June 1993 - cypherpunks-legacy

Re: Digital Cash$$$$
by Duncan Frissell 17 Jun '93

17 Jun '93

(J. Michael Diehl) >>>Then DC is actually backed by "legal" currency? Then, what's to keep >>>someone from opening a digital bank, and takeing the money and runing? Nothing. Just like the First National City Bank of New York or Bank Leu, Zurich. You should deal with someone with a rep and perhaps a history. Obviously the risk of fraud would be greater with a digital cash issuer completely unconnected to an existing financial institution. >>>OECD? The Organization for Economic Cooperation and Development. AKA the rich countries (plus Turkey). The 12 EEC Countries (we can all name them, can't we? %{) + Canada, US, Japan, AU, NZ, Iceland, Norway, Sweden, Finland, Austria, Switzerland, and Turkey. >>>Obviously, DC can lead to quite a few opportunities for corruption, >>>taxes for example. This will hinder (or help, in Washington D.C! ;^]) >>>the spread of DC.Is there any arguements for DC, to offer to counter >>>this major drawback? That's not a bug that's a *feature*. Those are the main arguements in *favor* of DC. The main argument that DC can use against D.C. is that conventional regulatory techniques have been obsoleted by the nets, downsizing effects *all* sorts of institutions not just corporations, and the denizens of the District had better start figuring out what they will do when they are forced to get honest work. Duncan Frissell Laws are local, communication is universal.

