hyatt@UDEL-DEWEY.ARPA (Glenn Hyatt) (03/06/86)
A recent article in Information Week recounted efforts by the NSA to bully ANSI into voting against the adoption of the Data Encryption Standard (DES) by the ISO as an international encryption standard. The NSA has trouble decrypting intercepted communications that are thus encrypted, and anticipates greatly increased traffic of this sort if DES becomes an international standard. Corporate members of the affected ANSI committee (notably, IBM) strongly supported the adoption of DES. The Defense Department (apparently in the interest of the NSA) argued that DES is a militarily-useful "item" and as such is subject to export restriction.

This is ludicrous on the face of it, but it raised a couple of copyright questions on my mind:

o Correct me if I'm wrong, but an algorithm isn't copyrightable, is it?
o If I am wrong, isn't "the" DES algorithm in the public domain?
o If I'm right, can something uncopyrightable be considered in the public domain, or is the concept of public domain inapplicable?
o Does the "public domain" extend to the public of other countries?
ron@BRL.ARPA (Ron Natalie) (03/06/86)
I find this whole story interesting since NSA has found DES sufficiently vulnerable that it won't allow its use for any privacy purposes, including routine encryption of non-classified but private defense information (DES was planned to be approved for classified encryption).

-Ron
willis@RAND-UNIX.ARPA (Willis Ware) (03/07/86)
I imagine that you would find that the algorithm question per se is irrelevant. The export restrictions would be applied to the devices (i.e., equipments) that contain the DES algorithm, or possibly to chips which contained the DES algorithm.

willis h. ware
chongo@NSC.UUCP (Landon Noll) (03/12/86)
In article <8603061745.AA03046@ucbvax.berkeley.edu> hyatt@UDEL-DEWEY.ARPA (Glenn Hyatt) writes:
>The NSA has trouble decrypting intercepted communications that are
>thus encrypted, and anticipates greatly increased traffic of this
>sort if DES becomes an international standard.

First allow me to introduce one view of 'DES history':

Actually the trend on DES has been towards it being LESS secure. Several advances in the area of DES-like functions have shown that DES contains some disturbing properties. While direct proof is still lacking, indications suggest that DES has flaws.

When DES came out, people claimed that IBM was pressured by the NSA to reduce the Cypher size and add a few funny 'S-boxes'. It was claimed that the modification by the NSA was done to introduce a 'backdoor' into DES. Knowing this 'backdoor' would allow someone to decrypt DES with ease.

It has been shown that one should be able to construct DES-like systems that have 'backdoors'. Furthermore, one can make the discovery of the 'backdoor' without knowledge of the creation process VERY hard. The NSA has never made any useful comments on the ideas behind DES.

Question: If the above were true, and someone were to find the 'trapdoor' and publish it, damages could result. Could the person who found/published the flaw be held accountable for the damage? Would the person be viewed as saving the world from other folks who were already exploiting the 'trapdoor'? Consider the same question if it were proven that the DES was created with flaws in mind.

Now for a bit of post-DES trends:

Current ideas on the books include the production and license of a chip or black-box that performs encryption/decryption. The package would be placed inside a package in such a way as to make it very hard to open it up and look inside. Even if one were to snatch the algorithm, publication/disclosure of it would be in violation of the trade secret since only people who were thusly licenced could obtain the chip. (kinda like Un*x licenses)

Worse yet, only special keys/codes can be used with the chip. One would have to obtain your own keys from the chip supplier. The claim will be that restriction of the internals of the black-box would make it harder for someone to discover a security hole. Keys must be obtained so as to not reveal the encryption algorithm. One could obtain enough keys, and in such a fashion so as to make it 'hard' to trace who got what key.

But who would validate the chip makers and set up the key production systems? The NSA. Now that takes gall!

chongo <this article is dedicated to the folks at arrowwon.UUCP> /\oo/\
hyatt@DEWEY.UDEL.EDU (Glenn Hyatt) (03/15/86)
I hadn't heard about DES' alleged trap door. It's interesting. I remain puzzled, though. If DES is such a breeze for the NSA to crack, why do they fight it so vigorously? My guess is that although they may have fairly easy ways to break it (especially the stream encryption), it still takes a great deal more in processing time to decrypt and read ciphertext than it takes just to read cleartext.