hyatt@dewey.udel.edu (Glenn Hyatt) (03/06/86)
A recent article in Information Week recounted efforts by the NSA to bully ANSI into voting against the adoption of the Data Encryption Standard (DES) by the ISO as an international encryption standard. The NSA has trouble decrypting intercepted communications that are thus encrypted, and anticipates greatly increased traffic of this sort if DES becomes an international standard. Corporate members of the affected ANSI committee (notably, IBM) strongly supported the adoption of DES. The Defense Department (apparently in the interest of the NSA) argued that DES is a militarily-useful "item" and as such is subject to export restrcition. This is ludicrous on the face of it, but it raised a couple of copyright questions on my mind: o Correct me if I'm wrong, but an algorithm isn't copyrightable is it? o If I am wrong, isn't "the" DES algorithm in the public domain? o If I'm right, can something uncopyright-able to be considered in the public domain, or is the concept of public domain inapplicable? o Does the "public domain" extend to the public of other countries?
ron@BRL.ARPA (Ron Natalie) (03/06/86)
I find this whole story interesting since NSA has found DES sufficiently vulnerable that it won't allow it's use for any privacy purposes, including routine encryption of non-classified but private defense information (DES was planned to be approved for classified encryption). -Ron
willis@rand-unix.arpa (Willis Ware) (03/07/86)
I imagine that you would find that the algorithm question per se is irrelevant. The export restrictions would be applied to the devices (i.e., equipments) that contain the DES algorithm, or possibly to chips which contained the DES algorithm. willis h. ware
chongo@decwrl.dec.com (03/12/86)
In article <8603061745.AA03046@ucbvax.berkeley.edu> hyatt@UDEL-DEWEY.ARPA (Glenn Hyatt) writes: >The NSA has trouble decrypting intercepted communications that are >thus encrypted, and anticipates greatly increased traffic of this >sort if DES becomes an international standard. First allow me to introduce one view of 'DES history': Actually the trend on DES has been towards it being LESS secure. Several advances in the area of DES-like functions have shown that DES contains some disturbing properties. While direct proof is still lacking, indications suggest that DES has flaws. When DES came out, people claimed that the IBM was pressured by the NSA to reduce the Cypher size and add a few funny 'S-boxes'. It was claimed that the modification by the NSA was done to introduce a 'backdoor' into DES. Knowing this 'backdoor' would allow someone to decrypt DES with ease. It has been shown that one should be able to construct DES-like systems that have 'backdoors'. Furthermore, one can make the discovery of the 'backdoor' without knowledge of the creation process would be VERY hard. The NSA has never made any useful comments on the ideas behind DES. Question: If the above were true, and someone were to find the 'trapdoor' and publish it, damages could result. Could the person who found/published the flaw be held accountable for the damage? Would the person be viewed as saving the world from other folks who were already exploiting the 'trapdoor'? Consider the same question if were proven that the DES created to with flaws in mind. Now for a bit of post-DES trends: Current ideas on the books include the production and license of a chip or black-box that performeds encryption/decryption. The package would be placed inside a package in such a way as to make in very hard to open it up and look inside. Even if one were to snatch the algorithm, publication/disclosure of it would be in violation of the trade secret since only people who were thusly licenced could obtain the chip. (kinda like Un*x licendes) Worse yet, only special keys/codes can be used with the chip. One would have to obtain your own keys from the chip supplier. The claim will be that restriction of the internals of the black-box would make it harder for someone to discover a security hole. Keys must be obtained so as to not reveal the encryption algorithm. One could obtain enough keys, and in such a fashion so as to make it 'hard' to trace who got what key. But who would validate the chip makers and set up the key production systems? The NSA. Now that takes gaul! chongo <this article is dedicated to the folks at arrowwon.UUCP> /\oo/\
rhorn@infinet.UUCP (Rob Horn) (03/12/86)
< just in case >
The export restrictions are a fully separate law from the patent and
copyright laws. I believe that you will find that something can be illegal
to export and be neither patentable nor copyrightable. The origin is
an "aid to the enemy" type thinking that *includes* algorithms or
information that can be used to create devices of military importance
(e.g. crypotographic machines). "Public domain" is just a patent and
copyright notion.