1 0

Rude CryptoStacker Suggestion (LONG)
by mlshew＠dixie.com 17 Jun '93

17 Jun '93

Earlier I talked about some amiga programs I had that did compression and encryption. I've uploaded some to soda. As I've said, most of them are amiga-specific, but of course the encryption-only bits of code can still be educational to other-machine users. If not, Eric can erase them, or not make them public, which is of course okay. It's his site and all that. I figured I'd go through these files here to explain a bit of what they are and do, if nothing else, with liberal amounts of plagiarism from the readme files. This should at least prevent people from downloading interesting sounding titles for nothing. First, the list of files. Although I don't know where they'll end up, The full list of things I uploaded are: ************************************************* * * rdes.lha 25K DES encryption program * idea.lha 31K File encryption tool using IDEA * Crypt.device-1.8.lha 23K Crypting handler * crypdisk.zoo 55K Sector oriented disk encryption * xpk25dev.lha 141K Compression package, developer's additions * xpk25usr.lha 215K Compression package, user's edition * XFH134.lha 135K (De-)compressing handler, uses Xpk. * xPack_1.5.lha 9K OS 2.x Shell Interface for XPK * ************************************************* Now for the individual descriptions: ************************************************* * * rdes.lha 25K Another DES encryption program * ************************************************* Any collection of encryption programs should of course include a version of DES, so I'll start off with one. The following is taken from the RDES man file. Note the -x option. *********** * * The usage for RDES is * * RDES [-e | -d] [-x] [-b] [-m mode] [-k key] [in_file [out_file]] * * where: * * -e => encrypt the file (default) * -d => decrypt the file * * -x => add n random bytes to the end of the file, where n is * a random integer between 0 and 7 inclusive (used in * encryption mode only). * * -b => use straight DES (default is to use cipher block chaining). * -m => set `mode' bits (see below for details). * -k => set key string * *********** ************************************************* * * idea.lha 31K File encryption tool using IDEA * ************************************************* This is another one that should be easily recompilable on multiple platforms--it's straight C, and it even includes the original unix code. It is small, does IDEA encryption/decryption, and that's all. Here's the top of idea.doc. If it looks interesting you'll probably just want to get it anyway. *********** * * NAME * idea - encrypt and decrypt using IDEA * * SYNOPSIS * idea [ -e | -d ] [ -ecb | -cbcN | -cfbN | -ofbN ] * ( -k keyString | -K keyHexString ) * [ inputFile [ ouputFile ] ] * * idea [ -h | -H ] [ -tan | -abr ] * [ -k keyString | -K keyHexString ] * [ inputFile [ [ ouputFile ] hashvalFile ] * *********** ************************************************* * * Crypt.device-1.8.lha 23K Crypting handler * ************************************************* This is a device driver that you can use to mount an encrypting virtual partition as a file in top of an existing AmigaDos device. It says it's based on fdev.device -- "filesystem in a file". You can edit the virtual partition parameters however you want (such as sectors/cylinders/filesystem etc.) The encryption method is IDEA in cbc mode, which is written in 68000 assembly. ************************************************* * * crypdisk.zoo 55K sector oriented disk encryption * ************************************************* This is a sector based disk- (or AmigaDos device-) based encryption program. It works a bit differently from crypt-device, and also uses a 68000 handcoded IDEA algorithm, and it's not limited to cbc mode. It's a modification of the xpkIDEA library assembler source which will be mentioned in the next section. ************************************************* * * xpk25dev.lha 141K Compression package, developer's additions * xpk25usr.lha 215K Compression package, user's edition * XFH134.lha 135K (De-)compressing handler, uses Xpk. * xPack_1.5.lha 9K OS 2.x Shell Interface for XPK * ************************************************* * * Note: The bottom two files are updates to subparts of the top two. * (Obviously, I didn't want to modify the original distribution.) * ************************************************* The easiest way for me to describe the xpk???.lha files is to cheat, and mostly just include the overview file. Here it is, with a lot of deletions: (Including the list of way-cool authors.) *********** * * THE XPK DATA COMPRESSION PACKAGE * ================================ * * * 1. What is XPK * -------------- * * For a long time, there have been various compression programs for different * purposes on the Amiga. But every application supported only one compressor, * and most compressors were only supported by one application. XPK wants to * put an end to this: Every application with XPK interface can use very packer * with XPK interface. An XPK packer is a library with a four letter library * name. * * * 3. XPK-Compressors * ------------------ * * First a general overview of the most important packers and crypters and * their uses. [...] * - FEAL encrypts data at reasonable speed with very high safety, ie. it has * not yet been broken in the higher-round modes. Any kind of private data * is safe in the hands of FEAL. ===> [Is this still true?] ===> [Also: On the chart below, A3000 means a 25Mhz 68030 machine.] * Now for the complete overview of all existing compressors. You may not have * all of them. The meaning of the fields: * * Name: 4 letter name of the packer. * CSpd: Compression speed in K/sec on an A3000 * USpd: Decompression speed in K/sec on an A3000 * CF : Compression factor in % * Mo : This packer supports modes * Cry : This packer can encrypt * Desc: Description of the packer * * Name CSpd USpd CF Mo Cry Desc * ---- ---- ---- -- -- --- ---- * BLZW 139 364 32 + - Fast compression & decompression, usable CF * CBR0 410 1918 3 - - Byte run encoding, only for simple files (Gfx) * DLTA 104 1265 - - - Pre-processor for packing of sound samples * ENCO 393 393 - - + Sample library for cryptors * FEAL 109 109 - + + Encryption with selectable safety * HUFF 88 138 24 - - Huffman coding, low CF and speed * IDEA 90 90 - + + Safe Encryption, not too fast, many variations * IMPL 6 280 44 + - Imploder, good CF, slow compression, fast decomp * NONE 1918 2477 0 - - Do-nothing packer * NUKE 36 630 45 - - Very fast decompression, good CF & fast compression * RLEN 170 1351 4 - - Sample library for packers * SHRI 5 9 52 + - Excellent CF but low speed * VERN 861 874 - - + Less safe but very fast Vernam encryption * ---- ---- ---- -- -- --- ---- * * Also, XPK supports powerpacker.library for decompression. * *********** Note that there are multiple encrypting "compressors" there, including a blank one for an example. The distribution also contains two handlers to allow one to use these compression/encryption libraries transparently instead of semi-explicitly. One of these, XFH, (the one that Urban mentions), has been upgraded since this distribution. The latest version of which I am aware is 1.34, so I uploaded XFH134.lha also. Now to discuss some of the individual encryption libraries within this XPK distribution. I recall people having asked about what the speed of doing on-the-fly encryption would be. For Vernam encryption (Has anyone heard of this???), not only are the benchmarks not included but neither is the library nor the docs. Maybe the author didn't contact Urban for inclusion in the master archive, I dunno, I don't even have an xpkVERN.library. However, I do have numbers for FEAL and IDEA. Here are the speeds for the FEAL encryption, from a speed chart from its docfile. (I believe this is for a 25Mhz 68030 machine.) *********** * * Speed and Memoryusage * --------------------- * * Rounds Memory En-/Decryptioncryption * Usage Speed * ------ ------ ---------------------- * 4 1K 190 K/sec * 8 1K 144 K/sec * 16 1K 96 K/sec * 32 1K 58 K/sec * 64 1K 33 K/sec * *********** Here are the IDEA speeds: *********** * * The xpkIDEA implementation uses the following XPK modes for different * encryption methods: * * XPK Mode Encr. Method Nr. States 68030/25 68000/7.14 * -------- ------------ ---------- -------- ---------- * 0..25 ECB / 90 K/s 12 K/s * -------------------------------------------------------------------------- * 26 CFB 1 * . . . 87 K/s 11 K/s * . . . * 50 CFB 25 * -------------------------------------------------------------------------- * 51 OFB 1 * . . . 84 K/s 11 K/s * . . . * 75 OFB 25 * -------------------------------------------------------------------------- * 76 CBC 1 * . . . 84 K/s 11 K/s * . . . * 100 CBC 25 * -------------------------------------------------------------------------- * *********** Rather obvious possibilities for those wanting to do similar things on other machines: o Forget it, your machines are inferior pieces of... Oh sorry, I'm supposed to be being polite. Scratch that. o Scavenge source code from some of the above packages and use it in the skeletons of DOS 'redirectors' (?) o Go the whole way and implement the XPK standard on other machines. (You might want to bring get with Urban and the others though. By the way, when quoting sections of the XPK overview, I didn't inlcude the partial author list of nine people. Anyone interested in these projects do have lots of other people to talk with about the standard.) o Disassociate from the mediocritins and.. oops, there I go again. And finally, o Keep part of your mind still thinking about standards for secure data links. I have my own ideas on the subject, which should translate to other machines mostly. They are as follows: On the amiga, I think it would be best to write a driver one would use instead of the default of serial.device or whoever, to handle the encryption. It would then call serial.device or whoever to actually transmit the data. The advantage here is the modularity of having any terminal program work with this device driver, so you could at any time bring up its window on the workbench screen or a public screen, to adjust its parameters in a way independent of whatever terminal programs you might have running, if need be, or controlled with ARexx scripts or from other programs. The neat parts here are that (a), it could do compression as it goes, too, but more importantly, (b), it would be transparent to any other binary transfer protocol you'd be useing, except for speed. (Although it could somewhat make up for that by making them slightly more efficient--seeing as the encrypting device would have to do it's own error checking, dynamic transfer protocols used by the term programs would tend to use larger and larger window sizes), and (c) this could be standardized across machines, so it would also be neat if (d) the standard allowed for multiple concurrent sessions transparently, as well as file transfers, all dynamically configurable. (Not just multiple resident invocation of the same code, but one link turned into 12, like uwm, or dnet on amigas and unix.) (I'm almost making it into a terminal program itself.) One of the main things would be to make it very transparent to the other programs running--so that even if you were on some weird (but somewhat secure) network, you could run a program on this standard between your telnet on your machine and it's connection to the network. (I may be speaking nonsense here.) Whether you were really using kermit, telnet, ftp, or zmodem, the underlying connection would be secure. Anyway, I was just thinking that this might be especially cool if it were compatible across platforms. I figured I'd share those thoughts with any others thinking about secure links, to help maximize the spread of ideas. (And then Timothy Newsham uploads something along those lines even before I can post this. Sheesh! Okay, here's a way to make money by taking bets on this phenomenon: Pick a random person and a cypherpunk, and let them race, with the random person describing a neat program he'd like to have, and the cypherpunk writing it. I'd place my bets on the cypherpunk finishing first. :-) ) Hoping to add to the general confusion, -Mark Shewmaker

