Re: stego fingerprints

2001-02-20 Thread Russell Nelson

David Honig writes:
  Similarly, stego'ing an .mp3 ripped from a CD is a bad idea;
  stego'ing a .mp3 you made from a signal that was analogue at some
  point works.

Every algorithm is deterministic, but different algorithms will
produce different results.  And there is no "standard" algorithm for
mp3 encoding.  It might be suspicious if the TLA found an mp3 which
was encoded using no known algorithm.  A sensible cryptographer would
treat each tune as a one-time pad.  A "stego" mp3 encoder could encode
using a qualified random stream of bits by default, or a crypto stream
for an encoded message.  If this encoder was widely distributed, then
you'd have somewhere to hide crypto.  However if it wasn't, then
you're tagging your messages "THIS IS HIDDEN ENCRYPTION".

There's enough random bits flying around the net that there's no point 
in doing that.

-- 
-russ nelson [EMAIL PROTECTED]  http://russnelson.com
Crynwr sells support for free software  | PGPok | "This is Unix...
521 Pleasant Valley Rd. | +1 315 268 1925 voice | Stop acting so helpless."
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | --Daniel J. Bernstein




Re: Is PGP broken?

2000-12-03 Thread Russell Nelson

Bram Cohen writes:
  Not that I'm going to propose a new standard or even modifications to old
  ones - there are already too many of those, the problem is making one of
  them acceptable, or develpoing a new one which has a good chance of
  getting universal support.

Have you looked at CryptoKong?  http://catalog.com/jamesd/Kong/Kong.htm

--digsig
 Russ Nelson
 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
 BSvaK4MOZ2HQvr15n12Wn//srJ0bGg0SBsjB0i7z
 9DzVhXhT9dtOvXQsvNgW9fxxzbg1MahNdUf/jGDb

-- 
-russ nelson [EMAIL PROTECTED]  http://russnelson.com | If I knew the
Crynwr sells support for free software  | PGPok | destination of the
521 Pleasant Valley Rd. | +1 315 268 1925 voice | handbasket, I never would
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | have gotten into it!




Re: Is PGP broken?

2000-12-02 Thread Russell Nelson

Stefan Kelm writes:
  BTW, what do you mean by "point-source PGP signing"?

Instead of leaving your key signing up to your friends, PGP could
benefit from a policy-based signature.  You could come up with any
number of policies:
  o This keyholder is a Mason/Scout/Rotarian.
  o This keyholder is a Catholic/Mormon/Lutheran/Quaker.
  o This keyholder paid $X to sign their key (where X is a number large
enough that key abandonment has consequences).
  o This keyholder has $Y in escrow, to be paid out under some
circumstances.
  o This keyholder has identified themselves to a Notary Public.  A
photocopy of the identification is on file.
  o And last but not least: this keyholder publishes their key's
signature weekly in the Sunday New York Times.

-- 
-russ nelson [EMAIL PROTECTED]  http://russnelson.com | If I knew the
Crynwr sells support for free software  | PGPok | destination of the
521 Pleasant Valley Rd. | +1 315 268 1925 voice | handbasket, I never would
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | have gotten into it!




Is PGP broken?

2000-11-28 Thread Russell Nelson

Is it just me, or is PGP broken?  I don't mean any particular version
of PGP -- I mean the fact that there are multiple versions of PGP
which generate incompatible cryptography.  Half the time when someone
sends me a PGP-encrypted message, I can't decrypt it.  Presuming that
I'm right, is anyone attempting to fix PGP?

Not to mention anything about PGP keyservers, or the utter and
complete absence of anybody doing point-source PGP signing.

-- 
-russ nelson [EMAIL PROTECTED]  http://russnelson.com
Crynwr sells support for free software  | PGPok | The best way to help the poor
521 Pleasant Valley Rd. | +1 315 268 1925 voice | is to help the rich build
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | up their capital.




The best

2000-09-12 Thread Russell Nelson

If the best is the enemy of the good, is strong crypto the enemy of
all other crypto?  Just something to ponder...

-- 
-russ nelson [EMAIL PROTECTED]  http://russnelson.com |
Crynwr sells support for free software  | PGPok | Damn the firewalls!
521 Pleasant Valley Rd. | +1 315 268 1925 voice | Full connectivity ahead!
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | 




Re: DeCSS and imminent harm ...

2000-09-01 Thread Russell Nelson

James A. Donald writes:
  It is a test of will and power.  Kaplan took offense at the widespread 
  attitude that such an act was beyond the power of a judge, that judges not 
  only should not censor thei internet, but that they *could* not censor the 
  internet, that the internet was stronger than the judiciary.

He's welcome to take offsense.  He's even welcome to take action.  But 
in the end, has he been successful?  Will he ever be successful?  What 
are the minimum qualifications necessary to get your hands on a copy
of DeCSS?  By the time this is all over, and the issue has been
decided, DeCSS will be available in a thousand different places and a
thousand different formats.

For example, I'm openly publishing a copy of DeCSS on my home page.
How stupid do you have to be to not "get it"?

For example, one of these days, some popular artist's CD is going to
come with a bonus load of bits.  After it's been a million-seller, the
activist is going to explain how to extract files from songs.  No
longer will you need to play a vinyl disk backwards to get the secret
message.  What do you try to suppress?  The CD?  Not possible.  The
information on how to extract?  It'll be nothing more than a 1024-bit
number.  So now the government declares posession of a number illegal.

And there is *nothing* any judge can do about it.  Governments have
a binary (I love the irony of it) choice: give up the economic
benefits of digital medium, or give up legal restrictions on
distribution of information.

-- 
-russ nelson [EMAIL PROTECTED]  http://russnelson.com |
Crynwr sells support for free software  | PGPok | Damn the firewalls!
521 Pleasant Valley Rd. | +1 315 268 1925 voice | Full connectivity ahead!
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | 




Re: reflecting on PGP, keyservers, and the Web of Trust

2000-09-01 Thread Russell Nelson

Ed Gerck writes:
  Even though the web-of-trust seems to be a pretty good part of PGP,
  IMO it is actually it's Achilles heel.

Nope.  Usability is its Achilles heel.  PGP needs to be wrapped in
something, and yet it's not really designed to be wrapped.  Even if it
were, PGP, Inc. changed the interface!  Doh!  And then there's the
whole encryption method problem.

No, web-of-trust as a problem is way down there on the list.

-- 
-russ nelson [EMAIL PROTECTED]  http://russnelson.com |
Crynwr sells support for free software  | PGPok | Damn the firewalls!
521 Pleasant Valley Rd. | +1 315 268 1925 voice | Full connectivity ahead!
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | 




Re: Comcast@Home bans VPNs

2000-08-19 Thread Russell Nelson

Ian Brown writes:
  ... subscribers to agree not to use the service as a means to create a VPN.

Could someone describe to me (in my ignorance) the problem this rule
is intended to solve?

-- 
-russ nelson [EMAIL PROTECTED]  http://russnelson.com  | If you think 
Crynwr sells support for free software  | PGPok | health care is expensive now
521 Pleasant Valley Rd. | +1 315 268 1925 voice | now, wait until you see
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | what it costs when it's free. 




Re: Electronic Signatures Yield Unpleasant Surprises

2000-06-28 Thread Russell Nelson

Don Davis writes:
  if we are successful in making crypto that's usable enough to
  become pervasive, then industry and the public will need new
  laws to help resolve social conflicts involving crypto, such
  as inevitably will arise.

I'm not sure this statement is as obvious as you think it is.
Legislation could help, or it could hurt.  Unrealistic,
unimplementable legislation enacted through ignorance might hurt less
than well-informed legislation.

Case law tends to be more reflective of reality, and there's becoming
more of that.

