Re: Crypto software that *is* exportable from the USA

1999-01-25 Thread Paul Sheer 

>  - I would not be able to include the new crypto features in the package
>anyway due to US export laws.

no, the US version contains no crypto code.

> (Debian packages are binary only, and

Both the source and binary US versions of mirrordir contain no crypto
code.

>FTP connectivity is not assured, so the "download sources from
>South Africa" model does not work.) 

I will set it to only download when the crypto stuff is used, so that
ordinary usage does not cause an automatic ftp transfer of the scripts.
When users discover the security features, they can then bother with not
having ftp connectivity.
Is this OK?

> 
>  - Most of the recent releases have been bug fixes of crypto features.
>Besides the above problem with crypto, it does not appear stable.

There have been some very important bug fixes in the ftp code. Also, the
crypto stuff is now quite stable.

-paul

Re: Crypto software that *is* exportable from the USA

1999-01-24 Thread Paul Sheer 

On Sat, 23 Jan 1999, Bear Giles wrote:

> > It supports strong encryption but is exportable from
> > the US because it does not have encryption compiled in by default. Instead
> > it downloads the scripts it needs from South Africa when it runs for the
> > first time.
> 
> This is *extremely* risky behavior. 
> 
> [...]
> 
> > South Africa has no export restrictions on cryptography. It
> > supports file transfer and secure logins shells.
> 

I meant that mirrordir supported file transfer and secure logins shells.
The scripts are downloaded via ordinary ftp.

> 
> As an aside, why would a mirror program even want strong 
> encryption?  Encryption != authentication, although the implementatons
> have significant overlap.
> 
It started as a mirror program. Now its a suite of utilities including a
secure shell.

I don't think the problem is as big as you say. To illustrate, the connect
script follows. We are talking about less than 200 lines of script - an
extremely small amount. It could easily become widely publicisely what
these scripts are. A script to do checksums on the package itself would
only take a few lines. I admit that its not foolproof, but it can easily
reach a point where its highly improbably that a user could have a
compromised script. On the other hand, users would have the ability to do
secure logins on a stock standard system, without having to install a
single thing.

Also: there is no GPL secure shell (as far as I know). So even the
International version of mirrordir with compiled in encryption (i.e. not
in scripts) is a worthwhile package which can be downloaded from outside
the US just like ssh. It seems to have recieved very little attention
considering the need for a GPL secure shell. Is there something that I am
missing here?

-paul


/* client connection script, exporting this script from the US
   may be in violation of the US munitions export regulations */
Huge *r; Huge *s; Huge *p; Huge *q; Huge *g;
Huge *m; Huge *x; Huge *y; Huge *X; Huge *Y;
long l; long type; 
char *c; char *prot;
l = strlen ("dIffIe--HelLmaN\n");
if (l != send ("dIffIe--HelLmaN\n", l, 0))
return 0;
prot = "1234";
prot[0] = 0;
prot[1] = 1;
type = typeoption ();
prot[2] = type;
prot[3] = 0;
if (send (prot, 4, 0) != 4)
return 0;
p = prime (type);
g = 2;
y = random (typesize (type));
Y = pow (g, y, p);
if (writehuge (Y, 0))
return 0;
l = strlen ("DIfFiE--hEllMan\n");
if (recv (&c, l, 0) != l)
return 1;
if (strncmp ("DIfFiE--hEllMan\n", c, l))
return 1;
if (!(X = readhuge (0)))
return 0;
m = pow (X, y, p);
huge2bin (m, &c, &l);
initarcrd (c, l / 2);   /* stream cypher initialisation */
initarcwr (c + l / 2, l / 2);
x = 0;
y = 0;
if (!(y = readhuge (1)))
return 0;
if (checksavedkey (y, type))
return 0;
if (!(r = readhuge (1)))
return 0;
if (!(s = readhuge (1)))
return 0;
q = p >> 1;
/* signature equation */
if (m != (((pow (g, s, p) * pow (y, r % q, p)) % p * r) % p))
return 0;
return 1;

Crypto software that *is* exportable from the USA

1999-01-23 Thread Paul Sheer 

Hi there,

I am trying to draw attention to what I think is an important piece of
software - Mirrordir. It supports strong encryption but is exportable from
the US because it does not have encryption compiled in by default. Instead
it downloads the scripts it needs from South Africa when it runs for the
first time. South Africa has no export restrictions on cryptography. It
supports file transfer and secure logins shells.

I remember someone was maintaining the debian release of this software
(although then, it did not support encryption). Please get the latest
version from:
ftp://lava.obsidian.co.za/pub/mirrordir/US/

(Note: for the Debian distribution you must download from the `US' tree,
and not the `International' tree.)

Thanks

-paul

Obsidian Systems . . . .  Linux installations, support, networking
[EMAIL PROTECTED] . . . . . . . . . . . . Tel  (+27 11) 792 6500
http://www.obsidian.co.za  . . . . . . . .  Fax  (+27 11) 792 6522
__   __ __  __ __  __ __  __
   / /  / //  |/ // / / / \ \/ /
  / /_ / // /|  // /_/ /   \  /
 /___//_//_/ |_/ \//  \
  /_/\_\