1 0

Binaries
by Paul Goggin 17 Jun '93

17 Jun '93

In order to equalize, what may be construed as a growing disparity between ripem and pgp availability (i.e. ripem binaries being kept online for ftp). I have taken upon myself to start collecting binaries for PGP. If you would be kind enough to email me if you would like to offer any binaries. I will check against what I already have and get back to you for retrieval. Please enclose your OS and sytem type (pretty much referring to UNIX here). For instance, -r--r--r-- 1 ftp guest 252829 Jun 17 05:05 pgp-hp720-8.07.Z -r--r--r-- 1 ftp guest 166958 Jun 17 05:00 pgp-ibm-rs6000-3.1.Z Paul -- R O All Comments Copyright by | Technofetisht A N Paul S. Goggin (1993) | Cypher, Cyber, Chaos V Information Broker | Ergoflux, Interzone E chaos(a)aql.gatech.edu | Carpe Diem: Stop the Clipper wiretap chip Finger account for latest _Phrack_ | Public Key: PGP and RIPEM available For anonymous communication:---> anonymus+4744(a)charcoal.com ------------------------------------------------------------------------------ Title 18 USC 2511 and 18 USC 2703 Protected -- Monitoring Absolutely Forbidden

1 0

Re: Weak stenography.
by J. Michael Diehl 17 Jun '93

17 Jun '93

According to Timothy C. May: > > (very) weak stenography. By "informed," I mean that the intruder has reason > > I dislike spelling flames, but you consistently misspelled > "steganography" as "stenography," which is what a secretary does. > > Thought you might want to watch out for this in future postings. You may dislike them, but I sure appreciate it. Thanx. I can do a lot of things; spelling isn't one of them. +-----------------------+-----------------------------+---------+ | J. Michael Diehl ;-) | I thought I was wrong once. | PGP KEY | | mdiehl(a)triton.unm.edu | But, I was mistaken. |available| | mike.diehl(a)fido.org | | Ask Me! | | (505) 299-2282 +-----------------------------+---------+ | | +------"I'm just looking for the opportunity to be -------------+ | Politically Incorrect!" <Me> | +-----If codes are outlawed, only criminals wil have codes.-----+ +----Is Big Brother in your phone? If you don't know, ask me---+

1 0

Weak stenography.
by J. Michael Diehl 17 Jun '93

17 Jun '93

Recent discussion reguarding court-requested plaintext has made if obvious that data conceilment techniques need to be developed before real privacy can be obtained. For the sake of discussion, lets define "weak stenography" as any data-hiding techinique which will fool all but the "informed and skilled" intruder. For example, hiding encrypted data in "hidden" files in msdog would qualify as (very) weak stenography. By "informed," I mean that the intruder has reason to think that you are hiding something. "Skilled" simply means that the intruder has the needed skills to find and verify anything you might be hiding. Now, lets say some LEA thought you had plotted to (your favorite crime here.) And that they also suspected that you had encrypted all of the needed evidence. Further, that you had hidden the data, but couldn't prove it. In order for them to get you to produce that plaintext, they would have to be able to prove that you actually had such data. The only way that I can think of for them to prove such a thing is to produce a piece of cyphertext, and prove that it is, indeed, cyphertext. Further, they would have to prove that it belongs to you. So, if the data is hidden, they have to find it before they can compel you to decrypt it. Now for a proposal: Lets say we have to binary files, one that is an executable, and the other some type of (pgp?) encrypted file. We take these two files and put the cyphertext on the end of the executable, and encode the length of the the cyphertext at the end of the resulting file. Now, lets say that we had xor'ed the cyphertext with some string before we did the concatenation. The file-size-change would be a sure tip-off, if the LEA had another copy of the executable to compare with, so assume they don't. Looking at the file with a binary editor would reveal nothing. Since the cyphertext was transformed, running the decrypter program on the file would be fruitless. Disassembling the executable might, to the real skilled, reveal something, so we can assume this is what happens. After this much work, the LEA has some kind of binary file which they now have to tie to you and prove that it contains some kind of message. BTW, you can always claim to have downloaded it from somewhere.... Now they need to figure out how you transformed your cyphertext, if they even think of that. Lets say they figure out how you did it. Now they have to find what string you used in the xor process. Give that such a string might be about 6 ascii characters, they have to look at 64^6 different strings; each time through, they have to run the decryption program to see if it recognizes the cyphertext. If they can do one such examination per second, this process will take 2.2 years! And when their done, they still have to prove you put the message there in the first place. Bummer. ;^) Is there something wrong with my reasoning? Does this sound plausable. Would it be as effective as I envision? Comments are welcome. If the response is favorable, I will try to get it coded in (portable?) C and release it. +-----------------------+-----------------------------+---------+ | J. Michael Diehl ;-) | I thought I was wrong once. | PGP KEY | | mdiehl(a)triton.unm.edu | But, I was mistaken. |available| | mike.diehl(a)fido.org | | Ask Me! | | (505) 299-2282 +-----------------------------+---------+ | | +------"I'm just looking for the opportunity to be -------------+ | Politically Incorrect!" <Me> | +-----If codes are outlawed, only criminals wil have codes.-----+ +----Is Big Brother in your phone? If you don't know, ask me---+