-- 
-russ nelson [EMAIL PROTECTED]  http://russnelson.com
Crynwr sells support for free software  | PGPok | 
521 Pleasant Valley Rd. | +1 315 268 1925 voice | Is Unix compatible with
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | Linux?




Re: KeyGhost

2000-06-22 Thread Russell Nelson

Lyle Seaman writes:
  What I really want is a keyboard with a slight variation -- not a
  KeyGhost but a KeySpook.

If you have no physical security, you have no computer security.  I
can't think of any qualifiers to add to that statement.

-- 
-russ nelson [EMAIL PROTECTED]  http://russnelson.com
Crynwr sells support for free software  | PGPok | 
521 Pleasant Valley Rd. | +1 315 268 1925 voice | Is Unix compatible with
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | Linux?




good cellphone hacking press

2000-05-25 Thread Russell Nelson

The May 1 issue of America's Network (http://www.americasnetwork.com)
has some nice press for cryptography in its Wireless column.  The
title is "Hacked again!" and the subtitle is "Another cellular
algorithm has bitten the dust at the hands of cryptographers armed
with little more than a PC.  The industry says there's no cause for
alarm, but the cryptography community still says otherwise."

http://www.americasnetwork.com/issues/2000issues/2501/2501_hacked.htm

-- 
-russ nelson [EMAIL PROTECTED]  http://russnelson.com
Crynwr sells support for free software  | PGPok | "Ask not what your country
521 Pleasant Valley Rd. | +1 315 268 1925 voice | can force other people to
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | do for you..."  -Perry M.




Re: Critics blast Windows 2000's quiet use of DES instead of 3DES

2000-05-18 Thread Russell Nelson

L. Sassaman writes:
  PGP's source code has always been available for public review. This has
  not changed. There are no "back doors" for the NSA in PGP,

paranoiaUnless they are particularly subtle ones, based on a mathematical
understanding that is not yet publicly known.  Remember that the NSA
knew about differential cryptanalysis well before anyone else.  Times
have changed, but maybe less than we think./paranoia

-- 
-russ nelson [EMAIL PROTECTED]  http://russnelson.com
Crynwr sells support for free software  | PGPok | "Ask not what your country
521 Pleasant Valley Rd. | +1 315 268 1925 voice | can force other people to
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | do for you..."  -Perry M.




Re: hiding plaintext

2000-03-03 Thread Russell Nelson

Bill Stewart writes:
  At 02:54 PM 03/01/2000 -0500, Russell Nelson wrote:
  The essence of the above algorithm (let's call it BP1, for Buried
  Plaintext 1) is to force the decryption trial to be iterated until the
  buried plaintext is found.  It means that the decryption engine needs
  to have the full crypttext available to it.  If you can decrypt a
  message in N steps, then using BP1 with half random data forces you to
  do N*2 steps, where the steps themselves are more complicated.  The
  storage requirements are higher, as are the data transfer pathways.
  
  I'm not convinced that this is a big win compared to CBC with a random IV,
  which also forces the cracker to crank the crypto step an extra time.
  For many popular crypto algorithms, such as N-DES, Blowfish, even RC4,
  the key scheduling takes more time than cranking the algorithm
  (though there are ways to avoid that with 1-DES),
  and you know that once you find a SOT, that's the starting point,
  though if you've got the wrong key, 1/256 bytes will be SOT.

Yes, but you're tying up a decryptor for that much more time.
Cryptography is more about economics than anything else.  You want to
do things which cost the cryptanalyst more than they cost you,
preferably as many multiples more as you can manage.

But now I'm agreeing with you that there are probably other algorithms
which are more profitable to you.  That is, they have a higher
multiplier -- for a given amount of effort spent, they generate more
work for the cryptanalyst than anything else.  And realistically, that
translates into key length more than anything else.

Perhaps HP1 is best used to pad messages while creating the least
possible known plaintext.

-- 
-russ nelson [EMAIL PROTECTED]  http://russnelson.com
Crynwr sells support for free software  | PGPok | "Ask not what your country
521 Pleasant Valley Rd. | +1 315 268 1925 voice | can force other people to
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | do for you..."  -Perry M.



hiding plaintext

2000-03-01 Thread Russell Nelson

One could increase the difficulty of decryption by three or four
doublings by intermixing random data with plaintext in a message.
Here's the least stupid method I can think of: the first character in
a message is the start of text (SOT) character.  The second character
in a message is the end of text (EOT) character.  The message itself
consists of random data intermixed with plaintext prefixed by SOT and
suffixed with EOT.  An EOT outside of plaintext stands for itself.  An
SOT inside plaintext stands for itself.  This method can encode
arbitrary plaintext.  By implication, the random data does not contain
an SOT nor EOT.

Instead of being able to look at a fixed point in the encrypted text
for plain text, it's necessary to examine the entire text.  The
cryptanalyst gets a clue that they should continue if they look at
enough of the random text without finding SOT or EOT characters.  They
get a clue they should stop if the first two characters are identical,
but that's only 1/256 probability.

This mainly serves to increase the complexity and expense of
decryption engines.

-- 
-russ nelson [EMAIL PROTECTED]  http://russnelson.com
Crynwr sells support for free software  | PGPok | No intellectual property
521 Pleasant Valley Rd. | +1 315 268 1925 voice | rights were harmed in the
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | creation of this message.



Re: hiding plaintext

2000-03-01 Thread Russell Nelson

Eric Murray writes:
  On Tue, Feb 29, 2000 at 11:14:31AM -0500, Russell Nelson wrote:
   One could increase the difficulty of decryption by three or four
   doublings by intermixing random data with plaintext in a message.
   Here's the least stupid method I can think of: the first character in
   a message is the start of text (SOT) character.  The second character
   in a message is the end of text (EOT) character.  The message itself
   consists of random data intermixed with plaintext prefixed by SOT and
   suffixed with EOT.  An EOT outside of plaintext stands for itself.  An
   SOT inside plaintext stands for itself.  This method can encode
   arbitrary plaintext.  By implication, the random data does not contain
   an SOT nor EOT.
  
  I assume that you do this before encryption. 

Yes.

  Wouldn't compressing the plaintext before encryption have the same effect?

Only if you use a secret compression system.  Otherwise the structure
of your compression system still exists as a known plaintext.  You
could (probably should) compress your plaintext before running it
through the above algorithm.

The essence of the above algorithm (let's call it BP1, for Buried
Plaintext 1) is to force the decryption trial to be iterated until the
buried plaintext is found.  It means that the decryption engine needs
to have the full crypttext available to it.  If you can decrypt a
message in N steps, then using BP1 with half random data forces you to
do N*2 steps, where the steps themselves are more complicated.  The
storage requirements are higher, as are the data transfer pathways.

-- 
-russ nelson [EMAIL PROTECTED]  http://russnelson.com
Crynwr sells support for free software  | PGPok | "Ask not what your country
521 Pleasant Valley Rd. | +1 315 268 1925 voice | can force other people to
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | do for you..."  -Perry M.



Re: ZKS hires Brands, licenses patents

2000-02-23 Thread Russell Nelson

lcs Mixmaster Remailer writes:
  Have their been other open source projects which used patented technology
  owned by the company releasing the source?  How has the licensing been
  handled in those cases?

Basically, "You get a license for this patented algorithm only if you
use this source code."  Details are at http://opensource.org/licenses/

-- 
-russ nelson [EMAIL PROTECTED]  http://russnelson.com
Crynwr sells support for free software  | PGPok | "Ask not what your country
521 Pleasant Valley Rd. | +1 315 268 1925 voice | can force other people to
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | do for you..."  -Perry M.
 ^gratuitious moderator suck-up^



Coerced decryption?

