IP: WHITE HOUSE PROPOSES MASSIVE COMPUTER MONITORING SYSTEM

1999-07-28 Thread Robert Hettinga 


--- begin forwarded text


Date: Tue, 27 Jul 1999 22:51:23 -0400
To: [EMAIL PROTECTED]
From: "L.J.Alberts" [EMAIL PROTECTED]
Subject: IP: WHITE HOUSE PROPOSES MASSIVE COMPUTER MONITORING SYSTEM
Sender: [EMAIL PROTECTED]
Reply-To: "L.J.Alberts" [EMAIL PROTECTED]

-BEGIN PGP SIGNED MESSAGE-

X DRUDGE REPORT X TUESDAY, JULY 27, 1999 20:28:41 ET X

WHITE HOUSE PROPOSES MASSIVE COMPUTER MONITORING SYSTEM; WILL TRACK 
BANKING, TELECOMMUNICATIONS AND OTHER NETWORKS

The Clinton administration has developed a plan for an extensive 
computer monitoring system,
overseen by the FBI, that will track banking, telecommunications and 
other industries, it will
be reported on Wednesday.

The National Security Council is conducting a legal and technical 
review of the new Clinton
plan, a final report is scheduled to be made public in September.

NEW YORK TIMES reporter John Markoff has been shown a draft, 
according to publishing sources,
and was busy on Tuesday afternoon preparing a story.

In some government circles, the proposed system has been nicknamed "Hillary."

The plan calls for the development of a "sophisticated software 
system to monitor activities on
non-military government networks" and a separate system to "track all 
transactions used in the
banking, telecommunications and transportation industries."

The system is intended to alert law enforcement officials to computer 
attacks that might
cripple governmental or the nation's economy. But it could also 
become a massive government
utility used for surveillance of citizens, critics contend, with 
great potential for misuse.

"Law enforcement agencies obviously would be under great temptation 
to expand the use of the
information in pursuit of suspected criminals," the TIMES will report.

The plan has drawn fire from civil libertarians because it blends 
"civilian and military
functions" in protecting the nation's computer networks. Law 
enforcement agencies would be
under great temptation to expand the use of the information in 
pursuit of suspected criminals.
And the plan would put a new and powerful tool into the hands of the FBI.

Developing.

_
Reports are moved when circumstances warrant
(c)DRUDGE REPORT 1999
Not for reproduction without permission of the author
-BEGIN PGP SIGNATURE-
Version: PGP Personal Privacy 6.5.1

iQEVAwUBN55wKuX/Rf8MRjfTAQH2qQf/fi2ru8l5gv5zkJ0zXoMPaPX+27yavkeY
M0baGGRwFdhNxGt9RwWDZf4YZ36m6oZ4iF3BVM8+ujVByCtWUcP+Q1nDDmti/nZo
ob69QPEACe0Nxc2g7ODvtcpsp95JA7BzMXDrYC4ryZWFdOF2xpe7D/fMYDcrpHr8
Mcgq4GibDPoXvrRszDj/Wqpao/B1f/GYtwv2vKGi0Pke9mnNMxoRTdIooUai9Qa+
kjWFsoyMBuY+qPA98u9n6C0Xbrrt1+CHM2SNYSXVEXpckg+qEcpIq58mUlvH4GI5
Dq18a4zfaVk837V06ZbczGwg1RCaJhh/hWVOTNrYTTXSZ7clIziVHg==
=5A6h
-END PGP SIGNATURE-




To subscribe or unsubscribe, email:
  [EMAIL PROTECTED]
with the message:
  (un)subscribe ignition-point email@address

or (un)subscribe ignition-point-digest email@address

www.telepath.com/believer


--- end forwarded text


-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

Computer Monitoring System

1999-07-28 Thread Salzman, Noah 
Title: Computer Monitoring System





From the N.Y. Times web site:


---
July 28, 1999


U.S. Drafting Plan for Computer Monitoring System


By JOHN MARKOFF
The Clinton Administration has developed a plan for an extensive computer monitoring system, overseen by the Federal Bureau of Investigation, to protect the nation's crucial data networks from intruders. 