1 0

Need hard Clipper data
by mbriceno＠ideath.goldenbear.com 17 Jun '93

17 Jun '93

I am representing the anti-clipper side in an ongoing debate in the "Wired " conference on OneNet. The governmental lemmings question the existence of the "Law Enforcement Exploitation Field" and want citations. Would the person who posted the hard facts about Clipper please send me all the info? Thanks in advance, -Marc Briceno PGP public key

1 0

Re: Digital Cash$$$$
by wcs＠anchor.ho.att.com 17 Jun '93

17 Jun '93

J. Michael Diehl asks: > 1. How does one start a digital cash economy? How is the initial distribution > of currency done? This is, of course, assuming the technical stuff is taken > care of. Issuing digital cash is easy - the problem is getting someone to take it :-) Other than anonymity, the problems of starting a digicash exchange economy are pretty similar to those of starting any other private money system - governments avoid the problem by pointing guns at people (i.e. issuing fiat currency and making legal tender laws), and commodity money systems mostly avoid it by using a commodity people care about as a standard (gold, silver, cordwood, tobacco, etc. - doesn't have to be fixed value), but everybody else has to solve it somehow. (The other main issue, which someone brought up, is whether there are applicable laws like banking law or taxable transaction reporting laws that may require you to get permits or let regulators regulate you or whatever, which vary from country to country, and also depend on how you define and manage your digicash accounts.) My current involvement in token-based currencies, aside from government fiat, includes NJ parkway toll tokens, which went up in value when the toll went up, Washington DC Metro tickets, which aren't redeemable for anything, and Joe's Coffee Money at work. Joe prints it on the Macintosh, there's a box of them on the counter, you leave a dollar when you take more, the coffee's ok, profits pay for new hardware and occasional free days, and unlike the bozos who run New Jersey's highways and Arts Center, Joe's a guy you can trust :-) One way to get people to accept your digicash is to use it for convenient anonymous payment for a service, like highway tolls or subway fares, or anonymous remailer payments. Essentially, you're getting a group of vendors together, selling digibucks for cash, and distributing the cash among the vendors according to the digibucks they've received. It's not much different from other systems using tokens. As long as the vendors agree to accept tokens at the current value for an extended period of time, you don't risk much. If you ran a barter club using tokens, you could do it with digicash; the problem then is how to agree on when tokens will be generated, and by whom. One solution that would be readily accepted is to only issue tokens in return for real cash or other valuable commodities. This means everybody knows that a digibuck is worth a buck, and has a reasonable expectation that the currency won't be inflated away. For commodities, some reasonable valuation needs to be done. (ObMovieReference - the poker game in "Benny and Joon" is marvelous :-) For payment for services, it's tougher - the demand side of your market depends on how much money is floating around as well as how many people want your services, and a market that's too small won't be able to generate much. On the other hand, unless there's some way for people to perform services that become part of the bank's assets and available to creditors, it shouldn't issue more digibucks to pay for them; that's inflating the currency merely for the bank's benefit. Another way to start a digicash system is as a credit card analogue, where the bank bills the customers later and only has enough cash backing to cover the float, but that's not much different from a cash-based system except that in a pay-first cash system, it's possible for the digibank to invest the cash in an external investment, with the usual issues of risk, liquidity, etc. that normal banks have, only the account balances exist as digibucks in people's digiwallets instead of ledger entries in the bank's computer. > 2. Is digital cash supposed to be backed by actual cash on deposit at the bank? Or by a promise of future services from vendors hired by the bank (presumably for real cash), if the customers find that acceptable, but that's essentially backed by the bank's negotiable assets, including cash. > 3. How would one "get out" of such an economy if he wanted to? The ideal way is by spending all your digicash, either for the Collect the system service / product if it's a vendor-based system, or for services or products sold by other members. It's somewhat of a system failure to redeem your digicash for paper cash, unless the system is basically intended as a payment system, in which case it's fine. Or abandon your investment, or sue. > 4. If DC is to be backed by actual cash, is this really such a good idea? I once knew someone who had invested in a bank-like system that denominated its accounts in gold rather than fiat currency, and paid its depositors in gold on demand. It also paid interest, which should have been a clue.... It eventually collapsed, and turned out to be a semi-scam; it had invested most of its money in high-yield, high-risk stocks (South African gold mines,mainly, which were actually doing quite well in 1980), and when it folded he had to file SEC complaints and sue them in Federal court to get them to distribute the stocks to their creditors instead of distributing stock in a worthless subsidiary company that it had formed to take over the assets. He was successful, so he lost a lot less than he could have, but being a hard-money paranoid isn't all it's cracked up to be :-( Bill