2000-02-11 Thread Russell Nelson

Caspar Bowden writes:
  And, as a result, the Bill proposes that the police or the security services
  should have the power to force someone to hand over decryption keys or the
  plain text of specified materials, such as e-mails, and jail those who
  refuse.

Nobody's mentioned the possibility of an encryption system which
always encrypts two documents simultaneously, with two different keys:
one to retrieves the first (real) document, and the second one which
retrieves to the second (innocuous) document.

With such a system, it should be clear that coercing decryption has
the same negative attributes as coercing self-incrimination.

As an aside, why hasn't anybody mentioned this before?  It seems
obvious to me.  Am I some sort of supergenius or something (more
likely the latter, in my experience!)?  Or is there an information
source that I'm missing out on?  Are people saying things about
cryptography that don't make it to [EMAIL PROTECTED]?

-- 
-russ nelson [EMAIL PROTECTED]  http://russnelson.com
Crynwr sells support for free software  | PGPok | "Ask not what your country
521 Pleasant Valley Rd. | +1 315 268 1925 voice | can force other people to
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | do for you..."  -Perry M.



Re: The problem with Steganography

2000-01-27 Thread Russell Nelson

Ben Laurie writes:
  If you want a lot of people to see it, you can't keep it secret. If you
  can't keep it secret, you may as well just come out with it and publish
  the bits without stego.
  
  What did I miss?

It depends on how hostile the regime is.  If you want to publish
something but the publishing process itself is risky, you could
publish it stego'd after running it through something pseudo-random,
e.g. the low bits of a particular song.  Hmmm  I think I'm
thinking... my brain is starting to swell... I'm starting to come up with
something.

Just as PGP doesn't use a public key algorithm to encrypt, but instead
to encrypt a private-key-encryption key, you wouldn't use low-bit
stego to hide the data, you'd use it to say which *other* stream of
random bits had been used to exclusive-or the actual encrypted data.
If the set of random (low) bits came from the same type of data
stream, then the statistics would be the same.  So you use 1 out of
every 1024 bits to create a number, and the number selects a
particular archived piece of data, and then ... and then

Sigh.  But here we run into security by obscurity.  This only works if 
the algorithm to select the other audio stream is not published.  As
soon as you publish it, someone can de-randomize, or de-color the
data, and see that you have non-statistically-correct data hidden.

What you'd need to do is have an algorithm which takes in a whole big
pile of bits, and depending on the recipient's private key, selects
some of them for decryption.  In this manner, you make the problem of
detecting the stego computationally equal to decrypting the data.

-- 
-russ nelson [EMAIL PROTECTED]  http://russnelson.com
Crynwr sells support for free software  | PGPok | "Ask not what your country
521 Pleasant Valley Rd. | +1 315 268 1925 voice | can force other people to
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | do for you..."  -Perry M.



A big safe source of random (colored) bits

2000-01-27 Thread Russell Nelson

Okay, here's something I've been thinking of for a while.  Run a
political discussion mailing list which mails audio files back and
forth.  This list, at least in the US, would enjoy the highest
Constitutional protection.  However, you'd never know if the low bits
of the audio stream have been tampered with or not.  In fact, you'd
actually *presume* that they had been.

Assuming you had effective stego, anyway.  As Rick points out, we
don't have any such.

-- 
-russ nelson [EMAIL PROTECTED]  http://russnelson.com
Crynwr sells support for free software  | PGPok | "Ask not what your country
521 Pleasant Valley Rd. | +1 315 268 1925 voice | can force other people to
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | do for you..."  -Perry M.



Re: The problem with Steganography

2000-01-26 Thread Russell Nelson

David Honig writes:
  At 03:20 PM 1/25/00 -0500, Russell Nelson wrote:
  
  I'm trying to do forward stego -- that is, publish some encrypted
  steganographic document, with the idea that, once everyone has a copy,
  *then* you reveal the key.
  
  Fascinating, captain.  Canna imagine why.

Blackmail?  But you don't really need stego for that.  You could just
send a private-key-encoded file to a list of friends, saying "Please
keep this until mm/dd/yy.  I may send you the key later."  Run a
watchdog process somewhere which checks a certain newsgroup for a
crypto-signed timestamped message.  If it fails to see the message, it 
sends the key to your list of friends.

You could also use it for "Oh, by the way, that gzipped file of the
Linux kernel that you downloaded, that's mirrored all over everywhere?
It's made with certain sub-optimal compressions.  If you run it
through this program, it will produce a copy of the DeCSS code."

If you wanted to be really clever, you'd bury it inside some
government document, so you could at least obfuscate the prosecution
with claims of First Amendment rights.

But that's not stego either, whether the document is encrypted or not,
because you're adding bits, not replacing relatively random bits.

  Problem is, how do you convince them to keep a copy of that
  document if they're unaware that it has something buried inside
  it??
  
  Now you're into psychology.

Yup.  And I'm certainly (obviously not) competent at that.

-- 
-russ nelson [EMAIL PROTECTED]  http://russnelson.com
Crynwr sells support for free software  | PGPok | "Ask not what your country
521 Pleasant Valley Rd. | +1 315 268 1925 voice | can force other people to
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | do for you..."  -Perry M.



Re: The problem with Steganography

2000-01-25 Thread Russell Nelson

lcs Mixmaster Remailer writes:
   The problem with Steganography is that there's basically no way to
   clue people in to it's location without clueing everyone into it.
  
  Encryption is successful if the attacker can't find information about the
  plaintext without the key.  Ideally, he can't answer questions about the
  plaintext any better with access to the ciphertext than without.

I'm trying to do forward stego -- that is, publish some encrypted
steganographic document, with the idea that, once everyone has a copy,
*then* you reveal the key.  Problem is, how do you convince them to
keep a copy of that document if they're unaware that it has something
buried inside it??

In this particular case, there is no crypto -- it's completely
security-by-obscurity.  I've published the burial algorithm, or at
least sent it to the maintainer of the software.  Haven't written the
retrieval algorithm yet, so in a sense the "key" is still secret.  But
only 33 people sucked down a copy.

Maybe I should have buried it inside a pornographic picture?  :)

-- 
-russ nelson [EMAIL PROTECTED]  http://russnelson.com
Crynwr sells support for free software  | PGPok | "Ask not what your country
521 Pleasant Valley Rd. | +1 315 268 1925 voice | can force other people to
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | do for you..."  -Perry M.



Re: Export control of Java VM ??

1999-12-02 Thread Russell Nelson

Ron Rivest writes:
  (*) A Post tag system has a number of rewrite rules of the form
   L_i -- R_i
  where L_i and R_i are strings over some alphabet (e.g. binary).
  As long as the prefix of the input matches some L_i, that
  L_i is removed from the beginning of the input, and the
  replacement R_i is added to the end of the input.  

You mean like:

#!/usr/bin/perl
# usage: post-tag '01--02' '002--3'
# tests: 01 002 010 00201

while($_=shift) {
  die unless m/(.*)--(.*)/;
  push(@L, $1);
  push(@R, $2);
}
while() {
  chomp;
  do {
for($i=0; $i  @L; $i++) {
  $l=$L[$i];
  $r=$R[$i];
  print "$_ trying $l--$r\n";
  last if s/^$l(.*)/$1$r/;
}
  print "$_ restarting\n" if ($i  @L);
  } while ($i  @L);
  print "$_\n";
}

-- 
-russ nelson [EMAIL PROTECTED]  http://russnelson.com
Crynwr sells support for free software  | PGPok | Government schools are so
521 Pleasant Valley Rd. | +1 315 268 1925 voice | bad that any rank amateur
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | can outdo them. Homeschool!



