Re: Critics blast Windows 2000's quiet use of DES instead of 3DES

2000-05-17 Thread John Young

John Gilmore wrote:

There have been allegations that NSA influenced Microsoft's encryption
support (one reason that NSA could afford to relax export controls
could be that they've already subverted the highest volume US
products).  It's pretty well acknowledged that NSA did this to Crypto
AG's hardware products decades ago, and has been reading the traffic
of those who depended on those products.  An eavesdropper doesn't need
to break the encryption if they can break the user interface and make
it lie about whether it is really encrypting.

While John may be speculating about NSA subversion of strong crypto,
specific examples of this would be very helpful. Here are a few firms
for consideration as candidates for today's Crypto AGs besides Microsoft 
(meaning latest products, not those that have been suspected in the past):

Cylink
IBM
Lotus
TIS
RSA
PGP

Perhaps it would be fair to list all firms that are now exporting strong
crypto if John's speculation is accurate.

How to get any compromise out in the open is the question. Presumably, 
secrecy agreements or NDAs are in effect for any complicit firm and its 
employees. We've gotten a couple of anonymous letters recently about
Cylink but nothing on the others.

Duncan Campbell's exchanges with Microsoft have been squelched
by MS, but one final exchange is in the works which summarizes
what MS has publicly stated and what suspicions remain unanswered.
Similar queries in depth could be made to the other crypto exporters,
if for no other reason than to assure their foreign customers that they
can take and answer hard criticism. Otherwise, suspicions of
complicity may undermine credibility of all US crypto products.




RE: Critics blast Windows 2000's quiet use of DES instead of 3DES

2000-05-17 Thread Rodger, William

John Gilmore wrote:

 There have been allegations that NSA influenced Microsoft's encryption
 support (one reason that NSA could afford to relax export controls
 could be that they've already subverted the highest volume US
 products).


The FBI has been pretty blatant about their efforts, too. Both Microsoft and
FBI officials told me on background last year that the FBI wanted to be sure
MS included no encryption that wasn't easily broken.

Granted, neither side would go on the record. But the fact that both sources
told me they were willing to be cited as "company executives" and
"government officials" speaks volumes about the PR war the feds have been
waging.

Will Rodger             Voice +1 703 558 3375
Technology Reporter     Fax +1 703 558 3981
USATODAY.com
tech.usatoday.com
PGP: 584D FD11 3035 0EC2 B35C  AB16 D660 293F C7BE 3F62
  



VirtualBanking2000

2000-05-17 Thread R. A. Hettinga


--- begin forwarded text


From: Jay Mandevia [EMAIL PROTECTED]
To: "'[EMAIL PROTECTED]'" [EMAIL PROTECTED]
Subject: VirtualBanking2000
Date: Wed, 17 May 2000 18:35:55 +0100

Dear Robert,

RMR plc in partnership with the Chartered Institute of Bankers (CIB) have
just launched the first web-based conference in the banking industry
entitled VirtualBanking2000 (at www.virtualbanking2000.com). This web based
conference and resource centre is designed to attract a mass audience to
exchange ideas and receive presentations from leaders in the virtual
banking industry. The conference goes live on 18 September 2000 for two
weeks and will address the developing world of branchless banking.

RMR plc have run several successful web based conferences including
Environment97 (www.environment97.org) part of the Engineering Council's
2020 Vision, Safety98 (www.safety98.org), Aviation99 (www.aviation99.com)
and the hugely successful Autism99 (www.autism99.org) which attracted in
excess of 30,000 people and huge amounts of positive publicity. Two new
conferences will be run in May 2000 entitled ForBusiness2000
(www.ForBusiness2000.com) and EnergyResource2000
(www.EnergyResource2000.com).

Given your interest in the Banking Industry, RMR plc are pleased to invite
you to contribute a paper to the Security and Encryption sector of the
conference.

Listed below are the conference sectors.

Security and Encryption

Software

Service and Distribution Channels

Hardware and ATM's

Smart Cards

WAP

Call Centres

Revolutionary Banking

Legislation and Policy

Risk Management

All papers are at our invitation only and will attract a substantial amount
of interest from the invited audience.

The following pieces of information would be needed as soon as possible:

1. A paper title (no later than 15 June 2000)

2. An abstract (100 words) (no later than 15 June 2000)

3. A biography (50 words) (no later than 15 June 2000)

4. A head and shoulders photograph of the author(s) (no later than 15 June
2000)

The full papers (in the region of 3-4000 words) must be technically
oriented and not contain any content of a commercial nature. We need to
receive your contribution no later than 15 July 2000 - in order to finalise
and prepare the content for the conference.

If you would like to see further details, please take a moment to view our
online conference pack - www.virtualbanking2000.com/conferencepack.

I look forward to speaking with you later in the next few days.

Kind regards

Jay Mandevia

RMR Plc.
http://www.rmrplc.com/
WebConference Co-ordinator


Tel: +44 1865 733733
Fax: +44 1865 733777
Mail to: [EMAIL PROTECTED]







--- end forwarded text


-- 
-
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'




Re: Critics blast Windows 2000's quiet use of DES instead of 3DES

2000-05-17 Thread John Kelsey

-----BEGIN PGP SIGNED MESSAGE-----

At 02:41 AM 5/17/00 -0700, John Gilmore wrote:
 ...
 Microsoft didn't care
 about the actual security they provide their users ("Having at least
 some encryption is better than nothing" is wrong and dangerous,
 leading to a false sense of security when you are actually
 vulnerable).

I understand the sentiment behind this statement, and I would have
agreed a year ago, but I think this is wrong for most people's threat
models.  Having some not-trivially-breakable crypto is better than
nothing for preventing untargeted attacks, where someone's just
looking at the traffic that goes by, checking for anything
interesting.  That's honestly the right threat model for most people
to worry about.  

A targeted attack is different.  In that case, someone is willing to
spend real resources to read certain traffic you're sending or
receiving.  Those resources might be time on a DES cracker, or just
time on a network of desktop machines during off hours, cracking 40
bit RC4.  But the resources cost something, and that imposes a limit
on how many people can be targeted.  

Now, I totally agree, there's no good reason (other than stupid
export-control laws) to use breakable crypto when strong crypto will
work just as well.  But even relatively weak crypto, widely deployed,
would do an enormous amount to improve most people's privacy.  (Of
course, this is subject to all the obvious caveats about having a
false sense of security, vulnerability to eavesdropping twenty years
from now, of recorded messages, etc.)  

 ...
 There have been allegations that NSA influenced Microsoft's
 encryption support (one reason that NSA could afford to relax export
 controls could be that they've already subverted the highest volume
 US products).  It's pretty well acknowledged that NSA did this to
 Crypto AG's hardware products decades ago, and has been reading the
 traffic of those who depended on those products.  An eavesdropper
 doesn't need to break the encryption if they can break the user
 interface and make it lie about whether it is really encrypting.

Maybe, but if you can dumb down the crypto someone's using, why dumb
it down to 56 bits (which is too short, but still a lot of work to
break)?  Why not dumb down the PRNG, or make the thing leak key bits
in its IV, or something?  I mean, once you are in a position to
weaken someone's crypto, why settle for 56 bits, rather than leaving
them with no security at all against your eavesdroppers, or some
trivial amount.  You could make this really subtle; maybe you always
generate 128-bit outputs from your PRNG, and use the first 64 bits as
IV and the second as a DES key (ignoring parity bits).  You could
make the second 64 bits a function of (say) 16 random bits and the
first 64 bits, and I suspect you could do this, with some PRNG
constructions, in a way that would be *very* hard to see in the code.
(Keys still have full entropy if looked at by themselves, and key,IV
pairs have 80 bits of entropy, so you need to examine about 2^{40}
key,IV pairs to detect this in a straightforward test.)

I guess one possibility is that you might want to just make sure you
can brute-force interesting traffic.  Another possibility is that
you're counting on interaction between the dumbing-down; the PRNG has
about 1/2 bit of entropy per bit of output, plus you use single-DES,
thus you can break the thing with 2^{28} work, while attackers who
haven't analyzed the PRNG have to do 2^{56} work.  Still another is
that this is just another example of Microsoft not being particularly
interested in security, as opposed to impressive-looking feature
lists, shipping the product on time, fixing most of the visible bugs,
etc.  At some point, it's impossible to distinguish incompetence,
malevolence, or simple lack of interest in security.  

   John

- --John Kelsey, [EMAIL PROTECTED]

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.1 Int. for non-commercial use
http://www.pgpinternational.com
Comment: foo

iQCVAwUBOSLYsiZv+/Ry/LrBAQG8nwP9FucP/1HrXgxlILoFlI/sWFbgUpbfgm8n
iyW1GeQpyvVqOjj9qy+0VVOiaA3jH3NoSOIBtTv3yY9hibPn8RY62BbquCCCt63l
mOysZa/nCg28+rT7pJk/Y+FngAW4p4d79ICdryMvaLRSlXSdnCPbftfjzjGb2CCL
gVkg1kRHbRY=
=eKQc
-----END PGP SIGNATURE-----
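Kelsey's point that keys can look full-entropy on their own while the (key, IV) pair has far less joint entropy than its length suggests is something an auditor can test for with a distinct-count (birthday) check, and the post's 2^{40} figure is exactly that bound at 80 bits. The script below is an added example, not code from Kelsey or from this thread. It scales the construction down so the test finishes in seconds: 12-bit IVs, 12-bit keys and 4 hidden random bits are assumed parameters (the post discusses 64/64/16), and a truncated SHA-256 stands in for the unspecified "function of the IV and a few random bits". An honest generator shows about 24 bits of joint entropy; the dependent one shows about 16, while the per-component estimates for both come out near 12, which is why looking at keys alone does not catch it.

```python
"""Distinct-count (birthday) entropy audit of (key, IV) pairs.

Added example; scaled-down parameters are assumptions, not the sizes in the post.
"""
import hashlib
import random

IV_BITS = 12       # assumed; the post discusses a 64-bit IV
KEY_BITS = 12      # assumed; the post discusses a 64-bit DES key
HIDDEN_BITS = 4    # assumed; the post discusses 16 fresh bits
SAMPLES = 4096     # about 2^(joint_bits/2) for the dependent generator


def _trunc_hash(data: bytes, bits: int) -> int:
    """Truncated SHA-256, standing in for the unspecified key-derivation function."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") & ((1 << bits) - 1)


def honest_pair(rng: random.Random):
    """Key and IV drawn independently: joint entropy is KEY_BITS + IV_BITS."""
    return rng.getrandbits(KEY_BITS), rng.getrandbits(IV_BITS)


def dependent_pair(rng: random.Random):
    """Key is a function of the IV plus HIDDEN_BITS fresh bits: joint entropy
    is only IV_BITS + HIDDEN_BITS, although each key by itself looks uniform."""
    iv = rng.getrandbits(IV_BITS)
    r = rng.getrandbits(HIDDEN_BITS)
    key = _trunc_hash(iv.to_bytes(2, "big") + bytes([r]), KEY_BITS)
    return key, iv


def expected_distinct(n: int, entropy_bits: float) -> float:
    """E[#distinct values] for n draws from 2^H equiprobable values."""
    m = 2.0 ** entropy_bits
    return m * (1.0 - (1.0 - 1.0 / m) ** n)


def entropy_from_distinct(n: int, distinct: int, max_bits: float = 48.0) -> float:
    """Invert expected_distinct by bisection to estimate H from an observed count."""
    lo, hi = 0.0, max_bits
    for _ in range(100):
        mid = (lo + hi) / 2
        if expected_distinct(n, mid) < distinct:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def audit(make_pair, n: int = SAMPLES, seed: int = 1) -> dict:
    """Sample n (key, IV) pairs and estimate per-component and joint entropy."""
    rng = random.Random(seed)  # deterministic sample for a repeatable audit
    pairs = [make_pair(rng) for _ in range(n)]
    keys = [k for k, _ in pairs]
    ivs = [v for _, v in pairs]
    return {
        "key_bits": entropy_from_distinct(n, len(set(keys))),
        "iv_bits": entropy_from_distinct(n, len(set(ivs))),
        "joint_bits": entropy_from_distinct(n, len(set(pairs))),
        "joint_collisions": n - len(set(pairs)),
    }


def looks_dependent(report: dict, claimed_joint_bits: float = KEY_BITS + IV_BITS,
                    slack_bits: float = 2.0) -> bool:
    """Flag a generator whose joint entropy falls well short of what it claims."""
    return report["joint_bits"] < claimed_joint_bits - slack_bits


if __name__ == "__main__":
    for name, gen in (("honest", honest_pair), ("dependent", dependent_pair)):
        rep = audit(gen)
        verdict = "DEPENDENT" if looks_dependent(rep) else "ok"
        print(name, {k: round(v, 2) for k, v in rep.items()}, verdict)
```

The sample size is the whole story: 2^12 pairs is past the birthday bound for 16 bits of joint entropy, so collisions pile up for the dependent generator, while an honest 24-bit joint distribution yields essentially none. At the sizes in the post the same test needs on the order of 2^40 pairs before it sees anything, which is the cost Kelsey quotes.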





Microsoft Condoms (may have pinholes) (Re: Critics blast Windows 2000's quiet use of DES instead of 3DES)

2000-05-17 Thread David Honig


A condom with an invisible hole is worse than no condom.

At 12:37 PM 5/17/00 -0500, John Kelsey wrote:
 Having some not-trivially-breakable crypto is better than
 nothing for preventing untargeted attacks, where someone's just
 looking at the traffic that goes by, checking for anything
 interesting.  That's honestly the right threat model for most people
 to worry about.

Fine, but the user must be *aware* of their flimsy door locks.  Lest they
act as if they had strong protection, and leave something valuable
around.  This is why MS is negligent (intentionally or accidentally). 
Unlike metal locks, Joe User can't tell whether he's got a cheap toy or a
serious security system.  (Oh yes--- an entry in a log.  How nice.)
Unlike the metal-lock world, with bit-theft, you'll never know you've been
ripped off.  

 A targeted attack is different.  In that case, someone is willing to
 spend real resources to read certain traffic you're sending or
 receiving.

But if you're using encryption, you must be doing something *interesting*,
and your message is worth reading off line.  And maybe initiate some traffic
analysis on you and your correspondents while waiting for the Bombe to finish.

This "crypto=interesting" principle is valid until most net traffic is
encrypted.   (This is a complement of the "why use crypto? what have you to
hide?" fallacy.)

Giving out free condoms with pinholes is.. criminally negligent.
So is (effectively) silently degrading to 1DES.  Microsoft is giving
condoms with pinholes to teenagers (the cryptonaif public).  S/WAN
is wisely checking for porosity first, and refusing to tango.

(One could imagine a really amusing 101 billboard using this metaphor..)

IMHO



House commerce committee votes to ban radio-decryption gear

2000-05-17 Thread Declan McCullagh



http://www.wired.com/news/politics/0,1283,36401,00.html

House Reps Ban Wireless Decoding
by Declan McCullagh ([EMAIL PROTECTED])

3:30 p.m. May. 17, 2000 PDT
WASHINGTON -- Americans may no longer buy radio receivers that decode PCS
cellular or pager transmissions, a House panel said Wednesday.

The House Commerce Committee also voted to make it a crime to sell electronic
gadgets that can "decode encrypted radio transmissions for the purposes of
unauthorized interception."

The criminal penalties, which were attached to a tax harmonization bill, 
expand existing law, which already bans the sale of devices that can 
intercept analog cellular conversations.

[...]





Re: Critics blast Windows 2000's quiet use of DES instead of 3DES

2000-05-17 Thread Dennis Glatting



"L. Sassaman" wrote:
 
  If a Microsoft user configures 3DES protection and tries to connect it
  a Linux FreeS/WAN box, the negotiation will fail -- with at least the
  Linux side reporting that they couldn't agree.
 
 Frankly, I can't understand why the IPsec protocol still allows DES. It
 should require strong encryption. Having DES in a product these days makes
 about as much sense as mandating the usage of ROT13.
 

We are waiting for AES.




Re: Critics blast Windows 2000's quiet use of DES instead of 3DES

2000-05-17 Thread Dennis Glatting



"L. Sassaman" wrote:
 
 PGP's source code has always been available for public review. This has
 not changed. There are no "back doors" for the NSA in PGP, and PGP has
 never supported weak (under 128 bit) encryption, and never will.
 

Who's PGP? Last I looked PGP Inc. was owned by Network Associates, a
key recovery alliance member.