1 0

Second epistle of Whit apostle to Congress
by whitfield.diffie＠Eng.Sun.COM 17 Jun '93

17 Jun '93

Here is what I told Markey's telecommunications committee last Wednesday about the business impact of key escrot. What follows has been corrected for a major error for which I apologize to CPSR. I had carelessly cited EFF as the extractor of some documents under FOIA. It also makes some minor corrections; the changes are shown at the end. Whit TESTIMONY BEFORE THE HOUSE SUBCOMMITTEE ON TELECOMMUNICATIONS AND FINANCE 9 June 1993 The Impact of Regulating Cryptography on the Computer and Communications Industries Whitfield Diffie Distinguished Engineer Sun Microsystems, Inc. I'd like to begin by expressing my thanks to Chairman Markey, the other members of the committee, and the committee staff for giving us the opportunity to appear before the committee and express our views. We stand at a moment in history when an amazing coincidence of developments in technology and world politics is showing us opportunities in both business and personal life that no one could have anticipated. These developments rest on two closely related cornerstones: communication and internationalism. Business today is characterized by an unprecedented freedom and volume of travel by both people and goods. It is an era of rapid inexpensive transportation coupled with declining trade barriers. All this movement is made possible, however, by the reality of instant telecommunication between places thousands of miles apart, conveying voices, images, and data wherever they are needed. Ease of communication, both physical and electronic, has ushered in an era of international markets and multinational corporations. No country is large enough that its industries can concentrate on the domestic market to the exclusion of all others. When foreign sales rival or exceed domestic ones, the structure of the corporation follows suit with new divisions placed in proximity to markets, materials, or labor. The result is a world in which much of the population enjoys a standard of material wealth and freedom of action previously unknown. It is also a world in which no company, community, or country can afford not to compete in the global market. Security of communication and computing is essential to this telecommunication driven environment. The communication system must ensure that orders for goods and services are genuine, guarantee that payments are credited to the proper accounts, and protect the privacy of business plans and personal information. In the past, these diverse assurances have been provided by an ad hoc patchwork that has evolved slowly over the century and a half since the invention of the telegraph, but two factors are now making that patchwork obsolete. The first is the rise in importance of intellectual property. Much of what is now bought and sold is information that varies from computer programs to surveys of customer buying habits. Information security has become an end in itself rather than just a means for insuring the security of people and property. The second is the universal demand for mobility in communications. Traveling corporate computer users sit down at workstations they have never seen before and expect the same environment that is on the desks in their offices. They carry cellular telephones and communicate constantly by radio. They haul out portable PCs and dial their home computers from locations around the globe. With each such action they expose their information to threats of eavesdropping and falsification barely known a decade ago. It is the lack of security for these increasingly common activities that we encounter when we hear that most cellular telephone calls in major metropolitan areas are overheard or even recorded by eavesdroppers with scanners; that a new computer virus is destroying data on the disks of PCs; or that industrial spies have broken into a database half a world away. In this troubling scenario, however, there is a large ray of hope. Most of the technology to provide the needed protection is already available in the form of contemporary cryptography and its allied disciplines. Some of it has existed for nearly fifty years; some dates from the last five. It isn't in widespread use, but it does exist. Why then are proper security measures not incorporated in every cell phone, laptop, and workstation? Part of the answer is economic. Collecting intelligence by spying on information is so hard to detect that most users are unaware that they are suffering from it and unwilling to pay to protect themselves. Another lies in a unique problem of implementing security standards: security mechanisms are designed to block access to everyone who does not conform exactly to their demands. This makes them very unforgiving of that flexibility at the margins that makes much of standardization possible. Compounding these internal difficulties is one that is entirely external: a regulatory structure that goes back to the cold war and does not recognize the realities of the present situation. In the United States, export control has been the major barrier. Companies are deterred from building proper security mechanisms into their products because to do so will limit their exports and subject them to tedious administrative procedures required to comply with the law. The alternatives are to support two versions of each product, one for domestic use and one for export or to dilute the security measures in all products to a level whose export the government permits. At Sun Microsystems, approximately half our customers are outside the United States. Were we to build a workstation and an operating system embodying the best security we know how to provide and the security that we believe is needed, we would not be permitted to export them. This would present us with insuperable problems in maintaining distinct but somehow compatible domestic and foreign product lines. Not least of the consequences is that we are unable to provide security features that elements of the U.S. Government would like in the systems they buy, because that market does not come close to making up for the one we would have to forgo. I believe we are typical of computer companies in these respects. Digital Equipment after having made some outstanding contributions to network security, appears to have abandoned its lead in the field. Export issues were cited when it discontinued development of an operating system designed to achieve an National Computer Security Center A1 rating some five years back and I suspect they may have played a role in its larger retreat from security as well. We have also suffered from the government's failure to take the lead in championing security standards, both domestic and international. The first proposed federal standard in the area of public key cryptography has appeared only after such techniques had been employed for more than a decade and does not conform to the conventional practice that has evolved both in the U.S. and abroad. Some have even suggested that the government has actively worked to block standardization citing the United States failure to vote for its own national