--
R Horn
UUCP: ...{decvax, seismo!harvard}!wanginst!infinet!rhornkludge@gitpyr.UUCP (Scott Dorsey) (03/13/86)
In article <1590@brl-smoke.ARPA> hyatt@dewey.udel.edu (Glenn Hyatt) writes: >The Defense Department (apparently in the interest of the NSA) argued >that DES is a militarily-useful "item" and as such is subject to >export restrcition. This is ludicrous on the face of it, but it >raised a couple of copyright questions on my mind: Not long ago, I bought an HP 141 oscilloscope military surplus. Although the machine was last calibrated in 1961 (it is a 22 MHz scope that weighs over 200 lbs), it was on a 'military supplies list', and I was required to sign a form stating that I would not export it, or sell it to any firm engaged in exporting equipment outside the country (etc...). First of all, this just shows you the government's reliability in determining what is truly militarily useful, and also how crude the restrictions are. Not that a restriction on DES could ever be enforced, anyway. ------- Disclaimer: Everything I say is probably a trademark of someone. But don't worry, I probably don't know what I'm talking about. Scott Dorsey Kaptain_kludge ICS Programming Lab (Where old terminals go to die), Rich 110, Georgia Institute of Technology, Atlanta, Georgia 30332 ...!{akgua,allegra,amd,hplabs,ihnp4,seismo,ut-ngp}!gatech!gitpyr!kludge USnail: Box 36681, Atlanta GA. 30332 -- ------- Disclaimer: Everything I say is probably a trademark of someone. But don't worry, I probably don't know what I'm talking about. Scott Dorsey Kaptain_kludge ICS Programming Lab (Where old terminals go to die), Rich 110, Georgia Institute of Technology, Atlanta, Georgia 30332 ...!{akgua,allegra,amd,hplabs,ihnp4,seismo,ut-ngp}!gatech!gitpyr!kludge USnail: Box 36681, Atlanta GA. 30332
hyatt@dewey.udel.edu (Glenn Hyatt) (03/15/86)
I hadn't heard about DES' alleged trap door. It's interesting. I remain puzzled, though. If DES is such a breeze for the NSA to crack, why do they fight it so vigorously? My guess is that although they may have fairly easy ways to break it (especially the stream encryption), it still takes a great deal more in processing time to decrypt and read ciphertext than it takes just to read cleartext.
larry@kitty.UUCP (Larry Lippman) (03/16/86)
In article <1537@gitpyr.UUCP>, kludge@gitpyr.UUCP (Scott Dorsey) writes: > Not long ago, I bought an HP 141 oscilloscope military surplus. Although > the machine was last calibrated in 1961 (it is a 22 MHz scope that weighs > over 200 lbs), it was on a 'military supplies list', and I was required to > sign a form stating that I would not export it, or sell it to any firm > engaged in exporting equipment outside the country (etc...). First of all, > this just shows you the government's reliability in determining what is > truly militarily useful, and also how crude the restrictions are. Not that > a restriction on DES could ever be enforced, anyway. On the other hand, the military has been known to give away the store. A minor example from personal experience: In 1983, I purchased a microprocessor controlled search receiver on a sealed bid sale from the Defense Property Disposal Office at Brandywine, Maryland. With the receiver was a box with twenty pounds (really!) of manuals. After the receiver was delivered to me by a common carrier, I discovered that mixed in with the manuals were several sensitive documents from the late 70's (with classification stamps) pertaining to the "Empass Project" (collection of electromagnetic signatures) from the Naval Weapons Laboratory at Dahlgreen, Virginia [the existence and purpose of this project is not classified, otherwise I wouldn't mention it here]. Needless to say, I was rather shocked, so I called a friend of mine who works for the Navy and has a security clearance, and asked his advice as to what I should do. After kicking around the matter, I felt the best, least complicated course of action was for me to quietly destroy the documents; since my friend did not disagree with this suggestion, that is what I did. The moral of the story is: ANYTHING is possible with respect to security of militarily-useful data... ==> Larry Lippman @ Recognition Research Corp., Clarence, New York <== ==> UUCP {decvax|dual|rocksanne|rocksvax|watmath}!sunybcs!kitty!larry <== ==> VOICE 716/741-9185 {rice|shell}!baylor!/ <== ==> FAX 716/741-9635 {G1, G2, G3 modes} duke!ethos!/ <== ==> seismo!/ <== ==> "Have you hugged your cat today?" ihnp4!/ <==