Devil's Advocate (again)
I notice the argument against "why do you need crypto... are you doing something ILLEGAL" is that the argument that "why don't you want a camera in your house... are you doing something ILLEGAL". This is good, but where in the Constitution does it say that people can have crypto not regulated by the Government? Would this be under the First Amendment of free speech? Again, I am playing Devil's Advocate here.
------------
To respond to the sender of this message, send mail to remailer@soda.berkeley.edu, starting your message with the following 8 lines:
::
Response-Key: ideaclipper
====Encrypted-Sender-Begin====
MI@```%IS^P;+]AB?X9TW6\8WR:"P&2%))6DK&_"'9H7Z#TP^%/-Q).;<[88Q
ME30D:-V2"G!=KV&$CCA?;+(6+E.#?2%P`0:V-J'.#NA:J^2@,\;GUI)DG5,O
%CR6`-HX`
====Encrypted-Sender-End====
Anonymous User says:
I notice the argument against "why do you need crypto... are you doing something ILLEGAL" is that the argument that "why don't you want a camera in your house... are you doing something ILLEGAL".
This is good, but where in the Constitution does it say that people can have crypto not regulated by the Government? Would this be under the First Amendment of free speech?
Again, I am playing Devil's Advocate here.
The first amendment is a good start. The fourth amendment protections against unreasonable search could be held to not require that everyone conduct all their business in such a way as to make search maximally easy. (The courts have already held, for instance, that you are under no obligation to keep your business records in English.) The ninth amendment, and the derived "right to privacy" ideas that culminated in Roe v. Wade, could also be invoked.
.pm
On Fri, 1 Jul 1994, Perry E. Metzger wrote:
The ninth amendment, and the derived "right to privacy" ideas that culminated in Roe v. Wade, could also be invoked.
.pm
Additionally, since properly executed crypto can only be breached by the application of torture to the key holder, the VIIIth Amendment's prohibition of cruel and unusual punishment may apply.
DCF
"Not to mention the IInd Amendment RKBA and in the case of the Digital Telephony Initiative the IIIrd Amendment's prohibition on quartering troops in private homes."
DCF wrote:
| Additionally, since properly executed crypto can only be breached by the
| application of torture to the key holder, The VIIIth Amendment's
| prohibition of cruel and unusual punishment may apply.
There are a number of good ways to breach modern cryptography without torture. They include:
Van Eck (Tempest) monitoring.
Sodium pentathol & its more modern cousins.
Bribery.
Blackmail.
Adam
--
Adam Shostack adam@bwh.harvard.edu
Politics. From the Greek "poly," meaning many, and ticks, a small, annoying bloodsucker.
There are a number of good ways to breach modern cryptography without torture. They include:
Van Eck (Tempest) monitoring. Sodium pentathol & its more modern cousins. Bribery. Blackmail.
Adam Shostack adam@bwh.harvard.edu
Much more likely:
* Diskettes left lying around. Secret keys on home computers.
* Incompletely erased files. (Norton Utilities can recover erased files; mil-grade multiple-pass erasure may be needed.)
A simple search warrant executed on your premises will usually crack open all your crypto secrets. (Fixes to this are left as an exercise.)
Where to store one's secret key is an issue that makes academic the issue of whether one's key can be compelled. A diskette stored at one's home, in one's briefcase, etc., can be gotten. A pendant or dongle or whatever that stores the key can also be gotten. The passphrase (8-12 characters, typically) is secure, but not the key.
--Tim May
--
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^859433 | Public Key: PGP and MailSafe available.
"National borders are just speed bumps on the information superhighway."
Excuse my ignorance of PGP, I am fairly new to using it, and thinking about its operation and source code. Is not your secret key stored encoded by the pass phrase, so that if the pass phrase is in your head, the secret key on disk is useless to an attacker? Of course, while PGP is running, after you have entered the pass phrase, the secret key is available within your machine, and could be stolen, and if your OS leaves pagefiles etc. around, might even be taken after you shut down PGP. Or am I missing something? Thanks, Andy
Excuse my ignorance of PGP, I am fairly new to using it, and thinking about its operation and source code. Is not your secret key stored encoded by the pass phrase, so that if the pass phrase is in your head, the secret key on disk is useless to an attacker? Of course, while PGP is running, after you have entered the pass phrase, the secret key is available within your machine, and could be stolen, and if your OS leaves pagefiles etc. around, might even be taken after you shut down PGP.
Or am I missing something? Thanks, Andy
I haven't seen a formal analysis of the strength of PGP if the secret key is known but the passphrase is still secure, but from conventional crypto we would assume that the search space would be greatly reduced.
My passphrase, for example, is 11 characters long. Other folks may use fewer characters. And many people pick passphrases of less total entropy (that is, more predictable). Fragments of names, phrases, etc.
The number of passphrase guesses that would have to be made depends on the characters used and the particular characters chosen. For example, if most people use 8 characters chosen from the 26 letters, in one case, then 26^8 = 2 x 10^11 possibilities. Increasing this to, say, 40 characters and a length of 10 implies 4 x 10^17 possibilities, which is almost out of reach for brute-force cracking. (But most passphrases picked by humans have lower entropy than this.)
Speculatively, knowing the passphrase-encrypted secret key may make it easier to crack RSA; this is just a speculation. It has not yet even been proven that RSA is as strong as factoring. I.e., we don't know for sure that the RSA information provided as part of the protocol doesn't in some way make the problem simpler than straight factoring of the modulus.
In short, these are reasons to keep your secret key secret. Your passphrase alone may be insufficient (else why not just dispense with the secret key and just have a passphrase?).
I haven't checked to see what Schneier or Zimmermann had to say about this, so maybe they have more information.
--Tim May
In list.cypherpunks, Mssr. tcmay@netcom.com (Timothy C. May):
In short, these are reasons to keep your secret key secret. Your passphrase alone may be insufficient (else why not just dispense with the secret key and just have a passphrase?).
Another reason for a secret key and passphrase... with a passphrase alone, you couldn't change it without changing the public key too. Since I stupidly typed my passphrase in the clear in front of someone once, I was very glad the phrase was changeable! :)
--
Roy M. Silvernail -- roy@sendai.cybrspc.mn.org
perl -e '$x = 1/20; print "Just my \$$x! (adjusted for inflation)\n"'
"What do you mean, you've never been to Alpha Centauri?" -- Prostetnic Vogon Jeltz
[good discussion of how the pass phrase is more guessable that the secret key deleted ]
In short, these are reasons to keep your secret key secret. Your passphrase alone may be insufficient (else why not just dispense with the secret key and just have a passphrase?).
Well, because the secret key is part of a <secret key, public key> pair, and is thus some un-rememberable number, rather than a hash of something rememberable.
Tim May writes:
Speculatively, knowing the passphrase-encrypted secret key may make it easier to crack RSA; this is just a speculation. It has not yet even been proven that RSA is as strong as factoring. I.e., we don't know for sure that the RSA information provided as part of the protocol doesn't in some way make the problem simpler than straight factoring of the modulus.
Here is a little-known fact. In fact, I had forgotten it myself until what Tim said reminded me. Your PGP secret key file is partially encrypted using IDEA keyed with the hash of your pass phrase. But some fields are left in the clear. In particular, the number of bits in p and q is left exposed, as is the number of bits in d, the decryption exponent.
Now, this is not really a big deal. Usually with a 1024-bit key p and q will both be 512 bits long, so knowing this for sure doesn't add that much information. And I don't think that knowing the exact number of bits in the factors will help with the factoring when the two factors are about the same size. Nevertheless it does represent an information leak that many people may not be aware exists.
One way an attacker might exploit this is as follows. Suppose he wants to do an exhaustive search of pass phrases. As Tim said, a lot of people may have ones which are easy to guess. How does he know when he's guessed correctly? The secret key has a checksum (in the clear). After decrypting all of d, p, q, and u, PGP accumulates a checksum as it does this and compares it with the checksum stored in the secret key. If they match, PGP (or the cracker) knows that he has used the right pass phrase. This requires decrypting all four of these numbers, a total of about 320 bytes.
But he can do a provisional check much faster by using the in-the-clear lengths. Just decrypting the first byte of each MP number allows you to see immediately what the bit length of the resulting MP value will be since they are stored in MSB form. For the most extreme case, suppose the length of p were one more than a multiple of 8, say 505 bits. Now we decrypt the first part of p and see if the first byte of the decryption is exactly 1. If not, we can know immediately that we have the wrong pass phrase and move on without doing any more IDEA operations. This will immediately reject 255 out of 256 wrong pass phrases.
I don't know how much of a speedup you would actually see from this; IDEA has a setup phase and you still have to run MD5 on each pass phrase. But possibly it could be significant. Hal Finney hfinney@shell.portal.com
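Two points in this thread fit in one small model: Roy's, that the passphrase merely wraps an un-rememberable secret key and so can be changed without touching the public key, and Hal's, that PGP 2.x leaves each MPI's bit count and the checksum in the clear, so one decrypted byte decides most wrong guesses. The Python below is an added example, not code from the thread or from PGP itself. It keeps PGP's MD5-of-passphrase step and MSB-first MPI layout, but the IDEA-CFB cipher is replaced by an MD5 counter stream, the checksum coverage is assumed, all function names are mine, and the key is a constructed toy built from the 17-bit and 16-bit primes 65537 and 65521 so the numbers stay readable.

```python
import hashlib

# Constructed toy key: 17-bit and 16-bit primes keep the numbers readable.
# A real PGP 2.x key had ~512-bit factors; the format handling is identical.
P_DEMO, Q_DEMO, E_DEMO = 65537, 65521, 11
D_DEMO = pow(E_DEMO, -1, (P_DEMO - 1) * (Q_DEMO - 1))  # d = e^-1 mod phi(n)
U_DEMO = pow(P_DEMO, -1, Q_DEMO)                       # u = p^-1 mod q, as PGP stores it


def mpi_encode(x):
    """PGP-style MPI: (2-byte big-endian bit count, value MSB-first, no leading zero byte)."""
    bits = x.bit_length()
    return bits.to_bytes(2, "big"), x.to_bytes((bits + 7) // 8, "big")


def keystream(passphrase, length):
    """Stand-in for PGP 2.x's IDEA-CFB keyed with MD5(passphrase): an MD5 counter
    stream (assumption; only the MD5-of-passphrase step is PGP's own)."""
    key = hashlib.md5(passphrase.encode()).digest()
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.md5(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def checksum16(data):
    """16-bit additive checksum over the plaintext bodies (exact coverage assumed)."""
    return sum(data) & 0xFFFF


def wrap_secret_key(d, p, q, u, passphrase):
    """Secret-key blob: per MPI the bit count stays in the clear and only the body
    is encrypted; the checksum is appended in the clear."""
    prefixes, bodies = zip(*(mpi_encode(x) for x in (d, p, q, u)))
    plain = b"".join(bodies)
    enc = xor(plain, keystream(passphrase, len(plain)))
    blob, off = bytearray(), 0
    for prefix, body in zip(prefixes, bodies):
        blob += prefix + enc[off:off + len(body)]
        off += len(body)
    return bytes(blob + checksum16(plain).to_bytes(2, "big"))


def parse_blob(blob):
    """(bit count, encrypted body) per MPI plus the stored checksum. Needs no
    passphrase: this is exactly what the clear fields give away."""
    fields, off = [], 0
    for _ in range(4):
        bits = int.from_bytes(blob[off:off + 2], "big")
        size = (bits + 7) // 8
        fields.append((bits, blob[off + 2:off + 2 + size]))
        off += 2 + size
    return fields, int.from_bytes(blob[off:off + 2], "big")


def unwrap_secret_key(blob, passphrase):
    """The full check: decrypt every body, then compare the checksum.
    Returns (d, p, q, u) or None."""
    fields, stored = parse_blob(blob)
    enc = b"".join(body for _, body in fields)
    plain = xor(enc, keystream(passphrase, len(enc)))
    if checksum16(plain) != stored:
        return None
    values, off = [], 0
    for _, body in fields:
        values.append(int.from_bytes(plain[off:off + len(body)], "big"))
        off += len(body)
    return tuple(values)


def rewrap(blob, old, new):
    """Change the passphrase. Only the wrapping changes; d, p, q, u and hence the
    public key (n, e) are untouched, which is Roy's point."""
    values = unwrap_secret_key(blob, old)
    if values is None:
        raise ValueError("wrong passphrase")
    return wrap_secret_key(*values, new)


def leaked_bit_lengths(blob):
    return [bits for bits, _ in parse_blob(blob)[0]]


def first_byte_consistent(blob, passphrase, index):
    """Hal's provisional test on MPI number `index`: decrypt its leading byte only
    and check that it occupies exactly the bits the clear count implies."""
    fields, _ = parse_blob(blob)
    off = sum(len(body) for _, body in fields[:index])
    bits, body = fields[index]
    first = body[0] ^ keystream(passphrase, off + 1)[off]
    return first.bit_length() == (bits - 1) % 8 + 1


def first_byte_reject_rate(blob, index, guesses):
    """Fraction of constructed wrong passphrases the leading byte alone rejects.
    For a bit count of 1 mod 8 that byte must be exactly 1: about 255 in 256."""
    wrong = ("guess-%d" % i for i in range(guesses))
    return sum(not first_byte_consistent(blob, g, index) for g in wrong) / guesses
```

With `blob = wrap_secret_key(D_DEMO, P_DEMO, Q_DEMO, U_DEMO, "correct horse")`, `leaked_bit_lengths(blob)` reads 17 and 16 for p and q without any passphrase, `rewrap` under a new phrase yields a different blob that unwraps to the same d, p, q, u, and `first_byte_reject_rate(blob, 1, 1000)` comes out near 0.996 because p's 17-bit count forces its leading byte to be 1. The general lesson for any wrapped-key format is the same as Hal's: plaintext structure stored next to ciphertext (lengths, checksums, framing) becomes a cheap rejection oracle for guessing, and the fix is to encrypt the structure too; RFC 4880 does this for V4 OpenPGP keys, which encrypt the MPI bit-count prefixes along with the bodies, while V3 keys keep the layout Hal describes.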
There are a number of good ways to breach modern cryptography without torture. They include:
Van Eck (Tempest) monitoring. Sodium pentathol & its more modern cousins.
I believe this is considered torture in the US.
Bribery. Blackmail.
Both of these are great but any evidence is inadmissible in court and therefore of no use to a prosecutor.
-- Adam Shostack adam@bwh.harvard.edu
Jim choate <ravage@bga.com>:
Both of these are great but any evidence is inadmissible in court and therefore of no use to a prosecutor.
"Your honor, we would like a (search warrant)(wiretap order)(arrest warrant) for XXX based on the following information we received from a confidential informant."
C'punks, Let's keep our eyes on the prize. Courts will do what courts will do. Maybe someone will shoot us up with sodium pentathal, maybe not. The real point of Cypherpunks is that it's better to use strong crypto than weak crypto or no crypto at all. Our use of crypto doesn't have to be totally bullet proof to be of value. Let *them* worry about the technicalities while we make sure they have to work harder and pay more for our encrypted info than they would if it were in plaintext. S a n d y
On Fri, 1 Jul 1994, Jim choate wrote:
There are a number of good ways to breach modern cryptography without torture. They include:
Van Eck (Tempest) monitoring. Sodium pentathol & its more modern cousins.
I believe this is considered torture in the US.
Bribery. Blackmail.
Both of these are great but any evidence is inadmissible in court and therefore of no use to a prosecutor.
Do you think the NSA cares either about the majority of US laws or the admissibility of evidence? If they want your key badly enough, they will get it, and in all probability will have no compunctions against any of those methods.
--------------------------------------------------------------------------
Michael Brandt Handler <grendel@netaxs.com>      Philadelphia, PA
<mh7p+@andrew.cmu.edu>                           Currently at CMU, Pittsburgh, PA
PGP v2.6 public key on request                   Boycott Canter & Siegel
<<NSA>> 1984: We're Behind Schedule
Do you think the NSA cares either about the majority of US laws or the admissibility of evidence? If they want your key badly enough, they will get it, and in all probability will have no compunctions against any of those methods.
-------------------------------------------------------------------------- Michael Brandt Handler <grendel@netaxs.com>
True, but then again the NSA does not have a history of using torture and violence against US citizens. They may be implicit in the sicking of other more rabidly violent agents but violence is not in their best interest. I am more worried about the local police department, state law agencies, and traditional federal law enforcement. These are the folks who spend the majority of their funding spending time watching individuals and their behaviour on a regular basis. I really doubt the NSA is able to monitor single individuals for long terms (the Puzzle Palace makes several references to their asking other agencies for assistance when this was needed because they didn't have the resources). I don't think this historical pattern is broken at this point.
C'punks, On Fri, 1 Jul 1994, Michael Handler wrote:
. . . Do you think the NSA cares either about the majority of US laws or the admissibility of evidence?
Actually, yes, for two reasons: First, they cannot overtly break the law. Other groups of thugs such as the FBI, the justice system, etc. will take umbrage if their turf is invaded. Second, though the NSA must have its share of evil people, they must also have their share of decent folks. Decent folks would include whistleblowers who could blow the cover of the NSA's bad folks. Hell, they might even use strong crypto routed through anonymous remailers!
If they want your key badly enough,
                      ^^^^^^^^^^^^
they will get it, and in all probability will have no compunctions against any of those methods.
All actions have costs. How badly do they have to want it to risk exposure to public/legal scrutiny? Even if they want it that much, must we assume they have no compunctions? Calm down. If the world were as lopsided as some of us seem to think, we would all be in jail or in the ground. Perceptions of powerlessness result in paralysis. Don't let the boogeyman keep you from writing code.
S a n d y
Additionally, since properly executed crypto can only be breached by the application of torture to the key holder, the VIIIth Amendment's prohibition of cruel and unusual punishment may apply.
How can sitting in a jail cell under a contempt of court charge for undetermined periods be considered cruel or unusual punishment? Would seem to me that if a person refuses to comply and reveal their keys they should expect some form of legal retribution. If a person were to sit there long enough I am sure they would crack if for no other reason than family pressure and the sure realization that their homes and other possessions will be repossessed or otherwise lost.
On Fri, 1 Jul 1994, Duncan Frissell wrote:
Additionally, since properly executed crypto can only be breached by the application of torture to the key holder, the VIIIth Amendment's prohibition of cruel and unusual punishment may apply.
This is not even slightly true. They can say that if you don't show them your tax status, they seize everything you have. This would require some random key. This doesn't involve torture, just tax.
Roger.
On Fri, 1 Jul 1994, Roger Bryner wrote:
This is not even slightly true. They can say that if you don't show them your tax status, they seize everything you have. This would require some random key. This doesn't involve torture, just tax.
Roger.
However, strong crypto can protect "everything you have" or at least cash and securities behind unbreachable walls. Likewise it can protect ownership structures so that you can even control physical assets without governments being able to seize them.
DCF
The 1st amendment guarantees freedom of speech. This includes the right to speak in any "language" you want. Cryptography is a way of changing the "language" of a text or binary file so that only the intended recipient is able to understand it. Hence, cyphertext is protected by the 1st amendment. Whether this will hold up in court....
participants (14):
Adam Shostack
Andrew Purshottam
Anonymous User
Duncan Frissell
Hal
Jim choate
Michael Handler
Perry E. Metzger
pstemari@bismark.cbis.com
rarachel@prism.poly.edu
Roger Bryner
roy@sendai.cybrspc.mn.org
Sandy Sandfort
tcmay@netcom.com