cryptographic standard (DES) in the International Standards Organization and material on the working relationship between NIST and NSA recently released to the Computer Professionals for Social Responsibility under the Freedom of Information Act. Now we are faced with the greatest challenge to our ability to secure the personal and business communications of the modern world that we have yet encountered. The administration proposes to adopt as a federal standard a system that is not only secret, but incorporates provisions for the government secretly to decode any person's communications when it deems this necessary for law enforcement or national security purposes. The effect is very much like that of the little keyhole in the back of the combination locks used on the lockers of school children. The children open the locks with the combinations, which is supposed to keep the other children out, but the teachers can always look in the lockers by using the key. The stated objective is to require the use of equipment based on these new `key escrow' chips for certain communications within the government and between the government and business. If they are successful in their objective, the latter provision could force the inclusion of these chips in all devices used, for example, to communicate with the government about contracts or taxes. What would be the effect of such broad inclusion? We have been assured by NIST that the finished chips, once their key escrow provisions have been programmed, will be available without restriction for incorporation in any piece of domestic equipment, but it is hard to see how either the security or wiretap objectives could be achieved if this were the case. It appears more likely that key escrow chips will be available only to companies that agree to employ them in approved ways. Probably this will be done by using existing regulatory machinery (called the Type II Commercial COMSEC Endorsement Program) that requires the manufacturers to submit their designs to NSA for approval. Were this to happen, the nation's computer manufacturers would be trapped in a regulatory web more confining than any we have seen so far. If we at Sun were required by customers' needs to communicate with the government to put the key escrow chip on the mother board of our machine and by regulations to have the board design approved, the government would have effective control of our development cycle. One of the requirements that would likely be imposed in these circumstances would be that we not offer any other security mechanisms that could be used to defeat the escrow provisions. This would mean we could not even maintain compatibility with our existing product line. It seems especially unlikely that customer acceptance of a chip explicitly designed to provide only partial security could ever be achieved other than by the coercive force of regulations. Nor does it seem likely that a system to which the U.S. held the keys would ever be accepted by more than a handful of other countries. They do not need it to achieve security, because an understanding of cryptography is now global and developing rapidly. Faced with a choice between secret U.S. technology known to embody a compromise and foreign systems of published function that at least claim not to, customer response seems hardly in doubt. The result may give the government a devastating choice: accept the import of foreign technology, losing both market share and the new law enforcement capability or forbid the import of foreign cryptographic systems altogether. In the latter case, the U.S., currently a leader in computers and software, seems likely to become a backwater, cut off from one of the most profitable segments of the global economy. Another problem presented by the key escrow technology is cost. No matter how essential it may be, security is still difficult to sell and extremely price sensitive. To require that cryptography not merely be isolated in hardware (by and large a good security practice) but that that hardware be a tamper resistant chip entirely dedicated to one security function will push the prices of many products and features beyond the reach of their potential markets. Cryptography can perfectly safely be embodied in microcode, implemented in cells incorporated in multi-function chips, or programmed on dedicated, but standard, microcontrollers at a tiny fraction of the tens of dollars per chip that Clipper is predicted to cost. The effect of giving the government and one or a small number of companies a monopoly control over an essential technology is also troubling to contemplate. The present key escrow chips operate in the megabit range. Can companies depend on NSA to have hundred megabit or gigabit chips available just when they are needed or might U.S. companies miss critical market windows while they wait for delivery of parts over which they have no control? Will there come a time, as occurred with DES, when NSA wants the standard changed even though industry still finds it adequate for many applications? If that occurs will industry have any recourse but to do what it is told? And if this happens who will pay for the conversion? Last month, before another committee of Congress, I discussed at some length the impact that the key escrow proposal could have on personal freedom, concluding that if it is adopted, we will take a big step toward a world in which the right of private conversation belongs only to those rich enough to travel to face to face meetings. Rather than repeat those arguments, I have attached my earlier testimony as an appendix and focus here on a few essential points. It is clear that the costs of key escrow will be monumental whether measured in dollars spent for computers, squandered business opportunities, or lost liberties. Even if these costs are accepted, there remain two questions: can the law enforcement function be achieved, and is it even necessary? In a world in which cryptographic expertise is widespread and cryptography is readily implemented on small processors, rules seem no more likely to keep security out of the hands of criminals than export controls guarantee it will not be available to hostile nations. This, however, may not matter. Despite the concern of law enforcement that advancing technology will reduce the effectiveness of wiretaps, that technology has been at least as much a blessing to the police as a curse. Even ignoring the contribution of police communication systems and databases, modern telephone switches make wiretaps more effective by supplying caller ID in real time under many circumstances. In a world in which conspiracies were conducted via conference calls on secure phones, criminals could never be sure that one of the participants was not an informer recording everything in high fidelity without the risk of being caught wearing a body wire. Corrections to First Version Given to Congress line 89 unaware of that ==> unaware that line 137 Electronic Frontiers Foundation ==> Computer Professionals for Social Responsibility line 181 design cycle ==> development cycle line 213 implemented in dedicated ==> programmed on dedicated

