Re: How to ban crypto?
"Steven M. Bellovin" <[EMAIL PROTECTED]> writes:

>The basic [GAK] argument is complexity. Cryptographic software and key
>exchange protocols are very hard to get right even in simple cases. If we now
>try to add a new feature, we have to add complexity. Worse yet, this new
>feature is designed to do something that is not only brand-new, it's something
>that more conventional protocols and implementations are designed to avoid, at
>virtually all costs: export a copy of the key. Why do you think we can get
>this right?

There is strong empirical evidence to support the fact that we can't get this
right. Let's say a GAK infrastructure is two orders of magnitude more difficult
to establish than a PKI (it may be even worse than that, but let's take that as
an estimate - to get a GAK infrastructure going you need, as a minimum, a fully
functional PKI to build on top of). After 10 years of effort we haven't even
managed to get a basic PKI going yet (what's being practiced today could best
be described as "certificate manufacturing"). I can't see how a GAK
infrastructure will ever be practical.

(I once heard a story about someone in the military who suggested that
security researchers develop a program which could analyse another program to
see if it would do something malicious. The response was that the military
should fund the research and they'd let them know when they had a solution.
Perhaps this is a way to get funding for further PKI/GAK research).

Peter.

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: How to ban crypto?
At 07:21 PM 09/16/2001 -0700, David Honig wrote:
>At 06:02 PM 9/16/01 -0400, Angelos D. Keromytis wrote:
> >Niels Provos (U. of Michigan) has a very interesting paper on detecting
> >steganography on the network (he talked about it during the USENIX Sec. WIP
> >session). Basically, he didn't find any steganography in about 2 million images
> >he tested on Ebay. He's working on doing the same for other mediums/sites.
>
>He did a positive control, right?

Obviously this means that the stego-mongers are sufficiently good :-)

It's not clear that EBay would be the right place to put stego, though I
suppose it's an interesting idea. The popular method people discuss is Usenet
porn spam; another obvious approach is webcams, since they're typically going
to have pictures that aren't broadcast everywhere.
Re: How to ban crypto?
In message <[EMAIL PROTECTED]>, David Honig writes:
>At 06:02 PM 9/16/01 -0400, Angelos D. Keromytis wrote:
>>Niels Provos (U. of Michigan) has a very interesting paper on detecting
>>steganography on the network (he talked about it during the USENIX Sec. WIP
>>session). Basically, he didn't find any steganography in about 2 million images
>>he tested on Ebay. He's working on doing the same for other mediums/sites.
>
>He did a positive control, right?

Yes (according to the paper). Niels is apparently stuck in Greece at the
moment, which is probably why he's not responding...
-Angelos
Re: How to ban crypto?
On Sun, 16 Sep 2001, Peter Fairbrother wrote:

> Banning cryptography to deter terrorism, or controlling it to give
> GAK, is much in the news these days. I wonder if it could be done?

The noble goal of this "ban all crypto"-move, seems to be that all messages
should be understandable and readable to everyone. Or at least that is what
*I* _decipher_ *their* _messages_ are intended to mean.

Alas, to this day, even plain text English has not achieved this worthy goal.
It is up to each recipient to ultimately decide what a message is, and what it
means.
Re: How to ban crypto?
[Some mailer problems. Perry, if possible, can you inject this mail with the
headers below?]

--- Forwarded Message

Subject: Re: How to ban crypto?
To: "Angelos D. Keromytis" <[EMAIL PROTECTED]>
Cc: Carl Ellison <[EMAIL PROTECTED]>, [EMAIL PROTECTED], [EMAIL PROTECTED]
From: Niels Provos <[EMAIL PROTECTED]>
In-Reply-To: "Angelos D. Keromytis", Sun, 16 Sep 2001 18:02:49 EDT
Date: Mon, 17 Sep 2001 07:33:39 -0400
Sender: [EMAIL PROTECTED]

In message <[EMAIL PROTECTED]>, "Angelos D. Keromytis" writes:
>Niels Provos (U. of Michigan) has a very interesting paper on detecting
>steganography on the network (he talked about it during the USENIX Sec. WIP
>session). Basically, he didn't find any steganography in about 2 million
>images he tested on Ebay. He's working on doing the same for other
>mediums/sites.
>
>As the paper has not been published yet, I don't want to give more details.
>I've cc'ed Niels on this message, so perhaps we'll get a summary of his latest
>results.

A preliminary version of the paper "Detecting Steganographic Content on the
Internet" is available as CITI Techreport. You can find it at

http://www.citi.umich.edu/techreports/

Greetings,
Niels.

--- End of Forwarded Message
Re: How to ban crypto?
Slashdot put up a decent, relevant article this afternoon. (Yes, a real
original article, not just a quickie squib.)

http://slashdot.org/article.pl?sid=01/09/16/1647231

James S. Tyre mailto:[EMAIL PROTECTED]
Law Offices of James S. Tyre 310-839-4114/310-839-4602(fax)
10736 Jefferson Blvd., #512 Culver City, CA 90230-4969
Co-founder, The Censorware Project http://censorware.net
Re: How to ban crypto?
Matt Blaze <[EMAIL PROTECTED]> writes:
> If anything, the key escrow problem has become much harder. Today,
> far more than three years ago, encryption is central to protecting
> many aspects of what we call "critical infrastructure", and, although I've
> not systematically studied this recently, I suspect it would be far more
> difficult to protect many of these applications with a requirement for
> key escrow.

Even leaving aside the issue of critical infrastructure, the situation is
dramatically different than it was in 97-98 in one very important sense:
installed base. Pretty much anyone who downloaded a browser since the big
liberalization in 1998 now has strong crypto, at least for HTTPS and quite
possibly for e-mail as well. Even if we assume that users are willing to
change their browsers--a big if-- transitioning them is a nightmare.

In the best case scenario, the user is running the absolute most modern
version of the browser and so you just need to replace it with a crippled
version that is otherwise the same. This sort of software changeover doesn't
break things that often but with many tens (hundreds?) of millions of users
we're going to see a lot of broken installations anyway.

Moreover, the best case isn't that common. Many people are running downrev
software and will have to upgrade (downgrade?) to the newest crippled version.
This sort of upgrade causes a lot of breakage.

In the worst shape will be users who are using operating systems for which new
browsers are no longer available. For instance, you don't seem to be able to
get IE 5 for Windows 3.1 at all and I don't seem to be able to get IE 6 for
Win95. Do we expect Microsoft to release new versions of IE 5.5 with GAK?
IE 4?

I don't see how a switch like this could be made to work in practice even if
the users wanted it. Since a substantial number won't want to--or may not even
know how--I don't see how it can be done at all.

-Ekr

[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
Re: How to ban crypto?
At 06:02 PM 9/16/01 -0400, Angelos D. Keromytis wrote:
>Niels Provos (U. of Michigan) has a very interesting paper on detecting
>steganography on the network (he talked about it during the USENIX Sec. WIP
>session). Basically, he didn't find any steganography in about 2 million images
>he tested on Ebay. He's working on doing the same for other mediums/sites.

He did a positive control, right?
Re: How to ban crypto?
>>The two most common anti-GAK arguments are:
>> 1a) It can't be done well.
>> 1b) If it can't be done well, it shouldn't be done at all.
>> 1c) Specifically, the risk of wholesale key-compromise is too great.

>The basic argument is complexity. ...

For 1c, I always thought the basic argument is human nature. The model of GAK
is that a nice policeman goes to the GAK vault, shows the court order or other
paperwork, and the clerk gives the policeman the key to whatever it is he
wants to snoop on. Then the evil terrorist (or kiddie porn drug runner) shows
up without the proper paperwork, and the clerk doesn't give him the key. We
depend on the clerk to act correctly in both situations, which over the long
run is totally unrealistic.

A complexity argument is that either you have a separate key on file for each
crypto device, which is a huge record-keeping problem, or you have a super-key
of some sort that the clerk can use to recreate device keys as needed. In the
former case, you have a large database that will be very hard to maintain both
correctly and securely, in the second case, you have a single target that's
very attractive to bad guys and as soon as the superkey is compromised, the
whole system is broken.

Those of us in the computer biz understand how brittle software tends to be
(not just crypto software), but people outside often don't, even as they
reboot their Windows PCs three times a day.

--
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
[EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl,
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
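
The two escrow designs contrasted in the message above, side by side, as an added example that is not part of the original thread. The HMAC-SHA-256 derivation, the device IDs and all class and function names are assumptions chosen for illustration; the message does not say how a superkey would recreate device keys.

```python
import hashlib
import hmac
import secrets


def derive_device_key(superkey: bytes, device_id: str) -> bytes:
    """Superkey design: recreate a device key on demand (assumed HMAC derivation)."""
    return hmac.new(superkey, b"escrow-demo|" + device_id.encode(),
                    hashlib.sha256).digest()


class PerDeviceVault:
    """Database design: one independently generated key on file per device."""

    def __init__(self):
        self.records = {}  # device_id -> key; every row is a secret to protect

    def enroll(self, device_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self.records[device_id] = key
        return key


class SuperkeyVault:
    """Superkey design: nothing per device on file, only one master secret."""

    def __init__(self):
        self.superkey = secrets.token_bytes(32)

    def enroll(self, device_id: str) -> bytes:
        return derive_device_key(self.superkey, device_id)


def exposed_by_row_leak(leaked_rows: dict, device_keys: dict) -> set:
    """Devices whose keys are known once the given database rows have leaked."""
    return {d for d, k in device_keys.items() if leaked_rows.get(d) == k}


def exposed_by_superkey_leak(leaked_superkey: bytes, device_keys: dict) -> set:
    """Devices whose keys can be recomputed from a leaked superkey plus device IDs."""
    return {d for d, k in device_keys.items()
            if hmac.compare_digest(derive_device_key(leaked_superkey, d), k)}


def compare_designs(n_devices: int = 1000) -> dict:
    ids = [f"device-{i:04d}" for i in range(n_devices)]  # constructed sample IDs

    db = PerDeviceVault()
    db_keys = {d: db.enroll(d) for d in ids}
    one_row = {ids[0]: db.records[ids[0]]}  # a single record is copied

    sk = SuperkeyVault()
    sk_keys = {d: sk.enroll(d) for d in ids}
    leaked = sk.superkey  # the superkey is copied once
    late = "device-enrolled-after-leak"
    sk_keys[late] = sk.enroll(late)  # enrolled after the copy was taken
    exposed = exposed_by_superkey_leak(leaked, sk_keys)

    return {
        "db_secrets_on_file": len(db.records),
        "db_exposed_by_one_row": len(exposed_by_row_leak(one_row, db_keys)),
        "superkey_secrets_on_file": 1,
        "superkey_exposed_by_leak": len(exposed),
        "late_device_exposed": late in exposed,
    }


if __name__ == "__main__":
    for name, value in compare_designs().items():
        print(f"{name}: {value}")
```

The database design carries one secret per device to store and audit, while a single copy of the superkey recovers every device key, including keys for devices enrolled after the copy was made.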
Re: How to ban crypto?
John Denker writes:

[regarding key escrow]
> I'm dubious about argument (1) in all its forms. I suspect that if we
> wanted to make it work, we could make it work.
[...]
[and]
>
> 2) There are AFAICT no convincing technical arguments against GAK.
[...]

I'm curious as to your technical basis for saying this. Certainly when we
studied this in 1997 and 1998 we concluded that while it may be possible to
create a key escrow system that gives out keys, building one securely entails
significant risks and costs that may preclude the use of encryption in many
applications. See

http://www.crypto.com/papers/escrowrisks98.pdf

There were no serious technical objections when we wrote the report (and there
were significant commercial interests trying to sell key escrow systems at the
time). In what way is the problem easier today than it was then?

If anything, the key escrow problem has become much harder. Today, far more
than three years ago, encryption is central to protecting many aspects of what
we call "critical infrastructure", and, although I've not systematically
studied this recently, I suspect it would be far more difficult to protect
many of these applications with a requirement for key escrow.

That said, I think you may have made an important point with your third and
fourth conclusions:

> 3) The ultra-serious crimes such as occurred last week are irrelevant to
> the GAK debate, and vice versa.
>
> 4) Therefore it comes down to a routine policy decision: We get to choose
> a tradeoff somewhere in the gray area between
> -- extreme privacy, and
> -- extremely easy solution of some minor crimes.
>

-matt
Re: How to ban crypto?
In message <[EMAIL PROTECTED]>, John Denker writes:
...
>.
>
>The two most common anti-GAK arguments are:
> 1a) It can't be done well.
> 1b) If it can't be done well, it shouldn't be done at all.
> 1c) Specifically, the risk of wholesale key-compromise is too great.
>
> 2a) It won't really detect/deter typical crime, because typical
>criminals will find ways around it.
> 2b) It won't really detect/deter terrorism, because dedicated terrorists
>will find ways around it.
>
>
>I'm dubious about argument (1) in all its forms. I suspect that if we
>wanted to make it work, we could make it work.
>

John, you've just opened a can of worms. A giant, economy-sized can of
worms...

The basic argument is complexity. Cryptographic software and key exchange
protocols are very hard to get right even in simple cases. If we now try to
add a new feature, we have to add complexity. Worse yet, this new feature is
designed to do something that is not only brand-new, it's something that more
conventional protocols and implementations are designed to avoid, at virtually
all costs: export a copy of the key. Why do you think we can get this right?

That's the essence of why I (and many others) accept (1); for more detail, see
"The Risks of Key Recovery, Key Escrow, and Trusted Third Party Encryption",
at http://www.cdt.org/crypto/risks98.

As a postscript, I'll note that we've already had a failure associated with
the key recovery mechanisms in a version of PGP; see CERT Advisory CA-2000-18,
http://www.cert.org/advisories/CA-2000-18.html.

--Steve Bellovin, http://www.research.att.com/~smb
http://www.wilyhacker.com
Re: How to ban crypto?
In message <[EMAIL PROTECTED]>, Sam Weiler writes:
>
>That (excellent) paper was in the refereed track, not the WiPs:
>
>http://www.usenix.org/publications/library/proceedings/sec01/provos.html
>http://www.citi.umich.edu/u/provos/stego/
>http://www.outguess.org/

The above URLs point to the first paper, on statistical analysis of
steganographic content in images and on a method to bypass them (as
implemented in Outguess 0.2); there is a followup paper that talks about
applying this method for large-scale stego detection. This second paper is as
yet unpublished, and that's what I was referring to.
-Angelos
Re: How to ban crypto?
At 06:58 PM 9/16/01 +0200, Axel H Horns wrote:
>During the
>past years I managed to convince a handful of clients and colleagues
>to make use of PGP in order to protect confidential information when
>sending e-mail messages.
>
>Of course, if PGP would be banned in Germany by some legislation I
>would not be able to recommend any client or colleague to continue
>with PGP usage.

That's narrowly true as stated, but it's misleading because it's not the whole
story. Let's not speak as if the only two options were PGP or nothing. In fact
there is a wide continuum, of which three particularly interesting points are

A) Anything you want, including PGP.
B) Mandatory GAK.
C) Mandatory plaintext.

Nobody is going to ban crypto. Nobody is going to impose plan (C). Given the
choice between (B) and (C), we and our customers could adopt plan (B) and get
along pretty much as we do now.

>... a ban of non-GAK strong crypto would not be a suitable
>measure to fight terrorism. It would only stabilize the present
>SIGINT hybris.

This says GAK is unsuitable, doesn't clearly say why. I don't know whether it
is a philosophical point, a political point, a technical point, or whatever.

The two most common anti-GAK arguments are:

1a) It can't be done well.
1b) If it can't be done well, it shouldn't be done at all.
1c) Specifically, the risk of wholesale key-compromise is too great.

2a) It won't really detect/deter typical crime, because typical criminals
will find ways around it.
2b) It won't really detect/deter terrorism, because dedicated terrorists
will find ways around it.

I'm dubious about argument (1) in all its forms. I suspect that if we wanted
to make it work, we could make it work.

I'm certain that argument (2a) is mostly false as stated. The typical
prosecution involves putting together a lot of facts, most of which are not by
themselves obviously illegal. For instance, imagine a world where GAK is
mandatory. Then when somebody encrypts a private note such as

    Dear Monica -
    Meet me at 11:00, you know where.
    Love, Bill

he doesn't think he is doing anything illegal. Just because it's private
doesn't mean it's illegal. Much later somebody, perhaps as part of a civil
suit, shows probable cause sufficient to overcome the right to privacy, and
poof! GAK is exploited to decrypt the message. At this point two possibilities
must be considered:

a) either Bill superencrypted the message, to defeat GAK, or
b) he didn't.

In case (b) all they get is the message. They may or may not be able to put
that together with a zillion other micro-facts to prove wrongdoing. He might
get acquitted.

In case (a) they've got him dead to rights for violating the mandatory-GAK
laws. Klink!

Given this choice, most people will opt for no superencryption.

I'm not asking you to _like_ this scenario. But the rules are that one should
consider all the plausible scenarios, to see where they lead. There's nothing
implausible about this scenario.

The situation changes if you are a dedicated evildoer. Suppose you are
planning something so heinous that the penalty for being caught is more severe
than the penalty for violating the mandatory-GAK laws. Then superencryption
might be a good idea. Even then it won't help much, because if they can get
subpoena for GAK one day, they can get a subpoena to bug your premises the
next day. You increase their costs a little, but the cost to you is going to
be much higher.

==

So we continue the search for a robust anti-GAK argument. One part of the
argument is this: Terrorists don't need fancy superencryption to defeat GAK.
Indeed they hardly need encryption at all. They can formulate the basic plan
in a cave somewhere, and thereafter communicate in the clear:

"Dear Uncle: Please send another $10,000 so I can continue my training."

"Dear Cousin: I will be taking flight AA73 tomorrow. I understand you will be
taking UA175, right?"

Some people are speaking as if the recent attack required vast resources and
sophisticated communications. It didn't. Just because the US Army has adopted
a communications-intensive battle doctrine doesn't mean everybody else will
follow suit.

==

Conclusions:

1) The Subject: line of this thread is misleading. The issue is not
mandatory plaintext. The issue is whether or not we want mandatory GAK.

2) There are AFAICT no convincing technical arguments against GAK.

3) The ultra-serious crimes such as occurred last week are irrelevant to the
GAK debate, and vice versa.

4) Therefore it comes down to a routine policy decision: We get to choose a
tradeoff somewhere in the gray area between
-- extreme privacy, and
-- extremely easy solution of some minor crimes.

The real world operates in shades of gray, not at either extreme. It always
has, and always will. The US Constitution, for example,
Re: How to ban crypto?
On Sun, 16 Sep 2001, Angelos D. Keromytis wrote:

> Niels Provos (U. of Michigan) has a very interesting paper on detecting
> steganography on the network (he talked about it during the USENIX Sec.
> WIP session). Basically, he didn't find any steganography in about 2
> million images he tested on Ebay. He's working on doing the same for
> other mediums/sites.

That (excellent) paper was in the refereed track, not the WiPs:

http://www.usenix.org/publications/library/proceedings/sec01/provos.html
http://www.citi.umich.edu/u/provos/stego/
http://www.outguess.org/

-- Sam
Re: How to ban crypto?
At 12:07 AM 9/17/2001 +0200, Hadmut Danisch wrote:
>On Sun, Sep 16, 2001 at 02:12:40PM -0700, Carl Ellison wrote:
> >
> > I think it is ironic that Congress passed a law a while ago that
> > discourages crypto researchers from studying and publishing how to
> > detect and defeat stego systems.
> >
>
>:-O
>
>What the hell is the purpose of such a law?
>I could not agree with, but at least see some
>sense in a law against stego, but what is
>a law against detecting and defeating stego
>systems good for?
>
>Where can I find details about this law?
>
>[Moderator's note: It is called the DMCA, Hadmut. It is intended to
>prevent people from finding ways around copy protection. --Perry]

And access protection of course. 17 U.S.C. sections 1201-1205, 512, with 1201
being the main code section. All available at
http://www4.law.cornell.edu/uscode/17/

James S. Tyre mailto:[EMAIL PROTECTED]
Law Offices of James S. Tyre 310-839-4114/310-839-4602(fax)
10736 Jefferson Blvd., #512 Culver City, CA 90230-4969
Co-founder, The Censorware Project http://censorware.net
Re: How to ban crypto?
On Sun, Sep 16, 2001 at 02:12:40PM -0700, Carl Ellison wrote:
>
> I think it is ironic that Congress passed a law a while ago that
> discourages crypto researchers from studying and publishing how to
> detect and defeat stego systems.
>

:-O

What the hell is the purpose of such a law? I could not agree with, but at
least see some sense in a law against stego, but what is a law against
detecting and defeating stego systems good for?

Where can I find details about this law?

[Moderator's note: It is called the DMCA, Hadmut. It is intended to prevent
people from finding ways around copy protection. --Perry]

regards
Hadmut
Re: How to ban crypto?
In message <3.0.5.32.20010916141240.01b7eee0@localhost>, Carl Ellison writes:
>
>At 05:26 PM 9/16/2001 +0100, Peter Fairbrother wrote:
>>Bin-Laden was at one time said to use stego in posted images for
>>comms.
>
>I heard that restated today on NPR by an ex-FBI commentator.
>
>I think it is ironic that Congress passed a law a while ago that
>discourages crypto researchers from studying and publishing how to
>detect and defeat stego systems.
>
>Of course, terrorists won't use watermarking stego systems, but the
>discouragement of researchers in one area of stego is likely to
>discourage them in another (or in cryptography in general).

Niels Provos (U. of Michigan) has a very interesting paper on detecting
steganography on the network (he talked about it during the USENIX Sec. WIP
session). Basically, he didn't find any steganography in about 2 million
images he tested on Ebay. He's working on doing the same for other
mediums/sites.

As the paper has not been published yet, I don't want to give more details.
I've cc'ed Niels on this message, so perhaps we'll get a summary of his latest
results.
-Angelos
Re: How to ban crypto?
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

At 05:26 PM 9/16/2001 +0100, Peter Fairbrother wrote:
>Bin-Laden was at one time said to use stego in posted images for
>comms.

I heard that restated today on NPR by an ex-FBI commentator.

I think it is ironic that Congress passed a law a while ago that discourages
crypto researchers from studying and publishing how to detect and defeat stego
systems.

Of course, terrorists won't use watermarking stego systems, but the
discouragement of researchers in one area of stego is likely to discourage
them in another (or in cryptography in general).

-BEGIN PGP SIGNATURE-
Version: PGP 6.5.8

iQA/AwUBO6UVx3PxfjyW5ytxEQItqgCfZcOv3rI6i6kGpQ/RfHvhqbcILfoAoJ1Q
AYjmfg8XVYynTsx+CMXXP6gJ
=ochU
-END PGP SIGNATURE-

+--+
|Carl M. Ellison [EMAIL PROTECTED] http://world.std.com/~cme |
|PGP: 08FF BA05 599B 49D2 23C6 6FFD 36BA D342 |
+--Officer, officer, arrest that man. He's whistling a dirty song.-+
Re: How to ban crypto?
On 16 Sep 2001, at 17:26, Peter Fairbrother wrote:

> Any other suggestions for how to ban crypto? I can't think of anything
> that would actually work against terrorists.

Hmmm... we should be careful not to restrict the discussion of potential
(non-)effects of coming restrictive legislative measures with regard to
cryptography to pure technical aspects thereof.

For example, I am working in Germany as a Patent Attorney. During the past
years I managed to convince a handful of clients and colleagues to make use of
PGP in order to protect confidential information when sending e-mail messages.

Of course, if PGP would be banned in Germany by some legislation I would not
be able to recommend any client or colleague to continue with PGP usage. I for
myself would have to cease PGP usage immediately. Besides criminal charges, it
would be an offence in violation of the applicable professional code of
conduct, and I surely would get a lot of trouble if I would exercise
non-compliance in conjunction with my professional activities. Maybe that I
would lose my professional admission (in Germany, "Patentanwalt" is a strictly
regulated profession).

Other professional users would also effectively be forced to cease PGP usage
by similar mechanisms.

So a ban on strong crypto might indeed be very effective among professional
users where economical aspects are at stake.

Nevertheless, a ban of non-GAK strong crypto would not be a suitable measure
to fight terrorism. It would only stabilize the present SIGINT hybris.

Axel H Horns
How to ban crypto?
Banning cryptography to deter terrorism, or controlling it to give GAK, is
much in the news these days. I wonder if it could be done?

Bin-Laden was at one time said to use stego in posted images for comms. I
doubt this was true, but it would be very hard to stop. Good stego can be
undetectable (and deniable) for short messages of the type needed by
terrorists. Without depth it can be very hard to detect even "ordinary" stego,
and stego is advancing fast.

To prevent traffic analysis, public fora such as newspaper private ads or
chalk marks on walls have been used by spies and terrorists for a long time,
and modern ones like newsnet groups aren't very different. Requiring posters
to prove identity would be difficult if not impossible, and wouldn't work
against undetectable stego anyway. Even a popular privately run site could be
used to provide cover traffic. That's not counting the CIA's SafeWeb
anonymiser, remailers, and the like.

Subliminal channels in Government-approved crypto could also be used. Word or
phrase selections can carry messages. Pre-arranged codes can be as secure as
OTP, and impossible to detect or prove. The list is long if not endless.

Perhaps Governments can ban (non-approved?) encryption software, and punish
those who have it on their computers? I'm no expert, but it seems likely that
a macro worm could be written to do hard crypto without great difficulty, and
people can reasonably say they didn't know it was there. It might even be
possible to embed this functionality in a virus. Certainly it could be
included in freeware available on the 'net.

I've also been looking at the possibility of "steganographically" hiding
functionality, and while I can't do it yet, I'm convinced it could be done.

Any other suggestions for how to ban crypto? I can't think of anything that
would actually work against terrorists.

-- Peter Fairbrother