Re: SRA+IDEA Telnet

1999-08-14 Thread Mark Murray

> Couldn't you work the code so it obtains all its encryption functions
> from an external library, such as the system's libdes? That would let you
> export the code, since it doesn't provide any encryption functions itself,
> and international people could use the international DES library (for
> other encryption algorithms, pick a freely available implementation such
> as the one from openssl).

This makes the most sense. Thrash it out as a port, and if that works,
we can bring it into both repositories.

M
--
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org


Re: SRA+IDEA Telnet

1999-08-14 Thread Narvi

On Sat, 14 Aug 1999, Mark Murray wrote:

> > Couldn't you work the code so it obtains all its encryption functions
> > from an external library, such as the system's libdes? That would let you
> > export the code, since it doesn't provide any encryption functions itself,
> > and international people could use the international DES library (for
> > other encryption algorithms, pick a freely available implementation such
> > as the one from openssl).
>
> This makes the most sense. Thrash it out as a port, and if that works,
> we can bring it into both repositories.

Why not just wait and bring the openssl library in?

A new telnet authentication method that just we used is not terribly
useful.

> M
> --
> Mark Murray
> Join the anti-SPAM movement: http://www.cauce.org

Sander

There is no love, no good, no happiness and no future -
all these are just illusions.







Re: SRA+IDEA Telnet

1999-08-14 Thread Mark Murray
> Why not just wait and bring the openssl library in?

Er - I don't think that will happen. Not for a while.

M
--
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org





Re: SRA+IDEA Telnet

1999-08-14 Thread Nick Sayer
Mark Murray wrote:
 
> > Couldn't you work the code so it obtains all its encryption functions
> > from an external library, such as the system's libdes? That would let you
> > export the code, since it doesn't provide any encryption functions itself,

The commerce department says otherwise. It's still not exportable even
if it interfaces to encryption code.



Re: SRA+IDEA Telnet

1999-08-14 Thread Nick Sayer
Narvi wrote:
 
> On Sat, 14 Aug 1999, Mark Murray wrote:
>
> > > Couldn't you work the code so it obtains all its encryption functions
> > > from an external library, such as the system's libdes? That would let you
> > > export the code, since it doesn't provide any encryption functions itself,
> > > and international people could use the international DES library (for
> > > other encryption algorithms, pick a freely available implementation such
> > > as the one from openssl).
> >
> > This makes the most sense. Thrash it out as a port, and if that works,
> > we can bring it into both repositories.
>
> Why not just wait and bring the openssl library in?

If it even talks to openssl, it's not exportable.

> A new telnet authentication method that just we used is not terribly
> useful.

A. It's not new.

B. Not just we use it. It may not be tremendously widespread, but I assert
that just as many people use SRA as use SRP or SSLtelnet (probably a lot
more people use ssh).



Re: SRA+IDEA Telnet

1999-08-13 Thread Narvi


How exactly do you plan to get this to the FreeBSD international
server that has the crypto repository?

Sander

There is no love, no good, no happiness and no future -
all these are just illusions.

On Thu, 12 Aug 1999, Nick Sayer wrote:

> Ok. I have put up a rough cut of my proposed src/crypto/telnet stuff
> with SRA authentication and IDEA encryption. It requires the libutil
> from 3.2 (or better), but it appears to work pretty well.
>
> Please don't download it if you're outside the US.
>
> But if you are in the US, you can grab it from
> ftp://ftp.kfu.com/pub/sra-idea.FreeBSD-32.tgz
>
> Move your existing /usr/src/crypto/telnet out of the way and unpack the
> tgz into /usr/src/crypto.
>
> Then cd into telnet and make.
>
> In particular, anyone who sees any stupid stuff in the Makefiles (I had
> to guess a lot) or anything that would break existing (kerberos)
> functionality, please let me know.
> It seems to me, though, that since there were no Makefiles in there
> before, the kerberos stuff must be using its own Makefiles with these
> source files or some such magic.






