"Internet.Privacy.Guaranteed (IPG)" writes:

...

CRE Transforms, trademark IPG, are the only acknowledged unbreakable method of so transforming digitized information. There are no passwords, encryption keys, or anything like that to conjure up, remember, and perhaps forget.

Neat trick, unless they're using biometrics, which doesn't appear to be the case :} It uses one time pads - yes - but true OTPs, not random number generators with a key like the POTP people. The mere fact that POTP sells the entire

Mon Mar 19,1996 Obviously you want to criticise without investigation. He who knows all, knows little, or nothing accoring to Einstein. On Mon, 19 Feb 1996 lmccarth@cs.umass.edu wrote: package, should tell you something. For long Messages, the basic kernel of our system is also a random number generator, but the source key, 5600 bits, is a true random one time pad generated from a hardware source.

From that 5600 bits, a combination of a prime number numbers, picked from a large random table, by 512 of the random bits, ie 64 large prime numbers, and the other random bits are used to generate the random numbers used. This in effect creates a humoungous cycled encryption wheel system, with over 10 to the 2300th power possibilities before repeats, similar to engima but more like the most secured electronic encryption systems used prior to the advent of computers.

[...]

...

Don't Waste your time !

I think they just said it best themselves, but I'll comment a bit more....

[...]

...

Every informed expert of the technology will confirm, without reservation, that the IPG system is not breakable, as many already have!

All under NDA, I suppose. Note that they don't even name an "informed expert of the technology"; at least the POTP people gave some names. We did refer people to Paul Leyland as you note in your next paragrapgh - Unlike PGP, and other RSA systems, DES, and even POTP, the PCX Nvelopes system is mathematically unbreakable - if you labor uner the delusion

[...]

...

A fully operational integrated multi-user system costs approximately $140.00 per user, ready to load and go, with thousands, or millions of Nvelopes and Nvelopeners. IPG also offers full turnkey leases at $15.00 per user, per network, per month, which includes all software, upgrades, administration, and unlimited Nvelopes and Nvelopeners.

As a reference to its unbreakability, we refer you to an article by Paul Leyland on Internet at:

http://dcs.ex.ac.uk/~aba/otp.html

Clearly they (claim to) offer some sort of system using One Time Pads. Notice the price quote of "$15.00 per user, per network, per month" including "unlimited Nvelopes and Nvelopeners". I suspect this means that they're basically selling chunks of (pseudo- ?)random data for as much as $15/person each month! I guess it's nice work if you can get it. At that price, one would hope that they're at least generating truly random bits from a hardware source. But their skimpy details on their proprietary processes don't inspire confidence.... Every message is encrypted with a separate Nvelope, and as indicated in our site, nver repeated. If the message is less than 5600 bits, it is a

You obviously are too informed - since you already know everything, perhaps there is nothing more for you to learn so you are right, don't waste you time, since you already know, But others, less informed, might discover that they do nnot know everything that the PGP protects your privacy be our guest. Ask yourself " Why are Freeh, Gore and all the others not screaming more than they are about RSA systems, DES systems and so forth? They are talking about interceting 1 in 100 messages n urban areas, are they doing it because they want to waste their time? true random one time pad, from hardware sources - if longer, the one time pad becomes a random number generator as partially explained previously. Each nvelope, hardware one time pad, an ADC LOB system, is used once and only once, the system absolutely precludes reuse. The $15.00 per moth keeps all users supplied with the necessary one time pads, which in the case of high volume business users might be a few hundred a day, a stock broker, anb accountant, auditor, an attorney or the like.

...

For more information visit our Web Site at:

http://www.netprivacy.com/ipg

In case you didn't get enough hyperbole from the press release, they have extra helpings on the Web. This site has numerous pages containing precious little real information. I found a few tidbits in unlikely places, though:

In http://www.netprivacy.com/ipg/mlmplan.html, which incidentally promises that they "can help you to make some big bucks through the PCX Nvelopes Multi - Level - Marketing Plan", it says:

...

With our manufacturing process it is relatively easy for us to manufacture a ready to go system, for 25 users, or for 2,500 users. All the user has to do is to prepare a DIR.LST, a Directory Listing of the users. We use that as the template and manufacture the system.

This is actually a little scary. According to one of their other web pages, the DIR.LST file is a numbered list of user names and email addresses. So it appears that a customer hands over a list of names and addresses, and IPG assigns a set of one-time pads (or something) to each pair of users on the list. (Holy combinatorial explosion.) And now IPG knows the one-time pads that will be used between any pair of email addresses on the list it has ! The EES is starting to look attractive by comparison.