RE: Two Observations on the IETF Plenary Wiretap Vote

1999-11-15 Thread Russell Nelson

lcs Mixmaster Remailer writes:
  Lucky Green [EMAIL PROTECTED] writes:
  
   Over the years, using Wei Dai's term Pipenet (or Pipe-net, as it was spelled
   originally) has firmly been established as denotating an anonymous IP
   network that uses constant or otherwise data independent "pipes" between the
   nodes of the network. Since Freedom uses link padding, I would consider
   Freedom a Pipenet.
  
   It has been the recognition that data-independent traffic flows are a
   necessary design component of a secure anonymous IP network, especially
   between the end-user and the first network node, that sets Pipenet designs
   apart from naive implementations such as the first generation Onion Routers
   and Crowds.
  
  This documentation would apparently be consistent with the use of link
  padding between the nodes of the network but not between the user's
  machine and the node where it enters the network.  As Lucky points
  out, padding from the end-user to the first network node is important.
  We need a clear description of the Freedom architecture which answers
  this question.

I utterly fail to see what's wrong with mixmaster, other than the fact
that the sole implementation is no longer supported.  The concept
seems fine, it's just the implementation that's lacking.  If I had
anything resembling copious spare time, I'd take it over, and write a
Windows version as well.

-- 
-russ nelson [EMAIL PROTECTED]  http://russnelson.com
Crynwr sells support for free software  | PGPok | Government schools are so
521 Pleasant Valley Rd. | +1 315 268 1925 voice | bad that any rank amateur
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | can outdo them. Homeschool!



Re: PGPphone sources released.

1999-11-13 Thread Russell Nelson

Ted Lemon writes:
  
   Apparently the sources to PGPphone have been released (after many
   years). See:
  
  According to that message, the license is not an open source license,
  though, so this is unfortunately not very exciting.   :'(

Right.  However, you are free to download the source code, and you are
free to distribute patches.  You just don't have any permission to
distribute the code, or derived versions (e.g. code with patches
applied, or binaries).  Unfortunately, this means that we have to rely
on NAI's continued distribution of the code, and users will be limited 
to those who can download, patch, and compile the code.

Yes, it would be better if NAI distributed the sources under some sort 
of open source license.  A number of open source licenses may be found 
at http://opensource.org/, not all of them unfriendly to business
interests.

SpeakFreely (http://www.speakfreely.org) is already open source, so it 
sets a minimum bar on the restrictions you can expect to be able to
set on the distribution of a freeware encrypting telephone package.

-- 
-russ nelson [EMAIL PROTECTED]  http://russnelson.com
Crynwr sells support for free software  | PGPok | Government schools are so
521 Pleasant Valley Rd. | +1 315 268 1925 voice | bad that any rank amateur
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | can outdo them. Homeschool!



Re: Almost-Everywhere Superiority for Quantum Computing

1999-10-17 Thread Russell Nelson

Julian Assange writes:
   Simon as extended by Brassard and H{\o}yer shows that there are
   tasks on which quantum machines are exponentially faster than
   each classical machine infinitely often. The present paper shows
   that there are tasks on which quantum machines are exponentially
   faster than each classical machine almost everywhere.

Okay, then can I ask a silly question (I prefer to contribute good
answers, but in this case hopefully the question is good enough)?  If
quantum computers make brute-force cryptanalysis tasks easier, don't
they also make brute-force cryptographic tasks easier as well?  Put
another way, is there something special about quantum computers that
is different from Intel's next process shrink?  That is, apart from
the havoc it plays with key lifetime expectations?

-- 
-russ nelson [EMAIL PROTECTED]  http://russnelson.com
Crynwr sells support for free software  | PGPok | Government schools are so
521 Pleasant Valley Rd. | +1 315 268 1925 voice | bad that any rank amateur
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | can outdo them. Homeschool!



Re: IP: IETF considers building wiretapping into the Internet

1999-10-13 Thread Russell Nelson

Steven M. Bellovin writes:
  So -- how should the back door be installed?  In the protocol? In the telco 
  endpoint?  Is it ethical for security people to work on something that lowers 
  the security of the system?  Given that it's going to be done anyway, is it 
  ethical to refrain, lest it be done incompetently?

If something evil is done poorly, is that more or less evil?  Answer
not obvious to me.  In any case, a properly implemented end-to-end
encrypted voice stream traveling over a data path with the CALEA bit
set just allows the FBI easy access to strong crypto.

-- 
-russ nelson [EMAIL PROTECTED]  http://russnelson.com
Crynwr sells support for free software  | PGPok | Government schools are so
521 Pleasant Valley Rd. | +1 315 268 1925 voice | bad that any rank amateur
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | can outdo them. Homeschool!



Re: desirable properties of secure voting

1999-10-12 Thread Russell Nelson

Anonymous writes:
   8. Receipt­freeness: A voter can't prove to a coercer, how he has
   voted. As a result, verifiable vote buying is impossible.
  
  It appears that the votehere system does not satisfy this, since the vote
  is published in encrypted form, so the voter can reveal the plaintext in
  a verifiable way.  Of course even if the system mathematically protected
  against this you could still sell your vote by voting at home while the
  vote buyer watched you.

Any time you're allowed to vote in a manner which a third party can
observe everything you observe, they can affect your cost of voting
one way or another.

It's much more fun to try to disprove a positive statement.  So let's
try.  Perhaps the voting is in a challenge-response form?  Given a
number, the voting executes a pre-arranged algorithm on it, and votes
with the results of the algorithm.  That would work, presuming that
the algorithm has enough bits of entropy to confound cryptanalysis.

There's a bunch of problems, though: the algorithm has to be
executable in someone's head, without any intermediate values being
transcribed.  The algorithm has to be memorized.  The algorithm has to 
be coordinated with the vote-taking authority.

Does this sound like the pre-computer key distribution problem to you?
Sure does to me, so much so that I would say that this disproof
disproves nothing in a world where guys pick their girlfriend's name
as their password, and where people can keep 5+-2 things in their head 
at any one time.

-- 
-russ nelson [EMAIL PROTECTED]  http://russnelson.com
Crynwr sells support for free software  | PGPok | Government schools are so
521 Pleasant Valley Rd. | +1 315 268 1925 voice | bad that any rank amateur
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | can outdo them. Homeschool!



Re: The well-travelled packet

1999-09-25 Thread Russell Nelson

Ray Hirschfeld writes:
  Seriously, my first reaction was that no crime had been committed, but
  upon re-examining the export regulations I'm not so sure.  Perhaps the
  fact that the packets are explicitly destined for the US is considered
  "adequate precaution" against unauthorized transfer.  Here is the
  relevant section [734.2(b)(9)] of the EAR:

The precautions may be "usual", but they are certainly not
sufficient.  If crackers can write a credit card number scanner, they
can write a crypto code scanner, particularly if they're looking for a 
special package.

But really, this is just a curio.  Anyone can get a shell account on
some ISP's computer in the US, and download to their heart's content.
The crypto export laws are not based at curtailing export, they're
aimed directly at businesses.  It may hurt to be a US crypto
businessman, but at least you can take comfort from the fact that your
pain is intended.  :(

-- 
-russ nelson [EMAIL PROTECTED]  http://russnelson.com
Crynwr sells support for free software  | PGPok | Government schools are so
521 Pleasant Valley Rd. | +1 315 268 1925 voice | bad that any rank amateur
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | can outdo them. Homeschool!



The well-travelled packet

1999-09-24 Thread Russell Nelson

Forwarded with permission (the permission being the short quote below,
the message being the long one).  I don't have a copy of the
traceroute, but it definitely showed packets going from Washington DC
to NYC through Paris.

Dick St.Peters writes:
  Well, the questions were really intended to be rhetorical and/or
  amusing, but sure.  The crypto guys will probably be as amused as
  anyone.

