely deny access, but to make access more expensive (in time,
>money, manpower) than it is worth.
>
Another idea: Use a laptop computer.  As mentioned earlier, the LCD screen
is a lot less noisy than a standard CRT, but since many laptops have power
supplies that run at 3 volts instead of 5, they would be considerably 
quieter.

Doug Holland


-- 
|  Doug Holland                | Anyone who tries to take away my freedom  |
|  holland@cs.colostate.edu    | of speech will have to pry it from my     |
|  PGP key available by E-mail | cold, dead lips!!                         |

Newsgroup: sci.crypt
Document_id: 15961
From: mg@hart (Michael Golan)
Subject: Re: clipper serial numbers need 2nd court order?

strnlght@netcom.com (David Sternlight) writes:
>Two safeguards:

>1. The FBI could be asked to produce the law enforcement block to the escrow
>agencies, and associate it with a particular court order;

Exactly what would that show?! The "law enforcement block" is easy to
create, given the Government key and any serial number. 

>2. If the thing comes to trial the defense attorneys can probe this issue
>closely. It is not too different from proving that the speaker on a legal
>wiretap is the person the court order covered.

*IF* it comes to trial about the wiretap.... ya, some safeguard that is.
What if they just harass people as a result, or learn things they shouldn't
have learned, etc? 

>Putting it another way, this question is not very different from the
>pre-clipper question "What's to prevent the FBI from getting a court order
>to tap Al Capone and then using it to tap Jonathan Livingstone Seagull
>instead?"

The whole point of the Escrow system is to prevent the FBI from making 
illegal wiretaps. Why not have the FBI hold the
keys and that's it? Why do we need the escrow system at all?

Unless a 3rd party (a judge) verifies that the requested serial number
is "right", and the FBI can get any key they like at anytime, the escrow
system is useless.

-- Michael Golan
   mg@cs.princeon.edu

Newsgroup: sci.crypt
Document_id: 15962
From: rdippold@qualcomm.com (Ron "Asbestos" Dippold)
Subject: Re: Once they get your keys....

strnlght@netcom.com (David Sternlight) writes:
>The proposal could be modified so that if they get a court order to tap you
>and don't charge you with a crime within, say, 90 days, they have to buy you
>a new phone.
>If they do charge you, and you are found innocent, they have to buy you a
>new phone.
>:-)

Yeah, right, and if the ATF trashes your place on a bad tip they have
to pay to repair it, sure.  And if your computer equipment is
confiscated in a raid they have to charge you with a crime within,
say, 90 days.  You're stretching the naivete bit on this one.
-- 
Love:  two minds without a single thought. -- Philip Barry

Newsgroup: sci.crypt
Document_id: 15963
From: zrepachol@cc.curtin.edu.au (Paul Repacholi)
Subject: Re: I have seen the lobby, and it is us

In article <1993Apr22.194121.25386@nynexst.com>, rsilvers@nynexst.com (Robert Silvers) writes:
...
> 	Send something to Rush Limbaugh about Clinton taking away our right
> to privacy and how if the govt. standard takes off, only people with lots
> of money (drug dealers) will be able to justify DES stuff.  He will slam
> Clinton for this on the air.

Well, let's, for a hypothetical, put ourselves in the place of the US end
of the drug rings. What do we do about the Cripple chip? First off, we
would express disapproval to our congress critters, and remind them of the
large sums of money our legitimate co.s provide to their campaign coffers. We
would also let them know via the 'other' channels that a) their income is about
to take a hit, and b) their health may not be too good either.

But just in case, the next obvious step to take is to BUY Mycotoxic and VLSI!
Yeah, free enterprise at work. :-) Now they have the Cripple in their pockets,
literally as well as figuratively. Tough about the masses though.

~Paul


Newsgroup: sci.crypt
Document_id: 15964
From: jhupp@shockwave.win.net (Jeff Hupp)
Subject: PGP Where to get it?

        I am both new to this news group and to the net.
        
        I am fascinated by the things I have heard about the PGP
encryption program.  Does anybody out there know where I might get a
version of this program that runs under Windows 3.1, MS-Dos, Unix
w/source?  As of this writing I have no UNIX access and am running on a
nifty windows implementation of uucico.
        Thanks in advance!
 

_____________________________________________________________________
\Jeff Hupp                      |Internet: jhupp@shockwave.win.net   \
|9797 Medowglen, Apt. 1807      |Ad:    Contract Programming, Novell |
|Houston, Texas  77042          |       Network Design and Support.  |
|Voice: (713) 780 - 9419        |"The best government doesn't" -- me.|
\_____________________________________________________________________\ 

Newsgroup: sci.crypt
Document_id: 15965
From: jhart@agora.rain.com (Jim Hart)
Subject: Dorothy Denning opposes Clipper, Capstone wiretap chips

"The security of the system should depend only on the secrecy of
the keys and not on the secrecy of the algorithms" -- Dorothy Denning

jhart@agora.rain.com

Newsgroup: sci.crypt
Document_id: 15966
From: smb@research.att.com (Steven Bellovin)
Subject: Re: Clipper and conference calls

In article <122723@netnews.upenn.edu>, feeley@cattell.psych.upenn.edu (Wm. Michael Feeley) writes:
> Just curious, how would the Clipper Chip system handle
> conference calls?

It's not Clipper, it's any encryption system.  I've seen a number of
designs; they generally involve a multi-line cleartext bridge.

Newsgroup: sci.crypt
Document_id: 15967
Subject: Re: Tempest
From: pgut1@cs.aukuni.ac.nz (Peter Gutmann)

In <1993Apr22.132638.19448@ringer.cs.utsa.edu> whughes@lonestar.utsa.edu (William W. Hughes) writes:

>Hell, just set up a spark jammer, or some other _very_ electrically-noisy
>device. Or build an active Faraday cage around the room, with a "noise"
>signal piped into it. While these measures will not totally mask the
>emissions of your equipment, they will provide sufficient interference to
>make remote monitoring a chancy proposition, at best. There is, of course,
>the consideration that these measures may (and almost certainly will)
>cause a certain amount of interference in your own systems. It's a matter
>of balancing security versus convenience.

The problem is that this will also cause  "a certain amount of interference"
in *all* systems within the range of the device.  A long time ago I built a
small jammer to dissuade my brother from using his radio alarm clock at 
something like 4am, which had just enough range to cover my room and his.
However something powerful enough to mask all (or at least most) emissions from
your computer equipment is also going to knock out half your neighbourhood's
radio and TV reception.  This isn't going to make you many friends.

Incidentally, an older-model TRS80 makes a fine wideband jammer <grin>

Peter.
--
 pgut1@cs.aukuni.ac.nz||p_gutmann@cs.aukuni.ac.nz||gutmann_p@kosmos.wcc.govt.nz
peterg@kcbbs.gen.nz||peter@nacjack.gen.nz||peter@phlarnschlorpht.nacjack.gen.nz
             (In order of preference - one of 'em's bound to work)
            -- Everything was so different before it all changed --

Newsgroup: sci.crypt
Document_id: 15968
Subject: Re: Crypto papers on the net.
From: pgut1@cs.aukuni.ac.nz (Peter Gutmann)

In <16BB91429.C445585@mizzou1.missouri.edu> C445585@mizzou1.missouri.edu (John Kelsey) writes:

>   I've recently been reading a paper of Merkle's (published only on the
>net, I think) discussing three potential replacements for DES.  Was
>anything ever done with these?  Are Khufu, Khafre, and/or Snefru still
>being discussed anywhere?  (I know Snefru is referenced in the RSA
>FAQ, and I think it may also be in the sci.crypt FAQ.)

The paper was distributed (against the wishes of the NSA - I have a copy
with a few 'illicit distribution' footnotes scribbled on it :-), and eventually
published at one of the crypto conferences.  Things were looking good.

Then Xerox patented the algorithms.  <Plonk!>

I don't know of anything which uses them.  Also, Khafre was broken at a
later conference and from work on a related algorithm I don't think the
existing Khufu would hold up too well against a converted differential
cryptanalysis attack, although it can probably be changed to resist this
type of attack....

Peter.

[In case you don't know what the <Plonk> is about, check _The New Hacker's
 Dictionary_.  It's the sound someone makes when they fall to the bottom
 of a killfile]


Newsgroup: sci.crypt
Document_id: 15969
From: warlord@MIT.EDU (Derek Atkins)
Subject: Re: Clipper and conference calls

In article <1993Apr25.114820.14022@ulysses.att.com> smb@research.att.com (Steven Bellovin) writes:

   In article <122723@netnews.upenn.edu>, feeley@cattell.psych.upenn.edu (Wm. Michael Feeley) writes:
   > Just curious, how would the Clipper Chip system handle
   > conference calls?

   It's not Clipper, it's any encryption system.  I've seen a number of
   designs; they generally involve a multi-line cleartext bridge.

Depending on the encryption system, so long as everyone has the same
key, it can be done.  For example, I was using "vat", which is an
Internet Audio tool, for a conference call, and we were encrypting the
session.  (Unfortunately, one site was doing more work, and didn't
have the CPU for it, so it didn't sound all that good at a different
site)

So, you don't necessarily have to have a clear-text bridge.  But if
you do, it's totally internal to one of the sites involved in the
conversation....

-derek


--
  Derek Atkins, MIT '93, Electrical Engineering and Computer Science
     Secretary, MIT Student Information Processing Board (SIPB)
           MIT Media Laboratory, Speech Research Group
           warlord@MIT.EDU       PP-ASEL        N1NWH

Newsgroup: sci.crypt
Document_id: 15970
From: schneier@chinet.chi.il.us (Bruce Schneier)
Subject: Re: New Encryption Algorithm

In article <1raeir$be1@access.digex.net> steve-b@access.digex.com (Steve Brinich) writes:
> >  Well, actually, this one's easy. It's their job. The NSA is
> >supposed to develop cryptosystems. If the government chooses to go
> >ahead and sell those cryptosystems to the masses, so be it.
>
>  Ah, but developing cryptosystems which are specifically designed to
>protect the government's domestic spying capabilities takes them beyond
>that mandate, into the forbidden field of domestic wiretapping.
>

Unlike the CIA, the NSA has no prohibition against domestic spying.  Read
Bamford's THE PUZZLE PALACE.

Bruce

Newsgroup: sci.crypt
Document_id: 15971
From: hal@cco.caltech.edu (Hal Finney)
Subject: Re: Let's build software cryptophones for over the internet...

gtoal@gtoal.com (Graham Toal) writes:

>I forwarded an old posting about CELP speech compression:
>[...]
>I've since been told that the source of this is on cygnus.com
>in /pub/celp.speech.tar.Z

>I'm not in a position to; any Sun tcp/ip gurus out there who think they
>can marry this with netfone by the end of the week? ;-)  Seriously.  I
>think someone with real net access and two sparcs could have this running
>by the end of the week.  Then we ask the pgp guys to add a bytestream
>crypto filter.  Two weeks at the most.  [Damn, I wish I had my sparc
>back... I'm stuck on a 25mhz 386sx]

I tried this code yesterday.  On my Sparcstation ELC it takes over
300 seconds to compress 22 seconds' worth of speech.  This means that it
needs to be "optimized" by over a factor of 10 before it will be usable
in even a half-duplex mode.

I question whether CELP is the best approach for this application.  It produces
great compression but at the expense of tremendous CPU loads.  We want
something that can be run on ordinary workstations or even high-end PC's
without DSP cards.  My guess is that some other algorithm is going to be
a better starting point.

Hal Finney

Newsgroup: sci.crypt
Document_id: 15972
From: hal@cco.caltech.edu (Hal Finney)
Subject: Re: S1, S2

steve-b@access.digex.com (Steve Brinich) writes:

> > Second question: Why!?!? Why is such a strange procedure used, and not
> >a real RNG ? This turns those S1,S2 in a kind of bottleneck for system-
> >security.

>  The only theory that makes any sense is that S1 and S2 are either the
>same for all chips, or vary among very few possibilities, so that anyone
>trying to break the encryption by brute force need only plow through the
>possible serial numbers (2^30, about one billion), multiplied by the number
>of different S1, S2 combinations.

My interpretation of Denning's description is that S1 and S2 are chosen
randomly by agents of the key escrow companies at the start of each 300-
chip programming session.  I imagine that the chips are in a carrier which
will allow them all to be programmed fairly quickly - there would not be
a need to transfer chips one at a time into a little PLA programmer as some
people have envisioned.

My guess as to why this procedure is used is that basing the keys on the
S1 and S2 using a specified algorithm provides an (in-principle) checkable
way to verify that no back doors exist in the choice of the random numbers
used to generate the keys.  Since we have to trust the escrow companies
anyway, it does not weaken the system to have the keys be generated from
random seeds entered by the escrow agents.  And since the algorithm for
key-generation is public (modulo Skipjack secrecy) then in principle an
agent could challenge the procedure, ask for S1 and S2 to be exposed, and
run his own independent calculation of U1 and U2 to verify that that is
what is actually being put onto the floppies.

And yes, there are many ways in which failures to follow this scheme could
be hard to check.  The laptop probably will not really be destroyed each
time.  Hidden cameras in the ceiling could see the S1 and S2 entered by
the trusted escrow agents.  Back doors in the chip could allow U to be
recovered.  Heck, each chip could be recorded with the same U, ignoring
what was on the floppy.

Hal Finney

Newsgroup: sci.crypt
Document_id: 15973
From: schneier@chinet.chi.il.us (Bruce Schneier)
Subject: Re: What would happen if export restrictions violated?

In article <Apr23.215306.83257@yuma.ACNS.ColoState.EDU> holland@CS.ColoState.EDU (douglas craig holland) writes:
>
>OK, I heard a lot of talk about the NSA's infamous control over encryption
>export through the ITAR.  Here's a question.  Say I develop this great new
>encryption system, and I want to sell my software worldwide.  The thought
>police then come in and say "This algorithm is a threat to national security.
>You will not be permitted to export it."  At this point, what kind of trouble
>could I get into if I ignored the ITAR and sold my program to international
>customers anyway?
>
>Doug Holland

You would be arrested as an international arms trafficker.

Bruce

Newsgroup: sci.crypt
Document_id: 15974
From: mpcline@cats.ucsc.edu (The Hermit)
Subject: Re: I have seen the lobby, and it is us


In <Apr21.233200.70723@yuma.ACNS.ColoState.EDU> ns111310@LANCE.ColoState.Edu (Nathaniel Sammons) writes:

>In article <1993Apr21.163929.21149@eff.org> A. Charles Gross <acg@eff.org> writes:
>>Certainly, with our way-cool Internet powers of
>>organization, we can act in the same way, if such action is appropriate.
>>
>>As long as we are kept informed of events, anyone on this bboard can make
>>a call to action.  Hopefully, we're a strong enough community to act on
>>those calls.  I realize this is a little optimistic, and I'm glad EFF is
>>working in the loop on these issues, but don't underestimate the
>>potential of the net for political action.
>>
>>Adam
>>* I speak for myself

>I second the motion.

>All in favor?

Sounds great.  But how would something like this be done?  Start up a
news group for discussions of things like lobbying techniques and how to
get non-computer geeks as pissed-off as we are?
-- 
/-----------------------------------------------------------------------------\
|Matthew Cline        | Read in the "letters to the editor" column of "TIME"  |
|                     | in response to an article on teen suicide: "People    |
|mpcline@cats.ucsc.edu| should be aware of the dangers of killing themselves" |
\-----------------------------------------------------------------------------/

Newsgroup: sci.crypt
Document_id: 15975
From: nagle@netcom.com (John Nagle)
Subject: Re: New Encryption Algorithm

artmel@well.sf.ca.us (Arthur Melnick) writes:
>     Ever since Craig Rowland posted his piece "New Encryption"
>to sci.crypt there has been some discussion of our company,
>Secured Communications Technologies, Inc, and on encryption
>algorithm, NEA.

       The classic comment on new encryption algorithms comes from
Friedman:

	"No new cypher is worth considering unless it comes 
	from someone who has already broken a very hard one."

Historically, Friedman has been right.  It's really hard to develop
a good cypher.  IBM's Lucifer, the precursor to DES, turns out to have
been fatally flawed.  Most of the DES-like systems other than DES seem
to be vulnerable to differential cryptanalysis.  The first two tries at
public key encryption (remember knapsack cyphers?) were broken.  Most
if not all of the machine cyphers of the electromechanical era were
broken eventually.  Attempts in the computer era to home-brew encryption
have been disappointing; the classic "A survey of data insecurity packages"
in Cryptologia contains analyses and breaking techniques for a few of the
popular "security packages" of the late 1980s.

        A new, proprietary algorithm?  No way.

        If the US is permitting general export of this thing, it has
to be weak; that's how the current regulations work.  Currently there's
a willingness to allow systems with short keys (32 bits appears to be
no problem; the 56 bits of DES are too many) or weak algorithms
(I think Word Perfect qualifies under that rule) to be exported.
I can't believe these guys shepherded their technique through the 
PTO and the State Department's Arms Control Division without finding that out.

					John Nagle

p.s. No, I'm not thrilled with Clipper either, but that's a different issue.

Newsgroup: sci.crypt
Document_id: 15976
From: oml@eloka.demon.co.uk (Owen Lewis)
Subject: Re: Tempest 

In article <1993Apr25.024032.26935@ringer.cs.utsa.edu> whughes@lonestar.utsa.edu writes:

>In article <1993Apr24.233742.26839@lehman.com> pmetzger@snark.shearson.com


> ...the basic idea behind any communications security system is not
>to absolutely deny access, but to make access more expensive (in time,
>money, manpower) than it is worth.
>
True of all security systems, I think, and it is the fundamental measure to 
be used in establishing a requisite security level.

-- 

                               -= Owen Lewis =-
                                      @
      Tele/fax  +44-(0)794-301731   ELOKA   Consultancy & Project Management
                            oml@eloka.demon.co.uk
                        pgp 2.x public key on request

Newsgroup: sci.crypt
Document_id: 15977
From: Graham Toal <gtoal@gtoal.com>
Subject: Re: Let's build software cryptophones for over the internet...

In article <1regq0INNn7u@gap.caltech.edu> hal@cco.caltech.edu (Hal Finney) writes:
:I tried this code yesterday.  On my Sparcstation ELC it takes over
:300 seconds to compress 22 seconds' worth of speech.  This means that it
:needs to be "optimized" by over a factor of 10 before it will be usable
:in even a half-duplex mode.

Ouch!  Thanks for trying it.

:I question whether CELP is the best approach for this application.  It produces
:great compression but at the expense of tremendous CPU loads.  We want
:something that can be run on ordinary workstations or even high-end PC's
:without DSP cards.  My guess is that some other algorithm is going to be
:a better starting point.

Yes.  I'm not sure if my xposting to comp.speech made it to here too, but
I've found that a low sample rate (3300 samples/sec at 8 bits per sample)
plus the pd 'shorten' lossless sound compression code actually does get
speech into 14.4K with a smidgen left over.  This is *definitely* worth
working on, folks.  And shorten works in well under real-time.

G

Newsgroup: sci.crypt
Document_id: 15978
From: smk5@quads.uchicago.edu (Steve Kramarsky)
Subject: Re: Clipper considered harmful

In article <1993Apr23.183655.13710@ulysses.att.com> smb@research.att.com (Steven Bellovin) writes:
>
>That is -- the cops send the LEF to the F-holder.  The F-holder strips
>off F, and sends U[K],N to the escrow agents.  They send either U or K
>to the cops.  (Don says U, I say K.)  The cops can't use U in the
>future, because they can't strip off F.  The F-holder never sees U.  In
>Don's model, the escrow agents can't read the traffic, because they
>don't have K; in my model, they have K, but not the message itself.
>And I trust that more because I think the cops and the FBI (the
>F-holder) are more likely to collaborate on breaking the rules.  The
>net result is that by involving the F-holder and the escrow agents on
>every tap, we can avoid extending permission to tap.

I've been reading this board passively for a while now and find the
subject absolutely fascinating, especially from the point of view of
a civil rights nut like myself.  My problem is that I'm new to the field
and paragraphs like the above keep popping up.  I'm sure what Mr. 
Bellovin is writing about is both fascinating and important, but I have 
NO IDEA what it means.  :-)   
  
  Anyway I'm keen to learn and will read anything I can get my hands on
that explains this stuff in lay terms (I have a decent CS background, but
not a huge amount of hyper-advanced math).  Can anyone point me to a FAQ
or a decent source of information about the guts of current cryptography and
maybe a little history as well?  I read the piece in this month's WIRED, can
anyone tell me how much I should trust the references they suggest?

  Thanks in advance,
   Steve.

-- 
            Steve Kramarsky, University of Chicago Law School
           steve@faerie.chi.il.us -or- smk5@quads.uchicago.edu 
     "All I did was kiss a girl." - Jake, the night before his hanging.
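The tap flow Bellovin describes in the paragraph quoted above, as an added simulation that is not part of the original post and not Clipper's real design: HMAC-SHA256 keystreams stand in for Skipjack, the serial number and keys are constructed, and the assumption that the F-holder also passes U[K] to the cops for the current tap is mine. It runs both models (Don's returning U, Bellovin's returning K) and checks what the cops can do with a later call on the same chip, alone and with a cooperating F-holder.

```python
"""Toy model of the Clipper tap flow from the quoted paragraph (added example)."""
import hashlib
import hmac
import os
import struct

KEY_LEN = 16                     # constructed key length for the toy cipher
SERIAL = b"\x00\x00\x12\x34"     # constructed chip serial number N


def keystream(key: bytes, label: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode, a constructed stand-in for Skipjack.
    # The label keeps the family, unit and traffic uses apart.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, label + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, label: bytes, data: bytes) -> bytes:
    # XOR with the keystream; self-inverse, so seal() also unseals.
    return bytes(a ^ b for a, b in zip(data, keystream(key, label, len(data))))


class Chip:
    """A Clipper-style chip holding its serial N, unit key U and family key F."""

    def __init__(self, serial: bytes, unit_key: bytes, family_key: bytes):
        self.serial, self.unit_key, self.family_key = serial, unit_key, family_key
        self.session_key = None

    def start_session(self) -> bytes:
        # Fresh session key K; the LEF sent with the call is F[U[K], N].
        self.session_key = os.urandom(KEY_LEN)
        u_of_k = seal(self.unit_key, b"unit", self.session_key)
        return seal(self.family_key, b"family", u_of_k + self.serial)

    def encrypt(self, msg: bytes) -> bytes:
        return seal(self.session_key, b"traffic", msg)


def f_holder_strip(family_key: bytes, lef: bytes):
    # The F-holder strips F and learns U[K] and N, but never U itself.
    inner = seal(family_key, b"family", lef)
    return inner[:KEY_LEN], inner[KEY_LEN:]


def escrow_respond(table: dict, u_of_k: bytes, serial: bytes, model: str) -> bytes:
    # Don's model: the agents hand back U and never learn K.
    # Bellovin's model: the agents unwrap U[K] and hand back K (they see K, not traffic).
    u = table[serial]
    return u if model == "denning" else seal(u, b"unit", u_of_k)


def cops_session_key(model: str, from_escrow: bytes, u_of_k: bytes) -> bytes:
    # Assumption: in Don's model the F-holder also passes U[K] to the cops,
    # who finish the job with U; in Bellovin's model they simply receive K.
    return from_escrow if model == "bellovin" else seal(from_escrow, b"unit", u_of_k)


def run_tap(model: str) -> dict:
    family_key = os.urandom(KEY_LEN)
    table = {SERIAL: os.urandom(KEY_LEN)}        # escrow agents' N -> U table
    chip = Chip(SERIAL, table[SERIAL], family_key)

    # The tapped call: cops -> F-holder -> escrow agents -> cops.
    lef = chip.start_session()
    traffic = chip.encrypt(b"meet at noon")
    u_of_k, n = f_holder_strip(family_key, lef)
    from_escrow = escrow_respond(table, u_of_k, n, model)
    k = cops_session_key(model, from_escrow, u_of_k)
    current = seal(k, b"traffic", traffic)

    # A later call on the same chip: new K', new LEF.  Holding only what they
    # were given (K or U) plus the new LEF, the cops cannot strip F off it.
    lef2 = chip.start_session()
    traffic2 = chip.encrypt(b"later call")
    alone_k = from_escrow if model == "bellovin" else seal(from_escrow, b"unit", lef2[:KEY_LEN])
    later_alone = seal(alone_k, b"traffic", traffic2)

    # With a cooperating F-holder (Bellovin's worry) U[K'] becomes available;
    # only a held U turns that into K' without going back to the agents.
    u_of_k2, _ = f_holder_strip(family_key, lef2)
    colluding_k = from_escrow if model == "bellovin" else seal(from_escrow, b"unit", u_of_k2)
    later_with_f_holder = seal(colluding_k, b"traffic", traffic2)

    return {"current": current, "later_alone": later_alone,
            "later_with_f_holder": later_with_f_holder}
```

Both models decrypt the tapped call; only Don's model lets cops and F-holder together read a later call without the escrow agents, which is the point of his "involve both on every tap" remark.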

Newsgroup: sci.crypt
Document_id: 15980
From: mt92mmj@brunel.ac.uk (Pwgll)
Subject: Re: Looking for MS-DOS crypto programs

MADDISON,David wrote:
: I am a new reader of sci.crypt I would like to obtain a copy of a
: public domain program that can encrypt files, preferably using DES,
: that runs under MS-DOS.

: I would also like to obtain a program which will password protect
: floppy disks, if this is possible.

: Thanks.

: David Maddison
: Melbourne, Australia

When you find out a floppy password protect program, could you e-mail me.
Thanks

Marcus Jones 						mt92mmj@brunel.ac.uk
Dept. Materials Technology, Brunel University.
PGP v2.2 Public Key on request

Newsgroup: sci.crypt
Document_id: 15981
From: jim@rand.org (Jim Gillogly)
Subject: Re: New Encryption Algorithm

In article <C61rDq.5v5@chinet.chi.il.us> schneier@chinet.chi.il.us (Bruce Schneier) writes:
>In article <1raeir$be1@access.digex.net> steve-b@access.digex.com (Steve Brinich) writes:
>>  Ah, but developing cryptosystems which are specifically designed to
>>protect the government's domestic spying capabilities takes them beyond
>>that mandate, into the forbidden field of domestic wiretapping.
>>
>
>Unlike the CIA, the NSA has no prohibition against domestic spying.  Read
>Bamford's THE PUZZLE PALACE.

I did.  You're mistaken.  NSA's communications intelligence mission is
strictly against foreign governments.  Here's an excerpt from the enabling
charter (24 Oct 52, Truman) that should clarify this.  The charter was
declassified in about Feb 1990 when an FOIA request made it public.  Mind
you, I don't know that they never collect anything they're not supposed
to... but spying on US citizens isn't in their charter.

    b. The COMINT  mission of the National  Security Agency
	(NSA) shall be to provide an effective,  unified organization
	and control of the communications  intelligence activities of
	the United States  conducted against foreign  governments, to
	provide for  integrated operational  policies and  procedures
	pertaining thereto.   As  used in  this directive,  the terms
	"communications intelligence"  or "COMINT" shall be construed
	to mean all  procedures and methods used in  the interception
	of communications  other  than foreign  press and  propaganda
	broadcasts  and  the  obtaining  of   information  from  such
	communications by other  than intended recipients,  but shall
	exclude censorship  and the  production and dissemination  of
	finished intelligence.

They're also tasked with protecting the US's communications, but I haven't
seen the specific enabling memo on that.  I assume that's the role under
which Skipjack was developed.

NSA is not in the standard-setting business, though -- that's why this
Clipper stuff came from NIST, which I believe is tasked with coming up
with standards based on their best inputs from other government agencies,
which would include NSA.
-- 
	Jim Gillogly
	Mersday, 4 Thrimidge S.R. 1993, 21:59

Newsgroup: sci.crypt
Document_id: 15982
From: mjr@tis.com (Marcus J Ranum)
Subject: Re: Let's build software cryptophones for over the internet...

Graham Toal <gtoal@gtoal.com> writes:
>Yes.  I'm not sure if my xposting to comp.speech made it to here too, but
>I've found that a low sample rate (3300 samples/sec at 8 bits per sample)
>plus the pd 'shorten' lossless sound compression code actually does get
>speech into 14.4K with a smidgen left over.  This is *definitely* worth
>working on, folks.  And shorten works in well under real-time.

	I don't think that this should be worked on just in the context
of cryptography. That's sure to pose all sorts of problems for all sorts
of people.

	What's needed is for someone to develop a portable telephone
quality speech<->RS232 converter. Imagine, if you will, a little box that
takes data on its serial port and puts out sound, and takes sound and codes
it to signals on its serial port. Full duplex. Now, this device is not a
cryptographic device. It's a portable poor man's sound blaster or whatever
you want to call it. It's got loads of perfectly legitimate applications
for:
	a) speech synthesis (with a few nifty libraries and some samples)
	b) speech recording for electronic messaging
	c) building voicemail systems
	d) internet talk radio
	e) internet relay chat

	Of course, some of the electronic messaging in item b might be
encrypted, possibly realtime, but that's the user's decision. One would
need 2 of these talky boxes and a pair of modems and some kind of cutout
to switch over, and some code on, say, a 486 laptop.

	I'd really like to see such a thing developed so that interactive
internet talk radio could be done. Ideally, though, it should be a general
purpose device. It should be a general purpose enough device that nobody
should be able to balk at its widespread use. Obviously, to make it easy
for homebrewers, it should use pretty common hardware.

	It's interesting to note that I'd already talked with a couple
of folks about building such a thing, before this whole clipper thing
started. I even went so far as to track down a couple of folks who are
able to make sample units, given incentive and some time. I'd envisioned
finding a couple of folks interested in such a project and helping fund
development of a public domain board layout and parts set, that could
be published in the form of CAD drawings for a couple of major CAD
packages, and in PostScript.

	Anyone interested? I'll start a provisional mailing list. Let
me know if you want on.

mjr.

Newsgroup: sci.crypt
Document_id: 15983
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Clipper considered harmful [Restated and amplified]

In article <sfqPuJu00WC7IqOP5T@andrew.cmu.edu> "Jon C. R. Bennett" <jb7m+@andrew.cmu.edu> writes:
>
>
>strnlght@netcom.com (David Sternlight) writes:
>> If the crooks use an innocent person's clipper phone on the tapped line
>> there's no problem. The Feds don't care whose phone instrument is used, just
>> that the conversation is by the suspect on the tapped line. They get the
>> serial number, get the keys, and they are in business.
>> 
>> No clipper chip to person association is ever needed.
>
>cellular phones...........

Direction-finding and directional monitoring receivers. Can you say "little
black bakery truck"?

:-)

David

>
>jon


-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
Document_id: 15984
From: tedcrum@garnet.berkeley.edu (Ted Crum)
Subject: Re: Trademark violation claimed


The RISC processor made by Fairchild, sold to Intergraph, much the same
story as the R4000.

Remember how Spielberg lost the control of Star Wars when the DOD started
using the name? The loss was confirmed in court. 

Newsgroup: sci.crypt
Document_id: 15985
From: mjs@behemoth.genetics.wisc.edu (Mike Schmelzer)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]


Argh. This is what I get for acknowledging David Sternlight's existence.

In article <strnlghtC602x2.Ir2@netcom.com> strnlght@netcom.com (David Sternlight) writes:
> Though I think this an overstatement, it does contain a grain of truth. It's
> drug dealers, spies, terrorists, and organized crime figures (assuming
> enough probable cause to convince a judge) who need to be watched, not
> law-abiding citizens.

Okay, it looks like I am going to have to do the history lesson after all.

During the Vietnam war, there were a great many citizens opposed to it
who considered themselves perfectly law abiding, although Mr. Nixon and
his lackeys thought otherwise.

The Federal government had no compunction about adding "people who
are otherwise decent, law abiding and upstanding, but disagree with
us" to your nice little list. Do you think this could never happen
again?

Note that I am not speculating about what the government could do,
but discussing the sort of "observation" - including but not limited
to phone tapping - that the government put its citizens under during
a time of national tension.

Your naivete is still appalling, BTW. I mean, read what you posted again.
How are we to differentiate between Good People and Bad People? Answer:
A priori, we can't; we have to assume. Now, which way do we assume? Do
we assume a priori that a citizen is law-abiding, or rather a potential
CommunistDrugLordChildAbuserCultMessiah? One of the things that's
supposedly great about America is the freedoms enjoyed by citizens who
are presumed to be law-abiding until proven otherwise.
--

--
=== Mike Schmelzer,  mjs@genetics.wisc.edu, (608)262-4550. Finger for PGP.
=== "People didn't riot the minute they saw that film.
=== They waited on justice. Which never came." - Ice T.


Newsgroup: sci.crypt
Document_id: 15986
From: pat@rwing.UUCP (Pat Myrto)
Subject: Re: Overreacting (was Re: Once tapped, your code is no good any more)

In article <116530@bu.edu> uni@acs.bu.edu (Shaen Bernhardt) writes:
<In article <1993Apr22.134214.18517@rick.dgbt.doc.ca> jhan@debra.dgbt.doc.ca (Jerry Han) writes:
<>In this giant ballyhoo over this Clipper chip I noticed a rather
<>disturbing trend in some of the E-mail and posts I've been tossing back and
<>forth.
<> [ ... deleted ... ]
<A circuit court judge in Illinois once said "When dealing with a government
<that seeks continually new and more creative ways to spy on its citizenry,
<one cannot discourage the move to empower the common citizen with the means
<to parry this attack on personal privacy."
<
<(Unfortunately the comment was with regard to the banning of radar
<detectors....)
<
<The point remains.  More and more I see the government slowly washing
<away privacy.  Even unwittingly.  Do you think I will ever live in a
<society that issues smart cards to citizens at birth?  Do you think I
<will live in a society that insists I register my crypto keys so they
<can keep track of what I'm saying?  Even if there is no evidence of my
<guilt?  Do you think I will ever live in a society that seeks to meddle
<in the affairs of its citizenry without recourse of any kind?  I'm tired
<of it.  There is (IMHO) no compromise with an administration that seeks
<to implement these proposals under the guise of enhancing privacy.
<
<More than the proposals themselves, I read the language of the press
<releases, the obvious deception involved in presenting these pieces to
<the public, and I am sickened.  I am revolted.  I am repulsed.
<
<90%, perhaps even 95% of this country could care less about the
<clipper chip, the wiretap bill, the smart card, because they are so
<entrapped in the rhetoric of the Clinton Administration.

The problem is, the people are not having the scope, or implications
pointed out to them.  Hell, most haven't even heard of Clipper, and
when they do, it will be in soothing language telling everyone how
nice the government is at 'letting them have' privacy.

How come the media is not telling about the provisions of the Clipper
decision?  The provisions of the Crime Bill?  The abuses of Civil Forfeiture?
The government uses polls to support the claim that 75 percent of the people
want gun bans, etc., yet the same pollsters have determined (according to
the media) that 30 percent of the people are unaware of what the Holocaust
is...

The people cannot be expected to give decent decisions when they are
denied the information that all these abuses and whittling away of
rights are going on quietly.  When they find out (when it hits them),
it will be too late.  One cannot expect each citizen to spend all their
time probing, searching, researching, etc.   For example, how big a
percentage of the average population even has access to USENET?  Way
less than 1 percent, I bet.   How many outside of Internet/USENET
are even AWARE of what Big Brother is doing, or have been exposed to
arguments of both sides of the issue?

What the public will get is only ONE side:  The Government's side.

THAT is scary.

<
<This saddens and frightens me.
<
<I am a conservative believe it or not.  A law and order conservative.
<But the move to a centralized authoritarian regime really scares me,
<mostly because I know you can't go far wrong underestimating the
<intelligence of the American people.  Tell them it's going to keep
<them safe from drug dealers and terrorists, and they will let you
<put cameras in their home.

How can the bulk of the people be informed, when the media refuses to
do it?

<Even in the wake of Waco, you find those who support the increasingly
<totalitarian moves.
<
<>Somebody once said something like: "Armed Violence is meant only to be
<>used in response to an armed attack.  It is not meant to be used in
<>aggression.  This is the difference between self-defence and murder."
<
<To be quite honest, the way things are going, I'd call it self defense.
<
<>Let's try to avoid killing things, eh?  There's enough blood shed in the
<>world, without adding a couple of riots, Civil Wars, etc.
<>
<>I'm probably overreacting.  But what I've read scared me a lot.  I don't
<>want my children growing up in a War Zone.
<
<
<And I don't want mine growing up in the eyes of a security camera
<24 hours a day.

The people at large need to be informed.  BUT HOW?   I am but one person.
I try to talk to everyone that will listen, but I can hardly make any
kind of dent.

-- 
pat@rwing.uucp      [Without prejudice UCC 1-207]     (Pat Myrto) Seattle, WA
         If all else fails, try:       ...!uunet!pilchuck!rwing!pat
WISDOM: "Only two things are infinite: the universe and human stupidity,
         and I am not sure about the former."              - Albert Einstein

Newsgroup: sci.crypt
Document_id: 15987
From: Greg.Onufer@Eng.Sun.COM (Greg Onufer)
Subject: Re: Let's build software cryptophones for over the internet...

In <C622A1.7t6@demon.co.uk> Graham Toal <gtoal@gtoal.com> writes:
>In article <1regq0INNn7u@gap.caltech.edu> hal@cco.caltech.edu (Hal Finney) writes:
>:I tried this code yesterday.  On my Sparcstation ELC it takes over
>:300 seconds to compress 22 seconds' worth of speech.  This means that it
>:needs to be "optimized" by over a factor of 10 before it will be usable
>:in even a half-duplex mode.

>Ouch!  Thanks for trying it.

The following program is a very quick hack I created a few months
ago to determine whether a Sun Sparcstation IPC could perform
real-time, full-duplex encrypted audio with resulting data rates
sustainable by today's modems.

This test program reads linearly-encoded audio from the audio device,
compresses it with GSM 06.10 (compresses frames of 160 13-bit samples
recorded at 8kHz into 260 bits resulting in a 50 Hz frame rate), encrypts
it with DES, then reverses the process and sends the reconstructed audio
back to the audio device.  The compressed, encrypted audio stream
is 13 kbits/s (!).

My Sparcstation IPC (not exactly a very fast machine these days,
certainly slower than an ELC) would just barely sustain this activity
(audio underruns would occur but the speech was very intelligible).  I
ran it as a real-time process to get the best results.  Remember,
though, that this program is a quick hack and the performance can
certainly be improved.

The audio compression routines can be ftp'd from tub.cs.tu-berlin.de,
I believe (look for gsm or toast).  I used Eric Young's DES
implementation but I no longer know where I got it from.

Cheers! greg

<--------------------------- CUT HERE ----------------------------->
/*
 * Test program to see how much CPU it takes for secure digital audio.
 * Written by G. Onufer (greg@cheers.Bungi.COM).
 *
 * Written on a Sun IPC running Solaris 2.2 with a Sun ISDN S-Bus card
 * and a SpeakerBox.
 */
#include <stdlib.h>
#include <string.h>		/* memset, memcpy, memmove, memcmp */
#include <unistd.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/audioio.h>
#include <stropts.h>

#include <gsm.h>		/* GSM 06.10 codec (toast distribution) */
#include <des.h>		/* Eric Young's libdes */

boolean_t
svs_audio_init(int fd, audio_info_t *prev_info)
{
	audio_info_t info;

	if (prev_info != NULL) {
		if (ioctl(fd, AUDIO_GETINFO, prev_info) < 0) {
			perror("AUDIO_GETINFO");
			return (B_FALSE);
		}
	}

	AUDIO_INITINFO(&info);

	info.record.pause = B_TRUE;
	info.play.pause = B_TRUE;

	info.play.sample_rate = 8000;
	info.play.encoding = AUDIO_ENCODING_LINEAR;
	info.play.channels = 1;
	info.play.precision = 16;
	info.record.sample_rate = 8000;
	info.record.encoding = AUDIO_ENCODING_LINEAR;
	info.record.channels = 1;
	info.record.precision = 16;

	info.record.buffer_size = 320 * 4;

	if (ioctl(fd, AUDIO_SETINFO, &info) < 0) {
		perror("AUDIO_SETINFO");
		return (B_FALSE);
	}

	if (ioctl(fd, I_FLUSH, FLUSHRW) < 0) {
		perror("I_FLUSH");
		return (B_FALSE);
	}

	
	AUDIO_INITINFO(&info);

	info.record.pause = B_FALSE;
	info.play.pause = B_FALSE;

	if (ioctl(fd, AUDIO_SETINFO, &info) < 0) {
		perror("AUDIO_SETINFO");
		return (B_FALSE);
	}

	return (B_TRUE);
}


boolean_t
svs_in(int ifd, gsm handle, gsm_byte *buf)
{
	gsm_signal sample[160];

	if (read(ifd, sample, sizeof (sample)) != sizeof (sample)) {
		fprintf(stderr, "svs_in: short read\n");
		return (B_FALSE);
	}

	gsm_encode(handle, sample, buf);

	return (B_TRUE);
}


boolean_t
svs_out(int ofd, gsm handle, gsm_byte *buf)
{
	gsm_signal sample[160];

	if (gsm_decode(handle, buf, sample) < 0) {
		fprintf(stderr, "svs_out: gsm_decode failed\n");
		return (B_FALSE);
	}

	if (write(ofd, sample, sizeof (sample)) != sizeof (sample)) {
		fprintf(stderr, "svs_out: short write\n");
		return (B_FALSE);
	}

	return (B_TRUE);
}


int
main(void)
{
	gsm handle;
	gsm_frame frame;
	int audiofd;
	int option;
	des_cblock key, ivec_in, ivec_out;
	des_key_schedule ks_in, ks_out;
	des_cblock cbuf_in[4], cbuf_out[4], cbuf_buf[4];

	audiofd = open("/dev/audio", O_RDWR);
	if (audiofd < 0) {
		perror("open");
		exit(4);
	}

	/*
	 * Initialize GSM compression code
	 */
	if ((handle = gsm_create()) == NULL) {
		fprintf(stderr, "svs: gsm_create failed\n");
		exit(4);
	}

	option = B_TRUE;
	if (gsm_option(handle, GSM_OPT_FAST, &option) < 0) {
		fprintf(stderr, "svs: gsm_option (FAST) failed\n");
		exit(4);
	}

	/*
	 * Initialize DES code.  One random key serves both the encrypt
	 * and the decrypt schedule because this is a loopback CPU test;
	 * a real link would first have to agree the key with the far end.
	 */
	des_random_key(&key);

	if (des_set_key(&key, ks_in) < 0) {
		fprintf(stderr, "svs: des_set_key failed\n");
		exit(4);
	}
	if (des_set_key(&key, ks_out) < 0) {
		fprintf(stderr, "svs: des_set_key failed\n");
		exit(4);
	}
	/* Both CBC chains start from an all-zero IV */
	memset(ivec_in, 0, sizeof (ivec_in));
	memset(ivec_out, 0, sizeof (ivec_out));

	/*
	 * Open audio device and configure it
	 */
	if (!svs_audio_init(audiofd, NULL))
		exit(3);

	for (;;) {
		/*
		 * Get 160 samples (16-bit linear 8000Hz) and
		 * convert to a 33 byte frame
		 */
		if (!svs_in(audiofd, handle, frame))
			exit(1);

		/*
		 * Encrypt/Decrypt block
		 */
		des_cbc_encrypt(frame, cbuf_out, (long)32, ks_in, ivec_in,
		    DES_ENCRYPT);
		des_cbc_encrypt(cbuf_out, cbuf_buf, (long)32, ks_out, ivec_out,
		    DES_DECRYPT);

		memmove(frame, cbuf_buf, 32);

#if 0
		if (memcmp(cbuf_in, cbuf_buf, 32) != 0) {
			fprintf(stderr, "svs: memcmp failed\n");
			exit(4);
		}
#endif

		/*
		 * Take 33 byte frame and convert to 160 samples
		 * and play
		 */
		if (!svs_out(audiofd, handle, frame))
			exit(2);
	}

	gsm_destroy(handle);
}
<--------------------------- CUT HERE ----------------------------->

Newsgroup: sci.crypt
Document_id: 15988
From: Graham Toal <gtoal@gtoal.com>
Subject: Re: Let's build software cryptophones for over the internet...

In article <1rf04s$jqu@sol.TIS.COM> mjr@tis.com (Marcus J Ranum) writes:
:	I'd really like to see such a thing developed so that interactive
:internet talk radio could be done. Ideally, though, it should be a general
:purpose device. It should be a general purpose enough device that nobody
:should be able to balk at its widespread use. Obviously, to make it easy
:for homebrewers, it should use pretty common hardware.

I suggest we start with the ubiquitous Sun, to get a lot of momentum
going.  Custom hardware isn't going to go anywhere until there's a
user base.

:	Anyone interested? I'll start a provisional mailing list. Let
:me know if you want on.

Count me in.  I need someone at the US end to experiment on the 
protocols with, and I like the way you code.  Give me 3 weeks to
move house and settle in then we'll go for it seriously...

G

Newsgroup: sci.crypt
Document_id: 15989
From: dhesi@rahul.net (Rahul Dhesi)
Subject: Re: Overreacting (was Re: Once tapped, your code is no good any more)

In <2109@rwing.UUCP> pat@rwing.UUCP (Pat Myrto) writes:

>How come the media is not telling about the provisions of the Clipper
>decision? ...

>How can the bulk of the people be informed, when the media refuses to
>do it?

The answer to your second question lies in the way you phrased the
first one:  'the media is...'.

The media isn't 'is'.  The media 'are'.  'Media' means 'more than one
medium.'  There are thousands of publications.  Some say this, some say
that.  

     How can the bulk of the people be informed, when they won't read
     informative publications?
-- 
Rahul Dhesi <dhesi@rahul.net>
also:  dhesi@cirrus.com

Newsgroup: sci.crypt
Document_id: 15990
From: tenney@netcom.com (Glenn S. Tenney)
Subject: Hearing on 29 April 1993

I received a fax of a letter from Representative Markey (Subcommittee on 
Telecommunications and Finance) to Ron Brown (Secretary of Commerce).  Since 
encryption and the Clipper chip are raised in this letter, I felt it would be
of interest.  I understand that on 29 April, Mr. Markey will be holding a
hearing on the questions raised in this letter.  There may also be a follow-on
hearing dedicated to the clipper chip, but that's not definite.

I've typed in the letter, which follows.  Any errors in transcription are 
mine...

---
Glenn Tenney
tenney@netcom.com            Amateur radio: AA6ER
Voice: (415) 574-3420        Fax: (415) 574-0546

------------------ letter of interest follows ----------------

April 19, 1993

The Honorable Ronald H. Brown
Secretary
Department of Commerce
14th and Pennsylvania Ave., NW
Washington, DC 20236

Dear Secretary Brown:

   As you know, I have long been interested in the privacy 
and security of telecommunications transmissions and data in 
a networked environment.  Recent reports concerning the 
Administration's endorsement of an electronic encryption 
standard, based upon "clipper chip" technology, have raised a 
number of related issues.  The international competitiveness 
of U.S. high tech manufacturers and the software industry is 
a key factor that the government should consider when 
addressing issues of encryption and data security.  As the 
nation moves forward in developing the national 
communications and information infrastructure, security of 
telecommunications transmissions and network data will be an 
increasingly important factor for protecting the privacy of 
users.

   The "hacker" community can compromise the integrity of 
telecommunications transmissions and databases linked by the 
network.  The people and businesses that use the nation's 
telecommunications network and the personal computers linked 
through it increasingly are demanding that information be 
protected against unauthorized access, alteration, and theft.

   I am concerned that the Administration's plan may mean 
that to remain competitive internationally, U.S. companies 
would be compelled to develop two products -- one for U.S. 
government customers, and another for private, commercial 
users who may want a higher encryption standard.  This may 
inadvertently increase costs to those U.S. companies hoping 
to serve both markets.  To assist the Subcommittee's analysis 
of this issue, please respond to the following questions:

1. Has the encryption algorithm or standard endorsed by the 
Administration been tested by any entity other than NSA, NIST 
or the vendor?  If so, please identify such entities and the 
nature of testing performed.  If not, please describe any 
plans to have the algorithm tested by outside experts and how 
such experts will be chosen.

2. Under the Administration's plan, what entities will be the 
holders of the "keys" to decrypt scrambled data?  What 
procedures or criteria will the Administration utilize to 
designate such key holders?

3. Does the encryption algorithm endorsed by the 
Administration contain a "trap door" or "back door," which 
could allow an agency or entity of the Federal government to 
crack the code?

4. It is clear that over time, changes in technologies used 
for communications will require new techniques and additional 
equipment.  How will encryption devices adapt to the rapid 
advancement of telecommunications technology?

5. What additional costs would the proposed encryption place 
on the Federal government?  What is the estimated cost to 
consumers and businesses which opt for the federal standard 
in their equipment?

6. What is the Commerce Department's assessment of the 
competitive impact of the Administration's endorsement of the 
"clipper chip" technology on U.S. exports of computer and 
telecommunications hardware and software products?

   I would appreciate your response by no later than close-
of-business, Wednesday, April 28, 1993.  If you have any 
questions, please have your staff contact Colin Crowell or 
Karen Colannino of the Subcommittee staff at (202) 226-2424.

Sincerely,

Edward J. Markey
Chairman

###
-- 
Glenn Tenney
voice: (415) 574-3420      fax: (415) 574-0546
tenney@netcom.com          Ham radio: AA6ER

Newsgroup: sci.crypt
Document_id: 15991
From: matt@consent.uucp (Matthew)
Subject: Implementing a Diffie-Hellman key exchange.


I want to add link encryption to a module that multiplexes upper
level routines into a single data link. The upper levels won't know
about this, and thus key exchange shall only need to occur once (at
the initial link establishment). I figure that I can do this with
DES and a Diffie-Hellman key exchange.

Is using a Diffie-Hellman exchange to establish a 64 bit DES key
acceptable, in other words, what are the pro's and con's of such a 
setup? Are there any important issues to watch out for (aside from
filtering out unacceptable keys)?

And in order to achieve this, I guess I will need to use 64bit math
routines (for probable prime number calculation, exponentiation etc),
so could someone point me towards a good package (this is strictly
non-commercial).

Matthew.
-- 
matt%consent@uts.EDU.AU - 
'The power of one man seems like a small squirt ...' -- tDHoH
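
The exchange Matthew describes, as an added example that is not part of the
thread and not his code: a Diffie-Hellman agreement that yields one DES key,
with the three things his questions touch on, a probable-prime test (Miller-
Rabin), validation of the peer's public value, and a filter for the DES weak
and semi-weak keys.  Everything the post leaves open is an assumption here:
the group is the 1024-bit MODP group of RFC 2409 with generator 2 (checked
for primality at import rather than taken on trust), the 64-bit key is
derived by hashing the shared secret with SHA-256 (a present-day stand-in for
whatever hash was at hand in 1993), and the weak-key list is the FIPS 74 table.

```python
"""Diffie-Hellman agreement of a single-DES link key, with the checks the
post asks about: a probable-prime test for the group, validation of the
peer's public value, and rejection of DES weak and semi-weak keys.

Added example, not code from the thread.  Assumed (the post fixes none of
them): the 1024-bit MODP group of RFC 2409 with generator 2, key derivation
by hashing the shared secret with SHA-256, and the FIPS 74 weak-key table."""
import hashlib
import secrets

# RFC 2409 section 6.2 ("Second Oakley Group"): a safe prime, generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
Q = (P - 1) // 2   # prime order of the subgroup generated by G

SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)

# The 4 weak and 12 semi-weak DES keys (odd parity), as tabulated in FIPS 74.
DES_WEAK_KEYS = {bytes.fromhex(h) for h in (
    "0101010101010101", "FEFEFEFEFEFEFEFE", "E0E0E0E0F1F1F1F1", "1F1F1F1F0E0E0E0E",
    "01FE01FE01FE01FE", "FE01FE01FE01FE01", "1FE01FE00EF10EF1", "E01FE01FF10EF10E",
    "01E001E001F101F1", "E001E001F101F101", "1FFE1FFE0EFE0EFE", "FE1FFE1FFE0EFE0E",
    "011F011F010E010E", "1F011F010E010E01", "E0FEE0FEF1FEF1FE", "FEE0FEE0FEF1FEF1")}


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases; a composite survives all rounds with
    probability at most 4**-rounds."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:             # n - 1 == d * 2**r with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def dh_keypair():
    """Private exponent x in [1, Q-1] and public value G**x mod P."""
    x = 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)


def dh_shared_secret(x, peer_public):
    """Check the peer's value before using it: 0, 1 and P-1 would pin the
    shared secret to a handful of values, and anything outside the order-Q
    subgroup means the peer is not working in the agreed group."""
    if not 2 <= peer_public <= P - 2:
        raise ValueError("peer public value out of range")
    if pow(peer_public, Q, P) != 1:
        raise ValueError("peer public value not in the prime-order subgroup")
    return pow(peer_public, x, P)


def set_odd_parity(key):
    """Force the DES parity bit (LSB) of each byte; DES ignores these bits,
    but canonical parity is needed to match the weak-key table."""
    out = bytearray()
    for b in key:
        b &= 0xFE
        out.append(b | int(bin(b).count("1") % 2 == 0))
    return bytes(out)


def is_weak_des_key(key):
    return set_odd_parity(key) in DES_WEAK_KEYS


def derive_des_key(shared_secret):
    """Hash the 1024-bit secret down to 64 bits (56 effective), set parity,
    and rehash with a counter if the result lands on a weak key."""
    secret = shared_secret.to_bytes((P.bit_length() + 7) // 8, "big")
    for counter in range(256):
        key = set_odd_parity(hashlib.sha256(secret + bytes([counter])).digest()[:8])
        if not is_weak_des_key(key):
            return key
    raise RuntimeError("no usable key after 256 attempts")


if __name__ == "__main__":
    xa, ya = dh_keypair()             # one end of the link
    xb, yb = dh_keypair()             # the other end
    ka = derive_des_key(dh_shared_secret(xa, yb))
    kb = derive_des_key(dh_shared_secret(xb, ya))
    print("agreed" if ka == kb else "MISMATCH", ka.hex())
```

Two caveats that the code makes visible.  The group only has to be as hard to
break as the 56-bit key it protects, so a 1024-bit modulus is ample; what
matters in practice is the range and subgroup check on the received value and
the weak-key filter, both of which are cheap.  And an unauthenticated exchange
like this one protects only against a passive listener: anyone who can sit on
the link can run one exchange with each end and relay, which the upper layers
Matthew wants to keep ignorant of the encryption will never notice.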

Newsgroup: sci.crypt
Document_id: 15992
From: holland@CS.ColoState.EDU (douglas craig holland)
Subject: Re: Let's build software cryptophones for over the internet...

In article <C62D8r.C7p@demon.co.uk> Graham Toal <gtoal@gtoal.com> writes:
>In article <1rf04s$jqu@sol.TIS.COM> mjr@tis.com (Marcus J Ranum) writes:
>:	I'd really like to see such a thing developed so that interactive
>:internet talk radio could be done. Ideally, though, it should be a general
>:purpose device. It should be a general purpose enough device that nobody
>:should be able to balk at its widespread use. Obviously, to make it easy
>:for homebrewers, it should use pretty common hardware.
>
>I suggest we start with the ubiquitous Sun, to get a lot of momentum
>going.  Custom hardware isn't going to go anywhere until there's a
>user base.

     Why don't we move down even further toward the masses by setting this
up on an IBM PC clone (probably needs to be a 386 or a 486) with a
Sound Blaster and a V.32bis modem.  Those components are very widely
available.  I don't know if the PC has enough horsepower to encrypt the data
in real time, but the Sound Blaster has 4 to 1 hardware compression and will
work at any sampling rate from 4 kHz to 23 kHz.

Doug Holland

-- 
|  Doug Holland                | Anyone who tries to take away my freedom  |
|  holland@cs.colostate.edu    | of speech will have to pry it from my     |
|  PGP key available by E-mail | cold, dead lips!!                         |

Newsgroup: sci.crypt
Document_id: 15993
From: Theodore M.P. Lee <tmplee@TIS.COM>
Subject: Re: Hearing on 29 April 1993

In article <tenneyC62HqH.6s1@netcom.com> Glenn S. Tenney,
tenney@netcom.com writes:
> of interest.  I understand that on 29 April, Mr. Markey will be holding a
> hearing on the questions raised in this letter.  There may also be a follow-on
> hearing dedicated to the clipper chip, but that's not definite.

Glenn,

Thanks for posting that.  I was surprised to notice, however, that one
question I might have expected to be asked was not:  "Are all forms of
strong encryption other than the Clipper to be made illegal?"  Speaking
of which, is anyone aware of whether that question *has* been asked of
any knowledgeable or official spokesperson for the government?  I have
not yet seen it mentioned in any of a dozen places it might have been
reported, but I could have easily missed it.

Ted Lee                                                
Trusted Information System, Inc.                        tmplee@tis.com
PO Box 1718                                             
Minnetonka, MN 55345

Newsgroup: sci.crypt
Document_id: 15994
From: jhupp@shockwave.win.net (Jeff Hupp)
Subject: Re: New Encryption Algorithm

 
> >  Well, actually, this one's easy. It's their job. The NSA is
> >supposed to develop cryptosystems. If the government chooses to go
> >ahead and sell those cryptosystems to the masses, so be it.
>
>  Ah, but developing cryptosystems which are specificially designed to
>protect the government's domestic spying capabilities takes them beyond
>that mandate, into the forbidden field of domestic wiretapping.
>
>
    The NSA's charter forbids them from doing any purely domestic
intelligence work, I would think that even providing assistance in
development of the Skipjack algorithm is a violation of that charter.
But as with any entrenched government agency, they will do what they
think is expedient.


_____________________________________________________________________
\Jeff Hupp                      |Internet: jhupp@shockwave.win.net   \
|9797 Medowglen, Apt. 1807      |Ad:    Contract Programming, Novell |
|Houston, Texas  77042          |       Network Design and Support.  |
|Voice: (713) 780 - 9419        |"The best government doesn't" -- me.|
\_____________________________________________________________________\ 

Newsgroup: sci.crypt
Document_id: 15995
From: wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705)
Subject: Re: New Encryption Algorithm

In article <16724@rand.org> jim@rand.org (Jim Gillogly) writes:
   I did.  You're mistaken.  NSA's communications intelligence mission is
   strictly against foreign governments.  Here's an excerpt from the enabling
   charter (24 Oct 52, Truman) that should clarify this.  The charter was
   declassified in about Feb 1990 when an FOIA request made it public.
Interesting!  Where can I get the whole thing?

   NSA is not in the standard-setting business, though -- that's why this
   Clipper stuff came from NIST, which I believe is tasked with coming up
   with standards based on their best inputs from other government agencies,
   which would include NSA.

Several of the newspaper reports have made it fairly clear that the
NSA did all the real work.  You can't believe everything you read in
the papers :-), but the package of information the NIST is faxing out
has so little information beyond what's widely known that it sounds
like it's true.
--
#				Pray for peace;      Bill
# Bill Stewart 1-908-949-0705 wcs@anchor.att.com AT&T Bell Labs 4M312 Holmdel NJ
#	              No, I'm *from* New Jersey, I only *work* in cyberspace....
# White House Comment Line 1-202-456-1111  fax 1-202-456-2461

Newsgroup: sci.crypt
Document_id: 15996
From: gideony@microsoft.com (Gideon Yuval)
Subject: Re: Clipper considered harmful

In article <9304221116.AA02093@pizzabox.demon.co.uk> gtoal@gtoal.com (Graham Toal) writes:
>:    Does Dorothy Denning read this group?  If not, is someone on the group
>: forwarding questions like these to her, or Martin Hellman, or anyone else
>: who's seen more details about the chip?
>
>Of course she does; it's just she's been toasted so often for being
>an NSA patsy that she's keeping her head down.  You can always mail
>her directly as denning@guvax.acc.georgetown.edu,
>denning@cs.cosc.georgetown.edu or denning@cs.georgetown.edu
>
>G

I found the personal attacks on Prof. Denning pretty disgusting.
I don't agree with all her positions; but I think scholars can
disagree without the argument getting into the gutter.

If these personal attacks are what stopped Prof. Denning from
replying on issues of substance, they have caused real harm
to the serious debate here.
-- 
Gideon Yuval, gideony@microsoft.com, 206-882-8080 (fax:-883-8101;TWX:160520)

Newsgroup: sci.crypt
Document_id: 15997
From: mnemonic@eff.org (Mike Godwin)
Subject: Re: Dorothy Denning opposes Clipper, Capstone wiretap chips

In article <C614BJ.BK6@agora.rain.com> jhart@agora.rain.com (Jim Hart) writes:
>"The security of the system should depend only on the secrecy of
>the keys and not on the secrecy of the algorithms" -- Dorothy Denning

Cite source, please.


--Mike




-- 
Mike Godwin,    |    Ariel Rose Godwin
mnemonic@eff.org|    Born 4-15-93 at 4:34 pm in Cambridge 
(617) 576-4510  |    7 pounds, 1.5 ounces, 19.75 inches long 
EFF, Cambridge  |    A new citizen of the Electronic Frontier 

Newsgroup: sci.crypt
Document_id: 15998
From: mg@elan (Michael Golan)
Subject: Re: Clipper scope [was: Overreacting]

pat@rwing.UUCP (Pat Myrto) writes:


>The problem is, the people are not having the scope, or implications
>pointed out to them.  Hell, most haven't even heard of Clipper, and
>when they do, it will be in soothing language telling everyone how
>nice the government is at 'letting them have' privacy.

[much more deleted]

>The people at large need to be informed.  BUT HOW?   I am but one person.
>I try to talk to everyone that will listen, but I can hardly make any
>kind of dent.

Here is how! Let's write a DOCUMENT which includes all the reasons
we oppose Clipper, in a clear, concise, non-technical manner. I urge
every one of you to take the (very simple) "start" below and repost it
with changes. Let the text evolve until we reach something most of us
like. Then, all of you should send a copy (with a personal letter)
to your congress critter, local reporter on sci/tech, etc.

Please, to make this a success, try to post only an "agreed" version,
not flames. To respond to a flame to this, please change the subject
to, e.g., "clipper scope - discussion".

-- Michael Golan
   mg@cs.princeton.edu

[all of these are points - which should be made into paragraphs]

What is wrong with the clipper chip - By usenet users
-----------------------------------------------------

1) It is secret. 
2) How can we trust the escrow agencies?
3) It is not cost-effective
4) We want other encryption systems, the government seems to want to
   disallow it in the future
5) Anyone can build a non-key system
6) We are worried about a back door
7) Once everyone uses a clipper chip, the mechanism for a Big-Brother
   government is in place, a change of government can lead to it. 
   Especially since the escrow agencies operation is not governed by
   law (so the president can change the rules to allow free access to
   the keys at any time, e.g., during war)
8) Few criminals are caught by wiretaps, the costs [and risks] are unjustified
9) Once the FBI gets hold of a key, it can decrypt past and future conversations

...

   

Newsgroup: sci.crypt
Document_id: 15999
Subject: Re: What is going on?...
From: sdoty@odie.santarosa.edu (Scott Doty)

Paul Repacholi (zrepachol@cc.curtin.edu.au) wrote:

: PS The first posting I saw I thought was a joke in *VERY* bad taste. My apologies
: to the person who broke the news.

For what it's worth...

Clipper Chip Announcement (clipper@csrc.ncsl.nist.gov) wrote:

: Note:  This file will also be available via anonymous file
: transfer from csrc.ncsl.nist.gov in directory /pub/nistnews and
: via the NIST Computer Security BBS at 301-948-5717.
:      ---------------------------------------------------
: 
:                          THE WHITE HOUSE
: 

I haven't been able to open an ftp session with that machine.

Operating under the assumption that the address was wrong, I tried using
nslookup and nicname/whois...

> ls nist.gov 
[nnsc.nsf.net]
Host or domain name            Internet address              
[...]
 ncsl                           server = mail-gw.ncsl.nist.gov         
 mail-gw.ncsl                   129.6.48.199
 ncsl                           server = dove.nist.gov                 
 ncsl                           server = ecf.ncsl.nist.gov             
 ecf.ncsl                       129.6.48.2
 ncsl                           server = enh.nist.gov                  
 ncsl                           server = SUNMGR.NCSL.NIST.GOV          
 SUNMGR.NCSL                    129.6.48.12
[...]

That's all I could find about the ncsl domain...oh, and I tried an MX lookup
on the machine in question, which failed.  Nicname/whois domain lookups at
both registries failed, too. 

So I thought, "hey, I'm just not using the tools right" and tried calling
the BBS number -- no answer.

I'm probably doing something wrong...or, perhaps, the machine has been put
behind a firewall.  But it does look like csrc.ncsl.nist.gov has become an
un-machine.  If someone would try ftp'ing to it, or knows what's up, I'd
really appreciate the info. 

Scott Doty <sdoty@odie.santarosa.edu>

Newsgroup: sci.crypt
Document_id: 16000
From: jhupp@shockwave.win.net (Jeff Hupp)
Subject: Re: Clipper and conference calls

 
>In article <122723@netnews.upenn.edu>, feeley@cattell.psych.upenn.edu (Wm. Michael Feeley) writes:
>> Just curious, how would the Clipper Chip system handle
>> conference calls?
>
>It's not Clipper, it's any encryption system.  I've seen a number of
>designs; they generally involve a multi-line cleartext bridge.
>
        A 'multi-line cleartext bridge'?
                      ^^^^^^^^^
        And just where would you put that bridge?  If it isn't at one of
the recipients' locations, forget encryption at all.  You have blown any
security you thought you might have had.

_____________________________________________________________________
\Jeff Hupp                      |Internet: jhupp@shockwave.win.net   \
|9797 Medowglen, Apt. 1807      |Ad:    Contract Programming, Novell |
|Houston, Texas  77042          |       Network Design and Support.  |
|Voice: (713) 780 - 9419        |"The best government doesn't" -- me.|
\_____________________________________________________________________\ 

Newsgroup: sci.crypt
Document_id: 16001
From: Borut.B.Lavrencic@ijs.si
Subject: Re: Key Registering Bodies

In article <C5wDFo.327@demon.co.uk>, 
Graham Toal <gtoal@gtoal.com> writes:
> In article <nagleC5w79E.7HL@netcom.com> nagle@netcom.com (John Nagle) writes:
> :       Since the law requires that wiretaps be requested by the Executive
> :Branch and approved by the Judicial Branch, it seems clear that one
> :of the key registering bodies should be under the control of the
> :Judicial Branch.  I suggest the Supreme Court, or, regionally, the
> :Courts of Appeal.  More specifically, the offices of their Clerks.
> 
> I've got a better idea.  We give one set to the KGB c/o Washington embassy,
> and the other set to the Red chinese.
> 
IMHO, one should place the keybanks into satellites (space). The 
recovery should be done only by (highly visible) teams of astronauts.


-- 
Borut B. Lavrencic, D.Sc.     | X.400   :C=si;A=mail;P=ac;O=ijs;S=lavrencic
J. Stefan Institute           | Internet:Borut.B.Lavrencic@ijs.si
University of Ljubljana,      | Phone   :+ 386 1 159 199
SI-61111 Ljubljana, Slovenia  |	    PGP Public Key available on request

DOLGO SMOIS KALIS OVRAZ NIKEI NJIHK OCNOO DKRIL IVSEB IPIKA


Newsgroup: sci.crypt
Document_id: 16002
From: rja14@cl.cam.ac.uk (Ross Anderson)
Subject: Re: Tempest

whughes@lonestar.utsa.edu (William W. Hughes) writes:

> Hell, just set up a spark jammer, or some other _very_ electrically-noisy
> device.

This doesn't work, due to the near-field far-field effect. You may stop
someone five yards away from listening in, but someone fifty yards away will
be relatively unaffected - unless you pump out hundreds of watts and jam all 
the neighbourhood TV's as well. In that case the government will stomp on you -
ask any radio ham! Democratic governments care even more about their voters' 
right to watch soap operas than they do about national security, and dictators 
consider their propaganda to be an integral part of their national security.

And holland@cs.colostate.edu (Doug Holland) writes:

> Another idea: Use a laptop computer.  As mentioned earlier, the LCD screen
> is a lot less noisy than a standard CRT, but since many laptops have power
> supplies that run at 3 volts instead of 5, they would be considerably 
> quieter.

I'm afraid this doesn't work either. We can pick up laptop screens without any
problem.

Most of the so-called `low radiation' monitors are also useless. The description
turns out to be a marketing assertion rather than an engineering one.

We thought there might be a market for a monitor which was not as hugely
expensive as the military Tempest kit, but which was well enough shielded to
stop eavesdropping using available receivers. We built a prototype, it works,
and it's still sitting on my lab bench. Commercial interest was exactly zero.

In the absence of open standards, a monitor which really is `low radiation'
(and costs 500 dollars more) can't compete against a monitor which just
claims to be `low radiation' (and whose only extra cost of production is the
pretty blue sticker on the box).

Ross

Newsgroup: sci.crypt
Document_id: 16003
From: rja14@cl.cam.ac.uk (Ross Anderson)
Subject: Re: New Encryption Algorithm

In article <C61rDq.5v5@chinet.chi.il.us>, schneier@chinet.chi.il.us 
(Bruce Schneier) writes:
 
|> Unlike the CIA, the NSA has no prohibition against domestic spying.  Read
|> Bamford's THE PUZZLE PALACE.

We had a senior NSA scientist in Cambridge at one of our workshops recently
(in fact he was here when the Clipper announcement was made, but we didn't
learn of it till after he'd gone). He said on this point that he was forbidden
by law to monitor conversations between US nationals (and he is a chap who is 
very precise about his choice of words). So I don't expect he'd have any qualms
about monitoring a domestic US conversation if one of the parties was an alien.

However it got me thinking of the Navajo code talkers. Just imagine:

+ `Hello, is that the Iraqi mission in New York? This is the Iraqi foreign
+ ministry in Baghdad, I am Farouq Hussein, US citizen, social security number
+ so-and-so'

+ `Yes, indeed, this is the New York mission, Mustafa Jadid speaking, also a
+ US citizen, my social security number is such-and-such, here is our report
+ on activities against the Satan Clinton'

Ross

Newsgroup: sci.crypt
Document_id: 16004
From: jebright@magnus.acs.ohio-state.edu (James R Ebright)
Subject: Re: Tempest

In article <1993Apr26.104320.10398@infodev.cam.ac.uk> rja14@cl.cam.ac.uk (Ross Anderson) writes:
>whughes@lonestar.utsa.edu (William W. Hughes) writes:
[ideas that are claimed not to work deleted...]

How about putting your system inside a faraday cage?  Even I could build
one...
/Jim

-- 
 Information farming at...     For addr&phone: finger             A/~~\A
 THE Ohio State University  jebright@magnus.acs.ohio-state.edu   ((0  0))____
      Jim Ebright             e-mail: jre+@osu.edu                 \  /      \
                          Support Privacy: Support Encryption      (--)\      

Newsgroup: sci.crypt
Document_id: 16005
From: Borut.B.Lavrencic@ijs.si
Subject: Re: Wiretapping reality today

In article <01050810.vuumdq@mbeckman.mbeckman.com>, 
mbeckman@mbeckman.mbeckman.com (Mel Beckman) writes:
> 
> Unfortunately, Hoover thought himself above the constitution, whatever he
> considered the limits others should obey. He ruthlessly invaded the privacy
> of many private and public citizens. 
> 
>   -mel

In 1967, when I was a grad student at UW in Seattle I had a chance to 
read Hoover's book "Masters of Deceit", and I quote a sentence (from 
memory):

"and beware my fellow Americans, a communist may look just as an 
ordinary person..."

I went to the mirror and it was true.

-- 
Borut B. Lavrencic, D.Sc.     | X.400   :C=si;A=mail;P=ac;O=ijs;S=lavrencic
J. Stefan Institute           | Internet:Borut.B.Lavrencic@ijs.si
University of Ljubljana,      | Phone   :+ 386 1 159 199
SI-61111 Ljubljana, Slovenia  |	    PGP Public Key available on request

DOLGO SMOIS KALIS OVRAZ NIKEI NJIHK OCNOO DKRIL IVSEB IPIKA


Newsgroup: sci.crypt
Document_id: 16006
From: elee9sf@menudo.menudo.UH.EDU (Karl Barrus)
Subject: Re: Wiretapping reality today


David Sternlight writes:
> A little perspective might be in order.

I cannot believe you can make these claims given hard evidence of
abuse.  Do you ignore stories about surveillance of Martin Luther
King, have you blocked from your mind McCarthy's crusade in the 50's?

> The number of court ordered wire taps is pretty low.

And how many illegal wiretaps are performed?  Funny, but I'll bet that
the FBI doesn't keep statistics on these!

"confidential informer" = illegal wiretap

/-----------------------------------\
| Karl L. Barrus                    |
| elee9sf@menudo.uh.edu             | <- preferred address
| barrus@tree.egr.uh.edu (NeXTMail) |
\-----------------------------------/


Newsgroup: sci.crypt
Document_id: 16007
From: smb@research.att.com (Steven Bellovin)
Subject: Re: New Encryption Algorithm

In article <41@shockwave.win.net>, jhupp@shockwave.win.net (Jeff Hupp) writes:
>     The NSA's charter forbids them from doing any purely domestic
> intelligence work, I would think that even providing assistance in
> development of the Skipjack algorithm is a violation of that charter.
> But as with any entrenched government agency, they will do what they
> think is expedient.

There are other laws and directives which bear upon the subject.  For
example, the National Computer Security Act of 1987 specifically directs
NBS [sic] to work with NSA on developing security standards for civilian
Federal computers.  (Pick up the bill from cpsr.org; it also includes
a report describing it, and some of the legislative history, including
concerns about NSA's involvement.)  Note also that NSA is specifically
charged with running the National Computer Security Center -- to
quote the aforementioned report -- ``NSA also will work with industries at
the DOD Computer Security Center to develop security standards for private
sector use.''

It may or may not be a good idea to have NSA tinkering with this, but
I'm pretty sure it's legal.  (Btw -- when it comes to development of
cryptosystems, there may be two choices.  Either NSA helped develop it,
in which case maybe they can crack it, maybe not, but probably, no one
else can; or NSA didn't help, in which case they probably can crack it,
and maybe others as well...)

Newsgroup: sci.crypt
Document_id: 16008
From: spp@zabriskie.berkeley.edu (Steve Pope)
Subject: Re: What is going on?...

sdoty@odie.santarosa.edu (Scott Doty) writes:

> But it does look like csrc.ncsl.nist.gov has become an
> un-machine.  If someone would try ftp'ing to it, or knows what's up, 
> I'd really appreciate the info. 

csrc.ncsl.nist.gov (129.6.54.11) is ftp-able from here...


Steve

Newsgroup: sci.crypt
Document_id: 16009
From: koontzd@phobos.lrmsc.loral.com (David Koontz )
Subject: Re: Clipper considered harmful [Restated and amplified]

>Clipper also allows an extraordinary opportunity for the criminal to
>conceal use of super-encryption.  An automated full-system surveillance
>mechanism (quite feasible across radio bandwidth) which knows family key F,
>can validate Clipper wrappers and N:ESN associations, but it cannot reveal
>in realtime the use of super-encryption, unless it knows all unit keys,
>which we are being assured are only to be made available in two separate
>pieces, upon specific wiretap-like order.

The serial number will be in a 64 bit block, with a 34 bit filler.  Doesn't
take a lot to check to see if that is correct.


Newsgroup: sci.crypt
Document_id: 16010
From: steve-b@access.digex.com (Steve Brinich)
Subject: Re: Tempest

  The "low radiation" claims one sees on monitors these days pertain to
allegedly harmful electromagnetic emissions, which do not necessarily have
anything to do with TEMPEST security.
  (I think the alleged hazard is BS, but that's another topic.)



Newsgroup: sci.crypt
Document_id: 16011
From: ad@cat.de (Axel Dunkel)
Subject: How sensitive is DES to bit errors?

Hello,

how sensitive is DES encrypted data to bit errors? How much data per
bit will be lost on average (I assume you still have the correct key)?

Thanx for hints,
Axel

---
Experience is what you get if you don't get what you want...

Systemberatung Axel Dunkel, Koenigsberger Strasse 41, D 6239 Kriftel, Germany
E-Mail: ad@cat.de, Voice: +49-6192-46949, Fax: +49-6192-46949
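
The question above gets no answer in the thread.  As an added example, not
from the post, the following shows how far one flipped ciphertext bit spreads
on decryption, which depends on the mode of operation rather than on DES
itself: the post does not say which mode, so ECB and CBC are both shown.  The
Python standard library has no DES, so a 16-round Feistel network with a
SHA-256 round function is constructed here as a stand-in 64-bit block cipher;
since any block cipher is a bijection, the propagation pattern is the same one
DES would show.

```python
"""Bit-error propagation of a 64-bit block cipher in ECB and CBC mode.

Added example, not from the thread.  The standard library has no DES, so a
16-round Feistel network with a SHA-256 round function stands in for it
(constructed here purely as a bijective 64-bit block cipher); how far one
flipped ciphertext bit spreads is decided by the mode, not by the cipher."""
import hashlib

BLOCK = 8  # bytes per block, as in DES


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, half, rnd):
    """Round function: 32 bits of SHA-256(key || round number || half)."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def block_encrypt(key, block, rounds=16):
    l, r = block[:4], block[4:]
    for i in range(rounds):
        l, r = r, _xor(l, _f(key, r, i))
    return r + l                      # undo the final swap


def block_decrypt(key, block, rounds=16):
    l, r = block[:4], block[4:]       # (R_n, L_n) as produced above
    for i in reversed(range(rounds)):
        l, r = r, _xor(l, _f(key, r, i))
    return r + l


def _blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, data):
    return b"".join(block_encrypt(key, b) for b in _blocks(data))


def ecb_decrypt(key, data):
    return b"".join(block_decrypt(key, b) for b in _blocks(data))


def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for b in _blocks(data):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for c in _blocks(data):
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def flip_bit(data, bit):
    """Return data with one bit inverted (bit 0 is the LSB of byte 0)."""
    buf = bytearray(data)
    buf[bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)


def damaged_bits(a, b):
    """Bit positions at which two equal-length byte strings differ."""
    return [i * 8 + j for i, (x, y) in enumerate(zip(a, b))
            for j in range(8) if (x ^ y) >> j & 1]


def propagation(mode, key, iv, plaintext, bit):
    """Flip one ciphertext bit, decrypt with the correct key, and return
    (indices of plaintext blocks that came out wrong, the wrong bits)."""
    if mode == "ecb":
        garbled = ecb_decrypt(key, flip_bit(ecb_encrypt(key, plaintext), bit))
    elif mode == "cbc":
        garbled = cbc_decrypt(key, iv, flip_bit(cbc_encrypt(key, iv, plaintext), bit))
    else:
        raise ValueError(mode)
    bad = damaged_bits(plaintext, garbled)
    return sorted({b // (8 * BLOCK) for b in bad}), bad


if __name__ == "__main__":
    key, iv = b"constructed demo key", bytes(range(8))   # constructed inputs
    msg = bytes(range(40))                               # five 64-bit blocks
    for mode in ("ecb", "cbc"):
        blocks, bad = propagation(mode, key, iv, msg, 70)   # bit 6 of block 1
        print(mode, "wrong blocks:", blocks, "wrong bits:", len(bad))
```

Flipping bit 70 (block 1) of a five-block message: in ECB only block 1 comes
out wrong, and it comes out as 64 bits of noise, not one wrong bit; in CBC
block 1 is noise as well and block 2 has exactly the mirrored bit (bit 134)
inverted, after which the chain resynchronises.  So with DES in CBC a single
bit error costs one 8-byte block plus one bit; a stream-style mode such as
OFB, not shown here, would cost just the one bit.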


Newsgroup: sci.crypt
Document_id: 16012
From: zrepachol@cc.curtin.edu.au (Paul Repacholi)
Subject: Re: I have seen the lobby, and it is us

In article <1r9av2$bg6@transfer.stratus.com>, cme@ellisun.sw.stratus.com (Carl Ellison) writes:
> I don't know about you, but I have nearly forgotten how to generate paper
> mail.
> 
> If I had e-mail to Congress, I would have written many letters by now.
> I haven't written one yet, as it turns out.  Writing on paper is such
> a complicated job, for those of us hooked on our way-cool Internet.

Just ask postmaster for the e-mail address of the printer. :-)

~Paul


Newsgroup: sci.crypt
Document_id: 16013
From: dougb@comm.mot.com (Doug Bank)
Subject: Re: Clipper Not Good Enough for Government?

In article <rdippold.735595213@qualcom>, rdippold@qualcomm.com (Ron "Asbestos" Dippold) writes:
|> There's been some discussion very recently as to whether the
|> government once again might exempt themselves from something they use
|> to screw us over...  Well, from comp.dcom.telecom:
|> 
|> From: lesreeves@attmail.com
|> Subject: Odds 'n Ends in the News
|> 
|> * The Clipper Chip device introduced yesterday by AT&T may not be
|> suitable for government use, says House Telecom Subcommittee Chairman
|> Markey.  In a letter to Commerce Secretary Brown, Markey asked whether
|> the use of the technology could lead to "inadvertently increased costs
|> to those U.S. companies hoping to serve both" the government and
|> private markets.  Markey has ordered Brown to answer several questions
|> about security and cost concerns by April 28.  (Communications Daily,
|> 4/20/93)

This is stupid.  Won't it cost more to those companies hoping to 
serve the gov't and private markets if they DON'T use the same
technology?

-- 
Doug Bank                       Private Systems Division
dougb@ecs.comm.mot.com          Motorola Communications Sector
dougb@nwu.edu                   Schaumburg, Illinois
dougb@casbah.acns.nwu.edu       708-576-8207                    

Newsgroup: sci.crypt
Document_id: 16014
From: dougb@comm.mot.com (Doug Bank)
Subject: Re: Encryption Chip Availability

In article <93113.11034134AEJ7D@CMUVM.BITNET>, <34AEJ7D@CMUVM.BITNET> writes:
|> In article <ofppPcS00iUy0_k3Mr@andrew.cmu.edu>, "Stephen J. Ludwick"
|> <sl3b+@andrew.cmu.edu> says:
|> >
|> >Hi everybody!
|> >
|> >Does anyone know of companies that are currently manufacturing
|> >encryption chips for sale to the general public?  Get them while you
|> >can!  Some pointers would be greatly appreciated.

Motorola certainly makes them, but I don't know how you
would go about buying one.  You'd probably have to buy one
of our secure radios.  

You could also bring in encryption chips from outside the country.

-- 
Doug Bank                       Private Systems Division
dougb@ecs.comm.mot.com          Motorola Communications Sector
dougb@nwu.edu                   Schaumburg, Illinois
dougb@casbah.acns.nwu.edu       708-576-8207                    

Newsgroup: sci.crypt
Document_id: 16015
From: mlm@fuzine.mt.cs.cmu.edu (Michael Mauldin)
Subject: Re: Dorothy Denning opposes Clipper, Capstone wiretap chips

In article <1993Apr26.063532.10120@eff.org> mnemonic@eff.org (Mike Godwin)  
writes:
> In article <C614BJ.BK6@agora.rain.com> jhart@agora.rain.com (Jim Hart)  
writes:
> >"The security of the system should depend only on the secrecy of
> >the keys and not on the secrecy of the algorithms" -- Dorothy Denning
> 
> Cite source, please.

Dorothy Denning, _Cryptography and Data Security_, 1982, Addison Wesley.
Page 8, under the heading "Cryptosystems must satisfy three general
requirements."  The other two are efficiency and ease of use.

--Michael L. Mauldin
  Carnegie Mellon University


Newsgroup: sci.crypt
Document_id: 16016
From: tarnold@vnet.IBM.COM (Todd W. Arnold)
Subject: Re: How sensible is DES towards bit-errors?

In <ad.735831059@cat> Axel Dunkel writes:
>how sensible is DES encrypted data towards bit errors? How much data per
>bit will be lost in average (I assume you still have the correct key)?

It depends on the mode you're using.  For a single 64-bit input block, a
one-bit error will have a 50 percent chance of corrupting each of the 64
output bits - in other words, it essentially turns the output block into
a random number.  If you're encrypting data in CBC mode, however, only the
one 64-bit block will be affected.  The next block, and all that follow it
will be decrypted properly.

It's a good idea to have some kind of error correction in your system if
corrupted bits are likely.

   - Todd
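
An added example (not from the thread) of the mode-level behaviour Todd describes. Python's standard library has no DES, so a small 64-bit Feistel cipher built on SHA-256 stands in for it; the block size matches DES, and the propagation pattern shown depends only on the mode, not on the cipher inside it. The key, IV and message are constructed sample values. A single flipped ciphertext bit garbles the whole block it sits in; in CBC it additionally flips the same bit position in the following plaintext block, and every block after that decrypts cleanly, which is exactly the region an error-correcting code or integrity check has to cover.

```python
import hashlib

BLOCK = 8  # 64-bit blocks, the same size DES uses


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function (Luby-Rackoff style); stands in for DES's f().
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def encrypt_block(key: bytes, block: bytes, rounds: int = 8) -> bytes:
    # Balanced Feistel network over two 32-bit halves.
    left, right = block[:4], block[4:]
    for r in range(rounds):
        f = _round_fn(key, r, right)
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right


def decrypt_block(key: bytes, block: bytes, rounds: int = 8) -> bytes:
    # Same rounds in reverse order undo the Feistel structure.
    left, right = block[:4], block[4:]
    for r in reversed(range(rounds)):
        f = _round_fn(key, r, left)
        left, right = bytes(a ^ b for a, b in zip(right, f)), left
    return left + right


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = encrypt_block(key, xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(xor(decrypt_block(key, c), prev))  # P[i] = D(C[i]) ^ C[i-1]
        prev = c
    return b"".join(out)


def flip_bit(data: bytes, bit: int) -> bytes:
    buf = bytearray(data)
    buf[bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)


def diff_bits(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def ecb_damage(key: bytes, block: bytes, bit: int) -> int:
    """Plaintext bits changed when one ciphertext bit of a lone block flips."""
    return diff_bits(block, decrypt_block(key, flip_bit(encrypt_block(key, block), bit)))


def cbc_damage(key: bytes, iv: bytes, plaintext: bytes, bit: int) -> list:
    """Per-block count of corrupted plaintext bits after one ciphertext bit flips."""
    recovered = cbc_decrypt(key, iv, flip_bit(cbc_encrypt(key, iv, plaintext), bit))
    return [diff_bits(plaintext[i:i + BLOCK], recovered[i:i + BLOCK])
            for i in range(0, len(plaintext), BLOCK)]


# Constructed sample values, not taken from the post.
KEY = b"constructed-key!"
IV = bytes(BLOCK)
MESSAGE = bytes(range(40))  # five 64-bit blocks

if __name__ == "__main__":
    print("ECB, one flipped bit:", ecb_damage(KEY, MESSAGE[:8], 13), "bits wrong of 64")
    print("CBC, bit 70 flipped (inside block 1):", cbc_damage(KEY, IV, MESSAGE, 70))
```

`cbc_damage` returns one count per block; for a flip inside block 1 the pattern is `[0, many, 1, 0, 0]`: block 1 is randomised, block 2 has exactly one wrong bit at the flipped position (because it is XORed with the damaged ciphertext block), and blocks 3 and 4 are untouched.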

Newsgroup: sci.crypt
Document_id: 16017
From: georgel@NeoSoft.com (George Livsey)
Subject: Is it illegal to transmit encrypted data?


   I am aware of the restrictions imposed by the munitions act
on the export of cryptographic technology, however, is it illegal to
transmit encrypted data from the U.S. to another country?  If so,
then which laws apply to this situation?
 
-- 
georgel@NeoSoft.com   |                        
George Livsey         |           Visualize Whirrled Peas!           
Net's Worth           |                        
(713) 994-0447

Newsgroup: sci.crypt
Document_id: 16018
From: eachus@spectre.mitre.org (Robert I. Eachus)
Subject: Re: Keeping Your Mouth Shut (was: Hard drive security)

In article <1993Apr21.023319.13965@midway.uchicago.edu> smk5@quads.uchicago.edu (Steve Kramarsky) writes:

  > OK, I should have read the thread before posting my own $0.02.  I would
  > just add to Phil's very informative discussion the following caveat: the
  > fifth amendment applies ONLY in criminal cases.  ("...nor shall any person .
  > . . be compelled in any criminal case to be a witness against himself...").

    Maybe you are using the wrong amendment.  If someone were to seize
a safe containing your (paper) records, and demand that you produce
the combination, the applicable defense would be on grounds of
unreasonable search and seizure.  The police would be entitled to
subpoena documents relating to a specific matter, but any broad search
such as implied by impounding all your records would be unconstitutional.
In the case of the safe, they would probably get a locksmith and
assert that they ONLY examined documents covered by the warrant.
(Sure!)  In the cryptographic case, their only resort would be
rubber-hose cryptography.

    (This would also make a good "mental experiment" to use in
choosing escrow agents.  Would you trust this proposed agent with a
key to your hard disk?--or half the key for that matter.)

--

					Robert I. Eachus

with Standard_Disclaimer;
use  Standard_Disclaimer;
function Message (Text: in Clever_Ideas) return Better_Ideas is...

Newsgroup: sci.crypt
Document_id: 16019
From: patl@golem.mit.edu (Patrick J. LoPresti)
Subject: Re: S1, S2


>>>>> In article <1r60ue$102@access.digex.net>,
>>>>> steve-b@access.digex.com (Steve Brinich) writes:

 > Second question: Why!?!? Why is such a strange procedure used, and
 >not a real RNG ? This turns those S1,S2 in a kind of bottleneck for
 >system- security.

	>> The only theory that makes any sense is that S1 and S2 are
	>> either the same for all chips, or vary among very few
	>> possibilities, so that anyone trying to break the encryption
	>> by brute force need only plow through the possible serial
	>> numbers (2^30, about one billion), multiplied by the number
	>> of different S1, S2 combinations.


Suppose instead that S1 and S2 can be reconstructed given 3 or 4 of the
unit keys generated in a single batch (through some sort of known
plaintext attack, say).  Suppose further that 3 or 4 of the chips
programmed in each session never find their way into commercial
products, but instead end up "elsewhere".

Suppose the folks at "elsewhere" can determine a unit key, given
physical access to one of these chips.  Then those same folks can
determine S1 and S2 for the whole batch...

Too many suppositions?  Yeah, probably.

- Pat




Newsgroup: sci.crypt
Document_id: 16020
From: jbs@watson.ibm.com
Subject: Re: Clipper chip

         Is it realistic for the government to try to keep the details
of the encryption algorithm secret if it intends to use evidence from
wiretaps in court?  Won't defense attorneys attempt to obtain the
details of the method if the prosecution attempts to present evidence
from wiretaps in court?  Is it certain that such attempts will fail?
                          James B. Shearer

Newsgroup: sci.crypt
Document_id: 16021
From: ee92jks@brunel.ac.uk (Jonathan K Saville)
Subject: Re: PGP Where to get it?

Jeff Hupp (jhupp@shockwave.win.net) wrote:
:         
:         I am fascinated by the things I have heard about the PGP
: encryption program.  Does anybody out there know where I might get a
: version of this program that runs under Windows 3.1, MS-Dos, Unix
: w/source?  As of this writing I have no UNIX access and am running on a
: nifty windows implementation of uucico.

At the moment PGP is available in executable format for MS-DOS and Mac,
and source code for most other platforms including UNIX. Many FTP sites
keep a copy (although the Mac version is getting hard to find). Try the
following site:

soda.berkeley.edu           /pub/cypherpunks/pgp

Jon
--
#      Jon Saville       |   Who alive can say, 'Thou art no
#  ee92jks@brunel.ac.uk  |  Poet, may'st not tell thy dreams?'
                                 ---  Keats, 1819  ---
     PGP 2.2 public key available upon request or by finger


Newsgroup: sci.crypt
Document_id: 16022
From: dougb@comm.mot.com (Doug Bank)
Subject: Re: Clipper and conference calls


|>    > Just curious, how would the Clipper Chip system handle
|>    > conference calls?
 
|> Depending on the encryption system, so long as everyone has the same
|> key, it can be done.  For example, I was using "vat", which is an
|> Internet Audio tool, for a conference call, and we were encrypting the
|> session.  (Unfortunately, one site was doing more work, and didn't
|> have the CPU for it, so it didn't sound all that good at a different
|> site)

You would have to use something other than the AT&T black box - in other
words, I don't think public key would work.  The session key would have 
to be agreed upon prior to the conversation and distributed to all 
sites beforehand.

Or go out and get a STU-III ;-)

-- 
Doug Bank                       Private Systems Division
dougb@ecs.comm.mot.com          Motorola Communications Sector
dougb@nwu.edu                   Schaumburg, Illinois
dougb@casbah.acns.nwu.edu       708-576-8207                    

These opinions do NOT reflect Motorola thinking in any way, shape, or form.

Newsgroup: sci.crypt
Document_id: 16023
From: pat@rwing.UUCP (Pat Myrto)
Subject: Re: Hearing on 29 April 1993

In article <C62oJM.CJH@News.MR.Net> tmplee@TIS.COM (Theodore M.P. Lee) writes:
>In article <tenneyC62HqH.6s1@netcom.com> Glenn S. Tenney,
>tenney@netcom.com writes:
>> of interest.  I understand that on 29 April, Mr. Markey will be holding a
>> hearing on the questions raised in this letter.  There may also be a follow-on
>> hearing dedicated to the clipper chip, but that's not definite.
>
>Glenn,
>
>Thanks for posting that.  I was surprised to notice, however, that one
>question I might have expected to be asked was not:  "Are all forms of
>strong encryption other than the Clipper to be made illegal?"  Speaking
>of which, is anyone aware of whether that question *has* been asked of
>any knowledgeable or official spokesperson for the government?  I have
>not yet seen it mentioned in any of a dozen places it might have been
>reported, but I could have easily missed it.

Please let us know if you get a solid answer to the question of legality
of other strong cryptosystems.   So far any references I have seen
have been weasel-words ("more plans in the future, etc"), but nothing
that could be taken as a "NO (strong crypto will NOT be outlawed)".  I
have heard (not verified) that the Crime Bill before Congress has
language that either requires escrow of keys, or that will regard
all systems 'unapproved' for public use, like strong cryptosystems
not trivially broken by the Govt, or without escrowed keys
which one cannot readily change (read: use being only permitted by
folks with 'special' connections, or government agencies) as either
'terrorist tools' or 'drug dealers tools'.  Not outlawed SPECIFICALLY
but by added Civil Forfeiture powers, and clever wording, EFFECTIVELY
outlawed for all intents and purposes.

Now, for some idle speculation ... for those who don't care, hit 'n' now.

Crypto being EFFECTIVELY outlawed could be done without SPECIFICALLY
outlawing ANY class of crypto systems.  For example, a crowbar, hammers,
screwdrivers, and such can be regarded as 'burglar tools' pretty much
at the whim of the authorities, based primarily on the individual
possessing them in the car, etc. not being in a trade that makes routine
use of these tools.  In a like manner, one who has no 'legitimate need'
(gov't definition) for strong crypto software or systems, and is caught
using them, might find themselves in possession of 'terrorist tools'.
In other words, if one is not working for a corporation with extremely
sensitive commercial data that warrants (in the Fed's opinion) strong
security, or a government agency, and securing only work-related data,
not personal data, one will most likely be nailed on this if discovered.
A personal desire for 'privacy' most certainly will not be regarded as
a 'legitimate NEED': 
"Why do you want such strong security, especially from 'legitimate law
enforcement'? An individual with 'legitimate' endeavors would not be so
concerned - government is not in the business of revealing your personal
secrets to the public... so you must be trying to conceal or planning
to conceal some unlawful or criminal activity...  DO YOU HAVE SOMETHING
TO HIDE, HMMMM?"
I expect that initially there will be some people selected either at
random, or who happen to have been 'troublemakers' for the purposes of
'making an example' for those who think the Feds are not SERIOUS about
this... (mega ':-('s)

One asking about a 'right' to privacy will probably get a response that
there is no constitutional right for privacy spelled out AS SUCH (an
argument used in the abortion debate):  "You do NOT have a right to have
security that 'Legitimate Law Enforcement cannot break'" (as suggested
in the Clipper Press Release).

This, in a nutshell, is what I find so extremely frightening.  Not only
for crypto systems, as in this case, but for the precedent it will set,
laying the groundwork for future erosions of privacy (escrow of both
safe-deposit box keys - 'master' keys or combinations for privately
owned safes, and so on.  WHY NOT?)...

I cannot think of a better way to make an 'end-run' around those
'inconvenient' parts of the US Constitution.  A law cannot be easily
declared unconstitutional, if it there IS NO SPECIFIC LAW.  It would
simply be a minor extension of the RICO statutes or WoD policies. A
simple policy decision, just like so many of the gun regulations are
mainly BATF policy decisions...  The Conversation of the Fed agents
would go something like:

"We are gonna seize your home, your computers, your car, your bank
account, (you don't have to undress and give us yer clothes, unless you
have a floppy in yer pocket) because they are all connected with your
acquisition, transport, and use of 'terrorist tools' and/or 'drug dealers
tools' - part of the WoD or against terrorism, ya unnerstand... no
decent American Subject would be against these noble causes...".

"Note we are not accusing YOU of any wrong-doing ... we are only saying
your HOME, COMPUTERS, CAR, BANK ASSETS are connected with wrong-doing
SOMEHOW - they housed, transported, and funded these 'terrorist tools'.
Only a civil matter ...  <heh-heh> ... We had this 'tip'...<grin>".

"Therefore, the Constitutional Protection on Individual rights do NOT
apply - we are 'arresting' the tainted PROPERTY... not YOU...<evil grin>".

"If you wish to deposit a BOND, hire some attorneys, and go to court to
PROVE the innocence of this property (that they are not 'terrorist tools'
and again to prove they are not also 'drug dealers tools'), go ahead,
we have no problem with that!  'Course, with your bank assets seized,
no car, computer, or home, (probably no job, too) and your
less-than-limitless resources, you might run into some minor practical
difficulties <grin>...".

THAT is what has me going so damned ballistic...  It is EXACTLY how
the logic goes when someone gives a 'tip' that your home has been
used to store DRUGS...  Note no trace of drugs need to be found on
the property... only some bozo who will say 'yup.  I stored stuff in
that dude's house...' (probably to get out of a 10 year sentence for
dealing).  Much more cost effective to let him walk, to bust another
day, and hit the jackpot with YOUR assets...

Ob Disclaimer (of course)...

Ok, note that I am not a lawyer, and can only base these speculations
on what I have read/heard/been told regarding past Civil Forfeiture
cases, and how they are used to augment the budgets of assorted agencies,
or to get 'cooperation' of folks who just want to be left alone, or who
do not wish to be put in a risky situation (especially in areas where
they are denied either meaningful police protection, AND the means to be
able to even pretend to defend themselves, as is quite common back East,
like NJ, MA, NYC, Wa DC, or out West in CA).  These people have the
choice of cowering under the government boot, or cowering under threats
of pissed off drug dealing gang-bangers... helpless in either case...
All behind some dude who drops a dime on you for his gain, or behind
the Feds wanting to 'make an example'...  Civil Forfeiture being the 'hook'.

Point is, are these speculations way out of line, or are they all too
typical, and if so, does the extension to crypto and just about anything
that the Feds regard as 'inconvenient' seem reasonable?  And if not
why not (what are our guarantees, besides the government promises)?

NONE?

>Ted Lee
>Trusted Information System, Inc.                        tmplee@tis.com
>PO Box 1718 
>Minnetonka, MN 55345

-- 
pat@rwing.uucp      [Without prejudice UCC 1-207]     (Pat Myrto) Seattle, WA
         If all else fails, try:       ...!uunet!pilchuck!rwing!pat
WISDOM: "Only two things are infinite; the universe and human stupidity,
         and I am not sure about the former."              - Albert Einstein

Newsgroup: sci.crypt
Document_id: 16024
From: wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705)
Subject: Re: Clipper considered harmful [Restated and amplified]

In article <1993Apr26.145937.3570@wdl.loral.com> koontzd@phobos.lrmsc.loral.com (David Koontz ) writes:
   >Clipper also allows an extraordinary opportunity for the criminal to
   >conceal use of super-encryption.  An automated full-system surveillance
   >mechanism (quite feasible across radio bandwidth) which knows family key F,
   >can validate Clipper wrappers and N:ESN associations, but it cannot reveal
   >in realtime the use of super-encryption, unless it knows all unit keys,
   >which we are being assured are only to be made available in two separate
   >pieces, upon specific wiretap-like order.

   The serial number will be in a 64 bit block, with a 34 bit filler.  Doesn't
   take a lot to check to see if that is correct.

Depends on whether the filler is a constant (makes checking easy,
but susceptible to replay), or variable (e.g. timer, counter, random),
which makes replay harder and can also make it easier for the
inquisitors to know if they've missed messages, or gotten them out of
sequence, or other interesting things that sort of person might care about.

It is still easy to conceal super-encryption, at least until the
inquisitors get ahold of the K key, which can take a while,
presumably not in near-real-time.  (Worst-case, in which the escrow agencies
provide the U key to the local cops, still only gets one side of the
conversation per warrant, unless the same key is used for both directions,
which I suppose the CAPSTONE version of the chip will probably insist on.)
--
#				Pray for peace;      Bill
# Bill Stewart 1-908-949-0705 wcs@anchor.att.com AT&T Bell Labs 4M312 Holmdel NJ
#	              No, I'm *from* New Jersey, I only *work* in cyberspace....
# White House Comment Line 1-202-456-1111  fax 1-202-456-2461

Newsgroup: sci.crypt
Document_id: 16025
From: wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705)
Subject: Re: Clipper and conference calls

In article <42@shockwave.win.net> jhupp@shockwave.win.net (Jeff Hupp) writes:
   >> conference calls?
   >It's not Clipper, it's any encryption system.  I've seen a number of
   >designs; they generally involve a multi-line cleartext bridge.

	   A 'multi-line cleartext bridge?"
			 ^^^^^^^^^
	   And just where would you put that bridge?  If it isn't at one of
   the recipients' locations, forget encryption at all.  You have blown any
   security you thought you might have had. 

Most of the people using encrypted conference bridges these days are
military (or equivalent, like CIA and other embassy personnel),
so putting bridges on the recipient's location is normal -
it's in a vault on a military base or Ft. Meade, and the
secure phones are in sound-proof rooms with big locks on the doors
because they're talking about Classified Stuff (or Golf with Other Generals.)

That paradigm will change as we start using encrypted phones in our
offices or homes to carry on normal conversations about dinner plans
and stock purchases and meeting schedules and technical info
and the good batch of illegal frop that we got last weekend from Bob;
most people don't use sound-proof vaults, and may use bridges in their
PBX or from the local phone company (3-way calls) or Long Distance
or value-added phone company (e.g. Alliance conference bridges).

If Clipjack is mainly used for the radio portion of cellular phones,
the conferencing aspects don't change.  But there may be a market niche for
trusted conference-bridge providers, though I suppose the inquisitors
would try to get a blanket wiretap authorization for many bridges,
just in case a Bad Guy might use the service.
--
#				Pray for peace;      Bill
# Bill Stewart 1-908-949-0705 wcs@anchor.att.com AT&T Bell Labs 4M312 Holmdel NJ
#	              No, I'm *from* New Jersey, I only *work* in cyberspace....
# White House Comment Line 1-202-456-1111  fax 1-202-456-2461

Newsgroup: sci.crypt
Document_id: 16026
From: angel@Foghorn_Leghorn.coe.northeastern.edu (Kirill Shklovsky)
Subject: Re: Tempest

In article <1993Apr26.104320.10398@infodev.cam.ac.uk> rja14@cl.cam.ac.uk (Ross Anderson) writes:
>I'm afraid this doesn't work either. We can pick up laptop screens without any
>problem.
>
>Most of the so-called `low radiation' monitors are also useless. The description
>turns out to a marketing assertion rather than an engineering one.
>
>We thought there might be a market for a monitor which was not as hugely
>expensive as the military Tempest kit, but which was well enough shielded to
>stop eavesdropping using available receivers. We built a prototype, it works,
>and it's still sitting on my lab bench. Commercial interest was exactly zero.
>
>In the absence of open standards, a monitor which really is `low radiation'
>(and costs 500 dollars more) can't compete against a monitor which just
>claims to be `low radiation' (and whose only extra cost of production is the
>pretty blue sticker on the box).
>
>Ross

I heard somewhere (can't name the source) that TEMPEST does not necessarily
pick-up just CRTs, but it can pick up emissions from almost any chip.  If
that is true, the kind of monitor would not make any difference because everything
on the screen can be picked-up from the video controller.  Can anybody verify
or refute this?

        *             Angel@foghorn_leghorn.coe.northeastern.edu
   *   * *     *   BTW: These are my opinions, and not that of any other entity
- * * *   *   * * ------------------------------------------------------------*
     *     * *               My god, its full of stars! - Dave
            *        I don't know about you, but we've got company!  - Epidemic


Newsgroup: sci.crypt
Document_id: 16028
From: mgr@anhep3.hep.anl.gov (Dr. mike)
Subject: Official Secrets act (USA)

Sorry, my news reader doesn't seem to know how to copy a subject header.
This tracks the thread "why people don't need strong crypto....."

The Atomic Energy Act of 1954 expressly forbids *thinking* about building
nuclear devices.  While I was in grad school, a friend of mine got a 
security clearance to work on the defense for the Progressive magazine.
He found lots of articles which were public domain *removed* from the
local engineering library (Madison Wisconsin).  So the lawyers sent him
all over the states to other libraries to show that the information in
the article was already public.  What pissed everyone off was a local
underground paper went and published the article anyway (it had been
precensored by the feds, that's what this was all about) so the judge
declared the case moot.

The Atomic Energy Act of 1954 has never been tested in court.  From my
discussions with several people familiar with the case, only 2 other
times has this preemptive clause been used.  In every case the people
simply did what they felt like and courts tossed the cases out.

For all intents and purposes, the government *does* have precedent for
declaring things classified *after* it has been published.  While I was
working on Star Wars this happened to me: my clearance was in the works
and I developed a method for tracking particle beams.  It was good enough
to classify, so I was no longer allowed to work on it.  A friend from
Canada was in the same boat: he developed a method to compute stripping
cross sections, but because the subject was classified *he was not allowed
to present his own paper at a conference!*.  He later published it in an
open journal without problems.

When the going gets weird, the weird turn pro.  The feds can do whatever
they want whenever they feel like it, and they will make up rules to let
themselves get away with it.  Since the mass media can't tell the difference
between a joke and the real thing (like "ranch apocalypse" for the Waco
massacre) don't count on them to help spread the word about their loss
of freedom.  The government *can* make strong crypto illegal.  SO WHAT?
Since the government does not obey any of its own rules, why should we?

Patience, persistence, truth,		reality: dvader@hemp-imi.hep.anl.gov
Dr. mike				home:    mrosing@igc.org

Newsgroup: sci.crypt
Document_id: 16029
From: weaver@kuttner.sfc.sony.com (Eric Weaver)
Subject: Citations for Electronic Cash papers please


Deeply grateful for citations to any papers on electronic cash schemes.
Enquiring minds &c...
-- 
Eric Weaver  Sony AVTC  677 River Oaks Pkwy, MS 35  SJ CA 95134  408 944-4904
& Chief Engineer, KFJC 89.7 Foothill College, Los Altos Hills CA 94022

Newsgroup: sci.crypt
Document_id: 16030
From: baxter@ed0118.ped.pto.ford.com (Gene Baxter)
Subject: Re: Let's build software cryptophones for over the internet...

douglas craig holland (holland@CS.ColoState.EDU) wrote:
: In article <C62D8r.C7p@demon.co.uk> Graham Toal <gtoal@gtoal.com> writes:
: >In article <1rf04s$jqu@sol.TIS.COM> mjr@tis.com (Marcus J Ranum) writes:
: >:	I'd really like to see such a thing developed so that interactive
: >:internet talk radio could be done. Ideally, though, it should be a general
: >:purpose device. It should be a general purpose enough device that nobody
: >:should be able to balk at its widespread use. Obviously, to make it easy
: >:for homebrewers, it should use pretty common hardware.
: 
:      Why don't we move down even further toward the masses by setting this
: up on an IBM PC clone(probably needs to be a 386 or a 486) with a 
: sound blaster and a V.32bis modem.  Those components are very widely

	I concur for a PC to PC version.  BUT for an interactive thing like
internet talk radio?!?!  It makes me cringe at the amount of hogging such
a thing would do to the bandwidth of the internet.  I mean 15 meg files getting
floated around for internet talk radio is bad enough.  I have a solution; use
the phone system; take your electronics and use them on point to point 
conversations through the phone and that's it.  If you need to tell someone 
something secret and very important wouldn't it make more sense to write it 
out concisely? And if it's just a quick "YO" then use a code word and spend 
your twenty cents.
	Those good ol' analog systems like Shortwave, Telephones, and TVs have
a use; don't gunk up a nice digital packet network trying to emulate them!

Baxter
Baxter.

Newsgroup: sci.crypt
Document_id: 16031
From: rbrand@usasoc.soc.mil (Raymond S. Brand)
Subject: Re: Clipper considered harmful

In article <1993Apr24.160121.17189@ulysses.att.com>, smb@research.att.com (Steven Bellovin) writes:
[...]
> There are three issues with Clipper.  The first is whether or not the
> architecture of the whole scheme is capable of working.  My answer,
> with one significant exception, is yes.  I really do think that NSA and
> NIST have designed this scheme about as well as can be, assuming that
> their real objectives are as stated: to permit wiretapping, under
> certain carefully-controlled circumstances, with a minimum risk of
> abuse.  (The exception is that U exists outside of the chip, on a
> programming diskette.  That's seriously wrong.  U_1 and U_2 should be
> loaded onto the chip separately.)  To those who disagree (and I don't
> claim my answer is obvious, though I found my own reasoning
> sufficiently persuasive that I was forced to rewrite the Conclusions
> section of my technical analysis paper -- I had originally blasted the
> scheme), I issue this invitation:  assume that you were charged with
> implementing such a system, with complete regard for civil rights and
> due process.  What would you do differently?  In answering this
> question, please accept NSA's fundamental assumptions:  that both
> strong cryptography against outsiders, and the ability to wiretap
> *some* domestic users, is necessary.  (If you feel it necessary to
> challenge those assumptions, do it in the context of the last issue I
> present below.  Right here, I'm discussing *just* the technical
> aspects.  And no, I don't by any means claim that just because
> something can be done, it should be.)

OK Steve, here's a sketch of an alternative that I believe addresses
most of the objections to the Clipper scheme.

Notation:
	+	concatenation
	^	exclusive or
	E(M,K)	message M encrypted by key K
	D(M,K)	message M decrypted by key K
	H(M)	hash (digest/signature) of message M

Important Values:
	U0[X]		local chip unit key from escrow agency X
	U1[X]		remote chip unit key from escrow agency X
	N[0]		serial number of the local chip
	N[1]		serial number of the remote chip
	A		number of escrow agencies
	K[0],K[1]	"session keys" agreed upon external to this protocol
	F		"family key", need not be secret

Protocol:
	Choose K0[1],...K0[A] such that K[0] = K0[1]^...^K0[A]
	Remote chip does same for K[1],K1[1],...,K1[A].

	Compute the following:

		L0[1] = E(K0[1], U0[1])
		...
		L0[A] = E(K0[A], U0[A])

		L[0] = N[0] + E(N[0] + L0[1] + ... + L0[A], F)

		Remote chip does the same for L1[1],...,L1[A],L[1]

	Send L[0] to remote chip and receive L[1] from remote chip

	Compute:

		KE[0] = H(K[0] + N[0] + L0[1] + ... + L0[A]
			+ K[1] + D(L[1], F))

		KD[0] = H(K[1] + D(L[1], F)
			+ K[0] + N[0] + L0[1] + ... + L0[A])

		Note that D(L[1], F) = N[1] + L1[1] + ... + L1[A]

		Remote chip does the same for KE[1] and KD[1]

	User data is encrypted (decrypted) with keys KE[0], KE[1]
		(KD[0], KD[1])

Assumptions:
	No trap doors in E(), D() and H(). H() is not invertible.

	Algorithms for E(), D() and H() are secret. Otherwise a software
	implementation (bogus chip) could communicate with a real chip.

	The chip only supports the following operation:

		1)  Return N[0]
		2)  Load K0[x]
		3)  Return E(K0[x], U0[x])
		4)  Return E(N[0] + L0[1] + ... + L0[A], F)
		5)  Given E(N[1] + L1[1] + ... + L1[A], F),
			return N[1],L1[1],...,L1[A]
		6)  Load K[1]
		7)  Given E(N[1] + L1[1] + ... + L1[A], F),
			compute KE[0], KD[0]
		8)  Given M, return E(M, KE[0])
		9)  Given M, return D(M, KD[0])

	Anything programmed into the chip can be determined by destroying
	the chip (U[1],...,U[A],F,N[0]).

	U[1],...,U[A] can not be determined except by destroying the chip.
	(Unfortunately this may not be true in reality. I suppose it's
	possible to determine how a chip has been programmed with a
	sophisticated[sp?] x-ray machine to look for blown fuses.)

	The U's are programmed independently by the escrow agencies.

Notes:
	For tapping escrow agency Y is given N[0], E(K0[Y], U0[Y]), N[1],
	E(K1[Y], U1[Y]) and returns K0[Y], K1[Y].

	LEA's must contact all escrow agencies with the serial numbers from
	both chips and the encrypted partial keys. This allows the agencies
	to record that both chips were tapped.

	LEA's only get the session key, not the key to all conversations
	of a particular chip. This precludes real-time decrypting of a
	conversation but that isn't one of the STATED requirements.

Observation:
	In order for any secure but "tap-able" communication scheme to work,
	the active parts need to share a secret. And if this secret is
	revealed, communications by those that know the secret can be made
	"un-tap-able". Obvious candidates are the cryptographic algorithm
	and the master (family) key. Relative size and complexity suggests
	that the key can be obtained from a silicon implementation of the
	scheme a LOT easier and faster than the algorithm.


						rsbx

-----------------------------------------------------------------------------
Raymond S. Brand					rbrand@usasoc.soc.mil
-----------------------------------------------------------------------------
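
The protocol above, run end to end as an added example (this is not the poster's code). The post leaves E(), D() and H() unspecified and assumes they are secret, so HMAC-SHA256 is used here as a stand-in stream cipher for E()/D() and SHA-256 for H(); "+" is byte concatenation, and the 4-byte serial and 16-byte key sizes are assumptions. K[0] and K[1] are just random bytes, standing in for session keys agreed outside the protocol. The model covers both sides of the exchange, the per-agency key split and unwrap described under "Notes", and the law-enforcement recomputation of KE[0] and KD[0], which requires every agency to answer for both serial numbers.

```python
import hashlib, hmac, os

SERIAL_LEN, KEY_LEN, IV_LEN = 4, 16, 16      # sizes assumed here, not from the post
WRAPPED_LEN = IV_LEN + KEY_LEN                # one L0[i] = E(K0[i], U0[i])

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(key, iv, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def E(m, key):
    """Stand-in for the post's E(): HMAC-SHA256 keystream under a random IV."""
    iv = os.urandom(IV_LEN)
    return iv + xor(m, keystream(key, iv, len(m)))

def D(c, key):
    """Stand-in for D(): inverse of E()."""
    return xor(c[IV_LEN:], keystream(key, c[:IV_LEN], len(c) - IV_LEN))

def H(*parts):
    """Stand-in for H(): SHA-256 over the concatenation ('+' in the post)."""
    return hashlib.sha256(b"".join(parts)).digest()

def split_key(k, a):
    """Choose K0[1..A] with K[0] = K0[1] ^ ... ^ K0[A]."""
    shares = [os.urandom(len(k)) for _ in range(a - 1)]
    last = k
    for s in shares:
        last = xor(last, s)
    return shares + [last]

class Chip:
    def __init__(self, serial, unit_keys, family_key):
        self.N, self.U, self.F = serial, unit_keys, family_key

    def leaf(self, k_local):
        """Operations 1-4: return L = N + E(N + L0[1] + ... + L0[A], F)."""
        shares = split_key(k_local, len(self.U))
        wrapped = [E(s, u) for s, u in zip(shares, self.U)]
        self.inner = self.N + b"".join(wrapped)
        return self.N + E(self.inner, self.F)

    def derive(self, k_local, k_remote, remote_leaf):
        """Operations 5-7: KE, KD bound to both session keys and both wrappers."""
        remote_inner = D(remote_leaf[SERIAL_LEN:], self.F)
        ke = H(k_local, self.inner, k_remote, remote_inner)
        kd = H(k_remote, remote_inner, k_local, self.inner)
        return ke, kd

class Agency:
    """Escrow agency Y: programs U[Y] into each chip, unwraps one share on request."""
    def __init__(self):
        self.units, self.log = {}, []

    def program(self, serial):
        self.units[serial] = os.urandom(KEY_LEN)
        return self.units[serial]

    def reveal(self, serial, wrapped_share):
        self.log.append(serial)               # the agency records which chip was tapped
        return D(wrapped_share, self.units[serial])

def lea_recover(family_key, leaf0, leaf1, agencies):
    """LEA holds F; with every agency's share it rebuilds KE[0], KD[0]."""
    def open_leaf(leaf):
        n, inner = leaf[:SERIAL_LEN], D(leaf[SERIAL_LEN:], family_key)
        if inner[:SERIAL_LEN] != n:
            raise ValueError("wrapper does not match serial number")
        k = bytes(KEY_LEN)
        for i, ag in enumerate(agencies):
            start = SERIAL_LEN + i * WRAPPED_LEN
            k = xor(k, ag.reveal(n, inner[start:start + WRAPPED_LEN]))
        return k, inner
    k0, inner0 = open_leaf(leaf0)
    k1, inner1 = open_leaf(leaf1)
    return H(k0, inner0, k1, inner1), H(k1, inner1, k0, inner0)

def run_session(a=2):
    """One call between two fresh chips, then an escrowed recovery of its keys."""
    family_key = os.urandom(KEY_LEN)
    agencies = [Agency() for _ in range(a)]
    def make_chip():
        n = os.urandom(SERIAL_LEN)
        return Chip(n, [ag.program(n) for ag in agencies], family_key)
    c0, c1 = make_chip(), make_chip()
    k0, k1 = os.urandom(KEY_LEN), os.urandom(KEY_LEN)   # K[0], K[1]: agreed outside
    l0, l1 = c0.leaf(k0), c1.leaf(k1)                  # exchange L[0], L[1]
    ke0, kd0 = c0.derive(k0, k1, l1)
    ke1, kd1 = c1.derive(k1, k0, l0)
    lea_ke0, lea_kd0 = lea_recover(family_key, l0, l1, agencies)
    return {"ke0": ke0, "kd0": kd0, "ke1": ke1, "kd1": kd1,
            "lea_ke0": lea_ke0, "lea_kd0": lea_kd0,
            "taps": [len(ag.log) for ag in agencies]}
```

Running `run_session(3)` shows the two properties the post relies on: KE[0] equals KD[1] and KD[0] equals KE[1], so each direction has its own key, and the recovered keys match only after all three agencies have each answered twice, once per serial number. Note that `lea_recover` checks the serial number inside the wrapper against the one sent in clear; anyone holding F can perform that check without any escrow agency, which is the "validate Clipper wrappers" point raised later in the thread.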

Newsgroup: sci.crypt
Document_id: 16032
From: amanda@intercon.com (Amanda Walker)
Subject: Re: Once tapped, your code is no good any more.

In article <116664@bu.edu>, uni@acs.bu.edu (Shaen Bernhardt) writes:
> Think again.  You won't see me using apple's new signature from the 
> finder feature. 

Why not?  It hasn't been released, so there's no way for you to evaluate it 
yet.  After all, Apple could have been smart and had AOCE use an MD5 hash 
encrypted with RSA, just like PKCS signatures.  They could even be actually 
PKCS compliant, for all you know; why not wait until it is released, and hard 
information is available, before passing judgement on it?

AOCE's algorithms aren't secret because Apple's being fascistic--AOCE itself 
remains secret (except for Apple demos at MacWorld :)), simply because it's 
not done yet.

It may be flawed, and it may not.  However, you can't tell which until you 
actually see it.  I, at least, am quite impressed with what I have seen so 
far, and have no expectation of being disappointed.


Amanda Walker
InterCon Systems Corporation



Newsgroup: sci.crypt
Document_id: 16033
From: karl@genesis.MCS.COM (Karl Denninger)
Subject: Government intentions regarding encryption

There is an article in Communications Week (April 12's issue) which
states definitively that not only is the justice department trying to revive
the "wiretapping bill", but they are ALSO trying to find a way to force key
registration.  CLIPPER is an obvious thrust in exactly this direction.
Dorothy Denning is quoted in this missive.

Communications Week, April 12th, page 8.  Read it and get peeved folks.
Then ACT NOW or lose your fundamental right to privacy.

Clinton has shown us that his only interest in this has to do with abortion,
and not the right of all citizens to be secure in their papers and effects.

--
Karl Denninger (karl@genesis.MCS.COM) 	| You can never please everyone except
Data Line: [+1 312 248-0900]		| by bankrupting yourself.
         	   LIVE Internet in Chicago; an MCSNET first!

Newsgroup: sci.crypt
Document_id: 16034
From: gardner@convex.com (Steve Gardner)
Subject: Re: Hearing on 29 April 1993

In article <2112@rwing.UUCP> pat@rwing.UUCP (Pat Myrto) writes:
>A personal desire for 'privacy' most certainly will not be regarded as
>a 'legitimate NEED': 
>"Why do you want such strong security, especially from 'legitimate law
>enforcement'? An individual with 'legitimate' endeavors would not be so
>concerned - government is not in the business of revealing your personal
>secrets to the public... so you must be trying to conceal or planning
>to conceal some unlawful or criminal activity...  DO YOU HAVE SOMETHING
>TO HIDE, HMMMM?"
	You have underlined here the battle that must be fought.  It is
	a battle for the "hearts and minds" of the american public.
	People must realize that the government is not a fit
	"father confessor".  The government does not have a right to
	share our every thought the moment we decide to share that
	thought with someone else at a distance.  In order to protect
	ourselves from a government bent on undermining the constitution
	we must realize that our government is our enemy as much if not
	more than the Soviet Union ever was.  This is hard for 
	some people who have been brought up with loyalty to our government
	cast as being synonymous with patriotism.  

>I expect that initially there will be some people selected either at
>random, or who happen to have been 'troublemakers' for the purposes of
>'making an example' for those who think the Feds are not SERIOUS about
>this... (mega ':-('s)
	We must be vigilant and make sure that we do not let such
	events go by unprotested.  We must be willing to fight the
	government at every step of the way.  

>THAT is what has me going so damned ballistic...  It is EXACTLY how
>the logic goes when someone gives a 'tip' that your home has been
>used to store DRUGS...  Note no trace of drugs need to be found on
>the property... only some bozo who will say 'yup.  I stored stuff in
>that dude's house...' (probably to get out of a 10 year sentence for
>dealing).  Much more cost effective to let him walk, to bust another
>day, and hit the jackpot with YOUR assets...
	It's time we rolled back this nonsense.  Civil forfeiture is
	the most effective end run around the constitution that has
	ever been promulgated.  Our enemy used to be the Soviets now
	it is clearly our own government.  



							smg

Newsgroup: sci.crypt
Document_id: 16035
From: jrbd@craycos.com (James Davies)
Subject: Re: Clipper considered harmful [Restated and amplified]

In article <1993Apr26.145937.3570@wdl.loral.com> koontzd@phobos.lrmsc.loral.com (David Koontz ) writes:
>>Clipper also allows an extraordinary opportunity for the criminal to
>>conceal use of super-encryption.  An automated full-system surveillance
>>mechanism (quite feasible across radio bandwidth) which knows family key F,
>>can validate Clipper wrappers and N:ESN associations, but it cannot reveal
>>in realtime the use of super-encryption, unless it knows all unit keys,
>>which we are being assured are only to be made available in two separate
>>pieces, upon specific wiretap-like order.
>
>The serial number will be in a 64 bit block, with a 34 bit filler.  Doesn't
>take a lot to check to see if that is correct.

Yes, but the extra encryption could be applied *before* the message
is encrypted by the Clipper, so that the wrapper would be fine, the
phone's serial number and the session key would be in the law-enforcement
field, etc., but the message wouldn't be readable even if the particular
Clipper's key were obtained from the escrow agents.  In fact, it shouldn't
even be possible to detect that a message has been double-encrypted without
a court order, right?

Newsgroup: sci.crypt
Document_id: 16036
From: jrbd@craycos.com (James Davies)
Subject: Re: Clipper considered harmful [Restated and amplified]

In article <WCS.93Apr26141950@rainier.ATT.COM> wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705) writes:
>
>It is still easy to conceal super-encryption, at least until the
>inquisitors get ahold of the K key, which can take a while,
>presumably not in near-real-time.  (Worst-case, in which the escrow agencies
>provide the U key to the local cops, still only gets one side of the
>conversation per warrant, unless the same key is used for both directions,
>which I suppose the CAPSTONE version of the chip will probably insist on.)

I was under the impression (from reading Denning's description of the
Clipper's operation) that the same session key *is* used in both directions for
encrypting the message text, but that each chip uses its own key for
encrypting the session key into the law-enforcement field.  So, you only
need to know the U key for one of the phones involved to decrypt the
messages in both directions.

Newsgroup: sci.crypt
Document_id: 16037
From: uni@acs2.bu.edu (Shaen Bernhardt)
Subject: Re: Overreacting (was Re: Once tapped, your code is no good any more)

In article <1993Apr23.134422.25521@rick.dgbt.doc.ca> jhan@debra.dgbt.doc.ca (Jerry Han) writes:
>In article <116530@bu.edu> uni@acs.bu.edu (Shaen Bernhardt) writes:

[Text Deleted]

>>To be quite honest, the way things are going, I'd call it self defense.

>I never advocated not saying what you believe in.  I'm advocating second
>thought, and calm.  
>
>"A smart warrior defeats the enemy in ambush on the battlefield"
>"A smarter warrior defeats the enemy in open warfare on the battlefield"
>"The smartest warrior defeats the enemy without using the battlefield"
>
>Think about it.  

I have, my thesis was on Sun Tzu.

More to the point:

Those who are called the good militarists of old, could make opponents
lose contact between front and back lines, lose reliability between
large and small groups, lose mutual concern for the welfare of the
different social classes among them, lose mutual accommodation between
the rulers and the ruled, lose enlistments among the soldiers, lose
coherence within the armies.  They went into action when it was
advantageous, stopped when it was not.

Today it is.  Sitting on your hands will get you nowhere in this battle.

>-- 
>Jerry Han-CRC-DOC-Div. of Behavioural Research-"jhan@debra.dgbt.doc.ca"
>///////////// These are my opinions, and my opinions only. \\\\\\\\\\\\\
>\\\\\\\\\ A proud and frozen member of the Mighty Warriors Band ////////  
>"Memories of those I've left behind, still ringing in my ears."-Genesis-

uni@acs.bu.edu
-- 
uni@acs.bu.edu  ->  Public Keys by finger and/or request
Public Key Archives: <pgp-public-keys@pgp.iastate.edu> 
Sovereignty is the sign of a brutal past.<>Fight Clinton's Wiretap Chip!
DF610670F2467B99 97DE2B5C3749148C <> Crypto is not a Crime! Ask me how!

Newsgroup: sci.crypt
Document_id: 16038
From: gjb@fig.citib.com (Greg Brail)
Subject: Re: Write to Clinton

In article <1r74a4$h2t@transfer.stratus.com> cme@ellisun.sw.stratus.com (Carl Ellison) writes:
>
>I've been reading the sci.crypt, alt.privacy.clipper and comp.org.eff.talk
>discussions about the Clipper chip and find (as usual) that most of us
>think alike -- so there's a lot of repetition.  If each of these messages
>were sent to Clinton as well as to the net (or instead of to the net), we
>might actually have some effect.
>
>	0005895485@MCIMAIL.COM  (White House)

Is this "White House e-mail address" really working yet? Someone
posted such an address on CompuServe a few months ago, but apparently
the White House wasn't really set up to receive hundreds (thousands?)
of messages a day to that account and didn't want people to use it
yet. So is this MCI address something the people at the White House
actually read, or is it another Craig Shergold story? I don't know --
I'm just asking.

Unless the people at the White House print and distribute this mail
every day, you may have better luck printing out a letter (on paper,
that flat white stuff all over my desk) and Snail-Mailing it to the
White House. I imagine writing to your local representative and
senator wouldn't hurt either. Heck, why not write to Al Gore while
you're at it?

				greg	

-- 
Greg Brail ------------------ Citibank -------------------- gjb@fig.citib.com

Newsgroup: sci.crypt
Document_id: 16039
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: Re: Off the shelf cheap DES keyseach machine (Was: Re: Corporate

"Jon \\lnes" <jon@ifi.uio.no> writes:
>A person I know, belonging to a research lab of a private
>company, claimed to me during a private conversation that, given the
>equipment in his lab, he could crack a Kerberos ticket in 15 minutes to
>an hour. He had access to rather powerful DES hardware, but not of an
>extraordinary kind, I believe. The attack was possible because of the
>extraordinare kind, I believe. The attack was possible because of the
>amount of known plaintext in the ticket, which itself constitutes a small
>message. This was two years ago.

I don't believe you, and I don't believe your friend.

Why? 

Because DES is not known to have any known plaintext attacks readily
available. Unless your friend knows something and is keeping it secret,
he was bullshitting you.

Now, it IS possible that he noted a weakness in the *implementation* of
the Kerberos protocol. For instance, using a weak RNG to generate keys
might cut down on the keyspace (not for the user keys -- for the other
kind whose name I can't remember). However, this is not what was
claimed. You are claiming a general weakness in DES, which is not
known to exist in the open literature.

Don't get me wrong -- DES is weaker than it should be. However,
cracking it in 15 minutes requires more money be spent on the cracking
machine than ANY organization I know of has available.

--
Perry Metzger		pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
Document_id: 16040
From: mjr@tis.com (Marcus J Ranum)
Subject: Re: Write to Clinton

>>	0005895485@MCIMAIL.COM  (White House)
>
>Is this "White House e-mail address" really working yet? Someone
>posted such an address on CompuServe a few months ago, but apparently
>the White House wasn't really set up to receive hundreds (thousands?)

	This is a real address. My understanding of the current process
that mail takes is it gets downloaded on floppy disk and is processed
by retiree volunteers, who match the message against message profiles
and check the message count. (I.e.: "yeah, that's a for gays in the
military. what's this clipper stuff? must be against gays in the
military...")

	The higher-volume white-house email stuff is in the works,
I know for a fact, but won't be online for probably another month
or two at the soonest. My understanding is that the link speed will
increase (direct internet instead of Compu$erve to floppy) but the
message processing will remain the same.

>Unless the people at the White House print and distribute this mail
>every day, you may have better luck printing out a letter (on paper,
>that flat white stuff all over my desk) and Snail-Mailing it to the
>White House. I imagine writing to your local representative and
>senator wouldn't hurt either. Heck, why not write to Al Gore while
>you're at it?

	The white house email does get read. I agree that printing it
and sending Cc: to everyone you can think of is probably better because
it is more visible, but the message processing (fitting messages against
a template) is the same in either case.

mjr.

Newsgroup: sci.crypt
Document_id: 16041
From: wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705)
Subject: Re: Is it illegal to transmit encrypted data?

In article <C63Ly7.GBx@sugar.neosoft.com> georgel@NeoSoft.com (George Livsey) writes:
      I am aware of the restrictions imposed by the munitions act
   on the export of cryptographic technology, however, is it illegal to
   transmit encrypted data from the U.S. to another country?  If so,
   then which laws apply to this situation?

From the US law perspective, unless you're engaging in illegal speech,
it's not illegal to use encryption.  Yet.  The NSA is allowed to try
to listen, but you're not obligated to make it easy for them.  Yet.
The other country may have more repressive laws about that;
I gather France's bureaucracy wants to know what you're saying, 
and in the old Soviet Union, they didn't need laws to make things illegal :-(

(paranoia follows, for those of you who want to play it safe :-)
The fact that the NSA is listening may affect your willingness to use
wimpy crypto technologies, but it may also affect your willingness to
use technologies that violate RSA's patents, e.g. if you use PGP, the
NSA may tell RSA that you're doing so, and if the Secret Service catches on,
they may decide that the mere fact that RSA hasn't filed a lawsuit
against you doesn't mean that you don't deserve to have your computer
confiscated for possible patent violation, munitions law violation,
espionage, money laundering, drug importation, and creatin' a disturbance,
and then not give it back because you *did* violate the patent even
though they had to drop all the other charges, unlike that nasty Steve
Jackson who had the gall not to be guilty of *anything*.
--
#				Pray for peace;      Bill
# Bill Stewart 1-908-949-0705 wcs@anchor.att.com AT&T Bell Labs 4M312 Holmdel NJ
#	              No, I'm *from* New Jersey, I only *work* in cyberspace....
# White House Comment Line 1-202-456-1111  fax 1-202-456-2461

Newsgroup: sci.crypt
Document_id: 16042
From: wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705)
Subject: Re: Tempest

In article <1993Apr26.193801.12416@lynx.dac.northeastern.edu> angel@Foghorn_Leghorn.coe.northeastern.edu (Kirill Shklovsky) writes:
   In article <1993Apr26.104320.10398@infodev.cam.ac.uk> rja14@cl.cam.ac.uk (Ross Anderson) writes:
   >I'm afraid this doesn't work either. We can pick up laptop screens without any
   >problem. [...]

   I heard somewhere (can't name the source) that TEMPEST does not necessarily
   pick-up just CRTs, but it can pick up emissions from almost any chip.  If
   that is true, the kind of monitor would not make any difference because everything
   on the screen can be picked-up from the video controller.  Can anybody verify
   or refute this?

Yes, that's true.  TEMPEST is nothing magic, it's just listening to any
available electromagnetic emissions and using all the analysis techniques  
you know to separate out the interesting stuff. 

The nice thing about old CRTs is that they used to put out LOTS of
signal, so they're easy to detect, and if you do your sync carefully,
you can watch the output on the monitor in your deceptively-marked
Chevy Step-Van.  Some brands of electric typewriters were even worse.
In both cases, it's especially nice because it gets you the data the
user is looking at, rather than whatever stuff the paging algorithm is
paging out to disk, etc.

With newer, quieter equipment, there isn't as much signal, and it's harder to
isolate the fun parts.  TEMPEST-rated equipment has much lower signal levels.
But "Everything has vibrations", as Master Chuan said.
--
#				Pray for peace;      Bill
# Bill Stewart 1-908-949-0705 wcs@anchor.att.com AT&T Bell Labs 4M312 Holmdel NJ
#	              No, I'm *from* New Jersey, I only *work* in cyberspace....
# White House Comment Line 1-202-456-1111  fax 1-202-456-2461

Newsgroup: sci.crypt
Document_id: 16043
From: allen@well.sf.ca.us (Allen Barrett Ethridge)
Subject: Re: Dorothy Denning opposes Clipper, Capstone wiretap chips

In <1993Apr26.063532.10120@eff.org> mnemonic@eff.org (Mike Godwin) writes:

>In article <C614BJ.BK6@agora.rain.com> jhart@agora.rain.com (Jim Hart) writes:
>>"The security of the system should depend only on the secrecy of
>>the keys and not on the secrecy of the algorithms" -- Dorothy Denning

>Cite source, please.

"Cryptography and Data Security", page 8, perhaps.

Newsgroup: sci.crypt
Document_id: 16044
From: uskmg@emoryu1.cc.emory.edu (Ken Guyton)
Subject: Amiga RIPEM?

Has anyone ported RIPEM to the Amiga yet or is anyone working on it?

Emailed responses are fine.

--
Ken Guyton, Emory University    | PREFERRED:  uskmg@unix.cc.emory.edu
Information Technology Division | UUCP:      ...gatech!emoryu1!uskmg
Atlanta, GA 30322               | NON-DOMAIN BITNET:   uskmg@emoryu1
Phone: (404) 727-7685           | FAX:  (404) 727-2599

Newsgroup: sci.crypt
Document_id: 16045
From: holland@CS.ColoState.EDU (douglas craig holland)
Subject: Re: Tempest

In article <1993Apr26.193801.12416@lynx.dac.northeastern.edu> angel@Foghorn_Leghorn.coe.northeastern.edu (Kirill Shklovsky) writes:
>In article <1993Apr26.104320.10398@infodev.cam.ac.uk> rja14@cl.cam.ac.uk (Ross Anderson) writes:
>>I'm afraid this doesn't work either. We can pick up laptop screens without any
>>problem.
>>
>>Most of the so-called `low radiation' monitors are also useless. The description
>>turns out to a marketing assertion rather than an engineering one.
>>
>>We thought there might be a market for a monitor which was not as hugely
>>expensive as the military Tempest kit, but which was well enough shielded to
>>stop eavesdropping using available receivers. We built a prototype, it works,
>>and it's still sitting on my lab bench. Commercial interest was exactly zero.
>>
>>In the absence of open standards, a monitor which really is `low radiation'
>>(and costs 500 dollars more) can't compete against a monitor which just
>>claims to be `low radiation' (and whose only extra cost of production is the
>>pretty blue sticker on the box).
>>
>>Ross
>
>I heard somewhere (can't name the source) that TEMPEST does not necessarily
>pick-up just CRTs, but it can pick up emissions from almost any chip.  If
>that is true, the kind of monitor would not make any difference because everything
>on the screen can be picked-up from the video controller.  Can anybody verify
>or refute this?
>
Just thought of something.  Yes, laptops can still be read, but it's not quite
as easy as a normal pc with a CRT.  My thought, Airline pilots lately have
been complaining about how laptops being used in flight mess with the plane's
instruments.  If this can be hyped up, manufacturers may start building
laptops with even lower emissions.  It would probably still be possible to
pick up with surveillance equipment, but at this point, it would be a lot
cheaper to mask the remaining signals with TEMPEST techniques.

Doug Holland

-- 
|  Doug Holland                | Anyone who tries to take away my freedom  |
|  holland@cs.colostate.edu    | of speech will have to pry it from my     |
|  PGP key available by E-mail | cold, dead lips!!                         |

Newsgroup: sci.crypt
Document_id: 16046
From: C445585@mizzou1.missouri.edu (John Kelsey)
Subject: Re: Implementing a Diffie-Hellman key exchange.

   You should probably use numbers much larger than 64-bits.  Also, you
may want to include some randomly-generated bitstrings in your protocol.
This way, if someone should find the shared key you and another person
use on one day, they won't be able to guess it for the next day....
 
   Ie A sends G**A mod P and random string R0
      B sends G**B mod P and random string R1
 
      Both find (G**A mod P)** B mod P = Shared Key, then both calculate
 
      Session Key = Hash(R0,Shared Key, R1)
 
   Also, you will want to make sure that you're getting the right public
key value G**A mod P.  Someone with the power to intercept and change messages
can otherwise spoof you by sending both of you *his* public key, and then
acquiring a session key with each of you....
 
   --John
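
The exchange sketched above, with the man-in-the-middle the last paragraph warns about, as an added example (not code from the post). Since the post names no P or G, the 1024-bit MODP group 2 prime from RFC 2409 with generator 2 is used, and its primality (and that of (P-1)/2) is rechecked at run time rather than trusted; SHA-256 stands in for Hash, and the 16-byte nonce length is an assumption. `mitm_exchange` shows that adding R0 and R1 does nothing against an attacker who can swap the public values: A and B each end up sharing a key with M, not with each other.

```python
import hashlib, secrets

# 1024-bit MODP group 2 prime from RFC 2409 (generator 2). Its primality is
# rechecked below so that a transcription slip cannot pass silently.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
NONCE_LEN = 16          # size of R0 / R1, assumed here

def is_probable_prime(n, rounds=16):
    """Miller-Rabin; used to sanity-check P and (P-1)/2 before trusting them."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

class Party:
    """One endpoint: private exponent x, public value G**x mod P, fresh nonce."""
    def __init__(self):
        self.x = secrets.randbelow(P - 3) + 2
        self.pub = pow(G, self.x, P)
        self.nonce = secrets.token_bytes(NONCE_LEN)

    def session_key(self, peer_pub, r0, r1):
        """Session Key = Hash(R0, Shared Key, R1), Shared Key = peer_pub**x mod P."""
        if not 1 < peer_pub < P - 1:        # reject 0, 1 and P-1 (trivial subgroups)
            raise ValueError("bad public value")
        shared = pow(peer_pub, self.x, P)
        return hashlib.sha256(r0 + shared.to_bytes(128, "big") + r1).digest()

def honest_exchange():
    """A and B exchange (G**A mod P, R0) and (G**B mod P, R1) directly."""
    a, b = Party(), Party()
    return (a.session_key(b.pub, a.nonce, b.nonce),
            b.session_key(a.pub, a.nonce, b.nonce))

def mitm_exchange():
    """Without authentication of the public values, M substitutes his own in
    both directions and ends up holding one key with A and another with B."""
    a, b, m = Party(), Party(), Party()
    key_a = a.session_key(m.pub, a.nonce, b.nonce)   # A believes m.pub is B's
    key_b = b.session_key(m.pub, a.nonce, b.nonce)   # B believes m.pub is A's
    m_with_a = m.session_key(a.pub, a.nonce, b.nonce)
    m_with_b = m.session_key(b.pub, a.nonce, b.nonce)
    return key_a, key_b, m_with_a, m_with_b
```

The range check in `session_key` is the minimum a real implementation needs on top of the post's sketch: a peer value of 1 or P-1 forces the shared secret into a two-element subgroup regardless of the private exponent. Binding the public values to identities (a signature or a pre-shared fingerprint) is what actually defeats `mitm_exchange`; the nonces only make the derived key differ between runs.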

Newsgroup: sci.crypt
Document_id: 16047
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Clipper considered harmful

In article <1993Apr25.193300.1707@microsoft.com> gideony@microsoft.com
(Gideon Yuval) writes:

>If these personal attacks are what stopped Prof. Denning from
>replying on issues of substance, they have caused real harm
>to the serious debate here.

They are and they have.

David

-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
Document_id: 16048
From: schneier@chinet.chi.il.us (Bruce Schneier)
Subject: Comments on Clipper for Publication


I am writing an article on Clipper for Network World.  I am looking for
comments and opinions (that I can quote) on the scheme, its implications
for security and privacy, its acceptance here and overseas, etc. 

I hope this to be a balanced article, with opinions from various quarters.
The only  catch is that your name and company affiliation will appear in
print.

I am on very tight deadline (I need to finish this Wednesday night).  Please
call or E-Mail responses.

Thanks,
Bruce
(708) 524-9461

Newsgroup: sci.crypt
Document_id: 16049
From: jongsma@esseye.si.com (Ken Jongsma)
Subject: Re: Does Rush read his E-mail?

In <1993Apr23.153320.4568@henson.cc.wwu.edu> n9045178@henson.cc.wwu.edu (Sean Dean) writes:

>But I have no idea of a Compuserve e-mail address...

70277.2502@compuserve.com


-- 
Ken Jongsma                                          
Smiths Industries                                jongsma@swdev.si.com
Grand Rapids, Michigan                      73115.1041@compuserve.com

Newsgroup: sci.crypt
Document_id: 16050
From: marc@tanda.isis.org (Marc Thibault)
Subject: A Trojan Horse on the Clipper

Gentlefolk,

        It seems to me that the "Step 1" of taking a warrant to the
        telco to get a wiretap is so much stinky red herring (don't
        you love animal metaphors).

        With each phone broadcasting the serial number of its chip
        ("E(N;F)" is not syntactically different than "N"), all they
        have to do is aim a receiver in the general direction of
        today's target and use the serial number to identify the
        session they want, and get the chip number of the other end of
        the conversation. Even without the key, this is great for
        traffic analysis. I can think of several ways to learn the
        right serial number.

        It looks like one intended effect of the Clipper is to
        eliminate the awkward business of getting the telco to
        cooperate (or risking getting caught in the act with your
        alligator clips erect). This is particularly handy if you have
        S1 and S2.

        BTW, did anyone explain why they are scrambling the serial
        number?
        
        Cheers,
                Marc

---
 Marc Thibault                             | marc@tanda.isis.org
 Automation Architect                      | CIS:71441,2226
 R.R.1, Oxford Mills, Ontario, Canada      | NC FreeNet: aa185

-----BEGIN PGP PUBLIC KEY BLOCK-----
mQBNAiqxYTkAAAECALfeHYp0yC80s1ScFvJSpj5eSCAO+hihtneFrrn+vuEcSavh
AAUwpIUGyV2N8n+lFTPnnLc42Ms+c8PJUPYKVI8ABRG0I01hcmMgVGhpYmF1bHQg
PG1hcmNAdGFuZGEuaXNpcy5vcmc+
=HLnv
-----END PGP PUBLIC KEY BLOCK-----


Newsgroup: sci.crypt
Document_id: 16051
From: marc@tanda.isis.org (Marc Thibault)
Subject: Re: Once tapped, your code is no good any more.

In article <1993Apr21.204036.13723@rick.dgbt.doc.ca> 
(Jerry Han) writes: 
> GUESS WHAT PEOPLE?  You live in one of the few countries in the world
> where a person can complain without getting shot at.  

        Only guessing, but from his address I'd say that Jerry, like
        me, lives in Canada. Unlike me, he thinks that our friends in
        the US enjoy the same freedom that we do, and he has not seen
        the slow but steady erosion to the south of us.

        We have the benefit of relatively slow politicians and
        ineffective law enforcement. Our rednecks tend to be the
        objects of derision rather than elected officials. It's
        everything LE can do to keep up with the real criminals. Any
        time they actually go after somebody just because they don't
        like his or her attitude, it's national news (It also often
        blows up in their faces: eg. the well-intentioned but flawed
        Zundel case, which resulted in a scolding from the Supreme
        Court, not only to LE for prosecuting the case but to
        Parliament for passing the law it was prosecuted under).

        Our friends south of the border don't have as easy a time of
        it. Among other things they have as many LE agencies as we
        have agencies, and some of them have teeth. They also have the
        War on Drugs which gives law-enforcement agencies exceptional
        powers to ignore individuals' rights (the DEA has more
        arbitrary power than that given to Canadian agencies under the
        War Measures Act). We have the RCMP and CSIS who can't stop
        fighting each other long enough to do any really effective
        suppression of private citizens' rights. Not only that, our
        Police Commissions have teeth, as I learned when I had to fend
        off a bent cop.

        It may be ironic that the nation founded on Life, Liberty and
        the Pursuit of Happiness is getting government-imposed order,
        while the nation founded on Peace, Order and Good Government
        is getting in-your-face liberty.

        That's not to say our time won't come. It looks like Chretien
        is going to run on a law-and-order platform. Be afraid.

        Cheers,
                Marc

---
 Marc Thibault                             | marc@tanda.isis.org
 Automation Architect                      | CIS:71441,2226
 R.R.1, Oxford Mills, Ontario, Canada      | NC FreeNet: aa185

-----BEGIN PGP PUBLIC KEY BLOCK-----
mQBNAiqxYTkAAAECALfeHYp0yC80s1ScFvJSpj5eSCAO+hihtneFrrn+vuEcSavh
AAUwpIUGyV2N8n+lFTPnnLc42Ms+c8PJUPYKVI8ABRG0I01hcmMgVGhpYmF1bHQg
PG1hcmNAdGFuZGEuaXNpcy5vcmc+
=HLnv
-----END PGP PUBLIC KEY BLOCK-----


Newsgroup: sci.crypt
Document_id: 16052
From: marc@tanda.isis.org (Marc Thibault)
Subject: Re: Do we need the clipper for cheap security?

In article <rdippold.735426379@qualcom> 
(Ron "Asbestos" Dippold) writes: 
  ...
> The only thing that worries me is that 2:1 compression - the
> SoundBlaster can do it automatically in hardware, but other than that
> I don't have a good feel for how processor intensive it is, so I can't
> estimate how fast a PC you'd need.

        There's a better way. Doesn't Qualcom have a secure design
        that it decided not to market?  Since they aren't going to
        use it, wouldn't the patriotic thing be to put the design in
        the public domain? How about selling a "Cryptography
        Educational Kit" with the critical parts? Something that could
        end up as a PC option board with two phone jacks?

        Cheers,
                Marc

---
 Marc Thibault                             | marc@tanda.isis.org
 Automation Architect                      | CIS:71441,2226
 R.R.1, Oxford Mills, Ontario, Canada      | NC FreeNet: aa185

-----BEGIN PGP PUBLIC KEY BLOCK-----
mQBNAiqxYTkAAAECALfeHYp0yC80s1ScFvJSpj5eSCAO+hihtneFrrn+vuEcSavh
AAUwpIUGyV2N8n+lFTPnnLc42Ms+c8PJUPYKVI8ABRG0I01hcmMgVGhpYmF1bHQg
PG1hcmNAdGFuZGEuaXNpcy5vcmc+
=HLnv
-----END PGP PUBLIC KEY BLOCK-----


Newsgroup: sci.crypt
Document_id: 16053
From: marc@tanda.isis.org (Marc Thibault)
Subject: Re: Organized Lobbying for Cryptography

In article <1993Apr23.195051.16862@news.clarkson.edu> 
(Dwight Tuinstra) writes: 
> Great slogan!  I'm ready to sign up with a crypto-lobbying effort (though
> I wouldn't want to do it through an NRA offshoot).  Shall we also push
> for the CRA  -- Cryptographic Rights Amendment ??

        Looking at it from up here in the Frozen North, it looks like
        you could do worse than get the NRA involved. They have a
        kindred problem, a large number of voters, the right attitude,
        and lots of funds.

        From an ethical _or_ constitutional viewpoint, I haven't seen
        a good argument for cryptographic rights that doesn't also
        support the NRA position on guns (and vice-versa).

        Cheers,
                Marc

---
 Marc Thibault                             | marc@tanda.isis.org
 Automation Architect                      | CIS:71441,2226
 R.R.1, Oxford Mills, Ontario, Canada      | NC FreeNet: aa185

-----BEGIN PGP PUBLIC KEY BLOCK-----
mQBNAiqxYTkAAAECALfeHYp0yC80s1ScFvJSpj5eSCAO+hihtneFrrn+vuEcSavh
AAUwpIUGyV2N8n+lFTPnnLc42Ms+c8PJUPYKVI8ABRG0I01hcmMgVGhpYmF1bHQg
PG1hcmNAdGFuZGEuaXNpcy5vcmc+
=HLnv
-----END PGP PUBLIC KEY BLOCK-----


Newsgroup: sci.crypt
Document_id: 16054
From: marc@tanda.isis.org (Marc Thibault)
Subject: Re: Overreacting (was Re: Once tapped, your code is no good any more)

In article <1993Apr23.134422.25521@rick.dgbt.doc.ca> 
(Jerry Han) writes: 

> "A smart warrior defeats the enemy in ambush on the battlefield"
> "A smarter warrior defeats the enemy in open warfare on the battlefield"
> "The smartest warrior defeats the enemy without using the battlefield"

        Y'all got the first two reversed.

                - Judge Roy Bean


Newsgroup: sci.crypt
Document_id: 16055
From: dave@tygra.Michigan.COM (David Conrad)
Subject: Re: New Encryption Algorithm

In article <1raeir$be1@access.digex.net> steve-b@access.digex.com (Steve Brinich) writes:
> >  Well, actually, this one's easy. It's their job. The NSA is
> >supposed to develop cryptosystems. If the government chooses to go
> >ahead and sell those cryptosystems to the masses, so be it.
>
>  Ah, but developing cryptosystems which are specifically designed to
>protect the government's domestic spying capabilities takes them beyond
>that mandate, into the forbidden field of domestic wiretapping.
>

But the NSA will not be doing any wiretapping.  The actual wiretapping will,
presumably, be conducted by the FBI.  Of course, the capability for this was
provided by the NSA, but I think that they are still within the limitations
of their charter.

I realize this is a fine point, and some may differ, but this is my opinion.
Although I don't care for Clipper and won't support or use it, I don't see
the NSA as having overstepped their bounds.

David R. Conrad		"No his mind is not for rent/To any god or government"
-- 
=  CAT-TALK Conferencing Network, Computer Conferencing and File Archive      =
-  1-313-882-2209, 300bps-14400bps, V.32/V.32bis/TurboPEP New users use 'new' - 
=  as a login id.  AVAILABLE VIA PC-PURSUIT!!! (City code "MIDET")            =
   E-MAIL Address: dave@Michigan.COM

Newsgroup: sci.crypt
Document_id: 16056
From: mattair@sun44.synercom.hounix.org (Charles Mattair)
Subject: Re: Clipper considered harmful [Restated and amplified]

In article <1993Apr25.025459.12837@random.ccs.northeastern.edu> rogue@ccs.northeastern.edu (Free Radical) writes:
>
>No no no no no no no.
>
>It will go like this:
>
>FEDS: We need the key to phone 334RE67D99.
>
>ESCROW: You have a warrant to tap the line phone 334RE67D99 is on?
>
>FEDS: Yes.
>
>ESCROW: Fine, here is our key.
>
>rogue@cs.neu.edu (Rogue Agent/SoD!)

It also goes like this:

FED1: We need to listen into <mafia head/druglord/terrorist/BBS sysop>'s
      conversations but don't have probable cause for a tap.

FED2: Who do we have a tap on?

FED1: <some other enemy of the state>.

FED2: So get the keys - we can always claim that phone's being used on the
      tapped line.

There's got to be some way to associate an instrument with an individual or
the state effectively has a tap, possibly not admissible (given the War on
Drugs exceptions to the 4/5 amendments, who knows) but none the less
listenable tap on any phone.
-- 
Charles Mattair		 		(work)	mattair@synercom.hounix.org
<standard.disclaimer>			(home)	cgm@elmat.synercom.hounix.org
In a mature society, "civil servant" is semantically equivalent to
       "civil master." - Robert Heinlein, _The Notebooks of Lazarus Long_

Newsgroup: sci.crypt
Document_id: 16057
From: wendyg@skeptic.demon.co.uk ("Wendy M. Grossman")
Subject: Re: Fifth Amendment and Passwords 

In article <1993Apr16.113151.7648@cs.aukuni.ac.nz> pgut1@cs.aukuni.ac.nz writes:

>In <C5Jzsz.Jzo@cs.uiuc.edu> kadie@cs.uiuc.edu (Carl M Kadie) writes:
>
>looks like you can't be forced to reveal a password, if anyone can provide
>a convincing legal argument to the contrary (ie an actual court case) I'd
>be most interested...
>
This is the case in Britain, according to the head of the computer crime
unit here when I interviewed him a couple of months ago.

wg
-- 
                 Wendy M. Grossman
9A North Avenue, Kew         Founder, The Skeptic (UK)
Richmond, Surrey TW9 3LZ     Freelance writer
+(44) (81) 948 3784          Recovering folksinger

Newsgroup: sci.crypt
Document_id: 16058
From: eah1@gauguin.wustl.edu (Edward Anthony Hutchins)
Subject: Re: Let's build software cryptophones for over the internet...

Hmmm.... CELP takes up about 12.6 MIPS for full duplex, and has been
implemented on about a million DSP chips... the 56001 card in my PC only cost
about $700, and I'm sure once demand goes up the prices would drop. The Analog
Devices 21020 board that we're looking at now cost about $500 (academic price).
I don't think hardware is something to worry about... if you get it working,
people will snap up internet phone cards like there was no tomorrow.
What we need here is a good implementation of CELP (the government code is
absolute crap, I got a 30% speedup after looking at it for a couple of hours),
and modifications to pgp to allow it to compress/decompress 144 bit frames
every 30msec... I think the AD21020 should have enough juice for this (50MIPS).
As part of the project I'm working on now, we're trying to get CELP up and
running in realtime full duplex mode... I gotta find the source to pgp and
see how tough it would be to integrate the en/decryption parts into the code.
I'll play with it. Anyone else out there got an AD21020 setup?
	- Ed
_____________________________________________________________________________
:-)  ('')  (-:  (,,)  :-)  ('')  (-:  (,,)  :-) | see lidflip instructions on
Edward Hutchins, eah1@cec1.wustl.edu            | other side of card

Newsgroup: sci.crypt
Document_id: 16059
From: rogue@ccs.northeastern.edu (Free Radical)
Subject: Re: Tempest

In article <1993Apr26.193801.12416@lynx.dac.northeastern.edu>
angel@Foghorn_Leghorn.coe.northeastern.edu (Kirill Shklovsky) writes: 
[...]
>I heard somewhere (can't name the source) that TEMPEST does not necessarily
>pick-up just CRTs, but it can pick up emissions from almost any chip.  If
>that is true, the kind of monitor would not make any difference because everything
>on the screen can be picked-up from the video controller.  Can anybody verify
>or refute this?

As anyone who attended HoHoCon will attest, you can pick information
off the video chip.  It's surprisingly easy too.  The guy did it with
a portable TV, with very minor mods.  It only worked from 3 feet, but
then it was just a demonstration.

	RA

rogue@cs.neu.edu (Rogue Agent/SoD!)
-----------------------------------
The NSA is now funding research not only in cryptography, but in all areas
of advanced mathematics. If you'd like a circular describing these new
research opportunities, just pick up your phone, call your mother, and
ask for one.

Newsgroup: sci.crypt
Document_id: 16060
From: steve-b@access.digex.com (Steve Brinich)
Subject: Basic Crypto Requirements


  In order to formulate a rational position on what cryptography
policies are acceptable, we must set forth a list of basic requirements.
I would propose the following as a starting point:

  1. The algorithm must be publicly known, and must have a record of
       surviving attempts by outside experts to find weaknesses.

  2. The system implementation must make it possible to verify that the
       advertised algorithm is, in fact, the one that is being used.

  3. The key must be quickly changeable by the user, and must be of a
       sufficient length and complexity to defeat any brute-force search
       possible now or in the reasonably near future.

  Note that these requirements are not incompatible with some form of key
escrow system; the May 1993 issue of "Byte" describes an example of an
encryption system which can clearly be implemented in a manner consistent
with the above requirements while requiring that parts of the key be
escrowed in order to have one's public key listed by a central distributor.

Newsgroup: sci.crypt
Document_id: 16061
From: als@kowari.cpsg.com.au (Anthony Shipman)
Subject: Re: Clipper considered harmful

yuan1@scws7.harvard.edu (Nina Yuan) writes:

>I'm not a lawyer and I don't even play one on TV, but intuitively there's
>something wrong with having one's words archived for possible future
>use against you.  This possibility frightens me more than any of the
>talk about the Clipper Chip, right to cryptography, etc.

:-)

I can just imagine it.  The mother is wheeled into the labour ward.  After
delivery a government agent steps up to read the baby its rights...
	"You have the right to remain silent.  If you give up this right anything
	you say may be taken down and used in evidence against you."

	"Waaaaaaaaah"


--
Anthony Shipman                 "You've got to be taught before it's too late,
CP Software Export Pty Ltd,      Before you are six or seven or eight,
19 Cato St., East Hawthorn,      To hate all the people your relatives hate,
Melbourne, Australia, 3121       You've got to be carefully taught."  R&H

E-mail: als@cpsg.com.au

Newsgroup: sci.crypt
Document_id: 16062
From: jin@spdcc.com (Jerry Natowitz)
Subject: PD code for crypt(1) like encryption

I am looking for some Public Domain (and exportable) code for
encryption.  Nothing elaborate, just something that will satisfy
a marketing need :-)
Oh yes, UNIX platform.
-- 
     Jerry Natowitz
     Guest user on:
ARPA jin@ursa-major.spdcc.com
UUCP {ima,harvard,rayssd,linus,m2c}!spdcc!jin

Newsgroup: sci.crypt
Document_id: 16063
From: paul@fairgate.com
Subject: Birthday attack?


I recently saw a message here (posted by Bob Silverman, I think) which 
referred to a "birthday" attack on a cryptosystem. I'm looking for 
references on, and explanations of, this type of attack.

Thanks,
-Paul

Newsgroup: sci.crypt
Document_id: 16064
Subject: Re: Tempest
From: pgut1@cs.aukuni.ac.nz (Peter Gutmann)

In <1993Apr27.071549.22910@random.ccs.northeastern.edu> rogue@ccs.northeastern.edu (Free Radical) writes:

>As anyone who attended HoHoCon will attest, you can pick information
                        ^^^^^^^
>off the video chip.  It's surprisingly easy too.  The guy did it with
>a portable TV, with very minor mods.  It only worked from 3 feet, but
>then it was just a demonstration.

A convention for Santa Claus impersonators?  Please elaborate, enquiring minds
(those in the second and third jars from the left) want to know....

Peter.

Newsgroup: sci.crypt
Document_id: 16065
From: pdc@dcs.ed.ac.uk (Paul Crowley)
Subject: Re: Clipper and conference calls

Quoting dougb@ecs.comm.mot.com in article <1993Apr26.150434.227@lmpsbbs.comm.mot.com>:
>You would have to use something other than the AT&T black box - in other
>words, I don't think public key would work.  The session key would have 
>to be agreed upon prior to the conversation and distributed to all 
>sites beforehand.

Why can't one site decide a session key and send it to the other sites
by public key encryption?
  __                                  _____
\/ o\ Paul Crowley   pdc@dcs.ed.ac.uk \\ //
/\__/ Trust me. I know what I'm doing. \X/  Fold a fish for Jesus!

Newsgroup: sci.crypt
Document_id: 16066
From: hamrick@convex.com (Ed Hamrick)
Subject: Re: PD code for crypt(1) like encryption

In article <1993Apr27.114659.28363@spdcc.com> jin@spdcc.com (Jerry Natowitz) writes:
>I am looking for some Public Domain (and exportable) code for
>encryption.  Nothing elaborate, just something that will satisfy
>a marketing need :-)
>Oh yes, UNIX platform.

You can find what you're looking for on hundreds of sites worldwide.  Try

	anonymous ftp to nic.funet.fi (Finland)

	/pub/unix/4.3bsd/net2/lib/libc/gen/crypt.c.Z

This includes source code for fully-functional DES encryption and decryption.

There are some who believe that public domain code is exportable, some
who don't.  Make your own judgements, but it seems obvious to me.

Regards,
Ed Hamrick

Newsgroup: sci.crypt
Document_id: 16067
From: rwirthli@nyx.cs.du.edu (Ralph Wirthlin)
Subject: Re: Is it illegal to transmit encrypted data?

wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705) writes:

>The fact that the NSA is listening may affect your willingness to use
>wimpy crypto technologies, but it may also affect your willingness to
>use technologies that violate RSA's patents, e.g. if you use PGP, the
>NSA may tell RSA that you're doing so, and if the Secret Service catches on,

I'm afraid I have to disagree with you on that point.  NSA will *not*
tell RSA or any other non-DOD entity anything that its eavesdropping
reveals.  That includes the FBI and Secret Service (although there
have been rare exceptions).   


Newsgroup: sci.crypt
Document_id: 16068
From: fig@eff.org (Cliff Figallo)
Subject: Re: Organized Lobbying for Cryptography

jgfoot@minerva.cis.yale.edu (Josh A. Goldfoot) writes:

>Tarl Neustaedter (tarl@coyoacan.sw.stratus.com) wrote:

>: It means that the EFF's public stance is complicated with issues irrelevant
>: to the encryption issue per se. There may well be people who care about
>: the encryption issue who don't care to associate themselves with the
>: network erotica issue (or may even disagree with the EFF's position).

>Perhaps these encryption-only types would defend the digitized porn if it
>was posted encrypted?

>These issues are not as separable as you maintain.

Well, regardless of what policy liabilities anyone in Washington may think
EFF has, it is going ahead aggressively attacking the assumptions that are
behind the Administration's Clipper Chip initiative.  For all the reasons
stated here.  In Washington, you have to work under the assumption that 
everyone has some liabilities.  Government and non-governmental 
organizations alike all share the same glass house.  EFF is variously
identified as the Hacker Defense Fund, the First Amendment Absolutists,
the New Communists, etc, but it is also an acknowledged leader in the
civil liberties arena and is respected as a serious player in the 
policy circles.  So unless there is another organization with the
credibility and clout and right policy stance that you know of in
Washington, please don't count EFF out as a valid representative of
your views in the Clipper Chip matter.
-- 
                    <<*>><<*>><<*>><<*>><<*>><<*>>                         
Cliff Figallo                                     fig@eff.org
EFF Online Guy                                  (617)576-4506

Newsgroup: sci.crypt
Document_id: 16069
From: anton@hydra.unm.edu (Stanton McCandlish)
Subject: Re: PGP Where to get it?

>At the moment PGP is available in executable format for MS-DOS and Mac,
>and source code for most other platforms including UNIX. Many FTP sites
>keep a copy (although the Mac version is getting hard to find). Try the
>following site:
>
>soda.berkeley.edu           /pub/cypherpunks/pgp

For those without FTP access, try NitV-BBS (see .sig).  I have the following:
(all from nic.funet.fi, garbo.uwasa.fi, sony.com, and ftp.uni-erlangen.de)

PLATFORM    EXECS   SOURCE   PATCH4SRC   XTRAS  BBS FILE AREA    FIDO FREQNAME

DOS           x       x                    x      LOGIN         PGPDOS, PGPSDOS
MAC           x       x                           NONIBM        PGPMAC, PGPSMAC
AMIGA         x       ?                           NONIBM        PGPAMI
ARCHIMEDES    x       ?                           NONIBM        PGPARC
OS/2          x       ?                           WIN           PGPOS2
NeXT                            x                 NONIBM        PGPNXT
UNIX          x       x                           NONIBM        PGPUNX

? = haven't looked in the archive to see if it has source or not (usually 
because I can't handle the format).  For FidoNet FREQ magic-names, the
PGPS??? names are source code, others are either execs or execs + src 
[+ extras], or in the case of NeXT, just a patch (you still need one of
the full source code packages).

NitV-BBS is FREE.  This is not an ad, it is a public service announcement.

-- 
Testes saxi solidi!  **********************   Podex opacus gravedinosus est!  
Stanton McCandlish,  SysOp:  Noise in the Void Data Center BBS
IndraNet: 369:1/1      FidoNet: 1:301/2      Internet: anton@hydra.unm.edu
Data phone: +1-505-246-8515 (24hr, 1200-14400 v32bis, N-8-1)

Newsgroup: sci.crypt
Document_id: 16070
From: jhupp@shockwave.win.net (Jeff Hupp)
Subject: Re: New Encryption Algorithm

 
>In article <1raeir$be1@access.digex.net> steve-b@access.digex.com (Steve Brinich) writes:
>> >  Well, actually, this one's easy. It's their job. The NSA is
>> >supposed to develop cryptosystems. If the government chooses to go
>> >ahead and sell those cryptosystems to the masses, so be it.
>>
>>  Ah, but developing cryptosystems which are specificially designed to
>>protect the government's domestic spying capabilities takes them beyond
>>that mandate, into the forbidden field of domestic wiretapping.
>>
>
>Unlike the CIA, the NSA has no prohibition against domestic spying.  Read
>Bamford's THE PUZZLE PALACE.
>
>Bruce
>
        I have that book, and the way I read it is, one side of the
conversation MUST be from outside the United States.
        Of course, that ASS U MEs that the NSA plays by the rules...
 

_____________________________________________________________________
\Jeff Hupp                      |Internet: jhupp@shockwave.win.net   \
|9797 Medowglen, Apt. 1807      |Ad:    Contract Programming, Novell |
|Houston, Texas  77042          |       Network Design and Support.  |
|Voice: (713) 780 - 9419        |"The best government doesn't" -- me.|
\_____________________________________________________________________\ 

Newsgroup: sci.crypt
Document_id: 16071
From: jhupp@shockwave.win.net (Jeff Hupp)
Subject: Re: New Encryption Algorithm

 
>In article <C61rDq.5v5@chinet.chi.il.us>, schneier@chinet.chi.il.us 
>(Bruce Schneier) writes:
> 
>|> Unlike the CIA, the NSA has no prohibition against domestic spying.  Read
>|> Bamford's THE PUZZLE PALACE.
>
>We had a senior NSA scientist in Cambridge at one of our workshops recently
>(in fact he was here when the Clipper announcement was made, but we didn't
>learn of it till after he'd gone). He said on this point that he was forbidden
>by law to monitor conversations between US nationals (and he is a chap who is 
>very precise about his choice of words). So I don't expect he'd have any qualms
>about monitoring a domestic US conversation if one of the parties was an alien.
>
>However it got me thinking of the Navajo code talkers. Just imagine:
>
>+ `Hello, is that the Iraqi mission in New York? This is the Iraqi foreign
>+ ministry in Baghdad, I am Farouq Hussein, US citizen, social security number
>+ so-and-so'
>
>+ `Yes, indeed, this is the New York mission, Mustafa Jadid speaking, also a
>+ US citizen, my social security number is such-and-such, here is our report
>+ on activities against the Satan Clinton'
>
>Ross
>
        This one is easy, they 'tape' the conversation, call the FBI or
Secret Service.  You see "activities against the Satan Clinton" could be
construed as a threat against the President of the United States.  I am
sure they(NSA,FBI,SS,...,...) have enough judges in their collective
pockets to have a warrant before the call is over..... 

_____________________________________________________________________
\Jeff Hupp                      |Internet: jhupp@shockwave.win.net   \
|9797 Medowglen, Apt. 1807      |Ad:    Contract Programming, Novell |
|Houston, Texas  77042          |       Network Design and Support.  |
|Voice: (713) 780 - 9419        |"The best government doesn't" -- me.|
\_____________________________________________________________________\ 

Newsgroup: sci.crypt
Document_id: 16073
Subject: Re: What would happen if export restrictions violated?
From: a_rubin@dsg4.dse.beckman.com (Arthur Rubin)

In <C61rt8.6BC@chinet.chi.il.us> schneier@chinet.chi.il.us (Bruce Schneier) writes:

>In article <Apr23.215306.83257@yuma.ACNS.ColoState.EDU> holland@CS.ColoState.EDU (douglas craig holland) writes:
>>
>>OK, I heard a lot of talk about the NSA's infamous control over encryption
>>export through the ITAR.  Here's a question.  Say I develop this great new
>>encryption system, and I want to sell my software worldwide.  The thought
>>police then come in and say "This algorithm is a threat to national security.
>>You will not be permitted to export it."  At this point, what kind of trouble
>>could I get into if I ignored the ITAR and sold my program to international
>>customers anyway?
>>
>>Doug Holland

>You would be arrested as an international arms trafficker.

There are several things in ITAR which have never been tested in court. 
The consensus appears to be:

You could be arrested as an international arms trafficker.  (You could,
regardless of the state of the law, but there are some paragraphs which
suggest you would be violating the law.)

If it goes to court, the ITARs could be thrown out as incompatible with the
First amendment; or the court could rule that "software" is "technical
data" not subject to the ITARs; or the court could rule that the
phrase "publicly available" as defined in the ITARs would apply,
making it only subject to requiring a general export license; or, you could
be prosecuted successfully for arms trafficking or espionage.  General
consensus among lawyers who have read the ITARs is that one of the first
two would occur.
--
Arthur L. Rubin: a_rubin@dsg4.dse.beckman.com (work) Beckman Instruments/Brea
216-5888@mcimail.com 70707.453@compuserve.com arthur@pnet01.cts.com (personal)
My opinions are my own, and do not represent those of my employer.

Newsgroup: sci.crypt
Document_id: 16074
From: zrepachol@cc.curtin.edu.au (Paul Repacholi)
Subject: Re: Clipper considered harmful [Restated and amplified]

In article <strnlghtC602KA.IFD@netcom.com>, strnlght@netcom.com (David Sternlight) writes:
> 
> Brad Yearwood posts a long response to the issue of registering a
> phone-clipper relationship.
> 
> It doesn't wash.
> 
> Recall that law enforcement gets a court order to tap a suspect's phone
> calls. They do what they do now--figure out which lines to tap. They then
> record the stuff. If it's Clipper, they read the law enforcement block,
> extract the serial number, and get the keys using the court order.
> 
> No new difficulties (such as using someone else's phone instrument or phone
> line) are introduced that wouldn't have existed absent clipper. If the
> crooks were going to use a pay phone (say), they could have done so without
> clipper. If the government figures out they're so doing, they listen in, and
> if it's a clipper conversation they get the serial number and then the keys.
> 
> If the crooks use an innocent person's clipper phone on the tapped line
> there's no problem. The Feds don't care whose phone instrument is used, just
> that the conversation is by the suspect on the tapped line. They get the
> serial number, get the keys, and they are in business.
> 
> No clipper chip to person association is ever needed.
> 
> David
> -- 
> David Sternlight         Great care has been taken to ensure the accuracy of
>                          our information, errors and omissions excepted.  
> 
> 

Newsgroup: sci.crypt
Document_id: 16075
From: TSOS@uni-duesseldorf.de (Detlef Lannert)
Subject: Re: Clipper considered harmful [Restated and amplified]

In article <WCS.93Apr26141950@rainier.ATT.COM> wcs@anchor.ho.att.com (Bill Stewart +1-908-949-0705) writes:

>   The serial number will be in a 64 bit block, with a 34 bit filler.  Doesn't
>   take a lot to check to see if that is correct.
>
>Depends on whether the filler is a constant (makes checking easy,
>but susceptible to replay), or variable (e.g. timer, counter, random),
>which makes replay harder and can also make it easier for the
>inquisitors to know if they've missed messages, or gotten them out of
>sequence, or other interesting things that sort of person might care about.

I'd use a secret (nope, obscure) cryptographic encoding to expand the 
30 bit serial number to a 64 bit block. The redundancy hereby introduced 
can be used to detect tampered Clipper signals where some public enemy 
replaced the L.E. block by random data. 

And of course the L.E. block would be used to initialise the encryption 
of the user data so that at the receiving end the correct L.E. block must 
be processed in order to have any chance of getting the plaintext back. 

For those of you who might want to mangle the L.E. block (e.g. by xor-ing 
a constant pattern) on the transmission line and restore it before feeding 
it into the receiving Crippler Chip I would add further encrypted copies 
of this block (perhaps created by repeated application of the encryption 
algorithm or so) at regular intervals during the transmission. If the 
receiving chip detects a mismatch it must assume that the line is bad and 
it will cease to work; in your own interest you are protected from getting 
faulty plaintext, you know -- it's just like a checksum for your own 
safety ;-(. 

The `monitoring agencies' won't have the famous black box which is needed 
for actual decryption and will be kept by the FBI; but nothing prevents 
them from using special boxes which will do the redundancy check for the 
serial number block and consistency checks on the embedded L.E. blocks 
within the transmission. These boxes will turn a red light on as soon as 
they detect a bitstream that violates the correct protocol.

So don't anyone think that you can use the chip and fool L.E. about the 
tapping key -- I bet the developers have provided much better checks 
than those suggested above. Of course it's absolutely crucial that the 
algorithms (and protocols) remain secret. Personally I doubt they will.

--
Detlef Lannert       DC3EK       E-Mail: tsos@rz.uni-duesseldorf.de
PGP 2.2 key via server or finger lannert@clio.rz.uni-duesseldorf.de
"I am Psmith." - "Oh, you're Smith, are you?" - "With a preliminary
P. Which, however, is not sounded."                   P.G.Wodehouse

Newsgroup: sci.crypt
Document_id: 16076
From: jap@cbnews.cb.att.com (james.a.parker)
Subject: Re: The [secret] source of that announcement

In article <1r9m97$enn@news.intercon.com> amanda@intercon.com (Amanda Walker) writes:
>CompuServe is in Columbus, OH.  So are the corporate headquarters of several 
>major insurance companies, the largest private R&D company in the world 
>(Batelle Memorial Institute), DCSC (The Defense Construction & Supply 
>Center), Ohio State University (one of the three largest US universities), 
>OCLC (the Online College Library Center), and so on.  You'd be amazed, 
>actually.

Don't forget Chemical Abstracts Service (which is pretty much the international
clearinghouse for all chemical information), whose former director (Ronald
Wigington) and head of R&D (Nick Farmer) were openly former NSA employees.

                                      James Parker
                                      jap@cb1focus.att.com

Newsgroup: sci.crypt
Document_id: 16077
From: ad@cat.de (Axel Dunkel)
Subject: Summary: How sensible is DES towards bit-errors?

Hi,

I'd like to thank you all for the fast responses. 
Special thanks go to those who replied (lexical order):

Marcus J Ranum <mjr@TIS.COM>
Paul Crowley <pdc@dcs.ed.ac.uk>
pausch@saaf.se (Paul Schlyter)
tarnold@vnet.IBM.COM (Todd W. Arnold)
wcs@anchor.ho.att.com (Bill Stewart) 

My question was:

>how sensible is DES encrypted data towards bit errors? How much data per
>bit will be lost in average (I assume you still have the correct key)?

How much of the DES-encrypted data is affected depends on the used
encryption mode. According to Marcus J Ranum (mjr@TIS.COM) there is:

|	cfb = cipher feedback mode
|	ecb = electronic code book mode
|	cbc = cipher block chaining mode
|	ofb = output feedback mode
|
|	each mode does some stuff better than others. ofb and cfb are designed
|for communications streams more than for files.

Unfortunately, people strongly disagree on which mode will lead to destruction
of all of the following data. It sure seems that some modes will resync quite
fast, others never, and others will only affect the very block.

Summarized, people said concerning *this* matter:

/
|In CBC mode, only the current block will be affected (tarnold@vnet.IBM.COM 
|<Todd W. Arnold>).
|
|If you use CBC (Cipher Block Chaining), then the remainder of the data
|will be destroyed as well. (pausch@saaf.se <Paul Schlyter>)
|
|In CFB mode, DES synchronizes quite fast (probably within 1 block 
|according to Marcus J Ranum <mjr@TIS.COM>).
\

Maybe someone *definitely* knows what happens in which mode?

Nevertheless, Thank you all very much again.

Axel Dunkel

--------------------------------------------------------------------

I include the responses I got:

From: tarnold@vnet.IBM.COM (Todd W. Arnold)

In <ad.735831059@cat> Axel Dunkel writes:
>how sensible is DES encrypted data towards bit errors? How much data per
>bit will be lost in average (I assume you still have the correct key)?

It depends on the mode you're using.  For a single 64-bit input block, a
one-bit error will have a 50 percent chance of corrupting each of the 64
output bits - in other words, it essentially turns the output block into
a random number.  If you're encrypting data in CBC mode, however, only the
one 64-bit block will be affected.  The next block, and all that follow it
will be decrypted properly.

It's a good idea to have some kind of error correction in your system if
corrupted bits are likely.

   - Todd

--------------------------------------------------------------------

From: pausch@saaf.se (Paul Schlyter)

In article <ad.735831059@cat> you write:
>Hello,
>
>how sensible is DES encrypted data towards bit errors? How much data per
>bit will be lost in average (I assume you still have the correct key)?

At least 8 bytes of data will be destroyed if one bit encrypted data is
in error.

If you use CBC (Cipher Block Chaining), then the remainder of the data
will be destroyed as well.

DES is VERY sensitive to single bit errors.  This is as it should be.

-- 
---
Paul Schlyter, Swedish Amateur Astronomer's Society (SAAF)
Nybrogatan 75 A, 6 tr,  S-114 40 Stockholm,  Sweden
InterNet:  pausch@saaf.se

--------------------------------------------------------------------

From: Paul Crowley <pdc@dcs.ed.ac.uk>

> how sensible is DES encrypted data towards bit errors? How much data per
> bit will be lost in average (I assume you still have the correct key)?

Probably very bad; you might lose the rest of the data stream.  If you
want safety against dropped bits use an error correcting coder like the
freeware GNU ecc.
  __                                  _____
\/ o\ Paul Crowley   pdc@dcs.ed.ac.uk \\ //
/\__/ Trust me. I know what I'm doing. \X/  Fold a fish for Jesus!

--------------------------------------------------------------------

From: wcs@anchor.ho.att.com

   how sensible is DES encrypted data towards bit errors? How much data per
   bit will be lost in average (I assume you still have the correct key)?

It depends on the mode you're using DES in.
Electronic Code Book (ECB) takes a block of 64 input bits
and produces 64 output bits, so if any bits are changed,
the entire block of 64 bits becomes bad.
I forget which feedback mode is which.
In all of them, the results of encrypting one block affect later blocks.
With some modes, the system self-synchronizes, so errors are repaired
in a few blocks.  With other modes, once one block is bad,
all later blocks will be bad too.

There's also the framing problem.  If you have a bit change,
the block that it's in changes, and maybe later blocks also change.
But if you have bits lost or bits added (64 bits in, 63 or 65 bits out),
everything is confused after that.

--------------------------------------------------------------------

From: Marcus J Ranum <mjr@TIS.COM>

	depends on the mode you're using. cfb, for example, synchronises
pretty fast. figure a bit error will destroy the current block and the
next one.

mjr.

--------------------------------------------------------------------

---
Experience is what you get if you don't get what you want...

Systemberatung Axel Dunkel, Koenigsberger Strasse 41, D 6239 Kriftel, Germany
E-Mail: ad@cat.de, Voice: +49-6192-41360, Fax: +49-6192-46949
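
The replies above disagree about which DES mode survives a flipped
ciphertext bit. As an added check (this is not code from the thread or
from any of its posters), the following Python runs the four modes Marcus
Ranum lists over a toy 64-bit Feistel cipher that stands in for DES (an
assumption made so it runs with only the standard library; error
propagation depends only on the mode, not on the block cipher), flips one
ciphertext bit, and counts the wrong plaintext bits in each block. The
key, IV and plaintext are constructed sample values.

```python
"""One-bit ciphertext error under ECB, CBC, CFB and OFB.

Added example, not code from the sci.crypt thread.  ASSUMPTION: a small
64-bit Feistel cipher keyed through SHA-256 stands in for DES; the
per-block error pattern is a property of the mode, so DES in the same
mode behaves the same way.
"""
import hashlib

BLOCK = 8  # 64-bit blocks, as in DES


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, r: int, half: bytes) -> bytes:
    # Toy round function: keyed hash of the half-block, truncated to 32 bits.
    return hashlib.sha256(key + bytes([r]) + half).digest()[:4]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # 8-round Feistel network; invertible whatever the round function is.
    left, right = block[:4], block[4:]
    for r in range(8):
        left, right = right, _xor(left, _f(key, r, right))
    return right + left


def block_decrypt(key: bytes, block: bytes) -> bytes:
    right, left = block[:4], block[4:]
    for r in reversed(range(8)):
        right, left = left, _xor(right, _f(key, r, left))
    return left + right


def _blocks(data: bytes) -> list:
    if len(data) % BLOCK:
        raise ValueError("data must be a whole number of 64-bit blocks")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def encrypt(mode: str, key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = [], iv
    for p in _blocks(plaintext):
        if mode == "ECB":
            c = block_encrypt(key, p)
        elif mode == "CBC":  # chain: plaintext XOR previous ciphertext block
            c = block_encrypt(key, _xor(p, prev))
            prev = c
        elif mode == "CFB":  # keystream = E(previous ciphertext block)
            c = _xor(p, block_encrypt(key, prev))
            prev = c
        elif mode == "OFB":  # keystream = E(previous keystream block)
            prev = block_encrypt(key, prev)
            c = _xor(p, prev)
        else:
            raise ValueError(mode)
        out.append(c)
    return b"".join(out)


def decrypt(mode: str, key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(ciphertext):
        if mode == "ECB":
            p = block_decrypt(key, c)
        elif mode == "CBC":
            p = _xor(block_decrypt(key, c), prev)
            prev = c
        elif mode == "CFB":
            p = _xor(c, block_encrypt(key, prev))
            prev = c
        elif mode == "OFB":
            prev = block_encrypt(key, prev)
            p = _xor(c, prev)
        else:
            raise ValueError(mode)
        out.append(p)
    return b"".join(out)


def flip_bit(data: bytes, bit_index: int) -> bytes:
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def error_profile(mode: str, key: bytes, iv: bytes,
                  plaintext: bytes, bit_index: int) -> list:
    """Flip one ciphertext bit, decrypt, and return the number of wrong
    plaintext bits per block.  Lost or inserted bits (framing errors) are
    not modelled; those desynchronise every mode until re-aligned."""
    damaged = flip_bit(encrypt(mode, key, iv, plaintext), bit_index)
    recovered = decrypt(mode, key, iv, damaged)
    return [sum(bin(x ^ y).count("1") for x, y in zip(a, b))
            for a, b in zip(_blocks(plaintext), _blocks(recovered))]


# Constructed sample values (not from the thread).
SAMPLE_KEY = b"constructed-key!"
SAMPLE_IV = bytes(range(8))
SAMPLE_PT = bytes(range(48))   # six 64-bit blocks
DAMAGED_BIT = 2 * 64 + 3       # a bit inside ciphertext block 2

if __name__ == "__main__":
    for mode in ("ECB", "CBC", "CFB", "OFB"):
        print(mode, error_profile(mode, SAMPLE_KEY, SAMPLE_IV, SAMPLE_PT, DAMAGED_BIT))
```

Running it shows the pattern each mode produces: ECB garbles only the
damaged block; CBC garbles the damaged block and flips the corresponding
single bit in the next one; full-block CFB flips the single bit in the
damaged block and garbles the next one, then resynchronises; OFB flips
only the one bit. A stream that loses or gains a bit rather than flipping
one is a different failure and breaks every mode until framing is
restored, which is the case for error-correcting coding mentioned in
the replies.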


Newsgroup: sci.crypt
Document_id: 16078
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: Re: Clipper considered harmful [Restated and amplified]

brad@optilink.COM (Brad Yearwood) writes:
>In article <1993Apr22.222016.25628@lehman.com>, pmetzger@snark.shearson.com (Perry E. Metzger) writes:
>> You obviously haven't read the information about the system. The chips
>> put out serial number information into the cypher stream to allow
>> themselves to be identified. The system does not rely on registering
>> people as owning particular phone units.
>> 
>> I am against the proposal, but let's be accurate in our objections.
>> 
>
>Do not presume to tell me what I have and have not read.  The system may
>not rely upon registering people as owning particular phone units, but
>it is necessary to know which phone units are likely to be used for some
>suspected criminal communication before you can obtain their unit keys
>from escrow.

Big deal. If you are a legitimate law enforcement agent and have a
legitimate wiretap order, you just listen in on the line for 10
minutes, get the serial number, and then take the order and go to the
escrow agencies. If you notice the criminal is now using a different
phone instrument, take your still-valid wiretap order to the escrow
agency with the new serial number. (This provides opportunities for
abuse by law enforcement, but that's not what we are discussing right
now.) I oppose Clipper, but the mechanics here are simple and easy to
understand. The whole rest of your article is based on a large series
of false premises, all predicated on the notion that this simple act
is somehow impossible.

I feel free to presume to tell you that you do not seem to understand
the mechanics of the proposal. Arguing that terrorists will be killing
people for their clipper phones is silly because it's pointless. Let's
be alarmist about what really would show up as a problem, shall we?

--
Perry Metzger		pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
Document_id: 16079
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: Re: Overreacting (was Re: Once tapped, your code is no good any more)

jhan@debra.dgbt.doc.ca (Jerry Han) writes:
>In article <RENS.93Apr22153654@stimpys.imsi.com> rens@imsi.com (Rens
>Troost) writes: 
>
>>>   In this giant bally-ho over this Clipper chip I noticed a rather
>>>   disturbing trend in some of the E-mail and posts I've been tossing back and
>>>   forth.  
>>
>>Me too. A tendency on the part of some people to hide their head in
>>the sand.
>
>I never advocated "hiding in the sand."  I'm advocating a peaceful
>solution while a peaceful solution is possible.  Unless you want blood on
>your hands.

No one has mentioned violence other than you, Mr. Han. I believe you
are imagining things.

--
Perry Metzger		pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
Document_id: 16080
From: mjacques@flute.calpoly.edu (Michael Jacques)
Subject: Re: Does Rush read his E-mail?

In article <1993Apr26.121052.9530@esseye.si.com> jongsma@tws4.si.com writes:
>In <1993Apr23.153320.4568@henson.cc.wwu.edu> n9045178@henson.cc.wwu.edu (Sean Dean) writes:
>
>>But I have no idea of a Compuserve e-mail address...
>
>70277.2502@compuserve.com

However, he said on his radio show today that he won't read anything
from the two alt groups. He simply deletes them without reading them. He
says that some of the people in the two groups are vicious.

>
>
>-- 
>Ken Jongsma                                          
>Smiths Industries                                jongsma@swdev.si.com
>Grand Rapids, Michigan                      73115.1041@compuserve.com



Newsgroup: sci.crypt
Document_id: 16081
From: bryan@jpl-devvax.jpl.nasa.gov (Bryan L. Allen)
Subject: Re: New Encryption Algorithm

In article <49@shockwave.win.net> jhupp@shockwave.win.net (Jeff Hupp) writes:
> 
>>In article <1raeir$be1@access.digex.net> steve-b@access.digex.com (Steve Brinich) writes:
[some deleted]
>>
>>Unlike the CIA, the NSA has no prohibition against domestic spying.  Read
>>Bamford's THE PUZZLE PALACE.
>>
>>Bruce
>>
>        I have that book, and the way I read it is, one side of the
>conversation MUST be from outside the United States.
>        Of course, that ASS U MEs that the NSA plays by the rules...

One thing that seems ambiguous is whether a signal being echoed down from
geosynchronous orbit is "...from outside the United States."

Also, being able to assess whether NSA is playing by the rules requires
knowing what the rules are. We only know a subset. For those even more
suspicious, there could be other surveillance organizations "blacker"
than the NSA.

-- 
          Bryan L. Allen       bryan@devvax.jpl.nasa.gov
          Telos Corp./JPL      (818) 306-6425

Newsgroup: sci.crypt
Document_id: 16082
From: ktl@wag.caltech.edu (Kian-Tat Lim)
Subject: Re: Dorothy Denning opposes Clipper, Capstone wiretap chips

The *security* of the system does depend only on the secrecy of the keys.

The ability to tap is an inherent *insecurity* which depends fundamentally on
the secrecy of the algorithm.  To spell it out, because so many people seem to
miss the point, if the algorithm were published, anyone could create a chip
which would work correctly with the Skipjack chips but which would not have
its key registered.

I believe there is no technical means of ensuring key escrow without the
government maintaining a secret of some kind.  For example, the secret could be
the private keys of the escrow agencies; their digital signatures would be
required before a key could be used.  In this case, the NSA/NIST/whoever has
decided that protecting the entire algorithm is easier/cheaper/more secure than
other possible protocols.

-- 
Kian-Tat Lim (ktl@wag.caltech.edu, GEnie: K.LIM1)
Materials & Molecular Simulation Center, Caltech
Henry Spencer left-of-|, Margaret "*" Puckette signature fan

Newsgroup: sci.crypt
Document_id: 16083
From: bchen@wpi.WPI.EDU (Bi Chen)
Subject: Help: Where is FAQ for sci.crypt and other questions


Dear netters:

I have been scanning this newsgroup for a while but have not found a FAQ.
Could someone enlighten me as to where to find the FAQ, if there is one. Also,
could someone recommend a few good books about encryption and decryption,
about patent information, and government regulation of this science/technology.
I will appreciate any of your help very much.

Sincerely

Bi Chen



Newsgroup: sci.crypt
Document_id: 16084
From: mnemonic@eff.org (Mike Godwin)
Subject: Re: Dorothy Denning opposes Clipper, Capstone wiretap chips

In article <allen.735873202@well.sf.ca.us> allen@well.sf.ca.us (Allen Barrett Ethridge) writes:
>In <1993Apr26.063532.10120@eff.org> mnemonic@eff.org (Mike Godwin) writes:
>
>>In article <C614BJ.BK6@agora.rain.com> jhart@agora.rain.com (Jim Hart) writes:
>>>"The security of the system should depend only on the secrecy of
>>>the keys and not on the secrecy of the algorithms" -- Dorothy Denning
>
>>Cite source, please.
>
>"Cryptography and Data Security", page 8, perhaps.

Thanks. Got that from two other sources as well. The full quote is as
follows:

From Dorothy Denning, CRYPTOGRAPHY AND DATA SECURITY, Addison-Wesley
1982,1983, page 8:

"Cryptosystems must satisfy three general requirements:

"1. The enciphering and deciphering transformations must be efficient for
all keys.

"2. The system must be easy to use.

"3. The security of the system should depend only on the secrecy of the
keys and not on the secrecy of algorithms E [enciphering] or D
[deciphering]."



--Mike




-- 
Mike Godwin,    |    Ariel Rose Godwin
mnemonic@eff.org|    Born 4-15-93 at 4:34 pm in Cambridge 
(617) 576-4510  |    7 pounds, 1.5 ounces, 19.75 inches long 
EFF, Cambridge  |    A new citizen of the Electronic Frontier 

Newsgroup: sci.crypt
Document_id: 16085
From: pat@rwing.UUCP (Pat Myrto)
Subject: Re: Suggestions for escrow agencies (was: Re: More technical details)

In article <C5y746.73K@vcd.hp.com> johne@vcd.hp.com (John Eaton) writes:
<Paul Robichaux (robichau@lambda.msfc.nasa.gov) wrote:
<: 
<: As a private citizen, I would feel much more "secure in my person and
<: papers" knowing that an organization committed to individual civil
<: liberties- the ACLU and the NRA come to mind- was safeguarding half of
<: my key. Both the ACLU and the NRA are resistant to government pressure
<: by the simple expedient fact that they are not supported, funded, or
<: overtly controlled by the government.
<: --------------------------
<That's one problem that has so far been overlooked. These two escrow
<agencies will have to create a secure database and service the
<input and output of Keys. Who pays for this? If they refuse an
<illegal request from some congressman to deliver a key can their
<budget be cut to punish them? Will congress be forced to fund
<them forever?

Congress isn't forced to do ANYTHING.  Not even follow their own rules,
if it isn't expedient.  If caught with their collective pants down,
they make some funny noises, perhaps crucify a scapegoat or two, then
continue business as usual.  I notice those senators involved with
the S&L Scandal weren't hurt too much, if at all.  DeConcini's personal
stake in suppliers to those big Aerostats hasn't affected his credibility
at all, inside Congress, at least.  He is still pushing his police state
agenda...

<The problem is that laws can change. Congress may pass a law setting
<up an escrow agency with instructions that keys are private. Some
<future congress may change that law. Suppose pre-nazi Germany had
<a clipper system. Do you think the escrow agencies would have
<told Hitler that he could not have the keys without a valid 
<court order?

It will be like the old saw in New Jersey and New York, Chicago, etc
when the politicians PROMISED that this spiffy new gun registration law
will NOT be used for future confiscation purposes.  Sure enough, a few
years later, when they WERE used JUST FOR THAT PURPOSE, and folks
complained, the response was "Well, *I* didn't make that promise..."
Some politicians may not even wait a few years...  Escrowed keys would
have the same assurances of security.  Besides, if someone wants to
snoop, how are YOU to know - you don't think they will send you a letter
saying "We are now snooping on your private conversations...", do you?
What are the assurances the escrow people will not be FORBIDDEN to
report any access attempts for one's keys?

So much for government assurances of privacy.

<In effect you must set up escrow agencies as a fourth branch of
<the government and isolate them from any outside interference.
<They will be able to directly tap into Federal funds with no
<accountability to anyone except through a court challenge.

How?  The Feds will just change the law, or just ignore it.  Nothing
new here...  They got the muscle, the resources, the guns...

As an aside, since export of crypto is verboten because of ITAR,
shouldn't the Second Amendment also come into play here?

<John Eaton
<!hp-vcd!johne

-- 
pat@rwing.uucp      [Without prejudice UCC 1-207]     (Pat Myrto) Seattle, WA
         If all else fails, try:       ...!uunet!pilchuck!rwing!pat
WISDOM: "Only two things are infinite; the universe and human stupidity,
         and I am not sure about the former."              - Albert Einstein

Newsgroup: sci.crypt
Document_id: 16086
From: pat@rwing.UUCP (Pat Myrto)
Subject: Re: Screw the people, crypto is for hard-core hackers & spooks only

In article <WARLORD.93Apr24232556@podge.mit.edu> warlord@MIT.EDU (Derek Atkins) writes:
<In article <strnlghtC5t4D6.Jn8@netcom.com> strnlght@netcom.com (David Sternlight) writes:
<
<   Some countries have laws about importing crypto gear--I believe the U.S.
<   does. Without a license the above scheme won't work (at least not legally)
<   in such countries, including at least France and the U.S.
<
<   David
<
<BZZT!
<
<Wrong.  The US does NOT have crypto import laws.

I'd not be so sure about that:

Are there any MUNITIONS import laws, and could those be used against
importation of crypto hardware/software as well as firearms?

Importing so-called 'assault weapons' for use by commoners comes to mind....

NOTE - talk.politics.guns added to Newsgroups for possible feedback...

-- 
pat@rwing.uucp      [Without prejudice UCC 1-207]     (Pat Myrto) Seattle, WA
         If all else fails, try:       ...!uunet!pilchuck!rwing!pat
WISDOM: "Only two things are infinite; the universe and human stupidity,
         and I am not sure about the former."              - Albert Einstein

Newsgroup: sci.crypt
Document_id: 16087
From: strnlght@netcom.com (David Sternlight)
Subject: Re: Overreacting (was Re: Once tapped, your code is no good any more)

In article <1993Apr27.190451.25650@lehman.com> pmetzger@snark.shearson.com
(Perry E. Metzger) writes:


>
>No one has mentioned violence other than you, Mr. Han. I believe you
>are imagining things.

This is factually incorrect. There was at least one message that said that
Waco and Clipper justified "anything" in response.

David
-- 
David Sternlight         Great care has been taken to ensure the accuracy of
                         our information, errors and omissions excepted.  



Newsgroup: sci.crypt
Document_id: 16088
From: jamesl@galaxy.nsc.com (James Lu x3702)
Subject: How to make this illuminating thing?


In some hobby shops, they sell a flexible tube (1/4-inch diameter,
18 inches long) that will illuminate if you bend or shake it (it
is also sold in amusement parks in the evenings). The brightness
can last 2 to 4 hours. If it is left in a refrigerator (in the cold),
you can prolong its life of illumination.

Is this something we can make ourselves easily? Or, do you know any
reading that can provide details about this stuff? Working with kids,
it would be nice if it can be a do-it-yourself project with
minimum budget.




Newsgroup: sci.crypt
Document_id: 16089
From: mcnally@quip.eecs.umich.edu (Mike McNally)
Subject: Re: I have seen the lobby, and it is us

In article <C5xxGA.GAv@ms.uky.edu> morgan@engr.uky.edu (Wes Morgan) writes:
>
>You should realize that form letters are the *worst* way to influence
>your congresscritters; exact copies are routinely placed on the lowest
>rung of the opinion ladder.
>
>If you want to write (and I think you should!), take the time to really
>*write* a letter.  Things to emphasize:

  [excellent and helpful list deleted] 

>	- Be concise; don't ramble.  Rants are *definitely* out of place.
>	  Cite references, if necessary, but only use "accepted" references
>	  like academic journals.  "My neighbor Jim" is *not* a real refer-
>	  ence.  8)

  Wes's list of "do"s and "don't"s for writing your Congressional
representatives is a fine one, but I'd like to encourage people to pay
extra attention to the point above.  As cliched as the saying may be
it's nevertheless true that you can catch more flies with honey than
with vinegar.

  While the writing styles prevalent on the net possess a certain charm
please remember that the person reading your letter is likely to be
uninfluenced or negatively influenced if you express your concerns in
a way that makes you sound like a flake or a paranoid crackpot.  Wild
and unsupported accusations about the menace from the NSA will not
carry much weight, nor are overblown conclusions about the inevitable
consequences of the proposal likely to convince (especially not ones
that attempt strained analogies to the rise of the Nazi party.  Please
save the Niemoller quote for another letter..)

  If you want your opinions to be taken seriously it is *very* important
that you state those opinions in a manner that is understandable and 
seems reasonable to a layman.  Don't overburden your reader with technical
details or expect them to know the history of various encryption 
technologies.  Before you mail it, hand your letter to a non-technical
friend and ask them to sanity-check it.

  Above all, realize that legislators are often motivated as much by
self-interest as by anything else.  Try to point out risks in terms that
will be meaningful and motivating to them such as the loss of individual
privacy rights or the damage restrictive export regulations do to American
businesses' ability to compete in the global marketplace.  Pull the 
strings that you think will work with your legislator -- if your
legislator is unlikely to be swayed by civil-rights concerns then point out
how a government-granted monopoly for Mycotronx damages the competitiveness
of businesses in your district that manufacture or market phone or crypto
technology.

                                                                 -mcnally.

Newsgroup: sci.crypt
Document_id: 16092
From: pmetzger@snark.shearson.com (Perry E. Metzger)
Subject: Re: Secret algorithm [Re: Clipper Chip and crypto key-escrow]

strnlght@netcom.com (David Sternlight) writes:
>>  Well, that explains it.  The government has no real need to spy on people
>>who already love Big Brother; it's the people who are inclined to talk
>>back who need to be watched.

>Though I think this an overstatement, it does contain a grain of truth. It's
>drug dealers, spies, terrorists, and organized crime figures (assuming
>enough probable cause to convince a judge) who need to be watched, not
>law-abiding citizens.

And thus, COINTELPRO, in which horrible people who threatened the
republic by disagreeing with the Government were systematically kept
track of for years...

--
Perry Metzger		pmetzger@shearson.com
--
Laissez faire, laissez passer. Le monde va de lui meme.

Newsgroup: sci.crypt
Document_id: 16101
From: C445585@mizzou1.missouri.edu (John Kelsey)
Subject: forbidden to reveal wiretap?


   If it's forbidden to inform someone of a police wiretap on their phone, then
is it legal to work privately as a "sweeper," and report to the person you
work for whether you found a bug?

Newsgroup: sci.crypt
Document_id: 16102
From: C445585@mizzou1.missouri.edu (John Kelsey)
Subject: Clipper and backdoors

David Sternlight says:
 
>It discredits the writer with third parties to claim Clipper has a back
>door. It does not.
 
   Actually, David, I don't think it's any more intellectually honest to
say there are no backdoors than to say there are backdoors, unless you've
had a chance to examine the algorithm and the silicon closely.  For all
we know, skipjack could be easily broken, or impossible to break.  And
clearly, if skipjack is not secure, then the clipper chip is not worth much.
 
   --John Kelsey

Newsgroup: sci.crypt
Document_id: 16105
From: tedwards@eng.umd.edu (Thomas Grant Edwards)
Subject: Re: Clipper considered harmful

>Sternlight) writes:
>>>(Gideon Yuval) writes:
>>>>If these personal attacks are what stopped Prof. Denning from
>>>>replying on issues of substance, they have cause real harm
>>>>to the serious debate here.
>>>They are and they have.

If Prof. Denning is afraid of posting here due to personal attacks,
perhaps she should use an anonymous posting service.  That is why
they are there, to allow heated debate to occur without the personal
attacks.  

Is anon@penet back up yet?

-Thomas


Newsgroup: sci.crypt
Document_id: 16115
From: grady@netcom.com (1016/2EF221)
Subject: Re: Subliminal Channels in DSS

May I suggest that any proposed cipher system
having less entropy than the user's key and message can have
an embedded subliminal channel as big as the
difference in entropies between the entropy of the user
input (message) and the entropy of the output?

For example, take plain DES.  The unsuspecting
user inputs a string "PLAINTEXT" to be enciphered.

He cranks the algorithm which has been hacked
by George Quisling and comes out with j*3H4902d.

Nine chars in and nine chars out.  Right?

The unsuspecting user ships the ciphertext
to be decrypted and the message "PLAINTEXT"
is produced.  Everything fine, right?  Nope.


Imagine the algorithm did a LZ compression
on PLAINTEXT before DESing.  (Compressing it
down to four characters with more entropy:

9#wj

The opponent now pads the message with his
own message, also compressed

*3dk@

before applying DES to the concatenated
compressed pairs.  When decrypted, the
first compressed message is stripped off
and declared sent.  Unbeknownst to the
receiver, the opponent's accomplice collects
the remaining message in the bit bucket and
uncompresses to KILL NOW.

And to prevent all such subliminal or covert
storage channels you would need to have 
maximal entropy all the time -- which is
a priori impossible because (for example)
a stereotypical message might be
replaced by one bit in the output reserving
the rest of the output bits for the long
covert message.

In other words, if your opponent gets to muck
with the algorithm -- you either have got to
muck with it LAST or concede his possible 
embedding of covert channels.

In other words, if you present a message
to an opponent with less than maximal entropy
then you have given him free bits of storage.

-- 
grady@netcom.com  2EF221 / 15 E2 AD D3 D1 C6 F3 FC  58 AC F7 3D 4F 01 1E 2F
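The covert storage channel grady describes, as an added example (not code from the post). A toy stream cipher (SHA-256 in counter mode, constructed here as a stand-in for DES) is implemented twice: an honest reference, and a subverted version that compresses the stereotyped message and fills the freed space with a second payload, so that "nine chars in, nine chars out" still holds and the legitimate receiver recovers exactly the message that was sent. The defender's point it adds is that the only signal is the implementation itself: a known-answer test against a reference implementation on a fixed vector fails for the subverted cipher, while comparing input and output lengths shows nothing. KEY, MESSAGE and COVERT are constructed values, and the frame layout (length prefixes and zero padding) is an assumption made for this example.

```python
import hashlib
import zlib

def keystream(key, n):
    """Toy keystream: SHA-256 in counter mode. Constructed stand-in for DES, not DES."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Reference (honest) implementation: the ciphertext is exactly as long as the message.
def honest_encrypt(key, msg):
    return _xor(msg, keystream(key, len(msg)))

def honest_decrypt(key, ct):
    return _xor(ct, keystream(key, len(ct)))

# Subverted implementation (the post's "hacked" algorithm): compress the real message,
# put a covert payload in the slack, zero-pad, encrypt. Output length is unchanged.
def subverted_encrypt(key, msg, covert):
    body = zlib.compress(msg, 9)
    slack = len(msg) - 3 - len(body)        # 2-byte body length + 1-byte covert length
    if len(covert) > slack:
        raise ValueError("message has too much entropy to hide this payload")
    frame = (len(body).to_bytes(2, "big") + body
             + len(covert).to_bytes(1, "big") + covert + b"\0" * (slack - len(covert)))
    return _xor(frame, keystream(key, len(frame)))

def subverted_decrypt(key, ct):
    """What the legitimate receiver sees: only the real message, intact."""
    frame = honest_decrypt(key, ct)
    n = int.from_bytes(frame[:2], "big")
    return zlib.decompress(frame[2:2 + n])

def accomplice_extract(key, ct):
    """What the opponent's accomplice reads out of the very same ciphertext."""
    frame = honest_decrypt(key, ct)
    n = int.from_bytes(frame[:2], "big")
    c = frame[2 + n]
    return frame[3 + n:3 + n + c]

def known_answer_check(encrypt_fn, key, msg):
    """Defender's check: an implementation must reproduce the reference output bit for bit."""
    return encrypt_fn(key, msg) == honest_encrypt(key, msg)

KEY = b"constructed-key!"        # constructed sample key
MESSAGE = b"PLAINTEXT " * 16     # stereotyped, highly compressible message
COVERT = b"<hidden payload>"     # constructed covert message

def run():
    ct_honest = honest_encrypt(KEY, MESSAGE)
    ct_bad = subverted_encrypt(KEY, MESSAGE, COVERT)
    return {
        "same_length": len(ct_honest) == len(ct_bad),
        "receiver_sees": subverted_decrypt(KEY, ct_bad),
        "accomplice_sees": accomplice_extract(KEY, ct_bad),
        "honest_passes_kat": known_answer_check(honest_encrypt, KEY, MESSAGE),
        "subverted_passes_kat": known_answer_check(
            lambda k, m: subverted_encrypt(k, m, COVERT), KEY, MESSAGE),
    }

if __name__ == "__main__":
    for k, v in run().items():
        print(f"{k}: {v}")
```

The ValueError branch is the post's "maximal entropy" limit made concrete: a message that does not compress leaves no slack, so nothing can be hidden in it. A known-answer vector is cheap to publish with any reference implementation and is the check to run on a black-box cipher whose output you cannot otherwise distinguish from the honest one.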


Newsgroup: sci.crypt
Document_id: 16117
From: amanda@intercon.com (Amanda Walker)
Subject: Re: My letter about Clipper

David Reeve Sward <sward+@CMU.EDU> writes:
> We don't know this, do we?  The algorithm is classified. 

I speculate, from the MykoTronx data sheet on the MYK-78, that the algorithm 
is a classified cryptosystem, similar in application to DES but cleared by 
the NSA for classified traffic, that has been in use for a number of years.  
Mykotronx refers to it as "Government Type II encryption", which matches the
designation of one of the types of encryption available on STU-III phones, 
and may be the same as a cryptosystem I have heard called "CIPHER2".

This would make sense, since this is evidently a field-proven cryptosystem 
which can act as a "pin-compatible" substitute for DES.  Combined with a 
tappable key exchange protocol, this would offer exactly what is claimed for 
Clipper: secure encryption with access via a key escrow.  If this is in fact the
case, it would make me quite confident of the encipherment algorithm itself.

Now, I do not know if these are in fact the same cryptosystem; my knowledge 
of classified cryptography isn't even fuzzy :), it's nonexistent.  However, 
it would certainly have been the least-effort approach on the part of the 
government: take an old military cipher that people can drop in place of DES 
(and which is at least as secure), set up a key escrow scheme for law 
enforcement, and promote it for public use.  This also fits with Mykotronx, 
who's been around but almost invisible for years.

Has anyone else made this sort of connection, or am I just hallucinating pink 
elephants here? :).  My curiosity has been piqued...


Amanda Walker
InterCon Systems Corporation

Newsgroup: sci.crypt
Document_id: 16118
From: kennejs@a.cs.okstate.edu (KENNEDY JAMES SCOT)
Subject: Re: RE: RE: Clipper Chip

From article <67@cyberia.win.net>, by johnston@cyberia.win.net (Robert Johnston):
> Encryption technologies are currently regarded as arms by the
> Feds, hence the export ban.  While the Second is under enough
> attack for guaranteeing our rights to fire arms, perhaps we
> should reflect on this as well.  (Perhaps fire arms are not the
> only weapons covered under the Second Amendment)

Hmmm... I wouldn't consider encryption to be a weapon.  How would the
government classify encryption?  Seems to me that encryption ought to
be covered by the first amendment.   Using this line of reasoning, the
government shouldn't be able to restrict what data people encrypt and
what encryption algorithms they use because this would be restricting
one's freedom of speech.  In other words, encrypted data---text,
graphics, or other information---is just another form of free speech.
For this reason the government shouldn't be able to regulate the use
of encryption algorithms and encrypted data.  The only time the
government should be able to 'force' someone to reveal his or her
encryption keys for some encrypted data is when the encrypted data
in question may be something that isn't protected by the first
amendment such as kiddy porn.  Even in a case like this the
government should be required to get a search warrant before coercing
someone into revealing the keys.

BTW, what encryption methods are considered to be state-of-the-art
nowadays?  Have the feds relaxed export restrictions on DES yet?
Also, is DES still regarded as a good form of encryption?

> Robert Johnston
> johonston@cyberia.win.net


Scott Kennedy,  Brewer and Patriot

Before:  "David Koresh is a cheap thug who interprets
          the Bible through the barrel of a gun..."  --ATF spokesman
After:   "[The ATF] is a cheap thug who interprets
          [the Constitution] through the barrel of a gun..."  --Me

         *******************************************
         * BATF = Cigarette Cops                   *
         * FBI  = Fuehrer's Bureau of Incineration *
         *******************************************



Newsgroup: sci.crypt
Document_id: 16119
From: maa@plato.ds.boeing.com (Mark A Allyn)
Subject: Clipper Chip: Reverse Engineering

I have been looking over the postings about the Clipper Chip and noticed
an interesting omission from the discussion.

You all mention that the algorithm is classified and have expressed 
concerns and ideas of how to figure out the algorithm using software.

The question that I have is why can't someone take one of these chips
and reverse engineer it? I mean, take the thing to a chip testing/
analysis facility, one with a decent electron microscope. Just pry
off the top of the chip and start scanning it with the electron
microscope and figure out the circuitry. I remember a place that I used
to work for had one of these facilities that they used to analyze chips
that we accidentally blew out while running tests. They could actually find
the area that was fried and show us where in the circuit it was. 

I am sure that many companies and universities must have these facilities
and that the potential is there, especially at a university where the
security at such a facility is looser, for someone to take a clipper
apart and analyze it?

What can the government do to prevent this? Start taking away all 
microchip analysis facilities and electron microscopes??

mark



Newsgroup: sci.crypt
Document_id: 16120
From: smythw@vccsouth10.its.rpi.edu (William Smythe)
Subject: Re: I have seen the lobby, and it is us

In article <Apr22.185314.14420@yuma.ACNS.ColoState.EDU> ns111310@LANCE.ColoState.Edu (Nathaniel Sammons) writes:
>1) I think that most of us can afford a stamp and an envelope, and the
>cost of printing out a letter.
>
>2) If some kind soul out there would write a letter, and upload it to 
>the net, everyone could capture it, print it out, and snail-mail it
>out to their local congressional critter.
>
>BTW>> I'm working on one.

Dear Senator/Congressman/President {fill in the blank}

I am writing you to voice my strong opposition to President Clinton's Clipper
Chip initiative. This proposal to establish a secret, government-designed
cryptography chip with government key registration as the standard for voice
encryption is very disturbing. The idea that citizens must register their
secrets with the government just in case they are trying to keep them secret
is patently un-American. Additionally, the press release for this program
strongly implied that other forms of cryptography would be banned after the
Clipper Chip standard is in place. This latest attack on our civil rights is
deeply disturbing and is frankly a voting issue for me.

The president's press release stated that the plan strikes a balance between the
legitimate needs of law enforcement and a citizen's right to privacy, but this
is not the case. The fact is that since other strong cryptographic equipment
is available, the criminals, drug dealers and terrorists mentioned in the press
release will simply use non-Clipper cryptography. Meanwhile the average citizen
may gain no protection against warrantless wiretaps by the government, since the
government-escrowed key is derived deterministically from the unit serial number
which is broadcast by the chip during its operation. This seems like an
obvious back door for the NSA and law enforcement. If you still do not
understand my objection to key registration, consider the way J. Edgar Hoover
blackmailed government officials like yourself; would you now use a phone to
transmit personal details of your life that the NSA and FBI have the keys to?


______________________________________________________________________________
Well, here's a letter; I didn't spell check it since I don't know how in EMACS,
so you might want to do that. 

Bill Smythe

Newsgroup: sci.crypt
Document_id: 16121
From: pat@rwing.UUCP (Pat Myrto)
Subject: Re: Overreacting (was Re: Once tapped, your code is no good any more)

In article <C62EL4.4I4@rahul.net> dhesi@rahul.net (Rahul Dhesi) writes:
>In <2109@rwing.UUCP> pat@rwing.UUCP (Pat Myrto) writes:
>
>>How come the media is not telling about the provisions of the Clipper
>>decision? ...
>
>>How can the bulk of the people be informed, when the media refuses to
>>do it?
>
>The answer to your second question lies in the way you phrased the
>first one:  'the media is...'.
>
>The media isn't 'is'.  The media 'are'.  'Media' means 'more than one
>medium.'  There are thousands of publications.  Some say this, some say
>that.  
>
>     How can the bulk of the people be informed, when they won't read
>     informative publications?

Because much of the public aren't even aware of the NAMES of informative
publications.  Look at the 'wealth' of material on the typical newsstand.
Unless the person is working in some kind of technical environment, with
the usual trade journals, all they ever see is the media (note: media
in this context is the popular media - TV, radio, daily newspapers, and
such publications as Time, Newsweek, and all that).  And they all say
pretty much the same thing.  I see most of them being in the range of
center-left to far Left, and generally supportive of pie-in-sky
we-will-take-care-of-you-think-for-you-cradle-to-grave.  There seems
to be an air of arrogance that the individual is not capable of
understanding major issues so the media doesn't bother to inform them
(as with Clipper, for example) or tells the people how to interpret
events in others.  What is lost sight of is that the people are not good
at understanding things because they are not TOLD accurate information
about them.  It is a lot to expect of the people for them to be
clairvoyant.  For example, I would have been unaware of Clipper had
I not picked it up on USENET.  How much of the population has USENET,
let alone Internet access?

For access to better publications, the person has to spend time digging.
Many folks, especially who work long hours, have families, etc., do not
have TIME to go digging, and many are not (yet) aware things are wrong,
so are not motivated to dig.  Not saying its right, just saying that is
the way things are.  People aren't upset about things when they aren't
TOLD.  And the less than objective media is a major contributor to the
problem.

And then compound that with an attitude of arrogance in the civil service
(bureaucrats, politicians) that act as if the person without political
connections, or deep pockets (potential contributor) should have few if
any rights, being a resource to be used by those in control for their
political or financial gain.  Some Law Enforcement agencies act as if
they regard the common person with a rather intense degree of contempt,
peons that are supposed to do what they are TOLD, and get very nasty
when someone questions them.  The media pundits/editors, etc tend to
fall into those with privilege, and tend to not be upset by the current
state of affairs.  The fellow in DC, who shot the swimmer in his Jacuzzi
for daring to swim in it, with an ILLEGALLY owned gun (violating the law
he pushed to be foisted on everyone else), ends up walking where a less
well-connected person would have been crucified.  A typical example of
one standard for 'us', a much more restrictive standard for 'other folk'.

Perhaps I am not real eloquent in expressing this, but the solution
sure as hell is NOT to make it HARDER for people to find out what is
going on, or dismiss their concerns because one happens to be in a position
where one feels they are exempt or insulated.  Such as that hypocrite of
a journalist in DC described above.  One notices that these less-than
complimentary points about that double-standard were NOT covered in the
media.  I feel the reason was it dovetailed with their political views
on the subject, and it involved a 'brother' journalist.

Isn't it time for our 'objective' media, the MAIN SOURCE of info for the
average person, to start being what they claim to be, instead of spin
doctors for the Statist elements?

>-- 
>Rahul Dhesi <dhesi@rahul.net>
>also:  dhesi@cirrus.com


-- 
pat@rwing.uucp      [Without prejudice UCC 1-207]     (Pat Myrto) Seattle, WA
         If all else fails, try:       ...!uunet!pilchuck!rwing!pat
WISDOM: "Only two things are infinite; the universe and human stupidity,
         and I am not sure about the former."              - Albert Einstein

Newsgroup: sci.crypt
Document_id: 16122
From: pat@rwing.UUCP (Pat Myrto)
Subject: Re: Clipper considered harmful

In article <strnlghtC64Dx1.1zn@netcom.com> strnlght@netcom.com (David Sternlight) writes:
>In article <1993Apr25.193300.1707@microsoft.com> gideony@microsoft.com
>(Gideon Yuval) writes:
>
>>If these personal attacks are what stopped Prof. Denning from
>>replying on issues of substance, they have caused real harm
>>to the serious debate here.
>
>They are and they have.

Are you in contact with her, is that what she said, or what you THINK
her reason is?

Also, could it be possible that she is not replying because she has
no reply that wouldn't confirm the worst suspicions?  If the suspicions
are way out of pocket, one would think the person would be in there
saying so, and indicating WHY they are out of pocket.  Hiding behind
a veil of secrecy is not reassuring.


-- 
pat@rwing.uucp      [Without prejudice UCC 1-207]     (Pat Myrto) Seattle, WA
         If all else fails, try:       ...!uunet!pilchuck!rwing!pat
WISDOM: "Only two things are infinite; the universe and human stupidity,
         and I am not sure about the former."              - Albert Einstein

Newsgroup: sci.crypt
Document_id: 16123
From: whitaker@eternity.demon.co.uk (Russell Earl Whitaker)
Subject: From Crossbows to Cryptography

-----BEGIN PGP SIGNED MESSAGE-----

Please note that the following speech was made by Chuck Hammill
in 1987.  Address all letters to his address, given at the end
of this document.
     -- Russell

  FROM CROSSBOWS TO CRYPTOGRAPHY:  THWARTING THE STATE VIA
                     TECHNOLOGY

  Given at the Future of Freedom Conference, November 1987


     You know, technology--and particularly computer technology--has
often gotten a bad rap in Libertarian circles.  We tend to think of
Orwell's 1984, or Terry Gilliam's Brazil, or the proximity detectors
keeping East Berlin's slave/citizens on their own side of the border,
or the sophisticated bugging devices Nixon used to harass those on his
"enemies list."  Or, we recognize that for the price of a ticket on
the Concorde we can fly at twice the speed of sound, but only if we
first walk thru a magnetometer run by a government policeman, and
permit him to paw thru our belongings if it beeps.

     But I think that mind-set is a mistake.  Before there were cattle
prods, governments tortured their prisoners with clubs and rubber
hoses.  Before there were lasers for eavesdropping, governments used
binoculars and lip-readers.  Though government certainly uses
technology to oppress, the evil lies not in the tools but in the
wielder of the tools.

     In fact, technology represents one of the most promising avenues
available for re-capturing our freedoms from those who have stolen
them.  By its very nature, it favors the bright (who can put it to
use) over the dull (who cannot).  It favors the adaptable (who are
quick to see the merit of the new) over the sluggish (who cling to
time-tested ways).  And what two better words are there to describe
government bureaucracy than "dull" and "sluggish"?

     One of the clearest, classic triumphs of technology over tyranny
I see is the invention of the man-portable crossbow.  With it, an
untrained peasant could now reliably and lethally engage a target out
to fifty meters--even if that target were a mounted, chain-mailed
knight.  (Unlike the longbow, which, admittedly was more powerful, and
could get off more shots per unit time, the crossbow required no
formal training to utilize.  Whereas the longbow required elaborate
visual, tactile and kinesthetic coordination to achieve any degree of
accuracy, the wielder of a crossbow could simply put the weapon to his
shoulder, sight along the arrow itself, and be reasonably assured of
hitting his target.)

     Moreover, since just about the only mounted knights likely to
visit your average peasant would be government soldiers and tax
collectors, the utility of the device was plain:  With it, the common
rabble could defend themselves not only against one another, but
against their governmental masters.  It was the medieval equivalent of
the armor-piercing bullet, and, consequently, kings and priests (the
medieval equivalent of a Bureau of Alcohol, Tobacco and Crossbows)
threatened death and excommunication, respectively, for its unlawful
possession.

     Looking at later developments, we see how technology like the
firearm--particularly the repeating rifle and the handgun, later
followed by the Gatling gun and more advanced machine guns--radically
altered the balance of interpersonal and inter-group power.  Not
without reason was the Colt .45 called "the equalizer."  A frail
dance-hall hostess with one in her possession was now fully able to
protect herself against the brawniest roughneck in any saloon.
Advertisements for the period also reflect the merchandising of the
repeating cartridge rifle by declaring that "a man on horseback, armed
with one of these rifles, simply cannot be captured."  And, as long as
his captors were relying upon flintlocks or single-shot rifles, the
quote is doubtless a true one.

     Updating now to the present, the public-key cipher (with a
personal computer to run it) represents an equivalent quantum leap--in
a defensive weapon.  Not only can such a technique be used to protect
sensitive data in one's own possession, but it can also permit two
strangers to exchange information over an insecure communications
channel (a wiretapped phone line, for example, or skywriting, for that
matter)--without ever having previously met to exchange cipher keys.
With a thousand-dollar computer, you can create a cipher that a
multi-megabuck CRAY X-MP can't crack in a year.  Within a few years,
it should be economically feasible to similarly encrypt voice
communications; soon after that, full-color digitized video images.
Technology will not only have made wiretapping obsolete, it will have
totally demolished government's control over information transfer.

     I'd like to take just a moment to sketch the mathematics which
makes this principle possible.  This algorithm is called the RSA
algorithm, after Rivest, Shamir, and Adleman who jointly created it.
Its security derives from the fact that, if a very large number is the
product of two very large primes, then it is extremely difficult to
obtain the two prime factors from analysis of their product.
"Extremely" in the sense that if primes p and q have 100 digits
apiece, then their 200-digit product cannot in general be factored in
less than 100 years by the most powerful computer now in existence.

     The "public" part of the key consists of (1) the product pq of
the two large primes p and q, and (2) one factor, call it x, of the
product xy where xy = {(p-1) * (q-1) + 1}.  The "private" part of the
key consists of the other factor y.

     Each block of the text to be encrypted is first turned into an
integer--either by using ASCII, or even a simple A=01, B=02, C=03,
... , Z=26 representation.  This integer is then raised to the power x
(modulo pq) and the resulting integer is then sent as the encrypted
message.  The receiver decrypts by taking this integer to the (secret)
power y (modulo pq).  It can be shown that this process will always
yield the original number started with.

     What makes this a groundbreaking development, and why it is
called "public-key cryptography," is that I can openly publish the
product pq and the number x, while keeping secret the number y--so
that anyone can send me an encrypted message, namely

                     a^x (mod pq),

but only I can recover the original message a, by taking what they
send, raising it to the power y and taking the result (mod pq).  The
risky step (meeting to exchange cipher keys) has been eliminated.  So
people who may not even trust each other enough to want to meet, may
still reliably exchange encrypted messages--each party having selected
and disseminated his own pq and his x, while maintaining the secrecy
of his own y.

     Another benefit of this scheme is the notion of a "digital
signature," to enable one to authenticate the source of a given
message.  Normally, if I want to send you a message, I raise my
plaintext a to your x and take the result (mod your pq) and send that.

     However, if in my message, I take the plaintext a and raise it to
my (secret) power y, take the result (mod my pq), then raise that
result to your x (mod your pq) and send this, then even after you have
normally "decrypted" the message, it will still look like garbage.
However, if you then raise it to my public power x, and take the
result (mod my public pq), you will not only recover the original
plaintext message, but you will know that no one but I could have sent
it to you (since no one else knows my secret y).

     And these are the very concerns by the way that are today
tormenting the Soviet Union about the whole question of personal
computers.  On the one hand, they recognize that American
schoolchildren are right now growing up with computers as commonplace
as sliderules used to be--more so, in fact, because there are things
computers can do which will interest (and instruct) 3- and
4-year-olds.  And it is precisely these students who one generation
hence will be going head-to-head against their Soviet counterparts.
For the Soviets to hold back might be as suicidal as continuing to
teach swordsmanship while your adversaries are learning ballistics.
On the other hand, whatever else a personal computer may be, it is
also an exquisitely efficient copying machine--a floppy disk will hold
upwards of 50,000 words of text, and can be copied in a couple of
minutes.  If this weren't threatening enough, the computer that
performs the copy can also encrypt the data in a fashion that is all
but unbreakable.  Remember that in Soviet society publicly accessible
Xerox machines are unknown.  (The relatively few copying machines in
existence are controlled more intensively than machine guns are in the
United States.)

     Now the "conservative" position is that we should not sell these
computers to the Soviets, because they could use them in weapons
systems.  The "liberal" position is that we should sell them, in the
interests of mutual trade and cooperation--and anyway, if we don't
make the sale, there will certainly be some other nation willing to.

     For my part, I'm ready to suggest that the Libertarian position
should be to give them to the Soviets for free, and if necessary, make
them take them . . . and if that doesn't work load up an SR-71
Blackbird and air drop them over Moscow in the middle of the night.
Paid for by private subscription, of course, not taxation . . . I
confess that this is not a position that has gained much support among
members of the conventional left-right political spectrum, but, after
all, in the words of one of Illuminatus's characters, we are political
non-Euclideans:  The shortest distance to a particular goal may not
look anything like what most people would consider a "straight line."
Taking a long enough world-view, it is arguable that breaking the
Soviet government monopoly on information transfer could better lead
to the enfeeblement and, indeed, to the ultimate dissolution of the
Soviet empire than would the production of another dozen missiles
aimed at Moscow.

     But there's the rub:  A "long enough" world view does suggest
that the evil, the oppressive, the coercive and the simply stupid will
"get what they deserve," but what's not immediately clear is how the
rest of us can escape being killed, enslaved, or pauperized in the
process.

     When the liberals and other collectivists began to attack
freedom, they possessed a reasonably stable, healthy, functioning
economy, and almost unlimited time to proceed to hamstring and
dismantle it.  A policy of political gradualism was at least
conceivable.  But now, we have a patchwork crazy-quilt economy held
together by baling wire and spit.  The state not only taxes us to
"feed the poor" while also inducing farmers to slaughter milk cows and
drive up food prices--it then simultaneously turns around and
subsidizes research into agricultural chemicals designed to increase
yields of milk from the cows left alive.  Or witness the fact that a
decline in the price of oil is considered as potentially frightening
as a comparable increase a few years ago.  When the price went up, we
were told, the economy risked collapse for want of energy.  The price
increase was called the "moral equivalent of war" and the Feds swung
into action.  For the first time in American history, the speed at
which you drive your car to work in the morning became an issue of
Federal concern.  Now, when the price of oil drops, again we risk
problems, this time because American oil companies and Third World
basket-case nations who sell oil may not be able to ever pay their
debts to our grossly over-extended banks.  The suggested panacea is
that government should now re-raise the oil prices that OPEC has
lowered, via a new oil tax.  Since the government is seeking to raise
oil prices to about the same extent as OPEC did, what can we call this
except the "moral equivalent of civil war--the government against its
own people?"

     And, classically, in international trade, can you imagine any
entity in the world except a government going to court claiming that a
vendor was selling it goods too cheaply and demanding not only that
that naughty vendor be compelled by the court to raise its prices, but
also that it be punished for the act of lowering them in the first
place?

     So while the statists could afford to take a couple of hundred
years to trash our economy and our liberties--we certainly cannot
count on having an equivalent period of stability in which to reclaim
them.  I contend that there exists almost a "black hole" effect in the
evolution of nation-states just as in the evolution of stars.  Once
freedom contracts beyond a certain minimum extent, the state warps the
fabric of the political continuum about itself to the degree that
subsequent re-emergence of freedom becomes all but impossible.  A good
illustration of this can be seen in the area of so-called "welfare"
payments.  When those who sup at the public trough outnumber (and thus
outvote) those whose taxes must replenish the trough, then what
possible choice has a democracy but to perpetuate and expand the
taking from the few for the unearned benefit of the many?  Go down to
the nearest "welfare" office, find just two people on the dole . . .
and recognize that between them they form a voting bloc that can
forever outvote you on the question of who owns your life--and the
fruits of your life's labor.

     So essentially those who love liberty need an "edge" of some sort
if we're ultimately going to prevail.  We obviously can't use the
altruists' "other-directedness" of "work, slave, suffer, sacrifice, so
that next generation of a billion random strangers can live in a
better world."  Recognize that, however immoral such an appeal might
be, it is nonetheless an extremely powerful one in today's culture.
If you can convince people to work energetically for a "cause," caring
only enough for their personal welfare so as to remain alive enough
and healthy enough to continue working--then you have a truly massive
reservoir of energy to draw from.  Equally clearly, this is just the
sort of appeal which tautologically cannot be utilized for egoistic or
libertarian goals.  If I were to stand up before you tonight and say
something like, "Listen, follow me as I enunciate my noble "cause,"
contribute your money to support the "cause," give up your free time
to work for the "cause," strive selflessly to bring it about, and then
(after you and your children are dead) maybe your children's children
will actually live under egoism"--you'd all think I'd gone mad.  And
of course you'd be right.  Because the point I'm trying to make is
that libertarianism and/or egoism will be spread if, when, and as,
individual libertarians and/or egoists find it profitable and/or
enjoyable to do so.  And probably only then.

     While I certainly do not disparage the concept of political
action, I don't believe that it is the only, nor even necessarily the
most cost-effective path toward increasing freedom in our time.
Consider that, for a fraction of the investment in time, money and
effort I might expend in trying to convince the state to abolish
wiretapping and all forms of censorship--I can teach every libertarian
who's interested how to use cryptography to abolish them unilaterally.

     There is a maxim--a proverb--generally attributed to the Eskimos,
which very likely most Libertarians have already heard.  And while you
likely would not quarrel with the saying, you might well feel that
you've heard it often enough already, and that it has nothing further
to teach us, and moreover, that maybe you're even tired of hearing it.
I shall therefore repeat it now:

     If you give a man a fish, the saying runs, you feed him for a
day.  But if you teach a man how to fish, you feed him for a lifetime.

     Your exposure to the quote was probably in some sort of a
"workfare" vs. "welfare" context; namely, that if you genuinely wish
to help someone in need, you should teach him how to earn his
sustenance, not simply how to beg for it.  And of course this is true,
if only because the next time he is hungry, there might not be anybody
around willing or even able to give him a fish, whereas with the
information on how to fish, he is completely self sufficient.

     But I submit that this exhausts only the first order content of
the quote, and if there were nothing further to glean from it, I would
have wasted your time by citing it again.  After all, it seems to have
almost a crypto-altruist slant, as though to imply that we should
structure our activities so as to maximize the benefits to such hungry
beggars as we may encounter.

     But consider:

     Suppose this Eskimo doesn't know how to fish, but he does know
how to hunt walruses.  You, on the other hand, have often gone hungry
while traveling thru walrus country because you had no idea how to
catch the damn things, and they ate most of the fish you could catch.
And now suppose the two of you decide to exchange information,
bartering fishing knowledge for hunting knowledge.  Well, the first
thing to observe is that a transaction of this type categorically and
unambiguously refutes the Marxist premise that every trade must have a
"winner" and a "loser;" the idea that if one person gains, it must
necessarily be at the "expense" of another person who loses.  Clearly,
under this scenario, such is not the case.  Each party has gained
something he did not have before, and neither has been diminished in
any way.  When it comes to exchange of information (rather than
material objects) life is no longer a zero-sum game.  This is an
extremely powerful notion.  The "law of diminishing returns," the
"first and second laws of thermodynamics"--all those "laws" which
constrain our possibilities in other contexts--no longer bind us!  Now
that's anarchy!

     Or consider another possibility:  Suppose this hungry Eskimo
never learned to fish because the ruler of his nation-state had
decreed fishing illegal.  Because fish contain dangerous tiny bones,
and sometimes sharp spines, he tells us, the state has decreed that
their consumption--and even their possession--are too hazardous to the
people's health to be permitted . . . even by knowledgeable, willing
adults.  Perhaps it is because citizens' bodies are thought to be
government property, and therefore it is the function of the state to
punish those who improperly care for government property.  Or perhaps
it is because the state generously extends to competent adults the
"benefits" it provides to children and to the mentally ill:  namely, a
full-time, all-pervasive supervisory conservatorship--so that they
need not trouble themselves with making choices about behavior thought
physically risky or morally "naughty."  But, in any case, you stare
stupefied, while your Eskimo informant relates how this law is taken
so seriously that a friend of his was recently imprisoned for years
for the crime of "possession of nine ounces of trout with intent to
distribute."

     Now you may conclude that a society so grotesquely oppressive as
to enforce a law of this type is simply an affront to the dignity of
all human beings.  You may go farther and decide to commit some
portion of your discretionary, recreational time specifically to the
task of thwarting this tyrant's goal.  (Your rationale may be
"altruistic" in the sense of wanting to liberate the oppressed, or
"egoistic" in the sense of proving you can outsmart the oppressor--or
very likely some combination of these or perhaps even other motives.)

     But, since you have zero desire to become a martyr to your
"cause," you're not about to mount a military campaign, or even try to
run a boatload of fish through the blockade.  However, it is here that
technology--and in particular information technology--can multiply
your efficacy literally a hundredfold.  I say "literally," because for
a fraction of the effort (and virtually none of the risk) attendant to
smuggling in a hundred fish, you can quite readily produce a hundred
Xerox copies of fishing instructions.  (If the targeted government,
like present-day America, at least permits open discussion of topics
whose implementation is restricted, then that should suffice.  But, if
the government attempts to suppress the flow of information as well,
then you will have to take a little more effort and perhaps write your
fishing manual on a floppy disk encrypted according to your mythical
Eskimo's public-key parameters.)  But as far as increasing real-world
access to fish you have made genuine nonzero headway--which may
continue to snowball as others re-disseminate the information you have
provided.  And you have not had to waste any of your time trying to
convert ideological adversaries, or even trying to win over the
undecided.  Recall Harry Browne's dictum from "Freedom in an Unfree
World" that the success of any endeavor is in general inversely
proportional to the number of people whose persuasion is necessary to
its fulfilment.

     If you look at history, you cannot deny that it has been
dramatically shaped by men with names like Washington, Lincoln, . . .
Nixon . . . Marcos . . . Duvalier . . . Khadaffi . . . and their ilk.
But it has also been shaped by people with names like Edison, Curie,
Marconi, Tesla and Wozniak.  And this latter shaping has been at least
as pervasive, and not nearly so bloody.

     And that's where I'm trying to take The LiberTech Project.
Rather than beseeching the state to please not enslave, plunder or
constrain us, I propose a libertarian network spreading the
technologies by which we may seize freedom for ourselves.

     But here we must be a bit careful.  While it is not (at present)
illegal to encrypt information when government wants to spy on you,
there is no guarantee of what the future may hold.  There have been
bills introduced, for example, which would have made it a crime to
wear body armor when government wants to shoot you.  That is, if you
were to commit certain crimes while wearing a Kevlar vest, then that
fact would constitute a separate federal crime of its own.  This law
to my knowledge has not passed . . . yet . . . but it does indicate
how government thinks.

     Other technological applications, however, do indeed pose legal
risks.  We recognize, for example, that anyone who helped a pre-Civil
War slave escape on the "underground railroad" was making a clearly
illegal use of technology--as the sovereign government of the United
States of America at that time found the buying and selling of human
beings quite as acceptable as the buying and selling of cattle.
Similarly, during Prohibition, anyone who used his bathtub to ferment
yeast and sugar into the illegal psychoactive drug, alcohol--the
controlled substance, wine--was using technology in a way that could
get him shot dead by federal agents for his "crime"--unfortunately not
to be restored to life when Congress reversed itself and re-permitted
use of this drug.

     So . . . to quote a former President, un-indicted co-conspirator
and pardoned felon . . . "Let me make one thing perfectly clear:"  The
LiberTech Project does not advocate, participate in, or conspire in
the violation of any law--no matter how oppressive, unconstitutional
or simply stupid such law may be.  It does engage in description (for
educational and informational purposes only) of technological
processes, and some of these processes (like flying a plane or
manufacturing a firearm) may well require appropriate licensing to
perform legally.  Fortunately, no license is needed for the
distribution or receipt of information itself.

     So, the next time you look at the political scene and despair,
thinking, "Well, if 51% of the nation and 51% of this State, and 51%
of this city have to turn Libertarian before I'll be free, then
somebody might as well cut my goddamn throat now, and put me out of my
misery"--recognize that such is not the case.  There exist ways to
make yourself free.

     If you wish to explore such techniques via the Project, you are
welcome to give me your name and address--or a fake name and mail
drop, for that matter--and you'll go on the mailing list for my
erratically-published newsletter.  Any friends or acquaintances whom
you think would be interested are welcome as well.  I'm not even
asking for stamped self-addressed envelopes, since my printer can
handle mailing labels and actual postage costs are down in the noise
compared with the other efforts in getting an issue out.  If you
should have an idea to share, or even a useful product to plug, I'll
be glad to have you write it up for publication.  Even if you want to
be the proverbial "free rider" and just benefit from what others
contribute--you're still welcome:  Everything will be public domain;
feel free to copy it or give it away (or sell it, for that matter,
'cause if you can get money for it while I'm taking full-page ads
trying to give it away, you're certainly entitled to your capitalist
profit . . .)  Anyway, every application of these principles should
make the world just a little freer, and I'm certainly willing to
underwrite that, at least for the foreseeable future.

     I will leave you with one final thought:  If you don't learn how
to beat your plowshares into swords before they outlaw swords, then
you sure as HELL ought to learn before they outlaw plowshares too.

                                       --Chuck Hammill

                                 THE LIBERTECH PROJECT
                                 3194 Queensbury Drive
                               Los Angeles, California
                                                 90064
                                          310-836-4157

                                    hammill@netcom.com

[The above LiberTech address was updated December 1992, with the
 permission of Chuck Hammill, by Russell Whitaker]

Those interested in the issues raised in this piece should participate
in at least these newsgroups:

                alt.privacy
                alt.security.pgp
                comp.org.eff.talk
                sci.crypt

A copy of the RSA-based public key encryption program, PGP 2.1 (Pretty
Good Privacy), can be obtained at various ftp sites around the world.
One such site is gate.demon.co.uk, where an MS-DOS version can be had by
anonymous ftp as pgp22.zip in /pub/pgp.

Versions for other operating systems, including UNIX variants
and Macintosh, are also available.  Source code is also
available.

Here's the blurb for PGP, by the way:

----------------------  Quote ----------------------------------------
PGP (Pretty Good Privacy) ver 2.2 - RSA public-key encryption freeware
for MSDOS, protects E-mail.  Lets you communicate securely with people
you've never met, with no secure channels needed for prior exchange of
keys.  Well featured and fast!  Excellent user documentation.

PGP has sophisticated key management, an RSA/conventional hybrid
encryption scheme, message digests for digital signatures, data
compression before encryption, and good ergonomic design.  Source
code is free.

Filenames:  pgp22.zip (executable and manuals), pgp22src.zip (sources)
Keywords:   PGP, Pretty Good Privacy, RSA, public key, encryption,
            privacy, authentication, signatures, email
---------------------- End Quote -------------------------------------

Russell Earl Whitaker                   whitaker@eternity.demon.co.uk
Communications Editor                                 AMiX: RWhitaker
EXTROPY: The Journal of Transhumanist Thought
Board member, Extropy Institute (ExI)


-----BEGIN PGP SIGNATURE-----
Version: 2.2

iQCVAgUBK922PYTj7/vxxWtPAQEbkgQAsgOxCtZjdZMZuRfm05nwm2ObsoLH/cFh
aHRnb6dmp1o+4+yxaR+BO4fpRAtNMMOhn6WUSOoUJz1qqqkghfolYRu/TeCdr9du
irrb7tCwndKsQC+wcTI/Q4+cmq3HrRRTnaIWYjmfaqXPEYRODVFDXc409umVGRJb
5IgXfNgaz78=
=T1vu
-----END PGP SIGNATURE-----
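The arithmetic Hammill sketches, worked through with numbers.  This is
an added example; it is not part of the speech, of Whitaker's post, or
of PGP, and the primes, the exponents, the names Alice and Bob and the
message "HELLO" are all constructed here.  The primes are chosen so
that (p-1)*(q-1)+1 splits into two factors x and y, exactly as the
speech states the key relation; the code derives y as the inverse of x
modulo (p-1)*(q-1), the general condition which that product satisfies.
The sign-then-encrypt order the speech describes (raise to my y mod my
pq, then to your x mod your pq) only round-trips when the signer's
modulus does not exceed the receiver's, a condition the speech does not
mention, so the example checks for it.

```python
from math import gcd

# Constructed toy primes for this example (real RSA uses primes of a
# hundred digits or more, as the speech says).  For both pairs,
# (p-1)*(q-1)+1 happens to split into the two exponents, so x*y is
# exactly {(p-1)*(q-1)+1}, as the speech puts it.
ALICE_P, ALICE_Q, ALICE_X = 11, 23, 13   # 10*22+1 = 221 = 13*17
BOB_P, BOB_Q, BOB_X = 29, 41, 19         # 28*40+1 = 1121 = 19*59


def make_key(p, q, x):
    """Return ((pq, x), y): the public pair and the private exponent.
    y is the inverse of x modulo (p-1)(q-1), so x*y = 1 (mod (p-1)(q-1));
    the speech's xy = (p-1)(q-1)+1 is the smallest such product."""
    phi = (p - 1) * (q - 1)
    if gcd(x, phi) != 1:
        raise ValueError("x must be coprime to (p-1)(q-1)")
    y = pow(x, -1, phi)      # modular inverse (Python 3.8+)
    return (p * q, x), y


def encrypt(a, pub):
    """Sender's step: a^x (mod pq) under the receiver's public pair."""
    n, x = pub
    if not 0 <= a < n:
        raise ValueError("block must be an integer below pq")
    return pow(a, x, n)


def decrypt(c, pub, y):
    """Receiver's step: c^y (mod pq) with the private exponent."""
    n, _ = pub
    return pow(c, y, n)


def sign_then_encrypt(a, my_pub, my_y, your_pub):
    """a^y (mod my pq), then that result ^x (mod your pq)."""
    n_mine, _ = my_pub
    n_yours, _ = your_pub
    if n_mine > n_yours:
        # the signed value must fit below the receiver's modulus, a
        # condition the speech leaves implicit
        raise ValueError("signer's pq must not exceed receiver's pq")
    return encrypt(pow(a, my_y, n_mine), your_pub)


def decrypt_then_verify(c, my_pub, my_y, sender_pub):
    """Undo both steps in reverse order; returns the recovered block."""
    n_sender, x_sender = sender_pub
    return pow(decrypt(c, my_pub, my_y), x_sender, n_sender)


def letter_to_int(ch):
    """A=01, B=02, ..., Z=26, as in the speech."""
    return ord(ch.upper()) - ord("A") + 1


def int_to_letter(k):
    return chr(ord("A") + k - 1)


def demo():
    """Encrypt "HELLO" to Bob, then sign-and-encrypt it from Alice to Bob."""
    alice_pub, alice_y = make_key(ALICE_P, ALICE_Q, ALICE_X)
    bob_pub, bob_y = make_key(BOB_P, BOB_Q, BOB_X)
    blocks = [letter_to_int(ch) for ch in "HELLO"]
    # privacy only: anyone holding Bob's (pq, x) can encrypt to him
    cipher = [encrypt(a, bob_pub) for a in blocks]
    plain = "".join(int_to_letter(decrypt(c, bob_pub, bob_y)) for c in cipher)
    # privacy plus authentication: Alice applies her secret y first
    signed = [sign_then_encrypt(a, alice_pub, alice_y, bob_pub) for a in blocks]
    verified = "".join(
        int_to_letter(decrypt_then_verify(c, bob_pub, bob_y, alice_pub))
        for c in signed)
    # after Bob's own decryption alone, the first block is still
    # 8^17 mod 253 = 13, not the letter H: the "garbage" the speech means
    inner = decrypt(signed[0], bob_pub, bob_y)
    return {"plain": plain, "verified": verified, "inner_first_block": inner}
```

demo() returns the two recovered strings and the intermediate value Bob
sees before applying Alice's public x; anyone can reproduce the last
step from Alice's published pair, which is what makes the signature
checkable without revealing her y.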


Newsgroup: sci.crypt
Document_id: 16124
From: rmal@jet.uk (Richard Lucock)
Subject: triple des

I have seen various references to 'triple des' recently. Could anyone
tell me what it is ? From context, I would guess that it means
encrypting each block 3 times, with a different key each time, but
I'd like to be sure.

Replies by email preferred - our news is unreliable.

Thanks,
	Richard

-- 

--------------
PGP Public Key available on request
--------------
- Disclaimer: Please note that the above is a personal view and should not 
  be construed as an official comment from the JET project.

Newsgroup: sci.crypt
Document_id: 16125
From: pom@anke.imsd.uni-mainz.DE (Prof. Dr. Klaus Pommerening)
Subject: SUMMARY: DES: init vector as additional key?

At the risk of getting lost in the clipper chip discussion I give a  
summary on my recent question:

In article <PQSCBCNH@minnie.zdv.uni-mainz.de> I wrote:
> The recent discussion in this news group suggests that a key search attack
> against DES is quite feasible now. But normally DES is applied in CBC or CFB
> mode where one chooses a random init vector of 8 bytes. Questions:
> 
>  - Does it make sense to handle the init vector as an additional key? Then
>    we have a 56 + 64 = 120 bit key.
>  
>  - If yes: Is anything known about the security of this key scheme? Can we
>    break it faster than by exhaustive search through the 120 bit key space?

Unfortunately the answer is no - concealing the initialisation vector  
essentially doesn't give any additional security. I got 3 answers (from  
grady@netcom.com, Mark.Lomas@cl.cam.ac.uk, smb@research.att.com) that  
opened my eyes. It's pretty simple:

Say E is encryption (and D decryption) with key K on 64-bit blocks.

Let c[0] be the initialisation vector,
m[1], m[2], ... the message blocks,
c[1], c[2], ... the cipher text blocks.

Then encryption in cipher block chaining (CBC) mode works by the formula

   c[i] = E(m[i] XOR c[i-1]),

and decryption by

   m[i] = c[i-1] XOR D(c[i]).

So if the attacker doesn't have c[0] this only affects the first message  
block m[1]. But she can do her key search attack on m[2], m[3], ...

The situation in cipher feedback (CFB) mode is a bit more complicated but  
similar and left as an exercise for the reader :-)

Finally there is the modified output feedback mode (OFB) where DES (or  
whatever block cipher you use) simply acts as random generator by

   s[i] = E(s[i-1]) with initialisation vector (= seed) s[0],

and encryption is given by

   c[i] = m[i] XOR s[i].

Here the usual `known plaintext' attack against XOR-bitstream ciphers  
reduces the cracking to key search for K.

--
Klaus Pommerening
Institut fuer Medizinische Statistik und Dokumentation
der Johannes-Gutenberg-Universitaet
Obere Zahlbacher Strasse 69, W-6500 Mainz, Germany
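
As an added illustration (not part of Pommerening's post, and not DES), the following Python works through both arguments with a constructed 64-bit toy Feistel cipher under a 16-bit key, so the exhaustive search finishes instantly. The CBC key search tests each guess using only c[1], c[2] and the known m[2]; once K is found, the "secret" c[0] is simply D(c[1]) XOR m[1]. In OFB, known plaintext exposes s[1] and s[2], and the search is for the K with E(s[1]) = s[2]. The names E, D, cbc_encrypt, ofb_encrypt and the search helpers are my own.

```python
"""Why a secret IV adds no key bits in CBC or OFB (added illustration).

The block cipher below is a constructed 64-bit toy Feistel cipher with a
16-bit key, standing in for DES so that the exhaustive key search from the
post runs in well under a second.  The argument does not depend on the
cipher: the attacker never needs c[0] to test a key guess.
"""

MASK32 = 0xFFFFFFFF
KEY_BITS = 16          # toy key size; DES would be 56
ROUNDS = 4

def _f(half, k):
    """Round function; the only requirement is that it depends on k."""
    x = (half ^ k) & MASK32
    x = ((x << 7) | (x >> 25)) & MASK32           # rotate left by 7
    x = (x * 0x9E3779B1) & MASK32                 # odd multiplier mixes bits
    return x ^ (x >> 13)

def _subkeys(key):
    """Derive one 32-bit round key per round from the short key."""
    return [((key * 0x9E3779B1) + i * 0x7F4A7C15) & MASK32 for i in range(ROUNDS)]

def _feistel(subkeys, block):
    """Feistel network on a 64-bit block; same code serves both directions."""
    l, r = block >> 32, block & MASK32
    for k in subkeys:
        l, r = r, l ^ _f(r, k)
    return (r << 32) | l                          # undo the final swap

def E(key, block):
    """Encrypt one 64-bit block under key K (the post's E)."""
    return _feistel(_subkeys(key), block)

def D(key, block):
    """Decrypt: same network, round keys in reverse order (the post's D)."""
    return _feistel(_subkeys(key)[::-1], block)

def cbc_encrypt(key, iv, m):
    """c[0] = IV, c[i] = E(m[i] XOR c[i-1]); indices follow the post."""
    c = {0: iv}
    for i in sorted(m):
        c[i] = E(key, m[i] ^ c[i - 1])
    return c

def cbc_key_search(c, m, i=2):
    """Recover K from known m[i] (i >= 2) and c[i-1], c[i]; c[0] is never touched."""
    for k in range(1 << KEY_BITS):
        if c[i - 1] ^ D(k, c[i]) == m[i]:
            return k
    return None

def cbc_recover_iv(key, c, m):
    """With K known, the 'secret' IV falls out: c[0] = D(c[1]) XOR m[1]."""
    return D(key, c[1]) ^ m[1]

def ofb_encrypt(key, seed, m):
    """s[i] = E(s[i-1]) with s[0] = seed, c[i] = m[i] XOR s[i]."""
    s, c = seed, {}
    for i in sorted(m):
        s = E(key, s)
        c[i] = m[i] ^ s
    return c

def ofb_key_search(c, m):
    """Known plaintext exposes s[1], s[2]; search for K with E(s[1]) == s[2]."""
    s1, s2 = c[1] ^ m[1], c[2] ^ m[2]
    for k in range(1 << KEY_BITS):
        if E(k, s1) == s2:
            return k
    return None

# Constructed sample: secret key, secret IV/seed, three known plaintext blocks.
SECRET_KEY = 0xBEEF
SECRET_IV = 0x0123456789ABCDEF
MESSAGE = {1: 0x4D65657420617420,   # "Meet at "
           2: 0x6D69646E69676874,   # "midnight"
           3: 0x2E2E2E2E2E2E2E2E}   # "........"

def demo():
    """Run both attacks without the IV; return what they recover."""
    c_cbc = cbc_encrypt(SECRET_KEY, SECRET_IV, MESSAGE)
    k_cbc = cbc_key_search(c_cbc, MESSAGE)            # uses c[1], c[2], m[2] only
    iv = cbc_recover_iv(k_cbc, c_cbc, MESSAGE) if k_cbc is not None else None
    c_ofb = ofb_encrypt(SECRET_KEY, SECRET_IV, MESSAGE)
    k_ofb = ofb_key_search(c_ofb, MESSAGE)
    return {"cbc_key": k_cbc, "cbc_iv": iv, "ofb_key": k_ofb}

if __name__ == "__main__":
    print({name: hex(v) for name, v in demo().items()})
```

The recovered key and IV equal the secrets, which is the post's point: hiding c[0] costs the attacker nothing beyond the 2^56 (here 2^16) key search.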

Newsgroup: sci.crypt
Document_id: 16126
From: brad@clarinet.com (Brad Templeton)
Subject: Re: Dorothy Denning opposes Clipper, Capstone wiretap chips

In article <C614BJ.BK6@agora.rain.com> jhart@agora.rain.com (Jim Hart) writes:
>"The security of the system should depend only on the secrecy of
>the keys and not on the secrecy of the algorithms" -- Dorothy Denning
>
>jhart@agora.rain.com


You're reading far too much into this (aside from the obvious fact
that you shouldn't hold anybody to what they wrote in a 10-year-old
book in a rapidly changing field like this.)


Quite simply she says that the security should not DEPEND on the
secrecy of the algorithm.  A secret algorithm can still be secure,
after all, we just don't know it.  Only our level of trust is
affected, not the security of the system.

The algorithm *could* be RSA for all we know, which we believe to
be secure.

They have a much better reason to classify the algorithm than to
protect its security.  They want to protect its market share.

If they publish the algorithm, then shortly manufacturers would
make chips that implement the algorithm and standard but do not
use a key stored in escrow.  And of course, everybody would buy them.


The whole push of this chip is that by establishing a standard that
you can only use if you follow their rules, they get us to follow
their rules without enacting new laws that we would fight tooth and
nail.

Quite simply, with Clipper established, it would be much harder for
another encryption maker to define a new standard, to make phones that
can't talk to the leading phone companies.   The result is tappable
cryptography without laws forbidding other kinds, for 99% of the
populace.


To get untappable crypto, you would have to build a special phone that
runs on top of this system, and everybody you talk to would have to
have an identical one.

That's the chicken and egg of crypto.  The government is using its
very special ability to solve chicken and egg problems of new
technologies to control this one in a way they like.


It's almost admirably clever.  When the EFF started, I posed the question here
"What are the police going to do when they wake up and discover they
can't wiretap?" and nobody here had an answer (or even thought it was
much of a question)

Then came the backdoor and Digital Telephony bills, which we fought.

Now we have their real answer, the cleverest of all.

-- 
Brad Templeton, ClariNet Communications Corp. -- Sunnyvale, CA 408/296-0366

Newsgroup: sci.crypt
Document_id: 16127
From: h2o@dmi.ens.fr (Philippe Hoogvorst)
Subject: Re: Clipper chip

In article <19930426.113215.145@almaden.ibm.com>, jbs@watson.ibm.com writes:
|>          Is it realistic for the government to try to keep the details
|> of the encrytion algorithm secret if it intends to use evidence from...
|>                           James B. Shearer

I do not think they can use the eavesdropping as evidence at all. However,
using the info they gather while listening, they can go searching THE right
place and find good, strong evidence, which they can use in court. 

Question: currently, it is easy to wire-tap, from the technical point of
view at least. Anybody using the appropriate radio receiver can listen
to communications between a car telephone and the ground station. The police
also, obviously. The clipper chip will make it much more difficult for the
non-authorized person to eavesdrop (note that I DO NOT write <<impossible>>).
Privacy will thus improve from the current situation. People who REALLY
have something to hide already DO NOT use the phone to speak of these things.
If an illegal operation is really worth it, one can afford having critical data
carried by a person rather than sending it electronically.
The clipper chip will not change this.

The problem is more political. Foreign countries will never accept the clipper
chip if access to the escrow cannot be directly granted to their own
police following their OWN law, not US law, i.e. each country will have
its own escrow. How then will it be possible to monitor the international
traffic? Or will encrypted international traffic be possible? Or will there
be an international escrow, some kind of U.N. thing?

Forbidding encrypted communication is impractical: how is it possible to spot
an encrypted communication in the thousands of megabytes of data which circulate
on the various existing networks? What about private networks? And this will
become more and more impossible as the volume of electronic traffic increases
in the next years.

I think that the clipper chip can only be an interesting device to limit the
risk of, for instance, one's girlfriend's husband listening to his wife's
communications. It will bring no more as regards security. Is it worth it?
I think so if its cost is limited; I think that many privacy invasions are done
not only by official services, but also by private entities. The clipper can
help reduce these. Provided we do not hope for too much from it, it is not a real
danger and it can be helpful.

Ph. HOOGVORST

Newsgroup: sci.crypt
Document_id: 16128
From: steve-b@access.digex.com (Steve Brinich)
Subject: Re: Is it illegal to transmit encrypted data?

 > I'm afraid I have to disagree with you on that point.  NSA will *not*
 >tell RSA or any other non-DOD entity anything that its eavesdropping
 >reveals.

  I don't know about that; they might if they find it the most expedient
way to keep people from using something they can't crack.


Newsgroup: sci.crypt
Document_id: 16129
From: steve-b@access.digex.com (Steve Brinich)
Subject: Re: Dorothy Denning opposes Clipper, Capstone wiretap chips

 > I believe there is no technical means of ensuring key escrow without the
 >government maintaining a secret of some kind.

  Not necessarily.  For instance, in the system outlined in the May 1993
issue of "Byte", the process of getting one's public key listed for general
use involves giving pieces of your private key to escrow agencies, which
do calculations on those pieces and forward the result to the publishers of
the public key directory, which combines these results into your listed
public key.  If you try to give the escrow agencies pieces which -don't-
yield your private key when they are all put together, the result is that
the public key listed for you is wrong and you can't read messages encrypted
to you.


Newsgroup: sci.crypt
Document_id: 16130
From: jfc@athena.mit.edu (John F Carr)
Subject: Re: Clipper chip

In article <1993Apr28.104036.15896@ens.fr>
	h2o@dmi.ens.fr (Philippe Hoogvorst) writes:

>Forbidding encrypted communication is impractical: how is it possible to spot
>an encrypted communication in the thousands of megabytes of data which circulate
>on the various existing networks? What about private networks?

I suspect the government feels it is enough to prevent companies from
offering secure encryption services.  Big companies don't take that
kind of risk.  They're too visible and have too much to lose.

The US government may not have to make encryption illegal to prevent its
use.  If they could credibly say to IBM or MIT: you will receive no US
government money next year unless you follow these voluntary guidelines on
use of encryption, I doubt either organization would delay making use of
encryption a violation of local policies.  The US government gets much of
its power by making it impractical to operate without getting money from the
government while putting restrictions on use of such money that would be
illegal if they were enacted as laws.

--
    John Carr (jfc@athena.mit.edu)

Newsgroup: sci.crypt
Document_id: 16131
From: dave@tygra.Michigan.COM (David Conrad)
Subject: Re: Let's build software cryptophones for over the internet...

In article <1993Apr27.075011.12624@wuecl.wustl.edu>
 eah1@gauguin.wustl.edu (Edward Anthony Hutchins) writes:
>[modify] pgp to allow it to compress/decompress 144 bit frames
>every 30msec... 
>As part of the project I'm working on now, we're trying to get CELP up and
>running in realtime full duplex mode... I gotta find the source to pgp and
>see how tough it would be to integrate the en/decryption parts into the code.

I presume you are just going to use IDEA for the session encryption and
transmit the session key with RSA?

David R. Conrad		"No his mind is not for rent/To any god or government"
-- 
=  CAT-TALK Conferencing Network, Computer Conferencing and File Archive      =
-  1-313-882-2209, 300bps-14400bps, V.32/V.32bis/TurboPEP New users use 'new' - 
=  as a login id.  AVAILABLE VIA PC-PURSUIT!!! (City code "MIDET")            =
   E-MAIL Address: dave@Michigan.COM

Newsgroup: sci.crypt
Document_id: 16132
From: dave@tygra.Michigan.COM (David Conrad)
Subject: Cryptography Bibliography

Yesterday I read an article from someone who was requesting references for
introductory texts on cryptography.  Although I marked the article to
return, it appears to have expired on this site.

Anyway, on one of the previous occasions when this subject arose I saved
a couple articles which made suggestions.  One of the articles contained
a quite impressive bibliography.  If the poster of the request (or anyone
else) would like to email me, I would be glad to send out copies of these
recommendations, including the bibliography.

David R. Conrad		"No his mind is not for rent/To any god or government"
-- 
=  CAT-TALK Conferencing Network, Computer Conferencing and File Archive      =
-  1-313-882-2209, 300bps-14400bps, V.32/V.32bis/TurboPEP New users use 'new' - 
=  as a login id.  AVAILABLE VIA PC-PURSUIT!!! (City code "MIDET")            =
   E-MAIL Address: dave@Michigan.COM

Newsgroup: sci.crypt
Document_id: 16133
From: Peter.Bruells@arbi.informatik.uni-oldenburg.de (Peter Bruells)
Subject: Re: Clipper Crap



>>>>> On Wed, 28 Apr 1993 04:30:27 GMT, kckluge@eecs.umich.edu (Karl Kluge) said:

KK> (Shaun P. Hughes) writes:

KK>    Newsgroups: sci.crypt
KK>    From: sphughes@sfsuvax1.sfsu.edu (Shaun P. Hughes)
KK>    Date: Sat, 17 Apr 1993 07:18:59 GMT


	[..]

KK>       Just a random passing thought, but can anyone cite a documented use
KK>    of encryption technology by criminals and terrorists.
KK>       (Excluding the Iran-Contra Gang)

KK> Sure, the rum-runners in Prohibition. See Kahn's _The Codebreakers_.
KK> The irony was, they were using better codes and key security than
KK> most governments were.

And Fidel Castro / Che Guevara - they used one time pads, I think. It was in a
Scientific American article about Quantum Cryptography.

Newsgroup: sci.crypt
Document_id: 16134
From: res@colnet.cmhnet.org (Rob Stampfli)
Subject: Re: Organized Lobbying for Cryptography

In article <1r74ta$hcs@transfer.stratus.com> cme@ellisun.sw.stratus.com (Carl Ellison) writes:
>In article <1r3jgbINN35i@eli.CS.YALE.EDU> jgfoot@minerva.cis.yale.edu writes:
>>
>>Perhaps these encryption-only types would defend the digitized porn if it
>>was posted encrypted?
>
>To paraphrase, I may not agree with what you're encrypting, but I defend
>your right to encrypt it.

I suppose after Waco, it's only prudent to leave the "to the death" part out.
-- 
Rob Stampfli  rob@colnet.cmhnet.org      The neat thing about standards:
614-864-9377  HAM RADIO: kd8wk@n8jyv.oh  There are so many to choose from.

Newsgroup: sci.crypt
Document_id: 16135
From: oml@eloka.demon.co.uk (Owen Lewis)
Subject: Re: Tempest 

In article <1993Apr26.193801.12416@lynx.dac.northeastern.edu> angel@Foghorn_Leghorn.coe.northeastern.edu writes:

>I heard somewhere (can't name the source) that TEMPEST does not necessarily
>pick-up just CRTs, but it can pick up emissions from almost any chip.  If
>that is true, the kind of monitor would not make any difference because everything
>on the screen can be picked-up from the video controller.  Can anybody verify
>or refute this?

You are correct (several times). TEMPEST is a codeword for a standard, shared
between the NATO governments, to limit the inadvertent emission of information
by either electromagnetic radiation or conduction. The limits set in the
standard are classified but there is open source information to the effect
that either the electrical or magnetic components of electromagnetism can be
exploited. It is a basic rule of physics that there is an electromagnetic
field associated with any path that conducts a flow of electrons.

Among other things, I drive a 1987 Korean-built AT clone and an associated
24-pin dot-matrix printer. The major source of unintentional emission is the
CRT. To that can be added the video driver card, the RS232 parallel cable and
the printer head. The emissions from these are gross and can be detected with
the crudest of equipment. Were I to apply good test equipment and some
intelligence to measuring emission levels, I would find many other potential
sources of leaked information.

Where cryptography is used for serious purposes, poor TEMPEST protection 
becomes an important security hazard.

In the early eighties, the need to allow some commercial concerns,
particularly financial institutions, a level of protection against the TEMPEST
threat led to a series of briefings to invited corporations and to the
'release' of a cut-down TEMPEST standard for commercial use. I say 'release'
for while equipment to meet the standard is available (at a price and to
approved customers) AFAIK even the commercial standard remains classified. If
you think about it, it would really have to, wouldn't it?
   
-- 

                               -= Owen Lewis =-
                                      @
      Tele/fax  +44-(0)794-301731   ELOKA   Consultancy & Project Management
                            oml@eloka.demon.co.uk
                        pgp 2.x public key on request

Newsgroup: sci.crypt
Document_id: 16136
From: jhupp@shockwave.win.net (Jeff Hupp)
Subject: Re: Clipper Not Good Enough for Government?

 
>
>This is stupid.  Won't it cost more to those companies hoping to 
>serve the gov't and private markets if they DON'T use the same
>technology?
>
        I would guess that they won't use Clipper at all.  What they will
do is use their STU-IIIs among themselves and the governmental agencies
they need to talk to, and ignore Clipper.  After all, if it's not secure
enough for the agency/department they are communicating with why should
the corporations trust it?
 

_____________________________________________________________________
\Jeff Hupp                      |Internet: jhupp@shockwave.win.net   \
|9797 Medowglen, Apt. 1807      |Ad:    Contract Programming, Novell |
|Houston, Texas  77042          |       Network Design and Support.  |
|Voice: (713) 780 - 9419        |"The best government doesn't" -- me.|
\_____________________________________________________________________\ 

Newsgroup: sci.crypt
Document_id: 16137
From: "Josh N. Pritikin" <jpab+@andrew.cmu.edu>
Subject: Re: From Crossbows to Cryptography

>      But I think that mind-set is a mistake.   Before  there
> were cattle prods, governments tortured their prisoners with
> clubs  and  rubber  hoses.    Before  there  were lasers for
> eavesdropping, governments used binoculars and  lip-readers.
> Though  government certainly uses technology to oppress, the
> evil lies not in the tools but in the wielder of the tools.

Evil and good walk hand in hand.  It is also important to note that
the good in the tools lies in the wielder of the tools.

>      In fact, technology represents one of the most  promis-
> ing  avenues  available  for  re-capturing our freedoms from
> those who have stolen them.

I cannot accept this ridiculous leap in logic.  Technology is neutral
to good or evil.  When technology is used by "evil" men, it is called
evil technology.  When it is used by "good" men, it is called good
technology.  Really, it is just technology that allows action to be
realized more efficiently and on a larger scale.

> By its very nature,  it  favors
> the  bright  (who can put it to use) over the dull (who can-
> not).

Try not to confuse the development of technology with its use.
Certainly, "bright" people will be better at creating technology, but
even young children know how to program VCR machines.  Are VCR
machines not extremely complex to create?

> It favors the adaptable (who are  quick  to  see  the
> merit  of  the  new  (over  the sluggish (who cling to time-
> tested ways).

Adaptability and flexibility are always better at enduring than the
stiff and stubborn.  A young child is soft and supple; an old man is
stiff and inflexible.  A dripping of water can cut through stone.
This has nothing to do with technology, rather technology just
allows us to magnify action.

> And what two better words are  there  to  de-
> scribe government bureaucracy than "dull" and "sluggish"?

I have no objection to this!  :)

joshp@cmu.edu   /o)\   Silent
                \(o/   Thunder

Newsgroup: sci.crypt
Document_id: 16138
From: pose-rh@ee.up.ac.za (R H W Poser - 9155430 - Chemies)
Subject: Re: How to make this illuminating thing?

In article <1rn458INNguj@dns1.NMSU.Edu> jcho@dante.nmsu.edu (CHO) writes:

>My father having worked for American Cyanamid for sometime did mention
>that the "recipe" is a secret... Neither of us know of just how toxic
>the stuff is...but you can synthesize a similar substance that is
>available to just about any organic lab...called Luminol.  You can usually
>find this in an organic lab book or something similar... 

These substances are normally not the secret, but how to get at them. The 
method of preparation is normally patented, which means that no-one else can 
make the chemical in the same way, without undergoing an agreement with 
American Cyanamid. (But I guess you knew what a patent is :-) )

If you know what substance is used, you'll also know its toxicity.

>Rumor has it that luminol is some base form for the stuff used in the 
>light sticks...

The Luminol reaction has the disadvantage of not lasting as long as the 
commercial version.

Remember that cyano compounds are found in nature, and not all are poisonous.

Regards,

(--------------------------------------------------------------------)
( R.H.W. Poser          Chem.Eng. III         University of Pretoria )
(Fidonet : 5:7101/22.23  or : Rolf.Poser@p23.f22.n7101.z5.fidonet.org)
(   Fastest : pose-rh@babel.ee.up.ac.za        Tel.: +27-12-451528   )
(--------------------------------------------------------------------)

Newsgroup: sci.crypt
Document_id: 16139
From: rwirthli@nyx.cs.du.edu (Ralph Wirthlin)
Subject: Re: Is it illegal to transmit encrypted data?

steve-b@access.digex.com (Steve Brinich) writes:


> > I'm afraid I have to disagree with you on that point.  NSA will *not*
> >tell RSA or any other non-DOD entity anything that its eavesdropping
> >reveals.

>  I don't know about that; they might if they find it the most expedient
>way to keep people from using something they can't crack.

Let's put it this way, they have a charter and several executive orders
to obey, among other things which *explicitly* prohibit sharing this
information (unless things have changed within the last little while).
I suppose they could ignore it, if they choose.  But I doubt they would.
For an authoritative look at the NSA, get Bamford's "The Puzzle Palace".
That's all I can say.


			Ralph


Newsgroup: sci.crypt
Document_id: 16140
From: george@tessi.com (George Mitchell)
Subject: Re: Organized Lobbying for Cryptography

marc@tanda.isis.org (Marc Thibault) writes:
>        Looking at it from up here in the Frozen North, it looks like
>        you could do worse than get the NRA involved. They have a
>        kindred problem, a large number of voters, the right attitude,
>        and lots of funds.

They also have a lot of the other voters really irritated at them.

>        From an ethical _or_ constitutional viewpoint, I haven't seen
>        a good argument for cryptographic rights that doesn't also
>        support the NRA position on guns (and vice-versa).

Okay, folks, I know I'm in the minority on this issue, but I can't
let this assertion go unchallenged yet again.  I'm going to say this
ONLY ONCE, in the hopes of NOT starting a flame war off of the main
topic.

Guns are offensive.  Cryptography is defensive.  See the difference?
The only way you can use a gun is to hurt somebody else.  Crypto-
graphy helps prevent other people from hurting you.

Sorry for the digression.  Let's not forget the issue that we DO
agree on: We want continued access to crypto technology of our
choice, without key registration.
-- George Mitchell (george@tessi.com)

Newsgroup: sci.crypt
Document_id: 16141
From: koontzd@phobos.lrmsc.loral.com (David Koontz )
Subject: Re: triple des


Please post to news, too.




Newsgroup: sci.crypt
Document_id: 16142
From: pdc@dcs.ed.ac.uk (Paul Crowley)
Subject: Re: Organized Lobbying for Cryptography

Quoting amanda@intercon.com (Amanda Walker) in article <1rn1b3$khb@news.intercon.com>:
>george@tessi.com (George Mitchell) writes:
>> Guns are offensive.  Cryptography is defensive.  See the difference? 

>Nope.  Information, properly delivered, can be just as deadly as lead.

The same is true of lemon meringue pie.
  __                                  _____
\/ o\ Paul Crowley   pdc@dcs.ed.ac.uk \\ //
/\__/ Trust me. I know what I'm doing. \X/  Fold a fish for Jesus!

Newsgroup: sci.crypt
Document_id: 16143
From: jhupp@shockwave.win.net (Jeff Hupp)
Subject: STU-III - General Question

Why are people willing to trust the STU-III?
Because the government does?


_____________________________________________________________________
\Jeff Hupp                      |Internet: jhupp@shockwave.win.net   \
|9797 Medowglen, Apt. 1807      |Ad:    Contract Programming, Novell |
|Houston, Texas  77042          |       Network Design and Support.  |
|Voice: (713) 780 - 9419        |"The best government doesn't" -- me.|
\_____________________________________________________________________\ 

Newsgroup: sci.crypt
Document_id: 16144
From: lsnyder@fig.ucsb.edu (Lowell R. Snyder)
Subject: Re: Tempest

angel@Foghorn_Leghorn.coe.northeastern.edu (Kirill Shklovsky) writes:

>In article <1993Apr26.104320.10398@infodev.cam.ac.uk> rja14@cl.cam.ac.uk (Ross Anderson) writes:
>I heard somewhere (can't name the source) that TEMPEST does not necessarily
>pick-up just CRTs, but it can pick up emissions from almost any chip.  If
>that is true, the kind of monitor would not make any difference because everything
>on the screen can be picked-up from the video controller.  Can anybody verify
>or refute this?

Anything can be an emissions problem, right down to the video cable.  Given
the right equipment, you can pick the screen paint from the cable.  But,
given any cable, you must know what is being sent through it to know the
format of the signal, as well as how many wires, etc.

Newsgroup: sci.crypt
Document_id: 16145
From: matt@ra.oc.com (Matthew Lyle)
Subject: Re: Clipper Chip: Reverse Engineering

maa@plato.ds.boeing.com (Mark A Allyn) writes:
>You all mention that the algorithm is classified and have expressed 
>concerns and ideas of how to figure out the algorithm using software.
>
>The question that I have is why cant someone take one of these chips
>and reverse engineer it? I mean, take the thing to a chip testing/
>analysis facility, one with a decent electron microscope. Just pry
>off the top of the chip and start scanning it with the electron
>microscope and figure out the circuitry. I remembered a place that I used
>to work for had one of these facilities that they used to analyze chips
>that we accidentally blew out while running tests. They could actually find
>the area that was fried and show us where in the circuit it was. 
>
>I am sure that many companies and universities must have these facilities
>and that the potential is there, especially at a university where the
>security at such a facility is looser, for someone to take a clipper
>apart and analyze it?
>
>What can the government do to prevent this? Start taking away all 
>microchip analysis facilities and electron microscopes??


They are using some technology developed by VLSI systems, the other
manufacturer of the Clipper Chips, that produces chips that are supposed to
be highly resistant to reverse engineering.

-- 

Matthew Lyle                                           matt@oc.com
                                                       matt@utdallas.bitnet
OpenConnect System, Dallas, Texas                      (214) 888-0474

Newsgroup: sci.crypt
Document_id: 16146
From: rboudrie@chpc.org (Rob Boudrie)
Subject: Re: Suggestions for escrow agencies (was: Re: More technical details)

>What are the assurances the escrow people will not be FORBIDDEN to
>report any access attempts for one's keys?


In NY State it is already a crime to inform anyone of a law enforcement
wiretap on their phone, even if the person doing the informing learns
about it through "non-privileged" means.

Newsgroup: sci.crypt
Document_id: 16147
From: mathew@mantis.co.uk (mathew)
Subject: Re: Clipper considered harmful

tedwards@eng.umd.edu (Thomas Grant Edwards) writes:
>>> If these personal attacks are what stopped Prof. Denning from
>>> replying on issues of substance, they have caused real harm
>>> to the serious debate here.
>> They are and they have.
> If Prof. Denning is afraid of posting here due to personal attacks,
> perhaps she should use an anonymous posting service.  That is why
> they are there, to allow heated debate to occur without the personal
> attacks.

Er, people are going to make personal attacks on Prof. Denning whether she
posts here or not.  That much should be obvious from looking at the traffic
over the last few weeks.  Therefore I conclude that the existence of personal
attacks is irrelevant to any decision concerning whether to post.

I suspect that Prof. Denning is actually using the attacks as an excuse for
not posting, and that the real reason for the silence is that Clipper is not
the sort of proposal any self-respecting cryptographer can support via
reasoned argument.


mathew
-- 
"If you want to have constructive discussions here, and more importantly, be
 taken seriously by your peers, you may wish to consider shaping up."
  -- Advice I was offered by David Sternlight

Newsgroup: sci.crypt
Document_id: 16148
From: amanda@intercon.com (Amanda Walker)
Subject: Re: Dorothy Denning opposes Clipper, Capstone wiretap chips

brad@clarinet.com (Brad Templeton) writes:
> They have a much better reason to classify the algorithm than to 
> protect its security.  They want to protect its market share. 

That's one way to put it.  Keeping the algorithm classified means that 
disclosure of it falls under the rubric of "national security."  Nothing like 
federal marshals to guard a monopoly...

> The result is tappable 
> cryptography without laws forbidding other kinds, for 99% of the 
> populace. 

Agreed, although this is still somewhat better than the status quo :).

> To get untappable crypto, you would have to build a special phone that 
> runs on top of this system, and everybody you talk to would have to 
> have an identical one. 

Sounds like a job for the Free Software Foundation :)/2...


Amanda Walker
InterCon Systems Corporation

Newsgroup: sci.crypt
Document_id: 16149
From: neuhaus@vier.informatik.uni-kl.de (Stephan Neuhaus (HiWi Mattern))
Subject: Re: Clipper Crap

kckluge@eecs.umich.edu (Karl Kluge) writes:

>In article <1993Apr17.071859.9555@csus.edu> sphughes@sfsuvax1.sfsu.edu (Shaun P. Hughes) writes:

>      Just a random passing thought, but can anyone cite a documented use
>   of encryption technology by criminals and terrorists.
>      (Excluding the Iran-Contra Gang)

Just a couple of days ago, I heard on the radio news that a Neo-Nazi
organization had set up a BBS to keep its members informed.  According
to the radio man, the Nazis were using encryption to reduce their risk
if they were prosecuted.  No, I do not have any more information.

Have fun.

-- 
Stephan <neuhaus@informatik.uni-kl.de>
sig closed for inventory.  Please leave your pickaxe outside.
PGP 2.2 public key available on request.  Note the expiration date.

Newsgroup: sci.crypt
Document_id: 16150
From: cme@ellisun.sw.stratus.com (Carl Ellison)
Subject: Re: Organized Lobbying for Cryptography

In article <rdippold.736035556@qualcom> rdippold@qualcomm.com (Ron "Asbestos" Dippold) writes:
>george@tessi.com (George Mitchell) writes:
>>Guns are offensive.  Cryptography is defensive.  See the difference?
>No.  They're both neutral.  Whether they're offensive or defensive
>depends on how you use them.

Nonsense.

Mike, in Heinlein's "Moon is a Harsh Mistress" decides that a weapon is some
mechanism which allows you to deliver energy at a distance.  (I don't
have the book handy or I'd find the exact quote).

Guns do that.

Cryptosystems do not.

-- 
 - <<Disclaimer: All opinions expressed are my own, of course.>>
 - Carl Ellison                                        cme@sw.stratus.com
 - Stratus Computer Inc.       M3-2-BKW                TEL: (508)460-2783
 - 55 Fairbanks Boulevard ; Marlborough MA 01752-1298  FAX: (508)624-7488

Newsgroup: sci.crypt
Document_id: 16151
From: ee92jks@brunel.ac.uk (Jonathan K Saville)
Subject: Re: triple des

Richard Lucock (rmal@jet.uk) wrote:
: I have seen various references to 'triple des' recently. Could anyone
: tell me what it is ? From context, I would guess that it means
: encrypting each block 3 times, with a different key each time, but
: I'd like to be sure.

: Replies by email preferred - our news is unreliable.

Could people replying to the above question post their responses here
as well, as I'm sure others (including myself) would like to hear them.

Thanks.

Jon
--
#      Jon Saville       #   Who alive can say, 'Thou art no   | Keats,
#  ee92jks@brunel.ac.uk  #  Poet, may'st not tell thy dreams?' | 1819
     PGP 2.2 public key available upon request or by finger

Newsgroup: sci.crypt
Document_id: 16152
Subject: Re: Clipper Chip Questions
From: a_rubin@dsg4.dse.beckman.com (Arthur Rubin)

In <1rmrm4$jvb@sol.TIS.COM> mjr@tis.com (Marcus J Ranum) writes:

>[about scanning clipper and reverse-engineering the algorithm]
>>Am I missing something obvious here? What could have the government done
>>to address this possibility? Do they really care if it stays classified?

>	Yeah, you're missing the obvious fact that since the algorithm
>is classified, if you reverse engineer it from the chip, and later
>publish it, or build a compatible chip, you're divulging classified
>information and are in a big load of trouble.

I don't think they can do that without changing the law.  The chip itself
isn't classified, and reverse engineering is allowed by law (possibly)
unless prohibited by a valid contract.  The algorithm may be classified,
but there are many court cases ruling that information identical to
classified information, but obtained from unclassified sources, is freely
publishable (with the possible exception of nuclear weapon information.)
--
Arthur L. Rubin: a_rubin@dsg4.dse.beckman.com (work) Beckman Instruments/Brea
216-5888@mcimail.com 70707.453@compuserve.com arthur@pnet01.cts.com (personal)
My opinions are my own, and do not represent those of my employer.

Newsgroup: sci.crypt
Document_id: 16165
From: cme@ellisun.sw.stratus.com (Carl Ellison)
Subject: Re: Clipper Crap

In article <KCKLUGE.93Apr27233027@krusty.eecs.umich.edu> kckluge@eecs.umich.edu (Karl Kluge) writes:
>In article <1993Apr17.071859.9555@csus.edu> sphughes@sfsuvax1.sfsu.edu (Shaun P. Hughes) writes:
>   >encryption's dual-edge sword:  encryption helps to protect the
>   >privacy of individuals and industry, but it also can shield
>   >criminals and terrorists.  We need the "Clipper Chip" and other
>    ^^^^^^^^^^^^^^^^^^^^^^^^
>      Just a random passing thought, but can anyone cite a documented use
>   of encryption technology by criminals and terrorists.
>      (Excluding the Iran-Contra Gang)
>
>Sure, the rum-runners in Prohibition. See Kahn's _The Codebreakers_.
>The irony was, they were using better codes and key security than
>most governments were.

Yes -- great chapter.  Elizabeth Friedman (sp?) comes shining through.

However, the chapter also notes that these rum runners invented their own
crypto -- hired ex-military folks, in fact.  (How's that for a revolving
door?)

Now, given that today's rum runners (coke runners, actually) have even more
money than yesterday's, it's reasonable to expect them to have even better
cryptography.  I doubt they have a chip foundry of their own yet, but ....

So, my question of the FBI/NIST/NSA is: "How are you going to make the rum
runners use the Clipper Chip?"

Answer:  	you're not.

Question:	OK -- in that case, your justification for taking away our
		rights has evaporated.  How do you justify our loss of rights
		if you can't use the drug dealers and terrorists?


-- 
 - <<Disclaimer: All opinions expressed are my own, of course.>>
 - Carl Ellison                                        cme@sw.stratus.com
 - Stratus Computer Inc.       M3-2-BKW                TEL: (508)460-2783
 - 55 Fairbanks Boulevard ; Marlborough MA 01752-1298  FAX: (508)624-7488

Newsgroup: sci.crypt
Document_id: 16279
From: pla@sktb.demon.co.uk ("Paul L. Allen")
Subject: Re: Clipper: Two additional possible problems

-----BEGIN PGP SIGNED MESSAGE-----

In article <cliftonrC69tvt.4AL@netcom.com> cliftonr@netcom.com (Pope Clifton) writes:

[...]
> If I want to talk to someone, I don't need to have previously exchanged
> keys with him, I just call him up, and the phones establish a session key
> for us using a zero-knowledge algorithm or something of the kind.  (If I've
> misunderstood this part, it probably invalidates the rest of this notion.)
> 
> This lends itself to spoofing.
[...]
> I go buy a pair of Clipper phones to go on a pair of phone lines in a back
> room somewhere, and have the digital switch programmed to redirect his
> calls to one of my two lines instead of to his, whenever he receives a
> call.  The two phones are wired back-to-back in the clear.


> Anyone see any problem with this scheme, other than to assume that all
> public officials and phone company employees are totally incorruptible?

As far as I can see, no matter how the session keys are generated (be it
Diffie-Hellman or whatever), any Cripple conversation which travels in
whole or in part over a land-line is vulnerable to this scheme.  Law-
enforcement agencies can do it legally at the telco, or illegally by finding
some part of the phone line that they can cut into.  The degree of risk
depends very much on location - not good in the middle of a busy street,
but not bad on a line in open country (leading to a drug lord's ranch).  The
only way to defeat it would be if your phone had the equivalent of a public
key indexed against phone number for every phone you might want to call (all
of them) - totally impractical, even if some part of the Cripple algorithm
could be used as a kind of public key (I don't understand enough about these
things to know).

This sort of encryption scheme is only really workable over a radio link,
and even then you could probably intervene without causing problems for
other phones nearby if you were physically close to the target phone.

Gosh, yet another way to get round Cripple encryption.  How many is that
we've found so far?  And that's without even knowing the details of the
algorithm.

- --Paul

-----BEGIN PGP SIGNATURE-----
Version: 2.2

iQCVAgUBK+F5hGv14aSAK9PNAQHEFAP6Ap4AhhqHc9ewDJI14/1DP8woO6wpibkO
B/lrJBT9GRKdgFDSzrc5aYe2aRctnYjFKQO3RHot0uN68Ewv1e7+1CcQDTCTVgaq
ZaKHkGVkk99BaHEYGYy1Jn/MgKrJWrehIUfvHDp7x84tVPdCeMIMkAU0sZWwN2Kv
YbqiEgkRBcg=
=2pPL
-----END PGP SIGNATURE-----
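To make the scenario in this thread concrete, here is an added simulation (my own code, not anything from the posters or from the Clipper design) of the two situations Paul describes: a session key set up by plain Diffie-Hellman between two phones, with a third party on the redirected land line, and the same call when each phone instead uses "the equivalent of a public key indexed against phone number". The DH group, the phone number and the key-confirmation message are constructed for the example; the group is a toy and not a standards-track one.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters, constructed for this example only: P is the
# Mersenne prime 2**127 - 1 and G = 3.  They show the algebra but are not a
# standards-track group and must not be used in a real system.
P = 2**127 - 1
G = 3


def dh_keypair():
    """Return (private exponent x, public value G**x mod P)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def session_key(priv, peer_pub):
    """Derive a 32-byte session key from the DH shared secret."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def confirm(key):
    """Key-confirmation tag each phone sends once it has derived its key."""
    return hmac.new(key, b"key confirmation", hashlib.sha256).digest()


def unauthenticated_call():
    """Ephemeral DH with nothing tying a public value to a phone number.
    Mallory, on the redirected line, completes one exchange with each end."""
    a, alice_pub = dh_keypair()
    b, bob_pub = dh_keypair()
    m1, m1_pub = dh_keypair()              # value Mallory shows Alice
    m2, m2_pub = dh_keypair()              # value Mallory shows Bob
    alice_key = session_key(a, m1_pub)     # Alice believes this came from Bob
    bob_key = session_key(b, m2_pub)       # Bob believes this came from Alice
    mallory_alice_side = session_key(m1, alice_pub)
    mallory_bob_side = session_key(m2, bob_pub)
    # Mallory holds Alice's key, so the confirmation she relays verifies and
    # the call goes through, with Mallory decrypting and re-encrypting between.
    established = hmac.compare_digest(confirm(mallory_alice_side), confirm(alice_key))
    return {
        "call_established": established,
        "mallory_reads_alice": mallory_alice_side == alice_key,
        "mallory_reads_bob": mallory_bob_side == bob_key,
    }


def directory_pinned_call():
    """Bob's long-term public value is pinned in a directory indexed by his
    phone number and distributed out of band.  Alice keys the call from the
    directory entry and ignores whatever public value arrives on the wire."""
    bob_priv, bob_pub = dh_keypair()
    directory = {"+1-555-0100": bob_pub}   # constructed number, out-of-band copy
    a, alice_pub = dh_keypair()
    m, m_pub = dh_keypair()                # Mallory's substitute for bob_pub
    alice_key = session_key(a, directory["+1-555-0100"])
    # Mallory can still pair her own value with Bob's pinned one...
    bob_key = session_key(bob_priv, m_pub)
    mallory_bob_side = session_key(m, bob_pub)
    # ...but without bob_priv she cannot compute Alice's key, so whatever
    # confirmation she sends Alice fails to verify and Alice's phone aborts.
    mallory_alice_side = session_key(m, alice_pub)
    established = hmac.compare_digest(confirm(mallory_alice_side), confirm(alice_key))
    return {
        "call_established": established,
        "mallory_reads_alice": mallory_alice_side == alice_key,
        "mallory_reads_bob": mallory_bob_side == bob_key,
    }
```

Note what the second function still leaves open: only Bob's value is pinned, so Bob's side can still be paired with a stranger claiming to be Alice. Pinning in both directions (each phone checking the other's directory entry) closes that too, which is exactly the "every phone you might want to call" distribution problem the post points at.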


Newsgroup: sci.crypt
Document_id: 16344
From: rja14@cl.cam.ac.uk (Ross Anderson)
Subject: Re: hardware hash function

In article <C6DEo6.uyE@watson.ibm.com>, basturk@watson.ibm.com (Erol Basturk) 
writes:

|>                          So, the question is: has a "fast" hash
|> function been designed for hardware implementation ? 

Yes, you can use a stream cipher chip to hash data with only slight 
modification. See:

`A fast cryptographic checksum algorithm based on stream ciphers', X Lai,
RA Rueppel, J Woolven, Auscrypt 92 pp 8-7 to 8-11.

Ross

Newsgroup: sci.crypt
Document_id: 16345
From: tenney@netcom.com (Glenn S. Tenney)
Subject: Re: HELP! Some nut is threatening to sue!

I don't wish to rehash the PGP patent issue at all, but I do feel
that some potential misconceptions in interpreting intellectual property
laws need to be raised.

In article <a_rubin.736125803@dsg4.dse.beckman.com> a_rubin@dsg4.dse.beckman.com (Arthur Rubin) writes:
>
>If PGP violates RSAs patents, then only executing PGP could be a violation.
>Distributing PGP could be contributory infringement, but the PGP
>documentation seemed sufficient to me to protect distributors (before I
>deleted it -- using PGP might be a patent violation in the US, so I have no
>need to keep it.)

You are correct that executing PGP would be a violation (unless the patent
were declared invalid by the courts), but...  there is a question as
to when, how, or if distributing PGP would be a violation.  If the person
or company distributing PGP receives money for doing so, then it is
clearly a sale (for example, if it were on Compuserve, they charge you
for access so they would be selling PGP).  When there is no charge for
PGP things get less clear, but there would still be a reasonable view
that it is inducing an infringement.

> ... [nb re: Jim Bidzos]
>You have no legal action you can take, unless you believe you can prove
>someone is using PGP in the US, for a purpose other than that specifically
>allowed by patent laws.  (Not entirely correct, anyone can sue for any
>reason, but, you cannot prevail unless you can prove that by a preponderance
>of evidence).  Under patent laws, PGP does have legitimate uses, as a means
>to study your algorithm, in order to produce improvements (which would
>still require your approval to execute, until the patent runs out around
>2000).

This is a common misconception.  The patent laws do not mention any valid
purpose for infringing a patent.  Although it is clear that in order to
create a new invention either based on a prior patent or to avoid infringing
a prior patent, one must perform research on an existing patent.  To
just say that you infringed a patent (assume we're not talking the RSA
patent) only for research purposes (wink wink, nudge nudge) and then never
develop any related invention (i.e. only use it), would be a clear
infringement.

-- 
Glenn Tenney
voice: (415) 574-3420      fax: (415) 574-0546
tenney@netcom.com          Ham radio: AA6ER

Newsgroup: sci.crypt
Document_id: 16347
From: carl@lvsun.com (Carl Shapiro)
Subject: Re: My letter about Clipper

In article <strnlghtC6BJDw.MID@netcom.com> strnlght@netcom.com (David Sternlight) writes:
>Part of the basis for my belief is that we [NSA] have more people, spend much
>more money, and have much better hardware than anyone else.

The same could be said for many other government agencies, but big budgets,
large staffs, and long lead time haven't made many of them into models of
effectiveness.

The fact is that those of us outside the inner circles have only James
Bamford's word that the people at the NSA use those legendary masses of
computers for anything other than reading netnews, like many of us.

The NSA *doesn't* have an impressive record of accomplishments, at least
not a public record.

>David Sternlight		  Great care has been taken to ensure the accuracy of
>						  our information, errors and omissions excepted.

This, on the other hand, is priceless!	Where's it from?

Newsgroup: sci.crypt
Document_id: 16348
From: pooka@access.digex.net (Louis Emmet Mahoney)
Subject: Re: Clipper: Two additional possible problems

erwin@trwacs.fp.trw.com (Harry Erwin) writes:

>Anyone interested in adopting British Telecom's quantum encryption scheme?
>They've demonstrated it over a 10 km link. It automatically detects
>wiretapping.

Can you tell us more?

-pooka


Newsgroup: sci.crypt
Document_id: 16351
From: mark@bart.demon.co.uk (Mark Starzewski)
Subject: Re: Clipper: Two additional possible problems

In article <erwin.736304526@trwacs> erwin@trwacs.fp.trw.com writes:

>Anyone interested in adopting British Telecom's quantum encryption scheme?
>They've demonstrated it over a 10 km link. It automatically detects
>wiretapping.
>
If the BT phone system is anything to go by...me thinks this should be
approached with great caution.

Mark
--
******************************************************************************
..without warranty,                           Internet: mark@bart.demon.co.uk
   implied merchantability                          CIS: 100114,2415
   or fitness for a particular purpose...Yo Dude!
******************************************************** Click,Click...brrr...

Newsgroup: sci.crypt
Document_id: 16352
From: t31694c@kaira.hut.fi (Tapani Lindgren)
Subject: Re: DES salts

In article <1993Mar31.014220.7701@Demax.COM> mikel@Demax.COM (Mikel Lechner) writes:
>
>You could just as well use a 16 character password to perform the encryption
>of the 64 zero bits.  One simple method would be to use the first 8 characters
>to encrypt the 64 zero bits and then use the remaining 8 characters to
>encrypt the result again.  The output would still be 64 bits which encodes
>into 11 ASCII characters.
>
Wouldn't this method be vulnerable against a "birthday" attack?
Currently a cracker needs to find the _only_ (*1) key that produces
the given ciphertext.  He has to try about 2^63 keys on the average.
In the proposed method the cracker only needs _any pair_ of key halves.
If he can store about 2^32 guesses for one half, he is likely to find
a matching pair in about 2^32 guesses.  (Here I have assumed that the
DES-encryption is reversible, if the key is guessed.  Is this so or do
the modifications of the S-boxes by the salt bits make it non-reversible?)

*1 Probably there is only one key; I think there is 1 chance in about 128
that there are two or more keys (can anyone verify this?), but this doesn't
help the cracker much.

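The general form of what this post is reaching for is the meet-in-the-middle attack on double encryption: build a table of the known plaintext encrypted under every candidate for the first key half, then for each candidate second half decrypt the ciphertext once and look the result up. The table is the size of one half-key space, and the work is about twice one half-key search instead of the product of the two. The block below is an added illustration (mine, not from the thread) on a constructed toy Feistel cipher with a 16-bit block and 12-bit key, so the whole search runs in a fraction of a second; the key halves and plaintexts are constructed values, with 0x0000 standing in for the 64 zero bits.

```python
import hashlib

BLOCK_BITS = 16
KEY_BITS = 12
ROUNDS = 4


def _round_fn(key, rnd, half):
    """Keyed 8-bit round function built from SHA-256 (toy construction)."""
    return hashlib.sha256(bytes([key >> 8, key & 0xFF, rnd, half])).digest()[0]


def toy_encrypt(key, block):
    """4-round Feistel cipher on a 16-bit block with a 12-bit key."""
    l, r = block >> 8, block & 0xFF
    for rnd in range(ROUNDS):
        l, r = r, l ^ _round_fn(key, rnd, r)
    return (l << 8) | r


def toy_decrypt(key, block):
    """Inverse of toy_encrypt: undo the rounds in reverse order."""
    l, r = block >> 8, block & 0xFF
    for rnd in reversed(range(ROUNDS)):
        l, r = r ^ _round_fn(key, rnd, l), l
    return (l << 8) | r


def double_encrypt(k1, k2, block):
    """The proposal under discussion: encrypt under the first half of the
    password, then encrypt the result under the second half."""
    return toy_encrypt(k2, toy_encrypt(k1, block))


def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known (plaintext, ciphertext) pairs.  The table
    of all E_k1(P) costs 2**KEY_BITS encryptions; each k2 then costs one
    decryption and one lookup, so the total is about 2 * 2**KEY_BITS rather
    than (2**KEY_BITS)**2 for searching the joint key.  Extra pairs weed out
    the chance matches that a small block size produces."""
    p0, c0 = pairs[0]
    table = {}
    for k1 in range(1 << KEY_BITS):
        table.setdefault(toy_encrypt(k1, p0), []).append(k1)
    work = 1 << KEY_BITS
    for k2 in range(1 << KEY_BITS):
        work += 1
        for k1 in table.get(toy_decrypt(k2, c0), ()):
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                return (k1, k2), work
    return None, work


def demo():
    """Constructed secret key halves and known plaintexts; returns the
    recovered key, the operations spent, and the size of the joint key space."""
    true_key = (0x123, 0xABC)
    plaintexts = [0x0000, 0x1234, 0xBEEF]
    pairs = [(p, double_encrypt(*true_key, p)) for p in plaintexts]
    found, work = meet_in_the_middle(pairs)
    return found, work, (1 << KEY_BITS) ** 2
```

The same arithmetic is what makes two-key double DES worth little more than single DES against an attacker able to store the table, and why the standard answer to "two keys" is triple encryption rather than double.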


Newsgroup: sci.crypt
Document_id: 16353
From: schlege@lips.ecn.purdue.edu (Kevin L Schlegelmilch)
Subject: Source code for Substitution cipher

  I was wondering if anyone knew of where I could find source
code for a program to solve a substitution cipher?  

Thanks!
Kevin

(Please post your answer instead of e-mailing me directly)

Newsgroup: sci.crypt
Document_id: 16354
From: msawyer@mael (Michael Sawyer)
Subject: Re: More Clipper stuff

Ben Liberman (ben@genesis.MCS.COM) wrote:
: What if clipper is fairly secure but leaves a distinct clipper signature...
: that is, what if it's not too difficult to tell that a msg. was clipper
: encrypted, even if you can't tell the contents?  In that case, anyone 
: who is trying to hide behind anther encryption scheme will stand out
: from all of the other traffic and raise a red flag to the NSA, etc.

I think the obvious answer (which may have been posted, but I haven't
seen it) is to encrypt your data with some other scheme, then run it
through clipper.  The only way the police will be able to detect the
other encryption is through a wiretap, so even if they do notice with
an illegal wiretap, I have a hard time seeing a judge issuing a
warrant for a search to "confiscate" the illegal scheme (assuming that
at one day, it comes to this; a worse case) based on an illegal
wiretap.  Then again, maybe I am an idealist.  :>

: 	------------    --------    ----------------------
: 	Ben Liberman    INTERNET    ben@genesis.MCS.COM
: 	                            ben@tai.chi.il.us

--
Michael Sawyer - My opinions are mine, not necessarily UH's, NSF's, or NASA's
University of Hawaii Physical Oceanography/Satellite Remote Sensing
RIPEM public key available, MD5OfPublicKey: C53C8744A87664168D135C0763DCCC1D


Newsgroup: sci.crypt
Document_id: 16355
From: olson@umbc.edu (Bryan Olson; CMSC (G))
Subject: Advanced one time pad (was: Re: more one time pad stuff)


O.K.- if you've read this group for a while, you know all about the
one-time-pad, but here's a question I haven't seen.

The one-time-pad yields ideal security, but has a well-known flaw in
authentication.  Suppose you use a random bit stream as the pad, and
exclusive-or as the encryption operation.  If an adversary knows the 
plaintext of a message, he can change it into any other message.  
Here's how it works.

Alice is sending Bob a plaintext P, under a key stream S
Alice computes the ciphertext C = S xor P,  and sends it to Bob.

Eve knows the plaintext P, but wants the message to appear as P'.
Eve intercepts C, and computes  C' = C xor P xor P' = S xor P'.
Eve sends C' to Bob.

Bob decrypts C' by computing  C'xor S = P',  thus receiving the 
false message which was substituted by Eve.


Now the question is how can this attack be defeated with information
theoretic security, not just computational security.
Can we define something like "ideal authentication" which is the
analog of ideal security.  Can we obtain ideal authentication ?

If not, how much can we limit Eve's control over the message ?

If we can achieve ideal authentication, does the solution use more
key bits or expand the message ?  Can we show the solution to be
optimal in one or more parameters ?

Does anyone know if these questions have been answered before?

olson@umbc.edu

Newsgroup: sci.crypt
Document_id: 16356
From: tds@hoserve.att.com (Tony DeSimone)
Subject: Re: Audio CDs?

>>>>> On 30 Apr 1993 21:16:29 -0400, steve-b@access.digex.net (Steve Brinich) said:

Steve>   Hmmm... given the error corrections in modern audio CDs, is
Steve> it sufficient to simply instruct your agent to decrypt using
Steve> the bit stream from the second cut of the latest Garth Brooks
Steve> CD, or are the usual number of bit errors found acceptable in
Steve> commercial CDs because of that error correction enough to
Steve> garble the message if such a method is used?

One unreliable data point: while looking over the shoulder of a
recording engineer, I decided that he was seeing a raw error rate of
about 1 in 1e6 on a CD ``master.''  Both the extrapolation to
mass-market CDs and my state of mind while doing the arithmetic (I was
waiting for him to finish so we could go get something to eat) are
questionable. 
--
Tony DeSimone                               Room 3m321               
Performance Analysis Department             101 Crawfords Corner Road
AT&T Bell Laboratories                      Holmdel, NJ 07733-3030   

Newsgroup: sci.crypt
Document_id: 16357
From: ji@cs.columbia.edu (John Ioannidis)
Subject: Re: Organized Lobbying for Cryptography

In article <1993Apr30.004519.7741@csus.edu> sphughes@sfsuvax1.sfsu.edu (Shaun P. Hughes) writes:
>
>Perhaps someone should ask Zippy the Pinhead for his opinion. :)
>

Yow! Am I ENCRYPTING yet?

Didn't we go over this guns'n'crypto discussion a few months ago? Must
we go over it again?

/ji

Newsgroup: sci.crypt
Document_id: 16358
From: C445585@mizzou1.missouri.edu (John Kelsey)
Subject: One-time pad authentication?

   I can think of a couple of ways of guaranteeing authenticity in a one-time
pad encrypted scheme, though I'm not sure how to prove what kind of
authenticity they provide.
 
   An obvious first-attempt might be to prepend a truly random (unpredictable
for Eve) block to the message, and then calculate a CRC which included the
random starting block and all of the message.  This could be encrypted after
the message.  The problem is, I'm not sure it's impossible to come up with
a message that will hash to the same CRC regardless of the random starting
block.  (It intuitively seems like it ought to be hard, but I'm not *that*
sure....)  Clearly, a crypto-strength hash like MD5 or the SHA would be
stronger, but again, I'm not sure I'm comfortable claiming that it's
unbreakable.
 
   A scheme to use up some of the pad bits to decide how many bits of 0's
to include in the plaintext stream before going on wouldn't be too bad,
either.  At the cost of increasing the speed with which you use up your
pad, this could be used to give you arbitrarily low probability that your
opponent could spoof a valid-looking message, since any deciphered plaintext
in a spot that should be carrying 0's will show that something funny's going
on.
 
   If, for each message bit M_i, we used up one random bit, R_i, to decide
whether to insert a 0 into the plaintext stream, we'd get a total pad use
of 2.5 times the message length.  (We'd expand the message size by about
half.)  Each 0 that should appear in the plaintext stream that doesn't is a
guess for our would-be spoofer.  At each bit, she has to guess.  I'm trying
to see how to quantify her chances of making it all the way through the
spoofed message, but it gets a little complicated, because she can get un-
synched, and still happen to have a 0 in that place in the spoofed message.
 
   Now, I can see a simple way of doing this that's got to be as secure
as a one-time pad, at a cost of using 4 times the message length in pad bits.
 
   For each message bit, M_i, use one random bit, R_i, and xor them together
to get X_i.  Now, encrypt the three bits with the one-time pad.  The enemy
has no way of guessing what R_i is, so he/she can't guess what X_i is, either.
Any change she makes in the ciphertext stream will have to involve a guess
of what R_i was.  Is there any way to do this without using so many pad bits?
 
   Spoofing the message is equivalent to correctly guessing as many random
bits as there are bits in the message.  Clearly, this makes spoofing messages
just as hard if you know the whole message text as if you know none of it.
In fact, it looks to me like this makes it just as hard to generate a spoofed
message with the ciphertext as without it, but I'm not entirely sure about
that.
 
   Is there an easier way of doing this that's provably as secure as the
one-time pad?
 
   --John Kelsey

Newsgroup: sci.crypt
Document_id: 16359
From: ggr@koonda.acci.com.au (Greg Rose)
Subject: Authentication and one-time-pads (was: Re: Advanced one time pad)

In article <1s1dbmINNehb@elang05.acslab.umbc.edu> olson@umbc.edu (Bryan Olson; CMSC (G)) writes:
>The one-time-pad yields ideal security, but has a well-known flaw in
>authentication.  Suppose you use a random bit stream as the pad, and
>exclusive-or as the encryption operation.  If an adversary knows the 
>plaintext of a message, he can change it into any other message.  
>Here's how it works.
>
>Alice is sending Bob a plaintext P, under a key stream S
>Alice computes the ciphertext C = S xor P,  and sends it to Bob.
>
>Eve knows the plaintext P, but wants the message to appear as P'.
>Eve intercepts C, and computes  C' = C xor P xor P' = S xor P'.
>Eve sends C' to Bob.
>
>Bob decrypts C' by computing  C'xor S = P',  thus receiving the 
>false message which was substituted by Eve.

Firstly, an aside:

I agree that the weakness exists, but I have a lot of trouble
believing that it represents a difficulty in real life. Given:

1. the purpose of the one-time pad is to give unbreakable security,
and the expense of key distribution etc., imply that the clients
really do want that level of security

2. These same people want to keep P a secret

I find it hard to believe that Eve might happen to have a copy of P
lying around.

(I am aware that the same argument applies to Eve knowing even a small
part of the message, but Eve must know EXACTLY where (which bytes) in
C her known subsequence starts, or the result will be garbled. I find
this at least as surprising.)

Back to the question:

If I had the resources to use a one-time-pad for such transmissions, I
would also append a Message Authentication Code to the message, using up
the next bits of the one-time-pad as the key perhaps. Your original
question basically asked whether there was any way to authenticate the
message with the same degree of security as the Pad itself provided,
and I don't know the answer. However, I would propose the following
for discussion.

Alice and Bob have an arbitrary number of secret, random bits to
share, which Eve doesn't know. She finds them out (effectively) by
knowing some P and the corresponding C. It is the fact that they
CORRESPOND that causes the problem. If a message authentication code was to
be created using some one-time-pad operation such that Eve could not
know which parts of the MAC were affected by which parts of the input,
she would be unable to forge a MAC to correspond.

What is required is a non-linear combiner of parts of the message.
(Non-linear so that simply xoring or subtracting or whatever doesn't
have exactly the same effect).

Now, at the end of the encrypted message C, Alice appends an n-bit MAC
computed as follows (S2 means the next full chunk of the one time pad):
  1. compute C2 = P xor S2, and pad to an n-bit boundary with more of S
  2. break C2 into n-bit chunks
  3. set MAC to 0 (initialisation vector)
  4. for i in each chunk sequentially
       set MAC = MAC NLOP C2[i]

At the end of this process MAC is the Message Authentication Code.

(Bob verifies the MAC in the obvious manner; he recovers the
plaintext P, then uses some more of his pad to reproduce the MAC in
the same manner.)

NLOP is the non-linear operator, and there is the rub. The simplest
non-linear operator I can think of is an S-box; that is, have a fixed
(even published) permutation of the n-bit integers, an indexable table
called Sbox, and use:
  x NLOP y = x xor Sbox[y].

Practically speaking, I think this solves your problem, as Eve never
sees the intermediate output C2, and hence can't deduce S2 or perform any valid
substitution on it.

Also practically speaking, you want the MAC to be fairly large, say 32
bits, but you might not want a 4 gigabyte (say) S-box, so you might
work on 4 byte-sized S-boxes, but I think that is an irrelevant detail
for the discussion at hand.

Who will be first to point out my errors, or give me a pointer to some
literature?
--
Greg Rose                 Australian Computing and Communications Institute
ggr@acci.com.au                                              +61 18 174 842
`Use of the standard phrase "HIJACKED" may be inadvisable' -- CAA
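The three posts above (Olson's substitution C' = C xor P xor P', Kelsey's question of an authenticator "provably as secure as the one-time pad", and Rose's suggestion of a MAC keyed from the next bits of the pad) are illustrated together in the following added example; it is my code, not any of the posters' schemes. The malleability step follows Olson's derivation with his symbols. For the authenticator it uses the polynomial one-time MAC from the universal-hashing literature (Wegman and Carter), which is the standard information-theoretic answer: the tag is b + sum of m_i * a^i mod a prime, with a and b taken fresh from the pad for each message, and a forger who never sees a and b succeeds with probability at most L/prime for a message of L chunks. The pad, the plaintexts and the prime 2^61 - 1 are constructed choices for the example.

```python
import secrets

PRIME = 2**61 - 1   # Mersenne prime; tags live in Z_PRIME
MAC_KEY_BYTES = 16  # pad bytes consumed per message for (a, b)


def xor_bytes(x, y):
    return bytes(u ^ v for u, v in zip(x, y))


def otp_encrypt(pad, p):
    """C = S xor P, as in the post (S is the next len(P) bytes of the pad)."""
    return xor_bytes(pad[:len(p)], p)


def eve_substitute(c, p, p_prime):
    """C' = C xor P xor P' = S xor P', the manipulation from Olson's post."""
    return xor_bytes(xor_bytes(c, p), p_prime)


def _chunks(msg):
    """7-byte chunks (each below PRIME), preceded by the length so that no
    two messages map to the same chunk sequence."""
    out = [len(msg)]
    for i in range(0, len(msg), 7):
        out.append(int.from_bytes(msg[i:i + 7], "big"))
    return out


def one_time_mac(mac_key, msg):
    """Polynomial one-time MAC: tag = b + sum_i m_i * a^(L-i+1)  (mod PRIME),
    with a and b taken from 16 fresh pad bytes.  For two distinct messages
    the difference of the two polynomials has degree at most L, so the tags
    can agree for at most L values of a out of PRIME possible ones."""
    a = int.from_bytes(mac_key[:8], "big") % PRIME
    b = int.from_bytes(mac_key[8:16], "big") % PRIME
    acc = 0
    for m in _chunks(msg):
        acc = (acc + m) * a % PRIME      # Horner's rule
    return (acc + b) % PRIME


def demo():
    """Constructed inputs: a random pad and two equal-length plaintexts."""
    pad = secrets.token_bytes(64)
    p = b"ATTACK AT DAWN, BOB."
    p_prime = b"RETREAT AT DAWN, BOB"
    s, mac_key = pad[:len(p)], pad[len(p):len(p) + MAC_KEY_BYTES]

    c = otp_encrypt(s, p)
    tag = one_time_mac(mac_key, p)

    # Without authentication, Bob decrypts Eve's C' to exactly P'.
    c_prime = eve_substitute(c, p, p_prime)
    bob_sees = xor_bytes(c_prime, s)

    # With the MAC, Bob recomputes the tag on what he decrypted.  Eve knows
    # P and P' but not (a, b), so the tag she relays does not verify.
    genuine_ok = one_time_mac(mac_key, xor_bytes(c, s)) == tag
    forged_ok = one_time_mac(mac_key, bob_sees) == tag
    return {
        "bob_sees": bob_sees,
        "genuine_verifies": genuine_ok,
        "forgery_verifies": forged_ok,
        "pad_bytes_used": len(p) + MAC_KEY_BYTES,
    }
```

On Kelsey's cost question: this construction spends a fixed 16 extra pad bytes per message, independent of message length, rather than a multiple of the message size, and the message itself grows only by the 8-byte tag. The one-time property matters as much as the pad's: a and b must never be reused for a second message, which is why they are drawn from the pad rather than fixed.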

