Student scholarships available for RSA Data Security Conference.

2001-02-09 Thread Trei, Peter

The RSA Data Security conference will be held at the Moscone Center and the 
Metreon in San Francisco this year, April 8-12.

http://www.rsasecurity.com/conference/rsa2001/intro2.html

It's a really neat conference, but pricey. However, looking through the
registration web pages, I found this:


>Student Scholarships

>Several corporations have kindly proposed to sponsor student
>registration fees; full-time students wishing to apply for a scholarship
>should contact RSA Security at
>[EMAIL PROTECTED]


I don't know how many are available, or what they include, but the regular
academic registration is $495.

Also, if you just want to attend the Expo (we have over 250 vendors
expected), you can get a free pass if you register before March 2
(otherwise, $50 at door).


Peter Trei
[EMAIL PROTECTED]


 




RE: NONSTOP Crypto Query

2001-01-15 Thread Trei, Peter

I've seen an existence proof which indicates that this is possible.
Back when I was first getting involved with computers (circa 1972),
some digitizer tablets worked by speed-of-sound measurements.
The stylus tip contained a small spark gap which was energized
when the stylus pressed on the tablet. This created a spark,
and the spark a minuscule roll of thunder. Microphones situated
along the edges of the tablet recorded the arrival times of the sound,
and the location of the stylus was calculated to within a millimeter or two.

This was a peripheral for a DEC PDP-8E.

This was calculating a position over about 20 cm to a millimeter,
in real time, in 1972. Doing so to a resolution of a centimeter or
two, in 2001, over several meters sounds feasible.

Peter Trei  

> --
> From: Ray Dillinger[SMTP:[EMAIL PROTECTED]]
> Sent: Friday, January 12, 2001 4:37 PM
> To:   John Young
> Cc:   [EMAIL PROTECTED]
> Subject:  Re: NONSTOP Crypto Query
> 
> 
> 
> On Fri, 12 Jan 2001, John Young wrote:
> 
> >Wright also describes the use of supersensitive microphones
> >to pick up the daily setting of rotors on cryptomachines of the 
> >time, in particular the Hagelins made by CryptoAG.
> 
> Hmmm.  That sounds like a trick that could be brought up to 
> date.  If you get two sensitive microphones in a room, you 
> should be able to do interferometry to get the exact locations 
> on a keyboard of keystrokes from the sound of someone typing.  
> I guess three would be better, but with some reasonable 
> assumptions about keys being coplanar or on a surface of known 
> curvature, two would do it.  Interesting possibilities.
> 
>   Bear
> 
> [A quick contemplation of the wavelength of the sounds in question
> would put an end to that speculation I suspect. --Perry]
> 
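The digitizer Peter describes is a time-difference-of-arrival solve: each microphone timestamps the same impulsive sound, and the source is the point whose range differences to the microphones match the measured time differences. The following is an added example, not code from the original thread or from any of its participants. It assumes a four-microphone square 0.5 m on a side (a keyboard-sized stand-in for the 20 cm tablet), a 48 kHz sample clock in place of the tablet's timing hardware, 343 m/s for the speed of sound, and a source position chosen for illustration; it recovers the position with Gauss-Newton on the range differences and reports how far off the result is once the arrival times have been rounded to the sample clock.

```python
"""Time-difference-of-arrival (TDOA) position solve.

Added example; not code from the original thread.  The microphone layout,
sample rate and source positions are assumed values chosen for illustration.
"""
import math

SPEED_OF_SOUND = 343.0   # m/s in air at about 20 C (assumed)
SAMPLE_RATE = 48000.0    # Hz (assumed); one sample of timing error is ~7 mm of path

# Assumed layout: four microphones at the corners of a 0.5 m square.
MICS = [(0.0, 0.0), (0.5, 0.0), (0.5, 0.5), (0.0, 0.5)]


def arrival_times(source, mics=MICS, emit_time=0.0):
    """Ideal arrival time of one impulsive sound (a spark, a keystroke)
    at each microphone."""
    return [emit_time + math.dist(source, m) / SPEED_OF_SOUND for m in mics]


def quantize(times, rate=SAMPLE_RATE):
    """Model a digitizer that timestamps arrivals on a sample clock."""
    return [round(t * rate) / rate for t in times]


def _solve2(a, b):
    """Solve the 2x2 linear system a x = b by Cramer's rule."""
    det = a[0][0] * a[1][1] - a[0][1] * a[1][0]
    if abs(det) < 1e-15:
        raise ValueError("degenerate microphone geometry")
    return [(a[1][1] * b[0] - a[0][1] * b[1]) / det,
            (a[0][0] * b[1] - a[1][0] * b[0]) / det]


def locate(times, mics=MICS, iters=50, tol=1e-12):
    """Recover the (x, y) source position from arrival times alone.

    The emission time is unknown, so only differences carry information.
    For each microphone i > 0 the residual is
        r_i = (|s - m_i| - |s - m_0|) - c * (t_i - t_0)
    which vanishes at the true source s.  Gauss-Newton, started at the
    centre of the array, drives the residuals to zero.
    """
    x = sum(m[0] for m in mics) / len(mics)
    y = sum(m[1] for m in mics) / len(mics)
    for _ in range(iters):
        d0 = math.hypot(x - mics[0][0], y - mics[0][1])
        u0 = ((x - mics[0][0]) / d0, (y - mics[0][1]) / d0)
        jac, res = [], []
        for (mx, my), t in zip(mics[1:], times[1:]):
            d = math.hypot(x - mx, y - my)
            # Row of the Jacobian: gradient of (|s - m_i| - |s - m_0|)
            jac.append([(x - mx) / d - u0[0], (y - my) / d - u0[1]])
            res.append((d - d0) - SPEED_OF_SOUND * (t - times[0]))
        # Normal equations: (J^T J) dx = -J^T r
        jtj = [[sum(j[i] * j[k] for j in jac) for k in range(2)] for i in range(2)]
        jtr = [sum(j[i] * r for j, r in zip(jac, res)) for i in range(2)]
        dx, dy = _solve2(jtj, [-jtr[0], -jtr[1]])
        x, y = x + dx, y + dy
        if max(abs(dx), abs(dy)) < tol:
            break
    return x, y


def position_error(source, mics=MICS, rate=SAMPLE_RATE):
    """Distance between the true source and the position recovered after
    the arrival times have been rounded to the sample clock."""
    x, y = locate(quantize(arrival_times(source, mics), rate), mics)
    return math.dist(source, (x, y))


if __name__ == "__main__":
    src = (0.12, 0.31)   # assumed true position of the stylus or key
    print("ideal arrival times:", arrival_times(src))
    print("recovered from ideal times:", locate(arrival_times(src)))
    print("error with a 48 kHz clock: %.4f m" % position_error(src))
```

With exact times the solve lands on the source to floating-point precision; with the times rounded to 48 kHz samples the error is of the order of a centimetre, because a one-sample timing error is about 7 mm of path and the array baseline is comparable to the source distance. Finer timing or a larger baseline shrinks the error, which is the relation Peter's tablet exploited.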




RE: Internet anonymity/pseudonymity meeting invitation

2000-11-27 Thread Trei, Peter

> [EMAIL PROTECTED] wrote:
> 
> The NymIP Research Group will hold its first physical meeting on Sunday,
> December 10, 2000, from 14:30 US/Pacific (22:30 UCT) to 17:00 US/Pacific
> (01:00 UCT December 11), before the IETF meeting in San Diego,
> California. We invite interested parties to attend, either in person or
> by telephone.
> 
> The NymIP-RG is a newly formed entity dedicated to studying anonymity
> and pseudonymity in Internet communication. 
[...]

> This first meeting is a brief, relatively unstructured get-to-know-you
> affair, designed to identify those interested and start them talking to
> one another. 
[...]
>   -- J. Bashinski
>  Secretary, NymIP-RG
> 
Does anyone besides me find irony in having a 'get-to-know-you'
session for a group studying anonymity?

Will they allow masked attendees? Will the mailing list allow posts
from anonymous remailers, or is it closed? Is there a website to
allow anonymous reading?

Practice what you preach

Peter Trei

'The anarchists were highly disciplined'







RE: Lots of random numbers

2000-11-16 Thread Trei, Peter

Others have responded as to why this is not so hot an idea.

It sounds like you're trying to obtain more entropy than you really
need - I would have thought that the built-in hardware RNG in
the newer Intel chips would do the job. Barring that, stick in one
of the various cryptographic coprocessor boards; this would allow
you not only to get real random numbers, it would speed up the
keygen step substantially.

nCipher (partly owned by RSA :-) makes such boards. They work
with Linux.

Peter Trei



> --
> From: Rich Salz[SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday, November 15, 2000 10:19 PM
> To:   [EMAIL PROTECTED]
> Subject:  Lots of random numbers
> 
> I'm putting together a system that might need to generate thousands of RSA
> keypairs per day, using OpenSSL on a "handful" of Linux machines.  What do
> folks think of the following: take one machine and dedicate it as an
> entropy source. After 'n' seconds turn the network card into promiscuous
> mode, scoop up packets and hash them, dump them into the entropy pool. Do
> this for 'm' seconds, then go back to sleep for awhile.  The sleep and wake
> times are random numbers.  Other systems on the network periodically make
> an SSL connection to the entropy box, read bytes, and dump it into their
> /dev/random device.
> 
> Is this a cute hack, pointless, or a good idea?
>   /r$
> 




E-Larm (was: Re: Republic targeted for sale of 'unhackable' system )

2000-11-16 Thread Trei, Peter

It has all the hallmarks of snakeoil.

After a bit of searching around, I found another article at the Sunday Times
(not noted for its fact checking) and a company site. I'll include their page
on the method below. It looks like typical snake oil - the description includes
a number of errors which indicate a basic unfamiliarity with modern
cryptography, and the usual grandiose claims of infallibility of their system,
combined with claims of the weakness of current algorithms.

Bruce Schneier would have fun with this one.

Johnson seems quite a colorful character. Aside from crypto, he also
has interests in sewage treatment, image enhancement, intellectual
property protection, display technology, economic forecasting,
and genetic engineering. Several of these involve something he 
calls 'fractal modulation'.

There's nothing that screams "this doesn't work", but also nothing
to make me take it seriously. Among other things, they
seem to think they've invented perfect forward secrecy.

Peter Trei

Sunday times article:
http://www.sunday-times.co.uk/news/pages/sti/2000/02/13/stidordor03008.html

--
From e-larm's web page at http://www.e-larm.co.uk


E-Larm Corporation Limited is a subsidiary of the
Microbar Security Group which is, in turn, wholly owned
by Durand Technology Limited.

E-larm Corporation Limited is a fully-owned subsidiary
of Microbar Security Limited and is party to the joint
venture with Debden Security Printing, a subsidiary of
the Bank of England.  E-larm™ uses Fractal
Modulation and Chaos to create a completely different
extremely secure and compact method for encrypting and
decrypting data for e-commerce and other purposes.

There is a high degree of dissatisfaction from
e-commerce users and strong concerns about security
that must be overcome in order to enable e-commerce to
develop in the way it deserves.

Present encryption methods:

Variations on a well-known theme with public and private
keys arranged so that an exhaustive search will crack
the code. The problem is that modern computing with its
enormous power can complete an exhaustive search given
time so that the traditional safeguard that the
information will be old and less sensitive by the time
it is cracked has gone away. In other words systems can
be broken and therefore a hacker can enter. E-larm makes
this impossible. In the past encryption has always been
prone to eventual repeat patterns that give the game
away.  Random numbers are really pseudo random and are
large prime numbers.  However, these must repeat
eventually if the transmission is long enough or
frequent enough using the same encryption.  All current
e-commerce encryption is stationary. That is to say
that the algorithms and keys do not change during the
transmission just like the wartime Enigma machine.

The uniqueness of E-larm

A fresh approach to developing non-repeating chaotic
numbers protects against deciphering.

It is a non-stationary encryption approach. In other
words, E-Larm uses different keys and algorithms on a
random basis throughout the transmission. Or it is like
a warehouse full of Enigma machines which are used at
random and only for a few keystrokes each.

Secure opening communication system, a secret
handshake, to exchange keys. Or in other words to agree
which warehouse full of Enigma machines to use for this
particular transmission.

We must make it clear that the keys for e-larm are not
the same as for traditional encryption.

E-larm is so diverse in its choice of algorithms and
keys and because it uses chaos cannot be broken even if
its approach is known. An exhaustive search cannot
unlock chaotic encryption.

--

> --
> From: William Knowles[SMTP:[EMAIL PROTECTED]]
> Sent: Friday, November 10, 2000 7:00 PM
> To:   [EMAIL PROTECTED]
> Subject:  Republic targeted for sale of 'unhackable' system 
> 
> Snakeoil?
> 
> [Smells like it. --Perry]
> 
> http://www.ireland.com/newspaper/finance/2000/1110/fin10.htm
> 
> Friday, November 10, 2000 
> 
> SECURITY/Jamie Smyth: A Guernsey-based multimillionaire inventor, who
> claims to have developed the world's first "unhackable" communications
> security system, is seeking potential buyers in the Republic. Dr
> William Johnson, a tax exile with more than 100 registered patents to
> his name, has sent a negotiating team to the Republic to contact
> companies who may be interested in purchasing the licensing rights to
> the security system, E-Larm.
> 
[...]




RE: Oh for a decently encrypted mobile phone...

2000-09-15 Thread Trei, Peter

Well, that IS interesting. I note that there is both a government and
a civilian version, but I can't tell if they use different crypto. Of
course, it's probably impossible to obtain an independent verification
of the security.

Peter



> --
> From: Greg Rose[SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, September 14, 2000 9:59 PM
> To:   Bram Cohen
> Cc:   Enzo Michelangeli; [EMAIL PROTECTED]
> Subject:  Re: Oh for a decently encrypted mobile phone...
> 
> At 22:08 00/09/13 -0700, Bram Cohen wrote:
> >Wouldn't it be ironic if they resort to buying a bunch of stariums ...
> >-Bram Cohen
> >
> >[That would require that Stariums actually appear on the market at
> >some point. --Perry]
> 
> Stariums (a) should appear RSN (I have one) but (b) are not mobile.
> 
> There's the Qsec-800 CDMA mobile from Qualcomm, but that won't work in 
> England I don't think. See http://www.qualcomm.com/govsys/qsec.html .
> 
> Disclaimer: I work for one and invest in both, so I'm biased.
> Greg.
> 
> Greg Rose INTERNET: [EMAIL PROTECTED]
> Qualcomm Australia    VOICE:  +61-2-9181-4851   FAX: +61-2-9181-5470
> Suite 410, Birkenhead Point, http://people.qualcomm.com/ggr/
> Drummoyne NSW 2047    232B EC8F 44C6 C853 D68F  E107 E6BF CD2F 1081 A37C
> 
> 




FWD: ETSI releases some digital phone crypto algorithms.

2000-09-15 Thread Trei, Peter

Some of these are downloadable (f8,f9 and kasumi), but others have 
fees and/or irksome confidentiality agreements.

Peter Trei
-

From sci.crypt:

Bruce Schneier <[EMAIL PROTECTED]>
Thu 11:13 AM
Subject: Fresh Meat: New Crypto Algorithms Announced

The European Telecommunication Standards Institute (ETSI) has made a
bunch of encryption algorithms public:

 

My guess is that most of these are breakable, and that a good break
paper is publishable.

Bruce





RSA Security releases RSA algorithm into public domain two weeks early. [cpunk]

2000-09-06 Thread Trei, Peter

Wednesday September 6, 8:03 am Eastern Time

Press Release

SOURCE: RSA Security Inc.

RSA Security Releases RSA Encryption Algorithm into Public Domain

'c = m(e) mod n' Made Available Two Weeks Early

BEDFORD, Mass., Sept. 6 /PRNewswire/ -- RSA® Security
Inc. (Nasdaq: RSAS - news) today announced it has released the
RSA public key encryption algorithm into the public domain,
allowing anyone to create products that incorporate their own
implementation of the algorithm. This means that RSA Security has
waived its rights to enforce the patent for any development
activities that include the RSA algorithm occurring after
September 6, 2000.

Represented by the equation "c = m(e) mod n," the RSA algorithm
is widely considered the standard for encryption and the core
technology that secures the vast majority of the e-business
conducted on the Internet. The U.S. patent for the RSA algorithm
(#4,405,829, "Cryptographic Communications System And Method")
was issued to the Massachusetts Institute of Technology (MIT) on
September 20, 1983, licensed exclusively to RSA Security and
expires on September 20, 2000.

"So much misinformation has been spread recently regarding the
expiration of the RSA algorithm patent that we wanted to create
an opportunity to state the facts," said Art Coviello, chief
executive officer of RSA Security. "RSA Security's
commercialization of the RSA patent helped create an entire
industry of highly secure, interoperable products that are the
foundation of the worldwide online economy.  Releasing the RSA
algorithm into the public domain now is a symbolic next step in
the evolution of this market, as we believe it will cement the
position of RSA encryption as the standard in all categories of
wired and wireless applications and devices. RSA Security intends
to continue to offer the world's premier implementation of the
RSA algorithm and all other relevant encryption technologies in
our RSA BSAFE® software solutions and we remain confident in
our leadership in the encryption market."

For nearly two decades, more than 800 companies spanning a range
of global industries have turned to RSA Security as a trusted,
strategic partner that can provide the proven, time-tested
encryption implementations and resources designed to speed time
to market. These companies, including nearly 200 so far in 2000,
rely on RSA BSAFE® security software for its encryption
implementation and value-added services for a broad range of B2B,
B2C and wireless applications.

During the past 17 years, RSA Security has incorporated the
concepts represented by the RSA algorithm into its RSA BSAFE
cryptographic software. The company has made continuous
enhancements to the way the algorithm has been implemented,
including a number of performance improvements and optimizations,
not reflected in the original patent, for a wide range of
software applications, operating systems and chip designs. RSA
Security also is an industry leader in developing standards on
the robust application of encryption technologies for solving
real-world problems. These core standards, known as the Public
Key Cryptography Standards (PKCS), form the underpinnings of
today's most widely used communication methods.

In recent years, encryption technology has taken on an entirely
new level of importance in the world of business and consumer
technology, and RSA Security continues to be a leader in the
industry. Once the province of a small group of technologists and
mathematicians, new developments have raised the profile of
encryption among a broad range of audiences. Moving forward,
electronic signature legislation, export regulation and the
pending selection of the Advanced Encryption Standard (AES) all
will contribute significantly to encryption playing a key role in
the further expansion of e-commerce initiatives for B2B, B2C and
extended enterprise applications.

For more information regarding the RSA algorithm and a free RSA
algorithm t-shirt, visit www.rsasecurity.com/total-solution.

About RSA Security Inc.

RSA Security Inc., The Most Trusted Name in e-Security(TM), helps
organizations build secure, trusted foundations for e-business
through its RSA SecurID® two-factor authentication, RSA BSAFE
encryption and RSA Keon® public key management systems. With
more than a half billion RSA BSAFE-enabled applications in use
worldwide, more than seven million RSA SecurID users and almost
20 years of industry experience, RSA Security has the proven
leadership and innovative technology to address the changing
security needs of e-business and bring trust to the new, online
economy. RSA Security can be reached at www.rsasecurity.com.

NOTE: This press release contains forward-looking statements
relating to the role of the RSA algorithm encryption and the
expansion of e-commerce. Such statements involve a number of
risks and uncertainties. Among the important factors that could
cause actual results to differ materially from those indicated by
such forward-looking

RE: Free speech and the DeCSS case

2000-07-26 Thread Trei, Peter

I hope that reference is made to Judge Patel's determination that
source code (at least) is speech in the Junger(?) case.

Peter Trei

> --
> From: Steve Bellovin[SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday, July 26, 2000 9:52 AM
> To:   [EMAIL PROTECTED]
> Subject:  Free speech and the DeCSS case
> 
> According to today's Wall Street Journal, the judge in the DeCSS case 
> against 2600 publisher Eric Corley (better known as Emmanuel Goldstein) 
> has asked both sides to submit briefs on whether or not software is 
> speech, and hence protected by the First Amendment.
> 
>   --Steve Bellovin
> 
> 
> 




RE: Electronic elections.

2000-05-30 Thread Trei, Peter



> --
> From: R. A. Hettinga[SMTP:[EMAIL PROTECTED]]
> At 9:33 AM -0400 on 5/30/00, Trei, Peter wrote:
> 
> > If the person whose vote is being coerced has the
> > coercer looking over their shoulder as they cast it
> 
> Just for fun, think about the mathematics of this proposition?
> 
If you're the person with an abusive spouse leaning over your
shoulder, the mathematics are 100%.

If you're the ward heeler who visits 50-100 households on
election day, and checks that  the residents vote "right"
(otherwise the local political machine will make things
difficult for them) the numbers are pretty good as well.

If the WH is better funded, she can let it be known that 
there's a $50 bill awaiting each voter in the precinct who
votes "right" from the PC in the heeler's office.

In the old days, you didn't fill out your own ballot - you got
one from the party rep outside the polling place, and were
observed dropping it in the box. At first color coding made
it abundantly clear which ballot you were using; later after
'white' had been mandated for ballots, the parties explored
the color space of off-white, white, pale gray, etc. Only when
the election process required the same form to be used
by all parties was this abuse eliminated...

The point has been made that paper ballots are also subject
to stuffing, removal, tampering, etc.

Perhaps, but in a system which pretends to fair elections,
it can be made very tough. The one election whose process I
observed carefully (rather than running in, voting, and leaving)
was a British one around 1975 (the house I lived in was a
polling station).

Representatives from both major parties were there for the
entire voting period. Having mutually suspicious observers
of the public parts of the process greatly enhances security.
After the period ended, the box was sealed (literally, with
sealing wax seals by the observers), and they all transported 
it together to the counting station, where, once again, 
mutually suspicious observers from all parties watched and 
vetted the counting process.

I'm sure it was not totally immune to tampering, but the
system seemed pretty resistant to it.

Peter Trei

> :-).
> 
> Cheers,
> RAH
> 




RE: Electronic elections.

2000-05-30 Thread Trei, Peter



> --
> From: Ray Hirschfeld[SMTP:[EMAIL PROTECTED]]
> Reply To: [EMAIL PROTECTED]
> Sent: Tuesday, May 30, 2000 1:18 AM
> To:   [EMAIL PROTECTED]
> Cc:   [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject:  Re: Electronic elections.
> 
> > Date: Mon, 29 May 2000 07:52:24 -0400
> > From: Dan Geer <[EMAIL PROTECTED]>
> 
> > There is no doubt whatsoever that the sanctity of a vote once
> > cast can be absolutely preserved as it is moved from your house
> > to the counting house.  What cannot be done, now or ever, is to
> > ensure the sanctity of the voting booth anywhere but in a
> > physical and, yes, public location attended to by persons both
> > known to each other and drawn from those strata of society who
> > care enough to be present.  There are no replacements for the
> > voting booth as a moment of privacy wrapped in inefficient but
> > proven isolation by unarguable witness, a place where we are
> > equal as in no other.  Move the dispatch of a vote to a remote
> > browser and $100 bills, concurrent sex acts, a pistol to the head,
> > wife-beating or any other combination of bribes and coercion is
> > an undiscoverable concommitant of the otherwise "assured"
> > integrity of the so-called vote.
> 
> There are a number of results in the crypto literature on receipt-free
> voting, most recently (that I'm aware of) one presented by Kazue Sako
> at last month's Eurocrypt 2000.  Receipt-freeness means that voters
> cannot demonstrate to third parties how they voted, and thus addresses
> the bribery and coercion issue.
> 
This is nonsense. If the person whose vote is being coerced has the
coercer looking over their shoulder as they cast it, no receipt is needed
to convince the coercer that their demand has been met.

If a receipt *is* created - allowing a voter to determine that their vote
was recorded as being for a certain candidate - the coercer can use that to
ensure that their demands were followed.
[..]

> A completely different tack is to allow voters to cast as many ballots
> as they like and count only the last one.  This effectively defends
> against buying and forcing of votes because the voter can always vote
> again.  (I gather that corporate proxy voting works this way.)
> 
This is more workable, as it increases the work factor for the coercer:
he/she/it has to ensure that the last vote cast was cast the way 
demanded. I don't regard it as sufficient however - the greater
complexity opens the way for error.

> Although internet voting may be hunky-dory from a cryptographer's
> perspective, there are some cogent (both technical and political)
> arguments against its feasibility at this time.  Cf. the report of
> California's task force at http://www.ss.ca.gov/executive/ivote.
> 
I entirely agree. I don't truly trust voting machines either - I would like
to see all elections decided by paper ballots stuffed in a box, after being
marked in a way which is private, and publicly observable to be private.
The ballots should be counted with representatives of all candidates
present.

Yes, this is more expensive, and slower. However, public confidence
in the fairness of elections is more than worthy of the expense. Dan is
right, and David is wrong.

Peter Trei


> Ray
> 




RE: Critics blast Windows 2000's quiet use of DES instead of 3DES

2000-05-18 Thread Trei, Peter



> --
> From: L. Sassaman[SMTP:[EMAIL PROTECTED]]
> On Wed, 17 May 2000, John Young wrote:
> 
> > While John may be speculating about NSA subversion of strong crypto,
> > specific examples of this would be very helpful. Here are a few firms
> > for consideration as candidates for today's Crypto AGs besides Microsoft
> > (meaning latest products, not those that have been suspected in the
> > past):
> > 
> > Cylink
> > IBM
> > Lotus
> > TIS
> > RSA
> > PGP
> 
[...]

> Well, I can tell you that my NDAs do not cover secrecy agreements for
> compromises made with the NSA. If PGP were in any way compromised by the
> NSA (or any other party, for that matter) I would not be working here.
> 
> 
I'd like to concur with Mr. Sassaman. Many people who work at security
related firms have a major personal commitment to the principle of
privacy - enough that I suspect that it would be near impossible for any
major firm to deliberately compromise their products, and keep the
fact secret.

Peter Trei
[Disclaimer: The above is my own opinion only; it may or may not
represent that of my employer, though I would hope that it does.-pt]






RE: GPS no longer encrypted

2000-05-03 Thread Trei, Peter

Yes, my little Garmin GPS III+ now reports error circles as low as
13 feet (as opposed to about 200 before the change). This is *very*
nice for people who need that level of precision. Of course, minor 
errors in the map database become glaringly obvious when you 
can tell which lane you're driving in, as opposed to merely which
road you are on.

Over on sci.geo.satellite-nav they're wetting their pants in joy.

Peter Trei


> --
> From: Rich Salz[SMTP:[EMAIL PROTECTED]]
> Sent: Tuesday, May 02, 2000 10:12 AM
> To:   [EMAIL PROTECTED]
> Subject:  GPS no longer encrypted
> 
> A handful of press releases, including
>  
> http://www.whitehouse.gov/library/ThisWeek.cgi?type=p&date=1&briefing=0
> 
> Which starts...
> Today, I am pleased to announce that the United States will stop the
> intentional degradation of the Global Positioning System (GPS) signals
> available to the public beginning at midnight tonight.  We call this
> degradation feature Selective Availability (SA). This will mean that
> civilian users of GPS will be able to pinpoint locations up to ten times
> more accurately than they do now.  GPS is a dual-use, satellite-based
> system that provides accurate location and timing data to users
> worldwide.
> 
> 




RE: Onhand, clapping? (was Re: NTK now, 1999-12-10)

1999-12-13 Thread Trei, Peter

I think this is what Bob was trying to reference:

www.onhandpc.com

Peter Trei

> --
> From: R. A. Hettinga[SMTP:[EMAIL PROTECTED]]
> Sent: Monday, December 13, 1999 8:18 AM
> To:   Digital Bearer Settlement List; [EMAIL PROTECTED];
> [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject:  Re: Onhand, clapping? (was Re: NTK now, 1999-12-10)
> 
> At 12:56 am -0500 13/12/99, R. A. Hettinga wrote:
> >Hey, guys,
> >
> >Would this puppy work as an acceptable bearer-certificate-carrying
> device?
> >
> >:-).
> >
> >
> >
> 
> Heh...
> 
> 
> ...Which Fearghas tells me is some pseudomystical gobbledegook, which
> given the nature of the typo, could have been, um, worse.
> 
> 
> So, I'd like to sell a vowel, Vanna.
> 
> This is the URL, I was talking:
> 
> 
> 
> Cheers,
> RAH
> -
> R. A. Hettinga 
> The Internet Bearer Underwriting Corporation 
> 44 Farquhar Street, Boston, MA 02131 USA
> "... however it may deserve respect for its usefulness and antiquity,
> [predicting the end of the world] has not been found agreeable to
> experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
> 



RE: Rumor of a working quantum computer

1999-10-01 Thread Trei, Peter



Keith Dawson[SMTP:[EMAIL PROTECTED]] writes:
>Sent:  Thursday, September 30, 1999 9:00 AM
>Subject:   Rumor of a working quantum computer
>To:[EMAIL PROTECTED]

>Anyone heard word on this rumor? The Sunday Times story claims
>that a European Institute of Quantum Computing Network has been
>hastily formed to develop commercial banking codes based on
>quantum entanglement.

>  The institute was founded a few weeks after news leaked from
>  the Israel's Weizmann Institute that it was using a mixture of
>  quantum computing and special optical technology to break
>  the RSA-512 code, the system used by the European banking
>  system. It claims it has developed a hand-held device that
>  can break the code in 12 microseconds.

>The "special optical technology" sure sounds like someone has
>implemented Shamir's TWINKLE already.

>[TWINKLE I can believe. Quantum computers sound fishy. --Perry]
>Is there any truth to this?
>
>http://www.sunday-times.co.uk/news/pages/tim/99/09/29/timintint02001.html?1341861

The short answer seems to be 'No.'

Venerable as the Times of London is, I've found the
fact-checking at the Sunday Times to be wanting on
occasion. While www.eiqc.org is a real web site, it is
curiously content free - the only contact points listed
are email addresses in other domains, and the only
'meat' in terms of quantum research lies in pointers to
other sites, none of which mention a working quantum
computer. It's particularly interesting that the EIQC
site mentions nothing about the Weizmann Institute's
purported use of quantum and optical methods to quickly
crack RSA-512, since that is the alleged reason it
was created.

The only paper directly referenced is TWINKLE, and that's
referred to at jya.com, rather than WPI (where the paper
was presented), or Technion U. (where the research was
done).

I asked Bob Silverman, the Senior Research Scientist
and factoring expert here at RSA Security, about
this, and his opinion was that the EIQC and the claims
for a working quantum computer were almost certainly a
hoax.

I think the Times got snookered on this one.

Peter Trei
[EMAIL PROTECTED]

Disclaimer: The above represents my (and Bob's)
personal opinions only, and should not be
construed as necessarily representing those of
our employer.




RE: Is There a Visor Security Model?

1999-09-21 Thread Trei, Peter

The Visor uses Palm OS, so I don't think it's any better.
Peter Trei


> --
> From: Robert Hettinga[SMTP:[EMAIL PROTECTED]]
> Sent: Tuesday, September 21, 1999 2:49 PM
> To:   [EMAIL PROTECTED]; [EMAIL PROTECTED]; Digital Bearer
> Settlement List
> Subject:  Is There a Visor Security Model?
> 
> Everyone's probably heard of the new Palm-alike Visor by now, and 
> it's got this "springboard" slot in the back processors, memory, and 
> other stuff.
> 
> The Palm's security model is, by most accounts I've seen, non-existent.
> 
> Is the Visor any better?
> 
> It would be nice to have a portable cryptographic/signature/digital 
> money device. Are we any closer?
> 
> Cheers,
> RAH
> -
> Robert A. Hettinga 
> The Internet Bearer Underwriting Corporation 
> 44 Farquhar Street, Boston, MA 02131 USA
> "... however it may deserve respect for its usefulness and antiquity,
> [predicting the end of the world] has not been found agreeable to
> experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
> 



RE: more re Encryption Technology Limits Eased

1999-09-20 Thread Trei, Peter



> --
> [EMAIL PROTECTED][SMTP:[EMAIL PROTECTED] wrote:]
> Subject:  Re: more re Encryption Technology Limits Eased
> 
> Bill Simpson said:
> >
> > - We just learned a few weeks ago that every copy of Windows has a secret
> >   NSA key.  We don't know why.  Remember the Lotus Notes secret NSA key
> >   fiasco that got us in trouble with the Swedish government?  How can we
> >   ever compete, when nobody trusts our software?
> 
> Just because I was in the middle of this and am personally sensitive to
> misinformation circulating about this, let me clarify the facts about
> this:
> 
> Lotus Notes has since January '96 contained an NSA Public key. It has never
> been a secret. Lotus issued a press release about it at the RSA Conference
> that January and I posted a copy of that press release to cypherpunks. I
> also described it in a talk I gave at Lotusphere. It is there in support
> of the best deal we could negotiate with NSA whereby we were allowed
> to use 64 bit keys in the export version if we encrypted 24 of
> those bits under the NSA public key so that if they wanted to break a
> message they would only face a 40 bit workfactor. It is not used for
> communications between two copies of the domestic version of the product.
> The result was encryption that was as secure against the U.S. government
> as any that could legally be exported and more secure against other
> attackers.
> 
> But no good deed ever goes unpunished. Periodically someone stumbles
> across that press release and reveals it as though it were some
> secret revelation. There was a PR problem in the Swedish press,
> and more recently when it was cited in a European Commission report
> on Echelon.
> 
>  --Charlie Kaufman
> 
I concur with Charlie. It was announced at the conference,
and the press release was posted, and the issue discussed
to death on cypherpunks. It led me to coin the
term 'espionage enabled' to describe this class of 
weakened security (this was before I came to work for my
current employer).

I've been slightly bemused by the Swedish government's
claims to have discovered some deep, dark secret. What
it really shows is that government's failure to do
due diligence.

Peter Trei
[EMAIL PROTECTED]

Disclaimer: I am not speaking for my employer.
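The arithmetic behind the deal Charlie describes (a 64-bit export key, 24 bits of it sealed under the agency's public key, leaving a 40-bit search for the key holder and the full 64 bits for everyone else) is easier to see run than to read. The following is an added example and not code from Lotus or from the posts above: the stream cipher is a constructed SHA-256 keystream, the sealing of the escrowed bits uses a toy textbook-RSA modulus (constructed and insecure), and the sizes in `demo()` are scaled down from Notes' 64/24 to 16/8 so that both searches finish in well under a second. The functions themselves take any `key_bits`/`escrow_bits`, so the Notes values can be passed in, although the outsider's search would then of course never finish.

```python
"""Scaled-down model of the Lotus Notes export "workfactor reduction" scheme.

Added example, not code from the original posts. The cipher is a constructed
SHA-256 keystream, the escrowed bits are sealed under a toy textbook-RSA key
(constructed, insecure), and demo() uses 16/8-bit sizes in place of Notes' 64/24.
"""
import hashlib

# Constructed toy RSA key standing in for the agency's public key (real keys are
# far larger). 1000003 and 1000033 are prime; n is about 2^40, enough to seal a
# 24-bit field.
P, Q = 1000003, 1000033
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # the agency's private exponent


def keystream(key, length):
    """Constructed toy stream cipher: expand the integer key with SHA-256."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key.to_bytes(8, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """XOR with the keystream; decryption is the same operation."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


def make_message(key, key_bits, escrow_bits, plaintext):
    """Encrypt and attach the sealed field: the top escrow_bits of the key,
    encrypted under the agency public key (Lotus' workfactor reduction field)."""
    escrowed = key >> (key_bits - escrow_bits)
    sealed = pow(escrowed, E, N)
    return encrypt(key, plaintext), sealed


def brute_force(ciphertext, known_prefix, key_bits, known_high=None, escrow_bits=0):
    """Exhaustively search for the key that reproduces known_prefix.

    With known_high (the escrowed bits, as recovered by the agency) only the
    remaining key_bits - escrow_bits bits are searched. Returns (key, tries)."""
    low_bits = key_bits - escrow_bits if known_high is not None else key_bits
    base = (known_high << low_bits) if known_high is not None else 0
    for low in range(1 << low_bits):
        candidate = base | low
        if encrypt(candidate, ciphertext[:len(known_prefix)]) == known_prefix:
            return candidate, low + 1
    return None, 1 << low_bits


def demo(key=0xBEEF, key_bits=16, escrow_bits=8):
    """Compare the agency's search with an outsider's on a scaled-down message."""
    plaintext = b"Notes message header: constructed sample text"   # constructed
    known = plaintext[:16]                                          # known plaintext
    ciphertext, sealed = make_message(key, key_bits, escrow_bits, plaintext)

    # The agency opens the sealed field with its private key, then searches the rest.
    escrowed = pow(sealed, D, N)
    agency_key, agency_tries = brute_force(ciphertext, known, key_bits, escrowed, escrow_bits)

    # Anyone else has to search the whole key space.
    outsider_key, outsider_tries = brute_force(ciphertext, known, key_bits)
    return {
        "agency_key": agency_key, "agency_tries": agency_tries,
        "outsider_key": outsider_key, "outsider_tries": outsider_tries,
        "agency_max": 1 << (key_bits - escrow_bits), "outsider_max": 1 << key_bits,
    }
```

With the default key both searches recover it; the agency needs at most 2^8 = 256 trials (240 for this key) while the outsider faces up to 2^16 = 65536 (48880 here). That ratio of 2^escrow_bits is the whole effect of the field: against the private-key holder the cipher is only as strong as the unescrowed bits, against everyone else it keeps its full key length.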







RE: No liberalization for source code, API's

1999-09-20 Thread Trei, Peter



> --
> Greg Broiles[SMTP:[EMAIL PROTECTED]] wrote:
> Subject:  No liberalization for source code, API's
> 
> There's been some discussion of this in the press, but not much discussion
> of the specifics. BXA has published a "question-and-answer" document 
> discussing the anticipated regulations; it's available at 
> , and John Young has archived a copy at .
> 
[...]
> Also, their thinking about API's seems to have become more nuanced; they 
> now envision two classes of API's which are treated differently for export
> purposes, to wit -
> 
>  >How does the update to encryption policy affect the export of
>  >cryptographic application programming interfaces (CAPIs)?
>  >
>  >Cryptographic interfaces are divided into two classes: Open Cryptographic
>  >Interfaces (OCI) and Closed Cryptographic Interfaces (CCI). OCI's are
>  >considered crypto-with-a-hole because they permit a customer or other party
>  >to insert cryptography into an encryption item. OCI's will continue to be
>  >reviewed on a case-by-case basis through the licensing process.
>  >
>  >CCI's contain a mechanism (such as a digital signing key) that prevents a
>  >customer or other party from inserting cryptography into an encryption item.
>  >After a technical review of the binding mechanism, these products will be
>  >eligible for export under a license exception. If destined to a commercial
>  >end user, the additional signing can take place under a license exception
>  >after a technical review. If destined to a foreign government or military
>  >entity, the additional signing requires a license.
>  >
>  >We intend to discuss this issue with industry as we consult on the
>  >implementation of this regulation.
> 
So, has MS-CAPI changed from a CCI to an OCI, now that 
people can replace the _NSAKEY with their own, and use
any strength crypto components they wish?

Peter Trei
[EMAIL PROTECTED]

Disclaimer: I am not speaking for my employer.




RE: NSA key in MSFT Crypto API

1999-09-03 Thread Trei, Peter

The ability to replace the NSA key with another
is an extremely serious vulnerability. This means that
*anyone* - not just the NSA - can write a compromised
module and install it on the target, as long as they
also replace the NSA key with the one they used to
sign the weakened module.

Tripwire, anyone?

Peter Trei


> --
> From: Salz, Rich[SMTP:[EMAIL PROTECTED]]
> Sent: Friday, September 03, 1999 10:42 AM
> To:   'Lucky Green'; cypherpunks@Algebra.COM
> Cc:   Cryptography@C2.Net; [EMAIL PROTECTED]
> Subject:  RE: NSA key in MSFT Crypto API
> 
> >For more information and a program to remove the NSA's key from your copy of
> >Windows 95, 98, NT, 2000, see
> >http://www.cryptonym.com/hottopics/msft-nsa.html
> 
> Perhaps more interestingly, the program lets you replace the key, too.
> It requires no special privileges -- just uses some undocumented API's.
> 
> It would be ...interesting... for someone to combine that program with
> Melissa, where the body of the messages was a public/private keypair.
>   /r$
> 
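Both the CCI/OCI question in the "No liberalization for source code, API's" post and the "Tripwire, anyone?" remark above come down to the same point: a "closed" interface is only as closed as the storage of its verification key, and once that key can be overwritten without privilege the binding mechanism accepts whatever the key's new owner signs. The example below is added here and is not code from Microsoft, BXA or the posts; it models the loader, the key swap, and the file-integrity baseline that would flag it. The signatures are textbook RSA over toy moduli of about 40 bits (constructed and insecure, only to show the binding), and the monitored file name `capi_keyslot.bin` is hypothetical.

```python
"""Why a replaceable verification key breaks a "closed" crypto interface, and how
a Tripwire-style integrity baseline catches the swap.

Added example, not code from Microsoft, BXA or the original posts. Toy RSA over
~40-bit moduli (constructed, insecure); "capi_keyslot.bin" is hypothetical.
"""
import hashlib

E = 65537


def next_prime(n):
    """Smallest prime >= n by trial division (adequate for the ~10^6 values used here)."""
    while any(n % k == 0 for k in range(2, int(n ** 0.5) + 1)):
        n += 1
    return n


def make_keypair(p, q):
    """Toy RSA: returns ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


def digest(data):
    """SHA-256 truncated to 32 bits so the value fits under the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def sign(priv, data):
    n, d = priv
    return pow(digest(data), d, n)


def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest(data)


class ClosedInterface:
    """CCI-style loader: a module is accepted only if signed by the key in key_slot.
    key_slot models a verification key stored where ordinary code can overwrite it."""

    def __init__(self, trusted_pub):
        self.key_slot = trusted_pub
        self.loaded = []

    def load_module(self, name, code, sig):
        if verify(self.key_slot, code, sig):
            self.loaded.append(name)
            return True
        return False


def baseline(files):
    """Tripwire-style snapshot: SHA-256 of every monitored file's contents."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def changed_files(base, files):
    """Names of monitored files whose current hash differs from the baseline."""
    return sorted(name for name, data in files.items()
                  if hashlib.sha256(data).hexdigest() != base.get(name))


def scenario():
    """Vendor-signed module loads; a module signed under a different key is refused
    until the key slot is overwritten; the integrity baseline flags the overwrite."""
    p = next_prime(1_000_000); q = next_prime(p + 1)
    vendor_pub, vendor_priv = make_keypair(p, q)
    p2 = next_prime(q + 1); q2 = next_prime(p2 + 1)
    rogue_pub, rogue_priv = make_keypair(p2, q2)

    good = b"constructed stand-in for a vendor-signed strong cipher module"
    weak = b"constructed stand-in for a weakened module signed by someone else"
    cci = ClosedInterface(vendor_pub)
    result = {}
    result["good_loads"] = cci.load_module("good", good, sign(vendor_priv, good))
    result["weak_rejected"] = not cci.load_module("weak", weak, sign(rogue_priv, weak))

    # Snapshot the key-bearing file, then perform the swap the posts describe.
    monitored = {"capi_keyslot.bin": repr(cci.key_slot).encode()}
    base = baseline(monitored)
    cci.key_slot = rogue_pub
    result["weak_loads_after_swap"] = cci.load_module("weak", weak, sign(rogue_priv, weak))

    # The binding mechanism is now worthless, but the integrity check still sees it.
    monitored = {"capi_keyslot.bin": repr(cci.key_slot).encode()}
    result["flagged"] = changed_files(base, monitored)
    return result
```

The integrity check is a detection, not a fix: it only helps if the baseline was taken before the swap and is stored somewhere the same unprivileged code cannot reach, which is exactly the property the key slot itself lacks.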



Some hard info on Adi Shamir's paper.

1999-05-04 Thread Trei, Peter

Bob Silverman, who works downstairs from
me, recently posted the following to 
sci.crypt.

Peter Trei

--
From: Bob Silverman <[EMAIL PROTECTED]>
Newsgroups: sci.crypt
Subject: Shamir's Announcement
Date: Tue, 04 May 1999 17:42:18 GMT
Organization: Deja News - The Leader in Internet Discussion
Lines: 26
Message-ID: <7gnbhp$jnc$[EMAIL PROTECTED]>
NNTP-Posting-Host: 204.167.112.129


I promised a description.

See:  

http://www.rsa.com/rsalabs/html/twinkle_qa.html

and

http://www.rsa.com/rsalabs/html/twinkle.html

Shamir's announcement is for a fast piece of sieving hardware.  He
gives a rough spec for a photo-electric sieving device which will sieve
100 to 1000 times faster than a typical PC.

Such devices are NOT new.  D.H. Lehmer built a mechanical-optical sieve
in the 1930's.

Shamir's device still requires some sophisticated optical/electrical
engineering to make it a reality. But it does look feasible.

--
Bob Silverman
"You can lead a horse's ass to knowledge, but you can't make him think"

---== Posted via Deja News, The Discussion Network ==--
http://www.dejanews.com/   Search, Read, Discuss, or Start Your Own



RE: Starium announces STU-III for the masses

1999-04-29 Thread Trei, Peter


Rather than argue about April 1 "FireFly"
RFCs and the purported properties of 
classified devices, here's a tidbit 
of real info: 

I asked Eric if the protocols will 
be published, so that compatible
software implementations can be created.

He said yes.

Peter Trei





Free passes for RSA 1999 Vendor Expositions

1999-01-13 Thread Trei, Peter

I hope that this gets to the interested parties in 
time.

The 1999 RSA Data Security Conference starts this 
Sunday in San Jose. New this year, you can get 
a free pass for the vendor exhibitions (Mon-Wed) 
simply by registering for one at the RSA website
(www.rsa.com).

The deadline for this is 14 January. It covers
the exhibit halls only - not the sessions,
receptions, etc (though for $75 a full member can
get you a ticket for the IBM Cryptographer's Gala
on Wednesday night at the New Tech Museum - past
Galas have been much more than worth the money :-)

Peter Trei




RE: Demise of H.R. 1714 and its lessons for Internet voting

1999-01-02 Thread Trei, Peter

This may be drifting off-topic, but...

One serious worry I have concerning 
Internet voting schemes is that there
seems to be no consideration of making
the ballot secret. 

If I go to my school auditorium to vote,
I fill out the ballot in a little hutch,
and no one but I can see what I have 
*actually* put down (yes, I know the
protection is not absolute, but the 
presence of mutually suspicious 
poll-watchers makes it pretty good).

If I were to vote at home on my PC,
regardless of how good the cryptographic
protections are, I can see no way to
make shoulder surfing impossible. 

This enables inducements. Examples:

"Honey - if I see you vote for 
Feinstein I'll make it *real* *good* 
for you tonight" 

or 

'This $50 bill is yours if I see you vote
Republican'.

Back in the old days, parties printed 
their own ballots (sometimes on odd
colored paper) and could observe which
ballot a voter actually stuffed in the
box, and made pay-offs accordingly.

Are we headed back to this situation?

Peter Trei 




> --
> From: Ed Gerck[SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, November 04, 1999 3:12 AM
> To:   [EMAIL PROTECTED]
> Subject:  Demise of H.R. 1714 and its lessons for Internet voting
> 
> 
> California - http://www.votesite.com/CIVI.PDF
> 
> This initiative by the Attorney General of California aims to
> make California safe for Internet voting by creating an ad hoc
> validity for Internet voting while vacating current laws
> (including the California Constitution) and even theoretically
> possible laws that could impede the use of Internet voting in
> California.
> 
> 



RE: Triple DES "standard"?

1998-12-31 Thread Trei, Peter



> -Original Message-
> From: [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
> 
> > A couple years ago, when the X9 committee -- or maybe one of the X9
> >crypto subcommittees -- rejected that advice and initially recommended that
> >3DES be made a standard, I was told that the NSA rep angrily declared that
> >3DES would _never_ get an export license and would never be shipped
> >overseas. (Which may have put a damper on the 3DES standardization
> >effort;-)
> 
> I heard the same story, but don't recall the source either.
> 
> Someone (memory says Phil Karn, but I'm probably wrong) applied for some
> kind of export license and was denied.  Interestingly, the form had an
> obviously-newly-added reason appended to the "checklist of reasons for
> denial."  The addition was "uses triple-DES."
> 
> Trolling through the cypherpunks archives around 12-18 months ago should
> find the story.
>   /r$
[Trei, Peter]  
I can partially confirm this - a couple of years ago 
(at a previous employer) I incorporated SSL into an NT 
web server (using SSLeay). The standard version used 
3DES to encrypt server private keys for storage on 
the server (not for transmission). The NSA initially 
refused export permission, based on this feature. I 
lowered the bar to single DES, and they were happy.

This was despite the fact that 3DES could *only* be used
to *store* the certificate. The NSA person I spoke to 
made it clear that any use of 3DES in any capacity would
result in an automatic refusal.

[The domestic version continued to use 3DES, 1024 bit RSA,
and 128 bit RC4]

Peter Trei
[EMAIL PROTECTED]

[I apologize for the lousy formatting of this message. I
am using a Microsoft mail product.]




DoS considered harmful [WAS: RE: Anyone striking?]

1998-12-15 Thread Trei, Peter

Someone using the name Carlos Gomes [[EMAIL PROTECTED]] 
wrote:

> [...]
> There were several ideas floating around: a) detach
> from the net and from work b) create a signed letter of
> disapproval published to appropriate orgs c) _short_
> loosely organized burst of DoS against select online
> targets from widely distributed sources.

> All valid forms of protests (when properly organized
> and executed) all with varying forms of impact and
> visibility.  For the record, I think option c) could be
> a valid and effective form of active protest.  It is a
> form which has not been used in support of the cpunks'
> agenda (or many agenda's for that matter) to date and
> one that merits a review.
> [...]

> regards,
> C.G.

A DoS (Denial of Service) action is a really, really,
really bad idea.

It's both illegal and counterproductive. It's the sort
of thing I would expect to hear from an 'agent
provocateur' bent on discrediting critics of
government policy, by casting them as malicious hackers.

We went through this once before. Back when I was
getting the DES challenges going, someone proposed
that the target should be a live bank transaction (I
think in Germany). I argued strenuously against such a
move, and in favor of a specifically created target.
This goal was fulfilled when I got RSA to set up and
sponsor the Symmetric Key Challenges.

If a group of people coordinated in any way to mount a
DoS attack, the effects would include:

1. Lump anyone taking an anti-Wassenaar position
together with a gang of destructive hackers.  This
would be a tremendous setback for the Good Guys, and
play straight into the hands of those who would
remove freedom.

2. Anyone engaging in such an attack would face
real-world LEA investigation for computer hacking.

3. Anyone who discusses such an attack with anyone who
actually goes out and does it (other than to argue
against it, as I am doing) could be charged with
conspiracy.

[So, if any of you are idiotic enough to do this, do
the rest of us a favor, and keep your discussion to
private channels and *off* the mailing lists. I *don't*
want to know.]

4. Most importantly, It Would Be Wrong. As long as
legal channels exist to right the errors of government
policy, they should be used. That governments stoop to
dishonest, deceitful, and unconstitutional activities
(or activities 'legal' only in the Clintonian sense)
does not justify others abandoning the moral high
ground.

I don't think a strike is going to fly, either. What
might work is a Web page blackout, similar to that
done for the original CDA nonsense.

Peter Trei
[EMAIL PROTECTED]

[Disclaimer: In this message, I speak for myself only.]



January Bay Area meeting date.

1998-11-20 Thread Trei, Peter

The 1999 RSA Data Security Conference will be held
in San Jose, Sunday January 17th thru Thursday,
January 21. It will bring a lot of out-of-town
members of these mailing lists into the Bay Area.

Last year, the date of the January Cypherpunks
Physical Meeting was shifted so that conference
attendees who stayed over the weekend could turn
up. Several did, and I gave a repeat performance
of my conference presentation.

I'd like to suggest shifting the date again. The 
physical meetings seem to be normally held second 
Saturdays, which  suggests a Jan 9 date. If it 
could be moved up to the 16th, people could 
arrive on Friday (or early Saturday) and 
attend the cpunk meeting. Many conference
attendees will be staying over that Saturday
night to take advantage of the cheaper airfares.

Peter Trei