Obviously you again already know everything, so there is no need to try to explain it to you, but others might be interested. As to combinatorial explosion, it really ius not as ad as people might think! A user does not jave to keep all the combinations, only the ones paired with, thus in a thousand user system, there is only a need for 999 paired Nvelope and Nvelopeners, and some of those will little usage. We keep 10 Nvelopes/Nvelopeners for each pair, 20 in duplex, and each is 700 bytes. Thus in a 1000 user system, about 7.2 MB would be required to handle all the one taime pads, a lot os space but not unmageable, As Nvelopes are used, they are replensihed accordingly to a heuristic algorithm built into the system.

...

It becomes a load and go installation at each of the user sites.

Gee, why are we all so worried about key management ? It's just a load and go installation at each of the user sites ! ;)

...

We will even prepare, or help prepare, the DIR.LST for users. > > While we have the software and manufacturing facility to do that quickly, it is not easily transportable, to say the least, and certain aspects of it, we consider highly proprietary.

"not easily transportable, to say the least" ??? Any ideas to what this might refer ? The combinatorial problem that you referred to previously, would indeed generate almost 500,000 pair sets, which we call packets. What is the best way to generate those 499,500 sets? 999 We can automatically generate

That is precisely why PCX Nvelopes is such an extraordinary system. That is the beauty of PCX Nvelopes, it lifts that burden from the user, eliminates it entirely. You may have worried about key management, but with our system, you will not have to do so in the future. The system itself, manages all the OTPs, you do not have to do anything but use the system. Key management is the problem with all existing systems, but it is no problem at all with the PCX Nvelopes system, as you would see if you looked at the system, instead, of talking about something when you have no idea at all of what it is about. The first set of keys must be sent by a secure source, US mail, FED EX, or whatever, but thereafter, all updates can be accomodated over Internet. them, and all the software that goes with them on 1000 sets of 6 diskettes each, each of which goes through a separte verification process, and certification process, larger systems are delivered in parts, two diskettes direct, and the others over internet.

OK, I saved (IMHO) the best for last. I suppose this could be taken as a claim about their proprietary, immobile RNG methods: (from http://www.netprivacy.com/ipg/comp.html)

...

How do we Achieve such High Standards? First Class Quality Control!

We achieve unusually high standards of excellence because of the manufacturing process. Over 30%, sometimes as high as 50% or more of our Nvelopes, Nvelopeners, are discarded because they cannot meet our rigid standards. Also our Nvelopes and Nvelopeners are subjected to a battery of performance tests to insure that when used, they will meet the high standards that you would expect.

Every onetime pad is subjected to analysis at the bit level, character level, couplet level, triplet level, and set level, 5600 bits. As you might, but probably do not know, all hardware generation of OTP's are irregular, otherwise they are not random. Thus at times, a hardware source, such as ADC LOB system, can generate nonrandom data, unless this is checked, it can destroyed the integrity of your system. At all levels, we check standard deviation, chi Square, Delta IC, and other statistical tests. Moreover, we check sets of packet, at the 2, 4, 8, 16, 32, 64, 128, 256, 512, 1024, 2048, 4096, 8192, 16384 etal. Our packets are random, and you can take that to the bank.

<sigh> It's a jungle out there....

-Lewis "You're always disappointed, nothing seems to keep you high -- drive your bargains, push your papers, win your medals, fuck your strangers; don't it leave you on the empty side ?" (Joni Mitchell, 1972)

<sigh> - Einstein - He who thinks that he knows everything, knows nothing.

On Tue, 20 Feb 1996 lmccarth@cs.umass.edu wrote:

IPG Sales writes:

...

Obviously you want to criticise without investigation. He who knows all, knows little, or nothing accoring to Einstein.

I apologize but I do believe that you prejudged it without bothering to inquire of us, or inquire further. We are now anxious to cooperate with cypherpunks and let them show us how silly the system is. We will cooperate fully, with minor but we believe accpeptableimitations and subject to reciprocation.

That's a rather disingenuous statement. I read your press release, and then I spent a while browsing through everything that seemed germane on your web pages. But my investigation of all the material you had presented to the world yielded very little in the way of hard facts about the security of the IPG system. I responded to what I'd been able to find.

Future technical investigations of IPG would be greatly aided if you placed on your web pages some of the technical details you have at last revealed here. I just checked your web pages again, and they still don't explain the actual workings of the system at all.

-Lewis "You're always disappointed, nothing seems to keep you high -- drive your bargains, push your papers, win your medals, fuck your strangers; don't it leave you on the empty side ?" (Joni Mitchell, 1972)

We will not post it to Internet, but we will provide it to the Cipherpunks, a large selected set choisen by Derek Atkins or his designee. Some men are as sure of their opinions as they are of what they know - Shakespeare.

-----BEGIN PGP SIGNED MESSAGE----- In article <199602200851.DAA02057@thor.cs.umass.edu>, lmccarth@cs.umass.edu wrote:

IPG Sales writes:

...

