Recent discussion about Apple's commitment (or lack thereof) to providing anything like real privacy calls to mind some stuff from MacWeek of several weeks ago; the 7/12/93 issue of MacWeek includes a "special report" on AOCE (Apple Open Collaborative Environment, a "groupware" (anyone have any better explanation?) setup which facilitates sharing data between colleagues. The "special report" includes two sidebars about encryption and security in the AOCE environment, which I reproduce below. I called and asked about permission to reprint the entire article to the list but was unable to get past marketroids who wanted me to pay $50 + copying costs (payable to them) for my 4-color glossy reprints showcasing my product. (don't have one, dammit.) Some folks still don't "get" the net. Sigh. I found the idea that RSADSI will be generating folks' key pairs particularly chilling. The article accompanying these sidebars suggests that folks' private keys will be stored on the server; the article made the security of the thing sound *so* poorly designed that I figure it must be the result of miscommunication between the Apple folks and the article's author (Mitch Radcliffe). If anyone really cares I can see about posting some more of the article. --- "Apple could have the toughest code on the block" The Cold War mind-set in Washington, D.C., thawed a bit when Apple gained permission from the U.S. government to ship AOCE outside the United States while retaining the software's advanced encryption features. Encryption technology is considered munitions by the national defense apparatus. For many years, the Department of Commerce, in collaboration with the National Security Agency, has limited encryption technology exports. But the strict limits on cryptography seem to be eroding after the fall of the Soviet Union. According to sources, the RC-4 encryption in AOCE was approved under a special agreement between Apple and the NSA that will allow slightly more-powerful scrambling capabilities than are typically given export clearance. The NSA recently signed an agreement with the Software Publishers Association that will provide expedited approval of RC-4 encryption based on 40-bit keys. AOCE uses 64-bit keys, and larger keys mean better security. "Protection can be at many levels," Gursharan Sidhu, Apple technical director of collaboration systems development, told attendees at the Apple Worldwide Developers Conference in May. He said it's very easy to protect against casual intrusion and even determined hackers. But a resource-rich intruder with access to supercomputers can defeat many encryption technologies. "You've got to look at these various dimensions of how far you want to go in providing security," Sidhu said. Apple's security is among the best available, he said. The company fought for several years to win approval for AOCE's privacy and security technologies. "In the world of commercial security, it's a matter of saying it is secure within the parameters of commercial reality," Sidhu said. Sources said it would take a supercomputer-equipped intruder from two hours to six days to crack a 64-bit RC-4 key using a brute-force attack that analyzed the encrypted data for hints about the key. Even if such an intruder cracked the key for one network session, each successive session would have to be recracked because it would have a different key. Apple will be constrained from selling AOCE in countries on the State Department's list of terrorist nations. And the company will sell a version of AOCE without encryption functions in France, because the French government requires access to all imported encryption technology. In the United States, the barriers against encryption export seem to be falling. In May, the Computer System Security and Privacy Advisory Board of the National Institute of Standards and Technology, the Department of Commerce agency that monitors civilian encryption technologies, issued resolutions that recommend the United States revise its export laws to facilitate the spread of encryption technologies. "I think the NIST resolutions are a good indication that the Department of Commerce is trying to make it clear to the White House that these policies are backward," said Marc Rotenberg, director of the Washington, D.C., office of Computer Professionals for Social Responsibility. "If they don't change, they'll still be making policy for the 1950's." - by Mitch Ratcliffe --------- "Behind it all, digital signatures" If the messaging engine is the workhorse of AOCE, the digital signature capability is the electronic Paul Revere that carries the important information. A digital signature is an electronic analogy to the written signature, and no two are alike. The result of complex cryptographic processes, a digital signature can prove that a particular user "signed" a particular document. Users sign a document by clicking a check box in the AOCE mailer. The legal force of such signatures has not been determined, but Apple believes they are sufficiently reliable for building audit trails through a company or even between companies. Users will have to apply for and recieve their digital signatures from RSA Data Security Inc. of Redwood City, Calif., which developed the technology. The signature arrives in two parts, a private key that the user must keep secure and a public key that can be distributed freely. Any document signed using the private key can be compared with the user's public key to see if the document is authentic and unchanged. Public keys can be handed out by a user or stored in a key database, where users can go to get keys that have been verified by a third party. For example, a bank might keep the list of public keys that can be used by a customer's company for signing purchase orders. Developers, such as Snow Development Corp. of Clearwater, Fla., and Shana Corp. of Edmonton, Alberta, plan to use AOCE digital signatures in report-routing and forms software. The applications will let a user create a flowchart of colleagues who need to sign off on a document, send the document to that list serially or in parallel, and collect all the digital signatures for auditing purposes in the final document. -- by Mitch Ratcliffe -- Greg Broiles greg@goldenbear.com Golden Bear Computer Consulting +1 503 342 7982 Box 12005 Eugene OR 97440 BBS: +1 503 687 7764