RE: RE: Binding cryptography - a fraud-detectible alternative to

At 11:48 AM 10/13/96 +0000, everheul@mail.rijnhaave.nl wrote:
To explain the background of "binding cryptography" once more; with respect to (interoperable, worldwide) security in the information society, societies/governments have to achieve two tasks: 1. stimulating the establishment of a security structure that protects their citizens, but which does not aid criminals.
I think this is a phony distinction. Practically every product sold today could arguably "aid criminals." It isn't possible to prevent this. And that's the problem with your thinking above: If government argued that it had the authority to regulate any product that, arguably, "aided criminals," then it would automatically be able to regulate anything.
2. Coping with the use of encryption by criminals outside of this framework.
An inherent problem with these tasks is that different societies/governments have different views on the matter.
Given that item we just read about Burma illegalizing the non-authorized use of fax machines and modems, that is a vast understatement!
So to achieve the first task you'll need a concept behind the security structure that is flexible enough to incorporate *any* crypto policy, i.e. from liberal (Japan) to non-liberal (France).
Just a second! Why should technology bow to government policy? Until now, the microcomputer industry has pretty much developed and sold products without much or any (?) regard for what governmental policy would desire. In fact, it isn't even clear that governments have had much opinion about the direction that the microcomputer markets should go. Why should we start adjusting business policies and product capabilities in a way which is hostile to customers, just because the government wants this?
We believe that "binding cryptography" is flexible enough to achieve this: a liberal crypto policy might use no Trusted Retrieval Parties at all, while a very non-liberal country might want one (government controlled) TRP, a compliance check on all network traffic and a ban on other crypto.
Why not ___NOT___ help these guys out? Do they somehow deserve to be assisted in the subjugation of their people? Does the name "Zyklon B" ring a bell?
With binding cryptography the issue on a crypto policy becomes non-technical and politically debatable: which features does a country want and what implementation?
I would much prefer a situation where freedom is provided and/or guaranteed by technology, and it is NOT debatable! See, one problem is that contrary to your implication above, where you said that crypto policy becomes "politically debatable" (which implies that the ordinary people of a country have some input) the _reality_ is that any such decision will be made by a tiny number of bureaucrats, if they can get away with it. The US Clipper proposal was a classic example of this: There was absolutely no public discussion or debate on it before it was announced, and it was obviously intended to be a fait accompli. Further, nearly all non-governmental people who are aware of the crypto issue disagree with the government's policies in this matter. Clearly, you cannot imply that crypto will REALLY be "politically debatable"!
For this kind of application, binding cryptography is spot on. Jim bell[SMTP:jimbell@pacifier.com] wrote: I think the biggest problem with allowing "anyone" to check the correctness of a key is that what is a technical possibility today, will become a legally-mandated requirement tomorrow. What if Internet backbone companies and/or ISP's were told that they had to implement software to check these keys, and if they discovered an "incorrect" escrowed key, they were legally obligated to either refuse to forward that message, and/or forward a copy of that message to someone like Spooks@NSA.gov or Thugs@DOJ.gov.
The information society is international by nature; we want to securely communicate with Singapore. If Singapore, a democratic country!, has such a crypto policy that they want the above control, then so be it. Don't blame "binding cryptography" for making that possible, but start a dialogue with your politicians on what features of the proposal are acceptable in your country.
No, I think I _will_ blame your infernal invention for trying to make limited communication possible! There's no doubt that the leadership of places like Singapore might want to restrict communication, but on the other hand they also want to be connected to the rest of the world for "non-political" speech. In effect, they are forced to make a choice. Most countries, except for a very highly authoritarian few, will probably opt for connectivity and this will lead to increased freedom for the people in their countries. _YOU_ are trying to give those governments connectivity while maintaining tyranny. Are you proud of what you're doing?
Some countries seem to have the philosophy that "law-abiding" citizens should have nothing to "hide" from their government, so should not use encryption at all. I think that that is not acceptable. The concept behind the third-party checking is that no "law-abiding" citizen should have any problem that abuse - and only that - of a *voluntary* system can be "seen" by many parties.
I think the terms "voluntary" and "abuse" are contradictory in your statement. If the system is "voluntary," then it is presumably "voluntary" to use a non-conforming system, right? And unless the government's goal is to harass or imprison or fine the user for not using that "voluntary" system, there is no purpose in knowing whether a person's use of encryption meets that "voluntary" standard.
If and *how* checking is done, is a matter of each society. The same concept holds for many things in life and is well accepted.
I see: "How each society decides to use our thumbscrews is totally voluntary and up to each country!" Pardon me while I puke.
For instance that is why cars have registration plates: if a car drives through after an accident on a *public* road, then by-standers (third parties) can observe that. I for one don't want the information society to be the wild west, where anything goes.
I'm much closer to "the wild west" than you are, and I like it just fine. I prefer it much better than the tyranny of stratified societies that have enslaved people for over a thousand years.
Of course, people are rightfully worried that such a checkable system might be abused by a totalitarian regime to control their citizens. However, as long as such a system is voluntary I see no problem.
Maybe you need to remember that the way governments use it, the definition of the word "voluntary" tends to pick up a rather Orwellian meaning. Also, you need to remember that the difference between a "voluntary" and a mandatory system may be as little as a single law passed in the middle of the night by a legislature. A law which you are intending to make possible!
Signs in the USA indicate (cf. the NRC study & remarks of the president) that use of other systems will always be possible.
You seem to have ignored my conjecture, where I pointed out that Internet backbones and ISPs might, hypothetically, be required to check keys and report "violations" to the government on a moment-to-moment basis. Further, they might be prohibited from forwarding messages that do not conform. This gets us back to the definition of the word "voluntary," again. Even if such an eventuality should occur, the government could cynically say that use of non-conforming forms of encryption were still "voluntary," because it's true you could use them. But they wouldn't be very useful if they didn't propagate on the Internet, now would they?
Also, the above discussions already showed that if such a system is voluntary, then there are lots of ways to go around it.
Not if the cooperation of everyone else is coerced! And moreover, not if they are coerced into not dealing with anybody who doesn't go along. You must really hate freedom, huh? Jim Bell jimbell@pacifier.com

On Sun, 13 Oct 1996, jim bell wrote:
At 11:48 AM 10/13/96 +0000, everheul@mail.rijnhaave.nl wrote:
To explain the background of "binding cryptography" once more; with respect to (interoperable, worldwide) security in the information society, societies/governments have to achieve two tasks: 1. stimulating the establishment of a security structure that protects their citizens, but which does not aid criminals.
That is pure unadulterated B.S. That is only a flimsy, ruthless pretext, without any foundation whatsoever, to usurp human freedom itself. The use of such "Chicken Little tactics - the sky is falling," is an unvarnished absurdity. The sky is not falling, in the U.S. and a few other places, people are trying to protect their own unbridled oligarchies and elsewhere, where such irrational tactics are being used, it is only being used to disguise the real motive of maliciously seeking to subject others to their will and power. Is it not absolutely, absurdly dichotomous, to say the very, very least, that China, Burma, North Korea, North Viet Nam, Iran, Iraq, Cuba, Germany, the Mossad, the FBI, the NSA, the CIA, the DIA, and various others, who are otherwise mutually exclusive groups are completely in accordance, in this joint effort to oppose strong cryptography? There has to be something wrong, terribly wrong somewhere, and there is! Has any of the latter group given thought that if so many of their adversaries are in agreement with them on this issue, then there may be some compelling reasons to provide others with the privacy of communication tools that will enhance, aid and abet those who are seeking precious freedom around the world? If we prohibit strong, unbreakable, cryptography, we are depriving a great number of our fellow human beings seeking such freedom from tyranny, of a valuable tool that they can use in the pursuit of that noble cause. Is that not far more important and far more precious to all who cherish freedom, than some irrational fear of how criminals and terrorists might use cryptography for malevolent activities? Who are we going to support? Those few who might use cryptography to break the law along with those who seek to usurp liberty and freedom - or all of the millions of law abiding citizens around the world along with those who seek to free themselves from the chains of despotism. We cannot have it both ways.
It must be one or the other, and the choice is clear! If we allow the terrorists and criminals to control our future course, then we all will become victims of those terrorists and criminals. We have very little to lose, if anything, and a great deal to gain. The balance scale is not even close!
I think this is a phony distinction. Practically every product sold today could arguably "aid criminals." It isn't possible to prevent this. And that's the problem with your thinking above: If government argued that it had the authority to regulate any product that, arguably, "aided criminals," then it would automatically be able to regulate anything.
Obviously, though I strongly object to Jim's espousing of anarchy in achieving certain ends, in this limited instance I believe Jim is absolutely right. If you are pregnant, you are pregnant; there is no such thing as partial pregnancy or partial freedom and security. Under such arcane principles, we would all be at the absolute mercy of purely arbitrary government regulations. The underlying reason that governments, or governmental agencies, advance the theory that using strong, and yes even unbreakable, encryption aids criminals and terrorists is to perpetuate their oligarchical powers, be it in Burma or here in the United States. Fortunately, in the United States, at least the perpetrators rationalize that they are doing what is right for all of us; nevertheless, they are using their "Chicken Little - the sky is falling," tactics to protect their own personal empires too, either consciously or subconsciously. The sky is not falling, far from it, careful reflection reveals that those who oppose strong, or unbreakable, encryption, are always talking about some vague potential threat as opposed to real threats. Criminals and terrorists will always find the ways and means to carry out their nefarious activities, with or without strong cryptography, it might take a little more time, but they will find the way to do it. On the other hand, all of the other millions of us, 99.99%+ of the users, who seek only to advance ourselves and the interests that they rightfully serve can never achieve our objectives without strong, unbreakable, encryption technology, not to mention all of those who can use it for good and noble causes which advance human freedom. Would we ever consider outlawing automobiles because they kill tens of thousands of people around the globe each year? Automobiles, drugs, cigarettes, alcohol and other causal agents kill far more people and are far more dangerous, by several orders of magnitude, than strong encryption technology.
The benefits of encryption security and privacy far outweigh any deleterious problems associated with criminals and terrorists. It is not even remotely close. An information society must encompass the capability to have absolute privacy and security if it is to achieve its promise to make us a better world. One of those promises is that it will eventually free all humans from the power of despotic oppressors. We must struggle but 'We will overcome.' Freedom denied, except where PROPERLY tempered by the harm it might cause to others, is tyranny; and preventing us from using unbreakable cryptographical systems is an obvious denial of free speech and every other freedom that humans hold dear. TVM, Don Wood

On Sun, 13 Oct 1996 cypher@cyberstation.net wrote:
At 11:48 AM 10/13/96 +0000, everheul@mail.rijnhaave.nl wrote:
To explain the background of "binding cryptography" once more; with respect to (interoperable, worldwide) security in the information society, societies/governments have to achieve two tasks: 1. stimulating the establishment of a security structure that protects their citizens, but which does not aid criminals.
That is pure unadulterated B.S. That is only a flimsy, ruthless pretext, without any foundation whatsoever, to usurp human freedom itself. The use of such "Chicken Little tactics - the sky is falling," is an unvarnished absurdity. The sky is not falling, in the U.S. and a few other places, people are trying to protect their own unbridled oligarchies and elsewhere, where such irrational tactics are being used, it is only being used to disguise the real motive of maliciously seeking to subject others to their will and power.
[...]
If we prohibit strong, unbreakable, cryptography, we are depriving a great number of our fellow human beings seeking such freedom from tyranny, of a valuable tool that they can use in the pursuit of that noble cause. Is that not far more important and far more precious to all who cherish freedom, than some irrational fear of how criminals and terrorists might use cryptography for malevolent activities?
[...]
An information society must encompass the capability to have absolute privacy and security if it is to achieve its promise to make us a better world. One of those promises is that it will eventually free all humans from the power of despotic oppressors. We must struggle but 'We will overcome.' Freedom denied, except where PROPERLY tempered by the harm it might cause to others, is tyranny; and preventing us from using unbreakable cryptographical systems is an obvious denial of free speech and every other freedom that humans hold dear.
Remember who it is that you must deal with. You must deal with government. Like it or not, government is the medium here. Effectively there are three options. 1> Convince government. 2> Avoid government. 3> Overthrow government.

Convince Government: It is my opinion as a Washington resident, attorney and beltway fever observer that this is impossible in any meaningful way. I don't care how many industry people gripe, how many letters go into senators, how many whimpers there are. If the Director of the FBI, key people at Justice, the Director of CIA and the Director of NSA tell the President that their ability to enforce the law, conduct intelligence operations and prosecute high profile cases is going to be severely hampered by strong crypto, you can bet that something is going to get done. Crypto is on the radar folks. So are anonymous remailers (and not just the penet kind) and so are secure communications in general. The government, particularly the executive branch, is a lot more savvy on this issue than even this list has given them credit for. They have a 13th Generation component (Michael Vatis is a great example) who are listened to by craft superiors (Gorelick), know the issues, know the risks, and know the weak points. Be very afraid. Changing their mind is out of the question in my view, and efforts are better directed elsewhere. It would be a bit easier if crypto savvy types like our two .nl friends (of "Binding Cryptography" fame) wouldn't provide them with gelding instruments, but this is to be expected. At this point, some original type will suggest that the people (a minority to be sure as the number of people who know much about the net much less crypto, while increasing, is unlikely to be very effectual) should just start whacking officials who aren't crypto friendly. Let's take it to option #3 then and address this.
Overthrow Government: Any student of international relations and/or internal low intensity conflict will realize that there must be a measure of public support to back any kind of organized revolt with political ends as its goal. Terrorism hardly seems a prudent option. Certainly a net terrorist today could use his skill and expertise in causing a great deal more havoc with a great deal less funding and general resource than a terrorist of yore, but what irony. Destroying the net to save it? Bombing power centers to make the internet free for all man? Moreover, without larger scale organization one never reaches the level of "low intensity conflict" but rather remains at the level of "random terrorism." The effectiveness of random terrorism is, I think, historically quite well defined. Essentially it is ineffectual alone. To bring about the level of organization required to raise the stakes to "low intensity conflict" or "organized revolt" some cadre of supporters and popular sympathy is required. Not likely in this case. It's hard enough to conduct an effective low intensity campaign with an easily understood mantra (like political system, religious freedom, fundamentalism, etc.) but to conduct one with the goal of overturning crypto regulations...? I understand that many people on this list view the crypto debate as an essentially free speech issue. I tend to agree with this view, but in terms of strict free speech nexi, I am in the minority and even my agreement is tempered with the realization that such an expansive reading of free speech is fringe at best. The question becomes not what is the right interpretation of the crypto issue, but how strongly public sentiment can be identified with the crypto issue itself. This is a minimal, almost vanishingly small influence outside of this list. So we are left with random terrorism in the name of free strong crypto.
Perhaps a few high profile incidents might come off without a hitch by groups who have it together or have some more impressive leadership or exotic background, but individual efforts are unlikely to accomplish a great deal. Between a few small group efforts and perhaps a single or two successful individual efforts to make headline news in a few years time we have then perhaps 5 incidents, two of which might be really scary if they involve bombings or some such. This would require at the very least 10-15 active participants, or in the most extreme case 7-10. Given the past performance of the FBI I'd suspect that half or more of the efforts would result in arrests. As far as I can tell there are perhaps two or three members on this list who would come anywhere close to doing actual terrorist acts to further strong crypto at the moment. Even by this quite generous estimate I think it's clear that in the next 3 years the likelihood of a government overthrow or even a marginally successful terrorist campaign is vanishingly small. Organized low intensity conflict is out of the question in this time frame.

2: Avoid the Government

I am convinced this is the only answer. It has essentially always been the cypherpunk answer. "Cypherpunks write code." Cypherpunks get it done. etc. Get the genie out of the bottle and keep it there. This is PGP, this is ssh, this is SSL, this is mixmaster, this is remailers. Get it out, get it working, get there first. Ok. We got some of it there. Now what? The lead time on crypto is about up. In my estimate regulation will be in place by 1998, if not earlier. Remember that in many countries regulation already exists. Efforts put on resisting or moderating crypto are fine. Political action is fine. Even so I submit that technological action is more important at this stage. The delaying games are about over. Where is highly sophisticated stego? Where are larger keys for symmetric ciphers? Where is a fully functional and secure "stealth PGP"?
Where are anonymous and encrypted WWW clients and hosts which permit chaining? If the crypto war is going to be lost it will be lost in the chill of development when crypto regulation is put into place. If you don't make the guns in the first place, the government has a much easier time taking them away. It is going to take a constitutional amendment or a very very favorable Supreme Court ruling to keep strong crypto legal. There is no "right to crypto," as much as Mr. Wood would like to believe it exists. Sorry Mr. Wood. It isn't going to be as easy as all that.
-- I hate lightning - finger for public key - Vote Monarchist unicorn@schloss.li

Black Unicorn <unicorn@schloss.li> writes:
[avoiding government is the only way]
2: Avoid the Government
I am convinced this is the only answer. It has essentially always been the cypherpunk answer. "Cypherpunks write code." Cypherpunks get it done. etc. Get the genie out of the bottle and keep it there. This is PGP, this is ssh, this is SSL, this is mixmaster, this is remailers. Get it out, get it working, get there first.
Ok. We got some of it there. Now what? The lead time on crypto is about up. In my estimate regulation will be in place by 1998, if not earlier. Remember that in many countries regulation already exists.
Efforts put on resisting or moderating crypto are fine. Political action is fine. Even so I submit that technological action is more important at this stage. The delaying games are about over.
Where is highly sophisticated stego?
Good stego is difficult. Very low bandwidth stego is doable, but stego of reasonable bandwidth, and good plausible deniability is difficult. What are our options?

- Stego in english text. Highly desirable, but very difficult, I think.

- Stego in audio and graphic file formats. Easier. Not so much plausible deniability. You've got to scan your own pictures, and post lots of them. (Become an avid alt.binaries.pictures.* poster?)

- Stego in Internet Phone protocols. Bill Stewart discussed some of the problems with this a short while ago. If I recall the basic problem is that the higher quality lossy audio compression CODECs, which typically get used for low bandwidth (28.8k and below modems) to get reasonable quality, don't have that much room left, as they are compressing, and lossy, and by design trying to leave as little as possible redundancy left. I have also seen claims made for digital watermarking, that if enough channels and redundancy is used, that digital watermarking survives all kinds of abuse, analogue reproduction and redigitizing, etc. Digital watermarking that I have seen discussed most involves image files. Is there any published work on digital watermarking of audio files? It would be interesting to see if any audio watermarking techniques survive internet phone CODECs. However, the problem still is that the two aims are in tension: stego is trying to make the fact that the data is there at all undetectable, the main aim with watermarking is that you not be able to remove all traces of watermarking, and the way that this is achieved is to spread the watermarking through many channels. The fact that there is watermarking in the document is not necessarily being concealed, the primary aim is to stop removal, and encode the watermark so that the image is not appreciably damaged visually.

- Stego in Internet video conference formats. This kind of technology is difficult for similar reasons to that of audio.
Also the technology is a bit premature, I don't think you would be able to get a very good frame rate of high resolution video over a 28.8k modem.
Where are larger keys for symmetric ciphers?
The recent discussion on using IDEA with larger keys, or using 3IDEA (triple IDEA) might be one way to get larger key spaces. Peter Gutmann's MDC or the Luby-Rackoff method for constructing a CBC mode block cipher from hash functions are another way. However, Schneier, in AC2 voices concerns about basing ciphers on hashes because the design goals for hashes are different from those for symmetric ciphers. I would be interested to discuss the options of combining cryptosystems so that the resulting cipher is as strong as the strongest of the used ciphers. For instance ways to combine IDEA, 3DES, and MDC say, such that all 3 have to be thoroughly broken before the combination is broken. How good is simple multiple encryption:

C = IDEA( key1, 3DES( key2, MDC( key3, M ) ) )

The same question for public key, how good is:

C = RSA( pk1, ElGamal( pk2, Rabin( pk3, M ) ) )

mixing in a PK system based on a hard problem other than one based on discrete logs / factoring would be nice also, in case there turn out to be problems in this area. Also Schneier has this one: generate a one-time pad P, XOR it with the data M, then:

C = IDEA( P ) || 3DES( P XOR M )

generating the pad is left as an exercise to the reader (just remember, you need at least 112 + 128 bits of security). Also this has the problem that it doubles the message size, but it is guaranteed to be as hard to break as breaking both IDEA and 3DES (or whatever algorithms it is you are using). Also another problem for all of this, you need really top quality random number generators, to get full use from your long key length algorithms.
Where is a fully functional and secure "stealth PGP"?
PGP stealth 2.01 beta is at: http://www.dcs.ex.ac.uk/~aba/stealth/ It is not release quality. I've been meaning to fix that for a while now, a release version will be out RSN. Do you, or anyone else who is interested see any advantage in having stealth functionality integrated into PGP, say as a patch for PGP263i / mit PGP262? Not that hard to do, if there's any interest for it to be integrated. Zbigniew Fiedorowicz <fiedorow@math.mps.ohio-state.edu> added stealth and SHA1 support directly to a MAC version of PGP. The key words `fat mac pgp' in a www search engine would probably find it. Or `Zbigniew pgp'?
Where are anonymous and encrypted WWW clients and hosts which permit chaining?
Folks working on this? Adam -- print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<> )]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`
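The two combinations Adam asks about, plain multiple encryption and Schneier's pad-splitting construction C = A(P) || B(P XOR M), as an added worked example that is not code from the thread. Because the stdlib ships no IDEA or 3DES, cipher_a and cipher_b below are assumed stand-ins built from HMAC-SHA256 and keyed BLAKE2b run in counter mode; the point is the combination, not the primitives, and both stand-ins are their own inverse, as any XOR stream cipher is. Keys, message and function names are constructed for the example.

```python
import hashlib
import hmac
import secrets


def _stream_a(key: bytes, n: int) -> bytes:
    # Stand-in for "cipher A" (IDEA in the post): HMAC-SHA256 in counter mode.
    out = bytearray()
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, b"A" + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:n])


def _stream_b(key: bytes, n: int) -> bytes:
    # Stand-in for "cipher B" (3DES in the post): keyed BLAKE2b in counter mode,
    # chosen so that the two stand-ins do not share a primitive.
    out = bytearray()
    for ctr in range((n + 63) // 64):
        out += hashlib.blake2b(b"B" + ctr.to_bytes(8, "big"), key=key, digest_size=64).digest()
    return bytes(out[:n])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cipher_a(key: bytes, data: bytes) -> bytes:
    return _xor(data, _stream_a(key, len(data)))


def cipher_b(key: bytes, data: bytes) -> bytes:
    return _xor(data, _stream_b(key, len(data)))


def cascade_encrypt(k1: bytes, k2: bytes, m: bytes) -> bytes:
    # Simple multiple encryption, C = A(k1, B(k2, M)). The keys must be
    # independent; deriving k2 from k1 throws the extra strength away.
    return cipher_a(k1, cipher_b(k2, m))


def cascade_decrypt(k1: bytes, k2: bytes, c: bytes) -> bytes:
    return cipher_b(k2, cipher_a(k1, c))


def split_encrypt(k1: bytes, k2: bytes, m: bytes, pad: bytes = None) -> bytes:
    # Schneier's construction, C = A(k1, P) || B(k2, P XOR M) with P a fresh pad.
    # Breaking A alone yields P, which is independent of M; breaking B alone
    # yields P XOR M, a one-time-pad ciphertext. Both must fall to recover M,
    # at the cost of doubling the ciphertext length.
    if pad is None:
        pad = secrets.token_bytes(len(m))   # the "exercise to the reader": a real CSPRNG
    if len(pad) != len(m):
        raise ValueError("pad must be exactly as long as the message")
    return cipher_a(k1, pad) + cipher_b(k2, _xor(pad, m))


def split_decrypt(k1: bytes, k2: bytes, c: bytes) -> bytes:
    if len(c) % 2:
        raise ValueError("split ciphertext must have even length")
    half = len(c) // 2
    pad = cipher_a(k1, c[:half])              # recover P from the first half
    return _xor(pad, cipher_b(k2, c[half:]))  # strip P from the second half


if __name__ == "__main__":
    k1, k2 = secrets.token_bytes(32), secrets.token_bytes(32)
    msg = b"the genie is out of the bottle"
    c = split_encrypt(k1, k2, msg)
    print(len(msg), "->", len(c), "bytes;", split_decrypt(k1, k2, c) == msg)
```

The pad must never be reused and must come from a generator as strong as the ciphers around it, which is exactly Adam's closing point about random number generators: with a predictable P the second half degenerates into a single encryption under cipher B.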

On Mon, 14 Oct 1996, Adam Back wrote: [Quoting Uni]
Where are anonymous and encrypted WWW clients and hosts which permit chaining?
Folks working on this?
As always when this question comes up, I give this answer: The only idea that seems to address the issue of chaining of realtime connections is Wei Dai's PipeNet. However, Wei doesn't have the time to turn it into code. Neither do I. But my offer from years ago still stands: I will fully finance the *second* node running PipeNet. For newcomers, PipeNet is a "remailer" for IP. You use constant bandwidth pipes to conceal traffic. To be useful in any way, PipeNet requires at least a dedicated T1. --Lucky
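What "constant bandwidth pipes" buy you, as an added model of the idea Lucky describes rather than PipeNet's own code: a link that emits exactly one fixed-size cell per tick whether or not the application has anything to send, with dummy and data cells masked so that a passive observer sees the same stream either way. The 32-byte cell, the per-cell SHA-256 mask standing in for real link encryption, and the sample data are assumptions of the example.

```python
import hashlib
from typing import Dict, List, Tuple

CELL = 32            # assumed toy cell size in bytes; exactly one goes on the wire per tick
BODY = CELL - 1      # one length byte inside the cell; 0 means "dummy, nothing queued"


def _mask(key: bytes, index: int) -> bytes:
    # Per-cell keystream so a dummy cell and a data cell look the same on the wire.
    # Stand-in for the link encryption a real hop would apply; never reuse an index.
    return hashlib.sha256(key + index.to_bytes(8, "big")).digest()[:CELL]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class PipeSender:
    def __init__(self, key: bytes):
        self.key, self.queue, self.index = key, bytearray(), 0

    def send(self, data: bytes) -> None:
        self.queue += data          # application data waits here for a tick

    def tick(self) -> bytes:
        # Emit exactly one cell per tick whether or not anything is queued.
        chunk = bytes(self.queue[:BODY])
        del self.queue[:len(chunk)]
        cell = bytes([len(chunk)]) + chunk + bytes(BODY - len(chunk))
        wire = _xor(cell, _mask(self.key, self.index))
        self.index += 1
        return wire


class PipeReceiver:
    def __init__(self, key: bytes):
        self.key, self.index, self.out = key, 0, bytearray()

    def receive(self, wire: bytes) -> None:
        cell = _xor(wire, _mask(self.key, self.index))
        self.index += 1
        n = cell[0]
        self.out += cell[1:1 + n]   # dummy cells carry n == 0 and add nothing


def simulate(key: bytes, schedule: Dict[int, bytes], ticks: int) -> Tuple[List[bytes], bytes]:
    """schedule maps tick number -> bytes handed to the sender at that tick."""
    tx, rx = PipeSender(key), PipeReceiver(key)
    wire = []
    for t in range(ticks):
        tx.send(schedule.get(t, b""))
        cell = tx.tick()
        wire.append(cell)
        rx.receive(cell)
    return wire, bytes(rx.out)


def wire_profile(wire: List[bytes]) -> List[int]:
    # Everything a passive observer of the link gets: one cell size per tick.
    return [len(cell) for cell in wire]


if __name__ == "__main__":
    key = b"example link key"            # constructed for the example
    idle, _ = simulate(key, {}, 6)
    busy, got = simulate(key, {1: b"cypherpunks write code"}, 6)
    print(wire_profile(idle) == wire_profile(busy), got)
```

The cost is visible in tick(): the pipe burns its full rate when idle, and a burst larger than one cell waits for later ticks, so throughput is capped by the cell rate you pay for around the clock. That is why Lucky puts a dedicated T1 as the entry price, and why without the mask a length byte of zero would hand the observer exactly the timing signal the padding was meant to hide.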

What, a discussion of cryptography on the cypherpunks list?

aba@dcs.ex.ac.uk (Adam Back) writes:
>>Where is highly sophisticated stego?
>What are our options?
>- Stego in english text.
>- Stego in audio and graphic file formats
>- Stego in Internet Phone protocols.
>- Stego in Internet video conference formats

What about stego in IP itself? It's been awhile since I've looked, but aren't there some bits one could subvert in the TCP/IP headers themselves?

Nelson Minar wrote:
| What, a discussion of cryptography on the cypherpunks list?
|
| aba@dcs.ex.ac.uk (Adam Back) writes:
| >>Where is highly sophisticated stego?
| >What are our options?
| >- Stego in english text.
| >- Stego in audio and graphic file formats
| >- Stego in Internet Phone protocols.
| >- Stego in Internet video conference formats
|
| What about stego in IP itself? It's been awhile since I've looked, but
| aren't there some bits one could subvert in the TCP/IP headers themselves?

A bunch of must-be-zeros. Easy to see. A machine with two interfaces could send data by choosing the interface to send on. Ping, DNS, and ICMP all have lots of space for data.

Adam
-- "Every year the Republicans campaign like Libertarians, and then go to Washington and spend like Democrats." Vote Harry Browne for President. http://www.harrybrowne96.org
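Both halves of the exchange above, as an added example that is not code from the thread: a covert sender that packs a message into the data field of ordinary-looking ICMP echo requests, the receiver that reassembles it, and the two checks a monitor would run, the "easy to see" must-be-zero bit in the IPv4 flags field and a comparison of the ping payload against the fill pattern benign pings use. The 56-byte payload and the fill pattern (8-byte timestamp, then byte i holding the value i) are assumptions modelled on the common iputils ping; the identifier, message and function names are constructed for the example.

```python
import struct
from typing import Dict, List

PING_DATA = 56   # assumed payload size of a default ping; chosen so covert packets match it


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, as used in the ICMP header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)   # type 8, code 0, csum 0
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def parse_icmp(pkt: bytes) -> Dict:
    typ, code, csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return {"type": typ, "code": code, "ident": ident, "seq": seq,
            "payload": pkt[8:], "checksum_ok": inet_checksum(pkt) == 0}


def covert_send(message: bytes, ident: int = 0x1234) -> List[bytes]:
    # One length byte plus up to PING_DATA-1 message bytes per echo request,
    # padded so every packet has the same size as a normal ping.
    pkts = []
    for seq, off in enumerate(range(0, len(message), PING_DATA - 1)):
        chunk = message[off:off + PING_DATA - 1]
        payload = (bytes([len(chunk)]) + chunk).ljust(PING_DATA, b"\x00")
        pkts.append(build_echo_request(ident, seq, payload))
    return pkts


def covert_receive(pkts: List[bytes], ident: int = 0x1234) -> bytes:
    parts = {}
    for pkt in pkts:
        p = parse_icmp(pkt)
        if p["type"] == 8 and p["ident"] == ident and p["checksum_ok"]:
            n = p["payload"][0]
            parts[p["seq"]] = p["payload"][1:1 + n]
    return b"".join(parts[s] for s in sorted(parts))


def standard_fill(length: int) -> bytes:
    # Assumed benign pattern: 8-byte timestamp first, then byte i holds the value i.
    return bytes(i & 0xFF for i in range(8, length))


def looks_like_covert_ping(pkt: bytes) -> bool:
    # Monitor-side check: an echo whose data does not match the expected fill.
    p = parse_icmp(pkt)
    if p["type"] not in (0, 8):
        return False
    data = p["payload"]
    return data[8:] != standard_fill(len(data))


def ipv4_reserved_bit_set(ip_header: bytes) -> bool:
    # RFC 791: the high bit of the flags field is reserved and must be zero,
    # so any packet with it set stands out immediately on the wire.
    flags_frag = struct.unpack("!H", ip_header[6:8])[0]
    return bool(flags_frag & 0x8000)


if __name__ == "__main__":
    pkts = covert_send(b"cypherpunks write code")
    print(len(pkts), "packet(s);", covert_receive(pkts))
    print("flagged:", [looks_like_covert_ping(p) for p in pkts])
```

The asymmetry is the point Adam makes: a reserved header bit is a single boolean that any filter can test, whereas payload stego forces the monitor to know what normal looks like, and a sender who copies the benign fill pattern and only varies timing or interface choice leaves this check nothing to match against.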
participants (7): Adam Back, Adam Shostack, Black Unicorn, cypher@cyberstation.net, jim bell, Lucky Green, Nelson Minar