Thus at times, a hardware source, such as ADC LOB system, can generate nonrandom data, unless this is checked, it can destroyed the integrity of your system.

Could you explain what the acronyms "ADC" and "LOB" mean here ? I just tried a web search for the two together, and all I got was a page of UFO acronyms, and some astronomical acronyms (LOB = Lick Observatory Bulletin). Schneier discusses hardware RNG at length in Applied Cryptography, but he doesn't mention either acronym. I might guess that LOB = Low Order Bits.

I'd say that you're right, and I'd also guess myself that ADC stands for Analog-to-Digital Converter, so that an "ADC LOB system" is a hardware random number generator that looks at the lowest order (and therefore presumed noisy) bit of an analog-to-digital converter. ObCrypto: Would four years experience interpreting cryptic vanity plates while commuting on the Nimitz Freeway be a good qualification for an NSA cryptanalyst? Would that experience also qualify me as a traffic analyst? - -- Alan Bostick | "If I am to be held in contempt of court, Seeking opportunity to | your honor, it can only be because the court develop multimedia content. | has acted contemptibly!" Finger abostick@netcom.com for more info and PGP public key -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQB1AwUBMSn/a+VevBgtmhnpAQG14QMAmzKee6JNV+R5so+xsGN/bPtzmIdAUqES KB3CJaIEWvKD6PWUQ7/L+j+f8Ugr9ZrXHOscjjIge1zLdwtMnRmzNO/vpO6kI/aq loVXVhPvPwnlniO6FGF5QqddQ7fUn5gI =kfQZ -----END PGP SIGNATURE-----

On Mon, 19 Feb 1996, Adam Shostack wrote:

Since you're convinced that your system can stand scrutiny, why not post a URL for a paper describing the algorithims, key management, etc, of your system. What you've posted here is unparseable, with the exception of some nonsense, which parses to `We know enough to be dangerous.'

Adam

IPG Sales wrote:

| >From that 5600 bits, a combination of a prime number numbers, picked from | a large random table, by 512 of the random bits, ie 64 large prime | numbers, and the other random bits are used to generate the random numbers | used. This in effect creates a humoungous cycled encryption wheel | system, with over 10 to the 2300th power possibilities before repeats, | similar to engima but more like the most secured electronic encryption | systems used prior to the advent of computers.

| <sigh> - Einstein - He who thinks that he knows everything, knows | nothing. |

-- "It is seldom that liberty of any kind is lost all at once." -Hume

We are not currently revealing all the details of our system because of patents in process, and other relat6ed matters. We are offering the software. You should be able to readily decompile it and determine the algorithms used andf how they are used to generate random number sequences for very long files. For short messages, a true OTP is used directly. If you are aware of encrtypting technology, you recognize that hardware prime number cycle wheels for the basis of some of the most secured hardware systems employed for encryption. We simply expand that technogy using software to set an intial setting, an adder, and a limit for 64 such wheels, using large random prime numbers for each of those settings. The total number of possibilities is over 10 to the 1690th power and can be much larger. Thus we can eliminate the need to have the length of the OTP to be equal to the length of the file - if you do not belive that it works, try it and see - it takes inly a few hours to set such a trial up. We generated over 790 gigabytes of charcaters, on multiple backups, and tested. Our standard deviations, chi squares, Delta ICs for bits, characters, sets, and the entire set were random. The sets are random, and you can take that to the bank. Someone, will decompile it and discover that it is truly random, at least from the practical usage basis. But we need that time to file patents, cvopyrights and the like. The IPG system solves the key management problem and produces a truly unbreakabkle system. We make no apologies for not currently revealing all of the methodologies andf algorithms, but they will be revealed with time, by us or others, and you will discover that it is indeed a simple, easy to use, easy to install, truly unbreakable system. "Unless we know, we do not experience by talking," Plato

On Mon, 19 Feb 1996, Perry E. Metzger wrote:

> 
> IPG Sales writes:
> > We are not currently revealing all the details of our system because of 
> > patents in process,
> 
> Bull. Once you have applied for the patent you no longer need be
> secret -- indeed, you can still apply for a patent up to one year
> after full publication.
True, but we are not sure what is going to be covered by patents, 
obviously you must know that wemay have to treat some of the information, 
maybe all of the really iomportant stuff as trad secret material and try 
our best to protect it inm that manner - we cannot depend upon the 
paatents until we know what is going to be covered, if anything - so bull
back to you.

> 
> > We are offering the software. You should be able to readily
> > decompile it and determine the algorithms used andf how they are
> > used to generate random number sequences for very long files.
> 
> Something tells me it wouldn't be worth my while. Until you guys get a
> clue, none of my clients on Wall Street or elsewhere are coming within
> a mile of your products. I won't even waste my time looking at them.
> 
In time they will, because keymanagem,ent makes RSA systems unmanageable 
for large organizations - offer such a suystem to Merrill Lynch and be 
laughed out of the office - only a syustem such as ours resolve that 
problem!