Dick St.Peters writes:
  Remember that traceroute I sent you showing packets from me to a site
  near here going by way of Europe?  I was telling a friend about that
  this morning, and he asked an interesting question.
  
  Suppose someone on my network sent someone at the site a cryptographic
  program - a US citizen in the US sending it to another US citizen in
  the US, but the packet route is via Europe.  Is that illegal?
  
  If so, who is guilty?  My user with no knowledge of the route?
  Sprint, who sent the packets abroad with no knowledge of what they
  contained?  EUNet, who BGP-announced the route to Sprint in Europe?
  
  --
  Dick St.Peters, [EMAIL PROTECTED] 
  Gatekeeper, NetHeaven, Saratoga Springs, NY
  Saratoga/Albany/Amsterdam/BoltonLanding/Cobleskill/Greenwich/
  GlensFalls/LakePlacid/NorthCreek/Plattsburgh/...
  Oldest Internet service based in the Adirondack-Albany region



I'm not sure we have the obvious problem here.

1999-09-18 Thread Russell Nelson

On Fri, 17 Sep 1999, Greg Broiles wrote:
 
  What scares me is the possibility that there won't even be an argument
  about whether or not a particular clump of ciphertext decodes to a
  particular bit of plaintext because I don't think it'll be possible to
  cross-examine prosecution witnesses about the way that they came into
  possession of what's purported to be plaintext. They won't need to say
  how they came into possession of the plaintext, because that would
  reveal their methods . . . .

On the other hand, if a defendant could show a possibility of a
violation of the 4th Amendment (quoted below), then they've got a
serious case.  What we have been fretting about are a bunch of serious
4th Amendment violations.  There's no two ways around it:
non-circumspect gathering of encrypted documents, or a keyboard
sniffer, or a processor protection by-pass, are all potential 4th
Amendment violations.

Now, I don't mean to wave a piece of paper and say that it's a magic
token that keeps me safe.  However, what we are afraid of is illegal.
We don't have to pass any new laws.  All we have to do is ensure that
the existing ones are enforced.

It all comes down to your threat model.  Is the entity you're
protecting against capable of subverting your processor?  Your
operating system?  Your hardware configuration?  If so, there's no
crypto that can protect you.  You want to get scared?  What if your
network controller chip was spying on the keyboard controller
accesses, and leaking the keystrokes in data appended beyond the
length of valid IP packets?  Or into ICMP replies?  I don't know of
any protocol analyzer that bothers to look at that data.  Would you
notice or care if someone was pinging you?  Some sites would, but most 
wouldn't.

4th Amendment
  The right of the people to be secure in their persons, houses, 
  papers, and effects, against unreasonable searches and seizures, 
  shall not be violated; and no warrants shall issue, but upon 
  probable cause, supported by oath or affirmation, and 
  particularly describing the place to be searched and the persons 
  or things to be seized. 

-- 
-russ nelson [EMAIL PROTECTED]  http://russnelson.com
Crynwr sells support for free software  | PGPok | Government schools are so
521 Pleasant Valley Rd. | +1 315 268 1925 voice | bad that any rank amateur
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | can outdo them. Homeschool!



Re: Why did White House change its mind on crypto?

1999-09-17 Thread Russell Nelson

Ben Laurie writes:
  Declan McCullagh wrote:
Another answer might lie in a
little-noticed section of the legislation the
White House has sent to Congress. It
says that during civil cases or criminal
prosecutions, the Feds can use
decrypted evidence in court without
revealing how they descrambled it.
  
  If you can not reveal how you descramble it, doesn't that mean you can't
  be asked to show that it actually corresponds to the ciphertext?
  
  Scary!

I agree it's scary.  What's the difference between that, and being
stopped on a dark road at 2AM by a state trooper?  I was, and it was
scary, because he kept asking me if I had any guns, and he wanted to
see what was inside the foil candy wrapper on my dashboard (more
foil), but obviously he expected that it was hash.  But what if he
handed back some hash wrapped in foil?  What would I have done?  At
that point, I've got drugs, and he knows it, and he could arrest me.
What's the difference between that, and someone claiming that a
certain piece of text decrypts to a sinister message?

Seems to me like the best defense against that is mass-market crypto.
Because if the TLA claims that something decrypts to something, and I
can use the mass-market crypto to have it decrypt to something else,
the TLA has a credibility problem.

Or is this not why you're scared?

-- 
-russ nelson [EMAIL PROTECTED]  http://russnelson.com
Crynwr sells support for free software  | PGPok | Government schools are so
521 Pleasant Valley Rd. | +1 315 268 1925 voice | bad that any rank amateur
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | can outdo them. Homeschool!



RSA security advert

1999-09-15 Thread Russell Nelson

The September 13th InfoWorld has an advertisement by RSA Security.  If
you squint your eyes up real tight, and read between the lines, it
reads like this:


   Our patents are running out.
  Please don't forget
   who invented this stuff.


   RSA

   Security


   For almost two decades,   More than 450 million copies   
   businesses have had no choice of our RSA BSAFE(r) encryption 
   but to purchase public-keytechnology are installed in
   cryptography from RSA Datatoday's most successful
   Security.  Because we've  applications and devices.  And 
   gotten so much money, we've   why shouldn't it be that way?  
   purchased another company,All other software is illegal, 
   Security Dynamics and we like it like that.  To  
   Technologies, Inc.  Today, thetry to keep you using our  
   companies have unified under  software, we have a new RSA
   one name, RSA Security, Inc.  Keon(tm) product line, 
   Our new name and look reflectsproviding companies with a 
   our desperate desire for you  complete digital certificate   
   to continue to purchase   system, known as "PKI," to 
   products from us, even after  enable and manage security for 
   our patents run out.  We know e-commerce applications.   
   you have almost no idea who weThousands of customers have
   are, but you should.  Chances chosen RSA Security, including 
   are pretty close to 100%  Cisco, Compaq, Ericsson,   
   you've had to rely on one or  Fidelity, IBM, and Lucent. 
   more of our products to   They haven't had any other 
   purchase something over the   choice, and neither do you.
   Internet, securely send email,Now that we have to persuade   
   safely connect to youryou to purchase from us, we're 
   network, or do you bankingnow trying to build a brand
   online.  As a combinedname before it's too late.  To 
   company, we are the premier   learn how we might serve your  
   monopoly in e-security -- at  e-security needs, please visit 
   least until our patents run   us at www.rsasecurity.com, or  
   out.  contact us at  
 [EMAIL PROTECTED] or
 1-877-RSA-4900

   
   Your Only Choice in e-Security


-- 
-russ nelson [EMAIL PROTECTED]  http://russnelson.com
Crynwr sells support for free software  | PGPok | Government schools are so
521 Pleasant Valley Rd. | +1 315 268 1925 voice | bad that any rank amateur
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | can outdo them. Homeschool!



Re: Power analysis of AES candidates

1999-08-31 Thread Russell Nelson

John Kelsey writes:
  There's some question about how hard it will be to design
  hardware that will be DPA-resistant for different
  algorithms.

Big on-chip caps.  Lithium batteries.  Tamper-resistant housings.
That's what Dallas Semiconductor uses for its 1-Wire devices,
including the famous Java ring.  It works to protect data, but not
algorithms, because once you extract the algorithm, you've got it.
With data, you have only to make extraction more expensive than the
data is worth.

You could also superglue the chip to something very hard, so that you
can't probe the chip without getting the cover off, and if you try,
you destroy the chip trying.

-- 
-russ nelson [EMAIL PROTECTED]  http://russnelson.com
Crynwr sells support for free software  | PGPok | Government schools are so
521 Pleasant Valley Rd. | +1 315 268 1925 voice | bad that any rank amateur
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | can outdo them. Homeschool!