Re: SRA+IDEA Telnet

1999-08-13 Thread Nick Sayer

Narvi wrote:
 
> How exactly do you plan to get this to the FreeBSD international
> server that has the crypto repository?

The short answer is that I don't.

Unfortunately the trick that PGP used of publishing it in a book and
exporting that won't work anymore, because I believe the commerce
department now says that source code printed in a book that can be
scanned and OCRed is, in fact, "machine readable" and unexportable.

I originally obtained SRA code from a University in Germany. I obtained
my implementation of IDEA from PGP. In fact, I used idea.[ch] and #if 0'ed
out stuff that's not needed. However, SRA is perfectly able to supply a
compatible DES encryption key, so you can just add SRA to telnet and
have SRA+DES. In fact, given that SRA isn't all that hard to break,
one could argue that DES is probably good enough (I hear it now -- if
SRA isn't that hard to break, why bother? Answer: Because it's harder
to break than plaintext. Factoring SRA would take a few days. Just
watching for login: and password: takes nothing).

I obtained the Makefiles for libtelnet, telnetd and telnet from the
/usr/src/secure Attic and modified them so that they would enable
encryption, authentication, SRA and DES (after adding SRA code, of course).

I can discuss what I did with non-US citizens only in broad terms like
the above. I can't assist and I can't provide source.

The good news is that I believe the Bernstein case is headed finally for
the Supreme Court and if all goes well source code may well be exempted
from export regulations by deeming it protected speech.


Re: SRA+IDEA Telnet

1999-08-13 Thread Nick Sayer

Kris Kennaway wrote:
 
> On Fri, 13 Aug 1999, Nick Sayer wrote:
>
> > I originally obtained SRA code from a University in Germany. I obtained
> > my implementation of IDEA from PGP. In fact, I used idea.[ch] and #if 0'ed
> > out stuff that's not needed.
>
> Couldn't you work the code so it obtains all its encryption functions
> from an external library, such as the system's libdes? That would let you
> export the code, since it doesn't provide any encryption functions itself,
> and international people could use the international DES library (for
> other encryption algorithms, pick a freely available implementation such
> as the one from openssl).

Alas, the commerce department says that even code that has no cryptography
in itself, but that _interfaces_ to a crypto library is unexportable.
As an example, I have a hack for pine that interfaces it to Openssl
(the pine4+ssl port). That code is unexportable even though it talks
to a library that talks to a crypto library. This despite the fact that
it is distributed separately from the crypto itself. The same applies
to mod_ssl (at least when it is present within the US). You can't pass
that around even though it does no encryption by itself at all (the
fact that it may be available outside the US doesn't matter either.
You still can't export it even if it was originally IMported for it to
get here in the first place).

Yes, it sucks, and no, I am not making this up.

 
> I'm not sure what functionality this provides above something like
> SSLtelnet (in ports) or ssh, though. Probably much easier for folks to
> just use those.

The whole point is to have the default system come with something
better than plaintext logins that has no administrative overhead.
If the default telnet/telnetd (in the DES distribution) had this
functionality, it would end up being far more automatic than having
to go and build and install ANY alternative in the ports or having
to set up either Kerberos or S/key.

I use and am a big fan of SSH. But I had to install and configure it.
If we're ever going to reach the day when cryptographic security is
so routine we don't even think about it, we have to start having it
present _by default_.


 
> Kris


Re: SRA+IDEA Telnet

1999-08-13 Thread Kris Kennaway
On Fri, 13 Aug 1999, Nick Sayer wrote:

> I originally obtained SRA code from a University in Germany. I obtained
> my implementation of IDEA from PGP. In fact, I used idea.[ch] and #if 0'ed
> out stuff that's not needed.

Couldn't you work the code so it obtains all its encryption functions
from an external library, such as the system's libdes? That would let you
export the code, since it doesn't provide any encryption functions itself,
and international people could use the international DES library (for
other encryption algorithms, pick a freely available implementation such
as the one from openssl).

I'm not sure what functionality this provides above something like
SSLtelnet (in ports) or ssh, though. Probably much easier for folks to
just use those.

Kris