> > If you are aware of encrtypting technology, you recognize that hardware 
> > prime number cycle wheels for the basis of some of the most secured 
> > hardware systems employed for encryption.

Please refer to Dorthy Dennings excellent work on mathematical 
crytanalysis of wheeeled cryptosystems, and then imagine that every 
Nvelope, or suych wheeled system, was based on randomly selecting the 
prime number wheels, they do not have to be, but ours are - imagine that 
every message ever sent was sent using such an unique wheel system. 

> 
> The cypherpunks mailing list is composed of some of the most
> knowledgeable people in the field of cryptography in the
> world. Therefore, you will pardon my noting that the phrase "prime
> number cycle wheels" isn't a term any of us are familiar with. I don't
> find the term anywhere in any of the literature, I don't recall it,
> and if it was anything more than marketingese I would have. You do
> seem to know enough to know that prime numbers play a bit of a role in
> modern cryptography, but that seems to be it. They play very little
> role in non-public key systems like yours.

Are you sure that none of you are familiar with it? I have received many 
replies indicating that a large number of you are familiar with it, 
I refer you again to Denning's. Maybe you are not, but many are, 
apparently most from the replies that I am getting. Such systems are 
used at the highest level of government because they are the most secure 
systems available, excepting OTP's of course. 


> > We simply expand that technogy 
> > using software to set an intial setting, an adder, and a limit for 64 
> > such wheels, using large random prime numbers for each of those settings. 
> > The total number of possibilities is over 10 to the 1690th power and can 
> > be much larger. 
> 
> Spare us the bull. You don't get security in a crypto system from
> having impressive combinatorial explosions. A simple monoalphabetic
> substitution can claim to have 403291461126605635584000000 possible
> keys and you wouldn't trust your six year old cousin not to crack
> it. (the number would be far, far more impressive if I'd taken all
> ASCII characters instead of just the alphabet of 26 letters in to
> account).
Who in the world said it was monalpabetic substitution -  we are talking 
about the random sequences for a single message - A random prime number 
wheel system, provides a far more secure system that RSA based systesms, 
- check it out, and do some investigating instead of talking. > 
> > Someone, will decompile it and discover that it is truly random, at least 
> > from the practical usage basis.
> 
> "Truly random" and "for practical purposes" don't mix. If it isn't
> truly random, then the question is whether or not the thing is, in
> fact, a strong encryption system.
> 
> Time and time again, snake oil salesmen come up and delude themselves
> and others into thinking that they have some sort of great encryption
> system and time and time again it cracks open like an egg. You guys
> have all the stigmata.
> 
> > The IPG system solves the key management problem
> 
> Public key cryptography did that 20 years ago. Where have you been?
> 
> > and produces a truly unbreakabkle system.
> 
> The only system that is truly unbreakable is a true one time pad, not
> a fake one.
> 
> > We make no apologies for not currently revealing all 
> > of the methodologies and algorithms,
> 
> Too bad. You should be embarassed to even open your mouths. 

Not until we know what patent coverage is going to do and not to do.

> 
> Perry
> 

Perry, I will not waste anymore of your time, or mine - Since you seem to know everything about everything, there is no need in talking in circles - You may think that you know everything there is to know about encryption, but believe me, there is a lot more for you to learn - I do not now what KDC's are, I presume some sort o Key Delivery Codes. or Systems, but? I would like to find out though - send us some literature and we will send you a free demo system- that is the differece between you and us - we know very little and want to know more you know everythinh there is to know - and do not need to know anymore - Incidentally crypto wheel systems are stillemployed in 1996 at some of the highest levels of usage - some called then rotors at one time - they are still used because the produce non repeatable sequeces - the fact that ROMs are userd insteaed of rotors does not change the basic nature of such systems, they depend upon the generation of random, nonrepeatable sequences, which they can do, much faster and much more securely ythan RSA systems, I like RSA systems, they have application - but they are not the begin all and end all of encryption technology - good luck

Perry Yes you are quite right - time will tell and it is you that is wrong - as time will prove - it will be my pleasure to have you eventually choke on your castigating words - to castigate be sure that you are right, and in this case, you are wrong as time will tell - wait and see -!!!!!!

IPG Sales writes:

For short messages, a true OTP is used directly.

Quick question: does anybody at IPG know what the "O" in "OTP" stands for? ______c_____________________________________________________________________ Mike M Nally * Tiv^H^H^H IBM * Austin TX * I want more, I want more, m5@tivoli.com * m101@io.com * I want more, I want more ... <URL:http://www.io.com/~m101> *_______________________________