The plan, an outgrowth of the Administration's anti-terrorism program, has already raised concerns from civil liberties groups. 

A draft prepared by officials at the National Security Council last month, which was provided to The New York Times by a civil liberties group, calls for a sophisticated software system to monitor activities on nonmilitary Government networks and a separate system to track networks used in crucial industries like banking, telecommunications and transportation. 

---


the rest of the article can be found at:


http://www.nytimes.com/library/tech/99/07/biztech/articles/28compute.html

Re: depleting the random number generator -- repeated state

1999-07-28 Thread Arnold G. Reinhold 

At 3:22 PM -0700 7/27/99, Jon Callas wrote:
I built a PRNG that used an RC4 variant as John Kelsey said. The thing is
also actually very Yarrow-like. I modified it later to use a state array
512 long instead of 256 long, just so it would have a larger entropy pool.

When I added more entropy, I added entropy using the same basic algorithm
as RC4 key setup. The difference was that the S-array was not 0..256, but
whatever the state of the array was. You simply *don't* use the input
mechanism that Anonymous described.

I'll also note that the state-loop that Anonymous described can easily be
detected and corrected. Given that this is a PRNG, not a cipher,
predictability is not a requirement (although you can algorithmically
correct in a way that will still make it a cipher).

Someday, I need to update the Entropy Manager (as I called it) and
re-release it.

   Jon

I believe the input mechanism Anonymous described *is* the RC4 key setup
mechanism. In any case, I take Anonymous' remarks about the brittle nature
of RC4 very seriously. I wouldn't mess with it just to double the entropy
pool. If you think more entropy is needed, build a side buffer or run two
copies of RC4.

There is a lot to be said for using a known cryptographic object like RC4
to build other tools. It is very valuable to be able to translate any
imagined attack on the system your are proposing into an equivalant attack
on RC4. You then incorporate all past and future analysis of RC4 to your
system.

Anyway here is my latest nonce maker proposal, based on the thread so far
(in pseudocode):

private unsigned byte i, j, S[256]

mix(K) {
i = i + 1
j = j + S[i] + K
swap S[i] and S[j]
t = S[i] + S[j]
return S[t]
}

setup() {
i = j = 0
for m = 0 to 255 S[m] = m
for m = 1 to 256 mix(get_a_true_random_byte())
i = j = 0
for m = 1 to 256 mix(0)
}

deposit(string) {
prev = mix(0)
for m = 1 to length(string) prev = mix(string[m-1] xor prev)
i = j = 0
}

getnonce(length) {
bytestring nonce
deposit(current_time())
for m = 1 to length concatinate (nonce, mix(0))
return nonce
}

mix is equivalent to the RC4 setup loop. It is also the RC4 cipher loop if
K=0. The indicies i and j are reinitialized every time mix is run in setup
mode to keep out of the repeated state. All entropy deposits are
RC4-encoded to prevent any chosen-entropy attack.

You would call deposit at opportune times like key presses, mouse moves,
disk and network I/O. Because i and j are reset so often and because nonces
and deposits are likely to be short, the begining of the S arrray will get
more mixing than the rest of the array. Therefore, it might be desirable to
stir the S array throughly every so often, perhaps by calling mix(0)
repeatedly during idle time.


Arnold Reinhold

Re: US Urges Ban of Internet Crypto

1999-07-28 Thread William H. Geiger III 

In [EMAIL PROTECTED], on 07/27/99 
   at 09:17 PM, John Young [EMAIL PROTECTED] said:

use of the Internet to distribute encryption products 
will render Wassenaar's controls immaterial."

