Cryptographers Amici Briefs

2001-01-30 Thread John Young

For appeal of the MPAA v. 2600 decision:

Brief Amici Curiae of Steven Bellovin, Matt Blaze, Dan Boneh, 
Dave Del Torto, Ian Goldberg, Bruce Schneier, Frank Andrew 
Stevenson, David Wagner:

   http://www.2600.com/dvd/docs/2001/0126-crypto-amicus.txt

Brief Amicus Curiae of Arnold Reinhold:

  http://cryptome.org/mpaa-v-2600-agr.htm




MPAA v. 2600 - Appeal Brief of Amici Curiae

2001-01-24 Thread John Young

We offer James Tyre's Brief of Amici Curiae on behalf of
17 cryptographers, professors and scientists, for appeal
of the MPAA v. 2600 judgment:

   http://cryptome.org/mpaa-v-2600-bac.htm

The amici:

Harold Abelson
Andrew W. Appel
Dan Boneh
Edward W. Felten
Robert Harper
Andy Hertzfeld
Brian Kernighan
Marvin Minsky
James Morris
P.J. Plauger
James C. Reynolds
Ronald Rivest
Avi Rubin
Barbara Simons
Eugene H. Spafford
Richard Stallman
David S. Touretzky






NONSTOP Doc Up

2001-01-14 Thread John Young

NSA's "NACSEM 5112 NONSTOP Evaluation Techniques,"
Reprinted July 1987, released under FOIA:

  http://cryptome.org/nacsem-5112.htm  (196K, 3 images)

About half of the 100-page document has been redacted, 
so brace for the mangle.





Re: NONSTOP Crypto Query

2001-01-13 Thread John Young

Joel McNamara first told me about NONSTOP and its commonly
associated classified codeword, HIJACK, both somehow related
to Tempest. 

When you do a search on either of them you get hundreds 
(or 1000s) of hits for the generic terms "non-stop" and "hi-jack" 
but few entries for the codewords, and then as standards in 
military security documents. 

It's as if the codewords were picked to be camouflaged by the 
generics. And, because codewords are usually set to have
no relation to the protected material, they probably are not 
descriptive -- but could be, just to outfox the smarties.

The NONSTOP doc released to us was first issued in 1975 
and has gone through 4 reprintings, the latest in 1987. And 
it continues to be cited as still in effect, though usually such 
standards are updated at least every 5 years. So there may
be a later one which would account for its partial release
after first denial.

It's intriguing to read Spycatcher (1987) while reading the 
Tempest docs. I had not read Wright's most informative
book, and regret not having done so. (The Story of Hut 6,
too, by Gordon Welchman -- luckily found both in a
military used-bookstore.)

For those who have not read Spycatcher, Peter Wright 
was MI5's first scientist, and entered the service after 
WW2. He specialized in the technology of counterintelligence 
and with a few others cooked up a host of ingenious means
to spy on spies and suspects. A specialty was the
extraordinary use of electromagnetic science -- radio, 
telephone, acoustic, resonance, and more -- applying 
scientific abilities well in advance of technicians and 
engineers. Some of his ideas were so advanced his
bosses said impossible, until he proved effectiveness. 
Then Wright quickly became the savior of officers 
who could not understand why Britain's enemies kept 
outsmarting them -- usually with advanced technological 
means. Wright changed that, but often got at odds with 
non-scientific personnel whose faith was HUMINT.

Among others, he worked closely with GCHQ on occasion 
to provide technical attacks on cryptosystems which could 
not be broken by cryptanalysis. Thus his research on the 
cryptosecrets revealed by compromising emanations from 
devices, cabling, furniture, construction materials, and a host
of ordinary physical objects in and near cipher rooms -- all 
of which emitted signals that could be acquired and interpreted 
by careful tuning for comprehension. He writes of amazing 
methods of acquiring signals, and it is no wonder HMG 
fought to prevent publication of Spycatcher.

What he did not write about must be even more wondrous, 
and it makes you think he could pick up your brain waves
if you were part of a particular triangulated antenna.

Maybe NONSTOP and HIJACK have nothing to do with
the stuff Wright excelled at. Still, reading Spycatcher
along with the Tempest docs -- and now Stephen
Budiansky's "Battle of Wits: The Complete Story of
Codebreaking in World War II," (2000) -- certainly
demonstrates how much of codebreaking has been
done by covert technical and physical means, even
as we are told misleading cover stories.

Are these latest crypto-revelations disinformation?
Historically nearly all have been.  Ha. Ha. Ha.






Cryptographic Algorithm Metrics

2001-01-03 Thread John Young

Last summer, at a workshop on "Security Metrics," conducted
by NIST's Computer System Security and Privacy Advisory
Board, Landgrave Smith, Institute of Defense Analysis, reported
on a pilot study of "the metrics used for determining the
strength of cryptography."

   http://csrc.nist.gov/csspab/june13-15/sec-metrics.html (the workshop)

   http://csrc.nist.gov/csspab/june13-15/Smith.pdf (Smith's presentation)

Five categories of algorithm strength were established for
the pilot:

Unconditionally Secure (US)
Computationally Secure (CS)
Conditionally Computationally Secure (CCS)
Weak (W)
Very Weak (VW)

Smith stated: "A cipher is Unconditionally Secure (US)
if no matter how much ciphertext is intercepted, there
is not enough information in the ciphertext to
determine the plaintext uniquely."

No examples for this strength were given, and it was
not clear from Smith's presentation whether there is
such a cipher or the category was only provided
as a theoretical premise.

Question: is there a cipher that is Unconditionally
Secure?

Mr. Smith defined the other categories:

[Quote]

A cipher is Computationally Secure (CS) if it cannot 
be broken by systematic analysis with available
resources in a short enough time to permit
exploitation. Examples: DES and 3 DES.

A cipher is Conditionally Computationally Secure
(CCS) if the cipher could be implemented with keys
that are not quite "long enough" or with not quite
"enough" rounds to warrant a CS rating. Examples:
SKIPJACK and RSA.

A Weak (W) cipher can be broken by a brute force
attack in an acceptable length of time with an
"affordable" investment in cryptanalytic resources
(24 hours and $200K). No examples.

A Very Weak (VW) cipher is one that can be broken
by determining the key systematically in a short
period of time with a small investment (8 hours
and $20K). No examples.

[End quote]




DES - CS
3 DES - CS
SKIPJACK - CCS
RSA - CCS








What's Up with AES FIPS

2000-12-29 Thread John Young

NIST states on its Web site that a draft FIPS for AES would 
be issued for comment "shortly after announcement of the 
winner (probably in November 2000)." Anything scandalous 
behind the delay?





Re: UK intelligence agencies want 7 years of records of all phone calls, emails and internet connections

2000-12-04 Thread John Young

Clive Feather wrote:

Calling this "NCIS carnivore" is misleading. It's concerned with
transaction logs (who logged in when, web site logs, the sort of thing
covered as "communications data" in RIP). Nothing to do with the contents
of phone calls or email.

I've been aware of these proposals for some time.

The connection to Carnivore was made by the anonymous source
of the document, probably a person within one of the CSPs which
had been given the document for consultation -- as it sets forth. A
person who likely has access to other yet undisclosed consultations,
as Clive suggests is a fact of life for providers.

In the US we have learned that the capabilities of Carnivore are more 
than has been publicly admitted, that it is only one in a series of 
developing surveillance technologies, one of a series of legislative 
initiatives, one of a series of trial balloons lofted for public reaction.

The major ISPs in the US are being consulted on these rapidly
developing means and methods, as were the telcos in days past 
and telecomms in the present. And it has been established that these 
corporations have been presented with, and themselves initiated, 
surveillance and interception programs, as ever, in the national 
interest -- which means in the interest of favorable regulation
and economic advantage, now global not merely national.

"Carnivore" is an apt term for the process of ravenous cooperation 
between telecommunications providers and their regulators in all
the countries where that is occurring -- the list of admitted participants 
is growing daily. And the FBI and DoJ make no secret of their drive 
to have seamless global cooperation, helped as ever by US legal and 
technological prowess and lubricated by financial incentives.

What is striking is how often HMG is willing to serve as stalking
horse for draconian surveillance programs that later get adopted in 
some form by other countries. What the dark side of HMG is being 
promised for that contemptible role is worth sunshining by whoever
gets hands on evidence.







Carnivore Report

2000-11-22 Thread John Young

We offer an HTML version of the Carnivore technical 
review report released yesterday by the Department
of Justice (without appendices):

   http://cryptome.org/carnivore.rev.htm  (164KB text, 8 images)

One notable conclusion about Carnivore's shortcomings
and why its code should not be released to the public:

  Carnivore can be countered with simple, public-domain 
  encryption.

But it can snarf everything done by a targeted Web user, 
e-mail, FTP, HTTP, and you name it. And, as Nicky Hager
writes today, this capability is to become the global standard 
if the FBI gets its way:

  http://www.heise.de/tp/english/special/enfo/4306/1.html






DMCA Final Rule

2000-10-27 Thread John Young

We offer the US Digital Millennium Copyright Act Final 
Rule on Access Control Circumvention:

   http://cryptome.org/dmca102700.txt  (149KB)

An excerpt on why there will be no exemption for
circumventing access to DVDs by tools such
as DeCSS:

   http://cryptome.org/dmca-dvd.htm  (15KB)

The two exemptions granted:

"1. Compilations Consisting of Lists of Websites Blocked 
by Filtering Software Applications

2. Literary Works, Including Computer Programs and 
Databases, Protected by Access Control Mechanisms 
That Fail to Permit Access Because of Malfunction, 
Damage or Obsoleteness."

The copyright industry's arguments are often cited
as grounds for minimal exemptions, as well as the
power of the market to correct what Congress gave
the industry. Specious.






Unified Cryptologic Architecture

2000-10-18 Thread John Young

The bibliography of an NSA reorganization report
released today lists several entries under "Unified
Cryptologic Architecture" as well as a "U.S. Cryptologic
Strategy - Preparing for the 21st Century."

There is also a citation of "SINEWS - GCHQ Modernization
and Change Program."

We would appreciate leads or pointers for getting
these documents.

The two reorganization reports are on the NSA web site
in big PDF files. We offer HTML versions:

   http://cryptome.org/nsa-reorg-et.htm

   http://cryptome.org/nsa-reorg-net.htm

The first is by an external study team, the second
by an internal team. Strong criticism in both.







Re: PGP ADK Bug Fix

2000-08-27 Thread John Young

Arnold Reinhold wrote:

How hard would it be to filter the public key servers for unsigned 
ADKs and either notify the keyowner or just remove the unsigned ADKs? 

It might be possible to filter the unsigned ADKs from key servers,
however, it is not clear if the bug discovered is all there is to
worry about. PGP/NAI has not yet given a complete explanation 
of how the bug got past quality control for truly reliable security.

Others have noted on the net how long the fault related to the 
bug has been around, and that despite warnings to PGP 
nothing was done about it.

A few have also noted that the pattern of eventual disclosure of
a fault is not unprecedented as a way to discover a built-in
flaw added to gain export approval in an NDA sit-down with
governmental authorities, a process still required by US 
export law for strongest crypto and a process that is also in 
effect in other countries linked to the US by technology
control pacts such as Wassenaar.

PGP has a wonderful reservoir of goodwill that will surely
help it through this embarrassment, but the reservoir has 
been drained rather much and needs replenishment.

To help with that Michel Bouissou has circulated a call for 
restored confidence in PGP Freeware with a set of 
constructive suggestions for PGP/NAI:

   http://cryptome.org/pgp-reborn.htm

Are there other suggestions being floated?




PGP ADK Bug Fix

2000-08-26 Thread John Young

Cryptome offers the ADK bug-fixed PGP Freeware 6.5.8:

  http://jya.com/pgpfree/PGPFW658Win32.zip  (7.8MB)

  http://jya.com/pgpfree/PGPFW658Mac_sit.bin  (5.6MB)

Analyses of the ADK fix and any others most welcome.





Monroe Cypher

2000-07-09 Thread John Young

In a 1992 Studies in Intelligence article, "America's First
Encrypted Cable," Ralph Weber refers to a "Monroe cypher:"

   http://cryptome.org/us-cable1.htm

We would appreciate information on this cipher, and a
sample of its use with plaintext and ciphertext, or, a long
shot, a source for the whole thing.

This excerpt from David Kahn's "The Codebreakers"
may refer to the cypher:

  "Another code composed on the Livingston forms, endorsed 
  "Mr. Monroe's cypher," was used by Monroe in 1805 when 
  he was minister to England, by James A. Bayard in 1814 when 
  he helped negotiate the treaty that ended the War of 1812, and 
  as late as 1832 by President Andrew Jackson in letters to a 
  diplomatic agent. It therefore seems to have been one of the 
  first official codes of the United States under the Constitution."

  -- p. 185, 1967 edition





Re: Monroe Cypher

2000-07-09 Thread John Young

Yes, Kahn did footnote the Monroe cypher information, 
attributing it to Edmund C. Burnett, in his "Letters of 
Members of the Continental Congress."

I've also received two other citations for more on Monroe's 
cypher from the mail list Intelligence Forum, a quite informative
source on crypto and intelligence matters, many of whose 
members are active or former members of a variety of intel 
agencies, as well as scholars of the field. http://www.intelforum.org

From Hayden Peake:

The Monroe Cypher (aka: WEO28) is discussed (who used it 
and when, etc.) in WEBER's book, United States Diplomatic 
Codes and Ciphers 1775-1938, (Chicago: Precedent Publishing, 
1979).  The code itself is reproduced in an appendix (pp. 478-489).

If a copy of the book is not to hand, let me know and I can fax the 
code itself.

WEBER can be contacted at: [EMAIL PROTECTED], tel: 414-785-1910.

-

And from Louis Kruh:

A more detailed version (30 pages and 108 footnotes) of Ralph 
Weber's interesting article, "America's First Encrypted Cable" is 
included in his "Masked Dispatches: Cryptograms and Cryptology
in American History, 1775-1900." Published by Center for 
Cryptologic History, NSA, 1993, 236 pp.






Re: Andrew Fernandes on NSA back doors

2000-05-28 Thread John Young

Arnold Reinhold wrote:
I'm afraid I don't find Mr. Fernandes' argument convincing. ... 

To me the mystery is why Microsoft is unwilling to fully explain its 
actions. Perhaps there are other details they do not wish to reveal. 
For example,  since each CAPI module to be signed would require BXA 
approval beforehand, NSA may have wanted the tokens kept at a trusted 
third party, perhaps some law firm, giving BXA positive control over 
what gets signed.  Whatever the reason, the _NSAKEY incident 
demonstrates that Microsoft has some secret relationship with NSA.

Note that the exchange with Duncan occurred while MS is butting
heads with DOJ. And the breakoff occurred in the possible
death struggle to keep MS a single company. Would MS squeal on
NSA during this crucial time? Not likely. Would it ask for help from
NSA in placating DOJ, say for two companies rather than three? 
Possibly, if it could be kept quiet, especially from Judge Jackson.
Would MS set up a covert company for government work if it has
not already done so? Probably, if the pattern of other corporations 
is followed. In that case, all records are excluded from FOIA.

The tone of MS's exchanges with Duncan certainly sounds like
those who are forbidden to go beyond a precise limit as to what
can be disclosed. Few say that the reason is an NDA for even
that cannot be revealed in most cases.

Another person at Microsoft, head of MS crypto in France,
commented (stonewalled) in response to a ZDNet (FR) article 
(this too forwarded by Duncan though it was not written to him):

[Sent to ZDNet, No date]

Sir,

Thank you for the very interesting article published on ZDNet
(http://www.zdnet.fr/actu/tech/a0014367.html).

I would, however, like to clarify a few points concerning 
the role of the NSA, and the claim that software publishers are obliged 
to supply source code to the NSA in order to obtain export 
authorizations.

The technical review carried out by the BXA does not involve supplying 
source code, or excerpts of source code. The declaration is 
only documentation describing the encryption capabilities and
their strength, along with justifications for obtaining an unrestricted 
export license.

The process is clearly documented on the web site of the BXA 
(the export bureau of the US Department of 
Commerce): http://www.bxa.doc.gov/Encryption/enc.htm.  
As you can see, nowhere is any mention made of 
supplying code.

In the fairly distant past, however, for exporting 
40-bit products, supplying source code was offered as one 
possibility among others. As you might expect, 
the major publishers always preferred the 
other methods, including the one known as "40-bit vector tests," which
consisted of proving, through a series of examples, that the system 
did indeed operate at a 40-bit security level.

In spirit at least, this method resembles 
the one still required today by the SCSSI for 
authorizations and declarations of general use.

Regards,

Pierre-Henri Frévol
In charge of Crypto affairs
Microsoft France






Andrew Fernandes on NSA back doors

2000-05-27 Thread John Young

Duncan Campbell sends along with permission of Andrew:

Additional comment from Andrew D. Fernandes of Cryptonym 
Corporation  (who discovered the NSA_KEY) on the MS/Campbell
exchange on the NSA_KEY http://cryptome.org/nsakey-ms-dc.htm:


Microsoft's insistence that the second key is there for backup 
purposes is not a satisfying explanation for a number of reasons. 
The reason that the arguments are not satisfying is clear if you 
have experience using dedicated tamper-resistant crypto-boxes.

A dedicated crypto-box internally generates a key pair, exports 
the public key, and then digitally signs designated input whenever 
properly prompted. These boxes are specifically designed to 
NEVER export the private key as plaintext. Furthermore, these 
boxes are designed to destroy their private key if the box detects 
any attempted physical tampering.

The danger with a crypto-box is not only the potential compromise 
of the private key. An almost as great danger is the loss of the 
private key! Consider that a disgruntled employee could destroy 
the private key by merely hitting the crypto-box, sticking a paperclip 
into an input port, or dropping an ice cube on the box... (no, I'm not 
making up the ice cube part - these boxes are usually temperature 
sensitive). What you would have is a very ready denial-of-service 
attack.

Therefore, almost universally, crypto-boxes allow the export of the 
private key in encrypted format. A good crypto-box will even use 
advanced cryptographic techniques called "secret splitting" to split 
the encrypted key into several different parts - one part for each 
senior manager. That way, if the crypto-box is lost or destroyed, a 
new crypto-box can be quickly initialized and utilized.

It is possible that Microsoft's CSP team has a crypto-box that will not 
export the private key even if it is in encrypted or secret-split format. 
If that is true, it would be natural to assume a second backup key 
would be necessary. However, look at this scenario in terms of 
"failure analysis", where the security of the CSP scheme fails if a 
signing key is lost.

There are two signing keys that can load a CSP. If the first key is 
lost, Microsoft could rely on using the second key. If the second 
key is lost, then Microsoft is out of luck, and must patch or upgrade 
every copy of Windows in the world, as well as every CSP it has 
ever signed, all because they did not buy a crypto-box capable 
of data recovery.

Call me draconian, but given the extraordinarily high level of 
cryptographic expertise that Microsoft employs, I would fire the 
design team that presented a CSP signing system based on a 
single backup, rather than data recovery.

So it is rather strange that the CSP signing key (labeled "_KEY") 
has a backup key at all... even more strange that it would be labeled 
"_NSAKEY".

In fact, there is no specific requirement in the BXA's EAR that 
backup keys exist.   That document draws heavily on the 
Wassenaar Arrangement on the export of dual-use goods 
(http://www.wassenaar.org/) for its wording and substance.

-
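
The "secret splitting" backup described in the post above, as an added example that is not part of the original message or any vendor's code: an n-of-n XOR split of an already-encrypted private-key export, one share per manager. The function names, the SHA-256 check value and the sample blob are assumptions made for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed sample: stands in for the *encrypted* private-key export
# that a crypto-box would emit. It is not a real key.
SAMPLE_BLOB = b"constructed-encrypted-key-export:" + bytes(range(32))


def _xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def split_secret(blob: bytes, holders: list[str]) -> tuple[dict[str, bytes], bytes]:
    """Split blob into one share per holder (n-of-n).

    Every holder except the last receives a fresh random pad; the last
    receives blob XOR all pads. Any n-1 shares are uniformly random and
    reveal nothing about blob. Returns (shares, check) where check is a
    SHA-256 digest of blob, used only to detect a bad reconstruction.
    """
    if not blob:
        raise ValueError("nothing to split")
    if len(holders) < 2 or len(set(holders)) != len(holders):
        raise ValueError("need at least two distinct holders")

    shares: dict[str, bytes] = {}
    remainder = blob
    for name in holders[:-1]:
        pad = secrets.token_bytes(len(blob))  # CSPRNG, never random.random()
        shares[name] = pad
        remainder = _xor(remainder, pad)
    shares[holders[-1]] = remainder
    return shares, hashlib.sha256(blob).digest()


def recover_secret(shares: dict[str, bytes], holders: list[str], check: bytes) -> bytes:
    """Recombine all shares and verify the result against check.

    n-of-n means every share is required: a single lost share loses the
    backup, so each share needs its own safe storage.
    """
    missing = [h for h in holders if h not in shares]
    if missing:
        raise ValueError("missing shares from: " + ", ".join(missing))
    lengths = {len(shares[h]) for h in holders}
    if len(lengths) != 1:
        raise ValueError("shares have inconsistent lengths")

    result = bytes(lengths.pop())  # all-zero accumulator
    for h in holders:
        result = _xor(result, shares[h])

    # Constant-time comparison; a mismatch means a wrong or altered share.
    if not hmac.compare_digest(hashlib.sha256(result).digest(), check):
        raise ValueError("share set does not reconstruct the exported key blob")
    return result


if __name__ == "__main__":
    managers = ["manager_a", "manager_b", "manager_c"]  # hypothetical names
    parts, digest = split_secret(SAMPLE_BLOB, managers)
    print("recovered intact:", recover_secret(parts, managers, digest) == SAMPLE_BLOB)
```
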




Re: Critics blast Windows 2000's quiet use of DES instead of 3DES

2000-05-17 Thread John Young

John Gilmore wrote:

There have been allegations that NSA influenced Microsoft's encryption
support (one reason that NSA could afford to relax export controls
could be that they've already subverted the highest volume US
products).  It's pretty well acknowledged that NSA did this to Crypto
AG's hardware products decades ago, and has been reading the traffic
of those who depended on those products.  An eavesdropper doesn't need
to break the encryption if they can break the user interface and make
it lie about whether it is really encrypting.

While John may be speculating about NSA subversion of strong crypto,
specific examples of this would be very helpful. Here are a few firms
for consideration as candidates for today's Crypto AGs besides Microsoft 
(meaning latest products, not those that have been suspected in the past):

Cylink
IBM
Lotus
TIS
RSA
PGP

Perhaps it would be fair to list all firms that are now exporting strong
crypto if John's speculation is accurate.

How to get any compromise out in the open is the question. Presumably, 
secrecy agreements or NDAs are in effect for any complicit firm and its 
employees. We've gotten a couple of anonymous letters recently about 
Cylink but nothing on the others.

Duncan Campbell's exchanges with Microsoft have been squelched
by MS, but one final exchange is in the works which summarizes
what MS has publicly stated and what suspicions remain unanswered.
Similar queries in depth could be made to the other crypto exporters,
if for no other reason than to assure their foreign customers that they
can take and answer hard criticism. Otherwise, suspicions of
complicity may undermine credibility of all US crypto products.




NSA on AES2

2000-05-15 Thread John Young

The National Security Agency has today published
"Hardware Performance Simulations of Round 2 
Advanced Encryption Standard Algorithms," a 55-page
report:

   http://csrc.nist.gov/encryption/aes/round2/NSA-AESfinalreport.pdf  (165K)

Its abstract:

"The National Security Agency is providing hardware simulation 
support and performance measurements to aid NIST in their 
selection of the AES algorithm. Although much of the Round 1 
analysis focused on software, much more attention will be 
directed towards hardware implementation issues in the 
Round 2 analysis. As NIST has stated, a common set of 
assumptions will be essential in comparing the hardware 
efficiency of the finalists. This paper presents a technical 
overview of the methods and approaches used to analyze 
the Round 2 candidate algorithms (MARS, RC6, RIJNDAEL, 
SERPENT and TWOFISH) in 0.5um CMOS-based hardware. 
Both design procedures and architectures will be presented 
to provide an overview of each of the algorithms and the 
methods used. To cover a wide range of potential hardware 
applications, two distinct architectures will be targeted for 
comparison, specifically a medium speed, small area iterated 
version and a high speed, large area pipelined version. 
The standard design approach will consist of creating 
hardware models using VHDL and an underlying library of 
cryptographic components to completely describe each 
algorithm. Once generated, the model can be verified for 
correctness through simulation and comparison to test 
vectors, and synthesized to a common CMOS hardware 
library for performance analysis. Hardware performance 
data will be collected for a variety of design constraints 
for each of the algorithms to ensure a wide range of 
measured data. A summary report of the findings will be 
presented to demonstrate algorithm performance across 
a wide range of metrics, such as speed, area, and throughput. 
This report will provide a common baseline of information, 
which will enable NIST and the community to compare the 
hardware performance of the algorithms relative to one 
another."






Re: jya.com taken down?

2000-05-12 Thread John Young

Cryptome/JYA are down due to a glitch in switching to a
new faster, absolutely never-fail server. Both should be back in 
service today -- barring the Filipino factor.






MS on NSA_KEY in Windows

2000-04-27 Thread John Young

Duncan Campbell has provided a recent exchange of
informative messages with Scott Culp at Microsoft on the 
origin, function and purpose of NSA_KEY in Windows:

   http://cryptome.org/nsakey-ms-dc.htm






Updated A5/1 Paper

2000-04-27 Thread John Young

Adi Shamir has provided "Real Time Cryptanalysis of A5/1 on a PC,"
an 18-page paper by Alex Biryukov, Adi Shamir and David Wagner 
presented at the Fast Encryption Software Workshop in New York City 
on April 10. It is an updated version of the December 1999 preliminary 
draft by Biryukov and Shamir.

HTML:  http://cryptome.org/a51-bsw.htm (text, 55K; 6 images, 156K)

Original Postscript: http://cryptome.org/a5.ps (297K)

Zipped Postscript: http://cryptome.or/a5.zip (104K)




MPAA v. 2600

2000-03-23 Thread John Young

Martin Garbus, an internationally distinguished New York 
attorney, and his firm have been retained by the defense in 
the New York MPAA DeCSS case. Two of the three defendants 
have withdrawn under consent agreements, leaving only the
magazine 2600, which succeeds its publisher, Emmanuel 
Goldstein, as defendant. At a hearing on Monday a trial date 
was set for December 5.

Mr. Garbus has provided an intra-office memo on his firm's
participation and his CV:

  http://cryptome.org/mpaa-2600-mg.htm

Excerpt:

The Firm has been retained in a very interesting and potentially
precedent-setting case involving the DVD industry. It is one of 
the first and most significant cases involving the Digital 
Millennium Copyright Act (DMCA), copyright, fair use, and the 
First Amendment. We represent a journalist who posted a de-encryption 
code on his magazine's website that permits DVDs to be played on DVD 
players without the otherwise necessary authorization software. 

We have been retained to represent Emmanuel Goldstein, a journalist 
who posted DeCSS on his website, 2600.com. The website and his 16 
year-old 2600 Magazine are long-standing and very respected media 
commentators on the Internet and particularly "hackers" and hacking.

As it winds its way through the District Court, the Second Circuit 
and the Supreme Court, this major lawsuit may be the litigation that 
determines:

+ the constitutionality of the DMCA's very broad access prohibitions,

+ the application of the First Amendment to the DMCA and encryption, and

+ the interaction or survival of Fair Use and DMCA 1201 (a)(2)

End excerpt




Cryptome Daily List

2000-03-05 Thread John Young

Cryptome is offering a daily list by e-mail of new items with URLs
added to the archive. Six to ten new items are added daily, some are 
archived at Cryptome, some are available at other URLs. Most of the
items will show brief, salient excerpts as now done at the site.

To subscribe send a blank message from the e-mail address to 
receive the mailing with the subject "list" :

  [EMAIL PROTECTED]

Here's an example:

To: [EMAIL PROTECTED]
From: you@yours
Date: date
Subject: list

To unsubscribe send a blank message from the e-mail address to 
receive the mailing with the subject "unlist" :

Or to sub or unsub just lob a request to [EMAIL PROTECTED]

If you haven't seen Cryptome, here are the identical twins:

   http://cryptome.org
   http://jya.com/crypto.htm





Re: crypto.com

2000-03-01 Thread John Young

Harald Koch wrote:

Do you have it registered with the PTO, or just in the DNS? If the
latter, their next move is probably to have the Internic take your
domain away from you under the current trademark infringement policy.
Beware...

Good point. In fact, an inspired challenge. If the nouveau Crypto.com
attempts to snatch the domain from Matt, what a wonderful public
battle that would be. Oh yes, may that foolish gambit be played.
Matt just might make a couple of hundred thousand to agree
to let them off the hook they've set for themselves. 

But no gentleperson handshake to forget about it. Particularly if
the culprits work daytime at Vodaphone RD, or worse, Crypto.ch.




First Echelon Source

2000-02-25 Thread John Young

Making history: the original source for the 1988 
first Echelon report steps forward

London, Friday 25 February, 2000

By Duncan Campbell

In the circumstances of the extensive worldwide 
political and media attention that is currently 
focussed on the Echelon communications surveillance 
network, I wish to pay tribute to the person who 
first alerted the United States legislature and 
the world to the existence of Echelon.

Following the presentation of my report on Echelon 
and related Sigint systems to the European Parliament 
in Brussels earlier this week, my principal original 
source has said that she may be identified.

I published the first-ever report about Echelon in 
the British political weekly New Statesman on 12 
August 1988. The information about Echelon in that 
report came principally from Margaret Newsham, a 
computer systems manager who is now in retirement.

Margaret Newsham, better known as Peg, was formerly 
employed by a contractor at the National Security 
Agency Field Station at Menwith Hill, Yorkshire, 
England.

Now - finally - 12 years late, CBS has invited her 
to repeat the information we first published in 1988 
on their programme Sixty Minutes, to be shown on 
Sunday evening, 27 February.

-

Full article:

   http://cryptome.org/echelon-mndc.htm



Re: Interesting point about the declassified Capstone spec

2000-02-11 Thread John Young

What is current thinking of the AES finalists on NSA review
of the proposals? Will there be (or has there been), say, overtures 
made to the developers to cooperate with national security and/or
law enforcement requirements?

Or is an alternate, parallel successor to DES underway for that 
dual- or single-use purpose?

Or, or, is there SIGINT technology which gives access despite crypto?
Not the CE kind that's known and sold commercially, but a
means and method out front of open sources.

Yeah, this is asking for classified-at-birth info, but what's the speculation?
A paper or rump session on that at AES New York, or Fast Encryption 
would draw a curious crowd, no? 




Re: Interesting point about the declassified Capstone spec

2000-02-11 Thread John Young

Dan Geer wrote:

I would place a bet that only traffic analysis will remain an
area of sustainable lead, that traffic analysis is the only
area where commercial interests will not naturally marshall
the resources to threaten the lead of the national agencies.

This may well be. However, a writer on UK Crypto pointed
out a couple of days ago that Tempest effects in communications
systems were observed and countered as early as 1884. That's
1884, a mere 116 years ago. And some 32 years before
Yardley and his Black Chamber reportedly invented it --
when it appears that by then several nations knew about 
the threat and kept mum, and kept winning battles over
those who didn't know what they thought they knew. 

There's a good chance that Yardley was briefed by the British 
during his WW1 visit and the Chamber developed a leak -- 
Yardley, who needed the money after his unit was downsized.

Will downsizing NSA produce leaks of amazing technology?
Is it already dribbling into markets, first other federal agencies,
then LEAs, then PIs, then corp-sec, then startups, then
a scandal of congressional interest, then we get it, finally,
with a Skipjack, Capstone, CE, Echelon declass dribbledown.
While the edge stuff eats your liver and brainstem cell by jigger.




MPAA DeCSS Demand

2000-02-08 Thread John Young

Cryptome got a demand letter yesterday from the MPAA Anti-Piracy
Unit to remove DeCSS as well as to immediately perform other 
unnatural acts:

   http://cryptome.org/dvd-mpaa-ccd.htm

A number of responses to the letter have come in which
might be of interest here:

   http://cryptome.org/dvd-mpaa-ccd2.htm

One item we've added to the package is a message from the 
Copy Protection Technical Working Group, an MPAA related 
org, which lists dozens of subscribers to its mail list, including 
familiar cryptographers, attorneys and other faithful servants 
from the world's most cartel-ic .coms, .edus and .orgs.





Re: How old is TEMPEST?

2000-02-05 Thread John Young

We ran across a claim that compromising emanations were
discovered in 1918:

   http://www.tscm.com/TSCM101tempest.html

"TEMPEST was 'invented' in 1918 when Herbert Yardley and 
his staff of the Black Chamber were engaged by the U.S. Army 
to develop methods to detect, intercept, and exploit covert radio 
transmitters. The initial research identified that "normal unmodified 
equipment" was allowing classified information to be passed to the 
enemy through a variety of technical weaknesses. A classified 
program was then created to develop methods to suppress these 
"compromising emanations". However, the actual acronym known 
as TEMPEST was only coined in the late 60's and early 70's (and 
is now considered an obsolete term, which has since, been 
replaced by the phrase "Emissions Security" or EMSEC)."

About the author:

"James M. Atkinson is one of a small number of people who have 
been formally certified and trained by the NSA as a TEMPEST 
Engineer, and Cryptographic Technician. He has extensive 
experience with the design and development of SIGINT systems
to exploit and/or control compromising emanations. Additionally, 
he has many hours of experience working deep inside highly 
classified U.S. and NATO cryptographic, communications, and
computer systems."

Has this claim been seen in any of the Yardley/Black Chamber 
accounts?



Re: DeCSS MPAA New York Opinion

2000-02-04 Thread John Young

Phil,

What happens to your court case when Commerce issues
its letter?

And for those of us who came late to crypto law, when did
you initiate your suit?

Which gives me a chance to say many thanks to you, and Dan 
and Peter, for educating the rest of us not only in how to
effect crypto policy but in showing the persistence, stamina and 
guts it takes to do that -- and, what else, hold a 1.5-time job to boot.

It cost you hard cash and hard time, too, but, were you going
to chase golf balls with that otherwise?



Re: DeCSS MPAA New York Opinion

2000-02-04 Thread John Young

Brad Kemp wrote:

It was interesting to note that the judge stated that
'DeCSS, or some version of it, contain programmer's comments, 
"which are non-executable appendages to lines of executable code"...
Such comments are protected by the First Amendment'
Does this mean that it is legal to post the source code as long
as it is comments?

For those who wish to see them the DeCSS programmer comments 
are Exhibit A of the Hoy Reply Declaration filed in the California case. 
Exhibit B of this declaration is the CSS code which was mistakenly 
filed as an open document and later sealed as the mistake was
publicized. This CSS code was improperly annotated as "DeCSS," 
which may have been one reason it was filed openly. For the
full declaration, as we've posted here previously:

   http://cryptome.org/dvd-hoy-reply.htm  (140K)

The original DeCSS, v1.2a, with comments (a few K in
size) is available at:

   http://perso.libertysurf.fr/dvdrip/rippers_rip.htm

Don't even think of looking at what else is on the site or
you might get hit with an injunction.



DeCSS MPAA New York Opinion

2000-02-03 Thread John Young

Judge Kaplan has issued his Memorandum Opinion in 
the DeCSS MPAA v. 3 suit in New York:

   http://www.nysd.uscourts.gov/courtweb/pdf/00-01149.PDF

We offer an HTML version:

   http://cryptome.org/dvd-mpaa-3-mo.htm

Judge Kaplan aims at settling the code as expression
dispute, citing Bernstein, Karn and Junger cases, and 
the First Amendment loses to Copyright and DMCA Acts.



Re: DVD CCA Emergency Hearing to seal DeCSS

2000-01-26 Thread John Young

Up to 4 PM EST we've had no notice that the file has been "sealed." 

There have been over 26,000 downloads and they are now going out at 
600 per hour.




Re: DVD CCA Emergency Hearing to seal DeCSS

2000-01-26 Thread John Young

This is becoming picayune but:

I'm told that the court has now sealed Exhibits A and B of Hoy's 
declaration. These are the DeCSS notes and the CSS scramble
code. However, the sealing applies only to the paper versions
and will prevent hardcopying.

Denying access to online versions will require some other action.





Re: NSA Declassified

2000-01-24 Thread John Young

Your points are valid for the AIA document. However, in the
Navy document, Number 9, image 3, there is the phrase,
"Maintain and operate an ECHELON site."

Still, you may be right that none of this proves there is a program 
by that name, and it may be only a way of indicating an activity
of a particular kind. (However, I note that the military units assigned
for the various AF and Navy duties described do match what
has been reported about Echelon, as well as what has been
reported about some of those units as well -- several of which 
maintain Web sites for retired and active members.)

I asked Duncan Campbell about the term "Echelon" a while back 
and he said the term was not used in the ordinary military sense 
in the documents he had seen. He showed a sliver of an allegedly 
classified doc (the remainder concealed from me) which had the 
phrase "Echelon 2" on it, among a list of what are described as
data-gathering programs. In that case the word was spelled with
the first letter capitalized. (He said that document is the first proof 
he had seen of what had heretofore only been verbally described.)

That "Echelon 2" sliver is the image he put in his EuroParl report 
of April 1999. On an earlier occasion we pulled out the image and 
put it at:

  http://jya.com/xechelon.jpg


It will be interesting to see what Jeffrey Richelson writes about
"Fear of Echelon" upcoming in the Bulletin of the Atomic
Scientists, as noted on the National Security Archive site. You 
may recall that James Bamford and Steve Aftergood with FAS 
have publicly stated their doubts about the threat of Echelon.
Though Wayne Madsen is a fierce believer in its danger to 
privacy.

Duncan's report for EPIC should be out soon as well, I believe and
maybe he will have new information.

And, we can hope that David Kahn will soon publish what he
has found as resident scholar at NSA. Note that he is on the
National Security Archives board.





Bernstein Asks BXA to Clarify Crypto Regs

2000-01-23 Thread John Young

Cindy Cohn, lead Bernstein counsel, has provided a January 
16 letter to BXA asking for clarification of the new crypto export 
regulations:

   http://cryptome.org/bernstein-bxa.htm

The letter describes at length still unanswered questions
about compliance; requests a formal BXA Opinion -- in public, 
as soon as possible -- and proposes a schedule for
filing briefs with the court in light of the new regulations.





Re: New Encryption Regulations have other gotchas

2000-01-15 Thread John Young

Phil Karn wrote:

I believe the anti-Tempest provisions have been in the export regs
for some time.

Yes, but when did they appear? We're attempting to trace
Tempest's origin -- not easy because of classification of
so much stuff. One classified standard dates to 1967. A
French article on Tempest in December 99 states:

"The initiators of this technique is the Bulgarian secret service
(formed by the KGB) which placed modified vans around 
embassies or important companies."

No date for the initiation. Is the claim accurate?

We've read hints that some of the earliest research concerned
naval vessels whose  metal structure was discovered to be 
acting as unintentional antennas. Then, later, planes, other 
equipment  and architectural/engineering elements of buildings.

We would appreciate information on the history of Tempest.
Not asking for classified/NDA info just dates, say, or what kind of
discoveries led to the technology. And when it went into the
export control regs.

Who knows what emanates compromising information these 
days as the sensitivity of instruments and capabilities of
EM interception and analysis increases.

Thank you very much.






US Cyber Security Plan

2000-01-10 Thread John Young

Thanks to Will Rodger we offer the National Plan
for Information Systems Protection, Executive Summary,
released by the White House on January 7:

   http://cryptome.org/cybersec-plan.htm  (109K)

Zipped:

   http://cryptome.org/cybersec-plan.zip  (32K)




Revised Draft Crypto Regs

2000-01-06 Thread John Young

Stewart Baker offers a Revised Draft of Encryption Export
Regulations, dated December 17, which supersedes that
issued on November 19, and is being circulated among
industry groups for comments:

   http://www.steptoe.com/webdoc.nsf/Files/regs/$file/regs.pdf

We offer an HTML version:

   http://cryptome.org/bxa121799.htm  (48K)






A5/1 Cryptanalysis Paper

1999-12-09 Thread John Young

Adi Shamir has provided "Real-Time Cryptanalysis of 
GSM's A5/1 on a PC, (Preliminary Draft)" by Alex Biryukov 
and Adi Shamir, December 9, 1999:

   http://cryptome.org/a5.ps (Postscript, 292K)





A5/1 Correction

1999-12-09 Thread John Young

Title correction on the A5/1 paper:

"Real-Time Cryptanalysis of the Alleged A5/1 on a PC, 
(Preliminary Draft)"

Note "the alleged" in lieu of "GSM's" used in Adi's initial
announcement.

   http://cryptome.org/a5.ps  (Postscript, 292K)



A5/1 Paper in HTML

1999-12-09 Thread John Young

For those unable to read Postscript we offer the Biryukov- 
Shamir A5/1 cryptanalysis paper in HTML:

   http://cryptome.org/a51-bs.htm  (text, 44K; six images, 163K)



Wassenaar Changes Crypto

1999-12-06 Thread John Young

On December 3 the Wassenaar members approved
changes to the cryptography provisions of the WA:

   http://cryptome.org/wass120399.htm

And enhanced enforcement:

   http://207.96.11.93/press/99/WassEnforce.html






Re: Wassenaar Revises Crypto

1999-12-06 Thread John Young

Oops, you're right. Whatever changes were made on
December 3 this year apparently did not affect cryptography.
Sorry for antsy.

Ulf Möller wrote:

Did they really change anything now? This looks like the December 1998 (!)
list.
 



Hersh on NSA

1999-11-29 Thread John Young

Here's Seymour Hersh's article in The New Yorker 
of December 6 on NSA's troubles with the digital age:

   http://cryptome.org/nsa-hersh.htm  (36K)

Opening:

"The National Security Agency, whose Cold War 
research into code breaking and electronic 
eavesdropping spurred the American computer 
revolution, has become a victim of the high-tech 
world it helped to create. Through mismanagement, 
arrogance, and fear of the unknown, the senior 
military and civilian bureaucrats who work at the 
agency's headquarters, in suburban Fort Meade, 
Maryland, have failed to prepare fully for today's 
high-volume flow of E-mail and fibre-optic 
transmissions -- even as nations throughout Europe, 
Asia, and the Third World have begun exchanging 
diplomatic and national-security messages 
encrypted in unbreakable digital code."





NYC Crypto Talk

1999-11-21 Thread John Young

For those in the NYC-area, Michael Anshel writes:

I'm scheduled to speak to my colleagues in the Physics Dept at 
CCNY some of whom have co-taught with me Quantum Computing 
and Cryptography. The announcement is below.

THE CITY COLLEGE OF
THE CITY UNIVERSITY OF NEW YORK
NEW YORK, NY 10031

DEPARTMENT OF PHYSICS J419
Telephone: 212-650-6832

SOLID STATE SEMINAR

Date/Time: Wed. Nov. 24, 1999 12:15 pm
Place: Room J418

Speaker: Prof. Michael Anshel
Dept. of Computer Sciences, CCNY-CUNY 
Title: Cryptography for Physicists

Abstract: Methods of constructing public key cryptosystems 
via combinatorial group theory.

By all means let interested parties know.

I very much appreciate your help

Michael

http://www-cs.engr.ccny.cuny.edu/~csmma/

PS: My co-workers are my daughter Iris Anshel and her husband (and my 
son-in-law) Dorian Goldfeld. 

cc: 
David Molnar, Bob Karash, Jean-Jacques Quisquater, 
Iris Anshel and Dorian Goldfeld

-

See Anshel's paper, "Constructing Public Key Cryptosystems 
Via Combinatorial Group Theory:"

   http://cryptome.org/pkc-cgt.htm





HTML of Flannery Paper

1999-11-13 Thread John Young

We've completed an HTML version of Sarah Flannery's
paper, except for the Mathematica code; same URL:

   http://cryptome.org/flannery-cp.htm  (48KB with image)

William Whyte suggested that the successful attack on Flannery's 
algorithm carried out by Purser, Flannery and Whyte, appended to 
the original January 1999 paper, might be of interest, as Jim Gillogly 
previously noted.

Double check our transcription of equations with the original images. 
Corrections welcomed.

Joe Author prepared a PDF file of Quisquater's original 18 images and
cut the total file size by half:

   http://cryptome.org/flannery-cp.pdf  (603KB)






Flannery on Cayley-Purser/RSA

1999-11-11 Thread John Young

Thanks to Jean-Jacques Quisquater and Jean-François Misarsky
we offer Sarah Flannery's September 1999 paper on the Cayley-Purser 
Algorithm and her comparison of it to the security and speed of RSA:

  http://cryptome.org/flannery-cp.htm

She concludes that Cayley-Purser is as secure as RSA and some
twenty-two times faster. She describes a successful attack on C-P.

We have converted excerpts to HTML. Eighteen images of the
17-page paper by Quisquater, heavily loaded with equations, tables 
and graphs:

   http://cryptome.org/flannery-cp.zip  (TIF format; 1.2MB)








CAPSTONE Specs

1999-11-01 Thread John Young

Thanks to Anonymous we offer the CAPSTONE (MYK-80) 
Specifications, August, 1995, about 1/3 redacted of parts 
still classified TOP SECRET UMBRA:

   http://cryptome.org/capstone.htm (40K text and 13 images)

Or Zipped:

   http://cryptome.org/capstone.zip (text and images: 298K)

This doc was released in August, 1999.




Bernstein Delay Motion

1999-10-19 Thread John Young

Thanks to Cindy Cohn we offer the USG's motion yesterday
to delay en banc reargument in Bernstein:

   http://cryptome.org/bernstein-mot.htm

A quote:

"The revisions being implemented by the Department of 
Commerce entail extensive changes in the existing terms 
of the encryption export regulations. At this time, the details 
of the revised regulations are under review. One of the 
subjects currently under review in connection with the policy 
update is the regulatory treatment of encryption source code. 
It is possible that the revised regulations will not materially 
change the treatment of source code. But it is also possible 
that the revised regulations will alter the treatment of source 
code in ways that could have a bearing on the constitutional 
issues before this Court.(1) 

(1) In connection with the announcement of the Administration's 
encryption policy update on September 16, the Department 
of Commerce issued a "question and answer" document
regarding the update that indicated, inter alia, that existing 
controls on the export of encryption source code would not
be changed. That document does not reflect the review that 
is currently taking place."

End quote.




Re: IP: IETF considers building wiretapping into the Internet

1999-10-13 Thread John Young

The FCC issued yesterday its detailed definitions of what types of
services are and are not subject to CALEA requirements:

   http://cryptome.org/fcc101299.txt

This was issued in an attempt to answer questions from
respondents about what is a "telecommunications carrier."

Excerpts:

"5. CALEA also makes clear that its requirements do not apply to 
certain entities and services. Subsection 102(8)(C) of the definition 
specifically excludes information services, and the legislative history 
makes clear that CALEA does not apply to private network services:

[T]elecommunications services that support the transport or switching 
of communications for private networks or for the sole purpose of 
interconnecting telecommunications carriers * * * need not meet any 
wiretap standards. PBXs are excluded. So are automated teller 
machine (ATM) networks and other closed networks. Also excluded 
from coverage are all information services, such as Internet service 
providers or services such as Prodigy and America-On-Line.

All of these private network systems or information services can be 
wiretapped pursuant to court order, and their owners must cooperate 
when presented with a wiretap order, but these services and systems 
do not have to be designed so as to comply with the capability 
requirements. 

It is unnecessary to adopt the FBI's recommendation not to use the 
adverb ``indiscriminately'' in clarifying the definition of telecommunications
carrier. The FBI is concerned that the inclusion of this term may allow 
companies that hold themselves out to serve only particular groups to 
undermine CALEA, intentionally or inadvertently, by creating a loophole 
that would permit criminals to use telecommunications providers that 
do not indiscriminately offer their services to the public."

[End excerpts]




Sue MSNSA for Key?

1999-09-07 Thread John Young

Date: Mon, 06 Sep 1999 23:01:46 -0700
From: "Paul E. Merrell" [EMAIL PROTECTED]
Organization: Lawyer
To: "[EMAIL PROTECTED]" [EMAIL PROTECTED]
Subject: Does Microsoft's CryptoAPI key violate U.S. law?

What follows is a copy of my post to a U.S.-based listserv for law
office technical issues:

"Eric C. Grimm" wrote:
 
 The HotMail hole means a lot of fun 
 and games about whether one or more
 privacy causes of action lie against 
 a private entity -- Microsoft.  But if
 this latest NSA rumor turns out to be 
 true, then it appears to be more of a
 straight shot -- fraud, common-law 
 conspiracy, 42 U.S.C. sec. 1983, and 42
 U.S.C sec. 1985 against both Microsoft 
 and NSA.
 
 Any others have thoughts or comments?
 

Assuming the key is a backdoor to intercepted encrypted information,
Microsoft would be walking on very thin ice indeed, but may have severe
legal problems in any event. The federal wiretapping statute is very
clear in its prohibitions against advertising or distributing in
commerce "devices" for intercepting electronic communications.  Except
in very narrowly drawn circumstances, a court order is necessary and
must address the need to intercept communications of a particular
person, and only for a limited time.  See

http://www4.law.cornell.edu/uscode/18/2511.html (prohibitions);

http://www4.law.cornell.edu/uscode/18/2510.html (definitions);

http://www4.law.cornell.edu/uscode/18/2518.html (procedures for
obtaining court order).

So Microsoft's involved officials could be looking at a 5-year criminal
sentence for each distribution of each copy of Win32 **unless** it does
have a valid contract with the government to include the cryptographic
key in question, which seems to defy the statute in any event.  See
e.g., http://www4.law.cornell.edu/uscode/18/2512.html (.)
There is also potential civil liability including punitive damages to
persons whose communications were thereby intercepted,
http://www4.law.cornell.edu/uscode/18/2520.html (,) as well as a remedy
for injunctive relief.  http://www4.law.cornell.edu/uscode/18/2521.html
(.) There are certain affirmative defenses allowed, but the situation
would seem to provide fair grounds for litigation, particularly absent
an actual valid order or contract.

Regarding the NSA's public referral of all relevant questions to the
private companies involved, that referral may be disingenuous.  Under
Section (2)(a)(ii) of 18 U.S.C. § 2511,
http://www4.law.cornell.edu/uscode/18/2511.html (,) assuming Microsoft
**does** have a valid instruction to include the encryption key, any
unauthorized disclosure or discussion of the key's actual purpose would
appear to subject Microsoft to further civil and criminal penalties. We
must discount Microsoft's input on the matter accordingly.

For further background, see also 50 U.S.C. 1801, et seq., the Foreign
Intelligence Surveillance Act of 1978 as amended, which adopts roughly
equivalent procedures, prohibitions, and rights, but which are for the
most part limited to surveillance of non-U.S. citizens. In summary form,
the right of federal intelligence agencies to engage in electronic
surveillance under the act is severely limited when it comes to U.S.
citizens.  

If there is authority in the statutes for the U.S. federal government to
require across-the-board inclusion of decryption keys in software, I did
not find it. The purported authority is a rather expansive reading of
export restriction laws lacking any provisions in apparent conflict with
the more specific prohibitions in the wiretapping statutes. 

The federal encryption export controls for Web browsers appear to cross
the line from limiting the encryption key length to requiring inclusion
of a prohibited "device" for decryption purposes.  In the following
quoted material discussing that issue, I've included some content
required for understanding the discussion that follows of IBM,
Microsoft, and Netscape encryption/decryption keys.  The references for
the quoted material are included as footnotes in the linked article.



39.  From the 1940s to date, NSA has undermined the effectiveness of
cryptographic systems made or used in Europe.  The most important target
of NSA activity was a prominent Swiss manufacturing company, Crypto AG.
Crypto AG established a strong position as a supplier of code and cypher
systems after the second world war.  Many governments would not trust
products offered for sale by major powers.  In contrast, Swiss companies
in this sector benefited from Switzerland's neutrality and image of
integrity. 

40.  NSA arranged to rig encryption systems sold by Crypto AG, enabling
UKUSA agencies to read the coded diplomatic and military traffic of more
than 130 countries.  NSA's covert intervention was arranged through the
company's owner and founder Boris Hagelin, and involved periodic visits
to Switzerland by US "consultants" working for NSA.  One was Nora L
MacKabee, a career NSA 

Euro-Parl Surveillance Reports

1999-08-21 Thread John Young

We offer the European Parliament-sponsored reports which
have been prepared as follow-up to the 1998 "Appraisal of
the Technologies of Political Control."

The four-part series is titled "Development of Surveillance 
Technology and Risk of Abuse of Economic Information 
(an appraisal of technologies of political control)," April and 
May 1999.

Part 1: "The perception of economic risks arising from the 
potential vulnerability of electronic commercial media to 
interception - Survey of opinions of experts. Interim Study," 
by Nikos Bogonikolos: 

   http://cryptome.org/dst-1.htm (158K, English)

Part 2: "The legality of the interception of electronic 
communications: A concise survey of the principal legal issues 
and instruments under international, European and national law," 
by Prof. Chris Elliott: 

   http://cryptome.org/dst-2.htm (42K, English)

Part 3: "Encryption and cryptosystems in electronic surveillance: 
a survey of the technology assessment issues," by Dr. Franck 
Leprévost: 

   http://cryptome.org/dst-3.htm (81K, FR; EN trans invited)

To round out the four parts, we point to the previously published
Part 4: "The state of the art in Communications Intelligence 
(COMINT) of automated processing for intelligence purposes of 
intercepted broadband multi-language leased or common carrier 
systems, and its applicability to COMINT targeting and selection, 
including speech recognition," by Duncan Campbell: 

   http://www.iptvreports.mcmail.com/stoa_cover.htm






PECSENC Says Free Up Crypto?

1999-08-21 Thread John Young

John,

Have you heard about this PECSENC recommendation cited
by Dorothy Denning? I've written the PECSENC administrator
about getting the recommendation. That's Jason Gomberg
[EMAIL PROTECTED]. Could you try from your end?

Thanks, John

--
Date: Fri, 20 Aug 1999 13:49:07 -0400
From: [EMAIL PROTECTED] (Dorothy Denning)
Message-Id: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: Proposed US Export changes?

The President's Export Council Subcommittee on Encryption, of which
I am a member, recommended something to that effect, but I do not know
if the Administration will adopt that recommendation.  The next
meeting is September 29 and perhaps we will learn something then.

Dorothy


From [EMAIL PROTECTED] Fri Aug 20 13:53:36 1999
From: Jeremy Hilton [EMAIL PROTECTED]
To: "'UK Crypto'" [EMAIL PROTECTED]
Subject: Proposed US Export changes?
Date: Fri, 20 Aug 1999 18:17:37 +0100

I have heard in a couple of areas that the US may be considering easing export 
controls whereby crypto can be exported up to the same strength that is 
commercially available in other parts of the world.

Does anyone know if there is any truth in this?

Jeremy





Crypto: Police v. Privacy

1999-07-12 Thread John Young

We offer Nick Ellsmore's exemplary paper, "Cryptology: 
Law Enforcement & National Security vs. Privacy, Security 
& The Future of E-Commerce":

   http://cryptome.org/crypto97-ne.htm  (196K)

It is also available in Zipped .DOC format:

   http://cryptome.org/crypto97-ne.zip  (76K)

For those who don't know, Nick's accomplishments include
discovery and exposure of the notorious Walsh Report on 
AU crypto policy. He is with 3rd Year Information Systems 
& Management, University of New South Wales.






Re: NPR story on crypto...

1999-06-26 Thread John Young

Vin McLelland wrote:
Nice article in USAToday, Will!

You might find it useful to note -- and I'm open for correction on
this from anyone -- that the US Government's Bernstein brief is, I believe,
the first time the Govt has openly acknowledged that the export control
issue is all about sigint -- listening to the legal communications of
citizens and officials of other national, allied and friendly.

There's more brewing on this with PECSENC, if not PEC. Recall
that PECSENC has been directed by the President to come up
with recommendations for a more publicly acceptable crypto policy 
by September under the rubric "Liberalization 2000:" 

Quote from a proposed Federal Register notice by PECSENC:

  The PECSENC has designated an encryption export control 
  experts' group to evaluate and propose an agenda of plausible, 
  incremental reforms as early as next year. The experts' group 
  will consider proposals from the PECSENC, from industry, and 
  from the public. It will recommend proposals it finds worthy of the 
  PECSENC's consideration. The proposals will be considered 
  independently by the PECSENC and modified, adopted, or 
  rejected as the PECSENC chooses.

This is from a report on the May 14 PECSENC meeting:

   http://jya.com/pecsenc051499.htm

There may be more news of this from the PECSENC meeting
today on when the public is to be engaged in this "liberalization"
policy.

What's intriguing is whether PECSENC, now headed by an ex-NSA
honcho, is going to bite NSA's sigint bullet, and recommend that
strong encryption is better for the public interest than natsec snooping,
what with the world now getting its hands on means of strong protection
for conventional telecommunications of text and to a lesser extent 
voice.

This would correspond with the CRISIS report of 1996, which recommended
liberalization on strong crypto and the development of other (unnamed)
technologies for snooping and law enforcement.

The rapid advance of technologies for identification, interception and 
surveillance other than those for text and voice transmissions could 
replace the need for weak crypto.

There are some pretty amazing things being done with Hidden Markov 
Modeling to track patterns for identification, based on a survey of
some 300 patents utilizing the invention in a wide host of applications.






PECSENC Meet

1999-06-10 Thread John Young

Federal Register, 9 June 1999

DEPARTMENT OF COMMERCE 
Bureau of Export Administration 
President's Export Council Subcommittee on Encryption; Open Meeting 

The President's Export Council Subcommittee on Encryption (PECSENC) 
will meet on June 25, 1999, at the U.S. Department of Commerce, Herbert 
C. Hoover Building, Room 3407, 14th Street between Pennsylvania and 
Constitution Avenues, NW, Washington, DC. The meeting will begin at 
9 a.m. and is scheduled to adjourn at 3 p.m. 

The Subcommittee provides advice on matters pertinent to policies regarding 
commercial encryption products. 

Open Session: 9 a.m.-3 p.m. 
1. Opening remarks by the Chairman. 
2. Presentation of papers or comments by the public. 
3. Update on Bureau of Export Administration initiatives. 
4. Issue briefings. 
5. Open discussion. 

The meeting is open to the public and a limited number of seats will be
available. Reservations are not required. To the extent time permits,
members of the public may present oral statements to the PECSENC. The
public may submit written statements at any time before or after the
meeting. However, to facilitate distribution of public presentation
materials to PECSENC members, the PECSENC suggests that public
presentation materials or comments be forwarded before the meeting to
the address listed below: 

Ms. Lee Ann Carpenter, Advisory Committees MS: 3876, 
U.S. Department of Commerce, 15th St. & Pennsylvania Ave, NW,
Washington, DC 20230 

For more information, contact Ms. Carpenter on (202) 482-2583. 

Dated: June 3, 1999. 
Iain S. Baird, Deputy Assistant Secretary. 
[FR Doc. 99-14546 Filed 6-8-99; 8:45 am] BILLING CODE 3510-33-M





Re: Germany Frees Crypto

1999-06-03 Thread John Young

Peter Haefner has provided an English translation of the full 
German statement, "Cornerstones of German Encryption Policy":

   http://jya.com/de-crypto-all.htm






Germany Frees Crypto

1999-06-02 Thread John Young

The German cabinet today released a policy statement on
the unrestricted use of encryption (an English translation 
would be welcome):

   http://www.bmwi.de/presse/1999/0602prm1.html

It says, pardon my German, that for worldwide protection 
against economic espionage and electronic interception 
strongest encryption is to be allowed Germans, and the 
German crypto industry will be supported to develop 
superior products. And, though unrestricted encryption
may mean its increased usage for criminal purposes, the
need for protection of commerce overrides; a report on 
criminal use is to be prepared and submitted within two 
years.

Echelon is not specifically mentioned, but it hovers. France
and Germany, who would have thought they'd feel threatened
by UKUSA.

Thanks to the German online publication Future Zone for pointing:

   http://futurezone.orf.at/futurezone.orf?read=detailid=1513tmp=75421






Junger Reply to Gov Brief

1999-05-27 Thread John Young

We offer Peter Junger's reply to the government's
brief in his appeal to the 6th Circuit:

   http://jya.com/pdj-reply6th.htm

Here's a swell petard hoisting excerpt:

The government has introduced evidence that the use 
of encryption "by foreign intelligence targets 'can have a 
debilitating effect on NSA's ability to collect and report 
critical foreign intelligence' ", but the government has not 
shown that the challenged regulations are an effective means 
of keeping encryption out of the hands of foreign intelligence 
targets. In contrast, Junger has submitted evidence to the 
contrary. 

Vice Admiral McConnell of the NSA, in response to Senator 
Murray's question "with at least 20 million people hooked up 
to the Internet how do U.S. export controls actually prevent 
criminals, terrorists, or whoever from obtaining encryption 
software?" stated that "encryption software distribution via 
Internet, bulletin board or modem does not undermine the 
effectiveness of encryption export controls."  NSA Deputy 
Director Adm. William Crowell repeated the same point to 
Congress, stating that "serious users of security products 
don't obtain them from the Internet." 

The testimony of these two high-ranking NSA officials is 
strong evidence that the regulations restricting the "export" 
of encryption source code on the Internet do not further the 
government's stated interest.

[End excerpt]





Jospin's Crypto coup

1999-05-24 Thread John Young

A report on how 128-bit crypto was liberated in France.

   http://jya.com/jospin-coup.htm

An outfoxed French spook warns, "Free crypto, it will be 
the end of the State."





Re: US spying on Europe

1999-05-18 Thread John Young

The author of the STOA report on Echelon, Duncan Campbell, 
offers the report:

   http://www.iptvreports.mcmail.com/stoa_cover.htm

We offer a zipped version Duncan provided:

   http://jya.com/ic2000.zip  (961K)

There are two others in the series which are now completed
of comparable interest, both of which should be available 
soon if we can get STOA's agreement to allow publication 
prior to their being offered at the STOA site:

(1) The legality of the interception of electronic communications: 
A concise survey of the principal legal issues and instruments 
under international, European and national law, by Chris ELLIOTT, 
Surrey, UK
Final Study, Working document for the STOA Panel, Workplan 1998 - 
98/14/01, EN, April 1999, PE 168.184/part 2/4 

(2) Encryption and cryptosystems in electronic surveillance: 
A survey of the technology assessment issues, by Franck 
LEPRÉVOST, Technische Universität Berlin, Germany
Final Study, Working document for the STOA Panel, Workplan 1998 - 
98/14/01, EN, April 1999, PE 168.184/part 3/4 

The fourth in the series has not been publicized on the 
STOA site.

The person at STOA in charge if anyone wants to encourage
early release:

Frans SCHAERLAEKEN
Parlement Européen
STOA SCH 4/62
L-2929 Luxembourg
E-mail: [EMAIL PROTECTED]

The reason I'm told STOA has not formally released the
documents is that there is considerable dispute within
the European Parliament about informing the public
on the true state of surreptitious electronic surveillance
and other technologies of political control.




PECSENC Docs

1999-05-17 Thread John Young

We offer several documents from the PECSENC meeting
of February 14, 1999:

1. Agenda
2. Members of PECSENC
3. Memorandum on PECSENC Action Plan
4. Executive Summary, PECSENC Meeting Open Session, March 12, 1999
5. Candid Meeting Comments (backdoor algorithms)

   http://jya.com/pecsenc051499.htm

No. 5:

Candid Meeting Comments (backdoor algorithms):

Stewart Baker (ex-NSA Counsel, ex-PECSENC Acting 
Chairman): "McCain's bill [S.768] is stupid, written as idiot 
proof by ignorant people who don't understand that key 
recovery is dead. (Smile.)" (Emphasis in original)

William Reinsch, Undersecretary of the Bureau of Export 
Administration: "The Senate doesn't get it, what we want 
them to do, the House does. (Smile.)"

Several Attendees: "We've got to help them, give them 
[legislators] language that is acceptable. (Knowing nods.)"

William Reinsch: "BXA will recommend to the Justice 
Department that the Bernstein decision be fought, we've 
got to, otherwise encryption export controls are finished. 
(Frown, '... national security ... '.)"

William Crowell, PECSENC Chairman (ex-Deputy DIRNSA): 
"While PECSENC recommendations should formally go through 
the President's Export Council (PEC), we've got access to the 
White House. (Smile)."

Several Attendees: "What will happen if Bernstein prevails, 
source code is exportable but executable code is not? Right, 
all the strong encryption will be developed outside the United 
States. The encryption industry will abandon America. (Gasps, 
groans, grins, eyerolls, poots.)"






PECSENC Docs Date

1999-05-17 Thread John Young

That's docs from the PECSENC meeting of May 14, 1999.

   http://jya.com/pecsenc051499.htm




PECSENC Agenda

1999-05-12 Thread John Young

An updated agenda for the May 14 meeting in DC of the 
President's Export Council Subcommittee on Encryption 
(PECSENC) has been provided by Lisa Ann Carpenter, 
Committee Liaison Officer (202-482-2583):

 Opening remarks by the new chairman, William Crowell 
 (ex-Deputy DIRNSA)

 Encryption initiatives of the Bureau of Export Administration, 
 by William Reinsch

 Overview of the Critical Infrastructure Assurance Office (CIAO) 
 by Jeffrey Hunker, Director

 1:30 Presentation by the office of Senator McCain on his crypto bill

 2:00 Report on Congressional activities

 2:30 Presentations on Bernstein by the two sides, Cindy Cohn and 
 Department of Justice

 3:00 Adjourn (cut back from 5:00 as the FR announced)

Also, a list of PECSENC members was promised but has not yet arrived. 
This information is hard to come by so it will be most welcomed. 
Minutes of past meetings and policy recommendations are elusive too. 
See the one public statement: 

 http://209.122.145.150/PresidentsExportCouncil/PECSENC/pecsenc1.htm

It's shameful and maybe illegal to hide PECSENC information. Recent 
scutbutt was that acting PECSENC chair Stewart Baker (ex-NSA) was 
going to help John Gilmore set up a public web site for PECSENC 
affairs. That accountability initiative appears to have died with 
Crowell's appointment, or to be fair, is more likely being studied 
to slow death to cozzen natsec grizzes -- which fits NSA's MO to 
SIDA misfit crypto naifs.





A5/1 Crack

1999-05-10 Thread John Young

"A Pedagogical Implementation of A5/1," by Marc Briceno, 
Ian Goldberg, and David Wagner.

   http://jya.com/a51-pi.htm

"With COMP128 broken and A5/1 published below, we will 
now turn our attention to A5/2. The latter has been acknowledged 
by the GSM community to have been specifically designed by 
intelligence agencies for lack of security."






1,000 Free Crypto Sites

1999-05-07 Thread John Young

Heeding Hugh Daniels' call today to set up 1,000 US crypto sites
free of unconstitutional export restrictions as provided by the 
Bernstein opinion, we invite contributions of unlimited-strength 
encryption programs and/or links to such programs for a new 
US section for unrestricted cryptography at the International 
Cryptography Freedom site:

   http://jya.com/crypto-free.htm






Shamir's TWINKLE

1999-05-05 Thread John Young

From: Adi Shamir [EMAIL PROTECTED]
Date: Wed, 5 May 1999 09:57:33 +0300
To: [EMAIL PROTECTED]
Subject: Re:  TWINKLE

Hi,
The early version of the paper was quietly circulated to a small
number of factoring experts and colleagues to get their comments. 
I'll probably write an expanded version soon, but in the meantime
I am enclosing in the next email the current version, which is now in
the public domain and can be circulated freely.

Best personal wishes,
Adi.

-

The 12-page paper:

   http://jya.com/twinkle.eps  (370K)

Zipped:

   http://jya.com/twinkle.zip  (79K)




US Brief in Junger v. Daley

1999-04-26 Thread John Young

We offer the US Proof Brief arguing against Peter Junger's 
appeal of the Ohio district court decision:

   http://jya.com/pdj-usa-brief.htm  (109K)




French Crypto Decrees

1999-03-20 Thread John Young

The French Prime Minister signed detailed decrees allowing 
strong encryption on March 17 which were officially published 
yesterday:

   http://jya.com/decret031799.htm  (34K)

They are in French, though brief, and an English version 
would be appreciated.






Call for Contributions

1999-02-04 Thread John Young



We humbly ask for contributions for expenses of operating 
Cryptome http://jya.com/crypto.htm. Checks made to 
John Young:

   John Young
   JYA/Urban Deadline
   251 West 89th Street, Suite 6E
   New York, NY 10024

Thanks very much.







Draft FIPS 46-3 Up

1999-01-20 Thread John Young

Jim Foti at NIST has put the Draft FIPS 46-3 at:

  http://csrc.nist.gov/fips/dfips46-3.pdf (209K)

We offer an HTML version:

   http://jya.com/dfips46-3.htm (49K + 35K images)




France Allows 128 Bit Crypto

1999-01-19 Thread John Young

The French Prime Minister today announced that due to the threat of
espionage and invasion of privacy France will allow encryption 
strength up to 128 bits:


http://www.premier-ministre.gouv.fr/PM/D190199.HTM

[Excerpt; Babelfish English below.]

(c) Le troisième chantier législatif concerne la cryptologie. 
Alors que se développent les moyens d'espionnage électronique, la 
cryptologie apparaît comme un moyen essentiel pour protéger la 
confidentialité des échanges et la protection de la vie privée.

Nous avions, il y a un an, franchi un premier pas vers la 
libéralisation des moyens de cryptologie. J'avais annoncé alors que 
nous en franchirions un autre ultérieurement. Le Gouvernement a, 
depuis, entendu les acteurs, interrogé les experts et consulté ses 
partenaires internationaux. Nous avons aujourd'hui acquis la 
conviction que la législation de 1996 n'est plus adaptée. En effet, 
elle restreint fortement l'usage de la cryptologie en France, sans 
d'ailleurs permettre pour autant aux pouvoirs publics de lutter 
efficacement contre des agissements criminels dont le chiffrement 
pourrait faciliter la dissimulation.

Pour changer l'orientation de notre législation, le Gouvernement a 
donc retenu les orientations suivantes dont je me suis entretenu 
avec le Président de la République :

- offrir une liberté complète dans l'utilisation de la cryptologie ;

- supprimer le caractère obligatoire du recours au tiers de confiance 
pour le dépôt des clefs de chiffrement ;

- compléter le dispositif juridique actuel par l'instauration 
d'obligations, assorties de sanctions pénales, concernant la remise 
aux autorités judiciaires, lorsque celles-ci la demandent, de la 
transcription en clair des documents chiffrés. De même, les capacités 
techniques des pouvoirs publics seront significativement renforcées.

Changer la loi prendra plusieurs mois. Le Gouvernement a voulu que 
les principales entraves qui pèsent sur les citoyens pour protéger la
confidentialité de leurs échanges et sur le développement du commerce
électronique soient levées sans attendre. Ainsi, dans l'attente des
modifications législatives annoncées, le Gouvernement a décidé de
relever le seuil de la cryptologie dont l'utilisation est libre, de 
40 bits à 128 bits, niveau considéré par les experts comme assurant 
durablement une très grande sécurité.

--

English translation by Babelfish:

(c) the third legislative building site relates to cryptology.  Whereas 
develop the means of electronic espionage, cryptology seems an average 
essence to protect the confidentiality from the exchanges and protection 
of the private life.  

We had, one year ago, crossed a first step towards the liberalization 
of the means of cryptology.  I had announced whereas we would cross some 
another later on.  The Government, since, heard the actors, questioned 
the experts and consulted its international partners.  We acquired the 
conviction today that the legislation of 1996 is not adapted any more.  
Indeed, it strongly restricts the use of cryptology in France, without 
allowing besides for the public authorities fighting as much effectively 
against criminal intrigues whose encryption could facilitate the 
dissimulation.  

To change the orientation of our legislation, the Government thus 
followed the following orientations of which I discussed with the 
President the Republic:  

- to offer a freedom supplements in the use of cryptology;

- to remove the obligatory character of the recourse to the third of
confidence for the deposit of the keys of encryption;  

- to supplement the current legal device by the introduction of 
obligations, together with penal sanctions, concerning the handing-over 
with the legal authorities, when those require it, of the transcription 
in light of the quantified documents.  In the same way, the technical 
capacities of the public authorities will significantly be reinforced.  

To change the law will take several months.  The Government wanted that 
the principal obstacles which weigh on the citizens to protect the
confidentiality from their exchanges and on the development of the
electronic trade are raised without waiting.  Thus, in the waiting of 
modification legislative announce, the Government have decide to raise 
the threshold of cryptology of which the use be free, of 40 bit with 128 
bit, level consider by the expert ensure durably a very large safety.

-

Thanks to P for pointing.




Re: Cayley-Purser

1999-01-13 Thread John Young

Clive Feather asked about news of an Irish teenager
who has devised a fast crypto algo.

William Whyte at Baltimore Technologies in Dublin -- 
where Sarah Flannery worked recently and got a 
boost from the cryptographers there -- gave a brief 
rundown on her invention on mail list UKCrypto. 
There's a copy of his remarks at:

   http://jya.com/flannery.htm






Re: Proposed wiretap laws in South Africa

1998-12-14 Thread John Young

Thanks to Alan Barrett for pointing to the provocative
SA wiretap paper. And his critique is apt.

We offer it in HTML:

   http://jya.com/za-esnoop.htm  (364K)

The "Review of Security Legislation" looks at electronic 
surveillance law in several countries -- South Africa, US, UK, 
France, Germany,  the Netherlands, Belgium, Canada and 
Hong Kong, with detailed review of legislation of the last two -- 
as a basis for new legislation to protect against latest intrusive 
technology, or, rather, to restrict its usage to government 
agencies.

Its comparative review of surveillance law is informative
for the way it lays out the similarity of each country's definition of 
the threat of technology -- somewhat to citizen privacy but more
importantly to law enforcement. It notes variations in privacy 
protection law, and finds, for example, US and UK deficiencies 
in that area even as these countries excel in manufacturing
the evil tools. SA sees strong encryption as a challenge to 
authority!

So, as Alan notes, South Africa is joining the crowd in tightening 
controls on technology by proposing that telecomm providers 
make their systems accessible to government (at their own 
expense), emulating the recent US-EU snooping agreement 
advanced by the FBI and Europol.



Re: ANSI standards for block ciphers?

1998-12-13 Thread John Young

This probably refers to the ANSI X9 financial standards 
committee, whose X9F Subcommittee on Data and Information 
Security devises cryptographic standards in cooperation with 
the global financial services community and various standards 
groups. See general info at the X9 home page:

  http://www.x9.org/

Most of the X9F subcommittee portion of the site is restricted to 
members. However, Rich Ankey [EMAIL PROTECTED], who heads, 
or headed, the subcommittee is informative about its workings. There are
sub-subcommittees on "cryptographic tools," "protocols," 
"applications," and "certificates."

See one of Rick's papers "Introduction to Cryptographic Standards," 
at NISSC 97:

   http://www.itd.nrl.navy.mil/ITD/5540/ieee/cipher/cipher-crypto-stds.html

John





Wassenaar/Crypto News

1998-12-09 Thread John Young

A BXA spokesperson said today that the text of the recent 
Wassenaar agreement had been received yesterday and it is 
now being prepared for release on the BXA website 
(www.bxa.doc.gov) maybe by the end of the week but maybe 
not until next week. She said she expected the US to be the 
first to publish the doc, after I cited the WA message below 
from Caspar Bowden.

She also said that the Practising Law Institute (www.pli.edu)
session on encryption controls yesterday was taped and inquiries 
should be made to PLI (a continuing legal ed org) 
1-(800) 260-4PLI. And that Bill Reinsch did not participate in 
the session, only gave the speech on Dec 7 noted here 
yesterday: 

  http://jya.com/war120798-2.htm

A call to PLI (Betty Gray) has not been returned.

From UK Crypto:

From: "Caspar Bowden" [EMAIL PROTECTED]
To: "Ukcrypto (E-mail)" [EMAIL PROTECTED]
Subject: More from Wassenaar Secretariat
Date: Wed, 9 Dec 1998 09:19:09 -
:
:
:

:
:
:

-Original Message-
From: Wassenaar Secretariat [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 08, 1998 16:54
To: Caspar Bowden
Subject: Re: Attn: Dirk Weicke

Mr. Weicke is still away, however, I can assure you that the Secretariat has
been recently authorized by all member states to publish the new Lists on
the web site.  This will be done as soon as possible.  Please be patient, we 
are a very small Secretariat.

Glenn Sibbitt
Special Advisor
WA Secretariat

Caspar Bowden wrote:

 Dear Mr.Weicke,

 We spoke by telephone on Fri afternoon.

 You mentioned that the text and details of the new agreement would be
 published on the Wassenaar website this week.

 I understand that you have been away sick for a few days (my 
 commiserations), but there have been reports from your colleagues 
 that there will in fact be no publication on your Website.

 I'd be most grateful if you could just confirm when publication of 
 details will take place, in particular the "Cryptography Note" detailing 
 key-length limits, and definitions of categories.

 Kind regards
 --
 Caspar Bowden    http://www.fipr.org
 Director, Foundation for Information Policy Research
 Tel: +44(0)171 354 2333  Fax: +44(0)171 827 6534





AU Wassenaar

1998-12-07 Thread John Young

From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc: [EMAIL PROTECTED], [EMAIL PROTECTED]
Date: Mon, 7 Dec 1998 16:58:49 +1000
Subject: Wassenaar changes


[OK to repost to crypto lists and Cryptome - dant]

I spoke this afternoon with one of the Australian delegates at the
Wassenaar meeting, an official from the Dept of Foreign Affairs and Trade
(DFAT).

Speaking off the record, they confirmed the changes at Wassenaar are pretty
much as we know already:
 - NEW CONTROLS on mass market crypto products (hardware and software);
 - DEREGULATING all weak encryption products using key lengths up to 56
 bits;
 - EXEMPTING mass market software where the key length is 64 bits or
 less;
 - EXTENDING the same mass market exemption to hardware for the first
 time;
 - EXCLUDING encryption products that protect intellectual property,
 such as digital watermarking;
 - NO DECISION was made about regulating 'intangible' distribution of
 technology, including Internet downloads.

Apparently in the short term the intangibles issue is being considered in
other fora (including the Nuclear Suppliers Group (NSG) which includes
Australia thanks to Filthy Jabilucre et al).

It is still not clear whether the new restrictions are intended to stop
public domain software such as PGP*. The DFAT contact said there was no
discussion about an intention to stop public domain packages like PGP. They
did not think public domain was being restricted. Yet apparently the
Australian DoD has expressed the David Aaron view that public domain is
subject to the same restrictions as mass market.

* PGP is "in the public domain" for the purposes of Wassenaar/DSGL, since
the definition states:
 "in the public domain" (GTN NTN GSN), as it applies herein, means
 "technology" or "software" which has been made available without
 restrictions upon its further dissemination (copyright restrictions do
 not remove "technology" or "software" from being "in the public
 domain")

Note: there is no equivalent definition for "mass market", but the General
Software Note (GSN) states it thus:
 Generally available to the public by being:
1. Sold from stock at retail selling points, without restriction,
by means of:
  a. Over-the-counter transactions;
  b. Mail order transactions; or
  c. Telephone order transactions; and
2. Designed for installation by the user without substantial
support by the supplier;

Dan
=
Dan Tebbutt, Technology Journalist, Melbourne Australia
Australian Personal Computer (http://www.apcmag.com)
LAN Corporate IT (http://www.lanlive.com)
The Australian (http://www.newsit.com.au)
Ph: +61-3-9347-8893 Fax:+61-2-9264-6320
Email: [EMAIL PROTECTED]
"The revolution will be televised ... on pay-per-view."




Wassenaar Statement

1998-12-04 Thread John Young

The Secretariat of The Wassenaar Arrangement has issued
brief public docs on the recent meeting:

   http://jya.com/wa-state98.htm

Only one brief mention of encryption:

 "8. The WA agreed control list amendments to take into account 
  recent technological developments. The amendments to the lists 
  included elimination of coverage of commonly available civil 
  telecommunications equipment as well as the modernisation of 
  encryption controls to keep pace with developing technology and 
  electronic commerce, while also being mindful of security interests. 
  Participating States also discussed the potential need for the WA 
  and national export control authorities to respond quickly and 
  effectively to the emergence of new technologies."

Which appears to confirm that each state will implement and
announce its encryption policy as it sees fit. The US has jumped
to proclaim to its constituencies that it has won.

Though it's the secret agreements that remain to be publicized.
Note the gaps in the public docs and dissimulative assurances.

We also offer a recent related message from Denmark on its 
fluid crypto policy:

   http://jya.com/dk-crypto98.htm





Rivest Patent

1998-11-13 Thread John Young

Ron Rivest received on November 10 "US Patent 5835600: 
Block encryption algorithm with data-dependent rotations:"

   http://jya.com/rivest111098.htm  (22K)



Info Age Crime Terror and War

1998-11-13 Thread John Young

Senator Kyl has issued a long report, "Crime, Terror & 
War: National Security and Public Safety in the Information
Age," which recounts his Subcommittee's hearings and 
recommendations on encryption, Y2K, terrorism, info war,
domestic preparedness, wiretap, and more:

   http://jya.com/ctw.htm  (97K)

It describes a plan to combat threats to critical infrastructure
and the US homeland which, if implemented, would criminalize
much held dear to a few of this list's subscribers; other lurkers
will be overjoyed to read Kyl coming to the rescue of careers 
and budgets of MIB and their suppliers of technologies of
political control. 

He wants DoD to get cracking on domestic protection, move over 
piddling LEA. Civil liberties, nonsense. Crypto genie out of the bottle, 
more nonsense. Getting government access to encrypted 
communications, you bet. Through commercial products, yep.

Thanks to FT for forwarding.