Re: message-signing at the MTA level

1999-08-22 Thread Russell Nelson

Greg Rose writes:
  At 22:09 21/08/1999 -0400, Russell Nelson wrote:
  I've been thinking about cryptographic signing of messages at the mail 
  transfer agent level.  I can think of how to do it, but I'm not sure
  what problem it solves.  :)  Anyone have any ideas?
  
  Signing messages at the MTA level solves no problem at all unless there's a
  widely deployed PKI.

Because of man in the middle attacks?  You could supply a public key
in the SMTP server banner, but that doesn't help if someone is fudging
things in the middle.  Encryption would help, though, wouldn't it?  Of
course, you've got a nasty bit of known plaintext right at the
beginning: "Received:"

Actually, if your sole threat model is "telnet mail.example.com 25",
then *any* kind of crypto helps.  :)  And if I go down in history for
any quote at all, it should be: "Crypto without a threat model is like 
cookies without milk."

-- 
-russ nelson [EMAIL PROTECTED]  http://russnelson.com
Crynwr sells support for free software  | PGPok | Government schools are so
521 Pleasant Valley Rd. | +1 315 268 1925 voice | bad that any rank amateur
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | can outdo them. Homeschool!



Re: Proposed bill for tax credit to develop encryption with covert access

1999-08-04 Thread Russell Nelson

-- BEGIN 2rot-13

David Jablon writes:
  Amazing!  Despite the title, this seems to be a retro-active tax
  break for all developers of snake-oil and other poorly concieved or
  poorly implemented cryptography.

Or for that matter, poorly selling.  There's nothing in the bill that
requires that the encryption be otherwise unbreakable (e.g. I could
get a tax credit for implementing a backdoor'ed rot-13) or that anyone
actually buy or use the snake-oil^H^H^H^H^H^H^H^H^Hencryption
software.

Just how *would* you put a backdoor into rot-13?  Ah!  I've got it!
Implement a new, higher security 2rot-13 (apply rot-13 twice, for
double the encryption value).

-- END 2rot-13 
-- 
-russ nelson [EMAIL PROTECTED]  http://crynwr.com/~nelson
Crynwr sells support for free software  | PGPok | Government schools are so
521 Pleasant Valley Rd. | +1 315 268 1925 voice | bad that any rank amateur
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | can outdo them. Homeschool!



It's to be expected (crypto laws)

1999-07-23 Thread Russell Nelson

I just read _The Incredible Bread Machine_, by R. W. Grant.  A Fox 
Wilkes book, available from Laissez-Faire Books.  I think a quote from 
page 241, on The Limits of Political Action, is appropriate in re the
recent "I told you so" observation by Lucky Green:

Government is force, and politics is simply the means of deciding
who gets to use it at whose expense.  By its nature, then,
politics will inexorably represent the interests of those who seek
the favors of government.  Hence the bewilderment of voters who
find that no matter who wins the election, government continues to
grow bigger and more intrusive.  At best, transient reforms can be
accomplished, but the underlying dynamic of politics is constantly
to expand the role of the state.

Accordingly, those seeking to limit the role of political force
[aka crypto export laws] in our society are quite literally
disenfranchised.  You can vote for ruler A or ruler B, but you
can't vote for ino/i ruler.  Political action can possibly be
helpful for educational purposes, or as a rear-guard effort, but
its effectiveness as an influence for less government is
limited. [as we've seen.]

What to do?  Attack the state at the source of its power: our
cooperation.  It can be noisy civil disobediance.  It can be simply
ignoring an unenforcable law.  It can be challenging the power of the
state in its own institution, as in the Bernstein, Karn, and Junger
cases.

I highly encourage all [EMAIL PROTECTED] readers to read The
Incredible Bread Machine.  It puts together a comprehensive attack on
the legitimacy of the state.

-- 
-russ nelson [EMAIL PROTECTED]  http://crynwr.com/~nelson
Crynwr sells OSI Certified(tm) Open Source Sware| PGPok | Government schools are so
521 Pleasant Valley Rd. | +1 315 268 1925 voice | bad that any rank amateur
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | can outdo them. Homeschool!



Re: depleting the random number generator

1999-07-18 Thread Russell Nelson

John Denker writes:
  The bad part is that Whitney has already gobbled up quite a few
  bits of entropy from /dev/random before the slightest bit of
  authentication is attempted.

You're presuming that you're using the standard Linux version of
/dev/random.  You could quite easily write a driver for that serial
port white noise generator which was discussed earlier on this list.
Make it's operation compatible with /dev/random, and replace
/dev/random with a node pointing to your device.

-- 
-russ nelson [EMAIL PROTECTED]  http://crynwr.com/~nelson
Crynwr supports Open Source(tm) Software| PGPok | Government schools are so
521 Pleasant Valley Rd. | +1 315 268 1925 voice | bad that any rank amateur
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | can outdo them. Homeschool!



Eason/Kawaguchi stego

1999-06-29 Thread Russell Nelson

There's an EETimes article on Eason/Kawaguchi stego in the 6/28 issue.
They hide their bits in the most complex parts of the image -- where
neighboring pixels are most different from one another.  Also, only a
few parameters are needed to retrieve the information, so anybody with
the appropriate detector and a few guesses can find the information.
Yes, that's right, it's only hidden from view, not from even the least
determined observer.  So why not just call it watermarking?  Because
(so they claim) watermarking is embedded everywhere in the image.

-- 
-russ nelson [EMAIL PROTECTED]  http://crynwr.com/~nelson
Crynwr supports Open Source(tm) Software| PGPok | Government schools are so
521 Pleasant Valley Rd. | +1 315 268 1925 voice | bad that any rank amateur
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | can outdo them. Homeschool!



Re: Eason/Kawaguchi stego

1999-06-29 Thread Russell Nelson

Jay Holovacs writes:
  --
   From: Russell Nelson [EMAIL PROTECTED]
   To: [EMAIL PROTECTED]
   Subject: Eason/Kawaguchi stego
   Date: Tuesday, June 29, 1999 9:27 AM
   
   .  Also, only a
   few parameters are needed to retrieve the information, so anybody with
   the appropriate detector and a few guesses can find the information.
   Yes, that's right, it's only hidden from view, not from even the least
   determined observer. 
  
  But if data is properly encrypted first, noise extracted from any picture
  should be virtually indistinguishable from encrypted data. Stego is really
  just obscurity with plausible deniability, it should never be used without
  encryption.

I don't know of any stego packages that work with mass-market
cryptography e.g. pgp or mixmaster.  You can't just take the output of
one of those crypto systems and stuff it into the "random" bits of a
real-life sample.  There's too much plaintext for the stego to hide.
Stego needs a special type of cryptography that has no known plaintext
in its encrypted output -- where the output of the stego algorithm is
just as white as the white noise it replaces.

So you've got a chicken-and-egg problem -- you have to have yet
another set of public keys for your stego crypto algorithm.

But besides that, you need software which camps on every source of
"random" bits that come into your life, cryptanlyzing it using your
private key.

-- 
-russ nelson [EMAIL PROTECTED]  http://crynwr.com/~nelson
Crynwr supports Open Source(tm) Software| PGPok | Government schools are so
521 Pleasant Valley Rd. | +1 315 268 1925 voice | bad that any rank amateur
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | can outdo them. Homeschool!



Re: NPR story on crypto...

1999-06-28 Thread Russell Nelson

John Young writes:
  What's intriguing is whether PECSENC, now headed by an ex-NSA
  honcho, is going to bite NSA's sigint bullet, and recommend that
  strong encryption is better for the public interest than natsec snooping,
  what with the world now getting its hands on means of strong protection
  for conventional telecommunications of text and to a lesser extent 
  voice.

