Re: "U.S. May Help Chinese Evade Net Censorship"
On Thursday, August 30, 2001, at 02:11 PM, Faustine wrote:
True, of course they do. "Technology is morally neutral," sure, whatever. Yay capitalism. I still think handing over your security product beta on a silver platter in exchange for a nice fat government contract is a stupid, stupid idea.
And since software is infinitely replicable, all the NSA would have to do if ZKS refused to sell to them is to get a copy anywhere else: from an employee who orders it sent to his home address, from a contractor, off the shelf at Fry's or Circuit City (someday, maybe not today), and so on.

Much more importantly, modern crypto relies on avoiding "security through obscurity." As outlined by Kerckhoffs in the 19th century, the security of a cipher ultimately depends only on the _key_, not the algorithm used to process the key. (Phrased in more modern terms, figuring out the algorithm is an "easy" problem, presumably solvable in polynomial time, while discovering the key is either provably impossible (except by guessing) or, in the case of RSA, is believed to be "hard" (not yet proven, and textbooks will tell you all kinds of stuff about what "hard" means).)

Now Freedom is not a cipher, but a system. And no doubt supplying an attacker with the program would help him to design an attack. Supplying him with the source code and detailed specs would help him even more. But, as with Kerckhoffs's point, the attacker is going to get the design eventually. But not the keys. In any case, NSA probably had it from their buddies in Canada, who either got it by arrangement with ZKS or snarfed it in one of several ways.

The security of Freedom should not depend on even having access to the source code, else ZKS would be lying when they claim that even they cannot trace a message back to the sender. (Something which some may doubt...)
Either way, the prospects for "dissident-grade untraceability" are fairly bleak.
You pontificate as if you know something about our field, when you clearly know very little. Get some education if you plan to pontificate like this. A mixnet of the N extant remailers offers pretty damned good untraceability. Needs some work on getting remailers more robust, but the underlying nested encryption looks to be a formidable challenge for Shin Bet to crack. --Tim May
On Thu, Aug 30, 2001 at 09:14:46PM -0700, Tim May wrote:
| A mixnet of the N extant remailers offers pretty damned good
| untraceability. Needs some work on getting remailers more robust, but
| the underlying nested encryption looks to be a formidable challenge for
| Shin Bet to crack.

http://anon.efga.org/Remailers lists about 35 Mixmasters and 45 type 1 remailers.

An awful lot depends on what you mean by "pretty good untraceability." For example, if you send a dozen messages from Alice to Bob, then I'd bet you can do an entry-exit correlation attack. It becomes harder if you add substantial cover traffic, but Kocher-esque reductions in the noise are very powerful.

If Alice and Bob are smart spies, and use a different hotmail receiving address each time, then you get pretty good untraceability, but that untraceability comes as much from the one-off nature of the messages as the mix network between them. And, depending on how good I think Shin Bet is at traffic analysis, I'm not sure if I'd even draw attention to my messages by sending them through 1/40^5 remailers. That's 28 or 29 bits with 5 hops.

If you start looking at reliability, only half or so of the remailers have 99% reliability, although only 10 are below 95%, which means either a smaller pool, or a need for redundancy, both of which reduce your security.

Adam
--
"It is seldom that liberty of any kind is lost all at once." -Hume
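The two quantitative points in Adam's post, the guessing cost and reliability of a hop pool and the entry-exit correlation attack on a dozen Alice-to-Bob messages, as an added Python example that is not part of the thread and not code from any remailer. Everything in it is assumed or constructed: a 40-remailer pool, 5 hops, uniform per-hop delays of at most 10 s, 30 cover senders each sending 12 messages over an hour, and the sender and recipient names. The attacker model is the weakest one that still works: an observer who sees who enters the first hop and who leaves the last hop, and nothing in between.

```python
"""Added example (not from the thread): two quick checks on the remailer
argument. Pool size, hop count, per-hop delays, reliability figures, the
30 cover senders and all names below are assumptions / constructed traffic."""
import math
import random
from collections import Counter


def path_bits(pool_size: int, hops: int) -> float:
    """Entropy, in bits, of a hop sequence drawn uniformly (with replacement)
    from the pool: the '1/40^5' figure expressed as a guessing cost."""
    return hops * math.log2(pool_size)


def chain_reliability(per_hop: float, hops: int) -> float:
    """Chance the whole chain delivers when each hop succeeds independently."""
    return per_hop ** hops


def usable_pool(reliabilities, floor):
    """Remailers a cautious user keeps: those at or above `floor` uptime.
    A smaller pool means fewer path_bits; sending copies through several
    chains instead hands the observer more entries to correlate."""
    return [r for r in reliabilities if r >= floor]


def simulate_traffic(rng, n_cover=30, msgs_per_sender=12, span_s=3600.0,
                     hops=5, max_hop_delay_s=10.0, alice_rcpt=lambda i: "bob"):
    """Constructed traffic: Alice plus `n_cover` cover senders, each sending
    `msgs_per_sender` messages over `span_s` seconds; every message picks up
    `hops` independent uniform delays. Returns only what an entry/exit
    observer sees: (sender, t_in) at the first hop and (recipient, t_out)
    at the last hop, with no hop identities."""
    entries, exits = [], []
    senders = ["alice"] + [f"cover{i:02d}" for i in range(n_cover)]
    for sender in senders:
        for i in range(msgs_per_sender):
            t_in = rng.uniform(0.0, span_s)
            t_out = t_in + sum(rng.uniform(0.0, max_hop_delay_s) for _ in range(hops))
            rcpt = alice_rcpt(i) if sender == "alice" else f"other{rng.randrange(50)}"
            entries.append((sender, t_in))
            exits.append((rcpt, t_out))
    return entries, exits


def correlate(entries, exits, target_rcpt, window_s):
    """Score each sender by how many of its entries are followed, within the
    delay bound `window_s`, by an exit to `target_rcpt`. A sender who keeps
    writing to the same address accumulates coincidences; cover senders
    only collect them by chance."""
    target_exits = [t for r, t in exits if r == target_rcpt]
    scores = Counter()
    for sender, t_in in entries:
        if any(t_in <= t_out <= t_in + window_s for t_out in target_exits):
            scores[sender] += 1
    return scores


def candidate_senders(entries, exit_time, window_s):
    """For one exit, every sender that entered within the delay bound before
    it: the anonymity set a one-off message leaves the observer with."""
    return sorted({s for s, t_in in entries if exit_time - window_s <= t_in <= exit_time})


def run(seed=7):
    rng = random.Random(seed)
    window = 60.0  # observer's bound on end-to-end delay (5 hops x 10 s max, rounded up)
    # Case 1: twelve messages to one receiving address.
    entries, exits = simulate_traffic(rng)
    ranked = correlate(entries, exits, "bob", window).most_common(3)
    # Case 2: same sender, a fresh receiving address for every message;
    # the observer can only build the candidate set for one exit.
    rng = random.Random(seed)
    entries, exits = simulate_traffic(rng, alice_rcpt=lambda i: f"drop{i:02d}")
    t_out = next(t for r, t in exits if r == "drop00")
    candidates = candidate_senders(entries, t_out, window)
    return ranked, candidates


if __name__ == "__main__":
    print(f"5 hops through 40 remailers: {path_bits(40, 5):.1f} bits")
    print(f"5-hop chain at 95% / 99% per hop: "
          f"{chain_reliability(0.95, 5):.3f} / {chain_reliability(0.99, 5):.3f}")
    ranked, candidates = run()
    print("repeated recipient, top senders by coincidence count:", ranked)
    print("one-off recipient, candidate set for one exit:", candidates)
```

Alice scores 12 of 12 in the first case no matter what the seed is, because each of her own exits lands inside the delay bound after her own entry; a cover sender only picks up a point when one of its entries happens to sit within 60 s before a Bob exit, which with twelve Bob exits in an hour is a small fraction of the time. That is the noise reduction at work: nothing about any single message is traceable, the repetition is. In the second case the observer holds one exit and gets back a list of every sender active in the preceding minute, which is exactly the sense in which the untraceability comes from the one-off address rather than from the mix. The reliability figures show the other trade-off: at 95% per hop a 5-hop chain delivers only about three times in four, so the user either drops the weaker half of the pool (fewer path bits) or sends duplicates (more entries to correlate).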
participants (2)
-
Adam Shostack
-
Tim May