CDR: Re: Lions and Tigers and Backdoors, oh, my...
From the article...
Until recently the US government strictly controlled the strength of cryptography in software exported to different countries, in order to protect the government's ability to access and monitor communications data. The regulations were relaxed after pressure from industry but Madison believes that this may have driven the NSA to find ways to carry out surveillance. "They're not going to give in over exporting strong cryptography without getting something in return," he says.

I can't believe that they would voluntarily enter a period of weakened capabilities. My guess would be that he has the event ordering wrong. More likely the security types had alternatives in place and this, along with the easy flow of crypto code over the borders, meant that relaxing the crypto regulations would not alter the landscape. It might even appease some of the privacy activists.

Keep your eye on the birdie. I'm still waiting for RIP-USA to rear its ugly mug.

Mike
At 3:46 PM -0700 on 9/26/00, Michael Motyka wrote:
I'm still waiting for RIP-USA to rear its ugly mug.
I think, if they do that, they kill internet commerce.

Cheers,
RAH

--
-----------------
R. A. Hettinga <mailto: rah@ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
On Tue, 26 Sep 2000, Michael Motyka wrote:
From the article...
Until recently the US government strictly controlled the strength of cryptography in software exported to different countries, in order to protect the government's ability to access and monitor communications data. The regulations were relaxed after pressure from industry but Madison believes that this may have driven the NSA to find ways to carry out surveillance. "They're not going to give in over exporting strong cryptography without getting something in return," he says.
I can't believe that they would voluntarily enter a period of weakened capabilities. My guess would be that he has the event ordering wrong.
Nope, he's got it right. There used to be, officially, a 40-bit key length limit on exportable software. This made American software products with any crypto capacity ridiculously weak, to the point where anyone concerned about security would not use it -- the software industry was losing to foreign competition, and the quality of the intercepts was going down because everybody was wise to it and nobody who mattered to them was using it anymore.

New policy: The BXA approves export licenses for people who put all but the last 40 bits of the key in the headers or trailers somewhere, encrypted under a key that the NSA doubtless knows. Not that this is noised about too much. Feature AOL saying "yes, we broke the encryption in Netscape starting after version 4.07..." not bloody likely.

After a little security skirmish with my (now Ex)Bank, I discovered this about Netscape and Internet Explorer; both have "help fields" in their headers that facilitate cryptanalysis of SSL connections if you have the key to the help field. As far as I know, the same is true of all software that has BXA approval for downloadable status. At least (name deleted -- a friend who works at netscape) confirmed that they couldn't get BXA approval for export, OR get anyone at BXA to tell them why not, except for vague wailing about "security considerations" until someone finally offered to put in a "help field".

Anyway; people concerned about security from ordinary thieves can now be reassured because only the US gov't gets the juicy bits, and the Uber-thieves at the US gov't are reassured because they are getting the juicy bits again now that most people think US products have "strong" crypto.

Don't get me started on this; I get so mad I can't see straight.

Keywords to search by: "Help field" (in quotes), PKI, NSA, "40 bits" "Netscape" -- It's out there, mostly in smarmy self-congratulatory tones about how "We are pleased to announce that Netscape is working with us and will be in compliance with the Public-Key Infrastructure" by (Date -- I forget the date, but it coincides with the release of Netscape 4.5).

Ray
On Tue, 26 Sep 2000, Ray Dillinger wrote:
After a little security skirmish with my (now Ex)Bank, I discovered this about Netscape and Internet Explorer; both have "help fields" in their headers that facilitate cryptanalysis of SSL connections if you have the key to the help field.
Really? This is not just a cattle-mutilation-kinda rumor? If such help fields exist, what is the kind of crypto used on them? If it's symmetric, somebody's going to have a highly satisfactory debugging session, soon...

Sampo Syreeni <decoy@iki.fi>, aka decoy, student/math/Helsinki university
On Wed, 27 Sep 2000, Sampo A Syreeni wrote:
On Tue, 26 Sep 2000, Ray Dillinger wrote:
After a little security skirmish with my (now Ex)Bank, I discovered this about Netscape and Internet Explorer; both have "help fields" in their headers that facilitate cryptanalysis of SSL connections if you have the key to the help field.
Really? This is not just a cattle-mutilation-kinda rumor? If such help fields exist, what is the kind of crypto used on them? If it's symmetric, somebody's going to have a highly satisfactory debugging session, soon...
Don't know what kind of crypto is used for them. I do suggest you have that debugging session, but I'd be surprised if the crypto is actually symmetric.

Bear
Ray Dillinger <bear@sonic.net> sez:
After a little security skirmish with my (now Ex)Bank, I discovered this about Netscape and Internet Explorer; both have "help fields" in their headers that facilitate cryptanalysis of SSL connections if you have the key to the help field.
I wonder if this is also true of international versions of Netscape products that have been "fortified" (www.fortify.net)?

-- Bob
Keywords to search by: "Help field" (in quotes), PKI, NSA, "40 bits" "Netscape" -- It's out there, mostly in smarmy self-congratulatory tones about how "We are pleased to announce that Netscape is working with us and will be in compliance with the Public-Key Infrastructure" by (Date -- I forget the date, but it coincides with the release of Netscape 4.5).
From Google: Your search - "Help field" PKI NSA "40 bits" Netscape - did not match any documents.

And AltaVista search (putting in the ands for "advanced" search) returned similar results.

--
A quote from Petro's Archives:
**********************************************
Sometimes it is said that man can not be trusted with the government of himself. Can he, then, be trusted with the government of others? Or have we found angels in the forms of kings to govern him? Let history answer this question. -- Thomas Jefferson, 1st Inaugural
participants (6)
- Michael Motyka
- petro
- R. A. Hettinga
- Ray Dillinger
- rp@null.net
- Sampo A Syreeni