I'll go out on a limb and speculate that the NSA will eventually be a
proponent of strong crypto.  Why?  Because the weak-crypto crowd
essentially operates as a cartel.  A cartel is built of all interested
parties (e.g. oil producers in OPEC).  They all agree to refrain from
behavior which would be advantagous if only a minority did it, but
which is harmful if everyone did it (e.g. competing in a free
market).  In the case of economic producers, that means reducing
production and raising prices.

Of course, you can't deny the free market.  It's like a balloon --
press in on it, and it presses out somewhere else.  If you succeed in
containing it, it pushes back hard everywhere.  Now that prices are
higher, you have two problems: new entrants have to be incorporated
into the cartel, and current entrants have a strong incentive to
cheat.  These problems are bad enough that only one cartel has
survived in the long run: the deBeers diamond cartel.  Remember the
new diamond fields in Canada and Russia discovered earlier this
decade?  They were brought into the cartel (IIRC).  They had to be,
otherwise the cartel would fall.  This works because people have been
persuaded that diamonds are precious, worth paying very high prices.
There's lots of room in the diamond cartel.

Is it obvious now how this applies to the crypto market?  If everyone
is forced to use weak crypto, all governments can spy on all
others.[1] But now that PC's are cheap and strong crypto is widely
available, governments have a harder time enforcing weak crypto
(presuming they want to).  As their citizens and corporations defect,
the remaining cartel members lose the advantage of decrypting the
defectors, and have a shorter lever to control their own citizens and
corporations.

At some point there will be enough defectors to bring down the cartel.
Once we break the dam, the NSA, being a responsible government
institution, must advocate strong crypto in order to protect its
mission.  Because, their mission is to gain an advantage over other
countries through sigint.  If their policies create an obvious
disadvantage (US crypto can be broken, but nobody else's can), then
they'll be changed.

And when the dam breaks, you'll see an amazing flip-flop.  You'll need 
a seat belt on your computer chair to keep from falling on the floor.


[1] There are secret trade shows where wiretapping equipment is sold.
You need a clearance and a photo badge to attend.  I've never been,
but I expect that the same, or similar, trade shows sell DES-breaking
equipment.  Particularly when it's cheaper than five hum-vees.

-- 
-russ nelson [EMAIL PROTECTED]  http://crynwr.com/~nelson
Crynwr supports Open Source(tm) Software| PGPok | Government schools are so
521 Pleasant Valley Rd. | +1 315 268 1925 voice | bad that any rank amateur
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | can outdo them. Homeschool!



Re: Word needed for Entropy

1999-06-28 Thread Russell Nelson

[I suspect we're hitting the end of this thread... --Perry]

At 9:32 AM -0700 6/26/99, Carl Ellison wrote:
  I've been guilty of sloppy use of English, occasionally, and one such
  sloppiness that I run into occasionally is with the word "entropy"
  for cryptographic purposes.
  
  What we need is a word or very short phrase to capture the full
  phrase:

How about "God's dice"?

-- 
-russ nelson [EMAIL PROTECTED]  http://crynwr.com/~nelson
Crynwr supports Open Source(tm) Software| PGPok | Government schools are so
521 Pleasant Valley Rd. | +1 315 268 1925 voice | bad that any rank amateur
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | can outdo them. Homeschool!



Re: so why is IETF stilling adding DES to protocols? (Re: It's official... DES is History)

1999-06-26 Thread Russell Nelson

Lucky Green writes:
  OpenSSL is a library. It should support whatever the standard supports and
  whatever users and/or authors of the lib desire to be in the lib. That may
  include broken or null-ciphers. But the user should have to take positive
  action to get at the broken ciphers. I believe by default, OpenSSL should
  ship with the weak ciphers disabled. And there should be a clear warning:
  "Not secure, don't fool yourself, do not use, etc]".
  
  Offering ROT-13 in a library you one maintains is one thing.

That's it!  Include a whole range of ciphers, all the way from ROT-13
through Caesar through Enigma through an exportable 40-bit code
through DES through IDEA through blowfish.  Make it clear that the
security one gets is the security one chooses, and include an analysis 
of the history and security of the various ciphers.

I mean, it's foolish to impose your threat model on other people, just
as it would be foolish for someone with a higher threat model impose
her security requirements on you.  I mean, one high threat model says
"No back channels", so all data must travel through a hardware one-way
interface.  No.  Would you like to be told that your chosen level of
security is insufficient for that threat model, therefore you must
take special steps to enable a cipher sufficient for your threat model?

-- 
-russ nelson [EMAIL PROTECTED]  http://crynwr.com/~nelson
Crynwr supports Open Source(tm) Software| PGPok | Government schools are so
521 Pleasant Valley Rd. | +1 315 268 1925 voice | bad that any rank amateur
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | can outdo them. Homeschool!



Just the ticket for those conferences

1999-04-09 Thread Russell Nelson

http://loaf.ecks.org/

Linux On A Floppy.  Get networking params (IP address, subnet mask,
default router), power-down, insert floppy, reboot.  Comes with ssh.

-- 
-russ nelson [EMAIL PROTECTED]  http://crynwr.com/~nelson
Crynwr supports Open Source(tm) Software| PGPok |   There is good evidence
521 Pleasant Valley Rd. | +1 315 268 1925 voice |   that freedom is the
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   |   cause of world peace.



Re: Neal Stephenson's Cryptonomicon

1999-04-02 Thread Russell Nelson

Jeff Simmons writes:
  There's also a page at http://www.well.com/user/neal/cypherFAQ.html
  that is aimed at the cypherpunk list.  Most interesting part is that
  evidently Bruce Schneier designed a special cypher for use in the novel,
  based on a deck of playing cards. (?)

I'll ask the obvious stupid questions now: Is our government going to
refuse export of playing cards?  Are border guards going to start
shuffling decks of cards they find in passenger suitcases?  Or
confiscating them?

I expect to go abroad within the month.  I think I'll take a
half-dozen decks of cards with me.

Guard: Why do you have so many decks of cards?

Me: They're munitions.  I wanted to be well-armed.

-- 
-russ nelson [EMAIL PROTECTED]  http://crynwr.com/~nelson
Crynwr supports Open Source(tm) Software| PGPok |   There is good evidence
521 Pleasant Valley Rd. | +1 315 268 1925 voice |   that freedom is the
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   |   cause of world peace.



Re: Biprime Cryptography to replace RSA?

1999-03-31 Thread Russell Nelson

Bluefish [@ home] writes:
   I would propose "Biprime Cryptography" or "BPC" as the generic term for
   RSA. Biprime is a natural and appropriate English name for the product of
   two primes.
  
  There are other "biprimes" too,

BiPrime Factoring.  BPF (no, not Berkeley Packet Filter!)

-- 
-russ nelson [EMAIL PROTECTED]  http://crynwr.com/~nelson
Crynwr supports Open Source(tm) Software| PGPok |   There is good evidence
521 Pleasant Valley Rd. | +1 315 268 1925 voice |   that freedom is the
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   |   cause of world peace.



mixmaster the DNS

1999-02-08 Thread Russell Nelson

Hmmm  Anybody thought of combining mixmaster, an SMTP client, SMTP
server, and the DNS?  Here's how it would work:
 1) email would arrive at the SMTP client using ordinary means.
 2) The SMTP client would ask the DNS for the MX records for the host.
 3) If the DNS has two MX records which point to the same host, one of 
which is in a particular range (e.g. 23489-23511), then the
recipient is considered mixmaster-enabled.  If not, then the mail
is simply delivered.
 4) The SMTP client has access to a list of acceptable relay hosts,
also mixmaster-enabled.  It either delivers the mail, or relays
the mail to one of these hosts.  The relay is done in the usual
mixmaster fashion.
 5) (and here's the key).  When the SMTP client (either the original
one, or the one on the relay) tries to deliver the mail, it does
so by connecting to the port number named in the highest-numbered
of the two MX records.  If that fails, then the mail is delivered
via unencrypted SMTP.

