RE: more re Encryption Technology Limits Eased

1999-09-20 Thread Trei, Peter



> --
> [EMAIL PROTECTED][SMTP:[EMAIL PROTECTED] wrote:]
> Subject:  Re: more re Encryption Technology Limits Eased
>
> Bill Simpson said:
>
> > - We just learned a few weeks ago that every copy of Windows has a secret
> > NSA key.  We don't know why.  Remember the Lotus Notes secret NSA key
> > fiasco that got us in trouble with the Swedish government?  How can we
> > ever compete, when nobody trusts our software?
>
> Just because I was in the middle of this and am personally sensitive to
> misinformation circulating about this, let me clarify the facts about
> this:
>
> Lotus Notes has since January '96 contained an NSA Public key. It has never
> been a secret. Lotus issued a press release about it at the RSA Conference
> that January and I posted a copy of that press release to cypherpunks. I
> also described it in a talk I gave at Lotusphere. It is there in support
> of the best deal we could negotiate with NSA whereby we were allowed
> to use 64 bit keys in the export version if we encrypted 24 of
> those bits under the NSA public key so that if they wanted to break a
> message they would only face a 40 bit workfactor. It is not used for
> communications between two copies of the domestic version of the product.
> The result was encryption that was as secure against the U.S. government
> as any that could legally be exported and more secure against other
> attackers.
>
> But no good deed ever goes unpunished. Periodically someone stumbles
> across that press release and reveals it as though it were some
> secret revelation. There was a PR problem in the Swedish press,
> and more recently when it was cited in a European Commission report
> on Echelon.
>
> --Charlie Kaufman
 
I concur with Charlie. It was announced at the conference,
and the press release was posted, and the issue discussed
to death on cypherpunks. It led me to coin the
term 'espionage enabled' to describe this class of 
weakened security (this was before I came to work for my
current employer).

I've been slightly bemused by the Swedish government's
claims to have discovered some deep, dark secret. What
it really shows is that government's failure to do
due diligence.

Peter Trei
[EMAIL PROTECTED]

Disclaimer: I am not speaking for my employer.







RE: more re Encryption Technology Limits Eased

1999-09-19 Thread Jay Holovacs

At 10:26 PM 9/17/1999 +0100, Antonomasia wrote:
> From: Lucky Green [EMAIL PROTECTED]
>
> > after he began talking about some very curious, very complex, very
> > undocumented instruction he discovered in late-model CPU's. Instructions
> > that will put the processor into a mode that makes OS protections
> > irrelevant.
>
> This is scary.  It could be time to hoard antique computers.


I would like to see some discussion of what are the actual possible CPU
subversions. All the obvious subversions would seem to require a
cooperating OS. In many ways, CPUs seem to be limited as targets since they
see only opcodes and databytes; it certainly would not 'know' it was
working on cyphertext any more than it would know it was recalcing a
spreadsheet or calculating a pixel.

A compromised OS could, of course, be saving keystrokes to a file, or
sending them out in packets. But the CPU does not see files or packets or
keystrokes, only individual opcodes.

The only obvious effective subversions I can think of off hand are:

RNG (can be potentially countered by replacing with trusted software)

Radiation of signal for TEMPEST. (Since the CPU cannot determine what it is
actually doing, it would have to radiate its entire operation
stream...hundreds of millions of ops per second, mostly doing background
stuff. Without a cooperating compromised OS, it would be up to the attacker
to sort out the meaningful from the noise...not an easy task...especially
if there are 2 or more units located in close proximity).

With all the techies on this list, I would like to hear other types of CPU
attacks discussed so we can anticipate problems. What would these
'specialized' opcodes look like?

jay





RE: more re Encryption Technology Limits Eased

1999-09-19 Thread Antonomasia

Jay Holovacs [EMAIL PROTECTED]:

> I would like to see some discussion of what are the actual possible CPU
> subversions. All the obvious subversions would seem to require a
> cooperating OS...

Pure speculation, but what if copying a certain 256-bit string caused the
program counter to pick up execution after that string ?  Then practically
every program would have an exploitable buffer overflow detectable and
useable only by those with the secret key.

Combine that with disabling protected memory in the processor and all
those overflows are remote root exploits, perhaps triggered by a single
ICMP packet.

--
##
# Antonomasia   [EMAIL PROTECTED]  #
# See http://www.notatla.demon.co.uk/#
##



Re: more re Encryption Technology Limits Eased

1999-09-19 Thread William Allen Simpson

Zombie Cow wrote:
> Or start producing Open Sourced CPUs and motherboards.
>
> IBM has an Open Source PPC motherboard, and here's an
> article referring to an Open Source CPU by Sun:
>
> (Well, they're not really "Open Source", but still, open enough..)
> (Search www.techweb.com for the source URL, I don't have it here.)
 
I rather like this direction.  The PowerPC chips seem well suited to
practical crypto on firewalls and servers.  They have good support for
both little endian (think MD5), and big-endian (think SHA1), and the
new AltiVec stuff may be great for running a large number of
Diffie-Hellman operations.

On the other hand, having the actual CPU source, we could stop worrying
about Intel's ID gaffes, and RNG support, and "know" it is built correctly.

Either way, the crypto community needs to come together and have a plan!



On the original topic of this thread, I talked to my congresscritter today,
and she'll talk to Zoe Baird and others.  I think she understood the
implications of the secret court evidence.  And she was very surprised to
learn about the quotes about no "relaxation" from the press conference.

They're on recess at the moment, from the hurricane, so this is a good time
to catch them at the local office.  Talk to yours!  Especially if they were
signed on as co-sponsors of SAFE (look it up in Thomas or thru CDT).

Again, the crypto community needs to educate (as best we can) the
legislators, to dispel some of the murk that's coming down from the
administration.  Personal contact would do a lot for our community.

You need to think of a good local hook to get their attention, tho.
Some of mine were:

 - That Detroit teachers strike 2 weeks ago was technically illegal,
   even though they had no contract.  Our state law requires that they go
   to work even without pay.  They are "lawbreakers", and their cell phones
   could be tracked and calls recorded, and their computers searched to
   uncover the "conspiracy".  (As the former A2 school board president,
   she got that right away.)

 - Do we trust the same people that lied to the Attorney General about
   snipers and use of incendiaries for Waco, with telling the truth and
   always getting proper warrants?  Haven't we had this problem before
   with J Edgar, civil rights, union busting, and secretly spying on
   congress members?

 - We just learned a few weeks ago that every copy of Windows has a secret
   NSA key.  We don't know why.  Remember the Lotus Notes secret NSA key
   fiasco that got us in trouble with the Swedish government?  How can we
   ever compete, when nobody trusts our software?

 - The prohibition against revealing key recovery techniques could make
   me a criminal.  Do you want to see me go to jail?

 - We have a whole lab of people that break smart cards and such at U-Mich.
   Should they go to jail?

[EMAIL PROTECTED]
Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32



RE: more re Encryption Technology Limits Eased

1999-09-17 Thread Lucky Green

Declan wrote:
[Various quality information elided]
> What I found most interesting was what Attorney General Reno said
> about the
> government's cryptanalysis abilities. When asked if she can break strong,
> 64 bit equivalent crypto, she said, "We have carefully looked at this and
> think it's possible," and declined to add details.

Sure. With an n-billion dollar budget, breaking 64 bits is real-time. In
addition, the USG has been leaning heavily on hardware manufacturers to add
backdoors to the underlying hardware. God only knows what they worked out
with some OS vendors. Anybody exploring this gets leaned on even harder.
Just ask a certain Australian university professor how things went for him
after he began talking about some very curious, very complex, very
undocumented instruction he discovered in late-model CPU's. Instructions
that will put the processor into a mode that makes OS protections
irrelevant.

I could give a few more examples, but I am under informal NDA on them. I am
working on demonstrating some of the claims. [The problem here is that I
have limited time and resources. The feds and manufacturers can spend
millions on inserting backdoors. There is no budget and no paying
constituency for exposing these backdoors. So the fight is between millions
of dollars and hundreds of engineers vs. a few of us and our spare time.
Which makes it impossible to expose all the backdoors that exist]. And when
one finds such a backdoor, even some of the more clueful won't believe it is
a deliberate backdoor without an accompanying video tape recording of the
NSA rep discussing the insertion of the backdoor with the manufacturer.
"NSAKEY"? "Oh, no, that couldn't possibly be the NSA's key. It is just a
backup key with an unfortunate name". If well-known crypto experts are that
trusting, what would convince the public or the press?

What I found most interesting about today's announcement was not that it was
largely content-free with respect to crypto export regulations and the fifth
or sixth such content-free "crypto deregulation" announcement that I can
remember causing the exact same predictable reactions by the press and the
less operationally savvy. No, what I find interesting is that so far
everybody missed the one paragraph in the announcement that actually offered
new information about the USG's insidious objectives.

I presume this oversight on part of the analysts is due to the fact that
most readers didn't understand what the paragraph I am referring to was
saying. Or perhaps they were too psyched about the "crypto deregulation"
lead-in to read to the end of the document.

"  Protect sensitive investigative techniques and industry trade secrets
   from unnecessary disclosure in litigation or criminal trials involving
   encryption, consistent with fully protecting defendants' rights to a
   fair trial."

Having just read the proposed bill, what this paragraph refers to is that
under the proposed bill, LE will be able to enter evidence gathered by means
of factory-installed backdoors, intrusion, and other means without needing
to disclose to the defense or the Jury how this evidence was obtained. All
it takes is for the prosecutor to convince the judge (in the absence of the
defendant and his counsel) that disclosing the means of obtaining the
evidence would endanger future investigations or national security.
Shouldn't be too tough, given how effective The Briefing has been in the
past.

Suddenly, we have a legal situation in which a defendant is no longer allowed
to even *mention* in the court room that the plaintext evidence presented by
the prosecution may be questionable.

"Officer, would you please explain to the Jury how you determined that the
random gibberish on the defendant's hard drive decrypts to "I sold 5 kg of
cocaine"?
"Counsel, you are out of order! Members of the Jury, you will ignore the
question".

This from an attorney I bounced my analysis off:
"They want to be protected from being forced to reveal holes
or techniques as part of criminal or civil trials - e.g., defense attorneys
can't cross-examine prosecution witnesses about the source of their
evidence, it will simply appear before the jury without explanation or
authentication. An LEO will appear and announce that "the defendant sent
this message, which says he wanted to do terrible things" without
disclosing whether the message (which had been sent encrypted) was turned
into plaintext by the feds because they'd compromised the local machine, or
by compromising the software at the manufacturer, or by a brute-force
crack, or [...] whatever."

That's the real, and only, news in today's announcement. Under the
Whitehouse proposal, FISA-court rules will apply to any trial involving
decrypted evidence or any other evidence obtained by means of backdoors or
system compromises. If that isn't scary to supporters of a society based on
the rule of law, then I don't know what is.

--Lucky




RE: more re Encryption Technology Limits Eased

1999-09-17 Thread Declan McCullagh

Lucky, actually not everyone missed it. It's our top story on Wired News
this morning.

http://www.wired.com/news/news/politics/story/21810.html
  Decoding the Crypto Policy Change
  3:00 a.m. Why did the White House suddenly change its mind on
  regulating encryption? It couldn't be because the NSA has
  changed its spying agenda. Or could it? A Wired News
  perspective by Declan McCullagh.

-Declan


At 23:07 9/16/1999 -0700, Lucky Green wrote:
> less operationally savvy. No, what I find interesting is that so far
> everybody missed the one paragraph in the announcement that actually offered
> new information about the USG's insidious objectives. [...]
>
> "  Protect sensitive investigative techniques and industry trade secrets
>    from unnecessary disclosure in litigation or criminal trials involving
>    encryption, consistent with fully protecting defendants' rights to a
>    fair trial."
>
> Having just read the proposed bill, what this paragraph refers to is that
> under the proposed bill, LE will be able to enter evidence gathered by means
> of factory-installed backdoors, intrusion, and other means without needing
> to disclose to the defense or the Jury how this evidence was obtained. All






Re: more re Encryption Technology Limits Eased

1999-09-17 Thread Robert Hettinga


--- begin forwarded text


Date: Thu, 16 Sep 1999 16:08:10 -0700
To: [EMAIL PROTECTED]
From: John Muller [EMAIL PROTECTED]
Subject: Re: more re Encryption Technology Limits Eased
Sender: [EMAIL PROTECTED]
Reply-To: John Muller [EMAIL PROTECTED]

You can now find a fuller set of White House materials, including the press
statement and fact sheet on the crypto export policy and a fact sheet and
letter to Congress on the Cyberspace Electronic Security Act, at
http://www.pub.whitehouse.gov/search/white-house-publications?everything+%3Eyesterday+%3D200+.
This URL is probably only good for one day.


John Muller
[EMAIL PROTECTED]
[EMAIL PROTECTED]

"Just because it's simple doesn't mean it's easy"



--- end forwarded text


-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



Re: more re Encryption Technology Limits Eased

1999-09-17 Thread Declan McCullagh

You can find all that and more already archived at www.epic.org and
www.cdt.org.

-Declan


At 08:54 9/17/1999 -0400, Robert Hettinga wrote:
> To: [EMAIL PROTECTED]
> From: John Muller [EMAIL PROTECTED]
> Subject: Re: more re Encryption Technology Limits Eased
> Sender: [EMAIL PROTECTED]
> Reply-To: John Muller [EMAIL PROTECTED]
>
> You can now find a fuller set of White House materials, including the press
> statement and fact sheet on the crypto export policy and a fact sheet and
> letter to Congress on the Cyberspace Electronic Security Act, at
> http://www.pub.whitehouse.gov/search/white-house-publications?everything+%3Eyesterday+%3D200+.
> This URL is probably only good for one day.





RE: more re Encryption Technology Limits Eased

1999-09-17 Thread Rodger, William


Lucky wrote:

> What I found most interesting about today's announcement was not that it
> was
> largely content-free with respect to crypto export regulations and the
> fifth
> or sixth such content-free "crypto deregulation" announcement that I can
> remember causing the exact same predictable reactions by the press and the
> less operationally savvy.

Many operationally and politically savvy people still think
yesterday was important. I guess we're just clueless, too.

> No, what I find interesting is that so far
> everybody missed the one paragraph in the announcement that actually
> offered
> new information about the USG's insidious objectives.
 
That's one explanation for the coverage. I don't think it's quite right,
however.

I personally telegraphed those concerns by quoting David Sobel of EPIC who
said he feared industry and government would hop in the sack if the FBI got
the tech center it wants. The whole reference was one sentence.

How, you ask, could I be so glib? So superficial? One simple reason: reader
interest. 

I couldn't, for the life of me, sell my boss on the idea of explaining all
the back doors and traps that might be inserted into code for yesterday's
story. That goes well beyond the scope of a mainstream news outlet when it's
already running one piece on a new, complex proposal. Tech pubs are, of
course, another question.

Consider:

1 -- Most general-interest readers frankly won't read a full explanation of
the problem. It's far too arcane. (Those shocked by such widespread
ignorance may clear throats and scowl here.)

2 -- The issue is clearly going to be around for a long, long time. So
what's the rush?

If experience is any teacher, this whole issue of trade secrets will either
resolve itself quickly (no, no, says Ms. Reno, that's not what we meant,
let's clarify the language) or, far more likely, become the new
battleground.

I'd look for analysis on the issue further down the road.

Will Rodger
USATODAY.com




RE: more re Encryption Technology Limits Eased

1999-09-17 Thread Antonomasia

From: Lucky Green [EMAIL PROTECTED]

> after he began talking about some very curious, very complex, very
> undocumented instruction he discovered in late-model CPU's. Instructions
> that will put the processor into a mode that makes OS protections
> irrelevant.

This is scary.  It could be time to hoard antique computers.


> "  Protect sensitive investigative techniques and industry trade secrets
>    from unnecessary disclosure in litigation or criminal trials involving
>    encryption, consistent with fully protecting defendants' rights to a
>    fair trial."
>
> Having just read the proposed bill, what this paragraph refers to is that
> under the proposed bill, LE will be able to enter evidence gathered by means
> of factory-installed backdoors, intrusion, and other means without needing
> to disclose to the defense or the Jury how this evidence was obtained.


But how new is this in real practical terms ?

Suppose an incriminating message is produced in evidence as a set of
ciphertext, plaintext and key.

  "We found this on Mr Green's disk, and you can see the files yourselves
   on his disk which we've been holding for several months.   And he can't
   produce an alternative decryption."

  "That was not on my disk at or before the moment you seized it."

  "What ?  It's here visible isn't it ?  We have all the forms signed by
   officers showing this never left the sealed bag from time X to now."

That conversation seems possible to me even before the recent announcement.

(I could rant about audit trails and the difference between error and
dishonesty in the context of ISO 9000 audits.  Many of the auditors I have
met had no idea what was really evidence of (non)compliance and didn't always
understand what they were auditing against.)

--
##
# Antonomasia   [EMAIL PROTECTED]  #
# See http://www.notatla.demon.co.uk/#
##



Re: more re Encryption Technology Limits Eased

1999-09-16 Thread John Gilmore

Dave Farber:
> As I said, the devil is in the details.

Let me agree.  Remember when the Administration said it was giving
industry what it wanted -- transferring crypto exports to the Commerce
Dept?  And when later "industry" worked out a deal so they could "easily"
export key-recovery products, only to discover that in the final regs 
and procedures it really wasn't so easy?

There's a vague and undefined term in the press leaks so far:

One-Time Technical Review

What does this mean?  It appeared in some early crypto liberalization
bills floated in Congressional committees.  Does it mean:

*  On the same day that you first put your encryption invention
   on your web site, you have to send a binary copy to the NSA?
or: *  BEFORE you post your encryption invention on your web site,
   you have to send a copy to NSA?
or: *  BEFORE you post it, you have to send a copy to NSA -- AND THEN WAIT
   until they say you can export it?
or: *  BEFORE you post it, you have to send the source code to NSA --
   and rather than a mere delay, they have the option to respond
   by telling you that you just can't export it?
or: *  You can't post it at all -- you need to provide details about
   each person who receives it, and you don't know that about the
   people who download it.
or: *  infinite variations

We'll only really know once the regulations are published, which is
rumored to be in a few months.

John



Re: more re Encryption Technology Limits Eased

1999-09-16 Thread Tom Weinstein

John Gilmore wrote:
>
> There's a vague and undefined term in the press leaks so far:
>
> One-Time Technical Review
>
> What does this mean?  It appeared in some early crypto liberalization
> bills floated in Congressional committees.

Based on my previous experience with the export process, here's what I think
this means:

  You have to tell the NSA what you're doing and let them think
  about it for a while.  You'll have to answer any questions they
  have, but they aren't likely to ask for source code.  It's not
  something you want to do the week before you ship.  It's a process
  that's likely to take a couple months and involve more than one
  face to face meeting with NSA people.

Of course it may mean something completely different.  I've been surprised by
what the NSA does more often than not.

-- 
What is appropriate for the master is not appropriate| Tom Weinstein
for the novice.  You must understand Tao before  | [EMAIL PROTECTED]
transcending structure.  -- The Tao of Programming   |



Re: more re Encryption Technology Limits Eased

1999-09-16 Thread Steve Cook

When we got an export license for Stronghold earlier this year (don't ask),
the process consisted of filling out an application form listing the types
of encryption and ciphers supported, key sizes supported, etc., then
answering a few follow-up questions of that sort from some NSA staffer, and
then pestering them for 5 or 6 weeks until they provided a response. No
source code review. 

--Steve Cook

At 01:27 PM 9/16/99 -0700, Tom Weinstein wrote:
> John Gilmore wrote:
> >
> > There's a vague and undefined term in the press leaks so far:
> >
> > One-Time Technical Review
> >
> > What does this mean?  It appeared in some early crypto liberalization
> > bills floated in Congressional committees.
>
> Based on my previous experience with the export process, here's what I think
> this means:
>
>   You have to tell the NSA what you're doing and let them think
>   about it for a while.  You'll have to answer any questions they
>   have, but they aren't likely to ask for source code.  It's not
>   something you want to do the week before you ship.  It's a process
>   that's likely to take a couple months and involve more than one
>   face to face meeting with NSA people.
>
> Of course it may mean something completely different.  I've been surprised by
> what the NSA does more often than not.


--
Steve Cook   e-mail: [EMAIL PROTECTED]
C2Net Software, Inc.   http://www.c2.net/
1440 Broadway, Suite 700fax: 510-986-8777
Oakland, CA 94612 USA  tel: 510-986-8770 Ext. 312




Re: more re Encryption Technology Limits Eased

1999-09-16 Thread Declan McCullagh

John,

I buttonholed William Reinsch, Commerce Dept undersecretary, outside the
White House briefing room a few minutes ago. I happened to ask him the same
question you bring up here: What's up with that one-time technical review?

Things were crowded and noisy, but here's what I learned. (The BXA regs are
still being drafted and are supposed to be published in the Federal
Register no later than December 15.)

Products <= 64 bit or equivalent are generally decontrolled except for:

1. Can't export to Cuba, Iran, Iraq, Libya, N.Korea, Sudan, Syria, and
2. A one-time technical review is STILL REQUIRED. That process is supposed
to take not more than a few months. According to Reinsch, such a review is
closest to your:
> or: *  BEFORE you post it, you have to send a copy to NSA -- AND THEN WAIT
>    until they say you can export it?

It's unclear to me whether they'll require source. DoD's Hamre simply said
it would have to be a "meaningful" review and said providing a product
brochure just isn't good enough.

Also, the regs differentiate between "retail" and "custom" products.
Reinsch: "There are differences in the way it will be treated." When asked
whether, say, shrinkwrapped software available at CompUSA would be
automatically treated as retail, Reinsch replied, "It's more complicated
than that."

Products > 64 bit or equivalent are still controlled under EAR but can be
exported through a license exception under these circumstances:

1. Feds get one-time technical review, and
2. You must file post-export reports with Commerce Dept, and
3. Can't export to Cuba, Iran, Iraq, Libya, N.Korea, Sudan, Syria, and

If the destination is a permissible foreign government or a state entity
such as a telecom firm, I believe you must also satisfy these conditions:

4. Product must not "require substantial support" (think technical
support), and
5. Product must be "sold in tangible form or have been specifically
designed for individual consumer use"

For each version of a new product (I gave Reinsch example of PGP 10.0.0.0
and 10.0.0.1), you have to submit it and wait for a new "one-time"
technical review.

Also, I asked Reinsch if "end users" include distributors such as computer
stores in foreign countries. He said yes, and that they're not trying to
pull a fast one.

What I found most interesting was what Attorney General Reno said about the
government's cryptanalysis abilities. When asked if she can break strong,
64 bit equivalent crypto, she said, "We have carefully looked at this and
think it's possible," and declined to add details.

DoD's Hamre said that there would be a big chunk assigned to cryptanalysis
R&D in DoD's requested FY2001 budget but added "some of the parts you may
be interested [in] I can't discuss." (I wouldn't necessarily read much into
this. It could simply be a face-saving move.)

Finally, Reno indicated that this kind of cryptanalysis may not be enough
-- and legal requirements such as mandatory key escrow may be necessary.
She said:

"This legislation does not provide any new authority for law enforcement to
be able to obtain usable evidence from criminals. We will continue to
operate under our existing authorities and attempt to meet the threat of
the criminal use of encryption. We are hopeful that these existing
authorities will prove sufficient."

Here's hoping...

-Declan

More:
http://www.wired.com/news/news/politics/story/21790.html
http://www.wired.com/news/news/politics/story/21786.html





Re: more re Encryption Technology Limits Eased

1999-09-16 Thread Steven M. Bellovin

In message [EMAIL PROTECTED], Declan McCullagh writes:
> What I found most interesting was what Attorney General Reno said about the
> government's cryptanalysis abilities. When asked if she can break strong,
> 64 bit equivalent crypto, she said, "We have carefully looked at this and
> think it's possible," and declined to add details.
>
> DoD's Hamre said that there would be a big chunk assigned to cryptanalysis
> R&D in DoD's requested FY2001 budget but added "some of the parts you may
> be interested [in] I can't discuss." (I wouldn't necessarily read much into
> this. It could simply be a face-saving move.)

This isn't at all improbable -- just do the math.

Deep Crack cost $250,000; it works against a 56-bit cipher.  Multiply that
by 256 and you get $64,000,000 -- hardly a preposterous increase in NSA's
budget.  Sure, they want faster results; they'll also have economies of
scale, processors faster than 40 MHz, etc.
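The two back-of-the-envelope calculations in this thread, Charlie Kaufman's 24-of-64 escrowed key bits leaving the NSA a 40-bit workfactor and Steve Bellovin's 256 x $250,000 scaling of Deep Crack to a 64-bit cipher, made explicit as an added Python work-factor model (this is example code, not anything a poster wrote). The Cracker type, the function names and the 56-hour baseline run time are this example's own assumptions; only Deep Crack's $250,000 and 56 bits come from the thread, and the model generalizes to any key length and escrow split.

```python
"""Brute-force work-factor model (added example, not code from the thread)."""
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class Cracker:
    """A key-search machine: what it cost and which keyspace it exhausts."""
    name: str
    cost_usd: int
    key_bits: int


# Figures as quoted by Bellovin in the thread: $250,000 for a 56-bit cipher.
DEEP_CRACK = Cracker(name="Deep Crack", cost_usd=250_000, key_bits=56)


def effective_bits(key_bits: int, bits_recoverable_by_attacker: int) -> int:
    """Key bits an attacker must still search after recovering some by other means.

    For the Lotus Notes export build described by Kaufman, the 'other means'
    is decrypting the 24-bit escrow field with the NSA private key; for every
    other attacker it is 0 bits, so they face the full 64-bit keyspace.
    """
    if not 0 <= bits_recoverable_by_attacker <= key_bits:
        raise ValueError("recoverable bits must lie between 0 and key_bits")
    return key_bits - bits_recoverable_by_attacker


def work_ratio(target_bits: int, baseline_bits: int) -> Fraction:
    """Exhaustive-search work for target_bits relative to baseline_bits.

    Each extra key bit doubles the keyspace, so the ratio is 2**(difference).
    A Fraction keeps the ratio exact when the target key is the smaller one.
    """
    diff = target_bits - baseline_bits
    return Fraction(2 ** diff) if diff >= 0 else Fraction(1, 2 ** -diff)


def scale_cost(cracker: Cracker, target_bits: int) -> Fraction:
    """Cost of enough copies of `cracker` to search target_bits in the same time.

    This is Bellovin's argument: a 64-bit cipher needs 2**8 = 256 Deep Cracks.
    The model assumes cost grows linearly with parallel hardware and ignores
    economies of scale and faster parts, both of which only lower the figure.
    """
    return cracker.cost_usd * work_ratio(target_bits, cracker.key_bits)


def scale_time(hours_for_baseline: float, baseline_bits: int, target_bits: int) -> float:
    """Hours the same machine needs for target_bits, given its time for baseline_bits."""
    return hours_for_baseline * float(work_ratio(target_bits, baseline_bits))


def escrow_workfactors(key_bits: int, escrowed_bits: int) -> dict:
    """Effective search size faced by each party under partial key escrow."""
    return {
        "escrow holder": effective_bits(key_bits, escrowed_bits),
        "other attacker": effective_bits(key_bits, 0),
    }


if __name__ == "__main__":
    # Lotus Notes export build as Kaufman describes it: 64-bit keys with 24
    # bits encrypted under the NSA public key.
    print("Lotus Notes export:", escrow_workfactors(key_bits=64, escrowed_bits=24))
    # Bellovin's math: Deep Crack scaled up to a 64-bit cipher at the same speed.
    print("64-bit cipher at Deep Crack speed: $%s" % scale_cost(DEEP_CRACK, 64))
    # Same hardware, longer run; the 56-hour baseline is a constructed value.
    print("Same machine, 64-bit key: %.0f hours" % scale_time(56.0, 56, 64))
    # How much easier the escrow holder's 40-bit search is than the full 64 bits.
    print("40-bit vs 64-bit search: 1/%d of the work" % work_ratio(40, 64).denominator)
```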