Cryptography-Digest Digest #583
Cryptography-Digest Digest #583, Volume #14      Sun, 10 Jun 01 23:13:01 EDT

Contents:
  Re: Hehehe I found out who David Scott is ("Boyd Roberts")
  Re: cubing modulo 2^w - 1 as a design primitive? (Boris Kazak)
  Re: National Security Nightmare? ("Boyd Roberts")
  Re: National Security Nightmare? ([EMAIL PROTECTED])
  Re: National Security Nightmare? ("Boyd Roberts")
  Re: Uniciyt distance and compression for AES ("Boyd Roberts")
  Re: Alice and Bob Speak MooJoo ("Douglas A. Gwyn")
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, and ("Douglas A. Gwyn")
  Re: Alice and Bob Speak MooJoo ("Boyd Roberts")
  Re: Alice and Bob Speak MooJoo ("Boyd Roberts")
  Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY LONG (John Savard)
  Re: cubing modulo 2^w - 1 as a design primitive? ("Tom St Denis")
  Re: National Security Nightmare? (JPeschel)
  Re: National Security Nightmare? ("Tom St Denis")
  Re: National Security Nightmare? (JPeschel)
  Re: Uniciyt distance and compression for AES ("Tom St Denis")
  Re: National Security Nightmare? ([EMAIL PROTECTED])
  Re: National Security Nightmare? (JPeschel)
  Re: National Security Nightmare? ("Boyd Roberts")
  Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY LONG (SCOTT19U.ZIP_GUY)
  Re: National Security Nightmare? (JPeschel)

From: "Boyd Roberts" <[EMAIL PROTECTED]>
Subject: Re: Hehehe I found out who David Scott is
Date: Mon, 11 Jun 2001 01:51:38 +0200

well after not reading the group for about two years the french expression:

    plus ça change, plus la même chose

springs to mind.

same slaughtering of the english language complete with the
obligatory set of 6 steak knives... oops, no, i mean scott.zip
'encryption'.

what a package. free at sci.crypt or an ftp site near you.

--

From: Boris Kazak <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: cubing modulo 2^w - 1 as a design primitive?
Date: Sun, 10 Jun 2001 23:57:20 GMT

Tom St Denis wrote:
> I thought if p is your modulus, the order is at most a multiple of p-1?
>
> How do you explain it being a bijection for p=255?
>
> Tom
===
Cubing (and modular multiplication in general) can be a bijection
when the multiplier and the modulus are mutually prime. In this case
the multiplicative inverse exists, and the operation can be reversed.

In case of a composite modulus (e.g. 255) the multiplicative inverses
do not exist for numbers that have common factors with the modulus.

So, for example 31^3 mod 255 will be a bijection, but 30^3 mod 255
will not, because 30 does not have a multiplicative inverse mod 255.

Best wishes
BNK

--

From: "Boyd Roberts" <[EMAIL PROTECTED]>
Subject: Re: National Security Nightmare?
Date: Mon, 11 Jun 2001 02:18:36 +0200

"Tom St Denis" <[EMAIL PROTECTED]> wrote in message news: is8U6.60161$[EMAIL PROTECTED]
>
> So it is in fact "A plethora of people is here" since it's only one
> plethora?

the word 'people' forces you to use 'are'.

--

Subject: Re: National Security Nightmare?
From: [EMAIL PROTECTED]
Date: 10 Jun 2001 20:27:24 -0400

"Boyd Roberts" <[EMAIL PROTECTED]> writes:
> "Tom St Denis" wrote:
>>
>> So it is in fact "A plethora of people is here" since it's only one
>> plethora?
>
> the word 'people' forces you to use 'are'.

Incorrect.

``A plethora is here.''
``Really? What sort of plethora?''
``A plethora of people.''

Len.

--
> We [hackesses] about our lives like most human beings, maybe even
> a little better.
Or in your case, a little dumber.
 -- Phrack Magazine

--

From: "Boyd Roberts" <[EMAIL PROTECTED]>
Subject: Re: National Security Nightmare?
Date: Mon, 11 Jun 2001 02:29:30 +0200

"JPeschel" <[EMAIL PROTECTED]> wrote in message news: [EMAIL PROTECTED]
> Nope, if you want to use the passive voice, the verb should be "is."

the passive is used to indicate an event but not who did it:

    s/he got flamed

it uses the past participle, and is not influenced by the verb.

> Here is a
> way you can see that for yourself. Open MS-Word, or any word processor that can
> check formal English
> grammar. Make sure the options are set to check formal English. Now type:
> "A bunch of nuts are claiming it means one thing." Word will suggest: "A bunch
> of nuts is" o
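
The question raised in the "cubing modulo 2^w - 1" thread of this digest, namely when x -> x^3 mod n is a bijection, can be checked directly. The Python below is an added example, not part of any post; its function names are hypothetical. It compares a brute-force test with the standard criterion (n squarefree and 3 not dividing p-1 for every prime p dividing n), and separately checks multiplication by a constant, which is a bijection exactly when the constant is coprime to the modulus.

```python
from math import gcd

def factorize(n):
    """Trial division; adequate for the moduli 2^w - 1 used below."""
    factors, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1 if p == 2 else 2
    if n > 1:
        factors[n] = 1
    return factors

def is_bijection(f, n):
    """Brute force: does x -> f(x) mod n hit every residue exactly once?"""
    return len({f(x) % n for x in range(n)}) == n

def cubing_permutes(n):
    """Criterion from the CRT: cubing permutes Z_n iff n is squarefree
    and gcd(3, p - 1) == 1 for every prime p dividing n."""
    return all(e == 1 and (p - 1) % 3 != 0
               for p, e in factorize(n).items())

def cube_root_exponent(n):
    """Exponent d with (x^3)^d == x (mod n) for every x, when cubing permutes Z_n."""
    if not cubing_permutes(n):
        raise ValueError("cubing is not a bijection modulo %d" % n)
    lam = 1
    for p in factorize(n):
        lam = lam * (p - 1) // gcd(lam, p - 1)   # lcm of all p - 1
    return pow(3, -1, lam) if lam > 1 else 1

def multiplication_permutes(c, n):
    """x -> c*x mod n is a bijection exactly when gcd(c, n) == 1."""
    return gcd(c, n) == 1

if __name__ == "__main__":
    for w in list(range(2, 13)) + [16, 32, 64]:
        n = 2 ** w - 1
        print("w=%2d  n=2^w-1  factors=%s  cubing bijective: %s"
              % (w, sorted(factorize(n).items()), cubing_permutes(n)))
    d = cube_root_exponent(255)
    print("cube-root exponent mod 255:", d)
    print("x -> 31*x mod 255 bijective:", multiplication_permutes(31, 255))
    print("x -> 30*x mod 255 bijective:", multiplication_permutes(30, 255))
```

For word sizes 8, 16 and 32 the criterion holds; for 2^64 - 1 it fails, because the prime factor 6700417 has p - 1 divisible by 3.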
Cryptography-Digest Digest #583, Volume #13      Sun, 28 Jan 01 23:13:01 EST

Contents:
  Re: Dynamic Transposition Revisited (long) (Mok-Kong Shen)
  Re: proving x^ed mod n = x ([EMAIL PROTECTED])
  Re: William's P+1 ("Michael Scott")
  Re: Why Microsoft's Product Activation Stinks (Matthew Montchalin)
  Re: Why Microsoft's Product Activation Stinks (Matthew Montchalin)
  Re: finding inverses and factoring (Paul Crowley)
  Re: Why Microsoft's Product Activation Stinks (Bill Unruh)
  Re: Cryptographic Windows APIs or OCX? (David Hopwood)
  Re: Mr Szopa's encryption (was Why Microsoft's Product Activation Stinks) (Taneli Huuskonen)
  Re: Primality Test ("Matt Timmermans")
  Re: Primality Test ("Matt Timmermans")
  Re: "Enigma" at Sundance (John Savard)

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Dynamic Transposition Revisited (long)
Date: Sun, 28 Jan 2001 23:50:48 +0100

Terry Ritter wrote:
>
> Mok-Kong Shen<[EMAIL PROTECTED]> wrote:
>
> >Terry Ritter wrote:
> >>
> >> Mok-Kong Shen<[EMAIL PROTECTED]> wrote:
> >>
> >> >[...]
> >> >I suppose you have a different and problematical concept
> >> >of the (THEORETICAL) OTP. The bit sequence of OTP is by
> >> >definition/assumption unpredictable. If a 'claimed' OTP
> >> >uses a predictable bit sequence and consequently is weak
> >> >as you said, then it is by definition NOT an OTP, though
> >> >snake-oil peddlers used to call that OTP.
> >>
> >> OK, then, in practice, there can be no OTP at all, since, in general,
> >> it will be impossible to prove in practice that any bit sequence
> >> actually is unpredictable.
> >>
> >> Clearly we can't compare a cipher which is designed to work in
> >> practice to one which cannot. Yet that was exactly what you tried to
> >> do.
> >
> >The last sentence is FALSE.
>
> Really?
>
> From: Mok-Kong Shen <[EMAIL PROTECTED]>
> Newsgroups: sci.crypt
> Subject: Re: Dynamic Transposition Revisited (long)
> Date: Fri, 26 Jan 2001 23:26:55 +0100
> Message-ID: <[EMAIL PROTECTED]>
>
> "But the point is whether your DT is on a par with the
> theoretical OTP or perhaps better than it. So it is a
> 'theoretical' question, not a technical question."
>
> >It was you who made a comparison
> >of your DT with the OTP and claimed even superiority over
> >it.
>
> From the "Revisited" article:
>
> "When every plaintext block is exactly bit-balanced, any
> possible plaintext block is some valid bit-permutation of
> any ciphertext block. So, even if an opponent could
> exhaustively un-permute a ciphertext block, the result
> would just be every possible plaintext block. No particular
> plaintext block could be distinguished as the source of the
> ciphertext. This is a form of balanced, nonlinear combining
> of the confusion sequence and data block: as such, it is
> related to XOR, Latin squares, Shannon "perfect secrecy,"
> and the one-time-pad (OTP).
>
> "The inability to distinguish a particular plaintext, even
> when every possibility is tried, is basically the advantage
> claimed for the OTP. It is also an advantage which the OTP
> cannot justify in practice unless we can prove that the OTP
> keying sequence is unpredictable, which generally cannot be
> done. That makes the practical OTP exceedingly "brittle":
> if the opponents ever do gain the ability to predict the
> sequence, they may be able to attack many messages, both
> future and past. That would occur in the context of a
> system supposedly "proven" secure; as usual, the user would
> have no indication of security failure.
>
> "Dynamic Transposition does not need the assumption of
> sequence unpredictability, because the sequence is hidden
> behind a multitude of different sequences and permutations
> which all produce the same result. And if the sequence
> itself cannot be exposed, exploiting any predictability in
> the sequence will be difficult. (This of course does not
> mean that Dynamic Transposition cannot be attacked:
> Brute-force attacks on the keys are still imaginable, which
> is a good reason to use large random message keys.)"
>
> So exactly what about "an advantage which the OTP cannot justify in
> practice" do you not understand?

I was referring to your claim in the 'original' thread of
DT where you claimed superiority of DT over OTP. Apparently
you have forgotten what you
Cryptography-Digest Digest #583, Volume #12      Thu, 31 Aug 00 22:13:01 EDT

Contents:
  Post-ADK bug blues ("A. Melon")
  Re: QKD and The Space Shuttle (wtshaw)
  Re: Remark on practical predictability of sequences (Mok-Kong Shen)
  Re: QKD and The Space Shuttle (Brian Thorn)
  Re: more on that neat prime generator ([EMAIL PROTECTED])
  Re: one-time pad question (Mr. Ian E. Yolk)
  Re: an attack for stream ciphers ([EMAIL PROTECTED])
  Re: an attack for stream ciphers ([EMAIL PROTECTED])
  Re: QKD and The Space Shuttle (Markus Mehring)
  Re: blowfish problem ("Kelsey Bjarnason")
  Re: blowfish problem ("Bruce G. Stewart")
  Re: blowfish problem (Kaz Kylheku)
  test (Jim Walsh)
  Re: QKD and The Space Shuttle (John Savard)
  Re: QKD and The Space Shuttle (John Savard)

Date: Thu, 31 Aug 2000 14:12:19 -0700
From: "A. Melon" <[EMAIL PROTECTED]>
Subject: Post-ADK bug blues

The discovery that Mallory can tamper with PGP v4 self-signatures
to insert ADK's and thus trick certain newer versions of PGP into
giving the session key to Mallory is pretty upsetting, especially
in view of the fact that (1) GnuPG uses the v4 format (even though
it isn't vulnerable to ADK's itself, Mallory can still tamper with
keys generated by GnuPG to trick PGP users of the key), and (2) the
other family of freeware public key systems, namely Pegwit and its
derivatives (Pegwit-W and CryptoKong), has also bit the dust.

It appears that if you want a general PC cryptosystem that can
generate a public key that is secure, we are stuck with the ADK-free
PGP v3 signature format, which means using software from the PGP v2.6
stable and its derivatives.

However, PGP 2.6.3i (the most popular in this category, especially
after the RSA patent expires and Americans can start using it legally)
is not without its problems. Ideally, I would like a system where the
public key is at least as secure as the 128-bit symmetric session key,
which is not the case when you are limited to 2048-bit RSA. Likewise,
the hash function ought to achieve that level of security too,
especially if you plan to use the cryptosystem for clearsigs - but MD5
comes up short in this regard.

My question is: what is the best software option for minimizing these
shortcomings? I know the Cyber-Knights Templar have come up with a
derivative of PGP 2.6 that allows bigger RSA key sizes. Likewise, the
pgpi.org page has links to a variant called Even-Better Privacy v2.7,
that allows one to substitute HAVAL for MD5 as the hash function.
Unfortunately, there doesn't seem to be a PGP 2.6 variant that does
both, and I have no idea how trustworthy either the CKT or EBP software
is.

Has anyone taken a careful look at these PGP v2.6 variants? And
assuming that they are both trustworthy, which is the lesser of two
evils - MD5+big RSA keys, or HAVAL+2048-bit RSA? Or is there some other
software I'm overlooking?

Maybe these "evils" aren't really that much of a problem in practical
terms, but a lot of people said the same thing about using the v4
signature format too. In this business, one can't be too paranoid.

--

From: [EMAIL PROTECTED] (wtshaw)
Crossposted-To: sci.space.shuttle,talk.politics.crypto
Subject: Re: QKD and The Space Shuttle
Date: Thu, 31 Aug 2000 14:59:47 -0600

In article <[EMAIL PROTECTED]>, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:

> David A Molnar wrote:
> >
> > [snip]
> > The problem with all of these protocols is that if an adversary can
> > replace the random beacon with his own source, all bets are off.
> > So some people would *like* to see a satellite in the sky broadcasting
> > random bits to the world. There will still be issues with ground-side
> > jamming and with authentication of the satellite, though, which are
> > not yet fully ironed out (at least not that I've seen).
>
> Isn't the trouble in principle the same with certification
> where one needs some trust/belief on a third party, in
> other words there is some non-objectivity that can NEVER
> be entirely disposed of?
>
> M. K. Shen

Yes, just when are you ready to trust imperfect strangers whose interests
are likely to be viewed by them as superior to your own. All the propaganda
to the contrary is the real snake oil.

--
A Pangram: Fast girls show jugs to vex quizical boys, plus mankind.

--

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Remark on practical predictability of sequences
Date: Fri, 01 Sep 2000 00:01:31 +0200

"John A. Malley" wrote:
>
> Does enciphering the output of a fast and predictable PRNG always
> generate an unpredictable output sequence if the applied cipher is
> secure? A draft paper considering a specific example is no
Cryptography-Digest Digest #583, Volume #11      Thu, 20 Apr 00 06:13:00 EDT

Contents:
  Help With PGP's Newest TLS/SSL toolkit for linux. ("Jeff Hamilton")
  Review of CryptoBag (Tom St Denis)
  Re: Q: NTRU's encryption algorithm (David A Molnar)
  Re: Text File Encryption ("Joseph Ashwood")
  Re: GSM Man-in-the-Middle (David Hopwood)
  Re: password generator ("Trevor L. Jackson, III")
  Re: password generator (Tom St Denis)
  Re: diff between Symetric and Asymetric Keys (JPeschel)
  Re: Q: NTRU's encryption algorithm (Diet NSA)
  Re: OAP-L3: Semester 1 / Class #1 All are invited. (Anthony Stephen Szopa)

From: "Jeff Hamilton" <[EMAIL PROTECTED]>
Subject: Help With PGP's Newest TLS/SSL toolkit for linux.
Date: Wed, 19 Apr 2000 17:23:38 -0700

Has anyone had much luck developing with PGP's Newest TLS/SSL toolkit?
I received a trial version for developers but it is not intuitive to say
the least. Also, they said it performs RSA Key-Gen and Verification, and I
see RSA referenced in the lib functions but I can't implement them.

If you have worked with it please let me know. I'm simply trying to create
either a Key-Gen Function or have a simple SSL client to make a connection
and verify a cert.

Thanks,
Jeff

--

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Review of CryptoBag
Date: Thu, 20 Apr 2000 00:42:42 GMT

I was wondering if some of the people who downloaded CryptoBag could
post a short reply to this message about their impressions? I need
some references that I could use in an introductory letter for
university.

Generally what did you think of my coding style, and efficiency,
practicality.

Thanks,
Tom

--

From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: Q: NTRU's encryption algorithm
Date: 20 Apr 2000 00:40:00 GMT

David Hopwood <[EMAIL PROTECTED]> wrote:
> I don't remember the discussion a few months ago, but I'm extremely
> skeptical of any claim that lattice-based cryptosystems are necessarily
> secure against quantum computers.

As I understand it, the reasoning goes like this :

* The closest vector problem (CVP) is NP-hard for exact answers, and
  for constant approximation factors (not sure what the sharpest
  factor is, exactly).

* There are results which show that Grover's algorithm on a quantum
  computer, with its sqrt(n) speedup, is optimal in the model of
  computation where all you can do is check to see if you have the
  right answer. Put another way, if you're not allowed to look at any
  "extra structure" beyond the fact that the problem is in NP, then
  you can only get sqrt(n) speedup over a classical computer. Yet
  another way of saying it might be that there is no "generic" quantum
  algorithm which can solve every problem in NP in polynomial time.
  I can't remember the references now, but I think there's a paper due
  to Jozsa in the lanl archives on the subject.

* This seems to support a conjecture that BQP != NP -- that is, the
  class of languages decidable in a polynomial number of measurements
  on a quantum computer isn't the same as NP. It's not conclusive,
  because it could still be the case that every NP problem has a
  separate fast quantum algorithm tailor made for it. In fact, we know
  of at least two NP problems which _do_ have separate fast quantum
  algorithms tailor made for them -- factoring and discrete logarithms.
  Unfortunately.

* If you could solve the Closest Vector Problem exactly using a fast
  quantum algorithm, then you can solve for everything in NP. This
  would imply that BQP \superseteq NP, contrary to the conjecture above.

* Therefore, a "lattice based cryptosystem" which relies on the CVP
  probably doesn't have a fast quantum algorithm, right??

* Except one or two things :

  - It's not clear to me if a fast quantum algorithm for CVP would
    contradict the optimality results on Grover's algorithm. Why?
    Because the algorithm + the reduction from each problem to SVP
    would clearly use some special "structure" of the problem which I
    do not know to be covered by the optimality results. Then again,
    I have _not_ made any kind of comprehensive study on these results.
    I just read over a paper or two last year which mentioned this...
    There may be other reasons to believe BQP != NP.

  - Solving the SVP exactly is NP-hard. Solving the CVP to within an
    error factor of O(2^n) is doable in polytime by the LLL basis reduct
Cryptography-Digest Digest #583, Volume #10      Wed, 17 Nov 99 18:13:03 EST

Contents:
  Re: AES cyphers leak information like sieves ("Douglas T. Yoest")
  Re: AES cyphers leak information like sieves (SCOTT19U.ZIP_GUY)
  Re: ATTN Scott Nelson (Scott Nelson)
  Re: weak ciphers and their usage ("Gary")
  Re: AES cyphers leak information like sieves (SCOTT19U.ZIP_GUY)
  Re: AES cyphers leak information like sieves (SCOTT19U.ZIP_GUY)
  Re: NSA should do a cryptoanalysis of AES (albert)
  Serpent speeds tested (albert)
  Weak keys in Rijndael? What happened to that? (albert)
  What part of 'You need the key to know' don't you people get? (Tom St Denis)

Date: Wed, 17 Nov 1999 15:38:29 -0800
From: "Douglas T. Yoest" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: AES cyphers leak information like sieves

Not everyone is only interested in cryptography for the internet. While
global, it's very narrowing.

Doug

"SCOTT19U.ZIP_GUY" wrote:

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
>DJohn37050 <[EMAIL PROTECTED]> wrote:
>
>: This is known as the self-synchronizing property of CBC mode. You only lose 2
>: blocks due to a bit flip. Check it out if you do not believe it.
>
>OK, then - I'll look it up.

It is well known back in the morsecode days one needed a way to get
back in synch. Today it is called error correcting and all the 3 letter
ways of chaining have this "feature" but the only people who can really
use the feature today are those breaking codes. The system protocol of
the internet should keep your messages intact. It is foolish in today's
world to have these features part of encryption. The only reason it is
still there is inertia of the public crypto community and the fact the
NSA likes people to use these old ways of chaining blocks.

David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website NOT FOR WIMPS
http://members.xoom.com/ecil/index.htm
Scott rejected paper for the ACM
http://members.xoom.com/ecil/dspaper.htm
Scott famous Compression Page WIMPS allowed
http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMERS***

--

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: AES cyphers leak information like sieves
Date: Wed, 17 Nov 1999 21:47:49 GMT

In article <[EMAIL PROTECTED]>, Volker Hetzer <[EMAIL PROTECTED]> wrote:
>SCOTT19U.ZIP_GUY wrote:
>> True but the purpose of some encryption is to make the data as hard as
>> possible for the attacker to recover. So you can add security by hiding the
>> information through out the whole file.
>How much security do you gain over a bidirectional CBC with a cipher of
>a blocksize of 128 bit?
>How much over a normal CBC with a cipher of a blocksize of 128 bit?
>
>The fact that in case of modifications not everything decrypts to garbage
>is no problem at all as long as a hash is included in the plaintext.
>
>> Standard 3 letter chaining methods
>> give a false sense of security by giving the illusion of hiding data through
>> out the whole file.
>They don't give a false sense of security and no illusion either. They just
>exist and have properties that are easy to see for everyone.
>
>> As my procedure shows. When you edit a file that uses block encryption
>> with standard 3 letter chaining even if you do several passes of CBC when
>> you decrypt the modified file only a small set of blocks come back with
>> errors.
>What's the point?
>The modes are there to hide plaintext patterns and to prevent dictionary
>attacks. They do exactly that.
>

The point is they do not spread information through the file so that
a code breaker needs to only analyze a small fragment of the file. If one
wants true security one should have the option of using chaining that
does not mod the file length and does spread information through the file.
Of course you're happy with the status quo and may the NSA bless you for
your weak sighted beliefs.

David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website NOT FOR WIMPS
http://members.xoom.com/ecil/index.htm
Scott rejected paper for the ACM
http://members.xoom.com/ecil/dspaper.htm
Scott famous Compression Page WIMPS allowed
http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMERS***

--

From: [EMAIL PROTECTED] (Scott
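
The CBC behaviour argued over in this digest (a flipped ciphertext bit damages only two plaintext blocks, and a hash carried in the plaintext exposes the change) can be reproduced with the Python below. It is an added example, not code from any poster. The block cipher is a toy four-round Feistel construction built on SHA-256, an assumption standing in for a real 128-bit cipher, and the key, IV and message are constructed sample values.

```python
import hashlib
import hmac

BLOCK = 16  # bytes: the 128-bit block size mentioned in the thread

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def round_fn(key, rnd, half):
    # Round function of the toy cipher (assumption, not a real cipher).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def enc_block(key, blk):
    left, right = blk[:8], blk[8:]
    for rnd in range(4):
        left, right = right, xor_bytes(left, round_fn(key, rnd, right))
    return left + right

def dec_block(key, blk):
    left, right = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        left, right = xor_bytes(right, round_fn(key, rnd, left)), left
    return left + right

def cbc_encrypt(key, iv, pt):
    if len(pt) % BLOCK:
        raise ValueError("plaintext must be a whole number of blocks")
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = enc_block(key, xor_bytes(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        cur = ct[i:i + BLOCK]
        out.append(xor_bytes(dec_block(key, cur), prev))
        prev = cur
    return b"".join(out)

def flip_bit(data, bit):
    buf = bytearray(data)
    buf[bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)

def damaged_blocks(original, recovered):
    """Indices of the plaintext blocks that no longer match."""
    return [i // BLOCK for i in range(0, len(original), BLOCK)
            if original[i:i + BLOCK] != recovered[i:i + BLOCK]]

def seal(key, iv, msg):
    """Hash included in the plaintext: encrypt msg || SHA-256(msg)."""
    return cbc_encrypt(key, iv, msg + hashlib.sha256(msg).digest())

def open_sealed(key, iv, ct):
    """Return the message, or None when the embedded hash does not match."""
    pt = cbc_decrypt(key, iv, ct)
    msg, digest = pt[:-32], pt[-32:]
    ok = hmac.compare_digest(hashlib.sha256(msg).digest(), digest)
    return msg if ok else None

# Constructed sample values.
KEY = b"constructed-key!"
IV = bytes(range(16))
MSG = b"".join(f"block-{i:02d}-data...".encode() for i in range(8))

if __name__ == "__main__":
    ct = cbc_encrypt(KEY, IV, MSG)
    bad = cbc_decrypt(KEY, IV, flip_bit(ct, 3 * 128 + 5))
    print("damaged plaintext blocks:", damaged_blocks(MSG, bad))
    print("block 3 after tampering :", bad[48:64])
    print("block 4 after tampering :", bad[64:80])
    tampered = flip_bit(seal(KEY, IV, MSG), 3 * 128 + 5)
    print("hash check on tampered  :", open_sealed(KEY, IV, tampered))
```

Block 3 decrypts to unrelated bytes and block 4 differs from the original in exactly the flipped bit position. In current practice the integrity check is done with a MAC or an authenticated encryption mode rather than a bare hash inside the plaintext.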
Cryptography-Digest Digest #583, Volume #9      Sun, 23 May 99 11:13:02 EDT

Contents:
  Re-post (Off Topic) ("rosi")
  Data dependant bit permutation ([EMAIL PROTECTED])
  Re: HushMail -- Free Secure Email
  Re: HushMail -- Free Secure Email
  Re: HushMail -- Free Secure Email (John Kennedy)
  Re: Biprime Cryptography, Part II (wtshaw)
  ASDIC ("Skint")
  Re: ASDIC ("Åke Hellgren")
  Re: Cryptonomicon Review (David Wadsworth)
  SV: Europe and USA encryption export restrictions ("Claes & Gunn Irene")
  Re: HushMail -- Free Secure Email (David Crick)
  SV: Oh! Before I get some sleep is DES international yet? ("Claes & Gunn Irene")
  Re: HushMail -- Free Secure Email (John Kennedy)
  Can I have some opinions please? (Pwrk)
  Re: HushMail -- Free Secure Email
  Re: HushMail -- Free Secure Email

From: "rosi" <[EMAIL PROTECTED]>
Subject: Re-post (Off Topic)
Date: Sat, 22 May 1999 17:50:14 -0400

Sorry to post here (again). However, some people might be interested
or know people who might.

I am offering my cryptographic invention for 'free', i.e. If you are
interested in paying for the filing and maintenance in exchange for the
exclusive patent rights, please go to the news group alt.inventors and
look for a thread, subject titled:

    Cryptographic Invention

Sorry for any inconvenience this causes.

--- (My Signature)

P.S. Last I checked the previous post could be seen but now I can't.
Sorry to waste the bandwidth. I always seem to have problems to have my
server working right.

--

From: [EMAIL PROTECTED]
Subject: Data dependant bit permutation
Date: Sun, 23 May 1999 01:55:45 GMT

I found in ICE a keyed bit-permutation which is quite interesting to
look at. It doesn't however deter differential analysis well. Are there
any data-dependant bit permutations of the same genre out there?

Tom
--
PGP public keys. SPARE key is for daily work, WORK key is for
published work. The spare is at
'http://members.tripod.com/~tomstdenis/key_s.pgp'. Work key is at
'http://members.tripod.com/~tomstdenis/key.pgp'. Try SPARE first!

--== Sent via Deja.com http://www.deja.com/ ==--
---Share what you know. Learn what you don't.---

--

From: [EMAIL PROTECTED] ()
Subject: Re: HushMail -- Free Secure Email
Date: 23 May 99 03:10:44 GMT

[EMAIL PROTECTED] wrote:
: Other than that, it is of great importance (and the only real way of
: being sure that hushmail is what it's pretending to be) that their
: source is analysed COMPLETELY.

I could be worrying needlessly, but of course it's just as important to
compare the object code against the source, to ensure they match.

That it doesn't let me download first, and install (maybe after upgrading
my browser later) later, completely off-line, is worrisome.

This doesn't prove there's anything wrong, but obviously it will provoke
some concern. And compiling a list of the E-mail addresses of people
interested in encrypting their communications...

John Savard

--

From: [EMAIL PROTECTED] ()
Subject: Re: HushMail -- Free Secure Email
Date: 23 May 99 03:15:17 GMT

Roger Schlafly ([EMAIL PROTECTED]) wrote:
: Terry Ritter wrote in message <[EMAIL PROTECTED]>...
: >But even if not, if the code was developed outside the US, how is
: >*importing* it a problem?

: I don't know. If circumventing the US export laws were that simple,
: Microsoft and others would use a foreign unit to develop outside the
: US.

Well, Sun does do something like that.

Essentially, the export laws prohibit a U.S. resident or citizen from

- exporting cryptographic software,
- writing such software while abroad,
- directly assisting people abroad who are writing such software,
- having foreign employees write such software abroad.

But they *can* purchase encryption software from a foreign firm, whether
it is off-the-shelf, or _custom-designed to their specifications_. That
is the only "loophole" in the export laws as they now stand, and it takes
good legal advice to walk through it.

John Savard

--

From: [EMAIL PROTECTED] (John Kennedy)
Subject: Re: HushMail -- Free Secure Email
Reply-To: [EMAIL PROTECTED]
Date: Sun, 23 May 1999 04:22:01 GMT

On Sat, 22 May 1999 11:18:07 +0100, David Crick
<[EMAIL PROTECTED]> wrote:

>Total security would also require users to be running 128-bit crypto
>browsers, something which isn't clearly stated on the web site.
>
>public/private keys are stored on their server, encrypted with Blowfish.
>
>Assuming this isn't some Three Letter Agency scam (*g*), they appear
>to have reproduced the nym system, but without the remailing.

Assuming the source code checks out