These messages were extracted from RISKS Digest (14.64) - 8<------- Snip, Snip ------------- Date: Wed, 19 May 1993 16:32:46 -0400 (EDT) From: esr@snark.thyrsus.com (Eric S. Raymond) Subject: Re: Clipper (Denning, RISKS-14.60; Rotenberg, RISKS-14.62) In <CMM.0.90.1.737688970.risks@chiron.csl.sri.com> Marc Rotenberg wrote:

Denning has to be kidding. The comments on the proposed DSS were uniformly critical. Both Marty Hellman and Ron Rivest questioned the desirability of the proposed standard.

Mr. Rotenberg, as a public figure operating in the political arena, has to exercise a certain diplomatic restraint in responding to Ms. Denning's claims. I am, thankfully, under no such requirement. As a long-time RISKS reader and contributor, I observe that that this is not the first time that Ms. Denning has apparently operated as a mouthpiece for the NSA's anti-privacy party line on DES and related issues. I believe Ms. Denning's remarks must be understood as part of a continuing propaganda campaign to marginalize and demonize advocates of electronic privacy rights. Other facets of this campaign have attempted to link privacy advocates to terrorists and drug dealers by suggesting that only criminals need fear wiretapping. These are serious charges. I make them because, in the wake of the Clipper proposal, I do not believe civil libertarians can afford any longer to assume that their opponents are persons of good will with whom they can simply debate minor differences of institutional means in a collegial way. It's time for someone to say, in public and on this list, what I know many of us have been thinking. The future is *now*. Electronic privacy issues are no longer a parlor game for futurologists; they are the focus of a critical political struggle, *and the opponents of privacy are fighting their war with all the tools of force, deception, and propaganda they can command*. The histories of the DES, the FBI wiretap proposal, and now the Clipper proposal must be considered against a wider background of abuses including the Steve Jackson case, "Operation Longarm", and the routine tapping of U.S. domestic telecommunications by NSA interception stations located outside the geographic borders of the United States. These form a continuing pattern of attempts by agencies of the U.S. government to pre-empt efforts to extend First and Fourth Amendment privacy protections to the new electronic media. In each case, the attempt was made to present civil libertarians with a fait accompli, invoking "national security" (or the nastiness of "kiddie porn") to justify legislative, judicial and practical precedents prejudicial against electronic privacy rights. While I would not go so far as to claim that these efforts are masterminded by a unitary conspiracy, I believe that the interlocking groups of spies, bureaucrats and lawmen who have originated them recognize each other as cooperating fellow-travelers in much the same way as opposing groups like the EFF, CPSR and the Cypherpunks do. Their implicit agenda is to make the new electronic communications media transparent to government surveillance and (eventually) pliant to government control. One of the traits of this culture of control is the belief that manipulative lying and dissemblage can be justified for a `higher good'. I believe that Ms. Denning's disingenuous claim that the DSS "is now considered to be just as strong as RSA" is no mere technical misapprehension. I believe it is propaganda aimed at making objectors non-persons in the debate. I cannot know whether Ms. Denning actually believes this claim, but it reminds me all too strongly of the classic "Big Lie" technique. It is important for us to recognize that the propaganda lie is not an aberration, but a routine tool of the authoritarian mindset. And the authoritarian mindset is, ultimately, what we are confronting here --- the mindset that regards the fighting of elastically-defined `crime' as more important than privacy, that presumes guilt until innocence is proven, that demands for government a license to override any individual's natural rights at political whim. We cannot trust representatives of an institutional culture that was *constructed* to deal in information control, lies, secrecy, paranoia and deception to tell us the truth. We cannot accept the authoritarians' unverified assurances that the sealed interior of the Clipper chip contains no `trapdoor' enabling the NSA to eavesdrop at will. We cannot trust the authoritarians' assertions that they have no intention of outlawing cryptographic technologies potentially more secure than the Clipper chip. We cannot believe the authoritarians' claims that `independent' key registries will prevent abuse of decryption keys by government and/or corrupt individuals. We cannot --- we *must not* --- cede control of encryption technology to the authoritarians. To do so would betray our children and their descendants, who will work and *live* in cyberspace to an extent we can barely imagine. We cannot any longer afford the luxury of treating the authoritarians as honest dealers with whom compromise is morally advisable, or even possible. Whatever their own valuation of themselves, the thinly-veiled power grab represented by the Clipper proposal reveals a desire to institutionalize means which a free society, wishing to remain free, *cannot tolerate*. Big Brother must be stopped *here*. *Now.* While it is still possible. Eric S. Raymond <esr@snark.thyrsus.com> - -- Date: Wed, 19 May 93 18:37:24 EDT From: denning@cs.cosc.georgetown.edu (Dorothy Denning) Subject: Re: Clipper (Raymond, RISKS-14.64) Eric Raymond has accused me of being part of a propaganda campaign and a "Big Lie." Among his wild speculations, he wrote: I believe that Ms. Denning's disingenuous claim that the DSS "is now considered to be just as strong as RSA" is no mere technical misapprehension. I believe it is propaganda aimed at making objectors non-persons in the debate. I cannot know whether Ms. Denning actually believes this claim, but it reminds me all too strongly of the classic "Big Lie" technique. Frankly, I don't know how to respond his allegations other than by saying that I am not and have never been on the payroll of NIST, NSA, or the FBI and that every word I have published has been completely on my own initiative. While I frequently speak with people in these agencies (mainly to ask them questions so that I can be informed) and have considerable respect for them, I am operating on my own initiative and making my own independent evaluations based on all the evidence I can find. I try to avoid pure speculation as much as possible. My objective in responding to Sobel in the first place was to point out that, in my best judgement, the DSS as revised is as secure as RSA. I did that so that readers would not be led to believe the contrary. Let me elaborate more. The security of the DSS is based on the difficulty of computing the discret log. (The Diffie-Hellman key exchange, invented in 1976, is likewise so based.) The security of the RSA is based on factoring. My understanding is that the computational difficulty of these two problems is about the same for comparable key lengths, and indeed, the fastest solutions with both come using the same basic technique, namely the number field sieve. If I'm wrong here, I am happy to be corrected by someone who knows more than I do about this. There are other factors, of course, that must be taken into account. With both schemes, you have to make sure you get good primes. In the case of the DSS, you want really random ones so that you don't get ones with "trapdoors." This is readily done and the chances of getting a trapdoor one are minuscule. For a reference, see Daniel Gordon's paper from Crypto '92. I still remember the day when George Davida called me up to say that he had cracked RSA. It turned out that he had found a way of exploiting the digital signatures to get access to plaintext (but not keys). I generalized his mathematics and published a paper in CACM (April 84). The solution is to hash messages before they are signed, which has other advantages anyway. I also remember various articles by people pointing other potential vulnerabilities with RSA if the primes weren't picked right. There are potential weaknesses in all of these public-key methods, but they can be resolved. As near as I can tell, NIST has resolved the potential problems with the DSS, and I am confident that if new ones are found, they will resolve them too. Dorothy Denning Paul Ferguson | The future is now. Network Integrator | History will tell the tale; Centreville, Virginia USA | We must endure and struggle fergp@sytex.com | to shape it. Stop the Wiretap (Clipper/Capstone) Chip.