The bitch is getting a clue. :)

-- 
---
William H. Geiger III  http://www.openpgp.net
Geiger ConsultingCooking With Warp 4.0

Author of E-Secure - PGP Front End for MR/2 Ice
PGP  MR/2 the only way for secure e-mail.
OS/2 PGP 5.0 at: http://www.openpgp.net/pgp.html
Talk About PGP on IRC EFNet Channel: #pgp Nick: whgiii

Hi Jeff!! :)
---

Re: US Urges Ban of Internet Crypto

1999-07-28 Thread Dan Geer 

[Forwarded because no one has brought up this notion in a while. My
problem with it is that most people don't seem to like the 2nd
amendment any more so this can hardly help to popularize the cause. My
feeling is that the 4th and 5th amendments have more potential
protection in them. --Perry]

John, et al.,

In a moment of logic, as if that mattered,

WHEREAS
   By the declaration of the state, cryptographic capacity is a weapon, and
WHEREAS
   By the facts of use, cryptographic capacity is a personal weapon, and
WHEREAS
   The (US) Second Amendment denies the (US) federal government the
   authority to restrict personal weapons,
THEREFORE
   The right to bear crypto is a (US) constitutional right.

Of course, logic has nothing to do with it because the very
definition of politics is the art of making decisions based
on the manipulation of emotion, but I am, whether by choice
or by genotype, a man of logic and not of emotion, though I
am pissed off...

--dan

US Urges Ban of Internet Crypto

1999-07-28 Thread Eugene Leitl 

John Young writes:

  Nations do not control distribution of intangible items. While 
  I recognize that this issue is controversial, unless we address 
  this situation, use of the Internet to distribute encryption products 
  will render Wassenaar's controls immaterial."

I just love this sentence. So, let's create unenforcible legislation,
and then try to pave over all the world in the attempt to make reality
comply. Name's Janet Reno, huh? 

What's worse, the gullible Germans will probably heel.

Re: linux-ipsec: Re: TRNG, PRNG

1999-07-28 Thread John Denker 

At 08:02 PM 7/22/99 +0200, Anonymous wrote:
 That is:
   1a') When there is entropy in the pool, it [/dev/urandom]
 gobbles it all up before
 acting like a PRNG.  Leverage factor=1.  This causes other applications to
 stall if they need to read /dev/random.

This does not seem to be a big problem, and in fact is arguably the right
behavior.

What it means is, /dev/urandom provides the best quality random numbers
possible, given the entropy available.  

H.  People usually take the "minimax" approach to security analysis;
that is, we design our defenses assuming the opponents make their best
move.  Therefore I don't undestand the argument for using "best available"
bits.

ISTM that if a certain quality X+ is required, it should be required
always, unless proven otherwise.  To say it the other way, if a certain
quality X- suffices sometimes it should suffice always, unless proven
otherwise.  

In my case X- is the unreseeded PRNG behavior of /dev/urandom.  The
designers of linux-ipsec have evidently decided this is good enough,
because that's where they get key material.

In my application, many keys will be generated during conditions where the
TRNG has been totally depleted.  I must assume that attackers will know
this, and will be able to focus their attacks on those keys.

If you are telling me that the unreseeded PRNG is not good enough, then I
have deployed an insecure system.  That would be bad, and there would be no
way to fix it short of a hardware TRNG.

OTOH if the unreseeded PRNG *is* good enough, then it is wastefully selfish
for it to gobble up all the TRNG bits.  It is improper to assume that the
application that is gobbling up all the PRNG bits is the only application
running on this machine.  In my case there are other applications for which
one could make a very good argument that they need TRNG bits under
conditions when IPsec does not.

Also..


At 12:40 PM 7/22/99 -0700, bram wrote in part:

 In particular, consider the following reseeding schedule:
   a) Every N minutes...
   b) Every Z bits of PRNG output... 
   c) As soon as a quantum of TRNG material is available ...
 ... whichever comes *LAST*, and where N and Z are chosen to ensure a good
 leverage ratio.

a) and b) don't help much - the true answer is c).

One could argue (a) and (b) *do* add something -- they address the problem
that started this thread, namely the seemingly-needless depletion of the TRNG.

Right?

Re: depleting the random number generator -- repeated state

1999-07-28 Thread Jon Callas 

At 10:49 AM -0400 7/28/99, Arnold G. Reinhold wrote:

   I believe the input mechanism Anonymous described *is* the RC4 key setup
   mechanism. In any case, I take Anonymous' remarks about the brittle nature
   of RC4 very seriously. I wouldn't mess with it just to double the entropy
   pool. If you think more entropy is needed, build a side buffer or run two
   copies of RC4.