1 0

Need consulting work
by Philip Zimmermann 17 Jun '93

17 Jun '93

Hello Cypherpunks. I'm looking for some more consulting work in data security. Anyone have any leads? You can respond by email or phone. Thanks. -Philip Zimmermann 303 541-0140

1 0

Re: yaa (yet another arti
by M..Stirner＠f28.n125.z1.FIDONET.ORG 17 Jun '93

17 Jun '93

> Another wiretap enabled authorities to thwart Chicago's "El Rukns > street gang" from a Libyan government-sponsored attempt to shoot > down a U.S. commercial airliner with a military weapons system. Uu> They find these all the time through other mechanisms. This episode was hilarious. An imprisoned El Rukun was conducting gang business via jailhouse payphone. One chuckly FBI agent was "decoding" the simple slang-code by which the goons communicated. After _three months_ he figured out enough of the code to bring an indictment. Some of the more amusing of these sophisticated subterfuges: Peanut = Jimmy Carter Hollywood = Ronald Reagan Roman = Policeman Change = Kill Our Friend = Qadaffi Long Demonstration = Shotgun It's interesting to note the length of time required for this "plaintext" to be decoded in an urgent matter of national security. . ~ . M. ********************************************************************* * <m..stirner(a)f28.n125.z1.fidonet.org> - PGP Key D30909 via servers * * > What country can preserve its liberties if its rulers are not <* * > warned from time to time that their people preserve the spirit <* * > of resistance? Let them take arms!" - Thomas Jefferson, 1787 <* ********************************************************************* ___ Blue Wave/QWK v2.12 -- M. Stirner - via FidoNet node 1:125/1 UUCP: ...!uunet!kumr!shelter!28!M..Stirner INTERNET: M..Stirner(a)f28.n125.z1.FIDONET.ORG

1 0