It's got some weaknesses, but it goes a long way towards keeping
intranet trans-Internet mail private.

-- 
-russ nelson [EMAIL PROTECTED]  http://crynwr.com/~nelson
Crynwr supports Open Source(tm) Software| PGPok |   There is good evidence
521 Pleasant Valley Rd. | +1 315 268 1925 voice |   that freedom is the
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   |   cause of world peace.



Re: Intel announcements at RSA '99

1999-01-27 Thread Russell Nelson

Arnold G. Reinhold writes:
  I do not agree, however, that 1 bit per second would be fast enough.

Why not?  Randomness never goes stale.  If it did, they wouldn't print
books full of random numbers.  Store the 1bps in a FIFO.  Save that
entropy!  There's a limited amount of it in the universe, you know.  :)

-- 
-russ nelson [EMAIL PROTECTED]  http://crynwr.com/~nelson
Crynwr supports Open Source(tm) Software| PGPok |   There is good evidence
521 Pleasant Valley Rd. | +1 315 268 1925 voice |   that freedom is the
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   |   cause of world peace.



RE: France Allows 128 Bit Crypto

1999-01-20 Thread Russell Nelson

Black Unicorn writes:
  WOAH.  Are you sure you know what you are doing?  You're close to imposing a
  duty to decrypt punishable by penal sanctions (read jailtime).  This is
  precisely the WRONG way to go.

Sure, because you can't tell the difference between someone who is
unable to decrypt (Sorry, I lost my key), and someone who is unwilling
to decrypt (Sorry, I "lost" my key).  Encrypted documents should be
covered under our Fifth Amendment.

-- 
-russ nelson [EMAIL PROTECTED]  http://crynwr.com/~nelson
Crynwr supports Open Source(tm) Software| PGPok |   There is good evidence
521 Pleasant Valley Rd. | +1 315 268 1925 voice |   that freedom is the
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   |   cause of world peace.



Re: crypto-stego

1999-01-05 Thread Russell Nelson

Bill Stewart writes:
  At 09:42 PM 12/30/98 -, Russell Nelson wrote:
  Now here's a silly question: cryptanalysis requires that one be able
  to recognize the plaintext.  Steganography requires that one NOT be
  able to recognize the cryptography from random noise.  So, if I use a
  legal cryptography algorithm (with however few bits I'm allowed), on
  the output of an illegal stego program, all of those bits are pure
  pleasure.  Even someone with my legal public key can't be sure that
  they've decrypted the right thing unless my stego is broken or they
  have my illegal public key.
  
  I think you've got this backwards - your words say that
   Output = Crypto( Stego(something), WimpyKey )
  where "something" is presumably the message.
  But that's not secure - good steganography doesn't require that
   Stego(Message)  look like random noise, only that
   Stego(Crypto(Message)) and Stego(Noise) look similar enough
  so the Bad Guys won't notice that the encrypted message is there.

No, "something" is presumably a crypto algorithm that adds another set 
of key bits.  But you're right, it was a silly question.  Stego relies 
on hiding crypto within something identifiable as something ordinary.
It needs to say "These are not the droids you're looking for."  You
might get a fair bit of extra security, perhaps approaching the number
of added key bits, by using the same crypto algorithm which produced
the input to your stego algorithm.

  you need to make sure that it's really stealthy, something PGP hasn't done
  after N years aand several format changes.

Maybe there's hope for GNU Privacy Guard?

  Cryptography restrictions are the USA's Maginot Line.  Big, expensive,
  ultimately routed around regardless, and once the war is over,
  difficult to get rid of.
  
  Heh - it's especially surprising to me that regulations designed to
  keep Commies from getting military technology are still in place,
  and the Russians are even part of the deal.

The comparison seems apt because France is now filled with large
chunks of concrete, with no budget to get rid of them.  I fear that,
once we win the crypto war against our own government ("Give me crypto 
or give me death!") the crypto landscape will be littered with large
chunks of concrete.  Heck, it already is -- look at the sorry state of 
cellular phones, or Internet communications.

-- 
-russ nelson [EMAIL PROTECTED]  http://crynwr.com/~nelson
Crynwr supports Open Source(tm) Software| PGPok |   There is good evidence
521 Pleasant Valley Rd. | +1 315 268 1925 voice |   that freedom is the
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   |   cause of world peace.



Re: Building crypto archives worldwide to foil US-built Berlin Walls

1998-12-15 Thread Russell Nelson

Enzo Michelangeli writes:
  JYA and others,
  
  The first Hong Kong free crypto archive is up and running at:
  
  ftp://ftp.futuredynamics.com/freecrypto/
  
  At the moment I'm just mirroring ftp.pgpi.com (about 119 Mb). More 
  stuff will be hopefully added later. Also, I hope to announce more 
  sites soon.

Here's a suggestion I don't have time to implement (ideas are cheap):

Create a system of mirrors where files cannot be removed, only
repudiated.  Have a single piece of software which is 1) distributed
in the archive, and 2) when installed, creates and publishes a local
archive.  This piece of software checks other archives, and
incorporates content from those archives.

This kind of archive has a problem akin to the key distribution
problem (call it the archive anti-distribution problem).  How do you
keep people from wantonly adding things to the archive?

Perhaps an archive would have a list of signatures for which it is an
archive?

-- 
-russ nelson [EMAIL PROTECTED]  http://crynwr.com/~nelson
Crynwr supports Open Source(tm) Software| PGPok |   There is good evidence
521 Pleasant Valley Rd. | +1 315 268 1925 voice |   that freedom is the
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   |   cause of world peace.



Re: Is a serial cable as good as thin air?

1998-12-01 Thread Russell Nelson

Arnold G. Reinhold writes:
  I am uncomfortable with the tone of this thread. There is nowhere near
  enough information provided in Mr.  Georgoudis' posting to conclude that
  hisbank's existing floppy disk transfer scheme is secure, much less render
  an opinion on the impact of a serial connection.

  :all). Here is the question: Is this as good as thin air?

He didn't ask if it was secure.  He only wanted to know if a serial
connection could be made as secure as a floppy disk transfer.  I
contend that an xmodem transfer of the file is as secure as a floppy
disk transfer.  The truly paranoid would insert a PIC chip which
enforces that only the xmodem protocol could transit the wire, and
then in only one direction.

Sure, the floppy disk transfer could be insecure, but as you say, he
neither gave us enough information, nor asked if we felt it was secure.

-- 
-russ nelson [EMAIL PROTECTED]  http://crynwr.com/~nelson
Crynwr supports Open Source(tm) Software| PGPok |   There is good evidence
521 Pleasant Valley Rd. | +1 315 268 1925 voice |   that freedom is the
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   |   cause of world peace.



RE: Is a serial cable as good as thin air?

1998-11-30 Thread Russell Nelson

Brown, R Ken writes:
  If I was a bank I would be very wary of  proposals like "We would write our
  own transmission protocol. " That seems to introduce yet more complexity,
  not to mention maintenance effort and undiscovered bugs. It would seem safer
  (more conservative a bank might say) to use off-the-shelf code which had
  been tried and tested ( for which source code was available if you really
  cared about security)

Use xmodem.  Only provide the receive code and the transmission code
on the respective sides.  That will be as safe as sneakernet.

-- 
-russ nelson [EMAIL PROTECTED]  http://crynwr.com/~nelson
Crynwr supports Open Source(tm) Software| PGPok |   There is good evidence
521 Pleasant Valley Rd. | +1 315 268 1925 voice |   that freedom is the
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   |   cause of world peace.