It doesn't double the entropy pool. It increases it from being order 256!
to being order 512!. Incidentally, the remarks about brittleness apply just
as much to a variant that is 9 bits wide as well as 8 bits wide. There are
certain states you don't want it to be in. Look for them. Compensate.

   There is a lot to be said for using a known cryptographic object like RC4
   to build other tools. It is very valuable to be able to translate any
   imagined attack on the system your are proposing into an equivalant attack
   on RC4. You then incorporate all past and future analysis of RC4 to your
   system.

I agree completely. But also read Schneier's remarks on wide variants of
RC4 -- which were my inspiration to use a wide variant. The math all works
the same, strengths and vulnerabilities.

[...]

   ... All entropy deposits are
   RC4-encoded to prevent any chosen-entropy attack.

  You would call deposit at opportune times like key presses, mouse moves,
   disk and network I/O. Because i and j are reset so often and because nonces
   and deposits are likely to be short, the begining of the S arrray will get
   more mixing than the rest of the array. Therefore, it might be desirable to
   stir the S array throughly every so often, perhaps by calling mix(0)
   repeatedly during idle time.

That's one of the places where we differ. I never directly add in entropy
deposits. I run a separate entropy pool that is hash-based, and
periodically tap that pool to update the secondary pool. I get really
nervous about adding entropy directly into a single pool. I also like to
capitalize on the properties of hash functions for prepping the entropy.

Jon

Re: depleting the random number generator -- repeated state

1999-07-28 Thread Arnold G. Reinhold 

At 2:51 PM -0400 7/28/99, Steven M. Bellovin wrote:
In message v04011701b3c4f4fbabb1@[24.218.56.100], "Arnold G. Reinhold"
writes
 I'd spin it the other way. The best approach to making nonces -- DH
 exponents, symetric keys, etc -- is to use a true source of randomness.
 That eliminates one area of risk. However most computers do not come with
 random number sources, so one uses unpredictable events and so on to glean
 entropy. To harvest that entropy you use a whitener. If you use a
 cryptographic function to do your whitening you get the added advantage of
 shielding the randomness pool from an attacker.

Define "best approach".

Perhaps I should have said "The best approach ... is to use a
*theoretically perfect* source of randomness." I tried to point out such
things don't exist and come to the same conclusion you do, namely  "A sound
design mixes both."

At 11:16 AM -0700 7/28/99, Jon Callas wrote:
At 10:49 AM -0400 7/28/99, Arnold G. Reinhold wrote:

   I believe the input mechanism Anonymous described *is* the RC4 key setup
   mechanism. In any case, I take Anonymous' remarks about the brittle nature
   of RC4 very seriously. I wouldn't mess with it just to double the entropy
   pool. If you think more entropy is needed, build a side buffer or run two
   copies of RC4.

It doesn't double the entropy pool. It increases it from being order 256!
to being order 512!.

Good point, but the ratio of log2(512!) to log2(256!) is only 2.3, a little
more than double the number of bits.  That's not worth leaving the
accumulated body of RC4 analysis, IMHO.

That's one of the places where we differ. I never directly add in entropy
deposits. I run a separate entropy pool that is hash-based, and
periodically tap that pool to update the secondary pool. I get really
nervous about adding entropy directly into a single pool. I also like to
capitalize on the properties of hash functions for prepping the entropy.

Can you say what you fear might happen if you directly add entropy
deposits? I don't see the problem.

Arnold Reinhold

Re: US Urges Ban of Internet Crypto

1999-07-28 Thread Phil Karn 

I recognize that this issue is controversial, unless we address 
this situation, use of the Internet to distribute encryption products 
will render Wassenaar's controls immaterial."

Gee, I thought Reinsch said it didn't matter that encryption software
was distributed on the Internet because nobody will trust anything
they download off the Internet... :-)

Trying to debate these people rationally is like trying to nail Jello
to a wall.

Phil