Passwords, passphrases, etc.
Cypherpunks:

The evolution of the discussion here regarding passwords or passphrases is a telling indicator, and one which people here should think about, because you are reinventing the NSA.

You start with a desire for privacy/secrecy, and so you create a package as a functional cryptosystem. The requirements of the cryptosystem, however, make memorization of the cryptographic key non-trivial (and nobody here suggests offline storage, as the NSA primarily uses); this causes you to use an access control mechanism that protects the key on a local basis. This then makes you think about armoured operating systems, physical security of the site, biometric security, signals emission, coercion methods, etc.

It is a capsule history of the enemy, and I hope it helps you understand what created them; the major difference was that they had an available budget and potent adversaries. Imagine the cypherpunks sitting around and attacking their own system and others (Clipper, for instance), getting paid to write code, build hardware, whatever necessary to attack/defend, and with operational support and infrastructure. Quite educational, isn't it?

Another brief observation you might want to think about in regards to the implications; the data in the public domain for cryptanalysis tends to be based primarily in the English language (frequency tables, dictionary attacks, etc.). Isn't it striking that so little of similar data has leaked out for what one can assume were the real targets--Russian, Arabic, German, etc.? Seems to be quite an effort to attack English-based systems. There also seems to be an unusual silence on what one would consider to be important cryptanalysis data--if you were NSA, wouldn't you be certain to suppress data that helped your adversary? Just food for thought. Is this a true emphasis or a Potemkin village?

One benefit of being multilingual; all access codes that I need to remember are obscure phrases in little known dialects. I imagine they would look like gibberish to the uninitiated.

Michael Wilson
Managing Director, The Nemesis Group

[I hope that the record of purchases made through the Maryland Procurement group are making their way from systems such as Mead Data and into private systems for analysis; warning, access of such data is expensive.]
I didn't comment before on Michael Wilson's revelations about the Maryland Procurement Office (and how it revealed NSA purchases). But I will now. He writes:
Michael Wilson Managing Director, The Nemesis Group
[I hope that the record of purchases made through the Maryland Procurement group are making their way from systems such as Mead Data and into private systems for analysis; warning, access of such data is expensive.]
Actually, there are much cheaper ways to get even more accurate data. Gunter Ahrendt has been the compiler of a list of supercomputer sites, a list which he publishes weekly in comp.sys.super. (I haven't seen it recently, so it may be dormant for the summer.)

Here's an excerpt for the NSA and CSS:

2) 83.73 - (02-JUN-1993) [NSA] National Security Agency,California,US
   1) 3 * Cray C916-512 83.73

3) 69.79 - (22-JUL-1993) [CSS] National Computing Security Center,Central Security Service,National Security Agency Headquarters,Fort George G Meade,Maryland,US, postmaster@ftmeade-eas.army.mil
   1) TMC CM-5/512 ~35.04 {linearly scaled from a 64CPU unit}
   2) 5 * Cray Y-MP/8-256 34.75

etc.

I don't discount the possibility that NSA, CSS, NRO, etc. try to hide some of their purchases--certainly in budgets, if not physically. But in general they have little to gain by hiding the fact that they have, for example, 8 Connection Machines. After all, Thinking Machines knows (purchase, service), and word gets out. Ahrendt has had good accuracy.

In any case, the number of supercomputers the NSA and its related affiliate agencies have is not too worrisome to me.

--Tim May

--
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^859433 | Public Key: PGP and MailSafe available.
"National borders are just speed bumps on the information superhighway."
Michael Wilson <0005514706@mcimail.com> writes: Another brief observation you might want to think about in regards to the implications; the data in the public domain for cryptanalysis tends to be based primarily in the English language (frequency tables, dictionary attacks, etc.). Isn't it striking that so little of similar data has leaked out for what one can assume were the real targets--Russian, Arabic, German, etc.? Seems to be quite an effort to attack English-based systems. There also seems to be an unusual
Pedagogy rather than conspiracy -- you're reading the wrong books. It's easier to explain stuff to people in a language they understand, so they can do the right things with guessing the middles of words and phrases, extending key or plaintext islands, and so on.

Try Kullback's "Statistical Methods in Cryptanalysis", which does literary and telegraphic English, as well as frequencies for French, German, Italian, Japanese, Portuguese, Russian and Spanish; and digraphs for Czech, French, German, Italian (military), Japanese, Polish, Spanish, and Swedish. Sacco's "Manual of Cryptography" also has various languages, and Givierge concentrates on French (as you might expect). Military Cryptanalytics part I vol 2 (Friedman and Callimahos) has lots of foreign language and English stats: German, French, Italian, Spanish, Portuguese, and Russian. The stats in Military Cryptanalytics Part III (the declassified parts) include 24 languages.

All but the last are available from Aegean Park Press, P.O. Box 2837, Laguna Hills CA 92654-0837, (714)586-8811.

Jim Gillogly
9 Afterlithe S.R. 1994, 23:16